[people/pmueller/ipfire-2.x.git] / src / patches / suse-2.6.27.39 / patches.apparmor / security-setxattr.diff

From: Tony Jones <tonyj@suse.de>
Subject: Pass struct vfsmount to the inode_setxattr LSM hook

This is needed for computing pathnames in the AppArmor LSM.

Signed-off-by: Tony Jones <tonyj@suse.de>
Signed-off-by: Andreas Gruenbacher <agruen@suse.de>
Signed-off-by: John Johansen <jjohansen@suse.de>

---
 fs/xattr.c                 |    4 ++--
 include/linux/security.h   |   41 ++++++++++++++++++++++++++---------------
 security/capability.c      |    3 ++-
 security/commoncap.c       |    5 +++--
 security/security.c        |   16 ++++++++++------
 security/selinux/hooks.c   |    8 +++++---
 security/smack/smack_lsm.c |   12 ++++++++----
 7 files changed, 56 insertions(+), 33 deletions(-)

--- a/fs/xattr.c
+++ b/fs/xattr.c
@@ -78,7 +78,7 @@ vfs_setxattr(struct dentry *dentry, stru
 		return error;
 
 	mutex_lock(&inode->i_mutex);
-	error = security_inode_setxattr(dentry, name, value, size, flags);
+	error = security_inode_setxattr(dentry, mnt, name, value, size, flags);
 	if (error)
 		goto out;
 	error = -EOPNOTSUPP;
@@ -86,7 +86,7 @@ vfs_setxattr(struct dentry *dentry, stru
 		error = inode->i_op->setxattr(dentry, name, value, size, flags);
 		if (!error) {
 			fsnotify_xattr(dentry);
-			security_inode_post_setxattr(dentry, name, value,
+			security_inode_post_setxattr(dentry, mnt, name, value,
 						     size, flags);
 		}
 	} else if (!strncmp(name, XATTR_SECURITY_PREFIX,
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -54,8 +54,9 @@ extern void cap_capset_set(struct task_s
 extern int cap_bprm_set_security(struct linux_binprm *bprm);
 extern void cap_bprm_apply_creds(struct linux_binprm *bprm, int unsafe);
 extern int cap_bprm_secureexec(struct linux_binprm *bprm);
-extern int cap_inode_setxattr(struct dentry *dentry, const char *name,
-			      const void *value, size_t size, int flags);
+extern int cap_inode_setxattr(struct dentry *dentry, struct vfsmount *mnt,
+			      const char *name, const void *value, size_t size,
+			      int flags);
 extern int cap_inode_removexattr(struct dentry *dentry, const char *name);
 extern int cap_inode_need_killpriv(struct dentry *dentry);
 extern int cap_inode_killpriv(struct dentry *dentry);
@@ -438,11 +439,11 @@ static inline void security_free_mnt_opt
  *	inode.
  * @inode_setxattr:
  *	Check permission before setting the extended attributes
- *	@value identified by @name for @dentry.
+ * 	@value identified by @name for @dentry and @mnt.
  *	Return 0 if permission is granted.
  * @inode_post_setxattr:
  *	Update inode security field after successful setxattr operation.
- *	@value identified by @name for @dentry.
+ * 	@value identified by @name for @dentry and @mnt.
  * @inode_getxattr:
  *	Check permission before obtaining the extended attributes
  *	identified by @name for @dentry.
@@ -1392,10 +1393,13 @@ struct security_operations {
 				 struct iattr *attr);
 	int (*inode_getattr) (struct vfsmount *mnt, struct dentry *dentry);
 	void (*inode_delete) (struct inode *inode);
-	int (*inode_setxattr) (struct dentry *dentry, const char *name,
-			       const void *value, size_t size, int flags);
-	void (*inode_post_setxattr) (struct dentry *dentry, const char *name,
-				     const void *value, size_t size, int flags);
+	int (*inode_setxattr) (struct dentry *dentry, struct vfsmount *mnt,
+			       const char *name, const void *value, size_t size,
+			       int flags);
+	void (*inode_post_setxattr) (struct dentry *dentry,
+				     struct vfsmount *mnt,
+				     const char *name, const void *value,
+				     size_t size, int flags);
 	int (*inode_getxattr) (struct dentry *dentry, const char *name);
 	int (*inode_listxattr) (struct dentry *dentry);
 	int (*inode_removexattr) (struct dentry *dentry, const char *name);
@@ -1666,10 +1670,12 @@ int security_inode_setattr(struct dentry
 			   struct iattr *attr);
 int security_inode_getattr(struct vfsmount *mnt, struct dentry *dentry);
 void security_inode_delete(struct inode *inode);
-int security_inode_setxattr(struct dentry *dentry, const char *name,
-			    const void *value, size_t size, int flags);
-void security_inode_post_setxattr(struct dentry *dentry, const char *name,
-				  const void *value, size_t size, int flags);
+int security_inode_setxattr(struct dentry *dentry, struct vfsmount *mnt,
+			    const char *name, const void *value,
+			    size_t size, int flags);
+void security_inode_post_setxattr(struct dentry *dentry, struct vfsmount *mnt,
+				  const char *name, const void *value,
+				  size_t size, int flags);
 int security_inode_getxattr(struct dentry *dentry, const char *name);
 int security_inode_listxattr(struct dentry *dentry);
 int security_inode_removexattr(struct dentry *dentry, const char *name);
@@ -2092,13 +2098,18 @@ static inline void security_inode_delete
 { }
 
