[PATCH 05/10] drivers: use new capable_any functionality
Use the new added capable_any function in appropriate cases, where a task is required to have any of two capabilities. Reorder CAP_SYS_ADMIN last. Signed-off-by: Christian Göttsche Acked-by: Alexander Gordeev (s390 portion) --- v4: Additional usage in kfd_ioctl() v3: rename to capable_any() --- drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 3 +-- drivers/net/caif/caif_serial.c | 2 +- drivers/s390/block/dasd_eckd.c | 2 +- 3 files changed, 3 insertions(+), 4 deletions(-) diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c index dfa8c69532d4..8c7ebca01c17 100644 --- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c +++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c @@ -3290,8 +3290,7 @@ static long kfd_ioctl(struct file *filep, unsigned int cmd, unsigned long arg) * more priviledged access. */ if (unlikely(ioctl->flags & KFD_IOC_FLAG_CHECKPOINT_RESTORE)) { - if (!capable(CAP_CHECKPOINT_RESTORE) && - !capable(CAP_SYS_ADMIN)) { + if (!capable_any(CAP_CHECKPOINT_RESTORE, CAP_SYS_ADMIN)) { retcode = -EACCES; goto err_i1; } diff --git a/drivers/net/caif/caif_serial.c b/drivers/net/caif/caif_serial.c index ed3a589def6b..e908b9ce57dc 100644 --- a/drivers/net/caif/caif_serial.c +++ b/drivers/net/caif/caif_serial.c @@ -326,7 +326,7 @@ static int ldisc_open(struct tty_struct *tty) /* No write no play */ if (tty->ops->write == NULL) return -EOPNOTSUPP; - if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_TTY_CONFIG)) + if (!capable_any(CAP_SYS_TTY_CONFIG, CAP_SYS_ADMIN)) return -EPERM; /* release devices to avoid name collision */ diff --git a/drivers/s390/block/dasd_eckd.c b/drivers/s390/block/dasd_eckd.c index 373c1a86c33e..8f9a5136306a 100644 --- a/drivers/s390/block/dasd_eckd.c +++ b/drivers/s390/block/dasd_eckd.c @@ -5384,7 +5384,7 @@ static int dasd_symm_io(struct dasd_device *device, void __user *argp) char psf0, psf1; int rc; - if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RAWIO)) + if (!capable_any(CAP_SYS_RAWIO, CAP_SYS_ADMIN)) return -EACCES; psf0 = psf1 = 0; -- 2.43.0
Re: [PATCH v2 3/4] selinux: use vma_is_initial_stack() and vma_is_initial_heap()
On Wed, 19 Jul 2023 at 09:40, Kefeng Wang wrote: > > Use the helpers to simplify code. > > Cc: Paul Moore > Cc: Stephen Smalley > Cc: Eric Paris > Acked-by: Paul Moore > Signed-off-by: Kefeng Wang > --- > security/selinux/hooks.c | 7 ++- > 1 file changed, 2 insertions(+), 5 deletions(-) > > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index d06e350fedee..ee8575540a8e 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -3762,13 +3762,10 @@ static int selinux_file_mprotect(struct > vm_area_struct *vma, > if (default_noexec && > (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { > int rc = 0; > - if (vma->vm_start >= vma->vm_mm->start_brk && > - vma->vm_end <= vma->vm_mm->brk) { > + if (vma_is_initial_heap(vma)) { This seems to change the condition from vma->vm_start >= vma->vm_mm->start_brk && vma->vm_end <= vma->vm_mm->brk to vma->vm_start <= vma->vm_mm->brk && vma->vm_end >= vma->vm_mm->start_brk (or AND arguments swapped) vma->vm_end >= vma->vm_mm->start_brk && vma->vm_start <= vma->vm_mm->brk Is this intended? > rc = avc_has_perm(sid, sid, SECCLASS_PROCESS, > PROCESS__EXECHEAP, NULL); > - } else if (!vma->vm_file && > - ((vma->vm_start <= vma->vm_mm->start_stack && > -vma->vm_end >= vma->vm_mm->start_stack) || > + } else if (!vma->vm_file && (vma_is_initial_stack(vma) || > vma_is_stack_for_current(vma))) { > rc = avc_has_perm(sid, sid, SECCLASS_PROCESS, > PROCESS__EXECSTACK, NULL); > -- > 2.27.0 >
