aboutsummaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
Diffstat (limited to 'security')
-rw-r--r--security/capability.c58
-rw-r--r--security/commoncap.c830
-rw-r--r--security/keys/internal.h49
-rw-r--r--security/keys/key.c25
-rw-r--r--security/keys/keyctl.c210
-rw-r--r--security/keys/keyring.c15
-rw-r--r--security/keys/permission.c29
-rw-r--r--security/keys/proc.c8
-rw-r--r--security/keys/process_keys.c469
-rw-r--r--security/keys/request_key.c135
-rw-r--r--security/keys/request_key_auth.c46
-rw-r--r--security/root_plug.c13
-rw-r--r--security/security.c103
-rw-r--r--security/selinux/exports.c8
-rw-r--r--security/selinux/hooks.c1254
-rw-r--r--security/selinux/include/av_perm_to_string.h2
-rw-r--r--security/selinux/include/av_permissions.h2
-rw-r--r--security/selinux/include/class_to_string.h5
-rw-r--r--security/selinux/include/flask.h1
-rw-r--r--security/selinux/include/objsec.h11
-rw-r--r--security/selinux/nlmsgtab.c3
-rw-r--r--security/selinux/selinuxfs.c13
-rw-r--r--security/selinux/xfrm.c6
-rw-r--r--security/smack/smack_access.c4
-rw-r--r--security/smack/smack_lsm.c176
-rw-r--r--security/smack/smackfs.c6
26 files changed, 1988 insertions, 1493 deletions
diff --git a/security/capability.c b/security/capability.c
index 245874819036..2dce66fcb992 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -32,24 +32,19 @@ static int cap_quota_on(struct dentry *dentry)
32 return 0; 32 return 0;
33} 33}
34 34
35static int cap_bprm_alloc_security(struct linux_binprm *bprm) 35static int cap_bprm_check_security (struct linux_binprm *bprm)
36{ 36{
37 return 0; 37 return 0;
38} 38}
39 39
40static void cap_bprm_free_security(struct linux_binprm *bprm) 40static void cap_bprm_committing_creds(struct linux_binprm *bprm)
41{ 41{
42} 42}
43 43
44static void cap_bprm_post_apply_creds(struct linux_binprm *bprm) 44static void cap_bprm_committed_creds(struct linux_binprm *bprm)
45{ 45{
46} 46}
47 47
48static int cap_bprm_check_security(struct linux_binprm *bprm)
49{
50 return 0;
51}
52
53static int cap_sb_alloc_security(struct super_block *sb) 48static int cap_sb_alloc_security(struct super_block *sb)
54{ 49{
55 return 0; 50 return 0;
@@ -64,7 +59,7 @@ static int cap_sb_copy_data(char *orig, char *copy)
64 return 0; 59 return 0;
65} 60}
66 61
67static int cap_sb_kern_mount(struct super_block *sb, void *data) 62static int cap_sb_kern_mount(struct super_block *sb, int flags, void *data)
68{ 63{
69 return 0; 64 return 0;
70} 65}
@@ -330,7 +325,7 @@ static int cap_file_receive(struct file *file)
330 return 0; 325 return 0;
331} 326}
332 327
333static int cap_dentry_open(struct file *file) 328static int cap_dentry_open(struct file *file, const struct cred *cred)
334{ 329{
335 return 0; 330 return 0;
336} 331}
@@ -340,15 +335,29 @@ static int cap_task_create(unsigned long clone_flags)
340 return 0; 335 return 0;
341} 336}
342 337
343static int cap_task_alloc_security(struct task_struct *p) 338static void cap_cred_free(struct cred *cred)
339{
340}
341
342static int cap_cred_prepare(struct cred *new, const struct cred *old, gfp_t gfp)
344{ 343{
345 return 0; 344 return 0;
346} 345}
347 346
348static void cap_task_free_security(struct task_struct *p) 347static void cap_cred_commit(struct cred *new, const struct cred *old)
349{ 348{
350} 349}
351 350
351static int cap_kernel_act_as(struct cred *new, u32 secid)
352{
353 return 0;
354}
355
356static int cap_kernel_create_files_as(struct cred *new, struct inode *inode)
357{
358 return 0;
359}
360
352static int cap_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) 361static int cap_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
353{ 362{
354 return 0; 363 return 0;
@@ -750,7 +759,7 @@ static void cap_release_secctx(char *secdata, u32 seclen)
750} 759}
751 760
752#ifdef CONFIG_KEYS 761#ifdef CONFIG_KEYS
753static int cap_key_alloc(struct key *key, struct task_struct *ctx, 762static int cap_key_alloc(struct key *key, const struct cred *cred,
754 unsigned long flags) 763 unsigned long flags)
755{ 764{
756 return 0; 765 return 0;
@@ -760,7 +769,7 @@ static void cap_key_free(struct key *key)
760{ 769{
761} 770}
762 771
763static int cap_key_permission(key_ref_t key_ref, struct task_struct *context, 772static int cap_key_permission(key_ref_t key_ref, const struct cred *cred,
764 key_perm_t perm) 773 key_perm_t perm)
765{ 774{
766 return 0; 775 return 0;
@@ -814,8 +823,7 @@ void security_fixup_ops(struct security_operations *ops)
814 set_to_cap_if_null(ops, ptrace_may_access); 823 set_to_cap_if_null(ops, ptrace_may_access);
815 set_to_cap_if_null(ops, ptrace_traceme); 824 set_to_cap_if_null(ops, ptrace_traceme);
816 set_to_cap_if_null(ops, capget); 825 set_to_cap_if_null(ops, capget);
817 set_to_cap_if_null(ops, capset_check); 826 set_to_cap_if_null(ops, capset);
818 set_to_cap_if_null(ops, capset_set);
819 set_to_cap_if_null(ops, acct); 827 set_to_cap_if_null(ops, acct);
820 set_to_cap_if_null(ops, capable); 828 set_to_cap_if_null(ops, capable);
821 set_to_cap_if_null(ops, quotactl); 829 set_to_cap_if_null(ops, quotactl);
@@ -824,11 +832,9 @@ void security_fixup_ops(struct security_operations *ops)
824 set_to_cap_if_null(ops, syslog); 832 set_to_cap_if_null(ops, syslog);
825 set_to_cap_if_null(ops, settime); 833 set_to_cap_if_null(ops, settime);
826 set_to_cap_if_null(ops, vm_enough_memory); 834 set_to_cap_if_null(ops, vm_enough_memory);
827 set_to_cap_if_null(ops, bprm_alloc_security); 835 set_to_cap_if_null(ops, bprm_set_creds);
828 set_to_cap_if_null(ops, bprm_free_security); 836 set_to_cap_if_null(ops, bprm_committing_creds);
829 set_to_cap_if_null(ops, bprm_apply_creds); 837 set_to_cap_if_null(ops, bprm_committed_creds);
830 set_to_cap_if_null(ops, bprm_post_apply_creds);
831 set_to_cap_if_null(ops, bprm_set_security);
832 set_to_cap_if_null(ops, bprm_check_security); 838 set_to_cap_if_null(ops, bprm_check_security);
833 set_to_cap_if_null(ops, bprm_secureexec); 839 set_to_cap_if_null(ops, bprm_secureexec);
834 set_to_cap_if_null(ops, sb_alloc_security); 840 set_to_cap_if_null(ops, sb_alloc_security);
@@ -890,10 +896,13 @@ void security_fixup_ops(struct security_operations *ops)
890 set_to_cap_if_null(ops, file_receive); 896 set_to_cap_if_null(ops, file_receive);
891 set_to_cap_if_null(ops, dentry_open); 897 set_to_cap_if_null(ops, dentry_open);
892 set_to_cap_if_null(ops, task_create); 898 set_to_cap_if_null(ops, task_create);
893 set_to_cap_if_null(ops, task_alloc_security); 899 set_to_cap_if_null(ops, cred_free);
894 set_to_cap_if_null(ops, task_free_security); 900 set_to_cap_if_null(ops, cred_prepare);
901 set_to_cap_if_null(ops, cred_commit);
902 set_to_cap_if_null(ops, kernel_act_as);
903 set_to_cap_if_null(ops, kernel_create_files_as);
895 set_to_cap_if_null(ops, task_setuid); 904 set_to_cap_if_null(ops, task_setuid);
896 set_to_cap_if_null(ops, task_post_setuid); 905 set_to_cap_if_null(ops, task_fix_setuid);
897 set_to_cap_if_null(ops, task_setgid); 906 set_to_cap_if_null(ops, task_setgid);
898 set_to_cap_if_null(ops, task_setpgid); 907 set_to_cap_if_null(ops, task_setpgid);
899 set_to_cap_if_null(ops, task_getpgid); 908 set_to_cap_if_null(ops, task_getpgid);
@@ -910,7 +919,6 @@ void security_fixup_ops(struct security_operations *ops)
910 set_to_cap_if_null(ops, task_wait); 919 set_to_cap_if_null(ops, task_wait);
911 set_to_cap_if_null(ops, task_kill); 920 set_to_cap_if_null(ops, task_kill);
912 set_to_cap_if_null(ops, task_prctl); 921 set_to_cap_if_null(ops, task_prctl);
913 set_to_cap_if_null(ops, task_reparent_to_init);
914 set_to_cap_if_null(ops, task_to_inode); 922 set_to_cap_if_null(ops, task_to_inode);
915 set_to_cap_if_null(ops, ipc_permission); 923 set_to_cap_if_null(ops, ipc_permission);
916 set_to_cap_if_null(ops, ipc_getsecid); 924 set_to_cap_if_null(ops, ipc_getsecid);
diff --git a/security/commoncap.c b/security/commoncap.c
index 3976613db829..79713545cd63 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -8,6 +8,7 @@
8 */ 8 */
9 9
10#include <linux/capability.h> 10#include <linux/capability.h>
11#include <linux/audit.h>
11#include <linux/module.h> 12#include <linux/module.h>
12#include <linux/init.h> 13#include <linux/init.h>
13#include <linux/kernel.h> 14#include <linux/kernel.h>
@@ -29,7 +30,7 @@
29 30
30int cap_netlink_send(struct sock *sk, struct sk_buff *skb) 31int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
31{ 32{
32 NETLINK_CB(skb).eff_cap = current->cap_effective; 33 NETLINK_CB(skb).eff_cap = current_cap();
33 return 0; 34 return 0;
34} 35}
35 36
@@ -39,23 +40,41 @@ int cap_netlink_recv(struct sk_buff *skb, int cap)
39 return -EPERM; 40 return -EPERM;
40 return 0; 41 return 0;
41} 42}
42
43EXPORT_SYMBOL(cap_netlink_recv); 43EXPORT_SYMBOL(cap_netlink_recv);
44 44
45/* 45/**
46 * cap_capable - Determine whether a task has a particular effective capability
47 * @tsk: The task to query
48 * @cap: The capability to check for
49 * @audit: Whether to write an audit message or not
50 *
51 * Determine whether the nominated task has the specified capability amongst
52 * its effective set, returning 0 if it does, -ve if it does not.
53 *
46 * NOTE WELL: cap_capable() cannot be used like the kernel's capable() 54 * NOTE WELL: cap_capable() cannot be used like the kernel's capable()
47 * function. That is, it has the reverse semantics: cap_capable() 55 * function. That is, it has the reverse semantics: cap_capable() returns 0
48 * returns 0 when a task has a capability, but the kernel's capable() 56 * when a task has a capability, but the kernel's capable() returns 1 for this
49 * returns 1 for this case. 57 * case.
50 */ 58 */
51int cap_capable (struct task_struct *tsk, int cap) 59int cap_capable(struct task_struct *tsk, int cap, int audit)
52{ 60{
61 __u32 cap_raised;
62
53 /* Derived from include/linux/sched.h:capable. */ 63 /* Derived from include/linux/sched.h:capable. */
54 if (cap_raised(tsk->cap_effective, cap)) 64 rcu_read_lock();
55 return 0; 65 cap_raised = cap_raised(__task_cred(tsk)->cap_effective, cap);
56 return -EPERM; 66 rcu_read_unlock();
67 return cap_raised ? 0 : -EPERM;
57} 68}
58 69
70/**
71 * cap_settime - Determine whether the current process may set the system clock
72 * @ts: The time to set
73 * @tz: The timezone to set
74 *
75 * Determine whether the current process may set the system clock and timezone
76 * information, returning 0 if permission granted, -ve if denied.
77 */
59int cap_settime(struct timespec *ts, struct timezone *tz) 78int cap_settime(struct timespec *ts, struct timezone *tz)
60{ 79{
61 if (!capable(CAP_SYS_TIME)) 80 if (!capable(CAP_SYS_TIME))
@@ -63,121 +82,157 @@ int cap_settime(struct timespec *ts, struct timezone *tz)
63 return 0; 82 return 0;
64} 83}
65 84
85/**
86 * cap_ptrace_may_access - Determine whether the current process may access
87 * another
88 * @child: The process to be accessed
89 * @mode: The mode of attachment.
90 *
91 * Determine whether a process may access another, returning 0 if permission
92 * granted, -ve if denied.
93 */
66int cap_ptrace_may_access(struct task_struct *child, unsigned int mode) 94int cap_ptrace_may_access(struct task_struct *child, unsigned int mode)
67{ 95{
68 /* Derived from arch/i386/kernel/ptrace.c:sys_ptrace. */ 96 int ret = 0;
69 if (cap_issubset(child->cap_permitted, current->cap_permitted)) 97
70 return 0; 98 rcu_read_lock();
71 if (capable(CAP_SYS_PTRACE)) 99 if (!cap_issubset(__task_cred(child)->cap_permitted,
72 return 0; 100 current_cred()->cap_permitted) &&
73 return -EPERM; 101 !capable(CAP_SYS_PTRACE))
102 ret = -EPERM;
103 rcu_read_unlock();
104 return ret;
74} 105}
75 106
107/**
108 * cap_ptrace_traceme - Determine whether another process may trace the current
109 * @parent: The task proposed to be the tracer
110 *
111 * Determine whether the nominated task is permitted to trace the current
112 * process, returning 0 if permission is granted, -ve if denied.
113 */
76int cap_ptrace_traceme(struct task_struct *parent) 114int cap_ptrace_traceme(struct task_struct *parent)
77{ 115{
78 /* Derived from arch/i386/kernel/ptrace.c:sys_ptrace. */ 116 int ret = 0;
79 if (cap_issubset(current->cap_permitted, parent->cap_permitted)) 117
80 return 0; 118 rcu_read_lock();
81 if (has_capability(parent, CAP_SYS_PTRACE)) 119 if (!cap_issubset(current_cred()->cap_permitted,
82 return 0; 120 __task_cred(parent)->cap_permitted) &&
83 return -EPERM; 121 !has_capability(parent, CAP_SYS_PTRACE))
122 ret = -EPERM;
123 rcu_read_unlock();
124 return ret;
84} 125}
85 126
86int cap_capget (struct task_struct *target, kernel_cap_t *effective, 127/**
87 kernel_cap_t *inheritable, kernel_cap_t *permitted) 128 * cap_capget - Retrieve a task's capability sets
129 * @target: The task from which to retrieve the capability sets
130 * @effective: The place to record the effective set
131 * @inheritable: The place to record the inheritable set
132 * @permitted: The place to record the permitted set
133 *
134 * This function retrieves the capabilities of the nominated task and returns
135 * them to the caller.
136 */
137int cap_capget(struct task_struct *target, kernel_cap_t *effective,
138 kernel_cap_t *inheritable, kernel_cap_t *permitted)
88{ 139{
140 const struct cred *cred;
141
89 /* Derived from kernel/capability.c:sys_capget. */ 142 /* Derived from kernel/capability.c:sys_capget. */
90 *effective = target->cap_effective; 143 rcu_read_lock();
91 *inheritable = target->cap_inheritable; 144 cred = __task_cred(target);
92 *permitted = target->cap_permitted; 145 *effective = cred->cap_effective;
146 *inheritable = cred->cap_inheritable;
147 *permitted = cred->cap_permitted;
148 rcu_read_unlock();
93 return 0; 149 return 0;
94} 150}
95 151
96#ifdef CONFIG_SECURITY_FILE_CAPABILITIES 152/*
97 153 * Determine whether the inheritable capabilities are limited to the old
98static inline int cap_block_setpcap(struct task_struct *target) 154 * permitted set. Returns 1 if they are limited, 0 if they are not.
99{ 155 */
100 /*
101 * No support for remote process capability manipulation with
102 * filesystem capability support.
103 */
104 return (target != current);
105}
106
107static inline int cap_inh_is_capped(void) 156static inline int cap_inh_is_capped(void)
108{ 157{
109 /* 158#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
110 * Return 1 if changes to the inheritable set are limited
111 * to the old permitted set. That is, if the current task
112 * does *not* possess the CAP_SETPCAP capability.
113 */
114 return (cap_capable(current, CAP_SETPCAP) != 0);
115}
116
117static inline int cap_limit_ptraced_target(void) { return 1; }
118
119#else /* ie., ndef CONFIG_SECURITY_FILE_CAPABILITIES */
120 159
121static inline int cap_block_setpcap(struct task_struct *t) { return 0; } 160 /* they are so limited unless the current task has the CAP_SETPCAP
122static inline int cap_inh_is_capped(void) { return 1; } 161 * capability
123static inline int cap_limit_ptraced_target(void) 162 */
124{ 163 if (cap_capable(current, CAP_SETPCAP, SECURITY_CAP_AUDIT) == 0)
125 return !capable(CAP_SETPCAP); 164 return 0;
165#endif
166 return 1;
126} 167}
127 168
128#endif /* def CONFIG_SECURITY_FILE_CAPABILITIES */ 169/**
129 170 * cap_capset - Validate and apply proposed changes to current's capabilities
130int cap_capset_check (struct task_struct *target, kernel_cap_t *effective, 171 * @new: The proposed new credentials; alterations should be made here
131 kernel_cap_t *inheritable, kernel_cap_t *permitted) 172 * @old: The current task's current credentials
132{ 173 * @effective: A pointer to the proposed new effective capabilities set
133 if (cap_block_setpcap(target)) { 174 * @inheritable: A pointer to the proposed new inheritable capabilities set
134 return -EPERM; 175 * @permitted: A pointer to the proposed new permitted capabilities set
135 } 176 *
136 if (cap_inh_is_capped() 177 * This function validates and applies a proposed mass change to the current
137 && !cap_issubset(*inheritable, 178 * process's capability sets. The changes are made to the proposed new
138 cap_combine(target->cap_inheritable, 179 * credentials, and assuming no error, will be committed by the caller of LSM.
139 current->cap_permitted))) { 180 */
181int cap_capset(struct cred *new,
182 const struct cred *old,
183 const kernel_cap_t *effective,
184 const kernel_cap_t *inheritable,
185 const kernel_cap_t *permitted)
186{
187 if (cap_inh_is_capped() &&
188 !cap_issubset(*inheritable,
189 cap_combine(old->cap_inheritable,
190 old->cap_permitted)))
140 /* incapable of using this inheritable set */ 191 /* incapable of using this inheritable set */
141 return -EPERM; 192 return -EPERM;
142 } 193
143 if (!cap_issubset(*inheritable, 194 if (!cap_issubset(*inheritable,
144 cap_combine(target->cap_inheritable, 195 cap_combine(old->cap_inheritable,
145 current->cap_bset))) { 196 old->cap_bset)))
146 /* no new pI capabilities outside bounding set */ 197 /* no new pI capabilities outside bounding set */
147 return -EPERM; 198 return -EPERM;
148 }
149 199
150 /* verify restrictions on target's new Permitted set */ 200 /* verify restrictions on target's new Permitted set */
151 if (!cap_issubset (*permitted, 201 if (!cap_issubset(*permitted, old->cap_permitted))
152 cap_combine (target->cap_permitted,
153 current->cap_permitted))) {
154 return -EPERM; 202 return -EPERM;
155 }
156 203
157 /* verify the _new_Effective_ is a subset of the _new_Permitted_ */ 204 /* verify the _new_Effective_ is a subset of the _new_Permitted_ */
158 if (!cap_issubset (*effective, *permitted)) { 205 if (!cap_issubset(*effective, *permitted))
159 return -EPERM; 206 return -EPERM;
160 }
161 207
208 new->cap_effective = *effective;
209 new->cap_inheritable = *inheritable;
210 new->cap_permitted = *permitted;
162 return 0; 211 return 0;
163} 212}
164 213
165void cap_capset_set (struct task_struct *target, kernel_cap_t *effective, 214/*
166 kernel_cap_t *inheritable, kernel_cap_t *permitted) 215 * Clear proposed capability sets for execve().
167{ 216 */
168 target->cap_effective = *effective;
169 target->cap_inheritable = *inheritable;
170 target->cap_permitted = *permitted;
171}
172
173static inline void bprm_clear_caps(struct linux_binprm *bprm) 217static inline void bprm_clear_caps(struct linux_binprm *bprm)
174{ 218{
175 cap_clear(bprm->cap_post_exec_permitted); 219 cap_clear(bprm->cred->cap_permitted);
176 bprm->cap_effective = false; 220 bprm->cap_effective = false;
177} 221}
178 222
179#ifdef CONFIG_SECURITY_FILE_CAPABILITIES 223#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
180 224
225/**
226 * cap_inode_need_killpriv - Determine if inode change affects privileges
227 * @dentry: The inode/dentry in being changed with change marked ATTR_KILL_PRIV
228 *
229 * Determine if an inode having a change applied that's marked ATTR_KILL_PRIV
230 * affects the security markings on that inode, and if it is, should
231 * inode_killpriv() be invoked or the change rejected?
232 *
233 * Returns 0 if granted; +ve if granted, but inode_killpriv() is required; and
234 * -ve to deny the change.
235 */
181int cap_inode_need_killpriv(struct dentry *dentry) 236int cap_inode_need_killpriv(struct dentry *dentry)
182{ 237{
183 struct inode *inode = dentry->d_inode; 238 struct inode *inode = dentry->d_inode;
@@ -192,6 +247,14 @@ int cap_inode_need_killpriv(struct dentry *dentry)
192 return 1; 247 return 1;
193} 248}
194 249
250/**
251 * cap_inode_killpriv - Erase the security markings on an inode
252 * @dentry: The inode/dentry to alter
253 *
254 * Erase the privilege-enhancing security markings on an inode.
255 *
256 * Returns 0 if successful, -ve on error.
257 */
195int cap_inode_killpriv(struct dentry *dentry) 258int cap_inode_killpriv(struct dentry *dentry)
196{ 259{
197 struct inode *inode = dentry->d_inode; 260 struct inode *inode = dentry->d_inode;
@@ -202,19 +265,75 @@ int cap_inode_killpriv(struct dentry *dentry)
202 return inode->i_op->removexattr(dentry, XATTR_NAME_CAPS); 265 return inode->i_op->removexattr(dentry, XATTR_NAME_CAPS);
203} 266}
204 267
205static inline int cap_from_disk(struct vfs_cap_data *caps, 268/*
206 struct linux_binprm *bprm, unsigned size) 269 * Calculate the new process capability sets from the capability sets attached
270 * to a file.
271 */
272static inline int bprm_caps_from_vfs_caps(struct cpu_vfs_cap_data *caps,
273 struct linux_binprm *bprm,
274 bool *effective)
275{
276 struct cred *new = bprm->cred;
277 unsigned i;
278 int ret = 0;
279
280 if (caps->magic_etc & VFS_CAP_FLAGS_EFFECTIVE)
281 *effective = true;
282
283 CAP_FOR_EACH_U32(i) {
284 __u32 permitted = caps->permitted.cap[i];
285 __u32 inheritable = caps->inheritable.cap[i];
286
287 /*
288 * pP' = (X & fP) | (pI & fI)
289 */
290 new->cap_permitted.cap[i] =
291 (new->cap_bset.cap[i] & permitted) |
292 (new->cap_inheritable.cap[i] & inheritable);
293
294 if (permitted & ~new->cap_permitted.cap[i])
295 /* insufficient to execute correctly */
296 ret = -EPERM;
297 }
298
299 /*
300 * For legacy apps, with no internal support for recognizing they
301 * do not have enough capabilities, we return an error if they are
302 * missing some "forced" (aka file-permitted) capabilities.
303 */
304 return *effective ? ret : 0;
305}
306
307/*
308 * Extract the on-exec-apply capability sets for an executable file.
309 */
310int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps)
207{ 311{
312 struct inode *inode = dentry->d_inode;
208 __u32 magic_etc; 313 __u32 magic_etc;
209 unsigned tocopy, i; 314 unsigned tocopy, i;
210 int ret; 315 int size;
316 struct vfs_cap_data caps;
317
318 memset(cpu_caps, 0, sizeof(struct cpu_vfs_cap_data));
319
320 if (!inode || !inode->i_op || !inode->i_op->getxattr)
321 return -ENODATA;
322
323 size = inode->i_op->getxattr((struct dentry *)dentry, XATTR_NAME_CAPS, &caps,
324 XATTR_CAPS_SZ);
325 if (size == -ENODATA || size == -EOPNOTSUPP)
326 /* no data, that's ok */
327 return -ENODATA;
328 if (size < 0)
329 return size;
211 330
212 if (size < sizeof(magic_etc)) 331 if (size < sizeof(magic_etc))
213 return -EINVAL; 332 return -EINVAL;
214 333
215 magic_etc = le32_to_cpu(caps->magic_etc); 334 cpu_caps->magic_etc = magic_etc = le32_to_cpu(caps.magic_etc);
216 335
217 switch ((magic_etc & VFS_CAP_REVISION_MASK)) { 336 switch (magic_etc & VFS_CAP_REVISION_MASK) {
218 case VFS_CAP_REVISION_1: 337 case VFS_CAP_REVISION_1:
219 if (size != XATTR_CAPS_SZ_1) 338 if (size != XATTR_CAPS_SZ_1)
220 return -EINVAL; 339 return -EINVAL;
@@ -229,77 +348,48 @@ static inline int cap_from_disk(struct vfs_cap_data *caps,
229 return -EINVAL; 348 return -EINVAL;
230 } 349 }
231 350
232 if (magic_etc & VFS_CAP_FLAGS_EFFECTIVE) {
233 bprm->cap_effective = true;
234 } else {
235 bprm->cap_effective = false;
236 }
237
238 ret = 0;
239
240 CAP_FOR_EACH_U32(i) { 351 CAP_FOR_EACH_U32(i) {
241 __u32 value_cpu; 352 if (i >= tocopy)
242 353 break;
243 if (i >= tocopy) { 354 cpu_caps->permitted.cap[i] = le32_to_cpu(caps.data[i].permitted);
244 /* 355 cpu_caps->inheritable.cap[i] = le32_to_cpu(caps.data[i].inheritable);
245 * Legacy capability sets have no upper bits
246 */
247 bprm->cap_post_exec_permitted.cap[i] = 0;
248 continue;
249 }
250 /*
251 * pP' = (X & fP) | (pI & fI)
252 */
253 value_cpu = le32_to_cpu(caps->data[i].permitted);
254 bprm->cap_post_exec_permitted.cap[i] =
255 (current->cap_bset.cap[i] & value_cpu) |
256 (current->cap_inheritable.cap[i] &
257 le32_to_cpu(caps->data[i].inheritable));
258 if (value_cpu & ~bprm->cap_post_exec_permitted.cap[i]) {
259 /*
260 * insufficient to execute correctly
261 */
262 ret = -EPERM;
263 }
264 } 356 }
265 357
266 /* 358 return 0;
267 * For legacy apps, with no internal support for recognizing they
268 * do not have enough capabilities, we return an error if they are
269 * missing some "forced" (aka file-permitted) capabilities.
270 */
271 return bprm->cap_effective ? ret : 0;
272} 359}
273 360
274/* Locate any VFS capabilities: */ 361/*
275static int get_file_caps(struct linux_binprm *bprm) 362 * Attempt to get the on-exec apply capability sets for an executable file from
363 * its xattrs and, if present, apply them to the proposed credentials being
364 * constructed by execve().
365 */
366static int get_file_caps(struct linux_binprm *bprm, bool *effective)
276{ 367{
277 struct dentry *dentry; 368 struct dentry *dentry;
278 int rc = 0; 369 int rc = 0;
279 struct vfs_cap_data vcaps; 370 struct cpu_vfs_cap_data vcaps;
280 struct inode *inode;
281 371
282 bprm_clear_caps(bprm); 372 bprm_clear_caps(bprm);
283 373
374 if (!file_caps_enabled)
375 return 0;
376
284 if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID) 377 if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
285 return 0; 378 return 0;
286 379
287 dentry = dget(bprm->file->f_dentry); 380 dentry = dget(bprm->file->f_dentry);
288 inode = dentry->d_inode;
289 if (!inode->i_op || !inode->i_op->getxattr)
290 goto out;
291 381
292 rc = inode->i_op->getxattr(dentry, XATTR_NAME_CAPS, &vcaps, 382 rc = get_vfs_caps_from_disk(dentry, &vcaps);
293 XATTR_CAPS_SZ); 383 if (rc < 0) {
294 if (rc == -ENODATA || rc == -EOPNOTSUPP) { 384 if (rc == -EINVAL)
295 /* no data, that's ok */ 385 printk(KERN_NOTICE "%s: get_vfs_caps_from_disk returned %d for %s\n",
296 rc = 0; 386 __func__, rc, bprm->filename);
387 else if (rc == -ENODATA)
388 rc = 0;
297 goto out; 389 goto out;
298 } 390 }
299 if (rc < 0)
300 goto out;
301 391
302 rc = cap_from_disk(&vcaps, bprm, rc); 392 rc = bprm_caps_from_vfs_caps(&vcaps, bprm, effective);
303 if (rc == -EINVAL) 393 if (rc == -EINVAL)
304 printk(KERN_NOTICE "%s: cap_from_disk returned %d for %s\n", 394 printk(KERN_NOTICE "%s: cap_from_disk returned %d for %s\n",
305 __func__, rc, bprm->filename); 395 __func__, rc, bprm->filename);
@@ -323,18 +413,57 @@ int cap_inode_killpriv(struct dentry *dentry)
323 return 0; 413 return 0;
324} 414}
325 415
326static inline int get_file_caps(struct linux_binprm *bprm) 416int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps)
417{
418 memset(cpu_caps, 0, sizeof(struct cpu_vfs_cap_data));
419 return -ENODATA;
420}
421
422static inline int get_file_caps(struct linux_binprm *bprm, bool *effective)
327{ 423{
328 bprm_clear_caps(bprm); 424 bprm_clear_caps(bprm);
329 return 0; 425 return 0;
330} 426}
331#endif 427#endif
332 428
333int cap_bprm_set_security (struct linux_binprm *bprm) 429/*
430 * Determine whether a exec'ing process's new permitted capabilities should be
431 * limited to just what it already has.
432 *
433 * This prevents processes that are being ptraced from gaining access to
434 * CAP_SETPCAP, unless the process they're tracing already has it, and the
435 * binary they're executing has filecaps that elevate it.
436 *
437 * Returns 1 if they should be limited, 0 if they are not.
438 */
439static inline int cap_limit_ptraced_target(void)
440{
441#ifndef CONFIG_SECURITY_FILE_CAPABILITIES
442 if (capable(CAP_SETPCAP))
443 return 0;
444#endif
445 return 1;
446}
447
448/**
449 * cap_bprm_set_creds - Set up the proposed credentials for execve().
450 * @bprm: The execution parameters, including the proposed creds
451 *
452 * Set up the proposed credentials for a new execution context being
453 * constructed by execve(). The proposed creds in @bprm->cred is altered,
454 * which won't take effect immediately. Returns 0 if successful, -ve on error.
455 */
456int cap_bprm_set_creds(struct linux_binprm *bprm)
334{ 457{
458 const struct cred *old = current_cred();
459 struct cred *new = bprm->cred;
460 bool effective;
335 int ret; 461 int ret;
336 462
337 ret = get_file_caps(bprm); 463 effective = false;
464 ret = get_file_caps(bprm, &effective);
465 if (ret < 0)
466 return ret;
338 467
339 if (!issecure(SECURE_NOROOT)) { 468 if (!issecure(SECURE_NOROOT)) {
340 /* 469 /*
@@ -342,75 +471,113 @@ int cap_bprm_set_security (struct linux_binprm *bprm)
342 * executables under compatibility mode, we override the 471 * executables under compatibility mode, we override the
343 * capability sets for the file. 472 * capability sets for the file.
344 * 473 *
345 * If only the real uid is 0, we do not set the effective 474 * If only the real uid is 0, we do not set the effective bit.
346 * bit.
347 */ 475 */
348 if (bprm->e_uid == 0 || current->uid == 0) { 476 if (new->euid == 0 || new->uid == 0) {
349 /* pP' = (cap_bset & ~0) | (pI & ~0) */ 477 /* pP' = (cap_bset & ~0) | (pI & ~0) */
350 bprm->cap_post_exec_permitted = cap_combine( 478 new->cap_permitted = cap_combine(old->cap_bset,
351 current->cap_bset, current->cap_inheritable 479 old->cap_inheritable);
352 );
353 bprm->cap_effective = (bprm->e_uid == 0);
354 ret = 0;
355 } 480 }
481 if (new->euid == 0)
482 effective = true;
356 } 483 }
357 484
358 return ret; 485 /* Don't let someone trace a set[ug]id/setpcap binary with the revised
359} 486 * credentials unless they have the appropriate permit
360 487 */
361void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe) 488 if ((new->euid != old->uid ||
362{ 489 new->egid != old->gid ||
363 if (bprm->e_uid != current->uid || bprm->e_gid != current->gid || 490 !cap_issubset(new->cap_permitted, old->cap_permitted)) &&
364 !cap_issubset(bprm->cap_post_exec_permitted, 491 bprm->unsafe & ~LSM_UNSAFE_PTRACE_CAP) {
365 current->cap_permitted)) { 492 /* downgrade; they get no more than they had, and maybe less */
366 set_dumpable(current->mm, suid_dumpable); 493 if (!capable(CAP_SETUID)) {
367 current->pdeath_signal = 0; 494 new->euid = new->uid;
368 495 new->egid = new->gid;
369 if (unsafe & ~LSM_UNSAFE_PTRACE_CAP) {
370 if (!capable(CAP_SETUID)) {
371 bprm->e_uid = current->uid;
372 bprm->e_gid = current->gid;
373 }
374 if (cap_limit_ptraced_target()) {
375 bprm->cap_post_exec_permitted = cap_intersect(
376 bprm->cap_post_exec_permitted,
377 current->cap_permitted);
378 }
379 } 496 }
497 if (cap_limit_ptraced_target())
498 new->cap_permitted = cap_intersect(new->cap_permitted,
499 old->cap_permitted);
380 } 500 }
381 501
382 current->suid = current->euid = current->fsuid = bprm->e_uid; 502 new->suid = new->fsuid = new->euid;
383 current->sgid = current->egid = current->fsgid = bprm->e_gid; 503 new->sgid = new->fsgid = new->egid;
384 504
385 /* For init, we want to retain the capabilities set 505 /* For init, we want to retain the capabilities set in the initial
386 * in the init_task struct. Thus we skip the usual 506 * task. Thus we skip the usual capability rules
387 * capability rules */ 507 */
388 if (!is_global_init(current)) { 508 if (!is_global_init(current)) {
389 current->cap_permitted = bprm->cap_post_exec_permitted; 509 if (effective)
390 if (bprm->cap_effective) 510 new->cap_effective = new->cap_permitted;
391 current->cap_effective = bprm->cap_post_exec_permitted;
392 else 511 else
393 cap_clear(current->cap_effective); 512 cap_clear(new->cap_effective);
394 } 513 }
514 bprm->cap_effective = effective;
395 515
396 /* AUD: Audit candidate if current->cap_effective is set */ 516 /*
517 * Audit candidate if current->cap_effective is set
518 *
519 * We do not bother to audit if 3 things are true:
520 * 1) cap_effective has all caps
521 * 2) we are root
522 * 3) root is supposed to have all caps (SECURE_NOROOT)
523 * Since this is just a normal root execing a process.
524 *
525 * Number 1 above might fail if you don't have a full bset, but I think
526 * that is interesting information to audit.
527 */
528 if (!cap_isclear(new->cap_effective)) {
529 if (!cap_issubset(CAP_FULL_SET, new->cap_effective) ||
530 new->euid != 0 || new->uid != 0 ||
531 issecure(SECURE_NOROOT)) {
532 ret = audit_log_bprm_fcaps(bprm, new, old);
533 if (ret < 0)
534 return ret;
535 }
536 }
397 537
398 current->securebits &= ~issecure_mask(SECURE_KEEP_CAPS); 538 new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS);
539 return 0;
399} 540}
400 541
401int cap_bprm_secureexec (struct linux_binprm *bprm) 542/**
543 * cap_bprm_secureexec - Determine whether a secure execution is required
544 * @bprm: The execution parameters
545 *
546 * Determine whether a secure execution is required, return 1 if it is, and 0
547 * if it is not.
548 *
549 * The credentials have been committed by this point, and so are no longer
550 * available through @bprm->cred.
551 */
552int cap_bprm_secureexec(struct linux_binprm *bprm)
402{ 553{
403 if (current->uid != 0) { 554 const struct cred *cred = current_cred();
555
556 if (cred->uid != 0) {
404 if (bprm->cap_effective) 557 if (bprm->cap_effective)
405 return 1; 558 return 1;
406 if (!cap_isclear(bprm->cap_post_exec_permitted)) 559 if (!cap_isclear(cred->cap_permitted))
407 return 1; 560 return 1;
408 } 561 }
409 562
410 return (current->euid != current->uid || 563 return (cred->euid != cred->uid ||
411 current->egid != current->gid); 564 cred->egid != cred->gid);
412} 565}
413 566
567/**
568 * cap_inode_setxattr - Determine whether an xattr may be altered
569 * @dentry: The inode/dentry being altered
570 * @name: The name of the xattr to be changed
571 * @value: The value that the xattr will be changed to
572 * @size: The size of value
573 * @flags: The replacement flag
574 *
575 * Determine whether an xattr may be altered or set on an inode, returning 0 if
576 * permission is granted, -ve if denied.
577 *
578 * This is used to make sure security xattrs don't get updated or set by those
579 * who aren't privileged to do so.
580 */
414int cap_inode_setxattr(struct dentry *dentry, const char *name, 581int cap_inode_setxattr(struct dentry *dentry, const char *name,
415 const void *value, size_t size, int flags) 582 const void *value, size_t size, int flags)
416{ 583{
@@ -418,28 +585,42 @@ int cap_inode_setxattr(struct dentry *dentry, const char *name,
418 if (!capable(CAP_SETFCAP)) 585 if (!capable(CAP_SETFCAP))
419 return -EPERM; 586 return -EPERM;
420 return 0; 587 return 0;
421 } else if (!strncmp(name, XATTR_SECURITY_PREFIX, 588 }
589
590 if (!strncmp(name, XATTR_SECURITY_PREFIX,
422 sizeof(XATTR_SECURITY_PREFIX) - 1) && 591 sizeof(XATTR_SECURITY_PREFIX) - 1) &&
423 !capable(CAP_SYS_ADMIN)) 592 !capable(CAP_SYS_ADMIN))
424 return -EPERM; 593 return -EPERM;
425 return 0; 594 return 0;
426} 595}
427 596
597/**
598 * cap_inode_removexattr - Determine whether an xattr may be removed
599 * @dentry: The inode/dentry being altered
600 * @name: The name of the xattr to be changed
601 *
602 * Determine whether an xattr may be removed from an inode, returning 0 if
603 * permission is granted, -ve if denied.
604 *
605 * This is used to make sure security xattrs don't get removed by those who
606 * aren't privileged to remove them.
607 */
428int cap_inode_removexattr(struct dentry *dentry, const char *name) 608int cap_inode_removexattr(struct dentry *dentry, const char *name)
429{ 609{
430 if (!strcmp(name, XATTR_NAME_CAPS)) { 610 if (!strcmp(name, XATTR_NAME_CAPS)) {
431 if (!capable(CAP_SETFCAP)) 611 if (!capable(CAP_SETFCAP))
432 return -EPERM; 612 return -EPERM;
433 return 0; 613 return 0;
434 } else if (!strncmp(name, XATTR_SECURITY_PREFIX, 614 }
615
616 if (!strncmp(name, XATTR_SECURITY_PREFIX,
435 sizeof(XATTR_SECURITY_PREFIX) - 1) && 617 sizeof(XATTR_SECURITY_PREFIX) - 1) &&
436 !capable(CAP_SYS_ADMIN)) 618 !capable(CAP_SYS_ADMIN))
437 return -EPERM; 619 return -EPERM;
438 return 0; 620 return 0;
439} 621}
440 622
441/* moved from kernel/sys.c. */ 623/*
442/*
443 * cap_emulate_setxuid() fixes the effective / permitted capabilities of 624 * cap_emulate_setxuid() fixes the effective / permitted capabilities of
444 * a process after a call to setuid, setreuid, or setresuid. 625 * a process after a call to setuid, setreuid, or setresuid.
445 * 626 *
@@ -453,10 +634,10 @@ int cap_inode_removexattr(struct dentry *dentry, const char *name)
453 * 3) When set*uiding _from_ euid != 0 _to_ euid == 0, the effective 634 * 3) When set*uiding _from_ euid != 0 _to_ euid == 0, the effective
454 * capabilities are set to the permitted capabilities. 635 * capabilities are set to the permitted capabilities.
455 * 636 *
456 * fsuid is handled elsewhere. fsuid == 0 and {r,e,s}uid!= 0 should 637 * fsuid is handled elsewhere. fsuid == 0 and {r,e,s}uid!= 0 should
457 * never happen. 638 * never happen.
