diff options
author | Linus Torvalds <torvalds@linux-foundation.org> | 2014-12-15 05:36:37 +0100 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2014-12-15 05:36:37 +0100 |
commit | 67e2c3883828b39548cee2091b36656787775d95 (patch) | |
tree | 975a0f546a604beda30d4ede34f8e9cca9a88b71 /security/smack | |
parent | Merge tag 'char-misc-3.19-rc1' of git://git.kernel.org/pub/scm/linux/kernel/g... (diff) | |
parent | Merge branch 'next' of git://git.infradead.org/users/pcmoore/selinux into next (diff) | |
download | linux-67e2c3883828b39548cee2091b36656787775d95.tar.xz linux-67e2c3883828b39548cee2091b36656787775d95.zip |
Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull security layer updates from James Morris:
"In terms of changes, there's general maintenance to the Smack,
SELinux, and integrity code.
The IMA code adds a new kconfig option, IMA_APPRAISE_SIGNED_INIT,
which allows IMA appraisal to require signatures. Support for reading
keys from rootfs before init is call is also added"
* 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (23 commits)
selinux: Remove security_ops extern
security: smack: fix out-of-bounds access in smk_parse_smack()
VFS: refactor vfs_read()
ima: require signature based appraisal
integrity: provide a hook to load keys when rootfs is ready
ima: load x509 certificate from the kernel
integrity: provide a function to load x509 certificate from the kernel
integrity: define a new function integrity_read_file()
Security: smack: replace kzalloc with kmem_cache for inode_smack
Smack: Lock mode for the floor and hat labels
ima: added support for new kernel cmdline parameter ima_template_fmt
ima: allocate field pointers array on demand in template_desc_init_fields()
ima: don't allocate a copy of template_fmt in template_desc_init_fields()
ima: display template format in meas. list if template name length is zero
ima: added error messages to template-related functions
ima: use atomic bit operations to protect policy update interface
ima: ignore empty and with whitespaces policy lines
ima: no need to allocate entry for comment
ima: report policy load status
ima: use path names cache
...
Diffstat (limited to 'security/smack')
-rw-r--r-- | security/smack/smack_access.c | 17 | ||||
-rw-r--r-- | security/smack/smack_lsm.c | 13 |
2 files changed, 18 insertions, 12 deletions
diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c index 5b970ffde024..1158430f5bb9 100644 --- a/security/smack/smack_access.c +++ b/security/smack/smack_access.c @@ -142,8 +142,7 @@ int smk_access(struct smack_known *subject, struct smack_known *object, * Tasks cannot be assigned the internet label. * An internet subject can access any object. */ - if (object == &smack_known_web || - subject == &smack_known_web) + if (object == &smack_known_web || subject == &smack_known_web) goto out_audit; /* * A star object can be accessed by any subject. @@ -157,10 +156,11 @@ int smk_access(struct smack_known *subject, struct smack_known *object, if (subject->smk_known == object->smk_known) goto out_audit; /* - * A hat subject can read any object. - * A floor object can be read by any subject. + * A hat subject can read or lock any object. + * A floor object can be read or locked by any subject. */ - if ((request & MAY_ANYREAD) == request) { + if ((request & MAY_ANYREAD) == request || + (request & MAY_LOCK) == request) { if (object == &smack_known_floor) goto out_audit; if (subject == &smack_known_hat) @@ -452,10 +452,9 @@ char *smk_parse_smack(const char *string, int len) return NULL; smack = kzalloc(i + 1, GFP_KERNEL); - if (smack != NULL) { - strncpy(smack, string, i + 1); - smack[i] = '\0'; - } + if (smack != NULL) + strncpy(smack, string, i); + return smack; } diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 433ae61e7f42..f1b17a476e12 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -53,6 +53,7 @@ #define SMK_SENDING 2 LIST_HEAD(smk_ipv6_port_list); +static struct kmem_cache *smack_inode_cache; #ifdef CONFIG_SECURITY_SMACK_BRINGUP static void smk_bu_mode(int mode, char *s) @@ -240,7 +241,7 @@ struct inode_smack *new_inode_smack(struct smack_known *skp) { struct inode_smack *isp; - isp = kzalloc(sizeof(struct inode_smack), GFP_NOFS); + isp = kmem_cache_zalloc(smack_inode_cache, GFP_NOFS); if (isp == NULL) return NULL; @@ -767,7 +768,7 @@ static int smack_inode_alloc_security(struct inode *inode) */ static void smack_inode_free_security(struct inode *inode) { - kfree(inode->i_security); + kmem_cache_free(smack_inode_cache, inode->i_security); inode->i_security = NULL; } @@ -4264,10 +4265,16 @@ static __init int smack_init(void) if (!security_module_enable(&smack_ops)) return 0; + smack_inode_cache = KMEM_CACHE(inode_smack, 0); + if (!smack_inode_cache) + return -ENOMEM; + tsp = new_task_smack(&smack_known_floor, &smack_known_floor, GFP_KERNEL); - if (tsp == NULL) + if (tsp == NULL) { + kmem_cache_destroy(smack_inode_cache); return -ENOMEM; + } printk(KERN_INFO "Smack: Initializing.\n"); |