diff options
| -rw-r--r-- | include/linux/security.h | 9 | ||||
| -rw-r--r-- | kernel/printk.c | 15 | ||||
| -rw-r--r-- | security/capability.c | 5 | ||||
| -rw-r--r-- | security/commoncap.c | 21 | ||||
| -rw-r--r-- | security/security.c | 4 | ||||
| -rw-r--r-- | security/selinux/hooks.c | 6 | ||||
| -rw-r--r-- | security/smack/smack_lsm.c | 8 |
7 files changed, 28 insertions, 40 deletions
diff --git a/include/linux/security.h b/include/linux/security.h index b8246a8df7d2..fd4d55fb8845 100644 --- a/include/linux/security.h +++ b/include/linux/security.h | |||
| @@ -77,7 +77,6 @@ extern int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3, | |||
| 77 | extern int cap_task_setscheduler(struct task_struct *p); | 77 | extern int cap_task_setscheduler(struct task_struct *p); |
| 78 | extern int cap_task_setioprio(struct task_struct *p, int ioprio); | 78 | extern int cap_task_setioprio(struct task_struct *p, int ioprio); |
| 79 | extern int cap_task_setnice(struct task_struct *p, int nice); | 79 | extern int cap_task_setnice(struct task_struct *p, int nice); |
| 80 | extern int cap_syslog(int type, bool from_file); | ||
| 81 | extern int cap_vm_enough_memory(struct mm_struct *mm, long pages); | 80 | extern int cap_vm_enough_memory(struct mm_struct *mm, long pages); |
| 82 | 81 | ||
| 83 | struct msghdr; | 82 | struct msghdr; |
| @@ -1388,7 +1387,7 @@ struct security_operations { | |||
| 1388 | int (*sysctl) (struct ctl_table *table, int op); | 1387 | int (*sysctl) (struct ctl_table *table, int op); |
| 1389 | int (*quotactl) (int cmds, int type, int id, struct super_block *sb); | 1388 | int (*quotactl) (int cmds, int type, int id, struct super_block *sb); |
| 1390 | int (*quota_on) (struct dentry *dentry); | 1389 | int (*quota_on) (struct dentry *dentry); |
| 1391 | int (*syslog) (int type, bool from_file); | 1390 | int (*syslog) (int type); |
| 1392 | int (*settime) (struct timespec *ts, struct timezone *tz); | 1391 | int (*settime) (struct timespec *ts, struct timezone *tz); |
| 1393 | int (*vm_enough_memory) (struct mm_struct *mm, long pages); | 1392 | int (*vm_enough_memory) (struct mm_struct *mm, long pages); |
| 1394 | 1393 | ||
| @@ -1671,7 +1670,7 @@ int security_real_capable_noaudit(struct task_struct *tsk, int cap); | |||
| 1671 | int security_sysctl(struct ctl_table *table, int op); | 1670 | int security_sysctl(struct ctl_table *table, int op); |
| 1672 | int security_quotactl(int cmds, int type, int id, struct super_block *sb); | 1671 | int security_quotactl(int cmds, int type, int id, struct super_block *sb); |
| 1673 | int security_quota_on(struct dentry *dentry); | 1672 | int security_quota_on(struct dentry *dentry); |
| 1674 | int security_syslog(int type, bool from_file); | 1673 | int security_syslog(int type); |
| 1675 | int security_settime(struct timespec *ts, struct timezone *tz); | 1674 | int security_settime(struct timespec *ts, struct timezone *tz); |
| 1676 | int security_vm_enough_memory(long pages); | 1675 | int security_vm_enough_memory(long pages); |
| 1677 | int security_vm_enough_memory_mm(struct mm_struct *mm, long pages); | 1676 | int security_vm_enough_memory_mm(struct mm_struct *mm, long pages); |
| @@ -1901,9 +1900,9 @@ static inline int security_quota_on(struct dentry *dentry) | |||
| 1901 | return 0; | 1900 | return 0; |
| 1902 | } | 1901 | } |
| 1903 | 1902 | ||
