From: Serge Hallyn <serue@us.ibm.com>
To: linux-kernel@vger.kernel.org
Cc: Hubertus Franke <frankeh@watson.ibm.com>,
Cedric Le Goater <clg@fr.ibm.com>,
Dave Hansen <haveblue@us.ibm.com>,
Serge E Hallyn <serue@us.ibm.com>
Subject: RFC [patch 10/34] PID Virtualization Change pid accesses: security/
Date: Tue, 17 Jan 2006 08:33:08 -0600 [thread overview]
Message-ID: <20060117143325.734450000@sergelap> (raw)
In-Reply-To: 20060117143258.150807000@sergelap
[-- Attachment #1: B9-change-pid-tgid-references-security --]
[-- Type: text/plain, Size: 5095 bytes --]
Change pid accesses for security modules.
Signed-off-by: Dave Hansen <haveblue@us.ibm.com>
Signed-off-by: Serge Hallyn <serue@us.ibm.com>
---
commoncap.c | 2 +-
keys/process_keys.c | 6 +++---
keys/request_key_auth.c | 2 +-
seclvl.c | 16 ++++++++--------
selinux/avc.c | 4 ++--
5 files changed, 15 insertions(+), 15 deletions(-)
Index: linux-2.6.15/security/commoncap.c
===================================================================
--- linux-2.6.15.orig/security/commoncap.c 2006-01-17 08:36:28.000000000 -0500
+++ linux-2.6.15/security/commoncap.c 2006-01-17 08:37:01.000000000 -0500
@@ -169,7 +169,7 @@
/* For init, we want to retain the capabilities set
* in the init_task struct. Thus we skip the usual
* capability rules */
- if (current->pid != 1) {
+ if (task_pid(current) != 1) {
current->cap_permitted = new_permitted;
current->cap_effective =
cap_intersect (new_permitted, bprm->cap_effective);
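Review bot: The rewritten test on the `+` line still identifies init by comparing the accessor's result with the literal 1, and the same pattern recurs in the seclvl.c hunks at seclvl_ptrace, seclvl_capable, seclvl_inode_permission and seclvl_umount. Whether that still means the global init after the whole series lands depends on what task_pid() returns, which is defined in patch 13/34 and not visible here; if a later patch makes it namespace-relative, any pid-1 task inside a container would inherit init's exemption from the usual capability rules. A short comment at the test would pin the intended semantics, e.g. `/* task_pid() must be the global pid here: only the real init keeps init_task's capability set */`, or the literal comparison could be replaced by one dedicated "is global init" helper once the API is in place. The enclosing function starts and ends outside this hunk.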
Index: linux-2.6.15/security/keys/process_keys.c
===================================================================
--- linux-2.6.15.orig/security/keys/process_keys.c 2006-01-17 08:36:28.000000000 -0500
+++ linux-2.6.15/security/keys/process_keys.c 2006-01-17 08:37:01.000000000 -0500
@@ -140,7 +140,7 @@
char buf[20];
int ret;
- sprintf(buf, "_tid.%u", tsk->pid);
+ sprintf(buf, "_tid.%u", task_pid(tsk));
keyring = keyring_alloc(buf, tsk->uid, tsk->gid, 1, NULL);
if (IS_ERR(keyring)) {
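Review bot: The `+` line keeps an unbounded `sprintf` into the `char buf[20]` declared two lines above, so the buffer's adequacy now rests on the width of whatever task_pid() returns, which is defined outside this page; with a 32-bit value "_tid." plus ten digits and the terminator fits, but nothing in the code enforces that. `snprintf(buf, sizeof(buf), "_tid.%u", task_pid(tsk));` makes the bound explicit, and the `_pid.` and `_ses.` hunks below have the same shape. If task_pid() returns a signed pid_t, the `%u` carried over from the old line is also a format mismatch; `%d`, which the seclvl.c and avc.c hunks in this same patch already use, would match. The enclosing function starts outside this hunk.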
@@ -173,7 +173,7 @@
int ret;
if (!tsk->signal->process_keyring) {
- sprintf(buf, "_pid.%u", tsk->tgid);
+ sprintf(buf, "_pid.%u", task_tgid(tsk));
keyring = keyring_alloc(buf, tsk->uid, tsk->gid, 1, NULL);
if (IS_ERR(keyring)) {
@@ -213,7 +213,7 @@
/* create an empty session keyring */
if (!keyring) {
- sprintf(buf, "_ses.%u", tsk->tgid);
+ sprintf(buf, "_ses.%u", task_tgid(tsk));
keyring = keyring_alloc(buf, tsk->uid, tsk->gid, 1, NULL);
if (IS_ERR(keyring)) {
Index: linux-2.6.15/security/keys/request_key_auth.c
===================================================================
--- linux-2.6.15.orig/security/keys/request_key_auth.c 2006-01-17 08:36:28.000000000 -0500
+++ linux-2.6.15/security/keys/request_key_auth.c 2006-01-17 08:37:01.000000000 -0500
@@ -60,7 +60,7 @@
else {
/* it isn't - use this process as the context */
rka->context = current;
- rka->pid = current->pid;
+ rka->pid = task_pid(current);
}
rka->target_key = key_get((struct key *) data);
Index: linux-2.6.15/security/seclvl.c
===================================================================
--- linux-2.6.15.orig/security/seclvl.c 2006-01-17 08:36:28.000000000 -0500
+++ linux-2.6.15/security/seclvl.c 2006-01-17 08:37:01.000000000 -0500
@@ -296,7 +296,7 @@
static int seclvl_ptrace(struct task_struct *parent, struct task_struct *child)
{
if (seclvl >= 0) {
- if (child->pid == 1) {
+ if (task_pid(child) == 1) {
seclvl_printk(1, KERN_WARNING, "Attempt to ptrace "
"the init process dissallowed in "
"secure level %d\n", seclvl);
@@ -313,7 +313,7 @@
static int seclvl_capable(struct task_struct *tsk, int cap)
{
/* init can do anything it wants */
- if (tsk->pid == 1)
+ if (task_pid(tsk) == 1)
return 0;
switch (seclvl) {
@@ -375,10 +375,10 @@
(tv->tv_sec == now.tv_sec && tv->tv_nsec < now.tv_nsec)) {
seclvl_printk(1, KERN_WARNING, "Attempt to decrement "
"time in secure level %d denied: "
- "current->pid = [%d], "
- "current->group_leader->pid = [%d]\n",
- seclvl, current->pid,
- current->group_leader->pid);
+ "current pid = [%d], "
+ "current->group_leader pid = [%d]\n",
+ seclvl, task_pid(current),
+ task_pid(current->group_leader));
return -EPERM;
} /* if attempt to decrement time */
} /* if seclvl > 1 */
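Review bot: The last `+` line reaches through `current->group_leader` to log what is by construction the thread-group id, while the process_keys.c hunks in this same patch already use `task_tgid()` for exactly that value. `seclvl, task_pid(current), task_tgid(current));` together with a `"current tgid = [%d]\n"` label would keep the two call sites consistent and drop the extra pointer dereference in the warning path. The enclosing function starts and ends outside this hunk.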
@@ -424,7 +424,7 @@
static int
seclvl_inode_permission(struct inode *inode, int mask, struct nameidata *nd)
{
- if (current->pid != 1 && S_ISBLK(inode->i_mode) && (mask & MAY_WRITE)) {
+ if (task_pid(current) != 1 && S_ISBLK(inode->i_mode) && (mask & MAY_WRITE)) {
switch (seclvl) {
case 2:
seclvl_printk(1, KERN_WARNING, "Write to block device "
@@ -479,7 +479,7 @@
*/
static int seclvl_umount(struct vfsmount *mnt, int flags)
{
- if (current->pid == 1)
+ if (task_pid(current) == 1)
return 0;
if (seclvl == 2) {
seclvl_printk(1, KERN_WARNING, "Attempt to unmount in secure "
Index: linux-2.6.15/security/selinux/avc.c
===================================================================
--- linux-2.6.15.orig/security/selinux/avc.c 2006-01-17 08:36:28.000000000 -0500
+++ linux-2.6.15/security/selinux/avc.c 2006-01-17 08:37:01.000000000 -0500
@@ -558,8 +558,8 @@
audit_log_format(ab, " for ");
if (a && a->tsk)
tsk = a->tsk;
- if (tsk && tsk->pid) {
- audit_log_format(ab, " pid=%d comm=", tsk->pid);
+ if (tsk && task_pid(tsk)) {
+ audit_log_format(ab, " pid=%d comm=", task_pid(tsk));
audit_log_untrustedstring(ab, tsk->comm);
}
if (a) {
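Review bot: task_pid(tsk) is evaluated twice on the two `+` lines, once in the guard and once as the format argument, so the tested and the logged value come from separate calls. Declaring `pid_t pid = tsk ? task_pid(tsk) : 0;` right after the `tsk = a->tsk` assignment and then using `if (pid)` and `pid` in the audit_log_format call evaluates the accessor once. Because this is the pid written into the audit record, it is also worth a one-line comment stating that it must stay the globally unique pid even if later patches in the series make pids container-relative; a container-local pid in the audit trail would be ambiguous to whoever reads the log. The enclosing function starts outside this hunk.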
--