3e3dda22
Commit
3e3dda22
authored
Mar 15, 2003
by
Greg Kroah-Hartman
Merge
bk://lsm@bkbits.net/linus-2.5
into kroah.com:/home/linux/linux/BK/lsm-2.5
parents
bda2dabe
1e799f78
Showing
14 changed files
with
171 additions
and
54 deletions
+171
-54
fs/dcache.c
fs/dcache.c
+3
-0
fs/exportfs/expfs.c
fs/exportfs/expfs.c
+2
-3
fs/file_table.c
fs/file_table.c
+27
-8
fs/namei.c
fs/namei.c
+3
-6
fs/nfsd/vfs.c
fs/nfsd/vfs.c
+3
-6
fs/super.c
fs/super.c
+8
-0
include/linux/fs.h
include/linux/fs.h
+4
-1
include/linux/security.h
include/linux/security.h
+56
-16
kernel/ksyms.c
kernel/ksyms.c
+2
-1
kernel/printk.c
kernel/printk.c
+5
-2
kernel/sys.c
kernel/sys.c
+16
-5
kernel/sysctl.c
kernel/sysctl.c
+5
-0
security/capability.c
security/capability.c
+10
-0
security/dummy.c
security/dummy.c
+27
-6
fs/dcache.c
...
@@ -25,6 +25,7 @@
...
@@ -25,6 +25,7 @@
#include <linux/module.h>
#include <linux/module.h>
#include <linux/mount.h>
#include <linux/mount.h>
#include <asm/uaccess.h>
#include <asm/uaccess.h>
#include <linux/security.h>
#define DCACHE_PARANOIA 1
#define DCACHE_PARANOIA 1
/* #define DCACHE_DEBUG 1 */
/* #define DCACHE_DEBUG 1 */
...
@@ -760,6 +761,7 @@ struct dentry * d_alloc(struct dentry * parent, const struct qstr *name)
...
@@ -760,6 +761,7 @@ struct dentry * d_alloc(struct dentry * parent, const struct qstr *name)
void
d_instantiate
(
struct
dentry
*
entry
,
struct
inode
*
inode
)
void
d_instantiate
(
struct
dentry
*
entry
,
struct
inode
*
inode
)
{
{
if
(
!
list_empty
(
&
entry
->
d_alias
))
BUG
();
if
(
!
list_empty
(
&
entry
->
d_alias
))
BUG
();
security_d_instantiate
(
entry
,
inode
);
spin_lock
(
&
dcache_lock
);
spin_lock
(
&
dcache_lock
);
if
(
inode
)
if
(
inode
)
list_add
(
&
entry
->
d_alias
,
&
inode
->
i_dentry
);
list_add
(
&
entry
->
d_alias
,
&
inode
->
i_dentry
);
...
@@ -890,6 +892,7 @@ struct dentry *d_splice_alias(struct inode *inode, struct dentry *dentry)
...
@@ -890,6 +892,7 @@ struct dentry *d_splice_alias(struct inode *inode, struct dentry *dentry)
struct
dentry
*
new
=
NULL
;
struct
dentry
*
new
=
NULL
;
if
(
inode
&&
S_ISDIR
(
inode
->
i_mode
))
{
if
(
inode
&&
S_ISDIR
(
inode
->
i_mode
))
{
security_d_instantiate
(
dentry
,
inode
);
spin_lock
(
&
dcache_lock
);
spin_lock
(
&
dcache_lock
);
if
(
!
list_empty
(
&
inode
->
i_dentry
))
{
if
(
!
list_empty
(
&
inode
->
i_dentry
))
{
new
=
list_entry
(
inode
->
i_dentry
.
next
,
struct
dentry
,
d_alias
);
new
=
list_entry
(
inode
->
i_dentry
.
next
,
struct
dentry
,
d_alias
);
...
...
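Review bot: In the d_splice_alias hunk the new `security_d_instantiate(dentry, inode);` runs before the alias search, yet the lines right after it pick an existing alias `new` from `inode->i_dentry` when one is present; if that alias is what the function ultimately returns (the rest of d_splice_alias is outside the hunk), the module has labelled a dentry that is not the one handed back to the caller. Unless the module is expected to label only the caller's dentry, the call should be moved after the alias decision and receive whichever dentry ends up bound to the inode, e.g. `security_d_instantiate(new ? new : dentry, inode);` placed outside dcache_lock if the hook may sleep. The d_instantiate hunk does not have this problem, since the dentry passed to the hook is the one then linked into `inode->i_dentry`.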
fs/exportfs/expfs.c
...
@@ -353,7 +353,7 @@ static int get_name(struct dentry *dentry, char *name,
...
@@ -353,7 +353,7 @@ static int get_name(struct dentry *dentry, char *name,
/*
/*
* Open the directory ...
* Open the directory ...
*/
*/
error
=
init_private_file
(
&
file
,
dentry
,
FMODE_READ
);
error
=
open_private_file
(
&
file
,
dentry
,
O_RDONLY
);
if
(
error
)
if
(
error
)
goto
out
;
goto
out
;
error
=
-
EINVAL
;
error
=
-
EINVAL
;
...
@@ -381,8 +381,7 @@ static int get_name(struct dentry *dentry, char *name,
...
@@ -381,8 +381,7 @@ static int get_name(struct dentry *dentry, char *name,
}
}
out_close:
out_close:
if
(
file
.
f_op
->
release
)
close_private_file
(
&
file
);
file
.
f_op
->
release
(
dir
,
&
file
);
out:
out:
return
error
;
return
error
;
}
}
...
...
fs/file_table.c
...
@@ -93,23 +93,42 @@ struct file * get_empty_filp(void)
...
@@ -93,23 +93,42 @@ struct file * get_empty_filp(void)
/*
/*
* Clear and initialize a (private) struct file for the given dentry,
* Clear and initialize a (private) struct file for the given dentry,
* a
nd call the open function (if any). The caller must verify that
* a
llocate the security structure, and call the open function (if any).
*
inode->i_fop is not NULL
.
*
The file should be released using close_private_file
.
*/
*/
int
init_private_file
(
struct
file
*
filp
,
struct
dentry
*
dentry
,
int
mode
)
int
open_private_file
(
struct
file
*
filp
,
struct
dentry
*
dentry
,
int
flags
)
{
{
int
error
;
memset
(
filp
,
0
,
sizeof
(
*
filp
));
memset
(
filp
,
0
,
sizeof
(
*
filp
));
eventpoll_init_file
(
filp
);
eventpoll_init_file
(
filp
);
filp
->
f_mode
=
mode
;
filp
->
f_flags
=
flags
;
filp
->
f_mode
=
(
flags
+
1
)
&
O_ACCMODE
;
atomic_set
(
&
filp
->
f_count
,
1
);
atomic_set
(
&
filp
->
f_count
,
1
);
filp
->
f_dentry
=
dentry
;
filp
->
f_dentry
=
dentry
;
filp
->
f_uid
=
current
->
fsuid
;
filp
->
f_uid
=
current
->
fsuid
;
filp
->
f_gid
=
current
->
fsgid
;
filp
->
f_gid
=
current
->
fsgid
;
filp
->
f_op
=
dentry
->
d_inode
->
i_fop
;
filp
->
f_op
=
dentry
->
d_inode
->
i_fop
;
if
(
filp
->
f_op
->
open
)
error
=
security_file_alloc
(
filp
);
return
filp
->
f_op
->
open
(
dentry
->
d_inode
,
filp
);
if
(
!
error
)
else
if
(
filp
->
f_op
&&
filp
->
f_op
->
open
)
{
return
0
;
error
=
filp
->
f_op
->
open
(
dentry
->
d_inode
,
filp
);
if
(
error
)
security_file_free
(
filp
);
}
return
error
;
}
/*
* Release a private file by calling the release function (if any) and
* freeing the security structure.
*/
void
close_private_file
(
struct
file
*
file
)
{
struct
inode
*
inode
=
file
->
f_dentry
->
d_inode
;
if
(
file
->
f_op
&&
file
->
f_op
->
release
)
file
->
f_op
->
release
(
inode
,
file
);
security_file_free
(
file
);
}
}
void
fput
(
struct
file
*
file
)
void
fput
(
struct
file
*
file
)
...
...
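Review bot: In open_private_file the new `if (!error)` is followed by an unbraced nested `if (filp->f_op && filp->f_op->open) {`, so an `else` added to either level later will silently bind to the inner one; flatten it to `if (!error && filp->f_op && filp->f_op->open) {` and the dangling-else hazard goes away. The ownership contract the function now carries is also undocumented: when `f_op->open` fails the security structure is already freed by `security_file_free(filp)`, so the caller must not call close_private_file on that filp, and the header comment should say so, e.g. `* On error the security structure has already been released and the caller must not call close_private_file().` close_private_file itself reads `file->f_dentry->d_inode` unconditionally, which matches what open_private_file set up but could be noted in its comment as a precondition.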
fs/namei.c
...
@@ -361,10 +361,8 @@ static struct dentry * real_lookup(struct dentry * parent, struct qstr * name, i
...
@@ -361,10 +361,8 @@ static struct dentry * real_lookup(struct dentry * parent, struct qstr * name, i
result
=
dir
->
i_op
->
lookup
(
dir
,
dentry
);
result
=
dir
->
i_op
->
lookup
(
dir
,
dentry
);
if
(
result
)
if
(
result
)
dput
(
dentry
);
dput
(
dentry
);
else
{
else
result
=
dentry
;
result
=
dentry
;
security_inode_post_lookup
(
dir
,
result
);
}
}
}
up
(
&
dir
->
i_sem
);
up
(
&
dir
->
i_sem
);
return
result
;
return
result
;
...
@@ -894,10 +892,9 @@ struct dentry * lookup_hash(struct qstr *name, struct dentry * base)
...
@@ -894,10 +892,9 @@ struct dentry * lookup_hash(struct qstr *name, struct dentry * base)
if
(
!
new
)
if
(
!
new
)
goto
out
;
goto
out
;
dentry
=
inode
->
i_op
->
lookup
(
inode
,
new
);
dentry
=
inode
->
i_op
->
lookup
(
inode
,
new
);
if
(
!
dentry
)
{
if
(
!
dentry
)
dentry
=
new
;
dentry
=
new
;
security_inode_post_lookup
(
inode
,
dentry
);
else
}
else
dput
(
new
);
dput
(
new
);
}
}
out:
out:
...
...
fs/nfsd/vfs.c
...
@@ -442,7 +442,7 @@ nfsd_open(struct svc_rqst *rqstp, struct svc_fh *fhp, int type,
...
@@ -442,7 +442,7 @@ nfsd_open(struct svc_rqst *rqstp, struct svc_fh *fhp, int type,
{
{
struct
dentry
*
dentry
;
struct
dentry
*
dentry
;
struct
inode
*
inode
;
struct
inode
*
inode
;
int
flags
=
O_RDONLY
|
O_LARGEFILE
,
mode
=
FMODE_READ
,
err
;
int
flags
=
O_RDONLY
|
O_LARGEFILE
,
err
;
/*
/*
* If we get here, then the client has already done an "open",
* If we get here, then the client has already done an "open",
...
@@ -479,14 +479,12 @@ nfsd_open(struct svc_rqst *rqstp, struct svc_fh *fhp, int type,
...
@@ -479,14 +479,12 @@ nfsd_open(struct svc_rqst *rqstp, struct svc_fh *fhp, int type,
goto
out_nfserr
;
goto
out_nfserr
;
flags
=
O_WRONLY
|
O_LARGEFILE
;
flags
=
O_WRONLY
|
O_LARGEFILE
;
mode
=
FMODE_WRITE
;
DQUOT_INIT
(
inode
);
DQUOT_INIT
(
inode
);
}
}
err
=
init_private_file
(
filp
,
dentry
,
mode
);
err
=
open_private_file
(
filp
,
dentry
,
flags
);
if
(
!
err
)
{
if
(
!
err
)
{
filp
->
f_flags
=
flags
;
filp
->
f_vfsmnt
=
fhp
->
fh_export
->
ex_mnt
;
filp
->
f_vfsmnt
=
fhp
->
fh_export
->
ex_mnt
;
}
else
if
(
access
&
MAY_WRITE
)
}
else
if
(
access
&
MAY_WRITE
)
put_write_access
(
inode
);
put_write_access
(
inode
);
...
@@ -507,8 +505,7 @@ nfsd_close(struct file *filp)
...
@@ -507,8 +505,7 @@ nfsd_close(struct file *filp)
struct
dentry
*
dentry
=
filp
->
f_dentry
;
struct
dentry
*
dentry
=
filp
->
f_dentry
;
struct
inode
*
inode
=
dentry
->
d_inode
;
struct
inode
*
inode
=
dentry
->
d_inode
;
if
(
filp
->
f_op
->
release
)
close_private_file
(
filp
);
filp
->
f_op
->
release
(
inode
,
filp
);
if
(
filp
->
f_mode
&
FMODE_WRITE
)
if
(
filp
->
f_mode
&
FMODE_WRITE
)
put_write_access
(
inode
);
put_write_access
(
inode
);
}
}
...
...
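Review bot: In the nfsd_open hunk `filp->f_vfsmnt` is still assigned only after `open_private_file()` returns, and that helper (fs/file_table.c in this commit) now invokes `security_file_alloc()` on a filp that was just zeroed, so a module's file_alloc_security hook observes `f_vfsmnt == NULL` for every nfsd-opened file. Because open_private_file memsets the filp first, the assignment cannot simply be hoisted; if modules are meant to read it, the gap should at least be documented where the success branch sets it, e.g. `/* security_file_alloc() already ran with f_vfsmnt == NULL */`. The same ordering already applied to `f_op->open` before this change; what is new is that LSM hooks now see it. nfsd_open's body begins before the first hunk and continues past the second.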
fs/super.c
...
@@ -611,6 +611,7 @@ do_kern_mount(const char *fstype, int flags, char *name, void *data)
...
@@ -611,6 +611,7 @@ do_kern_mount(const char *fstype, int flags, char *name, void *data)
struct
file_system_type
*
type
=
get_fs_type
(
fstype
);
struct
file_system_type
*
type
=
get_fs_type
(
fstype
);
struct
super_block
*
sb
=
ERR_PTR
(
-
ENOMEM
);
struct
super_block
*
sb
=
ERR_PTR
(
-
ENOMEM
);
struct
vfsmount
*
mnt
;
struct
vfsmount
*
mnt
;
int
error
;
if
(
!
type
)
if
(
!
type
)
return
ERR_PTR
(
-
ENODEV
);
return
ERR_PTR
(
-
ENODEV
);
...
@@ -621,6 +622,9 @@ do_kern_mount(const char *fstype, int flags, char *name, void *data)
...
@@ -621,6 +622,9 @@ do_kern_mount(const char *fstype, int flags, char *name, void *data)
sb
=
type
->
get_sb
(
type
,
flags
,
name
,
data
);
sb
=
type
->
get_sb
(
type
,
flags
,
name
,
data
);
if
(
IS_ERR
(
sb
))
if
(
IS_ERR
(
sb
))
goto
out_mnt
;
goto
out_mnt
;
error
=
security_sb_kern_mount
(
sb
);
if
(
error
)
goto
out_sb
;
mnt
->
mnt_sb
=
sb
;
mnt
->
mnt_sb
=
sb
;
mnt
->
mnt_root
=
dget
(
sb
->
s_root
);
mnt
->
mnt_root
=
dget
(
sb
->
s_root
);
mnt
->
mnt_mountpoint
=
sb
->
s_root
;
mnt
->
mnt_mountpoint
=
sb
->
s_root
;
...
@@ -628,6 +632,10 @@ do_kern_mount(const char *fstype, int flags, char *name, void *data)
...
@@ -628,6 +632,10 @@ do_kern_mount(const char *fstype, int flags, char *name, void *data)
up_write
(
&
sb
->
s_umount
);
up_write
(
&
sb
->
s_umount
);
put_filesystem
(
type
);
put_filesystem
(
type
);
return
mnt
;
return
mnt
;
out_sb:
up_write
(
&
sb
->
s_umount
);
deactivate_super
(
sb
);
sb
=
ERR_PTR
(
error
);
out_mnt:
out_mnt:
free_vfsmnt
(
mnt
);
free_vfsmnt
(
mnt
);
out:
out:
...
...
include/linux/fs.h
...
@@ -456,7 +456,10 @@ extern spinlock_t files_lock;
...
@@ -456,7 +456,10 @@ extern spinlock_t files_lock;
#define get_file(x) atomic_inc(&(x)->f_count)
#define get_file(x) atomic_inc(&(x)->f_count)
#define file_count(x) atomic_read(&(x)->f_count)
#define file_count(x) atomic_read(&(x)->f_count)
extern
int
init_private_file
(
struct
file
*
,
struct
dentry
*
,
int
);
/* Initialize and open a private file and allocate its security structure. */
extern
int
open_private_file
(
struct
file
*
,
struct
dentry
*
,
int
);
/* Release a private file and free its security structure. */
extern
void
close_private_file
(
struct
file
*
file
);
#define MAX_NON_LFS ((1UL<<31) - 1)
#define MAX_NON_LFS ((1UL<<31) - 1)
...
...
include/linux/security.h
...
@@ -48,6 +48,7 @@ extern void cap_bprm_compute_creds (struct linux_binprm *bprm);
...
@@ -48,6 +48,7 @@ extern void cap_bprm_compute_creds (struct linux_binprm *bprm);
extern
int
cap_task_post_setuid
(
uid_t
old_ruid
,
uid_t
old_euid
,
uid_t
old_suid
,
int
flags
);
extern
int
cap_task_post_setuid
(
uid_t
old_ruid
,
uid_t
old_euid
,
uid_t
old_suid
,
int
flags
);
extern
void
cap_task_kmod_set_label
(
void
);
extern
void
cap_task_kmod_set_label
(
void
);
extern
void
cap_task_reparent_to_init
(
struct
task_struct
*
p
);
extern
void
cap_task_reparent_to_init
(
struct
task_struct
*
p
);
extern
int
cap_syslog
(
int
type
);
static
inline
int
cap_netlink_send
(
struct
sk_buff
*
skb
)
static
inline
int
cap_netlink_send
(
struct
sk_buff
*
skb
)
{
{
...
@@ -62,7 +63,6 @@ static inline int cap_netlink_recv (struct sk_buff *skb)
...
@@ -62,7 +63,6 @@ static inline int cap_netlink_recv (struct sk_buff *skb)
return
0
;
return
0
;
}
}
/*
/*
* Values used in the task_security_ops calls
* Values used in the task_security_ops calls
*/
*/
...
@@ -351,10 +351,6 @@ struct swap_info_struct;
...
@@ -351,10 +351,6 @@ struct swap_info_struct;
* @mnt is the vfsmount where the dentry was looked up
* @mnt is the vfsmount where the dentry was looked up
* @dentry contains the dentry structure for the file.
* @dentry contains the dentry structure for the file.
* Return 0 if permission is granted.
* Return 0 if permission is granted.
* @inode_post_lookup:
* Set the security attributes for a file after it has been looked up.
* @inode contains the inode structure for parent directory.
* @d contains the dentry structure for the file.
* @inode_delete:
* @inode_delete:
* @inode contains the inode structure for deleted inode.
* @inode contains the inode structure for deleted inode.
* This hook is called when a deleted inode is released (i.e. an inode
* This hook is called when a deleted inode is released (i.e. an inode
...
@@ -926,11 +922,23 @@ struct swap_info_struct;
...
@@ -926,11 +922,23 @@ struct swap_info_struct;
* is NULL.
* is NULL.
* @file contains the file structure for the accounting file (may be NULL).
* @file contains the file structure for the accounting file (may be NULL).
* Return 0 if permission is granted.
* Return 0 if permission is granted.
* @sysctl:
* Check permission before accessing the @table sysctl variable in the
* manner specified by @op.
* @table contains the ctl_table structure for the sysctl variable.
* @op contains the operation (001 = search, 002 = write, 004 = read).
* Return 0 if permission is granted.
* @capable:
* @capable:
* Check whether the @tsk process has the @cap capability.
* Check whether the @tsk process has the @cap capability.
* @tsk contains the task_struct for the process.
* @tsk contains the task_struct for the process.
* @cap contains the capability <include/linux/capability.h>.
* @cap contains the capability <include/linux/capability.h>.
* Return 0 if the capability is granted for @tsk.
* Return 0 if the capability is granted for @tsk.
* @syslog:
* Check permission before accessing the kernel message ring or changing
* logging to the console.
* See the syslog(2) manual page for an explanation of the @type values.
* @type contains the type of action.
* Return 0 if permission is granted.
*
*
* @register_security:
* @register_security:
* allow module stacking.
* allow module stacking.
...
@@ -957,9 +965,11 @@ struct security_operations {
...
@@ -957,9 +965,11 @@ struct security_operations {
kernel_cap_t
*
inheritable
,
kernel_cap_t
*
inheritable
,
kernel_cap_t
*
permitted
);
kernel_cap_t
*
permitted
);
int
(
*
acct
)
(
struct
file
*
file
);
int
(
*
acct
)
(
struct
file
*
file
);
int
(
*
sysctl
)
(
ctl_table
*
table
,
int
op
);
int
(
*
capable
)
(
struct
task_struct
*
tsk
,
int
cap
);
int
(
*
capable
)
(
struct
task_struct
*
tsk
,
int
cap
);
int
(
*
quotactl
)
(
int
cmds
,
int
type
,
int
id
,
struct
super_block
*
sb
);
int
(
*
quotactl
)
(
int
cmds
,
int
type
,
int
id
,
struct
super_block
*
sb
);
int
(
*
quota_on
)
(
struct
file
*
f
);
int
(
*
quota_on
)
(
struct
file
*
f
);
int
(
*
syslog
)
(
int
type
);
int
(
*
bprm_alloc_security
)
(
struct
linux_binprm
*
bprm
);
int
(
*
bprm_alloc_security
)
(
struct
linux_binprm
*
bprm
);
void
(
*
bprm_free_security
)
(
struct
linux_binprm
*
bprm
);
void
(
*
bprm_free_security
)
(
struct
linux_binprm
*
bprm
);
...
@@ -969,6 +979,7 @@ struct security_operations {
...
@@ -969,6 +979,7 @@ struct security_operations {
int
(
*
sb_alloc_security
)
(
struct
super_block
*
sb
);
int
(
*
sb_alloc_security
)
(
struct
super_block
*
sb
);
void
(
*
sb_free_security
)
(
struct
super_block
*
sb
);
void
(
*
sb_free_security
)
(
struct
super_block
*
sb
);
int
(
*
sb_kern_mount
)
(
struct
super_block
*
sb
);
int
(
*
sb_statfs
)
(
struct
super_block
*
sb
);
int
(
*
sb_statfs
)
(
struct
super_block
*
sb
);
int
(
*
sb_mount
)
(
char
*
dev_name
,
struct
nameidata
*
nd
,
int
(
*
sb_mount
)
(
char
*
dev_name
,
struct
nameidata
*
nd
,
char
*
type
,
unsigned
long
flags
,
void
*
data
);
char
*
type
,
unsigned
long
flags
,
void
*
data
);
...
@@ -1022,7 +1033,6 @@ struct security_operations {
...
@@ -1022,7 +1033,6 @@ struct security_operations {
int
(
*
inode_permission_lite
)
(
struct
inode
*
inode
,
int
mask
);
int
(
*
inode_permission_lite
)
(
struct
inode
*
inode
,
int
mask
);
int
(
*
inode_setattr
)
(
struct
dentry
*
dentry
,
struct
iattr
*
attr
);
int
(
*
inode_setattr
)
(
struct
dentry
*
dentry
,
struct
iattr
*
attr
);
int
(
*
inode_getattr
)
(
struct
vfsmount
*
mnt
,
struct
dentry
*
dentry
);
int
(
*
inode_getattr
)
(
struct
vfsmount
*
mnt
,
struct
dentry
*
dentry
);
void
(
*
inode_post_lookup
)
(
struct
inode
*
inode
,
struct
dentry
*
d
);
void
(
*
inode_delete
)
(
struct
inode
*
inode
);
void
(
*
inode_delete
)
(
struct
inode
*
inode
);
int
(
*
inode_setxattr
)
(
struct
dentry
*
dentry
,
char
*
name
,
void
*
value
,
int
(
*
inode_setxattr
)
(
struct
dentry
*
dentry
,
char
*
name
,
void
*
value
,
size_t
size
,
int
flags
);
size_t
size
,
int
flags
);
...
@@ -1111,6 +1121,8 @@ struct security_operations {
...
@@ -1111,6 +1121,8 @@ struct security_operations {
int
(
*
unregister_security
)
(
const
char
*
name
,
int
(
*
unregister_security
)
(
const
char
*
name
,
struct
security_operations
*
ops
);
struct
security_operations
*
ops
);
void
(
*
d_instantiate
)
(
struct
dentry
*
dentry
,
struct
inode
*
inode
);
#ifdef CONFIG_SECURITY_NETWORK
#ifdef CONFIG_SECURITY_NETWORK
int
(
*
unix_stream_connect
)
(
struct
socket
*
sock
,
int
(
*
unix_stream_connect
)
(
struct
socket
*
sock
,
struct
socket
*
other
,
struct
sock
*
newsk
);
struct
socket
*
other
,
struct
sock
*
newsk
);
...
@@ -1178,6 +1190,11 @@ static inline int security_acct (struct file *file)
...
@@ -1178,6 +1190,11 @@ static inline int security_acct (struct file *file)
return
security_ops
->
acct
(
file
);
return
security_ops
->
acct
(
file
);
}
}
static
inline
int
security_sysctl
(
ctl_table
*
table
,
int
op
)
{
return
security_ops
->
sysctl
(
table
,
op
);
}
static
inline
int
security_quotactl
(
int
cmds
,
int
type
,
int
id
,
static
inline
int
security_quotactl
(
int
cmds
,
int
type
,
int
id
,
struct
super_block
*
sb
)
struct
super_block
*
sb
)
{
{
...
@@ -1189,6 +1206,11 @@ static inline int security_quota_on (struct file * file)
...
@@ -1189,6 +1206,11 @@ static inline int security_quota_on (struct file * file)
return
security_ops
->
quota_on
(
file
);
return
security_ops
->
quota_on
(
file
);
}
}
static
inline
int
security_syslog
(
int
type
)
{
return
security_ops
->
syslog
(
type
);
}
static
inline
int
security_bprm_alloc
(
struct
linux_binprm
*
bprm
)
static
inline
int
security_bprm_alloc
(
struct
linux_binprm
*
bprm
)
{
{
return
security_ops
->
bprm_alloc_security
(
bprm
);
return
security_ops
->
bprm_alloc_security
(
bprm
);
...
@@ -1220,6 +1242,11 @@ static inline void security_sb_free (struct super_block *sb)
...
@@ -1220,6 +1242,11 @@ static inline void security_sb_free (struct super_block *sb)
security_ops
->
sb_free_security
(
sb
);
security_ops
->
sb_free_security
(
sb
);
}
}
static
inline
int
security_sb_kern_mount
(
struct
super_block
*
sb
)
{
return
security_ops
->
sb_kern_mount
(
sb
);
}
static
inline
int
security_sb_statfs
(
struct
super_block
*
sb
)
static
inline
int
security_sb_statfs
(
struct
super_block
*
sb
)
{
{
return
security_ops
->
sb_statfs
(
sb
);
return
security_ops
->
sb_statfs
(
sb
);
...
@@ -1426,12 +1453,6 @@ static inline int security_inode_getattr (struct vfsmount *mnt,
...
@@ -1426,12 +1453,6 @@ static inline int security_inode_getattr (struct vfsmount *mnt,
return
security_ops
->
inode_getattr
(
mnt
,
dentry
);
return
security_ops
->
inode_getattr
(
mnt
,
dentry
);
}
}
static
inline
void
security_inode_post_lookup
(
struct
inode
*
inode
,
struct
dentry
*
dentry
)
{
security_ops
->
inode_post_lookup
(
inode
,
dentry
);
}
static
inline
void
security_inode_delete
(
struct
inode
*
inode
)
static
inline
void
security_inode_delete
(
struct
inode
*
inode
)
{
{
security_ops
->
inode_delete
(
inode
);
security_ops
->
inode_delete
(
inode
);
...
@@ -1729,6 +1750,11 @@ static inline int security_sem_semop (struct sem_array * sma,
...
@@ -1729,6 +1750,11 @@ static inline int security_sem_semop (struct sem_array * sma,
return
security_ops
->
sem_semop
(
sma
,
sops
,
nsops
,
alter
);
return
security_ops
->
sem_semop
(
sma
,
sops
,
nsops
,
alter
);
}
}
static
inline
void
security_d_instantiate
(
struct
dentry
*
dentry
,
struct
inode
*
inode
)
{
security_ops
->
d_instantiate
(
dentry
,
inode
);
}
static
inline
int
security_netlink_send
(
struct
sk_buff
*
skb
)
static
inline
int
security_netlink_send
(
struct
sk_buff
*
skb
)
{
{
return
security_ops
->
netlink_send
(
skb
);
return
security_ops
->
netlink_send
(
skb
);
...
@@ -1793,6 +1819,11 @@ static inline int security_acct (struct file *file)
...
@@ -1793,6 +1819,11 @@ static inline int security_acct (struct file *file)
return
0
;
return
0
;
}
}
static
inline
int
security_sysctl
(
ctl_table
*
table
,
int
op
)
{
return
0
;
}
static
inline
int
security_quotactl
(
int
cmds
,
int
type
,
int
id
,
static
inline
int
security_quotactl
(
int
cmds
,
int
type
,
int
id
,
struct
super_block
*
sb
)
struct
super_block
*
sb
)
{
{
...
@@ -1804,6 +1835,11 @@ static inline int security_quota_on (struct file * file)
...
@@ -1804,6 +1835,11 @@ static inline int security_quota_on (struct file * file)
return
0
;
return
0
;
}
}
static
inline
int
security_syslog
(
int
type
)
{
return
cap_syslog
(
type
);
}
static
inline
int
security_bprm_alloc
(
struct
linux_binprm
*
bprm
)
static
inline
int
security_bprm_alloc
(
struct
linux_binprm
*
bprm
)
{
{
return
0
;
return
0
;
...
@@ -1835,6 +1871,11 @@ static inline int security_sb_alloc (struct super_block *sb)
...
@@ -1835,6 +1871,11 @@ static inline int security_sb_alloc (struct super_block *sb)
static
inline
void
security_sb_free
(
struct
super_block
*
sb
)
static
inline
void
security_sb_free
(
struct
super_block
*
sb
)
{
}
{
}
static
inline
int
security_sb_kern_mount
(
struct
super_block
*
sb
)
{
return
0
;
}
static
inline
int
security_sb_statfs
(
struct
super_block
*
sb
)
static
inline
int
security_sb_statfs
(
struct
super_block
*
sb
)
{
{
return
0
;
return
0
;
...
@@ -2013,10 +2054,6 @@ static inline int security_inode_getattr (struct vfsmount *mnt,
...
@@ -2013,10 +2054,6 @@ static inline int security_inode_getattr (struct vfsmount *mnt,
return
0
;
return
0
;
}
}
static
inline
void
security_inode_post_lookup
(
struct
inode
*
inode
,
struct
dentry
*
dentry
)
{
}
static
inline
void
security_inode_delete
(
struct
inode
*
inode
)
static
inline
void
security_inode_delete
(
struct
inode
*
inode
)
{
}
{
}
...
@@ -2300,6 +2337,9 @@ static inline int security_sem_semop (struct sem_array * sma,
...
@@ -2300,6 +2337,9 @@ static inline int security_sem_semop (struct sem_array * sma,
return
0
;
return
0
;
}
}
static
inline
void
security_d_instantiate
(
struct
dentry
*
dentry
,
struct
inode
*
inode
)
{
}
/*
/*
* The netlink capability defaults need to be used inline by default
* The netlink capability defaults need to be used inline by default
* (rather than hooking into the capability module) to reduce overhead
* (rather than hooking into the capability module) to reduce overhead
...
...
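Review bot: The hook documentation block is updated for `@sysctl` and `@syslog` (hunk at `@@ -926,11 +922,23 @@`), but the two other operations this commit adds to `struct security_operations` — `sb_kern_mount` (hunk at `@@ -969,6 +979,7 @@`) and `d_instantiate` (hunk at `@@ -1111,6 +1121,8 @@`) — get no entry there, while the removed `@inode_post_lookup` entry is deleted. Each should receive a paragraph in the same style as `@syslog`: for `@sb_kern_mount` that it is called after the filesystem's get_sb has produced `@sb` and before the mount is wired up, that it may deny the mount, and that it returns 0 if permission is granted; for `@d_instantiate` that it is called when `@dentry` is being bound to `@inode` (which may be NULL, as the d_instantiate caller in fs/dcache.c allows) so the module can set the dentry's security attributes, and that it has no return value. Without these the replacement for inode_post_lookup is undocumented for module authors.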
kernel/ksyms.c
...
@@ -177,7 +177,8 @@ EXPORT_SYMBOL(mark_buffer_dirty);
...
@@ -177,7 +177,8 @@ EXPORT_SYMBOL(mark_buffer_dirty);
EXPORT_SYMBOL
(
end_buffer_io_sync
);
EXPORT_SYMBOL
(
end_buffer_io_sync
);
EXPORT_SYMBOL
(
__mark_inode_dirty
);
EXPORT_SYMBOL
(
__mark_inode_dirty
);
EXPORT_SYMBOL
(
get_empty_filp
);
EXPORT_SYMBOL
(
get_empty_filp
);
EXPORT_SYMBOL
(
init_private_file
);
EXPORT_SYMBOL
(
open_private_file
);
EXPORT_SYMBOL
(
close_private_file
);
EXPORT_SYMBOL
(
filp_open
);
EXPORT_SYMBOL
(
filp_open
);
EXPORT_SYMBOL
(
filp_close
);
EXPORT_SYMBOL
(
filp_close
);
EXPORT_SYMBOL
(
put_filp
);
EXPORT_SYMBOL
(
put_filp
);
...
...
kernel/printk.c
...
@@ -28,6 +28,7 @@
...
@@ -28,6 +28,7 @@
#include <linux/config.h>
#include <linux/config.h>
#include <linux/delay.h>
#include <linux/delay.h>
#include <linux/smp.h>
#include <linux/smp.h>
#include <linux/security.h>
#include <asm/uaccess.h>
#include <asm/uaccess.h>
...
@@ -161,6 +162,10 @@ int do_syslog(int type, char * buf, int len)
...
@@ -161,6 +162,10 @@ int do_syslog(int type, char * buf, int len)
char
c
;
char
c
;
int
error
=
0
;
int
error
=
0
;
error
=
security_syslog
(
type
);
if
(
error
)
return
error
;
switch
(
type
)
{
switch
(
type
)
{
case
0
:
/* Close log */
case
0
:
/* Close log */
break
;
break
;
...
@@ -273,8 +278,6 @@ int do_syslog(int type, char * buf, int len)
...
@@ -273,8 +278,6 @@ int do_syslog(int type, char * buf, int len)
asmlinkage
long
sys_syslog
(
int
type
,
char
*
buf
,
int
len
)
asmlinkage
long
sys_syslog
(
int
type
,
char
*
buf
,
int
len
)
{
{
if
((
type
!=
3
)
&&
!
capable
(
CAP_SYS_ADMIN
))
return
-
EPERM
;
return
do_syslog
(
type
,
buf
,
len
);
return
do_syslog
(
type
,
buf
,
len
);
}
}
...
...
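Review bot: Moving the permission check from sys_syslog into the top of do_syslog means every caller of do_syslog, not only the syscall, now goes through `security_syslog(type)`; if any other in-kernel path calls do_syslog (none is visible on this page), it acquires a privilege check it did not have before, which should be confirmed. Either way the new placement deserves a comment at the start of do_syslog so later callers do not re-add their own check, e.g. `/* Access is mediated here via security_syslog(); callers must not check separately. */`. The `int error = 0;` initializer on the line above is now immediately overwritten by the hook result and can be dropped if `error` is not read before the next assignment further down (the rest of do_syslog is outside the hunk).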
kernel/sys.c
...
@@ -212,18 +212,25 @@ cond_syscall(sys_delete_module)
...
@@ -212,18 +212,25 @@ cond_syscall(sys_delete_module)
static
int
set_one_prio
(
struct
task_struct
*
p
,
int
niceval
,
int
error
)
static
int
set_one_prio
(
struct
task_struct
*
p
,
int
niceval
,
int
error
)
{
{
int
no_nice
;
if
(
p
->
uid
!=
current
->
euid
&&
if
(
p
->
uid
!=
current
->
euid
&&
p
->
uid
!=
current
->
uid
&&
!
capable
(
CAP_SYS_NICE
))
{
p
->
uid
!=
current
->
uid
&&
!
capable
(
CAP_SYS_NICE
))
{
error
=
-
EPERM
;
error
=
-
EPERM
;
goto
out
;
goto
out
;
}
}
if
(
niceval
<
task_nice
(
p
)
&&
!
capable
(
CAP_SYS_NICE
))
{
error
=
-
EACCES
;
goto
out
;
}
no_nice
=
security_task_setnice
(
p
,
niceval
);
if
(
no_nice
)
{
error
=
no_nice
;
goto
out
;
}
if
(
error
==
-
ESRCH
)
if
(
error
==
-
ESRCH
)
error
=
0
;
error
=
0
;
if
(
niceval
<
task_nice
(
p
)
&&
!
capable
(
CAP_SYS_NICE
))
set_user_nice
(
p
,
niceval
);
error
=
-
EACCES
;
else
set_user_nice
(
p
,
niceval
);
out:
out:
return
error
;
return
error
;
}
}
...
@@ -941,6 +948,10 @@ asmlinkage long sys_setpgid(pid_t pid, pid_t pgid)
...
@@ -941,6 +948,10 @@ asmlinkage long sys_setpgid(pid_t pid, pid_t pgid)
}
}
ok_pgid:
ok_pgid:
err
=
security_task_setpgid
(
p
,
pgid
);
if
(
err
)
goto
out
;
if
(
p
->
pgrp
!=
pgid
)
{
if
(
p
->
pgrp
!=
pgid
)
{
detach_pid
(
p
,
PIDTYPE_PGID
);
detach_pid
(
p
,
PIDTYPE_PGID
);
p
->
pgrp
=
pgid
;
p
->
pgrp
=
pgid
;
...
...
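Review bot: set_one_prio now has three early-exit paths plus the LSM call, but the meaning of the `error` parameter it threads through — an accumulated result from earlier iterations, where `-ESRCH` is reset to 0 once a task is actually adjusted and any other prior value survives a successful set — is nowhere stated, and the new `no_nice` branch that overrides it makes the contract harder to infer. A short comment above the function would help, e.g. `/* @error carries the result from previous tasks in the set; -ESRCH means none matched yet and is cleared on the first successful change. */`. The hook placement after the DAC and CAP_SYS_NICE checks is the right order for a restrictive hook, and the sys_setpgid hunk follows the same pattern.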
kernel/sysctl.c
...
@@ -33,6 +33,7 @@
...
@@ -33,6 +33,7 @@
#include <linux/highuid.h>
#include <linux/highuid.h>
#include <linux/writeback.h>
#include <linux/writeback.h>
#include <linux/hugetlb.h>
#include <linux/hugetlb.h>
#include <linux/security.h>
#include <asm/uaccess.h>
#include <asm/uaccess.h>
#ifdef CONFIG_ROOT_NFS
#ifdef CONFIG_ROOT_NFS
...
@@ -432,6 +433,10 @@ static int test_perm(int mode, int op)
...
@@ -432,6 +433,10 @@ static int test_perm(int mode, int op)
static
inline
int
ctl_perm
(
ctl_table
*
table
,
int
op
)
static
inline
int
ctl_perm
(
ctl_table
*
table
,
int
op
)
{
{
int
error
;
error
=
security_sysctl
(
table
,
op
);
if
(
error
)
return
error
;
return
test_perm
(
table
->
mode
,
op
);
return
test_perm
(
table
->
mode
,
op
);
}
}
...
...
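Review bot: In ctl_perm the new `int error;` followed by `error = security_sysctl(table, op);` can be a single initialized declaration, `int error = security_sysctl(table, op);`, which also avoids an uninitialized local. It is worth a one-line comment that the hook runs before `test_perm` and can only deny, never grant, access the mode bits would refuse, e.g. `/* LSM may veto; test_perm still applies afterwards */`, since that ordering is what makes the check safe to add here.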
security/capability.c
...
@@ -263,6 +263,13 @@ void cap_task_reparent_to_init (struct task_struct *p)
...
@@ -263,6 +263,13 @@ void cap_task_reparent_to_init (struct task_struct *p)
return
;
return
;
}
}
int
cap_syslog
(
int
type
)
{
if
((
type
!=
3
)
&&
!
capable
(
CAP_SYS_ADMIN
))
return
-
EPERM
;
return
0
;
}
EXPORT_SYMBOL
(
cap_capable
);
EXPORT_SYMBOL
(
cap_capable
);
EXPORT_SYMBOL
(
cap_ptrace
);
EXPORT_SYMBOL
(
cap_ptrace
);
EXPORT_SYMBOL
(
cap_capget
);
EXPORT_SYMBOL
(
cap_capget
);
...
@@ -273,6 +280,7 @@ EXPORT_SYMBOL(cap_bprm_compute_creds);
...
@@ -273,6 +280,7 @@ EXPORT_SYMBOL(cap_bprm_compute_creds);
EXPORT_SYMBOL
(
cap_task_post_setuid
);
EXPORT_SYMBOL
(
cap_task_post_setuid
);
EXPORT_SYMBOL
(
cap_task_kmod_set_label
);
EXPORT_SYMBOL
(
cap_task_kmod_set_label
);
EXPORT_SYMBOL
(
cap_task_reparent_to_init
);
EXPORT_SYMBOL
(
cap_task_reparent_to_init
);
EXPORT_SYMBOL
(
cap_syslog
);
#ifdef CONFIG_SECURITY
#ifdef CONFIG_SECURITY
...
@@ -292,6 +300,8 @@ static struct security_operations capability_ops = {
...
@@ -292,6 +300,8 @@ static struct security_operations capability_ops = {
.
task_post_setuid
=
cap_task_post_setuid
,
.
task_post_setuid
=
cap_task_post_setuid
,
.
task_kmod_set_label
=
cap_task_kmod_set_label
,
.
task_kmod_set_label
=
cap_task_kmod_set_label
,
.
task_reparent_to_init
=
cap_task_reparent_to_init
,
.
task_reparent_to_init
=
cap_task_reparent_to_init
,
.
syslog
=
cap_syslog
,
};
};
#if defined(CONFIG_SECURITY_CAPABILITIES_MODULE)
#if defined(CONFIG_SECURITY_CAPABILITIES_MODULE)
...
...
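Review bot: cap_syslog carries the test `(type != 3)` with a bare literal, the same literal that sys_syslog used before this commit and that dummy_syslog repeats; its meaning is only recoverable from the syslog(2) man page the header comment refers to. Add a comment above the comparison such as `/* type 3 (read all) is unprivileged; every other action needs CAP_SYS_ADMIN */` or give the value a named constant shared with security/dummy.c so the two implementations cannot drift.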
security/dummy.c
...
@@ -75,6 +75,11 @@ static int dummy_capable (struct task_struct *tsk, int cap)
...
@@ -75,6 +75,11 @@ static int dummy_capable (struct task_struct *tsk, int cap)
return
-
EPERM
;
return
-
EPERM
;
}
}
static
int
dummy_sysctl
(
ctl_table
*
table
,
int
op
)
{
return
0
;
}
static
int
dummy_quotactl
(
int
cmds
,
int
type
,
int
id
,
struct
super_block
*
sb
)
static
int
dummy_quotactl
(
int
cmds
,
int
type
,
int
id
,
struct
super_block
*
sb
)
{
{
return
0
;
return
0
;
...
@@ -85,6 +90,13 @@ static int dummy_quota_on (struct file *f)
...
@@ -85,6 +90,13 @@ static int dummy_quota_on (struct file *f)
return
0
;
return
0
;
}
}
static
int
dummy_syslog
(
int
type
)
{
if
((
type
!=
3
)
&&
current
->
euid
)
return
-
EPERM
;
return
0
;
}
static
int
dummy_bprm_alloc_security
(
struct
linux_binprm
*
bprm
)
static
int
dummy_bprm_alloc_security
(
struct
linux_binprm
*
bprm
)
{
{
return
0
;
return
0
;
...
@@ -120,6 +132,11 @@ static void dummy_sb_free_security (struct super_block *sb)
...
@@ -120,6 +132,11 @@ static void dummy_sb_free_security (struct super_block *sb)
return
;
return
;
}
}
static
int
dummy_sb_kern_mount
(
struct
super_block
*
sb
)
{
return
0
;
}
static
int
dummy_sb_statfs
(
struct
super_block
*
sb
)
static
int
dummy_sb_statfs
(
struct
super_block
*
sb
)
{
{
return
0
;
return
0
;
...
@@ -306,11 +323,6 @@ static int dummy_inode_getattr (struct vfsmount *mnt, struct dentry *dentry)
...
@@ -306,11 +323,6 @@ static int dummy_inode_getattr (struct vfsmount *mnt, struct dentry *dentry)
return
0
;
return
0
;
}
}
static
void
dummy_inode_post_lookup
(
struct
inode
*
ino
,
struct
dentry
*
d
)
{
return
;
}
static
void
dummy_inode_delete
(
struct
inode
*
ino
)
static
void
dummy_inode_delete
(
struct
inode
*
ino
)
{
{
return
;
return
;
...
@@ -719,6 +731,12 @@ static int dummy_unregister_security (const char *name, struct security_operatio
...
@@ -719,6 +731,12 @@ static int dummy_unregister_security (const char *name, struct security_operatio
return
-
EINVAL
;
return
-
EINVAL
;
}
}
static
void
dummy_d_instantiate
(
struct
dentry
*
dentry
,
struct
inode
*
inode
)
{
return
;
}
struct
security_operations
dummy_security_ops
;
struct
security_operations
dummy_security_ops
;
#define set_to_dummy_if_null(ops, function) \
#define set_to_dummy_if_null(ops, function) \
...
@@ -740,6 +758,8 @@ void security_fixup_ops (struct security_operations *ops)
...
@@ -740,6 +758,8 @@ void security_fixup_ops (struct security_operations *ops)
set_to_dummy_if_null
(
ops
,
capable
);
set_to_dummy_if_null
(
ops
,
capable
);
set_to_dummy_if_null
(
ops
,
quotactl
);
set_to_dummy_if_null
(
ops
,
quotactl
);
set_to_dummy_if_null
(
ops
,
quota_on
);
set_to_dummy_if_null
(
ops
,
quota_on
);
set_to_dummy_if_null
(
ops
,
sysctl
);
set_to_dummy_if_null
(
ops
,
syslog
);
set_to_dummy_if_null
(
ops
,
bprm_alloc_security
);
set_to_dummy_if_null
(
ops
,
bprm_alloc_security
);
set_to_dummy_if_null
(
ops
,
bprm_free_security
);
set_to_dummy_if_null
(
ops
,
bprm_free_security
);
set_to_dummy_if_null
(
ops
,
bprm_compute_creds
);
set_to_dummy_if_null
(
ops
,
bprm_compute_creds
);
...
@@ -747,6 +767,7 @@ void security_fixup_ops (struct security_operations *ops)
...
@@ -747,6 +767,7 @@ void security_fixup_ops (struct security_operations *ops)
set_to_dummy_if_null
(
ops
,
bprm_check_security
);
set_to_dummy_if_null
(
ops
,
bprm_check_security
);
set_to_dummy_if_null
(
ops
,
sb_alloc_security
);
set_to_dummy_if_null
(
ops
,
sb_alloc_security
);
set_to_dummy_if_null
(
ops
,
sb_free_security
);
set_to_dummy_if_null
(
ops
,
sb_free_security
);
set_to_dummy_if_null
(
ops
,
sb_kern_mount
);
set_to_dummy_if_null
(
ops
,
sb_statfs
);
set_to_dummy_if_null
(
ops
,
sb_statfs
);
set_to_dummy_if_null
(
ops
,
sb_mount
);
set_to_dummy_if_null
(
ops
,
sb_mount
);
set_to_dummy_if_null
(
ops
,
sb_check_sb
);
set_to_dummy_if_null
(
ops
,
sb_check_sb
);
...
@@ -780,7 +801,6 @@ void security_fixup_ops (struct security_operations *ops)
...
@@ -780,7 +801,6 @@ void security_fixup_ops (struct security_operations *ops)
set_to_dummy_if_null
(
ops
,
inode_permission_lite
);
set_to_dummy_if_null
(
ops
,
inode_permission_lite
);
set_to_dummy_if_null
(
ops
,
inode_setattr
);
set_to_dummy_if_null
(
ops
,
inode_setattr
);
set_to_dummy_if_null
(
ops
,
inode_getattr
);
set_to_dummy_if_null
(
ops
,
inode_getattr
);
set_to_dummy_if_null
(
ops
,
inode_post_lookup
);
set_to_dummy_if_null
(
ops
,
inode_delete
);
set_to_dummy_if_null
(
ops
,
inode_delete
);
set_to_dummy_if_null
(
ops
,
inode_setxattr
);
set_to_dummy_if_null
(
ops
,
inode_setxattr
);
set_to_dummy_if_null
(
ops
,
inode_getxattr
);
set_to_dummy_if_null
(
ops
,
inode_getxattr
);
...
@@ -839,6 +859,7 @@ void security_fixup_ops (struct security_operations *ops)
...
@@ -839,6 +859,7 @@ void security_fixup_ops (struct security_operations *ops)
set_to_dummy_if_null
(
ops
,
netlink_recv
);
set_to_dummy_if_null
(
ops
,
netlink_recv
);
set_to_dummy_if_null
(
ops
,
register_security
);
set_to_dummy_if_null
(
ops
,
register_security
);
set_to_dummy_if_null
(
ops
,
unregister_security
);
set_to_dummy_if_null
(
ops
,
unregister_security
);
set_to_dummy_if_null
(
ops
,
d_instantiate
);
#ifdef CONFIG_SECURITY_NETWORK
#ifdef CONFIG_SECURITY_NETWORK
set_to_dummy_if_null
(
ops
,
unix_stream_connect
);
set_to_dummy_if_null
(
ops
,
unix_stream_connect
);
set_to_dummy_if_null
(
ops
,
unix_may_send
);
set_to_dummy_if_null
(
ops
,
unix_may_send
);
...
...
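Review bot: dummy_syslog denies with `current->euid` (non-root) whereas the check it replaces in sys_syslog, and cap_syslog in security/capability.c, use `capable(CAP_SYS_ADMIN)`; on a CONFIG_SECURITY kernel running with the dummy ops this changes the policy from "has CAP_SYS_ADMIN" to "euid is 0", which is a weaker test for a process that holds the capability without being root and a stricter one for root without it. This matches the euid convention of the other dummy hooks (dummy_capable is visible in the first hunk header), but it is a behavioural difference that should be called out with a comment, e.g. `/* dummy policy: root-only, unlike the CAP_SYS_ADMIN check in cap_syslog */`. The `(type != 3)` literal would benefit from the same comment or constant as in capability.c.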