[PATCH] SELinux: add security hook call to mediate attach_task (kernel/cpuset.c)

Add a security hook call to enable security modules to control the ability
to attach a task to a cpuset.  While limited control over this operation is
possible via permission checks on the pseudo fs interface, those checks are
not sufficient to control access to the target task, which is looked up in
this function.  The existing task_setscheduler hook is re-used for this
operation since this falls under the same class of operations.

Signed-off-by: David Quigley <dpquigl@tycho.nsa.gov>
Acked-by:  Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
Acked-by: Paul Jackson <pj@sgi.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
David Quigley authored and Linus Torvalds committed Jun 23, 2006
1 parent e7834f8 commit 22fb52d
Showing 1 changed file with 8 additions and 0 deletions.
8 changes: 8 additions & 0 deletions kernel/cpuset.c
Expand Up @@ -41,6 +41,7 @@
#include <linux/rcupdate.h>
#include <linux/sched.h>
#include <linux/seq_file.h>
#include <linux/security.h>
#include <linux/slab.h>
#include <linux/smp_lock.h>
#include <linux/spinlock.h>
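Review bot: style nit on the new `#include <linux/security.h>` line: the surrounding includes are in alphabetical order, and `security.h` sorts before `seq_file.h`, so it belongs one line higher, directly after `#include <linux/sched.h>`.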
Expand Down Expand Up @@ -1177,6 +1178,7 @@ static int attach_task(struct cpuset *cs, char *pidbuf, char **ppathbuf)
cpumask_t cpus;
nodemask_t from, to;
struct mm_struct *mm;
int retval;

if (sscanf(pidbuf, "%d", &pid) != 1)
return -EIO;
Expand Down Expand Up @@ -1205,6 +1207,12 @@ static int attach_task(struct cpuset *cs, char *pidbuf, char **ppathbuf)
get_task_struct(tsk);
}

retval = security_task_setscheduler(tsk, 0, NULL);
if (retval) {
put_task_struct(tsk);
return retval;
}

mutex_lock(&callback_mutex);

task_lock(tsk);
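Review bot: the call `security_task_setscheduler(tsk, 0, NULL)` passes a placeholder policy of 0 and a NULL parameter pointer with no comment at the call site, so a reader cannot tell from the code that the hook is being reused purely as a permission check on the target task. A short comment above the call saying that the policy and parameter arguments are unused here, and that the check covers attaching `tsk` to a cpuset, would document this. It would also flag that every security module implementing this hook has to tolerate a NULL third argument. The error path itself looks right: the check runs before `mutex_lock(&callback_mutex)`, so only the reference taken by `get_task_struct(tsk)` has to be dropped, and `put_task_struct(tsk)` does that before returning `retval`.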