 static inline int security_inode_setxattr(struct dentry *dentry,
-		const char *name, const void *value, size_t size, int flags)
+					  struct vfsmount *mnt,
+					  const char *name, const void *value,
+					  size_t size, int flags)
 {
-	return cap_inode_setxattr(dentry, name, value, size, flags);
+	return cap_inode_setxattr(dentry, mnt, name, value, size, flags);
 }
 
 static inline void security_inode_post_setxattr(struct dentry *dentry,
-		const char *name, const void *value, size_t size, int flags)
+						struct vfsmount *mnt,
+						const char *name,
+						const void *value,
+						size_t size, int flags)
 { }
 
 static inline int security_inode_getxattr(struct dentry *dentry,
--- a/security/capability.c
+++ b/security/capability.c
@@ -235,7 +235,8 @@ static void cap_inode_delete(struct inod
 {
 }
 
-static void cap_inode_post_setxattr(struct dentry *dentry, const char *name,
+static void cap_inode_post_setxattr(struct dentry *dentry, struct vfsmount *mnt,
+				    const char *name,
 				    const void *value, size_t size, int flags)
 {
 }
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -414,8 +414,9 @@ int cap_bprm_secureexec (struct linux_bi
 		current->egid != current->gid);
 }
 
-int cap_inode_setxattr(struct dentry *dentry, const char *name,
-		       const void *value, size_t size, int flags)
+int cap_inode_setxattr(struct dentry *dentry, struct vfsmount *mnt,
+		       const char *name, const void *value, size_t size,
+		       int flags)
 {
 	if (!strcmp(name, XATTR_NAME_CAPS)) {
 		if (!capable(CAP_SETFCAP))
--- a/security/security.c
+++ b/security/security.c
@@ -468,20 +468,24 @@ void security_inode_delete(struct inode
 	security_ops->inode_delete(inode);
 }
 
-int security_inode_setxattr(struct dentry *dentry, const char *name,
-			    const void *value, size_t size, int flags)
+int security_inode_setxattr(struct dentry *dentry, struct vfsmount *mnt,
+			    const char *name, const void *value, size_t size,
+			    int flags)
 {
 	if (unlikely(IS_PRIVATE(dentry->d_inode)))
 		return 0;
-	return security_ops->inode_setxattr(dentry, name, value, size, flags);
+	return security_ops->inode_setxattr(dentry, mnt, name, value, size,
+					    flags);
 }
 
