[PATCH 2/2] SELinux: Add security hook call to mediate attach_task (kernel/cpuset.c)

From: David Quigley <[email protected]>

This patch adds a security hook call to enable security modules to control 
the ability to attach a task to a cpuset.  While limited control over this 
operation is possible via permission checks on the pseudo fs interface, 
those checks are not sufficient to control access to the target task, 
which is looked up in this function.  The existing task_setscheduler hook 
is re-used for this operation since this falls under the same class of 
operations.

This is aimed at 2.6.18 inclusion to cover new code currently unmediated
by SELinux.

Please apply.

Signed-Off-By: David Quigley <[email protected]>
Acked-by:  Stephen Smalley <[email protected]>
Signed-off-by: James Morris <[email protected]>

---

 kernel/cpuset.c |    8 ++++++++
 1 file changed, 8 insertions(+)

diff -uprN -X /home/dpquigl/dontdiff linux-2.6.17-rc6-mm2/kernel/cpuset.c linux-2.6.17-rc6-mm2-attach/kernel/cpuset.c
--- linux-2.6.17-rc6-mm2/kernel/cpuset.c	2006-06-15 09:46:28.000000000 -0400
+++ linux-2.6.17-rc6-mm2-attach/kernel/cpuset.c	2006-06-15 09:52:43.000000000 -0400
@@ -41,6 +41,7 @@
 #include <linux/rcupdate.h>
 #include <linux/sched.h>
 #include <linux/seq_file.h>
+#include <linux/security.h>
 #include <linux/slab.h>
 #include <linux/smp_lock.h>
 #include <linux/spinlock.h>
@@ -1177,6 +1178,7 @@ static int attach_task(struct cpuset *cs
 	cpumask_t cpus;
 	nodemask_t from, to;
 	struct mm_struct *mm;
+	int retval;
 
 	if (sscanf(pidbuf, "%d", &pid) != 1)
 		return -EIO;
@@ -1205,6 +1207,12 @@ static int attach_task(struct cpuset *cs
 		get_task_struct(tsk);
 	}
 
+	retval = security_task_setscheduler(tsk, 0, NULL);
+	if (retval) {
+		put_task_struct(tsk);
+		return retval;
+	}
+
 	mutex_lock(&callback_mutex);
 
 	task_lock(tsk);
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

---

• Follow-Ups:
  • Re: [PATCH 2/2] SELinux: Add security hook call to mediate attach_task (kernel/cpuset.c)
    • From: Paul Jackson <[email protected]>

• References:
  • [PATCH 1/2] SELinux: Add security hooks to {get,set}affinity
    • From: James Morris <[email protected]>

• Prev by Date: Re: [PATCH] Implement kasprintf
• Next by Date: RE: [discuss] Re: [RFC] Whitelist chipsets supporting MSI and check Hyper-transport capabilitiesKJ
• Previous by thread: [PATCH 1/2] SELinux: Add security hooks to {get,set}affinity
• Next by thread: Re: [PATCH 2/2] SELinux: Add security hook call to mediate attach_task (kernel/cpuset.c)
• Index(es):
  • Date
  • Thread

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]