From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Tyler Hicks <tyhicks@canonical.com>,
"Serge E. Hallyn" <serge.hallyn@ubuntu.com>,
James Morris <james.l.morris@oracle.com>,
Sasha Levin <alexander.levin@verizon.com>
Subject: [PATCH 4.7 03/59] kernel: Add noaudit variant of ns_capable()
Date: Mon, 12 Sep 2016 17:29:23 +0200 [thread overview]
Message-ID: <20160912152128.896602508@linuxfoundation.org> (raw)
In-Reply-To: <20160912152128.765864031@linuxfoundation.org>
4.7-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tyler Hicks <tyhicks@canonical.com>
commit 98f368e9e2630a3ce3e80fb10fb2e02038cf9578 upstream.
When checking the current cred for a capability in a specific user
namespace, it isn't always desirable to have the LSMs audit the check.
This patch adds a noaudit variant of ns_capable() for when those
situations arise.
The common logic between ns_capable() and the new ns_capable_noaudit()
is moved into a single, shared function to keep duplicated code to a
minimum and ease maintainability.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/capability.h | 5 ++++
kernel/capability.c | 46 +++++++++++++++++++++++++++++++++++----------
2 files changed, 41 insertions(+), 10 deletions(-)
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -206,6 +206,7 @@ extern bool has_ns_capability_noaudit(st
struct user_namespace *ns, int cap);
extern bool capable(int cap);
extern bool ns_capable(struct user_namespace *ns, int cap);
+extern bool ns_capable_noaudit(struct user_namespace *ns, int cap);
#else
static inline bool has_capability(struct task_struct *t, int cap)
{
@@ -233,6 +234,10 @@ static inline bool ns_capable(struct use
{
return true;
}
+static inline bool ns_capable_noaudit(struct user_namespace *ns, int cap)
+{
+ return true;
+}
#endif /* CONFIG_MULTIUSER */
extern bool capable_wrt_inode_uidgid(const struct inode *inode, int cap);
extern bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap);
--- a/kernel/capability.c
+++ b/kernel/capability.c
@@ -361,6 +361,24 @@ bool has_capability_noaudit(struct task_
return has_ns_capability_noaudit(t, &init_user_ns, cap);
}
+static bool ns_capable_common(struct user_namespace *ns, int cap, bool audit)
+{
+ int capable;
+
+ if (unlikely(!cap_valid(cap))) {
+ pr_crit("capable() called with invalid cap=%u\n", cap);
+ BUG();
+ }
+
+ capable = audit ? security_capable(current_cred(), ns, cap) :
+ security_capable_noaudit(current_cred(), ns, cap);
+ if (capable == 0) {
+ current->flags |= PF_SUPERPRIV;
+ return true;
+ }
+ return false;
+}
+
/**
* ns_capable - Determine if the current task has a superior capability in effect
* @ns: The usernamespace we want the capability in
@@ -374,19 +392,27 @@ bool has_capability_noaudit(struct task_
*/
bool ns_capable(struct user_namespace *ns, int cap)
{
- if (unlikely(!cap_valid(cap))) {
- pr_crit("capable() called with invalid cap=%u\n", cap);
- BUG();
- }
-
- if (security_capable(current_cred(), ns, cap) == 0) {
- current->flags |= PF_SUPERPRIV;
- return true;
- }
- return false;
+ return ns_capable_common(ns, cap, true);
}
EXPORT_SYMBOL(ns_capable);
+/**
+ * ns_capable_noaudit - Determine if the current task has a superior capability
+ * (unaudited) in effect
+ * @ns: The usernamespace we want the capability in
+ * @cap: The capability to be tested for
+ *
+ * Return true if the current task has the given superior capability currently
+ * available for use, false if not.
+ *
+ * This sets PF_SUPERPRIV on the task if the capability is available on the
+ * assumption that it's about to be used.
