aboutsummaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
Diffstat (limited to 'security')
-rw-r--r--security/commoncap.c6
-rw-r--r--security/smack/smack_lsm.c63
-rw-r--r--security/smack/smackfs.c14
3 files changed, 54 insertions, 29 deletions
diff --git a/security/commoncap.c b/security/commoncap.c
index 0cf4b53480a7..71a166a05975 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -29,6 +29,7 @@
29#include <linux/securebits.h> 29#include <linux/securebits.h>
30#include <linux/user_namespace.h> 30#include <linux/user_namespace.h>
31#include <linux/binfmts.h> 31#include <linux/binfmts.h>
32#include <linux/personality.h>
32 33
33/* 34/*
34 * If a non-root user executes a setuid-root binary in 35 * If a non-root user executes a setuid-root binary in
@@ -505,6 +506,11 @@ int cap_bprm_set_creds(struct linux_binprm *bprm)
505 } 506 }
506skip: 507skip:
507 508
509 /* if we have fs caps, clear dangerous personality flags */
510 if (!cap_issubset(new->cap_permitted, old->cap_permitted))
511 bprm->per_clear |= PER_CLEAR_ON_SETID;
512
513
508 /* Don't let someone trace a set[ug]id/setpcap binary with the revised 514 /* Don't let someone trace a set[ug]id/setpcap binary with the revised
509 * credentials unless they have the appropriate permit 515 * credentials unless they have the appropriate permit
510 */ 516 */
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 81c03a597112..45c32f074166 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -1939,18 +1939,19 @@ static int smack_netlabel_send(struct sock *sk, struct sockaddr_in *sap)
1939 char *hostsp; 1939 char *hostsp;
1940 struct socket_smack *ssp = sk->sk_security; 1940 struct socket_smack *ssp = sk->sk_security;
1941 struct smk_audit_info ad; 1941 struct smk_audit_info ad;
1942 struct lsm_network_audit net;
1943 1942
1944 rcu_read_lock(); 1943 rcu_read_lock();
1945 hostsp = smack_host_label(sap); 1944 hostsp = smack_host_label(sap);
1946 if (hostsp != NULL) { 1945 if (hostsp != NULL) {
1947 sk_lbl = SMACK_UNLABELED_SOCKET;
1948#ifdef CONFIG_AUDIT 1946#ifdef CONFIG_AUDIT
1947 struct lsm_network_audit net;
1948
1949 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 1949 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
1950 ad.a.u.net->family = sap->sin_family; 1950 ad.a.u.net->family = sap->sin_family;
1951 ad.a.u.net->dport = sap->sin_port; 1951 ad.a.u.net->dport = sap->sin_port;
1952 ad.a.u.net->v4info.daddr = sap->sin_addr.s_addr; 1952 ad.a.u.net->v4info.daddr = sap->sin_addr.s_addr;
1953#endif 1953#endif
1954 sk_lbl = SMACK_UNLABELED_SOCKET;
1954 rc = smk_access(ssp->smk_out, hostsp, MAY_WRITE, &ad); 1955 rc = smk_access(ssp->smk_out, hostsp, MAY_WRITE, &ad);
1955 } else { 1956 } else {
1956 sk_lbl = SMACK_CIPSO_SOCKET; 1957 sk_lbl = SMACK_CIPSO_SOCKET;
@@ -2809,11 +2810,14 @@ static int smack_unix_stream_connect(struct sock *sock,
2809 struct socket_smack *osp = other->sk_security; 2810 struct socket_smack *osp = other->sk_security;
2810 struct socket_smack *nsp = newsk->sk_security; 2811 struct socket_smack *nsp = newsk->sk_security;
2811 struct smk_audit_info ad; 2812 struct smk_audit_info ad;
2812 struct lsm_network_audit net;
2813 int rc = 0; 2813 int rc = 0;
2814 2814
2815#ifdef CONFIG_AUDIT
2816 struct lsm_network_audit net;
2817
2815 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 2818 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
2816 smk_ad_setfield_u_net_sk(&ad, other); 2819 smk_ad_setfield_u_net_sk(&ad, other);
2820#endif
2817 2821
2818 if (!capable(CAP_MAC_OVERRIDE)) 2822 if (!capable(CAP_MAC_OVERRIDE))
2819 rc = smk_access(ssp->smk_out, osp->smk_in, MAY_WRITE, &ad); 2823 rc = smk_access(ssp->smk_out, osp->smk_in, MAY_WRITE, &ad);
@@ -2842,11 +2846,14 @@ static int smack_unix_may_send(struct socket *sock, struct socket *other)
2842 struct socket_smack *ssp = sock->sk->sk_security; 2846 struct socket_smack *ssp = sock->sk->sk_security;
2843 struct socket_smack *osp = other->sk->sk_security; 2847 struct socket_smack *osp = other->sk->sk_security;
2844 struct smk_audit_info ad; 2848 struct smk_audit_info ad;
2845 struct lsm_network_audit net;
2846 int rc = 0; 2849 int rc = 0;
2847 2850
2851#ifdef CONFIG_AUDIT
2852 struct lsm_network_audit net;
2853
2848 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 2854 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
2849 smk_ad_setfield_u_net_sk(&ad, other->sk); 2855 smk_ad_setfield_u_net_sk(&ad, other->sk);
2856#endif
2850 2857
2851 if (!capable(CAP_MAC_OVERRIDE)) 2858 if (!capable(CAP_MAC_OVERRIDE))
