提交 01a16b21 编写于 作者: P Patrick McHardy 提交者: David S. Miller

netlink: kill eff_cap from struct netlink_skb_parms

Netlink message processing in the kernel is synchronous these days, so
capabilities can be checked directly in security_netlink_recv() from
the current process.
Signed-off-by: NPatrick McHardy <kaber@trash.net>
Reviewed-by: NJames Morris <jmorris@namei.org>
[chrisw: update to include pohmelfs and uvesafb]
Signed-off-by: NChris Wright <chrisw@sous-sol.org>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
上级 63f97425
...@@ -2177,7 +2177,7 @@ static void drbd_connector_callback(struct cn_msg *req, struct netlink_skb_parms ...@@ -2177,7 +2177,7 @@ static void drbd_connector_callback(struct cn_msg *req, struct netlink_skb_parms
return; return;
} }
if (!cap_raised(nsp->eff_cap, CAP_SYS_ADMIN)) { if (!cap_raised(current_cap(), CAP_SYS_ADMIN)) {
retcode = ERR_PERM; retcode = ERR_PERM;
goto fail; goto fail;
} }
......
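Review bot: The new check in this hunk is only equivalent to the old one if the cn_msg callback runs synchronously in the sending task's context; the removed code read the capability set saved at sendmsg time, whereas `current_cap()` reads whoever happens to be running the callback, and if the connector ever hands delivery to a work item, `current` is a kernel worker, whose capability set would satisfy the CAP_SYS_ADMIN gate for any sender. Nothing in the hunk shows how the callback is invoked, and the commit message only argues synchrony for the netlink receive path, so this is worth confirming rather than inherited from the description. A one-line comment above the check would pin the assumption for later changes to the connector: `/* Called synchronously from the sender's context, so current is the sender. */`. The same replacement appears in the cn_ulog_callback, pohmelfs_cn_callback and uvesafb_cn_callback hunks below, and the nsp parameter of each callback appears to be unused afterwards unless it is read elsewhere in the body; drbd_connector_callback starts and ends outside this hunk.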
...@@ -134,7 +134,7 @@ static void cn_ulog_callback(struct cn_msg *msg, struct netlink_skb_parms *nsp) ...@@ -134,7 +134,7 @@ static void cn_ulog_callback(struct cn_msg *msg, struct netlink_skb_parms *nsp)
{ {
struct dm_ulog_request *tfr = (struct dm_ulog_request *)(msg + 1); struct dm_ulog_request *tfr = (struct dm_ulog_request *)(msg + 1);
if (!cap_raised(nsp->eff_cap, CAP_SYS_ADMIN)) if (!cap_raised(current_cap(), CAP_SYS_ADMIN))
return; return;
spin_lock(&receiving_list_lock); spin_lock(&receiving_list_lock);
......
...@@ -525,7 +525,7 @@ static void pohmelfs_cn_callback(struct cn_msg *msg, struct netlink_skb_parms *n ...@@ -525,7 +525,7 @@ static void pohmelfs_cn_callback(struct cn_msg *msg, struct netlink_skb_parms *n
{ {
int err; int err;
if (!cap_raised(nsp->eff_cap, CAP_SYS_ADMIN)) if (!cap_raised(current_cap(), CAP_SYS_ADMIN))
return; return;
switch (msg->flags) { switch (msg->flags) {
......
...@@ -73,7 +73,7 @@ static void uvesafb_cn_callback(struct cn_msg *msg, struct netlink_skb_parms *ns ...@@ -73,7 +73,7 @@ static void uvesafb_cn_callback(struct cn_msg *msg, struct netlink_skb_parms *ns
struct uvesafb_task *utask; struct uvesafb_task *utask;
struct uvesafb_ktask *task; struct uvesafb_ktask *task;
if (!cap_raised(nsp->eff_cap, CAP_SYS_ADMIN)) if (!cap_raised(current_cap(), CAP_SYS_ADMIN))
return; return;
if (msg->seq >= UVESAFB_TASKS_MAX) if (msg->seq >= UVESAFB_TASKS_MAX)
......
...@@ -160,7 +160,6 @@ struct netlink_skb_parms { ...@@ -160,7 +160,6 @@ struct netlink_skb_parms {
struct ucred creds; /* Skb credentials */ struct ucred creds; /* Skb credentials */
__u32 pid; __u32 pid;
__u32 dst_group; __u32 dst_group;
kernel_cap_t eff_cap;
}; };
#define NETLINK_CB(skb) (*(struct netlink_skb_parms*)&((skb)->cb)) #define NETLINK_CB(skb) (*(struct netlink_skb_parms*)&((skb)->cb))
......
...@@ -1364,12 +1364,6 @@ static int netlink_sendmsg(struct kiocb *kiocb, struct socket *sock, ...@@ -1364,12 +1364,6 @@ static int netlink_sendmsg(struct kiocb *kiocb, struct socket *sock,
NETLINK_CB(skb).dst_group = dst_group; NETLINK_CB(skb).dst_group = dst_group;
memcpy(NETLINK_CREDS(skb), &siocb->scm->creds, sizeof(struct ucred)); memcpy(NETLINK_CREDS(skb), &siocb->scm->creds, sizeof(struct ucred));
/* What can I do? Netlink is asynchronous, so that
we will have to save current capabilities to
check them, when this message will be delivered
to corresponding kernel module. --ANK (980802)
*/
err = -EFAULT; err = -EFAULT;
if (memcpy_fromiovec(skb_put(skb, len), msg->msg_iov, len)) { if (memcpy_fromiovec(skb_put(skb, len), msg->msg_iov, len)) {
kfree_skb(skb); kfree_skb(skb);
......
...@@ -52,13 +52,12 @@ static void warn_setuid_and_fcaps_mixed(const char *fname) ...@@ -52,13 +52,12 @@ static void warn_setuid_and_fcaps_mixed(const char *fname)
int cap_netlink_send(struct sock *sk, struct sk_buff *skb) int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
{ {
NETLINK_CB(skb).eff_cap = current_cap();
return 0; return 0;
} }
int cap_netlink_recv(struct sk_buff *skb, int cap) int cap_netlink_recv(struct sk_buff *skb, int cap)
{ {
if (!cap_raised(NETLINK_CB(skb).eff_cap, cap)) if (!cap_raised(current_cap(), cap))
return -EPERM; return -EPERM;
return 0; return 0;
} }
......
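Review bot: cap_netlink_recv now encodes an invariant that nothing in the file states: the check at `if (!cap_raised(current_cap(), cap))` is correct only because the receive path runs in the context of the task that sent skb, and the comment that used to explain why capabilities were captured at send time is deleted in the netlink_sendmsg hunk without a replacement. A short comment on the hook would keep the next reader from reintroducing deferred delivery without noticing: `/* Netlink delivery is synchronous, so current is the task that sent skb; the skb itself carries no capability information any more. */`. cap_netlink_send is left as an empty hook that only returns 0, which looks intentional since the LSM hook signature is shared, but a one-line comment saying it no longer records anything would make that explicit rather than look like a forgotten body.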