tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

[PATCH] SELinux: add task_movememory hook

This patch adds new security hook, task_movememory, to be called when memory
owened by a task is to be moved (e.g. when migrating pages to a this hook is
identical to the setscheduler implementation, but a separate hook introduced
to allow this check to be specialized in the future if necessary.

Since the last posting, the hook has been renamed following feedback from
Christoph Lameter.

Signed-off-by: David Quigley <dpquigl@tycho.nsa.gov>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
Cc: Christoph Lameter <clameter@sgi.com>
Cc: Andi Kleen <ak@muc.de>
Acked-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

authored by

David Quigley and committed by
Linus Torvalds 35601547 22fb52dd

+27
+15
include/linux/security.h
··· 601 601 * @p. 602 602 * @p contains the task_struct for process. 603 603 * Return 0 if permission is granted. 604 + * @task_movememory 605 + * Check permission before moving memory owned by process @p. 606 + * @p contains the task_struct for process. 607 + * Return 0 if permission is granted. 604 608 * @task_kill: 605 609 * Check permission before sending signal @sig to @p. @info can be NULL, 606 610 * the constant 1, or a pointer to a siginfo structure. If @info is 1 or ··· 1224 1220 int (*task_setscheduler) (struct task_struct * p, int policy, 1225 1221 struct sched_param * lp); 1226 1222 int (*task_getscheduler) (struct task_struct * p); 1223 + int (*task_movememory) (struct task_struct * p); 1227 1224 int (*task_kill) (struct task_struct * p, 1228 1225 struct siginfo * info, int sig); 1229 1226 int (*task_wait) (struct task_struct * p); ··· 1870 1865 return security_ops->task_getscheduler (p); 1871 1866 } 1872 1867 1868 + static inline int security_task_movememory (struct task_struct *p) 1869 + { 1870 + return security_ops->task_movememory (p); 1871 + } 1872 + 1873 1873 static inline int security_task_kill (struct task_struct *p, 1874 1874 struct siginfo *info, int sig) 1875 1875 { ··· 2518 2508 } 2519 2509 2520 2510 static inline int security_task_getscheduler (struct task_struct *p) 2511 + { 2512 + return 0; 2513 + } 2514 + 2515 + static inline int security_task_movememory (struct task_struct *p) 2521 2516 { 2522 2517 return 0; 2523 2518 }
+6
security/dummy.c
··· 537 537 return 0; 538 538 } 539 539 540 + static int dummy_task_movememory (struct task_struct *p) 541 + { 542 + return 0; 543 + } 544 + 540 545 static int dummy_task_wait (struct task_struct *p) 541 546 { 542 547 return 0; ··· 986 981 set_to_dummy_if_null(ops, task_setrlimit); 987 982 set_to_dummy_if_null(ops, task_setscheduler); 988 983 set_to_dummy_if_null(ops, task_getscheduler); 984 + set_to_dummy_if_null(ops, task_movememory); 989 985 set_to_dummy_if_null(ops, task_wait); 990 986 set_to_dummy_if_null(ops, task_kill); 991 987 set_to_dummy_if_null(ops, task_prctl);
+6
security/selinux/hooks.c
··· 2679 2679 return task_has_perm(current, p, PROCESS__GETSCHED); 2680 2680 } 2681 2681 2682 + static int selinux_task_movememory(struct task_struct *p) 2683 + { 2684 + return task_has_perm(current, p, PROCESS__SETSCHED); 2685 + } 2686 + 2682 2687 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, int sig) 2683 2688 { 2684 2689 u32 perm; ··· 4397 4392 .task_setrlimit = selinux_task_setrlimit, 4398 4393 .task_setscheduler = selinux_task_setscheduler, 4399 4394 .task_getscheduler = selinux_task_getscheduler, 4395 + .task_movememory = selinux_task_movememory, 4400 4396 .task_kill = selinux_task_kill, 4401 4397 .task_wait = selinux_task_wait, 4402 4398 .task_prctl = selinux_task_prctl,