aboutsummaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorJames Morris <jmorris@namei.org>2009-12-09 03:01:03 -0500
committerJames Morris <jmorris@namei.org>2009-12-09 03:01:03 -0500
commit1ad1f10cd915744bbe52b19423653b38287d827d (patch)
treeae072aace36b45a55d80b8cbf1b6d92523a88ea0 /security
parent08e3daff217059c84c360cc71212686e0a7995af (diff)
parent2b876f95d03e226394b5d360c86127cbefaf614b (diff)
Merge branch 'master' into next
Diffstat (limited to 'security')
-rw-r--r--security/keys/sysctl.c17
-rw-r--r--security/lsm_audit.c12
-rw-r--r--security/selinux/hooks.c6
-rw-r--r--security/smack/smack_lsm.c4
-rw-r--r--security/tomoyo/file.c21
-rw-r--r--security/tomoyo/realpath.c9
-rw-r--r--security/tomoyo/tomoyo.c80
-rw-r--r--security/tomoyo/tomoyo.h2
8 files changed, 26 insertions, 125 deletions
diff --git a/security/keys/sysctl.c b/security/keys/sysctl.c
index 5e05dc09e2db..ee32d181764a 100644
--- a/security/keys/sysctl.c
+++ b/security/keys/sysctl.c
@@ -17,54 +17,49 @@ static const int zero, one = 1, max = INT_MAX;
17 17
18ctl_table key_sysctls[] = { 18ctl_table key_sysctls[] = {
19 { 19 {
20 .ctl_name = CTL_UNNUMBERED,
21 .procname = "maxkeys", 20 .procname = "maxkeys",
22 .data = &key_quota_maxkeys, 21 .data = &key_quota_maxkeys,
23 .maxlen = sizeof(unsigned), 22 .maxlen = sizeof(unsigned),
24 .mode = 0644, 23 .mode = 0644,
25 .proc_handler = &proc_dointvec_minmax, 24 .proc_handler = proc_dointvec_minmax,
26 .extra1 = (void *) &one, 25 .extra1 = (void *) &one,
27 .extra2 = (void *) &max, 26 .extra2 = (void *) &max,
28 }, 27 },
29 { 28 {
30 .ctl_name = CTL_UNNUMBERED,
31 .procname = "maxbytes", 29 .procname = "maxbytes",
32 .data = &key_quota_maxbytes, 30 .data = &key_quota_maxbytes,
33 .maxlen = sizeof(unsigned), 31 .maxlen = sizeof(unsigned),
34 .mode = 0644, 32 .mode = 0644,
35 .proc_handler = &proc_dointvec_minmax, 33 .proc_handler = proc_dointvec_minmax,
36 .extra1 = (void *) &one, 34 .extra1 = (void *) &one,
37 .extra2 = (void *) &max, 35 .extra2 = (void *) &max,
38 }, 36 },
39 { 37 {
40 .ctl_name = CTL_UNNUMBERED,
41 .procname = "root_maxkeys", 38 .procname = "root_maxkeys",
42 .data = &key_quota_root_maxkeys, 39 .data = &key_quota_root_maxkeys,
43 .maxlen = sizeof(unsigned), 40 .maxlen = sizeof(unsigned),
44 .mode = 0644, 41 .mode = 0644,
45 .proc_handler = &proc_dointvec_minmax, 42 .proc_handler = proc_dointvec_minmax,
46 .extra1 = (void *) &one, 43 .extra1 = (void *) &one,
47 .extra2 = (void *) &max, 44 .extra2 = (void *) &max,
48 }, 45 },
49 { 46 {
50 .ctl_name = CTL_UNNUMBERED,
51 .procname = "root_maxbytes", 47 .procname = "root_maxbytes",
52 .data = &key_quota_root_maxbytes, 48 .data = &key_quota_root_maxbytes,
53 .maxlen = sizeof(unsigned), 49 .maxlen = sizeof(unsigned),
54 .mode = 0644, 50 .mode = 0644,
55 .proc_handler = &proc_dointvec_minmax, 51 .proc_handler = proc_dointvec_minmax,
56 .extra1 = (void *) &one, 52 .extra1 = (void *) &one,
57 .extra2 = (void *) &max, 53 .extra2 = (void *) &max,
58 }, 54 },
59 { 55 {
60 .ctl_name = CTL_UNNUMBERED,
61 .procname = "gc_delay", 56 .procname = "gc_delay",
62 .data = &key_gc_delay, 57 .data = &key_gc_delay,
63 .maxlen = sizeof(unsigned), 58 .maxlen = sizeof(unsigned),
64 .mode = 0644, 59 .mode = 0644,
65 .proc_handler = &proc_dointvec_minmax, 60 .proc_handler = proc_dointvec_minmax,
66 .extra1 = (void *) &zero, 61 .extra1 = (void *) &zero,
67 .extra2 = (void *) &max, 62 .extra2 = (void *) &max,
68 }, 63 },
69 { .ctl_name = 0 } 64 { }
70}; 65};
diff --git a/security/lsm_audit.c b/security/lsm_audit.c
index 51bd0fd9c9f0..acba3dfc8d29 100644
--- a/security/lsm_audit.c
+++ b/security/lsm_audit.c
@@ -273,11 +273,11 @@ static void dump_common_audit_data(struct audit_buffer *ab,
273 case AF_INET: { 273 case AF_INET: {
274 struct inet_sock *inet = inet_sk(sk); 274 struct inet_sock *inet = inet_sk(sk);
275 275
276 print_ipv4_addr(ab, inet->rcv_saddr, 276 print_ipv4_addr(ab, inet->inet_rcv_saddr,
277 inet->sport, 277 inet->inet_sport,
278 "laddr", "lport"); 278 "laddr", "lport");
279 print_ipv4_addr(ab, inet->daddr, 279 print_ipv4_addr(ab, inet->inet_daddr,
280 inet->dport, 280 inet->inet_dport,
281 "faddr", "fport"); 281 "faddr", "fport");
282 break; 282 break;
283 } 283 }
@@ -286,10 +286,10 @@ static void dump_common_audit_data(struct audit_buffer *ab,
286 struct ipv6_pinfo *inet6 = inet6_sk(sk); 286 struct ipv6_pinfo *inet6 = inet6_sk(sk);
287 287
288 print_ipv6_addr(ab, &inet6->rcv_saddr, 288 print_ipv6_addr(ab, &inet6->rcv_saddr,
289 inet->sport, 289 inet->inet_sport,
290 "laddr", "lport"); 290 "laddr", "lport");
291 print_ipv6_addr(ab, &inet6->daddr, 291 print_ipv6_addr(ab, &inet6->daddr,
292 inet->dport, 292 inet->inet_dport,
293 "faddr", "fport"); 293 "faddr", "fport");
294 break; 294 break;
295 } 295 }
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index c96d63ec4753..7a374c2eb043 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4093,7 +4093,7 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4093 char *addrp; 4093 char *addrp;
4094 4094
4095 COMMON_AUDIT_DATA_INIT(&ad, NET); 4095 COMMON_AUDIT_DATA_INIT(&ad, NET);
4096 ad.u.net.netif = skb->iif; 4096 ad.u.net.netif = skb->skb_iif;
4097 ad.u.net.family = family; 4097 ad.u.net.family = family;
4098 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 4098 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4099 if (err) 4099 if (err)
@@ -4155,7 +4155,7 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4155 return 0; 4155 return 0;
4156 4156
4157 COMMON_AUDIT_DATA_INIT(&ad, NET); 4157 COMMON_AUDIT_DATA_INIT(&ad, NET);
4158 ad.u.net.netif = skb->iif; 4158 ad.u.net.netif = skb->skb_iif;
4159 ad.u.net.family = family; 4159 ad.u.net.family = family;
4160 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 4160 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4161 if (err) 4161 if (err)
@@ -4167,7 +4167,7 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4167 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); 4167 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4168 if (err) 4168 if (err)
4169 return err; 4169 return err;
4170 err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family, 4170 err = selinux_inet_sys_rcv_skb(skb->skb_iif, addrp, family,
4171 peer_sid, &ad); 4171 peer_sid, &ad);
4172 if (err) { 4172 if (err) {
4173 selinux_netlbl_err(skb, err, 0); 4173 selinux_netlbl_err(skb, err, 0);
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index c33b6bb9b6dd..529c9ca65878 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -2602,7 +2602,7 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
2602#ifdef CONFIG_AUDIT 2602#ifdef CONFIG_AUDIT
2603 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NET); 2603 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NET);
2604 ad.a.u.net.family = sk->sk_family; 2604 ad.a.u.net.family = sk->sk_family;
2605 ad.a.u.net.netif = skb->iif; 2605 ad.a.u.net.netif = skb->skb_iif;
2606 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 2606 ipv4_skb_to_auditdata(skb, &ad.a, NULL);
2607#endif 2607#endif
2608 /* 2608 /*
@@ -2757,7 +2757,7 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
2757#ifdef CONFIG_AUDIT 2757#ifdef CONFIG_AUDIT
2758 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NET); 2758 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NET);
2759 ad.a.u.net.family = family; 2759 ad.a.u.net.family = family;
2760 ad.a.u.net.netif = skb->iif; 2760 ad.a.u.net.netif = skb->skb_iif;
2761 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 2761 ipv4_skb_to_auditdata(skb, &ad.a, NULL);
2762#endif 2762#endif
2763 /* 2763 /*
diff --git a/security/tomoyo/file.c b/security/tomoyo/file.c
index 2d10f98fc551..482f0e7ed997 100644
--- a/security/tomoyo/file.c
+++ b/security/tomoyo/file.c
@@ -1118,27 +1118,6 @@ static int tomoyo_check_single_path_permission2(struct tomoyo_domain_info *
1118} 1118}
1119 1119
1120/** 1120/**
1121 * tomoyo_check_file_perm - Check permission for sysctl()'s "read" and "write".
1122 *
1123 * @domain: Pointer to "struct tomoyo_domain_info".
1124 * @filename: Filename to check.
1125 * @perm: Mode ("read" or "write" or "read/write").
1126 * Returns 0 on success, negative value otherwise.
1127 */
1128int tomoyo_check_file_perm(struct tomoyo_domain_info *domain,
1129 const char *filename, const u8 perm)
1130{
1131 struct tomoyo_path_info name;
1132 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
1133
1134 if (!mode)
1135 return 0;
1136 name.name = filename;
1137 tomoyo_fill_path_info(&name);
1138 return tomoyo_check_file_perm2(domain, &name, perm, "sysctl", mode);
1139}
1140
1141/**
1142 * tomoyo_check_exec_perm - Check permission for "execute". 1121 * tomoyo_check_exec_perm - Check permission for "execute".
1143 * 1122 *
1144 * @domain: Pointer to "struct tomoyo_domain_info". 1123 * @domain: Pointer to "struct tomoyo_domain_info".
diff --git a/security/tomoyo/realpath.c b/security/tomoyo/realpath.c
index 917f564cdab1..18369d497eb8 100644
--- a/security/tomoyo/realpath.c
+++ b/security/tomoyo/realpath.c
@@ -110,6 +110,15 @@ int tomoyo_realpath_from_path2(struct path *path, char *newname,
110 spin_unlock(&dcache_lock); 110 spin_unlock(&dcache_lock);
111 path_put(&root); 111 path_put(&root);
112 path_put(&ns_root); 112 path_put(&ns_root);
113 /* Prepend "/proc" prefix if using internal proc vfs mount. */
114 if (!IS_ERR(sp) && (path->mnt->mnt_parent == path->mnt) &&
115 (strcmp(path->mnt->mnt_sb->s_type->name, "proc") == 0)) {
116 sp -= 5;
117 if (sp >= newname)
118 memcpy(sp, "/proc", 5);
119 else
120 sp = ERR_PTR(-ENOMEM);
121 }
113 } 122 }
114 if (IS_ERR(sp)) 123 if (IS_ERR(sp))
115 error = PTR_ERR(sp); 124 error = PTR_ERR(sp);
diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c
index 3fb5f6ea4fc9..ad9555fc3765 100644
--- a/security/tomoyo/tomoyo.c
+++ b/security/tomoyo/tomoyo.c
@@ -85,83 +85,6 @@ static int tomoyo_bprm_check_security(struct linux_binprm *bprm)
85 return tomoyo_check_open_permission(domain, &bprm->file->f_path, 1); 85 return tomoyo_check_open_permission(domain, &bprm->file->f_path, 1);
86} 86}
87 87
88#ifdef CONFIG_SYSCTL
89
90static int tomoyo_prepend(char **buffer, int *buflen, const char *str)
91{
92 int namelen = strlen(str);
93
94 if (*buflen < namelen)
95 return -ENOMEM;
96 *buflen -= namelen;
97 *buffer -= namelen;
98 memcpy(*buffer, str, namelen);
99 return 0;
100}
101
102/**
103 * tomoyo_sysctl_path - return the realpath of a ctl_table.
104 * @table: pointer to "struct ctl_table".
105 *
106 * Returns realpath(3) of the @table on success.
107 * Returns NULL on failure.
108 *
109 * This function uses tomoyo_alloc(), so the caller must call tomoyo_free()
110 * if this function didn't return NULL.
111 */
112static char *tomoyo_sysctl_path(struct ctl_table *table)
113{
114 int buflen = TOMOYO_MAX_PATHNAME_LEN;
115 char *buf = tomoyo_alloc(buflen);
116 char *end = buf + buflen;
117 int error = -ENOMEM;
118
119 if (!buf)
120 return NULL;
121
122 *--end = '\0';
123 buflen--;
124 while (table) {
125 char num[32];
126 const char *sp = table->procname;
127
128 if (!sp) {
129 memset(num, 0, sizeof(num));
130 snprintf(num, sizeof(num) - 1, "=%d=", table->ctl_name);
131 sp = num;
132 }
133 if (tomoyo_prepend(&end, &buflen, sp) ||
134 tomoyo_prepend(&end, &buflen, "/"))
135 goto out;
136 table = table->parent;
137 }
138 if (tomoyo_prepend(&end, &buflen, "/proc/sys"))
139 goto out;
140 error = tomoyo_encode(buf, end - buf, end);
141 out:
142 if (!error)
143 return buf;
144 tomoyo_free(buf);
145 return NULL;
146}
147
148static int tomoyo_sysctl(struct ctl_table *table, int op)
149{
150 int error;
151 char *name;
152
153 op &= MAY_READ | MAY_WRITE;
154 if (!op)
155 return 0;
156 name = tomoyo_sysctl_path(table);
157 if (!name)
158 return -ENOMEM;
159 error = tomoyo_check_file_perm(tomoyo_domain(), name, op);
160 tomoyo_free(name);
161 return error;
162}
163#endif
164
165static int tomoyo_path_truncate(struct path *path, loff_t length, 88static int tomoyo_path_truncate(struct path *path, loff_t length,
166 unsigned int time_attrs) 89 unsigned int time_attrs)
167{ 90{
@@ -336,9 +259,6 @@ static struct security_operations tomoyo_security_ops = {
336 .cred_transfer = tomoyo_cred_transfer, 259 .cred_transfer = tomoyo_cred_transfer,
337 .bprm_set_creds = tomoyo_bprm_set_creds, 260 .bprm_set_creds = tomoyo_bprm_set_creds,
338 .bprm_check_security = tomoyo_bprm_check_security, 261 .bprm_check_security = tomoyo_bprm_check_security,
339#ifdef CONFIG_SYSCTL
340 .sysctl = tomoyo_sysctl,
341#endif
342 .file_fcntl = tomoyo_file_fcntl, 262 .file_fcntl = tomoyo_file_fcntl,
343 .dentry_open = tomoyo_dentry_open, 263 .dentry_open = tomoyo_dentry_open,
344 .path_truncate = tomoyo_path_truncate, 264 .path_truncate = tomoyo_path_truncate,
diff --git a/security/tomoyo/tomoyo.h b/security/tomoyo/tomoyo.h
index fac02655ea4b..bf3986addc1a 100644
--- a/security/tomoyo/tomoyo.h
+++ b/security/tomoyo/tomoyo.h
@@ -18,8 +18,6 @@ struct inode;
18struct linux_binprm; 18struct linux_binprm;
19struct pt_regs; 19struct pt_regs;
20 20
21int tomoyo_check_file_perm(struct tomoyo_domain_info *domain,
22 const char *filename, const u8 perm);
23int tomoyo_check_exec_perm(struct tomoyo_domain_info *domain, 21int tomoyo_check_exec_perm(struct tomoyo_domain_info *domain,
24 const struct tomoyo_path_info *filename); 22 const struct tomoyo_path_info *filename);
25int tomoyo_check_open_permission(struct tomoyo_domain_info *domain, 23int tomoyo_check_open_permission(struct tomoyo_domain_info *domain,
generated by cgit v1.2.2 (git 2.25.0) at 2024-11-28 05:59:14 -0500