diff options
| author | David Howells <dhowells@redhat.com> | 2008-11-13 18:39:17 -0500 |
|---|---|---|
| committer | James Morris <jmorris@namei.org> | 2008-11-13 18:39:17 -0500 |
| commit | f1752eec6145c97163dbce62d17cf5d928e28a27 (patch) | |
| tree | 16bc51166d38815092de36a461b845b0b4b522f9 /security/selinux | |
| parent | b6dff3ec5e116e3af6f537d4caedcad6b9e5082a (diff) | |
CRED: Detach the credentials from task_struct
Detach the credentials from task_struct, duplicating them in copy_process()
and releasing them in __put_task_struct().
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/selinux')
| -rw-r--r-- | security/selinux/hooks.c | 32 |
1 files changed, 15 insertions, 17 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 328308f2882a..658435dce37c 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
| @@ -158,7 +158,7 @@ static int selinux_secmark_enabled(void) | |||
| 158 | 158 | ||
| 159 | /* Allocate and free functions for each kind of security blob. */ | 159 | /* Allocate and free functions for each kind of security blob. */ |
| 160 | 160 | ||
| 161 | static int task_alloc_security(struct task_struct *task) | 161 | static int cred_alloc_security(struct cred *cred) |
| 162 | { | 162 | { |
| 163 | struct task_security_struct *tsec; | 163 | struct task_security_struct *tsec; |
| 164 | 164 | ||
| @@ -167,18 +167,11 @@ static int task_alloc_security(struct task_struct *task) | |||
| 167 | return -ENOMEM; | 167 | return -ENOMEM; |
| 168 | 168 | ||
| 169 | tsec->osid = tsec->sid = SECINITSID_UNLABELED; | 169 | tsec->osid = tsec->sid = SECINITSID_UNLABELED; |
| 170 | task->cred->security = tsec; | 170 | cred->security = tsec; |
| 171 | 171 | ||
| 172 | return 0; | 172 | return 0; |
| 173 | } | 173 | } |
| 174 | 174 | ||
| 175 | static void task_free_security(struct task_struct *task) | ||
| 176 | { | ||
| 177 | struct task_security_struct *tsec = task->cred->security; | ||
| 178 | task->cred->security = NULL; | ||
| 179 | kfree(tsec); | ||
| 180 | } | ||
| 181 | |||
| 182 | static int inode_alloc_security(struct inode *inode) | 175 | static int inode_alloc_security(struct inode *inode) |
| 183 | { | 176 | { |
| 184 | struct task_security_struct *tsec = current->cred->security; | 177 | struct task_security_struct *tsec = current->cred->security; |
| @@ -3184,17 +3177,17 @@ static int selinux_task_create(unsigned long clone_flags) | |||
| 3184 | return task_has_perm(current, current, PROCESS__FORK); | 3177 | return task_has_perm(current, current, PROCESS__FORK); |
| 3185 | } | 3178 | } |
| 3186 | 3179 | ||
| 3187 | static int selinux_task_alloc_security(struct task_struct *tsk) | 3180 | static int selinux_cred_alloc_security(struct cred *cred) |
| 3188 | { | 3181 | { |
| 3189 | struct task_security_struct *tsec1, *tsec2; | 3182 | struct task_security_struct *tsec1, *tsec2; |
| 3190 | int rc; | 3183 | int rc; |
| 3191 | 3184 | ||
| 3192 | tsec1 = current->cred->security; | 3185 | tsec1 = current->cred->security; |
| 3193 | 3186 | ||
| 3194 | rc = task_alloc_security(tsk); | 3187 | rc = cred_alloc_security(cred); |
| 3195 | if (rc) | 3188 | if (rc) |
| 3196 | return rc; | 3189 | return rc; |
| 3197 | tsec2 = tsk->cred->security; | 3190 | tsec2 = cred->security; |
| 3198 | 3191 | ||
| 3199 | tsec2->osid = tsec1->osid; | 3192 | tsec2->osid = tsec1->osid; |
| 3200 | tsec2->sid = tsec1->sid; | 3193 | tsec2->sid = tsec1->sid; |
| @@ -3208,9 +3201,14 @@ static int selinux_task_alloc_security(struct task_struct *tsk) | |||
| 3208 | return 0; | 3201 | return 0; |
| 3209 | } | 3202 | } |
| 3210 | 3203 | ||
| 3211 | static void selinux_task_free_security(struct task_struct *tsk) | 3204 | /* |
| 3205 | * detach and free the LSM part of a set of credentials | ||
| 3206 | */ | ||
| 3207 | static void selinux_cred_free(struct cred *cred) | ||
| 3212 | { | 3208 | { |
| 3213 | task_free_security(tsk); | 3209 | struct task_security_struct *tsec = cred->security; |
| 3210 | cred->security = NULL; | ||
| 3211 | kfree(tsec); | ||
| 3214 | } | 3212 | } |
| 3215 | 3213 | ||
| 3216 | static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) | 3214 | static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) |
| @@ -5552,8 +5550,8 @@ static struct security_operations selinux_ops = { | |||
| 5552 | .dentry_open = selinux_dentry_open, | 5550 | .dentry_open = selinux_dentry_open, |
| 5553 | 5551 | ||
| 5554 | .task_create = selinux_task_create, | 5552 | .task_create = selinux_task_create, |
| 5555 | .task_alloc_security = selinux_task_alloc_security, | 5553 | .cred_alloc_security = selinux_cred_alloc_security, |
| 5556 | .task_free_security = selinux_task_free_security, | 5554 | .cred_free = selinux_cred_free, |
| 5557 | .task_setuid = selinux_task_setuid, | 5555 | .task_setuid = selinux_task_setuid, |
| 5558 | .task_post_setuid = selinux_task_post_setuid, | 5556 | .task_post_setuid = selinux_task_post_setuid, |
| 5559 | .task_setgid = selinux_task_setgid, | 5557 | .task_setgid = selinux_task_setgid, |
| @@ -5683,7 +5681,7 @@ static __init int selinux_init(void) | |||
| 5683 | printk(KERN_INFO "SELinux: Initializing.\n"); | 5681 | printk(KERN_INFO "SELinux: Initializing.\n"); |
| 5684 | 5682 | ||
| 5685 | /* Set the security state for the initial task. */ | 5683 | /* Set the security state for the initial task. */ |
| 5686 | if (task_alloc_security(current)) | 5684 | if (cred_alloc_security(current->cred)) |
| 5687 | panic("SELinux: Failed to initialize initial task.\n"); | 5685 | panic("SELinux: Failed to initialize initial task.\n"); |
| 5688 | tsec = current->cred->security; | 5686 | tsec = current->cred->security; |
| 5689 | tsec->osid = tsec->sid = SECINITSID_KERNEL; | 5687 | tsec->osid = tsec->sid = SECINITSID_KERNEL; |