diff options
Diffstat (limited to 'security')
-rw-r--r-- | security/commoncap.c | 161 | ||||
-rw-r--r-- | security/keys/keyctl.c | 25 | ||||
-rw-r--r-- | security/keys/permission.c | 11 | ||||
-rw-r--r-- | security/keys/process_keys.c | 98 | ||||
-rw-r--r-- | security/keys/request_key.c | 18 | ||||
-rw-r--r-- | security/keys/request_key_auth.c | 12 | ||||
-rw-r--r-- | security/selinux/exports.c | 2 | ||||
-rw-r--r-- | security/selinux/hooks.c | 116 | ||||
-rw-r--r-- | security/selinux/selinuxfs.c | 2 | ||||
-rw-r--r-- | security/selinux/xfrm.c | 6 | ||||
-rw-r--r-- | security/smack/smack_access.c | 4 | ||||
-rw-r--r-- | security/smack/smack_lsm.c | 77 | ||||
-rw-r--r-- | security/smack/smackfs.c | 6 |
13 files changed, 280 insertions, 258 deletions
diff --git a/security/commoncap.c b/security/commoncap.c index fb4e240720d8..fa61679f8c73 100644 --- a/security/commoncap.c +++ b/security/commoncap.c | |||
@@ -30,7 +30,7 @@ | |||
30 | 30 | ||
31 | int cap_netlink_send(struct sock *sk, struct sk_buff *skb) | 31 | int cap_netlink_send(struct sock *sk, struct sk_buff *skb) |
32 | { | 32 | { |
33 | NETLINK_CB(skb).eff_cap = current->cap_effective; | 33 | NETLINK_CB(skb).eff_cap = current_cap(); |
34 | return 0; | 34 | return 0; |
35 | } | 35 | } |
36 | 36 | ||
@@ -52,7 +52,7 @@ EXPORT_SYMBOL(cap_netlink_recv); | |||
52 | int cap_capable(struct task_struct *tsk, int cap, int audit) | 52 | int cap_capable(struct task_struct *tsk, int cap, int audit) |
53 | { | 53 | { |
54 | /* Derived from include/linux/sched.h:capable. */ | 54 | /* Derived from include/linux/sched.h:capable. */ |
55 | if (cap_raised(tsk->cap_effective, cap)) | 55 | if (cap_raised(tsk->cred->cap_effective, cap)) |
56 | return 0; | 56 | return 0; |
57 | return -EPERM; | 57 | return -EPERM; |
58 | } | 58 | } |
@@ -67,7 +67,8 @@ int cap_settime(struct timespec *ts, struct timezone *tz) | |||
67 | int cap_ptrace_may_access(struct task_struct *child, unsigned int mode) | 67 | int cap_ptrace_may_access(struct task_struct *child, unsigned int mode) |
68 | { | 68 | { |
69 | /* Derived from arch/i386/kernel/ptrace.c:sys_ptrace. */ | 69 | /* Derived from arch/i386/kernel/ptrace.c:sys_ptrace. */ |
70 | if (cap_issubset(child->cap_permitted, current->cap_permitted)) | 70 | if (cap_issubset(child->cred->cap_permitted, |
71 | current->cred->cap_permitted)) | ||
71 | return 0; | 72 | return 0; |
72 | if (capable(CAP_SYS_PTRACE)) | 73 | if (capable(CAP_SYS_PTRACE)) |
73 | return 0; | 74 | return 0; |
@@ -76,8 +77,8 @@ int cap_ptrace_may_access(struct task_struct *child, unsigned int mode) | |||
76 | 77 | ||
77 | int cap_ptrace_traceme(struct task_struct *parent) | 78 | int cap_ptrace_traceme(struct task_struct *parent) |
78 | { | 79 | { |
79 | /* Derived from arch/i386/kernel/ptrace.c:sys_ptrace. */ | 80 | if (cap_issubset(current->cred->cap_permitted, |
80 | if (cap_issubset(current->cap_permitted, parent->cap_permitted)) | 81 | parent->cred->cap_permitted)) |
81 | return 0; | 82 | return 0; |
82 | if (has_capability(parent, CAP_SYS_PTRACE)) | 83 | if (has_capability(parent, CAP_SYS_PTRACE)) |
83 | return 0; | 84 | return 0; |
@@ -87,10 +88,12 @@ int cap_ptrace_traceme(struct task_struct *parent) | |||
87 | int cap_capget (struct task_struct *target, kernel_cap_t *effective, | 88 | int cap_capget (struct task_struct *target, kernel_cap_t *effective, |
88 | kernel_cap_t *inheritable, kernel_cap_t *permitted) | 89 | kernel_cap_t *inheritable, kernel_cap_t *permitted) |
89 | { | 90 | { |
91 | struct cred *cred = target->cred; | ||
92 | |||
90 | /* Derived from kernel/capability.c:sys_capget. */ | 93 | /* Derived from kernel/capability.c:sys_capget. */ |
91 | *effective = target->cap_effective; | 94 | *effective = cred->cap_effective; |
92 | *inheritable = target->cap_inheritable; | 95 | *inheritable = cred->cap_inheritable; |
93 | *permitted = target->cap_permitted; | 96 | *permitted = cred->cap_permitted; |
94 | return 0; | 97 | return 0; |
95 | } | 98 | } |
96 | 99 | ||
@@ -122,24 +125,26 @@ int cap_capset_check(const kernel_cap_t *effective, | |||
122 | const kernel_cap_t *inheritable, | 125 | const kernel_cap_t *inheritable, |
123 | const kernel_cap_t *permitted) | 126 | const kernel_cap_t *permitted) |
124 | { | 127 | { |
128 | const struct cred *cred = current->cred; | ||
129 | |||
125 | if (cap_inh_is_capped() | 130 | if (cap_inh_is_capped() |
126 | && !cap_issubset(*inheritable, | 131 | && !cap_issubset(*inheritable, |
127 | cap_combine(current->cap_inheritable, | 132 | cap_combine(cred->cap_inheritable, |
128 | current->cap_permitted))) { | 133 | cred->cap_permitted))) { |
129 | /* incapable of using this inheritable set */ | 134 | /* incapable of using this inheritable set */ |
130 | return -EPERM; | 135 | return -EPERM; |
131 | } | 136 | } |
132 | if (!cap_issubset(*inheritable, | 137 | if (!cap_issubset(*inheritable, |
133 | cap_combine(current->cap_inheritable, | 138 | cap_combine(cred->cap_inheritable, |
134 | current->cap_bset))) { | 139 | cred->cap_bset))) { |
135 | /* no new pI capabilities outside bounding set */ | 140 | /* no new pI capabilities outside bounding set */ |
136 | return -EPERM; | 141 | return -EPERM; |
137 | } | 142 | } |
138 | 143 | ||
139 | /* verify restrictions on target's new Permitted set */ | 144 | /* verify restrictions on target's new Permitted set */ |
140 | if (!cap_issubset (*permitted, | 145 | if (!cap_issubset (*permitted, |
141 | cap_combine (current->cap_permitted, | 146 | cap_combine (cred->cap_permitted, |
142 | current->cap_permitted))) { | 147 | cred->cap_permitted))) { |
143 | return -EPERM; | 148 | return -EPERM; |
144 | } | 149 | } |
145 | 150 | ||
@@ -155,9 +160,11 @@ void cap_capset_set(const kernel_cap_t *effective, | |||
155 | const kernel_cap_t *inheritable, | 160 | const kernel_cap_t *inheritable, |
156 | const kernel_cap_t *permitted) | 161 | const kernel_cap_t *permitted) |
157 | { | 162 | { |
158 | current->cap_effective = *effective; | 163 | struct cred *cred = current->cred; |
159 | current->cap_inheritable = *inheritable; | 164 | |
160 | current->cap_permitted = *permitted; | 165 | cred->cap_effective = *effective; |
166 | cred->cap_inheritable = *inheritable; | ||
167 | cred->cap_permitted = *permitted; | ||
161 | } | 168 | } |
162 | 169 | ||
163 | static inline void bprm_clear_caps(struct linux_binprm *bprm) | 170 | static inline void bprm_clear_caps(struct linux_binprm *bprm) |
@@ -211,8 +218,8 @@ static inline int bprm_caps_from_vfs_caps(struct cpu_vfs_cap_data *caps, | |||
211 | * pP' = (X & fP) | (pI & fI) | 218 | * pP' = (X & fP) | (pI & fI) |
212 | */ | 219 | */ |
213 | bprm->cap_post_exec_permitted.cap[i] = | 220 | bprm->cap_post_exec_permitted.cap[i] = |
214 | (current->cap_bset.cap[i] & permitted) | | 221 | (current->cred->cap_bset.cap[i] & permitted) | |
215 | (current->cap_inheritable.cap[i] & inheritable); | 222 | (current->cred->cap_inheritable.cap[i] & inheritable); |
216 | 223 | ||
217 | if (permitted & ~bprm->cap_post_exec_permitted.cap[i]) { | 224 | if (permitted & ~bprm->cap_post_exec_permitted.cap[i]) { |
218 | /* | 225 | /* |
@@ -354,8 +361,8 @@ int cap_bprm_set_security (struct linux_binprm *bprm) | |||
354 | if (bprm->e_uid == 0 || current_uid() == 0) { | 361 | if (bprm->e_uid == 0 || current_uid() == 0) { |
355 | /* pP' = (cap_bset & ~0) | (pI & ~0) */ | 362 | /* pP' = (cap_bset & ~0) | (pI & ~0) */ |
356 | bprm->cap_post_exec_permitted = cap_combine( | 363 | bprm->cap_post_exec_permitted = cap_combine( |
357 | current->cap_bset, current->cap_inheritable | 364 | current->cred->cap_bset, |
358 | ); | 365 | current->cred->cap_inheritable); |
359 | bprm->cap_effective = (bprm->e_uid == 0); | 366 | bprm->cap_effective = (bprm->e_uid == 0); |
360 | ret = 0; | 367 | ret = 0; |
361 | } | 368 | } |
@@ -366,44 +373,39 @@ int cap_bprm_set_security (struct linux_binprm *bprm) | |||
366 | 373 | ||
367 | void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe) | 374 | void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe) |
368 | { | 375 | { |
369 | kernel_cap_t pP = current->cap_permitted; | 376 | struct cred *cred = current->cred; |
370 | kernel_cap_t pE = current->cap_effective; | ||
371 | uid_t uid; | ||
372 | gid_t gid; | ||
373 | 377 | ||
374 | current_uid_gid(&uid, &gid); | 378 | if (bprm->e_uid != cred->uid || bprm->e_gid != cred->gid || |
375 | |||
376 | if (bprm->e_uid != uid || bprm->e_gid != gid || | ||
377 | !cap_issubset(bprm->cap_post_exec_permitted, | 379 | !cap_issubset(bprm->cap_post_exec_permitted, |
378 | current->cap_permitted)) { | 380 | cred->cap_permitted)) { |
379 | set_dumpable(current->mm, suid_dumpable); | 381 | set_dumpable(current->mm, suid_dumpable); |
380 | current->pdeath_signal = 0; | 382 | current->pdeath_signal = 0; |
381 | 383 | ||
382 | if (unsafe & ~LSM_UNSAFE_PTRACE_CAP) { | 384 | if (unsafe & ~LSM_UNSAFE_PTRACE_CAP) { |
383 | if (!capable(CAP_SETUID)) { | 385 | if (!capable(CAP_SETUID)) { |
384 | bprm->e_uid = uid; | 386 | bprm->e_uid = cred->uid; |
385 | bprm->e_gid = gid; | 387 | bprm->e_gid = cred->gid; |
386 | } | 388 | } |
387 | if (cap_limit_ptraced_target()) { | 389 | if (cap_limit_ptraced_target()) { |
388 | bprm->cap_post_exec_permitted = cap_intersect( | 390 | bprm->cap_post_exec_permitted = cap_intersect( |
389 | bprm->cap_post_exec_permitted, | 391 | bprm->cap_post_exec_permitted, |
390 | current->cap_permitted); | 392 | cred->cap_permitted); |
391 | } | 393 | } |
392 | } | 394 | } |
393 | } | 395 | } |
394 | 396 | ||
395 | current->suid = current->euid = current->fsuid = bprm->e_uid; | 397 | cred->suid = cred->euid = cred->fsuid = bprm->e_uid; |
396 | current->sgid = current->egid = current->fsgid = bprm->e_gid; | 398 | cred->sgid = cred->egid = cred->fsgid = bprm->e_gid; |
397 | 399 | ||
398 | /* For init, we want to retain the capabilities set | 400 | /* For init, we want to retain the capabilities set |
399 | * in the init_task struct. Thus we skip the usual | 401 | * in the init_task struct. Thus we skip the usual |
400 | * capability rules */ | 402 | * capability rules */ |
401 | if (!is_global_init(current)) { | 403 | if (!is_global_init(current)) { |
402 | current->cap_permitted = bprm->cap_post_exec_permitted; | 404 | cred->cap_permitted = bprm->cap_post_exec_permitted; |
403 | if (bprm->cap_effective) | 405 | if (bprm->cap_effective) |
404 | current->cap_effective = bprm->cap_post_exec_permitted; | 406 | cred->cap_effective = bprm->cap_post_exec_permitted; |
405 | else | 407 | else |
406 | cap_clear(current->cap_effective); | 408 | cap_clear(cred->cap_effective); |
407 | } | 409 | } |
408 | 410 | ||
409 | /* | 411 | /* |
@@ -418,27 +420,30 @@ void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe) | |||
418 | * Number 1 above might fail if you don't have a full bset, but I think | 420 | * Number 1 above might fail if you don't have a full bset, but I think |
419 | * that is interesting information to audit. | 421 | * that is interesting information to audit. |
420 | */ | 422 | */ |
421 | if (!cap_isclear(current->cap_effective)) { | 423 | if (!cap_isclear(cred->cap_effective)) { |
422 | if (!cap_issubset(CAP_FULL_SET, current->cap_effective) || | 424 | if (!cap_issubset(CAP_FULL_SET, cred->cap_effective) || |
423 | (bprm->e_uid != 0) || (current->uid != 0) || | 425 | (bprm->e_uid != 0) || (cred->uid != 0) || |
424 | issecure(SECURE_NOROOT)) | 426 | issecure(SECURE_NOROOT)) |
425 | audit_log_bprm_fcaps(bprm, &pP, &pE); | 427 | audit_log_bprm_fcaps(bprm, &cred->cap_permitted, |
428 | &cred->cap_effective); | ||
426 | } | 429 | } |
427 | 430 | ||
428 | current->securebits &= ~issecure_mask(SECURE_KEEP_CAPS); | 431 | cred->securebits &= ~issecure_mask(SECURE_KEEP_CAPS); |
429 | } | 432 | } |
430 | 433 | ||
431 | int cap_bprm_secureexec (struct linux_binprm *bprm) | 434 | int cap_bprm_secureexec (struct linux_binprm *bprm) |
432 | { | 435 | { |
433 | if (current_uid() != 0) { | 436 | const struct cred *cred = current->cred; |
437 | |||
438 | if (cred->uid != 0) { | ||
434 | if (bprm->cap_effective) | 439 | if (bprm->cap_effective) |
435 | return 1; | 440 | return 1; |
436 | if (!cap_isclear(bprm->cap_post_exec_permitted)) | 441 | if (!cap_isclear(bprm->cap_post_exec_permitted)) |
437 | return 1; | 442 | return 1; |
438 | } | 443 | } |
439 | 444 | ||
440 | return (current_euid() != current_uid() || | 445 | return (cred->euid != cred->uid || |
441 | current_egid() != current_gid()); | 446 | cred->egid != cred->gid); |
