diff options
| author | James Morris <james.morris@microsoft.com> | 2018-11-12 09:07:41 -0800 |
|---|---|---|
| committer | James Morris <james.morris@microsoft.com> | 2018-11-12 09:07:41 -0800 |
| commit | 26b76320a8a550472bbb8f42257df83fcb8d8df6 (patch) | |
| tree | 8a5b569f4f070bf4971e24e7fccfe3004b8fc4ba /security/smack | |
| parent | f09c296ebf407f98f4ca70892e612b54484bf663 (diff) | |
| parent | ccda4af0f4b92f7b4c308d3acc262f4a7e3affad (diff) | |
Merge tag 'v4.20-rc2' into next-general
Sync to Linux 4.20-rc2 for downstream developers.
Diffstat (limited to 'security/smack')
| -rw-r--r-- | security/smack/smack_lsm.c | 17 | ||||
| -rw-r--r-- | security/smack/smackfs.c | 3 |
2 files changed, 12 insertions, 8 deletions
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 2fb56bcf1316..81fb4c1631e9 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -421,6 +421,7 @@ static int smk_ptrace_rule_check(struct task_struct *tracer, struct smk_audit_info ad, *saip = NULL; struct task_smack *tsp; struct smack_known *tracer_known; + const struct cred *tracercred; if ((mode & PTRACE_MODE_NOAUDIT) == 0) { smk_ad_init(&ad, func, LSM_AUDIT_DATA_TASK); @@ -429,7 +430,8 @@ static int smk_ptrace_rule_check(struct task_struct *tracer, } rcu_read_lock(); - tsp = __task_cred(tracer)->security; + tracercred = __task_cred(tracer); + tsp = tracercred->security; tracer_known = smk_of_task(tsp); if ((mode & PTRACE_MODE_ATTACH) && @@ -439,7 +441,7 @@ static int smk_ptrace_rule_check(struct task_struct *tracer, rc = 0; else if (smack_ptrace_rule == SMACK_PTRACE_DRACONIAN) rc = -EACCES; - else if (capable(CAP_SYS_PTRACE)) + else if (smack_privileged_cred(CAP_SYS_PTRACE, tracercred)) rc = 0; else rc = -EACCES; @@ -1841,6 +1843,7 @@ static int smack_file_send_sigiotask(struct task_struct *tsk, { struct smack_known *skp; struct smack_known *tkp = smk_of_task(tsk->cred->security); + const struct cred *tcred; struct file *file; int rc; struct smk_audit_info ad; @@ -1854,8 +1857,12 @@ static int smack_file_send_sigiotask(struct task_struct *tsk, skp = file->f_security; rc = smk_access(skp, tkp, MAY_DELIVER, NULL); rc = smk_bu_note("sigiotask", skp, tkp, MAY_DELIVER, rc); - if (rc != 0 && has_capability(tsk, CAP_MAC_OVERRIDE)) + + rcu_read_lock(); + tcred = __task_cred(tsk); + if (rc != 0 && smack_privileged_cred(CAP_MAC_OVERRIDE, tcred)) rc = 0; + rcu_read_unlock(); smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); smk_ad_setfield_u_tsk(&ad, tsk); @@ -2251,7 +2258,7 @@ static int smack_task_movememory(struct task_struct *p) * Return 0 if write access is permitted * */ -static int smack_task_kill(struct task_struct *p, struct siginfo *info, +static int smack_task_kill(struct task_struct *p, struct kernel_siginfo *info, int sig, const struct cred *cred) { struct smk_audit_info ad; @@ -3467,7 +3474,7 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode) */ final = &smack_known_star; /* - * No break. + * Fall through. * * If a smack value has been set we want to use it, * but since tmpfs isn't giving us the opportunity diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c index f6482e53d55a..06b517075ec0 100644 --- a/security/smack/smackfs.c +++ b/security/smack/smackfs.c @@ -2853,7 +2853,6 @@ static const struct file_operations smk_ptrace_ops = { static int smk_fill_super(struct super_block *sb, void *data, int silent) { int rc; - struct inode *root_inode; static const struct tree_descr smack_files[] = { [SMK_LOAD] = { @@ -2917,8 +2916,6 @@ static int smk_fill_super(struct super_block *sb, void *data, int silent) return rc; } - root_inode = d_inode(sb->s_root); - return 0; } |