From: James Morris Implement an LSM hook for setting a task's IO priority, similar to the hook for setting a tasks's nice value. A previous version of this LSM hook was included in an older version of multiadm by Jan Engelhardt, although I don't recall it being submitted upstream. Also included is the corresponding SELinux hook, which re-uses the setsched permission in the proccess class. Signed-off-by: James Morris Acked-by: Stephen Smalley Cc: Jan Engelhardt Cc: Chris Wright Cc: Jens Axboe Signed-off-by: Andrew Morton --- fs/ioprio.c | 6 ++++++ include/linux/security.h | 16 ++++++++++++++++ security/dummy.c | 6 ++++++ security/selinux/hooks.c | 6 ++++++ 4 files changed, 34 insertions(+) diff -puN fs/ioprio.c~lsm-add-task_setioprio-hook fs/ioprio.c --- devel/fs/ioprio.c~lsm-add-task_setioprio-hook 2006-05-30 14:50:21.000000000 -0700 +++ devel-akpm/fs/ioprio.c 2006-05-30 14:50:21.000000000 -0700 @@ -24,15 +24,21 @@ #include #include #include +#include static int set_task_ioprio(struct task_struct *task, int ioprio) { + int err; struct io_context *ioc; if (task->uid != current->euid && task->uid != current->uid && !capable(CAP_SYS_NICE)) return -EPERM; + err = security_task_setioprio(task, ioprio); + if (err) + return err; + task_lock(task); task->ioprio = ioprio; diff -puN include/linux/security.h~lsm-add-task_setioprio-hook include/linux/security.h --- devel/include/linux/security.h~lsm-add-task_setioprio-hook 2006-05-30 14:50:21.000000000 -0700 +++ devel-akpm/include/linux/security.h 2006-05-30 14:50:21.000000000 -0700 @@ -577,6 +577,11 @@ struct swap_info_struct; * @p contains the task_struct of process. * @nice contains the new nice value. * Return 0 if permission is granted. + * @task_setioprio + * Check permission before setting the ioprio value of @p to @ioprio. + * @p contains the task_struct of process. + * @ioprio contains the new ioprio value + * Return 0 if permission is granted. * @task_setrlimit: * Check permission before setting the resource limits of the current * process for @resource to @new_rlim. The old resource limit values can @@ -1204,6 +1209,7 @@ struct security_operations { int (*task_getsid) (struct task_struct * p); int (*task_setgroups) (struct group_info *group_info); int (*task_setnice) (struct task_struct * p, int nice); + int (*task_setioprio) (struct task_struct * p, int ioprio); int (*task_setrlimit) (unsigned int resource, struct rlimit * new_rlim); int (*task_setscheduler) (struct task_struct * p, int policy, struct sched_param * lp); @@ -1828,6 +1834,11 @@ static inline int security_task_setnice return security_ops->task_setnice (p, nice); } +static inline int security_task_setioprio (struct task_struct *p, int ioprio) +{ + return security_ops->task_setioprio (p, ioprio); +} + static inline int security_task_setrlimit (unsigned int resource, struct rlimit *new_rlim) { @@ -2470,6 +2481,11 @@ static inline int security_task_setnice return 0; } +static inline int security_task_setioprio (struct task_struct *p, int ioprio) +{ + return 0; +} + static inline int security_task_setrlimit (unsigned int resource, struct rlimit *new_rlim) { diff -puN security/dummy.c~lsm-add-task_setioprio-hook security/dummy.c --- devel/security/dummy.c~lsm-add-task_setioprio-hook 2006-05-30 14:50:21.000000000 -0700 +++ devel-akpm/security/dummy.c 2006-05-30 14:50:21.000000000 -0700 @@ -516,6 +516,11 @@ static int dummy_task_setnice (struct ta return 0; } +static int dummy_task_setioprio (struct task_struct *p, int ioprio) +{ + return 0; +} + static int dummy_task_setrlimit (unsigned int resource, struct rlimit *new_rlim) { return 0; @@ -962,6 +967,7 @@ void security_fixup_ops (struct security set_to_dummy_if_null(ops, task_getsid); set_to_dummy_if_null(ops, task_setgroups); set_to_dummy_if_null(ops, task_setnice); + set_to_dummy_if_null(ops, task_setioprio); set_to_dummy_if_null(ops, task_setrlimit); set_to_dummy_if_null(ops, task_setscheduler); set_to_dummy_if_null(ops, task_getscheduler); diff -puN security/selinux/hooks.c~lsm-add-task_setioprio-hook security/selinux/hooks.c --- devel/security/selinux/hooks.c~lsm-add-task_setioprio-hook 2006-05-30 14:50:21.000000000 -0700 +++ devel-akpm/security/selinux/hooks.c 2006-05-30 14:50:21.000000000 -0700 @@ -2645,6 +2645,11 @@ static int selinux_task_setnice(struct t return task_has_perm(current,p, PROCESS__SETSCHED); } +static int selinux_task_setioprio(struct task_struct *p, int ioprio) +{ + return task_has_perm(current, p, PROCESS__SETSCHED); +} + static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim) { struct rlimit *old_rlim = current->signal->rlim + resource; @@ -4332,6 +4337,7 @@ static struct security_operations selinu .task_getsid = selinux_task_getsid, .task_setgroups = selinux_task_setgroups, .task_setnice = selinux_task_setnice, + .task_setioprio = selinux_task_setioprio, .task_setrlimit = selinux_task_setrlimit, .task_setscheduler = selinux_task_setscheduler, .task_getscheduler = selinux_task_getscheduler, _