linux/security/selinux/include
Stephen Smalley 791ec491c3 prlimit,security,selinux: add a security hook for prlimit
When SELinux was first added to the kernel, a process could only get
and set its own resource limits via getrlimit(2) and setrlimit(2), so no
MAC checks were required for those operations, and thus no security hooks
were defined for them. Later, SELinux introduced a hook for setlimit(2)
with a check if the hard limit was being changed in order to be able to
rely on the hard limit value as a safe reset point upon context
transitions.

Later on, when prlimit(2) was added to the kernel with the ability to get
or set resource limits (hard or soft) of another process, LSM/SELinux was
not updated other than to pass the target process to the setrlimit hook.
This resulted in incomplete control over both getting and setting the
resource limits of another process.

Add a new security_task_prlimit() hook to the check_prlimit_permission()
function to provide complete mediation.  The hook is only called when
acting on another task, and only if the existing DAC/capability checks
would allow access.  Pass flags down to the hook to indicate whether the
prlimit(2) call will read, write, or both read and write the resource
limits of the target process.

The existing security_task_setrlimit() hook is left alone; it continues
to serve a purpose in supporting the ability to make decisions based on
the old and/or new resource limit values when setting limits.  This
is consistent with the DAC/capability logic, where
check_prlimit_permission() performs generic DAC/capability checks for
acting on another task, while do_prlimit() performs a capability check
based on a comparison of the old and new resource limits.  Fix the
inline documentation for the hook to match the code.

Implement the new hook for SELinux.  For setting resource limits, we
reuse the existing setrlimit permission.  Note that this does overload
the setrlimit permission to mean the ability to set the resource limit
(soft or hard) of another process or the ability to change one's own
hard limit.  For getting resource limits, a new getrlimit permission
is defined.  This was not originally defined since getrlimit(2) could
only be used to obtain a process' own limits.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <james.l.morris@oracle.com>
2017-03-06 10:43:47 +11:00
..
audit.h SELinux: keep the code clean formating and syntax 2008-07-14 15:01:36 +10:00
avc.h Merge branch 'next' of git://git.infradead.org/users/pcmoore/selinux into next 2015-08-15 13:29:57 +10:00
avc_ss.h selinux: sparse fix: fix several warnings in the security server code 2011-09-09 16:56:32 -07:00
classmap.h prlimit,security,selinux: add a security hook for prlimit 2017-03-06 10:43:47 +11:00
conditional.h selinux: Change bool variable name to index. 2016-04-14 11:24:50 -04:00
initial_sid_to_string.h selinux: const strings in tables 2010-03-08 09:33:53 +11:00
netif.h selinux: make the netif cache namespace aware 2014-09-10 17:09:57 -04:00
netlabel.h netlabel: Pass a family parameter to netlbl_skbuff_err(). 2016-06-27 15:06:16 -04:00
netnode.h selinux: reduce the number of calls to synchronize_net() when flushing caches 2014-06-26 14:33:56 -04:00
netport.h selinux: reduce the number of calls to synchronize_net() when flushing caches 2014-06-26 14:33:56 -04:00
objsec.h selinux: clean up cred usage and simplify 2017-01-09 10:07:31 -05:00
security.h selinux: wrap cgroup seclabel support with its own policy capability 2017-03-02 10:27:40 +11:00
xfrm.h Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2014-03-25 20:29:20 -04:00