diff options
author | David Howells <dhowells@redhat.com> | 2008-11-13 18:39:16 -0500 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2008-11-13 18:39:16 -0500 |
commit | b6dff3ec5e116e3af6f537d4caedcad6b9e5082a (patch) | |
tree | 9e76f972eb7ce9b84e0146c8e4126a3f86acb428 /security/smack/smack_lsm.c | |
parent | 15a2460ed0af7538ca8e6c610fe607a2cd9da142 (diff) |
CRED: Separate task security context from task_struct
Separate the task security context from task_struct. At this point, the
security data is temporarily embedded in the task_struct with two pointers
pointing to it.
Note that the Alpha arch is altered as it refers to (E)UID and (E)GID in
entry.S via asm-offsets.
With comment fixes Signed-off-by: Marc Dionne <marc.c.dionne@gmail.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/smack/smack_lsm.c')
-rw-r--r-- | security/smack/smack_lsm.c | 77 |
1 files changed, 40 insertions, 37 deletions
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 6e2dc0bab70d..791da238d049 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c | |||
@@ -102,7 +102,8 @@ static int smack_ptrace_may_access(struct task_struct *ctp, unsigned int mode) | |||
102 | if (rc != 0) | 102 | if (rc != 0) |
103 | return rc; | 103 | return rc; |
104 | 104 | ||
105 | rc = smk_access(current->security, ctp->security, MAY_READWRITE); | 105 | rc = smk_access(current->cred->security, ctp->cred->security, |
106 | MAY_READWRITE); | ||
106 | if (rc != 0 && capable(CAP_MAC_OVERRIDE)) | 107 | if (rc != 0 && capable(CAP_MAC_OVERRIDE)) |
107 | return 0; | 108 | return 0; |
108 | return rc; | 109 | return rc; |
@@ -124,7 +125,8 @@ static int smack_ptrace_traceme(struct task_struct *ptp) | |||
124 | if (rc != 0) | 125 | if (rc != 0) |
125 | return rc; | 126 | return rc; |
126 | 127 | ||
127 | rc = smk_access(ptp->security, current->security, MAY_READWRITE); | 128 | rc = smk_access(ptp->cred->security, current->cred->security, |
129 | MAY_READWRITE); | ||
128 | if (rc != 0 && has_capability(ptp, CAP_MAC_OVERRIDE)) | 130 | if (rc != 0 && has_capability(ptp, CAP_MAC_OVERRIDE)) |
129 | return 0; | 131 | return 0; |
130 | return rc; | 132 | return rc; |
@@ -141,7 +143,7 @@ static int smack_ptrace_traceme(struct task_struct *ptp) | |||
141 | static int smack_syslog(int type) | 143 | static int smack_syslog(int type) |
142 | { | 144 | { |
143 | int rc; | 145 | int rc; |
144 | char *sp = current->security; | 146 | char *sp = current->cred->security; |
145 | 147 | ||
146 | rc = cap_syslog(type); | 148 | rc = cap_syslog(type); |
147 | if (rc != 0) | 149 | if (rc != 0) |
@@ -373,7 +375,7 @@ static int smack_sb_umount(struct vfsmount *mnt, int flags) | |||
373 | */ | 375 | */ |
374 | static int smack_inode_alloc_security(struct inode *inode) | 376 | static int smack_inode_alloc_security(struct inode *inode) |
375 | { | 377 | { |
376 | inode->i_security = new_inode_smack(current->security); | 378 | inode->i_security = new_inode_smack(current->cred->security); |
377 | if (inode->i_security == NULL) | 379 | if (inode->i_security == NULL) |
378 | return -ENOMEM; | 380 | return -ENOMEM; |
379 | return 0; | 381 | return 0; |
@@ -818,7 +820,7 @@ static int smack_file_permission(struct file *file, int mask) | |||
818 | */ | 820 | */ |
819 | static int smack_file_alloc_security(struct file *file) | 821 | static int smack_file_alloc_security(struct file *file) |
820 | { | 822 | { |
821 | file->f_security = current->security; | 823 | file->f_security = current->cred->security; |
822 | return 0; | 824 | return 0; |
823 | } | 825 | } |
824 | 826 | ||
@@ -916,7 +918,7 @@ static int smack_file_fcntl(struct file *file, unsigned int cmd, | |||
916 | */ | 918 | */ |
917 | static int smack_file_set_fowner(struct file *file) | 919 | static int smack_file_set_fowner(struct file *file) |
918 | { | 920 | { |
919 | file->f_security = current->security; | 921 | file->f_security = current->cred->security; |
920 | return 0; | 922 | return 0; |
921 | } | 923 | } |
922 | 924 | ||
@@ -941,7 +943,7 @@ static int smack_file_send_sigiotask(struct task_struct *tsk, | |||
941 | * struct fown_struct is never outside the context of a struct file | 943 | * struct fown_struct is never outside the context of a struct file |
942 | */ | 944 | */ |
943 | file = container_of(fown, struct file, f_owner); | 945 | file = container_of(fown, struct file, f_owner); |
944 | rc = smk_access(file->f_security, tsk->security, MAY_WRITE); | 946 | rc = smk_access(file->f_security, tsk->cred->security, MAY_WRITE); |
945 | if (rc != 0 && has_capability(tsk, CAP_MAC_OVERRIDE)) | 947 | if (rc != 0 && has_capability(tsk, CAP_MAC_OVERRIDE)) |
946 | return 0; | 948 | return 0; |
947 | return rc; | 949 | return rc; |
@@ -984,7 +986,7 @@ static int smack_file_receive(struct file *file) | |||
984 | */ | 986 | */ |
985 | static int smack_task_alloc_security(struct task_struct *tsk) | 987 | static int smack_task_alloc_security(struct task_struct *tsk) |
986 | { | 988 | { |
987 | tsk->security = current->security; | 989 | tsk->cred->security = current->cred->security; |
988 | 990 | ||
989 | return 0; | 991 | return 0; |
990 | } | 992 | } |
@@ -999,7 +1001,7 @@ static int smack_task_alloc_security(struct task_struct *tsk) | |||
999 | */ | 1001 | */ |
1000 | static void smack_task_free_security(struct task_struct *task) | 1002 | static void smack_task_free_security(struct task_struct *task) |
1001 | { | 1003 | { |
1002 | task->security = NULL; | 1004 | task->cred->security = NULL; |
1003 | } | 1005 | } |
1004 | 1006 | ||
1005 | /** | 1007 | /** |
@@ -1011,7 +1013,7 @@ static void smack_task_free_security(struct task_struct *task) | |||
1011 | */ | 1013 | */ |
1012 | static int smack_task_setpgid(struct task_struct *p, pid_t pgid) | 1014 | static int smack_task_setpgid(struct task_struct *p, pid_t pgid) |
1013 | { | 1015 | { |
1014 | return smk_curacc(p->security, MAY_WRITE); | 1016 | return smk_curacc(p->cred->security, MAY_WRITE); |
1015 | } | 1017 | } |
1016 | 1018 | ||
1017 | /** | 1019 | /** |
@@ -1022,7 +1024,7 @@ static int smack_task_setpgid(struct task_struct *p, pid_t pgid) | |||
1022 | */ | 1024 | */ |
1023 | static int smack_task_getpgid(struct task_struct *p) | 1025 | static int smack_task_getpgid(struct task_struct *p) |
1024 | { | 1026 | { |
1025 | return smk_curacc(p->security, MAY_READ); | 1027 | return smk_curacc(p->cred->security, MAY_READ); |
1026 | } | 1028 | } |
1027 | 1029 | ||
1028 | /** | 1030 | /** |
@@ -1033,7 +1035,7 @@ static int smack_task_getpgid(struct task_struct *p) | |||
1033 | */ | 1035 | */ |
1034 | static int smack_task_getsid(struct task_struct *p) | 1036 | static int smack_task_getsid(struct task_struct *p) |
1035 | { | 1037 | { |
1036 | return smk_curacc(p->security, MAY_READ); | 1038 | return smk_curacc(p->cred->security, MAY_READ); |
1037 | } | 1039 | } |
1038 | 1040 | ||
1039 | /** | 1041 | /** |
@@ -1045,7 +1047,7 @@ static int smack_task_getsid(struct task_struct *p) | |||
1045 | */ | 1047 | */ |
