UbiquitousOS
/
OpenCloudOS-Kernel
mirror of https://gitee.com/OpenCloudOS/OpenCloudOS-Kernel.git
11
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge branch 'next-smack' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 

Pull smack updates from James Morris:
 "Two minor fixes"

* 'next-smack' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
  Smack: Privilege check on key operations
  Smack: fix dereferenced before check
This commit is contained in:
Linus Torvalds 2018-01-31 13:10:22 -08:00
parent 3c29548f87 d19dfe58b7
commit 2a71490314
3 changed files with 39 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
security/smack/smack.h
View File

@ -321,6 +321,7 @@ struct smack_known *smk_import_entry(const char *, int);
void smk_insert_entry(struct smack_known *skp);
struct smack_known *smk_find_entry(const char *);
bool smack_privileged(int cap);
bool smack_privileged_cred(int cap, const struct cred *cred);
void smk_destroy_label_list(struct list_head *list);
/*

40
security/smack/smack_access.c
View File

@ -623,26 +623,24 @@ struct smack_known *smack_from_secid(const u32 secid)
LIST_HEAD(smack_onlycap_list);
DEFINE_MUTEX(smack_onlycap_lock);
/*
/**
* smack_privileged_cred - are all privilege requirements met by cred
* @cap: The requested capability
* @cred: the credential to use
*
* Is the task privileged and allowed to be privileged
* by the onlycap rule.
*
* Returns true if the task is allowed to be privileged, false if it's not.
*/
bool smack_privileged(int cap)
bool smack_privileged_cred(int cap, const struct cred *cred)
{
struct smack_known *skp = smk_of_current();
struct task_smack *tsp = cred->security;
struct smack_known *skp = tsp->smk_task;
struct smack_known_list_elem *sklep;
int rc;
/*
* All kernel tasks are privileged
*/
if (unlikely(current->flags & PF_KTHREAD))
return true;
rc = cap_capable(current_cred(), &init_user_ns, cap,
SECURITY_CAP_AUDIT);
rc = cap_capable(cred, &init_user_ns, cap, SECURITY_CAP_AUDIT);
if (rc)
return false;
@ -662,3 +660,23 @@ bool smack_privileged(int cap)
return false;
}
/**
* smack_privileged - are all privilege requirements met
* @cap: The requested capability
*
* Is the task privileged and allowed to be privileged
* by the onlycap rule.
*
* Returns true if the task is allowed to be privileged, false if it's not.
*/
bool smack_privileged(int cap)
{
/*
* All kernel tasks are privileged
*/
if (unlikely(current->flags & PF_KTHREAD))
return true;
return smack_privileged_cred(cap, current_cred());
}

10
security/smack/smack_lsm.c
View File

@ -2866,12 +2866,16 @@ static int smack_socket_connect(struct socket *sock, struct sockaddr *sap,
#endif
#ifdef SMACK_IPV6_SECMARK_LABELING
struct smack_known *rsp;
struct socket_smack *ssp = sock->sk->sk_security;
struct socket_smack *ssp;
#endif
if (sock->sk == NULL)
return 0;
#ifdef SMACK_IPV6_SECMARK_LABELING
ssp = sock->sk->sk_security;
#endif
switch (sock->sk->sk_family) {
case PF_INET:
if (addrlen < sizeof(struct sockaddr_in))
@ -4365,6 +4369,10 @@ static int smack_key_permission(key_ref_t key_ref,
*/
if (tkp == NULL)
return -EACCES;
if (smack_privileged_cred(CAP_MAC_OVERRIDE, cred))
return 0;
#ifdef CONFIG_AUDIT
smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY);
ad.a.u.key_struct.key = keyp->serial;