aboutsummaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorJames Morris <jmorris@namei.org>2009-05-08 03:56:47 -0400
committerJames Morris <jmorris@namei.org>2009-05-08 03:56:47 -0400
commitd254117099d711f215e62427f55dfb8ebd5ad011 (patch)
tree0848ff8dd74314fec14a86497f8d288c86ba7c65 /security
parent07ff7a0b187f3951788f64ae1f30e8109bc8e9eb (diff)
parent8c9ed899b44c19e81859fbb0e9d659fe2f8630fc (diff)
Merge branch 'master' into next
Diffstat (limited to 'security')
-rw-r--r--security/commoncap.c1
-rw-r--r--security/device_cgroup.c21
-rw-r--r--security/keys/request_key.c9
-rw-r--r--security/security.c2
-rw-r--r--security/selinux/hooks.c2
-rw-r--r--security/smack/smack_lsm.c11
-rw-r--r--security/tomoyo/common.c6
-rw-r--r--security/tomoyo/common.h2
-rw-r--r--security/tomoyo/domain.c2
-rw-r--r--security/tomoyo/file.c2
-rw-r--r--security/tomoyo/realpath.c3
-rw-r--r--security/tomoyo/realpath.h2
-rw-r--r--security/tomoyo/tomoyo.c2
-rw-r--r--security/tomoyo/tomoyo.h2
14 files changed, 39 insertions, 28 deletions
diff --git a/security/commoncap.c b/security/commoncap.c
index 97ac1f167717..48b7e0228fa3 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -948,7 +948,6 @@ changed:
948 return commit_creds(new); 948 return commit_creds(new);
949 949
950no_change: 950no_change:
951 error = 0;
952error: 951error:
953 abort_creds(new); 952 abort_creds(new);
954 return error; 953 return error;
diff --git a/security/device_cgroup.c b/security/device_cgroup.c
index 3aacd0fe7179..5fda7df19723 100644
--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -11,6 +11,7 @@
11#include <linux/uaccess.h> 11#include <linux/uaccess.h>
12#include <linux/seq_file.h> 12#include <linux/seq_file.h>
13#include <linux/rcupdate.h> 13#include <linux/rcupdate.h>
14#include <linux/mutex.h>
14 15
15#define ACC_MKNOD 1 16#define ACC_MKNOD 1
16#define ACC_READ 2 17#define ACC_READ 2
@@ -21,9 +22,11 @@
21#define DEV_CHAR 2 22#define DEV_CHAR 2
22#define DEV_ALL 4 /* this represents all devices */ 23#define DEV_ALL 4 /* this represents all devices */
23 24
25static DEFINE_MUTEX(devcgroup_mutex);
26
24/* 27/*
25 * whitelist locking rules: 28 * whitelist locking rules:
26 * hold cgroup_lock() for update/read. 29 * hold devcgroup_mutex for update/read.
27 * hold rcu_read_lock() for read. 30 * hold rcu_read_lock() for read.
28 */ 31 */
29 32
@@ -67,7 +70,7 @@ static int devcgroup_can_attach(struct cgroup_subsys *ss,
67} 70}
68 71
69/* 72/*
70 * called under cgroup_lock() 73 * called under devcgroup_mutex
71 */ 74 */
72static int dev_whitelist_copy(struct list_head *dest, struct list_head *orig) 75static int dev_whitelist_copy(struct list_head *dest, struct list_head *orig)
73{ 76{
@@ -92,7 +95,7 @@ free_and_exit:
92 95
93/* Stupid prototype - don't bother combining existing entries */ 96/* Stupid prototype - don't bother combining existing entries */
94/* 97/*
95 * called under cgroup_lock() 98 * called under devcgroup_mutex
96 */ 99 */
97static int dev_whitelist_add(struct dev_cgroup *dev_cgroup, 100static int dev_whitelist_add(struct dev_cgroup *dev_cgroup,
98 struct dev_whitelist_item *wh) 101 struct dev_whitelist_item *wh)
@@ -130,7 +133,7 @@ static void whitelist_item_free(struct rcu_head *rcu)
130} 133}
131 134
132/* 135/*
133 * called under cgroup_lock() 136 * called under devcgroup_mutex
134 */ 137 */
135static void dev_whitelist_rm(struct dev_cgroup *dev_cgroup, 138static void dev_whitelist_rm(struct dev_cgroup *dev_cgroup,
136 struct dev_whitelist_item *wh) 139 struct dev_whitelist_item *wh)
@@ -185,8 +188,10 @@ static struct cgroup_subsys_state *devcgroup_create(struct cgroup_subsys *ss,
185 list_add(&wh->list, &dev_cgroup->whitelist); 188 list_add(&wh->list, &dev_cgroup->whitelist);
186 } else { 189 } else {
187 parent_dev_cgroup = cgroup_to_devcgroup(parent_cgroup); 190 parent_dev_cgroup = cgroup_to_devcgroup(parent_cgroup);
191 mutex_lock(&devcgroup_mutex);
188 ret = dev_whitelist_copy(&dev_cgroup->whitelist, 192 ret = dev_whitelist_copy(&dev_cgroup->whitelist,
189 &parent_dev_cgroup->whitelist); 193 &parent_dev_cgroup->whitelist);
194 mutex_unlock(&devcgroup_mutex);
190 if (ret) { 195 if (ret) {
191 kfree(dev_cgroup); 196 kfree(dev_cgroup);
192 return ERR_PTR(ret); 197 return ERR_PTR(ret);
@@ -273,7 +278,7 @@ static int devcgroup_seq_read(struct cgroup *cgroup, struct cftype *cft,
273 * does the access granted to dev_cgroup c contain the access 278 * does the access granted to dev_cgroup c contain the access
274 * requested in whitelist item refwh. 279 * requested in whitelist item refwh.
