diff options
Diffstat (limited to 'security')
-rw-r--r-- | security/Kconfig | 2 | ||||
-rw-r--r-- | security/keys/keyring.c | 6 | ||||
-rw-r--r-- | security/selinux/nlmsgtab.c | 2 | ||||
-rw-r--r-- | security/selinux/ss/policydb.c | 8 | ||||
-rw-r--r-- | security/selinux/ss/services.c | 4 |
5 files changed, 16 insertions, 6 deletions
diff --git a/security/Kconfig b/security/Kconfig index e9c6ac724fef..beb86b500adf 100644 --- a/security/Kconfig +++ b/security/Kconfig | |||
@@ -103,7 +103,7 @@ config INTEL_TXT | |||
103 | config LSM_MMAP_MIN_ADDR | 103 | config LSM_MMAP_MIN_ADDR |
104 | int "Low address space for LSM to protect from user allocation" | 104 | int "Low address space for LSM to protect from user allocation" |
105 | depends on SECURITY && SECURITY_SELINUX | 105 | depends on SECURITY && SECURITY_SELINUX |
106 | default 32768 if ARM | 106 | default 32768 if ARM || (ARM64 && COMPAT) |
107 | default 65536 | 107 | default 65536 |
108 | help | 108 | help |
109 | This is the portion of low virtual memory which should be protected | 109 | This is the portion of low virtual memory which should be protected |
diff --git a/security/keys/keyring.c b/security/keys/keyring.c index d46cbc5e335e..2fb2576dc644 100644 --- a/security/keys/keyring.c +++ b/security/keys/keyring.c | |||
@@ -1000,7 +1000,11 @@ static int keyring_detect_cycle_iterator(const void *object, | |||
1000 | 1000 | ||
1001 | kenter("{%d}", key->serial); | 1001 | kenter("{%d}", key->serial); |
1002 | 1002 | ||
1003 | BUG_ON(key != ctx->match_data); | 1003 | /* We might get a keyring with matching index-key that is nonetheless a |
1004 | * different keyring. */ | ||
1005 | if (key != ctx->match_data) | ||
1006 | return 0; | ||
1007 | |||
1004 | ctx->result = ERR_PTR(-EDEADLK); | 1008 | ctx->result = ERR_PTR(-EDEADLK); |
1005 | return 1; | 1009 | return 1; |
1006 | } | 1010 | } |
diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c index 332ac8a80cf5..2df7b900e259 100644 --- a/security/selinux/nlmsgtab.c +++ b/security/selinux/nlmsgtab.c | |||
@@ -17,6 +17,7 @@ | |||
17 | #include <linux/inet_diag.h> | 17 | #include <linux/inet_diag.h> |
18 | #include <linux/xfrm.h> | 18 | #include <linux/xfrm.h> |
19 | #include <linux/audit.h> | 19 | #include <linux/audit.h> |
20 | #include <linux/sock_diag.h> | ||
20 | 21 | ||
21 | #include "flask.h" | 22 | #include "flask.h" |
22 | #include "av_permissions.h" | 23 | #include "av_permissions.h" |
@@ -78,6 +79,7 @@ static struct nlmsg_perm nlmsg_tcpdiag_perms[] = | |||
78 | { | 79 | { |
79 | { TCPDIAG_GETSOCK, NETLINK_TCPDIAG_SOCKET__NLMSG_READ }, | 80 | { TCPDIAG_GETSOCK, NETLINK_TCPDIAG_SOCKET__NLMSG_READ }, |
80 | { DCCPDIAG_GETSOCK, NETLINK_TCPDIAG_SOCKET__NLMSG_READ }, | 81 | { DCCPDIAG_GETSOCK, NETLINK_TCPDIAG_SOCKET__NLMSG_READ }, |
82 | { SOCK_DIAG_BY_FAMILY, NETLINK_TCPDIAG_SOCKET__NLMSG_READ }, | ||
81 | }; | 83 | }; |
82 | 84 | ||
83 | static struct nlmsg_perm nlmsg_xfrm_perms[] = | 85 | static struct nlmsg_perm nlmsg_xfrm_perms[] = |
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c index c0f498842129..9c5cdc2caaef 100644 --- a/security/selinux/ss/policydb.c +++ b/security/selinux/ss/policydb.c | |||
@@ -3338,10 +3338,10 @@ static int filename_write_helper(void *key, void *data, void *ptr) | |||
3338 | if (rc) | 3338 | if (rc) |
3339 | return rc; | 3339 | return rc; |
3340 | 3340 | ||
3341 | buf[0] = ft->stype; | 3341 | buf[0] = cpu_to_le32(ft->stype); |
3342 | buf[1] = ft->ttype; | 3342 | buf[1] = cpu_to_le32(ft->ttype); |
3343 | buf[2] = ft->tclass; | 3343 | buf[2] = cpu_to_le32(ft->tclass); |
3344 | buf[3] = otype->otype; | 3344 | buf[3] = cpu_to_le32(otype->otype); |
3345 | 3345 | ||
3346 | rc = put_entry(buf, sizeof(u32), 4, fp); | 3346 | rc = put_entry(buf, sizeof(u32), 4, fp); |
3347 | if (rc) | 3347 | if (rc) |
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index c93c21127f0c..5d0144ee8ed6 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c | |||
@@ -1232,6 +1232,10 @@ static int security_context_to_sid_core(const char *scontext, u32 scontext_len, | |||
1232 | struct context context; | 1232 | struct context context; |
1233 | int rc = 0; | 1233 | int rc = 0; |
1234 | 1234 | ||
1235 | /* An empty security context is never valid. */ | ||
1236 | if (!scontext_len) | ||
1237 | return -EINVAL; | ||
1238 | |||
1235 | if (!ss_initialized) { | 1239 | if (!ss_initialized) { |
1236 | int i; | 1240 | int i; |
1237 | 1241 | ||