
[PATCH] lsm: add task_setioprio hook

Implement an LSM hook for setting a task's IO priority, similar to the hook
for setting a task's nice value.

A previous version of this LSM hook was included in an older version of
multiadm by Jan Engelhardt, although I don't recall it being submitted
upstream.

Also included is the corresponding SELinux hook, which re-uses the setsched
permission in the process class.

Signed-off-by: James Morris <jmorris@namei.org>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Jan Engelhardt <jengelh@linux01.gwdg.de>
Cc: Chris Wright <chrisw@sous-sol.org>
Cc: Jens Axboe <axboe@suse.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

authored by

James Morris and committed by
Linus Torvalds
03e68060 9216dfad

+34
+6
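--- a/fs/ioprio.c
+++ b/fs/ioprio.c
@@ -24,14 +24,20 @@
 #include <linux/blkdev.h>
 #include <linux/capability.h>
 #include <linux/syscalls.h>
+#include <linux/security.h>
 
 static int set_task_ioprio(struct task_struct *task, int ioprio)
 {
+int err;
 struct io_context *ioc;
 
 if (task->uid != current->euid &&
 task->uid != current->uid && !capable(CAP_SYS_NICE))
 return -EPERM;
+
+err = security_task_setioprio(task, ioprio);
+if (err)
+return err;
 
 task_lock(task);
 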
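Review bot: The new security_task_setioprio() call mediates only the write side, in set_task_ioprio(); if the ioprio_get path (not shown in this hunk) reads another task's I/O priority, it stays outside LSM control and a policy cannot restrict that query. Placing the hook after the uid/CAP_SYS_NICE test and before task_lock() follows the usual DAC-then-LSM order, and a short comment would record that, e.g. `/* DAC passed; let the LSM veto before task state is touched */`. set_task_ioprio() continues past the end of the hunk, so the rest of its body was not reviewed.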
+16
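--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -577,6 +577,11 @@
 * @p contains the task_struct of process.
 * @nice contains the new nice value.
 * Return 0 if permission is granted.
+* @task_setioprio
+* Check permission before setting the ioprio value of @p to @ioprio.
+* @p contains the task_struct of process.
+* @ioprio contains the new ioprio value
+* Return 0 if permission is granted.
 * @task_setrlimit:
 * Check permission before setting the resource limits of the current
 * process for @resource to @new_rlim. The old resource limit values can
@@ -1210,6 +1215,7 @@
 int (*task_getsid) (struct task_struct * p);
 int (*task_setgroups) (struct group_info *group_info);
 int (*task_setnice) (struct task_struct * p, int nice);
+int (*task_setioprio) (struct task_struct * p, int ioprio);
 int (*task_setrlimit) (unsigned int resource, struct rlimit * new_rlim);
 int (*task_setscheduler) (struct task_struct * p, int policy,
 struct sched_param * lp);
@@ -1834,6 +1840,11 @@
 static inline int security_task_setnice (struct task_struct *p, int nice)
 {
 return security_ops->task_setnice (p, nice);
+}
+
+static inline int security_task_setioprio (struct task_struct *p, int ioprio)
+{
+return security_ops->task_setioprio (p, ioprio);
 }
 
 static inline int security_task_setrlimit (unsigned int resource,
@@ -2474,6 +2485,11 @@
 }
 
 static inline int security_task_setnice (struct task_struct *p, int nice)
+{
+return 0;
+}
+
+static inline int security_task_setioprio (struct task_struct *p, int ioprio)
 {
 return 0;
 }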
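Review bot: The kernel-doc entry for the new hook reads `@task_setioprio` without the trailing colon that `@task_setrlimit:` carries a few lines below, and `@ioprio contains the new ioprio value` does not tell a module author what the integer holds. If, as seems likely from the caller, this is the raw syscall value with class and level packed together, the text should say so, because a policy that wants to treat the realtime class differently has to decode it: `@ioprio contains the new ioprio value (class and level packed; decode with IOPRIO_PRIO_CLASS()/IOPRIO_PRIO_DATA()).` The comment block and the ops structure both start and end outside these hunks.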
+6
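--- a/security/dummy.c
+++ b/security/dummy.c
@@ -516,6 +516,11 @@
 return 0;
 }
 
+static int dummy_task_setioprio (struct task_struct *p, int ioprio)
+{
+return 0;
+}
+
 static int dummy_task_setrlimit (unsigned int resource, struct rlimit *new_rlim)
 {
 return 0;
@@ -972,6 +977,7 @@
 set_to_dummy_if_null(ops, task_getsid);
 set_to_dummy_if_null(ops, task_setgroups);
 set_to_dummy_if_null(ops, task_setnice);
+set_to_dummy_if_null(ops, task_setioprio);
 set_to_dummy_if_null(ops, task_setrlimit);
 set_to_dummy_if_null(ops, task_setscheduler);
 set_to_dummy_if_null(ops, task_getscheduler);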
+6
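--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2645,6 +2645,11 @@
 return task_has_perm(current,p, PROCESS__SETSCHED);
 }
 
+static int selinux_task_setioprio(struct task_struct *p, int ioprio)
+{
+return task_has_perm(current, p, PROCESS__SETSCHED);
+}
+
 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
 {
 struct rlimit *old_rlim = current->signal->rlim + resource;
@@ -4383,6 +4388,7 @@
 .task_getsid = selinux_task_getsid,
 .task_setgroups = selinux_task_setgroups,
 .task_setnice = selinux_task_setnice,
+.task_setioprio = selinux_task_setioprio,
 .task_setrlimit = selinux_task_setrlimit,
 .task_setscheduler = selinux_task_setscheduler,
 .task_getscheduler = selinux_task_getscheduler,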
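Review bot: selinux_task_setioprio() ignores its ioprio argument and checks PROCESS__SETSCHED, so policy cannot tell a request for the realtime I/O class from a drop to idle, and any domain already granted setsched on a target gains I/O-priority control with no policy change. The commit message says the reuse is deliberate, which makes this a documentation gap more than a bug. A comment in the function such as `/* no separate permission: I/O priority is covered by setsched; ioprio is intentionally unused */` would keep a later reader from assuming finer-grained checks exist. The ops table in the second hunk starts and ends outside the visible lines.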