aboutsummaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
Diffstat (limited to 'security')
-rw-r--r--security/capability.c56
-rw-r--r--security/commoncap.c824
-rw-r--r--security/keys/internal.h49
-rw-r--r--security/keys/key.c25
-rw-r--r--security/keys/keyctl.c210
-rw-r--r--security/keys/keyring.c15
-rw-r--r--security/keys/permission.c29
-rw-r--r--security/keys/proc.c8
-rw-r--r--security/keys/process_keys.c469
-rw-r--r--security/keys/request_key.c135
-rw-r--r--security/keys/request_key_auth.c46
-rw-r--r--security/root_plug.c13
-rw-r--r--security/security.c99
-rw-r--r--security/selinux/exports.c8
-rw-r--r--security/selinux/hooks.c1246
-rw-r--r--security/selinux/include/av_perm_to_string.h2
-rw-r--r--security/selinux/include/av_permissions.h2
-rw-r--r--security/selinux/include/class_to_string.h5
-rw-r--r--security/selinux/include/flask.h1
-rw-r--r--security/selinux/include/objsec.h11
-rw-r--r--security/selinux/nlmsgtab.c3
-rw-r--r--security/selinux/selinuxfs.c13
-rw-r--r--security/selinux/xfrm.c6
-rw-r--r--security/smack/smack_access.c4
-rw-r--r--security/smack/smack_lsm.c173
-rw-r--r--security/smack/smackfs.c6
26 files changed, 1971 insertions, 1487 deletions
diff --git a/security/capability.c b/security/capability.c
index 245874819036..b9e391425e6f 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -32,24 +32,19 @@ static int cap_quota_on(struct dentry *dentry)
32 return 0; 32 return 0;
33} 33}
34 34
35static int cap_bprm_alloc_security(struct linux_binprm *bprm) 35static int cap_bprm_check_security (struct linux_binprm *bprm)
36{ 36{
37 return 0; 37 return 0;
38} 38}
39 39
40static void cap_bprm_free_security(struct linux_binprm *bprm) 40static void cap_bprm_committing_creds(struct linux_binprm *bprm)
41{ 41{
42} 42}
43 43
44static void cap_bprm_post_apply_creds(struct linux_binprm *bprm) 44static void cap_bprm_committed_creds(struct linux_binprm *bprm)
45{ 45{
46} 46}
47 47
48static int cap_bprm_check_security(struct linux_binprm *bprm)
49{
50 return 0;
51}
52
53static int cap_sb_alloc_security(struct super_block *sb) 48static int cap_sb_alloc_security(struct super_block *sb)
54{ 49{
55 return 0; 50 return 0;
@@ -330,7 +325,7 @@ static int cap_file_receive(struct file *file)
330 return 0; 325 return 0;
331} 326}
332 327
333static int cap_dentry_open(struct file *file) 328static int cap_dentry_open(struct file *file, const struct cred *cred)
334{ 329{
335 return 0; 330 return 0;
336} 331}
@@ -340,15 +335,29 @@ static int cap_task_create(unsigned long clone_flags)
340 return 0; 335 return 0;
341} 336}
342 337
343static int cap_task_alloc_security(struct task_struct *p) 338static void cap_cred_free(struct cred *cred)
339{
340}
341
342static int cap_cred_prepare(struct cred *new, const struct cred *old, gfp_t gfp)
344{ 343{
345 return 0; 344 return 0;
346} 345}
347 346
348static void cap_task_free_security(struct task_struct *p) 347static void cap_cred_commit(struct cred *new, const struct cred *old)
349{ 348{
350} 349}
351 350
351static int cap_kernel_act_as(struct cred *new, u32 secid)
352{
353 return 0;
354}
355
356static int cap_kernel_create_files_as(struct cred *new, struct inode *inode)
357{
358 return 0;
359}
360
352static int cap_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) 361static int cap_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
353{ 362{
354 return 0; 363 return 0;
@@ -750,7 +759,7 @@ static void cap_release_secctx(char *secdata, u32 seclen)
750} 759}
751 760
752#ifdef CONFIG_KEYS 761#ifdef CONFIG_KEYS
753static int cap_key_alloc(struct key *key, struct task_struct *ctx, 762static int cap_key_alloc(struct key *key, const struct cred *cred,
754 unsigned long flags) 763 unsigned long flags)
755{ 764{
756 return 0; 765 return 0;
@@ -760,7 +769,7 @@ static void cap_key_free(struct key *key)
760{ 769{
761} 770}
762 771
763static int cap_key_permission(key_ref_t key_ref, struct task_struct *context, 772static int cap_key_permission(key_ref_t key_ref, const struct cred *cred,
764 key_perm_t perm) 773 key_perm_t perm)
765{ 774{
766 return 0; 775 return 0;
@@ -814,8 +823,7 @@ void security_fixup_ops(struct security_operations *ops)
814 set_to_cap_if_null(ops, ptrace_may_access); 823 set_to_cap_if_null(ops, ptrace_may_access);
815 set_to_cap_if_null(ops, ptrace_traceme); 824 set_to_cap_if_null(ops, ptrace_traceme);
816 set_to_cap_if_null(ops, capget); 825 set_to_cap_if_null(ops, capget);
817 set_to_cap_if_null(ops, capset_check); 826 set_to_cap_if_null(ops, capset);
818 set_to_cap_if_null(ops, capset_set);
819 set_to_cap_if_null(ops, acct); 827 set_to_cap_if_null(ops, acct);
820 set_to_cap_if_null(ops, capable); 828 set_to_cap_if_null(ops, capable);
821 set_to_cap_if_null(ops, quotactl); 829 set_to_cap_if_null(ops, quotactl);
@@ -824,11 +832,9 @@ void security_fixup_ops(struct security_operations *ops)
824 set_to_cap_if_null(ops, syslog); 832 set_to_cap_if_null(ops, syslog);
825 set_to_cap_if_null(ops, settime); 833 set_to_cap_if_null(ops, settime);
826 set_to_cap_if_null(ops, vm_enough_memory); 834 set_to_cap_if_null(ops, vm_enough_memory);
827 set_to_cap_if_null(ops, bprm_alloc_security); 835 set_to_cap_if_null(ops, bprm_set_creds);
828 set_to_cap_if_null(ops, bprm_free_security); 836 set_to_cap_if_null(ops, bprm_committing_creds);
829 set_to_cap_if_null(ops, bprm_apply_creds); 837 set_to_cap_if_null(ops, bprm_committed_creds);
830 set_to_cap_if_null(ops, bprm_post_apply_creds);
831 set_to_cap_if_null(ops, bprm_set_security);
832 set_to_cap_if_null(ops, bprm_check_security); 838 set_to_cap_if_null(ops, bprm_check_security);
833 set_to_cap_if_null(ops, bprm_secureexec); 839 set_to_cap_if_null(ops, bprm_secureexec);
834 set_to_cap_if_null(ops, sb_alloc_security); 840 set_to_cap_if_null(ops, sb_alloc_security);
@@ -890,10 +896,13 @@ void security_fixup_ops(struct security_operations *ops)
890 set_to_cap_if_null(ops, file_receive); 896 set_to_cap_if_null(ops, file_receive);
891 set_to_cap_if_null(ops, dentry_open); 897 set_to_cap_if_null(ops, dentry_open);
892 set_to_cap_if_null(ops, task_create); 898 set_to_cap_if_null(ops, task_create);
893 set_to_cap_if_null(ops, task_alloc_security); 899 set_to_cap_if_null(ops, cred_free);
894 set_to_cap_if_null(ops, task_free_security); 900 set_to_cap_if_null(ops, cred_prepare);
901 set_to_cap_if_null(ops, cred_commit);
902 set_to_cap_if_null(ops, kernel_act_as);
903 set_to_cap_if_null(ops, kernel_create_files_as);
895 set_to_cap_if_null(ops, task_setuid); 904 set_to_cap_if_null(ops, task_setuid);
896 set_to_cap_if_null(ops, task_post_setuid); 905 set_to_cap_if_null(ops, task_fix_setuid);
897 set_to_cap_if_null(ops, task_setgid); 906 set_to_cap_if_null(ops, task_setgid);
898 set_to_cap_if_null(ops, task_setpgid); 907 set_to_cap_if_null(ops, task_setpgid);
899 set_to_cap_if_null(ops, task_getpgid); 908 set_to_cap_if_null(ops, task_getpgid);
@@ -910,7 +919,6 @@ void security_fixup_ops(struct security_operations *ops)
910 set_to_cap_if_null(ops, task_wait); 919 set_to_cap_if_null(ops, task_wait);
911 set_to_cap_if_null(ops, task_kill); 920 set_to_cap_if_null(ops, task_kill);
912 set_to_cap_if_null(ops, task_prctl); 921 set_to_cap_if_null(ops, task_prctl);
913 set_to_cap_if_null(ops, task_reparent_to_init);
914 set_to_cap_if_null(ops, task_to_inode); 922 set_to_cap_if_null(ops, task_to_inode);
915 set_to_cap_if_null(ops, ipc_permission); 923 set_to_cap_if_null(ops, ipc_permission);
916 set_to_cap_if_null(ops, ipc_getsecid); 924 set_to_cap_if_null(ops, ipc_getsecid);
diff --git a/security/commoncap.c b/security/commoncap.c
index 3976613db829..19cb398431ee 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -8,6 +8,7 @@
8 */ 8 */
9 9
10#include <linux/capability.h> 10#include <linux/capability.h>
11#include <linux/audit.h>
11#include <linux/module.h> 12#include <linux/module.h>
12#include <linux/init.h> 13#include <linux/init.h>
13#include <linux/kernel.h> 14#include <linux/kernel.h>
@@ -29,7 +30,7 @@
29 30
30int cap_netlink_send(struct sock *sk, struct sk_buff *skb) 31int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
31{ 32{
32 NETLINK_CB(skb).eff_cap = current->cap_effective; 33 NETLINK_CB(skb).eff_cap = current_cap();
33 return 0; 34 return 0;
34} 35}
35 36
@@ -39,23 +40,41 @@ int cap_netlink_recv(struct sk_buff *skb, int cap)
39 return -EPERM; 40 return -EPERM;
40 return 0; 41 return 0;
41} 42}
42
43EXPORT_SYMBOL(cap_netlink_recv); 43EXPORT_SYMBOL(cap_netlink_recv);
44 44
45/* 45/**
46 * cap_capable - Determine whether a task has a particular effective capability
47 * @tsk: The task to query
48 * @cap: The capability to check for
49 * @audit: Whether to write an audit message or not
50 *
51 * Determine whether the nominated task has the specified capability amongst
52 * its effective set, returning 0 if it does, -ve if it does not.
53 *
46 * NOTE WELL: cap_capable() cannot be used like the kernel's capable() 54 * NOTE WELL: cap_capable() cannot be used like the kernel's capable()
47 * function. That is, it has the reverse semantics: cap_capable() 55 * function. That is, it has the reverse semantics: cap_capable() returns 0
48 * returns 0 when a task has a capability, but the kernel's capable() 56 * when a task has a capability, but the kernel's capable() returns 1 for this
49 * returns 1 for this case. 57 * case.
50 */ 58 */
51int cap_capable (struct task_struct *tsk, int cap) 59int cap_capable(struct task_struct *tsk, int cap, int audit)
52{ 60{
61 __u32 cap_raised;
62
53 /* Derived from include/linux/sched.h:capable. */ 63 /* Derived from include/linux/sched.h:capable. */
54 if (cap_raised(tsk->cap_effective, cap)) 64 rcu_read_lock();
55 return 0; 65 cap_raised = cap_raised(__task_cred(tsk)->cap_effective, cap);
56 return -EPERM; 66 rcu_read_unlock();
67 return cap_raised ? 0 : -EPERM;
57} 68}
58 69
70/**
71 * cap_settime - Determine whether the current process may set the system clock
72 * @ts: The time to set
73 * @tz: The timezone to set
74 *
75 * Determine whether the current process may set the system clock and timezone
76 * information, returning 0 if permission granted, -ve if denied.
77 */
59int cap_settime(struct timespec *ts, struct timezone *tz) 78int cap_settime(struct timespec *ts, struct timezone *tz)
60{ 79{
61 if (!capable(CAP_SYS_TIME)) 80 if (!capable(CAP_SYS_TIME))
@@ -63,121 +82,157 @@ int cap_settime(struct timespec *ts, struct timezone *tz)
63 return 0; 82 return 0;
64} 83}
65 84
85/**
86 * cap_ptrace_may_access - Determine whether the current process may access
87 * another
88 * @child: The process to be accessed
89 * @mode: The mode of attachment.
90 *
91 * Determine whether a process may access another, returning 0 if permission
92 * granted, -ve if denied.
93 */
66int cap_ptrace_may_access(struct task_struct *child, unsigned int mode) 94int cap_ptrace_may_access(struct task_struct *child, unsigned int mode)
67{ 95{
68 /* Derived from arch/i386/kernel/ptrace.c:sys_ptrace. */ 96 int ret = 0;
69 if (cap_issubset(child->cap_permitted, current->cap_permitted)) 97
70 return 0; 98 rcu_read_lock();
71 if (capable(CAP_SYS_PTRACE)) 99 if (!cap_issubset(__task_cred(child)->cap_permitted,
72 return 0; 100 current_cred()->cap_permitted) &&
73 return -EPERM; 101 !capable(CAP_SYS_PTRACE))
102 ret = -EPERM;
103 rcu_read_unlock();
104 return ret;
74} 105}
75 106
107/**
108 * cap_ptrace_traceme - Determine whether another process may trace the current
109 * @parent: The task proposed to be the tracer
110 *
111 * Determine whether the nominated task is permitted to trace the current
112 * process, returning 0 if permission is granted, -ve if denied.
113 */
76int cap_ptrace_traceme(struct task_struct *parent) 114int cap_ptrace_traceme(struct task_struct *parent)
77{ 115{
78 /* Derived from arch/i386/kernel/ptrace.c:sys_ptrace. */ 116 int ret = 0;
79 if (cap_issubset(current->cap_permitted, parent->cap_permitted)) 117
80 return 0; 118 rcu_read_lock();
81 if (has_capability(parent, CAP_SYS_PTRACE)) 119 if (!cap_issubset(current_cred()->cap_permitted,
82 return 0; 120 __task_cred(parent)->cap_permitted) &&
83 return -EPERM; 121 !has_capability(parent, CAP_SYS_PTRACE))
122 ret = -EPERM;
123 rcu_read_unlock();
124 return ret;
84} 125}
85 126
86int cap_capget (struct task_struct *target, kernel_cap_t *effective, 127/**
87 kernel_cap_t *inheritable, kernel_cap_t *permitted) 128 * cap_capget - Retrieve a task's capability sets
129 * @target: The task from which to retrieve the capability sets
130 * @effective: The place to record the effective set
131 * @inheritable: The place to record the inheritable set
132 * @permitted: The place to record the permitted set
133 *
134 * This function retrieves the capabilities of the nominated task and returns
135 * them to the caller.
136 */
137int cap_capget(struct task_struct *target, kernel_cap_t *effective,
138 kernel_cap_t *inheritable, kernel_cap_t *permitted)
88{ 139{
140 const struct cred *cred;
141
89 /* Derived from kernel/capability.c:sys_capget. */ 142 /* Derived from kernel/capability.c:sys_capget. */
90 *effective = target->cap_effective; 143 rcu_read_lock();
91 *inheritable = target->cap_inheritable; 144 cred = __task_cred(target);
92 *permitted = target->cap_permitted; 145 *effective = cred->cap_effective;
146 *inheritable = cred->cap_inheritable;
147 *permitted = cred->cap_permitted;
148 rcu_read_unlock();
93 return 0; 149 return 0;
94} 150}
95 151
96#ifdef CONFIG_SECURITY_FILE_CAPABILITIES 152/*
97 153 * Determine whether the inheritable capabilities are limited to the old
98static inline int cap_block_setpcap(struct task_struct *target) 154 * permitted set. Returns 1 if they are limited, 0 if they are not.
99{ 155 */
100 /*
101 * No support for remote process capability manipulation with
102 * filesystem capability support.
103 */
104 return (target != current);
105}
106
107static inline int cap_inh_is_capped(void) 156static inline int cap_inh_is_capped(void)
108{ 157{
109 /* 158#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
110 * Return 1 if changes to the inheritable set are limited
111 * to the old permitted set. That is, if the current task
112 * does *not* possess the CAP_SETPCAP capability.
113 */
114 return (cap_capable(current, CAP_SETPCAP) != 0);
115}
116
117static inline int cap_limit_ptraced_target(void) { return 1; }
118
119#else /* ie., ndef CONFIG_SECURITY_FILE_CAPABILITIES */
120 159
121static inline int cap_block_setpcap(struct task_struct *t) { return 0; } 160 /* they are so limited unless the current task has the CAP_SETPCAP
122static inline int cap_inh_is_capped(void) { return 1; } 161 * capability
123static inline int cap_limit_ptraced_target(void) 162 */
124{ 163 if (cap_capable(current, CAP_SETPCAP, SECURITY_CAP_AUDIT) == 0)
125 return !capable(CAP_SETPCAP); 164 return 0;
165#endif
166 return 1;
126} 167}
127 168
128#endif /* def CONFIG_SECURITY_FILE_CAPABILITIES */ 169/**
129 170 * cap_capset - Validate and apply proposed changes to current's capabilities
130int cap_capset_check (struct task_struct *target, kernel_cap_t *effective, 171 * @new: The proposed new credentials; alterations should be made here
131 kernel_cap_t *inheritable, kernel_cap_t *permitted) 172 * @old: The current task's current credentials
132{ 173 * @effective: A pointer to the proposed new effective capabilities set
133 if (cap_block_setpcap(target)) { 174 * @inheritable: A pointer to the proposed new inheritable capabilities set
134 return -EPERM; 175 * @permitted: A pointer to the proposed new permitted capabilities set
135 } 176 *
136 if (cap_inh_is_capped() 177 * This function validates and applies a proposed mass change to the current
137 && !cap_issubset(*inheritable, 178 * process's capability sets. The changes are made to the proposed new
138 cap_combine(target->cap_inheritable, 179 * credentials, and assuming no error, will be committed by the caller of LSM.
139 current->cap_permitted))) { 180 */
181int cap_capset(struct cred *new,
182 const struct cred *old,
183 const kernel_cap_t *effective,
184 const kernel_cap_t *inheritable,
185 const kernel_cap_t *permitted)
186{
187 if (cap_inh_is_capped() &&
188 !cap_issubset(*inheritable,
189 cap_combine(old->cap_inheritable,
190 old->cap_permitted)))
140 /* incapable of using this inheritable set */ 191 /* incapable of using this inheritable set */
141 return -EPERM; 192 return -EPERM;
142 } 193
143 if (!cap_issubset(*inheritable, 194 if (!cap_issubset(*inheritable,
144 cap_combine(target->cap_inheritable, 195 cap_combine(old->cap_inheritable,
145 current->cap_bset))) { 196 old->cap_bset)))
146 /* no new pI capabilities outside bounding set */ 197 /* no new pI capabilities outside bounding set */
147 return -EPERM; 198 return -EPERM;
148 }
149 199
150 /* verify restrictions on target's new Permitted set */ 200 /* verify restrictions on target's new Permitted set */
151 if (!cap_issubset (*permitted, 201 if (!cap_issubset(*permitted, old->cap_permitted))
152 cap_combine (target->cap_permitted,
153 current->cap_permitted))) {
154 return -EPERM; 202 return -EPERM;
155 }
156 203
157 /* verify the _new_Effective_ is a subset of the _new_Permitted_ */ 204 /* verify the _new_Effective_ is a subset of the _new_Permitted_ */
158 if (!cap_issubset (*effective, *permitted)) { 205 if (!cap_issubset(*effective, *permitted))
159 return -EPERM; 206 return -EPERM;
160 }
161 207
208 new->cap_effective = *effective;
209 new->cap_inheritable = *inheritable;
210 new->cap_permitted = *permitted;
162 return 0; 211 return 0;
163} 212}
164 213
165void cap_capset_set (struct task_struct *target, kernel_cap_t *effective, 214/*
166 kernel_cap_t *inheritable, kernel_cap_t *permitted) 215 * Clear proposed capability sets for execve().
167{ 216 */
168 target->cap_effective = *effective;
169 target->cap_inheritable = *inheritable;
170 target->cap_permitted = *permitted;
171}
172
173static inline void bprm_clear_caps(struct linux_binprm *bprm) 217static inline void bprm_clear_caps(struct linux_binprm *bprm)
174{ 218{
175 cap_clear(bprm->cap_post_exec_permitted); 219 cap_clear(bprm->cred->cap_permitted);
176 bprm->cap_effective = false; 220 bprm->cap_effective = false;
177} 221}
178 222
179#ifdef CONFIG_SECURITY_FILE_CAPABILITIES 223#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
180 224
225/**
226 * cap_inode_need_killpriv - Determine if inode change affects privileges
227 * @dentry: The inode/dentry in being changed with change marked ATTR_KILL_PRIV
228 *
229 * Determine if an inode having a change applied that's marked ATTR_KILL_PRIV
230 * affects the security markings on that inode, and if it is, should
231 * inode_killpriv() be invoked or the change rejected?
232 *
233 * Returns 0 if granted; +ve if granted, but inode_killpriv() is required; and
234 * -ve to deny the change.
235 */
181int cap_inode_need_killpriv(struct dentry *dentry) 236int cap_inode_need_killpriv(struct dentry *dentry)
182{ 237{
183 struct inode *inode = dentry->d_inode; 238 struct inode *inode = dentry->d_inode;
@@ -192,6 +247,14 @@ int cap_inode_need_killpriv(struct dentry *dentry)
192 return 1; 247 return 1;
193} 248}
194 249
250/**
251 * cap_inode_killpriv - Erase the security markings on an inode
252 * @dentry: The inode/dentry to alter
253 *
254 * Erase the privilege-enhancing security markings on an inode.
255 *
256 * Returns 0 if successful, -ve on error.
257 */
195int cap_inode_killpriv(struct dentry *dentry) 258int cap_inode_killpriv(struct dentry *dentry)
196{ 259{
197 struct inode *inode = dentry->d_inode; 260 struct inode *inode = dentry->d_inode;
@@ -202,19 +265,75 @@ int cap_inode_killpriv(struct dentry *dentry)
202 return inode->i_op->removexattr(dentry, XATTR_NAME_CAPS); 265 return inode->i_op->removexattr(dentry, XATTR_NAME_CAPS);
203} 266}
204 267
205static inline int cap_from_disk(struct vfs_cap_data *caps, 268/*
206 struct linux_binprm *bprm, unsigned size) 269 * Calculate the new process capability sets from the capability sets attached
270 * to a file.
271 */
272static inline int bprm_caps_from_vfs_caps(struct cpu_vfs_cap_data *caps,
273 struct linux_binprm *bprm,
274 bool *effective)
207{ 275{
276 struct cred *new = bprm->cred;
277 unsigned i;
278 int ret = 0;
279
280 if (caps->magic_etc & VFS_CAP_FLAGS_EFFECTIVE)
281 *effective = true;
282
283 CAP_FOR_EACH_U32(i) {
284 __u32 permitted = caps->permitted.cap[i];
285 __u32 inheritable = caps->inheritable.cap[i];
286
287 /*
288 * pP' = (X & fP) | (pI & fI)
289 */
290 new->cap_permitted.cap[i] =
291 (new->cap_bset.cap[i] & permitted) |
292 (new->cap_inheritable.cap[i] & inheritable);
293
294 if (permitted & ~new->cap_permitted.cap[i])
295 /* insufficient to execute correctly */
296 ret = -EPERM;
297 }
298
299 /*
300 * For legacy apps, with no internal support for recognizing they
301 * do not have enough capabilities, we return an error if they are
302 * missing some "forced" (aka file-permitted) capabilities.
303 */
304 return *effective ? ret : 0;
305}
306
307/*
308 * Extract the on-exec-apply capability sets for an executable file.
309 */
310int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps)
311{
312 struct inode *inode = dentry->d_inode;
208 __u32 magic_etc; 313 __u32 magic_etc;
209 unsigned tocopy, i; 314 unsigned tocopy, i;
210 int ret; 315 int size;
316 struct vfs_cap_data caps;
317
318 memset(cpu_caps, 0, sizeof(struct cpu_vfs_cap_data));
319
320 if (!inode || !inode->i_op || !inode->i_op->getxattr)
321 return -ENODATA;
322
323 size = inode->i_op->getxattr((struct dentry *)dentry, XATTR_NAME_CAPS, &caps,
324 XATTR_CAPS_SZ);
325 if (size == -ENODATA || size == -EOPNOTSUPP)
326 /* no data, that's ok */
327 return -ENODATA;
328 if (size < 0)
329 return size;
211 330
212 if (size < sizeof(magic_etc)) 331 if (size < sizeof(magic_etc))
213 return -EINVAL; 332 return -EINVAL;
214 333
215 magic_etc = le32_to_cpu(caps->magic_etc); 334 cpu_caps->magic_etc = magic_etc = le32_to_cpu(caps.magic_etc);
216 335
217 switch ((magic_etc & VFS_CAP_REVISION_MASK)) { 336 switch (magic_etc & VFS_CAP_REVISION_MASK) {
218 case VFS_CAP_REVISION_1: 337 case VFS_CAP_REVISION_1:
219 if (size != XATTR_CAPS_SZ_1) 338 if (size != XATTR_CAPS_SZ_1)
220 return -EINVAL; 339 return -EINVAL;
@@ -229,77 +348,48 @@ static inline int cap_from_disk(struct vfs_cap_data *caps,
229 return -EINVAL; 348 return -EINVAL;
230 } 349 }
231 350
232 if (magic_etc & VFS_CAP_FLAGS_EFFECTIVE) {
233 bprm->cap_effective = true;
234 } else {
235 bprm->cap_effective = false;
236 }
237
238 ret = 0;
239
240 CAP_FOR_EACH_U32(i) { 351 CAP_FOR_EACH_U32(i) {
241 __u32 value_cpu; 352 if (i >= tocopy)
242 353 break;
243 if (i >= tocopy) { 354 cpu_caps->permitted.cap[i] = le32_to_cpu(caps.data[i].permitted);
244 /* 355 cpu_caps->inheritable.cap[i] = le32_to_cpu(caps.data[i].inheritable);
245 * Legacy capability sets have no upper bits
246 */
247 bprm->cap_post_exec_permitted.cap[i] = 0;
248 continue;
249 }
250 /*
251 * pP' = (X & fP) | (pI & fI)
252 */
253 value_cpu = le32_to_cpu(caps->data[i].permitted);
254 bprm->cap_post_exec_permitted.cap[i] =
255 (current->cap_bset.cap[i] & value_cpu) |
256 (current->cap_inheritable.cap[i] &
257 le32_to_cpu(caps->data[i].inheritable));
258 if (value_cpu & ~bprm->cap_post_exec_permitted.cap[i]) {
259 /*
260 * insufficient to execute correctly
261 */
262 ret = -EPERM;
263 }
264 } 356 }
265 357
266 /* 358 return 0;
267 * For legacy apps, with no internal support for recognizing they
268 * do not have enough capabilities, we return an error if they are
269 * missing some "forced" (aka file-permitted) capabilities.
270 */
271 return bprm->cap_effective ? ret : 0;
272} 359}
273 360
274/* Locate any VFS capabilities: */ 361/*
275static int get_file_caps(struct linux_binprm *bprm) 362 * Attempt to get the on-exec apply capability sets for an executable file from
363 * its xattrs and, if present, apply them to the proposed credentials being
364 * constructed by execve().
365 */
366static int get_file_caps(struct linux_binprm *bprm, bool *effective)
276{ 367{
277 struct dentry *dentry; 368 struct dentry *dentry;
278 int rc = 0; 369 int rc = 0;
279 struct vfs_cap_data vcaps; 370 struct cpu_vfs_cap_data vcaps;
280 struct inode *inode;
281 371
282 bprm_clear_caps(bprm); 372 bprm_clear_caps(bprm);
283 373
374 if (!file_caps_enabled)
375 return 0;
376
284 if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID) 377 if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
285 return 0; 378 return 0;
286 379
287 dentry = dget(bprm->file->f_dentry); 380 dentry = dget(bprm->file->f_dentry);
288 inode = dentry->d_inode;
289 if (!inode->i_op || !inode->i_op->getxattr)
290 goto out;
291 381
292 rc = inode->i_op->getxattr(dentry, XATTR_NAME_CAPS, &vcaps, 382 rc = get_vfs_caps_from_disk(dentry, &vcaps);
293 XATTR_CAPS_SZ); 383 if (rc < 0) {
294 if (rc == -ENODATA || rc == -EOPNOTSUPP) { 384 if (rc == -EINVAL)
295 /* no data, that's ok */ 385 printk(KERN_NOTICE "%s: get_vfs_caps_from_disk returned %d for %s\n",
296 rc = 0; 386 __func__, rc, bprm->filename);
387 else if (rc == -ENODATA)
388 rc = 0;
297 goto out; 389 goto out;
298 } 390 }
299 if (rc < 0)
300 goto out;
301 391
302 rc = cap_from_disk(&vcaps, bprm, rc); 392 rc = bprm_caps_from_vfs_caps(&vcaps, bprm, effective);
303 if (rc == -EINVAL) 393 if (rc == -EINVAL)
304 printk(KERN_NOTICE "%s: cap_from_disk returned %d for %s\n", 394 printk(KERN_NOTICE "%s: cap_from_disk returned %d for %s\n",
305 __func__, rc, bprm->filename); 395 __func__, rc, bprm->filename);
@@ -323,18 +413,51 @@ int cap_inode_killpriv(struct dentry *dentry)
323 return 0; 413 return 0;
324} 414}
325 415
326static inline int get_file_caps(struct linux_binprm *bprm) 416static inline int get_file_caps(struct linux_binprm *bprm, bool *effective)
327{ 417{
328 bprm_clear_caps(bprm); 418 bprm_clear_caps(bprm);
329 return 0; 419 return 0;
330} 420}
331#endif 421#endif
332 422
333int cap_bprm_set_security (struct linux_binprm *bprm) 423/*
424 * Determine whether a exec'ing process's new permitted capabilities should be
425 * limited to just what it already has.
426 *
427 * This prevents processes that are being ptraced from gaining access to
428 * CAP_SETPCAP, unless the process they're tracing already has it, and the
429 * binary they're executing has filecaps that elevate it.
430 *
431 * Returns 1 if they should be limited, 0 if they are not.
432 */
433static inline int cap_limit_ptraced_target(void)
334{ 434{
435#ifndef CONFIG_SECURITY_FILE_CAPABILITIES
436 if (capable(CAP_SETPCAP))
437 return 0;
438#endif
439 return 1;
440}
441
442/**
443 * cap_bprm_set_creds - Set up the proposed credentials for execve().
444 * @bprm: The execution parameters, including the proposed creds
445 *
446 * Set up the proposed credentials for a new execution context being
447 * constructed by execve(). The proposed creds in @bprm->cred is altered,
448 * which won't take effect immediately. Returns 0 if successful, -ve on error.
449 */
450int cap_bprm_set_creds(struct linux_binprm *bprm)
451{
452 const struct cred *old = current_cred();
453 struct cred *new = bprm->cred;
454 bool effective;
335 int ret; 455 int ret;
336 456
337 ret = get_file_caps(bprm); 457 effective = false;
458 ret = get_file_caps(bprm, &effective);
459 if (ret < 0)
460 return ret;
338 461
339 if (!issecure(SECURE_NOROOT)) { 462 if (!issecure(SECURE_NOROOT)) {
340 /* 463 /*
@@ -342,75 +465,113 @@ int cap_bprm_set_security (struct linux_binprm *bprm)
342 * executables under compatibility mode, we override the 465 * executables under compatibility mode, we override the
343 * capability sets for the file. 466 * capability sets for the file.
344 * 467 *
345 * If only the real uid is 0, we do not set the effective 468 * If only the real uid is 0, we do not set the effective bit.
346 * bit.
347 */ 469 */
348 if (bprm->e_uid == 0 || current->uid == 0) { 470 if (new->euid == 0 || new->uid == 0) {
349 /* pP' = (cap_bset & ~0) | (pI & ~0) */ 471 /* pP' = (cap_bset & ~0) | (pI & ~0) */
350 bprm->cap_post_exec_permitted = cap_combine( 472 new->cap_permitted = cap_combine(old->cap_bset,
351 current->cap_bset, current->cap_inheritable 473 old->cap_inheritable);
352 );
353 bprm->cap_effective = (bprm->e_uid == 0);
354 ret = 0;
355 } 474 }
475 if (new->euid == 0)
476 effective = true;
356 } 477 }
357 478
358 return ret; 479 /* Don't let someone trace a set[ug]id/setpcap binary with the revised
359} 480 * credentials unless they have the appropriate permit
360 481 */
361void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe) 482 if ((new->euid != old->uid ||
362{ 483 new->egid != old->gid ||
363 if (bprm->e_uid != current->uid || bprm->e_gid != current->gid || 484 !cap_issubset(new->cap_permitted, old->cap_permitted)) &&
364 !cap_issubset(bprm->cap_post_exec_permitted, 485 bprm->unsafe & ~LSM_UNSAFE_PTRACE_CAP) {
365 current->cap_permitted)) { 486 /* downgrade; they get no more than they had, and maybe less */
366 set_dumpable(current->mm, suid_dumpable); 487 if (!capable(CAP_SETUID)) {
367 current->pdeath_signal = 0; 488 new->euid = new->uid;
368 489 new->egid = new->gid;
369 if (unsafe & ~LSM_UNSAFE_PTRACE_CAP) {
370 if (!capable(CAP_SETUID)) {
371 bprm->e_uid = current->uid;
372 bprm->e_gid = current->gid;
373 }
374 if (cap_limit_ptraced_target()) {
375 bprm->cap_post_exec_permitted = cap_intersect(
376 bprm->cap_post_exec_permitted,
377 current->cap_permitted);
378 }
379 } 490 }
491 if (cap_limit_ptraced_target())
492 new->cap_permitted = cap_intersect(new->cap_permitted,
493 old->cap_permitted);
380 } 494 }
381 495
382 current->suid = current->euid = current->fsuid = bprm->e_uid; 496 new->suid = new->fsuid = new->euid;
383 current->sgid = current->egid = current->fsgid = bprm->e_gid; 497 new->sgid = new->fsgid = new->egid;
384 498
385 /* For init, we want to retain the capabilities set 499 /* For init, we want to retain the capabilities set in the initial
386 * in the init_task struct. Thus we skip the usual 500 * task. Thus we skip the usual capability rules
387 * capability rules */ 501 */
388 if (!is_global_init(current)) { 502 if (!is_global_init(current)) {
389 current->cap_permitted = bprm->cap_post_exec_permitted; 503 if (effective)
390 if (bprm->cap_effective) 504 new->cap_effective = new->cap_permitted;
391 current->cap_effective = bprm->cap_post_exec_permitted;
392 else 505 else
393 cap_clear(current->cap_effective); 506 cap_clear(new->cap_effective);
394 } 507 }
508 bprm->cap_effective = effective;
395 509
396 /* AUD: Audit candidate if current->cap_effective is set */ 510 /*
511 * Audit candidate if current->cap_effective is set
512 *
513 * We do not bother to audit if 3 things are true:
514 * 1) cap_effective has all caps
515 * 2) we are root
516 * 3) root is supposed to have all caps (SECURE_NOROOT)
517 * Since this is just a normal root execing a process.
518 *
519 * Number 1 above might fail if you don't have a full bset, but I think
520 * that is interesting information to audit.
521 */
522 if (!cap_isclear(new->cap_effective)) {
523 if (!cap_issubset(CAP_FULL_SET, new->cap_effective) ||
524 new->euid != 0 || new->uid != 0 ||
525 issecure(SECURE_NOROOT)) {
526 ret = audit_log_bprm_fcaps(bprm, new, old);
527 if (ret < 0)
528 return ret;
529 }
530 }
397 531
398 current->securebits &= ~issecure_mask(SECURE_KEEP_CAPS); 532 new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS);
533 return 0;
399} 534}
400 535
401int cap_bprm_secureexec (struct linux_binprm *bprm) 536/**
537 * cap_bprm_secureexec - Determine whether a secure execution is required
538 * @bprm: The execution parameters
539 *
540 * Determine whether a secure execution is required, return 1 if it is, and 0
541 * if it is not.
542 *
543 * The credentials have been committed by this point, and so are no longer
544 * available through @bprm->cred.
545 */
546int cap_bprm_secureexec(struct linux_binprm *bprm)
402{ 547{
403 if (current->uid != 0) { 548 const struct cred *cred = current_cred();
549
550 if (cred->uid != 0) {
404 if (bprm->cap_effective) 551 if (bprm->cap_effective)
405 return 1; 552 return 1;
406 if (!cap_isclear(bprm->cap_post_exec_permitted)) 553 if (!cap_isclear(cred->cap_permitted))
407 return 1; 554 return 1;
408 } 555 }
409 556
410 return (current->euid != current->uid || 557 return (cred->euid != cred->uid ||
411 current->egid != current->gid); 558 cred->egid != cred->gid);
412} 559}
413 560
561/**
562 * cap_inode_setxattr - Determine whether an xattr may be altered
563 * @dentry: The inode/dentry being altered
564 * @name: The name of the xattr to be changed
565 * @value: The value that the xattr will be changed to
566 * @size: The size of value
567 * @flags: The replacement flag
568 *
569 * Determine whether an xattr may be altered or set on an inode, returning 0 if
570 * permission is granted, -ve if denied.
571 *
572 * This is used to make sure security xattrs don't get updated or set by those
573 * who aren't privileged to do so.
574 */
414int cap_inode_setxattr(struct dentry *dentry, const char *name, 575int cap_inode_setxattr(struct dentry *dentry, const char *name,
415 const void *value, size_t size, int flags) 576 const void *value, size_t size, int flags)
416{ 577{
@@ -418,28 +579,42 @@ int cap_inode_setxattr(struct dentry *dentry, const char *name,
418 if (!capable(CAP_SETFCAP)) 579 if (!capable(CAP_SETFCAP))
419 return -EPERM; 580 return -EPERM;
420 return 0; 581 return 0;
421 } else if (!strncmp(name, XATTR_SECURITY_PREFIX, 582 }
583
584 if (!strncmp(name, XATTR_SECURITY_PREFIX,
422 sizeof(XATTR_SECURITY_PREFIX) - 1) && 585 sizeof(XATTR_SECURITY_PREFIX) - 1) &&
423 !capable(CAP_SYS_ADMIN)) 586 !capable(CAP_SYS_ADMIN))
424 return -EPERM; 587 return -EPERM;
425 return 0; 588 return 0;
426} 589}
427 590
591/**
592 * cap_inode_removexattr - Determine whether an xattr may be removed
593 * @dentry: The inode/dentry being altered
594 * @name: The name of the xattr to be changed
595 *
596 * Determine whether an xattr may be removed from an inode, returning 0 if
597 * permission is granted, -ve if denied.
598 *
599 * This is used to make sure security xattrs don't get removed by those who
600 * aren't privileged to remove them.
601 */
428int cap_inode_removexattr(struct dentry *dentry, const char *name) 602int cap_inode_removexattr(struct dentry *dentry, const char *name)
429{ 603{
430 if (!strcmp(name, XATTR_NAME_CAPS)) { 604 if (!strcmp(name, XATTR_NAME_CAPS)) {
431 if (!capable(CAP_SETFCAP)) 605 if (!capable(CAP_SETFCAP))
432 return -EPERM; 606 return -EPERM;
433 return 0; 607 return 0;
434 } else if (!strncmp(name, XATTR_SECURITY_PREFIX, 608 }
609
610 if (!strncmp(name, XATTR_SECURITY_PREFIX,
435 sizeof(XATTR_SECURITY_PREFIX) - 1) && 611 sizeof(XATTR_SECURITY_PREFIX) - 1) &&
436 !capable(CAP_SYS_ADMIN)) 612 !capable(CAP_SYS_ADMIN))
437 return -EPERM; 613 return -EPERM;
438 return 0; 614 return 0;
439} 615}
440 616
441/* moved from kernel/sys.c. */ 617/*
442/*
443 * cap_emulate_setxuid() fixes the effective / permitted capabilities of 618 * cap_emulate_setxuid() fixes the effective / permitted capabilities of
444 * a process after a call to setuid, setreuid, or setresuid. 619 * a process after a call to setuid, setreuid, or setresuid.
445 * 620 *
@@ -453,10 +628,10 @@ int cap_inode_removexattr(struct dentry *dentry, const char *name)
453 * 3) When set*uiding _from_ euid != 0 _to_ euid == 0, the effective 628 * 3) When set*uiding _from_ euid != 0 _to_ euid == 0, the effective
454 * capabilities are set to the permitted capabilities. 629 * capabilities are set to the permitted capabilities.
455 * 630 *
456 * fsuid is handled elsewhere. fsuid == 0 and {r,e,s}uid!= 0 should 631 * fsuid is handled elsewhere. fsuid == 0 and {r,e,s}uid!= 0 should
457 * never happen. 632 * never happen.
458 * 633 *
459 * -astor 634 * -astor
460 * 635 *
461 * cevans - New behaviour, Oct '99 636 * cevans - New behaviour, Oct '99
462 * A process may, via prctl(), elect to keep its capabilities when it 637 * A process may, via prctl(), elect to keep its capabilities when it
@@ -468,61 +643,60 @@ int cap_inode_removexattr(struct dentry *dentry, const char *name)
468 * files.. 643 * files..
469 * Thanks to Olaf Kirch and Peter Benie for spotting this. 644 * Thanks to Olaf Kirch and Peter Benie for spotting this.
470 */ 645 */
471static inline void cap_emulate_setxuid (int old_ruid, int old_euid, 646static inline void cap_emulate_setxuid(struct cred *new, const struct cred *old)
472 int old_suid)
473{ 647{
474 if ((old_ruid == 0 || old_euid == 0 || old_suid == 0) && 648 if ((old->uid == 0 || old->euid == 0 || old->suid == 0) &&
475 (current->uid != 0 && current->euid != 0 && current->suid != 0) && 649 (new->uid != 0 && new->euid != 0 && new->suid != 0) &&
476 !issecure(SECURE_KEEP_CAPS)) { 650 !issecure(SECURE_KEEP_CAPS)) {
477 cap_clear (current->cap_permitted); 651 cap_clear(new->cap_permitted);
478 cap_clear (current->cap_effective); 652 cap_clear(new->cap_effective);
479 }
480 if (old_euid == 0 && current->euid != 0) {
481 cap_clear (current->cap_effective);
482 }
483 if (old_euid != 0 && current->euid == 0) {
484 current->cap_effective = current->cap_permitted;
485 } 653 }
654 if (old->euid == 0 && new->euid != 0)
655 cap_clear(new->cap_effective);
656 if (old->euid != 0 && new->euid == 0)
657 new->cap_effective = new->cap_permitted;
486} 658}
487 659
488int cap_task_post_setuid (uid_t old_ruid, uid_t old_euid, uid_t old_suid, 660/**
489 int flags) 661 * cap_task_fix_setuid - Fix up the results of setuid() call
662 * @new: The proposed credentials
663 * @old: The current task's current credentials
664 * @flags: Indications of what has changed
665 *
666 * Fix up the results of setuid() call before the credential changes are
667 * actually applied, returning 0 to grant the changes, -ve to deny them.
668 */
669int cap_task_fix_setuid(struct cred *new, const struct cred *old, int flags)
490{ 670{
491 switch (flags) { 671 switch (flags) {
492 case LSM_SETID_RE: 672 case LSM_SETID_RE:
493 case LSM_SETID_ID: 673 case LSM_SETID_ID:
494 case LSM_SETID_RES: 674 case LSM_SETID_RES:
495 /* Copied from kernel/sys.c:setreuid/setuid/setresuid. */ 675 /* juggle the capabilities to follow [RES]UID changes unless
496 if (!issecure (SECURE_NO_SETUID_FIXUP)) { 676 * otherwise suppressed */
497 cap_emulate_setxuid (old_ruid, old_euid, old_suid); 677 if (!issecure(SECURE_NO_SETUID_FIXUP))
498 } 678 cap_emulate_setxuid(new, old);
499 break; 679 break;
500 case LSM_SETID_FS:
501 {
502 uid_t old_fsuid = old_ruid;
503 680
504 /* Copied from kernel/sys.c:setfsuid. */ 681 case LSM_SETID_FS:
505 682 /* juggle the capabilties to follow FSUID changes, unless
506 /* 683 * otherwise suppressed
507 * FIXME - is fsuser used for all CAP_FS_MASK capabilities? 684 *
508 * if not, we might be a bit too harsh here. 685 * FIXME - is fsuser used for all CAP_FS_MASK capabilities?
509 */ 686 * if not, we might be a bit too harsh here.
510 687 */
511 if (!issecure (SECURE_NO_SETUID_FIXUP)) { 688 if (!issecure(SECURE_NO_SETUID_FIXUP)) {
512 if (old_fsuid == 0 && current->fsuid != 0) { 689 if (old->fsuid == 0 && new->fsuid != 0)
513 current->cap_effective = 690 new->cap_effective =
514 cap_drop_fs_set( 691 cap_drop_fs_set(new->cap_effective);
515 current->cap_effective); 692
516 } 693 if (old->fsuid != 0 && new->fsuid == 0)
517 if (old_fsuid != 0 && current->fsuid == 0) { 694 new->cap_effective =
518 current->cap_effective = 695 cap_raise_fs_set(new->cap_effective,
519 cap_raise_fs_set( 696 new->cap_permitted);
520 current->cap_effective,
521 current->cap_permitted);
522 }
523 }
524 break;
525 } 697 }
698 break;
699
526 default: 700 default:
527 return -EINVAL; 701 return -EINVAL;
528 } 702 }
@@ -543,42 +717,71 @@ int cap_task_post_setuid (uid_t old_ruid, uid_t old_euid, uid_t old_suid,
543 */ 717 */
544static int cap_safe_nice(struct task_struct *p) 718static int cap_safe_nice(struct task_struct *p)
545{ 719{
546 if (!cap_issubset(p->cap_permitted, current->cap_permitted) && 720 int is_subset;
547 !capable(CAP_SYS_NICE)) 721
722 rcu_read_lock();
723 is_subset = cap_issubset(__task_cred(p)->cap_permitted,
724 current_cred()->cap_permitted);
725 rcu_read_unlock();
726
727 if (!is_subset && !capable(CAP_SYS_NICE))
548 return -EPERM; 728 return -EPERM;
549 return 0; 729 return 0;
550} 730}
551 731
552int cap_task_setscheduler (struct task_struct *p, int policy, 732/**
733 * cap_task_setscheduler - Detemine if scheduler policy change is permitted
734 * @p: The task to affect
735 * @policy: The policy to effect
736 * @lp: The parameters to the scheduling policy
737 *
738 * Detemine if the requested scheduler policy change is permitted for the
739 * specified task, returning 0 if permission is granted, -ve if denied.
740 */
741int cap_task_setscheduler(struct task_struct *p, int policy,
553 struct sched_param *lp) 742 struct sched_param *lp)
554{ 743{
555 return cap_safe_nice(p); 744 return cap_safe_nice(p);
556} 745}
557 746
558int cap_task_setioprio (struct task_struct *p, int ioprio) 747/**
748 * cap_task_ioprio - Detemine if I/O priority change is permitted
749 * @p: The task to affect
750 * @ioprio: The I/O priority to set
751 *
752 * Detemine if the requested I/O priority change is permitted for the specified
753 * task, returning 0 if permission is granted, -ve if denied.
754 */
755int cap_task_setioprio(struct task_struct *p, int ioprio)
559{ 756{
560 return cap_safe_nice(p); 757 return cap_safe_nice(p);
561} 758}
562 759
563int cap_task_setnice (struct task_struct *p, int nice) 760/**
761 * cap_task_ioprio - Detemine if task priority change is permitted
762 * @p: The task to affect
763 * @nice: The nice value to set
764 *
765 * Detemine if the requested task priority change is permitted for the
766 * specified task, returning 0 if permission is granted, -ve if denied.
767 */
768int cap_task_setnice(struct task_struct *p, int nice)
564{ 769{
565 return cap_safe_nice(p); 770 return cap_safe_nice(p);
566} 771}
567 772
568/* 773/*
569 * called from kernel/sys.c for prctl(PR_CABSET_DROP) 774 * Implement PR_CAPBSET_DROP. Attempt to remove the specified capability from
570 * done without task_capability_lock() because it introduces 775 * the current task's bounding set. Returns 0 on success, -ve on error.
571 * no new races - i.e. only another task doing capget() on
572 * this task could get inconsistent info. There can be no
573 * racing writer bc a task can only change its own caps.
574 */ 776 */
575static long cap_prctl_drop(unsigned long cap) 777static long cap_prctl_drop(struct cred *new, unsigned long cap)
576{ 778{
577 if (!capable(CAP_SETPCAP)) 779 if (!capable(CAP_SETPCAP))
578 return -EPERM; 780 return -EPERM;
579 if (!cap_valid(cap)) 781 if (!cap_valid(cap))
580 return -EINVAL; 782 return -EINVAL;
581 cap_lower(current->cap_bset, cap); 783
784 cap_lower(new->cap_bset, cap);
582 return 0; 785 return 0;
583} 786}
584 787
@@ -598,22 +801,42 @@ int cap_task_setnice (struct task_struct *p, int nice)
598} 801}
599#endif 802#endif
600 803
804/**
805 * cap_task_prctl - Implement process control functions for this security module
806 * @option: The process control function requested
807 * @arg2, @arg3, @arg4, @arg5: The argument data for this function
808 *
809 * Allow process control functions (sys_prctl()) to alter capabilities; may
810 * also deny access to other functions not otherwise implemented here.
811 *
812 * Returns 0 or +ve on success, -ENOSYS if this function is not implemented
813 * here, other -ve on error. If -ENOSYS is returned, sys_prctl() and other LSM
814 * modules will consider performing the function.
815 */
601int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3, 816int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
602 unsigned long arg4, unsigned long arg5, long *rc_p) 817 unsigned long arg4, unsigned long arg5)
603{ 818{
819 struct cred *new;
604 long error = 0; 820 long error = 0;
605 821
822 new = prepare_creds();
823 if (!new)
824 return -ENOMEM;
825
606 switch (option) { 826 switch (option) {
607 case PR_CAPBSET_READ: 827 case PR_CAPBSET_READ:
828 error = -EINVAL;
608 if (!cap_valid(arg2)) 829 if (!cap_valid(arg2))
609 error = -EINVAL; 830 goto error;
610 else 831 error = !!cap_raised(new->cap_bset, arg2);
611 error = !!cap_raised(current->cap_bset, arg2); 832 goto no_change;
612 break; 833
613#ifdef CONFIG_SECURITY_FILE_CAPABILITIES 834#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
614 case PR_CAPBSET_DROP: 835 case PR_CAPBSET_DROP:
615 error = cap_prctl_drop(arg2); 836 error = cap_prctl_drop(new, arg2);
616 break; 837 if (error < 0)
838 goto error;
839 goto changed;
617 840
618 /* 841 /*
619 * The next four prctl's remain to assist with transitioning a 842 * The next four prctl's remain to assist with transitioning a
@@ -635,12 +858,12 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
635 * capability-based-privilege environment. 858 * capability-based-privilege environment.
636 */ 859 */
637 case PR_SET_SECUREBITS: 860 case PR_SET_SECUREBITS:
638 if ((((current->securebits & SECURE_ALL_LOCKS) >> 1) 861 error = -EPERM;
639 & (current->securebits ^ arg2)) /*[1]*/ 862 if ((((new->securebits & SECURE_ALL_LOCKS) >> 1)
640 || ((current->securebits & SECURE_ALL_LOCKS 863 & (new->securebits ^ arg2)) /*[1]*/
641 & ~arg2)) /*[2]*/ 864 || ((new->securebits & SECURE_ALL_LOCKS & ~arg2)) /*[2]*/
642 || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS)) /*[3]*/ 865 || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS)) /*[3]*/
643 || (cap_capable(current, CAP_SETPCAP) != 0)) { /*[4]*/ 866 || (cap_capable(current, CAP_SETPCAP, SECURITY_CAP_AUDIT) != 0) /*[4]*/
644 /* 867 /*
645 * [1] no changing of bits that are locked 868 * [1] no changing of bits that are locked
646 * [2] no unlocking of locks 869 * [2] no unlocking of locks
@@ -648,65 +871,80 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
648 * [4] doing anything requires privilege (go read about 871 * [4] doing anything requires privilege (go read about
649 * the "sendmail capabilities bug") 872 * the "sendmail capabilities bug")
650 */ 873 */
651 error = -EPERM; /* cannot change a locked bit */ 874 )
652 } else { 875 /* cannot change a locked bit */
653 current->securebits = arg2; 876 goto error;
654 } 877 new->securebits = arg2;
655 break; 878 goto changed;
879
656 case PR_GET_SECUREBITS: 880 case PR_GET_SECUREBITS:
657 error = current->securebits; 881 error = new->securebits;
658 break; 882 goto no_change;
659 883
660#endif /* def CONFIG_SECURITY_FILE_CAPABILITIES */ 884#endif /* def CONFIG_SECURITY_FILE_CAPABILITIES */
661 885
662 case PR_GET_KEEPCAPS: 886 case PR_GET_KEEPCAPS:
663 if (issecure(SECURE_KEEP_CAPS)) 887 if (issecure(SECURE_KEEP_CAPS))
664 error = 1; 888 error = 1;
665 break; 889 goto no_change;
890
666 case PR_SET_KEEPCAPS: 891 case PR_SET_KEEPCAPS:
892 error = -EINVAL;
667 if (arg2 > 1) /* Note, we rely on arg2 being unsigned here */ 893 if (arg2 > 1) /* Note, we rely on arg2 being unsigned here */
668 error = -EINVAL; 894 goto error;
669 else if (issecure(SECURE_KEEP_CAPS_LOCKED)) 895 error = -EPERM;
670 error = -EPERM; 896 if (issecure(SECURE_KEEP_CAPS_LOCKED))
671 else if (arg2) 897 goto error;
672 current->securebits |= issecure_mask(SECURE_KEEP_CAPS); 898 if (arg2)
899 new->securebits |= issecure_mask(SECURE_KEEP_CAPS);
673 else 900 else
674 current->securebits &= 901 new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS);
675 ~issecure_mask(SECURE_KEEP_CAPS); 902 goto changed;
676 break;
677 903
678 default: 904 default:
679 /* No functionality available - continue with default */ 905 /* No functionality available - continue with default */
680 return 0; 906 error = -ENOSYS;
907 goto error;
681 } 908 }
682 909
683 /* Functionality provided */ 910 /* Functionality provided */
684 *rc_p = error; 911changed:
685 return 1; 912 return commit_creds(new);
686}
687 913
688void cap_task_reparent_to_init (struct task_struct *p) 914no_change:
689{ 915 error = 0;
690 cap_set_init_eff(p->cap_effective); 916error:
691 cap_clear(p->cap_inheritable); 917 abort_creds(new);
692 cap_set_full(p->cap_permitted); 918 return error;
693 p->securebits = SECUREBITS_DEFAULT;
694 return;
695} 919}
696 920
697int cap_syslog (int type) 921/**
922 * cap_syslog - Determine whether syslog function is permitted
923 * @type: Function requested
924 *
925 * Determine whether the current process is permitted to use a particular
926 * syslog function, returning 0 if permission is granted, -ve if not.
927 */
928int cap_syslog(int type)
698{ 929{
699 if ((type != 3 && type != 10) && !capable(CAP_SYS_ADMIN)) 930 if ((type != 3 && type != 10) && !capable(CAP_SYS_ADMIN))
700 return -EPERM; 931 return -EPERM;
701 return 0; 932 return 0;
702} 933}
703 934
935/**
936 * cap_vm_enough_memory - Determine whether a new virtual mapping is permitted
937 * @mm: The VM space in which the new mapping is to be made
938 * @pages: The size of the mapping
939 *
940 * Determine whether the allocation of a new virtual mapping by the current
941 * task is permitted, returning 0 if permission is granted, -ve if not.
942 */
704int cap_vm_enough_memory(struct mm_struct *mm, long pages) 943int cap_vm_enough_memory(struct mm_struct *mm, long pages)
705{ 944{
706 int cap_sys_admin = 0; 945 int cap_sys_admin = 0;
707 946
708 if (cap_capable(current, CAP_SYS_ADMIN) == 0) 947 if (cap_capable(current, CAP_SYS_ADMIN, SECURITY_CAP_NOAUDIT) == 0)
709 cap_sys_admin = 1; 948 cap_sys_admin = 1;
710 return __vm_enough_memory(mm, pages, cap_sys_admin); 949 return __vm_enough_memory(mm, pages, cap_sys_admin);
711} 950}
712
diff --git a/security/keys/internal.h b/security/keys/internal.h
index 239098f0fd76..81932abefe7b 100644
--- a/security/keys/internal.h
+++ b/security/keys/internal.h
@@ -12,8 +12,8 @@
12#ifndef _INTERNAL_H 12#ifndef _INTERNAL_H
13#define _INTERNAL_H 13#define _INTERNAL_H
14 14
15#include <linux/sched.h>
15#include <linux/key-type.h> 16#include <linux/key-type.h>
16#include <linux/key-ui.h>
17 17
18static inline __attribute__((format(printf, 1, 2))) 18static inline __attribute__((format(printf, 1, 2)))
19void no_printk(const char *fmt, ...) 19void no_printk(const char *fmt, ...)
@@ -26,7 +26,7 @@ void no_printk(const char *fmt, ...)
26#define kleave(FMT, ...) \ 26#define kleave(FMT, ...) \
27 printk(KERN_DEBUG "<== %s()"FMT"\n", __func__, ##__VA_ARGS__) 27 printk(KERN_DEBUG "<== %s()"FMT"\n", __func__, ##__VA_ARGS__)
28#define kdebug(FMT, ...) \ 28#define kdebug(FMT, ...) \
29 printk(KERN_DEBUG "xxx" FMT"yyy\n", ##__VA_ARGS__) 29 printk(KERN_DEBUG " "FMT"\n", ##__VA_ARGS__)
30#else 30#else
31#define kenter(FMT, ...) \ 31#define kenter(FMT, ...) \
32 no_printk(KERN_DEBUG "==> %s("FMT")\n", __func__, ##__VA_ARGS__) 32 no_printk(KERN_DEBUG "==> %s("FMT")\n", __func__, ##__VA_ARGS__)
@@ -82,6 +82,9 @@ extern struct mutex key_construction_mutex;
82extern wait_queue_head_t request_key_conswq; 82extern wait_queue_head_t request_key_conswq;
83 83
84 84
85extern struct key_type *key_type_lookup(const char *type);
86extern void key_type_put(struct key_type *ktype);
87
85extern int __key_link(struct key *keyring, struct key *key); 88extern int __key_link(struct key *keyring, struct key *key);
86 89
87extern key_ref_t __keyring_search_one(key_ref_t keyring_ref, 90extern key_ref_t __keyring_search_one(key_ref_t keyring_ref,
@@ -95,7 +98,7 @@ extern struct key *keyring_search_instkey(struct key *keyring,
95typedef int (*key_match_func_t)(const struct key *, const void *); 98typedef int (*key_match_func_t)(const struct key *, const void *);
96 99
97extern key_ref_t keyring_search_aux(key_ref_t keyring_ref, 100extern key_ref_t keyring_search_aux(key_ref_t keyring_ref,
98 struct task_struct *tsk, 101 const struct cred *cred,
99 struct key_type *type, 102 struct key_type *type,
100 const void *description, 103 const void *description,
101 key_match_func_t match); 104 key_match_func_t match);
@@ -103,13 +106,13 @@ extern key_ref_t keyring_search_aux(key_ref_t keyring_ref,
103extern key_ref_t search_process_keyrings(struct key_type *type, 106extern key_ref_t search_process_keyrings(struct key_type *type,
104 const void *description, 107 const void *description,
105 key_match_func_t match, 108 key_match_func_t match,
106 struct task_struct *tsk); 109 const struct cred *cred);
107 110
108extern struct key *find_keyring_by_name(const char *name, bool skip_perm_check); 111extern struct key *find_keyring_by_name(const char *name, bool skip_perm_check);
109 112
110extern int install_user_keyrings(struct task_struct *tsk); 113extern int install_user_keyrings(void);
111extern int install_thread_keyring(struct task_struct *tsk); 114extern int install_thread_keyring_to_cred(struct cred *);
112extern int install_process_keyring(struct task_struct *tsk); 115extern int install_process_keyring_to_cred(struct cred *);
113 116
114extern struct key *request_key_and_link(struct key_type *type, 117extern struct key *request_key_and_link(struct key_type *type,
115 const char *description, 118 const char *description,
@@ -119,12 +122,39 @@ extern struct key *request_key_and_link(struct key_type *type,
119 struct key *dest_keyring, 122 struct key *dest_keyring,
120 unsigned long flags); 123 unsigned long flags);
121 124
125extern key_ref_t lookup_user_key(key_serial_t id, int create, int partial,
126 key_perm_t perm);
127
128extern long join_session_keyring(const char *name);
129
130/*
131 * check to see whether permission is granted to use a key in the desired way
132 */
133extern int key_task_permission(const key_ref_t key_ref,
134 const struct cred *cred,
135 key_perm_t perm);
136
137static inline int key_permission(const key_ref_t key_ref, key_perm_t perm)
138{
139 return key_task_permission(key_ref, current_cred(), perm);
140}
141
142/* required permissions */
143#define KEY_VIEW 0x01 /* require permission to view attributes */
144#define KEY_READ 0x02 /* require permission to read content */
145#define KEY_WRITE 0x04 /* require permission to update / modify */
146#define KEY_SEARCH 0x08 /* require permission to search (keyring) or find (key) */
147#define KEY_LINK 0x10 /* require permission to link */
148#define KEY_SETATTR 0x20 /* require permission to change attributes */
149#define KEY_ALL 0x3f /* all the above permissions */
150
122/* 151/*
123 * request_key authorisation 152 * request_key authorisation
124 */ 153 */
125struct request_key_auth { 154struct request_key_auth {
126 struct key *target_key; 155 struct key *target_key;
127 struct task_struct *context; 156 struct key *dest_keyring;
157 const struct cred *cred;
128 void *callout_info; 158 void *callout_info;
129 size_t callout_len; 159 size_t callout_len;
130 pid_t pid; 160 pid_t pid;
@@ -133,7 +163,8 @@ struct request_key_auth {
133extern struct key_type key_type_request_key_auth; 163extern struct key_type key_type_request_key_auth;
134extern struct key *request_key_auth_new(struct key *target, 164extern struct key *request_key_auth_new(struct key *target,
135 const void *callout_info, 165 const void *callout_info,
136 size_t callout_len); 166 size_t callout_len,
167 struct key *dest_keyring);
137 168
138extern struct key *key_get_instantiation_authkey(key_serial_t target_id); 169extern struct key *key_get_instantiation_authkey(key_serial_t target_id);
139 170
diff --git a/security/keys/key.c b/security/keys/key.c
index 14948cf83ef6..f76c8a546fd3 100644
--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -218,7 +218,7 @@ serial_exists:
218 * instantiate the key or discard it before returning 218 * instantiate the key or discard it before returning
219 */ 219 */
220struct key *key_alloc(struct key_type *type, const char *desc, 220struct key *key_alloc(struct key_type *type, const char *desc,
221 uid_t uid, gid_t gid, struct task_struct *ctx, 221 uid_t uid, gid_t gid, const struct cred *cred,
222 key_perm_t perm, unsigned long flags) 222 key_perm_t perm, unsigned long flags)
223{ 223{
224 struct key_user *user = NULL; 224 struct key_user *user = NULL;
@@ -294,7 +294,7 @@ struct key *key_alloc(struct key_type *type, const char *desc,
294#endif 294#endif
295 295
296 /* let the security module know about the key */ 296 /* let the security module know about the key */
297 ret = security_key_alloc(key, ctx, flags); 297 ret = security_key_alloc(key, cred, flags);
298 if (ret < 0) 298 if (ret < 0)
299 goto security_error; 299 goto security_error;
300 300
@@ -391,7 +391,7 @@ static int __key_instantiate_and_link(struct key *key,
391 const void *data, 391 const void *data,
392 size_t datalen, 392 size_t datalen,
393 struct key *keyring, 393 struct key *keyring,
394 struct key *instkey) 394 struct key *authkey)
395{ 395{
396 int ret, awaken; 396 int ret, awaken;
397 397
@@ -421,8 +421,8 @@ static int __key_instantiate_and_link(struct key *key,
421 ret = __key_link(keyring, key); 421 ret = __key_link(keyring, key);
422 422
423 /* disable the authorisation key */ 423 /* disable the authorisation key */
424 if (instkey) 424 if (authkey)
425 key_revoke(instkey); 425 key_revoke(authkey);
426 } 426 }
427 } 427 }
428 428
@@ -444,14 +444,14 @@ int key_instantiate_and_link(struct key *key,
444 const void *data, 444 const void *data,
445 size_t datalen, 445 size_t datalen,
446 struct key *keyring, 446 struct key *keyring,
447 struct key *instkey) 447 struct key *authkey)
448{ 448{
449 int ret; 449 int ret;
450 450
451 if (keyring) 451 if (keyring)
452 down_write(&keyring->sem); 452 down_write(&keyring->sem);
453 453
454 ret = __key_instantiate_and_link(key, data, datalen, keyring, instkey); 454 ret = __key_instantiate_and_link(key, data, datalen, keyring, authkey);
455 455
456 if (keyring) 456 if (keyring)
457 up_write(&keyring->sem); 457 up_write(&keyring->sem);
@@ -469,7 +469,7 @@ EXPORT_SYMBOL(key_instantiate_and_link);
469int key_negate_and_link(struct key *key, 469int key_negate_and_link(struct key *key,
470 unsigned timeout, 470 unsigned timeout,
471 struct key *keyring, 471 struct key *keyring,
472 struct key *instkey) 472 struct key *authkey)
473{ 473{
474 struct timespec now; 474 struct timespec now;
475 int ret, awaken; 475 int ret, awaken;
@@ -504,8 +504,8 @@ int key_negate_and_link(struct key *key,
504 ret = __key_link(keyring, key); 504 ret = __key_link(keyring, key);
505 505
506 /* disable the authorisation key */ 506 /* disable the authorisation key */
507 if (instkey) 507 if (authkey)
508 key_revoke(instkey); 508 key_revoke(authkey);
509 } 509 }
510 510
511 mutex_unlock(&key_construction_mutex); 511 mutex_unlock(&key_construction_mutex);
@@ -743,6 +743,7 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
743 key_perm_t perm, 743 key_perm_t perm,
744 unsigned long flags) 744 unsigned long flags)
745{ 745{
746 const struct cred *cred = current_cred();
746 struct key_type *ktype; 747 struct key_type *ktype;
747 struct key *keyring, *key = NULL; 748 struct key *keyring, *key = NULL;
748 key_ref_t key_ref; 749 key_ref_t key_ref;
@@ -802,8 +803,8 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
802 } 803 }
803 804
804 /* allocate a new key */ 805 /* allocate a new key */
805 key = key_alloc(ktype, description, current->fsuid, current->fsgid, 806 key = key_alloc(ktype, description, cred->fsuid, cred->fsgid, cred,
806 current, perm, flags); 807 perm, flags);
807 if (IS_ERR(key)) { 808 if (IS_ERR(key)) {
808 key_ref = ERR_CAST(key); 809 key_ref = ERR_CAST(key);
809 goto error_3; 810 goto error_3;
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index acc9c89e40a8..7c72baa02f2e 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -103,7 +103,7 @@ asmlinkage long sys_add_key(const char __user *_type,
103 } 103 }
104 104
105 /* find the target keyring (which must be writable) */ 105 /* find the target keyring (which must be writable) */
106 keyring_ref = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE); 106 keyring_ref = lookup_user_key(ringid, 1, 0, KEY_WRITE);
107 if (IS_ERR(keyring_ref)) { 107 if (IS_ERR(keyring_ref)) {
108 ret = PTR_ERR(keyring_ref); 108 ret = PTR_ERR(keyring_ref);
109 goto error3; 109 goto error3;
@@ -185,7 +185,7 @@ asmlinkage long sys_request_key(const char __user *_type,
185 /* get the destination keyring if specified */ 185 /* get the destination keyring if specified */
186 dest_ref = NULL; 186 dest_ref = NULL;
187 if (destringid) { 187 if (destringid) {
188 dest_ref = lookup_user_key(NULL, destringid, 1, 0, KEY_WRITE); 188 dest_ref = lookup_user_key(destringid, 1, 0, KEY_WRITE);
189 if (IS_ERR(dest_ref)) { 189 if (IS_ERR(dest_ref)) {
190 ret = PTR_ERR(dest_ref); 190 ret = PTR_ERR(dest_ref);
191 goto error3; 191 goto error3;
@@ -235,7 +235,7 @@ long keyctl_get_keyring_ID(key_serial_t id, int create)
235 key_ref_t key_ref; 235 key_ref_t key_ref;
236 long ret; 236 long ret;
237 237
238 key_ref = lookup_user_key(NULL, id, create, 0, KEY_SEARCH); 238 key_ref = lookup_user_key(id, create, 0, KEY_SEARCH);
239 if (IS_ERR(key_ref)) { 239 if (IS_ERR(key_ref)) {
240 ret = PTR_ERR(key_ref); 240 ret = PTR_ERR(key_ref);
241 goto error; 241 goto error;
@@ -308,7 +308,7 @@ long keyctl_update_key(key_serial_t id,
308 } 308 }
309 309
310 /* find the target key (which must be writable) */ 310 /* find the target key (which must be writable) */
311 key_ref = lookup_user_key(NULL, id, 0, 0, KEY_WRITE); 311 key_ref = lookup_user_key(id, 0, 0, KEY_WRITE);
312 if (IS_ERR(key_ref)) { 312 if (IS_ERR(key_ref)) {
313 ret = PTR_ERR(key_ref); 313 ret = PTR_ERR(key_ref);
314 goto error2; 314 goto error2;
@@ -336,7 +336,7 @@ long keyctl_revoke_key(key_serial_t id)
336 key_ref_t key_ref; 336 key_ref_t key_ref;
337 long ret; 337 long ret;
338 338
339 key_ref = lookup_user_key(NULL, id, 0, 0, KEY_WRITE); 339 key_ref = lookup_user_key(id, 0, 0, KEY_WRITE);
340 if (IS_ERR(key_ref)) { 340 if (IS_ERR(key_ref)) {
341 ret = PTR_ERR(key_ref); 341 ret = PTR_ERR(key_ref);
342 goto error; 342 goto error;
@@ -362,7 +362,7 @@ long keyctl_keyring_clear(key_serial_t ringid)
362 key_ref_t keyring_ref; 362 key_ref_t keyring_ref;
363 long ret; 363 long ret;
364 364
365 keyring_ref = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE); 365 keyring_ref = lookup_user_key(ringid, 1, 0, KEY_WRITE);
366 if (IS_ERR(keyring_ref)) { 366 if (IS_ERR(keyring_ref)) {
367 ret = PTR_ERR(keyring_ref); 367 ret = PTR_ERR(keyring_ref);
368 goto error; 368 goto error;
@@ -388,13 +388,13 @@ long keyctl_keyring_link(key_serial_t id, key_serial_t ringid)
388 key_ref_t keyring_ref, key_ref; 388 key_ref_t keyring_ref, key_ref;
389 long ret; 389 long ret;
390 390
391 keyring_ref = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE); 391 keyring_ref = lookup_user_key(ringid, 1, 0, KEY_WRITE);
392 if (IS_ERR(keyring_ref)) { 392 if (IS_ERR(keyring_ref)) {
393 ret = PTR_ERR(keyring_ref); 393 ret = PTR_ERR(keyring_ref);
394 goto error; 394 goto error;
395 } 395 }
396 396
397 key_ref = lookup_user_key(NULL, id, 1, 0, KEY_LINK); 397 key_ref = lookup_user_key(id, 1, 0, KEY_LINK);
398 if (IS_ERR(key_ref)) { 398 if (IS_ERR(key_ref)) {
399 ret = PTR_ERR(key_ref); 399 ret = PTR_ERR(key_ref);
400 goto error2; 400 goto error2;
@@ -422,13 +422,13 @@ long keyctl_keyring_unlink(key_serial_t id, key_serial_t ringid)
422 key_ref_t keyring_ref, key_ref; 422 key_ref_t keyring_ref, key_ref;
423 long ret; 423 long ret;
424 424
425 keyring_ref = lookup_user_key(NULL, ringid, 0, 0, KEY_WRITE); 425 keyring_ref = lookup_user_key(ringid, 0, 0, KEY_WRITE);
426 if (IS_ERR(keyring_ref)) { 426 if (IS_ERR(keyring_ref)) {
427 ret = PTR_ERR(keyring_ref); 427 ret = PTR_ERR(keyring_ref);
428 goto error; 428 goto error;
429 } 429 }
430 430
431 key_ref = lookup_user_key(NULL, id, 0, 0, 0); 431 key_ref = lookup_user_key(id, 0, 0, 0);
432 if (IS_ERR(key_ref)) { 432 if (IS_ERR(key_ref)) {
433 ret = PTR_ERR(key_ref); 433 ret = PTR_ERR(key_ref);
434 goto error2; 434 goto error2;
@@ -464,7 +464,7 @@ long keyctl_describe_key(key_serial_t keyid,
464 char *tmpbuf; 464 char *tmpbuf;
465 long ret; 465 long ret;
466 466
467 key_ref = lookup_user_key(NULL, keyid, 0, 1, KEY_VIEW); 467 key_ref = lookup_user_key(keyid, 0, 1, KEY_VIEW);
468 if (IS_ERR(key_ref)) { 468 if (IS_ERR(key_ref)) {
469 /* viewing a key under construction is permitted if we have the 469 /* viewing a key under construction is permitted if we have the
470 * authorisation token handy */ 470 * authorisation token handy */
@@ -472,7 +472,7 @@ long keyctl_describe_key(key_serial_t keyid,
472 instkey = key_get_instantiation_authkey(keyid); 472 instkey = key_get_instantiation_authkey(keyid);
473 if (!IS_ERR(instkey)) { 473 if (!IS_ERR(instkey)) {
474 key_put(instkey); 474 key_put(instkey);
475 key_ref = lookup_user_key(NULL, keyid, 475 key_ref = lookup_user_key(keyid,
476 0, 1, 0); 476 0, 1, 0);
477 if (!IS_ERR(key_ref)) 477 if (!IS_ERR(key_ref))
478 goto okay; 478 goto okay;
@@ -557,7 +557,7 @@ long keyctl_keyring_search(key_serial_t ringid,
557 } 557 }
558 558
559 /* get the keyring at which to begin the search */ 559 /* get the keyring at which to begin the search */
560 keyring_ref = lookup_user_key(NULL, ringid, 0, 0, KEY_SEARCH); 560 keyring_ref = lookup_user_key(ringid, 0, 0, KEY_SEARCH);
561 if (IS_ERR(keyring_ref)) { 561 if (IS_ERR(keyring_ref)) {
562 ret = PTR_ERR(keyring_ref); 562 ret = PTR_ERR(keyring_ref);
563 goto error2; 563 goto error2;
@@ -566,7 +566,7 @@ long keyctl_keyring_search(key_serial_t ringid,
566 /* get the destination keyring if specified */ 566 /* get the destination keyring if specified */
567 dest_ref = NULL; 567 dest_ref = NULL;
568 if (destringid) { 568 if (destringid) {
569 dest_ref = lookup_user_key(NULL, destringid, 1, 0, KEY_WRITE); 569 dest_ref = lookup_user_key(destringid, 1, 0, KEY_WRITE);
570 if (IS_ERR(dest_ref)) { 570 if (IS_ERR(dest_ref)) {
571 ret = PTR_ERR(dest_ref); 571 ret = PTR_ERR(dest_ref);
572 goto error3; 572 goto error3;
@@ -636,7 +636,7 @@ long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen)
636 long ret; 636 long ret;
637 637
638 /* find the key first */ 638 /* find the key first */
639 key_ref = lookup_user_key(NULL, keyid, 0, 0, 0); 639 key_ref = lookup_user_key(keyid, 0, 0, 0);
640 if (IS_ERR(key_ref)) { 640 if (IS_ERR(key_ref)) {
641 ret = -ENOKEY; 641 ret = -ENOKEY;
642 goto error; 642 goto error;
@@ -699,7 +699,7 @@ long keyctl_chown_key(key_serial_t id, uid_t uid, gid_t gid)
699 if (uid == (uid_t) -1 && gid == (gid_t) -1) 699 if (uid == (uid_t) -1 && gid == (gid_t) -1)
700 goto error; 700 goto error;
701 701
702 key_ref = lookup_user_key(NULL, id, 1, 1, KEY_SETATTR); 702 key_ref = lookup_user_key(id, 1, 1, KEY_SETATTR);
703 if (IS_ERR(key_ref)) { 703 if (IS_ERR(key_ref)) {
704 ret = PTR_ERR(key_ref); 704 ret = PTR_ERR(key_ref);
705 goto error; 705 goto error;
@@ -804,7 +804,7 @@ long keyctl_setperm_key(key_serial_t id, key_perm_t perm)
804 if (perm & ~(KEY_POS_ALL | KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL)) 804 if (perm & ~(KEY_POS_ALL | KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL))
805 goto error; 805 goto error;
806 806
807 key_ref = lookup_user_key(NULL, id, 1, 1, KEY_SETATTR); 807 key_ref = lookup_user_key(id, 1, 1, KEY_SETATTR);
808 if (IS_ERR(key_ref)) { 808 if (IS_ERR(key_ref)) {
809 ret = PTR_ERR(key_ref); 809 ret = PTR_ERR(key_ref);
810 goto error; 810 goto error;
@@ -817,7 +817,7 @@ long keyctl_setperm_key(key_serial_t id, key_perm_t perm)
817 down_write(&key->sem); 817 down_write(&key->sem);
818 818
819 /* if we're not the sysadmin, we can only change a key that we own */ 819 /* if we're not the sysadmin, we can only change a key that we own */
820 if (capable(CAP_SYS_ADMIN) || key->uid == current->fsuid) { 820 if (capable(CAP_SYS_ADMIN) || key->uid == current_fsuid()) {
821 key->perm = perm; 821 key->perm = perm;
822 ret = 0; 822 ret = 0;
823 } 823 }
@@ -829,6 +829,60 @@ error:
829 829
830} /* end keyctl_setperm_key() */ 830} /* end keyctl_setperm_key() */
831 831
832/*
833 * get the destination keyring for instantiation
834 */
835static long get_instantiation_keyring(key_serial_t ringid,
836 struct request_key_auth *rka,
837 struct key **_dest_keyring)
838{
839 key_ref_t dkref;
840
841 /* just return a NULL pointer if we weren't asked to make a link */
842 if (ringid == 0) {
843 *_dest_keyring = NULL;
844 return 0;
845 }
846
847 /* if a specific keyring is nominated by ID, then use that */
848 if (ringid > 0) {
849 dkref = lookup_user_key(ringid, 1, 0, KEY_WRITE);
850 if (IS_ERR(dkref))
851 return PTR_ERR(dkref);
852 *_dest_keyring = key_ref_to_ptr(dkref);
853 return 0;
854 }
855
856 if (ringid == KEY_SPEC_REQKEY_AUTH_KEY)
857 return -EINVAL;
858
859 /* otherwise specify the destination keyring recorded in the
860 * authorisation key (any KEY_SPEC_*_KEYRING) */
861 if (ringid >= KEY_SPEC_REQUESTOR_KEYRING) {
862 *_dest_keyring = rka->dest_keyring;
863 return 0;
864 }
865
866 return -ENOKEY;
867}
868
869/*
870 * change the request_key authorisation key on the current process
871 */
872static int keyctl_change_reqkey_auth(struct key *key)
873{
874 struct cred *new;
875
876 new = prepare_creds();
877 if (!new)
878 return -ENOMEM;
879
880 key_put(new->request_key_auth);
881 new->request_key_auth = key_get(key);
882
883 return commit_creds(new);
884}
885
832/*****************************************************************************/ 886/*****************************************************************************/
833/* 887/*
834 * instantiate the key with the specified payload, and, if one is given, link 888 * instantiate the key with the specified payload, and, if one is given, link
@@ -839,13 +893,15 @@ long keyctl_instantiate_key(key_serial_t id,
839 size_t plen, 893 size_t plen,
840 key_serial_t ringid) 894 key_serial_t ringid)
841{ 895{
896 const struct cred *cred = current_cred();
842 struct request_key_auth *rka; 897 struct request_key_auth *rka;
843 struct key *instkey; 898 struct key *instkey, *dest_keyring;
844 key_ref_t keyring_ref;
845 void *payload; 899 void *payload;
846 long ret; 900 long ret;
847 bool vm = false; 901 bool vm = false;
848 902
903 kenter("%d,,%zu,%d", id, plen, ringid);
904
849 ret = -EINVAL; 905 ret = -EINVAL;
850 if (plen > 1024 * 1024 - 1) 906 if (plen > 1024 * 1024 - 1)
851 goto error; 907 goto error;
@@ -853,7 +909,7 @@ long keyctl_instantiate_key(key_serial_t id,
853 /* the appropriate instantiation authorisation key must have been 909 /* the appropriate instantiation authorisation key must have been
854 * assumed before calling this */ 910 * assumed before calling this */
855 ret = -EPERM; 911 ret = -EPERM;
856 instkey = current->request_key_auth; 912 instkey = cred->request_key_auth;
857 if (!instkey) 913 if (!instkey)
858 goto error; 914 goto error;
859 915
@@ -883,28 +939,20 @@ long keyctl_instantiate_key(key_serial_t id,
883 939
884 /* find the destination keyring amongst those belonging to the 940 /* find the destination keyring amongst those belonging to the
885 * requesting task */ 941 * requesting task */
886 keyring_ref = NULL; 942 ret = get_instantiation_keyring(ringid, rka, &dest_keyring);
887 if (ringid) { 943 if (ret < 0)
888 keyring_ref = lookup_user_key(rka->context, ringid, 1, 0, 944 goto error2;
889 KEY_WRITE);
890 if (IS_ERR(keyring_ref)) {
891 ret = PTR_ERR(keyring_ref);
892 goto error2;
893 }
894 }
895 945
896 /* instantiate the key and link it into a keyring */ 946 /* instantiate the key and link it into a keyring */
897 ret = key_instantiate_and_link(rka->target_key, payload, plen, 947 ret = key_instantiate_and_link(rka->target_key, payload, plen,
898 key_ref_to_ptr(keyring_ref), instkey); 948 dest_keyring, instkey);
899 949
900 key_ref_put(keyring_ref); 950 key_put(dest_keyring);
901 951
902 /* discard the assumed authority if it's just been disabled by 952 /* discard the assumed authority if it's just been disabled by
903 * instantiation of the key */ 953 * instantiation of the key */
904 if (ret == 0) { 954 if (ret == 0)
905 key_put(current->request_key_auth); 955 keyctl_change_reqkey_auth(NULL);
906 current->request_key_auth = NULL;
907 }
908 956
909error2: 957error2:
910 if (!vm) 958 if (!vm)
@@ -923,15 +971,17 @@ error:
923 */ 971 */
924long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid) 972long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid)
925{ 973{
974 const struct cred *cred = current_cred();
926 struct request_key_auth *rka; 975 struct request_key_auth *rka;
927 struct key *instkey; 976 struct key *instkey, *dest_keyring;
928 key_ref_t keyring_ref;
929 long ret; 977 long ret;
930 978
979 kenter("%d,%u,%d", id, timeout, ringid);
980
931 /* the appropriate instantiation authorisation key must have been 981 /* the appropriate instantiation authorisation key must have been
932 * assumed before calling this */ 982 * assumed before calling this */
933 ret = -EPERM; 983 ret = -EPERM;
934 instkey = current->request_key_auth; 984 instkey = cred->request_key_auth;
935 if (!instkey) 985 if (!instkey)
936 goto error; 986 goto error;
937 987
@@ -941,27 +991,20 @@ long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid)
941 991
942 /* find the destination keyring if present (which must also be 992 /* find the destination keyring if present (which must also be
943 * writable) */ 993 * writable) */
944 keyring_ref = NULL; 994 ret = get_instantiation_keyring(ringid, rka, &dest_keyring);
945 if (ringid) { 995 if (ret < 0)
946 keyring_ref = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE); 996 goto error;
947 if (IS_ERR(keyring_ref)) {
948 ret = PTR_ERR(keyring_ref);
949 goto error;
950 }
951 }
952 997
953 /* instantiate the key and link it into a keyring */ 998 /* instantiate the key and link it into a keyring */
954 ret = key_negate_and_link(rka->target_key, timeout, 999 ret = key_negate_and_link(rka->target_key, timeout,
955 key_ref_to_ptr(keyring_ref), instkey); 1000 dest_keyring, instkey);
956 1001
957 key_ref_put(keyring_ref); 1002 key_put(dest_keyring);
958 1003
959 /* discard the assumed authority if it's just been disabled by 1004 /* discard the assumed authority if it's just been disabled by
960 * instantiation of the key */ 1005 * instantiation of the key */
961 if (ret == 0) { 1006 if (ret == 0)
962 key_put(current->request_key_auth); 1007 keyctl_change_reqkey_auth(NULL);
963 current->request_key_auth = NULL;
964 }
965 1008
966error: 1009error:
967 return ret; 1010 return ret;
@@ -975,35 +1018,56 @@ error:
975 */ 1018 */
976long keyctl_set_reqkey_keyring(int reqkey_defl) 1019long keyctl_set_reqkey_keyring(int reqkey_defl)
977{ 1020{
978 int ret; 1021 struct cred *new;
1022 int ret, old_setting;
1023
1024 old_setting = current_cred_xxx(jit_keyring);
1025
1026 if (reqkey_defl == KEY_REQKEY_DEFL_NO_CHANGE)
1027 return old_setting;
1028
1029 new = prepare_creds();
1030 if (!new)
1031 return -ENOMEM;
979 1032
980 switch (reqkey_defl) { 1033 switch (reqkey_defl) {
981 case KEY_REQKEY_DEFL_THREAD_KEYRING: 1034 case KEY_REQKEY_DEFL_THREAD_KEYRING:
982 ret = install_thread_keyring(current); 1035 ret = install_thread_keyring_to_cred(new);
983 if (ret < 0) 1036 if (ret < 0)
984 return ret; 1037 goto error;
985 goto set; 1038 goto set;
