diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2018-06-06 16:15:56 -0700 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2018-06-06 16:15:56 -0700 |
| commit | 10b1eb7d8ce5635a7deb273f8291d8a0a7681de1 (patch) | |
| tree | 946b7d496a4e24db5120be376e075b52982fae83 /include | |
| parent | d75ae5bdf2353e5c6a1f83da5f6f2d31582f09a3 (diff) | |
| parent | 890e2abe1028c39e5399101a2c277219cd637aaa (diff) | |
Merge branch 'next-general' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull security system updates from James Morris:
- incorporate new socketpair() hook into LSM and wire up the SELinux
and Smack modules. From David Herrmann:
"The idea is to allow SO_PEERSEC to be called on AF_UNIX sockets
created via socketpair(2), and return the same information as if
you emulated socketpair(2) via a temporary listener socket.
Right now SO_PEERSEC will return the unlabeled credentials for a
socketpair, rather than the actual credentials of the creating
process."
- remove the unused security_settime LSM hook (Sargun Dhillon).
- remove some stack allocated arrays from the keys code (Tycho
Andersen)
* 'next-general' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
dh key: get rid of stack allocated array for zeroes
dh key: get rid of stack allocated array
big key: get rid of stack array allocation
smack: provide socketpair callback
selinux: provide socketpair callback
net: hook socketpair() into LSM
security: add hook for socketpair()
security: remove security_settime
Diffstat (limited to 'include')
| -rw-r--r-- | include/linux/lsm_hooks.h | 7 | ||||
| -rw-r--r-- | include/linux/security.h | 21 |
2 files changed, 14 insertions, 14 deletions
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 9d0b286f3dba..8f1131c8dd54 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -757,6 +757,11 @@ * @type contains the requested communications type. * @protocol contains the requested protocol. * @kern set to 1 if a kernel socket. + * @socket_socketpair: + * Check permissions before creating a fresh pair of sockets. + * @socka contains the first socket structure. + * @sockb contains the second socket structure. + * Return 0 if permission is granted and the connection was established. * @socket_bind: * Check permission before socket protocol layer bind operation is * performed and the socket @sock is bound to the address specified in the @@ -1656,6 +1661,7 @@ union security_list_options { int (*socket_create)(int family, int type, int protocol, int kern); int (*socket_post_create)(struct socket *sock, int family, int type, int protocol, int kern); + int (*socket_socketpair)(struct socket *socka, struct socket *sockb); int (*socket_bind)(struct socket *sock, struct sockaddr *address, int addrlen); int (*socket_connect)(struct socket *sock, struct sockaddr *address, @@ -1922,6 +1928,7 @@ struct security_hook_heads { struct hlist_head unix_may_send; struct hlist_head socket_create; struct hlist_head socket_post_create; + struct hlist_head socket_socketpair; struct hlist_head socket_bind; struct hlist_head socket_connect; struct hlist_head socket_listen; diff --git a/include/linux/security.h b/include/linux/security.h index 200920f521a1..63030c85ee19 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -220,12 +220,6 @@ int security_quotactl(int cmds, int type, int id, struct super_block *sb); int security_quota_on(struct dentry *dentry); int security_syslog(int type); int security_settime64(const struct timespec64 *ts, const struct timezone *tz); -static inline int security_settime(const struct timespec *ts, const struct timezone *tz) -{ - struct timespec64 ts64 = timespec_to_timespec64(*ts); - - return security_settime64(&ts64, tz); -} int security_vm_enough_memory_mm(struct mm_struct *mm, long pages); int security_bprm_set_creds(struct linux_binprm *bprm); int security_bprm_check(struct linux_binprm *bprm); @@ -508,14 +502,6 @@ static inline int security_settime64(const struct timespec64 *ts, return cap_settime(ts, tz); } -static inline int security_settime(const struct timespec *ts, - const struct timezone *tz) -{ - struct timespec64 ts64 = timespec_to_timespec64(*ts); - - return cap_settime(&ts64, tz); -} - static inline int security_vm_enough_memory_mm(struct mm_struct *mm, long pages) { return __vm_enough_memory(mm, pages, cap_vm_enough_memory(mm, pages)); @@ -1191,6 +1177,7 @@ int security_unix_may_send(struct socket *sock, struct socket *other); int security_socket_create(int family, int type, int protocol, int kern); int security_socket_post_create(struct socket *sock, int family, int type, int protocol, int kern); +int security_socket_socketpair(struct socket *socka, struct socket *sockb); int security_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen); int security_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen); int security_socket_listen(struct socket *sock, int backlog); @@ -1262,6 +1249,12 @@ static inline int security_socket_post_create(struct socket *sock, return 0; } +static inline int security_socket_socketpair(struct socket *socka, + struct socket *sockb) +{ + return 0; +} + static inline int security_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) |