| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 24 Jun 2010 09:58:45 +1000 (EST)
From: James Morris <jmorris@...ei.org>
To: Jiri Slaby <jslaby@...e.cz>
cc: jirislaby@...il.com, Oleg Nesterov <oleg@...hat.com>,
akpm@...ux-foundation.org, adobriyan@...il.com,
nhorman@...driver.com, Stephen Smalley <sds@...ho.nsa.gov>,
Eric Paris <eparis@...isplace.org>,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH v4 01/12] rlimits: security, add task_struct to
setrlimit
On Wed, 23 Jun 2010, Jiri Slaby wrote:
> From: Jiri Slaby <jirislaby@...il.com>
>
> Add task_struct to task_setrlimit of security_operations to be able to set
> rlimit of task other than current.
Given the scope of the changes, I'm not sure which tree these should go
into. They affect the security API, so possibly mine.
>
> Signed-off-by: Jiri Slaby <jirislaby@...il.com>
> Acked-by: Eric Paris <eparis@...hat.com>
> Acked-by: James Morris <jmorris@...ei.org>
> ---
> include/linux/security.h | 9 ++++++---
> kernel/sys.c | 2 +-
> security/capability.c | 3 ++-
> security/security.c | 5 +++--
> security/selinux/hooks.c | 7 ++++---
> 5 files changed, 16 insertions(+), 10 deletions(-)
>
> diff --git a/include/linux/security.h b/include/linux/security.h
> index 5bcb395..a22219a 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -1499,7 +1499,8 @@ struct security_operations {
> int (*task_setnice) (struct task_struct *p, int nice);
> int (*task_setioprio) (struct task_struct *p, int ioprio);
> int (*task_getioprio) (struct task_struct *p);
> - int (*task_setrlimit) (unsigned int resource, struct rlimit *new_rlim);
> + int (*task_setrlimit) (struct task_struct *p, unsigned int resource,
> + struct rlimit *new_rlim);
> int (*task_setscheduler) (struct task_struct *p, int policy,
> struct sched_param *lp);
> int (*task_getscheduler) (struct task_struct *p);
> @@ -1749,7 +1750,8 @@ void security_task_getsecid(struct task_struct *p, u32 *secid);
> int security_task_setnice(struct task_struct *p, int nice);
> int security_task_setioprio(struct task_struct *p, int ioprio);
> int security_task_getioprio(struct task_struct *p);
> -int security_task_setrlimit(unsigned int resource, struct rlimit *new_rlim);
> +int security_task_setrlimit(struct task_struct *p, unsigned int resource,
> + struct rlimit *new_rlim);
> int security_task_setscheduler(struct task_struct *p,
> int policy, struct sched_param *lp);
> int security_task_getscheduler(struct task_struct *p);
> @@ -2311,7 +2313,8 @@ static inline int security_task_getioprio(struct task_struct *p)
> return 0;
> }
>
> -static inline int security_task_setrlimit(unsigned int resource,
> +static inline int security_task_setrlimit(struct task_struct *p,
> + unsigned int resource,
> struct rlimit *new_rlim)
> {
> return 0;
> diff --git a/kernel/sys.c b/kernel/sys.c
> index e83ddbb..1ba4522 100644
> --- a/kernel/sys.c
> +++ b/kernel/sys.c
> @@ -1290,7 +1290,7 @@ SYSCALL_DEFINE2(setrlimit, unsigned int, resource, struct rlimit __user *, rlim)
> if (resource == RLIMIT_NOFILE && new_rlim.rlim_max > sysctl_nr_open)
> return -EPERM;
>
> - retval = security_task_setrlimit(resource, &new_rlim);
> + retval = security_task_setrlimit(current, resource, &new_rlim);
> if (retval)
> return retval;
>
> diff --git a/security/capability.c b/security/capability.c
> index 4aeb699..830a213 100644
> --- a/security/capability.c
> +++ b/security/capability.c
> @@ -411,7 +411,8 @@ static int cap_task_getioprio(struct task_struct *p)
> return 0;
> }
>
> -static int cap_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
> +static int cap_task_setrlimit(struct task_struct *p, unsigned int resource,
> + struct rlimit *new_rlim)
> {
> return 0;
> }
> diff --git a/security/security.c b/security/security.c
> index 7461b1b..c53949f 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -780,9 +780,10 @@ int security_task_getioprio(struct task_struct *p)
> return security_ops->task_getioprio(p);
> }
>
> -int security_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
> +int security_task_setrlimit(struct task_struct *p, unsigned int resource,
> + struct rlimit *new_rlim)
> {
> - return security_ops->task_setrlimit(resource, new_rlim);
> + return security_ops->task_setrlimit(p, resource, new_rlim);
> }
>
> int security_task_setscheduler(struct task_struct *p,
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 5c9f25b..e3ce6b4 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -3371,16 +3371,17 @@ static int selinux_task_getioprio(struct task_struct *p)
> return current_has_perm(p, PROCESS__GETSCHED);
> }
>
> -static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
> +static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
> + struct rlimit *new_rlim)
> {
> - struct rlimit *old_rlim = current->signal->rlim + resource;
> + struct rlimit *old_rlim = p->signal->rlim + resource;
>
> /* Control the ability to change the hard limit (whether
> lowering or raising it), so that the hard limit can
> later be used as a safe reset point for the soft limit
> upon context transitions. See selinux_bprm_committing_creds. */
> if (old_rlim->rlim_max != new_rlim->rlim_max)
> - return current_has_perm(current, PROCESS__SETRLIMIT);
> + return current_has_perm(p, PROCESS__SETRLIMIT);
>
> return 0;
> }
> --
> 1.7.1
>
>
--
James Morris
<jmorris@...ei.org>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists