aboutsummaryrefslogtreecommitdiffstats
path: root/security/smack/smack_lsm.c
diff options
context:
space:
mode:
authorDavid Howells <dhowells@redhat.com>2008-11-13 18:39:16 -0500
committerJames Morris <jmorris@namei.org>2008-11-13 18:39:16 -0500
commitb6dff3ec5e116e3af6f537d4caedcad6b9e5082a (patch)
tree9e76f972eb7ce9b84e0146c8e4126a3f86acb428 /security/smack/smack_lsm.c
parent15a2460ed0af7538ca8e6c610fe607a2cd9da142 (diff)
CRED: Separate task security context from task_struct
Separate the task security context from task_struct. At this point, the security data is temporarily embedded in the task_struct with two pointers pointing to it. Note that the Alpha arch is altered as it refers to (E)UID and (E)GID in entry.S via asm-offsets. With comment fixes Signed-off-by: Marc Dionne <marc.c.dionne@gmail.com> Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: James Morris <jmorris@namei.org> Acked-by: Serge Hallyn <serue@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/smack/smack_lsm.c')
-rw-r--r--security/smack/smack_lsm.c77
1 files changed, 40 insertions, 37 deletions
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 6e2dc0bab70d..791da238d049 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -102,7 +102,8 @@ static int smack_ptrace_may_access(struct task_struct *ctp, unsigned int mode)
102 if (rc != 0) 102 if (rc != 0)
103 return rc; 103 return rc;
104 104
105 rc = smk_access(current->security, ctp->security, MAY_READWRITE); 105 rc = smk_access(current->cred->security, ctp->cred->security,
106 MAY_READWRITE);
106 if (rc != 0 && capable(CAP_MAC_OVERRIDE)) 107 if (rc != 0 && capable(CAP_MAC_OVERRIDE))
107 return 0; 108 return 0;
108 return rc; 109 return rc;
@@ -124,7 +125,8 @@ static int smack_ptrace_traceme(struct task_struct *ptp)
124 if (rc != 0) 125 if (rc != 0)
125 return rc; 126 return rc;
126 127
127 rc = smk_access(ptp->security, current->security, MAY_READWRITE); 128 rc = smk_access(ptp->cred->security, current->cred->security,
129 MAY_READWRITE);
128 if (rc != 0 && has_capability(ptp, CAP_MAC_OVERRIDE)) 130 if (rc != 0 && has_capability(ptp, CAP_MAC_OVERRIDE))
129 return 0; 131 return 0;
130 return rc; 132 return rc;
@@ -141,7 +143,7 @@ static int smack_ptrace_traceme(struct task_struct *ptp)
141static int smack_syslog(int type) 143static int smack_syslog(int type)
142{ 144{
143 int rc; 145 int rc;
144 char *sp = current->security; 146 char *sp = current->cred->security;
145 147
146 rc = cap_syslog(type); 148 rc = cap_syslog(type);
147 if (rc != 0) 149 if (rc != 0)
@@ -373,7 +375,7 @@ static int smack_sb_umount(struct vfsmount *mnt, int flags)
373 */ 375 */
374static int smack_inode_alloc_security(struct inode *inode) 376static int smack_inode_alloc_security(struct inode *inode)
375{ 377{
376 inode->i_security = new_inode_smack(current->security); 378 inode->i_security = new_inode_smack(current->cred->security);
377 if (inode->i_security == NULL) 379 if (inode->i_security == NULL)
378 return -ENOMEM; 380 return -ENOMEM;
379 return 0; 381 return 0;
@@ -818,7 +820,7 @@ static int smack_file_permission(struct file *file, int mask)
818 */ 820 */
819static int smack_file_alloc_security(struct file *file) 821static int smack_file_alloc_security(struct file *file)
820{ 822{
821 file->f_security = current->security; 823 file->f_security = current->cred->security;
822 return 0; 824 return 0;
823} 825}
824 826
@@ -916,7 +918,7 @@ static int smack_file_fcntl(struct file *file, unsigned int cmd,
916 */ 918 */
917static int smack_file_set_fowner(struct file *file) 919static int smack_file_set_fowner(struct file *file)
918{ 920{
919 file->f_security = current->security; 921 file->f_security = current->cred->security;
920 return 0; 922 return 0;
921} 923}
922 924
@@ -941,7 +943,7 @@ static int smack_file_send_sigiotask(struct task_struct *tsk,
941 * struct fown_struct is never outside the context of a struct file 943 * struct fown_struct is never outside the context of a struct file
942 */ 944 */
943 file = container_of(fown, struct file, f_owner); 945 file = container_of(fown, struct file, f_owner);
944 rc = smk_access(file->f_security, tsk->security, MAY_WRITE); 946 rc = smk_access(file->f_security, tsk->cred->security, MAY_WRITE);
945 if (rc != 0 && has_capability(tsk, CAP_MAC_OVERRIDE)) 947 if (rc != 0 && has_capability(tsk, CAP_MAC_OVERRIDE))
946 return 0; 948 return 0;
947 return rc; 949 return rc;
@@ -984,7 +986,7 @@ static int smack_file_receive(struct file *file)
984 */ 986 */
985static int smack_task_alloc_security(struct task_struct *tsk) 987static int smack_task_alloc_security(struct task_struct *tsk)
986{ 988{
987 tsk->security = current->security; 989 tsk->cred->security = current->cred->security;
988 990
989 return 0; 991 return 0;
990} 992}
@@ -999,7 +1001,7 @@ static int smack_task_alloc_security(struct task_struct *tsk)
999 */ 1001 */
1000static void smack_task_free_security(struct task_struct *task) 1002static void smack_task_free_security(struct task_struct *task)
1001{ 1003{
1002 task->security = NULL; 1004 task->cred->security = NULL;
1003} 1005}
1004 1006
1005/** 1007/**
@@ -1011,7 +1013,7 @@ static void smack_task_free_security(struct task_struct *task)
1011 */ 1013 */
1012static int smack_task_setpgid(struct task_struct *p, pid_t pgid) 1014static int smack_task_setpgid(struct task_struct *p, pid_t pgid)
1013{ 1015{
1014 return smk_curacc(p->security, MAY_WRITE); 1016 return smk_curacc(p->cred->security, MAY_WRITE);
1015} 1017}
1016 1018
1017/** 1019/**
@@ -1022,7 +1024,7 @@ static int smack_task_setpgid(struct task_struct *p, pid_t pgid)
1022 */ 1024 */
1023static int smack_task_getpgid(struct task_struct *p) 1025static int smack_task_getpgid(struct task_struct *p)
1024{ 1026{
1025 return smk_curacc(p->security, MAY_READ); 1027 return smk_curacc(p->cred->security, MAY_READ);
1026} 1028}
1027 1029
1028/** 1030/**
@@ -1033,7 +1035,7 @@ static int smack_task_getpgid(struct task_struct *p)
1033 */ 1035 */
1034static int smack_task_getsid(struct task_struct *p) 1036static int smack_task_getsid(struct task_struct *p)
1035{ 1037{
1036 return smk_curacc(p->security, MAY_READ); 1038 return smk_curacc(p->cred->security, MAY_READ);
1037} 1039}
1038 1040
1039/** 1041/**
@@ -1045,7 +1047,7 @@ static int smack_task_getsid(struct task_struct *p)
1045 */ 1047 */
1046static void smack_task_getsecid(struct task_struct *p, u32 *secid) 1048static void smack_task_getsecid(struct task_struct *p, u32 *secid)
1047{ 1049{
1048 *secid = smack_to_secid(p->security); 1050 *secid = smack_to_secid(p->cred->security);
1049} 1051}
1050 1052
1051/** 1053/**
@@ -1061,7 +1063,7 @@ static int smack_task_setnice(struct task_struct *p, int nice)
1061 1063
1062 rc = cap_task_setnice(p, nice); 1064 rc = cap_task_setnice(p, nice);
1063 if (rc == 0) 1065 if (rc == 0)
1064 rc = smk_curacc(p->security, MAY_WRITE); 1066 rc = smk_curacc(p->cred->security, MAY_WRITE);
1065 return rc; 1067 return rc;
1066} 1068}
1067 1069
@@ -1078,7 +1080,7 @@ static int smack_task_setioprio(struct task_struct *p, int ioprio)
1078 1080
1079 rc = cap_task_setioprio(p, ioprio); 1081 rc = cap_task_setioprio(p, ioprio);
1080 if (rc == 0) 1082 if (rc == 0)
1081 rc = smk_curacc(p->security, MAY_WRITE); 1083 rc = smk_curacc(p->cred->security, MAY_WRITE);
1082 return rc; 1084 return rc;
1083} 1085}
1084 1086
@@ -1090,7 +1092,7 @@ static int smack_task_setioprio(struct task_struct *p, int ioprio)
1090 */ 1092 */
1091static int smack_task_getioprio(struct task_struct *p) 1093static int smack_task_getioprio(struct task_struct *p)
1092{ 1094{
1093 return smk_curacc(p->security, MAY_READ); 1095 return smk_curacc(p->cred->security, MAY_READ);
1094} 1096}
1095 1097
1096/** 1098/**
