Commit e94f8ccd authored by Linus Torvalds's avatar Linus Torvalds

Merge tag 'smack-for-5.4-rc1' of git://github.com/cschaufler/smack-next

Pull smack updates from Casey Schaufler:
 "Four patches for v5.4. Nothing is major.

  All but one are in response to mechanically detected potential issues.
  The remaining patch cleans up kernel-doc notations"

* tag 'smack-for-5.4-rc1' of git://github.com/cschaufler/smack-next:
  smack: use GFP_NOFS while holding inode_smack::smk_lock
  security: smack: Fix possible null-pointer dereferences in smack_socket_sock_rcv_skb()
  smack: fix some kernel-doc notations
  Smack: Don't ignore other bprm->unsafe flags if LSM_UNSAFE_PTRACE is set
parents 9f7582d1 e5bfad3d
...@@ -465,7 +465,7 @@ char *smk_parse_smack(const char *string, int len) ...@@ -465,7 +465,7 @@ char *smk_parse_smack(const char *string, int len)
if (i == 0 || i >= SMK_LONGLABEL) if (i == 0 || i >= SMK_LONGLABEL)
return ERR_PTR(-EINVAL); return ERR_PTR(-EINVAL);
smack = kzalloc(i + 1, GFP_KERNEL); smack = kzalloc(i + 1, GFP_NOFS);
if (smack == NULL) if (smack == NULL)
return ERR_PTR(-ENOMEM); return ERR_PTR(-ENOMEM);
...@@ -500,7 +500,7 @@ int smk_netlbl_mls(int level, char *catset, struct netlbl_lsm_secattr *sap, ...@@ -500,7 +500,7 @@ int smk_netlbl_mls(int level, char *catset, struct netlbl_lsm_secattr *sap,
if ((m & *cp) == 0) if ((m & *cp) == 0)
continue; continue;
rc = netlbl_catmap_setbit(&sap->attr.mls.cat, rc = netlbl_catmap_setbit(&sap->attr.mls.cat,
cat, GFP_KERNEL); cat, GFP_NOFS);
if (rc < 0) { if (rc < 0) {
netlbl_catmap_free(sap->attr.mls.cat); netlbl_catmap_free(sap->attr.mls.cat);
return rc; return rc;
...@@ -536,7 +536,7 @@ struct smack_known *smk_import_entry(const char *string, int len) ...@@ -536,7 +536,7 @@ struct smack_known *smk_import_entry(const char *string, int len)
if (skp != NULL) if (skp != NULL)
goto freeout; goto freeout;
skp = kzalloc(sizeof(*skp), GFP_KERNEL); skp = kzalloc(sizeof(*skp), GFP_NOFS);
if (skp == NULL) { if (skp == NULL) {
skp = ERR_PTR(-ENOMEM); skp = ERR_PTR(-ENOMEM);
goto freeout; goto freeout;
......
...@@ -288,7 +288,7 @@ static struct smack_known *smk_fetch(const char *name, struct inode *ip, ...@@ -288,7 +288,7 @@ static struct smack_known *smk_fetch(const char *name, struct inode *ip,
if (!(ip->i_opflags & IOP_XATTR)) if (!(ip->i_opflags & IOP_XATTR))
return ERR_PTR(-EOPNOTSUPP); return ERR_PTR(-EOPNOTSUPP);
buffer = kzalloc(SMK_LONGLABEL, GFP_KERNEL); buffer = kzalloc(SMK_LONGLABEL, GFP_NOFS);
if (buffer == NULL) if (buffer == NULL)
return ERR_PTR(-ENOMEM); return ERR_PTR(-ENOMEM);
...@@ -307,7 +307,7 @@ static struct smack_known *smk_fetch(const char *name, struct inode *ip, ...@@ -307,7 +307,7 @@ static struct smack_known *smk_fetch(const char *name, struct inode *ip,
/** /**
* init_inode_smack - initialize an inode security blob * init_inode_smack - initialize an inode security blob
* @isp: the blob to initialize * @inode: inode to extract the info from
* @skp: a pointer to the Smack label entry to use in the blob * @skp: a pointer to the Smack label entry to use in the blob
* *
*/ */
...@@ -509,7 +509,7 @@ static int smack_ptrace_traceme(struct task_struct *ptp) ...@@ -509,7 +509,7 @@ static int smack_ptrace_traceme(struct task_struct *ptp)
/** /**
* smack_syslog - Smack approval on syslog * smack_syslog - Smack approval on syslog
* @type: message type * @typefrom_file: unused
* *
* Returns 0 on success, error code otherwise. * Returns 0 on success, error code otherwise.
*/ */
...@@ -765,7 +765,7 @@ static int smack_sb_eat_lsm_opts(char *options, void **mnt_opts) ...@@ -765,7 +765,7 @@ static int smack_sb_eat_lsm_opts(char *options, void **mnt_opts)
/** /**
* smack_set_mnt_opts - set Smack specific mount options * smack_set_mnt_opts - set Smack specific mount options
* @sb: the file system superblock * @sb: the file system superblock
* @opts: Smack mount options * @mnt_opts: Smack mount options
* @kern_flags: mount option from kernel space or user space * @kern_flags: mount option from kernel space or user space
* @set_kern_flags: where to store converted mount opts * @set_kern_flags: where to store converted mount opts
* *
...@@ -937,7 +937,8 @@ static int smack_bprm_set_creds(struct linux_binprm *bprm) ...@@ -937,7 +937,8 @@ static int smack_bprm_set_creds(struct linux_binprm *bprm)
if (rc != 0) if (rc != 0)
return rc; return rc;
} else if (bprm->unsafe) }
if (bprm->unsafe & ~LSM_UNSAFE_PTRACE)
return -EPERM; return -EPERM;
bsp->smk_task = isp->smk_task; bsp->smk_task = isp->smk_task;
...@@ -958,7 +959,7 @@ static int smack_bprm_set_creds(struct linux_binprm *bprm) ...@@ -958,7 +959,7 @@ static int smack_bprm_set_creds(struct linux_binprm *bprm)
* smack_inode_alloc_security - allocate an inode blob * smack_inode_alloc_security - allocate an inode blob
* @inode: the inode in need of a blob * @inode: the inode in need of a blob
* *
* Returns 0 if it gets a blob, -ENOMEM otherwise * Returns 0
*/ */
static int smack_inode_alloc_security(struct inode *inode) static int smack_inode_alloc_security(struct inode *inode)
{ {
...@@ -1164,7 +1165,7 @@ static int smack_inode_rename(struct inode *old_inode, ...@@ -1164,7 +1165,7 @@ static int smack_inode_rename(struct inode *old_inode,
* *
* This is the important Smack hook. * This is the important Smack hook.
* *
* Returns 0 if access is permitted, -EACCES otherwise * Returns 0 if access is permitted, an error code otherwise
*/ */
static int smack_inode_permission(struct inode *inode, int mask) static int smack_inode_permission(struct inode *inode, int mask)
{ {
...@@ -1222,8 +1223,7 @@ static int smack_inode_setattr(struct dentry *dentry, struct iattr *iattr) ...@@ -1222,8 +1223,7 @@ static int smack_inode_setattr(struct dentry *dentry, struct iattr *iattr)
/** /**
* smack_inode_getattr - Smack check for getting attributes * smack_inode_getattr - Smack check for getting attributes
* @mnt: vfsmount of the object * @path: path to extract the info from
* @dentry: the object
* *
* Returns 0 if access is permitted, an error code otherwise * Returns 0 if access is permitted, an error code otherwise
*/ */
...@@ -1870,14 +1870,13 @@ static int smack_file_receive(struct file *file) ...@@ -1870,14 +1870,13 @@ static int smack_file_receive(struct file *file)
/** /**
* smack_file_open - Smack dentry open processing * smack_file_open - Smack dentry open processing
* @file: the object * @file: the object
* @cred: task credential
* *
* Set the security blob in the file structure. * Set the security blob in the file structure.
* Allow the open only if the task has read access. There are * Allow the open only if the task has read access. There are
* many read operations (e.g. fstat) that you can do with an * many read operations (e.g. fstat) that you can do with an
* fd even if you have the file open write-only. * fd even if you have the file open write-only.
* *
* Returns 0 * Returns 0 if current has access, error code otherwise
*/ */
static int smack_file_open(struct file *file) static int smack_file_open(struct file *file)
{ {
...@@ -1900,7 +1899,7 @@ static int smack_file_open(struct file *file) ...@@ -1900,7 +1899,7 @@ static int smack_file_open(struct file *file)
/** /**
* smack_cred_alloc_blank - "allocate" blank task-level security credentials * smack_cred_alloc_blank - "allocate" blank task-level security credentials
* @new: the new credentials * @cred: the new credentials
* @gfp: the atomicity of any memory allocations * @gfp: the atomicity of any memory allocations
* *
* Prepare a blank set of credentials for modification. This must allocate all * Prepare a blank set of credentials for modification. This must allocate all
...@@ -1983,7 +1982,7 @@ static void smack_cred_transfer(struct cred *new, const struct cred *old) ...@@ -1983,7 +1982,7 @@ static void smack_cred_transfer(struct cred *new, const struct cred *old)
/** /**
* smack_cred_getsecid - get the secid corresponding to a creds structure * smack_cred_getsecid - get the secid corresponding to a creds structure
* @c: the object creds * @cred: the object creds
* @secid: where to put the result * @secid: where to put the result
* *
* Sets the secid to contain a u32 version of the smack label. * Sets the secid to contain a u32 version of the smack label.
...@@ -2140,8 +2139,6 @@ static int smack_task_getioprio(struct task_struct *p) ...@@ -2140,8 +2139,6 @@ static int smack_task_getioprio(struct task_struct *p)
/** /**
* smack_task_setscheduler - Smack check on setting scheduler * smack_task_setscheduler - Smack check on setting scheduler
* @p: the task object * @p: the task object
* @policy: unused
* @lp: unused
* *
* Return 0 if read access is permitted * Return 0 if read access is permitted
*/ */
...@@ -2611,8 +2608,9 @@ static void smk_ipv6_port_label(struct socket *sock, struct sockaddr *address) ...@@ -2611,8 +2608,9 @@ static void smk_ipv6_port_label(struct socket *sock, struct sockaddr *address)
/** /**
* smk_ipv6_port_check - check Smack port access * smk_ipv6_port_check - check Smack port access
* @sock: socket * @sk: socket
* @address: address * @address: address
* @act: the action being taken
* *
* Create or update the port list entry * Create or update the port list entry
*/ */
...@@ -2782,7 +2780,7 @@ static int smack_socket_post_create(struct socket *sock, int family, ...@@ -2782,7 +2780,7 @@ static int smack_socket_post_create(struct socket *sock, int family,
* *
* Cross reference the peer labels for SO_PEERSEC * Cross reference the peer labels for SO_PEERSEC
* *
* Returns 0 on success, and error code otherwise * Returns 0
*/ */
static int smack_socket_socketpair(struct socket *socka, static int smack_socket_socketpair(struct socket *socka,
struct socket *sockb) struct socket *sockb)
...@@ -3014,13 +3012,13 @@ static int smack_shm_shmctl(struct kern_ipc_perm *isp, int cmd) ...@@ -3014,13 +3012,13 @@ static int smack_shm_shmctl(struct kern_ipc_perm *isp, int cmd)
* *
* Returns 0 if current has the requested access, error code otherwise * Returns 0 if current has the requested access, error code otherwise
*/ */
static int smack_shm_shmat(struct kern_ipc_perm *ipc, char __user *shmaddr, static int smack_shm_shmat(struct kern_ipc_perm *isp, char __user *shmaddr,
int shmflg) int shmflg)
{ {
int may; int may;
may = smack_flags_to_may(shmflg); may = smack_flags_to_may(shmflg);
return smk_curacc_shm(ipc, may); return smk_curacc_shm(isp, may);
} }
/** /**
...@@ -3925,6 +3923,8 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) ...@@ -3925,6 +3923,8 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
skp = smack_ipv6host_label(&sadd); skp = smack_ipv6host_label(&sadd);
if (skp == NULL) if (skp == NULL)
skp = smack_net_ambient; skp = smack_net_ambient;
if (skb == NULL)
break;
#ifdef CONFIG_AUDIT #ifdef CONFIG_AUDIT
smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
ad.a.u.net->family = family; ad.a.u.net->family = family;
...@@ -4762,7 +4762,7 @@ static __init void init_smack_known_list(void) ...@@ -4762,7 +4762,7 @@ static __init void init_smack_known_list(void)
/** /**
* smack_init - initialize the smack system * smack_init - initialize the smack system
* *
* Returns 0 * Returns 0 on success, -ENOMEM is there's no memory
*/ */
static __init int smack_init(void) static __init int smack_init(void)
{ {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment