aboutsummaryrefslogtreecommitdiffstats
path: root/security/selinux/hooks.c
diff options
context:
space:
mode:
authorDavid Howells <dhowells@redhat.com>2008-11-13 18:39:16 -0500
committerJames Morris <jmorris@namei.org>2008-11-13 18:39:16 -0500
commitb6dff3ec5e116e3af6f537d4caedcad6b9e5082a (patch)
tree9e76f972eb7ce9b84e0146c8e4126a3f86acb428 /security/selinux/hooks.c
parent15a2460ed0af7538ca8e6c610fe607a2cd9da142 (diff)
CRED: Separate task security context from task_struct
Separate the task security context from task_struct. At this point, the security data is temporarily embedded in the task_struct with two pointers pointing to it. Note that the Alpha arch is altered as it refers to (E)UID and (E)GID in entry.S via asm-offsets. With comment fixes Signed-off-by: Marc Dionne <marc.c.dionne@gmail.com> Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: James Morris <jmorris@namei.org> Acked-by: Serge Hallyn <serue@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/selinux/hooks.c')
-rw-r--r--security/selinux/hooks.c116
1 files changed, 59 insertions, 57 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 9f6da154cc82..328308f2882a 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -167,21 +167,21 @@ static int task_alloc_security(struct task_struct *task)
167 return -ENOMEM; 167 return -ENOMEM;
168 168
169 tsec->osid = tsec->sid = SECINITSID_UNLABELED; 169 tsec->osid = tsec->sid = SECINITSID_UNLABELED;
170 task->security = tsec; 170 task->cred->security = tsec;
171 171
172 return 0; 172 return 0;
173} 173}
174 174
175static void task_free_security(struct task_struct *task) 175static void task_free_security(struct task_struct *task)
176{ 176{
177 struct task_security_struct *tsec = task->security; 177 struct task_security_struct *tsec = task->cred->security;
178 task->security = NULL; 178 task->cred->security = NULL;
179 kfree(tsec); 179 kfree(tsec);
180} 180}
181 181
182static int inode_alloc_security(struct inode *inode) 182static int inode_alloc_security(struct inode *inode)
183{ 183{
184 struct task_security_struct *tsec = current->security; 184 struct task_security_struct *tsec = current->cred->security;
185 struct inode_security_struct *isec; 185 struct inode_security_struct *isec;
186 186
187 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS); 187 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
@@ -215,7 +215,7 @@ static void inode_free_security(struct inode *inode)
215 215
216static int file_alloc_security(struct file *file) 216static int file_alloc_security(struct file *file)
217{ 217{
218 struct task_security_struct *tsec = current->security; 218 struct task_security_struct *tsec = current->cred->security;
219 struct file_security_struct *fsec; 219 struct file_security_struct *fsec;
220 220
221 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL); 221 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
@@ -554,7 +554,7 @@ static int selinux_set_mnt_opts(struct super_block *sb,
554 struct security_mnt_opts *opts) 554 struct security_mnt_opts *opts)
555{ 555{
556 int rc = 0, i; 556 int rc = 0, i;
557 struct task_security_struct *tsec = current->security; 557 struct task_security_struct *tsec = current->cred->security;
558 struct superblock_security_struct *sbsec = sb->s_security; 558 struct superblock_security_struct *sbsec = sb->s_security;
559 const char *name = sb->s_type->name; 559 const char *name = sb->s_type->name;
560 struct inode *inode = sbsec->sb->s_root->d_inode; 560 struct inode *inode = sbsec->sb->s_root->d_inode;
@@ -1353,8 +1353,8 @@ static int task_has_perm(struct task_struct *tsk1,
1353{ 1353{
1354 struct task_security_struct *tsec1, *tsec2; 1354 struct task_security_struct *tsec1, *tsec2;
1355 1355
1356 tsec1 = tsk1->security; 1356 tsec1 = tsk1->cred->security;
1357 tsec2 = tsk2->security; 1357 tsec2 = tsk2->cred->security;
1358 return avc_has_perm(tsec1->sid, tsec2->sid, 1358 return avc_has_perm(tsec1->sid, tsec2->sid,
1359 SECCLASS_PROCESS, perms, NULL); 1359 SECCLASS_PROCESS, perms, NULL);
1360} 1360}
@@ -1374,7 +1374,7 @@ static int task_has_capability(struct task_struct *tsk,
1374 u32 av = CAP_TO_MASK(cap); 1374 u32 av = CAP_TO_MASK(cap);
1375 int rc; 1375 int rc;
1376 1376
1377 tsec = tsk->security; 1377 tsec = tsk->cred->security;
1378 1378
1379 AVC_AUDIT_DATA_INIT(&ad, CAP); 1379 AVC_AUDIT_DATA_INIT(&ad, CAP);
1380 ad.tsk = tsk; 1380 ad.tsk = tsk;
@@ -1405,7 +1405,7 @@ static int task_has_system(struct task_struct *tsk,
1405{ 1405{
1406 struct task_security_struct *tsec; 1406 struct task_security_struct *tsec;
1407 1407
1408 tsec = tsk->security; 1408 tsec = tsk->cred->security;
1409 1409
1410 return avc_has_perm(tsec->sid, SECINITSID_KERNEL, 1410 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1411 SECCLASS_SYSTEM, perms, NULL); 1411 SECCLASS_SYSTEM, perms, NULL);
@@ -1426,7 +1426,7 @@ static int inode_has_perm(struct task_struct *tsk,
1426 if (unlikely(IS_PRIVATE(inode))) 1426 if (unlikely(IS_PRIVATE(inode)))
1427 return 0; 1427 return 0;
1428 1428
1429 tsec = tsk->security; 1429 tsec = tsk->cred->security;
1430 isec = inode->i_security; 1430 isec = inode->i_security;
1431 1431
1432 if (!adp) { 1432 if (!adp) {
@@ -1466,7 +1466,7 @@ static int file_has_perm(struct task_struct *tsk,
1466 struct file *file, 1466 struct file *file,
1467 u32 av) 1467 u32 av)
1468{ 1468{
1469 struct task_security_struct *tsec = tsk->security; 1469 struct task_security_struct *tsec = tsk->cred->security;
1470 struct file_security_struct *fsec = file->f_security; 1470 struct file_security_struct *fsec = file->f_security;
1471 struct inode *inode = file->f_path.dentry->d_inode; 1471 struct inode *inode = file->f_path.dentry->d_inode;
1472 struct avc_audit_data ad; 1472 struct avc_audit_data ad;
@@ -1503,7 +1503,7 @@ static int may_create(struct inode *dir,
1503 struct avc_audit_data ad; 1503 struct avc_audit_data ad;
1504 int rc; 1504 int rc;
1505 1505
1506 tsec = current->security; 1506 tsec = current->cred->security;
1507 dsec = dir->i_security; 1507 dsec = dir->i_security;
1508 sbsec = dir->i_sb->s_security; 1508 sbsec = dir->i_sb->s_security;
1509 1509
@@ -1540,7 +1540,7 @@ static int may_create_key(u32 ksid,
1540{ 1540{
1541 struct task_security_struct *tsec; 1541 struct task_security_struct *tsec;
1542 1542
1543 tsec = ctx->security; 1543 tsec = ctx->cred->security;
1544 1544
1545 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL); 1545 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1546} 1546}
@@ -1561,7 +1561,7 @@ static int may_link(struct inode *dir,
1561 u32 av; 1561 u32 av;
1562 int rc; 1562 int rc;
1563 1563
1564 tsec = current->security; 1564 tsec = current->cred->security;
1565 dsec = dir->i_security; 1565 dsec = dir->i_security;
1566 isec = dentry->d_inode->i_security; 1566 isec = dentry->d_inode->i_security;
1567 1567
@@ -1606,7 +1606,7 @@ static inline int may_rename(struct inode *old_dir,
1606 int old_is_dir, new_is_dir; 1606 int old_is_dir, new_is_dir;
1607 int rc; 1607 int rc;
1608 1608
1609 tsec = current->security; 1609 tsec = current->cred->security;
1610 old_dsec = old_dir->i_security; 1610 old_dsec = old_dir->i_security;
1611 old_isec = old_dentry->d_inode->i_security; 1611 old_isec = old_dentry->d_inode->i_security;
1612 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode); 1612 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
@@ -1659,7 +1659,7 @@ static int superblock_has_perm(struct task_struct *tsk,
1659 struct task_security_struct *tsec; 1659 struct task_security_struct *tsec;
1660 struct superblock_security_struct *sbsec; 1660 struct superblock_security_struct *sbsec;
1661 1661
1662 tsec = tsk->security; 1662 tsec = tsk->cred->security;
1663 sbsec = sb->s_security; 1663 sbsec = sb->s_security;
1664 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 1664 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1665 perms, ad); 1665 perms, ad);
@@ -1758,8 +1758,8 @@ static int selinux_ptrace_may_access(struct task_struct *child,
1758 return rc; 1758 return rc;
1759 1759
1760 if (mode == PTRACE_MODE_READ) { 1760 if (mode == PTRACE_MODE_READ) {
1761 struct task_security_struct *tsec = current->security; 1761 struct task_security_struct *tsec = current->cred->security;
1762 struct task_security_struct *csec = child->security; 1762 struct task_security_struct *csec = child->cred->security;
1763 return avc_has_perm(tsec->sid, csec->sid, 1763 return avc_has_perm(tsec->sid, csec->sid,
1764 SECCLASS_FILE, FILE__READ, NULL); 1764 SECCLASS_FILE, FILE__READ, NULL);
1765 } 1765 }
@@ -1874,7 +1874,7 @@ static int selinux_sysctl(ctl_table *table, int op)
1874 if (rc) 1874 if (rc)
1875 return rc; 1875 return rc;
1876 1876
1877 tsec = current->security; 1877 tsec = current->cred->security;
1878 1878
1879 rc = selinux_sysctl_get_sid(table, (op == 0001) ? 1879 rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1880 SECCLASS_DIR : SECCLASS_FILE, &tsid); 1880 SECCLASS_DIR : SECCLASS_FILE, &tsid);
@@ -2025,7 +2025,7 @@ static int selinux_bprm_set_security(struct linux_binprm *bprm)
2025 if (bsec->set) 2025 if (bsec->set)
2026 return 0; 2026 return 0;
2027 2027
2028 tsec = current->security; 2028 tsec = current->cred->security;
2029 isec = inode->i_security; 2029 isec = inode->i_security;
2030 2030
2031 /* Default to the current task SID. */ 2031 /* Default to the current task SID. */
@@ -2090,7 +2090,7 @@ static int selinux_bprm_check_security(struct linux_binprm *bprm)
2090 2090
2091static int selinux_bprm_secureexec(struct linux_binprm *bprm) 2091static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2092{ 2092{
2093 struct task_security_struct *tsec = current->security; 2093 struct task_security_struct *tsec = current->cred->security;
2094 int atsecure = 0; 2094 int atsecure = 0;
2095 2095
2096 if (tsec->osid != tsec->sid) { 2096 if (tsec->osid != tsec->sid) {
@@ -2214,7 +2214,7 @@ static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2214 2214
2215 secondary_ops->bprm_apply_creds(bprm, unsafe); 2215 secondary_ops->bprm_apply_creds(bprm, unsafe);
2216 2216
2217 tsec = current->security; 2217 tsec = current->cred->security;
2218 2218
2219 bsec = bprm->security; 2219 bsec = bprm->security;
2220 sid = bsec->sid; 2220 sid = bsec->sid;
@@ -2243,7 +2243,7 @@ static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2243 rcu_read_lock(); 2243 rcu_read_lock();
2244 tracer = tracehook_tracer_task(current); 2244 tracer = tracehook_tracer_task(current);
2245 if (likely(tracer != NULL)) { 2245 if (likely(tracer != NULL)) {
2246 sec = tracer->security; 2246 sec = tracer->cred->security;
2247 ptsid = sec->sid; 2247 ptsid = sec->sid;
2248 } 2248 }
2249 rcu_read_unlock(); 2249 rcu_read_unlock();
@@ -2274,7 +2274,7 @@ static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2274 int rc, i; 2274 int rc, i;
2275 unsigned long flags; 2275 unsigned long flags;
2276 2276
2277 tsec = current->security; 2277 tsec = current->cred->security;
2278 bsec = bprm->security; 2278 bsec = bprm->security;
2279 2279
2280 if (bsec->unsafe) { 2280 if (bsec->unsafe) {
@@ -2521,7 +2521,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2521 int rc; 2521 int rc;
2522 char *namep = NULL, *context; 2522 char *namep = NULL, *context;
2523 2523
2524 tsec = current->security; 2524 tsec = current->cred->security;
2525 dsec = dir->i_security; 2525 dsec = dir->i_security;
2526 sbsec = dir->i_sb->s_security; 2526 sbsec = dir->i_sb->s_security;
2527 2527
@@ -2706,7 +2706,7 @@ static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2706static int selinux_inode_setxattr(struct dentry *dentry, const char *name, 2706static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2707 const void *value, size_t size, int flags) 2707 const void *value, size_t size, int flags)
2708{ 2708{
2709 struct task_security_struct *tsec = current->security; 2709 struct task_security_struct *tsec = current->cred->security;
2710 struct inode *inode = dentry->d_inode; 2710 struct inode *inode = dentry->d_inode;
2711 struct inode_security_struct *isec = inode->i_security; 2711 struct inode_security_struct *isec = inode->i_security;
2712 struct superblock_security_struct *sbsec; 2712 struct superblock_security_struct *sbsec;
@@ -2918,7 +2918,7 @@ static int selinux_revalidate_file_permission(struct file *file, int mask)
2918static int selinux_file_permission(struct file *file, int mask) 2918static int selinux_file_permission(struct file *file, int mask)
2919{ 2919{
2920 struct inode *inode = file->f_path.dentry->d_inode; 2920 struct inode *inode = file->f_path.dentry->d_inode;
2921 struct task_security_struct *tsec = current->security; 2921 struct task_security_struct *tsec = current->cred->security;
2922 struct file_security_struct *fsec = file->f_security; 2922 struct file_security_struct *fsec = file->f_security;
2923 struct inode_security_struct *isec = inode->i_security; 2923 struct inode_security_struct *isec = inode->i_security;
2924 2924
@@ -2995,7 +2995,8 @@ static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2995 unsigned long addr, unsigned long addr_only) 2995 unsigned long addr, unsigned long addr_only)
2996{ 2996{
2997 int rc = 0; 2997 int rc = 0;
2998 u32 sid = ((struct task_security_struct *)(current->security))->sid; 2998 u32 sid = ((struct task_security_struct *)
2999 (current->cred->security))->sid;
2999 3000
3000 if (addr < mmap_min_addr) 3001 if (addr < mmap_min_addr)
3001 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT, 3002 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
@@ -3107,7 +3108,7 @@ static int selinux_file_set_fowner(struct file *file)
3107 struct task_security_struct *tsec; 3108 struct task_security_struct *tsec;
3108 struct file_security_struct *fsec; 3109 struct file_security_struct *fsec;
3109 3110
3110 tsec = current->security; 3111 tsec = current->cred->security;
3111 fsec = file->f_security; 3112 fsec = file->f_security;
3112 fsec->fown_sid = tsec->sid; 3113 fsec->fown_sid = tsec->sid;
3113 3114
@@ -3125,7 +3126,7 @@ static int selinux_file_send_sigiotask(struct task_struct *tsk,
3125 /* struct fown_struct is never outside the context of a struct file */ 3126 /* struct fown_struct is never outside the context of a struct file */
3126 file = container_of(fown, struct file, f_owner); 3127 file = container_of(fown, struct file, f_owner);
3127 3128
3128 tsec = tsk->security; 3129 tsec = tsk->cred->security;
3129 fsec = file->f_security; 3130 fsec = file->f_security;
3130 3131
3131 if (!signum) 3132 if (!signum)
@@ -3188,12 +3189,12 @@ static int selinux_task_alloc_security(struct task_struct *tsk)
3188 struct task_security_struct *tsec1, *tsec2; 3189 struct task_security_struct *tsec1, *tsec2;
3189 int rc; 3190 int rc;
3190 3191
3191 tsec1 = current->security; 3192 tsec1 = current->cred->security;
3192 3193
3193 rc = task_alloc_security(tsk); 3194 rc = task_alloc_security(tsk);
3194 if (rc) 3195 if (rc)
3195 return rc; 3196 return rc;
3196 tsec2 = tsk->security; 3197 tsec2 = tsk->cred->security;
3197 3198
3198 tsec2->osid = tsec1->osid; 3199 tsec2->osid = tsec1->osid;
3199 tsec2->sid = tsec1->sid; 3200 tsec2->sid = tsec1->sid;
@@ -3251,7 +3252,7 @@ static int selinux_task_getsid(struct task_struct *p)
3251 3252
3252static void selinux_task_getsecid(struct task_struct *p, u32 *secid) 3253static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3253{ 3254{
3254 struct task_security_struct *tsec = p->security; 3255 struct task_security_struct *tsec = p->cred->security;
3255 *secid = tsec->sid; 3256 *secid = tsec->sid;
3256} 3257}
3257 3258
@@ -3343,7 +3344,7 @@ static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3343 perm = PROCESS__SIGNULL; /* null signal; existence test */ 3344 perm = PROCESS__SIGNULL; /* null signal; existence test */
3344 else 3345 else
3345 perm = signal_to_av(sig); 3346 perm = signal_to_av(sig);
3346 tsec = p->security; 3347 tsec = p->cred->security;
3347 if (secid) 3348 if (secid)
3348 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL); 3349 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
3349 else 3350 else
@@ -3375,7 +3376,7 @@ static void selinux_task_reparent_to_init(struct task_struct *p)
3375 3376
3376 secondary_ops->task_reparent_to_init(p); 3377 secondary_ops->task_reparent_to_init(p);
3377 3378
3378 tsec = p->security; 3379 tsec = p->cred->security;
3379 tsec->osid = tsec->sid; 3380 tsec->osid = tsec->sid;
3380 tsec->sid = SECINITSID_KERNEL; 3381 tsec->sid = SECINITSID_KERNEL;
3381 return; 3382 return;
@@ -3384,7 +3385,7 @@ static void selinux_task_reparent_to_init(struct task_struct *p)
3384static void selinux_task_to_inode(struct task_struct *p, 3385static void selinux_task_to_inode(struct task_struct *p,
3385 struct inode *inode) 3386 struct inode *inode)
3386{ 3387{
3387 struct task_security_struct *tsec = p->security; 3388 struct task_security_struct *tsec = p->cred->security;
3388 struct inode_security_struct *isec = inode->i_security; 3389 struct inode_security_struct *isec = inode->i_security;
3389 3390
3390 isec->sid = tsec->sid; 3391 isec->sid = tsec->sid;
@@ -3632,7 +3633,7 @@ static int socket_has_perm(struct task_struct *task, struct socket *sock,
3632 struct avc_audit_data ad; 3633 struct avc_audit_data ad;
3633 int err = 0; 3634 int err = 0;
3634 3635
3635 tsec = task->security; 3636 tsec = task->cred->security;
3636 isec = SOCK_INODE(sock)->i_security; 3637 isec = SOCK_INODE(sock)->i_security;
3637 3638
3638 if (isec->sid == SECINITSID_KERNEL) 3639 if (isec->sid == SECINITSID_KERNEL)
@@ -3656,7 +3657,7 @@ static int selinux_socket_create(int family, int type,
3656 if (kern) 3657 if (kern)
3657 goto out; 3658 goto out;
3658 3659
3659 tsec = current->security; 3660 tsec = current->cred->security;
3660 newsid = tsec->sockcreate_sid ? : tsec->sid; 3661 newsid = tsec->sockcreate_sid ? : tsec->sid;
3661 err = avc_has_perm(tsec->sid, newsid, 3662 err = avc_has_perm(tsec->sid, newsid,
3662 socket_type_to_security_class(family, type, 3663 socket_type_to_security_class(family, type,
@@ -3677,7 +3678,7 @@ static int selinux_socket_post_create(struct socket *sock, int family,
3677 3678
3678 isec = SOCK_INODE(sock)->i_security; 3679 isec = SOCK_INODE(sock)->i_security;
3679 3680
3680 tsec = current->security; 3681 tsec = current->cred->security;
3681 newsid = tsec->sockcreate_sid ? : tsec->sid; 3682 newsid = tsec->sockcreate_sid ? : tsec->sid;
3682 isec->sclass = socket_type_to_security_class(family, type, protocol); 3683 isec->sclass = socket_type_to_security_class(family, type, protocol);
3683 isec->sid = kern ? SECINITSID_KERNEL : newsid; 3684 isec->sid = kern ? SECINITSID_KERNEL : newsid;
@@ -3723,7 +3724,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
3723 struct sock *sk = sock->sk; 3724 struct sock *sk = sock->sk;
3724 u32 sid, node_perm; 3725 u32 sid, node_perm;
3725 3726
3726 tsec = current->security; 3727 tsec = current->cred->security;
3727 isec = SOCK_INODE(sock)->i_security; 3728 isec = SOCK_INODE(sock)->i_security;
3728 3729
3729 if (family == PF_INET) { 3730 if (family == PF_INET) {
@@ -4764,7 +4765,7 @@ static int ipc_alloc_security(struct task_struct *task,
4764 struct kern_ipc_perm *perm, 4765 struct kern_ipc_perm *perm,
4765 u16 sclass) 4766 u16 sclass)
4766{ 4767{
4767 struct task_security_struct *tsec = task->security; 4768 struct task_security_struct *tsec = task->cred->security;
4768 struct ipc_security_struct *isec; 4769 struct ipc_security_struct *isec;
4769 4770
4770 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL); 4771 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
@@ -4814,7 +4815,7 @@ static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4814 struct ipc_security_struct *isec; 4815 struct ipc_security_struct *isec;
4815 struct avc_audit_data ad; 4816 struct avc_audit_data ad;
4816 4817
4817 tsec = current->security; 4818 tsec = current->cred->security;
4818 isec = ipc_perms->security; 4819 isec = ipc_perms->security;
4819 4820
4820 AVC_AUDIT_DATA_INIT(&ad, IPC); 4821 AVC_AUDIT_DATA_INIT(&ad, IPC);
@@ -4845,7 +4846,7 @@ static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4845 if (rc) 4846 if (rc)
4846 return rc; 4847 return rc;
4847 4848
4848 tsec = current->security; 4849 tsec = current->cred->security;
4849 isec = msq->q_perm.security; 4850 isec = msq->q_perm.security;
4850 4851
4851 AVC_AUDIT_DATA_INIT(&ad, IPC); 4852 AVC_AUDIT_DATA_INIT(&ad, IPC);
@@ -4871,7 +4872,7 @@ static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4871 struct ipc_security_struct *isec; 4872 struct ipc_security_struct *isec;
4872 struct avc_audit_data ad; 4873 struct avc_audit_data ad;
4873 4874
4874 tsec = current->security; 4875 tsec = current->cred->security;
4875 isec = msq->q_perm.security; 4876 isec = msq->q_perm.security;
4876 4877
4877 AVC_AUDIT_DATA_INIT(&ad, IPC); 4878 AVC_AUDIT_DATA_INIT(&ad, IPC);
@@ -4917,7 +4918,7 @@ static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg,
4917 struct avc_audit_data ad; 4918 struct avc_audit_data ad;
4918 int rc; 4919 int rc;
4919 4920
4920 tsec = current->security; 4921 tsec = current->cred->security;
4921 isec = msq->q_perm.security; 4922 isec = msq->q_perm.security;
4922 msec = msg->security; 4923 msec = msg->security;
4923 4924
@@ -4965,7 +4966,7 @@ static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4965 struct avc_audit_data ad; 4966 struct avc_audit_data ad;
4966 int rc; 4967 int rc;
4967 4968
4968 tsec = target->security; 4969 tsec = target->cred->security;
4969 isec = msq->q_perm.security; 4970 isec = msq->q_perm.security;
4970 msec = msg->security; 4971 msec = msg->security;
4971 4972
@@ -4992,7 +4993,7 @@ static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4992 if (rc) 4993 if (rc)
4993 return rc; 4994 return rc;
4994 4995
4995 tsec = current->security; 4996 tsec = current->cred->security;
4996 isec = shp->shm_perm.security; 4997 isec = shp->shm_perm.security;
4997 4998
4998 AVC_AUDIT_DATA_INIT(&ad, IPC); 4999 AVC_AUDIT_DATA_INIT(&ad, IPC);
@@ -5018,7 +5019,7 @@ static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5018 struct ipc_security_struct *isec; 5019 struct ipc_security_struct *isec;
5019 struct avc_audit_data ad; 5020 struct avc_audit_data ad;
5020 5021
5021 tsec = current->security; 5022 tsec = current->cred->security;
5022 isec = shp->shm_perm.security; 5023 isec = shp->shm_perm.security;
5023 5024
5024 AVC_AUDIT_DATA_INIT(&ad, IPC); 5025 AVC_AUDIT_DATA_INIT(&ad, IPC);
@@ -5091,7 +5092,7 @@ static int selinux_sem_alloc_security(struct sem_array *sma)
5091 if (rc) 5092 if (rc)
5092 return rc; 5093 return rc;
5093 5094
5094 tsec = current->security; 5095 tsec = current->cred->security;
5095 isec = sma->sem_perm.security; 5096 isec = sma->sem_perm.security;
5096 5097
5097 AVC_AUDIT_DATA_INIT(&ad, IPC); 5098 AVC_AUDIT_DATA_INIT(&ad, IPC);
@@ -5117,7 +5118,7 @@ static int selinux_sem_associate(struct sem_array *sma, int semflg)
5117 struct ipc_security_struct *isec; 5118 struct ipc_security_struct *isec;
5118 struct avc_audit_data ad; 5119 struct avc_audit_data ad;
5119 5120
5120 tsec = current->security; 5121 tsec = current->cred->security;
5121 isec = sma->sem_perm.security; 5122 isec = sma->sem_perm.security;
5122 5123
5123 AVC_AUDIT_DATA_INIT(&ad, IPC); 5124 AVC_AUDIT_DATA_INIT(&ad, IPC);
@@ -5224,7 +5225,7 @@ static int selinux_getprocattr(struct task_struct *p,
5224 return error; 5225 return error;
5225 } 5226 }
5226 5227
5227 tsec = p->security; 5228 tsec = p->cred->security;
5228 5229
5229 if (!strcmp(name, "current")) 5230 if (!strcmp(name, "current"))
5230 sid = tsec->sid; 5231 sid = tsec->sid;
@@ -5308,7 +5309,7 @@ static int selinux_setprocattr(struct task_struct *p,
5308 operation. See selinux_bprm_set_security for the execve 5309 operation. See selinux_bprm_set_security for the execve
5309 checks and may_create for the file creation checks. The 5310 checks and may_create for the file creation checks. The
5310 operation will then fail if the context is not permitted. */ 5311 operation will then fail if the context is not permitted. */
5311 tsec = p->security; 5312 tsec = p->cred->security;
5312 if (!strcmp(name, "exec")) 5313 if (!strcmp(name, "exec"))
5313 tsec->exec_sid = sid; 5314 tsec->exec_sid = sid;
5314 else if (!strcmp(name, "fscreate")) 5315 else if (!strcmp(name, "fscreate"))
@@ -5361,7 +5362,8 @@ boundary_ok:
5361 rcu_read_lock(); 5362 rcu_read_lock();
5362 tracer = tracehook_tracer_task(p); 5363 tracer = tracehook_tracer_task(p);
5363 if (tracer != NULL) { 5364 if (tracer != NULL) {
5364 struct task_security_struct *ptsec = tracer->security; 5365 struct task_security_struct *ptsec =
5366 tracer->cred->security;
5365 u32 ptsid = ptsec->sid; 5367 u32 ptsid = ptsec->sid;
5366 rcu_read_unlock(); 5368 rcu_read_unlock();
5367 error = avc_has_perm_noaudit(ptsid, sid, 5369 error = avc_has_perm_noaudit(ptsid, sid,
@@ -5405,7 +5407,7 @@ static void selinux_release_secctx(char *secdata, u32 seclen)
5405static int selinux_key_alloc(struct key *k, struct task_struct *tsk, 5407static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
5406 unsigned long flags) 5408 unsigned long flags)
5407{ 5409{
5408 struct task_security_struct *tsec = tsk->security; 5410 struct task_security_struct *tsec = tsk->cred->security;
5409 struct key_security_struct *ksec; 5411 struct key_security_struct *ksec;
5410 5412
5411 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL); 5413 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
@@ -5439,7 +5441,7 @@ static int selinux_key_permission(key_ref_t key_ref,
5439 5441
5440 key = key_ref_to_ptr(key_ref); 5442 key = key_ref_to_ptr(key_ref);
5441 5443
5442 tsec = ctx->security; 5444 tsec = ctx->cred->security;
5443 ksec = key->security; 5445 ksec = key->security;
5444 5446
5445 /* if no specific permissions are requested, we skip the 5447 /* if no specific permissions are requested, we skip the
@@ -5683,7 +5685,7 @@ static __init int selinux_init(void)
5683 /* Set the security state for the initial task. */ 5685 /* Set the security state for the initial task. */
5684 if (task_alloc_security(current)) 5686 if (task_alloc_security(current))
5685 panic("SELinux: Failed to initialize initial task.\n"); 5687 panic("SELinux: Failed to initialize initial task.\n");
5686 tsec = current->security; 5688 tsec = current->cred->security;
5687 tsec->osid = tsec->sid = SECINITSID_KERNEL; 5689 tsec->osid = tsec->sid = SECINITSID_KERNEL;
5688 5690
5689 sel_inode_cache = kmem_cache_create("selinux_inode_security", 5691 sel_inode_cache = kmem_cache_create("selinux_inode_security",