Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6: (25 commits) security: remove register_security hook security: remove dummy module fix security: remove dummy module security: remove unused sb_get_mnt_opts hook LSM/SELinux: show LSM mount options in /proc/mounts SELinux: allow fstype unknown to policy to use xattrs if present security: fix return of void-valued expressions SELinux: use do_each_thread as a proper do/while block SELinux: remove unused and shadowed addrlen variable SELinux: more user friendly unknown handling printk selinux: change handling of invalid classes (Was: Re: 2.6.26-rc5-mm1 selinux whine) SELinux: drop load_mutex in security_load_policy SELinux: fix off by 1 reference of class_to_string in context_struct_compute_av SELinux: open code sidtab lock SELinux: open code load_mutex SELinux: open code policy_rwlock selinux: fix endianness bug in network node address handling selinux: simplify ioctl checking SELinux: enable processes with mac_admin to get the raw inode contexts Security: split proc ptrace checking into read vs. attach ...
author: Linus Torvalds <torvalds@linux-foundation.org> 2008-07-14 16:36:55 -0400
committer: Linus Torvalds <torvalds@linux-foundation.org> 2008-07-14 16:36:55 -0400
commit: 847106ff628805e1a0aa91e7f53381f3fdfcd839 (patch)
tree: 457c8d6a5ff20f4d0f28634a196f92273298e49e /include
parent: c142bda458a9c81097238800e1bd8eeeea09913d (diff)
parent: 6f0f0fd496333777d53daff21a4e3b28c4d03a6d (diff)
2 files changed, 26 insertions, 31 deletions
diff --git a/include/linux/ptrace.h b/include/linux/ptrace.h
index f98501ba557e..c6f5f9dd0cee 100644
--- a/include/linux/ptrace.h
+++ b/include/linux/ptrace.h
@@ -95,8 +95,12 @@ extern void __ptrace_link(struct task_struct *child,
                          struct task_struct *new_parent);
 extern void __ptrace_unlink(struct task_struct *child);
 extern void ptrace_untrace(struct task_struct *child);
-extern int ptrace_may_attach(struct task_struct *task);
+#define PTRACE_MODE_READ   1
-extern int __ptrace_may_attach(struct task_struct *task);
+#define PTRACE_MODE_ATTACH 2
+/* Returns 0 on success, -errno on denial. */
+extern int __ptrace_may_access(struct task_struct *task, unsigned int mode);
+/* Returns true on success, false on denial. */
+extern bool ptrace_may_access(struct task_struct *task, unsigned int mode);
 static inline int ptrace_reparented(struct task_struct *child)
 {
diff --git a/include/linux/security.h b/include/linux/security.h
index 50737c70e78e..31c8851ec5d0 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -46,7 +46,8 @@ struct audit_krule;
 */
 extern int cap_capable(struct task_struct *tsk, int cap);
 extern int cap_settime(struct timespec *ts, struct timezone *tz);
-extern int cap_ptrace(struct task_struct *parent, struct task_struct *child);
+extern int cap_ptrace(struct task_struct *parent, struct task_struct *child,
+                      unsigned int mode);
 extern int cap_capget(struct task_struct *target, kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted);
 extern int cap_capset_check(struct task_struct *target, kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted);
 extern void cap_capset_set(struct task_struct *target, kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted);
@@ -79,6 +80,7 @@ struct xfrm_selector;
 struct xfrm_policy;
 struct xfrm_state;
 struct xfrm_user_sec_ctx;
+struct seq_file;
 extern int cap_netlink_send(struct sock *sk, struct sk_buff *skb);
 extern int cap_netlink_recv(struct sk_buff *skb, int cap);
@@ -289,10 +291,6 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 *      Update module state after a successful pivot.
 *      @old_path contains the path for the old root.
 *      @new_path contains the path for the new root.
- * @sb_get_mnt_opts:
- *      Get the security relevant mount options used for a superblock
- *      @sb the superblock to get security mount options from
- *      @opts binary data structure containing all lsm mount data
 * @sb_set_mnt_opts:
 *      Set the security relevant mount options used for a superblock
 *      @sb the superblock to set security mount options for
@@ -1170,6 +1168,7 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 *      attributes would be changed by the execve.
 *      @parent contains the task_struct structure for parent process.
 *      @child contains the task_struct structure for child process.
+ *      @mode contains the PTRACE_MODE flags indicating the form of access.
 *      Return 0 if permission is granted.
 * @capget:
 *      Get the @effective, @inheritable, and @permitted capability sets for
@@ -1240,11 +1239,6 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 *      @pages contains the number of pages.
 *      Return 0 if permission is granted.
 *
- * @register_security:
- *      allow module stacking.
- *      @name contains the name of the security module being stacked.
- *      @ops contains a pointer to the struct security_operations of the module to stack.
- *
 * @secid_to_secctx:
 *      Convert secid to security context.
 *      @secid contains the security ID.
