Loading fs/proc/base.c +9 −4 Original line number Diff line number Diff line Loading @@ -2488,6 +2488,12 @@ static ssize_t proc_pid_attr_write(struct file * file, const char __user * buf, length = -ESRCH; if (!task) goto out_no_task; /* A task may only write its own attributes. */ length = -EACCES; if (current != task) goto out; if (count > PAGE_SIZE) count = PAGE_SIZE; Loading @@ -2503,14 +2509,13 @@ static ssize_t proc_pid_attr_write(struct file * file, const char __user * buf, } /* Guard against adverse ptrace interaction */ length = mutex_lock_interruptible(&task->signal->cred_guard_mutex); length = mutex_lock_interruptible(¤t->signal->cred_guard_mutex); if (length < 0) goto out_free; length = security_setprocattr(task, (char*)file->f_path.dentry->d_name.name, length = security_setprocattr(file->f_path.dentry->d_name.name, page, count); mutex_unlock(&task->signal->cred_guard_mutex); mutex_unlock(¤t->signal->cred_guard_mutex); out_free: kfree(page); out: Loading include/linux/lsm_hooks.h +1 −9 Original line number Diff line number Diff line Loading @@ -665,11 +665,6 @@ * @sig contains the signal value. * @secid contains the sid of the process where the signal originated * Return 0 if permission is granted. * @task_wait: * Check permission before allowing a process to reap a child process @p * and collect its status information. * @p contains the task_struct for process. * Return 0 if permission is granted. * @task_prctl: * Check permission before performing a process control operation on the * current process. Loading Loading @@ -1506,7 +1501,6 @@ union security_list_options { int (*task_movememory)(struct task_struct *p); int (*task_kill)(struct task_struct *p, struct siginfo *info, int sig, u32 secid); int (*task_wait)(struct task_struct *p); int (*task_prctl)(int option, unsigned long arg2, unsigned long arg3, unsigned long arg4, unsigned long arg5); void (*task_to_inode)(struct task_struct *p, struct inode *inode); Loading Loading @@ -1546,8 +1540,7 @@ union security_list_options { void (*d_instantiate)(struct dentry *dentry, struct inode *inode); int (*getprocattr)(struct task_struct *p, char *name, char **value); int (*setprocattr)(struct task_struct *p, char *name, void *value, size_t size); int (*setprocattr)(const char *name, void *value, size_t size); int (*ismaclabel)(const char *name); int (*secid_to_secctx)(u32 secid, char **secdata, u32 *seclen); int (*secctx_to_secid)(const char *secdata, u32 seclen, u32 *secid); Loading Loading @@ -1767,7 +1760,6 @@ struct security_hook_heads { struct list_head task_getscheduler; struct list_head task_movememory; struct list_head task_kill; struct list_head task_wait; struct list_head task_prctl; struct list_head task_to_inode; struct list_head ipc_permission; Loading include/linux/security.h +2 −8 Original line number Diff line number Diff line Loading @@ -332,7 +332,6 @@ int security_task_getscheduler(struct task_struct *p); int security_task_movememory(struct task_struct *p); int security_task_kill(struct task_struct *p, struct siginfo *info, int sig, u32 secid); int security_task_wait(struct task_struct *p); int security_task_prctl(int option, unsigned long arg2, unsigned long arg3, unsigned long arg4, unsigned long arg5); void security_task_to_inode(struct task_struct *p, struct inode *inode); Loading Loading @@ -361,7 +360,7 @@ int security_sem_semop(struct sem_array *sma, struct sembuf *sops, unsigned nsops, int alter); void security_d_instantiate(struct dentry *dentry, struct inode *inode); int security_getprocattr(struct task_struct *p, char *name, char **value); int security_setprocattr(struct task_struct *p, char *name, void *value, size_t size); int security_setprocattr(const char *name, void *value, size_t size); int security_netlink_send(struct sock *sk, struct sk_buff *skb); int security_ismaclabel(const char *name); int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen); Loading Loading @@ -980,11 +979,6 @@ static inline int security_task_kill(struct task_struct *p, return 0; } static inline int security_task_wait(struct task_struct *p) { return 0; } static inline int security_task_prctl(int option, unsigned long arg2, unsigned long arg3, unsigned long arg4, Loading Loading @@ -1106,7 +1100,7 @@ static inline int security_getprocattr(struct task_struct *p, char *name, char * return -EINVAL; } static inline int security_setprocattr(struct task_struct *p, char *name, void *value, size_t size) static inline int security_setprocattr(char *name, void *value, size_t size) { return -EINVAL; } Loading kernel/exit.c +2 −17 Original line number Diff line number Diff line Loading @@ -14,7 +14,6 @@ #include <linux/tty.h> #include <linux/iocontext.h> #include <linux/key.h> #include <linux/security.h> #include <linux/cpu.h> #include <linux/acct.h> #include <linux/tsacct_kern.h> Loading Loading @@ -1360,7 +1359,7 @@ static int wait_task_continued(struct wait_opts *wo, struct task_struct *p) * Returns nonzero for a final return, when we have unlocked tasklist_lock. * Returns zero if the search for a child should continue; * then ->notask_error is 0 if @p is an eligible child, * or another error from security_task_wait(), or still -ECHILD. * or still -ECHILD. */ static int wait_consider_task(struct wait_opts *wo, int ptrace, struct task_struct *p) Loading @@ -1380,20 +1379,6 @@ static int wait_consider_task(struct wait_opts *wo, int ptrace, if (!ret) return ret; ret = security_task_wait(p); if (unlikely(ret < 0)) { /* * If we have not yet seen any eligible child, * then let this error code replace -ECHILD. * A permission error will give the user a clue * to look for security policy problems, rather * than for mysterious wait bugs. */ if (wo->notask_error) wo->notask_error = ret; return 0; } if (unlikely(exit_state == EXIT_TRACE)) { /* * ptrace == 0 means we are the natural parent. In this case Loading Loading @@ -1486,7 +1471,7 @@ static int wait_consider_task(struct wait_opts *wo, int ptrace, * Returns nonzero for a final return, when we have unlocked tasklist_lock. * Returns zero if the search for a child should continue; then * ->notask_error is 0 if there were any eligible children, * or another error from security_task_wait(), or still -ECHILD. * or still -ECHILD. */ static int do_wait_thread(struct wait_opts *wo, struct task_struct *tsk) { Loading security/apparmor/lsm.c +2 −5 Original line number Diff line number Diff line Loading @@ -505,8 +505,8 @@ static int apparmor_getprocattr(struct task_struct *task, char *name, return error; } static int apparmor_setprocattr(struct task_struct *task, char *name, void *value, size_t size) static int apparmor_setprocattr(const char *name, void *value, size_t size) { char *command, *largs = NULL, *args = value; size_t arg_size; Loading @@ -515,9 +515,6 @@ static int apparmor_setprocattr(struct task_struct *task, char *name, if (size == 0) return -EINVAL; /* task can only write its own attributes */ if (current != task) return -EACCES; /* AppArmor requires that the buffer must be null terminated atm */ if (args[size - 1] != '\0') { Loading Loading
fs/proc/base.c +9 −4 Original line number Diff line number Diff line Loading @@ -2488,6 +2488,12 @@ static ssize_t proc_pid_attr_write(struct file * file, const char __user * buf, length = -ESRCH; if (!task) goto out_no_task; /* A task may only write its own attributes. */ length = -EACCES; if (current != task) goto out; if (count > PAGE_SIZE) count = PAGE_SIZE; Loading @@ -2503,14 +2509,13 @@ static ssize_t proc_pid_attr_write(struct file * file, const char __user * buf, } /* Guard against adverse ptrace interaction */ length = mutex_lock_interruptible(&task->signal->cred_guard_mutex); length = mutex_lock_interruptible(¤t->signal->cred_guard_mutex); if (length < 0) goto out_free; length = security_setprocattr(task, (char*)file->f_path.dentry->d_name.name, length = security_setprocattr(file->f_path.dentry->d_name.name, page, count); mutex_unlock(&task->signal->cred_guard_mutex); mutex_unlock(¤t->signal->cred_guard_mutex); out_free: kfree(page); out: Loading
include/linux/lsm_hooks.h +1 −9 Original line number Diff line number Diff line Loading @@ -665,11 +665,6 @@ * @sig contains the signal value. * @secid contains the sid of the process where the signal originated * Return 0 if permission is granted. * @task_wait: * Check permission before allowing a process to reap a child process @p * and collect its status information. * @p contains the task_struct for process. * Return 0 if permission is granted. * @task_prctl: * Check permission before performing a process control operation on the * current process. Loading Loading @@ -1506,7 +1501,6 @@ union security_list_options { int (*task_movememory)(struct task_struct *p); int (*task_kill)(struct task_struct *p, struct siginfo *info, int sig, u32 secid); int (*task_wait)(struct task_struct *p); int (*task_prctl)(int option, unsigned long arg2, unsigned long arg3, unsigned long arg4, unsigned long arg5); void (*task_to_inode)(struct task_struct *p, struct inode *inode); Loading Loading @@ -1546,8 +1540,7 @@ union security_list_options { void (*d_instantiate)(struct dentry *dentry, struct inode *inode); int (*getprocattr)(struct task_struct *p, char *name, char **value); int (*setprocattr)(struct task_struct *p, char *name, void *value, size_t size); int (*setprocattr)(const char *name, void *value, size_t size); int (*ismaclabel)(const char *name); int (*secid_to_secctx)(u32 secid, char **secdata, u32 *seclen); int (*secctx_to_secid)(const char *secdata, u32 seclen, u32 *secid); Loading Loading @@ -1767,7 +1760,6 @@ struct security_hook_heads { struct list_head task_getscheduler; struct list_head task_movememory; struct list_head task_kill; struct list_head task_wait; struct list_head task_prctl; struct list_head task_to_inode; struct list_head ipc_permission; Loading