458 * 639 *
459 * -astor 640 * -astor
460 * 641 *
461 * cevans - New behaviour, Oct '99 642 * cevans - New behaviour, Oct '99
462 * A process may, via prctl(), elect to keep its capabilities when it 643 * A process may, via prctl(), elect to keep its capabilities when it
@@ -468,61 +649,60 @@ int cap_inode_removexattr(struct dentry *dentry, const char *name)
468 * files.. 649 * files..
469 * Thanks to Olaf Kirch and Peter Benie for spotting this. 650 * Thanks to Olaf Kirch and Peter Benie for spotting this.
470 */ 651 */
471static inline void cap_emulate_setxuid (int old_ruid, int old_euid, 652static inline void cap_emulate_setxuid(struct cred *new, const struct cred *old)
472 int old_suid)
473{ 653{
474 if ((old_ruid == 0 || old_euid == 0 || old_suid == 0) && 654 if ((old->uid == 0 || old->euid == 0 || old->suid == 0) &&
475 (current->uid != 0 && current->euid != 0 && current->suid != 0) && 655 (new->uid != 0 && new->euid != 0 && new->suid != 0) &&
476 !issecure(SECURE_KEEP_CAPS)) { 656 !issecure(SECURE_KEEP_CAPS)) {
477 cap_clear (current->cap_permitted); 657 cap_clear(new->cap_permitted);
478 cap_clear (current->cap_effective); 658 cap_clear(new->cap_effective);
479 }
480 if (old_euid == 0 && current->euid != 0) {
481 cap_clear (current->cap_effective);
482 }
483 if (old_euid != 0 && current->euid == 0) {
484 current->cap_effective = current->cap_permitted;
485 } 659 }
660 if (old->euid == 0 && new->euid != 0)
661 cap_clear(new->cap_effective);
662 if (old->euid != 0 && new->euid == 0)
663 new->cap_effective = new->cap_permitted;
486} 664}
487 665
488int cap_task_post_setuid (uid_t old_ruid, uid_t old_euid, uid_t old_suid, 666/**
489 int flags) 667 * cap_task_fix_setuid - Fix up the results of setuid() call
668 * @new: The proposed credentials
669 * @old: The current task's current credentials
670 * @flags: Indications of what has changed
671 *
672 * Fix up the results of setuid() call before the credential changes are
673 * actually applied, returning 0 to grant the changes, -ve to deny them.
674 */
675int cap_task_fix_setuid(struct cred *new, const struct cred *old, int flags)
490{ 676{
491 switch (flags) { 677 switch (flags) {
492 case LSM_SETID_RE: 678 case LSM_SETID_RE:
493 case LSM_SETID_ID: 679 case LSM_SETID_ID:
494 case LSM_SETID_RES: 680 case LSM_SETID_RES:
495 /* Copied from kernel/sys.c:setreuid/setuid/setresuid. */ 681 /* juggle the capabilities to follow [RES]UID changes unless
496 if (!issecure (SECURE_NO_SETUID_FIXUP)) { 682 * otherwise suppressed */
497 cap_emulate_setxuid (old_ruid, old_euid, old_suid); 683 if (!issecure(SECURE_NO_SETUID_FIXUP))
498 } 684 cap_emulate_setxuid(new, old);
499 break; 685 break;
500 case LSM_SETID_FS:
501 {
502 uid_t old_fsuid = old_ruid;
503 686
504 /* Copied from kernel/sys.c:setfsuid. */ 687 case LSM_SETID_FS:
505 688 /* juggle the capabilties to follow FSUID changes, unless
506 /* 689 * otherwise suppressed
507 * FIXME - is fsuser used for all CAP_FS_MASK capabilities? 690 *
508 * if not, we might be a bit too harsh here. 691 * FIXME - is fsuser used for all CAP_FS_MASK capabilities?
509 */ 692 * if not, we might be a bit too harsh here.
510 693 */
511 if (!issecure (SECURE_NO_SETUID_FIXUP)) { 694 if (!issecure(SECURE_NO_SETUID_FIXUP)) {
512 if (old_fsuid == 0 && current->fsuid != 0) { 695 if (old->fsuid == 0 && new->fsuid != 0)
513 current->cap_effective = 696 new->cap_effective =
514 cap_drop_fs_set( 697 cap_drop_fs_set(new->cap_effective);
515 current->cap_effective); 698
516 } 699 if (old->fsuid != 0 && new->fsuid == 0)
517 if (old_fsuid != 0 && current->fsuid == 0) { 700 new->cap_effective =
518 current->cap_effective = 701 cap_raise_fs_set(new->cap_effective,
519 cap_raise_fs_set( 702 new->cap_permitted);
520 current->cap_effective,
521 current->cap_permitted);
522 }
523 }
524 break;
525 } 703 }
704 break;
705
526 default: 706 default:
527 return -EINVAL; 707 return -EINVAL;
528 } 708 }
@@ -543,42 +723,71 @@ int cap_task_post_setuid (uid_t old_ruid, uid_t old_euid, uid_t old_suid,
543 */ 723 */
544static int cap_safe_nice(struct task_struct *p) 724static int cap_safe_nice(struct task_struct *p)
545{ 725{
546 if (!cap_issubset(p->cap_permitted, current->cap_permitted) && 726 int is_subset;
547 !capable(CAP_SYS_NICE)) 727
728 rcu_read_lock();
729 is_subset = cap_issubset(__task_cred(p)->cap_permitted,
730 current_cred()->cap_permitted);
731 rcu_read_unlock();
732
733 if (!is_subset && !capable(CAP_SYS_NICE))
548 return -EPERM; 734 return -EPERM;
549 return 0; 735 return 0;
550} 736}
551 737
552int cap_task_setscheduler (struct task_struct *p, int policy, 738/**
739 * cap_task_setscheduler - Detemine if scheduler policy change is permitted
740 * @p: The task to affect
741 * @policy: The policy to effect
742 * @lp: The parameters to the scheduling policy
743 *
744 * Detemine if the requested scheduler policy change is permitted for the
745 * specified task, returning 0 if permission is granted, -ve if denied.
746 */
747int cap_task_setscheduler(struct task_struct *p, int policy,
553 struct sched_param *lp) 748 struct sched_param *lp)
554{ 749{
555 return cap_safe_nice(p); 750 return cap_safe_nice(p);
556} 751}
557 752
558int cap_task_setioprio (struct task_struct *p, int ioprio) 753/**
754 * cap_task_ioprio - Detemine if I/O priority change is permitted
755 * @p: The task to affect
756 * @ioprio: The I/O priority to set
757 *
758 * Detemine if the requested I/O priority change is permitted for the specified
759 * task, returning 0 if permission is granted, -ve if denied.
760 */
761int cap_task_setioprio(struct task_struct *p, int ioprio)
559{ 762{
560 return cap_safe_nice(p); 763 return cap_safe_nice(p);
561} 764}
562 765
563int cap_task_setnice (struct task_struct *p, int nice) 766/**
767 * cap_task_ioprio - Detemine if task priority change is permitted
768 * @p: The task to affect
769 * @nice: The nice value to set
770 *
771 * Detemine if the requested task priority change is permitted for the
772 * specified task, returning 0 if permission is granted, -ve if denied.
773 */
774int cap_task_setnice(struct task_struct *p, int nice)
564{ 775{
565 return cap_safe_nice(p); 776 return cap_safe_nice(p);
566} 777}
567 778
568/* 779/*
569 * called from kernel/sys.c for prctl(PR_CABSET_DROP) 780 * Implement PR_CAPBSET_DROP. Attempt to remove the specified capability from
570 * done without task_capability_lock() because it introduces 781 * the current task's bounding set. Returns 0 on success, -ve on error.
571 * no new races - i.e. only another task doing capget() on
572 * this task could get inconsistent info. There can be no
573 * racing writer bc a task can only change its own caps.
574 */ 782 */
575static long cap_prctl_drop(unsigned long cap) 783static long cap_prctl_drop(struct cred *new, unsigned long cap)
576{ 784{
577 if (!capable(CAP_SETPCAP)) 785 if (!capable(CAP_SETPCAP))
578 return -EPERM; 786 return -EPERM;
579 if (!cap_valid(cap)) 787 if (!cap_valid(cap))
580 return -EINVAL; 788 return -EINVAL;
581 cap_lower(current->cap_bset, cap); 789
790 cap_lower(new->cap_bset, cap);
582 return 0; 791 return 0;
583} 792}
584 793
@@ -598,22 +807,42 @@ int cap_task_setnice (struct task_struct *p, int nice)
598} 807}
599#endif 808#endif
600 809
810/**
811 * cap_task_prctl - Implement process control functions for this security module
812 * @option: The process control function requested
813 * @arg2, @arg3, @arg4, @arg5: The argument data for this function
814 *
815 * Allow process control functions (sys_prctl()) to alter capabilities; may
816 * also deny access to other functions not otherwise implemented here.
817 *
818 * Returns 0 or +ve on success, -ENOSYS if this function is not implemented
819 * here, other -ve on error. If -ENOSYS is returned, sys_prctl() and other LSM
820 * modules will consider performing the function.
821 */
601int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3, 822int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
602 unsigned long arg4, unsigned long arg5, long *rc_p) 823 unsigned long arg4, unsigned long arg5)
603{ 824{
825 struct cred *new;
604 long error = 0; 826 long error = 0;
605 827
828 new = prepare_creds();
829 if (!new)
830 return -ENOMEM;
831
606 switch (option) { 832 switch (option) {
607 case PR_CAPBSET_READ: 833 case PR_CAPBSET_READ:
834 error = -EINVAL;
608 if (!cap_valid(arg2)) 835 if (!cap_valid(arg2))
609 error = -EINVAL; 836 goto error;
610 else 837 error = !!cap_raised(new->cap_bset, arg2);
611 error = !!cap_raised(current->cap_bset, arg2); 838 goto no_change;
612 break; 839
613#ifdef CONFIG_SECURITY_FILE_CAPABILITIES 840#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
614 case PR_CAPBSET_DROP: 841 case PR_CAPBSET_DROP:
615 error = cap_prctl_drop(arg2); 842 error = cap_prctl_drop(new, arg2);
616 break; 843 if (error < 0)
844 goto error;
845 goto changed;
617 846
618 /* 847 /*
619 * The next four prctl's remain to assist with transitioning a 848 * The next four prctl's remain to assist with transitioning a
@@ -635,12 +864,12 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
635 * capability-based-privilege environment. 864 * capability-based-privilege environment.
636 */ 865 */
637 case PR_SET_SECUREBITS: 866 case PR_SET_SECUREBITS:
638 if ((((current->securebits & SECURE_ALL_LOCKS) >> 1) 867 error = -EPERM;
639 & (current->securebits ^ arg2)) /*[1]*/ 868 if ((((new->securebits & SECURE_ALL_LOCKS) >> 1)
640 || ((current->securebits & SECURE_ALL_LOCKS 869 & (new->securebits ^ arg2)) /*[1]*/
641 & ~arg2)) /*[2]*/ 870 || ((new->securebits & SECURE_ALL_LOCKS & ~arg2)) /*[2]*/
642 || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS)) /*[3]*/ 871 || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS)) /*[3]*/
643 || (cap_capable(current, CAP_SETPCAP) != 0)) { /*[4]*/ 872 || (cap_capable(current, CAP_SETPCAP, SECURITY_CAP_AUDIT) != 0) /*[4]*/
644 /* 873 /*
645 * [1] no changing of bits that are locked 874 * [1] no changing of bits that are locked
646 * [2] no unlocking of locks 875 * [2] no unlocking of locks
@@ -648,65 +877,80 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
648 * [4] doing anything requires privilege (go read about 877 * [4] doing anything requires privilege (go read about
649 * the "sendmail capabilities bug") 878 * the "sendmail capabilities bug")
650 */ 879 */
651 error = -EPERM; /* cannot change a locked bit */ 880 )
652 } else { 881 /* cannot change a locked bit */
653 current->securebits = arg2; 882 goto error;
654 } 883 new->securebits = arg2;
655 break; 884 goto changed;
885
656 case PR_GET_SECUREBITS: 886 case PR_GET_SECUREBITS:
657 error = current->securebits; 887 error = new->securebits;
658 break; 888 goto no_change;
659 889
660#endif /* def CONFIG_SECURITY_FILE_CAPABILITIES */ 890#endif /* def CONFIG_SECURITY_FILE_CAPABILITIES */
661 891
662 case PR_GET_KEEPCAPS: 892 case PR_GET_KEEPCAPS:
663 if (issecure(SECURE_KEEP_CAPS)) 893 if (issecure(SECURE_KEEP_CAPS))
664 error = 1; 894 error = 1;
665 break; 895 goto no_change;
896
666 case PR_SET_KEEPCAPS: 897 case PR_SET_KEEPCAPS:
898 error = -EINVAL;
667 if (arg2 > 1) /* Note, we rely on arg2 being unsigned here */ 899 if (arg2 > 1) /* Note, we rely on arg2 being unsigned here */
668 error = -EINVAL; 900 goto error;
669 else if (issecure(SECURE_KEEP_CAPS_LOCKED)) 901 error = -EPERM;
670 error = -EPERM; 902 if (issecure(SECURE_KEEP_CAPS_LOCKED))
671 else if (arg2) 903 goto error;
672 current->securebits |= issecure_mask(SECURE_KEEP_CAPS); 904 if (arg2)
905 new->securebits |= issecure_mask(SECURE_KEEP_CAPS);
673 else 906 else
674 current->securebits &= 907 new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS);
675 ~issecure_mask(SECURE_KEEP_CAPS); 908 goto changed;
676 break;
677 909
678 default: 910 default:
679 /* No functionality available - continue with default */ 911 /* No functionality available - continue with default */
680 return 0; 912 error = -ENOSYS;
913 goto error;
681 } 914 }
682 915
683 /* Functionality provided */ 916 /* Functionality provided */
684 *rc_p = error; 917changed:
685 return 1; 918 return commit_creds(new);
686}
687 919
688void cap_task_reparent_to_init (struct task_struct *p) 920no_change:
689{ 921 error = 0;
690 cap_set_init_eff(p->cap_effective); 922error:
691 cap_clear(p->cap_inheritable); 923 abort_creds(new);
692 cap_set_full(p->cap_permitted); 924 return error;
693 p->securebits = SECUREBITS_DEFAULT;
694 return;
695} 925}
696 926
697int cap_syslog (int type) 927/**
928 * cap_syslog - Determine whether syslog function is permitted
929 * @type: Function requested
930 *
931 * Determine whether the current process is permitted to use a particular
932 * syslog function, returning 0 if permission is granted, -ve if not.
933 */
934int cap_syslog(int type)
698{ 935{
699 if ((type != 3 && type != 10) && !capable(CAP_SYS_ADMIN)) 936 if ((type != 3 && type != 10) && !capable(CAP_SYS_ADMIN))
700 return -EPERM; 937 return -EPERM;
701 return 0; 938 return 0;
702} 939}
703 940
941/**
942 * cap_vm_enough_memory - Determine whether a new virtual mapping is permitted
943 * @mm: The VM space in which the new mapping is to be made
944 * @pages: The size of the mapping
945 *
946 * Determine whether the allocation of a new virtual mapping by the current
947 * task is permitted, returning 0 if permission is granted, -ve if not.
948 */
704int cap_vm_enough_memory(struct mm_struct *mm, long pages) 949int cap_vm_enough_memory(struct mm_struct *mm, long pages)
705{ 950{
706 int cap_sys_admin = 0; 951 int cap_sys_admin = 0;
707 952
708 if (cap_capable(current, CAP_SYS_ADMIN) == 0) 953 if (cap_capable(current, CAP_SYS_ADMIN, SECURITY_CAP_NOAUDIT) == 0)
709 cap_sys_admin = 1; 954 cap_sys_admin = 1;
710 return __vm_enough_memory(mm, pages, cap_sys_admin); 955 return __vm_enough_memory(mm, pages, cap_sys_admin);
711} 956}
712
diff --git a/security/keys/internal.h b/security/keys/internal.h
index 239098f0fd76..81932abefe7b 100644
--- a/security/keys/internal.h
+++ b/security/keys/internal.h
@@ -12,8 +12,8 @@
12#ifndef _INTERNAL_H 12#ifndef _INTERNAL_H
13#define _INTERNAL_H 13#define _INTERNAL_H
14 14
15#include <linux/sched.h>
15#include <linux/key-type.h> 16#include <linux/key-type.h>
16#include <linux/key-ui.h>
17 17
18static inline __attribute__((format(printf, 1, 2))) 18static inline __attribute__((format(printf, 1, 2)))
19void no_printk(const char *fmt, ...) 19void no_printk(const char *fmt, ...)
@@ -26,7 +26,7 @@ void no_printk(const char *fmt, ...)
26#define kleave(FMT, ...) \ 26#define kleave(FMT, ...) \
27 printk(KERN_DEBUG "<== %s()"FMT"\n", __func__, ##__VA_ARGS__) 27 printk(KERN_DEBUG "<== %s()"FMT"\n", __func__, ##__VA_ARGS__)
28#define kdebug(FMT, ...) \ 28#define kdebug(FMT, ...) \
29 printk(KERN_DEBUG "xxx" FMT"yyy\n", ##__VA_ARGS__) 29 printk(KERN_DEBUG " "FMT"\n", ##__VA_ARGS__)
30#else 30#else
31#define kenter(FMT, ...) \ 31#define kenter(FMT, ...) \
32 no_printk(KERN_DEBUG "==> %s("FMT")\n", __func__, ##__VA_ARGS__) 32 no_printk(KERN_DEBUG "==> %s("FMT")\n", __func__, ##__VA_ARGS__)
@@ -82,6 +82,9 @@ extern struct mutex key_construction_mutex;
82extern wait_queue_head_t request_key_conswq; 82extern wait_queue_head_t request_key_conswq;
83 83
84 84
85extern struct key_type *key_type_lookup(const char *type);
86extern void key_type_put(struct key_type *ktype);
87
85extern int __key_link(struct key *keyring, struct key *key); 88extern int __key_link(struct key *keyring, struct key *key);
86 89
87extern key_ref_t __keyring_search_one(key_ref_t keyring_ref, 90extern key_ref_t __keyring_search_one(key_ref_t keyring_ref,
@@ -95,7 +98,7 @@ extern struct key *keyring_search_instkey(struct key *keyring,
95typedef int (*key_match_func_t)(const struct key *, const void *); 98typedef int (*key_match_func_t)(const struct key *, const void *);
96 99
97extern key_ref_t keyring_search_aux(key_ref_t keyring_ref, 100extern key_ref_t keyring_search_aux(key_ref_t keyring_ref,
98 struct task_struct *tsk, 101 const struct cred *cred,
99 struct key_type *type, 102 struct key_type *type,
100 const void *description, 103 const void *description,
101 key_match_func_t match); 104 key_match_func_t match);
@@ -103,13 +106,13 @@ extern key_ref_t keyring_search_aux(key_ref_t keyring_ref,
103extern key_ref_t search_process_keyrings(struct key_type *type, 106extern key_ref_t search_process_keyrings(struct key_type *type,
104 const void *description, 107 const void *description,
105 key_match_func_t match, 108 key_match_func_t match,
106 struct task_struct *tsk); 109 const struct cred *cred);
107 110
108extern struct key *find_keyring_by_name(const char *name, bool skip_perm_check); 111extern struct key *find_keyring_by_name(const char *name, bool skip_perm_check);
109 112
110extern int install_user_keyrings(struct task_struct *tsk); 113extern int install_user_keyrings(void);
111extern int install_thread_keyring(struct task_struct *tsk); 114extern int install_thread_keyring_to_cred(struct cred *);
112extern int install_process_keyring(struct task_struct *tsk); 115extern int install_process_keyring_to_cred(struct cred *);
113 116
114extern struct key *request_key_and_link(struct key_type *type, 117extern struct key *request_key_and_link(struct key_type *type,
115 const char *description, 118 const char *description,
@@ -119,12 +122,39 @@ extern struct key *request_key_and_link(struct key_type *type,
119 struct key *dest_keyring, 122 struct key *dest_keyring,
120 unsigned long flags); 123 unsigned long flags);
121 124
125extern key_ref_t lookup_user_key(key_serial_t id, int create, int partial,
126 key_perm_t perm);
127
128extern long join_session_keyring(const char *name);
129
130/*
131 * check to see whether permission is granted to use a key in the desired way
132 */
133extern int key_task_permission(const key_ref_t key_ref,
134 const struct cred *cred,
135 key_perm_t perm);
136
137static inline int key_permission(const key_ref_t key_ref, key_perm_t perm)
138{
139 return key_task_permission(key_ref, current_cred(), perm);
140}
141
142/* required permissions */
143#define KEY_VIEW 0x01 /* require permission to view attributes */
144#define KEY_READ 0x02 /* require permission to read content */
145#define KEY_WRITE 0x04 /* require permission to update / modify */
146#define KEY_SEARCH 0x08 /* require permission to search (keyring) or find (key) */
147#define KEY_LINK 0x10 /* require permission to link */
148#define KEY_SETATTR 0x20 /* require permission to change attributes */
149#define KEY_ALL 0x3f /* all the above permissions */
150
122/* 151/*
123 * request_key authorisation 152 * request_key authorisation
124 */ 153 */
125struct request_key_auth { 154struct request_key_auth {
126 struct key *target_key; 155 struct key *target_key;
127 struct task_struct *context; 156 struct key *dest_keyring;
157 const struct cred *cred;
128 void *callout_info; 158 void *callout_info;
129 size_t callout_len; 159 size_t callout_len;
130 pid_t pid; 160 pid_t pid;
@@ -133,7 +163,8 @@ struct request_key_auth {
133extern struct key_type key_type_request_key_auth; 163extern struct key_type key_type_request_key_auth;
134extern struct key *request_key_auth_new(struct key *target, 164extern struct key *request_key_auth_new(struct key *target,
135 const void *callout_info, 165 const void *callout_info,
136 size_t callout_len); 166 size_t callout_len,
167 struct key *dest_keyring);
137 168
138extern struct key *key_get_instantiation_authkey(key_serial_t target_id); 169extern struct key *key_get_instantiation_authkey(key_serial_t target_id);
139 170
diff --git a/security/keys/key.c b/security/keys/key.c
index 14948cf83ef6..f76c8a546fd3 100644
--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -218,7 +218,7 @@ serial_exists:
218 * instantiate the key or discard it before returning 218 * instantiate the key or discard it before returning
219 */ 219 */
220struct key *key_alloc(struct key_type *type, const char *desc, 220struct key *key_alloc(struct key_type *type, const char *desc,
221 uid_t uid, gid_t gid, struct task_struct *ctx, 221 uid_t uid, gid_t gid, const struct cred *cred,
222 key_perm_t perm, unsigned long flags) 222 key_perm_t perm, unsigned long flags)
223{ 223{
224 struct key_user *user = NULL; 224 struct key_user *user = NULL;
@@ -294,7 +294,7 @@ struct key *key_alloc(struct key_type *type, const char *desc,
294#endif 294#endif
295 295
296 /* let the security module know about the key */ 296 /* let the security module know about the key */
297 ret = security_key_alloc(key, ctx, flags); 297 ret = security_key_alloc(key, cred, flags);
298 if (ret < 0) 298 if (ret < 0)
299 goto security_error; 299 goto security_error;
300 300
@@ -391,7 +391,7 @@ static int __key_instantiate_and_link(struct key *key,
391 const void *data, 391 const void *data,
392 size_t datalen, 392 size_t datalen,
393 struct key *keyring, 393 struct key *keyring,
394 struct key *instkey) 394 struct key *authkey)
395{ 395{
396 int ret, awaken; 396 int ret, awaken;
397 397
@@ -421,8 +421,8 @@ static int __key_instantiate_and_link(struct key *key,
421 ret = __key_link(keyring, key); 421 ret = __key_link(keyring, key);
422 422
423 /* disable the authorisation key */ 423 /* disable the authorisation key */
424 if (instkey) 424 if (authkey)
425 key_revoke(instkey); 425 key_revoke(authkey);
426 } 426 }
427 } 427 }
428 428
@@ -444,14 +444,14 @@ int key_instantiate_and_link(struct key *key,
444 const void *data, 444 const void *data,
445 size_t datalen, 445 size_t datalen,
446 struct key *keyring, 446 struct key *keyring,
447 struct key *instkey) 447 struct key *authkey)
448{ 448{
449 int ret; 449 int ret;
450 450
451 if (keyring) 451 if (keyring)
452 down_write(&keyring->sem); 452 down_write(&keyring->sem);
453 453
454 ret = __key_instantiate_and_link(key, data, datalen, keyring, instkey); 454 ret = __key_instantiate_and_link(key, data, datalen, keyring, authkey);
455 455
456 if (keyring) 456 if (keyring)
457 up_write(&keyring->sem); 457 up_write(&keyring->sem);
@@ -469,7 +469,7 @@ EXPORT_SYMBOL(key_instantiate_and_link);
469int key_negate_and_link(struct key *key, 469int key_negate_and_link(struct key *key,
470 unsigned timeout, 470 unsigned timeout,
471 struct key *keyring, 471 struct key *keyring,
472 struct key *instkey) 472 struct key *authkey)
473{ 473{
474 struct timespec now; 474 struct timespec now;
475 int ret, awaken; 475 int ret, awaken;
@@ -504,8 +504,8 @@ int key_negate_and_link(struct key *key,
504 ret = __key_link(keyring, key); 504 ret = __key_link(keyring, key);
505 505
506 /* disable the authorisation key */ 506 /* disable the authorisation key */
507 if (instkey) 507 if (authkey)
508 key_revoke(instkey); 508 key_revoke(authkey);
509 } 509 }
510 510
511 mutex_unlock(&key_construction_mutex); 511 mutex_unlock(&key_construction_mutex);
@@ -743,6 +743,7 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
743 key_perm_t perm, 743 key_perm_t perm,
744 unsigned long flags) 744 unsigned long flags)
745{ 745{
746 const struct cred *cred = current_cred();
746 struct key_type *ktype; 747 struct key_type *ktype;
747 struct key *keyring, *key = NULL; 748 struct key *keyring, *key = NULL;
748 key_ref_t key_ref; 749 key_ref_t key_ref;
@@ -802,8 +803,8 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
802 } 803 }
803 804
804 /* allocate a new key */ 805 /* allocate a new key */
805 key = key_alloc(ktype, description, current->fsuid, current->fsgid, 806 key = key_alloc(ktype, description, cred->fsuid, cred->fsgid, cred,
806 current, perm, flags); 807 perm, flags);
807 if (IS_ERR(key)) { 808 if (IS_ERR(key)) {
808 key_ref = ERR_CAST(key); 809 key_ref = ERR_CAST(key);
809 goto error_3; 810 goto error_3;
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index acc9c89e40a8..7c72baa02f2e 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -103,7 +103,7 @@ asmlinkage long sys_add_key(const char __user *_type,
103 } 103 }
104 104
105 /* find the target keyring (which must be writable) */ 105 /* find the target keyring (which must be writable) */
106 keyring_ref = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE); 106 keyring_ref = lookup_user_key(ringid, 1, 0, KEY_WRITE);
107 if (IS_ERR(keyring_ref)) { 107 if (IS_ERR(keyring_ref)) {
108 ret = PTR_ERR(keyring_ref); 108 ret = PTR_ERR(keyring_ref);
109 goto error3; 109 goto error3;
@@ -185,7 +185,7 @@ asmlinkage long sys_request_key(const char __user *_type,
185 /* get the destination keyring if specified */ 185 /* get the destination keyring if specified */
186 dest_ref = NULL; 186 dest_ref = NULL;
187 if (destringid) { 187 if (destringid) {
188 dest_ref = lookup_user_key(NULL, destringid, 1, 0, KEY_WRITE); 188 dest_ref = lookup_user_key(destringid, 1, 0, KEY_WRITE);
189 if (IS_ERR(dest_ref)) { 189 if (IS_ERR(dest_ref)) {
190 ret = PTR_ERR(dest_ref); 190 ret = PTR_ERR(dest_ref);
191 goto error3; 191 goto error3;
@@ -235,7 +235,7 @@ long keyctl_get_keyring_ID(key_serial_t id, int create)
235 key_ref_t key_ref; 235 key_ref_t key_ref;
236 long ret; 236 long ret;
237 237
238 key_ref = lookup_user_key(NULL, id, create, 0, KEY_SEARCH); 238 key_ref = lookup_user_key(id, create, 0, KEY_SEARCH);
239 if (IS_ERR(key_ref)) { 239 if (IS_ERR(key_ref)) {
240 ret = PTR_ERR(key_ref); 240 ret = PTR_ERR(key_ref);
241 goto error; 241 goto error;
@@ -308,7 +308,7 @@ long keyctl_update_key(key_serial_t id,
308 } 308 }
309 309
310 /* find the target key (which must be writable) */ 310 /* find the target key (which must be writable) */
311 key_ref = lookup_user_key(NULL, id, 0, 0, KEY_WRITE); 311 key_ref = lookup_user_key(id, 0, 0, KEY_WRITE);
312 if (IS_ERR(key_ref)) { 312 if (IS_ERR(key_ref)) {
313 ret = PTR_ERR(key_ref); 313 ret = PTR_ERR(key_ref);
314 goto error2; 314 goto error2;
@@ -336,7 +336,7 @@ long keyctl_revoke_key(key_serial_t id)
336 key_ref_t key_ref; 336 key_ref_t key_ref;
337 long ret; 337 long ret;
338 338
339 key_ref = lookup_user_key(NULL, id, 0, 0, KEY_WRITE); 339 key_ref = lookup_user_key(id, 0, 0, KEY_WRITE);
340 if (IS_ERR(key_ref)) { 340 if (IS_ERR(key_ref)) {
341 ret = PTR_ERR(key_ref); 341 ret = PTR_ERR(key_ref);
342 goto error; 342 goto error;
@@ -362,7 +362,7 @@ long keyctl_keyring_clear(key_serial_t ringid)
362 key_ref_t keyring_ref; 362 key_ref_t keyring_ref;
363 long ret; 363 long ret;
364 364
365 keyring_ref = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE); 365 keyring_ref = lookup_user_key(ringid, 1, 0, KEY_WRITE);
366 if (IS_ERR(keyring_ref)) { 366 if (IS_ERR(keyring_ref)) {
367 ret = PTR_ERR(keyring_ref); 367 ret = PTR_ERR(keyring_ref);
368 goto error; 368 goto error;
@@ -388,13 +388,13 @@ long keyctl_keyring_link(key_serial_t id, key_serial_t ringid)
388 key_ref_t keyring_ref, key_ref; 388 key_ref_t keyring_ref, key_ref;
389 long ret; 389 long ret;
390 390
391 keyring_ref = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE); 391 keyring_ref = lookup_user_key(ringid, 1, 0, KEY_WRITE);
392 if (IS_ERR(keyring_ref)) { 392 if (IS_ERR(keyring_ref)) {
393 ret = PTR_ERR(keyring_ref); 393 ret = PTR_ERR(keyring_ref);
394 goto error; 394 goto error;
395 } 395 }
396 396
397 key_ref = lookup_user_key(NULL, id, 1, 0, KEY_LINK); 397 key_ref = lookup_user_key(id, 1, 0, KEY_LINK);
398 if (IS_ERR(key_ref)) { 398 if (IS_ERR(key_ref)) {
399 ret = PTR_ERR(key_ref); 399 ret = PTR_ERR(key_ref);
400 goto error2; 400 goto error2;
@@ -422,13 +422,13 @@ long keyctl_keyring_unlink(key_serial_t id, key_serial_t ringid)
422 key_ref_t keyring_ref, key_ref; 422 key_ref_t keyring_ref, key_ref;
423 long ret; 423 long ret;
424 424
425 keyring_ref = lookup_user_key(NULL, ringid, 0, 0, KEY_WRITE); 425 keyring_ref = lookup_user_key(ringid, 0, 0, KEY_WRITE);
426 if (IS_ERR(keyring_ref)) { 426 if (IS_ERR(keyring_ref)) {
427 ret = PTR_ERR(keyring_ref); 427 ret = PTR_ERR(keyring_ref);
428 goto error; 428 goto error;
429 } 429 }
430 430
431 key_ref = lookup_user_key(NULL, id, 0, 0, 0); 431 key_ref = lookup_user_key(id, 0, 0, 0);
432 if (IS_ERR(key_ref)) { 432 if (IS_ERR(key_ref)) {
433 ret = PTR_ERR(key_ref); 433 ret = PTR_ERR(key_ref);
434 goto error2; 434 goto error2;
@@ -464,7 +464,7 @@ long keyctl_describe_key(key_serial_t keyid,
464 char *tmpbuf; 464 char *tmpbuf;
465 long ret; 465 long ret;
466 466
467 key_ref = lookup_user_key(NULL, keyid, 0, 1, KEY_VIEW); 467 key_ref = lookup_user_key(keyid, 0, 1, KEY_VIEW);
468 if (IS_ERR(key_ref)) { 468 if (IS_ERR(key_ref)) {
469 /* viewing a key under construction is permitted if we have the 469 /* viewing a key under construction is permitted if we have the
470 * authorisation token handy */ 470 * authorisation token handy */
@@ -472,7 +472,7 @@ long keyctl_describe_key(key_serial_t keyid,
472 instkey = key_get_instantiation_authkey(keyid); 472 instkey = key_get_instantiation_authkey(keyid);
473 if (!IS_ERR(instkey)) { 473 if (!IS_ERR(instkey)) {
474 key_put(instkey); 474 key_put(instkey);
475 key_ref = lookup_user_key(NULL, keyid, 475 key_ref = lookup_user_key(keyid,
476 0, 1, 0); 476 0, 1, 0);
477 if (!IS_ERR(key_ref)) 477 if (!IS_ERR(key_ref))
478 goto okay; 478 goto okay;
@@ -557,7 +557,7 @@ long keyctl_keyring_search(key_serial_t ringid,
557 } 557 }
558 558
559 /* get the keyring at which to begin the search */ 559 /* get the keyring at which to begin the search */
560 keyring_ref = lookup_user_key(NULL, ringid, 0, 0, KEY_SEARCH); 560 keyring_ref = lookup_user_key(ringid, 0, 0, KEY_SEARCH);
561 if (IS_ERR(keyring_ref)) { 561 if (IS_ERR(keyring_ref)) {
562 ret = PTR_ERR(keyring_ref); 562 ret = PTR_ERR(keyring_ref);
563 goto error2; 563 goto error2;
@@ -566,7 +566,7 @@ long keyctl_keyring_search(key_serial_t ringid,
566 /* get the destination keyring if specified */ 566 /* get the destination keyring if specified */
567 dest_ref = NULL; 567 dest_ref = NULL;
568 if (destringid) { 568 if (destringid) {
569 dest_ref = lookup_user_key(NULL, destringid, 1, 0, KEY_WRITE); 569 dest_ref = lookup_user_key(destringid, 1, 0, KEY_WRITE);
570 if (IS_ERR(dest_ref)) { 570 if (IS_ERR(dest_ref)) {
571 ret = PTR_ERR(dest_ref); 571 ret = PTR_ERR(dest_ref);
572 goto error3; 572 goto error3;
@@ -636,7 +636,7 @@ long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen)
636 long ret; 636 long ret;
637 637
638 /* find the key first */ 638 /* find the key first */
639 key_ref = lookup_user_key(NULL, keyid, 0, 0, 0); 639 key_ref = lookup_user_key(keyid, 0, 0, 0);
640 if (IS_ERR(key_ref)) { 640 if (IS_ERR(key_ref)) {
641 ret = -ENOKEY; 641 ret = -ENOKEY;
642 goto error; 642 goto error;
@@ -699,7 +699,7 @@ long keyctl_chown_key(key_serial_t id, uid_t uid, gid_t gid)
699 if (uid == (uid_t) -1 && gid == (gid_t) -1) 699 if (uid == (uid_t) -1 && gid == (gid_t) -1)
700 goto error; 700 goto error;
701 701
702 key_ref = lookup_user_key(NULL, id, 1, 1, KEY_SETATTR); 702 key_ref = lookup_user_key(id, 1, 1, KEY_SETATTR);
703 if (IS_ERR(key_ref)) { 703 if (IS_ERR(key_ref)) {
704 ret = PTR_ERR(key_ref); 704 ret = PTR_ERR(key_ref);
705 goto error; 705 goto error;
@@ -804,7 +804,7 @@ long keyctl_setperm_key(key_serial_t id, key_perm_t perm)
804 if (perm & ~(KEY_POS_ALL | KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL)) 804 if (perm & ~(KEY_POS_ALL | KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL))
805 goto error; 805 goto error;
806 806
807 key_ref = lookup_user_key(NULL, id, 1, 1, KEY_SETATTR); 807 key_ref = lookup_user_key(id, 1, 1, KEY_SETATTR);
808 if (IS_ERR(key_ref)) { 808 if (IS_ERR(key_ref)) {
809 ret = PTR_ERR(key_ref); 809 ret = PTR_ERR(key_ref);
810 goto error; 810 goto error;
@@ -817,7 +817,7 @@ long keyctl_setperm_key(key_serial_t id, key_perm_t perm)
817 down_write(&key->sem); 817 down_write(&key->sem);
818 818
819 /* if we're not the sysadmin, we can only change a key that we own */ 819 /* if we're not the sysadmin, we can only change a key that we own */
820 if (capable(CAP_SYS_ADMIN) || key->uid == current->fsuid) { 820 if (capable(CAP_SYS_ADMIN) || key->uid == current_fsuid()) {
821 key->perm = perm; 821 key->perm = perm;
822 ret = 0; 822 ret = 0;
823 } 823 }
@@ -829,6 +829,60 @@ error:
829 829
830} /* end keyctl_setperm_key() */ 830} /* end keyctl_setperm_key() */
831 831
832/*
833 * get the destination keyring for instantiation
834 */
835static long get_instantiation_keyring(key_serial_t ringid,
836 struct request_key_auth *rka,
837 struct key **_dest_keyring)
838{
839 key_ref_t dkref;
840
841 /* just return a NULL pointer if we weren't asked to make a link */
842 if (ringid == 0) {
843 *_dest_keyring = NULL;
844 return 0;
845 }
846
847 /* if a specific keyring is nominated by ID, then use that */
848 if (ringid > 0) {
849 dkref = lookup_user_key(ringid, 1, 0, KEY_WRITE);
850 if (IS_ERR(dkref))
851 return PTR_ERR(dkref);
852 *_dest_keyring = key_ref_to_ptr(dkref);
853 return 0;
854 }
855
856 if (ringid == KEY_SPEC_REQKEY_AUTH_KEY)
857 return -EINVAL;
858
859 /* otherwise specify the destination keyring recorded in the
860 * authorisation key (any KEY_SPEC_*_KEYRING) */
861 if (ringid >= KEY_SPEC_REQUESTOR_KEYRING) {
862 *_dest_keyring = rka->dest_keyring;
863 return 0;
864 }
865
866 return -ENOKEY;
867}
868
869/*
870 * change the request_key authorisation key on the current process
871 */
872static int keyctl_change_reqkey_auth(struct key *key)
873{
874 struct cred *new;
875
876 new = prepare_creds();
877 if (!new)
878 return -ENOMEM;
879
880 key_put(new->request_key_auth);
881 new->request_key_auth = key_get(key);
882
883 return commit_creds(new);
884}
885
832/*****************************************************************************/ 886/*****************************************************************************/
833/* 887/*
834 * instantiate the key with the specified payload, and, if one is given, link 888 * instantiate the key with the specified payload, and, if one is given, link
@@ -839,13 +893,15 @@ long keyctl_instantiate_key(key_serial_t id,
839 size_t plen, 893 size_t plen,
840 key_serial_t ringid) 894 key_serial_t ringid)
841{ 895{
896 const struct cred *cred = current_cred();
842 struct request_key_auth *rka; 897 struct request_key_auth *rka;
843 struct key *instkey; 898 struct key *instkey, *dest_keyring;
844 key_ref_t keyring_ref;
845 void *payload; 899 void *payload;
846 long ret; 900 long ret;
847 bool vm = false; 901 bool vm = false;
848 902
903 kenter("%d,,%zu,%d", id, plen, ringid);
904
849 ret = -EINVAL; 905 ret = -EINVAL;
850 if (plen > 1024 * 1024 - 1) 906 if (plen > 1024 * 1024 - 1)
851 goto error; 907 goto error;
@@ -853,7 +909,7 @@ long keyctl_instantiate_key(key_serial_t id,
853 /* the appropriate instantiation authorisation key must have been 909 /* the appropriate instantiation authorisation key must have been
854 * assumed before calling this */ 910 * assumed before calling this */
855 ret = -EPERM; 911 ret = -EPERM;
856 instkey = current->request_key_auth; 912 instkey = cred->request_key_auth;
857 if (!instkey) 913 if (!instkey)
858 goto error; 914 goto error;
859 915
@@ -883,28 +939,20 @@ long keyctl_instantiate_key(key_serial_t id,
883 939
884 /* find the destination keyring amongst those belonging to the 940 /* find the destination keyring amongst those belonging to the
885 * requesting task */ 941 * requesting task */
886 keyring_ref = NULL; 942 ret = get_instantiation_keyring(ringid, rka, &dest_keyring);
887 if (ringid) { 943 if (ret < 0)
888 keyring_ref = lookup_user_key(rka->context, ringid, 1, 0, 944 goto error2;
889 KEY_WRITE);
890 if (IS_ERR(keyring_ref)) {
891 ret = PTR_ERR(keyring_ref);
892 goto error2;
893 }
894 }
895 945
896 /* instantiate the key and link it into a keyring */ 946 /* instantiate the key and link it into a keyring */
897 ret = key_instantiate_and_link(rka->target_key, payload, plen, 947 ret = key_instantiate_and_link(rka->target_key, payload, plen,
898 key_ref_to_ptr(keyring_ref), instkey); 948 dest_keyring, instkey);
899 949
900 key_ref_put(keyring_ref); 950 key_put(dest_keyring);
901 951
902 /* discard the assumed authority if it's just been disabled by 952 /* discard the assumed authority if it's just been disabled by
903 * instantiation of the key */ 953 * instantiation of the key */
904 if (ret == 0) { 954 if (ret == 0)
905 key_put(current->request_key_auth); 955 keyctl_change_reqkey_auth(NULL);
906 current->request_key_auth = NULL;
907 }
908 956
909error2: 957error2:
910 if (!vm) 958 if (!vm)
@@ -923,15 +971,17 @@ error:
923 */ 971 */
924long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid) 972long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid)
925{ 973{
974 const struct cred *cred = current_cred();
926 struct request_key_auth *rka; 975 struct request_key_auth *rka;
927 struct key *instkey; 976 struct key *instkey, *dest_keyring;
928 key_ref_t keyring_ref;
929 long ret; 977 long ret;
930 978
979 kenter("%d,%u,%d", id, timeout, ringid);
980
931 /* the appropriate instantiation authorisation key must have been 981 /* the appropriate instantiation authorisation key must have been
932 * assumed before calling this */ 982 * assumed before calling this */
933 ret = -EPERM; 983 ret = -EPERM;
934 instkey = current->request_key_auth; 984 instkey = cred->request_key_auth;
935 if (!instkey) 985 if (!instkey)
936 goto error; 986 goto error;
937 987
@@ -941,27 +991,20 @@ long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid)
941 991
942 /* find the destination keyring if present (which must also be 992 /* find the destination keyring if present (which must also be
943 * writable) */ 993 * writable) */
944 keyring_ref = NULL; 994 ret = get_instantiation_keyring(ringid, rka, &dest_keyring);
945 if (ringid) { 995 if (ret < 0)
946 keyring_ref = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE); 996 goto error;
947 if (IS_ERR(keyring_ref)) {
948 ret = PTR_ERR(keyring_ref);
949 goto error;
950 }
951 }
952 997
953 /* instantiate the key and link it into a keyring */ 998 /* instantiate the key and link it into a keyring */
954 ret = key_negate_and_link(rka->target_key, timeout, 999 ret = key_negate_and_link(rka->target_key, timeout,
955 key_ref_to_ptr(keyring_ref), instkey); 1000 dest_keyring, instkey);
956 1001
957 key_ref_put(keyring_ref); 1002 key_put(dest_keyring);
958 1003
959 /* discard the assumed authority if it's just been disabled by 1004 /* discard the assumed authority if it's just been disabled by
960 * instantiation of the key */ 1005 * instantiation of the key */
961 if (ret == 0) { 1006 if (ret == 0)
962 key_put(current->request_key_auth); 1007 keyctl_change_reqkey_auth(NULL);
963 current->request_key_auth = NULL;
964 }
965 1008
966error: 1009error:
967 return ret; 1010 return ret;
@@ -975,35 +1018,56 @@ error:
975 */ 1018 */
976long keyctl_set_reqkey_keyring(int reqkey_defl) 1019long keyctl_set_reqkey_keyring(int reqkey_defl)
977{ 1020{
978 int ret; 1021 struct cred *new;
1022 int ret, old_setting;
1023
1024 old_setting = current_cred_xxx(jit_keyring);
1025
1026 if (reqkey_defl == KEY_REQKEY_DEFL_NO_CHANGE)
1027 return old_setting;
1028
1029 new = prepare_creds();
1030 if (!new)
1031 return -ENOMEM;
979 1032
980 switch (reqkey_defl) { 1033 switch (reqkey_defl) {
981 case KEY_REQKEY_DEFL_THREAD_KEYRING: 1034 case KEY_REQKEY_DEFL_THREAD_KEYRING:
982 ret = install_thread_keyring(current); 1035 ret = install_thread_keyring_to_cred(new);
983 if (ret < 0) 1036 if (ret < 0)
984 return ret; 1037 goto error;
985 goto set; 1038 goto set;
986 1039
987 case KEY_REQKEY_DEFL_PROCESS_KEYRING: 1040 case KEY_REQKEY_DEFL_PROCESS_KEYRING:
988 ret = install_process_keyring(current); 1041 ret = install_process_keyring_to_cred(new);
