1 files changed, 82 insertions, 96 deletions
diff --git a/include/linux/security.h b/include/linux/security.h
index 7e9fe046a0d1..68be11251447 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -53,24 +53,21 @@ extern int cap_settime(struct timespec *ts, struct timezone *tz);
 extern int cap_ptrace_may_access(struct task_struct *child, unsigned int mode);
 extern int cap_ptrace_traceme(struct task_struct *parent);
 extern int cap_capget(struct task_struct *target, kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted);
-extern int cap_capset_check(const kernel_cap_t *effective,
+extern int cap_capset(struct cred *new, const struct cred *old,
-                            const kernel_cap_t *inheritable,
+                      const kernel_cap_t *effective,
-                            const kernel_cap_t *permitted);
+                      const kernel_cap_t *inheritable,
-extern void cap_capset_set(const kernel_cap_t *effective,
+                      const kernel_cap_t *permitted);
-                           const kernel_cap_t *inheritable,
-                           const kernel_cap_t *permitted);
 extern int cap_bprm_set_security(struct linux_binprm *bprm);
-extern void cap_bprm_apply_creds(struct linux_binprm *bprm, int unsafe);
+extern int cap_bprm_apply_creds(struct linux_binprm *bprm, int unsafe);
 extern int cap_bprm_secureexec(struct linux_binprm *bprm);
 extern int cap_inode_setxattr(struct dentry *dentry, const char *name,
                              const void *value, size_t size, int flags);
 extern int cap_inode_removexattr(struct dentry *dentry, const char *name);
 extern int cap_inode_need_killpriv(struct dentry *dentry);
 extern int cap_inode_killpriv(struct dentry *dentry);
-extern int cap_task_post_setuid(uid_t old_ruid, uid_t old_euid, uid_t old_suid, int flags);
+extern int cap_task_fix_setuid(struct cred *new, const struct cred *old, int flags);
-extern void cap_task_reparent_to_init(struct task_struct *p);
 extern int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
-                          unsigned long arg4, unsigned long arg5, long *rc_p);
+                          unsigned long arg4, unsigned long arg5);
 extern int cap_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp);
 extern int cap_task_setioprio(struct task_struct *p, int ioprio);
 extern int cap_task_setnice(struct task_struct *p, int nice);
@@ -170,8 +167,8 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 *      Compute and set the security attributes of a process being transformed
 *      by an execve operation based on the old attributes (current->security)
 *      and the information saved in @bprm->security by the set_security hook.
- *      Since this hook function (and its caller) are void, this hook can not
+ *      Since this function may return an error, in which case the process will
- *      return an error.  However, it can leave the security attributes of the
+ *      be killed.  However, it can leave the security attributes of the
 *      process unchanged if an access failure occurs at this point.
 *      bprm_apply_creds is called under task_lock.  @unsafe indicates various
 *      reasons why it may be unsafe to change security state.
@@ -593,15 +590,18 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 *      manual page for definitions of the @clone_flags.
 *      @clone_flags contains the flags indicating what should be shared.
 *      Return 0 if permission is granted.
- * @cred_alloc_security:
- *      @cred contains the cred struct for child process.
- *      Allocate and attach a security structure to the cred->security field.
- *      The security field is initialized to NULL when the task structure is
- *      allocated.
- *      Return 0 if operation was successful.
 * @cred_free:
 *      @cred points to the credentials.
 *      Deallocate and clear the cred->security field in a set of credentials.
+ * @cred_prepare:
+ *      @new points to the new credentials.
+ *      @old points to the original credentials.
+ *      @gfp indicates the atomicity of any memory allocations.
+ *      Prepare a new set of credentials by copying the data from the old set.
+ * @cred_commit:
+ *      @new points to the new credentials.
+ *      @old points to the original credentials.
+ *      Install a new set of credentials.
 * @task_setuid:
 *      Check permission before setting one or more of the user identity
 *      attributes of the current process.  The @flags parameter indicates
@@ -614,15 +614,13 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 *      @id2 contains a uid.
 *      @flags contains one of the LSM_SETID_* values.
 *      Return 0 if permission is granted.
- * @task_post_setuid:
+ * @task_fix_setuid:
 *      Update the module's state after setting one or more of the user
 *      identity attributes of the current process.  The @flags parameter
 *      indicates which of the set*uid system calls invoked this hook.  If
- *      @flags is LSM_SETID_FS, then @old_ruid is the old fs uid and the other
+ *      @new is the set of credentials that will be installed.  Modifications
- *      parameters are not used.
+ *      should be made to this rather than to @current->cred.
- *      @old_ruid contains the old real uid (or fs uid if LSM_SETID_FS).
+ *      @old is the set of credentials that are being replaces
- *      @old_euid contains the old effective uid (or -1 if LSM_SETID_FS).
- *      @old_suid contains the old saved uid (or -1 if LSM_SETID_FS).
 *      @flags contains one of the LSM_SETID_* values.
 *      Return 0 on success.
 * @task_setgid:
@@ -725,13 +723,8 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 *      @arg3 contains a argument.
 *      @arg4 contains a argument.
 *      @arg5 contains a argument.
- *      @rc_p contains a pointer to communicate back the forced return code
+ *      Return -ENOSYS if no-one wanted to handle this op, any other value to
- *      Return 0 if permission is granted, and non-zero if the security module
+ *      cause prctl() to return immediately with that value.
- *      has taken responsibility (setting *rc_p) for the prctl call.
- * @task_reparent_to_init:
- *      Set the security attributes in @p->security for a kernel thread that
- *      is being reparented to the init task.
- *      @p contains the task_struct for the kernel thread.
 * @task_to_inode:
 *      Set the security attributes for an inode based on an associated task's
 *      security attributes, e.g. for /proc/pid inodes.
@@ -1008,7 +1001,7 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 *      See whether a specific operational right is granted to a process on a
 *      key.
 *      @key_ref refers to the key (key pointer + possession attribute bit).
- *      @context points to the process to provide the context against which to
+ *      @cred points to the credentials to provide the context against which to
 *      evaluate the security data on the key.
 *      @perm describes the combination of permissions required of this key.
 *      Return 1 if permission granted, 0 if permission denied and -ve it the
@@ -1170,6 +1163,7 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 *      @child process.
 *      Security modules may also want to perform a process tracing check
 *      during an execve in the set_security or apply_creds hooks of
+ *      tracing check during an execve in the bprm_set_creds hook of
 *      binprm_security_ops if the process is being traced and its security
 *      attributes would be changed by the execve.
 *      @child contains the task_struct structure for the target process.
@@ -1193,19 +1187,15 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 *      @inheritable contains the inheritable capability set.
 *      @permitted contains the permitted capability set.
 *      Return 0 if the capability sets were successfully obtained.
- * @capset_check:
+ * @capset:
- *      Check permission before setting the @effective, @inheritable, and
- *      @permitted capability sets for the current process.
- *      @effective contains the effective capability set.
- *      @inheritable contains the inheritable capability set.
- *      @permitted contains the permitted capability set.
- *      Return 0 if permission is granted.
- * @capset_set:
 *      Set the @effective, @inheritable, and @permitted capability sets for
 *      the current process.
+ *      @new contains the new credentials structure for target process.
+ *      @old contains the current credentials structure for target process.
 *      @effective contains the effective capability set.
 *      @inheritable contains the inheritable capability set.
 *      @permitted contains the permitted capability set.
+ *      Return 0 and update @new if permission is granted.
 * @capable:
 *      Check whether the @tsk process has the @cap capability.
 *      @tsk contains the task_struct for the process.
@@ -1297,12 +1287,11 @@ struct security_operations {
        int (*capget) (struct task_struct *target,
                       kernel_cap_t *effective,
                       kernel_cap_t *inheritable, kernel_cap_t *permitted);
-        int (*capset_check) (const kernel_cap_t *effective,
+        int (*capset) (struct cred *new,
-                             const kernel_cap_t *inheritable,
+                       const struct cred *old,
-                             const kernel_cap_t *permitted);
+                       const kernel_cap_t *effective,
-        void (*capset_set) (const kernel_cap_t *effective,
+                       const kernel_cap_t *inheritable,
-                            const kernel_cap_t *inheritable,
+                       const kernel_cap_t *permitted);
-                            const kernel_cap_t *permitted);
        int (*capable) (struct task_struct *tsk, int cap, int audit);
        int (*acct) (struct file *file);
        int (*sysctl) (struct ctl_table *table, int op);
@@ -1314,7 +1303,7 @@ struct security_operations {
        int (*bprm_alloc_security) (struct linux_binprm *bprm);
        void (*bprm_free_security) (struct linux_binprm *bprm);
-        void (*bprm_apply_creds) (struct linux_binprm *bprm, int unsafe);
+        int (*bprm_apply_creds) (struct linux_binprm *bprm, int unsafe);
        void (*bprm_post_apply_creds) (struct linux_binprm *bprm);
        int (*bprm_set_security) (struct linux_binprm *bprm);
        int (*bprm_check_security) (struct linux_binprm *bprm);
@@ -1405,11 +1394,13 @@ struct security_operations {
        int (*dentry_open) (struct file *file, const struct cred *cred);
        int (*task_create) (unsigned long clone_flags);
-        int (*cred_alloc_security) (struct cred *cred);
        void (*cred_free) (struct cred *cred);
+        int (*cred_prepare)(struct cred *new, const struct cred *old,
+                            gfp_t gfp);
+        void (*cred_commit)(struct cred *new, const struct cred *old);
        int (*task_setuid) (uid_t id0, uid_t id1, uid_t id2, int flags);
-        int (*task_post_setuid) (uid_t old_ruid /* or fsuid */ ,
+        int (*task_fix_setuid) (struct cred *new, const struct cred *old,
-                                 uid_t old_euid, uid_t old_suid, int flags);
+                                int flags);
        int (*task_setgid) (gid_t id0, gid_t id1, gid_t id2, int flags);
        int (*task_setpgid) (struct task_struct *p, pid_t pgid);
        int (*task_getpgid) (struct task_struct *p);
@@ -1429,8 +1420,7 @@ struct security_operations {
        int (*task_wait) (struct task_struct *p);
        int (*task_prctl) (int option, unsigned long arg2,
                           unsigned long arg3, unsigned long arg4,
-                           unsigned long arg5, long *rc_p);
+                           unsigned long arg5);
-        void (*task_reparent_to_init) (struct task_struct *p);
        void (*task_to_inode) (struct task_struct *p, struct inode *inode);
        int (*ipc_permission) (struct kern_ipc_perm *ipcp, short flag);
@@ -1535,10 +1525,10 @@ struct security_operations {
        /* key management security hooks */
 #ifdef CONFIG_KEYS
-        int (*key_alloc) (struct key *key, struct task_struct *tsk, unsigned long flags);
+        int (*key_alloc) (struct key *key, const struct cred *cred, unsigned long flags);
        void (*key_free) (struct key *key);
        int (*key_permission) (key_ref_t key_ref,
-                               struct task_struct *context,
+                               const struct cred *cred,
                               key_perm_t perm);
        int (*key_getsecurity)(struct key *key, char **_buffer);
 #endif  /* CONFIG_KEYS */
@@ -1564,12 +1554,10 @@ int security_capget(struct task_struct *target,
                    kernel_cap_t *effective,
                    kernel_cap_t *inheritable,
                    kernel_cap_t *permitted);
-int security_capset_check(const kernel_cap_t *effective,
+int security_capset(struct cred *new, const struct cred *old,
-                          const kernel_cap_t *inheritable,
+                    const kernel_cap_t *effective,
-                          const kernel_cap_t *permitted);
+                    const kernel_cap_t *inheritable,
-void security_capset_set(const kernel_cap_t *effective,
+                    const kernel_cap_t *permitted);
-                         const kernel_cap_t *inheritable,
-                         const kernel_cap_t *permitted);
 int security_capable(struct task_struct *tsk, int cap);
 int security_capable_noaudit(struct task_struct *tsk, int cap);
 int security_acct(struct file *file);
@@ -1583,7 +1571,7 @@ int security_vm_enough_memory_mm(struct mm_struct *mm, long pages);
 int security_vm_enough_memory_kern(long pages);
 int security_bprm_alloc(struct linux_binprm *bprm);
 void security_bprm_free(struct linux_binprm *bprm);
-void security_bprm_apply_creds(struct linux_binprm *bprm, int unsafe);
+int security_bprm_apply_creds(struct linux_binprm *bprm, int unsafe);
 void security_bprm_post_apply_creds(struct linux_binprm *bprm);
 int security_bprm_set(struct linux_binprm *bprm);
 int security_bprm_check(struct linux_binprm *bprm);
@@ -1660,11 +1648,12 @@ int security_file_send_sigiotask(struct task_struct *tsk,
 int security_file_receive(struct file *file);
 int security_dentry_open(struct file *file, const struct cred *cred);
 int security_task_create(unsigned long clone_flags);
-int security_cred_alloc(struct cred *cred);
 void security_cred_free(struct cred *cred);
+int security_prepare_creds(struct cred *new, const struct cred *old, gfp_t gfp);
+void security_commit_creds(struct cred *new, const struct cred *old);
 int security_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags);
-int security_task_post_setuid(uid_t old_ruid, uid_t old_euid,
+int security_task_fix_setuid(struct cred *new, const struct cred *old,
-                              uid_t old_suid, int flags);
+                             int flags);
 int security_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags);
 int security_task_setpgid(struct task_struct *p, pid_t pgid);
 int security_task_getpgid(struct task_struct *p);
@@ -1683,8 +1672,7 @@ int security_task_kill(struct task_struct *p, struct siginfo *info,
                        int sig, u32 secid);
 int security_task_wait(struct task_struct *p);
 int security_task_prctl(int option, unsigned long arg2, unsigned long arg3,
-                         unsigned long arg4, unsigned long arg5, long *rc_p);
+                        unsigned long arg4, unsigned long arg5);
-void security_task_reparent_to_init(struct task_struct *p);
 void security_task_to_inode(struct task_struct *p, struct inode *inode);
 int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag);
