Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
L
linux
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
linux
Commits
434d42cf
Commit
434d42cf
authored
May 24, 2011
by
James Morris
Browse files
Options
Browse Files
Download
Plain Diff
Merge branch 'next' into for-linus
parents
d762f438
12a5a262
Changes
25
Hide whitespace changes
Inline
Side-by-side
Showing
25 changed files
with
205 additions
and
64 deletions
+205
-64
fs/binfmt_flat.c
fs/binfmt_flat.c
+8
-0
include/linux/capability.h
include/linux/capability.h
+0
-5
include/linux/init_task.h
include/linux/init_task.h
+0
-7
include/linux/key.h
include/linux/key.h
+13
-0
include/linux/kmod.h
include/linux/kmod.h
+3
-0
kernel/capability.c
kernel/capability.c
+0
-4
kernel/cred.c
kernel/cred.c
+3
-3
kernel/kmod.c
kernel/kmod.c
+100
-0
kernel/sysctl.c
kernel/sysctl.c
+6
-0
net/dns_resolver/dns_key.c
net/dns_resolver/dns_key.c
+6
-4
security/Kconfig
security/Kconfig
+1
-0
security/commoncap.c
security/commoncap.c
+4
-9
security/keys/internal.h
security/keys/internal.h
+3
-1
security/keys/keyctl.c
security/keys/keyctl.c
+6
-0
security/keys/keyring.c
security/keys/keyring.c
+24
-13
security/keys/proc.c
security/keys/proc.c
+1
-1
security/keys/process_keys.c
security/keys/process_keys.c
+7
-5
security/keys/request_key.c
security/keys/request_key.c
+1
-2
security/keys/request_key_auth.c
security/keys/request_key_auth.c
+2
-1
security/keys/user_defined.c
security/keys/user_defined.c
+2
-2
security/tomoyo/common.c
security/tomoyo/common.c
+12
-5
security/tomoyo/file.c
security/tomoyo/file.c
+0
-1
security/tomoyo/memory.c
security/tomoyo/memory.c
+1
-0
security/tomoyo/mount.c
security/tomoyo/mount.c
+1
-0
security/tomoyo/util.c
security/tomoyo/util.c
+1
-1
No files found.
fs/binfmt_flat.c
View file @
434d42cf
...
...
@@ -820,6 +820,8 @@ static int load_flat_shared_library(int id, struct lib_info *libs)
int
res
;
char
buf
[
16
];
memset
(
&
bprm
,
0
,
sizeof
(
bprm
));
/* Create the file name */
sprintf
(
buf
,
"/lib/lib%d.so"
,
id
);
...
...
@@ -835,6 +837,12 @@ static int load_flat_shared_library(int id, struct lib_info *libs)
if
(
!
bprm
.
cred
)
goto
out
;
/* We don't really care about recalculating credentials at this point
* as we're past the point of no return and are dealing with shared
* libraries.
*/
bprm
.
cred_prepared
=
1
;
res
=
prepare_binprm
(
&
bprm
);
if
(
!
IS_ERR_VALUE
(
res
))
...
...
include/linux/capability.h
View file @
434d42cf
...
...
@@ -417,7 +417,6 @@ extern const kernel_cap_t __cap_init_eff_set;
# define CAP_EMPTY_SET ((kernel_cap_t){{ 0, 0 }})
# define CAP_FULL_SET ((kernel_cap_t){{ ~0, ~0 }})
# define CAP_INIT_EFF_SET ((kernel_cap_t){{ ~CAP_TO_MASK(CAP_SETPCAP), ~0 }})
# define CAP_FS_SET ((kernel_cap_t){{ CAP_FS_MASK_B0 \
| CAP_TO_MASK(CAP_LINUX_IMMUTABLE), \
CAP_FS_MASK_B1 } })
...
...
@@ -427,11 +426,7 @@ extern const kernel_cap_t __cap_init_eff_set;
#endif
/* _KERNEL_CAPABILITY_U32S != 2 */
#define CAP_INIT_INH_SET CAP_EMPTY_SET
# define cap_clear(c) do { (c) = __cap_empty_set; } while (0)
# define cap_set_full(c) do { (c) = __cap_full_set; } while (0)
# define cap_set_init_eff(c) do { (c) = __cap_init_eff_set; } while (0)
#define cap_raise(c, flag) ((c).cap[CAP_TO_INDEX(flag)] |= CAP_TO_MASK(flag))
#define cap_lower(c, flag) ((c).cap[CAP_TO_INDEX(flag)] &= ~CAP_TO_MASK(flag))
...