275 * return 1 if yes, 0 if no. 280 * return 1 if yes, 0 if no.
276 * call with c->lock held 281 * call with devcgroup_mutex held
277 */ 282 */
278static int may_access_whitelist(struct dev_cgroup *c, 283static int may_access_whitelist(struct dev_cgroup *c,
279 struct dev_whitelist_item *refwh) 284 struct dev_whitelist_item *refwh)
@@ -426,11 +431,11 @@ static int devcgroup_access_write(struct cgroup *cgrp, struct cftype *cft,
426 const char *buffer) 431 const char *buffer)
427{ 432{
428 int retval; 433 int retval;
429 if (!cgroup_lock_live_group(cgrp)) 434
430 return -ENODEV; 435 mutex_lock(&devcgroup_mutex);
431 retval = devcgroup_update_access(cgroup_to_devcgroup(cgrp), 436 retval = devcgroup_update_access(cgroup_to_devcgroup(cgrp),
432 cft->private, buffer); 437 cft->private, buffer);
433 cgroup_unlock(); 438 mutex_unlock(&devcgroup_mutex);
434 return retval; 439 return retval;
435} 440}
436 441
diff --git a/security/keys/request_key.c b/security/keys/request_key.c
index 22a31582bfaa..03fe63ed55bd 100644
--- a/security/keys/request_key.c
+++ b/security/keys/request_key.c
@@ -311,7 +311,8 @@ static int construct_alloc_key(struct key_type *type,
311 311
312 set_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags); 312 set_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags);
313 313
314 down_write(&dest_keyring->sem); 314 if (dest_keyring)
315 down_write(&dest_keyring->sem);
315 316
316 /* attach the key to the destination keyring under lock, but we do need 317 /* attach the key to the destination keyring under lock, but we do need
317 * to do another check just in case someone beat us to it whilst we 318 * to do another check just in case someone beat us to it whilst we
@@ -322,10 +323,12 @@ static int construct_alloc_key(struct key_type *type,
322 if (!IS_ERR(key_ref)) 323 if (!IS_ERR(key_ref))
323 goto key_already_present; 324 goto key_already_present;
324 325
325 __key_link(dest_keyring, key); 326 if (dest_keyring)
327 __key_link(dest_keyring, key);
326 328
327 mutex_unlock(&key_construction_mutex); 329 mutex_unlock(&key_construction_mutex);
328 up_write(&dest_keyring->sem); 330 if (dest_keyring)
331 up_write(&dest_keyring->sem);
329 mutex_unlock(&user->cons_lock); 332 mutex_unlock(&user->cons_lock);
330 *_key = key; 333 *_key = key;
331 kleave(" = 0 [%d]", key_serial(key)); 334 kleave(" = 0 [%d]", key_serial(key));
diff --git a/security/security.c b/security/security.c
index 206e53844d2f..5284255c5cdf 100644
--- a/security/security.c
+++ b/security/security.c
@@ -445,6 +445,7 @@ int security_inode_create(struct inode *dir, struct dentry *dentry, int mode)
445 return 0; 445 return 0;
446 return security_ops->inode_create(dir, dentry, mode); 446 return security_ops->inode_create(dir, dentry, mode);
447} 447}
448EXPORT_SYMBOL_GPL(security_inode_create);
448 449
449int security_inode_link(struct dentry *old_dentry, struct inode *dir, 450int security_inode_link(struct dentry *old_dentry, struct inode *dir,
450 struct dentry *new_dentry) 451 struct dentry *new_dentry)
@@ -475,6 +476,7 @@ int security_inode_mkdir(struct inode *dir, struct dentry *dentry, int mode)
475 return 0; 476 return 0;
476 return security_ops->inode_mkdir(dir, dentry, mode); 477 return security_ops->inode_mkdir(dir, dentry, mode);
