[PATCH] /proc/pid inode security labels

From: Stephen Smalley <sds@epoch.ncsc.mil>

This patch against 2.5.69-bk adds a hook to proc_pid_make_inode to allow
security modules to set the security attributes on /proc/pid inodes based on
the security attributes of the associated task.  This is required by SELinux
in order to control access to the process state accessible via /proc/pid
inodes in accordance with the task's security label.

An alternative approach that was considered was to implement an xattr handler
for /proc/pid inodes.  That approach would still require a hook call from the
xattr handler to the security module to obtain an xattr value based on the
task security attributes, so it would add a further level of
indirection/translation.  The only benefit of implementing an xattr handler
for the /proc/pid inodes would be that the /proc/pid inode security labels
could then be exported to userspace.  However, the /proc/pid inode security
labels are only used internally by the security module for access control
purposes, and userspace access to the full range of process attributes is
already provided via the /proc/pid/attr interface.  Consequently, a simple
hook in proc_pid_make_inode seemed preferable.

fs/proc/base.c

@@ -829,6 +829,7 @@ static struct inode *proc_pid_make_inode(struct super_block * sb, struct task_st
 		inode->i_uid = task->euid;
 		inode->i_gid = task->egid;
 	}
+	security_task_to_inode(task, inode);
 
 out:
 	return inode;

include/linux/security.h

@@ -596,6 +596,11 @@ struct swap_info_struct;
  * 	Set the security attributes in @p->security for a kernel thread that
  * 	is being reparented to the init task.
  *	@p contains the task_struct for the kernel thread.
+ * @task_to_inode:
+ * 	Set the security attributes for an inode based on an associated task's
+ * 	security attributes, e.g. for /proc/pid inodes.
+ *	@p contains the task_struct for the task.
+ *	@inode contains the inode structure for the inode.
  *
  * Security hooks for Netlink messaging.
  *
@@ -1086,6 +1091,7 @@ struct security_operations {
 			   unsigned long arg5);
 	void (*task_kmod_set_label) (void);
 	void (*task_reparent_to_init) (struct task_struct * p);
+	void (*task_to_inode)(struct task_struct *p, struct inode *inode);
 
 	int (*ipc_permission) (struct kern_ipc_perm * ipcp, short flag);
 
@@ -1659,6 +1665,11 @@ static inline void security_task_reparent_to_init (struct task_struct *p)
 	security_ops->task_reparent_to_init (p);
 }
 
+static inline void security_task_to_inode(struct task_struct *p, struct inode *inode)
+{
+	security_ops->task_to_inode(p, inode);
+}
+
 static inline int security_ipc_permission (struct kern_ipc_perm *ipcp,
 					   short flag)
 {
@@ -2268,6 +2279,9 @@ static inline void security_task_reparent_to_init (struct task_struct *p)
 	cap_task_reparent_to_init (p);
 }
 
+static inline void security_task_to_inode(struct task_struct *p, struct inode *inode)
+{ }
+
 static inline int security_ipc_permission (struct kern_ipc_perm *ipcp,
 					   short flag)
 {

security/dummy.c

@@ -513,6 +513,9 @@ static void dummy_task_reparent_to_init (struct task_struct *p)
 	return;
 }
 
+static void dummy_task_to_inode(struct task_struct *p, struct inode *inode)
+{ }
+
 static int dummy_ipc_permission (struct kern_ipc_perm *ipcp, short flag)
 {
 	return 0;
@@ -852,6 +855,7 @@ void security_fixup_ops (struct security_operations *ops)
 	set_to_dummy_if_null(ops, task_prctl);
 	set_to_dummy_if_null(ops, task_kmod_set_label);
 	set_to_dummy_if_null(ops, task_reparent_to_init);
+ 	set_to_dummy_if_null(ops, task_to_inode);
 	set_to_dummy_if_null(ops, ipc_permission);
 	set_to_dummy_if_null(ops, msg_msg_alloc_security);
 	set_to_dummy_if_null(ops, msg_msg_free_security);