projects / people / pmueller / ipfire-2.x.git / blame
| Commit | Line | Data |
|---|---|---|
| 8f69975d BS |
1 | From: Tony Jones <tonyj@suse.de> |
| 2 | Subject: Pass struct vfsmount to the inode_readlink LSM hook | |
| 3 | ||
| 4 | This is needed for computing pathnames in the AppArmor LSM. | |
| 5 | ||
| 6 | Signed-off-by: Tony Jones <tonyj@suse.de> | |
| 7 | Signed-off-by: Andreas Gruenbacher <agruen@suse.de> | |
| 8 | Signed-off-by: John Johansen <jjohansen@suse.de> | |
| 9 | ||
| 10 | --- | |
| 11 | fs/stat.c | 2 +- | |
| 12 | include/linux/security.h | 8 +++++--- | |
| 13 | security/capability.c | 2 +- | |
| 14 | security/security.c | 4 ++-- | |
| 15 | security/selinux/hooks.c | 2 +- | |
| 16 | 5 files changed, 10 insertions(+), 8 deletions(-) | |
| 17 | ||
| 18 | --- a/fs/stat.c | |
| 19 | +++ b/fs/stat.c | |
| 20 | @@ -308,7 +308,7 @@ SYSCALL_DEFINE4(readlinkat, int, dfd, co | |
| 21 | ||
| 22 | error = -EINVAL; | |
| 23 | if (inode->i_op && inode->i_op->readlink) { | |
| 24 | - error = security_inode_readlink(path.dentry); | |
| 25 | + error = security_inode_readlink(path.dentry, path.mnt); | |
| 26 | if (!error) { | |
| 27 | touch_atime(path.mnt, path.dentry); | |
| 28 | error = inode->i_op->readlink(path.dentry, | |
| 29 | --- a/include/linux/security.h | |
| 30 | +++ b/include/linux/security.h | |
| 31 | @@ -392,6 +392,7 @@ static inline void security_free_mnt_opt | |
| 32 | * @inode_readlink: | |
| 33 | * Check the permission to read the symbolic link. | |
| 34 | * @dentry contains the dentry structure for the file link. | |
| 35 | + * @mnt is the vfsmount corresponding to @dentry (may be NULL). | |
| 36 | * Return 0 if permission is granted. | |
| 37 | * @inode_follow_link: | |
| 38 | * Check permission to follow a symbolic link when looking up a pathname. | |
| 39 | @@ -1373,7 +1374,7 @@ struct security_operations { | |
| 40 | struct vfsmount *mnt, int mode, dev_t dev); | |
| 41 | int (*inode_rename) (struct inode *old_dir, struct dentry *old_dentry, | |
| 42 | struct inode *new_dir, struct dentry *new_dentry); | |
| 43 | - int (*inode_readlink) (struct dentry *dentry); | |
| 44 | + int (*inode_readlink) (struct dentry *dentry, struct vfsmount *mnt); | |
| 45 | int (*inode_follow_link) (struct dentry *dentry, struct nameidata *nd); | |
| 46 | int (*inode_permission) (struct inode *inode, int mask); | |
| 47 | int (*inode_setattr) (struct dentry *dentry, struct vfsmount *, | |
| 48 | @@ -1643,7 +1644,7 @@ int security_inode_mknod(struct inode *d | |
| 49 | struct vfsmount *mnt, int mode, dev_t dev); | |
| 50 | int security_inode_rename(struct inode *old_dir, struct dentry *old_dentry, | |
| 51 | struct inode *new_dir, struct dentry *new_dentry); | |
| 52 | -int security_inode_readlink(struct dentry *dentry); | |
| 53 | +int security_inode_readlink(struct dentry *dentry, struct vfsmount *mnt); | |
| 54 | int security_inode_follow_link(struct dentry *dentry, struct nameidata *nd); | |
| 55 | int security_inode_permission(struct inode *inode, int mask); | |
| 56 | int security_inode_setattr(struct dentry *dentry, struct vfsmount *mnt, | |
| 57 | @@ -2036,7 +2037,8 @@ static inline int security_inode_rename( | |
| 58 | return 0; | |
| 59 | } | |
| 60 | ||
| 61 | -static inline int security_inode_readlink(struct dentry *dentry) | |
| 62 | +static inline int security_inode_readlink(struct dentry *dentry, | |
| 63 | + struct vfsmount *mnt) | |
| 64 | { | |
| 65 | return 0; | |
| 66 | } | |
| 67 | --- a/security/capability.c | |
| 68 | +++ b/security/capability.c | |
| 69 | @@ -200,7 +200,7 @@ static int cap_inode_rename(struct inode | |
| 70 | return 0; | |
| 71 | } | |
| 72 | ||
| 73 | -static int cap_inode_readlink(struct dentry *dentry) | |
| 74 | +static int cap_inode_readlink(struct dentry *dentry, struct vfsmount *mnt) | |
| 75 | { | |
| 76 | return 0; | |
| 77 | } | |
| 78 | --- a/security/security.c | |
| 79 | +++ b/security/security.c | |
| 80 | @@ -422,11 +422,11 @@ int security_inode_rename(struct inode * | |
| 81 | new_dir, new_dentry); | |
| 82 | } | |
| 83 | ||
| 84 | -int security_inode_readlink(struct dentry *dentry) | |
| 85 | +int security_inode_readlink(struct dentry *dentry, struct vfsmount *mnt) | |
| 86 | { | |
| 87 | if (unlikely(IS_PRIVATE(dentry->d_inode))) | |
| 88 | return 0; | |
| 89 | - return security_ops->inode_readlink(dentry); | |
| 90 | + return security_ops->inode_readlink(dentry, mnt); | |
| 91 | } | |
| 92 | ||
| 93 | int security_inode_follow_link(struct dentry *dentry, struct nameidata *nd) | |
| 94 | --- a/security/selinux/hooks.c | |
| 95 | +++ b/security/selinux/hooks.c | |
| 96 | @@ -2627,7 +2627,7 @@ static int selinux_inode_rename(struct i | |
| 97 | return may_rename(old_inode, old_dentry, new_inode, new_dentry); | |
| 98 | } | |
| 99 | ||
| 100 | -static int selinux_inode_readlink(struct dentry *dentry) | |
| 101 | +static int selinux_inode_readlink(struct dentry *dentry, struct vfsmount *mnt) | |
| 102 | { | |
| 103 | return dentry_has_perm(current, NULL, dentry, FILE__READ); | |
| 104 | } |