1 | From: Tony Jones <tonyj@suse.de> |
2 | Subject: Pass struct vfsmount to the inode_setxattr LSM hook | |
3 | ||
4 | This is needed for computing pathnames in the AppArmor LSM. | |
5 | ||
6 | Signed-off-by: Tony Jones <tonyj@suse.de> | |
7 | Signed-off-by: Andreas Gruenbacher <agruen@suse.de> | |
8 | Signed-off-by: John Johansen <jjohansen@suse.de> | |
9 | ||
10 | --- | |
11 | fs/xattr.c | 4 ++-- | |
12 | include/linux/security.h | 41 ++++++++++++++++++++++++++--------------- | |
13 | security/capability.c | 3 ++- | |
14 | security/commoncap.c | 5 +++-- | |
15 | security/security.c | 16 ++++++++++------ | |
16 | security/selinux/hooks.c | 8 +++++--- | |
17 | security/smack/smack_lsm.c | 12 ++++++++---- | |
18 | 7 files changed, 56 insertions(+), 33 deletions(-) | |
19 | ||
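--- a/fs/xattr.c
+++ b/fs/xattr.c
@@ -78,7 +78,7 @@ vfs_setxattr(struct dentry *dentry, stru
 return error;
 
 mutex_lock(&inode->i_mutex);
-error = security_inode_setxattr(dentry, name, value, size, flags);
+error = security_inode_setxattr(dentry, mnt, name, value, size, flags);
 if (error)
 goto out;
 error = -EOPNOTSUPP;
@@ -86,7 +86,7 @@ vfs_setxattr(struct dentry *dentry, stru
 error = inode->i_op->setxattr(dentry, name, value, size, flags);
 if (!error) {
 fsnotify_xattr(dentry);
-security_inode_post_setxattr(dentry, name, value,
+security_inode_post_setxattr(dentry, mnt, name, value,
 size, flags);
 }
 } else if (!strncmp(name, XATTR_SECURITY_PREFIX,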
36 | + security_inode_post_setxattr(dentry, mnt, name, value, | |
37 | size, flags); | |
38 | } | |
39 | } else if (!strncmp(name, XATTR_SECURITY_PREFIX, | |
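--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -54,8 +54,9 @@ extern void cap_capset_set(struct task_s
 extern int cap_bprm_set_security(struct linux_binprm *bprm);
 extern void cap_bprm_apply_creds(struct linux_binprm *bprm, int unsafe);
 extern int cap_bprm_secureexec(struct linux_binprm *bprm);
-extern int cap_inode_setxattr(struct dentry *dentry, const char *name,
-const void *value, size_t size, int flags);
+extern int cap_inode_setxattr(struct dentry *dentry, struct vfsmount *mnt,
+const char *name, const void *value, size_t size,
+int flags);
 extern int cap_inode_removexattr(struct dentry *dentry, const char *name);
 extern int cap_inode_need_killpriv(struct dentry *dentry);
 extern int cap_inode_killpriv(struct dentry *dentry);
@@ -438,11 +439,11 @@ static inline void security_free_mnt_opt
 * inode.
 * @inode_setxattr:
 * Check permission before setting the extended attributes
- * @value identified by @name for @dentry.
+ * @value identified by @name for @dentry and @mnt.
 * Return 0 if permission is granted.
 * @inode_post_setxattr:
 * Update inode security field after successful setxattr operation.
- * @value identified by @name for @dentry.
+ * @value identified by @name for @dentry and @mnt.
 * @inode_getxattr:
 * Check permission before obtaining the extended attributes
 * identified by @name for @dentry.
@@ -1392,10 +1393,13 @@ struct security_operations {
 struct iattr *attr);
 int (*inode_getattr) (struct vfsmount *mnt, struct dentry *dentry);
 void (*inode_delete) (struct inode *inode);
-int (*inode_setxattr) (struct dentry *dentry, const char *name,
-const void *value, size_t size, int flags);
-void (*inode_post_setxattr) (struct dentry *dentry, const char *name,
-const void *value, size_t size, int flags);
+int (*inode_setxattr) (struct dentry *dentry, struct vfsmount *mnt,
+const char *name, const void *value, size_t size,
+int flags);
+void (*inode_post_setxattr) (struct dentry *dentry,
+struct vfsmount *mnt,
+const char *name, const void *value,
+size_t size, int flags);
 int (*inode_getxattr) (struct dentry *dentry, const char *name);
 int (*inode_listxattr) (struct dentry *dentry);
 int (*inode_removexattr) (struct dentry *dentry, const char *name);
@@ -1666,10 +1670,12 @@ int security_inode_setattr(struct dentry
 struct iattr *attr);
 int security_inode_getattr(struct vfsmount *mnt, struct dentry *dentry);
 void security_inode_delete(struct inode *inode);
-int security_inode_setxattr(struct dentry *dentry, const char *name,
-const void *value, size_t size, int flags);
-void security_inode_post_setxattr(struct dentry *dentry, const char *name,
-const void *value, size_t size, int flags);
+int security_inode_setxattr(struct dentry *dentry, struct vfsmount *mnt,
+const char *name, const void *value,
+size_t size, int flags);
+void security_inode_post_setxattr(struct dentry *dentry, struct vfsmount *mnt,
+const char *name, const void *value,
+size_t size, int flags);
 int security_inode_getxattr(struct dentry *dentry, const char *name);
 int security_inode_listxattr(struct dentry *dentry);
 int security_inode_removexattr(struct dentry *dentry, const char *name);
@@ -2092,13 +2098,18 @@ static inline void security_inode_delete
 { }
 
 static inline int security_inode_setxattr(struct dentry *dentry,
-const char *name, const void *value, size_t size, int flags)
+struct vfsmount *mnt,
+const char *name, const void *value,
+size_t size, int flags)
 {
-return cap_inode_setxattr(dentry, name, value, size, flags);
+return cap_inode_setxattr(dentry, mnt, name, value, size, flags);
 }
 
 static inline void security_inode_post_setxattr(struct dentry *dentry,
-const char *name, const void *value, size_t size, int flags)
+struct vfsmount *mnt,
+const char *name,
+const void *value,
+size_t size, int flags)
 { }
 
 static inline int security_inode_getxattr(struct dentry *dentry,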
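Review bot: The `@inode_setxattr` and `@inode_post_setxattr` kerneldoc entries now read `for @dentry and @mnt` but say nothing about whether @mnt may be NULL, so a hook implementer cannot tell from the interface whether a guard is required before deriving a path from it. Smack documents the new parameter as unused and none of the hunks in this commit show an implementation reading it, so the contract is not yet exercised anywhere visible. Suggest stating it in the comment, e.g. `@mnt is the mount the object was reached through; may be NULL when the caller has none` if that is what vfs_setxattr's callers guarantee, or the must-not-be-NULL form otherwise.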
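--- a/security/capability.c
+++ b/security/capability.c
@@ -235,7 +235,8 @@ static void cap_inode_delete(struct inod
 {
 }
 
-static void cap_inode_post_setxattr(struct dentry *dentry, const char *name,
+static void cap_inode_post_setxattr(struct dentry *dentry, struct vfsmount *mnt,
+const char *name,
 const void *value, size_t size, int flags)
 {
 }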
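--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -414,8 +414,9 @@ int cap_bprm_secureexec (struct linux_bi
 current->egid != current->gid);
 }
 
-int cap_inode_setxattr(struct dentry *dentry, const char *name,
-const void *value, size_t size, int flags)
+int cap_inode_setxattr(struct dentry *dentry, struct vfsmount *mnt,
+const char *name, const void *value, size_t size,
+int flags)
 {
 if (!strcmp(name, XATTR_NAME_CAPS)) {
 if (!capable(CAP_SETFCAP))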
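--- a/security/security.c
+++ b/security/security.c
@@ -468,20 +468,24 @@ void security_inode_delete(struct inode
 security_ops->inode_delete(inode);
 }
 
-int security_inode_setxattr(struct dentry *dentry, const char *name,
-const void *value, size_t size, int flags)
+int security_inode_setxattr(struct dentry *dentry, struct vfsmount *mnt,
+const char *name, const void *value, size_t size,
+int flags)
 {
 if (unlikely(IS_PRIVATE(dentry->d_inode)))
 return 0;
-return security_ops->inode_setxattr(dentry, name, value, size, flags);
+return security_ops->inode_setxattr(dentry, mnt, name, value, size,
+flags);
 }
 
-void security_inode_post_setxattr(struct dentry *dentry, const char *name,
-const void *value, size_t size, int flags)
+void security_inode_post_setxattr(struct dentry *dentry, struct vfsmount *mnt,
+const char *name, const void *value,
+size_t size, int flags)
 {
 if (unlikely(IS_PRIVATE(dentry->d_inode)))
 return;
-security_ops->inode_post_setxattr(dentry, name, value, size, flags);
+security_ops->inode_post_setxattr(dentry, mnt, name, value, size,
+flags);
 }
 
 int security_inode_getxattr(struct dentry *dentry, const char *name)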
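--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2713,8 +2713,9 @@ static int selinux_inode_setotherxattr(s
 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
 }
 
-static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
-const void *value, size_t size, int flags)
+static int selinux_inode_setxattr(struct dentry *dentry, struct vfsmount *mnt,
+const char *name, const void *value,
+size_t size, int flags)
 {
 struct task_security_struct *tsec = current->security;
 struct inode *inode = dentry->d_inode;
@@ -2768,7 +2769,8 @@ static int selinux_inode_setxattr(struct
 &ad);
 }
 
-static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
+static void selinux_inode_post_setxattr(struct dentry *dentry,
+struct vfsmount *mnt, const char *name,
 const void *value, size_t size,
 int flags)
 {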
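--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -595,6 +595,7 @@ static int smack_inode_getattr(struct vf
 /**
 * smack_inode_setxattr - Smack check for setting xattrs
 * @dentry: the object
+ * @mnt: unused
 * @name: name of the attribute
 * @value: unused
 * @size: unused
@@ -604,8 +605,9 @@ static int smack_inode_getattr(struct vf
 *
 * Returns 0 if access is permitted, an error code otherwise
 */
-static int smack_inode_setxattr(struct dentry *dentry, const char *name,
-const void *value, size_t size, int flags)
+static int smack_inode_setxattr(struct dentry *dentry, struct vfsmount *mnt,
+const char *name, const void *value,
+size_t size, int flags)
 {
 int rc = 0;
 
@@ -617,7 +619,7 @@ static int smack_inode_setxattr(struct d
 if (size == 0)
 rc = -EINVAL;
 } else
-rc = cap_inode_setxattr(dentry, name, value, size, flags);
+rc = cap_inode_setxattr(dentry, mnt, name, value, size, flags);
 
 if (rc == 0)
 rc = smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE);
@@ -628,6 +630,7 @@ static int smack_inode_setxattr(struct d
 /**
 * smack_inode_post_setxattr - Apply the Smack update approved above
 * @dentry: object
+ * @mnt: unused
 * @name: attribute name
 * @value: attribute value
 * @size: attribute size
@@ -636,7 +639,8 @@ static int smack_inode_setxattr(struct d
 * Set the pointer in the inode blob to the entry found
 * in the master label list.
 */
-static void smack_inode_post_setxattr(struct dentry *dentry, const char *name,
+static void smack_inode_post_setxattr(struct dentry *dentry,
+struct vfsmount *mnt, const char *name,
 const void *value, size_t size, int flags)
 {
 struct inode_smack *isp;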