8f69975d BS |
1 | From: Tony Jones <tonyj@suse.de> |
2 | Subject: Pass the struct vfsmounts to the inode_link LSM hook | |
3 | ||
4 | This is needed for computing pathnames in the AppArmor LSM. | |
5 | ||
6 | Signed-off-by: Tony Jones <tonyj@suse.de> | |
7 | Signed-off-by: Andreas Gruenbacher <agruen@suse.de> | |
8 | Signed-off-by: John Johansen <jjohansen@suse.de> | |
9 | ||
10 | --- | |
11 | fs/namei.c | 3 ++- | |
12 | include/linux/security.h | 18 ++++++++++++------ | |
13 | security/capability.c | 5 +++-- | |
14 | security/security.c | 8 +++++--- | |
15 | security/selinux/hooks.c | 9 +++++++-- | |
16 | security/smack/smack_lsm.c | 5 +++-- | |
17 | 6 files changed, 32 insertions(+), 16 deletions(-) | |
18 | ||
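--- a/fs/namei.c
+++ b/fs/namei.c
@@ -2437,7 +2437,8 @@ int vfs_link(struct dentry *old_dentry,
 if (S_ISDIR(inode->i_mode))
 return -EPERM;
 
- error = security_inode_link(old_dentry, dir, new_dentry);
+ error = security_inode_link(old_dentry, old_mnt, dir, new_dentry,
+ new_mnt);
 if (error)
 return error;
 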
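Review bot: The new call passes `old_mnt` and `new_mnt`, but nothing in this hunk declares or extends them; the `@@` context shows only `int vfs_link(struct dentry *old_dentry,`, so the patch presumably relies on an earlier change in the series that already added both vfsmount parameters to vfs_link. That ordering dependency is worth stating in the description so the patch is not applied standalone and fail to compile. vfs_link starts and ends outside the hunk, so whether either mount can be NULL at this call site cannot be confirmed from here.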
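--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -343,8 +343,10 @@ static inline void security_free_mnt_opt
 * @inode_link:
 * Check permission before creating a new hard link to a file.
 * @old_dentry contains the dentry structure for an existing link to the file.
+ * @old_mnt is the vfsmount corresponding to @old_dentry (may be NULL).
 * @dir contains the inode structure of the parent directory of the new link.
 * @new_dentry contains the dentry structure for the new link.
+ * @new_mnt is the vfsmount corresponding to @new_dentry (may be NULL).
 * Return 0 if permission is granted.
 * @inode_unlink:
 * Check the permission to remove a hard link to a file.
@@ -1362,8 +1364,9 @@ struct security_operations {
 char **name, void **value, size_t *len);
 int (*inode_create) (struct inode *dir, struct dentry *dentry,
 struct vfsmount *mnt, int mode);
- int (*inode_link) (struct dentry *old_dentry,
- struct inode *dir, struct dentry *new_dentry);
+ int (*inode_link) (struct dentry *old_dentry, struct vfsmount *old_mnt,
+ struct inode *dir, struct dentry *new_dentry,
+ struct vfsmount *new_mnt);
 int (*inode_unlink) (struct inode *dir, struct dentry *dentry);
 int (*inode_symlink) (struct inode *dir, struct dentry *dentry,
 struct vfsmount *mnt, const char *old_name);
@@ -1632,8 +1635,9 @@ int security_inode_init_security(struct
 char **name, void **value, size_t *len);
 int security_inode_create(struct inode *dir, struct dentry *dentry,
 struct vfsmount *mnt, int mode);
-int security_inode_link(struct dentry *old_dentry, struct inode *dir,
- struct dentry *new_dentry);
+int security_inode_link(struct dentry *old_dentry, struct vfsmount *old_mnt,
+ struct inode *dir, struct dentry *new_dentry,
+ struct vfsmount *new_mnt);
 int security_inode_unlink(struct inode *dir, struct dentry *dentry);
 int security_inode_symlink(struct inode *dir, struct dentry *dentry,
 struct vfsmount *mnt, const char *old_name);
@@ -1987,8 +1991,10 @@ static inline int security_inode_create(
 }
 
 static inline int security_inode_link(struct dentry *old_dentry,
- struct inode *dir,
- struct dentry *new_dentry)
+ struct vfsmount *old_mnt,
+ struct inode *dir,
+ struct dentry *new_dentry,
+ struct vfsmount *new_mnt)
 {
 return 0;
 }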
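Review bot: The two added doc lines in the first hunk say each vfsmount "may be NULL" but give an implementer no guidance on what that means for a hook that exists to compute pathnames, and the security.c wrapper forwards the pointers unchecked, so every LSM implementation must treat NULL as a valid input rather than a bug. I would extend the `@old_mnt` line to `* @old_mnt is the vfsmount corresponding to @old_dentry, or NULL when the caller has no mount for it; an LSM must not dereference it unconditionally.` and mirror that for `@new_mnt`. Which callers actually pass NULL is not visible in this patch and presumably depends on the rest of the series.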
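--- a/security/capability.c
+++ b/security/capability.c
@@ -160,8 +160,9 @@ static int cap_inode_create(struct inode
 return 0;
 }
 
-static int cap_inode_link(struct dentry *old_dentry, struct inode *inode,
- struct dentry *new_dentry)
+static int cap_inode_link(struct dentry *old_dentry, struct vfsmount *old_mnt,
+ struct inode *inode,
+ struct dentry *new_dentry, struct vfsmount *new_mnt)
 {
 return 0;
 }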
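Review bot: The rewritten signature keeps the third parameter named `inode`, while the prototype in include/linux/security.h, security.c, the SELinux hook and the Smack hook all call it `dir`; since this line is being rewritten anyway, `struct inode *dir,` would make the stub match the interface it implements and avoid suggesting the parameter is the linked-to inode. The same continuation layout (one parameter alone on a line, then two on the next) is repeated in the Smack hunk; a consistent one-parameter-per-line wrap as used in the SELinux hunk would read better in both.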
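--- a/security/security.c
+++ b/security/security.c
@@ -366,12 +366,14 @@ int security_inode_create(struct inode *
 return security_ops->inode_create(dir, dentry, mnt, mode);
 }
 
-int security_inode_link(struct dentry *old_dentry, struct inode *dir,
- struct dentry *new_dentry)
+int security_inode_link(struct dentry *old_dentry, struct vfsmount *old_mnt,
+ struct inode *dir, struct dentry *new_dentry,
+ struct vfsmount *new_mnt)
 {
 if (unlikely(IS_PRIVATE(old_dentry->d_inode)))
 return 0;
- return security_ops->inode_link(old_dentry, dir, new_dentry);
+ return security_ops->inode_link(old_dentry, old_mnt, dir,
+ new_dentry, new_mnt);
 }
 
 int security_inode_unlink(struct inode *dir, struct dentry *dentry)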
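--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2572,11 +2572,16 @@ static int selinux_inode_create(struct i
 return may_create(dir, dentry, SECCLASS_FILE);
 }
 
-static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
+static int selinux_inode_link(struct dentry *old_dentry,
+ struct vfsmount *old_mnt,
+ struct inode *dir,
+ struct dentry *new_dentry,
+ struct vfsmount *new_mnt)
 {
 int rc;
 
- rc = secondary_ops->inode_link(old_dentry, dir, new_dentry);
+ rc = secondary_ops->inode_link(old_dentry, old_mnt, dir, new_dentry,
+ new_mnt);
 if (rc)
 return rc;
 return may_link(dir, old_dentry, MAY_LINK);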
136 | --- a/security/smack/smack_lsm.c | |
137 | +++ b/security/smack/smack_lsm.c | |
138 | @@ -432,8 +432,9 @@ static int smack_inode_init_security(str | |
139 | * | |
140 | * Returns 0 if access is permitted, an error code otherwise | |
141 | */ | |
142 | -static int smack_inode_link(struct dentry *old_dentry, struct inode *dir, | |
143 | - struct dentry *new_dentry) | |
144 | +static int smack_inode_link(struct dentry *old_dentry, struct vfsmount *old_mnt, | |
145 | + struct inode *dir, | |
146 | + struct dentry *new_dentry, struct vfsmount *new_mnt) | |
147 | { | |
148 | int rc; | |
149 | char *isp; |