aboutsummaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorJiri Kosina <jkosina@suse.cz>2010-12-22 12:57:02 -0500
committerJiri Kosina <jkosina@suse.cz>2010-12-22 12:57:02 -0500
commit4b7bd364700d9ac8372eff48832062b936d0793b (patch)
tree0dbf78c95456a0b02d07fcd473281f04a87e266d /security
parentc0d8768af260e2cbb4bf659ae6094a262c86b085 (diff)
parent90a8a73c06cc32b609a880d48449d7083327e11a (diff)
Merge branch 'master' into for-next
Conflicts: MAINTAINERS arch/arm/mach-omap2/pm24xx.c drivers/scsi/bfa/bfa_fcpim.c Needed to update to apply fixes for which the old branch was too outdated.
Diffstat (limited to 'security')
-rw-r--r--security/Kconfig12
-rw-r--r--security/apparmor/lsm.c6
-rw-r--r--security/apparmor/policy.c2
-rw-r--r--security/capability.c5
-rw-r--r--security/commoncap.c19
-rw-r--r--security/security.c4
-rw-r--r--security/selinux/hooks.c6
-rw-r--r--security/smack/smack_lsm.c8
8 files changed, 27 insertions, 35 deletions
diff --git a/security/Kconfig b/security/Kconfig
index bd72ae62349..e80da955e68 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -39,6 +39,18 @@ config KEYS_DEBUG_PROC_KEYS
39 39
40 If you are unsure as to whether this is required, answer N. 40 If you are unsure as to whether this is required, answer N.
41 41
42config SECURITY_DMESG_RESTRICT
43 bool "Restrict unprivileged access to the kernel syslog"
44 default n
45 help
46 This enforces restrictions on unprivileged users reading the kernel
47 syslog via dmesg(8).
48
49 If this option is not selected, no restrictions will be enforced
50 unless the dmesg_restrict sysctl is explicitly set to (1).
51
52 If you are unsure how to answer this question, answer N.
53
42config SECURITY 54config SECURITY
43 bool "Enable different security models" 55 bool "Enable different security models"
44 depends on SYSFS 56 depends on SYSFS
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index cf1de4462cc..b7106f192b7 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -922,7 +922,7 @@ static int __init apparmor_init(void)
922 error = register_security(&apparmor_ops); 922 error = register_security(&apparmor_ops);
923 if (error) { 923 if (error) {
924 AA_ERROR("Unable to register AppArmor\n"); 924 AA_ERROR("Unable to register AppArmor\n");
925 goto register_security_out; 925 goto set_init_cxt_out;
926 } 926 }
927 927
928 /* Report that AppArmor successfully initialized */ 928 /* Report that AppArmor successfully initialized */
@@ -936,6 +936,9 @@ static int __init apparmor_init(void)
936 936
937 return error; 937 return error;
938 938
939set_init_cxt_out:
940 aa_free_task_context(current->real_cred->security);
941
939register_security_out: 942register_security_out:
940 aa_free_root_ns(); 943 aa_free_root_ns();
941 944
@@ -944,7 +947,6 @@ alloc_out:
944 947
945 apparmor_enabled = 0; 948 apparmor_enabled = 0;
946 return error; 949 return error;
947
948} 950}
949 951
950security_initcall(apparmor_init); 952security_initcall(apparmor_init);
diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index 52cc865f146..4f0eadee78b 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -306,7 +306,7 @@ static struct aa_namespace *alloc_namespace(const char *prefix,
306 return ns; 306 return ns;
307 307
308fail_unconfined: 308fail_unconfined:
309 kzfree(ns->base.name); 309 kzfree(ns->base.hname);
310fail_ns: 310fail_ns:
311 kzfree(ns); 311 kzfree(ns);
312 return NULL; 312 return NULL;
diff --git a/security/capability.c b/security/capability.c
index 30ae00fbecd..c773635ca3a 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -17,6 +17,11 @@ static int cap_sysctl(ctl_table *table, int op)
17 return 0; 17 return 0;
18} 18}
19 19
20static int cap_syslog(int type)
21{
22 return 0;
23}
24
20static int cap_quotactl(int cmds, int type, int id, struct super_block *sb) 25static int cap_quotactl(int cmds, int type, int id, struct super_block *sb)
21{ 26{
22 return 0; 27 return 0;
diff --git a/security/commoncap.c b/security/commoncap.c
index 5e632b4857e..64c2ed9c901 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -27,7 +27,6 @@
27#include <linux/sched.h> 27#include <linux/sched.h>
28#include <linux/prctl.h> 28#include <linux/prctl.h>
29#include <linux/securebits.h> 29#include <linux/securebits.h>
30#include <linux/syslog.h>
31 30
32/* 31/*
33 * If a non-root user executes a setuid-root binary in 32 * If a non-root user executes a setuid-root binary in
@@ -884,24 +883,6 @@ error:
884} 883}
885 884
886/** 885/**
887 * cap_syslog - Determine whether syslog function is permitted
888 * @type: Function requested
889 * @from_file: Whether this request came from an open file (i.e. /proc)
890 *
891 * Determine whether the current process is permitted to use a particular
892 * syslog function, returning 0 if permission is granted, -ve if not.
