1 From: Tony Jones <tonyj@suse.de>
2 Subject: Pass the struct vfsmounts to the inode_link LSM hook
3
4 This is needed for computing pathnames in the AppArmor LSM.
5
6 Signed-off-by: Tony Jones <tonyj@suse.de>
7 Signed-off-by: Andreas Gruenbacher <agruen@suse.de>
8 Signed-off-by: John Johansen <jjohansen@suse.de>
9
10 ---
11 fs/namei.c | 3 ++-
12 include/linux/security.h | 18 ++++++++++++------
13 security/capability.c | 5 +++--
14 security/security.c | 8 +++++---
15 security/selinux/hooks.c | 9 +++++++--
16 security/smack/smack_lsm.c | 5 +++--
17 6 files changed, 32 insertions(+), 16 deletions(-)
18
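--- a/fs/namei.c
+++ b/fs/namei.c
@@ -2437,7 +2437,8 @@ int vfs_link(struct dentry *old_dentry,
 if (S_ISDIR(inode->i_mode))
 return -EPERM;
 
- error = security_inode_link(old_dentry, dir, new_dentry);
+ error = security_inode_link(old_dentry, old_mnt, dir, new_dentry,
+ new_mnt);
 if (error)
 return error;
 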
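Review bot: The new call relies on `old_mnt` and `new_mnt` already being parameters of vfs_link, whose signature is outside this hunk (only the prefix `int vfs_link(struct dentry *old_dentry,` is visible in the hunk header), so this patch presumably depends on an earlier patch in the series having widened vfs_link and its callers; if it is applied standalone the hunk will not compile. It is also worth confirming at this call site that the two mounts really are the ones the respective dentries resolve under, because the header in this same patch declares both as possibly NULL and every pathname-computing hook has to cope with that case. vfs_link's body begins and ends outside the hunk.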
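--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -343,8 +343,10 @@ static inline void security_free_mnt_opt
 * @inode_link:
 * Check permission before creating a new hard link to a file.
 * @old_dentry contains the dentry structure for an existing link to the file.
+ * @old_mnt is the vfsmount corresponding to @old_dentry (may be NULL).
 * @dir contains the inode structure of the parent directory of the new link.
 * @new_dentry contains the dentry structure for the new link.
+ * @new_mnt is the vfsmount corresponding to @new_dentry (may be NULL).
 * Return 0 if permission is granted.
 * @inode_unlink:
 * Check the permission to remove a hard link to a file.
@@ -1362,8 +1364,9 @@ struct security_operations {
 char **name, void **value, size_t *len);
 int (*inode_create) (struct inode *dir, struct dentry *dentry,
 struct vfsmount *mnt, int mode);
- int (*inode_link) (struct dentry *old_dentry,
- struct inode *dir, struct dentry *new_dentry);
+ int (*inode_link) (struct dentry *old_dentry, struct vfsmount *old_mnt,
+ struct inode *dir, struct dentry *new_dentry,
+ struct vfsmount *new_mnt);
 int (*inode_unlink) (struct inode *dir, struct dentry *dentry);
 int (*inode_symlink) (struct inode *dir, struct dentry *dentry,
 struct vfsmount *mnt, const char *old_name);
@@ -1632,8 +1635,9 @@ int security_inode_init_security(struct
 char **name, void **value, size_t *len);
 int security_inode_create(struct inode *dir, struct dentry *dentry,
 struct vfsmount *mnt, int mode);
-int security_inode_link(struct dentry *old_dentry, struct inode *dir,
- struct dentry *new_dentry);
+int security_inode_link(struct dentry *old_dentry, struct vfsmount *old_mnt,
+ struct inode *dir, struct dentry *new_dentry,
+ struct vfsmount *new_mnt);
 int security_inode_unlink(struct inode *dir, struct dentry *dentry);
 int security_inode_symlink(struct inode *dir, struct dentry *dentry,
 struct vfsmount *mnt, const char *old_name);
@@ -1987,8 +1991,10 @@ static inline int security_inode_create(
 }
 
 static inline int security_inode_link(struct dentry *old_dentry,
- struct inode *dir,
- struct dentry *new_dentry)
+ struct vfsmount *old_mnt,
+ struct inode *dir,
+ struct dentry *new_dentry,
+ struct vfsmount *new_mnt)
 {
 return 0;
 }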
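Review bot: The kernel-doc added in the first hunk states that each vfsmount "may be NULL" but not what a hook is expected to do then; since the commit message gives pathname computation as the purpose, an implementation that dereferences the mount unconditionally would fault on exactly those callers. Suggest making the contract explicit on the two new lines, e.g. `* @old_mnt is the vfsmount corresponding to @old_dentry (may be NULL, in which case no pathname can be derived for it).` with the matching wording for @new_mnt, so implementers treat NULL as "no path available" rather than as a caller bug. The inline stub in the last hunk returns 0 and ignores the new parameters, which is fine for a no-op fallback.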
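--- a/security/capability.c
+++ b/security/capability.c
@@ -160,8 +160,9 @@ static int cap_inode_create(struct inode
 return 0;
 }
 
-static int cap_inode_link(struct dentry *old_dentry, struct inode *inode,
- struct dentry *new_dentry)
+static int cap_inode_link(struct dentry *old_dentry, struct vfsmount *old_mnt,
+ struct inode *inode,
+ struct dentry *new_dentry, struct vfsmount *new_mnt)
 {
 return 0;
 }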
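--- a/security/security.c
+++ b/security/security.c
@@ -366,12 +366,14 @@ int security_inode_create(struct inode *
 return security_ops->inode_create(dir, dentry, mnt, mode);
 }
 
-int security_inode_link(struct dentry *old_dentry, struct inode *dir,
- struct dentry *new_dentry)
+int security_inode_link(struct dentry *old_dentry, struct vfsmount *old_mnt,
+ struct inode *dir, struct dentry *new_dentry,
+ struct vfsmount *new_mnt)
 {
 if (unlikely(IS_PRIVATE(old_dentry->d_inode)))
 return 0;
- return security_ops->inode_link(old_dentry, dir, new_dentry);
+ return security_ops->inode_link(old_dentry, old_mnt, dir,
+ new_dentry, new_mnt);
 }
 
 int security_inode_unlink(struct inode *dir, struct dentry *dentry)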
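--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2572,11 +2572,16 @@ static int selinux_inode_create(struct i
 return may_create(dir, dentry, SECCLASS_FILE);
 }
 
-static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
+static int selinux_inode_link(struct dentry *old_dentry,
+ struct vfsmount *old_mnt,
+ struct inode *dir,
+ struct dentry *new_dentry,
+ struct vfsmount *new_mnt)
 {
 int rc;
 
- rc = secondary_ops->inode_link(old_dentry, dir, new_dentry);
+ rc = secondary_ops->inode_link(old_dentry, old_mnt, dir, new_dentry,
+ new_mnt);
 if (rc)
 return rc;
 return may_link(dir, old_dentry, MAY_LINK);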
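--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -432,8 +432,9 @@ static int smack_inode_init_security(str
 *
 * Returns 0 if access is permitted, an error code otherwise
 */
-static int smack_inode_link(struct dentry *old_dentry, struct inode *dir,
- struct dentry *new_dentry)
+static int smack_inode_link(struct dentry *old_dentry, struct vfsmount *old_mnt,
+ struct inode *dir,
+ struct dentry *new_dentry, struct vfsmount *new_mnt)
 {
 int rc;
 char *isp;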
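Review bot: The kernel-doc comment above smack_inode_link gets no entries for the two parameters this hunk adds; only its tail (`*` and `* Returns 0 if access is permitted, an error code otherwise`) is inside the hunk, so the @-parameter list sits outside and presumably still describes only @old_dentry, @dir and @new_dentry. Add `* @old_mnt: vfsmount of @old_dentry (may be NULL)` and `* @new_mnt: vfsmount of @new_dentry (may be NULL)` to that list so kernel-doc does not report undocumented arguments. As in capability.c and selinux/hooks.c the new mounts are not used in the visible code, which is acceptable for hooks that do not compute pathnames; smack_inode_link's body continues past the end of the hunk.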