src/patches/suse-2.6.27.25/patches.apparmor/security-getxattr.diff

   1 From: Tony Jones <tonyj@suse.de>
   2 Subject: Pass struct vfsmount to the inode_getxattr LSM hook
   3
   4 This is needed for computing pathnames in the AppArmor LSM.
   5
   6 Signed-off-by: Tony Jones <tonyj@suse.de>
   7 Signed-off-by: Andreas Gruenbacher <agruen@suse.de>
   8 Signed-off-by: John Johansen <jjohansen@suse.de>
   9
  10 ---
  11  fs/xattr.c                 |    2 +-
  12  include/linux/security.h   |   11 +++++++----
  13  security/capability.c      |    3 ++-
  14  security/security.c        |    5 +++--
  15  security/selinux/hooks.c   |    3 ++-
  16  security/smack/smack_lsm.c |    4 +++-
  17  6 files changed, 18 insertions(+), 10 deletions(-)
  18
  19 --- a/fs/xattr.c
  20 +++ b/fs/xattr.c
  21 @@ -141,7 +141,7 @@ vfs_getxattr(struct dentry *dentry, stru
  22         if (error)
  23                 return error;
  24
  25 -       error = security_inode_getxattr(dentry, name);
  26 +       error = security_inode_getxattr(dentry, mnt, name);
  27         if (error)
  28                 return error;
  29
  30 --- a/include/linux/security.h
  31 +++ b/include/linux/security.h
  32 @@ -446,7 +446,7 @@ static inline void security_free_mnt_opt
  33   *     @value identified by @name for @dentry and @mnt.
  34   * @inode_getxattr:
  35   *     Check permission before obtaining the extended attributes
  36 - *     identified by @name for @dentry.
  37 + *     identified by @name for @dentry and @mnt.
  38   *     Return 0 if permission is granted.
  39   * @inode_listxattr:
  40   *     Check permission before obtaining the list of extended attribute
  41 @@ -1400,7 +1400,8 @@ struct security_operations {
  42                                      struct vfsmount *mnt,
  43                                      const char *name, const void *value,
  44                                      size_t size, int flags);
  45 -       int (*inode_getxattr) (struct dentry *dentry, const char *name);
  46 +       int (*inode_getxattr) (struct dentry *dentry, struct vfsmount *mnt,
  47 +                              const char *name);
  48         int (*inode_listxattr) (struct dentry *dentry);
  49         int (*inode_removexattr) (struct dentry *dentry, const char *name);
  50         int (*inode_need_killpriv) (struct dentry *dentry);
  51 @@ -1676,7 +1677,8 @@ int security_inode_setxattr(struct dentr
  52  void security_inode_post_setxattr(struct dentry *dentry, struct vfsmount *mnt,
  53                                   const char *name, const void *value,
  54                                   size_t size, int flags);
  55 -int security_inode_getxattr(struct dentry *dentry, const char *name);
  56 +int security_inode_getxattr(struct dentry *dentry, struct vfsmount *mnt,
  57 +                           const char *name);
  58  int security_inode_listxattr(struct dentry *dentry);
  59  int security_inode_removexattr(struct dentry *dentry, const char *name);
  60  int security_inode_need_killpriv(struct dentry *dentry);
  61 @@ -2113,7 +2115,8 @@ static inline void security_inode_post_s
  62  { }
  63
  64  static inline int security_inode_getxattr(struct dentry *dentry,
  65 -                       const char *name)
  66 +                                         struct vfsmount *mnt,
  67 +                                         const char *name)
  68  {
  69         return 0;
  70  }
  71 --- a/security/capability.c
  72 +++ b/security/capability.c
  73 @@ -241,7 +241,8 @@ static void cap_inode_post_setxattr(stru
  74  {
  75  }
  76
  77 -static int cap_inode_getxattr(struct dentry *dentry, const char *name)
  78 +static int cap_inode_getxattr(struct dentry *dentry, struct vfsmount *mnt,
  79 +                             const char *name)
  80  {
  81         return 0;
  82  }
  83 --- a/security/security.c
  84 +++ b/security/security.c
  85 @@ -491,11 +491,12 @@ void security_inode_post_setxattr(struct
  86                                           flags);
  87  }
  88
  89 -int security_inode_getxattr(struct dentry *dentry, const char *name)
  90 +int security_inode_getxattr(struct dentry *dentry, struct vfsmount *mnt,
  91 +                           const char *name)
  92  {
  93         if (unlikely(IS_PRIVATE(dentry->d_inode)))
  94                 return 0;
  95 -       return security_ops->inode_getxattr(dentry, name);
  96 +       return security_ops->inode_getxattr(dentry, mnt, name);
  97  }
  98
  99  int security_inode_listxattr(struct dentry *dentry)
 100 --- a/security/selinux/hooks.c
 101 +++ b/security/selinux/hooks.c
 102 @@ -2796,7 +2796,8 @@ static void selinux_inode_post_setxattr(
 103         return;
 104  }
 105
 106 -static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
 107 +static int selinux_inode_getxattr(struct dentry *dentry, struct vfsmount *mnt,
 108 +                                 const char *name)
 109  {
 110         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
 111  }
 112 --- a/security/smack/smack_lsm.c
 113 +++ b/security/smack/smack_lsm.c
 114 @@ -673,11 +673,13 @@ static void smack_inode_post_setxattr(st
 115  /*
 116   * smack_inode_getxattr - Smack check on getxattr
 117   * @dentry: the object
 118 + * @mnt: unused
 119   * @name: unused
 120   *
 121   * Returns 0 if access is permitted, an error code otherwise
 122   */
 123 -static int smack_inode_getxattr(struct dentry *dentry, const char *name)
 124 +static int smack_inode_getxattr(struct dentry *dentry, struct vfsmount *mnt,
 125 +                               const char *name)
 126  {
 127         return smk_curacc(smk_of_inode(dentry->d_inode), MAY_READ);
 128  }