authorLinus Torvalds <torvalds@linux-foundation.org>2021-07-01 01:28:43 +0300
committerLinus Torvalds <torvalds@linux-foundation.org>2021-07-01 01:28:43 +0300
commit5c874a5b29c264f88fafb323e8df7da7b214b6a9 (patch)
treebb2c9904e4088947a55625566bba2ca947847da8 /security
parent290fe0fa6f5a1a3374dfd03fe0eda6c43d53e6cf (diff)
parentfe6bde732be8c4711a878b11491d9a2749b03909 (diff)
downloadlinux-5c874a5b29c264f88fafb323e8df7da7b214b6a9.tar.xz
Merge tag 'Smack-for-5.14' of git://github.com/cschaufler/smack-next
Pull smack updates from Casey Schaufler: "There is nothing more significant than an improvement to a byte count check in smackfs. All changes have been in next for weeks" * tag 'Smack-for-5.14' of git://github.com/cschaufler/smack-next: Smack: fix doc warning Revert "Smack: Handle io_uring kernel thread privileges" smackfs: restrict bytes count in smk_set_cipso() security/smack/: fix misspellings using codespell tool
Diffstat (limited to 'security')
-rw-r--r--security/smack/smack_access.c10
-rw-r--r--security/smack/smackfs.c4
2 files changed, 9 insertions, 5 deletions
diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
index 7eabb448acab..1f391f6a3d47 100644
--- a/security/smack/smack_access.c
+++ b/security/smack/smack_access.c
@@ -332,7 +332,7 @@ static void smack_log_callback(struct audit_buffer *ab, void *a)
* @object_label : smack label of the object being accessed
* @request: requested permissions
* @result: result from smk_access
- * @a: auxiliary audit data
+ * @ad: auxiliary audit data
*
* Audit the granting or denial of permissions in accordance
* with the policy.
@@ -396,6 +396,7 @@ struct hlist_head smack_known_hash[SMACK_HASH_SLOTS];
/**
* smk_insert_entry - insert a smack label into a hash map,
+ * @skp: smack label
*
* this function must be called under smack_known_lock
*/
@@ -476,8 +477,10 @@ char *smk_parse_smack(const char *string, int len)
/**
* smk_netlbl_mls - convert a catset to netlabel mls categories
+ * @level: MLS sensitivity level
* @catset: the Smack categories
* @sap: where to put the netlabel categories
+ * @len: number of bytes for the levels in a CIPSO IP option
*
* Allocates and fills attr.mls
* Returns 0 on success, error code on failure.
@@ -688,10 +691,9 @@ bool smack_privileged_cred(int cap, const struct cred *cred)
bool smack_privileged(int cap)
{
/*
- * Kernel threads may not have credentials we can use.
- * The io_uring kernel threads do have reliable credentials.
+ * All kernel tasks are privileged
*/
- if ((current->flags & (PF_KTHREAD | PF_IO_WORKER)) == PF_KTHREAD)
+ if (unlikely(current->flags & PF_KTHREAD))
return true;
return smack_privileged_cred(cap, current_cred());
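Review bot: The replacement comment `All kernel tasks are privileged` in smack_privileged() drops the reasoning the old two-line comment carried, so a reader can no longer tell why PF_IO_WORKER stopped being special-cased. The check now returns true for any task with PF_KTHREAD before `cap` or the credentials are consulted. That is only safe if io_uring workers, which act on behalf of user tasks, do not carry PF_KTHREAD; this is presumably the premise of the revert, but nothing in the hunk states it. I would write the comment as `Kernel threads bypass the capability check; io_uring workers are expected not to have PF_KTHREAD set and so go through smack_privileged_cred()`. The function's closing brace is outside the hunk.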
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index 22ded2c26089..3a75d2a8f517 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -380,7 +380,7 @@ static int smk_parse_rule(const char *data, struct smack_parsed_rule *rule,
* @data: string to be parsed, null terminated
* @rule: Will be filled with Smack parsed rule
* @import: if non-zero, import labels
- * @tokens: numer of substrings expected in data
+ * @tokens: number of substrings expected in data
*
* Returns number of processed bytes on success, -ERRNO on failure.
*/
@@ -855,6 +855,8 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf,
if (format == SMK_FIXED24_FMT &&
(count < SMK_CIPSOMIN || count > SMK_CIPSOMAX))
return -EINVAL;
+ if (count > PAGE_SIZE)
+ return -EINVAL;
data = memdup_user_nul(buf, count);
if (IS_ERR(data))
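Review bot: The new `count > PAGE_SIZE` bound in smk_set_cipso() has no comment saying what it protects, and PAGE_SIZE reads as an arbitrary limit next to the SMK_CIPSOMIN/SMK_CIPSOMAX check just above it. `count` comes from the write() caller and sizes the `memdup_user_nul()` allocation on the following line, so for any format other than SMK_FIXED24_FMT this is the only upper bound visible here. I would add `/* Bound the user-controlled allocation size for formats without a fixed length */` above the check. Other smackfs write handlers that hand an unchecked `count` to `memdup_user_nul()` are not visible in this diff, but if they exist they likely need the same bound. The function starts and ends outside the hunk.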