Commit 847106ff authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge branch 'for-linus' of... 

Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6: (25 commits)
  security: remove register_security hook
  security: remove dummy module fix
  security: remove dummy module
  security: remove unused sb_get_mnt_opts hook
  LSM/SELinux: show LSM mount options in /proc/mounts
  SELinux: allow fstype unknown to policy to use xattrs if present
  security: fix return of void-valued expressions
  SELinux: use do_each_thread as a proper do/while block
  SELinux: remove unused and shadowed addrlen variable
  SELinux: more user friendly unknown handling printk
  selinux: change handling of invalid classes (Was: Re: 2.6.26-rc5-mm1 selinux whine)
  SELinux: drop load_mutex in security_load_policy
  SELinux: fix off by 1 reference of class_to_string in context_struct_compute_av
  SELinux: open code sidtab lock
  SELinux: open code load_mutex
  SELinux: open code policy_rwlock
  selinux: fix endianness bug in network node address handling
  selinux: simplify ioctl checking
  SELinux: enable processes with mac_admin to get the raw inode contexts
  Security: split proc ptrace checking into read vs. attach
  ...
parents c142bda4 6f0f0fd4

fs/namespace.c

+11 −3
Original line number Diff line number Diff line
@@ -750,7 +750,7 @@ struct proc_fs_info { 
	const char *str;

};



static void show_sb_opts(struct seq_file *m, struct super_block *sb)

static int show_sb_opts(struct seq_file *m, struct super_block *sb)

{

	static const struct proc_fs_info fs_info[] = {

		{ MS_SYNCHRONOUS, ",sync" },
@@ -764,6 +764,8 @@ static void show_sb_opts(struct seq_file *m, struct super_block *sb) 
		if (sb->s_flags & fs_infop->flag)

			seq_puts(m, fs_infop->str);

	}



	return security_sb_show_options(m, sb);

}



static void show_mnt_opts(struct seq_file *m, struct vfsmount *mnt)
@@ -806,11 +808,14 @@ static int show_vfsmnt(struct seq_file *m, void *v) 
	seq_putc(m, ' ');

	show_type(m, mnt->mnt_sb);

	seq_puts(m, __mnt_is_readonly(mnt) ? " ro" : " rw");

	show_sb_opts(m, mnt->mnt_sb);

	err = show_sb_opts(m, mnt->mnt_sb);

	if (err)

		goto out;

	show_mnt_opts(m, mnt);

	if (mnt->mnt_sb->s_op->show_options)

		err = mnt->mnt_sb->s_op->show_options(m, mnt);

	seq_puts(m, " 0 0\n");

out:

	return err;

}
@@ -865,10 +870,13 @@ static int show_mountinfo(struct seq_file *m, void *v) 
	seq_putc(m, ' ');

	mangle(m, mnt->mnt_devname ? mnt->mnt_devname : "none");

	seq_puts(m, sb->s_flags & MS_RDONLY ? " ro" : " rw");

	show_sb_opts(m, sb);

	err = show_sb_opts(m, sb);

	if (err)

		goto out;

	if (sb->s_op->show_options)

		err = sb->s_op->show_options(m, mnt);

	seq_putc(m, '\n');

out:

	return err;

}

fs/proc/base.c

+5 −4
Original line number Diff line number Diff line
@@ -233,7 +233,7 @@ static int check_mem_permission(struct task_struct *task) 
	 */

	if (task->parent == current && (task->ptrace & PT_PTRACED) &&

	    task_is_stopped_or_traced(task) &&

	    ptrace_may_attach(task))

	    ptrace_may_access(task, PTRACE_MODE_ATTACH))

		return 0;



	/*
@@ -251,7 +251,8 @@ struct mm_struct *mm_for_maps(struct task_struct *task) 
	task_lock(task);

	if (task->mm != mm)

		goto out;

	if (task->mm != current->mm && __ptrace_may_attach(task) < 0)

	if (task->mm != current->mm &&

	    __ptrace_may_access(task, PTRACE_MODE_READ) < 0)

		goto out;

	task_unlock(task);

	return mm;
@@ -518,7 +519,7 @@ static int proc_fd_access_allowed(struct inode *inode) 
	 */

	task = get_proc_task(inode);

	if (task) {

		allowed = ptrace_may_attach(task);

		allowed = ptrace_may_access(task, PTRACE_MODE_READ);

		put_task_struct(task);

	}

	return allowed;
@@ -904,7 +905,7 @@ static ssize_t environ_read(struct file *file, char __user *buf, 
	if (!task)

		goto out_no_task;



	if (!ptrace_may_attach(task))

	if (!ptrace_may_access(task, PTRACE_MODE_READ))

		goto out;



	ret = -ENOMEM;

fs/proc/task_mmu.c

+3 −3
Original line number Diff line number Diff line
@@ -210,7 +210,7 @@ static int show_map(struct seq_file *m, void *v) 
	dev_t dev = 0;

	int len;



	if (maps_protect && !ptrace_may_attach(task))

	if (maps_protect && !ptrace_may_access(task, PTRACE_MODE_READ))

		return -EACCES;



	if (file) {
@@ -646,7 +646,7 @@ static ssize_t pagemap_read(struct file *file, char __user *buf, 
		goto out;



	ret = -EACCES;

	if (!ptrace_may_attach(task))

	if (!ptrace_may_access(task, PTRACE_MODE_READ))

		goto out_task;



	ret = -EINVAL;
@@ -747,7 +747,7 @@ static int show_numa_map_checked(struct seq_file *m, void *v) 
	struct proc_maps_private *priv = m->private;

	struct task_struct *task = priv->task;



	if (maps_protect && !ptrace_may_attach(task))

	if (maps_protect && !ptrace_may_access(task, PTRACE_MODE_READ))

		return -EACCES;



	return show_numa_map(m, v);

fs/proc/task_nommu.c

+1 −1
Original line number Diff line number Diff line
@@ -113,7 +113,7 @@ static int show_map(struct seq_file *m, void *_vml) 
	struct proc_maps_private *priv = m->private;

	struct task_struct *task = priv->task;



	if (maps_protect && !ptrace_may_attach(task))

	if (maps_protect && !ptrace_may_access(task, PTRACE_MODE_READ))

		return -EACCES;



	return nommu_vma_show(m, vml->vma);

include/linux/ptrace.h

+6 −2
Original line number Diff line number Diff line
@@ -95,8 +95,12 @@ extern void __ptrace_link(struct task_struct *child, 
			  struct task_struct *new_parent);

extern void __ptrace_unlink(struct task_struct *child);

extern void ptrace_untrace(struct task_struct *child);

extern int ptrace_may_attach(struct task_struct *task);

extern int __ptrace_may_attach(struct task_struct *task);

#define PTRACE_MODE_READ   1

#define PTRACE_MODE_ATTACH 2

/* Returns 0 on success, -errno on denial. */

extern int __ptrace_may_access(struct task_struct *task, unsigned int mode);

/* Returns true on success, false on denial. */

extern bool ptrace_may_access(struct task_struct *task, unsigned int mode);



static inline int ptrace_reparented(struct task_struct *child)

{

CRA Git | Maintained and supported by SUSTech CRA and CCSE