1 From: Jeff Mahoney <jeffm@suse.com>
2 Subject: [PATCH] apparmor: convert apparmor_inode_permission to path
3
4 patches.apparmor/add-security_path_permission added the ->path_permission
5 call. This patch converts apparmor_inode_permission to
6 apparmor_path_permission. The former is now a pass-all, which is how
7 it behaved in 2.6.26 if a NULL nameidata was passed.
8
9 Signed-off-by: Jeff Mahoney <jeffm@suse.com>
10 ---
11 security/apparmor/lsm.c | 41 +++++++++++++++++++++++++++--------------
12 1 file changed, 27 insertions(+), 14 deletions(-)
13
14 --- a/security/apparmor/lsm.c
15 +++ b/security/apparmor/lsm.c
16 @@ -448,21 +448,9 @@ out:
17 return error;
18 }
19
20 -static int apparmor_inode_permission(struct inode *inode, int mask,
21 - struct nameidata *nd)
22 +static int apparmor_inode_permission(struct inode *inode, int mask)
23 {
24 - int check = 0;
25 -
26 - if (!nd || nd->flags & (LOOKUP_PARENT | LOOKUP_CONTINUE))
27 - return 0;
28 - mask = aa_mask_permissions(mask);
29 - if (S_ISDIR(inode->i_mode)) {
30 - check |= AA_CHECK_DIR;
31 - /* allow traverse accesses to directories */
32 - mask &= ~MAY_EXEC;
33 - }
34 - return aa_permission("inode_permission", inode, nd->dentry, nd->mnt,
35 - mask, check);
36 + return 0;
37 }
38
39 static int apparmor_inode_setattr(struct dentry *dentry, struct vfsmount *mnt,
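Review bot: The new body of apparmor_inode_permission is a bare `return 0;`, so nothing in the file records that this LSM hook is now a deliberate allow-all and that file mediation depends on the path_permission hook being reached. A comment above the function would make that explicit, for example `/* Intentionally permits everything: mediation happens in apparmor_path_permission(). */`. Any inode_permission call site without a matching path_permission call would no longer be checked by AppArmor. Those call sites are in the companion add-security_path_permission patch and are not visible here, so that coverage is worth confirming when the two patches are reviewed together.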
40 @@ -656,6 +644,29 @@ static int apparmor_file_mprotect(struct
41 !(vma->vm_flags & VM_SHARED) ? MAP_PRIVATE : 0);
42 }
43
44 +static int apparmor_path_permission(struct path *path, int mask)
45 +{
46 + struct inode *inode;
47 + int check = 0;
48 +
49 + if (!path)
50 + return 0;
51 +
52 + inode = path->dentry->d_inode;
53 +
54 + mask = aa_mask_permissions(mask);
55 + if (S_ISDIR(inode->i_mode)) {
56 + check |= AA_CHECK_DIR;
57 + /* allow traverse accesses to directories */
58 + mask &= ~MAY_EXEC;
59 + if (!mask)
60 + return 0;
61 + }
62 +
63 + return aa_permission("inode_permission", inode, path->dentry,
64 + path->mnt, mask, check);
65 +}
66 +
67 static int apparmor_task_alloc_security(struct task_struct *task)
68 {
69 return aa_clone(task);
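Review bot: `inode = path->dentry->d_inode` is dereferenced in `S_ISDIR(inode->i_mode)` with no NULL check, while the only guard in apparmor_path_permission is `if (!path)`. Whether the hook can be called on a negative dentry depends on the call sites in the companion patch, which are not visible here; if it can, this is a NULL dereference in kernel context. Extending the guard, e.g. `if (!path || !path->dentry || !path->dentry->d_inode) return 0;`, keeps the existing allow-on-missing-object convention and removes the assumption. Separately, aa_permission is still passed the operation name `"inode_permission"`, so audit records will name the old hook; if that is deliberate for log and profile compatibility, a one-line comment saying so would help whoever reads denials later.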
70 @@ -800,6 +811,8 @@ struct security_operations apparmor_ops
71 .file_mprotect = apparmor_file_mprotect,
72 .file_lock = apparmor_file_lock,
73
74 + .path_permission = apparmor_path_permission,
75 +
76 .task_alloc_security = apparmor_task_alloc_security,
77 .task_free_security = apparmor_task_free_security,
78 .task_post_setuid = cap_task_post_setuid,