author | Karol Lewandowski <k.lewandowsk@samsung.com> | 2016-06-23 15:02:50 +0200 |
---|---|---|
committer | Seung-Woo Kim <sw0312.kim@samsung.com> | 2016-12-14 13:52:20 +0900 |
commit | 6d83e3d703f7464ccd12b78c5b3e9041be24ea8c (patch) | |
tree | 091ce555339a4dac9a7acfc14c618a27d338a478 /ipc | |
parent | c170bbb6cff411fb98f5624bde8e227fa32fcdc5 (diff) |
kdbus: Remove kdbus Linux Security Module hooks
This commit removes support for kdbus-LSM hooks as policy decisions
are handled solely by userspace (libdbuspolicy library). This commit
reverts the following commits:
- 802de9506 ("lsm: smack: smack callbacks for kdbus security hooks")
- f13b7e7bd ("kdbus: use LSM hooks in kdbus code")
- 067afa709 ("lsm: smack: Make ipc/kdbus includes visible so smack callbacks could see them")
- 442f047fd ("lsm: make security_file_receive available for external modules")
- 3b556db4b ("lsm: kdbus security hooks")
Change-Id: Iae90cdb9577a9e706288b28d70bd57574398276e
Signed-off-by: Karol Lewandowski <k.lewandowsk@samsung.com>
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Diffstat (limited to 'ipc')
-rw-r--r-- | ipc/kdbus/connection.c | 25 | ||||
-rw-r--r-- | ipc/kdbus/connection.h | 5 | ||||
-rw-r--r-- | ipc/kdbus/names.c | 3 | ||||
-rw-r--r-- | ipc/kdbus/queue.c | 30 |
4 files changed, 12 insertions, 51 deletions
diff --git a/ipc/kdbus/connection.c b/ipc/kdbus/connection.c index 880007724bef..02a68724c2f2 100644 --- a/ipc/kdbus/connection.c +++ b/ipc/kdbus/connection.c @@ -31,7 +31,6 @@ #include <linux/slab.h> #include <linux/syscalls.h> #include <linux/uio.h> -#include <linux/security.h> #include "bus.h" #include "connection.h" @@ -54,7 +53,7 @@ #define KDBUS_CONN_ACTIVE_NEW (INT_MIN + 1) /* Disable internal kdbus policy - possibilities of connections to own, see and - * talk to names are restricted by libdbuspolicy library and LSM hooks + * talk to names are restricted by libdbuspolicy library */ #define DISABLE_KDBUS_POLICY @@ -228,10 +227,6 @@ static struct kdbus_conn *kdbus_conn_new(struct kdbus_ep *ep, bool privileged, } } - ret = security_kdbus_conn_alloc(conn); - if (ret) - goto exit_unref; - if (atomic_inc_return(&conn->user->connections) > KDBUS_USER_MAX_CONN) { /* decremented by destructor as conn->user is valid */ ret = -EMFILE; @@ -286,7 +281,6 @@ static void __kdbus_conn_free(struct kref *kref) kdbus_pool_free(conn->pool); kdbus_ep_unref(conn->ep); put_cred(conn->cred); - security_kdbus_conn_free(conn); kfree(conn->description); kfree(conn->quota); kfree(conn); @@ -1126,10 +1120,6 @@ static int kdbus_conn_reply(struct kdbus_conn *src, struct kdbus_kmsg *kmsg) if (ret < 0) goto exit; - ret = security_kdbus_talk(src, dst); - if (ret) - goto exit; - mutex_lock(&dst->lock); reply = kdbus_reply_find(src, dst, kmsg->msg.cookie_reply); if (reply) { @@ -1219,12 +1209,8 @@ static struct kdbus_reply *kdbus_conn_call(struct kdbus_conn *src, if (ret < 0) goto exit; - ret = security_kdbus_talk(src, dst); - if (ret) - goto exit; - /* Disable internal kdbus policy - possibilities of connections to own, - * see and talk to well-known names are restricted by LSM hooks + * see and talk to well-known names are restricted by libdbuspolicy if (!kdbus_conn_policy_talk(src, current_cred(), dst)) { ret = -EPERM; goto exit; 
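Review bot: In the `@@ -1219` hunk the `/* Disable internal kdbus policy` line is kept as context and no `*/` appears before the `if (!kdbus_conn_policy_talk(src, current_cred(), dst))` block, so that check in kdbus_conn_call remains commented out, while the sibling hunks for kdbus_conn_unicast and kdbus_name_acquire drop the comment wrapper and re-enable their in-kernel checks. With `security_kdbus_talk()` also removed from this function, the synchronous call path appears to have no in-kernel talk check at all, which is inconsistent with unicast and would let a client that bypasses libdbuspolicy use a sync call where a plain unicast is refused with -EPERM (the closing `*/` and the rest of kdbus_conn_call are outside the hunk, so confirm). Either remove the opening comment line together with its closing `*/` so this path matches unicast, or, if the omission is deliberate, delete the dead `if` block instead of re-wording a comment that encloses it and state the reason in the commit message.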
@@ -1296,10 +1282,6 @@ static int kdbus_conn_unicast(struct kdbus_conn *src, struct kdbus_kmsg *kmsg) if (ret < 0) goto exit; - ret = security_kdbus_talk(src, dst); - if (ret) - goto exit; - if (is_signal) { /* like broadcasts we eavesdrop even if the msg is dropped */ kdbus_bus_eavesdrop(bus, src, kmsg); @@ -1308,12 +1290,9 @@ static int kdbus_conn_unicast(struct kdbus_conn *src, struct kdbus_kmsg *kmsg) if (!kdbus_match_db_match_kmsg(dst->match_db, src, kmsg) || !kdbus_conn_policy_talk(dst, NULL, src)) goto exit; - /* Disable internal kdbus policy - possibilities of connections to own, - * see and talk to well-known names are restricted by LSM hooks } else if (!kdbus_conn_policy_talk(src, current_cred(), dst)) { ret = -EPERM; goto exit; - */ } else if (kmsg->msg.flags & KDBUS_MSG_EXPECT_REPLY) { wait = kdbus_reply_new(dst, src, &kmsg->msg, name, false); if (IS_ERR(wait)) { diff --git a/ipc/kdbus/connection.h b/ipc/kdbus/connection.h index 4a5c1205b6d3..d1ffe909cb31 100644 --- a/ipc/kdbus/connection.h +++ b/ipc/kdbus/connection.h @@ -73,7 +73,6 @@ struct kdbus_kmsg; * @names_queue_list: Well-known names this connection waits for * @privileged: Whether this connection is privileged on the bus * @faked_meta: Whether the metadata was faked on HELLO - * @security: LSM security blob */ struct kdbus_conn { struct kref kref; @@ -114,10 +113,6 @@ struct kdbus_conn { bool privileged:1; bool faked_meta:1; - -#ifdef CONFIG_SECURITY - void *security; -#endif }; struct kdbus_conn *kdbus_conn_ref(struct kdbus_conn *conn); diff --git a/ipc/kdbus/names.c b/ipc/kdbus/names.c index 90e0c016f66e..df99e4df815b 100644 --- a/ipc/kdbus/names.c +++ b/ipc/kdbus/names.c 
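Review bot: The `@@ -1308` hunk re-enables `kdbus_conn_policy_talk(src, current_cred(), dst)` in kdbus_conn_unicast by dropping the comment wrapper, but the `@@ -54` hunk keeps `#define DISABLE_KDBUS_POLICY` with a comment now saying names are restricted by libdbuspolicy alone, and whether kdbus_conn_policy_talk() enforces anything under that define is not visible here. If it compiles to an always-allow stub, the re-enabled check is a no-op and the only enforcement is a userspace library that a process with direct access to the bus fd can skip; if it does enforce, the commit message's claim that policy decisions are "handled solely by userspace" is inaccurate and should state that the kdbus_conn_policy_* checks are being re-enabled (the names.c hunk does the same for kdbus_conn_policy_own_name). A short comment at the re-enabled check would help the next reader, e.g. `/* kernel-side talk check; LSM hooks removed, see DISABLE_KDBUS_POLICY */`, adjusted to whatever that define really gates. The rest of kdbus_conn_unicast lies outside the hunk.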
@@ -290,13 +290,10 @@ int kdbus_name_acquire(struct kdbus_name_registry *reg, down_write(®->rwlock); - /* Disable internal kdbus policy - possibilities of connections to own, - * see and talk to well-known names are restricted by LSM hooks if (!kdbus_conn_policy_own_name(conn, current_cred(), name)) { ret = -EPERM; goto exit_unlock; } - */ hash = kdbus_strhash(name); e = kdbus_name_find(reg, hash, name); diff --git a/ipc/kdbus/queue.c b/ipc/kdbus/queue.c index e04aee6786fc..a449464a3975 100644 --- a/ipc/kdbus/queue.c +++ b/ipc/kdbus/queue.c @@ -28,7 +28,6 @@ #include <linux/slab.h> #include <linux/syscalls.h> #include <linux/uio.h> -#include <linux/security.h> #include "util.h" #include "domain.h" @@ -515,17 +514,12 @@ int kdbus_queue_entry_install(struct kdbus_queue_entry *entry, for (i = 0; i < res->fds_count; i++) { if (install_fds) { - if (security_file_receive(res->fds[i])) { - fds[i] = -1; + fds[i] = get_unused_fd_flags(O_CLOEXEC); + if (fds[i] >= 0) + fd_install(fds[i], + get_file(res->fds[i])); + else incomplete_fds = true; - } else { - fds[i] = get_unused_fd_flags(O_CLOEXEC); - if (fds[i] >= 0) - fd_install(fds[i], - get_file(res->fds[i])); - else - incomplete_fds = true; - } } else { fds[i] = -1; } @@ -563,17 +557,13 @@ int kdbus_queue_entry_install(struct kdbus_queue_entry *entry, m.fd = -1; if (install_fds) { - if (security_file_receive(d->memfd.file)) { + m.fd = get_unused_fd_flags(O_CLOEXEC); + if (m.fd < 0) { + m.fd = -1; incomplete_fds = true; } else { - m.fd = get_unused_fd_flags(O_CLOEXEC); - if (m.fd < 0) { - m.fd = -1; - incomplete_fds = true; - } else { - fd_install(m.fd, - get_file(d->memfd.file)); - } + fd_install(m.fd, + get_file(d->memfd.file)); } } |
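Review bot: In the queue.c `@@ -515` hunk the `security_file_receive()` check before `fd_install()` is dropped, so every file descriptor carried in a message is installed into the receiver's table with no LSM decision, and the `@@ -563` hunk does the same for memfds. This is not one of the kdbus-specific hooks the commit says it removes: security_file_receive is the generic hook the unix-socket SCM_RIGHTS path uses for this exact operation, and a userspace policy library cannot substitute for it because the fd is already installed before the receiving process runs any code. Unless Smack file-receive policy is deliberately being abandoned, keep the check: `if (security_file_receive(res->fds[i])) { fds[i] = -1; incomplete_fds = true; continue; }` ahead of `get_unused_fd_flags()`, and likewise `if (security_file_receive(d->memfd.file)) { incomplete_fds = true; } else { ... }` around the memfd install. If the motivation is that kdbus must build as a module without the export reverted here, say so in the commit message rather than silently weakening fd passing. kdbus_queue_entry_install starts before these hunks and continues after them.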