8f69975d BS |
1 | From: Tony Jones <tonyj@suse.de> |
2 | Subject: Pass struct vfsmount to the inode_rmdir LSM hook | |
3 | ||
4 | This is needed for computing pathnames in the AppArmor LSM. | |
5 | ||
6 | Signed-off-by: Tony Jones <tonyj@suse.de> | |
7 | Signed-off-by: Andreas Gruenbacher <agruen@suse.de> | |
8 | Signed-off-by: John Johansen <jjohansen@suse.de> | |
9 | ||
10 | --- | |
11 | fs/namei.c | 2 +- | |
12 | include/linux/security.h | 10 +++++++--- | |
13 | security/capability.c | 3 ++- | |
14 | security/security.c | 5 +++-- | |
15 | security/selinux/hooks.c | 3 ++- | |
16 | security/smack/smack_lsm.c | 4 +++- | |
17 | 6 files changed, 18 insertions(+), 9 deletions(-) | |
18 | ||
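--- a/fs/namei.c
+++ b/fs/namei.c
@@ -2184,7 +2184,7 @@ int vfs_rmdir(struct inode *dir, struct
 if (d_mountpoint(dentry))
 error = -EBUSY;
 else {
-error = security_inode_rmdir(dir, dentry);
+error = security_inode_rmdir(dir, dentry, mnt);
 if (!error) {
 error = dir->i_op->rmdir(dir, dentry);
 if (!error)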
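Review bot: The `+` line passes `mnt` to security_inode_rmdir, but nothing in this hunk shows where vfs_rmdir obtains it; the hunk header truncates the signature at `struct inode *dir, struct`, so the parameter presumably comes from an earlier patch in this series. Since the hook documentation added in security.h says `@mnt` may be NULL, it is worth confirming that every vfs_rmdir caller has been converted to supply a real mount, otherwise the AppArmor pathname computation this series exists for will see NULL on the rmdir path. vfs_rmdir begins and ends outside the hunk.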
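--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -372,6 +372,7 @@ static inline void security_free_mnt_opt
 * Check the permission to remove a directory.
 * @dir contains the inode structure of parent of the directory to be removed.
 * @dentry contains the dentry structure of directory to be removed.
+ * @mnt is the vfsmount corresponding to @dentry (may be NULL).
 * Return 0 if permission is granted.
 * @inode_mknod:
 * Check permissions when creating a special file (or a socket or a fifo
@@ -1372,7 +1373,8 @@ struct security_operations {
 struct vfsmount *mnt, const char *old_name);
 int (*inode_mkdir) (struct inode *dir, struct dentry *dentry,
 struct vfsmount *mnt, int mode);
-int (*inode_rmdir) (struct inode *dir, struct dentry *dentry);
+int (*inode_rmdir) (struct inode *dir, struct dentry *dentry,
+struct vfsmount *mnt);
 int (*inode_mknod) (struct inode *dir, struct dentry *dentry,
 struct vfsmount *mnt, int mode, dev_t dev);
 int (*inode_rename) (struct inode *old_dir, struct dentry *old_dentry,
@@ -1643,7 +1645,8 @@ int security_inode_symlink(struct inode
 struct vfsmount *mnt, const char *old_name);
 int security_inode_mkdir(struct inode *dir, struct dentry *dentry,
 struct vfsmount *mnt, int mode);
-int security_inode_rmdir(struct inode *dir, struct dentry *dentry);
+int security_inode_rmdir(struct inode *dir, struct dentry *dentry,
+struct vfsmount *mnt);
 int security_inode_mknod(struct inode *dir, struct dentry *dentry,
 struct vfsmount *mnt, int mode, dev_t dev);
 int security_inode_rename(struct inode *old_dir, struct dentry *old_dentry,
@@ -2022,7 +2025,8 @@ static inline int security_inode_mkdir(s
 }
 
 static inline int security_inode_rmdir(struct inode *dir,
-struct dentry *dentry)
+struct dentry *dentry,
+struct vfsmount *mnt)
 {
 return 0;
 }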
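Review bot: The new `@mnt` doc line in the first hunk states that the argument may be NULL but not under which conditions, and that is exactly what a hook implementation that derives pathnames (the stated purpose of the series) needs in order to choose a fallback or deny. Suggest tightening it to `@mnt is the vfsmount corresponding to @dentry, or NULL when the caller has no mount available; hook implementations must tolerate NULL.`, with the actual NULL condition filled in from the callers. The !CONFIG_SECURITY stub in the last hunk simply ignores the new parameter, which is the expected behaviour for that stub.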
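--- a/security/capability.c
+++ b/security/capability.c
@@ -184,7 +184,8 @@ static int cap_inode_mkdir(struct inode
 return 0;
 }
 
-static int cap_inode_rmdir(struct inode *inode, struct dentry *dentry)
+static int cap_inode_rmdir(struct inode *inode, struct dentry *dentry,
+struct vfsmount *mnt)
 {
 return 0;
 }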
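--- a/security/security.c
+++ b/security/security.c
@@ -399,11 +399,12 @@ int security_inode_mkdir(struct inode *d
 return security_ops->inode_mkdir(dir, dentry, mnt, mode);
 }
 
-int security_inode_rmdir(struct inode *dir, struct dentry *dentry)
+int security_inode_rmdir(struct inode *dir, struct dentry *dentry,
+struct vfsmount *mnt)
 {
 if (unlikely(IS_PRIVATE(dentry->d_inode)))
 return 0;
-return security_ops->inode_rmdir(dir, dentry);
+return security_ops->inode_rmdir(dir, dentry, mnt);
 }
 
 int security_inode_mknod(struct inode *dir, struct dentry *dentry,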
97 | ||
98 | int security_inode_mknod(struct inode *dir, struct dentry *dentry, | |
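--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2609,7 +2609,8 @@ static int selinux_inode_mkdir(struct in
 return may_create(dir, dentry, SECCLASS_DIR);
 }
 
-static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
+static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry,
+struct vfsmount *mnt)
 {
 return may_link(dir, dentry, MAY_RMDIR);
 }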
111 | --- a/security/smack/smack_lsm.c | |
112 | +++ b/security/smack/smack_lsm.c | |
113 | @@ -480,11 +480,13 @@ static int smack_inode_unlink(struct ino | |
114 | * smack_inode_rmdir - Smack check on directory deletion | |
115 | * @dir: containing directory object | |
116 | * @dentry: directory to unlink | |
117 | + * @mnt: vfsmount @dentry to unlink | |
118 | * | |
119 | * Returns 0 if current can write the containing directory | |
120 | * and the directory, error code otherwise | |
121 | */ | |
122 | -static int smack_inode_rmdir(struct inode *dir, struct dentry *dentry) | |
123 | +static int smack_inode_rmdir(struct inode *dir, struct dentry *dentry, | |
124 | + struct vfsmount *mnt) | |
125 | { | |
126 | int rc; | |
127 |