diff options
Diffstat (limited to 'security')
| -rw-r--r-- | security/device_cgroup.c | 3 | ||||
| -rw-r--r-- | security/integrity/ima/ima_fs.c | 14 | ||||
| -rw-r--r-- | security/keys/gc.c | 4 | ||||
| -rw-r--r-- | security/keys/keyctl.c | 2 | ||||
| -rw-r--r-- | security/lsm_audit.c | 2 | ||||
| -rw-r--r-- | security/min_addr.c | 4 | ||||
| -rw-r--r-- | security/selinux/avc.c | 19 | ||||
| -rw-r--r-- | security/selinux/hooks.c | 2 | ||||
| -rw-r--r-- | security/smack/smack_lsm.c | 8 | ||||
| -rw-r--r-- | security/smack/smackfs.c | 6 |
10 files changed, 35 insertions, 29 deletions
diff --git a/security/device_cgroup.c b/security/device_cgroup.c index b8186bac8b7e..6cf8fd2b79e8 100644 --- a/security/device_cgroup.c +++ b/security/device_cgroup.c | |||
| @@ -61,7 +61,8 @@ static inline struct dev_cgroup *task_devcgroup(struct task_struct *task) | |||
| 61 | struct cgroup_subsys devices_subsys; | 61 | struct cgroup_subsys devices_subsys; |
| 62 | 62 | ||
| 63 | static int devcgroup_can_attach(struct cgroup_subsys *ss, | 63 | static int devcgroup_can_attach(struct cgroup_subsys *ss, |
| 64 | struct cgroup *new_cgroup, struct task_struct *task) | 64 | struct cgroup *new_cgroup, struct task_struct *task, |
| 65 | bool threadgroup) | ||
| 65 | { | 66 | { |
| 66 | if (current != task && !capable(CAP_SYS_ADMIN)) | 67 | if (current != task && !capable(CAP_SYS_ADMIN)) |
| 67 | return -EPERM; | 68 | return -EPERM; |
diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c index 6bfc7eaebfda..0c72c9c38956 100644 --- a/security/integrity/ima/ima_fs.c +++ b/security/integrity/ima/ima_fs.c | |||
| @@ -43,7 +43,7 @@ static ssize_t ima_show_htable_violations(struct file *filp, | |||
| 43 | return ima_show_htable_value(buf, count, ppos, &ima_htable.violations); | 43 | return ima_show_htable_value(buf, count, ppos, &ima_htable.violations); |
| 44 | } | 44 | } |
| 45 | 45 | ||
| 46 | static struct file_operations ima_htable_violations_ops = { | 46 | static const struct file_operations ima_htable_violations_ops = { |
| 47 | .read = ima_show_htable_violations | 47 | .read = ima_show_htable_violations |
| 48 | }; | 48 | }; |
| 49 | 49 | ||
| @@ -55,7 +55,7 @@ static ssize_t ima_show_measurements_count(struct file *filp, | |||
| 55 | 55 | ||
| 56 | } | 56 | } |
| 57 | 57 | ||
| 58 | static struct file_operations ima_measurements_count_ops = { | 58 | static const struct file_operations ima_measurements_count_ops = { |
| 59 | .read = ima_show_measurements_count | 59 | .read = ima_show_measurements_count |
| 60 | }; | 60 | }; |
| 61 | 61 | ||
| @@ -146,7 +146,7 @@ static int ima_measurements_show(struct seq_file *m, void *v) | |||
| 146 | return 0; | 146 | return 0; |
| 147 | } | 147 | } |
| 148 | 148 | ||
| 149 | static struct seq_operations ima_measurments_seqops = { | 149 | static const struct seq_operations ima_measurments_seqops = { |
| 150 | .start = ima_measurements_start, | 150 | .start = ima_measurements_start, |
| 151 | .next = ima_measurements_next, | 151 | .next = ima_measurements_next, |
| 152 | .stop = ima_measurements_stop, | 152 | .stop = ima_measurements_stop, |
| @@ -158,7 +158,7 @@ static int ima_measurements_open(struct inode *inode, struct file *file) | |||
| 158 | return seq_open(file, &ima_measurments_seqops); | 158 | return seq_open(file, &ima_measurments_seqops); |
| 159 | } | 159 | } |
| 160 | 160 | ||
| 161 | static struct file_operations ima_measurements_ops = { | 161 | static const struct file_operations ima_measurements_ops = { |
| 162 | .open = ima_measurements_open, | 162 | .open = ima_measurements_open, |
| 163 | .read = seq_read, | 163 | .read = seq_read, |
| 164 | .llseek = seq_lseek, | 164 | .llseek = seq_lseek, |
| @@ -221,7 +221,7 @@ static int ima_ascii_measurements_show(struct seq_file *m, void *v) | |||
| 221 | return 0; | 221 | return 0; |
| 222 | } | 222 | } |
| 223 | 223 | ||
| 224 | static struct seq_operations ima_ascii_measurements_seqops = { | 224 | static const struct seq_operations ima_ascii_measurements_seqops = { |
| 225 | .start = ima_measurements_start, | 225 | .start = ima_measurements_start, |
| 226 | .next = ima_measurements_next, | 226 | .next = ima_measurements_next, |
| 227 | .stop = ima_measurements_stop, | 227 | .stop = ima_measurements_stop, |
| @@ -233,7 +233,7 @@ static int ima_ascii_measurements_open(struct inode *inode, struct file *file) | |||
| 233 | return seq_open(file, &ima_ascii_measurements_seqops); | 233 | return seq_open(file, &ima_ascii_measurements_seqops); |
| 234 | } | 234 | } |
| 235 | 235 | ||
| 236 | static struct file_operations ima_ascii_measurements_ops = { | 236 | static const struct file_operations ima_ascii_measurements_ops = { |
| 237 | .open = ima_ascii_measurements_open, | 237 | .open = ima_ascii_measurements_open, |
| 238 | .read = seq_read, | 238 | .read = seq_read, |
| 239 | .llseek = seq_lseek, | 239 | .llseek = seq_lseek, |
| @@ -313,7 +313,7 @@ static int ima_release_policy(struct inode *inode, struct file *file) | |||
| 313 | return 0; | 313 | return 0; |
| 314 | } | 314 | } |
| 315 | 315 | ||
| 316 | static struct file_operations ima_measure_policy_ops = { | 316 | static const struct file_operations ima_measure_policy_ops = { |
| 317 | .open = ima_open_policy, | 317 | .open = ima_open_policy, |
| 318 | .write = ima_write_policy, | 318 | .write = ima_write_policy, |
| 319 | .release = ima_release_policy | 319 | .release = ima_release_policy |
diff --git a/security/keys/gc.c b/security/keys/gc.c index 485fc6233c38..4770be375ffe 100644 --- a/security/keys/gc.c +++ b/security/keys/gc.c | |||
| @@ -169,9 +169,9 @@ static void key_garbage_collector(struct work_struct *work) | |||
| 169 | 169 | ||
| 170 | /* trawl through the keys looking for keyrings */ | 170 | /* trawl through the keys looking for keyrings */ |
| 171 | for (;;) { | 171 | for (;;) { |
| 172 | if (key->expiry > now && key->expiry < new_timer) { | 172 | if (key->expiry > limit && key->expiry < new_timer) { |
| 173 | kdebug("will expire %x in %ld", | 173 | kdebug("will expire %x in %ld", |
| 174 | key_serial(key), key->expiry - now); | 174 | key_serial(key), key->expiry - limit); |
| 175 | new_timer = key->expiry; | 175 | new_timer = key->expiry; |
| 176 | } | 176 | } |
| 177 | 177 | ||
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c index 2fb28efc5326..06ec722897be 100644 --- a/security/keys/keyctl.c +++ b/security/keys/keyctl.c | |||
| @@ -873,7 +873,7 @@ static long get_instantiation_keyring(key_serial_t ringid, | |||
| 873 | /* otherwise specify the destination keyring recorded in the | 873 | /* otherwise specify the destination keyring recorded in the |
| 874 | * authorisation key (any KEY_SPEC_*_KEYRING) */ | 874 | * authorisation key (any KEY_SPEC_*_KEYRING) */ |
| 875 | if (ringid >= KEY_SPEC_REQUESTOR_KEYRING) { | 875 | if (ringid >= KEY_SPEC_REQUESTOR_KEYRING) { |
