From 5678d87ea4726e607185d9ff7ab838ffa6ce2fec Mon Sep 17 00:00:00 2001 From: Casey Schaufler Date: Fri, 21 Sep 2018 17:17:25 -0700 Subject: [PATCH] UPSTREAM: SELinux: Remove cred security blob poisoning The SELinux specific credential poisioning only makes sense if SELinux is managing the credentials. As the intent of this patch set is to move the blob management out of the modules and into the infrastructure, the SELinux specific code has to go. The poisioning could be introduced into the infrastructure at some later date. Change-Id: I815715bc05f62f5011f269b7e10c3059697a47a2 Signed-off-by: Casey Schaufler Reviewed-by: Kees Cook Signed-off-by: Kees Cook --- kernel/cred.c | 13 ------------- security/selinux/hooks.c | 6 ------ 2 files changed, 19 deletions(-) diff --git a/kernel/cred.c b/kernel/cred.c index a9f0f8b21d8c..ec0413389723 100644 --- a/kernel/cred.c +++ b/kernel/cred.c @@ -730,19 +730,6 @@ bool creds_are_invalid(const struct cred *cred) { if (cred->magic != CRED_MAGIC) return true; -#ifdef CONFIG_SECURITY_SELINUX - /* - * cred->security == NULL if security_cred_alloc_blank() or - * security_prepare_creds() returned an error. - */ - if (selinux_is_enabled() && cred->security) { - if ((unsigned long) cred->security < PAGE_SIZE) - return true; - if ((*(u32 *)cred->security & 0xffffff00) == - (POISON_FREE << 24 | POISON_FREE << 16 | POISON_FREE << 8)) - return true; - } -#endif return false; } EXPORT_SYMBOL(creds_are_invalid); diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 6224ebcb4792..80a9b8788e33 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -4045,12 +4045,6 @@ static void selinux_cred_free(struct cred *cred) { struct task_security_struct *tsec = cred->security; - /* - * cred->security == NULL if security_cred_alloc_blank() or - * security_prepare_creds() returned an error. - */ - BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE); - cred->security = (void *) 0x7UL; kfree(tsec); }