| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | /*
 | 
					
						
							|  |  |  |  *  linux/kernel/sys.c | 
					
						
							|  |  |  |  * | 
					
						
							|  |  |  |  *  Copyright (C) 1991, 1992  Linus Torvalds | 
					
						
							|  |  |  |  */ | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-05-23 14:51:41 -04:00
										 |  |  | #include <linux/export.h>
 | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | #include <linux/mm.h>
 | 
					
						
							|  |  |  | #include <linux/utsname.h>
 | 
					
						
							|  |  |  | #include <linux/mman.h>
 | 
					
						
							|  |  |  | #include <linux/reboot.h>
 | 
					
						
							|  |  |  | #include <linux/prctl.h>
 | 
					
						
							|  |  |  | #include <linux/highuid.h>
 | 
					
						
							|  |  |  | #include <linux/fs.h>
 | 
					
						
							| 
									
										
										
										
											2011-05-26 12:48:41 -04:00
										 |  |  | #include <linux/kmod.h>
 | 
					
						
							| 
									
										
											  
											
												perf: Do the big rename: Performance Counters -> Performance Events
Bye-bye Performance Counters, welcome Performance Events!
In the past few months the perfcounters subsystem has grown out its
initial role of counting hardware events, and has become (and is
becoming) a much broader generic event enumeration, reporting, logging,
monitoring, analysis facility.
Naming its core object 'perf_counter' and naming the subsystem
'perfcounters' has become more and more of a misnomer. With pending
code like hw-breakpoints support the 'counter' name is less and
less appropriate.
All in one, we've decided to rename the subsystem to 'performance
events' and to propagate this rename through all fields, variables
and API names. (in an ABI compatible fashion)
The word 'event' is also a bit shorter than 'counter' - which makes
it slightly more convenient to write/handle as well.
Thanks goes to Stephane Eranian who first observed this misnomer and
suggested a rename.
User-space tooling and ABI compatibility is not affected - this patch
should be function-invariant. (Also, defconfigs were not touched to
keep the size down.)
This patch has been generated via the following script:
  FILES=$(find * -type f | grep -vE 'oprofile|[^K]config')
  sed -i \
    -e 's/PERF_EVENT_/PERF_RECORD_/g' \
    -e 's/PERF_COUNTER/PERF_EVENT/g' \
    -e 's/perf_counter/perf_event/g' \
    -e 's/nb_counters/nb_events/g' \
    -e 's/swcounter/swevent/g' \
    -e 's/tpcounter_event/tp_event/g' \
    $FILES
  for N in $(find . -name perf_counter.[ch]); do
    M=$(echo $N | sed 's/perf_counter/perf_event/g')
    mv $N $M
  done
  FILES=$(find . -name perf_event.*)
  sed -i \
    -e 's/COUNTER_MASK/REG_MASK/g' \
    -e 's/COUNTER/EVENT/g' \
    -e 's/\<event\>/event_id/g' \
    -e 's/counter/event/g' \
    -e 's/Counter/Event/g' \
    $FILES
... to keep it as correct as possible. This script can also be
used by anyone who has pending perfcounters patches - it converts
a Linux kernel tree over to the new naming. We tried to time this
change to the point in time where the amount of pending patches
is the smallest: the end of the merge window.
Namespace clashes were fixed up in a preparatory patch - and some
stylistic fallout will be fixed up in a subsequent patch.
( NOTE: 'counters' are still the proper terminology when we deal
  with hardware registers - and these sed scripts are a bit
  over-eager in renaming them. I've undone some of that, but
  in case there's something left where 'counter' would be
  better than 'event' we can undo that on an individual basis
  instead of touching an otherwise nicely automated patch. )
Suggested-by: Stephane Eranian <eranian@google.com>
Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Acked-by: Paul Mackerras <paulus@samba.org>
Reviewed-by: Arjan van de Ven <arjan@linux.intel.com>
Cc: Mike Galbraith <efault@gmx.de>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: David Howells <dhowells@redhat.com>
Cc: Kyle McMartin <kyle@mcmartin.ca>
Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: <linux-arch@vger.kernel.org>
LKML-Reference: <new-submission>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
											
										 
											2009-09-21 12:02:48 +02:00
										 |  |  | #include <linux/perf_event.h>
 | 
					
						
							| 
									
										
										
										
											2007-05-10 22:22:53 -07:00
										 |  |  | #include <linux/resource.h>
 | 
					
						
							| 
									
										
										
										
											2005-06-25 14:57:52 -07:00
										 |  |  | #include <linux/kernel.h>
 | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | #include <linux/workqueue.h>
 | 
					
						
							| 
									
										
										
										
											2006-01-11 12:17:46 -08:00
										 |  |  | #include <linux/capability.h>
 | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | #include <linux/device.h>
 | 
					
						
							|  |  |  | #include <linux/key.h>
 | 
					
						
							|  |  |  | #include <linux/times.h>
 | 
					
						
							|  |  |  | #include <linux/posix-timers.h>
 | 
					
						
							|  |  |  | #include <linux/security.h>
 | 
					
						
							|  |  |  | #include <linux/dcookies.h>
 | 
					
						
							|  |  |  | #include <linux/suspend.h>
 | 
					
						
							|  |  |  | #include <linux/tty.h>
 | 
					
						
							| 
									
										
										
										
											2005-05-01 08:59:14 -07:00
										 |  |  | #include <linux/signal.h>
 | 
					
						
							| 
									
										
										
										
											2005-11-07 00:59:16 -08:00
										 |  |  | #include <linux/cn_proc.h>
 | 
					
						
							| 
									
										
										
										
											2006-09-26 10:52:28 +02:00
										 |  |  | #include <linux/getcpu.h>
 | 
					
						
							| 
									
										
										
										
											2007-05-10 22:22:37 -07:00
										 |  |  | #include <linux/task_io_accounting_ops.h>
 | 
					
						
							| 
									
										
										
										
											2007-07-15 23:41:32 -07:00
										 |  |  | #include <linux/seccomp.h>
 | 
					
						
							| 
									
										
										
										
											2007-10-01 01:20:10 -07:00
										 |  |  | #include <linux/cpu.h>
 | 
					
						
							| 
									
										
										
										
											2010-03-10 15:21:19 -08:00
										 |  |  | #include <linux/personality.h>
 | 
					
						
							| 
									
										
										
										
											2009-01-06 14:41:02 -08:00
										 |  |  | #include <linux/ptrace.h>
 | 
					
						
							| 
									
										
										
										
											2009-03-29 19:50:06 -04:00
										 |  |  | #include <linux/fs_struct.h>
 | 
					
						
							| 
									
										
										
										
											2012-05-31 16:26:46 -07:00
										 |  |  | #include <linux/file.h>
 | 
					
						
							|  |  |  | #include <linux/mount.h>
 | 
					
						
							| 
									
										
											  
											
												include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h
percpu.h is included by sched.h and module.h and thus ends up being
included when building most .c files.  percpu.h includes slab.h which
in turn includes gfp.h making everything defined by the two files
universally available and complicating inclusion dependencies.
percpu.h -> slab.h dependency is about to be removed.  Prepare for
this change by updating users of gfp and slab facilities include those
headers directly instead of assuming availability.  As this conversion
needs to touch large number of source files, the following script is
used as the basis of conversion.
  http://userweb.kernel.org/~tj/misc/slabh-sweep.py
The script does the followings.
* Scan files for gfp and slab usages and update includes such that
  only the necessary includes are there.  ie. if only gfp is used,
  gfp.h, if slab is used, slab.h.
* When the script inserts a new include, it looks at the include
  blocks and try to put the new include such that its order conforms
  to its surrounding.  It's put in the include block which contains
  core kernel includes, in the same order that the rest are ordered -
  alphabetical, Christmas tree, rev-Xmas-tree or at the end if there
  doesn't seem to be any matching order.
* If the script can't find a place to put a new include (mostly
  because the file doesn't have fitting include block), it prints out
  an error message indicating which .h file needs to be added to the
  file.
The conversion was done in the following steps.
1. The initial automatic conversion of all .c files updated slightly
   over 4000 files, deleting around 700 includes and adding ~480 gfp.h
   and ~3000 slab.h inclusions.  The script emitted errors for ~400
   files.
2. Each error was manually checked.  Some didn't need the inclusion,
   some needed manual addition while adding it to implementation .h or
   embedding .c file was more appropriate for others.  This step added
   inclusions to around 150 files.
3. The script was run again and the output was compared to the edits
   from #2 to make sure no file was left behind.
4. Several build tests were done and a couple of problems were fixed.
   e.g. lib/decompress_*.c used malloc/free() wrappers around slab
   APIs requiring slab.h to be added manually.
5. The script was run on all .h files but without automatically
   editing them as sprinkling gfp.h and slab.h inclusions around .h
   files could easily lead to inclusion dependency hell.  Most gfp.h
   inclusion directives were ignored as stuff from gfp.h was usually
   wildly available and often used in preprocessor macros.  Each
   slab.h inclusion directive was examined and added manually as
   necessary.
6. percpu.h was updated not to include slab.h.
7. Build test were done on the following configurations and failures
   were fixed.  CONFIG_GCOV_KERNEL was turned off for all tests (as my
   distributed build env didn't work with gcov compiles) and a few
   more options had to be turned off depending on archs to make things
   build (like ipr on powerpc/64 which failed due to missing writeq).
   * x86 and x86_64 UP and SMP allmodconfig and a custom test config.
   * powerpc and powerpc64 SMP allmodconfig
   * sparc and sparc64 SMP allmodconfig
   * ia64 SMP allmodconfig
   * s390 SMP allmodconfig
   * alpha SMP allmodconfig
   * um on x86_64 SMP allmodconfig
8. percpu.h modifications were reverted so that it could be applied as
   a separate patch and serve as bisection point.
Given the fact that I had only a couple of failures from tests on step
6, I'm fairly confident about the coverage of this conversion patch.
If there is a breakage, it's likely to be something in one of the arch
headers which should be easily discoverable easily on most builds of
the specific arch.
Signed-off-by: Tejun Heo <tj@kernel.org>
Guess-its-ok-by: Christoph Lameter <cl@linux-foundation.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
											
										 
											2010-03-24 17:04:11 +09:00
										 |  |  | #include <linux/gfp.h>
 | 
					
						
							| 
									
										
										
										
											2011-03-15 00:43:46 +01:00
										 |  |  | #include <linux/syscore_ops.h>
 | 
					
						
							| 
									
										
										
										
											2011-08-19 16:15:10 -07:00
										 |  |  | #include <linux/version.h>
 | 
					
						
							|  |  |  | #include <linux/ctype.h>
 | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 
 | 
					
						
							|  |  |  | #include <linux/compat.h>
 | 
					
						
							|  |  |  | #include <linux/syscalls.h>
 | 
					
						
							| 
									
										
										
										
											2005-12-12 00:37:33 -08:00
										 |  |  | #include <linux/kprobes.h>
 | 
					
						
							| 
									
										
										
										
											2007-07-15 23:40:59 -07:00
										 |  |  | #include <linux/user_namespace.h>
 | 
					
						
							| 
									
										
										
										
											2013-02-21 16:43:06 -08:00
										 |  |  | #include <linux/binfmts.h>
 | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2013-04-30 15:27:37 -07:00
										 |  |  | #include <linux/sched.h>
 | 
					
						
							|  |  |  | #include <linux/rcupdate.h>
 | 
					
						
							|  |  |  | #include <linux/uidgid.h>
 | 
					
						
							|  |  |  | #include <linux/cred.h>
 | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-01-12 16:59:30 -08:00
										 |  |  | #include <linux/kmsg_dump.h>
 | 
					
						
							| 
									
										
										
										
											2011-08-19 16:15:10 -07:00
										 |  |  | /* Move somewhere else to avoid recompiling? */ | 
					
						
							|  |  |  | #include <generated/utsrelease.h>
 | 
					
						
							| 
									
										
										
										
											2011-01-12 16:59:30 -08:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | #include <asm/uaccess.h>
 | 
					
						
							|  |  |  | #include <asm/io.h>
 | 
					
						
							|  |  |  | #include <asm/unistd.h>
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | #ifndef SET_UNALIGN_CTL
 | 
					
						
							|  |  |  | # define SET_UNALIGN_CTL(a,b)	(-EINVAL)
 | 
					
						
							|  |  |  | #endif
 | 
					
						
							|  |  |  | #ifndef GET_UNALIGN_CTL
 | 
					
						
							|  |  |  | # define GET_UNALIGN_CTL(a,b)	(-EINVAL)
 | 
					
						
							|  |  |  | #endif
 | 
					
						
							|  |  |  | #ifndef SET_FPEMU_CTL
 | 
					
						
							|  |  |  | # define SET_FPEMU_CTL(a,b)	(-EINVAL)
 | 
					
						
							|  |  |  | #endif
 | 
					
						
							|  |  |  | #ifndef GET_FPEMU_CTL
 | 
					
						
							|  |  |  | # define GET_FPEMU_CTL(a,b)	(-EINVAL)
 | 
					
						
							|  |  |  | #endif
 | 
					
						
							|  |  |  | #ifndef SET_FPEXC_CTL
 | 
					
						
							|  |  |  | # define SET_FPEXC_CTL(a,b)	(-EINVAL)
 | 
					
						
							|  |  |  | #endif
 | 
					
						
							|  |  |  | #ifndef GET_FPEXC_CTL
 | 
					
						
							|  |  |  | # define GET_FPEXC_CTL(a,b)	(-EINVAL)
 | 
					
						
							|  |  |  | #endif
 | 
					
						
							| 
									
										
										
										
											2006-06-07 16:10:19 +10:00
										 |  |  | #ifndef GET_ENDIAN
 | 
					
						
							|  |  |  | # define GET_ENDIAN(a,b)	(-EINVAL)
 | 
					
						
							|  |  |  | #endif
 | 
					
						
							|  |  |  | #ifndef SET_ENDIAN
 | 
					
						
							|  |  |  | # define SET_ENDIAN(a,b)	(-EINVAL)
 | 
					
						
							|  |  |  | #endif
 | 
					
						
							| 
									
										
										
										
											2008-04-11 18:54:17 +02:00
										 |  |  | #ifndef GET_TSC_CTL
 | 
					
						
							|  |  |  | # define GET_TSC_CTL(a)		(-EINVAL)
 | 
					
						
							|  |  |  | #endif
 | 
					
						
							|  |  |  | #ifndef SET_TSC_CTL
 | 
					
						
							|  |  |  | # define SET_TSC_CTL(a)		(-EINVAL)
 | 
					
						
							|  |  |  | #endif
 | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 
 | 
					
						
							|  |  |  | /*
 | 
					
						
							|  |  |  |  * this is where the system-wide overflow UID and GID are defined, for | 
					
						
							|  |  |  |  * architectures that now have 32-bit UID/GID but didn't in the past | 
					
						
							|  |  |  |  */ | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | int overflowuid = DEFAULT_OVERFLOWUID; | 
					
						
							|  |  |  | int overflowgid = DEFAULT_OVERFLOWGID; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | EXPORT_SYMBOL(overflowuid); | 
					
						
							|  |  |  | EXPORT_SYMBOL(overflowgid); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | /*
 | 
					
						
							|  |  |  |  * the same as above, but for filesystems which can only store a 16-bit | 
					
						
							|  |  |  |  * UID and GID. as such, this is needed on all architectures | 
					
						
							|  |  |  |  */ | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | int fs_overflowuid = DEFAULT_FS_OVERFLOWUID; | 
					
						
							|  |  |  | int fs_overflowgid = DEFAULT_FS_OVERFLOWUID; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | EXPORT_SYMBOL(fs_overflowuid); | 
					
						
							|  |  |  | EXPORT_SYMBOL(fs_overflowgid); | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-03-23 16:43:22 -07:00
										 |  |  | /*
 | 
					
						
							|  |  |  |  * Returns true if current's euid is same as p's uid or euid, | 
					
						
							|  |  |  |  * or has CAP_SYS_NICE to p's user_ns. | 
					
						
							|  |  |  |  * | 
					
						
							|  |  |  |  * Called with rcu_read_lock, creds are safe | 
					
						
							|  |  |  |  */ | 
					
						
							|  |  |  | static bool set_one_prio_perm(struct task_struct *p) | 
					
						
							|  |  |  | { | 
					
						
							|  |  |  | 	const struct cred *cred = current_cred(), *pcred = __task_cred(p); | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-03-03 20:21:47 -08:00
										 |  |  | 	if (uid_eq(pcred->uid,  cred->euid) || | 
					
						
							|  |  |  | 	    uid_eq(pcred->euid, cred->euid)) | 
					
						
							| 
									
										
										
										
											2011-03-23 16:43:22 -07:00
										 |  |  | 		return true; | 
					
						
							| 
									
										
										
										
											2011-11-16 23:15:31 -08:00
										 |  |  | 	if (ns_capable(pcred->user_ns, CAP_SYS_NICE)) | 
					
						
							| 
									
										
										
										
											2011-03-23 16:43:22 -07:00
										 |  |  | 		return true; | 
					
						
							|  |  |  | 	return false; | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2008-11-14 10:39:19 +11:00
										 |  |  | /*
 | 
					
						
							|  |  |  |  * set the priority of a task | 
					
						
							|  |  |  |  * - the caller must hold the RCU read lock | 
					
						
							|  |  |  |  */ | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | static int set_one_prio(struct task_struct *p, int niceval, int error) | 
					
						
							|  |  |  | { | 
					
						
							|  |  |  | 	int no_nice; | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-03-23 16:43:22 -07:00
										 |  |  | 	if (!set_one_prio_perm(p)) { | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 		error = -EPERM; | 
					
						
							|  |  |  | 		goto out; | 
					
						
							|  |  |  | 	} | 
					
						
							| 
									
										
										
										
											2005-05-01 08:59:00 -07:00
										 |  |  | 	if (niceval < task_nice(p) && !can_nice(p, niceval)) { | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 		error = -EACCES; | 
					
						
							|  |  |  | 		goto out; | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 	no_nice = security_task_setnice(p, niceval); | 
					
						
							|  |  |  | 	if (no_nice) { | 
					
						
							|  |  |  | 		error = no_nice; | 
					
						
							|  |  |  | 		goto out; | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 	if (error == -ESRCH) | 
					
						
							|  |  |  | 		error = 0; | 
					
						
							|  |  |  | 	set_user_nice(p, niceval); | 
					
						
							|  |  |  | out: | 
					
						
							|  |  |  | 	return error; | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2009-01-14 14:14:09 +01:00
										 |  |  | SYSCALL_DEFINE3(setpriority, int, which, int, who, int, niceval) | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | { | 
					
						
							|  |  |  | 	struct task_struct *g, *p; | 
					
						
							|  |  |  | 	struct user_struct *user; | 
					
						
							| 
									
										
										
										
											2008-11-14 10:39:18 +11:00
										 |  |  | 	const struct cred *cred = current_cred(); | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 	int error = -EINVAL; | 
					
						
							| 
									
										
										
										
											2007-02-12 00:53:01 -08:00
										 |  |  | 	struct pid *pgrp; | 
					
						
							| 
									
										
										
										
											2011-11-16 23:20:58 -08:00
										 |  |  | 	kuid_t uid; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2007-05-10 22:22:53 -07:00
										 |  |  | 	if (which > PRIO_USER || which < PRIO_PROCESS) | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 		goto out; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	/* normalize: avoid signed division (rounding problems) */ | 
					
						
							|  |  |  | 	error = -ESRCH; | 
					
						
							| 
									
										
										
										
											2014-02-11 15:34:51 +08:00
										 |  |  | 	if (niceval < MIN_NICE) | 
					
						
							|  |  |  | 		niceval = MIN_NICE; | 
					
						
							|  |  |  | 	if (niceval > MAX_NICE) | 
					
						
							|  |  |  | 		niceval = MAX_NICE; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2009-12-10 00:52:51 +00:00
										 |  |  | 	rcu_read_lock(); | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 	read_lock(&tasklist_lock); | 
					
						
							|  |  |  | 	switch (which) { | 
					
						
							|  |  |  | 		case PRIO_PROCESS: | 
					
						
							| 
									
										
										
										
											2007-02-12 00:53:01 -08:00
										 |  |  | 			if (who) | 
					
						
							| 
									
										
										
										
											2007-10-18 23:40:16 -07:00
										 |  |  | 				p = find_task_by_vpid(who); | 
					
						
							| 
									
										
										
										
											2007-02-12 00:53:01 -08:00
										 |  |  | 			else | 
					
						
							|  |  |  | 				p = current; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 			if (p) | 
					
						
							|  |  |  | 				error = set_one_prio(p, niceval, error); | 
					
						
							|  |  |  | 			break; | 
					
						
							|  |  |  | 		case PRIO_PGRP: | 
					
						
							| 
									
										
										
										
											2007-02-12 00:53:01 -08:00
										 |  |  | 			if (who) | 
					
						
							| 
									
										
										
										
											2007-10-18 23:40:14 -07:00
										 |  |  | 				pgrp = find_vpid(who); | 
					
						
							| 
									
										
										
										
											2007-02-12 00:53:01 -08:00
										 |  |  | 			else | 
					
						
							|  |  |  | 				pgrp = task_pgrp(current); | 
					
						
							| 
									
										
										
										
											2008-08-20 14:09:17 -07:00
										 |  |  | 			do_each_pid_thread(pgrp, PIDTYPE_PGID, p) { | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 				error = set_one_prio(p, niceval, error); | 
					
						
							| 
									
										
										
										
											2008-08-20 14:09:17 -07:00
										 |  |  | 			} while_each_pid_thread(pgrp, PIDTYPE_PGID, p); | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 			break; | 
					
						
							|  |  |  | 		case PRIO_USER: | 
					
						
							| 
									
										
										
										
											2011-11-16 23:20:58 -08:00
										 |  |  | 			uid = make_kuid(cred->user_ns, who); | 
					
						
							| 
									
										
										
										
											2012-03-03 18:58:11 -08:00
										 |  |  | 			user = cred->user; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 			if (!who) | 
					
						
							| 
									
										
										
										
											2012-02-08 07:00:08 -08:00
										 |  |  | 				uid = cred->uid; | 
					
						
							|  |  |  | 			else if (!uid_eq(uid, cred->uid) && | 
					
						
							| 
									
										
										
										
											2011-11-16 23:20:58 -08:00
										 |  |  | 				 !(user = find_user(uid))) | 
					
						
							| 
									
										
										
										
											2008-11-14 10:39:18 +11:00
										 |  |  | 				goto out_unlock;	/* No processes for this user */ | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2009-12-14 18:00:22 -08:00
										 |  |  | 			do_each_thread(g, p) { | 
					
						
							| 
									
										
										
										
											2012-02-08 07:00:08 -08:00
										 |  |  | 				if (uid_eq(task_uid(p), uid)) | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 					error = set_one_prio(p, niceval, error); | 
					
						
							| 
									
										
										
										
											2009-12-14 18:00:22 -08:00
										 |  |  | 			} while_each_thread(g, p); | 
					
						
							| 
									
										
										
										
											2012-02-08 07:00:08 -08:00
										 |  |  | 			if (!uid_eq(uid, cred->uid)) | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 				free_uid(user);		/* For find_user() */ | 
					
						
							|  |  |  | 			break; | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | out_unlock: | 
					
						
							|  |  |  | 	read_unlock(&tasklist_lock); | 
					
						
							| 
									
										
										
										
											2009-12-10 00:52:51 +00:00
										 |  |  | 	rcu_read_unlock(); | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | out: | 
					
						
							|  |  |  | 	return error; | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | /*
 | 
					
						
							|  |  |  |  * Ugh. To avoid negative return values, "getpriority()" will | 
					
						
							|  |  |  |  * not return the normal nice-value, but a negated value that | 
					
						
							|  |  |  |  * has been offset by 20 (ie it returns 40..1 instead of -20..19) | 
					
						
							|  |  |  |  * to stay compatible. | 
					
						
							|  |  |  |  */ | 
					
						
							| 
									
										
										
										
											2009-01-14 14:14:09 +01:00
										 |  |  | SYSCALL_DEFINE2(getpriority, int, which, int, who) | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | { | 
					
						
							|  |  |  | 	struct task_struct *g, *p; | 
					
						
							|  |  |  | 	struct user_struct *user; | 
					
						
							| 
									
										
										
										
											2008-11-14 10:39:18 +11:00
										 |  |  | 	const struct cred *cred = current_cred(); | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 	long niceval, retval = -ESRCH; | 
					
						
							| 
									
										
										
										
											2007-02-12 00:53:01 -08:00
										 |  |  | 	struct pid *pgrp; | 
					
						
							| 
									
										
										
										
											2011-11-16 23:20:58 -08:00
										 |  |  | 	kuid_t uid; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2007-05-10 22:22:53 -07:00
										 |  |  | 	if (which > PRIO_USER || which < PRIO_PROCESS) | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 		return -EINVAL; | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2010-02-22 12:44:16 -08:00
										 |  |  | 	rcu_read_lock(); | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 	read_lock(&tasklist_lock); | 
					
						
							|  |  |  | 	switch (which) { | 
					
						
							|  |  |  | 		case PRIO_PROCESS: | 
					
						
							| 
									
										
										
										
											2007-02-12 00:53:01 -08:00
										 |  |  | 			if (who) | 
					
						
							| 
									
										
										
										
											2007-10-18 23:40:16 -07:00
										 |  |  | 				p = find_task_by_vpid(who); | 
					
						
							| 
									
										
										
										
											2007-02-12 00:53:01 -08:00
										 |  |  | 			else | 
					
						
							|  |  |  | 				p = current; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 			if (p) { | 
					
						
							| 
									
										
										
										
											2014-05-08 18:33:49 +09:00
										 |  |  | 				niceval = nice_to_rlimit(task_nice(p)); | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 				if (niceval > retval) | 
					
						
							|  |  |  | 					retval = niceval; | 
					
						
							|  |  |  | 			} | 
					
						
							|  |  |  | 			break; | 
					
						
							|  |  |  | 		case PRIO_PGRP: | 
					
						
							| 
									
										
										
										
											2007-02-12 00:53:01 -08:00
										 |  |  | 			if (who) | 
					
						
							| 
									
										
										
										
											2007-10-18 23:40:14 -07:00
										 |  |  | 				pgrp = find_vpid(who); | 
					
						
							| 
									
										
										
										
											2007-02-12 00:53:01 -08:00
										 |  |  | 			else | 
					
						
							|  |  |  | 				pgrp = task_pgrp(current); | 
					
						
							| 
									
										
										
										
											2008-08-20 14:09:17 -07:00
										 |  |  | 			do_each_pid_thread(pgrp, PIDTYPE_PGID, p) { | 
					
						
							| 
									
										
										
										
											2014-05-08 18:33:49 +09:00
										 |  |  | 				niceval = nice_to_rlimit(task_nice(p)); | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 				if (niceval > retval) | 
					
						
							|  |  |  | 					retval = niceval; | 
					
						
							| 
									
										
										
										
											2008-08-20 14:09:17 -07:00
										 |  |  | 			} while_each_pid_thread(pgrp, PIDTYPE_PGID, p); | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 			break; | 
					
						
							|  |  |  | 		case PRIO_USER: | 
					
						
							| 
									
										
										
										
											2011-11-16 23:20:58 -08:00
										 |  |  | 			uid = make_kuid(cred->user_ns, who); | 
					
						
							| 
									
										
										
										
											2012-03-03 18:58:11 -08:00
										 |  |  | 			user = cred->user; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 			if (!who) | 
					
						
							| 
									
										
										
										
											2012-02-08 07:00:08 -08:00
										 |  |  | 				uid = cred->uid; | 
					
						
							|  |  |  | 			else if (!uid_eq(uid, cred->uid) && | 
					
						
							| 
									
										
										
										
											2011-11-16 23:20:58 -08:00
										 |  |  | 				 !(user = find_user(uid))) | 
					
						
							| 
									
										
										
										
											2008-11-14 10:39:18 +11:00
										 |  |  | 				goto out_unlock;	/* No processes for this user */ | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2009-12-14 18:00:22 -08:00
										 |  |  | 			do_each_thread(g, p) { | 
					
						
							| 
									
										
										
										
											2012-02-08 07:00:08 -08:00
										 |  |  | 				if (uid_eq(task_uid(p), uid)) { | 
					
						
							| 
									
										
										
										
											2014-05-08 18:33:49 +09:00
										 |  |  | 					niceval = nice_to_rlimit(task_nice(p)); | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 					if (niceval > retval) | 
					
						
							|  |  |  | 						retval = niceval; | 
					
						
							|  |  |  | 				} | 
					
						
							| 
									
										
										
										
											2009-12-14 18:00:22 -08:00
										 |  |  | 			} while_each_thread(g, p); | 
					
						
							| 
									
										
										
										
											2012-02-08 07:00:08 -08:00
										 |  |  | 			if (!uid_eq(uid, cred->uid)) | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 				free_uid(user);		/* for find_user() */ | 
					
						
							|  |  |  | 			break; | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | out_unlock: | 
					
						
							|  |  |  | 	read_unlock(&tasklist_lock); | 
					
						
							| 
									
										
										
										
											2010-02-22 12:44:16 -08:00
										 |  |  | 	rcu_read_unlock(); | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 
 | 
					
						
							|  |  |  | 	return retval; | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | /*
 | 
					
						
							|  |  |  |  * Unprivileged users may change the real gid to the effective gid | 
					
						
							|  |  |  |  * or vice versa.  (BSD-style) | 
					
						
							|  |  |  |  * | 
					
						
							|  |  |  |  * If you set the real gid at all, or set the effective gid to a value not | 
					
						
							|  |  |  |  * equal to the real gid, then the saved gid is set to the new effective gid. | 
					
						
							|  |  |  |  * | 
					
						
							|  |  |  |  * This makes it possible for a setgid program to completely drop its | 
					
						
							|  |  |  |  * privileges, which is often a useful assertion to make when you are doing | 
					
						
							|  |  |  |  * a security audit over a program. | 
					
						
							|  |  |  |  * | 
					
						
							|  |  |  |  * The general idea is that a program which uses just setregid() will be | 
					
						
							|  |  |  |  * 100% compatible with BSD.  A program which uses just setgid() will be | 
					
						
							|  |  |  |  * 100% compatible with POSIX with saved IDs.  | 
					
						
							|  |  |  |  * | 
					
						
							|  |  |  |  * SMP: There are not races, the GIDs are checked only by filesystem | 
					
						
							|  |  |  |  *      operations (as far as semantic preservation is concerned). | 
					
						
							|  |  |  |  */ | 
					
						
							| 
									
										
										
										
											2009-01-14 14:14:05 +01:00
										 |  |  | SYSCALL_DEFINE2(setregid, gid_t, rgid, gid_t, egid) | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | { | 
					
						
							| 
									
										
										
											
												userns: Convert setting and getting uid and gid system calls to use kuid and kgid
Convert setregid, setgid, setreuid, setuid,
setresuid, getresuid, setresgid, getresgid, setfsuid, setfsgid,
getuid, geteuid, getgid, getegid,
waitpid, waitid, wait4.
Convert userspace uids and gids into kuids and kgids before
being placed on struct cred.  Convert struct cred kuids and
kgids into userspace uids and gids when returning them.
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
											
										 
											2012-02-07 18:51:01 -08:00
										 |  |  | 	struct user_namespace *ns = current_user_ns(); | 
					
						
							| 
									
										
											  
											
												CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management.  This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
	struct cred *new = prepare_creds();
	int ret = blah(new);
	if (ret < 0) {
		abort_creds(new);
		return ret;
	}
	return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const.  The purpose of this is compile-time
discouragement of altering credentials through those pointers.  Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
  (1) Its reference count may incremented and decremented.
  (2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
 (1) execve().
     This now prepares and commits credentials in various places in the
     security code rather than altering the current creds directly.
 (2) Temporary credential overrides.
     do_coredump() and sys_faccessat() now prepare their own credentials and
     temporarily override the ones currently on the acting thread, whilst
     preventing interference from other threads by holding cred_replace_mutex
     on the thread being dumped.
     This will be replaced in a future patch by something that hands down the
     credentials directly to the functions being called, rather than altering
     the task's objective credentials.
 (3) LSM interface.
     A number of functions have been changed, added or removed:
     (*) security_capset_check(), ->capset_check()
     (*) security_capset_set(), ->capset_set()
     	 Removed in favour of security_capset().
     (*) security_capset(), ->capset()
     	 New.  This is passed a pointer to the new creds, a pointer to the old
     	 creds and the proposed capability sets.  It should fill in the new
     	 creds or return an error.  All pointers, barring the pointer to the
     	 new creds, are now const.
     (*) security_bprm_apply_creds(), ->bprm_apply_creds()
     	 Changed; now returns a value, which will cause the process to be
     	 killed if it's an error.
     (*) security_task_alloc(), ->task_alloc_security()
     	 Removed in favour of security_prepare_creds().
     (*) security_cred_free(), ->cred_free()
     	 New.  Free security data attached to cred->security.
     (*) security_prepare_creds(), ->cred_prepare()
     	 New. Duplicate any security data attached to cred->security.
     (*) security_commit_creds(), ->cred_commit()
     	 New. Apply any security effects for the upcoming installation of new
     	 security by commit_creds().
     (*) security_task_post_setuid(), ->task_post_setuid()
     	 Removed in favour of security_task_fix_setuid().
     (*) security_task_fix_setuid(), ->task_fix_setuid()
     	 Fix up the proposed new credentials for setuid().  This is used by
     	 cap_set_fix_setuid() to implicitly adjust capabilities in line with
     	 setuid() changes.  Changes are made to the new credentials, rather
     	 than the task itself as in security_task_post_setuid().
     (*) security_task_reparent_to_init(), ->task_reparent_to_init()
     	 Removed.  Instead the task being reparented to init is referred
     	 directly to init's credentials.
	 NOTE!  This results in the loss of some state: SELinux's osid no
	 longer records the sid of the thread that forked it.
     (*) security_key_alloc(), ->key_alloc()
     (*) security_key_permission(), ->key_permission()
     	 Changed.  These now take cred pointers rather than task pointers to
     	 refer to the security context.
 (4) sys_capset().
     This has been simplified and uses less locking.  The LSM functions it
     calls have been merged.
 (5) reparent_to_kthreadd().
     This gives the current thread the same credentials as init by simply using
     commit_thread() to point that way.
 (6) __sigqueue_alloc() and switch_uid()
     __sigqueue_alloc() can't stop the target task from changing its creds
     beneath it, so this function gets a reference to the currently applicable
     user_struct which it then passes into the sigqueue struct it returns if
     successful.
     switch_uid() is now called from commit_creds(), and possibly should be
     folded into that.  commit_creds() should take care of protecting
     __sigqueue_alloc().
 (7) [sg]et[ug]id() and co and [sg]et_current_groups.
     The set functions now all use prepare_creds(), commit_creds() and
     abort_creds() to build and check a new set of credentials before applying
     it.
     security_task_set[ug]id() is called inside the prepared section.  This
     guarantees that nothing else will affect the creds until we've finished.
     The calling of set_dumpable() has been moved into commit_creds().
     Much of the functionality of set_user() has been moved into
     commit_creds().
     The get functions all simply access the data directly.
 (8) security_task_prctl() and cap_task_prctl().
     security_task_prctl() has been modified to return -ENOSYS if it doesn't
     want to handle a function, or otherwise return the return value directly
     rather than through an argument.
     Additionally, cap_task_prctl() now prepares a new set of credentials, even
     if it doesn't end up using it.
 (9) Keyrings.
     A number of changes have been made to the keyrings code:
     (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
     	 all been dropped and built in to the credentials functions directly.
     	 They may want separating out again later.
     (b) key_alloc() and search_process_keyrings() now take a cred pointer
     	 rather than a task pointer to specify the security context.
     (c) copy_creds() gives a new thread within the same thread group a new
     	 thread keyring if its parent had one, otherwise it discards the thread
     	 keyring.
     (d) The authorisation key now points directly to the credentials to extend
     	 the search into rather pointing to the task that carries them.
     (e) Installing thread, process or session keyrings causes a new set of
     	 credentials to be created, even though it's not strictly necessary for
     	 process or session keyrings (they're shared).
(10) Usermode helper.
     The usermode helper code now carries a cred struct pointer in its
     subprocess_info struct instead of a new session keyring pointer.  This set
     of credentials is derived from init_cred and installed on the new process
     after it has been cloned.
     call_usermodehelper_setup() allocates the new credentials and
     call_usermodehelper_freeinfo() discards them if they haven't been used.  A
     special cred function (prepare_usermodeinfo_creds()) is provided
     specifically for call_usermodehelper_setup() to call.
     call_usermodehelper_setkeys() adjusts the credentials to sport the
     supplied keyring as the new session keyring.
(11) SELinux.
     SELinux has a number of changes, in addition to those to support the LSM
     interface changes mentioned above:
     (a) selinux_setprocattr() no longer does its check for whether the
     	 current ptracer can access processes with the new SID inside the lock
     	 that covers getting the ptracer's SID.  Whilst this lock ensures that
     	 the check is done with the ptracer pinned, the result is only valid
     	 until the lock is released, so there's no point doing it inside the
     	 lock.
(12) is_single_threaded().
     This function has been extracted from selinux_setprocattr() and put into
     a file of its own in the lib/ directory as join_session_keyring() now
     wants to use it too.
     The code in SELinux just checked to see whether a task shared mm_structs
     with other tasks (CLONE_VM), but that isn't good enough.  We really want
     to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
     The NFS server daemon now has to use the COW credentials to set the
     credentials it is going to use.  It really needs to pass the credentials
     down to the functions it calls, but it can't do that until other patches
     in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
											
										 
											2008-11-14 10:39:23 +11:00
										 |  |  | 	const struct cred *old; | 
					
						
							|  |  |  | 	struct cred *new; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 	int retval; | 
					
						
							| 
									
										
										
											
												userns: Convert setting and getting uid and gid system calls to use kuid and kgid
Convert setregid, setgid, setreuid, setuid,
setresuid, getresuid, setresgid, getresgid, setfsuid, setfsgid,
getuid, geteuid, getgid, getegid,
waitpid, waitid, wait4.
Convert userspace uids and gids into kuids and kgids before
being placed on struct cred.  Convert struct cred kuids and
kgids into userspace uids and gids when returning them.
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
											
										 
											2012-02-07 18:51:01 -08:00
										 |  |  | 	kgid_t krgid, kegid; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	krgid = make_kgid(ns, rgid); | 
					
						
							|  |  |  | 	kegid = make_kgid(ns, egid); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	if ((rgid != (gid_t) -1) && !gid_valid(krgid)) | 
					
						
							|  |  |  | 		return -EINVAL; | 
					
						
							|  |  |  | 	if ((egid != (gid_t) -1) && !gid_valid(kegid)) | 
					
						
							|  |  |  | 		return -EINVAL; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 
 | 
					
						
							| 
									
										
											  
											
												CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management.  This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
	struct cred *new = prepare_creds();
	int ret = blah(new);
	if (ret < 0) {
		abort_creds(new);
		return ret;
	}
	return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const.  The purpose of this is compile-time
discouragement of altering credentials through those pointers.  Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
  (1) Its reference count may incremented and decremented.
  (2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
 (1) execve().
     This now prepares and commits credentials in various places in the
     security code rather than altering the current creds directly.
 (2) Temporary credential overrides.
     do_coredump() and sys_faccessat() now prepare their own credentials and
     temporarily override the ones currently on the acting thread, whilst
     preventing interference from other threads by holding cred_replace_mutex
     on the thread being dumped.
     This will be replaced in a future patch by something that hands down the
     credentials directly to the functions being called, rather than altering
     the task's objective credentials.
 (3) LSM interface.
     A number of functions have been changed, added or removed:
     (*) security_capset_check(), ->capset_check()
     (*) security_capset_set(), ->capset_set()
     	 Removed in favour of security_capset().
     (*) security_capset(), ->capset()
     	 New.  This is passed a pointer to the new creds, a pointer to the old
     	 creds and the proposed capability sets.  It should fill in the new
     	 creds or return an error.  All pointers, barring the pointer to the
     	 new creds, are now const.
     (*) security_bprm_apply_creds(), ->bprm_apply_creds()
     	 Changed; now returns a value, which will cause the process to be
     	 killed if it's an error.
     (*) security_task_alloc(), ->task_alloc_security()
     	 Removed in favour of security_prepare_creds().
     (*) security_cred_free(), ->cred_free()
     	 New.  Free security data attached to cred->security.
     (*) security_prepare_creds(), ->cred_prepare()
     	 New. Duplicate any security data attached to cred->security.
     (*) security_commit_creds(), ->cred_commit()
     	 New. Apply any security effects for the upcoming installation of new
     	 security by commit_creds().
     (*) security_task_post_setuid(), ->task_post_setuid()
     	 Removed in favour of security_task_fix_setuid().
     (*) security_task_fix_setuid(), ->task_fix_setuid()
     	 Fix up the proposed new credentials for setuid().  This is used by
     	 cap_set_fix_setuid() to implicitly adjust capabilities in line with
     	 setuid() changes.  Changes are made to the new credentials, rather
     	 than the task itself as in security_task_post_setuid().
     (*) security_task_reparent_to_init(), ->task_reparent_to_init()
     	 Removed.  Instead the task being reparented to init is referred
     	 directly to init's credentials.
	 NOTE!  This results in the loss of some state: SELinux's osid no
	 longer records the sid of the thread that forked it.
     (*) security_key_alloc(), ->key_alloc()
     (*) security_key_permission(), ->key_permission()
     	 Changed.  These now take cred pointers rather than task pointers to
     	 refer to the security context.
 (4) sys_capset().
     This has been simplified and uses less locking.  The LSM functions it
     calls have been merged.
 (5) reparent_to_kthreadd().
     This gives the current thread the same credentials as init by simply using
     commit_thread() to point that way.
 (6) __sigqueue_alloc() and switch_uid()
     __sigqueue_alloc() can't stop the target task from changing its creds
     beneath it, so this function gets a reference to the currently applicable
     user_struct which it then passes into the sigqueue struct it returns if
     successful.
     switch_uid() is now called from commit_creds(), and possibly should be
     folded into that.  commit_creds() should take care of protecting
     __sigqueue_alloc().
 (7) [sg]et[ug]id() and co and [sg]et_current_groups.
     The set functions now all use prepare_creds(), commit_creds() and
     abort_creds() to build and check a new set of credentials before applying
     it.
     security_task_set[ug]id() is called inside the prepared section.  This
     guarantees that nothing else will affect the creds until we've finished.
     The calling of set_dumpable() has been moved into commit_creds().
     Much of the functionality of set_user() has been moved into
     commit_creds().
     The get functions all simply access the data directly.
 (8) security_task_prctl() and cap_task_prctl().
     security_task_prctl() has been modified to return -ENOSYS if it doesn't
     want to handle a function, or otherwise return the return value directly
     rather than through an argument.
     Additionally, cap_task_prctl() now prepares a new set of credentials, even
     if it doesn't end up using it.
 (9) Keyrings.
     A number of changes have been made to the keyrings code:
     (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
     	 all been dropped and built in to the credentials functions directly.
     	 They may want separating out again later.
     (b) key_alloc() and search_process_keyrings() now take a cred pointer
     	 rather than a task pointer to specify the security context.
     (c) copy_creds() gives a new thread within the same thread group a new
     	 thread keyring if its parent had one, otherwise it discards the thread
     	 keyring.
     (d) The authorisation key now points directly to the credentials to extend
     	 the search into rather pointing to the task that carries them.
     (e) Installing thread, process or session keyrings causes a new set of
     	 credentials to be created, even though it's not strictly necessary for
     	 process or session keyrings (they're shared).
(10) Usermode helper.
     The usermode helper code now carries a cred struct pointer in its
     subprocess_info struct instead of a new session keyring pointer.  This set
     of credentials is derived from init_cred and installed on the new process
     after it has been cloned.
     call_usermodehelper_setup() allocates the new credentials and
     call_usermodehelper_freeinfo() discards them if they haven't been used.  A
     special cred function (prepare_usermodeinfo_creds()) is provided
     specifically for call_usermodehelper_setup() to call.
     call_usermodehelper_setkeys() adjusts the credentials to sport the
     supplied keyring as the new session keyring.
(11) SELinux.
     SELinux has a number of changes, in addition to those to support the LSM
     interface changes mentioned above:
     (a) selinux_setprocattr() no longer does its check for whether the
     	 current ptracer can access processes with the new SID inside the lock
     	 that covers getting the ptracer's SID.  Whilst this lock ensures that
     	 the check is done with the ptracer pinned, the result is only valid
     	 until the lock is released, so there's no point doing it inside the
     	 lock.
(12) is_single_threaded().
     This function has been extracted from selinux_setprocattr() and put into
     a file of its own in the lib/ directory as join_session_keyring() now
     wants to use it too.
     The code in SELinux just checked to see whether a task shared mm_structs
     with other tasks (CLONE_VM), but that isn't good enough.  We really want
     to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
     The NFS server daemon now has to use the COW credentials to set the
     credentials it is going to use.  It really needs to pass the credentials
     down to the functions it calls, but it can't do that until other patches
     in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
											
										 
											2008-11-14 10:39:23 +11:00
										 |  |  | 	new = prepare_creds(); | 
					
						
							|  |  |  | 	if (!new) | 
					
						
							|  |  |  | 		return -ENOMEM; | 
					
						
							|  |  |  | 	old = current_cred(); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	retval = -EPERM; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 	if (rgid != (gid_t) -1) { | 
					
						
							| 
									
										
										
											
												userns: Convert setting and getting uid and gid system calls to use kuid and kgid
Convert setregid, setgid, setreuid, setuid,
setresuid, getresuid, setresgid, getresgid, setfsuid, setfsgid,
getuid, geteuid, getgid, getegid,
waitpid, waitid, wait4.
Convert userspace uids and gids into kuids and kgids before
being placed on struct cred.  Convert struct cred kuids and
kgids into userspace uids and gids when returning them.
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
											
										 
											2012-02-07 18:51:01 -08:00
										 |  |  | 		if (gid_eq(old->gid, krgid) || | 
					
						
							|  |  |  | 		    gid_eq(old->egid, krgid) || | 
					
						
							| 
									
										
										
										
											2013-03-20 12:49:49 -07:00
										 |  |  | 		    ns_capable(old->user_ns, CAP_SETGID)) | 
					
						
							| 
									
										
										
											
												userns: Convert setting and getting uid and gid system calls to use kuid and kgid
Convert setregid, setgid, setreuid, setuid,
setresuid, getresuid, setresgid, getresgid, setfsuid, setfsgid,
getuid, geteuid, getgid, getegid,
waitpid, waitid, wait4.
Convert userspace uids and gids into kuids and kgids before
being placed on struct cred.  Convert struct cred kuids and
kgids into userspace uids and gids when returning them.
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
											
										 
											2012-02-07 18:51:01 -08:00
										 |  |  | 			new->gid = krgid; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 		else | 
					
						
							| 
									
										
											  
											
												CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management.  This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
	struct cred *new = prepare_creds();
	int ret = blah(new);
	if (ret < 0) {
		abort_creds(new);
		return ret;
	}
	return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const.  The purpose of this is compile-time
discouragement of altering credentials through those pointers.  Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
  (1) Its reference count may incremented and decremented.
  (2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
 (1) execve().
     This now prepares and commits credentials in various places in the
     security code rather than altering the current creds directly.
 (2) Temporary credential overrides.
     do_coredump() and sys_faccessat() now prepare their own credentials and
     temporarily override the ones currently on the acting thread, whilst
     preventing interference from other threads by holding cred_replace_mutex
     on the thread being dumped.
     This will be replaced in a future patch by something that hands down the
     credentials directly to the functions being called, rather than altering
     the task's objective credentials.
 (3) LSM interface.
     A number of functions have been changed, added or removed:
     (*) security_capset_check(), ->capset_check()
     (*) security_capset_set(), ->capset_set()
     	 Removed in favour of security_capset().
     (*) security_capset(), ->capset()
     	 New.  This is passed a pointer to the new creds, a pointer to the old
     	 creds and the proposed capability sets.  It should fill in the new
     	 creds or return an error.  All pointers, barring the pointer to the
     	 new creds, are now const.
     (*) security_bprm_apply_creds(), ->bprm_apply_creds()
     	 Changed; now returns a value, which will cause the process to be
     	 killed if it's an error.
     (*) security_task_alloc(), ->task_alloc_security()
     	 Removed in favour of security_prepare_creds().
     (*) security_cred_free(), ->cred_free()
     	 New.  Free security data attached to cred->security.
     (*) security_prepare_creds(), ->cred_prepare()
     	 New. Duplicate any security data attached to cred->security.
     (*) security_commit_creds(), ->cred_commit()
     	 New. Apply any security effects for the upcoming installation of new
     	 security by commit_creds().
     (*) security_task_post_setuid(), ->task_post_setuid()
     	 Removed in favour of security_task_fix_setuid().
     (*) security_task_fix_setuid(), ->task_fix_setuid()
     	 Fix up the proposed new credentials for setuid().  This is used by
     	 cap_set_fix_setuid() to implicitly adjust capabilities in line with
     	 setuid() changes.  Changes are made to the new credentials, rather
     	 than the task itself as in security_task_post_setuid().
     (*) security_task_reparent_to_init(), ->task_reparent_to_init()
     	 Removed.  Instead the task being reparented to init is referred
     	 directly to init's credentials.
	 NOTE!  This results in the loss of some state: SELinux's osid no
	 longer records the sid of the thread that forked it.
     (*) security_key_alloc(), ->key_alloc()
     (*) security_key_permission(), ->key_permission()
     	 Changed.  These now take cred pointers rather than task pointers to
     	 refer to the security context.
 (4) sys_capset().
     This has been simplified and uses less locking.  The LSM functions it
     calls have been merged.
 (5) reparent_to_kthreadd().
     This gives the current thread the same credentials as init by simply using
     commit_thread() to point that way.
 (6) __sigqueue_alloc() and switch_uid()
     __sigqueue_alloc() can't stop the target task from changing its creds
     beneath it, so this function gets a reference to the currently applicable
     user_struct which it then passes into the sigqueue struct it returns if
     successful.
     switch_uid() is now called from commit_creds(), and possibly should be
     folded into that.  commit_creds() should take care of protecting
     __sigqueue_alloc().
 (7) [sg]et[ug]id() and co and [sg]et_current_groups.
     The set functions now all use prepare_creds(), commit_creds() and
     abort_creds() to build and check a new set of credentials before applying
     it.
     security_task_set[ug]id() is called inside the prepared section.  This
     guarantees that nothing else will affect the creds until we've finished.
     The calling of set_dumpable() has been moved into commit_creds().
     Much of the functionality of set_user() has been moved into
     commit_creds().
     The get functions all simply access the data directly.
 (8) security_task_prctl() and cap_task_prctl().
     security_task_prctl() has been modified to return -ENOSYS if it doesn't
     want to handle a function, or otherwise return the return value directly
     rather than through an argument.
     Additionally, cap_task_prctl() now prepares a new set of credentials, even
     if it doesn't end up using it.
 (9) Keyrings.
     A number of changes have been made to the keyrings code:
     (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
     	 all been dropped and built in to the credentials functions directly.
     	 They may want separating out again later.
     (b) key_alloc() and search_process_keyrings() now take a cred pointer
     	 rather than a task pointer to specify the security context.
     (c) copy_creds() gives a new thread within the same thread group a new
     	 thread keyring if its parent had one, otherwise it discards the thread
     	 keyring.
     (d) The authorisation key now points directly to the credentials to extend
     	 the search into rather pointing to the task that carries them.
     (e) Installing thread, process or session keyrings causes a new set of
     	 credentials to be created, even though it's not strictly necessary for
     	 process or session keyrings (they're shared).
(10) Usermode helper.
     The usermode helper code now carries a cred struct pointer in its
     subprocess_info struct instead of a new session keyring pointer.  This set
     of credentials is derived from init_cred and installed on the new process
     after it has been cloned.
     call_usermodehelper_setup() allocates the new credentials and
     call_usermodehelper_freeinfo() discards them if they haven't been used.  A
     special cred function (prepare_usermodeinfo_creds()) is provided
     specifically for call_usermodehelper_setup() to call.
     call_usermodehelper_setkeys() adjusts the credentials to sport the
     supplied keyring as the new session keyring.
(11) SELinux.
     SELinux has a number of changes, in addition to those to support the LSM
     interface changes mentioned above:
     (a) selinux_setprocattr() no longer does its check for whether the
     	 current ptracer can access processes with the new SID inside the lock
     	 that covers getting the ptracer's SID.  Whilst this lock ensures that
     	 the check is done with the ptracer pinned, the result is only valid
     	 until the lock is released, so there's no point doing it inside the
     	 lock.
(12) is_single_threaded().
     This function has been extracted from selinux_setprocattr() and put into
     a file of its own in the lib/ directory as join_session_keyring() now
     wants to use it too.
     The code in SELinux just checked to see whether a task shared mm_structs
     with other tasks (CLONE_VM), but that isn't good enough.  We really want
     to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
     The NFS server daemon now has to use the COW credentials to set the
     credentials it is going to use.  It really needs to pass the credentials
     down to the functions it calls, but it can't do that until other patches
     in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
											
										 
											2008-11-14 10:39:23 +11:00
										 |  |  | 			goto error; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 	} | 
					
						
							|  |  |  | 	if (egid != (gid_t) -1) { | 
					
						
							| 
									
										
										
											
												userns: Convert setting and getting uid and gid system calls to use kuid and kgid
Convert setregid, setgid, setreuid, setuid,
setresuid, getresuid, setresgid, getresgid, setfsuid, setfsgid,
getuid, geteuid, getgid, getegid,
waitpid, waitid, wait4.
Convert userspace uids and gids into kuids and kgids before
being placed on struct cred.  Convert struct cred kuids and
kgids into userspace uids and gids when returning them.
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
											
										 
											2012-02-07 18:51:01 -08:00
										 |  |  | 		if (gid_eq(old->gid, kegid) || | 
					
						
							|  |  |  | 		    gid_eq(old->egid, kegid) || | 
					
						
							|  |  |  | 		    gid_eq(old->sgid, kegid) || | 
					
						
							| 
									
										
										
										
											2013-03-20 12:49:49 -07:00
										 |  |  | 		    ns_capable(old->user_ns, CAP_SETGID)) | 
					
						
							| 
									
										
										
											
												userns: Convert setting and getting uid and gid system calls to use kuid and kgid
Convert setregid, setgid, setreuid, setuid,
setresuid, getresuid, setresgid, getresgid, setfsuid, setfsgid,
getuid, geteuid, getgid, getegid,
waitpid, waitid, wait4.
Convert userspace uids and gids into kuids and kgids before
being placed on struct cred.  Convert struct cred kuids and
kgids into userspace uids and gids when returning them.
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
											
										 
											2012-02-07 18:51:01 -08:00
										 |  |  | 			new->egid = kegid; | 
					
						
							| 
									
										
										
										
											2006-09-30 23:27:24 -07:00
										 |  |  | 		else | 
					
						
							| 
									
										
											  
											
												CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management.  This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
	struct cred *new = prepare_creds();
	int ret = blah(new);
	if (ret < 0) {
		abort_creds(new);
		return ret;
	}
	return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const.  The purpose of this is compile-time
discouragement of altering credentials through those pointers.  Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
  (1) Its reference count may incremented and decremented.
  (2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
 (1) execve().
     This now prepares and commits credentials in various places in the
     security code rather than altering the current creds directly.
 (2) Temporary credential overrides.
     do_coredump() and sys_faccessat() now prepare their own credentials and
     temporarily override the ones currently on the acting thread, whilst
     preventing interference from other threads by holding cred_replace_mutex
     on the thread being dumped.
     This will be replaced in a future patch by something that hands down the
     credentials directly to the functions being called, rather than altering
     the task's objective credentials.
 (3) LSM interface.
     A number of functions have been changed, added or removed:
     (*) security_capset_check(), ->capset_check()
     (*) security_capset_set(), ->capset_set()
     	 Removed in favour of security_capset().
     (*) security_capset(), ->capset()
     	 New.  This is passed a pointer to the new creds, a pointer to the old
     	 creds and the proposed capability sets.  It should fill in the new
     	 creds or return an error.  All pointers, barring the pointer to the
     	 new creds, are now const.
     (*) security_bprm_apply_creds(), ->bprm_apply_creds()
     	 Changed; now returns a value, which will cause the process to be
     	 killed if it's an error.
     (*) security_task_alloc(), ->task_alloc_security()
     	 Removed in favour of security_prepare_creds().
     (*) security_cred_free(), ->cred_free()
     	 New.  Free security data attached to cred->security.
     (*) security_prepare_creds(), ->cred_prepare()
     	 New. Duplicate any security data attached to cred->security.
     (*) security_commit_creds(), ->cred_commit()
     	 New. Apply any security effects for the upcoming installation of new
     	 security by commit_creds().
     (*) security_task_post_setuid(), ->task_post_setuid()
     	 Removed in favour of security_task_fix_setuid().
     (*) security_task_fix_setuid(), ->task_fix_setuid()
     	 Fix up the proposed new credentials for setuid().  This is used by
     	 cap_set_fix_setuid() to implicitly adjust capabilities in line with
     	 setuid() changes.  Changes are made to the new credentials, rather
     	 than the task itself as in security_task_post_setuid().
     (*) security_task_reparent_to_init(), ->task_reparent_to_init()
     	 Removed.  Instead the task being reparented to init is referred
     	 directly to init's credentials.
	 NOTE!  This results in the loss of some state: SELinux's osid no
	 longer records the sid of the thread that forked it.
     (*) security_key_alloc(), ->key_alloc()
     (*) security_key_permission(), ->key_permission()
     	 Changed.  These now take cred pointers rather than task pointers to
     	 refer to the security context.
 (4) sys_capset().
     This has been simplified and uses less locking.  The LSM functions it
     calls have been merged.
 (5) reparent_to_kthreadd().
     This gives the current thread the same credentials as init by simply using
     commit_thread() to point that way.
 (6) __sigqueue_alloc() and switch_uid()
     __sigqueue_alloc() can't stop the target task from changing its creds
     beneath it, so this function gets a reference to the currently applicable
     user_struct which it then passes into the sigqueue struct it returns if
     successful.
     switch_uid() is now called from commit_creds(), and possibly should be
     folded into that.  commit_creds() should take care of protecting
     __sigqueue_alloc().
 (7) [sg]et[ug]id() and co and [sg]et_current_groups.
     The set functions now all use prepare_creds(), commit_creds() and
     abort_creds() to build and check a new set of credentials before applying
     it.
     security_task_set[ug]id() is called inside the prepared section.  This
     guarantees that nothing else will affect the creds until we've finished.
     The calling of set_dumpable() has been moved into commit_creds().
     Much of the functionality of set_user() has been moved into
     commit_creds().
     The get functions all simply access the data directly.
 (8) security_task_prctl() and cap_task_prctl().
     security_task_prctl() has been modified to return -ENOSYS if it doesn't
     want to handle a function, or otherwise return the return value directly
     rather than through an argument.
     Additionally, cap_task_prctl() now prepares a new set of credentials, even
     if it doesn't end up using it.
 (9) Keyrings.
     A number of changes have been made to the keyrings code:
     (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
     	 all been dropped and built in to the credentials functions directly.
     	 They may want separating out again later.
     (b) key_alloc() and search_process_keyrings() now take a cred pointer
     	 rather than a task pointer to specify the security context.
     (c) copy_creds() gives a new thread within the same thread group a new
     	 thread keyring if its parent had one, otherwise it discards the thread
     	 keyring.
     (d) The authorisation key now points directly to the credentials to extend
     	 the search into rather pointing to the task that carries them.
     (e) Installing thread, process or session keyrings causes a new set of
     	 credentials to be created, even though it's not strictly necessary for
     	 process or session keyrings (they're shared).
(10) Usermode helper.
     The usermode helper code now carries a cred struct pointer in its
     subprocess_info struct instead of a new session keyring pointer.  This set
     of credentials is derived from init_cred and installed on the new process
     after it has been cloned.
     call_usermodehelper_setup() allocates the new credentials and
     call_usermodehelper_freeinfo() discards them if they haven't been used.  A
     special cred function (prepare_usermodeinfo_creds()) is provided
     specifically for call_usermodehelper_setup() to call.
     call_usermodehelper_setkeys() adjusts the credentials to sport the
     supplied keyring as the new session keyring.
(11) SELinux.
     SELinux has a number of changes, in addition to those to support the LSM
     interface changes mentioned above:
     (a) selinux_setprocattr() no longer does its check for whether the
     	 current ptracer can access processes with the new SID inside the lock
     	 that covers getting the ptracer's SID.  Whilst this lock ensures that
     	 the check is done with the ptracer pinned, the result is only valid
     	 until the lock is released, so there's no point doing it inside the
     	 lock.
(12) is_single_threaded().
     This function has been extracted from selinux_setprocattr() and put into
     a file of its own in the lib/ directory as join_session_keyring() now
     wants to use it too.
     The code in SELinux just checked to see whether a task shared mm_structs
     with other tasks (CLONE_VM), but that isn't good enough.  We really want
     to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
     The NFS server daemon now has to use the COW credentials to set the
     credentials it is going to use.  It really needs to pass the credentials
     down to the functions it calls, but it can't do that until other patches
     in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
											
										 
											2008-11-14 10:39:23 +11:00
										 |  |  | 			goto error; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 	} | 
					
						
							| 
									
										
											  
											
												CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management.  This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
	struct cred *new = prepare_creds();
	int ret = blah(new);
	if (ret < 0) {
		abort_creds(new);
		return ret;
	}
	return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const.  The purpose of this is compile-time
discouragement of altering credentials through those pointers.  Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
  (1) Its reference count may incremented and decremented.
  (2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
 (1) execve().
     This now prepares and commits credentials in various places in the
     security code rather than altering the current creds directly.
 (2) Temporary credential overrides.
     do_coredump() and sys_faccessat() now prepare their own credentials and
     temporarily override the ones currently on the acting thread, whilst
     preventing interference from other threads by holding cred_replace_mutex
     on the thread being dumped.
     This will be replaced in a future patch by something that hands down the
     credentials directly to the functions being called, rather than altering
     the task's objective credentials.
 (3) LSM interface.
     A number of functions have been changed, added or removed:
     (*) security_capset_check(), ->capset_check()
     (*) security_capset_set(), ->capset_set()
     	 Removed in favour of security_capset().
     (*) security_capset(), ->capset()
     	 New.  This is passed a pointer to the new creds, a pointer to the old
     	 creds and the proposed capability sets.  It should fill in the new
     	 creds or return an error.  All pointers, barring the pointer to the
     	 new creds, are now const.
     (*) security_bprm_apply_creds(), ->bprm_apply_creds()
     	 Changed; now returns a value, which will cause the process to be
     	 killed if it's an error.
     (*) security_task_alloc(), ->task_alloc_security()
     	 Removed in favour of security_prepare_creds().
     (*) security_cred_free(), ->cred_free()
     	 New.  Free security data attached to cred->security.
     (*) security_prepare_creds(), ->cred_prepare()
     	 New. Duplicate any security data attached to cred->security.
     (*) security_commit_creds(), ->cred_commit()
     	 New. Apply any security effects for the upcoming installation of new
     	 security by commit_creds().
     (*) security_task_post_setuid(), ->task_post_setuid()
     	 Removed in favour of security_task_fix_setuid().
     (*) security_task_fix_setuid(), ->task_fix_setuid()
     	 Fix up the proposed new credentials for setuid().  This is used by
     	 cap_set_fix_setuid() to implicitly adjust capabilities in line with
     	 setuid() changes.  Changes are made to the new credentials, rather
     	 than the task itself as in security_task_post_setuid().
     (*) security_task_reparent_to_init(), ->task_reparent_to_init()
     	 Removed.  Instead the task being reparented to init is referred
     	 directly to init's credentials.
	 NOTE!  This results in the loss of some state: SELinux's osid no
	 longer records the sid of the thread that forked it.
     (*) security_key_alloc(), ->key_alloc()
     (*) security_key_permission(), ->key_permission()
     	 Changed.  These now take cred pointers rather than task pointers to
     	 refer to the security context.
 (4) sys_capset().
     This has been simplified and uses less locking.  The LSM functions it
     calls have been merged.
 (5) reparent_to_kthreadd().
     This gives the current thread the same credentials as init by simply using
     commit_thread() to point that way.
 (6) __sigqueue_alloc() and switch_uid()
     __sigqueue_alloc() can't stop the target task from changing its creds
     beneath it, so this function gets a reference to the currently applicable
     user_struct which it then passes into the sigqueue struct it returns if
     successful.
     switch_uid() is now called from commit_creds(), and possibly should be
     folded into that.  commit_creds() should take care of protecting
     __sigqueue_alloc().
 (7) [sg]et[ug]id() and co and [sg]et_current_groups.
     The set functions now all use prepare_creds(), commit_creds() and
     abort_creds() to build and check a new set of credentials before applying
     it.
     security_task_set[ug]id() is called inside the prepared section.  This
     guarantees that nothing else will affect the creds until we've finished.
     The calling of set_dumpable() has been moved into commit_creds().
     Much of the functionality of set_user() has been moved into
     commit_creds().
     The get functions all simply access the data directly.
 (8) security_task_prctl() and cap_task_prctl().
     security_task_prctl() has been modified to return -ENOSYS if it doesn't
     want to handle a function, or otherwise return the return value directly
     rather than through an argument.
     Additionally, cap_task_prctl() now prepares a new set of credentials, even
     if it doesn't end up using it.
 (9) Keyrings.
     A number of changes have been made to the keyrings code:
     (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
     	 all been dropped and built in to the credentials functions directly.
     	 They may want separating out again later.
     (b) key_alloc() and search_process_keyrings() now take a cred pointer
     	 rather than a task pointer to specify the security context.
     (c) copy_creds() gives a new thread within the same thread group a new
     	 thread keyring if its parent had one, otherwise it discards the thread
     	 keyring.
     (d) The authorisation key now points directly to the credentials to extend
     	 the search into rather pointing to the task that carries them.
     (e) Installing thread, process or session keyrings causes a new set of
     	 credentials to be created, even though it's not strictly necessary for
     	 process or session keyrings (they're shared).
(10) Usermode helper.
     The usermode helper code now carries a cred struct pointer in its
     subprocess_info struct instead of a new session keyring pointer.  This set
     of credentials is derived from init_cred and installed on the new process
     after it has been cloned.
     call_usermodehelper_setup() allocates the new credentials and
     call_usermodehelper_freeinfo() discards them if they haven't been used.  A
     special cred function (prepare_usermodeinfo_creds()) is provided
     specifically for call_usermodehelper_setup() to call.
     call_usermodehelper_setkeys() adjusts the credentials to sport the
     supplied keyring as the new session keyring.
(11) SELinux.
     SELinux has a number of changes, in addition to those to support the LSM
     interface changes mentioned above:
     (a) selinux_setprocattr() no longer does its check for whether the
     	 current ptracer can access processes with the new SID inside the lock
     	 that covers getting the ptracer's SID.  Whilst this lock ensures that
     	 the check is done with the ptracer pinned, the result is only valid
     	 until the lock is released, so there's no point doing it inside the
     	 lock.
(12) is_single_threaded().
     This function has been extracted from selinux_setprocattr() and put into
     a file of its own in the lib/ directory as join_session_keyring() now
     wants to use it too.
     The code in SELinux just checked to see whether a task shared mm_structs
     with other tasks (CLONE_VM), but that isn't good enough.  We really want
     to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
     The NFS server daemon now has to use the COW credentials to set the
     credentials it is going to use.  It really needs to pass the credentials
     down to the functions it calls, but it can't do that until other patches
     in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
											
										 
											2008-11-14 10:39:23 +11:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 	if (rgid != (gid_t) -1 || | 
					
						
							| 
									
										
										
											
												userns: Convert setting and getting uid and gid system calls to use kuid and kgid
Convert setregid, setgid, setreuid, setuid,
setresuid, getresuid, setresgid, getresgid, setfsuid, setfsgid,
getuid, geteuid, getgid, getegid,
waitpid, waitid, wait4.
Convert userspace uids and gids into kuids and kgids before
being placed on struct cred.  Convert struct cred kuids and
kgids into userspace uids and gids when returning them.
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
											
										 
											2012-02-07 18:51:01 -08:00
										 |  |  | 	    (egid != (gid_t) -1 && !gid_eq(kegid, old->gid))) | 
					
						
							| 
									
										
											  
											
												CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management.  This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
	struct cred *new = prepare_creds();
	int ret = blah(new);
	if (ret < 0) {
		abort_creds(new);
		return ret;
	}
	return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const.  The purpose of this is compile-time
discouragement of altering credentials through those pointers.  Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
  (1) Its reference count may incremented and decremented.
  (2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
 (1) execve().
     This now prepares and commits credentials in various places in the
     security code rather than altering the current creds directly.
 (2) Temporary credential overrides.
     do_coredump() and sys_faccessat() now prepare their own credentials and
     temporarily override the ones currently on the acting thread, whilst
     preventing interference from other threads by holding cred_replace_mutex
     on the thread being dumped.
     This will be replaced in a future patch by something that hands down the
     credentials directly to the functions being called, rather than altering
     the task's objective credentials.
 (3) LSM interface.
     A number of functions have been changed, added or removed:
     (*) security_capset_check(), ->capset_check()
     (*) security_capset_set(), ->capset_set()
     	 Removed in favour of security_capset().
     (*) security_capset(), ->capset()
     	 New.  This is passed a pointer to the new creds, a pointer to the old
     	 creds and the proposed capability sets.  It should fill in the new
     	 creds or return an error.  All pointers, barring the pointer to the
     	 new creds, are now const.
     (*) security_bprm_apply_creds(), ->bprm_apply_creds()
     	 Changed; now returns a value, which will cause the process to be
     	 killed if it's an error.
     (*) security_task_alloc(), ->task_alloc_security()
     	 Removed in favour of security_prepare_creds().
     (*) security_cred_free(), ->cred_free()
     	 New.  Free security data attached to cred->security.
     (*) security_prepare_creds(), ->cred_prepare()
     	 New. Duplicate any security data attached to cred->security.
     (*) security_commit_creds(), ->cred_commit()
     	 New. Apply any security effects for the upcoming installation of new
     	 security by commit_creds().
     (*) security_task_post_setuid(), ->task_post_setuid()
     	 Removed in favour of security_task_fix_setuid().
     (*) security_task_fix_setuid(), ->task_fix_setuid()
     	 Fix up the proposed new credentials for setuid().  This is used by
     	 cap_set_fix_setuid() to implicitly adjust capabilities in line with
     	 setuid() changes.  Changes are made to the new credentials, rather
     	 than the task itself as in security_task_post_setuid().
     (*) security_task_reparent_to_init(), ->task_reparent_to_init()
     	 Removed.  Instead the task being reparented to init is referred
     	 directly to init's credentials.
	 NOTE!  This results in the loss of some state: SELinux's osid no
	 longer records the sid of the thread that forked it.
     (*) security_key_alloc(), ->key_alloc()
     (*) security_key_permission(), ->key_permission()
     	 Changed.  These now take cred pointers rather than task pointers to
     	 refer to the security context.
 (4) sys_capset().
     This has been simplified and uses less locking.  The LSM functions it
     calls have been merged.
 (5) reparent_to_kthreadd().
     This gives the current thread the same credentials as init by simply using
     commit_thread() to point that way.
 (6) __sigqueue_alloc() and switch_uid()
     __sigqueue_alloc() can't stop the target task from changing its creds
     beneath it, so this function gets a reference to the currently applicable
     user_struct which it then passes into the sigqueue struct it returns if
     successful.
     switch_uid() is now called from commit_creds(), and possibly should be
     folded into that.  commit_creds() should take care of protecting
     __sigqueue_alloc().
 (7) [sg]et[ug]id() and co and [sg]et_current_groups.
     The set functions now all use prepare_creds(), commit_creds() and
     abort_creds() to build and check a new set of credentials before applying
     it.
     security_task_set[ug]id() is called inside the prepared section.  This
     guarantees that nothing else will affect the creds until we've finished.
     The calling of set_dumpable() has been moved into commit_creds().
     Much of the functionality of set_user() has been moved into
     commit_creds().
     The get functions all simply access the data directly.
 (8) security_task_prctl() and cap_task_prctl().
     security_task_prctl() has been modified to return -ENOSYS if it doesn't
     want to handle a function, or otherwise return the return value directly
     rather than through an argument.
     Additionally, cap_task_prctl() now prepares a new set of credentials, even
     if it doesn't end up using it.
 (9) Keyrings.
     A number of changes have been made to the keyrings code:
     (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
     	 all been dropped and built in to the credentials functions directly.
     	 They may want separating out again later.
     (b) key_alloc() and search_process_keyrings() now take a cred pointer
     	 rather than a task pointer to specify the security context.
     (c) copy_creds() gives a new thread within the same thread group a new
     	 thread keyring if its parent had one, otherwise it discards the thread
     	 keyring.
     (d) The authorisation key now points directly to the credentials to extend
     	 the search into rather pointing to the task that carries them.
     (e) Installing thread, process or session keyrings causes a new set of
     	 credentials to be created, even though it's not strictly necessary for
     	 process or session keyrings (they're shared).
(10) Usermode helper.
     The usermode helper code now carries a cred struct pointer in its
     subprocess_info struct instead of a new session keyring pointer.  This set
     of credentials is derived from init_cred and installed on the new process
     after it has been cloned.
     call_usermodehelper_setup() allocates the new credentials and
     call_usermodehelper_freeinfo() discards them if they haven't been used.  A
     special cred function (prepare_usermodeinfo_creds()) is provided
     specifically for call_usermodehelper_setup() to call.
     call_usermodehelper_setkeys() adjusts the credentials to sport the
     supplied keyring as the new session keyring.
(11) SELinux.
     SELinux has a number of changes, in addition to those to support the LSM
     interface changes mentioned above:
     (a) selinux_setprocattr() no longer does its check for whether the
     	 current ptracer can access processes with the new SID inside the lock
     	 that covers getting the ptracer's SID.  Whilst this lock ensures that
     	 the check is done with the ptracer pinned, the result is only valid
     	 until the lock is released, so there's no point doing it inside the
     	 lock.
(12) is_single_threaded().
     This function has been extracted from selinux_setprocattr() and put into
     a file of its own in the lib/ directory as join_session_keyring() now
     wants to use it too.
     The code in SELinux just checked to see whether a task shared mm_structs
     with other tasks (CLONE_VM), but that isn't good enough.  We really want
     to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
     The NFS server daemon now has to use the COW credentials to set the
     credentials it is going to use.  It really needs to pass the credentials
     down to the functions it calls, but it can't do that until other patches
     in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
											
										 
											2008-11-14 10:39:23 +11:00
										 |  |  | 		new->sgid = new->egid; | 
					
						
							|  |  |  | 	new->fsgid = new->egid; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	return commit_creds(new); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | error: | 
					
						
							|  |  |  | 	abort_creds(new); | 
					
						
							|  |  |  | 	return retval; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | /*
 | 
					
						
							|  |  |  |  * setgid() is implemented like SysV w/ SAVED_IDS  | 
					
						
							|  |  |  |  * | 
					
						
							|  |  |  |  * SMP: Same implicit races as above. | 
					
						
							|  |  |  |  */ | 
					
						
							| 
									
										
										
										
											2009-01-14 14:14:05 +01:00
										 |  |  | SYSCALL_DEFINE1(setgid, gid_t, gid) | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | { | 
					
						
							| 
									
										
										
											
												userns: Convert setting and getting uid and gid system calls to use kuid and kgid
Convert setregid, setgid, setreuid, setuid,
setresuid, getresuid, setresgid, getresgid, setfsuid, setfsgid,
getuid, geteuid, getgid, getegid,
waitpid, waitid, wait4.
Convert userspace uids and gids into kuids and kgids before
being placed on struct cred.  Convert struct cred kuids and
kgids into userspace uids and gids when returning them.
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
											
										 
											2012-02-07 18:51:01 -08:00
										 |  |  | 	struct user_namespace *ns = current_user_ns(); | 
					
						
							| 
									
										
											  
											
												CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management.  This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
	struct cred *new = prepare_creds();
	int ret = blah(new);
	if (ret < 0) {
		abort_creds(new);
		return ret;
	}
	return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const.  The purpose of this is compile-time
discouragement of altering credentials through those pointers.  Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
  (1) Its reference count may incremented and decremented.
  (2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
 (1) execve().
     This now prepares and commits credentials in various places in the
     security code rather than altering the current creds directly.
 (2) Temporary credential overrides.
     do_coredump() and sys_faccessat() now prepare their own credentials and
     temporarily override the ones currently on the acting thread, whilst
     preventing interference from other threads by holding cred_replace_mutex
     on the thread being dumped.
     This will be replaced in a future patch by something that hands down the
     credentials directly to the functions being called, rather than altering
     the task's objective credentials.
 (3) LSM interface.
     A number of functions have been changed, added or removed:
     (*) security_capset_check(), ->capset_check()
     (*) security_capset_set(), ->capset_set()
     	 Removed in favour of security_capset().
     (*) security_capset(), ->capset()
     	 New.  This is passed a pointer to the new creds, a pointer to the old
     	 creds and the proposed capability sets.  It should fill in the new
     	 creds or return an error.  All pointers, barring the pointer to the
     	 new creds, are now const.
     (*) security_bprm_apply_creds(), ->bprm_apply_creds()
     	 Changed; now returns a value, which will cause the process to be
     	 killed if it's an error.
     (*) security_task_alloc(), ->task_alloc_security()
     	 Removed in favour of security_prepare_creds().
     (*) security_cred_free(), ->cred_free()
     	 New.  Free security data attached to cred->security.
     (*) security_prepare_creds(), ->cred_prepare()
     	 New. Duplicate any security data attached to cred->security.
     (*) security_commit_creds(), ->cred_commit()
     	 New. Apply any security effects for the upcoming installation of new
     	 security by commit_creds().
     (*) security_task_post_setuid(), ->task_post_setuid()
     	 Removed in favour of security_task_fix_setuid().
     (*) security_task_fix_setuid(), ->task_fix_setuid()
     	 Fix up the proposed new credentials for setuid().  This is used by
     	 cap_set_fix_setuid() to implicitly adjust capabilities in line with
     	 setuid() changes.  Changes are made to the new credentials, rather
     	 than the task itself as in security_task_post_setuid().
     (*) security_task_reparent_to_init(), ->task_reparent_to_init()
     	 Removed.  Instead the task being reparented to init is referred
     	 directly to init's credentials.
	 NOTE!  This results in the loss of some state: SELinux's osid no
	 longer records the sid of the thread that forked it.
     (*) security_key_alloc(), ->key_alloc()
     (*) security_key_permission(), ->key_permission()
     	 Changed.  These now take cred pointers rather than task pointers to
     	 refer to the security context.
 (4) sys_capset().
     This has been simplified and uses less locking.  The LSM functions it
     calls have been merged.
 (5) reparent_to_kthreadd().
     This gives the current thread the same credentials as init by simply using
     commit_thread() to point that way.
 (6) __sigqueue_alloc() and switch_uid()
     __sigqueue_alloc() can't stop the target task from changing its creds
     beneath it, so this function gets a reference to the currently applicable
     user_struct which it then passes into the sigqueue struct it returns if
     successful.
     switch_uid() is now called from commit_creds(), and possibly should be
     folded into that.  commit_creds() should take care of protecting
     __sigqueue_alloc().
 (7) [sg]et[ug]id() and co and [sg]et_current_groups.
     The set functions now all use prepare_creds(), commit_creds() and
     abort_creds() to build and check a new set of credentials before applying
     it.
     security_task_set[ug]id() is called inside the prepared section.  This
     guarantees that nothing else will affect the creds until we've finished.
     The calling of set_dumpable() has been moved into commit_creds().
     Much of the functionality of set_user() has been moved into
     commit_creds().
     The get functions all simply access the data directly.
 (8) security_task_prctl() and cap_task_prctl().
     security_task_prctl() has been modified to return -ENOSYS if it doesn't
     want to handle a function, or otherwise return the return value directly
     rather than through an argument.
     Additionally, cap_task_prctl() now prepares a new set of credentials, even
     if it doesn't end up using it.
 (9) Keyrings.
     A number of changes have been made to the keyrings code:
     (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
     	 all been dropped and built in to the credentials functions directly.
     	 They may want separating out again later.
     (b) key_alloc() and search_process_keyrings() now take a cred pointer
     	 rather than a task pointer to specify the security context.
     (c) copy_creds() gives a new thread within the same thread group a new
     	 thread keyring if its parent had one, otherwise it discards the thread
     	 keyring.
     (d) The authorisation key now points directly to the credentials to extend
     	 the search into rather pointing to the task that carries them.
     (e) Installing thread, process or session keyrings causes a new set of
     	 credentials to be created, even though it's not strictly necessary for
     	 process or session keyrings (they're shared).
(10) Usermode helper.
     The usermode helper code now carries a cred struct pointer in its
     subprocess_info struct instead of a new session keyring pointer.  This set
     of credentials is derived from init_cred and installed on the new process
     after it has been cloned.
     call_usermodehelper_setup() allocates the new credentials and
     call_usermodehelper_freeinfo() discards them if they haven't been used.  A
     special cred function (prepare_usermodeinfo_creds()) is provided
     specifically for call_usermodehelper_setup() to call.
     call_usermodehelper_setkeys() adjusts the credentials to sport the
     supplied keyring as the new session keyring.
(11) SELinux.
     SELinux has a number of changes, in addition to those to support the LSM
     interface changes mentioned above:
     (a) selinux_setprocattr() no longer does its check for whether the
     	 current ptracer can access processes with the new SID inside the lock
     	 that covers getting the ptracer's SID.  Whilst this lock ensures that
     	 the check is done with the ptracer pinned, the result is only valid
     	 until the lock is released, so there's no point doing it inside the
     	 lock.
(12) is_single_threaded().
     This function has been extracted from selinux_setprocattr() and put into
     a file of its own in the lib/ directory as join_session_keyring() now
     wants to use it too.
     The code in SELinux just checked to see whether a task shared mm_structs
     with other tasks (CLONE_VM), but that isn't good enough.  We really want
     to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
     The NFS server daemon now has to use the COW credentials to set the
     credentials it is going to use.  It really needs to pass the credentials
     down to the functions it calls, but it can't do that until other patches
     in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
											
										 
											2008-11-14 10:39:23 +11:00
										 |  |  | 	const struct cred *old; | 
					
						
							|  |  |  | 	struct cred *new; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 	int retval; | 
					
						
							| 
									
										
										
											
												userns: Convert setting and getting uid and gid system calls to use kuid and kgid
Convert setregid, setgid, setreuid, setuid,
setresuid, getresuid, setresgid, getresgid, setfsuid, setfsgid,
getuid, geteuid, getgid, getegid,
waitpid, waitid, wait4.
Convert userspace uids and gids into kuids and kgids before
being placed on struct cred.  Convert struct cred kuids and
kgids into userspace uids and gids when returning them.
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
											
										 
											2012-02-07 18:51:01 -08:00
										 |  |  | 	kgid_t kgid; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	kgid = make_kgid(ns, gid); | 
					
						
							|  |  |  | 	if (!gid_valid(kgid)) | 
					
						
							|  |  |  | 		return -EINVAL; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 
 | 
					
						
							| 
									
										
											  
											
												CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management.  This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
	struct cred *new = prepare_creds();
	int ret = blah(new);
	if (ret < 0) {
		abort_creds(new);
		return ret;
	}
	return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const.  The purpose of this is compile-time
discouragement of altering credentials through those pointers.  Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
  (1) Its reference count may incremented and decremented.
  (2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
 (1) execve().
     This now prepares and commits credentials in various places in the
     security code rather than altering the current creds directly.
 (2) Temporary credential overrides.
     do_coredump() and sys_faccessat() now prepare their own credentials and
     temporarily override the ones currently on the acting thread, whilst
     preventing interference from other threads by holding cred_replace_mutex
     on the thread being dumped.
     This will be replaced in a future patch by something that hands down the
     credentials directly to the functions being called, rather than altering
     the task's objective credentials.
 (3) LSM interface.
     A number of functions have been changed, added or removed:
     (*) security_capset_check(), ->capset_check()
     (*) security_capset_set(), ->capset_set()
     	 Removed in favour of security_capset().
     (*) security_capset(), ->capset()
     	 New.  This is passed a pointer to the new creds, a pointer to the old
     	 creds and the proposed capability sets.  It should fill in the new
     	 creds or return an error.  All pointers, barring the pointer to the
     	 new creds, are now const.
     (*) security_bprm_apply_creds(), ->bprm_apply_creds()
     	 Changed; now returns a value, which will cause the process to be
     	 killed if it's an error.
     (*) security_task_alloc(), ->task_alloc_security()
     	 Removed in favour of security_prepare_creds().
     (*) security_cred_free(), ->cred_free()
     	 New.  Free security data attached to cred->security.
     (*) security_prepare_creds(), ->cred_prepare()
     	 New. Duplicate any security data attached to cred->security.
     (*) security_commit_creds(), ->cred_commit()
     	 New. Apply any security effects for the upcoming installation of new
     	 security by commit_creds().
     (*) security_task_post_setuid(), ->task_post_setuid()
     	 Removed in favour of security_task_fix_setuid().
     (*) security_task_fix_setuid(), ->task_fix_setuid()
     	 Fix up the proposed new credentials for setuid().  This is used by
     	 cap_set_fix_setuid() to implicitly adjust capabilities in line with
     	 setuid() changes.  Changes are made to the new credentials, rather
     	 than the task itself as in security_task_post_setuid().
     (*) security_task_reparent_to_init(), ->task_reparent_to_init()
     	 Removed.  Instead the task being reparented to init is referred
     	 directly to init's credentials.
	 NOTE!  This results in the loss of some state: SELinux's osid no
	 longer records the sid of the thread that forked it.
     (*) security_key_alloc(), ->key_alloc()
     (*) security_key_permission(), ->key_permission()
     	 Changed.  These now take cred pointers rather than task pointers to
     	 refer to the security context.
 (4) sys_capset().
     This has been simplified and uses less locking.  The LSM functions it
     calls have been merged.
 (5) reparent_to_kthreadd().
     This gives the current thread the same credentials as init by simply using
     commit_thread() to point that way.
 (6) __sigqueue_alloc() and switch_uid()
     __sigqueue_alloc() can't stop the target task from changing its creds
     beneath it, so this function gets a reference to the currently applicable
     user_struct which it then passes into the sigqueue struct it returns if
     successful.
     switch_uid() is now called from commit_creds(), and possibly should be
     folded into that.  commit_creds() should take care of protecting
     __sigqueue_alloc().
 (7) [sg]et[ug]id() and co and [sg]et_current_groups.
     The set functions now all use prepare_creds(), commit_creds() and
     abort_creds() to build and check a new set of credentials before applying
     it.
     security_task_set[ug]id() is called inside the prepared section.  This
     guarantees that nothing else will affect the creds until we've finished.
     The calling of set_dumpable() has been moved into commit_creds().
     Much of the functionality of set_user() has been moved into
     commit_creds().
     The get functions all simply access the data directly.
 (8) security_task_prctl() and cap_task_prctl().
     security_task_prctl() has been modified to return -ENOSYS if it doesn't
     want to handle a function, or otherwise return the return value directly
     rather than through an argument.
     Additionally, cap_task_prctl() now prepares a new set of credentials, even
     if it doesn't end up using it.
 (9) Keyrings.
     A number of changes have been made to the keyrings code:
     (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
     	 all been dropped and built in to the credentials functions directly.
     	 They may want separating out again later.
     (b) key_alloc() and search_process_keyrings() now take a cred pointer
     	 rather than a task pointer to specify the security context.
     (c) copy_creds() gives a new thread within the same thread group a new
     	 thread keyring if its parent had one, otherwise it discards the thread
     	 keyring.
     (d) The authorisation key now points directly to the credentials to extend
     	 the search into rather pointing to the task that carries them.
     (e) Installing thread, process or session keyrings causes a new set of
     	 credentials to be created, even though it's not strictly necessary for
     	 process or session keyrings (they're shared).
(10) Usermode helper.
     The usermode helper code now carries a cred struct pointer in its
     subprocess_info struct instead of a new session keyring pointer.  This set
     of credentials is derived from init_cred and installed on the new process
     after it has been cloned.
     call_usermodehelper_setup() allocates the new credentials and
     call_usermodehelper_freeinfo() discards them if they haven't been used.  A
     special cred function (prepare_usermodeinfo_creds()) is provided
     specifically for call_usermodehelper_setup() to call.
     call_usermodehelper_setkeys() adjusts the credentials to sport the
     supplied keyring as the new session keyring.
(11) SELinux.
     SELinux has a number of changes, in addition to those to support the LSM
     interface changes mentioned above:
     (a) selinux_setprocattr() no longer does its check for whether the
     	 current ptracer can access processes with the new SID inside the lock
     	 that covers getting the ptracer's SID.  Whilst this lock ensures that
     	 the check is done with the ptracer pinned, the result is only valid
     	 until the lock is released, so there's no point doing it inside the
     	 lock.
(12) is_single_threaded().
     This function has been extracted from selinux_setprocattr() and put into
     a file of its own in the lib/ directory as join_session_keyring() now
     wants to use it too.
     The code in SELinux just checked to see whether a task shared mm_structs
     with other tasks (CLONE_VM), but that isn't good enough.  We really want
     to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
     The NFS server daemon now has to use the COW credentials to set the
     credentials it is going to use.  It really needs to pass the credentials
     down to the functions it calls, but it can't do that until other patches
     in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
											
										 
											2008-11-14 10:39:23 +11:00
										 |  |  | 	new = prepare_creds(); | 
					
						
							|  |  |  | 	if (!new) | 
					
						
							|  |  |  | 		return -ENOMEM; | 
					
						
							|  |  |  | 	old = current_cred(); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	retval = -EPERM; | 
					
						
							| 
									
										
										
										
											2013-03-20 12:49:49 -07:00
										 |  |  | 	if (ns_capable(old->user_ns, CAP_SETGID)) | 
					
						
							| 
									
										
										
											
												userns: Convert setting and getting uid and gid system calls to use kuid and kgid
Convert setregid, setgid, setreuid, setuid,
setresuid, getresuid, setresgid, getresgid, setfsuid, setfsgid,
getuid, geteuid, getgid, getegid,
waitpid, waitid, wait4.
Convert userspace uids and gids into kuids and kgids before
being placed on struct cred.  Convert struct cred kuids and
kgids into userspace uids and gids when returning them.
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
											
										 
											2012-02-07 18:51:01 -08:00
										 |  |  | 		new->gid = new->egid = new->sgid = new->fsgid = kgid; | 
					
						
							|  |  |  | 	else if (gid_eq(kgid, old->gid) || gid_eq(kgid, old->sgid)) | 
					
						
							|  |  |  | 		new->egid = new->fsgid = kgid; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 	else | 
					
						
							| 
									
										
											  
											
												CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management.  This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
	struct cred *new = prepare_creds();
	int ret = blah(new);
	if (ret < 0) {
		abort_creds(new);
		return ret;
	}
	return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const.  The purpose of this is compile-time
discouragement of altering credentials through those pointers.  Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
  (1) Its reference count may incremented and decremented.
  (2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
 (1) execve().
     This now prepares and commits credentials in various places in the
     security code rather than altering the current creds directly.
 (2) Temporary credential overrides.
     do_coredump() and sys_faccessat() now prepare their own credentials and
     temporarily override the ones currently on the acting thread, whilst
     preventing interference from other threads by holding cred_replace_mutex
     on the thread being dumped.
     This will be replaced in a future patch by something that hands down the
     credentials directly to the functions being called, rather than altering
     the task's objective credentials.
 (3) LSM interface.
     A number of functions have been changed, added or removed:
     (*) security_capset_check(), ->capset_check()
     (*) security_capset_set(), ->capset_set()
     	 Removed in favour of security_capset().
     (*) security_capset(), ->capset()
     	 New.  This is passed a pointer to the new creds, a pointer to the old
     	 creds and the proposed capability sets.  It should fill in the new
     	 creds or return an error.  All pointers, barring the pointer to the
     	 new creds, are now const.
     (*) security_bprm_apply_creds(), ->bprm_apply_creds()
     	 Changed; now returns a value, which will cause the process to be
     	 killed if it's an error.
     (*) security_task_alloc(), ->task_alloc_security()
     	 Removed in favour of security_prepare_creds().
     (*) security_cred_free(), ->cred_free()
     	 New.  Free security data attached to cred->security.
     (*) security_prepare_creds(), ->cred_prepare()
     	 New. Duplicate any security data attached to cred->security.
     (*) security_commit_creds(), ->cred_commit()
     	 New. Apply any security effects for the upcoming installation of new
     	 security by commit_creds().
     (*) security_task_post_setuid(), ->task_post_setuid()
     	 Removed in favour of security_task_fix_setuid().
     (*) security_task_fix_setuid(), ->task_fix_setuid()
     	 Fix up the proposed new credentials for setuid().  This is used by
     	 cap_set_fix_setuid() to implicitly adjust capabilities in line with
     	 setuid() changes.  Changes are made to the new credentials, rather
     	 than the task itself as in security_task_post_setuid().
     (*) security_task_reparent_to_init(), ->task_reparent_to_init()
     	 Removed.  Instead the task being reparented to init is referred
     	 directly to init's credentials.
	 NOTE!  This results in the loss of some state: SELinux's osid no
	 longer records the sid of the thread that forked it.
     (*) security_key_alloc(), ->key_alloc()
     (*) security_key_permission(), ->key_permission()
     	 Changed.  These now take cred pointers rather than task pointers to
     	 refer to the security context.
 (4) sys_capset().
     This has been simplified and uses less locking.  The LSM functions it
     calls have been merged.
 (5) reparent_to_kthreadd().
     This gives the current thread the same credentials as init by simply using
     commit_thread() to point that way.
 (6) __sigqueue_alloc() and switch_uid()
     __sigqueue_alloc() can't stop the target task from changing its creds
     beneath it, so this function gets a reference to the currently applicable
     user_struct which it then passes into the sigqueue struct it returns if
     successful.
     switch_uid() is now called from commit_creds(), and possibly should be
     folded into that.  commit_creds() should take care of protecting
     __sigqueue_alloc().
 (7) [sg]et[ug]id() and co and [sg]et_current_groups.
     The set functions now all use prepare_creds(), commit_creds() and
     abort_creds() to build and check a new set of credentials before applying
     it.
     security_task_set[ug]id() is called inside the prepared section.  This
     guarantees that nothing else will affect the creds until we've finished.
     The calling of set_dumpable() has been moved into commit_creds().
     Much of the functionality of set_user() has been moved into
     commit_creds().
     The get functions all simply access the data directly.
 (8) security_task_prctl() and cap_task_prctl().
     security_task_prctl() has been modified to return -ENOSYS if it doesn't
     want to handle a function, or otherwise return the return value directly
     rather than through an argument.
     Additionally, cap_task_prctl() now prepares a new set of credentials, even
     if it doesn't end up using it.
 (9) Keyrings.
     A number of changes have been made to the keyrings code:
     (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
     	 all been dropped and built in to the credentials functions directly.
     	 They may want separating out again later.
     (b) key_alloc() and search_process_keyrings() now take a cred pointer
     	 rather than a task pointer to specify the security context.
     (c) copy_creds() gives a new thread within the same thread group a new
     	 thread keyring if its parent had one, otherwise it discards the thread
     	 keyring.
     (d) The authorisation key now points directly to the credentials to extend
     	 the search into rather pointing to the task that carries them.
     (e) Installing thread, process or session keyrings causes a new set of
     	 credentials to be created, even though it's not strictly necessary for
     	 process or session keyrings (they're shared).
(10) Usermode helper.
     The usermode helper code now carries a cred struct pointer in its
     subprocess_info struct instead of a new session keyring pointer.  This set
     of credentials is derived from init_cred and installed on the new process
     after it has been cloned.
     call_usermodehelper_setup() allocates the new credentials and
     call_usermodehelper_freeinfo() discards them if they haven't been used.  A
     special cred function (prepare_usermodeinfo_creds()) is provided
     specifically for call_usermodehelper_setup() to call.
     call_usermodehelper_setkeys() adjusts the credentials to sport the
     supplied keyring as the new session keyring.
(11) SELinux.
     SELinux has a number of changes, in addition to those to support the LSM
     interface changes mentioned above:
     (a) selinux_setprocattr() no longer does its check for whether the
     	 current ptracer can access processes with the new SID inside the lock
     	 that covers getting the ptracer's SID.  Whilst this lock ensures that
     	 the check is done with the ptracer pinned, the result is only valid
     	 until the lock is released, so there's no point doing it inside the
     	 lock.
(12) is_single_threaded().
     This function has been extracted from selinux_setprocattr() and put into
     a file of its own in the lib/ directory as join_session_keyring() now
     wants to use it too.
     The code in SELinux just checked to see whether a task shared mm_structs
     with other tasks (CLONE_VM), but that isn't good enough.  We really want
     to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
     The NFS server daemon now has to use the COW credentials to set the
     credentials it is going to use.  It really needs to pass the credentials
     down to the functions it calls, but it can't do that until other patches
     in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
											
										 
											2008-11-14 10:39:23 +11:00
										 |  |  | 		goto error; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 
 | 
					
						
							| 
									
										
											  
											
												CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management.  This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
	struct cred *new = prepare_creds();
	int ret = blah(new);
	if (ret < 0) {
		abort_creds(new);
		return ret;
	}
	return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const.  The purpose of this is compile-time
discouragement of altering credentials through those pointers.  Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
  (1) Its reference count may incremented and decremented.
  (2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
 (1) execve().
     This now prepares and commits credentials in various places in the
     security code rather than altering the current creds directly.
 (2) Temporary credential overrides.
     do_coredump() and sys_faccessat() now prepare their own credentials and
     temporarily override the ones currently on the acting thread, whilst
     preventing interference from other threads by holding cred_replace_mutex
     on the thread being dumped.
     This will be replaced in a future patch by something that hands down the
     credentials directly to the functions being called, rather than altering
     the task's objective credentials.
 (3) LSM interface.
     A number of functions have been changed, added or removed:
     (*) security_capset_check(), ->capset_check()
     (*) security_capset_set(), ->capset_set()
     	 Removed in favour of security_capset().
     (*) security_capset(), ->capset()
     	 New.  This is passed a pointer to the new creds, a pointer to the old
     	 creds and the proposed capability sets.  It should fill in the new
     	 creds or return an error.  All pointers, barring the pointer to the
     	 new creds, are now const.
     (*) security_bprm_apply_creds(), ->bprm_apply_creds()
     	 Changed; now returns a value, which will cause the process to be
     	 killed if it's an error.
     (*) security_task_alloc(), ->task_alloc_security()
     	 Removed in favour of security_prepare_creds().
     (*) security_cred_free(), ->cred_free()
     	 New.  Free security data attached to cred->security.
     (*) security_prepare_creds(), ->cred_prepare()
     	 New. Duplicate any security data attached to cred->security.
     (*) security_commit_creds(), ->cred_commit()
     	 New. Apply any security effects for the upcoming installation of new
     	 security by commit_creds().
     (*) security_task_post_setuid(), ->task_post_setuid()
     	 Removed in favour of security_task_fix_setuid().
     (*) security_task_fix_setuid(), ->task_fix_setuid()
     	 Fix up the proposed new credentials for setuid().  This is used by
     	 cap_set_fix_setuid() to implicitly adjust capabilities in line with
     	 setuid() changes.  Changes are made to the new credentials, rather
     	 than the task itself as in security_task_post_setuid().
     (*) security_task_reparent_to_init(), ->task_reparent_to_init()
     	 Removed.  Instead the task being reparented to init is referred
     	 directly to init's credentials.
	 NOTE!  This results in the loss of some state: SELinux's osid no
	 longer records the sid of the thread that forked it.
     (*) security_key_alloc(), ->key_alloc()
     (*) security_key_permission(), ->key_permission()
     	 Changed.  These now take cred pointers rather than task pointers to
     	 refer to the security context.
 (4) sys_capset().
     This has been simplified and uses less locking.  The LSM functions it
     calls have been merged.
 (5) reparent_to_kthreadd().
     This gives the current thread the same credentials as init by simply using
     commit_thread() to point that way.
 (6) __sigqueue_alloc() and switch_uid()
     __sigqueue_alloc() can't stop the target task from changing its creds
     beneath it, so this function gets a reference to the currently applicable
     user_struct which it then passes into the sigqueue struct it returns if
     successful.
     switch_uid() is now called from commit_creds(), and possibly should be
     folded into that.  commit_creds() should take care of protecting
     __sigqueue_alloc().
 (7) [sg]et[ug]id() and co and [sg]et_current_groups.
     The set functions now all use prepare_creds(), commit_creds() and
     abort_creds() to build and check a new set of credentials before applying
     it.
     security_task_set[ug]id() is called inside the prepared section.  This
     guarantees that nothing else will affect the creds until we've finished.
     The calling of set_dumpable() has been moved into commit_creds().
     Much of the functionality of set_user() has been moved into
     commit_creds().
     The get functions all simply access the data directly.
 (8) security_task_prctl() and cap_task_prctl().
     security_task_prctl() has been modified to return -ENOSYS if it doesn't
     want to handle a function, or otherwise return the return value directly
     rather than through an argument.
     Additionally, cap_task_prctl() now prepares a new set of credentials, even
     if it doesn't end up using it.
 (9) Keyrings.
     A number of changes have been made to the keyrings code:
     (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
     	 all been dropped and built in to the credentials functions directly.
     	 They may want separating out again later.
     (b) key_alloc() and search_process_keyrings() now take a cred pointer
     	 rather than a task pointer to specify the security context.
     (c) copy_creds() gives a new thread within the same thread group a new
     	 thread keyring if its parent had one, otherwise it discards the thread
     	 keyring.
     (d) The authorisation key now points directly to the credentials to extend
     	 the search into rather pointing to the task that carries them.
     (e) Installing thread, process or session keyrings causes a new set of
     	 credentials to be created, even though it's not strictly necessary for
     	 process or session keyrings (they're shared).
(10) Usermode helper.
     The usermode helper code now carries a cred struct pointer in its
     subprocess_info struct instead of a new session keyring pointer.  This set
     of credentials is derived from init_cred and installed on the new process
     after it has been cloned.
     call_usermodehelper_setup() allocates the new credentials and
     call_usermodehelper_freeinfo() discards them if they haven't been used.  A
     special cred function (prepare_usermodeinfo_creds()) is provided
     specifically for call_usermodehelper_setup() to call.
     call_usermodehelper_setkeys() adjusts the credentials to sport the
     supplied keyring as the new session keyring.
(11) SELinux.
     SELinux has a number of changes, in addition to those to support the LSM
     interface changes mentioned above:
     (a) selinux_setprocattr() no longer does its check for whether the
     	 current ptracer can access processes with the new SID inside the lock
     	 that covers getting the ptracer's SID.  Whilst this lock ensures that
     	 the check is done with the ptracer pinned, the result is only valid
     	 until the lock is released, so there's no point doing it inside the
     	 lock.
(12) is_single_threaded().
     This function has been extracted from selinux_setprocattr() and put into
     a file of its own in the lib/ directory as join_session_keyring() now
     wants to use it too.
     The code in SELinux just checked to see whether a task shared mm_structs
     with other tasks (CLONE_VM), but that isn't good enough.  We really want
     to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
     The NFS server daemon now has to use the COW credentials to set the
     credentials it is going to use.  It really needs to pass the credentials
     down to the functions it calls, but it can't do that until other patches
     in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
											
										 
											2008-11-14 10:39:23 +11:00
										 |  |  | 	return commit_creds(new); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | error: | 
					
						
							|  |  |  | 	abort_creds(new); | 
					
						
							|  |  |  | 	return retval; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | } | 
					
						
							| 
									
										
										
										
											2009-02-27 15:13:54 +05:30
										 |  |  | 
 | 
					
						
							| 
									
										
											  
											
												CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management.  This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
	struct cred *new = prepare_creds();
	int ret = blah(new);
	if (ret < 0) {
		abort_creds(new);
		return ret;
	}
	return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const.  The purpose of this is compile-time
discouragement of altering credentials through those pointers.  Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
  (1) Its reference count may incremented and decremented.
  (2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
 (1) execve().
     This now prepares and commits credentials in various places in the
     security code rather than altering the current creds directly.
 (2) Temporary credential overrides.
     do_coredump() and sys_faccessat() now prepare their own credentials and
     temporarily override the ones currently on the acting thread, whilst
     preventing interference from other threads by holding cred_replace_mutex
     on the thread being dumped.
     This will be replaced in a future patch by something that hands down the
     credentials directly to the functions being called, rather than altering
     the task's objective credentials.
 (3) LSM interface.
     A number of functions have been changed, added or removed:
     (*) security_capset_check(), ->capset_check()
     (*) security_capset_set(), ->capset_set()
     	 Removed in favour of security_capset().
     (*) security_capset(), ->capset()
     	 New.  This is passed a pointer to the new creds, a pointer to the old
     	 creds and the proposed capability sets.  It should fill in the new
     	 creds or return an error.  All pointers, barring the pointer to the
     	 new creds, are now const.
     (*) security_bprm_apply_creds(), ->bprm_apply_creds()
     	 Changed; now returns a value, which will cause the process to be
     	 killed if it's an error.
     (*) security_task_alloc(), ->task_alloc_security()
     	 Removed in favour of security_prepare_creds().
     (*) security_cred_free(), ->cred_free()
     	 New.  Free security data attached to cred->security.
     (*) security_prepare_creds(), ->cred_prepare()
     	 New. Duplicate any security data attached to cred->security.
     (*) security_commit_creds(), ->cred_commit()
     	 New. Apply any security effects for the upcoming installation of new
     	 security by commit_creds().
     (*) security_task_post_setuid(), ->task_post_setuid()
     	 Removed in favour of security_task_fix_setuid().
     (*) security_task_fix_setuid(), ->task_fix_setuid()
     	 Fix up the proposed new credentials for setuid().  This is used by
     	 cap_set_fix_setuid() to implicitly adjust capabilities in line with
     	 setuid() changes.  Changes are made to the new credentials, rather
     	 than the task itself as in security_task_post_setuid().
     (*) security_task_reparent_to_init(), ->task_reparent_to_init()
     	 Removed.  Instead the task being reparented to init is referred
     	 directly to init's credentials.
	 NOTE!  This results in the loss of some state: SELinux's osid no
	 longer records the sid of the thread that forked it.
     (*) security_key_alloc(), ->key_alloc()
     (*) security_key_permission(), ->key_permission()
     	 Changed.  These now take cred pointers rather than task pointers to
     	 refer to the security context.
 (4) sys_capset().
     This has been simplified and uses less locking.  The LSM functions it
     calls have been merged.
 (5) reparent_to_kthreadd().
     This gives the current thread the same credentials as init by simply using
     commit_thread() to point that way.
 (6) __sigqueue_alloc() and switch_uid()
     __sigqueue_alloc() can't stop the target task from changing its creds
     beneath it, so this function gets a reference to the currently applicable
     user_struct which it then passes into the sigqueue struct it returns if
     successful.
     switch_uid() is now called from commit_creds(), and possibly should be
     folded into that.  commit_creds() should take care of protecting
     __sigqueue_alloc().
 (7) [sg]et[ug]id() and co and [sg]et_current_groups.
     The set functions now all use prepare_creds(), commit_creds() and
     abort_creds() to build and check a new set of credentials before applying
     it.
     security_task_set[ug]id() is called inside the prepared section.  This
     guarantees that nothing else will affect the creds until we've finished.
     The calling of set_dumpable() has been moved into commit_creds().
     Much of the functionality of set_user() has been moved into
     commit_creds().
     The get functions all simply access the data directly.
 (8) security_task_prctl() and cap_task_prctl().
     security_task_prctl() has been modified to return -ENOSYS if it doesn't
     want to handle a function, or otherwise return the return value directly
     rather than through an argument.
     Additionally, cap_task_prctl() now prepares a new set of credentials, even
     if it doesn't end up using it.
 (9) Keyrings.
     A number of changes have been made to the keyrings code:
     (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
     	 all been dropped and built in to the credentials functions directly.
     	 They may want separating out again later.
     (b) key_alloc() and search_process_keyrings() now take a cred pointer
     	 rather than a task pointer to specify the security context.
     (c) copy_creds() gives a new thread within the same thread group a new
     	 thread keyring if its parent had one, otherwise it discards the thread
     	 keyring.
     (d) The authorisation key now points directly to the credentials to extend
     	 the search into rather pointing to the task that carries them.
     (e) Installing thread, process or session keyrings causes a new set of
     	 credentials to be created, even though it's not strictly necessary for
     	 process or session keyrings (they're shared).
(10) Usermode helper.
     The usermode helper code now carries a cred struct pointer in its
     subprocess_info struct instead of a new session keyring pointer.  This set
     of credentials is derived from init_cred and installed on the new process
     after it has been cloned.
     call_usermodehelper_setup() allocates the new credentials and
     call_usermodehelper_freeinfo() discards them if they haven't been used.  A
     special cred function (prepare_usermodeinfo_creds()) is provided
     specifically for call_usermodehelper_setup() to call.
     call_usermodehelper_setkeys() adjusts the credentials to sport the
     supplied keyring as the new session keyring.
(11) SELinux.
     SELinux has a number of changes, in addition to those to support the LSM
     interface changes mentioned above:
     (a) selinux_setprocattr() no longer does its check for whether the
     	 current ptracer can access processes with the new SID inside the lock
     	 that covers getting the ptracer's SID.  Whilst this lock ensures that
     	 the check is done with the ptracer pinned, the result is only valid
     	 until the lock is released, so there's no point doing it inside the
     	 lock.
(12) is_single_threaded().
     This function has been extracted from selinux_setprocattr() and put into
     a file of its own in the lib/ directory as join_session_keyring() now
     wants to use it too.
     The code in SELinux just checked to see whether a task shared mm_structs
     with other tasks (CLONE_VM), but that isn't good enough.  We really want
     to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
     The NFS server daemon now has to use the COW credentials to set the
     credentials it is going to use.  It really needs to pass the credentials
     down to the functions it calls, but it can't do that until other patches
     in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
											
										 
											2008-11-14 10:39:23 +11:00
										 |  |  | /*
 | 
					
						
							|  |  |  |  * change the user struct in a credentials set to match the new UID | 
					
						
							|  |  |  |  */ | 
					
						
							|  |  |  | static int set_user(struct cred *new) | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | { | 
					
						
							|  |  |  | 	struct user_struct *new_user; | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-02-08 07:00:08 -08:00
										 |  |  | 	new_user = alloc_uid(new->uid); | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 	if (!new_user) | 
					
						
							|  |  |  | 		return -EAGAIN; | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-08-08 19:02:04 +04:00
										 |  |  | 	/*
 | 
					
						
							|  |  |  | 	 * We don't fail in case of NPROC limit excess here because too many | 
					
						
							|  |  |  | 	 * poorly written programs don't check set*uid() return code, assuming | 
					
						
							|  |  |  | 	 * it never fails if called by root.  We may still enforce NPROC limit | 
					
						
							|  |  |  | 	 * for programs doing set*uid()+execve() by harmlessly deferring the | 
					
						
							|  |  |  | 	 * failure to the execve() stage. | 
					
						
							|  |  |  | 	 */ | 
					
						
							| 
									
										
										
										
											2010-03-05 13:42:54 -08:00
										 |  |  | 	if (atomic_read(&new_user->processes) >= rlimit(RLIMIT_NPROC) && | 
					
						
							| 
									
										
										
										
											2011-08-08 19:02:04 +04:00
										 |  |  | 			new_user != INIT_USER) | 
					
						
							|  |  |  | 		current->flags |= PF_NPROC_EXCEEDED; | 
					
						
							|  |  |  | 	else | 
					
						
							|  |  |  | 		current->flags &= ~PF_NPROC_EXCEEDED; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 
 | 
					
						
							| 
									
										
											  
											
												CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management.  This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
	struct cred *new = prepare_creds();
	int ret = blah(new);
	if (ret < 0) {
		abort_creds(new);
		return ret;
	}
	return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const.  The purpose of this is compile-time
discouragement of altering credentials through those pointers.  Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
  (1) Its reference count may incremented and decremented.
  (2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
 (1) execve().
     This now prepares and commits credentials in various places in the
     security code rather than altering the current creds directly.
 (2) Temporary credential overrides.
     do_coredump() and sys_faccessat() now prepare their own credentials and
     temporarily override the ones currently on the acting thread, whilst
     preventing interference from other threads by holding cred_replace_mutex
     on the thread being dumped.
     This will be replaced in a future patch by something that hands down the
     credentials directly to the functions being called, rather than altering
     the task's objective credentials.
 (3) LSM interface.
     A number of functions have been changed, added or removed:
     (*) security_capset_check(), ->capset_check()
     (*) security_capset_set(), ->capset_set()
     	 Removed in favour of security_capset().
     (*) security_capset(), ->capset()
     	 New.  This is passed a pointer to the new creds, a pointer to the old
     	 creds and the proposed capability sets.  It should fill in the new
     	 creds or return an error.  All pointers, barring the pointer to the
     	 new creds, are now const.
     (*) security_bprm_apply_creds(), ->bprm_apply_creds()
     	 Changed; now returns a value, which will cause the process to be
     	 killed if it's an error.
     (*) security_task_alloc(), ->task_alloc_security()
     	 Removed in favour of security_prepare_creds().
     (*) security_cred_free(), ->cred_free()
     	 New.  Free security data attached to cred->security.
     (*) security_prepare_creds(), ->cred_prepare()
     	 New. Duplicate any security data attached to cred->security.
     (*) security_commit_creds(), ->cred_commit()
     	 New. Apply any security effects for the upcoming installation of new
     	 security by commit_creds().
     (*) security_task_post_setuid(), ->task_post_setuid()
     	 Removed in favour of security_task_fix_setuid().
     (*) security_task_fix_setuid(), ->task_fix_setuid()
     	 Fix up the proposed new credentials for setuid().  This is used by
     	 cap_set_fix_setuid() to implicitly adjust capabilities in line with
     	 setuid() changes.  Changes are made to the new credentials, rather
     	 than the task itself as in security_task_post_setuid().
     (*) security_task_reparent_to_init(), ->task_reparent_to_init()
     	 Removed.  Instead the task being reparented to init is referred
     	 directly to init's credentials.
	 NOTE!  This results in the loss of some state: SELinux's osid no
	 longer records the sid of the thread that forked it.
     (*) security_key_alloc(), ->key_alloc()
     (*) security_key_permission(), ->key_permission()
     	 Changed.  These now take cred pointers rather than task pointers to
     	 refer to the security context.
 (4) sys_capset().
     This has been simplified and uses less locking.  The LSM functions it
     calls have been merged.
 (5) reparent_to_kthreadd().
     This gives the current thread the same credentials as init by simply using
     commit_thread() to point that way.
 (6) __sigqueue_alloc() and switch_uid()
     __sigqueue_alloc() can't stop the target task from changing its creds
     beneath it, so this function gets a reference to the currently applicable
     user_struct which it then passes into the sigqueue struct it returns if
     successful.
     switch_uid() is now called from commit_creds(), and possibly should be
     folded into that.  commit_creds() should take care of protecting
     __sigqueue_alloc().
 (7) [sg]et[ug]id() and co and [sg]et_current_groups.
     The set functions now all use prepare_creds(), commit_creds() and
     abort_creds() to build and check a new set of credentials before applying
     it.
     security_task_set[ug]id() is called inside the prepared section.  This
     guarantees that nothing else will affect the creds until we've finished.
     The calling of set_dumpable() has been moved into commit_creds().
     Much of the functionality of set_user() has been moved into
     commit_creds().
     The get functions all simply access the data directly.
 (8) security_task_prctl() and cap_task_prctl().
     security_task_prctl() has been modified to return -ENOSYS if it doesn't
     want to handle a function, or otherwise return the return value directly
     rather than through an argument.
     Additionally, cap_task_prctl() now prepares a new set of credentials, even
     if it doesn't end up using it.
 (9) Keyrings.
     A number of changes have been made to the keyrings code:
     (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
     	 all been dropped and built in to the credentials functions directly.
     	 They may want separating out again later.
     (b) key_alloc() and search_process_keyrings() now take a cred pointer
     	 rather than a task pointer to specify the security context.
     (c) copy_creds() gives a new thread within the same thread group a new
     	 thread keyring if its parent had one, otherwise it discards the thread
     	 keyring.
     (d) The authorisation key now points directly to the credentials to extend
     	 the search into rather pointing to the task that carries them.
     (e) Installing thread, process or session keyrings causes a new set of
     	 credentials to be created, even though it's not strictly necessary for
     	 process or session keyrings (they're shared).
(10) Usermode helper.
     The usermode helper code now carries a cred struct pointer in its
     subprocess_info struct instead of a new session keyring pointer.  This set
     of credentials is derived from init_cred and installed on the new process
     after it has been cloned.
     call_usermodehelper_setup() allocates the new credentials and
     call_usermodehelper_freeinfo() discards them if they haven't been used.  A
     special cred function (prepare_usermodeinfo_creds()) is provided
     specifically for call_usermodehelper_setup() to call.
     call_usermodehelper_setkeys() adjusts the credentials to sport the
     supplied keyring as the new session keyring.
(11) SELinux.
     SELinux has a number of changes, in addition to those to support the LSM
     interface changes mentioned above:
     (a) selinux_setprocattr() no longer does its check for whether the
     	 current ptracer can access processes with the new SID inside the lock
     	 that covers getting the ptracer's SID.  Whilst this lock ensures that
     	 the check is done with the ptracer pinned, the result is only valid
     	 until the lock is released, so there's no point doing it inside the
     	 lock.
(12) is_single_threaded().
     This function has been extracted from selinux_setprocattr() and put into
     a file of its own in the lib/ directory as join_session_keyring() now
     wants to use it too.
     The code in SELinux just checked to see whether a task shared mm_structs
     with other tasks (CLONE_VM), but that isn't good enough.  We really want
     to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
     The NFS server daemon now has to use the COW credentials to set the
     credentials it is going to use.  It really needs to pass the credentials
     down to the functions it calls, but it can't do that until other patches
     in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
											
										 
											2008-11-14 10:39:23 +11:00
										 |  |  | 	free_uid(new->user); | 
					
						
							|  |  |  | 	new->user = new_user; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 	return 0; | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | /*
 | 
					
						
							|  |  |  |  * Unprivileged users may change the real uid to the effective uid | 
					
						
							|  |  |  |  * or vice versa.  (BSD-style) | 
					
						
							|  |  |  |  * | 
					
						
							|  |  |  |  * If you set the real uid at all, or set the effective uid to a value not | 
					
						
							|  |  |  |  * equal to the real uid, then the saved uid is set to the new effective uid. | 
					
						
							|  |  |  |  * | 
					
						
							|  |  |  |  * This makes it possible for a setuid program to completely drop its | 
					
						
							|  |  |  |  * privileges, which is often a useful assertion to make when you are doing | 
					
						
							|  |  |  |  * a security audit over a program. | 
					
						
							|  |  |  |  * | 
					
						
							|  |  |  |  * The general idea is that a program which uses just setreuid() will be | 
					
						
							|  |  |  |  * 100% compatible with BSD.  A program which uses just setuid() will be | 
					
						
							|  |  |  |  * 100% compatible with POSIX with saved IDs.  | 
					
						
							|  |  |  |  */ | 
					
						
							| 
									
										
										
										
											2009-01-14 14:14:05 +01:00
										 |  |  | SYSCALL_DEFINE2(setreuid, uid_t, ruid, uid_t, euid) | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | { | 
					
						
							| 
									
										
										
											
												userns: Convert setting and getting uid and gid system calls to use kuid and kgid
Convert setregid, setgid, setreuid, setuid,
setresuid, getresuid, setresgid, getresgid, setfsuid, setfsgid,
getuid, geteuid, getgid, getegid,
waitpid, waitid, wait4.
Convert userspace uids and gids into kuids and kgids before
being placed on struct cred.  Convert struct cred kuids and
kgids into userspace uids and gids when returning them.
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
											
										 
											2012-02-07 18:51:01 -08:00
										 |  |  | 	struct user_namespace *ns = current_user_ns(); | 
					
						
							| 
									
										
											  
											
												CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management.  This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
	struct cred *new = prepare_creds();
	int ret = blah(new);
	if (ret < 0) {
		abort_creds(new);
		return ret;
	}
	return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const.  The purpose of this is compile-time
discouragement of altering credentials through those pointers.  Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
  (1) Its reference count may incremented and decremented.
  (2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
 (1) execve().
     This now prepares and commits credentials in various places in the
     security code rather than altering the current creds directly.
 (2) Temporary credential overrides.
     do_coredump() and sys_faccessat() now prepare their own credentials and
     temporarily override the ones currently on the acting thread, whilst
     preventing interference from other threads by holding cred_replace_mutex
     on the thread being dumped.
     This will be replaced in a future patch by something that hands down the
     credentials directly to the functions being called, rather than altering
     the task's objective credentials.
 (3) LSM interface.
     A number of functions have been changed, added or removed:
     (*) security_capset_check(), ->capset_check()
     (*) security_capset_set(), ->capset_set()
     	 Removed in favour of security_capset().
     (*) security_capset(), ->capset()
     	 New.  This is passed a pointer to the new creds, a pointer to the old
     	 creds and the proposed capability sets.  It should fill in the new
     	 creds or return an error.  All pointers, barring the pointer to the
     	 new creds, are now const.
     (*) security_bprm_apply_creds(), ->bprm_apply_creds()
     	 Changed; now returns a value, which will cause the process to be
     	 killed if it's an error.
     (*) security_task_alloc(), ->task_alloc_security()
     	 Removed in favour of security_prepare_creds().
     (*) security_cred_free(), ->cred_free()
     	 New.  Free security data attached to cred->security.
     (*) security_prepare_creds(), ->cred_prepare()
     	 New. Duplicate any security data attached to cred->security.
     (*) security_commit_creds(), ->cred_commit()
     	 New. Apply any security effects for the upcoming installation of new
     	 security by commit_creds().
     (*) security_task_post_setuid(), ->task_post_setuid()
     	 Removed in favour of security_task_fix_setuid().
     (*) security_task_fix_setuid(), ->task_fix_setuid()
     	 Fix up the proposed new credentials for setuid().  This is used by
     	 cap_set_fix_setuid() to implicitly adjust capabilities in line with
     	 setuid() changes.  Changes are made to the new credentials, rather
     	 than the task itself as in security_task_post_setuid().
     (*) security_task_reparent_to_init(), ->task_reparent_to_init()
     	 Removed.  Instead the task being reparented to init is referred
     	 directly to init's credentials.
	 NOTE!  This results in the loss of some state: SELinux's osid no
	 longer records the sid of the thread that forked it.
     (*) security_key_alloc(), ->key_alloc()
     (*) security_key_permission(), ->key_permission()
     	 Changed.  These now take cred pointers rather than task pointers to
     	 refer to the security context.
 (4) sys_capset().
     This has been simplified and uses less locking.  The LSM functions it
     calls have been merged.
 (5) reparent_to_kthreadd().
     This gives the current thread the same credentials as init by simply using
     commit_thread() to point that way.
 (6) __sigqueue_alloc() and switch_uid()
     __sigqueue_alloc() can't stop the target task from changing its creds
     beneath it, so this function gets a reference to the currently applicable
     user_struct which it then passes into the sigqueue struct it returns if
     successful.
     switch_uid() is now called from commit_creds(), and possibly should be
     folded into that.  commit_creds() should take care of protecting
     __sigqueue_alloc().
 (7) [sg]et[ug]id() and co and [sg]et_current_groups.
     The set functions now all use prepare_creds(), commit_creds() and
     abort_creds() to build and check a new set of credentials before applying
     it.
     security_task_set[ug]id() is called inside the prepared section.  This
     guarantees that nothing else will affect the creds until we've finished.
     The calling of set_dumpable() has been moved into commit_creds().
     Much of the functionality of set_user() has been moved into
     commit_creds().
     The get functions all simply access the data directly.
 (8) security_task_prctl() and cap_task_prctl().
     security_task_prctl() has been modified to return -ENOSYS if it doesn't
     want to handle a function, or otherwise return the return value directly
     rather than through an argument.
     Additionally, cap_task_prctl() now prepares a new set of credentials, even
     if it doesn't end up using it.
 (9) Keyrings.
     A number of changes have been made to the keyrings code:
     (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
     	 all been dropped and built in to the credentials functions directly.
     	 They may want separating out again later.
     (b) key_alloc() and search_process_keyrings() now take a cred pointer
     	 rather than a task pointer to specify the security context.
     (c) copy_creds() gives a new thread within the same thread group a new
     	 thread keyring if its parent had one, otherwise it discards the thread
     	 keyring.
     (d) The authorisation key now points directly to the credentials to extend
     	 the search into rather pointing to the task that carries them.
     (e) Installing thread, process or session keyrings causes a new set of
     	 credentials to be created, even though it's not strictly necessary for
     	 process or session keyrings (they're shared).
(10) Usermode helper.
     The usermode helper code now carries a cred struct pointer in its
     subprocess_info struct instead of a new session keyring pointer.  This set
     of credentials is derived from init_cred and installed on the new process
     after it has been cloned.
     call_usermodehelper_setup() allocates the new credentials and
     call_usermodehelper_freeinfo() discards them if they haven't been used.  A
     special cred function (prepare_usermodeinfo_creds()) is provided
     specifically for call_usermodehelper_setup() to call.
     call_usermodehelper_setkeys() adjusts the credentials to sport the
     supplied keyring as the new session keyring.
(11) SELinux.
     SELinux has a number of changes, in addition to those to support the LSM
     interface changes mentioned above:
     (a) selinux_setprocattr() no longer does its check for whether the
     	 current ptracer can access processes with the new SID inside the lock
     	 that covers getting the ptracer's SID.  Whilst this lock ensures that
     	 the check is done with the ptracer pinned, the result is only valid
     	 until the lock is released, so there's no point doing it inside the
     	 lock.
(12) is_single_threaded().
     This function has been extracted from selinux_setprocattr() and put into
     a file of its own in the lib/ directory as join_session_keyring() now
     wants to use it too.
     The code in SELinux just checked to see whether a task shared mm_structs
     with other tasks (CLONE_VM), but that isn't good enough.  We really want
     to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
     The NFS server daemon now has to use the COW credentials to set the
     credentials it is going to use.  It really needs to pass the credentials
     down to the functions it calls, but it can't do that until other patches
     in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
											
										 
											2008-11-14 10:39:23 +11:00
										 |  |  | 	const struct cred *old; | 
					
						
							|  |  |  | 	struct cred *new; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 	int retval; | 
					
						
							| 
									
										
										
											
												userns: Convert setting and getting uid and gid system calls to use kuid and kgid
Convert setregid, setgid, setreuid, setuid,
setresuid, getresuid, setresgid, getresgid, setfsuid, setfsgid,
getuid, geteuid, getgid, getegid,
waitpid, waitid, wait4.
Convert userspace uids and gids into kuids and kgids before
being placed on struct cred.  Convert struct cred kuids and
kgids into userspace uids and gids when returning them.
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
											
										 
											2012-02-07 18:51:01 -08:00
										 |  |  | 	kuid_t kruid, keuid; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	kruid = make_kuid(ns, ruid); | 
					
						
							|  |  |  | 	keuid = make_kuid(ns, euid); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	if ((ruid != (uid_t) -1) && !uid_valid(kruid)) | 
					
						
							|  |  |  | 		return -EINVAL; | 
					
						
							|  |  |  | 	if ((euid != (uid_t) -1) && !uid_valid(keuid)) | 
					
						
							|  |  |  | 		return -EINVAL; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 
 | 
					
						
							| 
									
										
											  
											
												CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management.  This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
	struct cred *new = prepare_creds();
	int ret = blah(new);
	if (ret < 0) {
		abort_creds(new);
		return ret;
	}
	return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const.  The purpose of this is compile-time
discouragement of altering credentials through those pointers.  Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
  (1) Its reference count may incremented and decremented.
  (2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
 (1) execve().
     This now prepares and commits credentials in various places in the
     security code rather than altering the current creds directly.
 (2) Temporary credential overrides.
     do_coredump() and sys_faccessat() now prepare their own credentials and
     temporarily override the ones currently on the acting thread, whilst
     preventing interference from other threads by holding cred_replace_mutex
     on the thread being dumped.
     This will be replaced in a future patch by something that hands down the
     credentials directly to the functions being called, rather than altering
     the task's objective credentials.
 (3) LSM interface.
     A number of functions have been changed, added or removed:
     (*) security_capset_check(), ->capset_check()
     (*) security_capset_set(), ->capset_set()
     	 Removed in favour of security_capset().
     (*) security_capset(), ->capset()
     	 New.  This is passed a pointer to the new creds, a pointer to the old
     	 creds and the proposed capability sets.  It should fill in the new
     	 creds or return an error.  All pointers, barring the pointer to the
     	 new creds, are now const.
     (*) security_bprm_apply_creds(), ->bprm_apply_creds()
     	 Changed; now returns a value, which will cause the process to be
     	 killed if it's an error.
     (*) security_task_alloc(), ->task_alloc_security()
     	 Removed in favour of security_prepare_creds().
     (*) security_cred_free(), ->cred_free()
     	 New.  Free security data attached to cred->security.
     (*) security_prepare_creds(), ->cred_prepare()
     	 New. Duplicate any security data attached to cred->security.
     (*) security_commit_creds(), ->cred_commit()
     	 New. Apply any security effects for the upcoming installation of new
     	 security by commit_creds().
     (*) security_task_post_setuid(), ->task_post_setuid()
     	 Removed in favour of security_task_fix_setuid().
     (*) security_task_fix_setuid(), ->task_fix_setuid()
     	 Fix up the proposed new credentials for setuid().  This is used by
     	 cap_set_fix_setuid() to implicitly adjust capabilities in line with
     	 setuid() changes.  Changes are made to the new credentials, rather
     	 than the task itself as in security_task_post_setuid().
     (*) security_task_reparent_to_init(), ->task_reparent_to_init()
     	 Removed.  Instead the task being reparented to init is referred
     	 directly to init's credentials.
	 NOTE!  This results in the loss of some state: SELinux's osid no
	 longer records the sid of the thread that forked it.
     (*) security_key_alloc(), ->key_alloc()
     (*) security_key_permission(), ->key_permission()
     	 Changed.  These now take cred pointers rather than task pointers to
     	 refer to the security context.
 (4) sys_capset().
     This has been simplified and uses less locking.  The LSM functions it
     calls have been merged.
 (5) reparent_to_kthreadd().
     This gives the current thread the same credentials as init by simply using
     commit_thread() to point that way.
 (6) __sigqueue_alloc() and switch_uid()
     __sigqueue_alloc() can't stop the target task from changing its creds
     beneath it, so this function gets a reference to the currently applicable
     user_struct which it then passes into the sigqueue struct it returns if
     successful.
     switch_uid() is now called from commit_creds(), and possibly should be
     folded into that.  commit_creds() should take care of protecting
     __sigqueue_alloc().
 (7) [sg]et[ug]id() and co and [sg]et_current_groups.
     The set functions now all use prepare_creds(), commit_creds() and
     abort_creds() to build and check a new set of credentials before applying
     it.
     security_task_set[ug]id() is called inside the prepared section.  This
     guarantees that nothing else will affect the creds until we've finished.
     The calling of set_dumpable() has been moved into commit_creds().
     Much of the functionality of set_user() has been moved into
     commit_creds().
     The get functions all simply access the data directly.
 (8) security_task_prctl() and cap_task_prctl().
     security_task_prctl() has been modified to return -ENOSYS if it doesn't
     want to handle a function, or otherwise return the return value directly
     rather than through an argument.
     Additionally, cap_task_prctl() now prepares a new set of credentials, even
     if it doesn't end up using it.
 (9) Keyrings.
     A number of changes have been made to the keyrings code:
     (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
     	 all been dropped and built in to the credentials functions directly.
     	 They may want separating out again later.
     (b) key_alloc() and search_process_keyrings() now take a cred pointer
     	 rather than a task pointer to specify the security context.
     (c) copy_creds() gives a new thread within the same thread group a new
     	 thread keyring if its parent had one, otherwise it discards the thread
     	 keyring.
     (d) The authorisation key now points directly to the credentials to extend
     	 the search into rather pointing to the task that carries them.
     (e) Installing thread, process or session keyrings causes a new set of
     	 credentials to be created, even though it's not strictly necessary for
     	 process or session keyrings (they're shared).
(10) Usermode helper.
     The usermode helper code now carries a cred struct pointer in its
     subprocess_info struct instead of a new session keyring pointer.  This set
     of credentials is derived from init_cred and installed on the new process
     after it has been cloned.
     call_usermodehelper_setup() allocates the new credentials and
     call_usermodehelper_freeinfo() discards them if they haven't been used.  A
     special cred function (prepare_usermodeinfo_creds()) is provided
     specifically for call_usermodehelper_setup() to call.
     call_usermodehelper_setkeys() adjusts the credentials to sport the
     supplied keyring as the new session keyring.
(11) SELinux.
     SELinux has a number of changes, in addition to those to support the LSM
     interface changes mentioned above:
     (a) selinux_setprocattr() no longer does its check for whether the
     	 current ptracer can access processes with the new SID inside the lock
     	 that covers getting the ptracer's SID.  Whilst this lock ensures that
     	 the check is done with the ptracer pinned, the result is only valid
     	 until the lock is released, so there's no point doing it inside the
     	 lock.
(12) is_single_threaded().
     This function has been extracted from selinux_setprocattr() and put into
     a file of its own in the lib/ directory as join_session_keyring() now
     wants to use it too.
     The code in SELinux just checked to see whether a task shared mm_structs
     with other tasks (CLONE_VM), but that isn't good enough.  We really want
     to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
     The NFS server daemon now has to use the COW credentials to set the
     credentials it is going to use.  It really needs to pass the credentials
     down to the functions it calls, but it can't do that until other patches
     in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
											
										 
											2008-11-14 10:39:23 +11:00
										 |  |  | 	new = prepare_creds(); | 
					
						
							|  |  |  | 	if (!new) | 
					
						
							|  |  |  | 		return -ENOMEM; | 
					
						
							|  |  |  | 	old = current_cred(); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	retval = -EPERM; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 	if (ruid != (uid_t) -1) { | 
					
						
							| 
									
										
										
											
												userns: Convert setting and getting uid and gid system calls to use kuid and kgid
Convert setregid, setgid, setreuid, setuid,
setresuid, getresuid, setresgid, getresgid, setfsuid, setfsgid,
getuid, geteuid, getgid, getegid,
waitpid, waitid, wait4.
Convert userspace uids and gids into kuids and kgids before
being placed on struct cred.  Convert struct cred kuids and
kgids into userspace uids and gids when returning them.
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
											
										 
											2012-02-07 18:51:01 -08:00
										 |  |  | 		new->uid = kruid; | 
					
						
							|  |  |  | 		if (!uid_eq(old->uid, kruid) && | 
					
						
							|  |  |  | 		    !uid_eq(old->euid, kruid) && | 
					
						
							| 
									
										
										
										
											2013-03-20 12:49:49 -07:00
										 |  |  | 		    !ns_capable(old->user_ns, CAP_SETUID)) | 
					
						
							| 
									
										
											  
											
												CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management.  This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
	struct cred *new = prepare_creds();
	int ret = blah(new);
	if (ret < 0) {
		abort_creds(new);
		return ret;
	}
	return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const.  The purpose of this is compile-time
discouragement of altering credentials through those pointers.  Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
  (1) Its reference count may incremented and decremented.
  (2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
 (1) execve().
     This now prepares and commits credentials in various places in the
     security code rather than altering the current creds directly.
 (2) Temporary credential overrides.
     do_coredump() and sys_faccessat() now prepare their own credentials and
     temporarily override the ones currently on the acting thread, whilst
     preventing interference from other threads by holding cred_replace_mutex
     on the thread being dumped.
     This will be replaced in a future patch by something that hands down the
     credentials directly to the functions being called, rather than altering
     the task's objective credentials.
 (3) LSM interface.
     A number of functions have been changed, added or removed:
     (*) security_capset_check(), ->capset_check()
     (*) security_capset_set(), ->capset_set()
     	 Removed in favour of security_capset().
     (*) security_capset(), ->capset()
     	 New.  This is passed a pointer to the new creds, a pointer to the old
     	 creds and the proposed capability sets.  It should fill in the new
     	 creds or return an error.  All pointers, barring the pointer to the
     	 new creds, are now const.
     (*) security_bprm_apply_creds(), ->bprm_apply_creds()
     	 Changed; now returns a value, which will cause the process to be
     	 killed if it's an error.
     (*) security_task_alloc(), ->task_alloc_security()
     	 Removed in favour of security_prepare_creds().
     (*) security_cred_free(), ->cred_free()
     	 New.  Free security data attached to cred->security.
     (*) security_prepare_creds(), ->cred_prepare()
     	 New. Duplicate any security data attached to cred->security.
     (*) security_commit_creds(), ->cred_commit()
     	 New. Apply any security effects for the upcoming installation of new
     	 security by commit_creds().
     (*) security_task_post_setuid(), ->task_post_setuid()
     	 Removed in favour of security_task_fix_setuid().
     (*) security_task_fix_setuid(), ->task_fix_setuid()
     	 Fix up the proposed new credentials for setuid().  This is used by
     	 cap_set_fix_setuid() to implicitly adjust capabilities in line with
     	 setuid() changes.  Changes are made to the new credentials, rather
     	 than the task itself as in security_task_post_setuid().
     (*) security_task_reparent_to_init(), ->task_reparent_to_init()
     	 Removed.  Instead the task being reparented to init is referred
     	 directly to init's credentials.
	 NOTE!  This results in the loss of some state: SELinux's osid no
	 longer records the sid of the thread that forked it.
     (*) security_key_alloc(), ->key_alloc()
     (*) security_key_permission(), ->key_permission()
     	 Changed.  These now take cred pointers rather than task pointers to
     	 refer to the security context.
 (4) sys_capset().
     This has been simplified and uses less locking.  The LSM functions it
     calls have been merged.
 (5) reparent_to_kthreadd().
     This gives the current thread the same credentials as init by simply using
     commit_thread() to point that way.
 (6) __sigqueue_alloc() and switch_uid()
     __sigqueue_alloc() can't stop the target task from changing its creds
     beneath it, so this function gets a reference to the currently applicable
     user_struct which it then passes into the sigqueue struct it returns if
     successful.
     switch_uid() is now called from commit_creds(), and possibly should be
     folded into that.  commit_creds() should take care of protecting
     __sigqueue_alloc().
 (7) [sg]et[ug]id() and co and [sg]et_current_groups.
     The set functions now all use prepare_creds(), commit_creds() and
     abort_creds() to build and check a new set of credentials before applying
     it.
     security_task_set[ug]id() is called inside the prepared section.  This
     guarantees that nothing else will affect the creds until we've finished.
     The calling of set_dumpable() has been moved into commit_creds().
     Much of the functionality of set_user() has been moved into
     commit_creds().
     The get functions all simply access the data directly.
 (8) security_task_prctl() and cap_task_prctl().
     security_task_prctl() has been modified to return -ENOSYS if it doesn't
     want to handle a function, or otherwise return the return value directly
     rather than through an argument.
     Additionally, cap_task_prctl() now prepares a new set of credentials, even
     if it doesn't end up using it.
 (9) Keyrings.
     A number of changes have been made to the keyrings code:
     (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
     	 all been dropped and built in to the credentials functions directly.
     	 They may want separating out again later.
     (b) key_alloc() and search_process_keyrings() now take a cred pointer
     	 rather than a task pointer to specify the security context.
     (c) copy_creds() gives a new thread within the same thread group a new
     	 thread keyring if its parent had one, otherwise it discards the thread
     	 keyring.
     (d) The authorisation key now points directly to the credentials to extend
     	 the search into rather pointing to the task that carries them.
     (e) Installing thread, process or session keyrings causes a new set of
     	 credentials to be created, even though it's not strictly necessary for
     	 process or session keyrings (they're shared).
(10) Usermode helper.
     The usermode helper code now carries a cred struct pointer in its
     subprocess_info struct instead of a new session keyring pointer.  This set
     of credentials is derived from init_cred and installed on the new process
     after it has been cloned.
     call_usermodehelper_setup() allocates the new credentials and
     call_usermodehelper_freeinfo() discards them if they haven't been used.  A
     special cred function (prepare_usermodeinfo_creds()) is provided
     specifically for call_usermodehelper_setup() to call.
     call_usermodehelper_setkeys() adjusts the credentials to sport the
     supplied keyring as the new session keyring.
(11) SELinux.
     SELinux has a number of changes, in addition to those to support the LSM
     interface changes mentioned above:
     (a) selinux_setprocattr() no longer does its check for whether the
     	 current ptracer can access processes with the new SID inside the lock
     	 that covers getting the ptracer's SID.  Whilst this lock ensures that
     	 the check is done with the ptracer pinned, the result is only valid
     	 until the lock is released, so there's no point doing it inside the
     	 lock.
(12) is_single_threaded().
     This function has been extracted from selinux_setprocattr() and put into
     a file of its own in the lib/ directory as join_session_keyring() now
     wants to use it too.
     The code in SELinux just checked to see whether a task shared mm_structs
     with other tasks (CLONE_VM), but that isn't good enough.  We really want
     to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
     The NFS server daemon now has to use the COW credentials to set the
     credentials it is going to use.  It really needs to pass the credentials
     down to the functions it calls, but it can't do that until other patches
     in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
											
										 
											2008-11-14 10:39:23 +11:00
										 |  |  | 			goto error; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	if (euid != (uid_t) -1) { | 
					
						
							| 
									
										
										
											
												userns: Convert setting and getting uid and gid system calls to use kuid and kgid
Convert setregid, setgid, setreuid, setuid,
setresuid, getresuid, setresgid, getresgid, setfsuid, setfsgid,
getuid, geteuid, getgid, getegid,
waitpid, waitid, wait4.
Convert userspace uids and gids into kuids and kgids before
being placed on struct cred.  Convert struct cred kuids and
kgids into userspace uids and gids when returning them.
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
											
										 
											2012-02-07 18:51:01 -08:00
										 |  |  | 		new->euid = keuid; | 
					
						
							|  |  |  | 		if (!uid_eq(old->uid, keuid) && | 
					
						
							|  |  |  | 		    !uid_eq(old->euid, keuid) && | 
					
						
							|  |  |  | 		    !uid_eq(old->suid, keuid) && | 
					
						
							| 
									
										
										
										
											2013-03-20 12:49:49 -07:00
										 |  |  | 		    !ns_capable(old->user_ns, CAP_SETUID)) | 
					
						
							| 
									
										
											  
											
												CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management.  This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
	struct cred *new = prepare_creds();
	int ret = blah(new);
	if (ret < 0) {
		abort_creds(new);
		return ret;
	}
	return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const.  The purpose of this is compile-time
discouragement of altering credentials through those pointers.  Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
  (1) Its reference count may incremented and decremented.
  (2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
 (1) execve().
     This now prepares and commits credentials in various places in the
     security code rather than altering the current creds directly.
 (2) Temporary credential overrides.
     do_coredump() and sys_faccessat() now prepare their own credentials and
     temporarily override the ones currently on the acting thread, whilst
     preventing interference from other threads by holding cred_replace_mutex
     on the thread being dumped.
     This will be replaced in a future patch by something that hands down the
     credentials directly to the functions being called, rather than altering
     the task's objective credentials.
 (3) LSM interface.
     A number of functions have been changed, added or removed:
     (*) security_capset_check(), ->capset_check()
     (*) security_capset_set(), ->capset_set()
     	 Removed in favour of security_capset().
     (*) security_capset(), ->capset()
     	 New.  This is passed a pointer to the new creds, a pointer to the old
     	 creds and the proposed capability sets.  It should fill in the new
     	 creds or return an error.  All pointers, barring the pointer to the
     	 new creds, are now const.
     (*) security_bprm_apply_creds(), ->bprm_apply_creds()
     	 Changed; now returns a value, which will cause the process to be
     	 killed if it's an error.
     (*) security_task_alloc(), ->task_alloc_security()
     	 Removed in favour of security_prepare_creds().
     (*) security_cred_free(), ->cred_free()
     	 New.  Free security data attached to cred->security.
     (*) security_prepare_creds(), ->cred_prepare()
     	 New. Duplicate any security data attached to cred->security.
     (*) security_commit_creds(), ->cred_commit()
     	 New. Apply any security effects for the upcoming installation of new
     	 security by commit_creds().
     (*) security_task_post_setuid(), ->task_post_setuid()
     	 Removed in favour of security_task_fix_setuid().
     (*) security_task_fix_setuid(), ->task_fix_setuid()
     	 Fix up the proposed new credentials for setuid().  This is used by
     	 cap_set_fix_setuid() to implicitly adjust capabilities in line with
     	 setuid() changes.  Changes are made to the new credentials, rather
     	 than the task itself as in security_task_post_setuid().
     (*) security_task_reparent_to_init(), ->task_reparent_to_init()
     	 Removed.  Instead the task being reparented to init is referred
     	 directly to init's credentials.
	 NOTE!  This results in the loss of some state: SELinux's osid no
	 longer records the sid of the thread that forked it.
     (*) security_key_alloc(), ->key_alloc()
     (*) security_key_permission(), ->key_permission()
     	 Changed.  These now take cred pointers rather than task pointers to
     	 refer to the security context.
 (4) sys_capset().
     This has been simplified and uses less locking.  The LSM functions it
     calls have been merged.
 (5) reparent_to_kthreadd().
     This gives the current thread the same credentials as init by simply using
     commit_thread() to point that way.
 (6) __sigqueue_alloc() and switch_uid()
     __sigqueue_alloc() can't stop the target task from changing its creds
     beneath it, so this function gets a reference to the currently applicable
     user_struct which it then passes into the sigqueue struct it returns if
     successful.
     switch_uid() is now called from commit_creds(), and possibly should be
     folded into that.  commit_creds() should take care of protecting
     __sigqueue_alloc().
 (7) [sg]et[ug]id() and co and [sg]et_current_groups.
     The set functions now all use prepare_creds(), commit_creds() and
     abort_creds() to build and check a new set of credentials before applying
     it.
     security_task_set[ug]id() is called inside the prepared section.  This
     guarantees that nothing else will affect the creds until we've finished.
     The calling of set_dumpable() has been moved into commit_creds().
     Much of the functionality of set_user() has been moved into
     commit_creds().
     The get functions all simply access the data directly.
 (8) security_task_prctl() and cap_task_prctl().
     security_task_prctl() has been modified to return -ENOSYS if it doesn't
     want to handle a function, or otherwise return the return value directly
     rather than through an argument.
     Additionally, cap_task_prctl() now prepares a new set of credentials, even
     if it doesn't end up using it.
 (9) Keyrings.
     A number of changes have been made to the keyrings code:
     (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
     	 all been dropped and built in to the credentials functions directly.
     	 They may want separating out again later.
     (b) key_alloc() and search_process_keyrings() now take a cred pointer
     	 rather than a task pointer to specify the security context.
     (c) copy_creds() gives a new thread within the same thread group a new
     	 thread keyring if its parent had one, otherwise it discards the thread
     	 keyring.
     (d) The authorisation key now points directly to the credentials to extend
     	 the search into rather pointing to the task that carries them.
     (e) Installing thread, process or session keyrings causes a new set of
     	 credentials to be created, even though it's not strictly necessary for
     	 process or session keyrings (they're shared).
(10) Usermode helper.
     The usermode helper code now carries a cred struct pointer in its
     subprocess_info struct instead of a new session keyring pointer.  This set
     of credentials is derived from init_cred and installed on the new process
     after it has been cloned.
     call_usermodehelper_setup() allocates the new credentials and
     call_usermodehelper_freeinfo() discards them if they haven't been used.  A
     special cred function (prepare_usermodeinfo_creds()) is provided
     specifically for call_usermodehelper_setup() to call.
     call_usermodehelper_setkeys() adjusts the credentials to sport the
     supplied keyring as the new session keyring.
(11) SELinux.
     SELinux has a number of changes, in addition to those to support the LSM
     interface changes mentioned above:
     (a) selinux_setprocattr() no longer does its check for whether the
     	 current ptracer can access processes with the new SID inside the lock
     	 that covers getting the ptracer's SID.  Whilst this lock ensures that
     	 the check is done with the ptracer pinned, the result is only valid
     	 until the lock is released, so there's no point doing it inside the
     	 lock.
(12) is_single_threaded().
     This function has been extracted from selinux_setprocattr() and put into
     a file of its own in the lib/ directory as join_session_keyring() now
     wants to use it too.
     The code in SELinux just checked to see whether a task shared mm_structs
     with other tasks (CLONE_VM), but that isn't good enough.  We really want
     to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
     The NFS server daemon now has to use the COW credentials to set the
     credentials it is going to use.  It really needs to pass the credentials
     down to the functions it calls, but it can't do that until other patches
     in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
											
										 
											2008-11-14 10:39:23 +11:00
										 |  |  | 			goto error; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
											
												userns: Convert setting and getting uid and gid system calls to use kuid and kgid
Convert setregid, setgid, setreuid, setuid,
setresuid, getresuid, setresgid, getresgid, setfsuid, setfsgid,
getuid, geteuid, getgid, getegid,
waitpid, waitid, wait4.
Convert userspace uids and gids into kuids and kgids before
being placed on struct cred.  Convert struct cred kuids and
kgids into userspace uids and gids when returning them.
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
											
										 
											2012-02-07 18:51:01 -08:00
										 |  |  | 	if (!uid_eq(new->uid, old->uid)) { | 
					
						
							| 
									
										
										
										
											2009-02-27 15:13:54 +05:30
										 |  |  | 		retval = set_user(new); | 
					
						
							|  |  |  | 		if (retval < 0) | 
					
						
							|  |  |  | 			goto error; | 
					
						
							|  |  |  | 	} | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 	if (ruid != (uid_t) -1 || | 
					
						
							| 
									
										
										
											
												userns: Convert setting and getting uid and gid system calls to use kuid and kgid
Convert setregid, setgid, setreuid, setuid,
setresuid, getresuid, setresgid, getresgid, setfsuid, setfsgid,
getuid, geteuid, getgid, getegid,
waitpid, waitid, wait4.
Convert userspace uids and gids into kuids and kgids before
being placed on struct cred.  Convert struct cred kuids and
kgids into userspace uids and gids when returning them.
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
											
										 
											2012-02-07 18:51:01 -08:00
										 |  |  | 	    (euid != (uid_t) -1 && !uid_eq(keuid, old->uid))) | 
					
						
							| 
									
										
											  
											
												CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management.  This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
	struct cred *new = prepare_creds();
	int ret = blah(new);
	if (ret < 0) {
		abort_creds(new);
		return ret;
	}
	return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const.  The purpose of this is compile-time
discouragement of altering credentials through those pointers.  Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
  (1) Its reference count may incremented and decremented.
  (2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
 (1) execve().
     This now prepares and commits credentials in various places in the
     security code rather than altering the current creds directly.
 (2) Temporary credential overrides.
     do_coredump() and sys_faccessat() now prepare their own credentials and
     temporarily override the ones currently on the acting thread, whilst
     preventing interference from other threads by holding cred_replace_mutex
     on the thread being dumped.
     This will be replaced in a future patch by something that hands down the
     credentials directly to the functions being called, rather than altering
     the task's objective credentials.
 (3) LSM interface.
     A number of functions have been changed, added or removed:
     (*) security_capset_check(), ->capset_check()
     (*) security_capset_set(), ->capset_set()
     	 Removed in favour of security_capset().
     (*) security_capset(), ->capset()
     	 New.  This is passed a pointer to the new creds, a pointer to the old
     	 creds and the proposed capability sets.  It should fill in the new
     	 creds or return an error.  All pointers, barring the pointer to the
     	 new creds, are now const.
     (*) security_bprm_apply_creds(), ->bprm_apply_creds()
     	 Changed; now returns a value, which will cause the process to be
     	 killed if it's an error.
     (*) security_task_alloc(), ->task_alloc_security()
     	 Removed in favour of security_prepare_creds().
     (*) security_cred_free(), ->cred_free()
     	 New.  Free security data attached to cred->security.
     (*) security_prepare_creds(), ->cred_prepare()
     	 New. Duplicate any security data attached to cred->security.
     (*) security_commit_creds(), ->cred_commit()
     	 New. Apply any security effects for the upcoming installation of new
     	 security by commit_creds().
     (*) security_task_post_setuid(), ->task_post_setuid()
     	 Removed in favour of security_task_fix_setuid().
     (*) security_task_fix_setuid(), ->task_fix_setuid()
     	 Fix up the proposed new credentials for setuid().  This is used by
     	 cap_set_fix_setuid() to implicitly adjust capabilities in line with
     	 setuid() changes.  Changes are made to the new credentials, rather
     	 than the task itself as in security_task_post_setuid().
     (*) security_task_reparent_to_init(), ->task_reparent_to_init()
     	 Removed.  Instead the task being reparented to init is referred
     	 directly to init's credentials.
	 NOTE!  This results in the loss of some state: SELinux's osid no
	 longer records the sid of the thread that forked it.
     (*) security_key_alloc(), ->key_alloc()
     (*) security_key_permission(), ->key_permission()
     	 Changed.  These now take cred pointers rather than task pointers to
     	 refer to the security context.
 (4) sys_capset().
     This has been simplified and uses less locking.  The LSM functions it
     calls have been merged.
 (5) reparent_to_kthreadd().
     This gives the current thread the same credentials as init by simply using
     commit_thread() to point that way.
 (6) __sigqueue_alloc() and switch_uid()
     __sigqueue_alloc() can't stop the target task from changing its creds
     beneath it, so this function gets a reference to the currently applicable
     user_struct which it then passes into the sigqueue struct it returns if
     successful.
     switch_uid() is now called from commit_creds(), and possibly should be
     folded into that.  commit_creds() should take care of protecting
     __sigqueue_alloc().
 (7) [sg]et[ug]id() and co and [sg]et_current_groups.
     The set functions now all use prepare_creds(), commit_creds() and
     abort_creds() to build and check a new set of credentials before applying
     it.
     security_task_set[ug]id() is called inside the prepared section.  This
     guarantees that nothing else will affect the creds until we've finished.
     The calling of set_dumpable() has been moved into commit_creds().
     Much of the functionality of set_user() has been moved into
     commit_creds().
     The get functions all simply access the data directly.
 (8) security_task_prctl() and cap_task_prctl().
     security_task_prctl() has been modified to return -ENOSYS if it doesn't
     want to handle a function, or otherwise return the return value directly
     rather than through an argument.
     Additionally, cap_task_prctl() now prepares a new set of credentials, even
     if it doesn't end up using it.
 (9) Keyrings.
     A number of changes have been made to the keyrings code:
     (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
     	 all been dropped and built in to the credentials functions directly.
     	 They may want separating out again later.
     (b) key_alloc() and search_process_keyrings() now take a cred pointer
     	 rather than a task pointer to specify the security context.
     (c) copy_creds() gives a new thread within the same thread group a new
     	 thread keyring if its parent had one, otherwise it discards the thread
     	 keyring.
     (d) The authorisation key now points directly to the credentials to extend
     	 the search into rather pointing to the task that carries them.
     (e) Installing thread, process or session keyrings causes a new set of
     	 credentials to be created, even though it's not strictly necessary for
     	 process or session keyrings (they're shared).
(10) Usermode helper.
     The usermode helper code now carries a cred struct pointer in its
     subprocess_info struct instead of a new session keyring pointer.  This set
     of credentials is derived from init_cred and installed on the new process
     after it has been cloned.
     call_usermodehelper_setup() allocates the new credentials and
     call_usermodehelper_freeinfo() discards them if they haven't been used.  A
     special cred function (prepare_usermodeinfo_creds()) is provided
     specifically for call_usermodehelper_setup() to call.
     call_usermodehelper_setkeys() adjusts the credentials to sport the
     supplied keyring as the new session keyring.
(11) SELinux.
     SELinux has a number of changes, in addition to those to support the LSM
     interface changes mentioned above:
     (a) selinux_setprocattr() no longer does its check for whether the
     	 current ptracer can access processes with the new SID inside the lock
     	 that covers getting the ptracer's SID.  Whilst this lock ensures that
     	 the check is done with the ptracer pinned, the result is only valid
     	 until the lock is released, so there's no point doing it inside the
     	 lock.
(12) is_single_threaded().
     This function has been extracted from selinux_setprocattr() and put into
     a file of its own in the lib/ directory as join_session_keyring() now
     wants to use it too.
     The code in SELinux just checked to see whether a task shared mm_structs
     with other tasks (CLONE_VM), but that isn't good enough.  We really want
     to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
     The NFS server daemon now has to use the COW credentials to set the
     credentials it is going to use.  It really needs to pass the credentials
     down to the functions it calls, but it can't do that until other patches
     in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
											
										 
											2008-11-14 10:39:23 +11:00
										 |  |  | 		new->suid = new->euid; | 
					
						
							|  |  |  | 	new->fsuid = new->euid; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 
 | 
					
						
							| 
									
										
											  
											
												CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management.  This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
	struct cred *new = prepare_creds();
	int ret = blah(new);
	if (ret < 0) {
		abort_creds(new);
		return ret;
	}
	return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const.  The purpose of this is compile-time
discouragement of altering credentials through those pointers.  Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
  (1) Its reference count may incremented and decremented.
  (2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
 (1) execve().
     This now prepares and commits credentials in various places in the
     security code rather than altering the current creds directly.
 (2) Temporary credential overrides.
     do_coredump() and sys_faccessat() now prepare their own credentials and
     temporarily override the ones currently on the acting thread, whilst
     preventing interference from other threads by holding cred_replace_mutex
     on the thread being dumped.
     This will be replaced in a future patch by something that hands down the
     credentials directly to the functions being called, rather than altering
     the task's objective credentials.
 (3) LSM interface.
     A number of functions have been changed, added or removed:
     (*) security_capset_check(), ->capset_check()
     (*) security_capset_set(), ->capset_set()
     	 Removed in favour of security_capset().
     (*) security_capset(), ->capset()
     	 New.  This is passed a pointer to the new creds, a pointer to the old
     	 creds and the proposed capability sets.  It should fill in the new
     	 creds or return an error.  All pointers, barring the pointer to the
     	 new creds, are now const.
     (*) security_bprm_apply_creds(), ->bprm_apply_creds()
     	 Changed; now returns a value, which will cause the process to be
     	 killed if it's an error.
     (*) security_task_alloc(), ->task_alloc_security()
     	 Removed in favour of security_prepare_creds().
     (*) security_cred_free(), ->cred_free()
     	 New.  Free security data attached to cred->security.
     (*) security_prepare_creds(), ->cred_prepare()
     	 New. Duplicate any security data attached to cred->security.
     (*) security_commit_creds(), ->cred_commit()
     	 New. Apply any security effects for the upcoming installation of new
     	 security by commit_creds().
     (*) security_task_post_setuid(), ->task_post_setuid()
     	 Removed in favour of security_task_fix_setuid().
     (*) security_task_fix_setuid(), ->task_fix_setuid()
     	 Fix up the proposed new credentials for setuid().  This is used by
     	 cap_set_fix_setuid() to implicitly adjust capabilities in line with
     	 setuid() changes.  Changes are made to the new credentials, rather
     	 than the task itself as in security_task_post_setuid().
     (*) security_task_reparent_to_init(), ->task_reparent_to_init()
     	 Removed.  Instead the task being reparented to init is referred
     	 directly to init's credentials.
	 NOTE!  This results in the loss of some state: SELinux's osid no
	 longer records the sid of the thread that forked it.
     (*) security_key_alloc(), ->key_alloc()
     (*) security_key_permission(), ->key_permission()
     	 Changed.  These now take cred pointers rather than task pointers to
     	 refer to the security context.
 (4) sys_capset().
     This has been simplified and uses less locking.  The LSM functions it
     calls have been merged.
 (5) reparent_to_kthreadd().
     This gives the current thread the same credentials as init by simply using
     commit_thread() to point that way.
 (6) __sigqueue_alloc() and switch_uid()
     __sigqueue_alloc() can't stop the target task from changing its creds
     beneath it, so this function gets a reference to the currently applicable
     user_struct which it then passes into the sigqueue struct it returns if
     successful.
     switch_uid() is now called from commit_creds(), and possibly should be
     folded into that.  commit_creds() should take care of protecting
     __sigqueue_alloc().
 (7) [sg]et[ug]id() and co and [sg]et_current_groups.
     The set functions now all use prepare_creds(), commit_creds() and
     abort_creds() to build and check a new set of credentials before applying
     it.
     security_task_set[ug]id() is called inside the prepared section.  This
     guarantees that nothing else will affect the creds until we've finished.
     The calling of set_dumpable() has been moved into commit_creds().
     Much of the functionality of set_user() has been moved into
     commit_creds().
     The get functions all simply access the data directly.
 (8) security_task_prctl() and cap_task_prctl().
     security_task_prctl() has been modified to return -ENOSYS if it doesn't
     want to handle a function, or otherwise return the return value directly
     rather than through an argument.
     Additionally, cap_task_prctl() now prepares a new set of credentials, even
     if it doesn't end up using it.
 (9) Keyrings.
     A number of changes have been made to the keyrings code:
     (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
     	 all been dropped and built in to the credentials functions directly.
     	 They may want separating out again later.
     (b) key_alloc() and search_process_keyrings() now take a cred pointer
     	 rather than a task pointer to specify the security context.
     (c) copy_creds() gives a new thread within the same thread group a new
     	 thread keyring if its parent had one, otherwise it discards the thread
     	 keyring.
     (d) The authorisation key now points directly to the credentials to extend
     	 the search into rather pointing to the task that carries them.
     (e) Installing thread, process or session keyrings causes a new set of
     	 credentials to be created, even though it's not strictly necessary for
     	 process or session keyrings (they're shared).
(10) Usermode helper.
     The usermode helper code now carries a cred struct pointer in its
     subprocess_info struct instead of a new session keyring pointer.  This set
     of credentials is derived from init_cred and installed on the new process
     after it has been cloned.
     call_usermodehelper_setup() allocates the new credentials and
     call_usermodehelper_freeinfo() discards them if they haven't been used.  A
     special cred function (prepare_usermodeinfo_creds()) is provided
     specifically for call_usermodehelper_setup() to call.
     call_usermodehelper_setkeys() adjusts the credentials to sport the
     supplied keyring as the new session keyring.
(11) SELinux.
     SELinux has a number of changes, in addition to those to support the LSM
     interface changes mentioned above:
     (a) selinux_setprocattr() no longer does its check for whether the
     	 current ptracer can access processes with the new SID inside the lock
     	 that covers getting the ptracer's SID.  Whilst this lock ensures that
     	 the check is done with the ptracer pinned, the result is only valid
     	 until the lock is released, so there's no point doing it inside the
     	 lock.
(12) is_single_threaded().
     This function has been extracted from selinux_setprocattr() and put into
     a file of its own in the lib/ directory as join_session_keyring() now
     wants to use it too.
     The code in SELinux just checked to see whether a task shared mm_structs
     with other tasks (CLONE_VM), but that isn't good enough.  We really want
     to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
     The NFS server daemon now has to use the COW credentials to set the
     credentials it is going to use.  It really needs to pass the credentials
     down to the functions it calls, but it can't do that until other patches
     in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
											
										 
											2008-11-14 10:39:23 +11:00
										 |  |  | 	retval = security_task_fix_setuid(new, old, LSM_SETID_RE); | 
					
						
							|  |  |  | 	if (retval < 0) | 
					
						
							|  |  |  | 		goto error; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 
 | 
					
						
							| 
									
										
											  
											
												CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management.  This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
	struct cred *new = prepare_creds();
	int ret = blah(new);
	if (ret < 0) {
		abort_creds(new);
		return ret;
	}
	return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const.  The purpose of this is compile-time
discouragement of altering credentials through those pointers.  Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
  (1) Its reference count may incremented and decremented.
  (2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
 (1) execve().
     This now prepares and commits credentials in various places in the
     security code rather than altering the current creds directly.
 (2) Temporary credential overrides.
     do_coredump() and sys_faccessat() now prepare their own credentials and
     temporarily override the ones currently on the acting thread, whilst
     preventing interference from other threads by holding cred_replace_mutex
     on the thread being dumped.
     This will be replaced in a future patch by something that hands down the
     credentials directly to the functions being called, rather than altering
     the task's objective credentials.
 (3) LSM interface.
     A number of functions have been changed, added or removed:
     (*) security_capset_check(), ->capset_check()
     (*) security_capset_set(), ->capset_set()
     	 Removed in favour of security_capset().
     (*) security_capset(), ->capset()
     	 New.  This is passed a pointer to the new creds, a pointer to the old
     	 creds and the proposed capability sets.  It should fill in the new
     	 creds or return an error.  All pointers, barring the pointer to the
     	 new creds, are now const.
     (*) security_bprm_apply_creds(), ->bprm_apply_creds()
     	 Changed; now returns a value, which will cause the process to be
     	 killed if it's an error.
     (*) security_task_alloc(), ->task_alloc_security()
     	 Removed in favour of security_prepare_creds().
     (*) security_cred_free(), ->cred_free()
     	 New.  Free security data attached to cred->security.
     (*) security_prepare_creds(), ->cred_prepare()
     	 New. Duplicate any security data attached to cred->security.
     (*) security_commit_creds(), ->cred_commit()
     	 New. Apply any security effects for the upcoming installation of new
     	 security by commit_creds().
     (*) security_task_post_setuid(), ->task_post_setuid()
     	 Removed in favour of security_task_fix_setuid().
     (*) security_task_fix_setuid(), ->task_fix_setuid()
     	 Fix up the proposed new credentials for setuid().  This is used by
     	 cap_set_fix_setuid() to implicitly adjust capabilities in line with
     	 setuid() changes.  Changes are made to the new credentials, rather
     	 than the task itself as in security_task_post_setuid().
     (*) security_task_reparent_to_init(), ->task_reparent_to_init()
     	 Removed.  Instead the task being reparented to init is referred
     	 directly to init's credentials.
	 NOTE!  This results in the loss of some state: SELinux's osid no
	 longer records the sid of the thread that forked it.
     (*) security_key_alloc(), ->key_alloc()
     (*) security_key_permission(), ->key_permission()
     	 Changed.  These now take cred pointers rather than task pointers to
     	 refer to the security context.
 (4) sys_capset().
     This has been simplified and uses less locking.  The LSM functions it
     calls have been merged.
 (5) reparent_to_kthreadd().
     This gives the current thread the same credentials as init by simply using
     commit_thread() to point that way.
 (6) __sigqueue_alloc() and switch_uid()
     __sigqueue_alloc() can't stop the target task from changing its creds
     beneath it, so this function gets a reference to the currently applicable
     user_struct which it then passes into the sigqueue struct it returns if
     successful.
     switch_uid() is now called from commit_creds(), and possibly should be
     folded into that.  commit_creds() should take care of protecting
     __sigqueue_alloc().
 (7) [sg]et[ug]id() and co and [sg]et_current_groups.
     The set functions now all use prepare_creds(), commit_creds() and
     abort_creds() to build and check a new set of credentials before applying
     it.
     security_task_set[ug]id() is called inside the prepared section.  This
     guarantees that nothing else will affect the creds until we've finished.
     The calling of set_dumpable() has been moved into commit_creds().
     Much of the functionality of set_user() has been moved into
     commit_creds().
     The get functions all simply access the data directly.
 (8) security_task_prctl() and cap_task_prctl().
     security_task_prctl() has been modified to return -ENOSYS if it doesn't
     want to handle a function, or otherwise return the return value directly
     rather than through an argument.
     Additionally, cap_task_prctl() now prepares a new set of credentials, even
     if it doesn't end up using it.
 (9) Keyrings.
     A number of changes have been made to the keyrings code:
     (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
     	 all been dropped and built in to the credentials functions directly.
     	 They may want separating out again later.
     (b) key_alloc() and search_process_keyrings() now take a cred pointer
     	 rather than a task pointer to specify the security context.
     (c) copy_creds() gives a new thread within the same thread group a new
     	 thread keyring if its parent had one, otherwise it discards the thread
     	 keyring.
     (d) The authorisation key now points directly to the credentials to extend
     	 the search into rather pointing to the task that carries them.
     (e) Installing thread, process or session keyrings causes a new set of
     	 credentials to be created, even though it's not strictly necessary for
     	 process or session keyrings (they're shared).
(10) Usermode helper.
     The usermode helper code now carries a cred struct pointer in its
     subprocess_info struct instead of a new session keyring pointer.  This set
     of credentials is derived from init_cred and installed on the new process
     after it has been cloned.
     call_usermodehelper_setup() allocates the new credentials and
     call_usermodehelper_freeinfo() discards them if they haven't been used.  A
     special cred function (prepare_usermodeinfo_creds()) is provided
     specifically for call_usermodehelper_setup() to call.
     call_usermodehelper_setkeys() adjusts the credentials to sport the
     supplied keyring as the new session keyring.
(11) SELinux.
     SELinux has a number of changes, in addition to those to support the LSM
     interface changes mentioned above:
     (a) selinux_setprocattr() no longer does its check for whether the
     	 current ptracer can access processes with the new SID inside the lock
     	 that covers getting the ptracer's SID.  Whilst this lock ensures that
     	 the check is done with the ptracer pinned, the result is only valid
     	 until the lock is released, so there's no point doing it inside the
     	 lock.
(12) is_single_threaded().
     This function has been extracted from selinux_setprocattr() and put into
     a file of its own in the lib/ directory as join_session_keyring() now
     wants to use it too.
     The code in SELinux just checked to see whether a task shared mm_structs
     with other tasks (CLONE_VM), but that isn't good enough.  We really want
     to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
     The NFS server daemon now has to use the COW credentials to set the
     credentials it is going to use.  It really needs to pass the credentials
     down to the functions it calls, but it can't do that until other patches
     in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
											
										 
											2008-11-14 10:39:23 +11:00
										 |  |  | 	return commit_creds(new); | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 
 | 
					
						
							| 
									
										
											  
											
												CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management.  This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
	struct cred *new = prepare_creds();
	int ret = blah(new);
	if (ret < 0) {
		abort_creds(new);
		return ret;
	}
	return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const.  The purpose of this is compile-time
discouragement of altering credentials through those pointers.  Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
  (1) Its reference count may incremented and decremented.
  (2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
 (1) execve().
     This now prepares and commits credentials in various places in the
     security code rather than altering the current creds directly.
 (2) Temporary credential overrides.
     do_coredump() and sys_faccessat() now prepare their own credentials and
     temporarily override the ones currently on the acting thread, whilst
     preventing interference from other threads by holding cred_replace_mutex
     on the thread being dumped.
     This will be replaced in a future patch by something that hands down the
     credentials directly to the functions being called, rather than altering
     the task's objective credentials.
 (3) LSM interface.
     A number of functions have been changed, added or removed:
     (*) security_capset_check(), ->capset_check()
     (*) security_capset_set(), ->capset_set()
     	 Removed in favour of security_capset().
     (*) security_capset(), ->capset()
     	 New.  This is passed a pointer to the new creds, a pointer to the old
     	 creds and the proposed capability sets.  It should fill in the new
     	 creds or return an error.  All pointers, barring the pointer to the
     	 new creds, are now const.
     (*) security_bprm_apply_creds(), ->bprm_apply_creds()
     	 Changed; now returns a value, which will cause the process to be
     	 killed if it's an error.
     (*) security_task_alloc(), ->task_alloc_security()
     	 Removed in favour of security_prepare_creds().
     (*) security_cred_free(), ->cred_free()
     	 New.  Free security data attached to cred->security.
     (*) security_prepare_creds(), ->cred_prepare()
     	 New. Duplicate any security data attached to cred->security.
     (*) security_commit_creds(), ->cred_commit()
     	 New. Apply any security effects for the upcoming installation of new
     	 security by commit_creds().
     (*) security_task_post_setuid(), ->task_post_setuid()
     	 Removed in favour of security_task_fix_setuid().
     (*) security_task_fix_setuid(), ->task_fix_setuid()
     	 Fix up the proposed new credentials for setuid().  This is used by
     	 cap_set_fix_setuid() to implicitly adjust capabilities in line with
     	 setuid() changes.  Changes are made to the new credentials, rather
     	 than the task itself as in security_task_post_setuid().
     (*) security_task_reparent_to_init(), ->task_reparent_to_init()
     	 Removed.  Instead the task being reparented to init is referred
     	 directly to init's credentials.
	 NOTE!  This results in the loss of some state: SELinux's osid no
	 longer records the sid of the thread that forked it.
     (*) security_key_alloc(), ->key_alloc()
     (*) security_key_permission(), ->key_permission()
     	 Changed.  These now take cred pointers rather than task pointers to
     	 refer to the security context.
 (4) sys_capset().
     This has been simplified and uses less locking.  The LSM functions it
     calls have been merged.
 (5) reparent_to_kthreadd().
     This gives the current thread the same credentials as init by simply using
     commit_thread() to point that way.
 (6) __sigqueue_alloc() and switch_uid()
     __sigqueue_alloc() can't stop the target task from changing its creds
     beneath it, so this function gets a reference to the currently applicable
     user_struct which it then passes into the sigqueue struct it returns if
     successful.
     switch_uid() is now called from commit_creds(), and possibly should be
     folded into that.  commit_creds() should take care of protecting
     __sigqueue_alloc().
 (7) [sg]et[ug]id() and co and [sg]et_current_groups.
     The set functions now all use prepare_creds(), commit_creds() and
     abort_creds() to build and check a new set of credentials before applying
     it.
     security_task_set[ug]id() is called inside the prepared section.  This
     guarantees that nothing else will affect the creds until we've finished.
     The calling of set_dumpable() has been moved into commit_creds().
     Much of the functionality of set_user() has been moved into
     commit_creds().
     The get functions all simply access the data directly.
 (8) security_task_prctl() and cap_task_prctl().
     security_task_prctl() has been modified to return -ENOSYS if it doesn't
     want to handle a function, or otherwise return the return value directly
     rather than through an argument.
     Additionally, cap_task_prctl() now prepares a new set of credentials, even
     if it doesn't end up using it.
 (9) Keyrings.
     A number of changes have been made to the keyrings code:
     (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
     	 all been dropped and built in to the credentials functions directly.
     	 They may want separating out again later.
     (b) key_alloc() and search_process_keyrings() now take a cred pointer
     	 rather than a task pointer to specify the security context.
     (c) copy_creds() gives a new thread within the same thread group a new
     	 thread keyring if its parent had one, otherwise it discards the thread
     	 keyring.
     (d) The authorisation key now points directly to the credentials to extend
     	 the search into rather pointing to the task that carries them.
     (e) Installing thread, process or session keyrings causes a new set of
     	 credentials to be created, even though it's not strictly necessary for
     	 process or session keyrings (they're shared).
(10) Usermode helper.
     The usermode helper code now carries a cred struct pointer in its
     subprocess_info struct instead of a new session keyring pointer.  This set
     of credentials is derived from init_cred and installed on the new process
     after it has been cloned.
     call_usermodehelper_setup() allocates the new credentials and
     call_usermodehelper_freeinfo() discards them if they haven't been used.  A
     special cred function (prepare_usermodeinfo_creds()) is provided
     specifically for call_usermodehelper_setup() to call.
     call_usermodehelper_setkeys() adjusts the credentials to sport the
     supplied keyring as the new session keyring.
(11) SELinux.
     SELinux has a number of changes, in addition to those to support the LSM
     interface changes mentioned above:
     (a) selinux_setprocattr() no longer does its check for whether the
     	 current ptracer can access processes with the new SID inside the lock
     	 that covers getting the ptracer's SID.  Whilst this lock ensures that
     	 the check is done with the ptracer pinned, the result is only valid
     	 until the lock is released, so there's no point doing it inside the
     	 lock.
(12) is_single_threaded().
     This function has been extracted from selinux_setprocattr() and put into
     a file of its own in the lib/ directory as join_session_keyring() now
     wants to use it too.
     The code in SELinux just checked to see whether a task shared mm_structs
     with other tasks (CLONE_VM), but that isn't good enough.  We really want
     to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
     The NFS server daemon now has to use the COW credentials to set the
     credentials it is going to use.  It really needs to pass the credentials
     down to the functions it calls, but it can't do that until other patches
     in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
											
										 
											2008-11-14 10:39:23 +11:00
										 |  |  | error: | 
					
						
							|  |  |  | 	abort_creds(new); | 
					
						
							|  |  |  | 	return retval; | 
					
						
							|  |  |  | } | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 		 | 
					
						
							|  |  |  | /*
 | 
					
						
							|  |  |  |  * setuid() is implemented like SysV with SAVED_IDS  | 
					
						
							|  |  |  |  *  | 
					
						
							|  |  |  |  * Note that SAVED_ID's is deficient in that a setuid root program | 
					
						
							|  |  |  |  * like sendmail, for example, cannot set its uid to be a normal  | 
					
						
							|  |  |  |  * user and then switch back, because if you're root, setuid() sets | 
					
						
							|  |  |  |  * the saved uid too.  If you don't like this, blame the bright people | 
					
						
							|  |  |  |  * in the POSIX committee and/or USG.  Note that the BSD-style setreuid() | 
					
						
							|  |  |  |  * will allow a root program to temporarily drop privileges and be able to | 
					
						
							|  |  |  |  * regain them by swapping the real and effective uid.   | 
					
						
							|  |  |  |  */ | 
					
						
							| 
									
										
										
										
											2009-01-14 14:14:05 +01:00
										 |  |  | SYSCALL_DEFINE1(setuid, uid_t, uid) | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | { | 
					
						
							| 
									
										
										
											
												userns: Convert setting and getting uid and gid system calls to use kuid and kgid
Convert setregid, setgid, setreuid, setuid,
setresuid, getresuid, setresgid, getresgid, setfsuid, setfsgid,
getuid, geteuid, getgid, getegid,
waitpid, waitid, wait4.
Convert userspace uids and gids into kuids and kgids before
being placed on struct cred.  Convert struct cred kuids and
kgids into userspace uids and gids when returning them.
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
											
										 
											2012-02-07 18:51:01 -08:00
										 |  |  | 	struct user_namespace *ns = current_user_ns(); | 
					
						
							| 
									
										
											  
											
												CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management.  This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
	struct cred *new = prepare_creds();
	int ret = blah(new);
	if (ret < 0) {
		abort_creds(new);
		return ret;
	}
	return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const.  The purpose of this is compile-time
discouragement of altering credentials through those pointers.  Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
  (1) Its reference count may incremented and decremented.
  (2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
 (1) execve().
     This now prepares and commits credentials in various places in the
     security code rather than altering the current creds directly.
 (2) Temporary credential overrides.
     do_coredump() and sys_faccessat() now prepare their own credentials and
     temporarily override the ones currently on the acting thread, whilst
     preventing interference from other threads by holding cred_replace_mutex
     on the thread being dumped.
     This will be replaced in a future patch by something that hands down the
     credentials directly to the functions being called, rather than altering
     the task's objective credentials.
 (3) LSM interface.
     A number of functions have been changed, added or removed:
     (*) security_capset_check(), ->capset_check()
     (*) security_capset_set(), ->capset_set()
     	 Removed in favour of security_capset().
     (*) security_capset(), ->capset()
     	 New.  This is passed a pointer to the new creds, a pointer to the old
     	 creds and the proposed capability sets.  It should fill in the new
     	 creds or return an error.  All pointers, barring the pointer to the
     	 new creds, are now const.
     (*) security_bprm_apply_creds(), ->bprm_apply_creds()
     	 Changed; now returns a value, which will cause the process to be
     	 killed if it's an error.
     (*) security_task_alloc(), ->task_alloc_security()
     	 Removed in favour of security_prepare_creds().
     (*) security_cred_free(), ->cred_free()
     	 New.  Free security data attached to cred->security.
     (*) security_prepare_creds(), ->cred_prepare()
     	 New. Duplicate any security data attached to cred->security.
     (*) security_commit_creds(), ->cred_commit()
     	 New. Apply any security effects for the upcoming installation of new
     	 security by commit_creds().
     (*) security_task_post_setuid(), ->task_post_setuid()
     	 Removed in favour of security_task_fix_setuid().
     (*) security_task_fix_setuid(), ->task_fix_setuid()
     	 Fix up the proposed new credentials for setuid().  This is used by
     	 cap_set_fix_setuid() to implicitly adjust capabilities in line with
     	 setuid() changes.  Changes are made to the new credentials, rather
     	 than the task itself as in security_task_post_setuid().
     (*) security_task_reparent_to_init(), ->task_reparent_to_init()
     	 Removed.  Instead the task being reparented to init is referred
     	 directly to init's credentials.
	 NOTE!  This results in the loss of some state: SELinux's osid no
	 longer records the sid of the thread that forked it.
     (*) security_key_alloc(), ->key_alloc()
     (*) security_key_permission(), ->key_permission()
     	 Changed.  These now take cred pointers rather than task pointers to
     	 refer to the security context.
 (4) sys_capset().
     This has been simplified and uses less locking.  The LSM functions it
     calls have been merged.
 (5) reparent_to_kthreadd().
     This gives the current thread the same credentials as init by simply using
     commit_thread() to point that way.
 (6) __sigqueue_alloc() and switch_uid()
     __sigqueue_alloc() can't stop the target task from changing its creds
     beneath it, so this function gets a reference to the currently applicable
     user_struct which it then passes into the sigqueue struct it returns if
     successful.
     switch_uid() is now called from commit_creds(), and possibly should be
     folded into that.  commit_creds() should take care of protecting
     __sigqueue_alloc().
 (7) [sg]et[ug]id() and co and [sg]et_current_groups.
     The set functions now all use prepare_creds(), commit_creds() and
     abort_creds() to build and check a new set of credentials before applying
     it.
     security_task_set[ug]id() is called inside the prepared section.  This
     guarantees that nothing else will affect the creds until we've finished.
     The calling of set_dumpable() has been moved into commit_creds().
     Much of the functionality of set_user() has been moved into
     commit_creds().
     The get functions all simply access the data directly.
 (8) security_task_prctl() and cap_task_prctl().
     security_task_prctl() has been modified to return -ENOSYS if it doesn't
     want to handle a function, or otherwise return the return value directly
     rather than through an argument.
     Additionally, cap_task_prctl() now prepares a new set of credentials, even
     if it doesn't end up using it.
 (9) Keyrings.
     A number of changes have been made to the keyrings code:
     (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
     	 all been dropped and built in to the credentials functions directly.
     	 They may want separating out again later.
     (b) key_alloc() and search_process_keyrings() now take a cred pointer
     	 rather than a task pointer to specify the security context.
     (c) copy_creds() gives a new thread within the same thread group a new
     	 thread keyring if its parent had one, otherwise it discards the thread
     	 keyring.
     (d) The authorisation key now points directly to the credentials to extend
     	 the search into rather pointing to the task that carries them.
     (e) Installing thread, process or session keyrings causes a new set of
     	 credentials to be created, even though it's not strictly necessary for
     	 process or session keyrings (they're shared).
(10) Usermode helper.
     The usermode helper code now carries a cred struct pointer in its
     subprocess_info struct instead of a new session keyring pointer.  This set
     of credentials is derived from init_cred and installed on the new process
     after it has been cloned.
     call_usermodehelper_setup() allocates the new credentials and
     call_usermodehelper_freeinfo() discards them if they haven't been used.  A
     special cred function (prepare_usermodeinfo_creds()) is provided
     specifically for call_usermodehelper_setup() to call.
     call_usermodehelper_setkeys() adjusts the credentials to sport the
     supplied keyring as the new session keyring.
(11) SELinux.
     SELinux has a number of changes, in addition to those to support the LSM
     interface changes mentioned above:
     (a) selinux_setprocattr() no longer does its check for whether the
     	 current ptracer can access processes with the new SID inside the lock
     	 that covers getting the ptracer's SID.  Whilst this lock ensures that
     	 the check is done with the ptracer pinned, the result is only valid
     	 until the lock is released, so there's no point doing it inside the
     	 lock.
(12) is_single_threaded().
     This function has been extracted from selinux_setprocattr() and put into
     a file of its own in the lib/ directory as join_session_keyring() now
     wants to use it too.
     The code in SELinux just checked to see whether a task shared mm_structs
     with other tasks (CLONE_VM), but that isn't good enough.  We really want
     to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
     The NFS server daemon now has to use the COW credentials to set the
     credentials it is going to use.  It really needs to pass the credentials
     down to the functions it calls, but it can't do that until other patches
     in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
											
										 
											2008-11-14 10:39:23 +11:00
										 |  |  | 	const struct cred *old; | 
					
						
							|  |  |  | 	struct cred *new; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 	int retval; | 
					
						
							| 
									
										
										
											
												userns: Convert setting and getting uid and gid system calls to use kuid and kgid
Convert setregid, setgid, setreuid, setuid,
setresuid, getresuid, setresgid, getresgid, setfsuid, setfsgid,
getuid, geteuid, getgid, getegid,
waitpid, waitid, wait4.
Convert userspace uids and gids into kuids and kgids before
being placed on struct cred.  Convert struct cred kuids and
kgids into userspace uids and gids when returning them.
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
											
										 
											2012-02-07 18:51:01 -08:00
										 |  |  | 	kuid_t kuid; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	kuid = make_kuid(ns, uid); | 
					
						
							|  |  |  | 	if (!uid_valid(kuid)) | 
					
						
							|  |  |  | 		return -EINVAL; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 
 | 
					
						
							| 
									
										
											  
											
												CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management.  This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
	struct cred *new = prepare_creds();
	int ret = blah(new);
	if (ret < 0) {
		abort_creds(new);
		return ret;
	}
	return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const.  The purpose of this is compile-time
discouragement of altering credentials through those pointers.  Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
  (1) Its reference count may incremented and decremented.
  (2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
 (1) execve().
     This now prepares and commits credentials in various places in the
     security code rather than altering the current creds directly.
 (2) Temporary credential overrides.
     do_coredump() and sys_faccessat() now prepare their own credentials and
     temporarily override the ones currently on the acting thread, whilst
     preventing interference from other threads by holding cred_replace_mutex
     on the thread being dumped.
     This will be replaced in a future patch by something that hands down the
     credentials directly to the functions being called, rather than altering
     the task's objective credentials.
 (3) LSM interface.
     A number of functions have been changed, added or removed:
     (*) security_capset_check(), ->capset_check()
     (*) security_capset_set(), ->capset_set()
     	 Removed in favour of security_capset().
     (*) security_capset(), ->capset()
     	 New.  This is passed a pointer to the new creds, a pointer to the old
     	 creds and the proposed capability sets.  It should fill in the new
     	 creds or return an error.  All pointers, barring the pointer to the
     	 new creds, are now const.
     (*) security_bprm_apply_creds(), ->bprm_apply_creds()
     	 Changed; now returns a value, which will cause the process to be
     	 killed if it's an error.
     (*) security_task_alloc(), ->task_alloc_security()
     	 Removed in favour of security_prepare_creds().
     (*) security_cred_free(), ->cred_free()
     	 New.  Free security data attached to cred->security.
     (*) security_prepare_creds(), ->cred_prepare()
     	 New. Duplicate any security data attached to cred->security.
     (*) security_commit_creds(), ->cred_commit()
     	 New. Apply any security effects for the upcoming installation of new
     	 security by commit_creds().
     (*) security_task_post_setuid(), ->task_post_setuid()
     	 Removed in favour of security_task_fix_setuid().
     (*) security_task_fix_setuid(), ->task_fix_setuid()
     	 Fix up the proposed new credentials for setuid().  This is used by
     	 cap_set_fix_setuid() to implicitly adjust capabilities in line with
     	 setuid() changes.  Changes are made to the new credentials, rather
     	 than the task itself as in security_task_post_setuid().
     (*) security_task_reparent_to_init(), ->task_reparent_to_init()
     	 Removed.  Instead the task being reparented to init is referred
     	 directly to init's credentials.
	 NOTE!  This results in the loss of some state: SELinux's osid no
	 longer records the sid of the thread that forked it.
     (*) security_key_alloc(), ->key_alloc()
     (*) security_key_permission(), ->key_permission()
     	 Changed.  These now take cred pointers rather than task pointers to
     	 refer to the security context.
 (4) sys_capset().
     This has been simplified and uses less locking.  The LSM functions it
     calls have been merged.
 (5) reparent_to_kthreadd().
     This gives the current thread the same credentials as init by simply using
     commit_thread() to point that way.
 (6) __sigqueue_alloc() and switch_uid()
     __sigqueue_alloc() can't stop the target task from changing its creds
     beneath it, so this function gets a reference to the currently applicable
     user_struct which it then passes into the sigqueue struct it returns if
     successful.
     switch_uid() is now called from commit_creds(), and possibly should be
     folded into that.  commit_creds() should take care of protecting
     __sigqueue_alloc().
 (7) [sg]et[ug]id() and co and [sg]et_current_groups.
     The set functions now all use prepare_creds(), commit_creds() and
     abort_creds() to build and check a new set of credentials before applying
     it.
     security_task_set[ug]id() is called inside the prepared section.  This
     guarantees that nothing else will affect the creds until we've finished.
     The calling of set_dumpable() has been moved into commit_creds().
     Much of the functionality of set_user() has been moved into
     commit_creds().
     The get functions all simply access the data directly.
 (8) security_task_prctl() and cap_task_prctl().
     security_task_prctl() has been modified to return -ENOSYS if it doesn't
     want to handle a function, or otherwise return the return value directly
     rather than through an argument.
     Additionally, cap_task_prctl() now prepares a new set of credentials, even
     if it doesn't end up using it.
 (9) Keyrings.
     A number of changes have been made to the keyrings code:
     (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
     	 all been dropped and built in to the credentials functions directly.
     	 They may want separating out again later.
     (b) key_alloc() and search_process_keyrings() now take a cred pointer
     	 rather than a task pointer to specify the security context.
     (c) copy_creds() gives a new thread within the same thread group a new
     	 thread keyring if its parent had one, otherwise it discards the thread
     	 keyring.
     (d) The authorisation key now points directly to the credentials to extend
     	 the search into rather pointing to the task that carries them.
     (e) Installing thread, process or session keyrings causes a new set of
     	 credentials to be created, even though it's not strictly necessary for
     	 process or session keyrings (they're shared).
(10) Usermode helper.
     The usermode helper code now carries a cred struct pointer in its
     subprocess_info struct instead of a new session keyring pointer.  This set
     of credentials is derived from init_cred and installed on the new process
     after it has been cloned.
     call_usermodehelper_setup() allocates the new credentials and
     call_usermodehelper_freeinfo() discards them if they haven't been used.  A
     special cred function (prepare_usermodeinfo_creds()) is provided
     specifically for call_usermodehelper_setup() to call.
     call_usermodehelper_setkeys() adjusts the credentials to sport the
     supplied keyring as the new session keyring.
(11) SELinux.
     SELinux has a number of changes, in addition to those to support the LSM
     interface changes mentioned above:
     (a) selinux_setprocattr() no longer does its check for whether the
     	 current ptracer can access processes with the new SID inside the lock
     	 that covers getting the ptracer's SID.  Whilst this lock ensures that
     	 the check is done with the ptracer pinned, the result is only valid
     	 until the lock is released, so there's no point doing it inside the
     	 lock.
(12) is_single_threaded().
     This function has been extracted from selinux_setprocattr() and put into
     a file of its own in the lib/ directory as join_session_keyring() now
     wants to use it too.
     The code in SELinux just checked to see whether a task shared mm_structs
     with other tasks (CLONE_VM), but that isn't good enough.  We really want
     to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
     The NFS server daemon now has to use the COW credentials to set the
     credentials it is going to use.  It really needs to pass the credentials
     down to the functions it calls, but it can't do that until other patches
     in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
											
										 
											2008-11-14 10:39:23 +11:00
										 |  |  | 	new = prepare_creds(); | 
					
						
							|  |  |  | 	if (!new) | 
					
						
							|  |  |  | 		return -ENOMEM; | 
					
						
							|  |  |  | 	old = current_cred(); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	retval = -EPERM; | 
					
						
							| 
									
										
										
										
											2013-03-20 12:49:49 -07:00
										 |  |  | 	if (ns_capable(old->user_ns, CAP_SETUID)) { | 
					
						
							| 
									
										
										
											
												userns: Convert setting and getting uid and gid system calls to use kuid and kgid
Convert setregid, setgid, setreuid, setuid,
setresuid, getresuid, setresgid, getresgid, setfsuid, setfsgid,
getuid, geteuid, getgid, getegid,
waitpid, waitid, wait4.
Convert userspace uids and gids into kuids and kgids before
being placed on struct cred.  Convert struct cred kuids and
kgids into userspace uids and gids when returning them.
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
											
										 
											2012-02-07 18:51:01 -08:00
										 |  |  | 		new->suid = new->uid = kuid; | 
					
						
							|  |  |  | 		if (!uid_eq(kuid, old->uid)) { | 
					
						
							| 
									
										
										
										
											2009-02-27 15:13:54 +05:30
										 |  |  | 			retval = set_user(new); | 
					
						
							|  |  |  | 			if (retval < 0) | 
					
						
							|  |  |  | 				goto error; | 
					
						
							| 
									
										
											  
											
												CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management.  This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
	struct cred *new = prepare_creds();
	int ret = blah(new);
	if (ret < 0) {
		abort_creds(new);
		return ret;
	}
	return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const.  The purpose of this is compile-time
discouragement of altering credentials through those pointers.  Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
  (1) Its reference count may incremented and decremented.
  (2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
 (1) execve().
     This now prepares and commits credentials in various places in the
     security code rather than altering the current creds directly.
 (2) Temporary credential overrides.
     do_coredump() and sys_faccessat() now prepare their own credentials and
     temporarily override the ones currently on the acting thread, whilst
     preventing interference from other threads by holding cred_replace_mutex
     on the thread being dumped.
     This will be replaced in a future patch by something that hands down the
     credentials directly to the functions being called, rather than altering
     the task's objective credentials.
 (3) LSM interface.
     A number of functions have been changed, added or removed:
     (*) security_capset_check(), ->capset_check()
     (*) security_capset_set(), ->capset_set()
     	 Removed in favour of security_capset().
     (*) security_capset(), ->capset()
     	 New.  This is passed a pointer to the new creds, a pointer to the old
     	 creds and the proposed capability sets.  It should fill in the new
     	 creds or return an error.  All pointers, barring the pointer to the
     	 new creds, are now const.
     (*) security_bprm_apply_creds(), ->bprm_apply_creds()
     	 Changed; now returns a value, which will cause the process to be
     	 killed if it's an error.
     (*) security_task_alloc(), ->task_alloc_security()
     	 Removed in favour of security_prepare_creds().
     (*) security_cred_free(), ->cred_free()
     	 New.  Free security data attached to cred->security.
     (*) security_prepare_creds(), ->cred_prepare()
     	 New. Duplicate any security data attached to cred->security.
     (*) security_commit_creds(), ->cred_commit()
     	 New. Apply any security effects for the upcoming installation of new
     	 security by commit_creds().
     (*) security_task_post_setuid(), ->task_post_setuid()
     	 Removed in favour of security_task_fix_setuid().
     (*) security_task_fix_setuid(), ->task_fix_setuid()
     	 Fix up the proposed new credentials for setuid().  This is used by
     	 cap_set_fix_setuid() to implicitly adjust capabilities in line with
     	 setuid() changes.  Changes are made to the new credentials, rather
     	 than the task itself as in security_task_post_setuid().
     (*) security_task_reparent_to_init(), ->task_reparent_to_init()
     	 Removed.  Instead the task being reparented to init is referred
     	 directly to init's credentials.
	 NOTE!  This results in the loss of some state: SELinux's osid no
	 longer records the sid of the thread that forked it.
     (*) security_key_alloc(), ->key_alloc()
     (*) security_key_permission(), ->key_permission()
     	 Changed.  These now take cred pointers rather than task pointers to
     	 refer to the security context.
 (4) sys_capset().
     This has been simplified and uses less locking.  The LSM functions it
     calls have been merged.
 (5) reparent_to_kthreadd().
     This gives the current thread the same credentials as init by simply using
     commit_thread() to point that way.
 (6) __sigqueue_alloc() and switch_uid()
     __sigqueue_alloc() can't stop the target task from changing its creds
     beneath it, so this function gets a reference to the currently applicable
     user_struct which it then passes into the sigqueue struct it returns if
     successful.
     switch_uid() is now called from commit_creds(), and possibly should be
     folded into that.  commit_creds() should take care of protecting
     __sigqueue_alloc().
 (7) [sg]et[ug]id() and co and [sg]et_current_groups.
     The set functions now all use prepare_creds(), commit_creds() and
     abort_creds() to build and check a new set of credentials before applying
     it.
     security_task_set[ug]id() is called inside the prepared section.  This
     guarantees that nothing else will affect the creds until we've finished.
     The calling of set_dumpable() has been moved into commit_creds().
     Much of the functionality of set_user() has been moved into
     commit_creds().
     The get functions all simply access the data directly.
 (8) security_task_prctl() and cap_task_prctl().
     security_task_prctl() has been modified to return -ENOSYS if it doesn't
     want to handle a function, or otherwise return the return value directly
     rather than through an argument.
     Additionally, cap_task_prctl() now prepares a new set of credentials, even
     if it doesn't end up using it.
 (9) Keyrings.
     A number of changes have been made to the keyrings code:
     (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
     	 all been dropped and built in to the credentials functions directly.
     	 They may want separating out again later.
     (b) key_alloc() and search_process_keyrings() now take a cred pointer
     	 rather than a task pointer to specify the security context.
     (c) copy_creds() gives a new thread within the same thread group a new
     	 thread keyring if its parent had one, otherwise it discards the thread
     	 keyring.
     (d) The authorisation key now points directly to the credentials to extend
     	 the search into rather pointing to the task that carries them.
     (e) Installing thread, process or session keyrings causes a new set of
     	 credentials to be created, even though it's not strictly necessary for
     	 process or session keyrings (they're shared).
(10) Usermode helper.
     The usermode helper code now carries a cred struct pointer in its
     subprocess_info struct instead of a new session keyring pointer.  This set
     of credentials is derived from init_cred and installed on the new process
     after it has been cloned.
     call_usermodehelper_setup() allocates the new credentials and
     call_usermodehelper_freeinfo() discards them if they haven't been used.  A
     special cred function (prepare_usermodeinfo_creds()) is provided
     specifically for call_usermodehelper_setup() to call.
     call_usermodehelper_setkeys() adjusts the credentials to sport the
     supplied keyring as the new session keyring.
(11) SELinux.
     SELinux has a number of changes, in addition to those to support the LSM
     interface changes mentioned above:
     (a) selinux_setprocattr() no longer does its check for whether the
     	 current ptracer can access processes with the new SID inside the lock
     	 that covers getting the ptracer's SID.  Whilst this lock ensures that
     	 the check is done with the ptracer pinned, the result is only valid
     	 until the lock is released, so there's no point doing it inside the
     	 lock.
(12) is_single_threaded().
     This function has been extracted from selinux_setprocattr() and put into
     a file of its own in the lib/ directory as join_session_keyring() now
     wants to use it too.
     The code in SELinux just checked to see whether a task shared mm_structs
     with other tasks (CLONE_VM), but that isn't good enough.  We really want
     to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
     The NFS server daemon now has to use the COW credentials to set the
     credentials it is going to use.  It really needs to pass the credentials
     down to the functions it calls, but it can't do that until other patches
     in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
											
										 
											2008-11-14 10:39:23 +11:00
										 |  |  | 		} | 
					
						
							| 
									
										
										
											
												userns: Convert setting and getting uid and gid system calls to use kuid and kgid
Convert setregid, setgid, setreuid, setuid,
setresuid, getresuid, setresgid, getresgid, setfsuid, setfsgid,
getuid, geteuid, getgid, getegid,
waitpid, waitid, wait4.
Convert userspace uids and gids into kuids and kgids before
being placed on struct cred.  Convert struct cred kuids and
kgids into userspace uids and gids when returning them.
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
											
										 
											2012-02-07 18:51:01 -08:00
										 |  |  | 	} else if (!uid_eq(kuid, old->uid) && !uid_eq(kuid, new->suid)) { | 
					
						
							| 
									
										
											  
											
												CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management.  This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
	struct cred *new = prepare_creds();
	int ret = blah(new);
	if (ret < 0) {
		abort_creds(new);
		return ret;
	}
	return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const.  The purpose of this is compile-time
discouragement of altering credentials through those pointers.  Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
  (1) Its reference count may incremented and decremented.
  (2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
 (1) execve().
     This now prepares and commits credentials in various places in the
     security code rather than altering the current creds directly.
 (2) Temporary credential overrides.
     do_coredump() and sys_faccessat() now prepare their own credentials and
     temporarily override the ones currently on the acting thread, whilst
     preventing interference from other threads by holding cred_replace_mutex
     on the thread being dumped.
     This will be replaced in a future patch by something that hands down the
     credentials directly to the functions being called, rather than altering
     the task's objective credentials.
 (3) LSM interface.
     A number of functions have been changed, added or removed:
     (*) security_capset_check(), ->capset_check()
     (*) security_capset_set(), ->capset_set()
     	 Removed in favour of security_capset().
     (*) security_capset(), ->capset()
     	 New.  This is passed a pointer to the new creds, a pointer to the old
     	 creds and the proposed capability sets.  It should fill in the new
     	 creds or return an error.  All pointers, barring the pointer to the
     	 new creds, are now const.
     (*) security_bprm_apply_creds(), ->bprm_apply_creds()
     	 Changed; now returns a value, which will cause the process to be
     	 killed if it's an error.
     (*) security_task_alloc(), ->task_alloc_security()
     	 Removed in favour of security_prepare_creds().
     (*) security_cred_free(), ->cred_free()
     	 New.  Free security data attached to cred->security.
     (*) security_prepare_creds(), ->cred_prepare()
     	 New. Duplicate any security data attached to cred->security.
     (*) security_commit_creds(), ->cred_commit()
     	 New. Apply any security effects for the upcoming installation of new
     	 security by commit_creds().
     (*) security_task_post_setuid(), ->task_post_setuid()
     	 Removed in favour of security_task_fix_setuid().
     (*) security_task_fix_setuid(), ->task_fix_setuid()
     	 Fix up the proposed new credentials for setuid().  This is used by
     	 cap_set_fix_setuid() to implicitly adjust capabilities in line with
     	 setuid() changes.  Changes are made to the new credentials, rather
     	 than the task itself as in security_task_post_setuid().
     (*) security_task_reparent_to_init(), ->task_reparent_to_init()
     	 Removed.  Instead the task being reparented to init is referred
     	 directly to init's credentials.
	 NOTE!  This results in the loss of some state: SELinux's osid no
	 longer records the sid of the thread that forked it.
     (*) security_key_alloc(), ->key_alloc()
     (*) security_key_permission(), ->key_permission()
     	 Changed.  These now take cred pointers rather than task pointers to
     	 refer to the security context.
 (4) sys_capset().
     This has been simplified and uses less locking.  The LSM functions it
     calls have been merged.
 (5) reparent_to_kthreadd().
     This gives the current thread the same credentials as init by simply using
     commit_thread() to point that way.
 (6) __sigqueue_alloc() and switch_uid()
     __sigqueue_alloc() can't stop the target task from changing its creds
     beneath it, so this function gets a reference to the currently applicable
     user_struct which it then passes into the sigqueue struct it returns if
     successful.
     switch_uid() is now called from commit_creds(), and possibly should be
     folded into that.  commit_creds() should take care of protecting
     __sigqueue_alloc().
 (7) [sg]et[ug]id() and co and [sg]et_current_groups.
     The set functions now all use prepare_creds(), commit_creds() and
     abort_creds() to build and check a new set of credentials before applying
     it.
     security_task_set[ug]id() is called inside the prepared section.  This
     guarantees that nothing else will affect the creds until we've finished.
     The calling of set_dumpable() has been moved into commit_creds().
     Much of the functionality of set_user() has been moved into
     commit_creds().
     The get functions all simply access the data directly.
 (8) security_task_prctl() and cap_task_prctl().
     security_task_prctl() has been modified to return -ENOSYS if it doesn't
     want to handle a function, or otherwise return the return value directly
     rather than through an argument.
     Additionally, cap_task_prctl() now prepares a new set of credentials, even
     if it doesn't end up using it.
 (9) Keyrings.
     A number of changes have been made to the keyrings code:
     (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
     	 all been dropped and built in to the credentials functions directly.
     	 They may want separating out again later.
     (b) key_alloc() and search_process_keyrings() now take a cred pointer
     	 rather than a task pointer to specify the security context.
     (c) copy_creds() gives a new thread within the same thread group a new
     	 thread keyring if its parent had one, otherwise it discards the thread
     	 keyring.
     (d) The authorisation key now points directly to the credentials to extend
     	 the search into rather pointing to the task that carries them.
     (e) Installing thread, process or session keyrings causes a new set of
     	 credentials to be created, even though it's not strictly necessary for
     	 process or session keyrings (they're shared).
(10) Usermode helper.
     The usermode helper code now carries a cred struct pointer in its
     subprocess_info struct instead of a new session keyring pointer.  This set
     of credentials is derived from init_cred and installed on the new process
     after it has been cloned.
     call_usermodehelper_setup() allocates the new credentials and
     call_usermodehelper_freeinfo() discards them if they haven't been used.  A
     special cred function (prepare_usermodeinfo_creds()) is provided
     specifically for call_usermodehelper_setup() to call.
     call_usermodehelper_setkeys() adjusts the credentials to sport the
     supplied keyring as the new session keyring.
(11) SELinux.
     SELinux has a number of changes, in addition to those to support the LSM
     interface changes mentioned above:
     (a) selinux_setprocattr() no longer does its check for whether the
     	 current ptracer can access processes with the new SID inside the lock
     	 that covers getting the ptracer's SID.  Whilst this lock ensures that
     	 the check is done with the ptracer pinned, the result is only valid
     	 until the lock is released, so there's no point doing it inside the
     	 lock.
(12) is_single_threaded().
     This function has been extracted from selinux_setprocattr() and put into
     a file of its own in the lib/ directory as join_session_keyring() now
     wants to use it too.
     The code in SELinux just checked to see whether a task shared mm_structs
     with other tasks (CLONE_VM), but that isn't good enough.  We really want
     to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
     The NFS server daemon now has to use the COW credentials to set the
     credentials it is going to use.  It really needs to pass the credentials
     down to the functions it calls, but it can't do that until other patches
     in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
											
										 
											2008-11-14 10:39:23 +11:00
										 |  |  | 		goto error; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
											
												userns: Convert setting and getting uid and gid system calls to use kuid and kgid
Convert setregid, setgid, setreuid, setuid,
setresuid, getresuid, setresgid, getresgid, setfsuid, setfsgid,
getuid, geteuid, getgid, getegid,
waitpid, waitid, wait4.
Convert userspace uids and gids into kuids and kgids before
being placed on struct cred.  Convert struct cred kuids and
kgids into userspace uids and gids when returning them.
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
											
										 
											2012-02-07 18:51:01 -08:00
										 |  |  | 	new->fsuid = new->euid = kuid; | 
					
						
							| 
									
										
											  
											
												CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management.  This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
	struct cred *new = prepare_creds();
	int ret = blah(new);
	if (ret < 0) {
		abort_creds(new);
		return ret;
	}
	return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const.  The purpose of this is compile-time
discouragement of altering credentials through those pointers.  Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
  (1) Its reference count may incremented and decremented.
  (2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
 (1) execve().
     This now prepares and commits credentials in various places in the
     security code rather than altering the current creds directly.
 (2) Temporary credential overrides.
     do_coredump() and sys_faccessat() now prepare their own credentials and
     temporarily override the ones currently on the acting thread, whilst
     preventing interference from other threads by holding cred_replace_mutex
     on the thread being dumped.
     This will be replaced in a future patch by something that hands down the
     credentials directly to the functions being called, rather than altering
     the task's objective credentials.
 (3) LSM interface.
     A number of functions have been changed, added or removed:
     (*) security_capset_check(), ->capset_check()
     (*) security_capset_set(), ->capset_set()
     	 Removed in favour of security_capset().
     (*) security_capset(), ->capset()
     	 New.  This is passed a pointer to the new creds, a pointer to the old
     	 creds and the proposed capability sets.  It should fill in the new
     	 creds or return an error.  All pointers, barring the pointer to the
     	 new creds, are now const.
     (*) security_bprm_apply_creds(), ->bprm_apply_creds()
     	 Changed; now returns a value, which will cause the process to be
     	 killed if it's an error.
     (*) security_task_alloc(), ->task_alloc_security()
     	 Removed in favour of security_prepare_creds().
     (*) security_cred_free(), ->cred_free()
     	 New.  Free security data attached to cred->security.
     (*) security_prepare_creds(), ->cred_prepare()
     	 New. Duplicate any security data attached to cred->security.
     (*) security_commit_creds(), ->cred_commit()
     	 New. Apply any security effects for the upcoming installation of new
     	 security by commit_creds().
     (*) security_task_post_setuid(), ->task_post_setuid()
     	 Removed in favour of security_task_fix_setuid().
     (*) security_task_fix_setuid(), ->task_fix_setuid()
     	 Fix up the proposed new credentials for setuid().  This is used by
     	 cap_set_fix_setuid() to implicitly adjust capabilities in line with
     	 setuid() changes.  Changes are made to the new credentials, rather
     	 than the task itself as in security_task_post_setuid().
     (*) security_task_reparent_to_init(), ->task_reparent_to_init()
     	 Removed.  Instead the task being reparented to init is referred
     	 directly to init's credentials.
	 NOTE!  This results in the loss of some state: SELinux's osid no
	 longer records the sid of the thread that forked it.
     (*) security_key_alloc(), ->key_alloc()
     (*) security_key_permission(), ->key_permission()
     	 Changed.  These now take cred pointers rather than task pointers to
     	 refer to the security context.
 (4) sys_capset().
     This has been simplified and uses less locking.  The LSM functions it
     calls have been merged.
 (5) reparent_to_kthreadd().
     This gives the current thread the same credentials as init by simply using
     commit_thread() to point that way.
 (6) __sigqueue_alloc() and switch_uid()
     __sigqueue_alloc() can't stop the target task from changing its creds
     beneath it, so this function gets a reference to the currently applicable
     user_struct which it then passes into the sigqueue struct it returns if
     successful.
     switch_uid() is now called from commit_creds(), and possibly should be
     folded into that.  commit_creds() should take care of protecting
     __sigqueue_alloc().
 (7) [sg]et[ug]id() and co and [sg]et_current_groups.
     The set functions now all use prepare_creds(), commit_creds() and
     abort_creds() to build and check a new set of credentials before applying
     it.
     security_task_set[ug]id() is called inside the prepared section.  This
     guarantees that nothing else will affect the creds until we've finished.
     The calling of set_dumpable() has been moved into commit_creds().
     Much of the functionality of set_user() has been moved into
     commit_creds().
     The get functions all simply access the data directly.
 (8) security_task_prctl() and cap_task_prctl().
     security_task_prctl() has been modified to return -ENOSYS if it doesn't
     want to handle a function, or otherwise return the return value directly
     rather than through an argument.
     Additionally, cap_task_prctl() now prepares a new set of credentials, even
     if it doesn't end up using it.
 (9) Keyrings.
     A number of changes have been made to the keyrings code:
     (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
     	 all been dropped and built in to the credentials functions directly.
     	 They may want separating out again later.
     (b) key_alloc() and search_process_keyrings() now take a cred pointer
     	 rather than a task pointer to specify the security context.
     (c) copy_creds() gives a new thread within the same thread group a new
     	 thread keyring if its parent had one, otherwise it discards the thread
     	 keyring.
     (d) The authorisation key now points directly to the credentials to extend
     	 the search into rather pointing to the task that carries them.
     (e) Installing thread, process or session keyrings causes a new set of
     	 credentials to be created, even though it's not strictly necessary for
     	 process or session keyrings (they're shared).
(10) Usermode helper.
     The usermode helper code now carries a cred struct pointer in its
     subprocess_info struct instead of a new session keyring pointer.  This set
     of credentials is derived from init_cred and installed on the new process
     after it has been cloned.
     call_usermodehelper_setup() allocates the new credentials and
     call_usermodehelper_freeinfo() discards them if they haven't been used.  A
     special cred function (prepare_usermodeinfo_creds()) is provided
     specifically for call_usermodehelper_setup() to call.
     call_usermodehelper_setkeys() adjusts the credentials to sport the
     supplied keyring as the new session keyring.
(11) SELinux.
     SELinux has a number of changes, in addition to those to support the LSM
     interface changes mentioned above:
     (a) selinux_setprocattr() no longer does its check for whether the
     	 current ptracer can access processes with the new SID inside the lock
     	 that covers getting the ptracer's SID.  Whilst this lock ensures that
     	 the check is done with the ptracer pinned, the result is only valid
     	 until the lock is released, so there's no point doing it inside the
     	 lock.
(12) is_single_threaded().
     This function has been extracted from selinux_setprocattr() and put into
     a file of its own in the lib/ directory as join_session_keyring() now
     wants to use it too.
     The code in SELinux just checked to see whether a task shared mm_structs
     with other tasks (CLONE_VM), but that isn't good enough.  We really want
     to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
     The NFS server daemon now has to use the COW credentials to set the
     credentials it is going to use.  It really needs to pass the credentials
     down to the functions it calls, but it can't do that until other patches
     in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
											
										 
											2008-11-14 10:39:23 +11:00
										 |  |  | 
 | 
					
						
							|  |  |  | 	retval = security_task_fix_setuid(new, old, LSM_SETID_ID); | 
					
						
							|  |  |  | 	if (retval < 0) | 
					
						
							|  |  |  | 		goto error; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 
 | 
					
						
							| 
									
										
											  
											
												CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management.  This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
	struct cred *new = prepare_creds();
	int ret = blah(new);
	if (ret < 0) {
		abort_creds(new);
		return ret;
	}
	return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const.  The purpose of this is compile-time
discouragement of altering credentials through those pointers.  Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
  (1) Its reference count may incremented and decremented.
  (2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
 (1) execve().
     This now prepares and commits credentials in various places in the
     security code rather than altering the current creds directly.
 (2) Temporary credential overrides.
     do_coredump() and sys_faccessat() now prepare their own credentials and
     temporarily override the ones currently on the acting thread, whilst
     preventing interference from other threads by holding cred_replace_mutex
     on the thread being dumped.
     This will be replaced in a future patch by something that hands down the
     credentials directly to the functions being called, rather than altering
     the task's objective credentials.
 (3) LSM interface.
     A number of functions have been changed, added or removed:
     (*) security_capset_check(), ->capset_check()
     (*) security_capset_set(), ->capset_set()
     	 Removed in favour of security_capset().
     (*) security_capset(), ->capset()
     	 New.  This is passed a pointer to the new creds, a pointer to the old
     	 creds and the proposed capability sets.  It should fill in the new
     	 creds or return an error.  All pointers, barring the pointer to the
     	 new creds, are now const.
     (*) security_bprm_apply_creds(), ->bprm_apply_creds()
     	 Changed; now returns a value, which will cause the process to be
     	 killed if it's an error.
     (*) security_task_alloc(), ->task_alloc_security()
     	 Removed in favour of security_prepare_creds().
     (*) security_cred_free(), ->cred_free()
     	 New.  Free security data attached to cred->security.
     (*) security_prepare_creds(), ->cred_prepare()
     	 New. Duplicate any security data attached to cred->security.
     (*) security_commit_creds(), ->cred_commit()
     	 New. Apply any security effects for the upcoming installation of new
     	 security by commit_creds().
     (*) security_task_post_setuid(), ->task_post_setuid()
     	 Removed in favour of security_task_fix_setuid().
     (*) security_task_fix_setuid(), ->task_fix_setuid()
     	 Fix up the proposed new credentials for setuid().  This is used by
     	 cap_set_fix_setuid() to implicitly adjust capabilities in line with
     	 setuid() changes.  Changes are made to the new credentials, rather
     	 than the task itself as in security_task_post_setuid().
     (*) security_task_reparent_to_init(), ->task_reparent_to_init()
     	 Removed.  Instead the task being reparented to init is referred
     	 directly to init's credentials.
	 NOTE!  This results in the loss of some state: SELinux's osid no
	 longer records the sid of the thread that forked it.
     (*) security_key_alloc(), ->key_alloc()
     (*) security_key_permission(), ->key_permission()
     	 Changed.  These now take cred pointers rather than task pointers to
     	 refer to the security context.
 (4) sys_capset().
     This has been simplified and uses less locking.  The LSM functions it
     calls have been merged.
 (5) reparent_to_kthreadd().
     This gives the current thread the same credentials as init by simply using
     commit_thread() to point that way.
 (6) __sigqueue_alloc() and switch_uid()
     __sigqueue_alloc() can't stop the target task from changing its creds
     beneath it, so this function gets a reference to the currently applicable
     user_struct which it then passes into the sigqueue struct it returns if
     successful.
     switch_uid() is now called from commit_creds(), and possibly should be
     folded into that.  commit_creds() should take care of protecting
     __sigqueue_alloc().
 (7) [sg]et[ug]id() and co and [sg]et_current_groups.
     The set functions now all use prepare_creds(), commit_creds() and
     abort_creds() to build and check a new set of credentials before applying
     it.
     security_task_set[ug]id() is called inside the prepared section.  This
     guarantees that nothing else will affect the creds until we've finished.
     The calling of set_dumpable() has been moved into commit_creds().
     Much of the functionality of set_user() has been moved into
     commit_creds().
     The get functions all simply access the data directly.
 (8) security_task_prctl() and cap_task_prctl().
     security_task_prctl() has been modified to return -ENOSYS if it doesn't
     want to handle a function, or otherwise return the return value directly
     rather than through an argument.
     Additionally, cap_task_prctl() now prepares a new set of credentials, even
     if it doesn't end up using it.
 (9) Keyrings.
     A number of changes have been made to the keyrings code:
     (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
     	 all been dropped and built in to the credentials functions directly.
     	 They may want separating out again later.
     (b) key_alloc() and search_process_keyrings() now take a cred pointer
     	 rather than a task pointer to specify the security context.
     (c) copy_creds() gives a new thread within the same thread group a new
     	 thread keyring if its parent had one, otherwise it discards the thread
     	 keyring.
     (d) The authorisation key now points directly to the credentials to extend
     	 the search into rather pointing to the task that carries them.
     (e) Installing thread, process or session keyrings causes a new set of
     	 credentials to be created, even though it's not strictly necessary for
     	 process or session keyrings (they're shared).
(10) Usermode helper.
     The usermode helper code now carries a cred struct pointer in its
     subprocess_info struct instead of a new session keyring pointer.  This set
     of credentials is derived from init_cred and installed on the new process
     after it has been cloned.
     call_usermodehelper_setup() allocates the new credentials and
     call_usermodehelper_freeinfo() discards them if they haven't been used.  A
     special cred function (prepare_usermodeinfo_creds()) is provided
     specifically for call_usermodehelper_setup() to call.
     call_usermodehelper_setkeys() adjusts the credentials to sport the
     supplied keyring as the new session keyring.
(11) SELinux.
     SELinux has a number of changes, in addition to those to support the LSM
     interface changes mentioned above:
     (a) selinux_setprocattr() no longer does its check for whether the
     	 current ptracer can access processes with the new SID inside the lock
     	 that covers getting the ptracer's SID.  Whilst this lock ensures that
     	 the check is done with the ptracer pinned, the result is only valid
     	 until the lock is released, so there's no point doing it inside the
     	 lock.
(12) is_single_threaded().
     This function has been extracted from selinux_setprocattr() and put into
     a file of its own in the lib/ directory as join_session_keyring() now
     wants to use it too.
     The code in SELinux just checked to see whether a task shared mm_structs
     with other tasks (CLONE_VM), but that isn't good enough.  We really want
     to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
     The NFS server daemon now has to use the COW credentials to set the
     credentials it is going to use.  It really needs to pass the credentials
     down to the functions it calls, but it can't do that until other patches
     in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
											
										 
											2008-11-14 10:39:23 +11:00
										 |  |  | 	return commit_creds(new); | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 
 | 
					
						
							| 
									
										
											  
											
												CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management.  This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
	struct cred *new = prepare_creds();
	int ret = blah(new);
	if (ret < 0) {
		abort_creds(new);
		return ret;
	}
	return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const.  The purpose of this is compile-time
discouragement of altering credentials through those pointers.  Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
  (1) Its reference count may incremented and decremented.
  (2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
 (1) execve().
     This now prepares and commits credentials in various places in the
     security code rather than altering the current creds directly.
 (2) Temporary credential overrides.
     do_coredump() and sys_faccessat() now prepare their own credentials and
     temporarily override the ones currently on the acting thread, whilst
     preventing interference from other threads by holding cred_replace_mutex
     on the thread being dumped.
     This will be replaced in a future patch by something that hands down the
     credentials directly to the functions being called, rather than altering
     the task's objective credentials.
 (3) LSM interface.
     A number of functions have been changed, added or removed:
     (*) security_capset_check(), ->capset_check()
     (*) security_capset_set(), ->capset_set()
     	 Removed in favour of security_capset().
     (*) security_capset(), ->capset()
     	 New.  This is passed a pointer to the new creds, a pointer to the old
     	 creds and the proposed capability sets.  It should fill in the new
     	 creds or return an error.  All pointers, barring the pointer to the
     	 new creds, are now const.
     (*) security_bprm_apply_creds(), ->bprm_apply_creds()
     	 Changed; now returns a value, which will cause the process to be
     	 killed if it's an error.
     (*) security_task_alloc(), ->task_alloc_security()
     	 Removed in favour of security_prepare_creds().
     (*) security_cred_free(), ->cred_free()
     	 New.  Free security data attached to cred->security.
     (*) security_prepare_creds(), ->cred_prepare()
     	 New. Duplicate any security data attached to cred->security.
     (*) security_commit_creds(), ->cred_commit()
     	 New. Apply any security effects for the upcoming installation of new
     	 security by commit_creds().
     (*) security_task_post_setuid(), ->task_post_setuid()
     	 Removed in favour of security_task_fix_setuid().
     (*) security_task_fix_setuid(), ->task_fix_setuid()
     	 Fix up the proposed new credentials for setuid().  This is used by
     	 cap_set_fix_setuid() to implicitly adjust capabilities in line with
     	 setuid() changes.  Changes are made to the new credentials, rather
     	 than the task itself as in security_task_post_setuid().
     (*) security_task_reparent_to_init(), ->task_reparent_to_init()
     	 Removed.  Instead the task being reparented to init is referred
     	 directly to init's credentials.
	 NOTE!  This results in the loss of some state: SELinux's osid no
	 longer records the sid of the thread that forked it.
     (*) security_key_alloc(), ->key_alloc()
     (*) security_key_permission(), ->key_permission()
     	 Changed.  These now take cred pointers rather than task pointers to
     	 refer to the security context.
 (4) sys_capset().
     This has been simplified and uses less locking.  The LSM functions it
     calls have been merged.
 (5) reparent_to_kthreadd().
     This gives the current thread the same credentials as init by simply using
     commit_thread() to point that way.
 (6) __sigqueue_alloc() and switch_uid()
     __sigqueue_alloc() can't stop the target task from changing its creds
     beneath it, so this function gets a reference to the currently applicable
     user_struct which it then passes into the sigqueue struct it returns if
     successful.
     switch_uid() is now called from commit_creds(), and possibly should be
     folded into that.  commit_creds() should take care of protecting
     __sigqueue_alloc().
 (7) [sg]et[ug]id() and co and [sg]et_current_groups.
     The set functions now all use prepare_creds(), commit_creds() and
     abort_creds() to build and check a new set of credentials before applying
     it.
     security_task_set[ug]id() is called inside the prepared section.  This
     guarantees that nothing else will affect the creds until we've finished.
     The calling of set_dumpable() has been moved into commit_creds().
     Much of the functionality of set_user() has been moved into
     commit_creds().
     The get functions all simply access the data directly.
 (8) security_task_prctl() and cap_task_prctl().
     security_task_prctl() has been modified to return -ENOSYS if it doesn't
     want to handle a function, or otherwise return the return value directly
     rather than through an argument.
     Additionally, cap_task_prctl() now prepares a new set of credentials, even
     if it doesn't end up using it.
 (9) Keyrings.
     A number of changes have been made to the keyrings code:
     (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
     	 all been dropped and built in to the credentials functions directly.
     	 They may want separating out again later.
     (b) key_alloc() and search_process_keyrings() now take a cred pointer
     	 rather than a task pointer to specify the security context.
     (c) copy_creds() gives a new thread within the same thread group a new
     	 thread keyring if its parent had one, otherwise it discards the thread
     	 keyring.
     (d) The authorisation key now points directly to the credentials to extend
     	 the search into rather pointing to the task that carries them.
     (e) Installing thread, process or session keyrings causes a new set of
     	 credentials to be created, even though it's not strictly necessary for
     	 process or session keyrings (they're shared).
(10) Usermode helper.
     The usermode helper code now carries a cred struct pointer in its
     subprocess_info struct instead of a new session keyring pointer.  This set
     of credentials is derived from init_cred and installed on the new process
     after it has been cloned.
     call_usermodehelper_setup() allocates the new credentials and
     call_usermodehelper_freeinfo() discards them if they haven't been used.  A
     special cred function (prepare_usermodeinfo_creds()) is provided
     specifically for call_usermodehelper_setup() to call.
     call_usermodehelper_setkeys() adjusts the credentials to sport the
     supplied keyring as the new session keyring.
(11) SELinux.
     SELinux has a number of changes, in addition to those to support the LSM
     interface changes mentioned above:
     (a) selinux_setprocattr() no longer does its check for whether the
     	 current ptracer can access processes with the new SID inside the lock
     	 that covers getting the ptracer's SID.  Whilst this lock ensures that
     	 the check is done with the ptracer pinned, the result is only valid
     	 until the lock is released, so there's no point doing it inside the
     	 lock.
(12) is_single_threaded().
     This function has been extracted from selinux_setprocattr() and put into
     a file of its own in the lib/ directory as join_session_keyring() now
     wants to use it too.
     The code in SELinux just checked to see whether a task shared mm_structs
     with other tasks (CLONE_VM), but that isn't good enough.  We really want
     to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
     The NFS server daemon now has to use the COW credentials to set the
     credentials it is going to use.  It really needs to pass the credentials
     down to the functions it calls, but it can't do that until other patches
     in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
											
										 
											2008-11-14 10:39:23 +11:00
										 |  |  | error: | 
					
						
							|  |  |  | 	abort_creds(new); | 
					
						
							|  |  |  | 	return retval; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | /*
 | 
					
						
							|  |  |  |  * This function implements a generic ability to update ruid, euid, | 
					
						
							|  |  |  |  * and suid.  This allows you to implement the 4.4 compatible seteuid(). | 
					
						
							|  |  |  |  */ | 
					
						
							| 
									
										
										
										
											2009-01-14 14:14:05 +01:00
										 |  |  | SYSCALL_DEFINE3(setresuid, uid_t, ruid, uid_t, euid, uid_t, suid) | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | { | 
					
						
							| 
									
										
										
											
												userns: Convert setting and getting uid and gid system calls to use kuid and kgid
Convert setregid, setgid, setreuid, setuid,
setresuid, getresuid, setresgid, getresgid, setfsuid, setfsgid,
getuid, geteuid, getgid, getegid,
waitpid, waitid, wait4.
Convert userspace uids and gids into kuids and kgids before
being placed on struct cred.  Convert struct cred kuids and
kgids into userspace uids and gids when returning them.
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
											
										 
											2012-02-07 18:51:01 -08:00
										 |  |  | 	struct user_namespace *ns = current_user_ns(); | 
					
						
							| 
									
										
											  
											
												CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management.  This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
	struct cred *new = prepare_creds();
	int ret = blah(new);
	if (ret < 0) {
		abort_creds(new);
		return ret;
	}
	return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const.  The purpose of this is compile-time
discouragement of altering credentials through those pointers.  Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
  (1) Its reference count may incremented and decremented.
  (2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
 (1) execve().
     This now prepares and commits credentials in various places in the
     security code rather than altering the current creds directly.
 (2) Temporary credential overrides.
     do_coredump() and sys_faccessat() now prepare their own credentials and
     temporarily override the ones currently on the acting thread, whilst
     preventing interference from other threads by holding cred_replace_mutex
     on the thread being dumped.
     This will be replaced in a future patch by something that hands down the
     credentials directly to the functions being called, rather than altering
     the task's objective credentials.
 (3) LSM interface.
     A number of functions have been changed, added or removed:
     (*) security_capset_check(), ->capset_check()
     (*) security_capset_set(), ->capset_set()
     	 Removed in favour of security_capset().
     (*) security_capset(), ->capset()
     	 New.  This is passed a pointer to the new creds, a pointer to the old
     	 creds and the proposed capability sets.  It should fill in the new
     	 creds or return an error.  All pointers, barring the pointer to the
     	 new creds, are now const.
     (*) security_bprm_apply_creds(), ->bprm_apply_creds()
     	 Changed; now returns a value, which will cause the process to be
     	 killed if it's an error.
     (*) security_task_alloc(), ->task_alloc_security()
     	 Removed in favour of security_prepare_creds().
     (*) security_cred_free(), ->cred_free()
     	 New.  Free security data attached to cred->security.
     (*) security_prepare_creds(), ->cred_prepare()
     	 New. Duplicate any security data attached to cred->security.
     (*) security_commit_creds(), ->cred_commit()
     	 New. Apply any security effects for the upcoming installation of new
     	 security by commit_creds().
     (*) security_task_post_setuid(), ->task_post_setuid()
     	 Removed in favour of security_task_fix_setuid().
     (*) security_task_fix_setuid(), ->task_fix_setuid()
     	 Fix up the proposed new credentials for setuid().  This is used by
     	 cap_set_fix_setuid() to implicitly adjust capabilities in line with
     	 setuid() changes.  Changes are made to the new credentials, rather
     	 than the task itself as in security_task_post_setuid().
     (*) security_task_reparent_to_init(), ->task_reparent_to_init()
     	 Removed.  Instead the task being reparented to init is referred
     	 directly to init's credentials.
	 NOTE!  This results in the loss of some state: SELinux's osid no
	 longer records the sid of the thread that forked it.
     (*) security_key_alloc(), ->key_alloc()
     (*) security_key_permission(), ->key_permission()
     	 Changed.  These now take cred pointers rather than task pointers to
     	 refer to the security context.
 (4) sys_capset().
     This has been simplified and uses less locking.  The LSM functions it
     calls have been merged.
 (5) reparent_to_kthreadd().
     This gives the current thread the same credentials as init by simply using
     commit_thread() to point that way.
 (6) __sigqueue_alloc() and switch_uid()
     __sigqueue_alloc() can't stop the target task from changing its creds
     beneath it, so this function gets a reference to the currently applicable
     user_struct which it then passes into the sigqueue struct it returns if
     successful.
     switch_uid() is now called from commit_creds(), and possibly should be
     folded into that.  commit_creds() should take care of protecting
     __sigqueue_alloc().
 (7) [sg]et[ug]id() and co and [sg]et_current_groups.
     The set functions now all use prepare_creds(), commit_creds() and
     abort_creds() to build and check a new set of credentials before applying
     it.
     security_task_set[ug]id() is called inside the prepared section.  This
     guarantees that nothing else will affect the creds until we've finished.
     The calling of set_dumpable() has been moved into commit_creds().
     Much of the functionality of set_user() has been moved into
     commit_creds().
     The get functions all simply access the data directly.
 (8) security_task_prctl() and cap_task_prctl().
     security_task_prctl() has been modified to return -ENOSYS if it doesn't
     want to handle a function, or otherwise return the return value directly
     rather than through an argument.
     Additionally, cap_task_prctl() now prepares a new set of credentials, even
     if it doesn't end up using it.
 (9) Keyrings.
     A number of changes have been made to the keyrings code:
     (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
     	 all been dropped and built in to the credentials functions directly.
     	 They may want separating out again later.
     (b) key_alloc() and search_process_keyrings() now take a cred pointer
     	 rather than a task pointer to specify the security context.
     (c) copy_creds() gives a new thread within the same thread group a new
     	 thread keyring if its parent had one, otherwise it discards the thread
     	 keyring.
     (d) The authorisation key now points directly to the credentials to extend
     	 the search into rather pointing to the task that carries them.
     (e) Installing thread, process or session keyrings causes a new set of
     	 credentials to be created, even though it's not strictly necessary for
     	 process or session keyrings (they're shared).
(10) Usermode helper.
     The usermode helper code now carries a cred struct pointer in its
     subprocess_info struct instead of a new session keyring pointer.  This set
     of credentials is derived from init_cred and installed on the new process
     after it has been cloned.
     call_usermodehelper_setup() allocates the new credentials and
     call_usermodehelper_freeinfo() discards them if they haven't been used.  A
     special cred function (prepare_usermodeinfo_creds()) is provided
     specifically for call_usermodehelper_setup() to call.
     call_usermodehelper_setkeys() adjusts the credentials to sport the
     supplied keyring as the new session keyring.
(11) SELinux.
     SELinux has a number of changes, in addition to those to support the LSM
     interface changes mentioned above:
     (a) selinux_setprocattr() no longer does its check for whether the
     	 current ptracer can access processes with the new SID inside the lock
     	 that covers getting the ptracer's SID.  Whilst this lock ensures that
     	 the check is done with the ptracer pinned, the result is only valid
     	 until the lock is released, so there's no point doing it inside the
     	 lock.
(12) is_single_threaded().
     This function has been extracted from selinux_setprocattr() and put into
     a file of its own in the lib/ directory as join_session_keyring() now
     wants to use it too.
     The code in SELinux just checked to see whether a task shared mm_structs
     with other tasks (CLONE_VM), but that isn't good enough.  We really want
     to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
     The NFS server daemon now has to use the COW credentials to set the
     credentials it is going to use.  It really needs to pass the credentials
     down to the functions it calls, but it can't do that until other patches
     in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
											
										 
											2008-11-14 10:39:23 +11:00
										 |  |  | 	const struct cred *old; | 
					
						
							|  |  |  | 	struct cred *new; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 	int retval; | 
					
						
							| 
									
										
										
											
												userns: Convert setting and getting uid and gid system calls to use kuid and kgid
Convert setregid, setgid, setreuid, setuid,
setresuid, getresuid, setresgid, getresgid, setfsuid, setfsgid,
getuid, geteuid, getgid, getegid,
waitpid, waitid, wait4.
Convert userspace uids and gids into kuids and kgids before
being placed on struct cred.  Convert struct cred kuids and
kgids into userspace uids and gids when returning them.
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
											
										 
											2012-02-07 18:51:01 -08:00
										 |  |  | 	kuid_t kruid, keuid, ksuid; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	kruid = make_kuid(ns, ruid); | 
					
						
							|  |  |  | 	keuid = make_kuid(ns, euid); | 
					
						
							|  |  |  | 	ksuid = make_kuid(ns, suid); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	if ((ruid != (uid_t) -1) && !uid_valid(kruid)) | 
					
						
							|  |  |  | 		return -EINVAL; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	if ((euid != (uid_t) -1) && !uid_valid(keuid)) | 
					
						
							|  |  |  | 		return -EINVAL; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	if ((suid != (uid_t) -1) && !uid_valid(ksuid)) | 
					
						
							|  |  |  | 		return -EINVAL; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 
 | 
					
						
							| 
									
										
											  
											
												CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management.  This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
	struct cred *new = prepare_creds();
	int ret = blah(new);
	if (ret < 0) {
		abort_creds(new);
		return ret;
	}
	return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const.  The purpose of this is compile-time
discouragement of altering credentials through those pointers.  Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
  (1) Its reference count may incremented and decremented.
  (2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
 (1) execve().
     This now prepares and commits credentials in various places in the
     security code rather than altering the current creds directly.
 (2) Temporary credential overrides.
     do_coredump() and sys_faccessat() now prepare their own credentials and
     temporarily override the ones currently on the acting thread, whilst
     preventing interference from other threads by holding cred_replace_mutex
     on the thread being dumped.
     This will be replaced in a future patch by something that hands down the
     credentials directly to the functions being called, rather than altering
     the task's objective credentials.
 (3) LSM interface.
     A number of functions have been changed, added or removed:
     (*) security_capset_check(), ->capset_check()
     (*) security_capset_set(), ->capset_set()
     	 Removed in favour of security_capset().
     (*) security_capset(), ->capset()
     	 New.  This is passed a pointer to the new creds, a pointer to the old
     	 creds and the proposed capability sets.  It should fill in the new
     	 creds or return an error.  All pointers, barring the pointer to the
     	 new creds, are now const.
     (*) security_bprm_apply_creds(), ->bprm_apply_creds()
     	 Changed; now returns a value, which will cause the process to be
     	 killed if it's an error.
     (*) security_task_alloc(), ->task_alloc_security()
     	 Removed in favour of security_prepare_creds().
     (*) security_cred_free(), ->cred_free()
     	 New.  Free security data attached to cred->security.
     (*) security_prepare_creds(), ->cred_prepare()
     	 New. Duplicate any security data attached to cred->security.
     (*) security_commit_creds(), ->cred_commit()
     	 New. Apply any security effects for the upcoming installation of new
     	 security by commit_creds().
     (*) security_task_post_setuid(), ->task_post_setuid()
     	 Removed in favour of security_task_fix_setuid().
     (*) security_task_fix_setuid(), ->task_fix_setuid()
     	 Fix up the proposed new credentials for setuid().  This is used by
     	 cap_set_fix_setuid() to implicitly adjust capabilities in line with
     	 setuid() changes.  Changes are made to the new credentials, rather
     	 than the task itself as in security_task_post_setuid().
     (*) security_task_reparent_to_init(), ->task_reparent_to_init()
     	 Removed.  Instead the task being reparented to init is referred
     	 directly to init's credentials.
	 NOTE!  This results in the loss of some state: SELinux's osid no
	 longer records the sid of the thread that forked it.
     (*) security_key_alloc(), ->key_alloc()
     (*) security_key_permission(), ->key_permission()
     	 Changed.  These now take cred pointers rather than task pointers to
     	 refer to the security context.
 (4) sys_capset().
     This has been simplified and uses less locking.  The LSM functions it
     calls have been merged.
 (5) reparent_to_kthreadd().
     This gives the current thread the same credentials as init by simply using
     commit_thread() to point that way.
 (6) __sigqueue_alloc() and switch_uid()
     __sigqueue_alloc() can't stop the target task from changing its creds
     beneath it, so this function gets a reference to the currently applicable
     user_struct which it then passes into the sigqueue struct it returns if
     successful.
     switch_uid() is now called from commit_creds(), and possibly should be
     folded into that.  commit_creds() should take care of protecting
     __sigqueue_alloc().
 (7) [sg]et[ug]id() and co and [sg]et_current_groups.
     The set functions now all use prepare_creds(), commit_creds() and
     abort_creds() to build and check a new set of credentials before applying
     it.
     security_task_set[ug]id() is called inside the prepared section.  This
     guarantees that nothing else will affect the creds until we've finished.
     The calling of set_dumpable() has been moved into commit_creds().
     Much of the functionality of set_user() has been moved into
     commit_creds().
     The get functions all simply access the data directly.
 (8) security_task_prctl() and cap_task_prctl().
     security_task_prctl() has been modified to return -ENOSYS if it doesn't
     want to handle a function, or otherwise return the return value directly
     rather than through an argument.
     Additionally, cap_task_prctl() now prepares a new set of credentials, even
     if it doesn't end up using it.
 (9) Keyrings.
     A number of changes have been made to the keyrings code:
     (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
     	 all been dropped and built in to the credentials functions directly.
     	 They may want separating out again later.
     (b) key_alloc() and search_process_keyrings() now take a cred pointer
     	 rather than a task pointer to specify the security context.
     (c) copy_creds() gives a new thread within the same thread group a new
     	 thread keyring if its parent had one, otherwise it discards the thread
     	 keyring.
     (d) The authorisation key now points directly to the credentials to extend
     	 the search into rather pointing to the task that carries them.
     (e) Installing thread, process or session keyrings causes a new set of
     	 credentials to be created, even though it's not strictly necessary for
     	 process or session keyrings (they're shared).
(10) Usermode helper.
     The usermode helper code now carries a cred struct pointer in its
     subprocess_info struct instead of a new session keyring pointer.  This set
     of credentials is derived from init_cred and installed on the new process
     after it has been cloned.
     call_usermodehelper_setup() allocates the new credentials and
     call_usermodehelper_freeinfo() discards them if they haven't been used.  A
     special cred function (prepare_usermodeinfo_creds()) is provided
     specifically for call_usermodehelper_setup() to call.
     call_usermodehelper_setkeys() adjusts the credentials to sport the
     supplied keyring as the new session keyring.
(11) SELinux.
     SELinux has a number of changes, in addition to those to support the LSM
     interface changes mentioned above:
     (a) selinux_setprocattr() no longer does its check for whether the
     	 current ptracer can access processes with the new SID inside the lock
     	 that covers getting the ptracer's SID.  Whilst this lock ensures that
     	 the check is done with the ptracer pinned, the result is only valid
     	 until the lock is released, so there's no point doing it inside the
     	 lock.
(12) is_single_threaded().
     This function has been extracted from selinux_setprocattr() and put into
     a file of its own in the lib/ directory as join_session_keyring() now
     wants to use it too.
     The code in SELinux just checked to see whether a task shared mm_structs
     with other tasks (CLONE_VM), but that isn't good enough.  We really want
     to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
     The NFS server daemon now has to use the COW credentials to set the
     credentials it is going to use.  It really needs to pass the credentials
     down to the functions it calls, but it can't do that until other patches
     in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
											
										 
											2008-11-14 10:39:23 +11:00
										 |  |  | 	new = prepare_creds(); | 
					
						
							|  |  |  | 	if (!new) | 
					
						
							|  |  |  | 		return -ENOMEM; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	old = current_cred(); | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 
 | 
					
						
							| 
									
										
											  
											
												CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management.  This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
	struct cred *new = prepare_creds();
	int ret = blah(new);
	if (ret < 0) {
		abort_creds(new);
		return ret;
	}
	return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const.  The purpose of this is compile-time
discouragement of altering credentials through those pointers.  Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
  (1) Its reference count may incremented and decremented.
  (2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
 (1) execve().
     This now prepares and commits credentials in various places in the
     security code rather than altering the current creds directly.
 (2) Temporary credential overrides.
     do_coredump() and sys_faccessat() now prepare their own credentials and
     temporarily override the ones currently on the acting thread, whilst
     preventing interference from other threads by holding cred_replace_mutex
     on the thread being dumped.
     This will be replaced in a future patch by something that hands down the
     credentials directly to the functions being called, rather than altering
     the task's objective credentials.
 (3) LSM interface.
     A number of functions have been changed, added or removed:
     (*) security_capset_check(), ->capset_check()
     (*) security_capset_set(), ->capset_set()
     	 Removed in favour of security_capset().
     (*) security_capset(), ->capset()
     	 New.  This is passed a pointer to the new creds, a pointer to the old
     	 creds and the proposed capability sets.  It should fill in the new
     	 creds or return an error.  All pointers, barring the pointer to the
     	 new creds, are now const.
     (*) security_bprm_apply_creds(), ->bprm_apply_creds()
     	 Changed; now returns a value, which will cause the process to be
     	 killed if it's an error.
     (*) security_task_alloc(), ->task_alloc_security()
     	 Removed in favour of security_prepare_creds().
     (*) security_cred_free(), ->cred_free()
     	 New.  Free security data attached to cred->security.
     (*) security_prepare_creds(), ->cred_prepare()
     	 New. Duplicate any security data attached to cred->security.
     (*) security_commit_creds(), ->cred_commit()
     	 New. Apply any security effects for the upcoming installation of new
     	 security by commit_creds().
     (*) security_task_post_setuid(), ->task_post_setuid()
     	 Removed in favour of security_task_fix_setuid().
     (*) security_task_fix_setuid(), ->task_fix_setuid()
     	 Fix up the proposed new credentials for setuid().  This is used by
     	 cap_set_fix_setuid() to implicitly adjust capabilities in line with
     	 setuid() changes.  Changes are made to the new credentials, rather
     	 than the task itself as in security_task_post_setuid().
     (*) security_task_reparent_to_init(), ->task_reparent_to_init()
     	 Removed.  Instead the task being reparented to init is referred
     	 directly to init's credentials.
	 NOTE!  This results in the loss of some state: SELinux's osid no
	 longer records the sid of the thread that forked it.
     (*) security_key_alloc(), ->key_alloc()
     (*) security_key_permission(), ->key_permission()
     	 Changed.  These now take cred pointers rather than task pointers to
     	 refer to the security context.
 (4) sys_capset().
     This has been simplified and uses less locking.  The LSM functions it
     calls have been merged.
 (5) reparent_to_kthreadd().
     This gives the current thread the same credentials as init by simply using
     commit_thread() to point that way.
 (6) __sigqueue_alloc() and switch_uid()
     __sigqueue_alloc() can't stop the target task from changing its creds
     beneath it, so this function gets a reference to the currently applicable
     user_struct which it then passes into the sigqueue struct it returns if
     successful.
     switch_uid() is now called from commit_creds(), and possibly should be
     folded into that.  commit_creds() should take care of protecting
     __sigqueue_alloc().
 (7) [sg]et[ug]id() and co and [sg]et_current_groups.
     The set functions now all use prepare_creds(), commit_creds() and
     abort_creds() to build and check a new set of credentials before applying
     it.
     security_task_set[ug]id() is called inside the prepared section.  This
     guarantees that nothing else will affect the creds until we've finished.
     The calling of set_dumpable() has been moved into commit_creds().
     Much of the functionality of set_user() has been moved into
     commit_creds().
     The get functions all simply access the data directly.
 (8) security_task_prctl() and cap_task_prctl().
     security_task_prctl() has been modified to return -ENOSYS if it doesn't
     want to handle a function, or otherwise return the return value directly
     rather than through an argument.
     Additionally, cap_task_prctl() now prepares a new set of credentials, even
     if it doesn't end up using it.
 (9) Keyrings.
     A number of changes have been made to the keyrings code:
     (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
     	 all been dropped and built in to the credentials functions directly.
     	 They may want separating out again later.
     (b) key_alloc() and search_process_keyrings() now take a cred pointer
     	 rather than a task pointer to specify the security context.
     (c) copy_creds() gives a new thread within the same thread group a new
     	 thread keyring if its parent had one, otherwise it discards the thread
     	 keyring.
     (d) The authorisation key now points directly to the credentials to extend
     	 the search into rather pointing to the task that carries them.
     (e) Installing thread, process or session keyrings causes a new set of
     	 credentials to be created, even though it's not strictly necessary for
     	 process or session keyrings (they're shared).
(10) Usermode helper.
     The usermode helper code now carries a cred struct pointer in its
     subprocess_info struct instead of a new session keyring pointer.  This set
     of credentials is derived from init_cred and installed on the new process
     after it has been cloned.
     call_usermodehelper_setup() allocates the new credentials and
     call_usermodehelper_freeinfo() discards them if they haven't been used.  A
     special cred function (prepare_usermodeinfo_creds()) is provided
     specifically for call_usermodehelper_setup() to call.
     call_usermodehelper_setkeys() adjusts the credentials to sport the
     supplied keyring as the new session keyring.
(11) SELinux.
     SELinux has a number of changes, in addition to those to support the LSM
     interface changes mentioned above:
     (a) selinux_setprocattr() no longer does its check for whether the
     	 current ptracer can access processes with the new SID inside the lock
     	 that covers getting the ptracer's SID.  Whilst this lock ensures that
     	 the check is done with the ptracer pinned, the result is only valid
     	 until the lock is released, so there's no point doing it inside the
     	 lock.
(12) is_single_threaded().
     This function has been extracted from selinux_setprocattr() and put into
     a file of its own in the lib/ directory as join_session_keyring() now
     wants to use it too.
     The code in SELinux just checked to see whether a task shared mm_structs
     with other tasks (CLONE_VM), but that isn't good enough.  We really want
     to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
     The NFS server daemon now has to use the COW credentials to set the
     credentials it is going to use.  It really needs to pass the credentials
     down to the functions it calls, but it can't do that until other patches
     in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
											
										 
											2008-11-14 10:39:23 +11:00
										 |  |  | 	retval = -EPERM; | 
					
						
							| 
									
										
										
										
											2013-03-20 12:49:49 -07:00
										 |  |  | 	if (!ns_capable(old->user_ns, CAP_SETUID)) { | 
					
						
							| 
									
										
										
											
												userns: Convert setting and getting uid and gid system calls to use kuid and kgid
Convert setregid, setgid, setreuid, setuid,
setresuid, getresuid, setresgid, getresgid, setfsuid, setfsgid,
getuid, geteuid, getgid, getegid,
waitpid, waitid, wait4.
Convert userspace uids and gids into kuids and kgids before
being placed on struct cred.  Convert struct cred kuids and
kgids into userspace uids and gids when returning them.
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
											
										 
											2012-02-07 18:51:01 -08:00
										 |  |  | 		if (ruid != (uid_t) -1        && !uid_eq(kruid, old->uid) && | 
					
						
							|  |  |  | 		    !uid_eq(kruid, old->euid) && !uid_eq(kruid, old->suid)) | 
					
						
							| 
									
										
											  
											
												CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management.  This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
	struct cred *new = prepare_creds();
	int ret = blah(new);
	if (ret < 0) {
		abort_creds(new);
		return ret;
	}
	return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const.  The purpose of this is compile-time
discouragement of altering credentials through those pointers.  Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
  (1) Its reference count may incremented and decremented.
  (2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
 (1) execve().
     This now prepares and commits credentials in various places in the
     security code rather than altering the current creds directly.
 (2) Temporary credential overrides.
     do_coredump() and sys_faccessat() now prepare their own credentials and
     temporarily override the ones currently on the acting thread, whilst
     preventing interference from other threads by holding cred_replace_mutex
     on the thread being dumped.
     This will be replaced in a future patch by something that hands down the
     credentials directly to the functions being called, rather than altering
     the task's objective credentials.
 (3) LSM interface.
     A number of functions have been changed, added or removed:
     (*) security_capset_check(), ->capset_check()
     (*) security_capset_set(), ->capset_set()
     	 Removed in favour of security_capset().
     (*) security_capset(), ->capset()
     	 New.  This is passed a pointer to the new creds, a pointer to the old
     	 creds and the proposed capability sets.  It should fill in the new
     	 creds or return an error.  All pointers, barring the pointer to the
     	 new creds, are now const.
     (*) security_bprm_apply_creds(), ->bprm_apply_creds()
     	 Changed; now returns a value, which will cause the process to be
     	 killed if it's an error.
     (*) security_task_alloc(), ->task_alloc_security()
     	 Removed in favour of security_prepare_creds().
     (*) security_cred_free(), ->cred_free()
     	 New.  Free security data attached to cred->security.
     (*) security_prepare_creds(), ->cred_prepare()
     	 New. Duplicate any security data attached to cred->security.
     (*) security_commit_creds(), ->cred_commit()
     	 New. Apply any security effects for the upcoming installation of new
     	 security by commit_creds().
     (*) security_task_post_setuid(), ->task_post_setuid()
     	 Removed in favour of security_task_fix_setuid().
     (*) security_task_fix_setuid(), ->task_fix_setuid()
     	 Fix up the proposed new credentials for setuid().  This is used by
     	 cap_set_fix_setuid() to implicitly adjust capabilities in line with
     	 setuid() changes.  Changes are made to the new credentials, rather
     	 than the task itself as in security_task_post_setuid().
     (*) security_task_reparent_to_init(), ->task_reparent_to_init()
     	 Removed.  Instead the task being reparented to init is referred
     	 directly to init's credentials.
	 NOTE!  This results in the loss of some state: SELinux's osid no
	 longer records the sid of the thread that forked it.
     (*) security_key_alloc(), ->key_alloc()
     (*) security_key_permission(), ->key_permission()
     	 Changed.  These now take cred pointers rather than task pointers to
     	 refer to the security context.
 (4) sys_capset().
     This has been simplified and uses less locking.  The LSM functions it
     calls have been merged.
 (5) reparent_to_kthreadd().
     This gives the current thread the same credentials as init by simply using
     commit_thread() to point that way.
 (6) __sigqueue_alloc() and switch_uid()
     __sigqueue_alloc() can't stop the target task from changing its creds
     beneath it, so this function gets a reference to the currently applicable
     user_struct which it then passes into the sigqueue struct it returns if
     successful.
     switch_uid() is now called from commit_creds(), and possibly should be
     folded into that.  commit_creds() should take care of protecting
     __sigqueue_alloc().
 (7) [sg]et[ug]id() and co and [sg]et_current_groups.
     The set functions now all use prepare_creds(), commit_creds() and
     abort_creds() to build and check a new set of credentials before applying
     it.
     security_task_set[ug]id() is called inside the prepared section.  This
     guarantees that nothing else will affect the creds until we've finished.
     The calling of set_dumpable() has been moved into commit_creds().
     Much of the functionality of set_user() has been moved into
     commit_creds().
     The get functions all simply access the data directly.
 (8) security_task_prctl() and cap_task_prctl().
     security_task_prctl() has been modified to return -ENOSYS if it doesn't
     want to handle a function, or otherwise return the return value directly
     rather than through an argument.
     Additionally, cap_task_prctl() now prepares a new set of credentials, even
     if it doesn't end up using it.
 (9) Keyrings.
     A number of changes have been made to the keyrings code:
     (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
     	 all been dropped and built in to the credentials functions directly.
     	 They may want separating out again later.
     (b) key_alloc() and search_process_keyrings() now take a cred pointer
     	 rather than a task pointer to specify the security context.
     (c) copy_creds() gives a new thread within the same thread group a new
     	 thread keyring if its parent had one, otherwise it discards the thread
     	 keyring.
     (d) The authorisation key now points directly to the credentials to extend
     	 the search into rather pointing to the task that carries them.
     (e) Installing thread, process or session keyrings causes a new set of
     	 credentials to be created, even though it's not strictly necessary for
     	 process or session keyrings (they're shared).
(10) Usermode helper.
     The usermode helper code now carries a cred struct pointer in its
     subprocess_info struct instead of a new session keyring pointer.  This set
     of credentials is derived from init_cred and installed on the new process
     after it has been cloned.
     call_usermodehelper_setup() allocates the new credentials and
     call_usermodehelper_freeinfo() discards them if they haven't been used.  A
     special cred function (prepare_usermodeinfo_creds()) is provided
     specifically for call_usermodehelper_setup() to call.
     call_usermodehelper_setkeys() adjusts the credentials to sport the
     supplied keyring as the new session keyring.
(11) SELinux.
     SELinux has a number of changes, in addition to those to support the LSM
     interface changes mentioned above:
     (a) selinux_setprocattr() no longer does its check for whether the
     	 current ptracer can access processes with the new SID inside the lock
     	 that covers getting the ptracer's SID.  Whilst this lock ensures that
     	 the check is done with the ptracer pinned, the result is only valid
     	 until the lock is released, so there's no point doing it inside the
     	 lock.
(12) is_single_threaded().
     This function has been extracted from selinux_setprocattr() and put into
     a file of its own in the lib/ directory as join_session_keyring() now
     wants to use it too.
     The code in SELinux just checked to see whether a task shared mm_structs
     with other tasks (CLONE_VM), but that isn't good enough.  We really want
     to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
     The NFS server daemon now has to use the COW credentials to set the
     credentials it is going to use.  It really needs to pass the credentials
     down to the functions it calls, but it can't do that until other patches
     in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
											
										 
											2008-11-14 10:39:23 +11:00
										 |  |  | 			goto error; | 
					
						
							| 
									
										
										
											
												userns: Convert setting and getting uid and gid system calls to use kuid and kgid
Convert setregid, setgid, setreuid, setuid,
setresuid, getresuid, setresgid, getresgid, setfsuid, setfsgid,
getuid, geteuid, getgid, getegid,
waitpid, waitid, wait4.
Convert userspace uids and gids into kuids and kgids before
being placed on struct cred.  Convert struct cred kuids and
kgids into userspace uids and gids when returning them.
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
											
										 
											2012-02-07 18:51:01 -08:00
										 |  |  | 		if (euid != (uid_t) -1        && !uid_eq(keuid, old->uid) && | 
					
						
							|  |  |  | 		    !uid_eq(keuid, old->euid) && !uid_eq(keuid, old->suid)) | 
					
						
							| 
									
										
											  
