diff options
author | Linus Torvalds <torvalds@linux-foundation.org> | 2010-05-20 11:55:50 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2010-05-20 11:55:50 -0400 |
commit | 96b5b7f4f2d59b37c1fc2fba1ae25999accd6dcd (patch) | |
tree | cda421c6cd7533940b35504660a05a366a3ece0c /kernel | |
parent | f72caf7e496465182eeda842ac66a5e75404ddf1 (diff) | |
parent | 539c99fd7fc28f8db257c713c10fb4aceadf8887 (diff) |
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6: (61 commits)
KEYS: Return more accurate error codes
LSM: Add __init to fixup function.
TOMOYO: Add pathname grouping support.
ima: remove ACPI dependency
TPM: ACPI/PNP dependency removal
security/selinux/ss: Use kstrdup
TOMOYO: Use stack memory for pending entry.
Revert "ima: remove ACPI dependency"
Revert "TPM: ACPI/PNP dependency removal"
KEYS: Do preallocation for __key_link()
TOMOYO: Use mutex_lock_interruptible.
KEYS: Better handling of errors from construct_alloc_key()
KEYS: keyring_serialise_link_sem is only needed for keyring->keyring links
TOMOYO: Use GFP_NOFS rather than GFP_KERNEL.
ima: remove ACPI dependency
TPM: ACPI/PNP dependency removal
selinux: generalize disabling of execmem for plt-in-heap archs
LSM Audit: rename LSM_AUDIT_NO_AUDIT to LSM_AUDIT_DATA_NONE
CRED: Holding a spinlock does not imply the holding of RCU read lock
SMACK: Don't #include Ext2 headers
...
Diffstat (limited to 'kernel')
-rw-r--r-- | kernel/acct.c | 20 | ||||
-rw-r--r-- | kernel/cred.c | 2 | ||||
-rw-r--r-- | kernel/groups.c | 6 | ||||
-rw-r--r-- | kernel/sys.c | 31 |
4 files changed, 5 insertions, 54 deletions
diff --git a/kernel/acct.c b/kernel/acct.c index e4c0e1fee9b0..385b88461c29 100644 --- a/kernel/acct.c +++ b/kernel/acct.c | |||
@@ -216,7 +216,6 @@ static int acct_on(char *name) | |||
216 | { | 216 | { |
217 | struct file *file; | 217 | struct file *file; |
218 | struct vfsmount *mnt; | 218 | struct vfsmount *mnt; |
219 | int error; | ||
220 | struct pid_namespace *ns; | 219 | struct pid_namespace *ns; |
221 | struct bsd_acct_struct *acct = NULL; | 220 | struct bsd_acct_struct *acct = NULL; |
222 | 221 | ||
@@ -244,13 +243,6 @@ static int acct_on(char *name) | |||
244 | } | 243 | } |
245 | } | 244 | } |
246 | 245 | ||
247 | error = security_acct(file); | ||
248 | if (error) { | ||
249 | kfree(acct); | ||
250 | filp_close(file, NULL); | ||
251 | return error; | ||
252 | } | ||
253 | |||
254 | spin_lock(&acct_lock); | 246 | spin_lock(&acct_lock); |
255 | if (ns->bacct == NULL) { | 247 | if (ns->bacct == NULL) { |
256 | ns->bacct = acct; | 248 | ns->bacct = acct; |
@@ -281,7 +273,7 @@ static int acct_on(char *name) | |||
281 | */ | 273 | */ |
282 | SYSCALL_DEFINE1(acct, const char __user *, name) | 274 | SYSCALL_DEFINE1(acct, const char __user *, name) |
283 | { | 275 | { |
284 | int error; | 276 | int error = 0; |
285 | 277 | ||
286 | if (!capable(CAP_SYS_PACCT)) | 278 | if (!capable(CAP_SYS_PACCT)) |
287 | return -EPERM; | 279 | return -EPERM; |
@@ -299,13 +291,11 @@ SYSCALL_DEFINE1(acct, const char __user *, name) | |||
299 | if (acct == NULL) | 291 | if (acct == NULL) |
300 | return 0; | 292 | return 0; |
301 | 293 | ||
302 | error = security_acct(NULL); | 294 | spin_lock(&acct_lock); |
303 | if (!error) { | 295 | acct_file_reopen(acct, NULL, NULL); |
304 | spin_lock(&acct_lock); | 296 | spin_unlock(&acct_lock); |
305 | acct_file_reopen(acct, NULL, NULL); | ||
306 | spin_unlock(&acct_lock); | ||
307 | } | ||
308 | } | 297 | } |
298 | |||
309 | return error; | 299 | return error; |
310 | } | 300 | } |
311 | 301 | ||
diff --git a/kernel/cred.c b/kernel/cred.c index 8f3672a58a1e..2c24870c55d1 100644 --- a/kernel/cred.c +++ b/kernel/cred.c | |||
@@ -522,8 +522,6 @@ int commit_creds(struct cred *new) | |||
522 | #endif | 522 | #endif |
523 | BUG_ON(atomic_read(&new->usage) < 1); | 523 | BUG_ON(atomic_read(&new->usage) < 1); |
524 | 524 | ||
525 | security_commit_creds(new, old); | ||
526 | |||
527 | get_cred(new); /* we will require a ref for the subj creds too */ | 525 | get_cred(new); /* we will require a ref for the subj creds too */ |
528 | 526 | ||
529 | /* dumpability changes */ | 527 | /* dumpability changes */ |
diff --git a/kernel/groups.c b/kernel/groups.c index 2b45b2ee3964..53b1916c9492 100644 --- a/kernel/groups.c +++ b/kernel/groups.c | |||
@@ -164,12 +164,6 @@ int groups_search(const struct group_info *group_info, gid_t grp) | |||
164 | */ | 164 | */ |
165 | int set_groups(struct cred *new, struct group_info *group_info) | 165 | int set_groups(struct cred *new, struct group_info *group_info) |
166 | { | 166 | { |
167 | int retval; | ||
168 | |||
169 | retval = security_task_setgroups(group_info); | ||
170 | if (retval) | ||
171 | return retval; | ||
172 | |||
173 | put_group_info(new->group_info); | 167 | put_group_info(new->group_info); |
174 | groups_sort(group_info); | 168 | groups_sort(group_info); |
175 | get_group_info(group_info); | 169 | get_group_info(group_info); |
diff --git a/kernel/sys.c b/kernel/sys.c index 7cb426a58965..0d36d889c74d 100644 --- a/kernel/sys.c +++ b/kernel/sys.c | |||
@@ -492,10 +492,6 @@ SYSCALL_DEFINE2(setregid, gid_t, rgid, gid_t, egid) | |||
492 | return -ENOMEM; | 492 | return -ENOMEM; |
493 | old = current_cred(); | 493 | old = current_cred(); |
494 | 494 | ||
495 | retval = security_task_setgid(rgid, egid, (gid_t)-1, LSM_SETID_RE); | ||
496 | if (retval) | ||
497 | goto error; | ||
498 | |||
499 | retval = -EPERM; | 495 | retval = -EPERM; |
500 | if (rgid != (gid_t) -1) { | 496 | if (rgid != (gid_t) -1) { |
501 | if (old->gid == rgid || | 497 | if (old->gid == rgid || |
@@ -543,10 +539,6 @@ SYSCALL_DEFINE1(setgid, gid_t, gid) | |||
543 | return -ENOMEM; | 539 | return -ENOMEM; |
544 | old = current_cred(); | 540 | old = current_cred(); |
545 | 541 | ||
546 | retval = security_task_setgid(gid, (gid_t)-1, (gid_t)-1, LSM_SETID_ID); | ||
547 | if (retval) | ||
548 | goto error; | ||
549 | |||
550 | retval = -EPERM; | 542 | retval = -EPERM; |
551 | if (capable(CAP_SETGID)) | 543 | if (capable(CAP_SETGID)) |
552 | new->gid = new->egid = new->sgid = new->fsgid = gid; | 544 | new->gid = new->egid = new->sgid = new->fsgid = gid; |
@@ -610,10 +602,6 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, uid_t, euid) | |||
610 | return -ENOMEM; | 602 | return -ENOMEM; |
611 | old = current_cred(); | 603 | old = current_cred(); |
612 | 604 | ||
613 | retval = security_task_setuid(ruid, euid, (uid_t)-1, LSM_SETID_RE); | ||
614 | if (retval) | ||
615 | goto error; | ||
616 | |||
617 | retval = -EPERM; | 605 | retval = -EPERM; |
618 | if (ruid != (uid_t) -1) { | 606 | if (ruid != (uid_t) -1) { |
