[PATCH 0/4] LSM/TOMOYO: Stop using per a cred variables and start using per a task_struct variables.

[PATCH 0/4] LSM/TOMOYO: Stop using per a cred variables and start using per a task_struct variables.

[Tetsuo Handa]

A thread titled "[RFC PATCH 0/3] System call to switch user credentials" has
started at https://lkml.org/lkml/2013/10/16/820 , and switch_cred() syscall was
proposed which will never be acceptable for TOMOYO. TOMOYO's security context
must not be switched by anything but successful do_execve() and successful
writing to securityfs interface.

Let me explain again. TOMOYO's security context represents the history of
programs current thread has successfully execve()d. That is, TOMOYO's security
context is by definition per a task_struct. TOMOYO's security context is always
subjective == objective. TOMOYO's security context must not be switched, even
temporarily, by any means other than successful do_execve() and successful
writing to securityfs interface.

This patchset is a repost of https://lkml.org/lkml/2013/6/11/258 for fixing
two of TOMOYO's long-standing bugs which exists since Linux 2.6.30, and also
protects TOMOYO from subjective != objective problem described above.

Bug 1:

  TOMOYO has been unable to check binary loader's permission upon execve()
  because TOMOYO uses different permission for the program passed to execve()
  request and the binary loader requested by the program passed to the execve()
  request, but TOMOYO was not able to distinguish them due to lack of ability
  to pass the proposed credential argument. Some attempt to pass the proposed
  credential was made but was not successful because it breaks DAC's behavior.

Bug 2:

  TOMOYO has been unable to remember that the current thread was once granted
  for managing policy, for there is no mechanism for cleanly allocating per a
  task_struct variables. As a result, TOMOYO needlessly has to check permission
  for updating policy whenever a line of policy was written. Also, if the
  userspace once deleted a line that is needed for updating policy, the current
  thread (which should be able to update policy) fails to write the rest of
  lines.
  Variables associated with copy on write credential do not help for fixing
  this bug because TOMOYO may not be allowed to modify it when TOMOYO wants to
  modify it.

This patchset has four patches. Patch 1 and 2 are essentially revival of LSM
hooks which existed until Linux 2.6.28.

[PATCH 1/4] LSM: Add security_bprm_aborting_creds() hook.
[PATCH 2/4] LSM: Revive security_task_alloc() hook.
[PATCH 3/4] TOMOYO: Remember the proposed domain while in execve() request.
[PATCH 4/4] TOMOYO: Allow caching policy manager's state until execve() request.

 b/fs/exec.c                |    1
 b/include/linux/security.h |   11 +++
 b/kernel/fork.c            |    7 +
 b/security/capability.c    |    5 +
 b/security/security.c      |    5 +
 b/security/tomoyo/common.c |   22 +++++-
 b/security/tomoyo/common.h |   34 +++++++++
 b/security/tomoyo/tomoyo.c |  163 +++++++++++++++++++++++++++++++++++++++++++--
 include/linux/security.h   |   10 ++
 security/capability.c      |    6 +
 security/security.c        |    5 +
 security/tomoyo/common.h   |    6 +
 security/tomoyo/tomoyo.c   |   32 ++++++++
 13 files changed, 298 insertions(+), 9 deletions(-)

[PATCH 1/4] LSM: Add security_bprm_aborting_creds() hook.

[Tetsuo Handa]

>From 6bea9ec93a3596efb512292aee0ab88e219130cd Mon Sep 17 00:00:00 2001
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Date: Mon, 30 Sep 2013 20:07:24 +0900
Subject: [PATCH 1/4] LSM: Add security_bprm_aborting_creds() hook.

Add a LSM hook which is called only when an execve operation failed after
prepare_bprm_creds() succeeded. This hook is used by TOMOYO for synchronously
cleaning up resources allocated during an execve operation.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
---
 fs/exec.c                |    1 +
 include/linux/security.h |   11 +++++++++++
 security/capability.c    |    5 +++++
 security/security.c      |    5 +++++
 4 files changed, 22 insertions(+), 0 deletions(-)

diff --git a/fs/exec.c b/fs/exec.c
index 8875dd1..89f0479 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1172,6 +1172,7 @@ void free_bprm(struct linux_binprm *bprm)
 {
 	free_arg_pages(bprm);
 	if (bprm->cred) {
+		security_bprm_aborting_creds(bprm);
 		mutex_unlock(&current->signal->cred_guard_mutex);
 		abort_creds(bprm->cred);
 	}
diff --git a/include/linux/security.h b/include/linux/security.h
index 5623a7f..6c71236 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -236,6 +236,11 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
  *	linux_binprm structure.  This hook is a good place to perform state
  *	changes on the process such as clearing out non-inheritable signal
  *	state.  This is called immediately after commit_creds().
+ * @bprm_aborting_creds:
+ *	This hook is called when an execve operation failed after
+ *	prepare_bprm_creds() succeeded so that we can synchronously clean up
+ *	resources used by an execve operation.
+ *	@bprm points to the linux_binprm structure.
  * @bprm_secureexec:
  *	Return a boolean value (0 or 1) indicating whether a "secure exec"
  *	is required.  The flag is passed in the auxiliary table
@@ -1454,6 +1459,7 @@ struct security_operations {
 	int (*bprm_secureexec) (struct linux_binprm *bprm);
 	void (*bprm_committing_creds) (struct linux_binprm *bprm);
 	void (*bprm_committed_creds) (struct linux_binprm *bprm);
+	void (*bprm_aborting_creds) (struct linux_binprm *bprm);
 
 	int (*sb_alloc_security) (struct super_block *sb);
 	void (*sb_free_security) (struct super_block *sb);
@@ -1751,6 +1757,7 @@ int security_bprm_set_creds(struct linux_binprm *bprm);
 int security_bprm_check(struct linux_binprm *bprm);
 void security_bprm_committing_creds(struct linux_binprm *bprm);
 void security_bprm_committed_creds(struct linux_binprm *bprm);
+void security_bprm_aborting_creds(struct linux_binprm *bprm);
 int security_bprm_secureexec(struct linux_binprm *bprm);
 int security_sb_alloc(struct super_block *sb);
 void security_sb_free(struct super_block *sb);
@@ -1998,6 +2005,10 @@ static inline void security_bprm_committed_creds(struct linux_binprm *bprm)
 {
 }
 
+static inline void security_bprm_aborting_creds(struct linux_binprm *bprm)
+{
+}
+
 static inline int security_bprm_secureexec(struct linux_binprm *bprm)
 {
 	return cap_bprm_secureexec(bprm);
diff --git a/security/capability.c b/security/capability.c
index 8b4f24a..7dc95f7 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -40,6 +40,10 @@ static void cap_bprm_committed_creds(struct linux_binprm *bprm)
 {
 }
 
