author | Alex Shi <alex.shi@linaro.org> | 2016-02-29 10:18:54 +0800 |
---|---|---|
committer | Alex Shi <alex.shi@linaro.org> | 2016-02-29 10:18:54 +0800 |
commit | 582ee3a96f6a108f589bdc4ce8cc8176c8d763e5 (patch) | |
tree | ffb7c064fe0b7202ebc770cd3c69f5b802893215 /security | |
parent | 02bbd06e489a9f56910973535152d3ec47f3fdcc (diff) | |
parent | 12a08707dec7ff067688710aee0d4698f6da98a6 (diff) |
Merge branch 'linux-linaro-lsk-v4.4' into linux-linaro-lsk-v4.4-android
Diffstat (limited to 'security')
-rw-r--r-- | security/commoncap.c | 7 | ||||
-rw-r--r-- | security/integrity/evm/evm_main.c | 3 |
2 files changed, 8 insertions, 2 deletions
diff --git a/security/commoncap.c b/security/commoncap.c
index f035b84b3601..7fa251aea32f 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -148,12 +148,17 @@ int cap_ptrace_access_check(struct task_struct *child, unsigned int mode)
 {
 int ret = 0;
 const struct cred *cred, *child_cred;
+ const kernel_cap_t *caller_caps;
 
 rcu_read_lock();
 cred = current_cred();
 child_cred = __task_cred(child);
+ if (mode & PTRACE_MODE_FSCREDS)
+ caller_caps = &cred->cap_effective;
+ else
+ caller_caps = &cred->cap_permitted;
 if (cred->user_ns == child_cred->user_ns &&
- cap_issubset(child_cred->cap_permitted, cred->cap_permitted))
+ cap_issubset(child_cred->cap_permitted, *caller_caps))
 goto out;
 if (ns_capable(child_cred->user_ns, CAP_SYS_PTRACE))
 goto out;
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index 1334e02ae8f4..3d145a3ffccf 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -23,6 +23,7 @@
 #include <linux/integrity.h>
 #include <linux/evm.h>
 #include <crypto/hash.h>
+#include <crypto/algapi.h>
 #include "evm.h"
 
 int evm_initialized;
@@ -148,7 +149,7 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
 xattr_value_len, calc.digest);
 if (rc)
 break;
- rc = memcmp(xattr_data->digest, calc.digest,
+ rc = crypto_memneq(xattr_data->digest, calc.digest,
 sizeof(calc.digest));
 if (rc)
 rc = -EINVAL;
|
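Review bot: The new `if`/`else` in cap_ptrace_access_check treats every `mode` without PTRACE_MODE_FSCREDS as a real-credentials request, so a caller that sets neither credential flag is silently judged against `cap_permitted`; nothing in the hunk shows the flags being validated, so if no caller-side check exists this default should at least be documented. I would put `/* FSCREDS: filesystem-style access, judged on the effective set; otherwise ptrace-style access, judged on the permitted set */` above the branch and extend the function's kernel-doc (outside this hunk) to say that `mode` now selects the capability set. The `ns_capable()` fallback below the subset test is unchanged and does not look at `mode`, which is worth stating in the same comment. The function body continues past the end of the hunk.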
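Review bot: The comparison in evm_verify_hmac still reads `sizeof(calc.digest)` bytes from `xattr_data->digest`, and the hunk shows no check that the stored xattr is at least that long; if the part of the function above the hunk does not already enforce it, a short stored EVM xattr would be compared past its end. A guard such as `if (<stored xattr length> != sizeof(*xattr_data)) { rc = -EINVAL; break; }` before the compare would close that (the length variable is outside the hunk, so the name is a placeholder). It would also help to say next to the call why crypto_memneq is used, e.g. `/* constant-time: do not leak how many HMAC bytes matched */`, so it is not later reverted to memcmp. The function starts and ends outside the hunk.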