1 From: Tony Jones <tonyj@suse.de>
2 Subject: Pass struct vfsmount to the inode_setxattr LSM hook
3
4 This is needed for computing pathnames in the AppArmor LSM.
5
6 Signed-off-by: Tony Jones <tonyj@suse.de>
7 Signed-off-by: Andreas Gruenbacher <agruen@suse.de>
8 Signed-off-by: John Johansen <jjohansen@suse.de>
9
10 ---
11 fs/xattr.c | 4 ++--
12 include/linux/security.h | 41 ++++++++++++++++++++++++++---------------
13 security/capability.c | 3 ++-
14 security/commoncap.c | 5 +++--
15 security/security.c | 16 ++++++++++------
16 security/selinux/hooks.c | 8 +++++---
17 security/smack/smack_lsm.c | 12 ++++++++----
18 7 files changed, 56 insertions(+), 33 deletions(-)
19
20 --- a/fs/xattr.c
21 +++ b/fs/xattr.c
22 @@ -78,7 +78,7 @@ vfs_setxattr(struct dentry *dentry, stru
23 return error;
24
25 mutex_lock(&inode->i_mutex);
26 - error = security_inode_setxattr(dentry, name, value, size, flags);
27 + error = security_inode_setxattr(dentry, mnt, name, value, size, flags);
28 if (error)
29 goto out;
30 error = -EOPNOTSUPP;
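Review bot: The new call passes `mnt` through to `security_inode_setxattr`, but the parameter list of `vfs_setxattr` lies outside the hunk, so this diff only builds if an earlier patch in the series already added a `struct vfsmount *mnt` argument to `vfs_setxattr`; the truncated `stru` in the `@@` context suggests it has, but the description does not name that prerequisite. A single sentence in the description, e.g. `Depends on the earlier patch that adds a vfsmount argument to vfs_setxattr.`, would make the series ordering explicit for whoever rebases it. The same dependency applies to the second fs/xattr.c hunk. `vfs_setxattr` starts and ends outside both hunks.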
31 @@ -86,7 +86,7 @@ vfs_setxattr(struct dentry *dentry, stru
32 error = inode->i_op->setxattr(dentry, name, value, size, flags);
33 if (!error) {
34 fsnotify_xattr(dentry);
35 - security_inode_post_setxattr(dentry, name, value,
36 + security_inode_post_setxattr(dentry, mnt, name, value,
37 size, flags);
38 }
39 } else if (!strncmp(name, XATTR_SECURITY_PREFIX,
40 --- a/include/linux/security.h
41 +++ b/include/linux/security.h
42 @@ -54,8 +54,9 @@ extern void cap_capset_set(struct task_s
43 extern int cap_bprm_set_security(struct linux_binprm *bprm);
44 extern void cap_bprm_apply_creds(struct linux_binprm *bprm, int unsafe);
45 extern int cap_bprm_secureexec(struct linux_binprm *bprm);
46 -extern int cap_inode_setxattr(struct dentry *dentry, const char *name,
47 - const void *value, size_t size, int flags);
48 +extern int cap_inode_setxattr(struct dentry *dentry, struct vfsmount *mnt,
49 + const char *name, const void *value, size_t size,
50 + int flags);
51 extern int cap_inode_removexattr(struct dentry *dentry, const char *name);
52 extern int cap_inode_need_killpriv(struct dentry *dentry);
53 extern int cap_inode_killpriv(struct dentry *dentry);
54 @@ -438,11 +439,11 @@ static inline void security_free_mnt_opt
55 * inode.
56 * @inode_setxattr:
57 * Check permission before setting the extended attributes
58 - * @value identified by @name for @dentry.
59 + * @value identified by @name for @dentry and @mnt.
60 * Return 0 if permission is granted.
61 * @inode_post_setxattr:
62 * Update inode security field after successful setxattr operation.
63 - * @value identified by @name for @dentry.
64 + * @value identified by @name for @dentry and @mnt.
65 * @inode_getxattr:
66 * Check permission before obtaining the extended attributes
67 * identified by @name for @dentry.
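Review bot: The updated hook documentation for `@inode_setxattr` and `@inode_post_setxattr` now says the attribute is identified "for @dentry and @mnt" but gives no contract for @mnt, in particular whether a caller may pass a NULL mount. An LSM that uses @mnt to compute a pathname, which is the stated motivation, will dereference it, so the kerneldoc should state whether @mnt is always non-NULL or may be NULL for some callers; I cannot tell from this patch which holds. Suggested wording under each hook: `* @mnt is the mount @dentry was reached through; [state whether callers may pass NULL].` The Smack hunks document the parameter as `@mnt: unused`, which is consistent with that module, but the contract belongs at the hook definition where every LSM reads it.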
68 @@ -1392,10 +1393,13 @@ struct security_operations {
69 struct iattr *attr);
70 int (*inode_getattr) (struct vfsmount *mnt, struct dentry *dentry);
71 void (*inode_delete) (struct inode *inode);
72 - int (*inode_setxattr) (struct dentry *dentry, const char *name,
73 - const void *value, size_t size, int flags);
74 - void (*inode_post_setxattr) (struct dentry *dentry, const char *name,
75 - const void *value, size_t size, int flags);
76 + int (*inode_setxattr) (struct dentry *dentry, struct vfsmount *mnt,
77 + const char *name, const void *value, size_t size,
78 + int flags);
79 + void (*inode_post_setxattr) (struct dentry *dentry,
80 + struct vfsmount *mnt,
81 + const char *name, const void *value,
82 + size_t size, int flags);
83 int (*inode_getxattr) (struct dentry *dentry, const char *name);
84 int (*inode_listxattr) (struct dentry *dentry);
85 int (*inode_removexattr) (struct dentry *dentry, const char *name);
86 @@ -1666,10 +1670,12 @@ int security_inode_setattr(struct dentry
87 struct iattr *attr);
88 int security_inode_getattr(struct vfsmount *mnt, struct dentry *dentry);
89 void security_inode_delete(struct inode *inode);
90 -int security_inode_setxattr(struct dentry *dentry, const char *name,
91 - const void *value, size_t size, int flags);
92 -void security_inode_post_setxattr(struct dentry *dentry, const char *name,
93 - const void *value, size_t size, int flags);
94 +int security_inode_setxattr(struct dentry *dentry, struct vfsmount *mnt,
95 + const char *name, const void *value,
96 + size_t size, int flags);
97 +void security_inode_post_setxattr(struct dentry *dentry, struct vfsmount *mnt,
98 + const char *name, const void *value,
99 + size_t size, int flags);
100 int security_inode_getxattr(struct dentry *dentry, const char *name);
101 int security_inode_listxattr(struct dentry *dentry);
102 int security_inode_removexattr(struct dentry *dentry, const char *name);
103 @@ -2092,13 +2098,18 @@ static inline void security_inode_delete
104 { }
105
106 static inline int security_inode_setxattr(struct dentry *dentry,
107 - const char *name, const void *value, size_t size, int flags)
108 + struct vfsmount *mnt,
109 + const char *name, const void *value,
110 + size_t size, int flags)
111 {
112 - return cap_inode_setxattr(dentry, name, value, size, flags);
113 + return cap_inode_setxattr(dentry, mnt, name, value, size, flags);
114 }
115
116 static inline void security_inode_post_setxattr(struct dentry *dentry,
117 - const char *name, const void *value, size_t size, int flags)
118 + struct vfsmount *mnt,
119 + const char *name,
120 + const void *value,
121 + size_t size, int flags)
122 { }
123
124 static inline int security_inode_getxattr(struct dentry *dentry,
125 --- a/security/capability.c
126 +++ b/security/capability.c
127 @@ -235,7 +235,8 @@ static void cap_inode_delete(struct inod
128 {
129 }
130
131 -static void cap_inode_post_setxattr(struct dentry *dentry, const char *name,
132 +static void cap_inode_post_setxattr(struct dentry *dentry, struct vfsmount *mnt,
133 + const char *name,
134 const void *value, size_t size, int flags)
135 {
136 }
137 --- a/security/commoncap.c
138 +++ b/security/commoncap.c
139 @@ -414,8 +414,9 @@ int cap_bprm_secureexec (struct linux_bi
140 current->egid != current->gid);
141 }
142
143 -int cap_inode_setxattr(struct dentry *dentry, const char *name,
144 - const void *value, size_t size, int flags)
145 +int cap_inode_setxattr(struct dentry *dentry, struct vfsmount *mnt,
146 + const char *name, const void *value, size_t size,
147 + int flags)
148 {
149 if (!strcmp(name, XATTR_NAME_CAPS)) {
150 if (!capable(CAP_SETFCAP))
151 --- a/security/security.c
152 +++ b/security/security.c
153 @@ -468,20 +468,24 @@ void security_inode_delete(struct inode
154 security_ops->inode_delete(inode);
155 }
156
157 -int security_inode_setxattr(struct dentry *dentry, const char *name,
158 - const void *value, size_t size, int flags)
159 +int security_inode_setxattr(struct dentry *dentry, struct vfsmount *mnt,
160 + const char *name, const void *value, size_t size,
161 + int flags)
162 {
163 if (unlikely(IS_PRIVATE(dentry->d_inode)))
164 return 0;
165 - return security_ops->inode_setxattr(dentry, name, value, size, flags);
166 + return security_ops->inode_setxattr(dentry, mnt, name, value, size,
167 + flags);
168 }
169
170 -void security_inode_post_setxattr(struct dentry *dentry, const char *name,
171 - const void *value, size_t size, int flags)
172 +void security_inode_post_setxattr(struct dentry *dentry, struct vfsmount *mnt,
173 + const char *name, const void *value,
174 + size_t size, int flags)
175 {
176 if (unlikely(IS_PRIVATE(dentry->d_inode)))
177 return;
178 - security_ops->inode_post_setxattr(dentry, name, value, size, flags);
179 + security_ops->inode_post_setxattr(dentry, mnt, name, value, size,
180 + flags);
181 }
182
183 int security_inode_getxattr(struct dentry *dentry, const char *name)
184 --- a/security/selinux/hooks.c
185 +++ b/security/selinux/hooks.c
186 @@ -2713,8 +2713,9 @@ static int selinux_inode_setotherxattr(s
187 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
188 }
189
190 -static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
191 - const void *value, size_t size, int flags)
192 +static int selinux_inode_setxattr(struct dentry *dentry, struct vfsmount *mnt,
193 + const char *name, const void *value,
194 + size_t size, int flags)
195 {
196 struct task_security_struct *tsec = current->security;
197 struct inode *inode = dentry->d_inode;
198 @@ -2768,7 +2769,8 @@ static int selinux_inode_setxattr(struct
199 &ad);
200 }
201
202 -static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
203 +static void selinux_inode_post_setxattr(struct dentry *dentry,
204 + struct vfsmount *mnt, const char *name,
205 const void *value, size_t size,
206 int flags)
207 {
208 --- a/security/smack/smack_lsm.c
209 +++ b/security/smack/smack_lsm.c
210 @@ -595,6 +595,7 @@ static int smack_inode_getattr(struct vf
211 /**
212 * smack_inode_setxattr - Smack check for setting xattrs
213 * @dentry: the object
214 + * @mnt: unused
215 * @name: name of the attribute
216 * @value: unused
217 * @size: unused
218 @@ -604,8 +605,9 @@ static int smack_inode_getattr(struct vf
219 *
220 * Returns 0 if access is permitted, an error code otherwise
221 */
222 -static int smack_inode_setxattr(struct dentry *dentry, const char *name,
223 - const void *value, size_t size, int flags)
224 +static int smack_inode_setxattr(struct dentry *dentry, struct vfsmount *mnt,
225 + const char *name, const void *value,
226 + size_t size, int flags)
227 {
228 int rc = 0;
229
230 @@ -617,7 +619,7 @@ static int smack_inode_setxattr(struct d
231 if (size == 0)
232 rc = -EINVAL;
233 } else
234 - rc = cap_inode_setxattr(dentry, name, value, size, flags);
235 + rc = cap_inode_setxattr(dentry, mnt, name, value, size, flags);
236
237 if (rc == 0)
238 rc = smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE);
239 @@ -628,6 +630,7 @@ static int smack_inode_setxattr(struct d
240 /**
241 * smack_inode_post_setxattr - Apply the Smack update approved above
242 * @dentry: object
243 + * @mnt: unused
244 * @name: attribute name
245 * @value: attribute value
246 * @size: attribute size
247 @@ -636,7 +639,8 @@ static int smack_inode_setxattr(struct d
248 * Set the pointer in the inode blob to the entry found
249 * in the master label list.
250 */
251 -static void smack_inode_post_setxattr(struct dentry *dentry, const char *name,
252 +static void smack_inode_post_setxattr(struct dentry *dentry,
253 + struct vfsmount *mnt, const char *name,
254 const void *value, size_t size, int flags)
255 {
256 struct inode_smack *isp;