From: Greg Kroah-Hartman Date: Thu, 17 Feb 2011 00:33:34 +0000 (-0800) Subject: .37 patches X-Git-Tag: v2.6.36.4~4 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=426bc6a2e382e8b0b93a7a088e6a453efe17be26;p=thirdparty%2Fkernel%2Fstable-queue.git .37 patches --- diff --git a/queue-2.6.37/pci-use-security_capable-when-checking-capablities-during-config-space-read.patch b/queue-2.6.37/pci-use-security_capable-when-checking-capablities-during-config-space-read.patch new file mode 100644 index 00000000000..94e3087e569 --- /dev/null +++ b/queue-2.6.37/pci-use-security_capable-when-checking-capablities-during-config-space-read.patch @@ -0,0 +1,56 @@ +From a628e7b87e100befac9702aa0c3b9848a7685e49 Mon Sep 17 00:00:00 2001 +From: Chris Wright +Date: Mon, 14 Feb 2011 17:21:49 -0800 +Subject: pci: use security_capable() when checking capablities during config space read + +From: Chris Wright + +commit a628e7b87e100befac9702aa0c3b9848a7685e49 upstream. + +This reintroduces commit 47970b1b which was subsequently reverted +as f00eaeea. The original change was broken and caused X startup +failures and generally made privileged processes incapable of reading +device dependent config space. The normal capable() interface returns +true on success, but the LSM interface returns 0 on success. This thinko +is now fixed in this patch, and has been confirmed to work properly. + +So, once again...Eric Paris noted that commit de139a3 ("pci: check caps +from sysfs file open to read device dependent config space") caused the +capability check to bypass security modules and potentially auditing. +Rectify this by calling security_capable() when checking the open file's +capabilities for config space reads. + +Reported-by: Eric Paris +Tested-by: Dave Young +Acked-by: James Morris +Cc: Dave Airlie +Cc: Alex Riesen +Cc: Sedat Dilek +Cc: Linus Torvalds +Signed-off-by: Chris Wright +Signed-off-by: James Morris +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/pci-sysfs.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/pci/pci-sysfs.c ++++ b/drivers/pci/pci-sysfs.c +@@ -23,6 +23,7 @@ + #include + #include + #include ++#include + #include + #include + #include "pci.h" +@@ -368,7 +369,7 @@ pci_read_config(struct file *filp, struc + u8 *data = (u8*) buf; + + /* Several chips lock up trying to read undefined config space */ +- if (cap_raised(filp->f_cred->cap_effective, CAP_SYS_ADMIN)) { ++ if (security_capable(filp->f_cred, CAP_SYS_ADMIN) == 0) { + size = dev->cfg_size; + } else if (dev->hdr_type == PCI_HEADER_TYPE_CARDBUS) { + size = 128; diff --git a/queue-2.6.37/security-add-cred-argument-to-security_capable.patch b/queue-2.6.37/security-add-cred-argument-to-security_capable.patch new file mode 100644 index 00000000000..f650b5f9fbf --- /dev/null +++ b/queue-2.6.37/security-add-cred-argument-to-security_capable.patch @@ -0,0 +1,72 @@ +From 6037b715d6fab139742c3df8851db4c823081561 Mon Sep 17 00:00:00 2001 +From: Chris Wright +Date: Wed, 9 Feb 2011 22:11:51 -0800 +Subject: security: add cred argument to security_capable() + +From: Chris Wright + +commit 6037b715d6fab139742c3df8851db4c823081561 upstream. + +Expand security_capable() to include cred, so that it can be usable in a +wider range of call sites. + +Signed-off-by: Chris Wright +Acked-by: Serge Hallyn +Signed-off-by: James Morris +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/security.h | 6 +++--- + kernel/capability.c | 2 +- + security/security.c | 5 ++--- + 3 files changed, 6 insertions(+), 7 deletions(-) + +--- a/include/linux/security.h ++++ b/include/linux/security.h +@@ -1664,7 +1664,7 @@ int security_capset(struct cred *new, co + const kernel_cap_t *effective, + const kernel_cap_t *inheritable, + const kernel_cap_t *permitted); +-int security_capable(int cap); ++int security_capable(const struct cred *cred, int cap); + int security_real_capable(struct task_struct *tsk, int cap); + int security_real_capable_noaudit(struct task_struct *tsk, int cap); + int security_sysctl(struct ctl_table *table, int op); +@@ -1857,9 +1857,9 @@ static inline int security_capset(struct + return cap_capset(new, old, effective, inheritable, permitted); + } + +-static inline int security_capable(int cap) ++static inline int security_capable(const struct cred *cred, int cap) + { +- return cap_capable(current, current_cred(), cap, SECURITY_CAP_AUDIT); ++ return cap_capable(current, cred, cap, SECURITY_CAP_AUDIT); + } + + static inline int security_real_capable(struct task_struct *tsk, int cap) +--- a/kernel/capability.c ++++ b/kernel/capability.c +@@ -306,7 +306,7 @@ int capable(int cap) + BUG(); + } + +- if (security_capable(cap) == 0) { ++ if (security_capable(current_cred(), cap) == 0) { + current->flags |= PF_SUPERPRIV; + return 1; + } +--- a/security/security.c ++++ b/security/security.c +@@ -154,10 +154,9 @@ int security_capset(struct cred *new, co + effective, inheritable, permitted); + } + +-int security_capable(int cap) ++int security_capable(const struct cred *cred, int cap) + { +- return security_ops->capable(current, current_cred(), cap, +- SECURITY_CAP_AUDIT); ++ return security_ops->capable(current, cred, cap, SECURITY_CAP_AUDIT); + } + + int security_real_capable(struct task_struct *tsk, int cap) diff --git a/queue-2.6.37/series b/queue-2.6.37/series index 7a4d319a1b9..1a64f4c09fb 100644 --- a/queue-2.6.37/series +++ b/queue-2.6.37/series @@ -26,3 +26,5 @@ btrfs-prevent-heap-corruption-in-btrfs_ioctl_space_info.patch cred-fix-bug-upon-security_cred_alloc_blank-failure.patch cred-fix-memory-and-refcount-leaks-upon-security_prepare_creds-failure.patch staging-brcm80211-bugfix-for-softmac-crash-on-multi-cpu-configurations.patch +security-add-cred-argument-to-security_capable.patch +pci-use-security_capable-when-checking-capablities-during-config-space-read.patch