1046 | static void smack_task_getsecid(struct task_struct *p, u32 *secid) | 1048 | static void smack_task_getsecid(struct task_struct *p, u32 *secid) |
1047 | { | 1049 | { |
1048 | *secid = smack_to_secid(p->security); | 1050 | *secid = smack_to_secid(p->cred->security); |
1049 | } | 1051 | } |
1050 | 1052 | ||
1051 | /** | 1053 | /** |
@@ -1061,7 +1063,7 @@ static int smack_task_setnice(struct task_struct *p, int nice) | |||
1061 | 1063 | ||
1062 | rc = cap_task_setnice(p, nice); | 1064 | rc = cap_task_setnice(p, nice); |
1063 | if (rc == 0) | 1065 | if (rc == 0) |
1064 | rc = smk_curacc(p->security, MAY_WRITE); | 1066 | rc = smk_curacc(p->cred->security, MAY_WRITE); |
1065 | return rc; | 1067 | return rc; |
1066 | } | 1068 | } |
1067 | 1069 | ||
@@ -1078,7 +1080,7 @@ static int smack_task_setioprio(struct task_struct *p, int ioprio) | |||
1078 | 1080 | ||
1079 | rc = cap_task_setioprio(p, ioprio); | 1081 | rc = cap_task_setioprio(p, ioprio); |
1080 | if (rc == 0) | 1082 | if (rc == 0) |
1081 | rc = smk_curacc(p->security, MAY_WRITE); | 1083 | rc = smk_curacc(p->cred->security, MAY_WRITE); |
1082 | return rc; | 1084 | return rc; |
1083 | } | 1085 | } |
1084 | 1086 | ||
@@ -1090,7 +1092,7 @@ static int smack_task_setioprio(struct task_struct *p, int ioprio) | |||
1090 | */ | 1092 | */ |
1091 | static int smack_task_getioprio(struct task_struct *p) | 1093 | static int smack_task_getioprio(struct task_struct *p) |
1092 | { | 1094 | { |
1093 | return smk_curacc(p->security, MAY_READ); | 1095 | return smk_curacc(p->cred->security, MAY_READ); |
1094 | } | 1096 | } |
1095 | 1097 | ||
1096 | /** | 1098 | /** |
@@ -1108,7 +1110,7 @@ static int smack_task_setscheduler(struct task_struct *p, int policy, | |||
1108 | 1110 | ||
1109 | rc = cap_task_setscheduler(p, policy, lp); | 1111 | rc = cap_task_setscheduler(p, policy, lp); |
1110 | if (rc == 0) | 1112 | if (rc == 0) |
1111 | rc = smk_curacc(p->security, MAY_WRITE); | 1113 | rc = smk_curacc(p->cred->security, MAY_WRITE); |
1112 | return rc; | 1114 | return rc; |
1113 | } | 1115 | } |
1114 | 1116 | ||
@@ -1120,7 +1122,7 @@ static int smack_task_setscheduler(struct task_struct *p, int policy, | |||
1120 | */ | 1122 | */ |
1121 | static int smack_task_getscheduler(struct task_struct *p) | 1123 | static int smack_task_getscheduler(struct task_struct *p) |
1122 | { | 1124 | { |
1123 | return smk_curacc(p->security, MAY_READ); | 1125 | return smk_curacc(p->cred->security, MAY_READ); |
1124 | } | 1126 | } |
1125 | 1127 | ||
1126 | /** | 1128 | /** |
@@ -1131,7 +1133,7 @@ static int smack_task_getscheduler(struct task_struct *p) | |||
1131 | */ | 1133 | */ |
1132 | static int smack_task_movememory(struct task_struct *p) | 1134 | static int smack_task_movememory(struct task_struct *p) |
1133 | { | 1135 | { |
1134 | return smk_curacc(p->security, MAY_WRITE); | 1136 | return smk_curacc(p->cred->security, MAY_WRITE); |
1135 | } | 1137 | } |
1136 | 1138 | ||
1137 | /** | 1139 | /** |
@@ -1154,13 +1156,13 @@ static int smack_task_kill(struct task_struct *p, struct siginfo *info, | |||
1154 | * can write the receiver. | 1156 | * can write the receiver. |
1155 | */ | 1157 | */ |
1156 | if (secid == 0) | 1158 | if (secid == 0) |
1157 | return smk_curacc(p->security, MAY_WRITE); | 1159 | return smk_curacc(p->cred->security, MAY_WRITE); |
1158 | /* | 1160 | /* |
1159 | * If the secid isn't 0 we're dealing with some USB IO | 1161 | * If the secid isn't 0 we're dealing with some USB IO |
1160 | * specific behavior. This is not clean. For one thing | 1162 | * specific behavior. This is not clean. For one thing |
1161 | * we can't take privilege into account. | 1163 | * we can't take privilege into account. |
1162 | */ | 1164 | */ |
1163 | return smk_access(smack_from_secid(secid), p->security, MAY_WRITE); | 1165 | return smk_access(smack_from_secid(secid), p->cred->security, MAY_WRITE); |
1164 | } | 1166 | } |
1165 | 1167 | ||
1166 | /** | 1168 | /** |
@@ -1173,7 +1175,7 @@ static int smack_task_wait(struct task_struct *p) | |||
1173 | { | 1175 | { |
1174 | int rc; | 1176 | int rc; |
1175 | 1177 | ||
1176 | rc = smk_access(current->security, p->security, MAY_WRITE); | 1178 | rc = smk_access(current->cred->security, p->cred->security, MAY_WRITE); |
1177 | if (rc == 0) | 1179 | if (rc == 0) |
1178 | return 0; | 1180 | return 0; |
1179 | 1181 | ||
@@ -1204,7 +1206,7 @@ static int smack_task_wait(struct task_struct *p) | |||
1204 | static void smack_task_to_inode(struct task_struct *p, struct inode *inode) | 1206 | static void smack_task_to_inode(struct task_struct *p, struct inode *inode) |
1205 | { | 1207 | { |
1206 | struct inode_smack *isp = inode->i_security; | 1208 | struct inode_smack *isp = inode->i_security; |
1207 | isp->smk_inode = p->security; | 1209 | isp->smk_inode = p->cred->security; |
1208 | } | 1210 | } |
1209 | 1211 | ||
1210 | /* | 1212 | /* |
@@ -1223,7 +1225,7 @@ static void smack_task_to_inode(struct task_struct *p, struct inode *inode) | |||
1223 | */ | 1225 | */ |
1224 | static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) | 1226 | static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) |
1225 | { | 1227 | { |
1226 | char *csp = current->security; | 1228 | char *csp = current->cred->security; |
1227 | struct socket_smack *ssp; | 1229 | struct socket_smack *ssp; |
1228 | 1230 | ||
1229 | ssp = kzalloc(sizeof(struct socket_smack), gfp_flags); | 1231 | ssp = kzalloc(sizeof(struct socket_smack), gfp_flags); |
@@ -1448,7 +1450,7 @@ static int smack_flags_to_may(int flags) | |||
1448 | */ | 1450 | */ |
1449 | static int smack_msg_msg_alloc_security(struct msg_msg *msg) | 1451 | static int smack_msg_msg_alloc_security(struct msg_msg *msg) |
1450 | { | 1452 | { |
1451 | msg->security = current->security; | 1453 | msg->security = current->cred->security; |
1452 | return 0; | 1454 | return 0; |
1453 | } | 1455 | } |
1454 | 1456 | ||
@@ -1484,7 +1486,7 @@ static int smack_shm_alloc_security(struct shmid_kernel *shp) | |||
1484 | { | 1486 | { |
1485 | struct kern_ipc_perm *isp = &shp->shm_perm; | 1487 | struct kern_ipc_perm *isp = &shp->shm_perm; |
1486 | 1488 | ||
1487 | isp->security = current->security; | 1489 | isp->security = current->cred->security; |
1488 | return 0; | 1490 | return 0; |
1489 | } | 1491 | } |
1490 | 1492 | ||
@@ -1593,7 +1595,7 @@ static int smack_sem_alloc_security(struct sem_array *sma) | |||
1593 | { | 1595 | { |
1594 | struct kern_ipc_perm *isp = &sma->sem_perm; | 1596 | struct kern_ipc_perm *isp = &sma->sem_perm; |
1595 | 1597 | ||
1596 | isp->security = current->security; | 1598 | isp->security = current->cred->security; |
1597 | return 0; | 1599 | return 0; |
1598 | } | 1600 | } |
1599 | 1601 | ||
@@ -1697,7 +1699,7 @@ static int smack_msg_queue_alloc_security(struct msg_queue *msq) | |||
1697 | { | 1699 | { |
1698 | struct kern_ipc_perm *kisp = &msq->q_perm; | 1700 | struct kern_ipc_perm *kisp = &msq->q_perm; |
1699 | 1701 | ||
1700 | kisp->security = current->security; | 1702 | kisp->security = current->cred->security; |
1701 | return 0; | 1703 | return 0; |
1702 | } | 1704 | } |