+static void cap_bprm_aborting_creds(struct linux_binprm *bprm)
+{
+}
+
 static int cap_sb_alloc_security(struct super_block *sb)
 {
 	return 0;
@@ -937,6 +941,7 @@ void __init security_fixup_ops(struct security_operations *ops)
 	set_to_cap_if_null(ops, bprm_set_creds);
 	set_to_cap_if_null(ops, bprm_committing_creds);
 	set_to_cap_if_null(ops, bprm_committed_creds);
+	set_to_cap_if_null(ops, bprm_aborting_creds);
 	set_to_cap_if_null(ops, bprm_check_security);
 	set_to_cap_if_null(ops, bprm_secureexec);
 	set_to_cap_if_null(ops, sb_alloc_security);
diff --git a/security/security.c b/security/security.c
index 15b6928..fc05875 100644
--- a/security/security.c
+++ b/security/security.c
@@ -236,6 +236,11 @@ void security_bprm_committed_creds(struct linux_binprm *bprm)
 	security_ops->bprm_committed_creds(bprm);
 }
 
+void security_bprm_aborting_creds(struct linux_binprm *bprm)
+{
+	security_ops->bprm_aborting_creds(bprm);
+}
+
 int security_bprm_secureexec(struct linux_binprm *bprm)
 {
 	return security_ops->bprm_secureexec(bprm);
-- 
1.7.1

Re: [PATCH 1/4] LSM: Add security_bprm_aborting_creds() hook.

[Eric W. Biederman]

Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> writes:

>>From 6bea9ec93a3596efb512292aee0ab88e219130cd Mon Sep 17 00:00:00 2001
> From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> Date: Mon, 30 Sep 2013 20:07:24 +0900
> Subject: [PATCH 1/4] LSM: Add security_bprm_aborting_creds() hook.
>
> Add a LSM hook which is called only when an execve operation failed after
> prepare_bprm_creds() succeeded. This hook is used by TOMOYO for synchronously
> cleaning up resources allocated during an execve operation.
>
> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> ---
>  fs/exec.c                |    1 +
>  include/linux/security.h |   11 +++++++++++
>  security/capability.c    |    5 +++++
>  security/security.c      |    5 +++++
>  4 files changed, 22 insertions(+), 0 deletions(-)
>
> diff --git a/fs/exec.c b/fs/exec.c
> index 8875dd1..89f0479 100644
> --- a/fs/exec.c
> +++ b/fs/exec.c
> @@ -1172,6 +1172,7 @@ void free_bprm(struct linux_binprm *bprm)
>  {
>  	free_arg_pages(bprm);
>  	if (bprm->cred) {
> +		security_bprm_aborting_creds(bprm);

Can you move this look outside of the cred_guard_mutex?  It looks like
you can and I expect not unnecessarily extending the scope of the mutex
would be a good idea.

>  		mutex_unlock(&current->signal->cred_guard_mutex);
>  		abort_creds(bprm->cred);
>  	}

Re: [PATCH 1/4] LSM: Add security_bprm_aborting_creds() hook.

[Tetsuo Handa]

Eric W. Biederman wrote:
> Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> writes:
> > diff --git a/fs/exec.c b/fs/exec.c
> > index 8875dd1..89f0479 100644
> > --- a/fs/exec.c
> > +++ b/fs/exec.c
> > @@ -1172,6 +1172,7 @@ void free_bprm(struct linux_binprm *bprm)
> >  {
> >  	free_arg_pages(bprm);
> >  	if (bprm->cred) {
> > +		security_bprm_aborting_creds(bprm);
> 
> Can you move this look outside of the cred_guard_mutex?  It looks like
> you can and I expect not unnecessarily extending the scope of the mutex
> would be a good idea.
> 
> >  		mutex_unlock(&current->signal->cred_guard_mutex);
> >  		abort_creds(bprm->cred);
> >  	}
> 

Sure. Here is the updated patch. Does this look OK to you?

>From b226aaf96303495a04d615cda6f8a06af3e822c3 Mon Sep 17 00:00:00 2001
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Date: Fri, 18 Oct 2013 21:32:16 +0900
Subject: [PATCHv2 1/4] LSM: Add security_bprm_aborting_creds() hook.

Add a LSM hook which is called only when an execve operation failed after
prepare_bprm_creds() succeeded. This hook is used by TOMOYO for synchronously
cleaning up resources allocated during an execve operation.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
---
 fs/exec.c                |    1 +
 include/linux/security.h |   11 +++++++++++
 security/capability.c    |    5 +++++
 security/security.c      |    5 +++++
 4 files changed, 22 insertions(+), 0 deletions(-)

diff --git a/fs/exec.c b/fs/exec.c
index 8875dd1..b229f22 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1173,6 +1173,7 @@ void free_bprm(struct linux_binprm *bprm)
 	free_arg_pages(bprm);
 	if (bprm->cred) {
 		mutex_unlock(&current->signal->cred_guard_mutex);
+		security_bprm_aborting_creds(bprm);
 		abort_creds(bprm->cred);
 	}
 	/* If a binfmt changed the interp, free it. */
diff --git a/include/linux/security.h b/include/linux/security.h
index 9d37e2b..e9fff76 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -236,6 +236,11 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
  *	linux_binprm structure.  This hook is a good place to perform state
  *	changes on the process such as clearing out non-inheritable signal
  *	state.  This is called immediately after commit_creds().
+ * @bprm_aborting_creds:
+ *	This hook is called when an execve operation failed after
+ *	prepare_bprm_creds() succeeded so that we can synchronously clean up
+ *	resources used by an execve operation.
+ *	@bprm points to the linux_binprm structure.
  * @bprm_secureexec:
  *	Return a boolean value (0 or 1) indicating whether a "secure exec"
  *	is required.  The flag is passed in the auxiliary table
@@ -1446,6 +1451,7 @@ struct security_operations {
 	int (*bprm_secureexec) (struct linux_binprm *bprm);
 	void (*bprm_committing_creds) (struct linux_binprm *bprm);
 	void (*bprm_committed_creds) (struct linux_binprm *bprm);
+	void (*bprm_aborting_creds) (struct linux_binprm *bprm);
 
 	int (*sb_alloc_security) (struct super_block *sb);
 	void (*sb_free_security) (struct super_block *sb);
@@ -1741,6 +1747,7 @@ int security_bprm_set_creds(struct linux_binprm *bprm);
 int security_bprm_check(struct linux_binprm *bprm);
 void security_bprm_committing_creds(struct linux_binprm *bprm);
 void security_bprm_committed_creds(struct linux_binprm *bprm);
+void security_bprm_aborting_creds(struct linux_binprm *bprm);
 int security_bprm_secureexec(struct linux_binprm *bprm);
 int security_sb_alloc(struct super_block *sb);
 void security_sb_free(struct super_block *sb);
@@ -1988,6 +1995,10 @@ static inline void security_bprm_committed_creds(struct linux_binprm *bprm)
 {
 }
 
