diff options
| author | Eric Paris <eparis@redhat.com> | 2012-01-03 12:25:16 -0500 |
|---|---|---|
| committer | Ziyan <jaraidaniel@gmail.com> | 2016-03-11 16:01:28 +0100 |
| commit | 2907c63164e760c45af71ba78effb2fb6ac1048c (patch) | |
| tree | 27b1bb9bfc9e02f89fff397bcd21e7fa85ea08b5 /security | |
| parent | 0c872e788687fa211856b9a5bc145525431a656c (diff) | |
| download | kernel_samsung_espresso10-2907c63164e760c45af71ba78effb2fb6ac1048c.zip kernel_samsung_espresso10-2907c63164e760c45af71ba78effb2fb6ac1048c.tar.gz kernel_samsung_espresso10-2907c63164e760c45af71ba78effb2fb6ac1048c.tar.bz2 | |
security: remove the security_netlink_recv hook as it is equivalent to capable()
Once upon a time netlink was not sync and we had to get the effective
capabilities from the skb that was being received. Today we instead get
the capabilities from the current task. This has rendered the entire
purpose of the hook moot as it is now functionally equivalent to the
capable() call.
Signed-off-by: Eric Paris <eparis@redhat.com>
Diffstat (limited to 'security')
| -rw-r--r-- | security/capability.c | 1 | ||||
| -rw-r--r-- | security/commoncap.c | 8 | ||||
| -rw-r--r-- | security/security.c | 6 | ||||
| -rw-r--r-- | security/selinux/hooks.c | 19 |
4 files changed, 0 insertions, 34 deletions
diff --git a/security/capability.c b/security/capability.c index ac5793c..755aebc 100644 --- a/security/capability.c +++ b/security/capability.c @@ -1023,7 +1023,6 @@ void __init security_fixup_ops(struct security_operations *ops) set_to_cap_if_null(ops, sem_semctl); set_to_cap_if_null(ops, sem_semop); set_to_cap_if_null(ops, netlink_send); - set_to_cap_if_null(ops, netlink_recv); set_to_cap_if_null(ops, d_instantiate); set_to_cap_if_null(ops, getprocattr); set_to_cap_if_null(ops, setprocattr); diff --git a/security/commoncap.c b/security/commoncap.c index 02b69b0..0a80697 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -61,14 +61,6 @@ int cap_netlink_send(struct sock *sk, struct sk_buff *skb) return 0; } -int cap_netlink_recv(struct sk_buff *skb, int cap) -{ - if (!cap_raised(current_cap(), cap)) - return -EPERM; - return 0; -} -EXPORT_SYMBOL(cap_netlink_recv); - /** * cap_capable - Determine whether a task has a particular effective capability * @cred: The credentials to use diff --git a/security/security.c b/security/security.c index 0de3679..b668e1c 100644 --- a/security/security.c +++ b/security/security.c @@ -967,12 +967,6 @@ int security_netlink_send(struct sock *sk, struct sk_buff *skb) return security_ops->netlink_send(sk, skb); } -int security_netlink_recv(struct sk_buff *skb, int cap) -{ - return security_ops->netlink_recv(skb, cap); -} -EXPORT_SYMBOL(security_netlink_recv); - int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) { return security_ops->secid_to_secctx(secid, secdata, seclen); diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index cf9054e5..6623f27 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -4794,24 +4794,6 @@ static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) return selinux_nlmsg_perm(sk, skb); } -static int selinux_netlink_recv(struct sk_buff *skb, int capability) -{ - int err; - struct common_audit_data ad; - u32 sid; - - err = cap_netlink_recv(skb, capability); - if (err) - return err; - - COMMON_AUDIT_DATA_INIT(&ad, CAP); - ad.u.cap = capability; - - security_task_getsecid(current, &sid); - return avc_has_perm(sid, sid, SECCLASS_CAPABILITY, - CAP_TO_MASK(capability), &ad); -} - static int ipc_alloc_security(struct task_struct *task, struct kern_ipc_perm *perm, u16 sclass) @@ -5545,7 +5527,6 @@ static struct security_operations selinux_ops = { .vm_enough_memory = selinux_vm_enough_memory, .netlink_send = selinux_netlink_send, - .netlink_recv = selinux_netlink_recv, .bprm_set_creds = selinux_bprm_set_creds, .bprm_committing_creds = selinux_bprm_committing_creds, |