Diffstat (limited to 'security')
-rw-r--r--security/Kconfig12
-rw-r--r--security/apparmor/lsm.c6
-rw-r--r--security/apparmor/policy.c2
-rw-r--r--security/commoncap.c2
-rw-r--r--security/inode.c8
-rw-r--r--security/keys/process_keys.c2
-rw-r--r--security/selinux/selinuxfs.c9
-rw-r--r--security/smack/smackfs.c12
8 files changed, 33 insertions, 20 deletions
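--- a/security/Kconfig
+++ b/security/Kconfig
@@ -39,6 +39,18 @@ config KEYS_DEBUG_PROC_KEYS
 
 	  If you are unsure as to whether this is required, answer N.
 
+config SECURITY_DMESG_RESTRICT
+	bool "Restrict unprivileged access to the kernel syslog"
+	default n
+	help
+	  This enforces restrictions on unprivileged users reading the kernel
+	  syslog via dmesg(8).
+
+	  If this option is not selected, no restrictions will be enforced
+	  unless the dmesg_restrict sysctl is explicitly set to (1).
+
+	  If you are unsure how to answer this question, answer N.
+
 config SECURITY
 	bool "Enable different security models"
 	depends on SYSFS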
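Review bot: The help text for SECURITY_DMESG_RESTRICT never says which privilege still permits reading the syslog once the restriction is on, which is the one thing an administrator deciding on this option needs to know; the commoncap change in this same commit gates the read on `capable(CAP_SYS_ADMIN)`. The help should state that explicitly, e.g. extend the first paragraph to `This enforces restrictions on unprivileged users reading the kernel syslog via dmesg(8); when enabled, reading it requires CAP_SYS_ADMIN.` It is also worth saying that the option only sets the boot-time default of the dmesg_restrict sysctl, since the text currently implies that only in the unselected case.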
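--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -922,7 +922,7 @@ static int __init apparmor_init(void)
 	error = register_security(&apparmor_ops);
 	if (error) {
 		AA_ERROR("Unable to register AppArmor\n");
-		goto register_security_out;
+		goto set_init_cxt_out;
 	}
 
 	/* Report that AppArmor successfully initialized */
@@ -936,6 +936,9 @@ static int __init apparmor_init(void)
 
 	return error;
 
+set_init_cxt_out:
+	aa_free_task_context(current->real_cred->security);
+
 register_security_out:
 	aa_free_root_ns();
 
@@ -944,7 +947,6 @@ alloc_out:
 
 	apparmor_enabled = 0;
 	return error;
-
 }
 
 security_initcall(apparmor_init);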
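Review bot: In the second hunk, `aa_free_task_context(current->real_cred->security);` releases the task context that an earlier, out-of-hunk step presumably installed on the initial cred, but it leaves `real_cred->security` pointing at freed memory. This looks tolerable only because register_security() has just failed, so no AppArmor cred hooks are active and `apparmor_enabled` is cleared further down; if that is the reasoning, it should be written next to the call, e.g. `/* hooks were never registered, so the now-stale cred->security is not dereferenced */`, and otherwise the pointer should be cleared at the place where it was set. apparmor_init begins before the first hunk and the alloc_out label between the second and third hunks is not shown.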
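--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -306,7 +306,7 @@ static struct aa_namespace *alloc_namespace(const char *prefix,
 	return ns;
 
 fail_unconfined:
-	kzfree(ns->base.name);
+	kzfree(ns->base.hname);
 fail_ns:
 	kzfree(ns);
 	return NULL;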
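Review bot: The fail_unconfined path now frees `ns->base.hname` instead of `ns->base.name`, but nothing in the function says why name is not the owning pointer, so the next cleanup edit could easily revert it. Presumably base.name is a view into the hname allocation, in which case the old kzfree was passing an interior pointer to the allocator; a comment on the label would record that, e.g. `/* base.name aliases into hname; only hname owns the allocation */` — confirm against the code that assigns base.name. alloc_namespace begins before the hunk.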
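--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -895,6 +895,8 @@ int cap_syslog(int type, bool from_file)
 {
 	if (type != SYSLOG_ACTION_OPEN && from_file)
 		return 0;
+	if (dmesg_restrict && !capable(CAP_SYS_ADMIN))
+		return -EPERM;
 	if ((type != SYSLOG_ACTION_READ_ALL &&
 	     type != SYSLOG_ACTION_SIZE_BUFFER) && !capable(CAP_SYS_ADMIN))
 		return -EPERM;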
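Review bot: The new `dmesg_restrict` check is placed after the from_file early return, so for readers that come through an already-open file it is enforced only at SYSLOG_ACTION_OPEN; later reads on that file return 0 at the top of the function and are never re-checked against the sysctl, which matches how the pre-existing capability check already behaved but is easy to misread. It also makes the second check redundant whenever dmesg_restrict is set, since both require CAP_SYS_ADMIN. A short comment above the new lines would make the ordering intentional: `/* dmesg_restrict: every action reaching here, including OPEN via a file, needs CAP_SYS_ADMIN */`. cap_syslog's body continues past the hunk.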
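--- a/security/inode.c
+++ b/security/inode.c
@@ -131,17 +131,17 @@ static int fill_super(struct super_block *sb, void *data, int silent)
 	return simple_fill_super(sb, SECURITYFS_MAGIC, files);
 }
 
-static int get_sb(struct file_system_type *fs_type,
+static struct dentry *get_sb(struct file_system_type *fs_type,
 		  int flags, const char *dev_name,
-		  void *data, struct vfsmount *mnt)
+		  void *data)
 {
-	return get_sb_single(fs_type, flags, data, fill_super, mnt);
+	return mount_single(fs_type, flags, data, fill_super);
 }
 
 static struct file_system_type fs_type = {
 	.owner = THIS_MODULE,
 	.name = "securityfs",
-	.get_sb = get_sb,
+	.mount = get_sb,
 	.kill_sb = kill_litter_super,
 };
 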
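Review bot: The helper keeps its old name `get_sb` even though it is now wired up as the `.mount` callback, while the selinuxfs and smackfs changes in this same commit rename their equivalents to sel_mount and smk_mount; a reader grepping for get_sb after this conversion will find a function that no longer matches the old signature. Renaming it in the two lines that mention it keeps the three filesystems consistent: `static struct dentry *securityfs_mount(struct file_system_type *fs_type,` and `.mount = securityfs_mount,`. The `dev_name` parameter was already unused before this change, so that is not new.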
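--- a/security/keys/process_keys.c
+++ b/security/keys/process_keys.c
@@ -207,7 +207,7 @@ static int install_process_keyring(void)
 	ret = install_process_keyring_to_cred(new);
 	if (ret < 0) {
 		abort_creds(new);
-		return ret != -EEXIST ?: 0;
+		return ret != -EEXIST ? ret : 0;
 	}
 
 	return commit_creds(new);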
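Review bot: The corrected `return ret != -EEXIST ? ret : 0;` now propagates the real error code rather than the boolean 1 the old `?:` form produced, but the reason -EEXIST is downgraded to success is still undocumented on that line. Presumably it means a process keyring was installed on the cred before this attempt and the caller can proceed with it; a comment would carry that intent, e.g. `/* -EEXIST: a process keyring is already present, so treat as success */` — confirm against install_process_keyring_to_cred. install_process_keyring begins before the hunk.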
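--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -1909,16 +1909,15 @@ err:
 	goto out;
 }
 
-static int sel_get_sb(struct file_system_type *fs_type,
-		      int flags, const char *dev_name, void *data,
-		      struct vfsmount *mnt)
+static struct dentry *sel_mount(struct file_system_type *fs_type,
+		      int flags, const char *dev_name, void *data)
 {
-	return get_sb_single(fs_type, flags, data, sel_fill_super, mnt);
+	return mount_single(fs_type, flags, data, sel_fill_super);
 }
 
 static struct file_system_type sel_fs_type = {
 	.name = "selinuxfs",
-	.get_sb = sel_get_sb,
+	.mount = sel_mount,
 	.kill_sb = kill_litter_super,
 };
 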
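--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -1310,27 +1310,25 @@ static int smk_fill_super(struct super_block *sb, void *data, int silent)
 }
 
 /**
- * smk_get_sb - get the smackfs superblock
+ * smk_mount - get the smackfs superblock
  * @fs_type: passed along without comment
  * @flags: passed along without comment
  * @dev_name: passed along without comment
  * @data: passed along without comment
- * @mnt: passed along without comment
  *
  * Just passes everything along.
  *
  * Returns what the lower level code does.
  */
-static int smk_get_sb(struct file_system_type *fs_type,
-		      int flags, const char *dev_name, void *data,
-		      struct vfsmount *mnt)
+static struct dentry *smk_mount(struct file_system_type *fs_type,
+		      int flags, const char *dev_name, void *data)
 {
-	return get_sb_single(fs_type, flags, data, smk_fill_super, mnt);
+	return mount_single(fs_type, flags, data, smk_fill_super);
 }
 
 static struct file_system_type smk_fs_type = {
 	.name = "smackfs",
-	.get_sb = smk_get_sb,
+	.mount = smk_mount,
 	.kill_sb = kill_litter_super,
 };
 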
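Review bot: The kerneldoc still ends with `Returns what the lower level code does.`, which no longer tells a reader that the return type changed from int to `struct dentry *`; the commit correctly dropped the `@mnt` line, so the return line should be updated in the same pass, e.g. ` * Returns the root dentry from mount_single(), or its error pointer on failure.` The `passed along without comment` parameter lines are unchanged and still accurate, so they can stay.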