Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

[PATCH] SELinux: add security hook call to mediate attach_task (kernel/cpuset.c)

Add a security hook call to enable security modules to control the ability
to attach a task to a cpuset. While limited control over this operation is
possible via permission checks on the pseudo fs interface, those checks are
not sufficient to control access to the target task, which is looked up in
this function. The existing task_setscheduler hook is re-used for this
operation since this falls under the same class of operations.

Signed-off-by: David Quigley <dpquigl@tycho.nsa.gov>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
Acked-by: Paul Jackson <pj@sgi.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

Authored by David Quigley and committed by Linus Torvalds
22fb52dd e7834f8f

+8
kernel/cpuset.c
··· 41 41 #include <linux/rcupdate.h> 42 42 #include <linux/sched.h> 43 43 #include <linux/seq_file.h> 44 + #include <linux/security.h> 44 45 #include <linux/slab.h> 45 46 #include <linux/smp_lock.h> 46 47 #include <linux/spinlock.h> ··· 1178 1177 cpumask_t cpus; 1179 1178 nodemask_t from, to; 1180 1179 struct mm_struct *mm; 1180 + int retval; 1181 1181 1182 1182 if (sscanf(pidbuf, "%d", &pid) != 1) 1183 1183 return -EIO; ··· 1205 1203 } else { 1206 1204 tsk = current; 1207 1205 get_task_struct(tsk); 1206 + } 1207 + 1208 + retval = security_task_setscheduler(tsk, 0, NULL); 1209 + if (retval) { 1210 + put_task_struct(tsk); 1211 + return retval; 1208 1212 } 1209 1213 1210 1214 mutex_lock(&callback_mutex);
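Review bot: The call `security_task_setscheduler(tsk, 0, NULL)` in the last hunk passes a placeholder policy of 0 and a NULL param with no comment at the call site, so a reader of kernel/cpuset.c cannot tell that the setscheduler hook is being reused here to mediate cpuset attachment. A short comment above the call saying so, and noting that hook implementations see a NULL param on this path and must not dereference it, would make the intent clear. The error path itself looks balanced: the check runs after the task reference is taken (the visible `else` branch calls `get_task_struct(tsk)`) and before `mutex_lock(&callback_mutex)`, so `put_task_struct(tsk)` is the only cleanup the early return needs.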