2 files changed, 33 insertions, 5 deletions
diff --git a/security/dummy.c b/security/dummy.c
index eddedf7c61b4..bbbfda70e131 100644
--- a/security/dummy.c
+++ b/security/dummy.c
@@ -505,6 +505,9 @@ static int dummy_task_getsid (struct task_struct *p)
        return 0;
 }
+static void dummy_task_getsecid (struct task_struct *p, u32 *secid)
+{ }
 static int dummy_task_setgroups (struct group_info *group_info)
 {
        return 0;
@@ -520,6 +523,11 @@ static int dummy_task_setioprio (struct task_struct *p, int ioprio)
        return 0;
 }
+static int dummy_task_getioprio (struct task_struct *p)
+{
+        return 0;
+}
 static int dummy_task_setrlimit (unsigned int resource, struct rlimit *new_rlim)
 {
        return 0;
@@ -547,7 +555,7 @@ static int dummy_task_wait (struct task_struct *p)
 }
 static int dummy_task_kill (struct task_struct *p, struct siginfo *info,
-                            int sig)
+                            int sig, u32 secid)
 {
        return 0;
 }
@@ -980,9 +988,11 @@ void security_fixup_ops (struct security_operations *ops)
        set_to_dummy_if_null(ops, task_setpgid);
        set_to_dummy_if_null(ops, task_getpgid);
        set_to_dummy_if_null(ops, task_getsid);
+        set_to_dummy_if_null(ops, task_getsecid);
        set_to_dummy_if_null(ops, task_setgroups);
        set_to_dummy_if_null(ops, task_setnice);
        set_to_dummy_if_null(ops, task_setioprio);
+        set_to_dummy_if_null(ops, task_getioprio);
        set_to_dummy_if_null(ops, task_setrlimit);
        set_to_dummy_if_null(ops, task_setscheduler);
        set_to_dummy_if_null(ops, task_getscheduler);
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 3e593587651d..24caaeec8894 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2643,6 +2643,11 @@ static int selinux_task_getsid(struct task_struct *p)
        return task_has_perm(current, p, PROCESS__GETSESSION);
 }
+static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
+{
+        selinux_get_task_sid(p, secid);
+}
 static int selinux_task_setgroups(struct group_info *group_info)
 {
        /* See the comment for setuid above. */
@@ -2665,6 +2670,11 @@ static int selinux_task_setioprio(struct task_struct *p, int ioprio)
        return task_has_perm(current, p, PROCESS__SETSCHED);
 }
+static int selinux_task_getioprio(struct task_struct *p)
+{
+        return task_has_perm(current, p, PROCESS__GETSCHED);
+}
 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
 {
        struct rlimit *old_rlim = current->signal->rlim + resource;
@@ -2699,12 +2709,14 @@ static int selinux_task_movememory(struct task_struct *p)
        return task_has_perm(current, p, PROCESS__SETSCHED);
 }
-static int selinux_task_kill(struct task_struct *p, struct siginfo *info, int sig)
+static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
+                                int sig, u32 secid)
 {
        u32 perm;
        int rc;
+        struct task_security_struct *tsec;
-        rc = secondary_ops->task_kill(p, info, sig);
+        rc = secondary_ops->task_kill(p, info, sig, secid);
        if (rc)
                return rc;
@@ -2715,8 +2727,12 @@ static int selinux_task_kill(struct task_struct *p, struct siginfo *info, int si
                perm = PROCESS__SIGNULL; /* null signal; existence test */
        else
                perm = signal_to_av(sig);
+        tsec = p->security;
-        return task_has_perm(current, p, perm);
+        if (secid)
+                rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
+        else
+                rc = task_has_perm(current, p, perm);
+        return rc;
 }
 static int selinux_task_prctl(int option,
@@ -4433,9 +4449,11 @@ static struct security_operations selinux_ops = {
        .task_setpgid =                 selinux_task_setpgid,
        .task_getpgid =                 selinux_task_getpgid,
        .task_getsid =                  selinux_task_getsid,
+        .task_getsecid =                selinux_task_getsecid,
        .task_setgroups =               selinux_task_setgroups,
        .task_setnice =                 selinux_task_setnice,
        .task_setioprio =               selinux_task_setioprio,
+        .task_getioprio =               selinux_task_getioprio,
        .task_setrlimit =               selinux_task_setrlimit,
        .task_setscheduler =            selinux_task_setscheduler,
        .task_getscheduler =            selinux_task_getscheduler,

diff --git a/security/dummy.c b/security/dummy.c index eddedf7c61b4..bbbfda70e131 100644 --- a/security/dummy.c +++ b/security/dummy.c
@@ -505,6 +505,9 @@ static int dummy_task_getsid (struct task_struct *p)
505	return 0;	505	return 0;
506	}	506	}
507		507
		508	static void dummy_task_getsecid (struct task_struct p, u32 secid)
		509	{ }
		510
508	static int dummy_task_setgroups (struct group_info *group_info)	511	static int dummy_task_setgroups (struct group_info *group_info)
509	{	512	{
510	return 0;	513	return 0;
@@ -520,6 +523,11 @@ static int dummy_task_setioprio (struct task_struct *p, int ioprio)
520	return 0;	523	return 0;
521	}	524	}
522		525
		526	static int dummy_task_getioprio (struct task_struct *p)
		527	{
		528	return 0;
		529	}
		530
523	static int dummy_task_setrlimit (unsigned int resource, struct rlimit *new_rlim)	531	static int dummy_task_setrlimit (unsigned int resource, struct rlimit *new_rlim)
524	{	532	{
525	return 0;	533	return 0;
@@ -547,7 +555,7 @@ static int dummy_task_wait (struct task_struct *p)
547	}	555	}
548		556
549	static int dummy_task_kill (struct task_struct p, struct siginfo info,	557	static int dummy_task_kill (struct task_struct p, struct siginfo info,
550	int sig)	558	int sig, u32 secid)
551	{	559	{
552	return 0;	560	return 0;
553	}	561	}
@@ -980,9 +988,11 @@ void security_fixup_ops (struct security_operations *ops)
980	set_to_dummy_if_null(ops, task_setpgid);	988	set_to_dummy_if_null(ops, task_setpgid);
981	set_to_dummy_if_null(ops, task_getpgid);	989	set_to_dummy_if_null(ops, task_getpgid);
982	set_to_dummy_if_null(ops, task_getsid);	990	set_to_dummy_if_null(ops, task_getsid);
		991	set_to_dummy_if_null(ops, task_getsecid);
983	set_to_dummy_if_null(ops, task_setgroups);	992	set_to_dummy_if_null(ops, task_setgroups);
984	set_to_dummy_if_null(ops, task_setnice);	993	set_to_dummy_if_null(ops, task_setnice);
985	set_to_dummy_if_null(ops, task_setioprio);	994	set_to_dummy_if_null(ops, task_setioprio);
		995	set_to_dummy_if_null(ops, task_getioprio);
986	set_to_dummy_if_null(ops, task_setrlimit);	996	set_to_dummy_if_null(ops, task_setrlimit);
987	set_to_dummy_if_null(ops, task_setscheduler);	997	set_to_dummy_if_null(ops, task_setscheduler);
988	set_to_dummy_if_null(ops, task_getscheduler);	998	set_to_dummy_if_null(ops, task_getscheduler);


diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 3e593587651d..24caaeec8894 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c
@@ -2643,6 +2643,11 @@ static int selinux_task_getsid(struct task_struct *p)
2643	return task_has_perm(current, p, PROCESS__GETSESSION);	2643	return task_has_perm(current, p, PROCESS__GETSESSION);
2644	}	2644	}
2645		2645
		2646	static void selinux_task_getsecid(struct task_struct p, u32 secid)
		2647	{
		2648	selinux_get_task_sid(p, secid);
		2649	}
		2650
2646	static int selinux_task_setgroups(struct group_info *group_info)	2651	static int selinux_task_setgroups(struct group_info *group_info)
2647	{	2652	{
2648	/* See the comment for setuid above. */	2653	/* See the comment for setuid above. */
@@ -2665,6 +2670,11 @@ static int selinux_task_setioprio(struct task_struct *p, int ioprio)
2665	return task_has_perm(current, p, PROCESS__SETSCHED);	2670	return task_has_perm(current, p, PROCESS__SETSCHED);
2666	}	2671	}
2667		2672
		2673	static int selinux_task_getioprio(struct task_struct *p)
		2674	{
		2675	return task_has_perm(current, p, PROCESS__GETSCHED);
		2676	}
		2677
2668	static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)	2678	static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
2669	{	2679	{
2670	struct rlimit *old_rlim = current->signal->rlim + resource;	2680	struct rlimit *old_rlim = current->signal->rlim + resource;
@@ -2699,12 +2709,14 @@ static int selinux_task_movememory(struct task_struct *p)
2699	return task_has_perm(current, p, PROCESS__SETSCHED);	2709	return task_has_perm(current, p, PROCESS__SETSCHED);
2700	}	2710	}
2701		2711
2702	static int selinux_task_kill(struct task_struct p, struct siginfo info, int sig)	2712	static int selinux_task_kill(struct task_struct p, struct siginfo info,
		2713	int sig, u32 secid)
2703	{	2714	{
2704	u32 perm;	2715	u32 perm;
2705	int rc;	2716	int rc;
		2717	struct task_security_struct *tsec;
2706		2718
2707	rc = secondary_ops->task_kill(p, info, sig);	2719	rc = secondary_ops->task_kill(p, info, sig, secid);
2708	if (rc)	2720	if (rc)
2709	return rc;	2721	return rc;
2710		2722
@@ -2715,8 +2727,12 @@ static int selinux_task_kill(struct task_struct p, struct siginfo info, int si
2715	perm = PROCESS__SIGNULL; /* null signal; existence test */	2727	perm = PROCESS__SIGNULL; /* null signal; existence test */
2716	else	2728	else
2717	perm = signal_to_av(sig);	2729	perm = signal_to_av(sig);
2718		2730	tsec = p->security;
2719	return task_has_perm(current, p, perm);	2731	if (secid)
		2732	rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
		2733	else
		2734	rc = task_has_perm(current, p, perm);
		2735	return rc;
2720	}	2736	}
2721		2737
2722	static int selinux_task_prctl(int option,	2738	static int selinux_task_prctl(int option,
@@ -4433,9 +4449,11 @@ static struct security_operations selinux_ops = {
4433	.task_setpgid = selinux_task_setpgid,	4449	.task_setpgid = selinux_task_setpgid,
4434	.task_getpgid = selinux_task_getpgid,	4450	.task_getpgid = selinux_task_getpgid,
4435	.task_getsid = selinux_task_getsid,	4451	.task_getsid = selinux_task_getsid,
		4452	.task_getsecid = selinux_task_getsecid,
4436	.task_setgroups = selinux_task_setgroups,	4453	.task_setgroups = selinux_task_setgroups,
4437	.task_setnice = selinux_task_setnice,	4454	.task_setnice = selinux_task_setnice,
4438	.task_setioprio = selinux_task_setioprio,	4455	.task_setioprio = selinux_task_setioprio,
		4456	.task_getioprio = selinux_task_getioprio,
4439	.task_setrlimit = selinux_task_setrlimit,	4457	.task_setrlimit = selinux_task_setrlimit,
4440	.task_setscheduler = selinux_task_setscheduler,	4458	.task_setscheduler = selinux_task_setscheduler,
4441	.task_getscheduler = selinux_task_getscheduler,	4459	.task_getscheduler = selinux_task_getscheduler,