| author | Linus Torvalds <torvalds@linux-foundation.org> | 2012-05-21 23:27:36 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2012-05-21 23:27:36 -0400 |
| commit | cb60e3e65c1b96a4d6444a7a13dc7dd48bc15a2b (patch) | |
| tree | 4322be35db678f6299348a76ad60a2023954af7d /net | |
| parent | 99262a3dafa3290866512ddfb32609198f8973e9 (diff) | |
| parent | ff2bb047c4bce9742e94911eeb44b4d6ff4734ab (diff) | |
Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull security subsystem updates from James Morris:
"New notable features:
- The seccomp work from Will Drewry
- PR_{GET,SET}_NO_NEW_PRIVS from Andy Lutomirski
- Longer security labels for Smack from Casey Schaufler
- Additional ptrace restriction modes for Yama by Kees Cook"
Fix up trivial context conflicts in arch/x86/Kconfig and include/linux/filter.h
* 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (65 commits)
apparmor: fix long path failure due to disconnected path
apparmor: fix profile lookup for unconfined
ima: fix filename hint to reflect script interpreter name
KEYS: Don't check for NULL key pointer in key_validate()
Smack: allow for significantly longer Smack labels v4
gfp flags for security_inode_alloc()?
Smack: recursive tramsmute
Yama: replace capable() with ns_capable()
TOMOYO: Accept manager programs which do not start with / .
KEYS: Add invalidation support
KEYS: Do LRU discard in full keyrings
KEYS: Permit in-place link replacement in keyring list
KEYS: Perform RCU synchronisation on keys prior to key destruction
KEYS: Announce key type (un)registration
KEYS: Reorganise keys Makefile
KEYS: Move the key config into security/keys/Kconfig
KEYS: Use the compat keyctl() syscall wrapper on Sparc64 for Sparc32 compat
Yama: remove an unused variable
samples/seccomp: fix dependencies on arch macros
Yama: add additional ptrace scopes
...
Diffstat (limited to 'net')
| -rw-r--r-- | net/compat.c | 8 | ||||
| -rw-r--r-- | net/core/filter.c | 6 | ||||
| -rw-r--r-- | net/dns_resolver/dns_key.c | 5 | ||||
| -rw-r--r-- | net/xfrm/xfrm_policy.c | 1 |
4 files changed, 7 insertions, 13 deletions
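--- a/net/compat.c
+++ b/net/compat.c
@@ -328,14 +328,6 @@ void scm_detach_fds_compat(struct msghdr *kmsg, struct scm_cookie *scm)
 __scm_destroy(scm);
 }
 
-/*
-* A struct sock_filter is architecture independent.
-*/
-struct compat_sock_fprog {
-u16 len;
-compat_uptr_t filter; /* struct sock_filter * */
-};
-
 static int do_set_attach_filter(struct socket *sock, int level, int optname,
 char __user *optval, unsigned int optlen)
 {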
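--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -38,6 +38,7 @@
 #include <linux/filter.h>
 #include <linux/reciprocal_div.h>
 #include <linux/ratelimit.h>
+#include <linux/seccomp.h>
 
 /* No hurry in this branch
 *
@@ -355,6 +356,11 @@ load_b:
 A = 0;
 continue;
 }
+#ifdef CONFIG_SECCOMP_FILTER
+case BPF_S_ANC_SECCOMP_LD_W:
+A = seccomp_bpf_load(fentry->k);
+continue;
+#endif
 default:
 WARN_RATELIMIT(1, "Unknown code:%u jt:%u tf:%u k:%u\n",
 fentry->code, fentry->jt,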
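Review bot: The new BPF_S_ANC_SECCOMP_LD_W case passes the filter-supplied constant `fentry->k` straight into seccomp_bpf_load() without saying who bounds-checks that offset; the generic filter checker cannot know the layout of the seccomp data, so the responsibility should be stated at the call site. I would put above the case `/* k is a filter-supplied offset into the seccomp data; seccomp_bpf_load() must reject out-of-range offsets — confirm against its definition */`. The enclosing function (the switch under the load_b label) starts and ends outside the hunk, so the neighbouring ancillary cases are not visible here.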
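--- a/net/dns_resolver/dns_key.c
+++ b/net/dns_resolver/dns_key.c
@@ -249,9 +249,6 @@ static int __init init_dns_resolver(void)
 struct key *keyring;
 int ret;
 
-printk(KERN_NOTICE "Registering the %s key type\n",
-key_type_dns_resolver.name);
-
 /* create an override credential set with a special thread keyring in
 * which DNS requests are cached
 *
@@ -301,8 +298,6 @@ static void __exit exit_dns_resolver(void)
 key_revoke(dns_resolver_cache->thread_keyring);
 unregister_key_type(&key_type_dns_resolver);
 put_cred(dns_resolver_cache);
-printk(KERN_NOTICE "Unregistered %s key type\n",
-key_type_dns_resolver.name);
 }
 
 module_init(init_dns_resolver)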
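--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -26,6 +26,7 @@
 #include <linux/cache.h>
 #include <linux/audit.h>
 #include <net/dst.h>
+#include <net/flow.h>
 #include <net/xfrm.h>
 #include <net/ip.h>
 #ifdef CONFIG_XFRM_STATISTICS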