...
include/linux/init_task.h
View file @
434d42cf
...
...
@@ -83,13 +83,6 @@ extern struct group_info init_groups;
#define INIT_IDS
#endif
/*
* Because of the reduced scope of CAP_SETPCAP when filesystem
* capabilities are in effect, it is safe to allow CAP_SETPCAP to
* be available in the default configuration.
*/
# define CAP_INIT_BSET CAP_FULL_SET
#ifdef CONFIG_RCU_BOOST
#define INIT_TASK_RCU_BOOST() \
.rcu_boost_mutex = NULL,
...
...
include/linux/key.h
View file @
434d42cf
...
...
@@ -276,6 +276,19 @@ static inline key_serial_t key_serial(struct key *key)
return
key
?
key
->
serial
:
0
;
}
/**
* key_is_instantiated - Determine if a key has been positively instantiated
* @key: The key to check.
*
* Return true if the specified key has been positively instantiated, false
* otherwise.
*/
static
inline
bool
key_is_instantiated
(
const
struct
key
*
key
)
{
return
test_bit
(
KEY_FLAG_INSTANTIATED
,
&
key
->
flags
)
&&
!
test_bit
(
KEY_FLAG_NEGATIVE
,
&
key
->
flags
);
}
#define rcu_dereference_key(KEY) \
(rcu_dereference_protected((KEY)->payload.rcudata, \
rwsem_is_locked(&((struct key *)(KEY))->sem)))
...
...
include/linux/kmod.h
View file @
434d42cf
...
...
@@ -24,6 +24,7 @@
#include <linux/errno.h>
#include <linux/compiler.h>
#include <linux/workqueue.h>
#include <linux/sysctl.h>
#define KMOD_PATH_LEN 256
...
...
@@ -109,6 +110,8 @@ call_usermodehelper(char *path, char **argv, char **envp, enum umh_wait wait)
NULL
,
NULL
,
NULL
);
}
extern
struct
ctl_table
usermodehelper_table
[];
extern
void
usermodehelper_init
(
void
);
extern
int
usermodehelper_disable
(
void
);
...
...
kernel/capability.c
View file @
434d42cf
...
...
@@ -22,12 +22,8 @@
*/
const
kernel_cap_t
__cap_empty_set
=
CAP_EMPTY_SET
;
const
kernel_cap_t
__cap_full_set
=
CAP_FULL_SET
;
const
kernel_cap_t
__cap_init_eff_set
=
CAP_INIT_EFF_SET
;
EXPORT_SYMBOL
(
__cap_empty_set
);
EXPORT_SYMBOL
(
__cap_full_set
);
EXPORT_SYMBOL
(
__cap_init_eff_set
);
int
file_caps_enabled
=
1
;
...
...
kernel/cred.c
View file @
434d42cf
...
...
@@ -49,10 +49,10 @@ struct cred init_cred = {
.
magic
=
CRED_MAGIC
,
#endif
.
securebits
=
SECUREBITS_DEFAULT
,
.
cap_inheritable
=
CAP_
INIT_INH
_SET
,
.
cap_inheritable
=
CAP_
EMPTY
_SET
,
.
cap_permitted
=
CAP_FULL_SET
,
.
cap_effective
=
CAP_
INIT_EFF
_SET
,
.
cap_bset
=
CAP_
INIT_B
SET
,
.
cap_effective
=
CAP_
FULL
_SET
,
.
cap_bset
=
CAP_
FULL_
SET
,
.
user
=
INIT_USER
,
.
user_ns
=
&
init_user_ns
,
.
group_info
=
&
init_groups
,
...
...
kernel/kmod.c
View file @
434d42cf
...
...
@@ -25,6 +25,7 @@
#include <linux/kmod.h>
#include <linux/slab.h>
#include <linux/completion.h>
#include <linux/cred.h>
#include <linux/file.h>
#include <linux/fdtable.h>
#include <linux/workqueue.h>
...
