diff options
| author | Glenn Elliott <gelliott@cs.unc.edu> | 2012-03-04 19:47:13 -0500 |
|---|---|---|
| committer | Glenn Elliott <gelliott@cs.unc.edu> | 2012-03-04 19:47:13 -0500 |
| commit | c71c03bda1e86c9d5198c5d83f712e695c4f2a1e (patch) | |
| tree | ecb166cb3e2b7e2adb3b5e292245fefd23381ac8 /security/apparmor/lsm.c | |
| parent | ea53c912f8a86a8567697115b6a0d8152beee5c8 (diff) | |
| parent | 6a00f206debf8a5c8899055726ad127dbeeed098 (diff) | |
Merge branch 'mpi-master' into wip-k-fmlpwip-k-fmlp
Conflicts:
litmus/sched_cedf.c
Diffstat (limited to 'security/apparmor/lsm.c')
| -rw-r--r-- | security/apparmor/lsm.c | 18 |
1 files changed, 10 insertions, 8 deletions
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index cf1de4462ccd..3d2fd141dff7 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c | |||
| @@ -22,6 +22,7 @@ | |||
| 22 | #include <linux/ctype.h> | 22 | #include <linux/ctype.h> |
| 23 | #include <linux/sysctl.h> | 23 | #include <linux/sysctl.h> |
| 24 | #include <linux/audit.h> | 24 | #include <linux/audit.h> |
| 25 | #include <linux/user_namespace.h> | ||
| 25 | #include <net/sock.h> | 26 | #include <net/sock.h> |
| 26 | 27 | ||
| 27 | #include "include/apparmor.h" | 28 | #include "include/apparmor.h" |
| @@ -136,11 +137,11 @@ static int apparmor_capget(struct task_struct *target, kernel_cap_t *effective, | |||
| 136 | } | 137 | } |
| 137 | 138 | ||
| 138 | static int apparmor_capable(struct task_struct *task, const struct cred *cred, | 139 | static int apparmor_capable(struct task_struct *task, const struct cred *cred, |
| 139 | int cap, int audit) | 140 | struct user_namespace *ns, int cap, int audit) |
| 140 | { | 141 | { |
| 141 | struct aa_profile *profile; | 142 | struct aa_profile *profile; |
| 142 | /* cap_capable returns 0 on success, else -EPERM */ | 143 | /* cap_capable returns 0 on success, else -EPERM */ |
| 143 | int error = cap_capable(task, cred, cap, audit); | 144 | int error = cap_capable(task, cred, ns, cap, audit); |
| 144 | if (!error) { | 145 | if (!error) { |
| 145 | profile = aa_cred_profile(cred); | 146 | profile = aa_cred_profile(cred); |
| 146 | if (!unconfined(profile)) | 147 | if (!unconfined(profile)) |
| @@ -592,7 +593,8 @@ static int apparmor_setprocattr(struct task_struct *task, char *name, | |||
| 592 | sa.aad.op = OP_SETPROCATTR; | 593 | sa.aad.op = OP_SETPROCATTR; |
| 593 | sa.aad.info = name; | 594 | sa.aad.info = name; |
| 594 | sa.aad.error = -EINVAL; | 595 | sa.aad.error = -EINVAL; |
| 595 | return aa_audit(AUDIT_APPARMOR_DENIED, NULL, GFP_KERNEL, | 596 | return aa_audit(AUDIT_APPARMOR_DENIED, |
| 597 | __aa_current_profile(), GFP_KERNEL, | ||
| 596 | &sa, NULL); | 598 | &sa, NULL); |
| 597 | } | 599 | } |
| 598 | } else if (strcmp(name, "exec") == 0) { | 600 | } else if (strcmp(name, "exec") == 0) { |
| @@ -610,7 +612,7 @@ static int apparmor_setprocattr(struct task_struct *task, char *name, | |||
| 610 | static int apparmor_task_setrlimit(struct task_struct *task, | 612 | static int apparmor_task_setrlimit(struct task_struct *task, |
| 611 | unsigned int resource, struct rlimit *new_rlim) | 613 | unsigned int resource, struct rlimit *new_rlim) |
| 612 | { | 614 | { |
| 613 | struct aa_profile *profile = aa_current_profile(); | 615 | struct aa_profile *profile = __aa_current_profile(); |
| 614 | int error = 0; | 616 | int error = 0; |
| 615 | 617 | ||
| 616 | if (!unconfined(profile)) | 618 | if (!unconfined(profile)) |
| @@ -693,11 +695,9 @@ static struct kernel_param_ops param_ops_aalockpolicy = { | |||
| 693 | 695 | ||
| 694 | static int param_set_audit(const char *val, struct kernel_param *kp); | 696 | static int param_set_audit(const char *val, struct kernel_param *kp); |
| 695 | static int param_get_audit(char *buffer, struct kernel_param *kp); | 697 | static int param_get_audit(char *buffer, struct kernel_param *kp); |
| 696 | #define param_check_audit(name, p) __param_check(name, p, int) | ||
| 697 | 698 | ||
| 698 | static int param_set_mode(const char *val, struct kernel_param *kp); | 699 | static int param_set_mode(const char *val, struct kernel_param *kp); |
| 699 | static int param_get_mode(char *buffer, struct kernel_param *kp); | 700 | static int param_get_mode(char *buffer, struct kernel_param *kp); |
| 700 | #define param_check_mode(name, p) __param_check(name, p, int) | ||
| 701 | 701 | ||
| 702 | /* Flag values, also controllable via /sys/module/apparmor/parameters | 702 | /* Flag values, also controllable via /sys/module/apparmor/parameters |
| 703 | * We define special types as we want to do additional mediation. | 703 | * We define special types as we want to do additional mediation. |
| @@ -922,7 +922,7 @@ static int __init apparmor_init(void) | |||
| 922 | error = register_security(&apparmor_ops); | 922 | error = register_security(&apparmor_ops); |
| 923 | if (error) { | 923 | if (error) { |
| 924 | AA_ERROR("Unable to register AppArmor\n"); | 924 | AA_ERROR("Unable to register AppArmor\n"); |
| 925 | goto register_security_out; | 925 | goto set_init_cxt_out; |
| 926 | } | 926 | } |
| 927 | 927 | ||
| 928 | /* Report that AppArmor successfully initialized */ | 928 | /* Report that AppArmor successfully initialized */ |
| @@ -936,6 +936,9 @@ static int __init apparmor_init(void) | |||
| 936 | 936 | ||
| 937 | return error; | 937 | return error; |
| 938 | 938 | ||
| 939 | set_init_cxt_out: | ||
| 940 | aa_free_task_context(current->real_cred->security); | ||
| 941 | |||
| 939 | register_security_out: | 942 | register_security_out: |
| 940 | aa_free_root_ns(); | 943 | aa_free_root_ns(); |
| 941 | 944 | ||
| @@ -944,7 +947,6 @@ alloc_out: | |||
| 944 | 947 | ||
| 945 | apparmor_enabled = 0; | 948 | apparmor_enabled = 0; |
| 946 | return error; | 949 | return error; |
| 947 | |||
| 948 | } | 950 | } |
| 949 | 951 | ||
| 950 | security_initcall(apparmor_init); | 952 | security_initcall(apparmor_init); |