1 | From: Tony Jones <tonyj@suse.de> |
2 | Subject: Pass struct vfsmount to the inode_create LSM hook | |
3 | ||
4 | This is needed for computing pathnames in the AppArmor LSM. | |
5 | ||
6 | Signed-off-by: Tony Jones <tonyj@suse.de> | |
7 | Signed-off-by: Andreas Gruenbacher <agruen@suse.de> | |
8 | Signed-off-by: John Johansen <jjohansen@suse.de> | |
9 | ||
10 | --- | |
11 | fs/namei.c | 2 +- | |
12 | include/linux/security.h | 9 ++++++--- | |
13 | security/capability.c | 2 +- | |
14 | security/security.c | 5 +++-- | |
15 | security/selinux/hooks.c | 3 ++- | |
16 | 5 files changed, 13 insertions(+), 8 deletions(-) | |
17 | ||
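--- a/fs/namei.c
+++ b/fs/namei.c
@@ -1543,7 +1543,7 @@ int vfs_create(struct inode *dir, struct
 return -EACCES; /* shouldn't it be ENOSYS? */
 mode &= S_IALLUGO;
 mode |= S_IFREG;
-error = security_inode_create(dir, dentry, mode);
+error = security_inode_create(dir, dentry, nd ? nd->path.mnt : NULL, mode);
 if (error)
 return error;
 DQUOT_INIT(dir);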
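Review bot: The new call `error = security_inode_create(dir, dentry, nd ? nd->path.mnt : NULL, mode);` hands the hook a NULL vfsmount whenever vfs_create runs without a nameidata, and nothing at the call site records what a pathname-based LSM is expected to do in that case. Given the patch exists to compute pathnames, a NULL mnt means no pathname can be built, and whether the hook then denies, or falls back to a non-path decision, is a policy choice that should be visible here rather than inferred from the header comment. A short comment above the call would pin it: `/* nd may be NULL (no path walk, presumably); the LSM then sees mnt == NULL and must decide without a pathname */`. vfs_create starts and ends outside this hunk.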
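--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -337,6 +337,7 @@ static inline void security_free_mnt_opt
 * Check permission to create a regular file.
 * @dir contains inode structure of the parent of the new file.
 * @dentry contains the dentry structure for the file to be created.
+ * @mnt is the vfsmount corresponding to @dentry (may be NULL).
 * @mode contains the file mode of the file to be created.
 * Return 0 if permission is granted.
 * @inode_link:
@@ -1354,8 +1355,8 @@ struct security_operations {
 void (*inode_free_security) (struct inode *inode);
 int (*inode_init_security) (struct inode *inode, struct inode *dir,
 char **name, void **value, size_t *len);
-int (*inode_create) (struct inode *dir,
-struct dentry *dentry, int mode);
+int (*inode_create) (struct inode *dir, struct dentry *dentry,
+struct vfsmount *mnt, int mode);
 int (*inode_link) (struct dentry *old_dentry,
 struct inode *dir, struct dentry *new_dentry);
 int (*inode_unlink) (struct inode *dir, struct dentry *dentry);
@@ -1622,7 +1623,8 @@ int security_inode_alloc(struct inode *i
 void security_inode_free(struct inode *inode);
 int security_inode_init_security(struct inode *inode, struct inode *dir,
 char **name, void **value, size_t *len);
-int security_inode_create(struct inode *dir, struct dentry *dentry, int mode);
+int security_inode_create(struct inode *dir, struct dentry *dentry,
+struct vfsmount *mnt, int mode);
 int security_inode_link(struct dentry *old_dentry, struct inode *dir,
 struct dentry *new_dentry);
 int security_inode_unlink(struct inode *dir, struct dentry *dentry);
@@ -1968,6 +1970,7 @@ static inline int security_inode_init_se
 
 static inline int security_inode_create(struct inode *dir,
 struct dentry *dentry,
+struct vfsmount *mnt,
 int mode)
 {
 return 0;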
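Review bot: The added documentation line `* @mnt is the vfsmount corresponding to @dentry (may be NULL).` says the argument can be NULL but not when, nor what a hook that depends on it should do, which is the only part of the contract a pathname-based module actually needs. Something like `* @mnt is the vfsmount @dentry was reached through, or NULL when the caller has no path information; hooks that need a pathname must handle NULL explicitly.` lets implementers fail closed deliberately instead of by accident. The inline stub in the last hunk returns 0 with the new parameter unused, consistent with the existing no-LSM stub behaviour (presumably the !CONFIG_SECURITY build); its closing brace is outside the hunk.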
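--- a/security/capability.c
+++ b/security/capability.c
@@ -155,7 +155,7 @@ static int cap_inode_init_security(struc
 }
 
 static int cap_inode_create(struct inode *inode, struct dentry *dentry,
-int mask)
+struct vfsmount *mnt, int mask)
 {
 return 0;
 }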
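Review bot: The rewritten signature `struct vfsmount *mnt, int mask)` keeps the name `mask` for a parameter that the `inode_create` op type and `security_inode_create` in this same patch call `mode`, and that vfs_create fills with `S_IFREG | (mode & S_IALLUGO)`. Since the line is being rewritten anyway, `struct vfsmount *mnt, int mode)` would make the three declarations agree; the body is `return 0;`, so the rename is purely cosmetic. The same mismatch is in the rewritten selinux_inode_create signature in security/selinux/hooks.c.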
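--- a/security/security.c
+++ b/security/security.c
@@ -355,11 +355,12 @@ int security_inode_init_security(struct
 }
 EXPORT_SYMBOL(security_inode_init_security);
 
-int security_inode_create(struct inode *dir, struct dentry *dentry, int mode)
+int security_inode_create(struct inode *dir, struct dentry *dentry,
+struct vfsmount *mnt, int mode)
 {
 if (unlikely(IS_PRIVATE(dir)))
 return 0;
-return security_ops->inode_create(dir, dentry, mode);
+return security_ops->inode_create(dir, dentry, mnt, mode);
 }
 
 int security_inode_link(struct dentry *old_dentry, struct inode *dir,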
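--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2566,7 +2566,8 @@ static int selinux_inode_init_security(s
 return 0;
 }
 
-static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
+static int selinux_inode_create(struct inode *dir, struct dentry *dentry,
+struct vfsmount *mnt, int mask)
 {
 return may_create(dir, dentry, SECCLASS_FILE);
 }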