authorLinus Torvalds <torvalds@linux-foundation.org>2008-12-28 14:43:54 -0500
committerLinus Torvalds <torvalds@linux-foundation.org>2008-12-28 14:43:54 -0500
commitbb26c6c29b7cc9f39e491b074b09f3c284738d36 (patch)
treec7867af2bb4ff0feae889183efcd4d79b0f9a325 /security/smack/smack_lsm.c
parente14e61e967f2b3bdf23f05e4ae5b9aa830151a44 (diff)
parentcbacc2c7f066a1e01b33b0e27ae5efbf534bc2db (diff)
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6: (105 commits) SELinux: don't check permissions for kernel mounts security: pass mount flags to security_sb_kern_mount() SELinux: correctly detect proc filesystems of the form "proc/foo" Audit: Log TIOCSTI user namespaces: document CFS behavior user namespaces: require cap_set{ug}id for CLONE_NEWUSER user namespaces: let user_ns be cloned with fairsched CRED: fix sparse warnings User namespaces: use the current_user_ns() macro User namespaces: set of cleanups (v2) nfsctl: add headers for credentials coda: fix creds reference capabilities: define get_vfs_caps_from_disk when file caps are not enabled CRED: Allow kernel services to override LSM settings for task actions CRED: Add a kernel_service object class to SELinux CRED: Differentiate objective and effective subjective credentials on a task CRED: Documentation CRED: Use creds in file structs CRED: Prettify commoncap.c CRED: Make execve() take advantage of copy-on-write credentials ...
Diffstat (limited to 'security/smack/smack_lsm.c')
-rw-r--r--security/smack/smack_lsm.c176
1 files changed, 114 insertions, 62 deletions
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 6e2dc0bab70d..1b5551dfc1f7 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -30,6 +30,8 @@
30 30
31#include "smack.h" 31#include "smack.h"
32 32
33#define task_security(task) (task_cred_xxx((task), security))
34
33/* 35/*
34 * I hope these are the hokeyist lines of code in the module. Casey. 36 * I hope these are the hokeyist lines of code in the module. Casey.
35 */ 37 */
@@ -102,7 +104,7 @@ static int smack_ptrace_may_access(struct task_struct *ctp, unsigned int mode)
102 if (rc != 0) 104 if (rc != 0)
103 return rc; 105 return rc;
104 106
105 rc = smk_access(current->security, ctp->security, MAY_READWRITE); 107 rc = smk_access(current_security(), task_security(ctp), MAY_READWRITE);
106 if (rc != 0 && capable(CAP_MAC_OVERRIDE)) 108 if (rc != 0 && capable(CAP_MAC_OVERRIDE))
107 return 0; 109 return 0;
108 return rc; 110 return rc;
@@ -124,7 +126,7 @@ static int smack_ptrace_traceme(struct task_struct *ptp)
124 if (rc != 0) 126 if (rc != 0)
125 return rc; 127 return rc;
126 128
127 rc = smk_access(ptp->security, current->security, MAY_READWRITE); 129 rc = smk_access(task_security(ptp), current_security(), MAY_READWRITE);
128 if (rc != 0 && has_capability(ptp, CAP_MAC_OVERRIDE)) 130 if (rc != 0 && has_capability(ptp, CAP_MAC_OVERRIDE))
129 return 0; 131 return 0;
130 return rc; 132 return rc;
@@ -141,7 +143,7 @@ static int smack_ptrace_traceme(struct task_struct *ptp)
141static int smack_syslog(int type) 143static int smack_syslog(int type)
142{ 144{
143 int rc; 145 int rc;
144 char *sp = current->security; 146 char *sp = current_security();
145 147
146 rc = cap_syslog(type); 148 rc = cap_syslog(type);
147 if (rc != 0) 149 if (rc != 0)
@@ -248,11 +250,12 @@ static int smack_sb_copy_data(char *orig, char *smackopts)
248/** 250/**
249 * smack_sb_kern_mount - Smack specific mount processing 251 * smack_sb_kern_mount - Smack specific mount processing
250 * @sb: the file system superblock 252 * @sb: the file system superblock
253 * @flags: the mount flags
251 * @data: the smack mount options 254 * @data: the smack mount options
252 * 255 *