include/linux/security.h +2 −8 Original line number Diff line number Diff line Loading @@ -332,7 +332,6 @@ int security_task_getscheduler(struct task_struct *p); int security_task_movememory(struct task_struct *p); int security_task_kill(struct task_struct *p, struct siginfo *info, int sig, u32 secid); int security_task_wait(struct task_struct *p); int security_task_prctl(int option, unsigned long arg2, unsigned long arg3, unsigned long arg4, unsigned long arg5); void security_task_to_inode(struct task_struct *p, struct inode *inode); Loading Loading @@ -361,7 +360,7 @@ int security_sem_semop(struct sem_array *sma, struct sembuf *sops, unsigned nsops, int alter); void security_d_instantiate(struct dentry *dentry, struct inode *inode); int security_getprocattr(struct task_struct *p, char *name, char **value); int security_setprocattr(struct task_struct *p, char *name, void *value, size_t size); int security_setprocattr(const char *name, void *value, size_t size); int security_netlink_send(struct sock *sk, struct sk_buff *skb); int security_ismaclabel(const char *name); int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen); Loading Loading @@ -980,11 +979,6 @@ static inline int security_task_kill(struct task_struct *p, return 0; } static inline int security_task_wait(struct task_struct *p) { return 0; } static inline int security_task_prctl(int option, unsigned long arg2, unsigned long arg3, unsigned long arg4, Loading Loading @@ -1106,7 +1100,7 @@ static inline int security_getprocattr(struct task_struct *p, char *name, char * return -EINVAL; } static inline int security_setprocattr(struct task_struct *p, char *name, void *value, size_t size) static inline int security_setprocattr(char *name, void *value, size_t size) { return -EINVAL; } Loading
kernel/exit.c +2 −17 Original line number Diff line number Diff line Loading @@ -14,7 +14,6 @@ #include <linux/tty.h> #include <linux/iocontext.h> #include <linux/key.h> #include <linux/security.h> #include <linux/cpu.h> #include <linux/acct.h> #include <linux/tsacct_kern.h> Loading Loading @@ -1360,7 +1359,7 @@ static int wait_task_continued(struct wait_opts *wo, struct task_struct *p) * Returns nonzero for a final return, when we have unlocked tasklist_lock. * Returns zero if the search for a child should continue; * then ->notask_error is 0 if @p is an eligible child, * or another error from security_task_wait(), or still -ECHILD. * or still -ECHILD. */ static int wait_consider_task(struct wait_opts *wo, int ptrace, struct task_struct *p) Loading @@ -1380,20 +1379,6 @@ static int wait_consider_task(struct wait_opts *wo, int ptrace, if (!ret) return ret; ret = security_task_wait(p); if (unlikely(ret < 0)) { /* * If we have not yet seen any eligible child, * then let this error code replace -ECHILD. * A permission error will give the user a clue * to look for security policy problems, rather * than for mysterious wait bugs. */ if (wo->notask_error) wo->notask_error = ret; return 0; } if (unlikely(exit_state == EXIT_TRACE)) { /* * ptrace == 0 means we are the natural parent. In this case Loading Loading @@ -1486,7 +1471,7 @@ static int wait_consider_task(struct wait_opts *wo, int ptrace, * Returns nonzero for a final return, when we have unlocked tasklist_lock. * Returns zero if the search for a child should continue; then * ->notask_error is 0 if there were any eligible children, * or another error from security_task_wait(), or still -ECHILD. * or still -ECHILD. */ static int do_wait_thread(struct wait_opts *wo, struct task_struct *tsk) { Loading
security/apparmor/lsm.c +2 −5 Original line number Diff line number Diff line Loading @@ -505,8 +505,8 @@ static int apparmor_getprocattr(struct task_struct *task, char *name, return error; } static int apparmor_setprocattr(struct task_struct *task, char *name, void *value, size_t size) static int apparmor_setprocattr(const char *name, void *value, size_t size) { char *command, *largs = NULL, *args = value; size_t arg_size; Loading @@ -515,9 +515,6 @@ static int apparmor_setprocattr(struct task_struct *task, char *name, if (size == 0) return -EINVAL; /* task can only write its own attributes */ if (current != task) return -EACCES; /* AppArmor requires that the buffer must be null terminated atm */ if (args[size - 1] != '\0') { Loading
