-rw-r--r-- | include/linux/security.h | 20 | ||||
-rw-r--r-- | kernel/sys.c | 15 | ||||
-rw-r--r-- | security/capability.c | 6 | ||||
-rw-r--r-- | security/security.c | 5 |
4 files changed, 0 insertions, 46 deletions
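--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -674,18 +674,6 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 * userspace to load a kernel module with the given name.
 * @kmod_name name of the module requested by the kernel
 * Return 0 if successful.
-* @task_setuid:
-* Check permission before setting one or more of the user identity
-* attributes of the current process. The @flags parameter indicates
-* which of the set*uid system calls invoked this hook and how to
-* interpret the @id0, @id1, and @id2 parameters. See the LSM_SETID
-* definitions at the beginning of this file for the @flags values and
-* their meanings.
-* @id0 contains a uid.
-* @id1 contains a uid.
-* @id2 contains a uid.
-* @flags contains one of the LSM_SETID_* values.
-* Return 0 if permission is granted.
 * @task_fix_setuid:
 * Update the module's state after setting one or more of the user
 * identity attributes of the current process. The @flags parameter
@@ -1536,7 +1524,6 @@ struct security_operations {
 int (*kernel_act_as)(struct cred *new, u32 secid);
 int (*kernel_create_files_as)(struct cred *new, struct inode *inode);
 int (*kernel_module_request)(char *kmod_name);
-int (*task_setuid) (uid_t id0, uid_t id1, uid_t id2, int flags);
 int (*task_fix_setuid) (struct cred *new, const struct cred *old,
 int flags);
 int (*task_setgid) (gid_t id0, gid_t id1, gid_t id2, int flags);
@@ -1793,7 +1780,6 @@ void security_transfer_creds(struct cred *new, const struct cred *old);
 int security_kernel_act_as(struct cred *new, u32 secid);
 int security_kernel_create_files_as(struct cred *new, struct inode *inode);
 int security_kernel_module_request(char *kmod_name);
-int security_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags);
 int security_task_fix_setuid(struct cred *new, const struct cred *old,
 int flags);
 int security_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags);
@@ -2330,12 +2316,6 @@ static inline int security_kernel_module_request(char *kmod_name)
 return 0;
 }
 
-static inline int security_task_setuid(uid_t id0, uid_t id1, uid_t id2,
-int flags)
-{
-return 0;
-}
-
 static inline int security_task_fix_setuid(struct cred *new,
 const struct cred *old,
 int flags)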
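--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -609,10 +609,6 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, uid_t, euid)
 return -ENOMEM;
 old = current_cred();
 
-retval = security_task_setuid(ruid, euid, (uid_t)-1, LSM_SETID_RE);
-if (retval)
-goto error;
-
 retval = -EPERM;
 if (ruid != (uid_t) -1) {
 new->uid = ruid;
@@ -674,10 +670,6 @@ SYSCALL_DEFINE1(setuid, uid_t, uid)
 return -ENOMEM;
 old = current_cred();
 
-retval = security_task_setuid(uid, (uid_t)-1, (uid_t)-1, LSM_SETID_ID);
-if (retval)
-goto error;
-
 retval = -EPERM;
 if (capable(CAP_SETUID)) {
 new->suid = new->uid = uid;
@@ -718,9 +710,6 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid, uid_t, euid, uid_t, suid)
 if (!new)
 return -ENOMEM;
 
-retval = security_task_setuid(ruid, euid, suid, LSM_SETID_RES);
-if (retval)
-goto error;
 old = current_cred();
 
 retval = -EPERM;
@@ -850,9 +839,6 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
 old = current_cred();
 old_fsuid = old->fsuid;
 
-if (security_task_setuid(uid, (uid_t)-1, (uid_t)-1, LSM_SETID_FS) < 0)
-goto error;
-
 if (uid == old->uid || uid == old->euid ||
 uid == old->suid || uid == old->fsuid ||
 capable(CAP_SETUID)) {
@@ -863,7 +849,6 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
 }
 }
 
-error:
 abort_creds(new);
 return old_fsuid;
 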
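--- a/security/capability.c
+++ b/security/capability.c
@@ -392,11 +392,6 @@ static int cap_kernel_module_request(char *kmod_name)
 return 0;
 }
 
-static int cap_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
-{
-return 0;
-}
-
 static int cap_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
 {
 return 0;
@@ -972,7 +967,6 @@ void security_fixup_ops(struct security_operations *ops)
 set_to_cap_if_null(ops, kernel_act_as);
 set_to_cap_if_null(ops, kernel_create_files_as);
 set_to_cap_if_null(ops, kernel_module_request);
-set_to_cap_if_null(ops, task_setuid);
 set_to_cap_if_null(ops, task_fix_setuid);
 set_to_cap_if_null(ops, task_setgid);
 set_to_cap_if_null(ops, task_setpgid);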
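--- a/security/security.c
+++ b/security/security.c
@@ -732,11 +732,6 @@ int security_kernel_module_request(char *kmod_name)
 return security_ops->kernel_module_request(kmod_name);
 }
 
-int security_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
-{
-return security_ops->task_setuid(id0, id1, id2, flags);
-}
-
 int security_task_fix_setuid(struct cred *new, const struct cred *old,
 int flags)
 {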