Commit 8fd00b4d authored by Jiri Slaby's avatar Jiri Slaby

rlimits: security, add task_struct to setrlimit

Add task_struct to task_setrlimit of security_operations to be able to set
rlimit of task other than current.
Signed-off-by: default avatarJiri Slaby <jirislaby@gmail.com>
Acked-by: default avatarEric Paris <eparis@redhat.com>
Acked-by: default avatarJames Morris <jmorris@namei.org>
parent 2f7989ef
...@@ -1501,7 +1501,8 @@ struct security_operations { ...@@ -1501,7 +1501,8 @@ struct security_operations {
int (*task_setnice) (struct task_struct *p, int nice); int (*task_setnice) (struct task_struct *p, int nice);
int (*task_setioprio) (struct task_struct *p, int ioprio); int (*task_setioprio) (struct task_struct *p, int ioprio);
int (*task_getioprio) (struct task_struct *p); int (*task_getioprio) (struct task_struct *p);
int (*task_setrlimit) (unsigned int resource, struct rlimit *new_rlim); int (*task_setrlimit) (struct task_struct *p, unsigned int resource,
struct rlimit *new_rlim);
int (*task_setscheduler) (struct task_struct *p, int policy, int (*task_setscheduler) (struct task_struct *p, int policy,
struct sched_param *lp); struct sched_param *lp);
int (*task_getscheduler) (struct task_struct *p); int (*task_getscheduler) (struct task_struct *p);
...@@ -1751,7 +1752,8 @@ void security_task_getsecid(struct task_struct *p, u32 *secid); ...@@ -1751,7 +1752,8 @@ void security_task_getsecid(struct task_struct *p, u32 *secid);
int security_task_setnice(struct task_struct *p, int nice); int security_task_setnice(struct task_struct *p, int nice);
int security_task_setioprio(struct task_struct *p, int ioprio); int security_task_setioprio(struct task_struct *p, int ioprio);
int security_task_getioprio(struct task_struct *p); int security_task_getioprio(struct task_struct *p);
int security_task_setrlimit(unsigned int resource, struct rlimit *new_rlim); int security_task_setrlimit(struct task_struct *p, unsigned int resource,
struct rlimit *new_rlim);
int security_task_setscheduler(struct task_struct *p, int security_task_setscheduler(struct task_struct *p,
int policy, struct sched_param *lp); int policy, struct sched_param *lp);
int security_task_getscheduler(struct task_struct *p); int security_task_getscheduler(struct task_struct *p);
...@@ -2313,7 +2315,8 @@ static inline int security_task_getioprio(struct task_struct *p) ...@@ -2313,7 +2315,8 @@ static inline int security_task_getioprio(struct task_struct *p)
return 0; return 0;
} }
static inline int security_task_setrlimit(unsigned int resource, static inline int security_task_setrlimit(struct task_struct *p,
unsigned int resource,
struct rlimit *new_rlim) struct rlimit *new_rlim)
{ {
return 0; return 0;
......
...@@ -1290,7 +1290,7 @@ SYSCALL_DEFINE2(setrlimit, unsigned int, resource, struct rlimit __user *, rlim) ...@@ -1290,7 +1290,7 @@ SYSCALL_DEFINE2(setrlimit, unsigned int, resource, struct rlimit __user *, rlim)
if (resource == RLIMIT_NOFILE && new_rlim.rlim_max > sysctl_nr_open) if (resource == RLIMIT_NOFILE && new_rlim.rlim_max > sysctl_nr_open)
return -EPERM; return -EPERM;
retval = security_task_setrlimit(resource, &new_rlim); retval = security_task_setrlimit(current, resource, &new_rlim);
if (retval) if (retval)
return retval; return retval;
......
...@@ -412,7 +412,8 @@ static int cap_task_getioprio(struct task_struct *p) ...@@ -412,7 +412,8 @@ static int cap_task_getioprio(struct task_struct *p)
return 0; return 0;
} }
static int cap_task_setrlimit(unsigned int resource, struct rlimit *new_rlim) static int cap_task_setrlimit(struct task_struct *p, unsigned int resource,
struct rlimit *new_rlim)
{ {
return 0; return 0;
} }
......
...@@ -769,9 +769,10 @@ int security_task_getioprio(struct task_struct *p) ...@@ -769,9 +769,10 @@ int security_task_getioprio(struct task_struct *p)
return security_ops->task_getioprio(p); return security_ops->task_getioprio(p);
} }
int security_task_setrlimit(unsigned int resource, struct rlimit *new_rlim) int security_task_setrlimit(struct task_struct *p, unsigned int resource,
struct rlimit *new_rlim)
{ {
return security_ops->task_setrlimit(resource, new_rlim); return security_ops->task_setrlimit(p, resource, new_rlim);
} }
int security_task_setscheduler(struct task_struct *p, int security_task_setscheduler(struct task_struct *p,
......
...@@ -3371,16 +3371,17 @@ static int selinux_task_getioprio(struct task_struct *p) ...@@ -3371,16 +3371,17 @@ static int selinux_task_getioprio(struct task_struct *p)
return current_has_perm(p, PROCESS__GETSCHED); return current_has_perm(p, PROCESS__GETSCHED);
} }
static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim) static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
struct rlimit *new_rlim)
{ {
struct rlimit *old_rlim = current->signal->rlim + resource; struct rlimit *old_rlim = p->signal->rlim + resource;
/* Control the ability to change the hard limit (whether /* Control the ability to change the hard limit (whether
lowering or raising it), so that the hard limit can lowering or raising it), so that the hard limit can
later be used as a safe reset point for the soft limit later be used as a safe reset point for the soft limit
upon context transitions. See selinux_bprm_committing_creds. */ upon context transitions. See selinux_bprm_committing_creds. */
if (old_rlim->rlim_max != new_rlim->rlim_max) if (old_rlim->rlim_max != new_rlim->rlim_max)
return current_has_perm(current, PROCESS__SETRLIMIT); return current_has_perm(p, PROCESS__SETRLIMIT);
return 0; return 0;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment