Commit 5c874a5b authored by Linus Torvalds's avatar Linus Torvalds

Merge tag 'Smack-for-5.14' of git://github.com/cschaufler/smack-next

Pull smack updates from Casey Schaufler:
 "There is nothing more significant than an improvement to a byte count
  check in smackfs.

  All changes have been in next for weeks"

* tag 'Smack-for-5.14' of git://github.com/cschaufler/smack-next:
  Smack: fix doc warning
  Revert "Smack: Handle io_uring kernel thread privileges"
  smackfs: restrict bytes count in smk_set_cipso()
  security/smack/: fix misspellings using codespell tool
parents 290fe0fa fe6bde73
...@@ -332,7 +332,7 @@ static void smack_log_callback(struct audit_buffer *ab, void *a) ...@@ -332,7 +332,7 @@ static void smack_log_callback(struct audit_buffer *ab, void *a)
* @object_label : smack label of the object being accessed * @object_label : smack label of the object being accessed
* @request: requested permissions * @request: requested permissions
* @result: result from smk_access * @result: result from smk_access
* @a: auxiliary audit data * @ad: auxiliary audit data
* *
* Audit the granting or denial of permissions in accordance * Audit the granting or denial of permissions in accordance
* with the policy. * with the policy.
...@@ -396,6 +396,7 @@ struct hlist_head smack_known_hash[SMACK_HASH_SLOTS]; ...@@ -396,6 +396,7 @@ struct hlist_head smack_known_hash[SMACK_HASH_SLOTS];
/** /**
* smk_insert_entry - insert a smack label into a hash map, * smk_insert_entry - insert a smack label into a hash map,
* @skp: smack label
* *
* this function must be called under smack_known_lock * this function must be called under smack_known_lock
*/ */
...@@ -476,8 +477,10 @@ char *smk_parse_smack(const char *string, int len) ...@@ -476,8 +477,10 @@ char *smk_parse_smack(const char *string, int len)
/** /**
* smk_netlbl_mls - convert a catset to netlabel mls categories * smk_netlbl_mls - convert a catset to netlabel mls categories
* @level: MLS sensitivity level
* @catset: the Smack categories * @catset: the Smack categories
* @sap: where to put the netlabel categories * @sap: where to put the netlabel categories
* @len: number of bytes for the levels in a CIPSO IP option
* *
* Allocates and fills attr.mls * Allocates and fills attr.mls
* Returns 0 on success, error code on failure. * Returns 0 on success, error code on failure.
...@@ -688,10 +691,9 @@ bool smack_privileged_cred(int cap, const struct cred *cred) ...@@ -688,10 +691,9 @@ bool smack_privileged_cred(int cap, const struct cred *cred)
bool smack_privileged(int cap) bool smack_privileged(int cap)
{ {
/* /*
* Kernel threads may not have credentials we can use. * All kernel tasks are privileged
* The io_uring kernel threads do have reliable credentials.
*/ */
if ((current->flags & (PF_KTHREAD | PF_IO_WORKER)) == PF_KTHREAD) if (unlikely(current->flags & PF_KTHREAD))
return true; return true;
return smack_privileged_cred(cap, current_cred()); return smack_privileged_cred(cap, current_cred());
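Review bot: The restored comment `All kernel tasks are privileged` is broader than the condition on the next line, which grants privilege only to tasks flagged PF_KTHREAD; io_uring workers, the PF_IO_WORKER case the removed line distinguished, presumably do not carry PF_KTHREAD and now fall through to smack_privileged_cred() with current_cred(), which appears to be the intent of the revert. Suggest the comment state that explicitly: `/* Kernel threads (PF_KTHREAD) are privileged; everything else, including io_uring workers, is checked against its own credentials. */`. The unconditional grant to kernel threads is a trust boundary worth repeating in the function's kerneldoc, which starts outside the hunk.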
......
...@@ -380,7 +380,7 @@ static int smk_parse_rule(const char *data, struct smack_parsed_rule *rule, ...@@ -380,7 +380,7 @@ static int smk_parse_rule(const char *data, struct smack_parsed_rule *rule,
* @data: string to be parsed, null terminated * @data: string to be parsed, null terminated
* @rule: Will be filled with Smack parsed rule * @rule: Will be filled with Smack parsed rule
* @import: if non-zero, import labels * @import: if non-zero, import labels
* @tokens: numer of substrings expected in data * @tokens: number of substrings expected in data
* *
* Returns number of processed bytes on success, -ERRNO on failure. * Returns number of processed bytes on success, -ERRNO on failure.
*/ */
...@@ -855,6 +855,8 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf, ...@@ -855,6 +855,8 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf,
if (format == SMK_FIXED24_FMT && if (format == SMK_FIXED24_FMT &&
(count < SMK_CIPSOMIN || count > SMK_CIPSOMAX)) (count < SMK_CIPSOMIN || count > SMK_CIPSOMAX))
return -EINVAL; return -EINVAL;
if (count > PAGE_SIZE)
return -EINVAL;
data = memdup_user_nul(buf, count); data = memdup_user_nul(buf, count);
if (IS_ERR(data)) if (IS_ERR(data))
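Review bot: The added `count > PAGE_SIZE` check carries no comment saying what it protects, and because it sits right after the SMK_FIXED24_FMT check that already bounds count by SMK_CIPSOMAX a reader may take it for a redundant check. It matters for the other format: count is user-supplied and is passed straight to memdup_user_nul() on the next line, so it sizes a kernel allocation. Suggest `/* count is untrusted and sizes the memdup_user_nul() allocation below */` above the new check. smk_set_cipso() begins outside the hunk, so the format variable's origin cannot be confirmed from here.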
......