5 files changed, 48 insertions, 92 deletions
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 0b2fcb698a63..e8ce2c4c7ac7 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -508,22 +508,6 @@ static inline int audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat)
        return 0;
 }
-/*
- * ieieeeeee, an audit function without a return code!
- *
- * This function might fail!  I decided that it didn't matter.  We are too late
- * to fail the syscall and the information isn't REQUIRED for any purpose.  It's
- * just nice to have.  We should be able to look at past audit logs to figure
- * out this process's current cap set along with the fcaps from the PATH record
- * and use that to come up with the final set.  Yeah, its ugly, but all the info
- * is still in the audit log.  So I'm not going to bother mentioning we failed
- * if we couldn't allocate memory.
- *
- * If someone changes their mind they could create the aux record earlier and
- * then search here and use that earlier allocation.  But I don't wanna.
- *
- * -Eric
- */
 static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm,
                                       const struct cred *new,
                                       const struct cred *old)
diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h
index 7394b5b349ff..6cbfbe297180 100644
--- a/include/linux/binfmts.h
+++ b/include/linux/binfmts.h
@@ -35,16 +35,20 @@ struct linux_binprm{
        struct mm_struct *mm;
        unsigned long p; /* current top of mem */
        unsigned int sh_bang:1,
-                     misc_bang:1;
+                misc_bang:1,
+                cred_prepared:1,/* true if creds already prepared (multiple
+                                 * preps happen for interpreters) */
+                cap_effective:1;/* true if has elevated effective capabilities,
+                                 * false if not; except for init which inherits
+                                 * its parent's caps anyway */
 #ifdef __alpha__
        unsigned int taso:1;
 #endif
        unsigned int recursion_depth;
        struct file * file;
-        int e_uid, e_gid;
+        struct cred *cred;      /* new credentials */
-        kernel_cap_t cap_post_exec_permitted;
+        int unsafe;             /* how unsafe this exec is (mask of LSM_UNSAFE_*) */
-        bool cap_effective;
+        unsigned int per_clear; /* bits to clear in current->personality */
-        void *security;
        int argc, envc;
        char * filename;        /* Name of binary as seen by procps */
        char * interp;          /* Name of the binary really executed. Most
@@ -101,7 +105,7 @@ extern int setup_arg_pages(struct linux_binprm * bprm,
                           int executable_stack);
 extern int bprm_mm_init(struct linux_binprm *bprm);
 extern int copy_strings_kernel(int argc,char ** argv,struct linux_binprm *bprm);
-extern void compute_creds(struct linux_binprm *binprm);
+extern void install_exec_creds(struct linux_binprm *bprm);
 extern int do_coredump(long signr, int exit_code, struct pt_regs * regs);
 extern int set_binfmt(struct linux_binfmt *new);
 extern void free_bprm(struct linux_binprm *);
diff --git a/include/linux/cred.h b/include/linux/cred.h
index eaf6fa695a04..8edb4d1d5427 100644
--- a/include/linux/cred.h
+++ b/include/linux/cred.h
@@ -84,8 +84,6 @@ struct thread_group_cred {
        struct key      *process_keyring;       /* keyring private to this process */
        struct rcu_head rcu;                    /* RCU deletion hook */
 };
-extern void release_tgcred(struct cred *cred);
 #endif
 /*
@@ -144,6 +142,7 @@ struct cred {
 extern void __put_cred(struct cred *);
 extern int copy_creds(struct task_struct *, unsigned long);
 extern struct cred *prepare_creds(void);
+extern struct cred *prepare_exec_creds(void);
 extern struct cred *prepare_usermodehelper_creds(void);
 extern int commit_creds(struct cred *);
 extern void abort_creds(struct cred *);
diff --git a/include/linux/key.h b/include/linux/key.h
index 69ecf0934b02..21d32a142c00 100644
--- a/include/linux/key.h
+++ b/include/linux/key.h
@@ -278,7 +278,6 @@ extern ctl_table key_sysctls[];
 * the userspace interface
 */
 extern int install_thread_keyring_to_cred(struct cred *cred);
-extern int exec_keys(struct task_struct *tsk);
 extern void key_fsuid_changed(struct task_struct *tsk);
 extern void key_fsgid_changed(struct task_struct *tsk);
 extern void key_init(void);
@@ -294,7 +293,6 @@ extern void key_init(void);
 #define make_key_ref(k, p)              NULL
 #define key_ref_to_ptr(k)               NULL
 #define is_key_possessed(k)             0
-#define exec_keys(t)                    do { } while(0)
 #define key_fsuid_changed(t)            do { } while(0)
 #define key_fsgid_changed(t)            do { } while(0)
 #define key_init()                      do { } while(0)
diff --git a/include/linux/security.h b/include/linux/security.h
index 68be11251447..56a0eed65673 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -57,8 +57,7 @@ extern int cap_capset(struct cred *new, const struct cred *old,
                      const kernel_cap_t *effective,
                      const kernel_cap_t *inheritable,
                      const kernel_cap_t *permitted);
-extern int cap_bprm_set_security(struct linux_binprm *bprm);
+extern int cap_bprm_set_creds(struct linux_binprm *bprm);
-extern int cap_bprm_apply_creds(struct linux_binprm *bprm, int unsafe);
 extern int cap_bprm_secureexec(struct linux_binprm *bprm);
 extern int cap_inode_setxattr(struct dentry *dentry, const char *name,
                              const void *value, size_t size, int flags);
@@ -110,7 +109,7 @@ extern unsigned long mmap_min_addr;
 struct sched_param;
 struct request_sock;
-/* bprm_apply_creds unsafe reasons */
+/* bprm->unsafe reasons */
 #define LSM_UNSAFE_SHARE        1
 #define LSM_UNSAFE_PTRACE       2
 #define LSM_UNSAFE_PTRACE_CAP   4
@@ -154,36 +153,7 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 *
 * Security hooks for program execution operations.
 *
- * @bprm_alloc_security:
+ * @bprm_set_creds:
- *      Allocate and attach a security structure to the @bprm->security field.
- *      The security field is initialized to NULL when the bprm structure is
- *      allocated.
- *      @bprm contains the linux_binprm structure to be modified.
- *      Return 0 if operation was successful.
- * @bprm_free_security:
- *      @bprm contains the linux_binprm structure to be modified.
- *      Deallocate and clear the @bprm->security field.
- * @bprm_apply_creds:
- *      Compute and set the security attributes of a process being transformed
- *      by an execve operation based on the old attributes (current->security)
- *      and the information saved in @bprm->security by the set_security hook.
- *      Since this function may return an error, in which case the process will
- *      be killed.  However, it can leave the security attributes of the
- *      process unchanged if an access failure occurs at this point.
- *      bprm_apply_creds is called under task_lock.  @unsafe indicates various
- *      reasons why it may be unsafe to change security state.
- *      @bprm contains the linux_binprm structure.
- * @bprm_post_apply_creds:
- *      Runs after bprm_apply_creds with the task_lock dropped, so that
- *      functions which cannot be called safely under the task_lock can
- *      be used.  This hook is a good place to perform state changes on
- *      the process such as closing open file descriptors to which access
- *      is no longer granted if the attributes were changed.
- *      Note that a security module might need to save state between
- *      bprm_apply_creds and bprm_post_apply_creds to store the decision
- *      on whether the process may proceed.
- *      @bprm contains the linux_binprm structure.
- * @bprm_set_security:
 *      Save security information in the bprm->security field, typically based
 *      on information about the bprm->file, for later use by the apply_creds
 *      hook.  This hook may also optionally check permissions (e.g. for
@@ -196,15 +166,30 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 *      @bprm contains the linux_binprm structure.
 *      Return 0 if the hook is successful and permission is granted.
 * @bprm_check_security:
- *      This hook mediates the point when a search for a binary handler will
+ *      This hook mediates the point when a search for a binary handler will
- *      begin.  It allows a check the @bprm->security value which is set in
+ *      begin.  It allows a check the @bprm->security value which is set in the
- *      the preceding set_security call.  The primary difference from
+ *      preceding set_creds call.  The primary difference from set_creds is
- *      set_security is that the argv list and envp list are reliably
+ *      that the argv list and envp list are reliably available in @bprm.  This
- *      available in @bprm.  This hook may be called multiple times
+ *      hook may be called multiple times during a single execve; and in each
- *      during a single execve; and in each pass set_security is called
+ *      pass set_creds is called first.
- *      first.
 *      @bprm contains the linux_binprm structure.
 *      Return 0 if the hook is successful and permission is granted.
+ * @bprm_committing_creds:
+ *      Prepare to install the new security attributes of a process being
+ *      transformed by an execve operation, based on the old credentials
+ *      pointed to by @current->cred and the information set in @bprm->cred by
+ *      the bprm_set_creds hook.  @bprm points to the linux_binprm structure.
+ *      This hook is a good place to perform state changes on the process such
+ *      as closing open file descriptors to which access will no longer be
+ *      granted when the attributes are changed.  This is called immediately
+ *      before commit_creds().
+ * @bprm_committed_creds:
+ *      Tidy up after the installation of the new security attributes of a
+ *      process being transformed by an execve operation.  The new credentials
+ *      have, by this point, been set to @current->cred.  @bprm points to the
+ *      linux_binprm structure.  This hook is a good place to perform state
+ *      changes on the process such as clearing out non-inheritable signal
+ *      state.  This is called immediately after commit_creds().
 * @bprm_secureexec:
 *      Return a boolean value (0 or 1) indicating whether a "secure exec"
 *      is required.  The flag is passed in the auxiliary table
@@ -1301,13 +1286,11 @@ struct security_operations {
        int (*settime) (struct timespec *ts, struct timezone *tz);
        int (*vm_enough_memory) (struct mm_struct *mm, long pages);
-        int (*bprm_alloc_security) (struct linux_binprm *bprm);
+        int (*bprm_set_creds) (struct linux_binprm *bprm);
-        void (*bprm_free_security) (struct linux_binprm *bprm);
-        int (*bprm_apply_creds) (struct linux_binprm *bprm, int unsafe);
-        void (*bprm_post_apply_creds) (struct linux_binprm *bprm);
-        int (*bprm_set_security) (struct linux_binprm *bprm);
        int (*bprm_check_security) (struct linux_binprm *bprm);
        int (*bprm_secureexec) (struct linux_binprm *bprm);
+        void (*bprm_committing_creds) (struct linux_binprm *bprm);
+        void (*bprm_committed_creds) (struct linux_binprm *bprm);
        int (*sb_alloc_security) (struct super_block *sb);
        void (*sb_free_security) (struct super_block *sb);
@@ -1569,12 +1552,10 @@ int security_settime(struct timespec *ts, struct timezone *tz);
 int security_vm_enough_memory(long pages);
 int security_vm_enough_memory_mm(struct mm_struct *mm, long pages);
 int security_vm_enough_memory_kern(long pages);
-int security_bprm_alloc(struct linux_binprm *bprm);
+int security_bprm_set_creds(struct linux_binprm *bprm);
-void security_bprm_free(struct linux_binprm *bprm);
-int security_bprm_apply_creds(struct linux_binprm *bprm, int unsafe);
-void security_bprm_post_apply_creds(struct linux_binprm *bprm);
-int security_bprm_set(struct linux_binprm *bprm);
 int security_bprm_check(struct linux_binprm *bprm);
+void security_bprm_committing_creds(struct linux_binprm *bprm);
+void security_bprm_committed_creds(struct linux_binprm *bprm);
 int security_bprm_secureexec(struct linux_binprm *bprm);
 int security_sb_alloc(struct super_block *sb);
 void security_sb_free(struct super_block *sb);
@@ -1812,32 +1793,22 @@ static inline int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)
        return cap_vm_enough_memory(mm, pages);
 }
-static inline int security_bprm_alloc(struct linux_binprm *bprm)
+static inline int security_bprm_set_creds(struct linux_binprm *bprm)
-{
-        return 0;
-}
-static inline void security_bprm_free(struct linux_binprm *bprm)
-{ }
-static inline int security_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
 {
-        return cap_bprm_apply_creds(bprm, unsafe);
+        return cap_bprm_set_creds(bprm);
 }
-static inline void security_bprm_post_apply_creds(struct linux_binprm *bprm)
+static inline int security_bprm_check(struct linux_binprm *bprm)
 {
-        return;
+        return 0;
 }
-static inline int security_bprm_set(struct linux_binprm *bprm)
+static inline void security_bprm_committing_creds(struct linux_binprm *bprm)
 {
-        return cap_bprm_set_security(bprm);
 }
-static inline int security_bprm_check(struct linux_binprm *bprm)
+static inline void security_bprm_committed_creds(struct linux_binprm *bprm)
 {
-        return 0;
 }
 static inline int security_bprm_secureexec(struct linux_binprm *bprm)