+static inline void security_bprm_aborting_creds(struct linux_binprm *bprm)
+{
+}
+
 static inline int security_bprm_secureexec(struct linux_binprm *bprm)
 {
 	return cap_bprm_secureexec(bprm);
diff --git a/security/capability.c b/security/capability.c
index dbeb9bc..44ca607 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -40,6 +40,10 @@ static void cap_bprm_committed_creds(struct linux_binprm *bprm)
 {
 }
 
+static void cap_bprm_aborting_creds(struct linux_binprm *bprm)
+{
+}
+
 static int cap_sb_alloc_security(struct super_block *sb)
 {
 	return 0;
@@ -931,6 +935,7 @@ void __init security_fixup_ops(struct security_operations *ops)
 	set_to_cap_if_null(ops, bprm_set_creds);
 	set_to_cap_if_null(ops, bprm_committing_creds);
 	set_to_cap_if_null(ops, bprm_committed_creds);
+	set_to_cap_if_null(ops, bprm_aborting_creds);
 	set_to_cap_if_null(ops, bprm_check_security);
 	set_to_cap_if_null(ops, bprm_secureexec);
 	set_to_cap_if_null(ops, sb_alloc_security);
diff --git a/security/security.c b/security/security.c
index 4dc31f4..064da04 100644
--- a/security/security.c
+++ b/security/security.c
@@ -236,6 +236,11 @@ void security_bprm_committed_creds(struct linux_binprm *bprm)
 	security_ops->bprm_committed_creds(bprm);
 }
 
+void security_bprm_aborting_creds(struct linux_binprm *bprm)
+{
+	security_ops->bprm_aborting_creds(bprm);
+}
+
 int security_bprm_secureexec(struct linux_binprm *bprm)
 {
 	return security_ops->bprm_secureexec(bprm);
-- 
1.7.1

Re: [PATCH 1/4] LSM: Add security_bprm_aborting_creds() hook.

[Eric W. Biederman]

Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> writes:

> Eric W. Biederman wrote:
>> Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> writes:
>> > diff --git a/fs/exec.c b/fs/exec.c
>> > index 8875dd1..89f0479 100644
>> > --- a/fs/exec.c
>> > +++ b/fs/exec.c
>> > @@ -1172,6 +1172,7 @@ void free_bprm(struct linux_binprm *bprm)
>> >  {
>> >  	free_arg_pages(bprm);
>> >  	if (bprm->cred) {
>> > +		security_bprm_aborting_creds(bprm);
>> 
>> Can you move this look outside of the cred_guard_mutex?  It looks like
>> you can and I expect not unnecessarily extending the scope of the mutex
>> would be a good idea.
>> 
>> >  		mutex_unlock(&current->signal->cred_guard_mutex);
>> >  		abort_creds(bprm->cred);
>> >  	}
>> 
>
> Sure. Here is the updated patch. Does this look OK to you?

Yes.  I don't know about the semantics of the patch but moving
oustide of the cred_guard_mutex looks good.

Eric



>>From b226aaf96303495a04d615cda6f8a06af3e822c3 Mon Sep 17 00:00:00 2001
> From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> Date: Fri, 18 Oct 2013 21:32:16 +0900
> Subject: [PATCHv2 1/4] LSM: Add security_bprm_aborting_creds() hook.
>
> Add a LSM hook which is called only when an execve operation failed after
> prepare_bprm_creds() succeeded. This hook is used by TOMOYO for synchronously
> cleaning up resources allocated during an execve operation.
>
> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> ---
>  fs/exec.c                |    1 +
>  include/linux/security.h |   11 +++++++++++
>  security/capability.c    |    5 +++++
>  security/security.c      |    5 +++++
>  4 files changed, 22 insertions(+), 0 deletions(-)
>
> diff --git a/fs/exec.c b/fs/exec.c
> index 8875dd1..b229f22 100644
> --- a/fs/exec.c
> +++ b/fs/exec.c
> @@ -1173,6 +1173,7 @@ void free_bprm(struct linux_binprm *bprm)
>  	free_arg_pages(bprm);
>  	if (bprm->cred) {
>  		mutex_unlock(&current->signal->cred_guard_mutex);
> +		security_bprm_aborting_creds(bprm);
>  		abort_creds(bprm->cred);
>  	}
>  	/* If a binfmt changed the interp, free it. */
> diff --git a/include/linux/security.h b/include/linux/security.h
> index 9d37e2b..e9fff76 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -236,6 +236,11 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
>   *	linux_binprm structure.  This hook is a good place to perform state
>   *	changes on the process such as clearing out non-inheritable signal
>   *	state.  This is called immediately after commit_creds().
> + * @bprm_aborting_creds:
> + *	This hook is called when an execve operation failed after
> + *	prepare_bprm_creds() succeeded so that we can synchronously clean up
> + *	resources used by an execve operation.
> + *	@bprm points to the linux_binprm structure.
>   * @bprm_secureexec:
>   *	Return a boolean value (0 or 1) indicating whether a "secure exec"
>   *	is required.  The flag is passed in the auxiliary table
> @@ -1446,6 +1451,7 @@ struct security_operations {
>  	int (*bprm_secureexec) (struct linux_binprm *bprm);
>  	void (*bprm_committing_creds) (struct linux_binprm *bprm);
>  	void (*bprm_committed_creds) (struct linux_binprm *bprm);
> +	void (*bprm_aborting_creds) (struct linux_binprm *bprm);
>  
>  	int (*sb_alloc_security) (struct super_block *sb);
>  	void (*sb_free_security) (struct super_block *sb);
> @@ -1741,6 +1747,7 @@ int security_bprm_set_creds(struct linux_binprm *bprm);
>  int security_bprm_check(struct linux_binprm *bprm);
>  void security_bprm_committing_creds(struct linux_binprm *bprm);
>  void security_bprm_committed_creds(struct linux_binprm *bprm);
> +void security_bprm_aborting_creds(struct linux_binprm *bprm);
>  int security_bprm_secureexec(struct linux_binprm *bprm);
>  int security_sb_alloc(struct super_block *sb);
>  void security_sb_free(struct super_block *sb);
> @@ -1988,6 +1995,10 @@ static inline void security_bprm_committed_creds(struct linux_binprm *bprm)
>  {
>  }
>  
> +static inline void security_bprm_aborting_creds(struct linux_binprm *bprm)
> +{
> +}
> +
>  static inline int security_bprm_secureexec(struct linux_binprm *bprm)
>  {
>  	return cap_bprm_secureexec(bprm);
> diff --git a/security/capability.c b/security/capability.c
> index dbeb9bc..44ca607 100644
> --- a/security/capability.c
> +++ b/security/capability.c
> @@ -40,6 +40,10 @@ static void cap_bprm_committed_creds(struct linux_binprm *bprm)
>  {
>  }
>  
> +static void cap_bprm_aborting_creds(struct linux_binprm *bprm)
> +{
> +}
> +
>  static int cap_sb_alloc_security(struct super_block *sb)
>  {
>  	return 0;
> @@ -931,6 +935,7 @@ void __init security_fixup_ops(struct security_operations *ops)
>  	set_to_cap_if_null(ops, bprm_set_creds);
>  	set_to_cap_if_null(ops, bprm_committing_creds);
>  	set_to_cap_if_null(ops, bprm_committed_creds);
> +	set_to_cap_if_null(ops, bprm_aborting_creds);
>  	set_to_cap_if_null(ops, bprm_check_security);
>  	set_to_cap_if_null(ops, bprm_secureexec);
>  	set_to_cap_if_null(ops, sb_alloc_security);
> diff --git a/security/security.c b/security/security.c
> index 4dc31f4..064da04 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -236,6 +236,11 @@ void security_bprm_committed_creds(struct linux_binprm *bprm)
>  	security_ops->bprm_committed_creds(bprm);
>  }
>  
> +void security_bprm_aborting_creds(struct linux_binprm *bprm)
> +{
> +	security_ops->bprm_aborting_creds(bprm);
> +}
> +
>  int security_bprm_secureexec(struct linux_binprm *bprm)
>  {
>  	return security_ops->bprm_secureexec(bprm);