989 if (ret < 0) 1042 if (ret < 0) {
990 return ret; 1043 if (ret != -EEXIST)
1044 goto error;
1045 ret = 0;
1046 }
1047 goto set;
991 1048
992 case KEY_REQKEY_DEFL_DEFAULT: 1049 case KEY_REQKEY_DEFL_DEFAULT:
993 case KEY_REQKEY_DEFL_SESSION_KEYRING: 1050 case KEY_REQKEY_DEFL_SESSION_KEYRING:
994 case KEY_REQKEY_DEFL_USER_KEYRING: 1051 case KEY_REQKEY_DEFL_USER_KEYRING:
995 case KEY_REQKEY_DEFL_USER_SESSION_KEYRING: 1052 case KEY_REQKEY_DEFL_USER_SESSION_KEYRING:
996 set: 1053 case KEY_REQKEY_DEFL_REQUESTOR_KEYRING:
997 current->jit_keyring = reqkey_defl; 1054 goto set;
998 1055
999 case KEY_REQKEY_DEFL_NO_CHANGE: 1056 case KEY_REQKEY_DEFL_NO_CHANGE:
1000 return current->jit_keyring;
1001
1002 case KEY_REQKEY_DEFL_GROUP_KEYRING: 1057 case KEY_REQKEY_DEFL_GROUP_KEYRING:
1003 default: 1058 default:
1004 return -EINVAL; 1059 ret = -EINVAL;
1060 goto error;
1005 } 1061 }
1006 1062
1063set:
1064 new->jit_keyring = reqkey_defl;
1065 commit_creds(new);
1066 return old_setting;
1067error:
1068 abort_creds(new);
1069 return -EINVAL;
1070
1007} /* end keyctl_set_reqkey_keyring() */ 1071} /* end keyctl_set_reqkey_keyring() */
1008 1072
1009/*****************************************************************************/ 1073/*****************************************************************************/
@@ -1018,7 +1082,7 @@ long keyctl_set_timeout(key_serial_t id, unsigned timeout)
1018 time_t expiry; 1082 time_t expiry;
1019 long ret; 1083 long ret;
1020 1084
1021 key_ref = lookup_user_key(NULL, id, 1, 1, KEY_SETATTR); 1085 key_ref = lookup_user_key(id, 1, 1, KEY_SETATTR);
1022 if (IS_ERR(key_ref)) { 1086 if (IS_ERR(key_ref)) {
1023 ret = PTR_ERR(key_ref); 1087 ret = PTR_ERR(key_ref);
1024 goto error; 1088 goto error;
@@ -1062,9 +1126,7 @@ long keyctl_assume_authority(key_serial_t id)
1062 1126
1063 /* we divest ourselves of authority if given an ID of 0 */ 1127 /* we divest ourselves of authority if given an ID of 0 */
1064 if (id == 0) { 1128 if (id == 0) {
1065 key_put(current->request_key_auth); 1129 ret = keyctl_change_reqkey_auth(NULL);
1066 current->request_key_auth = NULL;
1067 ret = 0;
1068 goto error; 1130 goto error;
1069 } 1131 }
1070 1132
@@ -1079,10 +1141,12 @@ long keyctl_assume_authority(key_serial_t id)
1079 goto error; 1141 goto error;
1080 } 1142 }
1081 1143
1082 key_put(current->request_key_auth); 1144 ret = keyctl_change_reqkey_auth(authkey);
1083 current->request_key_auth = authkey; 1145 if (ret < 0)
1084 ret = authkey->serial; 1146 goto error;
1147 key_put(authkey);
1085 1148
1149 ret = authkey->serial;
1086error: 1150error:
1087 return ret; 1151 return ret;
1088 1152
@@ -1105,7 +1169,7 @@ long keyctl_get_security(key_serial_t keyid,
1105 char *context; 1169 char *context;
1106 long ret; 1170 long ret;
1107 1171
1108 key_ref = lookup_user_key(NULL, keyid, 0, 1, KEY_VIEW); 1172 key_ref = lookup_user_key(keyid, 0, 1, KEY_VIEW);
1109 if (IS_ERR(key_ref)) { 1173 if (IS_ERR(key_ref)) {
1110 if (PTR_ERR(key_ref) != -EACCES) 1174 if (PTR_ERR(key_ref) != -EACCES)
1111 return PTR_ERR(key_ref); 1175 return PTR_ERR(key_ref);
@@ -1117,7 +1181,7 @@ long keyctl_get_security(key_serial_t keyid,
1117 return PTR_ERR(key_ref); 1181 return PTR_ERR(key_ref);
1118 key_put(instkey); 1182 key_put(instkey);
1119 1183
1120 key_ref = lookup_user_key(NULL, keyid, 0, 1, 0); 1184 key_ref = lookup_user_key(keyid, 0, 1, 0);
1121 if (IS_ERR(key_ref)) 1185 if (IS_ERR(key_ref))
1122 return PTR_ERR(key_ref); 1186 return PTR_ERR(key_ref);
1123 } 1187 }
diff --git a/security/keys/keyring.c b/security/keys/keyring.c
index a9ab8affc092..ed851574d073 100644
--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c
@@ -16,6 +16,7 @@
16#include <linux/security.h> 16#include <linux/security.h>
17#include <linux/seq_file.h> 17#include <linux/seq_file.h>
18#include <linux/err.h> 18#include <linux/err.h>
19#include <keys/keyring-type.h>
19#include <asm/uaccess.h> 20#include <asm/uaccess.h>
20#include "internal.h" 21#include "internal.h"
21 22
@@ -244,14 +245,14 @@ static long keyring_read(const struct key *keyring,
244 * allocate a keyring and link into the destination keyring 245 * allocate a keyring and link into the destination keyring
245 */ 246 */
246struct key *keyring_alloc(const char *description, uid_t uid, gid_t gid, 247struct key *keyring_alloc(const char *description, uid_t uid, gid_t gid,
247 struct task_struct *ctx, unsigned long flags, 248 const struct cred *cred, unsigned long flags,
248 struct key *dest) 249 struct key *dest)
249{ 250{
250 struct key *keyring; 251 struct key *keyring;
251 int ret; 252 int ret;
252 253
253 keyring = key_alloc(&key_type_keyring, description, 254 keyring = key_alloc(&key_type_keyring, description,
254 uid, gid, ctx, 255 uid, gid, cred,
255 (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_ALL, 256 (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_ALL,
256 flags); 257 flags);
257 258
@@ -280,7 +281,7 @@ struct key *keyring_alloc(const char *description, uid_t uid, gid_t gid,
280 * - we propagate the possession attribute from the keyring ref to the key ref 281 * - we propagate the possession attribute from the keyring ref to the key ref
281 */ 282 */
282key_ref_t keyring_search_aux(key_ref_t keyring_ref, 283key_ref_t keyring_search_aux(key_ref_t keyring_ref,
283 struct task_struct *context, 284 const struct cred *cred,
284 struct key_type *type, 285 struct key_type *type,
285 const void *description, 286 const void *description,
286 key_match_func_t match) 287 key_match_func_t match)
@@ -303,7 +304,7 @@ key_ref_t keyring_search_aux(key_ref_t keyring_ref,
303 key_check(keyring); 304 key_check(keyring);
304 305
305 /* top keyring must have search permission to begin the search */ 306 /* top keyring must have search permission to begin the search */
306 err = key_task_permission(keyring_ref, context, KEY_SEARCH); 307 err = key_task_permission(keyring_ref, cred, KEY_SEARCH);
307 if (err < 0) { 308 if (err < 0) {
308 key_ref = ERR_PTR(err); 309 key_ref = ERR_PTR(err);
309 goto error; 310 goto error;
@@ -376,7 +377,7 @@ descend:
376 377
377 /* key must have search permissions */ 378 /* key must have search permissions */
378 if (key_task_permission(make_key_ref(key, possessed), 379 if (key_task_permission(make_key_ref(key, possessed),
379 context, KEY_SEARCH) < 0) 380 cred, KEY_SEARCH) < 0)
380 continue; 381 continue;
381 382
382 /* we set a different error code if we pass a negative key */ 383 /* we set a different error code if we pass a negative key */
@@ -403,7 +404,7 @@ ascend:
403 continue; 404 continue;
404 405
405 if (key_task_permission(make_key_ref(key, possessed), 406 if (key_task_permission(make_key_ref(key, possessed),
406 context, KEY_SEARCH) < 0) 407 cred, KEY_SEARCH) < 0)
407 continue; 408 continue;
408 409
409 /* stack the current position */ 410 /* stack the current position */
@@ -458,7 +459,7 @@ key_ref_t keyring_search(key_ref_t keyring,
458 if (!type->match) 459 if (!type->match)
459 return ERR_PTR(-ENOKEY); 460 return ERR_PTR(-ENOKEY);
460 461
461 return keyring_search_aux(keyring, current, 462 return keyring_search_aux(keyring, current->cred,
462 type, description, type->match); 463 type, description, type->match);
463 464
464} /* end keyring_search() */ 465} /* end keyring_search() */
diff --git a/security/keys/permission.c b/security/keys/permission.c
index 3b41f9b52537..5d9fc7b93f2e 100644
--- a/security/keys/permission.c
+++ b/security/keys/permission.c
@@ -14,12 +14,19 @@
14#include "internal.h" 14#include "internal.h"
15 15
16/*****************************************************************************/ 16/*****************************************************************************/
17/* 17/**
18 * check to see whether permission is granted to use a key in the desired way, 18 * key_task_permission - Check a key can be used
19 * but permit the security modules to override 19 * @key_ref: The key to check
20 * @cred: The credentials to use
21 * @perm: The permissions to check for
22 *
23 * Check to see whether permission is granted to use a key in the desired way,
24 * but permit the security modules to override.
25 *
26 * The caller must hold either a ref on cred or must hold the RCU readlock or a
27 * spinlock.
20 */ 28 */
21int key_task_permission(const key_ref_t key_ref, 29int key_task_permission(const key_ref_t key_ref, const struct cred *cred,
22 struct task_struct *context,
23 key_perm_t perm) 30 key_perm_t perm)
24{ 31{
25 struct key *key; 32 struct key *key;
@@ -29,7 +36,7 @@ int key_task_permission(const key_ref_t key_ref,
29 key = key_ref_to_ptr(key_ref); 36 key = key_ref_to_ptr(key_ref);
30 37
31 /* use the second 8-bits of permissions for keys the caller owns */ 38 /* use the second 8-bits of permissions for keys the caller owns */
32 if (key->uid == context->fsuid) { 39 if (key->uid == cred->fsuid) {
33 kperm = key->perm >> 16; 40 kperm = key->perm >> 16;
34 goto use_these_perms; 41 goto use_these_perms;
35 } 42 }
@@ -37,15 +44,12 @@ int key_task_permission(const key_ref_t key_ref,
37 /* use the third 8-bits of permissions for keys the caller has a group 44 /* use the third 8-bits of permissions for keys the caller has a group
38 * membership in common with */ 45 * membership in common with */
39 if (key->gid != -1 && key->perm & KEY_GRP_ALL) { 46 if (key->gid != -1 && key->perm & KEY_GRP_ALL) {
40 if (key->gid == context->fsgid) { 47 if (key->gid == cred->fsgid) {
41 kperm = key->perm >> 8; 48 kperm = key->perm >> 8;
42 goto use_these_perms; 49 goto use_these_perms;
43 } 50 }
44 51
45 task_lock(context); 52 ret = groups_search(cred->group_info, key->gid);
46 ret = groups_search(context->group_info, key->gid);
47 task_unlock(context);
48
49 if (ret) { 53 if (ret) {
50 kperm = key->perm >> 8; 54 kperm = key->perm >> 8;
51 goto use_these_perms; 55 goto use_these_perms;
@@ -56,6 +60,7 @@ int key_task_permission(const key_ref_t key_ref,
56 kperm = key->perm; 60 kperm = key->perm;
57 61
58use_these_perms: 62use_these_perms:
63
59 /* use the top 8-bits of permissions for keys the caller possesses 64 /* use the top 8-bits of permissions for keys the caller possesses
60 * - possessor permissions are additive with other permissions 65 * - possessor permissions are additive with other permissions
61 */ 66 */
@@ -68,7 +73,7 @@ use_these_perms:
68 return -EACCES; 73 return -EACCES;
69 74
70 /* let LSM be the final arbiter */ 75 /* let LSM be the final arbiter */
71 return security_key_permission(key_ref, context, perm); 76 return security_key_permission(key_ref, cred, perm);
72 77
73} /* end key_task_permission() */ 78} /* end key_task_permission() */
74 79
diff --git a/security/keys/proc.c b/security/keys/proc.c
index f619170da760..7f508def50e3 100644
--- a/security/keys/proc.c
+++ b/security/keys/proc.c
@@ -136,8 +136,12 @@ static int proc_keys_show(struct seq_file *m, void *v)
136 int rc; 136 int rc;
137 137
138 /* check whether the current task is allowed to view the key (assuming 138 /* check whether the current task is allowed to view the key (assuming
139 * non-possession) */ 139 * non-possession)
140 rc = key_task_permission(make_key_ref(key, 0), current, KEY_VIEW); 140 * - the caller holds a spinlock, and thus the RCU read lock, making our
141 * access to __current_cred() safe
142 */
143 rc = key_task_permission(make_key_ref(key, 0), current_cred(),
144 KEY_VIEW);
141 if (rc < 0) 145 if (rc < 0)
142 return 0; 146 return 0;
143 147
diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
index 45b240af6dbe..2f5d89e92b85 100644
--- a/security/keys/process_keys.c
+++ b/security/keys/process_keys.c
@@ -40,13 +40,17 @@ struct key_user root_key_user = {
40/* 40/*
41 * install user and user session keyrings for a particular UID 41 * install user and user session keyrings for a particular UID
42 */ 42 */
43int install_user_keyrings(struct task_struct *tsk) 43int install_user_keyrings(void)
44{ 44{
45 struct user_struct *user = tsk->user; 45 struct user_struct *user;
46 const struct cred *cred;
46 struct key *uid_keyring, *session_keyring; 47 struct key *uid_keyring, *session_keyring;
47 char buf[20]; 48 char buf[20];
48 int ret; 49 int ret;
49 50
51 cred = current_cred();
52 user = cred->user;
53
50 kenter("%p{%u}", user, user->uid); 54 kenter("%p{%u}", user, user->uid);
51 55
52 if (user->uid_keyring) { 56 if (user->uid_keyring) {
@@ -67,7 +71,7 @@ int install_user_keyrings(struct task_struct *tsk)
67 uid_keyring = find_keyring_by_name(buf, true); 71 uid_keyring = find_keyring_by_name(buf, true);
68 if (IS_ERR(uid_keyring)) { 72 if (IS_ERR(uid_keyring)) {
69 uid_keyring = keyring_alloc(buf, user->uid, (gid_t) -1, 73 uid_keyring = keyring_alloc(buf, user->uid, (gid_t) -1,
70 tsk, KEY_ALLOC_IN_QUOTA, 74 cred, KEY_ALLOC_IN_QUOTA,
71 NULL); 75 NULL);
72 if (IS_ERR(uid_keyring)) { 76 if (IS_ERR(uid_keyring)) {
73 ret = PTR_ERR(uid_keyring); 77 ret = PTR_ERR(uid_keyring);
@@ -83,7 +87,7 @@ int install_user_keyrings(struct task_struct *tsk)
83 if (IS_ERR(session_keyring)) { 87 if (IS_ERR(session_keyring)) {
84 session_keyring = 88 session_keyring =
85 keyring_alloc(buf, user->uid, (gid_t) -1, 89 keyring_alloc(buf, user->uid, (gid_t) -1,
86 tsk, KEY_ALLOC_IN_QUOTA, NULL); 90 cred, KEY_ALLOC_IN_QUOTA, NULL);
87 if (IS_ERR(session_keyring)) { 91 if (IS_ERR(session_keyring)) {
88 ret = PTR_ERR(session_keyring); 92 ret = PTR_ERR(session_keyring);
89 goto error_release; 93 goto error_release;
@@ -115,140 +119,128 @@ error:
115 return ret; 119 return ret;
116} 120}
117 121
118/*****************************************************************************/
119/* 122/*
120 * deal with the UID changing 123 * install a fresh thread keyring directly to new credentials
121 */ 124 */
122void switch_uid_keyring(struct user_struct *new_user) 125int install_thread_keyring_to_cred(struct cred *new)
123{ 126{
124#if 0 /* do nothing for now */ 127 struct key *keyring;
125 struct key *old;
126
127 /* switch to the new user's session keyring if we were running under
128 * root's default session keyring */
129 if (new_user->uid != 0 &&
130 current->session_keyring == &root_session_keyring
131 ) {
132 atomic_inc(&new_user->session_keyring->usage);
133
134 task_lock(current);
135 old = current->session_keyring;
136 current->session_keyring = new_user->session_keyring;
137 task_unlock(current);
138 128
139 key_put(old); 129 keyring = keyring_alloc("_tid", new->uid, new->gid, new,
140 } 130 KEY_ALLOC_QUOTA_OVERRUN, NULL);
141#endif 131 if (IS_ERR(keyring))
132 return PTR_ERR(keyring);
142 133
143} /* end switch_uid_keyring() */ 134 new->thread_keyring = keyring;
135 return 0;
136}
144 137
145/*****************************************************************************/
146/* 138/*
147 * install a fresh thread keyring, discarding the old one 139 * install a fresh thread keyring, discarding the old one
148 */ 140 */
149int install_thread_keyring(struct task_struct *tsk) 141static int install_thread_keyring(void)
150{ 142{
151 struct key *keyring, *old; 143 struct cred *new;
152 char buf[20];
153 int ret; 144 int ret;
154 145
155 sprintf(buf, "_tid.%u", tsk->pid); 146 new = prepare_creds();
147 if (!new)
148 return -ENOMEM;
156 149
157 keyring = keyring_alloc(buf, tsk->uid, tsk->gid, tsk, 150 BUG_ON(new->thread_keyring);
158 KEY_ALLOC_QUOTA_OVERRUN, NULL); 151
159 if (IS_ERR(keyring)) { 152 ret = install_thread_keyring_to_cred(new);
160 ret = PTR_ERR(keyring); 153 if (ret < 0) {
161 goto error; 154 abort_creds(new);
155 return ret;
162 } 156 }
163 157
164 task_lock(tsk); 158 return commit_creds(new);
165 old = tsk->thread_keyring; 159}
166 tsk->thread_keyring = keyring;
167 task_unlock(tsk);
168 160
169 ret = 0; 161/*
162 * install a process keyring directly to a credentials struct
163 * - returns -EEXIST if there was already a process keyring, 0 if one installed,
164 * and other -ve on any other error
165 */
166int install_process_keyring_to_cred(struct cred *new)
167{
168 struct key *keyring;
169 int ret;
170 170
171 key_put(old); 171 if (new->tgcred->process_keyring)
172error: 172 return -EEXIST;
173
174 keyring = keyring_alloc("_pid", new->uid, new->gid,
175 new, KEY_ALLOC_QUOTA_OVERRUN, NULL);
176 if (IS_ERR(keyring))
177 return PTR_ERR(keyring);
178
179 spin_lock_irq(&new->tgcred->lock);
180 if (!new->tgcred->process_keyring) {
181 new->tgcred->process_keyring = keyring;
182 keyring = NULL;
183 ret = 0;
184 } else {
185 ret = -EEXIST;
186 }
187 spin_unlock_irq(&new->tgcred->lock);
188 key_put(keyring);
173 return ret; 189 return ret;
190}
174 191
175} /* end install_thread_keyring() */
176
177/*****************************************************************************/
178/* 192/*
179 * make sure a process keyring is installed 193 * make sure a process keyring is installed
194 * - we
180 */ 195 */
181int install_process_keyring(struct task_struct *tsk) 196static int install_process_keyring(void)
182{ 197{
183 struct key *keyring; 198 struct cred *new;
184 char buf[20];
185 int ret; 199 int ret;
186 200
187 might_sleep(); 201 new = prepare_creds();
188 202 if (!new)
189 if (!tsk->signal->process_keyring) { 203 return -ENOMEM;
190 sprintf(buf, "_pid.%u", tsk->tgid);
191
192 keyring = keyring_alloc(buf, tsk->uid, tsk->gid, tsk,
193 KEY_ALLOC_QUOTA_OVERRUN, NULL);
194 if (IS_ERR(keyring)) {
195 ret = PTR_ERR(keyring);
196 goto error;
197 }
198
199 /* attach keyring */
200 spin_lock_irq(&tsk->sighand->siglock);
201 if (!tsk->signal->process_keyring) {
202 tsk->signal->process_keyring = keyring;
203 keyring = NULL;
204 }
205 spin_unlock_irq(&tsk->sighand->siglock);
206 204
207 key_put(keyring); 205 ret = install_process_keyring_to_cred(new);
206 if (ret < 0) {
207 abort_creds(new);
208 return ret != -EEXIST ?: 0;
208 } 209 }
209 210
210 ret = 0; 211 return commit_creds(new);
211error: 212}
212 return ret;
213
214} /* end install_process_keyring() */
215 213
216/*****************************************************************************/
217/* 214/*
218 * install a session keyring, discarding the old one 215 * install a session keyring directly to a credentials struct
219 * - if a keyring is not supplied, an empty one is invented
220 */ 216 */
221static int install_session_keyring(struct task_struct *tsk, 217static int install_session_keyring_to_cred(struct cred *cred,
222 struct key *keyring) 218 struct key *keyring)
223{ 219{
224 unsigned long flags; 220 unsigned long flags;
225 struct key *old; 221 struct key *old;
226 char buf[20];
227 222
228 might_sleep(); 223 might_sleep();
229 224
230 /* create an empty session keyring */ 225 /* create an empty session keyring */
231 if (!keyring) { 226 if (!keyring) {
232 sprintf(buf, "_ses.%u", tsk->tgid);
233
234 flags = KEY_ALLOC_QUOTA_OVERRUN; 227 flags = KEY_ALLOC_QUOTA_OVERRUN;
235 if (tsk->signal->session_keyring) 228 if (cred->tgcred->session_keyring)
236 flags = KEY_ALLOC_IN_QUOTA; 229 flags = KEY_ALLOC_IN_QUOTA;
237 230
238 keyring = keyring_alloc(buf, tsk->uid, tsk->gid, tsk, 231 keyring = keyring_alloc("_ses", cred->uid, cred->gid,
239 flags, NULL); 232 cred, flags, NULL);
240 if (IS_ERR(keyring)) 233 if (IS_ERR(keyring))
241 return PTR_ERR(keyring); 234 return PTR_ERR(keyring);
242 } 235 } else {
243 else {
244 atomic_inc(&keyring->usage); 236 atomic_inc(&keyring->usage);
245 } 237 }
246 238
247 /* install the keyring */ 239 /* install the keyring */
248 spin_lock_irq(&tsk->sighand->siglock); 240 spin_lock_irq(&cred->tgcred->lock);
249 old = tsk->signal->session_keyring; 241 old = cred->tgcred->session_keyring;
250 rcu_assign_pointer(tsk->signal->session_keyring, keyring); 242 rcu_assign_pointer(cred->tgcred->session_keyring, keyring);
251 spin_unlock_irq(&tsk->sighand->siglock); 243 spin_unlock_irq(&cred->tgcred->lock);
252 244
253 /* we're using RCU on the pointer, but there's no point synchronising 245 /* we're using RCU on the pointer, but there's no point synchronising
254 * on it if it didn't previously point to anything */ 246 * on it if it didn't previously point to anything */
@@ -258,110 +250,29 @@ static int install_session_keyring(struct task_struct *tsk,
258 } 250 }
259 251
260 return 0; 252 return 0;
253}
261 254
262} /* end install_session_keyring() */
263
264/*****************************************************************************/
265/*
266 * copy the keys in a thread group for fork without CLONE_THREAD
267 */
268int copy_thread_group_keys(struct task_struct *tsk)
269{
270 key_check(current->thread_group->session_keyring);
271 key_check(current->thread_group->process_keyring);
272
273 /* no process keyring yet */
274 tsk->signal->process_keyring = NULL;
275
276 /* same session keyring */
277 rcu_read_lock();
278 tsk->signal->session_keyring =
279 key_get(rcu_dereference(current->signal->session_keyring));
280 rcu_read_unlock();
281
282 return 0;
283
284} /* end copy_thread_group_keys() */
285
286/*****************************************************************************/
287/*
288 * copy the keys for fork
289 */
290int copy_keys(unsigned long clone_flags, struct task_struct *tsk)
291{
292 key_check(tsk->thread_keyring);
293 key_check(tsk->request_key_auth);
294
295 /* no thread keyring yet */
296 tsk->thread_keyring = NULL;
297
298 /* copy the request_key() authorisation for this thread */
299 key_get(tsk->request_key_auth);
300
301 return 0;
302
303} /* end copy_keys() */
304
305/*****************************************************************************/
306/*
307 * dispose of thread group keys upon thread group destruction
308 */
309void exit_thread_group_keys(struct signal_struct *tg)
310{
311 key_put(tg->session_keyring);
312 key_put(tg->process_keyring);
313
314} /* end exit_thread_group_keys() */
315
316/*****************************************************************************/
317/*
318 * dispose of per-thread keys upon thread exit
319 */
320void exit_keys(struct task_struct *tsk)
321{
322 key_put(tsk->thread_keyring);
323 key_put(tsk->request_key_auth);
324
325} /* end exit_keys() */
326
327/*****************************************************************************/
328/* 255/*
329 * deal with execve() 256 * install a session keyring, discarding the old one
257 * - if a keyring is not supplied, an empty one is invented
330 */ 258 */
331int exec_keys(struct task_struct *tsk) 259static int install_session_keyring(struct key *keyring)
332{ 260{
333 struct key *old; 261 struct cred *new;
334 262 int ret;
335 /* newly exec'd tasks don't get a thread keyring */
336 task_lock(tsk);
337 old = tsk->thread_keyring;
338 tsk->thread_keyring = NULL;
339 task_unlock(tsk);
340
341 key_put(old);
342
343 /* discard the process keyring from a newly exec'd task */
344 spin_lock_irq(&tsk->sighand->siglock);
345 old = tsk->signal->process_keyring;
346 tsk->signal->process_keyring = NULL;
347 spin_unlock_irq(&tsk->sighand->siglock);
348
349 key_put(old);
350
351 return 0;
352 263
353} /* end exec_keys() */ 264 new = prepare_creds();
265 if (!new)
266 return -ENOMEM;
354 267
355/*****************************************************************************/ 268 ret = install_session_keyring_to_cred(new, NULL);
356/* 269 if (ret < 0) {
357 * deal with SUID programs 270 abort_creds(new);
358 * - we might want to make this invent a new session keyring 271 return ret;
359 */ 272 }
360int suid_keys(struct task_struct *tsk)
361{
362 return 0;
363 273
364} /* end suid_keys() */ 274 return commit_creds(new);
275}
365 276
366/*****************************************************************************/ 277/*****************************************************************************/
367/* 278/*
@@ -370,10 +281,11 @@ int suid_keys(struct task_struct *tsk)
370void key_fsuid_changed(struct task_struct *tsk) 281void key_fsuid_changed(struct task_struct *tsk)
371{ 282{
372 /* update the ownership of the thread keyring */ 283 /* update the ownership of the thread keyring */
373 if (tsk->thread_keyring) { 284 BUG_ON(!tsk->cred);
374 down_write(&tsk->thread_keyring->sem); 285 if (tsk->cred->thread_keyring) {
375 tsk->thread_keyring->uid = tsk->fsuid; 286 down_write(&tsk->cred->thread_keyring->sem);
376 up_write(&tsk->thread_keyring->sem); 287 tsk->cred->thread_keyring->uid = tsk->cred->fsuid;
288 up_write(&tsk->cred->thread_keyring->sem);
377 } 289 }
378 290
379} /* end key_fsuid_changed() */ 291} /* end key_fsuid_changed() */
@@ -385,10 +297,11 @@ void key_fsuid_changed(struct task_struct *tsk)
385void key_fsgid_changed(struct task_struct *tsk) 297void key_fsgid_changed(struct task_struct *tsk)
386{ 298{
387 /* update the ownership of the thread keyring */ 299 /* update the ownership of the thread keyring */
388 if (tsk->thread_keyring) { 300 BUG_ON(!tsk->cred);
389 down_write(&tsk->thread_keyring->sem); 301 if (tsk->cred->thread_keyring) {
390 tsk->thread_keyring->gid = tsk->fsgid; 302 down_write(&tsk->cred->thread_keyring->sem);
391 up_write(&tsk->thread_keyring->sem); 303 tsk->cred->thread_keyring->gid = tsk->cred->fsgid;
304 up_write(&tsk->cred->thread_keyring->sem);
392 } 305 }
393 306
394} /* end key_fsgid_changed() */ 307} /* end key_fsgid_changed() */
@@ -404,7 +317,7 @@ void key_fsgid_changed(struct task_struct *tsk)
404key_ref_t search_process_keyrings(struct key_type *type, 317key_ref_t search_process_keyrings(struct key_type *type,
405 const void *description, 318 const void *description,
406 key_match_func_t match, 319 key_match_func_t match,
407 struct task_struct *context) 320 const struct cred *cred)
408{ 321{
409 struct request_key_auth *rka; 322 struct request_key_auth *rka;
410 key_ref_t key_ref, ret, err; 323 key_ref_t key_ref, ret, err;
@@ -423,10 +336,10 @@ key_ref_t search_process_keyrings(struct key_type *type,
423 err = ERR_PTR(-EAGAIN); 336 err = ERR_PTR(-EAGAIN);
424 337
425 /* search the thread keyring first */ 338 /* search the thread keyring first */
426 if (context->thread_keyring) { 339 if (cred->thread_keyring) {
427 key_ref = keyring_search_aux( 340 key_ref = keyring_search_aux(
428 make_key_ref(context->thread_keyring, 1), 341 make_key_ref(cred->thread_keyring, 1),
429 context, type, description, match); 342 cred, type, description, match);
430 if (!IS_ERR(key_ref)) 343 if (!IS_ERR(key_ref))
431 goto found; 344 goto found;
432 345
@@ -444,10 +357,10 @@ key_ref_t search_process_keyrings(struct key_type *type,
444 } 357 }
445 358
446 /* search the process keyring second */ 359 /* search the process keyring second */
447 if (context->signal->process_keyring) { 360 if (cred->tgcred->process_keyring) {
448 key_ref = keyring_search_aux( 361 key_ref = keyring_search_aux(
449 make_key_ref(context->signal->process_keyring, 1), 362 make_key_ref(cred->tgcred->process_keyring, 1),
450 context, type, description, match); 363 cred, type, description, match);
451 if (!IS_ERR(key_ref)) 364 if (!IS_ERR(key_ref))
452 goto found; 365 goto found;
453 366
@@ -465,13 +378,13 @@ key_ref_t search_process_keyrings(struct key_type *type,
465 } 378 }
466 379
467 /* search the session keyring */ 380 /* search the session keyring */
468 if (context->signal->session_keyring) { 381 if (cred->tgcred->session_keyring) {
469 rcu_read_lock(); 382 rcu_read_lock();
470 key_ref = keyring_search_aux( 383 key_ref = keyring_search_aux(
471 make_key_ref(rcu_dereference( 384 make_key_ref(rcu_dereference(
472 context->signal->session_keyring), 385 cred->tgcred->session_keyring),
473 1), 386 1),
474 context, type, description, match); 387 cred, type, description, match);
475 rcu_read_unlock(); 388 rcu_read_unlock();
476 389
477 if (!IS_ERR(key_ref)) 390 if (!IS_ERR(key_ref))
@@ -490,10 +403,10 @@ key_ref_t search_process_keyrings(struct key_type *type,
490 } 403 }
491 } 404 }
492 /* or search the user-session keyring */ 405 /* or search the user-session keyring */
493 else if (context->user->session_keyring) { 406 else if (cred->user->session_keyring) {
494 key_ref = keyring_search_aux( 407 key_ref = keyring_search_aux(
495 make_key_ref(context->user->session_keyring, 1), 408 make_key_ref(cred->user->session_keyring, 1),
496 context, type, description, match); 409 cred, type, description, match);
497 if (!IS_ERR(key_ref)) 410 if (!IS_ERR(key_ref))
498 goto found; 411 goto found;
499 412
@@ -514,20 +427,20 @@ key_ref_t search_process_keyrings(struct key_type *type,
514 * search the keyrings of the process mentioned there 427 * search the keyrings of the process mentioned there
515 * - we don't permit access to request_key auth keys via this method 428 * - we don't permit access to request_key auth keys via this method
516 */ 429 */
517 if (context->request_key_auth && 430 if (cred->request_key_auth &&
518 context == current && 431 cred == current_cred() &&
519 type != &key_type_request_key_auth 432 type != &key_type_request_key_auth
520 ) { 433 ) {
521 /* defend against the auth key being revoked */ 434 /* defend against the auth key being revoked */
522 down_read(&context->request_key_auth->sem); 435 down_read(&cred->request_key_auth->sem);
523 436
524 if (key_validate(context->request_key_auth) == 0) { 437 if (key_validate(cred->request_key_auth) == 0) {
525 rka = context->request_key_auth->payload.data; 438 rka = cred->request_key_auth->payload.data;
526 439
527 key_ref = search_process_keyrings(type, description, 440 key_ref = search_process_keyrings(type, description,
528 match, rka->context); 441 match, rka->cred);
529 442
530 up_read(&context->request_key_auth->sem); 443 up_read(&cred->request_key_auth->sem);
531 444
532 if (!IS_ERR(key_ref)) 445 if (!IS_ERR(key_ref))
533 goto found; 446 goto found;
@@ -544,7 +457,7 @@ key_ref_t search_process_keyrings(struct key_type *type,
544 break; 457 break;
545 } 458 }
546 } else { 459 } else {
547 up_read(&context->request_key_auth->sem); 460 up_read(&cred->request_key_auth->sem);
548 } 461 }
549 } 462 }
550 463
@@ -572,93 +485,98 @@ static int lookup_user_key_possessed(const struct key *key, const void *target)
572 * - don't create special keyrings unless so requested 485 * - don't create special keyrings unless so requested
573 * - partially constructed keys aren't found unless requested 486 * - partially constructed keys aren't found unless requested
574 */ 487 */
575key_ref_t lookup_user_key(struct task_struct *context, key_serial_t id, 488key_ref_t lookup_user_key(key_serial_t id, int create, int partial,
576 int create, int partial, key_perm_t perm) 489 key_perm_t perm)
577{ 490{
578 key_ref_t key_ref, skey_ref; 491 struct request_key_auth *rka;
492 const struct cred *cred;
579 struct key *key; 493 struct key *key;
494 key_ref_t key_ref, skey_ref;
580 int ret; 495 int ret;
581 496
582 if (!context) 497try_again:
583 context = current; 498 cred = get_current_cred();
584
585 key_ref = ERR_PTR(-ENOKEY); 499 key_ref = ERR_PTR(-ENOKEY);
586 500
587 switch (id) { 501 switch (id) {
588 case KEY_SPEC_THREAD_KEYRING: 502 case KEY_SPEC_THREAD_KEYRING:
589 if (!context->thread_keyring) { 503 if (!cred->thread_keyring) {
590 if (!create) 504 if (!create)
591 goto error; 505 goto error;
592 506
593 ret = install_thread_keyring(context); 507 ret = install_thread_keyring();
594 if (ret < 0) { 508 if (ret < 0) {
595 key = ERR_PTR(ret); 509 key = ERR_PTR(ret);
596 goto error; 510 goto error;
597 } 511 }
512 goto reget_creds;
598 } 513 }
599 514
600 key = context->thread_keyring; 515 key = cred->thread_keyring;
601 atomic_inc(&key->usage); 516 atomic_inc(&key->usage);
602 key_ref = make_key_ref(key, 1); 517 key_ref = make_key_ref(key, 1);
603 break; 518 break;
604 519
605 case KEY_SPEC_PROCESS_KEYRING: 520 case KEY_SPEC_PROCESS_KEYRING:
606 if (!context->signal->process_keyring) { 521 if (!cred->tgcred->process_keyring) {
607 if (!create) 522 if (!create)
608 goto error; 523 goto error;
609 524
610 ret = install_process_keyring(context); 525 ret = install_process_keyring();
611 if (ret < 0) { 526 if (ret < 0) {
612 key = ERR_PTR(ret); 527 key = ERR_PTR(ret);
613 goto error; 528 goto error;
614 } 529 }
530 goto reget_creds;
615 } 531 }
616 532
617 key = context->signal->process_keyring; 533 key = cred->tgcred->process_keyring;
618 atomic_inc(&key->usage); 534 atomic_inc(&key->usage);
619 key_ref = make_key_ref(key, 1); 535 key_ref = make_key_ref(key, 1);
620 break; 536 break;
621 537
622 case KEY_SPEC_SESSION_KEYRING: 538 case KEY_SPEC_SESSION_KEYRING:
623 if (!context->signal->session_keyring) { 539 if (!cred->tgcred->session_keyring) {
624 /* always install a session keyring upon access if one 540 /* always install a session keyring upon access if one
625 * doesn't exist yet */ 541 * doesn't exist yet */
626 ret = install_user_keyrings(context); 542 ret = install_user_keyrings();
627 if (ret < 0) 543 if (ret < 0)
628 goto error; 544 goto error;
629 ret = install_session_keyring( 545 ret = install_session_keyring(
630 context, context->user->session_keyring); 546 cred->user->session_keyring);
547
631 if (ret < 0) 548 if (ret < 0)
632 goto error; 549 goto error;
550 goto reget_creds;
633 } 551 }
634 552
635 rcu_read_lock(); 553 rcu_read_lock();
636 key = rcu_dereference(context->signal->session_keyring); 554 key = rcu_dereference(cred->tgcred->session_keyring);
637 atomic_inc(&key->usage); 555 atomic_inc(&key->usage);
638 rcu_read_unlock(); 556 rcu_read_unlock();
639 key_ref = make_key_ref(key, 1); 557 key_ref = make_key_ref(key, 1);
640 break; 558 break;
641 559
642 case KEY_SPEC_USER_KEYRING: 560 case KEY_SPEC_USER_KEYRING:
643 if (!context->user->uid_keyring) { 561 if (!cred->user->uid_keyring) {
644 ret = install_user_keyrings(context); 562 ret = install_user_keyrings();
645 if (ret < 0) 563 if (ret < 0)
646 goto error; 564 goto error;
647 } 565 }
648 566
649 key = context->user->uid_keyring; 567 key = cred->user->uid_keyring;
650 atomic_inc(&key->usage); 568 atomic_inc(&key->usage);
651 key_ref = make_key_ref(key, 1); 569 key_ref = make_key_ref(key, 1);
652 break; 570 break;
653 571
654 case KEY_SPEC_USER_SESSION_KEYRING: 572 case KEY_SPEC_USER_SESSION_KEYRING:
655 if (!context->user->session_keyring) { 573 if (!cred->user->session_keyring) {
656 ret = install_user_keyrings(context); 574 ret = install_user_keyrings();
657 if (ret < 0) 575 if (ret < 0)
658 goto error; 576 goto error;
659 } 577 }
660 578
661 key = context->user->session_keyring; 579 key = cred->user->session_keyring;
662 atomic_inc(&key->usage); 580 atomic_inc(&key->usage);
663 key_ref = make_key_ref(key, 1); 581 key_ref = make_key_ref(key, 1);
664 break; 582 break;
@@ -669,7 +587,7 @@ key_ref_t lookup_user_key(struct task_struct *context, key_serial_t id,
669 goto error; 587 goto error;
670 588
671 case KEY_SPEC_REQKEY_AUTH_KEY: 589 case KEY_SPEC_REQKEY_AUTH_KEY:
672 key = context->request_key_auth; 590 key = cred->request_key_auth;
673 if (!key) 591 if (!key)
674 goto error; 592 goto error;
675 593
@@ -677,6 +595,25 @@ key_ref_t lookup_user_key(struct task_struct *context, key_serial_t id,
677 key_ref = make_key_ref(key, 1); 595 key_ref = make_key_ref(key, 1);
678 break; 596 break;
679 597
598 case KEY_SPEC_REQUESTOR_KEYRING:
599 if (!cred->request_key_auth)
600 goto error;
601
602 down_read(&cred->request_key_auth->sem);
603 if (cred->request_key_auth->flags & KEY_FLAG_REVOKED) {
604 key_ref = ERR_PTR(-EKEYREVOKED);
605 key = NULL;
606 } else {
607 rka = cred->request_key_auth->payload.data;
608 key = rka->dest_keyring;
609 atomic_inc(&key->usage);
610 }
611 up_read(&cred->request_key_auth->sem);
612 if (!key)
613 goto error;
614 key_ref = make_key_ref(key, 1);
615 break;
616
680 default: 617 default:
681 key_ref = ERR_PTR(-EINVAL); 618 key_ref = ERR_PTR(-EINVAL);
682 if (id < 1) 619 if (id < 1)
@@ -693,7 +630,7 @@ key_ref_t lookup_user_key(struct task_struct *context, key_serial_t id,
693 /* check to see if we possess the key */ 630 /* check to see if we possess the key */
694 skey_ref = search_process_keyrings(key->type, key, 631 skey_ref = search_process_keyrings(key->type, key,
695 lookup_user_key_possessed, 632 lookup_user_key_possessed,
696 current); 633 cred);
697 634
698 if (!IS_ERR(skey_ref)) { 635 if (!IS_ERR(skey_ref)) {
699 key_put(key); 636 key_put(key);
@@ -725,11 +662,12 @@ key_ref_t lookup_user_key(struct task_struct *context, key_serial_t id,
725 goto invalid_key; 662 goto invalid_key;
726 663
727 /* check the permissions */ 664 /* check the permissions */
728 ret = key_task_permission(key_ref, context, perm); 665 ret = key_task_permission(key_ref, cred, perm);
729 if (ret < 0) 666 if (ret < 0)
730 goto invalid_key; 667 goto invalid_key;
731 668
732error: 669error:
670 put_cred(cred);
733 return key_ref; 671 return key_ref;
734 672
735invalid_key: 673invalid_key:
@@ -737,6 +675,12 @@ invalid_key:
737 key_ref = ERR_PTR(ret); 675 key_ref = ERR_PTR(ret);
738 goto error; 676 goto error;
739 677
678 /* if we attempted to install a keyring, then it may have caused new
679 * creds to be installed */
680reget_creds:
681 put_cred(cred);
682 goto try_again;
683
740} /* end lookup_user_key() */ 684} /* end lookup_user_key() */
741 685
742/*****************************************************************************/ 686/*****************************************************************************/
@@ -748,20 +692,33 @@ invalid_key:
748 */ 692 */
749long join_session_keyring(const char *name) 693long join_session_keyring(const char *name)
750{ 694{
751 struct task_struct *tsk = current; 695 const struct cred *old;
696 struct cred *new;
752 struct key *keyring; 697 struct key *keyring;
753 long ret; 698 long ret, serial;
699
700 /* only permit this if there's a single thread in the thread group -
701 * this avoids us having to adjust the creds on all threads and risking
702 * ENOMEM */
703 if (!is_single_threaded(current))
704 return -EMLINK;
705
706 new = prepare_creds();
707 if (!new)
708 return -ENOMEM;
709 old = current_cred();
754 710
755 /* if no name is provided, install an anonymous keyring */ 711 /* if no name is provided, install an anonymous keyring */
756 if (!name) { 712 if (!name) {
757 ret = install_session_keyring(tsk, NULL); 713 ret = install_session_keyring_to_cred(new, NULL);
758 if (ret < 0) 714 if (ret < 0)
759 goto error; 715 goto error;
760 716
761 rcu_read_lock(); 717 serial = new->tgcred->session_keyring->serial;
762 ret = rcu_dereference(tsk->signal->session_keyring)->serial; 718 ret = commit_creds(new);
763 rcu_read_unlock(); 719 if (ret == 0)
764 goto error; 720 ret = serial;
721 goto okay;
765 } 722 }
766 723
767 /* allow the user to join or create a named keyring */ 724 /* allow the user to join or create a named keyring */
@@ -771,29 +728,33 @@ long join_session_keyring(const char *name)
771 keyring = find_keyring_by_name(name, false); 728 keyring = find_keyring_by_name(name, false);
772 if (PTR_ERR(keyring) == -ENOKEY) { 729 if (PTR_ERR(keyring) == -ENOKEY) {
773 /* not found - try and create a new one */ 730 /* not found - try and create a new one */
774 keyring = keyring_alloc(name, tsk->uid, tsk->gid, tsk, 731 keyring = keyring_alloc(name, old->uid, old->gid, old,
775 KEY_ALLOC_IN_QUOTA, NULL); 732 KEY_ALLOC_IN_QUOTA, NULL);
776 if (IS_ERR(keyring)) { 733 if (IS_ERR(keyring)) {
777 ret = PTR_ERR(keyring); 734 ret = PTR_ERR(keyring);
778 goto error2; 735 goto error2;
779 } 736 }
780 } 737 } else if (IS_ERR(keyring)) {
781 else if (IS_ERR(keyring)) {
782 ret = PTR_ERR(keyring); 738 ret = PTR_ERR(keyring);
783 goto error2; 739 goto error2;
784 } 740 }
785 741
786 /* we've got a keyring - now to install it */ 742 /* we've got a keyring - now to install it */
787 ret = install_session_keyring(tsk, keyring); 743 ret = install_session_keyring_to_cred(new, keyring);
788 if (ret < 0) 744 if (ret < 0)
789 goto error2; 745 goto error2;
790 746
747 commit_creds(new);
748 mutex_unlock(&key_session_mutex);
749
791 ret = keyring->serial; 750 ret = keyring->serial;
792 key_put(keyring); 751 key_put(keyring);
752okay:
753 return ret;
793 754
794error2: 755error2:
795 mutex_unlock(&key_session_mutex); 756 mutex_unlock(&key_session_mutex);
796error: 757error:
758 abort_creds(new);
797 return ret; 759 return ret;
798 760}
799} /* end join_session_keyring() */
diff --git a/security/keys/request_key.c b/security/keys/request_key.c
index abea08f87fe2..0e04f72ef2d4 100644
--- a/security/keys/request_key.c
+++ b/security/keys/request_key.c
@@ -19,6 +19,8 @@
19#include <linux/slab.h> 19#include <linux/slab.h>
20#include "internal.h" 20#include "internal.h"
21 21
22#define key_negative_timeout 60 /* default timeout on a negative key's existence */
23
22/* 24/*
23 * wait_on_bit() sleep function for uninterruptible waiting 25 * wait_on_bit() sleep function for uninterruptible waiting
24 */ 26 */
@@ -64,7 +66,7 @@ static int call_sbin_request_key(struct key_construction *cons,
64 const char *op, 66 const char *op,
65 void *aux) 67 void *aux)
66{ 68{
67 struct task_struct *tsk = current; 69 const struct cred *cred = current_cred();
68 key_serial_t prkey, sskey; 70 key_serial_t prkey, sskey;
69 struct key *key = cons->key, *authkey = cons->authkey, *keyring; 71 struct key *key = cons->key, *authkey = cons->authkey, *keyring;
70 char *argv[9], *envp[3], uid_str[12], gid_str[12]; 72 char *argv[9], *envp[3], uid_str[12], gid_str[12];
@@ -74,15 +76,17 @@ static int call_sbin_request_key(struct key_construction *cons,
74 76
75 kenter("{%d},{%d},%s", key->serial, authkey->serial, op); 77 kenter("{%d},{%d},%s", key->serial, authkey->serial, op);
76 78
77 ret = install_user_keyrings(tsk); 79 ret = install_user_keyrings();
78 if (ret < 0) 80 if (ret < 0)
79 goto error_alloc; 81 goto error_alloc;
80 82
81 /* allocate a new session keyring */ 83 /* allocate a new session keyring */
82 sprintf(desc, "_req.%u", key->serial); 84 sprintf(desc, "_req.%u", key->serial);
83 85
84 keyring = keyring_alloc(desc, current->fsuid, current->fsgid, current, 86 cred = get_current_cred();
87 keyring = keyring_alloc(desc, cred->fsuid, cred->fsgid, cred,
85 KEY_ALLOC_QUOTA_OVERRUN, NULL); 88 KEY_ALLOC_QUOTA_OVERRUN, NULL);
89 put_cred(cred);
86 if (IS_ERR(keyring)) { 90 if (IS_ERR(keyring)) {
87 ret = PTR_ERR(keyring); 91 ret = PTR_ERR(keyring);
88 goto error_alloc; 92 goto error_alloc;
@@ -94,29 +98,24 @@ static int call_sbin_request_key(struct key_construction *cons,
94 goto error_link; 98 goto error_link;
95 99
96 /* record the UID and GID */ 100 /* record the UID and GID */
97 sprintf(uid_str, "%d", current->fsuid); 101 sprintf(uid_str, "%d", cred->fsuid);
98 sprintf(gid_str, "%d", current->fsgid); 102 sprintf(gid_str, "%d", cred->fsgid);
99 103
100 /* we say which key is under construction */ 104 /* we say which key is under construction */
101 sprintf(key_str, "%d", key->serial); 105 sprintf(key_str, "%d", key->serial);
102 106
103 /* we specify the process's default keyrings */ 107 /* we specify the process's default keyrings */
104 sprintf(keyring_str[0], "%d", 108 sprintf(keyring_str[0], "%d",
105 tsk->thread_keyring ? tsk->thread_keyring->serial : 0); 109 cred->thread_keyring ? cred->thread_keyring->serial : 0);
106 110
107 prkey = 0; 111 prkey = 0;
108 if (tsk->signal->process_keyring) 112 if (cred->tgcred->process_keyring)
109 prkey = tsk->signal->process_keyring->serial; 113 prkey = cred->tgcred->process_keyring->serial;
110
111 sprintf(keyring_str[1], "%d", prkey);
112 114
113 if (tsk->signal->session_keyring) { 115 if (cred->tgcred->session_keyring)
114 rcu_read_lock(); 116 sskey = rcu_dereference(cred->tgcred->session_keyring)->serial;
115 sskey = rcu_dereference(tsk->signal->session_keyring)->serial; 117 else
116 rcu_read_unlock(); 118 sskey = cred->user->session_keyring->serial;
117 } else {
118 sskey = tsk->user->session_keyring->serial;
119 }
120 119
121 sprintf(keyring_str[2], "%d", sskey); 120 sprintf(keyring_str[2], "%d", sskey);
122 121
@@ -157,8 +156,8 @@ error_link:
157 key_put(keyring); 156 key_put(keyring);
158 157
159error_alloc: 158error_alloc:
160 kleave(" = %d", ret);
161 complete_request_key(cons, ret); 159 complete_request_key(cons, ret);
160 kleave(" = %d", ret);
162 return ret; 161 return ret;
163} 162}
164 163
@@ -167,7 +166,8 @@ error_alloc:
167 * - we ignore program failure and go on key status instead 166 * - we ignore program failure and go on key status instead
168 */ 167 */
169static int construct_key(struct key *key, const void *callout_info, 168static int construct_key(struct key *key, const void *callout_info,
170 size_t callout_len, void *aux) 169 size_t callout_len, void *aux,
170 struct key *dest_keyring)
171{ 171{
172 struct key_construction *cons; 172 struct key_construction *cons;
173 request_key_actor_t actor; 173 request_key_actor_t actor;
@@ -181,7 +181,8 @@ static int construct_key(struct key *key, const void *callout_info,
181 return -ENOMEM; 181 return -ENOMEM;
182 182
183 /* allocate an authorisation key */ 183 /* allocate an authorisation key */
184 authkey = request_key_auth_new(key, callout_info, callout_len); 184 authkey = request_key_auth_new(key, callout_info, callout_len,
185 dest_keyring);
185 if (IS_ERR(authkey)) { 186 if (IS_ERR(authkey)) {
186 kfree(cons); 187 kfree(cons);
187 ret = PTR_ERR(authkey); 188 ret = PTR_ERR(authkey);
@@ -209,46 +210,67 @@ static int construct_key(struct key *key, const void *callout_info,
209} 210}
210 211
211/* 212/*
212 * link a key to the appropriate destination keyring 213 * get the appropriate destination keyring for the request
213 * - the caller must hold a write lock on the destination keyring 214 * - we return whatever keyring we select with an extra reference upon it which
215 * the caller must release
214 */ 216 */
215static void construct_key_make_link(struct key *key, struct key *dest_keyring) 217static void construct_get_dest_keyring(struct key **_dest_keyring)
216{ 218{
217 struct task_struct *tsk = current; 219 struct request_key_auth *rka;
218 struct key *drop = NULL; 220 const struct cred *cred = current_cred();
221 struct key *dest_keyring = *_dest_keyring, *authkey;
219 222
220 kenter("{%d},%p", key->serial, dest_keyring); 223 kenter("%p", dest_keyring);
221 224
222 /* find the appropriate keyring */ 225 /* find the appropriate keyring */
223 if (!dest_keyring) { 226 if (dest_keyring) {
224 switch (tsk->jit_keyring) { 227 /* the caller supplied one */
228 key_get(dest_keyring);
229 } else {
230 /* use a default keyring; falling through the cases until we
231 * find one that we actually have */
232 switch (cred->jit_keyring) {
225 case KEY_REQKEY_DEFL_DEFAULT: 233 case KEY_REQKEY_DEFL_DEFAULT:
234 case KEY_REQKEY_DEFL_REQUESTOR_KEYRING:
235 if (cred->request_key_auth) {
236 authkey = cred->request_key_auth;
237 down_read(&authkey->sem);
238 rka = authkey->payload.data;
239 if (!test_bit(KEY_FLAG_REVOKED,
240 &authkey->flags))
241 dest_keyring =
242 key_get(rka->dest_keyring);
243 up_read(&authkey->sem);
244 if (dest_keyring)
245 break;
246 }
247
226 case KEY_REQKEY_DEFL_THREAD_KEYRING: 248 case KEY_REQKEY_DEFL_THREAD_KEYRING:
227 dest_keyring = tsk->thread_keyring; 249 dest_keyring = key_get(cred->thread_keyring);
228 if (dest_keyring) 250 if (dest_keyring)
229 break; 251 break;
230 252
231 case KEY_REQKEY_DEFL_PROCESS_KEYRING: 253 case KEY_REQKEY_DEFL_PROCESS_KEYRING:
232 dest_keyring = tsk->signal->process_keyring; 254 dest_keyring = key_get(cred->tgcred->process_keyring);
233 if (dest_keyring) 255 if (dest_keyring)
234 break; 256 break;
235 257
236 case KEY_REQKEY_DEFL_SESSION_KEYRING: 258 case KEY_REQKEY_DEFL_SESSION_KEYRING:
237 rcu_read_lock(); 259 rcu_read_lock();
238 dest_keyring = key_get( 260 dest_keyring = key_get(
239 rcu_dereference(tsk->signal->session_keyring)); 261 rcu_dereference(cred->tgcred->session_keyring));
240 rcu_read_unlock(); 262 rcu_read_unlock();
241 drop = dest_keyring;
242 263
243 if (dest_keyring) 264 if (dest_keyring)
244 break; 265 break;
245 266
246 case KEY_REQKEY_DEFL_USER_SESSION_KEYRING: 267 case KEY_REQKEY_DEFL_USER_SESSION_KEYRING:
247 dest_keyring = tsk->user->session_keyring; 268 dest_keyring =
269 key_get(cred->user->session_keyring);
248 break; 270 break;
249 271
250 case KEY_REQKEY_DEFL_USER_KEYRING: 272 case KEY_REQKEY_DEFL_USER_KEYRING:
251 dest_keyring = tsk->user->uid_keyring; 273 dest_keyring = key_get(cred->user->uid_keyring);
252 break; 274 break;
253 275
254 case KEY_REQKEY_DEFL_GROUP_KEYRING: 276 case KEY_REQKEY_DEFL_GROUP_KEYRING:
@@ -257,10 +279,9 @@ static void construct_key_make_link(struct key *key, struct key *dest_keyring)
257 } 279 }
258 } 280 }
259 281
260 /* and attach the key to it */ 282 *_dest_keyring = dest_keyring;
261 __key_link(dest_keyring, key); 283 kleave(" [dk %d]", key_serial(dest_keyring));
262 key_put(drop); 284 return;
263 kleave("");
264} 285}
265 286
266/* 287/*
@@ -275,6 +296,7 @@ static int construct_alloc_key(struct key_type *type,
275 struct key_user *user, 296 struct key_user *user,
276 struct key **_key) 297 struct key **_key)
277{ 298{
299 const struct cred *cred = current_cred();
278 struct key *key; 300 struct key *key;
279 key_ref_t key_ref; 301 key_ref_t key_ref;
280 302
@@ -282,33 +304,28 @@ static int construct_alloc_key(struct key_type *type,
282 304
283 mutex_lock(&user->cons_lock); 305 mutex_lock(&user->cons_lock);
284 306
285 key = key_alloc(type, description, 307 key = key_alloc(type, description, cred->fsuid, cred->fsgid, cred,
286 current->fsuid, current->fsgid, current, KEY_POS_ALL, 308 KEY_POS_ALL, flags);
287 flags);
288 if (IS_ERR(key)) 309 if (IS_ERR(key))
289 goto alloc_failed; 310 goto alloc_failed;
290 311
291 set_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags); 312 set_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags);
292 313
293 if (dest_keyring) 314 down_write(&dest_keyring->sem);
294 down_write(&dest_keyring->sem);
295 315
296 /* attach the key to the destination keyring under lock, but we do need 316 /* attach the key to the destination keyring under lock, but we do need
297 * to do another check just in case someone beat us to it whilst we 317 * to do another check just in case someone beat us to it whilst we
298 * waited for locks */ 318 * waited for locks */
299 mutex_lock(&key_construction_mutex); 319 mutex_lock(&key_construction_mutex);
300 320
301 key_ref = search_process_keyrings(type, description, type->match, 321 key_ref = search_process_keyrings(type, description, type->match, cred);
302 current);
303 if (!IS_ERR(key_ref)) 322 if (!IS_ERR(key_ref))
304 goto key_already_present; 323 goto key_already_present;
305 324
306 if (dest_keyring) 325 __key_link(dest_keyring, key);
307 construct_key_make_link(key, dest_keyring);
308 326
309 mutex_unlock(&key_construction_mutex); 327 mutex_unlock(&key_construction_mutex);
310 if (dest_keyring) 328 up_write(&dest_keyring->sem);
311 up_write(&dest_keyring->sem);
312 mutex_unlock(&user->cons_lock); 329 mutex_unlock(&user->cons_lock);
313 *_key = key; 330 *_key = key;
314 kleave(" = 0 [%d]", key_serial(key)); 331 kleave(" = 0 [%d]", key_serial(key));
@@ -346,25 +363,36 @@ static struct key *construct_key_and_link(struct key_type *type,
346 struct key *key; 363 struct key *key;
347 int ret; 364 int ret;
348 365
349 user = key_user_lookup(current->fsuid); 366 kenter("");
367
368 user = key_user_lookup(current_fsuid());
350 if (!user) 369 if (!user)
351 return ERR_PTR(-ENOMEM); 370 return ERR_PTR(-ENOMEM);
352 371
372 construct_get_dest_keyring(&dest_keyring);
373
353 ret = construct_alloc_key(type, description, dest_keyring, flags, user, 374 ret = construct_alloc_key(type, description, dest_keyring, flags, user,
354 &key); 375 &key);
355 key_user_put(user); 376 key_user_put(user);
356 377
357 if (ret == 0) { 378 if (ret == 0) {
358 ret = construct_key(key, callout_info, callout_len, aux); 379 ret = construct_key(key, callout_info, callout_len, aux,
359 if (ret < 0) 380 dest_keyring);
381 if (ret < 0) {
382 kdebug("cons failed");
360 goto construction_failed; 383 goto construction_failed;
384 }
361 } 385 }
362 386
387 key_put(dest_keyring);
388 kleave(" = key %d", key_serial(key));
363 return key; 389 return key;
364 390
365construction_failed: 391construction_failed:
366 key_negate_and_link(key, key_negative_timeout, NULL, NULL); 392 key_negate_and_link(key, key_negative_timeout, NULL, NULL);
367 key_put(key); 393 key_put(key);
394 key_put(dest_keyring);
395 kleave(" = %d", ret);
368 return ERR_PTR(ret); 396 return ERR_PTR(ret);
369} 397}
370 398
@@ -383,6 +411,7 @@ struct key *request_key_and_link(struct key_type *type,
383 struct key *dest_keyring, 411 struct key *dest_keyring,
384 unsigned long flags) 412 unsigned long flags)
385{ 413{
414 const struct cred *cred = current_cred();
386 struct key *key; 415 struct key *key;
387 key_ref_t key_ref; 416 key_ref_t key_ref;
388 417
@@ -392,7 +421,7 @@ struct key *request_key_and_link(struct key_type *type,
392 421
393 /* search all the process keyrings for a key */ 422 /* search all the process keyrings for a key */
394 key_ref = search_process_keyrings(type, description, type->match, 423 key_ref = search_process_keyrings(type, description, type->match,
395 current); 424 cred);
396 425
397 if (!IS_ERR(key_ref)) { 426 if (!IS_ERR(key_ref)) {
398 key = key_ref_to_ptr(key_ref); 427 key = key_ref_to_ptr(key_ref);
diff --git a/security/keys/request_key_auth.c b/security/keys/request_key_auth.c
index bd237b0a6331..86747151ee5b 100644
--- a/security/keys/request_key_auth.c
+++ b/security/keys/request_key_auth.c
@@ -105,9 +105,9 @@ static void request_key_auth_revoke(struct key *key)
105 105
106 kenter("{%d}", key->serial); 106 kenter("{%d}", key->serial);
107 107
108 if (rka->context) { 108 if (rka->cred) {
109 put_task_struct(rka->context); 109 put_cred(rka->cred);
110 rka->context = NULL; 110 rka->cred = NULL;
111 } 111 }
112 112
113} /* end request_key_auth_revoke() */ 113} /* end request_key_auth_revoke() */
@@ -122,12 +122,13 @@ static void request_key_auth_destroy(struct key *key)
122 122
123 kenter("{%d}", key->serial); 123 kenter("{%d}", key->serial);
124 124
125 if (rka->context) { 125 if (rka->cred) {
126 put_task_struct(rka->context); 126 put_cred(rka->cred);
127 rka->context = NULL; 127 rka->cred = NULL;
128 } 128 }
129 129
130 key_put(rka->target_key); 130 key_put(rka->target_key);
131 key_put(rka->dest_keyring);
131 kfree(rka->callout_info); 132 kfree(rka->callout_info);
132 kfree(rka); 133 kfree(rka);
133 134
@@ -139,9 +140,10 @@ static void request_key_auth_destroy(struct key *key)
139 * access to the caller's security data 140 * access to the caller's security data
140 */ 141 */
141struct key *request_key_auth_new(struct key *target, const void *callout_info, 142struct key *request_key_auth_new(struct key *target, const void *callout_info,
142 size_t callout_len) 143 size_t callout_len, struct key *dest_keyring)
143{ 144{
144 struct request_key_auth *rka, *irka; 145 struct request_key_auth *rka, *irka;
146 const struct cred *cred = current->cred;
145 struct key *authkey = NULL; 147 struct key *authkey = NULL;
146 char desc[20]; 148 char desc[20];
147 int ret; 149 int ret;
@@ -163,31 +165,29 @@ struct key *request_key_auth_new(struct key *target, const void *callout_info,
163 165
164 /* see if the calling process is already servicing the key request of 166 /* see if the calling process is already servicing the key request of
165 * another process */ 167 * another process */
166 if (current->request_key_auth) { 168 if (cred->request_key_auth) {
167 /* it is - use that instantiation context here too */ 169 /* it is - use that instantiation context here too */
168 down_read(&current->request_key_auth->sem); 170 down_read(&cred->request_key_auth->sem);
169 171
170 /* if the auth key has been revoked, then the key we're 172 /* if the auth key has been revoked, then the key we're
171 * servicing is already instantiated */ 173 * servicing is already instantiated */
172 if (test_bit(KEY_FLAG_REVOKED, 174 if (test_bit(KEY_FLAG_REVOKED, &cred->request_key_auth->flags))
173 &current->request_key_auth->flags))
174 goto auth_key_revoked; 175 goto auth_key_revoked;
175 176
176 irka = current->request_key_auth->payload.data; 177 irka = cred->request_key_auth->payload.data;
177 rka->context = irka->context; 178 rka->cred = get_cred(irka->cred);
178 rka->pid = irka->pid; 179 rka->pid = irka->pid;
179 get_task_struct(rka->context);
180 180
181 up_read(&current->request_key_auth->sem); 181 up_read(&cred->request_key_auth->sem);
182 } 182 }
183 else { 183 else {
184 /* it isn't - use this process as the context */ 184 /* it isn't - use this process as the context */
185 rka->context = current; 185 rka->cred = get_cred(cred);
186 rka->pid = current->pid; 186 rka->pid = current->pid;
187 get_task_struct(rka->context);
188 } 187 }
189 188
190 rka->target_key = key_get(target); 189 rka->target_key = key_get(target);
190 rka->dest_keyring = key_get(dest_keyring);
191 memcpy(rka->callout_info, callout_info, callout_len); 191 memcpy(rka->callout_info, callout_info, callout_len);
192 rka->callout_len = callout_len; 192 rka->callout_len = callout_len;
193 193
@@ -195,7 +195,7 @@ struct key *request_key_auth_new(struct key *target, const void *callout_info,
195 sprintf(desc, "%x", target->serial); 195 sprintf(desc, "%x", target->serial);
196 196
197 authkey = key_alloc(&key_type_request_key_auth, desc, 197 authkey = key_alloc(&key_type_request_key_auth, desc,
198 current->fsuid, current->fsgid, current, 198 cred->fsuid, cred->fsgid, cred,
199 KEY_POS_VIEW | KEY_POS_READ | KEY_POS_SEARCH | 199 KEY_POS_VIEW | KEY_POS_READ | KEY_POS_SEARCH |
200 KEY_USR_VIEW, KEY_ALLOC_NOT_IN_QUOTA); 200 KEY_USR_VIEW, KEY_ALLOC_NOT_IN_QUOTA);
201 if (IS_ERR(authkey)) { 201 if (IS_ERR(authkey)) {
@@ -203,16 +203,16 @@ struct key *request_key_auth_new(struct key *target, const void *callout_info,
203 goto error_alloc; 203 goto error_alloc;
204 } 204 }
205 205
206 /* construct and attach to the keyring */ 206 /* construct the auth key */
207 ret = key_instantiate_and_link(authkey, rka, 0, NULL, NULL); 207 ret = key_instantiate_and_link(authkey, rka, 0, NULL, NULL);
208 if (ret < 0) 208 if (ret < 0)
209 goto error_inst; 209 goto error_inst;
210 210
211 kleave(" = {%d}", authkey->serial); 211 kleave(" = {%d,%d}", authkey->serial, atomic_read(&authkey->usage));
212 return authkey; 212 return authkey;
213 213
214auth_key_revoked: 214auth_key_revoked:
215 up_read(&current->request_key_auth->sem); 215 up_read(&cred->request_key_auth->sem);
216 kfree(rka->callout_info); 216 kfree(rka->callout_info);
217 kfree(rka); 217 kfree(rka);
218 kleave("= -EKEYREVOKED"); 218 kleave("= -EKEYREVOKED");
@@ -223,6 +223,7 @@ error_inst:
223 key_put(authkey); 223 key_put(authkey);
224error_alloc: 224error_alloc:
225 key_put(rka->target_key); 225 key_put(rka->target_key);
226 key_put(rka->dest_keyring);
226 kfree(rka->callout_info); 227 kfree(rka->callout_info);
227 kfree(rka); 228 kfree(rka);
228 kleave("= %d", ret); 229 kleave("= %d", ret);
@@ -254,6 +255,7 @@ static int key_get_instantiation_authkey_match(const struct key *key,
254 */ 255 */
255struct key *key_get_instantiation_authkey(key_serial_t target_id) 256struct key *key_get_instantiation_authkey(key_serial_t target_id)
256{ 257{
258 const struct cred *cred = current_cred();
257 struct key *authkey; 259 struct key *authkey;
258 key_ref_t authkey_ref; 260 key_ref_t authkey_ref;
259 261
@@ -261,7 +263,7 @@ struct key *key_get_instantiation_authkey(key_serial_t target_id)
261 &key_type_request_key_auth, 263 &key_type_request_key_auth,
262 (void *) (unsigned long) target_id, 264 (void *) (unsigned long) target_id,
263 key_get_instantiation_authkey_match, 265 key_get_instantiation_authkey_match,
264 current); 266 cred);
265 267
266 if (IS_ERR(authkey_ref)) { 268 if (IS_ERR(authkey_ref)) {
267 authkey = ERR_CAST(authkey_ref); 269 authkey = ERR_CAST(authkey_ref);
diff --git a/security/root_plug.c b/security/root_plug.c
index c3f68b5b372d..40fb4f15e27b 100644
--- a/security/root_plug.c
+++ b/security/root_plug.c
@@ -55,9 +55,9 @@ static int rootplug_bprm_check_security (struct linux_binprm *bprm)
55 struct usb_device *dev; 55 struct usb_device *dev;
56 56
57 root_dbg("file %s, e_uid = %d, e_gid = %d\n", 57 root_dbg("file %s, e_uid = %d, e_gid = %d\n",
58 bprm->filename, bprm->e_uid, bprm->e_gid); 58 bprm->filename, bprm->cred->euid, bprm->cred->egid);
59 59
60 if (bprm->e_gid == 0) { 60 if (bprm->cred->egid == 0) {
61 dev = usb_find_device(vendor_id, product_id); 61 dev = usb_find_device(vendor_id, product_id);
62 if (!dev) { 62 if (!dev) {
63 root_dbg("e_gid = 0, and device not found, " 63 root_dbg("e_gid = 0, and device not found, "
@@ -75,15 +75,12 @@ static struct security_operations rootplug_security_ops = {
75 .ptrace_may_access = cap_ptrace_may_access, 75 .ptrace_may_access = cap_ptrace_may_access,
76 .ptrace_traceme = cap_ptrace_traceme, 76 .ptrace_traceme = cap_ptrace_traceme,
77 .capget = cap_capget, 77 .capget = cap_capget,
78 .capset_check = cap_capset_check, 78 .capset = cap_capset,
79 .capset_set = cap_capset_set,
80 .capable = cap_capable, 79 .capable = cap_capable,
81 80
82 .bprm_apply_creds = cap_bprm_apply_creds, 81 .bprm_set_creds = cap_bprm_set_creds,
83 .bprm_set_security = cap_bprm_set_security,
84 82
85 .task_post_setuid = cap_task_post_setuid, 83 .task_fix_setuid = cap_task_fix_setuid,
86 .task_reparent_to_init = cap_task_reparent_to_init,
87 .task_prctl = cap_task_prctl, 84 .task_prctl = cap_task_prctl,
88 85
89 .bprm_check_security = rootplug_bprm_check_security, 86 .bprm_check_security = rootplug_bprm_check_security,
diff --git a/security/security.c b/security/security.c
index c0acfa7177e5..d85dbb37c972 100644
--- a/security/security.c
+++ b/security/security.c
@@ -145,25 +145,23 @@ int security_capget(struct task_struct *target,
145 return security_ops->capget(target, effective, inheritable, permitted); 145 return security_ops->capget(target, effective, inheritable, permitted);
146} 146}
147 147
148int security_capset_check(struct task_struct *target, 148int security_capset(struct cred *new, const struct cred *old,
149 kernel_cap_t *effective, 149 const kernel_cap_t *effective,
150 kernel_cap_t *inheritable, 150 const kernel_cap_t *inheritable,
151 kernel_cap_t *permitted) 151 const kernel_cap_t *permitted)
152{ 152{
153 return security_ops->capset_check(target, effective, inheritable, permitted); 153 return security_ops->capset(new, old,
154 effective, inheritable, permitted);
154} 155}
155 156
156void security_capset_set(struct task_struct *target, 157int security_capable(struct task_struct *tsk, int cap)
157 kernel_cap_t *effective,
158 kernel_cap_t *inheritable,
159 kernel_cap_t *permitted)
160{ 158{
161 security_ops->capset_set(target, effective, inheritable, permitted); 159 return security_ops->capable(tsk, cap, SECURITY_CAP_AUDIT);
162} 160}
163 161
164int security_capable(struct task_struct *tsk, int cap) 162int security_capable_noaudit(struct task_struct *tsk, int cap)
165{ 163{
166 return security_ops->capable(tsk, cap); 164 return security_ops->capable(tsk, cap, SECURITY_CAP_NOAUDIT);
167} 165}
168 166
169int security_acct(struct file *file) 167int security_acct(struct file *file)
@@ -215,34 +213,24 @@ int security_vm_enough_memory_kern(long pages)
215 return security_ops->vm_enough_memory(current->mm, pages); 213 return security_ops->vm_enough_memory(current->mm, pages);
216} 214}
217 215
218int security_bprm_alloc(struct linux_binprm *bprm) 216int security_bprm_set_creds(struct linux_binprm *bprm)
219{
220 return security_ops->bprm_alloc_security(bprm);
221}
222
223void security_bprm_free(struct linux_binprm *bprm)
224{
225 security_ops->bprm_free_security(bprm);
226}
227
228void security_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
229{ 217{
230 security_ops->bprm_apply_creds(bprm, unsafe); 218 return security_ops->bprm_set_creds(bprm);
231} 219}
232 220
233void security_bprm_post_apply_creds(struct linux_binprm *bprm) 221int security_bprm_check(struct linux_binprm *bprm)
234{ 222{
235 security_ops->bprm_post_apply_creds(bprm); 223 return security_ops->bprm_check_security(bprm);
236} 224}
237 225
238int security_bprm_set(struct linux_binprm *bprm) 226void security_bprm_committing_creds(struct linux_binprm *bprm)
239{ 227{
240 return security_ops->bprm_set_security(bprm); 228 security_ops->bprm_committing_creds(bprm);
241} 229}
242 230
243int security_bprm_check(struct linux_binprm *bprm) 231void security_bprm_committed_creds(struct linux_binprm *bprm)
244{ 232{
245 return security_ops->bprm_check_security(bprm); 233 security_ops->bprm_committed_creds(bprm);
246} 234}
247 235
248int security_bprm_secureexec(struct linux_binprm *bprm) 236int security_bprm_secureexec(struct linux_binprm *bprm)
@@ -266,9 +254,9 @@ int security_sb_copy_data(char *orig, char *copy)
266} 254}
267EXPORT_SYMBOL(security_sb_copy_data); 255EXPORT_SYMBOL(security_sb_copy_data);
268 256
269int security_sb_kern_mount(struct super_block *sb, void *data) 257int security_sb_kern_mount(struct super_block *sb, int flags, void *data)
270{ 258{
271 return security_ops->sb_kern_mount(sb, data); 259 return security_ops->sb_kern_mount(sb, flags, data);
272} 260}
273 261
274int security_sb_show_options(struct seq_file *m, struct super_block *sb) 262int security_sb_show_options(struct seq_file *m, struct super_block *sb)
@@ -603,9 +591,9 @@ int security_file_receive(struct file *file)
603 return security_ops->file_receive(file); 591 return security_ops->file_receive(file);
604} 592}
605 593
606int security_dentry_open(struct file *file) 594int security_dentry_open(struct file *file, const struct cred *cred)
607{ 595{
608 return security_ops->dentry_open(file); 596 return security_ops->dentry_open(file, cred);
609} 597}
610 598
611int security_task_create(unsigned long clone_flags) 599int security_task_create(unsigned long clone_flags)
@@ -613,14 +601,29 @@ int security_task_create(unsigned long clone_flags)
613 return security_ops->task_create(clone_flags); 601 return security_ops->task_create(clone_flags);
614} 602}
615 603
616int security_task_alloc(struct task_struct *p) 604void security_cred_free(struct cred *cred)
617{ 605{
618 return security_ops->task_alloc_security(p); 606 security_ops->cred_free(cred);
619} 607}
620 608
621void security_task_free(struct task_struct *p) 609int security_prepare_creds(struct cred *new, const struct cred *old, gfp_t gfp)
622{ 610{
623 security_ops->task_free_security(p); 611 return security_ops->cred_prepare(new, old, gfp);
612}
613
614void security_commit_creds(struct cred *new, const struct cred *old)
615{
616 security_ops->cred_commit(new, old);
617}
618
619int security_kernel_act_as(struct cred *new, u32 secid)
620{
621 return security_ops->kernel_act_as(new, secid);
622}
623
624int security_kernel_create_files_as(struct cred *new, struct inode *inode)
625{
626 return security_ops->kernel_create_files_as(new, inode);
624} 627}
625 628
626int security_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) 629int security_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
@@ -628,10 +631,10 @@ int security_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
628 return security_ops->task_setuid(id0, id1, id2, flags); 631 return security_ops->task_setuid(id0, id1, id2, flags);
629} 632}
630 633
631int security_task_post_setuid(uid_t old_ruid, uid_t old_euid, 634int security_task_fix_setuid(struct cred *new, const struct cred *old,
632 uid_t old_suid, int flags) 635 int flags)
633{ 636{
634 return security_ops->task_post_setuid(old_ruid, old_euid, old_suid, flags); 637 return security_ops->task_fix_setuid(new, old, flags);
635} 638}
636 639
637int security_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags) 640int security_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
@@ -713,14 +716,9 @@ int security_task_wait(struct task_struct *p)
713} 716}
714 717
715int security_task_prctl(int option, unsigned long arg2, unsigned long arg3, 718int security_task_prctl(int option, unsigned long arg2, unsigned long arg3,
716 unsigned long arg4, unsigned long arg5, long *rc_p) 719 unsigned long arg4, unsigned long arg5)
717{
718 return security_ops->task_prctl(option, arg2, arg3, arg4, arg5, rc_p);
719}
720
721void security_task_reparent_to_init(struct task_struct *p)
722{ 720{
723 security_ops->task_reparent_to_init(p); 721 return security_ops->task_prctl(option, arg2, arg3, arg4, arg5);
724} 722}
725 723
726void security_task_to_inode(struct task_struct *p, struct inode *inode) 724void security_task_to_inode(struct task_struct *p, struct inode *inode)
@@ -1120,9 +1118,10 @@ EXPORT_SYMBOL(security_skb_classify_flow);
1120 1118
1121#ifdef CONFIG_KEYS 1119#ifdef CONFIG_KEYS
1122 1120
1123int security_key_alloc(struct key *key, struct task_struct *tsk, unsigned long flags) 1121int security_key_alloc(struct key *key, const struct cred *cred,
1122 unsigned long flags)
1124{ 1123{
1125 return security_ops->key_alloc(key, tsk, flags); 1124 return security_ops->key_alloc(key, cred, flags);
1126} 1125}
1127 1126
1128void security_key_free(struct key *key) 1127void security_key_free(struct key *key)
@@ -1131,9 +1130,9 @@ void security_key_free(struct key *key)
1131} 1130}
1132 1131
1133int security_key_permission(key_ref_t key_ref, 1132int security_key_permission(key_ref_t key_ref,
1134 struct task_struct *context, key_perm_t perm) 1133 const struct cred *cred, key_perm_t perm)
1135{ 1134{
1136 return security_ops->key_permission(key_ref, context, perm); 1135 return security_ops->key_permission(key_ref, cred, perm);
1137} 1136}
1138 1137
1139int security_key_getsecurity(struct key *key, char **_buffer) 1138int security_key_getsecurity(struct key *key, char **_buffer)
diff --git a/security/selinux/exports.c b/security/selinux/exports.c
index 64af2d3409ef..c73aeaa008e8 100644
--- a/security/selinux/exports.c
+++ b/security/selinux/exports.c
@@ -39,9 +39,13 @@ EXPORT_SYMBOL_GPL(selinux_string_to_sid);
39int selinux_secmark_relabel_packet_permission(u32 sid) 39int selinux_secmark_relabel_packet_permission(u32 sid)
40{ 40{
41 if (selinux_enabled) { 41 if (selinux_enabled) {
42 struct task_security_struct *tsec = current->security; 42 const struct task_security_struct *__tsec;
43 u32 tsid;
43 44
44 return avc_has_perm(tsec->sid, sid, SECCLASS_PACKET, 45 __tsec = current_security();
46 tsid = __tsec->sid;
47
48 return avc_has_perm(tsid, sid, SECCLASS_PACKET,
45 PACKET__RELABELTO, NULL); 49 PACKET__RELABELTO, NULL);
46 } 50 }
47 return 0; 51 return 0;
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index f85597a4d733..853b58c8b2cb 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -156,33 +156,62 @@ static int selinux_secmark_enabled(void)
156 return (atomic_read(&selinux_secmark_refcount) > 0); 156 return (atomic_read(&selinux_secmark_refcount) > 0);
157} 157}
158 158
159/* Allocate and free functions for each kind of security blob. */ 159/*
160 160 * initialise the security for the init task
161static int task_alloc_security(struct task_struct *task) 161 */
162static void cred_init_security(void)
162{ 163{
164 struct cred *cred = (struct cred *) current->real_cred;
163 struct task_security_struct *tsec; 165 struct task_security_struct *tsec;
164 166
165 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL); 167 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
166 if (!tsec) 168 if (!tsec)
167 return -ENOMEM; 169 panic("SELinux: Failed to initialize initial task.\n");
168 170
169 tsec->osid = tsec->sid = SECINITSID_UNLABELED; 171 tsec->osid = tsec->sid = SECINITSID_KERNEL;
170 task->security = tsec; 172 cred->security = tsec;
173}
171 174
172 return 0; 175/*
176 * get the security ID of a set of credentials
177 */
178static inline u32 cred_sid(const struct cred *cred)
179{
180 const struct task_security_struct *tsec;
181
182 tsec = cred->security;
183 return tsec->sid;
173} 184}
174 185
175static void task_free_security(struct task_struct *task) 186/*
187 * get the objective security ID of a task
188 */
189static inline u32 task_sid(const struct task_struct *task)
176{ 190{
177 struct task_security_struct *tsec = task->security; 191 u32 sid;
178 task->security = NULL; 192
179 kfree(tsec); 193 rcu_read_lock();
194 sid = cred_sid(__task_cred(task));
195 rcu_read_unlock();
196 return sid;
180} 197}
181 198
199/*
200 * get the subjective security ID of the current task
201 */
202static inline u32 current_sid(void)
203{
204 const struct task_security_struct *tsec = current_cred()->security;
205
206 return tsec->sid;
207}
208
209/* Allocate and free functions for each kind of security blob. */
210
182static int inode_alloc_security(struct inode *inode) 211static int inode_alloc_security(struct inode *inode)
183{ 212{
184 struct task_security_struct *tsec = current->security;
185 struct inode_security_struct *isec; 213 struct inode_security_struct *isec;
214 u32 sid = current_sid();
186 215
187 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS); 216 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
188 if (!isec) 217 if (!isec)
@@ -193,7 +222,7 @@ static int inode_alloc_security(struct inode *inode)
193 isec->inode = inode; 222 isec->inode = inode;
194 isec->sid = SECINITSID_UNLABELED; 223 isec->sid = SECINITSID_UNLABELED;
195 isec->sclass = SECCLASS_FILE; 224 isec->sclass = SECCLASS_FILE;
196 isec->task_sid = tsec->sid; 225 isec->task_sid = sid;
197 inode->i_security = isec; 226 inode->i_security = isec;
198 227
199 return 0; 228 return 0;
@@ -215,15 +244,15 @@ static void inode_free_security(struct inode *inode)
215 244
216static int file_alloc_security(struct file *file) 245static int file_alloc_security(struct file *file)
217{ 246{
218 struct task_security_struct *tsec = current->security;
219 struct file_security_struct *fsec; 247 struct file_security_struct *fsec;
248 u32 sid = current_sid();
220 249
221 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL); 250 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
222 if (!fsec) 251 if (!fsec)
223 return -ENOMEM; 252 return -ENOMEM;
224 253
225 fsec->sid = tsec->sid; 254 fsec->sid = sid;
226 fsec->fown_sid = tsec->sid; 255 fsec->fown_sid = sid;
227 file->f_security = fsec; 256 file->f_security = fsec;
228 257
229 return 0; 258 return 0;
@@ -338,8 +367,9 @@ static const match_table_t tokens = {
338 367
339static int may_context_mount_sb_relabel(u32 sid, 368static int may_context_mount_sb_relabel(u32 sid,
340 struct superblock_security_struct *sbsec, 369 struct superblock_security_struct *sbsec,
341 struct task_security_struct *tsec) 370 const struct cred *cred)
342{ 371{
372 const struct task_security_struct *tsec = cred->security;
343 int rc; 373 int rc;
344 374
345 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 375 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
@@ -354,8 +384,9 @@ static int may_context_mount_sb_relabel(u32 sid,
354 384
355static int may_context_mount_inode_relabel(u32 sid, 385static int may_context_mount_inode_relabel(u32 sid,
356 struct superblock_security_struct *sbsec, 386 struct superblock_security_struct *sbsec,
357 struct task_security_struct *tsec) 387 const struct cred *cred)
358{ 388{
389 const struct task_security_struct *tsec = cred->security;
359 int rc; 390 int rc;
360 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 391 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
361 FILESYSTEM__RELABELFROM, NULL); 392 FILESYSTEM__RELABELFROM, NULL);
@@ -553,8 +584,8 @@ static int bad_option(struct superblock_security_struct *sbsec, char flag,
553static int selinux_set_mnt_opts(struct super_block *sb, 584static int selinux_set_mnt_opts(struct super_block *sb,
554 struct security_mnt_opts *opts) 585 struct security_mnt_opts *opts)
555{ 586{
587 const struct cred *cred = current_cred();
556 int rc = 0, i; 588 int rc = 0, i;
557 struct task_security_struct *tsec = current->security;
558 struct superblock_security_struct *sbsec = sb->s_security; 589 struct superblock_security_struct *sbsec = sb->s_security;
559 const char *name = sb->s_type->name; 590 const char *name = sb->s_type->name;
560 struct inode *inode = sbsec->sb->s_root->d_inode; 591 struct inode *inode = sbsec->sb->s_root->d_inode;
@@ -671,7 +702,7 @@ static int selinux_set_mnt_opts(struct super_block *sb,
671 sbsec->proc = 1; 702 sbsec->proc = 1;
672 703
673 /* Determine the labeling behavior to use for this filesystem type. */ 704 /* Determine the labeling behavior to use for this filesystem type. */
674 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid); 705 rc = security_fs_use(sbsec->proc ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
675 if (rc) { 706 if (rc) {
676 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n", 707 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
677 __func__, sb->s_type->name, rc); 708 __func__, sb->s_type->name, rc);
@@ -680,8 +711,7 @@ static int selinux_set_mnt_opts(struct super_block *sb,
680 711
681 /* sets the context of the superblock for the fs being mounted. */ 712 /* sets the context of the superblock for the fs being mounted. */
682 if (fscontext_sid) { 713 if (fscontext_sid) {
683 714 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
684 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
685 if (rc) 715 if (rc)
686 goto out; 716 goto out;
687 717
@@ -695,12 +725,14 @@ static int selinux_set_mnt_opts(struct super_block *sb,
695 */ 725 */
696 if (context_sid) { 726 if (context_sid) {
697 if (!fscontext_sid) { 727 if (!fscontext_sid) {
698 rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec); 728 rc = may_context_mount_sb_relabel(context_sid, sbsec,
729 cred);
699 if (rc) 730 if (rc)
700 goto out; 731 goto out;
701 sbsec->sid = context_sid; 732 sbsec->sid = context_sid;
702 } else { 733 } else {
703 rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec); 734 rc = may_context_mount_inode_relabel(context_sid, sbsec,
735 cred);
704 if (rc) 736 if (rc)
705 goto out; 737 goto out;
706 } 738 }
@@ -712,7 +744,8 @@ static int selinux_set_mnt_opts(struct super_block *sb,
712 } 744 }
713 745
714 if (rootcontext_sid) { 746 if (rootcontext_sid) {
715 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec); 747 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
748 cred);
716 if (rc) 749 if (rc)
717 goto out; 750 goto out;
718 751
@@ -730,7 +763,7 @@ static int selinux_set_mnt_opts(struct super_block *sb,
730 763
731 if (defcontext_sid != sbsec->def_sid) { 764 if (defcontext_sid != sbsec->def_sid) {
732 rc = may_context_mount_inode_relabel(defcontext_sid, 765 rc = may_context_mount_inode_relabel(defcontext_sid,
733 sbsec, tsec); 766 sbsec, cred);
734 if (rc) 767 if (rc)
735 goto out; 768 goto out;
736 } 769 }
@@ -1345,18 +1378,53 @@ static inline u32 signal_to_av(int sig)
1345 return perm; 1378 return perm;
1346} 1379}
1347 1380
1348/* Check permission betweeen a pair of tasks, e.g. signal checks, 1381/*
1349 fork check, ptrace check, etc. */ 1382 * Check permission between a pair of credentials
1350static int task_has_perm(struct task_struct *tsk1, 1383 * fork check, ptrace check, etc.
