00e5a55c BS |
1 | From: Jeff Mahoney <jeffm@suse.com> |
2 | Subject: [PATCH] apparmor: convert apparmor_inode_permission to path | |
3 | ||
4 | patches.apparmor/add-security_path_permission added the ->path_permission | |
5 | call. This patch converts apparmor_inode_permission to | |
6 | apparmor_path_permission. The former is now a pass-all, which is how | |
7 | it behaved in 2.6.26 if a NULL nameidata was passed. | |
8 | ||
9 | Signed-off-by: Jeff Mahoney <jeffm@suse.com> | |
10 | --- | |
11 | security/apparmor/lsm.c | 41 +++++++++++++++++++++++++++-------------- | |
12 | 1 file changed, 27 insertions(+), 14 deletions(-) | |
13 | ||
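--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -448,21 +448,9 @@ out:
 	return error;
 }
 
-static int apparmor_inode_permission(struct inode *inode, int mask,
-				     struct nameidata *nd)
+static int apparmor_inode_permission(struct inode *inode, int mask)
 {
-	int check = 0;
-
-	if (!nd || nd->flags & (LOOKUP_PARENT | LOOKUP_CONTINUE))
-		return 0;
-	mask = aa_mask_permissions(mask);
-	if (S_ISDIR(inode->i_mode)) {
-		check |= AA_CHECK_DIR;
-		/* allow traverse accesses to directories */
-		mask &= ~MAY_EXEC;
-	}
-	return aa_permission("inode_permission", inode, nd->dentry, nd->mnt,
-			     mask, check);
+	return 0;
 }
 
 static int apparmor_inode_setattr(struct dentry *dentry, struct vfsmount *mnt,
@@ -656,6 +644,29 @@ static int apparmor_file_mprotect(struct
 			     !(vma->vm_flags & VM_SHARED) ? MAP_PRIVATE : 0);
 }
 
+static int apparmor_path_permission(struct path *path, int mask)
+{
+	struct inode *inode;
+	int check = 0;
+
+	if (!path)
+		return 0;
+
+	inode = path->dentry->d_inode;
+
+	mask = aa_mask_permissions(mask);
+	if (S_ISDIR(inode->i_mode)) {
+		check |= AA_CHECK_DIR;
+		/* allow traverse accesses to directories */
+		mask &= ~MAY_EXEC;
+		if (!mask)
+			return 0;
+	}
+
+	return aa_permission("inode_permission", inode, path->dentry,
+			     path->mnt, mask, check);
+}
+
 static int apparmor_task_alloc_security(struct task_struct *task)
 {
 	return aa_clone(task);
@@ -800,6 +811,8 @@ struct security_operations apparmor_ops
 	.file_mprotect = apparmor_file_mprotect,
 	.file_lock = apparmor_file_lock,
 
+	.path_permission = apparmor_path_permission,
+
 	.task_alloc_security = apparmor_task_alloc_security,
 	.task_free_security = apparmor_task_free_security,
 	.task_post_setuid = cap_task_post_setuid,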
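Review bot: The new apparmor_path_permission still passes the operation name `"inode_permission"` to aa_permission, so audit records produced by the path hook will be attributed to a hook that this same patch turns into an unconditional `return 0`; unless a tool depends on that exact string, the call should read `return aa_permission("path_permission", inode, path->dentry, path->mnt, mask, check);`. The removed code also skipped mediation when `nd->flags & (LOOKUP_PARENT | LOOKUP_CONTINUE)` was set, and the path hook has no equivalent filter, so whether intermediate path components are now mediated depends on where the companion patch calls security_path_permission — a one-line comment stating that assumption above the function would help the next reader. `path->dentry->d_inode` is dereferenced with no NULL check; if the caller can ever hand in a negative dentry this is an oops, and the fix should not be another silent `return 0`, since that fails open. Finally, the stubbed apparmor_inode_permission keeps parameters it no longer reads and nothing in this patch removes `.inode_permission` from apparmor_ops; either drop the registration or put `/* mediation moved to apparmor_path_permission */` above the stub so the pass-all is not mistaken for a missing check.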