477} 478}
479EXPORT_SYMBOL_GPL(security_inode_mkdir);
478 480
479int security_inode_rmdir(struct inode *dir, struct dentry *dentry) 481int security_inode_rmdir(struct inode *dir, struct dentry *dentry)
480{ 482{
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 39046ddd90a9..195906bce266 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3145,7 +3145,7 @@ static int selinux_file_send_sigiotask(struct task_struct *tsk,
3145 struct fown_struct *fown, int signum) 3145 struct fown_struct *fown, int signum)
3146{ 3146{
3147 struct file *file; 3147 struct file *file;
3148 u32 sid = current_sid(); 3148 u32 sid = task_sid(tsk);
3149 u32 perm; 3149 u32 perm;
3150 struct file_security_struct *fsec; 3150 struct file_security_struct *fsec;
3151 3151
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index f557767911c9..0d030b4513c8 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -675,8 +675,12 @@ static int smack_inode_setxattr(struct dentry *dentry, const char *name,
675 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) { 675 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) {
676 if (!capable(CAP_MAC_ADMIN)) 676 if (!capable(CAP_MAC_ADMIN))
677 rc = -EPERM; 677 rc = -EPERM;
678 /* a label cannot be void and cannot begin with '-' */ 678 /*
679 if (size == 0 || (size > 0 && ((char *)value)[0] == '-')) 679 * check label validity here so import wont fail on
680 * post_setxattr
681 */
682 if (size == 0 || size >= SMK_LABELLEN ||
683 smk_import(value, size) == NULL)
680 rc = -EINVAL; 684 rc = -EINVAL;
681 } else 685 } else
682 rc = cap_inode_setxattr(dentry, name, value, size, flags); 686 rc = cap_inode_setxattr(dentry, name, value, size, flags);
@@ -713,9 +717,6 @@ static void smack_inode_post_setxattr(struct dentry *dentry, const char *name,
713 if (strcmp(name, XATTR_NAME_SMACK)) 717 if (strcmp(name, XATTR_NAME_SMACK))
714 return; 718 return;
715 719
716 if (size >= SMK_LABELLEN)
717 return;
718
719 isp = dentry->d_inode->i_security; 720 isp = dentry->d_inode->i_security;
720 721
721 /* 722 /*
diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c
index a0affd9cfca8..d4d41b3efc7c 100644
--- a/security/tomoyo/common.c
+++ b/security/tomoyo/common.c
@@ -5,7 +5,7 @@
5 * 5 *
6 * Copyright (C) 2005-2009 NTT DATA CORPORATION 6 * Copyright (C) 2005-2009 NTT DATA CORPORATION
7 * 7 *
8 * Version: 2.2.0-pre 2009/02/01 8 * Version: 2.2.0 2009/04/01
9 * 9 *
10 */ 10 */
11 11
@@ -1773,7 +1773,7 @@ void tomoyo_load_policy(const char *filename)
1773 envp[2] = NULL; 1773 envp[2] = NULL;
1774 call_usermodehelper(argv[0], argv, envp, 1); 1774 call_usermodehelper(argv[0], argv, envp, 1);
1775 1775
1776 printk(KERN_INFO "TOMOYO: 2.2.0-pre 2009/02/01\n"); 1776 printk(KERN_INFO "TOMOYO: 2.2.0 2009/04/01\n");
1777 printk(KERN_INFO "Mandatory Access Control activated.\n"); 1777 printk(KERN_INFO "Mandatory Access Control activated.\n");
1778 tomoyo_policy_loaded = true; 1778 tomoyo_policy_loaded = true;
1779 { /* Check all profiles currently assigned to domains are defined. */ 1779 { /* Check all profiles currently assigned to domains are defined. */
@@ -1800,7 +1800,7 @@ void tomoyo_load_policy(const char *filename)
1800static int tomoyo_read_version(struct tomoyo_io_buffer *head) 1800static int tomoyo_read_version(struct tomoyo_io_buffer *head)