986 1039
987 case KEY_REQKEY_DEFL_PROCESS_KEYRING: 1040 case KEY_REQKEY_DEFL_PROCESS_KEYRING:
988 ret = install_process_keyring(current); 1041 ret = install_process_keyring_to_cred(new);
989 if (ret < 0) 1042 if (ret < 0) {
990 return ret; 1043 if (ret != -EEXIST)
1044 goto error;
1045 ret = 0;
1046 }
1047 goto set;
991 1048
992 case KEY_REQKEY_DEFL_DEFAULT: 1049 case KEY_REQKEY_DEFL_DEFAULT:
993 case KEY_REQKEY_DEFL_SESSION_KEYRING: 1050 case KEY_REQKEY_DEFL_SESSION_KEYRING:
994 case KEY_REQKEY_DEFL_USER_KEYRING: 1051 case KEY_REQKEY_DEFL_USER_KEYRING:
995 case KEY_REQKEY_DEFL_USER_SESSION_KEYRING: 1052 case KEY_REQKEY_DEFL_USER_SESSION_KEYRING:
996 set: 1053 case KEY_REQKEY_DEFL_REQUESTOR_KEYRING:
997 current->jit_keyring = reqkey_defl; 1054 goto set;
998 1055
999 case KEY_REQKEY_DEFL_NO_CHANGE: 1056 case KEY_REQKEY_DEFL_NO_CHANGE:
1000 return current->jit_keyring;
1001
1002 case KEY_REQKEY_DEFL_GROUP_KEYRING: 1057 case KEY_REQKEY_DEFL_GROUP_KEYRING:
1003 default: 1058 default:
1004 return -EINVAL; 1059 ret = -EINVAL;
1060 goto error;
1005 } 1061 }
1006 1062
1063set:
1064 new->jit_keyring = reqkey_defl;
1065 commit_creds(new);
1066 return old_setting;
1067error:
1068 abort_creds(new);
1069 return -EINVAL;
1070
1007} /* end keyctl_set_reqkey_keyring() */ 1071} /* end keyctl_set_reqkey_keyring() */
1008 1072
1009/*****************************************************************************/ 1073/*****************************************************************************/
@@ -1018,7 +1082,7 @@ long keyctl_set_timeout(key_serial_t id, unsigned timeout)
1018 time_t expiry; 1082 time_t expiry;
1019 long ret; 1083 long ret;
1020 1084
1021 key_ref = lookup_user_key(NULL, id, 1, 1, KEY_SETATTR); 1085 key_ref = lookup_user_key(id, 1, 1, KEY_SETATTR);
1022 if (IS_ERR(key_ref)) { 1086 if (IS_ERR(key_ref)) {
1023 ret = PTR_ERR(key_ref); 1087 ret = PTR_ERR(key_ref);
1024 goto error; 1088 goto error;
@@ -1062,9 +1126,7 @@ long keyctl_assume_authority(key_serial_t id)
1062 1126
1063 /* we divest ourselves of authority if given an ID of 0 */ 1127 /* we divest ourselves of authority if given an ID of 0 */
1064 if (id == 0) { 1128 if (id == 0) {
1065 key_put(current->request_key_auth); 1129 ret = keyctl_change_reqkey_auth(NULL);
1066 current->request_key_auth = NULL;
1067 ret = 0;
1068 goto error; 1130 goto error;
1069 } 1131 }
1070 1132
@@ -1079,10 +1141,12 @@ long keyctl_assume_authority(key_serial_t id)
1079 goto error; 1141 goto error;
1080 } 1142 }
1081 1143
1082 key_put(current->request_key_auth); 1144 ret = keyctl_change_reqkey_auth(authkey);
1083 current->request_key_auth = authkey; 1145 if (ret < 0)
1084 ret = authkey->serial; 1146 goto error;
1147 key_put(authkey);
1085 1148
1149 ret = authkey->serial;
1086error: 1150error:
1087 return ret; 1151 return ret;
1088 1152
@@ -1105,7 +1169,7 @@ long keyctl_get_security(key_serial_t keyid,
1105 char *context; 1169 char *context;
1106 long ret; 1170 long ret;
1107 1171
1108 key_ref = lookup_user_key(NULL, keyid, 0, 1, KEY_VIEW); 1172 key_ref = lookup_user_key(keyid, 0, 1, KEY_VIEW);
1109 if (IS_ERR(key_ref)) { 1173 if (IS_ERR(key_ref)) {
1110 if (PTR_ERR(key_ref) != -EACCES) 1174 if (PTR_ERR(key_ref) != -EACCES)
1111 return PTR_ERR(key_ref); 1175 return PTR_ERR(key_ref);
@@ -1117,7 +1181,7 @@ long keyctl_get_security(key_serial_t keyid,
1117 return PTR_ERR(key_ref); 1181 return PTR_ERR(key_ref);
1118 key_put(instkey); 1182 key_put(instkey);
1119 1183
1120 key_ref = lookup_user_key(NULL, keyid, 0, 1, 0); 1184 key_ref = lookup_user_key(keyid, 0, 1, 0);
1121 if (IS_ERR(key_ref)) 1185 if (IS_ERR(key_ref))
1122 return PTR_ERR(key_ref); 1186 return PTR_ERR(key_ref);
1123 } 1187 }
diff --git a/security/keys/keyring.c b/security/keys/keyring.c
index a9ab8affc092..ed851574d073 100644
--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c
@@ -16,6 +16,7 @@
16#include <linux/security.h> 16#include <linux/security.h>
17#include <linux/seq_file.h> 17#include <linux/seq_file.h>
18#include <linux/err.h> 18#include <linux/err.h>
19#include <keys/keyring-type.h>
19#include <asm/uaccess.h> 20#include <asm/uaccess.h>
20#include "internal.h" 21#include "internal.h"
21 22
@@ -244,14 +245,14 @@ static long keyring_read(const struct key *keyring,
244 * allocate a keyring and link into the destination keyring 245 * allocate a keyring and link into the destination keyring
245 */ 246 */
246struct key *keyring_alloc(const char *description, uid_t uid, gid_t gid, 247struct key *keyring_alloc(const char *description, uid_t uid, gid_t gid,
247 struct task_struct *ctx, unsigned long flags, 248 const struct cred *cred, unsigned long flags,
248 struct key *dest) 249 struct key *dest)
249{ 250{
250 struct key *keyring; 251 struct key *keyring;
251 int ret; 252 int ret;
252 253
253 keyring = key_alloc(&key_type_keyring, description, 254 keyring = key_alloc(&key_type_keyring, description,
254 uid, gid, ctx, 255 uid, gid, cred,
255 (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_ALL, 256 (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_ALL,
256 flags); 257 flags);
257 258
@@ -280,7 +281,7 @@ struct key *keyring_alloc(const char *description, uid_t uid, gid_t gid,
280 * - we propagate the possession attribute from the keyring ref to the key ref 281 * - we propagate the possession attribute from the keyring ref to the key ref
281 */ 282 */
282key_ref_t keyring_search_aux(key_ref_t keyring_ref, 283key_ref_t keyring_search_aux(key_ref_t keyring_ref,
283 struct task_struct *context, 284 const struct cred *cred,
284 struct key_type *type, 285 struct key_type *type,
285 const void *description, 286 const void *description,
286 key_match_func_t match) 287 key_match_func_t match)
@@ -303,7 +304,7 @@ key_ref_t keyring_search_aux(key_ref_t keyring_ref,
303 key_check(keyring); 304 key_check(keyring);
304 305
305 /* top keyring must have search permission to begin the search */ 306 /* top keyring must have search permission to begin the search */
306 err = key_task_permission(keyring_ref, context, KEY_SEARCH); 307 err = key_task_permission(keyring_ref, cred, KEY_SEARCH);
307 if (err < 0) { 308 if (err < 0) {
308 key_ref = ERR_PTR(err); 309 key_ref = ERR_PTR(err);
309 goto error; 310 goto error;
@@ -376,7 +377,7 @@ descend:
376 377
377 /* key must have search permissions */ 378 /* key must have search permissions */
378 if (key_task_permission(make_key_ref(key, possessed), 379 if (key_task_permission(make_key_ref(key, possessed),
379 context, KEY_SEARCH) < 0) 380 cred, KEY_SEARCH) < 0)
380 continue; 381 continue;
381 382
382 /* we set a different error code if we pass a negative key */ 383 /* we set a different error code if we pass a negative key */
@@ -403,7 +404,7 @@ ascend:
403 continue; 404 continue;
404 405
405 if (key_task_permission(make_key_ref(key, possessed), 406 if (key_task_permission(make_key_ref(key, possessed),
406 context, KEY_SEARCH) < 0) 407 cred, KEY_SEARCH) < 0)
407 continue; 408 continue;
408 409
409 /* stack the current position */ 410 /* stack the current position */
@@ -458,7 +459,7 @@ key_ref_t keyring_search(key_ref_t keyring,
458 if (!type->match) 459 if (!type->match)
459 return ERR_PTR(-ENOKEY); 460 return ERR_PTR(-ENOKEY);
460 461
461 return keyring_search_aux(keyring, current, 462 return keyring_search_aux(keyring, current->cred,
462 type, description, type->match); 463 type, description, type->match);
463 464
464} /* end keyring_search() */ 465} /* end keyring_search() */
diff --git a/security/keys/permission.c b/security/keys/permission.c
index 3b41f9b52537..5d9fc7b93f2e 100644
--- a/security/keys/permission.c
+++ b/security/keys/permission.c
@@ -14,12 +14,19 @@
14#include "internal.h" 14#include "internal.h"
15 15
16/*****************************************************************************/ 16/*****************************************************************************/
17/* 17/**
18 * check to see whether permission is granted to use a key in the desired way, 18 * key_task_permission - Check a key can be used
19 * but permit the security modules to override 19 * @key_ref: The key to check
20 * @cred: The credentials to use
21 * @perm: The permissions to check for
22 *
23 * Check to see whether permission is granted to use a key in the desired way,
24 * but permit the security modules to override.
25 *
26 * The caller must hold either a ref on cred or must hold the RCU readlock or a
27 * spinlock.
20 */ 28 */
21int key_task_permission(const key_ref_t key_ref, 29int key_task_permission(const key_ref_t key_ref, const struct cred *cred,
22 struct task_struct *context,
23 key_perm_t perm) 30 key_perm_t perm)
24{ 31{
25 struct key *key; 32 struct key *key;
@@ -29,7 +36,7 @@ int key_task_permission(const key_ref_t key_ref,
29 key = key_ref_to_ptr(key_ref); 36 key = key_ref_to_ptr(key_ref);
30 37
31 /* use the second 8-bits of permissions for keys the caller owns */ 38 /* use the second 8-bits of permissions for keys the caller owns */
32 if (key->uid == context->fsuid) { 39 if (key->uid == cred->fsuid) {
33 kperm = key->perm >> 16; 40 kperm = key->perm >> 16;
34 goto use_these_perms; 41 goto use_these_perms;
35 } 42 }
@@ -37,15 +44,12 @@ int key_task_permission(const key_ref_t key_ref,
37 /* use the third 8-bits of permissions for keys the caller has a group 44 /* use the third 8-bits of permissions for keys the caller has a group
38 * membership in common with */ 45 * membership in common with */
39 if (key->gid != -1 && key->perm & KEY_GRP_ALL) { 46 if (key->gid != -1 && key->perm & KEY_GRP_ALL) {
40 if (key->gid == context->fsgid) { 47 if (key->gid == cred->fsgid) {
41 kperm = key->perm >> 8; 48 kperm = key->perm >> 8;
42 goto use_these_perms; 49 goto use_these_perms;
43 } 50 }
44 51
45 task_lock(context); 52 ret = groups_search(cred->group_info, key->gid);
46 ret = groups_search(context->group_info, key->gid);
47 task_unlock(context);
48
49 if (ret) { 53 if (ret) {
50 kperm = key->perm >> 8; 54 kperm = key->perm >> 8;
51 goto use_these_perms; 55 goto use_these_perms;
@@ -56,6 +60,7 @@ int key_task_permission(const key_ref_t key_ref,
56 kperm = key->perm; 60 kperm = key->perm;
57 61
58use_these_perms: 62use_these_perms:
63
59 /* use the top 8-bits of permissions for keys the caller possesses 64 /* use the top 8-bits of permissions for keys the caller possesses
60 * - possessor permissions are additive with other permissions 65 * - possessor permissions are additive with other permissions
61 */ 66 */
@@ -68,7 +73,7 @@ use_these_perms:
68 return -EACCES; 73 return -EACCES;
69 74
70 /* let LSM be the final arbiter */ 75 /* let LSM be the final arbiter */
71 return security_key_permission(key_ref, context, perm); 76 return security_key_permission(key_ref, cred, perm);
72 77
73} /* end key_task_permission() */ 78} /* end key_task_permission() */
74 79
diff --git a/security/keys/proc.c b/security/keys/proc.c
index f619170da760..7f508def50e3 100644
--- a/security/keys/proc.c
+++ b/security/keys/proc.c
@@ -136,8 +136,12 @@ static int proc_keys_show(struct seq_file *m, void *v)
136 int rc; 136 int rc;
137 137
138 /* check whether the current task is allowed to view the key (assuming 138 /* check whether the current task is allowed to view the key (assuming
139 * non-possession) */ 139 * non-possession)
140 rc = key_task_permission(make_key_ref(key, 0), current, KEY_VIEW); 140 * - the caller holds a spinlock, and thus the RCU read lock, making our
141 * access to __current_cred() safe
142 */
143 rc = key_task_permission(make_key_ref(key, 0), current_cred(),
144 KEY_VIEW);
141 if (rc < 0) 145 if (rc < 0)
142 return 0; 146 return 0;
143 147
diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
index 45b240af6dbe..2f5d89e92b85 100644
--- a/security/keys/process_keys.c
+++ b/security/keys/process_keys.c
@@ -40,13 +40,17 @@ struct key_user root_key_user = {
40/* 40/*
41 * install user and user session keyrings for a particular UID 41 * install user and user session keyrings for a particular UID
42 */ 42 */
43int install_user_keyrings(struct task_struct *tsk) 43int install_user_keyrings(void)
44{ 44{
45 struct user_struct *user = tsk->user; 45 struct user_struct *user;
46 const struct cred *cred;
46 struct key *uid_keyring, *session_keyring; 47 struct key *uid_keyring, *session_keyring;
47 char buf[20]; 48 char buf[20];
48 int ret; 49 int ret;
49 50
51 cred = current_cred();
52 user = cred->user;
53
50 kenter("%p{%u}", user, user->uid); 54 kenter("%p{%u}", user, user->uid);
51 55
52 if (user->uid_keyring) { 56 if (user->uid_keyring) {
@@ -67,7 +71,7 @@ int install_user_keyrings(struct task_struct *tsk)
67 uid_keyring = find_keyring_by_name(buf, true); 71 uid_keyring = find_keyring_by_name(buf, true);
68 if (IS_ERR(uid_keyring)) { 72 if (IS_ERR(uid_keyring)) {
69 uid_keyring = keyring_alloc(buf, user->uid, (gid_t) -1, 73 uid_keyring = keyring_alloc(buf, user->uid, (gid_t) -1,
70 tsk, KEY_ALLOC_IN_QUOTA, 74 cred, KEY_ALLOC_IN_QUOTA,
71 NULL); 75 NULL);
72 if (IS_ERR(uid_keyring)) { 76 if (IS_ERR(uid_keyring)) {
73 ret = PTR_ERR(uid_keyring); 77 ret = PTR_ERR(uid_keyring);
@@ -83,7 +87,7 @@ int install_user_keyrings(struct task_struct *tsk)
83 if (IS_ERR(session_keyring)) { 87 if (IS_ERR(session_keyring)) {
84 session_keyring = 88 session_keyring =
85 keyring_alloc(buf, user->uid, (gid_t) -1, 89 keyring_alloc(buf, user->uid, (gid_t) -1,
86 tsk, KEY_ALLOC_IN_QUOTA, NULL); 90 cred, KEY_ALLOC_IN_QUOTA, NULL);
87 if (IS_ERR(session_keyring)) { 91 if (IS_ERR(session_keyring)) {
88 ret = PTR_ERR(session_keyring); 92 ret = PTR_ERR(session_keyring);
89 goto error_release; 93 goto error_release;
@@ -115,140 +119,128 @@ error:
115 return ret; 119 return ret;
116} 120}
117 121
118/*****************************************************************************/
119/* 122/*
120 * deal with the UID changing 123 * install a fresh thread keyring directly to new credentials
121 */ 124 */
122void switch_uid_keyring(struct user_struct *new_user) 125int install_thread_keyring_to_cred(struct cred *new)
123{ 126{
124#if 0 /* do nothing for now */ 127 struct key *keyring;
125 struct key *old;
126
127 /* switch to the new user's session keyring if we were running under
128 * root's default session keyring */
129 if (new_user->uid != 0 &&
130 current->session_keyring == &root_session_keyring
131 ) {
132 atomic_inc(&new_user->session_keyring->usage);
133
134 task_lock(current);
135 old = current->session_keyring;
136 current->session_keyring = new_user->session_keyring;
137 task_unlock(current);
138 128
139 key_put(old); 129 keyring = keyring_alloc("_tid", new->uid, new->gid, new,
140 } 130 KEY_ALLOC_QUOTA_OVERRUN, NULL);
141#endif 131 if (IS_ERR(keyring))
132 return PTR_ERR(keyring);
142 133
143} /* end switch_uid_keyring() */ 134 new->thread_keyring = keyring;
135 return 0;
136}
144 137
145/*****************************************************************************/
146/* 138/*
147 * install a fresh thread keyring, discarding the old one 139 * install a fresh thread keyring, discarding the old one
148 */ 140 */
149int install_thread_keyring(struct task_struct *tsk) 141static int install_thread_keyring(void)
150{ 142{
151 struct key *keyring, *old; 143 struct cred *new;
152 char buf[20];
153 int ret; 144 int ret;
154 145
155 sprintf(buf, "_tid.%u", tsk->pid); 146 new = prepare_creds();
147 if (!new)
148 return -ENOMEM;
156 149
157 keyring = keyring_alloc(buf, tsk->uid, tsk->gid, tsk, 150 BUG_ON(new->thread_keyring);
158 KEY_ALLOC_QUOTA_OVERRUN, NULL); 151
159 if (IS_ERR(keyring)) { 152 ret = install_thread_keyring_to_cred(new);
160 ret = PTR_ERR(keyring); 153 if (ret < 0) {
161 goto error; 154 abort_creds(new);
155 return ret;
162 } 156 }
163 157
164 task_lock(tsk); 158 return commit_creds(new);
165 old = tsk->thread_keyring; 159}
166 tsk->thread_keyring = keyring;
167 task_unlock(tsk);
168 160
169 ret = 0; 161/*
162 * install a process keyring directly to a credentials struct
163 * - returns -EEXIST if there was already a process keyring, 0 if one installed,
164 * and other -ve on any other error
165 */
166int install_process_keyring_to_cred(struct cred *new)
167{
168 struct key *keyring;
169 int ret;
170 170
171 key_put(old); 171 if (new->tgcred->process_keyring)
172error: 172 return -EEXIST;
173
174 keyring = keyring_alloc("_pid", new->uid, new->gid,
175 new, KEY_ALLOC_QUOTA_OVERRUN, NULL);
176 if (IS_ERR(keyring))
177 return PTR_ERR(keyring);
178
179 spin_lock_irq(&new->tgcred->lock);
180 if (!new->tgcred->process_keyring) {
181 new->tgcred->process_keyring = keyring;
182 keyring = NULL;
183 ret = 0;
184 } else {
185 ret = -EEXIST;
186 }
187 spin_unlock_irq(&new->tgcred->lock);
188 key_put(keyring);
173 return ret; 189 return ret;
190}
174 191
175} /* end install_thread_keyring() */
176
177/*****************************************************************************/
178/* 192/*
179 * make sure a process keyring is installed 193 * make sure a process keyring is installed
194 * - we
180 */ 195 */
181int install_process_keyring(struct task_struct *tsk) 196static int install_process_keyring(void)
182{ 197{
183 struct key *keyring; 198 struct cred *new;
184 char buf[20];
185 int ret; 199 int ret;
186 200
187 might_sleep(); 201 new = prepare_creds();
188 202 if (!new)
189 if (!tsk->signal->process_keyring) { 203 return -ENOMEM;
190 sprintf(buf, "_pid.%u", tsk->tgid);
191
192 keyring = keyring_alloc(buf, tsk->uid, tsk->gid, tsk,
193 KEY_ALLOC_QUOTA_OVERRUN, NULL);
194 if (IS_ERR(keyring)) {
195 ret = PTR_ERR(keyring);
196 goto error;
197 }
198
199 /* attach keyring */
200 spin_lock_irq(&tsk->sighand->siglock);
201 if (!tsk->signal->process_keyring) {
202 tsk->signal->process_keyring = keyring;
203 keyring = NULL;
204 }
205 spin_unlock_irq(&tsk->sighand->siglock);
206 204
207 key_put(keyring); 205 ret = install_process_keyring_to_cred(new);
206 if (ret < 0) {
207 abort_creds(new);
208 return ret != -EEXIST ?: 0;
208 } 209 }
209 210
210 ret = 0; 211 return commit_creds(new);
211error: 212}
212 return ret;
213
214} /* end install_process_keyring() */
215 213
216/*****************************************************************************/
217/* 214/*
218 * install a session keyring, discarding the old one 215 * install a session keyring directly to a credentials struct
219 * - if a keyring is not supplied, an empty one is invented
220 */ 216 */
221static int install_session_keyring(struct task_struct *tsk, 217static int install_session_keyring_to_cred(struct cred *cred,
222 struct key *keyring) 218 struct key *keyring)
223{ 219{
224 unsigned long flags; 220 unsigned long flags;
225 struct key *old; 221 struct key *old;
226 char buf[20];
227 222
228 might_sleep(); 223 might_sleep();
229 224
230 /* create an empty session keyring */ 225 /* create an empty session keyring */
231 if (!keyring) { 226 if (!keyring) {
232 sprintf(buf, "_ses.%u", tsk->tgid);
233
234 flags = KEY_ALLOC_QUOTA_OVERRUN; 227 flags = KEY_ALLOC_QUOTA_OVERRUN;
235 if (tsk->signal->session_keyring) 228 if (cred->tgcred->session_keyring)
236 flags = KEY_ALLOC_IN_QUOTA; 229 flags = KEY_ALLOC_IN_QUOTA;
237 230
238 keyring = keyring_alloc(buf, tsk->uid, tsk->gid, tsk, 231 keyring = keyring_alloc("_ses", cred->uid, cred->gid,
239 flags, NULL); 232 cred, flags, NULL);
240 if (IS_ERR(keyring)) 233 if (IS_ERR(keyring))
241 return PTR_ERR(keyring); 234 return PTR_ERR(keyring);
242 } 235 } else {
243 else {
244 atomic_inc(&keyring->usage); 236 atomic_inc(&keyring->usage);
245 } 237 }
246 238
247 /* install the keyring */ 239 /* install the keyring */
248 spin_lock_irq(&tsk->sighand->siglock); 240 spin_lock_irq(&cred->tgcred->lock);
249 old = tsk->signal->session_keyring; 241 old = cred->tgcred->session_keyring;
250 rcu_assign_pointer(tsk->signal->session_keyring, keyring); 242 rcu_assign_pointer(cred->tgcred->session_keyring, keyring);
251 spin_unlock_irq(&tsk->sighand->siglock); 243 spin_unlock_irq(&cred->tgcred->lock);
252 244
253 /* we're using RCU on the pointer, but there's no point synchronising 245 /* we're using RCU on the pointer, but there's no point synchronising
254 * on it if it didn't previously point to anything */ 246 * on it if it didn't previously point to anything */
@@ -258,110 +250,29 @@ static int install_session_keyring(struct task_struct *tsk,
258 } 250 }
259 251
260 return 0; 252 return 0;
253}
261 254
262} /* end install_session_keyring() */
263
264/*****************************************************************************/
265/*
266 * copy the keys in a thread group for fork without CLONE_THREAD
267 */
268int copy_thread_group_keys(struct task_struct *tsk)
269{
270 key_check(current->thread_group->session_keyring);
271 key_check(current->thread_group->process_keyring);
272
273 /* no process keyring yet */
274 tsk->signal->process_keyring = NULL;
275
276 /* same session keyring */
277 rcu_read_lock();
278 tsk->signal->session_keyring =
279 key_get(rcu_dereference(current->signal->session_keyring));
280 rcu_read_unlock();
281
282 return 0;
283
284} /* end copy_thread_group_keys() */
285
286/*****************************************************************************/
287/*
288 * copy the keys for fork
289 */
290int copy_keys(unsigned long clone_flags, struct task_struct *tsk)
291{
292 key_check(tsk->thread_keyring);
293 key_check(tsk->request_key_auth);
294
295 /* no thread keyring yet */
296 tsk->thread_keyring = NULL;
297
298 /* copy the request_key() authorisation for this thread */
299 key_get(tsk->request_key_auth);
300
301 return 0;
302
303} /* end copy_keys() */
304
305/*****************************************************************************/
306/*
307 * dispose of thread group keys upon thread group destruction
308 */
309void exit_thread_group_keys(struct signal_struct *tg)
310{
311 key_put(tg->session_keyring);
312 key_put(tg->process_keyring);
313
314} /* end exit_thread_group_keys() */
315
316/*****************************************************************************/
317/*
318 * dispose of per-thread keys upon thread exit
319 */
320void exit_keys(struct task_struct *tsk)
321{
322 key_put(tsk->thread_keyring);
323 key_put(tsk->request_key_auth);
324
325} /* end exit_keys() */
326
327/*****************************************************************************/
328/* 255/*
329 * deal with execve() 256 * install a session keyring, discarding the old one
257 * - if a keyring is not supplied, an empty one is invented
330 */ 258 */
331int exec_keys(struct task_struct *tsk) 259static int install_session_keyring(struct key *keyring)
332{ 260{
333 struct key *old; 261 struct cred *new;
334 262 int ret;
335 /* newly exec'd tasks don't get a thread keyring */
336 task_lock(tsk);
337 old = tsk->thread_keyring;
338 tsk->thread_keyring = NULL;
339 task_unlock(tsk);
340
341 key_put(old);
342
343 /* discard the process keyring from a newly exec'd task */
344 spin_lock_irq(&tsk->sighand->siglock);
345 old = tsk->signal->process_keyring;
346 tsk->signal->process_keyring = NULL;
347 spin_unlock_irq(&tsk->sighand->siglock);
348
349 key_put(old);
350
351 return 0;
352 263
353} /* end exec_keys() */ 264 new = prepare_creds();
265 if (!new)
266 return -ENOMEM;
354 267
355/*****************************************************************************/ 268 ret = install_session_keyring_to_cred(new, NULL);
356/* 269 if (ret < 0) {
357 * deal with SUID programs 270 abort_creds(new);
358 * - we might want to make this invent a new session keyring 271 return ret;
359 */ 272 }
360int suid_keys(struct task_struct *tsk)
361{
362 return 0;
363 273
364} /* end suid_keys() */ 274 return commit_creds(new);
275}
365 276
366/*****************************************************************************/ 277/*****************************************************************************/
367/* 278/*
@@ -370,10 +281,11 @@ int suid_keys(struct task_struct *tsk)
370void key_fsuid_changed(struct task_struct *tsk) 281void key_fsuid_changed(struct task_struct *tsk)
371{ 282{
372 /* update the ownership of the thread keyring */ 283 /* update the ownership of the thread keyring */
373 if (tsk->thread_keyring) { 284 BUG_ON(!tsk->cred);
374 down_write(&tsk->thread_keyring->sem); 285 if (tsk->cred->thread_keyring) {
375 tsk->thread_keyring->uid = tsk->fsuid; 286 down_write(&tsk->cred->thread_keyring->sem);
376 up_write(&tsk->thread_keyring->sem); 287 tsk->cred->thread_keyring->uid = tsk->cred->fsuid;
288 up_write(&tsk->cred->thread_keyring->sem);
377 } 289 }
378 290
379} /* end key_fsuid_changed() */ 291} /* end key_fsuid_changed() */
@@ -385,10 +297,11 @@ void key_fsuid_changed(struct task_struct *tsk)
385void key_fsgid_changed(struct task_struct *tsk) 297void key_fsgid_changed(struct task_struct *tsk)
386{ 298{
387 /* update the ownership of the thread keyring */ 299 /* update the ownership of the thread keyring */
388 if (tsk->thread_keyring) { 300 BUG_ON(!tsk->cred);
389 down_write(&tsk->thread_keyring->sem); 301 if (tsk->cred->thread_keyring) {
390 tsk->thread_keyring->gid = tsk->fsgid; 302 down_write(&tsk->cred->thread_keyring->sem);
391 up_write(&tsk->thread_keyring->sem); 303 tsk->cred->thread_keyring->gid = tsk->cred->fsgid;
304 up_write(&tsk->cred->thread_keyring->sem);
392 } 305 }
393 306
394} /* end key_fsgid_changed() */ 307} /* end key_fsgid_changed() */
@@ -404,7 +317,7 @@ void key_fsgid_changed(struct task_struct *tsk)
404key_ref_t search_process_keyrings(struct key_type *type, 317key_ref_t search_process_keyrings(struct key_type *type,
405 const void *description, 318 const void *description,
406 key_match_func_t match, 319 key_match_func_t match,
407 struct task_struct *context) 320 const struct cred *cred)
408{ 321{
409 struct request_key_auth *rka; 322 struct request_key_auth *rka;
410 key_ref_t key_ref, ret, err; 323 key_ref_t key_ref, ret, err;
@@ -423,10 +336,10 @@ key_ref_t search_process_keyrings(struct key_type *type,
423 err = ERR_PTR(-EAGAIN); 336 err = ERR_PTR(-EAGAIN);
424 337
425 /* search the thread keyring first */ 338 /* search the thread keyring first */
426 if (context->thread_keyring) { 339 if (cred->thread_keyring) {
427 key_ref = keyring_search_aux( 340 key_ref = keyring_search_aux(
428 make_key_ref(context->thread_keyring, 1), 341 make_key_ref(cred->thread_keyring, 1),
429 context, type, description, match); 342 cred, type, description, match);
430 if (!IS_ERR(key_ref)) 343 if (!IS_ERR(key_ref))
431 goto found; 344 goto found;
432 345
@@ -444,10 +357,10 @@ key_ref_t search_process_keyrings(struct key_type *type,
444 } 357 }
445 358
446 /* search the process keyring second */ 359 /* search the process keyring second */
447 if (context->signal->process_keyring) { 360 if (cred->tgcred->process_keyring) {
448 key_ref = keyring_search_aux( 361 key_ref = keyring_search_aux(
449 make_key_ref(context->signal->process_keyring, 1), 362 make_key_ref(cred->tgcred->process_keyring, 1),
450 context, type, description, match); 363 cred, type, description, match);
451 if (!IS_ERR(key_ref)) 364 if (!IS_ERR(key_ref))
452 goto found; 365 goto found;
453 366
@@ -465,13 +378,13 @@ key_ref_t search_process_keyrings(struct key_type *type,
465 } 378 }
466 379
467 /* search the session keyring */ 380 /* search the session keyring */
468 if (context->signal->session_keyring) { 381 if (cred->tgcred->session_keyring) {
469 rcu_read_lock(); 382 rcu_read_lock();
470 key_ref = keyring_search_aux( 383 key_ref = keyring_search_aux(
471 make_key_ref(rcu_dereference( 384 make_key_ref(rcu_dereference(
472 context->signal->session_keyring), 385 cred->tgcred->session_keyring),
473 1), 386 1),
474 context, type, description, match); 387 cred, type, description, match);
475 rcu_read_unlock(); 388 rcu_read_unlock();
476 389
477 if (!IS_ERR(key_ref)) 390 if (!IS_ERR(key_ref))
@@ -490,10 +403,10 @@ key_ref_t search_process_keyrings(struct key_type *type,
490 } 403 }
491 } 404 }
492 /* or search the user-session keyring */ 405 /* or search the user-session keyring */
493 else if (context->user->session_keyring) { 406 else if (cred->user->session_keyring) {
494 key_ref = keyring_search_aux( 407 key_ref = keyring_search_aux(
495 make_key_ref(context->user->session_keyring, 1), 408 make_key_ref(cred->user->session_keyring, 1),
496 context, type, description, match); 409 cred, type, description, match);
497 if (!IS_ERR(key_ref)) 410 if (!IS_ERR(key_ref))
498 goto found; 411 goto found;
499 412
@@ -514,20 +427,20 @@ key_ref_t search_process_keyrings(struct key_type *type,
514 * search the keyrings of the process mentioned there 427 * search the keyrings of the process mentioned there
515 * - we don't permit access to request_key auth keys via this method 428 * - we don't permit access to request_key auth keys via this method
516 */ 429 */
517 if (context->request_key_auth && 430 if (cred->request_key_auth &&
518 context == current && 431 cred == current_cred() &&
519 type != &key_type_request_key_auth 432 type != &key_type_request_key_auth
520 ) { 433 ) {
521 /* defend against the auth key being revoked */ 434 /* defend against the auth key being revoked */
522 down_read(&context->request_key_auth->sem); 435 down_read(&cred->request_key_auth->sem);
523 436
524 if (key_validate(context->request_key_auth) == 0) { 437 if (key_validate(cred->request_key_auth) == 0) {
525 rka = context->request_key_auth->payload.data; 438 rka = cred->request_key_auth->payload.data;
526 439
527 key_ref = search_process_keyrings(type, description, 440 key_ref = search_process_keyrings(type, description,
528 match, rka->context); 441 match, rka->cred);
529 442
530 up_read(&context->request_key_auth->sem); 443 up_read(&cred->request_key_auth->sem);
531 444
532 if (!IS_ERR(key_ref)) 445 if (!IS_ERR(key_ref))
533 goto found; 446 goto found;
@@ -544,7 +457,7 @@ key_ref_t search_process_keyrings(struct key_type *type,
544 break; 457 break;
545 } 458 }
546 } else { 459 } else {
547 up_read(&context->request_key_auth->sem); 460 up_read(&cred->request_key_auth->sem);
548 } 461 }
549 } 462 }
550 463
@@ -572,93 +485,98 @@ static int lookup_user_key_possessed(const struct key *key, const void *target)
572 * - don't create special keyrings unless so requested 485 * - don't create special keyrings unless so requested
573 * - partially constructed keys aren't found unless requested 486 * - partially constructed keys aren't found unless requested
574 */ 487 */
575key_ref_t lookup_user_key(struct task_struct *context, key_serial_t id, 488key_ref_t lookup_user_key(key_serial_t id, int create, int partial,
576 int create, int partial, key_perm_t perm) 489 key_perm_t perm)
577{ 490{
578 key_ref_t key_ref, skey_ref; 491 struct request_key_auth *rka;
492 const struct cred *cred;
579 struct key *key; 493 struct key *key;
494 key_ref_t key_ref, skey_ref;
580 int ret; 495 int ret;
581 496
582 if (!context) 497try_again:
583 context = current; 498 cred = get_current_cred();
584
585 key_ref = ERR_PTR(-ENOKEY); 499 key_ref = ERR_PTR(-ENOKEY);
586 500
587 switch (id) { 501 switch (id) {
588 case KEY_SPEC_THREAD_KEYRING: 502 case KEY_SPEC_THREAD_KEYRING:
589 if (!context->thread_keyring) { 503 if (!cred->thread_keyring) {
590 if (!create) 504 if (!create)
591 goto error; 505 goto error;
592 506
593 ret = install_thread_keyring(context); 507 ret = install_thread_keyring();
594 if (ret < 0) { 508 if (ret < 0) {
595 key = ERR_PTR(ret); 509 key = ERR_PTR(ret);
596 goto error; 510 goto error;
597 } 511 }
512 goto reget_creds;
598 } 513 }
599 514
600 key = context->thread_keyring; 515 key = cred->thread_keyring;
601 atomic_inc(&key->usage); 516 atomic_inc(&key->usage);
602 key_ref = make_key_ref(key, 1); 517 key_ref = make_key_ref(key, 1);
603 break; 518 break;
604 519
605 case KEY_SPEC_PROCESS_KEYRING: 520 case KEY_SPEC_PROCESS_KEYRING:
606 if (!context->signal->process_keyring) { 521 if (!cred->tgcred->process_keyring) {
607 if (!create) 522 if (!create)
608 goto error; 523 goto error;
609 524
610 ret = install_process_keyring(context); 525 ret = install_process_keyring();
611 if (ret < 0) { 526 if (ret < 0) {
612 key = ERR_PTR(ret); 527 key = ERR_PTR(ret);
613 goto error; 528 goto error;
614 } 529 }
530 goto reget_creds;
615 } 531 }
616 532
617 key = context->signal->process_keyring; 533 key = cred->tgcred->process_keyring;
618 atomic_inc(&key->usage); 534 atomic_inc(&key->usage);
619 key_ref = make_key_ref(key, 1); 535 key_ref = make_key_ref(key, 1);
620 break; 536 break;
621 537
622 case KEY_SPEC_SESSION_KEYRING: 538 case KEY_SPEC_SESSION_KEYRING:
623 if (!context->signal->session_keyring) { 539 if (!cred->tgcred->session_keyring) {
624 /* always install a session keyring upon access if one 540 /* always install a session keyring upon access if one
625 * doesn't exist yet */ 541 * doesn't exist yet */
626 ret = install_user_keyrings(context); 542 ret = install_user_keyrings();
627 if (ret < 0) 543 if (ret < 0)
628 goto error; 544 goto error;
629 ret = install_session_keyring( 545 ret = install_session_keyring(
630 context, context->user->session_keyring); 546 cred->user->session_keyring);
547
631 if (ret < 0) 548 if (ret < 0)
632 goto error; 549 goto error;
550 goto reget_creds;
633 } 551 }
634 552
635 rcu_read_lock(); 553 rcu_read_lock();
636 key = rcu_dereference(context->signal->session_keyring); 554 key = rcu_dereference(cred->tgcred->session_keyring);
637 atomic_inc(&key->usage); 555 atomic_inc(&key->usage);
638 rcu_read_unlock(); 556 rcu_read_unlock();
639 key_ref = make_key_ref(key, 1); 557 key_ref = make_key_ref(key, 1);
640 break; 558 break;
641 559
642 case KEY_SPEC_USER_KEYRING: 560 case KEY_SPEC_USER_KEYRING:
643 if (!context->user->uid_keyring) { 561 if (!cred->user->uid_keyring) {
644 ret = install_user_keyrings(context); 562 ret = install_user_keyrings();
645 if (ret < 0) 563 if (ret < 0)
646 goto error; 564 goto error;
647 } 565 }
648 566
649 key = context->user->uid_keyring; 567 key = cred->user->uid_keyring;
650 atomic_inc(&key->usage); 568 atomic_inc(&key->usage);
651 key_ref = make_key_ref(key, 1); 569 key_ref = make_key_ref(key, 1);
652 break; 570 break;
653 571
654 case KEY_SPEC_USER_SESSION_KEYRING: 572 case KEY_SPEC_USER_SESSION_KEYRING:
655 if (!context->user->session_keyring) { 573 if (!cred->user->session_keyring) {
656 ret = install_user_keyrings(context); 574 ret = install_user_keyrings();
657 if (ret < 0) 575 if (ret < 0)
658 goto error; 576 goto error;
659 } 577 }
660 578
661 key = context->user->session_keyring; 579 key = cred->user->session_keyring;
662 atomic_inc(&key->usage); 580 atomic_inc(&key->usage);
663 key_ref = make_key_ref(key, 1); 581 key_ref = make_key_ref(key, 1);
664 break; 582 break;
@@ -669,7 +587,7 @@ key_ref_t lookup_user_key(struct task_struct *context, key_serial_t id,
669 goto error; 587 goto error;
670 588
671 case KEY_SPEC_REQKEY_AUTH_KEY: 589 case KEY_SPEC_REQKEY_AUTH_KEY:
672 key = context->request_key_auth; 590 key = cred->request_key_auth;
673 if (!key) 591 if (!key)
674 goto error; 592 goto error;
675 593
@@ -677,6 +595,25 @@ key_ref_t lookup_user_key(struct task_struct *context, key_serial_t id,
677 key_ref = make_key_ref(key, 1); 595 key_ref = make_key_ref(key, 1);
678 break; 596 break;
679 597
598 case KEY_SPEC_REQUESTOR_KEYRING:
599 if (!cred->request_key_auth)
600 goto error;
601
602 down_read(&cred->request_key_auth->sem);
603 if (cred->request_key_auth->flags & KEY_FLAG_REVOKED) {
604 key_ref = ERR_PTR(-EKEYREVOKED);
605 key = NULL;
606 } else {
607 rka = cred->request_key_auth->payload.data;
608 key = rka->dest_keyring;
609 atomic_inc(&key->usage);
610 }
611 up_read(&cred->request_key_auth->sem);
612 if (!key)
613 goto error;
614 key_ref = make_key_ref(key, 1);
615 break;
616
680 default: 617 default:
681 key_ref = ERR_PTR(-EINVAL); 618 key_ref = ERR_PTR(-EINVAL);
682 if (id < 1) 619 if (id < 1)
@@ -693,7 +630,7 @@ key_ref_t lookup_user_key(struct task_struct *context, key_serial_t id,
693 /* check to see if we possess the key */ 630 /* check to see if we possess the key */
694 skey_ref = search_process_keyrings(key->type, key, 631 skey_ref = search_process_keyrings(key->type, key,
695 lookup_user_key_possessed, 632 lookup_user_key_possessed,
696 current); 633 cred);
697 634
698 if (!IS_ERR(skey_ref)) { 635 if (!IS_ERR(skey_ref)) {
699 key_put(key); 636 key_put(key);
@@ -725,11 +662,12 @@ key_ref_t lookup_user_key(struct task_struct *context, key_serial_t id,
725 goto invalid_key; 662 goto invalid_key;
726 663
727 /* check the permissions */ 664 /* check the permissions */
728 ret = key_task_permission(key_ref, context, perm); 665 ret = key_task_permission(key_ref, cred, perm);
729 if (ret < 0) 666 if (ret < 0)
730 goto invalid_key; 667 goto invalid_key;
731 668
732error: 669error:
670 put_cred(cred);
733 return key_ref; 671 return key_ref;
734 672
735invalid_key: 673invalid_key:
@@ -737,6 +675,12 @@ invalid_key:
737 key_ref = ERR_PTR(ret); 675 key_ref = ERR_PTR(ret);
738 goto error; 676 goto error;
739 677
678 /* if we attempted to install a keyring, then it may have caused new
679 * creds to be installed */
680reget_creds:
681 put_cred(cred);
682 goto try_again;
683
740} /* end lookup_user_key() */ 684} /* end lookup_user_key() */
741 685
742/*****************************************************************************/ 686/*****************************************************************************/
@@ -748,20 +692,33 @@ invalid_key:
748 */ 692 */
749long join_session_keyring(const char *name) 693long join_session_keyring(const char *name)
750{ 694{
751 struct task_struct *tsk = current; 695 const struct cred *old;
696 struct cred *new;
752 struct key *keyring; 697 struct key *keyring;
753 long ret; 698 long ret, serial;
699
700 /* only permit this if there's a single thread in the thread group -
701 * this avoids us having to adjust the creds on all threads and risking
702 * ENOMEM */
703 if (!is_single_threaded(current))
704 return -EMLINK;
705
706 new = prepare_creds();
707 if (!new)
708 return -ENOMEM;
709 old = current_cred();
754 710
755 /* if no name is provided, install an anonymous keyring */ 711 /* if no name is provided, install an anonymous keyring */
756 if (!name) { 712 if (!name) {
757 ret = install_session_keyring(tsk, NULL); 713 ret = install_session_keyring_to_cred(new, NULL);
758 if (ret < 0) 714 if (ret < 0)
759 goto error; 715 goto error;
760 716
761 rcu_read_lock(); 717 serial = new->tgcred->session_keyring->serial;
762 ret = rcu_dereference(tsk->signal->session_keyring)->serial; 718 ret = commit_creds(new);
763 rcu_read_unlock(); 719 if (ret == 0)
764 goto error; 720 ret = serial;
721 goto okay;
765 } 722 }
766 723
767 /* allow the user to join or create a named keyring */ 724 /* allow the user to join or create a named keyring */
@@ -771,29 +728,33 @@ long join_session_keyring(const char *name)
771 keyring = find_keyring_by_name(name, false); 728 keyring = find_keyring_by_name(name, false);
772 if (PTR_ERR(keyring) == -ENOKEY) { 729 if (PTR_ERR(keyring) == -ENOKEY) {
773 /* not found - try and create a new one */ 730 /* not found - try and create a new one */
774 keyring = keyring_alloc(name, tsk->uid, tsk->gid, tsk, 731 keyring = keyring_alloc(name, old->uid, old->gid, old,
775 KEY_ALLOC_IN_QUOTA, NULL); 732 KEY_ALLOC_IN_QUOTA, NULL);
776 if (IS_ERR(keyring)) { 733 if (IS_ERR(keyring)) {
777 ret = PTR_ERR(keyring); 734 ret = PTR_ERR(keyring);
778 goto error2; 735 goto error2;
779 } 736 }
780 } 737 } else if (IS_ERR(keyring)) {
781 else if (IS_ERR(keyring)) {
782 ret = PTR_ERR(keyring); 738 ret = PTR_ERR(keyring);
783 goto error2; 739 goto error2;
784 } 740 }
785 741
786 /* we've got a keyring - now to install it */ 742 /* we've got a keyring - now to install it */
787 ret = install_session_keyring(tsk, keyring); 743 ret = install_session_keyring_to_cred(new, keyring);
788 if (ret < 0) 744 if (ret < 0)
789 goto error2; 745 goto error2;
790 746
747 commit_creds(new);
748 mutex_unlock(&key_session_mutex);
749
791 ret = keyring->serial; 750 ret = keyring->serial;
792 key_put(keyring); 751 key_put(keyring);
752okay:
753 return ret;
793 754
794error2: 755error2:
795 mutex_unlock(&key_session_mutex); 756 mutex_unlock(&key_session_mutex);
796error: 757error:
758 abort_creds(new);
797 return ret; 759 return ret;
798 760}
799} /* end join_session_keyring() */
diff --git a/security/keys/request_key.c b/security/keys/request_key.c
index abea08f87fe2..0e04f72ef2d4 100644
--- a/security/keys/request_key.c
+++ b/security/keys/request_key.c
@@ -19,6 +19,8 @@
19#include <linux/slab.h> 19#include <linux/slab.h>
20#include "internal.h" 20#include "internal.h"
21 21
22#define key_negative_timeout 60 /* default timeout on a negative key's existence */
23
22/* 24/*
23 * wait_on_bit() sleep function for uninterruptible waiting 25 * wait_on_bit() sleep function for uninterruptible waiting
24 */ 26 */
@@ -64,7 +66,7 @@ static int call_sbin_request_key(struct key_construction *cons,
64 const char *op, 66 const char *op,
65 void *aux) 67 void *aux)
66{ 68{
67 struct task_struct *tsk = current; 69 const struct cred *cred = current_cred();
68 key_serial_t prkey, sskey; 70 key_serial_t prkey, sskey;
69 struct key *key = cons->key, *authkey = cons->authkey, *keyring; 71 struct key *key = cons->key, *authkey = cons->authkey, *keyring;
70 char *argv[9], *envp[3], uid_str[12], gid_str[12]; 72 char *argv[9], *envp[3], uid_str[12], gid_str[12];
@@ -74,15 +76,17 @@ static int call_sbin_request_key(struct key_construction *cons,
74 76
75 kenter("{%d},{%d},%s", key->serial, authkey->serial, op); 77 kenter("{%d},{%d},%s", key->serial, authkey->serial, op);
76 78
77 ret = install_user_keyrings(tsk); 79 ret = install_user_keyrings();
78 if (ret < 0) 80 if (ret < 0)
79 goto error_alloc; 81 goto error_alloc;
80 82
81 /* allocate a new session keyring */ 83 /* allocate a new session keyring */
82 sprintf(desc, "_req.%u", key->serial); 84 sprintf(desc, "_req.%u", key->serial);
83 85
84 keyring = keyring_alloc(desc, current->fsuid, current->fsgid, current, 86 cred = get_current_cred();
87 keyring = keyring_alloc(desc, cred->fsuid, cred->fsgid, cred,
85 KEY_ALLOC_QUOTA_OVERRUN, NULL); 88 KEY_ALLOC_QUOTA_OVERRUN, NULL);
89 put_cred(cred);
86 if (IS_ERR(keyring)) { 90 if (IS_ERR(keyring)) {
87 ret = PTR_ERR(keyring); 91 ret = PTR_ERR(keyring);
88 goto error_alloc; 92 goto error_alloc;
@@ -94,29 +98,24 @@ static int call_sbin_request_key(struct key_construction *cons,
94 goto error_link; 98 goto error_link;
95 99
96 /* record the UID and GID */ 100 /* record the UID and GID */
97 sprintf(uid_str, "%d", current->fsuid); 101 sprintf(uid_str, "%d", cred->fsuid);
98 sprintf(gid_str, "%d", current->fsgid); 102 sprintf(gid_str, "%d", cred->fsgid);
99 103
100 /* we say which key is under construction */ 104 /* we say which key is under construction */
101 sprintf(key_str, "%d", key->serial); 105 sprintf(key_str, "%d", key->serial);
102 106
103 /* we specify the process's default keyrings */ 107 /* we specify the process's default keyrings */
104 sprintf(keyring_str[0], "%d", 108 sprintf(keyring_str[0], "%d",
105 tsk->thread_keyring ? tsk->thread_keyring->serial : 0); 109 cred->thread_keyring ? cred->thread_keyring->serial : 0);
106 110
107 prkey = 0; 111 prkey = 0;
108 if (tsk->signal->process_keyring) 112 if (cred->tgcred->process_keyring)
109 prkey = tsk->signal->process_keyring->serial; 113 prkey = cred->tgcred->process_keyring->serial;
110
111 sprintf(keyring_str[1], "%d", prkey);
112 114
113 if (tsk->signal->session_keyring) { 115 if (cred->tgcred->session_keyring)
114 rcu_read_lock(); 116 sskey = rcu_dereference(cred->tgcred->session_keyring)->serial;
115 sskey = rcu_dereference(tsk->signal->session_keyring)->serial; 117 else
116 rcu_read_unlock(); 118 sskey = cred->user->session_keyring->serial;
117 } else {
118 sskey = tsk->user->session_keyring->serial;
119 }
120 119
121 sprintf(keyring_str[2], "%d", sskey); 120 sprintf(keyring_str[2], "%d", sskey);
122 121
@@ -157,8 +156,8 @@ error_link:
157 key_put(keyring); 156 key_put(keyring);
158 157
159error_alloc: 158error_alloc:
160 kleave(" = %d", ret);
161 complete_request_key(cons, ret); 159 complete_request_key(cons, ret);
160 kleave(" = %d", ret);
162 return ret; 161 return ret;
163} 162}
164 163
@@ -167,7 +166,8 @@ error_alloc:
167 * - we ignore program failure and go on key status instead 166 * - we ignore program failure and go on key status instead
168 */ 167 */
169static int construct_key(struct key *key, const void *callout_info, 168static int construct_key(struct key *key, const void *callout_info,
170 size_t callout_len, void *aux) 169 size_t callout_len, void *aux,
170 struct key *dest_keyring)
171{ 171{
172 struct key_construction *cons; 172 struct key_construction *cons;
173 request_key_actor_t actor; 173 request_key_actor_t actor;
@@ -181,7 +181,8 @@ static int construct_key(struct key *key, const void *callout_info,
181 return -ENOMEM; 181 return -ENOMEM;
182 182
183 /* allocate an authorisation key */ 183 /* allocate an authorisation key */
184 authkey = request_key_auth_new(key, callout_info, callout_len); 184 authkey = request_key_auth_new(key, callout_info, callout_len,
185 dest_keyring);
185 if (IS_ERR(authkey)) { 186 if (IS_ERR(authkey)) {
186 kfree(cons); 187 kfree(cons);
187 ret = PTR_ERR(authkey); 188 ret = PTR_ERR(authkey);
@@ -209,46 +210,67 @@ static int construct_key(struct key *key, const void *callout_info,
209} 210}
210 211
211/* 212/*
212 * link a key to the appropriate destination keyring 213 * get the appropriate destination keyring for the request
213 * - the caller must hold a write lock on the destination keyring 214 * - we return whatever keyring we select with an extra reference upon it which
215 * the caller must release
214 */ 216 */
215static void construct_key_make_link(struct key *key, struct key *dest_keyring) 217static void construct_get_dest_keyring(struct key **_dest_keyring)
216{ 218{
217 struct task_struct *tsk = current; 219 struct request_key_auth *rka;
218 struct key *drop = NULL; 220 const struct cred *cred = current_cred();
221 struct key *dest_keyring = *_dest_keyring, *authkey;
219 222
220 kenter("{%d},%p", key->serial, dest_keyring); 223 kenter("%p", dest_keyring);
221 224
222 /* find the appropriate keyring */ 225 /* find the appropriate keyring */
223 if (!dest_keyring) { 226 if (dest_keyring) {
224 switch (tsk->jit_keyring) { 227 /* the caller supplied one */
228 key_get(dest_keyring);
229 } else {
230 /* use a default keyring; falling through the cases until we
231 * find one that we actually have */
232 switch (cred->jit_keyring) {
225 case KEY_REQKEY_DEFL_DEFAULT: 233 case KEY_REQKEY_DEFL_DEFAULT:
234 case KEY_REQKEY_DEFL_REQUESTOR_KEYRING:
235 if (cred->request_key_auth) {
236 authkey = cred->request_key_auth;
237 down_read(&authkey->sem);
238 rka = authkey->payload.data;
239 if (!test_bit(KEY_FLAG_REVOKED,
240 &authkey->flags))
241 dest_keyring =
242 key_get(rka->dest_keyring);
243 up_read(&authkey->sem);
244 if (dest_keyring)
245 break;
246 }
247
226 case KEY_REQKEY_DEFL_THREAD_KEYRING: 248 case KEY_REQKEY_DEFL_THREAD_KEYRING:
227 dest_keyring = tsk->thread_keyring; 249 dest_keyring = key_get(cred->thread_keyring);
228 if (dest_keyring) 250 if (dest_keyring)
229 break; 251 break;
230 252
231 case KEY_REQKEY_DEFL_PROCESS_KEYRING: 253 case KEY_REQKEY_DEFL_PROCESS_KEYRING:
232 dest_keyring = tsk->signal->process_keyring; 254 dest_keyring = key_get(cred->tgcred->process_keyring);
233 if (dest_keyring) 255 if (dest_keyring)
234 break; 256 break;
235 257
236 case KEY_REQKEY_DEFL_SESSION_KEYRING: 258 case KEY_REQKEY_DEFL_SESSION_KEYRING:
237 rcu_read_lock(); 259 rcu_read_lock();
238 dest_keyring = key_get( 260 dest_keyring = key_get(
239 rcu_dereference(tsk->signal->session_keyring)); 261 rcu_dereference(cred->tgcred->session_keyring));
240 rcu_read_unlock(); 262 rcu_read_unlock();
241 drop = dest_keyring;
242 263
243 if (dest_keyring) 264 if (dest_keyring)
244 break; 265 break;
245 266
246 case KEY_REQKEY_DEFL_USER_SESSION_KEYRING: 267 case KEY_REQKEY_DEFL_USER_SESSION_KEYRING:
247 dest_keyring = tsk->user->session_keyring; 268 dest_keyring =
269 key_get(cred->user->session_keyring);
248 break; 270 break;
249 271
250 case KEY_REQKEY_DEFL_USER_KEYRING: 272 case KEY_REQKEY_DEFL_USER_KEYRING:
251 dest_keyring = tsk->user->uid_keyring; 273 dest_keyring = key_get(cred->user->uid_keyring);
252 break; 274 break;
253 275
254 case KEY_REQKEY_DEFL_GROUP_KEYRING: 276 case KEY_REQKEY_DEFL_GROUP_KEYRING:
@@ -257,10 +279,9 @@ static void construct_key_make_link(struct key *key, struct key *dest_keyring)
257 } 279 }
258 } 280 }
259 281
260 /* and attach the key to it */ 282 *_dest_keyring = dest_keyring;
261 __key_link(dest_keyring, key); 283 kleave(" [dk %d]", key_serial(dest_keyring));
262 key_put(drop); 284 return;
263 kleave("");
264} 285}
265 286
266/* 287/*
@@ -275,6 +296,7 @@ static int construct_alloc_key(struct key_type *type,
275 struct key_user *user, 296 struct key_user *user,
276 struct key **_key) 297 struct key **_key)
277{ 298{
299 const struct cred *cred = current_cred();
278 struct key *key; 300 struct key *key;
279 key_ref_t key_ref; 301 key_ref_t key_ref;
280 302
@@ -282,33 +304,28 @@ static int construct_alloc_key(struct key_type *type,
282 304
283 mutex_lock(&user->cons_lock); 305 mutex_lock(&user->cons_lock);
284 306
285 key = key_alloc(type, description, 307 key = key_alloc(type, description, cred->fsuid, cred->fsgid, cred,
286 current->fsuid, current->fsgid, current, KEY_POS_ALL, 308 KEY_POS_ALL, flags);
287 flags);
288 if (IS_ERR(key)) 309 if (IS_ERR(key))
289 goto alloc_failed; 310 goto alloc_failed;
290 311
291 set_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags); 312 set_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags);
292 313
293 if (dest_keyring) 314 down_write(&dest_keyring->sem);
294 down_write(&dest_keyring->sem);
295 315
296 /* attach the key to the destination keyring under lock, but we do need 316 /* attach the key to the destination keyring under lock, but we do need
297 * to do another check just in case someone beat us to it whilst we 317 * to do another check just in case someone beat us to it whilst we
298 * waited for locks */ 318 * waited for locks */
299 mutex_lock(&key_construction_mutex); 319 mutex_lock(&key_construction_mutex);
300 320
301 key_ref = search_process_keyrings(type, description, type->match, 321 key_ref = search_process_keyrings(type, description, type->match, cred);
302 current);
303 if (!IS_ERR(key_ref)) 322 if (!IS_ERR(key_ref))
304 goto key_already_present; 323 goto key_already_present;
305 324
306 if (dest_keyring) 325 __key_link(dest_keyring, key);
307 construct_key_make_link(key, dest_keyring);
308 326
309 mutex_unlock(&key_construction_mutex); 327 mutex_unlock(&key_construction_mutex);
310 if (dest_keyring) 328 up_write(&dest_keyring->sem);
311 up_write(&dest_keyring->sem);
312 mutex_unlock(&user->cons_lock); 329 mutex_unlock(&user->cons_lock);
313 *_key = key; 330 *_key = key;
314 kleave(" = 0 [%d]", key_serial(key)); 331 kleave(" = 0 [%d]", key_serial(key));
@@ -346,25 +363,36 @@ static struct key *construct_key_and_link(struct key_type *type,
346 struct key *key; 363 struct key *key;
347 int ret; 364 int ret;
348 365
349 user = key_user_lookup(current->fsuid); 366 kenter("");
367
368 user = key_user_lookup(current_fsuid());
350 if (!user) 369 if (!user)
351 return ERR_PTR(-ENOMEM); 370 return ERR_PTR(-ENOMEM);
352 371
372 construct_get_dest_keyring(&dest_keyring);
373
353 ret = construct_alloc_key(type, description, dest_keyring, flags, user, 374 ret = construct_alloc_key(type, description, dest_keyring, flags, user,
354 &key); 375 &key);
355 key_user_put(user); 376 key_user_put(user);
356 377
357 if (ret == 0) { 378 if (ret == 0) {
358 ret = construct_key(key, callout_info, callout_len, aux); 379 ret = construct_key(key, callout_info, callout_len, aux,
359 if (ret < 0) 380 dest_keyring);
381 if (ret < 0) {
382 kdebug("cons failed");
360 goto construction_failed; 383 goto construction_failed;
384 }
361 } 385 }
362 386
387 key_put(dest_keyring);
388 kleave(" = key %d", key_serial(key));
363 return key; 389 return key;
364 390
365construction_failed: 391construction_failed:
366 key_negate_and_link(key, key_negative_timeout, NULL, NULL); 392 key_negate_and_link(key, key_negative_timeout, NULL, NULL);
367 key_put(key); 393 key_put(key);
394 key_put(dest_keyring);
395 kleave(" = %d", ret);
368 return ERR_PTR(ret); 396 return ERR_PTR(ret);
369} 397}
370 398
@@ -383,6 +411,7 @@ struct key *request_key_and_link(struct key_type *type,
383 struct key *dest_keyring, 411 struct key *dest_keyring,
384 unsigned long flags) 412 unsigned long flags)
385{ 413{
414 const struct cred *cred = current_cred();
386 struct key *key; 415 struct key *key;
387 key_ref_t key_ref; 416 key_ref_t key_ref;
388 417
@@ -392,7 +421,7 @@ struct key *request_key_and_link(struct key_type *type,
392 421
393 /* search all the process keyrings for a key */ 422 /* search all the process keyrings for a key */
394 key_ref = search_process_keyrings(type, description, type->match, 423 key_ref = search_process_keyrings(type, description, type->match,
395 current); 424 cred);
396 425
397 if (!IS_ERR(key_ref)) { 426 if (!IS_ERR(key_ref)) {
398 key = key_ref_to_ptr(key_ref); 427 key = key_ref_to_ptr(key_ref);
diff --git a/security/keys/request_key_auth.c b/security/keys/request_key_auth.c
index bd237b0a6331..86747151ee5b 100644
--- a/security/keys/request_key_auth.c
+++ b/security/keys/request_key_auth.c
@@ -105,9 +105,9 @@ static void request_key_auth_revoke(struct key *key)
105 105
106 kenter("{%d}", key->serial); 106 kenter("{%d}", key->serial);
107 107
108 if (rka->context) { 108 if (rka->cred) {
109 put_task_struct(rka->context); 109 put_cred(rka->cred);
110 rka->context = NULL; 110 rka->cred = NULL;
111 } 111 }
112 112
113} /* end request_key_auth_revoke() */ 113} /* end request_key_auth_revoke() */
@@ -122,12 +122,13 @@ static void request_key_auth_destroy(struct key *key)
122 122
123 kenter("{%d}", key->serial); 123 kenter("{%d}", key->serial);
124 124
125 if (rka->context) { 125 if (rka->cred) {
126 put_task_struct(rka->context); 126 put_cred(rka->cred);
127 rka->context = NULL; 127 rka->cred = NULL;
128 } 128 }
129 129
130 key_put(rka->target_key); 130 key_put(rka->target_key);
131 key_put(rka->dest_keyring);
131 kfree(rka->callout_info); 132 kfree(rka->callout_info);
132 kfree(rka); 133 kfree(rka);
133 134
@@ -139,9 +140,10 @@ static void request_key_auth_destroy(struct key *key)
139 * access to the caller's security data 140 * access to the caller's security data
140 */ 141 */
141struct key *request_key_auth_new(struct key *target, const void *callout_info, 142struct key *request_key_auth_new(struct key *target, const void *callout_info,
142 size_t callout_len) 143 size_t callout_len, struct key *dest_keyring)
143{ 144{
144 struct request_key_auth *rka, *irka; 145 struct request_key_auth *rka, *irka;
146 const struct cred *cred = current->cred;
145 struct key *authkey = NULL; 147 struct key *authkey = NULL;
146 char desc[20]; 148 char desc[20];
147 int ret; 149 int ret;
@@ -163,31 +165,29 @@ struct key *request_key_auth_new(struct key *target, const void *callout_info,
163 165
164 /* see if the calling process is already servicing the key request of 166 /* see if the calling process is already servicing the key request of
165 * another process */ 167 * another process */
166 if (current->request_key_auth) { 168 if (cred->request_key_auth) {
167 /* it is - use that instantiation context here too */ 169 /* it is - use that instantiation context here too */
168 down_read(&current->request_key_auth->sem); 170 down_read(&cred->request_key_auth->sem);
169 171
170 /* if the auth key has been revoked, then the key we're 172 /* if the auth key has been revoked, then the key we're
171 * servicing is already instantiated */ 173 * servicing is already instantiated */
172 if (test_bit(KEY_FLAG_REVOKED, 174 if (test_bit(KEY_FLAG_REVOKED, &cred->request_key_auth->flags))
173 &current->request_key_auth->flags))
174 goto auth_key_revoked; 175 goto auth_key_revoked;
175 176
176 irka = current->request_key_auth->payload.data; 177 irka = cred->request_key_auth->payload.data;
177 rka->context = irka->context; 178 rka->cred = get_cred(irka->cred);
178 rka->pid = irka->pid; 179 rka->pid = irka->pid;
179 get_task_struct(rka->context);
180 180
181 up_read(&current->request_key_auth->sem); 181 up_read(&cred->request_key_auth->sem);
182 } 182 }
183 else { 183 else {
184 /* it isn't - use this process as the context */ 184 /* it isn't - use this process as the context */
185 rka->context = current; 185 rka->cred = get_cred(cred);
186 rka->pid = current->pid; 186 rka->pid = current->pid;
187 get_task_struct(rka->context);
188 } 187 }
189 188
190 rka->target_key = key_get(target); 189 rka->target_key = key_get(target);
190 rka->dest_keyring = key_get(dest_keyring);
191 memcpy(rka->callout_info, callout_info, callout_len); 191 memcpy(rka->callout_info, callout_info, callout_len);
192 rka->callout_len = callout_len; 192 rka->callout_len = callout_len;
193 193
@@ -195,7 +195,7 @@ struct key *request_key_auth_new(struct key *target, const void *callout_info,
195 sprintf(desc, "%x", target->serial); 195 sprintf(desc, "%x", target->serial);
196 196
197 authkey = key_alloc(&key_type_request_key_auth, desc, 197 authkey = key_alloc(&key_type_request_key_auth, desc,
198 current->fsuid, current->fsgid, current, 198 cred->fsuid, cred->fsgid, cred,
199 KEY_POS_VIEW | KEY_POS_READ | KEY_POS_SEARCH | 199 KEY_POS_VIEW | KEY_POS_READ | KEY_POS_SEARCH |
200 KEY_USR_VIEW, KEY_ALLOC_NOT_IN_QUOTA); 200 KEY_USR_VIEW, KEY_ALLOC_NOT_IN_QUOTA);
201 if (IS_ERR(authkey)) { 201 if (IS_ERR(authkey)) {
@@ -203,16 +203,16 @@ struct key *request_key_auth_new(struct key *target, const void *callout_info,
203 goto error_alloc; 203 goto error_alloc;
204 } 204 }
205 205
206 /* construct and attach to the keyring */ 206 /* construct the auth key */
207 ret = key_instantiate_and_link(authkey, rka, 0, NULL, NULL); 207 ret = key_instantiate_and_link(authkey, rka, 0, NULL, NULL);
208 if (ret < 0) 208 if (ret < 0)
209 goto error_inst; 209 goto error_inst;
210 210
211 kleave(" = {%d}", authkey->serial); 211 kleave(" = {%d,%d}", authkey->serial, atomic_read(&authkey->usage));
212 return authkey; 212 return authkey;
213 213
214auth_key_revoked: 214auth_key_revoked:
215 up_read(&current->request_key_auth->sem); 215 up_read(&cred->request_key_auth->sem);
216 kfree(rka->callout_info); 216 kfree(rka->callout_info);
217 kfree(rka); 217 kfree(rka);
218 kleave("= -EKEYREVOKED"); 218 kleave("= -EKEYREVOKED");
@@ -223,6 +223,7 @@ error_inst:
223 key_put(authkey); 223 key_put(authkey);
224error_alloc: 224error_alloc:
225 key_put(rka->target_key); 225 key_put(rka->target_key);
226 key_put(rka->dest_keyring);
226 kfree(rka->callout_info); 227 kfree(rka->callout_info);
227 kfree(rka); 228 kfree(rka);
228 kleave("= %d", ret); 229 kleave("= %d", ret);
@@ -254,6 +255,7 @@ static int key_get_instantiation_authkey_match(const struct key *key,
254 */ 255 */
255struct key *key_get_instantiation_authkey(key_serial_t target_id) 256struct key *key_get_instantiation_authkey(key_serial_t target_id)
256{ 257{
258 const struct cred *cred = current_cred();
257 struct key *authkey; 259 struct key *authkey;
258 key_ref_t authkey_ref; 260 key_ref_t authkey_ref;
259 261
@@ -261,7 +263,7 @@ struct key *key_get_instantiation_authkey(key_serial_t target_id)
261 &key_type_request_key_auth, 263 &key_type_request_key_auth,
262 (void *) (unsigned long) target_id, 264 (void *) (unsigned long) target_id,
263 key_get_instantiation_authkey_match, 265 key_get_instantiation_authkey_match,
264 current); 266 cred);
265 267
266 if (IS_ERR(authkey_ref)) { 268 if (IS_ERR(authkey_ref)) {
267 authkey = ERR_CAST(authkey_ref); 269 authkey = ERR_CAST(authkey_ref);
diff --git a/security/root_plug.c b/security/root_plug.c
index c3f68b5b372d..40fb4f15e27b 100644
--- a/security/root_plug.c
+++ b/security/root_plug.c
@@ -55,9 +55,9 @@ static int rootplug_bprm_check_security (struct linux_binprm *bprm)
55 struct usb_device *dev; 55 struct usb_device *dev;
56 56
57 root_dbg("file %s, e_uid = %d, e_gid = %d\n", 57 root_dbg("file %s, e_uid = %d, e_gid = %d\n",
58 bprm->filename, bprm->e_uid, bprm->e_gid); 58 bprm->filename, bprm->cred->euid, bprm->cred->egid);
59 59
60 if (bprm->e_gid == 0) { 60 if (bprm->cred->egid == 0) {
61 dev = usb_find_device(vendor_id, product_id); 61 dev = usb_find_device(vendor_id, product_id);
62 if (!dev) { 62 if (!dev) {
63 root_dbg("e_gid = 0, and device not found, " 63 root_dbg("e_gid = 0, and device not found, "
@@ -75,15 +75,12 @@ static struct security_operations rootplug_security_ops = {
75 .ptrace_may_access = cap_ptrace_may_access, 75 .ptrace_may_access = cap_ptrace_may_access,
76 .ptrace_traceme = cap_ptrace_traceme, 76 .ptrace_traceme = cap_ptrace_traceme,
77 .capget = cap_capget, 77 .capget = cap_capget,
78 .capset_check = cap_capset_check, 78 .capset = cap_capset,
79 .capset_set = cap_capset_set,
80 .capable = cap_capable, 79 .capable = cap_capable,
81 80
82 .bprm_apply_creds = cap_bprm_apply_creds, 81 .bprm_set_creds = cap_bprm_set_creds,
83 .bprm_set_security = cap_bprm_set_security,
84 82
85 .task_post_setuid = cap_task_post_setuid, 83 .task_fix_setuid = cap_task_fix_setuid,
86 .task_reparent_to_init = cap_task_reparent_to_init,
87 .task_prctl = cap_task_prctl, 84 .task_prctl = cap_task_prctl,
88 85
89 .bprm_check_security = rootplug_bprm_check_security, 86 .bprm_check_security = rootplug_bprm_check_security,
diff --git a/security/security.c b/security/security.c
index c0acfa7177e5..038ef04b2c7f 100644
--- a/security/security.c
+++ b/security/security.c
@@ -145,25 +145,23 @@ int security_capget(struct task_struct *target,
145 return security_ops->capget(target, effective, inheritable, permitted); 145 return security_ops->capget(target, effective, inheritable, permitted);
146} 146}
147 147
148int security_capset_check(struct task_struct *target, 148int security_capset(struct cred *new, const struct cred *old,
149 kernel_cap_t *effective, 149 const kernel_cap_t *effective,
150 kernel_cap_t *inheritable, 150 const kernel_cap_t *inheritable,
151 kernel_cap_t *permitted) 151 const kernel_cap_t *permitted)
152{ 152{
153 return security_ops->capset_check(target, effective, inheritable, permitted); 153 return security_ops->capset(new, old,
154 effective, inheritable, permitted);
154} 155}
155 156
156void security_capset_set(struct task_struct *target, 157int security_capable(struct task_struct *tsk, int cap)
157 kernel_cap_t *effective,
158 kernel_cap_t *inheritable,
159 kernel_cap_t *permitted)
160{ 158{
161 security_ops->capset_set(target, effective, inheritable, permitted); 159 return security_ops->capable(tsk, cap, SECURITY_CAP_AUDIT);
162} 160}
163 161
164int security_capable(struct task_struct *tsk, int cap) 162int security_capable_noaudit(struct task_struct *tsk, int cap)
165{ 163{
166 return security_ops->capable(tsk, cap); 164 return security_ops->capable(tsk, cap, SECURITY_CAP_NOAUDIT);
167} 165}
168 166
169int security_acct(struct file *file) 167int security_acct(struct file *file)
@@ -215,34 +213,24 @@ int security_vm_enough_memory_kern(long pages)
215 return security_ops->vm_enough_memory(current->mm, pages); 213 return security_ops->vm_enough_memory(current->mm, pages);
216} 214}
217 215
218int security_bprm_alloc(struct linux_binprm *bprm) 216int security_bprm_set_creds(struct linux_binprm *bprm)
219{
220 return security_ops->bprm_alloc_security(bprm);
221}
222
223void security_bprm_free(struct linux_binprm *bprm)
224{
225 security_ops->bprm_free_security(bprm);
226}
227
228void security_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
229{ 217{
230 security_ops->bprm_apply_creds(bprm, unsafe); 218 return security_ops->bprm_set_creds(bprm);
231} 219}
232 220
233void security_bprm_post_apply_creds(struct linux_binprm *bprm) 221int security_bprm_check(struct linux_binprm *bprm)
234{ 222{
235 security_ops->bprm_post_apply_creds(bprm); 223 return security_ops->bprm_check_security(bprm);
236} 224}
237 225
238int security_bprm_set(struct linux_binprm *bprm) 226void security_bprm_committing_creds(struct linux_binprm *bprm)
239{ 227{
240 return security_ops->bprm_set_security(bprm); 228 return security_ops->bprm_committing_creds(bprm);
241} 229}
242 230
243int security_bprm_check(struct linux_binprm *bprm) 231void security_bprm_committed_creds(struct linux_binprm *bprm)
244{ 232{
245 return security_ops->bprm_check_security(bprm); 233 return security_ops->bprm_committed_creds(bprm);
246} 234}
247 235
248int security_bprm_secureexec(struct linux_binprm *bprm) 236int security_bprm_secureexec(struct linux_binprm *bprm)
@@ -603,9 +591,9 @@ int security_file_receive(struct file *file)
603 return security_ops->file_receive(file); 591 return security_ops->file_receive(file);
604} 592}
605 593
606int security_dentry_open(struct file *file) 594int security_dentry_open(struct file *file, const struct cred *cred)
607{ 595{
608 return security_ops->dentry_open(file); 596 return security_ops->dentry_open(file, cred);
609} 597}
610 598
611int security_task_create(unsigned long clone_flags) 599int security_task_create(unsigned long clone_flags)
@@ -613,14 +601,29 @@ int security_task_create(unsigned long clone_flags)
613 return security_ops->task_create(clone_flags); 601 return security_ops->task_create(clone_flags);
614} 602}
615 603
616int security_task_alloc(struct task_struct *p) 604void security_cred_free(struct cred *cred)
617{ 605{
618 return security_ops->task_alloc_security(p); 606 security_ops->cred_free(cred);
619} 607}
620 608
621void security_task_free(struct task_struct *p) 609int security_prepare_creds(struct cred *new, const struct cred *old, gfp_t gfp)
622{ 610{
623 security_ops->task_free_security(p); 611 return security_ops->cred_prepare(new, old, gfp);
612}
613
614void security_commit_creds(struct cred *new, const struct cred *old)
615{
616 return security_ops->cred_commit(new, old);
617}
618
619int security_kernel_act_as(struct cred *new, u32 secid)
620{
621 return security_ops->kernel_act_as(new, secid);
622}
623
624int security_kernel_create_files_as(struct cred *new, struct inode *inode)
625{
626 return security_ops->kernel_create_files_as(new, inode);
624} 627}
625 628
626int security_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) 629int security_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
@@ -628,10 +631,10 @@ int security_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
628 return security_ops->task_setuid(id0, id1, id2, flags); 631 return security_ops->task_setuid(id0, id1, id2, flags);
629} 632}
630 633
631int security_task_post_setuid(uid_t old_ruid, uid_t old_euid, 634int security_task_fix_setuid(struct cred *new, const struct cred *old,
632 uid_t old_suid, int flags) 635 int flags)
633{ 636{
634 return security_ops->task_post_setuid(old_ruid, old_euid, old_suid, flags); 637 return security_ops->task_fix_setuid(new, old, flags);
635} 638}
636 639
637int security_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags) 640int security_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
@@ -713,14 +716,9 @@ int security_task_wait(struct task_struct *p)
713} 716}
714 717
715int security_task_prctl(int option, unsigned long arg2, unsigned long arg3, 718int security_task_prctl(int option, unsigned long arg2, unsigned long arg3,
716 unsigned long arg4, unsigned long arg5, long *rc_p) 719 unsigned long arg4, unsigned long arg5)
717{
718 return security_ops->task_prctl(option, arg2, arg3, arg4, arg5, rc_p);
719}
720
721void security_task_reparent_to_init(struct task_struct *p)
722{ 720{
723 security_ops->task_reparent_to_init(p); 721 return security_ops->task_prctl(option, arg2, arg3, arg4, arg5);
724} 722}
725 723
726void security_task_to_inode(struct task_struct *p, struct inode *inode) 724void security_task_to_inode(struct task_struct *p, struct inode *inode)
@@ -1120,9 +1118,10 @@ EXPORT_SYMBOL(security_skb_classify_flow);
1120 1118
1121#ifdef CONFIG_KEYS 1119#ifdef CONFIG_KEYS
1122 1120
1123int security_key_alloc(struct key *key, struct task_struct *tsk, unsigned long flags) 1121int security_key_alloc(struct key *key, const struct cred *cred,
1122 unsigned long flags)
1124{ 1123{
1125 return security_ops->key_alloc(key, tsk, flags); 1124 return security_ops->key_alloc(key, cred, flags);
1126} 1125}
1127 1126
1128void security_key_free(struct key *key) 1127void security_key_free(struct key *key)
@@ -1131,9 +1130,9 @@ void security_key_free(struct key *key)
1131} 1130}
1132 1131
1133int security_key_permission(key_ref_t key_ref, 1132int security_key_permission(key_ref_t key_ref,
1134 struct task_struct *context, key_perm_t perm) 1133 const struct cred *cred, key_perm_t perm)
1135{ 1134{
1136 return security_ops->key_permission(key_ref, context, perm); 1135 return security_ops->key_permission(key_ref, cred, perm);
1137} 1136}
1138 1137
1139int security_key_getsecurity(struct key *key, char **_buffer) 1138int security_key_getsecurity(struct key *key, char **_buffer)
diff --git a/security/selinux/exports.c b/security/selinux/exports.c
index 64af2d3409ef..c73aeaa008e8 100644
--- a/security/selinux/exports.c
+++ b/security/selinux/exports.c
@@ -39,9 +39,13 @@ EXPORT_SYMBOL_GPL(selinux_string_to_sid);
39int selinux_secmark_relabel_packet_permission(u32 sid) 39int selinux_secmark_relabel_packet_permission(u32 sid)
40{ 40{
41 if (selinux_enabled) { 41 if (selinux_enabled) {
42 struct task_security_struct *tsec = current->security; 42 const struct task_security_struct *__tsec;
43 u32 tsid;
43 44
44 return avc_has_perm(tsec->sid, sid, SECCLASS_PACKET, 45 __tsec = current_security();
46 tsid = __tsec->sid;
47
48 return avc_has_perm(tsid, sid, SECCLASS_PACKET,
45 PACKET__RELABELTO, NULL); 49 PACKET__RELABELTO, NULL);
46 } 50 }
47 return 0; 51 return 0;
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index f85597a4d733..520f82ab3fbf 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -156,33 +156,62 @@ static int selinux_secmark_enabled(void)
156 return (atomic_read(&selinux_secmark_refcount) > 0); 156 return (atomic_read(&selinux_secmark_refcount) > 0);
157} 157}
158 158
159/* Allocate and free functions for each kind of security blob. */ 159/*
160 160 * initialise the security for the init task
161static int task_alloc_security(struct task_struct *task) 161 */
162static void cred_init_security(void)
162{ 163{
164 struct cred *cred = (struct cred *) current->real_cred;
163 struct task_security_struct *tsec; 165 struct task_security_struct *tsec;
164 166
165 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL); 167 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
166 if (!tsec) 168 if (!tsec)
167 return -ENOMEM; 169 panic("SELinux: Failed to initialize initial task.\n");
168 170
169 tsec->osid = tsec->sid = SECINITSID_UNLABELED; 171 tsec->osid = tsec->sid = SECINITSID_KERNEL;
170 task->security = tsec; 172 cred->security = tsec;
173}
171 174
172 return 0; 175/*
176 * get the security ID of a set of credentials
177 */
178static inline u32 cred_sid(const struct cred *cred)
179{
180 const struct task_security_struct *tsec;
181
182 tsec = cred->security;
183 return tsec->sid;
173} 184}
174 185
175static void task_free_security(struct task_struct *task) 186/*
187 * get the objective security ID of a task
188 */
189static inline u32 task_sid(const struct task_struct *task)
176{ 190{
177 struct task_security_struct *tsec = task->security; 191 u32 sid;
178 task->security = NULL; 192
179 kfree(tsec); 193 rcu_read_lock();
194 sid = cred_sid(__task_cred(task));
195 rcu_read_unlock();
196 return sid;
180} 197}
181 198
199/*
200 * get the subjective security ID of the current task
201 */
202static inline u32 current_sid(void)
203{
204 const struct task_security_struct *tsec = current_cred()->security;
205
206 return tsec->sid;
207}
208
209/* Allocate and free functions for each kind of security blob. */
210
182static int inode_alloc_security(struct inode *inode) 211static int inode_alloc_security(struct inode *inode)
183{ 212{
184 struct task_security_struct *tsec = current->security;
185 struct inode_security_struct *isec; 213 struct inode_security_struct *isec;
214 u32 sid = current_sid();
186 215
187 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS); 216 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
188 if (!isec) 217 if (!isec)
@@ -193,7 +222,7 @@ static int inode_alloc_security(struct inode *inode)
193 isec->inode = inode; 222 isec->inode = inode;
194 isec->sid = SECINITSID_UNLABELED; 223 isec->sid = SECINITSID_UNLABELED;
195 isec->sclass = SECCLASS_FILE; 224 isec->sclass = SECCLASS_FILE;
196 isec->task_sid = tsec->sid; 225 isec->task_sid = sid;
197 inode->i_security = isec; 226 inode->i_security = isec;
198 227
199 return 0; 228 return 0;
@@ -215,15 +244,15 @@ static void inode_free_security(struct inode *inode)
215 244
216static int file_alloc_security(struct file *file) 245static int file_alloc_security(struct file *file)
217{ 246{
218 struct task_security_struct *tsec = current->security;
219 struct file_security_struct *fsec; 247 struct file_security_struct *fsec;
248 u32 sid = current_sid();
220 249
221 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL); 250 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
222 if (!fsec) 251 if (!fsec)
223 return -ENOMEM; 252 return -ENOMEM;
224 253
225 fsec->sid = tsec->sid; 254 fsec->sid = sid;
226 fsec->fown_sid = tsec->sid; 255 fsec->fown_sid = sid;
227 file->f_security = fsec; 256 file->f_security = fsec;
228 257
229 return 0; 258 return 0;
@@ -338,8 +367,9 @@ static const match_table_t tokens = {
338 367
339static int may_context_mount_sb_relabel(u32 sid, 368static int may_context_mount_sb_relabel(u32 sid,
340 struct superblock_security_struct *sbsec, 369 struct superblock_security_struct *sbsec,
341 struct task_security_struct *tsec) 370 const struct cred *cred)
342{ 371{
372 const struct task_security_struct *tsec = cred->security;
343 int rc; 373 int rc;
344 374
345 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 375 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
@@ -354,8 +384,9 @@ static int may_context_mount_sb_relabel(u32 sid,
354 384
355static int may_context_mount_inode_relabel(u32 sid, 385static int may_context_mount_inode_relabel(u32 sid,
356 struct superblock_security_struct *sbsec, 386 struct superblock_security_struct *sbsec,
357 struct task_security_struct *tsec) 387 const struct cred *cred)
358{ 388{
389 const struct task_security_struct *tsec = cred->security;
359 int rc; 390 int rc;
360 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 391 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
361 FILESYSTEM__RELABELFROM, NULL); 392 FILESYSTEM__RELABELFROM, NULL);
@@ -553,8 +584,8 @@ static int bad_option(struct superblock_security_struct *sbsec, char flag,
553static int selinux_set_mnt_opts(struct super_block *sb, 584static int selinux_set_mnt_opts(struct super_block *sb,
554 struct security_mnt_opts *opts) 585 struct security_mnt_opts *opts)
555{ 586{
587 const struct cred *cred = current_cred();
556 int rc = 0, i; 588 int rc = 0, i;
557 struct task_security_struct *tsec = current->security;
558 struct superblock_security_struct *sbsec = sb->s_security; 589 struct superblock_security_struct *sbsec = sb->s_security;
559 const char *name = sb->s_type->name; 590 const char *name = sb->s_type->name;
560 struct inode *inode = sbsec->sb->s_root->d_inode; 591 struct inode *inode = sbsec->sb->s_root->d_inode;
@@ -680,8 +711,7 @@ static int selinux_set_mnt_opts(struct super_block *sb,
680 711
681 /* sets the context of the superblock for the fs being mounted. */ 712 /* sets the context of the superblock for the fs being mounted. */
682 if (fscontext_sid) { 713 if (fscontext_sid) {
683 714 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
684 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
685 if (rc) 715 if (rc)
686 goto out; 716 goto out;
687 717
@@ -695,12 +725,14 @@ static int selinux_set_mnt_opts(struct super_block *sb,
695 */ 725 */
696 if (context_sid) { 726 if (context_sid) {
697 if (!fscontext_sid) { 727 if (!fscontext_sid) {
698 rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec); 728 rc = may_context_mount_sb_relabel(context_sid, sbsec,
729 cred);
699 if (rc) 730 if (rc)
700 goto out; 731 goto out;
701 sbsec->sid = context_sid; 732 sbsec->sid = context_sid;
702 } else { 733 } else {
703 rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec); 734 rc = may_context_mount_inode_relabel(context_sid, sbsec,
735 cred);
704 if (rc) 736 if (rc)
705 goto out; 737 goto out;
706 } 738 }
@@ -712,7 +744,8 @@ static int selinux_set_mnt_opts(struct super_block *sb,
712 } 744 }
713 745
714 if (rootcontext_sid) { 746 if (rootcontext_sid) {
715 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec); 747 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
748 cred);
716 if (rc) 749 if (rc)
717 goto out; 750 goto out;
718 751
@@ -730,7 +763,7 @@ static int selinux_set_mnt_opts(struct super_block *sb,
730 763
731 if (defcontext_sid != sbsec->def_sid) { 764 if (defcontext_sid != sbsec->def_sid) {
732 rc = may_context_mount_inode_relabel(defcontext_sid, 765 rc = may_context_mount_inode_relabel(defcontext_sid,
733 sbsec, tsec); 766 sbsec, cred);
734 if (rc) 767 if (rc)
735 goto out; 768 goto out;
736 } 769 }
@@ -1345,18 +1378,53 @@ static inline u32 signal_to_av(int sig)
1345 return perm; 1378 return perm;
1346} 1379}
1347 1380
1348/* Check permission betweeen a pair of tasks, e.g. signal checks, 1381/*
1349 fork check, ptrace check, etc. */ 1382 * Check permission between a pair of credentials
1350static int task_has_perm(struct task_struct *tsk1, 1383 * fork check, ptrace check, etc.
1351 struct task_struct *tsk2, 1384 */
1385static int cred_has_perm(const struct cred *actor,
1386 const struct cred *target,
1387 u32 perms)
1388{
1389 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1390
1391 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1392}
1393
1394/*
1395 * Check permission between a pair of tasks, e.g. signal checks,
1396 * fork check, ptrace check, etc.
1397 * tsk1 is the actor and tsk2 is the target
1398 * - this uses the default subjective creds of tsk1
1399 */
1400static int task_has_perm(const struct task_struct *tsk1,
1401 const struct task_struct *tsk2,
1352 u32 perms) 1402 u32 perms)
1353{ 1403{
1354 struct task_security_struct *tsec1, *tsec2; 1404 const struct task_security_struct *__tsec1, *__tsec2;
1405 u32 sid1, sid2;
1355 1406
1356 tsec1 = tsk1->security; 1407 rcu_read_lock();
1357 tsec2 = tsk2->security; 1408 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1358 return avc_has_perm(tsec1->sid, tsec2->sid, 1409 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1359 SECCLASS_PROCESS, perms, NULL); 1410 rcu_read_unlock();
1411 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1412}
1413
1414/*
1415 * Check permission between current and another task, e.g. signal checks,
1416 * fork check, ptrace check, etc.
1417 * current is the actor and tsk2 is the target
1418 * - this uses current's subjective creds
1419 */
1420static int current_has_perm(const struct task_struct *tsk,
1421 u32 perms)
1422{
1423 u32 sid, tsid;
1424
1425 sid = current_sid();
1426 tsid = task_sid(tsk);
1427 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1360} 1428}
1361 1429
1362#if CAP_LAST_CAP > 63 1430#if CAP_LAST_CAP > 63
@@ -1365,14 +1433,14 @@ static int task_has_perm(struct task_struct *tsk1,
1365 1433
1366/* Check whether a task is allowed to use a capability. */ 1434/* Check whether a task is allowed to use a capability. */
1367static int task_has_capability(struct task_struct *tsk, 1435static int task_has_capability(struct task_struct *tsk,
1368 int cap) 1436 int cap, int audit)
1369{ 1437{
1370 struct task_security_struct *tsec;
1371 struct avc_audit_data ad; 1438 struct avc_audit_data ad;
1439 struct av_decision avd;
1372 u16 sclass; 1440 u16 sclass;
1441 u32 sid = task_sid(tsk);
1373 u32 av = CAP_TO_MASK(cap); 1442 u32 av = CAP_TO_MASK(cap);
1374 1443 int rc;
1375 tsec = tsk->security;
1376 1444
1377 AVC_AUDIT_DATA_INIT(&ad, CAP); 1445 AVC_AUDIT_DATA_INIT(&ad, CAP);
1378 ad.tsk = tsk; 1446 ad.tsk = tsk;
@@ -1390,37 +1458,39 @@ static int task_has_capability(struct task_struct *tsk,
1390 "SELinux: out of range capability %d\n", cap); 1458 "SELinux: out of range capability %d\n", cap);
1391 BUG(); 1459 BUG();
1392 } 1460 }
1393 return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad); 1461
1462 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1463 if (audit == SECURITY_CAP_AUDIT)
1464 avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
1465 return rc;
1394} 1466}
1395 1467
1396/* Check whether a task is allowed to use a system operation. */ 1468/* Check whether a task is allowed to use a system operation. */
1397static int task_has_system(struct task_struct *tsk, 1469static int task_has_system(struct task_struct *tsk,
1398 u32 perms) 1470 u32 perms)
1399{ 1471{
1400 struct task_security_struct *tsec; 1472 u32 sid = task_sid(tsk);
1401 1473
1402 tsec = tsk->security; 1474 return avc_has_perm(sid, SECINITSID_KERNEL,
1403
1404 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1405 SECCLASS_SYSTEM, perms, NULL); 1475 SECCLASS_SYSTEM, perms, NULL);
1406} 1476}
1407 1477
1408/* Check whether a task has a particular permission to an inode. 1478/* Check whether a task has a particular permission to an inode.
1409 The 'adp' parameter is optional and allows other audit 1479 The 'adp' parameter is optional and allows other audit
1410 data to be passed (e.g. the dentry). */ 1480 data to be passed (e.g. the dentry). */
1411static int inode_has_perm(struct task_struct *tsk, 1481static int inode_has_perm(const struct cred *cred,
1412 struct inode *inode, 1482 struct inode *inode,
1413 u32 perms, 1483 u32 perms,
1414 struct avc_audit_data *adp) 1484 struct avc_audit_data *adp)
1415{ 1485{
1416 struct task_security_struct *tsec;
1417 struct inode_security_struct *isec; 1486 struct inode_security_struct *isec;
1418 struct avc_audit_data ad; 1487 struct avc_audit_data ad;
1488 u32 sid;
1419 1489
1420 if (unlikely(IS_PRIVATE(inode))) 1490 if (unlikely(IS_PRIVATE(inode)))
1421 return 0; 1491 return 0;
1422 1492
1423 tsec = tsk->security; 1493 sid = cred_sid(cred);
1424 isec = inode->i_security; 1494 isec = inode->i_security;
1425 1495
1426 if (!adp) { 1496 if (!adp) {
@@ -1429,23 +1499,24 @@ static int inode_has_perm(struct task_struct *tsk,
1429 ad.u.fs.inode = inode; 1499 ad.u.fs.inode = inode;
1430 } 1500 }
1431 1501
1432 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp); 1502 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1433} 1503}
1434 1504
1435/* Same as inode_has_perm, but pass explicit audit data containing 1505/* Same as inode_has_perm, but pass explicit audit data containing
1436 the dentry to help the auditing code to more easily generate the 1506 the dentry to help the auditing code to more easily generate the
1437 pathname if needed. */ 1507 pathname if needed. */
1438static inline int dentry_has_perm(struct task_struct *tsk, 1508static inline int dentry_has_perm(const struct cred *cred,
1439 struct vfsmount *mnt, 1509 struct vfsmount *mnt,
1440 struct dentry *dentry, 1510 struct dentry *dentry,
1441 u32 av) 1511 u32 av)
1442{ 1512{
1443 struct inode *inode = dentry->d_inode; 1513 struct inode *inode = dentry->d_inode;
1444 struct avc_audit_data ad; 1514 struct avc_audit_data ad;
1515
1445 AVC_AUDIT_DATA_INIT(&ad, FS); 1516 AVC_AUDIT_DATA_INIT(&ad, FS);
1446 ad.u.fs.path.mnt = mnt; 1517 ad.u.fs.path.mnt = mnt;
1447 ad.u.fs.path.dentry = dentry; 1518 ad.u.fs.path.dentry = dentry;
1448 return inode_has_perm(tsk, inode, av, &ad); 1519 return inode_has_perm(cred, inode, av, &ad);
1449} 1520}
1450 1521
1451/* Check whether a task can use an open file descriptor to 1522/* Check whether a task can use an open file descriptor to
@@ -1456,33 +1527,35 @@ static inline int dentry_has_perm(struct task_struct *tsk,
1456 has the same SID as the process. If av is zero, then 1527 has the same SID as the process. If av is zero, then
1457 access to the file is not checked, e.g. for cases 1528 access to the file is not checked, e.g. for cases
1458 where only the descriptor is affected like seek. */ 1529 where only the descriptor is affected like seek. */
1459static int file_has_perm(struct task_struct *tsk, 1530static int file_has_perm(const struct cred *cred,
1460 struct file *file, 1531 struct file *file,
1461 u32 av) 1532 u32 av)
1462{ 1533{
1463 struct task_security_struct *tsec = tsk->security;
1464 struct file_security_struct *fsec = file->f_security; 1534 struct file_security_struct *fsec = file->f_security;
1465 struct inode *inode = file->f_path.dentry->d_inode; 1535 struct inode *inode = file->f_path.dentry->d_inode;
1466 struct avc_audit_data ad; 1536 struct avc_audit_data ad;
1537 u32 sid = cred_sid(cred);
1467 int rc; 1538 int rc;
1468 1539
1469 AVC_AUDIT_DATA_INIT(&ad, FS); 1540 AVC_AUDIT_DATA_INIT(&ad, FS);
1470 ad.u.fs.path = file->f_path; 1541 ad.u.fs.path = file->f_path;
1471 1542
1472 if (tsec->sid != fsec->sid) { 1543 if (sid != fsec->sid) {
1473 rc = avc_has_perm(tsec->sid, fsec->sid, 1544 rc = avc_has_perm(sid, fsec->sid,
1474 SECCLASS_FD, 1545 SECCLASS_FD,
1475 FD__USE, 1546 FD__USE,
1476 &ad); 1547 &ad);
1477 if (rc) 1548 if (rc)
1478 return rc; 1549 goto out;
1479 } 1550 }
1480 1551
1481 /* av is zero if only checking access to the descriptor. */ 1552 /* av is zero if only checking access to the descriptor. */
1553 rc = 0;
1482 if (av) 1554 if (av)
1483 return inode_has_perm(tsk, inode, av, &ad); 1555 rc = inode_has_perm(cred, inode, av, &ad);
1484 1556
1485 return 0; 1557out:
1558 return rc;
1486} 1559}
1487 1560
1488/* Check whether a task can create a file. */ 1561/* Check whether a task can create a file. */
@@ -1490,36 +1563,36 @@ static int may_create(struct inode *dir,
1490 struct dentry *dentry, 1563 struct dentry *dentry,
1491 u16 tclass) 1564 u16 tclass)
1492{ 1565{
1493 struct task_security_struct *tsec; 1566 const struct cred *cred = current_cred();
1567 const struct task_security_struct *tsec = cred->security;
1494 struct inode_security_struct *dsec; 1568 struct inode_security_struct *dsec;
1495 struct superblock_security_struct *sbsec; 1569 struct superblock_security_struct *sbsec;
1496 u32 newsid; 1570 u32 sid, newsid;
1497 struct avc_audit_data ad; 1571 struct avc_audit_data ad;
1498 int rc; 1572 int rc;
1499 1573
1500 tsec = current->security;
1501 dsec = dir->i_security; 1574 dsec = dir->i_security;
1502 sbsec = dir->i_sb->s_security; 1575 sbsec = dir->i_sb->s_security;
1503 1576
1577 sid = tsec->sid;
1578 newsid = tsec->create_sid;
1579
1504 AVC_AUDIT_DATA_INIT(&ad, FS); 1580 AVC_AUDIT_DATA_INIT(&ad, FS);
1505 ad.u.fs.path.dentry = dentry; 1581 ad.u.fs.path.dentry = dentry;
1506 1582
1507 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, 1583 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1508 DIR__ADD_NAME | DIR__SEARCH, 1584 DIR__ADD_NAME | DIR__SEARCH,
1509 &ad); 1585 &ad);
1510 if (rc) 1586 if (rc)
1511 return rc; 1587 return rc;
1512 1588
1513 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) { 1589 if (!newsid || sbsec->behavior == SECURITY_FS_USE_MNTPOINT) {
1514 newsid = tsec->create_sid; 1590 rc = security_transition_sid(sid, dsec->sid, tclass, &newsid);
1515 } else {
1516 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1517 &newsid);
1518 if (rc) 1591 if (rc)
1519 return rc; 1592 return rc;
1520 } 1593 }
1521 1594
1522 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad); 1595 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1523 if (rc) 1596 if (rc)
1524 return rc; 1597 return rc;
1525 1598
@@ -1532,11 +1605,9 @@ static int may_create(struct inode *dir,
1532static int may_create_key(u32 ksid, 1605static int may_create_key(u32 ksid,
1533 struct task_struct *ctx) 1606 struct task_struct *ctx)
1534{ 1607{
1535 struct task_security_struct *tsec; 1608 u32 sid = task_sid(ctx);
1536 1609
1537 tsec = ctx->security; 1610 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1538
1539 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1540} 1611}
1541 1612
1542#define MAY_LINK 0 1613#define MAY_LINK 0
@@ -1549,13 +1620,12 @@ static int may_link(struct inode *dir,
1549 int kind) 1620 int kind)
1550 1621
1551{ 1622{
1552 struct task_security_struct *tsec;
1553 struct inode_security_struct *dsec, *isec; 1623 struct inode_security_struct *dsec, *isec;
1554 struct avc_audit_data ad; 1624 struct avc_audit_data ad;
1625 u32 sid = current_sid();
1555 u32 av; 1626 u32 av;
1556 int rc; 1627 int rc;
1557 1628
1558 tsec = current->security;
1559 dsec = dir->i_security; 1629 dsec = dir->i_security;
1560 isec = dentry->d_inode->i_security; 1630 isec = dentry->d_inode->i_security;
1561 1631
@@ -1564,7 +1634,7 @@ static int may_link(struct inode *dir,
1564 1634
1565 av = DIR__SEARCH; 1635 av = DIR__SEARCH;
1566 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME); 1636 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1567 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad); 1637 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1568 if (rc) 1638 if (rc)
1569 return rc; 1639 return rc;
1570 1640
@@ -1584,7 +1654,7 @@ static int may_link(struct inode *dir,
1584 return 0; 1654 return 0;
1585 } 1655 }
1586 1656
1587 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad); 1657 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1588 return rc; 1658 return rc;
1589} 1659}
1590 1660
@@ -1593,14 +1663,13 @@ static inline int may_rename(struct inode *old_dir,
1593 struct inode *new_dir, 1663 struct inode *new_dir,
1594 struct dentry *new_dentry) 1664 struct dentry *new_dentry)
1595{ 1665{
1596 struct task_security_struct *tsec;
1597 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec; 1666 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1598 struct avc_audit_data ad; 1667 struct avc_audit_data ad;
1668 u32 sid = current_sid();
1599 u32 av; 1669 u32 av;
1600 int old_is_dir, new_is_dir; 1670 int old_is_dir, new_is_dir;
1601 int rc; 1671 int rc;
1602 1672
1603 tsec = current->security;
1604 old_dsec = old_dir->i_security; 1673 old_dsec = old_dir->i_security;
1605 old_isec = old_dentry->d_inode->i_security; 1674 old_isec = old_dentry->d_inode->i_security;
1606 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode); 1675 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
@@ -1609,16 +1678,16 @@ static inline int may_rename(struct inode *old_dir,
1609 AVC_AUDIT_DATA_INIT(&ad, FS); 1678 AVC_AUDIT_DATA_INIT(&ad, FS);
1610 1679
1611 ad.u.fs.path.dentry = old_dentry; 1680 ad.u.fs.path.dentry = old_dentry;
1612 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR, 1681 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1613 DIR__REMOVE_NAME | DIR__SEARCH, &ad); 1682 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1614 if (rc) 1683 if (rc)
1615 return rc; 1684 return rc;
1616 rc = avc_has_perm(tsec->sid, old_isec->sid, 1685 rc = avc_has_perm(sid, old_isec->sid,
1617 old_isec->sclass, FILE__RENAME, &ad); 1686 old_isec->sclass, FILE__RENAME, &ad);
1618 if (rc) 1687 if (rc)
1619 return rc; 1688 return rc;
1620 if (old_is_dir && new_dir != old_dir) { 1689 if (old_is_dir && new_dir != old_dir) {
1621 rc = avc_has_perm(tsec->sid, old_isec->sid, 1690 rc = avc_has_perm(sid, old_isec->sid,
1622 old_isec->sclass, DIR__REPARENT, &ad); 1691 old_isec->sclass, DIR__REPARENT, &ad);
1623 if (rc) 1692 if (rc)
1624 return rc; 1693 return rc;
@@ -1628,13 +1697,13 @@ static inline int may_rename(struct inode *old_dir,
1628 av = DIR__ADD_NAME | DIR__SEARCH; 1697 av = DIR__ADD_NAME | DIR__SEARCH;
1629 if (new_dentry->d_inode) 1698 if (new_dentry->d_inode)
1630 av |= DIR__REMOVE_NAME; 1699 av |= DIR__REMOVE_NAME;
1631 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad); 1700 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1632 if (rc) 1701 if (rc)
1633 return rc; 1702 return rc;
1634 if (new_dentry->d_inode) { 1703 if (new_dentry->d_inode) {
1635 new_isec = new_dentry->d_inode->i_security; 1704 new_isec = new_dentry->d_inode->i_security;
1636 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode); 1705 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1637 rc = avc_has_perm(tsec->sid, new_isec->sid, 1706 rc = avc_has_perm(sid, new_isec->sid,
1638 new_isec->sclass, 1707 new_isec->sclass,
1639 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad); 1708 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1640 if (rc) 1709 if (rc)
@@ -1645,18 +1714,16 @@ static inline int may_rename(struct inode *old_dir,
1645} 1714}
1646 1715
1647/* Check whether a task can perform a filesystem operation. */ 1716/* Check whether a task can perform a filesystem operation. */
1648static int superblock_has_perm(struct task_struct *tsk, 1717static int superblock_has_perm(const struct cred *cred,
1649 struct super_block *sb, 1718 struct super_block *sb,
1650 u32 perms, 1719 u32 perms,
1651 struct avc_audit_data *ad) 1720 struct avc_audit_data *ad)
1652{ 1721{
1653 struct task_security_struct *tsec;
1654 struct superblock_security_struct *sbsec; 1722 struct superblock_security_struct *sbsec;
1723 u32 sid = cred_sid(cred);
1655 1724
1656 tsec = tsk->security;
1657 sbsec = sb->s_security; 1725 sbsec = sb->s_security;
1658 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 1726 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1659 perms, ad);
1660} 1727}
1661 1728
1662/* Convert a Linux mode and permission mask to an access vector. */ 1729/* Convert a Linux mode and permission mask to an access vector. */
@@ -1687,15 +1754,39 @@ static inline u32 file_mask_to_av(int mode, int mask)
1687 return av; 1754 return av;
1688} 1755}
1689 1756
1757/* Convert a Linux file to an access vector. */
1758static inline u32 file_to_av(struct file *file)
1759{
1760 u32 av = 0;
1761
1762 if (file->f_mode & FMODE_READ)
1763 av |= FILE__READ;
1764 if (file->f_mode & FMODE_WRITE) {
1765 if (file->f_flags & O_APPEND)
1766 av |= FILE__APPEND;
1767 else
1768 av |= FILE__WRITE;
1769 }
1770 if (!av) {
1771 /*
1772 * Special file opened with flags 3 for ioctl-only use.
1773 */
1774 av = FILE__IOCTL;
1775 }
1776
1777 return av;
1778}
1779
1690/* 1780/*
1691 * Convert a file mask to an access vector and include the correct open 1781 * Convert a file to an access vector and include the correct open
1692 * open permission. 1782 * open permission.
1693 */ 1783 */
1694static inline u32 open_file_mask_to_av(int mode, int mask) 1784static inline u32 open_file_to_av(struct file *file)
1695{ 1785{
1696 u32 av = file_mask_to_av(mode, mask); 1786 u32 av = file_to_av(file);
1697 1787
1698 if (selinux_policycap_openperm) { 1788 if (selinux_policycap_openperm) {
1789 mode_t mode = file->f_path.dentry->d_inode->i_mode;
1699 /* 1790 /*
1700 * lnk files and socks do not really have an 'open' 1791 * lnk files and socks do not really have an 'open'
1701 */ 1792 */
@@ -1711,34 +1802,11 @@ static inline u32 open_file_mask_to_av(int mode, int mask)
1711 av |= DIR__OPEN; 1802 av |= DIR__OPEN;
1712 else 1803 else
1713 printk(KERN_ERR "SELinux: WARNING: inside %s with " 1804 printk(KERN_ERR "SELinux: WARNING: inside %s with "
1714 "unknown mode:%x\n", __func__, mode); 1805 "unknown mode:%o\n", __func__, mode);
1715 } 1806 }
1716 return av; 1807 return av;
1717} 1808}
1718 1809
1719/* Convert a Linux file to an access vector. */
1720static inline u32 file_to_av(struct file *file)
1721{
1722 u32 av = 0;
1723
1724 if (file->f_mode & FMODE_READ)
1725 av |= FILE__READ;
1726 if (file->f_mode & FMODE_WRITE) {
1727 if (file->f_flags & O_APPEND)
1728 av |= FILE__APPEND;
1729 else
1730 av |= FILE__WRITE;
1731 }
1732 if (!av) {
1733 /*
1734 * Special file opened with flags 3 for ioctl-only use.
1735 */
1736 av = FILE__IOCTL;
1737 }
1738
1739 return av;
1740}
1741
1742/* Hook functions begin here. */ 1810/* Hook functions begin here. */
1743 1811
1744static int selinux_ptrace_may_access(struct task_struct *child, 1812static int selinux_ptrace_may_access(struct task_struct *child,
@@ -1751,13 +1819,12 @@ static int selinux_ptrace_may_access(struct task_struct *child,
1751 return rc; 1819 return rc;
1752 1820
1753 if (mode == PTRACE_MODE_READ) { 1821 if (mode == PTRACE_MODE_READ) {
1754 struct task_security_struct *tsec = current->security; 1822 u32 sid = current_sid();
1755 struct task_security_struct *csec = child->security; 1823 u32 csid = task_sid(child);
1756 return avc_has_perm(tsec->sid, csec->sid, 1824 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1757 SECCLASS_FILE, FILE__READ, NULL);
1758 } 1825 }
1759 1826
1760 return task_has_perm(current, child, PROCESS__PTRACE); 1827 return current_has_perm(child, PROCESS__PTRACE);
1761} 1828}
1762 1829
1763static int selinux_ptrace_traceme(struct task_struct *parent) 1830static int selinux_ptrace_traceme(struct task_struct *parent)
@@ -1776,40 +1843,37 @@ static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1776{ 1843{
1777 int error; 1844 int error;
1778 1845
1779 error = task_has_perm(current, target, PROCESS__GETCAP); 1846 error = current_has_perm(target, PROCESS__GETCAP);
1780 if (error) 1847 if (error)
1781 return error; 1848 return error;
1782 1849
1783 return secondary_ops->capget(target, effective, inheritable, permitted); 1850 return secondary_ops->capget(target, effective, inheritable, permitted);
1784} 1851}
1785 1852
1786static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective, 1853static int selinux_capset(struct cred *new, const struct cred *old,
1787 kernel_cap_t *inheritable, kernel_cap_t *permitted) 1854 const kernel_cap_t *effective,
1855 const kernel_cap_t *inheritable,
1856 const kernel_cap_t *permitted)
1788{ 1857{
1789 int error; 1858 int error;
1790 1859
1791 error = secondary_ops->capset_check(target, effective, inheritable, permitted); 1860 error = secondary_ops->capset(new, old,
1861 effective, inheritable, permitted);
1792 if (error) 1862 if (error)
1793 return error; 1863 return error;
1794 1864
1795 return task_has_perm(current, target, PROCESS__SETCAP); 1865 return cred_has_perm(old, new, PROCESS__SETCAP);
1796} 1866}
1797 1867
1798static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective, 1868static int selinux_capable(struct task_struct *tsk, int cap, int audit)
1799 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1800{
1801 secondary_ops->capset_set(target, effective, inheritable, permitted);
1802}
1803
1804static int selinux_capable(struct task_struct *tsk, int cap)
1805{ 1869{
1806 int rc; 1870 int rc;
1807 1871
1808 rc = secondary_ops->capable(tsk, cap); 1872 rc = secondary_ops->capable(tsk, cap, audit);
1809 if (rc) 1873 if (rc)
1810 return rc; 1874 return rc;
1811 1875
1812 return task_has_capability(tsk, cap); 1876 return task_has_capability(tsk, cap, audit);
1813} 1877}
1814 1878
1815static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid) 1879static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
@@ -1857,15 +1921,14 @@ static int selinux_sysctl(ctl_table *table, int op)
1857{ 1921{
1858 int error = 0; 1922 int error = 0;
1859 u32 av; 1923 u32 av;
1860 struct task_security_struct *tsec; 1924 u32 tsid, sid;
1861 u32 tsid;
1862 int rc; 1925 int rc;
1863 1926
1864 rc = secondary_ops->sysctl(table, op); 1927 rc = secondary_ops->sysctl(table, op);
1865 if (rc) 1928 if (rc)
1866 return rc; 1929 return rc;
1867 1930
1868 tsec = current->security; 1931 sid = current_sid();
1869 1932
1870 rc = selinux_sysctl_get_sid(table, (op == 0001) ? 1933 rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1871 SECCLASS_DIR : SECCLASS_FILE, &tsid); 1934 SECCLASS_DIR : SECCLASS_FILE, &tsid);
@@ -1877,7 +1940,7 @@ static int selinux_sysctl(ctl_table *table, int op)
1877 /* The op values are "defined" in sysctl.c, thereby creating 1940 /* The op values are "defined" in sysctl.c, thereby creating
1878 * a bad coupling between this module and sysctl.c */ 1941 * a bad coupling between this module and sysctl.c */
1879 if (op == 001) { 1942 if (op == 001) {
1880 error = avc_has_perm(tsec->sid, tsid, 1943 error = avc_has_perm(sid, tsid,
1881 SECCLASS_DIR, DIR__SEARCH, NULL); 1944 SECCLASS_DIR, DIR__SEARCH, NULL);
1882 } else { 1945 } else {
1883 av = 0; 1946 av = 0;
@@ -1886,7 +1949,7 @@ static int selinux_sysctl(ctl_table *table, int op)
1886 if (op & 002) 1949 if (op & 002)
1887 av |= FILE__WRITE; 1950 av |= FILE__WRITE;
1888 if (av) 1951 if (av)
1889 error = avc_has_perm(tsec->sid, tsid, 1952 error = avc_has_perm(sid, tsid,
1890 SECCLASS_FILE, av, NULL); 1953 SECCLASS_FILE, av, NULL);
1891 } 1954 }
1892 1955
@@ -1895,6 +1958,7 @@ static int selinux_sysctl(ctl_table *table, int op)
1895 1958
1896static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb) 1959static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1897{ 1960{
1961 const struct cred *cred = current_cred();
1898 int rc = 0; 1962 int rc = 0;
1899 1963
1900 if (!sb) 1964 if (!sb)
@@ -1906,14 +1970,12 @@ static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1906 case Q_QUOTAOFF: 1970 case Q_QUOTAOFF:
1907 case Q_SETINFO: 1971 case Q_SETINFO:
1908 case Q_SETQUOTA: 1972 case Q_SETQUOTA:
1909 rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAMOD, 1973 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
1910 NULL);
1911 break; 1974 break;
1912 case Q_GETFMT: 1975 case Q_GETFMT:
1913 case Q_GETINFO: 1976 case Q_GETINFO:
1914 case Q_GETQUOTA: 1977 case Q_GETQUOTA:
1915 rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAGET, 1978 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
1916 NULL);
1917 break; 1979 break;
1918 default: 1980 default:
1919 rc = 0; /* let the kernel handle invalid cmds */ 1981 rc = 0; /* let the kernel handle invalid cmds */
@@ -1924,7 +1986,9 @@ static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1924 1986
1925static int selinux_quota_on(struct dentry *dentry) 1987static int selinux_quota_on(struct dentry *dentry)
1926{ 1988{
1927 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON); 1989 const struct cred *cred = current_cred();
1990
1991 return dentry_has_perm(cred, NULL, dentry, FILE__QUOTAON);
1928} 1992}
1929 1993
1930static int selinux_syslog(int type) 1994static int selinux_syslog(int type)
@@ -1972,16 +2036,8 @@ static int selinux_syslog(int type)
1972static int selinux_vm_enough_memory(struct mm_struct *mm, long pages) 2036static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1973{ 2037{
1974 int rc, cap_sys_admin = 0; 2038 int rc, cap_sys_admin = 0;
1975 struct task_security_struct *tsec = current->security;
1976
1977 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1978 if (rc == 0)
1979 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1980 SECCLASS_CAPABILITY,
1981 CAP_TO_MASK(CAP_SYS_ADMIN),
1982 0,
1983 NULL);
1984 2039
2040 rc = selinux_capable(current, CAP_SYS_ADMIN, SECURITY_CAP_NOAUDIT);
1985 if (rc == 0) 2041 if (rc == 0)
1986 cap_sys_admin = 1; 2042 cap_sys_admin = 1;
1987 2043
@@ -1990,59 +2046,45 @@ static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1990 2046
1991/* binprm security operations */ 2047/* binprm security operations */
1992 2048
1993static int selinux_bprm_alloc_security(struct linux_binprm *bprm) 2049static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1994{
1995 struct bprm_security_struct *bsec;
1996
1997 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1998 if (!bsec)
1999 return -ENOMEM;
2000
2001 bsec->sid = SECINITSID_UNLABELED;
2002 bsec->set = 0;
2003
2004 bprm->security = bsec;
2005 return 0;
2006}
2007
2008static int selinux_bprm_set_security(struct linux_binprm *bprm)
2009{ 2050{
2010 struct task_security_struct *tsec; 2051 const struct task_security_struct *old_tsec;
2011 struct inode *inode = bprm->file->f_path.dentry->d_inode; 2052 struct task_security_struct *new_tsec;
2012 struct inode_security_struct *isec; 2053 struct inode_security_struct *isec;
2013 struct bprm_security_struct *bsec;
2014 u32 newsid;
2015 struct avc_audit_data ad; 2054 struct avc_audit_data ad;
2055 struct inode *inode = bprm->file->f_path.dentry->d_inode;
2016 int rc; 2056 int rc;
2017 2057
2018 rc = secondary_ops->bprm_set_security(bprm); 2058 rc = secondary_ops->bprm_set_creds(bprm);
2019 if (rc) 2059 if (rc)
2020 return rc; 2060 return rc;
2021 2061
2022 bsec = bprm->security; 2062 /* SELinux context only depends on initial program or script and not
2023 2063 * the script interpreter */
2024 if (bsec->set) 2064 if (bprm->cred_prepared)
2025 return 0; 2065 return 0;
2026 2066
2027 tsec = current->security; 2067 old_tsec = current_security();
2068 new_tsec = bprm->cred->security;
2028 isec = inode->i_security; 2069 isec = inode->i_security;
2029 2070
2030 /* Default to the current task SID. */ 2071 /* Default to the current task SID. */
2031 bsec->sid = tsec->sid; 2072 new_tsec->sid = old_tsec->sid;
2073 new_tsec->osid = old_tsec->sid;
2032 2074
2033 /* Reset fs, key, and sock SIDs on execve. */ 2075 /* Reset fs, key, and sock SIDs on execve. */
2034 tsec->create_sid = 0; 2076 new_tsec->create_sid = 0;
2035 tsec->keycreate_sid = 0; 2077 new_tsec->keycreate_sid = 0;
2036 tsec->sockcreate_sid = 0; 2078 new_tsec->sockcreate_sid = 0;
2037 2079
2038 if (tsec->exec_sid) { 2080 if (old_tsec->exec_sid) {
2039 newsid = tsec->exec_sid; 2081 new_tsec->sid = old_tsec->exec_sid;
2040 /* Reset exec SID on execve. */ 2082 /* Reset exec SID on execve. */
2041 tsec->exec_sid = 0; 2083 new_tsec->exec_sid = 0;
2042 } else { 2084 } else {
2043 /* Check for a default transition on this program. */ 2085 /* Check for a default transition on this program. */
2044 rc = security_transition_sid(tsec->sid, isec->sid, 2086 rc = security_transition_sid(old_tsec->sid, isec->sid,
2045 SECCLASS_PROCESS, &newsid); 2087 SECCLASS_PROCESS, &new_tsec->sid);
2046 if (rc) 2088 if (rc)
2047 return rc; 2089 return rc;
2048 } 2090 }
@@ -2051,33 +2093,63 @@ static int selinux_bprm_set_security(struct linux_binprm *bprm)
2051 ad.u.fs.path = bprm->file->f_path; 2093 ad.u.fs.path = bprm->file->f_path;
2052 2094
2053 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) 2095 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
2054 newsid = tsec->sid; 2096 new_tsec->sid = old_tsec->sid;
2055 2097
2056 if (tsec->sid == newsid) { 2098 if (new_tsec->sid == old_tsec->sid) {
2057 rc = avc_has_perm(tsec->sid, isec->sid, 2099 rc = avc_has_perm(old_tsec->sid, isec->sid,
2058 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); 2100 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2059 if (rc) 2101 if (rc)
2060 return rc; 2102 return rc;
2061 } else { 2103 } else {
2062 /* Check permissions for the transition. */ 2104 /* Check permissions for the transition. */
2063 rc = avc_has_perm(tsec->sid, newsid, 2105 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2064 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad); 2106 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2065 if (rc) 2107 if (rc)
2066 return rc; 2108 return rc;
2067 2109
2068 rc = avc_has_perm(newsid, isec->sid, 2110 rc = avc_has_perm(new_tsec->sid, isec->sid,
2069 SECCLASS_FILE, FILE__ENTRYPOINT, &ad); 2111 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2070 if (rc) 2112 if (rc)
2071 return rc; 2113 return rc;
2072 2114
2073 /* Clear any possibly unsafe personality bits on exec: */ 2115 /* Check for shared state */
2074 current->personality &= ~PER_CLEAR_ON_SETID; 2116 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2117 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2118 SECCLASS_PROCESS, PROCESS__SHARE,
2119 NULL);
2120 if (rc)
2121 return -EPERM;
2122 }
2123
2124 /* Make sure that anyone attempting to ptrace over a task that
2125 * changes its SID has the appropriate permit */
2126 if (bprm->unsafe &
2127 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2128 struct task_struct *tracer;
2129 struct task_security_struct *sec;
2130 u32 ptsid = 0;
2131
2132 rcu_read_lock();
2133 tracer = tracehook_tracer_task(current);
2134 if (likely(tracer != NULL)) {
2135 sec = __task_cred(tracer)->security;
2136 ptsid = sec->sid;
2137 }
2138 rcu_read_unlock();
2075 2139
2076 /* Set the security field to the new SID. */ 2140 if (ptsid != 0) {
2077 bsec->sid = newsid; 2141 rc = avc_has_perm(ptsid, new_tsec->sid,
2142 SECCLASS_PROCESS,
2143 PROCESS__PTRACE, NULL);
2144 if (rc)
2145 return -EPERM;
2146 }
2147 }
2148
2149 /* Clear any possibly unsafe personality bits on exec: */
2150 bprm->per_clear |= PER_CLEAR_ON_SETID;
2078 } 2151 }
2079 2152
2080 bsec->set = 1;
2081 return 0; 2153 return 0;
2082} 2154}
2083 2155
@@ -2086,35 +2158,34 @@ static int selinux_bprm_check_security(struct linux_binprm *bprm)
2086 return secondary_ops->bprm_check_security(bprm); 2158 return secondary_ops->bprm_check_security(bprm);
2087} 2159}
2088 2160
2089
2090static int selinux_bprm_secureexec(struct linux_binprm *bprm) 2161static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2091{ 2162{
2092 struct task_security_struct *tsec = current->security; 2163 const struct cred *cred = current_cred();
2164 const struct task_security_struct *tsec = cred->security;
2165 u32 sid, osid;
2093 int atsecure = 0; 2166 int atsecure = 0;
2094 2167
2095 if (tsec->osid != tsec->sid) { 2168 sid = tsec->sid;
2169 osid = tsec->osid;
2170
2171 if (osid != sid) {
2096 /* Enable secure mode for SIDs transitions unless 2172 /* Enable secure mode for SIDs transitions unless
2097 the noatsecure permission is granted between 2173 the noatsecure permission is granted between
2098 the two SIDs, i.e. ahp returns 0. */ 2174 the two SIDs, i.e. ahp returns 0. */
2099 atsecure = avc_has_perm(tsec->osid, tsec->sid, 2175 atsecure = avc_has_perm(osid, sid,
2100 SECCLASS_PROCESS, 2176 SECCLASS_PROCESS,
2101 PROCESS__NOATSECURE, NULL); 2177 PROCESS__NOATSECURE, NULL);
2102 } 2178 }
2103 2179
2104 return (atsecure || secondary_ops->bprm_secureexec(bprm)); 2180 return (atsecure || secondary_ops->bprm_secureexec(bprm));
2105} 2181}
2106 2182
2107static void selinux_bprm_free_security(struct linux_binprm *bprm)
2108{
2109 kfree(bprm->security);
2110 bprm->security = NULL;
2111}
2112
2113extern struct vfsmount *selinuxfs_mount; 2183extern struct vfsmount *selinuxfs_mount;
2114extern struct dentry *selinux_null; 2184extern struct dentry *selinux_null;
2115 2185
2116/* Derived from fs/exec.c:flush_old_files. */ 2186/* Derived from fs/exec.c:flush_old_files. */
2117static inline void flush_unauthorized_files(struct files_struct *files) 2187static inline void flush_unauthorized_files(const struct cred *cred,
2188 struct files_struct *files)
2118{ 2189{
2119 struct avc_audit_data ad; 2190 struct avc_audit_data ad;
2120 struct file *file, *devnull = NULL; 2191 struct file *file, *devnull = NULL;
@@ -2136,7 +2207,7 @@ static inline void flush_unauthorized_files(struct files_struct *files)
2136 interested in the inode-based check here. */ 2207 interested in the inode-based check here. */
2137 file = list_first_entry(&tty->tty_files, struct file, f_u.fu_list); 2208 file = list_first_entry(&tty->tty_files, struct file, f_u.fu_list);
2138 inode = file->f_path.dentry->d_inode; 2209 inode = file->f_path.dentry->d_inode;
2139 if (inode_has_perm(current, inode, 2210 if (inode_has_perm(cred, inode,
2140 FILE__READ | FILE__WRITE, NULL)) { 2211 FILE__READ | FILE__WRITE, NULL)) {
2141 drop_tty = 1; 2212 drop_tty = 1;
2142 } 2213 }
@@ -2171,7 +2242,7 @@ static inline void flush_unauthorized_files(struct files_struct *files)
2171 file = fget(i); 2242 file = fget(i);
2172 if (!file) 2243 if (!file)
2173 continue; 2244 continue;
2174 if (file_has_perm(current, 2245 if (file_has_perm(cred,
2175 file, 2246 file,
2176 file_to_av(file))) { 2247 file_to_av(file))) {
2177 sys_close(i); 2248 sys_close(i);
@@ -2185,7 +2256,10 @@ static inline void flush_unauthorized_files(struct files_struct *files)
2185 if (devnull) { 2256 if (devnull) {
2186 get_file(devnull); 2257 get_file(devnull);
2187 } else { 2258 } else {
2188 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR); 2259 devnull = dentry_open(
2260 dget(selinux_null),
2261 mntget(selinuxfs_mount),
2262 O_RDWR, cred);
2189 if (IS_ERR(devnull)) { 2263 if (IS_ERR(devnull)) {
2190 devnull = NULL; 2264 devnull = NULL;
2191 put_unused_fd(fd); 2265 put_unused_fd(fd);
@@ -2204,94 +2278,78 @@ static inline void flush_unauthorized_files(struct files_struct *files)
2204 spin_unlock(&files->file_lock); 2278 spin_unlock(&files->file_lock);
2205} 2279}
2206 2280
2207static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe) 2281/*
2282 * Prepare a process for imminent new credential changes due to exec
2283 */
2284static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2208{ 2285{
2209 struct task_security_struct *tsec; 2286 struct task_security_struct *new_tsec;
2210 struct bprm_security_struct *bsec; 2287 struct rlimit *rlim, *initrlim;
2211 u32 sid; 2288 int rc, i;
2212 int rc;
2213
2214 secondary_ops->bprm_apply_creds(bprm, unsafe);
2215
2216 tsec = current->security;
2217 2289
2218 bsec = bprm->security; 2290 secondary_ops->bprm_committing_creds(bprm);
2219 sid = bsec->sid;
2220 2291
2221 tsec->osid = tsec->sid; 2292 new_tsec = bprm->cred->security;
2222 bsec->unsafe = 0; 2293 if (new_tsec->sid == new_tsec->osid)
2223 if (tsec->sid != sid) { 2294 return;
2224 /* Check for shared state. If not ok, leave SID
2225 unchanged and kill. */
2226 if (unsafe & LSM_UNSAFE_SHARE) {
2227 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2228 PROCESS__SHARE, NULL);
2229 if (rc) {
2230 bsec->unsafe = 1;
2231 return;
2232 }
2233 }
2234 2295
2235 /* Check for ptracing, and update the task SID if ok. 2296 /* Close files for which the new task SID is not authorized. */
2236 Otherwise, leave SID unchanged and kill. */ 2297 flush_unauthorized_files(bprm->cred, current->files);
2237 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2238 struct task_struct *tracer;
2239 struct task_security_struct *sec;
2240 u32 ptsid = 0;
2241 2298
2242 rcu_read_lock(); 2299 /* Always clear parent death signal on SID transitions. */
2243 tracer = tracehook_tracer_task(current); 2300 current->pdeath_signal = 0;
2244 if (likely(tracer != NULL)) {
2245 sec = tracer->security;
2246 ptsid = sec->sid;
2247 }
2248 rcu_read_unlock();
2249 2301
2250 if (ptsid != 0) { 2302 /* Check whether the new SID can inherit resource limits from the old
2251 rc = avc_has_perm(ptsid, sid, SECCLASS_PROCESS, 2303 * SID. If not, reset all soft limits to the lower of the current
2252 PROCESS__PTRACE, NULL); 2304 * task's hard limit and the init task's soft limit.
2253 if (rc) { 2305 *
2254 bsec->unsafe = 1; 2306 * Note that the setting of hard limits (even to lower them) can be
2255 return; 2307 * controlled by the setrlimit check. The inclusion of the init task's
2256 } 2308 * soft limit into the computation is to avoid resetting soft limits
2257 } 2309 * higher than the default soft limit for cases where the default is
2310 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2311 */
2312 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2313 PROCESS__RLIMITINH, NULL);
2314 if (rc) {
2315 for (i = 0; i < RLIM_NLIMITS; i++) {
2316 rlim = current->signal->rlim + i;
2317 initrlim = init_task.signal->rlim + i;
2318 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2258 } 2319 }
2259 tsec->sid = sid; 2320 update_rlimit_cpu(rlim->rlim_cur);
2260 } 2321 }
2261} 2322}
2262 2323
2263/* 2324/*
2264 * called after apply_creds without the task lock held 2325 * Clean up the process immediately after the installation of new credentials
2326 * due to exec
2265 */ 2327 */
2266static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm) 2328static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2267{ 2329{
2268 struct task_security_struct *tsec; 2330 const struct task_security_struct *tsec = current_security();
2269 struct rlimit *rlim, *initrlim;
2270 struct itimerval itimer; 2331 struct itimerval itimer;
2271 struct bprm_security_struct *bsec; 2332 struct sighand_struct *psig;
2333 u32 osid, sid;
2272 int rc, i; 2334 int rc, i;
2335 unsigned long flags;
2273 2336
2274 tsec = current->security; 2337 secondary_ops->bprm_committed_creds(bprm);
2275 bsec = bprm->security;
2276 2338
2277 if (bsec->unsafe) { 2339 osid = tsec->osid;
2278 force_sig_specific(SIGKILL, current); 2340 sid = tsec->sid;
2279 return; 2341
2280 } 2342 if (sid == osid)
2281 if (tsec->osid == tsec->sid)
2282 return; 2343 return;
2283 2344
2284 /* Close files for which the new task SID is not authorized. */ 2345 /* Check whether the new SID can inherit signal state from the old SID.
2285 flush_unauthorized_files(current->files); 2346 * If not, clear itimers to avoid subsequent signal generation and
2286 2347 * flush and unblock signals.
2287 /* Check whether the new SID can inherit signal state 2348 *
2288 from the old SID. If not, clear itimers to avoid 2349 * This must occur _after_ the task SID has been updated so that any
2289 subsequent signal generation and flush and unblock 2350 * kill done after the flush will be checked against the new SID.
2290 signals. This must occur _after_ the task SID has 2351 */
2291 been updated so that any kill done after the flush 2352 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2292 will be checked against the new SID. */
2293 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2294 PROCESS__SIGINH, NULL);
2295 if (rc) { 2353 if (rc) {
2296 memset(&itimer, 0, sizeof itimer); 2354 memset(&itimer, 0, sizeof itimer);
2297 for (i = 0; i < 3; i++) 2355 for (i = 0; i < 3; i++)
@@ -2304,33 +2362,14 @@ static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2304 spin_unlock_irq(&current->sighand->siglock); 2362 spin_unlock_irq(&current->sighand->siglock);
2305 } 2363 }
2306 2364
2307 /* Always clear parent death signal on SID transitions. */ 2365 /* Wake up the parent if it is waiting so that it can recheck
2308 current->pdeath_signal = 0; 2366 * wait permission to the new task SID. */
2309 2367 read_lock_irq(&tasklist_lock);
2310 /* Check whether the new SID can inherit resource limits 2368 psig = current->parent->sighand;
2311 from the old SID. If not, reset all soft limits to 2369 spin_lock_irqsave(&psig->siglock, flags);
2312 the lower of the current task's hard limit and the init
2313 task's soft limit. Note that the setting of hard limits
2314 (even to lower them) can be controlled by the setrlimit
2315 check. The inclusion of the init task's soft limit into
2316 the computation is to avoid resetting soft limits higher
2317 than the default soft limit for cases where the default
2318 is lower than the hard limit, e.g. RLIMIT_CORE or
2319 RLIMIT_STACK.*/
2320 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2321 PROCESS__RLIMITINH, NULL);
2322 if (rc) {
2323 for (i = 0; i < RLIM_NLIMITS; i++) {
2324 rlim = current->signal->rlim + i;
2325 initrlim = init_task.signal->rlim+i;
2326 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2327 }
2328 update_rlimit_cpu(rlim->rlim_cur);
2329 }
2330
2331 /* Wake up the parent if it is waiting so that it can
2332 recheck wait permission to the new task SID. */
2333 wake_up_interruptible(&current->parent->signal->wait_chldexit); 2370 wake_up_interruptible(&current->parent->signal->wait_chldexit);
2371 spin_unlock_irqrestore(&psig->siglock, flags);
2372 read_unlock_irq(&tasklist_lock);
2334} 2373}
2335 2374
2336/* superblock security operations */ 2375/* superblock security operations */
@@ -2437,6 +2476,7 @@ out:
2437 2476
2438static int selinux_sb_kern_mount(struct super_block *sb, void *data) 2477static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2439{ 2478{
2479 const struct cred *cred = current_cred();
2440 struct avc_audit_data ad; 2480 struct avc_audit_data ad;
2441 int rc; 2481 int rc;
2442 2482
@@ -2446,16 +2486,17 @@ static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2446 2486
2447 AVC_AUDIT_DATA_INIT(&ad, FS); 2487 AVC_AUDIT_DATA_INIT(&ad, FS);
2448 ad.u.fs.path.dentry = sb->s_root; 2488 ad.u.fs.path.dentry = sb->s_root;
2449 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad); 2489 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2450} 2490}
2451 2491
2452static int selinux_sb_statfs(struct dentry *dentry) 2492static int selinux_sb_statfs(struct dentry *dentry)
2453{ 2493{
2494 const struct cred *cred = current_cred();
2454 struct avc_audit_data ad; 2495 struct avc_audit_data ad;
2455 2496
2456 AVC_AUDIT_DATA_INIT(&ad, FS); 2497 AVC_AUDIT_DATA_INIT(&ad, FS);
2457 ad.u.fs.path.dentry = dentry->d_sb->s_root; 2498 ad.u.fs.path.dentry = dentry->d_sb->s_root;
2458 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad); 2499 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2459} 2500}
2460 2501
2461static int selinux_mount(char *dev_name, 2502static int selinux_mount(char *dev_name,
@@ -2464,6 +2505,7 @@ static int selinux_mount(char *dev_name,
2464 unsigned long flags, 2505 unsigned long flags,
2465 void *data) 2506 void *data)
2466{ 2507{
2508 const struct cred *cred = current_cred();
2467 int rc; 2509 int rc;
2468 2510
2469 rc = secondary_ops->sb_mount(dev_name, path, type, flags, data); 2511 rc = secondary_ops->sb_mount(dev_name, path, type, flags, data);
@@ -2471,22 +2513,23 @@ static int selinux_mount(char *dev_name,
2471 return rc; 2513 return rc;
2472 2514
2473 if (flags & MS_REMOUNT) 2515 if (flags & MS_REMOUNT)
2474 return superblock_has_perm(current, path->mnt->mnt_sb, 2516 return superblock_has_perm(cred, path->mnt->mnt_sb,
2475 FILESYSTEM__REMOUNT, NULL); 2517 FILESYSTEM__REMOUNT, NULL);
2476 else 2518 else
2477 return dentry_has_perm(current, path->mnt, path->dentry, 2519 return dentry_has_perm(cred, path->mnt, path->dentry,
2478 FILE__MOUNTON); 2520 FILE__MOUNTON);
2479} 2521}
2480 2522
2481static int selinux_umount(struct vfsmount *mnt, int flags) 2523static int selinux_umount(struct vfsmount *mnt, int flags)
2482{ 2524{
2525 const struct cred *cred = current_cred();
2483 int rc; 2526 int rc;
2484 2527
2485 rc = secondary_ops->sb_umount(mnt, flags); 2528 rc = secondary_ops->sb_umount(mnt, flags);
2486 if (rc) 2529 if (rc)
2487 return rc; 2530 return rc;
2488 2531
2489 return superblock_has_perm(current, mnt->mnt_sb, 2532 return superblock_has_perm(cred, mnt->mnt_sb,
2490 FILESYSTEM__UNMOUNT, NULL); 2533 FILESYSTEM__UNMOUNT, NULL);
2491} 2534}
2492 2535
@@ -2506,21 +2549,22 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2506 char **name, void **value, 2549 char **name, void **value,
2507 size_t *len) 2550 size_t *len)
2508{ 2551{
2509 struct task_security_struct *tsec; 2552 const struct cred *cred = current_cred();
2553 const struct task_security_struct *tsec = cred->security;
2510 struct inode_security_struct *dsec; 2554 struct inode_security_struct *dsec;
2511 struct superblock_security_struct *sbsec; 2555 struct superblock_security_struct *sbsec;
2512 u32 newsid, clen; 2556 u32 sid, newsid, clen;
2513 int rc; 2557 int rc;
2514 char *namep = NULL, *context; 2558 char *namep = NULL, *context;
2515 2559
2516 tsec = current->security;
2517 dsec = dir->i_security; 2560 dsec = dir->i_security;
2518 sbsec = dir->i_sb->s_security; 2561 sbsec = dir->i_sb->s_security;
2519 2562
2520 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) { 2563 sid = tsec->sid;
2521 newsid = tsec->create_sid; 2564 newsid = tsec->create_sid;
2522 } else { 2565
2523 rc = security_transition_sid(tsec->sid, dsec->sid, 2566 if (!newsid || sbsec->behavior == SECURITY_FS_USE_MNTPOINT) {
2567 rc = security_transition_sid(sid, dsec->sid,
2524 inode_mode_to_security_class(inode->i_mode), 2568 inode_mode_to_security_class(inode->i_mode),
2525 &newsid); 2569 &newsid);
2526 if (rc) { 2570 if (rc) {
@@ -2623,21 +2667,25 @@ static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dent
2623 2667
2624static int selinux_inode_readlink(struct dentry *dentry) 2668static int selinux_inode_readlink(struct dentry *dentry)
2625{ 2669{
2626 return dentry_has_perm(current, NULL, dentry, FILE__READ); 2670 const struct cred *cred = current_cred();
2671
2672 return dentry_has_perm(cred, NULL, dentry, FILE__READ);
2627} 2673}
2628 2674
2629static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata) 2675static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2630{ 2676{
2677 const struct cred *cred = current_cred();
2631 int rc; 2678 int rc;
2632 2679
2633 rc = secondary_ops->inode_follow_link(dentry, nameidata); 2680 rc = secondary_ops->inode_follow_link(dentry, nameidata);
2634 if (rc) 2681 if (rc)
2635 return rc; 2682 return rc;
2636 return dentry_has_perm(current, NULL, dentry, FILE__READ); 2683 return dentry_has_perm(cred, NULL, dentry, FILE__READ);
2637} 2684}
2638 2685
2639static int selinux_inode_permission(struct inode *inode, int mask) 2686static int selinux_inode_permission(struct inode *inode, int mask)
2640{ 2687{
2688 const struct cred *cred = current_cred();
2641 int rc; 2689 int rc;
2642 2690
2643 rc = secondary_ops->inode_permission(inode, mask); 2691 rc = secondary_ops->inode_permission(inode, mask);
@@ -2649,12 +2697,13 @@ static int selinux_inode_permission(struct inode *inode, int mask)
2649 return 0; 2697 return 0;
2650 } 2698 }
2651 2699
2652 return inode_has_perm(current, inode, 2700 return inode_has_perm(cred, inode,
2653 open_file_mask_to_av(inode->i_mode, mask), NULL); 2701 file_mask_to_av(inode->i_mode, mask), NULL);
2654} 2702}
2655 2703
2656static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) 2704static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2657{ 2705{
2706 const struct cred *cred = current_cred();
2658 int rc; 2707 int rc;
2659 2708
2660 rc = secondary_ops->inode_setattr(dentry, iattr); 2709 rc = secondary_ops->inode_setattr(dentry, iattr);
@@ -2666,18 +2715,22 @@ static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2666 2715
2667 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | 2716 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2668 ATTR_ATIME_SET | ATTR_MTIME_SET)) 2717 ATTR_ATIME_SET | ATTR_MTIME_SET))
2669 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR); 2718 return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
2670 2719
2671 return dentry_has_perm(current, NULL, dentry, FILE__WRITE); 2720 return dentry_has_perm(cred, NULL, dentry, FILE__WRITE);
2672} 2721}
2673 2722
2674static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry) 2723static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2675{ 2724{
2676 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR); 2725 const struct cred *cred = current_cred();
2726
2727 return dentry_has_perm(cred, mnt, dentry, FILE__GETATTR);
2677} 2728}
2678 2729
2679static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name) 2730static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2680{ 2731{
2732 const struct cred *cred = current_cred();
2733
2681 if (!strncmp(name, XATTR_SECURITY_PREFIX, 2734 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2682 sizeof XATTR_SECURITY_PREFIX - 1)) { 2735 sizeof XATTR_SECURITY_PREFIX - 1)) {
2683 if (!strcmp(name, XATTR_NAME_CAPS)) { 2736 if (!strcmp(name, XATTR_NAME_CAPS)) {
@@ -2692,18 +2745,17 @@ static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2692 2745
2693 /* Not an attribute we recognize, so just check the 2746 /* Not an attribute we recognize, so just check the
2694 ordinary setattr permission. */ 2747 ordinary setattr permission. */
2695 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR); 2748 return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
2696} 2749}
2697 2750
2698static int selinux_inode_setxattr(struct dentry *dentry, const char *name, 2751static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2699 const void *value, size_t size, int flags) 2752 const void *value, size_t size, int flags)
2700{ 2753{
2701 struct task_security_struct *tsec = current->security;
2702 struct inode *inode = dentry->d_inode; 2754 struct inode *inode = dentry->d_inode;
2703 struct inode_security_struct *isec = inode->i_security; 2755 struct inode_security_struct *isec = inode->i_security;
2704 struct superblock_security_struct *sbsec; 2756 struct superblock_security_struct *sbsec;
2705 struct avc_audit_data ad; 2757 struct avc_audit_data ad;
2706 u32 newsid; 2758 u32 newsid, sid = current_sid();
2707 int rc = 0; 2759 int rc = 0;
2708 2760
2709 if (strcmp(name, XATTR_NAME_SELINUX)) 2761 if (strcmp(name, XATTR_NAME_SELINUX))
@@ -2719,7 +2771,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2719 AVC_AUDIT_DATA_INIT(&ad, FS); 2771 AVC_AUDIT_DATA_INIT(&ad, FS);
2720 ad.u.fs.path.dentry = dentry; 2772 ad.u.fs.path.dentry = dentry;
2721 2773
2722 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, 2774 rc = avc_has_perm(sid, isec->sid, isec->sclass,
2723 FILE__RELABELFROM, &ad); 2775 FILE__RELABELFROM, &ad);
2724 if (rc) 2776 if (rc)
2725 return rc; 2777 return rc;
@@ -2733,12 +2785,12 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2733 if (rc) 2785 if (rc)
2734 return rc; 2786 return rc;
2735 2787
2736 rc = avc_has_perm(tsec->sid, newsid, isec->sclass, 2788 rc = avc_has_perm(sid, newsid, isec->sclass,
2737 FILE__RELABELTO, &ad); 2789 FILE__RELABELTO, &ad);
2738 if (rc) 2790 if (rc)
2739 return rc; 2791 return rc;
2740 2792
2741 rc = security_validate_transition(isec->sid, newsid, tsec->sid, 2793 rc = security_validate_transition(isec->sid, newsid, sid,
2742 isec->sclass); 2794 isec->sclass);
2743 if (rc) 2795 if (rc)
2744 return rc; 2796 return rc;
@@ -2778,12 +2830,16 @@ static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2778 2830
2779static int selinux_inode_getxattr(struct dentry *dentry, const char *name) 2831static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2780{ 2832{
2781 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR); 2833 const struct cred *cred = current_cred();
2834
2835 return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
2782} 2836}
2783 2837
2784static int selinux_inode_listxattr(struct dentry *dentry) 2838static int selinux_inode_listxattr(struct dentry *dentry)
2785{ 2839{
2786 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR); 2840 const struct cred *cred = current_cred();
2841
2842 return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
2787} 2843}
2788 2844
2789static int selinux_inode_removexattr(struct dentry *dentry, const char *name) 2845static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
@@ -2806,7 +2862,6 @@ static int selinux_inode_getsecurity(const struct inode *inode, const char *name
2806 u32 size; 2862 u32 size;
2807 int error; 2863 int error;
2808 char *context = NULL; 2864 char *context = NULL;
2809 struct task_security_struct *tsec = current->security;
2810 struct inode_security_struct *isec = inode->i_security; 2865 struct inode_security_struct *isec = inode->i_security;
2811 2866
2812 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 2867 if (strcmp(name, XATTR_SELINUX_SUFFIX))
@@ -2821,13 +2876,7 @@ static int selinux_inode_getsecurity(const struct inode *inode, const char *name
2821 * and lack of permission just means that we fall back to the 2876 * and lack of permission just means that we fall back to the
2822 * in-core context value, not a denial. 2877 * in-core context value, not a denial.
2823 */ 2878 */
2824 error = secondary_ops->capable(current, CAP_MAC_ADMIN); 2879 error = selinux_capable(current, CAP_MAC_ADMIN, SECURITY_CAP_NOAUDIT);
2825 if (!error)
2826 error = avc_has_perm_noaudit(tsec->sid, tsec->sid,
2827 SECCLASS_CAPABILITY2,
2828 CAPABILITY2__MAC_ADMIN,
2829 0,
2830 NULL);
2831 if (!error) 2880 if (!error)
2832 error = security_sid_to_context_force(isec->sid, &context, 2881 error = security_sid_to_context_force(isec->sid, &context,
2833 &size); 2882 &size);
@@ -2894,6 +2943,7 @@ static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2894 2943
2895static int selinux_revalidate_file_permission(struct file *file, int mask) 2944static int selinux_revalidate_file_permission(struct file *file, int mask)
2896{ 2945{
2946 const struct cred *cred = current_cred();
2897 int rc; 2947 int rc;
2898 struct inode *inode = file->f_path.dentry->d_inode; 2948 struct inode *inode = file->f_path.dentry->d_inode;
2899 2949
@@ -2906,7 +2956,7 @@ static int selinux_revalidate_file_permission(struct file *file, int mask)
2906 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE)) 2956 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2907 mask |= MAY_APPEND; 2957 mask |= MAY_APPEND;
2908 2958
2909 rc = file_has_perm(current, file, 2959 rc = file_has_perm(cred, file,
2910 file_mask_to_av(inode->i_mode, mask)); 2960 file_mask_to_av(inode->i_mode, mask));
2911 if (rc) 2961 if (rc)
2912 return rc; 2962 return rc;
@@ -2917,16 +2967,16 @@ static int selinux_revalidate_file_permission(struct file *file, int mask)
2917static int selinux_file_permission(struct file *file, int mask) 2967static int selinux_file_permission(struct file *file, int mask)
2918{ 2968{
2919 struct inode *inode = file->f_path.dentry->d_inode; 2969 struct inode *inode = file->f_path.dentry->d_inode;
2920 struct task_security_struct *tsec = current->security;
2921 struct file_security_struct *fsec = file->f_security; 2970 struct file_security_struct *fsec = file->f_security;
2922 struct inode_security_struct *isec = inode->i_security; 2971 struct inode_security_struct *isec = inode->i_security;
2972 u32 sid = current_sid();
2923 2973
2924 if (!mask) { 2974 if (!mask) {
2925 /* No permission to check. Existence test. */ 2975 /* No permission to check. Existence test. */
2926 return 0; 2976 return 0;
2927 } 2977 }
2928 2978
2929 if (tsec->sid == fsec->sid && fsec->isid == isec->sid 2979 if (sid == fsec->sid && fsec->isid == isec->sid
2930 && fsec->pseqno == avc_policy_seqno()) 2980 && fsec->pseqno == avc_policy_seqno())
2931 return selinux_netlbl_inode_permission(inode, mask); 2981 return selinux_netlbl_inode_permission(inode, mask);
2932 2982
@@ -2946,6 +2996,7 @@ static void selinux_file_free_security(struct file *file)
2946static int selinux_file_ioctl(struct file *file, unsigned int cmd, 2996static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2947 unsigned long arg) 2997 unsigned long arg)
2948{ 2998{
2999 const struct cred *cred = current_cred();
2949 u32 av = 0; 3000 u32 av = 0;
2950 3001
2951 if (_IOC_DIR(cmd) & _IOC_WRITE) 3002 if (_IOC_DIR(cmd) & _IOC_WRITE)
@@ -2955,11 +3006,14 @@ static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2955 if (!av) 3006 if (!av)
2956 av = FILE__IOCTL; 3007 av = FILE__IOCTL;
2957 3008
2958 return file_has_perm(current, file, av); 3009 return file_has_perm(cred, file, av);
2959} 3010}
2960 3011
2961static int file_map_prot_check(struct file *file, unsigned long prot, int shared) 3012static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2962{ 3013{
3014 const struct cred *cred = current_cred();
3015 int rc = 0;
3016
2963#ifndef CONFIG_PPC32 3017#ifndef CONFIG_PPC32
2964 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) { 3018 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2965 /* 3019 /*
@@ -2967,9 +3021,9 @@ static int file_map_prot_check(struct file *file, unsigned long prot, int shared
2967 * private file mapping that will also be writable. 3021 * private file mapping that will also be writable.
2968 * This has an additional check. 3022 * This has an additional check.
2969 */ 3023 */
2970 int rc = task_has_perm(current, current, PROCESS__EXECMEM); 3024 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
2971 if (rc) 3025 if (rc)
2972 return rc; 3026 goto error;
2973 } 3027 }
2974#endif 3028#endif
2975 3029
@@ -2984,9 +3038,11 @@ static int file_map_prot_check(struct file *file, unsigned long prot, int shared
2984 if (prot & PROT_EXEC) 3038 if (prot & PROT_EXEC)
2985 av |= FILE__EXECUTE; 3039 av |= FILE__EXECUTE;
2986 3040
2987 return file_has_perm(current, file, av); 3041 return file_has_perm(cred, file, av);
2988 } 3042 }
2989 return 0; 3043
3044error:
3045 return rc;
2990} 3046}
2991 3047
2992static int selinux_file_mmap(struct file *file, unsigned long reqprot, 3048static int selinux_file_mmap(struct file *file, unsigned long reqprot,
@@ -2994,7 +3050,7 @@ static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2994 unsigned long addr, unsigned long addr_only) 3050 unsigned long addr, unsigned long addr_only)
2995{ 3051{
2996 int rc = 0; 3052 int rc = 0;
2997 u32 sid = ((struct task_security_struct *)(current->security))->sid; 3053 u32 sid = current_sid();
2998 3054
2999 if (addr < mmap_min_addr) 3055 if (addr < mmap_min_addr)
3000 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT, 3056 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
@@ -3013,6 +3069,7 @@ static int selinux_file_mprotect(struct vm_area_struct *vma,
3013 unsigned long reqprot, 3069 unsigned long reqprot,
3014 unsigned long prot) 3070 unsigned long prot)
3015{ 3071{
3072 const struct cred *cred = current_cred();
3016 int rc; 3073 int rc;
3017 3074
3018 rc = secondary_ops->file_mprotect(vma, reqprot, prot); 3075 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
@@ -3027,12 +3084,11 @@ static int selinux_file_mprotect(struct vm_area_struct *vma,
3027 rc = 0; 3084 rc = 0;
3028 if (vma->vm_start >= vma->vm_mm->start_brk && 3085 if (vma->vm_start >= vma->vm_mm->start_brk &&
3029 vma->vm_end <= vma->vm_mm->brk) { 3086 vma->vm_end <= vma->vm_mm->brk) {
3030 rc = task_has_perm(current, current, 3087 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3031 PROCESS__EXECHEAP);
3032 } else if (!vma->vm_file && 3088 } else if (!vma->vm_file &&
3033 vma->vm_start <= vma->vm_mm->start_stack && 3089 vma->vm_start <= vma->vm_mm->start_stack &&
3034 vma->vm_end >= vma->vm_mm->start_stack) { 3090 vma->vm_end >= vma->vm_mm->start_stack) {
3035 rc = task_has_perm(current, current, PROCESS__EXECSTACK); 3091 rc = current_has_perm(current, PROCESS__EXECSTACK);
3036 } else if (vma->vm_file && vma->anon_vma) { 3092 } else if (vma->vm_file && vma->anon_vma) {
3037 /* 3093 /*
3038 * We are making executable a file mapping that has 3094 * We are making executable a file mapping that has
@@ -3041,8 +3097,7 @@ static int selinux_file_mprotect(struct vm_area_struct *vma,
3041 * modified content. This typically should only 3097 * modified content. This typically should only
3042 * occur for text relocations. 3098 * occur for text relocations.
3043 */ 3099 */
3044 rc = file_has_perm(current, vma->vm_file, 3100 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3045 FILE__EXECMOD);
3046 } 3101 }
3047 if (rc) 3102 if (rc)
3048 return rc; 3103 return rc;
@@ -3054,12 +3109,15 @@ static int selinux_file_mprotect(struct vm_area_struct *vma,
3054 3109
3055static int selinux_file_lock(struct file *file, unsigned int cmd) 3110static int selinux_file_lock(struct file *file, unsigned int cmd)
3056{ 3111{
3057 return file_has_perm(current, file, FILE__LOCK); 3112 const struct cred *cred = current_cred();
3113
3114 return file_has_perm(cred, file, FILE__LOCK);
3058} 3115}
3059 3116
3060static int selinux_file_fcntl(struct file *file, unsigned int cmd, 3117static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3061 unsigned long arg) 3118 unsigned long arg)
3062{ 3119{
3120 const struct cred *cred = current_cred();
3063 int err = 0; 3121 int err = 0;
3064 3122
3065 switch (cmd) { 3123 switch (cmd) {
@@ -3070,7 +3128,7 @@ static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3070 } 3128 }
3071 3129
3072 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) { 3130 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3073 err = file_has_perm(current, file, FILE__WRITE); 3131 err = file_has_perm(cred, file, FILE__WRITE);
3074 break; 3132 break;
3075 } 3133 }
3076 /* fall through */ 3134 /* fall through */
@@ -3080,7 +3138,7 @@ static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3080 case F_GETOWN: 3138 case F_GETOWN:
3081 case F_GETSIG: 3139 case F_GETSIG:
3082 /* Just check FD__USE permission */ 3140 /* Just check FD__USE permission */
3083 err = file_has_perm(current, file, 0); 3141 err = file_has_perm(cred, file, 0);
3084 break; 3142 break;
3085 case F_GETLK: 3143 case F_GETLK:
3086 case F_SETLK: 3144 case F_SETLK:
@@ -3094,7 +3152,7 @@ static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3094 err = -EINVAL; 3152 err = -EINVAL;
3095 break; 3153 break;
3096 } 3154 }
3097 err = file_has_perm(current, file, FILE__LOCK); 3155 err = file_has_perm(cred, file, FILE__LOCK);
3098 break; 3156 break;
3099 } 3157 }
3100 3158
@@ -3103,12 +3161,10 @@ static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3103 3161
3104static int selinux_file_set_fowner(struct file *file) 3162static int selinux_file_set_fowner(struct file *file)
3105{ 3163{
3106 struct task_security_struct *tsec;
3107 struct file_security_struct *fsec; 3164 struct file_security_struct *fsec;
3108 3165
3109 tsec = current->security;
3110 fsec = file->f_security; 3166 fsec = file->f_security;
3111 fsec->fown_sid = tsec->sid; 3167 fsec->fown_sid = current_sid();
3112 3168
3113 return 0; 3169 return 0;
3114} 3170}
@@ -3117,14 +3173,13 @@ static int selinux_file_send_sigiotask(struct task_struct *tsk,
3117 struct fown_struct *fown, int signum) 3173 struct fown_struct *fown, int signum)
3118{ 3174{
3119 struct file *file; 3175 struct file *file;
3176 u32 sid = current_sid();
3120 u32 perm; 3177 u32 perm;
3121 struct task_security_struct *tsec;
3122 struct file_security_struct *fsec; 3178 struct file_security_struct *fsec;
3123 3179
3124 /* struct fown_struct is never outside the context of a struct file */ 3180 /* struct fown_struct is never outside the context of a struct file */
3125 file = container_of(fown, struct file, f_owner); 3181 file = container_of(fown, struct file, f_owner);
3126 3182
3127 tsec = tsk->security;
3128 fsec = file->f_security; 3183 fsec = file->f_security;
3129 3184
3130 if (!signum) 3185 if (!signum)
@@ -3132,20 +3187,23 @@ static int selinux_file_send_sigiotask(struct task_struct *tsk,
3132 else 3187 else
3133 perm = signal_to_av(signum); 3188 perm = signal_to_av(signum);
3134 3189
3135 return avc_has_perm(fsec->fown_sid, tsec->sid, 3190 return avc_has_perm(fsec->fown_sid, sid,
3136 SECCLASS_PROCESS, perm, NULL); 3191 SECCLASS_PROCESS, perm, NULL);
3137} 3192}
3138 3193
3139static int selinux_file_receive(struct file *file) 3194static int selinux_file_receive(struct file *file)
3140{ 3195{
3141 return file_has_perm(current, file, file_to_av(file)); 3196 const struct cred *cred = current_cred();
3197
3198 return file_has_perm(cred, file, file_to_av(file));
3142} 3199}
3143 3200
3144static int selinux_dentry_open(struct file *file) 3201static int selinux_dentry_open(struct file *file, const struct cred *cred)
3145{ 3202{
3146 struct file_security_struct *fsec; 3203 struct file_security_struct *fsec;
3147 struct inode *inode; 3204 struct inode *inode;
3148 struct inode_security_struct *isec; 3205 struct inode_security_struct *isec;
3206
3149 inode = file->f_path.dentry->d_inode; 3207 inode = file->f_path.dentry->d_inode;
3150 fsec = file->f_security; 3208 fsec = file->f_security;
3151 isec = inode->i_security; 3209 isec = inode->i_security;
@@ -3166,7 +3224,7 @@ static int selinux_dentry_open(struct file *file)
3166 * new inode label or new policy. 3224 * new inode label or new policy.
3167 * This check is not redundant - do not remove. 3225 * This check is not redundant - do not remove.
3168 */ 3226 */
3169 return inode_has_perm(current, inode, file_to_av(file), NULL); 3227 return inode_has_perm(cred, inode, open_file_to_av(file), NULL);
3170} 3228}
3171 3229
3172/* task security operations */ 3230/* task security operations */
@@ -3179,36 +3237,88 @@ static int selinux_task_create(unsigned long clone_flags)
3179 if (rc) 3237 if (rc)
3180 return rc; 3238 return rc;
3181 3239
3182 return task_has_perm(current, current, PROCESS__FORK); 3240 return current_has_perm(current, PROCESS__FORK);
3183} 3241}
3184 3242
3185static int selinux_task_alloc_security(struct task_struct *tsk) 3243/*
3244 * detach and free the LSM part of a set of credentials
3245 */
3246static void selinux_cred_free(struct cred *cred)
3186{ 3247{
3187 struct task_security_struct *tsec1, *tsec2; 3248 struct task_security_struct *tsec = cred->security;
3188 int rc; 3249 cred->security = NULL;
3189 3250 kfree(tsec);
3190 tsec1 = current->security; 3251}
3191 3252
3192 rc = task_alloc_security(tsk); 3253/*
3193 if (rc) 3254 * prepare a new set of credentials for modification
3194 return rc; 3255 */
3195 tsec2 = tsk->security; 3256static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3257 gfp_t gfp)
3258{
3259 const struct task_security_struct *old_tsec;
3260 struct task_security_struct *tsec;
3196 3261
3197 tsec2->osid = tsec1->osid; 3262 old_tsec = old->security;
3198 tsec2->sid = tsec1->sid;
3199 3263
3200 /* Retain the exec, fs, key, and sock SIDs across fork */ 3264 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3201 tsec2->exec_sid = tsec1->exec_sid; 3265 if (!tsec)
3202 tsec2->create_sid = tsec1->create_sid; 3266 return -ENOMEM;
3203 tsec2->keycreate_sid = tsec1->keycreate_sid;
3204 tsec2->sockcreate_sid = tsec1->sockcreate_sid;
3205 3267
3268 new->security = tsec;
3206 return 0; 3269 return 0;
3207} 3270}
3208 3271
3209static void selinux_task_free_security(struct task_struct *tsk) 3272/*
3273 * commit new credentials
3274 */
3275static void selinux_cred_commit(struct cred *new, const struct cred *old)
3276{
3277 secondary_ops->cred_commit(new, old);
3278}
3279
3280/*
3281 * set the security data for a kernel service
3282 * - all the creation contexts are set to unlabelled
3283 */
3284static int selinux_kernel_act_as(struct cred *new, u32 secid)
3210{ 3285{
3211 task_free_security(tsk); 3286 struct task_security_struct *tsec = new->security;
3287 u32 sid = current_sid();
3288 int ret;
3289
3290 ret = avc_has_perm(sid, secid,
3291 SECCLASS_KERNEL_SERVICE,
3292 KERNEL_SERVICE__USE_AS_OVERRIDE,
3293 NULL);
3294 if (ret == 0) {
3295 tsec->sid = secid;
3296 tsec->create_sid = 0;
3297 tsec->keycreate_sid = 0;
3298 tsec->sockcreate_sid = 0;
3299 }
3300 return ret;
3301}
3302
3303/*
3304 * set the file creation context in a security record to the same as the
3305 * objective context of the specified inode
3306 */
3307static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3308{
3309 struct inode_security_struct *isec = inode->i_security;
3310 struct task_security_struct *tsec = new->security;
3311 u32 sid = current_sid();
3312 int ret;
3313
3314 ret = avc_has_perm(sid, isec->sid,
3315 SECCLASS_KERNEL_SERVICE,
3316 KERNEL_SERVICE__CREATE_FILES_AS,
3317 NULL);
3318
3319 if (ret == 0)
3320 tsec->create_sid = isec->sid;
3321 return 0;
3212} 3322}
3213 3323
3214static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) 3324static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
@@ -3222,9 +3332,10 @@ static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3222 return 0; 3332 return 0;
3223} 3333}
3224 3334
3225static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) 3335static int selinux_task_fix_setuid(struct cred *new, const struct cred *old,
3336 int flags)
3226{ 3337{
3227 return secondary_ops->task_post_setuid(id0, id1, id2, flags); 3338 return secondary_ops->task_fix_setuid(new, old, flags);
3228} 3339}
3229 3340
3230static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags) 3341static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
@@ -3235,23 +3346,22 @@ static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
3235 3346
3236static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) 3347static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3237{ 3348{
3238 return task_has_perm(current, p, PROCESS__SETPGID); 3349 return current_has_perm(p, PROCESS__SETPGID);
3239} 3350}
3240 3351
3241static int selinux_task_getpgid(struct task_struct *p) 3352static int selinux_task_getpgid(struct task_struct *p)
3242{ 3353{
3243 return task_has_perm(current, p, PROCESS__GETPGID); 3354 return current_has_perm(p, PROCESS__GETPGID);
3244} 3355}
3245 3356
3246static int selinux_task_getsid(struct task_struct *p) 3357static int selinux_task_getsid(struct task_struct *p)
3247{ 3358{
3248 return task_has_perm(current, p, PROCESS__GETSESSION); 3359 return current_has_perm(p, PROCESS__GETSESSION);
3249} 3360}
3250 3361
3251static void selinux_task_getsecid(struct task_struct *p, u32 *secid) 3362static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3252{ 3363{
3253 struct task_security_struct *tsec = p->security; 3364 *secid = task_sid(p);
3254 *secid = tsec->sid;
3255} 3365}
3256 3366
3257static int selinux_task_setgroups(struct group_info *group_info) 3367static int selinux_task_setgroups(struct group_info *group_info)
@@ -3268,7 +3378,7 @@ static int selinux_task_setnice(struct task_struct *p, int nice)
3268 if (rc) 3378 if (rc)
3269 return rc; 3379 return rc;
3270 3380
3271 return task_has_perm(current, p, PROCESS__SETSCHED); 3381 return current_has_perm(p, PROCESS__SETSCHED);
3272} 3382}
3273 3383
3274static int selinux_task_setioprio(struct task_struct *p, int ioprio) 3384static int selinux_task_setioprio(struct task_struct *p, int ioprio)
@@ -3279,12 +3389,12 @@ static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3279 if (rc) 3389 if (rc)
3280 return rc; 3390 return rc;
3281 3391
3282 return task_has_perm(current, p, PROCESS__SETSCHED); 3392 return current_has_perm(p, PROCESS__SETSCHED);
3283} 3393}
3284 3394
3285static int selinux_task_getioprio(struct task_struct *p) 3395static int selinux_task_getioprio(struct task_struct *p)
3286{ 3396{
3287 return task_has_perm(current, p, PROCESS__GETSCHED); 3397 return current_has_perm(p, PROCESS__GETSCHED);
3288} 3398}
3289 3399
3290static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim) 3400static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
@@ -3299,9 +3409,9 @@ static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim
3299 /* Control the ability to change the hard limit (whether 3409 /* Control the ability to change the hard limit (whether
3300 lowering or raising it), so that the hard limit can 3410 lowering or raising it), so that the hard limit can
3301 later be used as a safe reset point for the soft limit 3411 later be used as a safe reset point for the soft limit
3302 upon context transitions. See selinux_bprm_apply_creds. */ 3412 upon context transitions. See selinux_bprm_committing_creds. */
3303 if (old_rlim->rlim_max != new_rlim->rlim_max) 3413 if (old_rlim->rlim_max != new_rlim->rlim_max)
3304 return task_has_perm(current, current, PROCESS__SETRLIMIT); 3414 return current_has_perm(current, PROCESS__SETRLIMIT);
3305 3415
3306 return 0; 3416 return 0;
3307} 3417}
@@ -3314,17 +3424,17 @@ static int selinux_task_setscheduler(struct task_struct *p, int policy, struct s
3314 if (rc) 3424 if (rc)
3315 return rc; 3425 return rc;
3316 3426
3317 return task_has_perm(current, p, PROCESS__SETSCHED); 3427 return current_has_perm(p, PROCESS__SETSCHED);
3318} 3428}
3319 3429
3320static int selinux_task_getscheduler(struct task_struct *p) 3430static int selinux_task_getscheduler(struct task_struct *p)
3321{ 3431{
3322 return task_has_perm(current, p, PROCESS__GETSCHED); 3432 return current_has_perm(p, PROCESS__GETSCHED);
3323} 3433}
3324 3434
3325static int selinux_task_movememory(struct task_struct *p) 3435static int selinux_task_movememory(struct task_struct *p)
3326{ 3436{
3327 return task_has_perm(current, p, PROCESS__SETSCHED); 3437 return current_has_perm(p, PROCESS__SETSCHED);
3328} 3438}
3329 3439
3330static int selinux_task_kill(struct task_struct *p, struct siginfo *info, 3440static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
@@ -3332,7 +3442,6 @@ static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3332{ 3442{
3333 u32 perm; 3443 u32 perm;
3334 int rc; 3444 int rc;
3335 struct task_security_struct *tsec;
3336 3445
3337 rc = secondary_ops->task_kill(p, info, sig, secid); 3446 rc = secondary_ops->task_kill(p, info, sig, secid);
3338 if (rc) 3447 if (rc)
@@ -3342,11 +3451,11 @@ static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3342 perm = PROCESS__SIGNULL; /* null signal; existence test */ 3451 perm = PROCESS__SIGNULL; /* null signal; existence test */
3343 else 3452 else
3344 perm = signal_to_av(sig); 3453 perm = signal_to_av(sig);
3345 tsec = p->security;
3346 if (secid) 3454 if (secid)
3347 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL); 3455 rc = avc_has_perm(secid, task_sid(p),
3456 SECCLASS_PROCESS, perm, NULL);
3348 else 3457 else
3349 rc = task_has_perm(current, p, perm); 3458 rc = current_has_perm(p, perm);
3350 return rc; 3459 return rc;
3351} 3460}
3352 3461
@@ -3354,13 +3463,12 @@ static int selinux_task_prctl(int option,
3354 unsigned long arg2, 3463 unsigned long arg2,
3355 unsigned long arg3, 3464 unsigned long arg3,
3356 unsigned long arg4, 3465 unsigned long arg4,
3357 unsigned long arg5, 3466 unsigned long arg5)
3358 long *rc_p)
3359{ 3467{
3360 /* The current prctl operations do not appear to require 3468 /* The current prctl operations do not appear to require
3361 any SELinux controls since they merely observe or modify 3469 any SELinux controls since they merely observe or modify
3362 the state of the current process. */ 3470 the state of the current process. */
3363 return secondary_ops->task_prctl(option, arg2, arg3, arg4, arg5, rc_p); 3471 return secondary_ops->task_prctl(option, arg2, arg3, arg4, arg5);
3364} 3472}
3365 3473
3366static int selinux_task_wait(struct task_struct *p) 3474static int selinux_task_wait(struct task_struct *p)
@@ -3368,27 +3476,14 @@ static int selinux_task_wait(struct task_struct *p)
3368 return task_has_perm(p, current, PROCESS__SIGCHLD); 3476 return task_has_perm(p, current, PROCESS__SIGCHLD);
3369} 3477}
3370 3478
3371static void selinux_task_reparent_to_init(struct task_struct *p)
3372{
3373 struct task_security_struct *tsec;
3374
3375 secondary_ops->task_reparent_to_init(p);
3376
3377 tsec = p->security;
3378 tsec->osid = tsec->sid;
3379 tsec->sid = SECINITSID_KERNEL;
3380 return;
3381}
3382
3383static void selinux_task_to_inode(struct task_struct *p, 3479static void selinux_task_to_inode(struct task_struct *p,
3384 struct inode *inode) 3480 struct inode *inode)
3385{ 3481{
3386 struct task_security_struct *tsec = p->security;
3387 struct inode_security_struct *isec = inode->i_security; 3482 struct inode_security_struct *isec = inode->i_security;
3483 u32 sid = task_sid(p);
3388 3484
3389 isec->sid = tsec->sid; 3485 isec->sid = sid;
3390 isec->initialized = 1; 3486 isec->initialized = 1;
3391 return;
3392} 3487}
3393 3488
3394/* Returns error only if unable to parse addresses */ 3489/* Returns error only if unable to parse addresses */
@@ -3627,19 +3722,19 @@ static int socket_has_perm(struct task_struct *task, struct socket *sock,
3627 u32 perms) 3722 u32 perms)
3628{ 3723{
3629 struct inode_security_struct *isec; 3724 struct inode_security_struct *isec;
3630 struct task_security_struct *tsec;
3631 struct avc_audit_data ad; 3725 struct avc_audit_data ad;
3726 u32 sid;
3632 int err = 0; 3727 int err = 0;
3633 3728
3634 tsec = task->security;
3635 isec = SOCK_INODE(sock)->i_security; 3729 isec = SOCK_INODE(sock)->i_security;
3636 3730
3637 if (isec->sid == SECINITSID_KERNEL) 3731 if (isec->sid == SECINITSID_KERNEL)
3638 goto out; 3732 goto out;
3733 sid = task_sid(task);
3639 3734
3640 AVC_AUDIT_DATA_INIT(&ad, NET); 3735 AVC_AUDIT_DATA_INIT(&ad, NET);
3641 ad.u.net.sk = sock->sk; 3736 ad.u.net.sk = sock->sk;
3642 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad); 3737 err = avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
3643 3738
3644out: 3739out:
3645 return err; 3740 return err;
@@ -3648,18 +3743,20 @@ out:
3648static int selinux_socket_create(int family, int type, 3743static int selinux_socket_create(int family, int type,
3649 int protocol, int kern) 3744 int protocol, int kern)
3650{ 3745{
3746 const struct cred *cred = current_cred();
3747 const struct task_security_struct *tsec = cred->security;
3748 u32 sid, newsid;
3749 u16 secclass;
3651 int err = 0; 3750 int err = 0;
3652 struct task_security_struct *tsec;
3653 u32 newsid;
3654 3751
3655 if (kern) 3752 if (kern)
3656 goto out; 3753 goto out;
3657 3754
3658 tsec = current->security; 3755 sid = tsec->sid;
3659 newsid = tsec->sockcreate_sid ? : tsec->sid; 3756 newsid = tsec->sockcreate_sid ?: sid;
3660 err = avc_has_perm(tsec->sid, newsid, 3757
3661 socket_type_to_security_class(family, type, 3758 secclass = socket_type_to_security_class(family, type, protocol);
3662 protocol), SOCKET__CREATE, NULL); 3759 err = avc_has_perm(sid, newsid, secclass, SOCKET__CREATE, NULL);
3663 3760
3664out: 3761out:
3665 return err; 3762 return err;
@@ -3668,18 +3765,26 @@ out:
3668static int selinux_socket_post_create(struct socket *sock, int family, 3765static int selinux_socket_post_create(struct socket *sock, int family,
3669 int type, int protocol, int kern) 3766 int type, int protocol, int kern)
3670{ 3767{
3671 int err = 0; 3768 const struct cred *cred = current_cred();
3769 const struct task_security_struct *tsec = cred->security;
3672 struct inode_security_struct *isec; 3770 struct inode_security_struct *isec;
3673 struct task_security_struct *tsec;
3674 struct sk_security_struct *sksec; 3771 struct sk_security_struct *sksec;
3675 u32 newsid; 3772 u32 sid, newsid;
3773 int err = 0;
3774
3775 sid = tsec->sid;
3776 newsid = tsec->sockcreate_sid;
3676 3777
3677 isec = SOCK_INODE(sock)->i_security; 3778 isec = SOCK_INODE(sock)->i_security;
3678 3779
3679 tsec = current->security; 3780 if (kern)
3680 newsid = tsec->sockcreate_sid ? : tsec->sid; 3781 isec->sid = SECINITSID_KERNEL;
3782 else if (newsid)
3783 isec->sid = newsid;
3784 else
3785 isec->sid = sid;
3786
3681 isec->sclass = socket_type_to_security_class(family, type, protocol); 3787 isec->sclass = socket_type_to_security_class(family, type, protocol);
3682 isec->sid = kern ? SECINITSID_KERNEL : newsid;
3683 isec->initialized = 1; 3788 isec->initialized = 1;
3684 3789
3685 if (sock->sk) { 3790 if (sock->sk) {
@@ -3714,7 +3819,6 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
3714 if (family == PF_INET || family == PF_INET6) { 3819 if (family == PF_INET || family == PF_INET6) {
3715 char *addrp; 3820 char *addrp;
3716 struct inode_security_struct *isec; 3821 struct inode_security_struct *isec;
3717 struct task_security_struct *tsec;
3718 struct avc_audit_data ad; 3822 struct avc_audit_data ad;
3719 struct sockaddr_in *addr4 = NULL; 3823 struct sockaddr_in *addr4 = NULL;
3720 struct sockaddr_in6 *addr6 = NULL; 3824 struct sockaddr_in6 *addr6 = NULL;
@@ -3722,7 +3826,6 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
3722 struct sock *sk = sock->sk; 3826 struct sock *sk = sock->sk;
3723 u32 sid, node_perm; 3827 u32 sid, node_perm;
3724 3828
3725 tsec = current->security;
3726 isec = SOCK_INODE(sock)->i_security; 3829 isec = SOCK_INODE(sock)->i_security;
3727 3830
3728 if (family == PF_INET) { 3831 if (family == PF_INET) {
@@ -4387,7 +4490,7 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4387 "SELinux: unrecognized netlink message" 4490 "SELinux: unrecognized netlink message"
4388 " type=%hu for sclass=%hu\n", 4491 " type=%hu for sclass=%hu\n",
4389 nlh->nlmsg_type, isec->sclass); 4492 nlh->nlmsg_type, isec->sclass);
4390 if (!selinux_enforcing) 4493 if (!selinux_enforcing || security_get_allow_unknown())
4391 err = 0; 4494 err = 0;
4392 } 4495 }
4393 4496
@@ -4763,15 +4866,16 @@ static int ipc_alloc_security(struct task_struct *task,
4763 struct kern_ipc_perm *perm, 4866 struct kern_ipc_perm *perm,
4764 u16 sclass) 4867 u16 sclass)
4765{ 4868{
4766 struct task_security_struct *tsec = task->security;
4767 struct ipc_security_struct *isec; 4869 struct ipc_security_struct *isec;
4870 u32 sid;
4768 4871
4769 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL); 4872 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4770 if (!isec) 4873 if (!isec)
4771 return -ENOMEM; 4874 return -ENOMEM;
4772 4875
4876 sid = task_sid(task);
4773 isec->sclass = sclass; 4877 isec->sclass = sclass;
4774 isec->sid = tsec->sid; 4878 isec->sid = sid;
4775 perm->security = isec; 4879 perm->security = isec;
4776 4880
4777 return 0; 4881 return 0;
@@ -4809,17 +4913,16 @@ static void msg_msg_free_security(struct msg_msg *msg)
4809static int ipc_has_perm(struct kern_ipc_perm *ipc_perms, 4913static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4810 u32 perms) 4914 u32 perms)
4811{ 4915{
4812 struct task_security_struct *tsec;
4813 struct ipc_security_struct *isec; 4916 struct ipc_security_struct *isec;
4814 struct avc_audit_data ad; 4917 struct avc_audit_data ad;
4918 u32 sid = current_sid();
4815 4919
4816 tsec = current->security;
4817 isec = ipc_perms->security; 4920 isec = ipc_perms->security;
4818 4921
4819 AVC_AUDIT_DATA_INIT(&ad, IPC); 4922 AVC_AUDIT_DATA_INIT(&ad, IPC);
4820 ad.u.ipc_id = ipc_perms->key; 4923 ad.u.ipc_id = ipc_perms->key;
4821 4924
4822 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad); 4925 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
4823} 4926}
4824 4927
4825static int selinux_msg_msg_alloc_security(struct msg_msg *msg) 4928static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
@@ -4835,22 +4938,21 @@ static void selinux_msg_msg_free_security(struct msg_msg *msg)
4835/* message queue security operations */ 4938/* message queue security operations */
4836static int selinux_msg_queue_alloc_security(struct msg_queue *msq) 4939static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4837{ 4940{
4838 struct task_security_struct *tsec;
4839 struct ipc_security_struct *isec; 4941 struct ipc_security_struct *isec;
4840 struct avc_audit_data ad; 4942 struct avc_audit_data ad;
4943 u32 sid = current_sid();
4841 int rc; 4944 int rc;
4842 4945
4843 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ); 4946 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4844 if (rc) 4947 if (rc)
4845 return rc; 4948 return rc;
4846 4949
4847 tsec = current->security;
4848 isec = msq->q_perm.security; 4950 isec = msq->q_perm.security;
4849 4951
4850 AVC_AUDIT_DATA_INIT(&ad, IPC); 4952 AVC_AUDIT_DATA_INIT(&ad, IPC);
4851 ad.u.ipc_id = msq->q_perm.key; 4953 ad.u.ipc_id = msq->q_perm.key;
4852 4954
4853 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ, 4955 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4854 MSGQ__CREATE, &ad); 4956 MSGQ__CREATE, &ad);
4855 if (rc) { 4957 if (rc) {
4856 ipc_free_security(&msq->q_perm); 4958 ipc_free_security(&msq->q_perm);
@@ -4866,17 +4968,16 @@ static void selinux_msg_queue_free_security(struct msg_queue *msq)
4866 4968
4867static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg) 4969static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4868{ 4970{
4869 struct task_security_struct *tsec;
4870 struct ipc_security_struct *isec; 4971 struct ipc_security_struct *isec;
4871 struct avc_audit_data ad; 4972 struct avc_audit_data ad;
4973 u32 sid = current_sid();
4872 4974
4873 tsec = current->security;
4874 isec = msq->q_perm.security; 4975 isec = msq->q_perm.security;
4875 4976
4876 AVC_AUDIT_DATA_INIT(&ad, IPC); 4977 AVC_AUDIT_DATA_INIT(&ad, IPC);
4877 ad.u.ipc_id = msq->q_perm.key; 4978 ad.u.ipc_id = msq->q_perm.key;
4878 4979
4879 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ, 4980 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4880 MSGQ__ASSOCIATE, &ad); 4981 MSGQ__ASSOCIATE, &ad);
4881} 4982}
4882 4983
@@ -4910,13 +5011,12 @@ static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4910 5011
4911static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg) 5012static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4912{ 5013{
4913 struct task_security_struct *tsec;
4914 struct ipc_security_struct *isec; 5014 struct ipc_security_struct *isec;
4915 struct msg_security_struct *msec; 5015 struct msg_security_struct *msec;
4916 struct avc_audit_data ad; 5016 struct avc_audit_data ad;
5017 u32 sid = current_sid();
4917 int rc; 5018 int rc;
4918 5019
4919 tsec = current->security;
4920 isec = msq->q_perm.security; 5020 isec = msq->q_perm.security;
4921 msec = msg->security; 5021 msec = msg->security;
4922 5022
@@ -4928,9 +5028,7 @@ static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg,
4928 * Compute new sid based on current process and 5028 * Compute new sid based on current process and
4929 * message queue this message will be stored in 5029 * message queue this message will be stored in
4930 */ 5030 */
4931 rc = security_transition_sid(tsec->sid, 5031 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
4932 isec->sid,
4933 SECCLASS_MSG,
4934 &msec->sid); 5032 &msec->sid);
4935 if (rc) 5033 if (rc)
4936 return rc; 5034 return rc;
@@ -4940,16 +5038,16 @@ static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg,
4940 ad.u.ipc_id = msq->q_perm.key; 5038 ad.u.ipc_id = msq->q_perm.key;
4941 5039
4942 /* Can this process write to the queue? */ 5040 /* Can this process write to the queue? */
4943 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ, 5041 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4944 MSGQ__WRITE, &ad); 5042 MSGQ__WRITE, &ad);
4945 if (!rc) 5043 if (!rc)
4946 /* Can this process send the message */ 5044 /* Can this process send the message */
4947 rc = avc_has_perm(tsec->sid, msec->sid, 5045 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
4948 SECCLASS_MSG, MSG__SEND, &ad); 5046 MSG__SEND, &ad);
4949 if (!rc) 5047 if (!rc)
4950 /* Can the message be put in the queue? */ 5048 /* Can the message be put in the queue? */
4951 rc = avc_has_perm(msec->sid, isec->sid, 5049 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
4952 SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad); 5050 MSGQ__ENQUEUE, &ad);
4953 5051
4954 return rc; 5052 return rc;
4955} 5053}
@@ -4958,23 +5056,22 @@ static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4958 struct task_struct *target, 5056 struct task_struct *target,
4959 long type, int mode) 5057 long type, int mode)
4960{ 5058{
4961 struct task_security_struct *tsec;
4962 struct ipc_security_struct *isec; 5059 struct ipc_security_struct *isec;
4963 struct msg_security_struct *msec; 5060 struct msg_security_struct *msec;
4964 struct avc_audit_data ad; 5061 struct avc_audit_data ad;
5062 u32 sid = task_sid(target);
4965 int rc; 5063 int rc;
4966 5064
4967 tsec = target->security;
4968 isec = msq->q_perm.security; 5065 isec = msq->q_perm.security;
4969 msec = msg->security; 5066 msec = msg->security;
4970 5067
4971 AVC_AUDIT_DATA_INIT(&ad, IPC); 5068 AVC_AUDIT_DATA_INIT(&ad, IPC);
4972 ad.u.ipc_id = msq->q_perm.key; 5069 ad.u.ipc_id = msq->q_perm.key;
4973 5070
4974 rc = avc_has_perm(tsec->sid, isec->sid, 5071 rc = avc_has_perm(sid, isec->sid,
4975 SECCLASS_MSGQ, MSGQ__READ, &ad); 5072 SECCLASS_MSGQ, MSGQ__READ, &ad);
4976 if (!rc) 5073 if (!rc)
4977 rc = avc_has_perm(tsec->sid, msec->sid, 5074 rc = avc_has_perm(sid, msec->sid,
4978 SECCLASS_MSG, MSG__RECEIVE, &ad); 5075 SECCLASS_MSG, MSG__RECEIVE, &ad);
4979 return rc; 5076 return rc;
4980} 5077}
@@ -4982,22 +5079,21 @@ static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4982/* Shared Memory security operations */ 5079/* Shared Memory security operations */
4983static int selinux_shm_alloc_security(struct shmid_kernel *shp) 5080static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4984{ 5081{
4985 struct task_security_struct *tsec;
4986 struct ipc_security_struct *isec; 5082 struct ipc_security_struct *isec;
4987 struct avc_audit_data ad; 5083 struct avc_audit_data ad;
5084 u32 sid = current_sid();
4988 int rc; 5085 int rc;
4989 5086
4990 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM); 5087 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4991 if (rc) 5088 if (rc)
4992 return rc; 5089 return rc;
4993 5090
4994 tsec = current->security;
4995 isec = shp->shm_perm.security; 5091 isec = shp->shm_perm.security;
4996 5092
4997 AVC_AUDIT_DATA_INIT(&ad, IPC); 5093 AVC_AUDIT_DATA_INIT(&ad, IPC);
4998 ad.u.ipc_id = shp->shm_perm.key; 5094 ad.u.ipc_id = shp->shm_perm.key;
4999 5095
5000 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM, 5096 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5001 SHM__CREATE, &ad); 5097 SHM__CREATE, &ad);
5002 if (rc) { 5098 if (rc) {
5003 ipc_free_security(&shp->shm_perm); 5099 ipc_free_security(&shp->shm_perm);
@@ -5013,17 +5109,16 @@ static void selinux_shm_free_security(struct shmid_kernel *shp)
5013 5109
5014static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg) 5110static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5015{ 5111{
5016 struct task_security_struct *tsec;
5017 struct ipc_security_struct *isec; 5112 struct ipc_security_struct *isec;
5018 struct avc_audit_data ad; 5113 struct avc_audit_data ad;
5114 u32 sid = current_sid();
5019 5115
5020 tsec = current->security;
5021 isec = shp->shm_perm.security; 5116 isec = shp->shm_perm.security;
5022 5117
5023 AVC_AUDIT_DATA_INIT(&ad, IPC); 5118 AVC_AUDIT_DATA_INIT(&ad, IPC);
5024 ad.u.ipc_id = shp->shm_perm.key; 5119 ad.u.ipc_id = shp->shm_perm.key;
5025 5120
5026 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM, 5121 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5027 SHM__ASSOCIATE, &ad); 5122 SHM__ASSOCIATE, &ad);
5028} 5123}
5029 5124
@@ -5081,22 +5176,21 @@ static int selinux_shm_shmat(struct shmid_kernel *shp,
5081/* Semaphore security operations */ 5176/* Semaphore security operations */
5082static int selinux_sem_alloc_security(struct sem_array *sma) 5177static int selinux_sem_alloc_security(struct sem_array *sma)
5083{ 5178{
5084 struct task_security_struct *tsec;
5085 struct ipc_security_struct *isec; 5179 struct ipc_security_struct *isec;
5086 struct avc_audit_data ad; 5180 struct avc_audit_data ad;
5181 u32 sid = current_sid();
5087 int rc; 5182 int rc;
5088 5183
5089 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM); 5184 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5090 if (rc) 5185 if (rc)
5091 return rc; 5186 return rc;
5092 5187
5093 tsec = current->security;
5094 isec = sma->sem_perm.security; 5188 isec = sma->sem_perm.security;
5095 5189
5096 AVC_AUDIT_DATA_INIT(&ad, IPC); 5190 AVC_AUDIT_DATA_INIT(&ad, IPC);
5097 ad.u.ipc_id = sma->sem_perm.key; 5191 ad.u.ipc_id = sma->sem_perm.key;
5098 5192
5099 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM, 5193 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5100 SEM__CREATE, &ad); 5194 SEM__CREATE, &ad);
5101 if (rc) { 5195 if (rc) {
5102 ipc_free_security(&sma->sem_perm); 5196 ipc_free_security(&sma->sem_perm);
@@ -5112,17 +5206,16 @@ static void selinux_sem_free_security(struct sem_array *sma)
5112 5206
5113static int selinux_sem_associate(struct sem_array *sma, int semflg) 5207static int selinux_sem_associate(struct sem_array *sma, int semflg)
5114{ 5208{
5115 struct task_security_struct *tsec;
5116 struct ipc_security_struct *isec; 5209 struct ipc_security_struct *isec;
5117 struct avc_audit_data ad; 5210 struct avc_audit_data ad;
5211 u32 sid = current_sid();
5118 5212
5119 tsec = current->security;
5120 isec = sma->sem_perm.security; 5213 isec = sma->sem_perm.security;
5121 5214
5122 AVC_AUDIT_DATA_INIT(&ad, IPC); 5215 AVC_AUDIT_DATA_INIT(&ad, IPC);
5123 ad.u.ipc_id = sma->sem_perm.key; 5216 ad.u.ipc_id = sma->sem_perm.key;
5124 5217
5125 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM, 5218 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5126 SEM__ASSOCIATE, &ad); 5219 SEM__ASSOCIATE, &ad);
5127} 5220}
5128 5221
@@ -5212,33 +5305,35 @@ static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5212static int selinux_getprocattr(struct task_struct *p, 5305static int selinux_getprocattr(struct task_struct *p,
5213 char *name, char **value) 5306 char *name, char **value)
5214{ 5307{
5215 struct task_security_struct *tsec; 5308 const struct task_security_struct *__tsec;
5216 u32 sid; 5309 u32 sid;
5217 int error; 5310 int error;
5218 unsigned len; 5311 unsigned len;
5219 5312
5220 if (current != p) { 5313 if (current != p) {
5221 error = task_has_perm(current, p, PROCESS__GETATTR); 5314 error = current_has_perm(p, PROCESS__GETATTR);
5222 if (error) 5315 if (error)
5223 return error; 5316 return error;
5224 } 5317 }
5225 5318
5226 tsec = p->security; 5319 rcu_read_lock();
5320 __tsec = __task_cred(p)->security;
5227 5321
5228 if (!strcmp(name, "current")) 5322 if (!strcmp(name, "current"))
5229 sid = tsec->sid; 5323 sid = __tsec->sid;
5230 else if (!strcmp(name, "prev")) 5324 else if (!strcmp(name, "prev"))
5231 sid = tsec->osid; 5325 sid = __tsec->osid;
5232 else if (!strcmp(name, "exec")) 5326 else if (!strcmp(name, "exec"))
5233 sid = tsec->exec_sid; 5327 sid = __tsec->exec_sid;
5234 else if (!strcmp(name, "fscreate")) 5328 else if (!strcmp(name, "fscreate"))
5235 sid = tsec->create_sid; 5329 sid = __tsec->create_sid;
5236 else if (!strcmp(name, "keycreate")) 5330 else if (!strcmp(name, "keycreate"))
5237 sid = tsec->keycreate_sid; 5331 sid = __tsec->keycreate_sid;
5238 else if (!strcmp(name, "sockcreate")) 5332 else if (!strcmp(name, "sockcreate"))
5239 sid = tsec->sockcreate_sid; 5333 sid = __tsec->sockcreate_sid;
5240 else 5334 else
5241 return -EINVAL; 5335 goto invalid;
5336 rcu_read_unlock();
5242 5337
5243 if (!sid) 5338 if (!sid)
5244 return 0; 5339 return 0;
@@ -5247,6 +5342,10 @@ static int selinux_getprocattr(struct task_struct *p,
5247 if (error) 5342 if (error)
5248 return error; 5343 return error;
5249 return len; 5344 return len;
5345
5346invalid:
5347 rcu_read_unlock();
5348 return -EINVAL;
5250} 5349}
5251 5350
5252static int selinux_setprocattr(struct task_struct *p, 5351static int selinux_setprocattr(struct task_struct *p,
@@ -5254,7 +5353,8 @@ static int selinux_setprocattr(struct task_struct *p,
5254{ 5353{
5255 struct task_security_struct *tsec; 5354 struct task_security_struct *tsec;
5256 struct task_struct *tracer; 5355 struct task_struct *tracer;
5257 u32 sid = 0; 5356 struct cred *new;
5357 u32 sid = 0, ptsid;
5258 int error; 5358 int error;
5259 char *str = value; 5359 char *str = value;
5260 5360
@@ -5270,15 +5370,15 @@ static int selinux_setprocattr(struct task_struct *p,
5270 * above restriction is ever removed. 5370 * above restriction is ever removed.
5271 */ 5371 */
5272 if (!strcmp(name, "exec")) 5372 if (!strcmp(name, "exec"))
5273 error = task_has_perm(current, p, PROCESS__SETEXEC); 5373 error = current_has_perm(p, PROCESS__SETEXEC);
5274 else if (!strcmp(name, "fscreate")) 5374 else if (!strcmp(name, "fscreate"))
5275 error = task_has_perm(current, p, PROCESS__SETFSCREATE); 5375 error = current_has_perm(p, PROCESS__SETFSCREATE);
5276 else if (!strcmp(name, "keycreate")) 5376 else if (!strcmp(name, "keycreate"))
5277 error = task_has_perm(current, p, PROCESS__SETKEYCREATE); 5377 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5278 else if (!strcmp(name, "sockcreate")) 5378 else if (!strcmp(name, "sockcreate"))
5279 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE); 5379 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5280 else if (!strcmp(name, "current")) 5380 else if (!strcmp(name, "current"))
5281 error = task_has_perm(current, p, PROCESS__SETCURRENT); 5381 error = current_has_perm(p, PROCESS__SETCURRENT);
5282 else 5382 else
5283 error = -EINVAL; 5383 error = -EINVAL;
5284 if (error) 5384 if (error)
@@ -5301,87 +5401,75 @@ static int selinux_setprocattr(struct task_struct *p,
5301 return error; 5401 return error;
5302 } 5402 }
5303 5403
5404 new = prepare_creds();
5405 if (!new)
5406 return -ENOMEM;
5407
5304 /* Permission checking based on the specified context is 5408 /* Permission checking based on the specified context is
5305 performed during the actual operation (execve, 5409 performed during the actual operation (execve,
5306 open/mkdir/...), when we know the full context of the 5410 open/mkdir/...), when we know the full context of the
5307 operation. See selinux_bprm_set_security for the execve 5411 operation. See selinux_bprm_set_creds for the execve
5308 checks and may_create for the file creation checks. The 5412 checks and may_create for the file creation checks. The
5309 operation will then fail if the context is not permitted. */ 5413 operation will then fail if the context is not permitted. */
5310 tsec = p->security; 5414 tsec = new->security;
5311 if (!strcmp(name, "exec")) 5415 if (!strcmp(name, "exec")) {
5312 tsec->exec_sid = sid; 5416 tsec->exec_sid = sid;
5313 else if (!strcmp(name, "fscreate")) 5417 } else if (!strcmp(name, "fscreate")) {
5314 tsec->create_sid = sid; 5418 tsec->create_sid = sid;
5315 else if (!strcmp(name, "keycreate")) { 5419 } else if (!strcmp(name, "keycreate")) {
5316 error = may_create_key(sid, p); 5420 error = may_create_key(sid, p);
5317 if (error) 5421 if (error)
5318 return error; 5422 goto abort_change;
5319 tsec->keycreate_sid = sid; 5423 tsec->keycreate_sid = sid;
5320 } else if (!strcmp(name, "sockcreate")) 5424 } else if (!strcmp(name, "sockcreate")) {
5321 tsec->sockcreate_sid = sid; 5425 tsec->sockcreate_sid = sid;
5322 else if (!strcmp(name, "current")) { 5426 } else if (!strcmp(name, "current")) {
5323 struct av_decision avd; 5427 error = -EINVAL;
5324
5325 if (sid == 0) 5428 if (sid == 0)
5326 return -EINVAL; 5429 goto abort_change;
5327 /* 5430
5328 * SELinux allows to change context in the following case only. 5431 /* Only allow single threaded processes to change context */
5329 * - Single threaded processes. 5432 error = -EPERM;
5330 * - Multi threaded processes intend to change its context into 5433 if (!is_single_threaded(p)) {
5331 * more restricted domain (defined by TYPEBOUNDS statement). 5434 error = security_bounded_transition(tsec->sid, sid);
5332 */ 5435 if (error)
5333 if (atomic_read(&p->mm->mm_users) != 1) { 5436 goto abort_change;
5334 struct task_struct *g, *t;
5335 struct mm_struct *mm = p->mm;
5336 read_lock(&tasklist_lock);
5337 do_each_thread(g, t) {
5338 if (t->mm == mm && t != p) {
5339 read_unlock(&tasklist_lock);
5340 error = security_bounded_transition(tsec->sid, sid);
5341 if (!error)
5342 goto boundary_ok;
5343
5344 return error;
5345 }
5346 } while_each_thread(g, t);
5347 read_unlock(&tasklist_lock);
5348 } 5437 }
5349boundary_ok:
5350 5438
5351 /* Check permissions for the transition. */ 5439 /* Check permissions for the transition. */
5352 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS, 5440 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5353 PROCESS__DYNTRANSITION, NULL); 5441 PROCESS__DYNTRANSITION, NULL);
5354 if (error) 5442 if (error)
5355 return error; 5443 goto abort_change;
5356 5444
5357 /* Check for ptracing, and update the task SID if ok. 5445 /* Check for ptracing, and update the task SID if ok.
5358 Otherwise, leave SID unchanged and fail. */ 5446 Otherwise, leave SID unchanged and fail. */
5447 ptsid = 0;
5359 task_lock(p); 5448 task_lock(p);
5360 rcu_read_lock();
5361 tracer = tracehook_tracer_task(p); 5449 tracer = tracehook_tracer_task(p);
5362 if (tracer != NULL) { 5450 if (tracer)
5363 struct task_security_struct *ptsec = tracer->security; 5451 ptsid = task_sid(tracer);
5364 u32 ptsid = ptsec->sid; 5452 task_unlock(p);
5365 rcu_read_unlock(); 5453
5366 error = avc_has_perm_noaudit(ptsid, sid, 5454 if (tracer) {
5367 SECCLASS_PROCESS, 5455 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5368 PROCESS__PTRACE, 0, &avd); 5456 PROCESS__PTRACE, NULL);
5369 if (!error)
5370 tsec->sid = sid;
5371 task_unlock(p);
5372 avc_audit(ptsid, sid, SECCLASS_PROCESS,
5373 PROCESS__PTRACE, &avd, error, NULL);
5374 if (error) 5457 if (error)
5375 return error; 5458 goto abort_change;
5376 } else {
5377 rcu_read_unlock();
5378 tsec->sid = sid;
5379 task_unlock(p);
5380 } 5459 }
5381 } else
5382 return -EINVAL;
5383 5460
5461 tsec->sid = sid;
5462 } else {
5463 error = -EINVAL;
5464 goto abort_change;
5465 }
5466
5467 commit_creds(new);
5384 return size; 5468 return size;
5469
5470abort_change:
5471 abort_creds(new);
5472 return error;
5385} 5473}
5386 5474
5387static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 5475static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
@@ -5401,22 +5489,23 @@ static void selinux_release_secctx(char *secdata, u32 seclen)
5401 5489
5402#ifdef CONFIG_KEYS 5490#ifdef CONFIG_KEYS
5403 5491
5404static int selinux_key_alloc(struct key *k, struct task_struct *tsk, 5492static int selinux_key_alloc(struct key *k, const struct cred *cred,
5405 unsigned long flags) 5493 unsigned long flags)
5406{ 5494{
5407 struct task_security_struct *tsec = tsk->security; 5495 const struct task_security_struct *tsec;
5408 struct key_security_struct *ksec; 5496 struct key_security_struct *ksec;
5409 5497
5410 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL); 5498 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5411 if (!ksec) 5499 if (!ksec)
5412 return -ENOMEM; 5500 return -ENOMEM;
5413 5501
5502 tsec = cred->security;
5414 if (tsec->keycreate_sid) 5503 if (tsec->keycreate_sid)
5415 ksec->sid = tsec->keycreate_sid; 5504 ksec->sid = tsec->keycreate_sid;
5416 else 5505 else
5417 ksec->sid = tsec->sid; 5506 ksec->sid = tsec->sid;
5418 k->security = ksec;
5419 5507
5508 k->security = ksec;
5420 return 0; 5509 return 0;
5421} 5510}
5422 5511
@@ -5429,17 +5518,12 @@ static void selinux_key_free(struct key *k)
5429} 5518}
5430 5519
5431static int selinux_key_permission(key_ref_t key_ref, 5520static int selinux_key_permission(key_ref_t key_ref,
5432 struct task_struct *ctx, 5521 const struct cred *cred,
5433 key_perm_t perm) 5522 key_perm_t perm)
5434{ 5523{
5435 struct key *key; 5524 struct key *key;
5436 struct task_security_struct *tsec;
5437 struct key_security_struct *ksec; 5525 struct key_security_struct *ksec;
5438 5526 u32 sid;
5439 key = key_ref_to_ptr(key_ref);
5440
5441 tsec = ctx->security;
5442 ksec = key->security;
5443 5527
5444 /* if no specific permissions are requested, we skip the 5528 /* if no specific permissions are requested, we skip the
5445 permission check. No serious, additional covert channels 5529 permission check. No serious, additional covert channels
@@ -5447,8 +5531,12 @@ static int selinux_key_permission(key_ref_t key_ref,
5447 if (perm == 0) 5531 if (perm == 0)
5448 return 0; 5532 return 0;
5449 5533
5450 return avc_has_perm(tsec->sid, ksec->sid, 5534 sid = cred_sid(cred);
5451 SECCLASS_KEY, perm, NULL); 5535
5536 key = key_ref_to_ptr(key_ref);
5537 ksec = key->security;
5538
5539 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5452} 5540}
5453 5541
5454static int selinux_key_getsecurity(struct key *key, char **_buffer) 5542static int selinux_key_getsecurity(struct key *key, char **_buffer)
@@ -5473,8 +5561,7 @@ static struct security_operations selinux_ops = {
5473 .ptrace_may_access = selinux_ptrace_may_access, 5561 .ptrace_may_access = selinux_ptrace_may_access,
5474 .ptrace_traceme = selinux_ptrace_traceme, 5562 .ptrace_traceme = selinux_ptrace_traceme,
5475 .capget = selinux_capget, 5563 .capget = selinux_capget,
5476 .capset_check = selinux_capset_check, 5564 .capset = selinux_capset,
5477 .capset_set = selinux_capset_set,
5478 .sysctl = selinux_sysctl, 5565 .sysctl = selinux_sysctl,
5479 .capable = selinux_capable, 5566 .capable = selinux_capable,
5480 .quotactl = selinux_quotactl, 5567 .quotactl = selinux_quotactl,
@@ -5485,12 +5572,10 @@ static struct security_operations selinux_ops = {
5485 .netlink_send = selinux_netlink_send, 5572 .netlink_send = selinux_netlink_send,
5486 .netlink_recv = selinux_netlink_recv, 5573 .netlink_recv = selinux_netlink_recv,
5487 5574
5488 .bprm_alloc_security = selinux_bprm_alloc_security, 5575 .bprm_set_creds = selinux_bprm_set_creds,
5489 .bprm_free_security = selinux_bprm_free_security,
5490 .bprm_apply_creds = selinux_bprm_apply_creds,
5491 .bprm_post_apply_creds = selinux_bprm_post_apply_creds,
5492 .bprm_set_security = selinux_bprm_set_security,
5493 .bprm_check_security = selinux_bprm_check_security, 5576 .bprm_check_security = selinux_bprm_check_security,
5577 .bprm_committing_creds = selinux_bprm_committing_creds,
5578 .bprm_committed_creds = selinux_bprm_committed_creds,
5494 .bprm_secureexec = selinux_bprm_secureexec, 5579 .bprm_secureexec = selinux_bprm_secureexec,
5495 5580
5496 .sb_alloc_security = selinux_sb_alloc_security, 5581 .sb_alloc_security = selinux_sb_alloc_security,
@@ -5549,10 +5634,13 @@ static struct security_operations selinux_ops = {
5549 .dentry_open = selinux_dentry_open, 5634 .dentry_open = selinux_dentry_open,
5550 5635
5551 .task_create = selinux_task_create, 5636 .task_create = selinux_task_create,
5552 .task_alloc_security = selinux_task_alloc_security, 5637 .cred_free = selinux_cred_free,
5553 .task_free_security = selinux_task_free_security, 5638 .cred_prepare = selinux_cred_prepare,
5639 .cred_commit = selinux_cred_commit,
5640 .kernel_act_as = selinux_kernel_act_as,
5641 .kernel_create_files_as = selinux_kernel_create_files_as,
5554 .task_setuid = selinux_task_setuid, 5642 .task_setuid = selinux_task_setuid,
5555 .task_post_setuid = selinux_task_post_setuid, 5643 .task_fix_setuid = selinux_task_fix_setuid,
5556 .task_setgid = selinux_task_setgid, 5644 .task_setgid = selinux_task_setgid,
5557 .task_setpgid = selinux_task_setpgid, 5645 .task_setpgid = selinux_task_setpgid,
5558 .task_getpgid = selinux_task_getpgid, 5646 .task_getpgid = selinux_task_getpgid,
@@ -5569,7 +5657,6 @@ static struct security_operations selinux_ops = {
5569 .task_kill = selinux_task_kill, 5657 .task_kill = selinux_task_kill,
5570 .task_wait = selinux_task_wait, 5658 .task_wait = selinux_task_wait,
5571 .task_prctl = selinux_task_prctl, 5659 .task_prctl = selinux_task_prctl,
5572 .task_reparent_to_init = selinux_task_reparent_to_init,
5573 .task_to_inode = selinux_task_to_inode, 5660 .task_to_inode = selinux_task_to_inode,
5574 5661
5575 .ipc_permission = selinux_ipc_permission, 5662 .ipc_permission = selinux_ipc_permission,
@@ -5665,8 +5752,6 @@ static struct security_operations selinux_ops = {
5665 5752
5666static __init int selinux_init(void) 5753static __init int selinux_init(void)
5667{ 5754{
5668 struct task_security_struct *tsec;
5669
5670 if (!security_module_enable(&selinux_ops)) { 5755 if (!security_module_enable(&selinux_ops)) {
5671 selinux_enabled = 0; 5756 selinux_enabled = 0;
5672 return 0; 5757 return 0;
@@ -5680,10 +5765,7 @@ static __init int selinux_init(void)
5680 printk(KERN_INFO "SELinux: Initializing.\n"); 5765 printk(KERN_INFO "SELinux: Initializing.\n");
5681 5766
5682 /* Set the security state for the initial task. */ 5767 /* Set the security state for the initial task. */
5683 if (task_alloc_security(current)) 5768 cred_init_security();
5684 panic("SELinux: Failed to initialize initial task.\n");
5685 tsec = current->security;
5686 tsec->osid = tsec->sid = SECINITSID_KERNEL;
5687 5769
5688 sel_inode_cache = kmem_cache_create("selinux_inode_security", 5770 sel_inode_cache = kmem_cache_create("selinux_inode_security",
5689 sizeof(struct inode_security_struct), 5771 sizeof(struct inode_security_struct),
diff --git a/security/selinux/include/av_perm_to_string.h b/security/selinux/include/av_perm_to_string.h
index 1223b4ff9bee..c0c885427b91 100644
--- a/security/selinux/include/av_perm_to_string.h
+++ b/security/selinux/include/av_perm_to_string.h
@@ -176,3 +176,5 @@
176 S_(SECCLASS_DCCP_SOCKET, DCCP_SOCKET__NAME_CONNECT, "name_connect") 176 S_(SECCLASS_DCCP_SOCKET, DCCP_SOCKET__NAME_CONNECT, "name_connect")
177 S_(SECCLASS_MEMPROTECT, MEMPROTECT__MMAP_ZERO, "mmap_zero") 177 S_(SECCLASS_MEMPROTECT, MEMPROTECT__MMAP_ZERO, "mmap_zero")
178 S_(SECCLASS_PEER, PEER__RECV, "recv") 178 S_(SECCLASS_PEER, PEER__RECV, "recv")
179 S_(SECCLASS_KERNEL_SERVICE, KERNEL_SERVICE__USE_AS_OVERRIDE, "use_as_override")
180 S_(SECCLASS_KERNEL_SERVICE, KERNEL_SERVICE__CREATE_FILES_AS, "create_files_as")
diff --git a/security/selinux/include/av_permissions.h b/security/selinux/include/av_permissions.h
index c4c51165c505..0ba79fe00e11 100644
--- a/security/selinux/include/av_permissions.h
+++ b/security/selinux/include/av_permissions.h
@@ -841,3 +841,5 @@
841#define DCCP_SOCKET__NAME_CONNECT 0x00800000UL 841#define DCCP_SOCKET__NAME_CONNECT 0x00800000UL
842#define MEMPROTECT__MMAP_ZERO 0x00000001UL 842#define MEMPROTECT__MMAP_ZERO 0x00000001UL
843#define PEER__RECV 0x00000001UL 843#define PEER__RECV 0x00000001UL
844#define KERNEL_SERVICE__USE_AS_OVERRIDE 0x00000001UL
845#define KERNEL_SERVICE__CREATE_FILES_AS 0x00000002UL
diff --git a/security/selinux/include/class_to_string.h b/security/selinux/include/class_to_string.h
index bd813c366e34..21ec786611d4 100644
--- a/security/selinux/include/class_to_string.h
+++ b/security/selinux/include/class_to_string.h
@@ -72,3 +72,8 @@
72 S_(NULL) 72 S_(NULL)
73 S_("peer") 73 S_("peer")
74 S_("capability2") 74 S_("capability2")
75 S_(NULL)
76 S_(NULL)
77 S_(NULL)
78 S_(NULL)
79 S_("kernel_service")
diff --git a/security/selinux/include/flask.h b/security/selinux/include/flask.h
index febf8868e852..882f27d66fac 100644
--- a/security/selinux/include/flask.h
+++ b/security/selinux/include/flask.h
@@ -52,6 +52,7 @@
52#define SECCLASS_MEMPROTECT 61 52#define SECCLASS_MEMPROTECT 61
53#define SECCLASS_PEER 68 53#define SECCLASS_PEER 68
54#define SECCLASS_CAPABILITY2 69 54#define SECCLASS_CAPABILITY2 69
55#define SECCLASS_KERNEL_SERVICE 74
55 56
56/* 57/*
57 * Security identifier indices for initial entities 58 * Security identifier indices for initial entities
diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
index f8be8d7fa26d..3cc45168f674 100644
--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -77,17 +77,6 @@ struct ipc_security_struct {
77 u32 sid; /* SID of IPC resource */ 77 u32 sid; /* SID of IPC resource */
78}; 78};
79 79
80struct bprm_security_struct {
81 u32 sid; /* SID for transformed process */
82 unsigned char set;
83
84 /*
85 * unsafe is used to share failure information from bprm_apply_creds()
86 * to bprm_post_apply_creds().
87 */
88 char unsafe;
89};
90
91struct netif_security_struct { 80struct netif_security_struct {
92 int ifindex; /* device index */ 81 int ifindex; /* device index */
93 u32 sid; /* SID for this interface */ 82 u32 sid; /* SID for this interface */
diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c
index ff59c0c4804b..4ed7bab89c59 100644
--- a/security/selinux/nlmsgtab.c
+++ b/security/selinux/nlmsgtab.c
@@ -63,6 +63,9 @@ static struct nlmsg_perm nlmsg_route_perms[] =
63 { RTM_GETANYCAST, NETLINK_ROUTE_SOCKET__NLMSG_READ }, 63 { RTM_GETANYCAST, NETLINK_ROUTE_SOCKET__NLMSG_READ },
64 { RTM_GETNEIGHTBL, NETLINK_ROUTE_SOCKET__NLMSG_READ }, 64 { RTM_GETNEIGHTBL, NETLINK_ROUTE_SOCKET__NLMSG_READ },
65 { RTM_SETNEIGHTBL, NETLINK_ROUTE_SOCKET__NLMSG_WRITE }, 65 { RTM_SETNEIGHTBL, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
66 { RTM_NEWADDRLABEL, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
67 { RTM_DELADDRLABEL, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
68 { RTM_GETADDRLABEL, NETLINK_ROUTE_SOCKET__NLMSG_READ },
66}; 69};
67 70
68static struct nlmsg_perm nlmsg_firewall_perms[] = 71static struct nlmsg_perm nlmsg_firewall_perms[] =
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 69c9dccc8cf0..c86303638235 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -95,13 +95,18 @@ extern void selnl_notify_setenforce(int val);
95static int task_has_security(struct task_struct *tsk, 95static int task_has_security(struct task_struct *tsk,
96 u32 perms) 96 u32 perms)
97{ 97{
98 struct task_security_struct *tsec; 98 const struct task_security_struct *tsec;
99 99 u32 sid = 0;
100 tsec = tsk->security; 100
101 rcu_read_lock();
102 tsec = __task_cred(tsk)->security;
103 if (tsec)
104 sid = tsec->sid;
105 rcu_read_unlock();
101 if (!tsec) 106 if (!tsec)
102 return -EACCES; 107 return -EACCES;
103 108
104 return avc_has_perm(tsec->sid, SECINITSID_SECURITY, 109 return avc_has_perm(sid, SECINITSID_SECURITY,
105 SECCLASS_SECURITY, perms, NULL); 110 SECCLASS_SECURITY, perms, NULL);
106} 111}
107 112
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
index 8f17f542a116..c0eb72013d67 100644
--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -197,7 +197,7 @@ static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp,
197 struct xfrm_user_sec_ctx *uctx, u32 sid) 197 struct xfrm_user_sec_ctx *uctx, u32 sid)
198{ 198{
199 int rc = 0; 199 int rc = 0;
200 struct task_security_struct *tsec = current->security; 200 const struct task_security_struct *tsec = current_security();
201 struct xfrm_sec_ctx *ctx = NULL; 201 struct xfrm_sec_ctx *ctx = NULL;
202 char *ctx_str = NULL; 202 char *ctx_str = NULL;
203 u32 str_len; 203 u32 str_len;
@@ -333,7 +333,7 @@ void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx)
333 */ 333 */
334int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx) 334int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx)
335{ 335{
336 struct task_security_struct *tsec = current->security; 336 const struct task_security_struct *tsec = current_security();
337 int rc = 0; 337 int rc = 0;
338 338
339 if (ctx) { 339 if (ctx) {
@@ -378,7 +378,7 @@ void selinux_xfrm_state_free(struct xfrm_state *x)
378 */ 378 */
379int selinux_xfrm_state_delete(struct xfrm_state *x) 379int selinux_xfrm_state_delete(struct xfrm_state *x)
380{ 380{
381 struct task_security_struct *tsec = current->security; 381 const struct task_security_struct *tsec = current_security();
382 struct xfrm_sec_ctx *ctx = x->security; 382 struct xfrm_sec_ctx *ctx = x->security;
383 int rc = 0; 383 int rc = 0;
384 384
diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
index 79ff21ed4c3b..247cec3b5a43 100644
--- a/security/smack/smack_access.c
+++ b/security/smack/smack_access.c
@@ -164,7 +164,7 @@ int smk_curacc(char *obj_label, u32 mode)
164{ 164{
165 int rc; 165 int rc;
166 166
167 rc = smk_access(current->security, obj_label, mode); 167 rc = smk_access(current_security(), obj_label, mode);
168 if (rc == 0) 168 if (rc == 0)
169 return 0; 169 return 0;
170 170
@@ -173,7 +173,7 @@ int smk_curacc(char *obj_label, u32 mode)
173 * only one that gets privilege and current does not 173 * only one that gets privilege and current does not
174 * have that label. 174 * have that label.
175 */ 175 */
176 if (smack_onlycap != NULL && smack_onlycap != current->security) 176 if (smack_onlycap != NULL && smack_onlycap != current->cred->security)
177 return rc; 177 return rc;
178 178
179 if (capable(CAP_MAC_OVERRIDE)) 179 if (capable(CAP_MAC_OVERRIDE))
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 6e2dc0bab70d..8ad48161cef5 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -30,6 +30,8 @@
30 30
31#include "smack.h" 31#include "smack.h"
32 32
33#define task_security(task) (task_cred_xxx((task), security))
34
33/* 35/*
34 * I hope these are the hokeyist lines of code in the module. Casey. 36 * I hope these are the hokeyist lines of code in the module. Casey.
35 */ 37 */
@@ -102,7 +104,7 @@ static int smack_ptrace_may_access(struct task_struct *ctp, unsigned int mode)
102 if (rc != 0) 104 if (rc != 0)
103 return rc; 105 return rc;
104 106
105 rc = smk_access(current->security, ctp->security, MAY_READWRITE); 107 rc = smk_access(current_security(), task_security(ctp), MAY_READWRITE);
106 if (rc != 0 && capable(CAP_MAC_OVERRIDE)) 108 if (rc != 0 && capable(CAP_MAC_OVERRIDE))
107 return 0; 109 return 0;
108 return rc; 110 return rc;
@@ -124,7 +126,7 @@ static int smack_ptrace_traceme(struct task_struct *ptp)
124 if (rc != 0) 126 if (rc != 0)
125 return rc; 127 return rc;
126 128
127 rc = smk_access(ptp->security, current->security, MAY_READWRITE); 129 rc = smk_access(task_security(ptp), current_security(), MAY_READWRITE);
128 if (rc != 0 && has_capability(ptp, CAP_MAC_OVERRIDE)) 130 if (rc != 0 && has_capability(ptp, CAP_MAC_OVERRIDE))
129 return 0; 131 return 0;
130 return rc; 132 return rc;
@@ -141,7 +143,7 @@ static int smack_ptrace_traceme(struct task_struct *ptp)
141static int smack_syslog(int type) 143static int smack_syslog(int type)
142{ 144{
143 int rc; 145 int rc;
144 char *sp = current->security; 146 char *sp = current_security();
145 147
146 rc = cap_syslog(type); 148 rc = cap_syslog(type);
147 if (rc != 0) 149 if (rc != 0)
@@ -373,7 +375,7 @@ static int smack_sb_umount(struct vfsmount *mnt, int flags)
373 */ 375 */
374static int smack_inode_alloc_security(struct inode *inode) 376static int smack_inode_alloc_security(struct inode *inode)
375{ 377{
376 inode->i_security = new_inode_smack(current->security); 378 inode->i_security = new_inode_smack(current_security());
377 if (inode->i_security == NULL) 379 if (inode->i_security == NULL)
378 return -ENOMEM; 380 return -ENOMEM;
379 return 0; 381 return 0;
@@ -818,7 +820,7 @@ static int smack_file_permission(struct file *file, int mask)
818 */ 820 */
819static int smack_file_alloc_security(struct file *file) 821static int smack_file_alloc_security(struct file *file)
820{ 822{
821 file->f_security = current->security; 823 file->f_security = current_security();
822 return 0; 824 return 0;
823} 825}
824 826
@@ -916,7 +918,7 @@ static int smack_file_fcntl(struct file *file, unsigned int cmd,
916 */ 918 */
917static int smack_file_set_fowner(struct file *file) 919static int smack_file_set_fowner(struct file *file)
918{ 920{
919 file->f_security = current->security; 921 file->f_security = current_security();
920 return 0; 922 return 0;
921} 923}
922 924
@@ -941,7 +943,7 @@ static int smack_file_send_sigiotask(struct task_struct *tsk,
941 * struct fown_struct is never outside the context of a struct file 943 * struct fown_struct is never outside the context of a struct file
942 */ 944 */
943 file = container_of(fown, struct file, f_owner); 945 file = container_of(fown, struct file, f_owner);
944 rc = smk_access(file->f_security, tsk->security, MAY_WRITE); 946 rc = smk_access(file->f_security, tsk->cred->security, MAY_WRITE);
945 if (rc != 0 && has_capability(tsk, CAP_MAC_OVERRIDE)) 947 if (rc != 0 && has_capability(tsk, CAP_MAC_OVERRIDE))
946 return 0; 948 return 0;
947 return rc; 949 return rc;
@@ -973,33 +975,75 @@ static int smack_file_receive(struct file *file)
973 */ 975 */
974 976
975/** 977/**
976 * smack_task_alloc_security - "allocate" a task blob 978 * smack_cred_free - "free" task-level security credentials
977 * @tsk: the task in need of a blob 979 * @cred: the credentials in question
978 * 980 *
979 * Smack isn't using copies of blobs. Everyone 981 * Smack isn't using copies of blobs. Everyone
980 * points to an immutable list. No alloc required. 982 * points to an immutable list. The blobs never go away.
981 * No data copy required. 983 * There is no leak here.
984 */
985static void smack_cred_free(struct cred *cred)
986{
987 cred->security = NULL;
988}
989
990/**
991 * smack_cred_prepare - prepare new set of credentials for modification
992 * @new: the new credentials
993 * @old: the original credentials
994 * @gfp: the atomicity of any memory allocations
995 *
996 * Prepare a new set of credentials for modification.
997 */
998static int smack_cred_prepare(struct cred *new, const struct cred *old,
999 gfp_t gfp)
1000{
1001 new->security = old->security;
1002 return 0;
1003}
1004
1005/*
1006 * commit new credentials
1007 * @new: the new credentials
1008 * @old: the original credentials
1009 */
1010static void smack_cred_commit(struct cred *new, const struct cred *old)
1011{
1012}
1013
1014/**
1015 * smack_kernel_act_as - Set the subjective context in a set of credentials
1016 * @new points to the set of credentials to be modified.
1017 * @secid specifies the security ID to be set
982 * 1018 *
983 * Always returns 0 1019 * Set the security data for a kernel service.
984 */ 1020 */
985static int smack_task_alloc_security(struct task_struct *tsk) 1021static int smack_kernel_act_as(struct cred *new, u32 secid)
986{ 1022{
987 tsk->security = current->security; 1023 char *smack = smack_from_secid(secid);
1024
1025 if (smack == NULL)
1026 return -EINVAL;
988 1027
1028 new->security = smack;
989 return 0; 1029 return 0;
990} 1030}
991 1031
992/** 1032/**
993 * smack_task_free_security - "free" a task blob 1033 * smack_kernel_create_files_as - Set the file creation label in a set of creds
994 * @task: the task with the blob 1034 * @new points to the set of credentials to be modified
1035 * @inode points to the inode to use as a reference
995 * 1036 *
996 * Smack isn't using copies of blobs. Everyone 1037 * Set the file creation context in a set of credentials to the same
997 * points to an immutable list. The blobs never go away. 1038 * as the objective context of the specified inode
998 * There is no leak here.
999 */ 1039 */
1000static void smack_task_free_security(struct task_struct *task) 1040static int smack_kernel_create_files_as(struct cred *new,
1041 struct inode *inode)
1001{ 1042{
1002 task->security = NULL; 1043 struct inode_smack *isp = inode->i_security;
1044
1045 new->security = isp->smk_inode;
1046 return 0;
1003} 1047}
1004 1048
1005/** 1049/**
@@ -1011,7 +1055,7 @@ static void smack_task_free_security(struct task_struct *task)
1011 */ 1055 */
1012static int smack_task_setpgid(struct task_struct *p, pid_t pgid) 1056static int smack_task_setpgid(struct task_struct *p, pid_t pgid)
1013{ 1057{
1014 return smk_curacc(p->security, MAY_WRITE); 1058 return smk_curacc(task_security(p), MAY_WRITE);
1015} 1059}
1016 1060
1017/** 1061/**
@@ -1022,7 +1066,7 @@ static int smack_task_setpgid(struct task_struct *p, pid_t pgid)
1022 */ 1066 */
1023static int smack_task_getpgid(struct task_struct *p) 1067static int smack_task_getpgid(struct task_struct *p)
1024{ 1068{
1025 return smk_curacc(p->security, MAY_READ); 1069 return smk_curacc(task_security(p), MAY_READ);
1026} 1070}
1027 1071
1028/** 1072/**
@@ -1033,7 +1077,7 @@ static int smack_task_getpgid(struct task_struct *p)
1033 */ 1077 */
1034static int smack_task_getsid(struct task_struct *p) 1078static int smack_task_getsid(struct task_struct *p)
1035{ 1079{
1036 return smk_curacc(p->security, MAY_READ); 1080 return smk_curacc(task_security(p), MAY_READ);
1037} 1081}
1038 1082
1039/** 1083/**
@@ -1045,7 +1089,7 @@ static int smack_task_getsid(struct task_struct *p)
1045 */ 1089 */
1046static void smack_task_getsecid(struct task_struct *p, u32 *secid) 1090static void smack_task_getsecid(struct task_struct *p, u32 *secid)
1047{ 1091{
1048 *secid = smack_to_secid(p->security); 1092 *secid = smack_to_secid(task_security(p));
1049} 1093}
1050 1094
1051/** 1095/**
@@ -1061,7 +1105,7 @@ static int smack_task_setnice(struct task_struct *p, int nice)
1061 1105
1062 rc = cap_task_setnice(p, nice); 1106 rc = cap_task_setnice(p, nice);
1063 if (rc == 0) 1107 if (rc == 0)
1064 rc = smk_curacc(p->security, MAY_WRITE); 1108 rc = smk_curacc(task_security(p), MAY_WRITE);
1065 return rc; 1109 return rc;
1066} 1110}
1067 1111
@@ -1078,7 +1122,7 @@ static int smack_task_setioprio(struct task_struct *p, int ioprio)
1078 1122
1079 rc = cap_task_setioprio(p, ioprio); 1123 rc = cap_task_setioprio(p, ioprio);
1080 if (rc == 0) 1124 if (rc == 0)
1081 rc = smk_curacc(p->security, MAY_WRITE); 1125 rc = smk_curacc(task_security(p), MAY_WRITE);
1082 return rc; 1126 return rc;
1083} 1127}
1084 1128
@@ -1090,7 +1134,7 @@ static int smack_task_setioprio(struct task_struct *p, int ioprio)
1090 */ 1134 */
1091static int smack_task_getioprio(struct task_struct *p) 1135static int smack_task_getioprio(struct task_struct *p)
1092{ 1136{
1093 return smk_curacc(p->security, MAY_READ); 1137 return smk_curacc(task_security(p), MAY_READ);
1094} 1138}
1095 1139
1096/** 1140/**
@@ -1108,7 +1152,7 @@ static int smack_task_setscheduler(struct task_struct *p, int policy,
1108 1152
1109 rc = cap_task_setscheduler(p, policy, lp); 1153 rc = cap_task_setscheduler(p, policy, lp);
1110 if (rc == 0) 1154 if (rc == 0)
1111 rc = smk_curacc(p->security, MAY_WRITE); 1155 rc = smk_curacc(task_security(p), MAY_WRITE);
1112 return rc; 1156 return rc;
1113} 1157}
1114 1158
@@ -1120,7 +1164,7 @@ static int smack_task_setscheduler(struct task_struct *p, int policy,
1120 */ 1164 */
1121static int smack_task_getscheduler(struct task_struct *p) 1165static int smack_task_getscheduler(struct task_struct *p)
1122{ 1166{
1123 return smk_curacc(p->security, MAY_READ); 1167 return smk_curacc(task_security(p), MAY_READ);
1124} 1168}
1125 1169
1126/** 1170/**
@@ -1131,7 +1175,7 @@ static int smack_task_getscheduler(struct task_struct *p)
1131 */ 1175 */
1132static int smack_task_movememory(struct task_struct *p) 1176static int smack_task_movememory(struct task_struct *p)
1133{ 1177{
1134 return smk_curacc(p->security, MAY_WRITE); 1178 return smk_curacc(task_security(p), MAY_WRITE);
1135} 1179}
1136 1180
1137/** 1181/**
@@ -1154,13 +1198,13 @@ static int smack_task_kill(struct task_struct *p, struct siginfo *info,
1154 * can write the receiver. 1198 * can write the receiver.
1155 */ 1199 */
1156 if (secid == 0) 1200 if (secid == 0)
1157 return smk_curacc(p->security, MAY_WRITE); 1201 return smk_curacc(task_security(p), MAY_WRITE);
1158 /* 1202 /*
1159 * If the secid isn't 0 we're dealing with some USB IO 1203 * If the secid isn't 0 we're dealing with some USB IO
1160 * specific behavior. This is not clean. For one thing 1204 * specific behavior. This is not clean. For one thing
1161 * we can't take privilege into account. 1205 * we can't take privilege into account.
1162 */ 1206 */
1163 return smk_access(smack_from_secid(secid), p->security, MAY_WRITE); 1207 return smk_access(smack_from_secid(secid), task_security(p), MAY_WRITE);
1164} 1208}
1165 1209
1166/** 1210/**
@@ -1173,7 +1217,7 @@ static int smack_task_wait(struct task_struct *p)
1173{ 1217{
1174 int rc; 1218 int rc;
1175 1219
1176 rc = smk_access(current->security, p->security, MAY_WRITE); 1220 rc = smk_access(current_security(), task_security(p), MAY_WRITE);
1177 if (rc == 0) 1221 if (rc == 0)
1178 return 0; 1222 return 0;
1179 1223
@@ -1204,7 +1248,7 @@ static int smack_task_wait(struct task_struct *p)
1204static void smack_task_to_inode(struct task_struct *p, struct inode *inode) 1248static void smack_task_to_inode(struct task_struct *p, struct inode *inode)
1205{ 1249{
1206 struct inode_smack *isp = inode->i_security; 1250 struct inode_smack *isp = inode->i_security;
1207 isp->smk_inode = p->security; 1251 isp->smk_inode = task_security(p);
1208} 1252}
1209 1253
1210/* 1254/*
@@ -1223,7 +1267,7 @@ static void smack_task_to_inode(struct task_struct *p, struct inode *inode)
1223 */ 1267 */
1224static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) 1268static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags)
1225{ 1269{
1226 char *csp = current->security; 1270 char *csp = current_security();
1227 struct socket_smack *ssp; 1271 struct socket_smack *ssp;
1228 1272
1229 ssp = kzalloc(sizeof(struct socket_smack), gfp_flags); 1273 ssp = kzalloc(sizeof(struct socket_smack), gfp_flags);
@@ -1448,7 +1492,7 @@ static int smack_flags_to_may(int flags)
1448 */ 1492 */
1449static int smack_msg_msg_alloc_security(struct msg_msg *msg) 1493static int smack_msg_msg_alloc_security(struct msg_msg *msg)
1450{ 1494{
1451 msg->security = current->security; 1495 msg->security = current_security();
1452 return 0; 1496 return 0;
1453} 1497}
1454 1498
@@ -1484,7 +1528,7 @@ static int smack_shm_alloc_security(struct shmid_kernel *shp)
1484{ 1528{
1485 struct kern_ipc_perm *isp = &shp->shm_perm; 1529 struct kern_ipc_perm *isp = &shp->shm_perm;
1486 1530
1487 isp->security = current->security; 1531 isp->security = current_security();
1488 return 0; 1532 return 0;
1489} 1533}
1490 1534
@@ -1593,7 +1637,7 @@ static int smack_sem_alloc_security(struct sem_array *sma)
1593{ 1637{
1594 struct kern_ipc_perm *isp = &sma->sem_perm; 1638 struct kern_ipc_perm *isp = &sma->sem_perm;
1595 1639
1596 isp->security = current->security; 1640 isp->security = current_security();
1597 return 0; 1641 return 0;
1598} 1642}
1599 1643
@@ -1697,7 +1741,7 @@ static int smack_msg_queue_alloc_security(struct msg_queue *msq)
1697{ 1741{
1698 struct kern_ipc_perm *kisp = &msq->q_perm; 1742 struct kern_ipc_perm *kisp = &msq->q_perm;
1699 1743
1700 kisp->security = current->security; 1744 kisp->security = current_security();
1701 return 0; 1745 return 0;
1702} 1746}
1703 1747
@@ -1852,7 +1896,7 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
1852 struct super_block *sbp; 1896 struct super_block *sbp;
1853 struct superblock_smack *sbsp; 1897 struct superblock_smack *sbsp;
1854 struct inode_smack *isp; 1898 struct inode_smack *isp;
1855 char *csp = current->security; 1899 char *csp = current_security();
1856 char *fetched; 1900 char *fetched;
1857 char *final; 1901 char *final;
1858 struct dentry *dp; 1902 struct dentry *dp;
@@ -2009,7 +2053,7 @@ static int smack_getprocattr(struct task_struct *p, char *name, char **value)
2009 if (strcmp(name, "current") != 0) 2053 if (strcmp(name, "current") != 0)
2010 return -EINVAL; 2054 return -EINVAL;
2011 2055
2012 cp = kstrdup(p->security, GFP_KERNEL); 2056 cp = kstrdup(task_security(p), GFP_KERNEL);
2013 if (cp == NULL) 2057 if (cp == NULL)
2014 return -ENOMEM; 2058 return -ENOMEM;
2015 2059
@@ -2033,6 +2077,7 @@ static int smack_getprocattr(struct task_struct *p, char *name, char **value)
2033static int smack_setprocattr(struct task_struct *p, char *name, 2077static int smack_setprocattr(struct task_struct *p, char *name,
2034 void *value, size_t size) 2078 void *value, size_t size)
2035{ 2079{
2080 struct cred *new;
2036 char *newsmack; 2081 char *newsmack;
2037 2082
2038 /* 2083 /*
@@ -2055,7 +2100,11 @@ static int smack_setprocattr(struct task_struct *p, char *name,
2055 if (newsmack == NULL) 2100 if (newsmack == NULL)
2056 return -EINVAL; 2101 return -EINVAL;
2057 2102
2058 p->security = newsmack; 2103 new = prepare_creds();
2104 if (!new)
2105 return -ENOMEM;
2106 new->security = newsmack;
2107 commit_creds(new);
2059 return size; 2108 return size;
2060} 2109}
2061 2110
@@ -2288,8 +2337,7 @@ static void smack_sock_graft(struct sock *sk, struct socket *parent)
2288 return; 2337 return;
2289 2338
2290 ssp = sk->sk_security; 2339 ssp = sk->sk_security;
2291 ssp->smk_in = current->security; 2340 ssp->smk_in = ssp->smk_out = current_security();
2292 ssp->smk_out = current->security;
2293 ssp->smk_packet[0] = '\0'; 2341 ssp->smk_packet[0] = '\0';
2294 2342
2295 rc = smack_netlabel(sk); 2343 rc = smack_netlabel(sk);
@@ -2352,17 +2400,17 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
2352/** 2400/**
2353 * smack_key_alloc - Set the key security blob 2401 * smack_key_alloc - Set the key security blob
2354 * @key: object 2402 * @key: object
2355 * @tsk: the task associated with the key 2403 * @cred: the credentials to use
2356 * @flags: unused 2404 * @flags: unused
2357 * 2405 *
2358 * No allocation required 2406 * No allocation required
2359 * 2407 *
2360 * Returns 0 2408 * Returns 0
2361 */ 2409 */
2362static int smack_key_alloc(struct key *key, struct task_struct *tsk, 2410static int smack_key_alloc(struct key *key, const struct cred *cred,
2363 unsigned long flags) 2411 unsigned long flags)
2364{ 2412{
2365 key->security = tsk->security; 2413 key->security = cred->security;
2366 return 0; 2414 return 0;
2367} 2415}
2368 2416
@@ -2380,14 +2428,14 @@ static void smack_key_free(struct key *key)
2380/* 2428/*
2381 * smack_key_permission - Smack access on a key 2429 * smack_key_permission - Smack access on a key
2382 * @key_ref: gets to the object 2430 * @key_ref: gets to the object
2383 * @context: task involved 2431 * @cred: the credentials to use
2384 * @perm: unused 2432 * @perm: unused
2385 * 2433 *
2386 * Return 0 if the task has read and write to the object, 2434 * Return 0 if the task has read and write to the object,
2387 * an error code otherwise 2435 * an error code otherwise
2388 */ 2436 */
2389static int smack_key_permission(key_ref_t key_ref, 2437static int smack_key_permission(key_ref_t key_ref,
2390 struct task_struct *context, key_perm_t perm) 2438 const struct cred *cred, key_perm_t perm)
2391{ 2439{
2392 struct key *keyp; 2440 struct key *keyp;
2393 2441
@@ -2403,10 +2451,10 @@ static int smack_key_permission(key_ref_t key_ref,
2403 /* 2451 /*
2404 * This should not occur 2452 * This should not occur
2405 */ 2453 */
2406 if (context->security == NULL) 2454 if (cred->security == NULL)
2407 return -EACCES; 2455 return -EACCES;
2408 2456
2409 return smk_access(context->security, keyp->security, MAY_READWRITE); 2457 return smk_access(cred->security, keyp->security, MAY_READWRITE);
2410} 2458}
2411#endif /* CONFIG_KEYS */ 2459#endif /* CONFIG_KEYS */
2412 2460
@@ -2577,15 +2625,13 @@ struct security_operations smack_ops = {
2577 .ptrace_may_access = smack_ptrace_may_access, 2625 .ptrace_may_access = smack_ptrace_may_access,
2578 .ptrace_traceme = smack_ptrace_traceme, 2626 .ptrace_traceme = smack_ptrace_traceme,
2579 .capget = cap_capget, 2627 .capget = cap_capget,
2580 .capset_check = cap_capset_check, 2628 .capset = cap_capset,
2581 .capset_set = cap_capset_set,
2582 .capable = cap_capable, 2629 .capable = cap_capable,
2583 .syslog = smack_syslog, 2630 .syslog = smack_syslog,
2584 .settime = cap_settime, 2631 .settime = cap_settime,
2585 .vm_enough_memory = cap_vm_enough_memory, 2632 .vm_enough_memory = cap_vm_enough_memory,
2586 2633
2587 .bprm_apply_creds = cap_bprm_apply_creds, 2634 .bprm_set_creds = cap_bprm_set_creds,
2588 .bprm_set_security = cap_bprm_set_security,
2589 .bprm_secureexec = cap_bprm_secureexec, 2635 .bprm_secureexec = cap_bprm_secureexec,
2590 2636
2591 .sb_alloc_security = smack_sb_alloc_security, 2637 .sb_alloc_security = smack_sb_alloc_security,
@@ -2627,9 +2673,12 @@ struct security_operations smack_ops = {
2627 .file_send_sigiotask = smack_file_send_sigiotask, 2673 .file_send_sigiotask = smack_file_send_sigiotask,
2628 .file_receive = smack_file_receive, 2674 .file_receive = smack_file_receive,
2629 2675
2630 .task_alloc_security = smack_task_alloc_security, 2676 .cred_free = smack_cred_free,
2631 .task_free_security = smack_task_free_security, 2677 .cred_prepare = smack_cred_prepare,
2632 .task_post_setuid = cap_task_post_setuid, 2678 .cred_commit = smack_cred_commit,
2679 .kernel_act_as = smack_kernel_act_as,
2680 .kernel_create_files_as = smack_kernel_create_files_as,
2681 .task_fix_setuid = cap_task_fix_setuid,
2633 .task_setpgid = smack_task_setpgid, 2682 .task_setpgid = smack_task_setpgid,
2634 .task_getpgid = smack_task_getpgid, 2683 .task_getpgid = smack_task_getpgid,
2635 .task_getsid = smack_task_getsid, 2684 .task_getsid = smack_task_getsid,
@@ -2642,7 +2691,6 @@ struct security_operations smack_ops = {
2642 .task_movememory = smack_task_movememory, 2691 .task_movememory = smack_task_movememory,
2643 .task_kill = smack_task_kill, 2692 .task_kill = smack_task_kill,
2644 .task_wait = smack_task_wait, 2693 .task_wait = smack_task_wait,
2645 .task_reparent_to_init = cap_task_reparent_to_init,
2646 .task_to_inode = smack_task_to_inode, 2694 .task_to_inode = smack_task_to_inode,
2647 .task_prctl = cap_task_prctl, 2695 .task_prctl = cap_task_prctl,
2648 2696
@@ -2718,6 +2766,8 @@ struct security_operations smack_ops = {
2718 */ 2766 */
2719static __init int smack_init(void) 2767static __init int smack_init(void)
2720{ 2768{
2769 struct cred *cred;
2770
2721 if (!security_module_enable(&smack_ops)) 2771 if (!security_module_enable(&smack_ops))
2722 return 0; 2772 return 0;
2723 2773
@@ -2726,7 +2776,8 @@ static __init int smack_init(void)
2726 /* 2776 /*
2727 * Set the security state for the initial task. 2777 * Set the security state for the initial task.
2728 */ 2778 */
2729 current->security = &smack_known_floor.smk_known; 2779 cred = (struct cred *) current->cred;
2780 cred->security = &smack_known_floor.smk_known;
2730 2781
2731 /* 2782 /*
2732 * Initialize locks 2783 * Initialize locks
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index c21d8c8bf0c7..ca257dfdc75d 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -336,7 +336,7 @@ static void smk_cipso_doi(void)
336 336
337 audit_info.loginuid = audit_get_loginuid(current); 337 audit_info.loginuid = audit_get_loginuid(current);
338 audit_info.sessionid = audit_get_sessionid(current); 338 audit_info.sessionid = audit_get_sessionid(current);
339 audit_info.secid = smack_to_secid(current->security); 339 audit_info.secid = smack_to_secid(current_security());
340 340
341 rc = netlbl_cfg_map_del(NULL, &audit_info); 341 rc = netlbl_cfg_map_del(NULL, &audit_info);
342 if (rc != 0) 342 if (rc != 0)
@@ -371,7 +371,7 @@ static void smk_unlbl_ambient(char *oldambient)
371 371
372 audit_info.loginuid = audit_get_loginuid(current); 372 audit_info.loginuid = audit_get_loginuid(current);
373 audit_info.sessionid = audit_get_sessionid(current); 373 audit_info.sessionid = audit_get_sessionid(current);
374 audit_info.secid = smack_to_secid(current->security); 374 audit_info.secid = smack_to_secid(current_security());
375 375
376 if (oldambient != NULL) { 376 if (oldambient != NULL) {
377 rc = netlbl_cfg_map_del(oldambient, &audit_info); 377 rc = netlbl_cfg_map_del(oldambient, &audit_info);
@@ -843,7 +843,7 @@ static ssize_t smk_write_onlycap(struct file *file, const char __user *buf,
843 size_t count, loff_t *ppos) 843 size_t count, loff_t *ppos)
844{ 844{
845 char in[SMK_LABELLEN]; 845 char in[SMK_LABELLEN];
846 char *sp = current->security; 846 char *sp = current->cred->security;
847 847
848 if (!capable(CAP_MAC_ADMIN)) 848 if (!capable(CAP_MAC_ADMIN))
849 return -EPERM; 849 return -EPERM;
generated by cgit v1.2.2 (git 2.25.0) at 2025-02-24 07:24:57 -0500