authorJames Morris2019-01-22 14:33:10 -0800
committerJames Morris2019-01-22 14:33:10 -0800
commit9624d5c9c7ff6836bbf9f9b230fd1fcf3d56f91a (patch)
treee9c1e5d2400ad20c5a9cd633b52a42a00d1d98cb /security
parent3e8c73671244af16f1a6042f1c10d13b75cd1156 (diff)
parent49a57857aeea06ca831043acbb0fa5e0f50602fd (diff)
Merge tag 'v5.0-rc3' into next-general
Sync to Linux 5.0-rc3 to pull in the VFS changes which impacted a lot of the LSM code.
Diffstat (limited to 'security')
-rw-r--r--security/security.c7
-rw-r--r--security/selinux/ss/policydb.c3
-rw-r--r--security/yama/yama_lsm.c4
3 files changed, 12 insertions, 2 deletions
diff --git a/security/security.c b/security/security.c
index 3664fb9d5cf7..b6bff646d373 100644
--- a/security/security.c
+++ b/security/security.c
@@ -1472,6 +1472,13 @@ int security_cred_alloc_blank(struct cred *cred, gfp_t gfp)
void security_cred_free(struct cred *cred)
{
+ /*
+ * There is a failure case in prepare_creds() that
+ * may result in a call here with ->security being NULL.
+ */
+ if (unlikely(cred->security == NULL))
+ return;
+
call_void_hook(cred_free, cred);
kfree(cred->security);
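Review bot: The early return in security_cred_free() also skips `call_void_hook(cred_free, cred)`, so the guard is only correct while every LSM's cred_free hook does nothing except release state reachable through ->security. The added comment explains how a NULL ->security can reach this function but not that assumption; I would extend it with a line such as `Hooks are skipped as well: cred_free must not own per-cred state outside ->security.` Whether any hook in this tree breaks that rule cannot be seen from the hunk. The function body continues past the last line shown.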
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index a50d625e7946..c1c31e33657a 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -732,7 +732,8 @@ static int sens_destroy(void *key, void *datum, void *p)
kfree(key);
if (datum) {
levdatum = datum;
- ebitmap_destroy(&levdatum->level->cat);
+ if (levdatum->level)
+ ebitmap_destroy(&levdatum->level->cat);
kfree(levdatum->level);
}
kfree(datum);
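Review bot: The new `if (levdatum->level)` test in sens_destroy() has no comment saying when level can be NULL, unlike the guard added to security_cred_free() in this same commit, which documents its failure case. Presumably the callback is reached for a datum that was only partly built when reading the policy failed; a one-line comment such as `/* level may be unset if the sensitivity was only partly read */` would stop a later cleanup from dropping the check. Leaving `kfree(levdatum->level)` unconditional is fine, since kfree(NULL) is a no-op. The start of sens_destroy() is outside the hunk.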
diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c
index eb1da1303d2e..57cc60722dd3 100644
--- a/security/yama/yama_lsm.c
+++ b/security/yama/yama_lsm.c
@@ -368,7 +368,9 @@ static int yama_ptrace_access_check(struct task_struct *child,
break;
case YAMA_SCOPE_RELATIONAL:
rcu_read_lock();
- if (!task_is_descendant(current, child) &&
+ if (!pid_alive(child))
+ rc = -EPERM;
+ if (!rc && !task_is_descendant(current, child) &&
!ptracer_exception_found(current, child) &&
!ns_capable(__task_cred(child)->user_ns, CAP_SYS_PTRACE))
rc = -EPERM;
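Review bot: The two-step form in the YAMA_SCOPE_RELATIONAL case is only correct if rc is still 0 when the case is entered, and rc is initialised outside this hunk. Assuming it is 0 there, folding the liveness test into the existing condition removes both that dependency and the duplicated `rc = -EPERM;`: open the condition with `if (!pid_alive(child) || (!task_is_descendant(current, child) &&` and close the extra parenthesis after the ns_capable() term. A short comment saying why an exited child must be rejected before its ancestry and credentials are consulted would also help, since the reason is not visible in the hunk. yama_ptrace_access_check() starts and ends outside the lines shown.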