diff options
author | David Howells <dhowells@redhat.com> | 2008-11-13 18:39:16 -0500 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2008-11-13 18:39:16 -0500 |
commit | b6dff3ec5e116e3af6f537d4caedcad6b9e5082a (patch) | |
tree | 9e76f972eb7ce9b84e0146c8e4126a3f86acb428 /security/selinux/hooks.c | |
parent | 15a2460ed0af7538ca8e6c610fe607a2cd9da142 (diff) |
CRED: Separate task security context from task_struct
Separate the task security context from task_struct. At this point, the
security data is temporarily embedded in the task_struct with two pointers
pointing to it.
Note that the Alpha arch is altered as it refers to (E)UID and (E)GID in
entry.S via asm-offsets.
With comment fixes Signed-off-by: Marc Dionne <marc.c.dionne@gmail.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/selinux/hooks.c')
-rw-r--r-- | security/selinux/hooks.c | 116 |
1 files changed, 59 insertions, 57 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 9f6da154cc82..328308f2882a 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
@@ -167,21 +167,21 @@ static int task_alloc_security(struct task_struct *task) | |||
167 | return -ENOMEM; | 167 | return -ENOMEM; |
168 | 168 | ||
169 | tsec->osid = tsec->sid = SECINITSID_UNLABELED; | 169 | tsec->osid = tsec->sid = SECINITSID_UNLABELED; |
170 | task->security = tsec; | 170 | task->cred->security = tsec; |
171 | 171 | ||
172 | return 0; | 172 | return 0; |
173 | } | 173 | } |
174 | 174 | ||
175 | static void task_free_security(struct task_struct *task) | 175 | static void task_free_security(struct task_struct *task) |
176 | { | 176 | { |
177 | struct task_security_struct *tsec = task->security; | 177 | struct task_security_struct *tsec = task->cred->security; |
178 | task->security = NULL; | 178 | task->cred->security = NULL; |
179 | kfree(tsec); | 179 | kfree(tsec); |
180 | } | 180 | } |
181 | 181 | ||
182 | static int inode_alloc_security(struct inode *inode) | 182 | static int inode_alloc_security(struct inode *inode) |
183 | { | 183 | { |
184 | struct task_security_struct *tsec = current->security; | 184 | struct task_security_struct *tsec = current->cred->security; |
185 | struct inode_security_struct *isec; | 185 | struct inode_security_struct *isec; |
186 | 186 | ||
187 | isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS); | 187 | isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS); |
@@ -215,7 +215,7 @@ static void inode_free_security(struct inode *inode) | |||
215 | 215 | ||
216 | static int file_alloc_security(struct file *file) | 216 | static int file_alloc_security(struct file *file) |
217 | { | 217 | { |
218 | struct task_security_struct *tsec = current->security; | 218 | struct task_security_struct *tsec = current->cred->security; |
219 | struct file_security_struct *fsec; | 219 | struct file_security_struct *fsec; |
220 | 220 | ||
221 | fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL); | 221 | fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL); |
@@ -554,7 +554,7 @@ static int selinux_set_mnt_opts(struct super_block *sb, | |||
554 | struct security_mnt_opts *opts) | 554 | struct security_mnt_opts *opts) |
555 | { | 555 | { |
556 | int rc = 0, i; | 556 | int rc = 0, i; |
557 | struct task_security_struct *tsec = current->security; | 557 | struct task_security_struct *tsec = current->cred->security; |
558 | struct superblock_security_struct *sbsec = sb->s_security; | 558 | struct superblock_security_struct *sbsec = sb->s_security; |
559 | const char *name = sb->s_type->name; | 559 | const char *name = sb->s_type->name; |
560 | struct inode *inode = sbsec->sb->s_root->d_inode; | 560 | struct inode *inode = sbsec->sb->s_root->d_inode; |
@@ -1353,8 +1353,8 @@ static int task_has_perm(struct task_struct *tsk1, | |||
1353 | { | 1353 | { |
1354 | struct task_security_struct *tsec1, *tsec2; | 1354 | struct task_security_struct *tsec1, *tsec2; |
1355 | 1355 | ||
1356 | tsec1 = tsk1->security; | 1356 | tsec1 = tsk1->cred->security; |
1357 | tsec2 = tsk2->security; | 1357 | tsec2 = tsk2->cred->security; |
1358 | return avc_has_perm(tsec1->sid, tsec2->sid, | 1358 | return avc_has_perm(tsec1->sid, tsec2->sid, |
1359 | SECCLASS_PROCESS, perms, NULL); | 1359 | SECCLASS_PROCESS, perms, NULL); |
1360 | } | 1360 | } |
@@ -1374,7 +1374,7 @@ static int task_has_capability(struct task_struct *tsk, | |||
1374 | u32 av = CAP_TO_MASK(cap); | 1374 | u32 av = CAP_TO_MASK(cap); |
1375 | int rc; | 1375 | int rc; |
1376 | 1376 | ||
1377 | tsec = tsk->security; | 1377 | tsec = tsk->cred->security; |
1378 | 1378 | ||
1379 | AVC_AUDIT_DATA_INIT(&ad, CAP); | 1379 | AVC_AUDIT_DATA_INIT(&ad, CAP); |
1380 | ad.tsk = tsk; | 1380 | ad.tsk = tsk; |
@@ -1405,7 +1405,7 @@ static int task_has_system(struct task_struct *tsk, | |||
1405 | { | 1405 | { |
1406 | struct task_security_struct *tsec; | 1406 | struct task_security_struct *tsec; |
1407 | 1407 | ||
1408 | tsec = tsk->security; | 1408 | tsec = tsk->cred->security; |
1409 | 1409 | ||
1410 | return avc_has_perm(tsec->sid, SECINITSID_KERNEL, | 1410 | return avc_has_perm(tsec->sid, SECINITSID_KERNEL, |
1411 | SECCLASS_SYSTEM, perms, NULL); | 1411 | SECCLASS_SYSTEM, perms, NULL); |
@@ -1426,7 +1426,7 @@ static int inode_has_perm(struct task_struct *tsk, | |||
1426 | if (unlikely(IS_PRIVATE(inode))) | 1426 | if (unlikely(IS_PRIVATE(inode))) |
1427 | return 0; | 1427 | return 0; |
1428 | 1428 | ||
1429 | tsec = tsk->security; | 1429 | tsec = tsk->cred->security; |
1430 | isec = inode->i_security; | 1430 | isec = inode->i_security; |
1431 | 1431 | ||
1432 | if (!adp) { | 1432 | if (!adp) { |
@@ -1466,7 +1466,7 @@ static int file_has_perm(struct task_struct *tsk, | |||
1466 | struct file *file, | 1466 | struct file *file, |
1467 | u32 av) | 1467 | u32 av) |
1468 | { | 1468 | { |
1469 | struct task_security_struct *tsec = tsk->security; | 1469 | struct task_security_struct *tsec = tsk->cred->security; |
1470 | struct file_security_struct *fsec = file->f_security; | 1470 | struct file_security_struct *fsec = file->f_security; |
1471 | struct inode *inode = file->f_path.dentry->d_inode; | 1471 | struct inode *inode = file->f_path.dentry->d_inode; |
1472 | struct avc_audit_data ad; | 1472 | struct avc_audit_data ad; |
@@ -1503,7 +1503,7 @@ static int may_create(struct inode *dir, | |||
1503 | struct avc_audit_data ad; | 1503 | struct avc_audit_data ad; |
1504 | int rc; | 1504 | int rc; |
1505 | 1505 | ||
1506 | tsec = current->security; | 1506 | tsec = current->cred->security; |
1507 | dsec = dir->i_security; | 1507 | dsec = dir->i_security; |
1508 | sbsec = dir->i_sb->s_security; | 1508 | sbsec = dir->i_sb->s_security; |
1509 | 1509 | ||
@@ -1540,7 +1540,7 @@ static int may_create_key(u32 ksid, | |||
1540 | { | 1540 | { |
1541 | struct task_security_struct *tsec; | 1541 | struct task_security_struct *tsec; |
1542 | 1542 | ||
1543 | tsec = ctx->security; | 1543 | tsec = ctx->cred->security; |
1544 | 1544 | ||
1545 | return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL); | 1545 | return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL); |
1546 | } | 1546 | } |
@@ -1561,7 +1561,7 @@ static int may_link(struct inode *dir, | |||
1561 | u32 av; | 1561 | u32 av; |
1562 | int rc; | 1562 | int rc; |
1563 | 1563 | ||
1564 | tsec = current->security; | 1564 | tsec = current->cred->security; |
1565 | dsec = dir->i_security; | 1565 | dsec = dir->i_security; |
1566 | isec = dentry->d_inode->i_security; | 1566 | isec = dentry->d_inode->i_security; |
1567 | 1567 | ||
@@ -1606,7 +1606,7 @@ static inline int may_rename(struct inode *old_dir, | |||
1606 | int old_is_dir, new_is_dir; | 1606 | int old_is_dir, new_is_dir; |
1607 | int rc; | 1607 | int rc; |
1608 | 1608 | ||
1609 | tsec = current->security; | 1609 | tsec = current->cred->security; |
1610 | old_dsec = old_dir->i_security; | 1610 | old_dsec = old_dir->i_security; |
1611 | old_isec = old_dentry->d_inode->i_security; | 1611 | old_isec = old_dentry->d_inode->i_security; |
1612 | old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode); | 1612 | old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode); |
@@ -1659,7 +1659,7 @@ static int superblock_has_perm(struct task_struct *tsk, | |||
1659 | struct task_security_struct *tsec; | 1659 | struct task_security_struct *tsec; |
1660 | struct superblock_security_struct *sbsec; | 1660 | struct superblock_security_struct *sbsec; |
1661 | 1661 | ||
1662 | tsec = tsk->security; | 1662 | tsec = tsk->cred->security; |
1663 | sbsec = sb->s_security; | 1663 | sbsec = sb->s_security; |
1664 | return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, | 1664 | return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, |
1665 | perms, ad); | 1665 | perms, ad); |
@@ -1758,8 +1758,8 @@ static int selinux_ptrace_may_access(struct task_struct *child, | |||
1758 | return rc; | 1758 | return rc; |
1759 | 1759 | ||
1760 | if (mode == PTRACE_MODE_READ) { | 1760 | if (mode == PTRACE_MODE_READ) { |
1761 | struct task_security_struct *tsec = current->security; | 1761 | struct task_security_struct *tsec = current->cred->security; |
1762 | struct task_security_struct *csec = child->security; | 1762 | struct task_security_struct *csec = child->cred->security; |
1763 | return avc_has_perm(tsec->sid, csec->sid, | 1763 | return avc_has_perm(tsec->sid, csec->sid, |
1764 | SECCLASS_FILE, FILE__READ, NULL); | 1764 | SECCLASS_FILE, FILE__READ, NULL); |
1765 | } | 1765 | } |
@@ -1874,7 +1874,7 @@ static int selinux_sysctl(ctl_table *table, int op) | |||
1874 | if (rc) | 1874 | if (rc) |
1875 | return rc; | 1875 | return rc; |
1876 | 1876 | ||
1877 | tsec = current->security; | 1877 | tsec = current->cred->security; |
1878 | 1878 | ||
1879 | rc = selinux_sysctl_get_sid(table, (op == 0001) ? | 1879 | rc = selinux_sysctl_get_sid(table, (op == 0001) ? |
1880 | SECCLASS_DIR : SECCLASS_FILE, &tsid); | 1880 | SECCLASS_DIR : SECCLASS_FILE, &tsid); |
@@ -2025,7 +2025,7 @@ static int selinux_bprm_set_security(struct linux_binprm *bprm) | |||
2025 | if (bsec->set) | 2025 | if (bsec->set) |
2026 | return 0; | 2026 | return 0; |
2027 | 2027 | ||
2028 | tsec = current->security; | 2028 | tsec = current->cred->security; |
2029 | isec = inode->i_security; | 2029 | isec = inode->i_security; |
2030 | 2030 | ||
2031 | /* Default to the current task SID. */ | 2031 | /* Default to the current task SID. */ |
@@ -2090,7 +2090,7 @@ static int selinux_bprm_check_security(struct linux_binprm *bprm) | |||
2090 | 2090 | ||
2091 | static int selinux_bprm_secureexec(struct linux_binprm *bprm) | 2091 | static int selinux_bprm_secureexec(struct linux_binprm *bprm) |
2092 | { | 2092 | { |
2093 | struct task_security_struct *tsec = current->security; | 2093 | struct task_security_struct *tsec = current->cred->security; |
2094 | int atsecure = 0; | 2094 | int atsecure = 0; |
2095 | 2095 | ||
2096 | if (tsec->osid != tsec->sid) { | 2096 | if (tsec->osid != tsec->sid) { |
@@ -2214,7 +2214,7 @@ static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe) | |||
2214 | 2214 | ||
2215 | secondary_ops->bprm_apply_creds(bprm, unsafe); | 2215 | secondary_ops->bprm_apply_creds(bprm, unsafe); |
2216 | 2216 | ||
2217 | tsec = current->security; | 2217 | tsec = current->cred->security; |
2218 | 2218 | ||
2219 | bsec = bprm->security; | 2219 | bsec = bprm->security; |
2220 | sid = bsec->sid; | 2220 | sid = bsec->sid; |
@@ -2243,7 +2243,7 @@ static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe) | |||
2243 | rcu_read_lock(); | 2243 | rcu_read_lock(); |
2244 | tracer = tracehook_tracer_task(current); | 2244 | tracer = tracehook_tracer_task(current); |
2245 | if (likely(tracer != NULL)) { | 2245 | if (likely(tracer != NULL)) { |
2246 | sec = tracer->security; | 2246 | sec = tracer->cred->security; |
2247 | ptsid = sec->sid; | 2247 | ptsid = sec->sid; |
2248 | } | 2248 | } |
2249 | rcu_read_unlock(); | 2249 | rcu_read_unlock(); |
@@ -2274,7 +2274,7 @@ static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm) | |||
2274 | int rc, i; | 2274 | int rc, i; |
2275 | unsigned long flags; | 2275 | unsigned long flags; |
2276 | 2276 | ||
2277 | tsec = current->security; | 2277 | tsec = current->cred->security; |
2278 | bsec = bprm->security; | 2278 | bsec = bprm->security; |
2279 | 2279 | ||
2280 | if (bsec->unsafe) { | 2280 | if (bsec->unsafe) { |
@@ -2521,7 +2521,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir, | |||
2521 | int rc; | 2521 | int rc; |
2522 | char *namep = NULL, *context; | 2522 | char *namep = NULL, *context; |
2523 | 2523 | ||
2524 | tsec = current->security; | 2524 | tsec = current->cred->security; |
2525 | dsec = dir->i_security; | 2525 | dsec = dir->i_security; |
2526 | sbsec = dir->i_sb->s_security; | 2526 | sbsec = dir->i_sb->s_security; |
2527 | 2527 | ||
@@ -2706,7 +2706,7 @@ static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name) | |||
2706 | static int selinux_inode_setxattr(struct dentry *dentry, const char *name, | 2706 | static int selinux_inode_setxattr(struct dentry *dentry, const char *name, |
2707 | const void *value, size_t size, int flags) | 2707 | const void *value, size_t size, int flags) |
2708 | { | 2708 | { |
2709 | struct task_security_struct *tsec = current->security; | 2709 | struct task_security_struct *tsec = current->cred->security; |
2710 | struct inode *inode = dentry->d_inode; | 2710 | struct inode *inode = dentry->d_inode; |
2711 | struct inode_security_struct *isec = inode->i_security; | 2711 | struct inode_security_struct *isec = inode->i_security; |
2712 | struct superblock_security_struct *sbsec; | 2712 | struct superblock_security_struct *sbsec; |
@@ -2918,7 +2918,7 @@ static int selinux_revalidate_file_permission(struct file *file, int mask) | |||
2918 | static int selinux_file_permission(struct file *file, int mask) | 2918 | static int selinux_file_permission(struct file *file, int mask) |
2919 | { | 2919 | { |
2920 | struct inode *inode = file->f_path.dentry->d_inode; | 2920 | struct inode *inode = file->f_path.dentry->d_inode; |
2921 | struct task_security_struct *tsec = current->security; | 2921 | struct task_security_struct *tsec = current->cred->security; |
2922 | struct file_security_struct *fsec = file->f_security; | 2922 | struct file_security_struct *fsec = file->f_security; |
2923 | struct inode_security_struct *isec = inode->i_security; | 2923 | struct inode_security_struct *isec = inode->i_security; |
2924 | 2924 | ||
@@ -2995,7 +2995,8 @@ static int selinux_file_mmap(struct file *file, unsigned long reqprot, | |||
2995 | unsigned long addr, unsigned long addr_only) | 2995 | unsigned long addr, unsigned long addr_only) |
2996 | { | 2996 | { |
2997 | int rc = 0; | 2997 | int rc = 0; |
2998 | u32 sid = ((struct task_security_struct *)(current->security))->sid; | 2998 | u32 sid = ((struct task_security_struct *) |
2999 | (current->cred->security))->sid; | ||
2999 | 3000 | ||
3000 | if (addr < mmap_min_addr) | 3001 | if (addr < mmap_min_addr) |
