diff options
Diffstat (limited to 'security')
-rw-r--r-- | security/capability.c | 1 | ||||
-rw-r--r-- | security/commoncap.c | 40 | ||||
-rw-r--r-- | security/selinux/hooks.c | 9 | ||||
-rw-r--r-- | security/smack/smack_lsm.c | 14 | ||||
-rw-r--r-- | security/smack/smackfs.c | 35 |
5 files changed, 16 insertions, 83 deletions
diff --git a/security/capability.c b/security/capability.c index 9e99f36a8b5c..2c6e06d18fab 100644 --- a/security/capability.c +++ b/security/capability.c | |||
@@ -40,7 +40,6 @@ static struct security_operations capability_ops = { | |||
40 | .inode_need_killpriv = cap_inode_need_killpriv, | 40 | .inode_need_killpriv = cap_inode_need_killpriv, |
41 | .inode_killpriv = cap_inode_killpriv, | 41 | .inode_killpriv = cap_inode_killpriv, |
42 | 42 | ||
43 | .task_kill = cap_task_kill, | ||
44 | .task_setscheduler = cap_task_setscheduler, | 43 | .task_setscheduler = cap_task_setscheduler, |
45 | .task_setioprio = cap_task_setioprio, | 44 | .task_setioprio = cap_task_setioprio, |
46 | .task_setnice = cap_task_setnice, | 45 | .task_setnice = cap_task_setnice, |
diff --git a/security/commoncap.c b/security/commoncap.c index bb0c095f5761..06d5c9469ba3 100644 --- a/security/commoncap.c +++ b/security/commoncap.c | |||
@@ -540,41 +540,6 @@ int cap_task_setnice (struct task_struct *p, int nice) | |||
540 | return cap_safe_nice(p); | 540 | return cap_safe_nice(p); |
541 | } | 541 | } |
542 | 542 | ||
543 | int cap_task_kill(struct task_struct *p, struct siginfo *info, | ||
544 | int sig, u32 secid) | ||
545 | { | ||
546 | if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info))) | ||
547 | return 0; | ||
548 | |||
549 | /* | ||
550 | * Running a setuid root program raises your capabilities. | ||
551 | * Killing your own setuid root processes was previously | ||
552 | * allowed. | ||
553 | * We must preserve legacy signal behavior in this case. | ||
554 | */ | ||
555 | if (p->uid == current->uid) | ||
556 | return 0; | ||
557 | |||
558 | /* sigcont is permitted within same session */ | ||
559 | if (sig == SIGCONT && (task_session_nr(current) == task_session_nr(p))) | ||
560 | return 0; | ||
561 | |||
562 | if (secid) | ||
563 | /* | ||
564 | * Signal sent as a particular user. | ||
565 | * Capabilities are ignored. May be wrong, but it's the | ||
566 | * only thing we can do at the moment. | ||
567 | * Used only by usb drivers? | ||
568 | */ | ||
569 | return 0; | ||
570 | if (cap_issubset(p->cap_permitted, current->cap_permitted)) | ||
571 | return 0; | ||
572 | if (capable(CAP_KILL)) | ||
573 | return 0; | ||
574 | |||
575 | return -EPERM; | ||
576 | } | ||
577 | |||
578 | /* | 543 | /* |
579 | * called from kernel/sys.c for prctl(PR_CABSET_DROP) | 544 | * called from kernel/sys.c for prctl(PR_CABSET_DROP) |
580 | * done without task_capability_lock() because it introduces | 545 | * done without task_capability_lock() because it introduces |
@@ -605,11 +570,6 @@ int cap_task_setnice (struct task_struct *p, int nice) | |||
605 | { | 570 | { |
606 | return 0; | 571 | return 0; |
607 | } | 572 | } |
608 | int cap_task_kill(struct task_struct *p, struct siginfo *info, | ||
609 | int sig, u32 secid) | ||
610 | { | ||
611 | return 0; | ||
612 | } | ||
613 | #endif | 573 | #endif |
614 | 574 | ||
615 | void cap_task_reparent_to_init (struct task_struct *p) | 575 | void cap_task_reparent_to_init (struct task_struct *p) |
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 4bf4807f2d44..c2fef7b12dc7 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
