Merge branch 'next' into for-linus

James Morris
2 parents d762f43831 12a5a2621b
Showing 25 changed files Side-by-side Diff
fs/binfmt_flat.c
include/linux/capability.h
include/linux/init_task.h
include/linux/key.h
include/linux/kmod.h
kernel/capability.c
kernel/cred.c
kernel/kmod.c
kernel/sysctl.c
net/dns_resolver/dns_key.c
security/Kconfig
security/commoncap.c
security/keys/internal.h
security/keys/keyctl.c
security/keys/keyring.c
security/keys/proc.c
security/keys/process_keys.c
security/keys/request_key.c
security/keys/request_key_auth.c
security/keys/user_defined.c
@@ -820,6 +820,8 @@
 	int res;
 	char buf[16];
  
+	memset(&bprm, 0, sizeof(bprm));
+
 	/* Create the file name */
 	sprintf(buf, "/lib/lib%d.so", id);
  
@@ -834,6 +836,12 @@
 	res = -ENOMEM;
 	if (!bprm.cred)
 		goto out;
+
+	/* We don't really care about recalculating credentials at this point
+	 * as we're past the point of no return and are dealing with shared
+	 * libraries.
+	 */
+	bprm.cred_prepared = 1;
  
 	res = prepare_binprm(&bprm);
  
@@ -417,7 +417,6 @@
  
 # define CAP_EMPTY_SET    ((kernel_cap_t){{ 0, 0 }})
 # define CAP_FULL_SET     ((kernel_cap_t){{ ~0, ~0 }})
-# define CAP_INIT_EFF_SET ((kernel_cap_t){{ ~CAP_TO_MASK(CAP_SETPCAP), ~0 }})
 # define CAP_FS_SET       ((kernel_cap_t){{ CAP_FS_MASK_B0 \
 				    | CAP_TO_MASK(CAP_LINUX_IMMUTABLE), \
 				    CAP_FS_MASK_B1 } })
  
@@ -427,11 +426,7 @@
  
 #endif /* _KERNEL_CAPABILITY_U32S != 2 */
  
-#define CAP_INIT_INH_SET    CAP_EMPTY_SET
-
 # define cap_clear(c)         do { (c) = __cap_empty_set; } while (0)
-# define cap_set_full(c)      do { (c) = __cap_full_set; } while (0)
-# define cap_set_init_eff(c)  do { (c) = __cap_init_eff_set; } while (0)
  
 #define cap_raise(c, flag)  ((c).cap[CAP_TO_INDEX(flag)] |= CAP_TO_MASK(flag))
 #define cap_lower(c, flag)  ((c).cap[CAP_TO_INDEX(flag)] &= ~CAP_TO_MASK(flag))
@@ -83,13 +83,6 @@
 #define INIT_IDS
 #endif
  
-/*
- * Because of the reduced scope of CAP_SETPCAP when filesystem
- * capabilities are in effect, it is safe to allow CAP_SETPCAP to
- * be available in the default configuration.
- */
-# define CAP_INIT_BSET  CAP_FULL_SET
-
 #ifdef CONFIG_RCU_BOOST
 #define INIT_TASK_RCU_BOOST()						\
 	.rcu_boost_mutex = NULL,
@@ -276,6 +276,19 @@
 	return key ? key->serial : 0;
 }
  
+/**
+ * key_is_instantiated - Determine if a key has been positively instantiated
+ * @key: The key to check.
+ *
+ * Return true if the specified key has been positively instantiated, false
+ * otherwise.
+ */
+static inline bool key_is_instantiated(const struct key *key)
+{
+	return test_bit(KEY_FLAG_INSTANTIATED, &key->flags) &&
+		!test_bit(KEY_FLAG_NEGATIVE, &key->flags);
+}
+
 #define rcu_dereference_key(KEY)					\
 	(rcu_dereference_protected((KEY)->payload.rcudata,		\
 				   rwsem_is_locked(&((struct key *)(KEY))->sem)))
@@ -24,6 +24,7 @@
 #include <linux/errno.h>
 #include <linux/compiler.h>
 #include <linux/workqueue.h>
+#include <linux/sysctl.h>
  
