summaryrefslogtreecommitdiff
path: root/security
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@linux-foundation.org>2018-04-07 21:11:41 +0300
committerLinus Torvalds <torvalds@linux-foundation.org>2018-04-07 21:11:41 +0300
commit3612605a5a5bc3d3ae0ec861328be8a2990f2c7a (patch)
tree6c387085155874bdf15ff9eec539c15801880734 /security
parent62f8e6c5dcb6666e7da402aea28fcf846eea144c (diff)
parentdf0ce17331e2501dbffc060041dfc6c5f85227b5 (diff)
downloadlinux-3612605a5a5bc3d3ae0ec861328be8a2990f2c7a.tar.xz
Merge branch 'next-general' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull general security layer updates from James Morris: - Convert security hooks from list to hlist, a nice cleanup, saving about 50% of space, from Sargun Dhillon. - Only pass the cred, not the secid, to kill_pid_info_as_cred and security_task_kill (as the secid can be determined from the cred), from Stephen Smalley. - Close a potential race in kernel_read_file(), by making the file unwritable before calling the LSM check (vs after), from Kees Cook. * 'next-general' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: security: convert security hooks to use hlist exec: Set file unwritable before LSM check usb, signal, security: only pass the cred, not the secid, to kill_pid_info_as_cred and security_task_kill
Diffstat (limited to 'security')
-rw-r--r--security/apparmor/lsm.c17
-rw-r--r--security/security.c26
-rw-r--r--security/selinux/hooks.c7
-rw-r--r--security/smack/smack_lsm.c12
4 files changed, 35 insertions, 27 deletions
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 6134302c143c..528f59b580a8 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -716,16 +716,23 @@ static int apparmor_task_setrlimit(struct task_struct *task,
}
static int apparmor_task_kill(struct task_struct *target, struct siginfo *info,
- int sig, u32 secid)
+ int sig, const struct cred *cred)
{
struct aa_label *cl, *tl;
int error;
- if (secid)
- /* TODO: after secid to label mapping is done.
- * Dealing with USB IO specific behavior
+ if (cred) {
+ /*
+ * Dealing with USB IO specific behavior
*/
- return 0;
+ cl = aa_get_newest_cred_label(cred);
+ tl = aa_get_task_label(target);
+ error = aa_may_signal(cl, tl, sig);
+ aa_put_label(cl);
+ aa_put_label(tl);
+ return error;
+ }
+
cl = __begin_current_label_crit_section();
tl = aa_get_task_label(target);
error = aa_may_signal(cl, tl, sig);
diff --git a/security/security.c b/security/security.c
index af53d2834e20..7301902a8721 100644
--- a/security/security.c
+++ b/security/security.c
@@ -61,11 +61,11 @@ static void __init do_security_initcalls(void)
int __init security_init(void)
{
int i;
- struct list_head *list = (struct list_head *) &security_hook_heads;
+ struct hlist_head *list = (struct hlist_head *) &security_hook_heads;
- for (i = 0; i < sizeof(security_hook_heads) / sizeof(struct list_head);
+ for (i = 0; i < sizeof(security_hook_heads) / sizeof(struct hlist_head);
i++)
- INIT_LIST_HEAD(&list[i]);
+ INIT_HLIST_HEAD(&list[i]);
pr_info("Security Framework initialized\n");
/*
@@ -163,7 +163,7 @@ void __init security_add_hooks(struct security_hook_list *hooks, int count,
for (i = 0; i < count; i++) {
hooks[i].lsm = lsm;
- list_add_tail_rcu(&hooks[i].list, hooks[i].head);
+ hlist_add_tail_rcu(&hooks[i].list, hooks[i].head);
}
if (lsm_append(lsm, &lsm_names) < 0)
panic("%s - Cannot get early memory.\n", __func__);
@@ -201,7 +201,7 @@ EXPORT_SYMBOL(unregister_lsm_notifier);
do { \
struct security_hook_list *P; \
\
- list_for_each_entry(P, &security_hook_heads.FUNC, list) \
+ hlist_for_each_entry(P, &security_hook_heads.FUNC, list) \
P->hook.FUNC(__VA_ARGS__); \
} while (0)
@@ -210,7 +210,7 @@ EXPORT_SYMBOL(unregister_lsm_notifier);
do { \
struct security_hook_list *P; \
\
- list_for_each_entry(P, &security_hook_heads.FUNC, list) { \
+ hlist_for_each_entry(P, &security_hook_heads.FUNC, list) { \
RC = P->hook.FUNC(__VA_ARGS__); \
if (RC != 0) \
break; \
@@ -317,7 +317,7 @@ int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)
* agree that it should be set it will. If any module
* thinks it should not be set it won't.
