Merge tag 'v3.13-rc4' into core/locking

Merge Linux 3.13-rc4, to refresh this rather old tree with the latest fixes. Signed-off-by: Ingo Molnar <mingo@kernel.org>
author: Ingo Molnar <mingo@kernel.org> 2013-12-17 09:27:08 -0500
committer: Ingo Molnar <mingo@kernel.org> 2013-12-17 09:27:08 -0500
commit: bb799d3b980eb803ca2da4a4eefbd9308f8d988a (patch)
tree: 69fbe0cd6d47b23a50f5e1d87bf7489532fae149 /security/apparmor
parent: 919fc6e34831d1c2b58bfb5ae261dc3facc9b269 (diff)
parent: 319e2e3f63c348a9b66db4667efa73178e18b17d (diff)
8 files changed, 22 insertions, 44 deletions
diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c
index 031d2d9dd695..89c78658031f 100644
--- a/security/apparmor/audit.c
+++ b/security/apparmor/audit.c
@@ -111,7 +111,6 @@ static const char *const aa_audit_type[] = {
 static void audit_pre(struct audit_buffer *ab, void *ca)
 {
        struct common_audit_data *sa = ca;
-        struct task_struct *tsk = sa->aad->tsk ? sa->aad->tsk : current;
        if (aa_g_audit_header) {
                audit_log_format(ab, "apparmor=");
@@ -132,11 +131,6 @@ static void audit_pre(struct audit_buffer *ab, void *ca)
        if (sa->aad->profile) {
                struct aa_profile *profile = sa->aad->profile;
-                pid_t pid;
-                rcu_read_lock();
-                pid = rcu_dereference(tsk->real_parent)->pid;
-                rcu_read_unlock();
-                audit_log_format(ab, " parent=%d", pid);
                if (profile->ns != root_ns) {
                        audit_log_format(ab, " namespace=");
                        audit_log_untrustedstring(ab, profile->ns->base.hname);
@@ -149,12 +143,6 @@ static void audit_pre(struct audit_buffer *ab, void *ca)
                audit_log_format(ab, " name=");
                audit_log_untrustedstring(ab, sa->aad->name);
        }
-        if (sa->aad->tsk) {
-                audit_log_format(ab, " pid=%d comm=", tsk->pid);
-                audit_log_untrustedstring(ab, tsk->comm);
-        }
 }
 /**
@@ -212,7 +200,7 @@ int aa_audit(int type, struct aa_profile *profile, gfp_t gfp,
        if (sa->aad->type == AUDIT_APPARMOR_KILL)
                (void)send_sig_info(SIGKILL, NULL,
-                                    sa->aad->tsk ?  sa->aad->tsk : current);
+                                    sa->u.tsk ?  sa->u.tsk : current);
        if (sa->aad->type == AUDIT_APPARMOR_ALLOWED)
                return complain_error(sa->aad->error);
diff --git a/security/apparmor/capability.c b/security/apparmor/capability.c
index 84d1f5f53877..1101c6f64bb7 100644
--- a/security/apparmor/capability.c
+++ b/security/apparmor/capability.c
@@ -53,8 +53,7 @@ static void audit_cb(struct audit_buffer *ab, void *va)
 /**
 * audit_caps - audit a capability
- * @profile: profile confining task (NOT NULL)
+ * @profile: profile being tested for confinement (NOT NULL)
- * @task: task capability test was performed against (NOT NULL)
 * @cap: capability tested
 * @error: error code returned by test
 *
@@ -63,8 +62,7 @@ static void audit_cb(struct audit_buffer *ab, void *va)
 *
 * Returns: 0 or sa->error on success,  error code on failure
 */
-static int audit_caps(struct aa_profile *profile, struct task_struct *task,
+static int audit_caps(struct aa_profile *profile, int cap, int error)
-                      int cap, int error)
 {
        struct audit_cache *ent;
        int type = AUDIT_APPARMOR_AUTO;
@@ -73,7 +71,6 @@ static int audit_caps(struct aa_profile *profile, struct task_struct *task,
        sa.type = LSM_AUDIT_DATA_CAP;
        sa.aad = &aad;
        sa.u.cap = cap;
-        sa.aad->tsk = task;
        sa.aad->op = OP_CAPABLE;
        sa.aad->error = error;
@@ -124,8 +121,7 @@ static int profile_capable(struct aa_profile *profile, int cap)
 /**
 * aa_capable - test permission to use capability
- * @task: task doing capability test against (NOT NULL)
+ * @profile: profile being tested against (NOT NULL)
- * @profile: profile confining @task (NOT NULL)
 * @cap: capability to be tested
 * @audit: whether an audit record should be generated
 *
@@ -133,8 +129,7 @@ static int profile_capable(struct aa_profile *profile, int cap)
 *
 * Returns: 0 on success, or else an error code.
 */
-int aa_capable(struct task_struct *task, struct aa_profile *profile, int cap,
+int aa_capable(struct aa_profile *profile, int cap, int audit)
-               int audit)
 {
        int error = profile_capable(profile, cap);
@@ -144,5 +139,5 @@ int aa_capable(struct task_struct *task, struct aa_profile *profile, int cap,
                return error;
        }
-        return audit_caps(profile, task, cap, error);
+        return audit_caps(profile, cap, error);
 }
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index 26c607c971f5..452567d3a08e 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -50,23 +50,21 @@ void aa_free_domain_entries(struct aa_domain *domain)
 /**
 * may_change_ptraced_domain - check if can change profile on ptraced task
- * @task: task we want to change profile of   (NOT NULL)
 * @to_profile: profile to change to  (NOT NULL)
 *
- * Check if the task is ptraced and if so if the tracing task is allowed
+ * Check if current is ptraced and if so if the tracing task is allowed
 * to trace the new domain
 *
 * Returns: %0 or error if change not allowed
 */
-static int may_change_ptraced_domain(struct task_struct *task,
+static int may_change_ptraced_domain(struct aa_profile *to_profile)
-                                     struct aa_profile *to_profile)
 {
        struct task_struct *tracer;
        struct aa_profile *tracerp = NULL;
        int error = 0;
        rcu_read_lock();
-        tracer = ptrace_parent(task);
+        tracer = ptrace_parent(current);
        if (tracer)
                /* released below */
                tracerp = aa_get_task_profile(tracer);
@@ -75,7 +73,7 @@ static int may_change_ptraced_domain(struct task_struct *task,
        if (!tracer || unconfined(tracerp))
                goto out;
-        error = aa_may_ptrace(tracer, tracerp, to_profile, PTRACE_MODE_ATTACH);
+        error = aa_may_ptrace(tracerp, to_profile, PTRACE_MODE_ATTACH);
 out:
        rcu_read_unlock();
@@ -477,7 +475,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
        }
        if (bprm->unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
-                error = may_change_ptraced_domain(current, new_profile);
+                error = may_change_ptraced_domain(new_profile);
                if (error) {
                        aa_put_profile(new_profile);
                        goto audit;
@@ -690,7 +688,7 @@ int aa_change_hat(const char *hats[], int count, u64 token, bool permtest)
                        }
                }
-                error = may_change_ptraced_domain(current, hat);
+                error = may_change_ptraced_domain(hat);
                if (error) {
                        info = "ptraced";
                        error = -EPERM;
@@ -829,7 +827,7 @@ int aa_change_profile(const char *ns_name, const char *hname, bool onexec,
        }
        /* check if tracing task is allowed to trace target domain */
-        error = may_change_ptraced_domain(current, target);
+        error = may_change_ptraced_domain(target);
        if (error) {
                info = "ptrace prevents transition";
                goto audit;
diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h
index 30e8d7687259..ba3dfd17f23f 100644
--- a/security/apparmor/include/audit.h
+++ b/security/apparmor/include/audit.h
@@ -109,7 +109,6 @@ struct apparmor_audit_data {
        void *profile;
        const char *name;
        const char *info;
-        struct task_struct *tsk;
        union {
                void *target;
                struct {
diff --git a/security/apparmor/include/capability.h b/security/apparmor/include/capability.h
index 2e7c9d6a2f3b..fc3fa381d850 100644
--- a/security/apparmor/include/capability.h
+++ b/security/apparmor/include/capability.h
@@ -4,7 +4,7 @@
 * This file contains AppArmor capability mediation definitions.