| 876 | *_dest_keyring = rka->dest_keyring; | 876 | *_dest_keyring = key_get(rka->dest_keyring); |
| 877 | return 0; | 877 | return 0; |
| 878 | } | 878 | } |
| 879 | 879 | ||
diff --git a/security/lsm_audit.c b/security/lsm_audit.c index 500aad0ebd6a..3bb90b6f1dd3 100644 --- a/security/lsm_audit.c +++ b/security/lsm_audit.c | |||
| @@ -187,7 +187,7 @@ static inline void print_ipv6_addr(struct audit_buffer *ab, | |||
| 187 | char *name1, char *name2) | 187 | char *name1, char *name2) |
| 188 | { | 188 | { |
| 189 | if (!ipv6_addr_any(addr)) | 189 | if (!ipv6_addr_any(addr)) |
| 190 | audit_log_format(ab, " %s=%pI6", name1, addr); | 190 | audit_log_format(ab, " %s=%pI6c", name1, addr); |
| 191 | if (port) | 191 | if (port) |
| 192 | audit_log_format(ab, " %s=%d", name2, ntohs(port)); | 192 | audit_log_format(ab, " %s=%d", name2, ntohs(port)); |
| 193 | } | 193 | } |
diff --git a/security/min_addr.c b/security/min_addr.c index 14cc7b3b8d03..c844eed7915d 100644 --- a/security/min_addr.c +++ b/security/min_addr.c | |||
| @@ -28,12 +28,12 @@ static void update_mmap_min_addr(void) | |||
| 28 | * sysctl handler which just sets dac_mmap_min_addr = the new value and then | 28 | * sysctl handler which just sets dac_mmap_min_addr = the new value and then |
| 29 | * calls update_mmap_min_addr() so non MAP_FIXED hints get rounded properly | 29 | * calls update_mmap_min_addr() so non MAP_FIXED hints get rounded properly |
| 30 | */ | 30 | */ |
| 31 | int mmap_min_addr_handler(struct ctl_table *table, int write, struct file *filp, | 31 | int mmap_min_addr_handler(struct ctl_table *table, int write, |
| 32 | void __user *buffer, size_t *lenp, loff_t *ppos) | 32 | void __user *buffer, size_t *lenp, loff_t *ppos) |
| 33 | { | 33 | { |
| 34 | int ret; | 34 | int ret; |
| 35 | 35 | ||
| 36 | ret = proc_doulongvec_minmax(table, write, filp, buffer, lenp, ppos); | 36 | ret = proc_doulongvec_minmax(table, write, buffer, lenp, ppos); |
| 37 | 37 | ||
| 38 | update_mmap_min_addr(); | 38 | update_mmap_min_addr(); |
| 39 | 39 | ||
diff --git a/security/selinux/avc.c b/security/selinux/avc.c index 1ed0f076aadc..b4b5da1c0a42 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c | |||
| @@ -868,8 +868,19 @@ u32 avc_policy_seqno(void) | |||
| 868 | 868 | ||
| 869 | void avc_disable(void) | 869 | void avc_disable(void) |
| 870 | { | 870 | { |
| 871 | avc_flush(); | 871 | /* |
| 872 | synchronize_rcu(); | 872 | * If you are looking at this because you have realized that we are |
| 873 | if (avc_node_cachep) | 873 | * not destroying the avc_node_cachep it might be easy to fix, but |
| 874 | kmem_cache_destroy(avc_node_cachep); | 874 | * I don't know the memory barrier semantics well enough to know. It's |
| 875 | * possible that some other task dereferenced security_ops when | ||
| 876 | * it still pointed to selinux operations. If that is the case it's | ||
| 877 | * possible that it is about to use the avc and is about to need the | ||
| 878 | * avc_node_cachep. I know I could wrap the security.c security_ops call | ||
| 879 | * in an rcu_lock, but seriously, it's not worth it. Instead I just flush | ||
| 880 | * the cache and get that memory back. | ||
| 881 | */ | ||
| 882 | if (avc_node_cachep) { | ||
| 883 | avc_flush(); | ||
| 884 | /* kmem_cache_destroy(avc_node_cachep); */ | ||
| 885 | } | ||
| 875 | } | 886 | } |
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 417f7c994522..bb230d5d7085 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
| @@ -2411,7 +2411,7 @@ static void selinux_bprm_committed_creds(struct linux_binprm *bprm) | |||
| 2411 | /* Wake up the parent if it is waiting so that it can recheck | 2411 | /* Wake up the parent if it is waiting so that it can recheck |
| 2412 | * wait permission to the new task SID. */ | 2412 | * wait permission to the new task SID. */ |
| 2413 | read_lock(&tasklist_lock); | 2413 | read_lock(&tasklist_lock); |
| 2414 | wake_up_interruptible(¤t->real_parent->signal->wait_chldexit); | 2414 | __wake_up_parent(current, current->real_parent); |
| 2415 | read_unlock(&tasklist_lock); | 2415 | read_unlock(&tasklist_lock); |
| 2416 | } | 2416 | } |
| 2417 | 2417 | ||
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index acae7ef4092d..c33b6bb9b6dd 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c | |||
| @@ -30,17 +30,11 @@ | |||
| 30 | #include <net/netlabel.h> | 30 | #include <net/netlabel.h> |
| 31 | #include <net/cipso_ipv4.h> | 31 | #include <net/cipso_ipv4.h> |
| 32 | #include <linux/audit.h> | 32 | #include <linux/audit.h> |
| 33 | #include <linux/magic.h> | ||
| 33 | #include "smack.h" | 34 | #include "smack.h" |
| 34 | 35 | ||
| 35 | #define task_security(task) (task_cred_xxx((task), security)) | 36 | #define task_security(task) (task_cred_xxx((task), security)) |
| 36 | 37 | ||
| 37 | /* | ||
| 38 | * I hope these are the hokeyist lines of code in the module. Casey. | ||
| 39 | */ | ||
| 40 | #define DEVPTS_SUPER_MAGIC 0x1cd1 | ||
| 41 | #define SOCKFS_MAGIC 0x534F434B | ||
| 42 | #define TMPFS_MAGIC 0x01021994 | ||
| 43 | |||
| 44 | /** | 38 | /** |
| 45 | * smk_fetch - Fetch the smack label from a file. | 39 | * smk_fetch - Fetch the smack label from a file. |
| 46 | * @ip: a pointer to the inode | 40 | * @ip: a pointer to the inode |
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c index f83a80980726..aeead7585093 100644 --- a/security/smack/smackfs.c +++ b/security/smack/smackfs.c | |||
| @@ -187,7 +187,7 @@ static void load_seq_stop(struct seq_file *s, void *v) | |||
| 187 | /* No-op */ | 187 | /* No-op */ |
| 188 | } | 188 | } |
| 189 | 189 | ||
| 190 | static struct seq_operations load_seq_ops = { | 190 | static const struct seq_operations load_seq_ops = { |
| 191 | .start = load_seq_start, | 191 | .start = load_seq_start, |
| 192 | .next = load_seq_next, | 192 | .next = load_seq_next, |
| 193 | .show = load_seq_show, | 193 | .show = load_seq_show, |
| @@ -503,7 +503,7 @@ static void cipso_seq_stop(struct seq_file *s, void *v) | |||
| 503 | /* No-op */ | 503 | /* No-op */ |
| 504 | } | 504 | } |
| 505 | 505 | ||
| 506 | static struct seq_operations cipso_seq_ops = { | 506 | static const struct seq_operations cipso_seq_ops = { |
| 507 | .start = cipso_seq_start, | 507 | .start = cipso_seq_start, |
| 508 | .stop = cipso_seq_stop, | 508 | .stop = cipso_seq_stop, |
| 509 | .next = cipso_seq_next, | 509 | .next = cipso_seq_next, |
| @@ -697,7 +697,7 @@ static void netlbladdr_seq_stop(struct seq_file *s, void *v) | |||
| 697 | /* No-op */ | 697 | /* No-op */ |
| 698 | } | 698 | } |
| 699 | 699 | ||
| 700 | static struct seq_operations netlbladdr_seq_ops = { | 700 | static const struct seq_operations netlbladdr_seq_ops = { |
| 701 | .start = netlbladdr_seq_start, | 701 | .start = netlbladdr_seq_start, |
| 702 | .stop = netlbladdr_seq_stop, | 702 | .stop = netlbladdr_seq_stop, |
| 703 | .next = netlbladdr_seq_next, | 703 | .next = netlbladdr_seq_next, |