8 files changed, 106 insertions, 17 deletions
diff --git a/security/capability.c b/security/capability.c
index 2c6e06d18fab..38ac54e3aed1 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -44,6 +44,7 @@ static struct security_operations capability_ops = {
        .task_setioprio =               cap_task_setioprio,
        .task_setnice =                 cap_task_setnice,
        .task_post_setuid =             cap_task_post_setuid,
+        .task_prctl =                   cap_task_prctl,
        .task_reparent_to_init =        cap_task_reparent_to_init,
        .syslog =                       cap_syslog,
diff --git a/security/commoncap.c b/security/commoncap.c
index 852905789caf..e8c3f5e46705 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -24,11 +24,8 @@
 #include <linux/hugetlb.h>
 #include <linux/mount.h>
 #include <linux/sched.h>
+#include <linux/prctl.h>
-/* Global security state */
+#include <linux/securebits.h>
-unsigned securebits = SECUREBITS_DEFAULT; /* systemwide security settings */
-EXPORT_SYMBOL(securebits);
 int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
 {
@@ -368,7 +365,7 @@ void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe)
        /* AUD: Audit candidate if current->cap_effective is set */
-        current->keep_capabilities = 0;
+        current->securebits &= ~issecure_mask(SECURE_KEEP_CAPS);
 }
 int cap_bprm_secureexec (struct linux_binprm *bprm)
@@ -448,7 +445,7 @@ static inline void cap_emulate_setxuid (int old_ruid, int old_euid,
 {
        if ((old_ruid == 0 || old_euid == 0 || old_suid == 0) &&
            (current->uid != 0 && current->euid != 0 && current->suid != 0) &&
-            !current->keep_capabilities) {
+            !issecure(SECURE_KEEP_CAPS)) {
                cap_clear (current->cap_permitted);
                cap_clear (current->cap_effective);
        }
@@ -547,7 +544,7 @@ int cap_task_setnice (struct task_struct *p, int nice)
 * this task could get inconsistent info.  There can be no
 * racing writer bc a task can only change its own caps.
 */
-long cap_prctl_drop(unsigned long cap)
+static long cap_prctl_drop(unsigned long cap)
 {
        if (!capable(CAP_SETPCAP))
                return -EPERM;
@@ -556,6 +553,7 @@ long cap_prctl_drop(unsigned long cap)
        cap_lower(current->cap_bset, cap);
        return 0;
 }
 #else
 int cap_task_setscheduler (struct task_struct *p, int policy,
                           struct sched_param *lp)
@@ -572,12 +570,99 @@ int cap_task_setnice (struct task_struct *p, int nice)
 }
 #endif
+int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
+                   unsigned long arg4, unsigned long arg5, long *rc_p)
+{
+        long error = 0;
+        switch (option) {
+        case PR_CAPBSET_READ:
+                if (!cap_valid(arg2))
+                        error = -EINVAL;
+                else
+                        error = !!cap_raised(current->cap_bset, arg2);
+                break;
+#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
+        case PR_CAPBSET_DROP:
+                error = cap_prctl_drop(arg2);
+                break;
+        /*
+         * The next four prctl's remain to assist with transitioning a
+         * system from legacy UID=0 based privilege (when filesystem
+         * capabilities are not in use) to a system using filesystem
+         * capabilities only - as the POSIX.1e draft intended.
+         *
+         * Note:
+         *
+         *  PR_SET_SECUREBITS =
+         *      issecure_mask(SECURE_KEEP_CAPS_LOCKED)
+         *    | issecure_mask(SECURE_NOROOT)
+         *    | issecure_mask(SECURE_NOROOT_LOCKED)
+         *    | issecure_mask(SECURE_NO_SETUID_FIXUP)
+         *    | issecure_mask(SECURE_NO_SETUID_FIXUP_LOCKED)
+         *
+         * will ensure that the current process and all of its
+         * children will be locked into a pure
+         * capability-based-privilege environment.
