author | Linus Torvalds <torvalds@linux-foundation.org> | 2018-04-07 20:11:41 +0200 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2018-04-07 20:11:41 +0200 |
commit | 3612605a5a5bc3d3ae0ec861328be8a2990f2c7a (patch) | |
tree | 6c387085155874bdf15ff9eec539c15801880734 /security/apparmor | |
parent | Merge tag 'fscache-next-20180406' of git://git.kernel.org/pub/scm/linux/kerne... (diff) | |
parent | security: convert security hooks to use hlist (diff) | |
Merge branch 'next-general' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

Pull general security layer updates from James Morris:

- Convert security hooks from list to hlist, a nice cleanup, saving
  about 50% of space, from Sargun Dhillon.

- Only pass the cred, not the secid, to kill_pid_info_as_cred and
  security_task_kill (as the secid can be determined from the cred),
  from Stephen Smalley.

- Close a potential race in kernel_read_file(), by making the file
  unwritable before calling the LSM check (vs after), from Kees Cook.

* 'next-general' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
  security: convert security hooks to use hlist
  exec: Set file unwritable before LSM check
  usb, signal, security: only pass the cred, not the secid, to kill_pid_info_as_cred and security_task_kill
Diffstat (limited to 'security/apparmor')
-rw-r--r-- | security/apparmor/lsm.c | 17 |
1 files changed, 12 insertions, 5 deletions
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 6134302c143c..528f59b580a8 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -716,16 +716,23 @@ static int apparmor_task_setrlimit(struct task_struct *task, } static int apparmor_task_kill(struct task_struct *target, struct siginfo *info, - int sig, u32 secid) + int sig, const struct cred *cred) { struct aa_label *cl, *tl; int error; - if (secid) - /* TODO: after secid to label mapping is done. - * Dealing with USB IO specific behavior + if (cred) { + /* + * Dealing with USB IO specific behavior */ - return 0; + cl = aa_get_newest_cred_label(cred); + tl = aa_get_task_label(target); + error = aa_may_signal(cl, tl, sig); + aa_put_label(cl); + aa_put_label(tl); + return error; + } + cl = __begin_current_label_crit_section(); tl = aa_get_task_label(target); error = aa_may_signal(cl, tl, sig); |
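Review bot: The new `if (cred)` branch in apparmor_task_kill() changes enforcement, not just the signature, and neither the retained comment nor the merge text says so. The removed code returned 0 for any non-zero secid, so signals on this path were always allowed; the added lines now run aa_may_signal(cl, tl, sig) with cl taken from aa_get_newest_cred_label(cred), which means existing AppArmor policy can start denying signals that previously passed. The comment "Dealing with USB IO specific behavior" should state whose credentials `cred` carries and that a non-NULL cred replaces the current task's label as the signalling subject, so a reader of the hook does not have to go to the callers to learn it. The get/put pairing in the branch is balanced (both cl and tl are released before `return error`), but the `tl = aa_get_task_label(target); error = aa_may_signal(cl, tl, sig);` sequence now appears twice, once per branch. Consider selecting cl first and sharing a single check and tl release, so the two paths cannot drift apart in a later change.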