@@ -1108,7 +1110,7 @@ static int smack_task_setscheduler(struct task_struct *p, int policy,
1108 1110
1109 rc = cap_task_setscheduler(p, policy, lp); 1111 rc = cap_task_setscheduler(p, policy, lp);
1110 if (rc == 0) 1112 if (rc == 0)
1111 rc = smk_curacc(p->security, MAY_WRITE); 1113 rc = smk_curacc(p->cred->security, MAY_WRITE);
1112 return rc; 1114 return rc;
1113} 1115}
1114 1116
@@ -1120,7 +1122,7 @@ static int smack_task_setscheduler(struct task_struct *p, int policy,
1120 */ 1122 */
1121static int smack_task_getscheduler(struct task_struct *p) 1123static int smack_task_getscheduler(struct task_struct *p)
1122{ 1124{
1123 return smk_curacc(p->security, MAY_READ); 1125 return smk_curacc(p->cred->security, MAY_READ);
1124} 1126}
1125 1127
1126/** 1128/**
@@ -1131,7 +1133,7 @@ static int smack_task_getscheduler(struct task_struct *p)
1131 */ 1133 */
1132static int smack_task_movememory(struct task_struct *p) 1134static int smack_task_movememory(struct task_struct *p)
1133{ 1135{
1134 return smk_curacc(p->security, MAY_WRITE); 1136 return smk_curacc(p->cred->security, MAY_WRITE);
1135} 1137}
1136 1138
1137/** 1139/**
@@ -1154,13 +1156,13 @@ static int smack_task_kill(struct task_struct *p, struct siginfo *info,
1154 * can write the receiver. 1156 * can write the receiver.
1155 */ 1157 */
1156 if (secid == 0) 1158 if (secid == 0)
1157 return smk_curacc(p->security, MAY_WRITE); 1159 return smk_curacc(p->cred->security, MAY_WRITE);
1158 /* 1160 /*
1159 * If the secid isn't 0 we're dealing with some USB IO 1161 * If the secid isn't 0 we're dealing with some USB IO
1160 * specific behavior. This is not clean. For one thing 1162 * specific behavior. This is not clean. For one thing
1161 * we can't take privilege into account. 1163 * we can't take privilege into account.
1162 */ 1164 */
1163 return smk_access(smack_from_secid(secid), p->security, MAY_WRITE); 1165 return smk_access(smack_from_secid(secid), p->cred->security, MAY_WRITE);
1164} 1166}
1165 1167
1166/** 1168/**
@@ -1173,7 +1175,7 @@ static int smack_task_wait(struct task_struct *p)
1173{ 1175{
1174 int rc; 1176 int rc;
1175 1177
1176 rc = smk_access(current->security, p->security, MAY_WRITE); 1178 rc = smk_access(current->cred->security, p->cred->security, MAY_WRITE);
1177 if (rc == 0) 1179 if (rc == 0)
1178 return 0; 1180 return 0;
1179 1181
@@ -1204,7 +1206,7 @@ static int smack_task_wait(struct task_struct *p)
1204static void smack_task_to_inode(struct task_struct *p, struct inode *inode) 1206static void smack_task_to_inode(struct task_struct *p, struct inode *inode)
1205{ 1207{
1206 struct inode_smack *isp = inode->i_security; 1208 struct inode_smack *isp = inode->i_security;
1207 isp->smk_inode = p->security; 1209 isp->smk_inode = p->cred->security;
1208} 1210}
1209 1211
1210/* 1212/*
@@ -1223,7 +1225,7 @@ static void smack_task_to_inode(struct task_struct *p, struct inode *inode)
1223 */ 1225 */
1224static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) 1226static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags)
1225{ 1227{
1226 char *csp = current->security; 1228 char *csp = current->cred->security;
1227 struct socket_smack *ssp; 1229 struct socket_smack *ssp;
1228 1230
1229 ssp = kzalloc(sizeof(struct socket_smack), gfp_flags); 1231 ssp = kzalloc(sizeof(struct socket_smack), gfp_flags);
@@ -1448,7 +1450,7 @@ static int smack_flags_to_may(int flags)
1448 */ 1450 */
1449static int smack_msg_msg_alloc_security(struct msg_msg *msg) 1451static int smack_msg_msg_alloc_security(struct msg_msg *msg)
1450{ 1452{
1451 msg->security = current->security; 1453 msg->security = current->cred->security;
1452 return 0; 1454 return 0;
1453} 1455}
1454 1456
@@ -1484,7 +1486,7 @@ static int smack_shm_alloc_security(struct shmid_kernel *shp)
1484{ 1486{
1485 struct kern_ipc_perm *isp = &shp->shm_perm; 1487 struct kern_ipc_perm *isp = &shp->shm_perm;