1801{ 1801{
1802 if (!head->read_eof) { 1802 if (!head->read_eof) {
1803 tomoyo_io_printf(head, "2.2.0-pre"); 1803 tomoyo_io_printf(head, "2.2.0");
1804 head->read_eof = true; 1804 head->read_eof = true;
1805 } 1805 }
1806 return 0; 1806 return 0;
diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h
index e77e6a6de0f2..678f4ff16aa4 100644
--- a/security/tomoyo/common.h
+++ b/security/tomoyo/common.h
@@ -5,7 +5,7 @@
5 * 5 *
6 * Copyright (C) 2005-2009 NTT DATA CORPORATION 6 * Copyright (C) 2005-2009 NTT DATA CORPORATION
7 * 7 *
8 * Version: 2.2.0-pre 2009/02/01 8 * Version: 2.2.0 2009/04/01
9 * 9 *
10 */ 10 */
11 11
diff --git a/security/tomoyo/domain.c b/security/tomoyo/domain.c
index 2f2b449ffd2d..2d6748741a26 100644
--- a/security/tomoyo/domain.c
+++ b/security/tomoyo/domain.c
@@ -5,7 +5,7 @@
5 * 5 *
6 * Copyright (C) 2005-2009 NTT DATA CORPORATION 6 * Copyright (C) 2005-2009 NTT DATA CORPORATION
7 * 7 *
8 * Version: 2.2.0-pre 2009/02/01 8 * Version: 2.2.0 2009/04/01
9 * 9 *
10 */ 10 */
11 11
diff --git a/security/tomoyo/file.c b/security/tomoyo/file.c
index 65f50c1c5ee9..2316da8ec5bc 100644
--- a/security/tomoyo/file.c
+++ b/security/tomoyo/file.c
@@ -5,7 +5,7 @@
5 * 5 *
6 * Copyright (C) 2005-2009 NTT DATA CORPORATION 6 * Copyright (C) 2005-2009 NTT DATA CORPORATION
7 * 7 *
8 * Version: 2.2.0-pre 2009/02/01 8 * Version: 2.2.0 2009/04/01
9 * 9 *
10 */ 10 */
11 11
diff --git a/security/tomoyo/realpath.c b/security/tomoyo/realpath.c
index d47f16b844b2..bf8e2b451687 100644
--- a/security/tomoyo/realpath.c
+++ b/security/tomoyo/realpath.c
@@ -5,13 +5,14 @@
5 * 5 *
6 * Copyright (C) 2005-2009 NTT DATA CORPORATION 6 * Copyright (C) 2005-2009 NTT DATA CORPORATION
7 * 7 *
8 * Version: 2.2.0-pre 2009/02/01 8 * Version: 2.2.0 2009/04/01
9 * 9 *
10 */ 10 */
11 11
12#include <linux/types.h> 12#include <linux/types.h>
13#include <linux/mount.h> 13#include <linux/mount.h>
14#include <linux/mnt_namespace.h> 14#include <linux/mnt_namespace.h>
15#include <linux/fs_struct.h>
15#include "common.h" 16#include "common.h"
16#include "realpath.h" 17#include "realpath.h"
17 18
diff --git a/security/tomoyo/realpath.h b/security/tomoyo/realpath.h
index 7ec9fc9cbc07..78217a37960b 100644
--- a/security/tomoyo/realpath.h
+++ b/security/tomoyo/realpath.h
@@ -5,7 +5,7 @@
5 * 5 *
6 * Copyright (C) 2005-2009 NTT DATA CORPORATION 6 * Copyright (C) 2005-2009 NTT DATA CORPORATION
7 * 7 *
8 * Version: 2.2.0-pre 2009/02/01 8 * Version: 2.2.0 2009/04/01
9 * 9 *
10 */ 10 */
11 11
diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c
index 3eeeae12c4dc..5b481912752a 100644
--- a/security/tomoyo/tomoyo.c
+++ b/security/tomoyo/tomoyo.c
@@ -5,7 +5,7 @@
5 * 5 *
6 * Copyright (C) 2005-2009 NTT DATA CORPORATION 6 * Copyright (C) 2005-2009 NTT DATA CORPORATION
7 * 7 *
8 * Version: 2.2.0-pre 2009/02/01 8 * Version: 2.2.0 2009/04/01
9 * 9 *
10 */ 10 */
11 11
diff --git a/security/tomoyo/tomoyo.h b/security/tomoyo/tomoyo.h
index a0c8f6e0bea4..41c6ebafb9c5 100644
--- a/security/tomoyo/tomoyo.h
+++ b/security/tomoyo/tomoyo.h
@@ -5,7 +5,7 @@
5 * 5 *
6 * Copyright (C) 2005-2009 NTT DATA CORPORATION 6 * Copyright (C) 2005-2009 NTT DATA CORPORATION
7 * 7 *
8 * Version: 2.2.0-pre 2009/02/01 8 * Version: 2.2.0 2009/04/01
9 * 9 *
10 */ 10 */
11 11