Eric Lee / smarc-fsl-linux-kernel

Download as
Browse Code ยป

Commit fd778461524849afd035679030ae8e8873c72b81

Authored by Eric Paris
1 parent 69f594a389
Exists in master and in 38 other branches 8mp-imx_5.4.70_2.3.0, 8qm-imx_5.4.70_2.3.0, emb_imx_lf-5.15.y, emb_lf-6.1.y, imx_3.10.17_1.0.1_ga, imx_3.10.53_1.1.0_ga, imx_3.14.28_1.0.0_ga, imx_4.1.15_1.0.0_ga, pitx_8mp_lf-5.10.y, rt-smarc-imx_4.1.15_1.0.0_ga, rt_linux_5.15.71, smarc-8m-android-11.0.0_2.0.0, smarc-imx6_4.14.98_2.0.0_ga, smarc-imx6_4.9.88_2.0.0_ga, smarc-imx7_4.14.98_2.0.0_ga, smarc-imx7_4.9.11_1.0.0_ga, smarc-imx7_4.9.88_2.0.0_ga, smarc-imx_3.10.53_1.1.0_ga, smarc-imx_3.14.28_1.0.0_ga, smarc-imx_4.1.15_1.0.0_ga, smarc-imx_4.9.11_1.0.0_ga, smarc-imx_4.9.51_imx8m_ga, smarc-imx_4.9.88_2.0.0_ga, smarc-m6.0.1_2.1.0-ga, smarc-n7.1.2_2.0.0-ga, smarc-rel_imx_4.1.15_1.2.0_ga, smarc_8m_00d0_imx_4.14.98_2.0.0_ga, smarc_8m_imx_4.14.78_1.0.0_ga, smarc_8m_imx_4.14.98_2.0.0_ga, smarc_8m_imx_4.19.35_1.1.0, smarc_8mm_imx_4.14.78_1.0.0_ga, smarc_8mm_imx_4.14.98_2.0.0_ga, smarc_8mm_imx_4.19.35_1.1.0, smarc_8mm_imx_5.4.24_2.1.0, smarc_8mp_lf-5.10.y, smarc_8mq_imx_5.4.24_2.1.0, smarc_8mq_lf-5.10.y, smarc_imx_lf-5.15.y

security: remove the security_netlink_recv hook as it is equivalent to capable() 

Once upon a time netlink was not sync and we had to get the effective
capabilities from the skb that was being received.  Today we instead get
the capabilities from the current task.  This has rendered the entire
purpose of the hook moot as it is now functionally equivalent to the
capable() call.

Signed-off-by: Eric Paris <eparis@redhat.com>

Showing 14 changed files with 10 additions and 58 deletions Side-by-side Diff

drivers/scsi/scsi_netlink.c
Diff comments   View file @ fd77846
... ... @@ -111,7 +111,7 @@
111 111 goto next_msg;
112 112 }
113 113  
114   - if (security_netlink_recv(skb, CAP_SYS_ADMIN)) {
  114 + if (!capable(CAP_SYS_ADMIN)) {
115 115 err = -EPERM;
116 116 goto next_msg;
117 117 }
include/linux/security.h
Diff comments   View file @ fd77846
... ... @@ -95,7 +95,6 @@
95 95 struct seq_file;
96 96  
97 97 extern int cap_netlink_send(struct sock *sk, struct sk_buff *skb);
98   -extern int cap_netlink_recv(struct sk_buff *skb, int cap);
99 98  
100 99 void reset_security_ops(void);
101 100  
... ... @@ -792,12 +791,6 @@
792 791 * @skb contains the sk_buff structure for the netlink message.
793 792 * Return 0 if the information was successfully saved and message
794 793 * is allowed to be transmitted.
795   - * @netlink_recv:
796   - * Check permission before processing the received netlink message in
797   - * @skb.
798   - * @skb contains the sk_buff structure for the netlink message.
799   - * @cap indicates the capability required
800   - * Return 0 if permission is granted.
801 794 *
802 795 * Security hooks for Unix domain networking.
803 796 *
... ... @@ -1556,7 +1549,6 @@
1556 1549 struct sembuf *sops, unsigned nsops, int alter);
1557 1550  
1558 1551 int (*netlink_send) (struct sock *sk, struct sk_buff *skb);
1559   - int (*netlink_recv) (struct sk_buff *skb, int cap);
1560 1552  
1561 1553 void (*d_instantiate) (struct dentry *dentry, struct inode *inode);
1562 1554  
... ... @@ -1803,7 +1795,6 @@
1803 1795 int security_getprocattr(struct task_struct *p, char *name, char **value);
1804 1796 int security_setprocattr(struct task_struct *p, char *name, void *value, size_t size);
1805 1797 int security_netlink_send(struct sock *sk, struct sk_buff *skb);
1806   -int security_netlink_recv(struct sk_buff *skb, int cap);
1807 1798 int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
1808 1799 int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid);
1809 1800 void security_release_secctx(char *secdata, u32 seclen);
... ... @@ -2476,11 +2467,6 @@
2476 2467 static inline int security_netlink_send(struct sock *sk, struct sk_buff *skb)
2477 2468 {
2478 2469 return cap_netlink_send(sk, skb);
2479   -}
2480   -
2481   -static inline int security_netlink_recv(struct sk_buff *skb, int cap)
2482   -{
2483   - return cap_netlink_recv(skb, cap);
2484 2470 }
2485 2471  
2486 2472 static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
... ... @@ -601,13 +601,13 @@
601 601 case AUDIT_TTY_SET:
602 602 case AUDIT_TRIM:
603 603 case AUDIT_MAKE_EQUIV:
604   - if (security_netlink_recv(skb, CAP_AUDIT_CONTROL))
  604 + if (!capable(CAP_AUDIT_CONTROL))
605 605 err = -EPERM;
606 606 break;
607 607 case AUDIT_USER:
608 608 case AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG:
609 609 case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2:
610   - if (security_netlink_recv(skb, CAP_AUDIT_WRITE))
  610 + if (!capable(CAP_AUDIT_WRITE))
611 611 err = -EPERM;
612 612 break;
613 613 default: /* bad msg */
net/core/rtnetlink.c
Diff comments   View file @ fd77846
... ... @@ -1931,7 +1931,7 @@
1931 1931 sz_idx = type>>2;
1932 1932 kind = type&3;
1933 1933  
1934   - if (kind != 2 && security_netlink_recv(skb, CAP_NET_ADMIN))
  1934 + if (kind != 2 && !capable(CAP_NET_ADMIN))
1935 1935 return -EPERM;
1936 1936  
1937 1937 if (kind == 2 && nlh->nlmsg_flags&NLM_F_DUMP) {
net/decnet/netfilter/dn_rtmsg.c
Diff comments   View file @ fd77846
... ... @@ -108,7 +108,7 @@
108 108 if (nlh->nlmsg_len < sizeof(*nlh) || skb->len < nlh->nlmsg_len)
109 109 return;
110 110  
111   - if (security_netlink_recv(skb, CAP_NET_ADMIN))
  111 + if (!capable(CAP_NET_ADMIN))
112 112 RCV_SKB_FAIL(-EPERM);
113 113  
114 114 /* Eventually we might send routing messages too */
net/ipv4/netfilter/ip_queue.c
Diff comments   View file @ fd77846
... ... @@ -430,7 +430,7 @@
430 430 if (type <= IPQM_BASE)
431 431 return;
432 432  
433   - if (security_netlink_recv(skb, CAP_NET_ADMIN))
  433 + if (!capable(CAP_NET_ADMIN))
434 434 RCV_SKB_FAIL(-EPERM);
435 435  
436 436 spin_lock_bh(&queue_lock);
net/ipv6/netfilter/ip6_queue.c
Diff comments   View file @ fd77846
... ... @@ -431,7 +431,7 @@
431 431 if (type <= IPQM_BASE)
432 432 return;
433 433  
434   - if (security_netlink_recv(skb, CAP_NET_ADMIN))
  434 + if (!capable(CAP_NET_ADMIN))
435 435 RCV_SKB_FAIL(-EPERM);
436 436  
437 437 spin_lock_bh(&queue_lock);
net/netfilter/nfnetlink.c
Diff comments   View file @ fd77846
... ... @@ -130,7 +130,7 @@
130 130 const struct nfnetlink_subsystem *ss;
131 131 int type, err;
132 132  
133   - if (security_netlink_recv(skb, CAP_NET_ADMIN))
  133 + if (!capable(CAP_NET_ADMIN))
134 134 return -EPERM;
135 135  
136 136 /* All the messages must at least contain nfgenmsg */
net/netlink/genetlink.c
Diff comments   View file @ fd77846
... ... @@ -516,7 +516,7 @@
516 516 return -EOPNOTSUPP;
517 517  
518 518 if ((ops->flags & GENL_ADMIN_PERM) &&
519   - security_netlink_recv(skb, CAP_NET_ADMIN))
  519 + !capable(CAP_NET_ADMIN))
520 520 return -EPERM;
521 521  
522 522 if (nlh->nlmsg_flags & NLM_F_DUMP) {
net/xfrm/xfrm_user.c
Diff comments   View file @ fd77846
... ... @@ -2290,7 +2290,7 @@
2290 2290 link = &xfrm_dispatch[type];
2291 2291  
2292 2292 /* All operations require privileges, even GET */
2293   - if (security_netlink_recv(skb, CAP_NET_ADMIN))
  2293 + if (!capable(CAP_NET_ADMIN))
2294 2294 return -EPERM;
2295 2295  
2296 2296 if ((type == (XFRM_MSG_GETSA - XFRM_MSG_BASE) ||
security/capability.c
Diff comments   View file @ fd77846
... ... @@ -999,7 +999,6 @@
999 999 set_to_cap_if_null(ops, sem_semctl);
1000 1000 set_to_cap_if_null(ops, sem_semop);
1001 1001 set_to_cap_if_null(ops, netlink_send);
1002   - set_to_cap_if_null(ops, netlink_recv);
1003 1002 set_to_cap_if_null(ops, d_instantiate);
1004 1003 set_to_cap_if_null(ops, getprocattr);
1005 1004 set_to_cap_if_null(ops, setprocattr);
security/commoncap.c
Diff comments   View file @ fd77846
... ... @@ -56,14 +56,6 @@
56 56 return 0;
57 57 }
58 58  
59   -int cap_netlink_recv(struct sk_buff *skb, int cap)
60   -{
61   - if (!cap_raised(current_cap(), cap))
62   - return -EPERM;
63   - return 0;
64   -}
65   -EXPORT_SYMBOL(cap_netlink_recv);
66   -
67 59 /**
68 60 * cap_capable - Determine whether a task has a particular effective capability
69 61 * @cred: The credentials to use
... ... @@ -922,12 +922,6 @@
922 922 return security_ops->netlink_send(sk, skb);
923 923 }
924 924  
925   -int security_netlink_recv(struct sk_buff *skb, int cap)
926   -{
927   - return security_ops->netlink_recv(skb, cap);
928   -}
929   -EXPORT_SYMBOL(security_netlink_recv);
930   -
931 925 int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
932 926 {
933 927 return security_ops->secid_to_secctx(secid, secdata, seclen);
security/selinux/hooks.c
Diff comments   View file @ fd77846
... ... @@ -4713,24 +4713,6 @@
4713 4713 return selinux_nlmsg_perm(sk, skb);
4714 4714 }
4715 4715  
4716   -static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4717   -{
4718   - int err;
4719   - struct common_audit_data ad;
4720   - u32 sid;
4721   -
4722   - err = cap_netlink_recv(skb, capability);
4723   - if (err)
4724   - return err;
4725   -
4726   - COMMON_AUDIT_DATA_INIT(&ad, CAP);
4727   - ad.u.cap = capability;
4728   -
4729   - security_task_getsecid(current, &sid);
4730   - return avc_has_perm(sid, sid, SECCLASS_CAPABILITY,
4731   - CAP_TO_MASK(capability), &ad);
4732   -}
4733   -
4734 4716 static int ipc_alloc_security(struct task_struct *task,
4735 4717 struct kern_ipc_perm *perm,
4736 4718 u16 sclass)
... ... @@ -5459,7 +5441,6 @@
5459 5441 .vm_enough_memory = selinux_vm_enough_memory,
5460 5442  
5461 5443 .netlink_send = selinux_netlink_send,
5462   - .netlink_recv = selinux_netlink_recv,
5463 5444  
5464 5445 .bprm_set_creds = selinux_bprm_set_creds,
5465 5446 .bprm_committing_creds = selinux_bprm_committing_creds,