From 30e053248da178cf6154bb7e950dc8713567e3fa Mon Sep 17 00:00:00 2001 From: Jan Kara Date: Tue, 3 Jan 2012 13:14:29 +0100 Subject: security: Fix security_old_inode_init_security() when CONFIG_SECURITY is not set Commit 1e39f384bb01 ("evm: fix build problems") makes the stub version of security_old_inode_init_security() return 0 when CONFIG_SECURITY is not set. But that makes callers such as reiserfs_security_init() assume that security_old_inode_init_security() has set name, value, and len arguments properly - but security_old_inode_init_security() left them uninitialized which then results in interesting failures. Revert security_old_inode_init_security() to the old behavior of returning EOPNOTSUPP since both callers (reiserfs and ocfs2) handle this just fine. [ Also fixed the S_PRIVATE(inode) case of the actual non-stub security_old_inode_init_security() function to return EOPNOTSUPP for the same reason, as pointed out by Mimi Zohar. It got incorrectly changed to match the new function in commit fb88c2b6cbb1: "evm: fix security/security_old_init_security return code". - Linus ] Reported-by: Jorge Bastos Acked-by: James Morris Acked-by: Mimi Zohar Signed-off-by: Jan Kara Signed-off-by: Linus Torvalds --- security/security.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'security/security.c') diff --git a/security/security.c b/security/security.c index 0c6cc69c8f86..e2f684aeb70c 100644 --- a/security/security.c +++ b/security/security.c @@ -381,7 +381,7 @@ int security_old_inode_init_security(struct inode *inode, struct inode *dir, void **value, size_t *len) { if (unlikely(IS_PRIVATE(inode))) - return 0; + return -EOPNOTSUPP; return security_ops->inode_init_security(inode, dir, qstr, name, value, len); } -- cgit v1.2.3 From 18bb1db3e7607e4a997d50991a6f9fa5b0f8722c Mon Sep 17 00:00:00 2001 From: Al Viro Date: Tue, 26 Jul 2011 01:41:39 -0400 Subject: switch vfs_mkdir() and ->mkdir() to umode_t vfs_mkdir() gets int, but immediately drops everything that might not fit into umode_t and that's the only caller of ->mkdir()... Signed-off-by: Al Viro --- security/security.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'security/security.c') diff --git a/security/security.c b/security/security.c index e2f684aeb70c..be49eb5768bc 100644 --- a/security/security.c +++ b/security/security.c @@ -506,7 +506,7 @@ int security_inode_symlink(struct inode *dir, struct dentry *dentry, return security_ops->inode_symlink(dir, dentry, old_name); } -int security_inode_mkdir(struct inode *dir, struct dentry *dentry, int mode) +int security_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mode) { if (unlikely(IS_PRIVATE(dir))) return 0; -- cgit v1.2.3 From 4acdaf27ebe2034c342f3be57ef49aed1ad885ef Mon Sep 17 00:00:00 2001 From: Al Viro Date: Tue, 26 Jul 2011 01:42:34 -0400 Subject: switch ->create() to umode_t vfs_create() ignores everything outside of 16bit subset of its mode argument; switching it to umode_t is obviously equivalent and it's the only caller of the method Signed-off-by: Al Viro --- security/security.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'security/security.c') diff --git a/security/security.c b/security/security.c index be49eb5768bc..2420eed87639 100644 --- a/security/security.c +++ b/security/security.c @@ -475,7 +475,7 @@ int security_path_chroot(struct path *path) } #endif -int security_inode_create(struct inode *dir, struct dentry *dentry, int mode) +int security_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode) { if (unlikely(IS_PRIVATE(dir))) return 0; -- cgit v1.2.3 From 1a67aafb5f72a436ca044293309fa7e6351d6a35 Mon Sep 17 00:00:00 2001 From: Al Viro Date: Tue, 26 Jul 2011 01:52:52 -0400 Subject: switch ->mknod() to umode_t Signed-off-by: Al Viro --- security/security.