From a495108ea99c64ce6b5727cb163162ba28e27bff Mon Sep 17 00:00:00 2001
From: Gaosheng Cui
Date: Thu, 11 May 2023 09:27:15 +0800
Subject: [PATCH 1/7] capability: fix kernel-doc warnings in capability.c
Fix all kernel-doc warnings in capability.c:
kernel/capability.c:477: warning: Function parameter or member 'idmap' not described in 'privileged_wrt_inode_uidgid'
kernel/capability.c:493: warning: Function parameter or member 'idmap' not described in 'capable_wrt_inode_uidgid'
Signed-off-by: Gaosheng Cui
Acked-by: Serge Hallyn
Signed-off-by: Paul Moore
---
 kernel/capability.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/kernel/capability.c b/kernel/capability.c
index 3e058f41df32..1a2795102ae4 100644
--- a/kernel/capability.c
+++ b/kernel/capability.c
@@ -467,6 +467,7 @@ EXPORT_SYMBOL(file_ns_capable);
 /**
 * privileged_wrt_inode_uidgid - Do capabilities in the namespace work over the inode?
 * @ns: The user namespace in question
+ * @idmap: idmap of the mount @inode was found from
 * @inode: The inode in question
 *
 * Return true if the inode uid and gid are within the namespace.
@@ -481,6 +482,7 @@ bool privileged_wrt_inode_uidgid(struct user_namespace *ns,
 /**
 * capable_wrt_inode_uidgid - Check nsown_capable and uid and gid mapped
+ * @idmap: idmap of the mount @inode was found from
 * @inode: The inode in question
 * @cap: The capability in question
 *
From d031f4e8b493df299123fbb4ec13db870584ed28 Mon Sep 17 00:00:00 2001
From: Tetsuo Handa
Date: Thu, 11 May 2023 23:48:45 +0900
Subject: [PATCH 2/7] reiserfs: Initialize sec->length in reiserfs_security_init().
syzbot is reporting that sec->length is not initialized. Since security_inode_init_security() returns 0 when initxattrs is provided but call_int_hook(inode_init_security) returned -EOPNOTSUPP, control will reach to "if (sec->length && ...) {" without initializing sec->length.
Reported-by: syzbot
Closes: https://syzkaller.appspot.com/bug?extid=00a3779539a23cbee38c
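Review bot: In the second hunk of kernel/capability.c, the kernel-doc summary for capable_wrt_inode_uidgid still reads `Check nsown_capable and uid and gid mapped`, and nsown_capable does not appear to be a current kernel symbol, so a reader auditing this permission check is pointed at a helper they cannot look up. Since the commit already touches this comment, the summary could name what is tested instead, for example `capable_wrt_inode_uidgid - Check @cap in the caller's user namespace and that the inode's uid and gid are mapped there`. The comment and the function body continue past the end of the hunk, so the exact wording should be confirmed against the code.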
Signed-off-by: Tetsuo Handa
Fixes: 52ca4b6435a4 ("reiserfs: Switch to security_inode_init_security()")
Signed-off-by: Paul Moore
---
 fs/reiserfs/xattr_security.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/fs/reiserfs/xattr_security.c b/fs/reiserfs/xattr_security.c
index 6e0a099dd788..078dd8cc312f 100644
--- a/fs/reiserfs/xattr_security.c
+++ b/fs/reiserfs/xattr_security.c
@@ -67,6 +67,7 @@ int reiserfs_security_init(struct inode *dir, struct inode *inode,
 sec->name = NULL;
 sec->value = NULL;
+ sec->length = 0;
 /* Don't add selinux attributes on xattrs - they'll never get used */
 if (IS_PRIVATE(dir))
From 4432b507445acf3f8e09ce253d4ca852c177b625 Mon Sep 17 00:00:00 2001
From: Paul Moore
Date: Wed, 24 May 2023 23:19:53 -0400
Subject: [PATCH 3/7] lsm: fix a number of misspellings
A random collection of spelling fixes for source files in the LSM layer.
Reviewed-by: Casey Schaufler
Signed-off-by: Paul Moore
---
 security/commoncap.c | 20 ++++++++++----------
 security/device_cgroup.c | 2 +-
 security/lsm_audit.c | 2 +-
 security/security.c | 4 ++--
 4 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/security/commoncap.c b/security/commoncap.c
index 0b3fc2f3afe7..ab5742ab4362 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -314,7 +314,7 @@ int cap_inode_need_killpriv(struct dentry *dentry)
 * the vfsmount must be passed through @idmap. This function will then
 * take care to map the inode according to @idmap before checking
 * permissions. On non-idmapped mounts or if permission checking is to be
- * performed on the raw inode simply passs @nop_mnt_idmap.
+ * performed on the raw inode simply pass @nop_mnt_idmap.
 *
 * Return: 0 if successful, -ve on error.
 */
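Review bot: In fs/reiserfs/xattr_security.c, the new `sec->length = 0;` in reiserfs_security_init() carries no comment saying why it is required, and the three fields are still cleared one by one. According to the commit message, security_inode_init_security() can return 0 without the initxattrs callback having filled `sec`, after which `if (sec->length && ...)` reads whatever the caller left in the structure; a short comment such as `/* security_inode_init_security() may return 0 without filling sec */` above the assignments would keep a later cleanup from dropping the line. If the structure has no member that callers set before this call (not visible in the hunk), `memset(sec, 0, sizeof(*sec));` would also cover any field added later. The function body continues outside the hunk.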
@@ -522,7 +522,7 @@ static bool validheader(size_t size, const struct vfs_cap_data *cap)
 * the vfsmount must be passed through @idmap. This function will then
 * take care to map the inode according to @idmap before checking
 * permissions. On non-idmapped mounts or if permission checking is to be
- * performed on the raw inode simply passs @nop_mnt_idmap.
+ * performed on the raw inode simply pass @nop_mnt_idmap.
 *
 * Return: On success, return the new size; on error, return < 0.
 */
@@ -630,7 +630,7 @@ static inline int bprm_caps_from_vfs_caps(struct cpu_vfs_cap_data *caps,
 * the vfsmount must be passed through @idmap. This function will then
 * take care to map the inode according to @idmap before checking
 * permissions. On non-idmapped mounts or if permission checking is to be
- * performed on the raw inode simply passs @nop_mnt_idmap.
+ * performed on the raw inode simply pass @nop_mnt_idmap.
 */
 int get_vfs_caps_from_disk(struct mnt_idmap *idmap,
 const struct dentry *dentry,
@@ -1133,7 +1133,7 @@ int cap_task_fix_setuid(struct cred *new, const struct cred *old, int flags)
 break;
 case LSM_SETID_FS:
- /* juggle the capabilties to follow FSUID changes, unless
+ /* juggle the capabilities to follow FSUID changes, unless
 * otherwise suppressed
 *
 * FIXME - is fsuser used for all CAP_FS_MASK capabilities?
@@ -1184,10 +1184,10 @@ static int cap_safe_nice(struct task_struct *p)
 }
 /**
- * cap_task_setscheduler - Detemine if scheduler policy change is permitted
+ * cap_task_setscheduler - Determine if scheduler policy change is permitted
 * @p: The task to affect
 *
- * Detemine if the requested scheduler policy change is permitted for the
+ * Determine if the requested scheduler policy change is permitted for the
 * specified task.
 *
 * Return: 0 if permission is granted, -ve if denied.
@@ -1198,11 +1198,11 @@ int cap_task_setscheduler(struct task_struct *p)
 }
 /**
- * cap_task_setioprio - Detemine if I/O priority change is permitted
+ * cap_task_setioprio - Determine if I/O priority change is permitted
 * @p: The task to affect
 * @ioprio: The I/O priority to set
 *
- * Detemine if the requested I/O priority change is permitted for the specified
+ * Determine if the requested I/O priority change is permitted for the specified
 * task.
 *
 * Return: 0 if permission is granted, -ve if denied.
@@ -1213,11 +1213,11 @@ int cap_task_setioprio(struct task_struct *p, int ioprio)
 }
 /**
- * cap_task_setnice - Detemine if task priority change is permitted
+ * cap_task_setnice - Determine if task priority change is permitted
 * @p: The task to affect
 * @nice: The nice value to set
 *
- * Detemine if the requested task priority change is permitted for the
+ * Determine if the requested task priority change is permitted for the
 * specified task.
 *
 * Return: 0 if permission is granted, -ve if denied.
diff --git a/security/device_cgroup.c b/security/device_cgroup.c
index 7507d14eacc7..41fca6487ca3 100644
--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -421,7 +421,7 @@ static bool verify_new_ex(struct dev_cgroup *dev_cgroup,
 } else {
 /*
 * new exception in the child will add more devices
- * that can be acessed, so it can't match any of
+ * that can be accessed, so it can't match any of
 * parent's exceptions, even slightly
 */
 match = match_exception_partial(&dev_cgroup->exceptions,
diff --git a/security/lsm_audit.c b/security/lsm_audit.c
index 368e77ca43c4..849e832719e2 100644
--- a/security/lsm_audit.c
+++ b/security/lsm_audit.c
@@ -200,7 +200,7 @@ static void dump_common_audit_data(struct audit_buffer *ab,
 char comm[sizeof(current->comm)];
 /*
- * To keep stack sizes in check force programers to notice if they
+ * To keep stack sizes in check force programmers to notice if they
 * start making this union too large! See struct lsm_network_audit
 * as an example of how to deal with large data.
 */
diff --git a/security/security.c b/security/security.c
index d5ff7ff45b77..ee4f1cc4902e 100644
--- a/security/security.c
+++ b/security/security.c
@@ -2491,7 +2491,7 @@ int security_inode_copy_up_xattr(const char *name)
 /*
 * The implementation can return 0 (accept the xattr), 1 (discard the
 * xattr), -EOPNOTSUPP if it does not know anything about the xattr or
- * any other error code incase of an error.
+ * any other error code in case of an error.
 */
 hlist_for_each_entry(hp, &security_hook_heads.inode_copy_up_xattr, list) {
@@ -4676,7 +4676,7 @@ EXPORT_SYMBOL(security_sctp_assoc_established);
 * @subnet_prefix: subnet prefix of the port
 * @pkey: IB pkey
 *
- * Check permission to access a pkey when modifing a QP.
+ * Check permission to access a pkey when modifying a QP.
 *
 * Return: Returns 0 if permission is granted.
 */
From 55382134366e641e97cd83264c22c60c7dc10ccd Mon Sep 17 00:00:00 2001
From: "GONG, Ruiqi"
Date: Fri, 2 Jun 2023 13:45:27 +0800
Subject: [PATCH 4/7] capability: erase checker warnings about struct __user_cap_data_struct
Currently Sparse warns the following when compiling kernel/capability.c:
kernel/capability.c:191:35: warning: incorrect type in argument 2 (different address spaces)
kernel/capability.c:191:35: expected void const *from
kernel/capability.c:191:35: got struct __user_cap_data_struct [noderef] __user *
kernel/capability.c:168:14: warning: dereference of noderef expression
...... (multiple noderef warnings on different locations)
kernel/capability.c:244:29: warning: incorrect type in argument 1 (different address spaces)
kernel/capability.c:244:29: expected void *to
kernel/capability.c:244:29: got struct __user_cap_data_struct [noderef] __user ( * )[2]
kernel/capability.c:247:42: warning: dereference of noderef expression
...... (multiple noderef warnings on different locations)
It seems that defining `struct __user_cap_data_struct` together with `cap_user_data_t` make Sparse believe that the struct is `noderef` as well. Separate their definitions to clarify their respective attributes.
Signed-off-by: GONG, Ruiqi
Acked-by: Serge Hallyn
[PM: wrapped long lines in the description]
Signed-off-by: Paul Moore
---
 include/uapi/linux/capability.h | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/include/uapi/linux/capability.h b/include/uapi/linux/capability.h
index 3d61a0ae055d..5bb906098697 100644
--- a/include/uapi/linux/capability.h
+++ b/include/uapi/linux/capability.h
@@ -41,11 +41,12 @@ typedef struct __user_cap_header_struct {
 int pid;
 } __user *cap_user_header_t;
-typedef struct __user_cap_data_struct {
+struct __user_cap_data_struct {
 __u32 effective;
 __u32 permitted;
 __u32 inheritable;
-} __user *cap_user_data_t;
+};
+typedef struct __user_cap_data_struct __user *cap_user_data_t;
 #define VFS_CAP_REVISION_MASK 0xFF000000
From b432b55176443e96b6f3bc39ed140ab00cddd84f Mon Sep 17 00:00:00 2001
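Review bot: In include/uapi/linux/capability.h, the context lines directly above the change still declare the sibling type in the combined form, `typedef struct __user_cap_header_struct { ... } __user *cap_user_header_t;`, which is the same pattern the commit message says leads Sparse to treat the struct itself as `noderef`. Whether Sparse currently warns for the header struct is not shown here, but splitting it the same way keeps the two declarations consistent and keeps `__user` attached only to the pointer typedef, which is what lets the checker flag direct dereferences of user pointers: close the struct with `};` and add `typedef struct __user_cap_header_struct __user *cap_user_header_t;`. The header struct's definition starts above the hunk.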
From: Paul Moore
Date: Thu, 8 Jun 2023 14:58:28 -0400
Subject: [PATCH 5/7] MAINTAINERS: move labeled networking to "supported"
My current employer, Microsoft, cares very much about the development and maintenance of the upstream Linux Kernel so we can consider labeled networking to be "supported" according to the definition in MAINTAINERS:
S: *Status*, one of the following:
Supported: Someone is actually paid to look after this.
Maintained: Someone actually looks after it.
...
Signed-off-by: Paul Moore
---
 MAINTAINERS | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/MAINTAINERS b/MAINTAINERS
index 7e0b87d5aa2e..8818cd866009 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -14667,7 +14667,7 @@ NETWORKING [LABELED] (NetLabel, Labeled IPsec, SECMARK)
 M: Paul Moore
 L: netdev@vger.kernel.org
 L: linux-security-module@vger.kernel.org
-S: Maintained
+S: Supported
 W: https://github.com/netlabel
 F: Documentation/netlabel/
 F: include/net/calipso.h
From 970ebb8a26a120340dcbb4e6c2fb4ecfbad0d190 Mon Sep 17 00:00:00 2001
From: Alexander Mikhalitsyn
Date: Wed, 3 May 2023 08:43:44 +0200
Subject: [PATCH 6/7] SafeSetID: fix UID printed instead of GID
pr_warn message clearly says that GID should be printed, but we have UID there. Let's fix that. Found accidentally during the work on isolated user namespaces.
Signed-off-by: Alexander Mikhalitsyn
[PM: fix spelling errors in description, subject tweak]
Signed-off-by: Paul Moore
---
 security/safesetid/lsm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/safesetid/lsm.c b/security/safesetid/lsm.c
index e806739f7868..5be5894aa0ea 100644
--- a/security/safesetid/lsm.c
+++ b/security/safesetid/lsm.c
@@ -131,7 +131,7 @@ static int safesetid_security_capable(const struct cred *cred,
 * set*gid() (e.g. setting up userns gid mappings).
 */
 pr_warn("Operation requires CAP_SETGID, which is not available to GID %u for operations besides approved set*gid transitions\n",
- __kuid_val(cred->uid));
+ __kgid_val(cred->gid));
 return -EPERM;
 default:
 /* Error, the only capabilities were checking for is CAP_SETUID/GID */
From 4be22f16a4a1a1667e79b52b56cca2c64b3747e2 Mon Sep 17 00:00:00 2001
From: Gaosheng Cui
Date: Wed, 21 Jun 2023 15:44:18 +0800
Subject: [PATCH 7/7] device_cgroup: Fix kernel-doc warnings in device_cgroup
Fix kernel-doc warnings in device_cgroup:
security/device_cgroup.c:835: warning: Excess function parameter 'dev_cgroup' description in 'devcgroup_legacy_check_permission'.
Signed-off-by: Gaosheng Cui
Signed-off-by: Paul Moore
---
 security/device_cgroup.c | 1 -
 1 file changed, 1 deletion(-)
diff --git a/security/device_cgroup.c b/security/device_cgroup.c
index 41fca6487ca3..dc4df7475081 100644
--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -822,7 +822,6 @@ struct cgroup_subsys devices_cgrp_subsys = {
 /**
 * devcgroup_legacy_check_permission - checks if an inode operation is permitted
- * @dev_cgroup: the dev cgroup to be tested against
 * @type: device type
 * @major: device major number
 * @minor: device minor number
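Review bot: In security/safesetid/lsm.c, the corrected CAP_SETGID denial in safesetid_security_capable() is still logged with a plain `pr_warn(`, so every denied check writes a full line to the kernel log. If a task confined by a SafeSetID policy can reach this branch repeatedly (the callers are outside the hunk), the warnings can crowd out other audit-relevant messages; `pr_warn_ratelimited(` with the same format string and `__kgid_val(cred->gid)` argument keeps the signal while bounding the volume. The message also identifies the subject only by its GID, so adding the UID as a second `%u` would make the entry easier to correlate during triage. The switch statement starts above the hunk, and the CAP_SETUID branch, which is not shown, may want the same treatment.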