rlimits: security, add task_struct to setrlimit
in [Kernel]
|
From: James Morris on 23 Jun 2010 20:00 On Wed, 23 Jun 2010, Jiri Slaby wrote: > From: Jiri Slaby <jirislaby(a)gmail.com> > > Add task_struct to task_setrlimit of security_operations to be able to set > rlimit of task other than current. Given the scope of the changes, I'm not sure which tree these should go into. They affect the security API, so possibly mine. > > Signed-off-by: Jiri Slaby <jirislaby(a)gmail.com> > Acked-by: Eric Paris <eparis(a)redhat.com> > Acked-by: James Morris <jmorris(a)namei.org> > --- > include/linux/security.h | 9 ++++++--- > kernel/sys.c | 2 +- > security/capability.c | 3 ++- > security/security.c | 5 +++-- > security/selinux/hooks.c | 7 ++++--- > 5 files changed, 16 insertions(+), 10 deletions(-) > > diff --git a/include/linux/security.h b/include/linux/security.h > index 5bcb395..a22219a 100644 > --- a/include/linux/security.h > +++ b/include/linux/security.h > @@ -1499,7 +1499,8 @@ struct security_operations { > int (*task_setnice) (struct task_struct *p, int nice); > int (*task_setioprio) (struct task_struct *p, int ioprio); > int (*task_getioprio) (struct task_struct *p); > - int (*task_setrlimit) (unsigned int resource, struct rlimit *new_rlim); > + int (*task_setrlimit) (struct task_struct *p, unsigned int resource, > + struct rlimit *new_rlim); > int (*task_setscheduler) (struct task_struct *p, int policy, > struct sched_param *lp); > int (*task_getscheduler) (struct task_struct *p); > @@ -1749,7 +1750,8 @@ void security_task_getsecid(struct task_struct *p, u32 *secid); > int security_task_setnice(struct task_struct *p, int nice); > int security_task_setioprio(struct task_struct *p, int ioprio); > int security_task_getioprio(struct task_struct *p); > -int security_task_setrlimit(unsigned int resource, struct rlimit *new_rlim); > +int security_task_setrlimit(struct task_struct *p, unsigned int resource, > + struct rlimit *new_rlim); > int security_task_setscheduler(struct task_struct *p, > int policy, struct sched_param *lp); > int security_task_getscheduler(struct task_struct *p); > @@ -2311,7 +2313,8 @@ static inline int security_task_getioprio(struct task_struct *p) > return 0; > } > > -static inline int security_task_setrlimit(unsigned int resource, > +static inline int security_task_setrlimit(struct task_struct *p, > + unsigned int resource, > struct rlimit *new_rlim) > { > return 0; > diff --git a/kernel/sys.c b/kernel/sys.c > index e83ddbb..1ba4522 100644 > --- a/kernel/sys.c > +++ b/kernel/sys.c > @@ -1290,7 +1290,7 @@ SYSCALL_DEFINE2(setrlimit, unsigned int, resource, struct rlimit __user *, rlim) > if (resource == RLIMIT_NOFILE && new_rlim.rlim_max > sysctl_nr_open) > return -EPERM; > > - retval = security_task_setrlimit(resource, &new_rlim); > + retval = security_task_setrlimit(current, resource, &new_rlim); > if (retval) > return retval; > > diff --git a/security/capability.c b/security/capability.c > index 4aeb699..830a213 100644 > --- a/security/capability.c > +++ b/security/capability.c > @@ -411,7 +411,8 @@ static int cap_task_getioprio(struct task_struct *p) > return 0; > } > > -static int cap_task_setrlimit(unsigned int resource, struct rlimit *new_rlim) > +static int cap_task_setrlimit(struct task_struct *p, unsigned int resource, > + struct rlimit *new_rlim) > { > return 0; > } > diff --git a/security/security.c b/security/security.c > index 7461b1b..c53949f 100644 > --- a/security/security.c > +++ b/security/security.c > @@ -780,9 +780,10 @@ int security_task_getioprio(struct task_struct *p) > return security_ops->task_getioprio(p); > } > > -int security_task_setrlimit(unsigned int resource, struct rlimit *new_rlim) > +int security_task_setrlimit(struct task_struct *p, unsigned int resource, > + struct rlimit *new_rlim) > { > - return security_ops->task_setrlimit(resource, new_rlim); > + return security_ops->task_setrlimit(p, resource, new_rlim); > } > > int security_task_setscheduler(struct task_struct *p, > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index 5c9f25b..e3ce6b4 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -3371,16 +3371,17 @@ static int selinux_task_getioprio(struct task_struct *p) > return current_has_perm(p, PROCESS__GETSCHED); > } > > -static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim) > +static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource, > + struct rlimit *new_rlim) > { > - struct rlimit *old_rlim = current->signal->rlim + resource; > + struct rlimit *old_rlim = p->signal->rlim + resource; > > /* Control the ability to change the hard limit (whether > lowering or raising it), so that the hard limit can > later be used as a safe reset point for the soft limit > upon context transitions. See selinux_bprm_committing_creds. */ > if (old_rlim->rlim_max != new_rlim->rlim_max) > - return current_has_perm(current, PROCESS__SETRLIMIT); > + return current_has_perm(p, PROCESS__SETRLIMIT); > > return 0; > } > -- > 1.7.1 > > -- James Morris <jmorris(a)namei.org> -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo(a)vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
From: James Morris on 4 Jul 2010 20:40 On Fri, 2 Jul 2010, Jiri Slaby wrote: > On 06/24/2010 01:58 AM, James Morris wrote: > > On Wed, 23 Jun 2010, Jiri Slaby wrote: > >> Add task_struct to task_setrlimit of security_operations to be able to set > >> rlimit of task other than current. > > > > Given the scope of the changes, I'm not sure which tree these should go > > into. They affect the security API, so possibly mine. > > If there are no objections, could you take it? Or maybe Andrew, if we > persuaded him? A bunch of these patches have no acked-by or reviewed-by, which means they still need to be reviewed. - James -- James Morris <jmorris(a)namei.org> -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo(a)vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
|
Pages: 1 Prev: Samsung S5P SoCs Next: [PATCH v2] block: Don't count_vm_events for discard bio in submit_bio. |