Message-ID: <5500C4D6.7070302@schaufler-ca.com>
Date: Wed, 11 Mar 2015 15:42:30 -0700
From: Casey Schaufler User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0 MIME-Version: 1.0 To: Stephen Smalley , James Morris , James Morris , LSM , LKLM CC: Paul Moore , John Johansen , Tetsuo Handa , Eric Paris , Kees Cook , Casey Schaufler Subject: [PATCH 8/7 v21] LSM: Fixes for issues found in review References: <54FE4553.3000209@schaufler-ca.com> <54FE46EF.4000708@schaufler-ca.com> <5500708B.3050101@tycho.nsa.gov> <55008DD0.3030402@schaufler-ca.com> <5500967A.3040203@tycho.nsa.gov> In-Reply-To: <5500967A.3040203@tycho.nsa.gov> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Subject: [PATCH 8/7 v21] LSM: Fixes for issues found in review Correct capability hook uses that hadn't been done properly in the 6/7 patch. Signed-off-by: Casey Schaufler Reported-by: Stephen Smalley --- security/apparmor/domain.c | 8 +++----- security/selinux/hooks.c | 15 +-------------- 2 files changed, 4 insertions(+), 19 deletions(-) diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c index b09fff7..dc0027b 100644 --- a/security/apparmor/domain.c +++ b/security/apparmor/domain.c @@ -529,15 +529,13 @@ cleanup: */ int apparmor_bprm_secureexec(struct linux_binprm *bprm) { - int ret = cap_bprm_secureexec(bprm); - /* the decision to use secure exec is computed in set_creds * and stored in bprm->unsafe. */ - if (!ret && (bprm->unsafe & AA_SECURE_X_NEEDED)) - ret = 1; + if (bprm->unsafe & AA_SECURE_X_NEEDED) + return 1; - return ret; + return 0; } /** diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 3fd8610..e71c797 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c 
@@ -2008,7 +2008,7 @@ static int selinux_ptrace_traceme(struct task_struct *parent) static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted) { - return cap_capget(target, effective, inheritable, permitted); + return current_has_perm(target, PROCESS__GETCAP); } static int selinux_capset(struct cred *new, const struct cred *old, @@ -2016,13 +2016,6 @@ static int selinux_capset(struct cred *new, const struct cred *old, const kernel_cap_t *inheritable, const kernel_cap_t *permitted) { - int error; - - error = cap_capset(new, old, - effective, inheritable, permitted); - if (error) - return error; - return cred_has_perm(old, new, PROCESS__SETCAP); } @@ -2039,12 +2032,6 @@ static int selinux_capset(struct cred *new, const struct cred *old, static int selinux_capable(const struct cred *cred, struct user_namespace *ns, int cap, int audit) { - int rc; - - rc = cap_capable(cred, ns, cap, audit); - if (rc) - return rc; - return cred_has_capability(cred, cap, audit); }
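Review bot: In the apparmor_bprm_secureexec hunk the new unconditional `return 0;` only preserves the old result if the LSM infrastructure now calls cap_bprm_secureexec itself for every security_bprm_secureexec() query and honours a nonzero return, because the dropped `int ret = cap_bprm_secureexec(bprm);` was what made a setuid/setgid or capability-raising exec secure when AA_SECURE_X_NEEDED is not set. The commit message should say explicitly that this removal relies on the capability module's hook being invoked by the infrastructure (the 6/7 change it refers to), so that the hunk is not read as AppArmor dropping the secure-exec check. Style nit: the body collapses to `return !!(bprm->unsafe & AA_SECURE_X_NEEDED);`.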
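Review bot: The selinux_capget hunk replaces `return cap_capget(target, effective, inheritable, permitted);` with `return current_has_perm(target, PROCESS__GETCAP);`, which shows that after 6/7 the SELinux hook had become a plain pass-through with no PROCESS__GETCAP check at all; that is a permission-check regression being repaired, not a cleanup, and "Correct capability hook uses" in the commit message undersells it. It also follows that the effective/inheritable/permitted out-parameters are no longer written by this function, so the caller only receives meaningful sets if the capability module's capget still runs on this path; worth a sentence so nobody later reorders the hooks.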
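Review bot: In the selinux_capset hunk the removed `error = cap_capset(new, old, effective, inheritable, permitted); if (error) return error;` used to guarantee that the requested sets were validated and applied to `new` before cred_has_perm(old, new, PROCESS__SETCAP) compared the two credentials, and that a cap_capset failure short-circuited the SELinux check. After this change both the ordering and the short-circuit depend on how the infrastructure sequences the capability hook relative to SELinux's; please state in the commit message that the capability module's capset runs first and that a nonzero return stops the chain, otherwise the SELinux decision can be made against a `new` that the capability code subsequently rejects.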
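Review bot: After the selinux_capable hunk `ns` is no longer referenced anywhere in the function: the removed `rc = cap_capable(cred, ns, cap, audit);` was its only use, so user-namespace ownership of the capability is now checked solely by the capability module's hook while cred_has_capability(cred, cap, audit) stays namespace-agnostic. If that split is intended, an unused hook parameter with no explanation invites a later "fix"; add a one-line comment above the function (or a sentence in the commit message) saying the namespace check is delegated to the capability LSM and must remain ahead of this hook on both the audited and the noaudit path.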