提交 ed868a56 编写于 作者: E Eric Paris 提交者: James Morris

Creds: creds->security can be NULL is selinux is disabled

__validate_process_creds should check if selinux is actually enabled before
running tests on the selinux portion of the credentials struct.
Signed-off-by: NEric Paris <eparis@redhat.com>
Signed-off-by: NJames Morris <jmorris@namei.org>
上级 86d71014
...@@ -15,6 +15,7 @@ ...@@ -15,6 +15,7 @@
#include <linux/capability.h> #include <linux/capability.h>
#include <linux/init.h> #include <linux/init.h>
#include <linux/key.h> #include <linux/key.h>
#include <linux/selinux.h>
#include <asm/atomic.h> #include <asm/atomic.h>
struct user_struct; struct user_struct;
...@@ -182,11 +183,13 @@ static inline bool creds_are_invalid(const struct cred *cred) ...@@ -182,11 +183,13 @@ static inline bool creds_are_invalid(const struct cred *cred)
if (atomic_read(&cred->usage) < atomic_read(&cred->subscribers)) if (atomic_read(&cred->usage) < atomic_read(&cred->subscribers))
return true; return true;
#ifdef CONFIG_SECURITY_SELINUX #ifdef CONFIG_SECURITY_SELINUX
if ((unsigned long) cred->security < PAGE_SIZE) if (selinux_is_enabled()) {
return true; if ((unsigned long) cred->security < PAGE_SIZE)
if ((*(u32*)cred->security & 0xffffff00) == return true;
(POISON_FREE << 24 | POISON_FREE << 16 | POISON_FREE << 8)) if ((*(u32 *)cred->security & 0xffffff00) ==
return true; (POISON_FREE << 24 | POISON_FREE << 16 | POISON_FREE << 8))
return true;
}
#endif #endif
return false; return false;
} }
......
...@@ -61,6 +61,11 @@ void selinux_secmark_refcount_inc(void); ...@@ -61,6 +61,11 @@ void selinux_secmark_refcount_inc(void);
* existing SECMARK targets has been removed/flushed. * existing SECMARK targets has been removed/flushed.
*/ */
void selinux_secmark_refcount_dec(void); void selinux_secmark_refcount_dec(void);
/**
* selinux_is_enabled - is SELinux enabled?
*/
bool selinux_is_enabled(void);
#else #else
static inline int selinux_string_to_sid(const char *str, u32 *sid) static inline int selinux_string_to_sid(const char *str, u32 *sid)
...@@ -84,6 +89,10 @@ static inline void selinux_secmark_refcount_dec(void) ...@@ -84,6 +89,10 @@ static inline void selinux_secmark_refcount_dec(void)
return; return;
} }
static bool selinux_is_enabled(void)
{
return false;
}
#endif /* CONFIG_SECURITY_SELINUX */ #endif /* CONFIG_SECURITY_SELINUX */
#endif /* _LINUX_SELINUX_H */ #endif /* _LINUX_SELINUX_H */
...@@ -63,3 +63,9 @@ void selinux_secmark_refcount_dec(void) ...@@ -63,3 +63,9 @@ void selinux_secmark_refcount_dec(void)
atomic_dec(&selinux_secmark_refcount); atomic_dec(&selinux_secmark_refcount);
} }
EXPORT_SYMBOL_GPL(selinux_secmark_refcount_dec); EXPORT_SYMBOL_GPL(selinux_secmark_refcount_dec);
bool selinux_is_enabled(void)
{
return selinux_enabled;
}
EXPORT_SYMBOL_GPL(selinux_is_enabled);
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册