Diffstat (limited to 'security')
-rw-r--r-- | security/capability.c | 2 | ||||
-rw-r--r-- | security/commoncap.c | 3 | ||||
-rw-r--r-- | security/security.c | 7 | ||||
-rw-r--r-- | security/selinux/hooks.c | 8 | ||||
-rw-r--r-- | security/selinux/include/xfrm.h | 2 | ||||
-rw-r--r-- | security/selinux/xfrm.c | 6 |
6 files changed, 15 insertions, 13 deletions
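--- a/security/capability.c
+++ b/security/capability.c
@@ -761,7 +761,7 @@ static int cap_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 sk_sid, u8 dir)
 
 static int cap_xfrm_state_pol_flow_match(struct xfrm_state *x,
 struct xfrm_policy *xp,
-struct flowi *fl)
+const struct flowi *fl)
 {
 return 1;
 }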
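--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -52,13 +52,12 @@ static void warn_setuid_and_fcaps_mixed(const char *fname)
 
 int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
 {
-NETLINK_CB(skb).eff_cap = current_cap();
 return 0;
 }
 
 int cap_netlink_recv(struct sk_buff *skb, int cap)
 {
-if (!cap_raised(NETLINK_CB(skb).eff_cap, cap))
+if (!cap_raised(current_cap(), cap))
 return -EPERM;
 return 0;
 }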
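Review bot: `cap_netlink_recv` now tests `current_cap()` instead of the capability set the sender recorded in `NETLINK_CB(skb).eff_cap`, so the check is only equivalent to the old one while the receive hook runs synchronously in the sending task's context; should any receive path ever run deferred from a kernel thread, `current` would be that thread and the comparison would no longer describe the originating process. Nothing in the hunk states that invariant, so a comment above the check, `/* netlink_recv runs in the sender's context, so current is the originating task */`, would make the dependency explicit for the next reader. `selinux_netlink_recv` in security/selinux/hooks.c switches to `security_task_getsecid(current, &sid)` under the same assumption. `cap_netlink_send` is left with both parameters unused, which is fine for a default hook but worth a one-line comment saying it is now intentionally a no-op.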
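--- a/security/security.c
+++ b/security/security.c
@@ -1105,7 +1105,7 @@ void security_sk_clone(const struct sock *sk, struct sock *newsk)
 
 void security_sk_classify_flow(struct sock *sk, struct flowi *fl)
 {
-security_ops->sk_getsecid(sk, &fl->secid);
+security_ops->sk_getsecid(sk, &fl->flowi_secid);
 }
 EXPORT_SYMBOL(security_sk_classify_flow);
 
@@ -1238,7 +1238,8 @@ int security_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir)
 }
 
 int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
-struct xfrm_policy *xp, struct flowi *fl)
+struct xfrm_policy *xp,
+const struct flowi *fl)
 {
 return security_ops->xfrm_state_pol_flow_match(x, xp, fl);
 }
@@ -1250,7 +1251,7 @@ int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid)
 
 void security_skb_classify_flow(struct sk_buff *skb, struct flowi *fl)
 {
-int rc = security_ops->xfrm_decode_session(skb, &fl->flowi_secid, 0);
+int rc = security_ops->xfrm_decode_session(skb, &fl->flowi_secid, 0);
 
 BUG_ON(rc);
 }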
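--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4346,7 +4346,7 @@ static void selinux_secmark_refcount_dec(void)
 static void selinux_req_classify_flow(const struct request_sock *req,
 struct flowi *fl)
 {
-fl->secid = req->secid;
+fl->flowi_secid = req->secid;
 }
 
 static int selinux_tun_dev_create(void)
@@ -4695,6 +4695,7 @@ static int selinux_netlink_recv(struct sk_buff *skb, int capability)
 {
 int err;
 struct common_audit_data ad;
+u32 sid;
 
 err = cap_netlink_recv(skb, capability);
 if (err)
@@ -4703,8 +4704,9 @@ static int selinux_netlink_recv(struct sk_buff *skb, int capability)
 COMMON_AUDIT_DATA_INIT(&ad, CAP);
 ad.u.cap = capability;
 
-return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
-SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
+security_task_getsecid(current, &sid);
+return avc_has_perm(sid, sid, SECCLASS_CAPABILITY,
+CAP_TO_MASK(capability), &ad);
 }
 
 static int ipc_alloc_security(struct task_struct *task,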
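Review bot: In `selinux_netlink_recv`, `security_task_getsecid(current, &sid)` goes out through the LSM dispatch table from inside SELinux's own hook, where the file's in-module helper `current_sid()` yields the same value directly; writing `u32 sid = current_sid();` at the declaration would also remove the separate uninitialized `u32 sid;` that the second hunk introduces. Like `cap_netlink_recv`, this ties the SELinux capability check to the task currently executing rather than the SID captured at send time in `NETLINK_CB(skb).sid`, which is only equivalent while netlink_recv is invoked synchronously from the sender, and that assumption deserves a comment at the call. The enclosing function's signature and early return are outside the third hunk.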
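--- a/security/selinux/include/xfrm.h
+++ b/security/selinux/include/xfrm.h
@@ -19,7 +19,7 @@ void selinux_xfrm_state_free(struct xfrm_state *x);
 int selinux_xfrm_state_delete(struct xfrm_state *x);
 int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir);
 int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
-struct xfrm_policy *xp, struct flowi *fl);
+struct xfrm_policy *xp, const struct flowi *fl);
 
 /*
 * Extract the security blob from the sock (it's actually on the socket)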
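--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -112,7 +112,7 @@ int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir)
 */
 
 int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, struct xfrm_policy *xp,
-struct flowi *fl)
+const struct flowi *fl)
 {
 u32 state_sid;
 int rc;
@@ -135,10 +135,10 @@ int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, struct xfrm_policy *
 
 state_sid = x->security->ctx_sid;
 
-if (fl->secid != state_sid)
+if (fl->flowi_secid != state_sid)
 return 0;
 
-rc = avc_has_perm(fl->secid, state_sid, SECCLASS_ASSOCIATION,
+rc = avc_has_perm(fl->flowi_secid, state_sid, SECCLASS_ASSOCIATION,
 ASSOCIATION__SENDTO,
 NULL)? 0:1;
 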