diff options
author | James Morris <jmorris@namei.org> | 2009-05-08 17:56:47 +1000 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2009-05-08 17:56:47 +1000 |
commit | d254117099d711f215e62427f55dfb8ebd5ad011 (patch) | |
tree | 0848ff8dd74314fec14a86497f8d288c86ba7c65 /security | |
parent | 07ff7a0b187f3951788f64ae1f30e8109bc8e9eb (diff) | |
parent | 8c9ed899b44c19e81859fbb0e9d659fe2f8630fc (diff) | |
download | op-kernel-dev-d254117099d711f215e62427f55dfb8ebd5ad011.zip op-kernel-dev-d254117099d711f215e62427f55dfb8ebd5ad011.tar.gz |
Merge branch 'master' into next
Diffstat (limited to 'security')
-rw-r--r-- | security/commoncap.c | 1 | ||||
-rw-r--r-- | security/device_cgroup.c | 21 | ||||
-rw-r--r-- | security/keys/request_key.c | 9 | ||||
-rw-r--r-- | security/security.c | 2 | ||||
-rw-r--r-- | security/selinux/hooks.c | 2 | ||||
-rw-r--r-- | security/smack/smack_lsm.c | 11 | ||||
-rw-r--r-- | security/tomoyo/common.c | 6 | ||||
-rw-r--r-- | security/tomoyo/common.h | 2 | ||||
-rw-r--r-- | security/tomoyo/domain.c | 2 | ||||
-rw-r--r-- | security/tomoyo/file.c | 2 | ||||
-rw-r--r-- | security/tomoyo/realpath.c | 3 | ||||
-rw-r--r-- | security/tomoyo/realpath.h | 2 | ||||
-rw-r--r-- | security/tomoyo/tomoyo.c | 2 | ||||
-rw-r--r-- | security/tomoyo/tomoyo.h | 2 |
14 files changed, 39 insertions, 28 deletions
diff --git a/security/commoncap.c b/security/commoncap.c index 97ac1f1..48b7e02 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -948,7 +948,6 @@ changed: return commit_creds(new); no_change: - error = 0; error: abort_creds(new); return error; diff --git a/security/device_cgroup.c b/security/device_cgroup.c index 3aacd0f..5fda7df 100644 --- a/security/device_cgroup.c +++ b/security/device_cgroup.c @@ -11,6 +11,7 @@ #include <linux/uaccess.h> #include <linux/seq_file.h> #include <linux/rcupdate.h> +#include <linux/mutex.h> #define ACC_MKNOD 1 #define ACC_READ 2 @@ -21,9 +22,11 @@ #define DEV_CHAR 2 #define DEV_ALL 4 /* this represents all devices */ +static DEFINE_MUTEX(devcgroup_mutex); + /* * whitelist locking rules: - * hold cgroup_lock() for update/read. + * hold devcgroup_mutex for update/read. * hold rcu_read_lock() for read. */ @@ -67,7 +70,7 @@ static int devcgroup_can_attach(struct cgroup_subsys *ss, } /* - * called under cgroup_lock() + * called under devcgroup_mutex */ static int dev_whitelist_copy(struct list_head *dest, struct list_head *orig) { @@ -92,7 +95,7 @@ free_and_exit: /* Stupid prototype - don't bother combining existing entries */ /* - * called under cgroup_lock() + * called under devcgroup_mutex */ static int dev_whitelist_add(struct dev_cgroup *dev_cgroup, struct dev_whitelist_item *wh) @@ -130,7 +133,7 @@ static void whitelist_item_free(struct rcu_head *rcu) } /* - * called under cgroup_lock() + * called under devcgroup_mutex */ static void dev_whitelist_rm(struct dev_cgroup *dev_cgroup, struct dev_whitelist_item *wh) @@ -185,8 +188,10 @@ static struct cgroup_subsys_state *devcgroup_create(struct cgroup_subsys *ss, list_add(&wh->list, &dev_cgroup->whitelist); } else { parent_dev_cgroup = cgroup_to_devcgroup(parent_cgroup); + mutex_lock(&devcgroup_mutex); ret = dev_whitelist_copy(&dev_cgroup->whitelist, &parent_dev_cgroup->whitelist); + mutex_unlock(&devcgroup_mutex); if (ret) { kfree(dev_cgroup); return ERR_PTR(ret); @@ -273,7 +278,7 @@ static int devcgroup_seq_read(struct cgroup *cgroup, struct cftype *cft, * does the access granted to dev_cgroup c contain the access * requested in whitelist item refwh. * return 1 if yes, 0 if no. - * call with c->lock held + * call with devcgroup_mutex held */ static int may_access_whitelist(struct dev_cgroup *c, struct dev_whitelist_item *refwh) @@ -426,11 +431,11 @@ static int devcgroup_access_write(struct cgroup *cgrp, struct cftype *cft, const char *buffer) { int retval; - if (!cgroup_lock_live_group(cgrp)) - return -ENODEV; + + mutex_lock(&devcgroup_mutex); retval = devcgroup_update_access(cgroup_to_devcgroup(cgrp), cft->private, buffer); - cgroup_unlock(); + mutex_unlock(&devcgroup_mutex); return retval; } diff --git a/security/keys/request_key.c b/security/keys/request_key.c index 22a3158..03fe63e 100644 --- a/security/keys/request_key.c +++ b/security/keys/request_key.c @@ -311,7 +311,8 @@ static int construct_alloc_key(struct key_type *type, set_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags); - down_write(&dest_keyring->sem); + if (dest_keyring) + down_write(&dest_keyring->sem); /* attach the key to the destination keyring under lock, but we do need * to do another check just in case someone beat us to it whilst we @@ -322,10 +323,12 @@ static int construct_alloc_key(struct key_type *type, if (!IS_ERR(key_ref)) goto key_already_present; - __key_link(dest_keyring, key); + if (dest_keyring) + __key_link(dest_keyring, key); mutex_unlock(&key_construction_mutex); - up_write(&dest_keyring->sem); + if (dest_keyring) + up_write(&dest_keyring->sem); mutex_unlock(&user->cons_lock); *_key = key; kleave(" = 0 [%d]", key_serial(key)); diff --git a/security/security.c b/security/security.c index 206e538..5284255 100644 --- a/security/security.c +++ b/security/security.c @@ -445,6 +445,7 @@ int security_inode_create(struct inode *dir, struct dentry *dentry, int mode) return 0; return security_ops->inode_create(dir, dentry, mode); } +EXPORT_SYMBOL_GPL(security_inode_create); int security_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) @@ -475,6 +476,7 @@ int security_inode_mkdir(struct inode *dir, struct dentry *dentry, int mode) return 0; return security_ops->inode_mkdir(dir, dentry, mode); } +EXPORT_SYMBOL_GPL(security_inode_mkdir); int security_inode_rmdir(struct inode *dir, struct dentry *dentry) { diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 39046dd..195906b 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3145,7 +3145,7 @@ static int selinux_file_send_sigiotask(struct task_struct *tsk, struct fown_struct *fown, int signum) { struct file *file; - u32 sid = current_sid(); + u32 sid = task_sid(tsk); u32 perm; struct file_security_struct *fsec; diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index f557767..0d030b4 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -675,8 +675,12 @@ static int smack_inode_setxattr(struct dentry *dentry, const char *name, strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) { if (!capable(CAP_MAC_ADMIN)) rc = -EPERM; - /* a label cannot be void and cannot begin with '-' */ - if (size == 0 || (size > 0 && ((char *)value)[0] == '-')) + /* + * check label validity here so import wont fail on + * post_setxattr + */ + if (size == 0 || size >= SMK_LABELLEN || + smk_import(value, size) == NULL) rc = -EINVAL; } else rc = cap_inode_setxattr(dentry, name, value, size, flags); @@ -713,9 +717,6 @@ static void smack_inode_post_setxattr(struct dentry *dentry, const char *name, if (strcmp(name, XATTR_NAME_SMACK)) return; - if (size >= SMK_LABELLEN) - return; - isp = dentry->d_inode->i_security; /* diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c index a0affd9..d4d41b3 100644 --- a/security/tomoyo/common.c +++ b/security/tomoyo/common.c @@ -5,7 +5,7 @@ * * Copyright (C) 2005-2009 NTT DATA CORPORATION * - * Version: 2.2.0-pre 2009/02/01 + * Version: 2.2.0 2009/04/01 * */ @@ -1773,7 +1773,7 @@ void tomoyo_load_policy(const char *filename) envp[2] = NULL; call_usermodehelper(argv[0], argv, envp, 1); - printk(KERN_INFO "TOMOYO: 2.2.0-pre 2009/02/01\n"); + printk(KERN_INFO "TOMOYO: 2.2.0 2009/04/01\n"); printk(KERN_INFO "Mandatory Access Control activated.\n"); tomoyo_policy_loaded = true; { /* Check all profiles currently assigned to domains are defined. */ @@ -1800,7 +1800,7 @@ void tomoyo_load_policy(const char *filename) static int tomoyo_read_version(struct tomoyo_io_buffer *head) { if (!head->read_eof) { - tomoyo_io_printf(head, "2.2.0-pre"); + tomoyo_io_printf(head, "2.2.0"); head->read_eof = true; } return 0; diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h index e77e6a6..678f4ff 100644 --- a/security/tomoyo/common.h +++ b/security/tomoyo/common.h @@ -5,7 +5,7 @@ * * Copyright (C) 2005-2009 NTT DATA CORPORATION * - * Version: 2.2.0-pre 2009/02/01 + * Version: 2.2.0 2009/04/01 * */ diff --git a/security/tomoyo/domain.c b/security/tomoyo/domain.c index 2f2b449..2d67487 100644 --- a/security/tomoyo/domain.c +++ b/security/tomoyo/domain.c @@ -5,7 +5,7 @@ * * Copyright (C) 2005-2009 NTT DATA CORPORATION * - * Version: 2.2.0-pre 2009/02/01 + * Version: 2.2.0 2009/04/01 * */ diff --git a/security/tomoyo/file.c b/security/tomoyo/file.c index 65f50c1..2316da8 100644 --- a/security/tomoyo/file.c +++ b/security/tomoyo/file.c @@ -5,7 +5,7 @@ * * Copyright (C) 2005-2009 NTT DATA CORPORATION * - * Version: 2.2.0-pre 2009/02/01 + * Version: 2.2.0 2009/04/01 * */ diff --git a/security/tomoyo/realpath.c b/security/tomoyo/realpath.c index d47f16b..bf8e2b4 100644 --- a/security/tomoyo/realpath.c +++ b/security/tomoyo/realpath.c @@ -5,13 +5,14 @@ * * Copyright (C) 2005-2009 NTT DATA CORPORATION * - * Version: 2.2.0-pre 2009/02/01 + * Version: 2.2.0 2009/04/01 * */ #include <linux/types.h> #include <linux/mount.h> #include <linux/mnt_namespace.h> +#include <linux/fs_struct.h> #include "common.h" #include "realpath.h" diff --git a/security/tomoyo/realpath.h b/security/tomoyo/realpath.h index 7ec9fc9c..78217a3 100644 --- a/security/tomoyo/realpath.h +++ b/security/tomoyo/realpath.h @@ -5,7 +5,7 @@ * * Copyright (C) 2005-2009 NTT DATA CORPORATION * - * Version: 2.2.0-pre 2009/02/01 + * Version: 2.2.0 2009/04/01 * */ diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c index 3eeeae1..5b48191 100644 --- a/security/tomoyo/tomoyo.c +++ b/security/tomoyo/tomoyo.c @@ -5,7 +5,7 @@ * * Copyright (C) 2005-2009 NTT DATA CORPORATION * - * Version: 2.2.0-pre 2009/02/01 + * Version: 2.2.0 2009/04/01 * */ diff --git a/security/tomoyo/tomoyo.h b/security/tomoyo/tomoyo.h index a0c8f6e..41c6eba 100644 --- a/security/tomoyo/tomoyo.h +++ b/security/tomoyo/tomoyo.h @@ -5,7 +5,7 @@ * * Copyright (C) 2005-2009 NTT DATA CORPORATION * - * Version: 2.2.0-pre 2009/02/01 + * Version: 2.2.0 2009/04/01 * */ |