[PATCH 2/4] LSM: Revive security_task_alloc() hook.

[Tetsuo Handa]

>From b705c8f3c0776cbc4d7a9f5209edcde8b9160d24 Mon Sep 17 00:00:00 2001
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Date: Mon, 30 Sep 2013 20:08:10 +0900
Subject: [PATCH 2/4] LSM: Revive security_task_alloc() hook.

Revive a LSM hook which is called when a task_struct is allocated.
This hook is used by TOMOYO for inheriting per a task_struct variables.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
---
 include/linux/security.h |   10 ++++++++++
 kernel/fork.c            |    7 ++++++-
 security/capability.c    |    6 ++++++
 security/security.c      |    5 +++++
 4 files changed, 27 insertions(+), 1 deletions(-)

diff --git a/include/linux/security.h b/include/linux/security.h
index 6c71236..8f9e4f2 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -673,6 +673,9 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
  *	manual page for definitions of the @clone_flags.
  *	@clone_flags contains the flags indicating what should be shared.
  *	Return 0 if permission is granted.
+ * @task_alloc:
+ *	@task task being allocated.
+ *	Handle allocation of task-related resources.
  * @task_free:
  *	@task task being freed
  *	Handle release of task-related resources. (Note that this can be called
@@ -1562,6 +1565,7 @@ struct security_operations {
 	int (*file_open) (struct file *file, const struct cred *cred);
 
 	int (*task_create) (unsigned long clone_flags);
+	int (*task_alloc) (struct task_struct *task);
 	void (*task_free) (struct task_struct *task);
 	int (*cred_alloc_blank) (struct cred *cred, gfp_t gfp);
 	void (*cred_free) (struct cred *cred);
@@ -1835,6 +1839,7 @@ int security_file_send_sigiotask(struct task_struct *tsk,
 int security_file_receive(struct file *file);
 int security_file_open(struct file *file, const struct cred *cred);
 int security_task_create(unsigned long clone_flags);
+int security_task_alloc(struct task_struct *task);
 void security_task_free(struct task_struct *task);
 int security_cred_alloc_blank(struct cred *cred, gfp_t gfp);
 void security_cred_free(struct cred *cred);
@@ -2337,6 +2342,11 @@ static inline int security_task_create(unsigned long clone_flags)
 	return 0;
 }
 
+static inline int security_task_alloc(struct task_struct *task)
+{
+	return 0;
+}
+
 static inline void security_task_free(struct task_struct *task)
 { }
 
diff --git a/kernel/fork.c b/kernel/fork.c
index 086fe73..ce24b3e 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -1318,9 +1318,12 @@ static struct task_struct *copy_process(unsigned long clone_flags,
 	retval = perf_event_init_task(p);
 	if (retval)
 		goto bad_fork_cleanup_policy;
-	retval = audit_alloc(p);
+	retval = security_task_alloc(p);
 	if (retval)
 		goto bad_fork_cleanup_policy;
+	retval = audit_alloc(p);
+	if (retval)
+		goto bad_fork_cleanup_security;
 	/* copy all the process information */
 	retval = copy_semundo(clone_flags, p);
 	if (retval)
@@ -1517,6 +1520,8 @@ bad_fork_cleanup_semundo:
 	exit_sem(p);
 bad_fork_cleanup_audit:
 	audit_free(p);
+bad_fork_cleanup_security:
+	security_task_free(p);
 bad_fork_cleanup_policy:
 	perf_event_free_task(p);
 #ifdef CONFIG_NUMA
diff --git a/security/capability.c b/security/capability.c
index 7dc95f7..4e55ce2 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -373,6 +373,11 @@ static int cap_task_create(unsigned long clone_flags)
 	return 0;
 }
 
+static int cap_task_alloc(struct task_struct *task)
+{
+	return 0;
+}
+
 static void cap_task_free(struct task_struct *task)
 {
 }
@@ -1012,6 +1017,7 @@ void __init security_fixup_ops(struct security_operations *ops)
 	set_to_cap_if_null(ops, file_receive);
 	set_to_cap_if_null(ops, file_open);
 	set_to_cap_if_null(ops, task_create);
+	set_to_cap_if_null(ops, task_alloc);
 	set_to_cap_if_null(ops, task_free);
 	set_to_cap_if_null(ops, cred_alloc_blank);
 	set_to_cap_if_null(ops, cred_free);
diff --git a/security/security.c b/security/security.c
index fc05875..97e177f 100644
--- a/security/security.c
+++ b/security/security.c
@@ -794,6 +794,11 @@ int security_task_create(unsigned long clone_flags)
 	return security_ops->task_create(clone_flags);
 }
 
+int security_task_alloc(struct task_struct *task)
+{
+	return security_ops->task_alloc(task);
+}
+
 void security_task_free(struct task_struct *task)
 {
 #ifdef CONFIG_SECURITY_YAMA_STACKED
-- 
1.7.1

[PATCH 3/4] TOMOYO: Remember the proposed domain while in execve() request.

[Tetsuo Handa]

>From fa547d8dd859238a19f059dd92c7c86184744fa7 Mon Sep 17 00:00:00 2001
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Date: Mon, 30 Sep 2013 20:08:56 +0900
Subject: [PATCH 3/4] TOMOYO: Remember the proposed domain while in execve() request.

Introduce per a task_struct variable which remembers the proposed domain
so that TOMOYO can find the proposed domain before execve() succeeds.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
---
 security/tomoyo/common.h |   34 +++++++++-
 security/tomoyo/tomoyo.c |  163 ++++++++++++++++++++++++++++++++++++++++++++--
 2 files changed, 191 insertions(+), 6 deletions(-)

diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h
index b897d48..60e5800 100644
--- a/security/tomoyo/common.h
+++ b/security/tomoyo/common.h
@@ -36,6 +36,9 @@
 
 /********** Constants definitions. **********/
 
+/* Current thread is doing do_execve() ? */
+#define TOMOYO_TASK_IS_IN_EXECVE 1
+
 /*
  * TOMOYO uses this hash only when appending a string into the string
  * table. Frequency of appending strings is very low. So we don't need
@@ -398,6 +401,16 @@ enum tomoyo_pref_index {
 
 /********** Structure definitions. **********/
 
+/* Per a task_struct variable. */
+struct tomoyo_security {
+	struct list_head list;
+	const struct task_struct *task;
+	/* NULL unless tomoyo_flags has TOMOYO_TASK_IS_IN_EXECVE flag. */
+	struct tomoyo_domain_info *tomoyo_domain_info;
+	u32 tomoyo_flags;
+	struct rcu_head rcu;
+};
+
 /* Common header for holding ACL entries. */
 struct tomoyo_acl_head {
 	struct list_head list;
@@ -913,6 +926,7 @@ struct tomoyo_policy_namespace {
 
 /********** Function prototypes. **********/
 
+struct tomoyo_security *tomoyo_find_task_security(void);
 bool tomoyo_address_matches_group(const bool is_ipv6, const __be32 *address,
 				  const struct tomoyo_group *group);
 bool tomoyo_compare_number_union(const unsigned long value,
@@ -1202,7 +1216,25 @@ static inline void tomoyo_put_group(struct tomoyo_group *group)
  */
 static inline struct tomoyo_domain_info *tomoyo_domain(void)
 {
-	return current_cred()->security;
+	/*
+	 * Return the proposed domain stored in "struct linux_binprm *"
+	 * if current thread is in do_execve(). The proposed domain will be
+	 * cleared when do_execve() finished.
+	 */
+	struct tomoyo_security *ptr = tomoyo_find_task_security();
+	return ptr && (ptr->tomoyo_flags & TOMOYO_TASK_IS_IN_EXECVE) ?
+		ptr->tomoyo_domain_info : current_cred()->security;
+}
+
+/**
+ * tomoyo_current_flags - Get flags for current thread.
+ *
+ * Returns flags for current thread.
+ */
+static inline u32 tomoyo_current_flags(void)
+{
+	struct tomoyo_security *ptr = tomoyo_find_task_security();
+	return ptr ? ptr->tomoyo_flags : 0;
 }
 
 /**
diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c
index f0b756e..7039302 100644
--- a/security/tomoyo/tomoyo.c
+++ b/security/tomoyo/tomoyo.c
@@ -7,6 +7,110 @@
 #include <linux/security.h>
 #include "common.h"
 
+/* List of "struct tomoyo_security" associated with "struct task_struct". */
+static LIST_HEAD(tomoyo_task_security_list);
+/* Lock for protecting tomoyo_task_security_list list. */
+static DEFINE_SPINLOCK(tomoyo_task_security_list_lock);
+
+/**
+ * tomoyo_del_task_security - Release "struct tomoyo_security".
+ *
+ * @ptr: Pointer to "struct tomoyo_security".
+ *
+ * Returns nothing.
+ */
+static void tomoyo_del_task_security(struct tomoyo_security *ptr)
+{
+	unsigned long flags;
+	spin_lock_irqsave(&tomoyo_task_security_list_lock, flags);
+	list_del_rcu(&ptr->list);
+	spin_unlock_irqrestore(&tomoyo_task_security_list_lock, flags);
+	kfree_rcu(ptr, rcu);
+}
+
+/**
+ * tomoyo_add_task_security - Add "struct tomoyo_security" to list.
+ *
+ * @ptr:  Pointer to "struct tomoyo_security".
+ *
+ * Returns nothing.
+ */
+static void tomoyo_add_task_security(struct tomoyo_security *ptr)
+{
+	unsigned long flags;
+	spin_lock_irqsave(&tomoyo_task_security_list_lock, flags);
+	list_add_rcu(&ptr->list, &tomoyo_task_security_list);
+	spin_unlock_irqrestore(&tomoyo_task_security_list_lock, flags);
+}
+
+/**
+ * tomoyo_find_task_security - Find "struct tomoyo_security" for current thread.
+ *
+ * Returns pointer to "struct tomoyo_security" if found, NULL otherwise.
+ */
+struct tomoyo_security *tomoyo_find_task_security(void)
+{
+	const struct task_struct *task = current;
+	struct tomoyo_security *ptr;
+	rcu_read_lock();
+	list_for_each_entry_rcu(ptr, &tomoyo_task_security_list, list) {
+		if (ptr->task != task)
+			continue;
+		rcu_read_unlock();
+		return ptr;
+	}
+	rcu_read_unlock();
+	return NULL;
+}
+
+/**
+ * tomoyo_task_free - Schedule for garbage collection.
+ *
+ * @task: Unused.
+ *
+ * Returns nothing.
+ */
+static void tomoyo_task_free(struct task_struct *task)
+{
+	struct tomoyo_security *ptr;
+	rcu_read_lock();
+	list_for_each_entry_rcu(ptr, &tomoyo_task_security_list, list) {
+		if (ptr->task != task)
+			continue;
+		tomoyo_del_task_security(ptr);
+		break;
+	}
+	rcu_read_unlock();
+}
+
+/**
+ * tomoyo_bprm_committing_creds - Forget the proposed domain.
+ *
+ * @bprm: Pointer to "struct linux_binprm".
+ *
+ * Returns nothing.
+ */
+static void tomoyo_bprm_committing_creds(struct linux_binprm *bprm)
+{
+	struct tomoyo_security *ptr = tomoyo_find_task_security();
+	if (ptr)
+		tomoyo_del_task_security(ptr);
+}
+
+/**
+ * tomoyo_bprm_aborting_creds - Forget the proposed domain.
+ *
+ * @bprm: Pointer to "struct linux_binprm".
+ *
+ * Returns nothing.
+ */
+static void tomoyo_bprm_aborting_creds(struct linux_binprm *bprm)
+{
+	struct tomoyo_security *ptr = tomoyo_find_task_security();
+	if (ptr)
+		tomoyo_del_task_security(ptr);
+}
+
 /**
  * tomoyo_cred_alloc_blank - Target for security_cred_alloc_blank().
  *
@@ -124,12 +228,48 @@ static int tomoyo_bprm_check_security(struct linux_binprm *bprm)
 	 * using current domain.
 	 */
 	if (!domain) {
+		struct tomoyo_security *entry;
 		const int idx = tomoyo_read_lock();
 		const int err = tomoyo_find_next_domain(bprm);
 		tomoyo_read_unlock(idx);
-		return err;
+		if (err)
+			return err;
+		domain = bprm->cred->security;
+		/*
+		 * For backward compatibility, don't check read permission
+		 * against binary loaders. This will be done by not setting
+		 * TOMOYO_TASK_IS_IN_EXECVE flag.
+		 */
+		if (domain->ns->profile_version == 20110903)
+			return 0;
+		/*
+		 * Remember the proposed domain associated with
+		 * "struct task_struct" so that read permission will later be
+		 * checked against interpreters and binary loaders at
+		 * tomoyo_file_open().
+		 */
+		entry = tomoyo_find_task_security();
+		if (!entry)
+			entry = kzalloc(sizeof(*entry), GFP_KERNEL);
+		if (!entry)
+			return -ENOMEM;
+		entry->tomoyo_flags |= TOMOYO_TASK_IS_IN_EXECVE;
+		entry->tomoyo_domain_info = domain;
+		if (!entry->list.next) {
+			entry->task = current;
+			tomoyo_add_task_security(entry);
+		}
+		return 0;
 	}
 	/*
+	 * By setting TOMOYO_TASK_IS_IN_EXECVE flag, read permission will later
+	 * be checked against interpreters and binary loaders at
+	 * tomoyo_file_open().
+	 */
+	if (tomoyo_current_flags() & TOMOYO_TASK_IS_IN_EXECVE)
+		return 0;
+	/*
+	 * Backward compatibility.
 	 * Read permission is checked against interpreters using next domain.
 	 */
 	return tomoyo_check_open_permission(domain, &bprm->file->f_path,
@@ -328,11 +468,21 @@ static int tomoyo_file_fcntl(struct file *file, unsigned int cmd,
  */
 static int tomoyo_file_open(struct file *f, const struct cred *cred)
 {
-	int flags = f->f_flags;
-	/* Don't check read permission here if called from do_execve(). */
-	if (current->in_execve)
+	struct tomoyo_domain_info *domain = tomoyo_domain();
+
+	/*
+	 * Don't check read permission here if this hook is called for checking
+	 * the executable passed to do_execve(); execute permission will later
+	 * be checked at tomoyo_bprm_check_security().
+	 *
+	 * Check read permission here if this hook is called for checking the
+	 * interpreters and binary loaders needed by the executable passed to
+	 * do_execve().
+	 */
+	if (current->in_execve &&
+	    !(tomoyo_current_flags() & TOMOYO_TASK_IS_IN_EXECVE))
 		return 0;
-	return tomoyo_check_open_permission(tomoyo_domain(), &f->f_path, flags);
+	return tomoyo_check_open_permission(domain, &f->f_path, f->f_flags);
 }
 
