diff options
| author | David S. Miller <davem@davemloft.net> | 2011-12-23 17:13:56 -0500 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2011-12-23 17:13:56 -0500 |
| commit | abb434cb0539fb355c1c921f8fd761efbbac3462 (patch) | |
| tree | 24a7d99ec161f8fd4dc9ff03c9c4cc93be883ce6 /security | |
| parent | 2494654d4890316e7340fb8b3458daad0474a1b9 (diff) | |
| parent | 6350323ad8def2ac00d77cdee3b79c9b9fba75c4 (diff) | |
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Conflicts:
net/bluetooth/l2cap_core.c
Just two overlapping changes, one added an initialization of
a local variable, and another change added a new local variable.
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'security')
| -rw-r--r-- | security/apparmor/path.c | 65 | ||||
| -rw-r--r-- | security/integrity/evm/evm_crypto.c | 19 | ||||
| -rw-r--r-- | security/selinux/netport.c | 4 | ||||
| -rw-r--r-- | security/tomoyo/realpath.c | 13 |
4 files changed, 66 insertions, 35 deletions
diff --git a/security/apparmor/path.c b/security/apparmor/path.c index 36cc0cc39e78..b566eba4a65c 100644 --- a/security/apparmor/path.c +++ b/security/apparmor/path.c | |||
| @@ -57,23 +57,44 @@ static int prepend(char **buffer, int buflen, const char *str, int namelen) | |||
| 57 | static int d_namespace_path(struct path *path, char *buf, int buflen, | 57 | static int d_namespace_path(struct path *path, char *buf, int buflen, |
| 58 | char **name, int flags) | 58 | char **name, int flags) |
| 59 | { | 59 | { |
| 60 | struct path root, tmp; | ||
| 61 | char *res; | 60 | char *res; |
| 62 | int connected, error = 0; | 61 | int error = 0; |
| 62 | int connected = 1; | ||
| 63 | |||
| 64 | if (path->mnt->mnt_flags & MNT_INTERNAL) { | ||
| 65 | /* it's not mounted anywhere */ | ||
| 66 | res = dentry_path(path->dentry, buf, buflen); | ||
| 67 | *name = res; | ||
| 68 | if (IS_ERR(res)) { | ||
| 69 | *name = buf; | ||
| 70 | return PTR_ERR(res); | ||
| 71 | } | ||
| 72 | if (path->dentry->d_sb->s_magic == PROC_SUPER_MAGIC && | ||
| 73 | strncmp(*name, "/sys/", 5) == 0) { | ||
| 74 | /* TODO: convert over to using a per namespace | ||
| 75 | * control instead of hard coded /proc | ||
| 76 | */ | ||
| 77 | return prepend(name, *name - buf, "/proc", 5); | ||
| 78 | } | ||
| 79 | return 0; | ||
| 80 | } | ||
| 63 | 81 | ||
| 64 | /* Get the root we want to resolve too, released below */ | 82 | /* resolve paths relative to chroot?*/ |
| 65 | if (flags & PATH_CHROOT_REL) { | 83 | if (flags & PATH_CHROOT_REL) { |
| 66 | /* resolve paths relative to chroot */ | 84 | struct path root; |
| 67 | get_fs_root(current->fs, &root); | 85 | get_fs_root(current->fs, &root); |
| 68 | } else { | 86 | res = __d_path(path, &root, buf, buflen); |
| 69 | /* resolve paths relative to namespace */ | 87 | if (res && !IS_ERR(res)) { |
| 70 | root.mnt = current->nsproxy->mnt_ns->root; | 88 | /* everything's fine */ |
