#include <linux/mount.h>
#include <linux/security.h>
#include <linux/ptrace.h>
+#include <linux/seccomp.h>
+#include <linux/cpuset.h>
+#include <linux/audit.h>
#include <linux/vs_network.h>
#include "internal.h"
PROC_TGID_TASK,
PROC_TGID_STATUS,
PROC_TGID_MEM,
+#ifdef CONFIG_SECCOMP
+ PROC_TGID_SECCOMP,
+#endif
PROC_TGID_CWD,
PROC_TGID_ROOT,
PROC_TGID_EXE,
#ifdef CONFIG_SCHEDSTATS
PROC_TGID_SCHEDSTAT,
#endif
+#ifdef CONFIG_CPUSETS
+ PROC_TGID_CPUSET,
+#endif
#ifdef CONFIG_SECURITY
PROC_TGID_ATTR,
PROC_TGID_ATTR_CURRENT,
PROC_TID_INO,
PROC_TID_STATUS,
PROC_TID_MEM,
+#ifdef CONFIG_SECCOMP
+ PROC_TID_SECCOMP,
+#endif
PROC_TID_CWD,
PROC_TID_ROOT,
PROC_TID_EXE,
#ifdef CONFIG_SCHEDSTATS
PROC_TID_SCHEDSTAT,
#endif
+#ifdef CONFIG_CPUSETS
+ PROC_TID_CPUSET,
+#endif
#ifdef CONFIG_SECURITY
PROC_TID_ATTR,
PROC_TID_ATTR_CURRENT,
E(PROC_TGID_STATM, "statm", S_IFREG|S_IRUGO),
E(PROC_TGID_MAPS, "maps", S_IFREG|S_IRUGO),
E(PROC_TGID_MEM, "mem", S_IFREG|S_IRUSR|S_IWUSR),
+#ifdef CONFIG_SECCOMP
+ E(PROC_TGID_SECCOMP, "seccomp", S_IFREG|S_IRUSR|S_IWUSR),
+#endif
E(PROC_TGID_CWD, "cwd", S_IFLNK|S_IRWXUGO),
E(PROC_TGID_ROOT, "root", S_IFLNK|S_IRWXUGO),
E(PROC_TGID_EXE, "exe", S_IFLNK|S_IRWXUGO),
#endif
#ifdef CONFIG_SCHEDSTATS
E(PROC_TGID_SCHEDSTAT, "schedstat", S_IFREG|S_IRUGO),
+#endif
+#ifdef CONFIG_CPUSETS
+ E(PROC_TGID_CPUSET, "cpuset", S_IFREG|S_IRUGO),
#endif
E(PROC_TGID_VX_INFO, "vinfo", S_IFREG|S_IRUGO),
E(PROC_TGID_IP_INFO, "ninfo", S_IFREG|S_IRUGO),
E(PROC_TID_STATM, "statm", S_IFREG|S_IRUGO),
E(PROC_TID_MAPS, "maps", S_IFREG|S_IRUGO),
E(PROC_TID_MEM, "mem", S_IFREG|S_IRUSR|S_IWUSR),
+#ifdef CONFIG_SECCOMP
+ E(PROC_TID_SECCOMP, "seccomp", S_IFREG|S_IRUSR|S_IWUSR),
+#endif
E(PROC_TID_CWD, "cwd", S_IFLNK|S_IRWXUGO),
E(PROC_TID_ROOT, "root", S_IFLNK|S_IRWXUGO),
E(PROC_TID_EXE, "exe", S_IFLNK|S_IRWXUGO),
#endif
#ifdef CONFIG_SCHEDSTATS
E(PROC_TID_SCHEDSTAT, "schedstat",S_IFREG|S_IRUGO),
+#endif
+#ifdef CONFIG_CPUSETS
+ E(PROC_TID_CPUSET, "cpuset", S_IFREG|S_IRUGO),
#endif
E(PROC_TID_VX_INFO, "vinfo", S_IFREG|S_IRUGO),
E(PROC_TID_IP_INFO, "ninfo", S_IFREG|S_IRUGO),
.open = mem_open,
};
-static ssize_t oom_adjust_read(struct file *file, char *buf,
+static ssize_t oom_adjust_read(struct file *file, char __user *buf,
size_t count, loff_t *ppos)
{
struct task_struct *task = proc_task(file->f_dentry->d_inode);
return count;
}
-static ssize_t oom_adjust_write(struct file *file, const char *buf,
+static ssize_t oom_adjust_write(struct file *file, const char __user *buf,
size_t count, loff_t *ppos)
{
struct task_struct *task = proc_task(file->f_dentry->d_inode);
if (copy_from_user(buffer, buf, count))
return -EFAULT;
oom_adjust = simple_strtol(buffer, &end, 0);
- if (oom_adjust < -16 || oom_adjust > 15)
+ if ((oom_adjust < -16 || oom_adjust > 15) && oom_adjust != OOM_DISABLE)
return -EINVAL;
if (*end == '\n')
end++;
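Review bot: The widened check `(oom_adjust < -16 || oom_adjust > 15) && oom_adjust != OOM_DISABLE` admits a sentinel whose value and meaning are not explained anywhere in the hunk. Add a comment such as `/* OOM_DISABLE lies outside -16..15 and exempts the task from OOM killing */`, with the wording confirmed against the definition, which is not shown. Since that value presumably removes a task from OOM selection, confirm that the privilege check guarding this write (outside the hunk, if it exists) is meant to cover it too. The bound on `count` before `copy_from_user(buffer, buf, count)` is also outside the visible lines, as are the start and end of oom_adjust_write.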
}
static struct file_operations proc_oom_adjust_operations = {
- read: oom_adjust_read,
- write: oom_adjust_write,
+ .read = oom_adjust_read,
+ .write = oom_adjust_write,
};
static struct inode_operations proc_mem_inode_operations = {
goto out_free_page;
}
- length = audit_set_loginuid(task->audit_context, loginuid);
+ length = audit_set_loginuid(task, loginuid);
if (likely(length == 0))
length = count;
};
#endif
+#ifdef CONFIG_SECCOMP
+static ssize_t seccomp_read(struct file *file, char __user *buf,
+ size_t count, loff_t *ppos)
+{
+ struct task_struct *tsk = proc_task(file->f_dentry->d_inode);
+ char __buf[20];
+ loff_t __ppos = *ppos;
+ size_t len;
+
+ /* no need to print the trailing zero, so use only len */
+ len = sprintf(__buf, "%u\n", tsk->seccomp.mode);
+ if (__ppos >= len)
+ return 0;
+ if (count > len - __ppos)
+ count = len - __ppos;
+ if (copy_to_user(buf, __buf + __ppos, count))
+ return -EFAULT;
+ *ppos = __ppos + count;
+ return count;
+}
+
+static ssize_t seccomp_write(struct file *file, const char __user *buf,
+ size_t count, loff_t *ppos)
+{
+ struct task_struct *tsk = proc_task(file->f_dentry->d_inode);
+ char __buf[20], *end;
+ unsigned int seccomp_mode;
+
+ /* can set it only once to be even more secure */
+ if (unlikely(tsk->seccomp.mode))
+ return -EPERM;
+
+ memset(__buf, 0, sizeof(__buf));
+ count = min(count, sizeof(__buf) - 1);
+ if (copy_from_user(__buf, buf, count))
+ return -EFAULT;
+ seccomp_mode = simple_strtoul(__buf, &end, 0);
+ if (*end == '\n')
+ end++;
+ if (seccomp_mode && seccomp_mode <= NR_SECCOMP_MODES) {
+ tsk->seccomp.mode = seccomp_mode;
+ set_tsk_thread_flag(tsk, TIF_SECCOMP);
+ } else
+ return -EINVAL;
+ if (unlikely(!(end - __buf)))
+ return -EIO;
+ return end - __buf;
+}
+
+static struct file_operations proc_seccomp_operations = {
+ .read = seccomp_read,
+ .write = seccomp_write,
+};
+#endif /* CONFIG_SECCOMP */
+
static int proc_pid_follow_link(struct dentry *dentry, struct nameidata *nd)
{
struct inode *inode = dentry->d_inode;
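Review bot: seccomp_write() applies the mode to the task behind the inode (`tsk = proc_task(...)`) and never checks that this task is the caller, so the only gate visible in this patch is the `S_IRUSR|S_IWUSR` mode on the "seccomp" entries. Because the switch is one-way (`if (unlikely(tsk->seccomp.mode)) return -EPERM;`), any other process able to open that file for writing can irreversibly restrict the task. If only self-enablement is intended, add `if (tsk != current) return -EPERM;` ahead of the mode test; otherwise state the intended writers in a comment above the function. The parser also accepts trailing bytes after the number, since only one '\n' is skipped and `*end` is never required to be NUL. Finally, the test of `tsk->seccomp.mode` and the later store are not under any lock visible here, so two concurrent writers can both pass the first check.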
extern int proc_pid_vx_info(struct task_struct *, char *);
extern int proc_pid_nx_info(struct task_struct *, char *);
+static int get_tid_list(int index, unsigned int *tids, struct inode *dir);
+
/* SMP-safe */
static struct dentry *proc_pident_lookup(struct inode *dir,
struct dentry *dentry,
*/
switch(p->type) {
case PROC_TGID_TASK:
- inode->i_nlink = 3;
+ inode->i_nlink = 2 + get_tid_list(2, NULL, dir);
inode->i_op = &proc_task_inode_operations;
inode->i_fop = &proc_task_operations;
break;
inode->i_op = &proc_mem_inode_operations;
inode->i_fop = &proc_mem_operations;
break;
+#ifdef CONFIG_SECCOMP
+ case PROC_TID_SECCOMP:
+ case PROC_TGID_SECCOMP:
+ inode->i_fop = &proc_seccomp_operations;
+ break;
+#endif /* CONFIG_SECCOMP */
case PROC_TID_MOUNTS:
case PROC_TGID_MOUNTS:
inode->i_fop = &proc_mounts_operations;
inode->i_fop = &proc_info_file_operations;
ei->op.proc_read = proc_pid_schedstat;
break;
+#endif
+#ifdef CONFIG_CPUSETS
+ case PROC_TID_CPUSET:
+ case PROC_TGID_CPUSET:
+ inode->i_fop = &proc_cpuset_operations;
+ break;
#endif
case PROC_TID_OOM_SCORE:
case PROC_TGID_OOM_SCORE:
};
/**
- * proc_pid_unhash - Unhash /proc/<pid> entry from the dcache.
+ * proc_pid_unhash - Unhash /proc/@pid entry from the dcache.
* @p: task that should be flushed.
*
- * Drops the /proc/<pid> dcache entry from the hash chains.
+ * Drops the /proc/@pid dcache entry from the hash chains.
*
- * Dropping /proc/<pid> entries and detach_pid must be synchroneous,
- * otherwise e.g. /proc/<pid>/exe might point to the wrong executable,
+ * Dropping /proc/@pid entries and detach_pid must be synchroneous,
+ * otherwise e.g. /proc/@pid/exe might point to the wrong executable,
* if the pid value is immediately reused. This is enforced by
* - caller must acquire spin_lock(p->proc_lock)
* - must be called before detach_pid()
if (proc_dentry != NULL) {
spin_lock(&dcache_lock);
+ spin_lock(&proc_dentry->d_lock);
if (!d_unhashed(proc_dentry)) {
dget_locked(proc_dentry);
__d_drop(proc_dentry);
- } else
+ spin_unlock(&proc_dentry->d_lock);
+ } else {
+ spin_unlock(&proc_dentry->d_lock);
proc_dentry = NULL;
+ }
spin_unlock(&dcache_lock);
}
return proc_dentry;
}
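Review bot: The new nested `spin_lock(&proc_dentry->d_lock)` inside `dcache_lock` has no comment stating the lock order or what `d_lock` protects here, and the function's kernel-doc still lists only `p->proc_lock` as a locking requirement. A one-line comment before the acquisition, for example `/* lock order: dcache_lock, then d_lock; d_lock covers the d_unhashed() test and __d_drop() */`, would make the invariant reviewable; the stated purpose is inferred from the calls it brackets. The unlock is correctly placed before `proc_dentry = NULL` in the else branch, which is worth a short remark too, since reordering those two lines would dereference NULL. The start of proc_pid_unhash is outside this hunk.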
/**
- * proc_pid_flush - recover memory used by stale /proc/<pid>/x entries
- * @proc_entry: directoy to prune.
+ * proc_pid_flush - recover memory used by stale /proc/@pid/x entries
+ * @proc_dentry: directoy to prune.
*
* Shrink the /proc directory that was used by the just killed thread.
*/
inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
inode->i_op = &proc_tgid_base_inode_operations;
inode->i_fop = &proc_tgid_base_operations;
- inode->i_nlink = 3;
inode->i_flags|=S_IMMUTABLE;
+#ifdef CONFIG_SECURITY
+ inode->i_nlink = 5;
+#else
+ inode->i_nlink = 4;
+#endif
dentry->d_op = &pid_base_dentry_operations;
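Review bot: The link counts assigned under `#ifdef CONFIG_SECURITY` (5 and 4 here, 4 and 3 in the matching tid-base hunk that follows) are bare numbers with no comment tying them to the subdirectories they count. A later change to the entry tables can therefore leave them silently stale. A short comment above each `#ifdef` would do, e.g. `/* ".", ".." plus one link per subdirectory in the base entry table */`, with the directory names filled in by someone who can see the full tables. The enclosing function begins and ends outside the hunk.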
inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
inode->i_op = &proc_tid_base_inode_operations;
inode->i_fop = &proc_tid_base_operations;
- inode->i_nlink = 3;
inode->i_flags|=S_IMMUTABLE;
+#ifdef CONFIG_SECURITY
+ inode->i_nlink = 4;
+#else
+ inode->i_nlink = 3;
+#endif
dentry->d_op = &pid_base_dentry_operations;
continue;
if (--index >= 0)
continue;
- tids[nr_tids] = vx_map_pid(tid);
+ if (tids != NULL)
+ tids[nr_tids] = vx_map_pid(tid);
nr_tids++;
if (nr_tids >= PROC_MAXPIDS)
break;
}
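Review bot: Passing `tids == NULL` turns get_tid_list() into a counter, but the loop still stops at `nr_tids >= PROC_MAXPIDS`, so the count saturates there. The new caller `inode->i_nlink = 2 + get_tid_list(2, NULL, dir);` will therefore under-report the link count for any thread group larger than that cap, assuming such groups are possible. The function's header comment, which is outside this hunk, should say that `tids` may be NULL and that the result is capped, e.g. `/* tids may be NULL: only count, capped at PROC_MAXPIDS */`. The literal `2` passed as `index` in that caller also needs a word of explanation, since its meaning cannot be read from the visible lines.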
nr_tids = get_tid_list(pos, tid_array, inode);
+ inode->i_nlink = pos + nr_tids;
for (i = 0; i < nr_tids; i++) {
unsigned long j = PROC_NUMBUF;