											
												CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management.  This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
	struct cred *new = prepare_creds();
	int ret = blah(new);
	if (ret < 0) {
		abort_creds(new);
		return ret;
	}
	return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const.  The purpose of this is compile-time
discouragement of altering credentials through those pointers.  Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
  (1) Its reference count may incremented and decremented.
  (2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
 (1) execve().
     This now prepares and commits credentials in various places in the
     security code rather than altering the current creds directly.
 (2) Temporary credential overrides.
     do_coredump() and sys_faccessat() now prepare their own credentials and
     temporarily override the ones currently on the acting thread, whilst
     preventing interference from other threads by holding cred_replace_mutex
     on the thread being dumped.
     This will be replaced in a future patch by something that hands down the
     credentials directly to the functions being called, rather than altering
     the task's objective credentials.
 (3) LSM interface.
     A number of functions have been changed, added or removed:
     (*) security_capset_check(), ->capset_check()
     (*) security_capset_set(), ->capset_set()
     	 Removed in favour of security_capset().
     (*) security_capset(), ->capset()
     	 New.  This is passed a pointer to the new creds, a pointer to the old
     	 creds and the proposed capability sets.  It should fill in the new
     	 creds or return an error.  All pointers, barring the pointer to the
     	 new creds, are now const.
     (*) security_bprm_apply_creds(), ->bprm_apply_creds()
     	 Changed; now returns a value, which will cause the process to be
     	 killed if it's an error.
     (*) security_task_alloc(), ->task_alloc_security()
     	 Removed in favour of security_prepare_creds().
     (*) security_cred_free(), ->cred_free()
     	 New.  Free security data attached to cred->security.
     (*) security_prepare_creds(), ->cred_prepare()
     	 New. Duplicate any security data attached to cred->security.
     (*) security_commit_creds(), ->cred_commit()
     	 New. Apply any security effects for the upcoming installation of new
     	 security by commit_creds().
     (*) security_task_post_setuid(), ->task_post_setuid()
     	 Removed in favour of security_task_fix_setuid().
     (*) security_task_fix_setuid(), ->task_fix_setuid()
     	 Fix up the proposed new credentials for setuid().  This is used by
     	 cap_set_fix_setuid() to implicitly adjust capabilities in line with
     	 setuid() changes.  Changes are made to the new credentials, rather
     	 than the task itself as in security_task_post_setuid().
     (*) security_task_reparent_to_init(), ->task_reparent_to_init()
     	 Removed.  Instead the task being reparented to init is referred
     	 directly to init's credentials.
	 NOTE!  This results in the loss of some state: SELinux's osid no
	 longer records the sid of the thread that forked it.
     (*) security_key_alloc(), ->key_alloc()
     (*) security_key_permission(), ->key_permission()
     	 Changed.  These now take cred pointers rather than task pointers to
     	 refer to the security context.
 (4) sys_capset().
     This has been simplified and uses less locking.  The LSM functions it
     calls have been merged.
 (5) reparent_to_kthreadd().
     This gives the current thread the same credentials as init by simply using
     commit_thread() to point that way.
 (6) __sigqueue_alloc() and switch_uid()
     __sigqueue_alloc() can't stop the target task from changing its creds
     beneath it, so this function gets a reference to the currently applicable
     user_struct which it then passes into the sigqueue struct it returns if
     successful.
     switch_uid() is now called from commit_creds(), and possibly should be
     folded into that.  commit_creds() should take care of protecting
     __sigqueue_alloc().
 (7) [sg]et[ug]id() and co and [sg]et_current_groups.
     The set functions now all use prepare_creds(), commit_creds() and
     abort_creds() to build and check a new set of credentials before applying
     it.
     security_task_set[ug]id() is called inside the prepared section.  This
     guarantees that nothing else will affect the creds until we've finished.
     The calling of set_dumpable() has been moved into commit_creds().
     Much of the functionality of set_user() has been moved into
     commit_creds().
     The get functions all simply access the data directly.
 (8) security_task_prctl() and cap_task_prctl().
     security_task_prctl() has been modified to return -ENOSYS if it doesn't
     want to handle a function, or otherwise return the return value directly
     rather than through an argument.
     Additionally, cap_task_prctl() now prepares a new set of credentials, even
     if it doesn't end up using it.
 (9) Keyrings.
     A number of changes have been made to the keyrings code:
     (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
     	 all been dropped and built in to the credentials functions directly.
     	 They may want separating out again later.
     (b) key_alloc() and search_process_keyrings() now take a cred pointer
     	 rather than a task pointer to specify the security context.
     (c) copy_creds() gives a new thread within the same thread group a new
     	 thread keyring if its parent had one, otherwise it discards the thread
     	 keyring.
     (d) The authorisation key now points directly to the credentials to extend
     	 the search into rather pointing to the task that carries them.
     (e) Installing thread, process or session keyrings causes a new set of
     	 credentials to be created, even though it's not strictly necessary for
     	 process or session keyrings (they're shared).
(10) Usermode helper.
     The usermode helper code now carries a cred struct pointer in its
     subprocess_info struct instead of a new session keyring pointer.  This set
     of credentials is derived from init_cred and installed on the new process
     after it has been cloned.
     call_usermodehelper_setup() allocates the new credentials and
     call_usermodehelper_freeinfo() discards them if they haven't been used.  A
     special cred function (prepare_usermodeinfo_creds()) is provided
     specifically for call_usermodehelper_setup() to call.
     call_usermodehelper_setkeys() adjusts the credentials to sport the
     supplied keyring as the new session keyring.
(11) SELinux.
     SELinux has a number of changes, in addition to those to support the LSM
     interface changes mentioned above:
     (a) selinux_setprocattr() no longer does its check for whether the
     	 current ptracer can access processes with the new SID inside the lock
     	 that covers getting the ptracer's SID.  Whilst this lock ensures that
     	 the check is done with the ptracer pinned, the result is only valid
     	 until the lock is released, so there's no point doing it inside the
     	 lock.
(12) is_single_threaded().
     This function has been extracted from selinux_setprocattr() and put into
     a file of its own in the lib/ directory as join_session_keyring() now
     wants to use it too.
     The code in SELinux just checked to see whether a task shared mm_structs
     with other tasks (CLONE_VM), but that isn't good enough.  We really want
     to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
     The NFS server daemon now has to use the COW credentials to set the
     credentials it is going to use.  It really needs to pass the credentials
     down to the functions it calls, but it can't do that until other patches
     in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
											
										 
											2008-11-14 10:39:23 +11:00
										 |  |  | 			goto error; | 
					
						
							| 
									
										
										
											
												userns: Convert setting and getting uid and gid system calls to use kuid and kgid
Convert setregid, setgid, setreuid, setuid,
setresuid, getresuid, setresgid, getresgid, setfsuid, setfsgid,
getuid, geteuid, getgid, getegid,
waitpid, waitid, wait4.
Convert userspace uids and gids into kuids and kgids before
being placed on struct cred.  Convert struct cred kuids and
kgids into userspace uids and gids when returning them.
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
											
										 
											2012-02-07 18:51:01 -08:00
										 |  |  | 		if (suid != (uid_t) -1        && !uid_eq(ksuid, old->uid) && | 
					
						
							|  |  |  | 		    !uid_eq(ksuid, old->euid) && !uid_eq(ksuid, old->suid)) | 
					
						
							| 
									
										
											  
											
												CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management.  This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
	struct cred *new = prepare_creds();
	int ret = blah(new);
	if (ret < 0) {
		abort_creds(new);
		return ret;
	}
	return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const.  The purpose of this is compile-time
discouragement of altering credentials through those pointers.  Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
  (1) Its reference count may incremented and decremented.
  (2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
 (1) execve().
     This now prepares and commits credentials in various places in the
     security code rather than altering the current creds directly.
 (2) Temporary credential overrides.
     do_coredump() and sys_faccessat() now prepare their own credentials and
     temporarily override the ones currently on the acting thread, whilst
     preventing interference from other threads by holding cred_replace_mutex
     on the thread being dumped.
     This will be replaced in a future patch by something that hands down the
     credentials directly to the functions being called, rather than altering
     the task's objective credentials.
 (3) LSM interface.
     A number of functions have been changed, added or removed:
     (*) security_capset_check(), ->capset_check()
     (*) security_capset_set(), ->capset_set()
     	 Removed in favour of security_capset().
     (*) security_capset(), ->capset()
     	 New.  This is passed a pointer to the new creds, a pointer to the old
     	 creds and the proposed capability sets.  It should fill in the new
     	 creds or return an error.  All pointers, barring the pointer to the
     	 new creds, are now const.
     (*) security_bprm_apply_creds(), ->bprm_apply_creds()
     	 Changed; now returns a value, which will cause the process to be
     	 killed if it's an error.
     (*) security_task_alloc(), ->task_alloc_security()
     	 Removed in favour of security_prepare_creds().
     (*) security_cred_free(), ->cred_free()
     	 New.  Free security data attached to cred->security.
     (*) security_prepare_creds(), ->cred_prepare()
     	 New. Duplicate any security data attached to cred->security.
     (*) security_commit_creds(), ->cred_commit()
     	 New. Apply any security effects for the upcoming installation of new
     	 security by commit_creds().
     (*) security_task_post_setuid(), ->task_post_setuid()
     	 Removed in favour of security_task_fix_setuid().
     (*) security_task_fix_setuid(), ->task_fix_setuid()
     	 Fix up the proposed new credentials for setuid().  This is used by
     	 cap_set_fix_setuid() to implicitly adjust capabilities in line with
     	 setuid() changes.  Changes are made to the new credentials, rather
     	 than the task itself as in security_task_post_setuid().
     (*) security_task_reparent_to_init(), ->task_reparent_to_init()
     	 Removed.  Instead the task being reparented to init is referred
     	 directly to init's credentials.
	 NOTE!  This results in the loss of some state: SELinux's osid no
	 longer records the sid of the thread that forked it.
     (*) security_key_alloc(), ->key_alloc()
     (*) security_key_permission(), ->key_permission()
     	 Changed.  These now take cred pointers rather than task pointers to
     	 refer to the security context.
 (4) sys_capset().
     This has been simplified and uses less locking.  The LSM functions it
     calls have been merged.
 (5) reparent_to_kthreadd().
     This gives the current thread the same credentials as init by simply using
     commit_thread() to point that way.
 (6) __sigqueue_alloc() and switch_uid()
     __sigqueue_alloc() can't stop the target task from changing its creds
     beneath it, so this function gets a reference to the currently applicable
     user_struct which it then passes into the sigqueue struct it returns if
     successful.
     switch_uid() is now called from commit_creds(), and possibly should be
     folded into that.  commit_creds() should take care of protecting
     __sigqueue_alloc().
 (7) [sg]et[ug]id() and co and [sg]et_current_groups.
     The set functions now all use prepare_creds(), commit_creds() and
     abort_creds() to build and check a new set of credentials before applying
     it.
     security_task_set[ug]id() is called inside the prepared section.  This
     guarantees that nothing else will affect the creds until we've finished.
     The calling of set_dumpable() has been moved into commit_creds().
     Much of the functionality of set_user() has been moved into
     commit_creds().
     The get functions all simply access the data directly.
 (8) security_task_prctl() and cap_task_prctl().
     security_task_prctl() has been modified to return -ENOSYS if it doesn't
     want to handle a function, or otherwise return the return value directly
     rather than through an argument.
     Additionally, cap_task_prctl() now prepares a new set of credentials, even
     if it doesn't end up using it.
 (9) Keyrings.
     A number of changes have been made to the keyrings code:
     (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
     	 all been dropped and built in to the credentials functions directly.
     	 They may want separating out again later.
     (b) key_alloc() and search_process_keyrings() now take a cred pointer
     	 rather than a task pointer to specify the security context.
     (c) copy_creds() gives a new thread within the same thread group a new
     	 thread keyring if its parent had one, otherwise it discards the thread
     	 keyring.
     (d) The authorisation key now points directly to the credentials to extend
     	 the search into rather pointing to the task that carries them.
     (e) Installing thread, process or session keyrings causes a new set of
     	 credentials to be created, even though it's not strictly necessary for
     	 process or session keyrings (they're shared).
(10) Usermode helper.
     The usermode helper code now carries a cred struct pointer in its
     subprocess_info struct instead of a new session keyring pointer.  This set
     of credentials is derived from init_cred and installed on the new process
     after it has been cloned.
     call_usermodehelper_setup() allocates the new credentials and
     call_usermodehelper_freeinfo() discards them if they haven't been used.  A
     special cred function (prepare_usermodeinfo_creds()) is provided
     specifically for call_usermodehelper_setup() to call.
     call_usermodehelper_setkeys() adjusts the credentials to sport the
     supplied keyring as the new session keyring.
(11) SELinux.
     SELinux has a number of changes, in addition to those to support the LSM
     interface changes mentioned above:
     (a) selinux_setprocattr() no longer does its check for whether the
     	 current ptracer can access processes with the new SID inside the lock
     	 that covers getting the ptracer's SID.  Whilst this lock ensures that
     	 the check is done with the ptracer pinned, the result is only valid
     	 until the lock is released, so there's no point doing it inside the
     	 lock.
(12) is_single_threaded().
     This function has been extracted from selinux_setprocattr() and put into
     a file of its own in the lib/ directory as join_session_keyring() now
     wants to use it too.
     The code in SELinux just checked to see whether a task shared mm_structs
     with other tasks (CLONE_VM), but that isn't good enough.  We really want
     to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
     The NFS server daemon now has to use the COW credentials to set the
     credentials it is going to use.  It really needs to pass the credentials
     down to the functions it calls, but it can't do that until other patches
     in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
											
										 
											2008-11-14 10:39:23 +11:00
										 |  |  | 			goto error; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 	} | 
					
						
							| 
									
										
											  
											
												CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management.  This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
	struct cred *new = prepare_creds();
	int ret = blah(new);
	if (ret < 0) {
		abort_creds(new);
		return ret;
	}
	return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const.  The purpose of this is compile-time
discouragement of altering credentials through those pointers.  Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
  (1) Its reference count may incremented and decremented.
  (2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
 (1) execve().
     This now prepares and commits credentials in various places in the
     security code rather than altering the current creds directly.
 (2) Temporary credential overrides.
     do_coredump() and sys_faccessat() now prepare their own credentials and
     temporarily override the ones currently on the acting thread, whilst
     preventing interference from other threads by holding cred_replace_mutex
     on the thread being dumped.
     This will be replaced in a future patch by something that hands down the
     credentials directly to the functions being called, rather than altering
     the task's objective credentials.
 (3) LSM interface.
     A number of functions have been changed, added or removed:
     (*) security_capset_check(), ->capset_check()
     (*) security_capset_set(), ->capset_set()
     	 Removed in favour of security_capset().
     (*) security_capset(), ->capset()
     	 New.  This is passed a pointer to the new creds, a pointer to the old
     	 creds and the proposed capability sets.  It should fill in the new
     	 creds or return an error.  All pointers, barring the pointer to the
     	 new creds, are now const.
     (*) security_bprm_apply_creds(), ->bprm_apply_creds()
     	 Changed; now returns a value, which will cause the process to be
     	 killed if it's an error.
     (*) security_task_alloc(), ->task_alloc_security()
     	 Removed in favour of security_prepare_creds().
     (*) security_cred_free(), ->cred_free()
     	 New.  Free security data attached to cred->security.
     (*) security_prepare_creds(), ->cred_prepare()
     	 New. Duplicate any security data attached to cred->security.
     (*) security_commit_creds(), ->cred_commit()
     	 New. Apply any security effects for the upcoming installation of new
     	 security by commit_creds().
     (*) security_task_post_setuid(), ->task_post_setuid()
     	 Removed in favour of security_task_fix_setuid().
     (*) security_task_fix_setuid(), ->task_fix_setuid()
     	 Fix up the proposed new credentials for setuid().  This is used by
     	 cap_set_fix_setuid() to implicitly adjust capabilities in line with
     	 setuid() changes.  Changes are made to the new credentials, rather
     	 than the task itself as in security_task_post_setuid().
     (*) security_task_reparent_to_init(), ->task_reparent_to_init()
     	 Removed.  Instead the task being reparented to init is referred
     	 directly to init's credentials.
	 NOTE!  This results in the loss of some state: SELinux's osid no
	 longer records the sid of the thread that forked it.
     (*) security_key_alloc(), ->key_alloc()
     (*) security_key_permission(), ->key_permission()
     	 Changed.  These now take cred pointers rather than task pointers to
     	 refer to the security context.
 (4) sys_capset().
     This has been simplified and uses less locking.  The LSM functions it
     calls have been merged.
 (5) reparent_to_kthreadd().
     This gives the current thread the same credentials as init by simply using
     commit_thread() to point that way.
 (6) __sigqueue_alloc() and switch_uid()
     __sigqueue_alloc() can't stop the target task from changing its creds
     beneath it, so this function gets a reference to the currently applicable
     user_struct which it then passes into the sigqueue struct it returns if
     successful.
     switch_uid() is now called from commit_creds(), and possibly should be
     folded into that.  commit_creds() should take care of protecting
     __sigqueue_alloc().
 (7) [sg]et[ug]id() and co and [sg]et_current_groups.
     The set functions now all use prepare_creds(), commit_creds() and
     abort_creds() to build and check a new set of credentials before applying
     it.
     security_task_set[ug]id() is called inside the prepared section.  This
     guarantees that nothing else will affect the creds until we've finished.
     The calling of set_dumpable() has been moved into commit_creds().
     Much of the functionality of set_user() has been moved into
     commit_creds().
     The get functions all simply access the data directly.
 (8) security_task_prctl() and cap_task_prctl().
     security_task_prctl() has been modified to return -ENOSYS if it doesn't
     want to handle a function, or otherwise return the return value directly
     rather than through an argument.
     Additionally, cap_task_prctl() now prepares a new set of credentials, even
     if it doesn't end up using it.
 (9) Keyrings.
     A number of changes have been made to the keyrings code:
     (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
     	 all been dropped and built in to the credentials functions directly.
     	 They may want separating out again later.
     (b) key_alloc() and search_process_keyrings() now take a cred pointer
     	 rather than a task pointer to specify the security context.
     (c) copy_creds() gives a new thread within the same thread group a new
     	 thread keyring if its parent had one, otherwise it discards the thread
     	 keyring.
     (d) The authorisation key now points directly to the credentials to extend
     	 the search into rather pointing to the task that carries them.
     (e) Installing thread, process or session keyrings causes a new set of
     	 credentials to be created, even though it's not strictly necessary for
     	 process or session keyrings (they're shared).
(10) Usermode helper.
     The usermode helper code now carries a cred struct pointer in its
     subprocess_info struct instead of a new session keyring pointer.  This set
     of credentials is derived from init_cred and installed on the new process
     after it has been cloned.
     call_usermodehelper_setup() allocates the new credentials and
     call_usermodehelper_freeinfo() discards them if they haven't been used.  A
     special cred function (prepare_usermodeinfo_creds()) is provided
     specifically for call_usermodehelper_setup() to call.
     call_usermodehelper_setkeys() adjusts the credentials to sport the
     supplied keyring as the new session keyring.
(11) SELinux.
     SELinux has a number of changes, in addition to those to support the LSM
     interface changes mentioned above:
     (a) selinux_setprocattr() no longer does its check for whether the
     	 current ptracer can access processes with the new SID inside the lock
     	 that covers getting the ptracer's SID.  Whilst this lock ensures that
     	 the check is done with the ptracer pinned, the result is only valid
     	 until the lock is released, so there's no point doing it inside the
     	 lock.
(12) is_single_threaded().
     This function has been extracted from selinux_setprocattr() and put into
     a file of its own in the lib/ directory as join_session_keyring() now
     wants to use it too.
     The code in SELinux just checked to see whether a task shared mm_structs
     with other tasks (CLONE_VM), but that isn't good enough.  We really want
     to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
     The NFS server daemon now has to use the COW credentials to set the
     credentials it is going to use.  It really needs to pass the credentials
     down to the functions it calls, but it can't do that until other patches
     in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
											
										 
											2008-11-14 10:39:23 +11:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 	if (ruid != (uid_t) -1) { | 
					
						
							| 
									
										
										
											
												userns: Convert setting and getting uid and gid system calls to use kuid and kgid
Convert setregid, setgid, setreuid, setuid,
setresuid, getresuid, setresgid, getresgid, setfsuid, setfsgid,
getuid, geteuid, getgid, getegid,
waitpid, waitid, wait4.
Convert userspace uids and gids into kuids and kgids before
being placed on struct cred.  Convert struct cred kuids and
kgids into userspace uids and gids when returning them.
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
											
										 
											2012-02-07 18:51:01 -08:00
										 |  |  | 		new->uid = kruid; | 
					
						
							|  |  |  | 		if (!uid_eq(kruid, old->uid)) { | 
					
						
							| 
									
										
										
										
											2009-02-27 15:13:54 +05:30
										 |  |  | 			retval = set_user(new); | 
					
						
							|  |  |  | 			if (retval < 0) | 
					
						
							|  |  |  | 				goto error; | 
					
						
							|  |  |  | 		} | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 	} | 
					
						
							| 
									
										
											  
											
												CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management.  This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
	struct cred *new = prepare_creds();
	int ret = blah(new);
	if (ret < 0) {
		abort_creds(new);
		return ret;
	}
	return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const.  The purpose of this is compile-time
discouragement of altering credentials through those pointers.  Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
  (1) Its reference count may incremented and decremented.
  (2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
 (1) execve().
     This now prepares and commits credentials in various places in the
     security code rather than altering the current creds directly.
 (2) Temporary credential overrides.
     do_coredump() and sys_faccessat() now prepare their own credentials and
     temporarily override the ones currently on the acting thread, whilst
     preventing interference from other threads by holding cred_replace_mutex
     on the thread being dumped.
     This will be replaced in a future patch by something that hands down the
     credentials directly to the functions being called, rather than altering
     the task's objective credentials.
 (3) LSM interface.
     A number of functions have been changed, added or removed:
     (*) security_capset_check(), ->capset_check()
     (*) security_capset_set(), ->capset_set()
     	 Removed in favour of security_capset().
     (*) security_capset(), ->capset()
     	 New.  This is passed a pointer to the new creds, a pointer to the old
     	 creds and the proposed capability sets.  It should fill in the new
     	 creds or return an error.  All pointers, barring the pointer to the
     	 new creds, are now const.
     (*) security_bprm_apply_creds(), ->bprm_apply_creds()
     	 Changed; now returns a value, which will cause the process to be
     	 killed if it's an error.
     (*) security_task_alloc(), ->task_alloc_security()
     	 Removed in favour of security_prepare_creds().
     (*) security_cred_free(), ->cred_free()
     	 New.  Free security data attached to cred->security.
     (*) security_prepare_creds(), ->cred_prepare()
     	 New. Duplicate any security data attached to cred->security.
     (*) security_commit_creds(), ->cred_commit()
     	 New. Apply any security effects for the upcoming installation of new
     	 security by commit_creds().
     (*) security_task_post_setuid(), ->task_post_setuid()
     	 Removed in favour of security_task_fix_setuid().
     (*) security_task_fix_setuid(), ->task_fix_setuid()
     	 Fix up the proposed new credentials for setuid().  This is used by
     	 cap_set_fix_setuid() to implicitly adjust capabilities in line with
     	 setuid() changes.  Changes are made to the new credentials, rather
     	 than the task itself as in security_task_post_setuid().
     (*) security_task_reparent_to_init(), ->task_reparent_to_init()
     	 Removed.  Instead the task being reparented to init is referred
     	 directly to init's credentials.
	 NOTE!  This results in the loss of some state: SELinux's osid no
	 longer records the sid of the thread that forked it.
     (*) security_key_alloc(), ->key_alloc()
     (*) security_key_permission(), ->key_permission()
     	 Changed.  These now take cred pointers rather than task pointers to
     	 refer to the security context.
 (4) sys_capset().
     This has been simplified and uses less locking.  The LSM functions it
     calls have been merged.
 (5) reparent_to_kthreadd().
     This gives the current thread the same credentials as init by simply using
     commit_thread() to point that way.
 (6) __sigqueue_alloc() and switch_uid()
     __sigqueue_alloc() can't stop the target task from changing its creds
     beneath it, so this function gets a reference to the currently applicable
     user_struct which it then passes into the sigqueue struct it returns if
     successful.
     switch_uid() is now called from commit_creds(), and possibly should be
     folded into that.  commit_creds() should take care of protecting
     __sigqueue_alloc().
 (7) [sg]et[ug]id() and co and [sg]et_current_groups.
     The set functions now all use prepare_creds(), commit_creds() and
     abort_creds() to build and check a new set of credentials before applying
     it.
     security_task_set[ug]id() is called inside the prepared section.  This
     guarantees that nothing else will affect the creds until we've finished.
     The calling of set_dumpable() has been moved into commit_creds().
     Much of the functionality of set_user() has been moved into
     commit_creds().
     The get functions all simply access the data directly.
 (8) security_task_prctl() and cap_task_prctl().
     security_task_prctl() has been modified to return -ENOSYS if it doesn't
     want to handle a function, or otherwise return the return value directly
     rather than through an argument.
     Additionally, cap_task_prctl() now prepares a new set of credentials, even
     if it doesn't end up using it.
 (9) Keyrings.
     A number of changes have been made to the keyrings code:
     (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
     	 all been dropped and built in to the credentials functions directly.
     	 They may want separating out again later.
     (b) key_alloc() and search_process_keyrings() now take a cred pointer
     	 rather than a task pointer to specify the security context.
     (c) copy_creds() gives a new thread within the same thread group a new
     	 thread keyring if its parent had one, otherwise it discards the thread
     	 keyring.
     (d) The authorisation key now points directly to the credentials to extend
     	 the search into rather pointing to the task that carries them.
     (e) Installing thread, process or session keyrings causes a new set of
     	 credentials to be created, even though it's not strictly necessary for
     	 process or session keyrings (they're shared).
(10) Usermode helper.
     The usermode helper code now carries a cred struct pointer in its
     subprocess_info struct instead of a new session keyring pointer.  This set
     of credentials is derived from init_cred and installed on the new process
     after it has been cloned.
     call_usermodehelper_setup() allocates the new credentials and
     call_usermodehelper_freeinfo() discards them if they haven't been used.  A
     special cred function (prepare_usermodeinfo_creds()) is provided
     specifically for call_usermodehelper_setup() to call.
     call_usermodehelper_setkeys() adjusts the credentials to sport the
     supplied keyring as the new session keyring.
(11) SELinux.
     SELinux has a number of changes, in addition to those to support the LSM
     interface changes mentioned above:
     (a) selinux_setprocattr() no longer does its check for whether the
     	 current ptracer can access processes with the new SID inside the lock
     	 that covers getting the ptracer's SID.  Whilst this lock ensures that
     	 the check is done with the ptracer pinned, the result is only valid
     	 until the lock is released, so there's no point doing it inside the
     	 lock.
(12) is_single_threaded().
     This function has been extracted from selinux_setprocattr() and put into
     a file of its own in the lib/ directory as join_session_keyring() now
     wants to use it too.
     The code in SELinux just checked to see whether a task shared mm_structs
     with other tasks (CLONE_VM), but that isn't good enough.  We really want
     to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
     The NFS server daemon now has to use the COW credentials to set the
     credentials it is going to use.  It really needs to pass the credentials
     down to the functions it calls, but it can't do that until other patches
     in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
											
										 
											2008-11-14 10:39:23 +11:00
										 |  |  | 	if (euid != (uid_t) -1) | 
					
						
							| 
									
										
										
											
												userns: Convert setting and getting uid and gid system calls to use kuid and kgid
Convert setregid, setgid, setreuid, setuid,
setresuid, getresuid, setresgid, getresgid, setfsuid, setfsgid,
getuid, geteuid, getgid, getegid,
waitpid, waitid, wait4.
Convert userspace uids and gids into kuids and kgids before
being placed on struct cred.  Convert struct cred kuids and
kgids into userspace uids and gids when returning them.
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
											
										 
											2012-02-07 18:51:01 -08:00
										 |  |  | 		new->euid = keuid; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 	if (suid != (uid_t) -1) | 
					
						
							| 
									
										
										
											
												userns: Convert setting and getting uid and gid system calls to use kuid and kgid
Convert setregid, setgid, setreuid, setuid,
setresuid, getresuid, setresgid, getresgid, setfsuid, setfsgid,
getuid, geteuid, getgid, getegid,
waitpid, waitid, wait4.
Convert userspace uids and gids into kuids and kgids before
being placed on struct cred.  Convert struct cred kuids and
kgids into userspace uids and gids when returning them.
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
											
										 
											2012-02-07 18:51:01 -08:00
										 |  |  | 		new->suid = ksuid; | 
					
						
							| 
									
										
											  
											
												CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management.  This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
	struct cred *new = prepare_creds();
	int ret = blah(new);
	if (ret < 0) {
		abort_creds(new);
		return ret;
	}
	return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const.  The purpose of this is compile-time
discouragement of altering credentials through those pointers.  Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
  (1) Its reference count may incremented and decremented.
  (2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
 (1) execve().
     This now prepares and commits credentials in various places in the
     security code rather than altering the current creds directly.
 (2) Temporary credential overrides.
     do_coredump() and sys_faccessat() now prepare their own credentials and
     temporarily override the ones currently on the acting thread, whilst
     preventing interference from other threads by holding cred_replace_mutex
     on the thread being dumped.
     This will be replaced in a future patch by something that hands down the
     credentials directly to the functions being called, rather than altering
     the task's objective credentials.
 (3) LSM interface.
     A number of functions have been changed, added or removed:
     (*) security_capset_check(), ->capset_check()
     (*) security_capset_set(), ->capset_set()
     	 Removed in favour of security_capset().
     (*) security_capset(), ->capset()
     	 New.  This is passed a pointer to the new creds, a pointer to the old
     	 creds and the proposed capability sets.  It should fill in the new
     	 creds or return an error.  All pointers, barring the pointer to the
     	 new creds, are now const.
     (*) security_bprm_apply_creds(), ->bprm_apply_creds()
     	 Changed; now returns a value, which will cause the process to be
     	 killed if it's an error.
     (*) security_task_alloc(), ->task_alloc_security()
     	 Removed in favour of security_prepare_creds().
     (*) security_cred_free(), ->cred_free()
     	 New.  Free security data attached to cred->security.
     (*) security_prepare_creds(), ->cred_prepare()
     	 New. Duplicate any security data attached to cred->security.
     (*) security_commit_creds(), ->cred_commit()
     	 New. Apply any security effects for the upcoming installation of new
     	 security by commit_creds().
     (*) security_task_post_setuid(), ->task_post_setuid()
     	 Removed in favour of security_task_fix_setuid().
     (*) security_task_fix_setuid(), ->task_fix_setuid()
     	 Fix up the proposed new credentials for setuid().  This is used by
     	 cap_set_fix_setuid() to implicitly adjust capabilities in line with
     	 setuid() changes.  Changes are made to the new credentials, rather
     	 than the task itself as in security_task_post_setuid().
     (*) security_task_reparent_to_init(), ->task_reparent_to_init()
     	 Removed.  Instead the task being reparented to init is referred
     	 directly to init's credentials.
	 NOTE!  This results in the loss of some state: SELinux's osid no
	 longer records the sid of the thread that forked it.
     (*) security_key_alloc(), ->key_alloc()
     (*) security_key_permission(), ->key_permission()
     	 Changed.  These now take cred pointers rather than task pointers to
     	 refer to the security context.
 (4) sys_capset().
     This has been simplified and uses less locking.  The LSM functions it
     calls have been merged.
 (5) reparent_to_kthreadd().
     This gives the current thread the same credentials as init by simply using
     commit_thread() to point that way.
 (6) __sigqueue_alloc() and switch_uid()
     __sigqueue_alloc() can't stop the target task from changing its creds
     beneath it, so this function gets a reference to the currently applicable
     user_struct which it then passes into the sigqueue struct it returns if
     successful.
     switch_uid() is now called from commit_creds(), and possibly should be
     folded into that.  commit_creds() should take care of protecting
     __sigqueue_alloc().
 (7) [sg]et[ug]id() and co and [sg]et_current_groups.
     The set functions now all use prepare_creds(), commit_creds() and
     abort_creds() to build and check a new set of credentials before applying
     it.
     security_task_set[ug]id() is called inside the prepared section.  This
     guarantees that nothing else will affect the creds until we've finished.
     The calling of set_dumpable() has been moved into commit_creds().
     Much of the functionality of set_user() has been moved into
     commit_creds().
     The get functions all simply access the data directly.
 (8) security_task_prctl() and cap_task_prctl().
     security_task_prctl() has been modified to return -ENOSYS if it doesn't
     want to handle a function, or otherwise return the return value directly
     rather than through an argument.
     Additionally, cap_task_prctl() now prepares a new set of credentials, even
     if it doesn't end up using it.
 (9) Keyrings.
     A number of changes have been made to the keyrings code:
     (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
     	 all been dropped and built in to the credentials functions directly.
     	 They may want separating out again later.
     (b) key_alloc() and search_process_keyrings() now take a cred pointer
     	 rather than a task pointer to specify the security context.
     (c) copy_creds() gives a new thread within the same thread group a new
     	 thread keyring if its parent had one, otherwise it discards the thread
     	 keyring.
     (d) The authorisation key now points directly to the credentials to extend
     	 the search into rather pointing to the task that carries them.
     (e) Installing thread, process or session keyrings causes a new set of
     	 credentials to be created, even though it's not strictly necessary for
     	 process or session keyrings (they're shared).
(10) Usermode helper.
     The usermode helper code now carries a cred struct pointer in its
     subprocess_info struct instead of a new session keyring pointer.  This set
     of credentials is derived from init_cred and installed on the new process
     after it has been cloned.
     call_usermodehelper_setup() allocates the new credentials and
     call_usermodehelper_freeinfo() discards them if they haven't been used.  A
     special cred function (prepare_usermodeinfo_creds()) is provided
     specifically for call_usermodehelper_setup() to call.
     call_usermodehelper_setkeys() adjusts the credentials to sport the
     supplied keyring as the new session keyring.
(11) SELinux.
     SELinux has a number of changes, in addition to those to support the LSM
     interface changes mentioned above:
     (a) selinux_setprocattr() no longer does its check for whether the
     	 current ptracer can access processes with the new SID inside the lock
     	 that covers getting the ptracer's SID.  Whilst this lock ensures that
     	 the check is done with the ptracer pinned, the result is only valid
     	 until the lock is released, so there's no point doing it inside the
     	 lock.
(12) is_single_threaded().
     This function has been extracted from selinux_setprocattr() and put into
     a file of its own in the lib/ directory as join_session_keyring() now
     wants to use it too.
     The code in SELinux just checked to see whether a task shared mm_structs
     with other tasks (CLONE_VM), but that isn't good enough.  We really want
     to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
     The NFS server daemon now has to use the COW credentials to set the
     credentials it is going to use.  It really needs to pass the credentials
     down to the functions it calls, but it can't do that until other patches
     in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
											
										 
											2008-11-14 10:39:23 +11:00
										 |  |  | 	new->fsuid = new->euid; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 
 | 
					
						
							| 
									
										
											  
											
												CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management.  This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
	struct cred *new = prepare_creds();
	int ret = blah(new);
	if (ret < 0) {
		abort_creds(new);
		return ret;
	}
	return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const.  The purpose of this is compile-time
discouragement of altering credentials through those pointers.  Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
  (1) Its reference count may incremented and decremented.
  (2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
 (1) execve().
     This now prepares and commits credentials in various places in the
     security code rather than altering the current creds directly.
 (2) Temporary credential overrides.
     do_coredump() and sys_faccessat() now prepare their own credentials and
     temporarily override the ones currently on the acting thread, whilst
     preventing interference from other threads by holding cred_replace_mutex
     on the thread being dumped.
     This will be replaced in a future patch by something that hands down the
     credentials directly to the functions being called, rather than altering
     the task's objective credentials.
 (3) LSM interface.
     A number of functions have been changed, added or removed:
     (*) security_capset_check(), ->capset_check()
     (*) security_capset_set(), ->capset_set()
     	 Removed in favour of security_capset().
     (*) security_capset(), ->capset()
     	 New.  This is passed a pointer to the new creds, a pointer to the old
     	 creds and the proposed capability sets.  It should fill in the new
     	 creds or return an error.  All pointers, barring the pointer to the
     	 new creds, are now const.
     (*) security_bprm_apply_creds(), ->bprm_apply_creds()
     	 Changed; now returns a value, which will cause the process to be
     	 killed if it's an error.
     (*) security_task_alloc(), ->task_alloc_security()
     	 Removed in favour of security_prepare_creds().
     (*) security_cred_free(), ->cred_free()
     	 New.  Free security data attached to cred->security.
     (*) security_prepare_creds(), ->cred_prepare()
     	 New. Duplicate any security data attached to cred->security.
     (*) security_commit_creds(), ->cred_commit()
     	 New. Apply any security effects for the upcoming installation of new
     	 security by commit_creds().
     (*) security_task_post_setuid(), ->task_post_setuid()
     	 Removed in favour of security_task_fix_setuid().
     (*) security_task_fix_setuid(), ->task_fix_setuid()
     	 Fix up the proposed new credentials for setuid().  This is used by
     	 cap_set_fix_setuid() to implicitly adjust capabilities in line with
     	 setuid() changes.  Changes are made to the new credentials, rather
     	 than the task itself as in security_task_post_setuid().
     (*) security_task_reparent_to_init(), ->task_reparent_to_init()
     	 Removed.  Instead the task being reparented to init is referred
     	 directly to init's credentials.
	 NOTE!  This results in the loss of some state: SELinux's osid no
	 longer records the sid of the thread that forked it.
     (*) security_key_alloc(), ->key_alloc()
     (*) security_key_permission(), ->key_permission()
     	 Changed.  These now take cred pointers rather than task pointers to
     	 refer to the security context.
 (4) sys_capset().
     This has been simplified and uses less locking.  The LSM functions it
     calls have been merged.
 (5) reparent_to_kthreadd().
     This gives the current thread the same credentials as init by simply using
     commit_thread() to point that way.
 (6) __sigqueue_alloc() and switch_uid()
     __sigqueue_alloc() can't stop the target task from changing its creds
     beneath it, so this function gets a reference to the currently applicable
     user_struct which it then passes into the sigqueue struct it returns if
     successful.
     switch_uid() is now called from commit_creds(), and possibly should be
     folded into that.  commit_creds() should take care of protecting
     __sigqueue_alloc().
 (7) [sg]et[ug]id() and co and [sg]et_current_groups.
     The set functions now all use prepare_creds(), commit_creds() and
     abort_creds() to build and check a new set of credentials before applying
     it.
     security_task_set[ug]id() is called inside the prepared section.  This
     guarantees that nothing else will affect the creds until we've finished.
     The calling of set_dumpable() has been moved into commit_creds().
     Much of the functionality of set_user() has been moved into
     commit_creds().
     The get functions all simply access the data directly.
 (8) security_task_prctl() and cap_task_prctl().
     security_task_prctl() has been modified to return -ENOSYS if it doesn't
     want to handle a function, or otherwise return the return value directly
     rather than through an argument.
     Additionally, cap_task_prctl() now prepares a new set of credentials, even
     if it doesn't end up using it.
 (9) Keyrings.
     A number of changes have been made to the keyrings code:
     (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
     	 all been dropped and built in to the credentials functions directly.
     	 They may want separating out again later.
     (b) key_alloc() and search_process_keyrings() now take a cred pointer
     	 rather than a task pointer to specify the security context.
     (c) copy_creds() gives a new thread within the same thread group a new
     	 thread keyring if its parent had one, otherwise it discards the thread
     	 keyring.
     (d) The authorisation key now points directly to the credentials to extend
     	 the search into rather pointing to the task that carries them.
     (e) Installing thread, process or session keyrings causes a new set of
     	 credentials to be created, even though it's not strictly necessary for
     	 process or session keyrings (they're shared).
(10) Usermode helper.
     The usermode helper code now carries a cred struct pointer in its
     subprocess_info struct instead of a new session keyring pointer.  This set
     of credentials is derived from init_cred and installed on the new process
     after it has been cloned.
     call_usermodehelper_setup() allocates the new credentials and
     call_usermodehelper_freeinfo() discards them if they haven't been used.  A
     special cred function (prepare_usermodeinfo_creds()) is provided
     specifically for call_usermodehelper_setup() to call.
     call_usermodehelper_setkeys() adjusts the credentials to sport the
     supplied keyring as the new session keyring.
(11) SELinux.
     SELinux has a number of changes, in addition to those to support the LSM
     interface changes mentioned above:
     (a) selinux_setprocattr() no longer does its check for whether the
     	 current ptracer can access processes with the new SID inside the lock
     	 that covers getting the ptracer's SID.  Whilst this lock ensures that
     	 the check is done with the ptracer pinned, the result is only valid
     	 until the lock is released, so there's no point doing it inside the
     	 lock.
(12) is_single_threaded().
     This function has been extracted from selinux_setprocattr() and put into
     a file of its own in the lib/ directory as join_session_keyring() now
     wants to use it too.
     The code in SELinux just checked to see whether a task shared mm_structs
     with other tasks (CLONE_VM), but that isn't good enough.  We really want
     to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
     The NFS server daemon now has to use the COW credentials to set the
     credentials it is going to use.  It really needs to pass the credentials
     down to the functions it calls, but it can't do that until other patches
     in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
											
										 
											2008-11-14 10:39:23 +11:00
										 |  |  | 	retval = security_task_fix_setuid(new, old, LSM_SETID_RES); | 
					
						
							|  |  |  | 	if (retval < 0) | 
					
						
							|  |  |  | 		goto error; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 
 | 
					
						
							| 
									
										
											  
											
												CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management.  This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
	struct cred *new = prepare_creds();
	int ret = blah(new);
	if (ret < 0) {
		abort_creds(new);
		return ret;
	}
	return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const.  The purpose of this is compile-time
discouragement of altering credentials through those pointers.  Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
  (1) Its reference count may incremented and decremented.
  (2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
 (1) execve().
     This now prepares and commits credentials in various places in the
     security code rather than altering the current creds directly.
 (2) Temporary credential overrides.
     do_coredump() and sys_faccessat() now prepare their own credentials and
     temporarily override the ones currently on the acting thread, whilst
     preventing interference from other threads by holding cred_replace_mutex
     on the thread being dumped.
     This will be replaced in a future patch by something that hands down the
     credentials directly to the functions being called, rather than altering
     the task's objective credentials.
 (3) LSM interface.
     A number of functions have been changed, added or removed:
     (*) security_capset_check(), ->capset_check()
     (*) security_capset_set(), ->capset_set()
     	 Removed in favour of security_capset().
     (*) security_capset(), ->capset()
     	 New.  This is passed a pointer to the new creds, a pointer to the old
     	 creds and the proposed capability sets.  It should fill in the new
     	 creds or return an error.  All pointers, barring the pointer to the
     	 new creds, are now const.
     (*) security_bprm_apply_creds(), ->bprm_apply_creds()
     	 Changed; now returns a value, which will cause the process to be
     	 killed if it's an error.
     (*) security_task_alloc(), ->task_alloc_security()
     	 Removed in favour of security_prepare_creds().
     (*) security_cred_free(), ->cred_free()
     	 New.  Free security data attached to cred->security.
     (*) security_prepare_creds(), ->cred_prepare()
     	 New. Duplicate any security data attached to cred->security.
     (*) security_commit_creds(), ->cred_commit()
     	 New. Apply any security effects for the upcoming installation of new
     	 security by commit_creds().
     (*) security_task_post_setuid(), ->task_post_setuid()
     	 Removed in favour of security_task_fix_setuid().
     (*) security_task_fix_setuid(), ->task_fix_setuid()
     	 Fix up the proposed new credentials for setuid().  This is used by
     	 cap_set_fix_setuid() to implicitly adjust capabilities in line with
     	 setuid() changes.  Changes are made to the new credentials, rather
     	 than the task itself as in security_task_post_setuid().
     (*) security_task_reparent_to_init(), ->task_reparent_to_init()
     	 Removed.  Instead the task being reparented to init is referred
     	 directly to init's credentials.
	 NOTE!  This results in the loss of some state: SELinux's osid no
	 longer records the sid of the thread that forked it.
     (*) security_key_alloc(), ->key_alloc()
     (*) security_key_permission(), ->key_permission()
     	 Changed.  These now take cred pointers rather than task pointers to
     	 refer to the security context.
 (4) sys_capset().
     This has been simplified and uses less locking.  The LSM functions it
     calls have been merged.
 (5) reparent_to_kthreadd().
     This gives the current thread the same credentials as init by simply using
     commit_thread() to point that way.
 (6) __sigqueue_alloc() and switch_uid()
     __sigqueue_alloc() can't stop the target task from changing its creds
     beneath it, so this function gets a reference to the currently applicable
     user_struct which it then passes into the sigqueue struct it returns if
     successful.
     switch_uid() is now called from commit_creds(), and possibly should be
     folded into that.  commit_creds() should take care of protecting
     __sigqueue_alloc().
 (7) [sg]et[ug]id() and co and [sg]et_current_groups.
     The set functions now all use prepare_creds(), commit_creds() and
     abort_creds() to build and check a new set of credentials before applying
     it.
     security_task_set[ug]id() is called inside the prepared section.  This
     guarantees that nothing else will affect the creds until we've finished.
     The calling of set_dumpable() has been moved into commit_creds().
     Much of the functionality of set_user() has been moved into
     commit_creds().
     The get functions all simply access the data directly.
 (8) security_task_prctl() and cap_task_prctl().
     security_task_prctl() has been modified to return -ENOSYS if it doesn't
     want to handle a function, or otherwise return the return value directly
     rather than through an argument.
     Additionally, cap_task_prctl() now prepares a new set of credentials, even
     if it doesn't end up using it.
 (9) Keyrings.
     A number of changes have been made to the keyrings code:
     (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
     	 all been dropped and built in to the credentials functions directly.
     	 They may want separating out again later.
     (b) key_alloc() and search_process_keyrings() now take a cred pointer
     	 rather than a task pointer to specify the security context.
     (c) copy_creds() gives a new thread within the same thread group a new
     	 thread keyring if its parent had one, otherwise it discards the thread
     	 keyring.
     (d) The authorisation key now points directly to the credentials to extend
     	 the search into rather pointing to the task that carries them.
     (e) Installing thread, process or session keyrings causes a new set of
     	 credentials to be created, even though it's not strictly necessary for
     	 process or session keyrings (they're shared).
(10) Usermode helper.
     The usermode helper code now carries a cred struct pointer in its
     subprocess_info struct instead of a new session keyring pointer.  This set
     of credentials is derived from init_cred and installed on the new process
     after it has been cloned.
     call_usermodehelper_setup() allocates the new credentials and
     call_usermodehelper_freeinfo() discards them if they haven't been used.  A
     special cred function (prepare_usermodeinfo_creds()) is provided
     specifically for call_usermodehelper_setup() to call.
     call_usermodehelper_setkeys() adjusts the credentials to sport the
     supplied keyring as the new session keyring.
(11) SELinux.
     SELinux has a number of changes, in addition to those to support the LSM
     interface changes mentioned above:
     (a) selinux_setprocattr() no longer does its check for whether the
     	 current ptracer can access processes with the new SID inside the lock
     	 that covers getting the ptracer's SID.  Whilst this lock ensures that
     	 the check is done with the ptracer pinned, the result is only valid
     	 until the lock is released, so there's no point doing it inside the
     	 lock.
(12) is_single_threaded().
     This function has been extracted from selinux_setprocattr() and put into
     a file of its own in the lib/ directory as join_session_keyring() now
     wants to use it too.
     The code in SELinux just checked to see whether a task shared mm_structs
     with other tasks (CLONE_VM), but that isn't good enough.  We really want
     to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
     The NFS server daemon now has to use the COW credentials to set the
     credentials it is going to use.  It really needs to pass the credentials
     down to the functions it calls, but it can't do that until other patches
     in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
											
										 
											2008-11-14 10:39:23 +11:00
										 |  |  | 	return commit_creds(new); | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 
 | 
					
						
							| 
									
										
											  
											
												CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management.  This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
	struct cred *new = prepare_creds();
	int ret = blah(new);
	if (ret < 0) {
		abort_creds(new);
		return ret;
	}
	return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const.  The purpose of this is compile-time
discouragement of altering credentials through those pointers.  Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
  (1) Its reference count may incremented and decremented.
  (2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
 (1) execve().
     This now prepares and commits credentials in various places in the
     security code rather than altering the current creds directly.
 (2) Temporary credential overrides.
     do_coredump() and sys_faccessat() now prepare their own credentials and
     temporarily override the ones currently on the acting thread, whilst
     preventing interference from other threads by holding cred_replace_mutex
     on the thread being dumped.
     This will be replaced in a future patch by something that hands down the
     credentials directly to the functions being called, rather than altering
     the task's objective credentials.
 (3) LSM interface.
     A number of functions have been changed, added or removed:
     (*) security_capset_check(), ->capset_check()
     (*) security_capset_set(), ->capset_set()
     	 Removed in favour of security_capset().
     (*) security_capset(), ->capset()
     	 New.  This is passed a pointer to the new creds, a pointer to the old
     	 creds and the proposed capability sets.  It should fill in the new
     	 creds or return an error.  All pointers, barring the pointer to the
     	 new creds, are now const.
     (*) security_bprm_apply_creds(), ->bprm_apply_creds()
     	 Changed; now returns a value, which will cause the process to be
     	 killed if it's an error.
     (*) security_task_alloc(), ->task_alloc_security()
     	 Removed in favour of security_prepare_creds().
     (*) security_cred_free(), ->cred_free()
     	 New.  Free security data attached to cred->security.
     (*) security_prepare_creds(), ->cred_prepare()
     	 New. Duplicate any security data attached to cred->security.
     (*) security_commit_creds(), ->cred_commit()
     	 New. Apply any security effects for the upcoming installation of new
     	 security by commit_creds().
     (*) security_task_post_setuid(), ->task_post_setuid()
     	 Removed in favour of security_task_fix_setuid().
     (*) security_task_fix_setuid(), ->task_fix_setuid()
     	 Fix up the proposed new credentials for setuid().  This is used by
     	 cap_set_fix_setuid() to implicitly adjust capabilities in line with
     	 setuid() changes.  Changes are made to the new credentials, rather
     	 than the task itself as in security_task_post_setuid().
     (*) security_task_reparent_to_init(), ->task_reparent_to_init()
     	 Removed.  Instead the task being reparented to init is referred
     	 directly to init's credentials.
	 NOTE!  This results in the loss of some state: SELinux's osid no
	 longer records the sid of the thread that forked it.
     (*) security_key_alloc(), ->key_alloc()
     (*) security_key_permission(), ->key_permission()
     	 Changed.  These now take cred pointers rather than task pointers to
     	 refer to the security context.
 (4) sys_capset().
     This has been simplified and uses less locking.  The LSM functions it
     calls have been merged.
 (5) reparent_to_kthreadd().
     This gives the current thread the same credentials as init by simply using
     commit_thread() to point that way.
 (6) __sigqueue_alloc() and switch_uid()
     __sigqueue_alloc() can't stop the target task from changing its creds
     beneath it, so this function gets a reference to the currently applicable
     user_struct which it then passes into the sigqueue struct it returns if
     successful.
     switch_uid() is now called from commit_creds(), and possibly should be
     folded into that.  commit_creds() should take care of protecting
     __sigqueue_alloc().
 (7) [sg]et[ug]id() and co and [sg]et_current_groups.
     The set functions now all use prepare_creds(), commit_creds() and
     abort_creds() to build and check a new set of credentials before applying
     it.
     security_task_set[ug]id() is called inside the prepared section.  This
     guarantees that nothing else will affect the creds until we've finished.
     The calling of set_dumpable() has been moved into commit_creds().
     Much of the functionality of set_user() has been moved into
     commit_creds().
     The get functions all simply access the data directly.
 (8) security_task_prctl() and cap_task_prctl().
     security_task_prctl() has been modified to return -ENOSYS if it doesn't
     want to handle a function, or otherwise return the return value directly
     rather than through an argument.
     Additionally, cap_task_prctl() now prepares a new set of credentials, even
     if it doesn't end up using it.
 (9) Keyrings.
     A number of changes have been made to the keyrings code:
     (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
     	 all been dropped and built in to the credentials functions directly.
     	 They may want separating out again later.
     (b) key_alloc() and search_process_keyrings() now take a cred pointer
     	 rather than a task pointer to specify the security context.
     (c) copy_creds() gives a new thread within the same thread group a new
     	 thread keyring if its parent had one, otherwise it discards the thread
     	 keyring.
     (d) The authorisation key now points directly to the credentials to extend
     	 the search into rather pointing to the task that carries them.
     (e) Installing thread, process or session keyrings causes a new set of
     	 credentials to be created, even though it's not strictly necessary for
     	 process or session keyrings (they're shared).
(10) Usermode helper.
     The usermode helper code now carries a cred struct pointer in its
     subprocess_info struct instead of a new session keyring pointer.  This set
     of credentials is derived from init_cred and installed on the new process
     after it has been cloned.
     call_usermodehelper_setup() allocates the new credentials and
     call_usermodehelper_freeinfo() discards them if they haven't been used.  A
     special cred function (prepare_usermodeinfo_creds()) is provided
     specifically for call_usermodehelper_setup() to call.
     call_usermodehelper_setkeys() adjusts the credentials to sport the
     supplied keyring as the new session keyring.
(11) SELinux.
     SELinux has a number of changes, in addition to those to support the LSM
     interface changes mentioned above:
     (a) selinux_setprocattr() no longer does its check for whether the
     	 current ptracer can access processes with the new SID inside the lock
     	 that covers getting the ptracer's SID.  Whilst this lock ensures that
     	 the check is done with the ptracer pinned, the result is only valid
     	 until the lock is released, so there's no point doing it inside the
     	 lock.
(12) is_single_threaded().
     This function has been extracted from selinux_setprocattr() and put into
     a file of its own in the lib/ directory as join_session_keyring() now
     wants to use it too.
     The code in SELinux just checked to see whether a task shared mm_structs
     with other tasks (CLONE_VM), but that isn't good enough.  We really want
     to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
     The NFS server daemon now has to use the COW credentials to set the
     credentials it is going to use.  It really needs to pass the credentials
     down to the functions it calls, but it can't do that until other patches
     in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
											
										 
											2008-11-14 10:39:23 +11:00
										 |  |  | error: | 
					
						
							|  |  |  | 	abort_creds(new); | 
					
						
							|  |  |  | 	return retval; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
											
												userns: Convert setting and getting uid and gid system calls to use kuid and kgid
Convert setregid, setgid, setreuid, setuid,
setresuid, getresuid, setresgid, getresgid, setfsuid, setfsgid,
getuid, geteuid, getgid, getegid,
waitpid, waitid, wait4.
Convert userspace uids and gids into kuids and kgids before
being placed on struct cred.  Convert struct cred kuids and
kgids into userspace uids and gids when returning them.
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
											
										 
											2012-02-07 18:51:01 -08:00
										 |  |  | SYSCALL_DEFINE3(getresuid, uid_t __user *, ruidp, uid_t __user *, euidp, uid_t __user *, suidp) | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | { | 
					
						
							| 
									
										
										
										
											2008-11-14 10:39:18 +11:00
										 |  |  | 	const struct cred *cred = current_cred(); | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 	int retval; | 
					
						
							| 
									
										
										
											
												userns: Convert setting and getting uid and gid system calls to use kuid and kgid
Convert setregid, setgid, setreuid, setuid,
setresuid, getresuid, setresgid, getresgid, setfsuid, setfsgid,
getuid, geteuid, getgid, getegid,
waitpid, waitid, wait4.
Convert userspace uids and gids into kuids and kgids before
being placed on struct cred.  Convert struct cred kuids and
kgids into userspace uids and gids when returning them.
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
											
										 
											2012-02-07 18:51:01 -08:00
										 |  |  | 	uid_t ruid, euid, suid; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	ruid = from_kuid_munged(cred->user_ns, cred->uid); | 
					
						
							|  |  |  | 	euid = from_kuid_munged(cred->user_ns, cred->euid); | 
					
						
							|  |  |  | 	suid = from_kuid_munged(cred->user_ns, cred->suid); | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
											
												userns: Convert setting and getting uid and gid system calls to use kuid and kgid
Convert setregid, setgid, setreuid, setuid,
setresuid, getresuid, setresgid, getresgid, setfsuid, setfsgid,
getuid, geteuid, getgid, getegid,
waitpid, waitid, wait4.
Convert userspace uids and gids into kuids and kgids before
being placed on struct cred.  Convert struct cred kuids and
kgids into userspace uids and gids when returning them.
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
											
										 
											2012-02-07 18:51:01 -08:00
										 |  |  | 	if (!(retval   = put_user(ruid, ruidp)) && | 
					
						
							|  |  |  | 	    !(retval   = put_user(euid, euidp))) | 
					
						
							|  |  |  | 		retval = put_user(suid, suidp); | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 
 | 
					
						
							|  |  |  | 	return retval; | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | /*
 | 
					
						
							|  |  |  |  * Same as above, but for rgid, egid, sgid. | 
					
						
							|  |  |  |  */ | 
					
						
							| 
									
										
										
										
											2009-01-14 14:14:05 +01:00
										 |  |  | SYSCALL_DEFINE3(setresgid, gid_t, rgid, gid_t, egid, gid_t, sgid) | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | { | 
					
						
							| 
									
										
										
											
												userns: Convert setting and getting uid and gid system calls to use kuid and kgid
Convert setregid, setgid, setreuid, setuid,
setresuid, getresuid, setresgid, getresgid, setfsuid, setfsgid,
getuid, geteuid, getgid, getegid,
waitpid, waitid, wait4.
Convert userspace uids and gids into kuids and kgids before
being placed on struct cred.  Convert struct cred kuids and
kgids into userspace uids and gids when returning them.
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
											
										 
											2012-02-07 18:51:01 -08:00
										 |  |  | 	struct user_namespace *ns = current_user_ns(); | 
					
						
							| 
									
										
											  
											
												CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management.  This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
	struct cred *new = prepare_creds();
	int ret = blah(new);
	if (ret < 0) {
		abort_creds(new);
		return ret;
	}
	return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const.  The purpose of this is compile-time
discouragement of altering credentials through those pointers.  Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
  (1) Its reference count may incremented and decremented.
  (2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
 (1) execve().
     This now prepares and commits credentials in various places in the
     security code rather than altering the current creds directly.
 (2) Temporary credential overrides.
     do_coredump() and sys_faccessat() now prepare their own credentials and
     temporarily override the ones currently on the acting thread, whilst
     preventing interference from other threads by holding cred_replace_mutex
     on the thread being dumped.
     This will be replaced in a future patch by something that hands down the
     credentials directly to the functions being called, rather than altering
     the task's objective credentials.
 (3) LSM interface.
     A number of functions have been changed, added or removed:
     (*) security_capset_check(), ->capset_check()
     (*) security_capset_set(), ->capset_set()
     	 Removed in favour of security_capset().
     (*) security_capset(), ->capset()
     	 New.  This is passed a pointer to the new creds, a pointer to the old
     	 creds and the proposed capability sets.  It should fill in the new
     	 creds or return an error.  All pointers, barring the pointer to the
     	 new creds, are now const.
     (*) security_bprm_apply_creds(), ->bprm_apply_creds()
     	 Changed; now returns a value, which will cause the process to be
     	 killed if it's an error.
     (*) security_task_alloc(), ->task_alloc_security()
     	 Removed in favour of security_prepare_creds().
     (*) security_cred_free(), ->cred_free()
     	 New.  Free security data attached to cred->security.
     (*) security_prepare_creds(), ->cred_prepare()
     	 New. Duplicate any security data attached to cred->security.
     (*) security_commit_creds(), ->cred_commit()
     	 New. Apply any security effects for the upcoming installation of new
     	 security by commit_creds().
     (*) security_task_post_setuid(), ->task_post_setuid()
     	 Removed in favour of security_task_fix_setuid().
     (*) security_task_fix_setuid(), ->task_fix_setuid()
     	 Fix up the proposed new credentials for setuid().  This is used by
     	 cap_set_fix_setuid() to implicitly adjust capabilities in line with
     	 setuid() changes.  Changes are made to the new credentials, rather
     	 than the task itself as in security_task_post_setuid().
     (*) security_task_reparent_to_init(), ->task_reparent_to_init()
     	 Removed.  Instead the task being reparented to init is referred
     	 directly to init's credentials.
	 NOTE!  This results in the loss of some state: SELinux's osid no
	 longer records the sid of the thread that forked it.
     (*) security_key_alloc(), ->key_alloc()
     (*) security_key_permission(), ->key_permission()
     	 Changed.  These now take cred pointers rather than task pointers to
     	 refer to the security context.
 (4) sys_capset().
     This has been simplified and uses less locking.  The LSM functions it
     calls have been merged.
 (5) reparent_to_kthreadd().
     This gives the current thread the same credentials as init by simply using
     commit_thread() to point that way.
 (6) __sigqueue_alloc() and switch_uid()
     __sigqueue_alloc() can't stop the target task from changing its creds
     beneath it, so this function gets a reference to the currently applicable
     user_struct which it then passes into the sigqueue struct it returns if
     successful.
     switch_uid() is now called from commit_creds(), and possibly should be
     folded into that.  commit_creds() should take care of protecting
     __sigqueue_alloc().
 (7) [sg]et[ug]id() and co and [sg]et_current_groups.
     The set functions now all use prepare_creds(), commit_creds() and
     abort_creds() to build and check a new set of credentials before applying
     it.
     security_task_set[ug]id() is called inside the prepared section.  This
     guarantees that nothing else will affect the creds until we've finished.
     The calling of set_dumpable() has been moved into commit_creds().
     Much of the functionality of set_user() has been moved into
     commit_creds().
     The get functions all simply access the data directly.
 (8) security_task_prctl() and cap_task_prctl().
     security_task_prctl() has been modified to return -ENOSYS if it doesn't
     want to handle a function, or otherwise return the return value directly
     rather than through an argument.
     Additionally, cap_task_prctl() now prepares a new set of credentials, even
     if it doesn't end up using it.
 (9) Keyrings.
     A number of changes have been made to the keyrings code:
     (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
     	 all been dropped and built in to the credentials functions directly.
     	 They may want separating out again later.
     (b) key_alloc() and search_process_keyrings() now take a cred pointer
     	 rather than a task pointer to specify the security context.
     (c) copy_creds() gives a new thread within the same thread group a new
     	 thread keyring if its parent had one, otherwise it discards the thread
     	 keyring.
     (d) The authorisation key now points directly to the credentials to extend
     	 the search into rather pointing to the task that carries them.
     (e) Installing thread, process or session keyrings causes a new set of
     	 credentials to be created, even though it's not strictly necessary for
     	 process or session keyrings (they're shared).
(10) Usermode helper.
     The usermode helper code now carries a cred struct pointer in its
     subprocess_info struct instead of a new session keyring pointer.  This set
     of credentials is derived from init_cred and installed on the new process
     after it has been cloned.
     call_usermodehelper_setup() allocates the new credentials and
     call_usermodehelper_freeinfo() discards them if they haven't been used.  A
     special cred function (prepare_usermodeinfo_creds()) is provided
     specifically for call_usermodehelper_setup() to call.
     call_usermodehelper_setkeys() adjusts the credentials to sport the
     supplied keyring as the new session keyring.
(11) SELinux.
     SELinux has a number of changes, in addition to those to support the LSM
     interface changes mentioned above:
     (a) selinux_setprocattr() no longer does its check for whether the
     	 current ptracer can access processes with the new SID inside the lock
     	 that covers getting the ptracer's SID.  Whilst this lock ensures that
     	 the check is done with the ptracer pinned, the result is only valid
     	 until the lock is released, so there's no point doing it inside the
     	 lock.
(12) is_single_threaded().
     This function has been extracted from selinux_setprocattr() and put into
     a file of its own in the lib/ directory as join_session_keyring() now
     wants to use it too.
     The code in SELinux just checked to see whether a task shared mm_structs
     with other tasks (CLONE_VM), but that isn't good enough.  We really want
     to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
     The NFS server daemon now has to use the COW credentials to set the
     credentials it is going to use.  It really needs to pass the credentials
     down to the functions it calls, but it can't do that until other patches
     in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
											
										 
											2008-11-14 10:39:23 +11:00
										 |  |  | 	const struct cred *old; | 
					
						
							|  |  |  | 	struct cred *new; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 	int retval; | 
					
						
							| 
									
										
										
											
												userns: Convert setting and getting uid and gid system calls to use kuid and kgid
Convert setregid, setgid, setreuid, setuid,
setresuid, getresuid, setresgid, getresgid, setfsuid, setfsgid,
getuid, geteuid, getgid, getegid,
waitpid, waitid, wait4.
Convert userspace uids and gids into kuids and kgids before
being placed on struct cred.  Convert struct cred kuids and
kgids into userspace uids and gids when returning them.
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
											
										 
											2012-02-07 18:51:01 -08:00
										 |  |  | 	kgid_t krgid, kegid, ksgid; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	krgid = make_kgid(ns, rgid); | 
					
						
							|  |  |  | 	kegid = make_kgid(ns, egid); | 
					
						
							|  |  |  | 	ksgid = make_kgid(ns, sgid); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	if ((rgid != (gid_t) -1) && !gid_valid(krgid)) | 
					
						
							|  |  |  | 		return -EINVAL; | 
					
						
							|  |  |  | 	if ((egid != (gid_t) -1) && !gid_valid(kegid)) | 
					
						
							|  |  |  | 		return -EINVAL; | 
					
						
							|  |  |  | 	if ((sgid != (gid_t) -1) && !gid_valid(ksgid)) | 
					
						
							|  |  |  | 		return -EINVAL; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 
 | 
					
						
							| 
									
										
											  
											
												CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management.  This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
	struct cred *new = prepare_creds();
	int ret = blah(new);
	if (ret < 0) {
		abort_creds(new);
		return ret;
	}
	return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const.  The purpose of this is compile-time
discouragement of altering credentials through those pointers.  Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
  (1) Its reference count may incremented and decremented.
  (2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
 (1) execve().
     This now prepares and commits credentials in various places in the
     security code rather than altering the current creds directly.
 (2) Temporary credential overrides.
     do_coredump() and sys_faccessat() now prepare their own credentials and
     temporarily override the ones currently on the acting thread, whilst
     preventing interference from other threads by holding cred_replace_mutex
     on the thread being dumped.
     This will be replaced in a future patch by something that hands down the
     credentials directly to the functions being called, rather than altering
     the task's objective credentials.
 (3) LSM interface.
     A number of functions have been changed, added or removed:
     (*) security_capset_check(), ->capset_check()
     (*) security_capset_set(), ->capset_set()
     	 Removed in favour of security_capset().
     (*) security_capset(), ->capset()
     	 New.  This is passed a pointer to the new creds, a pointer to the old
     	 creds and the proposed capability sets.  It should fill in the new
     	 creds or return an error.  All pointers, barring the pointer to the
     	 new creds, are now const.
     (*) security_bprm_apply_creds(), ->bprm_apply_creds()
     	 Changed; now returns a value, which will cause the process to be
     	 killed if it's an error.
     (*) security_task_alloc(), ->task_alloc_security()
     	 Removed in favour of security_prepare_creds().
     (*) security_cred_free(), ->cred_free()
     	 New.  Free security data attached to cred->security.
     (*) security_prepare_creds(), ->cred_prepare()
     	 New. Duplicate any security data attached to cred->security.
     (*) security_commit_creds(), ->cred_commit()
     	 New. Apply any security effects for the upcoming installation of new
     	 security by commit_creds().
     (*) security_task_post_setuid(), ->task_post_setuid()
     	 Removed in favour of security_task_fix_setuid().
     (*) security_task_fix_setuid(), ->task_fix_setuid()
     	 Fix up the proposed new credentials for setuid().  This is used by
     	 cap_set_fix_setuid() to implicitly adjust capabilities in line with
     	 setuid() changes.  Changes are made to the new credentials, rather
     	 than the task itself as in security_task_post_setuid().
     (*) security_task_reparent_to_init(), ->task_reparent_to_init()
     	 Removed.  Instead the task being reparented to init is referred
     	 directly to init's credentials.
	 NOTE!  This results in the loss of some state: SELinux's osid no
	 longer records the sid of the thread that forked it.
     (*) security_key_alloc(), ->key_alloc()
     (*) security_key_permission(), ->key_permission()
     	 Changed.  These now take cred pointers rather than task pointers to
     	 refer to the security context.
 (4) sys_capset().
     This has been simplified and uses less locking.  The LSM functions it
     calls have been merged.
 (5) reparent_to_kthreadd().
     This gives the current thread the same credentials as init by simply using
     commit_thread() to point that way.
 (6) __sigqueue_alloc() and switch_uid()
     __sigqueue_alloc() can't stop the target task from changing its creds
     beneath it, so this function gets a reference to the currently applicable
     user_struct which it then passes into the sigqueue struct it returns if
     successful.
     switch_uid() is now called from commit_creds(), and possibly should be
     folded into that.  commit_creds() should take care of protecting
     __sigqueue_alloc().
 (7) [sg]et[ug]id() and co and [sg]et_current_groups.
     The set functions now all use prepare_creds(), commit_creds() and
     abort_creds() to build and check a new set of credentials before applying
     it.
     security_task_set[ug]id() is called inside the prepared section.  This
     guarantees that nothing else will affect the creds until we've finished.
     The calling of set_dumpable() has been moved into commit_creds().
     Much of the functionality of set_user() has been moved into
     commit_creds().
     The get functions all simply access the data directly.
 (8) security_task_prctl() and cap_task_prctl().
     security_task_prctl() has been modified to return -ENOSYS if it doesn't
     want to handle a function, or otherwise return the return value directly
     rather than through an argument.
     Additionally, cap_task_prctl() now prepares a new set of credentials, even
     if it doesn't end up using it.
 (9) Keyrings.
     A number of changes have been made to the keyrings code:
     (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
     	 all been dropped and built in to the credentials functions directly.
     	 They may want separating out again later.
     (b) key_alloc() and search_process_keyrings() now take a cred pointer
     	 rather than a task pointer to specify the security context.
     (c) copy_creds() gives a new thread within the same thread group a new
     	 thread keyring if its parent had one, otherwise it discards the thread
     	 keyring.
     (d) The authorisation key now points directly to the credentials to extend
     	 the search into rather pointing to the task that carries them.
     (e) Installing thread, process or session keyrings causes a new set of
     	 credentials to be created, even though it's not strictly necessary for
     	 process or session keyrings (they're shared).
(10) Usermode helper.
     The usermode helper code now carries a cred struct pointer in its
     subprocess_info struct instead of a new session keyring pointer.  This set
     of credentials is derived from init_cred and installed on the new process
     after it has been cloned.
     call_usermodehelper_setup() allocates the new credentials and
     call_usermodehelper_freeinfo() discards them if they haven't been used.  A
     special cred function (prepare_usermodeinfo_creds()) is provided
     specifically for call_usermodehelper_setup() to call.
     call_usermodehelper_setkeys() adjusts the credentials to sport the
     supplied keyring as the new session keyring.
(11) SELinux.
     SELinux has a number of changes, in addition to those to support the LSM
     interface changes mentioned above:
     (a) selinux_setprocattr() no longer does its check for whether the
     	 current ptracer can access processes with the new SID inside the lock
     	 that covers getting the ptracer's SID.  Whilst this lock ensures that
     	 the check is done with the ptracer pinned, the result is only valid
     	 until the lock is released, so there's no point doing it inside the
     	 lock.
(12) is_single_threaded().
     This function has been extracted from selinux_setprocattr() and put into
     a file of its own in the lib/ directory as join_session_keyring() now
     wants to use it too.
     The code in SELinux just checked to see whether a task shared mm_structs
     with other tasks (CLONE_VM), but that isn't good enough.  We really want
     to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
     The NFS server daemon now has to use the COW credentials to set the
     credentials it is going to use.  It really needs to pass the credentials
     down to the functions it calls, but it can't do that until other patches
     in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
											
										 
											2008-11-14 10:39:23 +11:00
										 |  |  | 	new = prepare_creds(); | 
					
						
							|  |  |  | 	if (!new) | 
					
						
							|  |  |  | 		return -ENOMEM; | 
					
						
							|  |  |  | 	old = current_cred(); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	retval = -EPERM; | 
					
						
							| 
									
										
										
										
											2013-03-20 12:49:49 -07:00
										 |  |  | 	if (!ns_capable(old->user_ns, CAP_SETGID)) { | 
					
						
							| 
									
										
										
											
												userns: Convert setting and getting uid and gid system calls to use kuid and kgid
Convert setregid, setgid, setreuid, setuid,
setresuid, getresuid, setresgid, getresgid, setfsuid, setfsgid,
getuid, geteuid, getgid, getegid,
waitpid, waitid, wait4.
Convert userspace uids and gids into kuids and kgids before
being placed on struct cred.  Convert struct cred kuids and
kgids into userspace uids and gids when returning them.
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
											
										 
											2012-02-07 18:51:01 -08:00
										 |  |  | 		if (rgid != (gid_t) -1        && !gid_eq(krgid, old->gid) && | 
					
						
							|  |  |  | 		    !gid_eq(krgid, old->egid) && !gid_eq(krgid, old->sgid)) | 
					
						
							| 
									
										
											  
											
												CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management.  This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
	struct cred *new = prepare_creds();
	int ret = blah(new);
	if (ret < 0) {
		abort_creds(new);
		return ret;
	}
	return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const.  The purpose of this is compile-time
discouragement of altering credentials through those pointers.  Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
  (1) Its reference count may incremented and decremented.
  (2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
 (1) execve().
     This now prepares and commits credentials in various places in the
     security code rather than altering the current creds directly.
 (2) Temporary credential overrides.
     do_coredump() and sys_faccessat() now prepare their own credentials and
     temporarily override the ones currently on the acting thread, whilst
     preventing interference from other threads by holding cred_replace_mutex
     on the thread being dumped.
     This will be replaced in a future patch by something that hands down the
     credentials directly to the functions being called, rather than altering
     the task's objective credentials.
 (3) LSM interface.
     A number of functions have been changed, added or removed:
     (*) security_capset_check(), ->capset_check()
     (*) security_capset_set(), ->capset_set()
     	 Removed in favour of security_capset().
     (*) security_capset(), ->capset()
     	 New.  This is passed a pointer to the new creds, a pointer to the old
     	 creds and the proposed capability sets.  It should fill in the new
     	 creds or return an error.  All pointers, barring the pointer to the
     	 new creds, are now const.
     (*) security_bprm_apply_creds(), ->bprm_apply_creds()
     	 Changed; now returns a value, which will cause the process to be
     	 killed if it's an error.
     (*) security_task_alloc(), ->task_alloc_security()
     	 Removed in favour of security_prepare_creds().
     (*) security_cred_free(), ->cred_free()
     	 New.  Free security data attached to cred->security.
     (*) security_prepare_creds(), ->cred_prepare()
     	 New. Duplicate any security data attached to cred->security.
     (*) security_commit_creds(), ->cred_commit()
     	 New. Apply any security effects for the upcoming installation of new
     	 security by commit_creds().
     (*) security_task_post_setuid(), ->task_post_setuid()
     	 Removed in favour of security_task_fix_setuid().
     (*) security_task_fix_setuid(), ->task_fix_setuid()
     	 Fix up the proposed new credentials for setuid().  This is used by
     	 cap_set_fix_setuid() to implicitly adjust capabilities in line with
     	 setuid() changes.  Changes are made to the new credentials, rather
     	 than the task itself as in security_task_post_setuid().
     (*) security_task_reparent_to_init(), ->task_reparent_to_init()
     	 Removed.  Instead the task being reparented to init is referred
     	 directly to init's credentials.
	 NOTE!  This results in the loss of some state: SELinux's osid no
	 longer records the sid of the thread that forked it.
     (*) security_key_alloc(), ->key_alloc()
     (*) security_key_permission(), ->key_permission()
     	 Changed.  These now take cred pointers rather than task pointers to
     	 refer to the security context.
 (4) sys_capset().
     This has been simplified and uses less locking.  The LSM functions it
     calls have been merged.
 (5) reparent_to_kthreadd().
     This gives the current thread the same credentials as init by simply using
     commit_thread() to point that way.
 (6) __sigqueue_alloc() and switch_uid()
     __sigqueue_alloc() can't stop the target task from changing its creds
     beneath it, so this function gets a reference to the currently applicable
     user_struct which it then passes into the sigqueue struct it returns if
     successful.
     switch_uid() is now called from commit_creds(), and possibly should be
     folded into that.  commit_creds() should take care of protecting
     __sigqueue_alloc().
 (7) [sg]et[ug]id() and co and [sg]et_current_groups.
     The set functions now all use prepare_creds(), commit_creds() and
     abort_creds() to build and check a new set of credentials before applying
     it.
     security_task_set[ug]id() is called inside the prepared section.  This
     guarantees that nothing else will affect the creds until we've finished.
     The calling of set_dumpable() has been moved into commit_creds().
     Much of the functionality of set_user() has been moved into
     commit_creds().
     The get functions all simply access the data directly.
 (8) security_task_prctl() and cap_task_prctl().
     security_task_prctl() has been modified to return -ENOSYS if it doesn't
     want to handle a function, or otherwise return the return value directly
     rather than through an argument.
     Additionally, cap_task_prctl() now prepares a new set of credentials, even
     if it doesn't end up using it.
 (9) Keyrings.
     A number of changes have been made to the keyrings code:
     (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
     	 all been dropped and built in to the credentials functions directly.
     	 They may want separating out again later.
     (b) key_alloc() and search_process_keyrings() now take a cred pointer
     	 rather than a task pointer to specify the security context.
     (c) copy_creds() gives a new thread within the same thread group a new
     	 thread keyring if its parent had one, otherwise it discards the thread
     	 keyring.
     (d) The authorisation key now points directly to the credentials to extend
     	 the search into rather pointing to the task that carries them.
     (e) Installing thread, process or session keyrings causes a new set of
     	 credentials to be created, even though it's not strictly necessary for
     	 process or session keyrings (they're shared).
(10) Usermode helper.
     The usermode helper code now carries a cred struct pointer in its
     subprocess_info struct instead of a new session keyring pointer.  This set
     of credentials is derived from init_cred and installed on the new process
     after it has been cloned.
     call_usermodehelper_setup() allocates the new credentials and
     call_usermodehelper_freeinfo() discards them if they haven't been used.  A
     special cred function (prepare_usermodeinfo_creds()) is provided
     specifically for call_usermodehelper_setup() to call.
     call_usermodehelper_setkeys() adjusts the credentials to sport the
     supplied keyring as the new session keyring.
(11) SELinux.
     SELinux has a number of changes, in addition to those to support the LSM
     interface changes mentioned above:
     (a) selinux_setprocattr() no longer does its check for whether the
     	 current ptracer can access processes with the new SID inside the lock
     	 that covers getting the ptracer's SID.  Whilst this lock ensures that
     	 the check is done with the ptracer pinned, the result is only valid
     	 until the lock is released, so there's no point doing it inside the
     	 lock.
(12) is_single_threaded().
     This function has been extracted from selinux_setprocattr() and put into
     a file of its own in the lib/ directory as join_session_keyring() now
     wants to use it too.
     The code in SELinux just checked to see whether a task shared mm_structs
     with other tasks (CLONE_VM), but that isn't good enough.  We really want
     to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
     The NFS server daemon now has to use the COW credentials to set the
     credentials it is going to use.  It really needs to pass the credentials
     down to the functions it calls, but it can't do that until other patches
     in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
											
										 
											2008-11-14 10:39:23 +11:00
										 |  |  | 			goto error; | 
					
						
							| 
									
										
										
											
												userns: Convert setting and getting uid and gid system calls to use kuid and kgid
Convert setregid, setgid, setreuid, setuid,
setresuid, getresuid, setresgid, getresgid, setfsuid, setfsgid,
getuid, geteuid, getgid, getegid,
waitpid, waitid, wait4.
Convert userspace uids and gids into kuids and kgids before
being placed on struct cred.  Convert struct cred kuids and
kgids into userspace uids and gids when returning them.
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
											
										 
											2012-02-07 18:51:01 -08:00
										 |  |  | 		if (egid != (gid_t) -1        && !gid_eq(kegid, old->gid) && | 
					
						
							|  |  |  | 		    !gid_eq(kegid, old->egid) && !gid_eq(kegid, old->sgid)) | 
					
						
							| 
									
										
											  
											
												CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management.  This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
	struct cred *new = prepare_creds();
	int ret = blah(new);
	if (ret < 0) {
		abort_creds(new);
		return ret;
	}
	return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const.  The purpose of this is compile-time
discouragement of altering credentials through those pointers.  Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
  (1) Its reference count may incremented and decremented.
  (2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
 (1) execve().
     This now prepares and commits credentials in various places in the
     security code rather than altering the current creds directly.
 (2) Temporary credential overrides.
     do_coredump() and sys_faccessat() now prepare their own credentials and
     temporarily override the ones currently on the acting thread, whilst
     preventing interference from other threads by holding cred_replace_mutex
     on the thread being dumped.
     This will be replaced in a future patch by something that hands down the
     credentials directly to the functions being called, rather than altering
     the task's objective credentials.
 (3) LSM interface.
     A number of functions have been changed, added or removed:
     (*) security_capset_check(), ->capset_check()
     (*) security_capset_set(), ->capset_set()
     	 Removed in favour of security_capset().
     (*) security_capset(), ->capset()
     	 New.  This is passed a pointer to the new creds, a pointer to the old
     	 creds and the proposed capability sets.  It should fill in the new
     	 creds or return an error.  All pointers, barring the pointer to the
     	 new creds, are now const.
     (*) security_bprm_apply_creds(), ->bprm_apply_creds()
     	 Changed; now returns a value, which will cause the process to be
     	 killed if it's an error.
     (*) security_task_alloc(), ->task_alloc_security()
     	 Removed in favour of security_prepare_creds().
     (*) security_cred_free(), ->cred_free()
     	 New.  Free security data attached to cred->security.
     (*) security_prepare_creds(), ->cred_prepare()
     	 New. Duplicate any security data attached to cred->security.
     (*) security_commit_creds(), ->cred_commit()
     	 New. Apply any security effects for the upcoming installation of new
     	 security by commit_creds().
     (*) security_task_post_setuid(), ->task_post_setuid()
     	 Removed in favour of security_task_fix_setuid().
     (*) security_task_fix_setuid(), ->task_fix_setuid()
     	 Fix up the proposed new credentials for setuid().  This is used by
     	 cap_set_fix_setuid() to implicitly adjust capabilities in line with
     	 setuid() changes.  Changes are made to the new credentials, rather
     	 than the task itself as in security_task_post_setuid().
     (*) security_task_reparent_to_init(), ->task_reparent_to_init()
     	 Removed.  Instead the task being reparented to init is referred
     	 directly to init's credentials.
	 NOTE!  This results in the loss of some state: SELinux's osid no
	 longer records the sid of the thread that forked it.
     (*) security_key_alloc(), ->key_alloc()
     (*) security_key_permission(), ->key_permission()
     	 Changed.  These now take cred pointers rather than task pointers to
     	 refer to the security context.
 (4) sys_capset().
     This has been simplified and uses less locking.  The LSM functions it
     calls have been merged.
 (5) reparent_to_kthreadd().
     This gives the current thread the same credentials as init by simply using
     commit_thread() to point that way.
 (6) __sigqueue_alloc() and switch_uid()
     __sigqueue_alloc() can't stop the target task from changing its creds
     beneath it, so this function gets a reference to the currently applicable
     user_struct which it then passes into the sigqueue struct it returns if
     successful.
     switch_uid() is now called from commit_creds(), and possibly should be
     folded into that.  commit_creds() should take care of protecting
     __sigqueue_alloc().
 (7) [sg]et[ug]id() and co and [sg]et_current_groups.
     The set functions now all use prepare_creds(), commit_creds() and
     abort_creds() to build and check a new set of credentials before applying
     it.
     security_task_set[ug]id() is called inside the prepared section.  This
     guarantees that nothing else will affect the creds until we've finished.
     The calling of set_dumpable() has been moved into commit_creds().
     Much of the functionality of set_user() has been moved into
     commit_creds().
     The get functions all simply access the data directly.
 (8) security_task_prctl() and cap_task_prctl().
     security_task_prctl() has been modified to return -ENOSYS if it doesn't
     want to handle a function, or otherwise return the return value directly
     rather than through an argument.
     Additionally, cap_task_prctl() now prepares a new set of credentials, even
     if it doesn't end up using it.
 (9) Keyrings.
     A number of changes have been made to the keyrings code:
     (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
     	 all been dropped and built in to the credentials functions directly.
     	 They may want separating out again later.
     (b) key_alloc() and search_process_keyrings() now take a cred pointer
     	 rather than a task pointer to specify the security context.
     (c) copy_creds() gives a new thread within the same thread group a new
     	 thread keyring if its parent had one, otherwise it discards the thread
     	 keyring.
     (d) The authorisation key now points directly to the credentials to extend
     	 the search into rather pointing to the task that carries them.
     (e) Installing thread, process or session keyrings causes a new set of
     	 credentials to be created, even though it's not strictly necessary for
     	 process or session keyrings (they're shared).
(10) Usermode helper.
     The usermode helper code now carries a cred struct pointer in its
     subprocess_info struct instead of a new session keyring pointer.  This set
     of credentials is derived from init_cred and installed on the new process
     after it has been cloned.
     call_usermodehelper_setup() allocates the new credentials and
     call_usermodehelper_freeinfo() discards them if they haven't been used.  A
     special cred function (prepare_usermodeinfo_creds()) is provided
     specifically for call_usermodehelper_setup() to call.
     call_usermodehelper_setkeys() adjusts the credentials to sport the
     supplied keyring as the new session keyring.
(11) SELinux.
     SELinux has a number of changes, in addition to those to support the LSM
     interface changes mentioned above:
     (a) selinux_setprocattr() no longer does its check for whether the
     	 current ptracer can access processes with the new SID inside the lock
     	 that covers getting the ptracer's SID.  Whilst this lock ensures that
     	 the check is done with the ptracer pinned, the result is only valid
     	 until the lock is released, so there's no point doing it inside the
     	 lock.
(12) is_single_threaded().
     This function has been extracted from selinux_setprocattr() and put into
     a file of its own in the lib/ directory as join_session_keyring() now
     wants to use it too.
     The code in SELinux just checked to see whether a task shared mm_structs
     with other tasks (CLONE_VM), but that isn't good enough.  We really want
     to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
     The NFS server daemon now has to use the COW credentials to set the
     credentials it is going to use.  It really needs to pass the credentials
     down to the functions it calls, but it can't do that until other patches
     in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
											
										 
											2008-11-14 10:39:23 +11:00
										 |  |  | 			goto error; | 
					
						
							| 
									
										
										
											
												userns: Convert setting and getting uid and gid system calls to use kuid and kgid
Convert setregid, setgid, setreuid, setuid,
setresuid, getresuid, setresgid, getresgid, setfsuid, setfsgid,
getuid, geteuid, getgid, getegid,
waitpid, waitid, wait4.
Convert userspace uids and gids into kuids and kgids before
being placed on struct cred.  Convert struct cred kuids and
kgids into userspace uids and gids when returning them.
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
											
										 
											2012-02-07 18:51:01 -08:00
										 |  |  | 		if (sgid != (gid_t) -1        && !gid_eq(ksgid, old->gid) && | 
					
						
							|  |  |  | 		    !gid_eq(ksgid, old->egid) && !gid_eq(ksgid, old->sgid)) | 
					
						
							| 
									
										
											  
