8f69975d BS |
1 | From: Tony Jones <tonyj@suse.de> |
2 | Subject: Pass struct vfsmount to the inode_removexattr LSM hook | |
3 | ||
4 | This is needed for computing pathnames in the AppArmor LSM. | |
5 | ||
6 | Signed-off-by: Tony Jones <tonyj@suse.de> | |
7 | Signed-off-by: Andreas Gruenbacher <agruen@suse.de> | |
8 | Signed-off-by: John Johansen <jjohansen@suse.de> | |
9 | ||
10 | --- | |
11 | fs/xattr.c | 2 +- | |
12 | include/linux/security.h | 14 +++++++++----- | |
13 | security/commoncap.c | 3 ++- | |
14 | security/security.c | 5 +++-- | |
15 | security/selinux/hooks.c | 3 ++- | |
16 | security/smack/smack_lsm.c | 6 ++++-- | |
17 | 6 files changed, 21 insertions(+), 12 deletions(-) | |
18 | ||
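--- a/fs/xattr.c
+++ b/fs/xattr.c
@@ -202,7 +202,7 @@ vfs_removexattr(struct dentry *dentry, s
 if (error)
 return error;
 
-error = security_inode_removexattr(dentry, name);
+error = security_inode_removexattr(dentry, mnt, name);
 if (error)
 return error;
 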
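--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -57,7 +57,8 @@ extern int cap_bprm_secureexec(struct li
 extern int cap_inode_setxattr(struct dentry *dentry, struct vfsmount *mnt,
 const char *name, const void *value, size_t size,
 int flags);
-extern int cap_inode_removexattr(struct dentry *dentry, const char *name);
+extern int cap_inode_removexattr(struct dentry *dentry, struct vfsmount *mnt,
+const char *name);
 extern int cap_inode_need_killpriv(struct dentry *dentry);
 extern int cap_inode_killpriv(struct dentry *dentry);
 extern int cap_task_post_setuid(uid_t old_ruid, uid_t old_euid, uid_t old_suid, int flags);
@@ -1403,7 +1404,8 @@ struct security_operations {
 int (*inode_getxattr) (struct dentry *dentry, struct vfsmount *mnt,
 const char *name);
 int (*inode_listxattr) (struct dentry *dentry, struct vfsmount *mnt);
-int (*inode_removexattr) (struct dentry *dentry, const char *name);
+int (*inode_removexattr) (struct dentry *dentry, struct vfsmount *mnt,
+const char *name);
 int (*inode_need_killpriv) (struct dentry *dentry);
 int (*inode_killpriv) (struct dentry *dentry);
 int (*inode_getsecurity) (const struct inode *inode, const char *name, void **buffer, bool alloc);
@@ -1680,7 +1682,8 @@ void security_inode_post_setxattr(struct
 int security_inode_getxattr(struct dentry *dentry, struct vfsmount *mnt,
 const char *name);
 int security_inode_listxattr(struct dentry *dentry, struct vfsmount *mnt);
-int security_inode_removexattr(struct dentry *dentry, const char *name);
+int security_inode_removexattr(struct dentry *dentry, struct vfsmount *mnt,
+const char *name);
 int security_inode_need_killpriv(struct dentry *dentry);
 int security_inode_killpriv(struct dentry *dentry);
 int security_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc);
@@ -2128,9 +2131,10 @@ static inline int security_inode_listxat
 }
 
 static inline int security_inode_removexattr(struct dentry *dentry,
-const char *name)
+struct vfsmount *mnt,
+const char *name)
 {
-return cap_inode_removexattr(dentry, name);
+return cap_inode_removexattr(dentry, mnt, name);
 }
 
 static inline int security_inode_need_killpriv(struct dentry *dentry)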
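Review bot: The new `mnt` parameter of the `inode_removexattr` member in the `struct security_operations` hunk carries no statement of its contract — in particular whether a caller may pass NULL — even though the commit message says an LSM will compute pathnames from it, so a hook that dereferences it depends on every vfs_removexattr caller supplying a mount that really corresponds to `dentry`. The kernel-doc block that describes the hooks of `struct security_operations` is outside this view; if it exists above the hunk it should gain a line for this hook such as `@mnt contains the vfsmount through which @dentry was reached (NULL if the caller has none — confirm against callers)`. The `cap_inode_setxattr` and `inode_getxattr` prototypes visible in the same hunks already take `mnt` in the same position, so whatever NULL rule is documented should be stated identically for all of them. The `!CONFIG_SECURITY` inline in the last hunk merely forwards `mnt` to `cap_inode_removexattr`, so no behaviour changes there.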
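--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -429,7 +429,8 @@ int cap_inode_setxattr(struct dentry *de
 return 0;
 }
 
-int cap_inode_removexattr(struct dentry *dentry, const char *name)
+int cap_inode_removexattr(struct dentry *dentry, struct vfsmount *mnt,
+const char *name)
 {
 if (!strcmp(name, XATTR_NAME_CAPS)) {
 if (!capable(CAP_SETFCAP))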
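Review bot: `cap_inode_removexattr` now accepts `mnt` but the visible part of its body never reads it, and unlike the Smack hunk in this same commit (which writes `@mnt: unused`) nothing says the parameter is intentionally ignored. A one-line comment above the new signature, `/* @mnt is unused here; accepted only for parity with the LSM hook signature */`, would keep a later reader from assuming the CAP_SETFCAP check is mount-aware. The function body continues past the hunk, so whether `mnt` is consulted further down cannot be confirmed from here.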
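--- a/security/security.c
+++ b/security/security.c
@@ -506,11 +506,12 @@ int security_inode_listxattr(struct dent
 return security_ops->inode_listxattr(dentry, mnt);
 }
 
-int security_inode_removexattr(struct dentry *dentry, const char *name)
+int security_inode_removexattr(struct dentry *dentry, struct vfsmount *mnt,
+const char *name)
 {
 if (unlikely(IS_PRIVATE(dentry->d_inode)))
 return 0;
-return security_ops->inode_removexattr(dentry, name);
+return security_ops->inode_removexattr(dentry, mnt, name);
 }
 
 int security_inode_need_killpriv(struct dentry *dentry)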
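--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2807,7 +2807,8 @@ static int selinux_inode_listxattr(struc
 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
 }
 
-static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
+static int selinux_inode_removexattr(struct dentry *dentry,
+struct vfsmount *mnt, const char *name)
 {
 if (strcmp(name, XATTR_NAME_SELINUX))
 return selinux_inode_setotherxattr(dentry, name);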
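--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -687,13 +687,15 @@ static int smack_inode_getxattr(struct d
 /*
  * smack_inode_removexattr - Smack check on removexattr
  * @dentry: the object
+ * @mnt: unused
  * @name: name of the attribute
  *
  * Removing the Smack attribute requires CAP_MAC_ADMIN
  *
  * Returns 0 if access is permitted, an error code otherwise
  */
-static int smack_inode_removexattr(struct dentry *dentry, const char *name)
+static int smack_inode_removexattr(struct dentry *dentry, struct vfsmount *mnt,
+const char *name)
 {
 int rc = 0;
 
@@ -703,7 +705,7 @@ static int smack_inode_removexattr(struc
 if (!capable(CAP_MAC_ADMIN))
 rc = -EPERM;
 } else
-rc = cap_inode_removexattr(dentry, name);
+rc = cap_inode_removexattr(dentry, mnt, name);
 
 if (rc == 0)
 rc = smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE);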