selinux: clean up cred usage and simplify
authorStephen Smalley <sds@tycho.nsa.gov>
Mon, 9 Jan 2017 15:07:31 +0000 (10:07 -0500)
committerPaul Moore <paul@paul-moore.com>
Mon, 9 Jan 2017 15:07:31 +0000 (10:07 -0500)
commitbe0554c9bf9f7cc96f5205df8f8bd3573b74320e
treee7ab18363d24006d50a67d13d7b72d61efd40537
parent01593d3299a1cfdb5e08acf95f63ec59dd674906
selinux: clean up cred usage and simplify

SELinux was sometimes using the task "objective" credentials when
it could/should use the "subjective" credentials.  This was sometimes
hidden by the fact that we were unnecessarily passing around pointers
to the current task, making it appear as if the task could be something
other than current, so eliminate all such passing of current.  Inline
various permission checking helper functions that can be reduced to a
single avc_has_perm() call.

Since the credentials infrastructure only allows a task to alter
its own credentials, we can always assume that current must be the same
as the target task in selinux_setprocattr after the check. We likely
should move this check from selinux_setprocattr() to proc_pid_attr_write()
and drop the task argument to the security hook altogether; it can only
serve to confuse things.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
security/selinux/hooks.c
security/selinux/include/objsec.h
security/selinux/selinuxfs.c