diff options
| author | Kees Cook | 2012-09-04 15:32:13 -0500 |
|---|---|---|
| committer | James Morris | 2012-09-05 16:12:31 -0500 |
| commit | c6993e4ac002c92bc75379212e9179c36d4bf7ee (patch) | |
| tree | cdb4c800ea3cf4003b07087166cc767dab79032f /security/security.c | |
| parent | 81198078d7da4240f3cbfc2c6a8ea6cd417f51a7 (diff) | |
| download | am43-linux-kernel-c6993e4ac002c92bc75379212e9179c36d4bf7ee.tar.gz am43-linux-kernel-c6993e4ac002c92bc75379212e9179c36d4bf7ee.tar.xz am43-linux-kernel-c6993e4ac002c92bc75379212e9179c36d4bf7ee.zip | |
security: allow Yama to be unconditionally stacked
Unconditionally call Yama when CONFIG_SECURITY_YAMA_STACKED is selected,
no matter what LSM module is primary.
Ubuntu and Chrome OS already carry patches to do this, and Fedora
has voiced interest in doing this as well. Instead of having multiple
distributions (or LSM authors) carrying these patches, just allow Yama
to be called unconditionally when selected by the new CONFIG.
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Serge E. Hallyn <serge.hallyn@canonical.com>
Acked-by: Eric Paris <eparis@redhat.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Diffstat (limited to 'security/security.c')
| -rw-r--r-- | security/security.c | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/security/security.c b/security/security.c index 860aeb349cb..68c1b9b45d9 100644 --- a/security/security.c +++ b/security/security.c | |||
| @@ -136,11 +136,23 @@ int __init register_security(struct security_operations *ops) | |||
| 136 | 136 | ||
| 137 | int security_ptrace_access_check(struct task_struct *child, unsigned int mode) | 137 | int security_ptrace_access_check(struct task_struct *child, unsigned int mode) |
| 138 | { | 138 | { |
| 139 | #ifdef CONFIG_SECURITY_YAMA_STACKED | ||
| 140 | int rc; | ||
| 141 | rc = yama_ptrace_access_check(child, mode); | ||
| 142 | if (rc) | ||
| 143 | return rc; | ||
| 144 | #endif | ||
| 139 | return security_ops->ptrace_access_check(child, mode); | 145 | return security_ops->ptrace_access_check(child, mode); |
| 140 | } | 146 | } |
| 141 | 147 | ||
| 142 | int security_ptrace_traceme(struct task_struct *parent) | 148 | int security_ptrace_traceme(struct task_struct *parent) |
| 143 | { | 149 | { |
| 150 | #ifdef CONFIG_SECURITY_YAMA_STACKED | ||
| 151 | int rc; | ||
| 152 | rc = yama_ptrace_traceme(parent); | ||
| 153 | if (rc) | ||
| 154 | return rc; | ||
| 155 | #endif | ||
| 144 | return security_ops->ptrace_traceme(parent); | 156 | return security_ops->ptrace_traceme(parent); |
| 145 | } | 157 | } |
| 146 | 158 | ||
| @@ -761,6 +773,9 @@ int security_task_create(unsigned long clone_flags) | |||
| 761 | 773 | ||
| 762 | void security_task_free(struct task_struct *task) | 774 | void security_task_free(struct task_struct *task) |
| 763 | { | 775 | { |
| 776 | #ifdef CONFIG_SECURITY_YAMA_STACKED | ||
| 777 | yama_task_free(task); | ||
| 778 | #endif | ||
| 764 | security_ops->task_free(task); | 779 | security_ops->task_free(task); |
| 765 | } | 780 | } |
| 766 | 781 | ||
| @@ -876,6 +891,12 @@ int security_task_wait(struct task_struct *p) | |||
| 876 | int security_task_prctl(int option, unsigned long arg2, unsigned long arg3, | 891 | int security_task_prctl(int option, unsigned long arg2, unsigned long arg3, |
| 877 | unsigned long arg4, unsigned long arg5) | 892 | unsigned long arg4, unsigned long arg5) |
| 878 | { | 893 | { |
| 894 | #ifdef CONFIG_SECURITY_YAMA_STACKED | ||
| 895 | int rc; | ||
| 896 | rc = yama_task_prctl(option, arg2, arg3, arg4, arg5); | ||
| 897 | if (rc != -ENOSYS) | ||
| 898 | return rc; | ||
| 899 | #endif | ||
| 879 | return security_ops->task_prctl(option, arg2, arg3, arg4, arg5); | 900 | return security_ops->task_prctl(option, arg2, arg3, arg4, arg5); |
| 880 | } | 901 | } |
| 881 | 902 | ||