893 */
894int cap_syslog(int type, bool from_file)
895{
896 if (type != SYSLOG_ACTION_OPEN && from_file)
897 return 0;
898 if ((type != SYSLOG_ACTION_READ_ALL &&
899 type != SYSLOG_ACTION_SIZE_BUFFER) && !capable(CAP_SYS_ADMIN))
900 return -EPERM;
901 return 0;
902}
903
904/**
905 * cap_vm_enough_memory - Determine whether a new virtual mapping is permitted 886 * cap_vm_enough_memory - Determine whether a new virtual mapping is permitted
906 * @mm: The VM space in which the new mapping is to be made 887 * @mm: The VM space in which the new mapping is to be made
907 * @pages: The size of the mapping 888 * @pages: The size of the mapping
diff --git a/security/security.c b/security/security.c
index 3ef5e2a7a74..1b798d3df71 100644
--- a/security/security.c
+++ b/security/security.c
@@ -197,9 +197,9 @@ int security_quota_on(struct dentry *dentry)
197 return security_ops->quota_on(dentry); 197 return security_ops->quota_on(dentry);
198} 198}
199 199
200int security_syslog(int type, bool from_file) 200int security_syslog(int type)
201{ 201{
202 return security_ops->syslog(type, from_file); 202 return security_ops->syslog(type);
203} 203}
204 204
205int security_settime(struct timespec *ts, struct timezone *tz) 205int security_settime(struct timespec *ts, struct timezone *tz)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index d9154cf90ae..65fa8bf596f 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1973,14 +1973,10 @@ static int selinux_quota_on(struct dentry *dentry)
1973 return dentry_has_perm(cred, NULL, dentry, FILE__QUOTAON); 1973 return dentry_has_perm(cred, NULL, dentry, FILE__QUOTAON);
1974} 1974}
1975 1975
1976static int selinux_syslog(int type, bool from_file) 1976static int selinux_syslog(int type)
1977{ 1977{
1978 int rc; 1978 int rc;
1979 1979
1980 rc = cap_syslog(type, from_file);
1981 if (rc)
1982 return rc;
1983
1984 switch (type) { 1980 switch (type) {
1985 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */ 1981 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
1986 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */ 1982 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index bc39f4067af..489a85afa47 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -157,15 +157,11 @@ static int smack_ptrace_traceme(struct task_struct *ptp)
157 * 157 *
158 * Returns 0 on success, error code otherwise. 158 * Returns 0 on success, error code otherwise.
159 */ 159 */
160static int smack_syslog(int type, bool from_file) 160static int smack_syslog(int typefrom_file)
161{ 161{
162 int rc; 162 int rc = 0;
163 char *sp = current_security(); 163 char *sp = current_security();
164 164
165 rc = cap_syslog(type, from_file);
166 if (rc != 0)
167 return rc;
168
169 if (capable(CAP_MAC_OVERRIDE)) 165 if (capable(CAP_MAC_OVERRIDE))
170 return 0; 166 return 0;
171 167