 void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid);
@@ -1759,18 +1747,13 @@ static inline int security_capget(struct task_struct *target,
        return cap_capget(target, effective, inheritable, permitted);
 }
-static inline int security_capset_check(const kernel_cap_t *effective,
+static inline int security_capset(struct cred *new,
-                                        const kernel_cap_t *inheritable,
+                                   const struct cred *old,
-                                        const kernel_cap_t *permitted)
+                                   const kernel_cap_t *effective,
+                                   const kernel_cap_t *inheritable,
+                                   const kernel_cap_t *permitted)
 {
-        return cap_capset_check(effective, inheritable, permitted);
+        return cap_capset(new, old, effective, inheritable, permitted);
-}
-static inline void security_capset_set(const kernel_cap_t *effective,
-                                       const kernel_cap_t *inheritable,
-                                       const kernel_cap_t *permitted)
-{
-        cap_capset_set(effective, inheritable, permitted);
 }
 static inline int security_capable(struct task_struct *tsk, int cap)
@@ -1837,9 +1820,9 @@ static inline int security_bprm_alloc(struct linux_binprm *bprm)
 static inline void security_bprm_free(struct linux_binprm *bprm)
 { }
-static inline void security_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
+static inline int security_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
 {
-        cap_bprm_apply_creds(bprm, unsafe);
+        return cap_bprm_apply_creds(bprm, unsafe);
 }
 static inline void security_bprm_post_apply_creds(struct linux_binprm *bprm)
@@ -2182,13 +2165,20 @@ static inline int security_task_create(unsigned long clone_flags)
        return 0;
 }
-static inline int security_cred_alloc(struct cred *cred)
+static inline void security_cred_free(struct cred *cred)
+{ }
+static inline int security_prepare_creds(struct cred *new,
+                                         const struct cred *old,
+                                         gfp_t gfp)
 {
        return 0;
 }
-static inline void security_cred_free(struct cred *cred)
+static inline void security_commit_creds(struct cred *new,
-{ }
+                                         const struct cred *old)
+{
+}
 static inline int security_task_setuid(uid_t id0, uid_t id1, uid_t id2,
                                       int flags)
@@ -2196,10 +2186,11 @@ static inline int security_task_setuid(uid_t id0, uid_t id1, uid_t id2,
        return 0;
 }
-static inline int security_task_post_setuid(uid_t old_ruid, uid_t old_euid,
+static inline int security_task_fix_setuid(struct cred *new,
-                                            uid_t old_suid, int flags)
+                                           const struct cred *old,
+                                           int flags)
 {
-        return cap_task_post_setuid(old_ruid, old_euid, old_suid, flags);
+        return cap_task_fix_setuid(new, old, flags);
 }
 static inline int security_task_setgid(gid_t id0, gid_t id1, gid_t id2,
@@ -2286,14 +2277,9 @@ static inline int security_task_wait(struct task_struct *p)
 static inline int security_task_prctl(int option, unsigned long arg2,
                                      unsigned long arg3,
                                      unsigned long arg4,
-                                      unsigned long arg5, long *rc_p)
+                                      unsigned long arg5)
-{
-        return cap_task_prctl(option, arg2, arg3, arg3, arg5, rc_p);
-}
-static inline void security_task_reparent_to_init(struct task_struct *p)
 {
-        cap_task_reparent_to_init(p);
+        return cap_task_prctl(option, arg2, arg3, arg3, arg5);
 }
 static inline void security_task_to_inode(struct task_struct *p, struct inode *inode)
@@ -2719,16 +2705,16 @@ static inline void security_skb_classify_flow(struct sk_buff *skb, struct flowi
 #ifdef CONFIG_KEYS
 #ifdef CONFIG_SECURITY
-int security_key_alloc(struct key *key, struct task_struct *tsk, unsigned long flags);
+int security_key_alloc(struct key *key, const struct cred *cred, unsigned long flags);
 void security_key_free(struct key *key);
 int security_key_permission(key_ref_t key_ref,
-                            struct task_struct *context, key_perm_t perm);
+                            const struct cred *cred, key_perm_t perm);
 int security_key_getsecurity(struct key *key, char **_buffer);
 #else
 static inline int security_key_alloc(struct key *key,
-                                     struct task_struct *tsk,
+                                     const struct cred *cred,
                                     unsigned long flags)
 {
        return 0;
@@ -2739,7 +2725,7 @@ static inline void security_key_free(struct key *key)
 }
 static inline int security_key_permission(key_ref_t key_ref,
-                                          struct task_struct *context,
+                                          const struct cred *cred,
                                          key_perm_t perm)
 {
        return 0;