1351 struct task_struct *tsk2, 1384 */
1385static int cred_has_perm(const struct cred *actor,
1386 const struct cred *target,
1387 u32 perms)
1388{
1389 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1390
1391 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1392}
1393
1394/*
1395 * Check permission between a pair of tasks, e.g. signal checks,
1396 * fork check, ptrace check, etc.
1397 * tsk1 is the actor and tsk2 is the target
1398 * - this uses the default subjective creds of tsk1
1399 */
1400static int task_has_perm(const struct task_struct *tsk1,
1401 const struct task_struct *tsk2,
1352 u32 perms) 1402 u32 perms)
1353{ 1403{
1354 struct task_security_struct *tsec1, *tsec2; 1404 const struct task_security_struct *__tsec1, *__tsec2;
1405 u32 sid1, sid2;
1355 1406
1356 tsec1 = tsk1->security; 1407 rcu_read_lock();
1357 tsec2 = tsk2->security; 1408 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1358 return avc_has_perm(tsec1->sid, tsec2->sid, 1409 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1359 SECCLASS_PROCESS, perms, NULL); 1410 rcu_read_unlock();
1411 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1412}
1413
1414/*
1415 * Check permission between current and another task, e.g. signal checks,
1416 * fork check, ptrace check, etc.
1417 * current is the actor and tsk2 is the target
1418 * - this uses current's subjective creds
1419 */
1420static int current_has_perm(const struct task_struct *tsk,
1421 u32 perms)
1422{
1423 u32 sid, tsid;
1424
1425 sid = current_sid();
1426 tsid = task_sid(tsk);
1427 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1360} 1428}
1361 1429
1362#if CAP_LAST_CAP > 63 1430#if CAP_LAST_CAP > 63
@@ -1365,14 +1433,14 @@ static int task_has_perm(struct task_struct *tsk1,
1365 1433
1366/* Check whether a task is allowed to use a capability. */ 1434/* Check whether a task is allowed to use a capability. */
1367static int task_has_capability(struct task_struct *tsk, 1435static int task_has_capability(struct task_struct *tsk,
1368 int cap) 1436 int cap, int audit)
1369{ 1437{
1370 struct task_security_struct *tsec;
1371 struct avc_audit_data ad; 1438 struct avc_audit_data ad;
1439 struct av_decision avd;
1372 u16 sclass; 1440 u16 sclass;
1441 u32 sid = task_sid(tsk);
1373 u32 av = CAP_TO_MASK(cap); 1442 u32 av = CAP_TO_MASK(cap);
1374 1443 int rc;
1375 tsec = tsk->security;
1376 1444
1377 AVC_AUDIT_DATA_INIT(&ad, CAP); 1445 AVC_AUDIT_DATA_INIT(&ad, CAP);
1378 ad.tsk = tsk; 1446 ad.tsk = tsk;
@@ -1390,37 +1458,39 @@ static int task_has_capability(struct task_struct *tsk,
1390 "SELinux: out of range capability %d\n", cap); 1458 "SELinux: out of range capability %d\n", cap);
1391 BUG(); 1459 BUG();
1392 } 1460 }
1393 return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad); 1461
1462 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1463 if (audit == SECURITY_CAP_AUDIT)
1464 avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
1465 return rc;
1394} 1466}
1395 1467
1396/* Check whether a task is allowed to use a system operation. */ 1468/* Check whether a task is allowed to use a system operation. */
1397static int task_has_system(struct task_struct *tsk, 1469static int task_has_system(struct task_struct *tsk,
1398 u32 perms) 1470 u32 perms)
1399{ 1471{
1400 struct task_security_struct *tsec; 1472 u32 sid = task_sid(tsk);
1401 1473
1402 tsec = tsk->security; 1474 return avc_has_perm(sid, SECINITSID_KERNEL,
1403
1404 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1405 SECCLASS_SYSTEM, perms, NULL); 1475 SECCLASS_SYSTEM, perms, NULL);
1406} 1476}
1407 1477
1408/* Check whether a task has a particular permission to an inode. 1478/* Check whether a task has a particular permission to an inode.
1409 The 'adp' parameter is optional and allows other audit 1479 The 'adp' parameter is optional and allows other audit
1410 data to be passed (e.g. the dentry). */ 1480 data to be passed (e.g. the dentry). */
1411static int inode_has_perm(struct task_struct *tsk, 1481static int inode_has_perm(const struct cred *cred,
1412 struct inode *inode, 1482 struct inode *inode,
1413 u32 perms, 1483 u32 perms,
1414 struct avc_audit_data *adp) 1484 struct avc_audit_data *adp)
1415{ 1485{
1416 struct task_security_struct *tsec;
1417 struct inode_security_struct *isec; 1486 struct inode_security_struct *isec;
1418 struct avc_audit_data ad; 1487 struct avc_audit_data ad;
1488 u32 sid;
1419 1489
1420 if (unlikely(IS_PRIVATE(inode))) 1490 if (unlikely(IS_PRIVATE(inode)))
1421 return 0; 1491 return 0;
1422 1492
1423 tsec = tsk->security; 1493 sid = cred_sid(cred);
1424 isec = inode->i_security; 1494 isec = inode->i_security;
1425 1495
1426 if (!adp) { 1496 if (!adp) {
@@ -1429,23 +1499,24 @@ static int inode_has_perm(struct task_struct *tsk,
1429 ad.u.fs.inode = inode; 1499 ad.u.fs.inode = inode;
1430 } 1500 }
1431 1501
1432 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp); 1502 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1433} 1503}
1434 1504
1435/* Same as inode_has_perm, but pass explicit audit data containing 1505/* Same as inode_has_perm, but pass explicit audit data containing
1436 the dentry to help the auditing code to more easily generate the 1506 the dentry to help the auditing code to more easily generate the
1437 pathname if needed. */ 1507 pathname if needed. */
1438static inline int dentry_has_perm(struct task_struct *tsk, 1508static inline int dentry_has_perm(const struct cred *cred,
1439 struct vfsmount *mnt, 1509 struct vfsmount *mnt,
1440 struct dentry *dentry, 1510 struct dentry *dentry,
1441 u32 av) 1511 u32 av)
1442{ 1512{
1443 struct inode *inode = dentry->d_inode; 1513 struct inode *inode = dentry->d_inode;
1444 struct avc_audit_data ad; 1514 struct avc_audit_data ad;
1515
1445 AVC_AUDIT_DATA_INIT(&ad, FS); 1516 AVC_AUDIT_DATA_INIT(&ad, FS);
1446 ad.u.fs.path.mnt = mnt; 1517 ad.u.fs.path.mnt = mnt;
1447 ad.u.fs.path.dentry = dentry; 1518 ad.u.fs.path.dentry = dentry;
1448 return inode_has_perm(tsk, inode, av, &ad); 1519 return inode_has_perm(cred, inode, av, &ad);
1449} 1520}
1450 1521
1451/* Check whether a task can use an open file descriptor to 1522/* Check whether a task can use an open file descriptor to
@@ -1456,33 +1527,35 @@ static inline int dentry_has_perm(struct task_struct *tsk,
1456 has the same SID as the process. If av is zero, then 1527 has the same SID as the process. If av is zero, then
1457 access to the file is not checked, e.g. for cases 1528 access to the file is not checked, e.g. for cases
1458 where only the descriptor is affected like seek. */ 1529 where only the descriptor is affected like seek. */
1459static int file_has_perm(struct task_struct *tsk, 1530static int file_has_perm(const struct cred *cred,
1460 struct file *file, 1531 struct file *file,
1461 u32 av) 1532 u32 av)
1462{ 1533{
1463 struct task_security_struct *tsec = tsk->security;
1464 struct file_security_struct *fsec = file->f_security; 1534 struct file_security_struct *fsec = file->f_security;
1465 struct inode *inode = file->f_path.dentry->d_inode; 1535 struct inode *inode = file->f_path.dentry->d_inode;
1466 struct avc_audit_data ad; 1536 struct avc_audit_data ad;
1537 u32 sid = cred_sid(cred);
1467 int rc; 1538 int rc;
1468 1539
1469 AVC_AUDIT_DATA_INIT(&ad, FS); 1540 AVC_AUDIT_DATA_INIT(&ad, FS);
1470 ad.u.fs.path = file->f_path; 1541 ad.u.fs.path = file->f_path;
1471 1542
1472 if (tsec->sid != fsec->sid) { 1543 if (sid != fsec->sid) {
1473 rc = avc_has_perm(tsec->sid, fsec->sid, 1544 rc = avc_has_perm(sid, fsec->sid,
1474 SECCLASS_FD, 1545 SECCLASS_FD,
1475 FD__USE, 1546 FD__USE,
1476 &ad); 1547 &ad);
1477 if (rc) 1548 if (rc)
1478 return rc; 1549 goto out;
1479 } 1550 }
1480 1551
1481 /* av is zero if only checking access to the descriptor. */ 1552 /* av is zero if only checking access to the descriptor. */
1553 rc = 0;
1482 if (av) 1554 if (av)
1483 return inode_has_perm(tsk, inode, av, &ad); 1555 rc = inode_has_perm(cred, inode, av, &ad);
1484 1556
1485 return 0; 1557out:
1558 return rc;
1486} 1559}
1487 1560
1488/* Check whether a task can create a file. */ 1561/* Check whether a task can create a file. */
@@ -1490,36 +1563,36 @@ static int may_create(struct inode *dir,
1490 struct dentry *dentry, 1563 struct dentry *dentry,
1491 u16 tclass) 1564 u16 tclass)
1492{ 1565{
1493 struct task_security_struct *tsec; 1566 const struct cred *cred = current_cred();
1567 const struct task_security_struct *tsec = cred->security;
1494 struct inode_security_struct *dsec; 1568 struct inode_security_struct *dsec;
1495 struct superblock_security_struct *sbsec; 1569 struct superblock_security_struct *sbsec;
1496 u32 newsid; 1570 u32 sid, newsid;
1497 struct avc_audit_data ad; 1571 struct avc_audit_data ad;
1498 int rc; 1572 int rc;
1499 1573
1500 tsec = current->security;
1501 dsec = dir->i_security; 1574 dsec = dir->i_security;
1502 sbsec = dir->i_sb->s_security; 1575 sbsec = dir->i_sb->s_security;
1503 1576
1577 sid = tsec->sid;
1578 newsid = tsec->create_sid;
1579
1504 AVC_AUDIT_DATA_INIT(&ad, FS); 1580 AVC_AUDIT_DATA_INIT(&ad, FS);
1505 ad.u.fs.path.dentry = dentry; 1581 ad.u.fs.path.dentry = dentry;
1506 1582
1507 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, 1583 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1508 DIR__ADD_NAME | DIR__SEARCH, 1584 DIR__ADD_NAME | DIR__SEARCH,
1509 &ad); 1585 &ad);
1510 if (rc) 1586 if (rc)
1511 return rc; 1587 return rc;
1512 1588
1513 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) { 1589 if (!newsid || sbsec->behavior == SECURITY_FS_USE_MNTPOINT) {
1514 newsid = tsec->create_sid; 1590 rc = security_transition_sid(sid, dsec->sid, tclass, &newsid);
1515 } else {
1516 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1517 &newsid);
1518 if (rc) 1591 if (rc)
1519 return rc; 1592 return rc;
1520 } 1593 }
1521 1594
1522 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad); 1595 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1523 if (rc) 1596 if (rc)
1524 return rc; 1597 return rc;
1525 1598
@@ -1532,11 +1605,9 @@ static int may_create(struct inode *dir,
1532static int may_create_key(u32 ksid, 1605static int may_create_key(u32 ksid,
1533 struct task_struct *ctx) 1606 struct task_struct *ctx)
1534{ 1607{
1535 struct task_security_struct *tsec; 1608 u32 sid = task_sid(ctx);
1536 1609
1537 tsec = ctx->security; 1610 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1538
1539 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1540} 1611}
1541 1612
1542#define MAY_LINK 0 1613#define MAY_LINK 0
@@ -1549,13 +1620,12 @@ static int may_link(struct inode *dir,
1549 int kind) 1620 int kind)
1550 1621
1551{ 1622{
1552 struct task_security_struct *tsec;
1553 struct inode_security_struct *dsec, *isec; 1623 struct inode_security_struct *dsec, *isec;
1554 struct avc_audit_data ad; 1624 struct avc_audit_data ad;
1625 u32 sid = current_sid();
1555 u32 av; 1626 u32 av;
1556 int rc; 1627 int rc;
1557 1628
1558 tsec = current->security;
1559 dsec = dir->i_security; 1629 dsec = dir->i_security;
1560 isec = dentry->d_inode->i_security; 1630 isec = dentry->d_inode->i_security;
1561 1631
@@ -1564,7 +1634,7 @@ static int may_link(struct inode *dir,
1564 1634
1565 av = DIR__SEARCH; 1635 av = DIR__SEARCH;
1566 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME); 1636 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1567 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad); 1637 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1568 if (rc) 1638 if (rc)
1569 return rc; 1639 return rc;
1570 1640
@@ -1584,7 +1654,7 @@ static int may_link(struct inode *dir,
1584 return 0; 1654 return 0;
1585 } 1655 }
1586 1656
1587 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad); 1657 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1588 return rc; 1658 return rc;
1589} 1659}
1590 1660
@@ -1593,14 +1663,13 @@ static inline int may_rename(struct inode *old_dir,
1593 struct inode *new_dir, 1663 struct inode *new_dir,
1594 struct dentry *new_dentry) 1664 struct dentry *new_dentry)
1595{ 1665{
1596 struct task_security_struct *tsec;
1597 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec; 1666 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1598 struct avc_audit_data ad; 1667 struct avc_audit_data ad;
1668 u32 sid = current_sid();
1599 u32 av; 1669 u32 av;
1600 int old_is_dir, new_is_dir; 1670 int old_is_dir, new_is_dir;
1601 int rc; 1671 int rc;
1602 1672
1603 tsec = current->security;
1604 old_dsec = old_dir->i_security; 1673 old_dsec = old_dir->i_security;
1605 old_isec = old_dentry->d_inode->i_security; 1674 old_isec = old_dentry->d_inode->i_security;
1606 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode); 1675 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
@@ -1609,16 +1678,16 @@ static inline int may_rename(struct inode *old_dir,
1609 AVC_AUDIT_DATA_INIT(&ad, FS); 1678 AVC_AUDIT_DATA_INIT(&ad, FS);
1610 1679
1611 ad.u.fs.path.dentry = old_dentry; 1680 ad.u.fs.path.dentry = old_dentry;
1612 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR, 1681 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1613 DIR__REMOVE_NAME | DIR__SEARCH, &ad); 1682 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1614 if (rc) 1683 if (rc)
1615 return rc; 1684 return rc;
1616 rc = avc_has_perm(tsec->sid, old_isec->sid, 1685 rc = avc_has_perm(sid, old_isec->sid,
1617 old_isec->sclass, FILE__RENAME, &ad); 1686 old_isec->sclass, FILE__RENAME, &ad);
1618 if (rc) 1687 if (rc)
1619 return rc; 1688 return rc;
1620 if (old_is_dir && new_dir != old_dir) { 1689 if (old_is_dir && new_dir != old_dir) {
1621 rc = avc_has_perm(tsec->sid, old_isec->sid, 1690 rc = avc_has_perm(sid, old_isec->sid,
1622 old_isec->sclass, DIR__REPARENT, &ad); 1691 old_isec->sclass, DIR__REPARENT, &ad);
1623 if (rc) 1692 if (rc)
1624 return rc; 1693 return rc;
@@ -1628,13 +1697,13 @@ static inline int may_rename(struct inode *old_dir,
1628 av = DIR__ADD_NAME | DIR__SEARCH; 1697 av = DIR__ADD_NAME | DIR__SEARCH;
1629 if (new_dentry->d_inode) 1698 if (new_dentry->d_inode)
1630 av |= DIR__REMOVE_NAME; 1699 av |= DIR__REMOVE_NAME;
1631 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad); 1700 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1632 if (rc) 1701 if (rc)
1633 return rc; 1702 return rc;
1634 if (new_dentry->d_inode) { 1703 if (new_dentry->d_inode) {
1635 new_isec = new_dentry->d_inode->i_security; 1704 new_isec = new_dentry->d_inode->i_security;
1636 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode); 1705 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1637 rc = avc_has_perm(tsec->sid, new_isec->sid, 1706 rc = avc_has_perm(sid, new_isec->sid,
1638 new_isec->sclass, 1707 new_isec->sclass,
1639 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad); 1708 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1640 if (rc) 1709 if (rc)
@@ -1645,18 +1714,16 @@ static inline int may_rename(struct inode *old_dir,
1645} 1714}
1646 1715
1647/* Check whether a task can perform a filesystem operation. */ 1716/* Check whether a task can perform a filesystem operation. */
1648static int superblock_has_perm(struct task_struct *tsk, 1717static int superblock_has_perm(const struct cred *cred,
1649 struct super_block *sb, 1718 struct super_block *sb,
1650 u32 perms, 1719 u32 perms,
1651 struct avc_audit_data *ad) 1720 struct avc_audit_data *ad)
1652{ 1721{
1653 struct task_security_struct *tsec;
1654 struct superblock_security_struct *sbsec; 1722 struct superblock_security_struct *sbsec;
1723 u32 sid = cred_sid(cred);
1655 1724
1656 tsec = tsk->security;
1657 sbsec = sb->s_security; 1725 sbsec = sb->s_security;
1658 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 1726 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1659 perms, ad);
1660} 1727}
1661 1728
1662/* Convert a Linux mode and permission mask to an access vector. */ 1729/* Convert a Linux mode and permission mask to an access vector. */
@@ -1687,15 +1754,39 @@ static inline u32 file_mask_to_av(int mode, int mask)
1687 return av; 1754 return av;
1688} 1755}
1689 1756
1757/* Convert a Linux file to an access vector. */
1758static inline u32 file_to_av(struct file *file)
1759{
1760 u32 av = 0;
1761
1762 if (file->f_mode & FMODE_READ)
1763 av |= FILE__READ;
1764 if (file->f_mode & FMODE_WRITE) {
1765 if (file->f_flags & O_APPEND)
1766 av |= FILE__APPEND;
1767 else
1768 av |= FILE__WRITE;
1769 }
1770 if (!av) {
1771 /*
1772 * Special file opened with flags 3 for ioctl-only use.
1773 */
1774 av = FILE__IOCTL;
1775 }
1776
1777 return av;
1778}
1779
1690/* 1780/*
1691 * Convert a file mask to an access vector and include the correct open 1781 * Convert a file to an access vector and include the correct open
1692 * open permission. 1782 * open permission.
1693 */ 1783 */
1694static inline u32 open_file_mask_to_av(int mode, int mask) 1784static inline u32 open_file_to_av(struct file *file)
1695{ 1785{
1696 u32 av = file_mask_to_av(mode, mask); 1786 u32 av = file_to_av(file);
1697 1787
1698 if (selinux_policycap_openperm) { 1788 if (selinux_policycap_openperm) {
1789 mode_t mode = file->f_path.dentry->d_inode->i_mode;
1699 /* 1790 /*
1700 * lnk files and socks do not really have an 'open' 1791 * lnk files and socks do not really have an 'open'
1701 */ 1792 */
@@ -1711,34 +1802,11 @@ static inline u32 open_file_mask_to_av(int mode, int mask)
1711 av |= DIR__OPEN; 1802 av |= DIR__OPEN;
1712 else 1803 else
1713 printk(KERN_ERR "SELinux: WARNING: inside %s with " 1804 printk(KERN_ERR "SELinux: WARNING: inside %s with "
1714 "unknown mode:%x\n", __func__, mode); 1805 "unknown mode:%o\n", __func__, mode);
1715 } 1806 }
1716 return av; 1807 return av;
1717} 1808}
1718 1809
1719/* Convert a Linux file to an access vector. */
1720static inline u32 file_to_av(struct file *file)
1721{
1722 u32 av = 0;
1723
1724 if (file->f_mode & FMODE_READ)
1725 av |= FILE__READ;
1726 if (file->f_mode & FMODE_WRITE) {
1727 if (file->f_flags & O_APPEND)
1728 av |= FILE__APPEND;
1729 else
1730 av |= FILE__WRITE;
1731 }
1732 if (!av) {
1733 /*
1734 * Special file opened with flags 3 for ioctl-only use.
1735 */
1736 av = FILE__IOCTL;
1737 }
1738
1739 return av;
1740}
1741
1742/* Hook functions begin here. */ 1810/* Hook functions begin here. */
1743 1811
1744static int selinux_ptrace_may_access(struct task_struct *child, 1812static int selinux_ptrace_may_access(struct task_struct *child,
@@ -1751,13 +1819,12 @@ static int selinux_ptrace_may_access(struct task_struct *child,
1751 return rc; 1819 return rc;
1752 1820
1753 if (mode == PTRACE_MODE_READ) { 1821 if (mode == PTRACE_MODE_READ) {
1754 struct task_security_struct *tsec = current->security; 1822 u32 sid = current_sid();
1755 struct task_security_struct *csec = child->security; 1823 u32 csid = task_sid(child);
1756 return avc_has_perm(tsec->sid, csec->sid, 1824 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1757 SECCLASS_FILE, FILE__READ, NULL);
1758 } 1825 }
1759 1826
1760 return task_has_perm(current, child, PROCESS__PTRACE); 1827 return current_has_perm(child, PROCESS__PTRACE);
1761} 1828}
1762 1829
1763static int selinux_ptrace_traceme(struct task_struct *parent) 1830static int selinux_ptrace_traceme(struct task_struct *parent)
@@ -1776,40 +1843,37 @@ static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1776{ 1843{
1777 int error; 1844 int error;
1778 1845
1779 error = task_has_perm(current, target, PROCESS__GETCAP); 1846 error = current_has_perm(target, PROCESS__GETCAP);
1780 if (error) 1847 if (error)
1781 return error; 1848 return error;
1782 1849
1783 return secondary_ops->capget(target, effective, inheritable, permitted); 1850 return secondary_ops->capget(target, effective, inheritable, permitted);
1784} 1851}
1785 1852
1786static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective, 1853static int selinux_capset(struct cred *new, const struct cred *old,
1787 kernel_cap_t *inheritable, kernel_cap_t *permitted) 1854 const kernel_cap_t *effective,
1855 const kernel_cap_t *inheritable,
1856 const kernel_cap_t *permitted)
1788{ 1857{
1789 int error; 1858 int error;
1790 1859
1791 error = secondary_ops->capset_check(target, effective, inheritable, permitted); 1860 error = secondary_ops->capset(new, old,
1861 effective, inheritable, permitted);
1792 if (error) 1862 if (error)
1793 return error; 1863 return error;
1794 1864
1795 return task_has_perm(current, target, PROCESS__SETCAP); 1865 return cred_has_perm(old, new, PROCESS__SETCAP);
1796} 1866}
1797 1867
1798static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective, 1868static int selinux_capable(struct task_struct *tsk, int cap, int audit)
1799 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1800{
1801 secondary_ops->capset_set(target, effective, inheritable, permitted);
1802}
1803
1804static int selinux_capable(struct task_struct *tsk, int cap)
1805{ 1869{
1806 int rc; 1870 int rc;
1807 1871
1808 rc = secondary_ops->capable(tsk, cap); 1872 rc = secondary_ops->capable(tsk, cap, audit);
1809 if (rc) 1873 if (rc)
1810 return rc; 1874 return rc;
1811 1875
1812 return task_has_capability(tsk, cap); 1876 return task_has_capability(tsk, cap, audit);
1813} 1877}
1814 1878
1815static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid) 1879static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
@@ -1857,15 +1921,14 @@ static int selinux_sysctl(ctl_table *table, int op)
1857{ 1921{
1858 int error = 0; 1922 int error = 0;
1859 u32 av; 1923 u32 av;
1860 struct task_security_struct *tsec; 1924 u32 tsid, sid;
1861 u32 tsid;
1862 int rc; 1925 int rc;
1863 1926
1864 rc = secondary_ops->sysctl(table, op); 1927 rc = secondary_ops->sysctl(table, op);
1865 if (rc) 1928 if (rc)
1866 return rc; 1929 return rc;
1867 1930
1868 tsec = current->security; 1931 sid = current_sid();
1869 1932
1870 rc = selinux_sysctl_get_sid(table, (op == 0001) ? 1933 rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1871 SECCLASS_DIR : SECCLASS_FILE, &tsid); 1934 SECCLASS_DIR : SECCLASS_FILE, &tsid);
@@ -1877,7 +1940,7 @@ static int selinux_sysctl(ctl_table *table, int op)
1877 /* The op values are "defined" in sysctl.c, thereby creating 1940 /* The op values are "defined" in sysctl.c, thereby creating
1878 * a bad coupling between this module and sysctl.c */ 1941 * a bad coupling between this module and sysctl.c */
1879 if (op == 001) { 1942 if (op == 001) {
1880 error = avc_has_perm(tsec->sid, tsid, 1943 error = avc_has_perm(sid, tsid,
1881 SECCLASS_DIR, DIR__SEARCH, NULL); 1944 SECCLASS_DIR, DIR__SEARCH, NULL);
1882 } else { 1945 } else {
1883 av = 0; 1946 av = 0;
@@ -1886,7 +1949,7 @@ static int selinux_sysctl(ctl_table *table, int op)
1886 if (op & 002) 1949 if (op & 002)
1887 av |= FILE__WRITE; 1950 av |= FILE__WRITE;
1888 if (av) 1951 if (av)
1889 error = avc_has_perm(tsec->sid, tsid, 1952 error = avc_has_perm(sid, tsid,
1890 SECCLASS_FILE, av, NULL); 1953 SECCLASS_FILE, av, NULL);
1891 } 1954 }
1892 1955
@@ -1895,6 +1958,7 @@ static int selinux_sysctl(ctl_table *table, int op)
1895 1958
1896static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb) 1959static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1897{ 1960{
1961 const struct cred *cred = current_cred();
1898 int rc = 0; 1962 int rc = 0;
1899 1963
1900 if (!sb) 1964 if (!sb)
@@ -1906,14 +1970,12 @@ static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1906 case Q_QUOTAOFF: 1970 case Q_QUOTAOFF:
1907 case Q_SETINFO: 1971 case Q_SETINFO:
1908 case Q_SETQUOTA: 1972 case Q_SETQUOTA:
1909 rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAMOD, 1973 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
1910 NULL);
1911 break; 1974 break;
1912 case Q_GETFMT: 1975 case Q_GETFMT:
1913 case Q_GETINFO: 1976 case Q_GETINFO:
1914 case Q_GETQUOTA: 1977 case Q_GETQUOTA:
1915 rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAGET, 1978 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
1916 NULL);
1917 break; 1979 break;
1918 default: 1980 default:
1919 rc = 0; /* let the kernel handle invalid cmds */ 1981 rc = 0; /* let the kernel handle invalid cmds */
@@ -1924,7 +1986,9 @@ static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1924 1986
1925static int selinux_quota_on(struct dentry *dentry) 1987static int selinux_quota_on(struct dentry *dentry)
1926{ 1988{
1927 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON); 1989 const struct cred *cred = current_cred();
1990
1991 return dentry_has_perm(cred, NULL, dentry, FILE__QUOTAON);
1928} 1992}
1929 1993
1930static int selinux_syslog(int type) 1994static int selinux_syslog(int type)
@@ -1972,16 +2036,8 @@ static int selinux_syslog(int type)
1972static int selinux_vm_enough_memory(struct mm_struct *mm, long pages) 2036static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1973{ 2037{
1974 int rc, cap_sys_admin = 0; 2038 int rc, cap_sys_admin = 0;
1975 struct task_security_struct *tsec = current->security;
1976
1977 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1978 if (rc == 0)
1979 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1980 SECCLASS_CAPABILITY,
1981 CAP_TO_MASK(CAP_SYS_ADMIN),
1982 0,
1983 NULL);
1984 2039
2040 rc = selinux_capable(current, CAP_SYS_ADMIN, SECURITY_CAP_NOAUDIT);
1985 if (rc == 0) 2041 if (rc == 0)
1986 cap_sys_admin = 1; 2042 cap_sys_admin = 1;
1987 2043
@@ -1990,59 +2046,45 @@ static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1990 2046
1991/* binprm security operations */ 2047/* binprm security operations */
1992 2048
1993static int selinux_bprm_alloc_security(struct linux_binprm *bprm) 2049static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1994{
1995 struct bprm_security_struct *bsec;
1996
1997 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1998 if (!bsec)
1999 return -ENOMEM;
2000
2001 bsec->sid = SECINITSID_UNLABELED;
2002 bsec->set = 0;
2003
2004 bprm->security = bsec;
2005 return 0;
2006}
2007
2008static int selinux_bprm_set_security(struct linux_binprm *bprm)
2009{ 2050{
2010 struct task_security_struct *tsec; 2051 const struct task_security_struct *old_tsec;
2011 struct inode *inode = bprm->file->f_path.dentry->d_inode; 2052 struct task_security_struct *new_tsec;
2012 struct inode_security_struct *isec; 2053 struct inode_security_struct *isec;
2013 struct bprm_security_struct *bsec;
2014 u32 newsid;
2015 struct avc_audit_data ad; 2054 struct avc_audit_data ad;
2055 struct inode *inode = bprm->file->f_path.dentry->d_inode;
2016 int rc; 2056 int rc;
2017 2057
2018 rc = secondary_ops->bprm_set_security(bprm); 2058 rc = secondary_ops->bprm_set_creds(bprm);
2019 if (rc) 2059 if (rc)
2020 return rc; 2060 return rc;
2021 2061
2022 bsec = bprm->security; 2062 /* SELinux context only depends on initial program or script and not
2023 2063 * the script interpreter */
2024 if (bsec->set) 2064 if (bprm->cred_prepared)
2025 return 0; 2065 return 0;
2026 2066
2027 tsec = current->security; 2067 old_tsec = current_security();
2068 new_tsec = bprm->cred->security;
2028 isec = inode->i_security; 2069 isec = inode->i_security;
2029 2070
2030 /* Default to the current task SID. */ 2071 /* Default to the current task SID. */
2031 bsec->sid = tsec->sid; 2072 new_tsec->sid = old_tsec->sid;
2073 new_tsec->osid = old_tsec->sid;
2032 2074
2033 /* Reset fs, key, and sock SIDs on execve. */ 2075 /* Reset fs, key, and sock SIDs on execve. */
2034 tsec->create_sid = 0; 2076 new_tsec->create_sid = 0;
2035 tsec->keycreate_sid = 0; 2077 new_tsec->keycreate_sid = 0;
2036 tsec->sockcreate_sid = 0; 2078 new_tsec->sockcreate_sid = 0;
2037 2079
2038 if (tsec->exec_sid) { 2080 if (old_tsec->exec_sid) {
2039 newsid = tsec->exec_sid; 2081 new_tsec->sid = old_tsec->exec_sid;
2040 /* Reset exec SID on execve. */ 2082 /* Reset exec SID on execve. */
2041 tsec->exec_sid = 0; 2083 new_tsec->exec_sid = 0;
2042 } else { 2084 } else {
2043 /* Check for a default transition on this program. */ 2085 /* Check for a default transition on this program. */
2044 rc = security_transition_sid(tsec->sid, isec->sid, 2086 rc = security_transition_sid(old_tsec->sid, isec->sid,
2045 SECCLASS_PROCESS, &newsid); 2087 SECCLASS_PROCESS, &new_tsec->sid);
2046 if (rc) 2088 if (rc)
2047 return rc; 2089 return rc;
2048 } 2090 }
@@ -2051,33 +2093,63 @@ static int selinux_bprm_set_security(struct linux_binprm *bprm)
2051 ad.u.fs.path = bprm->file->f_path; 2093 ad.u.fs.path = bprm->file->f_path;
2052 2094
2053 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) 2095 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
2054 newsid = tsec->sid; 2096 new_tsec->sid = old_tsec->sid;
2055 2097
2056 if (tsec->sid == newsid) { 2098 if (new_tsec->sid == old_tsec->sid) {
2057 rc = avc_has_perm(tsec->sid, isec->sid, 2099 rc = avc_has_perm(old_tsec->sid, isec->sid,
2058 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); 2100 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2059 if (rc) 2101 if (rc)
2060 return rc; 2102 return rc;
2061 } else { 2103 } else {
2062 /* Check permissions for the transition. */ 2104 /* Check permissions for the transition. */
2063 rc = avc_has_perm(tsec->sid, newsid, 2105 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2064 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad); 2106 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2065 if (rc) 2107 if (rc)
2066 return rc; 2108 return rc;
2067 2109
2068 rc = avc_has_perm(newsid, isec->sid, 2110 rc = avc_has_perm(new_tsec->sid, isec->sid,
2069 SECCLASS_FILE, FILE__ENTRYPOINT, &ad); 2111 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2070 if (rc) 2112 if (rc)
2071 return rc; 2113 return rc;
2072 2114
2073 /* Clear any possibly unsafe personality bits on exec: */ 2115 /* Check for shared state */
2074 current->personality &= ~PER_CLEAR_ON_SETID; 2116 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2117 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2118 SECCLASS_PROCESS, PROCESS__SHARE,
2119 NULL);
2120 if (rc)
2121 return -EPERM;
2122 }
2123
2124 /* Make sure that anyone attempting to ptrace over a task that
2125 * changes its SID has the appropriate permit */
2126 if (bprm->unsafe &
2127 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2128 struct task_struct *tracer;
2129 struct task_security_struct *sec;
2130 u32 ptsid = 0;
2075 2131
2076 /* Set the security field to the new SID. */ 2132 rcu_read_lock();
2077 bsec->sid = newsid; 2133 tracer = tracehook_tracer_task(current);
2134 if (likely(tracer != NULL)) {
2135 sec = __task_cred(tracer)->security;
2136 ptsid = sec->sid;
2137 }
2138 rcu_read_unlock();
2139
2140 if (ptsid != 0) {
2141 rc = avc_has_perm(ptsid, new_tsec->sid,
2142 SECCLASS_PROCESS,
2143 PROCESS__PTRACE, NULL);
2144 if (rc)
2145 return -EPERM;
2146 }
2147 }
2148
2149 /* Clear any possibly unsafe personality bits on exec: */
2150 bprm->per_clear |= PER_CLEAR_ON_SETID;
2078 } 2151 }
2079 2152
2080 bsec->set = 1;
2081 return 0; 2153 return 0;
2082} 2154}
2083 2155
@@ -2086,35 +2158,34 @@ static int selinux_bprm_check_security(struct linux_binprm *bprm)
2086 return secondary_ops->bprm_check_security(bprm); 2158 return secondary_ops->bprm_check_security(bprm);
2087} 2159}
2088 2160
2089
2090static int selinux_bprm_secureexec(struct linux_binprm *bprm) 2161static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2091{ 2162{
2092 struct task_security_struct *tsec = current->security; 2163 const struct cred *cred = current_cred();
2164 const struct task_security_struct *tsec = cred->security;
2165 u32 sid, osid;
2093 int atsecure = 0; 2166 int atsecure = 0;
2094 2167
2095 if (tsec->osid != tsec->sid) { 2168 sid = tsec->sid;
2169 osid = tsec->osid;
2170
2171 if (osid != sid) {
2096 /* Enable secure mode for SIDs transitions unless 2172 /* Enable secure mode for SIDs transitions unless
2097 the noatsecure permission is granted between 2173 the noatsecure permission is granted between
2098 the two SIDs, i.e. ahp returns 0. */ 2174 the two SIDs, i.e. ahp returns 0. */
2099 atsecure = avc_has_perm(tsec->osid, tsec->sid, 2175 atsecure = avc_has_perm(osid, sid,
2100 SECCLASS_PROCESS, 2176 SECCLASS_PROCESS,
2101 PROCESS__NOATSECURE, NULL); 2177 PROCESS__NOATSECURE, NULL);
2102 } 2178 }
2103 2179
2104 return (atsecure || secondary_ops->bprm_secureexec(bprm)); 2180 return (atsecure || secondary_ops->bprm_secureexec(bprm));
2105} 2181}
2106 2182
2107static void selinux_bprm_free_security(struct linux_binprm *bprm)
2108{
2109 kfree(bprm->security);
2110 bprm->security = NULL;
2111}
2112
2113extern struct vfsmount *selinuxfs_mount; 2183extern struct vfsmount *selinuxfs_mount;
2114extern struct dentry *selinux_null; 2184extern struct dentry *selinux_null;
2115 2185
2116/* Derived from fs/exec.c:flush_old_files. */ 2186/* Derived from fs/exec.c:flush_old_files. */
2117static inline void flush_unauthorized_files(struct files_struct *files) 2187static inline void flush_unauthorized_files(const struct cred *cred,
2188 struct files_struct *files)
2118{ 2189{
2119 struct avc_audit_data ad; 2190 struct avc_audit_data ad;
2120 struct file *file, *devnull = NULL; 2191 struct file *file, *devnull = NULL;
@@ -2136,7 +2207,7 @@ static inline void flush_unauthorized_files(struct files_struct *files)
2136 interested in the inode-based check here. */ 2207 interested in the inode-based check here. */
2137 file = list_first_entry(&tty->tty_files, struct file, f_u.fu_list); 2208 file = list_first_entry(&tty->tty_files, struct file, f_u.fu_list);
2138 inode = file->f_path.dentry->d_inode; 2209 inode = file->f_path.dentry->d_inode;
2139 if (inode_has_perm(current, inode, 2210 if (inode_has_perm(cred, inode,
2140 FILE__READ | FILE__WRITE, NULL)) { 2211 FILE__READ | FILE__WRITE, NULL)) {
2141 drop_tty = 1; 2212 drop_tty = 1;
2142 } 2213 }
@@ -2171,7 +2242,7 @@ static inline void flush_unauthorized_files(struct files_struct *files)
2171 file = fget(i); 2242 file = fget(i);
2172 if (!file) 2243 if (!file)
2173 continue; 2244 continue;
2174 if (file_has_perm(current, 2245 if (file_has_perm(cred,
2175 file, 2246 file,
2176 file_to_av(file))) { 2247 file_to_av(file))) {
2177 sys_close(i); 2248 sys_close(i);
@@ -2185,7 +2256,10 @@ static inline void flush_unauthorized_files(struct files_struct *files)
2185 if (devnull) { 2256 if (devnull) {
2186 get_file(devnull); 2257 get_file(devnull);
2187 } else { 2258 } else {
2188 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR); 2259 devnull = dentry_open(
2260 dget(selinux_null),
2261 mntget(selinuxfs_mount),
2262 O_RDWR, cred);
2189 if (IS_ERR(devnull)) { 2263 if (IS_ERR(devnull)) {
2190 devnull = NULL; 2264 devnull = NULL;
2191 put_unused_fd(fd); 2265 put_unused_fd(fd);
@@ -2204,94 +2278,78 @@ static inline void flush_unauthorized_files(struct files_struct *files)
2204 spin_unlock(&files->file_lock); 2278 spin_unlock(&files->file_lock);
2205} 2279}
2206 2280
2207static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe) 2281/*
2282 * Prepare a process for imminent new credential changes due to exec
2283 */
2284static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2208{ 2285{
2209 struct task_security_struct *tsec; 2286 struct task_security_struct *new_tsec;
2210 struct bprm_security_struct *bsec; 2287 struct rlimit *rlim, *initrlim;
2211 u32 sid; 2288 int rc, i;
2212 int rc;
2213
2214 secondary_ops->bprm_apply_creds(bprm, unsafe);
2215
2216 tsec = current->security;
2217 2289
2218 bsec = bprm->security; 2290 secondary_ops->bprm_committing_creds(bprm);
2219 sid = bsec->sid;
2220 2291
2221 tsec->osid = tsec->sid; 2292 new_tsec = bprm->cred->security;
2222 bsec->unsafe = 0; 2293 if (new_tsec->sid == new_tsec->osid)
2223 if (tsec->sid != sid) { 2294 return;
2224 /* Check for shared state. If not ok, leave SID
2225 unchanged and kill. */
2226 if (unsafe & LSM_UNSAFE_SHARE) {
2227 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2228 PROCESS__SHARE, NULL);
2229 if (rc) {
2230 bsec->unsafe = 1;
2231 return;
2232 }
2233 }
2234 2295
2235 /* Check for ptracing, and update the task SID if ok. 2296 /* Close files for which the new task SID is not authorized. */
2236 Otherwise, leave SID unchanged and kill. */ 2297 flush_unauthorized_files(bprm->cred, current->files);
2237 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2238 struct task_struct *tracer;
2239 struct task_security_struct *sec;
2240 u32 ptsid = 0;
2241 2298
2242 rcu_read_lock(); 2299 /* Always clear parent death signal on SID transitions. */
2243 tracer = tracehook_tracer_task(current); 2300 current->pdeath_signal = 0;
2244 if (likely(tracer != NULL)) {
2245 sec = tracer->security;
2246 ptsid = sec->sid;
2247 }
2248 rcu_read_unlock();
2249 2301
2250 if (ptsid != 0) { 2302 /* Check whether the new SID can inherit resource limits from the old
2251 rc = avc_has_perm(ptsid, sid, SECCLASS_PROCESS, 2303 * SID. If not, reset all soft limits to the lower of the current
