diff options
Diffstat (limited to 'security')
-rw-r--r-- | security/commoncap.c | 13 | ||||
-rw-r--r-- | security/device_cgroup.c | 38 | ||||
-rw-r--r-- | security/dummy.c | 24 | ||||
-rw-r--r-- | security/keys/internal.h | 1 | ||||
-rw-r--r-- | security/smack/smack_lsm.c | 12 |
5 files changed, 73 insertions, 15 deletions
diff --git a/security/commoncap.c b/security/commoncap.c index 5edabc7542a..33d34330841 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -103,10 +103,16 @@ static inline int cap_inh_is_capped(void) return (cap_capable(current, CAP_SETPCAP) != 0); } +static inline int cap_limit_ptraced_target(void) { return 1; } + #else /* ie., ndef CONFIG_SECURITY_FILE_CAPABILITIES */ static inline int cap_block_setpcap(struct task_struct *t) { return 0; } static inline int cap_inh_is_capped(void) { return 1; } +static inline int cap_limit_ptraced_target(void) +{ + return !capable(CAP_SETPCAP); +} #endif /* def CONFIG_SECURITY_FILE_CAPABILITIES */ @@ -342,9 +348,10 @@ void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe) bprm->e_uid = current->uid; bprm->e_gid = current->gid; } - if (!capable (CAP_SETPCAP)) { - new_permitted = cap_intersect (new_permitted, - current->cap_permitted); + if (cap_limit_ptraced_target()) { + new_permitted = + cap_intersect(new_permitted, + current->cap_permitted); } } } diff --git a/security/device_cgroup.c b/security/device_cgroup.c index 4ea583689ee..fd764a0858d 100644 --- a/security/device_cgroup.c +++ b/security/device_cgroup.c @@ -49,10 +49,14 @@ struct dev_cgroup { spinlock_t lock; }; +static inline struct dev_cgroup *css_to_devcgroup(struct cgroup_subsys_state *s) +{ + return container_of(s, struct dev_cgroup, css); +} + static inline struct dev_cgroup *cgroup_to_devcgroup(struct cgroup *cgroup) { - return container_of(cgroup_subsys_state(cgroup, devices_subsys_id), - struct dev_cgroup, css); + return css_to_devcgroup(cgroup_subsys_state(cgroup, devices_subsys_id)); } struct cgroup_subsys devices_subsys; @@ -102,7 +106,7 @@ free_and_exit: static int dev_whitelist_add(struct dev_cgroup *dev_cgroup, struct dev_whitelist_item *wh) { - struct dev_whitelist_item *whcopy; + struct dev_whitelist_item *whcopy, *walk; whcopy = kmalloc(sizeof(*whcopy), GFP_KERNEL); if (!whcopy) @@ -110,7 +114,21 @@ static int dev_whitelist_add(struct dev_cgroup *dev_cgroup, memcpy(whcopy, wh, sizeof(*whcopy)); spin_lock(&dev_cgroup->lock); - list_add_tail(&whcopy->list, &dev_cgroup->whitelist); + list_for_each_entry(walk, &dev_cgroup->whitelist, list) { + if (walk->type != wh->type) + continue; + if (walk->major != wh->major) + continue; + if (walk->minor != wh->minor) + continue; + + walk->access |= wh->access; + kfree(whcopy); + whcopy = NULL; + } + + if (whcopy != NULL) + list_add_tail(&whcopy->list, &dev_cgroup->whitelist); spin_unlock(&dev_cgroup->lock); return 0; } @@ -364,6 +382,8 @@ static ssize_t devcgroup_access_write(struct cgroup *cgroup, struct cftype *cft, case 'a': wh.type = DEV_ALL; wh.access = ACC_MASK; + wh.major = ~0; + wh.minor = ~0; goto handle; case 'b': wh.type = DEV_BLOCK; @@ -502,7 +522,6 @@ struct cgroup_subsys devices_subsys = { int devcgroup_inode_permission(struct inode *inode, int mask) { - struct cgroup *cgroup; struct dev_cgroup *dev_cgroup; struct dev_whitelist_item *wh; @@ -511,8 +530,8 @@ int devcgroup_inode_permission(struct inode *inode, int mask) return 0; if (!S_ISBLK(inode->i_mode) && !S_ISCHR(inode->i_mode)) return 0; - cgroup = task_cgroup(current, devices_subsys.subsys_id); - dev_cgroup = cgroup_to_devcgroup(cgroup); + dev_cgroup = css_to_devcgroup(task_subsys_state(current, + devices_subsys_id)); if (!dev_cgroup) return 0; @@ -543,12 +562,11 @@ acc_check: int devcgroup_inode_mknod(int mode, dev_t dev) { - struct cgroup *cgroup; struct dev_cgroup *dev_cgroup; struct dev_whitelist_item *wh; - cgroup = task_cgroup(current, devices_subsys.subsys_id); - dev_cgroup = cgroup_to_devcgroup(cgroup); + dev_cgroup = css_to_devcgroup(task_subsys_state(current, + devices_subsys_id)); if (!dev_cgroup) return 0; diff --git a/security/dummy.c b/security/dummy.c index f50c6c3c32c..b8916883b77 100644 --- a/security/dummy.c +++ b/security/dummy.c @@ -27,6 +27,8 @@ #include <linux/hugetlb.h> #include <linux/ptrace.h> #include <linux/file.h> +#include <linux/prctl.h> +#include <linux/securebits.h> static int dummy_ptrace (struct task_struct *parent, struct task_struct *child) { @@ -607,7 +609,27 @@ static int dummy_task_kill (struct task_struct *p, struct siginfo *info, static int dummy_task_prctl (int option, unsigned long arg2, unsigned long arg3, unsigned long arg4, unsigned long arg5, long *rc_p) { - return 0; + switch (option) { + case PR_CAPBSET_READ: + *rc_p = (cap_valid(arg2) ? 1 : -EINVAL); + break; + case PR_GET_KEEPCAPS: + *rc_p = issecure(SECURE_KEEP_CAPS); + break; + case PR_SET_KEEPCAPS: + if (arg2 > 1) + *rc_p = -EINVAL; + else if (arg2) + current->securebits |= issecure_mask(SECURE_KEEP_CAPS); + else + current->securebits &= + ~issecure_mask(SECURE_KEEP_CAPS); + break; + default: + return 0; + } + + return 1; } static void dummy_task_reparent_to_init (struct task_struct *p) diff --git a/security/keys/internal.h b/security/keys/internal.h index 8c05587f501..b39f5c2e2c4 100644 --- a/security/keys/internal.h +++ b/security/keys/internal.h @@ -78,7 +78,6 @@ extern unsigned key_quota_maxbytes; extern struct rb_root key_serial_tree; extern spinlock_t key_serial_lock; -extern struct semaphore key_alloc_sem; extern struct mutex key_construction_mutex; extern wait_queue_head_t request_key_conswq; diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index b5c8f923700..4a09293efa0 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -1881,6 +1881,18 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode) final = sbsp->smk_default; /* + * If this is the root inode the superblock + * may be in the process of initialization. + * If that is the case use the root value out + * of the superblock. + */ + if (opt_dentry->d_parent == opt_dentry) { + isp->smk_inode = sbsp->smk_root; + isp->smk_flags |= SMK_INODE_INSTANT; + goto unlockandout; + } + + /* * This is pretty hackish. * Casey says that we shouldn't have to do * file system specific code, but it does help |