442 | } | 447 | } |
443 | 448 | ||
444 | int cap_inode_setxattr(struct dentry *dentry, const char *name, | 449 | int cap_inode_setxattr(struct dentry *dentry, const char *name, |
@@ -501,25 +506,27 @@ int cap_inode_removexattr(struct dentry *dentry, const char *name) | |||
501 | static inline void cap_emulate_setxuid (int old_ruid, int old_euid, | 506 | static inline void cap_emulate_setxuid (int old_ruid, int old_euid, |
502 | int old_suid) | 507 | int old_suid) |
503 | { | 508 | { |
504 | uid_t euid = current_euid(); | 509 | struct cred *cred = current->cred; |
505 | 510 | ||
506 | if ((old_ruid == 0 || old_euid == 0 || old_suid == 0) && | 511 | if ((old_ruid == 0 || old_euid == 0 || old_suid == 0) && |
507 | (current_uid() != 0 && euid != 0 && current_suid() != 0) && | 512 | (cred->uid != 0 && cred->euid != 0 && cred->suid != 0) && |
508 | !issecure(SECURE_KEEP_CAPS)) { | 513 | !issecure(SECURE_KEEP_CAPS)) { |
509 | cap_clear (current->cap_permitted); | 514 | cap_clear (cred->cap_permitted); |
510 | cap_clear (current->cap_effective); | 515 | cap_clear (cred->cap_effective); |
511 | } | 516 | } |
512 | if (old_euid == 0 && euid != 0) { | 517 | if (old_euid == 0 && cred->euid != 0) { |
513 | cap_clear (current->cap_effective); | 518 | cap_clear (cred->cap_effective); |
514 | } | 519 | } |
515 | if (old_euid != 0 && euid == 0) { | 520 | if (old_euid != 0 && cred->euid == 0) { |
516 | current->cap_effective = current->cap_permitted; | 521 | cred->cap_effective = cred->cap_permitted; |
517 | } | 522 | } |
518 | } | 523 | } |
519 | 524 | ||
520 | int cap_task_post_setuid (uid_t old_ruid, uid_t old_euid, uid_t old_suid, | 525 | int cap_task_post_setuid (uid_t old_ruid, uid_t old_euid, uid_t old_suid, |
521 | int flags) | 526 | int flags) |
522 | { | 527 | { |
528 | struct cred *cred = current->cred; | ||
529 | |||
523 | switch (flags) { | 530 | switch (flags) { |
524 | case LSM_SETID_RE: | 531 | case LSM_SETID_RE: |
525 | case LSM_SETID_ID: | 532 | case LSM_SETID_ID: |
@@ -541,16 +548,16 @@ int cap_task_post_setuid (uid_t old_ruid, uid_t old_euid, uid_t old_suid, | |||
541 | */ | 548 | */ |
542 | 549 | ||
543 | if (!issecure (SECURE_NO_SETUID_FIXUP)) { | 550 | if (!issecure (SECURE_NO_SETUID_FIXUP)) { |
544 | if (old_fsuid == 0 && current_fsuid() != 0) { | 551 | if (old_fsuid == 0 && cred->fsuid != 0) { |
545 | current->cap_effective = | 552 | cred->cap_effective = |
546 | cap_drop_fs_set( | 553 | cap_drop_fs_set( |
547 | current->cap_effective); | 554 | cred->cap_effective); |
548 | } | 555 | } |
549 | if (old_fsuid != 0 && current_fsuid() == 0) { | 556 | if (old_fsuid != 0 && cred->fsuid == 0) { |
550 | current->cap_effective = | 557 | cred->cap_effective = |
551 | cap_raise_fs_set( | 558 | cap_raise_fs_set( |
552 | current->cap_effective, | 559 | cred->cap_effective, |
553 | current->cap_permitted); | 560 | cred->cap_permitted); |
554 | } | 561 | } |
555 | } | 562 | } |
556 | break; | 563 | break; |
@@ -575,7 +582,8 @@ int cap_task_post_setuid (uid_t old_ruid, uid_t old_euid, uid_t old_suid, | |||
575 | */ | 582 | */ |
576 | static int cap_safe_nice(struct task_struct *p) | 583 | static int cap_safe_nice(struct task_struct *p) |
577 | { | 584 | { |
578 | if (!cap_issubset(p->cap_permitted, current->cap_permitted) && | 585 | if (!cap_issubset(p->cred->cap_permitted, |
586 | current->cred->cap_permitted) && | ||
579 | !capable(CAP_SYS_NICE)) | 587 | !capable(CAP_SYS_NICE)) |
580 | return -EPERM; | 588 | return -EPERM; |
581 | return 0; | 589 | return 0; |
@@ -610,7 +618,7 @@ static long cap_prctl_drop(unsigned long cap) | |||
610 | return -EPERM; | 618 | return -EPERM; |
611 | if (!cap_valid(cap)) | 619 | if (!cap_valid(cap)) |
612 | return -EINVAL; | 620 | return -EINVAL; |
613 | cap_lower(current->cap_bset, cap); | 621 | cap_lower(current->cred->cap_bset, cap); |
614 | return 0; | 622 | return 0; |
615 | } | 623 | } |
616 | 624 | ||
@@ -633,6 +641,7 @@ int cap_task_setnice (struct task_struct *p, int nice) | |||
633 | int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3, | 641 | int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3, |
634 | unsigned long arg4, unsigned long arg5, long *rc_p) | 642 | unsigned long arg4, unsigned long arg5, long *rc_p) |
635 | { | 643 | { |
644 | struct cred *cred = current->cred; | ||
636 | long error = 0; | 645 | long error = 0; |
637 | 646 | ||
638 | switch (option) { | 647 | switch (option) { |
@@ -640,7 +649,7 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3, | |||
640 | if (!cap_valid(arg2)) | 649 | if (!cap_valid(arg2)) |
641 | error = -EINVAL; | 650 | error = -EINVAL; |
642 | else | 651 | else |
643 | error = !!cap_raised(current->cap_bset, arg2); | 652 | error = !!cap_raised(cred->cap_bset, arg2); |
644 | break; | 653 | break; |
645 | #ifdef CONFIG_SECURITY_FILE_CAPABILITIES | 654 | #ifdef CONFIG_SECURITY_FILE_CAPABILITIES |
646 | case PR_CAPBSET_DROP: | 655 | case PR_CAPBSET_DROP: |
@@ -667,9 +676,9 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3, | |||
667 | * capability-based-privilege environment. | 676 | * capability-based-privilege environment. |
668 | */ | 677 | */ |
669 | case PR_SET_SECUREBITS: | 678 | case PR_SET_SECUREBITS: |
670 | if ((((current->securebits & SECURE_ALL_LOCKS) >> 1) | 679 | if ((((cred->securebits & SECURE_ALL_LOCKS) >> 1) |
671 | & (current->securebits ^ arg2)) /*[1]*/ | 680 | & (cred->securebits ^ arg2)) /*[1]*/ |
672 | || ((current->securebits & SECURE_ALL_LOCKS | 681 | || ((cred->securebits & SECURE_ALL_LOCKS |
673 | & ~arg2)) /*[2]*/ | 682 | & ~arg2)) /*[2]*/ |
674 | || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS)) /*[3]*/ | 683 | || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS)) /*[3]*/ |
675 | || (cap_capable(current, CAP_SETPCAP, SECURITY_CAP_AUDIT) != 0)) { /*[4]*/ | 684 | || (cap_capable(current, CAP_SETPCAP, SECURITY_CAP_AUDIT) != 0)) { /*[4]*/ |
@@ -682,11 +691,11 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3, | |||
682 | */ | 691 | */ |
683 | error = -EPERM; /* cannot change a locked bit */ | 692 | error = -EPERM; /* cannot change a locked bit */ |
684 | } else { | 693 | } else { |
685 | current->securebits = arg2; | 694 | cred->securebits = arg2; |
686 | } | 695 | } |
687 | break; | 696 | break; |
688 | case PR_GET_SECUREBITS: | 697 | case PR_GET_SECUREBITS: |
689 | error = current->securebits; | 698 | error = cred->securebits; |
690 | break; | 699 | break; |
691 | 700 | ||
692 | #endif /* def CONFIG_SECURITY_FILE_CAPABILITIES */ | 701 | #endif /* def CONFIG_SECURITY_FILE_CAPABILITIES */ |
@@ -701,10 +710,9 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3, | |||
701 | else if (issecure(SECURE_KEEP_CAPS_LOCKED)) | 710 | else if (issecure(SECURE_KEEP_CAPS_LOCKED)) |
702 | error = -EPERM; | 711 | error = -EPERM; |
703 | else if (arg2) | 712 | else if (arg2) |
704 | current->securebits |= issecure_mask(SECURE_KEEP_CAPS); | 713 | cred->securebits |= issecure_mask(SECURE_KEEP_CAPS); |
705 | else | 714 | else |
706 | current->securebits &= | 715 | cred->securebits &= ~issecure_mask(SECURE_KEEP_CAPS); |
707 | ~issecure_mask(SECURE_KEEP_CAPS); | ||
708 | break; | 716 | break; |
709 | 717 | ||
710 | default: | 718 | default: |
@@ -719,11 +727,12 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3, | |||
719 | 727 | ||
720 | void cap_task_reparent_to_init (struct task_struct *p) | 728 | void cap_task_reparent_to_init (struct task_struct *p) |
721 | { | 729 | { |
722 | cap_set_init_eff(p->cap_effective); | 730 | struct cred *cred = p->cred; |
723 | cap_clear(p->cap_inheritable); | 731 | |
724 | cap_set_full(p->cap_permitted); | 732 | cap_set_init_eff(cred->cap_effective); |
725 | p->securebits = SECUREBITS_DEFAULT; | 733 | cap_clear(cred->cap_inheritable); |
726 | return; | 734 | cap_set_full(cred->cap_permitted); |
735 | p->cred->securebits = SECUREBITS_DEFAULT; | ||
727 | } | 736 | } |
728 | 737 | ||
729 | int cap_syslog (int type) | 738 | int cap_syslog (int type) |
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c index fcce331eca72..8833b447adef 100644 --- a/security/keys/keyctl.c +++ b/security/keys/keyctl.c | |||
@@ -889,7 +889,7 @@ long keyctl_instantiate_key(key_serial_t id, | |||
889 | /* the appropriate instantiation authorisation key must have been | 889 | /* the appropriate instantiation authorisation key must have been |
890 | * assumed before calling this */ | 890 | * assumed before calling this */ |
891 | ret = -EPERM; | 891 | ret = -EPERM; |
892 | instkey = current->request_key_auth; | 892 | instkey = current->cred->request_key_auth; |
893 | if (!instkey) | 893 | if (!instkey) |
894 | goto error; | 894 | goto error; |
895 | 895 | ||
@@ -932,8 +932,8 @@ long keyctl_instantiate_key(key_serial_t id, | |||
932 | /* discard the assumed authority if it's just been disabled by | 932 | /* discard the assumed authority if it's just been disabled by |
933 | * instantiation of the key */ | 933 | * instantiation of the key */ |
934 | if (ret == 0) { | 934 | if (ret == 0) { |
935 | key_put(current->request_key_auth); | 935 | key_put(current->cred->request_key_auth); |
936 | current->request_key_auth = NULL; | 936 | current->cred->request_key_auth = NULL; |
937 | } | 937 | } |
938 | 938 | ||
939 | error2: | 939 | error2: |
@@ -960,7 +960,7 @@ long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid) | |||
960 | /* the appropriate instantiation authorisation key must have been | 960 | /* the appropriate instantiation authorisation key must have been |
961 | * assumed before calling this */ | 961 | * assumed before calling this */ |
962 | ret = -EPERM; | 962 | ret = -EPERM; |
963 | instkey = current->request_key_auth; | 963 | instkey = current->cred->request_key_auth; |
964 | if (!instkey) | 964 | if (!instkey) |
965 | goto error; | 965 | goto error; |
966 | 966 | ||
@@ -983,8 +983,8 @@ long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid) | |||
983 | /* discard the assumed authority if it's just been disabled by | 983 | /* discard the assumed authority if it's just been disabled by |
984 | * instantiation of the key */ | 984 | * instantiation of the key */ |
985 | if (ret == 0) { | 985 | if (ret == 0) { |
986 | key_put(current->request_key_auth); | 986 | key_put(current->cred->request_key_auth); |
987 | current->request_key_auth = NULL; | 987 | current->cred->request_key_auth = NULL; |
988 | } | 988 | } |
989 | 989 | ||
990 | error: | 990 | error: |
@@ -999,6 +999,7 @@ error: | |||
999 | */ | 999 | */ |
1000 | long keyctl_set_reqkey_keyring(int reqkey_defl) | 1000 | long keyctl_set_reqkey_keyring(int reqkey_defl) |
1001 | { | 1001 | { |
1002 | struct cred *cred = current->cred; | ||
1002 | int ret; | 1003 | int ret; |
1003 | 1004 | ||
1004 | switch (reqkey_defl) { | 1005 | switch (reqkey_defl) { |
@@ -1018,10 +1019,10 @@ long keyctl_set_reqkey_keyring(int reqkey_defl) | |||
1018 | case KEY_REQKEY_DEFL_USER_KEYRING: | 1019 | case KEY_REQKEY_DEFL_USER_KEYRING: |
1019 | case KEY_REQKEY_DEFL_USER_SESSION_KEYRING: | 1020 | case KEY_REQKEY_DEFL_USER_SESSION_KEYRING: |
1020 | set: | 1021 | set: |
1021 | current->jit_keyring = reqkey_defl; | 1022 | cred->jit_keyring = reqkey_defl; |
1022 | 1023 | ||
1023 | case KEY_REQKEY_DEFL_NO_CHANGE: | 1024 | case KEY_REQKEY_DEFL_NO_CHANGE: |
1024 | return current->jit_keyring; | 1025 | return cred->jit_keyring; |
1025 | 1026 | ||
1026 | case KEY_REQKEY_DEFL_GROUP_KEYRING: | 1027 | case KEY_REQKEY_DEFL_GROUP_KEYRING: |
1027 | default: | 1028 | default: |
@@ -1086,8 +1087,8 @@ long keyctl_assume_authority(key_serial_t id) | |||
1086 | 1087 | ||
1087 | /* we divest ourselves of authority if given an ID of 0 */ | 1088 | /* we divest ourselves of authority if given an ID of 0 */ |
1088 | if (id == 0) { | 1089 | if (id == 0) { |
1089 | key_put(current->request_key_auth); | 1090 | key_put(current->cred->request_key_auth); |
1090 | current->request_key_auth = NULL; | 1091 | current->cred->request_key_auth = NULL; |
1091 | ret = 0; | 1092 | ret = 0; |
1092 | goto error; | 1093 | goto error; |
1093 | } | 1094 | } |
@@ -1103,8 +1104,8 @@ long keyctl_assume_authority(key_serial_t id) | |||
1103 | goto error; | 1104 | goto error; |
1104 | } | 1105 | } |
1105 | 1106 | ||
1106 | key_put(current->request_key_auth); | 1107 | key_put(current->cred->request_key_auth); |
1107 | current->request_key_auth = authkey; | 1108 | current->cred->request_key_auth = authkey; |
1108 | ret = authkey->serial; | 1109 | ret = authkey->serial; |