 *
 * Copyright (C) 1998-2008 Novell/SUSE
- * Copyright 2009-2010 Canonical Ltd.
+ * Copyright 2009-2013 Canonical Ltd.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License as
@@ -38,8 +38,7 @@ struct aa_caps {
 extern struct aa_fs_entry aa_fs_entry_caps[];
-int aa_capable(struct task_struct *task, struct aa_profile *profile, int cap,
+int aa_capable(struct aa_profile *profile, int cap, int audit);
-               int audit);
 static inline void aa_free_cap_rules(struct aa_caps *caps)
 {
diff --git a/security/apparmor/include/ipc.h b/security/apparmor/include/ipc.h
index aeda0fbc8b2f..288ca76e2fb1 100644
--- a/security/apparmor/include/ipc.h
+++ b/security/apparmor/include/ipc.h
@@ -19,8 +19,8 @@
 struct aa_profile;
-int aa_may_ptrace(struct task_struct *tracer_task, struct aa_profile *tracer,
+int aa_may_ptrace(struct aa_profile *tracer, struct aa_profile *tracee,
-                  struct aa_profile *tracee, unsigned int mode);
+                  unsigned int mode);
 int aa_ptrace(struct task_struct *tracer, struct task_struct *tracee,
              unsigned int mode);
diff --git a/security/apparmor/ipc.c b/security/apparmor/ipc.c
index c51d2266587e..777ac1c47253 100644
--- a/security/apparmor/ipc.c
+++ b/security/apparmor/ipc.c
@@ -54,15 +54,14 @@ static int aa_audit_ptrace(struct aa_profile *profile,
 /**
 * aa_may_ptrace - test if tracer task can trace the tracee
- * @tracer_task: task who will do the tracing  (NOT NULL)
 * @tracer: profile of the task doing the tracing  (NOT NULL)
 * @tracee: task to be traced
 * @mode: whether PTRACE_MODE_READ || PTRACE_MODE_ATTACH
 *
 * Returns: %0 else error code if permission denied or error
 */
-int aa_may_ptrace(struct task_struct *tracer_task, struct aa_profile *tracer,
+int aa_may_ptrace(struct aa_profile *tracer, struct aa_profile *tracee,
-                  struct aa_profile *tracee, unsigned int mode)
+                  unsigned int mode)
 {
        /* TODO: currently only based on capability, not extended ptrace
         *       rules,
@@ -72,7 +71,7 @@ int aa_may_ptrace(struct task_struct *tracer_task, struct aa_profile *tracer,
        if (unconfined(tracer) || tracer == tracee)
                return 0;
        /* log this capability request */
-        return aa_capable(tracer_task, tracer, CAP_SYS_PTRACE, 1);
+        return aa_capable(tracer, CAP_SYS_PTRACE, 1);
 }
 /**
@@ -101,7 +100,7 @@ int aa_ptrace(struct task_struct *tracer, struct task_struct *tracee,
        if (!unconfined(tracer_p)) {
                struct aa_profile *tracee_p = aa_get_task_profile(tracee);
-                error = aa_may_ptrace(tracer, tracer_p, tracee_p, mode);
+                error = aa_may_ptrace(tracer_p, tracee_p, mode);
                error = aa_audit_ptrace(tracer_p, tracee_p, error);
                aa_put_profile(tracee_p);
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index fb99e18123b4..4257b7e2796b 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -145,7 +145,7 @@ static int apparmor_capable(const struct cred *cred, struct user_namespace *ns,
        if (!error) {
                profile = aa_cred_profile(cred);
                if (!unconfined(profile))
-                        error = aa_capable(current, profile, cap, audit);
+                        error = aa_capable(profile, cap, audit);
        }
        return error;
 }
author	Ingo Molnar <mingo@kernel.org>	2013-12-17 09:27:08 -0500
committer	Ingo Molnar <mingo@kernel.org>	2013-12-17 09:27:08 -0500
commit	bb799d3b980eb803ca2da4a4eefbd9308f8d988a (patch)
tree	69fbe0cd6d47b23a50f5e1d87bf7489532fae149 /security/apparmor
parent	919fc6e34831d1c2b58bfb5ae261dc3facc9b269 (diff)
parent	319e2e3f63c348a9b66db4667efa73178e18b17d (diff)