2252 PROCESS__PTRACE, NULL); 2304 * task's hard limit and the init task's soft limit.
2253 if (rc) { 2305 *
2254 bsec->unsafe = 1; 2306 * Note that the setting of hard limits (even to lower them) can be
2255 return; 2307 * controlled by the setrlimit check. The inclusion of the init task's
2256 } 2308 * soft limit into the computation is to avoid resetting soft limits
2257 } 2309 * higher than the default soft limit for cases where the default is
2310 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2311 */
2312 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2313 PROCESS__RLIMITINH, NULL);
2314 if (rc) {
2315 for (i = 0; i < RLIM_NLIMITS; i++) {
2316 rlim = current->signal->rlim + i;
2317 initrlim = init_task.signal->rlim + i;
2318 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2258 } 2319 }
2259 tsec->sid = sid; 2320 update_rlimit_cpu(rlim->rlim_cur);
2260 } 2321 }
2261} 2322}
2262 2323
2263/* 2324/*
2264 * called after apply_creds without the task lock held 2325 * Clean up the process immediately after the installation of new credentials
2326 * due to exec
2265 */ 2327 */
2266static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm) 2328static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2267{ 2329{
2268 struct task_security_struct *tsec; 2330 const struct task_security_struct *tsec = current_security();
2269 struct rlimit *rlim, *initrlim;
2270 struct itimerval itimer; 2331 struct itimerval itimer;
2271 struct bprm_security_struct *bsec; 2332 struct sighand_struct *psig;
2333 u32 osid, sid;
2272 int rc, i; 2334 int rc, i;
2335 unsigned long flags;
2273 2336
2274 tsec = current->security; 2337 secondary_ops->bprm_committed_creds(bprm);
2275 bsec = bprm->security;
2276 2338
2277 if (bsec->unsafe) { 2339 osid = tsec->osid;
2278 force_sig_specific(SIGKILL, current); 2340 sid = tsec->sid;
2279 return; 2341
2280 } 2342 if (sid == osid)
2281 if (tsec->osid == tsec->sid)
2282 return; 2343 return;
2283 2344
2284 /* Close files for which the new task SID is not authorized. */ 2345 /* Check whether the new SID can inherit signal state from the old SID.
2285 flush_unauthorized_files(current->files); 2346 * If not, clear itimers to avoid subsequent signal generation and
2286 2347 * flush and unblock signals.
2287 /* Check whether the new SID can inherit signal state 2348 *
2288 from the old SID. If not, clear itimers to avoid 2349 * This must occur _after_ the task SID has been updated so that any
2289 subsequent signal generation and flush and unblock 2350 * kill done after the flush will be checked against the new SID.
2290 signals. This must occur _after_ the task SID has 2351 */
2291 been updated so that any kill done after the flush 2352 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2292 will be checked against the new SID. */
2293 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2294 PROCESS__SIGINH, NULL);
2295 if (rc) { 2353 if (rc) {
2296 memset(&itimer, 0, sizeof itimer); 2354 memset(&itimer, 0, sizeof itimer);
2297 for (i = 0; i < 3; i++) 2355 for (i = 0; i < 3; i++)
@@ -2304,33 +2362,14 @@ static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2304 spin_unlock_irq(&current->sighand->siglock); 2362 spin_unlock_irq(&current->sighand->siglock);
2305 } 2363 }
2306 2364
2307 /* Always clear parent death signal on SID transitions. */ 2365 /* Wake up the parent if it is waiting so that it can recheck
2308 current->pdeath_signal = 0; 2366 * wait permission to the new task SID. */
2309 2367 read_lock_irq(&tasklist_lock);
2310 /* Check whether the new SID can inherit resource limits 2368 psig = current->parent->sighand;
2311 from the old SID. If not, reset all soft limits to 2369 spin_lock_irqsave(&psig->siglock, flags);
2312 the lower of the current task's hard limit and the init
2313 task's soft limit. Note that the setting of hard limits
2314 (even to lower them) can be controlled by the setrlimit
2315 check. The inclusion of the init task's soft limit into
2316 the computation is to avoid resetting soft limits higher
2317 than the default soft limit for cases where the default
2318 is lower than the hard limit, e.g. RLIMIT_CORE or
2319 RLIMIT_STACK.*/
2320 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2321 PROCESS__RLIMITINH, NULL);
2322 if (rc) {
2323 for (i = 0; i < RLIM_NLIMITS; i++) {
2324 rlim = current->signal->rlim + i;
2325 initrlim = init_task.signal->rlim+i;
2326 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2327 }
2328 update_rlimit_cpu(rlim->rlim_cur);
2329 }
2330
2331 /* Wake up the parent if it is waiting so that it can
2332 recheck wait permission to the new task SID. */
2333 wake_up_interruptible(&current->parent->signal->wait_chldexit); 2370 wake_up_interruptible(&current->parent->signal->wait_chldexit);
2371 spin_unlock_irqrestore(&psig->siglock, flags);
2372 read_unlock_irq(&tasklist_lock);
2334} 2373}
2335 2374
2336/* superblock security operations */ 2375/* superblock security operations */
@@ -2435,8 +2474,9 @@ out:
2435 return rc; 2474 return rc;
2436} 2475}
2437 2476
2438static int selinux_sb_kern_mount(struct super_block *sb, void *data) 2477static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2439{ 2478{
2479 const struct cred *cred = current_cred();
2440 struct avc_audit_data ad; 2480 struct avc_audit_data ad;
2441 int rc; 2481 int rc;
2442 2482
@@ -2444,18 +2484,23 @@ static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2444 if (rc) 2484 if (rc)
2445 return rc; 2485 return rc;
2446 2486
2487 /* Allow all mounts performed by the kernel */
2488 if (flags & MS_KERNMOUNT)
2489 return 0;
2490
2447 AVC_AUDIT_DATA_INIT(&ad, FS); 2491 AVC_AUDIT_DATA_INIT(&ad, FS);
2448 ad.u.fs.path.dentry = sb->s_root; 2492 ad.u.fs.path.dentry = sb->s_root;
2449 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad); 2493 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2450} 2494}
2451 2495
2452static int selinux_sb_statfs(struct dentry *dentry) 2496static int selinux_sb_statfs(struct dentry *dentry)
2453{ 2497{
2498 const struct cred *cred = current_cred();
2454 struct avc_audit_data ad; 2499 struct avc_audit_data ad;
2455 2500
2456 AVC_AUDIT_DATA_INIT(&ad, FS); 2501 AVC_AUDIT_DATA_INIT(&ad, FS);
2457 ad.u.fs.path.dentry = dentry->d_sb->s_root; 2502 ad.u.fs.path.dentry = dentry->d_sb->s_root;
2458 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad); 2503 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2459} 2504}
2460 2505
2461static int selinux_mount(char *dev_name, 2506static int selinux_mount(char *dev_name,
@@ -2464,6 +2509,7 @@ static int selinux_mount(char *dev_name,
2464 unsigned long flags, 2509 unsigned long flags,
2465 void *data) 2510 void *data)
2466{ 2511{
2512 const struct cred *cred = current_cred();
2467 int rc; 2513 int rc;
2468 2514
2469 rc = secondary_ops->sb_mount(dev_name, path, type, flags, data); 2515 rc = secondary_ops->sb_mount(dev_name, path, type, flags, data);
@@ -2471,22 +2517,23 @@ static int selinux_mount(char *dev_name,
2471 return rc; 2517 return rc;
2472 2518
2473 if (flags & MS_REMOUNT) 2519 if (flags & MS_REMOUNT)
2474 return superblock_has_perm(current, path->mnt->mnt_sb, 2520 return superblock_has_perm(cred, path->mnt->mnt_sb,
2475 FILESYSTEM__REMOUNT, NULL); 2521 FILESYSTEM__REMOUNT, NULL);
2476 else 2522 else
2477 return dentry_has_perm(current, path->mnt, path->dentry, 2523 return dentry_has_perm(cred, path->mnt, path->dentry,
2478 FILE__MOUNTON); 2524 FILE__MOUNTON);
2479} 2525}
2480 2526
2481static int selinux_umount(struct vfsmount *mnt, int flags) 2527static int selinux_umount(struct vfsmount *mnt, int flags)
2482{ 2528{
2529 const struct cred *cred = current_cred();
2483 int rc; 2530 int rc;
2484 2531
2485 rc = secondary_ops->sb_umount(mnt, flags); 2532 rc = secondary_ops->sb_umount(mnt, flags);
2486 if (rc) 2533 if (rc)
2487 return rc; 2534 return rc;
2488 2535
2489 return superblock_has_perm(current, mnt->mnt_sb, 2536 return superblock_has_perm(cred, mnt->mnt_sb,
2490 FILESYSTEM__UNMOUNT, NULL); 2537 FILESYSTEM__UNMOUNT, NULL);
2491} 2538}
2492 2539
@@ -2506,21 +2553,22 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2506 char **name, void **value, 2553 char **name, void **value,
2507 size_t *len) 2554 size_t *len)
2508{ 2555{
2509 struct task_security_struct *tsec; 2556 const struct cred *cred = current_cred();
2557 const struct task_security_struct *tsec = cred->security;
2510 struct inode_security_struct *dsec; 2558 struct inode_security_struct *dsec;
2511 struct superblock_security_struct *sbsec; 2559 struct superblock_security_struct *sbsec;
2512 u32 newsid, clen; 2560 u32 sid, newsid, clen;
2513 int rc; 2561 int rc;
2514 char *namep = NULL, *context; 2562 char *namep = NULL, *context;
2515 2563
2516 tsec = current->security;
2517 dsec = dir->i_security; 2564 dsec = dir->i_security;
2518 sbsec = dir->i_sb->s_security; 2565 sbsec = dir->i_sb->s_security;
2519 2566
2520 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) { 2567 sid = tsec->sid;
2521 newsid = tsec->create_sid; 2568 newsid = tsec->create_sid;
2522 } else { 2569
2523 rc = security_transition_sid(tsec->sid, dsec->sid, 2570 if (!newsid || sbsec->behavior == SECURITY_FS_USE_MNTPOINT) {
2571 rc = security_transition_sid(sid, dsec->sid,
2524 inode_mode_to_security_class(inode->i_mode), 2572 inode_mode_to_security_class(inode->i_mode),
2525 &newsid); 2573 &newsid);
2526 if (rc) { 2574 if (rc) {
@@ -2623,21 +2671,25 @@ static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dent
2623 2671
2624static int selinux_inode_readlink(struct dentry *dentry) 2672static int selinux_inode_readlink(struct dentry *dentry)
2625{ 2673{
2626 return dentry_has_perm(current, NULL, dentry, FILE__READ); 2674 const struct cred *cred = current_cred();
2675
2676 return dentry_has_perm(cred, NULL, dentry, FILE__READ);
2627} 2677}
2628 2678
2629static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata) 2679static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2630{ 2680{
2681 const struct cred *cred = current_cred();
2631 int rc; 2682 int rc;
2632 2683
2633 rc = secondary_ops->inode_follow_link(dentry, nameidata); 2684 rc = secondary_ops->inode_follow_link(dentry, nameidata);
2634 if (rc) 2685 if (rc)
2635 return rc; 2686 return rc;
2636 return dentry_has_perm(current, NULL, dentry, FILE__READ); 2687 return dentry_has_perm(cred, NULL, dentry, FILE__READ);
2637} 2688}
2638 2689
2639static int selinux_inode_permission(struct inode *inode, int mask) 2690static int selinux_inode_permission(struct inode *inode, int mask)
2640{ 2691{
2692 const struct cred *cred = current_cred();
2641 int rc; 2693 int rc;
2642 2694
2643 rc = secondary_ops->inode_permission(inode, mask); 2695 rc = secondary_ops->inode_permission(inode, mask);
@@ -2649,12 +2701,13 @@ static int selinux_inode_permission(struct inode *inode, int mask)
2649 return 0; 2701 return 0;
2650 } 2702 }
2651 2703
2652 return inode_has_perm(current, inode, 2704 return inode_has_perm(cred, inode,
2653 open_file_mask_to_av(inode->i_mode, mask), NULL); 2705 file_mask_to_av(inode->i_mode, mask), NULL);
2654} 2706}
2655 2707
2656static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) 2708static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2657{ 2709{
2710 const struct cred *cred = current_cred();
2658 int rc; 2711 int rc;
2659 2712
2660 rc = secondary_ops->inode_setattr(dentry, iattr); 2713 rc = secondary_ops->inode_setattr(dentry, iattr);
@@ -2666,18 +2719,22 @@ static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2666 2719
2667 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | 2720 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2668 ATTR_ATIME_SET | ATTR_MTIME_SET)) 2721 ATTR_ATIME_SET | ATTR_MTIME_SET))
2669 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR); 2722 return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
2670 2723
2671 return dentry_has_perm(current, NULL, dentry, FILE__WRITE); 2724 return dentry_has_perm(cred, NULL, dentry, FILE__WRITE);
2672} 2725}
2673 2726
2674static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry) 2727static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2675{ 2728{
2676 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR); 2729 const struct cred *cred = current_cred();
2730
2731 return dentry_has_perm(cred, mnt, dentry, FILE__GETATTR);
2677} 2732}
2678 2733
2679static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name) 2734static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2680{ 2735{
2736 const struct cred *cred = current_cred();
2737
2681 if (!strncmp(name, XATTR_SECURITY_PREFIX, 2738 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2682 sizeof XATTR_SECURITY_PREFIX - 1)) { 2739 sizeof XATTR_SECURITY_PREFIX - 1)) {
2683 if (!strcmp(name, XATTR_NAME_CAPS)) { 2740 if (!strcmp(name, XATTR_NAME_CAPS)) {
@@ -2692,18 +2749,17 @@ static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2692 2749
2693 /* Not an attribute we recognize, so just check the 2750 /* Not an attribute we recognize, so just check the
2694 ordinary setattr permission. */ 2751 ordinary setattr permission. */
2695 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR); 2752 return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
2696} 2753}
2697 2754
2698static int selinux_inode_setxattr(struct dentry *dentry, const char *name, 2755static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2699 const void *value, size_t size, int flags) 2756 const void *value, size_t size, int flags)
2700{ 2757{
2701 struct task_security_struct *tsec = current->security;
2702 struct inode *inode = dentry->d_inode; 2758 struct inode *inode = dentry->d_inode;
2703 struct inode_security_struct *isec = inode->i_security; 2759 struct inode_security_struct *isec = inode->i_security;
2704 struct superblock_security_struct *sbsec; 2760 struct superblock_security_struct *sbsec;
2705 struct avc_audit_data ad; 2761 struct avc_audit_data ad;
2706 u32 newsid; 2762 u32 newsid, sid = current_sid();
2707 int rc = 0; 2763 int rc = 0;
2708 2764
2709 if (strcmp(name, XATTR_NAME_SELINUX)) 2765 if (strcmp(name, XATTR_NAME_SELINUX))
@@ -2719,7 +2775,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2719 AVC_AUDIT_DATA_INIT(&ad, FS); 2775 AVC_AUDIT_DATA_INIT(&ad, FS);
2720 ad.u.fs.path.dentry = dentry; 2776 ad.u.fs.path.dentry = dentry;
2721 2777
2722 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, 2778 rc = avc_has_perm(sid, isec->sid, isec->sclass,
2723 FILE__RELABELFROM, &ad); 2779 FILE__RELABELFROM, &ad);
2724 if (rc) 2780 if (rc)
2725 return rc; 2781 return rc;
@@ -2733,12 +2789,12 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2733 if (rc) 2789 if (rc)
2734 return rc; 2790 return rc;
2735 2791
2736 rc = avc_has_perm(tsec->sid, newsid, isec->sclass, 2792 rc = avc_has_perm(sid, newsid, isec->sclass,
2737 FILE__RELABELTO, &ad); 2793 FILE__RELABELTO, &ad);
2738 if (rc) 2794 if (rc)
2739 return rc; 2795 return rc;
2740 2796
2741 rc = security_validate_transition(isec->sid, newsid, tsec->sid, 2797 rc = security_validate_transition(isec->sid, newsid, sid,
2742 isec->sclass); 2798 isec->sclass);
2743 if (rc) 2799 if (rc)
2744 return rc; 2800 return rc;
@@ -2778,12 +2834,16 @@ static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2778 2834
2779static int selinux_inode_getxattr(struct dentry *dentry, const char *name) 2835static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2780{ 2836{
2781 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR); 2837 const struct cred *cred = current_cred();
2838
2839 return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
2782} 2840}
2783 2841
2784static int selinux_inode_listxattr(struct dentry *dentry) 2842static int selinux_inode_listxattr(struct dentry *dentry)
2785{ 2843{
2786 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR); 2844 const struct cred *cred = current_cred();
2845
2846 return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
2787} 2847}
2788 2848
2789static int selinux_inode_removexattr(struct dentry *dentry, const char *name) 2849static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
@@ -2806,7 +2866,6 @@ static int selinux_inode_getsecurity(const struct inode *inode, const char *name
2806 u32 size; 2866 u32 size;
2807 int error; 2867 int error;
2808 char *context = NULL; 2868 char *context = NULL;
2809 struct task_security_struct *tsec = current->security;
2810 struct inode_security_struct *isec = inode->i_security; 2869 struct inode_security_struct *isec = inode->i_security;
2811 2870
2812 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 2871 if (strcmp(name, XATTR_SELINUX_SUFFIX))
@@ -2821,13 +2880,7 @@ static int selinux_inode_getsecurity(const struct inode *inode, const char *name
2821 * and lack of permission just means that we fall back to the 2880 * and lack of permission just means that we fall back to the
2822 * in-core context value, not a denial. 2881 * in-core context value, not a denial.
2823 */ 2882 */
2824 error = secondary_ops->capable(current, CAP_MAC_ADMIN); 2883 error = selinux_capable(current, CAP_MAC_ADMIN, SECURITY_CAP_NOAUDIT);
2825 if (!error)
2826 error = avc_has_perm_noaudit(tsec->sid, tsec->sid,
2827 SECCLASS_CAPABILITY2,
2828 CAPABILITY2__MAC_ADMIN,
2829 0,
2830 NULL);
2831 if (!error) 2884 if (!error)
2832 error = security_sid_to_context_force(isec->sid, &context, 2885 error = security_sid_to_context_force(isec->sid, &context,
2833 &size); 2886 &size);
@@ -2894,6 +2947,7 @@ static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2894 2947
2895static int selinux_revalidate_file_permission(struct file *file, int mask) 2948static int selinux_revalidate_file_permission(struct file *file, int mask)
2896{ 2949{
2950 const struct cred *cred = current_cred();
2897 int rc; 2951 int rc;
2898 struct inode *inode = file->f_path.dentry->d_inode; 2952 struct inode *inode = file->f_path.dentry->d_inode;
2899 2953
@@ -2906,7 +2960,7 @@ static int selinux_revalidate_file_permission(struct file *file, int mask)
2906 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE)) 2960 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2907 mask |= MAY_APPEND; 2961 mask |= MAY_APPEND;
2908 2962
2909 rc = file_has_perm(current, file, 2963 rc = file_has_perm(cred, file,
2910 file_mask_to_av(inode->i_mode, mask)); 2964 file_mask_to_av(inode->i_mode, mask));
2911 if (rc) 2965 if (rc)
2912 return rc; 2966 return rc;
@@ -2917,16 +2971,16 @@ static int selinux_revalidate_file_permission(struct file *file, int mask)
2917static int selinux_file_permission(struct file *file, int mask) 2971static int selinux_file_permission(struct file *file, int mask)
2918{ 2972{
2919 struct inode *inode = file->f_path.dentry->d_inode; 2973 struct inode *inode = file->f_path.dentry->d_inode;
2920 struct task_security_struct *tsec = current->security;
2921 struct file_security_struct *fsec = file->f_security; 2974 struct file_security_struct *fsec = file->f_security;
2922 struct inode_security_struct *isec = inode->i_security; 2975 struct inode_security_struct *isec = inode->i_security;
2976 u32 sid = current_sid();
2923 2977
2924 if (!mask) { 2978 if (!mask) {
2925 /* No permission to check. Existence test. */ 2979 /* No permission to check. Existence test. */
2926 return 0; 2980 return 0;
2927 } 2981 }
2928 2982
2929 if (tsec->sid == fsec->sid && fsec->isid == isec->sid 2983 if (sid == fsec->sid && fsec->isid == isec->sid
2930 && fsec->pseqno == avc_policy_seqno()) 2984 && fsec->pseqno == avc_policy_seqno())
2931 return selinux_netlbl_inode_permission(inode, mask); 2985 return selinux_netlbl_inode_permission(inode, mask);
2932 2986
@@ -2946,6 +3000,7 @@ static void selinux_file_free_security(struct file *file)
2946static int selinux_file_ioctl(struct file *file, unsigned int cmd, 3000static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2947 unsigned long arg) 3001 unsigned long arg)
2948{ 3002{
3003 const struct cred *cred = current_cred();
2949 u32 av = 0; 3004 u32 av = 0;
2950 3005
2951 if (_IOC_DIR(cmd) & _IOC_WRITE) 3006 if (_IOC_DIR(cmd) & _IOC_WRITE)
@@ -2955,11 +3010,14 @@ static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2955 if (!av) 3010 if (!av)
2956 av = FILE__IOCTL; 3011 av = FILE__IOCTL;
2957 3012
2958 return file_has_perm(current, file, av); 3013 return file_has_perm(cred, file, av);
2959} 3014}
2960 3015
2961static int file_map_prot_check(struct file *file, unsigned long prot, int shared) 3016static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2962{ 3017{
3018 const struct cred *cred = current_cred();
3019 int rc = 0;
3020
2963#ifndef CONFIG_PPC32 3021#ifndef CONFIG_PPC32
2964 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) { 3022 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2965 /* 3023 /*
@@ -2967,9 +3025,9 @@ static int file_map_prot_check(struct file *file, unsigned long prot, int shared
2967 * private file mapping that will also be writable. 3025 * private file mapping that will also be writable.
2968 * This has an additional check. 3026 * This has an additional check.
2969 */ 3027 */
2970 int rc = task_has_perm(current, current, PROCESS__EXECMEM); 3028 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
2971 if (rc) 3029 if (rc)
2972 return rc; 3030 goto error;
2973 } 3031 }
2974#endif 3032#endif
2975 3033
@@ -2984,9 +3042,11 @@ static int file_map_prot_check(struct file *file, unsigned long prot, int shared
2984 if (prot & PROT_EXEC) 3042 if (prot & PROT_EXEC)
2985 av |= FILE__EXECUTE; 3043 av |= FILE__EXECUTE;
2986 3044
2987 return file_has_perm(current, file, av); 3045 return file_has_perm(cred, file, av);
2988 } 3046 }
2989 return 0; 3047
3048error:
3049 return rc;
2990} 3050}
2991 3051
2992static int selinux_file_mmap(struct file *file, unsigned long reqprot, 3052static int selinux_file_mmap(struct file *file, unsigned long reqprot,
@@ -2994,7 +3054,7 @@ static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2994 unsigned long addr, unsigned long addr_only) 3054 unsigned long addr, unsigned long addr_only)
2995{ 3055{
2996 int rc = 0; 3056 int rc = 0;
2997 u32 sid = ((struct task_security_struct *)(current->security))->sid; 3057 u32 sid = current_sid();
2998 3058
2999 if (addr < mmap_min_addr) 3059 if (addr < mmap_min_addr)
3000 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT, 3060 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
@@ -3013,6 +3073,7 @@ static int selinux_file_mprotect(struct vm_area_struct *vma,
3013 unsigned long reqprot, 3073 unsigned long reqprot,
3014 unsigned long prot) 3074 unsigned long prot)
3015{ 3075{
3076 const struct cred *cred = current_cred();
3016 int rc; 3077 int rc;
3017 3078
3018 rc = secondary_ops->file_mprotect(vma, reqprot, prot); 3079 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
@@ -3027,12 +3088,11 @@ static int selinux_file_mprotect(struct vm_area_struct *vma,
3027 rc = 0; 3088 rc = 0;
3028 if (vma->vm_start >= vma->vm_mm->start_brk && 3089 if (vma->vm_start >= vma->vm_mm->start_brk &&
3029 vma->vm_end <= vma->vm_mm->brk) { 3090 vma->vm_end <= vma->vm_mm->brk) {
3030 rc = task_has_perm(current, current, 3091 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3031 PROCESS__EXECHEAP);
3032 } else if (!vma->vm_file && 3092 } else if (!vma->vm_file &&
3033 vma->vm_start <= vma->vm_mm->start_stack && 3093 vma->vm_start <= vma->vm_mm->start_stack &&
3034 vma->vm_end >= vma->vm_mm->start_stack) { 3094 vma->vm_end >= vma->vm_mm->start_stack) {
3035 rc = task_has_perm(current, current, PROCESS__EXECSTACK); 3095 rc = current_has_perm(current, PROCESS__EXECSTACK);
3036 } else if (vma->vm_file && vma->anon_vma) { 3096 } else if (vma->vm_file && vma->anon_vma) {
3037 /* 3097 /*
3038 * We are making executable a file mapping that has 3098 * We are making executable a file mapping that has
@@ -3041,8 +3101,7 @@ static int selinux_file_mprotect(struct vm_area_struct *vma,
3041 * modified content. This typically should only 3101 * modified content. This typically should only
3042 * occur for text relocations. 3102 * occur for text relocations.
3043 */ 3103 */
3044 rc = file_has_perm(current, vma->vm_file, 3104 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3045 FILE__EXECMOD);
3046 } 3105 }
3047 if (rc) 3106 if (rc)
3048 return rc; 3107 return rc;
@@ -3054,12 +3113,15 @@ static int selinux_file_mprotect(struct vm_area_struct *vma,
3054 3113
3055static int selinux_file_lock(struct file *file, unsigned int cmd) 3114static int selinux_file_lock(struct file *file, unsigned int cmd)
3056{ 3115{
3057 return file_has_perm(current, file, FILE__LOCK); 3116 const struct cred *cred = current_cred();
3117
3118 return file_has_perm(cred, file, FILE__LOCK);
3058} 3119}
3059 3120
3060static int selinux_file_fcntl(struct file *file, unsigned int cmd, 3121static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3061 unsigned long arg) 3122 unsigned long arg)
3062{ 3123{
3124 const struct cred *cred = current_cred();
3063 int err = 0; 3125 int err = 0;
3064 3126
3065 switch (cmd) { 3127 switch (cmd) {
@@ -3070,7 +3132,7 @@ static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3070 } 3132 }
3071 3133
3072 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) { 3134 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3073 err = file_has_perm(current, file, FILE__WRITE); 3135 err = file_has_perm(cred, file, FILE__WRITE);
3074 break; 3136 break;
3075 } 3137 }
3076 /* fall through */ 3138 /* fall through */
@@ -3080,7 +3142,7 @@ static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3080 case F_GETOWN: 3142 case F_GETOWN:
3081 case F_GETSIG: 3143 case F_GETSIG:
3082 /* Just check FD__USE permission */ 3144 /* Just check FD__USE permission */
3083 err = file_has_perm(current, file, 0); 3145 err = file_has_perm(cred, file, 0);
3084 break; 3146 break;
3085 case F_GETLK: 3147 case F_GETLK:
3086 case F_SETLK: 3148 case F_SETLK:
@@ -3094,7 +3156,7 @@ static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3094 err = -EINVAL; 3156 err = -EINVAL;
3095 break; 3157 break;
3096 } 3158 }
3097 err = file_has_perm(current, file, FILE__LOCK); 3159 err = file_has_perm(cred, file, FILE__LOCK);
3098 break; 3160 break;
3099 } 3161 }
3100 3162
@@ -3103,12 +3165,10 @@ static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3103 3165
3104static int selinux_file_set_fowner(struct file *file) 3166static int selinux_file_set_fowner(struct file *file)
3105{ 3167{
3106 struct task_security_struct *tsec;
3107 struct file_security_struct *fsec; 3168 struct file_security_struct *fsec;
3108 3169
3109 tsec = current->security;
3110 fsec = file->f_security; 3170 fsec = file->f_security;
3111 fsec->fown_sid = tsec->sid; 3171 fsec->fown_sid = current_sid();
3112 3172
3113 return 0; 3173 return 0;
3114} 3174}
@@ -3117,14 +3177,13 @@ static int selinux_file_send_sigiotask(struct task_struct *tsk,
3117 struct fown_struct *fown, int signum) 3177 struct fown_struct *fown, int signum)
3118{ 3178{
3119 struct file *file; 3179 struct file *file;
3180 u32 sid = current_sid();
3120 u32 perm; 3181 u32 perm;
3121 struct task_security_struct *tsec;
3122 struct file_security_struct *fsec; 3182 struct file_security_struct *fsec;
3123 3183
3124 /* struct fown_struct is never outside the context of a struct file */ 3184 /* struct fown_struct is never outside the context of a struct file */
3125 file = container_of(fown, struct file, f_owner); 3185 file = container_of(fown, struct file, f_owner);
3126 3186
3127 tsec = tsk->security;
3128 fsec = file->f_security; 3187 fsec = file->f_security;
3129 3188
3130 if (!signum) 3189 if (!signum)
@@ -3132,20 +3191,23 @@ static int selinux_file_send_sigiotask(struct task_struct *tsk,
3132 else 3191 else
3133 perm = signal_to_av(signum); 3192 perm = signal_to_av(signum);
3134 3193
3135 return avc_has_perm(fsec->fown_sid, tsec->sid, 3194 return avc_has_perm(fsec->fown_sid, sid,
3136 SECCLASS_PROCESS, perm, NULL); 3195 SECCLASS_PROCESS, perm, NULL);
3137} 3196}
3138 3197
3139static int selinux_file_receive(struct file *file) 3198static int selinux_file_receive(struct file *file)
3140{ 3199{
3141 return file_has_perm(current, file, file_to_av(file)); 3200 const struct cred *cred = current_cred();
3201
3202 return file_has_perm(cred, file, file_to_av(file));
3142} 3203}
3143 3204
3144static int selinux_dentry_open(struct file *file) 3205static int selinux_dentry_open(struct file *file, const struct cred *cred)
3145{ 3206{
3146 struct file_security_struct *fsec; 3207 struct file_security_struct *fsec;
3147 struct inode *inode; 3208 struct inode *inode;
3148 struct inode_security_struct *isec; 3209 struct inode_security_struct *isec;
3210
3149 inode = file->f_path.dentry->d_inode; 3211 inode = file->f_path.dentry->d_inode;
3150 fsec = file->f_security; 3212 fsec = file->f_security;
3151 isec = inode->i_security; 3213 isec = inode->i_security;
@@ -3166,7 +3228,7 @@ static int selinux_dentry_open(struct file *file)
3166 * new inode label or new policy. 3228 * new inode label or new policy.
3167 * This check is not redundant - do not remove. 3229 * This check is not redundant - do not remove.
