Commit f9008e4c authored by David Quigley's avatar David Quigley Committed by Linus Torvalds

[PATCH] SELinux: extend task_kill hook to handle signals sent by AIO completion

This patch extends the security_task_kill hook to handle signals sent by AIO
completion.  In this case, the secid of the task responsible for the signal
needs to be obtained and saved earlier, so a security_task_getsecid() hook is
added, and then this saved value is passed subsequently to the extended
task_kill hook for use in checking.
Signed-off-by: default avatarDavid Quigley <dpquigl@tycho.nsa.gov>
Signed-off-by: default avatarJames Morris <jmorris@namei.org>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
parent ed11d9eb
...@@ -567,6 +567,9 @@ struct swap_info_struct; ...@@ -567,6 +567,9 @@ struct swap_info_struct;
* @p. * @p.
* @p contains the task_struct for the process. * @p contains the task_struct for the process.
* Return 0 if permission is granted. * Return 0 if permission is granted.
* @task_getsecid:
* Retrieve the security identifier of the process @p.
* @p contains the task_struct for the process and place is into @secid.
* @task_setgroups: * @task_setgroups:
* Check permission before setting the supplementary group set of the * Check permission before setting the supplementary group set of the
* current process. * current process.
...@@ -615,6 +618,7 @@ struct swap_info_struct; ...@@ -615,6 +618,7 @@ struct swap_info_struct;
* @p contains the task_struct for process. * @p contains the task_struct for process.
* @info contains the signal information. * @info contains the signal information.
* @sig contains the signal value. * @sig contains the signal value.
* @secid contains the sid of the process where the signal originated
* Return 0 if permission is granted. * Return 0 if permission is granted.
* @task_wait: * @task_wait:
* Check permission before allowing a process to reap a child process @p * Check permission before allowing a process to reap a child process @p
...@@ -1219,6 +1223,7 @@ struct security_operations { ...@@ -1219,6 +1223,7 @@ struct security_operations {
int (*task_setpgid) (struct task_struct * p, pid_t pgid); int (*task_setpgid) (struct task_struct * p, pid_t pgid);
int (*task_getpgid) (struct task_struct * p); int (*task_getpgid) (struct task_struct * p);
int (*task_getsid) (struct task_struct * p); int (*task_getsid) (struct task_struct * p);
void (*task_getsecid) (struct task_struct * p, u32 * secid);
int (*task_setgroups) (struct group_info *group_info); int (*task_setgroups) (struct group_info *group_info);
int (*task_setnice) (struct task_struct * p, int nice); int (*task_setnice) (struct task_struct * p, int nice);
int (*task_setioprio) (struct task_struct * p, int ioprio); int (*task_setioprio) (struct task_struct * p, int ioprio);
...@@ -1228,7 +1233,7 @@ struct security_operations { ...@@ -1228,7 +1233,7 @@ struct security_operations {
int (*task_getscheduler) (struct task_struct * p); int (*task_getscheduler) (struct task_struct * p);
int (*task_movememory) (struct task_struct * p); int (*task_movememory) (struct task_struct * p);
int (*task_kill) (struct task_struct * p, int (*task_kill) (struct task_struct * p,
struct siginfo * info, int sig); struct siginfo * info, int sig, u32 secid);
int (*task_wait) (struct task_struct * p); int (*task_wait) (struct task_struct * p);
int (*task_prctl) (int option, unsigned long arg2, int (*task_prctl) (int option, unsigned long arg2,
unsigned long arg3, unsigned long arg4, unsigned long arg3, unsigned long arg4,
...@@ -1839,6 +1844,11 @@ static inline int security_task_getsid (struct task_struct *p) ...@@ -1839,6 +1844,11 @@ static inline int security_task_getsid (struct task_struct *p)
return security_ops->task_getsid (p); return security_ops->task_getsid (p);
} }
static inline void security_task_getsecid (struct task_struct *p, u32 *secid)
{
security_ops->task_getsecid (p, secid);
}
static inline int security_task_setgroups (struct group_info *group_info) static inline int security_task_setgroups (struct group_info *group_info)
{ {
return security_ops->task_setgroups (group_info); return security_ops->task_setgroups (group_info);
...@@ -1878,9 +1888,10 @@ static inline int security_task_movememory (struct task_struct *p) ...@@ -1878,9 +1888,10 @@ static inline int security_task_movememory (struct task_struct *p)
} }
static inline int security_task_kill (struct task_struct *p, static inline int security_task_kill (struct task_struct *p,
struct siginfo *info, int sig) struct siginfo *info, int sig,
u32 secid)
{ {
return security_ops->task_kill (p, info, sig); return security_ops->task_kill (p, info, sig, secid);
} }
static inline int security_task_wait (struct task_struct *p) static inline int security_task_wait (struct task_struct *p)
...@@ -2491,6 +2502,9 @@ static inline int security_task_getsid (struct task_struct *p) ...@@ -2491,6 +2502,9 @@ static inline int security_task_getsid (struct task_struct *p)
return 0; return 0;
} }
static inline void security_task_getsecid (struct task_struct *p, u32 *secid)
{ }
static inline int security_task_setgroups (struct group_info *group_info) static inline int security_task_setgroups (struct group_info *group_info)
{ {
return 0; return 0;
...@@ -2530,7 +2544,8 @@ static inline int security_task_movememory (struct task_struct *p) ...@@ -2530,7 +2544,8 @@ static inline int security_task_movememory (struct task_struct *p)
} }
static inline int security_task_kill (struct task_struct *p, static inline int security_task_kill (struct task_struct *p,
struct siginfo *info, int sig) struct siginfo *info, int sig,
u32 secid)
{ {
return 0; return 0;
} }
......
...@@ -506,6 +506,9 @@ static int dummy_task_getsid (struct task_struct *p) ...@@ -506,6 +506,9 @@ static int dummy_task_getsid (struct task_struct *p)
return 0; return 0;
} }
static void dummy_task_getsecid (struct task_struct *p, u32 *secid)
{ }
static int dummy_task_setgroups (struct group_info *group_info) static int dummy_task_setgroups (struct group_info *group_info)
{ {
return 0; return 0;
...@@ -548,7 +551,7 @@ static int dummy_task_wait (struct task_struct *p) ...@@ -548,7 +551,7 @@ static int dummy_task_wait (struct task_struct *p)
} }
static int dummy_task_kill (struct task_struct *p, struct siginfo *info, static int dummy_task_kill (struct task_struct *p, struct siginfo *info,
int sig) int sig, u32 secid)
{ {
return 0; return 0;
} }
...@@ -981,6 +984,7 @@ void security_fixup_ops (struct security_operations *ops) ...@@ -981,6 +984,7 @@ void security_fixup_ops (struct security_operations *ops)
set_to_dummy_if_null(ops, task_setpgid); set_to_dummy_if_null(ops, task_setpgid);
set_to_dummy_if_null(ops, task_getpgid); set_to_dummy_if_null(ops, task_getpgid);
set_to_dummy_if_null(ops, task_getsid); set_to_dummy_if_null(ops, task_getsid);
set_to_dummy_if_null(ops, task_getsecid);
set_to_dummy_if_null(ops, task_setgroups); set_to_dummy_if_null(ops, task_setgroups);
set_to_dummy_if_null(ops, task_setnice); set_to_dummy_if_null(ops, task_setnice);
set_to_dummy_if_null(ops, task_setioprio); set_to_dummy_if_null(ops, task_setioprio);
......
...@@ -2644,6 +2644,11 @@ static int selinux_task_getsid(struct task_struct *p) ...@@ -2644,6 +2644,11 @@ static int selinux_task_getsid(struct task_struct *p)
return task_has_perm(current, p, PROCESS__GETSESSION); return task_has_perm(current, p, PROCESS__GETSESSION);
} }
static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
{
selinux_get_task_sid(p, secid);
}
static int selinux_task_setgroups(struct group_info *group_info) static int selinux_task_setgroups(struct group_info *group_info)
{ {
/* See the comment for setuid above. */ /* See the comment for setuid above. */
...@@ -2700,12 +2705,14 @@ static int selinux_task_movememory(struct task_struct *p) ...@@ -2700,12 +2705,14 @@ static int selinux_task_movememory(struct task_struct *p)
return task_has_perm(current, p, PROCESS__SETSCHED); return task_has_perm(current, p, PROCESS__SETSCHED);
} }
static int selinux_task_kill(struct task_struct *p, struct siginfo *info, int sig) static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
int sig, u32 secid)
{ {
u32 perm; u32 perm;
int rc; int rc;
struct task_security_struct *tsec;
rc = secondary_ops->task_kill(p, info, sig); rc = secondary_ops->task_kill(p, info, sig, secid);
if (rc) if (rc)
return rc; return rc;
...@@ -2716,8 +2723,12 @@ static int selinux_task_kill(struct task_struct *p, struct siginfo *info, int si ...@@ -2716,8 +2723,12 @@ static int selinux_task_kill(struct task_struct *p, struct siginfo *info, int si
perm = PROCESS__SIGNULL; /* null signal; existence test */ perm = PROCESS__SIGNULL; /* null signal; existence test */
else else
perm = signal_to_av(sig); perm = signal_to_av(sig);
tsec = p->security;
return task_has_perm(current, p, perm); if (secid)
rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
else
rc = task_has_perm(current, p, perm);
return rc;
} }
static int selinux_task_prctl(int option, static int selinux_task_prctl(int option,
...@@ -4434,6 +4445,7 @@ static struct security_operations selinux_ops = { ...@@ -4434,6 +4445,7 @@ static struct security_operations selinux_ops = {
.task_setpgid = selinux_task_setpgid, .task_setpgid = selinux_task_setpgid,
.task_getpgid = selinux_task_getpgid, .task_getpgid = selinux_task_getpgid,
.task_getsid = selinux_task_getsid, .task_getsid = selinux_task_getsid,
.task_getsecid = selinux_task_getsecid,
.task_setgroups = selinux_task_setgroups, .task_setgroups = selinux_task_setgroups,
.task_setnice = selinux_task_setnice, .task_setnice = selinux_task_setnice,
.task_setioprio = selinux_task_setioprio, .task_setioprio = selinux_task_setioprio,
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment