[PATCH 05/10] drivers: use new capable_any functionality

2024-03-15 Thread Christian Göttsche
Use the newly added capable_any() function in appropriate cases, where a
task is required to have either of two capabilities.

Reorder CAP_SYS_ADMIN last.

Signed-off-by: Christian Göttsche 
Acked-by: Alexander Gordeev  (s390 portion)
---
v4:
   Additional usage in kfd_ioctl()
v3:
   rename to capable_any()
---
 drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 3 +--
 drivers/net/caif/caif_serial.c   | 2 +-
 drivers/s390/block/dasd_eckd.c   | 2 +-
 3 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c 
b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
index dfa8c69532d4..8c7ebca01c17 100644
--- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
@@ -3290,8 +3290,7 @@ static long kfd_ioctl(struct file *filep, unsigned int 
cmd, unsigned long arg)
 * more priviledged access.
 */
if (unlikely(ioctl->flags & KFD_IOC_FLAG_CHECKPOINT_RESTORE)) {
-   if (!capable(CAP_CHECKPOINT_RESTORE) &&
-   !capable(CAP_SYS_ADMIN)) {
+   if (!capable_any(CAP_CHECKPOINT_RESTORE, CAP_SYS_ADMIN)) {
retcode = -EACCES;
goto err_i1;
}
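Review bot: The argument order in `capable_any(CAP_CHECKPOINT_RESTORE, CAP_SYS_ADMIN)` carries meaning that nothing at the call site records, and the same holds for the `ldisc_open()` and `dasd_symm_io()` hunks, where the order is swapped relative to the old code. If, as the commit message suggests, the first argument is the capability reported when the check fails, a later cleanup that moves CAP_SYS_ADMIN to the front would silently bring back denials that name the broad capability. A one-line comment above each call, for example `/* narrow capability first: it is the one reported on denial */`, or a kernel-doc note on capable_any() itself, would pin that down. The definition of capable_any() is not part of this patch, so the reporting behaviour is inferred rather than read from visible code. kfd_ioctl() starts and ends outside the hunk.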
diff --git a/drivers/net/caif/caif_serial.c b/drivers/net/caif/caif_serial.c
index ed3a589def6b..e908b9ce57dc 100644
--- a/drivers/net/caif/caif_serial.c
+++ b/drivers/net/caif/caif_serial.c
@@ -326,7 +326,7 @@ static int ldisc_open(struct tty_struct *tty)
/* No write no play */
if (tty->ops->write == NULL)
return -EOPNOTSUPP;
-   if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_TTY_CONFIG))
+   if (!capable_any(CAP_SYS_TTY_CONFIG, CAP_SYS_ADMIN))
return -EPERM;
 
/* release devices to avoid name collision */
diff --git a/drivers/s390/block/dasd_eckd.c b/drivers/s390/block/dasd_eckd.c
index 373c1a86c33e..8f9a5136306a 100644
--- a/drivers/s390/block/dasd_eckd.c
+++ b/drivers/s390/block/dasd_eckd.c
@@ -5384,7 +5384,7 @@ static int dasd_symm_io(struct dasd_device *device, void 
__user *argp)
char psf0, psf1;
int rc;
 
-   if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RAWIO))
+   if (!capable_any(CAP_SYS_RAWIO, CAP_SYS_ADMIN))
return -EACCES;
psf0 = psf1 = 0;
 
-- 
2.43.0



Re: [PATCH v2 3/4] selinux: use vma_is_initial_stack() and vma_is_initial_heap()

2023-07-20 Thread Christian Göttsche
On Wed, 19 Jul 2023 at 09:40, Kefeng Wang  wrote:
>
> Use the helpers to simplify code.
>
> Cc: Paul Moore 
> Cc: Stephen Smalley 
> Cc: Eric Paris 
> Acked-by: Paul Moore 
> Signed-off-by: Kefeng Wang 
> ---
>  security/selinux/hooks.c | 7 ++-
>  1 file changed, 2 insertions(+), 5 deletions(-)
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index d06e350fedee..ee8575540a8e 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -3762,13 +3762,10 @@ static int selinux_file_mprotect(struct 
> vm_area_struct *vma,
> if (default_noexec &&
> (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
> int rc = 0;
> -   if (vma->vm_start >= vma->vm_mm->start_brk &&
> -   vma->vm_end <= vma->vm_mm->brk) {
> +   if (vma_is_initial_heap(vma)) {

This seems to change the condition from

vma->vm_start >= vma->vm_mm->start_brk && vma->vm_end <= vma->vm_mm->brk

to

vma->vm_start <= vma->vm_mm->brk && vma->vm_end >= vma->vm_mm->start_brk

(or AND arguments swapped)

vma->vm_end >= vma->vm_mm->start_brk && vma->vm_start <= vma->vm_mm->brk

Is this intended?

> rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
>   PROCESS__EXECHEAP, NULL);
> -   } else if (!vma->vm_file &&
> -  ((vma->vm_start <= vma->vm_mm->start_stack &&
> -vma->vm_end >= vma->vm_mm->start_stack) ||
> +   } else if (!vma->vm_file && (vma_is_initial_stack(vma) ||
> vma_is_stack_for_current(vma))) {
> rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
>   PROCESS__EXECSTACK, NULL);
> --
> 2.27.0
>


Re: [PATCH 1/5] mm: introduce vma_is_stack() and vma_is_heap()

2023-07-19 Thread Christian Göttsche
On Wed, 12 Jul 2023 at 16:25, Kefeng Wang  wrote:
>
> Introduce the two helpers for general use.
>
> Signed-off-by: Kefeng Wang 
> ---
>  include/linux/mm.h | 12 
>  1 file changed, 12 insertions(+)
>
> diff --git a/include/linux/mm.h b/include/linux/mm.h
> index 1462cf15badf..0bbeb31ac750 100644
> --- a/include/linux/mm.h
> +++ b/include/linux/mm.h
> @@ -926,6 +926,18 @@ static inline bool vma_is_anonymous(struct 
> vm_area_struct *vma)
> return !vma->vm_ops;
>  }
>
> +static inline bool vma_is_heap(struct vm_area_struct *vma)

What about declaring the parameters const to document in code these
functions do not modify any state, and allow callers to pass pointers
to const?

> +{
> +   return vma->vm_start <= vma->vm_mm->brk &&
> +   vma->vm_end >= vma->vm_mm->start_brk;
> +}
> +
> +static inline bool vma_is_stack(struct vm_area_struct *vma)
> +{
> +   return vma->vm_start <= vma->vm_mm->start_stack &&
> +  vma->vm_end >= vma->vm_mm->start_stack;
> +}
> +
>  static inline bool vma_is_temporary_stack(struct vm_area_struct *vma)
>  {
> int maybe_stack = vma->vm_flags & (VM_GROWSDOWN | VM_GROWSUP);
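Review bot: `vma_is_heap()` compares with `>=` against `vm_end`, which is the first address past the mapping, so it also returns true for a VMA that merely ends at `start_brk`, and through `vm_start <= brk` for one that begins exactly at `brk`. That matters where the result feeds a security decision, since an adjacent mapping is then classified as heap. If overlap is the intended meaning, strict comparisons express it: `return vma->vm_start < vma->vm_mm->brk && vma->vm_end > vma->vm_mm->start_brk;`. Either way, a short comment above each helper should say whether it tests overlap or containment, because the names alone do not.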
> --
> 2.41.0
>


[PATCH v4 5/9] drivers: use new capable_any functionality

2023-05-12 Thread Christian Göttsche
Use the newly added capable_any() function in appropriate cases, where a
task is required to have either of two capabilities.

Reorder CAP_SYS_ADMIN last.

Signed-off-by: Christian Göttsche 
---
v4:
   Additional usage in kfd_ioctl()
v3:
   rename to capable_any()
---
 drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 3 +--
 drivers/net/caif/caif_serial.c   | 2 +-
 drivers/s390/block/dasd_eckd.c   | 2 +-
 3 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c 
b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
index 1b54a9aaae70..d21fb9d1556b 100644
--- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
@@ -2896,8 +2896,7 @@ static long kfd_ioctl(struct file *filep, unsigned int 
cmd, unsigned long arg)
 * more priviledged access.
 */
if (unlikely(ioctl->flags & KFD_IOC_FLAG_CHECKPOINT_RESTORE)) {
-   if (!capable(CAP_CHECKPOINT_RESTORE) &&
-   !capable(CAP_SYS_ADMIN)) {
+   if (!capable_any(CAP_CHECKPOINT_RESTORE, CAP_SYS_ADMIN)) {
retcode = -EACCES;
goto err_i1;
}
diff --git a/drivers/net/caif/caif_serial.c b/drivers/net/caif/caif_serial.c
index 688075859ae4..ca3f82a0e3a6 100644
--- a/drivers/net/caif/caif_serial.c
+++ b/drivers/net/caif/caif_serial.c
@@ -326,7 +326,7 @@ static int ldisc_open(struct tty_struct *tty)
/* No write no play */
if (tty->ops->write == NULL)
return -EOPNOTSUPP;
-   if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_TTY_CONFIG))
+   if (!capable_any(CAP_SYS_TTY_CONFIG, CAP_SYS_ADMIN))
return -EPERM;
 
/* release devices to avoid name collision */
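Review bot: The `ldisc_open()` change here and the `dasd_symm_io()` change below are not pure refactors, because the old code called `capable(CAP_SYS_ADMIN)` first and a failed capable() call is normally what produces the audit/LSM denial record. A task holding only CAP_SYS_TTY_CONFIG or CAP_SYS_RAWIO would therefore have logged a CAP_SYS_ADMIN denial before succeeding, and presumably no longer does. The commit message says only "Reorder CAP_SYS_ADMIN last"; it should state this effect in a sentence such as `This avoids a spurious CAP_SYS_ADMIN denial for tasks that hold the narrower capability.`, so that administrators know that policy rules added to allow or silence those denials can be tightened. ldisc_open() continues outside the hunk.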
diff --git a/drivers/s390/block/dasd_eckd.c b/drivers/s390/block/dasd_eckd.c
index ade1369fe5ed..67d1058bce1b 100644
--- a/drivers/s390/block/dasd_eckd.c
+++ b/drivers/s390/block/dasd_eckd.c
@@ -5370,7 +5370,7 @@ static int dasd_symm_io(struct dasd_device *device, void 
__user *argp)
char psf0, psf1;
int rc;
 
-   if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RAWIO))
+   if (!capable_any(CAP_SYS_RAWIO, CAP_SYS_ADMIN))
return -EACCES;
psf0 = psf1 = 0;
 
-- 
2.40.1