@@ -800,7 +800,8 @@ static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb, | |||
800 | mutex_unlock(&newsbsec->lock); | 800 | mutex_unlock(&newsbsec->lock); |
801 | } | 801 | } |
802 | 802 | ||
803 | int selinux_parse_opts_str(char *options, struct security_mnt_opts *opts) | 803 | static int selinux_parse_opts_str(char *options, |
804 | struct security_mnt_opts *opts) | ||
804 | { | 805 | { |
805 | char *p; | 806 | char *p; |
806 | char *context = NULL, *defcontext = NULL; | 807 | char *context = NULL, *defcontext = NULL; |
@@ -1629,6 +1630,12 @@ static inline u32 file_to_av(struct file *file) | |||
1629 | else | 1630 | else |
1630 | av |= FILE__WRITE; | 1631 | av |= FILE__WRITE; |
1631 | } | 1632 | } |
1633 | if (!av) { | ||
1634 | /* | ||
1635 | * Special file opened with flags 3 for ioctl-only use. | ||
1636 | */ | ||
1637 | av = FILE__IOCTL; | ||
1638 | } | ||
1632 | 1639 | ||
1633 | return av; | 1640 | return av; |
1634 | } | 1641 | } |
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 0241fd359675..732ba27923c4 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c | |||
@@ -1117,11 +1117,6 @@ static int smack_task_movememory(struct task_struct *p) | |||
1117 | static int smack_task_kill(struct task_struct *p, struct siginfo *info, | 1117 | static int smack_task_kill(struct task_struct *p, struct siginfo *info, |
1118 | int sig, u32 secid) | 1118 | int sig, u32 secid) |
1119 | { | 1119 | { |
1120 | int rc; | ||
1121 | |||
1122 | rc = cap_task_kill(p, info, sig, secid); | ||
1123 | if (rc != 0) | ||
1124 | return rc; | ||
1125 | /* | 1120 | /* |
1126 | * Special cases where signals really ought to go through | 1121 | * Special cases where signals really ought to go through |
1127 | * in spite of policy. Stephen Smalley suggests it may | 1122 | * in spite of policy. Stephen Smalley suggests it may |
@@ -1508,7 +1503,7 @@ static int smack_shm_associate(struct shmid_kernel *shp, int shmflg) | |||
1508 | */ | 1503 | */ |
1509 | static int smack_shm_shmctl(struct shmid_kernel *shp, int cmd) | 1504 | static int smack_shm_shmctl(struct shmid_kernel *shp, int cmd) |
1510 | { | 1505 | { |
1511 | char *ssp = smack_of_shm(shp); | 1506 | char *ssp; |
1512 | int may; | 1507 | int may; |
1513 | 1508 | ||
1514 | switch (cmd) { | 1509 | switch (cmd) { |
@@ -1532,6 +1527,7 @@ static int smack_shm_shmctl(struct shmid_kernel *shp, int cmd) | |||
1532 | return -EINVAL; | 1527 | return -EINVAL; |
1533 | } | 1528 | } |
1534 | 1529 | ||
1530 | ssp = smack_of_shm(shp); | ||
1535 | return smk_curacc(ssp, may); | 1531 | return smk_curacc(ssp, may); |
1536 | } | 1532 | } |
1537 | 1533 | ||
@@ -1616,7 +1612,7 @@ static int smack_sem_associate(struct sem_array *sma, int semflg) | |||
1616 | */ | 1612 | */ |
1617 | static int smack_sem_semctl(struct sem_array *sma, int cmd) | 1613 | static int smack_sem_semctl(struct sem_array *sma, int cmd) |
1618 | { | 1614 | { |
1619 | char *ssp = smack_of_sem(sma); | 1615 | char *ssp; |
1620 | int may; | 1616 | int may; |
1621 | 1617 | ||
1622 | switch (cmd) { | 1618 | switch (cmd) { |
@@ -1645,6 +1641,7 @@ static int smack_sem_semctl(struct sem_array *sma, int cmd) | |||
1645 | return -EINVAL; | 1641 | return -EINVAL; |
1646 | } | 1642 | } |
1647 | 1643 | ||
1644 | ssp = smack_of_sem(sma); | ||
1648 | return smk_curacc(ssp, may); | 1645 | return smk_curacc(ssp, may); |
1649 | } | 1646 | } |
1650 | 1647 | ||