 /**
@@ -505,12 +655,15 @@ static int tomoyo_socket_sendmsg(struct socket *sock, struct msghdr *msg,
  */
 static struct security_operations tomoyo_security_ops = {
 	.name                = "tomoyo",
+	.task_free           = tomoyo_task_free,
 	.cred_alloc_blank    = tomoyo_cred_alloc_blank,
 	.cred_prepare        = tomoyo_cred_prepare,
 	.cred_transfer	     = tomoyo_cred_transfer,
 	.cred_free           = tomoyo_cred_free,
 	.bprm_set_creds      = tomoyo_bprm_set_creds,
 	.bprm_check_security = tomoyo_bprm_check_security,
+	.bprm_committing_creds = tomoyo_bprm_committing_creds,
+	.bprm_aborting_creds = tomoyo_bprm_aborting_creds,
 	.file_fcntl          = tomoyo_file_fcntl,
 	.file_open           = tomoyo_file_open,
 	.path_truncate       = tomoyo_path_truncate,
-- 
1.7.1

[PATCH 4/4] TOMOYO: Allow caching policy manager's state until execve() request.

[Tetsuo Handa]

>From aee19efdae75422f8d4ec9bf7cb9ea8a726cdf2c Mon Sep 17 00:00:00 2001
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Date: Mon, 30 Sep 2013 20:09:34 +0900
Subject: [PATCH 4/4] TOMOYO: Allow caching policy manager's state until execve() request.

Extend the lifetime of the per a task_struct variable from "start of execve()
to end of do_execve()" to "arbitrary moment to the end of exexve()" so that
we can remember that the current thread (and threads created afterwards from
current thread) can update policy without checking permission to update policy
for each line.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
---
 security/tomoyo/common.c |   22 +++++++++++++++++++++-
 security/tomoyo/common.h |    6 ++++++
 security/tomoyo/tomoyo.c |   32 +++++++++++++++++++++++++++++++-
 3 files changed, 58 insertions(+), 2 deletions(-)

diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c
index 283862a..40ae993 100644
--- a/security/tomoyo/common.c
+++ b/security/tomoyo/common.c
@@ -921,10 +921,14 @@ static bool tomoyo_manager(void)
 	const char *exe;
 	const struct task_struct *task = current;
 	const struct tomoyo_path_info *domainname = tomoyo_domain()->domainname;
+	struct tomoyo_security *security;
 	bool found = false;
 
 	if (!tomoyo_policy_loaded)
 		return true;
+	security = tomoyo_find_task_security();
+	if (security && (security->tomoyo_flags & TOMOYO_TASK_IS_MANAGER))
+		return true;
 	if (!tomoyo_manage_by_non_root &&
 	    (!uid_eq(task->cred->uid,  GLOBAL_ROOT_UID) ||
 	     !uid_eq(task->cred->euid, GLOBAL_ROOT_UID)))
@@ -951,7 +955,23 @@ static bool tomoyo_manager(void)
 		}
 	}
 	kfree(exe);
-	return found;
+	if (!found)
+		return false;
+	/*
+	 * Remember that the current thread is allowed to update
+	 * policies until do_execve().
+	 */
+	if (security) {
+		security->tomoyo_flags |= TOMOYO_TASK_IS_MANAGER;
+		return true;
+	}
+	security = kzalloc(sizeof(*security), GFP_KERNEL);
+	if (security) {
+		security->task = task;
+		security->tomoyo_flags |= TOMOYO_TASK_IS_MANAGER;
+		tomoyo_add_task_security(security);
+	}
+	return true;
 }
 
 static struct tomoyo_domain_info *tomoyo_find_domain_by_qid
diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h
index 60e5800..923d237 100644
--- a/security/tomoyo/common.h
+++ b/security/tomoyo/common.h
@@ -38,6 +38,11 @@
 
 /* Current thread is doing do_execve() ? */
 #define TOMOYO_TASK_IS_IN_EXECVE 1
+/*
+ * Current thread is allowed to modify policy via /sys/kernel/security/tomoyo/
+ * interface?
+ */
+#define TOMOYO_TASK_IS_MANAGER   2
 
 /*
  * TOMOYO uses this hash only when appending a string into the string
@@ -927,6 +932,7 @@ struct tomoyo_policy_namespace {
 /********** Function prototypes. **********/
 
 struct tomoyo_security *tomoyo_find_task_security(void);
+void tomoyo_add_task_security(struct tomoyo_security *ptr);
 bool tomoyo_address_matches_group(const bool is_ipv6, const __be32 *address,
 				  const struct tomoyo_group *group);
 bool tomoyo_compare_number_union(const unsigned long value,
diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c
index 7039302..de4c7f9 100644
--- a/security/tomoyo/tomoyo.c
+++ b/security/tomoyo/tomoyo.c
@@ -35,7 +35,7 @@ static void tomoyo_del_task_security(struct tomoyo_security *ptr)
  *
  * Returns nothing.
  */
-static void tomoyo_add_task_security(struct tomoyo_security *ptr)
+void tomoyo_add_task_security(struct tomoyo_security *ptr)
 {
 	unsigned long flags;
 	spin_lock_irqsave(&tomoyo_task_security_list_lock, flags);
@@ -84,6 +84,29 @@ static void tomoyo_task_free(struct task_struct *task)
 }
 
 /**
+ * tomoyo_task_alloc - Make snapshot of security context for new task.
+ *
+ * @p: Pointer to "struct task_struct".
+ *
+ * Returns 0 on success, negative value otherwise.
+ */
+static int tomoyo_task_alloc(struct task_struct *p)
+{
+	struct tomoyo_security *old_security = tomoyo_find_task_security();
+	struct tomoyo_security *new_security;
+
+	if (!old_security)
+		return 0;
+	new_security = kzalloc(sizeof(*new_security), GFP_KERNEL);
+	if (!new_security)
+		return -ENOMEM;
+	new_security->task = p;
+	new_security->tomoyo_flags = old_security->tomoyo_flags;
+	tomoyo_add_task_security(new_security);
+	return 0;
+}
+
+/**
  * tomoyo_bprm_committing_creds - Forget the proposed domain.
  *
  * @bprm: Pointer to "struct linux_binprm".
@@ -209,6 +232,12 @@ static int tomoyo_bprm_set_creds(struct linux_binprm *bprm)
 	 * execve operation.
 	 */
 	bprm->cred->security = NULL;
+	/* Clear the manager flag. */
+	{
+		struct tomoyo_security *ptr = tomoyo_find_task_security();
+		if (ptr)
+			ptr->tomoyo_flags &= ~TOMOYO_TASK_IS_MANAGER;
+	}
 	return 0;
 }
 
@@ -655,6 +684,7 @@ static int tomoyo_socket_sendmsg(struct socket *sock, struct msghdr *msg,
  */
 static struct security_operations tomoyo_security_ops = {
 	.name                = "tomoyo",
+	.task_alloc          = tomoyo_task_alloc,
 	.task_free           = tomoyo_task_free,
 	.cred_alloc_blank    = tomoyo_cred_alloc_blank,
 	.cred_prepare        = tomoyo_cred_prepare,
-- 
1.7.1

Re: [PATCH 0/4] LSM/TOMOYO: Stop using per a cred variables and start using per a task_struct variables.

[Tetsuo Handa]

Hello James.

Is there any remaining issues/questions regarding this patchset?
I think this patchset is ready to go to linux-security.git#next .

Tetsuo Handa wrote:
> This patchset is a repost of https://lkml.org/lkml/2013/6/11/258 for fixing
> two of TOMOYO's long-standing bugs which exists since Linux 2.6.30, and also
> protects TOMOYO from subjective != objective problem described above.

Re: [PATCH 0/4] LSM/TOMOYO: Stop using per a cred variables and start using per a task_struct variables.

[James Morris]

On Wed, 30 Oct 2013, Tetsuo Handa wrote:

> Hello James.
> 
> Is there any remaining issues/questions regarding this patchset?
> I think this patchset is ready to go to linux-security.git#next .
> 
> Tetsuo Handa wrote:
> > This patchset is a repost of https://lkml.org/lkml/2013/6/11/258 for fixing
> > two of TOMOYO's long-standing bugs which exists since Linux 2.6.30, and also
> > protects TOMOYO from subjective != objective problem described above.
> 

Not enough discussion on the need to add these LSM hooks back.

Also, nobody seems to be using Tomoyo.


- James
-- 
James Morris
<jmorris@namei.org>

Re: [PATCH 0/4] LSM/TOMOYO: Stop using per a cred variables andstart using per a task_struct variables.

[Tetsuo Handa]

James Morris wrote:
> On Wed, 30 Oct 2013, Tetsuo Handa wrote:
> 
> > Hello James.
> > 
> > Is there any remaining issues/questions regarding this patchset?
> > I think this patchset is ready to go to linux-security.git#next .
> > 
> > Tetsuo Handa wrote:
> > > This patchset is a repost of https://lkml.org/lkml/2013/6/11/258 for fixing
> > > two of TOMOYO's long-standing bugs which exists since Linux 2.6.30, and also
> > > protects TOMOYO from subjective != objective problem described above.
> > 
> 
> Not enough discussion on the need to add these LSM hooks back.

These LSM hooks are needed for doing per a task_struct tracking.

As I said at https://lkml.org/lkml/2013/11/1/206 in the switch_creds() thread,
the "calling commit_creds() is prohibited between override_creds() and
revert_creds()" is unacceptable barrier for doing per a task_struct tracking.

TOMOYO's security context is by nature per a task_struct variable. Therefore,
I don't want TOMOYO's security context be disturbed by override_creds().
Although I can emulate security_bprm_aborting_creds() and security_task_alloc()
hooks using currently available hooks, reviving security_bprm_aborting_creds()
and security_task_alloc() hooks will be the cleanest way for doing per a
task_struct tracking.

Above will be enough explanation, won't it?

> Also, nobody seems to be using Tomoyo.

What is your criterion for determining that "somebody seems to be using it"?
Depending on your answer, I would say "Nobody seems to be using SELinux".

[PATCH 0/4] LSM/TOMOYO: Introduce per a task_struct variables.

[Tetsuo Handa]

This patchset is for fixing two of TOMOYO's long-standing bugs which exists
since Linux 2.6.30.

Bug 1:

  TOMOYO has been unable to check binary loader's permission upon execve()
  because TOMOYO uses different permission for the program passed to execve()
  request and the binary loader requested by the program passed to the execve()
  request, but TOMOYO was not able to distinguish them due to lack of ability
  to pass the proposed credential argument. Some attempt to pass the proposed
  credential was made but was not successful because it breaks DAC's behavior.