253 * Returns 0 on success, an error code on failure 256 * Returns 0 on success, an error code on failure
254 */ 257 */
255static int smack_sb_kern_mount(struct super_block *sb, void *data) 258static int smack_sb_kern_mount(struct super_block *sb, int flags, void *data)
256{ 259{
257 struct dentry *root = sb->s_root; 260 struct dentry *root = sb->s_root;
258 struct inode *inode = root->d_inode; 261 struct inode *inode = root->d_inode;
@@ -373,7 +376,7 @@ static int smack_sb_umount(struct vfsmount *mnt, int flags)
373 */ 376 */
374static int smack_inode_alloc_security(struct inode *inode) 377static int smack_inode_alloc_security(struct inode *inode)
375{ 378{
376 inode->i_security = new_inode_smack(current->security); 379 inode->i_security = new_inode_smack(current_security());
377 if (inode->i_security == NULL) 380 if (inode->i_security == NULL)
378 return -ENOMEM; 381 return -ENOMEM;
379 return 0; 382 return 0;
@@ -818,7 +821,7 @@ static int smack_file_permission(struct file *file, int mask)
818 */ 821 */
819static int smack_file_alloc_security(struct file *file) 822static int smack_file_alloc_security(struct file *file)
820{ 823{
821 file->f_security = current->security; 824 file->f_security = current_security();
822 return 0; 825 return 0;
823} 826}
824 827
@@ -916,7 +919,7 @@ static int smack_file_fcntl(struct file *file, unsigned int cmd,
916 */ 919 */
917static int smack_file_set_fowner(struct file *file) 920static int smack_file_set_fowner(struct file *file)
918{ 921{
919 file->f_security = current->security; 922 file->f_security = current_security();
920 return 0; 923 return 0;
921} 924}
922 925
@@ -941,7 +944,7 @@ static int smack_file_send_sigiotask(struct task_struct *tsk,
941 * struct fown_struct is never outside the context of a struct file 944 * struct fown_struct is never outside the context of a struct file
942 */ 945 */
943 file = container_of(fown, struct file, f_owner); 946 file = container_of(fown, struct file, f_owner);
944 rc = smk_access(file->f_security, tsk->security, MAY_WRITE); 947 rc = smk_access(file->f_security, tsk->cred->security, MAY_WRITE);
945 if (rc != 0 && has_capability(tsk, CAP_MAC_OVERRIDE)) 948 if (rc != 0 && has_capability(tsk, CAP_MAC_OVERRIDE))
946 return 0; 949 return 0;
947 return rc; 950 return rc;
@@ -973,33 +976,75 @@ static int smack_file_receive(struct file *file)
973 */ 976 */
974 977
975/** 978/**
976 * smack_task_alloc_security - "allocate" a task blob 979 * smack_cred_free - "free" task-level security credentials
977 * @tsk: the task in need of a blob 980 * @cred: the credentials in question
978 * 981 *
979 * Smack isn't using copies of blobs. Everyone 982 * Smack isn't using copies of blobs. Everyone
980 * points to an immutable list. No alloc required. 983 * points to an immutable list. The blobs never go away.
981 * No data copy required. 984 * There is no leak here.
985 */
986static void smack_cred_free(struct cred *cred)
987{
988 cred->security = NULL;
989}
990
991/**
992 * smack_cred_prepare - prepare new set of credentials for modification
993 * @new: the new credentials
994 * @old: the original credentials
995 * @gfp: the atomicity of any memory allocations
996 *
997 * Prepare a new set of credentials for modification.
998 */
999static int smack_cred_prepare(struct cred *new, const struct cred *old,
1000 gfp_t gfp)
1001{
1002 new->security = old->security;
1003 return 0;
1004}
1005
1006/*
1007 * commit new credentials
1008 * @new: the new credentials
1009 * @old: the original credentials
1010 */
1011static void smack_cred_commit(struct cred *new, const struct cred *old)
1012{
1013}
1014
1015/**
1016 * smack_kernel_act_as - Set the subjective context in a set of credentials
1017 * @new points to the set of credentials to be modified.
1018 * @secid specifies the security ID to be set
982 * 1019 *
983 * Always returns 0 1020 * Set the security data for a kernel service.
984 */ 1021 */
985static int smack_task_alloc_security(struct task_struct *tsk) 1022static int smack_kernel_act_as(struct cred *new, u32 secid)
986{ 1023{
987 tsk->security = current->security; 1024 char *smack = smack_from_secid(secid);
1025
1026 if (smack == NULL)
1027 return -EINVAL;
988 1028
1029 new->security = smack;
989 return 0; 1030 return 0;
990} 1031}
991 1032
992/** 1033/**
993 * smack_task_free_security - "free" a task blob 1034 * smack_kernel_create_files_as - Set the file creation label in a set of creds
994 * @task: the task with the blob 1035 * @new points to the set of credentials to be modified
1036 * @inode points to the inode to use as a reference
995 * 1037 *
996 * Smack isn't using copies of blobs. Everyone 1038 * Set the file creation context in a set of credentials to the same
997 * points to an immutable list. The blobs never go away. 1039 * as the objective context of the specified inode
998 * There is no leak here.
999 */ 1040 */
1000static void smack_task_free_security(struct task_struct *task) 1041static int smack_kernel_create_files_as(struct cred *new,
1042 struct inode *inode)
1001{ 1043{
1002 task->security = NULL; 1044 struct inode_smack *isp = inode->i_security;
1045
1046 new->security = isp->smk_inode;
1047 return 0;
1003} 1048}
1004 1049
1005/** 1050/**
@@ -1011,7 +1056,7 @@ static void smack_task_free_security(struct task_struct *task)
1011 */ 1056 */
1012static int smack_task_setpgid(struct task_struct *p, pid_t pgid) 1057static int smack_task_setpgid(struct task_struct *p, pid_t pgid)
1013{ 1058{
1014 return smk_curacc(p->security, MAY_WRITE); 1059 return smk_curacc(task_security(p), MAY_WRITE);
1015} 1060}
1016 1061
1017/** 1062/**
@@ -1022,7 +1067,7 @@ static int smack_task_setpgid(struct task_struct *p, pid_t pgid)
1022 */ 1067 */
1023static int smack_task_getpgid(struct task_struct *p) 1068static int smack_task_getpgid(struct task_struct *p)
1024{ 1069{
1025 return smk_curacc(p->security, MAY_READ); 1070 return smk_curacc(task_security(p), MAY_READ);
1026} 1071}
1027 1072
1028/** 1073/**
@@ -1033,7 +1078,7 @@ static int smack_task_getpgid(struct task_struct *p)
1033 */ 1078 */
1034static int smack_task_getsid(struct task_struct *p) 1079static int smack_task_getsid(struct task_struct *p)
1035{ 1080{
1036 return smk_curacc(p->security, MAY_READ); 1081 return smk_curacc(task_security(p), MAY_READ);
1037} 1082}
1038 1083
1039/** 1084/**
@@ -1045,7 +1090,7 @@ static int smack_task_getsid(struct task_struct *p)
1045 */ 1090 */
1046static void smack_task_getsecid(struct task_struct *p, u32 *secid) 1091static void smack_task_getsecid(struct task_struct *p, u32 *secid)
1047{ 1092{
1048 *secid = smack_to_secid(p->security); 1093 *secid = smack_to_secid(task_security(p));
1049} 1094}
1050 1095
1051/** 1096/**
@@ -1061,7 +1106,7 @@ static int smack_task_setnice(struct task_struct *p, int nice)
1061 1106
1062 rc = cap_task_setnice(p, nice); 1107 rc = cap_task_setnice(p, nice);
1063 if (rc == 0) 1108 if (rc == 0)
1064 rc = smk_curacc(p->security, MAY_WRITE); 1109 rc = smk_curacc(task_security(p), MAY_WRITE);
1065 return rc; 1110 return rc;
1066} 1111}
1067 1112
@@ -1078,7 +1123,7 @@ static int smack_task_setioprio(struct task_struct *p, int ioprio)
1078 1123
1079 rc = cap_task_setioprio(p, ioprio); 1124 rc = cap_task_setioprio(p, ioprio);
1080 if (rc == 0) 1125 if (rc == 0)
1081 rc = smk_curacc(p->security, MAY_WRITE); 1126 rc = smk_curacc(task_security(p), MAY_WRITE);
1082 return rc; 1127 return rc;
1083} 1128}
1084 1129
@@ -1090,7 +1135,7 @@ static int smack_task_setioprio(struct task_struct *p, int ioprio)
1090 */ 1135 */
1091static int smack_task_getioprio(struct task_struct *p) 1136static int smack_task_getioprio(struct task_struct *p)
1092{ 1137{
1093 return smk_curacc(p->security, MAY_READ); 1138 return smk_curacc(task_security(p), MAY_READ);
1094} 1139}
1095 1140
1096/** 1141/**
@@ -1108,7 +1153,7 @@ static int smack_task_setscheduler(struct task_struct *p, int policy,
1108 1153
1109 rc = cap_task_setscheduler(p, policy, lp); 1154 rc = cap_task_setscheduler(p, policy, lp);
1110 if (rc == 0) 1155 if (rc == 0)
1111 rc = smk_curacc(p->security, MAY_WRITE); 1156 rc = smk_curacc(task_security(p), MAY_WRITE);
1112 return rc; 1157 return rc;
1113} 1158}
1114 1159
@@ -1120,7 +1165,7 @@ static int smack_task_setscheduler(struct task_struct *p, int policy,
1120 */ 1165 */
1121static int smack_task_getscheduler(struct task_struct *p) 1166static int smack_task_getscheduler(struct task_struct *p)
1122{ 1167{
1123 return smk_curacc(p->security, MAY_READ); 1168 return smk_curacc(task_security(p), MAY_READ);
1124} 1169}
1125 1170
1126/** 1171/**
@@ -1131,7 +1176,7 @@ static int smack_task_getscheduler(struct task_struct *p)
1131 */ 1176 */
1132static int smack_task_movememory(struct task_struct *p) 1177static int smack_task_movememory(struct task_struct *p)
1133{ 1178{
1134 return smk_curacc(p->security, MAY_WRITE); 1179 return smk_curacc(task_security(p), MAY_WRITE);
1135} 1180}
1136 1181
1137/** 1182/**
@@ -1154,13 +1199,13 @@ static int smack_task_kill(struct task_struct *p, struct siginfo *info,
1154 * can write the receiver. 1199 * can write the receiver.
1155 */ 1200 */
1156 if (secid == 0) 1201 if (secid == 0)
1157 return smk_curacc(p->security, MAY_WRITE); 1202 return smk_curacc(task_security(p), MAY_WRITE);
1158 /* 1203 /*
1159 * If the secid isn't 0 we're dealing with some USB IO 1204 * If the secid isn't 0 we're dealing with some USB IO
1160 * specific behavior. This is not clean. For one thing 1205 * specific behavior. This is not clean. For one thing
1161 * we can't take privilege into account. 1206 * we can't take privilege into account.
1162 */ 1207 */
1163 return smk_access(smack_from_secid(secid), p->security, MAY_WRITE); 1208 return smk_access(smack_from_secid(secid), task_security(p), MAY_WRITE);
1164} 1209}
1165 1210
1166/** 1211/**
@@ -1173,7 +1218,7 @@ static int smack_task_wait(struct task_struct *p)
1173{ 1218{
1174 int rc; 1219 int rc;
1175 1220
1176 rc = smk_access(current->security, p->security, MAY_WRITE); 1221 rc = smk_access(current_security(), task_security(p), MAY_WRITE);
1177 if (rc == 0) 1222 if (rc == 0)
1178 return 0; 1223 return 0;
1179 1224
@@ -1204,7 +1249,7 @@ static int smack_task_wait(struct task_struct *p)
1204static void smack_task_to_inode(struct task_struct *p, struct inode *inode) 1249static void smack_task_to_inode(struct task_struct *p, struct inode *inode)
1205{ 1250{
1206 struct inode_smack *isp = inode->i_security; 1251 struct inode_smack *isp = inode->i_security;
1207 isp->smk_inode = p->security; 1252 isp->smk_inode = task_security(p);
1208} 1253}
1209 1254
1210/* 1255/*
@@ -1223,7 +1268,7 @@ static void smack_task_to_inode(struct task_struct *p, struct inode *inode)
1223 */ 1268 */
1224static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) 1269static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags)
1225{ 1270{
1226 char *csp = current->security; 1271 char *csp = current_security();
1227 struct socket_smack *ssp; 1272 struct socket_smack *ssp;
1228 1273
1229 ssp = kzalloc(sizeof(struct socket_smack), gfp_flags); 1274 ssp = kzalloc(sizeof(struct socket_smack), gfp_flags);
@@ -1448,7 +1493,7 @@ static int smack_flags_to_may(int flags)
1448 */ 1493 */
1449static int smack_msg_msg_alloc_security(struct msg_msg *msg) 1494static int smack_msg_msg_alloc_security(struct msg_msg *msg)
1450{ 1495{
1451 msg->security = current->security; 1496 msg->security = current_security();
1452 return 0; 1497 return 0;
1453} 1498}
1454 1499
@@ -1484,7 +1529,7 @@ static int smack_shm_alloc_security(struct shmid_kernel *shp)
1484{ 1529{
1485 struct kern_ipc_perm *isp = &shp->shm_perm; 1530 struct kern_ipc_perm *isp = &shp->shm_perm;
1486 1531
1487 isp->security = current->security; 1532 isp->security = current_security();
1488 return 0; 1533 return 0;
1489} 1534}
1490 1535
@@ -1593,7 +1638,7 @@ static int smack_sem_alloc_security(struct sem_array *sma)
1593{ 1638{
1594 struct kern_ipc_perm *isp = &sma->sem_perm; 1639 struct kern_ipc_perm *isp = &sma->sem_perm;
1595 1640
1596 isp->security = current->security; 1641 isp->security = current_security();
1597 return 0; 1642 return 0;
1598} 1643}
1599 1644
@@ -1697,7 +1742,7 @@ static int smack_msg_queue_alloc_security(struct msg_queue *msq)
1697{ 1742{
1698 struct kern_ipc_perm *kisp = &msq->q_perm; 1743 struct kern_ipc_perm *kisp = &msq->q_perm;
1699 1744
1700 kisp->security = current->security; 1745 kisp->security = current_security();
1701 return 0; 1746 return 0;
1702} 1747}
1703 1748
@@ -1852,7 +1897,7 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
1852 struct super_block *sbp; 1897 struct super_block *sbp;
1853 struct superblock_smack *sbsp; 1898 struct superblock_smack *sbsp;
1854 struct inode_smack *isp; 1899 struct inode_smack *isp;
1855 char *csp = current->security; 1900 char *csp = current_security();
1856 char *fetched; 1901 char *fetched;
1857 char *final; 1902 char *final;
1858 struct dentry *dp; 1903 struct dentry *dp;
@@ -2009,7 +2054,7 @@ static int smack_getprocattr(struct task_struct *p, char *name, char **value)
2009 if (strcmp(name, "current") != 0) 2054 if (strcmp(name, "current") != 0)
2010 return -EINVAL; 2055 return -EINVAL;
2011 2056
2012 cp = kstrdup(p->security, GFP_KERNEL); 2057 cp = kstrdup(task_security(p), GFP_KERNEL);
2013 if (cp == NULL) 2058 if (cp == NULL)
2014 return -ENOMEM; 2059 return -ENOMEM;
2015 2060
@@ -2033,6 +2078,7 @@ static int smack_getprocattr(struct task_struct *p, char *name, char **value)
2033static int smack_setprocattr(struct task_struct *p, char *name, 2078static int smack_setprocattr(struct task_struct *p, char *name,
2034 void *value, size_t size) 2079 void *value, size_t size)
2035{ 2080{
2081 struct cred *new;
2036 char *newsmack; 2082 char *newsmack;
2037 2083
2038 /* 2084 /*
@@ -2055,7 +2101,11 @@ static int smack_setprocattr(struct task_struct *p, char *name,
2055 if (newsmack == NULL) 2101 if (newsmack == NULL)
2056 return -EINVAL; 2102 return -EINVAL;
2057 2103
2058 p->security = newsmack; 2104 new = prepare_creds();
2105 if (!new)
2106 return -ENOMEM;
2107 new->security = newsmack;
2108 commit_creds(new);
2059 return size; 2109 return size;
2060} 2110}
2061 2111
@@ -2288,8 +2338,7 @@ static void smack_sock_graft(struct sock *sk, struct socket *parent)
2288 return; 2338 return;
2289 2339
2290 ssp = sk->sk_security; 2340 ssp = sk->sk_security;
2291 ssp->smk_in = current->security; 2341 ssp->smk_in = ssp->smk_out = current_security();
2292 ssp->smk_out = current->security;
2293 ssp->smk_packet[0] = '\0'; 2342 ssp->smk_packet[0] = '\0';
2294 2343
2295 rc = smack_netlabel(sk); 2344 rc = smack_netlabel(sk);
@@ -2352,17 +2401,17 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
2352/** 2401/**
2353 * smack_key_alloc - Set the key security blob 2402 * smack_key_alloc - Set the key security blob
2354 * @key: object 2403 * @key: object
2355 * @tsk: the task associated with the key 2404 * @cred: the credentials to use
2356 * @flags: unused 2405 * @flags: unused
2357 * 2406 *
2358 * No allocation required 2407 * No allocation required
2359 * 2408 *
2360 * Returns 0 2409 * Returns 0
2361 */ 2410 */
2362static int smack_key_alloc(struct key *key, struct task_struct *tsk, 2411static int smack_key_alloc(struct key *key, const struct cred *cred,
2363 unsigned long flags) 2412 unsigned long flags)
2364{ 2413{
2365 key->security = tsk->security; 2414 key->security = cred->security;
2366 return 0; 2415 return 0;
2367} 2416}
2368 2417
@@ -2380,14 +2429,14 @@ static void smack_key_free(struct key *key)
2380/* 2429/*
2381 * smack_key_permission - Smack access on a key 2430 * smack_key_permission - Smack access on a key
2382 * @key_ref: gets to the object 2431 * @key_ref: gets to the object
2383 * @context: task involved 2432 * @cred: the credentials to use
2384 * @perm: unused 2433 * @perm: unused
2385 * 2434 *
2386 * Return 0 if the task has read and write to the object, 2435 * Return 0 if the task has read and write to the object,
2387 * an error code otherwise 2436 * an error code otherwise
2388 */ 2437 */
2389static int smack_key_permission(key_ref_t key_ref, 2438static int smack_key_permission(key_ref_t key_ref,
2390 struct task_struct *context, key_perm_t perm) 2439 const struct cred *cred, key_perm_t perm)
2391{ 2440{
2392 struct key *keyp; 2441 struct key *keyp;
2393 2442
@@ -2403,10 +2452,10 @@ static int smack_key_permission(key_ref_t key_ref,
2403 /* 2452 /*
2404 * This should not occur 2453 * This should not occur
2405 */ 2454 */
2406 if (context->security == NULL) 2455 if (cred->security == NULL)
2407 return -EACCES; 2456 return -EACCES;
2408 2457
2409 return smk_access(context->security, keyp->security, MAY_READWRITE); 2458 return smk_access(cred->security, keyp->security, MAY_READWRITE);
2410} 2459}
2411#endif /* CONFIG_KEYS */ 2460#endif /* CONFIG_KEYS */
2412 2461
@@ -2577,15 +2626,13 @@ struct security_operations smack_ops = {
2577 .ptrace_may_access = smack_ptrace_may_access, 2626 .ptrace_may_access = smack_ptrace_may_access,
2578 .ptrace_traceme = smack_ptrace_traceme, 2627 .ptrace_traceme = smack_ptrace_traceme,
2579 .capget = cap_capget, 2628 .capget = cap_capget,
2580 .capset_check = cap_capset_check, 2629 .capset = cap_capset,
2581 .capset_set = cap_capset_set,
2582 .capable = cap_capable, 2630 .capable = cap_capable,
2583 .syslog = smack_syslog, 2631 .syslog = smack_syslog,
2584 .settime = cap_settime, 2632 .settime = cap_settime,
2585 .vm_enough_memory = cap_vm_enough_memory, 2633 .vm_enough_memory = cap_vm_enough_memory,
2586 2634
2587 .bprm_apply_creds = cap_bprm_apply_creds, 2635 .bprm_set_creds = cap_bprm_set_creds,
2588 .bprm_set_security = cap_bprm_set_security,
2589 .bprm_secureexec = cap_bprm_secureexec, 2636 .bprm_secureexec = cap_bprm_secureexec,
2590 2637
2591 .sb_alloc_security = smack_sb_alloc_security, 2638 .sb_alloc_security = smack_sb_alloc_security,
@@ -2627,9 +2674,12 @@ struct security_operations smack_ops = {
2627 .file_send_sigiotask = smack_file_send_sigiotask, 2674 .file_send_sigiotask = smack_file_send_sigiotask,
2628 .file_receive = smack_file_receive, 2675 .file_receive = smack_file_receive,
2629 2676
2630 .task_alloc_security = smack_task_alloc_security, 2677 .cred_free = smack_cred_free,
2631 .task_free_security = smack_task_free_security, 2678 .cred_prepare = smack_cred_prepare,
2632 .task_post_setuid = cap_task_post_setuid, 2679 .cred_commit = smack_cred_commit,
2680 .kernel_act_as = smack_kernel_act_as,
2681 .kernel_create_files_as = smack_kernel_create_files_as,
2682 .task_fix_setuid = cap_task_fix_setuid,
2633 .task_setpgid = smack_task_setpgid, 2683 .task_setpgid = smack_task_setpgid,
2634 .task_getpgid = smack_task_getpgid, 2684 .task_getpgid = smack_task_getpgid,
2635 .task_getsid = smack_task_getsid, 2685 .task_getsid = smack_task_getsid,
@@ -2642,7 +2692,6 @@ struct security_operations smack_ops = {
2642 .task_movememory = smack_task_movememory, 2692 .task_movememory = smack_task_movememory,
2643 .task_kill = smack_task_kill, 2693 .task_kill = smack_task_kill,
2644 .task_wait = smack_task_wait, 2694 .task_wait = smack_task_wait,
2645 .task_reparent_to_init = cap_task_reparent_to_init,
2646 .task_to_inode = smack_task_to_inode, 2695 .task_to_inode = smack_task_to_inode,
2647 .task_prctl = cap_task_prctl, 2696 .task_prctl = cap_task_prctl,
2648 2697
@@ -2718,6 +2767,8 @@ struct security_operations smack_ops = {
2718 */ 2767 */
2719static __init int smack_init(void) 2768static __init int smack_init(void)
2720{ 2769{
2770 struct cred *cred;
2771
2721 if (!security_module_enable(&smack_ops)) 2772 if (!security_module_enable(&smack_ops))
2722 return 0; 2773 return 0;
2723 2774
@@ -2726,7 +2777,8 @@ static __init int smack_init(void)
2726 /* 2777 /*
2727 * Set the security state for the initial task. 2778 * Set the security state for the initial task.
2728 */ 2779 */
2729 current->security = &smack_known_floor.smk_known; 2780 cred = (struct cred *) current->cred;
2781 cred->security = &smack_known_floor.smk_known;
2730 2782
2731 /* 2783 /*
2732 * Initialize locks 2784 * Initialize locks