| 71 | root.dentry = root.mnt->mnt_root; | 89 | *name = res; |
| 72 | path_get(&root); | 90 | path_put(&root); |
| 91 | goto ok; | ||
| 92 | } | ||
| 93 | path_put(&root); | ||
| 94 | connected = 0; | ||
| 73 | } | 95 | } |
| 74 | 96 | ||
| 75 | tmp = root; | 97 | res = d_absolute_path(path, buf, buflen); |
| 76 | res = __d_path(path, &tmp, buf, buflen); | ||
| 77 | 98 | ||
| 78 | *name = res; | 99 | *name = res; |
| 79 | /* handle error conditions - and still allow a partial path to | 100 | /* handle error conditions - and still allow a partial path to |
| @@ -84,7 +105,10 @@ static int d_namespace_path(struct path *path, char *buf, int buflen, | |||
| 84 | *name = buf; | 105 | *name = buf; |
| 85 | goto out; | 106 | goto out; |
| 86 | } | 107 | } |
| 108 | if (!our_mnt(path->mnt)) | ||
| 109 | connected = 0; | ||
| 87 | 110 | ||
| 111 | ok: | ||
| 88 | /* Handle two cases: | 112 | /* Handle two cases: |
| 89 | * 1. A deleted dentry && profile is not allowing mediation of deleted | 113 | * 1. A deleted dentry && profile is not allowing mediation of deleted |
| 90 | * 2. On some filesystems, newly allocated dentries appear to the | 114 | * 2. On some filesystems, newly allocated dentries appear to the |
| @@ -97,10 +121,7 @@ static int d_namespace_path(struct path *path, char *buf, int buflen, | |||
| 97 | goto out; | 121 | goto out; |
| 98 | } | 122 | } |
| 99 | 123 | ||
| 100 | /* Determine if the path is connected to the expected root */ | 124 | /* If the path is not connected to the expected root, |
| 101 | connected = tmp.dentry == root.dentry && tmp.mnt == root.mnt; | ||
| 102 | |||
| 103 | /* If the path is not connected, | ||
| 104 | * check if it is a sysctl and handle specially else remove any | 125 | * check if it is a sysctl and handle specially else remove any |
| 105 | * leading / that __d_path may have returned. | 126 | * leading / that __d_path may have returned. |
| 106 | * Unless | 127 | * Unless |
| @@ -112,17 +133,9 @@ static int d_namespace_path(struct path *path, char *buf, int buflen, | |||
| 112 | * namespace root. | 133 | * namespace root. |
| 113 | */ | 134 | */ |
| 114 | if (!connected) { | 135 | if (!connected) { |
| 115 | /* is the disconnect path a sysctl? */ | 136 | if (!(flags & PATH_CONNECT_PATH) && |
| 116 | if (tmp.dentry->d_sb->s_magic == PROC_SUPER_MAGIC && | ||
| 117 | strncmp(*name, "/sys/", 5) == 0) { | ||
| 118 | /* TODO: convert over to using a per namespace | ||
| 119 | * control instead of hard coded /proc | ||
| 120 | */ | ||
| 121 | error = prepend(name, *name - buf, "/proc", 5); | ||
| 122 | } else if (!(flags & PATH_CONNECT_PATH) && | ||
| 123 | !(((flags & CHROOT_NSCONNECT) == CHROOT_NSCONNECT) && | 137 | !(((flags & CHROOT_NSCONNECT) == CHROOT_NSCONNECT) && |
| 124 | (tmp.mnt == current->nsproxy->mnt_ns->root && | 138 | our_mnt(path->mnt))) { |
| 125 | tmp.dentry == tmp.mnt->mnt_root))) { | ||
