Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
L
linux
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
linux
Commits
a2a15479
Commit
a2a15479
authored
Feb 10, 2017
by
James Morris
Browse files
Options
Browse Files
Download
Plain Diff
Merge branch 'stable-4.11' of
git://git.infradead.org/users/pcmoore/selinux
into next
parents
e2241be6
1ea0ce40
Changes
13
Expand all
Hide whitespace changes
Inline
Side-by-side
Showing
13 changed files
with
341 additions
and
314 deletions
+341
-314
fs/proc/base.c
fs/proc/base.c
+9
-4
include/linux/lsm_hooks.h
include/linux/lsm_hooks.h
+1
-9
include/linux/security.h
include/linux/security.h
+2
-8
kernel/exit.c
kernel/exit.c
+2
-17
security/apparmor/lsm.c
security/apparmor/lsm.c
+2
-5
security/security.c
security/security.c
+2
-8
security/selinux/hooks.c
security/selinux/hooks.c
+188
-191
security/selinux/include/classmap.h
security/selinux/include/classmap.h
+62
-0
security/selinux/include/objsec.h
security/selinux/include/objsec.h
+10
-0
security/selinux/include/security.h
security/selinux/include/security.h
+2
-1
security/selinux/selinuxfs.c
security/selinux/selinuxfs.c
+57
-41
security/selinux/ss/services.c
security/selinux/ss/services.c
+3
-0
security/smack/smack_lsm.c
security/smack/smack_lsm.c
+1
-30
No files found.
fs/proc/base.c
View file @
a2a15479
...
...
@@ -2488,6 +2488,12 @@ static ssize_t proc_pid_attr_write(struct file * file, const char __user * buf,
length
=
-
ESRCH
;
if
(
!
task
)
goto
out_no_task
;
/* A task may only write its own attributes. */
length
=
-
EACCES
;
if
(
current
!=
task
)
goto
out
;
if
(
count
>
PAGE_SIZE
)
count
=
PAGE_SIZE
;
...
...
@@ -2503,14 +2509,13 @@ static ssize_t proc_pid_attr_write(struct file * file, const char __user * buf,
}
/* Guard against adverse ptrace interaction */
length
=
mutex_lock_interruptible
(
&
task
->
signal
->
cred_guard_mutex
);
length
=
mutex_lock_interruptible
(
&
current
->
signal
->
cred_guard_mutex
);
if
(
length
<
0
)
goto
out_free
;
length
=
security_setprocattr
(
task
,
(
char
*
)
file
->
f_path
.
dentry
->
d_name
.
name
,
length
=
security_setprocattr
(
file
->
f_path
.
dentry
->
d_name
.
name
,
page
,
count
);
mutex_unlock
(
&
task
->
signal
->
cred_guard_mutex
);
mutex_unlock
(
&
current
->
signal
->
cred_guard_mutex
);
out_free:
kfree
(
page
);
out:
...
...
include/linux/lsm_hooks.h
View file @
a2a15479
...
...
@@ -665,11 +665,6 @@
* @sig contains the signal value.
* @secid contains the sid of the process where the signal originated
* Return 0 if permission is granted.
* @task_wait:
* Check permission before allowing a process to reap a child process @p
* and collect its status information.
* @p contains the task_struct for process.
* Return 0 if permission is granted.
* @task_prctl:
* Check permission before performing a process control operation on the
* current process.
...
...
@@ -1506,7 +1501,6 @@ union security_list_options {
int
(
*
task_movememory
)(
struct
task_struct
*
p
);
int
(
*
task_kill
)(
struct
task_struct
*
p
,
struct
siginfo
*
info
,
int
sig
,
u32
secid
);
int
(
*
task_wait
)(
struct
task_struct
*
p
);
int
(
*
task_prctl
)(
int
option
,
unsigned
long
arg2
,
unsigned
long
arg3
,
unsigned
long
arg4
,
unsigned
long
arg5
);
void
(
*
task_to_inode
)(
struct
task_struct
*
p
,
struct
inode
*
inode
);
...
...
@@ -1546,8 +1540,7 @@ union security_list_options {
void
(
*
d_instantiate
)(
struct
dentry
*
dentry
,
struct
inode
*
inode
);
int
(
*
getprocattr
)(
struct
task_struct
*
p
,
char
*
name
,
char
**
value
);
int
(
*
setprocattr
)(
struct
task_struct
*
p
,
char
*
name
,
void
*
value
,
size_t
size
);
int
(
*
setprocattr
)(
const
char
*
name
,
void
*
value
,
size_t
size
);
int
(
*
ismaclabel
)(
const
char
*
name
);
int
(
*
secid_to_secctx
)(
u32
secid
,
char
**
secdata
,
u32
*
seclen
);
int
(
*
secctx_to_secid
)(
const
char
*
secdata
,
u32
seclen
,
u32
*
secid
);
...
...
@@ -1767,7 +1760,6 @@ struct security_hook_heads {
struct
list_head
task_getscheduler
;
struct
list_head
task_movememory
;
struct
list_head
task_kill
;
struct
list_head
task_wait
;
struct
list_head
task_prctl
;
struct
list_head
task_to_inode
;
struct
list_head
ipc_permission
;
...
...
include/linux/security.h
View file @
a2a15479
...
...
@@ -332,7 +332,6 @@ int security_task_getscheduler(struct task_struct *p);
int
security_task_movememory
(
struct
task_struct
*
p
);
int
security_task_kill
(
struct
task_struct
*
p
,
struct
siginfo
*
info
,
int
sig
,
u32
secid
);
int
security_task_wait
(
struct
task_struct
*
p
);
int
security_task_prctl
(
int
option
,
unsigned
long
arg2
,
unsigned
long
arg3
,
unsigned
long
arg4
,
unsigned
long
arg5
);
void
security_task_to_inode
(
struct
task_struct
*
p
,
struct
inode
*
inode
);
...
...
@@ -361,7 +360,7 @@ int security_sem_semop(struct sem_array *sma, struct sembuf *sops,
unsigned
nsops
,
int
alter
);
void
security_d_instantiate
(
struct
dentry
*
dentry
,
struct
inode
*
inode
);
int
security_getprocattr
(
struct
task_struct
*
p
,
char
*
name
,
char
**
value
);
int
security_setprocattr
(
struct
task_struct
*
p
,
char
*
name
,
void
*
value
,
size_t
size
);
int
security_setprocattr
(
const
char
*
name
,
void
*
value
,
size_t
size
);
int
security_netlink_send
(
struct
sock
*
sk
,
struct
sk_buff
*
skb
);
int
security_ismaclabel
(
const
char
*
name
);
int
security_secid_to_secctx
(
u32
secid
,
char
**
secdata
,
u32
*
seclen
);
...
...
@@ -980,11 +979,6 @@ static inline int security_task_kill(struct task_struct *p,
return
0
;
}
static
inline
int
security_task_wait
(
struct
task_struct
*
p
)
{
return
0
;
}
static
inline
int
security_task_prctl
(
int
option
,
unsigned
long
arg2
,
unsigned
long
arg3
,
unsigned
long
arg4
,
...
...
@@ -1106,7 +1100,7 @@ static inline int security_getprocattr(struct task_struct *p, char *name, char *
return
-
EINVAL
;
}
static
inline
int
security_setprocattr
(
struct
task_struct
*
p
,
char
*
name
,
void
*
value
,
size_t
size
)
static
inline
int
security_setprocattr
(
char
*
name
,
void
*
value
,
size_t
size
)
{
return
-
EINVAL
;
}
...
...
kernel/exit.c
View file @
a2a15479
...
...
@@ -14,7 +14,6 @@
#include <linux/tty.h>
#include <linux/iocontext.h>
#include <linux/key.h>
#include <linux/security.h>
#include <linux/cpu.h>
#include <linux/acct.h>
#include <linux/tsacct_kern.h>
...
