Miscellaneous minor fixes for v5.13.
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEgycj0O+d1G2aycA8rZhLv9lQBTwFAmCIm8cACgkQrZhLv9lQ BTwJehAAoukC2NmR4BvW5VAeba3OroXmA8cxRR17hXzkUKaoJDqnuBjZjbHBsL+a mUbcrO1cQyGiqvIz5LbUENa561HxCiCqt+DARli7fMJvKgrJAoSaUQWAyTguOU7o wUoKQbc1e3asWpHuH4oJm5hxZHTrdbWgebwzI2RI87qPbHsh0KNKli5b49zmVdcI 3yzsOJmHxQwkLPqga8diL/3xd0jYj5qk8ySJrEpLzEbxgMEEoFJzrddfzixH2TME 5xyl+CZO6R1kZZdzLizI/mmsNqEay0aCdY0ydGbX0ekIkv4/+Fc2Q0zQ2dY1i9g8 Pkg8KcJRd57c85hCjBAiS5lV8KQpXupDPbI1PoD+aHdD0pJ1t+r2GogdAaUWo3Su Gw/E7oBpR4s5KDxvAo+EW+u5UCYEwozvo4RmXaq80L16GxbVffEJKQj039KWFQ1C kcO+lg9xkD9W/p8O0B8BW2EkeVRj4mwQthI+VDDwmaC2GFRLcaOVp4CqDhppo5Bt YnwJUBKkoQGYXPpxq3T/tA2WrmjFW0ZSeGFwFFP5SgDRForj4Udkn7J4J7aqDtUA zwhAssJ10DHrqMcxu9lBvwuM3o9pZMjGVJNRI89ffIZ3hKd+WXRGI478Jsqohvp4 8lmckuXif1UukMYctjs3eIGuKHLj0QufuTMypVcMfw4B+927lvA= =l2df -----END PGP SIGNATURE----- Merge tag 'fixes-v5.13' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security Pull security layer fixes from James Morris: "Miscellaneous minor fixes" * tag 'fixes-v5.13' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: security: commoncap: clean up kernel-doc comments security: commoncap: fix -Wstringop-overread warning
This commit is contained in:
Коммит
acd3d28594
|
@ -50,7 +50,7 @@ static void warn_setuid_and_fcaps_mixed(const char *fname)
|
|||
/**
|
||||
* cap_capable - Determine whether a task has a particular effective capability
|
||||
* @cred: The credentials to use
|
||||
* @ns: The user namespace in which we need the capability
|
||||
* @targ_ns: The user namespace in which we need the capability
|
||||
* @cap: The capability to check for
|
||||
* @opts: Bitmask of options defined in include/linux/security.h
|
||||
*
|
||||
|
@ -289,7 +289,7 @@ int cap_capset(struct cred *new,
|
|||
* affects the security markings on that inode, and if it is, should
|
||||
* inode_killpriv() be invoked or the change rejected.
|
||||
*
|
||||
* Returns 1 if security.capability has a value, meaning inode_killpriv()
|
||||
* Return: 1 if security.capability has a value, meaning inode_killpriv()
|
||||
* is required, 0 otherwise, meaning inode_killpriv() is not required.
|
||||
*/
|
||||
int cap_inode_need_killpriv(struct dentry *dentry)
|
||||
|
@ -315,7 +315,7 @@ int cap_inode_need_killpriv(struct dentry *dentry)
|
|||
* permissions. On non-idmapped mounts or if permission checking is to be
|
||||
* performed on the raw inode simply passs init_user_ns.
|
||||
*
|
||||
* Returns 0 if successful, -ve on error.
|
||||
* Return: 0 if successful, -ve on error.
|
||||
*/
|
||||
int cap_inode_killpriv(struct user_namespace *mnt_userns, struct dentry *dentry)
|
||||
{
|
||||
|
@ -400,7 +400,7 @@ int cap_inode_getsecurity(struct user_namespace *mnt_userns,
|
|||
&tmpbuf, size, GFP_NOFS);
|
||||
dput(dentry);
|
||||
|
||||
if (ret < 0)
|
||||
if (ret < 0 || !tmpbuf)
|
||||
return ret;
|
||||
|
||||
fs_ns = inode->i_sb->s_user_ns;
|
||||
|
@ -532,7 +532,7 @@ static bool validheader(size_t size, const struct vfs_cap_data *cap)
|
|||
* permissions. On non-idmapped mounts or if permission checking is to be
|
||||
* performed on the raw inode simply passs init_user_ns.
|
||||
*
|
||||
* If all is ok, we return the new size, on error return < 0.
|
||||
* Return: On success, return the new size; on error, return < 0.
|
||||
*/
|
||||
int cap_convert_nscap(struct user_namespace *mnt_userns, struct dentry *dentry,
|
||||
const void **ivalue, size_t size)
|
||||
|
@ -881,7 +881,9 @@ static inline bool nonroot_raised_pE(struct cred *new, const struct cred *old,
|
|||
*
|
||||
* Set up the proposed credentials for a new execution context being
|
||||
* constructed by execve(). The proposed creds in @bprm->cred is altered,
|
||||
* which won't take effect immediately. Returns 0 if successful, -ve on error.
|
||||
* which won't take effect immediately.
|
||||
*
|
||||
* Return: 0 if successful, -ve on error.