3168 */ 3230 */
3169 return inode_has_perm(current, inode, file_to_av(file), NULL); 3231 return inode_has_perm(cred, inode, open_file_to_av(file), NULL);
3170} 3232}
3171 3233
3172/* task security operations */ 3234/* task security operations */
@@ -3179,36 +3241,88 @@ static int selinux_task_create(unsigned long clone_flags)
3179 if (rc) 3241 if (rc)
3180 return rc; 3242 return rc;
3181 3243
3182 return task_has_perm(current, current, PROCESS__FORK); 3244 return current_has_perm(current, PROCESS__FORK);
3183} 3245}
3184 3246
3185static int selinux_task_alloc_security(struct task_struct *tsk) 3247/*
3248 * detach and free the LSM part of a set of credentials
3249 */
3250static void selinux_cred_free(struct cred *cred)
3186{ 3251{
3187 struct task_security_struct *tsec1, *tsec2; 3252 struct task_security_struct *tsec = cred->security;
3188 int rc; 3253 cred->security = NULL;
3189 3254 kfree(tsec);
3190 tsec1 = current->security; 3255}
3191 3256
3192 rc = task_alloc_security(tsk); 3257/*
3193 if (rc) 3258 * prepare a new set of credentials for modification
3194 return rc; 3259 */
3195 tsec2 = tsk->security; 3260static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3261 gfp_t gfp)
3262{
3263 const struct task_security_struct *old_tsec;
3264 struct task_security_struct *tsec;
3196 3265
3197 tsec2->osid = tsec1->osid; 3266 old_tsec = old->security;
3198 tsec2->sid = tsec1->sid;
3199 3267
3200 /* Retain the exec, fs, key, and sock SIDs across fork */ 3268 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3201 tsec2->exec_sid = tsec1->exec_sid; 3269 if (!tsec)
3202 tsec2->create_sid = tsec1->create_sid; 3270 return -ENOMEM;
3203 tsec2->keycreate_sid = tsec1->keycreate_sid;
3204 tsec2->sockcreate_sid = tsec1->sockcreate_sid;
3205 3271
3272 new->security = tsec;
3206 return 0; 3273 return 0;
3207} 3274}
3208 3275
3209static void selinux_task_free_security(struct task_struct *tsk) 3276/*
3277 * commit new credentials
3278 */
3279static void selinux_cred_commit(struct cred *new, const struct cred *old)
3280{
3281 secondary_ops->cred_commit(new, old);
3282}
3283
3284/*
3285 * set the security data for a kernel service
3286 * - all the creation contexts are set to unlabelled
3287 */
3288static int selinux_kernel_act_as(struct cred *new, u32 secid)
3289{
3290 struct task_security_struct *tsec = new->security;
3291 u32 sid = current_sid();
3292 int ret;
3293
3294 ret = avc_has_perm(sid, secid,
3295 SECCLASS_KERNEL_SERVICE,
3296 KERNEL_SERVICE__USE_AS_OVERRIDE,
3297 NULL);
3298 if (ret == 0) {
3299 tsec->sid = secid;
3300 tsec->create_sid = 0;
3301 tsec->keycreate_sid = 0;
3302 tsec->sockcreate_sid = 0;
3303 }
3304 return ret;
3305}
3306
3307/*
3308 * set the file creation context in a security record to the same as the
3309 * objective context of the specified inode
3310 */
3311static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3210{ 3312{
3211 task_free_security(tsk); 3313 struct inode_security_struct *isec = inode->i_security;
3314 struct task_security_struct *tsec = new->security;
3315 u32 sid = current_sid();
3316 int ret;
3317
3318 ret = avc_has_perm(sid, isec->sid,
3319 SECCLASS_KERNEL_SERVICE,
3320 KERNEL_SERVICE__CREATE_FILES_AS,
3321 NULL);
3322
3323 if (ret == 0)
3324 tsec->create_sid = isec->sid;
3325 return 0;
3212} 3326}
3213 3327
3214static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) 3328static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
@@ -3222,9 +3336,10 @@ static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3222 return 0; 3336 return 0;
3223} 3337}
3224 3338
3225static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) 3339static int selinux_task_fix_setuid(struct cred *new, const struct cred *old,
3340 int flags)
3226{ 3341{
3227 return secondary_ops->task_post_setuid(id0, id1, id2, flags); 3342 return secondary_ops->task_fix_setuid(new, old, flags);
3228} 3343}
3229 3344
3230static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags) 3345static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
@@ -3235,23 +3350,22 @@ static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
3235 3350
3236static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) 3351static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3237{ 3352{
3238 return task_has_perm(current, p, PROCESS__SETPGID); 3353 return current_has_perm(p, PROCESS__SETPGID);
3239} 3354}
3240 3355
3241static int selinux_task_getpgid(struct task_struct *p) 3356static int selinux_task_getpgid(struct task_struct *p)
3242{ 3357{
3243 return task_has_perm(current, p, PROCESS__GETPGID); 3358 return current_has_perm(p, PROCESS__GETPGID);
3244} 3359}
3245 3360
3246static int selinux_task_getsid(struct task_struct *p) 3361static int selinux_task_getsid(struct task_struct *p)
3247{ 3362{
3248 return task_has_perm(current, p, PROCESS__GETSESSION); 3363 return current_has_perm(p, PROCESS__GETSESSION);
3249} 3364}
3250 3365
3251static void selinux_task_getsecid(struct task_struct *p, u32 *secid) 3366static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3252{ 3367{
3253 struct task_security_struct *tsec = p->security; 3368 *secid = task_sid(p);
3254 *secid = tsec->sid;
3255} 3369}
3256 3370
3257static int selinux_task_setgroups(struct group_info *group_info) 3371static int selinux_task_setgroups(struct group_info *group_info)
@@ -3268,7 +3382,7 @@ static int selinux_task_setnice(struct task_struct *p, int nice)
3268 if (rc) 3382 if (rc)
3269 return rc; 3383 return rc;
3270 3384
3271 return task_has_perm(current, p, PROCESS__SETSCHED); 3385 return current_has_perm(p, PROCESS__SETSCHED);
3272} 3386}
3273 3387
3274static int selinux_task_setioprio(struct task_struct *p, int ioprio) 3388static int selinux_task_setioprio(struct task_struct *p, int ioprio)
@@ -3279,12 +3393,12 @@ static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3279 if (rc) 3393 if (rc)
3280 return rc; 3394 return rc;
3281 3395
3282 return task_has_perm(current, p, PROCESS__SETSCHED); 3396 return current_has_perm(p, PROCESS__SETSCHED);
3283} 3397}
3284 3398
3285static int selinux_task_getioprio(struct task_struct *p) 3399static int selinux_task_getioprio(struct task_struct *p)
3286{ 3400{
3287 return task_has_perm(current, p, PROCESS__GETSCHED); 3401 return current_has_perm(p, PROCESS__GETSCHED);
3288} 3402}
3289 3403
3290static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim) 3404static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
@@ -3299,9 +3413,9 @@ static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim
3299 /* Control the ability to change the hard limit (whether 3413 /* Control the ability to change the hard limit (whether
3300 lowering or raising it), so that the hard limit can 3414 lowering or raising it), so that the hard limit can
3301 later be used as a safe reset point for the soft limit 3415 later be used as a safe reset point for the soft limit
3302 upon context transitions. See selinux_bprm_apply_creds. */ 3416 upon context transitions. See selinux_bprm_committing_creds. */
3303 if (old_rlim->rlim_max != new_rlim->rlim_max) 3417 if (old_rlim->rlim_max != new_rlim->rlim_max)
3304 return task_has_perm(current, current, PROCESS__SETRLIMIT); 3418 return current_has_perm(current, PROCESS__SETRLIMIT);
3305 3419
3306 return 0; 3420 return 0;
3307} 3421}
@@ -3314,17 +3428,17 @@ static int selinux_task_setscheduler(struct task_struct *p, int policy, struct s
3314 if (rc) 3428 if (rc)
3315 return rc; 3429 return rc;
3316 3430
3317 return task_has_perm(current, p, PROCESS__SETSCHED); 3431 return current_has_perm(p, PROCESS__SETSCHED);
3318} 3432}
3319 3433
3320static int selinux_task_getscheduler(struct task_struct *p) 3434static int selinux_task_getscheduler(struct task_struct *p)
3321{ 3435{
3322 return task_has_perm(current, p, PROCESS__GETSCHED); 3436 return current_has_perm(p, PROCESS__GETSCHED);
3323} 3437}
3324 3438
3325static int selinux_task_movememory(struct task_struct *p) 3439static int selinux_task_movememory(struct task_struct *p)
3326{ 3440{
3327 return task_has_perm(current, p, PROCESS__SETSCHED); 3441 return current_has_perm(p, PROCESS__SETSCHED);
3328} 3442}
3329 3443
3330static int selinux_task_kill(struct task_struct *p, struct siginfo *info, 3444static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
@@ -3332,7 +3446,6 @@ static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3332{ 3446{
3333 u32 perm; 3447 u32 perm;
3334 int rc; 3448 int rc;
3335 struct task_security_struct *tsec;
3336 3449
3337 rc = secondary_ops->task_kill(p, info, sig, secid); 3450 rc = secondary_ops->task_kill(p, info, sig, secid);
3338 if (rc) 3451 if (rc)
@@ -3342,11 +3455,11 @@ static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3342 perm = PROCESS__SIGNULL; /* null signal; existence test */ 3455 perm = PROCESS__SIGNULL; /* null signal; existence test */
3343 else 3456 else
3344 perm = signal_to_av(sig); 3457 perm = signal_to_av(sig);
3345 tsec = p->security;
3346 if (secid) 3458 if (secid)
3347 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL); 3459 rc = avc_has_perm(secid, task_sid(p),
3460 SECCLASS_PROCESS, perm, NULL);
3348 else 3461 else
3349 rc = task_has_perm(current, p, perm); 3462 rc = current_has_perm(p, perm);
3350 return rc; 3463 return rc;
3351} 3464}
3352 3465
@@ -3354,13 +3467,12 @@ static int selinux_task_prctl(int option,
3354 unsigned long arg2, 3467 unsigned long arg2,
3355 unsigned long arg3, 3468 unsigned long arg3,
3356 unsigned long arg4, 3469 unsigned long arg4,
3357 unsigned long arg5, 3470 unsigned long arg5)
3358 long *rc_p)
3359{ 3471{
3360 /* The current prctl operations do not appear to require 3472 /* The current prctl operations do not appear to require
3361 any SELinux controls since they merely observe or modify 3473 any SELinux controls since they merely observe or modify
3362 the state of the current process. */ 3474 the state of the current process. */
3363 return secondary_ops->task_prctl(option, arg2, arg3, arg4, arg5, rc_p); 3475 return secondary_ops->task_prctl(option, arg2, arg3, arg4, arg5);
3364} 3476}
3365 3477
3366static int selinux_task_wait(struct task_struct *p) 3478static int selinux_task_wait(struct task_struct *p)
@@ -3368,27 +3480,14 @@ static int selinux_task_wait(struct task_struct *p)
3368 return task_has_perm(p, current, PROCESS__SIGCHLD); 3480 return task_has_perm(p, current, PROCESS__SIGCHLD);
3369} 3481}
3370 3482
3371static void selinux_task_reparent_to_init(struct task_struct *p)
3372{
3373 struct task_security_struct *tsec;
3374
3375 secondary_ops->task_reparent_to_init(p);
3376
3377 tsec = p->security;
3378 tsec->osid = tsec->sid;
3379 tsec->sid = SECINITSID_KERNEL;
3380 return;
3381}
3382
3383static void selinux_task_to_inode(struct task_struct *p, 3483static void selinux_task_to_inode(struct task_struct *p,
3384 struct inode *inode) 3484 struct inode *inode)
3385{ 3485{
3386 struct task_security_struct *tsec = p->security;
3387 struct inode_security_struct *isec = inode->i_security; 3486 struct inode_security_struct *isec = inode->i_security;
3487 u32 sid = task_sid(p);
3388 3488
3389 isec->sid = tsec->sid; 3489 isec->sid = sid;
3390 isec->initialized = 1; 3490 isec->initialized = 1;
3391 return;
3392} 3491}
3393 3492
3394/* Returns error only if unable to parse addresses */ 3493/* Returns error only if unable to parse addresses */
@@ -3627,19 +3726,19 @@ static int socket_has_perm(struct task_struct *task, struct socket *sock,
3627 u32 perms) 3726 u32 perms)
3628{ 3727{
3629 struct inode_security_struct *isec; 3728 struct inode_security_struct *isec;
3630 struct task_security_struct *tsec;
3631 struct avc_audit_data ad; 3729 struct avc_audit_data ad;
3730 u32 sid;
3632 int err = 0; 3731 int err = 0;
3633 3732
3634 tsec = task->security;
3635 isec = SOCK_INODE(sock)->i_security; 3733 isec = SOCK_INODE(sock)->i_security;
3636 3734
3637 if (isec->sid == SECINITSID_KERNEL) 3735 if (isec->sid == SECINITSID_KERNEL)
3638 goto out; 3736 goto out;
3737 sid = task_sid(task);
3639 3738
3640 AVC_AUDIT_DATA_INIT(&ad, NET); 3739 AVC_AUDIT_DATA_INIT(&ad, NET);
3641 ad.u.net.sk = sock->sk; 3740 ad.u.net.sk = sock->sk;
3642 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad); 3741 err = avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
3643 3742
3644out: 3743out:
3645 return err; 3744 return err;
@@ -3648,18 +3747,20 @@ out:
3648static int selinux_socket_create(int family, int type, 3747static int selinux_socket_create(int family, int type,
3649 int protocol, int kern) 3748 int protocol, int kern)
3650{ 3749{
3750 const struct cred *cred = current_cred();
3751 const struct task_security_struct *tsec = cred->security;
3752 u32 sid, newsid;
3753 u16 secclass;
3651 int err = 0; 3754 int err = 0;
3652 struct task_security_struct *tsec;
3653 u32 newsid;
3654 3755
3655 if (kern) 3756 if (kern)
3656 goto out; 3757 goto out;
3657 3758
3658 tsec = current->security; 3759 sid = tsec->sid;
3659 newsid = tsec->sockcreate_sid ? : tsec->sid; 3760 newsid = tsec->sockcreate_sid ?: sid;
3660 err = avc_has_perm(tsec->sid, newsid, 3761
3661 socket_type_to_security_class(family, type, 3762 secclass = socket_type_to_security_class(family, type, protocol);
3662 protocol), SOCKET__CREATE, NULL); 3763 err = avc_has_perm(sid, newsid, secclass, SOCKET__CREATE, NULL);
3663 3764
3664out: 3765out:
3665 return err; 3766 return err;
@@ -3668,18 +3769,26 @@ out:
3668static int selinux_socket_post_create(struct socket *sock, int family, 3769static int selinux_socket_post_create(struct socket *sock, int family,
3669 int type, int protocol, int kern) 3770 int type, int protocol, int kern)
3670{ 3771{
3671 int err = 0; 3772 const struct cred *cred = current_cred();
3773 const struct task_security_struct *tsec = cred->security;
3672 struct inode_security_struct *isec; 3774 struct inode_security_struct *isec;
3673 struct task_security_struct *tsec;
3674 struct sk_security_struct *sksec; 3775 struct sk_security_struct *sksec;
3675 u32 newsid; 3776 u32 sid, newsid;
3777 int err = 0;
3778
3779 sid = tsec->sid;
3780 newsid = tsec->sockcreate_sid;
3676 3781
3677 isec = SOCK_INODE(sock)->i_security; 3782 isec = SOCK_INODE(sock)->i_security;
3678 3783
3679 tsec = current->security; 3784 if (kern)
3680 newsid = tsec->sockcreate_sid ? : tsec->sid; 3785 isec->sid = SECINITSID_KERNEL;
3786 else if (newsid)
3787 isec->sid = newsid;
3788 else
3789 isec->sid = sid;
3790
3681 isec->sclass = socket_type_to_security_class(family, type, protocol); 3791 isec->sclass = socket_type_to_security_class(family, type, protocol);
3682 isec->sid = kern ? SECINITSID_KERNEL : newsid;
3683 isec->initialized = 1; 3792 isec->initialized = 1;
3684 3793
3685 if (sock->sk) { 3794 if (sock->sk) {
@@ -3714,7 +3823,6 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
3714 if (family == PF_INET || family == PF_INET6) { 3823 if (family == PF_INET || family == PF_INET6) {
3715 char *addrp; 3824 char *addrp;
3716 struct inode_security_struct *isec; 3825 struct inode_security_struct *isec;
3717 struct task_security_struct *tsec;
3718 struct avc_audit_data ad; 3826 struct avc_audit_data ad;
3719 struct sockaddr_in *addr4 = NULL; 3827 struct sockaddr_in *addr4 = NULL;
3720 struct sockaddr_in6 *addr6 = NULL; 3828 struct sockaddr_in6 *addr6 = NULL;
@@ -3722,7 +3830,6 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
3722 struct sock *sk = sock->sk; 3830 struct sock *sk = sock->sk;
3723 u32 sid, node_perm; 3831 u32 sid, node_perm;
3724 3832
3725 tsec = current->security;
3726 isec = SOCK_INODE(sock)->i_security; 3833 isec = SOCK_INODE(sock)->i_security;
3727 3834
3728 if (family == PF_INET) { 3835 if (family == PF_INET) {
@@ -4387,7 +4494,7 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4387 "SELinux: unrecognized netlink message" 4494 "SELinux: unrecognized netlink message"
4388 " type=%hu for sclass=%hu\n", 4495 " type=%hu for sclass=%hu\n",
4389 nlh->nlmsg_type, isec->sclass); 4496 nlh->nlmsg_type, isec->sclass);
4390 if (!selinux_enforcing) 4497 if (!selinux_enforcing || security_get_allow_unknown())
4391 err = 0; 4498 err = 0;
4392 } 4499 }
4393 4500
@@ -4763,15 +4870,16 @@ static int ipc_alloc_security(struct task_struct *task,
4763 struct kern_ipc_perm *perm, 4870 struct kern_ipc_perm *perm,
4764 u16 sclass) 4871 u16 sclass)
4765{ 4872{
4766 struct task_security_struct *tsec = task->security;
4767 struct ipc_security_struct *isec; 4873 struct ipc_security_struct *isec;
4874 u32 sid;
4768 4875
4769 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL); 4876 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4770 if (!isec) 4877 if (!isec)
4771 return -ENOMEM; 4878 return -ENOMEM;
4772 4879
4880 sid = task_sid(task);
4773 isec->sclass = sclass; 4881 isec->sclass = sclass;
4774 isec->sid = tsec->sid; 4882 isec->sid = sid;
4775 perm->security = isec; 4883 perm->security = isec;
4776 4884
4777 return 0; 4885 return 0;
@@ -4809,17 +4917,16 @@ static void msg_msg_free_security(struct msg_msg *msg)
4809static int ipc_has_perm(struct kern_ipc_perm *ipc_perms, 4917static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4810 u32 perms) 4918 u32 perms)
4811{ 4919{
4812 struct task_security_struct *tsec;
4813 struct ipc_security_struct *isec; 4920 struct ipc_security_struct *isec;
4814 struct avc_audit_data ad; 4921 struct avc_audit_data ad;
4922 u32 sid = current_sid();
4815 4923
4816 tsec = current->security;
4817 isec = ipc_perms->security; 4924 isec = ipc_perms->security;
4818 4925
4819 AVC_AUDIT_DATA_INIT(&ad, IPC); 4926 AVC_AUDIT_DATA_INIT(&ad, IPC);
4820 ad.u.ipc_id = ipc_perms->key; 4927 ad.u.ipc_id = ipc_perms->key;
4821 4928
4822 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad); 4929 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
4823} 4930}
4824 4931
4825static int selinux_msg_msg_alloc_security(struct msg_msg *msg) 4932static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
@@ -4835,22 +4942,21 @@ static void selinux_msg_msg_free_security(struct msg_msg *msg)
4835/* message queue security operations */ 4942/* message queue security operations */
4836static int selinux_msg_queue_alloc_security(struct msg_queue *msq) 4943static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4837{ 4944{
4838 struct task_security_struct *tsec;
4839 struct ipc_security_struct *isec; 4945 struct ipc_security_struct *isec;
4840 struct avc_audit_data ad; 4946 struct avc_audit_data ad;
4947 u32 sid = current_sid();
4841 int rc; 4948 int rc;
4842 4949
4843 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ); 4950 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4844 if (rc) 4951 if (rc)
4845 return rc; 4952 return rc;
4846 4953
4847 tsec = current->security;
4848 isec = msq->q_perm.security; 4954 isec = msq->q_perm.security;
4849 4955
4850 AVC_AUDIT_DATA_INIT(&ad, IPC); 4956 AVC_AUDIT_DATA_INIT(&ad, IPC);
4851 ad.u.ipc_id = msq->q_perm.key; 4957 ad.u.ipc_id = msq->q_perm.key;
4852 4958
4853 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ, 4959 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4854 MSGQ__CREATE, &ad); 4960 MSGQ__CREATE, &ad);
4855 if (rc) { 4961 if (rc) {
4856 ipc_free_security(&msq->q_perm); 4962 ipc_free_security(&msq->q_perm);
@@ -4866,17 +4972,16 @@ static void selinux_msg_queue_free_security(struct msg_queue *msq)
4866 4972
4867static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg) 4973static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4868{ 4974{
4869 struct task_security_struct *tsec;
4870 struct ipc_security_struct *isec; 4975 struct ipc_security_struct *isec;
4871 struct avc_audit_data ad; 4976 struct avc_audit_data ad;
4977 u32 sid = current_sid();
4872 4978
4873 tsec = current->security;
4874 isec = msq->q_perm.security; 4979 isec = msq->q_perm.security;
4875 4980
4876 AVC_AUDIT_DATA_INIT(&ad, IPC); 4981 AVC_AUDIT_DATA_INIT(&ad, IPC);
4877 ad.u.ipc_id = msq->q_perm.key; 4982 ad.u.ipc_id = msq->q_perm.key;
4878 4983
4879 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ, 4984 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4880 MSGQ__ASSOCIATE, &ad); 4985 MSGQ__ASSOCIATE, &ad);
4881} 4986}
4882 4987
@@ -4910,13 +5015,12 @@ static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4910 5015
4911static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg) 5016static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4912{ 5017{
4913 struct task_security_struct *tsec;
4914 struct ipc_security_struct *isec; 5018 struct ipc_security_struct *isec;
4915 struct msg_security_struct *msec; 5019 struct msg_security_struct *msec;
4916 struct avc_audit_data ad; 5020 struct avc_audit_data ad;
5021 u32 sid = current_sid();
4917 int rc; 5022 int rc;
4918 5023
4919 tsec = current->security;
4920 isec = msq->q_perm.security; 5024 isec = msq->q_perm.security;
4921 msec = msg->security; 5025 msec = msg->security;
4922 5026
@@ -4928,9 +5032,7 @@ static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg,
4928 * Compute new sid based on current process and 5032 * Compute new sid based on current process and
4929 * message queue this message will be stored in 5033 * message queue this message will be stored in
4930 */ 5034 */
4931 rc = security_transition_sid(tsec->sid, 5035 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
4932 isec->sid,
4933 SECCLASS_MSG,
4934 &msec->sid); 5036 &msec->sid);
4935 if (rc) 5037 if (rc)
4936 return rc; 5038 return rc;
@@ -4940,16 +5042,16 @@ static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg,
4940 ad.u.ipc_id = msq->q_perm.key; 5042 ad.u.ipc_id = msq->q_perm.key;
4941 5043
4942 /* Can this process write to the queue? */ 5044 /* Can this process write to the queue? */
4943 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ, 5045 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4944 MSGQ__WRITE, &ad); 5046 MSGQ__WRITE, &ad);
4945 if (!rc) 5047 if (!rc)
4946 /* Can this process send the message */ 5048 /* Can this process send the message */
4947 rc = avc_has_perm(tsec->sid, msec->sid, 5049 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
4948 SECCLASS_MSG, MSG__SEND, &ad); 5050 MSG__SEND, &ad);
4949 if (!rc) 5051 if (!rc)
4950 /* Can the message be put in the queue? */ 5052 /* Can the message be put in the queue? */
4951 rc = avc_has_perm(msec->sid, isec->sid, 5053 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
4952 SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad); 5054 MSGQ__ENQUEUE, &ad);
4953 5055
4954 return rc; 5056 return rc;
4955} 5057}
@@ -4958,23 +5060,22 @@ static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4958 struct task_struct *target, 5060 struct task_struct *target,
4959 long type, int mode) 5061 long type, int mode)
4960{ 5062{
4961 struct task_security_struct *tsec;
4962 struct ipc_security_struct *isec; 5063 struct ipc_security_struct *isec;
4963 struct msg_security_struct *msec; 5064 struct msg_security_struct *msec;
4964 struct avc_audit_data ad; 5065 struct avc_audit_data ad;
5066 u32 sid = task_sid(target);
4965 int rc; 5067 int rc;
4966 5068
4967 tsec = target->security;
4968 isec = msq->q_perm.security; 5069 isec = msq->q_perm.security;
4969 msec = msg->security; 5070 msec = msg->security;
4970 5071
4971 AVC_AUDIT_DATA_INIT(&ad, IPC); 5072 AVC_AUDIT_DATA_INIT(&ad, IPC);
4972 ad.u.ipc_id = msq->q_perm.key; 5073 ad.u.ipc_id = msq->q_perm.key;
4973 5074
4974 rc = avc_has_perm(tsec->sid, isec->sid, 5075 rc = avc_has_perm(sid, isec->sid,
4975 SECCLASS_MSGQ, MSGQ__READ, &ad); 5076 SECCLASS_MSGQ, MSGQ__READ, &ad);
4976 if (!rc) 5077 if (!rc)
4977 rc = avc_has_perm(tsec->sid, msec->sid, 5078 rc = avc_has_perm(sid, msec->sid,
4978 SECCLASS_MSG, MSG__RECEIVE, &ad); 5079 SECCLASS_MSG, MSG__RECEIVE, &ad);
4979 return rc; 5080 return rc;
4980} 5081}
@@ -4982,22 +5083,21 @@ static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4982/* Shared Memory security operations */ 5083/* Shared Memory security operations */
4983static int selinux_shm_alloc_security(struct shmid_kernel *shp) 5084static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4984{ 5085{
4985 struct task_security_struct *tsec;
4986 struct ipc_security_struct *isec; 5086 struct ipc_security_struct *isec;
4987 struct avc_audit_data ad; 5087 struct avc_audit_data ad;
5088 u32 sid = current_sid();
4988 int rc; 5089 int rc;
4989 5090
4990 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM); 5091 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4991 if (rc) 5092 if (rc)
4992 return rc; 5093 return rc;
4993 5094
4994 tsec = current->security;
4995 isec = shp->shm_perm.security; 5095 isec = shp->shm_perm.security;
4996 5096
4997 AVC_AUDIT_DATA_INIT(&ad, IPC); 5097 AVC_AUDIT_DATA_INIT(&ad, IPC);
4998 ad.u.ipc_id = shp->shm_perm.key; 5098 ad.u.ipc_id = shp->shm_perm.key;
4999 5099
5000 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM, 5100 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5001 SHM__CREATE, &ad); 5101 SHM__CREATE, &ad);
5002 if (rc) { 5102 if (rc) {
5003 ipc_free_security(&shp->shm_perm); 5103 ipc_free_security(&shp->shm_perm);
@@ -5013,17 +5113,16 @@ static void selinux_shm_free_security(struct shmid_kernel *shp)
5013 5113
5014static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg) 5114static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5015{ 5115{
5016 struct task_security_struct *tsec;
5017 struct ipc_security_struct *isec; 5116 struct ipc_security_struct *isec;
5018 struct avc_audit_data ad; 5117 struct avc_audit_data ad;
5118 u32 sid = current_sid();
5019 5119
5020 tsec = current->security;
5021 isec = shp->shm_perm.security; 5120 isec = shp->shm_perm.security;
5022 5121
5023 AVC_AUDIT_DATA_INIT(&ad, IPC); 5122 AVC_AUDIT_DATA_INIT(&ad, IPC);
5024 ad.u.ipc_id = shp->shm_perm.key; 5123 ad.u.ipc_id = shp->shm_perm.key;
5025 5124
5026 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM, 5125 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5027 SHM__ASSOCIATE, &ad); 5126 SHM__ASSOCIATE, &ad);
5028} 5127}
5029 5128
@@ -5081,22 +5180,21 @@ static int selinux_shm_shmat(struct shmid_kernel *shp,
5081/* Semaphore security operations */ 5180/* Semaphore security operations */
5082static int selinux_sem_alloc_security(struct sem_array *sma) 5181static int selinux_sem_alloc_security(struct sem_array *sma)
5083{ 5182{
5084 struct task_security_struct *tsec;
5085 struct ipc_security_struct *isec; 5183 struct ipc_security_struct *isec;
5086 struct avc_audit_data ad; 5184 struct avc_audit_data ad;
5185 u32 sid = current_sid();
5087 int rc; 5186 int rc;
5088 5187
5089 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM); 5188 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5090 if (rc) 5189 if (rc)
5091 return rc; 5190 return rc;
5092 5191
5093 tsec = current->security;
5094 isec = sma->sem_perm.security; 5192 isec = sma->sem_perm.security;
5095 5193
5096 AVC_AUDIT_DATA_INIT(&ad, IPC); 5194 AVC_AUDIT_DATA_INIT(&ad, IPC);
5097 ad.u.ipc_id = sma->sem_perm.key; 5195 ad.u.ipc_id = sma->sem_perm.key;
5098 5196
5099 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM, 5197 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5100 SEM__CREATE, &ad); 5198 SEM__CREATE, &ad);
5101 if (rc) { 5199 if (rc) {
5102 ipc_free_security(&sma->sem_perm); 5200 ipc_free_security(&sma->sem_perm);
@@ -5112,17 +5210,16 @@ static void selinux_sem_free_security(struct sem_array *sma)
5112 5210
5113static int selinux_sem_associate(struct sem_array *sma, int semflg) 5211static int selinux_sem_associate(struct sem_array *sma, int semflg)
5114{ 5212{
5115 struct task_security_struct *tsec;
5116 struct ipc_security_struct *isec; 5213 struct ipc_security_struct *isec;
5117 struct avc_audit_data ad; 5214 struct avc_audit_data ad;
5215 u32 sid = current_sid();
5118 5216
5119 tsec = current->security;
5120 isec = sma->sem_perm.security; 5217 isec = sma->sem_perm.security;
5121 5218
5122 AVC_AUDIT_DATA_INIT(&ad, IPC); 5219 AVC_AUDIT_DATA_INIT(&ad, IPC);
5123 ad.u.ipc_id = sma->sem_perm.key; 5220 ad.u.ipc_id = sma->sem_perm.key;
5124 5221
5125 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM, 5222 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5126 SEM__ASSOCIATE, &ad); 5223 SEM__ASSOCIATE, &ad);
5127} 5224}
5128 5225
@@ -5212,33 +5309,35 @@ static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5212static int selinux_getprocattr(struct task_struct *p, 5309static int selinux_getprocattr(struct task_struct *p,
5213 char *name, char **value) 5310 char *name, char **value)
5214{ 5311{
5215 struct task_security_struct *tsec; 5312 const struct task_security_struct *__tsec;
5216 u32 sid; 5313 u32 sid;
5217 int error; 5314 int error;
5218 unsigned len; 5315 unsigned len;
5219 5316
5220 if (current != p) { 5317 if (current != p) {
5221 error = task_has_perm(current, p, PROCESS__GETATTR); 5318 error = current_has_perm(p, PROCESS__GETATTR);
5222 if (error) 5319 if (error)
5223 return error; 5320 return error;
5224 } 5321 }
5225 5322
5226 tsec = p->security; 5323 rcu_read_lock();
5324 __tsec = __task_cred(p)->security;
5227 5325
5228 if (!strcmp(name, "current")) 5326 if (!strcmp(name, "current"))
5229 sid = tsec->sid; 5327 sid = __tsec->sid;
5230 else if (!strcmp(name, "prev")) 5328 else if (!strcmp(name, "prev"))
5231 sid = tsec->osid; 5329 sid = __tsec->osid;
5232 else if (!strcmp(name, "exec")) 5330 else if (!strcmp(name, "exec"))
5233 sid = tsec->exec_sid; 5331 sid = __tsec->exec_sid;
5234 else if (!strcmp(name, "fscreate")) 5332 else if (!strcmp(name, "fscreate"))
5235 sid = tsec->create_sid; 5333 sid = __tsec->create_sid;
5236 else if (!strcmp(name, "keycreate")) 5334 else if (!strcmp(name, "keycreate"))
5237 sid = tsec->keycreate_sid; 5335 sid = __tsec->keycreate_sid;
5238 else if (!strcmp(name, "sockcreate")) 5336 else if (!strcmp(name, "sockcreate"))
5239 sid = tsec->sockcreate_sid; 5337 sid = __tsec->sockcreate_sid;
5240 else 5338 else
5241 return -EINVAL; 5339 goto invalid;
5340 rcu_read_unlock();
5242 5341
5243 if (!sid) 5342 if (!sid)
5244 return 0; 5343 return 0;
@@ -5247,6 +5346,10 @@ static int selinux_getprocattr(struct task_struct *p,
5247 if (error) 5346 if (error)
5248 return error; 5347 return error;
5249 return len; 5348 return len;
5349
5350invalid:
5351 rcu_read_unlock();
5352 return -EINVAL;
5250} 5353}
5251 5354
5252static int selinux_setprocattr(struct task_struct *p, 5355static int selinux_setprocattr(struct task_struct *p,
@@ -5254,7 +5357,8 @@ static int selinux_setprocattr(struct task_struct *p,
5254{ 5357{
5255 struct task_security_struct *tsec; 5358 struct task_security_struct *tsec;
5256 struct task_struct *tracer; 5359 struct task_struct *tracer;
5257 u32 sid = 0; 5360 struct cred *new;
5361 u32 sid = 0, ptsid;
5258 int error; 5362 int error;
5259 char *str = value; 5363 char *str = value;
5260 5364
@@ -5270,15 +5374,15 @@ static int selinux_setprocattr(struct task_struct *p,
5270 * above restriction is ever removed. 5374 * above restriction is ever removed.
5271 */ 5375 */
5272 if (!strcmp(name, "exec")) 5376 if (!strcmp(name, "exec"))
5273 error = task_has_perm(current, p, PROCESS__SETEXEC); 5377 error = current_has_perm(p, PROCESS__SETEXEC);
5274 else if (!strcmp(name, "fscreate")) 5378 else if (!strcmp(name, "fscreate"))
5275 error = task_has_perm(current, p, PROCESS__SETFSCREATE); 5379 error = current_has_perm(p, PROCESS__SETFSCREATE);
5276 else if (!strcmp(name, "keycreate")) 5380 else if (!strcmp(name, "keycreate"))
5277 error = task_has_perm(current, p, PROCESS__SETKEYCREATE); 5381 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5278 else if (!strcmp(name, "sockcreate")) 5382 else if (!strcmp(name, "sockcreate"))
5279 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE); 5383 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5280 else if (!strcmp(name, "current")) 5384 else if (!strcmp(name, "current"))
5281 error = task_has_perm(current, p, PROCESS__SETCURRENT); 5385 error = current_has_perm(p, PROCESS__SETCURRENT);
5282 else 5386 else
5283 error = -EINVAL; 5387 error = -EINVAL;
5284 if (error) 5388 if (error)
@@ -5301,87 +5405,75 @@ static int selinux_setprocattr(struct task_struct *p,
5301 return error; 5405 return error;
5302 } 5406 }
5303 5407
5408 new = prepare_creds();
5409 if (!new)
5410 return -ENOMEM;
5411
5304 /* Permission checking based on the specified context is 5412 /* Permission checking based on the specified context is
5305 performed during the actual operation (execve, 5413 performed during the actual operation (execve,
5306 open/mkdir/...), when we know the full context of the 5414 open/mkdir/...), when we know the full context of the
5307 operation. See selinux_bprm_set_security for the execve 5415 operation. See selinux_bprm_set_creds for the execve
5308 checks and may_create for the file creation checks. The 5416 checks and may_create for the file creation checks. The
5309 operation will then fail if the context is not permitted. */ 5417 operation will then fail if the context is not permitted. */
5310 tsec = p->security; 5418 tsec = new->security;
5311 if (!strcmp(name, "exec")) 5419 if (!strcmp(name, "exec")) {
5312 tsec->exec_sid = sid; 5420 tsec->exec_sid = sid;
5313 else if (!strcmp(name, "fscreate")) 5421 } else if (!strcmp(name, "fscreate")) {
5314 tsec->create_sid = sid; 5422 tsec->create_sid = sid;
5315 else if (!strcmp(name, "keycreate")) { 5423 } else if (!strcmp(name, "keycreate")) {
5316 error = may_create_key(sid, p); 5424 error = may_create_key(sid, p);
5317 if (error) 5425 if (error)
5318 return error; 5426 goto abort_change;
5319 tsec->keycreate_sid = sid; 5427 tsec->keycreate_sid = sid;
5320 } else if (!strcmp(name, "sockcreate")) 5428 } else if (!strcmp(name, "sockcreate")) {
5321 tsec->sockcreate_sid = sid; 5429 tsec->sockcreate_sid = sid;
5322 else if (!strcmp(name, "current")) { 5430 } else if (!strcmp(name, "current")) {
5323 struct av_decision avd; 5431 error = -EINVAL;
5324
5325 if (sid == 0) 5432 if (sid == 0)
5326 return -EINVAL; 5433 goto abort_change;
5327 /* 5434
5328 * SELinux allows to change context in the following case only. 5435 /* Only allow single threaded processes to change context */
5329 * - Single threaded processes. 5436 error = -EPERM;
5330 * - Multi threaded processes intend to change its context into 5437 if (!is_single_threaded(p)) {
5331 * more restricted domain (defined by TYPEBOUNDS statement). 5438 error = security_bounded_transition(tsec->sid, sid);
5332 */ 5439 if (error)
5333 if (atomic_read(&p->mm->mm_users) != 1) { 5440 goto abort_change;
5334 struct task_struct *g, *t;
5335 struct mm_struct *mm = p->mm;
5336 read_lock(&tasklist_lock);
5337 do_each_thread(g, t) {
5338 if (t->mm == mm && t != p) {
5339 read_unlock(&tasklist_lock);
5340 error = security_bounded_transition(tsec->sid, sid);
5341 if (!error)
5342 goto boundary_ok;
5343
5344 return error;
5345 }
5346 } while_each_thread(g, t);
5347 read_unlock(&tasklist_lock);
5348 } 5441 }
5349boundary_ok:
5350 5442
5351 /* Check permissions for the transition. */ 5443 /* Check permissions for the transition. */
5352 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS, 5444 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5353 PROCESS__DYNTRANSITION, NULL); 5445 PROCESS__DYNTRANSITION, NULL);
5354 if (error) 5446 if (error)
5355 return error; 5447 goto abort_change;
5356 5448
5357 /* Check for ptracing, and update the task SID if ok. 5449 /* Check for ptracing, and update the task SID if ok.