											
												CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management.  This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
	struct cred *new = prepare_creds();
	int ret = blah(new);
	if (ret < 0) {
		abort_creds(new);
		return ret;
	}
	return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const.  The purpose of this is compile-time
discouragement of altering credentials through those pointers.  Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
  (1) Its reference count may incremented and decremented.
  (2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
 (1) execve().
     This now prepares and commits credentials in various places in the
     security code rather than altering the current creds directly.
 (2) Temporary credential overrides.
     do_coredump() and sys_faccessat() now prepare their own credentials and
     temporarily override the ones currently on the acting thread, whilst
     preventing interference from other threads by holding cred_replace_mutex
     on the thread being dumped.
     This will be replaced in a future patch by something that hands down the
     credentials directly to the functions being called, rather than altering
     the task's objective credentials.
 (3) LSM interface.
     A number of functions have been changed, added or removed:
     (*) security_capset_check(), ->capset_check()
     (*) security_capset_set(), ->capset_set()
     	 Removed in favour of security_capset().
     (*) security_capset(), ->capset()
     	 New.  This is passed a pointer to the new creds, a pointer to the old
     	 creds and the proposed capability sets.  It should fill in the new
     	 creds or return an error.  All pointers, barring the pointer to the
     	 new creds, are now const.
     (*) security_bprm_apply_creds(), ->bprm_apply_creds()
     	 Changed; now returns a value, which will cause the process to be
     	 killed if it's an error.
     (*) security_task_alloc(), ->task_alloc_security()
     	 Removed in favour of security_prepare_creds().
     (*) security_cred_free(), ->cred_free()
     	 New.  Free security data attached to cred->security.
     (*) security_prepare_creds(), ->cred_prepare()
     	 New. Duplicate any security data attached to cred->security.
     (*) security_commit_creds(), ->cred_commit()
     	 New. Apply any security effects for the upcoming installation of new
     	 security by commit_creds().
     (*) security_task_post_setuid(), ->task_post_setuid()
     	 Removed in favour of security_task_fix_setuid().
     (*) security_task_fix_setuid(), ->task_fix_setuid()
     	 Fix up the proposed new credentials for setuid().  This is used by
     	 cap_set_fix_setuid() to implicitly adjust capabilities in line with
     	 setuid() changes.  Changes are made to the new credentials, rather
     	 than the task itself as in security_task_post_setuid().
     (*) security_task_reparent_to_init(), ->task_reparent_to_init()
     	 Removed.  Instead the task being reparented to init is referred
     	 directly to init's credentials.
	 NOTE!  This results in the loss of some state: SELinux's osid no
	 longer records the sid of the thread that forked it.
     (*) security_key_alloc(), ->key_alloc()
     (*) security_key_permission(), ->key_permission()
     	 Changed.  These now take cred pointers rather than task pointers to
     	 refer to the security context.
 (4) sys_capset().
     This has been simplified and uses less locking.  The LSM functions it
     calls have been merged.
 (5) reparent_to_kthreadd().
     This gives the current thread the same credentials as init by simply using
     commit_thread() to point that way.
 (6) __sigqueue_alloc() and switch_uid()
     __sigqueue_alloc() can't stop the target task from changing its creds
     beneath it, so this function gets a reference to the currently applicable
     user_struct which it then passes into the sigqueue struct it returns if
     successful.
     switch_uid() is now called from commit_creds(), and possibly should be
     folded into that.  commit_creds() should take care of protecting
     __sigqueue_alloc().
 (7) [sg]et[ug]id() and co and [sg]et_current_groups.
     The set functions now all use prepare_creds(), commit_creds() and
     abort_creds() to build and check a new set of credentials before applying
     it.
     security_task_set[ug]id() is called inside the prepared section.  This
     guarantees that nothing else will affect the creds until we've finished.
     The calling of set_dumpable() has been moved into commit_creds().
     Much of the functionality of set_user() has been moved into
     commit_creds().
     The get functions all simply access the data directly.
 (8) security_task_prctl() and cap_task_prctl().
     security_task_prctl() has been modified to return -ENOSYS if it doesn't
     want to handle a function, or otherwise return the return value directly
     rather than through an argument.
     Additionally, cap_task_prctl() now prepares a new set of credentials, even
     if it doesn't end up using it.
 (9) Keyrings.
     A number of changes have been made to the keyrings code:
     (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
     	 all been dropped and built in to the credentials functions directly.
     	 They may want separating out again later.
     (b) key_alloc() and search_process_keyrings() now take a cred pointer
     	 rather than a task pointer to specify the security context.
     (c) copy_creds() gives a new thread within the same thread group a new
     	 thread keyring if its parent had one, otherwise it discards the thread
     	 keyring.
     (d) The authorisation key now points directly to the credentials to extend
     	 the search into rather pointing to the task that carries them.
     (e) Installing thread, process or session keyrings causes a new set of
     	 credentials to be created, even though it's not strictly necessary for
     	 process or session keyrings (they're shared).
(10) Usermode helper.
     The usermode helper code now carries a cred struct pointer in its
     subprocess_info struct instead of a new session keyring pointer.  This set
     of credentials is derived from init_cred and installed on the new process
     after it has been cloned.
     call_usermodehelper_setup() allocates the new credentials and
     call_usermodehelper_freeinfo() discards them if they haven't been used.  A
     special cred function (prepare_usermodeinfo_creds()) is provided
     specifically for call_usermodehelper_setup() to call.
     call_usermodehelper_setkeys() adjusts the credentials to sport the
     supplied keyring as the new session keyring.
(11) SELinux.
     SELinux has a number of changes, in addition to those to support the LSM
     interface changes mentioned above:
     (a) selinux_setprocattr() no longer does its check for whether the
     	 current ptracer can access processes with the new SID inside the lock
     	 that covers getting the ptracer's SID.  Whilst this lock ensures that
     	 the check is done with the ptracer pinned, the result is only valid
     	 until the lock is released, so there's no point doing it inside the
     	 lock.
(12) is_single_threaded().
     This function has been extracted from selinux_setprocattr() and put into
     a file of its own in the lib/ directory as join_session_keyring() now
     wants to use it too.
     The code in SELinux just checked to see whether a task shared mm_structs
     with other tasks (CLONE_VM), but that isn't good enough.  We really want
     to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
     The NFS server daemon now has to use the COW credentials to set the
     credentials it is going to use.  It really needs to pass the credentials
     down to the functions it calls, but it can't do that until other patches
     in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
											
										 
											2008-11-14 10:39:23 +11:00
										 |  |  | 			goto error; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 	} | 
					
						
							| 
									
										
											  
											
												CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management.  This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
	struct cred *new = prepare_creds();
	int ret = blah(new);
	if (ret < 0) {
		abort_creds(new);
		return ret;
	}
	return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const.  The purpose of this is compile-time
discouragement of altering credentials through those pointers.  Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
  (1) Its reference count may incremented and decremented.
  (2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
 (1) execve().
     This now prepares and commits credentials in various places in the
     security code rather than altering the current creds directly.
 (2) Temporary credential overrides.
     do_coredump() and sys_faccessat() now prepare their own credentials and
     temporarily override the ones currently on the acting thread, whilst
     preventing interference from other threads by holding cred_replace_mutex
     on the thread being dumped.
     This will be replaced in a future patch by something that hands down the
     credentials directly to the functions being called, rather than altering
     the task's objective credentials.
 (3) LSM interface.
     A number of functions have been changed, added or removed:
     (*) security_capset_check(), ->capset_check()
     (*) security_capset_set(), ->capset_set()
     	 Removed in favour of security_capset().
     (*) security_capset(), ->capset()
     	 New.  This is passed a pointer to the new creds, a pointer to the old
     	 creds and the proposed capability sets.  It should fill in the new
     	 creds or return an error.  All pointers, barring the pointer to the
     	 new creds, are now const.
     (*) security_bprm_apply_creds(), ->bprm_apply_creds()
     	 Changed; now returns a value, which will cause the process to be
     	 killed if it's an error.
     (*) security_task_alloc(), ->task_alloc_security()
     	 Removed in favour of security_prepare_creds().
     (*) security_cred_free(), ->cred_free()
     	 New.  Free security data attached to cred->security.
     (*) security_prepare_creds(), ->cred_prepare()
     	 New. Duplicate any security data attached to cred->security.
     (*) security_commit_creds(), ->cred_commit()
     	 New. Apply any security effects for the upcoming installation of new
     	 security by commit_creds().
     (*) security_task_post_setuid(), ->task_post_setuid()
     	 Removed in favour of security_task_fix_setuid().
     (*) security_task_fix_setuid(), ->task_fix_setuid()
     	 Fix up the proposed new credentials for setuid().  This is used by
     	 cap_set_fix_setuid() to implicitly adjust capabilities in line with
     	 setuid() changes.  Changes are made to the new credentials, rather
     	 than the task itself as in security_task_post_setuid().
     (*) security_task_reparent_to_init(), ->task_reparent_to_init()
     	 Removed.  Instead the task being reparented to init is referred
     	 directly to init's credentials.
	 NOTE!  This results in the loss of some state: SELinux's osid no
	 longer records the sid of the thread that forked it.
     (*) security_key_alloc(), ->key_alloc()
     (*) security_key_permission(), ->key_permission()
     	 Changed.  These now take cred pointers rather than task pointers to
     	 refer to the security context.
 (4) sys_capset().
     This has been simplified and uses less locking.  The LSM functions it
     calls have been merged.
 (5) reparent_to_kthreadd().
     This gives the current thread the same credentials as init by simply using
     commit_thread() to point that way.
 (6) __sigqueue_alloc() and switch_uid()
     __sigqueue_alloc() can't stop the target task from changing its creds
     beneath it, so this function gets a reference to the currently applicable
     user_struct which it then passes into the sigqueue struct it returns if
     successful.
     switch_uid() is now called from commit_creds(), and possibly should be
     folded into that.  commit_creds() should take care of protecting
     __sigqueue_alloc().
 (7) [sg]et[ug]id() and co and [sg]et_current_groups.
     The set functions now all use prepare_creds(), commit_creds() and
     abort_creds() to build and check a new set of credentials before applying
     it.
     security_task_set[ug]id() is called inside the prepared section.  This
     guarantees that nothing else will affect the creds until we've finished.
     The calling of set_dumpable() has been moved into commit_creds().
     Much of the functionality of set_user() has been moved into
     commit_creds().
     The get functions all simply access the data directly.
 (8) security_task_prctl() and cap_task_prctl().
     security_task_prctl() has been modified to return -ENOSYS if it doesn't
     want to handle a function, or otherwise return the return value directly
     rather than through an argument.
     Additionally, cap_task_prctl() now prepares a new set of credentials, even
     if it doesn't end up using it.
 (9) Keyrings.
     A number of changes have been made to the keyrings code:
     (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
     	 all been dropped and built in to the credentials functions directly.
     	 They may want separating out again later.
     (b) key_alloc() and search_process_keyrings() now take a cred pointer
     	 rather than a task pointer to specify the security context.
     (c) copy_creds() gives a new thread within the same thread group a new
     	 thread keyring if its parent had one, otherwise it discards the thread
     	 keyring.
     (d) The authorisation key now points directly to the credentials to extend
     	 the search into rather pointing to the task that carries them.
     (e) Installing thread, process or session keyrings causes a new set of
     	 credentials to be created, even though it's not strictly necessary for
     	 process or session keyrings (they're shared).
(10) Usermode helper.
     The usermode helper code now carries a cred struct pointer in its
     subprocess_info struct instead of a new session keyring pointer.  This set
     of credentials is derived from init_cred and installed on the new process
     after it has been cloned.
     call_usermodehelper_setup() allocates the new credentials and
     call_usermodehelper_freeinfo() discards them if they haven't been used.  A
     special cred function (prepare_usermodeinfo_creds()) is provided
     specifically for call_usermodehelper_setup() to call.
     call_usermodehelper_setkeys() adjusts the credentials to sport the
     supplied keyring as the new session keyring.
(11) SELinux.
     SELinux has a number of changes, in addition to those to support the LSM
     interface changes mentioned above:
     (a) selinux_setprocattr() no longer does its check for whether the
     	 current ptracer can access processes with the new SID inside the lock
     	 that covers getting the ptracer's SID.  Whilst this lock ensures that
     	 the check is done with the ptracer pinned, the result is only valid
     	 until the lock is released, so there's no point doing it inside the
     	 lock.
(12) is_single_threaded().
     This function has been extracted from selinux_setprocattr() and put into
     a file of its own in the lib/ directory as join_session_keyring() now
     wants to use it too.
     The code in SELinux just checked to see whether a task shared mm_structs
     with other tasks (CLONE_VM), but that isn't good enough.  We really want
     to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
     The NFS server daemon now has to use the COW credentials to set the
     credentials it is going to use.  It really needs to pass the credentials
     down to the functions it calls, but it can't do that until other patches
     in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
											
										 
											2008-11-14 10:39:23 +11:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 	if (rgid != (gid_t) -1) | 
					
						
							| 
									
										
										
											
												userns: Convert setting and getting uid and gid system calls to use kuid and kgid
Convert setregid, setgid, setreuid, setuid,
setresuid, getresuid, setresgid, getresgid, setfsuid, setfsgid,
getuid, geteuid, getgid, getegid,
waitpid, waitid, wait4.
Convert userspace uids and gids into kuids and kgids before
being placed on struct cred.  Convert struct cred kuids and
kgids into userspace uids and gids when returning them.
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
											
										 
											2012-02-07 18:51:01 -08:00
										 |  |  | 		new->gid = krgid; | 
					
						
							| 
									
										
											  
											
												CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management.  This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
	struct cred *new = prepare_creds();
	int ret = blah(new);
	if (ret < 0) {
		abort_creds(new);
		return ret;
	}
	return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const.  The purpose of this is compile-time
discouragement of altering credentials through those pointers.  Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
  (1) Its reference count may incremented and decremented.
  (2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
 (1) execve().
     This now prepares and commits credentials in various places in the
     security code rather than altering the current creds directly.
 (2) Temporary credential overrides.
     do_coredump() and sys_faccessat() now prepare their own credentials and
     temporarily override the ones currently on the acting thread, whilst
     preventing interference from other threads by holding cred_replace_mutex
     on the thread being dumped.
     This will be replaced in a future patch by something that hands down the
     credentials directly to the functions being called, rather than altering
     the task's objective credentials.
 (3) LSM interface.
     A number of functions have been changed, added or removed:
     (*) security_capset_check(), ->capset_check()
     (*) security_capset_set(), ->capset_set()
     	 Removed in favour of security_capset().
     (*) security_capset(), ->capset()
     	 New.  This is passed a pointer to the new creds, a pointer to the old
     	 creds and the proposed capability sets.  It should fill in the new
     	 creds or return an error.  All pointers, barring the pointer to the
     	 new creds, are now const.
     (*) security_bprm_apply_creds(), ->bprm_apply_creds()
     	 Changed; now returns a value, which will cause the process to be
     	 killed if it's an error.
     (*) security_task_alloc(), ->task_alloc_security()
     	 Removed in favour of security_prepare_creds().
     (*) security_cred_free(), ->cred_free()
     	 New.  Free security data attached to cred->security.
     (*) security_prepare_creds(), ->cred_prepare()
     	 New. Duplicate any security data attached to cred->security.
     (*) security_commit_creds(), ->cred_commit()
     	 New. Apply any security effects for the upcoming installation of new
     	 security by commit_creds().
     (*) security_task_post_setuid(), ->task_post_setuid()
     	 Removed in favour of security_task_fix_setuid().
     (*) security_task_fix_setuid(), ->task_fix_setuid()
     	 Fix up the proposed new credentials for setuid().  This is used by
     	 cap_set_fix_setuid() to implicitly adjust capabilities in line with
     	 setuid() changes.  Changes are made to the new credentials, rather
     	 than the task itself as in security_task_post_setuid().
     (*) security_task_reparent_to_init(), ->task_reparent_to_init()
     	 Removed.  Instead the task being reparented to init is referred
     	 directly to init's credentials.
	 NOTE!  This results in the loss of some state: SELinux's osid no
	 longer records the sid of the thread that forked it.
     (*) security_key_alloc(), ->key_alloc()
     (*) security_key_permission(), ->key_permission()
     	 Changed.  These now take cred pointers rather than task pointers to
     	 refer to the security context.
 (4) sys_capset().
     This has been simplified and uses less locking.  The LSM functions it
     calls have been merged.
 (5) reparent_to_kthreadd().
     This gives the current thread the same credentials as init by simply using
     commit_thread() to point that way.
 (6) __sigqueue_alloc() and switch_uid()
     __sigqueue_alloc() can't stop the target task from changing its creds
     beneath it, so this function gets a reference to the currently applicable
     user_struct which it then passes into the sigqueue struct it returns if
     successful.
     switch_uid() is now called from commit_creds(), and possibly should be
     folded into that.  commit_creds() should take care of protecting
     __sigqueue_alloc().
 (7) [sg]et[ug]id() and co and [sg]et_current_groups.
     The set functions now all use prepare_creds(), commit_creds() and
     abort_creds() to build and check a new set of credentials before applying
     it.
     security_task_set[ug]id() is called inside the prepared section.  This
     guarantees that nothing else will affect the creds until we've finished.
     The calling of set_dumpable() has been moved into commit_creds().
     Much of the functionality of set_user() has been moved into
     commit_creds().
     The get functions all simply access the data directly.
 (8) security_task_prctl() and cap_task_prctl().
     security_task_prctl() has been modified to return -ENOSYS if it doesn't
     want to handle a function, or otherwise return the return value directly
     rather than through an argument.
     Additionally, cap_task_prctl() now prepares a new set of credentials, even
     if it doesn't end up using it.
 (9) Keyrings.
     A number of changes have been made to the keyrings code:
     (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
     	 all been dropped and built in to the credentials functions directly.
     	 They may want separating out again later.
     (b) key_alloc() and search_process_keyrings() now take a cred pointer
     	 rather than a task pointer to specify the security context.
     (c) copy_creds() gives a new thread within the same thread group a new
     	 thread keyring if its parent had one, otherwise it discards the thread
     	 keyring.
     (d) The authorisation key now points directly to the credentials to extend
     	 the search into rather pointing to the task that carries them.
     (e) Installing thread, process or session keyrings causes a new set of
     	 credentials to be created, even though it's not strictly necessary for
     	 process or session keyrings (they're shared).
(10) Usermode helper.
     The usermode helper code now carries a cred struct pointer in its
     subprocess_info struct instead of a new session keyring pointer.  This set
     of credentials is derived from init_cred and installed on the new process
     after it has been cloned.
     call_usermodehelper_setup() allocates the new credentials and
     call_usermodehelper_freeinfo() discards them if they haven't been used.  A
     special cred function (prepare_usermodeinfo_creds()) is provided
     specifically for call_usermodehelper_setup() to call.
     call_usermodehelper_setkeys() adjusts the credentials to sport the
     supplied keyring as the new session keyring.
(11) SELinux.
     SELinux has a number of changes, in addition to those to support the LSM
     interface changes mentioned above:
     (a) selinux_setprocattr() no longer does its check for whether the
     	 current ptracer can access processes with the new SID inside the lock
     	 that covers getting the ptracer's SID.  Whilst this lock ensures that
     	 the check is done with the ptracer pinned, the result is only valid
     	 until the lock is released, so there's no point doing it inside the
     	 lock.
(12) is_single_threaded().
     This function has been extracted from selinux_setprocattr() and put into
     a file of its own in the lib/ directory as join_session_keyring() now
     wants to use it too.
     The code in SELinux just checked to see whether a task shared mm_structs
     with other tasks (CLONE_VM), but that isn't good enough.  We really want
     to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
     The NFS server daemon now has to use the COW credentials to set the
     credentials it is going to use.  It really needs to pass the credentials
     down to the functions it calls, but it can't do that until other patches
     in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
											
										 
											2008-11-14 10:39:23 +11:00
										 |  |  | 	if (egid != (gid_t) -1) | 
					
						
							| 
									
										
										
											
												userns: Convert setting and getting uid and gid system calls to use kuid and kgid
Convert setregid, setgid, setreuid, setuid,
setresuid, getresuid, setresgid, getresgid, setfsuid, setfsgid,
getuid, geteuid, getgid, getegid,
waitpid, waitid, wait4.
Convert userspace uids and gids into kuids and kgids before
being placed on struct cred.  Convert struct cred kuids and
kgids into userspace uids and gids when returning them.
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
											
										 
											2012-02-07 18:51:01 -08:00
										 |  |  | 		new->egid = kegid; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 	if (sgid != (gid_t) -1) | 
					
						
							| 
									
										
										
											
												userns: Convert setting and getting uid and gid system calls to use kuid and kgid
Convert setregid, setgid, setreuid, setuid,
setresuid, getresuid, setresgid, getresgid, setfsuid, setfsgid,
getuid, geteuid, getgid, getegid,
waitpid, waitid, wait4.
Convert userspace uids and gids into kuids and kgids before
being placed on struct cred.  Convert struct cred kuids and
kgids into userspace uids and gids when returning them.
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
											
										 
											2012-02-07 18:51:01 -08:00
										 |  |  | 		new->sgid = ksgid; | 
					
						
							| 
									
										
											  
											
												CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management.  This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
	struct cred *new = prepare_creds();
	int ret = blah(new);
	if (ret < 0) {
		abort_creds(new);
		return ret;
	}
	return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const.  The purpose of this is compile-time
discouragement of altering credentials through those pointers.  Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
  (1) Its reference count may incremented and decremented.
  (2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
 (1) execve().
     This now prepares and commits credentials in various places in the
     security code rather than altering the current creds directly.
 (2) Temporary credential overrides.
     do_coredump() and sys_faccessat() now prepare their own credentials and
     temporarily override the ones currently on the acting thread, whilst
     preventing interference from other threads by holding cred_replace_mutex
     on the thread being dumped.
     This will be replaced in a future patch by something that hands down the
     credentials directly to the functions being called, rather than altering
     the task's objective credentials.
 (3) LSM interface.
     A number of functions have been changed, added or removed:
     (*) security_capset_check(), ->capset_check()
     (*) security_capset_set(), ->capset_set()
     	 Removed in favour of security_capset().
     (*) security_capset(), ->capset()
     	 New.  This is passed a pointer to the new creds, a pointer to the old
     	 creds and the proposed capability sets.  It should fill in the new
     	 creds or return an error.  All pointers, barring the pointer to the
     	 new creds, are now const.
     (*) security_bprm_apply_creds(), ->bprm_apply_creds()
     	 Changed; now returns a value, which will cause the process to be
     	 killed if it's an error.
     (*) security_task_alloc(), ->task_alloc_security()
     	 Removed in favour of security_prepare_creds().
     (*) security_cred_free(), ->cred_free()
     	 New.  Free security data attached to cred->security.
     (*) security_prepare_creds(), ->cred_prepare()
     	 New. Duplicate any security data attached to cred->security.
     (*) security_commit_creds(), ->cred_commit()
     	 New. Apply any security effects for the upcoming installation of new
     	 security by commit_creds().
     (*) security_task_post_setuid(), ->task_post_setuid()
     	 Removed in favour of security_task_fix_setuid().
     (*) security_task_fix_setuid(), ->task_fix_setuid()
     	 Fix up the proposed new credentials for setuid().  This is used by
     	 cap_set_fix_setuid() to implicitly adjust capabilities in line with
     	 setuid() changes.  Changes are made to the new credentials, rather
     	 than the task itself as in security_task_post_setuid().
     (*) security_task_reparent_to_init(), ->task_reparent_to_init()
     	 Removed.  Instead the task being reparented to init is referred
     	 directly to init's credentials.
	 NOTE!  This results in the loss of some state: SELinux's osid no
	 longer records the sid of the thread that forked it.
     (*) security_key_alloc(), ->key_alloc()
     (*) security_key_permission(), ->key_permission()
     	 Changed.  These now take cred pointers rather than task pointers to
     	 refer to the security context.
 (4) sys_capset().
     This has been simplified and uses less locking.  The LSM functions it
     calls have been merged.
 (5) reparent_to_kthreadd().
     This gives the current thread the same credentials as init by simply using
     commit_thread() to point that way.
 (6) __sigqueue_alloc() and switch_uid()
     __sigqueue_alloc() can't stop the target task from changing its creds
     beneath it, so this function gets a reference to the currently applicable
     user_struct which it then passes into the sigqueue struct it returns if
     successful.
     switch_uid() is now called from commit_creds(), and possibly should be
     folded into that.  commit_creds() should take care of protecting
     __sigqueue_alloc().
 (7) [sg]et[ug]id() and co and [sg]et_current_groups.
     The set functions now all use prepare_creds(), commit_creds() and
     abort_creds() to build and check a new set of credentials before applying
     it.
     security_task_set[ug]id() is called inside the prepared section.  This
     guarantees that nothing else will affect the creds until we've finished.
     The calling of set_dumpable() has been moved into commit_creds().
     Much of the functionality of set_user() has been moved into
     commit_creds().
     The get functions all simply access the data directly.
 (8) security_task_prctl() and cap_task_prctl().
     security_task_prctl() has been modified to return -ENOSYS if it doesn't
     want to handle a function, or otherwise return the return value directly
     rather than through an argument.
     Additionally, cap_task_prctl() now prepares a new set of credentials, even
     if it doesn't end up using it.
 (9) Keyrings.
     A number of changes have been made to the keyrings code:
     (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
     	 all been dropped and built in to the credentials functions directly.
     	 They may want separating out again later.
     (b) key_alloc() and search_process_keyrings() now take a cred pointer
     	 rather than a task pointer to specify the security context.
     (c) copy_creds() gives a new thread within the same thread group a new
     	 thread keyring if its parent had one, otherwise it discards the thread
     	 keyring.
     (d) The authorisation key now points directly to the credentials to extend
     	 the search into rather pointing to the task that carries them.
     (e) Installing thread, process or session keyrings causes a new set of
     	 credentials to be created, even though it's not strictly necessary for
     	 process or session keyrings (they're shared).
(10) Usermode helper.
     The usermode helper code now carries a cred struct pointer in its
     subprocess_info struct instead of a new session keyring pointer.  This set
     of credentials is derived from init_cred and installed on the new process
     after it has been cloned.
     call_usermodehelper_setup() allocates the new credentials and
     call_usermodehelper_freeinfo() discards them if they haven't been used.  A
     special cred function (prepare_usermodeinfo_creds()) is provided
     specifically for call_usermodehelper_setup() to call.
     call_usermodehelper_setkeys() adjusts the credentials to sport the
     supplied keyring as the new session keyring.
(11) SELinux.
     SELinux has a number of changes, in addition to those to support the LSM
     interface changes mentioned above:
     (a) selinux_setprocattr() no longer does its check for whether the
     	 current ptracer can access processes with the new SID inside the lock
     	 that covers getting the ptracer's SID.  Whilst this lock ensures that
     	 the check is done with the ptracer pinned, the result is only valid
     	 until the lock is released, so there's no point doing it inside the
     	 lock.
(12) is_single_threaded().
     This function has been extracted from selinux_setprocattr() and put into
     a file of its own in the lib/ directory as join_session_keyring() now
     wants to use it too.
     The code in SELinux just checked to see whether a task shared mm_structs
     with other tasks (CLONE_VM), but that isn't good enough.  We really want
     to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
     The NFS server daemon now has to use the COW credentials to set the
     credentials it is going to use.  It really needs to pass the credentials
     down to the functions it calls, but it can't do that until other patches
     in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
											
										 
											2008-11-14 10:39:23 +11:00
										 |  |  | 	new->fsgid = new->egid; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 
 | 
					
						
							| 
									
										
											  
											
												CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management.  This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
	struct cred *new = prepare_creds();
	int ret = blah(new);
	if (ret < 0) {
		abort_creds(new);
		return ret;
	}
	return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const.  The purpose of this is compile-time
discouragement of altering credentials through those pointers.  Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
  (1) Its reference count may incremented and decremented.
  (2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
 (1) execve().
     This now prepares and commits credentials in various places in the
     security code rather than altering the current creds directly.
 (2) Temporary credential overrides.
     do_coredump() and sys_faccessat() now prepare their own credentials and
     temporarily override the ones currently on the acting thread, whilst
     preventing interference from other threads by holding cred_replace_mutex
     on the thread being dumped.
     This will be replaced in a future patch by something that hands down the
     credentials directly to the functions being called, rather than altering
     the task's objective credentials.
 (3) LSM interface.
     A number of functions have been changed, added or removed:
     (*) security_capset_check(), ->capset_check()
     (*) security_capset_set(), ->capset_set()
     	 Removed in favour of security_capset().
     (*) security_capset(), ->capset()
     	 New.  This is passed a pointer to the new creds, a pointer to the old
     	 creds and the proposed capability sets.  It should fill in the new
     	 creds or return an error.  All pointers, barring the pointer to the
     	 new creds, are now const.
     (*) security_bprm_apply_creds(), ->bprm_apply_creds()
     	 Changed; now returns a value, which will cause the process to be
     	 killed if it's an error.
     (*) security_task_alloc(), ->task_alloc_security()
     	 Removed in favour of security_prepare_creds().
     (*) security_cred_free(), ->cred_free()
     	 New.  Free security data attached to cred->security.
     (*) security_prepare_creds(), ->cred_prepare()
     	 New. Duplicate any security data attached to cred->security.
     (*) security_commit_creds(), ->cred_commit()
     	 New. Apply any security effects for the upcoming installation of new
     	 security by commit_creds().
     (*) security_task_post_setuid(), ->task_post_setuid()
     	 Removed in favour of security_task_fix_setuid().
     (*) security_task_fix_setuid(), ->task_fix_setuid()
     	 Fix up the proposed new credentials for setuid().  This is used by
     	 cap_set_fix_setuid() to implicitly adjust capabilities in line with
     	 setuid() changes.  Changes are made to the new credentials, rather
     	 than the task itself as in security_task_post_setuid().
     (*) security_task_reparent_to_init(), ->task_reparent_to_init()
     	 Removed.  Instead the task being reparented to init is referred
     	 directly to init's credentials.
	 NOTE!  This results in the loss of some state: SELinux's osid no
	 longer records the sid of the thread that forked it.
     (*) security_key_alloc(), ->key_alloc()
     (*) security_key_permission(), ->key_permission()
     	 Changed.  These now take cred pointers rather than task pointers to
     	 refer to the security context.
 (4) sys_capset().
     This has been simplified and uses less locking.  The LSM functions it
     calls have been merged.
 (5) reparent_to_kthreadd().
     This gives the current thread the same credentials as init by simply using
     commit_thread() to point that way.
 (6) __sigqueue_alloc() and switch_uid()
     __sigqueue_alloc() can't stop the target task from changing its creds
     beneath it, so this function gets a reference to the currently applicable
     user_struct which it then passes into the sigqueue struct it returns if
     successful.
     switch_uid() is now called from commit_creds(), and possibly should be
     folded into that.  commit_creds() should take care of protecting
     __sigqueue_alloc().
 (7) [sg]et[ug]id() and co and [sg]et_current_groups.
     The set functions now all use prepare_creds(), commit_creds() and
     abort_creds() to build and check a new set of credentials before applying
     it.
     security_task_set[ug]id() is called inside the prepared section.  This
     guarantees that nothing else will affect the creds until we've finished.
     The calling of set_dumpable() has been moved into commit_creds().
     Much of the functionality of set_user() has been moved into
     commit_creds().
     The get functions all simply access the data directly.
 (8) security_task_prctl() and cap_task_prctl().
     security_task_prctl() has been modified to return -ENOSYS if it doesn't
     want to handle a function, or otherwise return the return value directly
     rather than through an argument.
     Additionally, cap_task_prctl() now prepares a new set of credentials, even
     if it doesn't end up using it.
 (9) Keyrings.
     A number of changes have been made to the keyrings code:
     (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
     	 all been dropped and built in to the credentials functions directly.
     	 They may want separating out again later.
     (b) key_alloc() and search_process_keyrings() now take a cred pointer
     	 rather than a task pointer to specify the security context.
     (c) copy_creds() gives a new thread within the same thread group a new
     	 thread keyring if its parent had one, otherwise it discards the thread
     	 keyring.
     (d) The authorisation key now points directly to the credentials to extend
     	 the search into rather pointing to the task that carries them.
     (e) Installing thread, process or session keyrings causes a new set of
     	 credentials to be created, even though it's not strictly necessary for
     	 process or session keyrings (they're shared).
(10) Usermode helper.
     The usermode helper code now carries a cred struct pointer in its
     subprocess_info struct instead of a new session keyring pointer.  This set
     of credentials is derived from init_cred and installed on the new process
     after it has been cloned.
     call_usermodehelper_setup() allocates the new credentials and
     call_usermodehelper_freeinfo() discards them if they haven't been used.  A
     special cred function (prepare_usermodeinfo_creds()) is provided
     specifically for call_usermodehelper_setup() to call.
     call_usermodehelper_setkeys() adjusts the credentials to sport the
     supplied keyring as the new session keyring.
(11) SELinux.
     SELinux has a number of changes, in addition to those to support the LSM
     interface changes mentioned above:
     (a) selinux_setprocattr() no longer does its check for whether the
     	 current ptracer can access processes with the new SID inside the lock
     	 that covers getting the ptracer's SID.  Whilst this lock ensures that
     	 the check is done with the ptracer pinned, the result is only valid
     	 until the lock is released, so there's no point doing it inside the
     	 lock.
(12) is_single_threaded().
     This function has been extracted from selinux_setprocattr() and put into
     a file of its own in the lib/ directory as join_session_keyring() now
     wants to use it too.
     The code in SELinux just checked to see whether a task shared mm_structs
     with other tasks (CLONE_VM), but that isn't good enough.  We really want
     to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
     The NFS server daemon now has to use the COW credentials to set the
     credentials it is going to use.  It really needs to pass the credentials
     down to the functions it calls, but it can't do that until other patches
     in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
											
										 
											2008-11-14 10:39:23 +11:00
										 |  |  | 	return commit_creds(new); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | error: | 
					
						
							|  |  |  | 	abort_creds(new); | 
					
						
							|  |  |  | 	return retval; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
											
												userns: Convert setting and getting uid and gid system calls to use kuid and kgid
Convert setregid, setgid, setreuid, setuid,
setresuid, getresuid, setresgid, getresgid, setfsuid, setfsgid,
getuid, geteuid, getgid, getegid,
waitpid, waitid, wait4.
Convert userspace uids and gids into kuids and kgids before
being placed on struct cred.  Convert struct cred kuids and
kgids into userspace uids and gids when returning them.
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
											
										 
											2012-02-07 18:51:01 -08:00
										 |  |  | SYSCALL_DEFINE3(getresgid, gid_t __user *, rgidp, gid_t __user *, egidp, gid_t __user *, sgidp) | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | { | 
					
						
							| 
									
										
										
										
											2008-11-14 10:39:18 +11:00
										 |  |  | 	const struct cred *cred = current_cred(); | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 	int retval; | 
					
						
							| 
									
										
										
											
												userns: Convert setting and getting uid and gid system calls to use kuid and kgid
Convert setregid, setgid, setreuid, setuid,
setresuid, getresuid, setresgid, getresgid, setfsuid, setfsgid,
getuid, geteuid, getgid, getegid,
waitpid, waitid, wait4.
Convert userspace uids and gids into kuids and kgids before
being placed on struct cred.  Convert struct cred kuids and
kgids into userspace uids and gids when returning them.
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
											
										 
											2012-02-07 18:51:01 -08:00
										 |  |  | 	gid_t rgid, egid, sgid; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	rgid = from_kgid_munged(cred->user_ns, cred->gid); | 
					
						
							|  |  |  | 	egid = from_kgid_munged(cred->user_ns, cred->egid); | 
					
						
							|  |  |  | 	sgid = from_kgid_munged(cred->user_ns, cred->sgid); | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
											
												userns: Convert setting and getting uid and gid system calls to use kuid and kgid
Convert setregid, setgid, setreuid, setuid,
setresuid, getresuid, setresgid, getresgid, setfsuid, setfsgid,
getuid, geteuid, getgid, getegid,
waitpid, waitid, wait4.
Convert userspace uids and gids into kuids and kgids before
being placed on struct cred.  Convert struct cred kuids and
kgids into userspace uids and gids when returning them.
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
											
										 
											2012-02-07 18:51:01 -08:00
										 |  |  | 	if (!(retval   = put_user(rgid, rgidp)) && | 
					
						
							|  |  |  | 	    !(retval   = put_user(egid, egidp))) | 
					
						
							|  |  |  | 		retval = put_user(sgid, sgidp); | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 
 | 
					
						
							|  |  |  | 	return retval; | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | /*
 | 
					
						
							|  |  |  |  * "setfsuid()" sets the fsuid - the uid used for filesystem checks. This | 
					
						
							|  |  |  |  * is used for "access()" and for the NFS daemon (letting nfsd stay at | 
					
						
							|  |  |  |  * whatever uid it wants to). It normally shadows "euid", except when | 
					
						
							|  |  |  |  * explicitly set by setfsuid() or for access.. | 
					
						
							|  |  |  |  */ | 
					
						
							| 
									
										
										
										
											2009-01-14 14:14:05 +01:00
										 |  |  | SYSCALL_DEFINE1(setfsuid, uid_t, uid) | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | { | 
					
						
							| 
									
										
											  
											
												CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management.  This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
	struct cred *new = prepare_creds();
	int ret = blah(new);
	if (ret < 0) {
		abort_creds(new);
		return ret;
	}
	return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const.  The purpose of this is compile-time
discouragement of altering credentials through those pointers.  Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
  (1) Its reference count may incremented and decremented.
  (2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
 (1) execve().
     This now prepares and commits credentials in various places in the
     security code rather than altering the current creds directly.
 (2) Temporary credential overrides.
     do_coredump() and sys_faccessat() now prepare their own credentials and
     temporarily override the ones currently on the acting thread, whilst
     preventing interference from other threads by holding cred_replace_mutex
     on the thread being dumped.
     This will be replaced in a future patch by something that hands down the
     credentials directly to the functions being called, rather than altering
     the task's objective credentials.
 (3) LSM interface.
     A number of functions have been changed, added or removed:
     (*) security_capset_check(), ->capset_check()
     (*) security_capset_set(), ->capset_set()
     	 Removed in favour of security_capset().
     (*) security_capset(), ->capset()
     	 New.  This is passed a pointer to the new creds, a pointer to the old
     	 creds and the proposed capability sets.  It should fill in the new
     	 creds or return an error.  All pointers, barring the pointer to the
     	 new creds, are now const.
     (*) security_bprm_apply_creds(), ->bprm_apply_creds()
     	 Changed; now returns a value, which will cause the process to be
     	 killed if it's an error.
     (*) security_task_alloc(), ->task_alloc_security()
     	 Removed in favour of security_prepare_creds().
     (*) security_cred_free(), ->cred_free()
     	 New.  Free security data attached to cred->security.
     (*) security_prepare_creds(), ->cred_prepare()
     	 New. Duplicate any security data attached to cred->security.
     (*) security_commit_creds(), ->cred_commit()
     	 New. Apply any security effects for the upcoming installation of new
     	 security by commit_creds().
     (*) security_task_post_setuid(), ->task_post_setuid()
     	 Removed in favour of security_task_fix_setuid().
     (*) security_task_fix_setuid(), ->task_fix_setuid()
     	 Fix up the proposed new credentials for setuid().  This is used by
     	 cap_set_fix_setuid() to implicitly adjust capabilities in line with
     	 setuid() changes.  Changes are made to the new credentials, rather
     	 than the task itself as in security_task_post_setuid().
     (*) security_task_reparent_to_init(), ->task_reparent_to_init()
     	 Removed.  Instead the task being reparented to init is referred
     	 directly to init's credentials.
	 NOTE!  This results in the loss of some state: SELinux's osid no
	 longer records the sid of the thread that forked it.
     (*) security_key_alloc(), ->key_alloc()
     (*) security_key_permission(), ->key_permission()
     	 Changed.  These now take cred pointers rather than task pointers to
     	 refer to the security context.
 (4) sys_capset().
     This has been simplified and uses less locking.  The LSM functions it
     calls have been merged.
 (5) reparent_to_kthreadd().
     This gives the current thread the same credentials as init by simply using
     commit_thread() to point that way.
 (6) __sigqueue_alloc() and switch_uid()
     __sigqueue_alloc() can't stop the target task from changing its creds
     beneath it, so this function gets a reference to the currently applicable
     user_struct which it then passes into the sigqueue struct it returns if
     successful.
     switch_uid() is now called from commit_creds(), and possibly should be
     folded into that.  commit_creds() should take care of protecting
     __sigqueue_alloc().
 (7) [sg]et[ug]id() and co and [sg]et_current_groups.
     The set functions now all use prepare_creds(), commit_creds() and
     abort_creds() to build and check a new set of credentials before applying
     it.
     security_task_set[ug]id() is called inside the prepared section.  This
     guarantees that nothing else will affect the creds until we've finished.
     The calling of set_dumpable() has been moved into commit_creds().
     Much of the functionality of set_user() has been moved into
     commit_creds().
     The get functions all simply access the data directly.
 (8) security_task_prctl() and cap_task_prctl().
     security_task_prctl() has been modified to return -ENOSYS if it doesn't
     want to handle a function, or otherwise return the return value directly
     rather than through an argument.
     Additionally, cap_task_prctl() now prepares a new set of credentials, even
     if it doesn't end up using it.
 (9) Keyrings.
     A number of changes have been made to the keyrings code:
     (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
     	 all been dropped and built in to the credentials functions directly.
     	 They may want separating out again later.
     (b) key_alloc() and search_process_keyrings() now take a cred pointer
     	 rather than a task pointer to specify the security context.
     (c) copy_creds() gives a new thread within the same thread group a new
     	 thread keyring if its parent had one, otherwise it discards the thread
     	 keyring.
     (d) The authorisation key now points directly to the credentials to extend
     	 the search into rather pointing to the task that carries them.
     (e) Installing thread, process or session keyrings causes a new set of
     	 credentials to be created, even though it's not strictly necessary for
     	 process or session keyrings (they're shared).
(10) Usermode helper.
     The usermode helper code now carries a cred struct pointer in its
     subprocess_info struct instead of a new session keyring pointer.  This set
     of credentials is derived from init_cred and installed on the new process
     after it has been cloned.
     call_usermodehelper_setup() allocates the new credentials and
     call_usermodehelper_freeinfo() discards them if they haven't been used.  A
     special cred function (prepare_usermodeinfo_creds()) is provided
     specifically for call_usermodehelper_setup() to call.
     call_usermodehelper_setkeys() adjusts the credentials to sport the
     supplied keyring as the new session keyring.
(11) SELinux.
     SELinux has a number of changes, in addition to those to support the LSM
     interface changes mentioned above:
     (a) selinux_setprocattr() no longer does its check for whether the
     	 current ptracer can access processes with the new SID inside the lock
     	 that covers getting the ptracer's SID.  Whilst this lock ensures that
     	 the check is done with the ptracer pinned, the result is only valid
     	 until the lock is released, so there's no point doing it inside the
     	 lock.
(12) is_single_threaded().
     This function has been extracted from selinux_setprocattr() and put into
     a file of its own in the lib/ directory as join_session_keyring() now
     wants to use it too.
     The code in SELinux just checked to see whether a task shared mm_structs
     with other tasks (CLONE_VM), but that isn't good enough.  We really want
     to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
     The NFS server daemon now has to use the COW credentials to set the
     credentials it is going to use.  It really needs to pass the credentials
     down to the functions it calls, but it can't do that until other patches
     in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
											
										 
											2008-11-14 10:39:23 +11:00
										 |  |  | 	const struct cred *old; | 
					
						
							|  |  |  | 	struct cred *new; | 
					
						
							|  |  |  | 	uid_t old_fsuid; | 
					
						
							| 
									
										
										
											
												userns: Convert setting and getting uid and gid system calls to use kuid and kgid
Convert setregid, setgid, setreuid, setuid,
setresuid, getresuid, setresgid, getresgid, setfsuid, setfsgid,
getuid, geteuid, getgid, getegid,
waitpid, waitid, wait4.
Convert userspace uids and gids into kuids and kgids before
being placed on struct cred.  Convert struct cred kuids and
kgids into userspace uids and gids when returning them.
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
											
										 
											2012-02-07 18:51:01 -08:00
										 |  |  | 	kuid_t kuid; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	old = current_cred(); | 
					
						
							|  |  |  | 	old_fsuid = from_kuid_munged(old->user_ns, old->fsuid); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	kuid = make_kuid(old->user_ns, uid); | 
					
						
							|  |  |  | 	if (!uid_valid(kuid)) | 
					
						
							|  |  |  | 		return old_fsuid; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 
 | 
					
						
							| 
									
										
											  
											
												CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management.  This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
	struct cred *new = prepare_creds();
	int ret = blah(new);
	if (ret < 0) {
		abort_creds(new);
		return ret;
	}
	return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const.  The purpose of this is compile-time
discouragement of altering credentials through those pointers.  Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
  (1) Its reference count may incremented and decremented.
  (2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
 (1) execve().
     This now prepares and commits credentials in various places in the
     security code rather than altering the current creds directly.
 (2) Temporary credential overrides.
     do_coredump() and sys_faccessat() now prepare their own credentials and
     temporarily override the ones currently on the acting thread, whilst
     preventing interference from other threads by holding cred_replace_mutex
     on the thread being dumped.
     This will be replaced in a future patch by something that hands down the
     credentials directly to the functions being called, rather than altering
     the task's objective credentials.
 (3) LSM interface.
     A number of functions have been changed, added or removed:
     (*) security_capset_check(), ->capset_check()
     (*) security_capset_set(), ->capset_set()
     	 Removed in favour of security_capset().
     (*) security_capset(), ->capset()
     	 New.  This is passed a pointer to the new creds, a pointer to the old
     	 creds and the proposed capability sets.  It should fill in the new
     	 creds or return an error.  All pointers, barring the pointer to the
     	 new creds, are now const.
     (*) security_bprm_apply_creds(), ->bprm_apply_creds()
     	 Changed; now returns a value, which will cause the process to be
     	 killed if it's an error.
     (*) security_task_alloc(), ->task_alloc_security()
     	 Removed in favour of security_prepare_creds().
     (*) security_cred_free(), ->cred_free()
     	 New.  Free security data attached to cred->security.
     (*) security_prepare_creds(), ->cred_prepare()
     	 New. Duplicate any security data attached to cred->security.
     (*) security_commit_creds(), ->cred_commit()
     	 New. Apply any security effects for the upcoming installation of new
     	 security by commit_creds().
     (*) security_task_post_setuid(), ->task_post_setuid()
     	 Removed in favour of security_task_fix_setuid().
     (*) security_task_fix_setuid(), ->task_fix_setuid()
     	 Fix up the proposed new credentials for setuid().  This is used by
     	 cap_set_fix_setuid() to implicitly adjust capabilities in line with
     	 setuid() changes.  Changes are made to the new credentials, rather
     	 than the task itself as in security_task_post_setuid().
     (*) security_task_reparent_to_init(), ->task_reparent_to_init()
     	 Removed.  Instead the task being reparented to init is referred
     	 directly to init's credentials.
	 NOTE!  This results in the loss of some state: SELinux's osid no
	 longer records the sid of the thread that forked it.
     (*) security_key_alloc(), ->key_alloc()
     (*) security_key_permission(), ->key_permission()
     	 Changed.  These now take cred pointers rather than task pointers to
     	 refer to the security context.
 (4) sys_capset().
     This has been simplified and uses less locking.  The LSM functions it
     calls have been merged.
 (5) reparent_to_kthreadd().
     This gives the current thread the same credentials as init by simply using
     commit_thread() to point that way.
 (6) __sigqueue_alloc() and switch_uid()
     __sigqueue_alloc() can't stop the target task from changing its creds
     beneath it, so this function gets a reference to the currently applicable
     user_struct which it then passes into the sigqueue struct it returns if
     successful.
     switch_uid() is now called from commit_creds(), and possibly should be
     folded into that.  commit_creds() should take care of protecting
     __sigqueue_alloc().
 (7) [sg]et[ug]id() and co and [sg]et_current_groups.
     The set functions now all use prepare_creds(), commit_creds() and
     abort_creds() to build and check a new set of credentials before applying
     it.
     security_task_set[ug]id() is called inside the prepared section.  This
     guarantees that nothing else will affect the creds until we've finished.
     The calling of set_dumpable() has been moved into commit_creds().
     Much of the functionality of set_user() has been moved into
     commit_creds().
     The get functions all simply access the data directly.
 (8) security_task_prctl() and cap_task_prctl().
     security_task_prctl() has been modified to return -ENOSYS if it doesn't
     want to handle a function, or otherwise return the return value directly
     rather than through an argument.
     Additionally, cap_task_prctl() now prepares a new set of credentials, even
     if it doesn't end up using it.
 (9) Keyrings.
     A number of changes have been made to the keyrings code:
     (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
     	 all been dropped and built in to the credentials functions directly.
     	 They may want separating out again later.
     (b) key_alloc() and search_process_keyrings() now take a cred pointer
     	 rather than a task pointer to specify the security context.
     (c) copy_creds() gives a new thread within the same thread group a new
     	 thread keyring if its parent had one, otherwise it discards the thread
     	 keyring.
     (d) The authorisation key now points directly to the credentials to extend
     	 the search into rather pointing to the task that carries them.
     (e) Installing thread, process or session keyrings causes a new set of
     	 credentials to be created, even though it's not strictly necessary for
     	 process or session keyrings (they're shared).
(10) Usermode helper.
     The usermode helper code now carries a cred struct pointer in its
     subprocess_info struct instead of a new session keyring pointer.  This set
     of credentials is derived from init_cred and installed on the new process
     after it has been cloned.
     call_usermodehelper_setup() allocates the new credentials and
     call_usermodehelper_freeinfo() discards them if they haven't been used.  A
     special cred function (prepare_usermodeinfo_creds()) is provided
     specifically for call_usermodehelper_setup() to call.
     call_usermodehelper_setkeys() adjusts the credentials to sport the
     supplied keyring as the new session keyring.
(11) SELinux.
     SELinux has a number of changes, in addition to those to support the LSM
     interface changes mentioned above:
     (a) selinux_setprocattr() no longer does its check for whether the
     	 current ptracer can access processes with the new SID inside the lock
     	 that covers getting the ptracer's SID.  Whilst this lock ensures that
     	 the check is done with the ptracer pinned, the result is only valid
     	 until the lock is released, so there's no point doing it inside the
     	 lock.
(12) is_single_threaded().
     This function has been extracted from selinux_setprocattr() and put into
     a file of its own in the lib/ directory as join_session_keyring() now
     wants to use it too.
     The code in SELinux just checked to see whether a task shared mm_structs
     with other tasks (CLONE_VM), but that isn't good enough.  We really want
     to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
     The NFS server daemon now has to use the COW credentials to set the
     credentials it is going to use.  It really needs to pass the credentials
     down to the functions it calls, but it can't do that until other patches
     in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
											
										 
											2008-11-14 10:39:23 +11:00
										 |  |  | 	new = prepare_creds(); | 
					
						
							|  |  |  | 	if (!new) | 
					
						
							| 
									
										
										
											
												userns: Convert setting and getting uid and gid system calls to use kuid and kgid
Convert setregid, setgid, setreuid, setuid,
setresuid, getresuid, setresgid, getresgid, setfsuid, setfsgid,
getuid, geteuid, getgid, getegid,
waitpid, waitid, wait4.
Convert userspace uids and gids into kuids and kgids before
being placed on struct cred.  Convert struct cred kuids and
kgids into userspace uids and gids when returning them.
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
											
										 
											2012-02-07 18:51:01 -08:00
										 |  |  | 		return old_fsuid; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
											
												userns: Convert setting and getting uid and gid system calls to use kuid and kgid
Convert setregid, setgid, setreuid, setuid,
setresuid, getresuid, setresgid, getresgid, setfsuid, setfsgid,
getuid, geteuid, getgid, getegid,
waitpid, waitid, wait4.
Convert userspace uids and gids into kuids and kgids before
being placed on struct cred.  Convert struct cred kuids and
kgids into userspace uids and gids when returning them.
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
											
										 
											2012-02-07 18:51:01 -08:00
										 |  |  | 	if (uid_eq(kuid, old->uid)  || uid_eq(kuid, old->euid)  || | 
					
						
							|  |  |  | 	    uid_eq(kuid, old->suid) || uid_eq(kuid, old->fsuid) || | 
					
						
							| 
									
										
										
										
											2013-03-20 12:49:49 -07:00
										 |  |  | 	    ns_capable(old->user_ns, CAP_SETUID)) { | 
					
						
							| 
									
										
										
											
												userns: Convert setting and getting uid and gid system calls to use kuid and kgid
Convert setregid, setgid, setreuid, setuid,
setresuid, getresuid, setresgid, getresgid, setfsuid, setfsgid,
getuid, geteuid, getgid, getegid,
waitpid, waitid, wait4.
Convert userspace uids and gids into kuids and kgids before
being placed on struct cred.  Convert struct cred kuids and
kgids into userspace uids and gids when returning them.
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
											
										 
											2012-02-07 18:51:01 -08:00
										 |  |  | 		if (!uid_eq(kuid, old->fsuid)) { | 
					
						
							|  |  |  | 			new->fsuid = kuid; | 
					
						
							| 
									
										
											  
											
												CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management.  This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
	struct cred *new = prepare_creds();
	int ret = blah(new);
	if (ret < 0) {
		abort_creds(new);
		return ret;
	}
	return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const.  The purpose of this is compile-time
discouragement of altering credentials through those pointers.  Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
  (1) Its reference count may incremented and decremented.
  (2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
 (1) execve().
     This now prepares and commits credentials in various places in the
     security code rather than altering the current creds directly.
 (2) Temporary credential overrides.
     do_coredump() and sys_faccessat() now prepare their own credentials and
     temporarily override the ones currently on the acting thread, whilst
     preventing interference from other threads by holding cred_replace_mutex
     on the thread being dumped.
     This will be replaced in a future patch by something that hands down the
     credentials directly to the functions being called, rather than altering
     the task's objective credentials.
 (3) LSM interface.
     A number of functions have been changed, added or removed:
     (*) security_capset_check(), ->capset_check()
     (*) security_capset_set(), ->capset_set()
     	 Removed in favour of security_capset().
     (*) security_capset(), ->capset()
     	 New.  This is passed a pointer to the new creds, a pointer to the old
     	 creds and the proposed capability sets.  It should fill in the new
     	 creds or return an error.  All pointers, barring the pointer to the
     	 new creds, are now const.
     (*) security_bprm_apply_creds(), ->bprm_apply_creds()
     	 Changed; now returns a value, which will cause the process to be
     	 killed if it's an error.
     (*) security_task_alloc(), ->task_alloc_security()
     	 Removed in favour of security_prepare_creds().
     (*) security_cred_free(), ->cred_free()
     	 New.  Free security data attached to cred->security.
     (*) security_prepare_creds(), ->cred_prepare()
     	 New. Duplicate any security data attached to cred->security.
     (*) security_commit_creds(), ->cred_commit()
     	 New. Apply any security effects for the upcoming installation of new
     	 security by commit_creds().
     (*) security_task_post_setuid(), ->task_post_setuid()
     	 Removed in favour of security_task_fix_setuid().
     (*) security_task_fix_setuid(), ->task_fix_setuid()
     	 Fix up the proposed new credentials for setuid().  This is used by
     	 cap_set_fix_setuid() to implicitly adjust capabilities in line with
     	 setuid() changes.  Changes are made to the new credentials, rather
     	 than the task itself as in security_task_post_setuid().
     (*) security_task_reparent_to_init(), ->task_reparent_to_init()
     	 Removed.  Instead the task being reparented to init is referred
     	 directly to init's credentials.
	 NOTE!  This results in the loss of some state: SELinux's osid no
	 longer records the sid of the thread that forked it.
     (*) security_key_alloc(), ->key_alloc()
     (*) security_key_permission(), ->key_permission()
     	 Changed.  These now take cred pointers rather than task pointers to
     	 refer to the security context.
 (4) sys_capset().
     This has been simplified and uses less locking.  The LSM functions it
     calls have been merged.
 (5) reparent_to_kthreadd().
     This gives the current thread the same credentials as init by simply using
     commit_thread() to point that way.
 (6) __sigqueue_alloc() and switch_uid()
     __sigqueue_alloc() can't stop the target task from changing its creds
     beneath it, so this function gets a reference to the currently applicable
     user_struct which it then passes into the sigqueue struct it returns if
     successful.
     switch_uid() is now called from commit_creds(), and possibly should be
     folded into that.  commit_creds() should take care of protecting
     __sigqueue_alloc().
 (7) [sg]et[ug]id() and co and [sg]et_current_groups.
     The set functions now all use prepare_creds(), commit_creds() and
     abort_creds() to build and check a new set of credentials before applying
     it.
     security_task_set[ug]id() is called inside the prepared section.  This
     guarantees that nothing else will affect the creds until we've finished.
     The calling of set_dumpable() has been moved into commit_creds().
     Much of the functionality of set_user() has been moved into
     commit_creds().
     The get functions all simply access the data directly.
 (8) security_task_prctl() and cap_task_prctl().
     security_task_prctl() has been modified to return -ENOSYS if it doesn't
     want to handle a function, or otherwise return the return value directly
     rather than through an argument.
     Additionally, cap_task_prctl() now prepares a new set of credentials, even
     if it doesn't end up using it.
 (9) Keyrings.
     A number of changes have been made to the keyrings code:
     (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
     	 all been dropped and built in to the credentials functions directly.
     	 They may want separating out again later.
     (b) key_alloc() and search_process_keyrings() now take a cred pointer
     	 rather than a task pointer to specify the security context.
     (c) copy_creds() gives a new thread within the same thread group a new
     	 thread keyring if its parent had one, otherwise it discards the thread
     	 keyring.
     (d) The authorisation key now points directly to the credentials to extend
     	 the search into rather pointing to the task that carries them.
     (e) Installing thread, process or session keyrings causes a new set of
     	 credentials to be created, even though it's not strictly necessary for
     	 process or session keyrings (they're shared).
(10) Usermode helper.
     The usermode helper code now carries a cred struct pointer in its
     subprocess_info struct instead of a new session keyring pointer.  This set
     of credentials is derived from init_cred and installed on the new process
     after it has been cloned.
     call_usermodehelper_setup() allocates the new credentials and
     call_usermodehelper_freeinfo() discards them if they haven't been used.  A
     special cred function (prepare_usermodeinfo_creds()) is provided
     specifically for call_usermodehelper_setup() to call.
     call_usermodehelper_setkeys() adjusts the credentials to sport the
     supplied keyring as the new session keyring.
(11) SELinux.
     SELinux has a number of changes, in addition to those to support the LSM
     interface changes mentioned above:
     (a) selinux_setprocattr() no longer does its check for whether the
     	 current ptracer can access processes with the new SID inside the lock
     	 that covers getting the ptracer's SID.  Whilst this lock ensures that
     	 the check is done with the ptracer pinned, the result is only valid
     	 until the lock is released, so there's no point doing it inside the
     	 lock.
(12) is_single_threaded().
     This function has been extracted from selinux_setprocattr() and put into
     a file of its own in the lib/ directory as join_session_keyring() now
     wants to use it too.
     The code in SELinux just checked to see whether a task shared mm_structs
     with other tasks (CLONE_VM), but that isn't good enough.  We really want
     to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
     The NFS server daemon now has to use the COW credentials to set the
     credentials it is going to use.  It really needs to pass the credentials
     down to the functions it calls, but it can't do that until other patches
     in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
											
										 
											2008-11-14 10:39:23 +11:00
										 |  |  | 			if (security_task_fix_setuid(new, old, LSM_SETID_FS) == 0) | 
					
						
							|  |  |  | 				goto change_okay; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 		} | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
											  
											
												CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management.  This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
	struct cred *new = prepare_creds();
	int ret = blah(new);
	if (ret < 0) {
		abort_creds(new);
		return ret;
	}
	return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const.  The purpose of this is compile-time
discouragement of altering credentials through those pointers.  Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
  (1) Its reference count may incremented and decremented.
  (2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
 (1) execve().
     This now prepares and commits credentials in various places in the
     security code rather than altering the current creds directly.
 (2) Temporary credential overrides.
     do_coredump() and sys_faccessat() now prepare their own credentials and
     temporarily override the ones currently on the acting thread, whilst
     preventing interference from other threads by holding cred_replace_mutex
     on the thread being dumped.
     This will be replaced in a future patch by something that hands down the
     credentials directly to the functions being called, rather than altering
     the task's objective credentials.
 (3) LSM interface.
     A number of functions have been changed, added or removed:
     (*) security_capset_check(), ->capset_check()
     (*) security_capset_set(), ->capset_set()
     	 Removed in favour of security_capset().
     (*) security_capset(), ->capset()
     	 New.  This is passed a pointer to the new creds, a pointer to the old
     	 creds and the proposed capability sets.  It should fill in the new
     	 creds or return an error.  All pointers, barring the pointer to the
     	 new creds, are now const.
     (*) security_bprm_apply_creds(), ->bprm_apply_creds()
     	 Changed; now returns a value, which will cause the process to be
     	 killed if it's an error.
     (*) security_task_alloc(), ->task_alloc_security()
     	 Removed in favour of security_prepare_creds().
     (*) security_cred_free(), ->cred_free()
     	 New.  Free security data attached to cred->security.
     (*) security_prepare_creds(), ->cred_prepare()
     	 New. Duplicate any security data attached to cred->security.
     (*) security_commit_creds(), ->cred_commit()
     	 New. Apply any security effects for the upcoming installation of new
     	 security by commit_creds().
     (*) security_task_post_setuid(), ->task_post_setuid()
     	 Removed in favour of security_task_fix_setuid().
     (*) security_task_fix_setuid(), ->task_fix_setuid()
     	 Fix up the proposed new credentials for setuid().  This is used by
     	 cap_set_fix_setuid() to implicitly adjust capabilities in line with
     	 setuid() changes.  Changes are made to the new credentials, rather
     	 than the task itself as in security_task_post_setuid().
     (*) security_task_reparent_to_init(), ->task_reparent_to_init()
     	 Removed.  Instead the task being reparented to init is referred
     	 directly to init's credentials.
	 NOTE!  This results in the loss of some state: SELinux's osid no
	 longer records the sid of the thread that forked it.
     (*) security_key_alloc(), ->key_alloc()
     (*) security_key_permission(), ->key_permission()
     	 Changed.  These now take cred pointers rather than task pointers to
     	 refer to the security context.
 (4) sys_capset().
     This has been simplified and uses less locking.  The LSM functions it
     calls have been merged.
 (5) reparent_to_kthreadd().
     This gives the current thread the same credentials as init by simply using
     commit_thread() to point that way.
 (6) __sigqueue_alloc() and switch_uid()
     __sigqueue_alloc() can't stop the target task from changing its creds
     beneath it, so this function gets a reference to the currently applicable
     user_struct which it then passes into the sigqueue struct it returns if
     successful.
     switch_uid() is now called from commit_creds(), and possibly should be
     folded into that.  commit_creds() should take care of protecting
     __sigqueue_alloc().
 (7) [sg]et[ug]id() and co and [sg]et_current_groups.
     The set functions now all use prepare_creds(), commit_creds() and
     abort_creds() to build and check a new set of credentials before applying
     it.
     security_task_set[ug]id() is called inside the prepared section.  This
     guarantees that nothing else will affect the creds until we've finished.
     The calling of set_dumpable() has been moved into commit_creds().
     Much of the functionality of set_user() has been moved into
     commit_creds().
     The get functions all simply access the data directly.
 (8) security_task_prctl() and cap_task_prctl().
     security_task_prctl() has been modified to return -ENOSYS if it doesn't
     want to handle a function, or otherwise return the return value directly
     rather than through an argument.
     Additionally, cap_task_prctl() now prepares a new set of credentials, even
     if it doesn't end up using it.
 (9) Keyrings.
     A number of changes have been made to the keyrings code:
     (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
     	 all been dropped and built in to the credentials functions directly.
     	 They may want separating out again later.
     (b) key_alloc() and search_process_keyrings() now take a cred pointer
     	 rather than a task pointer to specify the security context.
     (c) copy_creds() gives a new thread within the same thread group a new
     	 thread keyring if its parent had one, otherwise it discards the thread
     	 keyring.
     (d) The authorisation key now points directly to the credentials to extend
     	 the search into rather pointing to the task that carries them.
     (e) Installing thread, process or session keyrings causes a new set of
     	 credentials to be created, even though it's not strictly necessary for
     	 process or session keyrings (they're shared).
(10) Usermode helper.
     The usermode helper code now carries a cred struct pointer in its
     subprocess_info struct instead of a new session keyring pointer.  This set
     of credentials is derived from init_cred and installed on the new process
     after it has been cloned.
     call_usermodehelper_setup() allocates the new credentials and
     call_usermodehelper_freeinfo() discards them if they haven't been used.  A
     special cred function (prepare_usermodeinfo_creds()) is provided
     specifically for call_usermodehelper_setup() to call.
     call_usermodehelper_setkeys() adjusts the credentials to sport the
     supplied keyring as the new session keyring.
(11) SELinux.
     SELinux has a number of changes, in addition to those to support the LSM
     interface changes mentioned above:
     (a) selinux_setprocattr() no longer does its check for whether the
     	 current ptracer can access processes with the new SID inside the lock
     	 that covers getting the ptracer's SID.  Whilst this lock ensures that
     	 the check is done with the ptracer pinned, the result is only valid
     	 until the lock is released, so there's no point doing it inside the
     	 lock.
(12) is_single_threaded().
     This function has been extracted from selinux_setprocattr() and put into
     a file of its own in the lib/ directory as join_session_keyring() now
     wants to use it too.
     The code in SELinux just checked to see whether a task shared mm_structs
     with other tasks (CLONE_VM), but that isn't good enough.  We really want
     to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
     The NFS server daemon now has to use the COW credentials to set the
     credentials it is going to use.  It really needs to pass the credentials
     down to the functions it calls, but it can't do that until other patches
     in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
											
										 
											2008-11-14 10:39:23 +11:00
										 |  |  | 	abort_creds(new); | 
					
						
							|  |  |  | 	return old_fsuid; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 
 | 
					
						
							| 
									
										
											  
											
												CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management.  This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
	struct cred *new = prepare_creds();
	int ret = blah(new);
	if (ret < 0) {
		abort_creds(new);
		return ret;
	}
	return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const.  The purpose of this is compile-time
discouragement of altering credentials through those pointers.  Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
  (1) Its reference count may incremented and decremented.
  (2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
 (1) execve().
     This now prepares and commits credentials in various places in the
     security code rather than altering the current creds directly.
 (2) Temporary credential overrides.
     do_coredump() and sys_faccessat() now prepare their own credentials and
     temporarily override the ones currently on the acting thread, whilst
     preventing interference from other threads by holding cred_replace_mutex
     on the thread being dumped.
     This will be replaced in a future patch by something that hands down the
     credentials directly to the functions being called, rather than altering
     the task's objective credentials.
 (3) LSM interface.
     A number of functions have been changed, added or removed:
     (*) security_capset_check(), ->capset_check()
     (*) security_capset_set(), ->capset_set()
     	 Removed in favour of security_capset().
     (*) security_capset(), ->capset()
     	 New.  This is passed a pointer to the new creds, a pointer to the old
     	 creds and the proposed capability sets.  It should fill in the new
     	 creds or return an error.  All pointers, barring the pointer to the
     	 new creds, are now const.
     (*) security_bprm_apply_creds(), ->bprm_apply_creds()
     	 Changed; now returns a value, which will cause the process to be
     	 killed if it's an error.
     (*) security_task_alloc(), ->task_alloc_security()
     	 Removed in favour of security_prepare_creds().
     (*) security_cred_free(), ->cred_free()
     	 New.  Free security data attached to cred->security.
     (*) security_prepare_creds(), ->cred_prepare()
     	 New. Duplicate any security data attached to cred->security.
     (*) security_commit_creds(), ->cred_commit()
     	 New. Apply any security effects for the upcoming installation of new
     	 security by commit_creds().
     (*) security_task_post_setuid(), ->task_post_setuid()
     	 Removed in favour of security_task_fix_setuid().
     (*) security_task_fix_setuid(), ->task_fix_setuid()
     	 Fix up the proposed new credentials for setuid().  This is used by
     	 cap_set_fix_setuid() to implicitly adjust capabilities in line with
     	 setuid() changes.  Changes are made to the new credentials, rather
     	 than the task itself as in security_task_post_setuid().
     (*) security_task_reparent_to_init(), ->task_reparent_to_init()
     	 Removed.  Instead the task being reparented to init is referred
     	 directly to init's credentials.
	 NOTE!  This results in the loss of some state: SELinux's osid no
	 longer records the sid of the thread that forked it.
     (*) security_key_alloc(), ->key_alloc()
     (*) security_key_permission(), ->key_permission()
     	 Changed.  These now take cred pointers rather than task pointers to
     	 refer to the security context.
 (4) sys_capset().
     This has been simplified and uses less locking.  The LSM functions it
     calls have been merged.
 (5) reparent_to_kthreadd().
     This gives the current thread the same credentials as init by simply using
     commit_thread() to point that way.
 (6) __sigqueue_alloc() and switch_uid()
     __sigqueue_alloc() can't stop the target task from changing its creds
     beneath it, so this function gets a reference to the currently applicable
     user_struct which it then passes into the sigqueue struct it returns if
     successful.
     switch_uid() is now called from commit_creds(), and possibly should be
     folded into that.  commit_creds() should take care of protecting
     __sigqueue_alloc().
 (7) [sg]et[ug]id() and co and [sg]et_current_groups.
     The set functions now all use prepare_creds(), commit_creds() and
     abort_creds() to build and check a new set of credentials before applying
     it.
     security_task_set[ug]id() is called inside the prepared section.  This
     guarantees that nothing else will affect the creds until we've finished.
     The calling of set_dumpable() has been moved into commit_creds().
     Much of the functionality of set_user() has been moved into
     commit_creds().
     The get functions all simply access the data directly.
 (8) security_task_prctl() and cap_task_prctl().
     security_task_prctl() has been modified to return -ENOSYS if it doesn't
     want to handle a function, or otherwise return the return value directly
     rather than through an argument.
     Additionally, cap_task_prctl() now prepares a new set of credentials, even
     if it doesn't end up using it.
 (9) Keyrings.
     A number of changes have been made to the keyrings code:
     (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
     	 all been dropped and built in to the credentials functions directly.
     	 They may want separating out again later.
     (b) key_alloc() and search_process_keyrings() now take a cred pointer
     	 rather than a task pointer to specify the security context.
     (c) copy_creds() gives a new thread within the same thread group a new
     	 thread keyring if its parent had one, otherwise it discards the thread
     	 keyring.
     (d) The authorisation key now points directly to the credentials to extend
     	 the search into rather pointing to the task that carries them.
     (e) Installing thread, process or session keyrings causes a new set of
     	 credentials to be created, even though it's not strictly necessary for
     	 process or session keyrings (they're shared).
(10) Usermode helper.
     The usermode helper code now carries a cred struct pointer in its
     subprocess_info struct instead of a new session keyring pointer.  This set
     of credentials is derived from init_cred and installed on the new process
     after it has been cloned.
     call_usermodehelper_setup() allocates the new credentials and
     call_usermodehelper_freeinfo() discards them if they haven't been used.  A
     special cred function (prepare_usermodeinfo_creds()) is provided
     specifically for call_usermodehelper_setup() to call.
     call_usermodehelper_setkeys() adjusts the credentials to sport the
     supplied keyring as the new session keyring.
(11) SELinux.
     SELinux has a number of changes, in addition to those to support the LSM
     interface changes mentioned above:
     (a) selinux_setprocattr() no longer does its check for whether the
     	 current ptracer can access processes with the new SID inside the lock
     	 that covers getting the ptracer's SID.  Whilst this lock ensures that
     	 the check is done with the ptracer pinned, the result is only valid
     	 until the lock is released, so there's no point doing it inside the
     	 lock.
(12) is_single_threaded().
     This function has been extracted from selinux_setprocattr() and put into
     a file of its own in the lib/ directory as join_session_keyring() now
     wants to use it too.
     The code in SELinux just checked to see whether a task shared mm_structs
     with other tasks (CLONE_VM), but that isn't good enough.  We really want
     to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
     The NFS server daemon now has to use the COW credentials to set the
     credentials it is going to use.  It really needs to pass the credentials
     down to the functions it calls, but it can't do that until other patches
     in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
											
										 
											2008-11-14 10:39:23 +11:00
										 |  |  | change_okay: | 
					
						
							|  |  |  | 	commit_creds(new); | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 	return old_fsuid; | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | /*
 | 
					
						
							| 
									
										
										
										
											2007-05-09 08:23:08 +02:00
										 |  |  |  * Samma på svenska.. | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  |  */ | 
					
						
							| 
									
										
										
										
											2009-01-14 14:14:05 +01:00
										 |  |  | SYSCALL_DEFINE1(setfsgid, gid_t, gid) | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | { | 
					
						
							| 
									
										
											  
											
												CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management.  This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
	struct cred *new = prepare_creds();
	int ret = blah(new);
	if (ret < 0) {
		abort_creds(new);
		return ret;
	}
	return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const.  The purpose of this is compile-time
discouragement of altering credentials through those pointers.  Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
  (1) Its reference count may incremented and decremented.
  (2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
 (1) execve().
     This now prepares and commits credentials in various places in the
     security code rather than altering the current creds directly.
 (2) Temporary credential overrides.
     do_coredump() and sys_faccessat() now prepare their own credentials and
     temporarily override the ones currently on the acting thread, whilst
     preventing interference from other threads by holding cred_replace_mutex
     on the thread being dumped.
     This will be replaced in a future patch by something that hands down the
     credentials directly to the functions being called, rather than altering
     the task's objective credentials.
 (3) LSM interface.
     A number of functions have been changed, added or removed:
     (*) security_capset_check(), ->capset_check()
     (*) security_capset_set(), ->capset_set()
     	 Removed in favour of security_capset().
     (*) security_capset(), ->capset()
     	 New.  This is passed a pointer to the new creds, a pointer to the old
     	 creds and the proposed capability sets.  It should fill in the new
     	 creds or return an error.  All pointers, barring the pointer to the
     	 new creds, are now const.
     (*) security_bprm_apply_creds(), ->bprm_apply_creds()
     	 Changed; now returns a value, which will cause the process to be
     	 killed if it's an error.
     (*) security_task_alloc(), ->task_alloc_security()
     	 Removed in favour of security_prepare_creds().
     (*) security_cred_free(), ->cred_free()
     	 New.  Free security data attached to cred->security.
     (*) security_prepare_creds(), ->cred_prepare()
     	 New. Duplicate any security data attached to cred->security.
     (*) security_commit_creds(), ->cred_commit()
     	 New. Apply any security effects for the upcoming installation of new
     	 security by commit_creds().
     (*) security_task_post_setuid(), ->task_post_setuid()
     	 Removed in favour of security_task_fix_setuid().
     (*) security_task_fix_setuid(), ->task_fix_setuid()
     	 Fix up the proposed new credentials for setuid().  This is used by
     	 cap_set_fix_setuid() to implicitly adjust capabilities in line with
     	 setuid() changes.  Changes are made to the new credentials, rather
     	 than the task itself as in security_task_post_setuid().
     (*) security_task_reparent_to_init(), ->task_reparent_to_init()
     	 Removed.  Instead the task being reparented to init is referred
     	 directly to init's credentials.
	 NOTE!  This results in the loss of some state: SELinux's osid no
	 longer records the sid of the thread that forked it.
     (*) security_key_alloc(), ->key_alloc()
     (*) security_key_permission(), ->key_permission()
     	 Changed.  These now take cred pointers rather than task pointers to
     	 refer to the security context.
 (4) sys_capset().
     This has been simplified and uses less locking.  The LSM functions it
     calls have been merged.
 (5) reparent_to_kthreadd().
     This gives the current thread the same credentials as init by simply using
     commit_thread() to point that way.
 (6) __sigqueue_alloc() and switch_uid()
     __sigqueue_alloc() can't stop the target task from changing its creds
     beneath it, so this function gets a reference to the currently applicable
     user_struct which it then passes into the sigqueue struct it returns if
     successful.
     switch_uid() is now called from commit_creds(), and possibly should be
     folded into that.  commit_creds() should take care of protecting
     __sigqueue_alloc().
 (7) [sg]et[ug]id() and co and [sg]et_current_groups.
     The set functions now all use prepare_creds(), commit_creds() and
     abort_creds() to build and check a new set of credentials before applying
     it.
     security_task_set[ug]id() is called inside the prepared section.  This
     guarantees that nothing else will affect the creds until we've finished.
     The calling of set_dumpable() has been moved into commit_creds().
     Much of the functionality of set_user() has been moved into
     commit_creds().
     The get functions all simply access the data directly.
 (8) security_task_prctl() and cap_task_prctl().
     security_task_prctl() has been modified to return -ENOSYS if it doesn't
     want to handle a function, or otherwise return the return value directly
     rather than through an argument.
     Additionally, cap_task_prctl() now prepares a new set of credentials, even
     if it doesn't end up using it.
 (9) Keyrings.
     A number of changes have been made to the keyrings code:
     (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
     	 all been dropped and built in to the credentials functions directly.
     	 They may want separating out again later.
     (b) key_alloc() and search_process_keyrings() now take a cred pointer
     	 rather than a task pointer to specify the security context.
     (c) copy_creds() gives a new thread within the same thread group a new
     	 thread keyring if its parent had one, otherwise it discards the thread
     	 keyring.
     (d) The authorisation key now points directly to the credentials to extend
     	 the search into rather pointing to the task that carries them.
     (e) Installing thread, process or session keyrings causes a new set of
     	 credentials to be created, even though it's not strictly necessary for
     	 process or session keyrings (they're shared).
(10) Usermode helper.
     The usermode helper code now carries a cred struct pointer in its
     subprocess_info struct instead of a new session keyring pointer.  This set
     of credentials is derived from init_cred and installed on the new process
     after it has been cloned.
     call_usermodehelper_setup() allocates the new credentials and
     call_usermodehelper_freeinfo() discards them if they haven't been used.  A
     special cred function (prepare_usermodeinfo_creds()) is provided
     specifically for call_usermodehelper_setup() to call.
     call_usermodehelper_setkeys() adjusts the credentials to sport the
     supplied keyring as the new session keyring.
(11) SELinux.
     SELinux has a number of changes, in addition to those to support the LSM
     interface changes mentioned above:
     (a) selinux_setprocattr() no longer does its check for whether the
     	 current ptracer can access processes with the new SID inside the lock
     	 that covers getting the ptracer's SID.  Whilst this lock ensures that
     	 the check is done with the ptracer pinned, the result is only valid
     	 until the lock is released, so there's no point doing it inside the
     	 lock.
(12) is_single_threaded().
     This function has been extracted from selinux_setprocattr() and put into
     a file of its own in the lib/ directory as join_session_keyring() now
     wants to use it too.
     The code in SELinux just checked to see whether a task shared mm_structs
     with other tasks (CLONE_VM), but that isn't good enough.  We really want
     to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
     The NFS server daemon now has to use the COW credentials to set the
     credentials it is going to use.  It really needs to pass the credentials
     down to the functions it calls, but it can't do that until other patches
     in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
											
										 
											2008-11-14 10:39:23 +11:00
										 |  |  | 	const struct cred *old; | 
					
						
							|  |  |  | 	struct cred *new; | 
					
						
							|  |  |  | 	gid_t old_fsgid; | 
					
						
							| 
									
										
										
											
												userns: Convert setting and getting uid and gid system calls to use kuid and kgid
Convert setregid, setgid, setreuid, setuid,
setresuid, getresuid, setresgid, getresgid, setfsuid, setfsgid,
getuid, geteuid, getgid, getegid,
waitpid, waitid, wait4.
Convert userspace uids and gids into kuids and kgids before
being placed on struct cred.  Convert struct cred kuids and
kgids into userspace uids and gids when returning them.
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
											
										 
											2012-02-07 18:51:01 -08:00
										 |  |  | 	kgid_t kgid; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	old = current_cred(); | 
					
						
							|  |  |  | 	old_fsgid = from_kgid_munged(old->user_ns, old->fsgid); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	kgid = make_kgid(old->user_ns, gid); | 
					
						
							|  |  |  | 	if (!gid_valid(kgid)) | 
					
						
							|  |  |  | 		return old_fsgid; | 
					
						
							| 
									
										
											  
											
												CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management.  This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
	struct cred *new = prepare_creds();
	int ret = blah(new);
	if (ret < 0) {
		abort_creds(new);
		return ret;
	}
	return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const.  The purpose of this is compile-time
discouragement of altering credentials through those pointers.  Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
  (1) Its reference count may incremented and decremented.
  (2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
 (1) execve().
     This now prepares and commits credentials in various places in the
     security code rather than altering the current creds directly.
 (2) Temporary credential overrides.
     do_coredump() and sys_faccessat() now prepare their own credentials and
     temporarily override the ones currently on the acting thread, whilst
     preventing interference from other threads by holding cred_replace_mutex
     on the thread being dumped.
     This will be replaced in a future patch by something that hands down the
     credentials directly to the functions being called, rather than altering
     the task's objective credentials.
 (3) LSM interface.
     A number of functions have been changed, added or removed:
     (*) security_capset_check(), ->capset_check()
     (*) security_capset_set(), ->capset_set()
     	 Removed in favour of security_capset().
     (*) security_capset(), ->capset()
     	 New.  This is passed a pointer to the new creds, a pointer to the old
     	 creds and the proposed capability sets.  It should fill in the new
     	 creds or return an error.  All pointers, barring the pointer to the
     	 new creds, are now const.
     (*) security_bprm_apply_creds(), ->bprm_apply_creds()
     	 Changed; now returns a value, which will cause the process to be
     	 killed if it's an error.
     (*) security_task_alloc(), ->task_alloc_security()
     	 Removed in favour of security_prepare_creds().
     (*) security_cred_free(), ->cred_free()
     	 New.  Free security data attached to cred->security.
     (*) security_prepare_creds(), ->cred_prepare()
     	 New. Duplicate any security data attached to cred->security.
     (*) security_commit_creds(), ->cred_commit()
     	 New. Apply any security effects for the upcoming installation of new
     	 security by commit_creds().
     (*) security_task_post_setuid(), ->task_post_setuid()
     	 Removed in favour of security_task_fix_setuid().
     (*) security_task_fix_setuid(), ->task_fix_setuid()
     	 Fix up the proposed new credentials for setuid().  This is used by
     	 cap_set_fix_setuid() to implicitly adjust capabilities in line with
     	 setuid() changes.  Changes are made to the new credentials, rather
     	 than the task itself as in security_task_post_setuid().
     (*) security_task_reparent_to_init(), ->task_reparent_to_init()
     	 Removed.  Instead the task being reparented to init is referred
     	 directly to init's credentials.
	 NOTE!  This results in the loss of some state: SELinux's osid no
	 longer records the sid of the thread that forked it.
     (*) security_key_alloc(), ->key_alloc()
     (*) security_key_permission(), ->key_permission()
     	 Changed.  These now take cred pointers rather than task pointers to
     	 refer to the security context.
 (4) sys_capset().
     This has been simplified and uses less locking.  The LSM functions it
     calls have been merged.
 (5) reparent_to_kthreadd().
     This gives the current thread the same credentials as init by simply using
     commit_thread() to point that way.
 (6) __sigqueue_alloc() and switch_uid()
     __sigqueue_alloc() can't stop the target task from changing its creds
     beneath it, so this function gets a reference to the currently applicable
     user_struct which it then passes into the sigqueue struct it returns if
     successful.
     switch_uid() is now called from commit_creds(), and possibly should be
     folded into that.  commit_creds() should take care of protecting
     __sigqueue_alloc().
 (7) [sg]et[ug]id() and co and [sg]et_current_groups.
     The set functions now all use prepare_creds(), commit_creds() and
     abort_creds() to build and check a new set of credentials before applying
     it.
     security_task_set[ug]id() is called inside the prepared section.  This
     guarantees that nothing else will affect the creds until we've finished.
     The calling of set_dumpable() has been moved into commit_creds().
     Much of the functionality of set_user() has been moved into
     commit_creds().
     The get functions all simply access the data directly.
 (8) security_task_prctl() and cap_task_prctl().
     security_task_prctl() has been modified to return -ENOSYS if it doesn't
     want to handle a function, or otherwise return the return value directly
     rather than through an argument.
     Additionally, cap_task_prctl() now prepares a new set of credentials, even
     if it doesn't end up using it.
 (9) Keyrings.
     A number of changes have been made to the keyrings code:
     (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
     	 all been dropped and built in to the credentials functions directly.
     	 They may want separating out again later.
     (b) key_alloc() and search_process_keyrings() now take a cred pointer
     	 rather than a task pointer to specify the security context.
     (c) copy_creds() gives a new thread within the same thread group a new
     	 thread keyring if its parent had one, otherwise it discards the thread
     	 keyring.
     (d) The authorisation key now points directly to the credentials to extend
     	 the search into rather pointing to the task that carries them.
     (e) Installing thread, process or session keyrings causes a new set of
     	 credentials to be created, even though it's not strictly necessary for
     	 process or session keyrings (they're shared).
(10) Usermode helper.
     The usermode helper code now carries a cred struct pointer in its
     subprocess_info struct instead of a new session keyring pointer.  This set
     of credentials is derived from init_cred and installed on the new process
     after it has been cloned.
     call_usermodehelper_setup() allocates the new credentials and
     call_usermodehelper_freeinfo() discards them if they haven't been used.  A
     special cred function (prepare_usermodeinfo_creds()) is provided
     specifically for call_usermodehelper_setup() to call.
     call_usermodehelper_setkeys() adjusts the credentials to sport the
     supplied keyring as the new session keyring.
(11) SELinux.
     SELinux has a number of changes, in addition to those to support the LSM
     interface changes mentioned above:
     (a) selinux_setprocattr() no longer does its check for whether the
     	 current ptracer can access processes with the new SID inside the lock
     	 that covers getting the ptracer's SID.  Whilst this lock ensures that
     	 the check is done with the ptracer pinned, the result is only valid
     	 until the lock is released, so there's no point doing it inside the
     	 lock.
(12) is_single_threaded().
     This function has been extracted from selinux_setprocattr() and put into
     a file of its own in the lib/ directory as join_session_keyring() now
     wants to use it too.
     The code in SELinux just checked to see whether a task shared mm_structs
     with other tasks (CLONE_VM), but that isn't good enough.  We really want
     to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
     The NFS server daemon now has to use the COW credentials to set the
     credentials it is going to use.  It really needs to pass the credentials
     down to the functions it calls, but it can't do that until other patches
     in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
											
