* [PATCH 1/3] SELinux: Add security hook definitions for setmempolicy
@ 2006-06-21 19:20 James Morris
  2006-06-21 19:23 ` [PATCH 2/3] SELinux: add security_task_setmempolicy hooks to mm code James Morris
                   ` (2 more replies)
  0 siblings, 3 replies; 19+ messages in thread
From: James Morris @ 2006-06-21 19:20 UTC (permalink / raw)
  To: Andrew Morton
  Cc: linux-kernel, Stephen Smalley, Eric Paris, David Quigley,
	Chris Wright, Christoph Lameter

From: David Quigley <dpquigl@tycho.nsa.gov>

This patch adds new security hook definitions for the setmempolicy 
operation (currently unmediated by SELinux).  At present, the SELinux hook 
function implementation for this hook is identical to the setscheduler 
implementation, but a separate hook is introduced to allow this check to be 
specialized in the future if necessary.

This patch is aimed at 2.6.18 inclusion.

Please apply.

Signed-Off-By: David Quigley <dpquigl@tycho.nsa.gov>
Acked-by:  Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>

---

 include/linux/security.h |   16 ++++++++++++++++
 security/dummy.c         |    6 ++++++
 security/selinux/hooks.c |    6 ++++++
 3 files changed, 28 insertions(+)

diff -purN -X dontdiff linux-2.6.17-mm1.p/include/linux/security.h linux-2.6.17-mm1.w/include/linux/security.h
--- linux-2.6.17-mm1.p/include/linux/security.h	2006-06-21 11:54:11.000000000 -0400
+++ linux-2.6.17-mm1.w/include/linux/security.h	2006-06-21 12:30:11.000000000 -0400
@@ -601,6 +601,11 @@ struct swap_info_struct;
  *	@p.
  *	@p contains the task_struct for process.
  *	Return 0 if permission is granted.
+ * @task_setmempolicy
+ *	Check permission before setting memory policy and/or parameters of
+ *	process @p.
+ *	@p contains the task_struct for process.
+ *	Return 0 if permission is granted.
  * @task_kill:
  *	Check permission before sending signal @sig to @p.  @info can be NULL,
  *	the constant 1, or a pointer to a siginfo structure.  If @info is 1 or
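Review bot: The new entry `+ * @task_setmempolicy` is missing the trailing colon that every neighbouring entry in this documentation block carries (`@task_kill:` a few lines below), so it does not read like its siblings; it should be `* @task_setmempolicy:`. The text also says the check guards "setting memory policy and/or parameters", whereas the callers added in patch 2/3 are sys_migrate_pages() and sys_move_pages(); naming the operations actually mediated would help an LSM author decide what the hook must check. The respin's `+ * @task_movememory` at the same spot has the same missing colon.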
@@ -1221,6 +1226,7 @@ struct security_operations {
 	int (*task_setscheduler) (struct task_struct * p, int policy,
 				  struct sched_param * lp);
 	int (*task_getscheduler) (struct task_struct * p);
+	int (*task_setmempolicy) (struct task_struct * p); 
 	int (*task_kill) (struct task_struct * p,
 			  struct siginfo * info, int sig);
 	int (*task_wait) (struct task_struct * p);
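Review bot: The added prototype `int (*task_setmempolicy) (struct task_struct * p); ` carries trailing whitespace after the semicolon, which the neighbouring declarations do not have; trim it to `int (*task_setmempolicy) (struct task_struct * p);`. The respin's `task_movememory` prototype at the same position in struct security_operations has the same trailing blank.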
@@ -1866,6 +1872,11 @@ static inline int security_task_getsched
 	return security_ops->task_getscheduler (p);
 }
 
+static inline int security_task_setmempolicy (struct task_struct *p)
+{
+	return security_ops->task_setmempolicy (p);
+}
+
 static inline int security_task_kill (struct task_struct *p,
 				      struct siginfo *info, int sig)
 {
@@ -2513,6 +2524,11 @@ static inline int security_task_getsched
 	return 0;
 }
 
+static inline int security_task_setmempolicy (struct task_struct *p)
+{
+	return 0;
+}
+
 static inline int security_task_kill (struct task_struct *p,
 				      struct siginfo *info, int sig)
 {
diff -purN -X dontdiff linux-2.6.17-mm1.p/security/dummy.c linux-2.6.17-mm1.w/security/dummy.c
--- linux-2.6.17-mm1.p/security/dummy.c	2006-06-21 11:54:12.000000000 -0400
+++ linux-2.6.17-mm1.w/security/dummy.c	2006-06-21 12:30:11.000000000 -0400
@@ -537,6 +537,11 @@ static int dummy_task_getscheduler (stru
 	return 0;
 }
 
+static int dummy_task_setmempolicy (struct task_struct *p)
+{
+	return 0;
+}
+
 static int dummy_task_wait (struct task_struct *p)
 {
 	return 0;
@@ -982,6 +987,7 @@ void security_fixup_ops (struct security
 	set_to_dummy_if_null(ops, task_setrlimit);
 	set_to_dummy_if_null(ops, task_setscheduler);
 	set_to_dummy_if_null(ops, task_getscheduler);
+	set_to_dummy_if_null(ops, task_setmempolicy);
 	set_to_dummy_if_null(ops, task_wait);
 	set_to_dummy_if_null(ops, task_kill);
 	set_to_dummy_if_null(ops, task_prctl);
diff -purN -X dontdiff linux-2.6.17-mm1.p/security/selinux/hooks.c linux-2.6.17-mm1.w/security/selinux/hooks.c
--- linux-2.6.17-mm1.p/security/selinux/hooks.c	2006-06-21 11:54:12.000000000 -0400
+++ linux-2.6.17-mm1.w/security/selinux/hooks.c	2006-06-21 12:30:11.000000000 -0400
@@ -2690,6 +2690,11 @@ static int selinux_task_getscheduler(str
 	return task_has_perm(current, p, PROCESS__GETSCHED);
 }
 
+static int selinux_task_setmempolicy(struct task_struct *p)
+{
+	return task_has_perm(current, p, PROCESS__SETSCHED);
+}
+
 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, int sig)
 {
 	u32 perm;
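Review bot: selinux_task_setmempolicy() checks PROCESS__SETSCHED with no comment, so a reader of hooks.c cannot tell whether reusing the scheduler permission for a page-migration request is intentional, and a denial of this operation will presumably surface under the setsched permission name in the AVC audit record. The cover text says the reuse is deliberate and that the check may be specialized later; that reasoning belongs next to the code, e.g. `/* Same check as task_setscheduler for now; a dedicated permission may be introduced later. */` above the return. The same applies to selinux_task_movememory() in the respin.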
@@ -4416,6 +4421,7 @@ static struct security_operations selinu
 	.task_setrlimit =		selinux_task_setrlimit,
 	.task_setscheduler =		selinux_task_setscheduler,
 	.task_getscheduler =		selinux_task_getscheduler,
+	.task_setmempolicy =		selinux_task_setmempolicy,
 	.task_kill =			selinux_task_kill,
 	.task_wait =			selinux_task_wait,
 	.task_prctl =			selinux_task_prctl,


* [PATCH 2/3] SELinux: add security_task_setmempolicy hooks to mm code
  2006-06-21 19:20 [PATCH 1/3] SELinux: Add security hook definitions for setmempolicy James Morris
@ 2006-06-21 19:23 ` James Morris
  2006-06-21 19:33   ` Christoph Lameter
  2006-06-21 19:26 ` [PATCH 3/3] SELinux: Add sockcreate node to procattr API James Morris
  2006-06-21 21:33 ` [PATCH 0/3] SELinux: movememory & sockcreate updates for -mm James Morris
  2 siblings, 1 reply; 19+ messages in thread
From: James Morris @ 2006-06-21 19:23 UTC (permalink / raw)
  To: Andrew Morton
  Cc: linux-kernel, Stephen Smalley, Eric Paris, David Quigley,
	Chris Wright, Christoph Lameter

From: David Quigley <dpquigl@tycho.nsa.gov>

This patch inserts the security hook calls into the setmempolicy function 
to enable security modules to mediate this operation between tasks.

This patch is aimed at 2.6.18 inclusion.

Please apply.

Signed-Off-By: David Quigley <dpquigl@tycho.nsa.gov>
Acked-by:  Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>

---

 mempolicy.c |    5 +++++
 migrate.c   |    6 ++++++
 2 files changed, 11 insertions(+)

diff -purN -X dontdiff linux-2.6.17-mm1.p/mm/mempolicy.c linux-2.6.17-mm1.w/mm/mempolicy.c
--- linux-2.6.17-mm1.p/mm/mempolicy.c	2006-06-21 13:09:22.000000000 -0400
+++ linux-2.6.17-mm1.w/mm/mempolicy.c	2006-06-21 13:10:09.000000000 -0400
@@ -88,6 +88,7 @@
 #include <linux/proc_fs.h>
 #include <linux/migrate.h>
 #include <linux/rmap.h>
+#include <linux/security.h>
 
 #include <asm/tlbflush.h>
 #include <asm/uaccess.h>
@@ -946,6 +947,10 @@ asmlinkage long sys_migrate_pages(pid_t 
 		goto out;
 	}
 
+	err = security_task_setmempolicy(task);
+	if (err)
+		goto out;
+
 	err = do_migrate_pages(mm, &old, &new,
 		capable(CAP_SYS_NICE) ? MPOL_MF_MOVE_ALL : MPOL_MF_MOVE);
 out:
diff -purN -X dontdiff linux-2.6.17-mm1.p/mm/migrate.c linux-2.6.17-mm1.w/mm/migrate.c
--- linux-2.6.17-mm1.p/mm/migrate.c	2006-06-21 13:09:22.000000000 -0400
+++ linux-2.6.17-mm1.w/mm/migrate.c	2006-06-21 13:10:09.000000000 -0400
@@ -27,6 +27,7 @@
 #include <linux/writeback.h>
 #include <linux/mempolicy.h>
 #include <linux/vmalloc.h>
+#include <linux/security.h>
 
 #include "internal.h"
 
@@ -903,6 +904,11 @@ asmlinkage long sys_move_pages(pid_t pid
 		goto out2;
 	}
 
+ 	err = security_task_setmempolicy(task);
+ 	if (err)
+ 		goto out2;
+ 	
+
 	task_nodes = cpuset_mems_allowed(task);
 
 	/* Limit nr_pages so that the multiplication may not overflow */
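Review bot: The added lines in sys_move_pages() are indented with a space followed by a tab (`+ \terr = security_task_setmempolicy(task);`), unlike the tab-only indentation around them, and the block also adds a whitespace-only line plus a second blank line, leaving two consecutive blank lines before `task_nodes = cpuset_mems_allowed(task);`. The intended text is the three tab-indented lines `err = security_task_setmempolicy(task);` / `if (err)` / `goto out2;` followed by a single blank line, exactly as the mempolicy.c hunk of this patch already has it. The respin's migrate.c hunk reproduces the same whitespace. sys_move_pages() begins and ends outside the hunk.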


* [PATCH 3/3] SELinux: Add sockcreate node to procattr API
  2006-06-21 19:20 [PATCH 1/3] SELinux: Add security hook definitions for setmempolicy James Morris
  2006-06-21 19:23 ` [PATCH 2/3] SELinux: add security_task_setmempolicy hooks to mm code James Morris
@ 2006-06-21 19:26 ` James Morris
  2006-06-21 21:33 ` [PATCH 0/3] SELinux: movememory & sockcreate updates for -mm James Morris
  2 siblings, 0 replies; 19+ messages in thread
From: James Morris @ 2006-06-21 19:26 UTC (permalink / raw)
  To: Andrew Morton
  Cc: linux-kernel, Stephen Smalley, Eric Paris, David Quigley,
	Chris Wright, Al Viro

From: Eric Paris <eparis@redhat.com>

Below is a patch to add a new /proc/self/attr/sockcreate node (similar to 
the fscreate and keycreate nodes). A process may write a context into this 
interface and all subsequent sockets created will be labeled with that 
context.  This is the same idea as the fscreate interface where a process 
can specify the label of a file about to be created.  At this time one 
envisioned user of this will be xinetd. It will be able to better label 
sockets for the actual services.  At this time all sockets take the label 
of the creating process, so all xinetd sockets would just be labeled the 
same.

I tested this by creating a tcp sender and listener.  The sender was able 
to write to this new proc file and then create sockets with the specified 
label.  I am able to be sure the new label was used since the avc denial 
messages kicked out by the kernel included both the new security 
permission setsockcreate and all the socket denials were for the new 
label, not the label of the running process.

This patch is targeted for inclusion in 2.6.18.

Please apply.

Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>


---

 fs/proc/base.c                               |    6 ++++++
 security/selinux/hooks.c                     |   22 +++++++++++++++++-----
 security/selinux/include/av_perm_to_string.h |    1 +
 security/selinux/include/av_permissions.h    |    1 +
 security/selinux/include/objsec.h            |    1 +
 5 files changed, 26 insertions(+), 5 deletions(-)


diff -purN -X dontdiff linux-2.6.17-mm1.p/fs/proc/base.c linux-2.6.17-mm1.w/fs/proc/base.c
--- linux-2.6.17-mm1.p/fs/proc/base.c	2006-06-21 11:54:10.000000000 -0400
+++ linux-2.6.17-mm1.w/fs/proc/base.c	2006-06-21 12:51:28.000000000 -0400
@@ -133,6 +133,7 @@ enum pid_directory_inos {
 	PROC_TGID_ATTR_EXEC,
 	PROC_TGID_ATTR_FSCREATE,
 	PROC_TGID_ATTR_KEYCREATE,
+	PROC_TGID_ATTR_SOCKCREATE,
 #endif
 #ifdef CONFIG_AUDITSYSCALL
 	PROC_TGID_LOGINUID,
@@ -175,6 +176,7 @@ enum pid_directory_inos {
 	PROC_TID_ATTR_EXEC,
 	PROC_TID_ATTR_FSCREATE,
 	PROC_TID_ATTR_KEYCREATE,
+	PROC_TID_ATTR_SOCKCREATE,
 #endif
 #ifdef CONFIG_AUDITSYSCALL
 	PROC_TID_LOGINUID,
@@ -292,6 +294,7 @@ static struct pid_entry tgid_attr_stuff[
 	E(PROC_TGID_ATTR_EXEC,     "exec",     S_IFREG|S_IRUGO|S_IWUGO),
 	E(PROC_TGID_ATTR_FSCREATE, "fscreate", S_IFREG|S_IRUGO|S_IWUGO),
 	E(PROC_TGID_ATTR_KEYCREATE, "keycreate", S_IFREG|S_IRUGO|S_IWUGO),
+	E(PROC_TGID_ATTR_SOCKCREATE, "sockcreate", S_IFREG|S_IRUGO|S_IWUGO),
 	{0,0,NULL,0}
 };
 static struct pid_entry tid_attr_stuff[] = {
@@ -300,6 +303,7 @@ static struct pid_entry tid_attr_stuff[]
 	E(PROC_TID_ATTR_EXEC,      "exec",     S_IFREG|S_IRUGO|S_IWUGO),
 	E(PROC_TID_ATTR_FSCREATE,  "fscreate", S_IFREG|S_IRUGO|S_IWUGO),
 	E(PROC_TID_ATTR_KEYCREATE, "keycreate", S_IFREG|S_IRUGO|S_IWUGO),
+	E(PROC_TID_ATTR_SOCKCREATE, "sockcreate", S_IFREG|S_IRUGO|S_IWUGO),
 	{0,0,NULL,0}
 };
 #endif
@@ -1765,6 +1769,8 @@ static struct dentry *proc_pident_lookup
 		case PROC_TGID_ATTR_FSCREATE:
 		case PROC_TID_ATTR_KEYCREATE:
 		case PROC_TGID_ATTR_KEYCREATE:
+		case PROC_TID_ATTR_SOCKCREATE:
+		case PROC_TGID_ATTR_SOCKCREATE:
 			inode->i_fop = &proc_pid_attr_operations;
 			break;
 #endif
diff -purN -X dontdiff linux-2.6.17-mm1.p/security/selinux/hooks.c linux-2.6.17-mm1.w/security/selinux/hooks.c
--- linux-2.6.17-mm1.p/security/selinux/hooks.c	2006-06-21 12:42:51.000000000 -0400
+++ linux-2.6.17-mm1.w/security/selinux/hooks.c	2006-06-21 12:54:26.000000000 -0400
@@ -1532,8 +1532,9 @@ static int selinux_bprm_set_security(str
 	/* Default to the current task SID. */
 	bsec->sid = tsec->sid;
 
-	/* Reset create SID on execve. */
+	/* Reset create and sockcreate SID on execve. */
 	tsec->create_sid = 0;
+	tsec->sockcreate_sid = 0;
 
 	if (tsec->exec_sid) {
 		newsid = tsec->exec_sid;
@@ -2585,9 +2586,10 @@ static int selinux_task_alloc_security(s
 	tsec2->osid = tsec1->osid;
 	tsec2->sid = tsec1->sid;
 
-	/* Retain the exec and create SIDs across fork */
+	/* Retain the exec, create, and sock SIDs across fork */
 	tsec2->exec_sid = tsec1->exec_sid;
 	tsec2->create_sid = tsec1->create_sid;
+	tsec2->sockcreate_sid = tsec1->sockcreate_sid;
 
 	/* Retain ptracer SID across fork, if any.
 	   This will be reset by the ptrace hook upon any
@@ -2937,12 +2939,14 @@ static int selinux_socket_create(int fam
 {
 	int err = 0;
 	struct task_security_struct *tsec;
+	u32 newsid;
 
 	if (kern)
 		goto out;
 
 	tsec = current->security;
-	err = avc_has_perm(tsec->sid, tsec->sid,
+	newsid = tsec->sockcreate_sid ? : tsec->sid;
+	err = avc_has_perm(tsec->sid, newsid,
 			   socket_type_to_security_class(family, type,
 			   protocol), SOCKET__CREATE, NULL);
 
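Review bot: `newsid = tsec->sockcreate_sid ? : tsec->sid;` relies on 0 meaning "no sockcreate SID requested", which is the value the execve hunk earlier in this file resets the field to, but nothing at this line says so and the GNU `? :` form hides the test. A one-line comment such as `/* sockcreate_sid == 0 means none was requested: fall back to the task SID. */` above the assignment would make that contract explicit. The identical line is repeated in selinux_socket_post_create() in the next hunk; the two copies must stay in sync, since this one feeds the SOCKET__CREATE permission check and the other the label actually stored on the inode, so a small static helper returning the effective SID would remove the risk of drift.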
@@ -2955,12 +2959,14 @@ static void selinux_socket_post_create(s
 {
 	struct inode_security_struct *isec;
 	struct task_security_struct *tsec;
+	u32 newsid;
 
 	isec = SOCK_INODE(sock)->i_security;
 
 	tsec = current->security;
+	newsid = tsec->sockcreate_sid ? : tsec->sid;
 	isec->sclass = socket_type_to_security_class(family, type, protocol);
-	isec->sid = kern ? SECINITSID_KERNEL : tsec->sid;
+	isec->sid = kern ? SECINITSID_KERNEL : newsid;
 	isec->initialized = 1;
 
 	return;
@@ -4163,6 +4169,8 @@ static int selinux_getprocattr(struct ta
 		sid = tsec->create_sid;
 	else if (!strcmp(name, "keycreate"))
 		sid = tsec->keycreate_sid;
+	else if (!strcmp(name, "sockcreate"))
+		sid = tsec->sockcreate_sid;
 	else
 		return -EINVAL;
 
@@ -4197,6 +4205,8 @@ static int selinux_setprocattr(struct ta
 		error = task_has_perm(current, p, PROCESS__SETFSCREATE);
 	else if (!strcmp(name, "keycreate"))
 		error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
+	else if (!strcmp(name, "sockcreate"))
+		error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
 	else if (!strcmp(name, "current"))
 		error = task_has_perm(current, p, PROCESS__SETCURRENT);
 	else
@@ -4231,7 +4241,9 @@ static int selinux_setprocattr(struct ta
 		if (error)
 			return error;
 		tsec->keycreate_sid = sid;
-	} else if (!strcmp(name, "current")) {
+	} else if (!strcmp(name, "sockcreate"))
+		tsec->sockcreate_sid = sid;
+	else if (!strcmp(name, "current")) {
 		struct av_decision avd;
 
 		if (sid == 0)
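Review bot: The new branch `} else if (!strcmp(name, "sockcreate"))` / `tsec->sockcreate_sid = sid;` / `else if (!strcmp(name, "current")) {` drops the braces in the middle of an if/else chain whose other arms are braced, which is the shape that turns a later one-line addition into a silent logic error. Brace it like its neighbours: `} else if (!strcmp(name, "sockcreate")) {` / `tsec->sockcreate_sid = sid;` / `} else if (!strcmp(name, "current")) {`. selinux_setprocattr() starts and ends outside the hunk.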
diff -purN -X dontdiff linux-2.6.17-mm1.p/security/selinux/include/av_permissions.h linux-2.6.17-mm1.w/security/selinux/include/av_permissions.h
--- linux-2.6.17-mm1.p/security/selinux/include/av_permissions.h	2006-06-21 11:54:12.000000000 -0400
+++ linux-2.6.17-mm1.w/security/selinux/include/av_permissions.h	2006-06-21 12:57:36.000000000 -0400
@@ -468,6 +468,7 @@
 #define PROCESS__EXECSTACK                        0x04000000UL
 #define PROCESS__EXECHEAP                         0x08000000UL
 #define PROCESS__SETKEYCREATE                     0x10000000UL
+#define PROCESS__SETSOCKCREATE                    0x20000000UL
 
 #define IPC__CREATE                               0x00000001UL
 #define IPC__DESTROY                              0x00000002UL
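Review bot: `PROCESS__SETSOCKCREATE 0x20000000UL` takes bit 29 of the 32-bit process access vector, which leaves only 0x40000000UL and 0x80000000UL unassigned in this class after the patch; a line in the commit message noting that would help whoever adds the next process permission plan for the limit. If this header is generated from the policy's access-vector definitions, as SELinux's av_*.h headers conventionally are, the generating source should be updated alongside rather than the header edited by hand — hedged, since the file's header comment is not in the hunk.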
diff -purN -X dontdiff linux-2.6.17-mm1.p/security/selinux/include/av_perm_to_string.h linux-2.6.17-mm1.w/security/selinux/include/av_perm_to_string.h
--- linux-2.6.17-mm1.p/security/selinux/include/av_perm_to_string.h	2006-06-21 11:54:12.000000000 -0400
+++ linux-2.6.17-mm1.w/security/selinux/include/av_perm_to_string.h	2006-06-21 12:58:58.000000000 -0400
@@ -73,6 +73,7 @@
    S_(SECCLASS_PROCESS, PROCESS__EXECSTACK, "execstack")
    S_(SECCLASS_PROCESS, PROCESS__EXECHEAP, "execheap")
    S_(SECCLASS_PROCESS, PROCESS__SETKEYCREATE, "setkeycreate")
+   S_(SECCLASS_PROCESS, PROCESS__SETSOCKCREATE, "setsockcreate")
    S_(SECCLASS_MSGQ, MSGQ__ENQUEUE, "enqueue")
    S_(SECCLASS_MSG, MSG__SEND, "send")
    S_(SECCLASS_MSG, MSG__RECEIVE, "receive")
diff -purN -X dontdiff linux-2.6.17-mm1.p/security/selinux/include/objsec.h linux-2.6.17-mm1.w/security/selinux/include/objsec.h
--- linux-2.6.17-mm1.p/security/selinux/include/objsec.h	2006-06-21 11:54:12.000000000 -0400
+++ linux-2.6.17-mm1.w/security/selinux/include/objsec.h	2006-06-21 12:58:07.000000000 -0400
@@ -33,6 +33,7 @@ struct task_security_struct {
 	u32 exec_sid;        /* exec SID */
 	u32 create_sid;      /* fscreate SID */
 	u32 keycreate_sid;   /* keycreate SID */
+	u32 sockcreate_sid;  /* fscreate SID */
 	u32 ptrace_sid;      /* SID of ptrace parent */
 };
 
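Review bot: The comment on the new field `u32 sockcreate_sid;  /* fscreate SID */` is a copy of the line above and misdescribes the field; it should read `u32 sockcreate_sid;  /* sockcreate SID */`. The respin reposts this patch unchanged according to its description, so the same fix applies there.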


* Re: [PATCH 2/3] SELinux: add security_task_setmempolicy hooks to mm code
  2006-06-21 19:23 ` [PATCH 2/3] SELinux: add security_task_setmempolicy hooks to mm code James Morris
@ 2006-06-21 19:33   ` Christoph Lameter
  2006-06-21 19:51     ` James Morris
  0 siblings, 1 reply; 19+ messages in thread
From: Christoph Lameter @ 2006-06-21 19:33 UTC (permalink / raw)
  To: James Morris
  Cc: Andrew Morton, linux-kernel, Stephen Smalley, Eric Paris,
	David Quigley, Chris Wright

On Wed, 21 Jun 2006, James Morris wrote:

> From: David Quigley <dpquigl@tycho.nsa.gov>
> 
> This patch inserts the security hook calls into the setmempolicy function 
> to enable security modules to mediate this operation between tasks.

Setting a memory policy is different from migrating pages of an 
application. The migration function migrates a process, it does not set 
any memory policies. Cpuset may change memory policies of the tasks 
contained in it but sys_migrate_pages() cannot.

We need a similar hook for the sys_move_pages() function call in mm right?

If this is a generic hook then I would suggest to have some hook that 
contains the term "memory placement" somewhere that would fit both system 
calls.




* Re: [PATCH 2/3] SELinux: add security_task_setmempolicy hooks to mm code
  2006-06-21 19:33   ` Christoph Lameter
@ 2006-06-21 19:51     ` James Morris
  2006-06-21 20:07       ` Christoph Lameter
  0 siblings, 1 reply; 19+ messages in thread
From: James Morris @ 2006-06-21 19:51 UTC (permalink / raw)
  To: Christoph Lameter
  Cc: Andrew Morton, linux-kernel, Stephen Smalley, Eric Paris,
	David Quigley, Chris Wright

On Wed, 21 Jun 2006, Christoph Lameter wrote:

> On Wed, 21 Jun 2006, James Morris wrote:
> 
> > From: David Quigley <dpquigl@tycho.nsa.gov>
> > 
> > This patch inserts the security hook calls into the setmempolicy function 
> > to enable security modules to mediate this operation between tasks.
> 
> Setting a memory policy is different from migrating pages of an 
> application. The migration function migrates a process, it does not set 
> any memory policies. Cpuset may change memory policies of the tasks 
> contained in it but sys_migrate_pages() cannot.

I'll let David and/or Stephen address this in detail, but what's being 
added here is a security abstraction, where we consider these operations 
to be equivalent from an access control point of view.  So, one task 
causing another task's memory to be moved to another node is considered to 
be "setting memory policy" at a conceptual level.  Perhaps we could change 
the name of the hook to make that clearer (which you suggest below).

> We need a similar hook for the sys_move_pages() function call in mm right?

Yes, the hook is also added to sys_move_pages() in the patch.

> If this is a generic hook then I would suggest to have some hook that 
> contains the term "memory placement" somewhere that would fit both system 
> calls.
> 

-- 
James Morris
<jmorris@namei.org>


* Re: [PATCH 2/3] SELinux: add security_task_setmempolicy hooks to mm code
  2006-06-21 19:51     ` James Morris
@ 2006-06-21 20:07       ` Christoph Lameter
  2006-06-21 20:47         ` James Morris
  0 siblings, 1 reply; 19+ messages in thread
From: Christoph Lameter @ 2006-06-21 20:07 UTC (permalink / raw)
  To: James Morris
  Cc: Andrew Morton, linux-kernel, Stephen Smalley, Eric Paris,
	David Quigley, Chris Wright

On Wed, 21 Jun 2006, James Morris wrote:

> I'll let David and/or Stephen address this in detail, but what's being 
> added here is a security asbtraction, where we consider these operations 
> to be equivalent from an access control point of view.  So, one task 
> causing another task's memory to be moved to another node is conisdered to 
> be "setting memory policy" at a conceptual level.  Perhaps we could change 
> the name of the hook to make that clearer (which you suggest below).

That will cause lots of confusion. Moving memory is not a memory policy.

Why was this name picked? Use move_pages movemem or so.



* Re: [PATCH 2/3] SELinux: add security_task_setmempolicy hooks to mm code
  2006-06-21 20:07       ` Christoph Lameter
@ 2006-06-21 20:47         ` James Morris
  0 siblings, 0 replies; 19+ messages in thread
From: James Morris @ 2006-06-21 20:47 UTC (permalink / raw)
  To: Christoph Lameter
  Cc: Andrew Morton, linux-kernel, Stephen Smalley, Eric Paris,
	David Quigley, Chris Wright

On Wed, 21 Jun 2006, Christoph Lameter wrote:

> On Wed, 21 Jun 2006, James Morris wrote:
> 
> > I'll let David and/or Stephen address this in detail, but what's being 
> > added here is a security asbtraction, where we consider these operations 
> > to be equivalent from an access control point of view.  So, one task 
> > causing another task's memory to be moved to another node is conisdered to 
> > be "setting memory policy" at a conceptual level.  Perhaps we could change 
> > the name of the hook to make that clearer (which you suggest below).
> 
> That will cause lots of confusion. Moving memory is not a memory policy.
> 
> Why was this name picked? Use move_pages movemem or so.

Not sure, perhaps some earlier thinking that stuck around.  Thanks for 
looking at it, I'll respin the patches.


-- 
James Morris
<jmorris@namei.org>


* [PATCH 0/3] SELinux: movememory & sockcreate updates for -mm
  2006-06-21 19:20 [PATCH 1/3] SELinux: Add security hook definitions for setmempolicy James Morris
  2006-06-21 19:23 ` [PATCH 2/3] SELinux: add security_task_setmempolicy hooks to mm code James Morris
  2006-06-21 19:26 ` [PATCH 3/3] SELinux: Add sockcreate node to procattr API James Morris
@ 2006-06-21 21:33 ` James Morris
  2006-06-21 21:34   ` [PATCH 1/3] SELinux: add task_movememory hook James Morris
                     ` (2 more replies)
  2 siblings, 3 replies; 19+ messages in thread
From: James Morris @ 2006-06-21 21:33 UTC (permalink / raw)
  To: Andrew Morton
  Cc: linux-kernel, Stephen Smalley, Eric Paris, David Quigley,
	Chris Wright, Christoph Lameter

The following is a respin of the patchset sent earlier today, starting 
with:

'Subject: [PATCH 1/3] SELinux: Add security hook definitions for 
setmempolicy'

The only changes are in the first two patches, where the hook names have 
been changed.



-- 
James Morris
<jmorris@namei.org>


* [PATCH 1/3] SELinux: add task_movememory hook
  2006-06-21 21:33 ` [PATCH 0/3] SELinux: movememory & sockcreate updates for -mm James Morris
@ 2006-06-21 21:34   ` James Morris
  2006-06-22 21:53     ` Chris Wright
  2006-06-21 21:36   ` [PATCH 2/3] SELinux: add security_task_movememory calls to mm code James Morris
  2006-06-21 21:37   ` [PATCH 3/3] SELinux: Add sockcreate node to procattr API James Morris
  2 siblings, 1 reply; 19+ messages in thread
From: James Morris @ 2006-06-21 21:34 UTC (permalink / raw)
  To: Andrew Morton
  Cc: linux-kernel, Stephen Smalley, Eric Paris, David Quigley,
	Chris Wright, Christoph Lameter

From: David Quigley <dpquigl@tycho.nsa.gov>

This patch adds a new security hook, task_movememory, to be called when 
memory owned by a task is to be moved (e.g. when migrating pages to a 
different node). At present, the SELinux hook function implementation for 
this hook is identical to the setscheduler implementation, but a separate 
hook is introduced to allow this check to be specialized in the future if 
necessary.

Since the last posting, the hook has been renamed following feedback from
Christoph Lameter.

This patch is aimed at 2.6.18 inclusion.

Please apply.

Signed-Off-By: David Quigley <dpquigl@tycho.nsa.gov>
Acked-by:  Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>

---

 include/linux/security.h |   15 +++++++++++++++
 security/dummy.c         |    6 ++++++
 security/selinux/hooks.c |    6 ++++++
 3 files changed, 27 insertions(+)

diff -purN -X dontdiff linux-2.6.17-mm1.p/include/linux/security.h linux-2.6.17-mm1.w/include/linux/security.h
--- linux-2.6.17-mm1.p/include/linux/security.h	2006-06-21 11:54:11.000000000 -0400
+++ linux-2.6.17-mm1.w/include/linux/security.h	2006-06-21 16:57:53.000000000 -0400
@@ -601,6 +601,10 @@ struct swap_info_struct;
  *	@p.
  *	@p contains the task_struct for process.
  *	Return 0 if permission is granted.
+ * @task_movememory
+ *	Check permission before moving memory owned by process @p.
+ *	@p contains the task_struct for process.
+ *	Return 0 if permission is granted.
  * @task_kill:
  *	Check permission before sending signal @sig to @p.  @info can be NULL,
  *	the constant 1, or a pointer to a siginfo structure.  If @info is 1 or
@@ -1221,6 +1225,7 @@ struct security_operations {
 	int (*task_setscheduler) (struct task_struct * p, int policy,
 				  struct sched_param * lp);
 	int (*task_getscheduler) (struct task_struct * p);
+	int (*task_movememory) (struct task_struct * p); 
 	int (*task_kill) (struct task_struct * p,
 			  struct siginfo * info, int sig);
 	int (*task_wait) (struct task_struct * p);
@@ -1866,6 +1871,11 @@ static inline int security_task_getsched
 	return security_ops->task_getscheduler (p);
 }
 
+static inline int security_task_movememory (struct task_struct *p)
+{
+	return security_ops->task_movememory (p);
+}
+
 static inline int security_task_kill (struct task_struct *p,
 				      struct siginfo *info, int sig)
 {
@@ -2513,6 +2523,11 @@ static inline int security_task_getsched
 	return 0;
 }
 
+static inline int security_task_movememory (struct task_struct *p)
+{
+	return 0;
+}
+
 static inline int security_task_kill (struct task_struct *p,
 				      struct siginfo *info, int sig)
 {
diff -purN -X dontdiff linux-2.6.17-mm1.p/security/dummy.c linux-2.6.17-mm1.w/security/dummy.c
--- linux-2.6.17-mm1.p/security/dummy.c	2006-06-21 11:54:12.000000000 -0400
+++ linux-2.6.17-mm1.w/security/dummy.c	2006-06-21 16:58:22.000000000 -0400
@@ -537,6 +537,11 @@ static int dummy_task_getscheduler (stru
 	return 0;
 }
 
+static int dummy_task_movememory (struct task_struct *p)
+{
+	return 0;
+}
+
 static int dummy_task_wait (struct task_struct *p)
 {
 	return 0;
@@ -982,6 +987,7 @@ void security_fixup_ops (struct security
 	set_to_dummy_if_null(ops, task_setrlimit);
 	set_to_dummy_if_null(ops, task_setscheduler);
 	set_to_dummy_if_null(ops, task_getscheduler);
+	set_to_dummy_if_null(ops, task_movememory);
 	set_to_dummy_if_null(ops, task_wait);
 	set_to_dummy_if_null(ops, task_kill);
 	set_to_dummy_if_null(ops, task_prctl);
diff -purN -X dontdiff linux-2.6.17-mm1.p/security/selinux/hooks.c linux-2.6.17-mm1.w/security/selinux/hooks.c
--- linux-2.6.17-mm1.p/security/selinux/hooks.c	2006-06-21 11:54:12.000000000 -0400
+++ linux-2.6.17-mm1.w/security/selinux/hooks.c	2006-06-21 16:58:40.000000000 -0400
@@ -2690,6 +2690,11 @@ static int selinux_task_getscheduler(str
 	return task_has_perm(current, p, PROCESS__GETSCHED);
 }
 
+static int selinux_task_movememory(struct task_struct *p)
+{
+	return task_has_perm(current, p, PROCESS__SETSCHED);
+}
+
 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, int sig)
 {
 	u32 perm;
@@ -4416,6 +4421,7 @@ static struct security_operations selinu
 	.task_setrlimit =		selinux_task_setrlimit,
 	.task_setscheduler =		selinux_task_setscheduler,
 	.task_getscheduler =		selinux_task_getscheduler,
+	.task_movememory =		selinux_task_movememory,
 	.task_kill =			selinux_task_kill,
 	.task_wait =			selinux_task_wait,
 	.task_prctl =			selinux_task_prctl,


* [PATCH 2/3] SELinux: add security_task_movememory calls to mm code
  2006-06-21 21:33 ` [PATCH 0/3] SELinux: movememory & sockcreate updates for -mm James Morris
  2006-06-21 21:34   ` [PATCH 1/3] SELinux: add task_movememory hook James Morris
@ 2006-06-21 21:36   ` James Morris
  2006-06-21 21:43     ` Christoph Lameter
                       ` (2 more replies)
  2006-06-21 21:37   ` [PATCH 3/3] SELinux: Add sockcreate node to procattr API James Morris
  2 siblings, 3 replies; 19+ messages in thread
From: James Morris @ 2006-06-21 21:36 UTC (permalink / raw)
  To: Andrew Morton
  Cc: linux-kernel, Stephen Smalley, Eric Paris, David Quigley,
	Chris Wright, Christoph Lameter

From: David Quigley <dpquigl@tycho.nsa.gov>

This patch inserts security_task_movememory hook calls into memory
management code to enable security modules to mediate this operation
between tasks.

Since the last posting, the hook has been renamed following feedback from
Christoph Lameter.

This patch is aimed at 2.6.18 inclusion.

Please apply.

Signed-Off-By: David Quigley <dpquigl@tycho.nsa.gov>
Acked-by:  Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>


---

 mm/mempolicy.c |    5 +++++
 mm/migrate.c   |    6 ++++++
 2 files changed, 11 insertions(+)

diff -purN -X dontdiff linux-2.6.17-mm1.p/mm/mempolicy.c linux-2.6.17-mm1.w/mm/mempolicy.c
--- linux-2.6.17-mm1.p/mm/mempolicy.c	2006-06-21 11:54:12.000000000 -0400
+++ linux-2.6.17-mm1.w/mm/mempolicy.c	2006-06-21 17:18:00.000000000 -0400
@@ -88,6 +88,7 @@
 #include <linux/proc_fs.h>
 #include <linux/migrate.h>
 #include <linux/rmap.h>
+#include <linux/security.h>
 
 #include <asm/tlbflush.h>
 #include <asm/uaccess.h>
@@ -946,6 +947,10 @@ asmlinkage long sys_migrate_pages(pid_t 
 		goto out;
 	}
 
+	err = security_task_movememory(task);
+	if (err)
+		goto out;
+
 	err = do_migrate_pages(mm, &old, &new,
 		capable(CAP_SYS_NICE) ? MPOL_MF_MOVE_ALL : MPOL_MF_MOVE);
 out:
diff -purN -X dontdiff linux-2.6.17-mm1.p/mm/migrate.c linux-2.6.17-mm1.w/mm/migrate.c
--- linux-2.6.17-mm1.p/mm/migrate.c	2006-06-21 11:54:12.000000000 -0400
+++ linux-2.6.17-mm1.w/mm/migrate.c	2006-06-21 17:17:52.000000000 -0400
@@ -27,6 +27,7 @@
 #include <linux/writeback.h>
 #include <linux/mempolicy.h>
 #include <linux/vmalloc.h>
+#include <linux/security.h>
 
 #include "internal.h"
 
@@ -903,6 +904,11 @@ asmlinkage long sys_move_pages(pid_t pid
 		goto out2;
 	}
 
+ 	err = security_task_movememory(task);
+ 	if (err)
+ 		goto out2;
+ 	
+
 	task_nodes = cpuset_mems_allowed(task);
 
 	/* Limit nr_pages so that the multiplication may not overflow */


* [PATCH 3/3] SELinux: Add sockcreate node to procattr API
  2006-06-21 21:33 ` [PATCH 0/3] SELinux: movememory & sockcreate updates for -mm James Morris
  2006-06-21 21:34   ` [PATCH 1/3] SELinux: add task_movememory hook James Morris
  2006-06-21 21:36   ` [PATCH 2/3] SELinux: add security_task_movememory calls to mm code James Morris
@ 2006-06-21 21:37   ` James Morris
  2 siblings, 0 replies; 19+ messages in thread
From: James Morris @ 2006-06-21 21:37 UTC (permalink / raw)
  To: Andrew Morton
  Cc: linux-kernel, Stephen Smalley, Eric Paris, David Quigley,
	Chris Wright, Al Viro

From: Eric Paris <eparis@redhat.com>

(Unchanged from eariler post).

Below is a patch to add a new /proc/self/attr/sockcreate node. A process may 
write a context into this interface and all subsequent sockets created 
will be labeled with that context.  This is the same idea as the fscreate 
interface where a process can specify the label of a file about to be 
created.  At this time one envisioned user of this will be xinetd. It will 
be able to better label sockets for the actual services.  At this time all 
sockets take the label of the creating process, so all xinetd sockets 
would just be labeled the same.

I tested this by creating a tcp sender and listener.  The sender was able 
to write to this new proc file and then create sockets with the specified 
label.  I am able to be sure the new label was used since the avc denial 
messages kicked out by the kernel included both the new security 
permission setsockcreate and all the socket denials were for the new 
label, not the label of the running process.


This patch is targeted for inclusion in 2.6.18.

Please apply.

Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>


---

 fs/proc/base.c                               |    6 ++++++
 security/selinux/hooks.c                     |   22 +++++++++++++++++-----
 security/selinux/include/av_perm_to_string.h |    1 +
 security/selinux/include/av_permissions.h    |    1 +
 security/selinux/include/objsec.h            |    1 +
 5 files changed, 26 insertions(+), 5 deletions(-)


diff -purN -X dontdiff linux-2.6.17-mm1.p/fs/proc/base.c linux-2.6.17-mm1.w/fs/proc/base.c
--- linux-2.6.17-mm1.p/fs/proc/base.c	2006-06-21 11:54:10.000000000 -0400
+++ linux-2.6.17-mm1.w/fs/proc/base.c	2006-06-21 12:51:28.000000000 -0400
@@ -133,6 +133,7 @@ enum pid_directory_inos {
 	PROC_TGID_ATTR_EXEC,
 	PROC_TGID_ATTR_FSCREATE,
 	PROC_TGID_ATTR_KEYCREATE,
+	PROC_TGID_ATTR_SOCKCREATE,
 #endif
 #ifdef CONFIG_AUDITSYSCALL
 	PROC_TGID_LOGINUID,
@@ -175,6 +176,7 @@ enum pid_directory_inos {
 	PROC_TID_ATTR_EXEC,
 	PROC_TID_ATTR_FSCREATE,
 	PROC_TID_ATTR_KEYCREATE,
+	PROC_TID_ATTR_SOCKCREATE,
 #endif
 #ifdef CONFIG_AUDITSYSCALL
 	PROC_TID_LOGINUID,
@@ -292,6 +294,7 @@ static struct pid_entry tgid_attr_stuff[
 	E(PROC_TGID_ATTR_EXEC,     "exec",     S_IFREG|S_IRUGO|S_IWUGO),
 	E(PROC_TGID_ATTR_FSCREATE, "fscreate", S_IFREG|S_IRUGO|S_IWUGO),
 	E(PROC_TGID_ATTR_KEYCREATE, "keycreate", S_IFREG|S_IRUGO|S_IWUGO),
+	E(PROC_TGID_ATTR_SOCKCREATE, "sockcreate", S_IFREG|S_IRUGO|S_IWUGO),
 	{0,0,NULL,0}
 };
 static struct pid_entry tid_attr_stuff[] = {
@@ -300,6 +303,7 @@ static struct pid_entry tid_attr_stuff[]
 	E(PROC_TID_ATTR_EXEC,      "exec",     S_IFREG|S_IRUGO|S_IWUGO),
 	E(PROC_TID_ATTR_FSCREATE,  "fscreate", S_IFREG|S_IRUGO|S_IWUGO),
 	E(PROC_TID_ATTR_KEYCREATE, "keycreate", S_IFREG|S_IRUGO|S_IWUGO),
+	E(PROC_TID_ATTR_SOCKCREATE, "sockcreate", S_IFREG|S_IRUGO|S_IWUGO),
 	{0,0,NULL,0}
 };
 #endif
@@ -1765,6 +1769,8 @@ static struct dentry *proc_pident_lookup
 		case PROC_TGID_ATTR_FSCREATE:
 		case PROC_TID_ATTR_KEYCREATE:
 		case PROC_TGID_ATTR_KEYCREATE:
+		case PROC_TID_ATTR_SOCKCREATE:
+		case PROC_TGID_ATTR_SOCKCREATE:
 			inode->i_fop = &proc_pid_attr_operations;
 			break;
 #endif
diff -purN -X dontdiff linux-2.6.17-mm1.p/security/selinux/hooks.c linux-2.6.17-mm1.w/security/selinux/hooks.c
--- linux-2.6.17-mm1.p/security/selinux/hooks.c	2006-06-21 12:42:51.000000000 -0400
+++ linux-2.6.17-mm1.w/security/selinux/hooks.c	2006-06-21 12:54:26.000000000 -0400
@@ -1532,8 +1532,9 @@ static int selinux_bprm_set_security(str
 	/* Default to the current task SID. */
 	bsec->sid = tsec->sid;
 
-	/* Reset create SID on execve. */
+	/* Reset create and sockcreate SID on execve. */
 	tsec->create_sid = 0;
+	tsec->sockcreate_sid = 0;
 
 	if (tsec->exec_sid) {
 		newsid = tsec->exec_sid;
@@ -2585,9 +2586,10 @@ static int selinux_task_alloc_security(s
 	tsec2->osid = tsec1->osid;
 	tsec2->sid = tsec1->sid;
 
-	/* Retain the exec and create SIDs across fork */
+	/* Retain the exec, create, and sock SIDs across fork */
 	tsec2->exec_sid = tsec1->exec_sid;
 	tsec2->create_sid = tsec1->create_sid;
+	tsec2->sockcreate_sid = tsec1->sockcreate_sid;
 
 	/* Retain ptracer SID across fork, if any.
 	   This will be reset by the ptrace hook upon any
@@ -2937,12 +2939,14 @@ static int selinux_socket_create(int fam
 {
 	int err = 0;
 	struct task_security_struct *tsec;
+	u32 newsid;
 
 	if (kern)
 		goto out;
 
 	tsec = current->security;
-	err = avc_has_perm(tsec->sid, tsec->sid,
+	newsid = tsec->sockcreate_sid ? : tsec->sid;
+	err = avc_has_perm(tsec->sid, newsid,
 			   socket_type_to_security_class(family, type,
 			   protocol), SOCKET__CREATE, NULL);
 
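Review bot: The permission check now targets the SID the socket will receive (`newsid`, the sockcreate SID when one is set) instead of the task's own SID, and that is what stops a process from labeling sockets with a context it is not allowed to create; this is the security-relevant part of the hunk and deserves a comment, e.g. `/* Check SOCKET__CREATE against the label the socket will get (sockcreate_sid if set); setprocattr stores that SID without a per-SID check. */` above `newsid = tsec->sockcreate_sid ? : tsec->sid;`. The same `tsec->sockcreate_sid` is read again in selinux_socket_post_create to apply the label, so the check and the label come from two separate reads of current's security struct; they presumably agree since only the task's own state is involved, but the comment could say so. selinux_socket_create continues past the end of this hunk.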
@@ -2955,12 +2959,14 @@ static void selinux_socket_post_create(s
 {
 	struct inode_security_struct *isec;
 	struct task_security_struct *tsec;
+	u32 newsid;
 
 	isec = SOCK_INODE(sock)->i_security;
 
 	tsec = current->security;
+	newsid = tsec->sockcreate_sid ? : tsec->sid;
 	isec->sclass = socket_type_to_security_class(family, type, protocol);
-	isec->sid = kern ? SECINITSID_KERNEL : tsec->sid;
+	isec->sid = kern ? SECINITSID_KERNEL : newsid;
 	isec->initialized = 1;
 
 	return;
@@ -4163,6 +4169,8 @@ static int selinux_getprocattr(struct ta
 		sid = tsec->create_sid;
 	else if (!strcmp(name, "keycreate"))
 		sid = tsec->keycreate_sid;
+	else if (!strcmp(name, "sockcreate"))
+		sid = tsec->sockcreate_sid;
 	else
 		return -EINVAL;
 
@@ -4197,6 +4205,8 @@ static int selinux_setprocattr(struct ta
 		error = task_has_perm(current, p, PROCESS__SETFSCREATE);
 	else if (!strcmp(name, "keycreate"))
 		error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
+	else if (!strcmp(name, "sockcreate"))
+		error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
 	else if (!strcmp(name, "current"))
 		error = task_has_perm(current, p, PROCESS__SETCURRENT);
 	else
@@ -4231,7 +4241,9 @@ static int selinux_setprocattr(struct ta
 		if (error)
 			return error;
 		tsec->keycreate_sid = sid;
-	} else if (!strcmp(name, "current")) {
+	} else if (!strcmp(name, "sockcreate"))
+		tsec->sockcreate_sid = sid;
+	else if (!strcmp(name, "current")) {
 		struct av_decision avd;
 
 		if (sid == 0)
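Review bot: The new `sockcreate` arm breaks the brace style of the if/else chain it sits in: the neighbouring arms use `{ ... }`, and kernel style braces every arm once one needs braces, so it should read `} else if (!strcmp(name, "sockcreate")) {` / `tsec->sockcreate_sid = sid;` / `} else if (!strcmp(name, "current")) {`. Unlike the keycreate arm just above, which appears to check something against the new SID before storing it (`if (error) return error;`), the sockcreate SID is stored here with no per-SID check; that is acceptable only because selinux_socket_create() checks SOCKET__CREATE against that SID when a socket is actually created, and a comment such as `/* No check here: enforced against the target SID in selinux_socket_create(). */` would make the deferred enforcement explicit. selinux_setprocattr starts and ends outside this hunk.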
diff -purN -X dontdiff linux-2.6.17-mm1.p/security/selinux/include/av_permissions.h linux-2.6.17-mm1.w/security/selinux/include/av_permissions.h
--- linux-2.6.17-mm1.p/security/selinux/include/av_permissions.h	2006-06-21 11:54:12.000000000 -0400
+++ linux-2.6.17-mm1.w/security/selinux/include/av_permissions.h	2006-06-21 12:57:36.000000000 -0400
@@ -468,6 +468,7 @@
 #define PROCESS__EXECSTACK                        0x04000000UL
 #define PROCESS__EXECHEAP                         0x08000000UL
 #define PROCESS__SETKEYCREATE                     0x10000000UL
+#define PROCESS__SETSOCKCREATE                    0x20000000UL
 
 #define IPC__CREATE                               0x00000001UL
 #define IPC__DESTROY                              0x00000002UL
diff -purN -X dontdiff linux-2.6.17-mm1.p/security/selinux/include/av_perm_to_string.h linux-2.6.17-mm1.w/security/selinux/include/av_perm_to_string.h
--- linux-2.6.17-mm1.p/security/selinux/include/av_perm_to_string.h	2006-06-21 11:54:12.000000000 -0400
+++ linux-2.6.17-mm1.w/security/selinux/include/av_perm_to_string.h	2006-06-21 12:58:58.000000000 -0400
@@ -73,6 +73,7 @@
    S_(SECCLASS_PROCESS, PROCESS__EXECSTACK, "execstack")
    S_(SECCLASS_PROCESS, PROCESS__EXECHEAP, "execheap")
    S_(SECCLASS_PROCESS, PROCESS__SETKEYCREATE, "setkeycreate")
+   S_(SECCLASS_PROCESS, PROCESS__SETSOCKCREATE, "setsockcreate")
    S_(SECCLASS_MSGQ, MSGQ__ENQUEUE, "enqueue")
    S_(SECCLASS_MSG, MSG__SEND, "send")
    S_(SECCLASS_MSG, MSG__RECEIVE, "receive")
diff -purN -X dontdiff linux-2.6.17-mm1.p/security/selinux/include/objsec.h linux-2.6.17-mm1.w/security/selinux/include/objsec.h
--- linux-2.6.17-mm1.p/security/selinux/include/objsec.h	2006-06-21 11:54:12.000000000 -0400
+++ linux-2.6.17-mm1.w/security/selinux/include/objsec.h	2006-06-21 12:58:07.000000000 -0400
@@ -33,6 +33,7 @@ struct task_security_struct {
 	u32 exec_sid;        /* exec SID */
 	u32 create_sid;      /* fscreate SID */
 	u32 keycreate_sid;   /* keycreate SID */
+	u32 sockcreate_sid;  /* fscreate SID */
 	u32 ptrace_sid;      /* SID of ptrace parent */
 };
 
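Review bot: The comment on the new field is a copy-paste of the line above and is wrong: `u32 sockcreate_sid;  /* fscreate SID */` should read `u32 sockcreate_sid;  /* sockcreate SID */`, otherwise a reader scanning the struct finds two "fscreate" fields. Given that this field is reset on execve and inherited across fork in the hooks.c hunks, a slightly fuller `/* sockcreate SID: label for new sockets; inherited on fork, cleared on exec */` would document its lifetime in the one place people look.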


* Re: [PATCH 2/3] SELinux: add security_task_movememory calls to mm code
From: Christoph Lameter @ 2006-06-21 21:43 UTC (permalink / raw)
  To: James Morris
  Cc: Andrew Morton, linux-kernel, Stephen Smalley, Eric Paris,
	David Quigley, Chris Wright

On Wed, 21 Jun 2006, James Morris wrote:

> diff -purN -X dontdiff linux-2.6.17-mm1.p/mm/mempolicy.c linux-2.6.17-mm1.w/mm/mempolicy.c
> --- linux-2.6.17-mm1.p/mm/mempolicy.c	2006-06-21 11:54:12.000000000 -0400
> +++ linux-2.6.17-mm1.w/mm/mempolicy.c	2006-06-21 17:18:00.000000000 -0400
> @@ -88,6 +88,7 @@
>  #include <linux/proc_fs.h>
>  #include <linux/migrate.h>
>  #include <linux/rmap.h>
> +#include <linux/security.h>
>  
>  #include <asm/tlbflush.h>
>  #include <asm/uaccess.h>
> @@ -946,6 +947,10 @@ asmlinkage long sys_migrate_pages(pid_t 
>  		goto out;
>  	}
>  
> +	err = security_task_movememory(task);
> +	if (err)
> +		goto out;
> +
>  	err = do_migrate_pages(mm, &old, &new,
>  		capable(CAP_SYS_NICE) ? MPOL_MF_MOVE_ALL : MPOL_MF_MOVE);
>  out:

Acked-by: Christoph Lameter <clameter@sgi.com>


> diff -purN -X dontdiff linux-2.6.17-mm1.p/mm/migrate.c linux-2.6.17-mm1.w/mm/migrate.c
> --- linux-2.6.17-mm1.p/mm/migrate.c	2006-06-21 11:54:12.000000000 -0400
> +++ linux-2.6.17-mm1.w/mm/migrate.c	2006-06-21 17:17:52.000000000 -0400
> @@ -27,6 +27,7 @@
>  #include <linux/writeback.h>
>  #include <linux/mempolicy.h>
>  #include <linux/vmalloc.h>
> +#include <linux/security.h>
>  
>  #include "internal.h"
>  
> @@ -903,6 +904,11 @@ asmlinkage long sys_move_pages(pid_t pid
>  		goto out2;
>  	}
>  
> + 	err = security_task_movememory(task);
> + 	if (err)
> + 		goto out2;
> + 	
> +
>  	task_nodes = cpuset_mems_allowed(task);
>  
>  	/* Limit nr_pages so that the multiplication may not overflow */
> 

This check is before the validity of nodes has been verified but 
the check in sys_migrate_pages is after the checking of the nodes.




* Re: [PATCH 2/3] SELinux: add security_task_movememory calls to mm code
From: James Morris @ 2006-06-21 21:54 UTC (permalink / raw)
  To: Christoph Lameter
  Cc: Andrew Morton, linux-kernel, Stephen Smalley, Eric Paris,
	David Quigley, Chris Wright

On Wed, 21 Jun 2006, Christoph Lameter wrote:

> This check is before the validity of nodes has been verified but 
> the check in sys_migrate_pages is after the checking of the nodes.

This should be fine, as we're only checking at a broad level whether the 
task has permission to perform the operation at all.  We do not poke 
around inside to see which nodes are being referenced.


(did 1/3 make it to the list?)


- James
-- 
James Morris
<jmorris@namei.org>


* Re: [PATCH 2/3] SELinux: add security_task_movememory calls to mm code
From: Serge E. Hallyn @ 2006-06-22 12:31 UTC (permalink / raw)
  To: James Morris
  Cc: Andrew Morton, linux-kernel, Stephen Smalley, Eric Paris,
	David Quigley, Chris Wright, Christoph Lameter

Quoting James Morris (jmorris@namei.org):
> From: David Quigley <dpquigl@tycho.nsa.gov>
> 
> This patch inserts security_task_movememory hook calls into memory
> management code to enable security modules to mediate this operation
> between tasks.
> 
> Since the last posting, the hook has been renamed following feedback from
> Christoph Lameter.
> 
> This patch is aimed at 2.6.18 inclusion.
> 
> Please apply.

Hi,

sorry if I'm being dense - what is actually being protected against
here?  The only thing I can think of is one process causing performance
degradation to another by moving it's memory further from it's cpu on a
NUMA machine.

Is there something more?  (And is what I'm guessing even possible?)

I'm not arguing against this hook, just wondering whether there's
more to this than I see.

thanks,
-serge


* Re: [PATCH 2/3] SELinux: add security_task_movememory calls to mm code
From: Christoph Lameter @ 2006-06-22 14:55 UTC (permalink / raw)
  To: Serge E. Hallyn
  Cc: James Morris, Andrew Morton, linux-kernel, Stephen Smalley,
	Eric Paris, David Quigley, Chris Wright

On Thu, 22 Jun 2006, Serge E. Hallyn wrote:

> sorry if I'm being dense - what is actually being protected against
> here?  The only thing I can think of is one process causing performance
> degradation to another by moving it's memory further from it's cpu on a
> NUMA machine.

Right.
 
> Is there something more?  (And is what I'm guessing even possible?)

In the case of move_pages() a process can find out where the pages of 
another process were allocated.
 
> I'm not arguing against this hook, just wondering whether there's
> more to this than I see.

I was wondering myself.



* Re: [PATCH 2/3] SELinux: add security_task_movememory calls to mm code
From: James Morris @ 2006-06-22 19:10 UTC (permalink / raw)
  To: Serge E. Hallyn
  Cc: Andrew Morton, linux-kernel, Stephen Smalley, Eric Paris,
	David Quigley, Chris Wright, Christoph Lameter

On Thu, 22 Jun 2006, Serge E. Hallyn wrote:

> sorry if I'm being dense - what is actually being protected against
> here?  The only thing I can think of is one process causing performance
> degradation to another by moving it's memory further from it's cpu on a
> NUMA machine.

This is a privileged operation, which currently relies only on uid (i.e. 
traditional Unix DAC), and capability checking.

SELinux introduces Mandatory Access Control (MAC) based upon all 
security-relevant attributes of tasks and objects, not just uid/capability 
checks.  Theoretically, all processes could run with euid==0 under SELinux 
(in fact, Russell Coker's 'play box' does something similar by giving out 
the root password to everyone, although SELinux is designed to complement 
DAC, not replace it).

Any privileged operations with DAC controls also need corresponding MAC 
controls, which is what this patch implements.



- James
-- 
James Morris
<jmorris@namei.org>


* Re: [PATCH 2/3] SELinux: add security_task_movememory calls to mm code
From: Chris Wright @ 2006-06-22 19:21 UTC (permalink / raw)
  To: Serge E. Hallyn
  Cc: James Morris, Andrew Morton, linux-kernel, Stephen Smalley,
	Eric Paris, David Quigley, Chris Wright, Christoph Lameter

* Serge E. Hallyn (serue@us.ibm.com) wrote:
> sorry if I'm being dense - what is actually being protected against
> here?  The only thing I can think of is one process causing performance
> degradation to another by moving it's memory further from it's cpu on a
> NUMA machine.

There's been a short series of patches (plus a short doc from James) to
deal with code that's already doing uid/euid capable() checks w/out a
corresponding LSM hook.  IOW, it's already been recognized as security
sensitive and has DAC check w/out corresponding MAC check.  It's a small
issue with relatively minor security impacts, but is completing
mediation.

thanks,
-chris


* Re: [PATCH 1/3] SELinux: add task_movememory hook
From: Chris Wright @ 2006-06-22 21:53 UTC (permalink / raw)
  To: James Morris
  Cc: Andrew Morton, linux-kernel, Stephen Smalley, Eric Paris,
	David Quigley, Chris Wright, Christoph Lameter

* James Morris (jmorris@namei.org) wrote:
> From: David Quigley <dpquigl@tycho.nsa.gov>
> 
> This patch adds new security hook, task_movememory, to be called when 
> memory owened by a task is to be moved (e.g. when migrating pages to a 
> different node). At present, the SELinux hook function implementation for 
> this hook is identical to the setscheduler implementation, but a separate 
> hook introduced to allow this check to be specialized in the future if 
> necessary.
> 
> Since the last posting, the hook has been renamed following feedback from
> Christoph Lameter.
> 
> This patch is aimed at 2.6.18 inclusion.
> 
> Please apply.
> 
> Signed-Off-By: David Quigley <dpquigl@tycho.nsa.gov>
> Acked-by:  Stephen Smalley <sds@tycho.nsa.gov>
> Signed-off-by: James Morris <jmorris@namei.org>

Acked-by: Chris Wright <chrisw@sous-sol.org>

thanks,
-chris


* Re: [PATCH 2/3] SELinux: add security_task_movememory calls to mm code
From: Chris Wright @ 2006-06-22 21:53 UTC (permalink / raw)
  To: James Morris
  Cc: Andrew Morton, linux-kernel, Stephen Smalley, Eric Paris,
	David Quigley, Chris Wright, Christoph Lameter

* James Morris (jmorris@namei.org) wrote:
> From: David Quigley <dpquigl@tycho.nsa.gov>
> 
> This patch inserts security_task_movememory hook calls into memory
> management code to enable security modules to mediate this operation
> between tasks.
> 
> Since the last posting, the hook has been renamed following feedback from
> Christoph Lameter.
> 
> This patch is aimed at 2.6.18 inclusion.
> 
> Please apply.
> 
> Signed-Off-By: David Quigley <dpquigl@tycho.nsa.gov>
> Acked-by:  Stephen Smalley <sds@tycho.nsa.gov>
> Signed-off-by: James Morris <jmorris@namei.org>

Acked-by: Chris Wright <chrisw@sous-sol.org>

