diff options
Diffstat (limited to 'security')
| -rw-r--r-- | security/selinux/hooks.c | 2 | ||||
| -rw-r--r-- | security/smack/smack_lsm.c | 11 | ||||
| -rw-r--r-- | security/tomoyo/common.c | 6 | ||||
| -rw-r--r-- | security/tomoyo/realpath.c | 16 | ||||
| -rw-r--r-- | security/tomoyo/tomoyo.c | 6 |
5 files changed, 24 insertions, 17 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index ba808ef6bab..2fcad7c33ea 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3153,7 +3153,7 @@ static int selinux_file_send_sigiotask(struct task_struct *tsk, struct fown_struct *fown, int signum) { struct file *file; - u32 sid = current_sid(); + u32 sid = task_sid(tsk); u32 perm; struct file_security_struct *fsec; diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 921514902ec..98b3195347a 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -609,8 +609,12 @@ static int smack_inode_setxattr(struct dentry *dentry, const char *name, strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) { if (!capable(CAP_MAC_ADMIN)) rc = -EPERM; - /* a label cannot be void and cannot begin with '-' */ - if (size == 0 || (size > 0 && ((char *)value)[0] == '-')) + /* + * check label validity here so import wont fail on + * post_setxattr + */ + if (size == 0 || size >= SMK_LABELLEN || + smk_import(value, size) == NULL) rc = -EINVAL; } else rc = cap_inode_setxattr(dentry, name, value, size, flags); @@ -644,9 +648,6 @@ static void smack_inode_post_setxattr(struct dentry *dentry, const char *name, if (strcmp(name, XATTR_NAME_SMACK)) return; - if (size >= SMK_LABELLEN) - return; - isp = dentry->d_inode->i_security; /* diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c index d4d41b3efc7..ddfb9cccf46 100644 --- a/security/tomoyo/common.c +++ b/security/tomoyo/common.c @@ -1720,14 +1720,14 @@ static bool tomoyo_policy_loader_exists(void) * policies are not loaded yet. * Thus, let do_execve() call this function everytime. */ - struct nameidata nd; + struct path path; - if (path_lookup(tomoyo_loader, LOOKUP_FOLLOW, &nd)) { + if (kern_path(tomoyo_loader, LOOKUP_FOLLOW, &path)) { printk(KERN_INFO "Not activating Mandatory Access Control now " "since %s doesn't exist.\n", tomoyo_loader); return false; } - path_put(&nd.path); + path_put(&path); return true; } diff --git a/security/tomoyo/realpath.c b/security/tomoyo/realpath.c index bf8e2b45168..40927a84cb6 100644 --- a/security/tomoyo/realpath.c +++ b/security/tomoyo/realpath.c @@ -165,11 +165,11 @@ char *tomoyo_realpath_from_path(struct path *path) */ char *tomoyo_realpath(const char *pathname) { - struct nameidata nd; + struct path path; - if (pathname && path_lookup(pathname, LOOKUP_FOLLOW, &nd) == 0) { - char *buf = tomoyo_realpath_from_path(&nd.path); - path_put(&nd.path); + if (pathname && kern_path(pathname, LOOKUP_FOLLOW, &path) == 0) { + char *buf = tomoyo_realpath_from_path(&path); + path_put(&path); return buf; } return NULL; @@ -184,11 +184,11 @@ char *tomoyo_realpath(const char *pathname) */ char *tomoyo_realpath_nofollow(const char *pathname) { - struct nameidata nd; + struct path path; - if (pathname && path_lookup(pathname, 0, &nd) == 0) { - char *buf = tomoyo_realpath_from_path(&nd.path); - path_put(&nd.path); + if (pathname && kern_path(pathname, 0, &path) == 0) { + char *buf = tomoyo_realpath_from_path(&path); + path_put(&path); return buf; } return NULL; diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c index 5b481912752..e42be5c4f05 100644 --- a/security/tomoyo/tomoyo.c +++ b/security/tomoyo/tomoyo.c @@ -27,6 +27,12 @@ static int tomoyo_cred_prepare(struct cred *new, const struct cred *old, static int tomoyo_bprm_set_creds(struct linux_binprm *bprm) { + int rc; + + rc = cap_bprm_set_creds(bprm); + if (rc) + return rc; + /* * Do only if this function is called for the first time of an execve * operation. |