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'security/security.c') diff --git a/security/security.c b/security/security.c index 2420eed87639..8cc0f0caa640 100644 --- a/security/security.c +++ b/security/security.c @@ -521,7 +521,7 @@ int security_inode_rmdir(struct inode *dir, struct dentry *dentry) return security_ops->inode_rmdir(dir, dentry); } -int security_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev) +int security_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev) { if (unlikely(IS_PRIVATE(dir))) return 0; -- cgit v1.2.3 From 910f4ecef3f67714ebff69d0bc34313e48afaed2 Mon Sep 17 00:00:00 2001 From: Al Viro Date: Tue, 26 Jul 2011 04:25:58 -0400 Subject: switch security_path_chmod() to umode_t Signed-off-by: Al Viro --- security/security.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'security/security.c') diff --git a/security/security.c b/security/security.c index 8cc0f0caa640..3635a13cd4ab 100644 --- a/security/security.c +++ b/security/security.c @@ -455,7 +455,7 @@ int security_path_truncate(struct path *path) } int security_path_chmod(struct dentry *dentry, struct vfsmount *mnt, - mode_t mode) + umode_t mode) { if (unlikely(IS_PRIVATE(dentry->d_inode))) return 0; -- cgit v1.2.3 From 4572befe248fd0d94aedc98775e3f0ddc8a26651 Mon Sep 17 00:00:00 2001 From: Al Viro Date: Mon, 21 Nov 2011 14:56:21 -0500 Subject: switch ->path_mkdir() to umode_t Signed-off-by: Al Viro --- security/security.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'security/security.c') diff --git a/security/security.c b/security/security.c index 3635a13cd4ab..e9724e058b43 100644 --- a/security/security.c +++ b/security/security.c @@ -397,7 +397,7 @@ int security_path_mknod(struct path *dir, struct dentry *dentry, int mode, } EXPORT_SYMBOL(security_path_mknod); -int security_path_mkdir(struct path *dir, struct dentry *dentry, int mode) +int security_path_mkdir(struct path *dir, struct dentry *dentry, umode_t mode) { if (unlikely(IS_PRIVATE(dir->dentry->d_inode))) return 0; -- cgit v1.2.3 From 04fc66e789a896e684bfdca30208e57eb832dd96 Mon Sep 17 00:00:00 2001 From: Al Viro Date: Mon, 21 Nov 2011 14:58:38 -0500 Subject: switch ->path_mknod() to umode_t Signed-off-by: Al Viro --- security/security.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'security/security.c') diff --git a/security/security.c b/security/security.c index e9724e058b43..151152de1a0a 100644 --- a/security/security.c +++ b/security/security.c @@ -388,7 +388,7 @@ int security_old_inode_init_security(struct inode *inode, struct inode *dir, EXPORT_SYMBOL(security_old_inode_init_security); #ifdef CONFIG_SECURITY_PATH -int security_path_mknod(struct path *dir, struct dentry *dentry, int mode, +int security_path_mknod(struct path *dir, struct dentry *dentry, umode_t mode, unsigned int dev) { if (unlikely(IS_PRIVATE(dir->dentry->d_inode))) -- cgit v1.2.3 From 6a9de49115d5ff9871d953af1a5c8249e1585731 Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Tue, 3 Jan 2012 12:25:14 -0500 Subject: capabilities: remove the task from capable LSM hook entirely The capabilities framework is based around credentials, not necessarily the current task. Yet we still passed the current task down into LSMs from the security_capable() LSM hook as if it was a meaningful portion of the security decision. This patch removes the 'generic' passing of current and instead forces individual LSMs to use current explicitly if they think it is appropriate. In our case those LSMs are SELinux and AppArmor. I believe the AppArmor use of current is incorrect, but that is wholely unrelated to this patch. This patch does not change what AppArmor does, it just makes it clear in the AppArmor code that it is doing it. The SELinux code still uses current in it's audit message, which may also be wrong and needs further investigation. Again this is NOT a change, it may have always been wrong, this patch just makes it clear what is happening. Signed-off-by: Eric Paris --- security/security.