 #define KMOD_PATH_LEN 256
  
@@ -108,6 +109,8 @@
 	return call_usermodehelper_fns(path, argv, envp, wait,
 				       NULL, NULL, NULL);
 }
+
+extern struct ctl_table usermodehelper_table[];
  
 extern void usermodehelper_init(void);
  
@@ -22,12 +22,8 @@
  */
  
 const kernel_cap_t __cap_empty_set = CAP_EMPTY_SET;
-const kernel_cap_t __cap_full_set = CAP_FULL_SET;
-const kernel_cap_t __cap_init_eff_set = CAP_INIT_EFF_SET;
  
 EXPORT_SYMBOL(__cap_empty_set);
-EXPORT_SYMBOL(__cap_full_set);
-EXPORT_SYMBOL(__cap_init_eff_set);
  
 int file_caps_enabled = 1;
  
@@ -49,10 +49,10 @@
 	.magic			= CRED_MAGIC,
 #endif
 	.securebits		= SECUREBITS_DEFAULT,
-	.cap_inheritable	= CAP_INIT_INH_SET,
+	.cap_inheritable	= CAP_EMPTY_SET,
 	.cap_permitted		= CAP_FULL_SET,
-	.cap_effective		= CAP_INIT_EFF_SET,
-	.cap_bset		= CAP_INIT_BSET,
+	.cap_effective		= CAP_FULL_SET,
+	.cap_bset		= CAP_FULL_SET,
 	.user			= INIT_USER,
 	.user_ns		= &init_user_ns,
 	.group_info		= &init_groups,
@@ -25,6 +25,7 @@
 #include <linux/kmod.h>
 #include <linux/slab.h>
 #include <linux/completion.h>
+#include <linux/cred.h>
 #include <linux/file.h>
 #include <linux/fdtable.h>
 #include <linux/workqueue.h>
@@ -43,6 +44,13 @@
  
 static struct workqueue_struct *khelper_wq;
  
+#define CAP_BSET	(void *)1
+#define CAP_PI		(void *)2
+
+static kernel_cap_t usermodehelper_bset = CAP_FULL_SET;
+static kernel_cap_t usermodehelper_inheritable = CAP_FULL_SET;
+static DEFINE_SPINLOCK(umh_sysctl_lock);
+
 #ifdef CONFIG_MODULES
  
 /*
@@ -132,6 +140,7 @@
 static int ____call_usermodehelper(void *data)
 {
 	struct subprocess_info *sub_info = data;
+	struct cred *new;
 	int retval;
  
 	spin_lock_irq(&current->sighand->siglock);
@@ -153,6 +162,19 @@
 			goto fail;
 	}
  
+	retval = -ENOMEM;
+	new = prepare_kernel_cred(current);
+	if (!new)
+		goto fail;
+
+	spin_lock(&umh_sysctl_lock);
+	new->cap_bset = cap_intersect(usermodehelper_bset, new->cap_bset);
+	new->cap_inheritable = cap_intersect(usermodehelper_inheritable,
+					     new->cap_inheritable);
+	spin_unlock(&umh_sysctl_lock);
+
+	commit_creds(new);
+
 	retval = kernel_execve(sub_info->path,
 			       (const char *const *)sub_info->argv,
 			       (const char *const *)sub_info->envp);
@@ -419,6 +441,84 @@
 	return retval;
 }
 EXPORT_SYMBOL(call_usermodehelper_exec);
+
+static int proc_cap_handler(struct ctl_table *table, int write,
+			 void __user *buffer, size_t *lenp, loff_t *ppos)
+{
+	struct ctl_table t;
+	unsigned long cap_array[_KERNEL_CAPABILITY_U32S];
+	kernel_cap_t new_cap;
+	int err, i;
+
+	if (write && (!capable(CAP_SETPCAP) ||
+		      !capable(CAP_SYS_MODULE)))
+		return -EPERM;
+
+	/*
+	 * convert from the global kernel_cap_t to the ulong array to print to
+	 * userspace if this is a read.
+	 */
+	spin_lock(&umh_sysctl_lock);
+	for (i = 0; i < _KERNEL_CAPABILITY_U32S; i++)  {
+		if (table->data == CAP_BSET)
+			cap_array[i] = usermodehelper_bset.cap[i];
+		else if (table->data == CAP_PI)
+			cap_array[i] = usermodehelper_inheritable.cap[i];
+		else
+			BUG();
+	}
+	spin_unlock(&umh_sysctl_lock);
+
+	t = *table;
+	t.data = &cap_array;
+
+	/*
+	 * actually read or write and array of ulongs from userspace.  Remember
+	 * these are least significant 32 bits first
+	 */
+	err = proc_doulongvec_minmax(&t, write, buffer, lenp, ppos);
+	if (err < 0)
+		return err;
+
+	/*
+	 * convert from the sysctl array of ulongs to the kernel_cap_t
+	 * internal representation
+	 */
+	for (i = 0; i < _KERNEL_CAPABILITY_U32S; i++)
+		new_cap.cap[i] = cap_array[i];
+
+	/*
+	 * Drop everything not in the new_cap (but don't add things)
+	 */
+	spin_lock(&umh_sysctl_lock);
+	if (write) {
+		if (table->data == CAP_BSET)
+			usermodehelper_bset = cap_intersect(usermodehelper_bset, new_cap);
+		if (table->data == CAP_PI)
+			usermodehelper_inheritable = cap_intersect(usermodehelper_inheritable, new_cap);
+	}
+	spin_unlock(&umh_sysctl_lock);
+
+	return 0;
+}
+
+struct ctl_table usermodehelper_table[] = {
+	{
+		.procname	= "bset",
+		.data		= CAP_BSET,
+		.maxlen		= _KERNEL_CAPABILITY_U32S * sizeof(unsigned long),
+		.mode		= 0600,
+		.proc_handler	= proc_cap_handler,
+	},
+	{
+		.procname	= "inheritable",
+		.data		= CAP_PI,
+		.maxlen		= _KERNEL_CAPABILITY_U32S * sizeof(unsigned long),
+		.mode		= 0600,
+		.proc_handler	= proc_cap_handler,
+	},
+	{ }
+};
  
 void __init usermodehelper_init(void)
 {
@@ -56,6 +56,7 @@
 #include <linux/kprobes.h>
 #include <linux/pipe_fs_i.h>
 #include <linux/oom.h>
+#include <linux/kmod.h>
  
 #include <asm/uaccess.h>
 #include <asm/processor.h>
@@ -614,6 +615,11 @@
 		.procname	= "random",
 		.mode		= 0555,
 		.child		= random_table,
+	},
+	{
+		.procname	= "usermodehelper",
+		.mode		= 0555,
+		.child		= usermodehelper_table,
 	},
 	{
 		.procname	= "overflowuid",
@@ -212,10 +212,12 @@
 	int err = key->type_data.x[0];
  
 	seq_puts(m, key->description);
-	if (err)
-		seq_printf(m, ": %d", err);
-	else
-		seq_printf(m, ": %u", key->datalen);
+	if (key_is_instantiated(key)) {
+		if (err)
+			seq_printf(m, ": %d", err);
+		else
+			seq_printf(m, ": %u", key->datalen);
+	}
 }
  
 /*
@@ -167,6 +167,7 @@
 config LSM_MMAP_MIN_ADDR
 	int "Low address space for LSM to protect from user allocation"
 	depends on SECURITY && SECURITY_SELINUX
+	default 32768 if ARM
 	default 65536
 	help
 	  This is the portion of low virtual memory which should be protected
@@ -529,15 +529,10 @@
 	new->suid = new->fsuid = new->euid;
 	new->sgid = new->fsgid = new->egid;
  
-	/* For init, we want to retain the capabilities set in the initial
-	 * task.  Thus we skip the usual capability rules
-	 */
-	if (!is_global_init(current)) {
-		if (effective)
-			new->cap_effective = new->cap_permitted;
-		else
-			cap_clear(new->cap_effective);
-	}
+	if (effective)
+		new->cap_effective = new->cap_permitted;
+	else
+		cap_clear(new->cap_effective);
 	bprm->cap_effective = effective;
  
 	/*
@@ -109,11 +109,13 @@
 				    const struct cred *cred,
 				    struct key_type *type,
 				    const void *description,
-				    key_match_func_t match);
+				    key_match_func_t match,
+				    bool no_state_check);
  
 extern key_ref_t search_my_process_keyrings(struct key_type *type,
 					    const void *description,
 					    key_match_func_t match,
+					    bool no_state_check,
 					    const struct cred *cred);
 extern key_ref_t search_process_keyrings(struct key_type *type,
 					 const void *description,
@@ -206,8 +206,14 @@
 		goto error5;
 	}
  