										 
											2008-11-14 10:39:23 +11:00
										 |  |  | 
 | 
					
						
							|  |  |  | 	new = prepare_creds(); | 
					
						
							|  |  |  | 	if (!new) | 
					
						
							| 
									
										
										
											
												userns: Convert setting and getting uid and gid system calls to use kuid and kgid
Convert setregid, setgid, setreuid, setuid,
setresuid, getresuid, setresgid, getresgid, setfsuid, setfsgid,
getuid, geteuid, getgid, getegid,
waitpid, waitid, wait4.
Convert userspace uids and gids into kuids and kgids before
being placed on struct cred.  Convert struct cred kuids and
kgids into userspace uids and gids when returning them.
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
											
										 
											2012-02-07 18:51:01 -08:00
										 |  |  | 		return old_fsgid; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
											
												userns: Convert setting and getting uid and gid system calls to use kuid and kgid
Convert setregid, setgid, setreuid, setuid,
setresuid, getresuid, setresgid, getresgid, setfsuid, setfsgid,
getuid, geteuid, getgid, getegid,
waitpid, waitid, wait4.
Convert userspace uids and gids into kuids and kgids before
being placed on struct cred.  Convert struct cred kuids and
kgids into userspace uids and gids when returning them.
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
											
										 
											2012-02-07 18:51:01 -08:00
										 |  |  | 	if (gid_eq(kgid, old->gid)  || gid_eq(kgid, old->egid)  || | 
					
						
							|  |  |  | 	    gid_eq(kgid, old->sgid) || gid_eq(kgid, old->fsgid) || | 
					
						
							| 
									
										
										
										
											2013-03-20 12:49:49 -07:00
										 |  |  | 	    ns_capable(old->user_ns, CAP_SETGID)) { | 
					
						
							| 
									
										
										
											
												userns: Convert setting and getting uid and gid system calls to use kuid and kgid
Convert setregid, setgid, setreuid, setuid,
setresuid, getresuid, setresgid, getresgid, setfsuid, setfsgid,
getuid, geteuid, getgid, getegid,
waitpid, waitid, wait4.
Convert userspace uids and gids into kuids and kgids before
being placed on struct cred.  Convert struct cred kuids and
kgids into userspace uids and gids when returning them.
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
											
										 
											2012-02-07 18:51:01 -08:00
										 |  |  | 		if (!gid_eq(kgid, old->fsgid)) { | 
					
						
							|  |  |  | 			new->fsgid = kgid; | 
					
						
							| 
									
										
											  
											
												CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management.  This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
	struct cred *new = prepare_creds();
	int ret = blah(new);
	if (ret < 0) {
		abort_creds(new);
		return ret;
	}
	return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const.  The purpose of this is compile-time
discouragement of altering credentials through those pointers.  Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
  (1) Its reference count may incremented and decremented.
  (2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
 (1) execve().
     This now prepares and commits credentials in various places in the
     security code rather than altering the current creds directly.
 (2) Temporary credential overrides.
     do_coredump() and sys_faccessat() now prepare their own credentials and
     temporarily override the ones currently on the acting thread, whilst
     preventing interference from other threads by holding cred_replace_mutex
     on the thread being dumped.
     This will be replaced in a future patch by something that hands down the
     credentials directly to the functions being called, rather than altering
     the task's objective credentials.
 (3) LSM interface.
     A number of functions have been changed, added or removed:
     (*) security_capset_check(), ->capset_check()
     (*) security_capset_set(), ->capset_set()
     	 Removed in favour of security_capset().
     (*) security_capset(), ->capset()
     	 New.  This is passed a pointer to the new creds, a pointer to the old
     	 creds and the proposed capability sets.  It should fill in the new
     	 creds or return an error.  All pointers, barring the pointer to the
     	 new creds, are now const.
     (*) security_bprm_apply_creds(), ->bprm_apply_creds()
     	 Changed; now returns a value, which will cause the process to be
     	 killed if it's an error.
     (*) security_task_alloc(), ->task_alloc_security()
     	 Removed in favour of security_prepare_creds().
     (*) security_cred_free(), ->cred_free()
     	 New.  Free security data attached to cred->security.
     (*) security_prepare_creds(), ->cred_prepare()
     	 New. Duplicate any security data attached to cred->security.
     (*) security_commit_creds(), ->cred_commit()
     	 New. Apply any security effects for the upcoming installation of new
     	 security by commit_creds().
     (*) security_task_post_setuid(), ->task_post_setuid()
     	 Removed in favour of security_task_fix_setuid().
     (*) security_task_fix_setuid(), ->task_fix_setuid()
     	 Fix up the proposed new credentials for setuid().  This is used by
     	 cap_set_fix_setuid() to implicitly adjust capabilities in line with
     	 setuid() changes.  Changes are made to the new credentials, rather
     	 than the task itself as in security_task_post_setuid().
     (*) security_task_reparent_to_init(), ->task_reparent_to_init()
     	 Removed.  Instead the task being reparented to init is referred
     	 directly to init's credentials.
	 NOTE!  This results in the loss of some state: SELinux's osid no
	 longer records the sid of the thread that forked it.
     (*) security_key_alloc(), ->key_alloc()
     (*) security_key_permission(), ->key_permission()
     	 Changed.  These now take cred pointers rather than task pointers to
     	 refer to the security context.
 (4) sys_capset().
     This has been simplified and uses less locking.  The LSM functions it
     calls have been merged.
 (5) reparent_to_kthreadd().
     This gives the current thread the same credentials as init by simply using
     commit_thread() to point that way.
 (6) __sigqueue_alloc() and switch_uid()
     __sigqueue_alloc() can't stop the target task from changing its creds
     beneath it, so this function gets a reference to the currently applicable
     user_struct which it then passes into the sigqueue struct it returns if
     successful.
     switch_uid() is now called from commit_creds(), and possibly should be
     folded into that.  commit_creds() should take care of protecting
     __sigqueue_alloc().
 (7) [sg]et[ug]id() and co and [sg]et_current_groups.
     The set functions now all use prepare_creds(), commit_creds() and
     abort_creds() to build and check a new set of credentials before applying
     it.
     security_task_set[ug]id() is called inside the prepared section.  This
     guarantees that nothing else will affect the creds until we've finished.
     The calling of set_dumpable() has been moved into commit_creds().
     Much of the functionality of set_user() has been moved into
     commit_creds().
     The get functions all simply access the data directly.
 (8) security_task_prctl() and cap_task_prctl().
     security_task_prctl() has been modified to return -ENOSYS if it doesn't
     want to handle a function, or otherwise return the return value directly
     rather than through an argument.
     Additionally, cap_task_prctl() now prepares a new set of credentials, even
     if it doesn't end up using it.
 (9) Keyrings.
     A number of changes have been made to the keyrings code:
     (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
     	 all been dropped and built in to the credentials functions directly.
     	 They may want separating out again later.
     (b) key_alloc() and search_process_keyrings() now take a cred pointer
     	 rather than a task pointer to specify the security context.
     (c) copy_creds() gives a new thread within the same thread group a new
     	 thread keyring if its parent had one, otherwise it discards the thread
     	 keyring.
     (d) The authorisation key now points directly to the credentials to extend
     	 the search into rather pointing to the task that carries them.
     (e) Installing thread, process or session keyrings causes a new set of
     	 credentials to be created, even though it's not strictly necessary for
     	 process or session keyrings (they're shared).
(10) Usermode helper.
     The usermode helper code now carries a cred struct pointer in its
     subprocess_info struct instead of a new session keyring pointer.  This set
     of credentials is derived from init_cred and installed on the new process
     after it has been cloned.
     call_usermodehelper_setup() allocates the new credentials and
     call_usermodehelper_freeinfo() discards them if they haven't been used.  A
     special cred function (prepare_usermodeinfo_creds()) is provided
     specifically for call_usermodehelper_setup() to call.
     call_usermodehelper_setkeys() adjusts the credentials to sport the
     supplied keyring as the new session keyring.
(11) SELinux.
     SELinux has a number of changes, in addition to those to support the LSM
     interface changes mentioned above:
     (a) selinux_setprocattr() no longer does its check for whether the
     	 current ptracer can access processes with the new SID inside the lock
     	 that covers getting the ptracer's SID.  Whilst this lock ensures that
     	 the check is done with the ptracer pinned, the result is only valid
     	 until the lock is released, so there's no point doing it inside the
     	 lock.
(12) is_single_threaded().
     This function has been extracted from selinux_setprocattr() and put into
     a file of its own in the lib/ directory as join_session_keyring() now
     wants to use it too.
     The code in SELinux just checked to see whether a task shared mm_structs
     with other tasks (CLONE_VM), but that isn't good enough.  We really want
     to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
     The NFS server daemon now has to use the COW credentials to set the
     credentials it is going to use.  It really needs to pass the credentials
     down to the functions it calls, but it can't do that until other patches
     in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
											
										 
											2008-11-14 10:39:23 +11:00
										 |  |  | 			goto change_okay; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 		} | 
					
						
							|  |  |  | 	} | 
					
						
							| 
									
										
											  
											
												CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management.  This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
	struct cred *new = prepare_creds();
	int ret = blah(new);
	if (ret < 0) {
		abort_creds(new);
		return ret;
	}
	return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const.  The purpose of this is compile-time
discouragement of altering credentials through those pointers.  Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
  (1) Its reference count may incremented and decremented.
  (2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
 (1) execve().
     This now prepares and commits credentials in various places in the
     security code rather than altering the current creds directly.
 (2) Temporary credential overrides.
     do_coredump() and sys_faccessat() now prepare their own credentials and
     temporarily override the ones currently on the acting thread, whilst
     preventing interference from other threads by holding cred_replace_mutex
     on the thread being dumped.
     This will be replaced in a future patch by something that hands down the
     credentials directly to the functions being called, rather than altering
     the task's objective credentials.
 (3) LSM interface.
     A number of functions have been changed, added or removed:
     (*) security_capset_check(), ->capset_check()
     (*) security_capset_set(), ->capset_set()
     	 Removed in favour of security_capset().
     (*) security_capset(), ->capset()
     	 New.  This is passed a pointer to the new creds, a pointer to the old
     	 creds and the proposed capability sets.  It should fill in the new
     	 creds or return an error.  All pointers, barring the pointer to the
     	 new creds, are now const.
     (*) security_bprm_apply_creds(), ->bprm_apply_creds()
     	 Changed; now returns a value, which will cause the process to be
     	 killed if it's an error.
     (*) security_task_alloc(), ->task_alloc_security()
     	 Removed in favour of security_prepare_creds().
     (*) security_cred_free(), ->cred_free()
     	 New.  Free security data attached to cred->security.
     (*) security_prepare_creds(), ->cred_prepare()
     	 New. Duplicate any security data attached to cred->security.
     (*) security_commit_creds(), ->cred_commit()
     	 New. Apply any security effects for the upcoming installation of new
     	 security by commit_creds().
     (*) security_task_post_setuid(), ->task_post_setuid()
     	 Removed in favour of security_task_fix_setuid().
     (*) security_task_fix_setuid(), ->task_fix_setuid()
     	 Fix up the proposed new credentials for setuid().  This is used by
     	 cap_set_fix_setuid() to implicitly adjust capabilities in line with
     	 setuid() changes.  Changes are made to the new credentials, rather
     	 than the task itself as in security_task_post_setuid().
     (*) security_task_reparent_to_init(), ->task_reparent_to_init()
     	 Removed.  Instead the task being reparented to init is referred
     	 directly to init's credentials.
	 NOTE!  This results in the loss of some state: SELinux's osid no
	 longer records the sid of the thread that forked it.
     (*) security_key_alloc(), ->key_alloc()
     (*) security_key_permission(), ->key_permission()
     	 Changed.  These now take cred pointers rather than task pointers to
     	 refer to the security context.
 (4) sys_capset().
     This has been simplified and uses less locking.  The LSM functions it
     calls have been merged.
 (5) reparent_to_kthreadd().
     This gives the current thread the same credentials as init by simply using
     commit_thread() to point that way.
 (6) __sigqueue_alloc() and switch_uid()
     __sigqueue_alloc() can't stop the target task from changing its creds
     beneath it, so this function gets a reference to the currently applicable
     user_struct which it then passes into the sigqueue struct it returns if
     successful.
     switch_uid() is now called from commit_creds(), and possibly should be
     folded into that.  commit_creds() should take care of protecting
     __sigqueue_alloc().
 (7) [sg]et[ug]id() and co and [sg]et_current_groups.
     The set functions now all use prepare_creds(), commit_creds() and
     abort_creds() to build and check a new set of credentials before applying
     it.
     security_task_set[ug]id() is called inside the prepared section.  This
     guarantees that nothing else will affect the creds until we've finished.
     The calling of set_dumpable() has been moved into commit_creds().
     Much of the functionality of set_user() has been moved into
     commit_creds().
     The get functions all simply access the data directly.
 (8) security_task_prctl() and cap_task_prctl().
     security_task_prctl() has been modified to return -ENOSYS if it doesn't
     want to handle a function, or otherwise return the return value directly
     rather than through an argument.
     Additionally, cap_task_prctl() now prepares a new set of credentials, even
     if it doesn't end up using it.
 (9) Keyrings.
     A number of changes have been made to the keyrings code:
     (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
     	 all been dropped and built in to the credentials functions directly.
     	 They may want separating out again later.
     (b) key_alloc() and search_process_keyrings() now take a cred pointer
     	 rather than a task pointer to specify the security context.
     (c) copy_creds() gives a new thread within the same thread group a new
     	 thread keyring if its parent had one, otherwise it discards the thread
     	 keyring.
     (d) The authorisation key now points directly to the credentials to extend
     	 the search into rather pointing to the task that carries them.
     (e) Installing thread, process or session keyrings causes a new set of
     	 credentials to be created, even though it's not strictly necessary for
     	 process or session keyrings (they're shared).
(10) Usermode helper.
     The usermode helper code now carries a cred struct pointer in its
     subprocess_info struct instead of a new session keyring pointer.  This set
     of credentials is derived from init_cred and installed on the new process
     after it has been cloned.
     call_usermodehelper_setup() allocates the new credentials and
     call_usermodehelper_freeinfo() discards them if they haven't been used.  A
     special cred function (prepare_usermodeinfo_creds()) is provided
     specifically for call_usermodehelper_setup() to call.
     call_usermodehelper_setkeys() adjusts the credentials to sport the
     supplied keyring as the new session keyring.
(11) SELinux.
     SELinux has a number of changes, in addition to those to support the LSM
     interface changes mentioned above:
     (a) selinux_setprocattr() no longer does its check for whether the
     	 current ptracer can access processes with the new SID inside the lock
     	 that covers getting the ptracer's SID.  Whilst this lock ensures that
     	 the check is done with the ptracer pinned, the result is only valid
     	 until the lock is released, so there's no point doing it inside the
     	 lock.
(12) is_single_threaded().
     This function has been extracted from selinux_setprocattr() and put into
     a file of its own in the lib/ directory as join_session_keyring() now
     wants to use it too.
     The code in SELinux just checked to see whether a task shared mm_structs
     with other tasks (CLONE_VM), but that isn't good enough.  We really want
     to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
     The NFS server daemon now has to use the COW credentials to set the
     credentials it is going to use.  It really needs to pass the credentials
     down to the functions it calls, but it can't do that until other patches
     in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
											
										 
											2008-11-14 10:39:23 +11:00
										 |  |  | 
 | 
					
						
							|  |  |  | 	abort_creds(new); | 
					
						
							|  |  |  | 	return old_fsgid; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | change_okay: | 
					
						
							|  |  |  | 	commit_creds(new); | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 	return old_fsgid; | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2013-04-30 15:27:37 -07:00
										 |  |  | /**
 | 
					
						
							|  |  |  |  * sys_getpid - return the thread group id of the current process | 
					
						
							|  |  |  |  * | 
					
						
							|  |  |  |  * Note, despite the name, this returns the tgid not the pid.  The tgid and | 
					
						
							|  |  |  |  * the pid are identical unless CLONE_THREAD was specified on clone() in | 
					
						
							|  |  |  |  * which case the tgid is the same in all threads of the same group. | 
					
						
							|  |  |  |  * | 
					
						
							|  |  |  |  * This is SMP safe as current->tgid does not change. | 
					
						
							|  |  |  |  */ | 
					
						
							|  |  |  | SYSCALL_DEFINE0(getpid) | 
					
						
							|  |  |  | { | 
					
						
							|  |  |  | 	return task_tgid_vnr(current); | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | /* Thread ID - the internal kernel "pid" */ | 
					
						
							|  |  |  | SYSCALL_DEFINE0(gettid) | 
					
						
							|  |  |  | { | 
					
						
							|  |  |  | 	return task_pid_vnr(current); | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | /*
 | 
					
						
							|  |  |  |  * Accessing ->real_parent is not SMP-safe, it could | 
					
						
							|  |  |  |  * change from under us. However, we can use a stale | 
					
						
							|  |  |  |  * value of ->real_parent under rcu_read_lock(), see | 
					
						
							|  |  |  |  * release_task()->call_rcu(delayed_put_task_struct). | 
					
						
							|  |  |  |  */ | 
					
						
							|  |  |  | SYSCALL_DEFINE0(getppid) | 
					
						
							|  |  |  | { | 
					
						
							|  |  |  | 	int pid; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	rcu_read_lock(); | 
					
						
							|  |  |  | 	pid = task_tgid_vnr(rcu_dereference(current->real_parent)); | 
					
						
							|  |  |  | 	rcu_read_unlock(); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	return pid; | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | SYSCALL_DEFINE0(getuid) | 
					
						
							|  |  |  | { | 
					
						
							|  |  |  | 	/* Only we change this so SMP safe */ | 
					
						
							|  |  |  | 	return from_kuid_munged(current_user_ns(), current_uid()); | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | SYSCALL_DEFINE0(geteuid) | 
					
						
							|  |  |  | { | 
					
						
							|  |  |  | 	/* Only we change this so SMP safe */ | 
					
						
							|  |  |  | 	return from_kuid_munged(current_user_ns(), current_euid()); | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | SYSCALL_DEFINE0(getgid) | 
					
						
							|  |  |  | { | 
					
						
							|  |  |  | 	/* Only we change this so SMP safe */ | 
					
						
							|  |  |  | 	return from_kgid_munged(current_user_ns(), current_gid()); | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | SYSCALL_DEFINE0(getegid) | 
					
						
							|  |  |  | { | 
					
						
							|  |  |  | 	/* Only we change this so SMP safe */ | 
					
						
							|  |  |  | 	return from_kgid_munged(current_user_ns(), current_egid()); | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
											  
											
												timers: fix itimer/many thread hang
Overview
This patch reworks the handling of POSIX CPU timers, including the
ITIMER_PROF, ITIMER_VIRT timers and rlimit handling.  It was put together
with the help of Roland McGrath, the owner and original writer of this code.
The problem we ran into, and the reason for this rework, has to do with using
a profiling timer in a process with a large number of threads.  It appears
that the performance of the old implementation of run_posix_cpu_timers() was
at least O(n*3) (where "n" is the number of threads in a process) or worse.
Everything is fine with an increasing number of threads until the time taken
for that routine to run becomes the same as or greater than the tick time, at
which point things degrade rather quickly.
This patch fixes bug 9906, "Weird hang with NPTL and SIGPROF."
Code Changes
This rework corrects the implementation of run_posix_cpu_timers() to make it
run in constant time for a particular machine.  (Performance may vary between
one machine and another depending upon whether the kernel is built as single-
or multiprocessor and, in the latter case, depending upon the number of
running processors.)  To do this, at each tick we now update fields in
signal_struct as well as task_struct.  The run_posix_cpu_timers() function
uses those fields to make its decisions.
We define a new structure, "task_cputime," to contain user, system and
scheduler times and use these in appropriate places:
struct task_cputime {
	cputime_t utime;
	cputime_t stime;
	unsigned long long sum_exec_runtime;
};
This is included in the structure "thread_group_cputime," which is a new
substructure of signal_struct and which varies for uniprocessor versus
multiprocessor kernels.  For uniprocessor kernels, it uses "task_cputime" as
a simple substructure, while for multiprocessor kernels it is a pointer:
struct thread_group_cputime {
	struct task_cputime totals;
};
struct thread_group_cputime {
	struct task_cputime *totals;
};
We also add a new task_cputime substructure directly to signal_struct, to
cache the earliest expiration of process-wide timers, and task_cputime also
replaces the it_*_expires fields of task_struct (used for earliest expiration
of thread timers).  The "thread_group_cputime" structure contains process-wide
timers that are updated via account_user_time() and friends.  In the non-SMP
case the structure is a simple aggregator; unfortunately in the SMP case that
simplicity was not achievable due to cache-line contention between CPUs (in
one measured case performance was actually _worse_ on a 16-cpu system than
the same test on a 4-cpu system, due to this contention).  For SMP, the
thread_group_cputime counters are maintained as a per-cpu structure allocated
using alloc_percpu().  The timer functions update only the timer field in
the structure corresponding to the running CPU, obtained using per_cpu_ptr().
We define a set of inline functions in sched.h that we use to maintain the
thread_group_cputime structure and hide the differences between UP and SMP
implementations from the rest of the kernel.  The thread_group_cputime_init()
function initializes the thread_group_cputime structure for the given task.
The thread_group_cputime_alloc() is a no-op for UP; for SMP it calls the
out-of-line function thread_group_cputime_alloc_smp() to allocate and fill
in the per-cpu structures and fields.  The thread_group_cputime_free()
function, also a no-op for UP, in SMP frees the per-cpu structures.  The
thread_group_cputime_clone_thread() function (also a UP no-op) for SMP calls
thread_group_cputime_alloc() if the per-cpu structures haven't yet been
allocated.  The thread_group_cputime() function fills the task_cputime
structure it is passed with the contents of the thread_group_cputime fields;
in UP it's that simple but in SMP it must also safely check that tsk->signal
is non-NULL (if it is it just uses the appropriate fields of task_struct) and,
if so, sums the per-cpu values for each online CPU.  Finally, the three
functions account_group_user_time(), account_group_system_time() and
account_group_exec_runtime() are used by timer functions to update the
respective fields of the thread_group_cputime structure.
Non-SMP operation is trivial and will not be mentioned further.
The per-cpu structure is always allocated when a task creates its first new
thread, via a call to thread_group_cputime_clone_thread() from copy_signal().
It is freed at process exit via a call to thread_group_cputime_free() from
cleanup_signal().
All functions that formerly summed utime/stime/sum_sched_runtime values from
from all threads in the thread group now use thread_group_cputime() to
snapshot the values in the thread_group_cputime structure or the values in
the task structure itself if the per-cpu structure hasn't been allocated.
Finally, the code in kernel/posix-cpu-timers.c has changed quite a bit.
The run_posix_cpu_timers() function has been split into a fast path and a
slow path; the former safely checks whether there are any expired thread
timers and, if not, just returns, while the slow path does the heavy lifting.
With the dedicated thread group fields, timers are no longer "rebalanced" and
the process_timer_rebalance() function and related code has gone away.  All
summing loops are gone and all code that used them now uses the
thread_group_cputime() inline.  When process-wide timers are set, the new
task_cputime structure in signal_struct is used to cache the earliest
expiration; this is checked in the fast path.
Performance
The fix appears not to add significant overhead to existing operations.  It
generally performs the same as the current code except in two cases, one in
which it performs slightly worse (Case 5 below) and one in which it performs
very significantly better (Case 2 below).  Overall it's a wash except in those
two cases.
I've since done somewhat more involved testing on a dual-core Opteron system.
Case 1: With no itimer running, for a test with 100,000 threads, the fixed
	kernel took 1428.5 seconds, 513 seconds more than the unfixed system,
	all of which was spent in the system.  There were twice as many
	voluntary context switches with the fix as without it.
Case 2: With an itimer running at .01 second ticks and 4000 threads (the most
	an unmodified kernel can handle), the fixed kernel ran the test in
	eight percent of the time (5.8 seconds as opposed to 70 seconds) and
	had better tick accuracy (.012 seconds per tick as opposed to .023
	seconds per tick).
Case 3: A 4000-thread test with an initial timer tick of .01 second and an
	interval of 10,000 seconds (i.e. a timer that ticks only once) had
	very nearly the same performance in both cases:  6.3 seconds elapsed
	for the fixed kernel versus 5.5 seconds for the unfixed kernel.
With fewer threads (eight in these tests), the Case 1 test ran in essentially
the same time on both the modified and unmodified kernels (5.2 seconds versus
5.8 seconds).  The Case 2 test ran in about the same time as well, 5.9 seconds
versus 5.4 seconds but again with much better tick accuracy, .013 seconds per
tick versus .025 seconds per tick for the unmodified kernel.
Since the fix affected the rlimit code, I also tested soft and hard CPU limits.
Case 4: With a hard CPU limit of 20 seconds and eight threads (and an itimer
	running), the modified kernel was very slightly favored in that while
	it killed the process in 19.997 seconds of CPU time (5.002 seconds of
	wall time), only .003 seconds of that was system time, the rest was
	user time.  The unmodified kernel killed the process in 20.001 seconds
	of CPU (5.014 seconds of wall time) of which .016 seconds was system
	time.  Really, though, the results were too close to call.  The results
	were essentially the same with no itimer running.
Case 5: With a soft limit of 20 seconds and a hard limit of 2000 seconds
	(where the hard limit would never be reached) and an itimer running,
	the modified kernel exhibited worse tick accuracy than the unmodified
	kernel: .050 seconds/tick versus .028 seconds/tick.  Otherwise,
	performance was almost indistinguishable.  With no itimer running this
	test exhibited virtually identical behavior and times in both cases.
In times past I did some limited performance testing.  those results are below.
On a four-cpu Opteron system without this fix, a sixteen-thread test executed
in 3569.991 seconds, of which user was 3568.435s and system was 1.556s.  On
the same system with the fix, user and elapsed time were about the same, but
system time dropped to 0.007 seconds.  Performance with eight, four and one
thread were comparable.  Interestingly, the timer ticks with the fix seemed
more accurate:  The sixteen-thread test with the fix received 149543 ticks
for 0.024 seconds per tick, while the same test without the fix received 58720
for 0.061 seconds per tick.  Both cases were configured for an interval of
0.01 seconds.  Again, the other tests were comparable.  Each thread in this
test computed the primes up to 25,000,000.
I also did a test with a large number of threads, 100,000 threads, which is
impossible without the fix.  In this case each thread computed the primes only
up to 10,000 (to make the runtime manageable).  System time dominated, at
1546.968 seconds out of a total 2176.906 seconds (giving a user time of
629.938s).  It received 147651 ticks for 0.015 seconds per tick, still quite
accurate.  There is obviously no comparable test without the fix.
Signed-off-by: Frank Mayhar <fmayhar@google.com>
Cc: Roland McGrath <roland@redhat.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
											
										 
											2008-09-12 09:54:39 -07:00
										 |  |  | void do_sys_times(struct tms *tms) | 
					
						
							|  |  |  | { | 
					
						
							| 
									
										
											  
											
												sched, cputime: Introduce thread_group_times()
This is a real fix for problem of utime/stime values decreasing
described in the thread:
   http://lkml.org/lkml/2009/11/3/522
Now cputime is accounted in the following way:
 - {u,s}time in task_struct are increased every time when the thread
   is interrupted by a tick (timer interrupt).
 - When a thread exits, its {u,s}time are added to signal->{u,s}time,
   after adjusted by task_times().
 - When all threads in a thread_group exits, accumulated {u,s}time
   (and also c{u,s}time) in signal struct are added to c{u,s}time
   in signal struct of the group's parent.
So {u,s}time in task struct are "raw" tick count, while
{u,s}time and c{u,s}time in signal struct are "adjusted" values.
And accounted values are used by:
 - task_times(), to get cputime of a thread:
   This function returns adjusted values that originates from raw
   {u,s}time and scaled by sum_exec_runtime that accounted by CFS.
 - thread_group_cputime(), to get cputime of a thread group:
   This function returns sum of all {u,s}time of living threads in
   the group, plus {u,s}time in the signal struct that is sum of
   adjusted cputimes of all exited threads belonged to the group.
The problem is the return value of thread_group_cputime(),
because it is mixed sum of "raw" value and "adjusted" value:
  group's {u,s}time = foreach(thread){{u,s}time} + exited({u,s}time)
This misbehavior can break {u,s}time monotonicity.
Assume that if there is a thread that have raw values greater
than adjusted values (e.g. interrupted by 1000Hz ticks 50 times
but only runs 45ms) and if it exits, cputime will decrease (e.g.
-5ms).
To fix this, we could do:
  group's {u,s}time = foreach(t){task_times(t)} + exited({u,s}time)
But task_times() contains hard divisions, so applying it for
every thread should be avoided.
This patch fixes the above problem in the following way:
 - Modify thread's exit (= __exit_signal()) not to use task_times().
   It means {u,s}time in signal struct accumulates raw values instead
   of adjusted values.  As the result it makes thread_group_cputime()
   to return pure sum of "raw" values.
 - Introduce a new function thread_group_times(*task, *utime, *stime)
   that converts "raw" values of thread_group_cputime() to "adjusted"
   values, in same calculation procedure as task_times().
 - Modify group's exit (= wait_task_zombie()) to use this introduced
   thread_group_times().  It make c{u,s}time in signal struct to
   have adjusted values like before this patch.
 - Replace some thread_group_cputime() by thread_group_times().
   This replacements are only applied where conveys the "adjusted"
   cputime to users, and where already uses task_times() near by it.
   (i.e. sys_times(), getrusage(), and /proc/<PID>/stat.)
This patch have a positive side effect:
 - Before this patch, if a group contains many short-life threads
   (e.g. runs 0.9ms and not interrupted by ticks), the group's
   cputime could be invisible since thread's cputime was accumulated
   after adjusted: imagine adjustment function as adj(ticks, runtime),
     {adj(0, 0.9) + adj(0, 0.9) + ....} = {0 + 0 + ....} = 0.
   After this patch it will not happen because the adjustment is
   applied after accumulated.
v2:
 - remove if()s, put new variables into signal_struct.
Signed-off-by: Hidetoshi Seto <seto.hidetoshi@jp.fujitsu.com>
Acked-by: Peter Zijlstra <peterz@infradead.org>
Cc: Spencer Candland <spencer@bluehost.com>
Cc: Americo Wang <xiyou.wangcong@gmail.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Balbir Singh <balbir@in.ibm.com>
Cc: Stanislaw Gruszka <sgruszka@redhat.com>
LKML-Reference: <4B162517.8040909@jp.fujitsu.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
											
										 
											2009-12-02 17:28:07 +09:00
										 |  |  | 	cputime_t tgutime, tgstime, cutime, cstime; | 
					
						
							| 
									
										
											  
											
												timers: fix itimer/many thread hang
Overview
This patch reworks the handling of POSIX CPU timers, including the
ITIMER_PROF, ITIMER_VIRT timers and rlimit handling.  It was put together
with the help of Roland McGrath, the owner and original writer of this code.
The problem we ran into, and the reason for this rework, has to do with using
a profiling timer in a process with a large number of threads.  It appears
that the performance of the old implementation of run_posix_cpu_timers() was
at least O(n*3) (where "n" is the number of threads in a process) or worse.
Everything is fine with an increasing number of threads until the time taken
for that routine to run becomes the same as or greater than the tick time, at
which point things degrade rather quickly.
This patch fixes bug 9906, "Weird hang with NPTL and SIGPROF."
Code Changes
This rework corrects the implementation of run_posix_cpu_timers() to make it
run in constant time for a particular machine.  (Performance may vary between
one machine and another depending upon whether the kernel is built as single-
or multiprocessor and, in the latter case, depending upon the number of
running processors.)  To do this, at each tick we now update fields in
signal_struct as well as task_struct.  The run_posix_cpu_timers() function
uses those fields to make its decisions.
We define a new structure, "task_cputime," to contain user, system and
scheduler times and use these in appropriate places:
struct task_cputime {
	cputime_t utime;
	cputime_t stime;
	unsigned long long sum_exec_runtime;
};
This is included in the structure "thread_group_cputime," which is a new
substructure of signal_struct and which varies for uniprocessor versus
multiprocessor kernels.  For uniprocessor kernels, it uses "task_cputime" as
a simple substructure, while for multiprocessor kernels it is a pointer:
struct thread_group_cputime {
	struct task_cputime totals;
};
struct thread_group_cputime {
	struct task_cputime *totals;
};
We also add a new task_cputime substructure directly to signal_struct, to
cache the earliest expiration of process-wide timers, and task_cputime also
replaces the it_*_expires fields of task_struct (used for earliest expiration
of thread timers).  The "thread_group_cputime" structure contains process-wide
timers that are updated via account_user_time() and friends.  In the non-SMP
case the structure is a simple aggregator; unfortunately in the SMP case that
simplicity was not achievable due to cache-line contention between CPUs (in
one measured case performance was actually _worse_ on a 16-cpu system than
the same test on a 4-cpu system, due to this contention).  For SMP, the
thread_group_cputime counters are maintained as a per-cpu structure allocated
using alloc_percpu().  The timer functions update only the timer field in
the structure corresponding to the running CPU, obtained using per_cpu_ptr().
We define a set of inline functions in sched.h that we use to maintain the
thread_group_cputime structure and hide the differences between UP and SMP
implementations from the rest of the kernel.  The thread_group_cputime_init()
function initializes the thread_group_cputime structure for the given task.
The thread_group_cputime_alloc() is a no-op for UP; for SMP it calls the
out-of-line function thread_group_cputime_alloc_smp() to allocate and fill
in the per-cpu structures and fields.  The thread_group_cputime_free()
function, also a no-op for UP, in SMP frees the per-cpu structures.  The
thread_group_cputime_clone_thread() function (also a UP no-op) for SMP calls
thread_group_cputime_alloc() if the per-cpu structures haven't yet been
allocated.  The thread_group_cputime() function fills the task_cputime
structure it is passed with the contents of the thread_group_cputime fields;
in UP it's that simple but in SMP it must also safely check that tsk->signal
is non-NULL (if it is it just uses the appropriate fields of task_struct) and,
if so, sums the per-cpu values for each online CPU.  Finally, the three
functions account_group_user_time(), account_group_system_time() and
account_group_exec_runtime() are used by timer functions to update the
respective fields of the thread_group_cputime structure.
Non-SMP operation is trivial and will not be mentioned further.
The per-cpu structure is always allocated when a task creates its first new
thread, via a call to thread_group_cputime_clone_thread() from copy_signal().
It is freed at process exit via a call to thread_group_cputime_free() from
cleanup_signal().
All functions that formerly summed utime/stime/sum_sched_runtime values from
from all threads in the thread group now use thread_group_cputime() to
snapshot the values in the thread_group_cputime structure or the values in
the task structure itself if the per-cpu structure hasn't been allocated.
Finally, the code in kernel/posix-cpu-timers.c has changed quite a bit.
The run_posix_cpu_timers() function has been split into a fast path and a
slow path; the former safely checks whether there are any expired thread
timers and, if not, just returns, while the slow path does the heavy lifting.
With the dedicated thread group fields, timers are no longer "rebalanced" and
the process_timer_rebalance() function and related code has gone away.  All
summing loops are gone and all code that used them now uses the
thread_group_cputime() inline.  When process-wide timers are set, the new
task_cputime structure in signal_struct is used to cache the earliest
expiration; this is checked in the fast path.
Performance
The fix appears not to add significant overhead to existing operations.  It
generally performs the same as the current code except in two cases, one in
which it performs slightly worse (Case 5 below) and one in which it performs
very significantly better (Case 2 below).  Overall it's a wash except in those
two cases.
I've since done somewhat more involved testing on a dual-core Opteron system.
Case 1: With no itimer running, for a test with 100,000 threads, the fixed
	kernel took 1428.5 seconds, 513 seconds more than the unfixed system,
	all of which was spent in the system.  There were twice as many
	voluntary context switches with the fix as without it.
Case 2: With an itimer running at .01 second ticks and 4000 threads (the most
	an unmodified kernel can handle), the fixed kernel ran the test in
	eight percent of the time (5.8 seconds as opposed to 70 seconds) and
	had better tick accuracy (.012 seconds per tick as opposed to .023
	seconds per tick).
Case 3: A 4000-thread test with an initial timer tick of .01 second and an
	interval of 10,000 seconds (i.e. a timer that ticks only once) had
	very nearly the same performance in both cases:  6.3 seconds elapsed
	for the fixed kernel versus 5.5 seconds for the unfixed kernel.
With fewer threads (eight in these tests), the Case 1 test ran in essentially
the same time on both the modified and unmodified kernels (5.2 seconds versus
5.8 seconds).  The Case 2 test ran in about the same time as well, 5.9 seconds
versus 5.4 seconds but again with much better tick accuracy, .013 seconds per
tick versus .025 seconds per tick for the unmodified kernel.
Since the fix affected the rlimit code, I also tested soft and hard CPU limits.
Case 4: With a hard CPU limit of 20 seconds and eight threads (and an itimer
	running), the modified kernel was very slightly favored in that while
	it killed the process in 19.997 seconds of CPU time (5.002 seconds of
	wall time), only .003 seconds of that was system time, the rest was
	user time.  The unmodified kernel killed the process in 20.001 seconds
	of CPU (5.014 seconds of wall time) of which .016 seconds was system
	time.  Really, though, the results were too close to call.  The results
	were essentially the same with no itimer running.
Case 5: With a soft limit of 20 seconds and a hard limit of 2000 seconds
	(where the hard limit would never be reached) and an itimer running,
	the modified kernel exhibited worse tick accuracy than the unmodified
	kernel: .050 seconds/tick versus .028 seconds/tick.  Otherwise,
	performance was almost indistinguishable.  With no itimer running this
	test exhibited virtually identical behavior and times in both cases.
In times past I did some limited performance testing.  those results are below.
On a four-cpu Opteron system without this fix, a sixteen-thread test executed
in 3569.991 seconds, of which user was 3568.435s and system was 1.556s.  On
the same system with the fix, user and elapsed time were about the same, but
system time dropped to 0.007 seconds.  Performance with eight, four and one
thread were comparable.  Interestingly, the timer ticks with the fix seemed
more accurate:  The sixteen-thread test with the fix received 149543 ticks
for 0.024 seconds per tick, while the same test without the fix received 58720
for 0.061 seconds per tick.  Both cases were configured for an interval of
0.01 seconds.  Again, the other tests were comparable.  Each thread in this
test computed the primes up to 25,000,000.
I also did a test with a large number of threads, 100,000 threads, which is
impossible without the fix.  In this case each thread computed the primes only
up to 10,000 (to make the runtime manageable).  System time dominated, at
1546.968 seconds out of a total 2176.906 seconds (giving a user time of
629.938s).  It received 147651 ticks for 0.015 seconds per tick, still quite
accurate.  There is obviously no comparable test without the fix.
Signed-off-by: Frank Mayhar <fmayhar@google.com>
Cc: Roland McGrath <roland@redhat.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
											
										 
											2008-09-12 09:54:39 -07:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2008-11-17 15:40:08 +01:00
										 |  |  | 	spin_lock_irq(¤t->sighand->siglock); | 
					
						
							| 
									
										
										
										
											2012-11-21 16:26:44 +01:00
										 |  |  | 	thread_group_cputime_adjusted(current, &tgutime, &tgstime); | 
					
						
							| 
									
										
											  
											
												timers: fix itimer/many thread hang
Overview
This patch reworks the handling of POSIX CPU timers, including the
ITIMER_PROF, ITIMER_VIRT timers and rlimit handling.  It was put together
with the help of Roland McGrath, the owner and original writer of this code.
The problem we ran into, and the reason for this rework, has to do with using
a profiling timer in a process with a large number of threads.  It appears
that the performance of the old implementation of run_posix_cpu_timers() was
at least O(n*3) (where "n" is the number of threads in a process) or worse.
Everything is fine with an increasing number of threads until the time taken
for that routine to run becomes the same as or greater than the tick time, at
which point things degrade rather quickly.
This patch fixes bug 9906, "Weird hang with NPTL and SIGPROF."
Code Changes
This rework corrects the implementation of run_posix_cpu_timers() to make it
run in constant time for a particular machine.  (Performance may vary between
one machine and another depending upon whether the kernel is built as single-
or multiprocessor and, in the latter case, depending upon the number of
running processors.)  To do this, at each tick we now update fields in
signal_struct as well as task_struct.  The run_posix_cpu_timers() function
uses those fields to make its decisions.
We define a new structure, "task_cputime," to contain user, system and
scheduler times and use these in appropriate places:
struct task_cputime {
	cputime_t utime;
	cputime_t stime;
	unsigned long long sum_exec_runtime;
};
This is included in the structure "thread_group_cputime," which is a new
substructure of signal_struct and which varies for uniprocessor versus
multiprocessor kernels.  For uniprocessor kernels, it uses "task_cputime" as
a simple substructure, while for multiprocessor kernels it is a pointer:
struct thread_group_cputime {
	struct task_cputime totals;
};
struct thread_group_cputime {
	struct task_cputime *totals;
};
We also add a new task_cputime substructure directly to signal_struct, to
cache the earliest expiration of process-wide timers, and task_cputime also
replaces the it_*_expires fields of task_struct (used for earliest expiration
of thread timers).  The "thread_group_cputime" structure contains process-wide
timers that are updated via account_user_time() and friends.  In the non-SMP
case the structure is a simple aggregator; unfortunately in the SMP case that
simplicity was not achievable due to cache-line contention between CPUs (in
one measured case performance was actually _worse_ on a 16-cpu system than
the same test on a 4-cpu system, due to this contention).  For SMP, the
thread_group_cputime counters are maintained as a per-cpu structure allocated
using alloc_percpu().  The timer functions update only the timer field in
the structure corresponding to the running CPU, obtained using per_cpu_ptr().
We define a set of inline functions in sched.h that we use to maintain the
thread_group_cputime structure and hide the differences between UP and SMP
implementations from the rest of the kernel.  The thread_group_cputime_init()
function initializes the thread_group_cputime structure for the given task.
The thread_group_cputime_alloc() is a no-op for UP; for SMP it calls the
out-of-line function thread_group_cputime_alloc_smp() to allocate and fill
in the per-cpu structures and fields.  The thread_group_cputime_free()
function, also a no-op for UP, in SMP frees the per-cpu structures.  The
thread_group_cputime_clone_thread() function (also a UP no-op) for SMP calls
thread_group_cputime_alloc() if the per-cpu structures haven't yet been
allocated.  The thread_group_cputime() function fills the task_cputime
structure it is passed with the contents of the thread_group_cputime fields;
in UP it's that simple but in SMP it must also safely check that tsk->signal
is non-NULL (if it is it just uses the appropriate fields of task_struct) and,
if so, sums the per-cpu values for each online CPU.  Finally, the three
functions account_group_user_time(), account_group_system_time() and
account_group_exec_runtime() are used by timer functions to update the
respective fields of the thread_group_cputime structure.
Non-SMP operation is trivial and will not be mentioned further.
The per-cpu structure is always allocated when a task creates its first new
thread, via a call to thread_group_cputime_clone_thread() from copy_signal().
It is freed at process exit via a call to thread_group_cputime_free() from
cleanup_signal().
All functions that formerly summed utime/stime/sum_sched_runtime values from
from all threads in the thread group now use thread_group_cputime() to
snapshot the values in the thread_group_cputime structure or the values in
the task structure itself if the per-cpu structure hasn't been allocated.
Finally, the code in kernel/posix-cpu-timers.c has changed quite a bit.
The run_posix_cpu_timers() function has been split into a fast path and a
slow path; the former safely checks whether there are any expired thread
timers and, if not, just returns, while the slow path does the heavy lifting.
With the dedicated thread group fields, timers are no longer "rebalanced" and
the process_timer_rebalance() function and related code has gone away.  All
summing loops are gone and all code that used them now uses the
thread_group_cputime() inline.  When process-wide timers are set, the new
task_cputime structure in signal_struct is used to cache the earliest
expiration; this is checked in the fast path.
Performance
The fix appears not to add significant overhead to existing operations.  It
generally performs the same as the current code except in two cases, one in
which it performs slightly worse (Case 5 below) and one in which it performs
very significantly better (Case 2 below).  Overall it's a wash except in those
two cases.
I've since done somewhat more involved testing on a dual-core Opteron system.
Case 1: With no itimer running, for a test with 100,000 threads, the fixed
	kernel took 1428.5 seconds, 513 seconds more than the unfixed system,
	all of which was spent in the system.  There were twice as many
	voluntary context switches with the fix as without it.
Case 2: With an itimer running at .01 second ticks and 4000 threads (the most
	an unmodified kernel can handle), the fixed kernel ran the test in
	eight percent of the time (5.8 seconds as opposed to 70 seconds) and
	had better tick accuracy (.012 seconds per tick as opposed to .023
	seconds per tick).
Case 3: A 4000-thread test with an initial timer tick of .01 second and an
	interval of 10,000 seconds (i.e. a timer that ticks only once) had
	very nearly the same performance in both cases:  6.3 seconds elapsed
	for the fixed kernel versus 5.5 seconds for the unfixed kernel.
With fewer threads (eight in these tests), the Case 1 test ran in essentially
the same time on both the modified and unmodified kernels (5.2 seconds versus
5.8 seconds).  The Case 2 test ran in about the same time as well, 5.9 seconds
versus 5.4 seconds but again with much better tick accuracy, .013 seconds per
tick versus .025 seconds per tick for the unmodified kernel.
Since the fix affected the rlimit code, I also tested soft and hard CPU limits.
Case 4: With a hard CPU limit of 20 seconds and eight threads (and an itimer
	running), the modified kernel was very slightly favored in that while
	it killed the process in 19.997 seconds of CPU time (5.002 seconds of
	wall time), only .003 seconds of that was system time, the rest was
	user time.  The unmodified kernel killed the process in 20.001 seconds
	of CPU (5.014 seconds of wall time) of which .016 seconds was system
	time.  Really, though, the results were too close to call.  The results
	were essentially the same with no itimer running.
Case 5: With a soft limit of 20 seconds and a hard limit of 2000 seconds
	(where the hard limit would never be reached) and an itimer running,
	the modified kernel exhibited worse tick accuracy than the unmodified
	kernel: .050 seconds/tick versus .028 seconds/tick.  Otherwise,
	performance was almost indistinguishable.  With no itimer running this
	test exhibited virtually identical behavior and times in both cases.
In times past I did some limited performance testing.  those results are below.
On a four-cpu Opteron system without this fix, a sixteen-thread test executed
in 3569.991 seconds, of which user was 3568.435s and system was 1.556s.  On
the same system with the fix, user and elapsed time were about the same, but
system time dropped to 0.007 seconds.  Performance with eight, four and one
thread were comparable.  Interestingly, the timer ticks with the fix seemed
more accurate:  The sixteen-thread test with the fix received 149543 ticks
for 0.024 seconds per tick, while the same test without the fix received 58720
for 0.061 seconds per tick.  Both cases were configured for an interval of
0.01 seconds.  Again, the other tests were comparable.  Each thread in this
test computed the primes up to 25,000,000.
I also did a test with a large number of threads, 100,000 threads, which is
impossible without the fix.  In this case each thread computed the primes only
up to 10,000 (to make the runtime manageable).  System time dominated, at
1546.968 seconds out of a total 2176.906 seconds (giving a user time of
629.938s).  It received 147651 ticks for 0.015 seconds per tick, still quite
accurate.  There is obviously no comparable test without the fix.
Signed-off-by: Frank Mayhar <fmayhar@google.com>
Cc: Roland McGrath <roland@redhat.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
											
										 
											2008-09-12 09:54:39 -07:00
										 |  |  | 	cutime = current->signal->cutime; | 
					
						
							|  |  |  | 	cstime = current->signal->cstime; | 
					
						
							|  |  |  | 	spin_unlock_irq(¤t->sighand->siglock); | 
					
						
							| 
									
										
											  
											
												sched, cputime: Introduce thread_group_times()
This is a real fix for problem of utime/stime values decreasing
described in the thread:
   http://lkml.org/lkml/2009/11/3/522
Now cputime is accounted in the following way:
 - {u,s}time in task_struct are increased every time when the thread
   is interrupted by a tick (timer interrupt).
 - When a thread exits, its {u,s}time are added to signal->{u,s}time,
   after adjusted by task_times().
 - When all threads in a thread_group exits, accumulated {u,s}time
   (and also c{u,s}time) in signal struct are added to c{u,s}time
   in signal struct of the group's parent.
So {u,s}time in task struct are "raw" tick count, while
{u,s}time and c{u,s}time in signal struct are "adjusted" values.
And accounted values are used by:
 - task_times(), to get cputime of a thread:
   This function returns adjusted values that originates from raw
   {u,s}time and scaled by sum_exec_runtime that accounted by CFS.
 - thread_group_cputime(), to get cputime of a thread group:
   This function returns sum of all {u,s}time of living threads in
   the group, plus {u,s}time in the signal struct that is sum of
   adjusted cputimes of all exited threads belonged to the group.
The problem is the return value of thread_group_cputime(),
because it is mixed sum of "raw" value and "adjusted" value:
  group's {u,s}time = foreach(thread){{u,s}time} + exited({u,s}time)
This misbehavior can break {u,s}time monotonicity.
Assume that if there is a thread that have raw values greater
than adjusted values (e.g. interrupted by 1000Hz ticks 50 times
but only runs 45ms) and if it exits, cputime will decrease (e.g.
-5ms).
To fix this, we could do:
  group's {u,s}time = foreach(t){task_times(t)} + exited({u,s}time)
But task_times() contains hard divisions, so applying it for
every thread should be avoided.
This patch fixes the above problem in the following way:
 - Modify thread's exit (= __exit_signal()) not to use task_times().
   It means {u,s}time in signal struct accumulates raw values instead
   of adjusted values.  As the result it makes thread_group_cputime()
   to return pure sum of "raw" values.
 - Introduce a new function thread_group_times(*task, *utime, *stime)
   that converts "raw" values of thread_group_cputime() to "adjusted"
   values, in same calculation procedure as task_times().
 - Modify group's exit (= wait_task_zombie()) to use this introduced
   thread_group_times().  It make c{u,s}time in signal struct to
   have adjusted values like before this patch.
 - Replace some thread_group_cputime() by thread_group_times().
   This replacements are only applied where conveys the "adjusted"
   cputime to users, and where already uses task_times() near by it.
   (i.e. sys_times(), getrusage(), and /proc/<PID>/stat.)
This patch have a positive side effect:
 - Before this patch, if a group contains many short-life threads
   (e.g. runs 0.9ms and not interrupted by ticks), the group's
   cputime could be invisible since thread's cputime was accumulated
   after adjusted: imagine adjustment function as adj(ticks, runtime),
     {adj(0, 0.9) + adj(0, 0.9) + ....} = {0 + 0 + ....} = 0.
   After this patch it will not happen because the adjustment is
   applied after accumulated.
v2:
 - remove if()s, put new variables into signal_struct.
Signed-off-by: Hidetoshi Seto <seto.hidetoshi@jp.fujitsu.com>
Acked-by: Peter Zijlstra <peterz@infradead.org>
Cc: Spencer Candland <spencer@bluehost.com>
Cc: Americo Wang <xiyou.wangcong@gmail.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Balbir Singh <balbir@in.ibm.com>
Cc: Stanislaw Gruszka <sgruszka@redhat.com>
LKML-Reference: <4B162517.8040909@jp.fujitsu.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
											
										 
											2009-12-02 17:28:07 +09:00
										 |  |  | 	tms->tms_utime = cputime_to_clock_t(tgutime); | 
					
						
							|  |  |  | 	tms->tms_stime = cputime_to_clock_t(tgstime); | 
					
						
							| 
									
										
											  
											
												timers: fix itimer/many thread hang
Overview
This patch reworks the handling of POSIX CPU timers, including the
ITIMER_PROF, ITIMER_VIRT timers and rlimit handling.  It was put together
with the help of Roland McGrath, the owner and original writer of this code.
The problem we ran into, and the reason for this rework, has to do with using
a profiling timer in a process with a large number of threads.  It appears
that the performance of the old implementation of run_posix_cpu_timers() was
at least O(n*3) (where "n" is the number of threads in a process) or worse.
Everything is fine with an increasing number of threads until the time taken
for that routine to run becomes the same as or greater than the tick time, at
which point things degrade rather quickly.
This patch fixes bug 9906, "Weird hang with NPTL and SIGPROF."
Code Changes
This rework corrects the implementation of run_posix_cpu_timers() to make it
run in constant time for a particular machine.  (Performance may vary between
one machine and another depending upon whether the kernel is built as single-
or multiprocessor and, in the latter case, depending upon the number of
running processors.)  To do this, at each tick we now update fields in
signal_struct as well as task_struct.  The run_posix_cpu_timers() function
uses those fields to make its decisions.
We define a new structure, "task_cputime," to contain user, system and
scheduler times and use these in appropriate places:
struct task_cputime {
	cputime_t utime;
	cputime_t stime;
	unsigned long long sum_exec_runtime;
};
This is included in the structure "thread_group_cputime," which is a new
substructure of signal_struct and which varies for uniprocessor versus
multiprocessor kernels.  For uniprocessor kernels, it uses "task_cputime" as
a simple substructure, while for multiprocessor kernels it is a pointer:
struct thread_group_cputime {
	struct task_cputime totals;
};
struct thread_group_cputime {
	struct task_cputime *totals;
};
We also add a new task_cputime substructure directly to signal_struct, to
cache the earliest expiration of process-wide timers, and task_cputime also
replaces the it_*_expires fields of task_struct (used for earliest expiration
of thread timers).  The "thread_group_cputime" structure contains process-wide
timers that are updated via account_user_time() and friends.  In the non-SMP
case the structure is a simple aggregator; unfortunately in the SMP case that
simplicity was not achievable due to cache-line contention between CPUs (in
one measured case performance was actually _worse_ on a 16-cpu system than
the same test on a 4-cpu system, due to this contention).  For SMP, the
thread_group_cputime counters are maintained as a per-cpu structure allocated
using alloc_percpu().  The timer functions update only the timer field in
the structure corresponding to the running CPU, obtained using per_cpu_ptr().
We define a set of inline functions in sched.h that we use to maintain the
thread_group_cputime structure and hide the differences between UP and SMP
implementations from the rest of the kernel.  The thread_group_cputime_init()
function initializes the thread_group_cputime structure for the given task.
The thread_group_cputime_alloc() is a no-op for UP; for SMP it calls the
out-of-line function thread_group_cputime_alloc_smp() to allocate and fill
in the per-cpu structures and fields.  The thread_group_cputime_free()
function, also a no-op for UP, in SMP frees the per-cpu structures.  The
thread_group_cputime_clone_thread() function (also a UP no-op) for SMP calls
thread_group_cputime_alloc() if the per-cpu structures haven't yet been
allocated.  The thread_group_cputime() function fills the task_cputime
structure it is passed with the contents of the thread_group_cputime fields;
in UP it's that simple but in SMP it must also safely check that tsk->signal
is non-NULL (if it is it just uses the appropriate fields of task_struct) and,
if so, sums the per-cpu values for each online CPU.  Finally, the three
functions account_group_user_time(), account_group_system_time() and
account_group_exec_runtime() are used by timer functions to update the
respective fields of the thread_group_cputime structure.
Non-SMP operation is trivial and will not be mentioned further.
The per-cpu structure is always allocated when a task creates its first new
thread, via a call to thread_group_cputime_clone_thread() from copy_signal().
It is freed at process exit via a call to thread_group_cputime_free() from
cleanup_signal().
All functions that formerly summed utime/stime/sum_sched_runtime values from
from all threads in the thread group now use thread_group_cputime() to
snapshot the values in the thread_group_cputime structure or the values in
the task structure itself if the per-cpu structure hasn't been allocated.
Finally, the code in kernel/posix-cpu-timers.c has changed quite a bit.
The run_posix_cpu_timers() function has been split into a fast path and a
slow path; the former safely checks whether there are any expired thread
timers and, if not, just returns, while the slow path does the heavy lifting.
With the dedicated thread group fields, timers are no longer "rebalanced" and
the process_timer_rebalance() function and related code has gone away.  All
summing loops are gone and all code that used them now uses the
thread_group_cputime() inline.  When process-wide timers are set, the new
task_cputime structure in signal_struct is used to cache the earliest
expiration; this is checked in the fast path.
Performance
The fix appears not to add significant overhead to existing operations.  It
generally performs the same as the current code except in two cases, one in
which it performs slightly worse (Case 5 below) and one in which it performs
very significantly better (Case 2 below).  Overall it's a wash except in those
two cases.
I've since done somewhat more involved testing on a dual-core Opteron system.
Case 1: With no itimer running, for a test with 100,000 threads, the fixed
	kernel took 1428.5 seconds, 513 seconds more than the unfixed system,
	all of which was spent in the system.  There were twice as many
	voluntary context switches with the fix as without it.
Case 2: With an itimer running at .01 second ticks and 4000 threads (the most
	an unmodified kernel can handle), the fixed kernel ran the test in
	eight percent of the time (5.8 seconds as opposed to 70 seconds) and
	had better tick accuracy (.012 seconds per tick as opposed to .023
	seconds per tick).
Case 3: A 4000-thread test with an initial timer tick of .01 second and an
	interval of 10,000 seconds (i.e. a timer that ticks only once) had
	very nearly the same performance in both cases:  6.3 seconds elapsed
	for the fixed kernel versus 5.5 seconds for the unfixed kernel.
With fewer threads (eight in these tests), the Case 1 test ran in essentially
the same time on both the modified and unmodified kernels (5.2 seconds versus
5.8 seconds).  The Case 2 test ran in about the same time as well, 5.9 seconds
versus 5.4 seconds but again with much better tick accuracy, .013 seconds per
tick versus .025 seconds per tick for the unmodified kernel.
Since the fix affected the rlimit code, I also tested soft and hard CPU limits.
Case 4: With a hard CPU limit of 20 seconds and eight threads (and an itimer
	running), the modified kernel was very slightly favored in that while
	it killed the process in 19.997 seconds of CPU time (5.002 seconds of
	wall time), only .003 seconds of that was system time, the rest was
	user time.  The unmodified kernel killed the process in 20.001 seconds
	of CPU (5.014 seconds of wall time) of which .016 seconds was system
	time.  Really, though, the results were too close to call.  The results
	were essentially the same with no itimer running.
Case 5: With a soft limit of 20 seconds and a hard limit of 2000 seconds
	(where the hard limit would never be reached) and an itimer running,
	the modified kernel exhibited worse tick accuracy than the unmodified
	kernel: .050 seconds/tick versus .028 seconds/tick.  Otherwise,
	performance was almost indistinguishable.  With no itimer running this
	test exhibited virtually identical behavior and times in both cases.
In times past I did some limited performance testing.  those results are below.
On a four-cpu Opteron system without this fix, a sixteen-thread test executed
in 3569.991 seconds, of which user was 3568.435s and system was 1.556s.  On
the same system with the fix, user and elapsed time were about the same, but
system time dropped to 0.007 seconds.  Performance with eight, four and one
thread were comparable.  Interestingly, the timer ticks with the fix seemed
more accurate:  The sixteen-thread test with the fix received 149543 ticks
for 0.024 seconds per tick, while the same test without the fix received 58720
for 0.061 seconds per tick.  Both cases were configured for an interval of
0.01 seconds.  Again, the other tests were comparable.  Each thread in this
test computed the primes up to 25,000,000.
I also did a test with a large number of threads, 100,000 threads, which is
impossible without the fix.  In this case each thread computed the primes only
up to 10,000 (to make the runtime manageable).  System time dominated, at
1546.968 seconds out of a total 2176.906 seconds (giving a user time of
629.938s).  It received 147651 ticks for 0.015 seconds per tick, still quite
accurate.  There is obviously no comparable test without the fix.
Signed-off-by: Frank Mayhar <fmayhar@google.com>
Cc: Roland McGrath <roland@redhat.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
											
										 
											2008-09-12 09:54:39 -07:00
										 |  |  | 	tms->tms_cutime = cputime_to_clock_t(cutime); | 
					
						
							|  |  |  | 	tms->tms_cstime = cputime_to_clock_t(cstime); | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2009-01-14 14:14:03 +01:00
										 |  |  | SYSCALL_DEFINE1(times, struct tms __user *, tbuf) | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | { | 
					
						
							|  |  |  | 	if (tbuf) { | 
					
						
							|  |  |  | 		struct tms tmp; | 
					
						
							| 
									
										
											  
											
												timers: fix itimer/many thread hang
Overview
This patch reworks the handling of POSIX CPU timers, including the
ITIMER_PROF, ITIMER_VIRT timers and rlimit handling.  It was put together
with the help of Roland McGrath, the owner and original writer of this code.
The problem we ran into, and the reason for this rework, has to do with using
a profiling timer in a process with a large number of threads.  It appears
that the performance of the old implementation of run_posix_cpu_timers() was
at least O(n*3) (where "n" is the number of threads in a process) or worse.
Everything is fine with an increasing number of threads until the time taken
for that routine to run becomes the same as or greater than the tick time, at
which point things degrade rather quickly.
This patch fixes bug 9906, "Weird hang with NPTL and SIGPROF."
Code Changes
This rework corrects the implementation of run_posix_cpu_timers() to make it
run in constant time for a particular machine.  (Performance may vary between
one machine and another depending upon whether the kernel is built as single-
or multiprocessor and, in the latter case, depending upon the number of
running processors.)  To do this, at each tick we now update fields in
signal_struct as well as task_struct.  The run_posix_cpu_timers() function
uses those fields to make its decisions.
We define a new structure, "task_cputime," to contain user, system and
scheduler times and use these in appropriate places:
struct task_cputime {
	cputime_t utime;
	cputime_t stime;
	unsigned long long sum_exec_runtime;
};
This is included in the structure "thread_group_cputime," which is a new
substructure of signal_struct and which varies for uniprocessor versus
multiprocessor kernels.  For uniprocessor kernels, it uses "task_cputime" as
a simple substructure, while for multiprocessor kernels it is a pointer:
struct thread_group_cputime {
	struct task_cputime totals;
};
struct thread_group_cputime {
	struct task_cputime *totals;
};
We also add a new task_cputime substructure directly to signal_struct, to
cache the earliest expiration of process-wide timers, and task_cputime also
replaces the it_*_expires fields of task_struct (used for earliest expiration
of thread timers).  The "thread_group_cputime" structure contains process-wide
timers that are updated via account_user_time() and friends.  In the non-SMP
case the structure is a simple aggregator; unfortunately in the SMP case that
simplicity was not achievable due to cache-line contention between CPUs (in
one measured case performance was actually _worse_ on a 16-cpu system than
the same test on a 4-cpu system, due to this contention).  For SMP, the
thread_group_cputime counters are maintained as a per-cpu structure allocated
using alloc_percpu().  The timer functions update only the timer field in
the structure corresponding to the running CPU, obtained using per_cpu_ptr().
We define a set of inline functions in sched.h that we use to maintain the
thread_group_cputime structure and hide the differences between UP and SMP
implementations from the rest of the kernel.  The thread_group_cputime_init()
function initializes the thread_group_cputime structure for the given task.
The thread_group_cputime_alloc() is a no-op for UP; for SMP it calls the
out-of-line function thread_group_cputime_alloc_smp() to allocate and fill
in the per-cpu structures and fields.  The thread_group_cputime_free()
function, also a no-op for UP, in SMP frees the per-cpu structures.  The
thread_group_cputime_clone_thread() function (also a UP no-op) for SMP calls
thread_group_cputime_alloc() if the per-cpu structures haven't yet been
allocated.  The thread_group_cputime() function fills the task_cputime
structure it is passed with the contents of the thread_group_cputime fields;
in UP it's that simple but in SMP it must also safely check that tsk->signal
is non-NULL (if it is it just uses the appropriate fields of task_struct) and,
if so, sums the per-cpu values for each online CPU.  Finally, the three
functions account_group_user_time(), account_group_system_time() and
account_group_exec_runtime() are used by timer functions to update the
respective fields of the thread_group_cputime structure.
Non-SMP operation is trivial and will not be mentioned further.
The per-cpu structure is always allocated when a task creates its first new
thread, via a call to thread_group_cputime_clone_thread() from copy_signal().
It is freed at process exit via a call to thread_group_cputime_free() from
cleanup_signal().
All functions that formerly summed utime/stime/sum_sched_runtime values from
from all threads in the thread group now use thread_group_cputime() to
snapshot the values in the thread_group_cputime structure or the values in
the task structure itself if the per-cpu structure hasn't been allocated.
Finally, the code in kernel/posix-cpu-timers.c has changed quite a bit.
The run_posix_cpu_timers() function has been split into a fast path and a
slow path; the former safely checks whether there are any expired thread
timers and, if not, just returns, while the slow path does the heavy lifting.
With the dedicated thread group fields, timers are no longer "rebalanced" and
the process_timer_rebalance() function and related code has gone away.  All
summing loops are gone and all code that used them now uses the
thread_group_cputime() inline.  When process-wide timers are set, the new
task_cputime structure in signal_struct is used to cache the earliest
expiration; this is checked in the fast path.
Performance
The fix appears not to add significant overhead to existing operations.  It
generally performs the same as the current code except in two cases, one in
which it performs slightly worse (Case 5 below) and one in which it performs
very significantly better (Case 2 below).  Overall it's a wash except in those
two cases.
I've since done somewhat more involved testing on a dual-core Opteron system.
Case 1: With no itimer running, for a test with 100,000 threads, the fixed
	kernel took 1428.5 seconds, 513 seconds more than the unfixed system,
	all of which was spent in the system.  There were twice as many
	voluntary context switches with the fix as without it.
Case 2: With an itimer running at .01 second ticks and 4000 threads (the most
	an unmodified kernel can handle), the fixed kernel ran the test in
	eight percent of the time (5.8 seconds as opposed to 70 seconds) and
	had better tick accuracy (.012 seconds per tick as opposed to .023
	seconds per tick).
Case 3: A 4000-thread test with an initial timer tick of .01 second and an
	interval of 10,000 seconds (i.e. a timer that ticks only once) had
	very nearly the same performance in both cases:  6.3 seconds elapsed
	for the fixed kernel versus 5.5 seconds for the unfixed kernel.
With fewer threads (eight in these tests), the Case 1 test ran in essentially
the same time on both the modified and unmodified kernels (5.2 seconds versus
5.8 seconds).  The Case 2 test ran in about the same time as well, 5.9 seconds
versus 5.4 seconds but again with much better tick accuracy, .013 seconds per
tick versus .025 seconds per tick for the unmodified kernel.
Since the fix affected the rlimit code, I also tested soft and hard CPU limits.
Case 4: With a hard CPU limit of 20 seconds and eight threads (and an itimer
	running), the modified kernel was very slightly favored in that while
	it killed the process in 19.997 seconds of CPU time (5.002 seconds of
	wall time), only .003 seconds of that was system time, the rest was
	user time.  The unmodified kernel killed the process in 20.001 seconds
	of CPU (5.014 seconds of wall time) of which .016 seconds was system
	time.  Really, though, the results were too close to call.  The results
	were essentially the same with no itimer running.
Case 5: With a soft limit of 20 seconds and a hard limit of 2000 seconds
	(where the hard limit would never be reached) and an itimer running,
	the modified kernel exhibited worse tick accuracy than the unmodified
	kernel: .050 seconds/tick versus .028 seconds/tick.  Otherwise,
	performance was almost indistinguishable.  With no itimer running this
	test exhibited virtually identical behavior and times in both cases.
In times past I did some limited performance testing.  those results are below.
On a four-cpu Opteron system without this fix, a sixteen-thread test executed
in 3569.991 seconds, of which user was 3568.435s and system was 1.556s.  On
the same system with the fix, user and elapsed time were about the same, but
system time dropped to 0.007 seconds.  Performance with eight, four and one
thread were comparable.  Interestingly, the timer ticks with the fix seemed
more accurate:  The sixteen-thread test with the fix received 149543 ticks
for 0.024 seconds per tick, while the same test without the fix received 58720
for 0.061 seconds per tick.  Both cases were configured for an interval of
0.01 seconds.  Again, the other tests were comparable.  Each thread in this
test computed the primes up to 25,000,000.
I also did a test with a large number of threads, 100,000 threads, which is
impossible without the fix.  In this case each thread computed the primes only
up to 10,000 (to make the runtime manageable).  System time dominated, at
1546.968 seconds out of a total 2176.906 seconds (giving a user time of
629.938s).  It received 147651 ticks for 0.015 seconds per tick, still quite
accurate.  There is obviously no comparable test without the fix.
Signed-off-by: Frank Mayhar <fmayhar@google.com>
Cc: Roland McGrath <roland@redhat.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
											
										 
											2008-09-12 09:54:39 -07:00
										 |  |  | 
 | 
					
						
							|  |  |  | 		do_sys_times(&tmp); | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 		if (copy_to_user(tbuf, &tmp, sizeof(struct tms))) | 
					
						
							|  |  |  | 			return -EFAULT; | 
					
						
							|  |  |  | 	} | 
					
						
							| 
									
										
										
										
											2009-01-06 14:41:02 -08:00
										 |  |  | 	force_successful_syscall_return(); | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 	return (long) jiffies_64_to_clock_t(get_jiffies_64()); | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | /*
 | 
					
						
							|  |  |  |  * This needs some heavy checking ... | 
					
						
							|  |  |  |  * I just haven't the stomach for it. I also don't fully | 
					
						
							|  |  |  |  * understand sessions/pgrp etc. Let somebody who does explain it. | 
					
						
							|  |  |  |  * | 
					
						
							|  |  |  |  * OK, I think I have the protection semantics right.... this is really | 
					
						
							|  |  |  |  * only important on a multi-user system anyway, to make sure one user | 
					
						
							|  |  |  |  * can't send a signal to a process owned by another.  -TYT, 12/12/91 | 
					
						
							|  |  |  |  * | 
					
						
							| 
									
										
										
										
											2014-01-23 15:55:52 -08:00
										 |  |  |  * !PF_FORKNOEXEC check to conform completely to POSIX. | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  |  */ | 
					
						
							| 
									
										
										
										
											2009-01-14 14:14:06 +01:00
										 |  |  | SYSCALL_DEFINE2(setpgid, pid_t, pid, pid_t, pgid) | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | { | 
					
						
							|  |  |  | 	struct task_struct *p; | 
					
						
							| 
									
										
										
										
											2006-01-08 01:03:53 -08:00
										 |  |  | 	struct task_struct *group_leader = current->group_leader; | 
					
						
							| 
									
										
										
										
											2008-02-08 04:19:08 -08:00
										 |  |  | 	struct pid *pgrp; | 
					
						
							|  |  |  | 	int err; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 
 | 
					
						
							|  |  |  | 	if (!pid) | 
					
						
							| 
									
										
										
										
											2007-10-18 23:40:14 -07:00
										 |  |  | 		pid = task_pid_vnr(group_leader); | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 	if (!pgid) | 
					
						
							|  |  |  | 		pgid = pid; | 
					
						
							|  |  |  | 	if (pgid < 0) | 
					
						
							|  |  |  | 		return -EINVAL; | 
					
						
							| 
									
										
										
										
											2010-08-31 17:00:18 -07:00
										 |  |  | 	rcu_read_lock(); | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 
 | 
					
						
							|  |  |  | 	/* From this point forward we keep holding onto the tasklist lock
 | 
					
						
							|  |  |  | 	 * so that our parent does not change from under us. -DaveM | 
					
						
							|  |  |  | 	 */ | 
					
						
							|  |  |  | 	write_lock_irq(&tasklist_lock); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	err = -ESRCH; | 
					
						
							| 
									
										
										
										
											2008-02-08 04:19:08 -08:00
										 |  |  | 	p = find_task_by_vpid(pid); | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 	if (!p) | 
					
						
							|  |  |  | 		goto out; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	err = -EINVAL; | 
					
						
							|  |  |  | 	if (!thread_group_leader(p)) | 
					
						
							|  |  |  | 		goto out; | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2008-02-08 04:19:08 -08:00
										 |  |  | 	if (same_thread_group(p->real_parent, group_leader)) { | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 		err = -EPERM; | 
					
						
							| 
									
										
										
										
											2007-02-12 00:53:01 -08:00
										 |  |  | 		if (task_session(p) != task_session(group_leader)) | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 			goto out; | 
					
						
							|  |  |  | 		err = -EACCES; | 
					
						
							| 
									
										
										
										
											2014-01-23 15:55:52 -08:00
										 |  |  | 		if (!(p->flags & PF_FORKNOEXEC)) | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 			goto out; | 
					
						
							|  |  |  | 	} else { | 
					
						
							|  |  |  | 		err = -ESRCH; | 
					
						
							| 
									
										
										
										
											2006-01-08 01:03:53 -08:00
										 |  |  | 		if (p != group_leader) | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 			goto out; | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	err = -EPERM; | 
					
						
							|  |  |  | 	if (p->signal->leader) | 
					
						
							|  |  |  | 		goto out; | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2008-02-08 04:19:08 -08:00
										 |  |  | 	pgrp = task_pid(p); | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 	if (pgid != pid) { | 
					
						
							| 
									
										
										
										
											2007-10-18 23:40:14 -07:00
										 |  |  | 		struct task_struct *g; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2008-02-08 04:19:08 -08:00
										 |  |  | 		pgrp = find_vpid(pgid); | 
					
						
							|  |  |  | 		g = pid_task(pgrp, PIDTYPE_PGID); | 
					
						
							| 
									
										
										
										
											2007-02-12 00:53:01 -08:00
										 |  |  | 		if (!g || task_session(g) != task_session(group_leader)) | 
					
						
							| 
									
										
										
										
											2006-12-08 02:38:02 -08:00
										 |  |  | 			goto out; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	err = security_task_setpgid(p, pgid); | 
					
						
							|  |  |  | 	if (err) | 
					
						
							|  |  |  | 		goto out; | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2009-04-02 16:58:39 -07:00
										 |  |  | 	if (task_pgrp(p) != pgrp) | 
					
						
							| 
									
										
										
										
											2008-04-30 00:54:27 -07:00
										 |  |  | 		change_pid(p, PIDTYPE_PGID, pgrp); | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 
 | 
					
						
							|  |  |  | 	err = 0; | 
					
						
							|  |  |  | out: | 
					
						
							|  |  |  | 	/* All paths lead to here, thus we are safe. -DaveM */ | 
					
						
							|  |  |  | 	write_unlock_irq(&tasklist_lock); | 
					
						
							| 
									
										
										
										
											2010-08-31 17:00:18 -07:00
										 |  |  | 	rcu_read_unlock(); | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 	return err; | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2009-01-14 14:14:04 +01:00
										 |  |  | SYSCALL_DEFINE1(getpgid, pid_t, pid) | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | { | 
					
						
							| 
									
										
										
										
											2008-04-30 00:54:29 -07:00
										 |  |  | 	struct task_struct *p; | 
					
						
							|  |  |  | 	struct pid *grp; | 
					
						
							|  |  |  | 	int retval; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	rcu_read_lock(); | 
					
						
							| 
									
										
										
										
											2006-09-30 23:27:24 -07:00
										 |  |  | 	if (!pid) | 
					
						
							| 
									
										
										
										
											2008-04-30 00:54:29 -07:00
										 |  |  | 		grp = task_pgrp(current); | 
					
						
							| 
									
										
										
										
											2006-09-30 23:27:24 -07:00
										 |  |  | 	else { | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 		retval = -ESRCH; | 
					
						
							| 
									
										
										
										
											2008-04-30 00:54:29 -07:00
										 |  |  | 		p = find_task_by_vpid(pid); | 
					
						
							|  |  |  | 		if (!p) | 
					
						
							|  |  |  | 			goto out; | 
					
						
							|  |  |  | 		grp = task_pgrp(p); | 
					
						
							|  |  |  | 		if (!grp) | 
					
						
							|  |  |  | 			goto out; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		retval = security_task_getpgid(p); | 
					
						
							|  |  |  | 		if (retval) | 
					
						
							|  |  |  | 			goto out; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 	} | 
					
						
							| 
									
										
										
										
											2008-04-30 00:54:29 -07:00
										 |  |  | 	retval = pid_vnr(grp); | 
					
						
							|  |  |  | out: | 
					
						
							|  |  |  | 	rcu_read_unlock(); | 
					
						
							|  |  |  | 	return retval; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | #ifdef __ARCH_WANT_SYS_GETPGRP
 | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2009-01-14 14:14:04 +01:00
										 |  |  | SYSCALL_DEFINE0(getpgrp) | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | { | 
					
						
							| 
									
										
										
										
											2008-04-30 00:54:29 -07:00
										 |  |  | 	return sys_getpgid(0); | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | #endif
 | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2009-01-14 14:14:04 +01:00
										 |  |  | SYSCALL_DEFINE1(getsid, pid_t, pid) | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | { | 
					
						
							| 
									
										
										
										
											2008-04-30 00:54:28 -07:00
										 |  |  | 	struct task_struct *p; | 
					
						
							|  |  |  | 	struct pid *sid; | 
					
						
							|  |  |  | 	int retval; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	rcu_read_lock(); | 
					
						
							| 
									
										
										
										
											2006-09-30 23:27:24 -07:00
										 |  |  | 	if (!pid) | 
					
						
							| 
									
										
										
										
											2008-04-30 00:54:28 -07:00
										 |  |  | 		sid = task_session(current); | 
					
						
							| 
									
										
										
										
											2006-09-30 23:27:24 -07:00
										 |  |  | 	else { | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 		retval = -ESRCH; | 
					
						
							| 
									
										
										
										
											2008-04-30 00:54:28 -07:00
										 |  |  | 		p = find_task_by_vpid(pid); | 
					
						
							|  |  |  | 		if (!p) | 
					
						
							|  |  |  | 			goto out; | 
					
						
							|  |  |  | 		sid = task_session(p); | 
					
						
							|  |  |  | 		if (!sid) | 
					
						
							|  |  |  | 			goto out; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		retval = security_task_getsid(p); | 
					
						
							|  |  |  | 		if (retval) | 
					
						
							|  |  |  | 			goto out; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 	} | 
					
						
							| 
									
										
										
										
											2008-04-30 00:54:28 -07:00
										 |  |  | 	retval = pid_vnr(sid); | 
					
						
							|  |  |  | out: | 
					
						
							|  |  |  | 	rcu_read_unlock(); | 
					
						
							|  |  |  | 	return retval; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2013-07-03 15:08:26 -07:00
										 |  |  | static void set_special_pids(struct pid *pid) | 
					
						
							|  |  |  | { | 
					
						
							|  |  |  | 	struct task_struct *curr = current->group_leader; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	if (task_session(curr) != pid) | 
					
						
							|  |  |  | 		change_pid(curr, PIDTYPE_SID, pid); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	if (task_pgrp(curr) != pid) | 
					
						
							|  |  |  | 		change_pid(curr, PIDTYPE_PGID, pid); | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2009-01-14 14:14:06 +01:00
										 |  |  | SYSCALL_DEFINE0(setsid) | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | { | 
					
						
							| 
									
										
										
										
											2006-01-08 01:03:58 -08:00
										 |  |  | 	struct task_struct *group_leader = current->group_leader; | 
					
						
							| 
									
										
										
										
											2008-02-08 04:19:09 -08:00
										 |  |  | 	struct pid *sid = task_pid(group_leader); | 
					
						
							|  |  |  | 	pid_t session = pid_vnr(sid); | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 	int err = -EPERM; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	write_lock_irq(&tasklist_lock); | 
					
						
							| 
									
										
										
										
											2006-03-31 02:31:33 -08:00
										 |  |  | 	/* Fail if I am already a session leader */ | 
					
						
							|  |  |  | 	if (group_leader->signal->leader) | 
					
						
							|  |  |  | 		goto out; | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2008-02-08 04:19:11 -08:00
										 |  |  | 	/* Fail if a process group id already exists that equals the
 | 
					
						
							|  |  |  | 	 * proposed session id. | 
					
						
							| 
									
										
										
										
											2006-03-31 02:31:33 -08:00
										 |  |  | 	 */ | 
					
						
							| 
									
										
										
										
											2008-02-08 04:19:12 -08:00
										 |  |  | 	if (pid_task(sid, PIDTYPE_PGID)) | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 		goto out; | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2006-01-08 01:03:58 -08:00
										 |  |  | 	group_leader->signal->leader = 1; | 
					
						
							| 
									
										
										
										
											2013-07-03 15:08:26 -07:00
										 |  |  | 	set_special_pids(sid); | 
					
						
							| 
									
										
										
										
											2006-12-08 02:36:04 -08:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2008-10-13 10:37:26 +01:00
										 |  |  | 	proc_clear_tty(group_leader); | 
					
						
							| 
									
										
										
										
											2006-12-08 02:36:04 -08:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2008-02-08 04:19:09 -08:00
										 |  |  | 	err = session; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | out: | 
					
						
							|  |  |  | 	write_unlock_irq(&tasklist_lock); | 
					
						
							| 
									
										
											  
											
												sched: Add 'autogroup' scheduling feature: automated per session task groups
A recurring complaint from CFS users is that parallel kbuild has
a negative impact on desktop interactivity.  This patch
implements an idea from Linus, to automatically create task
groups.  Currently, only per session autogroups are implemented,
but the patch leaves the way open for enhancement.
Implementation: each task's signal struct contains an inherited
pointer to a refcounted autogroup struct containing a task group
pointer, the default for all tasks pointing to the
init_task_group.  When a task calls setsid(), a new task group
is created, the process is moved into the new task group, and a
reference to the preveious task group is dropped.  Child
processes inherit this task group thereafter, and increase it's
refcount.  When the last thread of a process exits, the
process's reference is dropped, such that when the last process
referencing an autogroup exits, the autogroup is destroyed.
At runqueue selection time, IFF a task has no cgroup assignment,
its current autogroup is used.
Autogroup bandwidth is controllable via setting it's nice level
through the proc filesystem:
  cat /proc/<pid>/autogroup
Displays the task's group and the group's nice level.
  echo <nice level> > /proc/<pid>/autogroup
Sets the task group's shares to the weight of nice <level> task.
Setting nice level is rate limited for !admin users due to the
abuse risk of task group locking.
The feature is enabled from boot by default if
CONFIG_SCHED_AUTOGROUP=y is selected, but can be disabled via
the boot option noautogroup, and can also be turned on/off on
the fly via:
  echo [01] > /proc/sys/kernel/sched_autogroup_enabled
... which will automatically move tasks to/from the root task group.
Signed-off-by: Mike Galbraith <efault@gmx.de>
Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Markus Trippelsdorf <markus@trippelsdorf.de>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Paul Turner <pjt@google.com>
Cc: Oleg Nesterov <oleg@redhat.com>
[ Removed the task_group_path() debug code, and fixed !EVENTFD build failure. ]
Signed-off-by: Ingo Molnar <mingo@elte.hu>
LKML-Reference: <1290281700.28711.9.camel@maggy.simson.net>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
											
										 
											2010-11-30 14:18:03 +01:00
										 |  |  | 	if (err > 0) { | 
					
						
							| 
									
										
										
										
											2009-10-26 16:49:34 -07:00
										 |  |  | 		proc_sid_connector(group_leader); | 
					
						
							| 
									
										
											  
											
												sched: Add 'autogroup' scheduling feature: automated per session task groups
A recurring complaint from CFS users is that parallel kbuild has
a negative impact on desktop interactivity.  This patch
implements an idea from Linus, to automatically create task
groups.  Currently, only per session autogroups are implemented,
but the patch leaves the way open for enhancement.
Implementation: each task's signal struct contains an inherited
pointer to a refcounted autogroup struct containing a task group
pointer, the default for all tasks pointing to the
init_task_group.  When a task calls setsid(), a new task group
is created, the process is moved into the new task group, and a
reference to the preveious task group is dropped.  Child
processes inherit this task group thereafter, and increase it's
refcount.  When the last thread of a process exits, the
process's reference is dropped, such that when the last process
referencing an autogroup exits, the autogroup is destroyed.
At runqueue selection time, IFF a task has no cgroup assignment,
its current autogroup is used.
Autogroup bandwidth is controllable via setting it's nice level
through the proc filesystem:
  cat /proc/<pid>/autogroup
Displays the task's group and the group's nice level.
  echo <nice level> > /proc/<pid>/autogroup
Sets the task group's shares to the weight of nice <level> task.
Setting nice level is rate limited for !admin users due to the
abuse risk of task group locking.
The feature is enabled from boot by default if
CONFIG_SCHED_AUTOGROUP=y is selected, but can be disabled via
the boot option noautogroup, and can also be turned on/off on
the fly via:
  echo [01] > /proc/sys/kernel/sched_autogroup_enabled
... which will automatically move tasks to/from the root task group.
Signed-off-by: Mike Galbraith <efault@gmx.de>
Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Markus Trippelsdorf <markus@trippelsdorf.de>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Paul Turner <pjt@google.com>
Cc: Oleg Nesterov <oleg@redhat.com>
[ Removed the task_group_path() debug code, and fixed !EVENTFD build failure. ]
Signed-off-by: Ingo Molnar <mingo@elte.hu>
LKML-Reference: <1290281700.28711.9.camel@maggy.simson.net>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
											
										 
											2010-11-30 14:18:03 +01:00
										 |  |  | 		sched_autogroup_create_attach(group_leader); | 
					
						
							|  |  |  | 	} | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 	return err; | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | DECLARE_RWSEM(uts_sem); | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2010-03-10 15:21:19 -08:00
										 |  |  | #ifdef COMPAT_UTS_MACHINE
 | 
					
						
							|  |  |  | #define override_architecture(name) \
 | 
					
						
							| 
									
										
										
										
											2010-04-23 13:17:44 -04:00
										 |  |  | 	(personality(current->personality) == PER_LINUX32 && \ | 
					
						
							| 
									
										
										
										
											2010-03-10 15:21:19 -08:00
										 |  |  | 	 copy_to_user(name->machine, COMPAT_UTS_MACHINE, \ | 
					
						
							|  |  |  | 		      sizeof(COMPAT_UTS_MACHINE))) | 
					
						
							|  |  |  | #else
 | 
					
						
							|  |  |  | #define override_architecture(name)	0
 | 
					
						
							|  |  |  | #endif
 | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-08-19 16:15:10 -07:00
										 |  |  | /*
 | 
					
						
							|  |  |  |  * Work around broken programs that cannot handle "Linux 3.0". | 
					
						
							|  |  |  |  * Instead we map 3.x to 2.6.40+x, so e.g. 3.0 would be 2.6.40 | 
					
						
							|  |  |  |  */ | 
					
						
							| 
									
										
										
										
											2012-10-19 13:56:51 -07:00
										 |  |  | static int override_release(char __user *release, size_t len) | 
					
						
							| 
									
										
										
										
											2011-08-19 16:15:10 -07:00
										 |  |  | { | 
					
						
							|  |  |  | 	int ret = 0; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	if (current->personality & UNAME26) { | 
					
						
							| 
									
										
										
										
											2012-10-19 13:56:51 -07:00
										 |  |  | 		const char *rest = UTS_RELEASE; | 
					
						
							|  |  |  | 		char buf[65] = { 0 }; | 
					
						
							| 
									
										
										
										
											2011-08-19 16:15:10 -07:00
										 |  |  | 		int ndots = 0; | 
					
						
							|  |  |  | 		unsigned v; | 
					
						
							| 
									
										
										
										
											2012-10-19 13:56:51 -07:00
										 |  |  | 		size_t copy; | 
					
						
							| 
									
										
										
										
											2011-08-19 16:15:10 -07:00
										 |  |  | 
 | 
					
						
							|  |  |  | 		while (*rest) { | 
					
						
							|  |  |  | 			if (*rest == '.' && ++ndots >= 3) | 
					
						
							|  |  |  | 				break; | 
					
						
							|  |  |  | 			if (!isdigit(*rest) && *rest != '.') | 
					
						
							|  |  |  | 				break; | 
					
						
							|  |  |  | 			rest++; | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 		v = ((LINUX_VERSION_CODE >> 8) & 0xff) + 40; | 
					
						
							| 
									
										
										
										
											2012-10-19 18:45:53 -07:00
										 |  |  | 		copy = clamp_t(size_t, len, 1, sizeof(buf)); | 
					
						
							| 
									
										
										
										
											2012-10-19 13:56:51 -07:00
										 |  |  | 		copy = scnprintf(buf, copy, "2.6.%u%s", v, rest); | 
					
						
							|  |  |  | 		ret = copy_to_user(release, buf, copy + 1); | 
					
						
							| 
									
										
										
										
											2011-08-19 16:15:10 -07:00
										 |  |  | 	} | 
					
						
							|  |  |  | 	return ret; | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2009-01-14 14:14:26 +01:00
										 |  |  | SYSCALL_DEFINE1(newuname, struct new_utsname __user *, name) | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | { | 
					
						
							|  |  |  | 	int errno = 0; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	down_read(&uts_sem); | 
					
						
							| 
									
										
										
										
											2006-10-02 02:18:11 -07:00
										 |  |  | 	if (copy_to_user(name, utsname(), sizeof *name)) | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 		errno = -EFAULT; | 
					
						
							|  |  |  | 	up_read(&uts_sem); | 
					
						
							| 
									
										
										
										
											2010-03-10 15:21:19 -08:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-08-19 16:15:10 -07:00
										 |  |  | 	if (!errno && override_release(name->release, sizeof(name->release))) | 
					
						
							|  |  |  | 		errno = -EFAULT; | 
					
						
							| 
									
										
										
										
											2010-03-10 15:21:19 -08:00
										 |  |  | 	if (!errno && override_architecture(name)) | 
					
						
							|  |  |  | 		errno = -EFAULT; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 	return errno; | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2010-03-10 15:21:21 -08:00
										 |  |  | #ifdef __ARCH_WANT_SYS_OLD_UNAME
 | 
					
						
							|  |  |  | /*
 | 
					
						
							|  |  |  |  * Old cruft | 
					
						
							|  |  |  |  */ | 
					
						
							|  |  |  | SYSCALL_DEFINE1(uname, struct old_utsname __user *, name) | 
					
						
							|  |  |  | { | 
					
						
							|  |  |  | 	int error = 0; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	if (!name) | 
					
						
							|  |  |  | 		return -EFAULT; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	down_read(&uts_sem); | 
					
						
							|  |  |  | 	if (copy_to_user(name, utsname(), sizeof(*name))) | 
					
						
							|  |  |  | 		error = -EFAULT; | 
					
						
							|  |  |  | 	up_read(&uts_sem); | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-08-19 16:15:10 -07:00
										 |  |  | 	if (!error && override_release(name->release, sizeof(name->release))) | 
					
						
							|  |  |  | 		error = -EFAULT; | 
					
						
							| 
									
										
										
										
											2010-03-10 15:21:21 -08:00
										 |  |  | 	if (!error && override_architecture(name)) | 
					
						
							|  |  |  | 		error = -EFAULT; | 
					
						
							|  |  |  | 	return error; | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | SYSCALL_DEFINE1(olduname, struct oldold_utsname __user *, name) | 
					
						
							|  |  |  | { | 
					
						
							|  |  |  | 	int error; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	if (!name) | 
					
						
							|  |  |  | 		return -EFAULT; | 
					
						
							|  |  |  | 	if (!access_ok(VERIFY_WRITE, name, sizeof(struct oldold_utsname))) | 
					
						
							|  |  |  | 		return -EFAULT; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	down_read(&uts_sem); | 
					
						
							|  |  |  | 	error = __copy_to_user(&name->sysname, &utsname()->sysname, | 
					
						
							|  |  |  | 			       __OLD_UTS_LEN); | 
					
						
							|  |  |  | 	error |= __put_user(0, name->sysname + __OLD_UTS_LEN); | 
					
						
							|  |  |  | 	error |= __copy_to_user(&name->nodename, &utsname()->nodename, | 
					
						
							|  |  |  | 				__OLD_UTS_LEN); | 
					
						
							|  |  |  | 	error |= __put_user(0, name->nodename + __OLD_UTS_LEN); | 
					
						
							|  |  |  | 	error |= __copy_to_user(&name->release, &utsname()->release, | 
					
						
							|  |  |  | 				__OLD_UTS_LEN); | 
					
						
							|  |  |  | 	error |= __put_user(0, name->release + __OLD_UTS_LEN); | 
					
						
							|  |  |  | 	error |= __copy_to_user(&name->version, &utsname()->version, | 
					
						
							|  |  |  | 				__OLD_UTS_LEN); | 
					
						
							|  |  |  | 	error |= __put_user(0, name->version + __OLD_UTS_LEN); | 
					
						
							|  |  |  | 	error |= __copy_to_user(&name->machine, &utsname()->machine, | 
					
						
							|  |  |  | 				__OLD_UTS_LEN); | 
					
						
							|  |  |  | 	error |= __put_user(0, name->machine + __OLD_UTS_LEN); | 
					
						
							|  |  |  | 	up_read(&uts_sem); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	if (!error && override_architecture(name)) | 
					
						
							|  |  |  | 		error = -EFAULT; | 
					
						
							| 
									
										
										
										
											2011-08-19 16:15:10 -07:00
										 |  |  | 	if (!error && override_release(name->release, sizeof(name->release))) | 
					
						
							|  |  |  | 		error = -EFAULT; | 
					
						
							| 
									
										
										
										
											2010-03-10 15:21:21 -08:00
										 |  |  | 	return error ? -EFAULT : 0; | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | #endif
 | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2009-01-14 14:14:25 +01:00
										 |  |  | SYSCALL_DEFINE2(sethostname, char __user *, name, int, len) | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | { | 
					
						
							|  |  |  | 	int errno; | 
					
						
							|  |  |  | 	char tmp[__NEW_UTS_LEN]; | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-03-23 16:43:18 -07:00
										 |  |  | 	if (!ns_capable(current->nsproxy->uts_ns->user_ns, CAP_SYS_ADMIN)) | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 		return -EPERM; | 
					
						
							| 
									
										
										
										
											2011-03-23 16:43:22 -07:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 	if (len < 0 || len > __NEW_UTS_LEN) | 
					
						
							|  |  |  | 		return -EINVAL; | 
					
						
							|  |  |  | 	down_write(&uts_sem); | 
					
						
							|  |  |  | 	errno = -EFAULT; | 
					
						
							|  |  |  | 	if (!copy_from_user(tmp, name, len)) { | 
					
						
							| 
									
										
										
										
											2008-10-15 22:01:51 -07:00
										 |  |  | 		struct new_utsname *u = utsname(); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		memcpy(u->nodename, tmp, len); | 
					
						
							|  |  |  | 		memset(u->nodename + len, 0, sizeof(u->nodename) - len); | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 		errno = 0; | 
					
						
							| 
									
										
										
										
											2012-05-31 16:26:07 -07:00
										 |  |  | 		uts_proc_notify(UTS_PROC_HOSTNAME); | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 	} | 
					
						
							|  |  |  | 	up_write(&uts_sem); | 
					
						
							|  |  |  | 	return errno; | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | #ifdef __ARCH_WANT_SYS_GETHOSTNAME
 | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2009-01-14 14:14:25 +01:00
										 |  |  | SYSCALL_DEFINE2(gethostname, char __user *, name, int, len) | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | { | 
					
						
							|  |  |  | 	int i, errno; | 
					
						
							| 
									
										
										
										
											2008-10-15 22:01:51 -07:00
										 |  |  | 	struct new_utsname *u; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 
 | 
					
						
							|  |  |  | 	if (len < 0) | 
					
						
							|  |  |  | 		return -EINVAL; | 
					
						
							|  |  |  | 	down_read(&uts_sem); | 
					
						
							| 
									
										
										
										
											2008-10-15 22:01:51 -07:00
										 |  |  | 	u = utsname(); | 
					
						
							|  |  |  | 	i = 1 + strlen(u->nodename); | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 	if (i > len) | 
					
						
							|  |  |  | 		i = len; | 
					
						
							|  |  |  | 	errno = 0; | 
					
						
							| 
									
										
										
										
											2008-10-15 22:01:51 -07:00
										 |  |  | 	if (copy_to_user(name, u->nodename, i)) | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 		errno = -EFAULT; | 
					
						
							|  |  |  | 	up_read(&uts_sem); | 
					
						
							|  |  |  | 	return errno; | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | #endif
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | /*
 | 
					
						
							|  |  |  |  * Only setdomainname; getdomainname can be implemented by calling | 
					
						
							|  |  |  |  * uname() | 
					
						
							|  |  |  |  */ | 
					
						
							| 
									
										
										
										
											2009-01-14 14:14:25 +01:00
										 |  |  | SYSCALL_DEFINE2(setdomainname, char __user *, name, int, len) | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | { | 
					
						
							|  |  |  | 	int errno; | 
					
						
							|  |  |  | 	char tmp[__NEW_UTS_LEN]; | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-03-23 16:43:22 -07:00
										 |  |  | 	if (!ns_capable(current->nsproxy->uts_ns->user_ns, CAP_SYS_ADMIN)) | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 		return -EPERM; | 
					
						
							|  |  |  | 	if (len < 0 || len > __NEW_UTS_LEN) | 
					
						
							|  |  |  | 		return -EINVAL; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	down_write(&uts_sem); | 
					
						
							|  |  |  | 	errno = -EFAULT; | 
					
						
							|  |  |  | 	if (!copy_from_user(tmp, name, len)) { | 
					
						
							| 
									
										
										
										
											2008-10-15 22:01:51 -07:00
										 |  |  | 		struct new_utsname *u = utsname(); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		memcpy(u->domainname, tmp, len); | 
					
						
							|  |  |  | 		memset(u->domainname + len, 0, sizeof(u->domainname) - len); | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 		errno = 0; | 
					
						
							| 
									
										
										
										
											2012-05-31 16:26:07 -07:00
										 |  |  | 		uts_proc_notify(UTS_PROC_DOMAINNAME); | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 	} | 
					
						
							|  |  |  | 	up_write(&uts_sem); | 
					
						
							|  |  |  | 	return errno; | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2009-01-14 14:14:26 +01:00
										 |  |  | SYSCALL_DEFINE2(getrlimit, unsigned int, resource, struct rlimit __user *, rlim) | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | { | 
					
						
							| 
									
										
										
										
											2010-05-04 11:28:25 +02:00
										 |  |  | 	struct rlimit value; | 
					
						
							|  |  |  | 	int ret; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	ret = do_prlimit(current, resource, NULL, &value); | 
					
						
							|  |  |  | 	if (!ret) | 
					
						
							|  |  |  | 		ret = copy_to_user(rlim, &value, sizeof(*rlim)) ? -EFAULT : 0; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	return ret; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | #ifdef __ARCH_WANT_SYS_OLD_GETRLIMIT
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | /*
 | 
					
						
							|  |  |  |  *	Back compatibility for getrlimit. Needed for some apps. | 
					
						
							|  |  |  |  */ | 
					
						
							|  |  |  |   | 
					
						
							| 
									
										
										
										
											2009-01-14 14:14:26 +01:00
										 |  |  | SYSCALL_DEFINE2(old_getrlimit, unsigned int, resource, | 
					
						
							|  |  |  | 		struct rlimit __user *, rlim) | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | { | 
					
						
							|  |  |  | 	struct rlimit x; | 
					
						
							|  |  |  | 	if (resource >= RLIM_NLIMITS) | 
					
						
							|  |  |  | 		return -EINVAL; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	task_lock(current->group_leader); | 
					
						
							|  |  |  | 	x = current->signal->rlim[resource]; | 
					
						
							|  |  |  | 	task_unlock(current->group_leader); | 
					
						
							| 
									
										
										
										
											2006-09-30 23:27:24 -07:00
										 |  |  | 	if (x.rlim_cur > 0x7FFFFFFF) | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 		x.rlim_cur = 0x7FFFFFFF; | 
					
						
							| 
									
										
										
										
											2006-09-30 23:27:24 -07:00
										 |  |  | 	if (x.rlim_max > 0x7FFFFFFF) | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 		x.rlim_max = 0x7FFFFFFF; | 
					
						
							|  |  |  | 	return copy_to_user(rlim, &x, sizeof(x))?-EFAULT:0; | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | #endif
 | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2010-05-04 18:03:50 +02:00
										 |  |  | static inline bool rlim64_is_infinity(__u64 rlim64) | 
					
						
							|  |  |  | { | 
					
						
							|  |  |  | #if BITS_PER_LONG < 64
 | 
					
						
							|  |  |  | 	return rlim64 >= ULONG_MAX; | 
					
						
							|  |  |  | #else
 | 
					
						
							|  |  |  | 	return rlim64 == RLIM64_INFINITY; | 
					
						
							|  |  |  | #endif
 | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | static void rlim_to_rlim64(const struct rlimit *rlim, struct rlimit64 *rlim64) | 
					
						
							|  |  |  | { | 
					
						
							|  |  |  | 	if (rlim->rlim_cur == RLIM_INFINITY) | 
					
						
							|  |  |  | 		rlim64->rlim_cur = RLIM64_INFINITY; | 
					
						
							|  |  |  | 	else | 
					
						
							|  |  |  | 		rlim64->rlim_cur = rlim->rlim_cur; | 
					
						
							|  |  |  | 	if (rlim->rlim_max == RLIM_INFINITY) | 
					
						
							|  |  |  | 		rlim64->rlim_max = RLIM64_INFINITY; | 
					
						
							|  |  |  | 	else | 
					
						
							|  |  |  | 		rlim64->rlim_max = rlim->rlim_max; | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | static void rlim64_to_rlim(const struct rlimit64 *rlim64, struct rlimit *rlim) | 
					
						
							|  |  |  | { | 
					
						
							|  |  |  | 	if (rlim64_is_infinity(rlim64->rlim_cur)) | 
					
						
							|  |  |  | 		rlim->rlim_cur = RLIM_INFINITY; | 
					
						
							|  |  |  | 	else | 
					
						
							|  |  |  | 		rlim->rlim_cur = (unsigned long)rlim64->rlim_cur; | 
					
						
							|  |  |  | 	if (rlim64_is_infinity(rlim64->rlim_max)) | 
					
						
							|  |  |  | 		rlim->rlim_max = RLIM_INFINITY; | 
					
						
							|  |  |  | 	else | 
					
						
							|  |  |  | 		rlim->rlim_max = (unsigned long)rlim64->rlim_max; | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2009-08-28 14:08:17 +02:00
										 |  |  | /* make sure you are allowed to change @tsk limits before calling this */ | 
					
						
							| 
									
										
										
										
											2010-03-24 16:11:29 +01:00
										 |  |  | int do_prlimit(struct task_struct *tsk, unsigned int resource, | 
					
						
							|  |  |  | 		struct rlimit *new_rlim, struct rlimit *old_rlim) | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | { | 
					
						
							| 
									
										
										
										
											2010-03-24 16:11:29 +01:00
										 |  |  | 	struct rlimit *rlim; | 
					
						
							| 
									
										
										
										
											2009-11-14 17:37:04 +01:00
										 |  |  | 	int retval = 0; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 
 | 
					
						
							|  |  |  | 	if (resource >= RLIM_NLIMITS) | 
					
						
							|  |  |  | 		return -EINVAL; | 
					
						
							| 
									
										
										
										
											2010-03-24 16:11:29 +01:00
										 |  |  | 	if (new_rlim) { | 
					
						
							|  |  |  | 		if (new_rlim->rlim_cur > new_rlim->rlim_max) | 
					
						
							|  |  |  | 			return -EINVAL; | 
					
						
							|  |  |  | 		if (resource == RLIMIT_NOFILE && | 
					
						
							|  |  |  | 				new_rlim->rlim_max > sysctl_nr_open) | 
					
						
							|  |  |  | 			return -EPERM; | 
					
						
							|  |  |  | 	} | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2009-08-28 14:08:17 +02:00
										 |  |  | 	/* protect tsk->signal and tsk->sighand from disappearing */ | 
					
						
							|  |  |  | 	read_lock(&tasklist_lock); | 
					
						
							|  |  |  | 	if (!tsk->sighand) { | 
					
						
							|  |  |  | 		retval = -ESRCH; | 
					
						
							|  |  |  | 		goto out; | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2010-03-24 16:11:29 +01:00
										 |  |  | 	rlim = tsk->signal->rlim + resource; | 
					
						
							| 
									
										
										
										
											2009-11-14 17:37:04 +01:00
										 |  |  | 	task_lock(tsk->group_leader); | 
					
						
							| 
									
										
										
										
											2010-03-24 16:11:29 +01:00
										 |  |  | 	if (new_rlim) { | 
					
						
							| 
									
										
										
										
											2011-03-23 16:43:22 -07:00
										 |  |  | 		/* Keep the capable check against init_user_ns until
 | 
					
						
							|  |  |  | 		   cgroups can contain all limits */ | 
					
						
							| 
									
										
										
										
											2010-03-24 16:11:29 +01:00
										 |  |  | 		if (new_rlim->rlim_max > rlim->rlim_max && | 
					
						
							|  |  |  | 				!capable(CAP_SYS_RESOURCE)) | 
					
						
							|  |  |  | 			retval = -EPERM; | 
					
						
							|  |  |  | 		if (!retval) | 
					
						
							|  |  |  | 			retval = security_task_setrlimit(tsk->group_leader, | 
					
						
							|  |  |  | 					resource, new_rlim); | 
					
						
							|  |  |  | 		if (resource == RLIMIT_CPU && new_rlim->rlim_cur == 0) { | 
					
						
							|  |  |  | 			/*
 | 
					
						
							|  |  |  | 			 * The caller is asking for an immediate RLIMIT_CPU | 
					
						
							|  |  |  | 			 * expiry.  But we use the zero value to mean "it was | 
					
						
							|  |  |  | 			 * never set".  So let's cheat and make it one second | 
					
						
							|  |  |  | 			 * instead | 
					
						
							|  |  |  | 			 */ | 
					
						
							|  |  |  | 			new_rlim->rlim_cur = 1; | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 	if (!retval) { | 
					
						
							|  |  |  | 		if (old_rlim) | 
					
						
							|  |  |  | 			*old_rlim = *rlim; | 
					
						
							|  |  |  | 		if (new_rlim) | 
					
						
							|  |  |  | 			*rlim = *new_rlim; | 
					
						
							| 
									
										
											  
											
												CPU time limit patch / setrlimit(RLIMIT_CPU, 0) cheat fix
As discovered here today, the change in Kernel 2.6.17 intended to inhibit
users from setting RLIMIT_CPU to 0 (as that is equivalent to unlimited) by
"cheating" and setting it to 1 in such a case, does not make a difference,
as the check is done in the wrong place (too late), and only applies to the
profiling code.
On all systems I checked running kernels above 2.6.17, no matter what the
hard and soft CPU time limits were before, a user could escape them by
issuing in the shell (sh/bash/zsh) "ulimit -t 0", and then the user's
process was not ever killed.
Attached is a trivial patch to fix that.  Simply moving the check to a
slightly earlier location (specifically, before the line that actually
assigns the limit - *old_rlim = new_rlim), does the trick.
Do note that at least the zsh (but not ash, dash, or bash) shell has the
problem of "caching" the limits set by the ulimit command, so when running
zsh the fix will not immediately be evident - after entering "ulimit -t 0",
"ulimit -a" will show "-t: cpu time (seconds) 0", even though the actual
limit as returned by getrlimit(...) will be 1.  It can be verified by
opening a subshell (which will not have the values of the parent shell in
cache) and checking in it, or just by running a CPU intensive command like
"echo '65536^1048576' | bc" and verifying that it dumps core after one
second.
Regardless of whether that is a misfeature in the shell, perhaps it would
be better to return -EINVAL from setrlimit in such a case instead of
cheating and setting to 1, as that does not really reflect the actual state
of the process anymore.  I do not however know what the ground for that
decision was in the original 2.6.17 change, and whether there would be any
"backward" compatibility issues, so I preferred not to touch that right
now.
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
											
										 
											2007-05-08 00:30:31 -07:00
										 |  |  | 	} | 
					
						
							| 
									
										
										
										
											2009-08-26 23:45:34 +02:00
										 |  |  | 	task_unlock(tsk->group_leader); | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2006-03-24 03:18:36 -08:00
										 |  |  | 	/*
 | 
					
						
							|  |  |  | 	 * RLIMIT_CPU handling.   Note that the kernel fails to return an error | 
					
						
							|  |  |  | 	 * code if it rejected the user's attempt to set RLIMIT_CPU.  This is a | 
					
						
							|  |  |  | 	 * very long-standing error, and fixing it now risks breakage of | 
					
						
							|  |  |  | 	 * applications, so we live with it | 
					
						
							|  |  |  | 	 */ | 
					
						
							| 
									
										
										
										
											2010-03-24 16:11:29 +01:00
										 |  |  | 	 if (!retval && new_rlim && resource == RLIMIT_CPU && | 
					
						
							|  |  |  | 			 new_rlim->rlim_cur != RLIM_INFINITY) | 
					
						
							|  |  |  | 		update_rlimit_cpu(tsk, new_rlim->rlim_cur); | 
					
						
							| 
									
										
										
										
											2006-03-24 03:18:34 -08:00
										 |  |  | out: | 
					
						
							| 
									
										
										
										
											2009-08-28 14:08:17 +02:00
										 |  |  | 	read_unlock(&tasklist_lock); | 
					
						
							| 
									
										
										
										
											2009-09-03 19:21:45 +02:00
										 |  |  | 	return retval; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2010-05-04 18:03:50 +02:00
										 |  |  | /* rcu lock must be held */ | 
					
						
							|  |  |  | static int check_prlimit_permission(struct task_struct *task) | 
					
						
							|  |  |  | { | 
					
						
							|  |  |  | 	const struct cred *cred = current_cred(), *tcred; | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-03-23 16:43:22 -07:00
										 |  |  | 	if (current == task) | 
					
						
							|  |  |  | 		return 0; | 
					
						
							| 
									
										
										
										
											2010-05-04 18:03:50 +02:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-03-23 16:43:22 -07:00
										 |  |  | 	tcred = __task_cred(task); | 
					
						
							| 
									
										
										
										
											2012-03-03 20:21:47 -08:00
										 |  |  | 	if (uid_eq(cred->uid, tcred->euid) && | 
					
						
							|  |  |  | 	    uid_eq(cred->uid, tcred->suid) && | 
					
						
							|  |  |  | 	    uid_eq(cred->uid, tcred->uid)  && | 
					
						
							|  |  |  | 	    gid_eq(cred->gid, tcred->egid) && | 
					
						
							|  |  |  | 	    gid_eq(cred->gid, tcred->sgid) && | 
					
						
							|  |  |  | 	    gid_eq(cred->gid, tcred->gid)) | 
					
						
							| 
									
										
										
										
											2011-03-23 16:43:22 -07:00
										 |  |  | 		return 0; | 
					
						
							| 
									
										
										
										
											2011-11-16 23:15:31 -08:00
										 |  |  | 	if (ns_capable(tcred->user_ns, CAP_SYS_RESOURCE)) | 
					
						
							| 
									
										
										
										
											2011-03-23 16:43:22 -07:00
										 |  |  | 		return 0; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	return -EPERM; | 
					
						
							| 
									
										
										
										
											2010-05-04 18:03:50 +02:00
										 |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | SYSCALL_DEFINE4(prlimit64, pid_t, pid, unsigned int, resource, | 
					
						
							|  |  |  | 		const struct rlimit64 __user *, new_rlim, | 
					
						
							|  |  |  | 		struct rlimit64 __user *, old_rlim) | 
					
						
							|  |  |  | { | 
					
						
							|  |  |  | 	struct rlimit64 old64, new64; | 
					
						
							|  |  |  | 	struct rlimit old, new; | 
					
						
							|  |  |  | 	struct task_struct *tsk; | 
					
						
							|  |  |  | 	int ret; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	if (new_rlim) { | 
					
						
							|  |  |  | 		if (copy_from_user(&new64, new_rlim, sizeof(new64))) | 
					
						
							|  |  |  | 			return -EFAULT; | 
					
						
							|  |  |  | 		rlim64_to_rlim(&new64, &new); | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	rcu_read_lock(); | 
					
						
							|  |  |  | 	tsk = pid ? find_task_by_vpid(pid) : current; | 
					
						
							|  |  |  | 	if (!tsk) { | 
					
						
							|  |  |  | 		rcu_read_unlock(); | 
					
						
							|  |  |  | 		return -ESRCH; | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 	ret = check_prlimit_permission(tsk); | 
					
						
							|  |  |  | 	if (ret) { | 
					
						
							|  |  |  | 		rcu_read_unlock(); | 
					
						
							|  |  |  | 		return ret; | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 	get_task_struct(tsk); | 
					
						
							|  |  |  | 	rcu_read_unlock(); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	ret = do_prlimit(tsk, resource, new_rlim ? &new : NULL, | 
					
						
							|  |  |  | 			old_rlim ? &old : NULL); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	if (!ret && old_rlim) { | 
					
						
							|  |  |  | 		rlim_to_rlim64(&old, &old64); | 
					
						
							|  |  |  | 		if (copy_to_user(old_rlim, &old64, sizeof(old64))) | 
					
						
							|  |  |  | 			ret = -EFAULT; | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	put_task_struct(tsk); | 
					
						
							|  |  |  | 	return ret; | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2009-08-26 23:45:34 +02:00
										 |  |  | SYSCALL_DEFINE2(setrlimit, unsigned int, resource, struct rlimit __user *, rlim) | 
					
						
							|  |  |  | { | 
					
						
							|  |  |  | 	struct rlimit new_rlim; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	if (copy_from_user(&new_rlim, rlim, sizeof(*rlim))) | 
					
						
							|  |  |  | 		return -EFAULT; | 
					
						
							| 
									
										
										
										
											2010-03-24 16:11:29 +01:00
										 |  |  | 	return do_prlimit(current, resource, &new_rlim, NULL); | 
					
						
							| 
									
										
										
										
											2009-08-26 23:45:34 +02:00
										 |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | /*
 | 
					
						
							|  |  |  |  * It would make sense to put struct rusage in the task_struct, | 
					
						
							|  |  |  |  * except that would make the task_struct be *really big*.  After | 
					
						
							|  |  |  |  * task_struct gets moved into malloc'ed memory, it would | 
					
						
							|  |  |  |  * make sense to do this.  It will make moving the rest of the information | 
					
						
							|  |  |  |  * a lot simpler!  (Which we're not doing right now because we're not | 
					
						
							|  |  |  |  * measuring them yet). | 
					
						
							|  |  |  |  * | 
					
						
							|  |  |  |  * When sampling multiple threads for RUSAGE_SELF, under SMP we might have | 
					
						
							|  |  |  |  * races with threads incrementing their own counters.  But since word | 
					
						
							|  |  |  |  * reads are atomic, we either get new values or old values and we don't | 
					
						
							|  |  |  |  * care which for the sums.  We always take the siglock to protect reading | 
					
						
							|  |  |  |  * the c* fields from p->signal from races with exit.c updating those | 
					
						
							|  |  |  |  * fields when reaping, so a sample either gets all the additions of a | 
					
						
							|  |  |  |  * given child after it's reaped, or none so this sample is before reaping. | 
					
						
							| 
									
										
										
										
											2006-03-23 03:00:13 -08:00
										 |  |  |  * | 
					
						
							| 
									
										
										
										
											2006-06-22 14:47:26 -07:00
										 |  |  |  * Locking: | 
					
						
							|  |  |  |  * We need to take the siglock for CHILDEREN, SELF and BOTH | 
					
						
							|  |  |  |  * for  the cases current multithreaded, non-current single threaded | 
					
						
							|  |  |  |  * non-current multithreaded.  Thread traversal is now safe with | 
					
						
							|  |  |  |  * the siglock held. | 
					
						
							|  |  |  |  * Strictly speaking, we donot need to take the siglock if we are current and | 
					
						
							|  |  |  |  * single threaded,  as no one else can take our signal_struct away, no one | 
					
						
							|  |  |  |  * else can  reap the  children to update signal->c* counters, and no one else | 
					
						
							|  |  |  |  * can race with the signal-> fields. If we do not take any lock, the | 
					
						
							|  |  |  |  * signal-> fields could be read out of order while another thread was just | 
					
						
							|  |  |  |  * exiting. So we should  place a read memory barrier when we avoid the lock. | 
					
						
							|  |  |  |  * On the writer side,  write memory barrier is implied in  __exit_signal | 
					
						
							|  |  |  |  * as __exit_signal releases  the siglock spinlock after updating the signal-> | 
					
						
							|  |  |  |  * fields. But we don't do this yet to keep things simple. | 
					
						
							| 
									
										
										
										
											2006-03-23 03:00:13 -08:00
										 |  |  |  * | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  |  */ | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
											  
											
												timers: fix itimer/many thread hang
Overview
This patch reworks the handling of POSIX CPU timers, including the
ITIMER_PROF, ITIMER_VIRT timers and rlimit handling.  It was put together
with the help of Roland McGrath, the owner and original writer of this code.
The problem we ran into, and the reason for this rework, has to do with using
a profiling timer in a process with a large number of threads.  It appears
that the performance of the old implementation of run_posix_cpu_timers() was
at least O(n*3) (where "n" is the number of threads in a process) or worse.
Everything is fine with an increasing number of threads until the time taken
for that routine to run becomes the same as or greater than the tick time, at
which point things degrade rather quickly.
This patch fixes bug 9906, "Weird hang with NPTL and SIGPROF."
Code Changes
This rework corrects the implementation of run_posix_cpu_timers() to make it
run in constant time for a particular machine.  (Performance may vary between
one machine and another depending upon whether the kernel is built as single-
or multiprocessor and, in the latter case, depending upon the number of
running processors.)  To do this, at each tick we now update fields in
signal_struct as well as task_struct.  The run_posix_cpu_timers() function
uses those fields to make its decisions.
We define a new structure, "task_cputime," to contain user, system and
scheduler times and use these in appropriate places:
struct task_cputime {
	cputime_t utime;
	cputime_t stime;
	unsigned long long sum_exec_runtime;
};
This is included in the structure "thread_group_cputime," which is a new
substructure of signal_struct and which varies for uniprocessor versus
multiprocessor kernels.  For uniprocessor kernels, it uses "task_cputime" as
a simple substructure, while for multiprocessor kernels it is a pointer:
struct thread_group_cputime {
	struct task_cputime totals;
};
struct thread_group_cputime {
	struct task_cputime *totals;
};
We also add a new task_cputime substructure directly to signal_struct, to
cache the earliest expiration of process-wide timers, and task_cputime also
replaces the it_*_expires fields of task_struct (used for earliest expiration
of thread timers).  The "thread_group_cputime" structure contains process-wide
timers that are updated via account_user_time() and friends.  In the non-SMP
case the structure is a simple aggregator; unfortunately in the SMP case that
simplicity was not achievable due to cache-line contention between CPUs (in
one measured case performance was actually _worse_ on a 16-cpu system than
the same test on a 4-cpu system, due to this contention).  For SMP, the
thread_group_cputime counters are maintained as a per-cpu structure allocated
using alloc_percpu().  The timer functions update only the timer field in
the structure corresponding to the running CPU, obtained using per_cpu_ptr().
We define a set of inline functions in sched.h that we use to maintain the
thread_group_cputime structure and hide the differences between UP and SMP
implementations from the rest of the kernel.  The thread_group_cputime_init()
function initializes the thread_group_cputime structure for the given task.
The thread_group_cputime_alloc() is a no-op for UP; for SMP it calls the
out-of-line function thread_group_cputime_alloc_smp() to allocate and fill
in the per-cpu structures and fields.  The thread_group_cputime_free()
function, also a no-op for UP, in SMP frees the per-cpu structures.  The
thread_group_cputime_clone_thread() function (also a UP no-op) for SMP calls
thread_group_cputime_alloc() if the per-cpu structures haven't yet been
allocated.  The thread_group_cputime() function fills the task_cputime
structure it is passed with the contents of the thread_group_cputime fields;
in UP it's that simple but in SMP it must also safely check that tsk->signal
is non-NULL (if it is it just uses the appropriate fields of task_struct) and,
if so, sums the per-cpu values for each online CPU.  Finally, the three
functions account_group_user_time(), account_group_system_time() and
account_group_exec_runtime() are used by timer functions to update the
respective fields of the thread_group_cputime structure.
Non-SMP operation is trivial and will not be mentioned further.
The per-cpu structure is always allocated when a task creates its first new
thread, via a call to thread_group_cputime_clone_thread() from copy_signal().
It is freed at process exit via a call to thread_group_cputime_free() from
cleanup_signal().
All functions that formerly summed utime/stime/sum_sched_runtime values from
from all threads in the thread group now use thread_group_cputime() to
snapshot the values in the thread_group_cputime structure or the values in
the task structure itself if the per-cpu structure hasn't been allocated.
Finally, the code in kernel/posix-cpu-timers.c has changed quite a bit.
The run_posix_cpu_timers() function has been split into a fast path and a
slow path; the former safely checks whether there are any expired thread
timers and, if not, just returns, while the slow path does the heavy lifting.
With the dedicated thread group fields, timers are no longer "rebalanced" and
the process_timer_rebalance() function and related code has gone away.  All
summing loops are gone and all code that used them now uses the
thread_group_cputime() inline.  When process-wide timers are set, the new
task_cputime structure in signal_struct is used to cache the earliest
expiration; this is checked in the fast path.
Performance
The fix appears not to add significant overhead to existing operations.  It
generally performs the same as the current code except in two cases, one in
which it performs slightly worse (Case 5 below) and one in which it performs
very significantly better (Case 2 below).  Overall it's a wash except in those
two cases.
I've since done somewhat more involved testing on a dual-core Opteron system.
Case 1: With no itimer running, for a test with 100,000 threads, the fixed
	kernel took 1428.5 seconds, 513 seconds more than the unfixed system,
	all of which was spent in the system.  There were twice as many
	voluntary context switches with the fix as without it.
Case 2: With an itimer running at .01 second ticks and 4000 threads (the most
	an unmodified kernel can handle), the fixed kernel ran the test in
	eight percent of the time (5.8 seconds as opposed to 70 seconds) and
	had better tick accuracy (.012 seconds per tick as opposed to .023
	seconds per tick).
Case 3: A 4000-thread test with an initial timer tick of .01 second and an
	interval of 10,000 seconds (i.e. a timer that ticks only once) had
	very nearly the same performance in both cases:  6.3 seconds elapsed
	for the fixed kernel versus 5.5 seconds for the unfixed kernel.
With fewer threads (eight in these tests), the Case 1 test ran in essentially
the same time on both the modified and unmodified kernels (5.2 seconds versus
5.8 seconds).  The Case 2 test ran in about the same time as well, 5.9 seconds
versus 5.4 seconds but again with much better tick accuracy, .013 seconds per
tick versus .025 seconds per tick for the unmodified kernel.
Since the fix affected the rlimit code, I also tested soft and hard CPU limits.
Case 4: With a hard CPU limit of 20 seconds and eight threads (and an itimer
	running), the modified kernel was very slightly favored in that while
	it killed the process in 19.997 seconds of CPU time (5.002 seconds of
	wall time), only .003 seconds of that was system time, the rest was
	user time.  The unmodified kernel killed the process in 20.001 seconds
	of CPU (5.014 seconds of wall time) of which .016 seconds was system
	time.  Really, though, the results were too close to call.  The results
	were essentially the same with no itimer running.
Case 5: With a soft limit of 20 seconds and a hard limit of 2000 seconds
	(where the hard limit would never be reached) and an itimer running,
	the modified kernel exhibited worse tick accuracy than the unmodified
	kernel: .050 seconds/tick versus .028 seconds/tick.  Otherwise,
	performance was almost indistinguishable.  With no itimer running this
	test exhibited virtually identical behavior and times in both cases.
In times past I did some limited performance testing.  those results are below.
On a four-cpu Opteron system without this fix, a sixteen-thread test executed
in 3569.991 seconds, of which user was 3568.435s and system was 1.556s.  On
the same system with the fix, user and elapsed time were about the same, but
system time dropped to 0.007 seconds.  Performance with eight, four and one
thread were comparable.  Interestingly, the timer ticks with the fix seemed
more accurate:  The sixteen-thread test with the fix received 149543 ticks
for 0.024 seconds per tick, while the same test without the fix received 58720
for 0.061 seconds per tick.  Both cases were configured for an interval of
0.01 seconds.  Again, the other tests were comparable.  Each thread in this
test computed the primes up to 25,000,000.
I also did a test with a large number of threads, 100,000 threads, which is
impossible without the fix.  In this case each thread computed the primes only
up to 10,000 (to make the runtime manageable).  System time dominated, at
1546.968 seconds out of a total 2176.906 seconds (giving a user time of
629.938s).  It received 147651 ticks for 0.015 seconds per tick, still quite
accurate.  There is obviously no comparable test without the fix.
Signed-off-by: Frank Mayhar <fmayhar@google.com>
Cc: Roland McGrath <roland@redhat.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
											
										 
											2008-09-12 09:54:39 -07:00
										 |  |  | static void accumulate_thread_rusage(struct task_struct *t, struct rusage *r) | 
					
						
							| 
									
										
										
										
											2008-04-29 00:58:42 -07:00
										 |  |  | { | 
					
						
							|  |  |  | 	r->ru_nvcsw += t->nvcsw; | 
					
						
							|  |  |  | 	r->ru_nivcsw += t->nivcsw; | 
					
						
							|  |  |  | 	r->ru_minflt += t->min_flt; | 
					
						
							|  |  |  | 	r->ru_majflt += t->maj_flt; | 
					
						
							|  |  |  | 	r->ru_inblock += task_io_get_inblock(t); | 
					
						
							|  |  |  | 	r->ru_oublock += task_io_get_oublock(t); | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | static void k_getrusage(struct task_struct *p, int who, struct rusage *r) | 
					
						
							|  |  |  | { | 
					
						
							|  |  |  | 	struct task_struct *t; | 
					
						
							|  |  |  | 	unsigned long flags; | 
					
						
							| 
									
										
											  
											
												sched, cputime: Introduce thread_group_times()
This is a real fix for problem of utime/stime values decreasing
described in the thread:
   http://lkml.org/lkml/2009/11/3/522
Now cputime is accounted in the following way:
 - {u,s}time in task_struct are increased every time when the thread
   is interrupted by a tick (timer interrupt).
 - When a thread exits, its {u,s}time are added to signal->{u,s}time,
   after adjusted by task_times().
 - When all threads in a thread_group exits, accumulated {u,s}time
   (and also c{u,s}time) in signal struct are added to c{u,s}time
   in signal struct of the group's parent.
So {u,s}time in task struct are "raw" tick count, while
{u,s}time and c{u,s}time in signal struct are "adjusted" values.
And accounted values are used by:
 - task_times(), to get cputime of a thread:
   This function returns adjusted values that originates from raw
   {u,s}time and scaled by sum_exec_runtime that accounted by CFS.
 - thread_group_cputime(), to get cputime of a thread group:
   This function returns sum of all {u,s}time of living threads in
   the group, plus {u,s}time in the signal struct that is sum of
   adjusted cputimes of all exited threads belonged to the group.
The problem is the return value of thread_group_cputime(),
because it is mixed sum of "raw" value and "adjusted" value:
  group's {u,s}time = foreach(thread){{u,s}time} + exited({u,s}time)
This misbehavior can break {u,s}time monotonicity.
Assume that if there is a thread that have raw values greater
than adjusted values (e.g. interrupted by 1000Hz ticks 50 times
but only runs 45ms) and if it exits, cputime will decrease (e.g.
-5ms).
To fix this, we could do:
  group's {u,s}time = foreach(t){task_times(t)} + exited({u,s}time)
But task_times() contains hard divisions, so applying it for
every thread should be avoided.
This patch fixes the above problem in the following way:
 - Modify thread's exit (= __exit_signal()) not to use task_times().
   It means {u,s}time in signal struct accumulates raw values instead
   of adjusted values.  As the result it makes thread_group_cputime()
   to return pure sum of "raw" values.
 - Introduce a new function thread_group_times(*task, *utime, *stime)
   that converts "raw" values of thread_group_cputime() to "adjusted"
   values, in same calculation procedure as task_times().
 - Modify group's exit (= wait_task_zombie()) to use this introduced
   thread_group_times().  It make c{u,s}time in signal struct to
   have adjusted values like before this patch.
 - Replace some thread_group_cputime() by thread_group_times().
   This replacements are only applied where conveys the "adjusted"
   cputime to users, and where already uses task_times() near by it.
   (i.e. sys_times(), getrusage(), and /proc/<PID>/stat.)
This patch have a positive side effect:
 - Before this patch, if a group contains many short-life threads
   (e.g. runs 0.9ms and not interrupted by ticks), the group's
   cputime could be invisible since thread's cputime was accumulated
   after adjusted: imagine adjustment function as adj(ticks, runtime),
     {adj(0, 0.9) + adj(0, 0.9) + ....} = {0 + 0 + ....} = 0.
   After this patch it will not happen because the adjustment is
   applied after accumulated.
v2:
 - remove if()s, put new variables into signal_struct.
Signed-off-by: Hidetoshi Seto <seto.hidetoshi@jp.fujitsu.com>
Acked-by: Peter Zijlstra <peterz@infradead.org>
Cc: Spencer Candland <spencer@bluehost.com>
Cc: Americo Wang <xiyou.wangcong@gmail.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Balbir Singh <balbir@in.ibm.com>
Cc: Stanislaw Gruszka <sgruszka@redhat.com>
LKML-Reference: <4B162517.8040909@jp.fujitsu.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
											
										 
											2009-12-02 17:28:07 +09:00
										 |  |  | 	cputime_t tgutime, tgstime, utime, stime; | 
					
						
							| 
									
										
											  
											
												getrusage: fill ru_maxrss value
Make ->ru_maxrss value in struct rusage filled accordingly to rss hiwater
mark.  This struct is filled as a parameter to getrusage syscall.
->ru_maxrss value is set to KBs which is the way it is done in BSD
systems.  /usr/bin/time (gnu time) application converts ->ru_maxrss to KBs
which seems to be incorrect behavior.  Maintainer of this util was
notified by me with the patch which corrects it and cc'ed.
To make this happen we extend struct signal_struct by two fields.  The
first one is ->maxrss which we use to store rss hiwater of the task.  The
second one is ->cmaxrss which we use to store highest rss hiwater of all
task childs.  These values are used in k_getrusage() to actually fill
->ru_maxrss.  k_getrusage() uses current rss hiwater value directly if mm
struct exists.
Note:
exec() clear mm->hiwater_rss, but doesn't clear sig->maxrss.
it is intetionally behavior. *BSD getrusage have exec() inheriting.
test programs
========================================================
getrusage.c
===========
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <sys/types.h>
 #include <sys/time.h>
 #include <sys/resource.h>
 #include <sys/types.h>
 #include <sys/wait.h>
 #include <unistd.h>
 #include <signal.h>
 #include <sys/mman.h>
 #include "common.h"
 #define err(str) perror(str), exit(1)
int main(int argc, char** argv)
{
	int status;
	printf("allocate 100MB\n");
	consume(100);
	printf("testcase1: fork inherit? \n");
	printf("  expect: initial.self ~= child.self\n");
	show_rusage("initial");
	if (__fork()) {
		wait(&status);
	} else {
		show_rusage("fork child");
		_exit(0);
	}
	printf("\n");
	printf("testcase2: fork inherit? (cont.) \n");
	printf("  expect: initial.children ~= 100MB, but child.children = 0\n");
	show_rusage("initial");
	if (__fork()) {
		wait(&status);
	} else {
		show_rusage("child");
		_exit(0);
	}
	printf("\n");
	printf("testcase3: fork + malloc \n");
	printf("  expect: child.self ~= initial.self + 50MB\n");
	show_rusage("initial");
	if (__fork()) {
		wait(&status);
	} else {
		printf("allocate +50MB\n");
		consume(50);
		show_rusage("fork child");
		_exit(0);
	}
	printf("\n");
	printf("testcase4: grandchild maxrss\n");
	printf("  expect: post_wait.children ~= 300MB\n");
	show_rusage("initial");
	if (__fork()) {
		wait(&status);
		show_rusage("post_wait");
	} else {
		system("./child -n 0 -g 300");
		_exit(0);
	}
	printf("\n");
	printf("testcase5: zombie\n");
	printf("  expect: pre_wait ~= initial, IOW the zombie process is not accounted.\n");
	printf("          post_wait ~= 400MB, IOW wait() collect child's max_rss. \n");
	show_rusage("initial");
	if (__fork()) {
		sleep(1); /* children become zombie */
		show_rusage("pre_wait");
		wait(&status);
		show_rusage("post_wait");
	} else {
		system("./child -n 400");
		_exit(0);
	}
	printf("\n");
	printf("testcase6: SIG_IGN\n");
	printf("  expect: initial ~= after_zombie (child's 500MB alloc should be ignored).\n");
	show_rusage("initial");
	signal(SIGCHLD, SIG_IGN);
	if (__fork()) {
		sleep(1); /* children become zombie */
		show_rusage("after_zombie");
	} else {
		system("./child -n 500");
		_exit(0);
	}
	printf("\n");
	signal(SIGCHLD, SIG_DFL);
	printf("testcase7: exec (without fork) \n");
	printf("  expect: initial ~= exec \n");
	show_rusage("initial");
	execl("./child", "child", "-v", NULL);
	return 0;
}
child.c
=======
 #include <sys/types.h>
 #include <unistd.h>
 #include <sys/types.h>
 #include <sys/wait.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <sys/types.h>
 #include <sys/time.h>
 #include <sys/resource.h>
 #include "common.h"
int main(int argc, char** argv)
{
	int status;
	int c;
	long consume_size = 0;
	long grandchild_consume_size = 0;
	int show = 0;
	while ((c = getopt(argc, argv, "n:g:v")) != -1) {
		switch (c) {
		case 'n':
			consume_size = atol(optarg);
			break;
		case 'v':
			show = 1;
			break;
		case 'g':
			grandchild_consume_size = atol(optarg);
			break;
		default:
			break;
		}
	}
	if (show)
		show_rusage("exec");
	if (consume_size) {
		printf("child alloc %ldMB\n", consume_size);
		consume(consume_size);
	}
	if (grandchild_consume_size) {
		if (fork()) {
			wait(&status);
		} else {
			printf("grandchild alloc %ldMB\n", grandchild_consume_size);
			consume(grandchild_consume_size);
			exit(0);
		}
	}
	return 0;
}
common.c
========
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <sys/types.h>
 #include <sys/time.h>
 #include <sys/resource.h>
 #include <sys/types.h>
 #include <sys/wait.h>
 #include <unistd.h>
 #include <signal.h>
 #include <sys/mman.h>
 #include "common.h"
 #define err(str) perror(str), exit(1)
void show_rusage(char *prefix)
{
    	int err, err2;
    	struct rusage rusage_self;
    	struct rusage rusage_children;
    	printf("%s: ", prefix);
    	err = getrusage(RUSAGE_SELF, &rusage_self);
    	if (!err)
    		printf("self %ld ", rusage_self.ru_maxrss);
    	err2 = getrusage(RUSAGE_CHILDREN, &rusage_children);
    	if (!err2)
    		printf("children %ld ", rusage_children.ru_maxrss);
    	printf("\n");
}
/* Some buggy OS need this worthless CPU waste. */
void make_pagefault(void)
{
	void *addr;
	int size = getpagesize();
	int i;
	for (i=0; i<1000; i++) {
		addr = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANON, -1, 0);
		if (addr == MAP_FAILED)
			err("make_pagefault");
		memset(addr, 0, size);
		munmap(addr, size);
	}
}
void consume(int mega)
{
    	size_t sz = mega * 1024 * 1024;
    	void *ptr;
    	ptr = malloc(sz);
    	memset(ptr, 0, sz);
	make_pagefault();
}
pid_t __fork(void)
{
	pid_t pid;
	pid = fork();
	make_pagefault();
	return pid;
}
common.h
========
void show_rusage(char *prefix);
void make_pagefault(void);
void consume(int mega);
pid_t __fork(void);
FreeBSD result (expected result)
========================================================
allocate 100MB
testcase1: fork inherit?
  expect: initial.self ~= child.self
initial: self 103492 children 0
fork child: self 103540 children 0
testcase2: fork inherit? (cont.)
  expect: initial.children ~= 100MB, but child.children = 0
initial: self 103540 children 103540
child: self 103564 children 0
testcase3: fork + malloc
  expect: child.self ~= initial.self + 50MB
initial: self 103564 children 103564
allocate +50MB
fork child: self 154860 children 0
testcase4: grandchild maxrss
  expect: post_wait.children ~= 300MB
initial: self 103564 children 154860
grandchild alloc 300MB
post_wait: self 103564 children 308720
testcase5: zombie
  expect: pre_wait ~= initial, IOW the zombie process is not accounted.
          post_wait ~= 400MB, IOW wait() collect child's max_rss.
initial: self 103564 children 308720
child alloc 400MB
pre_wait: self 103564 children 308720
post_wait: self 103564 children 411312
testcase6: SIG_IGN
  expect: initial ~= after_zombie (child's 500MB alloc should be ignored).
initial: self 103564 children 411312
child alloc 500MB
after_zombie: self 103624 children 411312
testcase7: exec (without fork)
  expect: initial ~= exec
initial: self 103624 children 411312
exec: self 103624 children 411312
Linux result (actual test result)
========================================================
allocate 100MB
testcase1: fork inherit?
  expect: initial.self ~= child.self
initial: self 102848 children 0
fork child: self 102572 children 0
testcase2: fork inherit? (cont.)
  expect: initial.children ~= 100MB, but child.children = 0
initial: self 102876 children 102644
child: self 102572 children 0
testcase3: fork + malloc
  expect: child.self ~= initial.self + 50MB
initial: self 102876 children 102644
allocate +50MB
fork child: self 153804 children 0
testcase4: grandchild maxrss
  expect: post_wait.children ~= 300MB
initial: self 102876 children 153864
grandchild alloc 300MB
post_wait: self 102876 children 307536
testcase5: zombie
  expect: pre_wait ~= initial, IOW the zombie process is not accounted.
          post_wait ~= 400MB, IOW wait() collect child's max_rss.
initial: self 102876 children 307536
child alloc 400MB
pre_wait: self 102876 children 307536
post_wait: self 102876 children 410076
testcase6: SIG_IGN
  expect: initial ~= after_zombie (child's 500MB alloc should be ignored).
initial: self 102876 children 410076
child alloc 500MB
after_zombie: self 102880 children 410076
testcase7: exec (without fork)
  expect: initial ~= exec
initial: self 102880 children 410076
exec: self 102880 children 410076
Signed-off-by: Jiri Pirko <jpirko@redhat.com>
Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Hugh Dickins <hugh.dickins@tiscali.co.uk>
Cc: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
											
										 
											2009-09-22 16:44:10 -07:00
										 |  |  | 	unsigned long maxrss = 0; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 
 | 
					
						
							|  |  |  | 	memset((char *) r, 0, sizeof *r); | 
					
						
							| 
									
										
										
										
											2011-12-15 14:56:09 +01:00
										 |  |  | 	utime = stime = 0; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2008-04-29 00:58:42 -07:00
										 |  |  | 	if (who == RUSAGE_THREAD) { | 
					
						
							| 
									
										
										
										
											2012-11-21 16:26:44 +01:00
										 |  |  | 		task_cputime_adjusted(current, &utime, &stime); | 
					
						
							| 
									
										
											  
											
												timers: fix itimer/many thread hang
Overview
This patch reworks the handling of POSIX CPU timers, including the
ITIMER_PROF, ITIMER_VIRT timers and rlimit handling.  It was put together
with the help of Roland McGrath, the owner and original writer of this code.
The problem we ran into, and the reason for this rework, has to do with using
a profiling timer in a process with a large number of threads.  It appears
that the performance of the old implementation of run_posix_cpu_timers() was
at least O(n*3) (where "n" is the number of threads in a process) or worse.
Everything is fine with an increasing number of threads until the time taken
for that routine to run becomes the same as or greater than the tick time, at
which point things degrade rather quickly.
This patch fixes bug 9906, "Weird hang with NPTL and SIGPROF."
Code Changes
This rework corrects the implementation of run_posix_cpu_timers() to make it
run in constant time for a particular machine.  (Performance may vary between
one machine and another depending upon whether the kernel is built as single-
or multiprocessor and, in the latter case, depending upon the number of
running processors.)  To do this, at each tick we now update fields in
signal_struct as well as task_struct.  The run_posix_cpu_timers() function
uses those fields to make its decisions.
We define a new structure, "task_cputime," to contain user, system and
scheduler times and use these in appropriate places:
struct task_cputime {
	cputime_t utime;
	cputime_t stime;
	unsigned long long sum_exec_runtime;
};
This is included in the structure "thread_group_cputime," which is a new
substructure of signal_struct and which varies for uniprocessor versus
multiprocessor kernels.  For uniprocessor kernels, it uses "task_cputime" as
a simple substructure, while for multiprocessor kernels it is a pointer:
struct thread_group_cputime {
	struct task_cputime totals;
};
struct thread_group_cputime {
	struct task_cputime *totals;
};
We also add a new task_cputime substructure directly to signal_struct, to
cache the earliest expiration of process-wide timers, and task_cputime also
replaces the it_*_expires fields of task_struct (used for earliest expiration
of thread timers).  The "thread_group_cputime" structure contains process-wide
timers that are updated via account_user_time() and friends.  In the non-SMP
case the structure is a simple aggregator; unfortunately in the SMP case that
simplicity was not achievable due to cache-line contention between CPUs (in
one measured case performance was actually _worse_ on a 16-cpu system than
the same test on a 4-cpu system, due to this contention).  For SMP, the
thread_group_cputime counters are maintained as a per-cpu structure allocated
using alloc_percpu().  The timer functions update only the timer field in
the structure corresponding to the running CPU, obtained using per_cpu_ptr().
We define a set of inline functions in sched.h that we use to maintain the
thread_group_cputime structure and hide the differences between UP and SMP
implementations from the rest of the kernel.  The thread_group_cputime_init()
function initializes the thread_group_cputime structure for the given task.
The thread_group_cputime_alloc() is a no-op for UP; for SMP it calls the
out-of-line function thread_group_cputime_alloc_smp() to allocate and fill
in the per-cpu structures and fields.  The thread_group_cputime_free()
function, also a no-op for UP, in SMP frees the per-cpu structures.  The
thread_group_cputime_clone_thread() function (also a UP no-op) for SMP calls
thread_group_cputime_alloc() if the per-cpu structures haven't yet been
allocated.  The thread_group_cputime() function fills the task_cputime
structure it is passed with the contents of the thread_group_cputime fields;
in UP it's that simple but in SMP it must also safely check that tsk->signal
is non-NULL (if it is it just uses the appropriate fields of task_struct) and,
if so, sums the per-cpu values for each online CPU.  Finally, the three
functions account_group_user_time(), account_group_system_time() and
account_group_exec_runtime() are used by timer functions to update the
respective fields of the thread_group_cputime structure.
Non-SMP operation is trivial and will not be mentioned further.
The per-cpu structure is always allocated when a task creates its first new
thread, via a call to thread_group_cputime_clone_thread() from copy_signal().
It is freed at process exit via a call to thread_group_cputime_free() from
cleanup_signal().
All functions that formerly summed utime/stime/sum_sched_runtime values from
from all threads in the thread group now use thread_group_cputime() to
snapshot the values in the thread_group_cputime structure or the values in
the task structure itself if the per-cpu structure hasn't been allocated.
Finally, the code in kernel/posix-cpu-timers.c has changed quite a bit.
The run_posix_cpu_timers() function has been split into a fast path and a
slow path; the former safely checks whether there are any expired thread
timers and, if not, just returns, while the slow path does the heavy lifting.
With the dedicated thread group fields, timers are no longer "rebalanced" and
the process_timer_rebalance() function and related code has gone away.  All
summing loops are gone and all code that used them now uses the
thread_group_cputime() inline.  When process-wide timers are set, the new
task_cputime structure in signal_struct is used to cache the earliest
expiration; this is checked in the fast path.
Performance
The fix appears not to add significant overhead to existing operations.  It
generally performs the same as the current code except in two cases, one in
which it performs slightly worse (Case 5 below) and one in which it performs
very significantly better (Case 2 below).  Overall it's a wash except in those
two cases.
I've since done somewhat more involved testing on a dual-core Opteron system.
Case 1: With no itimer running, for a test with 100,000 threads, the fixed
	kernel took 1428.5 seconds, 513 seconds more than the unfixed system,
	all of which was spent in the system.  There were twice as many
	voluntary context switches with the fix as without it.
Case 2: With an itimer running at .01 second ticks and 4000 threads (the most
	an unmodified kernel can handle), the fixed kernel ran the test in
	eight percent of the time (5.8 seconds as opposed to 70 seconds) and
	had better tick accuracy (.012 seconds per tick as opposed to .023
	seconds per tick).
Case 3: A 4000-thread test with an initial timer tick of .01 second and an
	interval of 10,000 seconds (i.e. a timer that ticks only once) had
	very nearly the same performance in both cases:  6.3 seconds elapsed
	for the fixed kernel versus 5.5 seconds for the unfixed kernel.
With fewer threads (eight in these tests), the Case 1 test ran in essentially
the same time on both the modified and unmodified kernels (5.2 seconds versus
5.8 seconds).  The Case 2 test ran in about the same time as well, 5.9 seconds
versus 5.4 seconds but again with much better tick accuracy, .013 seconds per
tick versus .025 seconds per tick for the unmodified kernel.
Since the fix affected the rlimit code, I also tested soft and hard CPU limits.
Case 4: With a hard CPU limit of 20 seconds and eight threads (and an itimer
	running), the modified kernel was very slightly favored in that while
	it killed the process in 19.997 seconds of CPU time (5.002 seconds of
	wall time), only .003 seconds of that was system time, the rest was
	user time.  The unmodified kernel killed the process in 20.001 seconds
	of CPU (5.014 seconds of wall time) of which .016 seconds was system
	time.  Really, though, the results were too close to call.  The results
	were essentially the same with no itimer running.
Case 5: With a soft limit of 20 seconds and a hard limit of 2000 seconds
	(where the hard limit would never be reached) and an itimer running,
	the modified kernel exhibited worse tick accuracy than the unmodified
	kernel: .050 seconds/tick versus .028 seconds/tick.  Otherwise,
	performance was almost indistinguishable.  With no itimer running this
	test exhibited virtually identical behavior and times in both cases.
In times past I did some limited performance testing.  those results are below.
On a four-cpu Opteron system without this fix, a sixteen-thread test executed
in 3569.991 seconds, of which user was 3568.435s and system was 1.556s.  On
the same system with the fix, user and elapsed time were about the same, but
system time dropped to 0.007 seconds.  Performance with eight, four and one
thread were comparable.  Interestingly, the timer ticks with the fix seemed
more accurate:  The sixteen-thread test with the fix received 149543 ticks
for 0.024 seconds per tick, while the same test without the fix received 58720
for 0.061 seconds per tick.  Both cases were configured for an interval of
0.01 seconds.  Again, the other tests were comparable.  Each thread in this
test computed the primes up to 25,000,000.
I also did a test with a large number of threads, 100,000 threads, which is
impossible without the fix.  In this case each thread computed the primes only
up to 10,000 (to make the runtime manageable).  System time dominated, at
1546.968 seconds out of a total 2176.906 seconds (giving a user time of
629.938s).  It received 147651 ticks for 0.015 seconds per tick, still quite
accurate.  There is obviously no comparable test without the fix.
Signed-off-by: Frank Mayhar <fmayhar@google.com>
Cc: Roland McGrath <roland@redhat.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
											
										 
											2008-09-12 09:54:39 -07:00
										 |  |  | 		accumulate_thread_rusage(p, r); | 
					
						
							| 
									
										
											  
											
												getrusage: fill ru_maxrss value
Make ->ru_maxrss value in struct rusage filled accordingly to rss hiwater
mark.  This struct is filled as a parameter to getrusage syscall.
->ru_maxrss value is set to KBs which is the way it is done in BSD
systems.  /usr/bin/time (gnu time) application converts ->ru_maxrss to KBs
which seems to be incorrect behavior.  Maintainer of this util was
notified by me with the patch which corrects it and cc'ed.
To make this happen we extend struct signal_struct by two fields.  The
first one is ->maxrss which we use to store rss hiwater of the task.  The
second one is ->cmaxrss which we use to store highest rss hiwater of all
task childs.  These values are used in k_getrusage() to actually fill
->ru_maxrss.  k_getrusage() uses current rss hiwater value directly if mm
struct exists.
Note:
exec() clear mm->hiwater_rss, but doesn't clear sig->maxrss.
it is intetionally behavior. *BSD getrusage have exec() inheriting.
test programs
========================================================
getrusage.c
===========
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <sys/types.h>
 #include <sys/time.h>
 #include <sys/resource.h>
 #include <sys/types.h>
 #include <sys/wait.h>
 #include <unistd.h>
 #include <signal.h>
 #include <sys/mman.h>
 #include "common.h"
 #define err(str) perror(str), exit(1)
int main(int argc, char** argv)
{
	int status;
	printf("allocate 100MB\n");
	consume(100);
	printf("testcase1: fork inherit? \n");
	printf("  expect: initial.self ~= child.self\n");
	show_rusage("initial");
	if (__fork()) {
		wait(&status);
	} else {
		show_rusage("fork child");
		_exit(0);
	}
	printf("\n");
	printf("testcase2: fork inherit? (cont.) \n");
	printf("  expect: initial.children ~= 100MB, but child.children = 0\n");
	show_rusage("initial");
	if (__fork()) {
		wait(&status);
	} else {
		show_rusage("child");
		_exit(0);
	}
	printf("\n");
	printf("testcase3: fork + malloc \n");
	printf("  expect: child.self ~= initial.self + 50MB\n");
	show_rusage("initial");
	if (__fork()) {
		wait(&status);
	} else {
		printf("allocate +50MB\n");
		consume(50);
		show_rusage("fork child");
		_exit(0);
	}
	printf("\n");
	printf("testcase4: grandchild maxrss\n");
	printf("  expect: post_wait.children ~= 300MB\n");
	show_rusage("initial");
	if (__fork()) {
		wait(&status);
		show_rusage("post_wait");
	} else {
		system("./child -n 0 -g 300");
		_exit(0);
	}
	printf("\n");
	printf("testcase5: zombie\n");
	printf("  expect: pre_wait ~= initial, IOW the zombie process is not accounted.\n");
	printf("          post_wait ~= 400MB, IOW wait() collect child's max_rss. \n");
	show_rusage("initial");
	if (__fork()) {
		sleep(1); /* children become zombie */
		show_rusage("pre_wait");
		wait(&status);
		show_rusage("post_wait");
	} else {
		system("./child -n 400");
		_exit(0);
	}
	printf("\n");
	printf("testcase6: SIG_IGN\n");
	printf("  expect: initial ~= after_zombie (child's 500MB alloc should be ignored).\n");
	show_rusage("initial");
	signal(SIGCHLD, SIG_IGN);
	if (__fork()) {
		sleep(1); /* children become zombie */
		show_rusage("after_zombie");
	} else {
		system("./child -n 500");
		_exit(0);
	}
	printf("\n");
	signal(SIGCHLD, SIG_DFL);
	printf("testcase7: exec (without fork) \n");
	printf("  expect: initial ~= exec \n");
	show_rusage("initial");
	execl("./child", "child", "-v", NULL);
	return 0;
}
child.c
=======
 #include <sys/types.h>
 #include <unistd.h>
 #include <sys/types.h>
 #include <sys/wait.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <sys/types.h>
 #include <sys/time.h>
 #include <sys/resource.h>
 #include "common.h"
int main(int argc, char** argv)
{
	int status;
	int c;
	long consume_size = 0;
	long grandchild_consume_size = 0;
	int show = 0;
	while ((c = getopt(argc, argv, "n:g:v")) != -1) {
		switch (c) {
		case 'n':
			consume_size = atol(optarg);
			break;
		case 'v':
			show = 1;
			break;
		case 'g':
			grandchild_consume_size = atol(optarg);
			break;
		default:
			break;
		}
	}
	if (show)
		show_rusage("exec");
	if (consume_size) {
		printf("child alloc %ldMB\n", consume_size);
		consume(consume_size);
	}
	if (grandchild_consume_size) {
		if (fork()) {
			wait(&status);
		} else {
			printf("grandchild alloc %ldMB\n", grandchild_consume_size);
			consume(grandchild_consume_size);
			exit(0);
		}
	}
	return 0;
}
common.c
========
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <sys/types.h>
 #include <sys/time.h>
 #include <sys/resource.h>
 #include <sys/types.h>
 #include <sys/wait.h>
 #include <unistd.h>
 #include <signal.h>
 #include <sys/mman.h>
 #include "common.h"
 #define err(str) perror(str), exit(1)
void show_rusage(char *prefix)
{
    	int err, err2;
    	struct rusage rusage_self;
    	struct rusage rusage_children;
    	printf("%s: ", prefix);
    	err = getrusage(RUSAGE_SELF, &rusage_self);
    	if (!err)
    		printf("self %ld ", rusage_self.ru_maxrss);
    	err2 = getrusage(RUSAGE_CHILDREN, &rusage_children);
    	if (!err2)
    		printf("children %ld ", rusage_children.ru_maxrss);
    	printf("\n");
}
/* Some buggy OS need this worthless CPU waste. */
void make_pagefault(void)
{
	void *addr;
	int size = getpagesize();
	int i;
	for (i=0; i<1000; i++) {
		addr = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANON, -1, 0);
		if (addr == MAP_FAILED)
			err("make_pagefault");
		memset(addr, 0, size);
		munmap(addr, size);
	}
}
void consume(int mega)
{
    	size_t sz = mega * 1024 * 1024;
    	void *ptr;
    	ptr = malloc(sz);
    	memset(ptr, 0, sz);
	make_pagefault();
}
pid_t __fork(void)
{
	pid_t pid;
	pid = fork();
	make_pagefault();
	return pid;
}
common.h
========
void show_rusage(char *prefix);
void make_pagefault(void);
void consume(int mega);
pid_t __fork(void);
FreeBSD result (expected result)
========================================================
allocate 100MB
testcase1: fork inherit?
  expect: initial.self ~= child.self
initial: self 103492 children 0
fork child: self 103540 children 0
testcase2: fork inherit? (cont.)
  expect: initial.children ~= 100MB, but child.children = 0
initial: self 103540 children 103540
child: self 103564 children 0
testcase3: fork + malloc
  expect: child.self ~= initial.self + 50MB
initial: self 103564 children 103564
allocate +50MB
fork child: self 154860 children 0
testcase4: grandchild maxrss
  expect: post_wait.children ~= 300MB
initial: self 103564 children 154860
grandchild alloc 300MB
post_wait: self 103564 children 308720
testcase5: zombie
  expect: pre_wait ~= initial, IOW the zombie process is not accounted.
          post_wait ~= 400MB, IOW wait() collect child's max_rss.
initial: self 103564 children 308720
child alloc 400MB
pre_wait: self 103564 children 308720
post_wait: self 103564 children 411312
testcase6: SIG_IGN
  expect: initial ~= after_zombie (child's 500MB alloc should be ignored).
initial: self 103564 children 411312
child alloc 500MB
after_zombie: self 103624 children 411312
testcase7: exec (without fork)
  expect: initial ~= exec
initial: self 103624 children 411312
exec: self 103624 children 411312
Linux result (actual test result)
========================================================
allocate 100MB
testcase1: fork inherit?
  expect: initial.self ~= child.self
initial: self 102848 children 0
fork child: self 102572 children 0
testcase2: fork inherit? (cont.)
  expect: initial.children ~= 100MB, but child.children = 0
initial: self 102876 children 102644
child: self 102572 children 0
testcase3: fork + malloc
  expect: child.self ~= initial.self + 50MB
initial: self 102876 children 102644
allocate +50MB
fork child: self 153804 children 0
testcase4: grandchild maxrss
  expect: post_wait.children ~= 300MB
initial: self 102876 children 153864
grandchild alloc 300MB
post_wait: self 102876 children 307536
testcase5: zombie
  expect: pre_wait ~= initial, IOW the zombie process is not accounted.
          post_wait ~= 400MB, IOW wait() collect child's max_rss.
initial: self 102876 children 307536
child alloc 400MB
pre_wait: self 102876 children 307536
post_wait: self 102876 children 410076
testcase6: SIG_IGN
  expect: initial ~= after_zombie (child's 500MB alloc should be ignored).
initial: self 102876 children 410076
child alloc 500MB
after_zombie: self 102880 children 410076
testcase7: exec (without fork)
  expect: initial ~= exec
initial: self 102880 children 410076
exec: self 102880 children 410076
Signed-off-by: Jiri Pirko <jpirko@redhat.com>
Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Hugh Dickins <hugh.dickins@tiscali.co.uk>
Cc: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
											
										 
											2009-09-22 16:44:10 -07:00
										 |  |  | 		maxrss = p->signal->maxrss; | 
					
						
							| 
									
										
										
										
											2008-04-29 00:58:42 -07:00
										 |  |  | 		goto out; | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2008-04-30 00:52:38 -07:00
										 |  |  | 	if (!lock_task_sighand(p, &flags)) | 
					
						
							| 
									
										
										
										
											2006-06-22 14:47:26 -07:00
										 |  |  | 		return; | 
					
						
							| 
									
										
										
										
											2006-01-08 01:05:15 -08:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 	switch (who) { | 
					
						
							| 
									
										
										
										
											2006-01-08 01:05:15 -08:00
										 |  |  | 		case RUSAGE_BOTH: | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 		case RUSAGE_CHILDREN: | 
					
						
							|  |  |  | 			utime = p->signal->cutime; | 
					
						
							|  |  |  | 			stime = p->signal->cstime; | 
					
						
							|  |  |  | 			r->ru_nvcsw = p->signal->cnvcsw; | 
					
						
							|  |  |  | 			r->ru_nivcsw = p->signal->cnivcsw; | 
					
						
							|  |  |  | 			r->ru_minflt = p->signal->cmin_flt; | 
					
						
							|  |  |  | 			r->ru_majflt = p->signal->cmaj_flt; | 
					
						
							| 
									
										
										
										
											2007-05-10 22:22:37 -07:00
										 |  |  | 			r->ru_inblock = p->signal->cinblock; | 
					
						
							|  |  |  | 			r->ru_oublock = p->signal->coublock; | 
					
						
							| 
									
										
											  
											
												getrusage: fill ru_maxrss value
Make ->ru_maxrss value in struct rusage filled accordingly to rss hiwater
mark.  This struct is filled as a parameter to getrusage syscall.
->ru_maxrss value is set to KBs which is the way it is done in BSD
systems.  /usr/bin/time (gnu time) application converts ->ru_maxrss to KBs
which seems to be incorrect behavior.  Maintainer of this util was
notified by me with the patch which corrects it and cc'ed.
To make this happen we extend struct signal_struct by two fields.  The
first one is ->maxrss which we use to store rss hiwater of the task.  The
second one is ->cmaxrss which we use to store highest rss hiwater of all
task childs.  These values are used in k_getrusage() to actually fill
->ru_maxrss.  k_getrusage() uses current rss hiwater value directly if mm
struct exists.
Note:
exec() clear mm->hiwater_rss, but doesn't clear sig->maxrss.
it is intetionally behavior. *BSD getrusage have exec() inheriting.
test programs
========================================================
getrusage.c
===========
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <sys/types.h>
 #include <sys/time.h>
 #include <sys/resource.h>
 #include <sys/types.h>
 #include <sys/wait.h>
 #include <unistd.h>
 #include <signal.h>
 #include <sys/mman.h>
 #include "common.h"
 #define err(str) perror(str), exit(1)
int main(int argc, char** argv)
{
	int status;
	printf("allocate 100MB\n");
	consume(100);
	printf("testcase1: fork inherit? \n");
	printf("  expect: initial.self ~= child.self\n");
	show_rusage("initial");
	if (__fork()) {
		wait(&status);
	} else {
		show_rusage("fork child");
		_exit(0);
	}
	printf("\n");
	printf("testcase2: fork inherit? (cont.) \n");
	printf("  expect: initial.children ~= 100MB, but child.children = 0\n");
	show_rusage("initial");
	if (__fork()) {
		wait(&status);
	} else {
		show_rusage("child");
		_exit(0);
	}
	printf("\n");
	printf("testcase3: fork + malloc \n");
	printf("  expect: child.self ~= initial.self + 50MB\n");
	show_rusage("initial");
	if (__fork()) {
		wait(&status);
	} else {
		printf("allocate +50MB\n");
		consume(50);
		show_rusage("fork child");
		_exit(0);
	}
	printf("\n");
	printf("testcase4: grandchild maxrss\n");
	printf("  expect: post_wait.children ~= 300MB\n");
	show_rusage("initial");
	if (__fork()) {
		wait(&status);
		show_rusage("post_wait");
	} else {
		system("./child -n 0 -g 300");
		_exit(0);
	}
	printf("\n");
	printf("testcase5: zombie\n");
	printf("  expect: pre_wait ~= initial, IOW the zombie process is not accounted.\n");
	printf("          post_wait ~= 400MB, IOW wait() collect child's max_rss. \n");
	show_rusage("initial");
	if (__fork()) {
		sleep(1); /* children become zombie */
		show_rusage("pre_wait");
		wait(&status);
		show_rusage("post_wait");
	} else {
		system("./child -n 400");
		_exit(0);
	}
	printf("\n");
	printf("testcase6: SIG_IGN\n");
	printf("  expect: initial ~= after_zombie (child's 500MB alloc should be ignored).\n");
	show_rusage("initial");
	signal(SIGCHLD, SIG_IGN);
	if (__fork()) {
		sleep(1); /* children become zombie */
		show_rusage("after_zombie");
	} else {
		system("./child -n 500");
		_exit(0);
	}
	printf("\n");
	signal(SIGCHLD, SIG_DFL);
	printf("testcase7: exec (without fork) \n");
	printf("  expect: initial ~= exec \n");
	show_rusage("initial");
	execl("./child", "child", "-v", NULL);
	return 0;
}
child.c
=======
 #include <sys/types.h>
 #include <unistd.h>
 #include <sys/types.h>
 #include <sys/wait.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <sys/types.h>
 #include <sys/time.h>
 #include <sys/resource.h>
 #include "common.h"
int main(int argc, char** argv)
{
	int status;
	int c;
	long consume_size = 0;
	long grandchild_consume_size = 0;
	int show = 0;
	while ((c = getopt(argc, argv, "n:g:v")) != -1) {
		switch (c) {
		case 'n':
			consume_size = atol(optarg);
			break;
		case 'v':
			show = 1;
			break;
		case 'g':
			grandchild_consume_size = atol(optarg);
			break;
		default:
			break;
		}
	}
	if (show)
		show_rusage("exec");
	if (consume_size) {
		printf("child alloc %ldMB\n", consume_size);
		consume(consume_size);
	}
	if (grandchild_consume_size) {
		if (fork()) {
			wait(&status);
		} else {
			printf("grandchild alloc %ldMB\n", grandchild_consume_size);
			consume(grandchild_consume_size);
			exit(0);
		}
	}
	return 0;
}
common.c
========
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <sys/types.h>
 #include <sys/time.h>
 #include <sys/resource.h>
 #include <sys/types.h>
 #include <sys/wait.h>
 #include <unistd.h>
 #include <signal.h>
 #include <sys/mman.h>
 #include "common.h"
 #define err(str) perror(str), exit(1)
void show_rusage(char *prefix)
{
    	int err, err2;
    	struct rusage rusage_self;
    	struct rusage rusage_children;
    	printf("%s: ", prefix);
    	err = getrusage(RUSAGE_SELF, &rusage_self);
    	if (!err)
    		printf("self %ld ", rusage_self.ru_maxrss);
    	err2 = getrusage(RUSAGE_CHILDREN, &rusage_children);
    	if (!err2)
    		printf("children %ld ", rusage_children.ru_maxrss);
    	printf("\n");
}
/* Some buggy OS need this worthless CPU waste. */
void make_pagefault(void)
{
	void *addr;
	int size = getpagesize();
	int i;
	for (i=0; i<1000; i++) {
		addr = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANON, -1, 0);
		if (addr == MAP_FAILED)
			err("make_pagefault");
		memset(addr, 0, size);
		munmap(addr, size);
	}
}
void consume(int mega)
{
    	size_t sz = mega * 1024 * 1024;
    	void *ptr;
    	ptr = malloc(sz);
    	memset(ptr, 0, sz);
	make_pagefault();
}
pid_t __fork(void)
{
	pid_t pid;
	pid = fork();
	make_pagefault();
	return pid;
}
common.h
========
void show_rusage(char *prefix);
void make_pagefault(void);
void consume(int mega);
pid_t __fork(void);
FreeBSD result (expected result)
========================================================
allocate 100MB
testcase1: fork inherit?
  expect: initial.self ~= child.self
initial: self 103492 children 0
fork child: self 103540 children 0
testcase2: fork inherit? (cont.)
  expect: initial.children ~= 100MB, but child.children = 0
initial: self 103540 children 103540
child: self 103564 children 0
testcase3: fork + malloc
  expect: child.self ~= initial.self + 50MB
initial: self 103564 children 103564
allocate +50MB
fork child: self 154860 children 0
testcase4: grandchild maxrss
  expect: post_wait.children ~= 300MB
initial: self 103564 children 154860
grandchild alloc 300MB
post_wait: self 103564 children 308720
testcase5: zombie
  expect: pre_wait ~= initial, IOW the zombie process is not accounted.
          post_wait ~= 400MB, IOW wait() collect child's max_rss.
initial: self 103564 children 308720
child alloc 400MB
pre_wait: self 103564 children 308720
post_wait: self 103564 children 411312
testcase6: SIG_IGN
  expect: initial ~= after_zombie (child's 500MB alloc should be ignored).
initial: self 103564 children 411312
child alloc 500MB
after_zombie: self 103624 children 411312
testcase7: exec (without fork)
  expect: initial ~= exec
initial: self 103624 children 411312
exec: self 103624 children 411312
Linux result (actual test result)
========================================================
allocate 100MB
testcase1: fork inherit?
  expect: initial.self ~= child.self
initial: self 102848 children 0
fork child: self 102572 children 0
testcase2: fork inherit? (cont.)
  expect: initial.children ~= 100MB, but child.children = 0
initial: self 102876 children 102644
child: self 102572 children 0
testcase3: fork + malloc
  expect: child.self ~= initial.self + 50MB
initial: self 102876 children 102644
allocate +50MB
fork child: self 153804 children 0
testcase4: grandchild maxrss
  expect: post_wait.children ~= 300MB
initial: self 102876 children 153864
grandchild alloc 300MB
post_wait: self 102876 children 307536
testcase5: zombie
  expect: pre_wait ~= initial, IOW the zombie process is not accounted.
          post_wait ~= 400MB, IOW wait() collect child's max_rss.
initial: self 102876 children 307536
child alloc 400MB
pre_wait: self 102876 children 307536
post_wait: self 102876 children 410076
testcase6: SIG_IGN
  expect: initial ~= after_zombie (child's 500MB alloc should be ignored).
initial: self 102876 children 410076
child alloc 500MB
after_zombie: self 102880 children 410076
testcase7: exec (without fork)
  expect: initial ~= exec
initial: self 102880 children 410076
exec: self 102880 children 410076
Signed-off-by: Jiri Pirko <jpirko@redhat.com>
Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Hugh Dickins <hugh.dickins@tiscali.co.uk>
Cc: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
											
										 
											2009-09-22 16:44:10 -07:00
										 |  |  | 			maxrss = p->signal->cmaxrss; | 
					
						
							| 
									
										
										
										
											2006-01-08 01:05:15 -08:00
										 |  |  | 
 | 
					
						
							|  |  |  | 			if (who == RUSAGE_CHILDREN) | 
					
						
							|  |  |  | 				break; | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 		case RUSAGE_SELF: | 
					
						
							| 
									
										
										
										
											2012-11-21 16:26:44 +01:00
										 |  |  | 			thread_group_cputime_adjusted(p, &tgutime, &tgstime); | 
					
						
							| 
									
										
										
										
											2011-12-15 14:56:09 +01:00
										 |  |  | 			utime += tgutime; | 
					
						
							|  |  |  | 			stime += tgstime; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 			r->ru_nvcsw += p->signal->nvcsw; | 
					
						
							|  |  |  | 			r->ru_nivcsw += p->signal->nivcsw; | 
					
						
							|  |  |  | 			r->ru_minflt += p->signal->min_flt; | 
					
						
							|  |  |  | 			r->ru_majflt += p->signal->maj_flt; | 
					
						
							| 
									
										
										
										
											2007-05-10 22:22:37 -07:00
										 |  |  | 			r->ru_inblock += p->signal->inblock; | 
					
						
							|  |  |  | 			r->ru_oublock += p->signal->oublock; | 
					
						
							| 
									
										
											  
											
												getrusage: fill ru_maxrss value
Make ->ru_maxrss value in struct rusage filled accordingly to rss hiwater
mark.  This struct is filled as a parameter to getrusage syscall.
->ru_maxrss value is set to KBs which is the way it is done in BSD
systems.  /usr/bin/time (gnu time) application converts ->ru_maxrss to KBs
which seems to be incorrect behavior.  Maintainer of this util was
notified by me with the patch which corrects it and cc'ed.
To make this happen we extend struct signal_struct by two fields.  The
first one is ->maxrss which we use to store rss hiwater of the task.  The
second one is ->cmaxrss which we use to store highest rss hiwater of all
task childs.  These values are used in k_getrusage() to actually fill
->ru_maxrss.  k_getrusage() uses current rss hiwater value directly if mm
struct exists.
Note:
exec() clear mm->hiwater_rss, but doesn't clear sig->maxrss.
it is intetionally behavior. *BSD getrusage have exec() inheriting.
test programs
========================================================
getrusage.c
===========
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <sys/types.h>
 #include <sys/time.h>
 #include <sys/resource.h>
 #include <sys/types.h>
 #include <sys/wait.h>
 #include <unistd.h>
 #include <signal.h>
 #include <sys/mman.h>
 #include "common.h"
 #define err(str) perror(str), exit(1)
int main(int argc, char** argv)
{
	int status;
	printf("allocate 100MB\n");
	consume(100);
	printf("testcase1: fork inherit? \n");
	printf("  expect: initial.self ~= child.self\n");
	show_rusage("initial");
	if (__fork()) {
		wait(&status);
	} else {
		show_rusage("fork child");
		_exit(0);
	}
	printf("\n");
	printf("testcase2: fork inherit? (cont.) \n");
	printf("  expect: initial.children ~= 100MB, but child.children = 0\n");
	show_rusage("initial");
	if (__fork()) {
		wait(&status);
	} else {
		show_rusage("child");
		_exit(0);
	}
	printf("\n");
	printf("testcase3: fork + malloc \n");
	printf("  expect: child.self ~= initial.self + 50MB\n");
	show_rusage("initial");
	if (__fork()) {
		wait(&status);
	} else {
		printf("allocate +50MB\n");
		consume(50);
		show_rusage("fork child");
		_exit(0);
	}
	printf("\n");
	printf("testcase4: grandchild maxrss\n");
	printf("  expect: post_wait.children ~= 300MB\n");
	show_rusage("initial");
	if (__fork()) {
		wait(&status);
		show_rusage("post_wait");
	} else {
		system("./child -n 0 -g 300");
		_exit(0);
	}
	printf("\n");
	printf("testcase5: zombie\n");
	printf("  expect: pre_wait ~= initial, IOW the zombie process is not accounted.\n");
	printf("          post_wait ~= 400MB, IOW wait() collect child's max_rss. \n");
	show_rusage("initial");
	if (__fork()) {
		sleep(1); /* children become zombie */
		show_rusage("pre_wait");
		wait(&status);
		show_rusage("post_wait");
	} else {
		system("./child -n 400");
		_exit(0);
	}
	printf("\n");
	printf("testcase6: SIG_IGN\n");
	printf("  expect: initial ~= after_zombie (child's 500MB alloc should be ignored).\n");
	show_rusage("initial");
	signal(SIGCHLD, SIG_IGN);
	if (__fork()) {
		sleep(1); /* children become zombie */
		show_rusage("after_zombie");
	} else {
		system("./child -n 500");
		_exit(0);
	}
	printf("\n");
	signal(SIGCHLD, SIG_DFL);
	printf("testcase7: exec (without fork) \n");
	printf("  expect: initial ~= exec \n");
	show_rusage("initial");
	execl("./child", "child", "-v", NULL);
	return 0;
}
child.c
=======
 #include <sys/types.h>
 #include <unistd.h>
 #include <sys/types.h>
 #include <sys/wait.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <sys/types.h>
 #include <sys/time.h>
 #include <sys/resource.h>
 #include "common.h"
int main(int argc, char** argv)
{
	int status;
	int c;
	long consume_size = 0;
	long grandchild_consume_size = 0;
	int show = 0;
	while ((c = getopt(argc, argv, "n:g:v")) != -1) {
		switch (c) {
		case 'n':
			consume_size = atol(optarg);
			break;
		case 'v':
			show = 1;
			break;
		case 'g':
			grandchild_consume_size = atol(optarg);
			break;
		default:
			break;
		}
	}
	if (show)
		show_rusage("exec");
	if (consume_size) {
		printf("child alloc %ldMB\n", consume_size);
		consume(consume_size);
	}
	if (grandchild_consume_size) {
		if (fork()) {
			wait(&status);
		} else {
			printf("grandchild alloc %ldMB\n", grandchild_consume_size);
			consume(grandchild_consume_size);
			exit(0);
		}
	}
	return 0;
}
common.c
========
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <sys/types.h>
 #include <sys/time.h>
 #include <sys/resource.h>
 #include <sys/types.h>
 #include <sys/wait.h>
 #include <unistd.h>
 #include <signal.h>
 #include <sys/mman.h>
 #include "common.h"
 #define err(str) perror(str), exit(1)
void show_rusage(char *prefix)
{
    	int err, err2;
    	struct rusage rusage_self;
    	struct rusage rusage_children;
    	printf("%s: ", prefix);
    	err = getrusage(RUSAGE_SELF, &rusage_self);
    	if (!err)
    		printf("self %ld ", rusage_self.ru_maxrss);
    	err2 = getrusage(RUSAGE_CHILDREN, &rusage_children);
    	if (!err2)
    		printf("children %ld ", rusage_children.ru_maxrss);
    	printf("\n");
}
/* Some buggy OS need this worthless CPU waste. */
void make_pagefault(void)
{
	void *addr;
	int size = getpagesize();
	int i;
	for (i=0; i<1000; i++) {
		addr = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANON, -1, 0);
		if (addr == MAP_FAILED)
			err("make_pagefault");
		memset(addr, 0, size);
		munmap(addr, size);
	}
}
void consume(int mega)
{
    	size_t sz = mega * 1024 * 1024;
    	void *ptr;
    	ptr = malloc(sz);
    	memset(ptr, 0, sz);
	make_pagefault();
}
pid_t __fork(void)
{
	pid_t pid;
	pid = fork();
	make_pagefault();
	return pid;
}
common.h
========
void show_rusage(char *prefix);
void make_pagefault(void);
void consume(int mega);
pid_t __fork(void);
FreeBSD result (expected result)
========================================================
allocate 100MB
testcase1: fork inherit?
  expect: initial.self ~= child.self
initial: self 103492 children 0
fork child: self 103540 children 0
testcase2: fork inherit? (cont.)
  expect: initial.children ~= 100MB, but child.children = 0
initial: self 103540 children 103540
child: self 103564 children 0
testcase3: fork + malloc
  expect: child.self ~= initial.self + 50MB
initial: self 103564 children 103564
allocate +50MB
fork child: self 154860 children 0
testcase4: grandchild maxrss
  expect: post_wait.children ~= 300MB
initial: self 103564 children 154860
grandchild alloc 300MB
post_wait: self 103564 children 308720
testcase5: zombie
  expect: pre_wait ~= initial, IOW the zombie process is not accounted.
          post_wait ~= 400MB, IOW wait() collect child's max_rss.
initial: self 103564 children 308720
child alloc 400MB
pre_wait: self 103564 children 308720
post_wait: self 103564 children 411312
testcase6: SIG_IGN
  expect: initial ~= after_zombie (child's 500MB alloc should be ignored).
initial: self 103564 children 411312
child alloc 500MB
after_zombie: self 103624 children 411312
testcase7: exec (without fork)
  expect: initial ~= exec
initial: self 103624 children 411312
exec: self 103624 children 411312
Linux result (actual test result)
========================================================
allocate 100MB
testcase1: fork inherit?
  expect: initial.self ~= child.self
initial: self 102848 children 0
fork child: self 102572 children 0
testcase2: fork inherit? (cont.)
  expect: initial.children ~= 100MB, but child.children = 0
initial: self 102876 children 102644
child: self 102572 children 0
testcase3: fork + malloc
  expect: child.self ~= initial.self + 50MB
initial: self 102876 children 102644
allocate +50MB
fork child: self 153804 children 0
testcase4: grandchild maxrss
  expect: post_wait.children ~= 300MB
initial: self 102876 children 153864
grandchild alloc 300MB
post_wait: self 102876 children 307536
testcase5: zombie
  expect: pre_wait ~= initial, IOW the zombie process is not accounted.
          post_wait ~= 400MB, IOW wait() collect child's max_rss.
initial: self 102876 children 307536
child alloc 400MB
pre_wait: self 102876 children 307536
post_wait: self 102876 children 410076
testcase6: SIG_IGN
  expect: initial ~= after_zombie (child's 500MB alloc should be ignored).
initial: self 102876 children 410076
child alloc 500MB
after_zombie: self 102880 children 410076
testcase7: exec (without fork)
  expect: initial ~= exec
initial: self 102880 children 410076
exec: self 102880 children 410076
Signed-off-by: Jiri Pirko <jpirko@redhat.com>
Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Hugh Dickins <hugh.dickins@tiscali.co.uk>
Cc: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
											
										 
											2009-09-22 16:44:10 -07:00
										 |  |  | 			if (maxrss < p->signal->maxrss) | 
					
						
							|  |  |  | 				maxrss = p->signal->maxrss; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 			t = p; | 
					
						
							|  |  |  | 			do { | 
					
						
							| 
									
										
											  
											
												timers: fix itimer/many thread hang
Overview
This patch reworks the handling of POSIX CPU timers, including the
ITIMER_PROF, ITIMER_VIRT timers and rlimit handling.  It was put together
with the help of Roland McGrath, the owner and original writer of this code.
The problem we ran into, and the reason for this rework, has to do with using
a profiling timer in a process with a large number of threads.  It appears
that the performance of the old implementation of run_posix_cpu_timers() was
at least O(n*3) (where "n" is the number of threads in a process) or worse.
Everything is fine with an increasing number of threads until the time taken
for that routine to run becomes the same as or greater than the tick time, at
which point things degrade rather quickly.
This patch fixes bug 9906, "Weird hang with NPTL and SIGPROF."
Code Changes
This rework corrects the implementation of run_posix_cpu_timers() to make it
run in constant time for a particular machine.  (Performance may vary between
one machine and another depending upon whether the kernel is built as single-
or multiprocessor and, in the latter case, depending upon the number of
running processors.)  To do this, at each tick we now update fields in
signal_struct as well as task_struct.  The run_posix_cpu_timers() function
uses those fields to make its decisions.
We define a new structure, "task_cputime," to contain user, system and
scheduler times and use these in appropriate places:
struct task_cputime {
	cputime_t utime;
	cputime_t stime;
	unsigned long long sum_exec_runtime;
};
This is included in the structure "thread_group_cputime," which is a new
substructure of signal_struct and which varies for uniprocessor versus
multiprocessor kernels.  For uniprocessor kernels, it uses "task_cputime" as
a simple substructure, while for multiprocessor kernels it is a pointer:
struct thread_group_cputime {
	struct task_cputime totals;
};
struct thread_group_cputime {
	struct task_cputime *totals;
};
We also add a new task_cputime substructure directly to signal_struct, to
cache the earliest expiration of process-wide timers, and task_cputime also
replaces the it_*_expires fields of task_struct (used for earliest expiration
of thread timers).  The "thread_group_cputime" structure contains process-wide
timers that are updated via account_user_time() and friends.  In the non-SMP
case the structure is a simple aggregator; unfortunately in the SMP case that
simplicity was not achievable due to cache-line contention between CPUs (in
one measured case performance was actually _worse_ on a 16-cpu system than
the same test on a 4-cpu system, due to this contention).  For SMP, the
thread_group_cputime counters are maintained as a per-cpu structure allocated
using alloc_percpu().  The timer functions update only the timer field in
the structure corresponding to the running CPU, obtained using per_cpu_ptr().
We define a set of inline functions in sched.h that we use to maintain the
thread_group_cputime structure and hide the differences between UP and SMP
implementations from the rest of the kernel.  The thread_group_cputime_init()
function initializes the thread_group_cputime structure for the given task.
The thread_group_cputime_alloc() is a no-op for UP; for SMP it calls the
out-of-line function thread_group_cputime_alloc_smp() to allocate and fill
in the per-cpu structures and fields.  The thread_group_cputime_free()
function, also a no-op for UP, in SMP frees the per-cpu structures.  The
thread_group_cputime_clone_thread() function (also a UP no-op) for SMP calls
thread_group_cputime_alloc() if the per-cpu structures haven't yet been
allocated.  The thread_group_cputime() function fills the task_cputime
structure it is passed with the contents of the thread_group_cputime fields;
in UP it's that simple but in SMP it must also safely check that tsk->signal
is non-NULL (if it is it just uses the appropriate fields of task_struct) and,
if so, sums the per-cpu values for each online CPU.  Finally, the three
functions account_group_user_time(), account_group_system_time() and
account_group_exec_runtime() are used by timer functions to update the
respective fields of the thread_group_cputime structure.
Non-SMP operation is trivial and will not be mentioned further.
The per-cpu structure is always allocated when a task creates its first new
thread, via a call to thread_group_cputime_clone_thread() from copy_signal().
It is freed at process exit via a call to thread_group_cputime_free() from
cleanup_signal().
All functions that formerly summed utime/stime/sum_sched_runtime values from
from all threads in the thread group now use thread_group_cputime() to
snapshot the values in the thread_group_cputime structure or the values in
the task structure itself if the per-cpu structure hasn't been allocated.
Finally, the code in kernel/posix-cpu-timers.c has changed quite a bit.
The run_posix_cpu_timers() function has been split into a fast path and a
slow path; the former safely checks whether there are any expired thread
timers and, if not, just returns, while the slow path does the heavy lifting.
With the dedicated thread group fields, timers are no longer "rebalanced" and
the process_timer_rebalance() function and related code has gone away.  All
summing loops are gone and all code that used them now uses the
thread_group_cputime() inline.  When process-wide timers are set, the new
task_cputime structure in signal_struct is used to cache the earliest
expiration; this is checked in the fast path.
Performance
The fix appears not to add significant overhead to existing operations.  It
generally performs the same as the current code except in two cases, one in
which it performs slightly worse (Case 5 below) and one in which it performs
very significantly better (Case 2 below).  Overall it's a wash except in those
two cases.
I've since done somewhat more involved testing on a dual-core Opteron system.
Case 1: With no itimer running, for a test with 100,000 threads, the fixed
	kernel took 1428.5 seconds, 513 seconds more than the unfixed system,
	all of which was spent in the system.  There were twice as many
	voluntary context switches with the fix as without it.
Case 2: With an itimer running at .01 second ticks and 4000 threads (the most
	an unmodified kernel can handle), the fixed kernel ran the test in
	eight percent of the time (5.8 seconds as opposed to 70 seconds) and
	had better tick accuracy (.012 seconds per tick as opposed to .023
	seconds per tick).
Case 3: A 4000-thread test with an initial timer tick of .01 second and an
	interval of 10,000 seconds (i.e. a timer that ticks only once) had
	very nearly the same performance in both cases:  6.3 seconds elapsed
	for the fixed kernel versus 5.5 seconds for the unfixed kernel.
With fewer threads (eight in these tests), the Case 1 test ran in essentially
the same time on both the modified and unmodified kernels (5.2 seconds versus
5.8 seconds).  The Case 2 test ran in about the same time as well, 5.9 seconds
versus 5.4 seconds but again with much better tick accuracy, .013 seconds per
tick versus .025 seconds per tick for the unmodified kernel.
Since the fix affected the rlimit code, I also tested soft and hard CPU limits.
Case 4: With a hard CPU limit of 20 seconds and eight threads (and an itimer
	running), the modified kernel was very slightly favored in that while
	it killed the process in 19.997 seconds of CPU time (5.002 seconds of
	wall time), only .003 seconds of that was system time, the rest was
	user time.  The unmodified kernel killed the process in 20.001 seconds
	of CPU (5.014 seconds of wall time) of which .016 seconds was system
	time.  Really, though, the results were too close to call.  The results
	were essentially the same with no itimer running.
Case 5: With a soft limit of 20 seconds and a hard limit of 2000 seconds
	(where the hard limit would never be reached) and an itimer running,
	the modified kernel exhibited worse tick accuracy than the unmodified
	kernel: .050 seconds/tick versus .028 seconds/tick.  Otherwise,
	performance was almost indistinguishable.  With no itimer running this
	test exhibited virtually identical behavior and times in both cases.
In times past I did some limited performance testing.  those results are below.
On a four-cpu Opteron system without this fix, a sixteen-thread test executed
in 3569.991 seconds, of which user was 3568.435s and system was 1.556s.  On
the same system with the fix, user and elapsed time were about the same, but
system time dropped to 0.007 seconds.  Performance with eight, four and one
thread were comparable.  Interestingly, the timer ticks with the fix seemed
more accurate:  The sixteen-thread test with the fix received 149543 ticks
for 0.024 seconds per tick, while the same test without the fix received 58720
for 0.061 seconds per tick.  Both cases were configured for an interval of
0.01 seconds.  Again, the other tests were comparable.  Each thread in this
test computed the primes up to 25,000,000.
I also did a test with a large number of threads, 100,000 threads, which is
impossible without the fix.  In this case each thread computed the primes only
up to 10,000 (to make the runtime manageable).  System time dominated, at
1546.968 seconds out of a total 2176.906 seconds (giving a user time of
629.938s).  It received 147651 ticks for 0.015 seconds per tick, still quite
accurate.  There is obviously no comparable test without the fix.
Signed-off-by: Frank Mayhar <fmayhar@google.com>
Cc: Roland McGrath <roland@redhat.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
											
										 
											2008-09-12 09:54:39 -07:00
										 |  |  | 				accumulate_thread_rusage(t, r); | 
					
						
							| 
									
										
										
										
											2014-01-23 15:55:55 -08:00
										 |  |  | 			} while_each_thread(p, t); | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 			break; | 
					
						
							| 
									
										
										
										
											2006-01-08 01:05:15 -08:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 		default: | 
					
						
							|  |  |  | 			BUG(); | 
					
						
							|  |  |  | 	} | 
					
						
							| 
									
										
										
										
											2006-06-22 14:47:26 -07:00
										 |  |  | 	unlock_task_sighand(p, &flags); | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2008-04-29 00:58:42 -07:00
										 |  |  | out: | 
					
						
							| 
									
										
										
										
											2006-01-08 01:05:15 -08:00
										 |  |  | 	cputime_to_timeval(utime, &r->ru_utime); | 
					
						
							|  |  |  | 	cputime_to_timeval(stime, &r->ru_stime); | 
					
						
							| 
									
										
											  
											
												getrusage: fill ru_maxrss value
Make ->ru_maxrss value in struct rusage filled accordingly to rss hiwater
mark.  This struct is filled as a parameter to getrusage syscall.
->ru_maxrss value is set to KBs which is the way it is done in BSD
systems.  /usr/bin/time (gnu time) application converts ->ru_maxrss to KBs
which seems to be incorrect behavior.  Maintainer of this util was
notified by me with the patch which corrects it and cc'ed.
To make this happen we extend struct signal_struct by two fields.  The
first one is ->maxrss which we use to store rss hiwater of the task.  The
second one is ->cmaxrss which we use to store highest rss hiwater of all
task childs.  These values are used in k_getrusage() to actually fill
->ru_maxrss.  k_getrusage() uses current rss hiwater value directly if mm
struct exists.
Note:
exec() clear mm->hiwater_rss, but doesn't clear sig->maxrss.
it is intetionally behavior. *BSD getrusage have exec() inheriting.
test programs
========================================================
getrusage.c
===========
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <sys/types.h>
 #include <sys/time.h>
 #include <sys/resource.h>
 #include <sys/types.h>
 #include <sys/wait.h>
 #include <unistd.h>
 #include <signal.h>
 #include <sys/mman.h>
 #include "common.h"
 #define err(str) perror(str), exit(1)
int main(int argc, char** argv)
{
	int status;
	printf("allocate 100MB\n");
	consume(100);
	printf("testcase1: fork inherit? \n");
	printf("  expect: initial.self ~= child.self\n");
	show_rusage("initial");
	if (__fork()) {
		wait(&status);
	} else {
		show_rusage("fork child");
		_exit(0);
	}
	printf("\n");
	printf("testcase2: fork inherit? (cont.) \n");
	printf("  expect: initial.children ~= 100MB, but child.children = 0\n");
	show_rusage("initial");
	if (__fork()) {
		wait(&status);
	} else {
		show_rusage("child");
		_exit(0);
	}
	printf("\n");
	printf("testcase3: fork + malloc \n");
	printf("  expect: child.self ~= initial.self + 50MB\n");
	show_rusage("initial");
	if (__fork()) {
		wait(&status);
	} else {
		printf("allocate +50MB\n");
		consume(50);
		show_rusage("fork child");
		_exit(0);
	}
	printf("\n");
	printf("testcase4: grandchild maxrss\n");
	printf("  expect: post_wait.children ~= 300MB\n");
	show_rusage("initial");
	if (__fork()) {
		wait(&status);
		show_rusage("post_wait");
	} else {
		system("./child -n 0 -g 300");
		_exit(0);
	}
	printf("\n");
	printf("testcase5: zombie\n");
	printf("  expect: pre_wait ~= initial, IOW the zombie process is not accounted.\n");
	printf("          post_wait ~= 400MB, IOW wait() collect child's max_rss. \n");
	show_rusage("initial");
	if (__fork()) {
		sleep(1); /* children become zombie */
		show_rusage("pre_wait");
		wait(&status);
		show_rusage("post_wait");
	} else {
		system("./child -n 400");
		_exit(0);
	}
	printf("\n");
	printf("testcase6: SIG_IGN\n");
	printf("  expect: initial ~= after_zombie (child's 500MB alloc should be ignored).\n");
	show_rusage("initial");
	signal(SIGCHLD, SIG_IGN);
	if (__fork()) {
		sleep(1); /* children become zombie */
		show_rusage("after_zombie");
	} else {
		system("./child -n 500");
		_exit(0);
	}
	printf("\n");
	signal(SIGCHLD, SIG_DFL);
	printf("testcase7: exec (without fork) \n");
	printf("  expect: initial ~= exec \n");
	show_rusage("initial");
	execl("./child", "child", "-v", NULL);
	return 0;
}
child.c
=======
 #include <sys/types.h>
 #include <unistd.h>
 #include <sys/types.h>
 #include <sys/wait.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <sys/types.h>
 #include <sys/time.h>
 #include <sys/resource.h>
 #include "common.h"
int main(int argc, char** argv)
{
	int status;
	int c;
	long consume_size = 0;
	long grandchild_consume_size = 0;
	int show = 0;
	while ((c = getopt(argc, argv, "n:g:v")) != -1) {
		switch (c) {
		case 'n':
			consume_size = atol(optarg);
			break;
		case 'v':
			show = 1;
			break;
		case 'g':
			grandchild_consume_size = atol(optarg);
			break;
		default:
			break;
		}
	}
	if (show)
		show_rusage("exec");
	if (consume_size) {
		printf("child alloc %ldMB\n", consume_size);
		consume(consume_size);
	}
	if (grandchild_consume_size) {
		if (fork()) {
			wait(&status);
		} else {
			printf("grandchild alloc %ldMB\n", grandchild_consume_size);
			consume(grandchild_consume_size);
			exit(0);
		}
	}
	return 0;
}
common.c
========
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <sys/types.h>
 #include <sys/time.h>
 #include <sys/resource.h>
 #include <sys/types.h>
 #include <sys/wait.h>
 #include <unistd.h>
 #include <signal.h>
 #include <sys/mman.h>
 #include "common.h"
 #define err(str) perror(str), exit(1)
void show_rusage(char *prefix)
{
    	int err, err2;
    	struct rusage rusage_self;
    	struct rusage rusage_children;
    	printf("%s: ", prefix);
    	err = getrusage(RUSAGE_SELF, &rusage_self);
    	if (!err)
    		printf("self %ld ", rusage_self.ru_maxrss);
    	err2 = getrusage(RUSAGE_CHILDREN, &rusage_children);
    	if (!err2)
    		printf("children %ld ", rusage_children.ru_maxrss);
    	printf("\n");
}
/* Some buggy OS need this worthless CPU waste. */
void make_pagefault(void)
{
	void *addr;
	int size = getpagesize();
	int i;
	for (i=0; i<1000; i++) {
		addr = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANON, -1, 0);
		if (addr == MAP_FAILED)
			err("make_pagefault");
		memset(addr, 0, size);
		munmap(addr, size);
	}
}
void consume(int mega)
{
    	size_t sz = mega * 1024 * 1024;
    	void *ptr;
    	ptr = malloc(sz);
    	memset(ptr, 0, sz);
	make_pagefault();
}
pid_t __fork(void)
{
	pid_t pid;
	pid = fork();
	make_pagefault();
	return pid;
}
common.h
========
void show_rusage(char *prefix);
void make_pagefault(void);
void consume(int mega);
pid_t __fork(void);
FreeBSD result (expected result)
========================================================
allocate 100MB
testcase1: fork inherit?
  expect: initial.self ~= child.self
initial: self 103492 children 0
fork child: self 103540 children 0
testcase2: fork inherit? (cont.)
  expect: initial.children ~= 100MB, but child.children = 0
initial: self 103540 children 103540
child: self 103564 children 0
testcase3: fork + malloc
  expect: child.self ~= initial.self + 50MB
initial: self 103564 children 103564
allocate +50MB
fork child: self 154860 children 0
testcase4: grandchild maxrss
  expect: post_wait.children ~= 300MB
initial: self 103564 children 154860
grandchild alloc 300MB
post_wait: self 103564 children 308720
testcase5: zombie
  expect: pre_wait ~= initial, IOW the zombie process is not accounted.
          post_wait ~= 400MB, IOW wait() collect child's max_rss.
initial: self 103564 children 308720
child alloc 400MB
pre_wait: self 103564 children 308720
post_wait: self 103564 children 411312
testcase6: SIG_IGN
  expect: initial ~= after_zombie (child's 500MB alloc should be ignored).
initial: self 103564 children 411312
child alloc 500MB
after_zombie: self 103624 children 411312
testcase7: exec (without fork)
  expect: initial ~= exec
initial: self 103624 children 411312
exec: self 103624 children 411312
Linux result (actual test result)
========================================================
allocate 100MB
testcase1: fork inherit?
  expect: initial.self ~= child.self
initial: self 102848 children 0
fork child: self 102572 children 0
testcase2: fork inherit? (cont.)
  expect: initial.children ~= 100MB, but child.children = 0
initial: self 102876 children 102644
child: self 102572 children 0
testcase3: fork + malloc
  expect: child.self ~= initial.self + 50MB
initial: self 102876 children 102644
allocate +50MB
fork child: self 153804 children 0
testcase4: grandchild maxrss
  expect: post_wait.children ~= 300MB
initial: self 102876 children 153864
grandchild alloc 300MB
post_wait: self 102876 children 307536
testcase5: zombie
  expect: pre_wait ~= initial, IOW the zombie process is not accounted.
          post_wait ~= 400MB, IOW wait() collect child's max_rss.
initial: self 102876 children 307536
child alloc 400MB
pre_wait: self 102876 children 307536
post_wait: self 102876 children 410076
testcase6: SIG_IGN
  expect: initial ~= after_zombie (child's 500MB alloc should be ignored).
initial: self 102876 children 410076
child alloc 500MB
after_zombie: self 102880 children 410076
testcase7: exec (without fork)
  expect: initial ~= exec
initial: self 102880 children 410076
exec: self 102880 children 410076
Signed-off-by: Jiri Pirko <jpirko@redhat.com>
Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Hugh Dickins <hugh.dickins@tiscali.co.uk>
Cc: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
											
										 
											2009-09-22 16:44:10 -07:00
										 |  |  | 
 | 
					
						
							|  |  |  | 	if (who != RUSAGE_CHILDREN) { | 
					
						
							|  |  |  | 		struct mm_struct *mm = get_task_mm(p); | 
					
						
							|  |  |  | 		if (mm) { | 
					
						
							|  |  |  | 			setmax_mm_hiwater_rss(&maxrss, mm); | 
					
						
							|  |  |  | 			mmput(mm); | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 	r->ru_maxrss = maxrss * (PAGE_SIZE / 1024); /* convert pages to KBs */ | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | int getrusage(struct task_struct *p, int who, struct rusage __user *ru) | 
					
						
							|  |  |  | { | 
					
						
							|  |  |  | 	struct rusage r; | 
					
						
							|  |  |  | 	k_getrusage(p, who, &r); | 
					
						
							|  |  |  | 	return copy_to_user(ru, &r, sizeof(r)) ? -EFAULT : 0; | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2009-01-14 14:14:26 +01:00
										 |  |  | SYSCALL_DEFINE2(getrusage, int, who, struct rusage __user *, ru) | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | { | 
					
						
							| 
									
										
										
										
											2008-04-29 00:58:42 -07:00
										 |  |  | 	if (who != RUSAGE_SELF && who != RUSAGE_CHILDREN && | 
					
						
							|  |  |  | 	    who != RUSAGE_THREAD) | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 		return -EINVAL; | 
					
						
							|  |  |  | 	return getrusage(current, who, ru); | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2013-03-03 12:49:06 -05:00
										 |  |  | #ifdef CONFIG_COMPAT
 | 
					
						
							|  |  |  | COMPAT_SYSCALL_DEFINE2(getrusage, int, who, struct compat_rusage __user *, ru) | 
					
						
							|  |  |  | { | 
					
						
							|  |  |  | 	struct rusage r; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	if (who != RUSAGE_SELF && who != RUSAGE_CHILDREN && | 
					
						
							|  |  |  | 	    who != RUSAGE_THREAD) | 
					
						
							|  |  |  | 		return -EINVAL; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	k_getrusage(current, who, &r); | 
					
						
							|  |  |  | 	return put_compat_rusage(&r, ru); | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | #endif
 | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2009-01-14 14:14:26 +01:00
										 |  |  | SYSCALL_DEFINE1(umask, int, mask) | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | { | 
					
						
							|  |  |  | 	mask = xchg(¤t->fs->umask, mask & S_IRWXUGO); | 
					
						
							|  |  |  | 	return mask; | 
					
						
							|  |  |  | } | 
					
						
							| 
									
										
											  
											
												capabilities: introduce per-process capability bounding set
The capability bounding set is a set beyond which capabilities cannot grow.
 Currently cap_bset is per-system.  It can be manipulated through sysctl,
but only init can add capabilities.  Root can remove capabilities.  By
default it includes all caps except CAP_SETPCAP.
This patch makes the bounding set per-process when file capabilities are
enabled.  It is inherited at fork from parent.  Noone can add elements,
CAP_SETPCAP is required to remove them.
One example use of this is to start a safer container.  For instance, until
device namespaces or per-container device whitelists are introduced, it is
best to take CAP_MKNOD away from a container.
The bounding set will not affect pP and pE immediately.  It will only
affect pP' and pE' after subsequent exec()s.  It also does not affect pI,
and exec() does not constrain pI'.  So to really start a shell with no way
of regain CAP_MKNOD, you would do
	prctl(PR_CAPBSET_DROP, CAP_MKNOD);
	cap_t cap = cap_get_proc();
	cap_value_t caparray[1];
	caparray[0] = CAP_MKNOD;
	cap_set_flag(cap, CAP_INHERITABLE, 1, caparray, CAP_DROP);
	cap_set_proc(cap);
	cap_free(cap);
The following test program will get and set the bounding
set (but not pI).  For instance
	./bset get
		(lists capabilities in bset)
	./bset drop cap_net_raw
		(starts shell with new bset)
		(use capset, setuid binary, or binary with
		file capabilities to try to increase caps)
************************************************************
cap_bound.c
************************************************************
 #include <sys/prctl.h>
 #include <linux/capability.h>
 #include <sys/types.h>
 #include <unistd.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #ifndef PR_CAPBSET_READ
 #define PR_CAPBSET_READ 23
 #endif
 #ifndef PR_CAPBSET_DROP
 #define PR_CAPBSET_DROP 24
 #endif
int usage(char *me)
{
	printf("Usage: %s get\n", me);
	printf("       %s drop <capability>\n", me);
	return 1;
}
 #define numcaps 32
char *captable[numcaps] = {
	"cap_chown",
	"cap_dac_override",
	"cap_dac_read_search",
	"cap_fowner",
	"cap_fsetid",
	"cap_kill",
	"cap_setgid",
	"cap_setuid",
	"cap_setpcap",
	"cap_linux_immutable",
	"cap_net_bind_service",
	"cap_net_broadcast",
	"cap_net_admin",
	"cap_net_raw",
	"cap_ipc_lock",
	"cap_ipc_owner",
	"cap_sys_module",
	"cap_sys_rawio",
	"cap_sys_chroot",
	"cap_sys_ptrace",
	"cap_sys_pacct",
	"cap_sys_admin",
	"cap_sys_boot",
	"cap_sys_nice",
	"cap_sys_resource",
	"cap_sys_time",
	"cap_sys_tty_config",
	"cap_mknod",
	"cap_lease",
	"cap_audit_write",
	"cap_audit_control",
	"cap_setfcap"
};
int getbcap(void)
{
	int comma=0;
	unsigned long i;
	int ret;
	printf("i know of %d capabilities\n", numcaps);
	printf("capability bounding set:");
	for (i=0; i<numcaps; i++) {
		ret = prctl(PR_CAPBSET_READ, i);
		if (ret < 0)
			perror("prctl");
		else if (ret==1)
			printf("%s%s", (comma++) ? ", " : " ", captable[i]);
	}
	printf("\n");
	return 0;
}
int capdrop(char *str)
{
	unsigned long i;
	int found=0;
	for (i=0; i<numcaps; i++) {
		if (strcmp(captable[i], str) == 0) {
			found=1;
			break;
		}
	}
	if (!found)
		return 1;
	if (prctl(PR_CAPBSET_DROP, i)) {
		perror("prctl");
		return 1;
	}
	return 0;
}
int main(int argc, char *argv[])
{
	if (argc<2)
		return usage(argv[0]);
	if (strcmp(argv[1], "get")==0)
		return getbcap();
	if (strcmp(argv[1], "drop")!=0 || argc<3)
		return usage(argv[0]);
	if (capdrop(argv[2])) {
		printf("unknown capability\n");
		return 1;
	}
	return execl("/bin/bash", "/bin/bash", NULL);
}
************************************************************
[serue@us.ibm.com: fix typo]
Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: James Morris <jmorris@namei.org>
Cc: Chris Wright <chrisw@sous-sol.org>
Cc: Casey Schaufler <casey@schaufler-ca.com>a
Signed-off-by: "Serge E. Hallyn" <serue@us.ibm.com>
Tested-by: Jiri Slaby <jirislaby@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
											
										 
											2008-02-04 22:29:45 -08:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-05-31 16:26:46 -07:00
										 |  |  | static int prctl_set_mm_exe_file(struct mm_struct *mm, unsigned int fd) | 
					
						
							|  |  |  | { | 
					
						
							| 
									
										
										
										
											2012-08-28 12:52:22 -04:00
										 |  |  | 	struct fd exe; | 
					
						
							| 
									
										
										
										
											2013-01-23 17:07:38 -05:00
										 |  |  | 	struct inode *inode; | 
					
						
							| 
									
										
										
										
											2012-08-28 12:52:22 -04:00
										 |  |  | 	int err; | 
					
						
							| 
									
										
										
										
											2012-05-31 16:26:46 -07:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-08-28 12:52:22 -04:00
										 |  |  | 	exe = fdget(fd); | 
					
						
							|  |  |  | 	if (!exe.file) | 
					
						
							| 
									
										
										
										
											2012-05-31 16:26:46 -07:00
										 |  |  | 		return -EBADF; | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2013-01-23 17:07:38 -05:00
										 |  |  | 	inode = file_inode(exe.file); | 
					
						
							| 
									
										
										
										
											2012-05-31 16:26:46 -07:00
										 |  |  | 
 | 
					
						
							|  |  |  | 	/*
 | 
					
						
							|  |  |  | 	 * Because the original mm->exe_file points to executable file, make | 
					
						
							|  |  |  | 	 * sure that this one is executable as well, to avoid breaking an | 
					
						
							|  |  |  | 	 * overall picture. | 
					
						
							|  |  |  | 	 */ | 
					
						
							|  |  |  | 	err = -EACCES; | 
					
						
							| 
									
										
										
										
											2013-01-23 17:07:38 -05:00
										 |  |  | 	if (!S_ISREG(inode->i_mode)	|| | 
					
						
							| 
									
										
										
										
											2012-08-28 12:52:22 -04:00
										 |  |  | 	    exe.file->f_path.mnt->mnt_flags & MNT_NOEXEC) | 
					
						
							| 
									
										
										
										
											2012-05-31 16:26:46 -07:00
										 |  |  | 		goto exit; | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2013-01-23 17:07:38 -05:00
										 |  |  | 	err = inode_permission(inode, MAY_EXEC); | 
					
						
							| 
									
										
										
										
											2012-05-31 16:26:46 -07:00
										 |  |  | 	if (err) | 
					
						
							|  |  |  | 		goto exit; | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-06-07 14:21:11 -07:00
										 |  |  | 	down_write(&mm->mmap_sem); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	/*
 | 
					
						
							| 
									
										
										
										
											2012-07-11 14:02:11 -07:00
										 |  |  | 	 * Forbid mm->exe_file change if old file still mapped. | 
					
						
							| 
									
										
										
										
											2012-06-07 14:21:11 -07:00
										 |  |  | 	 */ | 
					
						
							|  |  |  | 	err = -EBUSY; | 
					
						
							| 
									
										
										
										
											2012-07-11 14:02:11 -07:00
										 |  |  | 	if (mm->exe_file) { | 
					
						
							|  |  |  | 		struct vm_area_struct *vma; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		for (vma = mm->mmap; vma; vma = vma->vm_next) | 
					
						
							|  |  |  | 			if (vma->vm_file && | 
					
						
							|  |  |  | 			    path_equal(&vma->vm_file->f_path, | 
					
						
							|  |  |  | 				       &mm->exe_file->f_path)) | 
					
						
							|  |  |  | 				goto exit_unlock; | 
					
						
							| 
									
										
										
										
											2012-06-07 14:21:11 -07:00
										 |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-05-31 16:26:46 -07:00
										 |  |  | 	/*
 | 
					
						
							|  |  |  | 	 * The symlink can be changed only once, just to disallow arbitrary | 
					
						
							|  |  |  | 	 * transitions malicious software might bring in. This means one | 
					
						
							|  |  |  | 	 * could make a snapshot over all processes running and monitor | 
					
						
							|  |  |  | 	 * /proc/pid/exe changes to notice unusual activity if needed. | 
					
						
							|  |  |  | 	 */ | 
					
						
							| 
									
										
										
										
											2012-06-07 14:21:11 -07:00
										 |  |  | 	err = -EPERM; | 
					
						
							|  |  |  | 	if (test_and_set_bit(MMF_EXE_FILE_CHANGED, &mm->flags)) | 
					
						
							|  |  |  | 		goto exit_unlock; | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-07-11 14:02:11 -07:00
										 |  |  | 	err = 0; | 
					
						
							| 
									
										
										
										
											2012-08-28 12:52:22 -04:00
										 |  |  | 	set_mm_exe_file(mm, exe.file);	/* this grabs a reference to exe.file */ | 
					
						
							| 
									
										
										
										
											2012-06-07 14:21:11 -07:00
										 |  |  | exit_unlock: | 
					
						
							| 
									
										
										
										
											2012-05-31 16:26:46 -07:00
										 |  |  | 	up_write(&mm->mmap_sem); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | exit: | 
					
						
							| 
									
										
										
										
											2012-08-28 12:52:22 -04:00
										 |  |  | 	fdput(exe); | 
					
						
							| 
									
										
										
										
											2012-05-31 16:26:46 -07:00
										 |  |  | 	return err; | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-01-12 17:20:55 -08:00
										 |  |  | static int prctl_set_mm(int opt, unsigned long addr, | 
					
						
							|  |  |  | 			unsigned long arg4, unsigned long arg5) | 
					
						
							|  |  |  | { | 
					
						
							|  |  |  | 	unsigned long rlim = rlimit(RLIMIT_DATA); | 
					
						
							|  |  |  | 	struct mm_struct *mm = current->mm; | 
					
						
							| 
									
										
										
										
											2012-05-31 16:26:45 -07:00
										 |  |  | 	struct vm_area_struct *vma; | 
					
						
							|  |  |  | 	int error; | 
					
						
							| 
									
										
										
										
											2012-01-12 17:20:55 -08:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-05-31 16:26:45 -07:00
										 |  |  | 	if (arg5 || (arg4 && opt != PR_SET_MM_AUXV)) | 
					
						
							| 
									
										
										
										
											2012-01-12 17:20:55 -08:00
										 |  |  | 		return -EINVAL; | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-03-15 15:17:10 -07:00
										 |  |  | 	if (!capable(CAP_SYS_RESOURCE)) | 
					
						
							| 
									
										
										
										
											2012-01-12 17:20:55 -08:00
										 |  |  | 		return -EPERM; | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-05-31 16:26:46 -07:00
										 |  |  | 	if (opt == PR_SET_MM_EXE_FILE) | 
					
						
							|  |  |  | 		return prctl_set_mm_exe_file(mm, (unsigned int)addr); | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-06-07 14:21:11 -07:00
										 |  |  | 	if (addr >= TASK_SIZE || addr < mmap_min_addr) | 
					
						
							| 
									
										
										
										
											2012-01-12 17:20:55 -08:00
										 |  |  | 		return -EINVAL; | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-05-31 16:26:45 -07:00
										 |  |  | 	error = -EINVAL; | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-01-12 17:20:55 -08:00
										 |  |  | 	down_read(&mm->mmap_sem); | 
					
						
							|  |  |  | 	vma = find_vma(mm, addr); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	switch (opt) { | 
					
						
							|  |  |  | 	case PR_SET_MM_START_CODE: | 
					
						
							| 
									
										
										
										
											2012-05-31 16:26:45 -07:00
										 |  |  | 		mm->start_code = addr; | 
					
						
							|  |  |  | 		break; | 
					
						
							| 
									
										
										
										
											2012-01-12 17:20:55 -08:00
										 |  |  | 	case PR_SET_MM_END_CODE: | 
					
						
							| 
									
										
										
										
											2012-05-31 16:26:45 -07:00
										 |  |  | 		mm->end_code = addr; | 
					
						
							| 
									
										
										
										
											2012-01-12 17:20:55 -08:00
										 |  |  | 		break; | 
					
						
							|  |  |  | 	case PR_SET_MM_START_DATA: | 
					
						
							| 
									
										
										
										
											2012-05-31 16:26:45 -07:00
										 |  |  | 		mm->start_data = addr; | 
					
						
							| 
									
										
										
										
											2012-01-12 17:20:55 -08:00
										 |  |  | 		break; | 
					
						
							| 
									
										
										
										
											2012-05-31 16:26:45 -07:00
										 |  |  | 	case PR_SET_MM_END_DATA: | 
					
						
							|  |  |  | 		mm->end_data = addr; | 
					
						
							| 
									
										
										
										
											2012-01-12 17:20:55 -08:00
										 |  |  | 		break; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	case PR_SET_MM_START_BRK: | 
					
						
							|  |  |  | 		if (addr <= mm->end_data) | 
					
						
							|  |  |  | 			goto out; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		if (rlim < RLIM_INFINITY && | 
					
						
							|  |  |  | 		    (mm->brk - addr) + | 
					
						
							|  |  |  | 		    (mm->end_data - mm->start_data) > rlim) | 
					
						
							|  |  |  | 			goto out; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		mm->start_brk = addr; | 
					
						
							|  |  |  | 		break; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	case PR_SET_MM_BRK: | 
					
						
							|  |  |  | 		if (addr <= mm->end_data) | 
					
						
							|  |  |  | 			goto out; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		if (rlim < RLIM_INFINITY && | 
					
						
							|  |  |  | 		    (addr - mm->start_brk) + | 
					
						
							|  |  |  | 		    (mm->end_data - mm->start_data) > rlim) | 
					
						
							|  |  |  | 			goto out; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		mm->brk = addr; | 
					
						
							|  |  |  | 		break; | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-05-31 16:26:45 -07:00
										 |  |  | 	/*
 | 
					
						
							|  |  |  | 	 * If command line arguments and environment | 
					
						
							|  |  |  | 	 * are placed somewhere else on stack, we can | 
					
						
							|  |  |  | 	 * set them up here, ARG_START/END to setup | 
					
						
							|  |  |  | 	 * command line argumets and ENV_START/END | 
					
						
							|  |  |  | 	 * for environment. | 
					
						
							|  |  |  | 	 */ | 
					
						
							|  |  |  | 	case PR_SET_MM_START_STACK: | 
					
						
							|  |  |  | 	case PR_SET_MM_ARG_START: | 
					
						
							|  |  |  | 	case PR_SET_MM_ARG_END: | 
					
						
							|  |  |  | 	case PR_SET_MM_ENV_START: | 
					
						
							|  |  |  | 	case PR_SET_MM_ENV_END: | 
					
						
							|  |  |  | 		if (!vma) { | 
					
						
							|  |  |  | 			error = -EFAULT; | 
					
						
							|  |  |  | 			goto out; | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 		if (opt == PR_SET_MM_START_STACK) | 
					
						
							|  |  |  | 			mm->start_stack = addr; | 
					
						
							|  |  |  | 		else if (opt == PR_SET_MM_ARG_START) | 
					
						
							|  |  |  | 			mm->arg_start = addr; | 
					
						
							|  |  |  | 		else if (opt == PR_SET_MM_ARG_END) | 
					
						
							|  |  |  | 			mm->arg_end = addr; | 
					
						
							|  |  |  | 		else if (opt == PR_SET_MM_ENV_START) | 
					
						
							|  |  |  | 			mm->env_start = addr; | 
					
						
							|  |  |  | 		else if (opt == PR_SET_MM_ENV_END) | 
					
						
							|  |  |  | 			mm->env_end = addr; | 
					
						
							|  |  |  | 		break; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	/*
 | 
					
						
							|  |  |  | 	 * This doesn't move auxiliary vector itself | 
					
						
							|  |  |  | 	 * since it's pinned to mm_struct, but allow | 
					
						
							|  |  |  | 	 * to fill vector with new values. It's up | 
					
						
							|  |  |  | 	 * to a caller to provide sane values here | 
					
						
							|  |  |  | 	 * otherwise user space tools which use this | 
					
						
							|  |  |  | 	 * vector might be unhappy. | 
					
						
							|  |  |  | 	 */ | 
					
						
							|  |  |  | 	case PR_SET_MM_AUXV: { | 
					
						
							|  |  |  | 		unsigned long user_auxv[AT_VECTOR_SIZE]; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		if (arg4 > sizeof(user_auxv)) | 
					
						
							|  |  |  | 			goto out; | 
					
						
							|  |  |  | 		up_read(&mm->mmap_sem); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		if (copy_from_user(user_auxv, (const void __user *)addr, arg4)) | 
					
						
							|  |  |  | 			return -EFAULT; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		/* Make sure the last entry is always AT_NULL */ | 
					
						
							|  |  |  | 		user_auxv[AT_VECTOR_SIZE - 2] = 0; | 
					
						
							|  |  |  | 		user_auxv[AT_VECTOR_SIZE - 1] = 0; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		BUILD_BUG_ON(sizeof(user_auxv) != sizeof(mm->saved_auxv)); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		task_lock(current); | 
					
						
							|  |  |  | 		memcpy(mm->saved_auxv, user_auxv, arg4); | 
					
						
							|  |  |  | 		task_unlock(current); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		return 0; | 
					
						
							|  |  |  | 	} | 
					
						
							| 
									
										
										
										
											2012-01-12 17:20:55 -08:00
										 |  |  | 	default: | 
					
						
							|  |  |  | 		goto out; | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	error = 0; | 
					
						
							|  |  |  | out: | 
					
						
							|  |  |  | 	up_read(&mm->mmap_sem); | 
					
						
							|  |  |  | 	return error; | 
					
						
							|  |  |  | } | 
					
						
							| 
									
										
										
										
											2012-06-07 14:21:12 -07:00
										 |  |  | 
 | 
					
						
							| 
									
										
											  
											
												kernel/sys.c: make prctl(PR_SET_MM) generally available
The purpose of this patch is to allow privileged processes to set
their own per-memory memory-region fields:
      start_code, end_code, start_data, end_data, start_brk, brk,
      start_stack, arg_start, arg_end, env_start, env_end.
This functionality is needed by any application or package that needs to
reconstruct Linux processes, that is, to start them in any way other than
by means of an "execve()" from an executable file.  This includes:
1. Restoring processes from a checkpoint-file (by all potential
   user-level checkpointing packages, not only CRIU's).
2. Restarting processes on another node after process migration.
3. Starting duplicated copies of a running process (for reliability
   and high-availablity).
4. Starting a process from an executable format that is not supported
   by Linux, thus requiring a "manual execve" by a user-level utility.
5. Similarly, starting a process from a networked and/or crypted
   executable that, for confidentiality, licensing or other reasons,
   may not be written to the local file-systems.
The code that does that was already included in the Linux kernel by the
CRIU group, in the form of "prctl(PR_SET_MM)", but prior to this was
enclosed within their private "#ifdef CONFIG_CHECKPOINT_RESTORE", which is
normally disabled.  The patch removes those ifdefs.
Signed-off-by: Amnon Shiloh <u3557@miso.sublimeip.com>
Cc: Cyrill Gorcunov <gorcunov@openvz.org>
Cc: Pavel Emelyanov <xemul@parallels.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
											
										 
											2013-04-30 15:28:48 -07:00
										 |  |  | #ifdef CONFIG_CHECKPOINT_RESTORE
 | 
					
						
							| 
									
										
										
										
											2012-06-07 14:21:12 -07:00
										 |  |  | static int prctl_get_tid_address(struct task_struct *me, int __user **tid_addr) | 
					
						
							|  |  |  | { | 
					
						
							|  |  |  | 	return put_user(me->clear_child_tid, tid_addr); | 
					
						
							|  |  |  | } | 
					
						
							| 
									
										
											  
											
												kernel/sys.c: make prctl(PR_SET_MM) generally available
The purpose of this patch is to allow privileged processes to set
their own per-memory memory-region fields:
      start_code, end_code, start_data, end_data, start_brk, brk,
      start_stack, arg_start, arg_end, env_start, env_end.
This functionality is needed by any application or package that needs to
reconstruct Linux processes, that is, to start them in any way other than
by means of an "execve()" from an executable file.  This includes:
1. Restoring processes from a checkpoint-file (by all potential
   user-level checkpointing packages, not only CRIU's).
2. Restarting processes on another node after process migration.
3. Starting duplicated copies of a running process (for reliability
   and high-availablity).
4. Starting a process from an executable format that is not supported
   by Linux, thus requiring a "manual execve" by a user-level utility.
5. Similarly, starting a process from a networked and/or crypted
   executable that, for confidentiality, licensing or other reasons,
   may not be written to the local file-systems.
The code that does that was already included in the Linux kernel by the
CRIU group, in the form of "prctl(PR_SET_MM)", but prior to this was
enclosed within their private "#ifdef CONFIG_CHECKPOINT_RESTORE", which is
normally disabled.  The patch removes those ifdefs.
Signed-off-by: Amnon Shiloh <u3557@miso.sublimeip.com>
Cc: Cyrill Gorcunov <gorcunov@openvz.org>
Cc: Pavel Emelyanov <xemul@parallels.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
											
										 
											2013-04-30 15:28:48 -07:00
										 |  |  | #else
 | 
					
						
							| 
									
										
										
										
											2012-06-07 14:21:12 -07:00
										 |  |  | static int prctl_get_tid_address(struct task_struct *me, int __user **tid_addr) | 
					
						
							|  |  |  | { | 
					
						
							|  |  |  | 	return -EINVAL; | 
					
						
							|  |  |  | } | 
					
						
							| 
									
										
										
										
											2012-01-12 17:20:55 -08:00
										 |  |  | #endif
 | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2009-01-14 14:14:28 +01:00
										 |  |  | SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3, | 
					
						
							|  |  |  | 		unsigned long, arg4, unsigned long, arg5) | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | { | 
					
						
							| 
									
										
										
										
											2008-11-14 10:39:16 +11:00
										 |  |  | 	struct task_struct *me = current; | 
					
						
							|  |  |  | 	unsigned char comm[sizeof(me->comm)]; | 
					
						
							|  |  |  | 	long error; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 
 | 
					
						
							| 
									
										
											  
											
												CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management.  This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
	struct cred *new = prepare_creds();
	int ret = blah(new);
	if (ret < 0) {
		abort_creds(new);
		return ret;
	}
	return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const.  The purpose of this is compile-time
discouragement of altering credentials through those pointers.  Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
  (1) Its reference count may incremented and decremented.
  (2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
 (1) execve().
     This now prepares and commits credentials in various places in the
     security code rather than altering the current creds directly.
 (2) Temporary credential overrides.
     do_coredump() and sys_faccessat() now prepare their own credentials and
     temporarily override the ones currently on the acting thread, whilst
     preventing interference from other threads by holding cred_replace_mutex
     on the thread being dumped.
     This will be replaced in a future patch by something that hands down the
     credentials directly to the functions being called, rather than altering
     the task's objective credentials.
 (3) LSM interface.
     A number of functions have been changed, added or removed:
     (*) security_capset_check(), ->capset_check()
     (*) security_capset_set(), ->capset_set()
     	 Removed in favour of security_capset().
     (*) security_capset(), ->capset()
     	 New.  This is passed a pointer to the new creds, a pointer to the old
     	 creds and the proposed capability sets.  It should fill in the new
     	 creds or return an error.  All pointers, barring the pointer to the
     	 new creds, are now const.
     (*) security_bprm_apply_creds(), ->bprm_apply_creds()
     	 Changed; now returns a value, which will cause the process to be
     	 killed if it's an error.
     (*) security_task_alloc(), ->task_alloc_security()
     	 Removed in favour of security_prepare_creds().
     (*) security_cred_free(), ->cred_free()
     	 New.  Free security data attached to cred->security.
     (*) security_prepare_creds(), ->cred_prepare()
     	 New. Duplicate any security data attached to cred->security.
     (*) security_commit_creds(), ->cred_commit()
     	 New. Apply any security effects for the upcoming installation of new
     	 security by commit_creds().
     (*) security_task_post_setuid(), ->task_post_setuid()
     	 Removed in favour of security_task_fix_setuid().
     (*) security_task_fix_setuid(), ->task_fix_setuid()
     	 Fix up the proposed new credentials for setuid().  This is used by
     	 cap_set_fix_setuid() to implicitly adjust capabilities in line with
     	 setuid() changes.  Changes are made to the new credentials, rather
     	 than the task itself as in security_task_post_setuid().
     (*) security_task_reparent_to_init(), ->task_reparent_to_init()
     	 Removed.  Instead the task being reparented to init is referred
     	 directly to init's credentials.
	 NOTE!  This results in the loss of some state: SELinux's osid no
	 longer records the sid of the thread that forked it.
     (*) security_key_alloc(), ->key_alloc()
     (*) security_key_permission(), ->key_permission()
     	 Changed.  These now take cred pointers rather than task pointers to
     	 refer to the security context.
 (4) sys_capset().
     This has been simplified and uses less locking.  The LSM functions it
     calls have been merged.
 (5) reparent_to_kthreadd().
     This gives the current thread the same credentials as init by simply using
     commit_thread() to point that way.
 (6) __sigqueue_alloc() and switch_uid()
     __sigqueue_alloc() can't stop the target task from changing its creds
     beneath it, so this function gets a reference to the currently applicable
     user_struct which it then passes into the sigqueue struct it returns if
     successful.
     switch_uid() is now called from commit_creds(), and possibly should be
     folded into that.  commit_creds() should take care of protecting
     __sigqueue_alloc().
 (7) [sg]et[ug]id() and co and [sg]et_current_groups.
     The set functions now all use prepare_creds(), commit_creds() and
     abort_creds() to build and check a new set of credentials before applying
     it.
     security_task_set[ug]id() is called inside the prepared section.  This
     guarantees that nothing else will affect the creds until we've finished.
     The calling of set_dumpable() has been moved into commit_creds().
     Much of the functionality of set_user() has been moved into
     commit_creds().
     The get functions all simply access the data directly.
 (8) security_task_prctl() and cap_task_prctl().
     security_task_prctl() has been modified to return -ENOSYS if it doesn't
     want to handle a function, or otherwise return the return value directly
     rather than through an argument.
     Additionally, cap_task_prctl() now prepares a new set of credentials, even
     if it doesn't end up using it.
 (9) Keyrings.
     A number of changes have been made to the keyrings code:
     (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
     	 all been dropped and built in to the credentials functions directly.
     	 They may want separating out again later.
     (b) key_alloc() and search_process_keyrings() now take a cred pointer
     	 rather than a task pointer to specify the security context.
     (c) copy_creds() gives a new thread within the same thread group a new
     	 thread keyring if its parent had one, otherwise it discards the thread
     	 keyring.
     (d) The authorisation key now points directly to the credentials to extend
     	 the search into rather pointing to the task that carries them.
     (e) Installing thread, process or session keyrings causes a new set of
     	 credentials to be created, even though it's not strictly necessary for
     	 process or session keyrings (they're shared).
(10) Usermode helper.
     The usermode helper code now carries a cred struct pointer in its
     subprocess_info struct instead of a new session keyring pointer.  This set
     of credentials is derived from init_cred and installed on the new process
     after it has been cloned.
     call_usermodehelper_setup() allocates the new credentials and
     call_usermodehelper_freeinfo() discards them if they haven't been used.  A
     special cred function (prepare_usermodeinfo_creds()) is provided
     specifically for call_usermodehelper_setup() to call.
     call_usermodehelper_setkeys() adjusts the credentials to sport the
     supplied keyring as the new session keyring.
(11) SELinux.
     SELinux has a number of changes, in addition to those to support the LSM
     interface changes mentioned above:
     (a) selinux_setprocattr() no longer does its check for whether the
     	 current ptracer can access processes with the new SID inside the lock
     	 that covers getting the ptracer's SID.  Whilst this lock ensures that
     	 the check is done with the ptracer pinned, the result is only valid
     	 until the lock is released, so there's no point doing it inside the
     	 lock.
(12) is_single_threaded().
     This function has been extracted from selinux_setprocattr() and put into
     a file of its own in the lib/ directory as join_session_keyring() now
     wants to use it too.
     The code in SELinux just checked to see whether a task shared mm_structs
     with other tasks (CLONE_VM), but that isn't good enough.  We really want
     to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
     The NFS server daemon now has to use the COW credentials to set the
     credentials it is going to use.  It really needs to pass the credentials
     down to the functions it calls, but it can't do that until other patches
     in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
											
										 
											2008-11-14 10:39:23 +11:00
										 |  |  | 	error = security_task_prctl(option, arg2, arg3, arg4, arg5); | 
					
						
							|  |  |  | 	if (error != -ENOSYS) | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 		return error; | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
											  
											
												CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management.  This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
	struct cred *new = prepare_creds();
	int ret = blah(new);
	if (ret < 0) {
		abort_creds(new);
		return ret;
	}
	return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const.  The purpose of this is compile-time
discouragement of altering credentials through those pointers.  Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
  (1) Its reference count may incremented and decremented.
  (2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
 (1) execve().
     This now prepares and commits credentials in various places in the
     security code rather than altering the current creds directly.
 (2) Temporary credential overrides.
     do_coredump() and sys_faccessat() now prepare their own credentials and
     temporarily override the ones currently on the acting thread, whilst
     preventing interference from other threads by holding cred_replace_mutex
     on the thread being dumped.
     This will be replaced in a future patch by something that hands down the
     credentials directly to the functions being called, rather than altering
     the task's objective credentials.
 (3) LSM interface.
     A number of functions have been changed, added or removed:
     (*) security_capset_check(), ->capset_check()
     (*) security_capset_set(), ->capset_set()
     	 Removed in favour of security_capset().
     (*) security_capset(), ->capset()
     	 New.  This is passed a pointer to the new creds, a pointer to the old
     	 creds and the proposed capability sets.  It should fill in the new
     	 creds or return an error.  All pointers, barring the pointer to the
     	 new creds, are now const.
     (*) security_bprm_apply_creds(), ->bprm_apply_creds()
     	 Changed; now returns a value, which will cause the process to be
     	 killed if it's an error.
     (*) security_task_alloc(), ->task_alloc_security()
     	 Removed in favour of security_prepare_creds().
     (*) security_cred_free(), ->cred_free()
     	 New.  Free security data attached to cred->security.
     (*) security_prepare_creds(), ->cred_prepare()
     	 New. Duplicate any security data attached to cred->security.
     (*) security_commit_creds(), ->cred_commit()
     	 New. Apply any security effects for the upcoming installation of new
     	 security by commit_creds().
     (*) security_task_post_setuid(), ->task_post_setuid()
     	 Removed in favour of security_task_fix_setuid().
     (*) security_task_fix_setuid(), ->task_fix_setuid()
     	 Fix up the proposed new credentials for setuid().  This is used by
     	 cap_set_fix_setuid() to implicitly adjust capabilities in line with
     	 setuid() changes.  Changes are made to the new credentials, rather
     	 than the task itself as in security_task_post_setuid().
     (*) security_task_reparent_to_init(), ->task_reparent_to_init()
     	 Removed.  Instead the task being reparented to init is referred
     	 directly to init's credentials.
	 NOTE!  This results in the loss of some state: SELinux's osid no
	 longer records the sid of the thread that forked it.
     (*) security_key_alloc(), ->key_alloc()
     (*) security_key_permission(), ->key_permission()
     	 Changed.  These now take cred pointers rather than task pointers to
     	 refer to the security context.
 (4) sys_capset().
     This has been simplified and uses less locking.  The LSM functions it
     calls have been merged.
 (5) reparent_to_kthreadd().
     This gives the current thread the same credentials as init by simply using
     commit_thread() to point that way.
 (6) __sigqueue_alloc() and switch_uid()
     __sigqueue_alloc() can't stop the target task from changing its creds
     beneath it, so this function gets a reference to the currently applicable
     user_struct which it then passes into the sigqueue struct it returns if
     successful.
     switch_uid() is now called from commit_creds(), and possibly should be
     folded into that.  commit_creds() should take care of protecting
     __sigqueue_alloc().
 (7) [sg]et[ug]id() and co and [sg]et_current_groups.
     The set functions now all use prepare_creds(), commit_creds() and
     abort_creds() to build and check a new set of credentials before applying
     it.
     security_task_set[ug]id() is called inside the prepared section.  This
     guarantees that nothing else will affect the creds until we've finished.
     The calling of set_dumpable() has been moved into commit_creds().
     Much of the functionality of set_user() has been moved into
     commit_creds().
     The get functions all simply access the data directly.
 (8) security_task_prctl() and cap_task_prctl().
     security_task_prctl() has been modified to return -ENOSYS if it doesn't
     want to handle a function, or otherwise return the return value directly
     rather than through an argument.
     Additionally, cap_task_prctl() now prepares a new set of credentials, even
     if it doesn't end up using it.
 (9) Keyrings.
     A number of changes have been made to the keyrings code:
     (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
     	 all been dropped and built in to the credentials functions directly.
     	 They may want separating out again later.
     (b) key_alloc() and search_process_keyrings() now take a cred pointer
     	 rather than a task pointer to specify the security context.
     (c) copy_creds() gives a new thread within the same thread group a new
     	 thread keyring if its parent had one, otherwise it discards the thread
     	 keyring.
     (d) The authorisation key now points directly to the credentials to extend
     	 the search into rather pointing to the task that carries them.
     (e) Installing thread, process or session keyrings causes a new set of
     	 credentials to be created, even though it's not strictly necessary for
     	 process or session keyrings (they're shared).
(10) Usermode helper.
     The usermode helper code now carries a cred struct pointer in its
     subprocess_info struct instead of a new session keyring pointer.  This set
     of credentials is derived from init_cred and installed on the new process
     after it has been cloned.
     call_usermodehelper_setup() allocates the new credentials and
     call_usermodehelper_freeinfo() discards them if they haven't been used.  A
     special cred function (prepare_usermodeinfo_creds()) is provided
     specifically for call_usermodehelper_setup() to call.
     call_usermodehelper_setkeys() adjusts the credentials to sport the
     supplied keyring as the new session keyring.
(11) SELinux.
     SELinux has a number of changes, in addition to those to support the LSM
     interface changes mentioned above:
     (a) selinux_setprocattr() no longer does its check for whether the
     	 current ptracer can access processes with the new SID inside the lock
     	 that covers getting the ptracer's SID.  Whilst this lock ensures that
     	 the check is done with the ptracer pinned, the result is only valid
     	 until the lock is released, so there's no point doing it inside the
     	 lock.
(12) is_single_threaded().
     This function has been extracted from selinux_setprocattr() and put into
     a file of its own in the lib/ directory as join_session_keyring() now
     wants to use it too.
     The code in SELinux just checked to see whether a task shared mm_structs
     with other tasks (CLONE_VM), but that isn't good enough.  We really want
     to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
     The NFS server daemon now has to use the COW credentials to set the
     credentials it is going to use.  It really needs to pass the credentials
     down to the functions it calls, but it can't do that until other patches
     in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
											
										 
											2008-11-14 10:39:23 +11:00
										 |  |  | 	error = 0; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 	switch (option) { | 
					
						
							| 
									
										
										
										
											2013-02-21 16:43:07 -08:00
										 |  |  | 	case PR_SET_PDEATHSIG: | 
					
						
							|  |  |  | 		if (!valid_signal(arg2)) { | 
					
						
							|  |  |  | 			error = -EINVAL; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 			break; | 
					
						
							| 
									
										
										
										
											2013-02-21 16:43:07 -08:00
										 |  |  | 		} | 
					
						
							|  |  |  | 		me->pdeath_signal = arg2; | 
					
						
							|  |  |  | 		break; | 
					
						
							|  |  |  | 	case PR_GET_PDEATHSIG: | 
					
						
							|  |  |  | 		error = put_user(me->pdeath_signal, (int __user *)arg2); | 
					
						
							|  |  |  | 		break; | 
					
						
							|  |  |  | 	case PR_GET_DUMPABLE: | 
					
						
							|  |  |  | 		error = get_dumpable(me->mm); | 
					
						
							|  |  |  | 		break; | 
					
						
							|  |  |  | 	case PR_SET_DUMPABLE: | 
					
						
							|  |  |  | 		if (arg2 != SUID_DUMP_DISABLE && arg2 != SUID_DUMP_USER) { | 
					
						
							|  |  |  | 			error = -EINVAL; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 			break; | 
					
						
							| 
									
										
										
										
											2013-02-21 16:43:07 -08:00
										 |  |  | 		} | 
					
						
							|  |  |  | 		set_dumpable(me->mm, arg2); | 
					
						
							|  |  |  | 		break; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2013-02-21 16:43:07 -08:00
										 |  |  | 	case PR_SET_UNALIGN: | 
					
						
							|  |  |  | 		error = SET_UNALIGN_CTL(me, arg2); | 
					
						
							|  |  |  | 		break; | 
					
						
							|  |  |  | 	case PR_GET_UNALIGN: | 
					
						
							|  |  |  | 		error = GET_UNALIGN_CTL(me, arg2); | 
					
						
							|  |  |  | 		break; | 
					
						
							|  |  |  | 	case PR_SET_FPEMU: | 
					
						
							|  |  |  | 		error = SET_FPEMU_CTL(me, arg2); | 
					
						
							|  |  |  | 		break; | 
					
						
							|  |  |  | 	case PR_GET_FPEMU: | 
					
						
							|  |  |  | 		error = GET_FPEMU_CTL(me, arg2); | 
					
						
							|  |  |  | 		break; | 
					
						
							|  |  |  | 	case PR_SET_FPEXC: | 
					
						
							|  |  |  | 		error = SET_FPEXC_CTL(me, arg2); | 
					
						
							|  |  |  | 		break; | 
					
						
							|  |  |  | 	case PR_GET_FPEXC: | 
					
						
							|  |  |  | 		error = GET_FPEXC_CTL(me, arg2); | 
					
						
							|  |  |  | 		break; | 
					
						
							|  |  |  | 	case PR_GET_TIMING: | 
					
						
							|  |  |  | 		error = PR_TIMING_STATISTICAL; | 
					
						
							|  |  |  | 		break; | 
					
						
							|  |  |  | 	case PR_SET_TIMING: | 
					
						
							|  |  |  | 		if (arg2 != PR_TIMING_STATISTICAL) | 
					
						
							|  |  |  | 			error = -EINVAL; | 
					
						
							|  |  |  | 		break; | 
					
						
							|  |  |  | 	case PR_SET_NAME: | 
					
						
							|  |  |  | 		comm[sizeof(me->comm) - 1] = 0; | 
					
						
							|  |  |  | 		if (strncpy_from_user(comm, (char __user *)arg2, | 
					
						
							|  |  |  | 				      sizeof(me->comm) - 1) < 0) | 
					
						
							|  |  |  | 			return -EFAULT; | 
					
						
							|  |  |  | 		set_task_comm(me, comm); | 
					
						
							|  |  |  | 		proc_comm_connector(me); | 
					
						
							|  |  |  | 		break; | 
					
						
							|  |  |  | 	case PR_GET_NAME: | 
					
						
							|  |  |  | 		get_task_comm(comm, me); | 
					
						
							|  |  |  | 		if (copy_to_user((char __user *)arg2, comm, sizeof(comm))) | 
					
						
							|  |  |  | 			return -EFAULT; | 
					
						
							|  |  |  | 		break; | 
					
						
							|  |  |  | 	case PR_GET_ENDIAN: | 
					
						
							|  |  |  | 		error = GET_ENDIAN(me, arg2); | 
					
						
							|  |  |  | 		break; | 
					
						
							|  |  |  | 	case PR_SET_ENDIAN: | 
					
						
							|  |  |  | 		error = SET_ENDIAN(me, arg2); | 
					
						
							|  |  |  | 		break; | 
					
						
							|  |  |  | 	case PR_GET_SECCOMP: | 
					
						
							|  |  |  | 		error = prctl_get_seccomp(); | 
					
						
							|  |  |  | 		break; | 
					
						
							|  |  |  | 	case PR_SET_SECCOMP: | 
					
						
							|  |  |  | 		error = prctl_set_seccomp(arg2, (char __user *)arg3); | 
					
						
							|  |  |  | 		break; | 
					
						
							|  |  |  | 	case PR_GET_TSC: | 
					
						
							|  |  |  | 		error = GET_TSC_CTL(arg2); | 
					
						
							|  |  |  | 		break; | 
					
						
							|  |  |  | 	case PR_SET_TSC: | 
					
						
							|  |  |  | 		error = SET_TSC_CTL(arg2); | 
					
						
							|  |  |  | 		break; | 
					
						
							|  |  |  | 	case PR_TASK_PERF_EVENTS_DISABLE: | 
					
						
							|  |  |  | 		error = perf_event_task_disable(); | 
					
						
							|  |  |  | 		break; | 
					
						
							|  |  |  | 	case PR_TASK_PERF_EVENTS_ENABLE: | 
					
						
							|  |  |  | 		error = perf_event_task_enable(); | 
					
						
							|  |  |  | 		break; | 
					
						
							|  |  |  | 	case PR_GET_TIMERSLACK: | 
					
						
							|  |  |  | 		error = current->timer_slack_ns; | 
					
						
							|  |  |  | 		break; | 
					
						
							|  |  |  | 	case PR_SET_TIMERSLACK: | 
					
						
							|  |  |  | 		if (arg2 <= 0) | 
					
						
							|  |  |  | 			current->timer_slack_ns = | 
					
						
							| 
									
										
										
										
											2008-09-01 15:52:40 -07:00
										 |  |  | 					current->default_timer_slack_ns; | 
					
						
							| 
									
										
										
										
											2013-02-21 16:43:07 -08:00
										 |  |  | 		else | 
					
						
							|  |  |  | 			current->timer_slack_ns = arg2; | 
					
						
							|  |  |  | 		break; | 
					
						
							|  |  |  | 	case PR_MCE_KILL: | 
					
						
							|  |  |  | 		if (arg4 | arg5) | 
					
						
							|  |  |  | 			return -EINVAL; | 
					
						
							|  |  |  | 		switch (arg2) { | 
					
						
							|  |  |  | 		case PR_MCE_KILL_CLEAR: | 
					
						
							|  |  |  | 			if (arg3 != 0) | 
					
						
							| 
									
										
										
										
											2009-09-16 11:50:14 +02:00
										 |  |  | 				return -EINVAL; | 
					
						
							| 
									
										
										
										
											2013-02-21 16:43:07 -08:00
										 |  |  | 			current->flags &= ~PF_MCE_PROCESS; | 
					
						
							| 
									
										
										
										
											2009-09-16 11:50:14 +02:00
										 |  |  | 			break; | 
					
						
							| 
									
										
										
										
											2013-02-21 16:43:07 -08:00
										 |  |  | 		case PR_MCE_KILL_SET: | 
					
						
							|  |  |  | 			current->flags |= PF_MCE_PROCESS; | 
					
						
							|  |  |  | 			if (arg3 == PR_MCE_KILL_EARLY) | 
					
						
							|  |  |  | 				current->flags |= PF_MCE_EARLY; | 
					
						
							|  |  |  | 			else if (arg3 == PR_MCE_KILL_LATE) | 
					
						
							|  |  |  | 				current->flags &= ~PF_MCE_EARLY; | 
					
						
							|  |  |  | 			else if (arg3 == PR_MCE_KILL_DEFAULT) | 
					
						
							|  |  |  | 				current->flags &= | 
					
						
							|  |  |  | 						~(PF_MCE_EARLY|PF_MCE_PROCESS); | 
					
						
							| 
									
										
										
										
											2009-10-04 02:20:11 +02:00
										 |  |  | 			else | 
					
						
							| 
									
										
											  
											
												Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs
With this change, calling
  prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)
disables privilege granting operations at execve-time.  For example, a
process will not be able to execute a setuid binary to change their uid
or gid if this bit is set.  The same is true for file capabilities.
Additionally, LSM_UNSAFE_NO_NEW_PRIVS is defined to ensure that
LSMs respect the requested behavior.
To determine if the NO_NEW_PRIVS bit is set, a task may call
  prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
It returns 1 if set and 0 if it is not set. If any of the arguments are
non-zero, it will return -1 and set errno to -EINVAL.
(PR_SET_NO_NEW_PRIVS behaves similarly.)
This functionality is desired for the proposed seccomp filter patch
series.  By using PR_SET_NO_NEW_PRIVS, it allows a task to modify the
system call behavior for itself and its child tasks without being
able to impact the behavior of a more privileged task.
Another potential use is making certain privileged operations
unprivileged.  For example, chroot may be considered "safe" if it cannot
affect privileged tasks.
Note, this patch causes execve to fail when PR_SET_NO_NEW_PRIVS is
set and AppArmor is in use.  It is fixed in a subsequent patch.
Signed-off-by: Andy Lutomirski <luto@amacapital.net>
Signed-off-by: Will Drewry <wad@chromium.org>
Acked-by: Eric Paris <eparis@redhat.com>
Acked-by: Kees Cook <keescook@chromium.org>
v18: updated change desc
v17: using new define values as per 3.4
Signed-off-by: James Morris <james.l.morris@oracle.com>
											
										 
											2012-04-12 16:47:50 -05:00
										 |  |  | 				return -EINVAL; | 
					
						
							|  |  |  | 			break; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 		default: | 
					
						
							| 
									
										
										
										
											2013-02-21 16:43:07 -08:00
										 |  |  | 			return -EINVAL; | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 		break; | 
					
						
							|  |  |  | 	case PR_MCE_KILL_GET: | 
					
						
							|  |  |  | 		if (arg2 | arg3 | arg4 | arg5) | 
					
						
							|  |  |  | 			return -EINVAL; | 
					
						
							|  |  |  | 		if (current->flags & PF_MCE_PROCESS) | 
					
						
							|  |  |  | 			error = (current->flags & PF_MCE_EARLY) ? | 
					
						
							|  |  |  | 				PR_MCE_KILL_EARLY : PR_MCE_KILL_LATE; | 
					
						
							|  |  |  | 		else | 
					
						
							|  |  |  | 			error = PR_MCE_KILL_DEFAULT; | 
					
						
							|  |  |  | 		break; | 
					
						
							|  |  |  | 	case PR_SET_MM: | 
					
						
							|  |  |  | 		error = prctl_set_mm(arg2, arg3, arg4, arg5); | 
					
						
							|  |  |  | 		break; | 
					
						
							|  |  |  | 	case PR_GET_TID_ADDRESS: | 
					
						
							|  |  |  | 		error = prctl_get_tid_address(me, (int __user **)arg2); | 
					
						
							|  |  |  | 		break; | 
					
						
							|  |  |  | 	case PR_SET_CHILD_SUBREAPER: | 
					
						
							|  |  |  | 		me->signal->is_child_subreaper = !!arg2; | 
					
						
							|  |  |  | 		break; | 
					
						
							|  |  |  | 	case PR_GET_CHILD_SUBREAPER: | 
					
						
							|  |  |  | 		error = put_user(me->signal->is_child_subreaper, | 
					
						
							|  |  |  | 				 (int __user *)arg2); | 
					
						
							|  |  |  | 		break; | 
					
						
							|  |  |  | 	case PR_SET_NO_NEW_PRIVS: | 
					
						
							|  |  |  | 		if (arg2 != 1 || arg3 || arg4 || arg5) | 
					
						
							|  |  |  | 			return -EINVAL; | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-05-21 15:23:46 -07:00
										 |  |  | 		task_set_no_new_privs(current); | 
					
						
							| 
									
										
										
										
											2013-02-21 16:43:07 -08:00
										 |  |  | 		break; | 
					
						
							|  |  |  | 	case PR_GET_NO_NEW_PRIVS: | 
					
						
							|  |  |  | 		if (arg2 || arg3 || arg4 || arg5) | 
					
						
							|  |  |  | 			return -EINVAL; | 
					
						
							| 
									
										
										
										
											2014-05-21 15:23:46 -07:00
										 |  |  | 		return task_no_new_privs(current) ? 1 : 0; | 
					
						
							| 
									
										
										
										
											2014-04-07 15:37:10 -07:00
										 |  |  | 	case PR_GET_THP_DISABLE: | 
					
						
							|  |  |  | 		if (arg2 || arg3 || arg4 || arg5) | 
					
						
							|  |  |  | 			return -EINVAL; | 
					
						
							|  |  |  | 		error = !!(me->mm->def_flags & VM_NOHUGEPAGE); | 
					
						
							|  |  |  | 		break; | 
					
						
							|  |  |  | 	case PR_SET_THP_DISABLE: | 
					
						
							|  |  |  | 		if (arg3 || arg4 || arg5) | 
					
						
							|  |  |  | 			return -EINVAL; | 
					
						
							|  |  |  | 		down_write(&me->mm->mmap_sem); | 
					
						
							|  |  |  | 		if (arg2) | 
					
						
							|  |  |  | 			me->mm->def_flags |= VM_NOHUGEPAGE; | 
					
						
							|  |  |  | 		else | 
					
						
							|  |  |  | 			me->mm->def_flags &= ~VM_NOHUGEPAGE; | 
					
						
							|  |  |  | 		up_write(&me->mm->mmap_sem); | 
					
						
							|  |  |  | 		break; | 
					
						
							| 
									
										
										
										
											2013-02-21 16:43:07 -08:00
										 |  |  | 	default: | 
					
						
							|  |  |  | 		error = -EINVAL; | 
					
						
							|  |  |  | 		break; | 
					
						
							| 
									
										
										
										
											2005-04-16 15:20:36 -07:00
										 |  |  | 	} | 
					
						
							|  |  |  | 	return error; | 
					
						
							|  |  |  | } | 
					
						
							| 
									
										
										
										
											2006-09-26 10:52:28 +02:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2009-01-14 14:14:33 +01:00
										 |  |  | SYSCALL_DEFINE3(getcpu, unsigned __user *, cpup, unsigned __user *, nodep, | 
					
						
							|  |  |  | 		struct getcpu_cache __user *, unused) | 
					
						
							| 
									
										
										
										
											2006-09-26 10:52:28 +02:00
										 |  |  | { | 
					
						
							|  |  |  | 	int err = 0; | 
					
						
							|  |  |  | 	int cpu = raw_smp_processor_id(); | 
					
						
							|  |  |  | 	if (cpup) | 
					
						
							|  |  |  | 		err |= put_user(cpu, cpup); | 
					
						
							|  |  |  | 	if (nodep) | 
					
						
							|  |  |  | 		err |= put_user(cpu_to_node(cpu), nodep); | 
					
						
							|  |  |  | 	return err ? -EFAULT : 0; | 
					
						
							|  |  |  | } | 
					
						
							| 
									
										
										
										
											2007-07-17 18:37:02 -07:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2013-04-30 15:27:37 -07:00
										 |  |  | /**
 | 
					
						
							|  |  |  |  * do_sysinfo - fill in sysinfo struct | 
					
						
							|  |  |  |  * @info: pointer to buffer to fill | 
					
						
							|  |  |  |  */ | 
					
						
							|  |  |  | static int do_sysinfo(struct sysinfo *info) | 
					
						
							|  |  |  | { | 
					
						
							|  |  |  | 	unsigned long mem_total, sav_total; | 
					
						
							|  |  |  | 	unsigned int mem_unit, bitcount; | 
					
						
							|  |  |  | 	struct timespec tp; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	memset(info, 0, sizeof(struct sysinfo)); | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2013-07-03 15:05:01 -07:00
										 |  |  | 	get_monotonic_boottime(&tp); | 
					
						
							| 
									
										
										
										
											2013-04-30 15:27:37 -07:00
										 |  |  | 	info->uptime = tp.tv_sec + (tp.tv_nsec ? 1 : 0); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	get_avenrun(info->loads, 0, SI_LOAD_SHIFT - FSHIFT); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	info->procs = nr_threads; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	si_meminfo(info); | 
					
						
							|  |  |  | 	si_swapinfo(info); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	/*
 | 
					
						
							|  |  |  | 	 * If the sum of all the available memory (i.e. ram + swap) | 
					
						
							|  |  |  | 	 * is less than can be stored in a 32 bit unsigned long then | 
					
						
							|  |  |  | 	 * we can be binary compatible with 2.2.x kernels.  If not, | 
					
						
							|  |  |  | 	 * well, in that case 2.2.x was broken anyways... | 
					
						
							|  |  |  | 	 * | 
					
						
							|  |  |  | 	 *  -Erik Andersen <andersee@debian.org> | 
					
						
							|  |  |  | 	 */ | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	mem_total = info->totalram + info->totalswap; | 
					
						
							|  |  |  | 	if (mem_total < info->totalram || mem_total < info->totalswap) | 
					
						
							|  |  |  | 		goto out; | 
					
						
							|  |  |  | 	bitcount = 0; | 
					
						
							|  |  |  | 	mem_unit = info->mem_unit; | 
					
						
							|  |  |  | 	while (mem_unit > 1) { | 
					
						
							|  |  |  | 		bitcount++; | 
					
						
							|  |  |  | 		mem_unit >>= 1; | 
					
						
							|  |  |  | 		sav_total = mem_total; | 
					
						
							|  |  |  | 		mem_total <<= 1; | 
					
						
							|  |  |  | 		if (mem_total < sav_total) | 
					
						
							|  |  |  | 			goto out; | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	/*
 | 
					
						
							|  |  |  | 	 * If mem_total did not overflow, multiply all memory values by | 
					
						
							|  |  |  | 	 * info->mem_unit and set it to 1.  This leaves things compatible | 
					
						
							|  |  |  | 	 * with 2.2.x, and also retains compatibility with earlier 2.4.x | 
					
						
							|  |  |  | 	 * kernels... | 
					
						
							|  |  |  | 	 */ | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	info->mem_unit = 1; | 
					
						
							|  |  |  | 	info->totalram <<= bitcount; | 
					
						
							|  |  |  | 	info->freeram <<= bitcount; | 
					
						
							|  |  |  | 	info->sharedram <<= bitcount; | 
					
						
							|  |  |  | 	info->bufferram <<= bitcount; | 
					
						
							|  |  |  | 	info->totalswap <<= bitcount; | 
					
						
							|  |  |  | 	info->freeswap <<= bitcount; | 
					
						
							|  |  |  | 	info->totalhigh <<= bitcount; | 
					
						
							|  |  |  | 	info->freehigh <<= bitcount; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | out: | 
					
						
							|  |  |  | 	return 0; | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | SYSCALL_DEFINE1(sysinfo, struct sysinfo __user *, info) | 
					
						
							|  |  |  | { | 
					
						
							|  |  |  | 	struct sysinfo val; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	do_sysinfo(&val); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	if (copy_to_user(info, &val, sizeof(struct sysinfo))) | 
					
						
							|  |  |  | 		return -EFAULT; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	return 0; | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | #ifdef CONFIG_COMPAT
 | 
					
						
							|  |  |  | struct compat_sysinfo { | 
					
						
							|  |  |  | 	s32 uptime; | 
					
						
							|  |  |  | 	u32 loads[3]; | 
					
						
							|  |  |  | 	u32 totalram; | 
					
						
							|  |  |  | 	u32 freeram; | 
					
						
							|  |  |  | 	u32 sharedram; | 
					
						
							|  |  |  | 	u32 bufferram; | 
					
						
							|  |  |  | 	u32 totalswap; | 
					
						
							|  |  |  | 	u32 freeswap; | 
					
						
							|  |  |  | 	u16 procs; | 
					
						
							|  |  |  | 	u16 pad; | 
					
						
							|  |  |  | 	u32 totalhigh; | 
					
						
							|  |  |  | 	u32 freehigh; | 
					
						
							|  |  |  | 	u32 mem_unit; | 
					
						
							|  |  |  | 	char _f[20-2*sizeof(u32)-sizeof(int)]; | 
					
						
							|  |  |  | }; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | COMPAT_SYSCALL_DEFINE1(sysinfo, struct compat_sysinfo __user *, info) | 
					
						
							|  |  |  | { | 
					
						
							|  |  |  | 	struct sysinfo s; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	do_sysinfo(&s); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	/* Check to see if any memory value is too large for 32-bit and scale
 | 
					
						
							|  |  |  | 	 *  down if needed | 
					
						
							|  |  |  | 	 */ | 
					
						
							|  |  |  | 	if ((s.totalram >> 32) || (s.totalswap >> 32)) { | 
					
						
							|  |  |  | 		int bitcount = 0; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		while (s.mem_unit < PAGE_SIZE) { | 
					
						
							|  |  |  | 			s.mem_unit <<= 1; | 
					
						
							|  |  |  | 			bitcount++; | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		s.totalram >>= bitcount; | 
					
						
							|  |  |  | 		s.freeram >>= bitcount; | 
					
						
							|  |  |  | 		s.sharedram >>= bitcount; | 
					
						
							|  |  |  | 		s.bufferram >>= bitcount; | 
					
						
							|  |  |  | 		s.totalswap >>= bitcount; | 
					
						
							|  |  |  | 		s.freeswap >>= bitcount; | 
					
						
							|  |  |  | 		s.totalhigh >>= bitcount; | 
					
						
							|  |  |  | 		s.freehigh >>= bitcount; | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	if (!access_ok(VERIFY_WRITE, info, sizeof(struct compat_sysinfo)) || | 
					
						
							|  |  |  | 	    __put_user(s.uptime, &info->uptime) || | 
					
						
							|  |  |  | 	    __put_user(s.loads[0], &info->loads[0]) || | 
					
						
							|  |  |  | 	    __put_user(s.loads[1], &info->loads[1]) || | 
					
						
							|  |  |  | 	    __put_user(s.loads[2], &info->loads[2]) || | 
					
						
							|  |  |  | 	    __put_user(s.totalram, &info->totalram) || | 
					
						
							|  |  |  | 	    __put_user(s.freeram, &info->freeram) || | 
					
						
							|  |  |  | 	    __put_user(s.sharedram, &info->sharedram) || | 
					
						
							|  |  |  | 	    __put_user(s.bufferram, &info->bufferram) || | 
					
						
							|  |  |  | 	    __put_user(s.totalswap, &info->totalswap) || | 
					
						
							|  |  |  | 	    __put_user(s.freeswap, &info->freeswap) || | 
					
						
							|  |  |  | 	    __put_user(s.procs, &info->procs) || | 
					
						
							|  |  |  | 	    __put_user(s.totalhigh, &info->totalhigh) || | 
					
						
							|  |  |  | 	    __put_user(s.freehigh, &info->freehigh) || | 
					
						
							|  |  |  | 	    __put_user(s.mem_unit, &info->mem_unit)) | 
					
						
							|  |  |  | 		return -EFAULT; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	return 0; | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | #endif /* CONFIG_COMPAT */
 |