1 From: Jeff Mahoney <jeffm@suse.com>
2 Subject: [PATCH] apparmor: convert apparmor_inode_permission to path
4 patches.apparmor/add-security_path_permission added the ->path_permission
5 call. This patch converts apparmor_inode_permission to
6 apparmor_path_permission. The former is now a pass-all, which is how
7 it behaved in 2.6.26 if a NULL nameidata was passed.
9 Signed-off-by: Jeff Mahoney <jeffm@suse.com>
11 security/apparmor/lsm.c | 41 +++++++++++++++++++++++++++--------------
12 1 file changed, 27 insertions(+), 14 deletions(-)
14 --- a/security/apparmor/lsm.c
15 +++ b/security/apparmor/lsm.c
16 @@ -448,21 +448,9 @@ out:
20 -static int apparmor_inode_permission(struct inode *inode, int mask,
21 - struct nameidata *nd)
22 +static int apparmor_inode_permission(struct inode *inode, int mask)
26 - if (!nd || nd->flags & (LOOKUP_PARENT | LOOKUP_CONTINUE))
28 - mask = aa_mask_permissions(mask);
29 - if (S_ISDIR(inode->i_mode)) {
30 - check |= AA_CHECK_DIR;
31 - /* allow traverse accesses to directories */
34 - return aa_permission("inode_permission", inode, nd->dentry, nd->mnt,
39 static int apparmor_inode_setattr(struct dentry *dentry, struct vfsmount *mnt,
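Review bot: With `apparmor_inode_permission` reduced to the two-argument form and, per the commit description, turned into a pass-all, AppArmor's file mediation rests entirely on the `->path_permission` call being made everywhere the VFS used to reach this hook with a non-NULL nameidata. Any caller that reaches only `inode_permission` is now allowed without a profile check. The new body of the stub is not visible in this listing, so this is inferred from the description. The stub should carry a comment that says so, for example `/* No vfsmount available here: mediation happens in apparmor_path_permission(); this hook allows everything. */`. The description would also be stronger if it named the call sites that were checked for a matching `path_permission` call.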
40 @@ -656,6 +644,29 @@ static int apparmor_file_mprotect(struct
41 !(vma->vm_flags & VM_SHARED) ? MAP_PRIVATE : 0);
44 +static int apparmor_path_permission(struct path *path, int mask)
46 + struct inode *inode;
52 + inode = path->dentry->d_inode;
54 + mask = aa_mask_permissions(mask);
55 + if (S_ISDIR(inode->i_mode)) {
56 + check |= AA_CHECK_DIR;
57 + /* allow traverse accesses to directories */
63 + return aa_permission("inode_permission", inode, path->dentry,
64 + path->mnt, mask, check);
67 static int apparmor_task_alloc_security(struct task_struct *task)
69 return aa_clone(task);
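Review bot: `apparmor_path_permission` evaluates `S_ISDIR(inode->i_mode)` right after `inode = path->dentry->d_inode;`, and the lines shown contain no check that `path` is non-NULL or that the dentry has an inode. Several lines of the function are missing from this listing, so a guard may exist. If it does not, a line such as `if (!path || !path->dentry->d_inode) return 0;` before the `S_ISDIR` test makes the decision explicit, and the allow result matches what the description says the old hook did for a NULL nameidata. Separately, the call still passes `"inode_permission"` as the first argument of `aa_permission`. If that string is the operation name that ends up in audit records, denials from the new hook will be attributed to the old one. Either rename it or add `/* operation name kept as "inode_permission" so existing audit consumers still match */`.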
70 @@ -800,6 +811,8 @@ struct security_operations apparmor_ops
71 .file_mprotect = apparmor_file_mprotect,
72 .file_lock = apparmor_file_lock,
74 + .path_permission = apparmor_path_permission,
76 .task_alloc_security = apparmor_task_alloc_security,
77 .task_free_security = apparmor_task_free_security,
78 .task_post_setuid = cap_task_post_setuid,