Move xen patchset to new version's subdir.
diff --git a/src/patches/suse-2.6.27.31/patches.apparmor/apparmor-path_permission b/src/patches/suse-2.6.27.31/patches.apparmor/apparmor-path_permission
new file mode 100644 (file)
index 0000000..41b7ad1
--- /dev/null
@@ -0,0 +1,78 @@
+From: Jeff Mahoney <jeffm@suse.com>
+Subject: [PATCH] apparmor: convert apparmor_inode_permission to path
+
+ patches.apparmor/add-security_path_permission added the ->path_permission
+ call. This patch converts apparmor_inode_permission to
+ apparmor_path_permission. The former is now a pass-all, which is how
+ it behaved in 2.6.26 if a NULL nameidata was passed.
+
+Signed-off-by: Jeff Mahoney <jeffm@suse.com>
+---
+ security/apparmor/lsm.c |   41 +++++++++++++++++++++++++++--------------
+ 1 file changed, 27 insertions(+), 14 deletions(-)
+
+--- a/security/apparmor/lsm.c
++++ b/security/apparmor/lsm.c
+@@ -448,21 +448,9 @@ out:
+       return error;
+ }
+-static int apparmor_inode_permission(struct inode *inode, int mask,
+-                                   struct nameidata *nd)
++static int apparmor_inode_permission(struct inode *inode, int mask)
+ {
+-      int check = 0;
+-
+-      if (!nd || nd->flags & (LOOKUP_PARENT | LOOKUP_CONTINUE))
+-              return 0;
+-      mask = aa_mask_permissions(mask);
+-      if (S_ISDIR(inode->i_mode)) {
+-              check |= AA_CHECK_DIR;
+-              /* allow traverse accesses to directories */
+-              mask &= ~MAY_EXEC;
+-      }
+-      return aa_permission("inode_permission", inode, nd->dentry, nd->mnt,
+-                           mask, check);
++      return 0;
+ }
+ static int apparmor_inode_setattr(struct dentry *dentry, struct vfsmount *mnt,
+@@ -656,6 +644,29 @@ static int apparmor_file_mprotect(struct
+                      !(vma->vm_flags & VM_SHARED) ? MAP_PRIVATE : 0);
+ }
++static int apparmor_path_permission(struct path *path, int mask)
++{
++      struct inode *inode;
++      int check = 0;
++
++      if (!path)
++              return 0;
++
++      inode = path->dentry->d_inode;
++
++      mask = aa_mask_permissions(mask);
++      if (S_ISDIR(inode->i_mode)) {
++              check |= AA_CHECK_DIR;
++              /* allow traverse accesses to directories */
++              mask &= ~MAY_EXEC;
++              if (!mask)
++                      return 0;
++      }
++
++      return aa_permission("inode_permission", inode, path->dentry,
++                           path->mnt, mask, check);
++}
++
+ static int apparmor_task_alloc_security(struct task_struct *task)
+ {
+       return aa_clone(task);
+@@ -800,6 +811,8 @@ struct security_operations apparmor_ops
+       .file_mprotect =                apparmor_file_mprotect,
+       .file_lock =                    apparmor_file_lock,
++      .path_permission =              apparmor_path_permission,
++
+       .task_alloc_security =          apparmor_task_alloc_security,
+       .task_free_security =           apparmor_task_free_security,
+       .task_post_setuid =             cap_task_post_setuid,
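Review bot: In the new apparmor_path_permission, `inode = path->dentry->d_inode;` is followed directly by `S_ISDIR(inode->i_mode)` with only `path` itself checked for NULL, so a negative dentry (d_inode == NULL) would fault here unless the security_path_permission caller introduced by the sibling add-security_path_permission patch guarantees a positive dentry, which is not visible in this hunk; a guard of the form `if (!path || !path->dentry || !path->dentry->d_inode) return 0;` would make the hook safe regardless, though this, like the existing `!path` check, is fail-open and should be confirmed against every caller. The new `if (!mask) return 0;` short-circuit is only taken on the directory branch, so a mask that aa_mask_permissions() reduces to zero on a regular file still reaches aa_permission(); that may be intentional but deserves a comment. The aa_permission() operation string remains `"inode_permission"` although the check is now issued from the path hook, which keeps existing audit-log parsers matching but can mislead a reader; a comment such as `/* keep the legacy op name so existing audit-log consumers still match */` would record the choice. Since apparmor_inode_permission is now an unconditional pass-all, a one-line comment on it (`/* mediation moved to apparmor_path_permission; this hook intentionally allows everything */`) would stop a later reader from mistaking the stub for a bug. The apparmor_ops initializer at the end of the hunk continues outside it, so whether `.inode_permission` is still wired to the stub cannot be seen here.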