Re: [PATCH 1/5] mm: introduce vma_is_stack() and vma_is_heap()
On Wed, 12 Jul 2023 at 16:25, Kefeng Wang wrote: > > Introduce the two helpers for general use. > > Signed-off-by: Kefeng Wang > --- > include/linux/mm.h | 12 > 1 file changed, 12 insertions(+) > > diff --git a/include/linux/mm.h b/include/linux/mm.h > index 1462cf15badf..0bbeb31ac750 100644 > --- a/include/linux/mm.h > +++ b/include/linux/mm.h > @@ -926,6 +926,18 @@ static inline bool vma_is_anonymous(struct > vm_area_struct *vma) > return !vma->vm_ops; > } > > +static inline bool vma_is_heap(struct vm_area_struct *vma) What about declaring the parameters const to document in code these functions do not modify any state, and allow callers to pass pointers to const? > +{ > + return vma->vm_start <= vma->vm_mm->brk && > + vma->vm_end >= vma->vm_mm->start_brk; > +} > + > +static inline bool vma_is_stack(struct vm_area_struct *vma) > +{ > + return vma->vm_start <= vma->vm_mm->start_stack && > + vma->vm_end >= vma->vm_mm->start_stack; > +} > + > static inline bool vma_is_temporary_stack(struct vm_area_struct *vma) > { > int maybe_stack = vma->vm_flags & (VM_GROWSDOWN | VM_GROWSUP); > -- > 2.41.0 >
[PATCH v4 5/9] drivers: use new capable_any functionality
Use the new added capable_any function in appropriate cases, where a task is required to have any of two capabilities. Reorder CAP_SYS_ADMIN last. Signed-off-by: Christian Göttsche --- v4: Additional usage in kfd_ioctl() v3: rename to capable_any() --- drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 3 +-- drivers/net/caif/caif_serial.c | 2 +- drivers/s390/block/dasd_eckd.c | 2 +- 3 files changed, 3 insertions(+), 4 deletions(-) diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c index 1b54a9aaae70..d21fb9d1556b 100644 --- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c +++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c @@ -2896,8 +2896,7 @@ static long kfd_ioctl(struct file *filep, unsigned int cmd, unsigned long arg) * more priviledged access. */ if (unlikely(ioctl->flags & KFD_IOC_FLAG_CHECKPOINT_RESTORE)) { - if (!capable(CAP_CHECKPOINT_RESTORE) && - !capable(CAP_SYS_ADMIN)) { + if (!capable_any(CAP_CHECKPOINT_RESTORE, CAP_SYS_ADMIN)) { retcode = -EACCES; goto err_i1; } diff --git a/drivers/net/caif/caif_serial.c b/drivers/net/caif/caif_serial.c index 688075859ae4..ca3f82a0e3a6 100644 --- a/drivers/net/caif/caif_serial.c +++ b/drivers/net/caif/caif_serial.c @@ -326,7 +326,7 @@ static int ldisc_open(struct tty_struct *tty) /* No write no play */ if (tty->ops->write == NULL) return -EOPNOTSUPP; - if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_TTY_CONFIG)) + if (!capable_any(CAP_SYS_TTY_CONFIG, CAP_SYS_ADMIN)) return -EPERM; /* release devices to avoid name collision */ diff --git a/drivers/s390/block/dasd_eckd.c b/drivers/s390/block/dasd_eckd.c index ade1369fe5ed..67d1058bce1b 100644 --- a/drivers/s390/block/dasd_eckd.c +++ b/drivers/s390/block/dasd_eckd.c @@ -5370,7 +5370,7 @@ static int dasd_symm_io(struct dasd_device *device, void __user *argp) char psf0, psf1; int rc; - if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RAWIO)) + if (!capable_any(CAP_SYS_RAWIO, CAP_SYS_ADMIN)) return -EACCES; psf0 = psf1 = 0; -- 2.40.1