+ */
+bool ns_capable_noaudit(struct user_namespace *ns, int cap)
+{
+ return ns_capable_common(ns, cap, false);
+}
+EXPORT_SYMBOL(ns_capable_noaudit);
/**
* capable - Determine if the current task has a superior capability in effect
next prev parent reply other threads:[~2016-09-12 15:29 UTC|newest]
Thread overview: 59+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CGME20160912153038uscas1p166159f601d12fb1e6621d90d3ef5d311@uscas1p1.samsung.com>
[not found] ` <20160912152128.765864031@linuxfoundation.org>
2016-09-12 15:29 ` [PATCH 4.7 01/59] Revert "floppy: refactor open() flags handling" Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 02/59] apparmor: fix refcount race when finding a child profile Greg Kroah-Hartman
2016-09-12 15:29 ` Greg Kroah-Hartman [this message]
2016-09-12 15:29 ` [PATCH 4.7 04/59] net: Use ns_capable_noaudit() when determining net sysctl permissions Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 05/59] fs: Check for invalid i_uid in may_follow_link() Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 06/59] cred: Reject inodes with invalid ids in set_create_file_as() Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 07/59] ext4: validate that metadata blocks do not overlap superblock Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 08/59] ext4: fix xattr shifting when expanding inodes Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 09/59] ext4: fix xattr shifting when expanding inodes part 2 Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 10/59] ext4: properly align shifted xattrs when expanding inodes Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 11/59] ext4: avoid deadlock when expanding inode size Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 13/59] block: Fix race triggered by blk_set_queue_dying() Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 14/59] block: make sure a big bio is split into at most 256 bvecs Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 15/59] cgroup: reduce read locked section of cgroup_threadgroup_rwsem during fork Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 16/59] cdc-acm: added sanity checking for probe() Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 19/59] drm/atomic: Dont potentially reset color_mgmt_changed on successive property updates Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 20/59] drm: Reject page_flip for !DRIVER_MODESET Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 21/59] drm/msm: fix use of copy_from_user() while holding spinlock Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 22/59] drm/vc4: Use drm_free_large() on handles to match its allocation Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 23/59] drm/vc4: Fix overflow mem unreferencing when the binner runs dry Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 24/59] drm/vc4: Fix oops when userspace hands in a bad BO Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 25/59] ASoC: atmel_ssc_dai: Dont unconditionally reset SSC on stream startup Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 26/59] xfs: fix superblock inprogress check Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 27/59] timekeeping: Cap array access in timekeeping_debug Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 28/59] timekeeping: Avoid taking lock in NMI path with CONFIG_DEBUG_TIMEKEEPING Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 30/59] ovl: proper cleanup of workdir Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 31/59] ovl: dont copy up opaqueness Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 32/59] ovl: remove posix_acl_default from workdir Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 33/59] ovl: listxattr: use strnlen() Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 34/59] ovl: fix workdir creation Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 35/59] mei: me: disable driver on SPT SPS firmware Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 36/59] ubifs: Fix xattr generic handler usage Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 38/59] bdev: fix NULL pointer dereference Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 39/59] bcache: RESERVE_PRIO is too small by one when prio_buckets() is a power of two Greg Kroah-Hartman
2016-09-12 15:30 ` [PATCH 4.7 40/59] irqchip/mips-gic: Cleanup chip and handler setup Greg Kroah-Hartman
2016-09-12 15:30 ` [PATCH 4.7 41/59] irqchip/mips-gic: Implement activate op for device domain Greg Kroah-Hartman
2016-09-12 15:30 ` [PATCH 4.7 42/59] vhost/scsi: fix reuse of &vq->iov[out] in response Greg Kroah-Hartman
2016-09-12 15:30 ` [PATCH 4.7 43/59] x86/apic: Do not init irq remapping if ioapic is disabled Greg Kroah-Hartman
2016-09-12 15:30 ` [PATCH 4.7 44/59] xprtrdma: Create common scatterlist fields in rpcrdma_mw Greg Kroah-Hartman
2016-09-12 15:30 ` [PATCH 4.7 46/59] fscrypto: add authorization check for setting encryption policy Greg Kroah-Hartman
2016-09-12 15:30 ` [PATCH 4.7 47/59] fscrypto: only allow setting encryption policy on directories Greg Kroah-Hartman
2016-09-12 15:30 ` [PATCH 4.7 48/59] ALSA: usb-audio: Add sample rate inquiry quirk for B850V3 CP2114 Greg Kroah-Hartman
2016-09-12 15:30 ` [PATCH 4.7 49/59] ALSA: firewire-tascam: accessing to user space outside spinlock Greg Kroah-Hartman
2016-09-12 15:30 ` [PATCH 4.7 50/59] ALSA: fireworks: " Greg Kroah-Hartman
2016-09-12 15:30 ` [PATCH 4.7 51/59] ALSA: rawmidi: Fix possible deadlock with virmidi registration Greg Kroah-Hartman
2016-09-12 15:30 ` [PATCH 4.7 52/59] ALSA: hda - Add headset mic quirk for Dell Inspiron 5468 Greg Kroah-Hartman
2016-09-12 15:30 ` [PATCH 4.7 53/59] ALSA: hda - Enable subwoofer on Dell Inspiron 7559 Greg Kroah-Hartman
2016-09-12 15:30 ` [PATCH 4.7 54/59] ALSA: timer: fix NULL pointer dereference in read()/ioctl() race Greg Kroah-Hartman
2016-09-12 15:30 ` [PATCH 4.7 55/59] ALSA: timer: fix division by zero after SNDRV_TIMER_IOCTL_CONTINUE Greg Kroah-Hartman
2016-09-12 15:30 ` [PATCH 4.7 56/59] ALSA: timer: fix NULL pointer dereference on memory allocation failure Greg Kroah-Hartman
2016-09-12 15:30 ` [PATCH 4.7 57/59] ALSA: timer: Fix zero-division by continue of uninitialized instance Greg Kroah-Hartman
2016-09-12 15:30 ` [PATCH 4.7 58/59] scsi: fix upper bounds check of sense key in scsi_sense_key_string() Greg Kroah-Hartman
2016-09-12 15:30 ` [PATCH 4.7 59/59] cpufreq: dt: Add terminate entry for of_device_id tables Greg Kroah-Hartman
2016-09-13 3:07 ` [PATCH 4.7 00/59] 4.7.4-stable review Guenter Roeck
2016-09-13 8:57 ` Greg Kroah-Hartman
[not found] ` <57d7cc1f.0d8d1c0a.df2d3.a693@mx.google.com>
2016-09-13 12:12 ` Greg Kroah-Hartman
2016-09-13 17:40 ` Kevin Hilman
2016-09-13 18:32 ` Shuah Khan
2016-09-15 6:19 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160912152128.896602508@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=alexander.levin@verizon.com \
--cc=james.l.morris@oracle.com \
--cc=linux-kernel@vger.kernel.org \
--cc=serge.hallyn@ubuntu.com \
--cc=stable@vger.kernel.org \
--cc=tyhicks@canonical.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).