--- David Howells <dhowells@xxxxxxxxxx> wrote: > Remove the temporarily embedded task security record from task_struct. > Instead > it is made to dangle from the task_struct::sec and task_struct::act_as > pointers > with references counted for each. > > ... > > The LSM hooks for dealing with task security are modified to deal with the > task > security struct directly rather than going via the task_struct as appopriate. > > ... > diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c > index a49d94f..dbce607 100644 > --- a/security/smack/smack_lsm.c > +++ b/security/smack/smack_lsm.c > @@ -957,9 +957,22 @@ static int smack_task_alloc_security(struct task_struct > *tsk) > * points to an immutable list. The blobs never go away. > * There is no leak here. > */ > -static void smack_task_free_security(struct task_struct *task) > +static void smack_task_free_security(struct task_security *sec) > { > - task->sec->security = NULL; > + sec->security = NULL; > +} > + > +/** > + * task_dup_security - Duplicate task security > + * @p points to the task_security struct that has been copied > + * > + * Duplicate the security structure currently attached to the p->security > field > + * and attach back to p->security (the pointer itself was copied, so there's > + * nothing to be done here). > + */ > +static int smack_task_dup_security(struct task_security *sec) > +{ > + return 0; > } Thank you for adding this hook. The comment is helpful. > /** > @@ -2276,17 +2289,17 @@ static int smack_inet_conn_request(struct sock *sk, > struct sk_buff *skb, > /** > * smack_key_alloc - Set the key security blob > * @key: object > - * @tsk: the task associated with the key > + * @context: the task security associated with the key > * @flags: unused > * > * No allocation required > * > * Returns 0 > */ > -static int smack_key_alloc(struct key *key, struct task_struct *tsk, > +static int smack_key_alloc(struct key *key, struct task_security *context, > unsigned long flags) > { > - key->security = tsk->act_as->security; > + key->security = context->security; > return 0; > } > > @@ -2304,14 +2317,14 @@ static void smack_key_free(struct key *key) > /* > * smack_key_permission - Smack access on a key > * @key_ref: gets to the object > - * @context: task involved > + * @context: task security involved > * @perm: unused > * > * Return 0 if the task has read and write to the object, > * an error code otherwise > */ > static int smack_key_permission(key_ref_t key_ref, > - struct task_struct *context, key_perm_t perm) > + struct task_security *context, key_perm_t perm) > { > struct key *keyp; > > @@ -2327,10 +2340,10 @@ static int smack_key_permission(key_ref_t key_ref, > /* > * This should not occur > */ > - if (context->act_as->security == NULL) > + if (context->security == NULL) > return -EACCES; > > - return smk_access(context->act_as->security, keyp->security, > + return smk_access(context->security, keyp->security, > MAY_READWRITE); > } > #endif /* CONFIG_KEYS */ > @@ -2430,6 +2443,7 @@ static struct security_operations smack_ops = { > > .task_alloc_security = smack_task_alloc_security, > .task_free_security = smack_task_free_security, > + .task_dup_security = smack_task_dup_security, > .task_post_setuid = cap_task_post_setuid, > .task_setpgid = smack_task_setpgid, > .task_getpgid = smack_task_getpgid, No objections from the Smack side. Thank you. Casey Schaufler casey@xxxxxxxxxxxxxxxx - To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html