+         */
+        case PR_SET_SECUREBITS:
+                if ((((current->securebits & SECURE_ALL_LOCKS) >> 1)
+                     & (current->securebits ^ arg2))                  /*[1]*/
+                    || ((current->securebits & SECURE_ALL_LOCKS
+                         & ~arg2))                                    /*[2]*/
+                    || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS)) /*[3]*/
+                    || (cap_capable(current, CAP_SETPCAP) != 0)) {    /*[4]*/
+                        /*
+                         * [1] no changing of bits that are locked
+                         * [2] no unlocking of locks
+                         * [3] no setting of unsupported bits
+                         * [4] doing anything requires privilege (go read about
+                         *     the "sendmail capabilities bug")
+                         */
+                        error = -EPERM;  /* cannot change a locked bit */
+                } else {
+                        current->securebits = arg2;
+                }
+                break;
+        case PR_GET_SECUREBITS:
+                error = current->securebits;
+                break;
+#endif /* def CONFIG_SECURITY_FILE_CAPABILITIES */
+        case PR_GET_KEEPCAPS:
+                if (issecure(SECURE_KEEP_CAPS))
+                        error = 1;
+                break;
+        case PR_SET_KEEPCAPS:
+                if (arg2 > 1) /* Note, we rely on arg2 being unsigned here */
+                        error = -EINVAL;
+                else if (issecure(SECURE_KEEP_CAPS_LOCKED))
+                        error = -EPERM;
+                else if (arg2)
+                        current->securebits |= issecure_mask(SECURE_KEEP_CAPS);
+                else
+                        current->securebits &=
+                                ~issecure_mask(SECURE_KEEP_CAPS);
+                break;
+        default:
+                /* No functionality available - continue with default */
+                return 0;
+        }
+        /* Functionality provided */
+        *rc_p = error;
+        return 1;
+}
 void cap_task_reparent_to_init (struct task_struct *p)
 {
        cap_set_init_eff(p->cap_effective);
        cap_clear(p->cap_inheritable);
        cap_set_full(p->cap_permitted);
-        p->keep_capabilities = 0;
+        p->securebits = SECUREBITS_DEFAULT;
        return;
 }
diff --git a/security/dummy.c b/security/dummy.c
index b0232bbf427b..58d4dd1af5c7 100644
--- a/security/dummy.c
+++ b/security/dummy.c
@@ -604,7 +604,7 @@ static int dummy_task_kill (struct task_struct *p, struct siginfo *info,
 }
 static int dummy_task_prctl (int option, unsigned long arg2, unsigned long arg3,
-                             unsigned long arg4, unsigned long arg5)
+                             unsigned long arg4, unsigned long arg5, long *rc_p)
 {
        return 0;
 }
diff --git a/security/root_plug.c b/security/root_plug.c
index 6112d1404c81..a41cf42a4fa0 100644
--- a/security/root_plug.c
+++ b/security/root_plug.c
@@ -86,6 +86,7 @@ static struct security_operations rootplug_security_ops = {
        .task_post_setuid =             cap_task_post_setuid,
        .task_reparent_to_init =        cap_task_reparent_to_init,
+        .task_prctl =                   cap_task_prctl,
        .bprm_check_security =          rootplug_bprm_check_security,
 };
diff --git a/security/security.c b/security/security.c
index 8a285c7b9962..d5cb5898d967 100644
--- a/security/security.c
+++ b/security/security.c
@@ -733,9 +733,9 @@ int security_task_wait(struct task_struct *p)
 }
 int security_task_prctl(int option, unsigned long arg2, unsigned long arg3,
