prlimit,security,selinux: add a security hook for prlimit

[linux.git] / security / selinux / hooks.c

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index e6b1b741032192f437eb331392cd05ffc98ce1cd..870d24ecc2decf043e08dd8060aae0dbe0f16f91 100644 (file)
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -28,7 +28,8 @@
 #include <linux/kernel.h>
 #include <linux/tracehook.h>
 #include <linux/errno.h>
-#include <linux/sched.h>
+#include <linux/sched/signal.h>
+#include <linux/sched/task.h>
 #include <linux/lsm_hooks.h>
 #include <linux/xattr.h>
 #include <linux/capability.h>
@@ -480,12 +481,13 @@ static int selinux_is_sblabel_mnt(struct super_block *sb)
                sbsec->behavior == SECURITY_FS_USE_NATIVE ||
                /* Special handling. Genfs but also in-core setxattr handler */
                !strcmp(sb->s_type->name, "sysfs") ||
-               !strcmp(sb->s_type->name, "cgroup") ||
-               !strcmp(sb->s_type->name, "cgroup2") ||
                !strcmp(sb->s_type->name, "pstore") ||
                !strcmp(sb->s_type->name, "debugfs") ||
                !strcmp(sb->s_type->name, "tracefs") ||
-               !strcmp(sb->s_type->name, "rootfs");
+               !strcmp(sb->s_type->name, "rootfs") ||
+               (selinux_policycap_cgroupseclabel &&
+                (!strcmp(sb->s_type->name, "cgroup") ||
+                 !strcmp(sb->s_type->name, "cgroup2")));
 }
 
 static int sb_finish_set_opts(struct super_block *sb)
@@ -2399,8 +2401,7 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
 
                /* Make sure that anyone attempting to ptrace over a task that
                 * changes its SID has the appropriate permit */
-               if (bprm->unsafe &
-                   (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
+               if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
                        u32 ptsid = ptrace_parent_sid();
                        if (ptsid != 0) {
                                rc = avc_has_perm(ptsid, new_tsec->sid,
@@ -3919,6 +3920,19 @@ static int selinux_task_getioprio(struct task_struct *p)
                            PROCESS__GETSCHED, NULL);
 }
 
+int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
+                        unsigned int flags)
+{
+       u32 av = 0;
+
+       if (flags & LSM_PRLIMIT_WRITE)
+               av |= PROCESS__SETRLIMIT;
+       if (flags & LSM_PRLIMIT_READ)
+               av |= PROCESS__GETRLIMIT;
+       return avc_has_perm(cred_sid(cred), cred_sid(tcred),
+                           SECCLASS_PROCESS, av, NULL);
+}
+
 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
                struct rlimit *new_rlim)
 {
@@ -6205,6 +6219,7 @@ static struct security_hook_list selinux_hooks[] = {
        LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
        LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
        LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
+       LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
        LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
        LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
        LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),