diff options
Diffstat (limited to 'security')
-rw-r--r-- | security/capability.c | 3 | ||||
-rw-r--r-- | security/security.c | 5 | ||||
-rw-r--r-- | security/selinux/hooks.c | 12 |
3 files changed, 13 insertions, 7 deletions
diff --git a/security/capability.c b/security/capability.c index a0bbf30fb6dc..95a6599a37bb 100644 --- a/security/capability.c +++ b/security/capability.c | |||
@@ -411,7 +411,8 @@ static int cap_task_getioprio(struct task_struct *p) | |||
411 | return 0; | 411 | return 0; |
412 | } | 412 | } |
413 | 413 | ||
414 | static int cap_task_setrlimit(unsigned int resource, struct rlimit *new_rlim) | 414 | static int cap_task_setrlimit(struct task_struct *p, unsigned int resource, |
415 | struct rlimit *new_rlim) | ||
415 | { | 416 | { |
416 | return 0; | 417 | return 0; |
417 | } | 418 | } |
diff --git a/security/security.c b/security/security.c index 7461b1bc296c..c53949f17d9e 100644 --- a/security/security.c +++ b/security/security.c | |||
@@ -780,9 +780,10 @@ int security_task_getioprio(struct task_struct *p) | |||
780 | return security_ops->task_getioprio(p); | 780 | return security_ops->task_getioprio(p); |
781 | } | 781 | } |
782 | 782 | ||
783 | int security_task_setrlimit(unsigned int resource, struct rlimit *new_rlim) | 783 | int security_task_setrlimit(struct task_struct *p, unsigned int resource, |
784 | struct rlimit *new_rlim) | ||
784 | { | 785 | { |
785 | return security_ops->task_setrlimit(resource, new_rlim); | 786 | return security_ops->task_setrlimit(p, resource, new_rlim); |
786 | } | 787 | } |
787 | 788 | ||
788 | int security_task_setscheduler(struct task_struct *p, | 789 | int security_task_setscheduler(struct task_struct *p, |
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 9b40f4c0ac70..42043f96e54f 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
@@ -2284,12 +2284,15 @@ static void selinux_bprm_committing_creds(struct linux_binprm *bprm) | |||
2284 | rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS, | 2284 | rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS, |
2285 | PROCESS__RLIMITINH, NULL); | 2285 | PROCESS__RLIMITINH, NULL); |
2286 | if (rc) { | 2286 | if (rc) { |
2287 | /* protect against do_prlimit() */ | ||
2288 | task_lock(current); | ||
2287 | for (i = 0; i < RLIM_NLIMITS; i++) { | 2289 | for (i = 0; i < RLIM_NLIMITS; i++) { |
2288 | rlim = current->signal->rlim + i; | 2290 | rlim = current->signal->rlim + i; |
2289 | initrlim = init_task.signal->rlim + i; | 2291 | initrlim = init_task.signal->rlim + i; |
2290 | rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur); | 2292 | rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur); |
2291 | } | 2293 | } |
2292 | update_rlimit_cpu(current->signal->rlim[RLIMIT_CPU].rlim_cur); | 2294 | task_unlock(current); |
2295 | update_rlimit_cpu(current, rlimit(RLIMIT_CPU)); | ||
2293 | } | 2296 | } |
2294 | } | 2297 | } |
2295 | 2298 | ||
@@ -3333,16 +3336,17 @@ static int selinux_task_getioprio(struct task_struct *p) | |||
3333 | return current_has_perm(p, PROCESS__GETSCHED); | 3336 | return current_has_perm(p, PROCESS__GETSCHED); |
3334 | } | 3337 | } |
3335 | 3338 | ||
3336 | static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim) | 3339 | static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource, |
3340 | struct rlimit *new_rlim) | ||
3337 | { | 3341 | { |
3338 | struct rlimit *old_rlim = current->signal->rlim + resource; | 3342 | struct rlimit *old_rlim = p->signal->rlim + resource; |
3339 | 3343 | ||
3340 | /* Control the ability to change the hard limit (whether | 3344 | /* Control the ability to change the hard limit (whether |
3341 | lowering or raising it), so that the hard limit can | 3345 | lowering or raising it), so that the hard limit can |
3342 | later be used as a safe reset point for the soft limit | 3346 | later be used as a safe reset point for the soft limit |
3343 | upon context transitions. See selinux_bprm_committing_creds. */ | 3347 | upon context transitions. See selinux_bprm_committing_creds. */ |
3344 | if (old_rlim->rlim_max != new_rlim->rlim_max) | 3348 | if (old_rlim->rlim_max != new_rlim->rlim_max) |
3345 | return current_has_perm(current, PROCESS__SETRLIMIT); | 3349 | return current_has_perm(p, PROCESS__SETRLIMIT); |
3346 | 3350 | ||
3347 | return 0; | 3351 | return 0; |
3348 | } | 3352 | } |