The patch titled
lsm: add task_setioprio hook
has been removed from the -mm tree. Its filename is
lsm-add-task_setioprio-hook.patch
This patch was dropped because it was merged into mainline or a subsystem tree
------------------------------------------------------
Subject: lsm: add task_setioprio hook
From: James Morris <jmorris@xxxxxxxxx>
Implement an LSM hook for setting a task's IO priority, similar to the hook
for setting a tasks's nice value.
A previous version of this LSM hook was included in an older version of
multiadm by Jan Engelhardt, although I don't recall it being submitted
upstream.
Also included is the corresponding SELinux hook, which re-uses the setsched
permission in the proccess class.
Signed-off-by: James Morris <jmorris@xxxxxxxxx>
Acked-by: Stephen Smalley <sds@xxxxxxxxxxxxx>
Cc: Jan Engelhardt <jengelh@xxxxxxxxxxxxxxx>
Cc: Chris Wright <chrisw@xxxxxxxxxxxx>
Cc: Jens Axboe <axboe@xxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxx>
---
fs/ioprio.c | 6 ++++++
include/linux/security.h | 16 ++++++++++++++++
security/dummy.c | 6 ++++++
security/selinux/hooks.c | 6 ++++++
4 files changed, 34 insertions(+)
diff -puN fs/ioprio.c~lsm-add-task_setioprio-hook fs/ioprio.c
--- a/fs/ioprio.c~lsm-add-task_setioprio-hook
+++ a/fs/ioprio.c
@@ -24,15 +24,21 @@
#include <linux/blkdev.h>
#include <linux/capability.h>
#include <linux/syscalls.h>
+#include <linux/security.h>
static int set_task_ioprio(struct task_struct *task, int ioprio)
{
+ int err;
struct io_context *ioc;
if (task->uid != current->euid &&
task->uid != current->uid && !capable(CAP_SYS_NICE))
return -EPERM;
+ err = security_task_setioprio(task, ioprio);
+ if (err)
+ return err;
+
task_lock(task);
task->ioprio = ioprio;
diff -puN include/linux/security.h~lsm-add-task_setioprio-hook include/linux/security.h
--- a/include/linux/security.h~lsm-add-task_setioprio-hook
+++ a/include/linux/security.h
@@ -577,6 +577,11 @@ struct swap_info_struct;
* @p contains the task_struct of process.
* @nice contains the new nice value.
* Return 0 if permission is granted.
+ * @task_setioprio
+ * Check permission before setting the ioprio value of @p to @ioprio.
+ * @p contains the task_struct of process.
+ * @ioprio contains the new ioprio value
+ * Return 0 if permission is granted.
* @task_setrlimit:
* Check permission before setting the resource limits of the current
* process for @resource to @new_rlim. The old resource limit values can
@@ -1210,6 +1215,7 @@ struct security_operations {
int (*task_getsid) (struct task_struct * p);
int (*task_setgroups) (struct group_info *group_info);
int (*task_setnice) (struct task_struct * p, int nice);
+ int (*task_setioprio) (struct task_struct * p, int ioprio);
int (*task_setrlimit) (unsigned int resource, struct rlimit * new_rlim);
int (*task_setscheduler) (struct task_struct * p, int policy,
struct sched_param * lp);
@@ -1836,6 +1842,11 @@ static inline int security_task_setnice
return security_ops->task_setnice (p, nice);
}
+static inline int security_task_setioprio (struct task_struct *p, int ioprio)
+{
+ return security_ops->task_setioprio (p, ioprio);
+}
+
static inline int security_task_setrlimit (unsigned int resource,
struct rlimit *new_rlim)
{
@@ -2478,6 +2489,11 @@ static inline int security_task_setnice
return 0;
}
+static inline int security_task_setioprio (struct task_struct *p, int ioprio)
+{
+ return 0;
+}
+
static inline int security_task_setrlimit (unsigned int resource,
struct rlimit *new_rlim)
{
diff -puN security/dummy.c~lsm-add-task_setioprio-hook security/dummy.c
--- a/security/dummy.c~lsm-add-task_setioprio-hook
+++ a/security/dummy.c
@@ -516,6 +516,11 @@ static int dummy_task_setnice (struct ta
return 0;
}
+static int dummy_task_setioprio (struct task_struct *p, int ioprio)
+{
+ return 0;
+}
+
static int dummy_task_setrlimit (unsigned int resource, struct rlimit *new_rlim)
{
return 0;
@@ -972,6 +977,7 @@ void security_fixup_ops (struct security
set_to_dummy_if_null(ops, task_getsid);
set_to_dummy_if_null(ops, task_setgroups);
set_to_dummy_if_null(ops, task_setnice);
+ set_to_dummy_if_null(ops, task_setioprio);
set_to_dummy_if_null(ops, task_setrlimit);
set_to_dummy_if_null(ops, task_setscheduler);
set_to_dummy_if_null(ops, task_getscheduler);
diff -puN security/selinux/hooks.c~lsm-add-task_setioprio-hook security/selinux/hooks.c
--- a/security/selinux/hooks.c~lsm-add-task_setioprio-hook
+++ a/security/selinux/hooks.c
@@ -2645,6 +2645,11 @@ static int selinux_task_setnice(struct t
return task_has_perm(current,p, PROCESS__SETSCHED);
}
+static int selinux_task_setioprio(struct task_struct *p, int ioprio)
+{
+ return task_has_perm(current, p, PROCESS__SETSCHED);
+}
+
static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
{
struct rlimit *old_rlim = current->signal->rlim + resource;
@@ -4383,6 +4388,7 @@ static struct security_operations selinu
.task_getsid = selinux_task_getsid,
.task_setgroups = selinux_task_setgroups,
.task_setnice = selinux_task_setnice,
+ .task_setioprio = selinux_task_setioprio,
.task_setrlimit = selinux_task_setrlimit,
.task_setscheduler = selinux_task_setscheduler,
.task_getscheduler = selinux_task_getscheduler,
_
Patches currently in -mm which might be from jmorris@xxxxxxxxx are
origin.patch
keys-allocate-key-serial-numbers-randomly.patch
keys-restrict-contents-of-proc-keys-to-viewable-keys.patch
keys-add-a-way-to-store-the-appropriate-context-for-newly-created-keys.patch
proc-cleanup-proc_fd_access_allowed.patch
selinux-add-sockcreate-node-to-procattr-api.patch
-
To unsubscribe from this list: send the line "unsubscribe mm-commits" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
