On 6 June 2015 at 04:04, Kees Cook <[email protected]> wrote: > On Mon, Jun 1, 2015 at 4:52 AM, Baolin Wang <[email protected]> > wrote: > > For introducing the do_sys_settimeofday64() function with > > timespec64 type to make it ready for 2038 issue, it need to > > introduce the security_settime64() function with timespec64 > > type firstly. > > > > Also introduce a default security_settime64() function with > > timespec64 type when it hasn't defined the CONFIG_SECURITY macro. > > > > Also this patch changes the "settime" pointer's argument with > > timespec64 type in security_operations structure for introducing > > the the security_settime64() function. > > > > Meanwhile moves the security_settime() defined in > > security/security.c file to include/linux/security.h file as a > > static function, that makes it convenient to delete the > > security_settime() later. > > > > And change the cap_settime() function's argument with timespec64 > > type to make it ready for 2038 issue, which is only used by > > security_settime64()/security_settime() function. > > > > Signed-off-by: Baolin Wang <[email protected]> > > --- > > include/linux/security.h | 25 ++++++++++++++++++++----- > > security/commoncap.c | 2 +- > > security/security.c | 2 +- > > 3 files changed, 22 insertions(+), 7 deletions(-) > > We certainly want this in, but this area has been rather radically > refactored recently. Can you rebase this patch against security-next? > > Thanks! > > -Kees > > > > > diff --git a/include/linux/security.h b/include/linux/security.h > > index a1b7dbd..5288794 100644 > > --- a/include/linux/security.h > > +++ b/include/linux/security.h > > @@ -75,7 +75,7 @@ struct timezone; > > */ > > extern int cap_capable(const struct cred *cred, struct user_namespace > *ns, > > int cap, int audit); > > -extern int cap_settime(const struct timespec *ts, const struct timezone > *tz); > > +extern int cap_settime(const struct timespec64 *ts, const struct > timezone *tz); > > extern int cap_ptrace_access_check(struct task_struct *child, unsigned > int mode); > > extern int cap_ptrace_traceme(struct task_struct *parent); > > extern int cap_capget(struct task_struct *target, kernel_cap_t > *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted); > > @@ -1353,7 +1353,8 @@ static inline void security_free_mnt_opts(struct > security_mnt_opts *opts) > > * Return 0 if permission is granted. > > * @settime: > > * Check permission to change the system time. > > - * struct timespec and timezone are defined in include/linux/time.h > > + * struct timespec64 is defined in include/linux/time64.h and > timezone is > > + * defined in include/linux/time.h > > * @ts contains new time > > * @tz contains new timezone > > * Return 0 if permission is granted. > > @@ -1483,7 +1484,7 @@ struct security_operations { > > int (*quotactl) (int cmds, int type, int id, struct super_block > *sb); > > int (*quota_on) (struct dentry *dentry); > > int (*syslog) (int type); > > - int (*settime) (const struct timespec *ts, const struct timezone > *tz); > > + int (*settime) (const struct timespec64 *ts, const struct > timezone *tz); > > int (*vm_enough_memory) (struct mm_struct *mm, long pages); > > > > int (*bprm_set_creds) (struct linux_binprm *bprm); > > @@ -1790,7 +1791,13 @@ int security_capable_noaudit(const struct cred > *cred, struct user_namespace *ns, > > int security_quotactl(int cmds, int type, int id, struct super_block > *sb); > > int security_quota_on(struct dentry *dentry); > > int security_syslog(int type); > > -int security_settime(const struct timespec *ts, const struct timezone > *tz); > > +int security_settime64(const struct timespec64 *ts, const struct > timezone *tz); > > +static int security_settime(const struct timespec *ts, const struct > timezone *tz) > > +{ > > + struct timespec64 ts64 = timespec_to_timespec64(*ts); > > + > > + return security_settime64(&ts64, tz); > > +} > > int security_vm_enough_memory_mm(struct mm_struct *mm, long pages); > > int security_bprm_set_creds(struct linux_binprm *bprm); > > int security_bprm_check(struct linux_binprm *bprm); > > @@ -2040,10 +2047,18 @@ static inline int security_syslog(int type) > > return 0; > > } > > > > +static inline int security_settime64(const struct timespec64 *ts, > > + const struct timezone *tz) > > +{ > > + return cap_settime(ts, tz); > > +} > > + > > static inline int security_settime(const struct timespec *ts, > > const struct timezone *tz) > > { > > - return cap_settime(ts, tz); > > + struct timsepc64 ts64 = timespec_to_timespec64(*ts); > > + > > + return cap_settime(&ts64, tz); > > } > > > > static inline int security_vm_enough_memory_mm(struct mm_struct *mm, > long pages) > > diff --git a/security/commoncap.c b/security/commoncap.c > > index f66713b..bdb8ec0 100644 > > --- a/security/commoncap.c > > +++ b/security/commoncap.c > > @@ -116,7 +116,7 @@ int cap_capable(const struct cred *cred, struct > user_namespace *targ_ns, > > * Determine whether the current process may set the system clock and > timezone > > * information, returning 0 if permission granted, -ve if denied. > > */ > > -int cap_settime(const struct timespec *ts, const struct timezone *tz) > > +int cap_settime(const struct timespec64 *ts, const struct timezone *tz) > > { > > if (!capable(CAP_SYS_TIME)) > > return -EPERM; > > diff --git a/security/security.c b/security/security.c > > index e81d5bb..0be5032 100644 > > --- a/security/security.c > > +++ b/security/security.c > > @@ -224,7 +224,7 @@ int security_syslog(int type) > > return security_ops->syslog(type); > > } > > > > -int security_settime(const struct timespec *ts, const struct timezone > *tz) > > +int security_settime64(const struct timespec64 *ts, const struct > timezone *tz) > > { > > return security_ops->settime(ts, tz); > > } > > -- > > 1.7.9.5 > > > > > > -- > Kees Cook > Chrome OS Security >
Hi Kees, Thanks for your comments, and i'll rebase this patch next step. -- Baolin.wang Best Regards _______________________________________________ Y2038 mailing list [email protected] https://lists.linaro.org/mailman/listinfo/y2038
