[people/pmueller/ipfire-2.x.git] / src / patches / suse-2.6.27.31 / patches.apparmor / file-handle-ops.diff

From: Andreas Gruenbacher <agruen@suse.de>
Subject: Enable LSM hooks to distinguish operations on file descriptors from operations on pathnames

Struct iattr already contains ia_file since commit cc4e69de from 
Miklos (which is related to commit befc649c). Use this to pass
struct file down the setattr hooks. This allows LSMs to distinguish
operations on file descriptors from operations on paths.

Signed-off-by: Andreas Gruenbacher <agruen@suse.de>
Signed-off-by: John Johansen <jjohansen@suse.de>
Cc: Miklos Szeredi <mszeredi@suse.cz>

---
 fs/nfsd/vfs.c |   12 +++++++-----
 fs/open.c     |    5 ++++-
 2 files changed, 11 insertions(+), 6 deletions(-)

--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -425,7 +425,7 @@ static ssize_t nfsd_getxattr(struct dent
 {
 	ssize_t buflen;
 
-	buflen = vfs_getxattr(dentry, mnt, key, NULL, 0);
+	buflen = vfs_getxattr(dentry, mnt, key, NULL, 0, NULL);
 	if (buflen <= 0)
 		return buflen;
 
@@ -433,7 +433,7 @@ static ssize_t nfsd_getxattr(struct dent
 	if (!*buf)
 		return -ENOMEM;
 
-	return vfs_getxattr(dentry, mnt, key, *buf, buflen);
+	return vfs_getxattr(dentry, mnt, key, *buf, buflen, NULL);
 }
 #endif
 
@@ -459,7 +459,7 @@ set_nfsv4_acl_one(struct dentry *dentry,
 		goto out;
 	}
 
-	error = vfs_setxattr(dentry, mnt, key, buf, len, 0);
+	error = vfs_setxattr(dentry, mnt, key, buf, len, 0, NULL);
 out:
 	kfree(buf);
 	return error;
@@ -2133,12 +2133,14 @@ nfsd_set_posix_acl(struct svc_fh *fhp, i
 	if (error)
 		goto getout;
 	if (size)
-		error = vfs_setxattr(fhp->fh_dentry, mnt, name, value, size,0);
+		error = vfs_setxattr(fhp->fh_dentry, mnt, name, value, size, 0,
+				     NULL);
 	else {
 		if (!S_ISDIR(inode->i_mode) && type == ACL_TYPE_DEFAULT)
 			error = 0;
 		else {
-			error = vfs_removexattr(fhp->fh_dentry, mnt, name);
+			error = vfs_removexattr(fhp->fh_dentry, mnt, name,
+						NULL);
 			if (error == -ENODATA)
 				error = 0;
 		}
--- a/fs/open.c
+++ b/fs/open.c
@@ -623,7 +623,7 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd
 	if (mode == (mode_t) -1)
 		mode = inode->i_mode;
 	newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
-	newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
+	newattrs.ia_valid = ATTR_MODE | ATTR_CTIME | ATTR_FILE;
 	err = fnotify_change(dentry, file->f_path.mnt, &newattrs, file);
 	mutex_unlock(&inode->i_mutex);
 	mnt_drop_write(file->f_path.mnt);
@@ -686,6 +686,9 @@ static int chown_common(struct dentry * 
 	if (!S_ISDIR(inode->i_mode))
 		newattrs.ia_valid |=
 			ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_KILL_PRIV;
+	if (file)
+		newattrs.ia_valid |= ATTR_FILE;
+
 	mutex_lock(&inode->i_mutex);
 	error = fnotify_change(dentry, mnt, &newattrs, file);
 	mutex_unlock(&inode->i_mutex);
Commit	Line	Data
8f69975d BS	1	From: Andreas Gruenbacher <agruen@suse.de>
	2	Subject: Enable LSM hooks to distinguish operations on file descriptors from operations on pathnames
	3
	4	Struct iattr already contains ia_file since commit cc4e69de from
	5	Miklos (which is related to commit befc649c). Use this to pass
	6	struct file down the setattr hooks. This allows LSMs to distinguish
	7	operations on file descriptors from operations on paths.
	8
	9	Signed-off-by: Andreas Gruenbacher <agruen@suse.de>
	10	Signed-off-by: John Johansen <jjohansen@suse.de>
	11	Cc: Miklos Szeredi <mszeredi@suse.cz>
	12
	13	---
	14	fs/nfsd/vfs.c \| 12 +++++++-----
	15	fs/open.c \| 5 ++++-
	16	2 files changed, 11 insertions(+), 6 deletions(-)
	17
	18	--- a/fs/nfsd/vfs.c
	19	+++ b/fs/nfsd/vfs.c
	20	@@ -425,7 +425,7 @@ static ssize_t nfsd_getxattr(struct dent
	21	{
	22	ssize_t buflen;
	23
	24	- buflen = vfs_getxattr(dentry, mnt, key, NULL, 0);
	25	+ buflen = vfs_getxattr(dentry, mnt, key, NULL, 0, NULL);
	26	if (buflen <= 0)
	27	return buflen;
	28
	29	@@ -433,7 +433,7 @@ static ssize_t nfsd_getxattr(struct dent
	30	if (!*buf)
	31	return -ENOMEM;
	32
	33	- return vfs_getxattr(dentry, mnt, key, *buf, buflen);
	34	+ return vfs_getxattr(dentry, mnt, key, *buf, buflen, NULL);
	35	}
	36	#endif
	37
	38	@@ -459,7 +459,7 @@ set_nfsv4_acl_one(struct dentry *dentry,
	39	goto out;
	40	}
	41
	42	- error = vfs_setxattr(dentry, mnt, key, buf, len, 0);
	43	+ error = vfs_setxattr(dentry, mnt, key, buf, len, 0, NULL);
	44	out:
	45	kfree(buf);
	46	return error;
	47	@@ -2133,12 +2133,14 @@ nfsd_set_posix_acl(struct svc_fh *fhp, i
	48	if (error)
	49	goto getout;
	50	if (size)
	51	- error = vfs_setxattr(fhp->fh_dentry, mnt, name, value, size,0);
	52	+ error = vfs_setxattr(fhp->fh_dentry, mnt, name, value, size, 0,
	53	+ NULL);
	54	else {
	55	if (!S_ISDIR(inode->i_mode) && type == ACL_TYPE_DEFAULT)
	56	error = 0;
	57	else {
	58	- error = vfs_removexattr(fhp->fh_dentry, mnt, name);
	59	+ error = vfs_removexattr(fhp->fh_dentry, mnt, name,
	60	+ NULL);
	61	if (error == -ENODATA)
	62	error = 0;
	63	}
	64	--- a/fs/open.c
65	+++ b/fs/open.c
66	@@ -623,7 +623,7 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd
67	if (mode == (mode_t) -1)
68	mode = inode->i_mode;
69	newattrs.ia_mode = (mode & S_IALLUGO) \| (inode->i_mode & ~S_IALLUGO);
70	- newattrs.ia_valid = ATTR_MODE \| ATTR_CTIME;
71	+ newattrs.ia_valid = ATTR_MODE \| ATTR_CTIME \| ATTR_FILE;
72	err = fnotify_change(dentry, file->f_path.mnt, &newattrs, file);
73	mutex_unlock(&inode->i_mutex);
74	mnt_drop_write(file->f_path.mnt);
75	@@ -686,6 +686,9 @@ static int chown_common(struct dentry *
76	if (!S_ISDIR(inode->i_mode))
77	newattrs.ia_valid \|=
78	ATTR_KILL_SUID \| ATTR_KILL_SGID \| ATTR_KILL_PRIV;
79	+ if (file)
80	+ newattrs.ia_valid \|= ATTR_FILE;
81	+
82	mutex_lock(&inode->i_mutex);
83	error = fnotify_change(dentry, mnt, &newattrs, file);
84	mutex_unlock(&inode->i_mutex);