Revert "Move xen patchset to new version's subdir."
1 From: Tony Jones <tonyj@suse.de>
2 Subject: Pass struct vfsmount to the inode_rmdir LSM hook
3
4 This is needed for computing pathnames in the AppArmor LSM.
5
6 Signed-off-by: Tony Jones <tonyj@suse.de>
7 Signed-off-by: Andreas Gruenbacher <agruen@suse.de>
8 Signed-off-by: John Johansen <jjohansen@suse.de>
9
10 ---
11 fs/namei.c | 2 +-
12 include/linux/security.h | 10 +++++++---
13 security/capability.c | 3 ++-
14 security/security.c | 5 +++--
15 security/selinux/hooks.c | 3 ++-
16 security/smack/smack_lsm.c | 4 +++-
17 6 files changed, 18 insertions(+), 9 deletions(-)
18
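--- a/fs/namei.c
+++ b/fs/namei.c
@@ -2184,7 +2184,7 @@ int vfs_rmdir(struct inode *dir, struct
 if (d_mountpoint(dentry))
 error = -EBUSY;
 else {
- error = security_inode_rmdir(dir, dentry);
+ error = security_inode_rmdir(dir, dentry, mnt);
 if (!error) {
 error = dir->i_op->rmdir(dir, dentry);
 if (!error)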
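Review bot: `mnt` is passed to `security_inode_rmdir()` in the changed line, but nothing in this patch declares it: the diffstat gives fs/namei.c a single changed line, and the hunk header cuts off the parameter list of `vfs_rmdir`. Presumably an earlier patch in the series adds a `struct vfsmount *mnt` parameter to `vfs_rmdir`. The description should name that prerequisite so the patch is not applied or backported out of order. The body of `vfs_rmdir` starts and ends outside the hunk.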
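--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -372,6 +372,7 @@ static inline void security_free_mnt_opt
 * Check the permission to remove a directory.
 * @dir contains the inode structure of parent of the directory to be removed.
 * @dentry contains the dentry structure of directory to be removed.
+ * @mnt is the vfsmount corresponding to @dentry (may be NULL).
 * Return 0 if permission is granted.
 * @inode_mknod:
 * Check permissions when creating a special file (or a socket or a fifo
@@ -1372,7 +1373,8 @@ struct security_operations {
 struct vfsmount *mnt, const char *old_name);
 int (*inode_mkdir) (struct inode *dir, struct dentry *dentry,
 struct vfsmount *mnt, int mode);
- int (*inode_rmdir) (struct inode *dir, struct dentry *dentry);
+ int (*inode_rmdir) (struct inode *dir, struct dentry *dentry,
+ struct vfsmount *mnt);
 int (*inode_mknod) (struct inode *dir, struct dentry *dentry,
 struct vfsmount *mnt, int mode, dev_t dev);
 int (*inode_rename) (struct inode *old_dir, struct dentry *old_dentry,
@@ -1643,7 +1645,8 @@ int security_inode_symlink(struct inode
 struct vfsmount *mnt, const char *old_name);
 int security_inode_mkdir(struct inode *dir, struct dentry *dentry,
 struct vfsmount *mnt, int mode);
-int security_inode_rmdir(struct inode *dir, struct dentry *dentry);
+int security_inode_rmdir(struct inode *dir, struct dentry *dentry,
+ struct vfsmount *mnt);
 int security_inode_mknod(struct inode *dir, struct dentry *dentry,
 struct vfsmount *mnt, int mode, dev_t dev);
 int security_inode_rename(struct inode *old_dir, struct dentry *old_dentry,
@@ -2022,7 +2025,8 @@ static inline int security_inode_mkdir(s
 }
 
 static inline int security_inode_rmdir(struct inode *dir,
- struct dentry *dentry)
+ struct dentry *dentry,
+ struct vfsmount *mnt)
 {
 return 0;
 }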
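Review bot: The kernel-doc line added in the first hunk, `@mnt is the vfsmount corresponding to @dentry (may be NULL).`, allows NULL without saying when a caller passes it or what a hook must do then. The commit message says the parameter exists so AppArmor can compute pathnames, so a path-based hook that receives NULL has to either deny or skip mediation, and that choice decides whether some rmdir paths go unchecked. I would state the contract in the comment, for example ` * @mnt is the vfsmount corresponding to @dentry; may be NULL when the caller has no mount context, so hooks must check it before dereferencing and document their fallback.` The `inode_rmdir` member and the two prototypes in the later hunks inherit the same contract.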
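--- a/security/capability.c
+++ b/security/capability.c
@@ -184,7 +184,8 @@ static int cap_inode_mkdir(struct inode
 return 0;
 }
 
-static int cap_inode_rmdir(struct inode *inode, struct dentry *dentry)
+static int cap_inode_rmdir(struct inode *inode, struct dentry *dentry,
+ struct vfsmount *mnt)
 {
 return 0;
 }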
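--- a/security/security.c
+++ b/security/security.c
@@ -399,11 +399,12 @@ int security_inode_mkdir(struct inode *d
 return security_ops->inode_mkdir(dir, dentry, mnt, mode);
 }
 
-int security_inode_rmdir(struct inode *dir, struct dentry *dentry)
+int security_inode_rmdir(struct inode *dir, struct dentry *dentry,
+ struct vfsmount *mnt)
 {
 if (unlikely(IS_PRIVATE(dentry->d_inode)))
 return 0;
- return security_ops->inode_rmdir(dir, dentry);
+ return security_ops->inode_rmdir(dir, dentry, mnt);
 }
 
 int security_inode_mknod(struct inode *dir, struct dentry *dentry,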
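--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2609,7 +2609,8 @@ static int selinux_inode_mkdir(struct in
 return may_create(dir, dentry, SECCLASS_DIR);
 }
 
-static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
+static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry,
+ struct vfsmount *mnt)
 {
 return may_link(dir, dentry, MAY_RMDIR);
 }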
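--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -480,11 +480,13 @@ static int smack_inode_unlink(struct ino
 * smack_inode_rmdir - Smack check on directory deletion
 * @dir: containing directory object
 * @dentry: directory to unlink
+ * @mnt: vfsmount @dentry to unlink
 *
 * Returns 0 if current can write the containing directory
 * and the directory, error code otherwise
 */
-static int smack_inode_rmdir(struct inode *dir, struct dentry *dentry)
+static int smack_inode_rmdir(struct inode *dir, struct dentry *dentry,
+ struct vfsmount *mnt)
 {
 int rc;
 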
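Review bot: The added kernel-doc line `@mnt: vfsmount @dentry to unlink` does not read as a description of the parameter; it looks like a partial copy of the `@dentry` line above it. I would write ` * @mnt: vfsmount corresponding to @dentry (may be NULL)`, matching the wording this patch adds in include/linux/security.h. The body of `smack_inode_rmdir` continues past the end of the hunk, so whether `mnt` is used there cannot be seen from here. If it is unused, the comment should say so.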