...
@@ -1360,7 +1359,7 @@ static int wait_task_continued(struct wait_opts *wo, struct task_struct *p)
* Returns nonzero for a final return, when we have unlocked tasklist_lock.
* Returns zero if the search for a child should continue;
* then ->notask_error is 0 if @p is an eligible child,
* or
another error from security_task_wait(), or
still -ECHILD.
* or still -ECHILD.
*/
static
int
wait_consider_task
(
struct
wait_opts
*
wo
,
int
ptrace
,
struct
task_struct
*
p
)
...
...
@@ -1380,20 +1379,6 @@ static int wait_consider_task(struct wait_opts *wo, int ptrace,
if
(
!
ret
)
return
ret
;
ret
=
security_task_wait
(
p
);
if
(
unlikely
(
ret
<
0
))
{
/*
* If we have not yet seen any eligible child,
* then let this error code replace -ECHILD.
* A permission error will give the user a clue
* to look for security policy problems, rather
* than for mysterious wait bugs.
*/
if
(
wo
->
notask_error
)
wo
->
notask_error
=
ret
;
return
0
;
}
if
(
unlikely
(
exit_state
==
EXIT_TRACE
))
{
/*
* ptrace == 0 means we are the natural parent. In this case
...
...
@@ -1486,7 +1471,7 @@ static int wait_consider_task(struct wait_opts *wo, int ptrace,
* Returns nonzero for a final return, when we have unlocked tasklist_lock.
* Returns zero if the search for a child should continue; then
* ->notask_error is 0 if there were any eligible children,
* or
another error from security_task_wait(), or
still -ECHILD.
* or still -ECHILD.
*/
static
int
do_wait_thread
(
struct
wait_opts
*
wo
,
struct
task_struct
*
tsk
)
{
...
...
security/apparmor/lsm.c
View file @
a2a15479
...
...
@@ -505,8 +505,8 @@ static int apparmor_getprocattr(struct task_struct *task, char *name,
return
error
;
}
static
int
apparmor_setprocattr
(
struct
task_struct
*
task
,
char
*
nam
e
,
void
*
value
,
size_t
size
)
static
int
apparmor_setprocattr
(
const
char
*
name
,
void
*
valu
e
,
size_t
size
)
{
char
*
command
,
*
largs
=
NULL
,
*
args
=
value
;
size_t
arg_size
;
...
...
@@ -515,9 +515,6 @@ static int apparmor_setprocattr(struct task_struct *task, char *name,
if
(
size
==
0
)
return
-
EINVAL
;
/* task can only write its own attributes */
if
(
current
!=
task
)
return
-
EACCES
;
/* AppArmor requires that the buffer must be null terminated atm */
if
(
args
[
size
-
1
]
!=
'\0'
)
{
...
...
security/security.c
View file @
a2a15479
...
...
@@ -1063,11 +1063,6 @@ int security_task_kill(struct task_struct *p, struct siginfo *info,
return
call_int_hook
(
task_kill
,
0
,
p
,
info
,
sig
,
secid
);
}
int
security_task_wait
(
struct
task_struct
*
p
)
{
return
call_int_hook
(
task_wait
,
0
,
p
);
}
int
security_task_prctl
(
int
option
,
unsigned
long
arg2
,
unsigned
long
arg3
,
unsigned
long
arg4
,
unsigned
long
arg5
)
{
...
...
@@ -1208,9 +1203,9 @@ int security_getprocattr(struct task_struct *p, char *name, char **value)
return
call_int_hook
(
getprocattr
,
-
EINVAL
,
p
,
name
,
value
);
}
int
security_setprocattr
(
struct
task_struct
*
p
,
char
*
name
,
void
*
value
,
size_t
size
)
int
security_setprocattr
(
const
char
*
name
,
void
*
value
,
size_t
size
)
{
return
call_int_hook
(
setprocattr
,
-
EINVAL
,
p
,
name
,
value
,
size
);
return
call_int_hook
(
setprocattr
,
-
EINVAL
,
name
,
value
,
size
);
}
int
security_netlink_send
(
struct
sock
*
sk
,
struct
sk_buff
*
skb
)
...
...
@@ -1807,7 +1802,6 @@ struct security_hook_heads security_hook_heads = {
.
task_movememory
=
LIST_HEAD_INIT
(
security_hook_heads
.
task_movememory
),
.
task_kill
=
LIST_HEAD_INIT
(
security_hook_heads
.
task_kill
),
.
task_wait
=
LIST_HEAD_INIT
(
security_hook_heads
.
task_wait
),
.
task_prctl
=
LIST_HEAD_INIT
(
security_hook_heads
.
task_prctl
),
.
task_to_inode
=
LIST_HEAD_INIT
(
security_hook_heads
.
task_to_inode
),
...
...
security/selinux/hooks.c
View file @
a2a15479
This diff is collapsed.
Click to expand it.
security/selinux/include/classmap.h
View file @
a2a15479
...
...
@@ -171,5 +171,67 @@ struct security_class_mapping secclass_map[] = {
{
COMMON_CAP_PERMS
,
NULL
}
},
{
"cap2_userns"
,
{
COMMON_CAP2_PERMS
,
NULL
}
},
{
"sctp_socket"
,
{
COMMON_SOCK_PERMS
,
"node_bind"
,
NULL
}
},
{
"icmp_socket"
,
{
COMMON_SOCK_PERMS
,
"node_bind"
,
NULL
}
},
{
"ax25_socket"
,
{
COMMON_SOCK_PERMS
,
NULL
}
},
{
"ipx_socket"
,
{
COMMON_SOCK_PERMS
,
NULL
}
},
{
"netrom_socket"
,
{
COMMON_SOCK_PERMS
,
NULL
}
},
{
"atmpvc_socket"
,
{
COMMON_SOCK_PERMS
,
NULL
}
},
{
"x25_socket"
,
{
COMMON_SOCK_PERMS
,
NULL
}
},
{
"rose_socket"
,
{
COMMON_SOCK_PERMS
,
NULL
}
},
{
"decnet_socket"
,
{
COMMON_SOCK_PERMS
,
NULL
}
},
{
"atmsvc_socket"
,
{
COMMON_SOCK_PERMS
,
NULL
}
},
{
"rds_socket"
,
{
COMMON_SOCK_PERMS
,
NULL
}
},
{
"irda_socket"
,
{
COMMON_SOCK_PERMS
,
NULL
}
},
{
"pppox_socket"
,
{
COMMON_SOCK_PERMS
,
NULL
}
},
{
"llc_socket"
,
{
COMMON_SOCK_PERMS
,
NULL
}
},
{
"can_socket"
,
{
COMMON_SOCK_PERMS
,
NULL
}
},
{
"tipc_socket"
,
{
COMMON_SOCK_PERMS
,
NULL
}
},
{
"bluetooth_socket"
,
{
COMMON_SOCK_PERMS
,
NULL
}
},
{
"iucv_socket"
,
{
COMMON_SOCK_PERMS
,
NULL
}
},
{
"rxrpc_socket"
,
{
COMMON_SOCK_PERMS
,
NULL
}
},
{
"isdn_socket"
,
{
COMMON_SOCK_PERMS
,
NULL
}
},
{
"phonet_socket"
,
{
COMMON_SOCK_PERMS
,
NULL
}
},
{
"ieee802154_socket"
,
{
COMMON_SOCK_PERMS
,
NULL
}
},
{
"caif_socket"
,
{
COMMON_SOCK_PERMS
,
NULL
}
},
{
"alg_socket"
,
{
COMMON_SOCK_PERMS
,
NULL
}
},
{
"nfc_socket"
,
{
COMMON_SOCK_PERMS
,
NULL
}
},
{
"vsock_socket"
,
{
COMMON_SOCK_PERMS
,
NULL
}
},
{
"kcm_socket"
,
{
COMMON_SOCK_PERMS
,
NULL
}
},
{
"qipcrtr_socket"
,
{
COMMON_SOCK_PERMS
,
NULL
}
},
{
NULL
}
};
#if PF_MAX > 43
#error New address family defined, please update secclass_map.
#endif
security/selinux/include/objsec.h
View file @
a2a15479
...
...
@@ -37,6 +37,16 @@ struct task_security_struct {
u32
sockcreate_sid
;
/* fscreate SID */
};
/*
* get the subjective security ID of the current task
*/
static
inline
u32
current_sid
(
void
)
{
const
struct
task_security_struct
*
tsec
=
current_security
();
return
tsec
->
sid
;
}
enum
label_initialized
{
LABEL_INVALID
,
/* invalid or not initialized */
LABEL_INITIALIZED
,
/* initialized */
...
...
security/selinux/include/security.h
View file @
a2a15479
...
...
@@ -69,7 +69,7 @@ extern int selinux_enabled;
enum
{
POLICYDB_CAPABILITY_NETPEER
,
POLICYDB_CAPABILITY_OPENPERM
,
POLICYDB_CAPABILITY_
REDHAT1
,
POLICYDB_CAPABILITY_
EXTSOCKCLASS
,
POLICYDB_CAPABILITY_ALWAYSNETWORK
,
__POLICYDB_CAPABILITY_MAX
};
...
...
@@ -77,6 +77,7 @@ enum {
extern
int
selinux_policycap_netpeer
;
extern
int
selinux_policycap_openperm
;
extern
int
selinux_policycap_extsockclass
;
extern
int
selinux_policycap_alwaysnetwork
;
/*
...
...
security/selinux/selinuxfs.c
View file @
a2a15479
...
...
@@ -45,7 +45,7 @@
static
char
*
policycap_names
[]
=
{
"network_peer_controls"
,
"open_perms"
,
"
redhat1
"
,
"
extended_socket_class
"
,
"always_check_network"
};
...
...
@@ -77,25 +77,6 @@ static char policy_opened;
/* global data for policy capabilities */
static
struct
dentry
*
policycap_dir
;
/* Check whether a task is allowed to use a security operation. */
static
int
task_has_security
(
struct
task_struct
*
tsk
,
u32
perms
)
{
const
struct
task_security_struct
*
tsec
;
u32
sid
=
0
;
rcu_read_lock
();
tsec
=
__task_cred
(
tsk
)
->
security
;
if
(
tsec
)
sid
=
tsec
->
sid
;
rcu_read_unlock
();
if
(
!
tsec
)
return
-
EACCES
;
return
avc_has_perm
(
sid
,
SECINITSID_SECURITY
,
SECCLASS_SECURITY
,
perms
,
NULL
);
}
enum
sel_inos
{
SEL_ROOT_INO
=
2
,
SEL_LOAD
,
/* load policy */
...
...
@@ -166,7 +147,9 @@ static ssize_t sel_write_enforce(struct file *file, const char __user *buf,
new_value
=
!!
new_value
;
if
(
new_value
!=
selinux_enforcing
)
{
length
=
task_has_security
(
current
,
SECURITY__SETENFORCE
);
length
=
avc_has_perm
(
current_sid
(),
SECINITSID_SECURITY
,
SECCLASS_SECURITY
,
SECURITY__SETENFORCE
,
NULL
);
if
(
length
)
goto
out
;
audit_log
(
current
->
audit_context
,
GFP_KERNEL
,
AUDIT_MAC_STATUS
,
...
...
@@ -368,7 +351,8 @@ static int sel_open_policy(struct inode *inode, struct file *filp)
mutex_lock
(
&
sel_mutex
);
rc
=
task_has_security
(
current
,
SECURITY__READ_POLICY
);
rc
=
avc_has_perm
(
current_sid
(),
SECINITSID_SECURITY
,
SECCLASS_SECURITY
,
SECURITY__READ_POLICY
,
NULL
);
if
(
rc
)
goto
err
;
...
...
@@ -429,7 +413,8 @@ static ssize_t sel_read_policy(struct file *filp, char __user *buf,
mutex_lock
(
&
sel_mutex
);
ret
=
task_has_security
(
current
,
SECURITY__READ_POLICY
);
ret
=
avc_has_perm
(
current_sid
(),
SECINITSID_SECURITY
,
SECCLASS_SECURITY
,
SECURITY__READ_POLICY
,
NULL
);
if
(
ret
)
goto
out
;
...
...
@@ -499,7 +484,8 @@ static ssize_t sel_write_load(struct file *file, const char __user *buf,
mutex_lock
(
&
sel_mutex
);
length
=
task_has_security
(
current
,
SECURITY__LOAD_POLICY
);
length
=
avc_has_perm
(
current_sid
(),
SECINITSID_SECURITY
,
SECCLASS_SECURITY
,
SECURITY__LOAD_POLICY
,
NULL
);
if
(
length
)
goto
out
;
...
...
@@ -522,20 +508,28 @@ static ssize_t sel_write_load(struct file *file, const char __user *buf,
goto
out
;
length
=
security_load_policy
(
data
,
count
);
if
(
length
)
if
(
length
)
{
pr_warn_ratelimited
(
"SELinux: failed to load policy
\n
"
);
goto
out
;
}
length
=
sel_make_bools
();
if
(
length
)
if
(
length
)
{
pr_err
(
"SELinux: failed to load policy booleans
\n
"
);
goto
out1
;
}
length
=
sel_make_classes
();
if
(
length
)
if
(
length
)
{
pr_err
(
"SELinux: failed to load policy classes
\n
"
);
goto
out1
;
}
length
=
sel_make_policycap
();
if
(
length
)
if
(
length
)
{
pr_err
(
"SELinux: failed to load policy capabilities
\n
"
);
goto
out1
;
}
length
=
count
;
...
...
@@ -561,7 +555,8 @@ static ssize_t sel_write_context(struct file *file, char *buf, size_t size)
u32
sid
,
len
;
ssize_t
length
;
length
=
task_has_security
(
current
,
SECURITY__CHECK_CONTEXT
);
length
=
avc_has_perm
(
current_sid
(),
SECINITSID_SECURITY
,
SECCLASS_SECURITY
,
SECURITY__CHECK_CONTEXT
,
NULL
);
if
(
length
)
goto
out
;
...
...
@@ -604,7 +599,9 @@ static ssize_t sel_write_checkreqprot(struct file *file, const char __user *buf,
ssize_t
length
;
unsigned
int
new_value
;
length
=
task_has_security
(
current
,
SECURITY__SETCHECKREQPROT
);
length
=
avc_has_perm
(
current_sid
(),
SECINITSID_SECURITY
,
SECCLASS_SECURITY
,
SECURITY__SETCHECKREQPROT
,
NULL
);
if
(
length
)
return
length
;
...
...
@@ -645,7 +642,8 @@ static ssize_t sel_write_validatetrans(struct file *file,
u16
tclass
;
int
rc
;
rc
=
task_has_security
(
current
,
SECURITY__VALIDATE_TRANS
);
rc
=
avc_has_perm
(
current_sid
(),
SECINITSID_SECURITY
,
SECCLASS_SECURITY
,
SECURITY__VALIDATE_TRANS
,
NULL
);
if
(
rc
)
goto
out
;
...
...
@@ -772,7 +770,8 @@ static ssize_t sel_write_access(struct file *file, char *buf, size_t size)
struct
av_decision
avd
;
ssize_t
length
;
length
=
task_has_security
(
current
,
SECURITY__COMPUTE_AV
);
length
=
avc_has_perm
(
current_sid
(),
SECINITSID_SECURITY
,
SECCLASS_SECURITY
,
SECURITY__COMPUTE_AV
,
NULL
);
if
(
length
)
goto
out
;
...
