diff options
author | David Howells <dhowells@redhat.com> | 2008-11-13 18:39:16 -0500 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2008-11-13 18:39:16 -0500 |
commit | b6dff3ec5e116e3af6f537d4caedcad6b9e5082a (patch) | |
tree | 9e76f972eb7ce9b84e0146c8e4126a3f86acb428 | |
parent | 15a2460ed0af7538ca8e6c610fe607a2cd9da142 (diff) |
CRED: Separate task security context from task_struct
Separate the task security context from task_struct. At this point, the
security data is temporarily embedded in the task_struct with two pointers
pointing to it.
Note that the Alpha arch is altered as it refers to (E)UID and (E)GID in
entry.S via asm-offsets.
With comment fixes Signed-off-by: Marc Dionne <marc.c.dionne@gmail.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
63 files changed, 832 insertions, 677 deletions
diff --git a/arch/alpha/kernel/asm-offsets.c b/arch/alpha/kernel/asm-offsets.c index 4b18cd94d59d..6ff8886e7e22 100644 --- a/arch/alpha/kernel/asm-offsets.c +++ b/arch/alpha/kernel/asm-offsets.c | |||
@@ -19,15 +19,18 @@ void foo(void) | |||
19 | BLANK(); | 19 | BLANK(); |
20 | 20 | ||
21 | DEFINE(TASK_BLOCKED, offsetof(struct task_struct, blocked)); | 21 | DEFINE(TASK_BLOCKED, offsetof(struct task_struct, blocked)); |
22 | DEFINE(TASK_UID, offsetof(struct task_struct, uid)); | 22 | DEFINE(TASK_CRED, offsetof(struct task_struct, cred)); |
23 | DEFINE(TASK_EUID, offsetof(struct task_struct, euid)); | ||
24 | DEFINE(TASK_GID, offsetof(struct task_struct, gid)); | ||
25 | DEFINE(TASK_EGID, offsetof(struct task_struct, egid)); | ||
26 | DEFINE(TASK_REAL_PARENT, offsetof(struct task_struct, real_parent)); | 23 | DEFINE(TASK_REAL_PARENT, offsetof(struct task_struct, real_parent)); |
27 | DEFINE(TASK_GROUP_LEADER, offsetof(struct task_struct, group_leader)); | 24 | DEFINE(TASK_GROUP_LEADER, offsetof(struct task_struct, group_leader)); |
28 | DEFINE(TASK_TGID, offsetof(struct task_struct, tgid)); | 25 | DEFINE(TASK_TGID, offsetof(struct task_struct, tgid)); |
29 | BLANK(); | 26 | BLANK(); |
30 | 27 | ||
28 | DEFINE(CRED_UID, offsetof(struct cred, uid)); | ||
29 | DEFINE(CRED_EUID, offsetof(struct cred, euid)); | ||
30 | DEFINE(CRED_GID, offsetof(struct cred, gid)); | ||
31 | DEFINE(CRED_EGID, offsetof(struct cred, egid)); | ||
32 | BLANK(); | ||
33 | |||
31 | DEFINE(SIZEOF_PT_REGS, sizeof(struct pt_regs)); | 34 | DEFINE(SIZEOF_PT_REGS, sizeof(struct pt_regs)); |
32 | DEFINE(PT_PTRACED, PT_PTRACED); | 35 | DEFINE(PT_PTRACED, PT_PTRACED); |
33 | DEFINE(CLONE_VM, CLONE_VM); | 36 | DEFINE(CLONE_VM, CLONE_VM); |
diff --git a/arch/alpha/kernel/entry.S b/arch/alpha/kernel/entry.S index 5fc61e281ac7..f77345bc66a9 100644 --- a/arch/alpha/kernel/entry.S +++ b/arch/alpha/kernel/entry.S | |||
@@ -850,8 +850,9 @@ osf_getpriority: | |||
850 | sys_getxuid: | 850 | sys_getxuid: |
851 | .prologue 0 | 851 | .prologue 0 |
852 | ldq $2, TI_TASK($8) | 852 | ldq $2, TI_TASK($8) |
853 | ldl $0, TASK_UID($2) | 853 | ldq $3, TASK_CRED($2) |
854 | ldl $1, TASK_EUID($2) | 854 | ldl $0, CRED_UID($3) |
855 | ldl $1, CRED_EUID($3) | ||
855 | stq $1, 80($sp) | 856 | stq $1, 80($sp) |
856 | ret | 857 | ret |
857 | .end sys_getxuid | 858 | .end sys_getxuid |
@@ -862,8 +863,9 @@ sys_getxuid: | |||
862 | sys_getxgid: | 863 | sys_getxgid: |
863 | .prologue 0 | 864 | .prologue 0 |
864 | ldq $2, TI_TASK($8) | 865 | ldq $2, TI_TASK($8) |
865 | ldl $0, TASK_GID($2) | 866 | ldq $3, TASK_CRED($2) |
866 | ldl $1, TASK_EGID($2) | 867 | ldl $0, CRED_GID($3) |
868 | ldl $1, CRED_EGID($3) | ||
867 | stq $1, 80($sp) | 869 | stq $1, 80($sp) |
868 | ret | 870 | ret |
869 | .end sys_getxgid | 871 | .end sys_getxgid |
diff --git a/arch/ia64/ia32/sys_ia32.c b/arch/ia64/ia32/sys_ia32.c index 5e92ae00bdbb..2445a9d3488e 100644 --- a/arch/ia64/ia32/sys_ia32.c +++ b/arch/ia64/ia32/sys_ia32.c | |||
@@ -1772,20 +1772,20 @@ sys32_getgroups16 (int gidsetsize, short __user *grouplist) | |||
1772 | if (gidsetsize < 0) | 1772 | if (gidsetsize < 0) |
1773 | return -EINVAL; | 1773 | return -EINVAL; |
1774 | 1774 | ||
1775 | get_group_info(current->group_info); | 1775 | get_group_info(current->cred->group_info); |
1776 | i = current->group_info->ngroups; | 1776 | i = current->cred->group_info->ngroups; |
1777 | if (gidsetsize) { | 1777 | if (gidsetsize) { |
1778 | if (i > gidsetsize) { | 1778 | if (i > gidsetsize) { |
1779 | i = -EINVAL; | 1779 | i = -EINVAL; |
1780 | goto out; | 1780 | goto out; |
1781 | } | 1781 | } |
1782 | if (groups16_to_user(grouplist, current->group_info)) { | 1782 | if (groups16_to_user(grouplist, current->cred->group_info)) { |
1783 | i = -EFAULT; | 1783 | i = -EFAULT; |
1784 | goto out; | 1784 | goto out; |
1785 | } | 1785 | } |
1786 | } | 1786 | } |
1787 | out: | 1787 | out: |
1788 | put_group_info(current->group_info); | 1788 | put_group_info(current->cred->group_info); |
1789 | return i; | 1789 | return i; |
1790 | } | 1790 | } |
1791 | 1791 | ||
diff --git a/arch/mips/kernel/kspd.c b/arch/mips/kernel/kspd.c index b0591ae0ce56..fd6e51224034 100644 --- a/arch/mips/kernel/kspd.c +++ b/arch/mips/kernel/kspd.c | |||
@@ -174,8 +174,8 @@ static unsigned int translate_open_flags(int flags) | |||
174 | 174 | ||
175 | static void sp_setfsuidgid( uid_t uid, gid_t gid) | 175 | static void sp_setfsuidgid( uid_t uid, gid_t gid) |
176 | { | 176 | { |
177 | current->fsuid = uid; | 177 | current->cred->fsuid = uid; |
178 | current->fsgid = gid; | 178 | current->cred->fsgid = gid; |
179 | 179 | ||
180 | key_fsuid_changed(current); | 180 | key_fsuid_changed(current); |
181 | key_fsgid_changed(current); | 181 | key_fsgid_changed(current); |
diff --git a/arch/s390/kernel/compat_linux.c b/arch/s390/kernel/compat_linux.c index 4646382af34f..6cc87d8c8682 100644 --- a/arch/s390/kernel/compat_linux.c +++ b/arch/s390/kernel/compat_linux.c | |||
@@ -148,9 +148,9 @@ asmlinkage long sys32_getresuid16(u16 __user *ruid, u16 __user *euid, u16 __user | |||
148 | { | 148 | { |
149 | int retval; | 149 | int retval; |
150 | 150 | ||
151 | if (!(retval = put_user(high2lowuid(current->uid), ruid)) && | 151 | if (!(retval = put_user(high2lowuid(current->cred->uid), ruid)) && |
152 | !(retval = put_user(high2lowuid(current->euid), euid))) | 152 | !(retval = put_user(high2lowuid(current->cred->euid), euid))) |
153 | retval = put_user(high2lowuid(current->suid), suid); | 153 | retval = put_user(high2lowuid(current->cred->suid), suid); |
154 | 154 | ||
155 | return retval; | 155 | return retval; |
156 | } | 156 | } |
@@ -165,9 +165,9 @@ asmlinkage long sys32_getresgid16(u16 __user *rgid, u16 __user *egid, u16 __user | |||
165 | { | 165 | { |
166 | int retval; | 166 | int retval; |
167 | 167 | ||
168 | if (!(retval = put_user(high2lowgid(current->gid), rgid)) && | 168 | if (!(retval = put_user(high2lowgid(current->cred->gid), rgid)) && |
169 | !(retval = put_user(high2lowgid(current->egid), egid))) | 169 | !(retval = put_user(high2lowgid(current->cred->egid), egid))) |
170 | retval = put_user(high2lowgid(current->sgid), sgid); | 170 | retval = put_user(high2lowgid(current->cred->sgid), sgid); |
171 | 171 | ||
172 | return retval; | 172 | return retval; |
173 | } | 173 | } |
@@ -217,20 +217,20 @@ asmlinkage long sys32_getgroups16(int gidsetsize, u16 __user *grouplist) | |||
217 | if (gidsetsize < 0) | 217 | if (gidsetsize < 0) |
218 | return -EINVAL; | 218 | return -EINVAL; |
219 | 219 | ||
220 | get_group_info(current->group_info); | 220 | get_group_info(current->cred->group_info); |
221 | i = current->group_info->ngroups; | 221 | i = current->cred->group_info->ngroups; |
222 | if (gidsetsize) { | 222 | if (gidsetsize) { |
223 | if (i > gidsetsize) { | 223 | if (i > gidsetsize) { |
224 | i = -EINVAL; | 224 | i = -EINVAL; |
225 | goto out; | 225 | goto out; |
226 | } | 226 | } |
227 | if (groups16_to_user(grouplist, current->group_info)) { | 227 | if (groups16_to_user(grouplist, current->cred->group_info)) { |
228 | i = -EFAULT; | 228 | i = -EFAULT; |
229 | goto out; | 229 | goto out; |
230 | } | 230 | } |
231 | } | 231 | } |
232 | out: | 232 | out: |
233 | put_group_info(current->group_info); | 233 | put_group_info(current->cred->group_info); |
234 | return i; | 234 | return i; |
235 | } | 235 | } |
236 | 236 | ||
@@ -261,22 +261,22 @@ asmlinkage long sys32_setgroups16(int gidsetsize, u16 __user *grouplist) | |||
261 | 261 | ||
262 | asmlinkage long sys32_getuid16(void) | 262 | asmlinkage long sys32_getuid16(void) |
263 | { | 263 | { |
264 | return high2lowuid(current->uid); | 264 | return high2lowuid(current->cred->uid); |
265 | } | 265 | } |
266 | 266 | ||
267 | asmlinkage long sys32_geteuid16(void) | 267 | asmlinkage long sys32_geteuid16(void) |
268 | { | 268 | { |
269 | return high2lowuid(current->euid); | 269 | return high2lowuid(current->cred->euid); |
270 | } | 270 | } |
271 | 271 | ||
272 | asmlinkage long sys32_getgid16(void) | 272 | asmlinkage long sys32_getgid16(void) |
273 | { | 273 | { |
274 | return high2lowgid(current->gid); | 274 | return high2lowgid(current->cred->gid); |
275 | } | 275 | } |
276 | 276 | ||
277 | asmlinkage long sys32_getegid16(void) | 277 | asmlinkage long sys32_getegid16(void) |
278 | { | 278 | { |
279 | return high2lowgid(current->egid); | 279 | return high2lowgid(current->cred->egid); |
280 | } | 280 | } |
281 | 281 | ||
282 | /* | 282 | /* |
diff --git a/drivers/connector/cn_proc.c b/drivers/connector/cn_proc.c index 5c9f67f98d10..354c1ff17159 100644 --- a/drivers/connector/cn_proc.c +++ b/drivers/connector/cn_proc.c | |||
@@ -116,11 +116,11 @@ void proc_id_connector(struct task_struct *task, int which_id) | |||
116 | ev->event_data.id.process_pid = task->pid; | 116 | ev->event_data.id.process_pid = task->pid; |
117 | ev->event_data.id.process_tgid = task->tgid; | 117 | ev->event_data.id.process_tgid = task->tgid; |
118 | if (which_id == PROC_EVENT_UID) { | 118 | if (which_id == PROC_EVENT_UID) { |
119 | ev->event_data.id.r.ruid = task->uid; | 119 | ev->event_data.id.r.ruid = task->cred->uid; |
120 | ev->event_data.id.e.euid = task->euid; | 120 | ev->event_data.id.e.euid = task->cred->euid; |
121 | } else if (which_id == PROC_EVENT_GID) { | 121 | } else if (which_id == PROC_EVENT_GID) { |
122 | ev->event_data.id.r.rgid = task->gid; | 122 | ev->event_data.id.r.rgid = task->cred->gid; |
123 | ev->event_data.id.e.egid = task->egid; | 123 | ev->event_data.id.e.egid = task->cred->egid; |
124 | } else | 124 | } else |
125 | return; | 125 | return; |
126 | get_seq(&msg->seq, &ev->cpu); | 126 | get_seq(&msg->seq, &ev->cpu); |
diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c index 8fcfa398d350..7a52477ce493 100644 --- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c | |||
@@ -223,10 +223,10 @@ create_elf_tables(struct linux_binprm *bprm, struct elfhdr *exec, | |||
223 | NEW_AUX_ENT(AT_BASE, interp_load_addr); | 223 | NEW_AUX_ENT(AT_BASE, interp_load_addr); |
224 | NEW_AUX_ENT(AT_FLAGS, 0); | 224 | NEW_AUX_ENT(AT_FLAGS, 0); |
225 | NEW_AUX_ENT(AT_ENTRY, exec->e_entry); | 225 | NEW_AUX_ENT(AT_ENTRY, exec->e_entry); |
226 | NEW_AUX_ENT(AT_UID, tsk->uid); | 226 | NEW_AUX_ENT(AT_UID, tsk->cred->uid); |
227 | NEW_AUX_ENT(AT_EUID, tsk->euid); | 227 | NEW_AUX_ENT(AT_EUID, tsk->cred->euid); |
228 | NEW_AUX_ENT(AT_GID, tsk->gid); | 228 | NEW_AUX_ENT(AT_GID, tsk->cred->gid); |
229 | NEW_AUX_ENT(AT_EGID, tsk->egid); | 229 | NEW_AUX_ENT(AT_EGID, tsk->cred->egid); |
230 | NEW_AUX_ENT(AT_SECURE, security_bprm_secureexec(bprm)); | 230 | NEW_AUX_ENT(AT_SECURE, security_bprm_secureexec(bprm)); |
231 | NEW_AUX_ENT(AT_EXECFN, bprm->exec); | 231 | NEW_AUX_ENT(AT_EXECFN, bprm->exec); |
232 | if (k_platform) { | 232 | if (k_platform) { |
@@ -1388,8 +1388,8 @@ static int fill_psinfo(struct elf_prpsinfo *psinfo, struct task_struct *p, | |||
1388 | psinfo->pr_zomb = psinfo->pr_sname == 'Z'; | 1388 | psinfo->pr_zomb = psinfo->pr_sname == 'Z'; |
1389 | psinfo->pr_nice = task_nice(p); | 1389 | psinfo->pr_nice = task_nice(p); |
1390 | psinfo->pr_flag = p->flags; | 1390 | psinfo->pr_flag = p->flags; |
1391 | SET_UID(psinfo->pr_uid, p->uid); | 1391 | SET_UID(psinfo->pr_uid, p->cred->uid); |
1392 | SET_GID(psinfo->pr_gid, p->gid); | 1392 | SET_GID(psinfo->pr_gid, p->cred->gid); |
1393 | strncpy(psinfo->pr_fname, p->comm, sizeof(psinfo->pr_fname)); | 1393 | strncpy(psinfo->pr_fname, p->comm, sizeof(psinfo->pr_fname)); |
1394 | 1394 | ||
1395 | return 0; | 1395 | return 0; |
diff --git a/fs/binfmt_elf_fdpic.c b/fs/binfmt_elf_fdpic.c index 488584c87512..9f67054c2c4e 100644 --- a/fs/binfmt_elf_fdpic.c +++ b/fs/binfmt_elf_fdpic.c | |||
@@ -623,10 +623,10 @@ static int create_elf_fdpic_tables(struct linux_binprm *bprm, | |||
623 | NEW_AUX_ENT(AT_BASE, interp_params->elfhdr_addr); | 623 | NEW_AUX_ENT(AT_BASE, interp_params->elfhdr_addr); |
624 | NEW_AUX_ENT(AT_FLAGS, 0); | 624 | NEW_AUX_ENT(AT_FLAGS, 0); |
625 | NEW_AUX_ENT(AT_ENTRY, exec_params->entry_addr); | 625 | NEW_AUX_ENT(AT_ENTRY, exec_params->entry_addr); |
626 | NEW_AUX_ENT(AT_UID, (elf_addr_t) current_uid()); | 626 | NEW_AUX_ENT(AT_UID, (elf_addr_t) current->cred->uid); |
627 | NEW_AUX_ENT(AT_EUID, (elf_addr_t) current_euid()); | 627 | NEW_AUX_ENT(AT_EUID, (elf_addr_t) current->cred->euid); |
628 | NEW_AUX_ENT(AT_GID, (elf_addr_t) current_gid()); | 628 | NEW_AUX_ENT(AT_GID, (elf_addr_t) current->cred->gid); |
629 | NEW_AUX_ENT(AT_EGID, (elf_addr_t) current_egid()); | 629 | NEW_AUX_ENT(AT_EGID, (elf_addr_t) current->cred->egid); |
630 | NEW_AUX_ENT(AT_SECURE, security_bprm_secureexec(bprm)); | 630 | NEW_AUX_ENT(AT_SECURE, security_bprm_secureexec(bprm)); |
631 | NEW_AUX_ENT(AT_EXECFN, bprm->exec); | 631 | NEW_AUX_ENT(AT_EXECFN, bprm->exec); |
632 | 632 | ||
@@ -1440,8 +1440,8 @@ static int fill_psinfo(struct elf_prpsinfo *psinfo, struct task_struct *p, | |||
1440 | psinfo->pr_zomb = psinfo->pr_sname == 'Z'; | 1440 | psinfo->pr_zomb = psinfo->pr_sname == 'Z'; |
1441 | psinfo->pr_nice = task_nice(p); | 1441 | psinfo->pr_nice = task_nice(p); |
1442 | psinfo->pr_flag = p->flags; | 1442 | psinfo->pr_flag = p->flags; |
1443 | SET_UID(psinfo->pr_uid, p->uid); | 1443 | SET_UID(psinfo->pr_uid, p->cred->uid); |
1444 | SET_GID(psinfo->pr_gid, p->gid); | 1444 | SET_GID(psinfo->pr_gid, p->cred->gid); |
1445 | strncpy(psinfo->pr_fname, p->comm, sizeof(psinfo->pr_fname)); | 1445 | strncpy(psinfo->pr_fname, p->comm, sizeof(psinfo->pr_fname)); |
1446 | 1446 | ||
1447 | return 0; | 1447 | return 0; |
@@ -1738,7 +1738,7 @@ int do_coredump(long signr, int exit_code, struct pt_regs * regs) | |||
1738 | */ | 1738 | */ |
1739 | if (get_dumpable(mm) == 2) { /* Setuid core dump mode */ | 1739 | if (get_dumpable(mm) == 2) { /* Setuid core dump mode */ |
1740 | flag = O_EXCL; /* Stop rewrite attacks */ | 1740 | flag = O_EXCL; /* Stop rewrite attacks */ |
1741 | current->fsuid = 0; /* Dump root private */ | 1741 | current->cred->fsuid = 0; /* Dump root private */ |
1742 | } | 1742 | } |
1743 | 1743 | ||
1744 | retval = coredump_wait(exit_code, &core_state); | 1744 | retval = coredump_wait(exit_code, &core_state); |
@@ -1834,7 +1834,7 @@ fail_unlock: | |||
1834 | if (helper_argv) | 1834 | if (helper_argv) |
1835 | argv_free(helper_argv); | 1835 | argv_free(helper_argv); |
1836 | 1836 | ||
1837 | current->fsuid = fsuid; | 1837 | current->cred->fsuid = fsuid; |
1838 | coredump_finish(mm); | 1838 | coredump_finish(mm); |
1839 | fail: | 1839 | fail: |
1840 | return retval; | 1840 | return retval; |
diff --git a/fs/fcntl.c b/fs/fcntl.c index bf049a805e59..63964d863ad6 100644 --- a/fs/fcntl.c +++ b/fs/fcntl.c | |||
@@ -401,8 +401,8 @@ static inline int sigio_perm(struct task_struct *p, | |||
401 | struct fown_struct *fown, int sig) | 401 | struct fown_struct *fown, int sig) |
402 | { | 402 | { |
403 | return (((fown->euid == 0) || | 403 | return (((fown->euid == 0) || |
404 | (fown->euid == p->suid) || (fown->euid == p->uid) || | 404 | (fown->euid == p->cred->suid) || (fown->euid == p->cred->uid) || |
405 | (fown->uid == p->suid) || (fown->uid == p->uid)) && | 405 | (fown->uid == p->cred->suid) || (fown->uid == p->cred->uid)) && |
406 | !security_file_send_sigiotask(p, fown, sig)); | 406 | !security_file_send_sigiotask(p, fown, sig)); |
407 | } | 407 | } |
408 | 408 | ||
diff --git a/fs/file_table.c b/fs/file_table.c index 5ad0eca6eea2..3152b53cfab0 100644 --- a/fs/file_table.c +++ b/fs/file_table.c | |||
@@ -122,8 +122,8 @@ struct file *get_empty_filp(void) | |||
122 | INIT_LIST_HEAD(&f->f_u.fu_list); | 122 | INIT_LIST_HEAD(&f->f_u.fu_list); |
123 | atomic_long_set(&f->f_count, 1); | 123 | atomic_long_set(&f->f_count, 1); |
124 | rwlock_init(&f->f_owner.lock); | 124 | rwlock_init(&f->f_owner.lock); |
125 | f->f_uid = tsk->fsuid; | 125 | f->f_uid = tsk->cred->fsuid; |
126 | f->f_gid = tsk->fsgid; | 126 | f->f_gid = tsk->cred->fsgid; |
127 | eventpoll_init_file(f); | 127 | eventpoll_init_file(f); |
128 | /* f->f_version: 0 */ | 128 | /* f->f_version: 0 */ |
129 | return f; | 129 | return f; |
diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c index fd03330cadeb..e97a98981862 100644 --- a/fs/fuse/dir.c +++ b/fs/fuse/dir.c | |||
@@ -872,12 +872,12 @@ int fuse_allow_task(struct fuse_conn *fc, struct task_struct *task) | |||
872 | if (fc->flags & FUSE_ALLOW_OTHER) | 872 | if (fc->flags & FUSE_ALLOW_OTHER) |
873 | return 1; | 873 | return 1; |
874 | 874 | ||
875 | if (task->euid == fc->user_id && | 875 | if (task->cred->euid == fc->user_id && |
876 | task->suid == fc->user_id && | 876 | task->cred->suid == fc->user_id && |
877 | task->uid == fc->user_id && | 877 | task->cred->uid == fc->user_id && |
878 | task->egid == fc->group_id && | 878 | task->cred->egid == fc->group_id && |
879 | task->sgid == fc->group_id && | 879 | task->cred->sgid == fc->group_id && |
880 | task->gid == fc->group_id) | 880 | task->cred->gid == fc->group_id) |
881 | return 1; | 881 | return 1; |
882 | 882 | ||
883 | return 0; | 883 | return 0; |
diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c index 08ad76c79b49..870a721b8bd2 100644 --- a/fs/hugetlbfs/inode.c +++ b/fs/hugetlbfs/inode.c | |||
@@ -958,7 +958,7 @@ struct file *hugetlb_file_setup(const char *name, size_t size) | |||
958 | if (!can_do_hugetlb_shm()) | 958 | if (!can_do_hugetlb_shm()) |
959 | return ERR_PTR(-EPERM); | 959 | return ERR_PTR(-EPERM); |
960 | 960 | ||
961 | if (!user_shm_lock(size, current->user)) | 961 | if (!user_shm_lock(size, current->cred->user)) |
962 | return ERR_PTR(-ENOMEM); | 962 | return ERR_PTR(-ENOMEM); |
963 | 963 | ||
964 | root = hugetlbfs_vfsmount->mnt_root; | 964 | root = hugetlbfs_vfsmount->mnt_root; |
@@ -998,7 +998,7 @@ out_inode: | |||
998 | out_dentry: | 998 | out_dentry: |
999 | dput(dentry); | 999 | dput(dentry); |
1000 | out_shm_unlock: | 1000 | out_shm_unlock: |
1001 | user_shm_unlock(size, current->user); | 1001 | user_shm_unlock(size, current->cred->user); |
1002 | return ERR_PTR(error); | 1002 | return ERR_PTR(error); |
1003 | } | 1003 | } |
1004 | 1004 | ||
diff --git a/fs/ioprio.c b/fs/ioprio.c index 68d2cd807118..bb5210af77c2 100644 --- a/fs/ioprio.c +++ b/fs/ioprio.c | |||
@@ -32,8 +32,8 @@ static int set_task_ioprio(struct task_struct *task, int ioprio) | |||
32 | int err; | 32 | int err; |
33 | struct io_context *ioc; | 33 | struct io_context *ioc; |
34 | 34 | ||
35 | if (task->uid != current_euid() && | 35 | if (task->cred->uid != current_euid() && |
36 | task->uid != current_uid() && !capable(CAP_SYS_NICE)) | 36 | task->cred->uid != current_uid() && !capable(CAP_SYS_NICE)) |
37 | return -EPERM; | 37 | return -EPERM; |
38 | 38 | ||
39 | err = security_task_setioprio(task, ioprio); | 39 | err = security_task_setioprio(task, ioprio); |
@@ -123,7 +123,7 @@ asmlinkage long sys_ioprio_set(int which, int who, int ioprio) | |||
123 | break; | 123 | break; |
124 | case IOPRIO_WHO_USER: | 124 | case IOPRIO_WHO_USER: |
125 | if (!who) | 125 | if (!who) |
126 | user = current->user; | 126 | user = current->cred->user; |
127 | else | 127 | else |
128 | user = find_user(who); | 128 | user = find_user(who); |
129 | 129 | ||
@@ -131,7 +131,7 @@ asmlinkage long sys_ioprio_set(int which, int who, int ioprio) | |||
131 | break; | 131 | break; |
132 | 132 | ||
133 | do_each_thread(g, p) { | 133 | do_each_thread(g, p) { |
134 | if (p->uid != who) | 134 | if (p->cred->uid != who) |
135 | continue; | 135 | continue; |
136 | ret = set_task_ioprio(p, ioprio); | 136 | ret = set_task_ioprio(p, ioprio); |
137 | if (ret) | 137 | if (ret) |
@@ -216,7 +216,7 @@ asmlinkage long sys_ioprio_get(int which, int who) | |||
216 | break; | 216 | break; |
217 | case IOPRIO_WHO_USER: | 217 | case IOPRIO_WHO_USER: |
218 | if (!who) | 218 | if (!who) |
219 | user = current->user; | 219 | user = current->cred->user; |
220 | else | 220 | else |
221 | user = find_user(who); | 221 | user = find_user(who); |
222 | 222 | ||
@@ -224,7 +224,7 @@ asmlinkage long sys_ioprio_get(int which, int who) | |||
224 | break; | 224 | break; |
225 | 225 | ||
226 | do_each_thread(g, p) { | 226 | do_each_thread(g, p) { |
227 | if (p->uid != user->uid) | 227 | if (p->cred->uid != user->uid) |
228 | continue; | 228 | continue; |
229 | tmpio = get_task_ioprio(p); | 229 | tmpio = get_task_ioprio(p); |
230 | if (tmpio < 0) | 230 | if (tmpio < 0) |
diff --git a/fs/nfsd/auth.c b/fs/nfsd/auth.c index 294992e9bf69..808fc03a6fbd 100644 --- a/fs/nfsd/auth.c +++ b/fs/nfsd/auth.c | |||
@@ -27,6 +27,7 @@ int nfsexp_flags(struct svc_rqst *rqstp, struct svc_export *exp) | |||
27 | 27 | ||
28 | int nfsd_setuser(struct svc_rqst *rqstp, struct svc_export *exp) | 28 | int nfsd_setuser(struct svc_rqst *rqstp, struct svc_export *exp) |
29 | { | 29 | { |
30 | struct cred *act_as = current->cred ; | ||
30 | struct svc_cred cred = rqstp->rq_cred; | 31 | struct svc_cred cred = rqstp->rq_cred; |
31 | int i; | 32 | int i; |
32 | int flags = nfsexp_flags(rqstp, exp); | 33 | int flags = nfsexp_flags(rqstp, exp); |
@@ -55,25 +56,26 @@ int nfsd_setuser(struct svc_rqst *rqstp, struct svc_export *exp) | |||
55 | get_group_info(cred.cr_group_info); | 56 | get_group_info(cred.cr_group_info); |
56 | 57 | ||
57 | if (cred.cr_uid != (uid_t) -1) | 58 | if (cred.cr_uid != (uid_t) -1) |
58 | current->fsuid = cred.cr_uid; | 59 | act_as->fsuid = cred.cr_uid; |
59 | else | 60 | else |
60 | current->fsuid = exp->ex_anon_uid; | 61 | act_as->fsuid = exp->ex_anon_uid; |
61 | if (cred.cr_gid != (gid_t) -1) | 62 | if (cred.cr_gid != (gid_t) -1) |
62 | current->fsgid = cred.cr_gid; | 63 | act_as->fsgid = cred.cr_gid; |
63 | else | 64 | else |
64 | current->fsgid = exp->ex_anon_gid; | 65 | act_as->fsgid = exp->ex_anon_gid; |
65 | 66 | ||
66 | if (!cred.cr_group_info) | 67 | if (!cred.cr_group_info) |
67 | return -ENOMEM; | 68 | return -ENOMEM; |
68 | ret = set_current_groups(cred.cr_group_info); | 69 | ret = set_groups(act_as, cred.cr_group_info); |
69 | put_group_info(cred.cr_group_info); | 70 | put_group_info(cred.cr_group_info); |
70 | if ((cred.cr_uid)) { | 71 | if ((cred.cr_uid)) { |
71 | current->cap_effective = | 72 | act_as->cap_effective = |
72 | cap_drop_nfsd_set(current->cap_effective); | 73 | cap_drop_nfsd_set(act_as->cap_effective); |
73 | } else { | 74 | } else { |
74 | current->cap_effective = | 75 | act_as->cap_effective = |
75 | cap_raise_nfsd_set(current->cap_effective, | 76 | cap_raise_nfsd_set(act_as->cap_effective, |
76 | current->cap_permitted); | 77 | act_as->cap_permitted); |
77 | } | 78 | } |
78 | return ret; | 79 | return ret; |
79 | } | 80 | } |
81 | |||
diff --git a/fs/nfsd/nfs4recover.c b/fs/nfsd/nfs4recover.c index bb93946ace22..a5e14e8695ea 100644 --- a/fs/nfsd/nfs4recover.c +++ b/fs/nfsd/nfs4recover.c | |||
@@ -57,17 +57,17 @@ static int rec_dir_init = 0; | |||
57 | static void | 57 | static void |
58 | nfs4_save_user(uid_t *saveuid, gid_t *savegid) | 58 | nfs4_save_user(uid_t *saveuid, gid_t *savegid) |
59 | { | 59 | { |
60 | *saveuid = current->fsuid; | 60 | *saveuid = current->cred->fsuid; |
61 | *savegid = current->fsgid; | 61 | *savegid = current->cred->fsgid; |
62 | current->fsuid = 0; | 62 | current->cred->fsuid = 0; |
63 | current->fsgid = 0; | 63 | current->cred->fsgid = 0; |
64 | } | 64 | } |
65 | 65 | ||
66 | static void | 66 | static void |
67 | nfs4_reset_user(uid_t saveuid, gid_t savegid) | 67 | nfs4_reset_user(uid_t saveuid, gid_t savegid) |
68 | { | 68 | { |
69 | current->fsuid = saveuid; | 69 | current->cred->fsuid = saveuid; |
70 | current->fsgid = savegid; | 70 | current->cred->fsgid = savegid; |
71 | } | 71 | } |
72 | 72 | ||
73 | static void | 73 | static void |
diff --git a/fs/nfsd/nfsfh.c b/fs/nfsd/nfsfh.c index cd25d91895a1..e67cfaea0865 100644 --- a/fs/nfsd/nfsfh.c +++ b/fs/nfsd/nfsfh.c | |||
@@ -186,9 +186,9 @@ static __be32 nfsd_set_fh_dentry(struct svc_rqst *rqstp, struct svc_fh *fhp) | |||
186 | * access control settings being in effect, we cannot | 186 | * access control settings being in effect, we cannot |
187 | * fix that case easily. | 187 | * fix that case easily. |
188 | */ | 188 | */ |
189 | current->cap_effective = | 189 | current->cred->cap_effective = |
190 | cap_raise_nfsd_set(current->cap_effective, | 190 | cap_raise_nfsd_set(current->cred->cap_effective, |
191 | current->cap_permitted); | 191 | current->cred->cap_permitted); |
192 | } else { | 192 | } else { |
193 | error = nfsd_setuser_and_check_port(rqstp, exp); | 193 | error = nfsd_setuser_and_check_port(rqstp, exp); |
194 | if (error) | 194 | if (error) |
@@ -425,6 +425,7 @@ out: | |||
425 | */ | 425 | */ |
426 | asmlinkage long sys_faccessat(int dfd, const char __user *filename, int mode) | 426 | asmlinkage long sys_faccessat(int dfd, const char __user *filename, int mode) |
427 | { | 427 | { |
428 | struct cred *cred = current->cred; | ||
428 | struct path path; | 429 | struct path path; |
429 | struct inode *inode; | 430 | struct inode *inode; |
430 | int old_fsuid, old_fsgid; | 431 | int old_fsuid, old_fsgid; |
@@ -434,18 +435,18 @@ asmlinkage long sys_faccessat(int dfd, const char __user *filename, int mode) | |||
434 | if (mode & ~S_IRWXO) /* where's F_OK, X_OK, W_OK, R_OK? */ | 435 | if (mode & ~S_IRWXO) /* where's F_OK, X_OK, W_OK, R_OK? */ |
435 | return -EINVAL; | 436 | return -EINVAL; |
436 | 437 | ||
437 | old_fsuid = current->fsuid; | 438 | old_fsuid = cred->fsuid; |
438 | old_fsgid = current->fsgid; | 439 | old_fsgid = cred->fsgid; |
439 | 440 | ||
440 | current->fsuid = current->uid; | 441 | cred->fsuid = cred->uid; |
441 | current->fsgid = current->gid; | 442 | cred->fsgid = cred->gid; |
442 | 443 | ||
443 | if (!issecure(SECURE_NO_SETUID_FIXUP)) { | 444 | if (!issecure(SECURE_NO_SETUID_FIXUP)) { |
444 | /* Clear the capabilities if we switch to a non-root user */ | 445 | /* Clear the capabilities if we switch to a non-root user */ |
445 | if (current->uid) | 446 | if (current->cred->uid) |
446 | old_cap = cap_set_effective(__cap_empty_set); | 447 | old_cap = cap_set_effective(__cap_empty_set); |
447 | else | 448 | else |
448 | old_cap = cap_set_effective(current->cap_permitted); | 449 | old_cap = cap_set_effective(cred->cap_permitted); |
449 | } | 450 | } |
450 | 451 | ||
451 | res = user_path_at(dfd, filename, LOOKUP_FOLLOW, &path); | 452 | res = user_path_at(dfd, filename, LOOKUP_FOLLOW, &path); |
@@ -484,8 +485,8 @@ asmlinkage long sys_faccessat(int dfd, const char __user *filename, int mode) | |||
484 | out_path_release: | 485 | out_path_release: |
485 | path_put(&path); | 486 | path_put(&path); |
486 | out: | 487 | out: |
487 | current->fsuid = old_fsuid; | 488 | cred->fsuid = old_fsuid; |
488 | current->fsgid = old_fsgid; | 489 | cred->fsgid = old_fsgid; |
489 | 490 | ||
490 | if (!issecure(SECURE_NO_SETUID_FIXUP)) | 491 | if (!issecure(SECURE_NO_SETUID_FIXUP)) |
491 | cap_set_effective(old_cap); | 492 | cap_set_effective(old_cap); |
diff --git a/fs/proc/array.c b/fs/proc/array.c index 6af7fba7abb1..62fe9b2009b6 100644 --- a/fs/proc/array.c +++ b/fs/proc/array.c | |||
@@ -182,8 +182,8 @@ static inline void task_state(struct seq_file *m, struct pid_namespace *ns, | |||
182 | task_tgid_nr_ns(p, ns), | 182 | task_tgid_nr_ns(p, ns), |
183 | pid_nr_ns(pid, ns), | 183 | pid_nr_ns(pid, ns), |
184 | ppid, tpid, | 184 | ppid, tpid, |
