Revert "Move xen patchset to new version's subdir."
1 From: Tony Jones <tonyj@suse.de>
2 Subject: Pass struct vfsmount to the inode_unlink LSM hook
3
4 This is needed for computing pathnames in the AppArmor LSM.
5
6 Signed-off-by: Tony Jones <tonyj@suse.de>
7 Signed-off-by: Andreas Gruenbacher <agruen@suse.de>
8 Signed-off-by: John Johansen <jjohansen@suse.de>
9
10 ---
11 fs/namei.c | 2 +-
12 include/linux/security.h | 10 +++++++---
13 security/capability.c | 3 ++-
14 security/security.c | 5 +++--
15 security/selinux/hooks.c | 5 +++--
16 security/smack/smack_lsm.c | 4 +++-
17 6 files changed, 19 insertions(+), 10 deletions(-)
18
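--- a/fs/namei.c
+++ b/fs/namei.c
@@ -2264,7 +2264,7 @@ int vfs_unlink(struct inode *dir, struct
 if (d_mountpoint(dentry))
 error = -EBUSY;
 else {
- error = security_inode_unlink(dir, dentry);
+ error = security_inode_unlink(dir, dentry, mnt);
 if (!error)
 error = dir->i_op->unlink(dir, dentry);
 }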
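Review bot: `mnt` is passed to `security_inode_unlink(dir, dentry, mnt)` but is not declared anywhere in this hunk, and the vfs_unlink() signature in the hunk header is cut off, so it presumably arrives as a parameter added by an earlier patch in the series. If that is the case, this patch does not build on its own and the description should name that prerequisite. The body of vfs_unlink starts and ends outside the hunk, so how callers obtain the mount cannot be checked from here.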
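--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -352,6 +352,7 @@ static inline void security_free_mnt_opt
 * Check the permission to remove a hard link to a file.
 * @dir contains the inode structure of parent directory of the file.
 * @dentry contains the dentry structure for file to be unlinked.
+ * @mnt is the vfsmount corresponding to @dentry (may be NULL).
 * Return 0 if permission is granted.
 * @inode_symlink:
 * Check the permission to create a symbolic link to a file.
@@ -1368,7 +1369,8 @@ struct security_operations {
 int (*inode_link) (struct dentry *old_dentry, struct vfsmount *old_mnt,
 struct inode *dir, struct dentry *new_dentry,
 struct vfsmount *new_mnt);
- int (*inode_unlink) (struct inode *dir, struct dentry *dentry);
+ int (*inode_unlink) (struct inode *dir, struct dentry *dentry,
+ struct vfsmount *mnt);
 int (*inode_symlink) (struct inode *dir, struct dentry *dentry,
 struct vfsmount *mnt, const char *old_name);
 int (*inode_mkdir) (struct inode *dir, struct dentry *dentry,
@@ -1640,7 +1642,8 @@ int security_inode_create(struct inode *
 int security_inode_link(struct dentry *old_dentry, struct vfsmount *old_mnt,
 struct inode *dir, struct dentry *new_dentry,
 struct vfsmount *new_mnt);
-int security_inode_unlink(struct inode *dir, struct dentry *dentry);
+int security_inode_unlink(struct inode *dir, struct dentry *dentry,
+ struct vfsmount *mnt);
 int security_inode_symlink(struct inode *dir, struct dentry *dentry,
 struct vfsmount *mnt, const char *old_name);
 int security_inode_mkdir(struct inode *dir, struct dentry *dentry,
@@ -2003,7 +2006,8 @@ static inline int security_inode_link(st
 }
 
 static inline int security_inode_unlink(struct inode *dir,
- struct dentry *dentry)
+ struct dentry *dentry,
+ struct vfsmount *mnt)
 {
 return 0;
 }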
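Review bot: The new kernel-doc line `@mnt is the vfsmount corresponding to @dentry (may be NULL).` permits a NULL mount without saying what a hook is expected to do with one. A module that builds a pathname from @mnt, which the description gives as the reason for this change, cannot evaluate a path rule when it is NULL, so the comment should state whether such a call is to be denied or left unmediated. Hook implementations also need to test @mnt before dereferencing it. Wording such as `@mnt is the vfsmount corresponding to @dentry, or NULL if the caller has none; path-based modules must check for NULL.` would make that contract explicit.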
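--- a/security/capability.c
+++ b/security/capability.c
@@ -167,7 +167,8 @@ static int cap_inode_link(struct dentry
 return 0;
 }
 
-static int cap_inode_unlink(struct inode *inode, struct dentry *dentry)
+static int cap_inode_unlink(struct inode *inode, struct dentry *dentry,
+ struct vfsmount *mnt)
 {
 return 0;
 }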
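--- a/security/security.c
+++ b/security/security.c
@@ -376,11 +376,12 @@ int security_inode_link(struct dentry *o
 new_dentry, new_mnt);
 }
 
-int security_inode_unlink(struct inode *dir, struct dentry *dentry)
+int security_inode_unlink(struct inode *dir, struct dentry *dentry,
+ struct vfsmount *mnt)
 {
 if (unlikely(IS_PRIVATE(dentry->d_inode)))
 return 0;
- return security_ops->inode_unlink(dir, dentry);
+ return security_ops->inode_unlink(dir, dentry, mnt);
 }
 
 int security_inode_symlink(struct inode *dir, struct dentry *dentry,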
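--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2587,11 +2587,12 @@ static int selinux_inode_link(struct den
 return may_link(dir, old_dentry, MAY_LINK);
 }
 
-static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
+static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry,
+ struct vfsmount *mnt)
 {
 int rc;
 
- rc = secondary_ops->inode_unlink(dir, dentry);
+ rc = secondary_ops->inode_unlink(dir, dentry, mnt);
 if (rc)
 return rc;
 return may_link(dir, dentry, MAY_UNLINK);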
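--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -454,11 +454,13 @@ static int smack_inode_link(struct dentr
 * smack_inode_unlink - Smack check on inode deletion
 * @dir: containing directory object
 * @dentry: file to unlink
+ * @mnt: vfsmount of file to unlink
 *
 * Returns 0 if current can write the containing directory
 * and the object, error code otherwise
 */
-static int smack_inode_unlink(struct inode *dir, struct dentry *dentry)
+static int smack_inode_unlink(struct inode *dir, struct dentry *dentry,
+ struct vfsmount *mnt)
 {
 struct inode *ip = dentry->d_inode;
 int rc;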
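Review bot: The added kernel-doc line `@mnt: vfsmount of file to unlink` omits that the argument may be NULL, although the hook description in include/linux/security.h says so for the same parameter. Suggest `@mnt: vfsmount of file to unlink (may be NULL)` so that a later change to this function does not dereference it unchecked. Whether Smack uses @mnt at all cannot be seen here, because the body of smack_inode_unlink continues past the end of the hunk.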