aboutsummaryrefslogtreecommitdiffstats
path: root/security/selinux/hooks.c
diff options
context:
space:
mode:
Diffstat (limited to 'security/selinux/hooks.c')
-rw-r--r--security/selinux/hooks.c43
1 files changed, 24 insertions, 19 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 2fcad7c33eaf..8d8b69c5664e 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1285,6 +1285,8 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
1285 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX, 1285 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1286 context, len); 1286 context, len);
1287 if (rc == -ERANGE) { 1287 if (rc == -ERANGE) {
1288 kfree(context);
1289
1288 /* Need a larger buffer. Query for the right size. */ 1290 /* Need a larger buffer. Query for the right size. */
1289 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX, 1291 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1290 NULL, 0); 1292 NULL, 0);
@@ -1292,7 +1294,6 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
1292 dput(dentry); 1294 dput(dentry);
1293 goto out_unlock; 1295 goto out_unlock;
1294 } 1296 }
1295 kfree(context);
1296 len = rc; 1297 len = rc;
1297 context = kmalloc(len+1, GFP_NOFS); 1298 context = kmalloc(len+1, GFP_NOFS);
1298 if (!context) { 1299 if (!context) {
@@ -1980,10 +1981,6 @@ static int selinux_sysctl(ctl_table *table, int op)
1980 u32 tsid, sid; 1981 u32 tsid, sid;
1981 int rc; 1982 int rc;
1982 1983
1983 rc = secondary_ops->sysctl(table, op);
1984 if (rc)
1985 return rc;
1986
1987 sid = current_sid(); 1984 sid = current_sid();
1988 1985
1989 rc = selinux_sysctl_get_sid(table, (op == 0001) ? 1986 rc = selinux_sysctl_get_sid(table, (op == 0001) ?
@@ -2375,10 +2372,8 @@ static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2375{ 2372{
2376 const struct task_security_struct *tsec = current_security(); 2373 const struct task_security_struct *tsec = current_security();
2377 struct itimerval itimer; 2374 struct itimerval itimer;
2378 struct sighand_struct *psig;
2379 u32 osid, sid; 2375 u32 osid, sid;
2380 int rc, i; 2376 int rc, i;
2381 unsigned long flags;
2382 2377
2383 osid = tsec->osid; 2378 osid = tsec->osid;
2384 sid = tsec->sid; 2379 sid = tsec->sid;
@@ -2398,22 +2393,20 @@ static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2398 memset(&itimer, 0, sizeof itimer); 2393 memset(&itimer, 0, sizeof itimer);
2399 for (i = 0; i < 3; i++) 2394 for (i = 0; i < 3; i++)
2400 do_setitimer(i, &itimer, NULL); 2395 do_setitimer(i, &itimer, NULL);
2401 flush_signals(current);
2402 spin_lock_irq(&current->sighand->siglock); 2396 spin_lock_irq(&current->sighand->siglock);
2403 flush_signal_handlers(current, 1); 2397 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2404 sigemptyset(&current->blocked); 2398 __flush_signals(current);
2405 recalc_sigpending(); 2399 flush_signal_handlers(current, 1);
2400 sigemptyset(&current->blocked);
2401 }
2406 spin_unlock_irq(&current->sighand->siglock); 2402 spin_unlock_irq(&current->sighand->siglock);
2407 } 2403 }
2408 2404
2409 /* Wake up the parent if it is waiting so that it can recheck 2405 /* Wake up the parent if it is waiting so that it can recheck
2410 * wait permission to the new task SID. */ 2406 * wait permission to the new task SID. */
2411 read_lock_irq(&tasklist_lock); 2407 read_lock(&tasklist_lock);
2412 psig = current->parent->sighand; 2408 wake_up_interruptible(&current->real_parent->signal->wait_chldexit);
2413 spin_lock_irqsave(&psig->siglock, flags); 2409 read_unlock(&tasklist_lock);
2414 wake_up_interruptible(&current->parent->signal->wait_chldexit);
2415 spin_unlock_irqrestore(&psig->siglock, flags);
2416 read_unlock_irq(&tasklist_lock);
2417} 2410}
2418 2411
2419/* superblock security operations */ 2412/* superblock security operations */
@@ -3037,9 +3030,21 @@ static int selinux_file_mmap(struct file *file, unsigned long reqprot,
3037 int rc = 0; 3030 int rc = 0;
3038 u32 sid = current_sid(); 3031 u32 sid = current_sid();
3039 3032
3040 if (addr < mmap_min_addr) 3033 /*
3034 * notice that we are intentionally putting the SELinux check before
3035 * the secondary cap_file_mmap check. This is such a likely attempt
3036 * at bad behaviour/exploit that we always want to get the AVC, even
3037 * if DAC would have also denied the operation.
3038 */
3039 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3041 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT, 3040 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3042 MEMPROTECT__MMAP_ZERO, NULL); 3041 MEMPROTECT__MMAP_ZERO, NULL);
3042 if (rc)
3043 return rc;
3044 }
3045
3046 /* do DAC check on address space usage */
3047 rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
3043 if (rc || addr_only) 3048 if (rc || addr_only)
3044 return rc; 3049 return rc;
3045 3050
@@ -4503,7 +4508,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4503 * when the packet is on it's final way out. 4508 * when the packet is on it's final way out.
4504 * NOTE: there appear to be some IPv6 multicast cases where skb->dst 4509 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4505 * is NULL, in this case go ahead and apply access control. */ 4510 * is NULL, in this case go ahead and apply access control. */
4506 if (skb->dst != NULL && skb->dst->xfrm != NULL) 4511 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL)
4507 return NF_ACCEPT; 4512 return NF_ACCEPT;
4508#endif 4513#endif
4509 secmark_active = selinux_secmark_enabled(); 4514 secmark_active = selinux_secmark_enabled();
generated by cgit v1.2.2 (git 2.25.0) at 2025-10-04 19:05:12 -0400