...
@@ -43,6 +44,13 @@ extern int max_threads;
static
struct
workqueue_struct
*
khelper_wq
;
#define CAP_BSET (void *)1
#define CAP_PI (void *)2
static
kernel_cap_t
usermodehelper_bset
=
CAP_FULL_SET
;
static
kernel_cap_t
usermodehelper_inheritable
=
CAP_FULL_SET
;
static
DEFINE_SPINLOCK
(
umh_sysctl_lock
);
#ifdef CONFIG_MODULES
/*
...
...
@@ -132,6 +140,7 @@ EXPORT_SYMBOL(__request_module);
static
int
____call_usermodehelper
(
void
*
data
)
{
struct
subprocess_info
*
sub_info
=
data
;
struct
cred
*
new
;
int
retval
;
spin_lock_irq
(
&
current
->
sighand
->
siglock
);
...
...
@@ -153,6 +162,19 @@ static int ____call_usermodehelper(void *data)
goto
fail
;
}
retval
=
-
ENOMEM
;
new
=
prepare_kernel_cred
(
current
);
if
(
!
new
)
goto
fail
;
spin_lock
(
&
umh_sysctl_lock
);
new
->
cap_bset
=
cap_intersect
(
usermodehelper_bset
,
new
->
cap_bset
);
new
->
cap_inheritable
=
cap_intersect
(
usermodehelper_inheritable
,
new
->
cap_inheritable
);
spin_unlock
(
&
umh_sysctl_lock
);
commit_creds
(
new
);
retval
=
kernel_execve
(
sub_info
->
path
,
(
const
char
*
const
*
)
sub_info
->
argv
,
(
const
char
*
const
*
)
sub_info
->
envp
);
...
...
@@ -420,6 +442,84 @@ int call_usermodehelper_exec(struct subprocess_info *sub_info,
}
EXPORT_SYMBOL
(
call_usermodehelper_exec
);
static
int
proc_cap_handler
(
struct
ctl_table
*
table
,
int
write
,
void
__user
*
buffer
,
size_t
*
lenp
,
loff_t
*
ppos
)
{
struct
ctl_table
t
;
unsigned
long
cap_array
[
_KERNEL_CAPABILITY_U32S
];
kernel_cap_t
new_cap
;
int
err
,
i
;
if
(
write
&&
(
!
capable
(
CAP_SETPCAP
)
||
!
capable
(
CAP_SYS_MODULE
)))
return
-
EPERM
;
/*
* convert from the global kernel_cap_t to the ulong array to print to
* userspace if this is a read.
*/
spin_lock
(
&
umh_sysctl_lock
);
for
(
i
=
0
;
i
<
_KERNEL_CAPABILITY_U32S
;
i
++
)
{
if
(
table
->
data
==
CAP_BSET
)
cap_array
[
i
]
=
usermodehelper_bset
.
cap
[
i
];
else
if
(
table
->
data
==
CAP_PI
)
cap_array
[
i
]
=
usermodehelper_inheritable
.
cap
[
i
];
else
BUG
();
}
spin_unlock
(
&
umh_sysctl_lock
);
t
=
*
table
;
t
.
data
=
&
cap_array
;
/*
* actually read or write and array of ulongs from userspace. Remember
* these are least significant 32 bits first
*/
err
=
proc_doulongvec_minmax
(
&
t
,
write
,
buffer
,
lenp
,
ppos
);
if
(
err
<
0
)
return
err
;
/*
* convert from the sysctl array of ulongs to the kernel_cap_t
* internal representation
*/
for
(
i
=
0
;
i
<
_KERNEL_CAPABILITY_U32S
;
i
++
)
new_cap
.
cap
[
i
]
=
cap_array
[
i
];
/*
* Drop everything not in the new_cap (but don't add things)
*/
spin_lock
(
&
umh_sysctl_lock
);
if
(
write
)
{
if
(
table
->
data
==
CAP_BSET
)
usermodehelper_bset
=
cap_intersect
(
usermodehelper_bset
,
new_cap
);
if
(
table
->
data
==
CAP_PI
)
usermodehelper_inheritable
=
cap_intersect
(
usermodehelper_inheritable
,
new_cap
);
}
spin_unlock
(
&
umh_sysctl_lock
);
return
0
;
}
struct
ctl_table
usermodehelper_table
[]
=
{
{
.
procname
=
"bset"
,
.
data
=
CAP_BSET
,
.
maxlen
=
_KERNEL_CAPABILITY_U32S
*
sizeof
(
unsigned
long
),
.
mode
=
0600
,
.
proc_handler
=
proc_cap_handler
,
},
{
.
procname
=
"inheritable"
,
.
data
=
CAP_PI
,
.
maxlen
=
_KERNEL_CAPABILITY_U32S
*
sizeof
(
unsigned
long
),
.
mode
=
0600
,
.
proc_handler
=
proc_cap_handler
,
},
{
}
};
void
__init
usermodehelper_init
(
void
)
{
khelper_wq
=
create_singlethread_workqueue
(
"khelper"
);
...
...
kernel/sysctl.c
View file @
434d42cf
...
...
@@ -56,6 +56,7 @@
#include <linux/kprobes.h>
#include <linux/pipe_fs_i.h>
#include <linux/oom.h>
#include <linux/kmod.h>
#include <asm/uaccess.h>
#include <asm/processor.h>
...
...
@@ -615,6 +616,11 @@ static struct ctl_table kern_table[] = {
.
mode
=
0555
,
.
child
=
random_table
,
},
{
.
procname
=
"usermodehelper"
,
.
mode
=
0555
,
.
child
=
usermodehelper_table
,
},
{
.
procname
=
"overflowuid"
,
.
data
=
&
overflowuid
,
...
...
net/dns_resolver/dns_key.c
View file @
434d42cf
...
...
@@ -212,10 +212,12 @@ static void dns_resolver_describe(const struct key *key, struct seq_file *m)
int
err
=
key
->
type_data
.
x
[
0
];
seq_puts
(
m
,
key
->
description
);
if
(
err
)
seq_printf
(
m
,
": %d"
,
err
);
else
seq_printf
(
m
,
": %u"
,
key
->
datalen
);
if
(
key_is_instantiated
(
key
))
{
if
(
err
)
seq_printf
(
m
,
": %d"
,
err
);
else
seq_printf
(
m
,
": %u"
,
key
->
datalen
);
}
}
/*
...
...
security/Kconfig
View file @
434d42cf
...
...
@@ -167,6 +167,7 @@ config INTEL_TXT
config
LSM_MMAP_MIN_ADDR
int
"Low address space for LSM to protect from user allocation"
depends
on
SECURITY
&&
SECURITY_SELINUX
default
32768
if
ARM
default
65536
help
This
is
the
portion
of
low
virtual
memory
which
should
be
protected
...
...
security/commoncap.c
View file @
434d42cf
...
...
@@ -529,15 +529,10 @@ int cap_bprm_set_creds(struct linux_binprm *bprm)
new
->
suid
=
new
->
fsuid
=
new
->
euid
;
new
->
sgid
=
new
->
fsgid
=
new
->
egid
;
/* For init, we want to retain the capabilities set in the initial
* task. Thus we skip the usual capability rules
*/
if
(
!
is_global_init
(
current
))
{
if
(
effective
)
new
->
cap_effective
=
new
->
cap_permitted
;
else
cap_clear
(
new
->
cap_effective
);
}
if
(
effective
)
new
->
cap_effective
=
new
->
cap_permitted
;
else
cap_clear
(
new
->
cap_effective
);
bprm
->
cap_effective
=
effective
;
/*
...
...
security/keys/internal.h
View file @
434d42cf
...
...
@@ -109,11 +109,13 @@ extern key_ref_t keyring_search_aux(key_ref_t keyring_ref,
const
struct
cred
*
cred
,
struct
key_type
*
type
,
const
void
*
description
,
key_match_func_t
match
);
key_match_func_t
match
,
bool
no_state_check
);
extern
key_ref_t
search_my_process_keyrings
(
struct
key_type
*
type
,
const
void
*
description
,
key_match_func_t
match
,
bool
no_state_check
,
const
struct
cred
*
cred
);
extern
key_ref_t
search_process_keyrings
(
struct
key_type
*
type
,
const
void
*
description
,
...
...
security/keys/keyctl.c
View file @
434d42cf
...
...
@@ -206,8 +206,14 @@ SYSCALL_DEFINE4(request_key, const char __user *, _type,
goto
error5
;
}
/* wait for the key to finish being constructed */
ret
=
wait_for_key_construction
(
key
,
1
);
if
(
ret
<
0
)
goto
error6
;
ret
=
key
->
serial
;
error6:
key_put
(
key
);
error5:
key_type_put
(
ktype
);
...
...
security/keys/keyring.c
View file @
434d42cf
...
...
@@ -176,13 +176,15 @@ static void keyring_describe(const struct key *keyring, struct seq_file *m)
else
seq_puts
(
m
,
"[anon]"
);
rcu_read_lock
();
klist
=
rcu_dereference
(
keyring
->
payload
.
subscriptions
);
if
(
klist
)
seq_printf
(
m
,
": %u/%u"
,
klist
->
nkeys
,
klist
->
maxkeys
);
else
seq_puts
(
m
,
": empty"
);
rcu_read_unlock
();
if
(
key_is_instantiated
(
keyring
))
{
rcu_read_lock
();
klist
=
rcu_dereference
(
keyring
->
payload
.
subscriptions
);
if
(
klist
)
seq_printf
(
m
,
": %u/%u"
,
klist
->
nkeys
,
klist
->
maxkeys
);
else
seq_puts
(
m
,
": empty"
);
rcu_read_unlock
();
}
}
/*
...
...
@@ -271,6 +273,7 @@ struct key *keyring_alloc(const char *description, uid_t uid, gid_t gid,
* @type: The type of key to search for.
* @description: Parameter for @match.
* @match: Function to rule on whether or not a key is the one required.
* @no_state_check: Don't check if a matching key is bad
*
* Search the supplied keyring tree for a key that matches the criteria given.
* The root keyring and any linked keyrings must grant Search permission to the
...
...
@@ -303,7 +306,8 @@ key_ref_t keyring_search_aux(key_ref_t keyring_ref,
const
struct
cred
*
cred
,
struct
key_type
*
type
,
const
void
*
description
,
key_match_func_t
match
)
key_match_func_t
match
,
bool
no_state_check
)
{
struct
{
struct
keyring_list
*
keylist
;
...
...
@@ -345,6 +349,8 @@ key_ref_t keyring_search_aux(key_ref_t keyring_ref,
kflags
=
keyring
->
flags
;
if
(
keyring
->
type
==
type
&&
match
(
keyring
,
description
))
{
key
=
keyring
;
if
(
no_state_check
)
goto
found
;
/* check it isn't negative and hasn't expired or been
* revoked */
...
...
@@ -384,11 +390,13 @@ key_ref_t keyring_search_aux(key_ref_t keyring_ref,
continue
;
/* skip revoked keys and expired keys */
if
(
kflags
&
(
1
<<
KEY_FLAG_REVOKED
))
continue
;
if
(
!
no_state_check
)
{
if
(
kflags
&
(
1
<<
KEY_FLAG_REVOKED
))
continue
;
if
(
key
->
expiry
&&
now
.
tv_sec
>=
key
->
expiry
)
continue
;
if
(
key
->
expiry
&&
now
.
tv_sec
>=
key
->
expiry
)
continue
;
}
/* keys that don't match */
if
(
!
match
(
key
,
description
))
...
...
@@ -399,6 +407,9 @@ key_ref_t keyring_search_aux(key_ref_t keyring_ref,
cred
,
KEY_SEARCH
)
<
0
)
continue
;
if
(
no_state_check
)
goto
found
;
/* we set a different error code if we pass a negative key */
if
(
kflags
&
(
1
<<
KEY_FLAG_NEGATIVE
))
{
err
=
key
->
type_data
.
reject_error
;
...
...
@@ -478,7 +489,7 @@ key_ref_t keyring_search(key_ref_t keyring,
return
ERR_PTR
(
-
ENOKEY
);
return
keyring_search_aux
(
keyring
,
current
->
cred
,
type
,
description
,
type
->
match
);
type
,
description
,
type
->
match
,
false
);
}
EXPORT_SYMBOL
(
keyring_search
);
...
