diff options
author | James Morris | 2019-01-22 14:33:10 -0800 |
---|---|---|
committer | James Morris | 2019-01-22 14:33:10 -0800 |
commit | 9624d5c9c7ff6836bbf9f9b230fd1fcf3d56f91a (patch) | |
tree | e9c1e5d2400ad20c5a9cd633b52a42a00d1d98cb /security | |
parent | 3e8c73671244af16f1a6042f1c10d13b75cd1156 (diff) | |
parent | 49a57857aeea06ca831043acbb0fa5e0f50602fd (diff) |
Merge tag 'v5.0-rc3' into next-general
Sync to Linux 5.0-rc3 to pull in the VFS changes which impacted a lot
of the LSM code.
Diffstat (limited to 'security')
-rw-r--r-- | security/security.c | 7 | ||||
-rw-r--r-- | security/selinux/ss/policydb.c | 3 | ||||
-rw-r--r-- | security/yama/yama_lsm.c | 4 |
3 files changed, 12 insertions, 2 deletions
diff --git a/security/security.c b/security/security.c index 3664fb9d5cf7..b6bff646d373 100644 --- a/security/security.c +++ b/security/security.c @@ -1472,6 +1472,13 @@ int security_cred_alloc_blank(struct cred *cred, gfp_t gfp) void security_cred_free(struct cred *cred) { + /* + * There is a failure case in prepare_creds() that + * may result in a call here with ->security being NULL. + */ + if (unlikely(cred->security == NULL)) + return; + call_void_hook(cred_free, cred); kfree(cred->security); diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c index a50d625e7946..c1c31e33657a 100644 --- a/security/selinux/ss/policydb.c +++ b/security/selinux/ss/policydb.c @@ -732,7 +732,8 @@ static int sens_destroy(void *key, void *datum, void *p) kfree(key); if (datum) { levdatum = datum; - ebitmap_destroy(&levdatum->level->cat); + if (levdatum->level) + ebitmap_destroy(&levdatum->level->cat); kfree(levdatum->level); } kfree(datum); diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c index eb1da1303d2e..57cc60722dd3 100644 --- a/security/yama/yama_lsm.c +++ b/security/yama/yama_lsm.c @@ -368,7 +368,9 @@ static int yama_ptrace_access_check(struct task_struct *child, break; case YAMA_SCOPE_RELATIONAL: rcu_read_lock(); - if (!task_is_descendant(current, child) && + if (!pid_alive(child)) + rc = -EPERM; + if (!rc && !task_is_descendant(current, child) && !ptracer_exception_found(current, child) && !ns_capable(__task_cred(child)->user_ns, CAP_SYS_PTRACE)) rc = -EPERM; |