4d1e5b62 AF |
1 | From: Tony Jones <tonyj@suse.de> |
2 | Subject: Pass struct vfsmount to the inode_mknod LSM hook | |
3 | ||
4 | This is needed for computing pathnames in the AppArmor LSM. | |
5 | ||
6 | Signed-off-by: Tony Jones <tonyj@suse.de> | |
7 | Signed-off-by: Andreas Gruenbacher <agruen@suse.de> | |
8 | Signed-off-by: John Johansen <jjohansen@suse.de> | |
9 | ||
10 | --- | |
11 | fs/namei.c | 6 +++--- | |
12 | include/linux/security.h | 7 +++++-- | |
13 | security/capability.c | 2 +- | |
14 | security/security.c | 5 +++-- | |
15 | security/selinux/hooks.c | 5 +++-- | |
16 | 5 files changed, 15 insertions(+), 10 deletions(-) | |
17 | ||
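--- a/fs/namei.c
+++ b/fs/namei.c
@@ -1994,7 +1994,7 @@ int vfs_mknod(struct inode *dir, struct
 if (error)
 return error;
 
-error = security_inode_mknod(dir, dentry, mode, dev);
+error = security_inode_mknod(dir, dentry, mnt, mode, dev);
 if (error)
 return error;
 
@@ -2056,11 +2056,11 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
 break;
 case S_IFCHR: case S_IFBLK:
 error = vfs_mknod(nd.path.dentry->d_inode, dentry,
-nd.path, mode, new_decode_dev(dev));
+nd.path.mnt, mode, new_decode_dev(dev));
 break;
 case S_IFIFO: case S_IFSOCK:
 error = vfs_mknod(nd.path.dentry->d_inode, dentry,
-nd.path, mode, 0);
+nd.path.mnt, mode, 0);
 break;
 }
 mnt_drop_write(nd.path.mnt);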
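Review bot: vfs_mknod forwards mnt into security_inode_mknod unchecked (first hunk) while the hook documentation in security.h declares @mnt "may be NULL", but nothing in fs/namei.c records that contract for vfs_mknod's own callers. The kerneldoc above vfs_mknod, which starts before this hunk, should carry a matching line such as `@mnt: vfsmount @dentry lives on, or NULL (see the inode_mknod hook documentation)`, so a caller without a mount and an LSM that derives a pathname from it both know NULL is a legitimate value that must be handled rather than dereferenced. The mknodat hunk looks consistent with this: nd.path.mnt is passed while the write reference taken earlier is still held, and released by mnt_drop_write below.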
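--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -377,6 +377,7 @@ static inline void security_free_mnt_opt
 * and not this hook.
 * @dir contains the inode structure of parent of the new file.
 * @dentry contains the dentry structure of the new file.
+* @mnt is the vfsmount corresponding to @dentry (may be NULL).
 * @mode contains the mode of the new file.
 * @dev contains the device number.
 * Return 0 if permission is granted.
@@ -1368,7 +1369,7 @@ struct security_operations {
 struct vfsmount *mnt, int mode);
 int (*inode_rmdir) (struct inode *dir, struct dentry *dentry);
 int (*inode_mknod) (struct inode *dir, struct dentry *dentry,
-int mode, dev_t dev);
+struct vfsmount *mnt, int mode, dev_t dev);
 int (*inode_rename) (struct inode *old_dir, struct dentry *old_dentry,
 struct inode *new_dir, struct dentry *new_dentry);
 int (*inode_readlink) (struct dentry *dentry);
@@ -1637,7 +1638,8 @@ int security_inode_symlink(struct inode
 int security_inode_mkdir(struct inode *dir, struct dentry *dentry,
 struct vfsmount *mnt, int mode);
 int security_inode_rmdir(struct inode *dir, struct dentry *dentry);
-int security_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev);
+int security_inode_mknod(struct inode *dir, struct dentry *dentry,
+struct vfsmount *mnt, int mode, dev_t dev);
 int security_inode_rename(struct inode *old_dir, struct dentry *old_dentry,
 struct inode *new_dir, struct dentry *new_dentry);
 int security_inode_readlink(struct dentry *dentry);
@@ -2018,6 +2020,7 @@ static inline int security_inode_rmdir(s
 
 static inline int security_inode_mknod(struct inode *dir,
 struct dentry *dentry,
+struct vfsmount *mnt,
 int mode, dev_t dev)
 {
 return 0;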
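Review bot: The added @mnt line in the first hunk says the mount "may be NULL" but not what a hook is expected to do then, which is the decisive case for an LSM whose check is a pathname check: with no mount there is no path to compute, and the hook has to pick an explicit outcome rather than dereference it. I would extend the line to `* @mnt is the vfsmount corresponding to @dentry, or NULL; a hook that needs a pathname must treat NULL as an explicit case.` The neighbouring inode_mkdir hook already takes a @mnt (visible in the second and third hunks); its description is outside this hunk, but if it documents NULL the two should use the same wording. The inline stub in the last hunk is behaviourally unchanged, and that hunk ends before the stub's closing brace.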
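--- a/security/capability.c
+++ b/security/capability.c
@@ -189,7 +189,7 @@ static int cap_inode_rmdir(struct inode
 }
 
 static int cap_inode_mknod(struct inode *inode, struct dentry *dentry,
-int mode, dev_t dev)
+struct vfsmount *mnt, int mode, dev_t dev)
 {
 return 0;
 }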
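--- a/security/security.c
+++ b/security/security.c
@@ -401,11 +401,12 @@ int security_inode_rmdir(struct inode *d
 return security_ops->inode_rmdir(dir, dentry);
 }
 
-int security_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
+int security_inode_mknod(struct inode *dir, struct dentry *dentry,
+struct vfsmount *mnt, int mode, dev_t dev)
 {
 if (unlikely(IS_PRIVATE(dir)))
 return 0;
-return security_ops->inode_mknod(dir, dentry, mode, dev);
+return security_ops->inode_mknod(dir, dentry, mnt, mode, dev);
 }
 
 int security_inode_rename(struct inode *old_dir, struct dentry *old_dentry,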
108 | --- a/security/selinux/hooks.c | |
109 | +++ b/security/selinux/hooks.c | |
110 | @@ -2608,11 +2608,12 @@ static int selinux_inode_rmdir(struct in | |
111 | return may_link(dir, dentry, MAY_RMDIR); | |
112 | } | |
113 | ||
114 | -static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev) | |
115 | +static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, | |
116 | + struct vfsmount *mnt, int mode, dev_t dev) | |
117 | { | |
118 | int rc; | |
119 | ||
120 | - rc = secondary_ops->inode_mknod(dir, dentry, mode, dev); | |
121 | + rc = secondary_ops->inode_mknod(dir, dentry, mnt, mode, dev); | |
122 | if (rc) | |
123 | return rc; | |
124 |