[PATCH] SELinux: add task_movememory hook

This patch adds new security hook, task_movememory, to be called when memory
owened by a task is to be moved (e.g.  when migrating pages to a this hook is
identical to the setscheduler implementation, but a separate hook introduced
to allow this check to be specialized in the future if necessary.

Since the last posting, the hook has been renamed following feedback from
Christoph Lameter.

Signed-off-by: David Quigley <dpquigl@tycho.nsa.gov>
Acked-by:  Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
Cc: Christoph Lameter <clameter@sgi.com>
Cc: Andi Kleen <ak@muc.de>
Acked-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

diff --git a/include/linux/security.h b/include/linux/security.h
index 65b32a0..d2c17bd 100644 (file)
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -601,6 +601,10 @@ struct swap_info_struct;
  *     @p.
  *     @p contains the task_struct for process.
  *     Return 0 if permission is granted.
+ * @task_movememory
+ *     Check permission before moving memory owned by process @p.
+ *     @p contains the task_struct for process.
+ *     Return 0 if permission is granted.
  * @task_kill:
  *     Check permission before sending signal @sig to @p.  @info can be NULL,
  *     the constant 1, or a pointer to a siginfo structure.  If @info is 1 or
@@ -1220,6 +1224,7 @@ struct security_operations {
        int (*task_setscheduler) (struct task_struct * p, int policy,
                                  struct sched_param * lp);
        int (*task_getscheduler) (struct task_struct * p);
+       int (*task_movememory) (struct task_struct * p);
        int (*task_kill) (struct task_struct * p,
                          struct siginfo * info, int sig);
        int (*task_wait) (struct task_struct * p);
@@ -1865,6 +1870,11 @@ static inline int security_task_getscheduler (struct task_struct *p)
        return security_ops->task_getscheduler (p);
 }
 
+static inline int security_task_movememory (struct task_struct *p)
+{
+       return security_ops->task_movememory (p);
+}
+
 static inline int security_task_kill (struct task_struct *p,
                                      struct siginfo *info, int sig)
 {
@@ -2512,6 +2522,11 @@ static inline int security_task_getscheduler (struct task_struct *p)
        return 0;
 }
 
+static inline int security_task_movememory (struct task_struct *p)
+{
+       return 0;
+}
+
 static inline int security_task_kill (struct task_struct *p,
                                      struct siginfo *info, int sig)
 {

diff --git a/security/dummy.c b/security/dummy.c
index 879a985..c3c5493 100644 (file)
--- a/security/dummy.c
+++ b/security/dummy.c
@@ -537,6 +537,11 @@ static int dummy_task_getscheduler (struct task_struct *p)
        return 0;
 }
 
+static int dummy_task_movememory (struct task_struct *p)
+{
+       return 0;
+}
+
 static int dummy_task_wait (struct task_struct *p)
 {
        return 0;
@@ -981,6 +986,7 @@ void security_fixup_ops (struct security_operations *ops)
        set_to_dummy_if_null(ops, task_setrlimit);
        set_to_dummy_if_null(ops, task_setscheduler);
        set_to_dummy_if_null(ops, task_getscheduler);
+       set_to_dummy_if_null(ops, task_movememory);
        set_to_dummy_if_null(ops, task_wait);
        set_to_dummy_if_null(ops, task_kill);
        set_to_dummy_if_null(ops, task_prctl);

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 9dcf298..79c16e3 100644 (file)
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2679,6 +2679,11 @@ static int selinux_task_getscheduler(struct task_struct *p)
        return task_has_perm(current, p, PROCESS__GETSCHED);
 }
 
+static int selinux_task_movememory(struct task_struct *p)
+{
+       return task_has_perm(current, p, PROCESS__SETSCHED);
+}
+
 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, int sig)
 {
        u32 perm;
@@ -4392,6 +4397,7 @@ static struct security_operations selinux_ops = {
        .task_setrlimit =               selinux_task_setrlimit,
        .task_setscheduler =            selinux_task_setscheduler,
        .task_getscheduler =            selinux_task_getscheduler,
+       .task_movememory =              selinux_task_movememory,
        .task_kill =                    selinux_task_kill,
        .task_wait =                    selinux_task_wait,
        .task_prctl =                   selinux_task_prctl,