authorIngo Molnar <mingo@elte.hu>2008-06-16 05:24:00 -0400
committerIngo Molnar <mingo@elte.hu>2008-06-16 05:24:00 -0400
commit6d72b7952fa7d7c61d021398970c29afde6a4443 (patch)
tree31c00be8e2837e2db2e62c694421a93a9f4c79d7 /security
parent6360b1fbb4a939efd34fc770c2ebd927c55506e0 (diff)
parent066519068ad2fbe98c7f45552b1f592903a9c8c8 (diff)
Merge branch 'linus' into core/rodata
Diffstat (limited to 'security')
-rw-r--r--security/device_cgroup.c36
-rw-r--r--security/dummy.c24
-rw-r--r--security/keys/internal.h1
-rw-r--r--security/smack/smack_lsm.c12
4 files changed, 61 insertions, 12 deletions
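--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -49,10 +49,14 @@ struct dev_cgroup {
 	spinlock_t lock;
 };
 
+static inline struct dev_cgroup *css_to_devcgroup(struct cgroup_subsys_state *s)
+{
+	return container_of(s, struct dev_cgroup, css);
+}
+
 static inline struct dev_cgroup *cgroup_to_devcgroup(struct cgroup *cgroup)
 {
-	return container_of(cgroup_subsys_state(cgroup, devices_subsys_id),
-			    struct dev_cgroup, css);
+	return css_to_devcgroup(cgroup_subsys_state(cgroup, devices_subsys_id));
 }
 
 struct cgroup_subsys devices_subsys;
@@ -102,7 +106,7 @@ free_and_exit:
 static int dev_whitelist_add(struct dev_cgroup *dev_cgroup,
 			struct dev_whitelist_item *wh)
 {
-	struct dev_whitelist_item *whcopy;
+	struct dev_whitelist_item *whcopy, *walk;
 
 	whcopy = kmalloc(sizeof(*whcopy), GFP_KERNEL);
 	if (!whcopy)
@@ -110,7 +114,21 @@ static int dev_whitelist_add(struct dev_cgroup *dev_cgroup,
 
 	memcpy(whcopy, wh, sizeof(*whcopy));
 	spin_lock(&dev_cgroup->lock);
-	list_add_tail(&whcopy->list, &dev_cgroup->whitelist);
+	list_for_each_entry(walk, &dev_cgroup->whitelist, list) {
+		if (walk->type != wh->type)
+			continue;
+		if (walk->major != wh->major)
+			continue;
+		if (walk->minor != wh->minor)
+			continue;
+
+		walk->access |= wh->access;
+		kfree(whcopy);
+		whcopy = NULL;
+	}
+
+	if (whcopy != NULL)
+		list_add_tail(&whcopy->list, &dev_cgroup->whitelist);
 	spin_unlock(&dev_cgroup->lock);
 	return 0;
 }
@@ -502,7 +520,6 @@ struct cgroup_subsys devices_subsys = {
 
 int devcgroup_inode_permission(struct inode *inode, int mask)
 {
-	struct cgroup *cgroup;
 	struct dev_cgroup *dev_cgroup;
 	struct dev_whitelist_item *wh;
 
@@ -511,8 +528,8 @@ int devcgroup_inode_permission(struct inode *inode, int mask)
 		return 0;
 	if (!S_ISBLK(inode->i_mode) && !S_ISCHR(inode->i_mode))
 		return 0;
-	cgroup = task_cgroup(current, devices_subsys.subsys_id);
-	dev_cgroup = cgroup_to_devcgroup(cgroup);
+	dev_cgroup = css_to_devcgroup(task_subsys_state(current,
+				devices_subsys_id));
 	if (!dev_cgroup)
 		return 0;
 
@@ -543,12 +560,11 @@ acc_check:
 
 int devcgroup_inode_mknod(int mode, dev_t dev)
 {
-	struct cgroup *cgroup;
 	struct dev_cgroup *dev_cgroup;
 	struct dev_whitelist_item *wh;
 
-	cgroup = task_cgroup(current, devices_subsys.subsys_id);
-	dev_cgroup = cgroup_to_devcgroup(cgroup);
+	dev_cgroup = css_to_devcgroup(task_subsys_state(current,
+				devices_subsys_id));
 	if (!dev_cgroup)
 		return 0;
 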
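Review bot: The merge loop in dev_whitelist_add keeps walking the list after it has folded wh->access into a matching entry and freed whcopy, so a second entry for the same type/major/minor (possible if the list already held duplicates before this change) is merged as well, and the use of `whcopy = NULL` as a "merged" flag is not stated anywhere. A `break;` after `whcopy = NULL;` plus a comment above the loop such as `/* merge into an existing entry for the same device; otherwise append whcopy */` would make the one-entry-per-device invariant explicit. The devcgroup_inode_permission and devcgroup_inode_mknod hunks replace task_cgroup() with task_subsys_state(current, ...), which dereferences current's cgroup state; whether the callers hold rcu_read_lock() or task_lock() around these access-check paths is not visible here and is worth confirming. The kmalloc-failure return of dev_whitelist_add, between the second and third hunks, is outside the view.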
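--- a/security/dummy.c
+++ b/security/dummy.c
@@ -27,6 +27,8 @@
 #include <linux/hugetlb.h>
 #include <linux/ptrace.h>
 #include <linux/file.h>
+#include <linux/prctl.h>
+#include <linux/securebits.h>
 
 static int dummy_ptrace (struct task_struct *parent, struct task_struct *child)
 {
@@ -607,7 +609,27 @@ static int dummy_task_kill (struct task_struct *p, struct siginfo *info,
 static int dummy_task_prctl (int option, unsigned long arg2, unsigned long arg3,
 			     unsigned long arg4, unsigned long arg5, long *rc_p)
 {
-	return 0;
+	switch (option) {
+	case PR_CAPBSET_READ:
+		*rc_p = (cap_valid(arg2) ? 1 : -EINVAL);
+		break;
+	case PR_GET_KEEPCAPS:
+		*rc_p = issecure(SECURE_KEEP_CAPS);
+		break;
+	case PR_SET_KEEPCAPS:
+		if (arg2 > 1)
+			*rc_p = -EINVAL;
+		else if (arg2)
+			current->securebits |= issecure_mask(SECURE_KEEP_CAPS);
+		else
+			current->securebits &=
+				~issecure_mask(SECURE_KEEP_CAPS);
+		break;
+	default:
+		return 0;
+	}
+
+	return 1;
 }
 
 static void dummy_task_reparent_to_init (struct task_struct *p)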
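Review bot: The return convention of the new dummy_task_prctl body is undocumented: the three handled options store their result in *rc_p and return 1, while the default case returns 0, which reads as "not handled, let the caller apply its default", but nothing in the hunk says so. A comment on the function such as `/* Returns 1 with the prctl result in *rc_p when the option is handled here, 0 to leave it to the caller's default handling. */` would explain the otherwise surprising `return 1`. PR_SET_KEEPCAPS writes current->securebits with no further check, which is presumably deliberate for the non-enforcing dummy module; if this tree also defines a SECURE_KEEP_CAPS_LOCKED bit, a one-line comment saying the locked bit is intentionally ignored here would save the next reader a comparison with the capability module.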
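--- a/security/keys/internal.h
+++ b/security/keys/internal.h
@@ -78,7 +78,6 @@ extern unsigned key_quota_maxbytes;
 
 extern struct rb_root key_serial_tree;
 extern spinlock_t key_serial_lock;
-extern struct semaphore key_alloc_sem;
 extern struct mutex key_construction_mutex;
 extern wait_queue_head_t request_key_conswq;
 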
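--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -1881,6 +1881,18 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
 	final = sbsp->smk_default;
 
 	/*
+	 * If this is the root inode the superblock
+	 * may be in the process of initialization.
+	 * If that is the case use the root value out
+	 * of the superblock.
+	 */
+	if (opt_dentry->d_parent == opt_dentry) {
+		isp->smk_inode = sbsp->smk_root;
+		isp->smk_flags |= SMK_INODE_INSTANT;
+		goto unlockandout;
+	}
+
+	/*
 	 * This is pretty hackish.
 	 * Casey says that we shouldn't have to do
 	 * file system specific code, but it does help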
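Review bot: The new root-inode shortcut spells the root test by hand as `opt_dentry->d_parent == opt_dentry` where the dcache already provides `IS_ROOT(opt_dentry)` for exactly that comparison; `if (IS_ROOT(opt_dentry)) {` reads better and matches how the rest of the VFS writes it. The branch jumps out with smk_root applied, so the `final = sbsp->smk_default` just above is presumably never used for the root inode; the comment could say so explicitly, since a reader seeing the default assigned and then skipped may suspect a bug. The `unlockandout` label and the rest of smack_d_instantiate are outside the hunk.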