*/
- list_for_each_entry(hp, &security_hook_heads.vm_enough_memory, list) {
+ hlist_for_each_entry(hp, &security_hook_heads.vm_enough_memory, list) {
rc = hp->hook.vm_enough_memory(mm, pages);
if (rc <= 0) {
cap_sys_admin = 0;
@@ -805,7 +805,7 @@ int security_inode_getsecurity(struct inode *inode, const char *name, void **buf
/*
* Only one module will provide an attribute with a given name.
*/
- list_for_each_entry(hp, &security_hook_heads.inode_getsecurity, list) {
+ hlist_for_each_entry(hp, &security_hook_heads.inode_getsecurity, list) {
rc = hp->hook.inode_getsecurity(inode, name, buffer, alloc);
if (rc != -EOPNOTSUPP)
return rc;
@@ -823,7 +823,7 @@ int security_inode_setsecurity(struct inode *inode, const char *name, const void
/*
* Only one module will provide an attribute with a given name.
*/
- list_for_each_entry(hp, &security_hook_heads.inode_setsecurity, list) {
+ hlist_for_each_entry(hp, &security_hook_heads.inode_setsecurity, list) {
rc = hp->hook.inode_setsecurity(inode, name, value, size,
flags);
if (rc != -EOPNOTSUPP)
@@ -1114,9 +1114,9 @@ int security_task_movememory(struct task_struct *p)
}
int security_task_kill(struct task_struct *p, struct siginfo *info,
- int sig, u32 secid)
+ int sig, const struct cred *cred)
{
- return call_int_hook(task_kill, 0, p, info, sig, secid);
+ return call_int_hook(task_kill, 0, p, info, sig, cred);
}
int security_task_prctl(int option, unsigned long arg2, unsigned long arg3,
@@ -1126,7 +1126,7 @@ int security_task_prctl(int option, unsigned long arg2, unsigned long arg3,
int rc = -ENOSYS;
struct security_hook_list *hp;
- list_for_each_entry(hp, &security_hook_heads.task_prctl, list) {
+ hlist_for_each_entry(hp, &security_hook_heads.task_prctl, list) {
thisrc = hp->hook.task_prctl(option, arg2, arg3, arg4, arg5);
if (thisrc != -ENOSYS) {
rc = thisrc;
@@ -1651,7 +1651,7 @@ int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
* For speed optimization, we explicitly break the loop rather than
* using the macro
*/
- list_for_each_entry(hp, &security_hook_heads.xfrm_state_pol_flow_match,
+ hlist_for_each_entry(hp, &security_hook_heads.xfrm_state_pol_flow_match,
list) {
rc = hp->hook.xfrm_state_pol_flow_match(x, xp, fl);
break;
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 0314fc766134..2b8c55e181ae 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4156,16 +4156,19 @@ static int selinux_task_movememory(struct task_struct *p)
}
static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
- int sig, u32 secid)
+ int sig, const struct cred *cred)
{
+ u32 secid;
u32 perm;
if (!sig)
perm = PROCESS__SIGNULL; /* null signal; existence test */
else
perm = signal_to_av(sig);
- if (!secid)
+ if (!cred)
secid = current_sid();
+ else
+ secid = cred_sid(cred);
return avc_has_perm(&selinux_state,
secid, task_sid(p), SECCLASS_PROCESS, perm, NULL);
}
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 0735b8db158b..57fef8e04658 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -2228,15 +2228,13 @@ static int smack_task_movememory(struct task_struct *p)
* @p: the task object
* @info: unused
* @sig: unused
- * @secid: identifies the smack to use in lieu of current's
+ * @cred: identifies the cred to use in lieu of current's
*
* Return 0 if write access is permitted
*
- * The secid behavior is an artifact of an SELinux hack
- * in the USB code. Someday it may go away.
*/
static int smack_task_kill(struct task_struct *p, struct siginfo *info,
- int sig, u32 secid)
+ int sig, const struct cred *cred)
{
struct smk_audit_info ad;
struct smack_known *skp;
@@ -2252,17 +2250,17 @@ static int smack_task_kill(struct task_struct *p, struct siginfo *info,
* Sending a signal requires that the sender
* can write the receiver.
*/
- if (secid == 0) {
+ if (cred == NULL) {
rc = smk_curacc(tkp, MAY_DELIVER, &ad);
rc = smk_bu_task(p, MAY_DELIVER, rc);
return rc;
}
/*
- * If the secid isn't 0 we're dealing with some USB IO
+ * If the cred isn't NULL we're dealing with some USB IO
* specific behavior. This is not clean. For one thing
* we can't take privilege into account.
*/
- skp = smack_from_secid(secid);
+ skp = smk_of_task(cred->security);
rc = smk_access(skp, tkp, MAY_DELIVER, &ad);
rc = smk_bu_note("USB signal", skp, tkp, MAY_DELIVER, rc);
return rc;