[people/pmueller/ipfire-2.x.git] / src / patches / suse-2.6.27.25 / patches.apparmor / security-removexattr.diff

From: Tony Jones <tonyj@suse.de>
Subject: Pass struct vfsmount to the inode_removexattr LSM hook

This is needed for computing pathnames in the AppArmor LSM.

Signed-off-by: Tony Jones <tonyj@suse.de>
Signed-off-by: Andreas Gruenbacher <agruen@suse.de>
Signed-off-by: John Johansen <jjohansen@suse.de>

---
 fs/xattr.c                 |    2 +-
 include/linux/security.h   |   14 +++++++++-----
 security/commoncap.c       |    3 ++-
 security/security.c        |    5 +++--
 security/selinux/hooks.c   |    3 ++-
 security/smack/smack_lsm.c |    6 ++++--
 6 files changed, 21 insertions(+), 12 deletions(-)

--- a/fs/xattr.c
+++ b/fs/xattr.c
@@ -202,7 +202,7 @@ vfs_removexattr(struct dentry *dentry, s
 	if (error)
 		return error;
 
-	error = security_inode_removexattr(dentry, name);
+	error = security_inode_removexattr(dentry, mnt, name);
 	if (error)
 		return error;
 
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -57,7 +57,8 @@ extern int cap_bprm_secureexec(struct li
 extern int cap_inode_setxattr(struct dentry *dentry, struct vfsmount *mnt,
 			      const char *name, const void *value, size_t size,
 			      int flags);
-extern int cap_inode_removexattr(struct dentry *dentry, const char *name);
+extern int cap_inode_removexattr(struct dentry *dentry, struct vfsmount *mnt,
+				 const char *name);
 extern int cap_inode_need_killpriv(struct dentry *dentry);
 extern int cap_inode_killpriv(struct dentry *dentry);
 extern int cap_task_post_setuid(uid_t old_ruid, uid_t old_euid, uid_t old_suid, int flags);
@@ -1403,7 +1404,8 @@ struct security_operations {
 	int (*inode_getxattr) (struct dentry *dentry, struct vfsmount *mnt,
 			       const char *name);
 	int (*inode_listxattr) (struct dentry *dentry, struct vfsmount *mnt);
-	int (*inode_removexattr) (struct dentry *dentry, const char *name);
+	int (*inode_removexattr) (struct dentry *dentry, struct vfsmount *mnt,
+				  const char *name);
 	int (*inode_need_killpriv) (struct dentry *dentry);
 	int (*inode_killpriv) (struct dentry *dentry);
 	int (*inode_getsecurity) (const struct inode *inode, const char *name, void **buffer, bool alloc);
@@ -1680,7 +1682,8 @@ void security_inode_post_setxattr(struct
 int security_inode_getxattr(struct dentry *dentry, struct vfsmount *mnt,
 			    const char *name);
 int security_inode_listxattr(struct dentry *dentry, struct vfsmount *mnt);
-int security_inode_removexattr(struct dentry *dentry, const char *name);
+int security_inode_removexattr(struct dentry *dentry, struct vfsmount *mnt,
+			       const char *name);
 int security_inode_need_killpriv(struct dentry *dentry);
 int security_inode_killpriv(struct dentry *dentry);
 int security_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc);
@@ -2128,9 +2131,10 @@ static inline int security_inode_listxat
 }
 
 static inline int security_inode_removexattr(struct dentry *dentry,
-			const char *name)
+					     struct vfsmount *mnt,
+					     const char *name)
 {
-	return cap_inode_removexattr(dentry, name);
+	return cap_inode_removexattr(dentry, mnt, name);
 }
 
 static inline int security_inode_need_killpriv(struct dentry *dentry)
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -429,7 +429,8 @@ int cap_inode_setxattr(struct dentry *de
 	return 0;
 }
 
-int cap_inode_removexattr(struct dentry *dentry, const char *name)
+int cap_inode_removexattr(struct dentry *dentry, struct vfsmount *mnt,
+			  const char *name)
 {
 	if (!strcmp(name, XATTR_NAME_CAPS)) {
 		if (!capable(CAP_SETFCAP))
--- a/security/security.c
+++ b/security/security.c
@@ -506,11 +506,12 @@ int security_inode_listxattr(struct dent
 	return security_ops->inode_listxattr(dentry, mnt);
 }
 
