aboutsummaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorEric Paris <eparis@redhat.com>2010-11-15 18:36:29 -0500
committerLinus Torvalds <torvalds@linux-foundation.org>2010-11-15 18:40:01 -0500
commit12b3052c3ee8f508b2c7ee4ddd63ed03423409d8 (patch)
treeb97d0f209f363cfad94ce9d075312274e349da89 /security
parent6800e4c0ea3e96cf78953b8b5743381cb1bb9e37 (diff)
capabilities/syslog: open code cap_syslog logic to fix build failure
The addition of CONFIG_SECURITY_DMESG_RESTRICT resulted in a build failure when CONFIG_PRINTK=n. This is because the capabilities code which used the new option was built even though the variable in question didn't exist. The patch here fixes this by moving the capabilities checks out of the LSM and into the caller. All (known) LSMs should have been calling the capabilities hook already so it actually makes the code organization better to eliminate the hook altogether. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: James Morris <jmorris@namei.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'security')
-rw-r--r--security/capability.c5
-rw-r--r--security/commoncap.c21
-rw-r--r--security/security.c4
-rw-r--r--security/selinux/hooks.c6
-rw-r--r--security/smack/smack_lsm.c8
5 files changed, 10 insertions, 34 deletions
diff --git a/security/capability.c b/security/capability.c
index 30ae00fbecd5..c773635ca3a0 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -17,6 +17,11 @@ static int cap_sysctl(ctl_table *table, int op)
17 return 0; 17 return 0;
18} 18}
19 19
20static int cap_syslog(int type)
21{
22 return 0;
23}
24
20static int cap_quotactl(int cmds, int type, int id, struct super_block *sb) 25static int cap_quotactl(int cmds, int type, int id, struct super_block *sb)
21{ 26{
22 return 0; 27 return 0;
diff --git a/security/commoncap.c b/security/commoncap.c
index 04b80f9912bf..64c2ed9c9015 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -27,7 +27,6 @@
27#include <linux/sched.h> 27#include <linux/sched.h>
28#include <linux/prctl.h> 28#include <linux/prctl.h>
29#include <linux/securebits.h> 29#include <linux/securebits.h>
30#include <linux/syslog.h>
31 30
32/* 31/*
33 * If a non-root user executes a setuid-root binary in 32 * If a non-root user executes a setuid-root binary in
@@ -884,26 +883,6 @@ error:
884} 883}
885 884
886/** 885/**
887 * cap_syslog - Determine whether syslog function is permitted
888 * @type: Function requested
889 * @from_file: Whether this request came from an open file (i.e. /proc)
890 *
891 * Determine whether the current process is permitted to use a particular
892 * syslog function, returning 0 if permission is granted, -ve if not.
893 */
894int cap_syslog(int type, bool from_file)
895{
896 if (type != SYSLOG_ACTION_OPEN && from_file)
897 return 0;
898 if (dmesg_restrict && !capable(CAP_SYS_ADMIN))
899 return -EPERM;
900 if ((type != SYSLOG_ACTION_READ_ALL &&
901 type != SYSLOG_ACTION_SIZE_BUFFER) && !capable(CAP_SYS_ADMIN))
902 return -EPERM;
903 return 0;
904}
905
906/**
907 * cap_vm_enough_memory - Determine whether a new virtual mapping is permitted 886 * cap_vm_enough_memory - Determine whether a new virtual mapping is permitted
908 * @mm: The VM space in which the new mapping is to be made 887 * @mm: The VM space in which the new mapping is to be made
909 * @pages: The size of the mapping 888 * @pages: The size of the mapping
diff --git a/security/security.c b/security/security.c
index 3ef5e2a7a741..1b798d3df710 100644
--- a/security/security.c
+++ b/security/security.c
@@ -197,9 +197,9 @@ int security_quota_on(struct dentry *dentry)
197 return security_ops->quota_on(dentry); 197 return security_ops->quota_on(dentry);
198} 198}
199 199
200int security_syslog(int type, bool from_file) 200int security_syslog(int type)
201{ 201{
202 return security_ops->syslog(type, from_file); 202 return security_ops->syslog(type);
203} 203}
204 204
205int security_settime(struct timespec *ts, struct timezone *tz) 205int security_settime(struct timespec *ts, struct timezone *tz)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index d9154cf90ae1..65fa8bf596f5 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1973,14 +1973,10 @@ static int selinux_quota_on(struct dentry *dentry)
1973 return dentry_has_perm(cred, NULL, dentry, FILE__QUOTAON); 1973 return dentry_has_perm(cred, NULL, dentry, FILE__QUOTAON);
1974} 1974}
1975 1975
1976static int selinux_syslog(int type, bool from_file) 1976static int selinux_syslog(int type)
1977{ 1977{
1978 int rc; 1978 int rc;
1979 1979
1980 rc = cap_syslog(type, from_file);
1981 if (rc)
1982 return rc;
1983
1984 switch (type) { 1980 switch (type) {
1985 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */ 1981 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
1986 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */ 1982 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index bc39f4067af6..489a85afa477 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -157,15 +157,11 @@ static int smack_ptrace_traceme(struct task_struct *ptp)
157 * 157 *
158 * Returns 0 on success, error code otherwise. 158 * Returns 0 on success, error code otherwise.
159 */ 159 */
160static int smack_syslog(int type, bool from_file) 160static int smack_syslog(int typefrom_file)
161{ 161{
162 int rc; 162 int rc = 0;
163 char *sp = current_security(); 163 char *sp = current_security();
164 164
165 rc = cap_syslog(type, from_file);
166 if (rc != 0)
167 return rc;
168
169 if (capable(CAP_MAC_OVERRIDE)) 165 if (capable(CAP_MAC_OVERRIDE))
170 return 0; 166 return 0;
171 167