[PATCH][LSM] Early init for security modules and various cleanups

Chris Wright (chris@wirex.com)
Mon, 2 Jun 2003 02:54:50 -0700


# This is a BitKeeper generated patch for the following project:
# Project Name: Linux kernel tree
# This patch format is intended for GNU patch command version 2.5 or higher.
# This patch includes the following deltas:
# ChangeSet 1.1259 -> 1.1260
# mm/oom_kill.c 1.23 -> 1.24
# include/linux/security.h 1.21 -> 1.22
#
# The following is the BitKeeper ChangeSet Log
# --------------------------------------------
# 03/06/02 sds@epoch.ncsc.mil 1.1260
# [LSM] Replaced the direct capability bit tests with calls to the
# security_capable hook in mm/oom_kill.c
# --------------------------------------------
#
diff -Nru a/include/linux/security.h b/include/linux/security.h
--- a/include/linux/security.h Mon Jun 2 01:30:56 2003
+++ b/include/linux/security.h Mon Jun 2 01:30:56 2003
@@ -1231,6 +1231,11 @@
return security_ops->sysctl(table, op);
}

+static inline int security_capable(struct task_struct * tsk, int cap)
+{
+ return security_ops->capable(tsk, cap);
+}
+
static inline int security_quotactl (int cmds, int type, int id,
struct super_block *sb)
{
@@ -1894,6 +1899,11 @@
static inline int security_sysctl(ctl_table * table, int op)
{
return 0;
+}
+
+static inline int security_capable(struct task_struct * tsk, int cap)
+{
+ return cap_capable(tsk, cap);
}

static inline int security_quotactl (int cmds, int type, int id,
diff -Nru a/mm/oom_kill.c b/mm/oom_kill.c
--- a/mm/oom_kill.c Mon Jun 2 01:30:56 2003
+++ b/mm/oom_kill.c Mon Jun 2 01:30:56 2003
@@ -20,6 +20,7 @@
#include <linux/swap.h>
#include <linux/timex.h>
#include <linux/jiffies.h>
+#include <linux/security.h>

/* #define DEBUG */

@@ -91,7 +92,7 @@
* Superuser processes are usually more important, so we make it
* less likely that we kill those.
*/
- if (cap_t(p->cap_effective) & CAP_TO_MASK(CAP_SYS_ADMIN) ||
+ if (!security_capable(p,CAP_SYS_ADMIN) ||
p->uid == 0 || p->euid == 0)
points /= 4;

@@ -101,7 +102,7 @@
* tend to only have this flag set on applications they think
* of as important.
*/
- if (cap_t(p->cap_effective) & CAP_TO_MASK(CAP_SYS_RAWIO))
+ if (!security_capable(p,CAP_SYS_RAWIO))
points /= 4;
#ifdef DEBUG
printk(KERN_DEBUG "OOMkill: task %d (%s) got %d points\n",
@@ -154,7 +155,7 @@
p->flags |= PF_MEMALLOC | PF_MEMDIE;

/* This process has hardware access, be more careful. */
- if (cap_t(p->cap_effective) & CAP_TO_MASK(CAP_SYS_RAWIO)) {
+ if (!security_capable(p,CAP_SYS_RAWIO)) {
force_sig(SIGTERM, p);
} else {
force_sig(SIGKILL, p);
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/