summaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorStephen Smalley <sds@tycho.nsa.gov>2017-02-17 07:57:00 -0500
committerJames Morris <james.l.morris@oracle.com>2017-03-06 10:43:47 +1100
commit791ec491c372f49cea3ea7a7143454a9023ac9d4 (patch)
tree61ebe35fe137240666588ae13723c3ae971558ac /security
parentc1ae3cfa0e89fa1a7ecc4c99031f5e9ae99d9201 (diff)
downloadlinux-791ec491c372f49cea3ea7a7143454a9023ac9d4.tar.bz2
prlimit,security,selinux: add a security hook for prlimit
When SELinux was first added to the kernel, a process could only get and set its own resource limits via getrlimit(2) and setrlimit(2), so no MAC checks were required for those operations, and thus no security hooks were defined for them. Later, SELinux introduced a hook for setlimit(2) with a check if the hard limit was being changed in order to be able to rely on the hard limit value as a safe reset point upon context transitions. Later on, when prlimit(2) was added to the kernel with the ability to get or set resource limits (hard or soft) of another process, LSM/SELinux was not updated other than to pass the target process to the setrlimit hook. This resulted in incomplete control over both getting and setting the resource limits of another process. Add a new security_task_prlimit() hook to the check_prlimit_permission() function to provide complete mediation. The hook is only called when acting on another task, and only if the existing DAC/capability checks would allow access. Pass flags down to the hook to indicate whether the prlimit(2) call will read, write, or both read and write the resource limits of the target process. The existing security_task_setrlimit() hook is left alone; it continues to serve a purpose in supporting the ability to make decisions based on the old and/or new resource limit values when setting limits. This is consistent with the DAC/capability logic, where check_prlimit_permission() performs generic DAC/capability checks for acting on another task, while do_prlimit() performs a capability check based on a comparison of the old and new resource limits. Fix the inline documentation for the hook to match the code. Implement the new hook for SELinux. For setting resource limits, we reuse the existing setrlimit permission. Note that this does overload the setrlimit permission to mean the ability to set the resource limit (soft or hard) of another process or the ability to change one's own hard limit. For getting resource limits, a new getrlimit permission is defined. This was not originally defined since getrlimit(2) could only be used to obtain a process' own limits. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <james.l.morris@oracle.com>
Diffstat (limited to 'security')
-rw-r--r--security/security.c8
-rw-r--r--security/selinux/hooks.c14
-rw-r--r--security/selinux/include/classmap.h2
3 files changed, 23 insertions, 1 deletions
diff --git a/security/security.c b/security/security.c
index d0e07f269b2d..905dad2811d3 100644
--- a/security/security.c
+++ b/security/security.c
@@ -1036,6 +1036,12 @@ int security_task_getioprio(struct task_struct *p)
return call_int_hook(task_getioprio, 0, p);
}
+int security_task_prlimit(const struct cred *cred, const struct cred *tcred,
+ unsigned int flags)
+{
+ return call_int_hook(task_prlimit, 0, cred, tcred, flags);
+}
+
int security_task_setrlimit(struct task_struct *p, unsigned int resource,
struct rlimit *new_rlim)
{
@@ -1793,6 +1799,8 @@ struct security_hook_heads security_hook_heads = {
LIST_HEAD_INIT(security_hook_heads.task_setioprio),
.task_getioprio =
LIST_HEAD_INIT(security_hook_heads.task_getioprio),
+ .task_prlimit =
+ LIST_HEAD_INIT(security_hook_heads.task_prlimit),
.task_setrlimit =
LIST_HEAD_INIT(security_hook_heads.task_setrlimit),
.task_setscheduler =
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 0c2ac318aa7f..870d24ecc2de 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3920,6 +3920,19 @@ static int selinux_task_getioprio(struct task_struct *p)
PROCESS__GETSCHED, NULL);
}
+int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
+ unsigned int flags)
+{
+ u32 av = 0;
+
+ if (flags & LSM_PRLIMIT_WRITE)
+ av |= PROCESS__SETRLIMIT;
+ if (flags & LSM_PRLIMIT_READ)
+ av |= PROCESS__GETRLIMIT;
+ return avc_has_perm(cred_sid(cred), cred_sid(tcred),
+ SECCLASS_PROCESS, av, NULL);
+}
+
static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
struct rlimit *new_rlim)
{
@@ -6206,6 +6219,7 @@ static struct security_hook_list selinux_hooks[] = {
LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
+ LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index d429c4a1c551..1e0cc9b5de20 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -47,7 +47,7 @@ struct security_class_mapping secclass_map[] = {
"getattr", "setexec", "setfscreate", "noatsecure", "siginh",
"setrlimit", "rlimitinh", "dyntransition", "setcurrent",
"execmem", "execstack", "execheap", "setkeycreate",
- "setsockcreate", NULL } },
+ "setsockcreate", "getrlimit", NULL } },
{ "system",
{ "ipc_info", "syslog_read", "syslog_mod",
"syslog_console", "module_request", "module_load", NULL } },