Bug 2:

  TOMOYO has been unable to remember that the current thread was once granted
  for managing policy, for there is no mechanism for cleanly allocating per a
  task_struct variables. As a result, TOMOYO needlessly has to check permission
  for updating policy whenever a line of policy was written. Also, if the
  userspace once deleted a line that is needed for updating policy, the current
  thread (which should be able to update policy) fails to write the rest of
  lines.
  Variables associated with copy on write credential do not help for fixing
  this bug because TOMOYO may not be allowed to modify it when TOMOYO wants to
  modify it.

This patchset has four patches. Patch 1 and 2 are essentially revival of LSM
hooks which existed until Linux 2.6.28.

[PATCH 1/4] LSM: Add security_bprm_aborting_creds() hook.
[PATCH 2/4] LSM: Revive security_task_alloc() hook.
[PATCH 3/4] TOMOYO: Remember the proposed domain while in execve() request.
[PATCH 4/4] TOMOYO: Allow caching policy manager's state until execve() request.

 b/fs/exec.c                |    1
 b/include/linux/security.h |   11 +++
 b/kernel/fork.c            |    7 +
 b/security/capability.c    |    5 +
 b/security/security.c      |    5 +
 b/security/tomoyo/common.c |   22 +++++-
 b/security/tomoyo/common.h |   34 +++++++++
 b/security/tomoyo/tomoyo.c |  163 +++++++++++++++++++++++++++++++++++++++++++--
 include/linux/security.h   |   10 ++
 security/capability.c      |    6 +
 security/security.c        |    5 +
 security/tomoyo/common.h   |    6 +
 security/tomoyo/tomoyo.c   |   32 ++++++++
 13 files changed, 298 insertions(+), 9 deletions(-)

[PATCH 1/4] LSM: Add security_bprm_aborting_creds() hook.

[Tetsuo Handa]

>From 27dfd0d7652917601a53f4439678097c8ce67b2b Mon Sep 17 00:00:00 2001
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Date: Tue, 11 Jun 2013 21:26:53 +0900
Subject: [PATCH 1/4] LSM: Add security_bprm_aborting_creds() hook.

Add a LSM hook which is called only when an execve operation failed after
prepare_bprm_creds() succeeded. This hook is used by TOMOYO for synchronously
cleaning up resources allocated during an execve operation.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
---
 fs/exec.c                |    1 +
 include/linux/security.h |   11 +++++++++++
 security/capability.c    |    5 +++++
 security/security.c      |    5 +++++
 4 files changed, 22 insertions(+), 0 deletions(-)

diff --git a/fs/exec.c b/fs/exec.c
index 6430195..f71b2ae 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1175,6 +1175,7 @@ void free_bprm(struct linux_binprm *bprm)
 {
 	free_arg_pages(bprm);
 	if (bprm->cred) {
+		security_bprm_aborting_creds(bprm);
 		mutex_unlock(&current->signal->cred_guard_mutex);
 		abort_creds(bprm->cred);
 	}
diff --git a/include/linux/security.h b/include/linux/security.h
index 40560f4..6f03e37 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -232,6 +232,11 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
  *	linux_binprm structure.  This hook is a good place to perform state
  *	changes on the process such as clearing out non-inheritable signal
  *	state.  This is called immediately after commit_creds().
+ * @bprm_aborting_creds:
+ *	This hook is called when an execve operation failed after
+ *	prepare_bprm_creds() succeeded so that we can synchronously clean up
+ *	resources used by an execve operation.
+ *	@bprm points to the linux_binprm structure.
  * @bprm_secureexec:
  *	Return a boolean value (0 or 1) indicating whether a "secure exec"
  *	is required.  The flag is passed in the auxiliary table
@@ -1426,6 +1431,7 @@ struct security_operations {
 	int (*bprm_secureexec) (struct linux_binprm *bprm);
 	void (*bprm_committing_creds) (struct linux_binprm *bprm);
 	void (*bprm_committed_creds) (struct linux_binprm *bprm);
+	void (*bprm_aborting_creds) (struct linux_binprm *bprm);
 
 	int (*sb_alloc_security) (struct super_block *sb);
 	void (*sb_free_security) (struct super_block *sb);
@@ -1714,6 +1720,7 @@ int security_bprm_set_creds(struct linux_binprm *bprm);
 int security_bprm_check(struct linux_binprm *bprm);
 void security_bprm_committing_creds(struct linux_binprm *bprm);
 void security_bprm_committed_creds(struct linux_binprm *bprm);
+void security_bprm_aborting_creds(struct linux_binprm *bprm);
 int security_bprm_secureexec(struct linux_binprm *bprm);
 int security_sb_alloc(struct super_block *sb);
 void security_sb_free(struct super_block *sb);
@@ -1954,6 +1961,10 @@ static inline void security_bprm_committed_creds(struct linux_binprm *bprm)
 {
 }
 
+static inline void security_bprm_aborting_creds(struct linux_binprm *bprm)
+{
+}
+
 static inline int security_bprm_secureexec(struct linux_binprm *bprm)
 {
 	return cap_bprm_secureexec(bprm);
diff --git a/security/capability.c b/security/capability.c
index 1728d4e..34b6f09 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -40,6 +40,10 @@ static void cap_bprm_committed_creds(struct linux_binprm *bprm)
 {
 }
 
+static void cap_bprm_aborting_creds(struct linux_binprm *bprm)
+{
+}
+
 static int cap_sb_alloc_security(struct super_block *sb)
 {
 	return 0;
@@ -916,6 +920,7 @@ void __init security_fixup_ops(struct security_operations *ops)
 	set_to_cap_if_null(ops, bprm_set_creds);
 	set_to_cap_if_null(ops, bprm_committing_creds);
 	set_to_cap_if_null(ops, bprm_committed_creds);
+	set_to_cap_if_null(ops, bprm_aborting_creds);
 	set_to_cap_if_null(ops, bprm_check_security);
 	set_to_cap_if_null(ops, bprm_secureexec);
 	set_to_cap_if_null(ops, sb_alloc_security);
diff --git a/security/security.c b/security/security.c
index a3dce87..7123178 100644
--- a/security/security.c
+++ b/security/security.c
@@ -235,6 +235,11 @@ void security_bprm_committed_creds(struct linux_binprm *bprm)
 	security_ops->bprm_committed_creds(bprm);
 }
 
+void security_bprm_aborting_creds(struct linux_binprm *bprm)
+{
+	security_ops->bprm_aborting_creds(bprm);
+}
+
 int security_bprm_secureexec(struct linux_binprm *bprm)
 {
 	return security_ops->bprm_secureexec(bprm);
-- 
1.7.1