Commit 457db29b authored by Baolin Wang's avatar Baolin Wang Committed by John Stultz

security: Introduce security_settime64()

security_settime() uses a timespec, which is not year 2038 safe
on 32bit systems. Thus this patch introduces the security_settime64()
function with timespec64 type. We also convert the cap_settime() helper
function to use the 64bit types.

This patch then moves security_settime() to the header file as an
inline helper function so that existing users can be iteratively
converted.

None of the existing hooks is using the timespec argument and therefor
the patch is not making any functional changes.

Cc: Serge Hallyn <serge.hallyn@canonical.com>,
Cc: James Morris <james.l.morris@oracle.com>,
Cc: "Serge E. Hallyn" <serge@hallyn.com>,
Cc: Paul Moore <pmoore@redhat.com>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Kees Cook <keescook@chromium.org>
Cc: Prarit Bhargava <prarit@redhat.com>
Cc: Richard Cochran <richardcochran@gmail.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@kernel.org>
Reviewed-by: default avatarJames Morris <james.l.morris@oracle.com>
Signed-off-by: default avatarBaolin Wang <baolin.wang@linaro.org>
[jstultz: Reworded commit message]
Signed-off-by: default avatarJohn Stultz <john.stultz@linaro.org>
parent 02fad5e9
...@@ -1190,7 +1190,8 @@ ...@@ -1190,7 +1190,8 @@
* Return 0 if permission is granted. * Return 0 if permission is granted.
* @settime: * @settime:
* Check permission to change the system time. * Check permission to change the system time.
* struct timespec and timezone are defined in include/linux/time.h * struct timespec64 is defined in include/linux/time64.h and timezone
* is defined in include/linux/time.h
* @ts contains new time * @ts contains new time
* @tz contains new timezone * @tz contains new timezone
* Return 0 if permission is granted. * Return 0 if permission is granted.
...@@ -1327,7 +1328,7 @@ union security_list_options { ...@@ -1327,7 +1328,7 @@ union security_list_options {
int (*quotactl)(int cmds, int type, int id, struct super_block *sb); int (*quotactl)(int cmds, int type, int id, struct super_block *sb);
int (*quota_on)(struct dentry *dentry); int (*quota_on)(struct dentry *dentry);
int (*syslog)(int type); int (*syslog)(int type);
int (*settime)(const struct timespec *ts, const struct timezone *tz); int (*settime)(const struct timespec64 *ts, const struct timezone *tz);
int (*vm_enough_memory)(struct mm_struct *mm, long pages); int (*vm_enough_memory)(struct mm_struct *mm, long pages);
int (*bprm_set_creds)(struct linux_binprm *bprm); int (*bprm_set_creds)(struct linux_binprm *bprm);
......
...@@ -71,7 +71,7 @@ struct timezone; ...@@ -71,7 +71,7 @@ struct timezone;
/* These functions are in security/commoncap.c */ /* These functions are in security/commoncap.c */
extern int cap_capable(const struct cred *cred, struct user_namespace *ns, extern int cap_capable(const struct cred *cred, struct user_namespace *ns,
int cap, int audit); int cap, int audit);
extern int cap_settime(const struct timespec *ts, const struct timezone *tz); extern int cap_settime(const struct timespec64 *ts, const struct timezone *tz);
extern int cap_ptrace_access_check(struct task_struct *child, unsigned int mode); extern int cap_ptrace_access_check(struct task_struct *child, unsigned int mode);
extern int cap_ptrace_traceme(struct task_struct *parent); extern int cap_ptrace_traceme(struct task_struct *parent);
extern int cap_capget(struct task_struct *target, kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted); extern int cap_capget(struct task_struct *target, kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted);
...@@ -208,7 +208,13 @@ int security_capable_noaudit(const struct cred *cred, struct user_namespace *ns, ...@@ -208,7 +208,13 @@ int security_capable_noaudit(const struct cred *cred, struct user_namespace *ns,
int security_quotactl(int cmds, int type, int id, struct super_block *sb); int security_quotactl(int cmds, int type, int id, struct super_block *sb);
int security_quota_on(struct dentry *dentry); int security_quota_on(struct dentry *dentry);
int security_syslog(int type); int security_syslog(int type);
int security_settime(const struct timespec *ts, const struct timezone *tz); int security_settime64(const struct timespec64 *ts, const struct timezone *tz);
static inline int security_settime(const struct timespec *ts, const struct timezone *tz)
{
struct timespec64 ts64 = timespec_to_timespec64(*ts);
return security_settime64(&ts64, tz);
}
int security_vm_enough_memory_mm(struct mm_struct *mm, long pages); int security_vm_enough_memory_mm(struct mm_struct *mm, long pages);
int security_bprm_set_creds(struct linux_binprm *bprm); int security_bprm_set_creds(struct linux_binprm *bprm);
int security_bprm_check(struct linux_binprm *bprm); int security_bprm_check(struct linux_binprm *bprm);
...@@ -462,10 +468,18 @@ static inline int security_syslog(int type) ...@@ -462,10 +468,18 @@ static inline int security_syslog(int type)
return 0; return 0;
} }
static inline int security_settime64(const struct timespec64 *ts,
const struct timezone *tz)
{
return cap_settime(ts, tz);
}
static inline int security_settime(const struct timespec *ts, static inline int security_settime(const struct timespec *ts,
const struct timezone *tz) const struct timezone *tz)
{ {
return cap_settime(ts, tz); struct timespec64 ts64 = timespec_to_timespec64(*ts);
return cap_settime(&ts64, tz);
} }
static inline int security_vm_enough_memory_mm(struct mm_struct *mm, long pages) static inline int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)
......
...@@ -111,7 +111,7 @@ int cap_capable(const struct cred *cred, struct user_namespace *targ_ns, ...@@ -111,7 +111,7 @@ int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
* Determine whether the current process may set the system clock and timezone * Determine whether the current process may set the system clock and timezone
* information, returning 0 if permission granted, -ve if denied. * information, returning 0 if permission granted, -ve if denied.
*/ */
int cap_settime(const struct timespec *ts, const struct timezone *tz) int cap_settime(const struct timespec64 *ts, const struct timezone *tz)
{ {
if (!capable(CAP_SYS_TIME)) if (!capable(CAP_SYS_TIME))
return -EPERM; return -EPERM;
......
...@@ -208,7 +208,7 @@ int security_syslog(int type) ...@@ -208,7 +208,7 @@ int security_syslog(int type)
return call_int_hook(syslog, 0, type); return call_int_hook(syslog, 0, type);
} }
int security_settime(const struct timespec *ts, const struct timezone *tz) int security_settime64(const struct timespec64 *ts, const struct timezone *tz)
{ {
return call_int_hook(settime, 0, ts, tz); return call_int_hook(settime, 0, ts, tz);
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment