aboutsummaryrefslogtreecommitdiff
path: root/security
diff options
context:
space:
mode:
Diffstat (limited to 'security')
-rw-r--r--security/commoncap.c13
-rw-r--r--security/device_cgroup.c44
-rw-r--r--security/dummy.c24
-rw-r--r--security/keys/internal.h1
-rw-r--r--security/smack/smack_lsm.c12
5 files changed, 76 insertions, 18 deletions
diff --git a/security/commoncap.c b/security/commoncap.c
index 5edabc7542a..33d34330841 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -103,10 +103,16 @@ static inline int cap_inh_is_capped(void)
return (cap_capable(current, CAP_SETPCAP) != 0);
}
+static inline int cap_limit_ptraced_target(void) { return 1; }
+
#else /* ie., ndef CONFIG_SECURITY_FILE_CAPABILITIES */
static inline int cap_block_setpcap(struct task_struct *t) { return 0; }
static inline int cap_inh_is_capped(void) { return 1; }
+static inline int cap_limit_ptraced_target(void)
+{
+ return !capable(CAP_SETPCAP);
+}
#endif /* def CONFIG_SECURITY_FILE_CAPABILITIES */
@@ -342,9 +348,10 @@ void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe)
bprm->e_uid = current->uid;
bprm->e_gid = current->gid;
}
- if (!capable (CAP_SETPCAP)) {
- new_permitted = cap_intersect (new_permitted,
- current->cap_permitted);
+ if (cap_limit_ptraced_target()) {
+ new_permitted =
+ cap_intersect(new_permitted,
+ current->cap_permitted);
}
}
}
diff --git a/security/device_cgroup.c b/security/device_cgroup.c
index 4ea583689ee..ddd92cec78e 100644
--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -49,10 +49,14 @@ struct dev_cgroup {
spinlock_t lock;
};
+static inline struct dev_cgroup *css_to_devcgroup(struct cgroup_subsys_state *s)
+{
+ return container_of(s, struct dev_cgroup, css);
+}
+
static inline struct dev_cgroup *cgroup_to_devcgroup(struct cgroup *cgroup)
{
- return container_of(cgroup_subsys_state(cgroup, devices_subsys_id),
- struct dev_cgroup, css);
+ return css_to_devcgroup(cgroup_subsys_state(cgroup, devices_subsys_id));
}
struct cgroup_subsys devices_subsys;
@@ -102,7 +106,7 @@ free_and_exit:
static int dev_whitelist_add(struct dev_cgroup *dev_cgroup,
struct dev_whitelist_item *wh)
{
- struct dev_whitelist_item *whcopy;
+ struct dev_whitelist_item *whcopy, *walk;
whcopy = kmalloc(sizeof(*whcopy), GFP_KERNEL);
if (!whcopy)
@@ -110,7 +114,21 @@ static int dev_whitelist_add(struct dev_cgroup *dev_cgroup,
memcpy(whcopy, wh, sizeof(*whcopy));
spin_lock(&dev_cgroup->lock);
- list_add_tail(&whcopy->list, &dev_cgroup->whitelist);
+ list_for_each_entry(walk, &dev_cgroup->whitelist, list) {
+ if (walk->type != wh->type)
+ continue;
+ if (walk->major != wh->major)
+ continue;
+ if (walk->minor != wh->minor)
+ continue;
+
+ walk->access |= wh->access;
+ kfree(whcopy);
+ whcopy = NULL;
+ }
+
+ if (whcopy != NULL)
+ list_add_tail(&whcopy->list, &dev_cgroup->whitelist);
spin_unlock(&dev_cgroup->lock);
return 0;
}
@@ -204,7 +222,7 @@ static void devcgroup_destroy(struct cgroup_subsys *ss,
#define DEVCG_DENY 2
#define DEVCG_LIST 3
-#define MAJMINLEN 10
+#define MAJMINLEN 13
#define ACCLEN 4
static void set_access(char *acc, short access)
@@ -236,7 +254,7 @@ static void set_majmin(char *str, unsigned m)
if (m == ~0)
sprintf(str, "*");
else
- snprintf(str, MAJMINLEN, "%d", m);
+ snprintf(str, MAJMINLEN, "%u", m);
}
static int devcgroup_seq_read(struct cgroup *cgroup, struct cftype *cft,
@@ -282,7 +300,7 @@ static int may_access_whitelist(struct dev_cgroup *c,
continue;
if (whitem->minor != ~0 && whitem->minor != refwh->minor)
continue;
- if (refwh->access & (~(whitem->access | ACC_MASK)))
+ if (refwh->access & (~whitem->access))
continue;
return 1;
}
@@ -364,6 +382,8 @@ static ssize_t devcgroup_access_write(struct cgroup *cgroup, struct cftype *cft,
case 'a':
wh.type = DEV_ALL;
wh.access = ACC_MASK;
+ wh.major = ~0;
+ wh.minor = ~0;
goto handle;
case 'b':
wh.type = DEV_BLOCK;
@@ -502,7 +522,6 @@ struct cgroup_subsys devices_subsys = {
int devcgroup_inode_permission(struct inode *inode, int mask)
{
- struct cgroup *cgroup;
struct dev_cgroup *dev_cgroup;
struct dev_whitelist_item *wh;
@@ -511,8 +530,8 @@ int devcgroup_inode_permission(struct inode *inode, int mask)
return 0;
if (!S_ISBLK(inode->i_mode) && !S_ISCHR(inode->i_mode))
return 0;
- cgroup = task_cgroup(current, devices_subsys.subsys_id);
- dev_cgroup = cgroup_to_devcgroup(cgroup);
+ dev_cgroup = css_to_devcgroup(task_subsys_state(current,
+ devices_subsys_id));
if (!dev_cgroup)
return 0;
@@ -543,12 +562,11 @@ acc_check:
int devcgroup_inode_mknod(int mode, dev_t dev)
{
- struct cgroup *cgroup;
struct dev_cgroup *dev_cgroup;
struct dev_whitelist_item *wh;
- cgroup = task_cgroup(current, devices_subsys.subsys_id);
- dev_cgroup = cgroup_to_devcgroup(cgroup);
+ dev_cgroup = css_to_devcgroup(task_subsys_state(current,
+ devices_subsys_id));
if (!dev_cgroup)
return 0;
diff --git a/security/dummy.c b/security/dummy.c
index f50c6c3c32c..b8916883b77 100644
--- a/security/dummy.c
+++ b/security/dummy.c
@@ -27,6 +27,8 @@
#include <linux/hugetlb.h>
#include <linux/ptrace.h>
#include <linux/file.h>
+#include <linux/prctl.h>
+#include <linux/securebits.h>
static int dummy_ptrace (struct task_struct *parent, struct task_struct *child)
{
@@ -607,7 +609,27 @@ static int dummy_task_kill (struct task_struct *p, struct siginfo *info,
static int dummy_task_prctl (int option, unsigned long arg2, unsigned long arg3,
unsigned long arg4, unsigned long arg5, long *rc_p)
{
- return 0;
+ switch (option) {
+ case PR_CAPBSET_READ:
+ *rc_p = (cap_valid(arg2) ? 1 : -EINVAL);
+ break;
+ case PR_GET_KEEPCAPS:
+ *rc_p = issecure(SECURE_KEEP_CAPS);
+ break;
+ case PR_SET_KEEPCAPS:
+ if (arg2 > 1)
+ *rc_p = -EINVAL;
+ else if (arg2)
+ current->securebits |= issecure_mask(SECURE_KEEP_CAPS);
+ else
+ current->securebits &=
+ ~issecure_mask(SECURE_KEEP_CAPS);
+ break;
+ default:
+ return 0;
+ }
+
+ return 1;
}
static void dummy_task_reparent_to_init (struct task_struct *p)
diff --git a/security/keys/internal.h b/security/keys/internal.h
index 8c05587f501..b39f5c2e2c4 100644
--- a/security/keys/internal.h
+++ b/security/keys/internal.h
@@ -78,7 +78,6 @@ extern unsigned key_quota_maxbytes;
extern struct rb_root key_serial_tree;
extern spinlock_t key_serial_lock;
-extern struct semaphore key_alloc_sem;
extern struct mutex key_construction_mutex;
extern wait_queue_head_t request_key_conswq;
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index b5c8f923700..4a09293efa0 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -1881,6 +1881,18 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
final = sbsp->smk_default;
/*
+ * If this is the root inode the superblock
+ * may be in the process of initialization.
+ * If that is the case use the root value out
+ * of the superblock.
+ */
+ if (opt_dentry->d_parent == opt_dentry) {
+ isp->smk_inode = sbsp->smk_root;
+ isp->smk_flags |= SMK_INODE_INSTANT;
+ goto unlockandout;
+ }
+
+ /*
* This is pretty hackish.
* Casey says that we shouldn't have to do
* file system specific code, but it does help