@@ -1730,7 +1727,7 @@ static int smack_msg_queue_associate(struct msg_queue *msq, int msqflg) | |||
1730 | */ | 1727 | */ |
1731 | static int smack_msg_queue_msgctl(struct msg_queue *msq, int cmd) | 1728 | static int smack_msg_queue_msgctl(struct msg_queue *msq, int cmd) |
1732 | { | 1729 | { |
1733 | char *msp = smack_of_msq(msq); | 1730 | char *msp; |
1734 | int may; | 1731 | int may; |
1735 | 1732 | ||
1736 | switch (cmd) { | 1733 | switch (cmd) { |
@@ -1752,6 +1749,7 @@ static int smack_msg_queue_msgctl(struct msg_queue *msq, int cmd) | |||
1752 | return -EINVAL; | 1749 | return -EINVAL; |
1753 | } | 1750 | } |
1754 | 1751 | ||
1752 | msp = smack_of_msq(msq); | ||
1755 | return smk_curacc(msp, may); | 1753 | return smk_curacc(msp, may); |
1756 | } | 1754 | } |
1757 | 1755 | ||
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c index afe7c9b0732a..cfae8afcc262 100644 --- a/security/smack/smackfs.c +++ b/security/smack/smackfs.c | |||
@@ -74,11 +74,6 @@ struct smk_list_entry *smack_list; | |||
74 | #define SEQ_READ_FINISHED 1 | 74 | #define SEQ_READ_FINISHED 1 |
75 | 75 | ||
76 | /* | 76 | /* |
77 | * Disable concurrent writing open() operations | ||
78 | */ | ||
79 | static struct semaphore smack_write_sem; | ||
80 | |||
81 | /* | ||
82 | * Values for parsing cipso rules | 77 | * Values for parsing cipso rules |
83 | * SMK_DIGITLEN: Length of a digit field in a rule. | 78 | * SMK_DIGITLEN: Length of a digit field in a rule. |
84 | * SMK_CIPSOMIN: Minimum possible cipso rule length. | 79 | * SMK_CIPSOMIN: Minimum possible cipso rule length. |
@@ -168,32 +163,7 @@ static struct seq_operations load_seq_ops = { | |||
168 | */ | 163 | */ |
169 | static int smk_open_load(struct inode *inode, struct file *file) | 164 | static int smk_open_load(struct inode *inode, struct file *file) |
170 | { | 165 | { |
171 | if ((file->f_flags & O_ACCMODE) == O_RDONLY) | 166 | return seq_open(file, &load_seq_ops); |
172 | return seq_open(file, &load_seq_ops); | ||
173 | |||
174 | if (down_interruptible(&smack_write_sem)) | ||
175 | return -ERESTARTSYS; | ||
176 | |||
177 | return 0; | ||
178 | } | ||
179 | |||
180 | /** | ||
181 | * smk_release_load - release() for /smack/load | ||
182 | * @inode: inode structure representing file | ||
183 | * @file: "load" file pointer | ||
184 | * | ||
185 | * For a reading session, use the seq_file release | ||
186 | * implementation. | ||
187 | * Otherwise, we are at the end of a writing session so | ||
188 | * clean everything up. | ||
189 | */ | ||
190 | static int smk_release_load(struct inode *inode, struct file *file) | ||
191 | { | ||
192 | if ((file->f_flags & O_ACCMODE) == O_RDONLY) | ||
193 | return seq_release(inode, file); | ||
194 | |||
195 | up(&smack_write_sem); | ||
196 | return 0; | ||
197 | } | 167 | } |
198 | 168 | ||
199 | /** | 169 | /** |
@@ -341,7 +311,7 @@ static const struct file_operations smk_load_ops = { | |||
341 | .read = seq_read, | 311 | .read = seq_read, |
342 | .llseek = seq_lseek, | 312 | .llseek = seq_lseek, |
343 | .write = smk_write_load, | 313 | .write = smk_write_load, |
344 | .release = smk_release_load, | 314 | .release = seq_release, |
345 | }; | 315 | }; |
346 | 316 | ||
347 | /** | 317 | /** |
@@ -1011,7 +981,6 @@ static int __init init_smk_fs(void) | |||
1011 | } | 981 | } |
1012 | } | 982 | } |
1013 | 983 | ||
1014 | sema_init(&smack_write_sem, 1); | ||
1015 | smk_cipso_doi(); | 984 | smk_cipso_doi(); |
1016 | smk_unlbl_ambient(NULL); | 985 | smk_unlbl_ambient(NULL); |
1017 | 986 | ||