summaryrefslogtreecommitdiffstats
path: root/security/apparmor
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@linux-foundation.org>2018-04-07 20:11:41 +0200
committerLinus Torvalds <torvalds@linux-foundation.org>2018-04-07 20:11:41 +0200
commit3612605a5a5bc3d3ae0ec861328be8a2990f2c7a (patch)
tree6c387085155874bdf15ff9eec539c15801880734 /security/apparmor
parentMerge tag 'fscache-next-20180406' of git://git.kernel.org/pub/scm/linux/kerne... (diff)
parentsecurity: convert security hooks to use hlist (diff)
downloadlinux-3612605a5a5bc3d3ae0ec861328be8a2990f2c7a.tar.xz
linux-3612605a5a5bc3d3ae0ec861328be8a2990f2c7a.zip
Merge branch 'next-general' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull general security layer updates from James Morris: - Convert security hooks from list to hlist, a nice cleanup, saving about 50% of space, from Sargun Dhillon. - Only pass the cred, not the secid, to kill_pid_info_as_cred and security_task_kill (as the secid can be determined from the cred), from Stephen Smalley. - Close a potential race in kernel_read_file(), by making the file unwritable before calling the LSM check (vs after), from Kees Cook. * 'next-general' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: security: convert security hooks to use hlist exec: Set file unwritable before LSM check usb, signal, security: only pass the cred, not the secid, to kill_pid_info_as_cred and security_task_kill
Diffstat (limited to 'security/apparmor')
-rw-r--r--security/apparmor/lsm.c17
1 files changed, 12 insertions, 5 deletions
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 6134302c143c..528f59b580a8 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -716,16 +716,23 @@ static int apparmor_task_setrlimit(struct task_struct *task,
}
static int apparmor_task_kill(struct task_struct *target, struct siginfo *info,
- int sig, u32 secid)
+ int sig, const struct cred *cred)
{
struct aa_label *cl, *tl;
int error;
- if (secid)
- /* TODO: after secid to label mapping is done.
- * Dealing with USB IO specific behavior
+ if (cred) {
+ /*
+ * Dealing with USB IO specific behavior
*/
- return 0;
+ cl = aa_get_newest_cred_label(cred);
+ tl = aa_get_task_label(target);
+ error = aa_may_signal(cl, tl, sig);
+ aa_put_label(cl);
+ aa_put_label(tl);
+ return error;
+ }
+
cl = __begin_current_label_crit_section();
tl = aa_get_task_label(target);
error = aa_may_signal(cl, tl, sig);