185 | p->uid, p->euid, p->suid, p->fsuid, | 185 | p->cred->uid, p->cred->euid, p->cred->suid, p->cred->fsuid, |
186 | p->gid, p->egid, p->sgid, p->fsgid); | 186 | p->cred->gid, p->cred->egid, p->cred->sgid, p->cred->fsgid); |
187 | 187 | ||
188 | task_lock(p); | 188 | task_lock(p); |
189 | if (p->files) | 189 | if (p->files) |
@@ -194,7 +194,7 @@ static inline void task_state(struct seq_file *m, struct pid_namespace *ns, | |||
194 | fdt ? fdt->max_fds : 0); | 194 | fdt ? fdt->max_fds : 0); |
195 | rcu_read_unlock(); | 195 | rcu_read_unlock(); |
196 | 196 | ||
197 | group_info = p->group_info; | 197 | group_info = p->cred->group_info; |
198 | get_group_info(group_info); | 198 | get_group_info(group_info); |
199 | task_unlock(p); | 199 | task_unlock(p); |
200 | 200 | ||
@@ -262,7 +262,7 @@ static inline void task_sig(struct seq_file *m, struct task_struct *p) | |||
262 | blocked = p->blocked; | 262 | blocked = p->blocked; |
263 | collect_sigign_sigcatch(p, &ignored, &caught); | 263 | collect_sigign_sigcatch(p, &ignored, &caught); |
264 | num_threads = atomic_read(&p->signal->count); | 264 | num_threads = atomic_read(&p->signal->count); |
265 | qsize = atomic_read(&p->user->sigpending); | 265 | qsize = atomic_read(&p->cred->user->sigpending); |
266 | qlim = p->signal->rlim[RLIMIT_SIGPENDING].rlim_cur; | 266 | qlim = p->signal->rlim[RLIMIT_SIGPENDING].rlim_cur; |
267 | unlock_task_sighand(p, &flags); | 267 | unlock_task_sighand(p, &flags); |
268 | } | 268 | } |
@@ -293,10 +293,12 @@ static void render_cap_t(struct seq_file *m, const char *header, | |||
293 | 293 | ||
294 | static inline void task_cap(struct seq_file *m, struct task_struct *p) | 294 | static inline void task_cap(struct seq_file *m, struct task_struct *p) |
295 | { | 295 | { |
296 | render_cap_t(m, "CapInh:\t", &p->cap_inheritable); | 296 | struct cred *cred = p->cred; |
297 | render_cap_t(m, "CapPrm:\t", &p->cap_permitted); | 297 | |
298 | render_cap_t(m, "CapEff:\t", &p->cap_effective); | 298 | render_cap_t(m, "CapInh:\t", &cred->cap_inheritable); |
299 | render_cap_t(m, "CapBnd:\t", &p->cap_bset); | 299 | render_cap_t(m, "CapPrm:\t", &cred->cap_permitted); |
300 | render_cap_t(m, "CapEff:\t", &cred->cap_effective); | ||
301 | render_cap_t(m, "CapBnd:\t", &cred->cap_bset); | ||
300 | } | 302 | } |
301 | 303 | ||
302 | static inline void task_context_switch_counts(struct seq_file *m, | 304 | static inline void task_context_switch_counts(struct seq_file *m, |
diff --git a/fs/proc/base.c b/fs/proc/base.c index 486cf3fe7139..6862b360c36c 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c | |||
@@ -1428,8 +1428,8 @@ static struct inode *proc_pid_make_inode(struct super_block * sb, struct task_st | |||
1428 | inode->i_uid = 0; | 1428 | inode->i_uid = 0; |
1429 | inode->i_gid = 0; | 1429 | inode->i_gid = 0; |
1430 | if (task_dumpable(task)) { | 1430 | if (task_dumpable(task)) { |
1431 | inode->i_uid = task->euid; | 1431 | inode->i_uid = task->cred->euid; |
1432 | inode->i_gid = task->egid; | 1432 | inode->i_gid = task->cred->egid; |
1433 | } | 1433 | } |
1434 | security_task_to_inode(task, inode); | 1434 | security_task_to_inode(task, inode); |
1435 | 1435 | ||
@@ -1454,8 +1454,8 @@ static int pid_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat | |||
1454 | if (task) { | 1454 | if (task) { |
1455 | if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) || | 1455 | if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) || |
1456 | task_dumpable(task)) { | 1456 | task_dumpable(task)) { |
1457 | stat->uid = task->euid; | 1457 | stat->uid = task->cred->euid; |
1458 | stat->gid = task->egid; | 1458 | stat->gid = task->cred->egid; |
1459 | } | 1459 | } |
1460 | } | 1460 | } |
1461 | rcu_read_unlock(); | 1461 | rcu_read_unlock(); |
@@ -1486,8 +1486,8 @@ static int pid_revalidate(struct dentry *dentry, struct nameidata *nd) | |||
1486 | if (task) { | 1486 | if (task) { |
1487 | if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) || | 1487 | if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) || |
1488 | task_dumpable(task)) { | 1488 | task_dumpable(task)) { |
1489 | inode->i_uid = task->euid; | 1489 | inode->i_uid = task->cred->euid; |
1490 | inode->i_gid = task->egid; | 1490 | inode->i_gid = task->cred->egid; |
1491 | } else { | 1491 | } else { |
1492 | inode->i_uid = 0; | 1492 | inode->i_uid = 0; |
1493 | inode->i_gid = 0; | 1493 | inode->i_gid = 0; |
@@ -1658,8 +1658,8 @@ static int tid_fd_revalidate(struct dentry *dentry, struct nameidata *nd) | |||
1658 | rcu_read_unlock(); | 1658 | rcu_read_unlock(); |
1659 | put_files_struct(files); | 1659 | put_files_struct(files); |
1660 | if (task_dumpable(task)) { | 1660 | if (task_dumpable(task)) { |
1661 | inode->i_uid = task->euid; | 1661 | inode->i_uid = task->cred->euid; |
1662 | inode->i_gid = task->egid; | 1662 | inode->i_gid = task->cred->egid; |
1663 | } else { | 1663 | } else { |
1664 | inode->i_uid = 0; | 1664 | inode->i_uid = 0; |
1665 | inode->i_gid = 0; | 1665 | inode->i_gid = 0; |
diff --git a/fs/xfs/linux-2.6/xfs_cred.h b/fs/xfs/linux-2.6/xfs_cred.h index 293043a5573a..8c022cd0ad67 100644 --- a/fs/xfs/linux-2.6/xfs_cred.h +++ b/fs/xfs/linux-2.6/xfs_cred.h | |||
@@ -23,11 +23,9 @@ | |||
23 | /* | 23 | /* |
24 | * Credentials | 24 | * Credentials |
25 | */ | 25 | */ |
26 | typedef struct cred { | 26 | typedef const struct cred cred_t; |
27 | /* EMPTY */ | ||
28 | } cred_t; | ||
29 | 27 | ||
30 | extern struct cred *sys_cred; | 28 | extern cred_t *sys_cred; |
31 | 29 | ||
32 | /* this is a hack.. (assumes sys_cred is the only cred_t in the system) */ | 30 | /* this is a hack.. (assumes sys_cred is the only cred_t in the system) */ |
33 | static inline int capable_cred(cred_t *cr, int cid) | 31 | static inline int capable_cred(cred_t *cr, int cid) |
diff --git a/fs/xfs/linux-2.6/xfs_globals.h b/fs/xfs/linux-2.6/xfs_globals.h index 2770b0085ee8..6eda8a3eb6f1 100644 --- a/fs/xfs/linux-2.6/xfs_globals.h +++ b/fs/xfs/linux-2.6/xfs_globals.h | |||
@@ -19,6 +19,6 @@ | |||
19 | #define __XFS_GLOBALS_H__ | 19 | #define __XFS_GLOBALS_H__ |
20 | 20 | ||
21 | extern uint64_t xfs_panic_mask; /* set to cause more panics */ | 21 | extern uint64_t xfs_panic_mask; /* set to cause more panics */ |
22 | extern struct cred *sys_cred; | 22 | extern cred_t *sys_cred; |
23 | 23 | ||
24 | #endif /* __XFS_GLOBALS_H__ */ | 24 | #endif /* __XFS_GLOBALS_H__ */ |
diff --git a/fs/xfs/xfs_inode.h b/fs/xfs/xfs_inode.h index 1420c49674d7..6be310d41daf 100644 --- a/fs/xfs/xfs_inode.h +++ b/fs/xfs/xfs_inode.h | |||
@@ -497,7 +497,7 @@ int xfs_iread(struct xfs_mount *, struct xfs_trans *, xfs_ino_t, | |||
497 | xfs_inode_t **, xfs_daddr_t, uint); | 497 | xfs_inode_t **, xfs_daddr_t, uint); |
498 | int xfs_iread_extents(struct xfs_trans *, xfs_inode_t *, int); | 498 | int xfs_iread_extents(struct xfs_trans *, xfs_inode_t *, int); |
499 | int xfs_ialloc(struct xfs_trans *, xfs_inode_t *, mode_t, | 499 | int xfs_ialloc(struct xfs_trans *, xfs_inode_t *, mode_t, |
500 | xfs_nlink_t, xfs_dev_t, struct cred *, xfs_prid_t, | 500 | xfs_nlink_t, xfs_dev_t, cred_t *, xfs_prid_t, |
501 | int, struct xfs_buf **, boolean_t *, xfs_inode_t **); | 501 | int, struct xfs_buf **, boolean_t *, xfs_inode_t **); |
502 | void xfs_dinode_from_disk(struct xfs_icdinode *, | 502 | void xfs_dinode_from_disk(struct xfs_icdinode *, |
503 | struct xfs_dinode_core *); | 503 | struct xfs_dinode_core *); |
diff --git a/fs/xfs/xfs_vnodeops.h b/fs/xfs/xfs_vnodeops.h index e932a96bec54..7b0c2ab88333 100644 --- a/fs/xfs/xfs_vnodeops.h +++ b/fs/xfs/xfs_vnodeops.h | |||
@@ -16,7 +16,7 @@ struct xfs_iomap; | |||
16 | 16 | ||
17 | int xfs_open(struct xfs_inode *ip); | 17 | int xfs_open(struct xfs_inode *ip); |
18 | int xfs_setattr(struct xfs_inode *ip, struct iattr *vap, int flags, | 18 | int xfs_setattr(struct xfs_inode *ip, struct iattr *vap, int flags, |
19 | struct cred *credp); | 19 | cred_t *credp); |
20 | #define XFS_ATTR_DMI 0x01 /* invocation from a DMI function */ | 20 | #define XFS_ATTR_DMI 0x01 /* invocation from a DMI function */ |
21 | #define XFS_ATTR_NONBLOCK 0x02 /* return EAGAIN if operation would block */ | 21 | #define XFS_ATTR_NONBLOCK 0x02 /* return EAGAIN if operation would block */ |
22 | #define XFS_ATTR_NOLOCK 0x04 /* Don't grab any conflicting locks */ | 22 | #define XFS_ATTR_NOLOCK 0x04 /* Don't grab any conflicting locks */ |
@@ -28,24 +28,24 @@ int xfs_inactive(struct xfs_inode *ip); | |||
28 | int xfs_lookup(struct xfs_inode *dp, struct xfs_name *name, | 28 | int xfs_lookup(struct xfs_inode *dp, struct xfs_name *name, |
29 | struct xfs_inode **ipp, struct xfs_name *ci_name); | 29 | struct xfs_inode **ipp, struct xfs_name *ci_name); |
30 | int xfs_create(struct xfs_inode *dp, struct xfs_name *name, mode_t mode, | 30 | int xfs_create(struct xfs_inode *dp, struct xfs_name *name, mode_t mode, |
31 | xfs_dev_t rdev, struct xfs_inode **ipp, struct cred *credp); | 31 | xfs_dev_t rdev, struct xfs_inode **ipp, cred_t *credp); |
32 | int xfs_remove(struct xfs_inode *dp, struct xfs_name *name, | 32 | int xfs_remove(struct xfs_inode *dp, struct xfs_name *name, |
33 | struct xfs_inode *ip); | 33 | struct xfs_inode *ip); |
34 | int xfs_link(struct xfs_inode *tdp, struct xfs_inode *sip, | 34 | int xfs_link(struct xfs_inode *tdp, struct xfs_inode *sip, |
35 | struct xfs_name *target_name); | 35 | struct xfs_name *target_name); |
36 | int xfs_mkdir(struct xfs_inode *dp, struct xfs_name *dir_name, | 36 | int xfs_mkdir(struct xfs_inode *dp, struct xfs_name *dir_name, |
37 | mode_t mode, struct xfs_inode **ipp, struct cred *credp); | 37 | mode_t mode, struct xfs_inode **ipp, cred_t *credp); |
38 | int xfs_readdir(struct xfs_inode *dp, void *dirent, size_t bufsize, | 38 | int xfs_readdir(struct xfs_inode *dp, void *dirent, size_t bufsize, |
39 | xfs_off_t *offset, filldir_t filldir); | 39 | xfs_off_t *offset, filldir_t filldir); |
40 | int xfs_symlink(struct xfs_inode *dp, struct xfs_name *link_name, | 40 | int xfs_symlink(struct xfs_inode *dp, struct xfs_name *link_name, |
41 | const char *target_path, mode_t mode, struct xfs_inode **ipp, | 41 | const char *target_path, mode_t mode, struct xfs_inode **ipp, |
42 | struct cred *credp); | 42 | cred_t *credp); |
43 | int xfs_inode_flush(struct xfs_inode *ip, int flags); | 43 | int xfs_inode_flush(struct xfs_inode *ip, int flags); |
44 | int xfs_set_dmattrs(struct xfs_inode *ip, u_int evmask, u_int16_t state); | 44 | int xfs_set_dmattrs(struct xfs_inode *ip, u_int evmask, u_int16_t state); |
45 | int xfs_reclaim(struct xfs_inode *ip); | 45 | int xfs_reclaim(struct xfs_inode *ip); |
46 | int xfs_change_file_space(struct xfs_inode *ip, int cmd, | 46 | int xfs_change_file_space(struct xfs_inode *ip, int cmd, |
47 | xfs_flock64_t *bf, xfs_off_t offset, | 47 | xfs_flock64_t *bf, xfs_off_t offset, |
48 | struct cred *credp, int attr_flags); | 48 | cred_t *credp, int attr_flags); |
49 | int xfs_rename(struct xfs_inode *src_dp, struct xfs_name *src_name, | 49 | int xfs_rename(struct xfs_inode *src_dp, struct xfs_name *src_name, |
50 | struct xfs_inode *src_ip, struct xfs_inode *target_dp, | 50 | struct xfs_inode *src_ip, struct xfs_inode *target_dp, |
51 | struct xfs_name *target_name, struct xfs_inode *target_ip); | 51 | struct xfs_name *target_name, struct xfs_inode *target_ip); |
diff --git a/include/linux/cred.h b/include/linux/cred.h index b69222cc1fd2..3e65587a72e5 100644 --- a/include/linux/cred.h +++ b/include/linux/cred.h | |||
@@ -12,39 +12,150 @@ | |||
12 | #ifndef _LINUX_CRED_H | 12 | #ifndef _LINUX_CRED_H |
13 | #define _LINUX_CRED_H | 13 | #define _LINUX_CRED_H |
14 | 14 | ||
15 | #define get_current_user() (get_uid(current->user)) | 15 | #include <linux/capability.h> |
16 | 16 | #include <linux/key.h> | |
17 | #define task_uid(task) ((task)->uid) | 17 | #include <asm/atomic.h> |
18 | #define task_gid(task) ((task)->gid) | 18 | |
19 | #define task_euid(task) ((task)->euid) | 19 | struct user_struct; |
20 | #define task_egid(task) ((task)->egid) | 20 | struct cred; |
21 | 21 | ||
22 | #define current_uid() (current->uid) | 22 | /* |
23 | #define current_gid() (current->gid) | 23 | * COW Supplementary groups list |
24 | #define current_euid() (current->euid) | 24 | */ |
25 | #define current_egid() (current->egid) | 25 | #define NGROUPS_SMALL 32 |
26 | #define current_suid() (current->suid) | 26 | #define NGROUPS_PER_BLOCK ((unsigned int)(PAGE_SIZE / sizeof(gid_t))) |
27 | #define current_sgid() (current->sgid) | 27 | |
28 | #define current_fsuid() (current->fsuid) | 28 | struct group_info { |
29 | #define current_fsgid() (current->fsgid) | 29 | atomic_t usage; |
30 | #define current_cap() (current->cap_effective) | 30 | int ngroups; |
31 | int nblocks; | ||
32 | gid_t small_block[NGROUPS_SMALL]; | ||
33 | gid_t *blocks[0]; | ||
34 | }; | ||
35 | |||
36 | /** | ||
37 | * get_group_info - Get a reference to a group info structure | ||
38 | * @group_info: The group info to reference | ||
39 | * | ||
40 | * This must be called with the owning task locked (via task_lock()) when task | ||
41 | * != current. The reason being that the vast majority of callers are looking | ||
42 | * at current->group_info, which can not be changed except by the current task. | ||
43 | * Changing current->group_info requires the task lock, too. | ||
44 | */ | ||
45 | #define get_group_info(group_info) \ | ||
46 | do { \ | ||
47 | atomic_inc(&(group_info)->usage); \ | ||
48 | } while (0) | ||
49 | |||
50 | /** | ||
51 | * put_group_info - Release a reference to a group info structure | ||
52 | * @group_info: The group info to release | ||
53 | */ | ||
54 | #define put_group_info(group_info) \ | ||
55 | do { \ | ||
56 | if (atomic_dec_and_test(&(group_info)->usage)) \ | ||
57 | groups_free(group_info); \ | ||
58 | } while (0) | ||
59 | |||
60 | extern struct group_info *groups_alloc(int); | ||
61 | extern void groups_free(struct group_info *); | ||
62 | extern int set_current_groups(struct group_info *); | ||
63 | extern int set_groups(struct cred *, struct group_info *); | ||
64 | extern int groups_search(struct group_info *, gid_t); | ||
65 | |||
66 | /* access the groups "array" with this macro */ | ||
67 | #define GROUP_AT(gi, i) \ | ||
68 | ((gi)->blocks[(i) / NGROUPS_PER_BLOCK][(i) % NGROUPS_PER_BLOCK]) | ||
69 | |||
70 | extern int in_group_p(gid_t); | ||
71 | extern int in_egroup_p(gid_t); | ||
72 | |||
73 | /* | ||
74 | * The security context of a task | ||
75 | * | ||
76 | * The parts of the context break down into two categories: | ||
77 | * | ||
78 | * (1) The objective context of a task. These parts are used when some other | ||
79 | * task is attempting to affect this one. | ||
80 | * | ||
81 | * (2) The subjective context. These details are used when the task is acting | ||
82 | * upon another object, be that a file, a task, a key or whatever. | ||
83 | * | ||
84 | * Note that some members of this structure belong to both categories - the | ||
85 | * LSM security pointer for instance. | ||
86 | * | ||
87 | * A task has two security pointers. task->real_cred points to the objective | ||
88 | * context that defines that task's actual details. The objective part of this | ||
89 | * context is used whenever that task is acted upon. | ||
90 | * | ||
91 | * task->cred points to the subjective context that defines the details of how | ||
92 | * that task is going to act upon another object. This may be overridden | ||
93 | * temporarily to point to another security context, but normally points to the | ||
94 | * same context as task->real_cred. | ||
95 | */ | ||
96 | struct cred { | ||
97 | atomic_t usage; | ||
98 | uid_t uid; /* real UID of the task */ | ||
99 | gid_t gid; /* real GID of the task */ | ||
100 | uid_t suid; /* saved UID of the task */ | ||
101 | gid_t sgid; /* saved GID of the task */ | ||
102 | uid_t euid; /* effective UID of the task */ | ||
103 | gid_t egid; /* effective GID of the task */ | ||
104 | uid_t fsuid; /* UID for VFS ops */ | ||
105 | gid_t fsgid; /* GID for VFS ops */ | ||
106 | unsigned securebits; /* SUID-less security management */ | ||
107 | kernel_cap_t cap_inheritable; /* caps our children can inherit */ | ||
108 | kernel_cap_t cap_permitted; /* caps we're permitted */ | ||
109 | kernel_cap_t cap_effective; /* caps we can actually use */ | ||
110 | kernel_cap_t cap_bset; /* capability bounding set */ | ||
111 | #ifdef CONFIG_KEYS | ||
112 | unsigned char jit_keyring; /* default keyring to attach requested | ||
113 | * keys to */ | ||
114 | struct key *thread_keyring; /* keyring private to this thread */ | ||
115 | struct key *request_key_auth; /* assumed request_key authority */ | ||
116 | #endif | ||
117 | #ifdef CONFIG_SECURITY | ||
118 | void *security; /* subjective LSM security */ | ||
119 | #endif | ||
120 | struct user_struct *user; /* real user ID subscription */ | ||
121 | struct group_info *group_info; /* supplementary groups for euid/fsgid */ | ||
122 | struct rcu_head rcu; /* RCU deletion hook */ | ||
123 | spinlock_t lock; /* lock for pointer changes */ | ||
124 | }; | ||
125 | |||
126 | #define get_current_user() (get_uid(current->cred->user)) | ||
127 | |||
128 | #define task_uid(task) ((task)->cred->uid) | ||
129 | #define task_gid(task) ((task)->cred->gid) | ||
130 | #define task_euid(task) ((task)->cred->euid) | ||
131 | #define task_egid(task) ((task)->cred->egid) | ||
132 | |||
133 | #define current_uid() (current->cred->uid) | ||
134 | #define current_gid() (current->cred->gid) | ||
135 | #define current_euid() (current->cred->euid) | ||
136 | #define current_egid() (current->cred->egid) | ||
137 | #define current_suid() (current->cred->suid) | ||
138 | #define current_sgid() (current->cred->sgid) | ||
139 | #define current_fsuid() (current->cred->fsuid) | ||
140 | #define current_fsgid() (current->cred->fsgid) | ||
141 | #define current_cap() (current->cred->cap_effective) | ||
31 | 142 | ||
32 | #define current_uid_gid(_uid, _gid) \ | 143 | #define current_uid_gid(_uid, _gid) \ |
33 | do { \ | 144 | do { \ |
34 | *(_uid) = current->uid; \ | 145 | *(_uid) = current->cred->uid; \ |
35 | *(_gid) = current->gid; \ | 146 | *(_gid) = current->cred->gid; \ |
36 | } while(0) | 147 | } while(0) |
37 | 148 | ||
38 | #define current_euid_egid(_uid, _gid) \ | 149 | #define current_euid_egid(_uid, _gid) \ |
39 | do { \ | 150 | do { \ |
40 | *(_uid) = current->euid; \ | 151 | *(_uid) = current->cred->euid; \ |
41 | *(_gid) = current->egid; \ | 152 | *(_gid) = current->cred->egid; \ |
42 | } while(0) | 153 | } while(0) |
43 | 154 | ||
44 | #define current_fsuid_fsgid(_uid, _gid) \ | 155 | #define current_fsuid_fsgid(_uid, _gid) \ |
45 | do { \ | 156 | do { \ |
46 | *(_uid) = current->fsuid; \ | 157 | *(_uid) = current->cred->fsuid; \ |
47 | *(_gid) = current->fsgid; \ | 158 | *(_gid) = current->cred->fsgid; \ |
48 | } while(0) | 159 | } while(0) |
49 | 160 | ||
50 | #endif /* _LINUX_CRED_H */ | 161 | #endif /* _LINUX_CRED_H */ |
diff --git a/include/linux/init_task.h b/include/linux/init_task.h index 23fd8909b9e5..9de41ccd67b5 100644 --- a/include/linux/init_task.h +++ b/include/linux/init_task.h | |||
@@ -113,6 +113,21 @@ extern struct group_info init_groups; | |||
113 | # define CAP_INIT_BSET CAP_INIT_EFF_SET | 113 | # define CAP_INIT_BSET CAP_INIT_EFF_SET |
114 | #endif | 114 | #endif |
115 | 115 | ||
116 | extern struct cred init_cred; | ||
117 | |||
118 | #define INIT_CRED(p) \ | ||
119 | { \ | ||
120 | .usage = ATOMIC_INIT(3), \ | ||
121 | .securebits = SECUREBITS_DEFAULT, \ | ||
122 | .cap_inheritable = CAP_INIT_INH_SET, \ | ||
123 | .cap_permitted = CAP_FULL_SET, \ | ||
124 | .cap_effective = CAP_INIT_EFF_SET, \ | ||
125 | .cap_bset = CAP_INIT_BSET, \ | ||
126 | .user = INIT_USER, \ | ||
127 | .group_info = &init_groups, \ | ||
128 | .lock = __SPIN_LOCK_UNLOCKED(p.lock), \ | ||
129 | } | ||
130 | |||
116 | /* | 131 | /* |
117 | * INIT_TASK is used to set up the first task table, touch at | 132 | * INIT_TASK is used to set up the first task table, touch at |
118 | * your own risk!. Base=0, limit=0x1fffff (=2MB) | 133 | * your own risk!. Base=0, limit=0x1fffff (=2MB) |
@@ -147,13 +162,8 @@ extern struct group_info init_groups; | |||
147 | .children = LIST_HEAD_INIT(tsk.children), \ | 162 | .children = LIST_HEAD_INIT(tsk.children), \ |
148 | .sibling = LIST_HEAD_INIT(tsk.sibling), \ | 163 | .sibling = LIST_HEAD_INIT(tsk.sibling), \ |
149 | .group_leader = &tsk, \ | 164 | .group_leader = &tsk, \ |
150 | .group_info = &init_groups, \ | 165 | .__temp_cred = INIT_CRED(tsk.__temp_cred), \ |
151 | .cap_effective = CAP_INIT_EFF_SET, \ | 166 | .cred = &tsk.__temp_cred, \ |
152 | .cap_inheritable = CAP_INIT_INH_SET, \ | ||
153 | .cap_permitted = CAP_FULL_SET, \ | ||
154 | .cap_bset = CAP_INIT_BSET, \ | ||
155 | .securebits = SECUREBITS_DEFAULT, \ | ||
156 | .user = INIT_USER, \ | ||
157 | .comm = "swapper", \ | 167 | .comm = "swapper", \ |
158 | .thread = INIT_THREAD, \ | 168 | .thread = INIT_THREAD, \ |
159 | .fs = &init_fs, \ | 169 | .fs = &init_fs, \ |
diff --git a/include/linux/sched.h b/include/linux/sched.h index b483f39a7112..c8b92502354d 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h | |||
@@ -660,6 +660,7 @@ extern struct user_struct *find_user(uid_t); | |||
660 | extern struct user_struct root_user; | 660 | extern struct user_struct root_user; |
661 | #define INIT_USER (&root_user) | 661 | #define INIT_USER (&root_user) |
662 | 662 | ||
663 | |||
663 | struct backing_dev_info; | 664 | struct backing_dev_info; |
664 | struct reclaim_state; | 665 | struct reclaim_state; |
665 | 666 | ||
@@ -883,38 +884,7 @@ partition_sched_domains(int ndoms_new, cpumask_t *doms_new, | |||
883 | #endif /* !CONFIG_SMP */ | 884 | #endif /* !CONFIG_SMP */ |
884 | 885 | ||
885 | struct io_context; /* See blkdev.h */ | 886 | struct io_context; /* See blkdev.h */ |
886 | #define NGROUPS_SMALL 32 | ||
887 | #define NGROUPS_PER_BLOCK ((unsigned int)(PAGE_SIZE / sizeof(gid_t))) | ||
888 | struct group_info { | ||
889 | int ngroups; | ||
890 | atomic_t usage; | ||
891 | gid_t small_block[NGROUPS_SMALL]; | ||
892 | int nblocks; | ||
893 | gid_t *blocks[0]; | ||
894 | }; | ||
895 | |||
896 | /* | ||
897 | * get_group_info() must be called with the owning task locked (via task_lock()) | ||
898 | * when task != current. The reason being that the vast majority of callers are | ||
899 | * looking at current->group_info, which can not be changed except by the | ||
900 | * current task. Changing current->group_info requires the task lock, too. | ||
901 | */ | ||
902 | #define get_group_info(group_info) do { \ | ||
903 | atomic_inc(&(group_info)->usage); \ | ||
904 | } while (0) | ||
905 | 887 | ||
906 | #define put_group_info(group_info) do { \ | ||
907 | if (atomic_dec_and_test(&(group_info)->usage)) \ | ||
908 | groups_free(group_info); \ | ||
909 | } while (0) | ||
910 | |||
911 | extern struct group_info *groups_alloc(int gidsetsize); | ||
912 | extern void groups_free(struct group_info *group_info); | ||
913 | extern int set_current_groups(struct group_info *group_info); | ||
914 | extern int groups_search(struct group_info *group_info, gid_t grp); | ||
915 | /* access the groups "array" with this macro */ | ||
916 | #define GROUP_AT(gi, i) \ | ||
917 | ((gi)->blocks[(i)/NGROUPS_PER_BLOCK][(i)%NGROUPS_PER_BLOCK]) | ||
918 | 888 | ||
919 | #ifdef ARCH_HAS_PREFETCH_SWITCH_STACK | 889 | #ifdef ARCH_HAS_PREFETCH_SWITCH_STACK |
920 | extern void prefetch_stack(struct task_struct *t); | 890 | extern void prefetch_stack(struct task_struct *t); |
@@ -1181,17 +1151,9 @@ struct task_struct { | |||
1181 | struct list_head cpu_timers[3]; | 1151 | struct list_head cpu_timers[3]; |
1182 | 1152 | ||
1183 | /* process credentials */ | 1153 | /* process credentials */ |
1184 | uid_t uid,euid,suid,fsuid; | 1154 | struct cred __temp_cred __deprecated; /* temporary credentials to be removed */ |
1185 | gid_t gid,egid,sgid,fsgid; | 1155 | struct cred *cred; /* actual/objective task credentials */ |
1186 | struct group_info *group_info; | 1156 | |
1187 | kernel_cap_t cap_effective, cap_inheritable, cap_permitted, cap_bset; | ||
1188 | struct user_struct *user; | ||
1189 | unsigned securebits; | ||
1190 | #ifdef CONFIG_KEYS | ||
1191 | unsigned char jit_keyring; /* default keyring to attach requested keys to */ | ||
1192 | struct key *request_key_auth; /* assumed request_key authority */ | ||
1193 | struct key *thread_keyring; /* keyring private to this thread */ | ||
1194 | #endif | ||
1195 | char comm[TASK_COMM_LEN]; /* executable name excluding path | 1157 | char comm[TASK_COMM_LEN]; /* executable name excluding path |
1196 | - access with [gs]et_task_comm (which lock | 1158 | - access with [gs]et_task_comm (which lock |
1197 | it with task_lock()) | 1159 | it with task_lock()) |
@@ -1228,9 +1190,6 @@ struct task_struct { | |||
1228 | int (*notifier)(void *priv); | 1190 | int (*notifier)(void *priv); |
1229 | void *notifier_data; | 1191 | void *notifier_data; |
1230 | sigset_t *notifier_mask; | 1192 | sigset_t *notifier_mask; |
1231 | #ifdef CONFIG_SECURITY | ||
1232 | void *security; | ||
1233 | #endif | ||
1234 | struct audit_context *audit_context; | 1193 | struct audit_context *audit_context; |
1235 | #ifdef CONFIG_AUDITSYSCALL | 1194 | #ifdef CONFIG_AUDITSYSCALL |
1236 | uid_t loginuid; | 1195 | uid_t loginuid; |
@@ -1787,9 +1746,6 @@ extern void wake_up_new_task(struct task_struct *tsk, | |||
1787 | extern void sched_fork(struct task_struct *p, int clone_flags); | 1746 | extern void sched_fork(struct task_struct *p, int clone_flags); |
1788 | extern void sched_dead(struct task_struct *p); | 1747 | extern void sched_dead(struct task_struct *p); |
1789 | 1748 | ||
1790 | extern int in_group_p(gid_t); | ||
1791 | extern int in_egroup_p(gid_t); | ||
1792 | |||
1793 | extern void proc_caches_init(void); | 1749 | extern void proc_caches_init(void); |
1794 | extern void flush_signals(struct task_struct *); | 1750 | extern void flush_signals(struct task_struct *); |
1795 | extern void ignore_signals(struct task_struct *); | 1751 | extern void ignore_signals(struct task_struct *); |
diff --git a/include/linux/securebits.h b/include/linux/securebits.h index 92f09bdf1175..6d389491bfa2 100644 --- a/include/linux/securebits.h +++ b/include/linux/securebits.h | |||
@@ -32,7 +32,7 @@ | |||
32 | setting is locked or not. A setting which is locked cannot be | 32 | setting is locked or not. A setting which is locked cannot be |
33 | changed from user-level. */ | 33 | changed from user-level. */ |
34 | #define issecure_mask(X) (1 << (X)) | 34 | #define issecure_mask(X) (1 << (X)) |
35 | #define issecure(X) (issecure_mask(X) & current->securebits) | 35 | #define issecure(X) (issecure_mask(X) & current->cred->securebits) |
36 | 36 | ||
37 | #define SECURE_ALL_BITS (issecure_mask(SECURE_NOROOT) | \ | 37 | #define SECURE_ALL_BITS (issecure_mask(SECURE_NOROOT) | \ |
38 | issecure_mask(SECURE_NO_SETUID_FIXUP) | \ | 38 | issecure_mask(SECURE_NO_SETUID_FIXUP) | \ |
diff --git a/ipc/mqueue.c b/ipc/mqueue.c index abda5991d7e3..e1885b494bac 100644 --- a/ipc/mqueue.c +++ b/ipc/mqueue.c | |||
@@ -126,7 +126,7 @@ static struct inode *mqueue_get_inode(struct super_block *sb, int mode, | |||
126 | if (S_ISREG(mode)) { | 126 | if (S_ISREG(mode)) { |
127 | struct mqueue_inode_info *info; | 127 | struct mqueue_inode_info *info; |
128 | struct task_struct *p = current; | 128 | struct task_struct *p = current; |
129 | struct user_struct *u = p->user; | 129 | struct user_struct *u = p->cred->user; |
130 | unsigned long mq_bytes, mq_msg_tblsz; | 130 | unsigned long mq_bytes, mq_msg_tblsz; |
131 | 131 | ||
132 | inode->i_fop = &mqueue_file_operations; | 132 | inode->i_fop = &mqueue_file_operations; |
@@ -366,7 +366,7 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params) | |||
366 | if (shmflg & SHM_HUGETLB) { | 366 | if (shmflg & SHM_HUGETLB) { |
367 | /* hugetlb_file_setup takes care of mlock user accounting */ | 367 | /* hugetlb_file_setup takes care of mlock user accounting */ |