-void security_inode_post_setxattr(struct dentry *dentry, const char *name,
-				  const void *value, size_t size, int flags)
+void security_inode_post_setxattr(struct dentry *dentry, struct vfsmount *mnt,
+				  const char *name, const void *value,
+				  size_t size, int flags)
 {
 	if (unlikely(IS_PRIVATE(dentry->d_inode)))
 		return;
-	security_ops->inode_post_setxattr(dentry, name, value, size, flags);
+	security_ops->inode_post_setxattr(dentry, mnt, name, value, size,
+					  flags);
 }
 
 int security_inode_getxattr(struct dentry *dentry, const char *name)
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2713,8 +2713,9 @@ static int selinux_inode_setotherxattr(s
 	return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
 }
 
-static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
-				  const void *value, size_t size, int flags)
+static int selinux_inode_setxattr(struct dentry *dentry, struct vfsmount *mnt,
+				  const char *name, const void *value,
+				  size_t size, int flags)
 {
 	struct task_security_struct *tsec = current->security;
 	struct inode *inode = dentry->d_inode;
@@ -2768,7 +2769,8 @@ static int selinux_inode_setxattr(struct
 			    &ad);
 }
 
-static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
+static void selinux_inode_post_setxattr(struct dentry *dentry,
+					struct vfsmount *mnt, const char *name,
 					const void *value, size_t size,
 					int flags)
 {
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -595,6 +595,7 @@ static int smack_inode_getattr(struct vf
 /**
  * smack_inode_setxattr - Smack check for setting xattrs
  * @dentry: the object
+ * @mnt: unused
  * @name: name of the attribute
  * @value: unused
  * @size: unused
@@ -604,8 +605,9 @@ static int smack_inode_getattr(struct vf
  *
  * Returns 0 if access is permitted, an error code otherwise
  */
-static int smack_inode_setxattr(struct dentry *dentry, const char *name,
-				const void *value, size_t size, int flags)
+static int smack_inode_setxattr(struct dentry *dentry, struct vfsmount *mnt,
+				const char *name, const void *value,
+				size_t size, int flags)
 {
 	int rc = 0;
 
@@ -617,7 +619,7 @@ static int smack_inode_setxattr(struct d
 		if (size == 0)
 			rc = -EINVAL;
 	} else
-		rc = cap_inode_setxattr(dentry, name, value, size, flags);
+		rc = cap_inode_setxattr(dentry, mnt, name, value, size, flags);
 