+	/* wait for the key to finish being constructed */
+	ret = wait_for_key_construction(key, 1);
+	if (ret < 0)
+		goto error6;
+
 	ret = key->serial;
  
+error6:
  	key_put(key);
 error5:
 	key_type_put(ktype);
@@ -176,13 +176,15 @@
 	else
 		seq_puts(m, "[anon]");
  
-	rcu_read_lock();
-	klist = rcu_dereference(keyring->payload.subscriptions);
-	if (klist)
-		seq_printf(m, ": %u/%u", klist->nkeys, klist->maxkeys);
-	else
-		seq_puts(m, ": empty");
-	rcu_read_unlock();
+	if (key_is_instantiated(keyring)) {
+		rcu_read_lock();
+		klist = rcu_dereference(keyring->payload.subscriptions);
+		if (klist)
+			seq_printf(m, ": %u/%u", klist->nkeys, klist->maxkeys);
+		else
+			seq_puts(m, ": empty");
+		rcu_read_unlock();
+	}
 }
  
 /*
@@ -271,6 +273,7 @@
  * @type: The type of key to search for.
  * @description: Parameter for @match.
  * @match: Function to rule on whether or not a key is the one required.
+ * @no_state_check: Don't check if a matching key is bad
  *
  * Search the supplied keyring tree for a key that matches the criteria given.
  * The root keyring and any linked keyrings must grant Search permission to the
@@ -303,7 +306,8 @@
 			     const struct cred *cred,
 			     struct key_type *type,
 			     const void *description,
-			     key_match_func_t match)
+			     key_match_func_t match,
+			     bool no_state_check)
 {
 	struct {
 		struct keyring_list *keylist;
@@ -345,6 +349,8 @@
 	kflags = keyring->flags;
 	if (keyring->type == type && match(keyring, description)) {
 		key = keyring;
+		if (no_state_check)
+			goto found;
  
 		/* check it isn't negative and hasn't expired or been
 		 * revoked */
  
@@ -384,11 +390,13 @@
 			continue;
  
 		/* skip revoked keys and expired keys */
-		if (kflags & (1 << KEY_FLAG_REVOKED))
-			continue;
+		if (!no_state_check) {
+			if (kflags & (1 << KEY_FLAG_REVOKED))
+				continue;
  
-		if (key->expiry && now.tv_sec >= key->expiry)
-			continue;
+			if (key->expiry && now.tv_sec >= key->expiry)
+				continue;
+		}
  
 		/* keys that don't match */
 		if (!match(key, description))
@@ -399,6 +407,9 @@
 					cred, KEY_SEARCH) < 0)
 			continue;
  
+		if (no_state_check)
+			goto found;
+
 		/* we set a different error code if we pass a negative key */
 		if (kflags & (1 << KEY_FLAG_NEGATIVE)) {
 			err = key->type_data.reject_error;
@@ -478,7 +489,7 @@
 		return ERR_PTR(-ENOKEY);
  
 	return keyring_search_aux(keyring, current->cred,
-				  type, description, type->match);
+				  type, description, type->match, false);
 }
 EXPORT_SYMBOL(keyring_search);
  
@@ -199,7 +199,7 @@
 	if (key->perm & KEY_POS_VIEW) {
 		skey_ref = search_my_process_keyrings(key->type, key,
 						      lookup_user_key_possessed,
-						      cred);
+						      true, cred);
 		if (!IS_ERR(skey_ref)) {
 			key_ref_put(skey_ref);
 			key_ref = make_key_ref(key, 1);
@@ -331,6 +331,7 @@
 key_ref_t search_my_process_keyrings(struct key_type *type,
 				     const void *description,
 				     key_match_func_t match,
+				     bool no_state_check,
 				     const struct cred *cred)
 {
 	key_ref_t key_ref, ret, err;
@@ -350,7 +351,7 @@
 	if (cred->thread_keyring) {
 		key_ref = keyring_search_aux(
 			make_key_ref(cred->thread_keyring, 1),
-			cred, type, description, match);
+			cred, type, description, match, no_state_check);
 		if (!IS_ERR(key_ref))
 			goto found;
  
