diff options
Diffstat (limited to 'security')
| -rw-r--r-- | security/commoncap.c | 13 | ||||
| -rw-r--r-- | security/selinux/netlabel.c | 7 | ||||
| -rw-r--r-- | security/selinux/ss/services.c | 2 |
3 files changed, 15 insertions, 7 deletions
diff --git a/security/commoncap.c b/security/commoncap.c index 5bc1895f3f9..ea61bc73f6d 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -59,6 +59,12 @@ int cap_netlink_recv(struct sk_buff *skb, int cap) EXPORT_SYMBOL(cap_netlink_recv); +/* + * NOTE WELL: cap_capable() cannot be used like the kernel's capable() + * function. That is, it has the reverse semantics: cap_capable() + * returns 0 when a task has a capability, but the kernel's capable() + * returns 1 for this case. + */ int cap_capable (struct task_struct *tsk, int cap) { /* Derived from include/linux/sched.h:capable. */ @@ -107,10 +113,11 @@ static inline int cap_block_setpcap(struct task_struct *target) static inline int cap_inh_is_capped(void) { /* - * return 1 if changes to the inheritable set are limited - * to the old permitted set. + * Return 1 if changes to the inheritable set are limited + * to the old permitted set. That is, if the current task + * does *not* possess the CAP_SETPCAP capability. */ - return !cap_capable(current, CAP_SETPCAP); + return (cap_capable(current, CAP_SETPCAP) != 0); } #else /* ie., ndef CONFIG_SECURITY_FILE_CAPABILITIES */ diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c index d243ddc723a..66e013d6f6f 100644 --- a/security/selinux/netlabel.c +++ b/security/selinux/netlabel.c @@ -53,10 +53,11 @@ static int selinux_netlbl_sock_setsid(struct sock *sk, u32 sid) struct sk_security_struct *sksec = sk->sk_security; struct netlbl_lsm_secattr secattr; + netlbl_secattr_init(&secattr); + rc = security_netlbl_sid_to_secattr(sid, &secattr); if (rc != 0) - return rc; - + goto sock_setsid_return; rc = netlbl_sock_setattr(sk, &secattr); if (rc == 0) { spin_lock_bh(&sksec->nlbl_lock); @@ -64,6 +65,8 @@ static int selinux_netlbl_sock_setsid(struct sock *sk, u32 sid) spin_unlock_bh(&sksec->nlbl_lock); } +sock_setsid_return: + netlbl_secattr_destroy(&secattr); return rc; } diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index d572dc908f3..f83b19daed1 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -2606,8 +2606,6 @@ int security_netlbl_sid_to_secattr(u32 sid, struct netlbl_lsm_secattr *secattr) int rc = -ENOENT; struct context *ctx; - netlbl_secattr_init(secattr); - if (!ss_initialized) return 0; |