diff options
author | Linus Torvalds <torvalds@linux-foundation.org> | 2009-12-17 19:58:26 -0500 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2009-12-17 19:58:26 -0500 |
commit | efc8e7f4c83dc85acbf5f54a8b1b24ae75b20aaa (patch) | |
tree | cf7df8a837b719623e13b3ab19e8cfce1e270883 | |
parent | b5c96f89177b460ef89ecd777d5f2fefd4534d3f (diff) | |
parent | a00ae4d21b2fa9379914f270ffffd8d3bec55430 (diff) |
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6:
Keys: KEYCTL_SESSION_TO_PARENT needs TIF_NOTIFY_RESUME architecture support
NOMMU: Optimise away the {dac_,}mmap_min_addr tests
security/min_addr.c: make init_mmap_min_addr() static
keys: PTR_ERR return of wrong pointer in keyctl_get_security()
-rw-r--r-- | include/linux/security.h | 7 | ||||
-rw-r--r-- | kernel/sysctl.c | 2 | ||||
-rw-r--r-- | mm/Kconfig | 1 | ||||
-rw-r--r-- | security/Makefile | 3 | ||||
-rw-r--r-- | security/keys/keyctl.c | 12 | ||||
-rw-r--r-- | security/min_addr.c | 2 |
6 files changed, 24 insertions, 3 deletions
diff --git a/include/linux/security.h b/include/linux/security.h index 466cbadbd1ef..2c627d361c02 100644 --- a/include/linux/security.h +++ b/include/linux/security.h | |||
@@ -95,8 +95,13 @@ struct seq_file; | |||
95 | extern int cap_netlink_send(struct sock *sk, struct sk_buff *skb); | 95 | extern int cap_netlink_send(struct sock *sk, struct sk_buff *skb); |
96 | extern int cap_netlink_recv(struct sk_buff *skb, int cap); | 96 | extern int cap_netlink_recv(struct sk_buff *skb, int cap); |
97 | 97 | ||
98 | #ifdef CONFIG_MMU | ||
98 | extern unsigned long mmap_min_addr; | 99 | extern unsigned long mmap_min_addr; |
99 | extern unsigned long dac_mmap_min_addr; | 100 | extern unsigned long dac_mmap_min_addr; |
101 | #else | ||
102 | #define dac_mmap_min_addr 0UL | ||
103 | #endif | ||
104 | |||
100 | /* | 105 | /* |
101 | * Values used in the task_security_ops calls | 106 | * Values used in the task_security_ops calls |
102 | */ | 107 | */ |
@@ -121,6 +126,7 @@ struct request_sock; | |||
121 | #define LSM_UNSAFE_PTRACE 2 | 126 | #define LSM_UNSAFE_PTRACE 2 |
122 | #define LSM_UNSAFE_PTRACE_CAP 4 | 127 | #define LSM_UNSAFE_PTRACE_CAP 4 |
123 | 128 | ||
129 | #ifdef CONFIG_MMU | ||
124 | /* | 130 | /* |
125 | * If a hint addr is less than mmap_min_addr change hint to be as | 131 | * If a hint addr is less than mmap_min_addr change hint to be as |
126 | * low as possible but still greater than mmap_min_addr | 132 | * low as possible but still greater than mmap_min_addr |
@@ -135,6 +141,7 @@ static inline unsigned long round_hint_to_min(unsigned long hint) | |||
135 | } | 141 | } |
136 | extern int mmap_min_addr_handler(struct ctl_table *table, int write, | 142 | extern int mmap_min_addr_handler(struct ctl_table *table, int write, |
137 | void __user *buffer, size_t *lenp, loff_t *ppos); | 143 | void __user *buffer, size_t *lenp, loff_t *ppos); |
144 | #endif | ||
138 | 145 | ||
139 | #ifdef CONFIG_SECURITY | 146 | #ifdef CONFIG_SECURITY |
140 | 147 | ||
diff --git a/kernel/sysctl.c b/kernel/sysctl.c index 6665761c006d..8a68b2448468 100644 --- a/kernel/sysctl.c +++ b/kernel/sysctl.c | |||
@@ -1214,6 +1214,7 @@ static struct ctl_table vm_table[] = { | |||
1214 | .proc_handler = proc_dointvec_jiffies, | 1214 | .proc_handler = proc_dointvec_jiffies, |
1215 | }, | 1215 | }, |
1216 | #endif | 1216 | #endif |
1217 | #ifdef CONFIG_MMU | ||
1217 | { | 1218 | { |
1218 | .procname = "mmap_min_addr", | 1219 | .procname = "mmap_min_addr", |
1219 | .data = &dac_mmap_min_addr, | 1220 | .data = &dac_mmap_min_addr, |
@@ -1221,6 +1222,7 @@ static struct ctl_table vm_table[] = { | |||
1221 | .mode = 0644, | 1222 | .mode = 0644, |
1222 | .proc_handler = mmap_min_addr_handler, | 1223 | .proc_handler = mmap_min_addr_handler, |
1223 | }, | 1224 | }, |
1225 | #endif | ||
1224 | #ifdef CONFIG_NUMA | 1226 | #ifdef CONFIG_NUMA |
1225 | { | 1227 | { |
1226 | .procname = "numa_zonelist_order", | 1228 | .procname = "numa_zonelist_order", |
diff --git a/mm/Kconfig b/mm/Kconfig index 43ea8c3a2bbf..ee9f3e0f2b69 100644 --- a/mm/Kconfig +++ b/mm/Kconfig | |||
@@ -221,6 +221,7 @@ config KSM | |||
221 | 221 | ||
222 | config DEFAULT_MMAP_MIN_ADDR | 222 | config DEFAULT_MMAP_MIN_ADDR |
223 | int "Low address space to protect from user allocation" | 223 | int "Low address space to protect from user allocation" |
224 | depends on MMU | ||
224 | default 4096 | 225 | default 4096 |
225 | help | 226 | help |
226 | This is the portion of low virtual memory which should be protected | 227 | This is the portion of low virtual memory which should be protected |
diff --git a/security/Makefile b/security/Makefile index bb44e350c618..da20a193c8dd 100644 --- a/security/Makefile +++ b/security/Makefile | |||
@@ -8,7 +8,8 @@ subdir-$(CONFIG_SECURITY_SMACK) += smack | |||
8 | subdir-$(CONFIG_SECURITY_TOMOYO) += tomoyo | 8 | subdir-$(CONFIG_SECURITY_TOMOYO) += tomoyo |
9 | 9 | ||
10 | # always enable default capabilities | 10 | # always enable default capabilities |
11 | obj-y += commoncap.o min_addr.o | 11 | obj-y += commoncap.o |
12 | obj-$(CONFIG_MMU) += min_addr.o | ||
12 | 13 | ||
13 | # Object file lists | 14 | # Object file lists |
14 | obj-$(CONFIG_SECURITY) += security.o capability.o | 15 | obj-$(CONFIG_SECURITY) += security.o capability.o |
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c index 06ec722897be..e9c2e7c584d9 100644 --- a/security/keys/keyctl.c +++ b/security/keys/keyctl.c | |||
@@ -1194,7 +1194,7 @@ long keyctl_get_security(key_serial_t keyid, | |||
1194 | * have the authorisation token handy */ | 1194 | * have the authorisation token handy */ |
1195 | instkey = key_get_instantiation_authkey(keyid); | 1195 | instkey = key_get_instantiation_authkey(keyid); |
1196 | if (IS_ERR(instkey)) | 1196 | if (IS_ERR(instkey)) |
1197 | return PTR_ERR(key_ref); | 1197 | return PTR_ERR(instkey); |
1198 | key_put(instkey); | 1198 | key_put(instkey); |
1199 | 1199 | ||
1200 | key_ref = lookup_user_key(keyid, KEY_LOOKUP_PARTIAL, 0); | 1200 | key_ref = lookup_user_key(keyid, KEY_LOOKUP_PARTIAL, 0); |
@@ -1236,6 +1236,7 @@ long keyctl_get_security(key_serial_t keyid, | |||
1236 | */ | 1236 | */ |
1237 | long keyctl_session_to_parent(void) | 1237 | long keyctl_session_to_parent(void) |
1238 | { | 1238 | { |
1239 | #ifdef TIF_NOTIFY_RESUME | ||
1239 | struct task_struct *me, *parent; | 1240 | struct task_struct *me, *parent; |
1240 | const struct cred *mycred, *pcred; | 1241 | const struct cred *mycred, *pcred; |
1241 | struct cred *cred, *oldcred; | 1242 | struct cred *cred, *oldcred; |
@@ -1326,6 +1327,15 @@ not_permitted: | |||
1326 | error_keyring: | 1327 | error_keyring: |
1327 | key_ref_put(keyring_r); | 1328 | key_ref_put(keyring_r); |
1328 | return ret; | 1329 | return ret; |
1330 | |||
1331 | #else /* !TIF_NOTIFY_RESUME */ | ||
1332 | /* | ||
1333 | * To be removed when TIF_NOTIFY_RESUME has been implemented on | ||
1334 | * m68k/xtensa | ||
1335 | */ | ||
1336 | #warning TIF_NOTIFY_RESUME not implemented | ||
1337 | return -EOPNOTSUPP; | ||
1338 | #endif /* !TIF_NOTIFY_RESUME */ | ||
1329 | } | 1339 | } |
1330 | 1340 | ||
1331 | /*****************************************************************************/ | 1341 | /*****************************************************************************/ |
diff --git a/security/min_addr.c b/security/min_addr.c index fc43c9d37084..e86f297522bf 100644 --- a/security/min_addr.c +++ b/security/min_addr.c | |||
@@ -43,7 +43,7 @@ int mmap_min_addr_handler(struct ctl_table *table, int write, | |||
43 | return ret; | 43 | return ret; |
44 | } | 44 | } |
45 | 45 | ||
46 | int __init init_mmap_min_addr(void) | 46 | static int __init init_mmap_min_addr(void) |
47 | { | 47 | { |
48 | update_mmap_min_addr(); | 48 | update_mmap_min_addr(); |
49 | 49 | ||