author | Linus Torvalds <torvalds@linux-foundation.org> | 2024-09-24 10:18:15 -0700 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2024-09-24 10:18:15 -0700 |
commit | 5c36498d06b9b00393c2f35edbf16b28194375fa (patch) | |
tree | f9170a1fc6a234b2c069359a2d4ad68001f79a53 | |
parent | abf2050f51fdca0fd146388f83cddd95a57a008d (diff) | |
parent | f89722faa31466ff41aed21bdeb9cf34c2312858 (diff) |
Merge tag 'lsm-pr-20240923' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm
Pull LSM fixes from Paul Moore:
- Add a missing security_mmap_file() check to the remap_file_pages()
syscall
- Properly reference the SELinux and Smack LSM blobs in the
security_watch_key() LSM hook
- Fix a random IPE selftest crash caused by a missing list terminator
in the test
* tag 'lsm-pr-20240923' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm:
ipe: Add missing terminator to list of unit tests
selinux,smack: properly reference the LSM blob in security_watch_key()
mm: call the security_mmap_file() LSM hook in remap_file_pages()
-rw-r--r-- | mm/mmap.c | 4 | ||||
-rw-r--r-- | security/ipe/policy_tests.c | 1 | ||||
-rw-r--r-- | security/selinux/hooks.c | 2 | ||||
-rw-r--r-- | security/smack/smack_lsm.c | 13 |
4 files changed, 9 insertions, 11 deletions
diff --git a/mm/mmap.c b/mm/mmap.c
index ee8f91eaadb9..dd4b35a25aeb 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -1689,8 +1689,12 @@ SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size,
 		flags |= MAP_LOCKED;
 
 	file = get_file(vma->vm_file);
+	ret = security_mmap_file(vma->vm_file, prot, flags);
+	if (ret)
+		goto out_fput;
 	ret = do_mmap(vma->vm_file, start, size,
 			prot, flags, 0, pgoff, &populate, NULL);
+out_fput:
 	fput(file);
 out:
 	mmap_write_unlock(mm);
diff --git a/security/ipe/policy_tests.c b/security/ipe/policy_tests.c
index 89521f6b9994..5f1654deeb04 100644
--- a/security/ipe/policy_tests.c
+++ b/security/ipe/policy_tests.c
@@ -286,6 +286,7 @@ static void ipe_parser_widestring_test(struct kunit *test)
 static struct kunit_case ipe_parser_test_cases[] = {
 	KUNIT_CASE_PARAM(ipe_parser_unsigned_test, ipe_policies_gen_params),
 	KUNIT_CASE(ipe_parser_widestring_test),
+	{ }
 };
 
 static struct kunit_suite ipe_parser_test_suite = {
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index bd3293021488..94c523140125 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -6735,7 +6735,7 @@ static int selinux_key_getsecurity(struct key *key, char **_buffer)
 #ifdef CONFIG_KEY_NOTIFICATIONS
 static int selinux_watch_key(struct key *key)
 {
-	struct key_security_struct *ksec = key->security;
+	struct key_security_struct *ksec = selinux_key(key);
 	u32 sid = current_sid();
 
 	return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, KEY__VIEW, NULL);
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 8069f17d4404..370fd594da12 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -4629,16 +4629,9 @@ static int smack_watch_key(struct key *key)
 {
 	struct smk_audit_info ad;
 	struct smack_known *tkp = smk_of_current();
+	struct smack_known **blob = smack_key(key);
 	int rc;
 
-	if (key == NULL)
-		return -EINVAL;
-	/*
-	 * If the key hasn't been initialized give it access so that
-	 * it may do so.
-	 */
-	if (key->security == NULL)
-		return 0;
 	/*
 	 * This should not occur
 	 */
@@ -4653,8 +4646,8 @@ static int smack_watch_key(struct key *key)
 	ad.a.u.key_struct.key = key->serial;
 	ad.a.u.key_struct.key_desc = key->description;
 #endif
-	rc = smk_access(tkp, key->security, MAY_READ, &ad);
-	rc = smk_bu_note("key watch", tkp, key->security, MAY_READ, rc);
+	rc = smk_access(tkp, *blob, MAY_READ, &ad);
+	rc = smk_bu_note("key watch", tkp, *blob, MAY_READ, rc);
 	return rc;
 }
 #endif /* CONFIG_KEY_NOTIFICATIONS */ |
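Review bot: The new security_mmap_file() call in the mm/mmap.c hunk has no comment saying why the LSM check lives here, and without one a later reader may take it for a redundant duplicate of the hook that the normal mmap entry path already runs and remove it again. Presumably it is needed precisely because this path calls do_mmap() directly and so never passes through the wrapper where the hook is normally applied; a one-liner such as `/* do_mmap() bypasses the usual mmap entry path, so run the LSM mmap hook here */` above the call would record that. The ordering itself looks right: the check runs after get_file() and failure jumps to out_fput, so the file reference is dropped before falling through to out: and the unlock. remap_file_pages' body starts and ends outside the hunk, so whether the populate value used after out: is initialised on this early-exit path cannot be confirmed from here.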
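Review bot: The `{ }` sentinel added to ipe_parser_test_cases carries no comment, and an entry whose only job is to stop iteration is exactly the kind of line that gets dropped as dead data — the commit message attributes the selftest crash to this terminator being missing. A short `/* sentinel: KUnit walks this array until it reaches a zeroed entry */` beside it would pin the intent for the next editor. The array definition is fully inside the hunk.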
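Review bot: Removing both early returns in the first smack_lsm.c hunk leaves `*blob` dereferenced unconditionally in the second hunk (`smk_access(tkp, *blob, MAY_READ, &ad)`) with no guard for a key whose Smack label has not been set yet, which is the case the deleted comment ("If the key hasn't been initialized give it access") was covering. The blob-era equivalent of that guard is `if (*blob == NULL) return 0;` immediately after the new `blob` declaration; if the key-watch path can in fact only be reached once smack_key_alloc() has stored the label, a one-line comment stating that invariant should stand where the removed block was, so the omission reads as deliberate. Dropping the `key == NULL` check also changes the failure mode from -EINVAL to a NULL dereference inside smack_key(), presumably unreachable from security_watch_key() callers, but worth stating in the same comment. smack_watch_key's body is split across the two hunks, with the audit setup between them outside the visible lines.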