@@ -1295,7 +1289,8 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 struct security_operations {
        char name[SECURITY_NAME_MAX + 1];
-        int (*ptrace) (struct task_struct *parent, struct task_struct *child);
+        int (*ptrace) (struct task_struct *parent, struct task_struct *child,
+                       unsigned int mode);
        int (*capget) (struct task_struct *target,
                       kernel_cap_t *effective,
                       kernel_cap_t *inheritable, kernel_cap_t *permitted);
@@ -1328,6 +1323,7 @@ struct security_operations {
        void (*sb_free_security) (struct super_block *sb);
        int (*sb_copy_data) (char *orig, char *copy);
        int (*sb_kern_mount) (struct super_block *sb, void *data);
+        int (*sb_show_options) (struct seq_file *m, struct super_block *sb);
        int (*sb_statfs) (struct dentry *dentry);
        int (*sb_mount) (char *dev_name, struct path *path,
                         char *type, unsigned long flags, void *data);
@@ -1343,8 +1339,6 @@ struct security_operations {
                             struct path *new_path);
        void (*sb_post_pivotroot) (struct path *old_path,
                                   struct path *new_path);
-        int (*sb_get_mnt_opts) (const struct super_block *sb,
-                                struct security_mnt_opts *opts);
        int (*sb_set_mnt_opts) (struct super_block *sb,
                                struct security_mnt_opts *opts);
        void (*sb_clone_mnt_opts) (const struct super_block *oldsb,
@@ -1472,10 +1466,6 @@ struct security_operations {
        int (*netlink_send) (struct sock *sk, struct sk_buff *skb);
        int (*netlink_recv) (struct sk_buff *skb, int cap);
-        /* allow module stacking */
-        int (*register_security) (const char *name,
-                                  struct security_operations *ops);
        void (*d_instantiate) (struct dentry *dentry, struct inode *inode);
        int (*getprocattr) (struct task_struct *p, char *name, char **value);
@@ -1565,7 +1555,6 @@ struct security_operations {
 extern int security_init(void);
 extern int security_module_enable(struct security_operations *ops);
 extern int register_security(struct security_operations *ops);
-extern int mod_reg_security(const char *name, struct security_operations *ops);
 extern struct dentry *securityfs_create_file(const char *name, mode_t mode,
                                             struct dentry *parent, void *data,
                                             const struct file_operations *fops);
@@ -1573,7 +1562,8 @@ extern struct dentry *securityfs_create_dir(const char *name, struct dentry *par
 extern void securityfs_remove(struct dentry *dentry);
 /* Security operations */
-int security_ptrace(struct task_struct *parent, struct task_struct *child);
+int security_ptrace(struct task_struct *parent, struct task_struct *child,
+                    unsigned int mode);
 int security_capget(struct task_struct *target,
                    kernel_cap_t *effective,
                    kernel_cap_t *inheritable,
@@ -1606,6 +1596,7 @@ int security_sb_alloc(struct super_block *sb);
 void security_sb_free(struct super_block *sb);
 int security_sb_copy_data(char *orig, char *copy);
 int security_sb_kern_mount(struct super_block *sb, void *data);
+int security_sb_show_options(struct seq_file *m, struct super_block *sb);
 int security_sb_statfs(struct dentry *dentry);
 int security_sb_mount(char *dev_name, struct path *path,
                      char *type, unsigned long flags, void *data);
@@ -1617,8 +1608,6 @@ void security_sb_post_remount(struct vfsmount *mnt, unsigned long flags, void *d
 void security_sb_post_addmount(struct vfsmount *mnt, struct path *mountpoint);
 int security_sb_pivotroot(struct path *old_path, struct path *new_path);
 void security_sb_post_pivotroot(struct path *old_path, struct path *new_path);
-int security_sb_get_mnt_opts(const struct super_block *sb,
-                                struct security_mnt_opts *opts);
 int security_sb_set_mnt_opts(struct super_block *sb, struct security_mnt_opts *opts);
 void security_sb_clone_mnt_opts(const struct super_block *oldsb,
                                struct super_block *newsb);
@@ -1755,9 +1744,11 @@ static inline int security_init(void)
        return 0;
 }
-static inline int security_ptrace(struct task_struct *parent, struct task_struct *child)
+static inline int security_ptrace(struct task_struct *parent,
+                                  struct task_struct *child,
+                                  unsigned int mode)
 {
-        return cap_ptrace(parent, child);
+        return cap_ptrace(parent, child, mode);
 }
 static inline int security_capget(struct task_struct *target,
@@ -1881,6 +1872,12 @@ static inline int security_sb_kern_mount(struct super_block *sb, void *data)
        return 0;
 }
+static inline int security_sb_show_options(struct seq_file *m,
+                                           struct super_block *sb)
+{
+        return 0;
+}
 static inline int security_sb_statfs(struct dentry *dentry)
 {
        return 0;
@@ -1927,12 +1924,6 @@ static inline int security_sb_pivotroot(struct path *old_path,
 static inline void security_sb_post_pivotroot(struct path *old_path,
                                              struct path *new_path)
 { }
-static inline int security_sb_get_mnt_opts(const struct super_block *sb,
-                                           struct security_mnt_opts *opts)
-{
-        security_init_mnt_opts(opts);
-        return 0;
-}
 static inline int security_sb_set_mnt_opts(struct super_block *sb,
                                           struct security_mnt_opts *opts)
author	Linus Torvalds <torvalds@linux-foundation.org>	2008-07-14 16:36:55 -0400
committer	Linus Torvalds <torvalds@linux-foundation.org>	2008-07-14 16:36:55 -0400
commit	847106ff628805e1a0aa91e7f53381f3fdfcd839 (patch)
tree	457c8d6a5ff20f4d0f28634a196f92273298e49e /include
parent	c142bda458a9c81097238800e1bd8eeeea09913d (diff)
parent	6f0f0fd496333777d53daff21a4e3b28c4d03a6d (diff)