diff options
Diffstat (limited to 'security')
| -rw-r--r-- | security/capability.c | 3 | ||||
| -rw-r--r-- | security/security.c | 5 | ||||
| -rw-r--r-- | security/selinux/hooks.c | 54 | ||||
| -rw-r--r-- | security/smack/smack_lsm.c | 3 |
4 files changed, 18 insertions, 47 deletions
diff --git a/security/capability.c b/security/capability.c index 5b01c0b02422..63d10da515a5 100644 --- a/security/capability.c +++ b/security/capability.c | |||
| @@ -211,8 +211,7 @@ static int cap_inode_follow_link(struct dentry *dentry, | |||
| 211 | return 0; | 211 | return 0; |
| 212 | } | 212 | } |
| 213 | 213 | ||
| 214 | static int cap_inode_permission(struct inode *inode, int mask, | 214 | static int cap_inode_permission(struct inode *inode, int mask) |
| 215 | struct nameidata *nd) | ||
| 216 | { | 215 | { |
| 217 | return 0; | 216 | return 0; |
| 218 | } | 217 | } |
diff --git a/security/security.c b/security/security.c index 59f23b5918b3..ff7068727757 100644 --- a/security/security.c +++ b/security/security.c | |||
| @@ -429,11 +429,11 @@ int security_inode_follow_link(struct dentry *dentry, struct nameidata *nd) | |||
| 429 | return security_ops->inode_follow_link(dentry, nd); | 429 | return security_ops->inode_follow_link(dentry, nd); |
| 430 | } | 430 | } |
| 431 | 431 | ||
| 432 | int security_inode_permission(struct inode *inode, int mask, struct nameidata *nd) | 432 | int security_inode_permission(struct inode *inode, int mask) |
| 433 | { | 433 | { |
| 434 | if (unlikely(IS_PRIVATE(inode))) | 434 | if (unlikely(IS_PRIVATE(inode))) |
| 435 | return 0; | 435 | return 0; |
| 436 | return security_ops->inode_permission(inode, mask, nd); | 436 | return security_ops->inode_permission(inode, mask); |
| 437 | } | 437 | } |
| 438 | 438 | ||
| 439 | int security_inode_setattr(struct dentry *dentry, struct iattr *attr) | 439 | int security_inode_setattr(struct dentry *dentry, struct iattr *attr) |
| @@ -442,6 +442,7 @@ int security_inode_setattr(struct dentry *dentry, struct iattr *attr) | |||
| 442 | return 0; | 442 | return 0; |
| 443 | return security_ops->inode_setattr(dentry, attr); | 443 | return security_ops->inode_setattr(dentry, attr); |
| 444 | } | 444 | } |
| 445 | EXPORT_SYMBOL_GPL(security_inode_setattr); | ||
| 445 | 446 | ||
| 446 | int security_inode_getattr(struct vfsmount *mnt, struct dentry *dentry) | 447 | int security_inode_getattr(struct vfsmount *mnt, struct dentry *dentry) |
| 447 | { | 448 | { |
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 63f131fc42e4..40d06c533f89 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
| @@ -25,7 +25,7 @@ | |||
| 25 | 25 | ||
| 26 | #include <linux/init.h> | 26 | #include <linux/init.h> |
| 27 | #include <linux/kernel.h> | 27 | #include <linux/kernel.h> |
| 28 | #include <linux/ptrace.h> | 28 | #include <linux/tracehook.h> |
| 29 | #include <linux/errno.h> | 29 | #include <linux/errno.h> |
| 30 | #include <linux/sched.h> | 30 | #include <linux/sched.h> |
| 31 | #include <linux/security.h> | 31 | #include <linux/security.h> |
| @@ -1971,22 +1971,6 @@ static int selinux_vm_enough_memory(struct mm_struct *mm, long pages) | |||
| 1971 | return __vm_enough_memory(mm, pages, cap_sys_admin); | 1971 | return __vm_enough_memory(mm, pages, cap_sys_admin); |
| 1972 | } | 1972 | } |
| 1973 | 1973 | ||
| 1974 | /** | ||
| 1975 | * task_tracer_task - return the task that is tracing the given task | ||
| 1976 | * @task: task to consider | ||
| 1977 | * | ||
| 1978 | * Returns NULL if noone is tracing @task, or the &struct task_struct | ||
| 1979 | * pointer to its tracer. | ||
| 1980 | * | ||
| 1981 | * Must be called under rcu_read_lock(). | ||
| 1982 | */ | ||
| 1983 | static struct task_struct *task_tracer_task(struct task_struct *task) | ||
| 1984 | { | ||
| 1985 | if (task->ptrace & PT_PTRACED) | ||
| 1986 | return rcu_dereference(task->parent); | ||
| 1987 | return NULL; | ||
| 1988 | } | ||
| 1989 | |||
| 1990 | /* binprm security operations */ | 1974 | /* binprm security operations */ |
| 1991 | 1975 | ||
| 1992 | static int selinux_bprm_alloc_security(struct linux_binprm *bprm) | 1976 | static int selinux_bprm_alloc_security(struct linux_binprm *bprm) |
| @@ -2238,7 +2222,7 @@ static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe) | |||
| 2238 | u32 ptsid = 0; | 2222 | u32 ptsid = 0; |
| 2239 | 2223 | ||
| 2240 | rcu_read_lock(); | 2224 | rcu_read_lock(); |
| 2241 | tracer = task_tracer_task(current); | 2225 | tracer = tracehook_tracer_task(current); |
| 2242 | if (likely(tracer != NULL)) { | 2226 | if (likely(tracer != NULL)) { |
| 2243 | sec = tracer->security; | 2227 | sec = tracer->security; |
| 2244 | ptsid = sec->sid; | 2228 | ptsid = sec->sid; |
| @@ -2640,12 +2624,11 @@ static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *na | |||
| 2640 | return dentry_has_perm(current, NULL, dentry, FILE__READ); | 2624 | return dentry_has_perm(current, NULL, dentry, FILE__READ); |
| 2641 | } | 2625 | } |
| 2642 | 2626 | ||
| 2643 | static int selinux_inode_permission(struct inode *inode, int mask, | 2627 | static int selinux_inode_permission(struct inode *inode, int mask) |
| 2644 | struct nameidata *nd) | ||
| 2645 | { | 2628 | { |
| 2646 | int rc; | 2629 | int rc; |
| 2647 | 2630 | ||
| 2648 | rc = secondary_ops->inode_permission(inode, mask, nd); | 2631 | rc = secondary_ops->inode_permission(inode, mask); |
| 2649 | if (rc) | 2632 | if (rc) |
| 2650 | return rc; | 2633 | return rc; |
| 2651 | 2634 | ||
| @@ -5247,7 +5230,7 @@ static int selinux_setprocattr(struct task_struct *p, | |||
| 5247 | Otherwise, leave SID unchanged and fail. */ | 5230 | Otherwise, leave SID unchanged and fail. */ |
| 5248 | task_lock(p); | 5231 | task_lock(p); |
| 5249 | rcu_read_lock(); | 5232 | rcu_read_lock(); |
| 5250 | tracer = task_tracer_task(p); | 5233 | tracer = tracehook_tracer_task(p); |
| 5251 | if (tracer != NULL) { | 5234 | if (tracer != NULL) { |
| 5252 | struct task_security_struct *ptsec = tracer->security; | 5235 | struct task_security_struct *ptsec = tracer->security; |
| 5253 | u32 ptsid = ptsec->sid; | 5236 | u32 ptsid = ptsec->sid; |
| @@ -5670,27 +5653,20 @@ static struct nf_hook_ops selinux_ipv6_ops[] = { | |||
| 5670 | static int __init selinux_nf_ip_init(void) | 5653 | static int __init selinux_nf_ip_init(void) |
| 5671 | { | 5654 | { |
| 5672 | int err = 0; | 5655 | int err = 0; |
| 5673 | u32 iter; | ||
| 5674 | 5656 | ||
| 5675 | if (!selinux_enabled) | 5657 | if (!selinux_enabled) |
| 5676 | goto out; | 5658 | goto out; |
| 5677 | 5659 | ||
| 5678 | printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n"); | 5660 | printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n"); |
| 5679 | 5661 | ||
| 5680 | for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++) { | 5662 | err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops)); |
| 5681 | err = nf_register_hook(&selinux_ipv4_ops[iter]); | 5663 | if (err) |
| 5682 | if (err) | 5664 | panic("SELinux: nf_register_hooks for IPv4: error %d\n", err); |
| 5683 | panic("SELinux: nf_register_hook for IPv4: error %d\n", | ||
| 5684 | err); | ||
| 5685 | } | ||
| 5686 | 5665 | ||
| 5687 | #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) | 5666 | #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) |
| 5688 | for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++) { | 5667 | err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops)); |
| 5689 | err = nf_register_hook(&selinux_ipv6_ops[iter]); | 5668 | if (err) |
| 5690 | if (err) | 5669 | panic("SELinux: nf_register_hooks for IPv6: error %d\n", err); |
| 5691 | panic("SELinux: nf_register_hook for IPv6: error %d\n", | ||
| 5692 | err); | ||
| 5693 | } | ||
| 5694 | #endif /* IPV6 */ | 5670 | #endif /* IPV6 */ |
| 5695 | 5671 | ||
| 5696 | out: | 5672 | out: |
| @@ -5702,15 +5678,11 @@ __initcall(selinux_nf_ip_init); | |||
| 5702 | #ifdef CONFIG_SECURITY_SELINUX_DISABLE | 5678 | #ifdef CONFIG_SECURITY_SELINUX_DISABLE |
| 5703 | static void selinux_nf_ip_exit(void) | 5679 | static void selinux_nf_ip_exit(void) |
| 5704 | { | 5680 | { |
| 5705 | u32 iter; | ||
| 5706 | |||
| 5707 | printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n"); | 5681 | printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n"); |
| 5708 | 5682 | ||
| 5709 | for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++) | 5683 | nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops)); |
| 5710 | nf_unregister_hook(&selinux_ipv4_ops[iter]); | ||
| 5711 | #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) | 5684 | #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) |
| 5712 | for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++) | 5685 | nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops)); |
| 5713 | nf_unregister_hook(&selinux_ipv6_ops[iter]); | ||
| 5714 | #endif /* IPV6 */ | 5686 | #endif /* IPV6 */ |
| 5715 | } | 5687 | } |
| 5716 | #endif | 5688 | #endif |
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index ee5a51cbc5eb..1b40e558f983 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c | |||
| @@ -522,8 +522,7 @@ static int smack_inode_rename(struct inode *old_inode, | |||
| 522 | * | 522 | * |
| 523 | * Returns 0 if access is permitted, -EACCES otherwise | 523 | * Returns 0 if access is permitted, -EACCES otherwise |
| 524 | */ | 524 | */ |
| 525 | static int smack_inode_permission(struct inode *inode, int mask, | 525 | static int smack_inode_permission(struct inode *inode, int mask) |
| 526 | struct nameidata *nd) | ||
| 527 | { | 526 | { |
| 528 | /* | 527 | /* |
| 529 | * No permission to check. Existence test. Yup, it's there. | 528 | * No permission to check. Existence test. Yup, it's there. |