1109 | 1110 | ||
1110 | error: | 1111 | error: |
diff --git a/security/keys/permission.c b/security/keys/permission.c index 3b41f9b52537..baf3d5f31e71 100644 --- a/security/keys/permission.c +++ b/security/keys/permission.c | |||
@@ -22,6 +22,7 @@ int key_task_permission(const key_ref_t key_ref, | |||
22 | struct task_struct *context, | 22 | struct task_struct *context, |
23 | key_perm_t perm) | 23 | key_perm_t perm) |
24 | { | 24 | { |
25 | struct cred *cred = context->cred; | ||
25 | struct key *key; | 26 | struct key *key; |
26 | key_perm_t kperm; | 27 | key_perm_t kperm; |
27 | int ret; | 28 | int ret; |
@@ -29,7 +30,7 @@ int key_task_permission(const key_ref_t key_ref, | |||
29 | key = key_ref_to_ptr(key_ref); | 30 | key = key_ref_to_ptr(key_ref); |
30 | 31 | ||
31 | /* use the second 8-bits of permissions for keys the caller owns */ | 32 | /* use the second 8-bits of permissions for keys the caller owns */ |
32 | if (key->uid == context->fsuid) { | 33 | if (key->uid == cred->fsuid) { |
33 | kperm = key->perm >> 16; | 34 | kperm = key->perm >> 16; |
34 | goto use_these_perms; | 35 | goto use_these_perms; |
35 | } | 36 | } |
@@ -37,14 +38,14 @@ int key_task_permission(const key_ref_t key_ref, | |||
37 | /* use the third 8-bits of permissions for keys the caller has a group | 38 | /* use the third 8-bits of permissions for keys the caller has a group |
38 | * membership in common with */ | 39 | * membership in common with */ |
39 | if (key->gid != -1 && key->perm & KEY_GRP_ALL) { | 40 | if (key->gid != -1 && key->perm & KEY_GRP_ALL) { |
40 | if (key->gid == context->fsgid) { | 41 | if (key->gid == cred->fsgid) { |
41 | kperm = key->perm >> 8; | 42 | kperm = key->perm >> 8; |
42 | goto use_these_perms; | 43 | goto use_these_perms; |
43 | } | 44 | } |
44 | 45 | ||
45 | task_lock(context); | 46 | spin_lock(&cred->lock); |
46 | ret = groups_search(context->group_info, key->gid); | 47 | ret = groups_search(cred->group_info, key->gid); |
47 | task_unlock(context); | 48 | spin_unlock(&cred->lock); |
48 | 49 | ||
49 | if (ret) { | 50 | if (ret) { |
50 | kperm = key->perm >> 8; | 51 | kperm = key->perm >> 8; |
diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c index 1c793b7090a7..b0904cdda2e7 100644 --- a/security/keys/process_keys.c +++ b/security/keys/process_keys.c | |||
@@ -42,7 +42,7 @@ struct key_user root_key_user = { | |||
42 | */ | 42 | */ |
43 | int install_user_keyrings(void) | 43 | int install_user_keyrings(void) |
44 | { | 44 | { |
45 | struct user_struct *user = current->user; | 45 | struct user_struct *user = current->cred->user; |
46 | struct key *uid_keyring, *session_keyring; | 46 | struct key *uid_keyring, *session_keyring; |
47 | char buf[20]; | 47 | char buf[20]; |
48 | int ret; | 48 | int ret; |
@@ -156,7 +156,7 @@ int install_thread_keyring(void) | |||
156 | 156 | ||
157 | sprintf(buf, "_tid.%u", tsk->pid); | 157 | sprintf(buf, "_tid.%u", tsk->pid); |
158 | 158 | ||
159 | keyring = keyring_alloc(buf, tsk->uid, tsk->gid, tsk, | 159 | keyring = keyring_alloc(buf, tsk->cred->uid, tsk->cred->gid, tsk, |
160 | KEY_ALLOC_QUOTA_OVERRUN, NULL); | 160 | KEY_ALLOC_QUOTA_OVERRUN, NULL); |
161 | if (IS_ERR(keyring)) { | 161 | if (IS_ERR(keyring)) { |
162 | ret = PTR_ERR(keyring); | 162 | ret = PTR_ERR(keyring); |
@@ -164,8 +164,8 @@ int install_thread_keyring(void) | |||
164 | } | 164 | } |
165 | 165 | ||
166 | task_lock(tsk); | 166 | task_lock(tsk); |
167 | old = tsk->thread_keyring; | 167 | old = tsk->cred->thread_keyring; |
168 | tsk->thread_keyring = keyring; | 168 | tsk->cred->thread_keyring = keyring; |
169 | task_unlock(tsk); | 169 | task_unlock(tsk); |
170 | 170 | ||
171 | ret = 0; | 171 | ret = 0; |
@@ -192,7 +192,7 @@ int install_process_keyring(void) | |||
192 | if (!tsk->signal->process_keyring) { | 192 | if (!tsk->signal->process_keyring) { |
193 | sprintf(buf, "_pid.%u", tsk->tgid); | 193 | sprintf(buf, "_pid.%u", tsk->tgid); |
194 | 194 | ||
195 | keyring = keyring_alloc(buf, tsk->uid, tsk->gid, tsk, | 195 | keyring = keyring_alloc(buf, tsk->cred->uid, tsk->cred->gid, tsk, |
196 | KEY_ALLOC_QUOTA_OVERRUN, NULL); | 196 | KEY_ALLOC_QUOTA_OVERRUN, NULL); |
197 | if (IS_ERR(keyring)) { | 197 | if (IS_ERR(keyring)) { |
198 | ret = PTR_ERR(keyring); | 198 | ret = PTR_ERR(keyring); |
@@ -238,7 +238,7 @@ static int install_session_keyring(struct key *keyring) | |||
238 | if (tsk->signal->session_keyring) | 238 | if (tsk->signal->session_keyring) |
239 | flags = KEY_ALLOC_IN_QUOTA; | 239 | flags = KEY_ALLOC_IN_QUOTA; |
240 | 240 | ||
241 | keyring = keyring_alloc(buf, tsk->uid, tsk->gid, tsk, | 241 | keyring = keyring_alloc(buf, tsk->cred->uid, tsk->cred->gid, tsk, |
242 | flags, NULL); | 242 | flags, NULL); |
243 | if (IS_ERR(keyring)) | 243 | if (IS_ERR(keyring)) |
244 | return PTR_ERR(keyring); | 244 | return PTR_ERR(keyring); |
@@ -292,14 +292,14 @@ int copy_thread_group_keys(struct task_struct *tsk) | |||
292 | */ | 292 | */ |
293 | int copy_keys(unsigned long clone_flags, struct task_struct *tsk) | 293 | int copy_keys(unsigned long clone_flags, struct task_struct *tsk) |
294 | { | 294 | { |
295 | key_check(tsk->thread_keyring); | 295 | key_check(tsk->cred->thread_keyring); |
296 | key_check(tsk->request_key_auth); | 296 | key_check(tsk->cred->request_key_auth); |
297 | 297 | ||
298 | /* no thread keyring yet */ | 298 | /* no thread keyring yet */ |
299 | tsk->thread_keyring = NULL; | 299 | tsk->cred->thread_keyring = NULL; |
300 | 300 | ||
301 | /* copy the request_key() authorisation for this thread */ | 301 | /* copy the request_key() authorisation for this thread */ |
302 | key_get(tsk->request_key_auth); | 302 | key_get(tsk->cred->request_key_auth); |
303 | 303 | ||
304 | return 0; | 304 | return 0; |
305 | 305 | ||
@@ -322,8 +322,8 @@ void exit_thread_group_keys(struct signal_struct *tg) | |||
322 | */ | 322 | */ |
323 | void exit_keys(struct task_struct *tsk) | 323 | void exit_keys(struct task_struct *tsk) |
324 | { | 324 | { |
325 | key_put(tsk->thread_keyring); | 325 | key_put(tsk->cred->thread_keyring); |
326 | key_put(tsk->request_key_auth); | 326 | key_put(tsk->cred->request_key_auth); |
327 | 327 | ||
328 | } /* end exit_keys() */ | 328 | } /* end exit_keys() */ |
329 | 329 | ||
@@ -337,8 +337,8 @@ int exec_keys(struct task_struct *tsk) | |||
337 | 337 | ||
338 | /* newly exec'd tasks don't get a thread keyring */ | 338 | /* newly exec'd tasks don't get a thread keyring */ |
339 | task_lock(tsk); | 339 | task_lock(tsk); |
340 | old = tsk->thread_keyring; | 340 | old = tsk->cred->thread_keyring; |
341 | tsk->thread_keyring = NULL; | 341 | tsk->cred->thread_keyring = NULL; |
342 | task_unlock(tsk); | 342 | task_unlock(tsk); |
343 | 343 | ||
344 | key_put(old); | 344 | key_put(old); |
@@ -373,10 +373,11 @@ int suid_keys(struct task_struct *tsk) | |||
373 | void key_fsuid_changed(struct task_struct *tsk) | 373 | void key_fsuid_changed(struct task_struct *tsk) |
374 | { | 374 | { |
375 | /* update the ownership of the thread keyring */ | 375 | /* update the ownership of the thread keyring */ |
376 | if (tsk->thread_keyring) { | 376 | BUG_ON(!tsk->cred); |
377 | down_write(&tsk->thread_keyring->sem); | 377 | if (tsk->cred->thread_keyring) { |
378 | tsk->thread_keyring->uid = tsk->fsuid; | 378 | down_write(&tsk->cred->thread_keyring->sem); |
379 | up_write(&tsk->thread_keyring->sem); | 379 | tsk->cred->thread_keyring->uid = tsk->cred->fsuid; |
380 | up_write(&tsk->cred->thread_keyring->sem); | ||
380 | } | 381 | } |
381 | 382 | ||
382 | } /* end key_fsuid_changed() */ | 383 | } /* end key_fsuid_changed() */ |
@@ -388,10 +389,11 @@ void key_fsuid_changed(struct task_struct *tsk) | |||
388 | void key_fsgid_changed(struct task_struct *tsk) | 389 | void key_fsgid_changed(struct task_struct *tsk) |
389 | { | 390 | { |
390 | /* update the ownership of the thread keyring */ | 391 | /* update the ownership of the thread keyring */ |
391 | if (tsk->thread_keyring) { | 392 | BUG_ON(!tsk->cred); |
392 | down_write(&tsk->thread_keyring->sem); | 393 | if (tsk->cred->thread_keyring) { |
393 | tsk->thread_keyring->gid = tsk->fsgid; | 394 | down_write(&tsk->cred->thread_keyring->sem); |
394 | up_write(&tsk->thread_keyring->sem); | 395 | tsk->cred->thread_keyring->gid = tsk->cred->fsgid; |
396 | up_write(&tsk->cred->thread_keyring->sem); | ||
395 | } | 397 | } |
396 | 398 | ||
397 | } /* end key_fsgid_changed() */ | 399 | } /* end key_fsgid_changed() */ |
@@ -426,9 +428,9 @@ key_ref_t search_process_keyrings(struct key_type *type, | |||
426 | err = ERR_PTR(-EAGAIN); | 428 | err = ERR_PTR(-EAGAIN); |
427 | 429 | ||
428 | /* search the thread keyring first */ | 430 | /* search the thread keyring first */ |
429 | if (context->thread_keyring) { | 431 | if (context->cred->thread_keyring) { |
430 | key_ref = keyring_search_aux( | 432 | key_ref = keyring_search_aux( |
431 | make_key_ref(context->thread_keyring, 1), | 433 | make_key_ref(context->cred->thread_keyring, 1), |
432 | context, type, description, match); | 434 | context, type, description, match); |
433 | if (!IS_ERR(key_ref)) | 435 | if (!IS_ERR(key_ref)) |
434 | goto found; | 436 | goto found; |
@@ -493,9 +495,9 @@ key_ref_t search_process_keyrings(struct key_type *type, | |||
493 | } | 495 | } |
494 | } | 496 | } |
495 | /* or search the user-session keyring */ | 497 | /* or search the user-session keyring */ |
496 | else if (context->user->session_keyring) { | 498 | else if (context->cred->user->session_keyring) { |
497 | key_ref = keyring_search_aux( | 499 | key_ref = keyring_search_aux( |
498 | make_key_ref(context->user->session_keyring, 1), | 500 | make_key_ref(context->cred->user->session_keyring, 1), |
499 | context, type, description, match); | 501 | context, type, description, match); |
500 | if (!IS_ERR(key_ref)) | 502 | if (!IS_ERR(key_ref)) |
501 | goto found; | 503 | goto found; |
@@ -517,20 +519,20 @@ key_ref_t search_process_keyrings(struct key_type *type, | |||
517 | * search the keyrings of the process mentioned there | 519 | * search the keyrings of the process mentioned there |
518 | * - we don't permit access to request_key auth keys via this method | 520 | * - we don't permit access to request_key auth keys via this method |
519 | */ | 521 | */ |
520 | if (context->request_key_auth && | 522 | if (context->cred->request_key_auth && |
521 | context == current && | 523 | context == current && |
522 | type != &key_type_request_key_auth | 524 | type != &key_type_request_key_auth |
523 | ) { | 525 | ) { |
524 | /* defend against the auth key being revoked */ | 526 | /* defend against the auth key being revoked */ |
525 | down_read(&context->request_key_auth->sem); | 527 | down_read(&context->cred->request_key_auth->sem); |
526 | 528 | ||
527 | if (key_validate(context->request_key_auth) == 0) { | 529 | if (key_validate(context->cred->request_key_auth) == 0) { |
528 | rka = context->request_key_auth->payload.data; | 530 | rka = context->cred->request_key_auth->payload.data; |
529 | 531 | ||
530 | key_ref = search_process_keyrings(type, description, | 532 | key_ref = search_process_keyrings(type, description, |
531 | match, rka->context); | 533 | match, rka->context); |
532 | 534 | ||
533 | up_read(&context->request_key_auth->sem); | 535 | up_read(&context->cred->request_key_auth->sem); |
534 | 536 | ||
535 | if (!IS_ERR(key_ref)) | 537 | if (!IS_ERR(key_ref)) |
536 | goto found; | 538 | goto found; |
@@ -547,7 +549,7 @@ key_ref_t search_process_keyrings(struct key_type *type, | |||
547 | break; | 549 | break; |
548 | } | 550 | } |
549 | } else { | 551 | } else { |
550 | up_read(&context->request_key_auth->sem); | 552 | up_read(&context->cred->request_key_auth->sem); |
551 | } | 553 | } |
552 | } | 554 | } |
553 | 555 | ||
@@ -580,15 +582,16 @@ key_ref_t lookup_user_key(key_serial_t id, int create, int partial, | |||
580 | { | 582 | { |
581 | struct request_key_auth *rka; | 583 | struct request_key_auth *rka; |
582 | struct task_struct *t = current; | 584 | struct task_struct *t = current; |
583 | key_ref_t key_ref, skey_ref; | 585 | struct cred *cred = t->cred; |
584 | struct key *key; | 586 | struct key *key; |
587 | key_ref_t key_ref, skey_ref; | ||
585 | int ret; | 588 | int ret; |
586 | 589 | ||
587 | key_ref = ERR_PTR(-ENOKEY); | 590 | key_ref = ERR_PTR(-ENOKEY); |
588 | 591 | ||
589 | switch (id) { | 592 | switch (id) { |
590 | case KEY_SPEC_THREAD_KEYRING: | 593 | case KEY_SPEC_THREAD_KEYRING: |
591 | if (!t->thread_keyring) { | 594 | if (!cred->thread_keyring) { |
592 | if (!create) | 595 | if (!create) |
593 | goto error; | 596 | goto error; |
594 | 597 | ||
@@ -599,7 +602,7 @@ key_ref_t lookup_user_key(key_serial_t id, int create, int partial, | |||
599 | } | 602 | } |
600 | } | 603 | } |
601 | 604 | ||
602 | key = t->thread_keyring; | 605 | key = cred->thread_keyring; |
603 | atomic_inc(&key->usage); | 606 | atomic_inc(&key->usage); |
604 | key_ref = make_key_ref(key, 1); | 607 | key_ref = make_key_ref(key, 1); |
605 | break; | 608 | break; |
@@ -628,7 +631,8 @@ key_ref_t lookup_user_key(key_serial_t id, int create, int partial, | |||
628 | ret = install_user_keyrings(); | 631 | ret = install_user_keyrings(); |
629 | if (ret < 0) | 632 | if (ret < 0) |
630 | goto error; | 633 | goto error; |
631 | ret = install_session_keyring(t->user->session_keyring); | 634 | ret = install_session_keyring( |
635 | cred->user->session_keyring); | ||
632 | if (ret < 0) | 636 | if (ret < 0) |
633 | goto error; | 637 | goto error; |
634 | } | 638 | } |
@@ -641,25 +645,25 @@ key_ref_t lookup_user_key(key_serial_t id, int create, int partial, | |||
641 | break; | 645 | break; |
642 | 646 | ||
643 | case KEY_SPEC_USER_KEYRING: | 647 | case KEY_SPEC_USER_KEYRING: |
644 | if (!t->user->uid_keyring) { | 648 | if (!cred->user->uid_keyring) { |
645 | ret = install_user_keyrings(); | 649 | ret = install_user_keyrings(); |
646 | if (ret < 0) | 650 | if (ret < 0) |
647 | goto error; | 651 | goto error; |
648 | } | 652 | } |
649 | 653 | ||
650 | key = t->user->uid_keyring; | 654 | key = cred->user->uid_keyring; |
651 | atomic_inc(&key->usage); | 655 | atomic_inc(&key->usage); |
652 | key_ref = make_key_ref(key, 1); | 656 | key_ref = make_key_ref(key, 1); |
653 | break; | 657 | break; |
654 | 658 | ||
655 | case KEY_SPEC_USER_SESSION_KEYRING: | 659 | case KEY_SPEC_USER_SESSION_KEYRING: |
656 | if (!t->user->session_keyring) { | 660 | if (!cred->user->session_keyring) { |
657 | ret = install_user_keyrings(); | 661 | ret = install_user_keyrings(); |
658 | if (ret < 0) | 662 | if (ret < 0) |
659 | goto error; | 663 | goto error; |
660 | } | 664 | } |
661 | 665 | ||
662 | key = t->user->session_keyring; | 666 | key = cred->user->session_keyring; |
663 | atomic_inc(&key->usage); | 667 | atomic_inc(&key->usage); |
664 | key_ref = make_key_ref(key, 1); | 668 | key_ref = make_key_ref(key, 1); |
665 | break; | 669 | break; |
@@ -670,7 +674,7 @@ key_ref_t lookup_user_key(key_serial_t id, int create, int partial, | |||
670 | goto error; | 674 | goto error; |
671 | 675 | ||
672 | case KEY_SPEC_REQKEY_AUTH_KEY: | 676 | case KEY_SPEC_REQKEY_AUTH_KEY: |
673 | key = t->request_key_auth; | 677 | key = cred->request_key_auth; |
674 | if (!key) | 678 | if (!key) |
675 | goto error; | 679 | goto error; |
676 | 680 | ||
@@ -679,19 +683,19 @@ key_ref_t lookup_user_key(key_serial_t id, int create, int partial, | |||
679 | break; | 683 | break; |
680 | 684 | ||
681 | case KEY_SPEC_REQUESTOR_KEYRING: | 685 | case KEY_SPEC_REQUESTOR_KEYRING: |
682 | if (!t->request_key_auth) | 686 | if (!cred->request_key_auth) |
683 | goto error; | 687 | goto error; |
684 | 688 | ||
685 | down_read(&t->request_key_auth->sem); | 689 | down_read(&cred->request_key_auth->sem); |
686 | if (t->request_key_auth->flags & KEY_FLAG_REVOKED) { | 690 | if (cred->request_key_auth->flags & KEY_FLAG_REVOKED) { |
687 | key_ref = ERR_PTR(-EKEYREVOKED); | 691 | key_ref = ERR_PTR(-EKEYREVOKED); |
688 | key = NULL; | 692 | key = NULL; |
689 | } else { | 693 | } else { |
690 | rka = t->request_key_auth->payload.data; | 694 | rka = cred->request_key_auth->payload.data; |
691 | key = rka->dest_keyring; | 695 | key = rka->dest_keyring; |
692 | atomic_inc(&key->usage); | 696 | atomic_inc(&key->usage); |
693 | } | 697 | } |
694 | up_read(&t->request_key_auth->sem); | 698 | up_read(&cred->request_key_auth->sem); |
695 | if (!key) | 699 | if (!key) |
696 | goto error; | 700 | goto error; |
697 | key_ref = make_key_ref(key, 1); | 701 | key_ref = make_key_ref(key, 1); |
@@ -791,7 +795,7 @@ long join_session_keyring(const char *name) | |||
791 | keyring = find_keyring_by_name(name, false); | 795 | keyring = find_keyring_by_name(name, false); |
792 | if (PTR_ERR(keyring) == -ENOKEY) { | 796 | if (PTR_ERR(keyring) == -ENOKEY) { |
793 | /* not found - try and create a new one */ | 797 | /* not found - try and create a new one */ |
794 | keyring = keyring_alloc(name, tsk->uid, tsk->gid, tsk, | 798 | keyring = keyring_alloc(name, tsk->cred->uid, tsk->cred->gid, tsk, |
795 | KEY_ALLOC_IN_QUOTA, NULL); | 799 | KEY_ALLOC_IN_QUOTA, NULL); |
796 | if (IS_ERR(keyring)) { | 800 | if (IS_ERR(keyring)) { |
797 | ret = PTR_ERR(keyring); | 801 | ret = PTR_ERR(keyring); |
diff --git a/security/keys/request_key.c b/security/keys/request_key.c index 8e9d93b4a402..3e9b9eb1dd28 100644 --- a/security/keys/request_key.c +++ b/security/keys/request_key.c | |||
@@ -104,7 +104,8 @@ static int call_sbin_request_key(struct key_construction *cons, | |||
104 | 104 | ||
105 | /* we specify the process's default keyrings */ | 105 | /* we specify the process's default keyrings */ |
106 | sprintf(keyring_str[0], "%d", | 106 | sprintf(keyring_str[0], "%d", |
107 | tsk->thread_keyring ? tsk->thread_keyring->serial : 0); | 107 | tsk->cred->thread_keyring ? |
108 | tsk->cred->thread_keyring->serial : 0); | ||
108 | 109 | ||
109 | prkey = 0; | 110 | prkey = 0; |
110 | if (tsk->signal->process_keyring) | 111 | if (tsk->signal->process_keyring) |
@@ -117,7 +118,7 @@ static int call_sbin_request_key(struct key_construction *cons, | |||
117 | sskey = rcu_dereference(tsk->signal->session_keyring)->serial; | 118 | sskey = rcu_dereference(tsk->signal->session_keyring)->serial; |
118 | rcu_read_unlock(); | 119 | rcu_read_unlock(); |
119 | } else { | 120 | } else { |
120 | sskey = tsk->user->session_keyring->serial; | 121 | sskey = tsk->cred->user->session_keyring->serial; |
121 | } | 122 | } |
122 | 123 | ||
123 | sprintf(keyring_str[2], "%d", sskey); | 124 | sprintf(keyring_str[2], "%d", sskey); |
@@ -232,11 +233,11 @@ static void construct_get_dest_keyring(struct key **_dest_keyring) | |||
232 | } else { | 233 | } else { |
233 | /* use a default keyring; falling through the cases until we | 234 | /* use a default keyring; falling through the cases until we |
234 | * find one that we actually have */ | 235 | * find one that we actually have */ |
235 | switch (tsk->jit_keyring) { | 236 | switch (tsk->cred->jit_keyring) { |
236 | case KEY_REQKEY_DEFL_DEFAULT: | 237 | case KEY_REQKEY_DEFL_DEFAULT: |
237 | case KEY_REQKEY_DEFL_REQUESTOR_KEYRING: | 238 | case KEY_REQKEY_DEFL_REQUESTOR_KEYRING: |
238 | if (tsk->request_key_auth) { | 239 | if (tsk->cred->request_key_auth) { |
239 | authkey = tsk->request_key_auth; | 240 | authkey = tsk->cred->request_key_auth; |
240 | down_read(&authkey->sem); | 241 | down_read(&authkey->sem); |
241 | rka = authkey->payload.data; | 242 | rka = authkey->payload.data; |
242 | if (!test_bit(KEY_FLAG_REVOKED, | 243 | if (!test_bit(KEY_FLAG_REVOKED, |
@@ -249,7 +250,7 @@ static void construct_get_dest_keyring(struct key **_dest_keyring) | |||
249 | } | 250 | } |
250 | 251 | ||
251 | case KEY_REQKEY_DEFL_THREAD_KEYRING: | 252 | case KEY_REQKEY_DEFL_THREAD_KEYRING: |
252 | dest_keyring = key_get(tsk->thread_keyring); | 253 | dest_keyring = key_get(tsk->cred->thread_keyring); |
253 | if (dest_keyring) | 254 | if (dest_keyring) |
254 | break; | 255 | break; |
255 | 256 | ||
@@ -268,11 +269,12 @@ static void construct_get_dest_keyring(struct key **_dest_keyring) | |||
268 | break; | 269 | break; |
269 | 270 | ||
270 | case KEY_REQKEY_DEFL_USER_SESSION_KEYRING: | 271 | case KEY_REQKEY_DEFL_USER_SESSION_KEYRING: |
271 | dest_keyring = key_get(tsk->user->session_keyring); | 272 | dest_keyring = |
273 | key_get(tsk->cred->user->session_keyring); | ||
272 | break; | 274 | break; |
273 | 275 | ||
274 | case KEY_REQKEY_DEFL_USER_KEYRING: | 276 | case KEY_REQKEY_DEFL_USER_KEYRING: |
275 | dest_keyring = key_get(tsk->user->uid_keyring); | 277 | dest_keyring = key_get(tsk->cred->user->uid_keyring); |
276 | break; | 278 | break; |
277 | 279 | ||
278 | case KEY_REQKEY_DEFL_GROUP_KEYRING: | 280 | case KEY_REQKEY_DEFL_GROUP_KEYRING: |
diff --git a/security/keys/request_key_auth.c b/security/keys/request_key_auth.c index 1762d44711d5..2125579d5d73 100644 --- a/security/keys/request_key_auth.c +++ b/security/keys/request_key_auth.c | |||
@@ -164,22 +164,22 @@ struct key *request_key_auth_new(struct key *target, const void *callout_info, | |||
164 | 164 | ||
165 | /* see if the calling process is already servicing the key request of | 165 | /* see if the calling process is already servicing the key request of |
166 | * another process */ | 166 | * another process */ |
167 | if (current->request_key_auth) { | 167 | if (current->cred->request_key_auth) { |
168 | /* it is - use that instantiation context here too */ | 168 | /* it is - use that instantiation context here too */ |
169 | down_read(¤t->request_key_auth->sem); | 169 | down_read(¤t->cred->request_key_auth->sem); |
170 | 170 | ||
171 | /* if the auth key has been revoked, then the key we're | 171 | /* if the auth key has been revoked, then the key we're |
172 | * servicing is already instantiated */ | 172 | * servicing is already instantiated */ |
173 | if (test_bit(KEY_FLAG_REVOKED, | 173 | if (test_bit(KEY_FLAG_REVOKED, |
174 | ¤t->request_key_auth->flags)) | 174 | ¤t->cred->request_key_auth->flags)) |
175 | goto auth_key_revoked; | 175 | goto auth_key_revoked; |
176 | 176 | ||
177 | irka = current->request_key_auth->payload.data; | 177 | irka = current->cred->request_key_auth->payload.data; |
178 | rka->context = irka->context; | 178 | rka->context = irka->context; |
179 | rka->pid = irka->pid; | 179 | rka->pid = irka->pid; |
180 | get_task_struct(rka->context); | 180 | get_task_struct(rka->context); |
181 | 181 | ||
182 | up_read(¤t->request_key_auth->sem); | 182 | up_read(¤t->cred->request_key_auth->sem); |
183 | } | 183 | } |
184 | else { | 184 | else { |
185 | /* it isn't - use this process as the context */ | 185 | /* it isn't - use this process as the context */ |
@@ -214,7 +214,7 @@ struct key *request_key_auth_new(struct key *target, const void *callout_info, | |||
214 | return authkey; | 214 | return authkey; |
215 | 215 | ||
216 | auth_key_revoked: | 216 | auth_key_revoked: |
217 | up_read(¤t->request_key_auth->sem); | 217 | up_read(¤t->cred->request_key_auth->sem); |
218 | kfree(rka->callout_info); | 218 | kfree(rka->callout_info); |
219 | kfree(rka); | 219 | kfree(rka); |
220 | kleave("= -EKEYREVOKED"); | 220 | kleave("= -EKEYREVOKED"); |
diff --git a/security/selinux/exports.c b/security/selinux/exports.c index 64af2d3409ef..cf02490cd1eb 100644 --- a/security/selinux/exports.c +++ b/security/selinux/exports.c | |||
@@ -39,7 +39,7 @@ EXPORT_SYMBOL_GPL(selinux_string_to_sid); | |||
39 | int selinux_secmark_relabel_packet_permission(u32 sid) | 39 | int selinux_secmark_relabel_packet_permission(u32 sid) |
40 | { | 40 | { |
41 | if (selinux_enabled) { | 41 | if (selinux_enabled) { |
42 | struct task_security_struct *tsec = current->security; | 42 | struct task_security_struct *tsec = current->cred->security; |
43 | 43 | ||
44 | return avc_has_perm(tsec->sid, sid, SECCLASS_PACKET, | 44 | return avc_has_perm(tsec->sid, sid, SECCLASS_PACKET, |
45 | PACKET__RELABELTO, NULL); | 45 | PACKET__RELABELTO, NULL); |
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 9f6da154cc82..328308f2882a 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
@@ -167,21 +167,21 @@ static int task_alloc_security(struct task_struct *task) | |||
167 | return -ENOMEM; | 167 | return -ENOMEM; |
168 | 168 | ||
169 | tsec->osid = tsec->sid = SECINITSID_UNLABELED; | 169 | tsec->osid = tsec->sid = SECINITSID_UNLABELED; |
170 | task->security = tsec; | 170 | task->cred->security = tsec; |
171 | 171 | ||
172 | return 0; | 172 | return 0; |
173 | } | 173 | } |
174 | 174 | ||
175 | static void task_free_security(struct task_struct *task) | 175 | static void task_free_security(struct task_struct *task) |
176 | { | 176 | { |
177 | struct task_security_struct *tsec = task->security; | 177 | struct task_security_struct *tsec = task->cred->security; |
178 | task->security = NULL; | 178 | task->cred->security = NULL; |
179 | kfree(tsec); | 179 | kfree(tsec); |
180 | } | 180 | } |
181 | 181 | ||
182 | static int inode_alloc_security(struct inode *inode) | 182 | static int inode_alloc_security(struct inode *inode) |
183 | { | 183 | { |
184 | struct task_security_struct *tsec = current->security; | 184 | struct task_security_struct *tsec = current->cred->security; |
185 | struct inode_security_struct *isec; | 185 | struct inode_security_struct *isec; |
186 | 186 | ||
187 | isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS); | 187 | isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS); |
@@ -215,7 +215,7 @@ static void inode_free_security(struct inode *inode) | |||
215 | 215 | ||
216 | static int file_alloc_security(struct file *file) | 216 | static int file_alloc_security(struct file *file) |
217 | { | 217 | { |
218 | struct task_security_struct *tsec = current->security; | 218 | struct task_security_struct *tsec = current->cred->security; |
219 | struct file_security_struct *fsec; | 219 | struct file_security_struct *fsec; |
220 | 220 | ||
221 | fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL); | 221 | fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL); |
@@ -554,7 +554,7 @@ static int selinux_set_mnt_opts(struct super_block *sb, | |||
554 | struct security_mnt_opts *opts) | 554 | struct security_mnt_opts *opts) |
555 | { | 555 | { |
556 | int rc = 0, i; | 556 | int rc = 0, i; |
557 | struct task_security_struct *tsec = current->security; | 557 | struct task_security_struct *tsec = current->cred->security; |
558 | struct superblock_security_struct *sbsec = sb->s_security; | 558 | struct superblock_security_struct *sbsec = sb->s_security; |
559 | const char *name = sb->s_type->name; | 559 | const char *name = sb->s_type->name; |
560 | struct inode *inode = sbsec->sb->s_root->d_inode; | 560 | struct inode *inode = sbsec->sb->s_root->d_inode; |
@@ -1353,8 +1353,8 @@ static int task_has_perm(struct task_struct *tsk1, | |||
1353 | { | 1353 | { |
1354 | struct task_security_struct *tsec1, *tsec2; | 1354 | struct task_security_struct *tsec1, *tsec2; |
1355 | 1355 | ||
1356 | tsec1 = tsk1->security; | 1356 | tsec1 = tsk1->cred->security; |
1357 | tsec2 = tsk2->security; | 1357 | tsec2 = tsk2->cred->security; |
1358 | return avc_has_perm(tsec1->sid, tsec2->sid, | 1358 | return avc_has_perm(tsec1->sid, tsec2->sid, |
1359 | SECCLASS_PROCESS, perms, NULL); | 1359 | SECCLASS_PROCESS, perms, NULL); |
1360 | } | 1360 | } |
@@ -1374,7 +1374,7 @@ static int task_has_capability(struct task_struct *tsk, | |||
1374 | u32 av = CAP_TO_MASK(cap); | 1374 | u32 av = CAP_TO_MASK(cap); |
1375 | int rc; | 1375 | int rc; |
1376 | 1376 | ||
1377 | tsec = tsk->security; | 1377 | tsec = tsk->cred->security; |
1378 | 1378 | ||
1379 | AVC_AUDIT_DATA_INIT(&ad, CAP); | 1379 | AVC_AUDIT_DATA_INIT(&ad, CAP); |
1380 | ad.tsk = tsk; | 1380 | ad.tsk = tsk; |
@@ -1405,7 +1405,7 @@ static int task_has_system(struct task_struct *tsk, | |||
1405 | { | 1405 | { |
1406 | struct task_security_struct *tsec; | 1406 | struct task_security_struct *tsec; |
1407 | 1407 | ||
1408 | tsec = tsk->security; | 1408 | tsec = tsk->cred->security; |
1409 | 1409 | ||
1410 | return avc_has_perm(tsec->sid, SECINITSID_KERNEL, | 1410 | return avc_has_perm(tsec->sid, SECINITSID_KERNEL, |
1411 | SECCLASS_SYSTEM, perms, NULL); | 1411 | SECCLASS_SYSTEM, perms, NULL); |
@@ -1426,7 +1426,7 @@ static int inode_has_perm(struct task_struct *tsk, | |||
1426 | if (unlikely(IS_PRIVATE(inode))) | 1426 | if (unlikely(IS_PRIVATE(inode))) |
1427 | return 0; | 1427 | return 0; |
1428 | 1428 | ||
1429 | tsec = tsk->security; | 1429 | tsec = tsk->cred->security; |
1430 | isec = inode->i_security; | 1430 | isec = inode->i_security; |
1431 | 1431 | ||
1432 | if (!adp) { | 1432 | if (!adp) { |
@@ -1466,7 +1466,7 @@ static int file_has_perm(struct task_struct *tsk, | |||
1466 | struct file *file, | 1466 | struct file *file, |
1467 | u32 av) | 1467 | u32 av) |
1468 | { | 1468 | { |
1469 | struct task_security_struct *tsec = tsk->security; | 1469 | struct task_security_struct *tsec = tsk->cred->security; |
1470 | struct file_security_struct *fsec = file->f_security; | 1470 | struct file_security_struct *fsec = file->f_security; |
1471 | struct inode *inode = file->f_path.dentry->d_inode; | 1471 | struct inode *inode = file->f_path.dentry->d_inode; |
1472 | struct avc_audit_data ad; | 1472 | struct avc_audit_data ad; |
@@ -1503,7 +1503,7 @@ static int may_create(struct inode *dir, | |||
1503 | struct avc_audit_data ad; | 1503 | struct avc_audit_data ad; |
1504 | int rc; | 1504 | int rc; |
1505 | 1505 | ||
1506 | tsec = current->security; | 1506 | tsec = current->cred->security; |
1507 | dsec = dir->i_security; | 1507 | dsec = dir->i_security; |
1508 | sbsec = dir->i_sb->s_security; | 1508 | sbsec = dir->i_sb->s_security; |
1509 | 1509 | ||
@@ -1540,7 +1540,7 @@ static int may_create_key(u32 ksid, | |||
1540 | { | 1540 | { |
1541 | struct task_security_struct *tsec; | 1541 | struct task_security_struct *tsec; |
1542 | 1542 | ||
1543 | tsec = ctx->security; | 1543 | tsec = ctx->cred->security; |
1544 | 1544 | ||
1545 | return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL); | 1545 | return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL); |
1546 | } | 1546 | } |
@@ -1561,7 +1561,7 @@ static int may_link(struct inode *dir, | |||
1561 | u32 av; | 1561 | u32 av; |
1562 | int rc; | 1562 | int rc; |
1563 | 1563 | ||
1564 | tsec = current->security; | 1564 | tsec = current->cred->security; |
1565 | dsec = dir->i_security; | 1565 | dsec = dir->i_security; |
1566 | isec = dentry->d_inode->i_security; | 1566 | isec = dentry->d_inode->i_security; |
1567 | 1567 | ||
@@ -1606,7 +1606,7 @@ static inline int may_rename(struct inode *old_dir, | |||
1606 | int old_is_dir, new_is_dir; | 1606 | int old_is_dir, new_is_dir; |
1607 | int rc; | 1607 | int rc; |
1608 | 1608 | ||
1609 | tsec = current->security; | 1609 | tsec = current->cred->security; |
1610 | old_dsec = old_dir->i_security; | 1610 | old_dsec = old_dir->i_security; |
1611 | old_isec = old_dentry->d_inode->i_security; | 1611 | old_isec = old_dentry->d_inode->i_security; |
1612 | old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode); | 1612 | old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode); |
@@ -1659,7 +1659,7 @@ static int superblock_has_perm(struct task_struct *tsk, | |||
1659 | struct task_security_struct *tsec; | 1659 | struct task_security_struct *tsec; |
1660 | struct superblock_security_struct *sbsec; | 1660 | struct superblock_security_struct *sbsec; |
1661 | 1661 | ||
1662 | tsec = tsk->security; | 1662 | tsec = tsk->cred->security; |
1663 | sbsec = sb->s_security; | 1663 | sbsec = sb->s_security; |
1664 | return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, | 1664 | return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, |
1665 | perms, ad); | 1665 | perms, ad); |
@@ -1758,8 +1758,8 @@ static int selinux_ptrace_may_access(struct task_struct *child, | |||
1758 | return rc; | 1758 | return rc; |
1759 | 1759 | ||
1760 | if (mode == PTRACE_MODE_READ) { | 1760 | if (mode == PTRACE_MODE_READ) { |
1761 | struct task_security_struct *tsec = current->security; | 1761 | struct task_security_struct *tsec = current->cred->security; |
1762 | struct task_security_struct *csec = child->security; | 1762 | struct task_security_struct *csec = child->cred->security; |
1763 | return avc_has_perm(tsec->sid, csec->sid, | 1763 | return avc_has_perm(tsec->sid, csec->sid, |
1764 | SECCLASS_FILE, FILE__READ, NULL); | 1764 | SECCLASS_FILE, FILE__READ, NULL); |
1765 | } | 1765 | } |
@@ -1874,7 +1874,7 @@ static int selinux_sysctl(ctl_table *table, int op) | |||
1874 | if (rc) | 1874 | if (rc) |
1875 | return rc; | 1875 | return rc; |
1876 | 1876 | ||
1877 | tsec = current->security; | 1877 | tsec = current->cred->security; |
1878 | 1878 | ||
1879 | rc = selinux_sysctl_get_sid(table, (op == 0001) ? | 1879 | rc = selinux_sysctl_get_sid(table, (op == 0001) ? |
1880 | SECCLASS_DIR : SECCLASS_FILE, &tsid); | 1880 | SECCLASS_DIR : SECCLASS_FILE, &tsid); |
@@ -2025,7 +2025,7 @@ static int selinux_bprm_set_security(struct linux_binprm *bprm) | |||
2025 | if (bsec->set) | 2025 | if (bsec->set) |
2026 | return 0; | 2026 | return 0; |
2027 | 2027 | ||
2028 | tsec = current->security; | 2028 | tsec = current->cred->security; |
2029 | isec = inode->i_security; | 2029 | isec = inode->i_security; |
2030 | 2030 | ||
2031 | /* Default to the current task SID. */ | 2031 | /* Default to the current task SID. */ |
@@ -2090,7 +2090,7 @@ static int selinux_bprm_check_security(struct linux_binprm *bprm) | |||
2090 | 2090 | ||
2091 | static int selinux_bprm_secureexec(struct linux_binprm *bprm) | 2091 | static int selinux_bprm_secureexec(struct linux_binprm *bprm) |
2092 | { | 2092 | { |
2093 | struct task_security_struct *tsec = current->security; | 2093 | struct task_security_struct *tsec = current->cred->security; |
2094 | int atsecure = 0; | 2094 | int atsecure = 0; |
2095 | 2095 | ||
2096 | if (tsec->osid != tsec->sid) { | 2096 | if (tsec->osid != tsec->sid) { |
@@ -2214,7 +2214,7 @@ static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe) | |||
2214 | 2214 | ||
2215 | secondary_ops->bprm_apply_creds(bprm, unsafe); | 2215 | secondary_ops->bprm_apply_creds(bprm, unsafe); |
2216 | 2216 | ||
2217 | tsec = current->security; | 2217 | tsec = current->cred->security; |
2218 | 2218 | ||
2219 | bsec = bprm->security; | 2219 | bsec = bprm->security; |
2220 | sid = bsec->sid; | 2220 | sid = bsec->sid; |
@@ -2243,7 +2243,7 @@ static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe) | |||
2243 | rcu_read_lock(); | 2243 | rcu_read_lock(); |
2244 | tracer = tracehook_tracer_task(current); | 2244 | tracer = tracehook_tracer_task(current); |
2245 | if (likely(tracer != NULL)) { | 2245 | if (likely(tracer != NULL)) { |
2246 | sec = tracer->security; | 2246 | sec = tracer->cred->security; |
2247 | ptsid = sec->sid; | 2247 | ptsid = sec->sid; |
2248 | } | 2248 | } |
2249 | rcu_read_unlock(); | 2249 | rcu_read_unlock(); |
@@ -2274,7 +2274,7 @@ static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm) | |||
2274 | int rc, i; | 2274 | int rc, i; |
2275 | unsigned long flags; | 2275 | unsigned long flags; |
2276 | 2276 | ||
2277 | tsec = current->security; | 2277 | tsec = current->cred->security; |
2278 | bsec = bprm->security; | 2278 | bsec = bprm->security; |
2279 | 2279 | ||
2280 | if (bsec->unsafe) { | 2280 | if (bsec->unsafe) { |
@@ -2521,7 +2521,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir, | |||
2521 | int rc; | 2521 | int rc; |
2522 | char *namep = NULL, *context; | 2522 | char *namep = NULL, *context; |
2523 | 2523 | ||
2524 | tsec = current->security; | 2524 | tsec = current->cred->security; |
2525 | dsec = dir->i_security; | 2525 | dsec = dir->i_security; |
2526 | sbsec = dir->i_sb->s_security; | 2526 | sbsec = dir->i_sb->s_security; |
2527 | 2527 | ||
@@ -2706,7 +2706,7 @@ static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name) | |||
2706 | static int selinux_inode_setxattr(struct dentry *dentry, const char *name, | 2706 | static int selinux_inode_setxattr(struct dentry *dentry, const char *name, |
2707 | const void *value, size_t size, int flags) | 2707 | const void *value, size_t size, int flags) |
2708 | { | 2708 | { |
2709 | struct task_security_struct *tsec = current->security; | 2709 | struct task_security_struct *tsec = current->cred->security; |
2710 | struct inode *inode = dentry->d_inode; | 2710 | struct inode *inode = dentry->d_inode; |
2711 | struct inode_security_struct *isec = inode->i_security; | 2711 | struct inode_security_struct *isec = inode->i_security; |
2712 | struct superblock_security_struct *sbsec; | 2712 | struct superblock_security_struct *sbsec; |
@@ -2918,7 +2918,7 @@ static int selinux_revalidate_file_permission(struct file *file, int mask) | |||
2918 | static int selinux_file_permission(struct file *file, int mask) | 2918 | static int selinux_file_permission(struct file *file, int mask) |
2919 | { | 2919 | { |
2920 | struct inode *inode = file->f_path.dentry->d_inode; | 2920 | struct inode *inode = file->f_path.dentry->d_inode; |
2921 | struct task_security_struct *tsec = current->security; | 2921 | struct task_security_struct *tsec = current->cred->security; |
2922 | struct file_security_struct *fsec = file->f_security; | 2922 | struct file_security_struct *fsec = file->f_security; |
2923 | struct inode_security_struct *isec = inode->i_security; | 2923 | struct inode_security_struct *isec = inode->i_security; |