-int security_inode_removexattr(struct dentry *dentry, const char *name)
+int security_inode_removexattr(struct dentry *dentry, struct vfsmount *mnt,
+			       const char *name)
 {
 	if (unlikely(IS_PRIVATE(dentry->d_inode)))
 		return 0;
-	return security_ops->inode_removexattr(dentry, name);
+	return security_ops->inode_removexattr(dentry, mnt, name);
 }
 
 int security_inode_need_killpriv(struct dentry *dentry)
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2807,7 +2807,8 @@ static int selinux_inode_listxattr(struc
 	return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
 }
 
-static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
+static int selinux_inode_removexattr(struct dentry *dentry,
+				     struct vfsmount *mnt, const char *name)
 {
 	if (strcmp(name, XATTR_NAME_SELINUX))
 		return selinux_inode_setotherxattr(dentry, name);
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -687,13 +687,15 @@ static int smack_inode_getxattr(struct d
 /*
  * smack_inode_removexattr - Smack check on removexattr
  * @dentry: the object
+ * @mnt: unused
  * @name: name of the attribute
  *
  * Removing the Smack attribute requires CAP_MAC_ADMIN
  *
  * Returns 0 if access is permitted, an error code otherwise
  */
-static int smack_inode_removexattr(struct dentry *dentry, const char *name)
+static int smack_inode_removexattr(struct dentry *dentry, struct vfsmount *mnt,
+				   const char *name)
 {
 	int rc = 0;
 
@@ -703,7 +705,7 @@ static int smack_inode_removexattr(struc
 		if (!capable(CAP_MAC_ADMIN))
 			rc = -EPERM;
 	} else
-		rc = cap_inode_removexattr(dentry, name);
+		rc = cap_inode_removexattr(dentry, mnt, name);
 