...
security/keys/proc.c
View file @
434d42cf
...
...
@@ -199,7 +199,7 @@ static int proc_keys_show(struct seq_file *m, void *v)
if
(
key
->
perm
&
KEY_POS_VIEW
)
{
skey_ref
=
search_my_process_keyrings
(
key
->
type
,
key
,
lookup_user_key_possessed
,
cred
);
true
,
cred
);
if
(
!
IS_ERR
(
skey_ref
))
{
key_ref_put
(
skey_ref
);
key_ref
=
make_key_ref
(
key
,
1
);
...
...
security/keys/process_keys.c
View file @
434d42cf
...
...
@@ -331,6 +331,7 @@ void key_fsgid_changed(struct task_struct *tsk)
key_ref_t
search_my_process_keyrings
(
struct
key_type
*
type
,
const
void
*
description
,
key_match_func_t
match
,
bool
no_state_check
,
const
struct
cred
*
cred
)
{
key_ref_t
key_ref
,
ret
,
err
;
...
...
@@ -350,7 +351,7 @@ key_ref_t search_my_process_keyrings(struct key_type *type,
if
(
cred
->
thread_keyring
)
{
key_ref
=
keyring_search_aux
(
make_key_ref
(
cred
->
thread_keyring
,
1
),
cred
,
type
,
description
,
match
);
cred
,
type
,
description
,
match
,
no_state_check
);
if
(
!
IS_ERR
(
key_ref
))
goto
found
;
...
...
@@ -371,7 +372,7 @@ key_ref_t search_my_process_keyrings(struct key_type *type,
if
(
cred
->
tgcred
->
process_keyring
)
{
key_ref
=
keyring_search_aux
(
make_key_ref
(
cred
->
tgcred
->
process_keyring
,
1
),
cred
,
type
,
description
,
match
);
cred
,
type
,
description
,
match
,
no_state_check
);
if
(
!
IS_ERR
(
key_ref
))
goto
found
;
...
...
@@ -395,7 +396,7 @@ key_ref_t search_my_process_keyrings(struct key_type *type,
make_key_ref
(
rcu_dereference
(
cred
->
tgcred
->
session_keyring
),
1
),
cred
,
type
,
description
,
match
);
cred
,
type
,
description
,
match
,
no_state_check
);
rcu_read_unlock
();
if
(
!
IS_ERR
(
key_ref
))
...
...
@@ -417,7 +418,7 @@ key_ref_t search_my_process_keyrings(struct key_type *type,
else
if
(
cred
->
user
->
session_keyring
)
{
key_ref
=
keyring_search_aux
(
make_key_ref
(
cred
->
user
->
session_keyring
,
1
),
cred
,
type
,
description
,
match
);
cred
,
type
,
description
,
match
,
no_state_check
);
if
(
!
IS_ERR
(
key_ref
))
goto
found
;
...
...
@@ -459,7 +460,8 @@ key_ref_t search_process_keyrings(struct key_type *type,
might_sleep
();
key_ref
=
search_my_process_keyrings
(
type
,
description
,
match
,
cred
);
key_ref
=
search_my_process_keyrings
(
type
,
description
,
match
,
false
,
cred
);
if
(
!
IS_ERR
(
key_ref
))
goto
found
;
err
=
key_ref
;
...
...
security/keys/request_key.c
View file @
434d42cf
...
...
@@ -530,8 +530,7 @@ struct key *request_key_and_link(struct key_type *type,
dest_keyring
,
flags
);
/* search all the process keyrings for a key */
key_ref
=
search_process_keyrings
(
type
,
description
,
type
->
match
,
cred
);
key_ref
=
search_process_keyrings
(
type
,
description
,
type
->
match
,
cred
);
if
(
!
IS_ERR
(
key_ref
))
{
key
=
key_ref_to_ptr
(
key_ref
);
...
...
security/keys/request_key_auth.c
View file @
434d42cf
...
...