@@ -371,7 +372,7 @@
 	if (cred->tgcred->process_keyring) {
 		key_ref = keyring_search_aux(
 			make_key_ref(cred->tgcred->process_keyring, 1),
-			cred, type, description, match);
+			cred, type, description, match, no_state_check);
 		if (!IS_ERR(key_ref))
 			goto found;
  
@@ -395,7 +396,7 @@
 			make_key_ref(rcu_dereference(
 					     cred->tgcred->session_keyring),
 				     1),
-			cred, type, description, match);
+			cred, type, description, match, no_state_check);
 		rcu_read_unlock();
  
 		if (!IS_ERR(key_ref))
@@ -417,7 +418,7 @@
 	else if (cred->user->session_keyring) {
 		key_ref = keyring_search_aux(
 			make_key_ref(cred->user->session_keyring, 1),
-			cred, type, description, match);
+			cred, type, description, match, no_state_check);
 		if (!IS_ERR(key_ref))
 			goto found;
  
@@ -459,7 +460,8 @@
  
 	might_sleep();
  
-	key_ref = search_my_process_keyrings(type, description, match, cred);
+	key_ref = search_my_process_keyrings(type, description, match,
+					     false, cred);
 	if (!IS_ERR(key_ref))
 		goto found;
 	err = key_ref;
@@ -530,8 +530,7 @@
 	       dest_keyring, flags);
  
 	/* search all the process keyrings for a key */
-	key_ref = search_process_keyrings(type, description, type->match,
-					  cred);
+	key_ref = search_process_keyrings(type, description, type->match, cred);
  
 	if (!IS_ERR(key_ref)) {
 		key = key_ref_to_ptr(key_ref);
@@ -59,7 +59,8 @@
  
 	seq_puts(m, "key:");
 	seq_puts(m, key->description);
-	seq_printf(m, " pid:%d ci:%zu", rka->pid, rka->callout_len);
+	if (key_is_instantiated(key))
+		seq_printf(m, " pid:%d ci:%zu", rka->pid, rka->callout_len);
 }
  
 /*
@@ -157,8 +157,8 @@
 void user_describe(const struct key *key, struct seq_file *m)
 {
 	seq_puts(m, key->description);
-
-	seq_printf(m, ": %u", key->datalen);
+	if (key_is_instantiated(key))
+		seq_printf(m, ": %u", key->datalen);
 }
  
 EXPORT_SYMBOL_GPL(user_describe);
@@ -108,10 +108,9 @@
 			head->read_user_buf += len;
 			w += len;
 		}
-		if (*w) {
-			head->r.w[0] = w;
+		head->r.w[0] = w;
+		if (*w)
 			return false;
-		}
 		/* Add '\0' for query. */
 		if (head->poll) {
 			if (!head->read_user_buf_avail ||
@@ -459,8 +458,16 @@
 	if (profile == &tomoyo_default_profile)
 		return -EINVAL;
 	if (!strcmp(data, "COMMENT")) {
-		const struct tomoyo_path_info *old_comment = profile->comment;
-		profile->comment = tomoyo_get_name(cp);
+		static DEFINE_SPINLOCK(lock);
+		const struct tomoyo_path_info *new_comment
+			= tomoyo_get_name(cp);
+		const struct tomoyo_path_info *old_comment;
+		if (!new_comment)
+			return -ENOMEM;
+		spin_lock(&lock);
+		old_comment = profile->comment;
+		profile->comment = new_comment;
+		spin_unlock(&lock);
 		tomoyo_put_name(old_comment);
 		return 0;
 	}
@@ -1011,7 +1011,6 @@
 		break;
 	case TOMOYO_TYPE_RMDIR:
 	case TOMOYO_TYPE_CHROOT:
-	case TOMOYO_TYPE_UMOUNT:
 		tomoyo_add_slash(&buf);
 		break;
 	}
@@ -75,6 +75,7 @@
 		memset(data, 0, size);
 		return ptr;
 	}
+	kfree(ptr);
 	return NULL;
 }
  