1486 1488
1487 isp->security = current->security; 1489 isp->security = current->cred->security;
1488 return 0; 1490 return 0;
1489} 1491}
1490 1492
@@ -1593,7 +1595,7 @@ static int smack_sem_alloc_security(struct sem_array *sma)
1593{ 1595{
1594 struct kern_ipc_perm *isp = &sma->sem_perm; 1596 struct kern_ipc_perm *isp = &sma->sem_perm;
1595 1597
1596 isp->security = current->security; 1598 isp->security = current->cred->security;
1597 return 0; 1599 return 0;
1598} 1600}
1599 1601
@@ -1697,7 +1699,7 @@ static int smack_msg_queue_alloc_security(struct msg_queue *msq)
1697{ 1699{
1698 struct kern_ipc_perm *kisp = &msq->q_perm; 1700 struct kern_ipc_perm *kisp = &msq->q_perm;
1699 1701
1700 kisp->security = current->security; 1702 kisp->security = current->cred->security;
1701 return 0; 1703 return 0;
1702} 1704}
1703 1705
@@ -1852,7 +1854,7 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
1852 struct super_block *sbp; 1854 struct super_block *sbp;
1853 struct superblock_smack *sbsp; 1855 struct superblock_smack *sbsp;
1854 struct inode_smack *isp; 1856 struct inode_smack *isp;
1855 char *csp = current->security; 1857 char *csp = current->cred->security;
1856 char *fetched; 1858 char *fetched;
1857 char *final; 1859 char *final;
1858 struct dentry *dp; 1860 struct dentry *dp;
@@ -2009,7 +2011,7 @@ static int smack_getprocattr(struct task_struct *p, char *name, char **value)
2009 if (strcmp(name, "current") != 0) 2011 if (strcmp(name, "current") != 0)
2010 return -EINVAL; 2012 return -EINVAL;
2011 2013
2012 cp = kstrdup(p->security, GFP_KERNEL); 2014 cp = kstrdup(p->cred->security, GFP_KERNEL);
2013 if (cp == NULL) 2015 if (cp == NULL)
2014 return -ENOMEM; 2016 return -ENOMEM;
2015 2017
@@ -2055,7 +2057,7 @@ static int smack_setprocattr(struct task_struct *p, char *name,
2055 if (newsmack == NULL) 2057 if (newsmack == NULL)
2056 return -EINVAL; 2058 return -EINVAL;
2057 2059
2058 p->security = newsmack; 2060 p->cred->security = newsmack;
2059 return size; 2061 return size;
2060} 2062}
2061 2063
@@ -2288,8 +2290,8 @@ static void smack_sock_graft(struct sock *sk, struct socket *parent)
2288 return; 2290 return;
2289 2291
2290 ssp = sk->sk_security; 2292 ssp = sk->sk_security;
2291 ssp->smk_in = current->security; 2293 ssp->smk_in = current->cred->security;
2292 ssp->smk_out = current->security; 2294 ssp->smk_out = current->cred->security;
2293 ssp->smk_packet[0] = '\0'; 2295 ssp->smk_packet[0] = '\0';
2294 2296
2295 rc = smack_netlabel(sk); 2297 rc = smack_netlabel(sk);
@@ -2362,7 +2364,7 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
2362static int smack_key_alloc(struct key *key, struct task_struct *tsk, 2364static int smack_key_alloc(struct key *key, struct task_struct *tsk,
2363 unsigned long flags) 2365 unsigned long flags)
2364{ 2366{
2365 key->security = tsk->security; 2367 key->security = tsk->cred->security;
2366 return 0; 2368 return 0;
2367} 2369}
2368 2370
@@ -2403,10 +2405,11 @@ static int smack_key_permission(key_ref_t key_ref,
2403 /* 2405 /*
2404 * This should not occur 2406 * This should not occur
2405 */ 2407 */
2406 if (context->security == NULL) 2408 if (context->cred->security == NULL)
2407 return -EACCES; 2409 return -EACCES;
2408 2410
2409 return smk_access(context->security, keyp->security, MAY_READWRITE); 2411 return smk_access(context->cred->security, keyp->security,
2412 MAY_READWRITE);
2410} 2413}
2411#endif /* CONFIG_KEYS */ 2414#endif /* CONFIG_KEYS */
2412 2415
@@ -2726,7 +2729,7 @@ static __init int smack_init(void)
2726 /* 2729 /*
2727 * Set the security state for the initial task. 2730 * Set the security state for the initial task.
2728 */ 2731 */
2729 current->security = &smack_known_floor.smk_known; 2732 current->cred->security = &smack_known_floor.smk_known;
2730 2733
2731 /* 2734 /*
2732 * Initialize locks 2735 * Initialize locks