619 | new->uid = ruid; | 607 | new->uid = ruid; |
@@ -675,10 +663,6 @@ SYSCALL_DEFINE1(setuid, uid_t, uid) | |||
675 | return -ENOMEM; | 663 | return -ENOMEM; |
676 | old = current_cred(); | 664 | old = current_cred(); |
677 | 665 | ||
678 | retval = security_task_setuid(uid, (uid_t)-1, (uid_t)-1, LSM_SETID_ID); | ||
679 | if (retval) | ||
680 | goto error; | ||
681 | |||
682 | retval = -EPERM; | 666 | retval = -EPERM; |
683 | if (capable(CAP_SETUID)) { | 667 | if (capable(CAP_SETUID)) { |
684 | new->suid = new->uid = uid; | 668 | new->suid = new->uid = uid; |
@@ -719,9 +703,6 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid, uid_t, euid, uid_t, suid) | |||
719 | if (!new) | 703 | if (!new) |
720 | return -ENOMEM; | 704 | return -ENOMEM; |
721 | 705 | ||
722 | retval = security_task_setuid(ruid, euid, suid, LSM_SETID_RES); | ||
723 | if (retval) | ||
724 | goto error; | ||
725 | old = current_cred(); | 706 | old = current_cred(); |
726 | 707 | ||
727 | retval = -EPERM; | 708 | retval = -EPERM; |
@@ -788,10 +769,6 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid, gid_t, egid, gid_t, sgid) | |||
788 | return -ENOMEM; | 769 | return -ENOMEM; |
789 | old = current_cred(); | 770 | old = current_cred(); |
790 | 771 | ||
791 | retval = security_task_setgid(rgid, egid, sgid, LSM_SETID_RES); | ||
792 | if (retval) | ||
793 | goto error; | ||
794 | |||
795 | retval = -EPERM; | 772 | retval = -EPERM; |
796 | if (!capable(CAP_SETGID)) { | 773 | if (!capable(CAP_SETGID)) { |
797 | if (rgid != (gid_t) -1 && rgid != old->gid && | 774 | if (rgid != (gid_t) -1 && rgid != old->gid && |
@@ -851,9 +828,6 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid) | |||
851 | old = current_cred(); | 828 | old = current_cred(); |
852 | old_fsuid = old->fsuid; | 829 | old_fsuid = old->fsuid; |
853 | 830 | ||
854 | if (security_task_setuid(uid, (uid_t)-1, (uid_t)-1, LSM_SETID_FS) < 0) | ||
855 | goto error; | ||
856 | |||
857 | if (uid == old->uid || uid == old->euid || | 831 | if (uid == old->uid || uid == old->euid || |
858 | uid == old->suid || uid == old->fsuid || | 832 | uid == old->suid || uid == old->fsuid || |
859 | capable(CAP_SETUID)) { | 833 | capable(CAP_SETUID)) { |
@@ -864,7 +838,6 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid) | |||
864 | } | 838 | } |
865 | } | 839 | } |
866 | 840 | ||
867 | error: | ||
868 | abort_creds(new); | 841 | abort_creds(new); |
869 | return old_fsuid; | 842 | return old_fsuid; |
870 | 843 | ||
@@ -888,9 +861,6 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid) | |||
888 | old = current_cred(); | 861 | old = current_cred(); |
889 | old_fsgid = old->fsgid; | 862 | old_fsgid = old->fsgid; |
890 | 863 | ||
891 | if (security_task_setgid(gid, (gid_t)-1, (gid_t)-1, LSM_SETID_FS)) | ||
892 | goto error; | ||
893 | |||
894 | if (gid == old->gid || gid == old->egid || | 864 | if (gid == old->gid || gid == old->egid || |
895 | gid == old->sgid || gid == old->fsgid || | 865 | gid == old->sgid || gid == old->fsgid || |
896 | capable(CAP_SETGID)) { | 866 | capable(CAP_SETGID)) { |
@@ -900,7 +870,6 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid) | |||
900 | } | 870 | } |
901 | } | 871 | } |
902 | 872 | ||
903 | error: | ||
904 | abort_creds(new); | 873 | abort_creds(new); |
905 | return old_fsgid; | 874 | return old_fsgid; |
906 | 875 | ||