| 1904 | static inline int security_syslog(int type, bool from_file) | 1903 | static inline int security_syslog(int type) |
| 1905 | { | 1904 | { |
| 1906 | return cap_syslog(type, from_file); | 1905 | return 0; |
| 1907 | } | 1906 | } |
| 1908 | 1907 | ||
| 1909 | static inline int security_settime(struct timespec *ts, struct timezone *tz) | 1908 | static inline int security_settime(struct timespec *ts, struct timezone *tz) |
diff --git a/kernel/printk.c b/kernel/printk.c index 38e7d5868d60..9a2264fc42ca 100644 --- a/kernel/printk.c +++ b/kernel/printk.c | |||
| @@ -274,7 +274,20 @@ int do_syslog(int type, char __user *buf, int len, bool from_file) | |||
| 274 | char c; | 274 | char c; |
| 275 | int error = 0; | 275 | int error = 0; |
| 276 | 276 | ||
| 277 | error = security_syslog(type, from_file); | 277 | /* |
| 278 | * If this is from /proc/kmsg we only do the capabilities checks | ||
| 279 | * at open time. | ||
| 280 | */ | ||
| 281 | if (type == SYSLOG_ACTION_OPEN || !from_file) { | ||
| 282 | if (dmesg_restrict && !capable(CAP_SYS_ADMIN)) | ||
| 283 | return -EPERM; | ||
| 284 | if ((type != SYSLOG_ACTION_READ_ALL && | ||
| 285 | type != SYSLOG_ACTION_SIZE_BUFFER) && | ||
| 286 | !capable(CAP_SYS_ADMIN)) | ||
| 287 | return -EPERM; | ||
| 288 | } | ||
| 289 | |||
| 290 | error = security_syslog(type); | ||
| 278 | if (error) | 291 | if (error) |
| 279 | return error; | 292 | return error; |
| 280 | 293 | ||
diff --git a/security/capability.c b/security/capability.c index 30ae00fbecd5..c773635ca3a0 100644 --- a/security/capability.c +++ b/security/capability.c | |||
| @@ -17,6 +17,11 @@ static int cap_sysctl(ctl_table *table, int op) | |||
| 17 | return 0; | 17 | return 0; |
| 18 | } | 18 | } |
| 19 | 19 | ||
| 20 | static int cap_syslog(int type) | ||
| 21 | { | ||
| 22 | return 0; | ||
| 23 | } | ||
| 24 | |||
| 20 | static int cap_quotactl(int cmds, int type, int id, struct super_block *sb) | 25 | static int cap_quotactl(int cmds, int type, int id, struct super_block *sb) |
| 21 | { | 26 | { |
| 22 | return 0; | 27 | return 0; |
diff --git a/security/commoncap.c b/security/commoncap.c index 04b80f9912bf..64c2ed9c9015 100644 --- a/security/commoncap.c +++ b/security/commoncap.c | |||
| @@ -27,7 +27,6 @@ | |||
| 27 | #include <linux/sched.h> | 27 | #include <linux/sched.h> |
| 28 | #include <linux/prctl.h> | 28 | #include <linux/prctl.h> |
| 29 | #include <linux/securebits.h> | 29 | #include <linux/securebits.h> |
| 30 | #include <linux/syslog.h> | ||
| 31 | 30 | ||
| 32 | /* | 31 | /* |
| 33 | * If a non-root user executes a setuid-root binary in | 32 | * If a non-root user executes a setuid-root binary in |
| @@ -884,26 +883,6 @@ error: | |||
| 884 | } | 883 | } |
| 885 | 884 | ||
| 886 | /** | 885 | /** |
| 887 | * cap_syslog - Determine whether syslog function is permitted | ||
| 888 | * @type: Function requested | ||
| 889 | * @from_file: Whether this request came from an open file (i.e. /proc) | ||
| 890 | * | ||
| 891 | * Determine whether the current process is permitted to use a particular | ||
| 892 | * syslog function, returning 0 if permission is granted, -ve if not. | ||
| 893 | */ | ||
| 894 | int cap_syslog(int type, bool from_file) | ||
| 895 | { | ||
| 896 | if (type != SYSLOG_ACTION_OPEN && from_file) | ||
| 897 | return 0; | ||
| 898 | if (dmesg_restrict && !capable(CAP_SYS_ADMIN)) | ||