3001 | rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT, | 3002 | rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT, |
@@ -3107,7 +3108,7 @@ static int selinux_file_set_fowner(struct file *file) | |||
3107 | struct task_security_struct *tsec; | 3108 | struct task_security_struct *tsec; |
3108 | struct file_security_struct *fsec; | 3109 | struct file_security_struct *fsec; |
3109 | 3110 | ||
3110 | tsec = current->security; | 3111 | tsec = current->cred->security; |
3111 | fsec = file->f_security; | 3112 | fsec = file->f_security; |
3112 | fsec->fown_sid = tsec->sid; | 3113 | fsec->fown_sid = tsec->sid; |
3113 | 3114 | ||
@@ -3125,7 +3126,7 @@ static int selinux_file_send_sigiotask(struct task_struct *tsk, | |||
3125 | /* struct fown_struct is never outside the context of a struct file */ | 3126 | /* struct fown_struct is never outside the context of a struct file */ |
3126 | file = container_of(fown, struct file, f_owner); | 3127 | file = container_of(fown, struct file, f_owner); |
3127 | 3128 | ||
3128 | tsec = tsk->security; | 3129 | tsec = tsk->cred->security; |
3129 | fsec = file->f_security; | 3130 | fsec = file->f_security; |
3130 | 3131 | ||
3131 | if (!signum) | 3132 | if (!signum) |
@@ -3188,12 +3189,12 @@ static int selinux_task_alloc_security(struct task_struct *tsk) | |||
3188 | struct task_security_struct *tsec1, *tsec2; | 3189 | struct task_security_struct *tsec1, *tsec2; |
3189 | int rc; | 3190 | int rc; |
3190 | 3191 | ||
3191 | tsec1 = current->security; | 3192 | tsec1 = current->cred->security; |
3192 | 3193 | ||
3193 | rc = task_alloc_security(tsk); | 3194 | rc = task_alloc_security(tsk); |
3194 | if (rc) | 3195 | if (rc) |
3195 | return rc; | 3196 | return rc; |
3196 | tsec2 = tsk->security; | 3197 | tsec2 = tsk->cred->security; |
3197 | 3198 | ||
3198 | tsec2->osid = tsec1->osid; | 3199 | tsec2->osid = tsec1->osid; |
3199 | tsec2->sid = tsec1->sid; | 3200 | tsec2->sid = tsec1->sid; |
@@ -3251,7 +3252,7 @@ static int selinux_task_getsid(struct task_struct *p) | |||
3251 | 3252 | ||
3252 | static void selinux_task_getsecid(struct task_struct *p, u32 *secid) | 3253 | static void selinux_task_getsecid(struct task_struct *p, u32 *secid) |
3253 | { | 3254 | { |
3254 | struct task_security_struct *tsec = p->security; | 3255 | struct task_security_struct *tsec = p->cred->security; |
3255 | *secid = tsec->sid; | 3256 | *secid = tsec->sid; |
3256 | } | 3257 | } |
3257 | 3258 | ||
@@ -3343,7 +3344,7 @@ static int selinux_task_kill(struct task_struct *p, struct siginfo *info, | |||
3343 | perm = PROCESS__SIGNULL; /* null signal; existence test */ | 3344 | perm = PROCESS__SIGNULL; /* null signal; existence test */ |
3344 | else | 3345 | else |
3345 | perm = signal_to_av(sig); | 3346 | perm = signal_to_av(sig); |
3346 | tsec = p->security; | 3347 | tsec = p->cred->security; |
3347 | if (secid) | 3348 | if (secid) |
3348 | rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL); | 3349 | rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL); |
3349 | else | 3350 | else |
@@ -3375,7 +3376,7 @@ static void selinux_task_reparent_to_init(struct task_struct *p) | |||
3375 | 3376 | ||
3376 | secondary_ops->task_reparent_to_init(p); | 3377 | secondary_ops->task_reparent_to_init(p); |
3377 | 3378 | ||
3378 | tsec = p->security; | 3379 | tsec = p->cred->security; |
3379 | tsec->osid = tsec->sid; | 3380 | tsec->osid = tsec->sid; |
3380 | tsec->sid = SECINITSID_KERNEL; | 3381 | tsec->sid = SECINITSID_KERNEL; |
3381 | return; | 3382 | return; |
@@ -3384,7 +3385,7 @@ static void selinux_task_reparent_to_init(struct task_struct *p) | |||
3384 | static void selinux_task_to_inode(struct task_struct *p, | 3385 | static void selinux_task_to_inode(struct task_struct *p, |
3385 | struct inode *inode) | 3386 | struct inode *inode) |
3386 | { | 3387 | { |
3387 | struct task_security_struct *tsec = p->security; | 3388 | struct task_security_struct *tsec = p->cred->security; |
3388 | struct inode_security_struct *isec = inode->i_security; | 3389 | struct inode_security_struct *isec = inode->i_security; |
3389 | 3390 | ||
3390 | isec->sid = tsec->sid; | 3391 | isec->sid = tsec->sid; |
@@ -3632,7 +3633,7 @@ static int socket_has_perm(struct task_struct *task, struct socket *sock, | |||
3632 | struct avc_audit_data ad; | 3633 | struct avc_audit_data ad; |
3633 | int err = 0; | 3634 | int err = 0; |
3634 | 3635 | ||
3635 | tsec = task->security; | 3636 | tsec = task->cred->security; |
3636 | isec = SOCK_INODE(sock)->i_security; | 3637 | isec = SOCK_INODE(sock)->i_security; |
3637 | 3638 | ||
3638 | if (isec->sid == SECINITSID_KERNEL) | 3639 | if (isec->sid == SECINITSID_KERNEL) |
@@ -3656,7 +3657,7 @@ static int selinux_socket_create(int family, int type, | |||
3656 | if (kern) | 3657 | if (kern) |
3657 | goto out; | 3658 | goto out; |
3658 | 3659 | ||
3659 | tsec = current->security; | 3660 | tsec = current->cred->security; |
3660 | newsid = tsec->sockcreate_sid ? : tsec->sid; | 3661 | newsid = tsec->sockcreate_sid ? : tsec->sid; |
3661 | err = avc_has_perm(tsec->sid, newsid, | 3662 | err = avc_has_perm(tsec->sid, newsid, |
3662 | socket_type_to_security_class(family, type, | 3663 | socket_type_to_security_class(family, type, |
@@ -3677,7 +3678,7 @@ static int selinux_socket_post_create(struct socket *sock, int family, | |||
3677 | 3678 | ||
3678 | isec = SOCK_INODE(sock)->i_security; | 3679 | isec = SOCK_INODE(sock)->i_security; |
3679 | 3680 | ||
3680 | tsec = current->security; | 3681 | tsec = current->cred->security; |
3681 | newsid = tsec->sockcreate_sid ? : tsec->sid; | 3682 | newsid = tsec->sockcreate_sid ? : tsec->sid; |
3682 | isec->sclass = socket_type_to_security_class(family, type, protocol); | 3683 | isec->sclass = socket_type_to_security_class(family, type, protocol); |
3683 | isec->sid = kern ? SECINITSID_KERNEL : newsid; | 3684 | isec->sid = kern ? SECINITSID_KERNEL : newsid; |
@@ -3723,7 +3724,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in | |||
3723 | struct sock *sk = sock->sk; | 3724 | struct sock *sk = sock->sk; |
3724 | u32 sid, node_perm; | 3725 | u32 sid, node_perm; |
3725 | 3726 | ||
3726 | tsec = current->security; | 3727 | tsec = current->cred->security; |
3727 | isec = SOCK_INODE(sock)->i_security; | 3728 | isec = SOCK_INODE(sock)->i_security; |
3728 | 3729 | ||
3729 | if (family == PF_INET) { | 3730 | if (family == PF_INET) { |
@@ -4764,7 +4765,7 @@ static int ipc_alloc_security(struct task_struct *task, | |||
4764 | struct kern_ipc_perm *perm, | 4765 | struct kern_ipc_perm *perm, |
4765 | u16 sclass) | 4766 | u16 sclass) |
4766 | { | 4767 | { |
4767 | struct task_security_struct *tsec = task->security; | 4768 | struct task_security_struct *tsec = task->cred->security; |
4768 | struct ipc_security_struct *isec; | 4769 | struct ipc_security_struct *isec; |
4769 | 4770 | ||
4770 | isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL); | 4771 | isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL); |
@@ -4814,7 +4815,7 @@ static int ipc_has_perm(struct kern_ipc_perm *ipc_perms, | |||
4814 | struct ipc_security_struct *isec; | 4815 | struct ipc_security_struct *isec; |
4815 | struct avc_audit_data ad; | 4816 | struct avc_audit_data ad; |
4816 | 4817 | ||
4817 | tsec = current->security; | 4818 | tsec = current->cred->security; |
4818 | isec = ipc_perms->security; | 4819 | isec = ipc_perms->security; |
4819 | 4820 | ||
4820 | AVC_AUDIT_DATA_INIT(&ad, IPC); | 4821 | AVC_AUDIT_DATA_INIT(&ad, IPC); |
@@ -4845,7 +4846,7 @@ static int selinux_msg_queue_alloc_security(struct msg_queue *msq) | |||
4845 | if (rc) | 4846 | if (rc) |
4846 | return rc; | 4847 | return rc; |
4847 | 4848 | ||
4848 | tsec = current->security; | 4849 | tsec = current->cred->security; |
4849 | isec = msq->q_perm.security; | 4850 | isec = msq->q_perm.security; |
4850 | 4851 | ||
4851 | AVC_AUDIT_DATA_INIT(&ad, IPC); | 4852 | AVC_AUDIT_DATA_INIT(&ad, IPC); |
@@ -4871,7 +4872,7 @@ static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg) | |||
4871 | struct ipc_security_struct *isec; | 4872 | struct ipc_security_struct *isec; |
4872 | struct avc_audit_data ad; | 4873 | struct avc_audit_data ad; |
4873 | 4874 | ||
4874 | tsec = current->security; | 4875 | tsec = current->cred->security; |
4875 | isec = msq->q_perm.security; | 4876 | isec = msq->q_perm.security; |
4876 | 4877 | ||
4877 | AVC_AUDIT_DATA_INIT(&ad, IPC); | 4878 | AVC_AUDIT_DATA_INIT(&ad, IPC); |
@@ -4917,7 +4918,7 @@ static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, | |||
4917 | struct avc_audit_data ad; | 4918 | struct avc_audit_data ad; |
4918 | int rc; | 4919 | int rc; |
4919 | 4920 | ||
4920 | tsec = current->security; | 4921 | tsec = current->cred->security; |
4921 | isec = msq->q_perm.security; | 4922 | isec = msq->q_perm.security; |
4922 | msec = msg->security; | 4923 | msec = msg->security; |
4923 | 4924 | ||
@@ -4965,7 +4966,7 @@ static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, | |||
4965 | struct avc_audit_data ad; | 4966 | struct avc_audit_data ad; |
4966 | int rc; | 4967 | int rc; |
4967 | 4968 | ||
4968 | tsec = target->security; | 4969 | tsec = target->cred->security; |
4969 | isec = msq->q_perm.security; | 4970 | isec = msq->q_perm.security; |
4970 | msec = msg->security; | 4971 | msec = msg->security; |
4971 | 4972 | ||
@@ -4992,7 +4993,7 @@ static int selinux_shm_alloc_security(struct shmid_kernel *shp) | |||
4992 | if (rc) | 4993 | if (rc) |
4993 | return rc; | 4994 | return rc; |
4994 | 4995 | ||
4995 | tsec = current->security; | 4996 | tsec = current->cred->security; |
4996 | isec = shp->shm_perm.security; | 4997 | isec = shp->shm_perm.security; |
4997 | 4998 | ||
4998 | AVC_AUDIT_DATA_INIT(&ad, IPC); | 4999 | AVC_AUDIT_DATA_INIT(&ad, IPC); |
@@ -5018,7 +5019,7 @@ static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg) | |||
5018 | struct ipc_security_struct *isec; | 5019 | struct ipc_security_struct *isec; |
5019 | struct avc_audit_data ad; | 5020 | struct avc_audit_data ad; |
5020 | 5021 | ||
5021 | tsec = current->security; | 5022 | tsec = current->cred->security; |
5022 | isec = shp->shm_perm.security; | 5023 | isec = shp->shm_perm.security; |
5023 | 5024 | ||
5024 | AVC_AUDIT_DATA_INIT(&ad, IPC); | 5025 | AVC_AUDIT_DATA_INIT(&ad, IPC); |
@@ -5091,7 +5092,7 @@ static int selinux_sem_alloc_security(struct sem_array *sma) | |||
5091 | if (rc) | 5092 | if (rc) |
5092 | return rc; | 5093 | return rc; |
5093 | 5094 | ||
5094 | tsec = current->security; | 5095 | tsec = current->cred->security; |
5095 | isec = sma->sem_perm.security; | 5096 | isec = sma->sem_perm.security; |
5096 | 5097 | ||
5097 | AVC_AUDIT_DATA_INIT(&ad, IPC); | 5098 | AVC_AUDIT_DATA_INIT(&ad, IPC); |
@@ -5117,7 +5118,7 @@ static int selinux_sem_associate(struct sem_array *sma, int semflg) | |||
5117 | struct ipc_security_struct *isec; | 5118 | struct ipc_security_struct *isec; |
5118 | struct avc_audit_data ad; | 5119 | struct avc_audit_data ad; |
5119 | 5120 | ||
5120 | tsec = current->security; | 5121 | tsec = current->cred->security; |
5121 | isec = sma->sem_perm.security; | 5122 | isec = sma->sem_perm.security; |
5122 | 5123 | ||
5123 | AVC_AUDIT_DATA_INIT(&ad, IPC); | 5124 | AVC_AUDIT_DATA_INIT(&ad, IPC); |
@@ -5224,7 +5225,7 @@ static int selinux_getprocattr(struct task_struct *p, | |||
5224 | return error; | 5225 | return error; |
5225 | } | 5226 | } |
5226 | 5227 | ||
5227 | tsec = p->security; | 5228 | tsec = p->cred->security; |
5228 | 5229 | ||
5229 | if (!strcmp(name, "current")) | 5230 | if (!strcmp(name, "current")) |
5230 | sid = tsec->sid; | 5231 | sid = tsec->sid; |
@@ -5308,7 +5309,7 @@ static int selinux_setprocattr(struct task_struct *p, | |||
5308 | operation. See selinux_bprm_set_security for the execve | 5309 | operation. See selinux_bprm_set_security for the execve |
5309 | checks and may_create for the file creation checks. The | 5310 | checks and may_create for the file creation checks. The |
5310 | operation will then fail if the context is not permitted. */ | 5311 | operation will then fail if the context is not permitted. */ |
5311 | tsec = p->security; | 5312 | tsec = p->cred->security; |
5312 | if (!strcmp(name, "exec")) | 5313 | if (!strcmp(name, "exec")) |
5313 | tsec->exec_sid = sid; | 5314 | tsec->exec_sid = sid; |
5314 | else if (!strcmp(name, "fscreate")) | 5315 | else if (!strcmp(name, "fscreate")) |
@@ -5361,7 +5362,8 @@ boundary_ok: | |||
5361 | rcu_read_lock(); | 5362 | rcu_read_lock(); |
5362 | tracer = tracehook_tracer_task(p); | 5363 | tracer = tracehook_tracer_task(p); |
5363 | if (tracer != NULL) { | 5364 | if (tracer != NULL) { |
5364 | struct task_security_struct *ptsec = tracer->security; | 5365 | struct task_security_struct *ptsec = |
5366 | tracer->cred->security; | ||
5365 | u32 ptsid = ptsec->sid; | 5367 | u32 ptsid = ptsec->sid; |
5366 | rcu_read_unlock(); | 5368 | rcu_read_unlock(); |
5367 | error = avc_has_perm_noaudit(ptsid, sid, | 5369 | error = avc_has_perm_noaudit(ptsid, sid, |
@@ -5405,7 +5407,7 @@ static void selinux_release_secctx(char *secdata, u32 seclen) | |||
5405 | static int selinux_key_alloc(struct key *k, struct task_struct *tsk, | 5407 | static int selinux_key_alloc(struct key *k, struct task_struct *tsk, |
5406 | unsigned long flags) | 5408 | unsigned long flags) |
5407 | { | 5409 | { |
5408 | struct task_security_struct *tsec = tsk->security; | 5410 | struct task_security_struct *tsec = tsk->cred->security; |
5409 | struct key_security_struct *ksec; | 5411 | struct key_security_struct *ksec; |
5410 | 5412 | ||
5411 | ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL); | 5413 | ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL); |
@@ -5439,7 +5441,7 @@ static int selinux_key_permission(key_ref_t key_ref, | |||
5439 | 5441 | ||
5440 | key = key_ref_to_ptr(key_ref); | 5442 | key = key_ref_to_ptr(key_ref); |
5441 | 5443 | ||
5442 | tsec = ctx->security; | 5444 | tsec = ctx->cred->security; |
5443 | ksec = key->security; | 5445 | ksec = key->security; |
5444 | 5446 | ||
5445 | /* if no specific permissions are requested, we skip the | 5447 | /* if no specific permissions are requested, we skip the |
@@ -5683,7 +5685,7 @@ static __init int selinux_init(void) | |||
5683 | /* Set the security state for the initial task. */ | 5685 | /* Set the security state for the initial task. */ |
5684 | if (task_alloc_security(current)) | 5686 | if (task_alloc_security(current)) |
5685 | panic("SELinux: Failed to initialize initial task.\n"); | 5687 | panic("SELinux: Failed to initialize initial task.\n"); |
5686 | tsec = current->security; | 5688 | tsec = current->cred->security; |
5687 | tsec->osid = tsec->sid = SECINITSID_KERNEL; | 5689 | tsec->osid = tsec->sid = SECINITSID_KERNEL; |
5688 | 5690 | ||
5689 | sel_inode_cache = kmem_cache_create("selinux_inode_security", | 5691 | sel_inode_cache = kmem_cache_create("selinux_inode_security", |