-                         unsigned long arg4, unsigned long arg5)
+                         unsigned long arg4, unsigned long arg5, long *rc_p)
 {
-        return security_ops->task_prctl(option, arg2, arg3, arg4, arg5);
+        return security_ops->task_prctl(option, arg2, arg3, arg4, arg5, rc_p);
 }
 void security_task_reparent_to_init(struct task_struct *p)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 308e2cf17d75..04acb5af8317 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3303,12 +3303,13 @@ static int selinux_task_prctl(int option,
                              unsigned long arg2,
                              unsigned long arg3,
                              unsigned long arg4,
-                              unsigned long arg5)
+                              unsigned long arg5,
+                              long *rc_p)
 {
        /* The current prctl operations do not appear to require
           any SELinux controls since they merely observe or modify
           the state of the current process. */
-        return 0;
+        return secondary_ops->task_prctl(option, arg2, arg3, arg4, arg5, rc_p);
 }
 static int selinux_task_wait(struct task_struct *p)
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 4215971434e6..77ec16a3b68b 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -1242,7 +1242,7 @@ static void smack_set_catset(char *catset, struct netlbl_lsm_secattr *sap)
        int rc;
        int byte;
-        if (catset == 0)
+        if (!catset)
                return;
        sap->flags |= NETLBL_SECATTR_MLS_CAT;
@@ -2495,6 +2495,7 @@ struct security_operations smack_ops = {
        .task_wait =                    smack_task_wait,
        .task_reparent_to_init =        cap_task_reparent_to_init,
        .task_to_inode =                smack_task_to_inode,
+        .task_prctl =                   cap_task_prctl,
        .ipc_permission =               smack_ipc_permission,
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index 6ba283783b70..a5da5a8cfe9b 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -317,7 +317,7 @@ static const struct file_operations smk_load_ops = {
 /**
 * smk_cipso_doi - initialize the CIPSO domain
 */
-void smk_cipso_doi(void)
+static void smk_cipso_doi(void)
 {
        int rc;
        struct cipso_v4_doi *doip;
@@ -350,7 +350,7 @@ void smk_cipso_doi(void)
 /**
 * smk_unlbl_ambient - initialize the unlabeled domain
 */
-void smk_unlbl_ambient(char *oldambient)
+static void smk_unlbl_ambient(char *oldambient)
 {
        int rc;
        struct netlbl_audit audit_info;

diff --git a/security/capability.c b/security/capability.c index 2c6e06d18fab..38ac54e3aed1 100644 --- a/security/capability.c +++ b/security/capability.c
@@ -44,6 +44,7 @@ static struct security_operations capability_ops = {
44	.task_setioprio = cap_task_setioprio,	44	.task_setioprio = cap_task_setioprio,
45	.task_setnice = cap_task_setnice,	45	.task_setnice = cap_task_setnice,
46	.task_post_setuid = cap_task_post_setuid,	46	.task_post_setuid = cap_task_post_setuid,
		47	.task_prctl = cap_task_prctl,
47	.task_reparent_to_init = cap_task_reparent_to_init,	48	.task_reparent_to_init = cap_task_reparent_to_init,
48		49
49	.syslog = cap_syslog,	50	.syslog = cap_syslog,


diff --git a/security/commoncap.c b/security/commoncap.c index 852905789caf..e8c3f5e46705 100644 --- a/security/commoncap.c +++ b/security/commoncap.c
@@ -24,11 +24,8 @@
24	#include <linux/hugetlb.h>	24	#include <linux/hugetlb.h>
25	#include <linux/mount.h>	25	#include <linux/mount.h>
26	#include <linux/sched.h>	26	#include <linux/sched.h>
27		27	#include <linux/prctl.h>