| 899 | return -EPERM; | ||
| 900 | if ((type != SYSLOG_ACTION_READ_ALL && | ||
| 901 | type != SYSLOG_ACTION_SIZE_BUFFER) && !capable(CAP_SYS_ADMIN)) | ||
| 902 | return -EPERM; | ||
| 903 | return 0; | ||
| 904 | } | ||
| 905 | |||
| 906 | /** | ||
| 907 | * cap_vm_enough_memory - Determine whether a new virtual mapping is permitted | 886 | * cap_vm_enough_memory - Determine whether a new virtual mapping is permitted |
| 908 | * @mm: The VM space in which the new mapping is to be made | 887 | * @mm: The VM space in which the new mapping is to be made |
| 909 | * @pages: The size of the mapping | 888 | * @pages: The size of the mapping |
diff --git a/security/security.c b/security/security.c index 3ef5e2a7a741..1b798d3df710 100644 --- a/security/security.c +++ b/security/security.c | |||
| @@ -197,9 +197,9 @@ int security_quota_on(struct dentry *dentry) | |||
| 197 | return security_ops->quota_on(dentry); | 197 | return security_ops->quota_on(dentry); |
| 198 | } | 198 | } |
| 199 | 199 | ||
| 200 | int security_syslog(int type, bool from_file) | 200 | int security_syslog(int type) |
| 201 | { | 201 | { |
| 202 | return security_ops->syslog(type, from_file); | 202 | return security_ops->syslog(type); |
| 203 | } | 203 | } |
| 204 | 204 | ||
| 205 | int security_settime(struct timespec *ts, struct timezone *tz) | 205 | int security_settime(struct timespec *ts, struct timezone *tz) |
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index d9154cf90ae1..65fa8bf596f5 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
| @@ -1973,14 +1973,10 @@ static int selinux_quota_on(struct dentry *dentry) | |||
| 1973 | return dentry_has_perm(cred, NULL, dentry, FILE__QUOTAON); | 1973 | return dentry_has_perm(cred, NULL, dentry, FILE__QUOTAON); |
| 1974 | } | 1974 | } |
| 1975 | 1975 | ||
| 1976 | static int selinux_syslog(int type, bool from_file) | 1976 | static int selinux_syslog(int type) |
| 1977 | { | 1977 | { |
| 1978 | int rc; | 1978 | int rc; |
| 1979 | 1979 | ||
| 1980 | rc = cap_syslog(type, from_file); | ||
| 1981 | if (rc) | ||
| 1982 | return rc; | ||
| 1983 | |||
| 1984 | switch (type) { | 1980 | switch (type) { |
| 1985 | case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */ | 1981 | case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */ |
| 1986 | case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */ | 1982 | case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */ |
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index bc39f4067af6..489a85afa477 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c | |||
| @@ -157,15 +157,11 @@ static int smack_ptrace_traceme(struct task_struct *ptp) | |||
| 157 | * | 157 | * |
| 158 | * Returns 0 on success, error code otherwise. | 158 | * Returns 0 on success, error code otherwise. |
| 159 | */ | 159 | */ |
| 160 | static int smack_syslog(int type, bool from_file) | 160 | static int smack_syslog(int typefrom_file) |
| 161 | { | 161 | { |
| 162 | int rc; | 162 | int rc = 0; |
| 163 | char *sp = current_security(); | 163 | char *sp = current_security(); |
| 164 | 164 | ||
| 165 | rc = cap_syslog(type, from_file); | ||
| 166 | if (rc != 0) | ||
| 167 | return rc; | ||
| 168 | |||
| 169 | if (capable(CAP_MAC_OVERRIDE)) | 165 | if (capable(CAP_MAC_OVERRIDE)) |
| 170 | return 0; | 166 | return 0; |
| 171 | 167 | ||