aboutsummaryrefslogtreecommitdiffstats
path: root/fs
diff options
context:
space:
mode:
authorMichael LeMay <mdlemay@epoch.ncsc.mil>2006-06-26 03:24:57 -0400
committerLinus Torvalds <torvalds@g5.osdl.org>2006-06-26 12:58:18 -0400
commit4eb582cf1fbd7b9e5f466e3718a59c957e75254e (patch)
tree4387e460a50efa8d46a54526d0cf0959c0e3b428 /fs
parent06ec7be557a1259611d6093a00463c42650dc71a (diff)
[PATCH] keys: add a way to store the appropriate context for newly-created keys
Add a /proc/<pid>/attr/keycreate entry that stores the appropriate context for newly-created keys. Modify the selinux_key_alloc hook to make use of the new entry. Update the flask headers to include a new "setkeycreate" permission for processes. Update the flask headers to include a new "create" permission for keys. Use the create permission to restrict which SIDs each task can assign to newly-created keys. Add a new parameter to the security hook "security_key_alloc" to indicate whether it is being invoked by the kernel, or from userspace. If it is being invoked by the kernel, the security hook should never fail. Update the documentation to reflect these changes. Signed-off-by: Michael LeMay <mdlemay@epoch.ncsc.mil> Signed-off-by: James Morris <jmorris@namei.org> Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Diffstat (limited to 'fs')
-rw-r--r--fs/proc/base.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/fs/proc/base.c b/fs/proc/base.c
index 6afff725a8c9..c4a1ff371b8d 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -121,6 +121,7 @@ enum pid_directory_inos {
121 PROC_TGID_ATTR_PREV, 121 PROC_TGID_ATTR_PREV,
122 PROC_TGID_ATTR_EXEC, 122 PROC_TGID_ATTR_EXEC,
123 PROC_TGID_ATTR_FSCREATE, 123 PROC_TGID_ATTR_FSCREATE,
124 PROC_TGID_ATTR_KEYCREATE,
124#endif 125#endif
125#ifdef CONFIG_AUDITSYSCALL 126#ifdef CONFIG_AUDITSYSCALL
126 PROC_TGID_LOGINUID, 127 PROC_TGID_LOGINUID,
@@ -162,6 +163,7 @@ enum pid_directory_inos {
162 PROC_TID_ATTR_PREV, 163 PROC_TID_ATTR_PREV,
163 PROC_TID_ATTR_EXEC, 164 PROC_TID_ATTR_EXEC,
164 PROC_TID_ATTR_FSCREATE, 165 PROC_TID_ATTR_FSCREATE,
166 PROC_TID_ATTR_KEYCREATE,
165#endif 167#endif
166#ifdef CONFIG_AUDITSYSCALL 168#ifdef CONFIG_AUDITSYSCALL
167 PROC_TID_LOGINUID, 169 PROC_TID_LOGINUID,
@@ -275,6 +277,7 @@ static struct pid_entry tgid_attr_stuff[] = {
275 E(PROC_TGID_ATTR_PREV, "prev", S_IFREG|S_IRUGO), 277 E(PROC_TGID_ATTR_PREV, "prev", S_IFREG|S_IRUGO),
276 E(PROC_TGID_ATTR_EXEC, "exec", S_IFREG|S_IRUGO|S_IWUGO), 278 E(PROC_TGID_ATTR_EXEC, "exec", S_IFREG|S_IRUGO|S_IWUGO),
277 E(PROC_TGID_ATTR_FSCREATE, "fscreate", S_IFREG|S_IRUGO|S_IWUGO), 279 E(PROC_TGID_ATTR_FSCREATE, "fscreate", S_IFREG|S_IRUGO|S_IWUGO),
280 E(PROC_TGID_ATTR_KEYCREATE, "keycreate", S_IFREG|S_IRUGO|S_IWUGO),
278 {0,0,NULL,0} 281 {0,0,NULL,0}
279}; 282};
280static struct pid_entry tid_attr_stuff[] = { 283static struct pid_entry tid_attr_stuff[] = {
@@ -282,6 +285,7 @@ static struct pid_entry tid_attr_stuff[] = {
282 E(PROC_TID_ATTR_PREV, "prev", S_IFREG|S_IRUGO), 285 E(PROC_TID_ATTR_PREV, "prev", S_IFREG|S_IRUGO),
283 E(PROC_TID_ATTR_EXEC, "exec", S_IFREG|S_IRUGO|S_IWUGO), 286 E(PROC_TID_ATTR_EXEC, "exec", S_IFREG|S_IRUGO|S_IWUGO),
284 E(PROC_TID_ATTR_FSCREATE, "fscreate", S_IFREG|S_IRUGO|S_IWUGO), 287 E(PROC_TID_ATTR_FSCREATE, "fscreate", S_IFREG|S_IRUGO|S_IWUGO),
288 E(PROC_TID_ATTR_KEYCREATE, "keycreate", S_IFREG|S_IRUGO|S_IWUGO),
285 {0,0,NULL,0} 289 {0,0,NULL,0}
286}; 290};
287#endif 291#endif
@@ -1801,6 +1805,8 @@ static struct dentry *proc_pident_lookup(struct inode *dir,
1801 case PROC_TGID_ATTR_EXEC: 1805 case PROC_TGID_ATTR_EXEC:
1802 case PROC_TID_ATTR_FSCREATE: 1806 case PROC_TID_ATTR_FSCREATE:
1803 case PROC_TGID_ATTR_FSCREATE: 1807 case PROC_TGID_ATTR_FSCREATE:
1808 case PROC_TID_ATTR_KEYCREATE:
1809 case PROC_TGID_ATTR_KEYCREATE:
1804 inode->i_fop = &proc_pid_attr_operations; 1810 inode->i_fop = &proc_pid_attr_operations;
1805 break; 1811 break;
1806#endif 1812#endif