| 126 | /* disconnected path, don't return pathname starting | 139 | /* disconnected path, don't return pathname starting |
| 127 | * with '/' | 140 | * with '/' |
| 128 | */ | 141 | */ |
| @@ -133,8 +146,6 @@ static int d_namespace_path(struct path *path, char *buf, int buflen, | |||
| 133 | } | 146 | } |
| 134 | 147 | ||
| 135 | out: | 148 | out: |
| 136 | path_put(&root); | ||
| 137 | |||
| 138 | return error; | 149 | return error; |
| 139 | } | 150 | } |
| 140 | 151 | ||
diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c index 5dd5b140242c..8738deff26fa 100644 --- a/security/integrity/evm/evm_crypto.c +++ b/security/integrity/evm/evm_crypto.c | |||
| @@ -27,20 +27,35 @@ static int evmkey_len = MAX_KEY_SIZE; | |||
| 27 | 27 | ||
| 28 | struct crypto_shash *hmac_tfm; | 28 | struct crypto_shash *hmac_tfm; |
| 29 | 29 | ||
| 30 | static DEFINE_MUTEX(mutex); | ||
| 31 | |||
| 30 | static struct shash_desc *init_desc(void) | 32 | static struct shash_desc *init_desc(void) |
| 31 | { | 33 | { |
| 32 | int rc; | 34 | int rc; |
| 33 | struct shash_desc *desc; | 35 | struct shash_desc *desc; |
| 34 | 36 | ||
| 35 | if (hmac_tfm == NULL) { | 37 | if (hmac_tfm == NULL) { |
| 38 | mutex_lock(&mutex); | ||
| 39 | if (hmac_tfm) | ||
| 40 | goto out; | ||
| 36 | hmac_tfm = crypto_alloc_shash(evm_hmac, 0, CRYPTO_ALG_ASYNC); | 41 | hmac_tfm = crypto_alloc_shash(evm_hmac, 0, CRYPTO_ALG_ASYNC); |
| 37 | if (IS_ERR(hmac_tfm)) { | 42 | if (IS_ERR(hmac_tfm)) { |
| 38 | pr_err("Can not allocate %s (reason: %ld)\n", | 43 | pr_err("Can not allocate %s (reason: %ld)\n", |
| 39 | evm_hmac, PTR_ERR(hmac_tfm)); | 44 | evm_hmac, PTR_ERR(hmac_tfm)); |
| 40 | rc = PTR_ERR(hmac_tfm); | 45 | rc = PTR_ERR(hmac_tfm); |
| 41 | hmac_tfm = NULL; | 46 | hmac_tfm = NULL; |
| 47 | mutex_unlock(&mutex); | ||
| 48 | return ERR_PTR(rc); | ||
| 49 | } | ||
| 50 | rc = crypto_shash_setkey(hmac_tfm, evmkey, evmkey_len); | ||
| 51 | if (rc) { | ||
| 52 | crypto_free_shash(hmac_tfm); | ||
| 53 | hmac_tfm = NULL; | ||
| 54 | mutex_unlock(&mutex); | ||
| 42 | return ERR_PTR(rc); | 55 | return ERR_PTR(rc); |
| 43 | } | 56 | } |
| 57 | out: | ||
| 58 | mutex_unlock(&mutex); | ||
| 44 | } | 59 | } |
| 45 | 60 | ||
| 46 | desc = kmalloc(sizeof(*desc) + crypto_shash_descsize(hmac_tfm), | 61 | desc = kmalloc(sizeof(*desc) + crypto_shash_descsize(hmac_tfm), |
| @@ -51,11 +66,7 @@ static struct shash_desc *init_desc(void) | |||
| 51 | desc->tfm = hmac_tfm; | 66 | desc->tfm = hmac_tfm; |
| 52 | desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP; | 67 | desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP; |
| 53 | 68 | ||
| 54 | rc = crypto_shash_setkey(hmac_tfm, evmkey, evmkey_len); | ||
| 55 | if (rc) | ||
| 56 | goto out; | ||
| 57 | rc = crypto_shash_init(desc); | 69 | rc = crypto_shash_init(desc); |
| 58 | out: | ||
| 59 | if (rc) { | 70 | if (rc) { |
| 60 | kfree(desc); | 71 | kfree(desc); |
