From 2e1479d95d02b43660fe03ab2c595ec9751a6f97 Mon Sep 17 00:00:00 2001 From: Adrian Bunk Date: Mon, 17 Mar 2008 22:29:23 +0200 Subject: make selinux_parse_opts_str() static This patch makes the needlessly global selinux_parse_opts_str() static. Signed-off-by: Adrian Bunk Acked-by: Eric Paris Signed-off-by: James Morris --- security/selinux/hooks.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'security') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 4bf4807f2d44..41a049f50f58 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -800,7 +800,8 @@ static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb, mutex_unlock(&newsbsec->lock); } -int selinux_parse_opts_str(char *options, struct security_mnt_opts *opts) +static int selinux_parse_opts_str(char *options, + struct security_mnt_opts *opts) { char *p; char *context = NULL, *defcontext = NULL; -- cgit v1.2.3 From 1d252fb870aa9cd227c4beb1a226ecd434f57f28 Mon Sep 17 00:00:00 2001 From: "Ahmed S. Darwish" Date: Wed, 19 Mar 2008 17:00:51 -0700 Subject: smack: do not dereference NULL ipc object In the SYSV ipc msgctl(),semctl(),shmctl() family, if the user passed *_INFO as the desired operation, no specific object is meant to be controlled and only system-wide information is returned. This leads to a NULL IPC object in the LSM hooks if the _INFO flag is given. Avoid dereferencing this NULL pointer in Smack ipc *ctl() methods. Signed-off-by: Ahmed S. Darwish Acked-by: Casey Schaufler Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- security/smack/smack_lsm.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) (limited to 'security') diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 0241fd359675..38d707593b31 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -1508,7 +1508,7 @@ static int smack_shm_associate(struct shmid_kernel *shp, int shmflg) */ static int smack_shm_shmctl(struct shmid_kernel *shp, int cmd) { - char *ssp = smack_of_shm(shp); + char *ssp; int may; switch (cmd) { @@ -1532,6 +1532,7 @@ static int smack_shm_shmctl(struct shmid_kernel *shp, int cmd) return -EINVAL; } + ssp = smack_of_shm(shp); return smk_curacc(ssp, may); } @@ -1616,7 +1617,7 @@ static int smack_sem_associate(struct sem_array *sma, int semflg) */ static int smack_sem_semctl(struct sem_array *sma, int cmd) { - char *ssp = smack_of_sem(sma); + char *ssp; int may; switch (cmd) { @@ -1645,6 +1646,7 @@ static int smack_sem_semctl(struct sem_array *sma, int cmd) return -EINVAL; } + ssp = smack_of_sem(sma); return smk_curacc(ssp, may); } @@ -1730,7 +1732,7 @@ static int smack_msg_queue_associate(struct msg_queue *msq, int msqflg) */ static int smack_msg_queue_msgctl(struct msg_queue *msq, int cmd) { - char *msp = smack_of_msq(msq); + char *msp; int may; switch (cmd) { @@ -1752,6 +1754,7 @@ static int smack_msg_queue_msgctl(struct msg_queue *msq, int cmd) return -EINVAL; } + msp = smack_of_msq(msq); return smk_curacc(msp, may); } -- cgit v1.2.3 From aedb60a67c10a0861af179725d060765262ba0fb Mon Sep 17 00:00:00 2001 From: Serge Hallyn Date: Fri, 29 Feb 2008 15:14:57 +0000 Subject: file capabilities: remove cap_task_kill() The original justification for cap_task_kill() was as follows: check_kill_permission() does appropriate uid equivalence checks. However with file capabilities it becomes possible for an unprivileged user to execute a file with file capabilities resulting in a more privileged task with the same uid. However now that cap_task_kill() always returns 0 (permission granted) when p->uid==current->uid, the whole hook is worthless, and only likely to create more subtle problems in the corner cases where it might still be called but return -EPERM. Those cases are basically when uids are different but euid/suid is equivalent as per the check in check_kill_permission(). One example of a still-broken application is 'at' for non-root users. This patch removes cap_task_kill(). Signed-off-by: Serge Hallyn Acked-by: Andrew G. Morgan Earlier-version-tested-by: Luiz Fernando N. Capitulino Acked-by: Casey Schaufler Signed-off-by: Linus Torvalds --- security/capability.c | 1 - security/commoncap.c | 40 ---------------------------------------- security/smack/smack_lsm.c | 5 ----- 3 files changed, 46 deletions(-) (limited to 'security') diff --git a/security/capability.c b/security/capability.c index 9e99f36a8b5c..2c6e06d18fab 100644 --- a/security/capability.c +++ b/security/capability.c @@ -40,7 +40,6 @@ static struct security_operations capability_ops = { .inode_need_killpriv = cap_inode_need_killpriv, .inode_killpriv = cap_inode_killpriv, - .task_kill = cap_task_kill, .task_setscheduler = cap_task_setscheduler, .task_setioprio = cap_task_setioprio, .task_setnice = cap_task_setnice, diff --git a/security/commoncap.c b/security/commoncap.c index bb0c095f5761..06d5c9469ba3 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -540,41 +540,6 @@ int cap_task_setnice (struct task_struct *p, int nice) return cap_safe_nice(p); } -int cap_task_kill(struct task_struct *p, struct siginfo *info, - int sig, u32 secid) -{ - if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info))) - return 0; - - /* - * Running a setuid root program raises your capabilities. - * Killing your own setuid root processes was previously - * allowed. - * We must preserve legacy signal behavior in this case. - */ - if (p->uid == current->uid) - return 0; - - /* sigcont is permitted within same session */ - if (sig == SIGCONT && (task_session_nr(current) == task_session_nr(p))) - return 0; - - if (secid) - /* - * Signal sent as a particular user. - * Capabilities are ignored. May be wrong, but it's the - * only thing we can do at the moment. - * Used only by usb drivers? - */ - return 0; - if (cap_issubset(p->cap_permitted, current->cap_permitted)) - return 0; - if (capable(CAP_KILL)) - return 0; - - return -EPERM; -} - /* * called from kernel/sys.c for prctl(PR_CABSET_DROP) * done without task_capability_lock() because it introduces @@ -605,11 +570,6 @@ int cap_task_setnice (struct task_struct *p, int nice) { return 0; } -int cap_task_kill(struct task_struct *p, struct siginfo *info, - int sig, u32 secid) -{ - return 0; -} #endif void cap_task_reparent_to_init (struct task_struct *p) diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 38d707593b31..732ba27923c4 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -1117,11 +1117,6 @@ static int smack_task_movememory(struct task_struct *p) static int smack_task_kill(struct task_struct *p, struct siginfo *info, int sig, u32 secid) { - int rc; - - rc = cap_task_kill(p, info, sig, secid); - if (rc != 0) - return rc; /* * Special cases where signals really ought to go through * in spite of policy. Stephen Smalley suggests it may -- cgit v1.2.3 From cb622bbb69e41f2746aadf5d7d527e77597abe2e Mon Sep 17 00:00:00 2001 From: "Ahmed S. Darwish" Date: Mon, 24 Mar 2008 12:29:49 -0700 Subject: smackfs: remove redundant lock, fix open(,O_RDWR) Older smackfs was parsing MAC rules by characters, thus a need of locking write sessions on open() was needed. This lock is no longer useful now since each rule is handled by a single write() call. This is also a bugfix since seq_open() was not called if an open() O_RDWR flag was given, leading to a seq_read() without an initialized seq_file, thus an Oops. Signed-off-by: Ahmed S. Darwish Reported-by: Jonathan Corbet Acked-by: Casey Schaufler Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- security/smack/smackfs.c | 35 ++--------------------------------- 1 file changed, 2 insertions(+), 33 deletions(-) (limited to 'security') diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c index afe7c9b0732a..cfae8afcc262 100644 --- a/security/smack/smackfs.c +++ b/security/smack/smackfs.c @@ -73,11 +73,6 @@ struct smk_list_entry *smack_list; #define SEQ_READ_FINISHED 1 -/* - * Disable concurrent writing open() operations - */ -static struct semaphore smack_write_sem; - /* * Values for parsing cipso rules * SMK_DIGITLEN: Length of a digit field in a rule. @@ -168,32 +163,7 @@ static struct seq_operations load_seq_ops = { */ static int smk_open_load(struct inode *inode, struct file *file) { - if ((file->f_flags & O_ACCMODE) == O_RDONLY) - return seq_open(file, &load_seq_ops); - - if (down_interruptible(&smack_write_sem)) - return -ERESTARTSYS; - - return 0; -} - -/** - * smk_release_load - release() for /smack/load - * @inode: inode structure representing file - * @file: "load" file pointer - * - * For a reading session, use the seq_file release - * implementation. - * Otherwise, we are at the end of a writing session so - * clean everything up. - */ -static int smk_release_load(struct inode *inode, struct file *file) -{ - if ((file->f_flags & O_ACCMODE) == O_RDONLY) - return seq_release(inode, file); - - up(&smack_write_sem); - return 0; + return seq_open(file, &load_seq_ops); } /** @@ -341,7 +311,7 @@ static const struct file_operations smk_load_ops = { .read = seq_read, .llseek = seq_lseek, .write = smk_write_load, - .release = smk_release_load, + .release = seq_release, }; /** @@ -1011,7 +981,6 @@ static int __init init_smk_fs(void) } } - sema_init(&smack_write_sem, 1); smk_cipso_doi(); smk_unlbl_ambient(NULL); -- cgit v1.2.3 From 0794c66d49885a2f615618ce4940434b5b067d84 Mon Sep 17 00:00:00 2001 From: Stephen Smalley Date: Mon, 17 Mar 2008 08:55:18 -0400 Subject: selinux: handle files opened with flags 3 by checking ioctl permission Handle files opened with flags 3 by checking ioctl permission. Default to returning FILE__IOCTL from file_to_av() if the f_mode has neither FMODE_READ nor FMODE_WRITE, and thus check ioctl permission on exec or transfer, thereby validating such descriptors early as with normal r/w descriptors and catching leaks of them prior to attempted usage. Signed-off-by: Stephen Smalley Acked-by: Eric Paris Signed-off-by: James Morris --- security/selinux/hooks.c | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'security') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 41a049f50f58..c2fef7b12dc7 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -1630,6 +1630,12 @@ static inline u32 file_to_av(struct file *file) else av |= FILE__WRITE; } + if (!av) { + /* + * Special file opened with flags 3 for ioctl-only use. + */ + av = FILE__IOCTL; + } return av; } -- cgit v1.2.3