5358 Otherwise, leave SID unchanged and fail. */ 5450 Otherwise, leave SID unchanged and fail. */
5451 ptsid = 0;
5359 task_lock(p); 5452 task_lock(p);
5360 rcu_read_lock();
5361 tracer = tracehook_tracer_task(p); 5453 tracer = tracehook_tracer_task(p);
5362 if (tracer != NULL) { 5454 if (tracer)
5363 struct task_security_struct *ptsec = tracer->security; 5455 ptsid = task_sid(tracer);
5364 u32 ptsid = ptsec->sid; 5456 task_unlock(p);
5365 rcu_read_unlock(); 5457
5366 error = avc_has_perm_noaudit(ptsid, sid, 5458 if (tracer) {
5367 SECCLASS_PROCESS, 5459 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5368 PROCESS__PTRACE, 0, &avd); 5460 PROCESS__PTRACE, NULL);
5369 if (!error)
5370 tsec->sid = sid;
5371 task_unlock(p);
5372 avc_audit(ptsid, sid, SECCLASS_PROCESS,
5373 PROCESS__PTRACE, &avd, error, NULL);
5374 if (error) 5461 if (error)
5375 return error; 5462 goto abort_change;
5376 } else {
5377 rcu_read_unlock();
5378 tsec->sid = sid;
5379 task_unlock(p);
5380 } 5463 }
5381 } else
5382 return -EINVAL;
5383 5464
5465 tsec->sid = sid;
5466 } else {
5467 error = -EINVAL;
5468 goto abort_change;
5469 }
5470
5471 commit_creds(new);
5384 return size; 5472 return size;
5473
5474abort_change:
5475 abort_creds(new);
5476 return error;
5385} 5477}
5386 5478
5387static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 5479static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
@@ -5401,22 +5493,23 @@ static void selinux_release_secctx(char *secdata, u32 seclen)
5401 5493
5402#ifdef CONFIG_KEYS 5494#ifdef CONFIG_KEYS
5403 5495
5404static int selinux_key_alloc(struct key *k, struct task_struct *tsk, 5496static int selinux_key_alloc(struct key *k, const struct cred *cred,
5405 unsigned long flags) 5497 unsigned long flags)
5406{ 5498{
5407 struct task_security_struct *tsec = tsk->security; 5499 const struct task_security_struct *tsec;
5408 struct key_security_struct *ksec; 5500 struct key_security_struct *ksec;
5409 5501
5410 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL); 5502 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5411 if (!ksec) 5503 if (!ksec)
5412 return -ENOMEM; 5504 return -ENOMEM;
5413 5505
5506 tsec = cred->security;
5414 if (tsec->keycreate_sid) 5507 if (tsec->keycreate_sid)
5415 ksec->sid = tsec->keycreate_sid; 5508 ksec->sid = tsec->keycreate_sid;
5416 else 5509 else
5417 ksec->sid = tsec->sid; 5510 ksec->sid = tsec->sid;
5418 k->security = ksec;
5419 5511
5512 k->security = ksec;
5420 return 0; 5513 return 0;
5421} 5514}
5422 5515
@@ -5429,17 +5522,12 @@ static void selinux_key_free(struct key *k)
5429} 5522}
5430 5523
5431static int selinux_key_permission(key_ref_t key_ref, 5524static int selinux_key_permission(key_ref_t key_ref,
5432 struct task_struct *ctx, 5525 const struct cred *cred,
5433 key_perm_t perm) 5526 key_perm_t perm)
5434{ 5527{
5435 struct key *key; 5528 struct key *key;
5436 struct task_security_struct *tsec;
5437 struct key_security_struct *ksec; 5529 struct key_security_struct *ksec;
5438 5530 u32 sid;
5439 key = key_ref_to_ptr(key_ref);
5440
5441 tsec = ctx->security;
5442 ksec = key->security;
5443 5531
5444 /* if no specific permissions are requested, we skip the 5532 /* if no specific permissions are requested, we skip the
5445 permission check. No serious, additional covert channels 5533 permission check. No serious, additional covert channels
@@ -5447,8 +5535,12 @@ static int selinux_key_permission(key_ref_t key_ref,
5447 if (perm == 0) 5535 if (perm == 0)
5448 return 0; 5536 return 0;
5449 5537
5450 return avc_has_perm(tsec->sid, ksec->sid, 5538 sid = cred_sid(cred);
5451 SECCLASS_KEY, perm, NULL); 5539
5540 key = key_ref_to_ptr(key_ref);
5541 ksec = key->security;
5542
5543 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5452} 5544}
5453 5545
5454static int selinux_key_getsecurity(struct key *key, char **_buffer) 5546static int selinux_key_getsecurity(struct key *key, char **_buffer)
@@ -5473,8 +5565,7 @@ static struct security_operations selinux_ops = {
5473 .ptrace_may_access = selinux_ptrace_may_access, 5565 .ptrace_may_access = selinux_ptrace_may_access,
5474 .ptrace_traceme = selinux_ptrace_traceme, 5566 .ptrace_traceme = selinux_ptrace_traceme,
5475 .capget = selinux_capget, 5567 .capget = selinux_capget,
5476 .capset_check = selinux_capset_check, 5568 .capset = selinux_capset,
5477 .capset_set = selinux_capset_set,
5478 .sysctl = selinux_sysctl, 5569 .sysctl = selinux_sysctl,
5479 .capable = selinux_capable, 5570 .capable = selinux_capable,
5480 .quotactl = selinux_quotactl, 5571 .quotactl = selinux_quotactl,
@@ -5485,12 +5576,10 @@ static struct security_operations selinux_ops = {
5485 .netlink_send = selinux_netlink_send, 5576 .netlink_send = selinux_netlink_send,
5486 .netlink_recv = selinux_netlink_recv, 5577 .netlink_recv = selinux_netlink_recv,
5487 5578
5488 .bprm_alloc_security = selinux_bprm_alloc_security, 5579 .bprm_set_creds = selinux_bprm_set_creds,
5489 .bprm_free_security = selinux_bprm_free_security,
5490 .bprm_apply_creds = selinux_bprm_apply_creds,
5491 .bprm_post_apply_creds = selinux_bprm_post_apply_creds,
5492 .bprm_set_security = selinux_bprm_set_security,
5493 .bprm_check_security = selinux_bprm_check_security, 5580 .bprm_check_security = selinux_bprm_check_security,
5581 .bprm_committing_creds = selinux_bprm_committing_creds,
5582 .bprm_committed_creds = selinux_bprm_committed_creds,
5494 .bprm_secureexec = selinux_bprm_secureexec, 5583 .bprm_secureexec = selinux_bprm_secureexec,
5495 5584
5496 .sb_alloc_security = selinux_sb_alloc_security, 5585 .sb_alloc_security = selinux_sb_alloc_security,
@@ -5549,10 +5638,13 @@ static struct security_operations selinux_ops = {
5549 .dentry_open = selinux_dentry_open, 5638 .dentry_open = selinux_dentry_open,
5550 5639
5551 .task_create = selinux_task_create, 5640 .task_create = selinux_task_create,
5552 .task_alloc_security = selinux_task_alloc_security, 5641 .cred_free = selinux_cred_free,
5553 .task_free_security = selinux_task_free_security, 5642 .cred_prepare = selinux_cred_prepare,
5643 .cred_commit = selinux_cred_commit,
5644 .kernel_act_as = selinux_kernel_act_as,
5645 .kernel_create_files_as = selinux_kernel_create_files_as,
5554 .task_setuid = selinux_task_setuid, 5646 .task_setuid = selinux_task_setuid,
5555 .task_post_setuid = selinux_task_post_setuid, 5647 .task_fix_setuid = selinux_task_fix_setuid,
5556 .task_setgid = selinux_task_setgid, 5648 .task_setgid = selinux_task_setgid,
5557 .task_setpgid = selinux_task_setpgid, 5649 .task_setpgid = selinux_task_setpgid,
5558 .task_getpgid = selinux_task_getpgid, 5650 .task_getpgid = selinux_task_getpgid,
@@ -5569,7 +5661,6 @@ static struct security_operations selinux_ops = {
5569 .task_kill = selinux_task_kill, 5661 .task_kill = selinux_task_kill,
5570 .task_wait = selinux_task_wait, 5662 .task_wait = selinux_task_wait,
5571 .task_prctl = selinux_task_prctl, 5663 .task_prctl = selinux_task_prctl,
5572 .task_reparent_to_init = selinux_task_reparent_to_init,
5573 .task_to_inode = selinux_task_to_inode, 5664 .task_to_inode = selinux_task_to_inode,
5574 5665
5575 .ipc_permission = selinux_ipc_permission, 5666 .ipc_permission = selinux_ipc_permission,
@@ -5665,8 +5756,6 @@ static struct security_operations selinux_ops = {
5665 5756
5666static __init int selinux_init(void) 5757static __init int selinux_init(void)
5667{ 5758{
5668 struct task_security_struct *tsec;
5669
5670 if (!security_module_enable(&selinux_ops)) { 5759 if (!security_module_enable(&selinux_ops)) {
5671 selinux_enabled = 0; 5760 selinux_enabled = 0;
5672 return 0; 5761 return 0;
@@ -5680,10 +5769,7 @@ static __init int selinux_init(void)
5680 printk(KERN_INFO "SELinux: Initializing.\n"); 5769 printk(KERN_INFO "SELinux: Initializing.\n");
5681 5770
5682 /* Set the security state for the initial task. */ 5771 /* Set the security state for the initial task. */
5683 if (task_alloc_security(current)) 5772 cred_init_security();
5684 panic("SELinux: Failed to initialize initial task.\n");
5685 tsec = current->security;
5686 tsec->osid = tsec->sid = SECINITSID_KERNEL;
5687 5773
5688 sel_inode_cache = kmem_cache_create("selinux_inode_security", 5774 sel_inode_cache = kmem_cache_create("selinux_inode_security",
5689 sizeof(struct inode_security_struct), 5775 sizeof(struct inode_security_struct),
diff --git a/security/selinux/include/av_perm_to_string.h b/security/selinux/include/av_perm_to_string.h
index 1223b4ff9bee..c0c885427b91 100644
--- a/security/selinux/include/av_perm_to_string.h
+++ b/security/selinux/include/av_perm_to_string.h
@@ -176,3 +176,5 @@
176 S_(SECCLASS_DCCP_SOCKET, DCCP_SOCKET__NAME_CONNECT, "name_connect") 176 S_(SECCLASS_DCCP_SOCKET, DCCP_SOCKET__NAME_CONNECT, "name_connect")
177 S_(SECCLASS_MEMPROTECT, MEMPROTECT__MMAP_ZERO, "mmap_zero") 177 S_(SECCLASS_MEMPROTECT, MEMPROTECT__MMAP_ZERO, "mmap_zero")
178 S_(SECCLASS_PEER, PEER__RECV, "recv") 178 S_(SECCLASS_PEER, PEER__RECV, "recv")
179 S_(SECCLASS_KERNEL_SERVICE, KERNEL_SERVICE__USE_AS_OVERRIDE, "use_as_override")
180 S_(SECCLASS_KERNEL_SERVICE, KERNEL_SERVICE__CREATE_FILES_AS, "create_files_as")
diff --git a/security/selinux/include/av_permissions.h b/security/selinux/include/av_permissions.h
index c4c51165c505..0ba79fe00e11 100644
--- a/security/selinux/include/av_permissions.h
+++ b/security/selinux/include/av_permissions.h
@@ -841,3 +841,5 @@
841#define DCCP_SOCKET__NAME_CONNECT 0x00800000UL 841#define DCCP_SOCKET__NAME_CONNECT 0x00800000UL
842#define MEMPROTECT__MMAP_ZERO 0x00000001UL 842#define MEMPROTECT__MMAP_ZERO 0x00000001UL
843#define PEER__RECV 0x00000001UL 843#define PEER__RECV 0x00000001UL
844#define KERNEL_SERVICE__USE_AS_OVERRIDE 0x00000001UL
845#define KERNEL_SERVICE__CREATE_FILES_AS 0x00000002UL
diff --git a/security/selinux/include/class_to_string.h b/security/selinux/include/class_to_string.h
index bd813c366e34..21ec786611d4 100644
--- a/security/selinux/include/class_to_string.h
+++ b/security/selinux/include/class_to_string.h
@@ -72,3 +72,8 @@
72 S_(NULL) 72 S_(NULL)
73 S_("peer") 73 S_("peer")
74 S_("capability2") 74 S_("capability2")
75 S_(NULL)
76 S_(NULL)
77 S_(NULL)
78 S_(NULL)
79 S_("kernel_service")
diff --git a/security/selinux/include/flask.h b/security/selinux/include/flask.h
index febf8868e852..882f27d66fac 100644
--- a/security/selinux/include/flask.h
+++ b/security/selinux/include/flask.h
@@ -52,6 +52,7 @@
52#define SECCLASS_MEMPROTECT 61 52#define SECCLASS_MEMPROTECT 61
53#define SECCLASS_PEER 68 53#define SECCLASS_PEER 68
54#define SECCLASS_CAPABILITY2 69 54#define SECCLASS_CAPABILITY2 69
55#define SECCLASS_KERNEL_SERVICE 74
55 56
56/* 57/*
57 * Security identifier indices for initial entities 58 * Security identifier indices for initial entities
diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
index f8be8d7fa26d..3cc45168f674 100644
--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -77,17 +77,6 @@ struct ipc_security_struct {
77 u32 sid; /* SID of IPC resource */ 77 u32 sid; /* SID of IPC resource */
78}; 78};
79 79
80struct bprm_security_struct {
81 u32 sid; /* SID for transformed process */
82 unsigned char set;
83
84 /*
85 * unsafe is used to share failure information from bprm_apply_creds()
86 * to bprm_post_apply_creds().
87 */
88 char unsafe;
89};
90
91struct netif_security_struct { 80struct netif_security_struct {
92 int ifindex; /* device index */ 81 int ifindex; /* device index */
93 u32 sid; /* SID for this interface */ 82 u32 sid; /* SID for this interface */
diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c
index ff59c0c4804b..4ed7bab89c59 100644
--- a/security/selinux/nlmsgtab.c
+++ b/security/selinux/nlmsgtab.c
@@ -63,6 +63,9 @@ static struct nlmsg_perm nlmsg_route_perms[] =
63 { RTM_GETANYCAST, NETLINK_ROUTE_SOCKET__NLMSG_READ }, 63 { RTM_GETANYCAST, NETLINK_ROUTE_SOCKET__NLMSG_READ },
64 { RTM_GETNEIGHTBL, NETLINK_ROUTE_SOCKET__NLMSG_READ }, 64 { RTM_GETNEIGHTBL, NETLINK_ROUTE_SOCKET__NLMSG_READ },
65 { RTM_SETNEIGHTBL, NETLINK_ROUTE_SOCKET__NLMSG_WRITE }, 65 { RTM_SETNEIGHTBL, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
66 { RTM_NEWADDRLABEL, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
67 { RTM_DELADDRLABEL, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
68 { RTM_GETADDRLABEL, NETLINK_ROUTE_SOCKET__NLMSG_READ },
66}; 69};
67 70
68static struct nlmsg_perm nlmsg_firewall_perms[] = 71static struct nlmsg_perm nlmsg_firewall_perms[] =
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 69c9dccc8cf0..c86303638235 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -95,13 +95,18 @@ extern void selnl_notify_setenforce(int val);
95static int task_has_security(struct task_struct *tsk, 95static int task_has_security(struct task_struct *tsk,
96 u32 perms) 96 u32 perms)
97{ 97{
98 struct task_security_struct *tsec; 98 const struct task_security_struct *tsec;
99 99 u32 sid = 0;
100 tsec = tsk->security; 100
101 rcu_read_lock();
102 tsec = __task_cred(tsk)->security;
103 if (tsec)
104 sid = tsec->sid;
105 rcu_read_unlock();
101 if (!tsec) 106 if (!tsec)
102 return -EACCES; 107 return -EACCES;
103 108
104 return avc_has_perm(tsec->sid, SECINITSID_SECURITY, 109 return avc_has_perm(sid, SECINITSID_SECURITY,
105 SECCLASS_SECURITY, perms, NULL); 110 SECCLASS_SECURITY, perms, NULL);
106} 111}
107 112
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
index 8f17f542a116..c0eb72013d67 100644
--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -197,7 +197,7 @@ static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp,
197 struct xfrm_user_sec_ctx *uctx, u32 sid) 197 struct xfrm_user_sec_ctx *uctx, u32 sid)
198{ 198{
199 int rc = 0; 199 int rc = 0;
200 struct task_security_struct *tsec = current->security; 200 const struct task_security_struct *tsec = current_security();
201 struct xfrm_sec_ctx *ctx = NULL; 201 struct xfrm_sec_ctx *ctx = NULL;
202 char *ctx_str = NULL; 202 char *ctx_str = NULL;
203 u32 str_len; 203 u32 str_len;
@@ -333,7 +333,7 @@ void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx)
333 */ 333 */
334int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx) 334int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx)
335{ 335{
336 struct task_security_struct *tsec = current->security; 336 const struct task_security_struct *tsec = current_security();
337 int rc = 0; 337 int rc = 0;
338 338
339 if (ctx) { 339 if (ctx) {
@@ -378,7 +378,7 @@ void selinux_xfrm_state_free(struct xfrm_state *x)
378 */ 378 */
379int selinux_xfrm_state_delete(struct xfrm_state *x) 379int selinux_xfrm_state_delete(struct xfrm_state *x)
380{ 380{
381 struct task_security_struct *tsec = current->security; 381 const struct task_security_struct *tsec = current_security();
382 struct xfrm_sec_ctx *ctx = x->security; 382 struct xfrm_sec_ctx *ctx = x->security;
383 int rc = 0; 383 int rc = 0;
384 384
diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
index 79ff21ed4c3b..247cec3b5a43 100644
--- a/security/smack/smack_access.c
+++ b/security/smack/smack_access.c
@@ -164,7 +164,7 @@ int smk_curacc(char *obj_label, u32 mode)
164{ 164{
165 int rc; 165 int rc;
166 166
167 rc = smk_access(current->security, obj_label, mode); 167 rc = smk_access(current_security(), obj_label, mode);
168 if (rc == 0) 168 if (rc == 0)
169 return 0; 169 return 0;
170 170
@@ -173,7 +173,7 @@ int smk_curacc(char *obj_label, u32 mode)
173 * only one that gets privilege and current does not 173 * only one that gets privilege and current does not
174 * have that label. 174 * have that label.
175 */ 175 */
176 if (smack_onlycap != NULL && smack_onlycap != current->security) 176 if (smack_onlycap != NULL && smack_onlycap != current->cred->security)
177 return rc; 177 return rc;
178 178
179 if (capable(CAP_MAC_OVERRIDE)) 179 if (capable(CAP_MAC_OVERRIDE))
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 6e2dc0bab70d..1b5551dfc1f7 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -30,6 +30,8 @@
30 30
31#include "smack.h" 31#include "smack.h"
32 32
33#define task_security(task) (task_cred_xxx((task), security))
34
33/* 35/*
34 * I hope these are the hokeyist lines of code in the module. Casey. 36 * I hope these are the hokeyist lines of code in the module. Casey.
35 */ 37 */
@@ -102,7 +104,7 @@ static int smack_ptrace_may_access(struct task_struct *ctp, unsigned int mode)
102 if (rc != 0) 104 if (rc != 0)
103 return rc; 105 return rc;
104 106
105 rc = smk_access(current->security, ctp->security, MAY_READWRITE); 107 rc = smk_access(current_security(), task_security(ctp), MAY_READWRITE);
106 if (rc != 0 && capable(CAP_MAC_OVERRIDE)) 108 if (rc != 0 && capable(CAP_MAC_OVERRIDE))
107 return 0; 109 return 0;
108 return rc; 110 return rc;
@@ -124,7 +126,7 @@ static int smack_ptrace_traceme(struct task_struct *ptp)
124 if (rc != 0) 126 if (rc != 0)
125 return rc; 127 return rc;
126 128
127 rc = smk_access(ptp->security, current->security, MAY_READWRITE); 129 rc = smk_access(task_security(ptp), current_security(), MAY_READWRITE);
128 if (rc != 0 && has_capability(ptp, CAP_MAC_OVERRIDE)) 130 if (rc != 0 && has_capability(ptp, CAP_MAC_OVERRIDE))
129 return 0; 131 return 0;
130 return rc; 132 return rc;
@@ -141,7 +143,7 @@ static int smack_ptrace_traceme(struct task_struct *ptp)
141static int smack_syslog(int type) 143static int smack_syslog(int type)
142{ 144{
143 int rc; 145 int rc;
144 char *sp = current->security; 146 char *sp = current_security();
145 147
146 rc = cap_syslog(type); 148 rc = cap_syslog(type);
147 if (rc != 0) 149 if (rc != 0)
@@ -248,11 +250,12 @@ static int smack_sb_copy_data(char *orig, char *smackopts)
248/** 250/**
249 * smack_sb_kern_mount - Smack specific mount processing 251 * smack_sb_kern_mount - Smack specific mount processing
250 * @sb: the file system superblock 252 * @sb: the file system superblock
253 * @flags: the mount flags
251 * @data: the smack mount options 254 * @data: the smack mount options
252 * 255 *
253 * Returns 0 on success, an error code on failure 256 * Returns 0 on success, an error code on failure
254 */ 257 */
255static int smack_sb_kern_mount(struct super_block *sb, void *data) 258static int smack_sb_kern_mount(struct super_block *sb, int flags, void *data)
256{ 259{
257 struct dentry *root = sb->s_root; 260 struct dentry *root = sb->s_root;
258 struct inode *inode = root->d_inode; 261 struct inode *inode = root->d_inode;
@@ -373,7 +376,7 @@ static int smack_sb_umount(struct vfsmount *mnt, int flags)
373 */ 376 */
374static int smack_inode_alloc_security(struct inode *inode) 377static int smack_inode_alloc_security(struct inode *inode)
375{ 378{
376 inode->i_security = new_inode_smack(current->security); 379 inode->i_security = new_inode_smack(current_security());
377 if (inode->i_security == NULL) 380 if (inode->i_security == NULL)
378 return -ENOMEM; 381 return -ENOMEM;
379 return 0; 382 return 0;
@@ -818,7 +821,7 @@ static int smack_file_permission(struct file *file, int mask)
818 */ 821 */
819static int smack_file_alloc_security(struct file *file) 822static int smack_file_alloc_security(struct file *file)
820{ 823{
821 file->f_security = current->security; 824 file->f_security = current_security();
822 return 0; 825 return 0;
823} 826}
824 827
@@ -916,7 +919,7 @@ static int smack_file_fcntl(struct file *file, unsigned int cmd,
916 */ 919 */
917static int smack_file_set_fowner(struct file *file) 920static int smack_file_set_fowner(struct file *file)
918{ 921{
919 file->f_security = current->security; 922 file->f_security = current_security();
920 return 0; 923 return 0;
921} 924}
922 925
@@ -941,7 +944,7 @@ static int smack_file_send_sigiotask(struct task_struct *tsk,
941 * struct fown_struct is never outside the context of a struct file 944 * struct fown_struct is never outside the context of a struct file
942 */ 945 */
943 file = container_of(fown, struct file, f_owner); 946 file = container_of(fown, struct file, f_owner);
944 rc = smk_access(file->f_security, tsk->security, MAY_WRITE); 947 rc = smk_access(file->f_security, tsk->cred->security, MAY_WRITE);
945 if (rc != 0 && has_capability(tsk, CAP_MAC_OVERRIDE)) 948 if (rc != 0 && has_capability(tsk, CAP_MAC_OVERRIDE))
946 return 0; 949 return 0;
947 return rc; 950 return rc;
@@ -973,33 +976,75 @@ static int smack_file_receive(struct file *file)
973 */ 976 */
974 977
975/** 978/**
976 * smack_task_alloc_security - "allocate" a task blob 979 * smack_cred_free - "free" task-level security credentials
977 * @tsk: the task in need of a blob 980 * @cred: the credentials in question
978 * 981 *
979 * Smack isn't using copies of blobs. Everyone 982 * Smack isn't using copies of blobs. Everyone
980 * points to an immutable list. No alloc required. 983 * points to an immutable list. The blobs never go away.
981 * No data copy required. 984 * There is no leak here.
985 */
986static void smack_cred_free(struct cred *cred)
987{
988 cred->security = NULL;
989}
990
991/**
992 * smack_cred_prepare - prepare new set of credentials for modification
993 * @new: the new credentials
994 * @old: the original credentials
995 * @gfp: the atomicity of any memory allocations
996 *
997 * Prepare a new set of credentials for modification.
998 */
999static int smack_cred_prepare(struct cred *new, const struct cred *old,
1000 gfp_t gfp)
1001{
1002 new->security = old->security;
1003 return 0;
1004}
1005
1006/*
1007 * commit new credentials
1008 * @new: the new credentials
1009 * @old: the original credentials
1010 */
1011static void smack_cred_commit(struct cred *new, const struct cred *old)
1012{
1013}
1014
1015/**
1016 * smack_kernel_act_as - Set the subjective context in a set of credentials
1017 * @new points to the set of credentials to be modified.
1018 * @secid specifies the security ID to be set
982 * 1019 *
983 * Always returns 0 1020 * Set the security data for a kernel service.
984 */ 1021 */
985static int smack_task_alloc_security(struct task_struct *tsk) 1022static int smack_kernel_act_as(struct cred *new, u32 secid)
986{ 1023{
987 tsk->security = current->security; 1024 char *smack = smack_from_secid(secid);
1025
1026 if (smack == NULL)
1027 return -EINVAL;
988 1028
1029 new->security = smack;
989 return 0; 1030 return 0;
990} 1031}
991 1032
992/** 1033/**
993 * smack_task_free_security - "free" a task blob 1034 * smack_kernel_create_files_as - Set the file creation label in a set of creds
994 * @task: the task with the blob 1035 * @new points to the set of credentials to be modified
1036 * @inode points to the inode to use as a reference
995 * 1037 *
996 * Smack isn't using copies of blobs. Everyone 1038 * Set the file creation context in a set of credentials to the same
997 * points to an immutable list. The blobs never go away. 1039 * as the objective context of the specified inode
998 * There is no leak here.
999 */ 1040 */
1000static void smack_task_free_security(struct task_struct *task) 1041static int smack_kernel_create_files_as(struct cred *new,
1042 struct inode *inode)
1001{ 1043{
1002 task->security = NULL; 1044 struct inode_smack *isp = inode->i_security;
1045
1046 new->security = isp->smk_inode;
1047 return 0;
1003} 1048}
1004 1049
1005/** 1050/**
@@ -1011,7 +1056,7 @@ static void smack_task_free_security(struct task_struct *task)
1011 */ 1056 */
1012static int smack_task_setpgid(struct task_struct *p, pid_t pgid) 1057static int smack_task_setpgid(struct task_struct *p, pid_t pgid)
1013{ 1058{
1014 return smk_curacc(p->security, MAY_WRITE); 1059 return smk_curacc(task_security(p), MAY_WRITE);
1015} 1060}
1016 1061
1017/** 1062/**
@@ -1022,7 +1067,7 @@ static int smack_task_setpgid(struct task_struct *p, pid_t pgid)
1022 */ 1067 */
1023static int smack_task_getpgid(struct task_struct *p) 1068static int smack_task_getpgid(struct task_struct *p)
1024{ 1069{
1025 return smk_curacc(p->security, MAY_READ); 1070 return smk_curacc(task_security(p), MAY_READ);
1026} 1071}
1027 1072
1028/** 1073/**
@@ -1033,7 +1078,7 @@ static int smack_task_getpgid(struct task_struct *p)
1033 */ 1078 */
1034static int smack_task_getsid(struct task_struct *p) 1079static int smack_task_getsid(struct task_struct *p)
1035{ 1080{
1036 return smk_curacc(p->security, MAY_READ); 1081 return smk_curacc(task_security(p), MAY_READ);
1037} 1082}
1038 1083
1039/** 1084/**
@@ -1045,7 +1090,7 @@ static int smack_task_getsid(struct task_struct *p)
1045 */ 1090 */
1046static void smack_task_getsecid(struct task_struct *p, u32 *secid) 1091static void smack_task_getsecid(struct task_struct *p, u32 *secid)
1047{ 1092{
1048 *secid = smack_to_secid(p->security); 1093 *secid = smack_to_secid(task_security(p));
1049} 1094}
1050 1095
1051/** 1096/**
@@ -1061,7 +1106,7 @@ static int smack_task_setnice(struct task_struct *p, int nice)
1061 1106
1062 rc = cap_task_setnice(p, nice); 1107 rc = cap_task_setnice(p, nice);
1063 if (rc == 0) 1108 if (rc == 0)
1064 rc = smk_curacc(p->security, MAY_WRITE); 1109 rc = smk_curacc(task_security(p), MAY_WRITE);
1065 return rc; 1110 return rc;
1066} 1111}
1067 1112
@@ -1078,7 +1123,7 @@ static int smack_task_setioprio(struct task_struct *p, int ioprio)
1078 1123
1079 rc = cap_task_setioprio(p, ioprio); 1124 rc = cap_task_setioprio(p, ioprio);
1080 if (rc == 0) 1125 if (rc == 0)
1081 rc = smk_curacc(p->security, MAY_WRITE); 1126 rc = smk_curacc(task_security(p), MAY_WRITE);
1082 return rc; 1127 return rc;
1083} 1128}
1084 1129
@@ -1090,7 +1135,7 @@ static int smack_task_setioprio(struct task_struct *p, int ioprio)
1090 */ 1135 */
1091static int smack_task_getioprio(struct task_struct *p) 1136static int smack_task_getioprio(struct task_struct *p)
1092{ 1137{
1093 return smk_curacc(p->security, MAY_READ); 1138 return smk_curacc(task_security(p), MAY_READ);
1094} 1139}
1095 1140
1096/** 1141/**
@@ -1108,7 +1153,7 @@ static int smack_task_setscheduler(struct task_struct *p, int policy,
1108 1153
1109 rc = cap_task_setscheduler(p, policy, lp); 1154 rc = cap_task_setscheduler(p, policy, lp);
1110 if (rc == 0) 1155 if (rc == 0)
1111 rc = smk_curacc(p->security, MAY_WRITE); 1156 rc = smk_curacc(task_security(p), MAY_WRITE);
1112 return rc; 1157 return rc;
1113} 1158}
1114 1159
@@ -1120,7 +1165,7 @@ static int smack_task_setscheduler(struct task_struct *p, int policy,
1120 */ 1165 */
1121static int smack_task_getscheduler(struct task_struct *p) 1166static int smack_task_getscheduler(struct task_struct *p)
1122{ 1167{
1123 return smk_curacc(p->security, MAY_READ); 1168 return smk_curacc(task_security(p), MAY_READ);
1124} 1169}
1125 1170
1126/** 1171/**
@@ -1131,7 +1176,7 @@ static int smack_task_getscheduler(struct task_struct *p)
1131 */ 1176 */
1132static int smack_task_movememory(struct task_struct *p) 1177static int smack_task_movememory(struct task_struct *p)
1133{ 1178{
1134 return smk_curacc(p->security, MAY_WRITE); 1179 return smk_curacc(task_security(p), MAY_WRITE);
1135} 1180}
1136 1181
1137/** 1182/**
@@ -1154,13 +1199,13 @@ static int smack_task_kill(struct task_struct *p, struct siginfo *info,
1154 * can write the receiver. 1199 * can write the receiver.
1155 */ 1200 */
1156 if (secid == 0) 1201 if (secid == 0)
1157 return smk_curacc(p->security, MAY_WRITE); 1202 return smk_curacc(task_security(p), MAY_WRITE);
1158 /* 1203 /*
1159 * If the secid isn't 0 we're dealing with some USB IO 1204 * If the secid isn't 0 we're dealing with some USB IO
1160 * specific behavior. This is not clean. For one thing 1205 * specific behavior. This is not clean. For one thing
1161 * we can't take privilege into account. 1206 * we can't take privilege into account.
1162 */ 1207 */
1163 return smk_access(smack_from_secid(secid), p->security, MAY_WRITE); 1208 return smk_access(smack_from_secid(secid), task_security(p), MAY_WRITE);
1164} 1209}
1165 1210
1166/** 1211/**
@@ -1173,7 +1218,7 @@ static int smack_task_wait(struct task_struct *p)
1173{ 1218{
1174 int rc; 1219 int rc;
1175 1220
1176 rc = smk_access(current->security, p->security, MAY_WRITE); 1221 rc = smk_access(current_security(), task_security(p), MAY_WRITE);
1177 if (rc == 0) 1222 if (rc == 0)
1178 return 0; 1223 return 0;
1179 1224
@@ -1204,7 +1249,7 @@ static int smack_task_wait(struct task_struct *p)
1204static void smack_task_to_inode(struct task_struct *p, struct inode *inode) 1249static void smack_task_to_inode(struct task_struct *p, struct inode *inode)
1205{ 1250{
1206 struct inode_smack *isp = inode->i_security; 1251 struct inode_smack *isp = inode->i_security;
1207 isp->smk_inode = p->security; 1252 isp->smk_inode = task_security(p);
1208} 1253}
1209 1254
1210/* 1255/*
@@ -1223,7 +1268,7 @@ static void smack_task_to_inode(struct task_struct *p, struct inode *inode)
1223 */ 1268 */
1224static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) 1269static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags)
1225{ 1270{
1226 char *csp = current->security; 1271 char *csp = current_security();
1227 struct socket_smack *ssp; 1272 struct socket_smack *ssp;
1228 1273
1229 ssp = kzalloc(sizeof(struct socket_smack), gfp_flags); 1274 ssp = kzalloc(sizeof(struct socket_smack), gfp_flags);
@@ -1448,7 +1493,7 @@ static int smack_flags_to_may(int flags)
1448 */ 1493 */
1449static int smack_msg_msg_alloc_security(struct msg_msg *msg) 1494static int smack_msg_msg_alloc_security(struct msg_msg *msg)
1450{ 1495{
1451 msg->security = current->security; 1496 msg->security = current_security();
1452 return 0; 1497 return 0;
1453} 1498}
1454 1499
@@ -1484,7 +1529,7 @@ static int smack_shm_alloc_security(struct shmid_kernel *shp)
1484{ 1529{
1485 struct kern_ipc_perm *isp = &shp->shm_perm; 1530 struct kern_ipc_perm *isp = &shp->shm_perm;
1486 1531
1487 isp->security = current->security; 1532 isp->security = current_security();
1488 return 0; 1533 return 0;
1489} 1534}
1490 1535
@@ -1593,7 +1638,7 @@ static int smack_sem_alloc_security(struct sem_array *sma)
1593{ 1638{
1594 struct kern_ipc_perm *isp = &sma->sem_perm; 1639 struct kern_ipc_perm *isp = &sma->sem_perm;
1595 1640
1596 isp->security = current->security; 1641 isp->security = current_security();
1597 return 0; 1642 return 0;
1598} 1643}
1599 1644
@@ -1697,7 +1742,7 @@ static int smack_msg_queue_alloc_security(struct msg_queue *msq)
1697{ 1742{
1698 struct kern_ipc_perm *kisp = &msq->q_perm; 1743 struct kern_ipc_perm *kisp = &msq->q_perm;
1699 1744
1700 kisp->security = current->security; 1745 kisp->security = current_security();
1701 return 0; 1746 return 0;
1702} 1747}
1703 1748
@@ -1852,7 +1897,7 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
1852 struct super_block *sbp; 1897 struct super_block *sbp;
1853 struct superblock_smack *sbsp; 1898 struct superblock_smack *sbsp;
1854 struct inode_smack *isp; 1899 struct inode_smack *isp;
1855 char *csp = current->security; 1900 char *csp = current_security();
1856 char *fetched; 1901 char *fetched;
1857 char *final; 1902 char *final;
1858 struct dentry *dp; 1903 struct dentry *dp;
@@ -2009,7 +2054,7 @@ static int smack_getprocattr(struct task_struct *p, char *name, char **value)
2009 if (strcmp(name, "current") != 0) 2054 if (strcmp(name, "current") != 0)
2010 return -EINVAL; 2055 return -EINVAL;
2011 2056
2012 cp = kstrdup(p->security, GFP_KERNEL); 2057 cp = kstrdup(task_security(p), GFP_KERNEL);
2013 if (cp == NULL) 2058 if (cp == NULL)
2014 return -ENOMEM; 2059 return -ENOMEM;
2015 2060
@@ -2033,6 +2078,7 @@ static int smack_getprocattr(struct task_struct *p, char *name, char **value)
2033static int smack_setprocattr(struct task_struct *p, char *name, 2078static int smack_setprocattr(struct task_struct *p, char *name,
2034 void *value, size_t size) 2079 void *value, size_t size)
2035{ 2080{
2081 struct cred *new;
2036 char *newsmack; 2082 char *newsmack;
2037 2083
2038 /* 2084 /*
@@ -2055,7 +2101,11 @@ static int smack_setprocattr(struct task_struct *p, char *name,
2055 if (newsmack == NULL) 2101 if (newsmack == NULL)
2056 return -EINVAL; 2102 return -EINVAL;
2057 2103
2058 p->security = newsmack; 2104 new = prepare_creds();
2105 if (!new)
2106 return -ENOMEM;
2107 new->security = newsmack;
2108 commit_creds(new);
2059 return size; 2109 return size;
2060} 2110}
2061 2111
@@ -2288,8 +2338,7 @@ static void smack_sock_graft(struct sock *sk, struct socket *parent)
2288 return; 2338 return;
2289 2339
2290 ssp = sk->sk_security; 2340 ssp = sk->sk_security;
2291 ssp->smk_in = current->security; 2341 ssp->smk_in = ssp->smk_out = current_security();
2292 ssp->smk_out = current->security;
2293 ssp->smk_packet[0] = '\0'; 2342 ssp->smk_packet[0] = '\0';
2294 2343
2295 rc = smack_netlabel(sk); 2344 rc = smack_netlabel(sk);
@@ -2352,17 +2401,17 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
2352/** 2401/**
2353 * smack_key_alloc - Set the key security blob 2402 * smack_key_alloc - Set the key security blob
2354 * @key: object 2403 * @key: object
2355 * @tsk: the task associated with the key 2404 * @cred: the credentials to use
2356 * @flags: unused 2405 * @flags: unused
2357 * 2406 *
2358 * No allocation required 2407 * No allocation required
2359 * 2408 *
2360 * Returns 0 2409 * Returns 0
2361 */ 2410 */
2362static int smack_key_alloc(struct key *key, struct task_struct *tsk, 2411static int smack_key_alloc(struct key *key, const struct cred *cred,
2363 unsigned long flags) 2412 unsigned long flags)
2364{ 2413{
2365 key->security = tsk->security; 2414 key->security = cred->security;
2366 return 0; 2415 return 0;
2367} 2416}
2368 2417
@@ -2380,14 +2429,14 @@ static void smack_key_free(struct key *key)
2380/* 2429/*
2381 * smack_key_permission - Smack access on a key 2430 * smack_key_permission - Smack access on a key
2382 * @key_ref: gets to the object 2431 * @key_ref: gets to the object
2383 * @context: task involved 2432 * @cred: the credentials to use
2384 * @perm: unused 2433 * @perm: unused
2385 * 2434 *
2386 * Return 0 if the task has read and write to the object, 2435 * Return 0 if the task has read and write to the object,
2387 * an error code otherwise 2436 * an error code otherwise
2388 */ 2437 */
2389static int smack_key_permission(key_ref_t key_ref, 2438static int smack_key_permission(key_ref_t key_ref,
2390 struct task_struct *context, key_perm_t perm) 2439 const struct cred *cred, key_perm_t perm)
2391{ 2440{
2392 struct key *keyp; 2441 struct key *keyp;
2393 2442
@@ -2403,10 +2452,10 @@ static int smack_key_permission(key_ref_t key_ref,
2403 /* 2452 /*
2404 * This should not occur 2453 * This should not occur
2405 */ 2454 */
2406 if (context->security == NULL) 2455 if (cred->security == NULL)
2407 return -EACCES; 2456 return -EACCES;
2408 2457
2409 return smk_access(context->security, keyp->security, MAY_READWRITE); 2458 return smk_access(cred->security, keyp->security, MAY_READWRITE);
2410} 2459}
2411#endif /* CONFIG_KEYS */ 2460#endif /* CONFIG_KEYS */
2412 2461
@@ -2577,15 +2626,13 @@ struct security_operations smack_ops = {
2577 .ptrace_may_access = smack_ptrace_may_access, 2626 .ptrace_may_access = smack_ptrace_may_access,
2578 .ptrace_traceme = smack_ptrace_traceme, 2627 .ptrace_traceme = smack_ptrace_traceme,
2579 .capget = cap_capget, 2628 .capget = cap_capget,
2580 .capset_check = cap_capset_check, 2629 .capset = cap_capset,
2581 .capset_set = cap_capset_set,
2582 .capable = cap_capable, 2630 .capable = cap_capable,
2583 .syslog = smack_syslog, 2631 .syslog = smack_syslog,
2584 .settime = cap_settime, 2632 .settime = cap_settime,
2585 .vm_enough_memory = cap_vm_enough_memory, 2633 .vm_enough_memory = cap_vm_enough_memory,
2586 2634
2587 .bprm_apply_creds = cap_bprm_apply_creds, 2635 .bprm_set_creds = cap_bprm_set_creds,
2588 .bprm_set_security = cap_bprm_set_security,
2589 .bprm_secureexec = cap_bprm_secureexec, 2636 .bprm_secureexec = cap_bprm_secureexec,
2590 2637
2591 .sb_alloc_security = smack_sb_alloc_security, 2638 .sb_alloc_security = smack_sb_alloc_security,
@@ -2627,9 +2674,12 @@ struct security_operations smack_ops = {
2627 .file_send_sigiotask = smack_file_send_sigiotask, 2674 .file_send_sigiotask = smack_file_send_sigiotask,
2628 .file_receive = smack_file_receive, 2675 .file_receive = smack_file_receive,
2629 2676
2630 .task_alloc_security = smack_task_alloc_security, 2677 .cred_free = smack_cred_free,
2631 .task_free_security = smack_task_free_security, 2678 .cred_prepare = smack_cred_prepare,
2632 .task_post_setuid = cap_task_post_setuid, 2679 .cred_commit = smack_cred_commit,
2680 .kernel_act_as = smack_kernel_act_as,
2681 .kernel_create_files_as = smack_kernel_create_files_as,
2682 .task_fix_setuid = cap_task_fix_setuid,
2633 .task_setpgid = smack_task_setpgid, 2683 .task_setpgid = smack_task_setpgid,
2634 .task_getpgid = smack_task_getpgid, 2684 .task_getpgid = smack_task_getpgid,
2635 .task_getsid = smack_task_getsid, 2685 .task_getsid = smack_task_getsid,
@@ -2642,7 +2692,6 @@ struct security_operations smack_ops = {
2642 .task_movememory = smack_task_movememory, 2692 .task_movememory = smack_task_movememory,
2643 .task_kill = smack_task_kill, 2693 .task_kill = smack_task_kill,
2644 .task_wait = smack_task_wait, 2694 .task_wait = smack_task_wait,
2645 .task_reparent_to_init = cap_task_reparent_to_init,
2646 .task_to_inode = smack_task_to_inode, 2695 .task_to_inode = smack_task_to_inode,
2647 .task_prctl = cap_task_prctl, 2696 .task_prctl = cap_task_prctl,
2648 2697
@@ -2718,6 +2767,8 @@ struct security_operations smack_ops = {
2718 */ 2767 */
2719static __init int smack_init(void) 2768static __init int smack_init(void)
2720{ 2769{
2770 struct cred *cred;
2771
2721 if (!security_module_enable(&smack_ops)) 2772 if (!security_module_enable(&smack_ops))
2722 return 0; 2773 return 0;
2723 2774
@@ -2726,7 +2777,8 @@ static __init int smack_init(void)
2726 /* 2777 /*
2727 * Set the security state for the initial task. 2778 * Set the security state for the initial task.
2728 */ 2779 */
2729 current->security = &smack_known_floor.smk_known; 2780 cred = (struct cred *) current->cred;
2781 cred->security = &smack_known_floor.smk_known;
2730 2782
2731 /* 2783 /*
2732 * Initialize locks 2784 * Initialize locks
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index c21d8c8bf0c7..ca257dfdc75d 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -336,7 +336,7 @@ static void smk_cipso_doi(void)
336 336
337 audit_info.loginuid = audit_get_loginuid(current); 337 audit_info.loginuid = audit_get_loginuid(current);
338 audit_info.sessionid = audit_get_sessionid(current); 338 audit_info.sessionid = audit_get_sessionid(current);
339 audit_info.secid = smack_to_secid(current->security); 339 audit_info.secid = smack_to_secid(current_security());
340 340
341 rc = netlbl_cfg_map_del(NULL, &audit_info); 341 rc = netlbl_cfg_map_del(NULL, &audit_info);
342 if (rc != 0) 342 if (rc != 0)
@@ -371,7 +371,7 @@ static void smk_unlbl_ambient(char *oldambient)
371 371
372 audit_info.loginuid = audit_get_loginuid(current); 372 audit_info.loginuid = audit_get_loginuid(current);
373 audit_info.sessionid = audit_get_sessionid(current); 373 audit_info.sessionid = audit_get_sessionid(current);
374 audit_info.secid = smack_to_secid(current->security); 374 audit_info.secid = smack_to_secid(current_security());
375 375
376 if (oldambient != NULL) { 376 if (oldambient != NULL) {
377 rc = netlbl_cfg_map_del(oldambient, &audit_info); 377 rc = netlbl_cfg_map_del(oldambient, &audit_info);
@@ -843,7 +843,7 @@ static ssize_t smk_write_onlycap(struct file *file, const char __user *buf,
843 size_t count, loff_t *ppos) 843 size_t count, loff_t *ppos)
844{ 844{
845 char in[SMK_LABELLEN]; 845 char in[SMK_LABELLEN];
846 char *sp = current->security; 846 char *sp = current->cred->security;
847 847
848 if (!capable(CAP_MAC_ADMIN)) 848 if (!capable(CAP_MAC_ADMIN))
849 return -EPERM; 849 return -EPERM;