[people/pmueller/ipfire-2.x.git] / src / patches / suse-2.6.27.31 / patches.apparmor / apparmor-path_permission

From: Jeff Mahoney <jeffm@suse.com>
Subject: [PATCH] apparmor: convert apparmor_inode_permission to path

 patches.apparmor/add-security_path_permission added the ->path_permission
 call. This patch converts apparmor_inode_permission to
 apparmor_path_permission. The former is now a pass-all, which is how
 it behaved in 2.6.26 if a NULL nameidata was passed.

Signed-off-by: Jeff Mahoney <jeffm@suse.com>
---
 security/apparmor/lsm.c |   41 +++++++++++++++++++++++++++--------------
 1 file changed, 27 insertions(+), 14 deletions(-)

--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -448,21 +448,9 @@ out:
 	return error;
 }
 
-static int apparmor_inode_permission(struct inode *inode, int mask,
-				     struct nameidata *nd)
+static int apparmor_inode_permission(struct inode *inode, int mask)
 {
-	int check = 0;
-
-	if (!nd || nd->flags & (LOOKUP_PARENT | LOOKUP_CONTINUE))
-		return 0;
-	mask = aa_mask_permissions(mask);
-	if (S_ISDIR(inode->i_mode)) {
-		check |= AA_CHECK_DIR;
-		/* allow traverse accesses to directories */
-		mask &= ~MAY_EXEC;
-	}
-	return aa_permission("inode_permission", inode, nd->dentry, nd->mnt,
-			     mask, check);
+	return 0;
 }
 
 static int apparmor_inode_setattr(struct dentry *dentry, struct vfsmount *mnt,
@@ -656,6 +644,29 @@ static int apparmor_file_mprotect(struct
 		       !(vma->vm_flags & VM_SHARED) ? MAP_PRIVATE : 0);
 }
 
+static int apparmor_path_permission(struct path *path, int mask)
+{
+	struct inode *inode;
+	int check = 0;
+
+	if (!path)
+		return 0;
+
+	inode = path->dentry->d_inode;
+
+	mask = aa_mask_permissions(mask);
+	if (S_ISDIR(inode->i_mode)) {
+		check |= AA_CHECK_DIR;
+		/* allow traverse accesses to directories */
+		mask &= ~MAY_EXEC;
+		if (!mask)
+			return 0;
+	}
+
+	return aa_permission("inode_permission", inode, path->dentry,
+			     path->mnt, mask, check);
+}
+
 static int apparmor_task_alloc_security(struct task_struct *task)
 {
 	return aa_clone(task);
@@ -800,6 +811,8 @@ struct security_operations apparmor_ops
 	.file_mprotect =		apparmor_file_mprotect,
 	.file_lock =			apparmor_file_lock,
 
+	.path_permission =		apparmor_path_permission,
+
 	.task_alloc_security =		apparmor_task_alloc_security,
 	.task_free_security =		apparmor_task_free_security,
 	.task_post_setuid =		cap_task_post_setuid,
Commit	Line	Data
00e5a55c BS	1	From: Jeff Mahoney <jeffm@suse.com>
	2	Subject: [PATCH] apparmor: convert apparmor_inode_permission to path
	3
	4	patches.apparmor/add-security_path_permission added the ->path_permission
	5	call. This patch converts apparmor_inode_permission to
	6	apparmor_path_permission. The former is now a pass-all, which is how
	7	it behaved in 2.6.26 if a NULL nameidata was passed.
	8
	9	Signed-off-by: Jeff Mahoney <jeffm@suse.com>
	10	---
	11	security/apparmor/lsm.c \| 41 +++++++++++++++++++++++++++--------------
	12	1 file changed, 27 insertions(+), 14 deletions(-)
	13
	14	--- a/security/apparmor/lsm.c
	15	+++ b/security/apparmor/lsm.c
	16	@@ -448,21 +448,9 @@ out:
	17	return error;
	18	}
	19
	20	-static int apparmor_inode_permission(struct inode *inode, int mask,
	21	- struct nameidata *nd)
	22	+static int apparmor_inode_permission(struct inode *inode, int mask)
	23	{
	24	- int check = 0;
	25	-
	26	- if (!nd \|\| nd->flags & (LOOKUP_PARENT \| LOOKUP_CONTINUE))
	27	- return 0;
	28	- mask = aa_mask_permissions(mask);
	29	- if (S_ISDIR(inode->i_mode)) {
	30	- check \|= AA_CHECK_DIR;
	31	- /* allow traverse accesses to directories */
	32	- mask &= ~MAY_EXEC;
	33	- }
	34	- return aa_permission("inode_permission", inode, nd->dentry, nd->mnt,
	35	- mask, check);
	36	+ return 0;
	37	}
	38
	39	static int apparmor_inode_setattr(struct dentry dentry, struct vfsmount mnt,
	40	@@ -656,6 +644,29 @@ static int apparmor_file_mprotect(struct
	41	!(vma->vm_flags & VM_SHARED) ? MAP_PRIVATE : 0);
	42	}
	43
	44	+static int apparmor_path_permission(struct path *path, int mask)
	45	+{
	46	+ struct inode *inode;
	47	+ int check = 0;
	48	+
	49	+ if (!path)
	50	+ return 0;
	51	+
	52	+ inode = path->dentry->d_inode;
	53	+
	54	+ mask = aa_mask_permissions(mask);
	55	+ if (S_ISDIR(inode->i_mode)) {
	56	+ check \|= AA_CHECK_DIR;
	57	+ /* allow traverse accesses to directories */
	58	+ mask &= ~MAY_EXEC;
	59	+ if (!mask)
	60	+ return 0;
	61	+ }
	62	+
	63	+ return aa_permission("inode_permission", inode, path->dentry,
	64	+ path->mnt, mask, check);
65	+}
66	+
67	static int apparmor_task_alloc_security(struct task_struct *task)
68	{
69	return aa_clone(task);
70	@@ -800,6 +811,8 @@ struct security_operations apparmor_ops
71	.file_mprotect = apparmor_file_mprotect,
72	.file_lock = apparmor_file_lock,
73
74	+ .path_permission = apparmor_path_permission,
75	+
76	.task_alloc_security = apparmor_task_alloc_security,
77	.task_free_security = apparmor_task_free_security,
78	.task_post_setuid = cap_task_post_setuid,