@@ -143,6 +143,7 @@
 			goto out;
 		}
 		requested_dev_name = tomoyo_realpath_from_path(&path);
+		path_put(&path);
 		if (!requested_dev_name) {
 			error = -ENOENT;
 			goto out;
@@ -390,7 +390,7 @@
 		if (!cp)
 			break;
 		if (*domainname != '/' ||
-		    !tomoyo_correct_word2(domainname, cp - domainname - 1))
+		    !tomoyo_correct_word2(domainname, cp - domainname))
 			goto out;
 		domainname = cp + 1;
 	}
...	...	@@ -820,6 +820,8 @@
820	820	int res;
821	821	char buf[16];
822	822
	823	+ memset(&bprm, 0, sizeof(bprm));
	824	+
823	825	/* Create the file name */
824	826	sprintf(buf, "/lib/lib%d.so", id);
825	827
...	...	@@ -834,6 +836,12 @@
834	836	res = -ENOMEM;
835	837	if (!bprm.cred)
836	838	goto out;
	839	+
	840	+ /* We don't really care about recalculating credentials at this point
	841	+ * as we're past the point of no return and are dealing with shared
	842	+ * libraries.
	843	+ */
	844	+ bprm.cred_prepared = 1;
837	845
838	846	res = prepare_binprm(&bprm);
839	847
...	...	@@ -417,7 +417,6 @@
417	417
418	418	# define CAP_EMPTY_SET ((kernel_cap_t){{ 0, 0 }})
419	419	# define CAP_FULL_SET ((kernel_cap_t){{ ~0, ~0 }})
420		-# define CAP_INIT_EFF_SET ((kernel_cap_t){{ ~CAP_TO_MASK(CAP_SETPCAP), ~0 }})
421	420	# define CAP_FS_SET ((kernel_cap_t){{ CAP_FS_MASK_B0 \
422	421	\| CAP_TO_MASK(CAP_LINUX_IMMUTABLE), \
423	422	CAP_FS_MASK_B1 } })
424	423
...	...	@@ -427,11 +426,7 @@
427	426
428	427	#endif /* _KERNEL_CAPABILITY_U32S != 2 */
429	428
430		-#define CAP_INIT_INH_SET CAP_EMPTY_SET
431		-
432	429	# define cap_clear(c) do { (c) = __cap_empty_set; } while (0)
433		-# define cap_set_full(c) do { (c) = __cap_full_set; } while (0)
434		-# define cap_set_init_eff(c) do { (c) = __cap_init_eff_set; } while (0)
435	430
436	431	#define cap_raise(c, flag) ((c).cap[CAP_TO_INDEX(flag)] \|= CAP_TO_MASK(flag))
437	432	#define cap_lower(c, flag) ((c).cap[CAP_TO_INDEX(flag)] &= ~CAP_TO_MASK(flag))
...	...	@@ -83,13 +83,6 @@
83	83	#define INIT_IDS
84	84	#endif
85	85
86		-/*
87		- * Because of the reduced scope of CAP_SETPCAP when filesystem
88		- * capabilities are in effect, it is safe to allow CAP_SETPCAP to
89		- * be available in the default configuration.
90		- */
91		-# define CAP_INIT_BSET CAP_FULL_SET
92		-
93	86	#ifdef CONFIG_RCU_BOOST
94	87	#define INIT_TASK_RCU_BOOST() \
95	88	.rcu_boost_mutex = NULL,
...	...	@@ -276,6 +276,19 @@
276	276	return key ? key->serial : 0;
277	277	}
278	278
	279	+/**
	280	+ * key_is_instantiated - Determine if a key has been positively instantiated
	281	+ * @key: The key to check.
	282	+ *
	283	+ * Return true if the specified key has been positively instantiated, false
	284	+ * otherwise.
	285	+ */
	286	+static inline bool key_is_instantiated(const struct key *key)
	287	+{
	288	+ return test_bit(KEY_FLAG_INSTANTIATED, &key->flags) &&
	289	+ !test_bit(KEY_FLAG_NEGATIVE, &key->flags);
	290	+}
	291	+
279	292	#define rcu_dereference_key(KEY) \
280	293	(rcu_dereference_protected((KEY)->payload.rcudata, \
281	294	rwsem_is_locked(&((struct key *)(KEY))->sem)))
...	...	@@ -24,6 +24,7 @@
24	24	#include <linux/errno.h>
