1 From: Tony Jones <tonyj@suse.de>
2 Subject: Pass struct vfsmount to the inode_removexattr LSM hook
3
4 This is needed for computing pathnames in the AppArmor LSM.
5
6 Signed-off-by: Tony Jones <tonyj@suse.de>
7 Signed-off-by: Andreas Gruenbacher <agruen@suse.de>
8 Signed-off-by: John Johansen <jjohansen@suse.de>
9
10 ---
11 fs/xattr.c | 2 +-
12 include/linux/security.h | 14 +++++++++-----
13 security/commoncap.c | 3 ++-
14 security/security.c | 5 +++--
15 security/selinux/hooks.c | 3 ++-
16 security/smack/smack_lsm.c | 6 ++++--
17 6 files changed, 21 insertions(+), 12 deletions(-)
18
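--- a/fs/xattr.c
+++ b/fs/xattr.c
@@ -202,7 +202,7 @@ vfs_removexattr(struct dentry *dentry, s
 if (error)
 return error;
 
-error = security_inode_removexattr(dentry, name);
+error = security_inode_removexattr(dentry, mnt, name);
 if (error)
 return error;
 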
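--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -57,7 +57,8 @@ extern int cap_bprm_secureexec(struct li
 extern int cap_inode_setxattr(struct dentry *dentry, struct vfsmount *mnt,
 const char *name, const void *value, size_t size,
 int flags);
-extern int cap_inode_removexattr(struct dentry *dentry, const char *name);
+extern int cap_inode_removexattr(struct dentry *dentry, struct vfsmount *mnt,
+const char *name);
 extern int cap_inode_need_killpriv(struct dentry *dentry);
 extern int cap_inode_killpriv(struct dentry *dentry);
 extern int cap_task_post_setuid(uid_t old_ruid, uid_t old_euid, uid_t old_suid, int flags);
@@ -1403,7 +1404,8 @@ struct security_operations {
 int (*inode_getxattr) (struct dentry *dentry, struct vfsmount *mnt,
 const char *name);
 int (*inode_listxattr) (struct dentry *dentry, struct vfsmount *mnt);
-int (*inode_removexattr) (struct dentry *dentry, const char *name);
+int (*inode_removexattr) (struct dentry *dentry, struct vfsmount *mnt,
+const char *name);
 int (*inode_need_killpriv) (struct dentry *dentry);
 int (*inode_killpriv) (struct dentry *dentry);
 int (*inode_getsecurity) (const struct inode *inode, const char *name, void **buffer, bool alloc);
@@ -1680,7 +1682,8 @@ void security_inode_post_setxattr(struct
 int security_inode_getxattr(struct dentry *dentry, struct vfsmount *mnt,
 const char *name);
 int security_inode_listxattr(struct dentry *dentry, struct vfsmount *mnt);
-int security_inode_removexattr(struct dentry *dentry, const char *name);
+int security_inode_removexattr(struct dentry *dentry, struct vfsmount *mnt,
+const char *name);
 int security_inode_need_killpriv(struct dentry *dentry);
 int security_inode_killpriv(struct dentry *dentry);
 int security_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc);
@@ -2128,9 +2131,10 @@ static inline int security_inode_listxat
 }
 
 static inline int security_inode_removexattr(struct dentry *dentry,
-const char *name)
+struct vfsmount *mnt,
+const char *name)
 {
-return cap_inode_removexattr(dentry, name);
+return cap_inode_removexattr(dentry, mnt, name);
 }
 
 static inline int security_inode_need_killpriv(struct dentry *dentry)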
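Review bot: The `inode_removexattr` member of `struct security_operations` gains a `struct vfsmount *mnt` parameter in the second hunk, but none of the four hunks touches the descriptive comment block that documents each hook's parameters in this header, so the new argument's meaning for LSM authors is left undefined. If that block lists `@inode_removexattr` parameters (it is outside these hunks, so I cannot confirm), it should gain a matching line, e.g. `@mnt the vfsmount the dentry was reached through, for LSMs that compute pathnames`. The sibling `inode_getxattr`/`inode_listxattr` hooks shown as context already take `mnt`, so the wording used for them can be reused verbatim. The `!CONFIG_SECURITY` stub in the last hunk forwards `mnt` to `cap_inode_removexattr` unchanged, which keeps the two build configurations consistent.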
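--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -429,7 +429,8 @@ int cap_inode_setxattr(struct dentry *de
 return 0;
 }
 
-int cap_inode_removexattr(struct dentry *dentry, const char *name)
+int cap_inode_removexattr(struct dentry *dentry, struct vfsmount *mnt,
+const char *name)
 {
 if (!strcmp(name, XATTR_NAME_CAPS)) {
 if (!capable(CAP_SETFCAP))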
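--- a/security/security.c
+++ b/security/security.c
@@ -506,11 +506,12 @@ int security_inode_listxattr(struct dent
 return security_ops->inode_listxattr(dentry, mnt);
 }
 
-int security_inode_removexattr(struct dentry *dentry, const char *name)
+int security_inode_removexattr(struct dentry *dentry, struct vfsmount *mnt,
+const char *name)
 {
 if (unlikely(IS_PRIVATE(dentry->d_inode)))
 return 0;
-return security_ops->inode_removexattr(dentry, name);
+return security_ops->inode_removexattr(dentry, mnt, name);
 }
 
 int security_inode_need_killpriv(struct dentry *dentry)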
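Review bot: `security_inode_removexattr` forwards `mnt` to `security_ops->inode_removexattr` with no statement of what callers may pass, and the single visible caller in fs/xattr.c only shows that a variable named `mnt` exists in `vfs_removexattr`, not where it comes from. Because the commit description says AppArmor derives pathnames from this argument, a hook that dereferences it will be sensitive to any call path that cannot supply a real mount; whether such a path exists cannot be seen from these hunks. Pinning the contract at this wrapper avoids each LSM guessing: add above the definition `/* @mnt: mount the dentry was reached through; hooks must not assume it is non-NULL unless every caller of vfs_removexattr guarantees it */`, or, if every caller is audited, state the guarantee instead. The `IS_PRIVATE` early return is unchanged and still bypasses the hook for private inodes regardless of `mnt`.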
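--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2807,7 +2807,8 @@ static int selinux_inode_listxattr(struc
 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
 }
 
-static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
+static int selinux_inode_removexattr(struct dentry *dentry,
+struct vfsmount *mnt, const char *name)
 {
 if (strcmp(name, XATTR_NAME_SELINUX))
 return selinux_inode_setotherxattr(dentry, name);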
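--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -687,13 +687,15 @@ static int smack_inode_getxattr(struct d
 /*
 * smack_inode_removexattr - Smack check on removexattr
 * @dentry: the object
+* @mnt: unused
 * @name: name of the attribute
 *
 * Removing the Smack attribute requires CAP_MAC_ADMIN
 *
 * Returns 0 if access is permitted, an error code otherwise
 */
-static int smack_inode_removexattr(struct dentry *dentry, const char *name)
+static int smack_inode_removexattr(struct dentry *dentry, struct vfsmount *mnt,
+const char *name)
 {
 int rc = 0;
 
@@ -703,7 +705,7 @@ static int smack_inode_removexattr(struc
 if (!capable(CAP_MAC_ADMIN))
 rc = -EPERM;
 } else
-rc = cap_inode_removexattr(dentry, name);
+rc = cap_inode_removexattr(dentry, mnt, name);
 
 if (rc == 0)
 rc = smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE);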
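Review bot: The kerneldoc line added in the first hunk, `@mnt: unused`, is contradicted by the second hunk, where `mnt` is passed on in `rc = cap_inode_removexattr(dentry, mnt, name);` for every attribute other than Smack's own. Smack itself does not inspect the mount, but a reader of the comment would conclude the value is irrelevant and could legitimately be NULL, which is not true once the capability helper or a stacked pathname-based check receives it. Replace the line with `* @mnt: the vfsmount, forwarded to cap_inode_removexattr for non-Smack attributes`. The body of `smack_inode_removexattr` between the two hunks (the XATTR_NAME comparison that selects the CAP_MAC_ADMIN branch) is outside this view.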