 	if (rc == 0)
 		rc = smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE);
@@ -628,6 +630,7 @@ static int smack_inode_setxattr(struct d
 /**
  * smack_inode_post_setxattr - Apply the Smack update approved above
  * @dentry: object
+ * @mnt: unused
  * @name: attribute name
  * @value: attribute value
  * @size: attribute size
@@ -636,7 +639,8 @@ static int smack_inode_setxattr(struct d
  * Set the pointer in the inode blob to the entry found
  * in the master label list.
  */
-static void smack_inode_post_setxattr(struct dentry *dentry, const char *name,
+static void smack_inode_post_setxattr(struct dentry *dentry,
+				      struct vfsmount *mnt, const char *name,
 				      const void *value, size_t size, int flags)
 {
 	struct inode_smack *isp;
Commit	Line	Data
4d1e5b62 AF	1	From: Tony Jones <tonyj@suse.de>
	2	Subject: Pass struct vfsmount to the inode_setxattr LSM hook
	3
	4	This is needed for computing pathnames in the AppArmor LSM.
	5
	6	Signed-off-by: Tony Jones <tonyj@suse.de>
	7	Signed-off-by: Andreas Gruenbacher <agruen@suse.de>
	8	Signed-off-by: John Johansen <jjohansen@suse.de>
	9
	10	---
	11	fs/xattr.c \| 4 ++--
	12	include/linux/security.h \| 41 ++++++++++++++++++++++++++---------------
	13	security/capability.c \| 3 ++-
	14	security/commoncap.c \| 5 +++--
	15	security/security.c \| 16 ++++++++++------
	16	security/selinux/hooks.c \| 8 +++++---
	17	security/smack/smack_lsm.c \| 12 ++++++++----
	18	7 files changed, 56 insertions(+), 33 deletions(-)
	19
	20	--- a/fs/xattr.c
	21	+++ b/fs/xattr.c
	22	@@ -78,7 +78,7 @@ vfs_setxattr(struct dentry *dentry, stru
	23	return error;
	24
	25	mutex_lock(&inode->i_mutex);
	26	- error = security_inode_setxattr(dentry, name, value, size, flags);
	27	+ error = security_inode_setxattr(dentry, mnt, name, value, size, flags);
	28	if (error)
	29	goto out;
	30	error = -EOPNOTSUPP;
	31	@@ -86,7 +86,7 @@ vfs_setxattr(struct dentry *dentry, stru
	32	error = inode->i_op->setxattr(dentry, name, value, size, flags);
	33	if (!error) {
	34	fsnotify_xattr(dentry);
	35	- security_inode_post_setxattr(dentry, name, value,
	36	+ security_inode_post_setxattr(dentry, mnt, name, value,
	37	size, flags);
	38	}
	39	} else if (!strncmp(name, XATTR_SECURITY_PREFIX,
	40	--- a/include/linux/security.h
	41	+++ b/include/linux/security.h
	42	@@ -54,8 +54,9 @@ extern void cap_capset_set(struct task_s
	43	extern int cap_bprm_set_security(struct linux_binprm *bprm);
	44	extern void cap_bprm_apply_creds(struct linux_binprm *bprm, int unsafe);
	45	extern int cap_bprm_secureexec(struct linux_binprm *bprm);
	46	-extern int cap_inode_setxattr(struct dentry dentry, const char name,
	47	- const void *value, size_t size, int flags);
	48	+extern int cap_inode_setxattr(struct dentry dentry, struct vfsmount mnt,
	49	+ const char name, const void value, size_t size,
	50	+ int flags);
	51	extern int cap_inode_removexattr(struct dentry dentry, const char name);
	52	extern int cap_inode_need_killpriv(struct dentry *dentry);
	53	extern int cap_inode_killpriv(struct dentry *dentry);
	54	@@ -438,11 +439,11 @@ static inline void security_free_mnt_opt
	55	* inode.
	56	* @inode_setxattr:
	57	* Check permission before setting the extended attributes
	58	- * @value identified by @name for @dentry.
	59	+ * @value identified by @name for @dentry and @mnt.
	60	* Return 0 if permission is granted.
	61	* @inode_post_setxattr:
	62	* Update inode security field after successful setxattr operation.
	63	- * @value identified by @name for @dentry.
	64	+ * @value identified by @name for @dentry and @mnt.
65	* @inode_getxattr:
66	* Check permission before obtaining the extended attributes
67	* identified by @name for @dentry.
68	@@ -1392,10 +1393,13 @@ struct security_operations {
69	struct iattr *attr);