25	25	#include <linux/compiler.h>
26	26	#include <linux/workqueue.h>
	27	+#include <linux/sysctl.h>
27	28
28	29	#define KMOD_PATH_LEN 256
29	30
...	...	@@ -108,6 +109,8 @@
108	109	return call_usermodehelper_fns(path, argv, envp, wait,
109	110	NULL, NULL, NULL);
110	111	}
	112	+
	113	+extern struct ctl_table usermodehelper_table[];
111	114
112	115	extern void usermodehelper_init(void);
113	116
...	...	@@ -22,12 +22,8 @@
22	22	*/
23	23
24	24	const kernel_cap_t __cap_empty_set = CAP_EMPTY_SET;
25		-const kernel_cap_t __cap_full_set = CAP_FULL_SET;
26		-const kernel_cap_t __cap_init_eff_set = CAP_INIT_EFF_SET;
27	25
28	26	EXPORT_SYMBOL(__cap_empty_set);
29		-EXPORT_SYMBOL(__cap_full_set);
30		-EXPORT_SYMBOL(__cap_init_eff_set);
31	27
32	28	int file_caps_enabled = 1;
33	29
...	...	@@ -49,10 +49,10 @@
49	49	.magic = CRED_MAGIC,
50	50	#endif
51	51	.securebits = SECUREBITS_DEFAULT,
52		- .cap_inheritable = CAP_INIT_INH_SET,
	52	+ .cap_inheritable = CAP_EMPTY_SET,
53	53	.cap_permitted = CAP_FULL_SET,
54		- .cap_effective = CAP_INIT_EFF_SET,
55		- .cap_bset = CAP_INIT_BSET,
	54	+ .cap_effective = CAP_FULL_SET,
	55	+ .cap_bset = CAP_FULL_SET,
56	56	.user = INIT_USER,
57	57	.user_ns = &init_user_ns,
58	58	.group_info = &init_groups,
...	...	@@ -25,6 +25,7 @@
25	25	#include <linux/kmod.h>
26	26	#include <linux/slab.h>
27	27	#include <linux/completion.h>
	28	+#include <linux/cred.h>
28	29	#include <linux/file.h>
29	30	#include <linux/fdtable.h>
30	31	#include <linux/workqueue.h>
...	...	@@ -43,6 +44,13 @@
43	44
44	45	static struct workqueue_struct *khelper_wq;
45	46
	47	+#define CAP_BSET (void *)1
	48	+#define CAP_PI (void *)2
	49	+
	50	+static kernel_cap_t usermodehelper_bset = CAP_FULL_SET;
	51	+static kernel_cap_t usermodehelper_inheritable = CAP_FULL_SET;
	52	+static DEFINE_SPINLOCK(umh_sysctl_lock);
	53	+
46	54	#ifdef CONFIG_MODULES
47	55
48	56	/*
...	...	@@ -132,6 +140,7 @@
132	140	static int ____call_usermodehelper(void *data)
133	141	{
134	142	struct subprocess_info *sub_info = data;
	143	+ struct cred *new;
135	144	int retval;
136	145
137	146	spin_lock_irq(&current->sighand->siglock);
...	...	@@ -153,6 +162,19 @@
153	162	goto fail;
154	163	}
155	164
	165	+ retval = -ENOMEM;
	166	+ new = prepare_kernel_cred(current);
	167	+ if (!new)
	168	+ goto fail;
	169	+
	170	+ spin_lock(&umh_sysctl_lock);
	171	+ new->cap_bset = cap_intersect(usermodehelper_bset, new->cap_bset);
	172	+ new->cap_inheritable = cap_intersect(usermodehelper_inheritable,
	173	+ new->cap_inheritable);
	174	+ spin_unlock(&umh_sysctl_lock);
	175	+
	176	+ commit_creds(new);
	177	+
156	178	retval = kernel_execve(sub_info->path,
157	179	(const char const )sub_info->argv,
158	180	(const char const )sub_info->envp);
...	...	@@ -419,6 +441,84 @@
419	441	return retval;
420	442	}
421	443	EXPORT_SYMBOL(call_usermodehelper_exec);
	444	+
	445	+static int proc_cap_handler(struct ctl_table *table, int write,
	446	+ void __user buffer, size_t lenp, loff_t *ppos)
	447	+{
	448	+ struct ctl_table t;
	449	+ unsigned long cap_array[_KERNEL_CAPABILITY_U32S];
	450	+ kernel_cap_t new_cap;
