[PATCH 1/3] SELinux: Add security hook definitions for setmempolicy


 



From: David Quigley <[email protected]>

This patch adds new security hook definitions for the setmempolicy 
operation (currently unmediated by SELinux).  At present, the SELinux hook 
function implementation for this hook is identical to the setscheduler 
implementation, but a separate hook is introduced so that this check can be 
specialized in the future if necessary.

This patch is aimed at 2.6.18 inclusion.

Please apply.

Signed-Off-By: David Quigley <[email protected]>
Acked-by:  Stephen Smalley <[email protected]>
Signed-off-by: James Morris <[email protected]>

---

 include/linux/security.h |   16 ++++++++++++++++
 security/dummy.c         |    6 ++++++
 security/selinux/hooks.c |    6 ++++++
 3 files changed, 28 insertions(+)

diff -purN -X dontdiff linux-2.6.17-mm1.p/include/linux/security.h linux-2.6.17-mm1.w/include/linux/security.h
--- linux-2.6.17-mm1.p/include/linux/security.h	2006-06-21 11:54:11.000000000 -0400
+++ linux-2.6.17-mm1.w/include/linux/security.h	2006-06-21 12:30:11.000000000 -0400
@@ -601,6 +601,11 @@ struct swap_info_struct;
  *	@p.
  *	@p contains the task_struct for process.
  *	Return 0 if permission is granted.
+ * @task_setmempolicy
+ *	Check permission before setting memory policy and/or parameters of
+ *	process @p.
+ *	@p contains the task_struct for process.
+ *	Return 0 if permission is granted.
  * @task_kill:
  *	Check permission before sending signal @sig to @p.  @info can be NULL,
  *	the constant 1, or a pointer to a siginfo structure.  If @info is 1 or
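Review bot: The new kernel-doc entry `+ * @task_setmempolicy` lacks the trailing colon that every neighbouring entry (`@task_kill:`) carries, so the line should read `+ * @task_setmempolicy:`. The wording "memory policy and/or parameters" also reads as a copy of the setscheduler entry rather than a description of this hook; since the prototype takes only @p, `Check permission before setting the memory policy of process @p.` would be more precise. The enclosing comment block starts and ends outside the hunk.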
@@ -1221,6 +1226,7 @@ struct security_operations {
 	int (*task_setscheduler) (struct task_struct * p, int policy,
 				  struct sched_param * lp);
 	int (*task_getscheduler) (struct task_struct * p);
+	int (*task_setmempolicy) (struct task_struct * p); 
 	int (*task_kill) (struct task_struct * p,
 			  struct siginfo * info, int sig);
 	int (*task_wait) (struct task_struct * p);
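Review bot: The added prototype line `int (*task_setmempolicy) (struct task_struct * p); ` carries trailing whitespace after the semicolon, which checkpatch-style review would flag and which none of the neighbouring members have. Dropping the trailing space, `int (*task_setmempolicy) (struct task_struct * p);`, keeps the struct consistent. The `struct security_operations` definition continues outside the hunk.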
@@ -1866,6 +1872,11 @@ static inline int security_task_getsched
 	return security_ops->task_getscheduler (p);
 }
 
+static inline int security_task_setmempolicy (struct task_struct *p)
+{
+	return security_ops->task_setmempolicy (p);
+}
+
 static inline int security_task_kill (struct task_struct *p,
 				      struct siginfo *info, int sig)
 {
@@ -2513,6 +2524,11 @@ static inline int security_task_getsched
 	return 0;
 }
 
+static inline int security_task_setmempolicy (struct task_struct *p)
+{
+	return 0;
+}
+
 static inline int security_task_kill (struct task_struct *p,
 				      struct siginfo *info, int sig)
 {
diff -purN -X dontdiff linux-2.6.17-mm1.p/security/dummy.c linux-2.6.17-mm1.w/security/dummy.c
--- linux-2.6.17-mm1.p/security/dummy.c	2006-06-21 11:54:12.000000000 -0400
+++ linux-2.6.17-mm1.w/security/dummy.c	2006-06-21 12:30:11.000000000 -0400
@@ -537,6 +537,11 @@ static int dummy_task_getscheduler (stru
 	return 0;
 }
 
+static int dummy_task_setmempolicy (struct task_struct *p)
+{
+	return 0;
+}
+
 static int dummy_task_wait (struct task_struct *p)
 {
 	return 0;
@@ -982,6 +987,7 @@ void security_fixup_ops (struct security
 	set_to_dummy_if_null(ops, task_setrlimit);
 	set_to_dummy_if_null(ops, task_setscheduler);
 	set_to_dummy_if_null(ops, task_getscheduler);
+	set_to_dummy_if_null(ops, task_setmempolicy);
 	set_to_dummy_if_null(ops, task_wait);
 	set_to_dummy_if_null(ops, task_kill);
 	set_to_dummy_if_null(ops, task_prctl);
diff -purN -X dontdiff linux-2.6.17-mm1.p/security/selinux/hooks.c linux-2.6.17-mm1.w/security/selinux/hooks.c
--- linux-2.6.17-mm1.p/security/selinux/hooks.c	2006-06-21 11:54:12.000000000 -0400
+++ linux-2.6.17-mm1.w/security/selinux/hooks.c	2006-06-21 12:30:11.000000000 -0400
@@ -2690,6 +2690,11 @@ static int selinux_task_getscheduler(str
 	return task_has_perm(current, p, PROCESS__GETSCHED);
 }
 
+static int selinux_task_setmempolicy(struct task_struct *p)
+{
+	return task_has_perm(current, p, PROCESS__SETSCHED);
+}
+
 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, int sig)
 {
 	u32 perm;
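Review bot: selinux_task_setmempolicy reuses PROCESS__SETSCHED, so policy cannot grant or deny memory-policy changes separately from scheduler changes; the commit message says this is deliberate, but the code itself does not, and a later reader of hooks.c will not see the commit message. A one-line comment above the call, `/* Deliberately shares PROCESS__SETSCHED with setscheduler; split out a dedicated permission if policy needs to distinguish them. */`, records that intent where it will be read. This patch adds the hook but no call site for security_task_setmempolicy; presumably a later patch in the series wires it into the mempolicy syscalls, which is worth confirming so the hook does not land unreferenced.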
@@ -4416,6 +4421,7 @@ static struct security_operations selinu
 	.task_setrlimit =		selinux_task_setrlimit,
 	.task_setscheduler =		selinux_task_setscheduler,
 	.task_getscheduler =		selinux_task_getscheduler,
+	.task_setmempolicy =		selinux_task_setmempolicy,
 	.task_kill =			selinux_task_kill,
 	.task_wait =			selinux_task_wait,
 	.task_prctl =			selinux_task_prctl,
-