368 | file = hugetlb_file_setup(name, size); | 368 | file = hugetlb_file_setup(name, size); |
369 | shp->mlock_user = current->user; | 369 | shp->mlock_user = current->cred->user; |
370 | } else { | 370 | } else { |
371 | int acctflag = VM_ACCOUNT; | 371 | int acctflag = VM_ACCOUNT; |
372 | /* | 372 | /* |
@@ -767,7 +767,7 @@ asmlinkage long sys_shmctl(int shmid, int cmd, struct shmid_ds __user *buf) | |||
767 | goto out_unlock; | 767 | goto out_unlock; |
768 | 768 | ||
769 | if(cmd==SHM_LOCK) { | 769 | if(cmd==SHM_LOCK) { |
770 | struct user_struct * user = current->user; | 770 | struct user_struct *user = current->cred->user; |
771 | if (!is_file_hugepages(shp->shm_file)) { | 771 | if (!is_file_hugepages(shp->shm_file)) { |
772 | err = shmem_lock(shp->shm_file, 1, user); | 772 | err = shmem_lock(shp->shm_file, 1, user); |
773 | if (!err && !(shp->shm_perm.mode & SHM_LOCKED)){ | 773 | if (!err && !(shp->shm_perm.mode & SHM_LOCKED)){ |
diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 9c7e47ae4576..2febf5165fad 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c | |||
@@ -447,6 +447,7 @@ static int audit_filter_rules(struct task_struct *tsk, | |||
447 | struct audit_names *name, | 447 | struct audit_names *name, |
448 | enum audit_state *state) | 448 | enum audit_state *state) |
449 | { | 449 | { |
450 | struct cred *cred = tsk->cred; | ||
450 | int i, j, need_sid = 1; | 451 | int i, j, need_sid = 1; |
451 | u32 sid; | 452 | u32 sid; |
452 | 453 | ||
@@ -466,28 +467,28 @@ static int audit_filter_rules(struct task_struct *tsk, | |||
466 | } | 467 | } |
467 | break; | 468 | break; |
468 | case AUDIT_UID: | 469 | case AUDIT_UID: |
469 | result = audit_comparator(tsk->uid, f->op, f->val); | 470 | result = audit_comparator(cred->uid, f->op, f->val); |
470 | break; | 471 | break; |
471 | case AUDIT_EUID: | 472 | case AUDIT_EUID: |
472 | result = audit_comparator(tsk->euid, f->op, f->val); | 473 | result = audit_comparator(cred->euid, f->op, f->val); |
473 | break; | 474 | break; |
474 | case AUDIT_SUID: | 475 | case AUDIT_SUID: |
475 | result = audit_comparator(tsk->suid, f->op, f->val); | 476 | result = audit_comparator(cred->suid, f->op, f->val); |
476 | break; | 477 | break; |
477 | case AUDIT_FSUID: | 478 | case AUDIT_FSUID: |
478 | result = audit_comparator(tsk->fsuid, f->op, f->val); | 479 | result = audit_comparator(cred->fsuid, f->op, f->val); |
479 | break; | 480 | break; |
480 | case AUDIT_GID: | 481 | case AUDIT_GID: |
481 | result = audit_comparator(tsk->gid, f->op, f->val); | 482 | result = audit_comparator(cred->gid, f->op, f->val); |
482 | break; | 483 | break; |
483 | case AUDIT_EGID: | 484 | case AUDIT_EGID: |
484 | result = audit_comparator(tsk->egid, f->op, f->val); | 485 | result = audit_comparator(cred->egid, f->op, f->val); |
485 | break; | 486 | break; |
486 | case AUDIT_SGID: | 487 | case AUDIT_SGID: |
487 | result = audit_comparator(tsk->sgid, f->op, f->val); | 488 | result = audit_comparator(cred->sgid, f->op, f->val); |
488 | break; | 489 | break; |
489 | case AUDIT_FSGID: | 490 | case AUDIT_FSGID: |
490 | result = audit_comparator(tsk->fsgid, f->op, f->val); | 491 | result = audit_comparator(cred->fsgid, f->op, f->val); |
491 | break; | 492 | break; |
492 | case AUDIT_PERS: | 493 | case AUDIT_PERS: |
493 | result = audit_comparator(tsk->personality, f->op, f->val); | 494 | result = audit_comparator(tsk->personality, f->op, f->val); |
@@ -1228,6 +1229,7 @@ static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name) | |||
1228 | 1229 | ||
1229 | static void audit_log_exit(struct audit_context *context, struct task_struct *tsk) | 1230 | static void audit_log_exit(struct audit_context *context, struct task_struct *tsk) |
1230 | { | 1231 | { |
1232 | struct cred *cred = tsk->cred; | ||
1231 | int i, call_panic = 0; | 1233 | int i, call_panic = 0; |
1232 | struct audit_buffer *ab; | 1234 | struct audit_buffer *ab; |
1233 | struct audit_aux_data *aux; | 1235 | struct audit_aux_data *aux; |
@@ -1237,14 +1239,14 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts | |||
1237 | context->pid = tsk->pid; | 1239 | context->pid = tsk->pid; |
1238 | if (!context->ppid) | 1240 | if (!context->ppid) |
1239 | context->ppid = sys_getppid(); | 1241 | context->ppid = sys_getppid(); |
1240 | context->uid = tsk->uid; | 1242 | context->uid = cred->uid; |
1241 | context->gid = tsk->gid; | 1243 | context->gid = cred->gid; |
1242 | context->euid = tsk->euid; | 1244 | context->euid = cred->euid; |
1243 | context->suid = tsk->suid; | 1245 | context->suid = cred->suid; |
1244 | context->fsuid = tsk->fsuid; | 1246 | context->fsuid = cred->fsuid; |
1245 | context->egid = tsk->egid; | 1247 | context->egid = cred->egid; |
1246 | context->sgid = tsk->sgid; | 1248 | context->sgid = cred->sgid; |
1247 | context->fsgid = tsk->fsgid; | 1249 | context->fsgid = cred->fsgid; |
1248 | context->personality = tsk->personality; | 1250 | context->personality = tsk->personality; |
1249 | 1251 | ||
1250 | ab = audit_log_start(context, GFP_KERNEL, AUDIT_SYSCALL); | 1252 | ab = audit_log_start(context, GFP_KERNEL, AUDIT_SYSCALL); |
@@ -2086,7 +2088,7 @@ int audit_set_loginuid(struct task_struct *task, uid_t loginuid) | |||
2086 | audit_log_format(ab, "login pid=%d uid=%u " | 2088 | audit_log_format(ab, "login pid=%d uid=%u " |
2087 | "old auid=%u new auid=%u" | 2089 | "old auid=%u new auid=%u" |
2088 | " old ses=%u new ses=%u", | 2090 | " old ses=%u new ses=%u", |
2089 | task->pid, task->uid, | 2091 | task->pid, task->cred->uid, |
2090 | task->loginuid, loginuid, | 2092 | task->loginuid, loginuid, |
2091 | task->sessionid, sessionid); | 2093 | task->sessionid, sessionid); |
2092 | audit_log_end(ab); | 2094 | audit_log_end(ab); |
@@ -2469,7 +2471,7 @@ void __audit_ptrace(struct task_struct *t) | |||
2469 | 2471 | ||
2470 | context->target_pid = t->pid; | 2472 | context->target_pid = t->pid; |
2471 | context->target_auid = audit_get_loginuid(t); | 2473 | context->target_auid = audit_get_loginuid(t); |
2472 | context->target_uid = t->uid; | 2474 | context->target_uid = t->cred->uid; |
2473 | context->target_sessionid = audit_get_sessionid(t); | 2475 | context->target_sessionid = audit_get_sessionid(t); |
2474 | security_task_getsecid(t, &context->target_sid); | 2476 | security_task_getsecid(t, &context->target_sid); |
2475 | memcpy(context->target_comm, t->comm, TASK_COMM_LEN); | 2477 | memcpy(context->target_comm, t->comm, TASK_COMM_LEN); |
@@ -2495,7 +2497,7 @@ int __audit_signal_info(int sig, struct task_struct *t) | |||
2495 | if (tsk->loginuid != -1) | 2497 | if (tsk->loginuid != -1) |
2496 | audit_sig_uid = tsk->loginuid; | 2498 | audit_sig_uid = tsk->loginuid; |
2497 | else | 2499 | else |
2498 | audit_sig_uid = tsk->uid; | 2500 | audit_sig_uid = tsk->cred->uid; |
2499 | security_task_getsecid(tsk, &audit_sig_sid); | 2501 | security_task_getsecid(tsk, &audit_sig_sid); |
2500 | } | 2502 | } |
2501 | if (!audit_signals || audit_dummy_context()) | 2503 | if (!audit_signals || audit_dummy_context()) |
@@ -2507,7 +2509,7 @@ int __audit_signal_info(int sig, struct task_struct *t) | |||
2507 | if (!ctx->target_pid) { | 2509 | if (!ctx->target_pid) { |
2508 | ctx->target_pid = t->tgid; | 2510 | ctx->target_pid = t->tgid; |
2509 | ctx->target_auid = audit_get_loginuid(t); | 2511 | ctx->target_auid = audit_get_loginuid(t); |
2510 | ctx->target_uid = t->uid; | 2512 | ctx->target_uid = t->cred->uid; |
2511 | ctx->target_sessionid = audit_get_sessionid(t); | 2513 | ctx->target_sessionid = audit_get_sessionid(t); |
2512 | security_task_getsecid(t, &ctx->target_sid); | 2514 | security_task_getsecid(t, &ctx->target_sid); |
2513 | memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN); | 2515 | memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN); |
@@ -2528,7 +2530,7 @@ int __audit_signal_info(int sig, struct task_struct *t) | |||
2528 | 2530 | ||
2529 | axp->target_pid[axp->pid_count] = t->tgid; | 2531 | axp->target_pid[axp->pid_count] = t->tgid; |
2530 | axp->target_auid[axp->pid_count] = audit_get_loginuid(t); | 2532 | axp->target_auid[axp->pid_count] = audit_get_loginuid(t); |
2531 | axp->target_uid[axp->pid_count] = t->uid; | 2533 | axp->target_uid[axp->pid_count] = t->cred->uid; |
2532 | axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t); | 2534 | axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t); |
2533 | security_task_getsecid(t, &axp->target_sid[axp->pid_count]); | 2535 | security_task_getsecid(t, &axp->target_sid[axp->pid_count]); |
2534 | memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN); | 2536 | memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN); |
@@ -2575,12 +2577,12 @@ void __audit_log_bprm_fcaps(struct linux_binprm *bprm, kernel_cap_t *pP, kernel_ | |||
2575 | ax->fcap_ver = (vcaps.magic_etc & VFS_CAP_REVISION_MASK) >> VFS_CAP_REVISION_SHIFT; | 2577 | ax->fcap_ver = (vcaps.magic_etc & VFS_CAP_REVISION_MASK) >> VFS_CAP_REVISION_SHIFT; |
2576 | 2578 | ||
2577 | ax->old_pcap.permitted = *pP; | 2579 | ax->old_pcap.permitted = *pP; |
2578 | ax->old_pcap.inheritable = current->cap_inheritable; | 2580 | ax->old_pcap.inheritable = current->cred->cap_inheritable; |
2579 | ax->old_pcap.effective = *pE; | 2581 | ax->old_pcap.effective = *pE; |
2580 | 2582 | ||
2581 | ax->new_pcap.permitted = current->cap_permitted; | 2583 | ax->new_pcap.permitted = current->cred->cap_permitted; |
2582 | ax->new_pcap.inheritable = current->cap_inheritable; | 2584 | ax->new_pcap.inheritable = current->cred->cap_inheritable; |
2583 | ax->new_pcap.effective = current->cap_effective; | 2585 | ax->new_pcap.effective = current->cred->cap_effective; |
2584 | } | 2586 | } |
2585 | 2587 | ||
2586 | /** | 2588 | /** |
diff --git a/kernel/capability.c b/kernel/capability.c index 58b00519624a..a404b980b1bd 100644 --- a/kernel/capability.c +++ b/kernel/capability.c | |||
@@ -171,8 +171,8 @@ kernel_cap_t cap_set_effective(const kernel_cap_t pE_new) | |||
171 | 171 | ||
172 | spin_lock(&task_capability_lock); | 172 | spin_lock(&task_capability_lock); |
173 | 173 | ||
174 | pE_old = current->cap_effective; | 174 | pE_old = current->cred->cap_effective; |
175 | current->cap_effective = pE_new; | 175 | current->cred->cap_effective = pE_new; |
176 | 176 | ||
177 | spin_unlock(&task_capability_lock); | 177 | spin_unlock(&task_capability_lock); |
178 | 178 | ||
diff --git a/kernel/cgroup.c b/kernel/cgroup.c index 78f9b310c4f3..e210526e6401 100644 --- a/kernel/cgroup.c +++ b/kernel/cgroup.c | |||
@@ -1293,7 +1293,9 @@ static int attach_task_by_pid(struct cgroup *cgrp, u64 pid) | |||
1293 | rcu_read_unlock(); | 1293 | rcu_read_unlock(); |
1294 | 1294 | ||
1295 | euid = current_euid(); | 1295 | euid = current_euid(); |
1296 | if (euid && euid != tsk->uid && euid != tsk->suid) { | 1296 | if (euid && |
1297 | euid != tsk->cred->uid && | ||
1298 | euid != tsk->cred->suid) { | ||
1297 | put_task_struct(tsk); | 1299 | put_task_struct(tsk); |
1298 | return -EACCES; | 1300 | return -EACCES; |
1299 | } | 1301 | } |
diff --git a/kernel/exit.c b/kernel/exit.c index 80137a5d9467..e0f6e1892fb9 100644 --- a/kernel/exit.c +++ b/kernel/exit.c | |||
@@ -160,7 +160,7 @@ void release_task(struct task_struct * p) | |||
160 | int zap_leader; | 160 | int zap_leader; |
161 | repeat: | 161 | repeat: |
162 | tracehook_prepare_release_task(p); | 162 | tracehook_prepare_release_task(p); |
163 | atomic_dec(&p->user->processes); | 163 | atomic_dec(&p->cred->user->processes); |
164 | proc_flush_task(p); | 164 | proc_flush_task(p); |
165 | write_lock_irq(&tasklist_lock); | 165 | write_lock_irq(&tasklist_lock); |
166 | tracehook_finish_release_task(p); | 166 | tracehook_finish_release_task(p); |
@@ -1272,7 +1272,7 @@ static int wait_task_zombie(struct task_struct *p, int options, | |||
1272 | return 0; | 1272 | return 0; |
1273 | 1273 | ||
1274 | if (unlikely(options & WNOWAIT)) { | 1274 | if (unlikely(options & WNOWAIT)) { |
1275 | uid_t uid = p->uid; | 1275 | uid_t uid = p->cred->uid; |
1276 | int exit_code = p->exit_code; | 1276 | int exit_code = p->exit_code; |
1277 | int why, status; | 1277 | int why, status; |
1278 | 1278 | ||
@@ -1393,7 +1393,7 @@ static int wait_task_zombie(struct task_struct *p, int options, | |||
1393 | if (!retval && infop) | 1393 | if (!retval && infop) |
1394 | retval = put_user(pid, &infop->si_pid); | 1394 | retval = put_user(pid, &infop->si_pid); |
1395 | if (!retval && infop) | 1395 | if (!retval && infop) |
1396 | retval = put_user(p->uid, &infop->si_uid); | 1396 | retval = put_user(p->cred->uid, &infop->si_uid); |
1397 | if (!retval) | 1397 | if (!retval) |
1398 | retval = pid; | 1398 | retval = pid; |
1399 | 1399 | ||
@@ -1458,7 +1458,7 @@ static int wait_task_stopped(int ptrace, struct task_struct *p, | |||
1458 | if (!unlikely(options & WNOWAIT)) | 1458 | if (!unlikely(options & WNOWAIT)) |
1459 | p->exit_code = 0; | 1459 | p->exit_code = 0; |
1460 | 1460 | ||
1461 | uid = p->uid; | 1461 | uid = p->cred->uid; |
1462 | unlock_sig: | 1462 | unlock_sig: |
1463 | spin_unlock_irq(&p->sighand->siglock); | 1463 | spin_unlock_irq(&p->sighand->siglock); |
1464 | if (!exit_code) | 1464 | if (!exit_code) |
@@ -1535,7 +1535,7 @@ static int wait_task_continued(struct task_struct *p, int options, | |||
1535 | spin_unlock_irq(&p->sighand->siglock); | 1535 | spin_unlock_irq(&p->sighand->siglock); |
1536 | 1536 | ||
1537 | pid = task_pid_vnr(p); | 1537 | pid = task_pid_vnr(p); |
1538 | uid = p->uid; | 1538 | uid = p->cred->uid; |
1539 | get_task_struct(p); | 1539 | get_task_struct(p); |
1540 | read_unlock(&tasklist_lock); | 1540 | read_unlock(&tasklist_lock); |
1541 | 1541 | ||
diff --git a/kernel/fork.c b/kernel/fork.c index f6083561dfe0..81fdc7733908 100644 --- a/kernel/fork.c +++ b/kernel/fork.c | |||
@@ -147,8 +147,8 @@ void __put_task_struct(struct task_struct *tsk) | |||
147 | WARN_ON(tsk == current); | 147 | WARN_ON(tsk == current); |
148 | 148 | ||
149 | security_task_free(tsk); | 149 | security_task_free(tsk); |
150 | free_uid(tsk->user); | 150 | free_uid(tsk->__temp_cred.user); |
151 | put_group_info(tsk->group_info); | 151 | put_group_info(tsk->__temp_cred.group_info); |
152 | delayacct_tsk_free(tsk); | 152 | delayacct_tsk_free(tsk); |
153 | 153 | ||
154 | if (!profile_handoff_task(tsk)) | 154 | if (!profile_handoff_task(tsk)) |
@@ -969,17 +969,18 @@ static struct task_struct *copy_process(unsigned long clone_flags, | |||
969 | DEBUG_LOCKS_WARN_ON(!p->hardirqs_enabled); | 969 | DEBUG_LOCKS_WARN_ON(!p->hardirqs_enabled); |
970 | DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled); | 970 | DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled); |
971 | #endif | 971 | #endif |
972 | p->cred = &p->__temp_cred; | ||
972 | retval = -EAGAIN; | 973 | retval = -EAGAIN; |
973 | if (atomic_read(&p->user->processes) >= | 974 | if (atomic_read(&p->cred->user->processes) >= |
974 | p->signal->rlim[RLIMIT_NPROC].rlim_cur) { | 975 | p->signal->rlim[RLIMIT_NPROC].rlim_cur) { |
975 | if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) && | 976 | if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) && |
976 | p->user != current->nsproxy->user_ns->root_user) | 977 | p->cred->user != current->nsproxy->user_ns->root_user) |
977 | goto bad_fork_free; | 978 | goto bad_fork_free; |
978 | } | 979 | } |
979 | 980 | ||
980 | atomic_inc(&p->user->__count); | 981 | atomic_inc(&p->cred->user->__count); |
981 | atomic_inc(&p->user->processes); | 982 | atomic_inc(&p->cred->user->processes); |
982 | get_group_info(p->group_info); | 983 | get_group_info(p->cred->group_info); |
983 | 984 | ||
984 | /* | 985 | /* |
985 | * If multiple threads are within copy_process(), then this check | 986 | * If multiple threads are within copy_process(), then this check |
@@ -1035,9 +1036,8 @@ static struct task_struct *copy_process(unsigned long clone_flags, | |||
1035 | p->real_start_time = p->start_time; | 1036 | p->real_start_time = p->start_time; |
1036 | monotonic_to_bootbased(&p->real_start_time); | 1037 | monotonic_to_bootbased(&p->real_start_time); |
1037 | #ifdef CONFIG_SECURITY | 1038 | #ifdef CONFIG_SECURITY |
1038 | p->security = NULL; | 1039 | p->cred->security = NULL; |
1039 | #endif | 1040 | #endif |
1040 | p->cap_bset = current->cap_bset; | ||
1041 | p->io_context = NULL; | 1041 | p->io_context = NULL; |
1042 | p->audit_context = NULL; | 1042 | p->audit_context = NULL; |
1043 | cgroup_fork(p); | 1043 | cgroup_fork(p); |
@@ -1298,9 +1298,9 @@ bad_fork_cleanup_cgroup: | |||
1298 | bad_fork_cleanup_put_domain: | 1298 | bad_fork_cleanup_put_domain: |
1299 | module_put(task_thread_info(p)->exec_domain->module); | 1299 | module_put(task_thread_info(p)->exec_domain->module); |
1300 | bad_fork_cleanup_count: | 1300 | bad_fork_cleanup_count: |
1301 | put_group_info(p->group_info); | 1301 | put_group_info(p->cred->group_info); |
1302 | atomic_dec(&p->user->processes); | 1302 | atomic_dec(&p->cred->user->processes); |
1303 | free_uid(p->user); | 1303 | free_uid(p->cred->user); |
1304 | bad_fork_free: | 1304 | bad_fork_free: |
1305 | free_task(p); | 1305 | free_task(p); |
1306 | fork_out: | 1306 | fork_out: |
diff --git a/kernel/futex.c b/kernel/futex.c index e06962132aaf..28421d8210b8 100644 --- a/kernel/futex.c +++ b/kernel/futex.c | |||
@@ -443,7 +443,8 @@ static struct task_struct * futex_find_get_task(pid_t pid) | |||
443 | 443 | ||
444 | rcu_read_lock(); | 444 | rcu_read_lock(); |
445 | p = find_task_by_vpid(pid); | 445 | p = find_task_by_vpid(pid); |
446 | if (!p || (euid != p->euid && euid != p->uid)) | 446 | if (!p || (euid != p->cred->euid && |
447 | euid != p->cred->uid)) | ||
447 | p = ERR_PTR(-ESRCH); | 448 | p = ERR_PTR(-ESRCH); |
448 | else | 449 | else |
449 | get_task_struct(p); | 450 | get_task_struct(p); |
@@ -1846,7 +1847,8 @@ sys_get_robust_list(int pid, struct robust_list_head __user * __user *head_ptr, | |||
1846 | if (!p) | 1847 | if (!p) |
1847 | goto err_unlock; | 1848 | goto err_unlock; |
1848 | ret = -EPERM; | 1849 | ret = -EPERM; |
1849 | if (euid != p->euid && euid != p->uid && | 1850 | if (euid != p->cred->euid && |
1851 | euid != p->cred->uid && | ||
1850 | !capable(CAP_SYS_PTRACE)) | 1852 | !capable(CAP_SYS_PTRACE)) |
1851 | goto err_unlock; | 1853 | goto err_unlock; |
1852 | head = p->robust_list; | 1854 | head = p->robust_list; |
diff --git a/kernel/futex_compat.c b/kernel/futex_compat.c index 3254d4e41e88..2c3fd5ed34f5 100644 --- a/kernel/futex_compat.c +++ b/kernel/futex_compat.c | |||
@@ -151,8 +151,9 @@ compat_sys_get_robust_list(int pid, compat_uptr_t __user *head_ptr, | |||
151 | if (!p) | 151 | if (!p) |
152 | goto err_unlock; | 152 | goto err_unlock; |
153 | ret = -EPERM; | 153 | ret = -EPERM; |
154 | if (euid != p->euid && euid != p->uid && | 154 | if (euid != p->cred->euid && |
155 | !capable(CAP_SYS_PTRACE)) | 155 | euid != p->cred->uid && |
156 | !capable(CAP_SYS_PTRACE)) | ||
156 | goto err_unlock; | 157 | goto err_unlock; |
157 | head = p->compat_robust_list; | 158 | head = p->compat_robust_list; |
158 | read_unlock(&tasklist_lock); | 159 | read_unlock(&tasklist_lock); |
diff --git a/kernel/ptrace.c b/kernel/ptrace.c index 937f6b5b2008..49849d12dd12 100644 --- a/kernel/ptrace.c +++ b/kernel/ptrace.c | |||
@@ -115,6 +115,8 @@ int ptrace_check_attach(struct task_struct *child, int kill) | |||
115 | 115 | ||
116 | int __ptrace_may_access(struct task_struct *task, unsigned int mode) | 116 | int __ptrace_may_access(struct task_struct *task, unsigned int mode) |
117 | { | 117 | { |
118 | struct cred *cred = current->cred, *tcred = task->cred; | ||
119 | |||
118 | /* May we inspect the given task? | 120 | /* May we inspect the given task? |
119 | * This check is used both for attaching with ptrace | 121 | * This check is used both for attaching with ptrace |
120 | * and for allowing access to sensitive information in /proc. | 122 | * and for allowing access to sensitive information in /proc. |
@@ -123,19 +125,18 @@ int __ptrace_may_access(struct task_struct *task, unsigned int mode) | |||
123 | * because setting up the necessary parent/child relationship | 125 | * because setting up the necessary parent/child relationship |
124 | * or halting the specified task is impossible. | 126 | * or halting the specified task is impossible. |
125 | */ | 127 | */ |
126 | uid_t uid; | 128 | uid_t uid = cred->uid; |
127 | gid_t gid; | 129 | gid_t gid = cred->gid; |
128 | int dumpable = 0; | 130 | int dumpable = 0; |
129 | /* Don't let security modules deny introspection */ | 131 | /* Don't let security modules deny introspection */ |
130 | if (task == current) | 132 | if (task == current) |
131 | return 0; | 133 | return 0; |
132 | current_uid_gid(&uid, &gid); | 134 | if ((uid != tcred->euid || |
133 | if ((uid != task->euid || | 135 | uid != tcred->suid || |
134 | uid != task->suid || | 136 | uid != tcred->uid || |
135 | uid != task->uid || | 137 | gid != tcred->egid || |
136 | gid != task->egid || | 138 | gid != tcred->sgid || |
137 | gid != task->sgid || | 139 | gid != tcred->gid) && !capable(CAP_SYS_PTRACE)) |
138 | gid != task->gid) && !capable(CAP_SYS_PTRACE)) | ||
139 | return -EPERM; | 140 | return -EPERM; |
140 | smp_rmb(); | 141 | smp_rmb(); |
141 | if (task->mm) | 142 | if (task->mm) |
diff --git a/kernel/sched.c b/kernel/sched.c index c3b8b1fcde0d..733c59e645aa 100644 --- a/kernel/sched.c +++ b/kernel/sched.c | |||
@@ -345,7 +345,7 @@ static inline struct task_group *task_group(struct task_struct *p) | |||
345 | struct task_group *tg; | 345 | struct task_group *tg; |
346 | 346 | ||
347 | #ifdef CONFIG_USER_SCHED | 347 | #ifdef CONFIG_USER_SCHED |
348 | tg = p->user->tg; | 348 | tg = p->cred->user->tg; |
349 | #elif defined(CONFIG_CGROUP_SCHED) | 349 | #elif defined(CONFIG_CGROUP_SCHED) |
350 | tg = container_of(task_subsys_state(p, cpu_cgroup_subsys_id), | 350 | tg = container_of(task_subsys_state(p, cpu_cgroup_subsys_id), |
351 | struct task_group, css); | 351 | struct task_group, css); |
@@ -5182,8 +5182,8 @@ recheck: | |||
5182 | 5182 | ||
5183 | /* can't change other user's priorities */ | 5183 | /* can't change other user's priorities */ |
5184 | euid = current_euid(); | 5184 | euid = current_euid(); |
5185 | if (euid != p->euid && | 5185 | if (euid != p->cred->euid && |
5186 | euid != p->uid) | 5186 | euid != p->cred->uid) |
5187 | return -EPERM; | 5187 | return -EPERM; |
5188 | } | 5188 | } |
5189 | 5189 | ||
@@ -5417,7 +5417,9 @@ long sched_setaffinity(pid_t pid, const cpumask_t *in_mask) | |||
5417 | 5417 | ||
5418 | euid = current_euid(); | 5418 | euid = current_euid(); |
5419 | retval = -EPERM; | 5419 | retval = -EPERM; |
5420 | if (euid != p->euid && euid != p->uid && !capable(CAP_SYS_NICE)) | 5420 | if (euid != p->cred->euid && |
5421 | euid != p->cred->uid && | ||
5422 | !capable(CAP_SYS_NICE)) | ||
5421 | goto out_unlock; | 5423 | goto out_unlock; |
5422 | 5424 | ||
5423 | retval = security_task_setscheduler(p, 0, NULL); | 5425 | retval = security_task_setscheduler(p, 0, NULL); |
diff --git a/kernel/signal.c b/kernel/signal.c index 167b535fe1a9..80e8a6489f97 100644 --- a/kernel/signal.c +++ b/kernel/signal.c | |||
@@ -187,7 +187,7 @@ static struct sigqueue *__sigqueue_alloc(struct task_struct *t, gfp_t flags, | |||
187 | * In order to avoid problems with "switch_user()", we want to make | 187 | * In order to avoid problems with "switch_user()", we want to make |
188 | * sure that the compiler doesn't re-load "t->user" | 188 | * sure that the compiler doesn't re-load "t->user" |
189 | */ | 189 | */ |
190 | user = t->user; | 190 | user = t->cred->user; |
191 | barrier(); | 191 | barrier(); |
192 | atomic_inc(&user->sigpending); | 192 | atomic_inc(&user->sigpending); |
193 | if (override_rlimit || | 193 | if (override_rlimit || |
@@ -582,8 +582,8 @@ static int check_kill_permission(int sig, struct siginfo *info, | |||
582 | 582 | ||
583 | uid = current_uid(); | 583 | uid = current_uid(); |
584 | euid = current_euid(); | 584 | euid = current_euid(); |
585 | if ((euid ^ t->suid) && (euid ^ t->uid) && | 585 | if ((euid ^ t->cred->suid) && (euid ^ t->cred->uid) && |
586 | (uid ^ t->suid) && (uid ^ t->uid) && | 586 | (uid ^ t->cred->suid) && (uid ^ t->cred->uid) && |
587 | !capable(CAP_KILL)) { | 587 | !capable(CAP_KILL)) { |
588 | switch (sig) { | 588 | switch (sig) { |
589 | case SIGCONT: | 589 | case SIGCONT: |
@@ -1100,8 +1100,8 @@ int kill_pid_info_as_uid(int sig, struct siginfo *info, struct pid *pid, | |||
1100 | goto out_unlock; | 1100 | goto out_unlock; |
1101 | } | 1101 | } |
1102 | if ((info == SEND_SIG_NOINFO || (!is_si_special(info) && SI_FROMUSER(info))) | 1102 | if ((info == SEND_SIG_NOINFO || (!is_si_special(info) && SI_FROMUSER(info))) |
1103 | && (euid != p->suid) && (euid != p->uid) | 1103 | && (euid != p->cred->suid) && (euid != p->cred->uid) |
1104 | && (uid != p->suid) && (uid != p->uid)) { | 1104 | && (uid != p->cred->suid) && (uid != p->cred->uid)) { |
1105 | ret = -EPERM; | 1105 | ret = -EPERM; |
1106 | goto out_unlock; | 1106 | goto out_unlock; |
1107 | } | 1107 | } |
@@ -1374,7 +1374,7 @@ int do_notify_parent(struct task_struct *tsk, int sig) | |||
1374 | info.si_pid = task_pid_nr_ns(tsk, tsk->parent->nsproxy->pid_ns); | 1374 | info.si_pid = task_pid_nr_ns(tsk, tsk->parent->nsproxy->pid_ns); |
1375 | rcu_read_unlock(); | 1375 | rcu_read_unlock(); |
1376 | 1376 | ||
1377 | info.si_uid = tsk->uid; | 1377 | info.si_uid = tsk->cred->uid; |
1378 | 1378 | ||
1379 | thread_group_cputime(tsk, &cputime); | 1379 | thread_group_cputime(tsk, &cputime); |
1380 | info.si_utime = cputime_to_jiffies(cputime.utime); | 1380 | info.si_utime = cputime_to_jiffies(cputime.utime); |
@@ -1445,7 +1445,7 @@ static void do_notify_parent_cldstop(struct task_struct *tsk, int why) | |||
1445 | info.si_pid = task_pid_nr_ns(tsk, tsk->parent->nsproxy->pid_ns); | 1445 | info.si_pid = task_pid_nr_ns(tsk, tsk->parent->nsproxy->pid_ns); |
1446 | rcu_read_unlock(); | 1446 | rcu_read_unlock(); |
1447 | 1447 | ||
1448 | info.si_uid = tsk->uid; | 1448 | info.si_uid = tsk->cred->uid; |
1449 | 1449 | ||
1450 | info.si_utime = cputime_to_clock_t(tsk->utime); | 1450 | info.si_utime = cputime_to_clock_t(tsk->utime); |
1451 | info.si_stime = cputime_to_clock_t(tsk->stime); | 1451 | info.si_stime = cputime_to_clock_t(tsk->stime); |
@@ -1713,7 +1713,7 @@ static int ptrace_signal(int signr, siginfo_t *info, | |||
1713 | info->si_errno = 0; | 1713 | info->si_errno = 0; |
1714 | info->si_code = SI_USER; | 1714 | info->si_code = SI_USER; |
1715 | info->si_pid = task_pid_vnr(current->parent); | 1715 | info->si_pid = task_pid_vnr(current->parent); |
1716 | info->si_uid = current->parent->uid; | 1716 | info->si_uid = current->parent->cred->uid; |
1717 | } | 1717 | } |
1718 | 1718 | ||
1719 | /* If the (new) signal is now blocked, requeue it. */ | 1719 | /* If the (new) signal is now blocked, requeue it. */ |
diff --git a/kernel/sys.c b/kernel/sys.c index ed5c29c748ac..5d81f07c0150 100644 --- a/kernel/sys.c +++ b/kernel/sys.c | |||
@@ -117,7 +117,9 @@ static int set_one_prio(struct task_struct *p, int niceval, int error) | |||
117 | uid_t euid = current_euid(); | 117 | uid_t euid = current_euid(); |
118 | int no_nice; | 118 | int no_nice; |
119 | 119 | ||
120 | if (p->uid != euid && p->euid != euid && !capable(CAP_SYS_NICE)) { | 120 | if (p->cred->uid != euid && |
121 | p->cred->euid != euid && | ||
122 | !capable(CAP_SYS_NICE)) { | ||
121 | error = -EPERM; | 123 | error = -EPERM; |
122 | goto out; | 124 | goto out; |
123 | } | 125 | } |
@@ -174,7 +176,7 @@ asmlinkage long sys_setpriority(int which, int who, int niceval) | |||
174 | } while_each_pid_thread(pgrp, PIDTYPE_PGID, p); | 176 | } while_each_pid_thread(pgrp, PIDTYPE_PGID, p); |
175 | break; | 177 | break; |
176 | case PRIO_USER: | 178 | case PRIO_USER: |
177 | user = current->user; | 179 | user = current->cred->user; |
178 | if (!who) | 180 | if (!who) |
179 | who = current_uid(); | 181 | who = current_uid(); |
180 | else | 182 | else |
@@ -182,7 +184,7 @@ asmlinkage long sys_setpriority(int which, int who, int niceval) | |||
182 | goto out_unlock; /* No processes for this user */ | 184 | goto out_unlock; /* No processes for this user */ |
183 | 185 | ||
184 | do_each_thread(g, p) | 186 | do_each_thread(g, p) |
185 | if (p->uid == who) | 187 | if (p->cred->uid == who) |
186 | error = set_one_prio(p, niceval, error); | 188 | error = set_one_prio(p, niceval, error); |
187 | while_each_thread(g, p); | 189 | while_each_thread(g, p); |
188 | if (who != current_uid()) | 190 | if (who != current_uid()) |
@@ -236,7 +238,7 @@ asmlinkage long sys_getpriority(int which, int who) | |||
236 | } while_each_pid_thread(pgrp, PIDTYPE_PGID, p); | 238 | } while_each_pid_thread(pgrp, PIDTYPE_PGID, p); |
237 | break; | 239 | break; |
238 | case PRIO_USER: | 240 | case PRIO_USER: |
239 | user = current->user; | 241 | user = current->cred->user; |
240 | if (!who) | 242 | if (!who) |
241 | who = current_uid(); | 243 | who = current_uid(); |
242 | else | 244 | else |
@@ -244,7 +246,7 @@ asmlinkage long sys_getpriority(int which, int who) | |||
244 | goto out_unlock; /* No processes for this user */ | 246 | goto out_unlock; /* No processes for this user */ |
245 | 247 | ||
246 | do_each_thread(g, p) | 248 | do_each_thread(g, p) |
247 | if (p->uid == who) { | 249 | if (p->cred->uid == who) { |
248 | niceval = 20 - task_nice(p); | 250 | niceval = 20 - task_nice(p); |
249 | if (niceval > retval) | 251 | if (niceval > retval) |
250 | retval = niceval; | 252 | retval = niceval; |
@@ -472,8 +474,9 @@ void ctrl_alt_del(void) | |||
472 | */ | 474 | */ |
473 | asmlinkage long sys_setregid(gid_t rgid, gid_t egid) | 475 | asmlinkage long sys_setregid(gid_t rgid, gid_t egid) |
474 | { | 476 | { |
475 | int old_rgid = current->gid; | 477 | struct cred *cred = current->cred; |
476 | int old_egid = current->egid; | 478 | int old_rgid = cred->gid; |
479 | int old_egid = cred->egid; | ||
477 | int new_rgid = old_rgid; | 480 | int new_rgid = old_rgid; |
478 | int new_egid = old_egid; | 481 | int new_egid = old_egid; |
479 | int retval; | 482 | int retval; |
@@ -484,7 +487,7 @@ asmlinkage long sys_setregid(gid_t rgid, gid_t egid) | |||
484 | 487 | ||
485 | if (rgid != (gid_t) -1) { | 488 | if (rgid != (gid_t) -1) { |
486 | if ((old_rgid == rgid) || | 489 | if ((old_rgid == rgid) || |
487 | (current->egid==rgid) || | 490 | (cred->egid == rgid) || |
488 | capable(CAP_SETGID)) | 491 | capable(CAP_SETGID)) |
489 | new_rgid = rgid; | 492 | new_rgid = rgid; |
490 | else | 493 | else |
@@ -492,8 +495,8 @@ asmlinkage long sys_setregid(gid_t rgid, gid_t egid) | |||
492 | } | 495 | } |
493 | if (egid != (gid_t) -1) { | 496 | if (egid != (gid_t) -1) { |
494 | if ((old_rgid == egid) || | 497 | if ((old_rgid == egid) || |
495 | (current->egid == egid) || | 498 | (cred->egid == egid) || |
496 | (current->sgid == egid) || | 499 | (cred->sgid == egid) || |
497 | capable(CAP_SETGID)) | 500 | capable(CAP_SETGID)) |
498 | new_egid = egid; | 501 | new_egid = egid; |
499 | else | 502 | else |
@@ -505,10 +508,10 @@ asmlinkage long sys_setregid(gid_t rgid, gid_t egid) | |||
505 | } | 508 | } |
506 | if (rgid != (gid_t) -1 || | 509 | if (rgid != (gid_t) -1 || |
507 | (egid != (gid_t) -1 && egid != old_rgid)) | 510 | (egid != (gid_t) -1 && egid != old_rgid)) |
508 | current->sgid = new_egid; | 511 | cred->sgid = new_egid; |
509 | current->fsgid = new_egid; | 512 | cred->fsgid = new_egid; |
510 | current->egid = new_egid; | 513 | cred->egid = new_egid; |
511 | current->gid = new_rgid; | 514 | cred->gid = new_rgid; |
512 | key_fsgid_changed(current); | 515 | key_fsgid_changed(current); |
513 | proc_id_connector(current, PROC_EVENT_GID); | 516 | proc_id_connector(current, PROC_EVENT_GID); |
514 | return 0; | 517 | return 0; |
@@ -521,7 +524,8 @@ asmlinkage long sys_setregid(gid_t rgid, gid_t egid) | |||
521 | */ | 524 | */ |
522 | asmlinkage long sys_setgid(gid_t gid) | 525 | asmlinkage long sys_setgid(gid_t gid) |
523 | { | 526 | { |
524 | int old_egid = current->egid; | 527 | struct cred *cred = current->cred; |
528 | int old_egid = cred->egid; | ||
525 | int retval; | 529 | int retval; |
526 | 530 | ||
527 | retval = security_task_setgid(gid, (gid_t)-1, (gid_t)-1, LSM_SETID_ID); | 531 | retval = security_task_setgid(gid, (gid_t)-1, (gid_t)-1, LSM_SETID_ID); |
@@ -533,13 +537,13 @@ asmlinkage long sys_setgid(gid_t gid) | |||
533 | set_dumpable(current->mm, suid_dumpable); | 537 | set_dumpable(current->mm, suid_dumpable); |
534 | smp_wmb(); | 538 | smp_wmb(); |
535 | } | 539 | } |
536 | current->gid = current->egid = current->sgid = current->fsgid = gid; | 540 | cred->gid = cred->egid = cred->sgid = cred->fsgid = gid; |
537 | } else if ((gid == current->gid) || (gid == current->sgid)) { | 541 | } else if ((gid == cred->gid) || (gid == cred->sgid)) { |
538 | if (old_egid != gid) { | 542 | if (old_egid != gid) { |
539 | set_dumpable(current->mm, suid_dumpable); | 543 | set_dumpable(current->mm, suid_dumpable); |
540 | smp_wmb(); | 544 | smp_wmb(); |
541 | } | 545 | } |
542 | current->egid = current->fsgid = gid; | 546 | cred->egid = cred->fsgid = gid; |
543 | } | 547 | } |
544 | else | 548 | else |
545 | return -EPERM; | 549 | return -EPERM; |
@@ -570,7 +574,7 @@ static int set_user(uid_t new_ruid, int dumpclear) | |||
570 | set_dumpable(current->mm, suid_dumpable); | 574 | set_dumpable(current->mm, suid_dumpable); |
571 | smp_wmb(); | 575 | smp_wmb(); |
572 | } | 576 | } |
573 | current->uid = new_ruid; | 577 | current->cred->uid = new_ruid; |
574 | return 0; | 578 | return 0; |
575 | } | 579 | } |
576 | 580 | ||
@@ -591,6 +595,7 @@ static int set_user(uid_t new_ruid, int dumpclear) | |||
591 | */ | 595 | */ |
592 | asmlinkage long sys_setreuid(uid_t ruid, uid_t euid) | 596 | asmlinkage long sys_setreuid(uid_t ruid, uid_t euid) |
593 | { | 597 | { |
598 | struct cred *cred = current->cred; | ||
594 | int old_ruid, old_euid, old_suid, new_ruid, new_euid; | 599 | int old_ruid, old_euid, old_suid, new_ruid, new_euid; |
595 | int retval; | 600 | int retval; |
596 | 601 | ||
@@ -598,14 +603,14 @@ asmlinkage long sys_setreuid(uid_t ruid, uid_t euid) | |||
598 | if (retval) | 603 | if (retval) |
599 | return retval; | 604 | return retval; |
600 | 605 | ||
601 | new_ruid = old_ruid = current->uid; | 606 | new_ruid = old_ruid = cred->uid; |
602 | new_euid = old_euid = current->euid; | 607 | new_euid = old_euid = cred->euid; |
603 | old_suid = current->suid; | 608 | old_suid = cred->suid; |
604 | 609 | ||
605 | if (ruid != (uid_t) -1) { | 610 | if (ruid != (uid_t) -1) { |
606 | new_ruid = ruid; | 611 | new_ruid = ruid; |
607 | if ((old_ruid != ruid) && | 612 | if ((old_ruid != ruid) && |
608 | (current->euid != ruid) && | 613 | (cred->euid != ruid) && |
609 | !capable(CAP_SETUID)) | 614 | !capable(CAP_SETUID)) |
610 | return -EPERM; | 615 | return -EPERM; |
611 | } | 616 | } |
@@ -613,8 +618,8 @@ asmlinkage long sys_setreuid(uid_t ruid, uid_t euid) | |||
613 | if (euid != (uid_t) -1) { | 618 | if (euid != (uid_t) -1) { |
614 | new_euid = euid; | 619 | new_euid = euid; |
615 | if ((old_ruid != euid) && | 620 | if ((old_ruid != euid) && |
616 | (current->euid != euid) && | 621 | (cred->euid != euid) && |
617 | (current->suid != euid) && | 622 | (cred->suid != euid) && |
618 | !capable(CAP_SETUID)) | 623 | !capable(CAP_SETUID)) |
619 | return -EPERM; | 624 | return -EPERM; |
620 | } | 625 | } |
@@ -626,11 +631,11 @@ asmlinkage long sys_setreuid(uid_t ruid, uid_t euid) | |||
626 | set_dumpable(current->mm, suid_dumpable); | 631 | set_dumpable(current->mm, suid_dumpable); |
627 | smp_wmb(); | 632 | smp_wmb(); |
628 | } | 633 | } |
629 | current->fsuid = current->euid = new_euid; | 634 | cred->fsuid = cred->euid = new_euid; |
630 | if (ruid != (uid_t) -1 || | 635 | if (ruid != (uid_t) -1 || |
631 | (euid != (uid_t) -1 && euid != old_ruid)) | 636 | (euid != (uid_t) -1 && euid != old_ruid)) |
632 | current->suid = current->euid; | 637 | cred->suid = cred->euid; |
633 | current->fsuid = current->euid; | 638 | cred->fsuid = cred->euid; |
634 | 639 | ||
635 | key_fsuid_changed(current); | 640 | key_fsuid_changed(current); |
636 | proc_id_connector(current, PROC_EVENT_UID); | 641 | proc_id_connector(current, PROC_EVENT_UID); |
@@ -653,7 +658,8 @@ asmlinkage long sys_setreuid(uid_t ruid, uid_t euid) | |||
653 | */ | 658 | */ |
654 | asmlinkage long sys_setuid(uid_t uid) | 659 | asmlinkage long sys_setuid(uid_t uid) |
655 | { | 660 | { |
656 | int old_euid = current->euid; | 661 | struct cred *cred = current->cred; |
662 | int old_euid = cred->euid; | ||
657 | int old_ruid, old_suid, new_suid; | 663 | int old_ruid, old_suid, new_suid; |
658 | int retval; | 664 | int retval; |
659 | 665 | ||
@@ -661,23 +667,23 @@ asmlinkage long sys_setuid(uid_t uid) | |||
661 | if (retval) | 667 | if (retval) |
662 | return retval; | 668 | return retval; |
663 | 669 | ||
664 | old_ruid = current->uid; | 670 | old_ruid = cred->uid; |
665 | old_suid = current->suid; | 671 | old_suid = cred->suid; |
666 | new_suid = old_suid; | 672 | new_suid = old_suid; |
667 | 673 | ||
668 | if (capable(CAP_SETUID)) { | 674 | if (capable(CAP_SETUID)) { |
669 | if (uid != old_ruid && set_user(uid, old_euid != uid) < 0) | 675 | if (uid != old_ruid && set_user(uid, old_euid != uid) < 0) |
670 | return -EAGAIN; | 676 | return -EAGAIN; |
671 | new_suid = uid; | 677 | new_suid = uid; |
672 | } else if ((uid != current->uid) && (uid != new_suid)) | 678 | } else if ((uid != cred->uid) && (uid != new_suid)) |
673 | return -EPERM; | 679 | return -EPERM; |
674 | 680 | ||
675 | if (old_euid != uid) { | 681 | if (old_euid != uid) { |
676 | set_dumpable(current->mm, suid_dumpable); | 682 | set_dumpable(current->mm, suid_dumpable); |
677 | smp_wmb(); | 683 | smp_wmb(); |
678 | } | 684 | } |
679 | current->fsuid = current->euid = uid; | 685 | cred->fsuid = cred->euid = uid; |
680 | current->suid = new_suid; | 686 | cred->suid = new_suid; |
681 | 687 | ||
682 | key_fsuid_changed(current); | 688 | key_fsuid_changed(current); |
683 | proc_id_connector(current, PROC_EVENT_UID); | 689 | proc_id_connector(current, PROC_EVENT_UID); |
@@ -692,9 +698,10 @@ asmlinkage long sys_setuid(uid_t uid) | |||
692 | */ | 698 | */ |
693 | asmlinkage long sys_setresuid(uid_t ruid, uid_t euid, uid_t suid) | 699 | asmlinkage long sys_setresuid(uid_t ruid, uid_t euid, uid_t suid) |
694 | { | 700 | { |
695 | int old_ruid = current->uid; | 701 | struct cred *cred = current->cred; |
696 | int old_euid = current->euid; | 702 | int old_ruid = cred->uid; |
697 | int old_suid = current->suid; | 703 | int old_euid = cred->euid; |
704 | int old_suid = cred->suid; | ||
698 | int retval; | 705 | int retval; |
699 | 706 | ||
700 | retval = security_task_setuid(ruid, euid, suid, LSM_SETID_RES); | 707 | retval = security_task_setuid(ruid, euid, suid, LSM_SETID_RES); |
@@ -702,30 +709,31 @@ asmlinkage long sys_setresuid(uid_t ruid, uid_t euid, uid_t suid) | |||
702 | return retval; | 709 | return retval; |
703 | 710 | ||
704 | if (!capable(CAP_SETUID)) { | 711 | if (!capable(CAP_SETUID)) { |
705 | if ((ruid != (uid_t) -1) && (ruid != current->uid) && | 712 | if ((ruid != (uid_t) -1) && (ruid != cred->uid) && |
706 | (ruid != current->euid) && (ruid != current->suid)) | 713 | (ruid != cred->euid) && (ruid != cred->suid)) |
707 | return -EPERM; | 714 | return -EPERM; |
708 | if ((euid != (uid_t) -1) && (euid != current->uid) && | 715 | if ((euid != (uid_t) -1) && (euid != cred->uid) && |
709 | (euid != current->euid) && (euid != current->suid)) | 716 | (euid != cred->euid) && (euid != cred->suid)) |
710 | return -EPERM; | 717 | return -EPERM; |
711 | if ((suid != (uid_t) -1) && (suid != current->uid) && | 718 | if ((suid != (uid_t) -1) && (suid != cred->uid) && |
712 | (suid != current->euid) && (suid != current->suid)) | 719 | (suid != cred->euid) && (suid != cred->suid)) |
713 | return -EPERM; | 720 | return -EPERM; |
714 | } | 721 | } |
715 | if (ruid != (uid_t) -1) { | 722 | if (ruid != (uid_t) -1) { |
716 | if (ruid != current->uid && set_user(ruid, euid != current->euid) < 0) | 723 | if (ruid != cred->uid && |
724 | set_user(ruid, euid != cred->euid) < 0) | ||
717 | return -EAGAIN; | 725 | return -EAGAIN; |
718 | } | 726 | } |
719 | if (euid != (uid_t) -1) { | 727 | if (euid != (uid_t) -1) { |
720 | if (euid != current->euid) { | 728 | if (euid != cred->euid) { |
721 | set_dumpable(current->mm, suid_dumpable); | 729 | set_dumpable(current->mm, suid_dumpable); |
722 | smp_wmb(); | 730 | smp_wmb(); |
723 | } | 731 | } |
724 | current->euid = euid; | 732 | cred->euid = euid; |
725 | } | 733 | } |
726 | current->fsuid = current->euid; | 734 | cred->fsuid = cred->euid; |
727 | if (suid != (uid_t) -1) | 735 | if (suid != (uid_t) -1) |
728 | current->suid = suid; | 736 | cred->suid = suid; |
729 | 737 | ||
730 | key_fsuid_changed(current); | 738 | key_fsuid_changed(current); |
731 | proc_id_connector(current, PROC_EVENT_UID); | 739 | proc_id_connector(current, PROC_EVENT_UID); |
@@ -735,11 +743,12 @@ asmlinkage long sys_setresuid(uid_t ruid, uid_t euid, uid_t suid) | |||
735 | 743 | ||
736 | asmlinkage long sys_getresuid(uid_t __user *ruid, uid_t __user *euid, uid_t __user *suid) | 744 | asmlinkage long sys_getresuid(uid_t __user *ruid, uid_t __user *euid, uid_t __user *suid) |
737 | { | 745 | { |
746 | struct cred *cred = current->cred; | ||
738 | int retval; | 747 | int retval; |
739 | 748 | ||
740 | if (!(retval = put_user(current->uid, ruid)) && | 749 | if (!(retval = put_user(cred->uid, ruid)) && |
741 | !(retval = put_user(current->euid, euid))) | 750 | !(retval = put_user(cred->euid, euid))) |
742 | retval = put_user(current->suid, suid); | 751 | retval = put_user(cred->suid, suid); |
743 | 752 | ||
744 | return retval; | 753 | return retval; |
745 | } | 754 | } |
@@ -749,6 +758,7 @@ asmlinkage long sys_getresuid(uid_t __user *ruid, uid_t __user *euid, uid_t __us | |||
749 | */ | 758 | */ |
750 | asmlinkage long sys_setresgid(gid_t rgid, gid_t egid, gid_t sgid) | 759 | asmlinkage long sys_setresgid(gid_t rgid, gid_t egid, gid_t sgid) |
751 | { | 760 | { |
761 | struct cred *cred = current->cred; | ||
752 | int retval; | 762 | int retval; |
753 | 763 | ||
754 | retval = security_task_setgid(rgid, egid, sgid, LSM_SETID_RES); | 764 | retval = security_task_setgid(rgid, egid, sgid, LSM_SETID_RES); |
@@ -756,28 +766,28 @@ asmlinkage long sys_setresgid(gid_t rgid, gid_t egid, gid_t sgid) | |||
756 | return retval; | 766 | return retval; |
757 | 767 | ||
758 | if (!capable(CAP_SETGID)) { | 768 | if (!capable(CAP_SETGID)) { |
759 | if ((rgid != (gid_t) -1) && (rgid != current->gid) && | 769 | if ((rgid != (gid_t) -1) && (rgid != cred->gid) && |
760 | (rgid != current->egid) && (rgid != current->sgid)) | 770 | (rgid != cred->egid) && (rgid != cred->sgid)) |
761 | return -EPERM; | 771 | return -EPERM; |
762 | if ((egid != (gid_t) -1) && (egid != current->gid) && | 772 | if ((egid != (gid_t) -1) && (egid != cred->gid) && |
763 | (egid != current->egid) && (egid != current->sgid)) | 773 | (egid != cred->egid) && (egid != cred->sgid)) |
764 | return -EPERM; | 774 | return -EPERM; |
765 | if ((sgid != (gid_t) -1) && (sgid != current->gid) && | 775 | if ((sgid != (gid_t) -1) && (sgid != cred->gid) && |
766 | (sgid != current->egid) && (sgid != current->sgid)) | 776 | (sgid != cred->egid) && (sgid != cred->sgid)) |
767 | return -EPERM; | 777 | return -EPERM; |
768 | } | 778 | } |
769 | if (egid != (gid_t) -1) { | 779 | if (egid != (gid_t) -1) { |
770 | if (egid != current->egid) { | 780 | if (egid != cred->egid) { |
771 | set_dumpable(current->mm, suid_dumpable); | 781 | set_dumpable(current->mm, suid_dumpable); |
772 | smp_wmb(); | 782 | smp_wmb(); |
773 | } | 783 | } |
774 | current->egid = egid; | 784 | cred->egid = egid; |
775 | } | 785 | } |
776 | current->fsgid = current->egid; | 786 | cred->fsgid = cred->egid; |
777 | if (rgid != (gid_t) -1) | 787 | if (rgid != (gid_t) -1) |
778 | current->gid = rgid; | 788 | cred->gid = rgid; |
779 | if (sgid != (gid_t) -1) | 789 | if (sgid != (gid_t) -1) |
780 | current->sgid = sgid; | 790 | cred->sgid = sgid; |
781 | 791 | ||
782 | key_fsgid_changed(current); | 792 | key_fsgid_changed(current); |
783 | proc_id_connector(current, PROC_EVENT_GID); | 793 | proc_id_connector(current, PROC_EVENT_GID); |
@@ -786,11 +796,12 @@ asmlinkage long sys_setresgid(gid_t rgid, gid_t egid, gid_t sgid) | |||
786 | 796 | ||
787 | asmlinkage long sys_getresgid(gid_t __user *rgid, gid_t __user *egid, gid_t __user *sgid) | 797 | asmlinkage long sys_getresgid(gid_t __user *rgid, gid_t __user *egid, gid_t __user *sgid) |
788 | { | 798 | { |
799 | struct cred *cred = current->cred; | ||
789 | int retval; | 800 | int retval; |
790 | 801 | ||
791 | if (!(retval = put_user(current->gid, rgid)) && | 802 | if (!(retval = put_user(cred->gid, rgid)) && |
792 | !(retval = put_user(current->egid, egid))) | 803 | !(retval = put_user(cred->egid, egid))) |
793 | retval = put_user(current->sgid, sgid); | 804 | retval = put_user(cred->sgid, sgid); |
794 | 805 | ||
795 | return retval; | 806 | return retval; |
796 | } | 807 | } |
@@ -804,20 +815,21 @@ asmlinkage long sys_getresgid(gid_t __user *rgid, gid_t __user *egid, gid_t __us | |||
804 | */ | 815 | */ |
805 | asmlinkage long sys_setfsuid(uid_t uid) | 816 | asmlinkage long sys_setfsuid(uid_t uid) |
806 | { | 817 | { |
818 | struct cred *cred = current->cred; | ||
807 | int old_fsuid; | 819 | int old_fsuid; |
808 | 820 | ||
809 | old_fsuid = current->fsuid; | 821 | old_fsuid = cred->fsuid; |
810 | if (security_task_setuid(uid, (uid_t)-1, (uid_t)-1, LSM_SETID_FS)) | 822 | if (security_task_setuid(uid, (uid_t)-1, (uid_t)-1, LSM_SETID_FS)) |
811 | return old_fsuid; | 823 | return old_fsuid; |
812 | 824 | ||
813 | if (uid == current->uid || uid == current->euid || | 825 | if (uid == cred->uid || uid == cred->euid || |
814 | uid == current->suid || uid == current->fsuid || | 826 | uid == cred->suid || uid == cred->fsuid || |
815 | capable(CAP_SETUID)) { | 827 | capable(CAP_SETUID)) { |
816 | if (uid != old_fsuid) { | 828 | if (uid != old_fsuid) { |
817 | set_dumpable(current->mm, suid_dumpable); | 829 | set_dumpable(current->mm, suid_dumpable); |
818 | smp_wmb(); | 830 | smp_wmb(); |
819 | } | 831 | } |
820 | current->fsuid = uid; | 832 | cred->fsuid = uid; |
821 | } | 833 | } |
822 | 834 | ||
823 | key_fsuid_changed(current); | 835 | key_fsuid_changed(current); |
@@ -833,20 +845,21 @@ asmlinkage long sys_setfsuid(uid_t uid) | |||
833 | */ | 845 | */ |
834 | asmlinkage long sys_setfsgid(gid_t gid) | 846 | asmlinkage long sys_setfsgid(gid_t gid) |
835 | { | 847 | { |
848 | struct cred *cred = current->cred; | ||
836 | int old_fsgid; | 849 | int old_fsgid; |
837 | 850 | ||
838 | old_fsgid = current->fsgid; | 851 | old_fsgid = cred->fsgid; |
839 | if (security_task_setgid(gid, (gid_t)-1, (gid_t)-1, LSM_SETID_FS)) | 852 | if (security_task_setgid(gid, (gid_t)-1, (gid_t)-1, LSM_SETID_FS)) |
840 | return old_fsgid; | 853 | return old_fsgid; |
841 | 854 | ||
842 | if (gid == current->gid || gid == current->egid || | 855 | if (gid == cred->gid || gid == cred->egid || |
843 | gid == current->sgid || gid == current->fsgid || | 856 | gid == cred->sgid || gid == cred->fsgid || |
844 | capable(CAP_SETGID)) { | 857 | capable(CAP_SETGID)) { |
845 | if (gid != old_fsgid) { | 858 | if (gid != old_fsgid) { |
846 | set_dumpable(current->mm, suid_dumpable); | 859 | set_dumpable(current->mm, suid_dumpable); |
847 | smp_wmb(); | 860 | smp_wmb(); |
848 | } | 861 | } |
849 | current->fsgid = gid; | 862 | cred->fsgid = gid; |
850 | key_fsgid_changed(current); | 863 | key_fsgid_changed(current); |
851 | proc_id_connector(current, PROC_EVENT_GID); | 864 | proc_id_connector(current, PROC_EVENT_GID); |
852 | } | 865 | } |
@@ -1208,8 +1221,15 @@ int groups_search(struct group_info *group_info, gid_t grp) | |||
1208 | return 0; | 1221 | return 0; |
1209 | } | 1222 | } |
1210 | 1223 | ||
1211 | /* validate and set current->group_info */ | 1224 | /** |
1212 | int set_current_groups(struct group_info *group_info) | 1225 | * set_groups - Change a group subscription in a security record |
1226 | * @sec: The security record to alter | ||
1227 | * @group_info: The group list to impose | ||
1228 | * | ||
1229 | * Validate a group subscription and, if valid, impose it upon a task security | ||
1230 | * record. | ||
1231 | */ | ||
1232 | int set_groups(struct cred *cred, struct group_info *group_info) | ||
1213 | { | 1233 | { |
1214 | int retval; | 1234 | int retval; |
1215 | struct group_info *old_info; | 1235 | struct group_info *old_info; |
@@ -1221,20 +1241,34 @@ int set_current_groups(struct group_info *group_info) | |||
1221 | groups_sort(group_info); | 1241 | groups_sort(group_info); |
1222 | get_group_info(group_info); | 1242 | get_group_info(group_info); |
1223 | 1243 | ||
1224 | task_lock(current); | 1244 | spin_lock(&cred->lock); |
1225 | old_info = current->group_info; | 1245 | old_info = cred->group_info; |
1226 | current->group_info = group_info; | 1246 | cred->group_info = group_info; |
1227 | task_unlock(current); | 1247 | spin_unlock(&cred->lock); |
1228 | 1248 | ||
1229 | put_group_info(old_info); | 1249 | put_group_info(old_info); |
1230 | |||
1231 | return 0; | 1250 | return 0; |
1232 | } | 1251 | } |
1233 | 1252 | ||
1253 | EXPORT_SYMBOL(set_groups); | ||
1254 | |||
1255 | /** | ||
1256 | * set_current_groups - Change current's group subscription | ||
1257 | * @group_info: The group list to impose | ||
1258 | * | ||
1259 | * Validate a group subscription and, if valid, impose it upon current's task | ||
1260 | * security record. | ||
1261 | */ | ||
1262 | int set_current_groups(struct group_info *group_info) | ||
1263 | { | ||
1264 | return set_groups(current->cred, group_info); | ||
1265 | } | ||
1266 | |||
1234 | EXPORT_SYMBOL(set_current_groups); | 1267 | EXPORT_SYMBOL(set_current_groups); |
1235 | 1268 | ||
1236 | asmlinkage long sys_getgroups(int gidsetsize, gid_t __user *grouplist) | 1269 | asmlinkage long sys_getgroups(int gidsetsize, gid_t __user *grouplist) |
1237 | { | 1270 | { |
1271 | struct cred *cred = current->cred; | ||
1238 | int i = 0; | 1272 | int i = 0; |
1239 | 1273 | ||
1240 | /* | 1274 | /* |
@@ -1246,13 +1280,13 @@ asmlinkage long sys_getgroups(int gidsetsize, gid_t __user *grouplist) | |||
1246 | return -EINVAL; | 1280 | return -EINVAL; |
1247 | 1281 | ||
1248 | /* no need to grab task_lock here; it cannot change */ | 1282 | /* no need to grab task_lock here; it cannot change */ |
1249 | i = current->group_info->ngroups; | 1283 | i = cred->group_info->ngroups; |
1250 | if (gidsetsize) { | 1284 | if (gidsetsize) { |
1251 | if (i > gidsetsize) { | 1285 | if (i > gidsetsize) { |
1252 | i = -EINVAL; | 1286 | i = -EINVAL; |
1253 | goto out; | 1287 | goto out; |
1254 | } | 1288 | } |
1255 | if (groups_to_user(grouplist, current->group_info)) { | 1289 | if (groups_to_user(grouplist, cred->group_info)) { |
1256 | i = -EFAULT; | 1290 | i = -EFAULT; |
1257 | goto out; | 1291 | goto out; |
1258 | } | 1292 | } |
@@ -1296,9 +1330,10 @@ asmlinkage long sys_setgroups(int gidsetsize, gid_t __user *grouplist) | |||
1296 | */ | 1330 | */ |
1297 | int in_group_p(gid_t grp) | 1331 | int in_group_p(gid_t grp) |
1298 | { | 1332 | { |
1333 | struct cred *cred = current->cred; | ||
1299 | int retval = 1; | 1334 | int retval = 1; |
1300 | if (grp != current->fsgid) | 1335 | if (grp != cred->fsgid) |
1301 | retval = groups_search(current->group_info, grp); | 1336 | retval = groups_search(cred->group_info, grp); |
1302 | return retval; | 1337 | return retval; |
1303 | } | 1338 | } |
1304 | 1339 | ||
@@ -1306,9 +1341,10 @@ EXPORT_SYMBOL(in_group_p); | |||
1306 | 1341 | ||
1307 | int in_egroup_p(gid_t grp) | 1342 | int in_egroup_p(gid_t grp) |
1308 | { | 1343 | { |
1344 | struct cred *cred = current->cred; | ||
1309 | int retval = 1; | 1345 | int retval = 1; |
1310 | if (grp != current->egid) | 1346 | if (grp != cred->egid) |
1311 | retval = groups_search(current->group_info, grp); | 1347 | retval = groups_search(cred->group_info, grp); |
1312 | return retval; | 1348 | return retval; |
1313 | } | 1349 | } |
1314 | 1350 | ||
@@ -1624,7 +1660,9 @@ asmlinkage long sys_umask(int mask) | |||
1624 | asmlinkage long sys_prctl(int option, unsigned long arg2, unsigned long arg3, | 1660 | asmlinkage long sys_prctl(int option, unsigned long arg2, unsigned long arg3, |
1625 | unsigned long arg4, unsigned long arg5) | 1661 | unsigned long arg4, unsigned long arg5) |
1626 | { | 1662 | { |
1627 | long error = 0; | 1663 | struct task_struct *me = current; |
1664 | unsigned char comm[sizeof(me->comm)]; | ||
1665 | long error; | ||
1628 | 1666 | ||
1629 | if (security_task_prctl(option, arg2, arg3, arg4, arg5, &error)) | 1667 | if (security_task_prctl(option, arg2, arg3, arg4, arg5, &error)) |
1630 | return error; | 1668 | return error; |
@@ -1635,39 +1673,41 @@ asmlinkage long sys_prctl(int option, unsigned long arg2, unsigned long arg3, | |||
1635 | error = -EINVAL; | 1673 | error = -EINVAL; |
1636 | break; | 1674 | break; |
1637 | } | 1675 | } |
1638 | current->pdeath_signal = arg2; | 1676 | me->pdeath_signal = arg2; |
1677 | error = 0; | ||
1639 | break; | 1678 | break; |
1640 | case PR_GET_PDEATHSIG: | 1679 | case PR_GET_PDEATHSIG: |
1641 | error = put_user(current->pdeath_signal, (int __user *)arg2); | 1680 | error = put_user(me->pdeath_signal, (int __user *)arg2); |
1642 | break; | 1681 | break; |
1643 | case PR_GET_DUMPABLE: | 1682 | case PR_GET_DUMPABLE: |
1644 | error = get_dumpable(current->mm); | 1683 | error = get_dumpable(me->mm); |
1645 | break; | 1684 | break; |
1646 | case PR_SET_DUMPABLE: | 1685 | case PR_SET_DUMPABLE: |
1647 | if (arg2 < 0 || arg2 > 1) { | 1686 | if (arg2 < 0 || arg2 > 1) { |
1648 | error = -EINVAL; | 1687 | error = -EINVAL; |
1649 | break; | 1688 | break; |
1650 | } | 1689 | } |
1651 | set_dumpable(current->mm, arg2); | 1690 | set_dumpable(me->mm, arg2); |
1691 | error = 0; | ||
1652 | break; | 1692 | break; |
1653 | 1693 | ||
1654 | case PR_SET_UNALIGN: | 1694 | case PR_SET_UNALIGN: |
1655 | error = SET_UNALIGN_CTL(current, arg2); | 1695 | error = SET_UNALIGN_CTL(me, arg2); |
1656 | break; | 1696 | break; |
1657 | case PR_GET_UNALIGN: | 1697 | case PR_GET_UNALIGN: |
1658 | error = GET_UNALIGN_CTL(current, arg2); | 1698 | error = GET_UNALIGN_CTL(me, arg2); |
1659 | break; | 1699 | break; |
1660 | case PR_SET_FPEMU: | 1700 | case PR_SET_FPEMU: |
1661 | error = SET_FPEMU_CTL(current, arg2); | 1701 | error = SET_FPEMU_CTL(me, arg2); |
1662 | break; | 1702 | break; |
1663 | case PR_GET_FPEMU: | 1703 | case PR_GET_FPEMU: |
1664 | error = GET_FPEMU_CTL(current, arg2); | 1704 | error = GET_FPEMU_CTL(me, arg2); |
1665 | break; | 1705 | break; |
1666 | case PR_SET_FPEXC: | 1706 | case PR_SET_FPEXC: |
1667 | error = SET_FPEXC_CTL(current, arg2); | 1707 | error = SET_FPEXC_CTL(me, arg2); |
1668 | break; | 1708 | break; |
1669 | case PR_GET_FPEXC: | 1709 | case PR_GET_FPEXC: |
1670 | error = GET_FPEXC_CTL(current, arg2); | 1710 | error = GET_FPEXC_CTL(me, arg2); |
1671 | break; | 1711 | break; |
1672 | case PR_GET_TIMING: | 1712 | case PR_GET_TIMING: |
1673 | error = PR_TIMING_STATISTICAL; | 1713 | error = PR_TIMING_STATISTICAL; |
@@ -1675,33 +1715,28 @@ asmlinkage long sys_prctl(int option, unsigned long arg2, unsigned long arg3, | |||
1675 | case PR_SET_TIMING: | 1715 | case PR_SET_TIMING: |
1676 | if (arg2 != PR_TIMING_STATISTICAL) | 1716 | if (arg2 != PR_TIMING_STATISTICAL) |
1677 | error = -EINVAL; | 1717 | error = -EINVAL; |
1718 | else | ||
1719 | error = 0; | ||
1678 | break; | 1720 | break; |
1679 | 1721 | ||
1680 | case PR_SET_NAME: { | 1722 | case PR_SET_NAME: |
1681 | struct task_struct *me = current; | 1723 | comm[sizeof(me->comm)-1] = 0; |
1682 | unsigned char ncomm[sizeof(me->comm)]; | 1724 | if (strncpy_from_user(comm, (char __user *)arg2, |
1683 | 1725 | sizeof(me->comm) - 1) < 0) | |
1684 | ncomm[sizeof(me->comm)-1] = 0; | ||
1685 | if (strncpy_from_user(ncomm, (char __user *)arg2, | ||
1686 | sizeof(me->comm)-1) < 0) | ||
1687 | return -EFAULT; | 1726 | return -EFAULT; |
1688 | set_task_comm(me, ncomm); | 1727 | set_task_comm(me, comm); |
1689 | return 0; | 1728 | return 0; |
1690 | } | 1729 | case PR_GET_NAME: |
1691 | case PR_GET_NAME: { | 1730 | get_task_comm(comm, me); |
1692 | struct task_struct *me = current; | 1731 | if (copy_to_user((char __user *)arg2, comm, |
1693 | unsigned char tcomm[sizeof(me->comm)]; | 1732 | sizeof(comm))) |
1694 | |||
1695 | get_task_comm(tcomm, me); | ||
1696 | if (copy_to_user((char __user *)arg2, tcomm, sizeof(tcomm))) | ||
1697 | return -EFAULT; | 1733 | return -EFAULT; |
1698 | return 0; | 1734 | return 0; |
1699 | } | ||
1700 | case PR_GET_ENDIAN: | 1735 | case PR_GET_ENDIAN: |
1701 | error = GET_ENDIAN(current, arg2); | 1736 | error = GET_ENDIAN(me, arg2); |
1702 | break; | 1737 | break; |
1703 | case PR_SET_ENDIAN: | 1738 | case PR_SET_ENDIAN: |
1704 | error = SET_ENDIAN(current, arg2); | 1739 | error = SET_ENDIAN(me, arg2); |
1705 | break; | 1740 | break; |
1706 | 1741 | ||
1707 | case PR_GET_SECCOMP: | 1742 | case PR_GET_SECCOMP: |
@@ -1725,6 +1760,7 @@ asmlinkage long sys_prctl(int option, unsigned long arg2, unsigned long arg3, | |||
1725 | current->default_timer_slack_ns; | 1760 | current->default_timer_slack_ns; |
1726 | else | 1761 | else |
1727 | current->timer_slack_ns = arg2; | 1762 | current->timer_slack_ns = arg2; |
1763 | error = 0; | ||
1728 | break; | 1764 | break; |
1729 | default: | 1765 | default: |
1730 | error = -EINVAL; | 1766 | error = -EINVAL; |
diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c index 9f3b478f9171..5c97c5b4ea8f 100644 --- a/kernel/trace/trace.c +++ b/kernel/trace/trace.c | |||
@@ -246,7 +246,7 @@ __update_max_tr(struct trace_array *tr, struct task_struct *tsk, int cpu) | |||
246 | 246 | ||
247 | memcpy(data->comm, tsk->comm, TASK_COMM_LEN); | 247 | memcpy(data->comm, tsk->comm, TASK_COMM_LEN); |
248 | data->pid = tsk->pid; | 248 | data->pid = tsk->pid; |
249 | data->uid = tsk->uid; | 249 | data->uid = task_uid(tsk); |
250 | data->nice = tsk->static_prio - 20 - MAX_RT_PRIO; | 250 | data->nice = tsk->static_prio - 20 - MAX_RT_PRIO; |
251 | data->policy = tsk->policy; | 251 | data->policy = tsk->policy; |
252 | data->rt_priority = tsk->rt_priority; | 252 | data->rt_priority = tsk->rt_priority; |
diff --git a/kernel/tsacct.c b/kernel/tsacct.c index 8ebcd8532dfb..6d1ed07bf312 100644 --- a/kernel/tsacct.c +++ b/kernel/tsacct.c | |||
@@ -53,8 +53,8 @@ void bacct_add_tsk(struct taskstats *stats, struct task_struct *tsk) | |||
53 | stats->ac_flag |= AXSIG; | 53 | stats->ac_flag |= AXSIG; |
54 | stats->ac_nice = task_nice(tsk); | 54 | stats->ac_nice = task_nice(tsk); |
55 | stats->ac_sched = tsk->policy; | 55 | stats->ac_sched = tsk->policy; |
56 | stats->ac_uid = tsk->uid; | 56 | stats->ac_uid = tsk->cred->uid; |
57 | stats->ac_gid = tsk->gid; | 57 | stats->ac_gid = tsk->cred->gid; |
58 | stats->ac_pid = tsk->pid; | 58 | stats->ac_pid = tsk->pid; |
59 | rcu_read_lock(); | 59 | rcu_read_lock(); |
60 | stats->ac_ppid = pid_alive(tsk) ? | 60 | stats->ac_ppid = pid_alive(tsk) ? |
diff --git a/kernel/uid16.c b/kernel/uid16.c index 3e41c1673e2f..71f07fc39fea 100644 --- a/kernel/uid16.c +++ b/kernel/uid16.c | |||
@@ -86,9 +86,9 @@ asmlinkage long sys_getresuid16(old_uid_t __user *ruid, old_uid_t __user *euid, | |||
86 | { | 86 | { |
87 | int retval; | 87 | int retval; |
88 | 88 | ||
89 | if (!(retval = put_user(high2lowuid(current->uid), ruid)) && | 89 | if (!(retval = put_user(high2lowuid(current->cred->uid), ruid)) && |
90 | !(retval = put_user(high2lowuid(current->euid), euid))) | 90 | !(retval = put_user(high2lowuid(current->cred->euid), euid))) |
91 | retval = put_user(high2lowuid(current->suid), suid); | 91 | retval = put_user(high2lowuid(current->cred->suid), suid); |
92 | 92 | ||
93 | return retval; | 93 | return retval; |
94 | } | 94 | } |
@@ -106,9 +106,9 @@ asmlinkage long sys_getresgid16(old_gid_t __user *rgid, old_gid_t __user *egid, | |||
106 | { | 106 | { |
107 | int retval; | 107 | int retval; |
108 | 108 | ||
109 | if (!(retval = put_user(high2lowgid(current->gid), rgid)) && | 109 | if (!(retval = put_user(high2lowgid(current->cred->gid), rgid)) && |
110 | !(retval = put_user(high2lowgid(current->egid), egid))) | 110 | !(retval = put_user(high2lowgid(current->cred->egid), egid))) |
111 | retval = put_user(high2lowgid(current->sgid), sgid); | 111 | retval = put_user(high2lowgid(current->cred->sgid), sgid); |
112 | 112 | ||
113 | return retval; | 113 | return retval; |
114 | } | 114 | } |
@@ -166,20 +166,20 @@ asmlinkage long sys_getgroups16(int gidsetsize, old_gid_t __user *grouplist) | |||
166 | if (gidsetsize < 0) | 166 | if (gidsetsize < 0) |
167 | return -EINVAL; | 167 | return -EINVAL; |
168 | 168 | ||
169 | get_group_info(current->group_info); | 169 | get_group_info(current->cred->group_info); |
170 | i = current->group_info->ngroups; | 170 | i = current->cred->group_info->ngroups; |
171 | if (gidsetsize) { | 171 | if (gidsetsize) { |
172 | if (i > gidsetsize) { | 172 | if (i > gidsetsize) { |
173 | i = -EINVAL; | 173 | i = -EINVAL; |
174 | goto out; | 174 | goto out; |
175 | } | 175 | } |
176 | if (groups16_to_user(grouplist, current->group_info)) { | 176 | if (groups16_to_user(grouplist, current->cred->group_info)) { |
177 | i = -EFAULT; | 177 | i = -EFAULT; |
178 | goto out; | 178 | goto out; |
179 | } | 179 | } |
180 | } | 180 | } |
181 | out: | 181 | out: |
182 | put_group_info(current->group_info); | 182 | put_group_info(current->cred->group_info); |
183 | return i; | 183 | return i; |
184 | } | 184 | } |
185 | 185 | ||
@@ -210,20 +210,20 @@ asmlinkage long sys_setgroups16(int gidsetsize, old_gid_t __user *grouplist) | |||
210 | 210 | ||
211 | asmlinkage long sys_getuid16(void) | 211 | asmlinkage long sys_getuid16(void) |
212 | { | 212 | { |
213 | return high2lowuid(current->uid); | 213 | return high2lowuid(current->cred->uid); |
214 | } | 214 | } |
215 | 215 | ||
216 | asmlinkage long sys_geteuid16(void) | 216 | asmlinkage long sys_geteuid16(void) |
217 | { | 217 | { |
218 | return high2lowuid(current->euid); | 218 | return high2lowuid(current->cred->euid); |
219 | } | 219 | } |
220 | 220 | ||
221 | asmlinkage long sys_getgid16(void) | 221 | asmlinkage long sys_getgid16(void) |
222 | { | 222 | { |
223 | return high2lowgid(current->gid); | 223 | return high2lowgid(current->cred->gid); |
224 | } | 224 | } |
225 | 225 | ||
226 | asmlinkage long sys_getegid16(void) | 226 | asmlinkage long sys_getegid16(void) |
227 | { | 227 | { |
228 | return high2lowgid(current->egid); | 228 | return high2lowgid(current->cred->egid); |
229 | } | 229 | } |
diff --git a/kernel/user.c b/kernel/user.c index 39d6159fae43..104d22ac84d5 100644 --- a/kernel/user.c +++ b/kernel/user.c | |||
@@ -457,11 +457,11 @@ void switch_uid(struct user_struct *new_user) | |||
457 | * cheaply with the new uid cache, so if it matters | 457 | * cheaply with the new uid cache, so if it matters |
458 | * we should be checking for it. -DaveM | 458 | * we should be checking for it. -DaveM |
459 | */ | 459 | */ |
460 | old_user = current->user; | 460 | old_user = current->cred->user; |
461 | atomic_inc(&new_user->processes); | 461 | atomic_inc(&new_user->processes); |
462 | atomic_dec(&old_user->processes); | 462 | atomic_dec(&old_user->processes); |
463 | switch_uid_keyring(new_user); | 463 | switch_uid_keyring(new_user); |
464 | current->user = new_user; | 464 | current->cred->user = new_user; |
465 | sched_switch_user(current); | 465 | sched_switch_user(current); |
466 | 466 | ||
467 | /* | 467 | /* |
diff --git a/mm/mempolicy.c b/mm/mempolicy.c index 07a96474077d..b23492ee3e50 100644 --- a/mm/mempolicy.c +++ b/mm/mempolicy.c | |||
@@ -1110,12 +1110,12 @@ asmlinkage long sys_migrate_pages(pid_t pid, unsigned long maxnode, | |||
1110 | const unsigned long __user *old_nodes, | 1110 | const unsigned long __user *old_nodes, |
1111 | const unsigned long __user *new_nodes) | 1111 | const unsigned long __user *new_nodes) |
1112 | { | 1112 | { |
1113 | struct cred *cred, *tcred; | ||
1113 | struct mm_struct *mm; | 1114 | struct mm_struct *mm; |
1114 | struct task_struct *task; | 1115 | struct task_struct *task; |
1115 | nodemask_t old; | 1116 | nodemask_t old; |
1116 | nodemask_t new; | 1117 | nodemask_t new; |
1117 | nodemask_t task_nodes; | 1118 | nodemask_t task_nodes; |
1118 | uid_t uid, euid; | ||
1119 | int err; | 1119 | int err; |
1120 | 1120 | ||
1121 | err = get_nodes(&old, old_nodes, maxnode); | 1121 | err = get_nodes(&old, old_nodes, maxnode); |
@@ -1145,10 +1145,10 @@ asmlinkage long sys_migrate_pages(pid_t pid, unsigned long maxnode, | |||
1145 | * capabilities, superuser privileges or the same | 1145 | * capabilities, superuser privileges or the same |
1146 | * userid as the target process. | 1146 | * userid as the target process. |
1147 | */ | 1147 | */ |
1148 | uid = current_uid(); | 1148 | cred = current->cred; |
1149 | euid = current_euid(); | 1149 | tcred = task->cred; |
1150 | if (euid != task->suid && euid != task->uid && | 1150 | if (cred->euid != tcred->suid && cred->euid != tcred->uid && |
1151 | uid != task->suid && uid != task->uid && | 1151 | cred->uid != tcred->suid && cred->uid != tcred->uid && |
1152 | !capable(CAP_SYS_NICE)) { | 1152 | !capable(CAP_SYS_NICE)) { |
1153 | err = -EPERM; | 1153 | err = -EPERM; |
1154 | goto out; | 1154 | goto out; |
diff --git a/mm/migrate.c b/mm/migrate.c index 6263c24c4afe..794443da1b4f 100644 --- a/mm/migrate.c +++ b/mm/migrate.c | |||
@@ -1045,10 +1045,10 @@ asmlinkage long sys_move_pages(pid_t pid, unsigned long nr_pages, | |||
1045 | const int __user *nodes, | 1045 | const int __user *nodes, |
1046 | int __user *status, int flags) | 1046 | int __user *status, int flags) |
1047 | { | 1047 | { |
1048 | struct cred *cred, *tcred; | ||
1048 | struct task_struct *task; | 1049 | struct task_struct *task; |
1049 | struct mm_struct *mm; | 1050 | struct mm_struct *mm; |
1050 | int err; | 1051 | int err; |
1051 | uid_t uid, euid; | ||
1052 | 1052 | ||
1053 | /* Check flags */ | 1053 | /* Check flags */ |
1054 | if (flags & ~(MPOL_MF_MOVE|MPOL_MF_MOVE_ALL)) | 1054 | if (flags & ~(MPOL_MF_MOVE|MPOL_MF_MOVE_ALL)) |
@@ -1076,10 +1076,10 @@ asmlinkage long sys_move_pages(pid_t pid, unsigned long nr_pages, | |||
1076 | * capabilities, superuser privileges or the same | 1076 | * capabilities, superuser privileges or the same |
1077 | * userid as the target process. | 1077 | * userid as the target process. |
1078 | */ | 1078 | */ |
1079 | uid = current_uid(); | 1079 | cred = current->cred; |
1080 | euid = current_euid(); | 1080 | tcred = task->cred; |
1081 | if (euid != task->suid && euid != task->uid && | 1081 | if (cred->euid != tcred->suid && cred->euid != tcred->uid && |
1082 | uid != task->suid && uid != task->uid && | 1082 | cred->uid != tcred->suid && cred->uid != tcred->uid && |
1083 | !capable(CAP_SYS_NICE)) { | 1083 | !capable(CAP_SYS_NICE)) { |
1084 | err = -EPERM; | 1084 | err = -EPERM; |
1085 | goto out; | 1085 | goto out; |
diff --git a/mm/oom_kill.c b/mm/oom_kill.c index 34a458aa7997..3af787ba2077 100644 --- a/mm/oom_kill.c +++ b/mm/oom_kill.c | |||
@@ -298,7 +298,7 @@ static void dump_tasks(const struct mem_cgroup *mem) | |||
298 | 298 | ||
299 | task_lock(p); | 299 | task_lock(p); |
300 | printk(KERN_INFO "[%5d] %5d %5d %8lu %8lu %3d %3d %s\n", | 300 | printk(KERN_INFO "[%5d] %5d %5d %8lu %8lu %3d %3d %s\n", |
301 | p->pid, p->uid, p->tgid, p->mm->total_vm, | 301 | p->pid, p->cred->uid, p->tgid, p->mm->total_vm, |
302 | get_mm_rss(p->mm), (int)task_cpu(p), p->oomkilladj, | 302 | get_mm_rss(p->mm), (int)task_cpu(p), p->oomkilladj, |
303 | p->comm); | 303 | p->comm); |
304 | task_unlock(p); | 304 | task_unlock(p); |
diff --git a/net/core/scm.c b/net/core/scm.c index 4681d8f9b45b..c28ca32a7d93 100644 --- a/net/core/scm.c +++ b/net/core/scm.c | |||
@@ -44,11 +44,13 @@ | |||
44 | 44 | ||
45 | static __inline__ int scm_check_creds(struct ucred *creds) | 45 | static __inline__ int scm_check_creds(struct ucred *creds) |
46 | { | 46 | { |
47 | struct cred *cred = current->cred; | ||
48 | |||
47 | if ((creds->pid == task_tgid_vnr(current) || capable(CAP_SYS_ADMIN)) && | 49 | if ((creds->pid == task_tgid_vnr(current) || capable(CAP_SYS_ADMIN)) && |
48 | ((creds->uid == current_uid() || creds->uid == current_euid() || | 50 | ((creds->uid == cred->uid || creds->uid == cred->euid || |
49 | creds->uid == current_suid()) || capable(CAP_SETUID)) && | 51 | creds->uid == cred->suid) || capable(CAP_SETUID)) && |
50 | ((creds->gid == current_gid() || creds->gid == current_egid() || | 52 | ((creds->gid == cred->gid || creds->gid == cred->egid || |
51 | creds->gid == current_sgid()) || capable(CAP_SETGID))) { | 53 | creds->gid == cred->sgid) || capable(CAP_SETGID))) { |
52 | return 0; | 54 | return 0; |
53 | } | 55 | } |
54 | return -EPERM; | 56 | return -EPERM; |
diff --git a/net/sunrpc/auth.c b/net/sunrpc/auth.c index 8fc380578807..c79543212602 100644 --- a/net/sunrpc/auth.c +++ b/net/sunrpc/auth.c | |||
@@ -353,7 +353,7 @@ rpcauth_lookupcred(struct rpc_auth *auth, int flags) | |||
353 | struct auth_cred acred = { | 353 | struct auth_cred acred = { |
354 | .uid = current_fsuid(), | 354 | .uid = current_fsuid(), |
355 | .gid = current_fsgid(), | 355 | .gid = current_fsgid(), |
356 | .group_info = current->group_info, | 356 | .group_info = current->cred->group_info, |
357 | }; | 357 | }; |
358 | struct rpc_cred *ret; | 358 | struct rpc_cred *ret; |
359 | 359 | ||
diff --git a/security/commoncap.c b/security/commoncap.c index fb4e240720d8..fa61679f8c73 100644 --- a/security/commoncap.c +++ b/security/commoncap.c | |||
@@ -30,7 +30,7 @@ | |||
30 | 30 | ||
31 | int cap_netlink_send(struct sock *sk, struct sk_buff *skb) | 31 | int cap_netlink_send(struct sock *sk, struct sk_buff *skb) |
32 | { | 32 | { |
33 | NETLINK_CB(skb).eff_cap = current->cap_effective; | 33 | NETLINK_CB(skb).eff_cap = current_cap(); |
34 | return 0; | 34 | return 0; |
35 | } | 35 | } |
36 | 36 | ||
@@ -52,7 +52,7 @@ EXPORT_SYMBOL(cap_netlink_recv); | |||
52 | int cap_capable(struct task_struct *tsk, int cap, int audit) | 52 | int cap_capable(struct task_struct *tsk, int cap, int audit) |
53 | { | 53 | { |
54 | /* Derived from include/linux/sched.h:capable. */ | 54 | /* Derived from include/linux/sched.h:capable. */ |
55 | if (cap_raised(tsk->cap_effective, cap)) | 55 | if (cap_raised(tsk->cred->cap_effective, cap)) |
56 | return 0; | 56 | return 0; |
57 | return -EPERM; | 57 | return -EPERM; |
58 | } | 58 | } |
@@ -67,7 +67,8 @@ int cap_settime(struct timespec *ts, struct timezone *tz) | |||
67 | int cap_ptrace_may_access(struct task_struct *child, unsigned int mode) | 67 | int cap_ptrace_may_access(struct task_struct *child, unsigned int mode) |
68 | { | 68 | { |
69 | /* Derived from arch/i386/kernel/ptrace.c:sys_ptrace. */ | 69 | /* Derived from arch/i386/kernel/ptrace.c:sys_ptrace. */ |
70 | if (cap_issubset(child->cap_permitted, current->cap_permitted)) | 70 | if (cap_issubset(child->cred->cap_permitted, |
71 | current->cred->cap_permitted)) | ||
71 | return 0; | 72 | return 0; |
72 | if (capable(CAP_SYS_PTRACE)) | 73 | if (capable(CAP_SYS_PTRACE)) |
73 | return 0; | 74 | return 0; |
@@ -76,8 +77,8 @@ int cap_ptrace_may_access(struct task_struct *child, unsigned int mode) | |||
76 | 77 | ||
77 | int cap_ptrace_traceme(struct task_struct *parent) | 78 | int cap_ptrace_traceme(struct task_struct *parent) |
78 | { | 79 | { |
79 | /* Derived from arch/i386/kernel/ptrace.c:sys_ptrace. */ | 80 | if (cap_issubset(current->cred->cap_permitted, |
80 | if (cap_issubset(current->cap_permitted, parent->cap_permitted)) | 81 | parent->cred->cap_permitted)) |
81 | return 0; | 82 | return 0; |
82 | if (has_capability(parent, CAP_SYS_PTRACE)) | 83 | if (has_capability(parent, CAP_SYS_PTRACE)) |
83 | return 0; | 84 | return 0; |
@@ -87,10 +88,12 @@ int cap_ptrace_traceme(struct task_struct *parent) | |||
87 | int cap_capget (struct task_struct *target, kernel_cap_t *effective, | 88 | int cap_capget (struct task_struct *target, kernel_cap_t *effective, |
88 | kernel_cap_t *inheritable, kernel_cap_t *permitted) | 89 | kernel_cap_t *inheritable, kernel_cap_t *permitted) |
89 | { | 90 | { |
91 | struct cred *cred = target->cred; | ||
92 | |||
90 | /* Derived from kernel/capability.c:sys_capget. */ | 93 | /* Derived from kernel/capability.c:sys_capget. */ |
91 | *effective = target->cap_effective; | 94 | *effective = cred->cap_effective; |
92 | *inheritable = target->cap_inheritable; | 95 | *inheritable = cred->cap_inheritable; |
93 | *permitted = target->cap_permitted; | 96 | *permitted = cred->cap_permitted; |
94 | return 0; | 97 | return 0; |
95 | } | 98 | } |
96 | 99 | ||
@@ -122,24 +125,26 @@ int cap_capset_check(const kernel_cap_t *effective, | |||
122 | const kernel_cap_t *inheritable, | 125 | const kernel_cap_t *inheritable, |
123 | const kernel_cap_t *permitted) | 126 | const kernel_cap_t *permitted) |
124 | { | 127 | { |
128 | const struct cred *cred = current->cred; | ||
129 | |||
125 | if (cap_inh_is_capped() | 130 | if (cap_inh_is_capped() |
126 | && !cap_issubset(*inheritable, | 131 | && !cap_issubset(*inheritable, |
127 | cap_combine(current->cap_inheritable, | 132 | cap_combine(cred->cap_inheritable, |
128 | current->cap_permitted))) { | 133 | cred->cap_permitted))) { |
129 | /* incapable of using this inheritable set */ | 134 | /* incapable of using this inheritable set */ |
130 | return -EPERM; | 135 | return -EPERM; |
131 | } | 136 | } |
132 | if (!cap_issubset(*inheritable, | 137 | if (!cap_issubset(*inheritable, |
133 | cap_combine(current->cap_inheritable, | 138 | cap_combine(cred->cap_inheritable, |
134 | current->cap_bset))) { | 139 | cred->cap_bset))) { |
135 | /* no new pI capabilities outside bounding set */ | 140 | /* no new pI capabilities outside bounding set */ |
136 | return -EPERM; | 141 | return -EPERM; |
137 | } | 142 | } |
138 | 143 | ||
139 | /* verify restrictions on target's new Permitted set */ | 144 | /* verify restrictions on target's new Permitted set */ |
140 | if (!cap_issubset (*permitted, | 145 | if (!cap_issubset (*permitted, |
141 | cap_combine (current->cap_permitted, | 146 | cap_combine (cred->cap_permitted, |
142 | current->cap_permitted))) { | 147 | cred->cap_permitted))) { |
143 | return -EPERM; | 148 | return -EPERM; |
144 | } | 149 | } |
145 | 150 | ||
@@ -155,9 +160,11 @@ void cap_capset_set(const kernel_cap_t *effective, | |||
155 | const kernel_cap_t *inheritable, | 160 | const kernel_cap_t *inheritable, |
156 | const kernel_cap_t *permitted) | 161 | const kernel_cap_t *permitted) |
157 | { | 162 | { |
158 | current->cap_effective = *effective; | 163 | struct cred *cred = current->cred; |
159 | current->cap_inheritable = *inheritable; | 164 | |
160 | current->cap_permitted = *permitted; | 165 | cred->cap_effective = *effective; |
166 | cred->cap_inheritable = *inheritable; | ||
167 | cred->cap_permitted = *permitted; | ||
161 | } | 168 | } |
162 | 169 | ||
163 | static inline void bprm_clear_caps(struct linux_binprm *bprm) | 170 | static inline void bprm_clear_caps(struct linux_binprm *bprm) |
@@ -211,8 +218,8 @@ static inline int bprm_caps_from_vfs_caps(struct cpu_vfs_cap_data *caps, | |||
211 | * pP' = (X & fP) | (pI & fI) | 218 | * pP' = (X & fP) | (pI & fI) |
212 | */ | 219 | */ |
213 | bprm->cap_post_exec_permitted.cap[i] = | 220 | bprm->cap_post_exec_permitted.cap[i] = |
214 | (current->cap_bset.cap[i] & permitted) | | 221 | (current->cred->cap_bset.cap[i] & permitted) | |
215 | (current->cap_inheritable.cap[i] & inheritable); | 222 | (current->cred->cap_inheritable.cap[i] & inheritable); |
216 | 223 | ||
217 | if (permitted & ~bprm->cap_post_exec_permitted.cap[i]) { | 224 | if (permitted & ~bprm->cap_post_exec_permitted.cap[i]) { |
218 | /* | 225 | /* |
@@ -354,8 +361,8 @@ int cap_bprm_set_security (struct linux_binprm *bprm) | |||
354 | if (bprm->e_uid == 0 || current_uid() == 0) { | 361 | if (bprm->e_uid == 0 || current_uid() == 0) { |
355 | /* pP' = (cap_bset & ~0) | (pI & ~0) */ | 362 | /* pP' = (cap_bset & ~0) | (pI & ~0) */ |
356 | bprm->cap_post_exec_permitted = cap_combine( | 363 | bprm->cap_post_exec_permitted = cap_combine( |
357 | current->cap_bset, current->cap_inheritable | 364 | current->cred->cap_bset, |
358 | ); | 365 | current->cred->cap_inheritable); |
359 | bprm->cap_effective = (bprm->e_uid == 0); | 366 | bprm->cap_effective = (bprm->e_uid == 0); |
360 | ret = 0; | 367 | ret = 0; |
361 | } | 368 | } |
@@ -366,44 +373,39 @@ int cap_bprm_set_security (struct linux_binprm *bprm) | |||
366 | 373 | ||
367 | void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe) | 374 | void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe) |
368 | { | 375 | { |
369 | kernel_cap_t pP = current->cap_permitted; | 376 | struct cred *cred = current->cred; |
370 | kernel_cap_t pE = current->cap_effective; | ||
371 | uid_t uid; | ||
372 | gid_t gid; | ||
373 | 377 | ||
374 | current_uid_gid(&uid, &gid); | 378 | if (bprm->e_uid != cred->uid || bprm->e_gid != cred->gid || |
375 | |||
376 | if (bprm->e_uid != uid || bprm->e_gid != gid || | ||
377 | !cap_issubset(bprm->cap_post_exec_permitted, | 379 | !cap_issubset(bprm->cap_post_exec_permitted, |
378 | current->cap_permitted)) { | 380 | cred->cap_permitted)) { |
379 | set_dumpable(current->mm, suid_dumpable); | 381 | set_dumpable(current->mm, suid_dumpable); |
380 | current->pdeath_signal = 0; | 382 | current->pdeath_signal = 0; |
381 | 383 | ||
382 | if (unsafe & ~LSM_UNSAFE_PTRACE_CAP) { | 384 | if (unsafe & ~LSM_UNSAFE_PTRACE_CAP) { |
383 | if (!capable(CAP_SETUID)) { | 385 | if (!capable(CAP_SETUID)) { |
384 | bprm->e_uid = uid; | 386 | bprm->e_uid = cred->uid; |
385 | bprm->e_gid = gid; | 387 | bprm->e_gid = cred->gid; |
386 | } | 388 | } |
387 | if (cap_limit_ptraced_target()) { | 389 | if (cap_limit_ptraced_target()) { |
388 | bprm->cap_post_exec_permitted = cap_intersect( | 390 | bprm->cap_post_exec_permitted = cap_intersect( |
389 | bprm->cap_post_exec_permitted, | 391 | bprm->cap_post_exec_permitted, |
390 | current->cap_permitted); | 392 | cred->cap_permitted); |
391 | } | 393 | } |
392 | } | 394 | } |
393 | } | 395 | } |
394 | 396 | ||
395 | current->suid = current->euid = current->fsuid = bprm->e_uid; | 397 | cred->suid = cred->euid = cred->fsuid = bprm->e_uid; |
396 | current->sgid = current->egid = current->fsgid = bprm->e_gid; | 398 | cred->sgid = cred->egid = cred->fsgid = bprm->e_gid; |
397 | 399 | ||
398 | /* For init, we want to retain the capabilities set | 400 | /* For init, we want to retain the capabilities set |
399 | * in the init_task struct. Thus we skip the usual | 401 | * in the init_task struct. Thus we skip the usual |
400 | * capability rules */ | 402 | * capability rules */ |
401 | if (!is_global_init(current)) { | 403 | if (!is_global_init(current)) { |
402 | current->cap_permitted = bprm->cap_post_exec_permitted; | 404 | cred->cap_permitted = bprm->cap_post_exec_permitted; |
403 | if (bprm->cap_effective) | 405 | if (bprm->cap_effective) |
404 | current->cap_effective = bprm->cap_post_exec_permitted; | 406 | cred->cap_effective = bprm->cap_post_exec_permitted; |
405 | else | 407 | else |
406 | cap_clear(current->cap_effective); | 408 | cap_clear(cred->cap_effective); |
407 | } | 409 | } |
408 | 410 | ||
409 | /* | 411 | /* |
@@ -418,27 +420,30 @@ void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe) | |||
418 | * Number 1 above might fail if you don't have a full bset, but I think | 420 | * Number 1 above might fail if you don't have a full bset, but I think |
419 | * that is interesting information to audit. | 421 | * that is interesting information to audit. |
420 | */ | 422 | */ |
421 | if (!cap_isclear(current->cap_effective)) { | 423 | if (!cap_isclear(cred->cap_effective)) { |
422 | if (!cap_issubset(CAP_FULL_SET, current->cap_effective) || | 424 | if (!cap_issubset(CAP_FULL_SET, cred->cap_effective) || |
423 | (bprm->e_uid != 0) || (current->uid != 0) || | 425 | (bprm->e_uid != 0) || (cred->uid != 0) || |
424 | issecure(SECURE_NOROOT)) | 426 | issecure(SECURE_NOROOT)) |
425 | audit_log_bprm_fcaps(bprm, &pP, &pE); | 427 | audit_log_bprm_fcaps(bprm, &cred->cap_permitted, |
428 | &cred->cap_effective); | ||
426 | } | 429 | } |
427 | 430 | ||
428 | current->securebits &= ~issecure_mask(SECURE_KEEP_CAPS); | 431 | cred->securebits &= ~issecure_mask(SECURE_KEEP_CAPS); |
429 | } | 432 | } |
430 | 433 | ||
431 | int cap_bprm_secureexec (struct linux_binprm *bprm) | 434 | int cap_bprm_secureexec (struct linux_binprm *bprm) |
432 | { | 435 | { |
433 | if (current_uid() != 0) { | 436 | const struct cred *cred = current->cred; |
437 | |||
438 | if (cred->uid != 0) { | ||
434 | if (bprm->cap_effective) | 439 | if (bprm->cap_effective) |
435 | return 1; | 440 | return 1; |
436 | if (!cap_isclear(bprm->cap_post_exec_permitted)) | 441 | if (!cap_isclear(bprm->cap_post_exec_permitted)) |
437 | return 1; | 442 | return 1; |
438 | } | 443 | } |
439 | 444 | ||
440 | return (current_euid() != current_uid() || | 445 | return (cred->euid != cred->uid || |
441 | current_egid() != current_gid()); | 446 | cred->egid != cred->gid); |
442 | } | 447 | } |
443 | 448 | ||
444 | int cap_inode_setxattr(struct dentry *dentry, const char *name, | 449 | int cap_inode_setxattr(struct dentry *dentry, const char *name, |
@@ -501,25 +506,27 @@ int cap_inode_removexattr(struct dentry *dentry, const char *name) | |||
501 | static inline void cap_emulate_setxuid (int old_ruid, int old_euid, | 506 | static inline void cap_emulate_setxuid (int old_ruid, int old_euid, |
502 | int old_suid) | 507 | int old_suid) |
503 | { | 508 | { |
504 | uid_t euid = current_euid(); | 509 | struct cred *cred = current->cred; |
505 | 510 | ||
506 | if ((old_ruid == 0 || old_euid == 0 || old_suid == 0) && | 511 | if ((old_ruid == 0 || old_euid == 0 || old_suid == 0) && |
507 | (current_uid() != 0 && euid != 0 && current_suid() != 0) && | 512 | (cred->uid != 0 && cred->euid != 0 && cred->suid != 0) && |
508 | !issecure(SECURE_KEEP_CAPS)) { | 513 | !issecure(SECURE_KEEP_CAPS)) { |
509 | cap_clear (current->cap_permitted); | 514 | cap_clear (cred->cap_permitted); |
510 | cap_clear (current->cap_effective); | 515 | cap_clear (cred->cap_effective); |
511 | } | 516 | } |
512 | if (old_euid == 0 && euid != 0) { | 517 | if (old_euid == 0 && cred->euid != 0) { |
513 | cap_clear (current->cap_effective); | 518 | cap_clear (cred->cap_effective); |
514 | } | 519 | } |
515 | if (old_euid != 0 && euid == 0) { | 520 | if (old_euid != 0 && cred->euid == 0) { |
516 | current->cap_effective = current->cap_permitted; | 521 | cred->cap_effective = cred->cap_permitted; |
517 | } | 522 | } |
518 | } | 523 | } |
519 | 524 | ||
520 | int cap_task_post_setuid (uid_t old_ruid, uid_t old_euid, uid_t old_suid, | 525 | int cap_task_post_setuid (uid_t old_ruid, uid_t old_euid, uid_t old_suid, |
521 | int flags) | 526 | int flags) |
522 | { | 527 | { |
528 | struct cred *cred = current->cred; | ||
529 | |||
523 | switch (flags) { | 530 | switch (flags) { |
524 | case LSM_SETID_RE: | 531 | case LSM_SETID_RE: |
525 | case LSM_SETID_ID: | 532 | case LSM_SETID_ID: |
@@ -541,16 +548,16 @@ int cap_task_post_setuid (uid_t old_ruid, uid_t old_euid, uid_t old_suid, | |||
541 | */ | 548 | */ |
542 | 549 | ||
543 | if (!issecure (SECURE_NO_SETUID_FIXUP)) { | 550 | if (!issecure (SECURE_NO_SETUID_FIXUP)) { |
544 | if (old_fsuid == 0 && current_fsuid() != 0) { | 551 | if (old_fsuid == 0 && cred->fsuid != 0) { |
545 | current->cap_effective = | 552 | cred->cap_effective = |
546 | cap_drop_fs_set( | 553 | cap_drop_fs_set( |
547 | current->cap_effective); | 554 | cred->cap_effective); |
548 | } | 555 | } |
549 | if (old_fsuid != 0 && current_fsuid() == 0) { | 556 | if (old_fsuid != 0 && cred->fsuid == 0) { |
550 | current->cap_effective = | 557 | cred->cap_effective = |
551 | cap_raise_fs_set( | 558 | cap_raise_fs_set( |
552 | current->cap_effective, | 559 | cred->cap_effective, |
553 | current->cap_permitted); | 560 | cred->cap_permitted); |
554 | } | 561 | } |
555 | } | 562 | } |
556 | break; | 563 | break; |
@@ -575,7 +582,8 @@ int cap_task_post_setuid (uid_t old_ruid, uid_t old_euid, uid_t old_suid, | |||
575 | */ | 582 | */ |
576 | static int cap_safe_nice(struct task_struct *p) | 583 | static int cap_safe_nice(struct task_struct *p) |
577 | { | 584 | { |
578 | if (!cap_issubset(p->cap_permitted, current->cap_permitted) && | 585 | if (!cap_issubset(p->cred->cap_permitted, |
586 | current->cred->cap_permitted) && | ||
579 | !capable(CAP_SYS_NICE)) | 587 | !capable(CAP_SYS_NICE)) |
580 | return -EPERM; | 588 | return -EPERM; |
581 | return 0; | 589 | return 0; |
@@ -610,7 +618,7 @@ static long cap_prctl_drop(unsigned long cap) | |||
610 | return -EPERM; | 618 | return -EPERM; |
611 | if (!cap_valid(cap)) | 619 | if (!cap_valid(cap)) |
612 | return -EINVAL; | 620 | return -EINVAL; |
613 | cap_lower(current->cap_bset, cap); | 621 | cap_lower(current->cred->cap_bset, cap); |
614 | return 0; | 622 | return 0; |
615 | } | 623 | } |
616 | 624 | ||
@@ -633,6 +641,7 @@ int cap_task_setnice (struct task_struct *p, int nice) | |||
633 | int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3, | 641 | int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3, |
634 | unsigned long arg4, unsigned long arg5, long *rc_p) | 642 | unsigned long arg4, unsigned long arg5, long *rc_p) |
635 | { | 643 | { |
644 | struct cred *cred = current->cred; | ||
636 | long error = 0; | 645 | long error = 0; |
637 | 646 | ||
638 | switch (option) { | 647 | switch (option) { |
@@ -640,7 +649,7 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3, | |||
640 | if (!cap_valid(arg2)) | 649 | if (!cap_valid(arg2)) |
641 | error = -EINVAL; | 650 | error = -EINVAL; |
642 | else | 651 | else |
643 | error = !!cap_raised(current->cap_bset, arg2); | 652 | error = !!cap_raised(cred->cap_bset, arg2); |
644 | break; | 653 | break; |
645 | #ifdef CONFIG_SECURITY_FILE_CAPABILITIES | 654 | #ifdef CONFIG_SECURITY_FILE_CAPABILITIES |
646 | case PR_CAPBSET_DROP: | 655 | case PR_CAPBSET_DROP: |
@@ -667,9 +676,9 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3, | |||
667 | * capability-based-privilege environment. | 676 | * capability-based-privilege environment. |
668 | */ | 677 | */ |
669 | case PR_SET_SECUREBITS: | 678 | case PR_SET_SECUREBITS: |
670 | if ((((current->securebits & SECURE_ALL_LOCKS) >> 1) | 679 | if ((((cred->securebits & SECURE_ALL_LOCKS) >> 1) |
671 | & (current->securebits ^ arg2)) /*[1]*/ | 680 | & (cred->securebits ^ arg2)) /*[1]*/ |
672 | || ((current->securebits & SECURE_ALL_LOCKS | 681 | || ((cred->securebits & SECURE_ALL_LOCKS |
673 | & ~arg2)) /*[2]*/ | 682 | & ~arg2)) /*[2]*/ |
674 | || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS)) /*[3]*/ | 683 | || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS)) /*[3]*/ |
675 | || (cap_capable(current, CAP_SETPCAP, SECURITY_CAP_AUDIT) != 0)) { /*[4]*/ | 684 | || (cap_capable(current, CAP_SETPCAP, SECURITY_CAP_AUDIT) != 0)) { /*[4]*/ |
@@ -682,11 +691,11 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3, | |||
682 | */ | 691 | */ |
683 | error = -EPERM; /* cannot change a locked bit */ | 692 | error = -EPERM; /* cannot change a locked bit */ |
684 | } else { | 693 | } else { |
685 | current->securebits = arg2; | 694 | cred->securebits = arg2; |
686 | } | 695 | } |
687 | break; | 696 | break; |
688 | case PR_GET_SECUREBITS: | 697 | case PR_GET_SECUREBITS: |
689 | error = current->securebits; | 698 | error = cred->securebits; |
690 | break; | 699 | break; |
691 | 700 | ||
692 | #endif /* def CONFIG_SECURITY_FILE_CAPABILITIES */ | 701 | #endif /* def CONFIG_SECURITY_FILE_CAPABILITIES */ |
@@ -701,10 +710,9 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3, | |||
701 | else if (issecure(SECURE_KEEP_CAPS_LOCKED)) | 710 | else if (issecure(SECURE_KEEP_CAPS_LOCKED)) |
702 | error = -EPERM; | 711 | error = -EPERM; |
703 | else if (arg2) | 712 | else if (arg2) |
704 | current->securebits |= issecure_mask(SECURE_KEEP_CAPS); | 713 | cred->securebits |= issecure_mask(SECURE_KEEP_CAPS); |
705 | else | 714 | else |
706 | current->securebits &= | 715 | cred->securebits &= ~issecure_mask(SECURE_KEEP_CAPS); |
707 | ~issecure_mask(SECURE_KEEP_CAPS); | ||
708 | break; | 716 | break; |
709 | 717 | ||
710 | default: | 718 | default: |
@@ -719,11 +727,12 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3, | |||
719 | 727 | ||
720 | void cap_task_reparent_to_init (struct task_struct *p) | 728 | void cap_task_reparent_to_init (struct task_struct *p) |
721 | { | 729 | { |
722 | cap_set_init_eff(p->cap_effective); | 730 | struct cred *cred = p->cred; |
723 | cap_clear(p->cap_inheritable); | 731 | |
724 | cap_set_full(p->cap_permitted); | 732 | cap_set_init_eff(cred->cap_effective); |
725 | p->securebits = SECUREBITS_DEFAULT; | 733 | cap_clear(cred->cap_inheritable); |
726 | return; | 734 | cap_set_full(cred->cap_permitted); |
735 | p->cred->securebits = SECUREBITS_DEFAULT; | ||
727 | } | 736 | } |
728 | 737 | ||
729 | int cap_syslog (int type) | 738 | int cap_syslog (int type) |
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c index fcce331eca72..8833b447adef 100644 --- a/security/keys/keyctl.c +++ b/security/keys/keyctl.c | |||
@@ -889,7 +889,7 @@ long keyctl_instantiate_key(key_serial_t id, | |||
889 | /* the appropriate instantiation authorisation key must have been | 889 | /* the appropriate instantiation authorisation key must have been |
890 | * assumed before calling this */ | 890 | * assumed before calling this */ |
891 | ret = -EPERM; | 891 | ret = -EPERM; |
892 | instkey = current->request_key_auth; | 892 | instkey = current->cred->request_key_auth; |
893 | if (!instkey) | 893 | if (!instkey) |
894 | goto error; | 894 | goto error; |
895 | 895 | ||
@@ -932,8 +932,8 @@ long keyctl_instantiate_key(key_serial_t id, | |||
932 | /* discard the assumed authority if it's just been disabled by | 932 | /* discard the assumed authority if it's just been disabled by |
933 | * instantiation of the key */ | 933 | * instantiation of the key */ |
934 | if (ret == 0) { | 934 | if (ret == 0) { |
935 | key_put(current->request_key_auth); | 935 | key_put(current->cred->request_key_auth); |
936 | current->request_key_auth = NULL; | 936 | current->cred->request_key_auth = NULL; |
937 | } | 937 | } |
938 | 938 | ||
939 | error2: | 939 | error2: |
@@ -960,7 +960,7 @@ long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid) | |||
960 | /* the appropriate instantiation authorisation key must have been | 960 | /* the appropriate instantiation authorisation key must have been |
961 | * assumed before calling this */ | 961 | * assumed before calling this */ |
962 | ret = -EPERM; | 962 | ret = -EPERM; |
963 | instkey = current->request_key_auth; | 963 | instkey = current->cred->request_key_auth; |
964 | if (!instkey) | 964 | if (!instkey) |
965 | goto error; | 965 | goto error; |
966 | 966 | ||
@@ -983,8 +983,8 @@ long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid) | |||
983 | /* discard the assumed authority if it's just been disabled by | 983 | /* discard the assumed authority if it's just been disabled by |
984 | * instantiation of the key */ | 984 | * instantiation of the key */ |
985 | if (ret == 0) { | 985 | if (ret == 0) { |
986 | key_put(current->request_key_auth); | 986 | key_put(current->cred->request_key_auth); |
987 | current->request_key_auth = NULL; | 987 | current->cred->request_key_auth = NULL; |
988 | } | 988 | } |
989 | 989 | ||
990 | error: | 990 | error: |
@@ -999,6 +999,7 @@ error: | |||
999 | */ | 999 | */ |
1000 | long keyctl_set_reqkey_keyring(int reqkey_defl) | 1000 | long keyctl_set_reqkey_keyring(int reqkey_defl) |
1001 | { | 1001 | { |
1002 | struct cred *cred = current->cred; | ||
1002 | int ret; | 1003 | int ret; |
1003 | 1004 | ||
1004 | switch (reqkey_defl) { | 1005 | switch (reqkey_defl) { |
@@ -1018,10 +1019,10 @@ long keyctl_set_reqkey_keyring(int reqkey_defl) | |||
1018 | case KEY_REQKEY_DEFL_USER_KEYRING: | 1019 | case KEY_REQKEY_DEFL_USER_KEYRING: |
1019 | case KEY_REQKEY_DEFL_USER_SESSION_KEYRING: | 1020 | case KEY_REQKEY_DEFL_USER_SESSION_KEYRING: |
1020 | set: | 1021 | set: |
1021 | current->jit_keyring = reqkey_defl; | 1022 | cred->jit_keyring = reqkey_defl; |
1022 | 1023 | ||
1023 | case KEY_REQKEY_DEFL_NO_CHANGE: | 1024 | case KEY_REQKEY_DEFL_NO_CHANGE: |
1024 | return current->jit_keyring; | 1025 | return cred->jit_keyring; |
1025 | 1026 | ||
1026 | case KEY_REQKEY_DEFL_GROUP_KEYRING: | 1027 | case KEY_REQKEY_DEFL_GROUP_KEYRING: |
1027 | default: | 1028 | default: |
@@ -1086,8 +1087,8 @@ long keyctl_assume_authority(key_serial_t id) | |||
1086 | 1087 | ||
1087 | /* we divest ourselves of authority if given an ID of 0 */ | 1088 | /* we divest ourselves of authority if given an ID of 0 */ |
1088 | if (id == 0) { | 1089 | if (id == 0) { |
1089 | key_put(current->request_key_auth); | 1090 | key_put(current->cred->request_key_auth); |
1090 | current->request_key_auth = NULL; | 1091 | current->cred->request_key_auth = NULL; |
1091 | ret = 0; | 1092 | ret = 0; |
1092 | goto error; | 1093 | goto error; |
1093 | } | 1094 | } |
@@ -1103,8 +1104,8 @@ long keyctl_assume_authority(key_serial_t id) | |||
1103 | goto error; | 1104 | goto error; |
1104 | } | 1105 | } |
1105 | 1106 | ||
1106 | key_put(current->request_key_auth); | 1107 | key_put(current->cred->request_key_auth); |
1107 | current->request_key_auth = authkey; | 1108 | current->cred->request_key_auth = authkey; |
1108 | ret = authkey->serial; | 1109 | ret = authkey->serial; |
1109 | 1110 | ||
1110 | error: | 1111 | error: |
diff --git a/security/keys/permission.c b/security/keys/permission.c index 3b41f9b52537..baf3d5f31e71 100644 --- a/security/keys/permission.c +++ b/security/keys/permission.c | |||
@@ -22,6 +22,7 @@ int key_task_permission(const key_ref_t key_ref, | |||
22 | struct task_struct *context, | 22 | struct task_struct *context, |
23 | key_perm_t perm) | 23 | key_perm_t perm) |
24 | { | 24 | { |
25 | struct cred *cred = context->cred; | ||
25 | struct key *key; | 26 | struct key *key; |
26 | key_perm_t kperm; | 27 | key_perm_t kperm; |
27 | int ret; | 28 | int ret; |
@@ -29,7 +30,7 @@ int key_task_permission(const key_ref_t key_ref, | |||
29 | key = key_ref_to_ptr(key_ref); | 30 | key = key_ref_to_ptr(key_ref); |
30 | 31 | ||
31 | /* use the second 8-bits of permissions for keys the caller owns */ | 32 | /* use the second 8-bits of permissions for keys the caller owns */ |
32 | if (key->uid == context->fsuid) { | 33 | if (key->uid == cred->fsuid) { |
33 | kperm = key->perm >> 16; | 34 | kperm = key->perm >> 16; |
34 | goto use_these_perms; | 35 | goto use_these_perms; |
35 | } | 36 | } |
@@ -37,14 +38,14 @@ int key_task_permission(const key_ref_t key_ref, | |||
37 | /* use the third 8-bits of permissions for keys the caller has a group | 38 | /* use the third 8-bits of permissions for keys the caller has a group |
38 | * membership in common with */ | 39 | * membership in common with */ |
39 | if (key->gid != -1 && key->perm & KEY_GRP_ALL) { | 40 | if (key->gid != -1 && key->perm & KEY_GRP_ALL) { |
40 | if (key->gid == context->fsgid) { | 41 | if (key->gid == cred->fsgid) { |
41 | kperm = key->perm >> 8; | 42 | kperm = key->perm >> 8; |
42 | goto use_these_perms; | 43 | goto use_these_perms; |
43 | } | 44 | } |
44 | 45 | ||
45 | task_lock(context); | 46 | spin_lock(&cred->lock); |
46 | ret = groups_search(context->group_info, key->gid); | 47 | ret = groups_search(cred->group_info, key->gid); |
47 | task_unlock(context); | 48 | spin_unlock(&cred->lock); |
48 | 49 | ||
49 | if (ret) { | 50 | if (ret) { |
50 | kperm = key->perm >> 8; | 51 | kperm = key->perm >> 8; |
diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c index 1c793b7090a7..b0904cdda2e7 100644 --- a/security/keys/process_keys.c +++ b/security/keys/process_keys.c | |||
@@ -42,7 +42,7 @@ struct key_user root_key_user = { | |||
42 | */ | 42 | */ |
43 | int install_user_keyrings(void) | 43 | int install_user_keyrings(void) |
44 | { | 44 | { |
45 | struct user_struct *user = current->user; | 45 | struct user_struct *user = current->cred->user; |
46 | struct key *uid_keyring, *session_keyring; | 46 | struct key *uid_keyring, *session_keyring; |
47 | char buf[20]; | 47 | char buf[20]; |
48 | int ret; | 48 | int ret; |
@@ -156,7 +156,7 @@ int install_thread_keyring(void) | |||
156 | 156 | ||
157 | sprintf(buf, "_tid.%u", tsk->pid); | 157 | sprintf(buf, "_tid.%u", tsk->pid); |
158 | 158 | ||
159 | keyring = keyring_alloc(buf, tsk->uid, tsk->gid, tsk, | 159 | keyring = keyring_alloc(buf, tsk->cred->uid, tsk->cred->gid, tsk, |
160 | KEY_ALLOC_QUOTA_OVERRUN, NULL); | 160 | KEY_ALLOC_QUOTA_OVERRUN, NULL); |
161 | if (IS_ERR(keyring)) { | 161 | if (IS_ERR(keyring)) { |
162 | ret = PTR_ERR(keyring); | 162 | ret = PTR_ERR(keyring); |
@@ -164,8 +164,8 @@ int install_thread_keyring(void) | |||
164 | } | 164 | } |
165 | 165 | ||
166 | task_lock(tsk); | 166 | task_lock(tsk); |
167 | old = tsk->thread_keyring; | 167 | old = tsk->cred->thread_keyring; |
168 | tsk->thread_keyring = keyring; | 168 | tsk->cred->thread_keyring = keyring; |
169 | task_unlock(tsk); | 169 | task_unlock(tsk); |
170 | 170 | ||
171 | ret = 0; | 171 | ret = 0; |
@@ -192,7 +192,7 @@ int install_process_keyring(void) | |||
192 | if (!tsk->signal->process_keyring) { | 192 | if (!tsk->signal->process_keyring) { |
193 | sprintf(buf, "_pid.%u", tsk->tgid); | 193 | sprintf(buf, "_pid.%u", tsk->tgid); |
194 | 194 | ||
195 | keyring = keyring_alloc(buf, tsk->uid, tsk->gid, tsk, | 195 | keyring = keyring_alloc(buf, tsk->cred->uid, tsk->cred->gid, tsk, |
196 | KEY_ALLOC_QUOTA_OVERRUN, NULL); | 196 | KEY_ALLOC_QUOTA_OVERRUN, NULL); |
197 | if (IS_ERR(keyring)) { | 197 | if (IS_ERR(keyring)) { |
198 | ret = PTR_ERR(keyring); | 198 | ret = PTR_ERR(keyring); |
@@ -238,7 +238,7 @@ static int install_session_keyring(struct key *keyring) | |||
238 | if (tsk->signal->session_keyring) | 238 | if (tsk->signal->session_keyring) |
239 | flags = KEY_ALLOC_IN_QUOTA; | 239 | flags = KEY_ALLOC_IN_QUOTA; |
240 | 240 | ||
241 | keyring = keyring_alloc(buf, tsk->uid, tsk->gid, tsk, | 241 | keyring = keyring_alloc(buf, tsk->cred->uid, tsk->cred->gid, tsk, |
242 | flags, NULL); | 242 | flags, NULL); |
243 | if (IS_ERR(keyring)) | 243 | if (IS_ERR(keyring)) |
244 | return PTR_ERR(keyring); | 244 | return PTR_ERR(keyring); |
@@ -292,14 +292,14 @@ int copy_thread_group_keys(struct task_struct *tsk) | |||
292 | */ | 292 | */ |
293 | int copy_keys(unsigned long clone_flags, struct task_struct *tsk) | 293 | int copy_keys(unsigned long clone_flags, struct task_struct *tsk) |
294 | { | 294 | { |
295 | key_check(tsk->thread_keyring); | 295 | key_check(tsk->cred->thread_keyring); |
296 | key_check(tsk->request_key_auth); | 296 | key_check(tsk->cred->request_key_auth); |
297 | 297 | ||
298 | /* no thread keyring yet */ | 298 | /* no thread keyring yet */ |
299 | tsk->thread_keyring = NULL; | 299 | tsk->cred->thread_keyring = NULL; |
300 | 300 | ||
301 | /* copy the request_key() authorisation for this thread */ | 301 | /* copy the request_key() authorisation for this thread */ |
302 | key_get(tsk->request_key_auth); | 302 | key_get(tsk->cred->request_key_auth); |
303 | 303 | ||
304 | return 0; | 304 | return 0; |
305 | 305 | ||
@@ -322,8 +322,8 @@ void exit_thread_group_keys(struct signal_struct *tg) | |||
322 | */ | 322 | */ |
323 | void exit_keys(struct task_struct *tsk) | 323 | void exit_keys(struct task_struct *tsk) |
324 | { | 324 | { |
325 | key_put(tsk->thread_keyring); | 325 | key_put(tsk->cred->thread_keyring); |
326 | key_put(tsk->request_key_auth); | 326 | key_put(tsk->cred->request_key_auth); |
327 | 327 | ||
328 | } /* end exit_keys() */ | 328 | } /* end exit_keys() */ |
329 | 329 | ||
@@ -337,8 +337,8 @@ int exec_keys(struct task_struct *tsk) | |||
337 | 337 | ||
338 | /* newly exec'd tasks don't get a thread keyring */ | 338 | /* newly exec'd tasks don't get a thread keyring */ |
339 | task_lock(tsk); | 339 | task_lock(tsk); |
340 | old = tsk->thread_keyring; | 340 | old = tsk->cred->thread_keyring; |
341 | tsk->thread_keyring = NULL; | 341 | tsk->cred->thread_keyring = NULL; |
342 | task_unlock(tsk); | 342 | task_unlock(tsk); |
343 | 343 | ||
344 | key_put(old); | 344 | key_put(old); |
@@ -373,10 +373,11 @@ int suid_keys(struct task_struct *tsk) | |||
373 | void key_fsuid_changed(struct task_struct *tsk) | 373 | void key_fsuid_changed(struct task_struct *tsk) |
374 | { | 374 | { |
375 | /* update the ownership of the thread keyring */ | 375 | /* update the ownership of the thread keyring */ |
376 | if (tsk->thread_keyring) { | 376 | BUG_ON(!tsk->cred); |
377 | down_write(&tsk->thread_keyring->sem); | 377 | if (tsk->cred->thread_keyring) { |
378 | tsk->thread_keyring->uid = tsk->fsuid; | 378 | down_write(&tsk->cred->thread_keyring->sem); |
379 | up_write(&tsk->thread_keyring->sem); | 379 | tsk->cred->thread_keyring->uid = tsk->cred->fsuid; |
380 | up_write(&tsk->cred->thread_keyring->sem); | ||
380 | } | 381 | } |
381 | 382 | ||
382 | } /* end key_fsuid_changed() */ | 383 | } /* end key_fsuid_changed() */ |
@@ -388,10 +389,11 @@ void key_fsuid_changed(struct task_struct *tsk) | |||
388 | void key_fsgid_changed(struct task_struct *tsk) | 389 | void key_fsgid_changed(struct task_struct *tsk) |
389 | { | 390 | { |
390 | /* update the ownership of the thread keyring */ | 391 | /* update the ownership of the thread keyring */ |
391 | if (tsk->thread_keyring) { | 392 | BUG_ON(!tsk->cred); |
392 | down_write(&tsk->thread_keyring->sem); | 393 | if (tsk->cred->thread_keyring) { |
393 | tsk->thread_keyring->gid = tsk->fsgid; | 394 | down_write(&tsk->cred->thread_keyring->sem); |
394 | up_write(&tsk->thread_keyring->sem); | 395 | tsk->cred->thread_keyring->gid = tsk->cred->fsgid; |
396 | up_write(&tsk->cred->thread_keyring->sem); | ||
395 | } | 397 | } |
396 | 398 | ||
397 | } /* end key_fsgid_changed() */ | 399 | } /* end key_fsgid_changed() */ |
@@ -426,9 +428,9 @@ key_ref_t search_process_keyrings(struct key_type *type, | |||
426 | err = ERR_PTR(-EAGAIN); | 428 | err = ERR_PTR(-EAGAIN); |
427 | 429 | ||
428 | /* search the thread keyring first */ | 430 | /* search the thread keyring first */ |
429 | if (context->thread_keyring) { | 431 | if (context->cred->thread_keyring) { |
430 | key_ref = keyring_search_aux( | 432 | key_ref = keyring_search_aux( |
431 | make_key_ref(context->thread_keyring, 1), | 433 | make_key_ref(context->cred->thread_keyring, 1), |
432 | context, type, description, match); | 434 | context, type, description, match); |
433 | if (!IS_ERR(key_ref)) | 435 | if (!IS_ERR(key_ref)) |
434 | goto found; | 436 | goto found; |
@@ -493,9 +495,9 @@ key_ref_t search_process_keyrings(struct key_type *type, | |||
493 | } | 495 | } |
494 | } | 496 | } |
495 | /* or search the user-session keyring */ | 497 | /* or search the user-session keyring */ |
496 | else if (context->user->session_keyring) { | 498 | else if (context->cred->user->session_keyring) { |
497 | key_ref = keyring_search_aux( | 499 | key_ref = keyring_search_aux( |
498 | make_key_ref(context->user->session_keyring, 1), | 500 | make_key_ref(context->cred->user->session_keyring, 1), |
499 | context, type, description, match); | 501 | context, type, description, match); |
500 | if (!IS_ERR(key_ref)) | 502 | if (!IS_ERR(key_ref)) |
501 | goto found; | 503 | goto found; |
@@ -517,20 +519,20 @@ key_ref_t search_process_keyrings(struct key_type *type, | |||
517 | * search the keyrings of the process mentioned there | 519 | * search the keyrings of the process mentioned there |
518 | * - we don't permit access to request_key auth keys via this method | 520 | * - we don't permit access to request_key auth keys via this method |
519 | */ | 521 | */ |
520 | if (context->request_key_auth && | 522 | if (context->cred->request_key_auth && |
521 | context == current && | 523 | context == current && |
522 | type != &key_type_request_key_auth | 524 | type != &key_type_request_key_auth |
523 | ) { | 525 | ) { |
524 | /* defend against the auth key being revoked */ | 526 | /* defend against the auth key being revoked */ |
525 | down_read(&context->request_key_auth->sem); | 527 | down_read(&context->cred->request_key_auth->sem); |
526 | 528 | ||
527 | if (key_validate(context->request_key_auth) == 0) { | 529 | if (key_validate(context->cred->request_key_auth) == 0) { |
528 | rka = context->request_key_auth->payload.data; | 530 | rka = context->cred->request_key_auth->payload.data; |
529 | 531 | ||
530 | key_ref = search_process_keyrings(type, description, | 532 | key_ref = search_process_keyrings(type, description, |
531 | match, rka->context); | 533 | match, rka->context); |
532 | 534 | ||
533 | up_read(&context->request_key_auth->sem); | 535 | up_read(&context->cred->request_key_auth->sem); |
534 | 536 | ||
535 | if (!IS_ERR(key_ref)) | 537 | if (!IS_ERR(key_ref)) |
536 | goto found; | 538 | goto found; |
@@ -547,7 +549,7 @@ key_ref_t search_process_keyrings(struct key_type *type, | |||
547 | break; | 549 | break; |
548 | } | 550 | } |
549 | } else { | 551 | } else { |
550 | up_read(&context->request_key_auth->sem); | 552 | up_read(&context->cred->request_key_auth->sem); |
551 | } | 553 | } |
552 | } | 554 | } |
553 | 555 | ||
@@ -580,15 +582,16 @@ key_ref_t lookup_user_key(key_serial_t id, int create, int partial, | |||
580 | { | 582 | { |
581 | struct request_key_auth *rka; | 583 | struct request_key_auth *rka; |
582 | struct task_struct *t = current; | 584 | struct task_struct *t = current; |
583 | key_ref_t key_ref, skey_ref; | 585 | struct cred *cred = t->cred; |
584 | struct key *key; | 586 | struct key *key; |
587 | key_ref_t key_ref, skey_ref; | ||
585 | int ret; | 588 | int ret; |
586 | 589 | ||
587 | key_ref = ERR_PTR(-ENOKEY); | 590 | key_ref = ERR_PTR(-ENOKEY); |
588 | 591 | ||
589 | switch (id) { | 592 | switch (id) { |
590 | case KEY_SPEC_THREAD_KEYRING: | 593 | case KEY_SPEC_THREAD_KEYRING: |
591 | if (!t->thread_keyring) { | 594 | if (!cred->thread_keyring) { |
592 | if (!create) | 595 | if (!create) |
593 | goto error; | 596 | goto error; |
594 | 597 | ||
@@ -599,7 +602,7 @@ key_ref_t lookup_user_key(key_serial_t id, int create, int partial, | |||
599 | } | 602 | } |
600 | } | 603 | } |
601 | 604 | ||
602 | key = t->thread_keyring; | 605 | key = cred->thread_keyring; |
603 | atomic_inc(&key->usage); | 606 | atomic_inc(&key->usage); |
604 | key_ref = make_key_ref(key, 1); | 607 | key_ref = make_key_ref(key, 1); |
605 | break; | 608 | break; |
@@ -628,7 +631,8 @@ key_ref_t lookup_user_key(key_serial_t id, int create, int partial, | |||
628 | ret = install_user_keyrings(); | 631 | ret = install_user_keyrings(); |
629 | if (ret < 0) | 632 | if (ret < 0) |
630 | goto error; | 633 | goto error; |
631 | ret = install_session_keyring(t->user->session_keyring); | 634 | ret = install_session_keyring( |
635 | cred->user->session_keyring); | ||
632 | if (ret < 0) | 636 | if (ret < 0) |
633 | goto error; | 637 | goto error; |
634 | } | 638 | } |
@@ -641,25 +645,25 @@ key_ref_t lookup_user_key(key_serial_t id, int create, int partial, | |||
641 | break; | 645 | break; |
642 | 646 | ||
643 | case KEY_SPEC_USER_KEYRING: | 647 | case KEY_SPEC_USER_KEYRING: |
644 | if (!t->user->uid_keyring) { | 648 | if (!cred->user->uid_keyring) { |
645 | ret = install_user_keyrings(); | 649 | ret = install_user_keyrings(); |
646 | if (ret < 0) | 650 | if (ret < 0) |
647 | goto error; | 651 | goto error; |
648 | } | 652 | } |
649 | 653 | ||
650 | key = t->user->uid_keyring; | 654 | key = cred->user->uid_keyring; |
651 | atomic_inc(&key->usage); | 655 | atomic_inc(&key->usage); |
652 | key_ref = make_key_ref(key, 1); | 656 | key_ref = make_key_ref(key, 1); |
653 | break; | 657 | break; |
654 | 658 | ||
655 | case KEY_SPEC_USER_SESSION_KEYRING: | 659 | case KEY_SPEC_USER_SESSION_KEYRING: |
656 | if (!t->user->session_keyring) { | 660 | if (!cred->user->session_keyring) { |
657 | ret = install_user_keyrings(); | 661 | ret = install_user_keyrings(); |
658 | if (ret < 0) | 662 | if (ret < 0) |
659 | goto error; | 663 | goto error; |
660 | } | 664 | } |
661 | 665 | ||
662 | key = t->user->session_keyring; | 666 | key = cred->user->session_keyring; |
663 | atomic_inc(&key->usage); | 667 | atomic_inc(&key->usage); |
664 | key_ref = make_key_ref(key, 1); | 668 | key_ref = make_key_ref(key, 1); |
665 | break; | 669 | break; |
@@ -670,7 +674,7 @@ key_ref_t lookup_user_key(key_serial_t id, int create, int partial, | |||
670 | goto error; | 674 | goto error; |
671 | 675 | ||
672 | case KEY_SPEC_REQKEY_AUTH_KEY: | 676 | case KEY_SPEC_REQKEY_AUTH_KEY: |
673 | key = t->request_key_auth; | 677 | key = cred->request_key_auth; |
674 | if (!key) | 678 | if (!key) |
675 | goto error; | 679 | goto error; |
676 | 680 | ||
@@ -679,19 +683,19 @@ key_ref_t lookup_user_key(key_serial_t id, int create, int partial, | |||
679 | break; | 683 | break; |
680 | 684 | ||
681 | case KEY_SPEC_REQUESTOR_KEYRING: | 685 | case KEY_SPEC_REQUESTOR_KEYRING: |
682 | if (!t->request_key_auth) | 686 | if (!cred->request_key_auth) |
683 | goto error; | 687 | goto error; |
684 | 688 | ||
685 | down_read(&t->request_key_auth->sem); | 689 | down_read(&cred->request_key_auth->sem); |
686 | if (t->request_key_auth->flags & KEY_FLAG_REVOKED) { | 690 | if (cred->request_key_auth->flags & KEY_FLAG_REVOKED) { |
687 | key_ref = ERR_PTR(-EKEYREVOKED); | 691 | key_ref = ERR_PTR(-EKEYREVOKED); |
688 | key = NULL; | 692 | key = NULL; |
689 | } else { | 693 | } else { |
690 | rka = t->request_key_auth->payload.data; | 694 | rka = cred->request_key_auth->payload.data; |
691 | key = rka->dest_keyring; | 695 | key = rka->dest_keyring; |
692 | atomic_inc(&key->usage); | 696 | atomic_inc(&key->usage); |
693 | } | 697 | } |
694 | up_read(&t->request_key_auth->sem); | 698 | up_read(&cred->request_key_auth->sem); |
695 | if (!key) | 699 | if (!key) |
696 | goto error; | 700 | goto error; |
697 | key_ref = make_key_ref(key, 1); | 701 | key_ref = make_key_ref(key, 1); |
@@ -791,7 +795,7 @@ long join_session_keyring(const char *name) | |||
791 | keyring = find_keyring_by_name(name, false); | 795 | keyring = find_keyring_by_name(name, false); |
792 | if (PTR_ERR(keyring) == -ENOKEY) { | 796 | if (PTR_ERR(keyring) == -ENOKEY) { |
793 | /* not found - try and create a new one */ | 797 | /* not found - try and create a new one */ |
794 | keyring = keyring_alloc(name, tsk->uid, tsk->gid, tsk, | 798 | keyring = keyring_alloc(name, tsk->cred->uid, tsk->cred->gid, tsk, |
795 | KEY_ALLOC_IN_QUOTA, NULL); | 799 | KEY_ALLOC_IN_QUOTA, NULL); |
796 | if (IS_ERR(keyring)) { | 800 | if (IS_ERR(keyring)) { |
797 | ret = PTR_ERR(keyring); | 801 | ret = PTR_ERR(keyring); |
diff --git a/security/keys/request_key.c b/security/keys/request_key.c index 8e9d93b4a402..3e9b9eb1dd28 100644 --- a/security/keys/request_key.c +++ b/security/keys/request_key.c | |||
@@ -104,7 +104,8 @@ static int call_sbin_request_key(struct key_construction *cons, | |||
104 | 104 | ||
105 | /* we specify the process's default keyrings */ | 105 | /* we specify the process's default keyrings */ |
106 | sprintf(keyring_str[0], "%d", | 106 | sprintf(keyring_str[0], "%d", |
107 | tsk->thread_keyring ? tsk->thread_keyring->serial : 0); | 107 | tsk->cred->thread_keyring ? |
108 | tsk->cred->thread_keyring->serial : 0); | ||
108 | 109 | ||
109 | prkey = 0; | 110 | prkey = 0; |
110 | if (tsk->signal->process_keyring) | 111 | if (tsk->signal->process_keyring) |
@@ -117,7 +118,7 @@ static int call_sbin_request_key(struct key_construction *cons, | |||
117 | sskey = rcu_dereference(tsk->signal->session_keyring)->serial; | 118 | sskey = rcu_dereference(tsk->signal->session_keyring)->serial; |
118 | rcu_read_unlock(); | 119 | rcu_read_unlock(); |
119 | } else { | 120 | } else { |
120 | sskey = tsk->user->session_keyring->serial; | 121 | sskey = tsk->cred->user->session_keyring->serial; |
121 | } | 122 | } |
122 | 123 | ||
123 | sprintf(keyring_str[2], "%d", sskey); | 124 | sprintf(keyring_str[2], "%d", sskey); |
@@ -232,11 +233,11 @@ static void construct_get_dest_keyring(struct key **_dest_keyring) | |||
232 | } else { | 233 | } else { |
233 | /* use a default keyring; falling through the cases until we | 234 | /* use a default keyring; falling through the cases until we |
234 | * find one that we actually have */ | 235 | * find one that we actually have */ |
235 | switch (tsk->jit_keyring) { | 236 | switch (tsk->cred->jit_keyring) { |
236 | case KEY_REQKEY_DEFL_DEFAULT: | 237 | case KEY_REQKEY_DEFL_DEFAULT: |
237 | case KEY_REQKEY_DEFL_REQUESTOR_KEYRING: | 238 | case KEY_REQKEY_DEFL_REQUESTOR_KEYRING: |
238 | if (tsk->request_key_auth) { | 239 | if (tsk->cred->request_key_auth) { |
239 | authkey = tsk->request_key_auth; | 240 | authkey = tsk->cred->request_key_auth; |
240 | down_read(&authkey->sem); | 241 | down_read(&authkey->sem); |
241 | rka = authkey->payload.data; | 242 | rka = authkey->payload.data; |
242 | if (!test_bit(KEY_FLAG_REVOKED, | 243 | if (!test_bit(KEY_FLAG_REVOKED, |
@@ -249,7 +250,7 @@ static void construct_get_dest_keyring(struct key **_dest_keyring) | |||
249 | } | 250 | } |
250 | 251 | ||
251 | case KEY_REQKEY_DEFL_THREAD_KEYRING: | 252 | case KEY_REQKEY_DEFL_THREAD_KEYRING: |
252 | dest_keyring = key_get(tsk->thread_keyring); | 253 | dest_keyring = key_get(tsk->cred->thread_keyring); |
253 | if (dest_keyring) | 254 | if (dest_keyring) |
254 | break; | 255 | break; |
255 | 256 | ||
@@ -268,11 +269,12 @@ static void construct_get_dest_keyring(struct key **_dest_keyring) | |||
268 | break; | 269 | break; |
269 | 270 | ||
270 | case KEY_REQKEY_DEFL_USER_SESSION_KEYRING: | 271 | case KEY_REQKEY_DEFL_USER_SESSION_KEYRING: |
271 | dest_keyring = key_get(tsk->user->session_keyring); | 272 | dest_keyring = |
273 | key_get(tsk->cred->user->session_keyring); | ||
272 | break; | 274 | break; |
273 | 275 | ||
274 | case KEY_REQKEY_DEFL_USER_KEYRING: | 276 | case KEY_REQKEY_DEFL_USER_KEYRING: |
275 | dest_keyring = key_get(tsk->user->uid_keyring); | 277 | dest_keyring = key_get(tsk->cred->user->uid_keyring); |
276 | break; | 278 | break; |
277 | 279 | ||
278 | case KEY_REQKEY_DEFL_GROUP_KEYRING: | 280 | case KEY_REQKEY_DEFL_GROUP_KEYRING: |
diff --git a/security/keys/request_key_auth.c b/security/keys/request_key_auth.c index 1762d44711d5..2125579d5d73 100644 --- a/security/keys/request_key_auth.c +++ b/security/keys/request_key_auth.c | |||
@@ -164,22 +164,22 @@ struct key *request_key_auth_new(struct key *target, const void *callout_info, | |||
164 | 164 | ||
165 | /* see if the calling process is already servicing the key request of | 165 | /* see if the calling process is already servicing the key request of |
166 | * another process */ | 166 | * another process */ |
167 | if (current->request_key_auth) { | 167 | if (current->cred->request_key_auth) { |
168 | /* it is - use that instantiation context here too */ | 168 | /* it is - use that instantiation context here too */ |
169 | down_read(¤t->request_key_auth->sem); | 169 | down_read(¤t->cred->request_key_auth->sem); |
170 | 170 | ||
171 | /* if the auth key has been revoked, then the key we're | 171 | /* if the auth key has been revoked, then the key we're |
172 | * servicing is already instantiated */ | 172 | * servicing is already instantiated */ |
173 | if (test_bit(KEY_FLAG_REVOKED, | 173 | if (test_bit(KEY_FLAG_REVOKED, |
174 | ¤t->request_key_auth->flags)) | 174 | ¤t->cred->request_key_auth->flags)) |
175 | goto auth_key_revoked; | 175 | goto auth_key_revoked; |
176 | 176 | ||
177 | irka = current->request_key_auth->payload.data; | 177 | irka = current->cred->request_key_auth->payload.data; |
178 | rka->context = irka->context; | 178 | rka->context = irka->context; |
179 | rka->pid = irka->pid; | 179 | rka->pid = irka->pid; |
180 | get_task_struct(rka->context); | 180 | get_task_struct(rka->context); |
181 | 181 | ||
182 | up_read(¤t->request_key_auth->sem); | 182 | up_read(¤t->cred->request_key_auth->sem); |
183 | } | 183 | } |
184 | else { | 184 | else { |
185 | /* it isn't - use this process as the context */ | 185 | /* it isn't - use this process as the context */ |
@@ -214,7 +214,7 @@ struct key *request_key_auth_new(struct key *target, const void *callout_info, | |||
214 | return authkey; | 214 | return authkey; |
215 | 215 | ||
216 | auth_key_revoked: | 216 | auth_key_revoked: |
217 | up_read(¤t->request_key_auth->sem); | 217 | up_read(¤t->cred->request_key_auth->sem); |
218 | kfree(rka->callout_info); | 218 | kfree(rka->callout_info); |
219 | kfree(rka); | 219 | kfree(rka); |
220 | kleave("= -EKEYREVOKED"); | 220 | kleave("= -EKEYREVOKED"); |
diff --git a/security/selinux/exports.c b/security/selinux/exports.c index 64af2d3409ef..cf02490cd1eb 100644 --- a/security/selinux/exports.c +++ b/security/selinux/exports.c | |||
@@ -39,7 +39,7 @@ EXPORT_SYMBOL_GPL(selinux_string_to_sid); | |||
39 | int selinux_secmark_relabel_packet_permission(u32 sid) | 39 | int selinux_secmark_relabel_packet_permission(u32 sid) |
40 | { | 40 | { |
41 | if (selinux_enabled) { | 41 | if (selinux_enabled) { |
42 | struct task_security_struct *tsec = current->security; | 42 | struct task_security_struct *tsec = current->cred->security; |
43 | 43 | ||
44 | return avc_has_perm(tsec->sid, sid, SECCLASS_PACKET, | 44 | return avc_has_perm(tsec->sid, sid, SECCLASS_PACKET, |
45 | PACKET__RELABELTO, NULL); | 45 | PACKET__RELABELTO, NULL); |
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 9f6da154cc82..328308f2882a 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
@@ -167,21 +167,21 @@ static int task_alloc_security(struct task_struct *task) | |||
167 | return -ENOMEM; | 167 | return -ENOMEM; |
168 | 168 | ||
169 | tsec->osid = tsec->sid = SECINITSID_UNLABELED; | 169 | tsec->osid = tsec->sid = SECINITSID_UNLABELED; |
170 | task->security = tsec; | 170 | task->cred->security = tsec; |
171 | 171 | ||
172 | return 0; | 172 | return 0; |
173 | } | 173 | } |
174 | 174 | ||
175 | static void task_free_security(struct task_struct *task) | 175 | static void task_free_security(struct task_struct *task) |
176 | { | 176 | { |
177 | struct task_security_struct *tsec = task->security; | 177 | struct task_security_struct *tsec = task->cred->security; |
178 | task->security = NULL; | 178 | task->cred->security = NULL; |
179 | kfree(tsec); | 179 | kfree(tsec); |
180 | } | 180 | } |
181 | 181 | ||
182 | static int inode_alloc_security(struct inode *inode) | 182 | static int inode_alloc_security(struct inode *inode) |
183 | { | 183 | { |
184 | struct task_security_struct *tsec = current->security; | 184 | struct task_security_struct *tsec = current->cred->security; |
185 | struct inode_security_struct *isec; | 185 | struct inode_security_struct *isec; |
186 | 186 | ||
187 | isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS); | 187 | isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS); |
@@ -215,7 +215,7 @@ static void inode_free_security(struct inode *inode) | |||
215 | 215 | ||
216 | static int file_alloc_security(struct file *file) | 216 | static int file_alloc_security(struct file *file) |
217 | { | 217 | { |
218 | struct task_security_struct *tsec = current->security; | 218 | struct task_security_struct *tsec = current->cred->security; |
219 | struct file_security_struct *fsec; | 219 | struct file_security_struct *fsec; |
220 | 220 | ||
221 | fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL); | 221 | fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL); |
@@ -554,7 +554,7 @@ static int selinux_set_mnt_opts(struct super_block *sb, | |||
554 | struct security_mnt_opts *opts) | 554 | struct security_mnt_opts *opts) |
555 | { | 555 | { |
556 | int rc = 0, i; | 556 | int rc = 0, i; |
557 | struct task_security_struct *tsec = current->security; | 557 | struct task_security_struct *tsec = current->cred->security; |
558 | struct superblock_security_struct *sbsec = sb->s_security; | 558 | struct superblock_security_struct *sbsec = sb->s_security; |
559 | const char *name = sb->s_type->name; | 559 | const char *name = sb->s_type->name; |
560 | struct inode *inode = sbsec->sb->s_root->d_inode; | 560 | struct inode *inode = sbsec->sb->s_root->d_inode; |
@@ -1353,8 +1353,8 @@ static int task_has_perm(struct task_struct *tsk1, | |||
1353 | { | 1353 | { |
1354 | struct task_security_struct *tsec1, *tsec2; | 1354 | struct task_security_struct *tsec1, *tsec2; |
1355 | 1355 | ||
1356 | tsec1 = tsk1->security; | 1356 | tsec1 = tsk1->cred->security; |
1357 | tsec2 = tsk2->security; | 1357 | tsec2 = tsk2->cred->security; |
1358 | return avc_has_perm(tsec1->sid, tsec2->sid, | 1358 | return avc_has_perm(tsec1->sid, tsec2->sid, |
1359 | SECCLASS_PROCESS, perms, NULL); | 1359 | SECCLASS_PROCESS, perms, NULL); |
1360 | } | 1360 | } |
@@ -1374,7 +1374,7 @@ static int task_has_capability(struct task_struct *tsk, | |||
1374 | u32 av = CAP_TO_MASK(cap); | 1374 | u32 av = CAP_TO_MASK(cap); |
1375 | int rc; | 1375 | int rc; |
1376 | 1376 | ||
1377 | tsec = tsk->security; | 1377 | tsec = tsk->cred->security; |
1378 | 1378 | ||
1379 | AVC_AUDIT_DATA_INIT(&ad, CAP); | 1379 | AVC_AUDIT_DATA_INIT(&ad, CAP); |
1380 | ad.tsk = tsk; | 1380 | ad.tsk = tsk; |
@@ -1405,7 +1405,7 @@ static int task_has_system(struct task_struct *tsk, | |||
1405 | { | 1405 | { |
1406 | struct task_security_struct *tsec; | 1406 | struct task_security_struct *tsec; |
1407 | 1407 | ||
1408 | tsec = tsk->security; | 1408 | tsec = tsk->cred->security; |
1409 | 1409 | ||
1410 | return avc_has_perm(tsec->sid, SECINITSID_KERNEL, | 1410 | return avc_has_perm(tsec->sid, SECINITSID_KERNEL, |
1411 | SECCLASS_SYSTEM, perms, NULL); | 1411 | SECCLASS_SYSTEM, perms, NULL); |
@@ -1426,7 +1426,7 @@ static int inode_has_perm(struct task_struct *tsk, | |||
1426 | if (unlikely(IS_PRIVATE(inode))) | 1426 | if (unlikely(IS_PRIVATE(inode))) |
1427 | return 0; | 1427 | return 0; |
1428 | 1428 | ||
1429 | tsec = tsk->security; | 1429 | tsec = tsk->cred->security; |
1430 | isec = inode->i_security; | 1430 | isec = inode->i_security; |
1431 | 1431 | ||
1432 | if (!adp) { | 1432 | if (!adp) { |
@@ -1466,7 +1466,7 @@ static int file_has_perm(struct task_struct *tsk, | |||
1466 | struct file *file, | 1466 | struct file *file, |
1467 | u32 av) | 1467 | u32 av) |
1468 | { | 1468 | { |
1469 | struct task_security_struct *tsec = tsk->security; | 1469 | struct task_security_struct *tsec = tsk->cred->security; |
1470 | struct file_security_struct *fsec = file->f_security; | 1470 | struct file_security_struct *fsec = file->f_security; |
1471 | struct inode *inode = file->f_path.dentry->d_inode; | 1471 | struct inode *inode = file->f_path.dentry->d_inode; |
1472 | struct avc_audit_data ad; | 1472 | struct avc_audit_data ad; |
@@ -1503,7 +1503,7 @@ static int may_create(struct inode *dir, | |||
1503 | struct avc_audit_data ad; | 1503 | struct avc_audit_data ad; |
1504 | int rc; | 1504 | int rc; |
1505 | 1505 | ||
1506 | tsec = current->security; | 1506 | tsec = current->cred->security; |
1507 | dsec = dir->i_security; | 1507 | dsec = dir->i_security; |
1508 | sbsec = dir->i_sb->s_security; | 1508 | sbsec = dir->i_sb->s_security; |
1509 | 1509 | ||
@@ -1540,7 +1540,7 @@ static int may_create_key(u32 ksid, | |||
1540 | { | 1540 | { |
1541 | struct task_security_struct *tsec; | 1541 | struct task_security_struct *tsec; |
1542 | 1542 | ||
1543 | tsec = ctx->security; | 1543 | tsec = ctx->cred->security; |
1544 | 1544 | ||
1545 | return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL); | 1545 | return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL); |
1546 | } | 1546 | } |
@@ -1561,7 +1561,7 @@ static int may_link(struct inode *dir, | |||
1561 | u32 av; | 1561 | u32 av; |
1562 | int rc; | 1562 | int rc; |
1563 | 1563 | ||
1564 | tsec = current->security; | 1564 | tsec = current->cred->security; |
1565 | dsec = dir->i_security; | 1565 | dsec = dir->i_security; |
1566 | isec = dentry->d_inode->i_security; | 1566 | isec = dentry->d_inode->i_security; |
1567 | 1567 | ||
@@ -1606,7 +1606,7 @@ static inline int may_rename(struct inode *old_dir, | |||
1606 | int old_is_dir, new_is_dir; | 1606 | int old_is_dir, new_is_dir; |
1607 | int rc; | 1607 | int rc; |
1608 | 1608 | ||
1609 | tsec = current->security; | 1609 | tsec = current->cred->security; |
1610 | old_dsec = old_dir->i_security; | 1610 | old_dsec = old_dir->i_security; |
1611 | old_isec = old_dentry->d_inode->i_security; | 1611 | old_isec = old_dentry->d_inode->i_security; |
1612 | old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode); | 1612 | old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode); |
@@ -1659,7 +1659,7 @@ static int superblock_has_perm(struct task_struct *tsk, | |||
1659 | struct task_security_struct *tsec; | 1659 | struct task_security_struct *tsec; |
1660 | struct superblock_security_struct *sbsec; | 1660 | struct superblock_security_struct *sbsec; |
1661 | 1661 | ||
1662 | tsec = tsk->security; | 1662 | tsec = tsk->cred->security; |
1663 | sbsec = sb->s_security; | 1663 | sbsec = sb->s_security; |
1664 | return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, | 1664 | return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, |
1665 | perms, ad); | 1665 | perms, ad); |
@@ -1758,8 +1758,8 @@ static int selinux_ptrace_may_access(struct task_struct *child, | |||
1758 | return rc; | 1758 | return rc; |
1759 | 1759 | ||
1760 | if (mode == PTRACE_MODE_READ) { | 1760 | if (mode == PTRACE_MODE_READ) { |
1761 | struct task_security_struct *tsec = current->security; | 1761 | struct task_security_struct *tsec = current->cred->security; |
1762 | struct task_security_struct *csec = child->security; | 1762 | struct task_security_struct *csec = child->cred->security; |
1763 | return avc_has_perm(tsec->sid, csec->sid, | 1763 | return avc_has_perm(tsec->sid, csec->sid, |
1764 | SECCLASS_FILE, FILE__READ, NULL); | 1764 | SECCLASS_FILE, FILE__READ, NULL); |
1765 | } | 1765 | } |
@@ -1874,7 +1874,7 @@ static int selinux_sysctl(ctl_table *table, int op) | |||
1874 | if (rc) | 1874 | if (rc) |
1875 | return rc; | 1875 | return rc; |
1876 | 1876 | ||
1877 | tsec = current->security; | 1877 | tsec = current->cred->security; |
1878 | 1878 | ||
1879 | rc = selinux_sysctl_get_sid(table, (op == 0001) ? | 1879 | rc = selinux_sysctl_get_sid(table, (op == 0001) ? |
1880 | SECCLASS_DIR : SECCLASS_FILE, &tsid); | 1880 | SECCLASS_DIR : SECCLASS_FILE, &tsid); |
@@ -2025,7 +2025,7 @@ static int selinux_bprm_set_security(struct linux_binprm *bprm) | |||
2025 | if (bsec->set) | 2025 | if (bsec->set) |
2026 | return 0; | 2026 | return 0; |
2027 | 2027 | ||
2028 | tsec = current->security; | 2028 | tsec = current->cred->security; |
2029 | isec = inode->i_security; | 2029 | isec = inode->i_security; |
2030 | 2030 | ||
2031 | /* Default to the current task SID. */ | 2031 | /* Default to the current task SID. */ |
@@ -2090,7 +2090,7 @@ static int selinux_bprm_check_security(struct linux_binprm *bprm) | |||
2090 | 2090 | ||
2091 | static int selinux_bprm_secureexec(struct linux_binprm *bprm) | 2091 | static int selinux_bprm_secureexec(struct linux_binprm *bprm) |
2092 | { | 2092 | { |
2093 | struct task_security_struct *tsec = current->security; | 2093 | struct task_security_struct *tsec = current->cred->security; |
2094 | int atsecure = 0; | 2094 | int atsecure = 0; |
2095 | 2095 | ||
2096 | if (tsec->osid != tsec->sid) { | 2096 | if (tsec->osid != tsec->sid) { |
@@ -2214,7 +2214,7 @@ static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe) | |||
2214 | 2214 | ||
2215 | secondary_ops->bprm_apply_creds(bprm, unsafe); | 2215 | secondary_ops->bprm_apply_creds(bprm, unsafe); |
2216 | 2216 | ||
2217 | tsec = current->security; | 2217 | tsec = current->cred->security; |
2218 | 2218 | ||
2219 | bsec = bprm->security; | 2219 | bsec = bprm->security; |
2220 | sid = bsec->sid; | 2220 | sid = bsec->sid; |
@@ -2243,7 +2243,7 @@ static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe) | |||
2243 | rcu_read_lock(); | 2243 | rcu_read_lock(); |
2244 | tracer = tracehook_tracer_task(current); | 2244 | tracer = tracehook_tracer_task(current); |
2245 | if (likely(tracer != NULL)) { | 2245 | if (likely(tracer != NULL)) { |
2246 | sec = tracer->security; | 2246 | sec = tracer->cred->security; |
2247 | ptsid = sec->sid; | 2247 | ptsid = sec->sid; |
2248 | } | 2248 | } |
2249 | rcu_read_unlock(); | 2249 | rcu_read_unlock(); |
@@ -2274,7 +2274,7 @@ static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm) | |||
2274 | int rc, i; | 2274 | int rc, i; |
2275 | unsigned long flags; | 2275 | unsigned long flags; |
2276 | 2276 | ||
2277 | tsec = current->security; | 2277 | tsec = current->cred->security; |
2278 | bsec = bprm->security; | 2278 | bsec = bprm->security; |
2279 | 2279 | ||
2280 | if (bsec->unsafe) { | 2280 | if (bsec->unsafe) { |
@@ -2521,7 +2521,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir, | |||
2521 | int rc; | 2521 | int rc; |
2522 | char *namep = NULL, *context; | 2522 | char *namep = NULL, *context; |
2523 | 2523 | ||
2524 | tsec = current->security; | 2524 | tsec = current->cred->security; |
2525 | dsec = dir->i_security; | 2525 | dsec = dir->i_security; |
2526 | sbsec = dir->i_sb->s_security; | 2526 | sbsec = dir->i_sb->s_security; |
2527 | 2527 | ||
@@ -2706,7 +2706,7 @@ static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name) | |||
2706 | static int selinux_inode_setxattr(struct dentry *dentry, const char *name, | 2706 | static int selinux_inode_setxattr(struct dentry *dentry, const char *name, |
2707 | const void *value, size_t size, int flags) | 2707 | const void *value, size_t size, int flags) |
2708 | { | 2708 | { |
2709 | struct task_security_struct *tsec = current->security; | 2709 | struct task_security_struct *tsec = current->cred->security; |
2710 | struct inode *inode = dentry->d_inode; | 2710 | struct inode *inode = dentry->d_inode; |
2711 | struct inode_security_struct *isec = inode->i_security; | 2711 | struct inode_security_struct *isec = inode->i_security; |
2712 | struct superblock_security_struct *sbsec; | 2712 | struct superblock_security_struct *sbsec; |
@@ -2918,7 +2918,7 @@ static int selinux_revalidate_file_permission(struct file *file, int mask) | |||
2918 | static int selinux_file_permission(struct file *file, int mask) | 2918 | static int selinux_file_permission(struct file *file, int mask) |
2919 | { | 2919 | { |
2920 | struct inode *inode = file->f_path.dentry->d_inode; | 2920 | struct inode *inode = file->f_path.dentry->d_inode; |
2921 | struct task_security_struct *tsec = current->security; | 2921 | struct task_security_struct *tsec = current->cred->security; |
2922 | struct file_security_struct *fsec = file->f_security; | 2922 | struct file_security_struct *fsec = file->f_security; |
2923 | struct inode_security_struct *isec = inode->i_security; | 2923 | struct inode_security_struct *isec = inode->i_security; |
2924 | 2924 | ||
@@ -2995,7 +2995,8 @@ static int selinux_file_mmap(struct file *file, unsigned long reqprot, | |||
2995 | unsigned long addr, unsigned long addr_only) | 2995 | unsigned long addr, unsigned long addr_only) |
2996 | { | 2996 | { |
2997 | int rc = 0; | 2997 | int rc = 0; |
2998 | u32 sid = ((struct task_security_struct *)(current->security))->sid; | 2998 | u32 sid = ((struct task_security_struct *) |
2999 | (current->cred->security))->sid; | ||
2999 | 3000 | ||
3000 | if (addr < mmap_min_addr) | 3001 | if (addr < mmap_min_addr) |
3001 | rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT, | 3002 | rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT, |
@@ -3107,7 +3108,7 @@ static int selinux_file_set_fowner(struct file *file) | |||
3107 | struct task_security_struct *tsec; | 3108 | struct task_security_struct *tsec; |
3108 | struct file_security_struct *fsec; | 3109 | struct file_security_struct *fsec; |
3109 | 3110 | ||
3110 | tsec = current->security; | 3111 | tsec = current->cred->security; |
3111 | fsec = file->f_security; | 3112 | fsec = file->f_security; |
3112 | fsec->fown_sid = tsec->sid; | 3113 | fsec->fown_sid = tsec->sid; |
3113 | 3114 | ||
@@ -3125,7 +3126,7 @@ static int selinux_file_send_sigiotask(struct task_struct *tsk, | |||
3125 | /* struct fown_struct is never outside the context of a struct file */ | 3126 | /* struct fown_struct is never outside the context of a struct file */ |
3126 | file = container_of(fown, struct file, f_owner); | 3127 | file = container_of(fown, struct file, f_owner); |
3127 | 3128 | ||
3128 | tsec = tsk->security; | 3129 | tsec = tsk->cred->security; |
3129 | fsec = file->f_security; | 3130 | fsec = file->f_security; |
3130 | 3131 | ||
3131 | if (!signum) | 3132 | if (!signum) |
@@ -3188,12 +3189,12 @@ static int selinux_task_alloc_security(struct task_struct *tsk) | |||
3188 | struct task_security_struct *tsec1, *tsec2; | 3189 | struct task_security_struct *tsec1, *tsec2; |
3189 | int rc; | 3190 | int rc; |
3190 | 3191 | ||
3191 | tsec1 = current->security; | 3192 | tsec1 = current->cred->security; |
3192 | 3193 | ||
3193 | rc = task_alloc_security(tsk); | 3194 | rc = task_alloc_security(tsk); |
3194 | if (rc) | 3195 | if (rc) |
3195 | return rc; | 3196 | return rc; |
3196 | tsec2 = tsk->security; | 3197 | tsec2 = tsk->cred->security; |
3197 | 3198 | ||
3198 | tsec2->osid = tsec1->osid; | 3199 | tsec2->osid = tsec1->osid; |
3199 | tsec2->sid = tsec1->sid; | 3200 | tsec2->sid = tsec1->sid; |
@@ -3251,7 +3252,7 @@ static int selinux_task_getsid(struct task_struct *p) | |||
3251 | 3252 | ||
3252 | static void selinux_task_getsecid(struct task_struct *p, u32 *secid) | 3253 | static void selinux_task_getsecid(struct task_struct *p, u32 *secid) |
3253 | { | 3254 | { |
3254 | struct task_security_struct *tsec = p->security; | 3255 | struct task_security_struct *tsec = p->cred->security; |
3255 | *secid = tsec->sid; | 3256 | *secid = tsec->sid; |
3256 | } | 3257 | } |
3257 | 3258 | ||
@@ -3343,7 +3344,7 @@ static int selinux_task_kill(struct task_struct *p, struct siginfo *info, | |||
3343 | perm = PROCESS__SIGNULL; /* null signal; existence test */ | 3344 | perm = PROCESS__SIGNULL; /* null signal; existence test */ |
3344 | else | 3345 | else |
3345 | perm = signal_to_av(sig); | 3346 | perm = signal_to_av(sig); |
3346 | tsec = p->security; | 3347 | tsec = p->cred->security; |
3347 | if (secid) | 3348 | if (secid) |
3348 | rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL); | 3349 | rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL); |
3349 | else | 3350 | else |
@@ -3375,7 +3376,7 @@ static void selinux_task_reparent_to_init(struct task_struct *p) | |||
3375 | 3376 | ||
3376 | secondary_ops->task_reparent_to_init(p); | 3377 | secondary_ops->task_reparent_to_init(p); |
3377 | 3378 | ||
3378 | tsec = p->security; | 3379 | tsec = p->cred->security; |
3379 | tsec->osid = tsec->sid; | 3380 | tsec->osid = tsec->sid; |
3380 | tsec->sid = SECINITSID_KERNEL; | 3381 | tsec->sid = SECINITSID_KERNEL; |
3381 | return; | 3382 | return; |
@@ -3384,7 +3385,7 @@ static void selinux_task_reparent_to_init(struct task_struct *p) | |||
3384 | static void selinux_task_to_inode(struct task_struct *p, | 3385 | static void selinux_task_to_inode(struct task_struct *p, |
3385 | struct inode *inode) | 3386 | struct inode *inode) |
3386 | { | 3387 | { |
3387 | struct task_security_struct *tsec = p->security; | 3388 | struct task_security_struct *tsec = p->cred->security; |
3388 | struct inode_security_struct *isec = inode->i_security; | 3389 | struct inode_security_struct *isec = inode->i_security; |
3389 | 3390 | ||
3390 | isec->sid = tsec->sid; | 3391 | isec->sid = tsec->sid; |
@@ -3632,7 +3633,7 @@ static int socket_has_perm(struct task_struct *task, struct socket *sock, | |||
3632 | struct avc_audit_data ad; | 3633 | struct avc_audit_data ad; |
3633 | int err = 0; | 3634 | int err = 0; |
3634 | 3635 | ||
3635 | tsec = task->security; | 3636 | tsec = task->cred->security; |
3636 | isec = SOCK_INODE(sock)->i_security; | 3637 | isec = SOCK_INODE(sock)->i_security; |
3637 | 3638 | ||
3638 | if (isec->sid == SECINITSID_KERNEL) | 3639 | if (isec->sid == SECINITSID_KERNEL) |
@@ -3656,7 +3657,7 @@ static int selinux_socket_create(int family, int type, | |||
3656 | if (kern) | 3657 | if (kern) |
3657 | goto out; | 3658 | goto out; |
3658 | 3659 | ||
3659 | tsec = current->security; | 3660 | tsec = current->cred->security; |
3660 | newsid = tsec->sockcreate_sid ? : tsec->sid; | 3661 | newsid = tsec->sockcreate_sid ? : tsec->sid; |
3661 | err = avc_has_perm(tsec->sid, newsid, | 3662 | err = avc_has_perm(tsec->sid, newsid, |
3662 | socket_type_to_security_class(family, type, | 3663 | socket_type_to_security_class(family, type, |
@@ -3677,7 +3678,7 @@ static int selinux_socket_post_create(struct socket *sock, int family, | |||
3677 | 3678 | ||
3678 | isec = SOCK_INODE(sock)->i_security; | 3679 | isec = SOCK_INODE(sock)->i_security; |
3679 | 3680 | ||
3680 | tsec = current->security; | 3681 | tsec = current->cred->security; |
3681 | newsid = tsec->sockcreate_sid ? : tsec->sid; | 3682 | newsid = tsec->sockcreate_sid ? : tsec->sid; |
3682 | isec->sclass = socket_type_to_security_class(family, type, protocol); | 3683 | isec->sclass = socket_type_to_security_class(family, type, protocol); |
3683 | isec->sid = kern ? SECINITSID_KERNEL : newsid; | 3684 | isec->sid = kern ? SECINITSID_KERNEL : newsid; |
@@ -3723,7 +3724,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in | |||
3723 | struct sock *sk = sock->sk; | 3724 | struct sock *sk = sock->sk; |
3724 | u32 sid, node_perm; | 3725 | u32 sid, node_perm; |
3725 | 3726 | ||
3726 | tsec = current->security; | 3727 | tsec = current->cred->security; |
3727 | isec = SOCK_INODE(sock)->i_security; | 3728 | isec = SOCK_INODE(sock)->i_security; |
3728 | 3729 | ||
3729 | if (family == PF_INET) { | 3730 | if (family == PF_INET) { |
@@ -4764,7 +4765,7 @@ static int ipc_alloc_security(struct task_struct *task, | |||
4764 | struct kern_ipc_perm *perm, | 4765 | struct kern_ipc_perm *perm, |
4765 | u16 sclass) | 4766 | u16 sclass) |
4766 | { | 4767 | { |
4767 | struct task_security_struct *tsec = task->security; | 4768 | struct task_security_struct *tsec = task->cred->security; |
4768 | struct ipc_security_struct *isec; | 4769 | struct ipc_security_struct *isec; |
4769 | 4770 | ||
4770 | isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL); | 4771 | isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL); |
@@ -4814,7 +4815,7 @@ static int ipc_has_perm(struct kern_ipc_perm *ipc_perms, | |||
4814 | struct ipc_security_struct *isec; | 4815 | struct ipc_security_struct *isec; |
4815 | struct avc_audit_data ad; | 4816 | struct avc_audit_data ad; |
4816 | 4817 | ||
4817 | tsec = current->security; | 4818 | tsec = current->cred->security; |
4818 | isec = ipc_perms->security; | 4819 | isec = ipc_perms->security; |
4819 | 4820 | ||
4820 | AVC_AUDIT_DATA_INIT(&ad, IPC); | 4821 | AVC_AUDIT_DATA_INIT(&ad, IPC); |
@@ -4845,7 +4846,7 @@ static int selinux_msg_queue_alloc_security(struct msg_queue *msq) | |||
4845 | if (rc) | 4846 | if (rc) |
4846 | return rc; | 4847 | return rc; |
4847 | 4848 | ||
4848 | tsec = current->security; | 4849 | tsec = current->cred->security; |
4849 | isec = msq->q_perm.security; | 4850 | isec = msq->q_perm.security; |
4850 | 4851 | ||
4851 | AVC_AUDIT_DATA_INIT(&ad, IPC); | 4852 | AVC_AUDIT_DATA_INIT(&ad, IPC); |
@@ -4871,7 +4872,7 @@ static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg) | |||
4871 | struct ipc_security_struct *isec; | 4872 | struct ipc_security_struct *isec; |
4872 | struct avc_audit_data ad; | 4873 | struct avc_audit_data ad; |
4873 | 4874 | ||
4874 | tsec = current->security; | 4875 | tsec = current->cred->security; |
4875 | isec = msq->q_perm.security; | 4876 | isec = msq->q_perm.security; |
4876 | 4877 | ||
4877 | AVC_AUDIT_DATA_INIT(&ad, IPC); | 4878 | AVC_AUDIT_DATA_INIT(&ad, IPC); |
@@ -4917,7 +4918,7 @@ static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, | |||
4917 | struct avc_audit_data ad; | 4918 | struct avc_audit_data ad; |
4918 | int rc; | 4919 | int rc; |
4919 | 4920 | ||
4920 | tsec = current->security; | 4921 | tsec = current->cred->security; |
4921 | isec = msq->q_perm.security; | 4922 | isec = msq->q_perm.security; |
4922 | msec = msg->security; | 4923 | msec = msg->security; |
4923 | 4924 | ||
@@ -4965,7 +4966,7 @@ static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, | |||
4965 | struct avc_audit_data ad; | 4966 | struct avc_audit_data ad; |
4966 | int rc; | 4967 | int rc; |
4967 | 4968 | ||
4968 | tsec = target->security; | 4969 | tsec = target->cred->security; |
4969 | isec = msq->q_perm.security; | 4970 | isec = msq->q_perm.security; |
4970 | msec = msg->security; | 4971 | msec = msg->security; |
4971 | 4972 | ||
@@ -4992,7 +4993,7 @@ static int selinux_shm_alloc_security(struct shmid_kernel *shp) | |||
4992 | if (rc) | 4993 | if (rc) |
4993 | return rc; | 4994 | return rc; |
4994 | 4995 | ||
4995 | tsec = current->security; | 4996 | tsec = current->cred->security; |
4996 | isec = shp->shm_perm.security; | 4997 | isec = shp->shm_perm.security; |
4997 | 4998 | ||
4998 | AVC_AUDIT_DATA_INIT(&ad, IPC); | 4999 | AVC_AUDIT_DATA_INIT(&ad, IPC); |
@@ -5018,7 +5019,7 @@ static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg) | |||
5018 | struct ipc_security_struct *isec; | 5019 | struct ipc_security_struct *isec; |
5019 | struct avc_audit_data ad; | 5020 | struct avc_audit_data ad; |
5020 | 5021 | ||
5021 | tsec = current->security; | 5022 | tsec = current->cred->security; |
5022 | isec = shp->shm_perm.security; | 5023 | isec = shp->shm_perm.security; |
5023 | 5024 | ||
5024 | AVC_AUDIT_DATA_INIT(&ad, IPC); | 5025 | AVC_AUDIT_DATA_INIT(&ad, IPC); |
@@ -5091,7 +5092,7 @@ static int selinux_sem_alloc_security(struct sem_array *sma) | |||
5091 | if (rc) | 5092 | if (rc) |
5092 | return rc; | 5093 | return rc; |
5093 | 5094 | ||
5094 | tsec = current->security; | 5095 | tsec = current->cred->security; |
5095 | isec = sma->sem_perm.security; | 5096 | isec = sma->sem_perm.security; |
5096 | 5097 | ||
5097 | AVC_AUDIT_DATA_INIT(&ad, IPC); | 5098 | AVC_AUDIT_DATA_INIT(&ad, IPC); |
@@ -5117,7 +5118,7 @@ static int selinux_sem_associate(struct sem_array *sma, int semflg) | |||
5117 | struct ipc_security_struct *isec; | 5118 | struct ipc_security_struct *isec; |
5118 | struct avc_audit_data ad; | 5119 | struct avc_audit_data ad; |
5119 | 5120 | ||
5120 | tsec = current->security; | 5121 | tsec = current->cred->security; |
5121 | isec = sma->sem_perm.security; | 5122 | isec = sma->sem_perm.security; |
5122 | 5123 | ||
5123 | AVC_AUDIT_DATA_INIT(&ad, IPC); | 5124 | AVC_AUDIT_DATA_INIT(&ad, IPC); |
@@ -5224,7 +5225,7 @@ static int selinux_getprocattr(struct task_struct *p, | |||
5224 | return error; | 5225 | return error; |
5225 | } | 5226 | } |
5226 | 5227 | ||
5227 | tsec = p->security; | 5228 | tsec = p->cred->security; |
5228 | 5229 | ||
5229 | if (!strcmp(name, "current")) | 5230 | if (!strcmp(name, "current")) |
5230 | sid = tsec->sid; | 5231 | sid = tsec->sid; |
@@ -5308,7 +5309,7 @@ static int selinux_setprocattr(struct task_struct *p, | |||
5308 | operation. See selinux_bprm_set_security for the execve | 5309 | operation. See selinux_bprm_set_security for the execve |
5309 | checks and may_create for the file creation checks. The | 5310 | checks and may_create for the file creation checks. The |
5310 | operation will then fail if the context is not permitted. */ | 5311 | operation will then fail if the context is not permitted. */ |
5311 | tsec = p->security; | 5312 | tsec = p->cred->security; |
5312 | if (!strcmp(name, "exec")) | 5313 | if (!strcmp(name, "exec")) |
5313 | tsec->exec_sid = sid; | 5314 | tsec->exec_sid = sid; |
5314 | else if (!strcmp(name, "fscreate")) | 5315 | else if (!strcmp(name, "fscreate")) |
@@ -5361,7 +5362,8 @@ boundary_ok: | |||
5361 | rcu_read_lock(); | 5362 | rcu_read_lock(); |
5362 | tracer = tracehook_tracer_task(p); | 5363 | tracer = tracehook_tracer_task(p); |
5363 | if (tracer != NULL) { | 5364 | if (tracer != NULL) { |
5364 | struct task_security_struct *ptsec = tracer->security; | 5365 | struct task_security_struct *ptsec = |
5366 | tracer->cred->security; | ||
5365 | u32 ptsid = ptsec->sid; | 5367 | u32 ptsid = ptsec->sid; |
5366 | rcu_read_unlock(); | 5368 | rcu_read_unlock(); |
5367 | error = avc_has_perm_noaudit(ptsid, sid, | 5369 | error = avc_has_perm_noaudit(ptsid, sid, |
@@ -5405,7 +5407,7 @@ static void selinux_release_secctx(char *secdata, u32 seclen) | |||
5405 | static int selinux_key_alloc(struct key *k, struct task_struct *tsk, | 5407 | static int selinux_key_alloc(struct key *k, struct task_struct *tsk, |
5406 | unsigned long flags) | 5408 | unsigned long flags) |
5407 | { | 5409 | { |
5408 | struct task_security_struct *tsec = tsk->security; | 5410 | struct task_security_struct *tsec = tsk->cred->security; |
5409 | struct key_security_struct *ksec; | 5411 | struct key_security_struct *ksec; |
5410 | 5412 | ||
5411 | ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL); | 5413 | ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL); |
@@ -5439,7 +5441,7 @@ static int selinux_key_permission(key_ref_t key_ref, | |||
5439 | 5441 | ||
5440 | key = key_ref_to_ptr(key_ref); | 5442 | key = key_ref_to_ptr(key_ref); |
5441 | 5443 | ||
5442 | tsec = ctx->security; | 5444 | tsec = ctx->cred->security; |
5443 | ksec = key->security; | 5445 | ksec = key->security; |
5444 | 5446 | ||
5445 | /* if no specific permissions are requested, we skip the | 5447 | /* if no specific permissions are requested, we skip the |
@@ -5683,7 +5685,7 @@ static __init int selinux_init(void) | |||
5683 | /* Set the security state for the initial task. */ | 5685 | /* Set the security state for the initial task. */ |
5684 | if (task_alloc_security(current)) | 5686 | if (task_alloc_security(current)) |
5685 | panic("SELinux: Failed to initialize initial task.\n"); | 5687 | panic("SELinux: Failed to initialize initial task.\n"); |
5686 | tsec = current->security; | 5688 | tsec = current->cred->security; |
5687 | tsec->osid = tsec->sid = SECINITSID_KERNEL; | 5689 | tsec->osid = tsec->sid = SECINITSID_KERNEL; |
5688 | 5690 | ||
5689 | sel_inode_cache = kmem_cache_create("selinux_inode_security", | 5691 | sel_inode_cache = kmem_cache_create("selinux_inode_security", |
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index 69c9dccc8cf0..10715d1330b9 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c | |||
@@ -97,7 +97,7 @@ static int task_has_security(struct task_struct *tsk, | |||
97 | { | 97 | { |
98 | struct task_security_struct *tsec; | 98 | struct task_security_struct *tsec; |
99 | 99 | ||
100 | tsec = tsk->security; | 100 | tsec = tsk->cred->security; |
101 | if (!tsec) | 101 | if (!tsec) |
102 | return -EACCES; | 102 | return -EACCES; |
103 | 103 | ||
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c index 8f17f542a116..d7db76617b0e 100644 --- a/security/selinux/xfrm.c +++ b/security/selinux/xfrm.c | |||
@@ -197,7 +197,7 @@ static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp, | |||
197 | struct xfrm_user_sec_ctx *uctx, u32 sid) | 197 | struct xfrm_user_sec_ctx *uctx, u32 sid) |
198 | { | 198 | { |
199 | int rc = 0; | 199 | int rc = 0; |
200 | struct task_security_struct *tsec = current->security; | 200 | struct task_security_struct *tsec = current->cred->security; |
201 | struct xfrm_sec_ctx *ctx = NULL; | 201 | struct xfrm_sec_ctx *ctx = NULL; |
202 | char *ctx_str = NULL; | 202 | char *ctx_str = NULL; |
203 | u32 str_len; | 203 | u32 str_len; |
@@ -333,7 +333,7 @@ void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx) | |||
333 | */ | 333 | */ |
334 | int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx) | 334 | int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx) |
335 | { | 335 | { |
336 | struct task_security_struct *tsec = current->security; | 336 | struct task_security_struct *tsec = current->cred->security; |
337 | int rc = 0; | 337 | int rc = 0; |
338 | 338 | ||
339 | if (ctx) { | 339 | if (ctx) { |
@@ -378,7 +378,7 @@ void selinux_xfrm_state_free(struct xfrm_state *x) | |||
378 | */ | 378 | */ |
379 | int selinux_xfrm_state_delete(struct xfrm_state *x) | 379 | int selinux_xfrm_state_delete(struct xfrm_state *x) |
380 | { | 380 | { |
381 | struct task_security_struct *tsec = current->security; | 381 | struct task_security_struct *tsec = current->cred->security; |
382 | struct xfrm_sec_ctx *ctx = x->security; | 382 | struct xfrm_sec_ctx *ctx = x->security; |
383 | int rc = 0; | 383 | int rc = 0; |
384 | 384 | ||
diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c index 79ff21ed4c3b..b6dd4fc0fb0b 100644 --- a/security/smack/smack_access.c +++ b/security/smack/smack_access.c | |||
@@ -164,7 +164,7 @@ int smk_curacc(char *obj_label, u32 mode) | |||
164 | { | 164 | { |
165 | int rc; | 165 | int rc; |
166 | 166 | ||
167 | rc = smk_access(current->security, obj_label, mode); | 167 | rc = smk_access(current->cred->security, obj_label, mode); |
168 | if (rc == 0) | 168 | if (rc == 0) |
169 | return 0; | 169 | return 0; |
170 | 170 | ||
@@ -173,7 +173,7 @@ int smk_curacc(char *obj_label, u32 mode) | |||
173 | * only one that gets privilege and current does not | 173 | * only one that gets privilege and current does not |
174 | * have that label. | 174 | * have that label. |
175 | */ | 175 | */ |
176 | if (smack_onlycap != NULL && smack_onlycap != current->security) | 176 | if (smack_onlycap != NULL && smack_onlycap != current->cred->security) |
177 | return rc; | 177 | return rc; |
178 | 178 | ||
179 | if (capable(CAP_MAC_OVERRIDE)) | 179 | if (capable(CAP_MAC_OVERRIDE)) |
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 6e2dc0bab70d..791da238d049 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c | |||
@@ -102,7 +102,8 @@ static int smack_ptrace_may_access(struct task_struct *ctp, unsigned int mode) | |||
102 | if (rc != 0) | 102 | if (rc != 0) |
103 | return rc; | 103 | return rc; |
104 | 104 | ||
105 | rc = smk_access(current->security, ctp->security, MAY_READWRITE); | 105 | rc = smk_access(current->cred->security, ctp->cred->security, |
106 | MAY_READWRITE); | ||
106 | if (rc != 0 && capable(CAP_MAC_OVERRIDE)) | 107 | if (rc != 0 && capable(CAP_MAC_OVERRIDE)) |
107 | return 0; | 108 | return 0; |
108 | return rc; | 109 | return rc; |
@@ -124,7 +125,8 @@ static int smack_ptrace_traceme(struct task_struct *ptp) | |||
124 | if (rc != 0) | 125 | if (rc != 0) |
125 | return rc; | 126 | return rc; |
126 | 127 | ||
127 | rc = smk_access(ptp->security, current->security, MAY_READWRITE); | 128 | rc = smk_access(ptp->cred->security, current->cred->security, |
129 | MAY_READWRITE); | ||
128 | if (rc != 0 && has_capability(ptp, CAP_MAC_OVERRIDE)) | 130 | if (rc != 0 && has_capability(ptp, CAP_MAC_OVERRIDE)) |
129 | return 0; | 131 | return 0; |
130 | return rc; | 132 | return rc; |
@@ -141,7 +143,7 @@ static int smack_ptrace_traceme(struct task_struct *ptp) | |||
141 | static int smack_syslog(int type) | 143 | static int smack_syslog(int type) |
142 | { | 144 | { |
143 | int rc; | 145 | int rc; |
144 | char *sp = current->security; | 146 | char *sp = current->cred->security; |
145 | 147 | ||
146 | rc = cap_syslog(type); | 148 | rc = cap_syslog(type); |
147 | if (rc != 0) | 149 | if (rc != 0) |
@@ -373,7 +375,7 @@ static int smack_sb_umount(struct vfsmount *mnt, int flags) | |||
373 | */ | 375 | */ |
374 | static int smack_inode_alloc_security(struct inode *inode) | 376 | static int smack_inode_alloc_security(struct inode *inode) |
375 | { | 377 | { |
376 | inode->i_security = new_inode_smack(current->security); | 378 | inode->i_security = new_inode_smack(current->cred->security); |
377 | if (inode->i_security == NULL) | 379 | if (inode->i_security == NULL) |
378 | return -ENOMEM; | 380 | return -ENOMEM; |
379 | return 0; | 381 | return 0; |
@@ -818,7 +820,7 @@ static int smack_file_permission(struct file *file, int mask) | |||
818 | */ | 820 | */ |
819 | static int smack_file_alloc_security(struct file *file) | 821 | static int smack_file_alloc_security(struct file *file) |
820 | { | 822 | { |
821 | file->f_security = current->security; | 823 | file->f_security = current->cred->security; |
822 | return 0; | 824 | return 0; |
823 | } | 825 | } |
824 | 826 | ||
@@ -916,7 +918,7 @@ static int smack_file_fcntl(struct file *file, unsigned int cmd, | |||
916 | */ | 918 | */ |
917 | static int smack_file_set_fowner(struct file *file) | 919 | static int smack_file_set_fowner(struct file *file) |
918 | { | 920 | { |
919 | file->f_security = current->security; | 921 | file->f_security = current->cred->security; |
920 | return 0; | 922 | return 0; |
921 | } | 923 | } |
922 | 924 | ||
@@ -941,7 +943,7 @@ static int smack_file_send_sigiotask(struct task_struct *tsk, | |||
941 | * struct fown_struct is never outside the context of a struct file | 943 | * struct fown_struct is never outside the context of a struct file |
942 | */ | 944 | */ |
943 | file = container_of(fown, struct file, f_owner); | 945 | file = container_of(fown, struct file, f_owner); |
944 | rc = smk_access(file->f_security, tsk->security, MAY_WRITE); | 946 | rc = smk_access(file->f_security, tsk->cred->security, MAY_WRITE); |
945 | if (rc != 0 && has_capability(tsk, CAP_MAC_OVERRIDE)) | 947 | if (rc != 0 && has_capability(tsk, CAP_MAC_OVERRIDE)) |
946 | return 0; | 948 | return 0; |
947 | return rc; | 949 | return rc; |
@@ -984,7 +986,7 @@ static int smack_file_receive(struct file *file) | |||
984 | */ | 986 | */ |
985 | static int smack_task_alloc_security(struct task_struct *tsk) | 987 | static int smack_task_alloc_security(struct task_struct *tsk) |
986 | { | 988 | { |
987 | tsk->security = current->security; | 989 | tsk->cred->security = current->cred->security; |
988 | 990 | ||
989 | return 0; | 991 | return 0; |
990 | } | 992 | } |
@@ -999,7 +1001,7 @@ static int smack_task_alloc_security(struct task_struct *tsk) | |||
999 | */ | 1001 | */ |
1000 | static void smack_task_free_security(struct task_struct *task) | 1002 | static void smack_task_free_security(struct task_struct *task) |
1001 | { | 1003 | { |
1002 | task->security = NULL; | 1004 | task->cred->security = NULL; |
1003 | } | 1005 | } |
1004 | 1006 | ||
1005 | /** | 1007 | /** |
@@ -1011,7 +1013,7 @@ static void smack_task_free_security(struct task_struct *task) | |||
1011 | */ | 1013 | */ |
1012 | static int smack_task_setpgid(struct task_struct *p, pid_t pgid) | 1014 | static int smack_task_setpgid(struct task_struct *p, pid_t pgid) |
1013 | { | 1015 | { |
1014 | return smk_curacc(p->security, MAY_WRITE); | 1016 | return smk_curacc(p->cred->security, MAY_WRITE); |
1015 | } | 1017 | } |
1016 | 1018 | ||
1017 | /** | 1019 | /** |
@@ -1022,7 +1024,7 @@ static int smack_task_setpgid(struct task_struct *p, pid_t pgid) | |||
1022 | */ | 1024 | */ |
1023 | static int smack_task_getpgid(struct task_struct *p) | 1025 | static int smack_task_getpgid(struct task_struct *p) |
1024 | { | 1026 | { |
1025 | return smk_curacc(p->security, MAY_READ); | 1027 | return smk_curacc(p->cred->security, MAY_READ); |
1026 | } | 1028 | } |
1027 | 1029 | ||
1028 | /** | 1030 | /** |
@@ -1033,7 +1035,7 @@ static int smack_task_getpgid(struct task_struct *p) | |||
1033 | */ | 1035 | */ |
1034 | static int smack_task_getsid(struct task_struct *p) | 1036 | static int smack_task_getsid(struct task_struct *p) |
1035 | { | 1037 | { |
1036 | return smk_curacc(p->security, MAY_READ); | 1038 | return smk_curacc(p->cred->security, MAY_READ); |
1037 | } | 1039 | } |
1038 | 1040 | ||
1039 | /** | 1041 | /** |
@@ -1045,7 +1047,7 @@ static int smack_task_getsid(struct task_struct *p) | |||
1045 | */ | 1047 | */ |
1046 | static void smack_task_getsecid(struct task_struct *p, u32 *secid) | 1048 | static void smack_task_getsecid(struct task_struct *p, u32 *secid) |
1047 | { | 1049 | { |
1048 | *secid = smack_to_secid(p->security); | 1050 | *secid = smack_to_secid(p->cred->security); |
1049 | } | 1051 | } |
1050 | 1052 | ||
1051 | /** | 1053 | /** |
@@ -1061,7 +1063,7 @@ static int smack_task_setnice(struct task_struct *p, int nice) | |||
1061 | 1063 | ||
1062 | rc = cap_task_setnice(p, nice); | 1064 | rc = cap_task_setnice(p, nice); |
1063 | if (rc == 0) | 1065 | if (rc == 0) |
1064 | rc = smk_curacc(p->security, MAY_WRITE); | 1066 | rc = smk_curacc(p->cred->security, MAY_WRITE); |
1065 | return rc; | 1067 | return rc; |
1066 | } | 1068 | } |
1067 | 1069 | ||
@@ -1078,7 +1080,7 @@ static int smack_task_setioprio(struct task_struct *p, int ioprio) | |||
1078 | 1080 | ||
1079 | rc = cap_task_setioprio(p, ioprio); | 1081 | rc = cap_task_setioprio(p, ioprio); |
1080 | if (rc == 0) | 1082 | if (rc == 0) |
1081 | rc = smk_curacc(p->security, MAY_WRITE); | 1083 | rc = smk_curacc(p->cred->security, MAY_WRITE); |
1082 | return rc; | 1084 | return rc; |
1083 | } | 1085 | } |
1084 | 1086 | ||
@@ -1090,7 +1092,7 @@ static int smack_task_setioprio(struct task_struct *p, int ioprio) | |||
1090 | */ | 1092 | */ |
1091 | static int smack_task_getioprio(struct task_struct *p) | 1093 | static int smack_task_getioprio(struct task_struct *p) |
1092 | { | 1094 | { |
1093 | return smk_curacc(p->security, MAY_READ); | 1095 | return smk_curacc(p->cred->security, MAY_READ); |
1094 | } | 1096 | } |
1095 | 1097 | ||
1096 | /** | 1098 | /** |
@@ -1108,7 +1110,7 @@ static int smack_task_setscheduler(struct task_struct *p, int policy, | |||
1108 | 1110 | ||
1109 | rc = cap_task_setscheduler(p, policy, lp); | 1111 | rc = cap_task_setscheduler(p, policy, lp); |
1110 | if (rc == 0) | 1112 | if (rc == 0) |
1111 | rc = smk_curacc(p->security, MAY_WRITE); | 1113 | rc = smk_curacc(p->cred->security, MAY_WRITE); |
1112 | return rc; | 1114 | return rc; |
1113 | } | 1115 | } |
1114 | 1116 | ||
@@ -1120,7 +1122,7 @@ static int smack_task_setscheduler(struct task_struct *p, int policy, | |||
1120 | */ | 1122 | */ |
1121 | static int smack_task_getscheduler(struct task_struct *p) | 1123 | static int smack_task_getscheduler(struct task_struct *p) |
1122 | { | 1124 | { |
1123 | return smk_curacc(p->security, MAY_READ); | 1125 | return smk_curacc(p->cred->security, MAY_READ); |
1124 | } | 1126 | } |
1125 | 1127 | ||
1126 | /** | 1128 | /** |
@@ -1131,7 +1133,7 @@ static int smack_task_getscheduler(struct task_struct *p) | |||
1131 | */ | 1133 | */ |
1132 | static int smack_task_movememory(struct task_struct *p) | 1134 | static int smack_task_movememory(struct task_struct *p) |
1133 | { | 1135 | { |
1134 | return smk_curacc(p->security, MAY_WRITE); | 1136 | return smk_curacc(p->cred->security, MAY_WRITE); |
1135 | } | 1137 | } |
1136 | 1138 | ||
1137 | /** | 1139 | /** |
@@ -1154,13 +1156,13 @@ static int smack_task_kill(struct task_struct *p, struct siginfo *info, | |||
1154 | * can write the receiver. | 1156 | * can write the receiver. |
1155 | */ | 1157 | */ |
1156 | if (secid == 0) | 1158 | if (secid == 0) |
1157 | return smk_curacc(p->security, MAY_WRITE); | 1159 | return smk_curacc(p->cred->security, MAY_WRITE); |
1158 | /* | 1160 | /* |
1159 | * If the secid isn't 0 we're dealing with some USB IO | 1161 | * If the secid isn't 0 we're dealing with some USB IO |
1160 | * specific behavior. This is not clean. For one thing | 1162 | * specific behavior. This is not clean. For one thing |
1161 | * we can't take privilege into account. | 1163 | * we can't take privilege into account. |
1162 | */ | 1164 | */ |
1163 | return smk_access(smack_from_secid(secid), p->security, MAY_WRITE); | 1165 | return smk_access(smack_from_secid(secid), p->cred->security, MAY_WRITE); |
1164 | } | 1166 | } |
1165 | 1167 | ||
1166 | /** | 1168 | /** |
@@ -1173,7 +1175,7 @@ static int smack_task_wait(struct task_struct *p) | |||
1173 | { | 1175 | { |
1174 | int rc; | 1176 | int rc; |
1175 | 1177 | ||
1176 | rc = smk_access(current->security, p->security, MAY_WRITE); | 1178 | rc = smk_access(current->cred->security, p->cred->security, MAY_WRITE); |
1177 | if (rc == 0) | 1179 | if (rc == 0) |
1178 | return 0; | 1180 | return 0; |
1179 | 1181 | ||
@@ -1204,7 +1206,7 @@ static int smack_task_wait(struct task_struct *p) | |||
1204 | static void smack_task_to_inode(struct task_struct *p, struct inode *inode) | 1206 | static void smack_task_to_inode(struct task_struct *p, struct inode *inode) |
1205 | { | 1207 | { |
1206 | struct inode_smack *isp = inode->i_security; | 1208 | struct inode_smack *isp = inode->i_security; |
1207 | isp->smk_inode = p->security; | 1209 | isp->smk_inode = p->cred->security; |
1208 | } | 1210 | } |
1209 | 1211 | ||
1210 | /* | 1212 | /* |
@@ -1223,7 +1225,7 @@ static void smack_task_to_inode(struct task_struct *p, struct inode *inode) | |||
1223 | */ | 1225 | */ |
1224 | static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) | 1226 | static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) |
1225 | { | 1227 | { |
1226 | char *csp = current->security; | 1228 | char *csp = current->cred->security; |
1227 | struct socket_smack *ssp; | 1229 | struct socket_smack *ssp; |
1228 | 1230 | ||
1229 | ssp = kzalloc(sizeof(struct socket_smack), gfp_flags); | 1231 | ssp = kzalloc(sizeof(struct socket_smack), gfp_flags); |
@@ -1448,7 +1450,7 @@ static int smack_flags_to_may(int flags) | |||
1448 | */ | 1450 | */ |
1449 | static int smack_msg_msg_alloc_security(struct msg_msg *msg) | 1451 | static int smack_msg_msg_alloc_security(struct msg_msg *msg) |
1450 | { | 1452 | { |
1451 | msg->security = current->security; | 1453 | msg->security = current->cred->security; |
1452 | return 0; | 1454 | return 0; |
1453 | } | 1455 | } |
1454 | 1456 | ||
@@ -1484,7 +1486,7 @@ static int smack_shm_alloc_security(struct shmid_kernel *shp) | |||
1484 | { | 1486 | { |
1485 | struct kern_ipc_perm *isp = &shp->shm_perm; | 1487 | struct kern_ipc_perm *isp = &shp->shm_perm; |
1486 | 1488 | ||
1487 | isp->security = current->security; | 1489 | isp->security = current->cred->security; |
1488 | return 0; | 1490 | return 0; |
1489 | } | 1491 | } |
1490 | 1492 | ||
@@ -1593,7 +1595,7 @@ static int smack_sem_alloc_security(struct sem_array *sma) | |||
1593 | { | 1595 | { |
1594 | struct kern_ipc_perm *isp = &sma->sem_perm; | 1596 | struct kern_ipc_perm *isp = &sma->sem_perm; |
1595 | 1597 | ||
1596 | isp->security = current->security; | 1598 | isp->security = current->cred->security; |
1597 | return 0; | 1599 | return 0; |
1598 | } | 1600 | } |
1599 | 1601 | ||
@@ -1697,7 +1699,7 @@ static int smack_msg_queue_alloc_security(struct msg_queue *msq) | |||
1697 | { | 1699 | { |
1698 | struct kern_ipc_perm *kisp = &msq->q_perm; | 1700 | struct kern_ipc_perm *kisp = &msq->q_perm; |
1699 | 1701 | ||
1700 | kisp->security = current->security; | 1702 | kisp->security = current->cred->security; |
1701 | return 0; | 1703 | return 0; |
1702 | } | 1704 | } |
1703 | 1705 | ||
@@ -1852,7 +1854,7 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode) | |||
1852 | struct super_block *sbp; | 1854 | struct super_block *sbp; |
1853 | struct superblock_smack *sbsp; | 1855 | struct superblock_smack *sbsp; |
1854 | struct inode_smack *isp; | 1856 | struct inode_smack *isp; |
1855 | char *csp = current->security; | 1857 | char *csp = current->cred->security; |
1856 | char *fetched; | 1858 | char *fetched; |
1857 | char *final; | 1859 | char *final; |
1858 | struct dentry *dp; | 1860 | struct dentry *dp; |
@@ -2009,7 +2011,7 @@ static int smack_getprocattr(struct task_struct *p, char *name, char **value) | |||
2009 | if (strcmp(name, "current") != 0) | 2011 | if (strcmp(name, "current") != 0) |
2010 | return -EINVAL; | 2012 | return -EINVAL; |
2011 | 2013 | ||
2012 | cp = kstrdup(p->security, GFP_KERNEL); | 2014 | cp = kstrdup(p->cred->security, GFP_KERNEL); |
2013 | if (cp == NULL) | 2015 | if (cp == NULL) |
2014 | return -ENOMEM; | 2016 | return -ENOMEM; |
2015 | 2017 | ||
@@ -2055,7 +2057,7 @@ static int smack_setprocattr(struct task_struct *p, char *name, | |||
2055 | if (newsmack == NULL) | 2057 | if (newsmack == NULL) |
2056 | return -EINVAL; | 2058 | return -EINVAL; |
2057 | 2059 | ||
2058 | p->security = newsmack; | 2060 | p->cred->security = newsmack; |
2059 | return size; | 2061 | return size; |
2060 | } | 2062 | } |
2061 | 2063 | ||
@@ -2288,8 +2290,8 @@ static void smack_sock_graft(struct sock *sk, struct socket *parent) | |||
2288 | return; | 2290 | return; |
2289 | 2291 | ||
2290 | ssp = sk->sk_security; | 2292 | ssp = sk->sk_security; |
2291 | ssp->smk_in = current->security; | 2293 | ssp->smk_in = current->cred->security; |
2292 | ssp->smk_out = current->security; | 2294 | ssp->smk_out = current->cred->security; |
2293 | ssp->smk_packet[0] = '\0'; | 2295 | ssp->smk_packet[0] = '\0'; |
2294 | 2296 | ||
2295 | rc = smack_netlabel(sk); | 2297 | rc = smack_netlabel(sk); |
@@ -2362,7 +2364,7 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb, | |||
2362 | static int smack_key_alloc(struct key *key, struct task_struct *tsk, | 2364 | static int smack_key_alloc(struct key *key, struct task_struct *tsk, |
2363 | unsigned long flags) | 2365 | unsigned long flags) |
2364 | { | 2366 | { |
2365 | key->security = tsk->security; | 2367 | key->security = tsk->cred->security; |
2366 | return 0; | 2368 | return 0; |
2367 | } | 2369 | } |
2368 | 2370 | ||
@@ -2403,10 +2405,11 @@ static int smack_key_permission(key_ref_t key_ref, | |||
2403 | /* | 2405 | /* |
2404 | * This should not occur | 2406 | * This should not occur |
2405 | */ | 2407 | */ |
2406 | if (context->security == NULL) | 2408 | if (context->cred->security == NULL) |
2407 | return -EACCES; | 2409 | return -EACCES; |
2408 | 2410 | ||
2409 | return smk_access(context->security, keyp->security, MAY_READWRITE); | 2411 | return smk_access(context->cred->security, keyp->security, |
2412 | MAY_READWRITE); | ||
2410 | } | 2413 | } |
2411 | #endif /* CONFIG_KEYS */ | 2414 | #endif /* CONFIG_KEYS */ |
2412 | 2415 | ||
@@ -2726,7 +2729,7 @@ static __init int smack_init(void) | |||
2726 | /* | 2729 | /* |
2727 | * Set the security state for the initial task. | 2730 | * Set the security state for the initial task. |
2728 | */ | 2731 | */ |
2729 | current->security = &smack_known_floor.smk_known; | 2732 | current->cred->security = &smack_known_floor.smk_known; |
2730 | 2733 | ||
2731 | /* | 2734 | /* |
2732 | * Initialize locks | 2735 | * Initialize locks |
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c index c21d8c8bf0c7..c5ca279e0506 100644 --- a/security/smack/smackfs.c +++ b/security/smack/smackfs.c | |||
@@ -336,7 +336,7 @@ static void smk_cipso_doi(void) | |||
336 | 336 | ||
337 | audit_info.loginuid = audit_get_loginuid(current); | 337 | audit_info.loginuid = audit_get_loginuid(current); |
338 | audit_info.sessionid = audit_get_sessionid(current); | 338 | audit_info.sessionid = audit_get_sessionid(current); |
339 | audit_info.secid = smack_to_secid(current->security); | 339 | audit_info.secid = smack_to_secid(current->cred->security); |
340 | 340 | ||
341 | rc = netlbl_cfg_map_del(NULL, &audit_info); | 341 | rc = netlbl_cfg_map_del(NULL, &audit_info); |
342 | if (rc != 0) | 342 | if (rc != 0) |
@@ -371,7 +371,7 @@ static void smk_unlbl_ambient(char *oldambient) | |||
371 | 371 | ||
372 | audit_info.loginuid = audit_get_loginuid(current); | 372 | audit_info.loginuid = audit_get_loginuid(current); |
373 | audit_info.sessionid = audit_get_sessionid(current); | 373 | audit_info.sessionid = audit_get_sessionid(current); |
374 | audit_info.secid = smack_to_secid(current->security); | 374 | audit_info.secid = smack_to_secid(current->cred->security); |
375 | 375 | ||
376 | if (oldambient != NULL) { | 376 | if (oldambient != NULL) { |
377 | rc = netlbl_cfg_map_del(oldambient, &audit_info); | 377 | rc = netlbl_cfg_map_del(oldambient, &audit_info); |
@@ -843,7 +843,7 @@ static ssize_t smk_write_onlycap(struct file *file, const char __user *buf, | |||
843 | size_t count, loff_t *ppos) | 843 | size_t count, loff_t *ppos) |
844 | { | 844 | { |
845 | char in[SMK_LABELLEN]; | 845 | char in[SMK_LABELLEN]; |
846 | char *sp = current->security; | 846 | char *sp = current->cred->security; |
847 | 847 | ||
848 | if (!capable(CAP_MAC_ADMIN)) | 848 | if (!capable(CAP_MAC_ADMIN)) |
849 | return -EPERM; | 849 | return -EPERM; |