	451	+ int err, i;
	452	+
	453	+ if (write && (!capable(CAP_SETPCAP) \|\|
	454	+ !capable(CAP_SYS_MODULE)))
	455	+ return -EPERM;
	456	+
	457	+ /*
	458	+ * convert from the global kernel_cap_t to the ulong array to print to
	459	+ * userspace if this is a read.
	460	+ */
	461	+ spin_lock(&umh_sysctl_lock);
	462	+ for (i = 0; i < _KERNEL_CAPABILITY_U32S; i++) {
	463	+ if (table->data == CAP_BSET)
	464	+ cap_array[i] = usermodehelper_bset.cap[i];
	465	+ else if (table->data == CAP_PI)
	466	+ cap_array[i] = usermodehelper_inheritable.cap[i];
	467	+ else
	468	+ BUG();
	469	+ }
	470	+ spin_unlock(&umh_sysctl_lock);
	471	+
	472	+ t = *table;
	473	+ t.data = &cap_array;
	474	+
	475	+ /*
	476	+ * actually read or write and array of ulongs from userspace. Remember
	477	+ * these are least significant 32 bits first
	478	+ */
	479	+ err = proc_doulongvec_minmax(&t, write, buffer, lenp, ppos);
	480	+ if (err < 0)
	481	+ return err;
	482	+
	483	+ /*
	484	+ * convert from the sysctl array of ulongs to the kernel_cap_t
	485	+ * internal representation
	486	+ */
	487	+ for (i = 0; i < _KERNEL_CAPABILITY_U32S; i++)
	488	+ new_cap.cap[i] = cap_array[i];
	489	+
	490	+ /*
	491	+ * Drop everything not in the new_cap (but don't add things)
	492	+ */
	493	+ spin_lock(&umh_sysctl_lock);
	494	+ if (write) {
	495	+ if (table->data == CAP_BSET)
	496	+ usermodehelper_bset = cap_intersect(usermodehelper_bset, new_cap);
	497	+ if (table->data == CAP_PI)
	498	+ usermodehelper_inheritable = cap_intersect(usermodehelper_inheritable, new_cap);
	499	+ }
	500	+ spin_unlock(&umh_sysctl_lock);
	501	+
	502	+ return 0;
	503	+}
	504	+
	505	+struct ctl_table usermodehelper_table[] = {
	506	+ {
	507	+ .procname = "bset",
	508	+ .data = CAP_BSET,
	509	+ .maxlen = _KERNEL_CAPABILITY_U32S * sizeof(unsigned long),
	510	+ .mode = 0600,
	511	+ .proc_handler = proc_cap_handler,
	512	+ },
	513	+ {
	514	+ .procname = "inheritable",
	515	+ .data = CAP_PI,
	516	+ .maxlen = _KERNEL_CAPABILITY_U32S * sizeof(unsigned long),
	517	+ .mode = 0600,
	518	+ .proc_handler = proc_cap_handler,
	519	+ },
	520	+ { }
	521	+};
422	522
423	523	void __init usermodehelper_init(void)
424	524	{
...	...	@@ -56,6 +56,7 @@
56	56	#include <linux/kprobes.h>
57	57	#include <linux/pipe_fs_i.h>
58	58	#include <linux/oom.h>
	59	+#include <linux/kmod.h>
59	60
60	61	#include <asm/uaccess.h>
61	62	#include <asm/processor.h>
...	...	@@ -614,6 +615,11 @@
614	615	.procname = "random",
615	616	.mode = 0555,
616	617	.child = random_table,
	618	+ },
	619	+ {
	620	+ .procname = "usermodehelper",
	621	+ .mode = 0555,
	622	+ .child = usermodehelper_table,
617	623	},
618	624	{
619	625	.procname = "overflowuid",
...	...	@@ -212,10 +212,12 @@
212	212	int err = key->type_data.x[0];
213	213
214	214	seq_puts(m, key->description);
215		- if (err)
216		- seq_printf(m, ": %d", err);
217		- else
218		- seq_printf(m, ": %u", key->datalen);
	215	+ if (key_is_instantiated(key)) {
	216	+ if (err)
	217	+ seq_printf(m, ": %d", err);
	218	+ else
	219	+ seq_printf(m, ": %u", key->datalen);
	220	+ }
219	221	}
220	222
221	223	/*