2005-11-14 21:33:24

by Serge E. Hallyn

Subject: [RFC] [PATCH 10/13] Change pid accesses: security/

Replace-Subject: Change pid accesses: security/
From: Serge Hallyn <[email protected]>

Change pid accesses for security modules.

Signed-off-by: Dave Hansen <[email protected]>
Signed-off-by: Serge Hallyn <[email protected]>
---
security/commoncap.c | 2 +-
security/keys/process_keys.c | 6 +++---
security/keys/request_key_auth.c | 2 +-
security/seclvl.c | 16 ++++++++--------
security/selinux/avc.c | 4 ++--
5 files changed, 15 insertions(+), 15 deletions(-)

Index: linux-2.6.15-rc1/security/commoncap.c
===================================================================
--- linux-2.6.15-rc1.orig/security/commoncap.c
+++ linux-2.6.15-rc1/security/commoncap.c
@@ -169,7 +169,7 @@ void cap_bprm_apply_creds (struct linux_
/* For init, we want to retain the capabilities set
* in the init_task struct. Thus we skip the usual
* capability rules */
- if (current->pid != 1) {
+ if (task_pid(current) != 1) {
current->cap_permitted = new_permitted;
current->cap_effective =
cap_intersect (new_permitted, bprm->cap_effective);
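Review bot: The init exemption in `cap_bprm_apply_creds` still depends on the literal `1`, now compared against whatever `task_pid()` returns, and that accessor's definition is not part of this patch. If it can ever return something other than the system-wide pid, a task that is not the real init would skip the usual capability rules here. The same comparison is repeated in the `seclvl_ptrace`, `seclvl_capable`, `seclvl_inode_permission` and `seclvl_umount` hunks of security/seclvl.c. A single shared predicate (a hypothetical `task_is_init(tsk)`) with the comment `/* init means the system-wide pid 1, never a remapped id */` would keep all five checks in step. The function body continues outside the hunk.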
Index: linux-2.6.15-rc1/security/keys/process_keys.c
===================================================================
--- linux-2.6.15-rc1.orig/security/keys/process_keys.c
+++ linux-2.6.15-rc1/security/keys/process_keys.c
@@ -140,7 +140,7 @@ int install_thread_keyring(struct task_s
char buf[20];
int ret;

- sprintf(buf, "_tid.%u", tsk->pid);
+ sprintf(buf, "_tid.%u", task_pid(tsk));

keyring = keyring_alloc(buf, tsk->uid, tsk->gid, 1, NULL);
if (IS_ERR(keyring)) {
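Review bot: The `sprintf()` into the 20-byte `buf` in `install_thread_keyring` is unbounded, and its `%u` argument now comes from `task_pid()`, whose return type this patch does not show. The present strings fit, but a bounded call removes the dependence on the accessor: `snprintf(buf, sizeof(buf), "_tid.%u", task_pid(tsk));`. The `_pid.%u` and `_ses.%u` calls in the next two hunks have the same shape, though their buffer declarations are outside the hunks. If the accessor returns a signed `pid_t`, the conversion should be `%d` or the argument should be cast to match `%u`.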
@@ -173,7 +173,7 @@ int install_process_keyring(struct task_
int ret;

if (!tsk->signal->process_keyring) {
- sprintf(buf, "_pid.%u", tsk->tgid);
+ sprintf(buf, "_pid.%u", task_tgid(tsk));

keyring = keyring_alloc(buf, tsk->uid, tsk->gid, 1, NULL);
if (IS_ERR(keyring)) {
@@ -213,7 +213,7 @@ static int install_session_keyring(struc

/* create an empty session keyring */
if (!keyring) {
- sprintf(buf, "_ses.%u", tsk->tgid);
+ sprintf(buf, "_ses.%u", task_tgid(tsk));

keyring = keyring_alloc(buf, tsk->uid, tsk->gid, 1, NULL);
if (IS_ERR(keyring)) {
Index: linux-2.6.15-rc1/security/keys/request_key_auth.c
===================================================================
--- linux-2.6.15-rc1.orig/security/keys/request_key_auth.c
+++ linux-2.6.15-rc1/security/keys/request_key_auth.c
@@ -60,7 +60,7 @@ static int request_key_auth_instantiate(
else {
/* it isn't - use this process as the context */
rka->context = current;
- rka->pid = current->pid;
+ rka->pid = task_pid(current);
}

rka->target_key = key_get((struct key *) data);
Index: linux-2.6.15-rc1/security/seclvl.c
===================================================================
--- linux-2.6.15-rc1.orig/security/seclvl.c
+++ linux-2.6.15-rc1/security/seclvl.c
@@ -296,7 +296,7 @@ static struct file_operations passwd_fil
static int seclvl_ptrace(struct task_struct *parent, struct task_struct *child)
{
if (seclvl >= 0) {
- if (child->pid == 1) {
+ if (task_pid(child) == 1) {
seclvl_printk(1, KERN_WARNING, "Attempt to ptrace "
"the init process dissallowed in "
"secure level %d\n", seclvl);
@@ -313,7 +313,7 @@ static int seclvl_ptrace(struct task_str
static int seclvl_capable(struct task_struct *tsk, int cap)
{
/* init can do anything it wants */
- if (tsk->pid == 1)
+ if (task_pid(tsk) == 1)
return 0;

switch (seclvl) {
@@ -375,10 +375,10 @@ static int seclvl_settime(struct timespe
(tv->tv_sec == now.tv_sec && tv->tv_nsec < now.tv_nsec)) {
seclvl_printk(1, KERN_WARNING, "Attempt to decrement "
"time in secure level %d denied: "
- "current->pid = [%d], "
- "current->group_leader->pid = [%d]\n",
- seclvl, current->pid,
- current->group_leader->pid);
+ "current pid = [%d], "
+ "current->group_leader pid = [%d]\n",
+ seclvl, task_pid(current),
+ task_pid(current->group_leader));
return -EPERM;
} /* if attempt to decrement time */
} /* if seclvl > 1 */
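Review bot: The warning text in `seclvl_settime` changes from `current->pid = [%d]` to `current pid = [%d]`, which alters a security log line in a patch described only as changing pid accesses. A log filter or alert that matches the old string would stop matching without any notice. Either keep the original message text and change only the two arguments, or state the message change in the changelog. The `%d` conversions also assume `task_pid()` returns a signed int-sized value, which is not visible here.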
@@ -424,7 +424,7 @@ static void seclvl_bd_release(struct ino
static int
seclvl_inode_permission(struct inode *inode, int mask, struct nameidata *nd)
{
- if (current->pid != 1 && S_ISBLK(inode->i_mode) && (mask & MAY_WRITE)) {
+ if (task_pid(current) != 1 && S_ISBLK(inode->i_mode) && (mask & MAY_WRITE)) {
switch (seclvl) {
case 2:
seclvl_printk(1, KERN_WARNING, "Write to block device "
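Review bot: The rewritten condition in `seclvl_inode_permission` is 77 characters before indentation, so with one tab of indent it runs past 80 columns. Break it after the second operand: `if (task_pid(current) != 1 && S_ISBLK(inode->i_mode) &&` with `(mask & MAY_WRITE)) {` on an aligned continuation line. The function continues outside the hunk.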
@@ -479,7 +479,7 @@ static void seclvl_file_free_security(st
*/
static int seclvl_umount(struct vfsmount *mnt, int flags)
{
- if (current->pid == 1)
+ if (task_pid(current) == 1)
return 0;
if (seclvl == 2) {
seclvl_printk(1, KERN_WARNING, "Attempt to unmount in secure "
Index: linux-2.6.15-rc1/security/selinux/avc.c
===================================================================
--- linux-2.6.15-rc1.orig/security/selinux/avc.c
+++ linux-2.6.15-rc1/security/selinux/avc.c
@@ -558,8 +558,8 @@ void avc_audit(u32 ssid, u32 tsid,
audit_log_format(ab, " for ");
if (a && a->tsk)
tsk = a->tsk;
- if (tsk && tsk->pid) {
- audit_log_format(ab, " pid=%d comm=", tsk->pid);
+ if (tsk && task_pid(tsk)) {
+ audit_log_format(ab, " pid=%d comm=", task_pid(tsk));
audit_log_untrustedstring(ab, tsk->comm);
}
if (a) {
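Review bot: The audit record in `avc_audit` now takes its `pid=` field from `task_pid(tsk)`, and nothing in the hunk says which pid that is. Audit consumers correlate this field with other records, so it should remain the system-wide pid; a comment such as `/* audit records always carry the system-wide pid */` above the `if` would pin that down. The accessor is also called twice, so if it is more than a plain field read, a local `pid_t pid = task_pid(tsk);` would avoid the second call. The function starts and ends outside the hunk.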

--