Convert selinux_file_send_sigiotask() to use the cred_task_has_perm() namespace-aware permission checking helper. This required saving the file owner cred in the file security blob for later use in this hook function. Since the cred already includes the cred/task security blob which has the task SID and the SELinux state/namespace, we can drop those separate fields from the file_security_struct at the same time.

Signed-off-by: Stephen Smalley
---
 security/selinux/hooks.c | 15 ++++++---------
 security/selinux/include/objsec.h | 3 +--
 2 files changed, 7 insertions(+), 11 deletions(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 07bf35c14ae2..3c487b48e510 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3849,8 +3849,7 @@ static int selinux_file_alloc_security(struct file *file)
 u32 sid = current_sid();
 fsec->sid = sid;
- fsec->fown_sid = sid;
- fsec->state = get_selinux_state(current_selinux_state);
+ fsec->cred = get_cred(current_cred());
 return 0;
 }
@@ -3859,8 +3858,7 @@ static void selinux_file_free_security(struct file *file)
 {
 struct file_security_struct *fsec = selinux_file(file);
- put_selinux_state(fsec->state);
- fsec->state = NULL;
+ put_cred(fsec->cred);
 }
 /*
@@ -4143,14 +4141,14 @@ static void selinux_file_set_fowner(struct file *file)
 struct file_security_struct *fsec;
 fsec = selinux_file(file);
- fsec->fown_sid = current_sid();
+ put_cred(fsec->cred);
+ fsec->cred = get_cred(current_cred());
 }
 static int selinux_file_send_sigiotask(struct task_struct *tsk, struct fown_struct *fown, int signum)
 {
 struct file *file;
- u32 sid = task_sid_obj(tsk);
 u32 perm;
 struct file_security_struct *fsec;
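Review bot: The new `fsec->cred = get_cred(current_cred());` in selinux_file_alloc_security takes an extra cred reference for every open file, not just the ones that later arm SIGIO, so the opener's whole cred (and everything reachable from its security blob) now lives as long as any descriptor on that file does, where the old code pinned only a u32 and a selinux_state reference. If the VFS has already populated file->f_cred with this same cred by the time the hook runs, the blob could leave `fsec->cred = NULL` here, let set_fowner be the only place that takes a reference, and have the SIGIO check fall back to `file->f_cred` when no owner was ever set; I cannot confirm the ordering of f_cred assignment versus this hook from the hunk, so treat that as something to check rather than a defect. Either way a short comment on the assignment, `/* Default SIGIO subject is the opener; replaced by set_fowner. Reference dropped in file_free. */`, would record the ownership of the pointer. selinux_file_alloc_security begins before this hunk.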
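Review bot: In selinux_file_set_fowner the order `put_cred(fsec->cred);` then `fsec->cred = get_cred(current_cred());` drops the old reference before the replacement is published, so any reader of fsec->cred that is not serialized against this hook could dereference a freed cred in between; with the old u32 field a torn update was harmless, with a refcounted pointer it is not. Prefer publish-then-release, `const struct cred *old = fsec->cred; fsec->cred = get_cred(current_cred()); put_cred(old);`, and state the locking contract above it, `/* Caller serializes updates and SIGIO-path reads of fsec->cred (presumably via the file owner lock). */` — the hunk does not show what lock, if any, the caller holds, so that assumption should be confirmed against the VFS caller. Dropping the `sid` local from selinux_file_send_sigiotask is consistent with the new helper taking tsk directly; that function's body continues past the end of this hunk.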
@@ -4164,9 +4162,8 @@ static int selinux_file_send_sigiotask(struct task_struct *tsk,
 else
 perm = signal_to_av(signum);
- return avc_has_perm(fsec->state,
- fsec->fown_sid, sid,
- SECCLASS_PROCESS, perm, NULL);
+ return cred_task_has_perm(fsec->cred, tsk, SECCLASS_PROCESS, perm,
+ NULL);
 }
 static int selinux_file_receive(struct file *file)
diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
index 662329923214..9975a13700c5 100644
--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -55,10 +55,9 @@ struct inode_security_struct {
 struct file_security_struct {
 u32 sid; /* SID of open file description */
- u32 fown_sid; /* SID of file owner (for SIGIO) */
 u32 isid; /* SID of inode at the time of file open */
 u32 pseqno; /* Policy seqno at the time of file open */
- struct selinux_state *state; /* SELinux state */
+ const struct cred *cred; /* cred for file owner (for SIGIO) */
 };
 struct superblock_security_struct {
--
2.50.1
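Review bot: The new `return cred_task_has_perm(fsec->cred, tsk, SECCLASS_PROCESS, perm, NULL);` no longer shows which side is subject and which is object; the removed avc_has_perm call made it explicit that the owner's SID was the source and the signalled task's SID the target, and a reader now needs the helper's argument convention to see that the check asks whether the task that armed SIGIO may signal tsk. A one-line comment above the return, `/* subject: cred of the task that armed SIGIO (or the opener); object: the task to be signalled */`, keeps that visible. The call also assumes fsec->cred cannot be replaced by set_fowner while it runs, which presumably rests on the caller's owner lock now that the field is a refcounted pointer rather than a u32 — worth a sentence in the same comment if that is the contract. selinux_file_send_sigiotask starts before this hunk.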
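Review bot: The new field comment `/* cred for file owner (for SIGIO) */` in struct file_security_struct does not say that the pointer owns a reference, nor that it holds the opener's cred until an owner is set, which is exactly what the alloc/free/set_fowner hooks in this patch rely on. Suggest `/* cred of the task that last set the file owner (opener's cred until then); holds a reference released in file_free */`. Since a const pointer replaces two scalar fields, any remaining reader of fown_sid or state would now fail to build; the diffstat lists only hooks.c and this header, which suggests there were none, but I cannot verify that from the hunk.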