--- v17
+++ v20
@@ -22,20 +22,20 @@
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
fs/proc/base.c | 1 +
- include/linux/lsm_hooks.h | 15 +++
+ include/linux/lsm_hooks.h | 17 +++
security/apparmor/include/apparmor.h | 3 +-
security/apparmor/lsm.c | 32 +++++
security/security.c | 167 ++++++++++++++++++++++++---
security/selinux/hooks.c | 11 ++
security/selinux/include/classmap.h | 2 +-
security/smack/smack_lsm.c | 7 ++
- 8 files changed, 219 insertions(+), 19 deletions(-)
+ 8 files changed, 221 insertions(+), 19 deletions(-)
diff --git a/fs/proc/base.c b/fs/proc/base.c
-index eb2255e95f62..8217e2642096 100644
+index 617db4e0faa0..2edb51d4c725 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
-@@ -2777,6 +2777,7 @@ static const struct pid_entry attr_dir_stuff[] = {
+@@ -2803,6 +2803,7 @@ static const struct pid_entry attr_dir_stuff[] = {
ATTR(NULL, "fscreate", 0666),
ATTR(NULL, "keycreate", 0666),
ATTR(NULL, "sockcreate", 0666),
@@ -44,10 +44,10 @@
DIR("smack", 0555,
proc_smack_attr_dir_inode_ops, proc_smack_attr_dir_ops),
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
-index 5b9b79e07fb6..7799c6d2a63a 100644
+index 983008c6fede..e559df1df169 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
-@@ -1616,4 +1616,19 @@ static inline void security_delete_hooks(struct security_hook_list *hooks,
+@@ -1647,4 +1647,21 @@ static inline void security_delete_hooks(struct security_hook_list *hooks,
extern int lsm_inode_alloc(struct inode *inode);
@@ -59,10 +59,12 @@
+ */
+static inline int lsm_task_display(struct task_struct *task)
+{
++#ifdef CONFIG_SECURITY
+ int *display = task->security;
+
+ if (display)
+ return *display;
++#endif
+ return LSMBLOB_INVALID;
+}
+
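Review bot: `int *display = task->security;` in lsm_task_display() reads the display value through a bare `void *` to `int *` conversion, so the helper silently depends on the display slot occupying the first bytes of the task security blob, and nothing in the hunk records that layout assumption; the new `#ifdef CONFIG_SECURITY` guard only addresses the case where `task->security` does not exist at all. A one-line comment above the declaration, e.g. `/* The display slot is the first int of the task blob; keep in sync with the task blob layout in security.c */`, would let a reader check it against the allocation code, which is not in this hunk (presumably the security.c change at `@@ -75,7 +75,14 @@`). The function's doc comment closes at the `*/` that opens the hunk, so its description starts outside what is shown. In the `!CONFIG_SECURITY` branch `task` is now unused, which is harmless for a `static inline` in a header but could take a `(void)task;` if the file is built with stricter warnings.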
@@ -83,7 +85,7 @@
/* Control parameters settable through module/boot flags */
extern enum audit_mode aa_g_audit;
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
-index 146d75e5e021..16b992235c11 100644
+index 432915c1d427..31a6f11890f1 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -612,6 +612,25 @@ static int apparmor_getprocattr(struct task_struct *task, char *name,
@@ -133,7 +135,7 @@
if (args[size - 1] != '\0') {
/* null terminate */
diff --git a/security/security.c b/security/security.c
-index ed33ee97afe4..e86c84a904d5 100644
+index c3bac45bbb79..e1c9f87db64b 100644
--- a/security/security.c
+++ b/security/security.c
@@ -75,7 +75,14 @@ static struct kmem_cache *lsm_file_cache;
@@ -196,7 +198,7 @@
return 0;
}
-@@ -1602,14 +1623,26 @@ int security_file_open(struct file *file)
+@@ -1628,14 +1649,26 @@ int security_file_open(struct file *file)
int security_task_alloc(struct task_struct *task, unsigned long clone_flags)
{
@@ -226,7 +228,7 @@
}
void security_task_free(struct task_struct *task)
-@@ -2006,23 +2039,110 @@ int security_getprocattr(struct task_struct *p, const char *lsm, char *name,
+@@ -2038,23 +2071,110 @@ int security_getprocattr(struct task_struct *p, const char *lsm, char *name,
char **value)
{
struct security_hook_list *hp;
@@ -337,7 +339,7 @@
return hp->hook.setprocattr(name, value, size);
}
return LSM_RET_DEFAULT(setprocattr);
-@@ -2042,15 +2162,15 @@ EXPORT_SYMBOL(security_ismaclabel);
+@@ -2074,15 +2194,15 @@ EXPORT_SYMBOL(security_ismaclabel);
int security_secid_to_secctx(struct lsmblob *blob, char **secdata, u32 *seclen)
{
struct security_hook_list *hp;
@@ -349,16 +351,16 @@
continue;
- rc = hp->hook.secid_to_secctx(blob->secid[hp->lsmid->slot],
- secdata, seclen);
-- if (rc != 0)
+- if (rc != LSM_RET_DEFAULT(secid_to_secctx))
- return rc;
+ if (display == LSMBLOB_INVALID || display == hp->lsmid->slot)
+ return hp->hook.secid_to_secctx(
+ blob->secid[hp->lsmid->slot],
+ secdata, seclen);
}
- return 0;
- }
-@@ -2060,16 +2180,15 @@ int security_secctx_to_secid(const char *secdata, u32 seclen,
+
+ return LSM_RET_DEFAULT(secid_to_secctx);
+@@ -2093,16 +2213,15 @@ int security_secctx_to_secid(const char *secdata, u32 seclen,
struct lsmblob *blob)
{
struct security_hook_list *hp;
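Review bot: The rewritten loop in security_secid_to_secctx() returns from the first hook where `display == LSMBLOB_INVALID || display == hp->lsmid->slot`, so when no display is set the secctx reported to the caller comes from whichever LSM registered the hook first and the remaining LSMs are never consulted; that registration-order dependency is not stated anywhere in the hunk. A comment on the condition, e.g. `/* No display set: the first LSM providing secid_to_secctx answers */`, would make the choice explicit and easier to audit. `display` is assigned before the hunk begins (the opening lines of security_secid_to_secctx are outside it), so I cannot confirm it comes from lsm_task_display(current); it is worth checking that a task without a blob, which yields LSMBLOB_INVALID, is really meant to fall back to the first LSM rather than to `LSM_RET_DEFAULT(secid_to_secctx)`.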
@@ -379,7 +381,7 @@
}
return 0;
}
-@@ -2077,7 +2196,14 @@ EXPORT_SYMBOL(security_secctx_to_secid);
+@@ -2110,7 +2229,14 @@ EXPORT_SYMBOL(security_secctx_to_secid);
void security_release_secctx(char *secdata, u32 seclen)
{
@@ -395,7 +397,7 @@
}
EXPORT_SYMBOL(security_release_secctx);
-@@ -2202,8 +2328,15 @@ EXPORT_SYMBOL(security_sock_rcv_skb);
+@@ -2251,8 +2377,15 @@ EXPORT_SYMBOL(security_sock_rcv_skb);
int security_socket_getpeersec_stream(struct socket *sock, char __user *optval,
int __user *optlen, unsigned len)
{
@@ -414,10 +416,10 @@
int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb,
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
-index 44e9d0a332ba..ada6f6d65279 100644
+index 1172b3f30f99..f73dec68ee32 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
-@@ -6332,6 +6332,17 @@ static int selinux_setprocattr(const char *name, void *value, size_t size)
+@@ -6335,6 +6335,17 @@ static int selinux_setprocattr(const char *name, void *value, size_t size)
/*
* Basic control over ability to set these attributes at all.
*/
@@ -436,10 +438,10 @@
error = avc_has_perm(&selinux_state,
mysid, mysid, SECCLASS_PROCESS,
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
-index 986f3ac14282..ba36a55b5ea4 100644
+index 40cebde62856..1858aa47b32a 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
-@@ -52,7 +52,7 @@ struct security_class_mapping secclass_map[] = {
+@@ -53,7 +53,7 @@ struct security_class_mapping secclass_map[] = {
"execmem", "execstack", "execheap", "setkeycreate",
"setsockcreate", "getrlimit", NULL } },
{ "process2",
@@ -449,10 +451,10 @@
{ "ipc_info", "syslog_read", "syslog_mod",
"syslog_console", "module_request", "module_load", NULL } },
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
-index 12e01d450dd4..00a304861657 100644
+index d4655dec2d70..8b708cca921a 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
-@@ -3510,6 +3510,13 @@ static int smack_setprocattr(const char *name, void *value, size_t size)
+@@ -3494,6 +3494,13 @@ static int smack_setprocattr(const char *name, void *value, size_t size)
struct smack_known_list_elem *sklep;
int rc;