|
||||
*/
|
||||
int cap_bprm_creds_from_file(struct linux_binprm *bprm, struct file *file)
|
||||
{
|
||||
|
@ -1117,7 +1119,9 @@ static inline void cap_emulate_setxuid(struct cred *new, const struct cred *old)
|
|||
* @flags: Indications of what has changed
|
||||
*
|
||||
* Fix up the results of setuid() call before the credential changes are
|
||||
* actually applied, returning 0 to grant the changes, -ve to deny them.
|
||||
* actually applied.
|
||||
*
|
||||
* Return: 0 to grant the changes, -ve to deny them.
|
||||
*/
|
||||
int cap_task_fix_setuid(struct cred *new, const struct cred *old, int flags)
|
||||
{
|
||||
|
@ -1187,7 +1191,9 @@ static int cap_safe_nice(struct task_struct *p)
|
|||
* @p: The task to affect
|
||||
*
|
||||
* Detemine if the requested scheduler policy change is permitted for the
|
||||
* specified task, returning 0 if permission is granted, -ve if denied.
|
||||
* specified task.
|
||||
*
|
||||
* Return: 0 if permission is granted, -ve if denied.
|
||||
*/
|
||||
int cap_task_setscheduler(struct task_struct *p)
|
||||
{
|
||||
|
@ -1195,12 +1201,14 @@ int cap_task_setscheduler(struct task_struct *p)
|
|||
}
|
||||
|
||||
/**
|
||||
* cap_task_ioprio - Detemine if I/O priority change is permitted
|
||||
* cap_task_setioprio - Detemine if I/O priority change is permitted
|
||||
* @p: The task to affect
|
||||
* @ioprio: The I/O priority to set
|
||||
*
|
||||
* Detemine if the requested I/O priority change is permitted for the specified
|
||||
* task, returning 0 if permission is granted, -ve if denied.
|
||||
* task.
|
||||
*
|
||||
* Return: 0 if permission is granted, -ve if denied.
|
||||
*/
|
||||
int cap_task_setioprio(struct task_struct *p, int ioprio)
|
||||
{
|
||||
|
@ -1208,12 +1216,14 @@ int cap_task_setioprio(struct task_struct *p, int ioprio)
|
|||
}
|
||||
|
||||
/**
|
||||
* cap_task_ioprio - Detemine if task priority change is permitted
|
||||
* cap_task_setnice - Detemine if task priority change is permitted
|
||||
* @p: The task to affect
|
||||
* @nice: The nice value to set
|
||||
*
|
||||
* Detemine if the requested task priority change is permitted for the
|
||||
* specified task, returning 0 if permission is granted, -ve if denied.
|
||||
* specified task.
|
||||
*
|
||||
* Return: 0 if permission is granted, -ve if denied.
|
||||
*/
|
||||
int cap_task_setnice(struct task_struct *p, int nice)
|
||||
{
|
||||
|
@ -1243,12 +1253,15 @@ static int cap_prctl_drop(unsigned long cap)
|
|||
/**
|
||||
* cap_task_prctl - Implement process control functions for this security module
|
||||
* @option: The process control function requested
|
||||
* @arg2, @arg3, @arg4, @arg5: The argument data for this function
|
||||
* @arg2: The argument data for this function
|
||||
* @arg3: The argument data for this function
|
||||
* @arg4: The argument data for this function
|
||||
* @arg5: The argument data for this function
|
||||
*
|
||||
* Allow process control functions (sys_prctl()) to alter capabilities; may
|
||||
* also deny access to other functions not otherwise implemented here.
|
||||
*
|
||||
* Returns 0 or +ve on success, -ENOSYS if this function is not implemented
|
||||
* Return: 0 or +ve on success, -ENOSYS if this function is not implemented
|
||||
* here, other -ve on error. If -ENOSYS is returned, sys_prctl() and other LSM
|
||||
* modules will consider performing the function.
|
||||
*/
|
||||
|
@ -1383,7 +1396,9 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
|
|||
* @pages: The size of the mapping
|
||||
*
|
||||
* Determine whether the allocation of a new virtual mapping by the current
|
||||
* task is permitted, returning 1 if permission is granted, 0 if not.
|
||||
* task is permitted.
|
||||
*
|
||||
* Return: 1 if permission is granted, 0 if not.
|
||||
*/
|
||||
int cap_vm_enough_memory(struct mm_struct *mm, long pages)
|
||||
{
|
||||
|
@ -1396,14 +1411,15 @@ int cap_vm_enough_memory(struct mm_struct *mm, long pages)
|
|||
return cap_sys_admin;
|
||||
}
|
||||
|
||||
/*
|
||||
/**
|
||||
* cap_mmap_addr - check if able to map given addr
|
||||
* @addr: address attempting to be mapped
|
||||
*
|
||||
* If the process is attempting to map memory below dac_mmap_min_addr they need
|
||||
* CAP_SYS_RAWIO. The other parameters to this function are unused by the
|
||||
* capability security module. Returns 0 if this mapping should be allowed
|
||||
* -EPERM if not.
|
||||
* capability security module.
|
||||
*
|
||||
* Return: 0 if this mapping should be allowed or -EPERM if not.
|
||||
*/
|
||||
int cap_mmap_addr(unsigned long addr)
|
||||
{
|
||||
|
|
Загрузка…
Ссылка в новой задаче