@@ -59,7 +59,8 @@ static void request_key_auth_describe(const struct key *key,
seq_puts
(
m
,
"key:"
);
seq_puts
(
m
,
key
->
description
);
seq_printf
(
m
,
" pid:%d ci:%zu"
,
rka
->
pid
,
rka
->
callout_len
);
if
(
key_is_instantiated
(
key
))
seq_printf
(
m
,
" pid:%d ci:%zu"
,
rka
->
pid
,
rka
->
callout_len
);
}
/*
...
...
security/keys/user_defined.c
View file @
434d42cf
...
...
@@ -157,8 +157,8 @@ EXPORT_SYMBOL_GPL(user_destroy);
void
user_describe
(
const
struct
key
*
key
,
struct
seq_file
*
m
)
{
seq_puts
(
m
,
key
->
description
);
seq_printf
(
m
,
": %u"
,
key
->
datalen
);
if
(
key_is_instantiated
(
key
))
seq_printf
(
m
,
": %u"
,
key
->
datalen
);
}
EXPORT_SYMBOL_GPL
(
user_describe
);
...
...
security/tomoyo/common.c
View file @
434d42cf
...
...
@@ -108,10 +108,9 @@ static bool tomoyo_flush(struct tomoyo_io_buffer *head)
head
->
read_user_buf
+=
len
;
w
+=
len
;
}
if
(
*
w
)
{
head
->
r
.
w
[
0
]
=
w
;
head
->
r
.
w
[
0
]
=
w
;
if
(
*
w
)
return
false
;
}
/* Add '\0' for query. */
if
(
head
->
poll
)
{
if
(
!
head
->
read_user_buf_avail
||
...
...
@@ -459,8 +458,16 @@ static int tomoyo_write_profile(struct tomoyo_io_buffer *head)
if
(
profile
==
&
tomoyo_default_profile
)
return
-
EINVAL
;
if
(
!
strcmp
(
data
,
"COMMENT"
))
{
const
struct
tomoyo_path_info
*
old_comment
=
profile
->
comment
;
profile
->
comment
=
tomoyo_get_name
(
cp
);
static
DEFINE_SPINLOCK
(
lock
);
const
struct
tomoyo_path_info
*
new_comment
=
tomoyo_get_name
(
cp
);
const
struct
tomoyo_path_info
*
old_comment
;
if
(
!
new_comment
)
return
-
ENOMEM
;
spin_lock
(
&
lock
);
old_comment
=
profile
->
comment
;
profile
->
comment
=
new_comment
;
spin_unlock
(
&
lock
);
tomoyo_put_name
(
old_comment
);
return
0
;
}
...
...
security/tomoyo/file.c
View file @
434d42cf
...
...
@@ -1011,7 +1011,6 @@ int tomoyo_path_perm(const u8 operation, struct path *path)
break
;
case
TOMOYO_TYPE_RMDIR
:
case
TOMOYO_TYPE_CHROOT
:
case
TOMOYO_TYPE_UMOUNT
:
tomoyo_add_slash
(
&
buf
);
break
;
}
...
...
security/tomoyo/memory.c
View file @
434d42cf
...
...
@@ -75,6 +75,7 @@ void *tomoyo_commit_ok(void *data, const unsigned int size)
memset
(
data
,
0
,
size
);
return
ptr
;
}
kfree
(
ptr
);
return
NULL
;
}
...
...
security/tomoyo/mount.c
View file @
434d42cf
...
...
@@ -143,6 +143,7 @@ static int tomoyo_mount_acl(struct tomoyo_request_info *r, char *dev_name,
goto
out
;
}
requested_dev_name
=
tomoyo_realpath_from_path
(
&
path
);
path_put
(
&
path
);
if
(
!
requested_dev_name
)
{
error
=
-
ENOENT
;
goto
out
;
...
...
security/tomoyo/util.c
View file @
434d42cf
...
...
@@ -390,7 +390,7 @@ bool tomoyo_correct_domain(const unsigned char *domainname)
if
(
!
cp
)
break
;
if
(
*
domainname
!=
'/'
||
!
tomoyo_correct_word2
(
domainname
,
cp
-
domainname
-
1
))
!
tomoyo_correct_word2
(
domainname
,
cp
-
domainname
))
goto
out
;
domainname
=
cp
+
1
;
}
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment