Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 6d6f3328 authored by Tetsuo Handa's avatar Tetsuo Handa Committed by James Morris
Browse files

commoncap: don't alloc the credential unless needed in cap_task_prctl 



In function cap_task_prctl(), we would allocate a credential
unconditionally and then check if we support the requested function.
If not we would release this credential with abort_creds() by using
RCU method. But on some archs such as powerpc, the sys_prctl is heavily
used to get/set the floating point exception mode. So the unnecessary
allocating/releasing of credential not only introduce runtime overhead
but also do cause OOM due to the RCU implementation.

This patch removes abort_creds() from cap_task_prctl() by calling
prepare_creds() only when we need to modify it.

Reported-by: default avatarKevin Hao <haokexin@gmail.com>
Signed-off-by: default avatarTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Reviewed-by: default avatarPaul Moore <paul@paul-moore.com>
Acked-by: default avatarSerge E. Hallyn <serge.hallyn@ubuntu.com>
Reviewed-by: default avatarKees Cook <keescook@chromium.org>
Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
parent fd33c436

security/commoncap.c

+30 −42
Original line number Diff line number Diff line
@@ -822,15 +822,20 @@ int cap_task_setnice(struct task_struct *p, int nice) 
 * Implement PR_CAPBSET_DROP.  Attempt to remove the specified capability from

 * the current task's bounding set.  Returns 0 on success, -ve on error.

 */

static long cap_prctl_drop(struct cred *new, unsigned long cap)

static int cap_prctl_drop(unsigned long cap)

{

	struct cred *new;



	if (!ns_capable(current_user_ns(), CAP_SETPCAP))

		return -EPERM;

	if (!cap_valid(cap))

		return -EINVAL;



	new = prepare_creds();

	if (!new)

		return -ENOMEM;

	cap_lower(new->cap_bset, cap);

	return 0;

	return commit_creds(new);

}



/**
@@ -848,26 +853,17 @@ static long cap_prctl_drop(struct cred *new, unsigned long cap) 
int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,

		   unsigned long arg4, unsigned long arg5)

{

	const struct cred *old = current_cred();

	struct cred *new;

	long error = 0;



	new = prepare_creds();

	if (!new)

		return -ENOMEM;



	switch (option) {

	case PR_CAPBSET_READ:

		error = -EINVAL;

		if (!cap_valid(arg2))

			goto error;

		error = !!cap_raised(new->cap_bset, arg2);

		goto no_change;

			return -EINVAL;

		return !!cap_raised(old->cap_bset, arg2);



	case PR_CAPBSET_DROP:

		error = cap_prctl_drop(new, arg2);

		if (error < 0)

			goto error;

		goto changed;

		return cap_prctl_drop(arg2);



	/*

	 * The next four prctl's remain to assist with transitioning a
@@ -889,10 +885,9 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3, 
	 * capability-based-privilege environment.

	 */

	case PR_SET_SECUREBITS:

		error = -EPERM;

		if ((((new->securebits & SECURE_ALL_LOCKS) >> 1)

		     & (new->securebits ^ arg2))			/*[1]*/

		    || ((new->securebits & SECURE_ALL_LOCKS & ~arg2))	/*[2]*/

		if ((((old->securebits & SECURE_ALL_LOCKS) >> 1)

		     & (old->securebits ^ arg2))			/*[1]*/

		    || ((old->securebits & SECURE_ALL_LOCKS & ~arg2))	/*[2]*/

		    || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS))	/*[3]*/

		    || (cap_capable(current_cred(),

				    current_cred()->user_ns, CAP_SETPCAP,
@@ -906,46 +901,39 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3, 
			 */

		    )

			/* cannot change a locked bit */

			goto error;

			return -EPERM;



		new = prepare_creds();

		if (!new)

			return -ENOMEM;

		new->securebits = arg2;

		goto changed;

		return commit_creds(new);



	case PR_GET_SECUREBITS:

		error = new->securebits;

		goto no_change;

		return old->securebits;



	case PR_GET_KEEPCAPS:

		if (issecure(SECURE_KEEP_CAPS))

			error = 1;

		goto no_change;

		return !!issecure(SECURE_KEEP_CAPS);



	case PR_SET_KEEPCAPS:

		error = -EINVAL;

		if (arg2 > 1) /* Note, we rely on arg2 being unsigned here */

			goto error;

		error = -EPERM;

			return -EINVAL;

		if (issecure(SECURE_KEEP_CAPS_LOCKED))

			goto error;

			return -EPERM;



		new = prepare_creds();

		if (!new)

			return -ENOMEM;

		if (arg2)

			new->securebits |= issecure_mask(SECURE_KEEP_CAPS);

		else

			new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS);

		goto changed;

		return commit_creds(new);



	default:

		/* No functionality available - continue with default */

		error = -ENOSYS;

		goto error;

		return -ENOSYS;

	}



	/* Functionality provided */

changed:

	return commit_creds(new);



no_change:

error:

	abort_creds(new);

	return error;

}



/**