summaryrefslogtreecommitdiff
path: root/security
diff options
context:
space:
mode:
authorKees Cook <keescook@chromium.org>2011-12-22 00:17:03 +0400
committerJames Morris <jmorris@namei.org>2012-02-10 02:14:51 +0400
commit1a2a4d06e1e95260c470ebe3a945f61bbe8c1fd8 (patch)
tree7167d158749a7acf2ce8bbe1ecd25234b654e813 /security
parent9e3ff38647a316e4f92d59b14c8f0eb13b33bb2c (diff)
downloadlinux-1a2a4d06e1e95260c470ebe3a945f61bbe8c1fd8.tar.xz
security: create task_free security callback
The current LSM interface to cred_free is not sufficient for allowing an LSM to track the life and death of a task. This patch adds the task_free hook so that an LSM can clean up resources on task death. Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security')
-rw-r--r--security/capability.c5
-rw-r--r--security/security.c5
2 files changed, 10 insertions, 0 deletions
diff --git a/security/capability.c b/security/capability.c
index 2f680eb02b59..5bb21b1c448c 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -358,6 +358,10 @@ static int cap_task_create(unsigned long clone_flags)
return 0;
}
+static void cap_task_free(struct task_struct *task)
+{
+}
+
static int cap_cred_alloc_blank(struct cred *cred, gfp_t gfp)
{
return 0;
@@ -954,6 +958,7 @@ void __init security_fixup_ops(struct security_operations *ops)
set_to_cap_if_null(ops, file_receive);
set_to_cap_if_null(ops, dentry_open);
set_to_cap_if_null(ops, task_create);
+ set_to_cap_if_null(ops, task_free);
set_to_cap_if_null(ops, cred_alloc_blank);
set_to_cap_if_null(ops, cred_free);
set_to_cap_if_null(ops, cred_prepare);
diff --git a/security/security.c b/security/security.c
index d7542493454d..7d9426bb7442 100644
--- a/security/security.c
+++ b/security/security.c
@@ -729,6 +729,11 @@ int security_task_create(unsigned long clone_flags)
return security_ops->task_create(clone_flags);
}
+void security_task_free(struct task_struct *task)
+{
+ security_ops->task_free(task);
+}
+
int security_cred_alloc_blank(struct cred *cred, gfp_t gfp)
{
return security_ops->cred_alloc_blank(cred, gfp);