diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2008-07-14 16:36:55 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2008-07-14 16:36:55 -0400 |
| commit | 847106ff628805e1a0aa91e7f53381f3fdfcd839 (patch) | |
| tree | 457c8d6a5ff20f4d0f28634a196f92273298e49e /fs | |
| parent | c142bda458a9c81097238800e1bd8eeeea09913d (diff) | |
| parent | 6f0f0fd496333777d53daff21a4e3b28c4d03a6d (diff) | |
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6: (25 commits)
security: remove register_security hook
security: remove dummy module fix
security: remove dummy module
security: remove unused sb_get_mnt_opts hook
LSM/SELinux: show LSM mount options in /proc/mounts
SELinux: allow fstype unknown to policy to use xattrs if present
security: fix return of void-valued expressions
SELinux: use do_each_thread as a proper do/while block
SELinux: remove unused and shadowed addrlen variable
SELinux: more user friendly unknown handling printk
selinux: change handling of invalid classes (Was: Re: 2.6.26-rc5-mm1 selinux whine)
SELinux: drop load_mutex in security_load_policy
SELinux: fix off by 1 reference of class_to_string in context_struct_compute_av
SELinux: open code sidtab lock
SELinux: open code load_mutex
SELinux: open code policy_rwlock
selinux: fix endianness bug in network node address handling
selinux: simplify ioctl checking
SELinux: enable processes with mac_admin to get the raw inode contexts
Security: split proc ptrace checking into read vs. attach
...
Diffstat (limited to 'fs')
| -rw-r--r-- | fs/namespace.c | 14 | ||||
| -rw-r--r-- | fs/proc/base.c | 9 | ||||
| -rw-r--r-- | fs/proc/task_mmu.c | 6 | ||||
| -rw-r--r-- | fs/proc/task_nommu.c | 2 |
4 files changed, 20 insertions, 11 deletions
diff --git a/fs/namespace.c b/fs/namespace.c index 4fc302c2a0e0..4f6f7635b59c 100644 --- a/fs/namespace.c +++ b/fs/namespace.c | |||
| @@ -750,7 +750,7 @@ struct proc_fs_info { | |||
| 750 | const char *str; | 750 | const char *str; |
| 751 | }; | 751 | }; |
| 752 | 752 | ||
| 753 | static void show_sb_opts(struct seq_file *m, struct super_block *sb) | 753 | static int show_sb_opts(struct seq_file *m, struct super_block *sb) |
| 754 | { | 754 | { |
| 755 | static const struct proc_fs_info fs_info[] = { | 755 | static const struct proc_fs_info fs_info[] = { |
| 756 | { MS_SYNCHRONOUS, ",sync" }, | 756 | { MS_SYNCHRONOUS, ",sync" }, |
| @@ -764,6 +764,8 @@ static void show_sb_opts(struct seq_file *m, struct super_block *sb) | |||
| 764 | if (sb->s_flags & fs_infop->flag) | 764 | if (sb->s_flags & fs_infop->flag) |
| 765 | seq_puts(m, fs_infop->str); | 765 | seq_puts(m, fs_infop->str); |
| 766 | } | 766 | } |
| 767 | |||
| 768 | return security_sb_show_options(m, sb); | ||
| 767 | } | 769 | } |
| 768 | 770 | ||
| 769 | static void show_mnt_opts(struct seq_file *m, struct vfsmount *mnt) | 771 | static void show_mnt_opts(struct seq_file *m, struct vfsmount *mnt) |
| @@ -806,11 +808,14 @@ static int show_vfsmnt(struct seq_file *m, void *v) | |||
| 806 | seq_putc(m, ' '); | 808 | seq_putc(m, ' '); |
| 807 | show_type(m, mnt->mnt_sb); | 809 | show_type(m, mnt->mnt_sb); |
| 808 | seq_puts(m, __mnt_is_readonly(mnt) ? " ro" : " rw"); | 810 | seq_puts(m, __mnt_is_readonly(mnt) ? " ro" : " rw"); |
| 809 | show_sb_opts(m, mnt->mnt_sb); | 811 | err = show_sb_opts(m, mnt->mnt_sb); |
| 812 | if (err) | ||
| 813 | goto out; | ||
| 810 | show_mnt_opts(m, mnt); | 814 | show_mnt_opts(m, mnt); |
| 811 | if (mnt->mnt_sb->s_op->show_options) | 815 | if (mnt->mnt_sb->s_op->show_options) |
| 812 | err = mnt->mnt_sb->s_op->show_options(m, mnt); | 816 | err = mnt->mnt_sb->s_op->show_options(m, mnt); |
| 813 | seq_puts(m, " 0 0\n"); | 817 | seq_puts(m, " 0 0\n"); |
| 818 | out: | ||
| 814 | return err; | 819 | return err; |
| 815 | } | 820 | } |
| 816 | 821 | ||
| @@ -865,10 +870,13 @@ static int show_mountinfo(struct seq_file *m, void *v) | |||
| 865 | seq_putc(m, ' '); | 870 | seq_putc(m, ' '); |
| 866 | mangle(m, mnt->mnt_devname ? mnt->mnt_devname : "none"); | 871 | mangle(m, mnt->mnt_devname ? mnt->mnt_devname : "none"); |
| 867 | seq_puts(m, sb->s_flags & MS_RDONLY ? " ro" : " rw"); | 872 | seq_puts(m, sb->s_flags & MS_RDONLY ? " ro" : " rw"); |
| 868 | show_sb_opts(m, sb); | 873 | err = show_sb_opts(m, sb); |
| 874 | if (err) | ||
| 875 | goto out; | ||
| 869 | if (sb->s_op->show_options) | 876 | if (sb->s_op->show_options) |
| 870 | err = sb->s_op->show_options(m, mnt); | 877 | err = sb->s_op->show_options(m, mnt); |
| 871 | seq_putc(m, '\n'); | 878 | seq_putc(m, '\n'); |
| 879 | out: | ||
| 872 | return err; | 880 | return err; |
| 873 | } | 881 | } |
| 874 | 882 | ||
diff --git a/fs/proc/base.c b/fs/proc/base.c index 3b455371e7ff..58c3e6a8e15e 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c | |||
| @@ -233,7 +233,7 @@ static int check_mem_permission(struct task_struct *task) | |||
| 233 | */ | 233 | */ |
| 234 | if (task->parent == current && (task->ptrace & PT_PTRACED) && | 234 | if (task->parent == current && (task->ptrace & PT_PTRACED) && |
| 235 | task_is_stopped_or_traced(task) && | 235 | task_is_stopped_or_traced(task) && |
| 236 | ptrace_may_attach(task)) | 236 | ptrace_may_access(task, PTRACE_MODE_ATTACH)) |
| 237 | return 0; | 237 | return 0; |
| 238 | 238 | ||
| 239 | /* | 239 | /* |
| @@ -251,7 +251,8 @@ struct mm_struct *mm_for_maps(struct task_struct *task) | |||
| 251 | task_lock(task); | 251 | task_lock(task); |
| 252 | if (task->mm != mm) | 252 | if (task->mm != mm) |
| 253 | goto out; | 253 | goto out; |
| 254 | if (task->mm != current->mm && __ptrace_may_attach(task) < 0) | 254 | if (task->mm != current->mm && |
| 255 | __ptrace_may_access(task, PTRACE_MODE_READ) < 0) | ||
| 255 | goto out; | 256 | goto out; |
| 256 | task_unlock(task); | 257 | task_unlock(task); |
| 257 | return mm; | 258 | return mm; |
| @@ -518,7 +519,7 @@ static int proc_fd_access_allowed(struct inode *inode) | |||
| 518 | */ | 519 | */ |
| 519 | task = get_proc_task(inode); | 520 | task = get_proc_task(inode); |
