[PATCH] SELinux: add security hook call to mediate attach_task (kernel/cpuset.c)
authorDavid Quigley <dpquigl@tycho.nsa.gov>
Fri, 23 Jun 2006 09:04:00 +0000 (02:04 -0700)
committerLinus Torvalds <torvalds@g5.osdl.org>
Fri, 23 Jun 2006 14:42:54 +0000 (07:42 -0700)
Add a security hook call to enable security modules to control the ability
to attach a task to a cpuset.  While limited control over this operation is
possible via permission checks on the pseudo fs interface, those checks are
not sufficient to control access to the target task, which is looked up in
this function.  The existing task_setscheduler hook is re-used for this
operation since this falls under the same class of operations.

Signed-off-by: David Quigley <dpquigl@tycho.nsa.gov>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
Acked-by: Paul Jackson <pj@sgi.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
kernel/cpuset.c

index 77f45ffd5ea102499302233265c87b1b5d2ddc1a..b602f73fb38d021133f0c8d3f7f0516dc78e61a7 100644 (file)
@@ -41,6 +41,7 @@
 #include <linux/rcupdate.h>
 #include <linux/sched.h>
 #include <linux/seq_file.h>
+#include <linux/security.h>
 #include <linux/slab.h>
 #include <linux/smp_lock.h>
 #include <linux/spinlock.h>
@@ -1177,6 +1178,7 @@ static int attach_task(struct cpuset *cs, char *pidbuf, char **ppathbuf)
        cpumask_t cpus;
        nodemask_t from, to;
        struct mm_struct *mm;
+       int retval;
 
        if (sscanf(pidbuf, "%d", &pid) != 1)
                return -EIO;
@@ -1205,6 +1207,12 @@ static int attach_task(struct cpuset *cs, char *pidbuf, char **ppathbuf)
                get_task_struct(tsk);
        }
 
+       retval = security_task_setscheduler(tsk, 0, NULL);
+       if (retval) {
+               put_task_struct(tsk);
+               return retval;
+       }
+
        mutex_lock(&callback_mutex);
 
        task_lock(tsk);
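Review bot: The added call `security_task_setscheduler(tsk, 0, NULL)` passes a placeholder policy and a NULL param pointer with no comment explaining that these values are not meaningful on this path. A security module whose task_setscheduler implementation inspects the policy or dereferences the param would see 0 and NULL here; the hunk does not show whether every implementation tolerates that, so it is worth confirming and stating in the hook's documentation. I would add above the call something like `/* Reuse the task_setscheduler hook to mediate cpuset attach; policy and param are unused placeholders. */`. The `put_task_struct(tsk)` on the denial path balances the `get_task_struct(tsk)` visible just above, but attach_task's body begins and ends outside the hunk, so the other lookup branch should be checked for the same reference.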