1 files changed, 53 insertions, 1 deletions
diff --git a/security/security.c b/security/security.c
index 4989fb65e662..e59a1e1514ee 100644
--- a/security/security.c
+++ b/security/security.c
@@ -169,6 +169,7 @@ static void __init lsm_set_blob_sizes(struct lsm_blob_sizes *needed)
        if (needed->lbs_inode && blob_sizes.lbs_inode == 0)
                blob_sizes.lbs_inode = sizeof(struct rcu_head);
        lsm_set_blob_size(&needed->lbs_inode, &blob_sizes.lbs_inode);
+        lsm_set_blob_size(&needed->lbs_task, &blob_sizes.lbs_task);
 }
 /* Prepare LSM for initialization. */
@@ -292,6 +293,7 @@ static void __init ordered_lsm_init(void)
        init_debug("cred blob size     = %d\n", blob_sizes.lbs_cred);
        init_debug("file blob size     = %d\n", blob_sizes.lbs_file);
        init_debug("inode blob size    = %d\n", blob_sizes.lbs_inode);
+        init_debug("task blob size     = %d\n", blob_sizes.lbs_task);
        /*
         * Create any kmem_caches needed for blobs
@@ -515,6 +517,46 @@ int lsm_inode_alloc(struct inode *inode)
        return 0;
 }
+/**
+ * lsm_task_alloc - allocate a composite task blob
+ * @task: the task that needs a blob
+ *
+ * Allocate the task blob for all the modules
+ *
+ * Returns 0, or -ENOMEM if memory can't be allocated.
+ */
+int lsm_task_alloc(struct task_struct *task)
+{
+        if (blob_sizes.lbs_task == 0) {
+                task->security = NULL;
+                return 0;
+        }
+        task->security = kzalloc(blob_sizes.lbs_task, GFP_KERNEL);
+        if (task->security == NULL)
+                return -ENOMEM;
+        return 0;
+}
+/**
+ * lsm_early_task - during initialization allocate a composite task blob
+ * @task: the task that needs a blob
+ *
+ * Allocate the task blob for all the modules if it's not already there
+ */
+void __init lsm_early_task(struct task_struct *task)
+{
+        int rc;
+        if (task == NULL)
+                panic("%s: task cred.\n", __func__);
+        if (task->security != NULL)
+                return;
+        rc = lsm_task_alloc(task);
+        if (rc)
+                panic("%s: Early task alloc failed.\n", __func__);
+}
 /*
 * Hook list operation macros.
 *
@@ -1359,12 +1401,22 @@ int security_file_open(struct file *file)
 int security_task_alloc(struct task_struct *task, unsigned long clone_flags)
 {
-        return call_int_hook(task_alloc, 0, task, clone_flags);
+        int rc = lsm_task_alloc(task);
+        if (rc)
+                return rc;
+        rc = call_int_hook(task_alloc, 0, task, clone_flags);
+        if (unlikely(rc))
+                security_task_free(task);
+        return rc;
 }
 void security_task_free(struct task_struct *task)
 {
        call_void_hook(task_free, task);
+        kfree(task->security);
+        task->security = NULL;
 }
 int security_cred_alloc_blank(struct cred *cred, gfp_t gfp)

diff --git a/security/security.c b/security/security.c index 4989fb65e662..e59a1e1514ee 100644 --- a/security/security.c +++ b/security/security.c
@@ -169,6 +169,7 @@ static void __init lsm_set_blob_sizes(struct lsm_blob_sizes *needed)
169	if (needed->lbs_inode && blob_sizes.lbs_inode == 0)	169	if (needed->lbs_inode && blob_sizes.lbs_inode == 0)
170	blob_sizes.lbs_inode = sizeof(struct rcu_head);	170	blob_sizes.lbs_inode = sizeof(struct rcu_head);
171	lsm_set_blob_size(&needed->lbs_inode, &blob_sizes.lbs_inode);	171	lsm_set_blob_size(&needed->lbs_inode, &blob_sizes.lbs_inode);
		172	lsm_set_blob_size(&needed->lbs_task, &blob_sizes.lbs_task);
172	}	173	}
173		174
174	/* Prepare LSM for initialization. */	175	/* Prepare LSM for initialization. */
@@ -292,6 +293,7 @@ static void __init ordered_lsm_init(void)
292	init_debug("cred blob size = %d\n", blob_sizes.lbs_cred);	293	init_debug("cred blob size = %d\n", blob_sizes.lbs_cred);
293	init_debug("file blob size = %d\n", blob_sizes.lbs_file);	294	init_debug("file blob size = %d\n", blob_sizes.lbs_file);
294	init_debug("inode blob size = %d\n", blob_sizes.lbs_inode);	295	init_debug("inode blob size = %d\n", blob_sizes.lbs_inode);
		296	init_debug("task blob size = %d\n", blob_sizes.lbs_task);
295		297
296	/*	298	/*
297	* Create any kmem_caches needed for blobs	299	* Create any kmem_caches needed for blobs
@@ -515,6 +517,46 @@ int lsm_inode_alloc(struct inode *inode)
515	return 0;	517	return 0;
516	}	518	}
517		519
		520	/**
		521	* lsm_task_alloc - allocate a composite task blob
		522	* @task: the task that needs a blob
		523	*
		524	* Allocate the task blob for all the modules
		525	*
		526	* Returns 0, or -ENOMEM if memory can't be allocated.
		527	*/
		528	int lsm_task_alloc(struct task_struct *task)
		529	{
		530	if (blob_sizes.lbs_task == 0) {
		531	task->security = NULL;
		532	return 0;
		533	}
		534
		535	task->security = kzalloc(blob_sizes.lbs_task, GFP_KERNEL);
		536	if (task->security == NULL)
		537	return -ENOMEM;
		538	return 0;
		539	}
		540
		541	/**
		542	* lsm_early_task - during initialization allocate a composite task blob
		543	* @task: the task that needs a blob
		544	*
		545	* Allocate the task blob for all the modules if it's not already there
		546	*/
		547	void __init lsm_early_task(struct task_struct *task)
		548	{
		549	int rc;
		550
		551	if (task == NULL)
		552	panic("%s: task cred.\n", __func__);
		553	if (task->security != NULL)
		554	return;
		555	rc = lsm_task_alloc(task);
		556	if (rc)
		557	panic("%s: Early task alloc failed.\n", __func__);
		558	}
		559
518	/*	560	/*
519	* Hook list operation macros.	561	* Hook list operation macros.
520	*	562	*
@@ -1359,12 +1401,22 @@ int security_file_open(struct file *file)
1359		1401
1360	int security_task_alloc(struct task_struct *task, unsigned long clone_flags)	1402	int security_task_alloc(struct task_struct *task, unsigned long clone_flags)
1361	{	1403	{
1362	return call_int_hook(task_alloc, 0, task, clone_flags);	1404	int rc = lsm_task_alloc(task);
		1405
		1406	if (rc)
		1407	return rc;
		1408	rc = call_int_hook(task_alloc, 0, task, clone_flags);
		1409	if (unlikely(rc))
		1410	security_task_free(task);
		1411	return rc;
1363	}	1412	}
1364		1413
1365	void security_task_free(struct task_struct *task)	1414	void security_task_free(struct task_struct *task)
1366	{	1415	{
1367	call_void_hook(task_free, task);	1416	call_void_hook(task_free, task);
		1417
		1418	kfree(task->security);
		1419	task->security = NULL;
1368	}	1420	}
1369		1421
1370	int security_cred_alloc_blank(struct cred *cred, gfp_t gfp)	1422	int security_cred_alloc_blank(struct cred *cred, gfp_t gfp)