X-Git-Url: https://err.no/cgi-bin/gitweb.cgi?a=blobdiff_plain;f=security%2Fdummy.c;h=649326bf64ea37e82afe63901560f96c687a468b;hb=7199677d2e919edc75d1fb8856c98cd0c1bbcfc5;hp=64b647a0d9a648c0d59a7622103a2c10ebf2a14d;hpb=2b0460b534f383eca744eb8fff66ec9f57e702b9;p=linux-2.6 diff --git a/security/dummy.c b/security/dummy.c index 64b647a0d9..649326bf64 100644 --- a/security/dummy.c +++ b/security/dummy.c @@ -15,7 +15,6 @@ #undef DEBUG #include -#include #include #include #include @@ -37,16 +36,19 @@ static int dummy_ptrace (struct task_struct *parent, struct task_struct *child) static int dummy_capget (struct task_struct *target, kernel_cap_t * effective, kernel_cap_t * inheritable, kernel_cap_t * permitted) { - *effective = *inheritable = *permitted = 0; - if (!issecure(SECURE_NOROOT)) { - if (target->euid == 0) { - *permitted |= (~0 & ~CAP_FS_MASK); - *effective |= (~0 & ~CAP_TO_MASK(CAP_SETPCAP) & ~CAP_FS_MASK); - } - if (target->fsuid == 0) { - *permitted |= CAP_FS_MASK; - *effective |= CAP_FS_MASK; - } + if (target->euid == 0) { + cap_set_full(*permitted); + cap_set_init_eff(*effective); + } else { + cap_clear(*permitted); + cap_clear(*effective); + } + + cap_clear(*inheritable); + + if (target->fsuid != 0) { + *permitted = cap_drop_fs_set(*permitted); + *effective = cap_drop_fs_set(*effective); } return 0; } @@ -228,22 +230,40 @@ static void dummy_sb_post_remount (struct vfsmount *mnt, unsigned long flags, } -static void dummy_sb_post_mountroot (void) +static void dummy_sb_post_addmount (struct vfsmount *mnt, struct nameidata *nd) { return; } -static void dummy_sb_post_addmount (struct vfsmount *mnt, struct nameidata *nd) +static int dummy_sb_pivotroot (struct nameidata *old_nd, struct nameidata *new_nd) +{ + return 0; +} + +static void dummy_sb_post_pivotroot (struct nameidata *old_nd, struct nameidata *new_nd) { return; } -static int dummy_sb_pivotroot (struct nameidata *old_nd, struct nameidata *new_nd) +static int dummy_sb_get_mnt_opts(const struct super_block *sb, char ***mount_options, + int **flags, int *num_opts) { + *mount_options = NULL; + *flags = NULL; + *num_opts = 0; return 0; } -static void dummy_sb_post_pivotroot (struct nameidata *old_nd, struct nameidata *new_nd) +static int dummy_sb_set_mnt_opts(struct super_block *sb, char **mount_options, + int *flags, int num_opts) +{ + if (unlikely(num_opts)) + return -EOPNOTSUPP; + return 0; +} + +static void dummy_sb_clone_mnt_opts(const struct super_block *oldsb, + struct super_block *newsb) { return; } @@ -377,7 +397,17 @@ static int dummy_inode_removexattr (struct dentry *dentry, char *name) return 0; } -static int dummy_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err) +static int dummy_inode_need_killpriv(struct dentry *dentry) +{ + return 0; +} + +static int dummy_inode_killpriv(struct dentry *dentry) +{ + return 0; +} + +static int dummy_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc) { return -EOPNOTSUPP; } @@ -392,11 +422,6 @@ static int dummy_inode_listsecurity(struct inode *inode, char *buffer, size_t bu return 0; } -static const char *dummy_inode_xattr_getsuffix(void) -{ - return NULL; -} - static int dummy_file_permission (struct file *file, int mask) { return 0; @@ -424,7 +449,7 @@ static int dummy_file_mmap (struct file *file, unsigned long reqprot, unsigned long addr, unsigned long addr_only) { - if (addr < mmap_min_addr) + if ((addr < mmap_min_addr) && !capable(CAP_SYS_RAWIO)) return -EACCES; return 0; } @@ -906,11 +931,6 @@ static int dummy_register_security (const char *name, struct security_operations return -EINVAL; } -static int dummy_unregister_security (const char *name, struct security_operations *ops) -{ - return -EINVAL; -} - static void dummy_d_instantiate (struct dentry *dentry, struct inode *inode) { return; @@ -931,6 +951,11 @@ static int dummy_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) return -EOPNOTSUPP; } +static int dummy_secctx_to_secid(char *secdata, u32 seclen, u32 *secid) +{ + return -EOPNOTSUPP; +} + static void dummy_release_secctx(char *secdata, u32 seclen) { } @@ -997,10 +1022,12 @@ void security_fixup_ops (struct security_operations *ops) set_to_dummy_if_null(ops, sb_umount_close); set_to_dummy_if_null(ops, sb_umount_busy); set_to_dummy_if_null(ops, sb_post_remount); - set_to_dummy_if_null(ops, sb_post_mountroot); set_to_dummy_if_null(ops, sb_post_addmount); set_to_dummy_if_null(ops, sb_pivotroot); set_to_dummy_if_null(ops, sb_post_pivotroot); + set_to_dummy_if_null(ops, sb_get_mnt_opts); + set_to_dummy_if_null(ops, sb_set_mnt_opts); + set_to_dummy_if_null(ops, sb_clone_mnt_opts); set_to_dummy_if_null(ops, inode_alloc_security); set_to_dummy_if_null(ops, inode_free_security); set_to_dummy_if_null(ops, inode_init_security); @@ -1023,7 +1050,8 @@ void security_fixup_ops (struct security_operations *ops) set_to_dummy_if_null(ops, inode_getxattr); set_to_dummy_if_null(ops, inode_listxattr); set_to_dummy_if_null(ops, inode_removexattr); - set_to_dummy_if_null(ops, inode_xattr_getsuffix); + set_to_dummy_if_null(ops, inode_need_killpriv); + set_to_dummy_if_null(ops, inode_killpriv); set_to_dummy_if_null(ops, inode_getsecurity); set_to_dummy_if_null(ops, inode_setsecurity); set_to_dummy_if_null(ops, inode_listsecurity); @@ -1084,11 +1112,11 @@ void security_fixup_ops (struct security_operations *ops) set_to_dummy_if_null(ops, netlink_send); set_to_dummy_if_null(ops, netlink_recv); set_to_dummy_if_null(ops, register_security); - set_to_dummy_if_null(ops, unregister_security); set_to_dummy_if_null(ops, d_instantiate); set_to_dummy_if_null(ops, getprocattr); set_to_dummy_if_null(ops, setprocattr); set_to_dummy_if_null(ops, secid_to_secctx); + set_to_dummy_if_null(ops, secctx_to_secid); set_to_dummy_if_null(ops, release_secctx); #ifdef CONFIG_SECURITY_NETWORK set_to_dummy_if_null(ops, unix_stream_connect);