| 61 | return ERR_PTR(rc); | 72 | return ERR_PTR(rc); |
diff --git a/security/selinux/netport.c b/security/selinux/netport.c index 0b62bd112461..7b9eb1faf68b 100644 --- a/security/selinux/netport.c +++ b/security/selinux/netport.c | |||
| @@ -123,7 +123,9 @@ static void sel_netport_insert(struct sel_netport *port) | |||
| 123 | if (sel_netport_hash[idx].size == SEL_NETPORT_HASH_BKT_LIMIT) { | 123 | if (sel_netport_hash[idx].size == SEL_NETPORT_HASH_BKT_LIMIT) { |
| 124 | struct sel_netport *tail; | 124 | struct sel_netport *tail; |
| 125 | tail = list_entry( | 125 | tail = list_entry( |
| 126 | rcu_dereference(sel_netport_hash[idx].list.prev), | 126 | rcu_dereference_protected( |
| 127 | sel_netport_hash[idx].list.prev, | ||
| 128 | lockdep_is_held(&sel_netport_lock)), | ||
| 127 | struct sel_netport, list); | 129 | struct sel_netport, list); |
| 128 | list_del_rcu(&tail->list); | 130 | list_del_rcu(&tail->list); |
| 129 | kfree_rcu(tail, rcu); | 131 | kfree_rcu(tail, rcu); |
diff --git a/security/tomoyo/realpath.c b/security/tomoyo/realpath.c index 738bbdf8d4c7..d9f3ced8756e 100644 --- a/security/tomoyo/realpath.c +++ b/security/tomoyo/realpath.c | |||
| @@ -101,9 +101,8 @@ static char *tomoyo_get_absolute_path(struct path *path, char * const buffer, | |||
| 101 | { | 101 | { |
| 102 | char *pos = ERR_PTR(-ENOMEM); | 102 | char *pos = ERR_PTR(-ENOMEM); |
| 103 | if (buflen >= 256) { | 103 | if (buflen >= 256) { |
| 104 | struct path ns_root = { }; | ||
| 105 | /* go to whatever namespace root we are under */ | 104 | /* go to whatever namespace root we are under */ |
| 106 | pos = __d_path(path, &ns_root, buffer, buflen - 1); | 105 | pos = d_absolute_path(path, buffer, buflen - 1); |
| 107 | if (!IS_ERR(pos) && *pos == '/' && pos[1]) { | 106 | if (!IS_ERR(pos) && *pos == '/' && pos[1]) { |
| 108 | struct inode *inode = path->dentry->d_inode; | 107 | struct inode *inode = path->dentry->d_inode; |
| 109 | if (inode && S_ISDIR(inode->i_mode)) { | 108 | if (inode && S_ISDIR(inode->i_mode)) { |
| @@ -294,8 +293,16 @@ char *tomoyo_realpath_from_path(struct path *path) | |||
| 294 | pos = tomoyo_get_local_path(path->dentry, buf, | 293 | pos = tomoyo_get_local_path(path->dentry, buf, |
| 295 | buf_len - 1); | 294 | buf_len - 1); |
| 296 | /* Get absolute name for the rest. */ | 295 | /* Get absolute name for the rest. */ |
| 297 | else | 296 | else { |
| 298 | pos = tomoyo_get_absolute_path(path, buf, buf_len - 1); | 297 | pos = tomoyo_get_absolute_path(path, buf, buf_len - 1); |
| 298 | /* | ||
| 299 | * Fall back to local name if absolute name is not | ||
| 300 | * available. | ||
| 301 | */ | ||
| 302 | if (pos == ERR_PTR(-EINVAL)) | ||
| 303 | pos = tomoyo_get_local_path(path->dentry, buf, | ||
| 304 | buf_len - 1); | ||
| 305 | } | ||
| 299 | encode: | 306 | encode: |
| 300 | if (IS_ERR(pos)) | 307 | if (IS_ERR(pos)) |
| 301 | continue; | 308 | continue; |