diff options
| author | Alex Shi <alex.shi@linaro.org> | 2014-06-17 15:50:01 +0800 |
|---|---|---|
| committer | Alex Shi <alex.shi@linaro.org> | 2014-06-17 15:50:01 +0800 |
| commit | fea9037ebedd7f0b0ef56239efe9857fcfed4e21 (patch) | |
| tree | 9a95a67b33f80e8d16b2b6754e5270329a6a7134 /kernel | |
| parent | 9921b8dc1fb1b6607092d8293cbff0b8e4416c07 (diff) | |
| parent | 73eabc6d790066f9d77345d0c61fc6ae4736b5fc (diff) | |
Merge tag v3.10.44 into linux-linaro-lsk
This is the 3.10.44 stable release.
Diffstat (limited to 'kernel')
| -rw-r--r-- | kernel/auditsc.c | 27 | ||||
| -rw-r--r-- | kernel/capability.c | 18 |
2 files changed, 25 insertions, 20 deletions
diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 9845cb32b60a..03a3af8538bd 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -733,6 +733,22 @@ static enum audit_state audit_filter_task(struct task_struct *tsk, char **key) return AUDIT_BUILD_CONTEXT; } +static int audit_in_mask(const struct audit_krule *rule, unsigned long val) +{ + int word, bit; + + if (val > 0xffffffff) + return false; + + word = AUDIT_WORD(val); + if (word >= AUDIT_BITMASK_SIZE) + return false; + + bit = AUDIT_BIT(val); + + return rule->mask[word] & bit; +} + /* At syscall entry and exit time, this filter is called if the * audit_state is not low enough that auditing cannot take place, but is * also not high enough that we already know we have to write an audit @@ -750,11 +766,8 @@ static enum audit_state audit_filter_syscall(struct task_struct *tsk, rcu_read_lock(); if (!list_empty(list)) { - int word = AUDIT_WORD(ctx->major); - int bit = AUDIT_BIT(ctx->major); - list_for_each_entry_rcu(e, list, list) { - if ((e->rule.mask[word] & bit) == bit && + if (audit_in_mask(&e->rule, ctx->major) && audit_filter_rules(tsk, &e->rule, ctx, NULL, &state, false)) { rcu_read_unlock(); @@ -774,20 +787,16 @@ static enum audit_state audit_filter_syscall(struct task_struct *tsk, static int audit_filter_inode_name(struct task_struct *tsk, struct audit_names *n, struct audit_context *ctx) { - int word, bit; int h = audit_hash_ino((u32)n->ino); struct list_head *list = &audit_inode_hash[h]; struct audit_entry *e; enum audit_state state; - word = AUDIT_WORD(ctx->major); - bit = AUDIT_BIT(ctx->major); - if (list_empty(list)) return 0; list_for_each_entry_rcu(e, list, list) { - if ((e->rule.mask[word] & bit) == bit && + if (audit_in_mask(&e->rule, ctx->major) && audit_filter_rules(tsk, &e->rule, ctx, n, &state, false)) { ctx->current_state = state; return 1; diff --git a/kernel/capability.c b/kernel/capability.c index f6c2ce5701e1..d52eecc0942b 100644 --- a/kernel/capability.c +++ b/kernel/capability.c @@ -445,22 +445,18 @@ bool nsown_capable(int cap) } /** - * inode_capable - Check superior capability over inode + * capable_wrt_inode_uidgid - Check nsown_capable and uid and gid mapped * @inode: The inode in question * @cap: The capability in question * - * Return true if the current task has the given superior capability - * targeted at it's own user namespace and that the given inode is owned - * by the current user namespace or a child namespace. - * - * Currently we check to see if an inode is owned by the current - * user namespace by seeing if the inode's owner maps into the - * current user namespace. - * + * Return true if the current task has the given capability targeted at + * its own user namespace and that the given inode's uid and gid are + * mapped into the current user namespace. */ -bool inode_capable(const struct inode *inode, int cap) +bool capable_wrt_inode_uidgid(const struct inode *inode, int cap) { struct user_namespace *ns = current_user_ns(); - return ns_capable(ns, cap) && kuid_has_mapping(ns, inode->i_uid); + return ns_capable(ns, cap) && kuid_has_mapping(ns, inode->i_uid) && + kgid_has_mapping(ns, inode->i_gid); } |