1 From: Tony Jones <tonyj@suse.de>
2 Subject: Pass struct vfsmount to the inode_removexattr LSM hook
4 This is needed for computing pathnames in the AppArmor LSM.
6 Signed-off-by: Tony Jones <tonyj@suse.de>
7 Signed-off-by: Andreas Gruenbacher <agruen@suse.de>
8 Signed-off-by: John Johansen <jjohansen@suse.de>
12 include/linux/security.h | 14 +++++++++-----
13 security/commoncap.c | 3 ++-
14 security/security.c | 5 +++--
15 security/selinux/hooks.c | 3 ++-
16 security/smack/smack_lsm.c | 6 ++++--
17 6 files changed, 21 insertions(+), 12 deletions(-)
21 @@ -202,7 +202,7 @@ vfs_removexattr(struct dentry *dentry, s
25 - error = security_inode_removexattr(dentry, name);
26 + error = security_inode_removexattr(dentry, mnt, name);
30 --- a/include/linux/security.h
31 +++ b/include/linux/security.h
32 @@ -57,7 +57,8 @@ extern int cap_bprm_secureexec(struct li
33 extern int cap_inode_setxattr(struct dentry *dentry, struct vfsmount *mnt,
34 const char *name, const void *value, size_t size,
36 -extern int cap_inode_removexattr(struct dentry *dentry, const char *name);
37 +extern int cap_inode_removexattr(struct dentry *dentry, struct vfsmount *mnt,
39 extern int cap_inode_need_killpriv(struct dentry *dentry);
40 extern int cap_inode_killpriv(struct dentry *dentry);
41 extern int cap_task_post_setuid(uid_t old_ruid, uid_t old_euid, uid_t old_suid, int flags);
42 @@ -1403,7 +1404,8 @@ struct security_operations {
43 int (*inode_getxattr) (struct dentry *dentry, struct vfsmount *mnt,
45 int (*inode_listxattr) (struct dentry *dentry, struct vfsmount *mnt);
46 - int (*inode_removexattr) (struct dentry *dentry, const char *name);
47 + int (*inode_removexattr) (struct dentry *dentry, struct vfsmount *mnt,
49 int (*inode_need_killpriv) (struct dentry *dentry);
50 int (*inode_killpriv) (struct dentry *dentry);
51 int (*inode_getsecurity) (const struct inode *inode, const char *name, void **buffer, bool alloc);
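Review bot: The new `mnt` parameter of the `inode_removexattr` hook is not documented in this hunk, and the kerneldoc block that describes every `struct security_operations` member (above this hunk, outside it) presumably still lists only `dentry` and `name` under `@inode_removexattr:`. Because the stated purpose of the argument is pathname computation in an LSM, that entry should say what `mnt` is and, in particular, whether a caller may ever pass NULL, since a path-based hook will dereference it; something like ` *	@mnt contains the vfsmount through which @dentry is being accessed.` plus a sentence on the NULL contract. The same wording should be reflected at the `cap_inode_removexattr` and `security_inode_removexattr` prototypes changed in the other hunks of this file.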
52 @@ -1680,7 +1682,8 @@ void security_inode_post_setxattr(struct
53 int security_inode_getxattr(struct dentry *dentry, struct vfsmount *mnt,
55 int security_inode_listxattr(struct dentry *dentry, struct vfsmount *mnt);
56 -int security_inode_removexattr(struct dentry *dentry, const char *name);
57 +int security_inode_removexattr(struct dentry *dentry, struct vfsmount *mnt,
59 int security_inode_need_killpriv(struct dentry *dentry);
60 int security_inode_killpriv(struct dentry *dentry);
61 int security_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc);
62 @@ -2128,9 +2131,10 @@ static inline int security_inode_listxat
65 static inline int security_inode_removexattr(struct dentry *dentry,
67 + struct vfsmount *mnt,
70 - return cap_inode_removexattr(dentry, name);
71 + return cap_inode_removexattr(dentry, mnt, name);
74 static inline int security_inode_need_killpriv(struct dentry *dentry)
75 --- a/security/commoncap.c
76 +++ b/security/commoncap.c
77 @@ -429,7 +429,8 @@ int cap_inode_setxattr(struct dentry *de
81 -int cap_inode_removexattr(struct dentry *dentry, const char *name)
82 +int cap_inode_removexattr(struct dentry *dentry, struct vfsmount *mnt,
85 if (!strcmp(name, XATTR_NAME_CAPS)) {
86 if (!capable(CAP_SETFCAP))
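Review bot: `cap_inode_removexattr` now accepts `mnt`, but the visible part of the body only inspects `name`, so a reader may wonder whether the argument was meant to be consulted. A one-line comment at the top of the body, `/* mnt is not needed for the capability check; it is part of the hook signature for path-based LSMs */`, would make the intent explicit. The same applies to `selinux_inode_removexattr` in the security/selinux/hooks.c hunk, which likewise takes `mnt` without using it. The function body continues outside the hunk.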
87 --- a/security/security.c
88 +++ b/security/security.c
89 @@ -506,11 +506,12 @@ int security_inode_listxattr(struct dent
90 return security_ops->inode_listxattr(dentry, mnt);
93 -int security_inode_removexattr(struct dentry *dentry, const char *name)
94 +int security_inode_removexattr(struct dentry *dentry, struct vfsmount *mnt,
97 if (unlikely(IS_PRIVATE(dentry->d_inode)))
99 - return security_ops->inode_removexattr(dentry, name);
100 + return security_ops->inode_removexattr(dentry, mnt, name);
103 int security_inode_need_killpriv(struct dentry *dentry)
104 --- a/security/selinux/hooks.c
105 +++ b/security/selinux/hooks.c
106 @@ -2807,7 +2807,8 @@ static int selinux_inode_listxattr(struc
107 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
110 -static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
111 +static int selinux_inode_removexattr(struct dentry *dentry,
112 + struct vfsmount *mnt, const char *name)
114 if (strcmp(name, XATTR_NAME_SELINUX))
115 return selinux_inode_setotherxattr(dentry, name);
116 --- a/security/smack/smack_lsm.c
117 +++ b/security/smack/smack_lsm.c
118 @@ -687,13 +687,15 @@ static int smack_inode_getxattr(struct d
120 * smack_inode_removexattr - Smack check on removexattr
121 * @dentry: the object
123 * @name: name of the attribute
125 * Removing the Smack attribute requires CAP_MAC_ADMIN
127 * Returns 0 if access is permitted, an error code otherwise
129 -static int smack_inode_removexattr(struct dentry *dentry, const char *name)
130 +static int smack_inode_removexattr(struct dentry *dentry, struct vfsmount *mnt,
135 @@ -703,7 +705,7 @@ static int smack_inode_removexattr(struc
136 if (!capable(CAP_MAC_ADMIN))
139 - rc = cap_inode_removexattr(dentry, name);
140 + rc = cap_inode_removexattr(dentry, mnt, name);
143 rc = smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE);