From 0968d0060a3c885e53d453380266c7792a55d302 Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Wed, 7 Apr 2010 15:14:56 -0400 Subject: security: remove dead hook cred_commit Unused hook. Remove. Signed-off-by: Eric Paris Signed-off-by: James Morris --- kernel/cred.c | 2 -- 1 file changed, 2 deletions(-) (limited to 'kernel') diff --git a/kernel/cred.c b/kernel/cred.c index 1b1129d0cce8..fecb34640482 100644 --- a/kernel/cred.c +++ b/kernel/cred.c @@ -520,8 +520,6 @@ int commit_creds(struct cred *new) #endif BUG_ON(atomic_read(&new->usage) < 1); - security_commit_creds(new, old); - get_cred(new); /* we will require a ref for the subj creds too */ /* dumpability changes */ -- cgit v1.2.3 From 43ed8c3b4573d5f5cd314937fee63b4ab046ac5f Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Wed, 7 Apr 2010 15:15:02 -0400 Subject: security: remove dead hook task_setuid Unused hook. Remove. Signed-off-by: Eric Paris Signed-off-by: James Morris --- include/linux/security.h | 20 -------------------- kernel/sys.c | 15 --------------- security/capability.c | 6 ------ security/security.c | 5 ----- 4 files changed, 46 deletions(-) (limited to 'kernel') diff --git a/include/linux/security.h b/include/linux/security.h index 33b0c1b27f82..447c57fcec88 100644 --- a/include/linux/security.h +++ b/include/linux/security.h 
@@ -674,18 +674,6 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts) * userspace to load a kernel module with the given name. * @kmod_name name of the module requested by the kernel * Return 0 if successful. - * @task_setuid: - * Check permission before setting one or more of the user identity - * attributes of the current process. The @flags parameter indicates - * which of the set*uid system calls invoked this hook and how to - * interpret the @id0, @id1, and @id2 parameters. See the LSM_SETID - * definitions at the beginning of this file for the @flags values and - * their meanings. - * @id0 contains a uid. - * @id1 contains a uid. - * @id2 contains a uid. - * @flags contains one of the LSM_SETID_* values. - * Return 0 if permission is granted. * @task_fix_setuid: * Update the module's state after setting one or more of the user * identity attributes of the current process. The @flags parameter @@ -1536,7 +1524,6 @@ struct security_operations { int (*kernel_act_as)(struct cred *new, u32 secid); int (*kernel_create_files_as)(struct cred *new, struct inode *inode); int (*kernel_module_request)(char *kmod_name); - int (*task_setuid) (uid_t id0, uid_t id1, uid_t id2, int flags); int (*task_fix_setuid) (struct cred *new, const struct cred *old, int flags); int (*task_setgid) (gid_t id0, gid_t id1, gid_t id2, int flags); @@ -1793,7 +1780,6 @@ void security_transfer_creds(struct cred *new, const struct cred *old); int security_kernel_act_as(struct cred *new, u32 secid); int security_kernel_create_files_as(struct cred *new, struct inode *inode); int security_kernel_module_request(char *kmod_name); -int security_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags); int security_task_fix_setuid(struct cred *new, const struct cred *old, int flags); int security_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags); 
@@ -2330,12 +2316,6 @@ static inline int security_kernel_module_request(char *kmod_name) return 0; } -static inline int security_task_setuid(uid_t id0, uid_t id1, uid_t id2, - int flags) -{ - return 0; -} - static inline int security_task_fix_setuid(struct cred *new, const struct cred *old, int flags) diff --git a/kernel/sys.c b/kernel/sys.c index 8298878f4f71..396c11cd9a20 100644 --- a/kernel/sys.c +++ b/kernel/sys.c @@ -609,10 +609,6 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, uid_t, euid) return -ENOMEM; old = current_cred(); - retval = security_task_setuid(ruid, euid, (uid_t)-1, LSM_SETID_RE); - if (retval) - goto error; - retval = -EPERM; if (ruid != (uid_t) -1) { new->uid = ruid; @@ -674,10 +670,6 @@ SYSCALL_DEFINE1(setuid, uid_t, uid) return -ENOMEM; old = current_cred(); - retval = security_task_setuid(uid, (uid_t)-1, (uid_t)-1, LSM_SETID_ID); - if (retval) - goto error; - retval = -EPERM; if (capable(CAP_SETUID)) { new->suid = new->uid = uid; @@ -718,9 +710,6 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid, uid_t, euid, uid_t, suid) if (!new) return -ENOMEM; - retval = security_task_setuid(ruid, euid, suid, LSM_SETID_RES); - if (retval) - goto error; old = current_cred(); retval = -EPERM; @@ -850,9 +839,6 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid) old = current_cred(); old_fsuid = old->fsuid; - if (security_task_setuid(uid, (uid_t)-1, (uid_t)-1, LSM_SETID_FS) < 0) - goto error; - if (uid == old->uid || uid == old->euid || uid == old->suid || uid == old->fsuid || capable(CAP_SETUID)) { @@ -863,7 +849,6 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid) } } -error: abort_creds(new); return old_fsuid; diff --git a/security/capability.c b/security/capability.c index a927bdea1816..41ff54f3b4d8 100644 --- a/security/capability.c +++ b/security/capability.c 
@@ -392,11 +392,6 @@ static int cap_kernel_module_request(char *kmod_name) return 0; } -static int cap_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) -{ - return 0; -} - static int cap_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags) { return 0; @@ -972,7 +967,6 @@ void security_fixup_ops(struct security_operations *ops) set_to_cap_if_null(ops, kernel_act_as); set_to_cap_if_null(ops, kernel_create_files_as); set_to_cap_if_null(ops, kernel_module_request); - set_to_cap_if_null(ops, task_setuid); set_to_cap_if_null(ops, task_fix_setuid); set_to_cap_if_null(ops, task_setgid); set_to_cap_if_null(ops, task_setpgid); diff --git a/security/security.c b/security/security.c index 6e5942653d4f..3900da3da87b 100644 --- a/security/security.c +++ b/security/security.c @@ -732,11 +732,6 @@ int security_kernel_module_request(char *kmod_name) return security_ops->kernel_module_request(kmod_name); } -int security_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) -{ - return security_ops->task_setuid(id0, id1, id2, flags); -} - int security_task_fix_setuid(struct cred *new, const struct cred *old, int flags) { -- cgit v1.2.3 From 06ad187e280e725e356c62c3a30ddcd01564f8be Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Wed, 7 Apr 2010 15:15:08 -0400 Subject: security: remove dead hook task_setgid Unused hook. Remove. Signed-off-by: Eric Paris Signed-off-by: James Morris --- include/linux/security.h | 20 -------------------- kernel/sys.c | 16 ---------------- security/capability.c | 6 ------ security/security.c | 5 ----- 4 files changed, 47 deletions(-) (limited to 'kernel') diff --git a/include/linux/security.h b/include/linux/security.h index 447c57fcec88..04ce0d6e4edf 100644 --- a/include/linux/security.h +++ b/include/linux/security.h 
@@ -683,18 +683,6 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts) * @old is the set of credentials that are being replaces * @flags contains one of the LSM_SETID_* values. * Return 0 on success. - * @task_setgid: - * Check permission before setting one or more of the group identity - * attributes of the current process. The @flags parameter indicates - * which of the set*gid system calls invoked this hook and how to - * interpret the @id0, @id1, and @id2 parameters. See the LSM_SETID - * definitions at the beginning of this file for the @flags values and - * their meanings. - * @id0 contains a gid. - * @id1 contains a gid. - * @id2 contains a gid. - * @flags contains one of the LSM_SETID_* values. - * Return 0 if permission is granted. * @task_setpgid: * Check permission before setting the process group identifier of the * process @p to @pgid. @@ -1526,7 +1514,6 @@ struct security_operations { int (*kernel_module_request)(char *kmod_name); int (*task_fix_setuid) (struct cred *new, const struct cred *old, int flags); - int (*task_setgid) (gid_t id0, gid_t id1, gid_t id2, int flags); int (*task_setpgid) (struct task_struct *p, pid_t pgid); int (*task_getpgid) (struct task_struct *p); int (*task_getsid) (struct task_struct *p); @@ -1782,7 +1769,6 @@ int security_kernel_create_files_as(struct cred *new, struct inode *inode); int security_kernel_module_request(char *kmod_name); int security_task_fix_setuid(struct cred *new, const struct cred *old, int flags); -int security_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags); int security_task_setpgid(struct task_struct *p, pid_t pgid); int security_task_getpgid(struct task_struct *p); int security_task_getsid(struct task_struct *p); 
@@ -2323,12 +2309,6 @@ static inline int security_task_fix_setuid(struct cred *new, return cap_task_fix_setuid(new, old, flags); } -static inline int security_task_setgid(gid_t id0, gid_t id1, gid_t id2, - int flags) -{ - return 0; -} - static inline int security_task_setpgid(struct task_struct *p, pid_t pgid) { return 0; diff --git a/kernel/sys.c b/kernel/sys.c index 396c11cd9a20..eb1ec5c7f03b 100644 --- a/kernel/sys.c +++ b/kernel/sys.c @@ -491,10 +491,6 @@ SYSCALL_DEFINE2(setregid, gid_t, rgid, gid_t, egid) return -ENOMEM; old = current_cred(); - retval = security_task_setgid(rgid, egid, (gid_t)-1, LSM_SETID_RE); - if (retval) - goto error; - retval = -EPERM; if (rgid != (gid_t) -1) { if (old->gid == rgid || @@ -542,10 +538,6 @@ SYSCALL_DEFINE1(setgid, gid_t, gid) return -ENOMEM; old = current_cred(); - retval = security_task_setgid(gid, (gid_t)-1, (gid_t)-1, LSM_SETID_ID); - if (retval) - goto error; - retval = -EPERM; if (capable(CAP_SETGID)) new->gid = new->egid = new->sgid = new->fsgid = gid; @@ -776,10 +768,6 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid, gid_t, egid, gid_t, sgid) return -ENOMEM; old = current_cred(); - retval = security_task_setgid(rgid, egid, sgid, LSM_SETID_RES); - if (retval) - goto error; - retval = -EPERM; if (!capable(CAP_SETGID)) { if (rgid != (gid_t) -1 && rgid != old->gid && @@ -872,9 +860,6 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid) old = current_cred(); old_fsgid = old->fsgid; - if (security_task_setgid(gid, (gid_t)-1, (gid_t)-1, LSM_SETID_FS)) - goto error; - if (gid == old->gid || gid == old->egid || gid == old->sgid || gid == old->fsgid || capable(CAP_SETGID)) { @@ -884,7 +869,6 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid) } } -error: abort_creds(new); return old_fsgid; diff --git a/security/capability.c b/security/capability.c index 41ff54f3b4d8..66cd7453563f 100644 --- a/security/capability.c +++ b/security/capability.c 
@@ -392,11 +392,6 @@ static int cap_kernel_module_request(char *kmod_name) return 0; } -static int cap_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags) -{ - return 0; -} - static int cap_task_setpgid(struct task_struct *p, pid_t pgid) { return 0; @@ -968,7 +963,6 @@ void security_fixup_ops(struct security_operations *ops) set_to_cap_if_null(ops, kernel_create_files_as); set_to_cap_if_null(ops, kernel_module_request); set_to_cap_if_null(ops, task_fix_setuid); - set_to_cap_if_null(ops, task_setgid); set_to_cap_if_null(ops, task_setpgid); set_to_cap_if_null(ops, task_getpgid); set_to_cap_if_null(ops, task_getsid); diff --git a/security/security.c b/security/security.c index 3900da3da87b..1e35dd669209 100644 --- a/security/security.c +++ b/security/security.c @@ -738,11 +738,6 @@ int security_task_fix_setuid(struct cred *new, const struct cred *old, return security_ops->task_fix_setuid(new, old, flags); } -int security_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags) -{ - return security_ops->task_setgid(id0, id1, id2, flags); -} - int security_task_setpgid(struct task_struct *p, pid_t pgid) { return security_ops->task_setpgid(p, pgid); -- cgit v1.2.3 From 6307f8fee295b364716d28686df6e69c2fee751a Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Wed, 7 Apr 2010 15:15:13 -0400 Subject: security: remove dead hook task_setgroups Unused hook. Remove. Signed-off-by: Eric Paris Signed-off-by: James Morris --- include/linux/security.h | 12 ------------ kernel/groups.c | 6 ------ security/capability.c | 6 ------ security/security.c | 5 ----- 4 files changed, 29 deletions(-) (limited to 'kernel') diff --git a/include/linux/security.h b/include/linux/security.h index 04ce0d6e4edf..73505f0c9b75 100644 --- a/include/linux/security.h +++ b/include/linux/security.h 
@@ -704,11 +704,6 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts) * @p contains the task_struct for the process and place is into @secid. * In case of failure, @secid will be set to zero. * - * @task_setgroups: - * Check permission before setting the supplementary group set of the - * current process. - * @group_info contains the new group information. - * Return 0 if permission is granted. * @task_setnice: * Check permission before setting the nice value of @p to @nice. * @p contains the task_struct of process. @@ -1518,7 +1513,6 @@ struct security_operations { int (*task_getpgid) (struct task_struct *p); int (*task_getsid) (struct task_struct *p); void (*task_getsecid) (struct task_struct *p, u32 *secid); - int (*task_setgroups) (struct group_info *group_info); int (*task_setnice) (struct task_struct *p, int nice); int (*task_setioprio) (struct task_struct *p, int ioprio); int (*task_getioprio) (struct task_struct *p); @@ -1773,7 +1767,6 @@ int security_task_setpgid(struct task_struct *p, pid_t pgid); int security_task_getpgid(struct task_struct *p); int security_task_getsid(struct task_struct *p); void security_task_getsecid(struct task_struct *p, u32 *secid); -int security_task_setgroups(struct group_info *group_info); int security_task_setnice(struct task_struct *p, int nice); int security_task_setioprio(struct task_struct *p, int ioprio); int security_task_getioprio(struct task_struct *p); @@ -2329,11 +2322,6 @@ static inline void security_task_getsecid(struct task_struct *p, u32 *secid) *secid = 0; } -static inline int security_task_setgroups(struct group_info *group_info) -{ - return 0; -} - static inline int security_task_setnice(struct task_struct *p, int nice) { return cap_task_setnice(p, nice); diff --git a/kernel/groups.c b/kernel/groups.c index 2b45b2ee3964..53b1916c9492 100644 --- a/kernel/groups.c +++ b/kernel/groups.c 
@@ -164,12 +164,6 @@ int groups_search(const struct group_info *group_info, gid_t grp) */ int set_groups(struct cred *new, struct group_info *group_info) { - int retval; - - retval = security_task_setgroups(group_info); - if (retval) - return retval; - put_group_info(new->group_info); groups_sort(group_info); get_group_info(group_info); diff --git a/security/capability.c b/security/capability.c index 66cd7453563f..247c04edd468 100644 --- a/security/capability.c +++ b/security/capability.c @@ -412,11 +412,6 @@ static void cap_task_getsecid(struct task_struct *p, u32 *secid) *secid = 0; } -static int cap_task_setgroups(struct group_info *group_info) -{ - return 0; -} - static int cap_task_getioprio(struct task_struct *p) { return 0; @@ -967,7 +962,6 @@ void security_fixup_ops(struct security_operations *ops) set_to_cap_if_null(ops, task_getpgid); set_to_cap_if_null(ops, task_getsid); set_to_cap_if_null(ops, task_getsecid); - set_to_cap_if_null(ops, task_setgroups); set_to_cap_if_null(ops, task_setnice); set_to_cap_if_null(ops, task_setioprio); set_to_cap_if_null(ops, task_getioprio); diff --git a/security/security.c b/security/security.c index 1e35dd669209..5cf9ca6890f6 100644 --- a/security/security.c +++ b/security/security.c @@ -759,11 +759,6 @@ void security_task_getsecid(struct task_struct *p, u32 *secid) } EXPORT_SYMBOL(security_task_getsecid); -int security_task_setgroups(struct group_info *group_info) -{ - return security_ops->task_setgroups(group_info); -} - int security_task_setnice(struct task_struct *p, int nice) { return security_ops->task_setnice(p, nice); -- cgit v1.2.3 From 05b90496f2f366b9d3eea468351888ddf010782a Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Wed, 7 Apr 2010 15:15:25 -0400 Subject: security: remove dead hook acct Unused hook. Remove. Signed-off-by: Eric Paris 
Signed-off-by: James Morris --- include/linux/security.h | 14 -------------- kernel/acct.c | 20 +++++--------------- security/capability.c | 6 ------ security/security.c | 5 ----- 4 files changed, 5 insertions(+), 40 deletions(-) (limited to 'kernel') diff --git a/include/linux/security.h b/include/linux/security.h index ac536eedec90..d670c9a3ec2b 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -1254,13 +1254,6 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts) * @cap contains the capability . * @audit: Whether to write an audit message or not * Return 0 if the capability is granted for @tsk. - * @acct: - * Check permission before enabling or disabling process accounting. If - * accounting is being enabled, then @file refers to the open file used to - * store accounting records. If accounting is being disabled, then @file - * is NULL. - * @file contains the file structure for the accounting file (may be NULL). - * Return 0 if permission is granted. * @sysctl: * Check permission before accessing the @table sysctl variable in the * manner specified by @op. @@ -1383,7 +1376,6 @@ struct security_operations { const kernel_cap_t *permitted); int (*capable) (struct task_struct *tsk, const struct cred *cred, int cap, int audit); - int (*acct) (struct file *file); int (*sysctl) (struct ctl_table *table, int op); int (*quotactl) (int cmds, int type, int id, struct super_block *sb); int (*quota_on) (struct dentry *dentry); @@ -1665,7 +1657,6 @@ int security_capset(struct cred *new, const struct cred *old, int security_capable(int cap); int security_real_capable(struct task_struct *tsk, int cap); int security_real_capable_noaudit(struct task_struct *tsk, int cap); -int security_acct(struct file *file); int security_sysctl(struct ctl_table *table, int op); int security_quotactl(int cmds, int type, int id, struct super_block *sb); int security_quota_on(struct dentry *dentry); 
@@ -1883,11 +1874,6 @@ int security_real_capable_noaudit(struct task_struct *tsk, int cap) return ret; } -static inline int security_acct(struct file *file) -{ - return 0; -} - static inline int security_sysctl(struct ctl_table *table, int op) { return 0; diff --git a/kernel/acct.c b/kernel/acct.c index 24f8c81fc48d..9e53bb2acfff 100644 --- a/kernel/acct.c +++ b/kernel/acct.c @@ -216,7 +216,6 @@ static int acct_on(char *name) { struct file *file; struct vfsmount *mnt; - int error; struct pid_namespace *ns; struct bsd_acct_struct *acct = NULL; @@ -244,13 +243,6 @@ static int acct_on(char *name) } } - error = security_acct(file); - if (error) { - kfree(acct); - filp_close(file, NULL); - return error; - } - spin_lock(&acct_lock); if (ns->bacct == NULL) { ns->bacct = acct; @@ -281,7 +273,7 @@ static int acct_on(char *name) */ SYSCALL_DEFINE1(acct, const char __user *, name) { - int error; + int error = 0; if (!capable(CAP_SYS_PACCT)) return -EPERM; @@ -299,13 +291,11 @@ SYSCALL_DEFINE1(acct, const char __user *, name) if (acct == NULL) return 0; - error = security_acct(NULL); - if (!error) { - spin_lock(&acct_lock); - acct_file_reopen(acct, NULL, NULL); - spin_unlock(&acct_lock); - } + spin_lock(&acct_lock); + acct_file_reopen(acct, NULL, NULL); + spin_unlock(&acct_lock); } + return error; } diff --git a/security/capability.c b/security/capability.c index 8cc2b8f3b166..7f093d573ede 100644 --- a/security/capability.c +++ b/security/capability.c @@ -12,11 +12,6 @@ #include -static int cap_acct(struct file *file) -{ - return 0; -} - static int cap_sysctl(ctl_table *table, int op) { return 0; @@ -865,7 +860,6 @@ void security_fixup_ops(struct security_operations *ops) set_to_cap_if_null(ops, ptrace_traceme); set_to_cap_if_null(ops, capget); set_to_cap_if_null(ops, capset); - set_to_cap_if_null(ops, acct); set_to_cap_if_null(ops, capable); set_to_cap_if_null(ops, quotactl); set_to_cap_if_null(ops, quota_on); 
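Review bot: In kernel/acct.c, once both `security_acct()` calls are gone, the `capable(CAP_SYS_PACCT)` test at the top of `SYSCALL_DEFINE1(acct, ...)` is the only permission check visible on the enable and disable paths, and nothing in the new code says so. I would add a comment above that check, e.g. `/* CAP_SYS_PACCT is the only gate for turning accounting on or off; no LSM hook is consulted. */`, so a later reader does not assume a MAC policy can mediate this syscall. The only implementation removed here is `cap_acct()`, which returned 0, so in-tree behaviour should be unchanged; an out-of-tree module that set `.acct` would stop building, which is presumably intended. Both `acct_on()` and the syscall body extend beyond the hunks shown, so any other checks there (for example on the accounting file itself) are not visible from here.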
diff --git a/security/security.c b/security/security.c index 490f77753b2d..8585019a1a59 100644 --- a/security/security.c +++ b/security/security.c @@ -190,11 +190,6 @@ int security_real_capable_noaudit(struct task_struct *tsk, int cap) return ret; } -int security_acct(struct file *file) -{ - return security_ops->acct(file); -} - int security_sysctl(struct ctl_table *table, int op) { return security_ops->sysctl(table, op); -- cgit v1.2.3