
Merge tag 'fixes-v5.13' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

Pull security layer fixes from James Morris:
"Miscellaneous minor fixes"

* tag 'fixes-v5.13' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
security: commoncap: clean up kernel-doc comments
security: commoncap: fix -Wstringop-overread warning

+34 -18
+34 -18
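--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -50,7 +50,7 @@
  /**
  * cap_capable - Determine whether a task has a particular effective capability
  * @cred: The credentials to use
- * @ns: The user namespace in which we need the capability
+ * @targ_ns: The user namespace in which we need the capability
  * @cap: The capability to check for
  * @opts: Bitmask of options defined in include/linux/security.h
  *
@@ -289,7 +289,7 @@
  * affects the security markings on that inode, and if it is, should
  * inode_killpriv() be invoked or the change rejected.
  *
- * Returns 1 if security.capability has a value, meaning inode_killpriv()
+ * Return: 1 if security.capability has a value, meaning inode_killpriv()
  * is required, 0 otherwise, meaning inode_killpriv() is not required.
  */
  int cap_inode_need_killpriv(struct dentry *dentry)
@@ -315,7 +315,7 @@
  * permissions. On non-idmapped mounts or if permission checking is to be
  * performed on the raw inode simply passs init_user_ns.
  *
- * Returns 0 if successful, -ve on error.
+ * Return: 0 if successful, -ve on error.
  */
  int cap_inode_killpriv(struct user_namespace *mnt_userns, struct dentry *dentry)
  {
@@ -400,7 +400,7 @@
  &tmpbuf, size, GFP_NOFS);
  dput(dentry);
 
- if (ret < 0)
+ if (ret < 0 || !tmpbuf)
  return ret;
 
  fs_ns = inode->i_sb->s_user_ns;
@@ -532,7 +532,7 @@
  * permissions. On non-idmapped mounts or if permission checking is to be
  * performed on the raw inode simply passs init_user_ns.
  *
- * If all is ok, we return the new size, on error return < 0.
+ * Return: On success, return the new size; on error, return < 0.
  */
  int cap_convert_nscap(struct user_namespace *mnt_userns, struct dentry *dentry,
  const void **ivalue, size_t size)
@@ -881,7 +881,9 @@
  *
  * Set up the proposed credentials for a new execution context being
  * constructed by execve(). The proposed creds in @bprm->cred is altered,
- * which won't take effect immediately. Returns 0 if successful, -ve on error.
+ * which won't take effect immediately.
+ *
+ * Return: 0 if successful, -ve on error.
  */
  int cap_bprm_creds_from_file(struct linux_binprm *bprm, struct file *file)
  {
@@ -1119,7 +1117,9 @@
  * @flags: Indications of what has changed
  *
  * Fix up the results of setuid() call before the credential changes are
- * actually applied, returning 0 to grant the changes, -ve to deny them.
+ * actually applied.
+ *
+ * Return: 0 to grant the changes, -ve to deny them.
  */
  int cap_task_fix_setuid(struct cred *new, const struct cred *old, int flags)
  {
@@ -1191,7 +1187,9 @@
  * @p: The task to affect
  *
  * Detemine if the requested scheduler policy change is permitted for the
- * specified task, returning 0 if permission is granted, -ve if denied.
+ * specified task.
+ *
+ * Return: 0 if permission is granted, -ve if denied.
  */
  int cap_task_setscheduler(struct task_struct *p)
  {
@@ -1201,12 +1195,14 @@
  }
 
  /**
- * cap_task_ioprio - Detemine if I/O priority change is permitted
+ * cap_task_setioprio - Detemine if I/O priority change is permitted
  * @p: The task to affect
  * @ioprio: The I/O priority to set
  *
  * Detemine if the requested I/O priority change is permitted for the specified
- * task, returning 0 if permission is granted, -ve if denied.
+ * task.
+ *
+ * Return: 0 if permission is granted, -ve if denied.
  */
  int cap_task_setioprio(struct task_struct *p, int ioprio)
  {
@@ -1216,12 +1208,14 @@
  }
 
  /**
- * cap_task_ioprio - Detemine if task priority change is permitted
+ * cap_task_setnice - Detemine if task priority change is permitted
  * @p: The task to affect
  * @nice: The nice value to set
  *
  * Detemine if the requested task priority change is permitted for the
- * specified task, returning 0 if permission is granted, -ve if denied.
+ * specified task.
+ *
+ * Return: 0 if permission is granted, -ve if denied.
  */
  int cap_task_setnice(struct task_struct *p, int nice)
  {
@@ -1253,12 +1243,15 @@
  /**
  * cap_task_prctl - Implement process control functions for this security module
  * @option: The process control function requested
- * @arg2, @arg3, @arg4, @arg5: The argument data for this function
+ * @arg2: The argument data for this function
+ * @arg3: The argument data for this function
+ * @arg4: The argument data for this function
+ * @arg5: The argument data for this function
  *
  * Allow process control functions (sys_prctl()) to alter capabilities; may
  * also deny access to other functions not otherwise implemented here.
  *
- * Returns 0 or +ve on success, -ENOSYS if this function is not implemented
+ * Return: 0 or +ve on success, -ENOSYS if this function is not implemented
  * here, other -ve on error. If -ENOSYS is returned, sys_prctl() and other LSM
  * modules will consider performing the function.
  */
@@ -1396,7 +1383,9 @@
  * @pages: The size of the mapping
  *
  * Determine whether the allocation of a new virtual mapping by the current
- * task is permitted, returning 1 if permission is granted, 0 if not.
+ * task is permitted.
+ *
+ * Return: 1 if permission is granted, 0 if not.
  */
  int cap_vm_enough_memory(struct mm_struct *mm, long pages)
  {
@@ -1411,14 +1396,15 @@
  return cap_sys_admin;
  }
 
- /*
+ /**
  * cap_mmap_addr - check if able to map given addr
  * @addr: address attempting to be mapped
  *
  * If the process is attempting to map memory below dac_mmap_min_addr they need
  * CAP_SYS_RAWIO. The other parameters to this function are unused by the
- * capability security module. Returns 0 if this mapping should be allowed
- * -EPERM if not.
+ * capability security module.
+ *
+ * Return: 0 if this mapping should be allowed or -EPERM if not.
  */
  int cap_mmap_addr(unsigned long addr)
  {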
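Review bot: In the hunk at old line 403, the added `!tmpbuf` arm returns `ret` while `ret` is non-negative, so a caller would read a success value even though no attribute buffer was produced. If that state is reachable, an explicit error would be safer, for example `if (ret < 0) return ret;` followed by `if (!tmpbuf) return -EINVAL;` (the errno choice needs confirming against the callers). If it is not reachable and the check exists only to satisfy -Wstringop-overread, a comment such as `/* tmpbuf is never NULL when ret >= 0; this check only silences -Wstringop-overread */` would stop it from reading as a handled case. It is also worth confirming that the call filling `tmpbuf` cannot leave it allocated when it returns an error, since this early return frees nothing. The enclosing function starts and ends outside the hunk, and the remaining hunks in this file change kernel-doc comments only.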