...
@@ -822,7 +821,9 @@ static ssize_t sel_write_create(struct file *file, char *buf, size_t size)
u32
len
;
int
nargs
;
length
=
task_has_security
(
current
,
SECURITY__COMPUTE_CREATE
);
length
=
avc_has_perm
(
current_sid
(),
SECINITSID_SECURITY
,
SECCLASS_SECURITY
,
SECURITY__COMPUTE_CREATE
,
NULL
);
if
(
length
)
goto
out
;
...
...
@@ -919,7 +920,9 @@ static ssize_t sel_write_relabel(struct file *file, char *buf, size_t size)
char
*
newcon
=
NULL
;
u32
len
;
length
=
task_has_security
(
current
,
SECURITY__COMPUTE_RELABEL
);
length
=
avc_has_perm
(
current_sid
(),
SECINITSID_SECURITY
,
SECCLASS_SECURITY
,
SECURITY__COMPUTE_RELABEL
,
NULL
);
if
(
length
)
goto
out
;
...
...
@@ -975,7 +978,9 @@ static ssize_t sel_write_user(struct file *file, char *buf, size_t size)
int
i
,
rc
;
u32
len
,
nsids
;
length
=
task_has_security
(
current
,
SECURITY__COMPUTE_USER
);
length
=
avc_has_perm
(
current_sid
(),
SECINITSID_SECURITY
,
SECCLASS_SECURITY
,
SECURITY__COMPUTE_USER
,
NULL
);
if
(
length
)
goto
out
;
...
...
@@ -1035,7 +1040,9 @@ static ssize_t sel_write_member(struct file *file, char *buf, size_t size)
char
*
newcon
=
NULL
;
u32
len
;
length
=
task_has_security
(
current
,
SECURITY__COMPUTE_MEMBER
);
length
=
avc_has_perm
(
current_sid
(),
SECINITSID_SECURITY
,
SECCLASS_SECURITY
,
SECURITY__COMPUTE_MEMBER
,
NULL
);
if
(
length
)
goto
out
;
...
...
@@ -1142,7 +1149,9 @@ static ssize_t sel_write_bool(struct file *filep, const char __user *buf,
mutex_lock
(
&
sel_mutex
);
length
=
task_has_security
(
current
,
SECURITY__SETBOOL
);
length
=
avc_has_perm
(
current_sid
(),
SECINITSID_SECURITY
,
SECCLASS_SECURITY
,
SECURITY__SETBOOL
,
NULL
);
if
(
length
)
goto
out
;
...
...
@@ -1198,7 +1207,9 @@ static ssize_t sel_commit_bools_write(struct file *filep,
mutex_lock
(
&
sel_mutex
);
length
=
task_has_security
(
current
,
SECURITY__SETBOOL
);
length
=
avc_has_perm
(
current_sid
(),
SECINITSID_SECURITY
,
SECCLASS_SECURITY
,
SECURITY__SETBOOL
,
NULL
);
if
(
length
)
goto
out
;
...
...
@@ -1299,8 +1310,11 @@ static int sel_make_bools(void)
isec
=
(
struct
inode_security_struct
*
)
inode
->
i_security
;
ret
=
security_genfs_sid
(
"selinuxfs"
,
page
,
SECCLASS_FILE
,
&
sid
);
if
(
ret
)
goto
out
;
if
(
ret
)
{
pr_warn_ratelimited
(
"SELinux: no sid found, defaulting to security isid for %s
\n
"
,
page
);
sid
=
SECINITSID_SECURITY
;
}
isec
->
sid
=
sid
;
isec
->
initialized
=
LABEL_INITIALIZED
;
...
...
@@ -1351,7 +1365,9 @@ static ssize_t sel_write_avc_cache_threshold(struct file *file,
ssize_t
ret
;
unsigned
int
new_value
;
ret
=
task_has_security
(
current
,
SECURITY__SETSECPARAM
);
ret
=
avc_has_perm
(
current_sid
(),
SECINITSID_SECURITY
,
SECCLASS_SECURITY
,
SECURITY__SETSECPARAM
,
NULL
);
if
(
ret
)
return
ret
;
...
...
security/selinux/ss/services.c
View file @
a2a15479
...
...
@@ -72,6 +72,7 @@
int
selinux_policycap_netpeer
;
int
selinux_policycap_openperm
;
int
selinux_policycap_extsockclass
;
int
selinux_policycap_alwaysnetwork
;
static
DEFINE_RWLOCK
(
policy_rwlock
);
...
...
@@ -1988,6 +1989,8 @@ static void security_load_policycaps(void)
POLICYDB_CAPABILITY_NETPEER
);
selinux_policycap_openperm
=
ebitmap_get_bit
(
&
policydb
.
policycaps
,
POLICYDB_CAPABILITY_OPENPERM
);
selinux_policycap_extsockclass
=
ebitmap_get_bit
(
&
policydb
.
policycaps
,
POLICYDB_CAPABILITY_EXTSOCKCLASS
);
selinux_policycap_alwaysnetwork
=
ebitmap_get_bit
(
&
policydb
.
policycaps
,
POLICYDB_CAPABILITY_ALWAYSNETWORK
);
}
...
...
security/smack/smack_lsm.c
View file @
a2a15479
...
...
@@ -2301,25 +2301,6 @@ static int smack_task_kill(struct task_struct *p, struct siginfo *info,
return
rc
;
}
/**
* smack_task_wait - Smack access check for waiting
* @p: task to wait for
*
* Returns 0
*/
static
int
smack_task_wait
(
struct
task_struct
*
p
)
{
/*
* Allow the operation to succeed.
* Zombies are bad.
* In userless environments (e.g. phones) programs
* get marked with SMACK64EXEC and even if the parent
* and child shouldn't be talking the parent still
* may expect to know when the child exits.
*/
return
0
;
}
/**
* smack_task_to_inode - copy task smack into the inode blob
* @p: task to copy from
...
...
@@ -3680,7 +3661,6 @@ static int smack_getprocattr(struct task_struct *p, char *name, char **value)
/**
* smack_setprocattr - Smack process attribute setting
* @p: the object task
* @name: the name of the attribute in /proc/.../attr
* @value: the value to set
* @size: the size of the value
...
...
@@ -3690,8 +3670,7 @@ static int smack_getprocattr(struct task_struct *p, char *name, char **value)
*
* Returns the length of the smack label or an error code
*/
static
int
smack_setprocattr
(
struct
task_struct
*
p
,
char
*
name
,
void
*
value
,
size_t
size
)
static
int
smack_setprocattr
(
const
char
*
name
,
void
*
value
,
size_t
size
)
{
struct
task_smack
*
tsp
=
current_security
();
struct
cred
*
new
;
...
...
@@ -3699,13 +3678,6 @@ static int smack_setprocattr(struct task_struct *p, char *name,
struct
smack_known_list_elem
*
sklep
;
int
rc
;
/*
* Changing another process' Smack value is too dangerous
* and supports no sane use case.
*/
if
(
p
!=
current
)
return
-
EPERM
;
if
(
!
smack_privileged
(
CAP_MAC_ADMIN
)
&&
list_empty
(
&
tsp
->
smk_relabel
))
return
-
EPERM
;
...
...
@@ -4727,7 +4699,6 @@ static struct security_hook_list smack_hooks[] = {
LSM_HOOK_INIT
(
task_getscheduler
,
smack_task_getscheduler
),
LSM_HOOK_INIT
(
task_movememory
,
smack_task_movememory
),
LSM_HOOK_INIT
(
task_kill
,
smack_task_kill
),
LSM_HOOK_INIT
(
task_wait
,
smack_task_wait
),
LSM_HOOK_INIT
(
task_to_inode
,
smack_task_to_inode
),
LSM_HOOK_INIT
(
ipc_permission
,
smack_ipc_permission
),
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment