diff options
| author | David Howells <dhowells@redhat.com> | 2008-11-13 18:39:14 -0500 |
|---|---|---|
| committer | James Morris <jmorris@namei.org> | 2008-11-13 18:39:14 -0500 |
| commit | 1cdcbec1a3372c0c49c59d292e708fd07b509f18 (patch) | |
| tree | d1bd302c8d66862da45b494cbc766fb4caa5e23e /include/linux/security.h | |
| parent | 8bbf4976b59fc9fc2861e79cab7beb3f6d647640 (diff) | |
CRED: Neuter sys_capset()
Take away the ability for sys_capset() to affect processes other than current.
This means that current will not need to lock its own credentials when reading
them against interference by other processes.
This has effectively been the case for a while anyway, since:
(1) Without LSM enabled, sys_capset() is disallowed.
(2) With file-based capabilities, sys_capset() is neutered.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Acked-by: Andrew G. Morgan <morgan@kernel.org>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'include/linux/security.h')
| -rw-r--r-- | include/linux/security.h | 48 |
1 files changed, 16 insertions, 32 deletions
diff --git a/include/linux/security.h b/include/linux/security.h index 5fe28a671cd3..d1ce8beddbd7 100644 --- a/include/linux/security.h +++ b/include/linux/security.h | |||
| @@ -53,8 +53,8 @@ extern int cap_settime(struct timespec *ts, struct timezone *tz); | |||
| 53 | extern int cap_ptrace_may_access(struct task_struct *child, unsigned int mode); | 53 | extern int cap_ptrace_may_access(struct task_struct *child, unsigned int mode); |
| 54 | extern int cap_ptrace_traceme(struct task_struct *parent); | 54 | extern int cap_ptrace_traceme(struct task_struct *parent); |
| 55 | extern int cap_capget(struct task_struct *target, kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted); | 55 | extern int cap_capget(struct task_struct *target, kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted); |
| 56 | extern int cap_capset_check(struct task_struct *target, kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted); | 56 | extern int cap_capset_check(kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted); |
| 57 | extern void cap_capset_set(struct task_struct *target, kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted); | 57 | extern void cap_capset_set(kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted); |
| 58 | extern int cap_bprm_set_security(struct linux_binprm *bprm); | 58 | extern int cap_bprm_set_security(struct linux_binprm *bprm); |
| 59 | extern void cap_bprm_apply_creds(struct linux_binprm *bprm, int unsafe); | 59 | extern void cap_bprm_apply_creds(struct linux_binprm *bprm, int unsafe); |
| 60 | extern int cap_bprm_secureexec(struct linux_binprm *bprm); | 60 | extern int cap_bprm_secureexec(struct linux_binprm *bprm); |
| @@ -1191,24 +1191,14 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts) | |||
| 1191 | * Return 0 if the capability sets were successfully obtained. | 1191 | * Return 0 if the capability sets were successfully obtained. |
| 1192 | * @capset_check: | 1192 | * @capset_check: |
| 1193 | * Check permission before setting the @effective, @inheritable, and | 1193 | * Check permission before setting the @effective, @inheritable, and |
| 1194 | * @permitted capability sets for the @target process. | 1194 | * @permitted capability sets for the current process. |
| 1195 | * Caveat: @target is also set to current if a set of processes is | ||
| 1196 | * specified (i.e. all processes other than current and init or a | ||
| 1197 | * particular process group). Hence, the capset_set hook may need to | ||
| 1198 | * revalidate permission to the actual target process. | ||
| 1199 | * @target contains the task_struct structure for target process. | ||
| 1200 | * @effective contains the effective capability set. | 1195 | * @effective contains the effective capability set. |
| 1201 | * @inheritable contains the inheritable capability set. | 1196 | * @inheritable contains the inheritable capability set. |
| 1202 | * @permitted contains the permitted capability set. | 1197 | * @permitted contains the permitted capability set. |
| 1203 | * Return 0 if permission is granted. | 1198 | * Return 0 if permission is granted. |
| 1204 | * @capset_set: | 1199 | * @capset_set: |
| 1205 | * Set the @effective, @inheritable, and @permitted capability sets for | 1200 | * Set the @effective, @inheritable, and @permitted capability sets for |
| 1206 | * the @target process. Since capset_check cannot always check permission | 1201 | * the current process. |
| 1207 | * to the real @target process, this hook may also perform permission | ||
| 1208 | * checking to determine if the current process is allowed to set the | ||
| 1209 | * capability sets of the @target process. However, this hook has no way | ||
| 1210 | * of returning an error due to the structure of the sys_capset code. | ||
| 1211 | * @target contains the task_struct structure for target process. | ||
| 1212 | * @effective contains the effective capability set. | 1202 | * @effective contains the effective capability set. |
| 1213 | * @inheritable contains the inheritable capability set. | 1203 | * @inheritable contains the inheritable capability set. |
| 1214 | * @permitted contains the permitted capability set. | 1204 | * @permitted contains the permitted capability set. |
| @@ -1303,12 +1293,10 @@ struct security_operations { | |||
| 1303 | int (*capget) (struct task_struct *target, | 1293 | int (*capget) (struct task_struct *target, |
| 1304 | kernel_cap_t *effective, | 1294 | kernel_cap_t *effective, |
| 1305 | kernel_cap_t *inheritable, kernel_cap_t *permitted); | 1295 | kernel_cap_t *inheritable, kernel_cap_t *permitted); |
| 1306 | int (*capset_check) (struct task_struct *target, | 1296 | int (*capset_check) (kernel_cap_t *effective, |
| 1307 | kernel_cap_t *effective, | ||
| 1308 | kernel_cap_t *inheritable, | 1297 | kernel_cap_t *inheritable, |
| 1309 | kernel_cap_t *permitted); | 1298 | kernel_cap_t *permitted); |
| 1310 | void (*capset_set) (struct task_struct *target, | 1299 | void (*capset_set) (kernel_cap_t *effective, |
| 1311 | kernel_cap_t *effective, | ||
| 1312 | kernel_cap_t *inheritable, | 1300 | kernel_cap_t *inheritable, |
| 1313 | kernel_cap_t *permitted); | 1301 | kernel_cap_t *permitted); |
| 1314 | int (*capable) (struct task_struct *tsk, int cap, int audit); | 1302 | int (*capable) (struct task_struct *tsk, int cap, int audit); |
| @@ -1572,12 +1560,10 @@ int security_capget(struct task_struct *target, | |||
| 1572 | kernel_cap_t *effective, | 1560 | kernel_cap_t *effective, |
| 1573 | kernel_cap_t *inheritable, | 1561 | kernel_cap_t *inheritable, |
| 1574 | kernel_cap_t *permitted); | 1562 | kernel_cap_t *permitted); |
| 1575 | int security_capset_check(struct task_struct *target, | 1563 | int security_capset_check(kernel_cap_t *effective, |
| 1576 | kernel_cap_t *effective, | ||
| 1577 | kernel_cap_t *inheritable, | 1564 | kernel_cap_t *inheritable, |
| 1578 | kernel_cap_t *permitted); | 1565 | kernel_cap_t *permitted); |
| 1579 | void security_capset_set(struct task_struct *target, | 1566 | void security_capset_set(kernel_cap_t *effective, |
| 1580 | kernel_cap_t *effective, | ||
| 1581 | kernel_cap_t *inheritable, | 1567 | kernel_cap_t *inheritable, |
| 1582 | kernel_cap_t *permitted); | 1568 | kernel_cap_t *permitted); |
| 1583 | int security_capable(struct task_struct *tsk, int cap); | 1569 | int security_capable(struct task_struct *tsk, int cap); |
| @@ -1769,20 +1755,18 @@ static inline int security_capget(struct task_struct *target, | |||
| 1769 | return cap_capget(target, effective, inheritable, permitted); | 1755 | return cap_capget(target, effective, inheritable, permitted); |
| 1770 | } | 1756 | } |
| 1771 | 1757 | ||
| 1772 | static inline int security_capset_check(struct task_struct *target, | 1758 | static inline int security_capset_check(kernel_cap_t *effective, |
| 1773 | kernel_cap_t *effective, | 1759 | kernel_cap_t *inheritable, |
| 1774 | kernel_cap_t *inheritable, | 1760 | kernel_cap_t *permitted) |
| 1775 | kernel_cap_t *permitted) | ||
| 1776 | { | 1761 | { |
| 1777 | return cap_capset_check(target, effective, inheritable, permitted); | 1762 | return cap_capset_check(effective, inheritable, permitted); |
| 1778 | } | 1763 | } |
| 1779 | 1764 | ||
| 1780 | static inline void security_capset_set(struct task_struct *target, | 1765 | static inline void security_capset_set(kernel_cap_t *effective, |
| 1781 | kernel_cap_t *effective, | 1766 | kernel_cap_t *inheritable, |
| 1782 | kernel_cap_t *inheritable, | 1767 | kernel_cap_t *permitted) |
| 1783 | kernel_cap_t *permitted) | ||
| 1784 | { | 1768 | { |
| 1785 | cap_capset_set(target, effective, inheritable, permitted); | 1769 | cap_capset_set(effective, inheritable, permitted); |
| 1786 | } | 1770 | } |
| 1787 | 1771 | ||
| 1788 | static inline int security_capable(struct task_struct *tsk, int cap) | 1772 | static inline int security_capable(struct task_struct *tsk, int cap) |