70	int (inode_getattr) (struct vfsmount mnt, struct dentry *dentry);
71	void (inode_delete) (struct inode inode);
72	- int (inode_setxattr) (struct dentry dentry, const char *name,
73	- const void *value, size_t size, int flags);
74	- void (inode_post_setxattr) (struct dentry dentry, const char *name,
75	- const void *value, size_t size, int flags);
76	+ int (inode_setxattr) (struct dentry dentry, struct vfsmount *mnt,
77	+ const char name, const void value, size_t size,
78	+ int flags);
79	+ void (inode_post_setxattr) (struct dentry dentry,
80	+ struct vfsmount *mnt,
81	+ const char name, const void value,
82	+ size_t size, int flags);
83	int (inode_getxattr) (struct dentry dentry, const char *name);
84	int (inode_listxattr) (struct dentry dentry);
85	int (inode_removexattr) (struct dentry dentry, const char *name);
86	@@ -1666,10 +1670,12 @@ int security_inode_setattr(struct dentry
87	struct iattr *attr);
88	int security_inode_getattr(struct vfsmount mnt, struct dentry dentry);
89	void security_inode_delete(struct inode *inode);
90	-int security_inode_setxattr(struct dentry dentry, const char name,
91	- const void *value, size_t size, int flags);
92	-void security_inode_post_setxattr(struct dentry dentry, const char name,
93	- const void *value, size_t size, int flags);
94	+int security_inode_setxattr(struct dentry dentry, struct vfsmount mnt,
95	+ const char name, const void value,
96	+ size_t size, int flags);
97	+void security_inode_post_setxattr(struct dentry dentry, struct vfsmount mnt,
98	+ const char name, const void value,
99	+ size_t size, int flags);
100	int security_inode_getxattr(struct dentry dentry, const char name);
101	int security_inode_listxattr(struct dentry *dentry);
102	int security_inode_removexattr(struct dentry dentry, const char name);
103	@@ -2092,13 +2098,18 @@ static inline void security_inode_delete
104	{ }
105
106	static inline int security_inode_setxattr(struct dentry *dentry,
107	- const char name, const void value, size_t size, int flags)
108	+ struct vfsmount *mnt,
109	+ const char name, const void value,
110	+ size_t size, int flags)
111	{
112	- return cap_inode_setxattr(dentry, name, value, size, flags);
113	+ return cap_inode_setxattr(dentry, mnt, name, value, size, flags);
114	}
115
116	static inline void security_inode_post_setxattr(struct dentry *dentry,
117	- const char name, const void value, size_t size, int flags)
118	+ struct vfsmount *mnt,
119	+ const char *name,
120	+ const void *value,
121	+ size_t size, int flags)
122	{ }
123
124	static inline int security_inode_getxattr(struct dentry *dentry,
125	--- a/security/capability.c
126	+++ b/security/capability.c
127	@@ -235,7 +235,8 @@ static void cap_inode_delete(struct inod
128	{
129	}
130
131	-static void cap_inode_post_setxattr(struct dentry dentry, const char name,
132	+static void cap_inode_post_setxattr(struct dentry dentry, struct vfsmount mnt,
133	+ const char *name,
134	const void *value, size_t size, int flags)
135	{
136	}
137	--- a/security/commoncap.c
138	+++ b/security/commoncap.c
139	@@ -414,8 +414,9 @@ int cap_bprm_secureexec (struct linux_bi
140	current->egid != current->gid);
141	}
142
143	-int cap_inode_setxattr(struct dentry dentry, const char name,
144	- const void *value, size_t size, int flags)
145	+int cap_inode_setxattr(struct dentry dentry, struct vfsmount mnt,
146	+ const char name, const void value, size_t size,
147	+ int flags)
148	{
149	if (!strcmp(name, XATTR_NAME_CAPS)) {
150	if (!capable(CAP_SETFCAP))
151	--- a/security/security.c
152	+++ b/security/security.c
153	@@ -468,20 +468,24 @@ void security_inode_delete(struct inode
154	security_ops->inode_delete(inode);
155	}
156
157	-int security_inode_setxattr(struct dentry dentry, const char name,