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) (limited to 'security/security.c') diff --git a/security/security.c b/security/security.c index d9e153390926..9ae68c64455e 100644 --- a/security/security.c +++ b/security/security.c @@ -157,8 +157,7 @@ int security_capset(struct cred *new, const struct cred *old, int security_capable(struct user_namespace *ns, const struct cred *cred, int cap) { - return security_ops->capable(current, cred, ns, cap, - SECURITY_CAP_AUDIT); + return security_ops->capable(cred, ns, cap, SECURITY_CAP_AUDIT); } int security_real_capable(struct task_struct *tsk, struct user_namespace *ns, @@ -168,7 +167,7 @@ int security_real_capable(struct task_struct *tsk, struct user_namespace *ns, int ret; cred = get_task_cred(tsk); - ret = security_ops->capable(tsk, cred, ns, cap, SECURITY_CAP_AUDIT); + ret = security_ops->capable(cred, ns, cap, SECURITY_CAP_AUDIT); put_cred(cred); return ret; } @@ -180,7 +179,7 @@ int security_real_capable_noaudit(struct task_struct *tsk, int ret; cred = get_task_cred(tsk); - ret = security_ops->capable(tsk, cred, ns, cap, SECURITY_CAP_NOAUDIT); + ret = security_ops->capable(cred, ns, cap, SECURITY_CAP_NOAUDIT); put_cred(cred); return ret; } -- cgit v1.2.3 From b7e724d303b684655e4ca3dabd5a6840ad19012d Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Tue, 3 Jan 2012 12:25:15 -0500 Subject: capabilities: reverse arguments to security_capable security_capable takes ns, cred, cap. But the LSM capable() hook takes cred, ns, cap. The capability helper functions also take cred, ns, cap. Rather than flip argument order just to flip it back, leave them alone. Heck, this should be a little faster since argument will be in the right place! Signed-off-by: Eric Paris --- security/security.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'security/security.c') diff --git a/security/security.c b/security/security.c index 9ae68c64455e..b9e57f4fc44a 100644 --- a/security/security.c +++ b/security/security.c @@ -154,7 +154,7 @@ int security_capset(struct cred *new, const struct cred *old, effective, inheritable, permitted); } -int security_capable(struct user_namespace *ns, const struct cred *cred, +int security_capable(const struct cred *cred, struct user_namespace *ns, int cap) { return security_ops->capable(cred, ns, cap, SECURITY_CAP_AUDIT); -- cgit v1.2.3 From c7eba4a97563fd8b431787f7ad623444f2da80c6 Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Tue, 3 Jan 2012 12:25:15 -0500 Subject: capabilities: introduce security_capable_noaudit Exactly like security_capable except don't audit any denials. This is for places where the kernel may make decisions about what to do if a task has a given capability, but which failing that capability is not a sign of a security policy violation. An example is checking if a task has CAP_SYS_ADMIN to lower it's likelyhood of being killed by the oom killer. This check is not a security violation if it is denied. Signed-off-by: Eric Paris Acked-by: Serge E. Hallyn --- security/security.c | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'security/security.c') diff --git a/security/security.c b/security/security.c index b9e57f4fc44a..b7edaae77d1d 100644 --- a/security/security.c +++ b/security/security.c @@ -160,6 +160,12 @@ int security_capable(const struct cred *cred, struct user_namespace *ns, return security_ops->capable(cred, ns, cap, SECURITY_CAP_AUDIT); } +int security_capable_noaudit(const struct cred *cred, struct user_namespace *ns, + int cap) +{ + return security_ops->capable(cred, ns, cap, SECURITY_CAP_NOAUDIT); +} + int security_real_capable(struct task_struct *tsk, struct user_namespace *ns, int cap) { -- cgit v1.2.3 From 2920a8409de5a51575d03deca07e5bb2be6fc98d Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Tue, 3 Jan 2012 12:25:15 -0500 Subject: capabilities: remove all _real_ interfaces The name security_real_capable and security_real_capable_noaudit just don't make much sense to me. Convert them to use security_capable and security_capable_noaudit. Signed-off-by: Eric Paris Acked-by: Serge E. Hallyn --- security/security.c | 24 ------------------------ 1 file changed, 24 deletions(-) (limited to 'security/security.c') diff --git a/security/security.c b/security/security.c index b7edaae77d1d..8900c5c4db5c 100644 --- a/security/security.c +++ b/security/security.c @@ -166,30 +166,6 @@ int security_capable_noaudit(const struct cred *cred, struct user_namespace *ns, return security_ops->capable(cred, ns, cap, SECURITY_CAP_NOAUDIT); } -int security_real_capable(struct task_struct *tsk, struct user_namespace *ns, - int cap) -{ - const struct cred *cred; - int ret; - - cred = get_task_cred(tsk); - ret = security_ops->capable(cred, ns, cap, SECURITY_CAP_AUDIT); - put_cred(cred); - return ret; -} - -int security_real_capable_noaudit(struct task_struct *tsk, - struct user_namespace *ns, int cap) -{ - const struct cred *cred; - int ret; - - cred = get_task_cred(tsk); - ret = security_ops->capable(cred, ns, cap, SECURITY_CAP_NOAUDIT); - put_cred(cred); - return ret; -} - int security_quotactl(int cmds, int type, int id, struct super_block *sb) { return security_ops->quotactl(cmds, type, id, sb); -- cgit v1.2.3 From fd778461524849afd035679030ae8e8873c72b81 Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Tue, 3 Jan 2012 12:25:16 -0500 Subject: security: remove the security_netlink_recv hook as it is equivalent to capable() Once upon a time netlink was not sync and we had to get the effective capabilities from the skb that was being received. Today we instead get the capabilities from the current task. This has rendered the entire purpose of the hook moot as it is now functionally equivalent to the capable() call. Signed-off-by: Eric Paris --- security/security.c | 6 ------ 1 file changed, 6 deletions(-) (limited to 'security/security.c') diff --git a/security/security.c b/security/security.c index 8900c5c4db5c..85481a9c5632 100644 --- a/security/security.c +++ b/security/security.c @@ -922,12 +922,6 @@ int security_netlink_send(struct sock *sk, struct sk_buff *skb) return security_ops->netlink_send(sk, skb); } -int security_netlink_recv(struct sk_buff *skb, int cap) -{ - return security_ops->netlink_recv(skb, cap); -} -EXPORT_SYMBOL(security_netlink_recv); - int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) { return security_ops->secid_to_secctx(secid, secdata, seclen); -- cgit v1.2.3 From cdcf116d44e78c7216ba9f8be9af1cdfca7af728 Mon Sep 17 00:00:00 2001 From: Al Viro Date: Thu, 8 Dec 2011 10:51:53 -0500 Subject: switch security_path_chmod() to struct path * Signed-off-by: Al Viro --- security/security.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) (limited to 'security/security.c') diff --git a/security/security.c b/security/security.c index 151152de1a0a..214502c772ab 100644 --- a/security/security.c +++ b/security/security.c @@ -454,12 +454,11 @@ int security_path_truncate(struct path *path) return security_ops->path_truncate(path); } -int security_path_chmod(struct dentry *dentry, struct vfsmount *mnt, - umode_t mode) +int security_path_chmod(struct path *path, umode_t mode) { - if (unlikely(IS_PRIVATE(dentry->d_inode))) + if (unlikely(IS_PRIVATE(path->dentry->d_inode))) return 0; - return security_ops->path_chmod(dentry, mnt, mode); + return security_ops->path_chmod(path, mode); } int security_path_chown(struct path *path, uid_t uid, gid_t gid) -- cgit v1.2.3