1703 | 1705 | ||
@@ -1852,7 +1854,7 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode) | |||
1852 | struct super_block *sbp; | 1854 | struct super_block *sbp; |
1853 | struct superblock_smack *sbsp; | 1855 | struct superblock_smack *sbsp; |
1854 | struct inode_smack *isp; | 1856 | struct inode_smack *isp; |
1855 | char *csp = current->security; | 1857 | char *csp = current->cred->security; |
1856 | char *fetched; | 1858 | char *fetched; |
1857 | char *final; | 1859 | char *final; |
1858 | struct dentry *dp; | 1860 | struct dentry *dp; |
@@ -2009,7 +2011,7 @@ static int smack_getprocattr(struct task_struct *p, char *name, char **value) | |||
2009 | if (strcmp(name, "current") != 0) | 2011 | if (strcmp(name, "current") != 0) |
2010 | return -EINVAL; | 2012 | return -EINVAL; |
2011 | 2013 | ||
2012 | cp = kstrdup(p->security, GFP_KERNEL); | 2014 | cp = kstrdup(p->cred->security, GFP_KERNEL); |
2013 | if (cp == NULL) | 2015 | if (cp == NULL) |
2014 | return -ENOMEM; | 2016 | return -ENOMEM; |
2015 | 2017 | ||
@@ -2055,7 +2057,7 @@ static int smack_setprocattr(struct task_struct *p, char *name, | |||
2055 | if (newsmack == NULL) | 2057 | if (newsmack == NULL) |
2056 | return -EINVAL; | 2058 | return -EINVAL; |
2057 | 2059 | ||
2058 | p->security = newsmack; | 2060 | p->cred->security = newsmack; |
2059 | return size; | 2061 | return size; |
2060 | } | 2062 | } |
2061 | 2063 | ||
@@ -2288,8 +2290,8 @@ static void smack_sock_graft(struct sock *sk, struct socket *parent) | |||
2288 | return; | 2290 | return; |
2289 | 2291 | ||
2290 | ssp = sk->sk_security; | 2292 | ssp = sk->sk_security; |
2291 | ssp->smk_in = current->security; | 2293 | ssp->smk_in = current->cred->security; |
2292 | ssp->smk_out = current->security; | 2294 | ssp->smk_out = current->cred->security; |
2293 | ssp->smk_packet[0] = '\0'; | 2295 | ssp->smk_packet[0] = '\0'; |
2294 | 2296 | ||
2295 | rc = smack_netlabel(sk); | 2297 | rc = smack_netlabel(sk); |
@@ -2362,7 +2364,7 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb, | |||
2362 | static int smack_key_alloc(struct key *key, struct task_struct *tsk, | 2364 | static int smack_key_alloc(struct key *key, struct task_struct *tsk, |
2363 | unsigned long flags) | 2365 | unsigned long flags) |
2364 | { | 2366 | { |
2365 | key->security = tsk->security; | 2367 | key->security = tsk->cred->security; |
2366 | return 0; | 2368 | return 0; |
2367 | } | 2369 | } |
2368 | 2370 | ||
@@ -2403,10 +2405,11 @@ static int smack_key_permission(key_ref_t key_ref, | |||
2403 | /* | 2405 | /* |
2404 | * This should not occur | 2406 | * This should not occur |
2405 | */ | 2407 | */ |
2406 | if (context->security == NULL) | 2408 | if (context->cred->security == NULL) |
2407 | return -EACCES; | 2409 | return -EACCES; |
2408 | 2410 | ||
2409 | return smk_access(context->security, keyp->security, MAY_READWRITE); | 2411 | return smk_access(context->cred->security, keyp->security, |
2412 | MAY_READWRITE); | ||
2410 | } | 2413 | } |
2411 | #endif /* CONFIG_KEYS */ | 2414 | #endif /* CONFIG_KEYS */ |
2412 | 2415 | ||
@@ -2726,7 +2729,7 @@ static __init int smack_init(void) | |||
2726 | /* | 2729 | /* |
2727 | * Set the security state for the initial task. | 2730 | * Set the security state for the initial task. |
2728 | */ | 2731 | */ |
2729 | current->security = &smack_known_floor.smk_known; | 2732 | current->cred->security = &smack_known_floor.smk_known; |
2730 | 2733 | ||
2731 | /* | 2734 | /* |
2732 | * Initialize locks | 2735 | * Initialize locks |