Commit 22fb52dd authored by David Quigley's avatar David Quigley Committed by Linus Torvalds

[PATCH] SELinux: add security hook call to mediate attach_task (kernel/cpuset.c)

Add a security hook call to enable security modules to control the ability
to attach a task to a cpuset.  While limited control over this operation is
possible via permission checks on the pseudo fs interface, those checks are
not sufficient to control access to the target task, which is looked up in
this function.  The existing task_setscheduler hook is re-used for this
operation since this falls under the same class of operations.
Signed-off-by: default avatarDavid Quigley <dpquigl@tycho.nsa.gov>
Acked-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: default avatarJames Morris <jmorris@namei.org>
Acked-by: default avatarPaul Jackson <pj@sgi.com>
Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
parent e7834f8f
...@@ -41,6 +41,7 @@ ...@@ -41,6 +41,7 @@
#include <linux/rcupdate.h> #include <linux/rcupdate.h>
#include <linux/sched.h> #include <linux/sched.h>
#include <linux/seq_file.h> #include <linux/seq_file.h>
#include <linux/security.h>
#include <linux/slab.h> #include <linux/slab.h>
#include <linux/smp_lock.h> #include <linux/smp_lock.h>
#include <linux/spinlock.h> #include <linux/spinlock.h>
...@@ -1177,6 +1178,7 @@ static int attach_task(struct cpuset *cs, char *pidbuf, char **ppathbuf) ...@@ -1177,6 +1178,7 @@ static int attach_task(struct cpuset *cs, char *pidbuf, char **ppathbuf)
cpumask_t cpus; cpumask_t cpus;
nodemask_t from, to; nodemask_t from, to;
struct mm_struct *mm; struct mm_struct *mm;
int retval;
if (sscanf(pidbuf, "%d", &pid) != 1) if (sscanf(pidbuf, "%d", &pid) != 1)
return -EIO; return -EIO;
...@@ -1205,6 +1207,12 @@ static int attach_task(struct cpuset *cs, char *pidbuf, char **ppathbuf) ...@@ -1205,6 +1207,12 @@ static int attach_task(struct cpuset *cs, char *pidbuf, char **ppathbuf)
get_task_struct(tsk); get_task_struct(tsk);
} }
retval = security_task_setscheduler(tsk, 0, NULL);
if (retval) {
put_task_struct(tsk);
return retval;
}
mutex_lock(&callback_mutex); mutex_lock(&callback_mutex);
task_lock(tsk); task_lock(tsk);
......
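Review bot: The new `security_task_setscheduler(tsk, 0, NULL)` call passes placeholder values for the scheduling policy and the sched_param pointer, so any LSM whose task_setscheduler implementation inspects `lp` would dereference NULL when the caller is attach_task() rather than the sched_setscheduler() path; nothing in the hunk records that this is intentional. A comment above the call would make the contract explicit for other LSM authors, e.g. `/* Re-use the setscheduler hook for cpuset attach; policy/lp carry no meaning here, so LSM implementations must tolerate lp == NULL. */` — a dedicated hook would avoid overloading the argument semantics altogether. The error path correctly drops the reference taken by get_task_struct() before returning, and the check sits before callback_mutex is acquired, so no unlock is needed on denial. attach_task() begins and ends outside this hunk, so the surrounding task lookup and DAC checks could not be verified here.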