diff options
Diffstat (limited to 'security')
-rw-r--r-- | security/commoncap.c | 1 | ||||
-rw-r--r-- | security/device_cgroup.c | 21 | ||||
-rw-r--r-- | security/keys/request_key.c | 9 | ||||
-rw-r--r-- | security/security.c | 2 | ||||
-rw-r--r-- | security/selinux/hooks.c | 2 | ||||
-rw-r--r-- | security/smack/smack_lsm.c | 11 | ||||
-rw-r--r-- | security/tomoyo/common.c | 6 | ||||
-rw-r--r-- | security/tomoyo/common.h | 2 | ||||
-rw-r--r-- | security/tomoyo/domain.c | 2 | ||||
-rw-r--r-- | security/tomoyo/file.c | 2 | ||||
-rw-r--r-- | security/tomoyo/realpath.c | 3 | ||||
-rw-r--r-- | security/tomoyo/realpath.h | 2 | ||||
-rw-r--r-- | security/tomoyo/tomoyo.c | 2 | ||||
-rw-r--r-- | security/tomoyo/tomoyo.h | 2 |
14 files changed, 39 insertions, 28 deletions
diff --git a/security/commoncap.c b/security/commoncap.c index 97ac1f167717..48b7e0228fa3 100644 --- a/security/commoncap.c +++ b/security/commoncap.c | |||
@@ -948,7 +948,6 @@ changed: | |||
948 | return commit_creds(new); | 948 | return commit_creds(new); |
949 | 949 | ||
950 | no_change: | 950 | no_change: |
951 | error = 0; | ||
952 | error: | 951 | error: |
953 | abort_creds(new); | 952 | abort_creds(new); |
954 | return error; | 953 | return error; |
diff --git a/security/device_cgroup.c b/security/device_cgroup.c index 3aacd0fe7179..5fda7df19723 100644 --- a/security/device_cgroup.c +++ b/security/device_cgroup.c | |||
@@ -11,6 +11,7 @@ | |||
11 | #include <linux/uaccess.h> | 11 | #include <linux/uaccess.h> |
12 | #include <linux/seq_file.h> | 12 | #include <linux/seq_file.h> |
13 | #include <linux/rcupdate.h> | 13 | #include <linux/rcupdate.h> |
14 | #include <linux/mutex.h> | ||
14 | 15 | ||
15 | #define ACC_MKNOD 1 | 16 | #define ACC_MKNOD 1 |
16 | #define ACC_READ 2 | 17 | #define ACC_READ 2 |
@@ -21,9 +22,11 @@ | |||
21 | #define DEV_CHAR 2 | 22 | #define DEV_CHAR 2 |
22 | #define DEV_ALL 4 /* this represents all devices */ | 23 | #define DEV_ALL 4 /* this represents all devices */ |
23 | 24 | ||
25 | static DEFINE_MUTEX(devcgroup_mutex); | ||
26 | |||
24 | /* | 27 | /* |
25 | * whitelist locking rules: | 28 | * whitelist locking rules: |
26 | * hold cgroup_lock() for update/read. | 29 | * hold devcgroup_mutex for update/read. |
27 | * hold rcu_read_lock() for read. | 30 | * hold rcu_read_lock() for read. |
28 | */ | 31 | */ |
29 | 32 | ||
@@ -67,7 +70,7 @@ static int devcgroup_can_attach(struct cgroup_subsys *ss, | |||
67 | } | 70 | } |
68 | 71 | ||
69 | /* | 72 | /* |
70 | * called under cgroup_lock() | 73 | * called under devcgroup_mutex |
71 | */ | 74 | */ |
72 | static int dev_whitelist_copy(struct list_head *dest, struct list_head *orig) | 75 | static int dev_whitelist_copy(struct list_head *dest, struct list_head *orig) |
73 | { | 76 | { |
@@ -92,7 +95,7 @@ free_and_exit: | |||
92 | 95 | ||
93 | /* Stupid prototype - don't bother combining existing entries */ | 96 | /* Stupid prototype - don't bother combining existing entries */ |
94 | /* | 97 | /* |
95 | * called under cgroup_lock() | 98 | * called under devcgroup_mutex |
96 | */ | 99 | */ |
97 | static int dev_whitelist_add(struct dev_cgroup *dev_cgroup, | 100 | static int dev_whitelist_add(struct dev_cgroup *dev_cgroup, |
