[ipfire-2.x.git] / src / patches / suse-2.6.27.39 / patches.apparmor / security-mknod.diff

From: Tony Jones <tonyj@suse.de>
Subject: Pass struct vfsmount to the inode_mknod LSM hook

This is needed for computing pathnames in the AppArmor LSM.

Signed-off-by: Tony Jones <tonyj@suse.de>
Signed-off-by: Andreas Gruenbacher <agruen@suse.de>
Signed-off-by: John Johansen <jjohansen@suse.de>

---
 fs/namei.c               |    6 +++---
 include/linux/security.h |    7 +++++--
 security/capability.c    |    2 +-
 security/security.c      |    5 +++--
 security/selinux/hooks.c |    5 +++--
 5 files changed, 15 insertions(+), 10 deletions(-)

--- a/fs/namei.c
+++ b/fs/namei.c
@@ -1994,7 +1994,7 @@ int vfs_mknod(struct inode *dir, struct
 	if (error)
 		return error;
 
-	error = security_inode_mknod(dir, dentry, mode, dev);
+	error = security_inode_mknod(dir, dentry, mnt, mode, dev);
 	if (error)
 		return error;
 
@@ -2056,11 +2056,11 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
 			break;
 		case S_IFCHR: case S_IFBLK:
 			error = vfs_mknod(nd.path.dentry->d_inode, dentry,
-					  nd.path, mode, new_decode_dev(dev));
+					  nd.path.mnt, mode, new_decode_dev(dev));
 			break;
 		case S_IFIFO: case S_IFSOCK:
 			error = vfs_mknod(nd.path.dentry->d_inode, dentry,
-					  nd.path, mode, 0);
+					  nd.path.mnt, mode, 0);
 			break;
 	}
 	mnt_drop_write(nd.path.mnt);
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -377,6 +377,7 @@ static inline void security_free_mnt_opt
  *	and not this hook.
  *	@dir contains the inode structure of parent of the new file.
  *	@dentry contains the dentry structure of the new file.
+ *	@mnt is the vfsmount corresponding to @dentry (may be NULL).
  *	@mode contains the mode of the new file.
  *	@dev contains the device number.
  *	Return 0 if permission is granted.
@@ -1368,7 +1369,7 @@ struct security_operations {
 			    struct vfsmount *mnt, int mode);
 	int (*inode_rmdir) (struct inode *dir, struct dentry *dentry);
 	int (*inode_mknod) (struct inode *dir, struct dentry *dentry,
-			    int mode, dev_t dev);
+			    struct vfsmount *mnt, int mode, dev_t dev);
 	int (*inode_rename) (struct inode *old_dir, struct dentry *old_dentry,
 			     struct inode *new_dir, struct dentry *new_dentry);
 	int (*inode_readlink) (struct dentry *dentry);
@@ -1637,7 +1638,8 @@ int security_inode_symlink(struct inode
 int security_inode_mkdir(struct inode *dir, struct dentry *dentry,
 			 struct vfsmount *mnt, int mode);
 int security_inode_rmdir(struct inode *dir, struct dentry *dentry);
-int security_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev);
+int security_inode_mknod(struct inode *dir, struct dentry *dentry,
+			 struct vfsmount *mnt, int mode, dev_t dev);
 int security_inode_rename(struct inode *old_dir, struct dentry *old_dentry,
 			  struct inode *new_dir, struct dentry *new_dentry);
 int security_inode_readlink(struct dentry *dentry);
@@ -2018,6 +2020,7 @@ static inline int security_inode_rmdir(s
 
 static inline int security_inode_mknod(struct inode *dir,
 					struct dentry *dentry,
+					struct vfsmount *mnt,
 					int mode, dev_t dev)
 {
 	return 0;
--- a/security/capability.c
+++ b/security/capability.c
@@ -189,7 +189,7 @@ static int cap_inode_rmdir(struct inode
 }
 
 static int cap_inode_mknod(struct inode *inode, struct dentry *dentry,
-			   int mode, dev_t dev)
+			   struct vfsmount *mnt, int mode, dev_t dev)
 {
 	return 0;
 }
--- a/security/security.c
+++ b/security/security.c
@@ -401,11 +401,12 @@ int security_inode_rmdir(struct inode *d
 	return security_ops->inode_rmdir(dir, dentry);
 }
 
-int security_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
+int security_inode_mknod(struct inode *dir, struct dentry *dentry,
+			 struct vfsmount *mnt, int mode, dev_t dev)
 {
 	if (unlikely(IS_PRIVATE(dir)))
 		return 0;
-	return security_ops->inode_mknod(dir, dentry, mode, dev);
+	return security_ops->inode_mknod(dir, dentry, mnt, mode, dev);
 }
 
 int security_inode_rename(struct inode *old_dir, struct dentry *old_dentry,
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2608,11 +2608,12 @@ static int selinux_inode_rmdir(struct in
 	return may_link(dir, dentry, MAY_RMDIR);
 }
 
-static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
+static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry,
+			       struct vfsmount *mnt, int mode, dev_t dev)
 {
 	int rc;
 
-	rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
+	rc = secondary_ops->inode_mknod(dir, dentry, mnt, mode, dev);
 	if (rc)
 		return rc;
Commit	Line	Data
4d1e5b62 AF	1	From: Tony Jones <tonyj@suse.de>
	2	Subject: Pass struct vfsmount to the inode_mknod LSM hook
	3
	4	This is needed for computing pathnames in the AppArmor LSM.
	5
	6	Signed-off-by: Tony Jones <tonyj@suse.de>
	7	Signed-off-by: Andreas Gruenbacher <agruen@suse.de>
	8	Signed-off-by: John Johansen <jjohansen@suse.de>
	9
	10	---
	11	fs/namei.c \| 6 +++---
	12	include/linux/security.h \| 7 +++++--
	13	security/capability.c \| 2 +-
	14	security/security.c \| 5 +++--
	15	security/selinux/hooks.c \| 5 +++--
	16	5 files changed, 15 insertions(+), 10 deletions(-)
	17
	18	--- a/fs/namei.c
	19	+++ b/fs/namei.c
	20	@@ -1994,7 +1994,7 @@ int vfs_mknod(struct inode *dir, struct
	21	if (error)
	22	return error;
	23
	24	- error = security_inode_mknod(dir, dentry, mode, dev);
	25	+ error = security_inode_mknod(dir, dentry, mnt, mode, dev);
	26	if (error)
	27	return error;
	28
	29	@@ -2056,11 +2056,11 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
	30	break;
	31	case S_IFCHR: case S_IFBLK:
	32	error = vfs_mknod(nd.path.dentry->d_inode, dentry,
	33	- nd.path, mode, new_decode_dev(dev));
	34	+ nd.path.mnt, mode, new_decode_dev(dev));
	35	break;
	36	case S_IFIFO: case S_IFSOCK:
	37	error = vfs_mknod(nd.path.dentry->d_inode, dentry,
	38	- nd.path, mode, 0);
	39	+ nd.path.mnt, mode, 0);
	40	break;
	41	}
	42	mnt_drop_write(nd.path.mnt);
	43	--- a/include/linux/security.h
	44	+++ b/include/linux/security.h
	45	@@ -377,6 +377,7 @@ static inline void security_free_mnt_opt
	46	* and not this hook.
	47	* @dir contains the inode structure of parent of the new file.
	48	* @dentry contains the dentry structure of the new file.
	49	+ * @mnt is the vfsmount corresponding to @dentry (may be NULL).
	50	* @mode contains the mode of the new file.
	51	* @dev contains the device number.
	52	* Return 0 if permission is granted.
	53	@@ -1368,7 +1369,7 @@ struct security_operations {
	54	struct vfsmount *mnt, int mode);
	55	int (inode_rmdir) (struct inode dir, struct dentry *dentry);
	56	int (inode_mknod) (struct inode dir, struct dentry *dentry,
	57	- int mode, dev_t dev);
	58	+ struct vfsmount *mnt, int mode, dev_t dev);
	59	int (inode_rename) (struct inode old_dir, struct dentry *old_dentry,
	60	struct inode new_dir, struct dentry new_dentry);
	61	int (inode_readlink) (struct dentry dentry);
	62	@@ -1637,7 +1638,8 @@ int security_inode_symlink(struct inode
	63	int security_inode_mkdir(struct inode dir, struct dentry dentry,
	64	struct vfsmount *mnt, int mode);
65	int security_inode_rmdir(struct inode dir, struct dentry dentry);
66	-int security_inode_mknod(struct inode dir, struct dentry dentry, int mode, dev_t dev);
67	+int security_inode_mknod(struct inode dir, struct dentry dentry,
68	+ struct vfsmount *mnt, int mode, dev_t dev);
69	int security_inode_rename(struct inode old_dir, struct dentry old_dentry,
70	struct inode new_dir, struct dentry new_dentry);
71	int security_inode_readlink(struct dentry *dentry);
72	@@ -2018,6 +2020,7 @@ static inline int security_inode_rmdir(s
73
74	static inline int security_inode_mknod(struct inode *dir,
75	struct dentry *dentry,
76	+ struct vfsmount *mnt,
77	int mode, dev_t dev)
78	{
79	return 0;
80	--- a/security/capability.c
81	+++ b/security/capability.c
82	@@ -189,7 +189,7 @@ static int cap_inode_rmdir(struct inode
83	}
84
85	static int cap_inode_mknod(struct inode inode, struct dentry dentry,
86	- int mode, dev_t dev)
87	+ struct vfsmount *mnt, int mode, dev_t dev)
88	{
89	return 0;
90	}
91	--- a/security/security.c
92	+++ b/security/security.c
93	@@ -401,11 +401,12 @@ int security_inode_rmdir(struct inode *d
94	return security_ops->inode_rmdir(dir, dentry);
95	}
96
97	-int security_inode_mknod(struct inode dir, struct dentry dentry, int mode, dev_t dev)
98	+int security_inode_mknod(struct inode dir, struct dentry dentry,
99	+ struct vfsmount *mnt, int mode, dev_t dev)
100	{
101	if (unlikely(IS_PRIVATE(dir)))
102	return 0;
103	- return security_ops->inode_mknod(dir, dentry, mode, dev);
104	+ return security_ops->inode_mknod(dir, dentry, mnt, mode, dev);
105	}
106
107	int security_inode_rename(struct inode old_dir, struct dentry old_dentry,
108	--- a/security/selinux/hooks.c
109	+++ b/security/selinux/hooks.c
110	@@ -2608,11 +2608,12 @@ static int selinux_inode_rmdir(struct in
111	return may_link(dir, dentry, MAY_RMDIR);
112	}
113
114	-static int selinux_inode_mknod(struct inode dir, struct dentry dentry, int mode, dev_t dev)
115	+static int selinux_inode_mknod(struct inode dir, struct dentry dentry,
116	+ struct vfsmount *mnt, int mode, dev_t dev)
117	{
118	int rc;
119
120	- rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
121	+ rc = secondary_ops->inode_mknod(dir, dentry, mnt, mode, dev);
122	if (rc)
123	return rc;
124