2924 | 2924 | ||
@@ -2995,7 +2995,8 @@ static int selinux_file_mmap(struct file *file, unsigned long reqprot, | |||
2995 | unsigned long addr, unsigned long addr_only) | 2995 | unsigned long addr, unsigned long addr_only) |
2996 | { | 2996 | { |
2997 | int rc = 0; | 2997 | int rc = 0; |
2998 | u32 sid = ((struct task_security_struct *)(current->security))->sid; | 2998 | u32 sid = ((struct task_security_struct *) |
2999 | (current->cred->security))->sid; | ||
2999 | 3000 | ||
3000 | if (addr < mmap_min_addr) | 3001 | if (addr < mmap_min_addr) |
3001 | rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT, | 3002 | rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT, |
@@ -3107,7 +3108,7 @@ static int selinux_file_set_fowner(struct file *file) | |||
3107 | struct task_security_struct *tsec; | 3108 | struct task_security_struct *tsec; |
3108 | struct file_security_struct *fsec; | 3109 | struct file_security_struct *fsec; |
3109 | 3110 | ||
3110 | tsec = current->security; | 3111 | tsec = current->cred->security; |
3111 | fsec = file->f_security; | 3112 | fsec = file->f_security; |
3112 | fsec->fown_sid = tsec->sid; | 3113 | fsec->fown_sid = tsec->sid; |
3113 | 3114 | ||
@@ -3125,7 +3126,7 @@ static int selinux_file_send_sigiotask(struct task_struct *tsk, | |||
3125 | /* struct fown_struct is never outside the context of a struct file */ | 3126 | /* struct fown_struct is never outside the context of a struct file */ |
3126 | file = container_of(fown, struct file, f_owner); | 3127 | file = container_of(fown, struct file, f_owner); |
3127 | 3128 | ||
3128 | tsec = tsk->security; | 3129 | tsec = tsk->cred->security; |
3129 | fsec = file->f_security; | 3130 | fsec = file->f_security; |
3130 | 3131 | ||
3131 | if (!signum) | 3132 | if (!signum) |
@@ -3188,12 +3189,12 @@ static int selinux_task_alloc_security(struct task_struct *tsk) | |||
3188 | struct task_security_struct *tsec1, *tsec2; | 3189 | struct task_security_struct *tsec1, *tsec2; |
3189 | int rc; | 3190 | int rc; |
3190 | 3191 | ||
3191 | tsec1 = current->security; | 3192 | tsec1 = current->cred->security; |
3192 | 3193 | ||
3193 | rc = task_alloc_security(tsk); | 3194 | rc = task_alloc_security(tsk); |
3194 | if (rc) | 3195 | if (rc) |
3195 | return rc; | 3196 | return rc; |
3196 | tsec2 = tsk->security; | 3197 | tsec2 = tsk->cred->security; |
3197 | 3198 | ||
3198 | tsec2->osid = tsec1->osid; | 3199 | tsec2->osid = tsec1->osid; |
3199 | tsec2->sid = tsec1->sid; | 3200 | tsec2->sid = tsec1->sid; |
@@ -3251,7 +3252,7 @@ static int selinux_task_getsid(struct task_struct *p) | |||
3251 | 3252 | ||
3252 | static void selinux_task_getsecid(struct task_struct *p, u32 *secid) | 3253 | static void selinux_task_getsecid(struct task_struct *p, u32 *secid) |
3253 | { | 3254 | { |
3254 | struct task_security_struct *tsec = p->security; | 3255 | struct task_security_struct *tsec = p->cred->security; |
3255 | *secid = tsec->sid; | 3256 | *secid = tsec->sid; |
3256 | } | 3257 | } |
3257 | 3258 | ||
@@ -3343,7 +3344,7 @@ static int selinux_task_kill(struct task_struct *p, struct siginfo *info, | |||
3343 | perm = PROCESS__SIGNULL; /* null signal; existence test */ | 3344 | perm = PROCESS__SIGNULL; /* null signal; existence test */ |
3344 | else | 3345 | else |
3345 | perm = signal_to_av(sig); | 3346 | perm = signal_to_av(sig); |
3346 | tsec = p->security; | 3347 | tsec = p->cred->security; |
3347 | if (secid) | 3348 | if (secid) |
3348 | rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL); | 3349 | rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL); |
3349 | else | 3350 | else |
@@ -3375,7 +3376,7 @@ static void selinux_task_reparent_to_init(struct task_struct *p) | |||
3375 | 3376 | ||
3376 | secondary_ops->task_reparent_to_init(p); | 3377 | secondary_ops->task_reparent_to_init(p); |
3377 | 3378 | ||
3378 | tsec = p->security; | 3379 | tsec = p->cred->security; |
3379 | tsec->osid = tsec->sid; | 3380 | tsec->osid = tsec->sid; |
3380 | tsec->sid = SECINITSID_KERNEL; | 3381 | tsec->sid = SECINITSID_KERNEL; |
3381 | return; | 3382 | return; |
@@ -3384,7 +3385,7 @@ static void selinux_task_reparent_to_init(struct task_struct *p) | |||
3384 | static void selinux_task_to_inode(struct task_struct *p, | 3385 | static void selinux_task_to_inode(struct task_struct *p, |
3385 | struct inode *inode) | 3386 | struct inode *inode) |
3386 | { | 3387 | { |
3387 | struct task_security_struct *tsec = p->security; | 3388 | struct task_security_struct *tsec = p->cred->security; |
3388 | struct inode_security_struct *isec = inode->i_security; | 3389 | struct inode_security_struct *isec = inode->i_security; |
3389 | 3390 | ||
3390 | isec->sid = tsec->sid; | 3391 | isec->sid = tsec->sid; |
@@ -3632,7 +3633,7 @@ static int socket_has_perm(struct task_struct *task, struct socket *sock, | |||
3632 | struct avc_audit_data ad; | 3633 | struct avc_audit_data ad; |
3633 | int err = 0; | 3634 | int err = 0; |
3634 | 3635 | ||
3635 | tsec = task->security; | 3636 | tsec = task->cred->security; |
3636 | isec = SOCK_INODE(sock)->i_security; | 3637 | isec = SOCK_INODE(sock)->i_security; |
3637 | 3638 | ||
3638 | if (isec->sid == SECINITSID_KERNEL) | 3639 | if (isec->sid == SECINITSID_KERNEL) |
@@ -3656,7 +3657,7 @@ static int selinux_socket_create(int family, int type, | |||
3656 | if (kern) | 3657 | if (kern) |
3657 | goto out; | 3658 | goto out; |
3658 | 3659 | ||
3659 | tsec = current->security; | 3660 | tsec = current->cred->security; |
3660 | newsid = tsec->sockcreate_sid ? : tsec->sid; | 3661 | newsid = tsec->sockcreate_sid ? : tsec->sid; |
3661 | err = avc_has_perm(tsec->sid, newsid, | 3662 | err = avc_has_perm(tsec->sid, newsid, |
3662 | socket_type_to_security_class(family, type, | 3663 | socket_type_to_security_class(family, type, |
@@ -3677,7 +3678,7 @@ static int selinux_socket_post_create(struct socket *sock, int family, | |||
3677 | 3678 | ||
3678 | isec = SOCK_INODE(sock)->i_security; | 3679 | isec = SOCK_INODE(sock)->i_security; |
3679 | 3680 | ||
3680 | tsec = current->security; | 3681 | tsec = current->cred->security; |
3681 | newsid = tsec->sockcreate_sid ? : tsec->sid; | 3682 | newsid = tsec->sockcreate_sid ? : tsec->sid; |
3682 | isec->sclass = socket_type_to_security_class(family, type, protocol); | 3683 | isec->sclass = socket_type_to_security_class(family, type, protocol); |
3683 | isec->sid = kern ? SECINITSID_KERNEL : newsid; | 3684 | isec->sid = kern ? SECINITSID_KERNEL : newsid; |
@@ -3723,7 +3724,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in | |||
3723 | struct sock *sk = sock->sk; | 3724 | struct sock *sk = sock->sk; |
3724 | u32 sid, node_perm; | 3725 | u32 sid, node_perm; |
3725 | 3726 | ||
3726 | tsec = current->security; | 3727 | tsec = current->cred->security; |
3727 | isec = SOCK_INODE(sock)->i_security; | 3728 | isec = SOCK_INODE(sock)->i_security; |
3728 | 3729 | ||
3729 | if (family == PF_INET) { | 3730 | if (family == PF_INET) { |
@@ -4764,7 +4765,7 @@ static int ipc_alloc_security(struct task_struct *task, | |||
4764 | struct kern_ipc_perm *perm, | 4765 | struct kern_ipc_perm *perm, |
4765 | u16 sclass) | 4766 | u16 sclass) |
4766 | { | 4767 | { |
4767 | struct task_security_struct *tsec = task->security; | 4768 | struct task_security_struct *tsec = task->cred->security; |
4768 | struct ipc_security_struct *isec; | 4769 | struct ipc_security_struct *isec; |
4769 | 4770 | ||
4770 | isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL); | 4771 | isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL); |
@@ -4814,7 +4815,7 @@ static int ipc_has_perm(struct kern_ipc_perm *ipc_perms, | |||
4814 | struct ipc_security_struct *isec; | 4815 | struct ipc_security_struct *isec; |
4815 | struct avc_audit_data ad; | 4816 | struct avc_audit_data ad; |
4816 | 4817 | ||
4817 | tsec = current->security; | 4818 | tsec = current->cred->security; |
4818 | isec = ipc_perms->security; | 4819 | isec = ipc_perms->security; |
4819 | 4820 | ||
4820 | AVC_AUDIT_DATA_INIT(&ad, IPC); | 4821 | AVC_AUDIT_DATA_INIT(&ad, IPC); |
@@ -4845,7 +4846,7 @@ static int selinux_msg_queue_alloc_security(struct msg_queue *msq) | |||
4845 | if (rc) | 4846 | if (rc) |
4846 | return rc; | 4847 | return rc; |
4847 | 4848 | ||
4848 | tsec = current->security; | 4849 | tsec = current->cred->security; |
4849 | isec = msq->q_perm.security; | 4850 | isec = msq->q_perm.security; |
4850 | 4851 | ||
4851 | AVC_AUDIT_DATA_INIT(&ad, IPC); | 4852 | AVC_AUDIT_DATA_INIT(&ad, IPC); |
@@ -4871,7 +4872,7 @@ static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg) | |||
4871 | struct ipc_security_struct *isec; | 4872 | struct ipc_security_struct *isec; |
4872 | struct avc_audit_data ad; | 4873 | struct avc_audit_data ad; |
4873 | 4874 | ||
4874 | tsec = current->security; | 4875 | tsec = current->cred->security; |
4875 | isec = msq->q_perm.security; | 4876 | isec = msq->q_perm.security; |
4876 | 4877 | ||
4877 | AVC_AUDIT_DATA_INIT(&ad, IPC); | 4878 | AVC_AUDIT_DATA_INIT(&ad, IPC); |
@@ -4917,7 +4918,7 @@ static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, | |||
4917 | struct avc_audit_data ad; | 4918 | struct avc_audit_data ad; |
4918 | int rc; | 4919 | int rc; |
4919 | 4920 | ||
4920 | tsec = current->security; | 4921 | tsec = current->cred->security; |
4921 | isec = msq->q_perm.security; | 4922 | isec = msq->q_perm.security; |
4922 | msec = msg->security; | 4923 | msec = msg->security; |
4923 | 4924 | ||
@@ -4965,7 +4966,7 @@ static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, | |||
4965 | struct avc_audit_data ad; | 4966 | struct avc_audit_data ad; |
4966 | int rc; | 4967 | int rc; |
4967 | 4968 | ||
4968 | tsec = target->security; | 4969 | tsec = target->cred->security; |
4969 | isec = msq->q_perm.security; | 4970 | isec = msq->q_perm.security; |
4970 | msec = msg->security; | 4971 | msec = msg->security; |
4971 | 4972 | ||
@@ -4992,7 +4993,7 @@ static int selinux_shm_alloc_security(struct shmid_kernel *shp) | |||
4992 | if (rc) | 4993 | if (rc) |
4993 | return rc; | 4994 | return rc; |
4994 | 4995 | ||
4995 | tsec = current->security; | 4996 | tsec = current->cred->security; |
4996 | isec = shp->shm_perm.security; | 4997 | isec = shp->shm_perm.security; |
4997 | 4998 | ||
4998 | AVC_AUDIT_DATA_INIT(&ad, IPC); | 4999 | AVC_AUDIT_DATA_INIT(&ad, IPC); |
@@ -5018,7 +5019,7 @@ static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg) | |||
5018 | struct ipc_security_struct *isec; | 5019 | struct ipc_security_struct *isec; |
5019 | struct avc_audit_data ad; | 5020 | struct avc_audit_data ad; |
5020 | 5021 | ||
5021 | tsec = current->security; | 5022 | tsec = current->cred->security; |
5022 | isec = shp->shm_perm.security; | 5023 | isec = shp->shm_perm.security; |
5023 | 5024 | ||
5024 | AVC_AUDIT_DATA_INIT(&ad, IPC); | 5025 | AVC_AUDIT_DATA_INIT(&ad, IPC); |
@@ -5091,7 +5092,7 @@ static int selinux_sem_alloc_security(struct sem_array *sma) | |||
5091 | if (rc) | 5092 | if (rc) |
5092 | return rc; | 5093 | return rc; |
5093 | 5094 | ||
5094 | tsec = current->security; | 5095 | tsec = current->cred->security; |
5095 | isec = sma->sem_perm.security; | 5096 | isec = sma->sem_perm.security; |
5096 | 5097 | ||
5097 | AVC_AUDIT_DATA_INIT(&ad, IPC); | 5098 | AVC_AUDIT_DATA_INIT(&ad, IPC); |
@@ -5117,7 +5118,7 @@ static int selinux_sem_associate(struct sem_array *sma, int semflg) | |||
5117 | struct ipc_security_struct *isec; | 5118 | struct ipc_security_struct *isec; |
5118 | struct avc_audit_data ad; | 5119 | struct avc_audit_data ad; |
5119 | 5120 | ||
5120 | tsec = current->security; | 5121 | tsec = current->cred->security; |
5121 | isec = sma->sem_perm.security; | 5122 | isec = sma->sem_perm.security; |
5122 | 5123 | ||
5123 | AVC_AUDIT_DATA_INIT(&ad, IPC); | 5124 | AVC_AUDIT_DATA_INIT(&ad, IPC); |
@@ -5224,7 +5225,7 @@ static int selinux_getprocattr(struct task_struct *p, | |||
5224 | return error; | 5225 | return error; |
5225 | } | 5226 | } |
5226 | 5227 | ||
5227 | tsec = p->security; | 5228 | tsec = p->cred->security; |
5228 | 5229 | ||
5229 | if (!strcmp(name, "current")) | 5230 | if (!strcmp(name, "current")) |
5230 | sid = tsec->sid; | 5231 | sid = tsec->sid; |
@@ -5308,7 +5309,7 @@ static int selinux_setprocattr(struct task_struct *p, | |||
5308 | operation. See selinux_bprm_set_security for the execve | 5309 | operation. See selinux_bprm_set_security for the execve |
5309 | checks and may_create for the file creation checks. The | 5310 | checks and may_create for the file creation checks. The |
5310 | operation will then fail if the context is not permitted. */ | 5311 | operation will then fail if the context is not permitted. */ |
5311 | tsec = p->security; | 5312 | tsec = p->cred->security; |
5312 | if (!strcmp(name, "exec")) | 5313 | if (!strcmp(name, "exec")) |
5313 | tsec->exec_sid = sid; | 5314 | tsec->exec_sid = sid; |
5314 | else if (!strcmp(name, "fscreate")) | 5315 | else if (!strcmp(name, "fscreate")) |
@@ -5361,7 +5362,8 @@ boundary_ok: | |||
5361 | rcu_read_lock(); | 5362 | rcu_read_lock(); |
5362 | tracer = tracehook_tracer_task(p); | 5363 | tracer = tracehook_tracer_task(p); |
5363 | if (tracer != NULL) { | 5364 | if (tracer != NULL) { |
5364 | struct task_security_struct *ptsec = tracer->security; | 5365 | struct task_security_struct *ptsec = |
5366 | tracer->cred->security; | ||
5365 | u32 ptsid = ptsec->sid; | 5367 | u32 ptsid = ptsec->sid; |
5366 | rcu_read_unlock(); | 5368 | rcu_read_unlock(); |
5367 | error = avc_has_perm_noaudit(ptsid, sid, | 5369 | error = avc_has_perm_noaudit(ptsid, sid, |
@@ -5405,7 +5407,7 @@ static void selinux_release_secctx(char *secdata, u32 seclen) | |||
5405 | static int selinux_key_alloc(struct key *k, struct task_struct *tsk, | 5407 | static int selinux_key_alloc(struct key *k, struct task_struct *tsk, |
5406 | unsigned long flags) | 5408 | unsigned long flags) |
5407 | { | 5409 | { |
5408 | struct task_security_struct *tsec = tsk->security; | 5410 | struct task_security_struct *tsec = tsk->cred->security; |
5409 | struct key_security_struct *ksec; | 5411 | struct key_security_struct *ksec; |
5410 | 5412 | ||
5411 | ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL); | 5413 | ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL); |
@@ -5439,7 +5441,7 @@ static int selinux_key_permission(key_ref_t key_ref, | |||
5439 | 5441 | ||
5440 | key = key_ref_to_ptr(key_ref); | 5442 | key = key_ref_to_ptr(key_ref); |
5441 | 5443 | ||
5442 | tsec = ctx->security; | 5444 | tsec = ctx->cred->security; |
5443 | ksec = key->security; | 5445 | ksec = key->security; |
5444 | 5446 | ||
5445 | /* if no specific permissions are requested, we skip the | 5447 | /* if no specific permissions are requested, we skip the |
@@ -5683,7 +5685,7 @@ static __init int selinux_init(void) | |||
5683 | /* Set the security state for the initial task. */ | 5685 | /* Set the security state for the initial task. */ |
5684 | if (task_alloc_security(current)) | 5686 | if (task_alloc_security(current)) |
5685 | panic("SELinux: Failed to initialize initial task.\n"); | 5687 | panic("SELinux: Failed to initialize initial task.\n"); |
5686 | tsec = current->security; | 5688 | tsec = current->cred->security; |
5687 | tsec->osid = tsec->sid = SECINITSID_KERNEL; | 5689 | tsec->osid = tsec->sid = SECINITSID_KERNEL; |
5688 | 5690 | ||
5689 | sel_inode_cache = kmem_cache_create("selinux_inode_security", | 5691 | sel_inode_cache = kmem_cache_create("selinux_inode_security", |
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index 69c9dccc8cf0..10715d1330b9 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c | |||
@@ -97,7 +97,7 @@ static int task_has_security(struct task_struct *tsk, | |||
97 | { | 97 | { |
98 | struct task_security_struct *tsec; | 98 | struct task_security_struct *tsec; |
99 | 99 | ||
100 | tsec = tsk->security; | 100 | tsec = tsk->cred->security; |
101 | if (!tsec) | 101 | if (!tsec) |
102 | return -EACCES; | 102 | return -EACCES; |
103 | 103 | ||
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c index 8f17f542a116..d7db76617b0e 100644 --- a/security/selinux/xfrm.c +++ b/security/selinux/xfrm.c | |||
@@ -197,7 +197,7 @@ static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp, | |||
197 | struct xfrm_user_sec_ctx *uctx, u32 sid) | 197 | struct xfrm_user_sec_ctx *uctx, u32 sid) |
198 | { | 198 | { |
199 | int rc = 0; | 199 | int rc = 0; |
200 | struct task_security_struct *tsec = current->security; | 200 | struct task_security_struct *tsec = current->cred->security; |
201 | struct xfrm_sec_ctx *ctx = NULL; | 201 | struct xfrm_sec_ctx *ctx = NULL; |
202 | char *ctx_str = NULL; | 202 | char *ctx_str = NULL; |
203 | u32 str_len; | 203 | u32 str_len; |
@@ -333,7 +333,7 @@ void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx) | |||
333 | */ | 333 | */ |
334 | int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx) | 334 | int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx) |
335 | { | 335 | { |
336 | struct task_security_struct *tsec = current->security; | 336 | struct task_security_struct *tsec = current->cred->security; |
337 | int rc = 0; | 337 | int rc = 0; |
338 | 338 | ||
339 | if (ctx) { | 339 | if (ctx) { |
@@ -378,7 +378,7 @@ void selinux_xfrm_state_free(struct xfrm_state *x) | |||
378 | */ | 378 | */ |
379 | int selinux_xfrm_state_delete(struct xfrm_state *x) | 379 | int selinux_xfrm_state_delete(struct xfrm_state *x) |
380 | { | 380 | { |
381 | struct task_security_struct *tsec = current->security; | 381 | struct task_security_struct *tsec = current->cred->security; |
382 | struct xfrm_sec_ctx *ctx = x->security; | 382 | struct xfrm_sec_ctx *ctx = x->security; |
383 | int rc = 0; | 383 | int rc = 0; |
384 | 384 | ||
diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c index 79ff21ed4c3b..b6dd4fc0fb0b 100644 --- a/security/smack/smack_access.c +++ b/security/smack/smack_access.c | |||
@@ -164,7 +164,7 @@ int smk_curacc(char *obj_label, u32 mode) | |||
164 | { | 164 | { |
165 | int rc; | 165 | int rc; |
166 | 166 | ||
167 | rc = smk_access(current->security, obj_label, mode); | 167 | rc = smk_access(current->cred->security, obj_label, mode); |
168 | if (rc == 0) | 168 | if (rc == 0) |
169 | return 0; | 169 | return 0; |
170 | 170 | ||
@@ -173,7 +173,7 @@ int smk_curacc(char *obj_label, u32 mode) | |||
173 | * only one that gets privilege and current does not | 173 | * only one that gets privilege and current does not |
174 | * have that label. | 174 | * have that label. |
175 | */ | 175 | */ |
176 | if (smack_onlycap != NULL && smack_onlycap != current->security) | 176 | if (smack_onlycap != NULL && smack_onlycap != current->cred->security) |
177 | return rc; | 177 | return rc; |
178 | 178 | ||
179 | if (capable(CAP_MAC_OVERRIDE)) | 179 | if (capable(CAP_MAC_OVERRIDE)) |
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 6e2dc0bab70d..791da238d049 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c | |||
@@ -102,7 +102,8 @@ static int smack_ptrace_may_access(struct task_struct *ctp, unsigned int mode) | |||
102 | if (rc != 0) | 102 | if (rc != 0) |
103 | return rc; | 103 | return rc; |
104 | 104 | ||
105 | rc = smk_access(current->security, ctp->security, MAY_READWRITE); | 105 | rc = smk_access(current->cred->security, ctp->cred->security, |
106 | MAY_READWRITE); | ||
106 | if (rc != 0 && capable(CAP_MAC_OVERRIDE)) | 107 | if (rc != 0 && capable(CAP_MAC_OVERRIDE)) |
107 | return 0; | 108 | return 0; |
108 | return rc; | 109 | return rc; |
@@ -124,7 +125,8 @@ static int smack_ptrace_traceme(struct task_struct *ptp) | |||
124 | if (rc != 0) | 125 | if (rc != 0) |
125 | return rc; | 126 | return rc; |
126 | 127 | ||
127 | rc = smk_access(ptp->security, current->security, MAY_READWRITE); | 128 | rc = smk_access(ptp->cred->security, current->cred->security, |
129 | MAY_READWRITE); | ||
128 | if (rc != 0 && has_capability(ptp, CAP_MAC_OVERRIDE)) | 130 | if (rc != 0 && has_capability(ptp, CAP_MAC_OVERRIDE)) |
129 | return 0; | 131 | return 0; |
130 | return rc; | 132 | return rc; |
@@ -141,7 +143,7 @@ static int smack_ptrace_traceme(struct task_struct *ptp) | |||
141 | static int smack_syslog(int type) | 143 | static int smack_syslog(int type) |
142 | { | 144 | { |
143 | int rc; | 145 | int rc; |
144 | char *sp = current->security; | 146 | char *sp = current->cred->security; |
145 | 147 | ||
146 | rc = cap_syslog(type); | 148 | rc = cap_syslog(type); |
147 | if (rc != 0) | 149 | if (rc != 0) |
@@ -373,7 +375,7 @@ static int smack_sb_umount(struct vfsmount *mnt, int flags) | |||
373 | */ | 375 | */ |
374 | static int smack_inode_alloc_security(struct inode *inode) | 376 | static int smack_inode_alloc_security(struct inode *inode) |
375 | { | 377 | { |
376 | inode->i_security = new_inode_smack(current->security); | 378 | inode->i_security = new_inode_smack(current->cred->security); |
377 | if (inode->i_security == NULL) | 379 | if (inode->i_security == NULL) |
378 | return -ENOMEM; | 380 | return -ENOMEM; |
379 | return 0; | 381 | return 0; |
@@ -818,7 +820,7 @@ static int smack_file_permission(struct file *file, int mask) | |||
818 | */ | 820 | */ |
819 | static int smack_file_alloc_security(struct file *file) | 821 | static int smack_file_alloc_security(struct file *file) |
820 | { | 822 | { |
821 | file->f_security = current->security; | 823 | file->f_security = current->cred->security; |
822 | return 0; | 824 | return 0; |
823 | } | 825 | } |
824 | 826 | ||
@@ -916,7 +918,7 @@ static int smack_file_fcntl(struct file *file, unsigned int cmd, | |||
916 | */ | 918 | */ |
917 | static int smack_file_set_fowner(struct file *file) | 919 | static int smack_file_set_fowner(struct file *file) |
918 | { | 920 | { |
919 | file->f_security = current->security; | 921 | file->f_security = current->cred->security; |
920 | return 0; | 922 | return 0; |
921 | } | 923 | } |
922 | 924 | ||
@@ -941,7 +943,7 @@ static int smack_file_send_sigiotask(struct task_struct *tsk, | |||
941 | * struct fown_struct is never outside the context of a struct file | 943 | * struct fown_struct is never outside the context of a struct file |
942 | */ | 944 | */ |
943 | file = container_of(fown, struct file, f_owner); | 945 | file = container_of(fown, struct file, f_owner); |
944 | rc = smk_access(file->f_security, tsk->security, MAY_WRITE); | 946 | rc = smk_access(file->f_security, tsk->cred->security, MAY_WRITE); |
945 | if (rc != 0 && has_capability(tsk, CAP_MAC_OVERRIDE)) | 947 | if (rc != 0 && has_capability(tsk, CAP_MAC_OVERRIDE)) |
946 | return 0; | 948 | return 0; |
947 | return rc; | 949 | return rc; |
@@ -984,7 +986,7 @@ static int smack_file_receive(struct file *file) | |||
984 | */ | 986 | */ |
985 | static int smack_task_alloc_security(struct task_struct *tsk) | 987 | static int smack_task_alloc_security(struct task_struct *tsk) |
986 | { | 988 | { |
987 | tsk->security = current->security; | 989 | tsk->cred->security = current->cred->security; |
988 | 990 | ||
989 | return 0; | 991 | return 0; |
990 | } | 992 | } |
@@ -999,7 +1001,7 @@ static int smack_task_alloc_security(struct task_struct *tsk) | |||
999 | */ | 1001 | */ |
1000 | static void smack_task_free_security(struct task_struct *task) | 1002 | static void smack_task_free_security(struct task_struct *task) |
1001 | { | 1003 | { |
1002 | task->security = NULL; | 1004 | task->cred->security = NULL; |
1003 | } | 1005 | } |
1004 | 1006 | ||
1005 | /** | 1007 | /** |
@@ -1011,7 +1013,7 @@ static void smack_task_free_security(struct task_struct *task) | |||
1011 | */ | 1013 | */ |
1012 | static int smack_task_setpgid(struct task_struct *p, pid_t pgid) | 1014 | static int smack_task_setpgid(struct task_struct *p, pid_t pgid) |
1013 | { | 1015 | { |
1014 | return smk_curacc(p->security, MAY_WRITE); | 1016 | return smk_curacc(p->cred->security, MAY_WRITE); |
1015 | } | 1017 | } |
1016 | 1018 | ||
1017 | /** | 1019 | /** |
@@ -1022,7 +1024,7 @@ static int smack_task_setpgid(struct task_struct *p, pid_t pgid) | |||
1022 | */ | 1024 | */ |
1023 | static int smack_task_getpgid(struct task_struct *p) | 1025 | static int smack_task_getpgid(struct task_struct *p) |
1024 | { | 1026 | { |
1025 | return smk_curacc(p->security, MAY_READ); | 1027 | return smk_curacc(p->cred->security, MAY_READ); |
1026 | } | 1028 | } |
1027 | 1029 | ||
1028 | /** | 1030 | /** |
@@ -1033,7 +1035,7 @@ static int smack_task_getpgid(struct task_struct *p) | |||
1033 | */ | 1035 | */ |
1034 | static int smack_task_getsid(struct task_struct *p) | 1036 | static int smack_task_getsid(struct task_struct *p) |
1035 | { | 1037 | { |
1036 | return smk_curacc(p->security, MAY_READ); | 1038 | return smk_curacc(p->cred->security, MAY_READ); |
1037 | } | 1039 | } |
1038 | 1040 | ||
1039 | /** | 1041 | /** |
@@ -1045,7 +1047,7 @@ static int smack_task_getsid(struct task_struct *p) | |||
1045 | */ | 1047 | */ |
1046 | static void smack_task_getsecid(struct task_struct *p, u32 *secid) | 1048 | static void smack_task_getsecid(struct task_struct *p, u32 *secid) |
1047 | { | 1049 | { |
1048 | *secid = smack_to_secid(p->security); | 1050 | *secid = smack_to_secid(p->cred->security); |
1049 | } | 1051 | } |
1050 | 1052 | ||
1051 | /** | 1053 | /** |
@@ -1061,7 +1063,7 @@ static int smack_task_setnice(struct task_struct *p, int nice) | |||
1061 | 1063 | ||
1062 | rc = cap_task_setnice(p, nice); | 1064 | rc = cap_task_setnice(p, nice); |
1063 | if (rc == 0) | 1065 | if (rc == 0) |
1064 | rc = smk_curacc(p->security, MAY_WRITE); | 1066 | rc = smk_curacc(p->cred->security, MAY_WRITE); |
1065 | return rc; | 1067 | return rc; |
1066 | } | 1068 | } |
1067 | 1069 | ||
@@ -1078,7 +1080,7 @@ static int smack_task_setioprio(struct task_struct *p, int ioprio) | |||
1078 | 1080 | ||
1079 | rc = cap_task_setioprio(p, ioprio); | 1081 | rc = cap_task_setioprio(p, ioprio); |
1080 | if (rc == 0) | 1082 | if (rc == 0) |
1081 | rc = smk_curacc(p->security, MAY_WRITE); | 1083 | rc = smk_curacc(p->cred->security, MAY_WRITE); |
1082 | return rc; | 1084 | return rc; |
1083 | } | 1085 | } |
1084 | 1086 | ||
@@ -1090,7 +1092,7 @@ static int smack_task_setioprio(struct task_struct *p, int ioprio) | |||
1090 | */ | 1092 | */ |
1091 | static int smack_task_getioprio(struct task_struct *p) | 1093 | static int smack_task_getioprio(struct task_struct *p) |
1092 | { | 1094 | { |
1093 | return smk_curacc(p->security, MAY_READ); | 1095 | return smk_curacc(p->cred->security, MAY_READ); |
1094 | } | 1096 | } |
1095 | 1097 | ||
1096 | /** | 1098 | /** |
@@ -1108,7 +1110,7 @@ static int smack_task_setscheduler(struct task_struct *p, int policy, | |||
1108 | 1110 | ||
1109 | rc = cap_task_setscheduler(p, policy, lp); | 1111 | rc = cap_task_setscheduler(p, policy, lp); |
1110 | if (rc == 0) | 1112 | if (rc == 0) |
1111 | rc = smk_curacc(p->security, MAY_WRITE); | 1113 | rc = smk_curacc(p->cred->security, MAY_WRITE); |
1112 | return rc; | 1114 | return rc; |
1113 | } | 1115 | } |
1114 | 1116 | ||
@@ -1120,7 +1122,7 @@ static int smack_task_setscheduler(struct task_struct *p, int policy, | |||
1120 | */ | 1122 | */ |
1121 | static int smack_task_getscheduler(struct task_struct *p) | 1123 | static int smack_task_getscheduler(struct task_struct *p) |
1122 | { | 1124 | { |
1123 | return smk_curacc(p->security, MAY_READ); | 1125 | return smk_curacc(p->cred->security, MAY_READ); |
1124 | } | 1126 | } |
1125 | 1127 | ||
1126 | /** | 1128 | /** |
@@ -1131,7 +1133,7 @@ static int smack_task_getscheduler(struct task_struct *p) | |||
1131 | */ | 1133 | */ |
1132 | static int smack_task_movememory(struct task_struct *p) | 1134 | static int smack_task_movememory(struct task_struct *p) |
1133 | { | 1135 | { |
1134 | return smk_curacc(p->security, MAY_WRITE); | 1136 | return smk_curacc(p->cred->security, MAY_WRITE); |
1135 | } | 1137 | } |
1136 | 1138 | ||
1137 | /** | 1139 | /** |
@@ -1154,13 +1156,13 @@ static int smack_task_kill(struct task_struct *p, struct siginfo *info, | |||
1154 | * can write the receiver. | 1156 | * can write the receiver. |
1155 | */ | 1157 | */ |
1156 | if (secid == 0) | 1158 | if (secid == 0) |
1157 | return smk_curacc(p->security, MAY_WRITE); | 1159 | return smk_curacc(p->cred->security, MAY_WRITE); |
1158 | /* | 1160 | /* |
1159 | * If the secid isn't 0 we're dealing with some USB IO | 1161 | * If the secid isn't 0 we're dealing with some USB IO |
1160 | * specific behavior. This is not clean. For one thing | 1162 | * specific behavior. This is not clean. For one thing |
1161 | * we can't take privilege into account. | 1163 | * we can't take privilege into account. |
1162 | */ | 1164 | */ |
1163 | return smk_access(smack_from_secid(secid), p->security, MAY_WRITE); | 1165 | return smk_access(smack_from_secid(secid), p->cred->security, MAY_WRITE); |
1164 | } | 1166 | } |
1165 | 1167 | ||
1166 | /** | 1168 | /** |
@@ -1173,7 +1175,7 @@ static int smack_task_wait(struct task_struct *p) | |||
1173 | { | 1175 | { |
1174 | int rc; | 1176 | int rc; |
1175 | 1177 | ||
1176 | rc = smk_access(current->security, p->security, MAY_WRITE); | 1178 | rc = smk_access(current->cred->security, p->cred->security, MAY_WRITE); |
1177 | if (rc == 0) | 1179 | if (rc == 0) |
1178 | return 0; | 1180 | return 0; |
1179 | 1181 | ||
@@ -1204,7 +1206,7 @@ static int smack_task_wait(struct task_struct *p) | |||
1204 | static void smack_task_to_inode(struct task_struct *p, struct inode *inode) | 1206 | static void smack_task_to_inode(struct task_struct *p, struct inode *inode) |
1205 | { | 1207 | { |
1206 | struct inode_smack *isp = inode->i_security; | 1208 | struct inode_smack *isp = inode->i_security; |
1207 | isp->smk_inode = p->security; | 1209 | isp->smk_inode = p->cred->security; |
1208 | } | 1210 | } |
1209 | 1211 | ||
1210 | /* | 1212 | /* |
@@ -1223,7 +1225,7 @@ static void smack_task_to_inode(struct task_struct *p, struct inode *inode) | |||
1223 | */ | 1225 | */ |
1224 | static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) | 1226 | static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) |
1225 | { | 1227 | { |
1226 | char *csp = current->security; | 1228 | char *csp = current->cred->security; |
1227 | struct socket_smack *ssp; | 1229 | struct socket_smack *ssp; |
1228 | 1230 | ||
1229 | ssp = kzalloc(sizeof(struct socket_smack), gfp_flags); | 1231 | ssp = kzalloc(sizeof(struct socket_smack), gfp_flags); |
@@ -1448,7 +1450,7 @@ static int smack_flags_to_may(int flags) | |||
1448 | */ | 1450 | */ |
1449 | static int smack_msg_msg_alloc_security(struct msg_msg *msg) | 1451 | static int smack_msg_msg_alloc_security(struct msg_msg *msg) |
1450 | { | 1452 | { |
1451 | msg->security = current->security; | 1453 | msg->security = current->cred->security; |
1452 | return 0; | 1454 | return 0; |
1453 | } | 1455 | } |
1454 | 1456 | ||
@@ -1484,7 +1486,7 @@ static int smack_shm_alloc_security(struct shmid_kernel *shp) | |||
1484 | { | 1486 | { |
1485 | struct kern_ipc_perm *isp = &shp->shm_perm; | 1487 | struct kern_ipc_perm *isp = &shp->shm_perm; |
1486 | 1488 | ||
1487 | isp->security = current->security; | 1489 | isp->security = current->cred->security; |
1488 | return 0; | 1490 | return 0; |
1489 | } | 1491 | } |
1490 | 1492 | ||
@@ -1593,7 +1595,7 @@ static int smack_sem_alloc_security(struct sem_array *sma) | |||
1593 | { | 1595 | { |
1594 | struct kern_ipc_perm *isp = &sma->sem_perm; | 1596 | struct kern_ipc_perm *isp = &sma->sem_perm; |
1595 | 1597 | ||
1596 | isp->security = current->security; | 1598 | isp->security = current->cred->security; |
1597 | return 0; | 1599 | return 0; |
1598 | } | 1600 | } |
1599 | 1601 | ||
@@ -1697,7 +1699,7 @@ static int smack_msg_queue_alloc_security(struct msg_queue *msq) | |||
1697 | { | 1699 | { |
1698 | struct kern_ipc_perm *kisp = &msq->q_perm; | 1700 | struct kern_ipc_perm *kisp = &msq->q_perm; |
1699 | 1701 | ||
1700 | kisp->security = current->security; | 1702 | kisp->security = current->cred->security; |
1701 | return 0; | 1703 | return 0; |
1702 | } | 1704 | } |
1703 | 1705 | ||
@@ -1852,7 +1854,7 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode) | |||
1852 | struct super_block *sbp; | 1854 | struct super_block *sbp; |
1853 | struct superblock_smack *sbsp; | 1855 | struct superblock_smack *sbsp; |
1854 | struct inode_smack *isp; | 1856 | struct inode_smack *isp; |
1855 | char *csp = current->security; | 1857 | char *csp = current->cred->security; |
1856 | char *fetched; | 1858 | char *fetched; |
1857 | char *final; | 1859 | char *final; |
1858 | struct dentry *dp; | 1860 | struct dentry *dp; |
@@ -2009,7 +2011,7 @@ static int smack_getprocattr(struct task_struct *p, char *name, char **value) | |||
2009 | if (strcmp(name, "current") != 0) | 2011 | if (strcmp(name, "current") != 0) |
2010 | return -EINVAL; | 2012 | return -EINVAL; |
2011 | 2013 | ||
2012 | cp = kstrdup(p->security, GFP_KERNEL); | 2014 | cp = kstrdup(p->cred->security, GFP_KERNEL); |
2013 | if (cp == NULL) | 2015 | if (cp == NULL) |
2014 | return -ENOMEM; | 2016 | return -ENOMEM; |
2015 | 2017 | ||
@@ -2055,7 +2057,7 @@ static int smack_setprocattr(struct task_struct *p, char *name, | |||
2055 | if (newsmack == NULL) | 2057 | if (newsmack == NULL) |
2056 | return -EINVAL; | 2058 | return -EINVAL; |
2057 | 2059 | ||
2058 | p->security = newsmack; | 2060 | p->cred->security = newsmack; |
2059 | return size; | 2061 | return size; |
2060 | } | 2062 | } |
2061 | 2063 | ||
@@ -2288,8 +2290,8 @@ static void smack_sock_graft(struct sock *sk, struct socket *parent) | |||
2288 | return; | 2290 | return; |
2289 | 2291 | ||
2290 | ssp = sk->sk_security; | 2292 | ssp = sk->sk_security; |
2291 | ssp->smk_in = current->security; | 2293 | ssp->smk_in = current->cred->security; |
2292 | ssp->smk_out = current->security; | 2294 | ssp->smk_out = current->cred->security; |
2293 | ssp->smk_packet[0] = '\0'; | 2295 | ssp->smk_packet[0] = '\0'; |
2294 | 2296 | ||
2295 | rc = smack_netlabel(sk); | 2297 | rc = smack_netlabel(sk); |
@@ -2362,7 +2364,7 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb, | |||
2362 | static int smack_key_alloc(struct key *key, struct task_struct *tsk, | 2364 | static int smack_key_alloc(struct key *key, struct task_struct *tsk, |
2363 | unsigned long flags) | 2365 | unsigned long flags) |
2364 | { | 2366 | { |
2365 | key->security = tsk->security; | 2367 | key->security = tsk->cred->security; |
2366 | return 0; | 2368 | return 0; |
2367 | } | 2369 | } |
2368 | 2370 | ||
@@ -2403,10 +2405,11 @@ static int smack_key_permission(key_ref_t key_ref, | |||
2403 | /* | 2405 | /* |
2404 | * This should not occur | 2406 | * This should not occur |
2405 | */ | 2407 | */ |
2406 | if (context->security == NULL) | 2408 | if (context->cred->security == NULL) |
2407 | return -EACCES; | 2409 | return -EACCES; |
2408 | 2410 | ||
2409 | return smk_access(context->security, keyp->security, MAY_READWRITE); | 2411 | return smk_access(context->cred->security, keyp->security, |
2412 | MAY_READWRITE); | ||
2410 | } | 2413 | } |
2411 | #endif /* CONFIG_KEYS */ | 2414 | #endif /* CONFIG_KEYS */ |
2412 | 2415 | ||
@@ -2726,7 +2729,7 @@ static __init int smack_init(void) | |||
2726 | /* | 2729 | /* |
2727 | * Set the security state for the initial task. | 2730 | * Set the security state for the initial task. |
2728 | */ | 2731 | */ |
2729 | current->security = &smack_known_floor.smk_known; | 2732 | current->cred->security = &smack_known_floor.smk_known; |
2730 | 2733 | ||
2731 | /* | 2734 | /* |
2732 | * Initialize locks | 2735 | * Initialize locks |
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c index c21d8c8bf0c7..c5ca279e0506 100644 --- a/security/smack/smackfs.c +++ b/security/smack/smackfs.c | |||
@@ -336,7 +336,7 @@ static void smk_cipso_doi(void) | |||
336 | 336 | ||
337 | audit_info.loginuid = audit_get_loginuid(current); | 337 | audit_info.loginuid = audit_get_loginuid(current); |
338 | audit_info.sessionid = audit_get_sessionid(current); | 338 | audit_info.sessionid = audit_get_sessionid(current); |
339 | audit_info.secid = smack_to_secid(current->security); | 339 | audit_info.secid = smack_to_secid(current->cred->security); |
340 | 340 | ||
341 | rc = netlbl_cfg_map_del(NULL, &audit_info); | 341 | rc = netlbl_cfg_map_del(NULL, &audit_info); |
342 | if (rc != 0) | 342 | if (rc != 0) |
@@ -371,7 +371,7 @@ static void smk_unlbl_ambient(char *oldambient) | |||
371 | 371 | ||
372 | audit_info.loginuid = audit_get_loginuid(current); | 372 | audit_info.loginuid = audit_get_loginuid(current); |
373 | audit_info.sessionid = audit_get_sessionid(current); | 373 | audit_info.sessionid = audit_get_sessionid(current); |
374 | audit_info.secid = smack_to_secid(current->security); | 374 | audit_info.secid = smack_to_secid(current->cred->security); |
375 | 375 | ||
376 | if (oldambient != NULL) { | 376 | if (oldambient != NULL) { |
377 | rc = netlbl_cfg_map_del(oldambient, &audit_info); | 377 | rc = netlbl_cfg_map_del(oldambient, &audit_info); |
@@ -843,7 +843,7 @@ static ssize_t smk_write_onlycap(struct file *file, const char __user *buf, | |||
843 | size_t count, loff_t *ppos) | 843 | size_t count, loff_t *ppos) |
844 | { | 844 | { |
845 | char in[SMK_LABELLEN]; | 845 | char in[SMK_LABELLEN]; |
846 | char *sp = current->security; | 846 | char *sp = current->cred->security; |
847 | 847 | ||
848 | if (!capable(CAP_MAC_ADMIN)) | 848 | if (!capable(CAP_MAC_ADMIN)) |
849 | return -EPERM; | 849 | return -EPERM; |