98 | struct dev_whitelist_item *wh) | 101 | struct dev_whitelist_item *wh) |
@@ -130,7 +133,7 @@ static void whitelist_item_free(struct rcu_head *rcu) | |||
130 | } | 133 | } |
131 | 134 | ||
132 | /* | 135 | /* |
133 | * called under cgroup_lock() | 136 | * called under devcgroup_mutex |
134 | */ | 137 | */ |
135 | static void dev_whitelist_rm(struct dev_cgroup *dev_cgroup, | 138 | static void dev_whitelist_rm(struct dev_cgroup *dev_cgroup, |
136 | struct dev_whitelist_item *wh) | 139 | struct dev_whitelist_item *wh) |
@@ -185,8 +188,10 @@ static struct cgroup_subsys_state *devcgroup_create(struct cgroup_subsys *ss, | |||
185 | list_add(&wh->list, &dev_cgroup->whitelist); | 188 | list_add(&wh->list, &dev_cgroup->whitelist); |
186 | } else { | 189 | } else { |
187 | parent_dev_cgroup = cgroup_to_devcgroup(parent_cgroup); | 190 | parent_dev_cgroup = cgroup_to_devcgroup(parent_cgroup); |
191 | mutex_lock(&devcgroup_mutex); | ||
188 | ret = dev_whitelist_copy(&dev_cgroup->whitelist, | 192 | ret = dev_whitelist_copy(&dev_cgroup->whitelist, |
189 | &parent_dev_cgroup->whitelist); | 193 | &parent_dev_cgroup->whitelist); |
194 | mutex_unlock(&devcgroup_mutex); | ||
190 | if (ret) { | 195 | if (ret) { |
191 | kfree(dev_cgroup); | 196 | kfree(dev_cgroup); |
192 | return ERR_PTR(ret); | 197 | return ERR_PTR(ret); |
@@ -273,7 +278,7 @@ static int devcgroup_seq_read(struct cgroup *cgroup, struct cftype *cft, | |||
273 | * does the access granted to dev_cgroup c contain the access | 278 | * does the access granted to dev_cgroup c contain the access |
274 | * requested in whitelist item refwh. | 279 | * requested in whitelist item refwh. |
275 | * return 1 if yes, 0 if no. | 280 | * return 1 if yes, 0 if no. |
276 | * call with c->lock held | 281 | * call with devcgroup_mutex held |
277 | */ | 282 | */ |
278 | static int may_access_whitelist(struct dev_cgroup *c, | 283 | static int may_access_whitelist(struct dev_cgroup *c, |
279 | struct dev_whitelist_item *refwh) | 284 | struct dev_whitelist_item *refwh) |
@@ -426,11 +431,11 @@ static int devcgroup_access_write(struct cgroup *cgrp, struct cftype *cft, | |||
426 | const char *buffer) | 431 | const char *buffer) |
427 | { | 432 | { |
428 | int retval; | 433 | int retval; |
429 | if (!cgroup_lock_live_group(cgrp)) | 434 | |
430 | return -ENODEV; | 435 | mutex_lock(&devcgroup_mutex); |
431 | retval = devcgroup_update_access(cgroup_to_devcgroup(cgrp), | 436 | retval = devcgroup_update_access(cgroup_to_devcgroup(cgrp), |
432 | cft->private, buffer); | 437 | cft->private, buffer); |
433 | cgroup_unlock(); | 438 | mutex_unlock(&devcgroup_mutex); |
434 | return retval; | 439 | return retval; |
435 | } | 440 | } |
436 | 441 | ||
diff --git a/security/keys/request_key.c b/security/keys/request_key.c index 22a31582bfaa..03fe63ed55bd 100644 --- a/security/keys/request_key.c +++ b/security/keys/request_key.c | |||
@@ -311,7 +311,8 @@ static int construct_alloc_key(struct key_type *type, | |||
311 | 311 | ||
312 | set_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags); | 312 | set_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags); |
313 | 313 | ||
314 | down_write(&dest_keyring->sem); | 314 | if (dest_keyring) |
315 | down_write(&dest_keyring->sem); | ||
315 | 316 | ||
316 | /* attach the key to the destination keyring under lock, but we do need | 317 | /* attach the key to the destination keyring under lock, but we do need |
317 | * to do another check just in case someone beat us to it whilst we | 318 | * to do another check just in case someone beat us to it whilst we |
@@ -322,10 +323,12 @@ static int construct_alloc_key(struct key_type *type, | |||
322 | if (!IS_ERR(key_ref)) | 323 | if (!IS_ERR(key_ref)) |
323 | goto key_already_present; | 324 | goto key_already_present; |
324 | 325 | ||
325 | __key_link(dest_keyring, key); | 326 | if (dest_keyring) |
327 | __key_link(dest_keyring, key); | ||
326 | 328 | ||
327 | mutex_unlock(&key_construction_mutex); | 329 | mutex_unlock(&key_construction_mutex); |
328 | up_write(&dest_keyring->sem); | 330 | if (dest_keyring) |
331 | up_write(&dest_keyring->sem); | ||
329 | mutex_unlock(&user->cons_lock); | 332 | mutex_unlock(&user->cons_lock); |
330 | *_key = key; | 333 | *_key = key; |
331 | kleave(" = 0 [%d]", key_serial(key)); | 334 | kleave(" = 0 [%d]", key_serial(key)); |
diff --git a/security/security.c b/security/security.c index 206e53844d2f..5284255c5cdf 100644 --- a/security/security.c +++ b/security/security.c | |||
@@ -445,6 +445,7 @@ int security_inode_create(struct inode *dir, struct dentry *dentry, int mode) | |||
445 | return 0; | 445 | return 0; |
446 | return security_ops->inode_create(dir, dentry, mode); | 446 | return security_ops->inode_create(dir, dentry, mode); |
447 | } | 447 | } |
448 | EXPORT_SYMBOL_GPL(security_inode_create); | ||
448 | 449 | ||
449 | int security_inode_link(struct dentry *old_dentry, struct inode *dir, | 450 | int security_inode_link(struct dentry *old_dentry, struct inode *dir, |
450 | struct dentry *new_dentry) | 451 | struct dentry *new_dentry) |
@@ -475,6 +476,7 @@ int security_inode_mkdir(struct inode *dir, struct dentry *dentry, int mode) | |||
475 | return 0; | 476 | return 0; |
476 | return security_ops->inode_mkdir(dir, dentry, mode); | 477 | return security_ops->inode_mkdir(dir, dentry, mode); |
477 | } | 478 | } |
479 | EXPORT_SYMBOL_GPL(security_inode_mkdir); | ||
478 | 480 | ||
479 | int security_inode_rmdir(struct inode *dir, struct dentry *dentry) | 481 | int security_inode_rmdir(struct inode *dir, struct dentry *dentry) |
480 | { | 482 | { |
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 39046ddd90a9..195906bce266 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
@@ -3145,7 +3145,7 @@ static int selinux_file_send_sigiotask(struct task_struct *tsk, | |||
3145 | struct fown_struct *fown, int signum) | 3145 | struct fown_struct *fown, int signum) |
3146 | { | 3146 | { |
3147 | struct file *file; | 3147 | struct file *file; |
3148 | u32 sid = current_sid(); | 3148 | u32 sid = task_sid(tsk); |
3149 | u32 perm; | 3149 | u32 perm; |
3150 | struct file_security_struct *fsec; | 3150 | struct file_security_struct *fsec; |
3151 | 3151 | ||
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index f557767911c9..0d030b4513c8 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c | |||
@@ -675,8 +675,12 @@ static int smack_inode_setxattr(struct dentry *dentry, const char *name, | |||
675 | strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) { | 675 | strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) { |
676 | if (!capable(CAP_MAC_ADMIN)) | 676 | if (!capable(CAP_MAC_ADMIN)) |
677 | rc = -EPERM; | 677 | rc = -EPERM; |
678 | /* a label cannot be void and cannot begin with '-' */ | 678 | /* |
679 | if (size == 0 || (size > 0 && ((char *)value)[0] == '-')) | 679 | * check label validity here so import wont fail on |
680 | * post_setxattr | ||
681 | */ | ||
682 | if (size == 0 || size >= SMK_LABELLEN || | ||
683 | smk_import(value, size) == NULL) | ||
680 | rc = -EINVAL; | 684 | rc = -EINVAL; |
681 | } else | 685 | } else |
682 | rc = cap_inode_setxattr(dentry, name, value, size, flags); | 686 | rc = cap_inode_setxattr(dentry, name, value, size, flags); |
@@ -713,9 +717,6 @@ static void smack_inode_post_setxattr(struct dentry *dentry, const char *name, | |||
713 | if (strcmp(name, XATTR_NAME_SMACK)) | 717 | if (strcmp(name, XATTR_NAME_SMACK)) |
714 | return; | 718 | return; |
715 | 719 | ||
716 | if (size >= SMK_LABELLEN) | ||
717 | return; | ||
718 | |||
719 | isp = dentry->d_inode->i_security; | 720 | isp = dentry->d_inode->i_security; |
720 | 721 | ||
721 | /* | 722 | /* |
diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c index a0affd9cfca8..d4d41b3efc7c 100644 --- a/security/tomoyo/common.c +++ b/security/tomoyo/common.c | |||
@@ -5,7 +5,7 @@ | |||
5 | * | 5 | * |
6 | * Copyright (C) 2005-2009 NTT DATA CORPORATION | 6 | * Copyright (C) 2005-2009 NTT DATA CORPORATION |
7 | * | 7 | * |
8 | * Version: 2.2.0-pre 2009/02/01 | 8 | * Version: 2.2.0 2009/04/01 |
9 | * | 9 | * |
10 | */ | 10 | */ |
11 | 11 | ||
@@ -1773,7 +1773,7 @@ void tomoyo_load_policy(const char *filename) | |||
1773 | envp[2] = NULL; | 1773 | envp[2] = NULL; |
1774 | call_usermodehelper(argv[0], argv, envp, 1); | 1774 | call_usermodehelper(argv[0], argv, envp, 1); |
1775 | 1775 | ||
1776 | printk(KERN_INFO "TOMOYO: 2.2.0-pre 2009/02/01\n"); | 1776 | printk(KERN_INFO "TOMOYO: 2.2.0 2009/04/01\n"); |
1777 | printk(KERN_INFO "Mandatory Access Control activated.\n"); | 1777 | printk(KERN_INFO "Mandatory Access Control activated.\n"); |
1778 | tomoyo_policy_loaded = true; | 1778 | tomoyo_policy_loaded = true; |
1779 | { /* Check all profiles currently assigned to domains are defined. */ | 1779 | { /* Check all profiles currently assigned to domains are defined. */ |
@@ -1800,7 +1800,7 @@ void tomoyo_load_policy(const char *filename) | |||
1800 | static int tomoyo_read_version(struct tomoyo_io_buffer *head) | 1800 | static int tomoyo_read_version(struct tomoyo_io_buffer *head) |
1801 | { | 1801 | { |
1802 | if (!head->read_eof) { | 1802 | if (!head->read_eof) { |
1803 | tomoyo_io_printf(head, "2.2.0-pre"); | 1803 | tomoyo_io_printf(head, "2.2.0"); |
1804 | head->read_eof = true; | 1804 | head->read_eof = true; |
1805 | } | 1805 | } |
1806 | return 0; | 1806 | return 0; |
diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h index e77e6a6de0f2..678f4ff16aa4 100644 --- a/security/tomoyo/common.h +++ b/security/tomoyo/common.h | |||
@@ -5,7 +5,7 @@ | |||
5 | * | 5 | * |
6 | * Copyright (C) 2005-2009 NTT DATA CORPORATION | 6 | * Copyright (C) 2005-2009 NTT DATA CORPORATION |
7 | * | 7 | * |
8 | * Version: 2.2.0-pre 2009/02/01 | 8 | * Version: 2.2.0 2009/04/01 |
9 | * | 9 | * |
10 | */ | 10 | */ |
11 | 11 | ||
diff --git a/security/tomoyo/domain.c b/security/tomoyo/domain.c index 2f2b449ffd2d..2d6748741a26 100644 --- a/security/tomoyo/domain.c +++ b/security/tomoyo/domain.c | |||
@@ -5,7 +5,7 @@ | |||
5 | * | 5 | * |
6 | * Copyright (C) 2005-2009 NTT DATA CORPORATION | 6 | * Copyright (C) 2005-2009 NTT DATA CORPORATION |
7 | * | 7 | * |
8 | * Version: 2.2.0-pre 2009/02/01 | 8 | * Version: 2.2.0 2009/04/01 |
9 | * | 9 | * |
10 | */ | 10 | */ |
11 | 11 | ||
diff --git a/security/tomoyo/file.c b/security/tomoyo/file.c index 65f50c1c5ee9..2316da8ec5bc 100644 --- a/security/tomoyo/file.c +++ b/security/tomoyo/file.c | |||
@@ -5,7 +5,7 @@ | |||
5 | * | 5 | * |
6 | * Copyright (C) 2005-2009 NTT DATA CORPORATION | 6 | * Copyright (C) 2005-2009 NTT DATA CORPORATION |
7 | * | 7 | * |
8 | * Version: 2.2.0-pre 2009/02/01 | 8 | * Version: 2.2.0 2009/04/01 |
9 | * | 9 | * |
10 | */ | 10 | */ |
11 | 11 | ||
diff --git a/security/tomoyo/realpath.c b/security/tomoyo/realpath.c index d47f16b844b2..bf8e2b451687 100644 --- a/security/tomoyo/realpath.c +++ b/security/tomoyo/realpath.c | |||
@@ -5,13 +5,14 @@ | |||
5 | * | 5 | * |
6 | * Copyright (C) 2005-2009 NTT DATA CORPORATION | 6 | * Copyright (C) 2005-2009 NTT DATA CORPORATION |
7 | * | 7 | * |
8 | * Version: 2.2.0-pre 2009/02/01 | 8 | * Version: 2.2.0 2009/04/01 |
9 | * | 9 | * |
10 | */ | 10 | */ |
11 | 11 | ||
12 | #include <linux/types.h> | 12 | #include <linux/types.h> |
13 | #include <linux/mount.h> | 13 | #include <linux/mount.h> |
14 | #include <linux/mnt_namespace.h> | 14 | #include <linux/mnt_namespace.h> |
15 | #include <linux/fs_struct.h> | ||
15 | #include "common.h" | 16 | #include "common.h" |
16 | #include "realpath.h" | 17 | #include "realpath.h" |
17 | 18 | ||
diff --git a/security/tomoyo/realpath.h b/security/tomoyo/realpath.h index 7ec9fc9cbc07..78217a37960b 100644 --- a/security/tomoyo/realpath.h +++ b/security/tomoyo/realpath.h | |||
@@ -5,7 +5,7 @@ | |||
5 | * | 5 | * |
6 | * Copyright (C) 2005-2009 NTT DATA CORPORATION | 6 | * Copyright (C) 2005-2009 NTT DATA CORPORATION |
7 | * | 7 | * |
8 | * Version: 2.2.0-pre 2009/02/01 | 8 | * Version: 2.2.0 2009/04/01 |
9 | * | 9 | * |
10 | */ | 10 | */ |
11 | 11 | ||
diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c index 3eeeae12c4dc..5b481912752a 100644 --- a/security/tomoyo/tomoyo.c +++ b/security/tomoyo/tomoyo.c | |||
@@ -5,7 +5,7 @@ | |||
5 | * | 5 | * |
6 | * Copyright (C) 2005-2009 NTT DATA CORPORATION | 6 | * Copyright (C) 2005-2009 NTT DATA CORPORATION |
7 | * | 7 | * |
8 | * Version: 2.2.0-pre 2009/02/01 | 8 | * Version: 2.2.0 2009/04/01 |
9 | * | 9 | * |
10 | */ | 10 | */ |
11 | 11 | ||
diff --git a/security/tomoyo/tomoyo.h b/security/tomoyo/tomoyo.h index a0c8f6e0bea4..41c6ebafb9c5 100644 --- a/security/tomoyo/tomoyo.h +++ b/security/tomoyo/tomoyo.h | |||
@@ -5,7 +5,7 @@ | |||
5 | * | 5 | * |
6 | * Copyright (C) 2005-2009 NTT DATA CORPORATION | 6 | * Copyright (C) 2005-2009 NTT DATA CORPORATION |
7 | * | 7 | * |
8 | * Version: 2.2.0-pre 2009/02/01 | 8 | * Version: 2.2.0 2009/04/01 |
9 | * | 9 | * |
10 | */ | 10 | */ |
11 | 11 | ||