proc,security: move restriction on writing /proc/pid/attr nodes to proc
authorStephen Smalley <sds@tycho.nsa.gov>
Mon, 9 Jan 2017 15:07:31 +0000 (10:07 -0500)
committerPaul Moore <paul@paul-moore.com>
Mon, 9 Jan 2017 15:07:31 +0000 (10:07 -0500)
commitb21507e272627c434e8dd74e8d51fd8245281b59
tree3c8453724f6429e2bae5cd3cc9266104c2e6feea
parentbe0554c9bf9f7cc96f5205df8f8bd3573b74320e
proc,security: move restriction on writing /proc/pid/attr nodes to proc

Processes can only alter their own security attributes via
/proc/pid/attr nodes.  This is presently enforced by each individual
security module and is also imposed by the Linux credentials
implementation, which only allows a task to alter its own credentials.
Move the check enforcing this restriction from the individual
security modules to proc_pid_attr_write() before calling the security hook,
and drop the unnecessary task argument to the security hook since it can
only ever be the current task.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
fs/proc/base.c
include/linux/lsm_hooks.h
include/linux/security.h
security/apparmor/lsm.c
security/security.c
security/selinux/hooks.c
security/smack/smack_lsm.c