--- zzzz-none-000/linux-3.10.107/security/yama/yama_lsm.c 2017-06-27 09:49:32.000000000 +0000
+++ scorpion-7490-727/linux-3.10.107/security/yama/yama_lsm.c 2021-02-04 17:41:59.000000000 +0000
@@ -12,7 +12,7 @@
  *
  */
-#include
+#include
 #include
 #include
 #include
@@ -154,13 +154,9 @@
 int yama_task_prctl(int option, unsigned long arg2, unsigned long arg3,
 unsigned long arg4, unsigned long arg5)
 {
- int rc;
+ int rc = -ENOSYS;
 struct task_struct *myself = current;

- rc = cap_task_prctl(option, arg2, arg3, arg4, arg5);
- if (rc != -ENOSYS)
- return rc;
-
 switch (option) {
 case PR_SET_PTRACER:
 /* Since a thread can call prctl(), find the group leader
@@ -279,17 +275,10 @@
  *
  * Returns 0 if following the ptrace is allowed, -ve on error.
  */
-int yama_ptrace_access_check(struct task_struct *child,
+static int yama_ptrace_access_check(struct task_struct *child,
 unsigned int mode)
 {
- int rc;
-
- /* If standard caps disallows it, so does Yama. We should
- * only tighten restrictions further.
- */
- rc = cap_ptrace_access_check(child, mode);
- if (rc)
- return rc;
+ int rc = 0;

 /* require ptrace target be a child of ptracer on attach */
 if (mode & PTRACE_MODE_ATTACH) {
@@ -335,14 +324,7 @@
  */
 int yama_ptrace_traceme(struct task_struct *parent)
 {
- int rc;
-
- /* If standard caps disallows it, so does Yama. We should
- * only tighten restrictions further.
- */
- rc = cap_ptrace_traceme(parent);
- if (rc)
- return rc;
+ int rc = 0;

 /* Only disallow PTRACE_TRACEME on more aggressive settings. */
 switch (ptrace_scope) {
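Review bot: With the cap_task_prctl() call gone, `int rc = -ENOSYS;` is now the only thing telling the LSM core that Yama did not handle an option, and nothing in the function says so; a comment on that line such as `/* -ENOSYS: option not handled here, the LSM core moves on to the next hook */` would keep the contract visible. Whether the core really treats -ENOSYS as "unhandled" depends on the security_task_prctl() dispatcher in this tree, which the diff does not show, so that is worth confirming, as is that the capability hooks are now run by the core ahead of Yama so that Yama still only tightens. yama_task_prctl is also left with external linkage while yama_ptrace_access_check in the next hunk becomes static; with yama_ops and CONFIG_SECURITY_YAMA_STACKED removed there should be no external caller left, so `static int yama_task_prctl(int option, unsigned long arg2, unsigned long arg3,` would be consistent, and the same applies to yama_ptrace_traceme in the fourth hunk. The body of yama_task_prctl continues past the hunk.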
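Review bot: The comment explaining that the capability check runs first and Yama only ever tightens is deleted together with the cap_ptrace_access_check() call, but the invariant still matters: it now rests on the LSM core invoking the capability hooks before yama_hooks, which is not visible here. Keeping a one-line note above `int rc = 0;`, e.g. `/* Capability checks run from the LSM core before this hook; Yama only adds restrictions. */`, would stop a future reader from assuming this hook is the whole access decision. The same comment belongs in yama_ptrace_traceme in the following hunk, where the identical text was removed. The body of yama_ptrace_access_check continues outside the hunk.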
@@ -364,35 +346,28 @@
 return rc;
 }

-#ifndef CONFIG_SECURITY_YAMA_STACKED
-static struct security_operations yama_ops = {
- .name = "yama",
-
- .ptrace_access_check = yama_ptrace_access_check,
- .ptrace_traceme = yama_ptrace_traceme,
- .task_prctl = yama_task_prctl,
- .task_free = yama_task_free,
+static struct security_hook_list yama_hooks[] = {
+ LSM_HOOK_INIT(ptrace_access_check, yama_ptrace_access_check),
+ LSM_HOOK_INIT(ptrace_traceme, yama_ptrace_traceme),
+ LSM_HOOK_INIT(task_prctl, yama_task_prctl),
+ LSM_HOOK_INIT(task_free, yama_task_free),
 };
-#endif

 #ifdef CONFIG_SYSCTL
 static int yama_dointvec_minmax(struct ctl_table *table, int write,
 void __user *buffer, size_t *lenp, loff_t *ppos)
 {
- int rc;
+ struct ctl_table table_copy;

 if (write && !capable(CAP_SYS_PTRACE))
 return -EPERM;

- rc = proc_dointvec_minmax(table, write, buffer, lenp, ppos);
- if (rc)
- return rc;
-
 /* Lock the max value if it ever gets set. */
- if (write && *(int *)table->data == *(int *)table->extra2)
- table->extra1 = table->extra2;
+ table_copy = *table;
+ if (*(int *)table_copy.data == *(int *)table_copy.extra2)
+ table_copy.extra1 = table_copy.extra2;

- return rc;
+ return proc_dointvec_minmax(&table_copy, write, buffer, lenp, ppos);
 }

 static int zero;
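Review bot: yama_dointvec_minmax() decides `table_copy.extra1 = table_copy.extra2` from an unsynchronized read of `*(int *)table_copy.data` taken before proc_dointvec_minmax() performs the write, so two writers racing through this function could both observe the pre-lock value and one of them could still lower the scope after the other raised it to the maximum; that window existed in the old code too and is not addressed by this change. Working on a copy is the right fix for the old code mutating extra1 of the shared static ctl_table, and a short comment above `table_copy = *table;`, e.g. `/* operate on a copy so the shared table is never modified */`, would record why the copy exists. The lock-in now only takes effect from the call after the one that stores the maximum, which still works because that later call sees data == extra2, but the commit message should state it.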
@@ -416,28 +391,18 @@
 },
 { }
 };
-#endif /* CONFIG_SYSCTL */
-
-static __init int yama_init(void)
+static void __init yama_init_sysctl(void)
 {
-#ifndef CONFIG_SECURITY_YAMA_STACKED
- if (!security_module_enable(&yama_ops))
- return 0;
-#endif
-
- printk(KERN_INFO "Yama: becoming mindful.\n");
-
-#ifndef CONFIG_SECURITY_YAMA_STACKED
- if (register_security(&yama_ops))
- panic("Yama: kernel registration failed.\n");
-#endif
-
-#ifdef CONFIG_SYSCTL
 if (!register_sysctl_paths(yama_sysctl_path, yama_sysctl_table))
 panic("Yama: sysctl registration failed.\n");
-#endif
-
- return 0;
 }
+#else
+static inline void yama_init_sysctl(void) { }
+#endif /* CONFIG_SYSCTL */

-security_initcall(yama_init);
+void __init yama_add_hooks(void)
+{
+ pr_info("Yama: becoming mindful.\n");
+ security_add_hooks(yama_hooks, ARRAY_SIZE(yama_hooks));
+ yama_init_sysctl();
+}
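Review bot: yama_add_hooks() is a new function with external linkage, no prototype in this diff and no caller, and the security_initcall(yama_init) that used to register Yama is removed; unless the same series declares it in the shared LSM header and calls it from the core's security init, Yama is built but never registers and every hook silently stops applying. Dropping the `security_module_enable(&yama_ops)` gate also changes policy: presumably Yama was previously skipped unless selected as the active LSM (or built stacked), whereas now it hooks unconditionally whenever it is compiled in, which deserves a comment above `security_add_hooks(yama_hooks, ARRAY_SIZE(yama_hooks));` and a sentence in the commit message. yama_init_sysctl() still panics on sysctl registration failure, so the `pr_info` before it is printed even when boot then fails; harmless, but worth knowing when reading logs.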