
Unverified Commit f2ee0b1f authored by Alexander Grund's avatar Alexander Grund Committed by GitHub

Merge pull request #15 from Flamefire/android-updates

Cherry-pick updates from Google Android kernel repo
parents 6656bc3c 7132da26
+9 −6
@@ -552,6 +552,7 @@ struct binder_proc {
	struct task_struct *tsk;
	struct files_struct *files;
	struct mutex files_lock;
	const struct cred *cred;
	struct hlist_node deferred_work_node;
	int deferred_work;
	bool is_dead;
@@ -2503,7 +2504,7 @@ static int binder_translate_binder(struct flat_binder_object *fp,
		ret = -EINVAL;
		goto done;
	}
	if (security_binder_transfer_binder(proc->tsk, target_proc->tsk)) {
	if (security_binder_transfer_binder(proc->cred, target_proc->cred)) {
		ret = -EPERM;
		goto done;
	}
@@ -2549,7 +2550,7 @@ static int binder_translate_handle(struct flat_binder_object *fp,
				  proc->pid, thread->pid, fp->handle);
		return -EINVAL;
	}
	if (security_binder_transfer_binder(proc->tsk, target_proc->tsk)) {
	if (security_binder_transfer_binder(proc->cred, target_proc->cred)) {
		ret = -EPERM;
		goto done;
	}
@@ -2633,7 +2634,7 @@ static int binder_translate_fd(int fd,
		ret = -EBADF;
		goto err_fget;
	}
	ret = security_binder_transfer_file(proc->tsk, target_proc->tsk, file);
	ret = security_binder_transfer_file(proc->cred, target_proc->cred, file);
	if (ret < 0) {
		ret = -EPERM;
		goto err_security;
@@ -3024,8 +3025,8 @@ static void binder_transaction(struct binder_proc *proc,
			return_error_line = __LINE__;
			goto err_invalid_target_handle;
		}
		if (security_binder_transaction(proc->tsk,
						target_proc->tsk) < 0) {
		if (security_binder_transaction(proc->cred,
						target_proc->cred) < 0) {
			return_error = BR_FAILED_REPLY;
			return_error_param = -EPERM;
			return_error_line = __LINE__;
@@ -4555,6 +4556,7 @@ static void binder_free_proc(struct binder_proc *proc)
	BUG_ON(!list_empty(&proc->delivered_death));
	binder_alloc_deferred_release(&proc->alloc);
	put_task_struct(proc->tsk);
	put_cred(proc->cred);
	binder_stats_deleted(BINDER_STAT_PROC);
	kfree(proc);
}
@@ -4757,7 +4759,7 @@ static int binder_ioctl_set_ctx_mgr(struct file *filp,
		ret = -EBUSY;
		goto out;
	}
	ret = security_binder_set_context_mgr(proc->tsk);
	ret = security_binder_set_context_mgr(proc->cred);
	if (ret < 0)
		goto out;
	if (uid_valid(context->binder_context_mgr_uid)) {
@@ -5078,6 +5080,7 @@ static int binder_open(struct inode *nodp, struct file *filp)
	atomic_set(&proc->tmp_ref, 0);
	get_task_struct(current->group_leader);
	proc->tsk = current->group_leader;
	proc->cred = get_cred(filp->f_cred);
	mutex_init(&proc->files_lock);
	INIT_LIST_HEAD(&proc->todo);
	if (binder_supported_policy(current->policy)) {
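Review bot: The new `cred` member of `struct binder_proc` is added without a comment, so nothing at the field says whose credentials it holds or who drops the reference. From the `binder_open()` hunk it is the opener's `filp->f_cred`, pinned with `get_cred()` and released by `put_cred()` in `binder_free_proc()`, which means the LSM checks now run against the identity that opened the device rather than the task's credentials at call time. That is worth stating at the field, e.g. `/* opener's creds from filp->f_cred; held from binder_open() until binder_free_proc() */`. `binder_open()` continues outside the hunk: if it has a failure path after the `get_cred()` that frees `proc` without going through `binder_free_proc()`, that path would also need `put_cred(proc->cred)`.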
+16 −16
@@ -1121,22 +1121,22 @@
 *
 * @binder_set_context_mgr
 *	Check whether @mgr is allowed to be the binder context manager.
 *	@mgr contains the task_struct for the task being registered.
 *	@mgr contains the struct cred for the current binder process.
 *	Return 0 if permission is granted.
 * @binder_transaction
 *	Check whether @from is allowed to invoke a binder transaction call
 *	to @to.
 *	@from contains the task_struct for the sending task.
 *	@to contains the task_struct for the receiving task.
 * @binder_transfer_binder
 *	@from contains the struct cred for the sending process.
 *	@to contains the struct cred for the receiving process.
 * @binder_transfer_binder:
 *	Check whether @from is allowed to transfer a binder reference to @to.
 *	@from contains the task_struct for the sending task.
 *	@to contains the task_struct for the receiving task.
 * @binder_transfer_file
 *	@from contains the struct cred for the sending process.
 *	@to contains the struct cred for the receiving process.
 * @binder_transfer_file:
 *	Check whether @from is allowed to transfer @file to @to.
 *	@from contains the task_struct for the sending task.
 *	@from contains the struct cred for the sending process.
 *	@file contains the struct file being transferred.
 *	@to contains the task_struct for the receiving task.
 *	@to contains the struct cred for the receiving process.
 *
 * @ptrace_access_check:
 *	Check permission before allowing the current process to trace the
@@ -1301,13 +1301,13 @@
 */

union security_list_options {
	int (*binder_set_context_mgr)(struct task_struct *mgr);
	int (*binder_transaction)(struct task_struct *from,
					struct task_struct *to);
	int (*binder_transfer_binder)(struct task_struct *from,
					struct task_struct *to);
	int (*binder_transfer_file)(struct task_struct *from,
					struct task_struct *to,
	int (*binder_set_context_mgr)(const struct cred *mgr);
	int (*binder_transaction)(const struct cred *from,
					const struct cred *to);
	int (*binder_transfer_binder)(const struct cred *from,
					const struct cred *to);
	int (*binder_transfer_file)(const struct cred *from,
					const struct cred *to,
					struct file *file);

	int (*ptrace_access_check)(struct task_struct *child,
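Review bot: Changing the four binder hook types in `union security_list_options` from `struct task_struct *` to `const struct cred *` is only safe if every registered handler is converted in the same commit, and no LSM implementation is visible on this page. A handler left with the old prototype would presumably show up only as an incompatible-pointer-type warning at its `LSM_HOOK_INIT` site and would then treat a cred pointer as a task, so the binder handlers of each enabled LSM should be checked. In the kernel-doc above, `@binder_set_context_mgr` and `@binder_transaction` still lack the trailing colon that the other two entries now carry; `@binder_set_context_mgr:` and `@binder_transaction:` would make the block consistent.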
+14 −14
@@ -183,13 +183,13 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
extern int security_init(void);

/* Security operations */
int security_binder_set_context_mgr(struct task_struct *mgr);
int security_binder_transaction(struct task_struct *from,
				struct task_struct *to);
int security_binder_transfer_binder(struct task_struct *from,
				    struct task_struct *to);
int security_binder_transfer_file(struct task_struct *from,
				  struct task_struct *to, struct file *file);
int security_binder_set_context_mgr(const struct cred *mgr);
int security_binder_transaction(const struct cred *from,
				const struct cred *to);
int security_binder_transfer_binder(const struct cred *from,
				    const struct cred *to);
int security_binder_transfer_file(const struct cred *from,
				  const struct cred *to, struct file *file);
int security_ptrace_access_check(struct task_struct *child, unsigned int mode);
int security_ptrace_traceme(struct task_struct *parent);
int security_capget(struct task_struct *target,
@@ -380,25 +380,25 @@ static inline int security_init(void)
	return 0;
}

static inline int security_binder_set_context_mgr(struct task_struct *mgr)
static inline int security_binder_set_context_mgr(const struct cred *mgr)
{
	return 0;
}

static inline int security_binder_transaction(struct task_struct *from,
					      struct task_struct *to)
static inline int security_binder_transaction(const struct cred *from,
					      const struct cred *to)
{
	return 0;
}

static inline int security_binder_transfer_binder(struct task_struct *from,
						  struct task_struct *to)
static inline int security_binder_transfer_binder(const struct cred *from,
						  const struct cred *to)
{
	return 0;
}

static inline int security_binder_transfer_file(struct task_struct *from,
						struct task_struct *to,
static inline int security_binder_transfer_file(const struct cred *from,
						const struct cred *to,
						struct file *file)
{
	return 0;
+4 −0
@@ -502,6 +502,10 @@ static void __gre_xmit(struct sk_buff *skb, struct net_device *dev,
static struct sk_buff *gre_handle_offloads(struct sk_buff *skb,
					   bool csum)
{
	unsigned char *skb_checksum_start = skb->head + skb->csum_start;

	if (csum && skb_checksum_start < skb->data)
		return ERR_PTR(-EINVAL);
	return iptunnel_handle_offloads(skb, csum,
					csum ? SKB_GSO_GRE_CSUM : SKB_GSO_GRE);
}
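Review bot: The added check in `gre_handle_offloads()` reads `skb->csum_start` for every packet with `csum` set, but that field is only meaningful when `skb->ip_summed == CHECKSUM_PARTIAL`. For other packets it shares storage with the computed checksum value, so valid traffic can be rejected with -EINVAL. Gating the test keeps the bounds check for the case it targets: `if (csum && skb->ip_summed == CHECKSUM_PARTIAL && skb_checksum_start < skb->data)`. The early `return ERR_PTR(-EINVAL)` also returns without freeing `skb`; the callers are not in this hunk, so confirm that they free the buffer on an error return rather than assuming `iptunnel_handle_offloads()` already did.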
+7 −7
@@ -130,25 +130,25 @@ int __init security_module_enable(const char *module)

/* Security operations */

int security_binder_set_context_mgr(struct task_struct *mgr)
int security_binder_set_context_mgr(const struct cred *mgr)
{
	return call_int_hook(binder_set_context_mgr, 0, mgr);
}

int security_binder_transaction(struct task_struct *from,
				struct task_struct *to)
int security_binder_transaction(const struct cred *from,
				const struct cred *to)
{
	return call_int_hook(binder_transaction, 0, from, to);
}

int security_binder_transfer_binder(struct task_struct *from,
				    struct task_struct *to)
int security_binder_transfer_binder(const struct cred *from,
				    const struct cred *to)
{
	return call_int_hook(binder_transfer_binder, 0, from, to);
}

int security_binder_transfer_file(struct task_struct *from,
				  struct task_struct *to, struct file *file)
int security_binder_transfer_file(const struct cred *from,
				  const struct cred *to, struct file *file)
{
	return call_int_hook(binder_transfer_file, 0, from, to, file);
}