+ selinux-add-security-hook-call-to-mediate-attach_task.patch added to -mm tree

akpm@xxxxxxxx · Tue, 20 Jun 2006 21:44:44 -0700

The patch titled

     SELinux: add security hook call to mediate attach_task (kernel/cpuset.c)

has been added to the -mm tree.  Its filename is

     selinux-add-security-hook-call-to-mediate-attach_task.patch

See http://www.zip.com.au/~akpm/linux/patches/stuff/added-to-mm.txt to find
out what to do about this

------------------------------------------------------
Subject: SELinux: add security hook call to mediate attach_task (kernel/cpuset.c)
From: David Quigley <dpquigl@xxxxxxxxxxxxx>


Add a security hook call to enable security modules to control the ability
to attach a task to a cpuset.  While limited control over this operation is
possible via permission checks on the pseudo fs interface, those checks are
not sufficient to control access to the target task, which is looked up in
this function.  The existing task_setscheduler hook is re-used for this
operation since this falls under the same class of operations.

Signed-off-by: David Quigley <dpquigl@xxxxxxxxxxxxx>
Acked-by:  Stephen Smalley <sds@xxxxxxxxxxxxx>
Signed-off-by: James Morris <jmorris@xxxxxxxxx>
Cc: Paul Jackson <pj@xxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxx>
---

 kernel/cpuset.c |    8 ++++++++
 1 file changed, 8 insertions(+)

diff -puN kernel/cpuset.c~selinux-add-security-hook-call-to-mediate-attach_task kernel/cpuset.c

--- a/kernel/cpuset.c~selinux-add-security-hook-call-to-mediate-attach_task
+++ a/kernel/cpuset.c
@@ -41,6 +41,7 @@
 #include <linux/rcupdate.h>
 #include <linux/sched.h>
 #include <linux/seq_file.h>
+#include <linux/security.h>
 #include <linux/slab.h>
 #include <linux/smp_lock.h>
 #include <linux/spinlock.h>
@@ -1177,6 +1178,7 @@ static int attach_task(struct cpuset *cs
 	cpumask_t cpus;
 	nodemask_t from, to;
 	struct mm_struct *mm;
+	int retval;
 
 	if (sscanf(pidbuf, "%d", &pid) != 1)
 		return -EIO;
@@ -1205,6 +1207,12 @@ static int attach_task(struct cpuset *cs
 		get_task_struct(tsk);
 	}
 
+	retval = security_task_setscheduler(tsk, 0, NULL);
+	if (retval) {
+		put_task_struct(tsk);
+		return retval;
+	}
+
 	mutex_lock(&callback_mutex);
 
 	task_lock(tsk);
_

Patches currently in -mm which might be from dpquigl@xxxxxxxxxxxxx are

selinux-add-security-hooks-to-getsetaffinity.patch
selinux-add-security-hook-call-to-mediate-attach_task.patch

-
To unsubscribe from this list: send the line "unsubscribe mm-commits" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