2852 rc = smk_access(ssp->smk_out, osp->smk_in, MAY_WRITE, &ad); 2859 rc = smk_access(ssp->smk_out, osp->smk_in, MAY_WRITE, &ad);
@@ -2993,7 +3000,9 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
2993 char *csp; 3000 char *csp;
2994 int rc; 3001 int rc;
2995 struct smk_audit_info ad; 3002 struct smk_audit_info ad;
3003#ifdef CONFIG_AUDIT
2996 struct lsm_network_audit net; 3004 struct lsm_network_audit net;
3005#endif
2997 if (sk->sk_family != PF_INET && sk->sk_family != PF_INET6) 3006 if (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)
2998 return 0; 3007 return 0;
2999 3008
@@ -3156,7 +3165,9 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
3156 char *sp; 3165 char *sp;
3157 int rc; 3166 int rc;
3158 struct smk_audit_info ad; 3167 struct smk_audit_info ad;
3168#ifdef CONFIG_AUDIT
3159 struct lsm_network_audit net; 3169 struct lsm_network_audit net;
3170#endif
3160 3171
3161 /* handle mapped IPv4 packets arriving via IPv6 sockets */ 3172 /* handle mapped IPv4 packets arriving via IPv6 sockets */
3162 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 3173 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
@@ -3629,8 +3640,38 @@ struct security_operations smack_ops = {
3629}; 3640};
3630 3641
3631 3642
3632static __init void init_smack_know_list(void) 3643static __init void init_smack_known_list(void)
3633{ 3644{
3645 /*
3646 * Initialize CIPSO locks
3647 */
3648 spin_lock_init(&smack_known_huh.smk_cipsolock);
3649 spin_lock_init(&smack_known_hat.smk_cipsolock);
3650 spin_lock_init(&smack_known_star.smk_cipsolock);
3651 spin_lock_init(&smack_known_floor.smk_cipsolock);
3652 spin_lock_init(&smack_known_invalid.smk_cipsolock);
3653 spin_lock_init(&smack_known_web.smk_cipsolock);
3654 /*
3655 * Initialize rule list locks
3656 */
3657 mutex_init(&smack_known_huh.smk_rules_lock);
3658 mutex_init(&smack_known_hat.smk_rules_lock);
3659 mutex_init(&smack_known_floor.smk_rules_lock);
3660 mutex_init(&smack_known_star.smk_rules_lock);
3661 mutex_init(&smack_known_invalid.smk_rules_lock);
3662 mutex_init(&smack_known_web.smk_rules_lock);
3663 /*
3664 * Initialize rule lists
3665 */
3666 INIT_LIST_HEAD(&smack_known_huh.smk_rules);
3667 INIT_LIST_HEAD(&smack_known_hat.smk_rules);
3668 INIT_LIST_HEAD(&smack_known_star.smk_rules);
3669 INIT_LIST_HEAD(&smack_known_floor.smk_rules);
3670 INIT_LIST_HEAD(&smack_known_invalid.smk_rules);
3671 INIT_LIST_HEAD(&smack_known_web.smk_rules);
3672 /*
3673 * Create the known labels list
3674 */
3634 list_add(&smack_known_huh.list, &smack_known_list); 3675 list_add(&smack_known_huh.list, &smack_known_list);
3635 list_add(&smack_known_hat.list, &smack_known_list); 3676 list_add(&smack_known_hat.list, &smack_known_list);
3636 list_add(&smack_known_star.list, &smack_known_list); 3677 list_add(&smack_known_star.list, &smack_known_list);
@@ -3665,16 +3706,8 @@ static __init int smack_init(void)
3665 cred = (struct cred *) current->cred; 3706 cred = (struct cred *) current->cred;
3666 cred->security = tsp; 3707 cred->security = tsp;
3667 3708
3668 /* initialize the smack_know_list */ 3709 /* initialize the smack_known_list */
3669 init_smack_know_list(); 3710 init_smack_known_list();
3670 /*
3671 * Initialize locks
3672 */
3673 spin_lock_init(&smack_known_huh.smk_cipsolock);
3674 spin_lock_init(&smack_known_hat.smk_cipsolock);
3675 spin_lock_init(&smack_known_star.smk_cipsolock);
3676 spin_lock_init(&smack_known_floor.smk_cipsolock);
3677 spin_lock_init(&smack_known_invalid.smk_cipsolock);
3678 3711
3679 /* 3712 /*
3680 * Register with LSM 3713 * Register with LSM
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index 5c32f36ff706..038811cb7e62 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -1614,20 +1614,6 @@ static int __init init_smk_fs(void)
1614 smk_cipso_doi(); 1614 smk_cipso_doi();
1615 smk_unlbl_ambient(NULL); 1615 smk_unlbl_ambient(NULL);
1616 1616
1617 mutex_init(&smack_known_floor.smk_rules_lock);
1618 mutex_init(&smack_known_hat.smk_rules_lock);
1619 mutex_init(&smack_known_huh.smk_rules_lock);
1620 mutex_init(&smack_known_invalid.smk_rules_lock);
1621 mutex_init(&smack_known_star.smk_rules_lock);
1622 mutex_init(&smack_known_web.smk_rules_lock);
1623
1624 INIT_LIST_HEAD(&smack_known_floor.smk_rules);
1625 INIT_LIST_HEAD(&smack_known_hat.smk_rules);
1626 INIT_LIST_HEAD(&smack_known_huh.smk_rules);
1627 INIT_LIST_HEAD(&smack_known_invalid.smk_rules);
1628 INIT_LIST_HEAD(&smack_known_star.smk_rules);
1629 INIT_LIST_HEAD(&smack_known_web.smk_rules);
1630
1631 return err; 1617 return err;
1632} 1618}
1633 1619