Re: [RFC][PATCH 2/2 v3] security: Add task_settimerslack/task_gettimerslack LSM hook

2016-07-21 Thread James Morris
On Wed, 20 Jul 2016, John Stultz wrote:

> On Tue, Jul 19, 2016 at 11:12 PM, James Morris wrote:
> > On Mon, 18 Jul 2016, John Stultz wrote:
> >
> >> As requested, this patch implements a task_settimerslack and
> >> task_gettimerslack LSM hooks so that the /proc//timerslack_ns
> >> interface can have finer grained security policies applied to it.
> >>
> >> I've kept the CAP_SYS_NICE check in the timerslack_ns_write/show
> >> functions, as hiding it in the LSM hook seems too opaque, and doesn't
> >> seem like a widely enough adopted practice.
> >>
> >
> > I may have missed something in the earlier discussion, but why do we need
> > new LSM hooks here vs. calling the existing set/getscheduler hooks?
> 
> Mostly since adding a new hook was suggested originally. I don't think
> there's much difference as it stands, but I guess more fine grained
> checks could be added on the slack amounts, etc.
> 
> I can rework it, so let me know if using the existing hooks would be
> preferred, but otherwise I'll be sending out the non-rfc patches
> tomorrow.


I'd prefer to re-use the existing hooks, unless there is a specific need 
for the extra granularity.


-- 
James Morris




Re: [RFC][PATCH 2/2 v3] security: Add task_settimerslack/task_gettimerslack LSM hook

2016-07-20 Thread John Stultz
On Tue, Jul 19, 2016 at 11:12 PM, James Morris wrote:
> On Mon, 18 Jul 2016, John Stultz wrote:
>
>> As requested, this patch implements a task_settimerslack and
>> task_gettimerslack LSM hooks so that the /proc//timerslack_ns
>> interface can have finer grained security policies applied to it.
>>
>> I've kept the CAP_SYS_NICE check in the timerslack_ns_write/show
>> functions, as hiding it in the LSM hook seems too opaque, and doesn't
>> seem like a widely enough adopted practice.
>>
>
> I may have missed something in the earlier discussion, but why do we need
> new LSM hooks here vs. calling the existing set/getscheduler hooks?

Mostly since adding a new hook was suggested originally. I don't think
there's much difference as it stands, but I guess more fine grained
checks could be added on the slack amounts, etc.

I can rework it, so let me know if using the existing hooks would be
preferred, but otherwise I'll be sending out the non-rfc patches
tomorrow.

thanks
-john


Re: [RFC][PATCH 2/2 v3] security: Add task_settimerslack/task_gettimerslack LSM hook

2016-07-20 Thread James Morris
On Mon, 18 Jul 2016, John Stultz wrote:

> As requested, this patch implements a task_settimerslack and
> task_gettimerslack LSM hooks so that the /proc//timerslack_ns
> interface can have finer grained security policies applied to it.
> 
> I've kept the CAP_SYS_NICE check in the timerslack_ns_write/show
> functions, as hiding it in the LSM hook seems too opaque, and doesn't
> seem like a widely enough adopted practice.
> 

I may have missed something in the earlier discussion, but why do we need 
new LSM hooks here vs. calling the existing set/getscheduler hooks?


-- 
James Morris




Re: [RFC][PATCH 2/2 v3] security: Add task_settimerslack/task_gettimerslack LSM hook

2016-07-18 Thread Kees Cook
On Mon, Jul 18, 2016 at 1:11 PM, John Stultz wrote:
> As requested, this patch implements a task_settimerslack and
> task_gettimerslack LSM hooks so that the /proc//timerslack_ns
> interface can have finer grained security policies applied to it.
>
> I've kept the CAP_SYS_NICE check in the timerslack_ns_write/show
> functions, as hiding it in the LSM hook seems too opaque, and doesn't
> seem like a widely enough adopted practice.

Yeah, I think this does make it more readable in the end.

>
> Don't really know what I'm doing here, so close review would be
> appreciated!
>
> Cc: Kees Cook 
> Cc: "Serge E. Hallyn" 
> Cc: Andrew Morton 
> Cc: Thomas Gleixner 
> CC: Arjan van de Ven 
> Cc: Oren Laadan 
> Cc: Ruchi Kandoi 
> Cc: Rom Lemarchand 
> Cc: Todd Kjos 
> Cc: Colin Cross 
> Cc: Nick Kralevich 
> Cc: Dmitry Shmidt 
> Cc: Elliott Hughes 
> Cc: Android Kernel Team 
> Cc: linux-security-mod...@vger.kernel.org
> Cc: seli...@tycho.nsa.gov
> Signed-off-by: John Stultz 

Acked-by: Kees Cook 

-Kees

> ---
> v2:
>  * Initial swing at adding settimerslack LSM hook
> v3:
>  * Fix current/p switchup bug noted by NickK
>  * Add gettimerslack hook suggested by NickK
>
>  fs/proc/base.c| 10 ++
>  include/linux/lsm_hooks.h | 13 +
>  include/linux/security.h  | 12 
>  security/security.c   | 14 ++
>  security/selinux/hooks.c  | 12 
>  5 files changed, 61 insertions(+)
>
> diff --git a/fs/proc/base.c b/fs/proc/base.c
> index c94abae..cc66aa8 100644
> --- a/fs/proc/base.c
> +++ b/fs/proc/base.c
> @@ -2286,6 +2286,12 @@ static ssize_t timerslack_ns_write(struct file *file, 
> const char __user *buf,
> goto out;
> }
>
> +   err = security_task_settimerslack(p, slack_ns);
> +   if (err) {
> +   count = err;
> +   goto out;
> +   }
> +
> task_lock(p);
> if (slack_ns == 0)
> p->timer_slack_ns = p->default_timer_slack_ns;
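
Review bot: security_task_settimerslack() in timerslack_ns_write() is handed the raw slack_ns before the slack_ns == 0 case just below it is resolved, so a module that checks the amount sees 0 rather than p->default_timer_slack_ns, the value that actually gets installed. Either resolve the default before calling the hook, or state in the hook documentation that a @slack of 0 means "reset to default", so that policy authors do not treat 0 as the smallest possible slack.
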
> @@ -2314,6 +2320,10 @@ static int timerslack_ns_show(struct seq_file *m, void 
> *v)
> goto out;
> }
>
> +   ret = security_task_gettimerslack(p);
> +   if (ret)
> +   goto out;
> +
> task_lock(p);
> seq_printf(m, "%llu\n", p->timer_slack_ns);
> task_unlock(p);
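
Review bot: security_task_gettimerslack(p) in timerslack_ns_show() takes only the target task, the same single argument security_task_getscheduler() takes, so the read-side check adds a hook without giving a policy anything new to decide on. If no module needs to tell a timer slack read apart from a scheduler query, call the existing hook here and drop task_gettimerslack from the series.
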
> diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
> index 7ae3976..290483e 100644
> --- a/include/linux/lsm_hooks.h
> +++ b/include/linux/lsm_hooks.h
> @@ -627,6 +627,15 @@
>   * Check permission before moving memory owned by process @p.
>   * @p contains the task_struct for process.
>   * Return 0 if permission is granted.
> + * @task_settimerslack:
> + * Check permission before setting timerslack value of @p to @slack.
> + * @p contains the task_struct of a process.
> + * @slack contains the new slack value.
> + * Return 0 if permission is granted.
> + * @task_gettimerslack:
> + * Check permission before returning the timerslack value of @p.
> + * @p contains the task_struct of a process.
> + * Return 0 if permission is granted.
>   * @task_kill:
>   * Check permission before sending signal @sig to @p.  @info can be NULL,
>   * the constant 1, or a pointer to a siginfo structure.  If @info is 1 or
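
Review bot: the @task_settimerslack and @task_gettimerslack comments describe @p only as "the task_struct of a process", which does not say that it is the task being modified or read rather than the caller, the distinction the v3 changelog says was mixed up earlier. Say so explicitly, and give the unit of @slack (the caller passes slack_ns, so nanoseconds).
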
> @@ -1473,6 +1482,8 @@ union security_list_options {
> int (*task_setscheduler)(struct task_struct *p);
> int (*task_getscheduler)(struct task_struct *p);
> int (*task_movememory)(struct task_struct *p);
> +   int (*task_settimerslack)(struct task_struct *p, u64 slack);
> +   int (*task_gettimerslack)(struct task_struct *p);
> int (*task_kill)(struct task_struct *p, struct siginfo *info,
> int sig, u32 secid);
> int (*task_wait)(struct task_struct *p);
> @@ -1732,6 +1743,8 @@ struct security_hook_heads {
> struct list_head task_setscheduler;
> struct list_head task_getscheduler;
> struct list_head task_movememory;
> +   struct list_head task_settimerslack;
> +   struct list_head task_gettimerslack;
> struct list_head task_kill;
> struct list_head task_wait;
> struct list_head task_prctl;
> diff --git a/include/linux/security.h b/include/linux/security.h
> index 14df373..ab70f47 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -325,6 +325,8 @@ int security_task_setrlimit(struct task_struct *p, 
> unsigned int resource,
>  int security_task_setscheduler(struct task_struct *p);
>  int security_task_getscheduler(struct task_struct *p);
>  int security_task_movememory(struct task_struct *p);
> +int security_task_settimerslack(struct task_struct *p, u64 slack);
> +int security_task_gettimerslack(struct task_struct *p);
>  int security_task_kill(struct task_struct *p, struct siginfo *info,
> int sig, u32 secid);
>  int security_task_wait(struct task_struct *p);
> @@ -950,6 +952,16 

Re: [RFC][PATCH 2/2 v3] security: Add task_settimerslack/task_gettimerslack LSM hook

2016-07-18 Thread Serge E. Hallyn
Quoting John Stultz (john.stu...@linaro.org):
> As requested, this patch implements a task_settimerslack and
> task_gettimerslack LSM hooks so that the /proc//timerslack_ns
> interface can have finer grained security policies applied to it.
> 
> I've kept the CAP_SYS_NICE check in the timerslack_ns_write/show
> functions, as hiding it in the LSM hook seems too opaque, and doesn't
> seem like a widely enough adopted practice.
> 
> Don't really know what I'm doing here, so close review would be
> appreciated!
> 
> Cc: Kees Cook 
> Cc: "Serge E. Hallyn" 

Acked-by: Serge Hallyn 

> Cc: Andrew Morton 
> Cc: Thomas Gleixner 
> CC: Arjan van de Ven 
> Cc: Oren Laadan 
> Cc: Ruchi Kandoi 
> Cc: Rom Lemarchand 
> Cc: Todd Kjos 
> Cc: Colin Cross 
> Cc: Nick Kralevich 
> Cc: Dmitry Shmidt 
> Cc: Elliott Hughes 
> Cc: Android Kernel Team 
> Cc: linux-security-mod...@vger.kernel.org
> Cc: seli...@tycho.nsa.gov
> Signed-off-by: John Stultz 
> ---
> v2:
>  * Initial swing at adding settimerslack LSM hook
> v3:
>  * Fix current/p switchup bug noted by NickK
>  * Add gettimerslack hook suggested by NickK
> 
>  fs/proc/base.c| 10 ++
>  include/linux/lsm_hooks.h | 13 +
>  include/linux/security.h  | 12 
>  security/security.c   | 14 ++
>  security/selinux/hooks.c  | 12 
>  5 files changed, 61 insertions(+)
> 
> diff --git a/fs/proc/base.c b/fs/proc/base.c
> index c94abae..cc66aa8 100644
> --- a/fs/proc/base.c
> +++ b/fs/proc/base.c
> @@ -2286,6 +2286,12 @@ static ssize_t timerslack_ns_write(struct file *file, 
> const char __user *buf,
>   goto out;
>   }
>  
> + err = security_task_settimerslack(p, slack_ns);
> + if (err) {
> + count = err;
> + goto out;
> + }
> +
>   task_lock(p);
>   if (slack_ns == 0)
>   p->timer_slack_ns = p->default_timer_slack_ns;
> @@ -2314,6 +2320,10 @@ static int timerslack_ns_show(struct seq_file *m, void 
> *v)
>   goto out;
>   }
>  
> + ret = security_task_gettimerslack(p);
> + if (ret)
> + goto out;
> +
>   task_lock(p);
>   seq_printf(m, "%llu\n", p->timer_slack_ns);
>   task_unlock(p);
> diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
> index 7ae3976..290483e 100644
> --- a/include/linux/lsm_hooks.h
> +++ b/include/linux/lsm_hooks.h
> @@ -627,6 +627,15 @@
>   *   Check permission before moving memory owned by process @p.
>   *   @p contains the task_struct for process.
>   *   Return 0 if permission is granted.
> + * @task_settimerslack:
> + *   Check permission before setting timerslack value of @p to @slack.
> + *   @p contains the task_struct of a process.
> + *   @slack contains the new slack value.
> + *   Return 0 if permission is granted.
> + * @task_gettimerslack:
> + *   Check permission before returning the timerslack value of @p.
> + *   @p contains the task_struct of a process.
> + *   Return 0 if permission is granted.
>   * @task_kill:
>   *   Check permission before sending signal @sig to @p.  @info can be NULL,
>   *   the constant 1, or a pointer to a siginfo structure.  If @info is 1 or
> @@ -1473,6 +1482,8 @@ union security_list_options {
>   int (*task_setscheduler)(struct task_struct *p);
>   int (*task_getscheduler)(struct task_struct *p);
>   int (*task_movememory)(struct task_struct *p);
> + int (*task_settimerslack)(struct task_struct *p, u64 slack);
> + int (*task_gettimerslack)(struct task_struct *p);
>   int (*task_kill)(struct task_struct *p, struct siginfo *info,
>   int sig, u32 secid);
>   int (*task_wait)(struct task_struct *p);
> @@ -1732,6 +1743,8 @@ struct security_hook_heads {
>   struct list_head task_setscheduler;
>   struct list_head task_getscheduler;
>   struct list_head task_movememory;
> + struct list_head task_settimerslack;
> + struct list_head task_gettimerslack;
>   struct list_head task_kill;
>   struct list_head task_wait;
>   struct list_head task_prctl;
> diff --git a/include/linux/security.h b/include/linux/security.h
> index 14df373..ab70f47 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -325,6 +325,8 @@ int security_task_setrlimit(struct task_struct *p, 
> unsigned int resource,
>  int security_task_setscheduler(struct task_struct *p);
>  int security_task_getscheduler(struct task_struct *p);
>  int security_task_movememory(struct task_struct *p);
> +int security_task_settimerslack(struct task_struct *p, u64 slack);
> +int security_task_gettimerslack(struct task_struct *p);
>  int security_task_kill(struct task_struct *p, struct siginfo *info,
>   int sig, u32 secid);
>  int security_task_wait(struct task_struct *p);
> @@ -950,6 +952,16 @@ static inline int security_task_movememory(struct 
> task_struct *p)
>   return 0;
>  }
>  
> +static inline int security_task_settimerslack(struct 

Re: [RFC][PATCH 2/2 v3] security: Add task_settimerslack/task_gettimerslack LSM hook

2016-07-18 Thread Nick Kralevich
On Mon, Jul 18, 2016 at 1:11 PM, John Stultz wrote:
> As requested, this patch implements a task_settimerslack and
> task_gettimerslack LSM hooks so that the /proc//timerslack_ns
> interface can have finer grained security policies applied to it.
>
> I've kept the CAP_SYS_NICE check in the timerslack_ns_write/show
> functions, as hiding it in the LSM hook seems too opaque, and doesn't
> seem like a widely enough adopted practice.
>
> Don't really know what I'm doing here, so close review would be
> appreciated!

Looks good. Thanks!

Reviewed-by: Nick Kralevich 

>
> Cc: Kees Cook 
> Cc: "Serge E. Hallyn" 
> Cc: Andrew Morton 
> Cc: Thomas Gleixner 
> CC: Arjan van de Ven 
> Cc: Oren Laadan 
> Cc: Ruchi Kandoi 
> Cc: Rom Lemarchand 
> Cc: Todd Kjos 
> Cc: Colin Cross 
> Cc: Nick Kralevich 
> Cc: Dmitry Shmidt 
> Cc: Elliott Hughes 
> Cc: Android Kernel Team 
> Cc: linux-security-mod...@vger.kernel.org
> Cc: seli...@tycho.nsa.gov
> Signed-off-by: John Stultz 
> ---
> v2:
>  * Initial swing at adding settimerslack LSM hook
> v3:
>  * Fix current/p switchup bug noted by NickK
>  * Add gettimerslack hook suggested by NickK
>
>  fs/proc/base.c| 10 ++
>  include/linux/lsm_hooks.h | 13 +
>  include/linux/security.h  | 12 
>  security/security.c   | 14 ++
>  security/selinux/hooks.c  | 12 
>  5 files changed, 61 insertions(+)
>
> diff --git a/fs/proc/base.c b/fs/proc/base.c
> index c94abae..cc66aa8 100644
> --- a/fs/proc/base.c
> +++ b/fs/proc/base.c
> @@ -2286,6 +2286,12 @@ static ssize_t timerslack_ns_write(struct file *file, 
> const char __user *buf,
> goto out;
> }
>
> +   err = security_task_settimerslack(p, slack_ns);
> +   if (err) {
> +   count = err;
> +   goto out;
> +   }
> +
> task_lock(p);
> if (slack_ns == 0)
> p->timer_slack_ns = p->default_timer_slack_ns;
> @@ -2314,6 +2320,10 @@ static int timerslack_ns_show(struct seq_file *m, void 
> *v)
> goto out;
> }
>
> +   ret = security_task_gettimerslack(p);
> +   if (ret)
> +   goto out;
> +
> task_lock(p);
> seq_printf(m, "%llu\n", p->timer_slack_ns);
> task_unlock(p);
> diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
> index 7ae3976..290483e 100644
> --- a/include/linux/lsm_hooks.h
> +++ b/include/linux/lsm_hooks.h
> @@ -627,6 +627,15 @@
>   * Check permission before moving memory owned by process @p.
>   * @p contains the task_struct for process.
>   * Return 0 if permission is granted.
> + * @task_settimerslack:
> + * Check permission before setting timerslack value of @p to @slack.
> + * @p contains the task_struct of a process.
> + * @slack contains the new slack value.
> + * Return 0 if permission is granted.
> + * @task_gettimerslack:
> + * Check permission before returning the timerslack value of @p.
> + * @p contains the task_struct of a process.
> + * Return 0 if permission is granted.
>   * @task_kill:
>   * Check permission before sending signal @sig to @p.  @info can be NULL,
>   * the constant 1, or a pointer to a siginfo structure.  If @info is 1 or
> @@ -1473,6 +1482,8 @@ union security_list_options {
> int (*task_setscheduler)(struct task_struct *p);
> int (*task_getscheduler)(struct task_struct *p);
> int (*task_movememory)(struct task_struct *p);
> +   int (*task_settimerslack)(struct task_struct *p, u64 slack);
> +   int (*task_gettimerslack)(struct task_struct *p);
> int (*task_kill)(struct task_struct *p, struct siginfo *info,
> int sig, u32 secid);
> int (*task_wait)(struct task_struct *p);
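
Review bot: The two new members in union security_list_options sit directly below task_setscheduler and task_getscheduler and differ from them only by the u64 slack argument on the set side. If no module in this series makes a decision based on @slack, calling the existing scheduler hooks from the timerslack_ns handlers would give the same coverage without growing the hook list; if the argument is needed, the changelog should name the policy that uses it.
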
> @@ -1732,6 +1743,8 @@ struct security_hook_heads {
> struct list_head task_setscheduler;
> struct list_head task_getscheduler;
> struct list_head task_movememory;
> +   struct list_head task_settimerslack;
> +   struct list_head task_gettimerslack;
> struct list_head task_kill;
> struct list_head task_wait;
> struct list_head task_prctl;
> diff --git a/include/linux/security.h b/include/linux/security.h
> index 14df373..ab70f47 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -325,6 +325,8 @@ int security_task_setrlimit(struct task_struct *p, 
> unsigned int resource,
>  int security_task_setscheduler(struct task_struct *p);
>  int security_task_getscheduler(struct task_struct *p);
>  int security_task_movememory(struct task_struct *p);
> +int security_task_settimerslack(struct task_struct *p, u64 slack);
> +int security_task_gettimerslack(struct task_struct *p);
>  int security_task_kill(struct task_struct *p, struct siginfo *info,
> int sig, u32 secid);
>  int security_task_wait(struct task_struct *p);
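
Review bot: The security_task_settimerslack() prototype names its second parameter slack, while the only caller in this patch passes slack_ns. Naming it slack_ns here and in the hook definition would carry the unit into every module's implementation.
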
> @@ -950,6 +952,16 @@ static inline int 

[RFC][PATCH 2/2 v3] security: Add task_settimerslack/task_gettimerslack LSM hook

2016-07-18 Thread John Stultz
As requested, this patch implements task_settimerslack and
task_gettimerslack LSM hooks so that the /proc//timerslack_ns
interface can have finer grained security policies applied to it.

I've kept the CAP_SYS_NICE check in the timerslack_ns_write/show
functions, as hiding it in the LSM hook seems too opaque, and doesn't
seem like a widely enough adopted practice.

Don't really know what I'm doing here, so close review would be
appreciated!

Cc: Kees Cook 
Cc: "Serge E. Hallyn" 
Cc: Andrew Morton 
Cc: Thomas Gleixner 
CC: Arjan van de Ven 
Cc: Oren Laadan 
Cc: Ruchi Kandoi 
Cc: Rom Lemarchand 
Cc: Todd Kjos 
Cc: Colin Cross 
Cc: Nick Kralevich 
Cc: Dmitry Shmidt 
Cc: Elliott Hughes 
Cc: Android Kernel Team 
Cc: linux-security-mod...@vger.kernel.org
Cc: seli...@tycho.nsa.gov
Signed-off-by: John Stultz 
---
v2:
 * Initial swing at adding settimerslack LSM hook
v3:
 * Fix current/p switchup bug noted by NickK
 * Add gettimerslack hook suggested by NickK

 fs/proc/base.c| 10 ++
 include/linux/lsm_hooks.h | 13 +
 include/linux/security.h  | 12 
 security/security.c   | 14 ++
 security/selinux/hooks.c  | 12 
 5 files changed, 61 insertions(+)

diff --git a/fs/proc/base.c b/fs/proc/base.c
index c94abae..cc66aa8 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -2286,6 +2286,12 @@ static ssize_t timerslack_ns_write(struct file *file, 
const char __user *buf,
goto out;
}
 
+   err = security_task_settimerslack(p, slack_ns);
+   if (err) {
+   count = err;
+   goto out;
+   }
+
task_lock(p);
if (slack_ns == 0)
p->timer_slack_ns = p->default_timer_slack_ns;
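
Review bot: In timerslack_ns_write() the hook is handed the raw slack_ns, but the context lines just below treat slack_ns == 0 as "reset to p->default_timer_slack_ns", so a module that wants to bound slack amounts sees 0 rather than the value the task will actually end up with. Either state in the hook documentation that @slack == 0 means reset-to-default, or work out the effective value first and pass that to security_task_settimerslack().
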
@@ -2314,6 +2320,10 @@ static int timerslack_ns_show(struct seq_file *m, void 
*v)
goto out;
}
 
+   ret = security_task_gettimerslack(p);
+   if (ret)
+   goto out;
+
task_lock(p);
seq_printf(m, "%llu\n", p->timer_slack_ns);
task_unlock(p);
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 7ae3976..290483e 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -627,6 +627,15 @@
  * Check permission before moving memory owned by process @p.
  * @p contains the task_struct for process.
  * Return 0 if permission is granted.
+ * @task_settimerslack:
+ * Check permission before setting timerslack value of @p to @slack.
+ * @p contains the task_struct of a process.
+ * @slack contains the new slack value.
+ * Return 0 if permission is granted.
+ * @task_gettimerslack:
+ * Check permission before returning the timerslack value of @p.
+ * @p contains the task_struct of a process.
+ * Return 0 if permission is granted.
  * @task_kill:
  * Check permission before sending signal @sig to @p.  @info can be NULL,
  * the constant 1, or a pointer to a siginfo structure.  If @info is 1 or
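
Review bot: The @task_settimerslack comment says only "@slack contains the new slack value", with no unit and no mention of the special value. The caller passes slack_ns, and 0 there means reset to the task's default, so wording such as "@slack contains the requested slack in nanoseconds; 0 requests the task's default" would let a module author write a correct check without reading fs/proc/base.c.
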
@@ -1473,6 +1482,8 @@ union security_list_options {
int (*task_setscheduler)(struct task_struct *p);
int (*task_getscheduler)(struct task_struct *p);
int (*task_movememory)(struct task_struct *p);
+   int (*task_settimerslack)(struct task_struct *p, u64 slack);
+   int (*task_gettimerslack)(struct task_struct *p);
int (*task_kill)(struct task_struct *p, struct siginfo *info,
int sig, u32 secid);
int (*task_wait)(struct task_struct *p);
@@ -1732,6 +1743,8 @@ struct security_hook_heads {
struct list_head task_setscheduler;
struct list_head task_getscheduler;
struct list_head task_movememory;
+   struct list_head task_settimerslack;
+   struct list_head task_gettimerslack;
struct list_head task_kill;
struct list_head task_wait;
struct list_head task_prctl;
diff --git a/include/linux/security.h b/include/linux/security.h
index 14df373..ab70f47 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -325,6 +325,8 @@ int security_task_setrlimit(struct task_struct *p, unsigned 
int resource,
 int security_task_setscheduler(struct task_struct *p);
 int security_task_getscheduler(struct task_struct *p);
 int security_task_movememory(struct task_struct *p);
+int security_task_settimerslack(struct task_struct *p, u64 slack);
+int security_task_gettimerslack(struct task_struct *p);
 int security_task_kill(struct task_struct *p, struct siginfo *info,
int sig, u32 secid);
 int security_task_wait(struct task_struct *p);
@@ -950,6 +952,16 @@ static inline int security_task_movememory(struct 
task_struct *p)
return 0;
 }
 
+static inline int security_task_settimerslack(struct task_struct *p, u64 slack)
+{
+   return 0;
+}
+
+static inline int security_task_gettimerslack(struct task_struct *p)
+{
+   return 0;
+}
+
 static inline int security_task_kill(struct task_struct *p,