TOMOYO: Add refcounter on domain structure.

Add refcounter to "struct tomoyo_domain_info" since garbage collector needs to determine whether this struct is referred by "struct cred"->security or not. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Acked-by: Serge Hallyn <serue@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org>

TOMOYO: Add refcounter on domain structure.
Add refcounter to "struct tomoyo_domain_info" since garbage collector needs to determine whether this struct is referred by "struct cred"->security or not. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Acked-by: Serge Hallyn <serue@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org>
ec8e6a4e · Tetsuo Handa · James Morris · 76bb0895 · ec8e6a4e · ec8e6a4e
Commit ec8e6a4e authored Feb 11, 2010 by Tetsuo Handa Committed by James Morris Feb 15, 2010
Hide whitespace changes
Inline Side-by-side

Showing with 28 additions and 16 deletions

security/tomoyo/common.h security/tomoyo/common.h +5 -0

security/tomoyo/domain.c security/tomoyo/domain.c +2 -0

security/tomoyo/tomoyo.c security/tomoyo/tomoyo.c +21 -16

No files found.
--- a/security/tomoyo/common.h
+++ b/security/tomoyo/common.h
@@ -234,6 +234,10 @@ struct tomoyo_acl_info {
 *      name of the domain to be created was too long or it could not allocate
 *      memory. If set to true, more than one process continued execve()
 *      without domain transition.
+ *  (9) "users" is an atomic_t that holds how many "struct cred"->security
+ *      are referring this "struct tomoyo_domain_info". If is_deleted == true
+ *      and users == 0, this struct will be kfree()d upon next garbage
+ *      collection.
 *
 * A domain's lifecycle is an analogy of files on / directory.
 * Multiple domains with the same domainname cannot be created (as with
@@ -252,6 +256,7 @@ struct tomoyo_domain_info {
 	bool quota_warned; /* Quota warnning flag.   */
 	bool ignore_global_allow_read; /* Ignore "allow_read" flag. */
 	bool transition_failed; /* Domain transition failed flag. */
+	atomic_t users; /* Number of referring credentials. */
 };

 /*

--- a/security/tomoyo/domain.c
+++ b/security/tomoyo/domain.c
@@ -817,6 +817,8 @@ int tomoyo_find_next_domain(struct linux_binprm *bprm)
 out:
 	if (!domain)
 		domain = old_domain;
+	/* Update reference count on "struct tomoyo_domain_info". */
+	atomic_inc(&domain->users);
 	bprm->cred->security = domain;
 	kfree(real_program_name);
 	kfree(symlink_program_name);

--- a/security/tomoyo/tomoyo.c
+++ b/security/tomoyo/tomoyo.c
@@ -21,21 +21,23 @@ static int tomoyo_cred_alloc_blank(struct cred *new, gfp_t gfp)
 static int tomoyo_cred_prepare(struct cred *new, const struct cred *old,
 			       gfp_t gfp)
 {
-	/*
-	 * Since "struct tomoyo_domain_info *" is a sharable pointer,
-	 * we don't need to duplicate.
-	 */
-	new->security = old->security;
+	struct tomoyo_domain_info *domain = old->security;
+	new->security = domain;
+	if (domain)
+		atomic_inc(&domain->users);
 	return 0;
 }

 static void tomoyo_cred_transfer(struct cred *new, const struct cred *old)
 {
-	/*
-	 * Since "struct tomoyo_domain_info *" is a sharable pointer,
-	 * we don't need to duplicate.
-	 */
-	new->security = old->security;
+	tomoyo_cred_prepare(new, old, 0);
+}
+
+static void tomoyo_cred_free(struct cred *cred)
+{
+	struct tomoyo_domain_info *domain = cred->security;
+	if (domain)
+		atomic_dec(&domain->users);
 }

 static int tomoyo_bprm_set_creds(struct linux_binprm *bprm)
@@ -58,6 +60,14 @@ static int tomoyo_bprm_set_creds(struct linux_binprm *bprm)
 	 */
 	if (!tomoyo_policy_loaded)
 		tomoyo_load_policy(bprm->filename);
+	/*
+	 * Release reference to "struct tomoyo_domain_info" stored inside
+	 * "bprm->cred->security". New reference to "struct tomoyo_domain_info"
+	 * stored inside "bprm->cred->security" will be acquired later inside
+	 * tomoyo_find_next_domain().
+	 */
+	atomic_dec(&((struct tomoyo_domain_info *)
+		     bprm->cred->security)->users);
 	/*
 	 * Tell tomoyo_bprm_check_security() is called for the first time of an
 	 * execve operation.
@@ -75,12 +85,6 @@ static int tomoyo_bprm_check_security(struct linux_binprm *bprm)
 	 * using current domain.
 	 */
 	if (!domain) {
-		/*
-		 * We will need to protect whole execve() operation when GC
-		 * starts kfree()ing "struct tomoyo_domain_info" because
-		 * bprm->cred->security points to "struct tomoyo_domain_info"
-		 * but "struct tomoyo_domain_info" does not have a refcounter.
-		 */
 		const int idx = tomoyo_read_lock();
 		const int err = tomoyo_find_next_domain(bprm);
 		tomoyo_read_unlock(idx);
@@ -265,6 +269,7 @@ static struct security_operations tomoyo_security_ops = {
 	.cred_alloc_blank    = tomoyo_cred_alloc_blank,
 	.cred_prepare        = tomoyo_cred_prepare,
 	.cred_transfer	     = tomoyo_cred_transfer,
+	.cred_free           = tomoyo_cred_free,
 	.bprm_set_creds      = tomoyo_bprm_set_creds,
 	.bprm_check_security = tomoyo_bprm_check_security,
 	.file_fcntl          = tomoyo_file_fcntl,