| 520 | if (task) { | 521 | if (task) { |
| 521 | allowed = ptrace_may_attach(task); | 522 | allowed = ptrace_may_access(task, PTRACE_MODE_READ); |
| 522 | put_task_struct(task); | 523 | put_task_struct(task); |
| 523 | } | 524 | } |
| 524 | return allowed; | 525 | return allowed; |
| @@ -904,7 +905,7 @@ static ssize_t environ_read(struct file *file, char __user *buf, | |||
| 904 | if (!task) | 905 | if (!task) |
| 905 | goto out_no_task; | 906 | goto out_no_task; |
| 906 | 907 | ||
| 907 | if (!ptrace_may_attach(task)) | 908 | if (!ptrace_may_access(task, PTRACE_MODE_READ)) |
| 908 | goto out; | 909 | goto out; |
| 909 | 910 | ||
| 910 | ret = -ENOMEM; | 911 | ret = -ENOMEM; |
diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c index c492449f3b45..164bd9f9ede3 100644 --- a/fs/proc/task_mmu.c +++ b/fs/proc/task_mmu.c | |||
| @@ -210,7 +210,7 @@ static int show_map(struct seq_file *m, void *v) | |||
| 210 | dev_t dev = 0; | 210 | dev_t dev = 0; |
| 211 | int len; | 211 | int len; |
| 212 | 212 | ||
| 213 | if (maps_protect && !ptrace_may_attach(task)) | 213 | if (maps_protect && !ptrace_may_access(task, PTRACE_MODE_READ)) |
| 214 | return -EACCES; | 214 | return -EACCES; |
| 215 | 215 | ||
| 216 | if (file) { | 216 | if (file) { |
| @@ -646,7 +646,7 @@ static ssize_t pagemap_read(struct file *file, char __user *buf, | |||
| 646 | goto out; | 646 | goto out; |
| 647 | 647 | ||
| 648 | ret = -EACCES; | 648 | ret = -EACCES; |
| 649 | if (!ptrace_may_attach(task)) | 649 | if (!ptrace_may_access(task, PTRACE_MODE_READ)) |
| 650 | goto out_task; | 650 | goto out_task; |
| 651 | 651 | ||
| 652 | ret = -EINVAL; | 652 | ret = -EINVAL; |
| @@ -747,7 +747,7 @@ static int show_numa_map_checked(struct seq_file *m, void *v) | |||
| 747 | struct proc_maps_private *priv = m->private; | 747 | struct proc_maps_private *priv = m->private; |
| 748 | struct task_struct *task = priv->task; | 748 | struct task_struct *task = priv->task; |
| 749 | 749 | ||
| 750 | if (maps_protect && !ptrace_may_attach(task)) | 750 | if (maps_protect && !ptrace_may_access(task, PTRACE_MODE_READ)) |
| 751 | return -EACCES; | 751 | return -EACCES; |
| 752 | 752 | ||
| 753 | return show_numa_map(m, v); | 753 | return show_numa_map(m, v); |
diff --git a/fs/proc/task_nommu.c b/fs/proc/task_nommu.c index 4b4f9cc2f186..5d84e7121df8 100644 --- a/fs/proc/task_nommu.c +++ b/fs/proc/task_nommu.c | |||
| @@ -113,7 +113,7 @@ static int show_map(struct seq_file *m, void *_vml) | |||
| 113 | struct proc_maps_private *priv = m->private; | 113 | struct proc_maps_private *priv = m->private; |
| 114 | struct task_struct *task = priv->task; | 114 | struct task_struct *task = priv->task; |
| 115 | 115 | ||
| 116 | if (maps_protect && !ptrace_may_attach(task)) | 116 | if (maps_protect && !ptrace_may_access(task, PTRACE_MODE_READ)) |
| 117 | return -EACCES; | 117 | return -EACCES; |
| 118 | 118 | ||
| 119 | return nommu_vma_show(m, vml->vma); | 119 | return nommu_vma_show(m, vml->vma); |