 	if (rc == 0)
 		rc = smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE);
Commit	Line	Data
8f69975d BS	1	From: Tony Jones <tonyj@suse.de>
	2	Subject: Pass struct vfsmount to the inode_removexattr LSM hook
	3
	4	This is needed for computing pathnames in the AppArmor LSM.
	5
	6	Signed-off-by: Tony Jones <tonyj@suse.de>
	7	Signed-off-by: Andreas Gruenbacher <agruen@suse.de>
	8	Signed-off-by: John Johansen <jjohansen@suse.de>
	9
	10	---
	11	fs/xattr.c \| 2 +-
	12	include/linux/security.h \| 14 +++++++++-----
	13	security/commoncap.c \| 3 ++-
	14	security/security.c \| 5 +++--
	15	security/selinux/hooks.c \| 3 ++-
	16	security/smack/smack_lsm.c \| 6 ++++--
	17	6 files changed, 21 insertions(+), 12 deletions(-)
	18
	19	--- a/fs/xattr.c
	20	+++ b/fs/xattr.c
	21	@@ -202,7 +202,7 @@ vfs_removexattr(struct dentry *dentry, s
	22	if (error)
	23	return error;
	24
	25	- error = security_inode_removexattr(dentry, name);
	26	+ error = security_inode_removexattr(dentry, mnt, name);
	27	if (error)
	28	return error;
	29
	30	--- a/include/linux/security.h
	31	+++ b/include/linux/security.h
	32	@@ -57,7 +57,8 @@ extern int cap_bprm_secureexec(struct li
	33	extern int cap_inode_setxattr(struct dentry dentry, struct vfsmount mnt,
	34	const char name, const void value, size_t size,
	35	int flags);
	36	-extern int cap_inode_removexattr(struct dentry dentry, const char name);
	37	+extern int cap_inode_removexattr(struct dentry dentry, struct vfsmount mnt,
	38	+ const char *name);
	39	extern int cap_inode_need_killpriv(struct dentry *dentry);
	40	extern int cap_inode_killpriv(struct dentry *dentry);
	41	extern int cap_task_post_setuid(uid_t old_ruid, uid_t old_euid, uid_t old_suid, int flags);
	42	@@ -1403,7 +1404,8 @@ struct security_operations {
	43	int (inode_getxattr) (struct dentry dentry, struct vfsmount *mnt,
	44	const char *name);
	45	int (inode_listxattr) (struct dentry dentry, struct vfsmount *mnt);
	46	- int (inode_removexattr) (struct dentry dentry, const char *name);
	47	+ int (inode_removexattr) (struct dentry dentry, struct vfsmount *mnt,
	48	+ const char *name);
	49	int (inode_need_killpriv) (struct dentry dentry);
	50	int (inode_killpriv) (struct dentry dentry);
	51	int (inode_getsecurity) (const struct inode inode, const char name, void *buffer, bool alloc);
	52	@@ -1680,7 +1682,8 @@ void security_inode_post_setxattr(struct
	53	int security_inode_getxattr(struct dentry dentry, struct vfsmount mnt,
	54	const char *name);
	55	int security_inode_listxattr(struct dentry dentry, struct vfsmount mnt);
	56	-int security_inode_removexattr(struct dentry dentry, const char name);
	57	+int security_inode_removexattr(struct dentry dentry, struct vfsmount mnt,
	58	+ const char *name);
	59	int security_inode_need_killpriv(struct dentry *dentry);
	60	int security_inode_killpriv(struct dentry *dentry);
	61	int security_inode_getsecurity(const struct inode inode, const char name, void **buffer, bool alloc);
	62	@@ -2128,9 +2131,10 @@ static inline int security_inode_listxat
	63	}
	64
65	static inline int security_inode_removexattr(struct dentry *dentry,
66	- const char *name)
67	+ struct vfsmount *mnt,
68	+ const char *name)
69	{
70	- return cap_inode_removexattr(dentry, name);
71	+ return cap_inode_removexattr(dentry, mnt, name);
72	}
73
74	static inline int security_inode_need_killpriv(struct dentry *dentry)
75	--- a/security/commoncap.c
76	+++ b/security/commoncap.c
77	@@ -429,7 +429,8 @@ int cap_inode_setxattr(struct dentry *de
78	return 0;
79	}
80
81	-int cap_inode_removexattr(struct dentry dentry, const char name)
82	+int cap_inode_removexattr(struct dentry dentry, struct vfsmount mnt,
83	+ const char *name)
84	{
85	if (!strcmp(name, XATTR_NAME_CAPS)) {
86	if (!capable(CAP_SETFCAP))
87	--- a/security/security.c
88	+++ b/security/security.c
89	@@ -506,11 +506,12 @@ int security_inode_listxattr(struct dent
90	return security_ops->inode_listxattr(dentry, mnt);
91	}
92
93	-int security_inode_removexattr(struct dentry dentry, const char name)
94	+int security_inode_removexattr(struct dentry dentry, struct vfsmount mnt,
95	+ const char *name)
96	{
97	if (unlikely(IS_PRIVATE(dentry->d_inode)))
98	return 0;
99	- return security_ops->inode_removexattr(dentry, name);
100	+ return security_ops->inode_removexattr(dentry, mnt, name);
101	}
102
103	int security_inode_need_killpriv(struct dentry *dentry)
104	--- a/security/selinux/hooks.c
105	+++ b/security/selinux/hooks.c
106	@@ -2807,7 +2807,8 @@ static int selinux_inode_listxattr(struc
107	return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
108	}
109
110	-static int selinux_inode_removexattr(struct dentry dentry, const char name)
111	+static int selinux_inode_removexattr(struct dentry *dentry,
112	+ struct vfsmount mnt, const char name)
113	{
114	if (strcmp(name, XATTR_NAME_SELINUX))
115	return selinux_inode_setotherxattr(dentry, name);
116	--- a/security/smack/smack_lsm.c
117	+++ b/security/smack/smack_lsm.c
118	@@ -687,13 +687,15 @@ static int smack_inode_getxattr(struct d
119	/*
120	* smack_inode_removexattr - Smack check on removexattr
121	* @dentry: the object
122	+ * @mnt: unused
123	* @name: name of the attribute
124	*
125	* Removing the Smack attribute requires CAP_MAC_ADMIN
126	*
127	* Returns 0 if access is permitted, an error code otherwise
128	*/
129	-static int smack_inode_removexattr(struct dentry dentry, const char name)
130	+static int smack_inode_removexattr(struct dentry dentry, struct vfsmount mnt,
131	+ const char *name)
132	{
133	int rc = 0;
134
135	@@ -703,7 +705,7 @@ static int smack_inode_removexattr(struc
136	if (!capable(CAP_MAC_ADMIN))
137	rc = -EPERM;
138	} else
139	- rc = cap_inode_removexattr(dentry, name);
140	+ rc = cap_inode_removexattr(dentry, mnt, name);
141
142	if (rc == 0)
143	rc = smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE);