diff options
Diffstat (limited to 'security')
| -rw-r--r-- | security/commoncap.c | 6 | ||||
| -rw-r--r-- | security/smack/smack_lsm.c | 44 | ||||
| -rw-r--r-- | security/smack/smackfs.c | 14 |
3 files changed, 39 insertions, 25 deletions
diff --git a/security/commoncap.c b/security/commoncap.c index 0cf4b53480a7..71a166a05975 100644 --- a/security/commoncap.c +++ b/security/commoncap.c | |||
| @@ -29,6 +29,7 @@ | |||
| 29 | #include <linux/securebits.h> | 29 | #include <linux/securebits.h> |
| 30 | #include <linux/user_namespace.h> | 30 | #include <linux/user_namespace.h> |
| 31 | #include <linux/binfmts.h> | 31 | #include <linux/binfmts.h> |
| 32 | #include <linux/personality.h> | ||
| 32 | 33 | ||
| 33 | /* | 34 | /* |
| 34 | * If a non-root user executes a setuid-root binary in | 35 | * If a non-root user executes a setuid-root binary in |
| @@ -505,6 +506,11 @@ int cap_bprm_set_creds(struct linux_binprm *bprm) | |||
| 505 | } | 506 | } |
| 506 | skip: | 507 | skip: |
| 507 | 508 | ||
| 509 | /* if we have fs caps, clear dangerous personality flags */ | ||
| 510 | if (!cap_issubset(new->cap_permitted, old->cap_permitted)) | ||
| 511 | bprm->per_clear |= PER_CLEAR_ON_SETID; | ||
| 512 | |||
| 513 | |||
| 508 | /* Don't let someone trace a set[ug]id/setpcap binary with the revised | 514 | /* Don't let someone trace a set[ug]id/setpcap binary with the revised |
| 509 | * credentials unless they have the appropriate permit | 515 | * credentials unless they have the appropriate permit |
| 510 | */ | 516 | */ |
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 10056f2f6df3..45c32f074166 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c | |||
| @@ -3640,8 +3640,38 @@ struct security_operations smack_ops = { | |||
| 3640 | }; | 3640 | }; |
| 3641 | 3641 | ||
| 3642 | 3642 | ||
| 3643 | static __init void init_smack_know_list(void) | 3643 | static __init void init_smack_known_list(void) |
| 3644 | { | 3644 | { |
| 3645 | /* | ||
| 3646 | * Initialize CIPSO locks | ||
| 3647 | */ | ||
| 3648 | spin_lock_init(&smack_known_huh.smk_cipsolock); | ||
| 3649 | spin_lock_init(&smack_known_hat.smk_cipsolock); | ||
| 3650 | spin_lock_init(&smack_known_star.smk_cipsolock); | ||
| 3651 | spin_lock_init(&smack_known_floor.smk_cipsolock); | ||
| 3652 | spin_lock_init(&smack_known_invalid.smk_cipsolock); | ||
| 3653 | spin_lock_init(&smack_known_web.smk_cipsolock); | ||
| 3654 | /* | ||
| 3655 | * Initialize rule list locks | ||
| 3656 | */ | ||
| 3657 | mutex_init(&smack_known_huh.smk_rules_lock); | ||
| 3658 | mutex_init(&smack_known_hat.smk_rules_lock); | ||
| 3659 | mutex_init(&smack_known_floor.smk_rules_lock); | ||
| 3660 | mutex_init(&smack_known_star.smk_rules_lock); | ||
| 3661 | mutex_init(&smack_known_invalid.smk_rules_lock); | ||
| 3662 | mutex_init(&smack_known_web.smk_rules_lock); | ||
| 3663 | /* | ||
| 3664 | * Initialize rule lists | ||
| 3665 | */ | ||
| 3666 | INIT_LIST_HEAD(&smack_known_huh.smk_rules); | ||
| 3667 | INIT_LIST_HEAD(&smack_known_hat.smk_rules); | ||
| 3668 | INIT_LIST_HEAD(&smack_known_star.smk_rules); | ||
| 3669 | INIT_LIST_HEAD(&smack_known_floor.smk_rules); | ||
| 3670 | INIT_LIST_HEAD(&smack_known_invalid.smk_rules); | ||
| 3671 | INIT_LIST_HEAD(&smack_known_web.smk_rules); | ||
| 3672 | /* | ||
| 3673 | * Create the known labels list | ||
| 3674 | */ | ||
| 3645 | list_add(&smack_known_huh.list, &smack_known_list); | 3675 | list_add(&smack_known_huh.list, &smack_known_list); |
| 3646 | list_add(&smack_known_hat.list, &smack_known_list); | 3676 | list_add(&smack_known_hat.list, &smack_known_list); |
| 3647 | list_add(&smack_known_star.list, &smack_known_list); | 3677 | list_add(&smack_known_star.list, &smack_known_list); |
| @@ -3676,16 +3706,8 @@ static __init int smack_init(void) | |||
| 3676 | cred = (struct cred *) current->cred; | 3706 | cred = (struct cred *) current->cred; |
| 3677 | cred->security = tsp; | 3707 | cred->security = tsp; |
| 3678 | 3708 | ||
| 3679 | /* initialize the smack_know_list */ | 3709 | /* initialize the smack_known_list */ |
| 3680 | init_smack_know_list(); | 3710 | init_smack_known_list(); |
| 3681 | /* | ||
| 3682 | * Initialize locks | ||
| 3683 | */ | ||
| 3684 | spin_lock_init(&smack_known_huh.smk_cipsolock); | ||
| 3685 | spin_lock_init(&smack_known_hat.smk_cipsolock); | ||
| 3686 | spin_lock_init(&smack_known_star.smk_cipsolock); | ||
| 3687 | spin_lock_init(&smack_known_floor.smk_cipsolock); | ||
| 3688 | spin_lock_init(&smack_known_invalid.smk_cipsolock); | ||
| 3689 | 3711 | ||
| 3690 | /* | 3712 | /* |
| 3691 | * Register with LSM | 3713 | * Register with LSM |
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c index 5c32f36ff706..038811cb7e62 100644 --- a/security/smack/smackfs.c +++ b/security/smack/smackfs.c | |||
| @@ -1614,20 +1614,6 @@ static int __init init_smk_fs(void) | |||
| 1614 | smk_cipso_doi(); | 1614 | smk_cipso_doi(); |
| 1615 | smk_unlbl_ambient(NULL); | 1615 | smk_unlbl_ambient(NULL); |
| 1616 | 1616 | ||
| 1617 | mutex_init(&smack_known_floor.smk_rules_lock); | ||
| 1618 | mutex_init(&smack_known_hat.smk_rules_lock); | ||
| 1619 | mutex_init(&smack_known_huh.smk_rules_lock); | ||
| 1620 | mutex_init(&smack_known_invalid.smk_rules_lock); | ||
| 1621 | mutex_init(&smack_known_star.smk_rules_lock); | ||
| 1622 | mutex_init(&smack_known_web.smk_rules_lock); | ||
| 1623 | |||
| 1624 | INIT_LIST_HEAD(&smack_known_floor.smk_rules); | ||
| 1625 | INIT_LIST_HEAD(&smack_known_hat.smk_rules); | ||
| 1626 | INIT_LIST_HEAD(&smack_known_huh.smk_rules); | ||
| 1627 | INIT_LIST_HEAD(&smack_known_invalid.smk_rules); | ||
| 1628 | INIT_LIST_HEAD(&smack_known_star.smk_rules); | ||
| 1629 | INIT_LIST_HEAD(&smack_known_web.smk_rules); | ||
| 1630 | |||
| 1631 | return err; | 1617 | return err; |
| 1632 | } | 1618 | } |
| 1633 | 1619 | ||