158	- const void *value, size_t size, int flags)
159	+int security_inode_setxattr(struct dentry dentry, struct vfsmount mnt,
160	+ const char name, const void value, size_t size,
161	+ int flags)
162	{
163	if (unlikely(IS_PRIVATE(dentry->d_inode)))
164	return 0;
165	- return security_ops->inode_setxattr(dentry, name, value, size, flags);
166	+ return security_ops->inode_setxattr(dentry, mnt, name, value, size,
167	+ flags);
168	}
169
170	-void security_inode_post_setxattr(struct dentry dentry, const char name,
171	- const void *value, size_t size, int flags)
172	+void security_inode_post_setxattr(struct dentry dentry, struct vfsmount mnt,
173	+ const char name, const void value,
174	+ size_t size, int flags)
175	{
176	if (unlikely(IS_PRIVATE(dentry->d_inode)))
177	return;
178	- security_ops->inode_post_setxattr(dentry, name, value, size, flags);
179	+ security_ops->inode_post_setxattr(dentry, mnt, name, value, size,
180	+ flags);
181	}
182
183	int security_inode_getxattr(struct dentry dentry, const char name)
184	--- a/security/selinux/hooks.c
185	+++ b/security/selinux/hooks.c
186	@@ -2713,8 +2713,9 @@ static int selinux_inode_setotherxattr(s
187	return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
188	}
189
190	-static int selinux_inode_setxattr(struct dentry dentry, const char name,
191	- const void *value, size_t size, int flags)
192	+static int selinux_inode_setxattr(struct dentry dentry, struct vfsmount mnt,
193	+ const char name, const void value,
194	+ size_t size, int flags)
195	{
196	struct task_security_struct *tsec = current->security;
197	struct inode *inode = dentry->d_inode;
198	@@ -2768,7 +2769,8 @@ static int selinux_inode_setxattr(struct
199	&ad);
200	}
201
202	-static void selinux_inode_post_setxattr(struct dentry dentry, const char name,
203	+static void selinux_inode_post_setxattr(struct dentry *dentry,
204	+ struct vfsmount mnt, const char name,
205	const void *value, size_t size,
206	int flags)
207	{
208	--- a/security/smack/smack_lsm.c
209	+++ b/security/smack/smack_lsm.c
210	@@ -595,6 +595,7 @@ static int smack_inode_getattr(struct vf
211	/**
212	* smack_inode_setxattr - Smack check for setting xattrs
213	* @dentry: the object
214	+ * @mnt: unused
215	* @name: name of the attribute
216	* @value: unused
217	* @size: unused
218	@@ -604,8 +605,9 @@ static int smack_inode_getattr(struct vf
219	*
220	* Returns 0 if access is permitted, an error code otherwise
221	*/
222	-static int smack_inode_setxattr(struct dentry dentry, const char name,
223	- const void *value, size_t size, int flags)
224	+static int smack_inode_setxattr(struct dentry dentry, struct vfsmount mnt,
225	+ const char name, const void value,
226	+ size_t size, int flags)
227	{
228	int rc = 0;
229
230	@@ -617,7 +619,7 @@ static int smack_inode_setxattr(struct d
231	if (size == 0)
232	rc = -EINVAL;
233	} else
234	- rc = cap_inode_setxattr(dentry, name, value, size, flags);
235	+ rc = cap_inode_setxattr(dentry, mnt, name, value, size, flags);
236
237	if (rc == 0)
238	rc = smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE);
239	@@ -628,6 +630,7 @@ static int smack_inode_setxattr(struct d
240	/**
241	* smack_inode_post_setxattr - Apply the Smack update approved above
242	* @dentry: object
243	+ * @mnt: unused
244	* @name: attribute name
245	* @value: attribute value
246	* @size: attribute size
247	@@ -636,7 +639,8 @@ static int smack_inode_setxattr(struct d
248	* Set the pointer in the inode blob to the entry found
249	* in the master label list.
250	*/
251	-static void smack_inode_post_setxattr(struct dentry dentry, const char name,
252	+static void smack_inode_post_setxattr(struct dentry *dentry,
253	+ struct vfsmount mnt, const char name,
254	const void *value, size_t size, int flags)
255	{
256	struct inode_smack *isp;