28	/* Global security state */	28	#include <linux/securebits.h>
29
30	unsigned securebits = SECUREBITS_DEFAULT; /* systemwide security settings */
31	EXPORT_SYMBOL(securebits);
32		29
33	int cap_netlink_send(struct sock sk, struct sk_buff skb)	30	int cap_netlink_send(struct sock sk, struct sk_buff skb)
34	{	31	{
@@ -368,7 +365,7 @@ void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe)
368		365
369	/* AUD: Audit candidate if current->cap_effective is set */	366	/* AUD: Audit candidate if current->cap_effective is set */
370		367
371	current->keep_capabilities = 0;	368	current->securebits &= ~issecure_mask(SECURE_KEEP_CAPS);
372	}	369	}
373		370
374	int cap_bprm_secureexec (struct linux_binprm *bprm)	371	int cap_bprm_secureexec (struct linux_binprm *bprm)
@@ -448,7 +445,7 @@ static inline void cap_emulate_setxuid (int old_ruid, int old_euid,
448	{	445	{
449	if ((old_ruid == 0 \|\| old_euid == 0 \|\| old_suid == 0) &&	446	if ((old_ruid == 0 \|\| old_euid == 0 \|\| old_suid == 0) &&
450	(current->uid != 0 && current->euid != 0 && current->suid != 0) &&	447	(current->uid != 0 && current->euid != 0 && current->suid != 0) &&
451	!current->keep_capabilities) {	448	!issecure(SECURE_KEEP_CAPS)) {
452	cap_clear (current->cap_permitted);	449	cap_clear (current->cap_permitted);
453	cap_clear (current->cap_effective);	450	cap_clear (current->cap_effective);
454	}	451	}
@@ -547,7 +544,7 @@ int cap_task_setnice (struct task_struct *p, int nice)
547	* this task could get inconsistent info. There can be no	544	* this task could get inconsistent info. There can be no
548	* racing writer bc a task can only change its own caps.	545	* racing writer bc a task can only change its own caps.
549	*/	546	*/
550	long cap_prctl_drop(unsigned long cap)	547	static long cap_prctl_drop(unsigned long cap)
551	{	548	{
552	if (!capable(CAP_SETPCAP))	549	if (!capable(CAP_SETPCAP))
553	return -EPERM;	550	return -EPERM;
@@ -556,6 +553,7 @@ long cap_prctl_drop(unsigned long cap)
556	cap_lower(current->cap_bset, cap);	553	cap_lower(current->cap_bset, cap);
557	return 0;	554	return 0;
558	}	555	}
		556
559	#else	557	#else
560	int cap_task_setscheduler (struct task_struct *p, int policy,	558	int cap_task_setscheduler (struct task_struct *p, int policy,
561	struct sched_param *lp)	559	struct sched_param *lp)
@@ -572,12 +570,99 @@ int cap_task_setnice (struct task_struct *p, int nice)
572	}	570	}
573	#endif	571	#endif
574		572
		573	int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
		574	unsigned long arg4, unsigned long arg5, long *rc_p)
		575	{
		576	long error = 0;
		577
		578	switch (option) {
		579	case PR_CAPBSET_READ:
		580	if (!cap_valid(arg2))
		581	error = -EINVAL;
		582	else
		583	error = !!cap_raised(current->cap_bset, arg2);
		584	break;
		585	#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
		586	case PR_CAPBSET_DROP:
		587	error = cap_prctl_drop(arg2);
		588	break;
		589
		590	/*
		591	* The next four prctl's remain to assist with transitioning a
		592	* system from legacy UID=0 based privilege (when filesystem
		593	* capabilities are not in use) to a system using filesystem
		594	* capabilities only - as the POSIX.1e draft intended.
		595	*
		596	* Note:
		597	*
		598	* PR_SET_SECUREBITS =
		599	* issecure_mask(SECURE_KEEP_CAPS_LOCKED)
		600	* \| issecure_mask(SECURE_NOROOT)
		601	* \| issecure_mask(SECURE_NOROOT_LOCKED)
		602	* \| issecure_mask(SECURE_NO_SETUID_FIXUP)
		603	* \| issecure_mask(SECURE_NO_SETUID_FIXUP_LOCKED)
		604	*
		605	* will ensure that the current process and all of its
		606	* children will be locked into a pure
		607	* capability-based-privilege environment.
		608	*/
		609	case PR_SET_SECUREBITS:
		610	if ((((current->securebits & SECURE_ALL_LOCKS) >> 1)
		611	& (current->securebits ^ arg2)) /[1]/
		612	\|\| ((current->securebits & SECURE_ALL_LOCKS
		613	& ~arg2)) /[2]/
		614	\|\| (arg2 & ~(SECURE_ALL_LOCKS \| SECURE_ALL_BITS)) /[3]/
		615	\|\| (cap_capable(current, CAP_SETPCAP) != 0)) { /[4]/
		616	/*
		617	* [1] no changing of bits that are locked
		618	* [2] no unlocking of locks
		619	* [3] no setting of unsupported bits
		620	* [4] doing anything requires privilege (go read about
		621	* the "sendmail capabilities bug")
		622	*/
		623	error = -EPERM; /* cannot change a locked bit */
		624	} else {
		625	current->securebits = arg2;
		626	}
		627	break;
		628	case PR_GET_SECUREBITS:
		629	error = current->securebits;
		630	break;
		631
		632	#endif /* def CONFIG_SECURITY_FILE_CAPABILITIES */
		633
		634	case PR_GET_KEEPCAPS:
		635	if (issecure(SECURE_KEEP_CAPS))
		636	error = 1;
		637	break;
		638	case PR_SET_KEEPCAPS:
		639	if (arg2 > 1) /* Note, we rely on arg2 being unsigned here */
		640	error = -EINVAL;
		641	else if (issecure(SECURE_KEEP_CAPS_LOCKED))
		642	error = -EPERM;
		643	else if (arg2)
		644	current->securebits \|= issecure_mask(SECURE_KEEP_CAPS);
		645	else
		646	current->securebits &=
		647	~issecure_mask(SECURE_KEEP_CAPS);
		648	break;
		649
		650	default:
		651	/* No functionality available - continue with default */
		652	return 0;
		653	}
		654
		655	/* Functionality provided */
		656	*rc_p = error;
		657	return 1;
		658	}
		659
575	void cap_task_reparent_to_init (struct task_struct *p)	660	void cap_task_reparent_to_init (struct task_struct *p)
576	{	661	{
577	cap_set_init_eff(p->cap_effective);	662	cap_set_init_eff(p->cap_effective);
578	cap_clear(p->cap_inheritable);	663	cap_clear(p->cap_inheritable);
579	cap_set_full(p->cap_permitted);	664	cap_set_full(p->cap_permitted);
580	p->keep_capabilities = 0;	665	p->securebits = SECUREBITS_DEFAULT;
581	return;	666	return;
582	}	667	}
583		668


diff --git a/security/dummy.c b/security/dummy.c index b0232bbf427b..58d4dd1af5c7 100644 --- a/security/dummy.c +++ b/security/dummy.c
@@ -604,7 +604,7 @@ static int dummy_task_kill (struct task_struct p, struct siginfo info,
604	}	604	}
605		605
606	static int dummy_task_prctl (int option, unsigned long arg2, unsigned long arg3,	606	static int dummy_task_prctl (int option, unsigned long arg2, unsigned long arg3,
607	unsigned long arg4, unsigned long arg5)	607	unsigned long arg4, unsigned long arg5, long *rc_p)
608	{	608	{
609	return 0;	609	return 0;
610	}	610	}


diff --git a/security/root_plug.c b/security/root_plug.c index 6112d1404c81..a41cf42a4fa0 100644 --- a/security/root_plug.c +++ b/security/root_plug.c
@@ -86,6 +86,7 @@ static struct security_operations rootplug_security_ops = {
86		86
87	.task_post_setuid = cap_task_post_setuid,	87	.task_post_setuid = cap_task_post_setuid,
88	.task_reparent_to_init = cap_task_reparent_to_init,	88	.task_reparent_to_init = cap_task_reparent_to_init,
		89	.task_prctl = cap_task_prctl,
89		90
90	.bprm_check_security = rootplug_bprm_check_security,	91	.bprm_check_security = rootplug_bprm_check_security,
91	};	92	};


diff --git a/security/security.c b/security/security.c index 8a285c7b9962..d5cb5898d967 100644 --- a/security/security.c +++ b/security/security.c
@@ -733,9 +733,9 @@ int security_task_wait(struct task_struct *p)
733	}	733	}
734		734
735	int security_task_prctl(int option, unsigned long arg2, unsigned long arg3,	735	int security_task_prctl(int option, unsigned long arg2, unsigned long arg3,
736	unsigned long arg4, unsigned long arg5)	736	unsigned long arg4, unsigned long arg5, long *rc_p)
737	{	737	{
738	return security_ops->task_prctl(option, arg2, arg3, arg4, arg5);	738	return security_ops->task_prctl(option, arg2, arg3, arg4, arg5, rc_p);
739	}	739	}
740		740
741	void security_task_reparent_to_init(struct task_struct *p)	741	void security_task_reparent_to_init(struct task_struct *p)


diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 308e2cf17d75..04acb5af8317 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c
@@ -3303,12 +3303,13 @@ static int selinux_task_prctl(int option,
3303	unsigned long arg2,	3303	unsigned long arg2,
3304	unsigned long arg3,	3304	unsigned long arg3,
3305	unsigned long arg4,	3305	unsigned long arg4,
3306	unsigned long arg5)	3306	unsigned long arg5,
		3307	long *rc_p)
3307	{	3308	{
3308	/* The current prctl operations do not appear to require	3309	/* The current prctl operations do not appear to require
3309	any SELinux controls since they merely observe or modify	3310	any SELinux controls since they merely observe or modify
3310	the state of the current process. */	3311	the state of the current process. */
3311	return 0;	3312	return secondary_ops->task_prctl(option, arg2, arg3, arg4, arg5, rc_p);
3312	}	3313	}
3313		3314
3314	static int selinux_task_wait(struct task_struct *p)	3315	static int selinux_task_wait(struct task_struct *p)


diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 4215971434e6..77ec16a3b68b 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c
@@ -1242,7 +1242,7 @@ static void smack_set_catset(char catset, struct netlbl_lsm_secattr sap)
1242	int rc;	1242	int rc;
1243	int byte;	1243	int byte;
1244		1244
1245	if (catset == 0)	1245	if (!catset)
1246	return;	1246	return;
1247		1247
1248	sap->flags \|= NETLBL_SECATTR_MLS_CAT;	1248	sap->flags \|= NETLBL_SECATTR_MLS_CAT;
@@ -2495,6 +2495,7 @@ struct security_operations smack_ops = {
2495	.task_wait = smack_task_wait,	2495	.task_wait = smack_task_wait,
2496	.task_reparent_to_init = cap_task_reparent_to_init,	2496	.task_reparent_to_init = cap_task_reparent_to_init,
2497	.task_to_inode = smack_task_to_inode,	2497	.task_to_inode = smack_task_to_inode,
		2498	.task_prctl = cap_task_prctl,
2498		2499
2499	.ipc_permission = smack_ipc_permission,	2500	.ipc_permission = smack_ipc_permission,
2500		2501


diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c index 6ba283783b70..a5da5a8cfe9b 100644 --- a/security/smack/smackfs.c +++ b/security/smack/smackfs.c
@@ -317,7 +317,7 @@ static const struct file_operations smk_load_ops = {
317	/**	317	/**
318	* smk_cipso_doi - initialize the CIPSO domain	318	* smk_cipso_doi - initialize the CIPSO domain
319	*/	319	*/
320	void smk_cipso_doi(void)	320	static void smk_cipso_doi(void)
321	{	321	{
322	int rc;	322	int rc;
323	struct cipso_v4_doi *doip;	323	struct cipso_v4_doi *doip;
@@ -350,7 +350,7 @@ void smk_cipso_doi(void)
350	/**	350	/**
351	* smk_unlbl_ambient - initialize the unlabeled domain	351	* smk_unlbl_ambient - initialize the unlabeled domain
352	*/	352	*/
353	void smk_unlbl_ambient(char *oldambient)	353	static void smk_unlbl_ambient(char *oldambient)
354	{	354	{
355	int rc;	355	int rc;
356	struct netlbl_audit audit_info;	356	struct netlbl_audit audit_info;