diff options
Diffstat (limited to 'security/yama')
-rw-r--r-- | security/yama/Kconfig | 8 | ||||
-rw-r--r-- | security/yama/yama_lsm.c | 16 |
2 files changed, 19 insertions, 5 deletions
diff --git a/security/yama/Kconfig b/security/yama/Kconfig index 51d6709d8bbd..20ef5143c0c0 100644 --- a/security/yama/Kconfig +++ b/security/yama/Kconfig | |||
@@ -11,3 +11,11 @@ config SECURITY_YAMA | |||
11 | Further information can be found in Documentation/security/Yama.txt. | 11 | Further information can be found in Documentation/security/Yama.txt. |
12 | 12 | ||
13 | If you are unsure how to answer this question, answer N. | 13 | If you are unsure how to answer this question, answer N. |
14 | |||
15 | config SECURITY_YAMA_STACKED | ||
16 | bool "Yama stacked with other LSMs" | ||
17 | depends on SECURITY_YAMA | ||
18 | default n | ||
19 | help | ||
20 | When Yama is built into the kernel, force it to stack with the | ||
21 | selected primary LSM. | ||
diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c index 0cc99a3ea42d..b4c29848b49d 100644 --- a/security/yama/yama_lsm.c +++ b/security/yama/yama_lsm.c | |||
@@ -100,7 +100,7 @@ static void yama_ptracer_del(struct task_struct *tracer, | |||
100 | * yama_task_free - check for task_pid to remove from exception list | 100 | * yama_task_free - check for task_pid to remove from exception list |
101 | * @task: task being removed | 101 | * @task: task being removed |
102 | */ | 102 | */ |
103 | static void yama_task_free(struct task_struct *task) | 103 | void yama_task_free(struct task_struct *task) |
104 | { | 104 | { |
105 | yama_ptracer_del(task, task); | 105 | yama_ptracer_del(task, task); |
106 | } | 106 | } |
@@ -116,7 +116,7 @@ static void yama_task_free(struct task_struct *task) | |||
116 | * Return 0 on success, -ve on error. -ENOSYS is returned when Yama | 116 | * Return 0 on success, -ve on error. -ENOSYS is returned when Yama |
117 | * does not handle the given option. | 117 | * does not handle the given option. |
118 | */ | 118 | */ |
119 | static int yama_task_prctl(int option, unsigned long arg2, unsigned long arg3, | 119 | int yama_task_prctl(int option, unsigned long arg2, unsigned long arg3, |
120 | unsigned long arg4, unsigned long arg5) | 120 | unsigned long arg4, unsigned long arg5) |
121 | { | 121 | { |
122 | int rc; | 122 | int rc; |
@@ -143,7 +143,7 @@ static int yama_task_prctl(int option, unsigned long arg2, unsigned long arg3, | |||
143 | if (arg2 == 0) { | 143 | if (arg2 == 0) { |
144 | yama_ptracer_del(NULL, myself); | 144 | yama_ptracer_del(NULL, myself); |
145 | rc = 0; | 145 | rc = 0; |
146 | } else if (arg2 == PR_SET_PTRACER_ANY) { | 146 | } else if (arg2 == PR_SET_PTRACER_ANY || (int)arg2 == -1) { |
147 | rc = yama_ptracer_add(NULL, myself); | 147 | rc = yama_ptracer_add(NULL, myself); |
148 | } else { | 148 | } else { |
149 | struct task_struct *tracer; | 149 | struct task_struct *tracer; |
@@ -243,7 +243,7 @@ static int ptracer_exception_found(struct task_struct *tracer, | |||
243 | * | 243 | * |
244 | * Returns 0 if following the ptrace is allowed, -ve on error. | 244 | * Returns 0 if following the ptrace is allowed, -ve on error. |
245 | */ | 245 | */ |
246 | static int yama_ptrace_access_check(struct task_struct *child, | 246 | int yama_ptrace_access_check(struct task_struct *child, |
247 | unsigned int mode) | 247 | unsigned int mode) |
248 | { | 248 | { |
249 | int rc; | 249 | int rc; |
@@ -293,7 +293,7 @@ static int yama_ptrace_access_check(struct task_struct *child, | |||
293 | * | 293 | * |
294 | * Returns 0 if following the ptrace is allowed, -ve on error. | 294 | * Returns 0 if following the ptrace is allowed, -ve on error. |
295 | */ | 295 | */ |
296 | static int yama_ptrace_traceme(struct task_struct *parent) | 296 | int yama_ptrace_traceme(struct task_struct *parent) |
297 | { | 297 | { |
298 | int rc; | 298 | int rc; |
299 | 299 | ||
@@ -324,6 +324,7 @@ static int yama_ptrace_traceme(struct task_struct *parent) | |||
324 | return rc; | 324 | return rc; |
325 | } | 325 | } |
326 | 326 | ||
327 | #ifndef CONFIG_SECURITY_YAMA_STACKED | ||
327 | static struct security_operations yama_ops = { | 328 | static struct security_operations yama_ops = { |
328 | .name = "yama", | 329 | .name = "yama", |
329 | 330 | ||
@@ -332,6 +333,7 @@ static struct security_operations yama_ops = { | |||
332 | .task_prctl = yama_task_prctl, | 333 | .task_prctl = yama_task_prctl, |
333 | .task_free = yama_task_free, | 334 | .task_free = yama_task_free, |
334 | }; | 335 | }; |
336 | #endif | ||
335 | 337 | ||
336 | #ifdef CONFIG_SYSCTL | 338 | #ifdef CONFIG_SYSCTL |
337 | static int yama_dointvec_minmax(struct ctl_table *table, int write, | 339 | static int yama_dointvec_minmax(struct ctl_table *table, int write, |
@@ -378,13 +380,17 @@ static struct ctl_table yama_sysctl_table[] = { | |||
378 | 380 | ||
379 | static __init int yama_init(void) | 381 | static __init int yama_init(void) |
380 | { | 382 | { |
383 | #ifndef CONFIG_SECURITY_YAMA_STACKED | ||
381 | if (!security_module_enable(&yama_ops)) | 384 | if (!security_module_enable(&yama_ops)) |
382 | return 0; | 385 | return 0; |
386 | #endif | ||
383 | 387 | ||
384 | printk(KERN_INFO "Yama: becoming mindful.\n"); | 388 | printk(KERN_INFO "Yama: becoming mindful.\n"); |
385 | 389 | ||
390 | #ifndef CONFIG_SECURITY_YAMA_STACKED | ||
386 | if (register_security(&yama_ops)) | 391 | if (register_security(&yama_ops)) |
387 | panic("Yama: kernel registration failed.\n"); | 392 | panic("Yama: kernel registration failed.\n"); |
393 | #endif | ||
388 | 394 | ||
389 | #ifdef CONFIG_SYSCTL | 395 | #ifdef CONFIG_SYSCTL |
390 | if (!register_sysctl_paths(yama_sysctl_path, yama_sysctl_table)) | 396 | if (!register_sysctl_paths(yama_sysctl_path, yama_sysctl_table)) |