author | Linus Torvalds <torvalds@linux-foundation.org> | 2021-07-01 01:28:43 +0300 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2021-07-01 01:28:43 +0300 |
commit | 5c874a5b29c264f88fafb323e8df7da7b214b6a9 (patch) | |
tree | bb2c9904e4088947a55625566bba2ca947847da8 /security | |
parent | 290fe0fa6f5a1a3374dfd03fe0eda6c43d53e6cf (diff) | |
parent | fe6bde732be8c4711a878b11491d9a2749b03909 (diff) | |
download | linux-5c874a5b29c264f88fafb323e8df7da7b214b6a9.tar.xz |
Merge tag 'Smack-for-5.14' of git://github.com/cschaufler/smack-next
Pull smack updates from Casey Schaufler:
"There is nothing more significant than an improvement to a byte count
check in smackfs.
All changes have been in next for weeks"
* tag 'Smack-for-5.14' of git://github.com/cschaufler/smack-next:
Smack: fix doc warning
Revert "Smack: Handle io_uring kernel thread privileges"
smackfs: restrict bytes count in smk_set_cipso()
security/smack/: fix misspellings using codespell tool
Diffstat (limited to 'security')
-rw-r--r-- | security/smack/smack_access.c | 10 | ||||
-rw-r--r-- | security/smack/smackfs.c | 4 |
2 files changed, 9 insertions, 5 deletions
diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
index 7eabb448acab..1f391f6a3d47 100644
--- a/security/smack/smack_access.c
+++ b/security/smack/smack_access.c
@@ -332,7 +332,7 @@ static void smack_log_callback(struct audit_buffer *ab, void *a)
 * @object_label : smack label of the object being accessed
 * @request: requested permissions
 * @result: result from smk_access
- * @a: auxiliary audit data
+ * @ad: auxiliary audit data
 *
 * Audit the granting or denial of permissions in accordance
 * with the policy.
@@ -396,6 +396,7 @@ struct hlist_head smack_known_hash[SMACK_HASH_SLOTS];
 /**
 * smk_insert_entry - insert a smack label into a hash map,
+ * @skp: smack label
 *
 * this function must be called under smack_known_lock
 */
@@ -476,8 +477,10 @@ char *smk_parse_smack(const char *string, int len)
 /**
 * smk_netlbl_mls - convert a catset to netlabel mls categories
+ * @level: MLS sensitivity level
 * @catset: the Smack categories
 * @sap: where to put the netlabel categories
+ * @len: number of bytes for the levels in a CIPSO IP option
 *
 * Allocates and fills attr.mls
 * Returns 0 on success, error code on failure.
@@ -688,10 +691,9 @@ bool smack_privileged_cred(int cap, const struct cred *cred)
 bool smack_privileged(int cap)
 {
 /*
- * Kernel threads may not have credentials we can use.
- * The io_uring kernel threads do have reliable credentials.
+ * All kernel tasks are privileged
 */
- if ((current->flags & (PF_KTHREAD | PF_IO_WORKER)) == PF_KTHREAD)
+ if (unlikely(current->flags & PF_KTHREAD))
 return true;
 return smack_privileged_cred(cap, current_cred());
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index 22ded2c26089..3a75d2a8f517 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
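Review bot: In smack_privileged() (security/smack/smack_access.c, last hunk of that file) the new comment `All kernel tasks are privileged` states the rule but not the assumption that makes it safe. Every task with PF_KTHREAD set now returns true before smack_privileged_cred() is consulted, including any that also have PF_IO_WORKER set, which the removed condition excluded. That is only sound if threads doing work on behalf of a user process never carry PF_KTHREAD, which this hunk does not show and which is presumably why the special case could be reverted. I would spell that out, e.g. `/* Kernel threads bypass Smack capability checks; threads acting for userspace (such as io_uring workers) must not have PF_KTHREAD set. */`. The end of the function lies outside the hunk.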
@@ -380,7 +380,7 @@ static int smk_parse_rule(const char *data, struct smack_parsed_rule *rule,
 * @data: string to be parsed, null terminated
 * @rule: Will be filled with Smack parsed rule
 * @import: if non-zero, import labels
- * @tokens: numer of substrings expected in data
+ * @tokens: number of substrings expected in data
 *
 * Returns number of processed bytes on success, -ERRNO on failure.
 */
@@ -855,6 +855,8 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf,
 if (format == SMK_FIXED24_FMT &&
 (count < SMK_CIPSOMIN || count > SMK_CIPSOMAX))
 return -EINVAL;
+ if (count > PAGE_SIZE)
+ return -EINVAL;
 data = memdup_user_nul(buf, count);
 if (IS_ERR(data)) |
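Review bot: The added `count > PAGE_SIZE` check in smk_set_cipso() carries no comment saying what it protects, and next to the SMK_CIPSOMAX bound just above it reads as redundant. As far as the hunk shows, it matters only when format is not SMK_FIXED24_FMT, where `count` (a length chosen by the writer) would otherwise reach `memdup_user_nul()` with no upper bound and size a kernel allocation. I would add `/* Bound the user-supplied length before it sizes the allocation below. */` above the check. The function starts and ends outside the hunk, so whether a lower bound on `count` is applied for the non-fixed format cannot be told from here, and neither can whether other smackfs write handlers that copy `count` bytes have the same cap.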