1 From: Tony Jones <tonyj@suse.de>
2 Subject: Pass struct vfsmount to the inode_setxattr LSM hook
4 This is needed for computing pathnames in the AppArmor LSM.
6 Signed-off-by: Tony Jones <tonyj@suse.de>
7 Signed-off-by: Andreas Gruenbacher <agruen@suse.de>
8 Signed-off-by: John Johansen <jjohansen@suse.de>
12 include/linux/security.h | 41 ++++++++++++++++++++++++++---------------
13 security/capability.c | 3 ++-
14 security/commoncap.c | 5 +++--
15 security/security.c | 16 ++++++++++------
16 security/selinux/hooks.c | 8 +++++---
17 security/smack/smack_lsm.c | 12 ++++++++----
18 7 files changed, 56 insertions(+), 33 deletions(-)
22 @@ -78,7 +78,7 @@ vfs_setxattr(struct dentry *dentry, stru
25 mutex_lock(&inode->i_mutex);
26 - error = security_inode_setxattr(dentry, name, value, size, flags);
27 + error = security_inode_setxattr(dentry, mnt, name, value, size, flags);
31 @@ -86,7 +86,7 @@ vfs_setxattr(struct dentry *dentry, stru
32 error = inode->i_op->setxattr(dentry, name, value, size, flags);
34 fsnotify_xattr(dentry);
35 - security_inode_post_setxattr(dentry, name, value,
36 + security_inode_post_setxattr(dentry, mnt, name, value,
39 } else if (!strncmp(name, XATTR_SECURITY_PREFIX,
40 --- a/include/linux/security.h
41 +++ b/include/linux/security.h
42 @@ -54,8 +54,9 @@ extern void cap_capset_set(struct task_s
43 extern int cap_bprm_set_security(struct linux_binprm *bprm);
44 extern void cap_bprm_apply_creds(struct linux_binprm *bprm, int unsafe);
45 extern int cap_bprm_secureexec(struct linux_binprm *bprm);
46 -extern int cap_inode_setxattr(struct dentry *dentry, const char *name,
47 - const void *value, size_t size, int flags);
48 +extern int cap_inode_setxattr(struct dentry *dentry, struct vfsmount *mnt,
49 + const char *name, const void *value, size_t size,
51 extern int cap_inode_removexattr(struct dentry *dentry, const char *name);
52 extern int cap_inode_need_killpriv(struct dentry *dentry);
53 extern int cap_inode_killpriv(struct dentry *dentry);
54 @@ -438,11 +439,11 @@ static inline void security_free_mnt_opt
57 * Check permission before setting the extended attributes
58 - * @value identified by @name for @dentry.
59 + * @value identified by @name for @dentry and @mnt.
60 * Return 0 if permission is granted.
61 * @inode_post_setxattr:
62 * Update inode security field after successful setxattr operation.
63 - * @value identified by @name for @dentry.
64 + * @value identified by @name for @dentry and @mnt.
66 * Check permission before obtaining the extended attributes
67 * identified by @name for @dentry.
68 @@ -1392,10 +1393,13 @@ struct security_operations {
70 int (*inode_getattr) (struct vfsmount *mnt, struct dentry *dentry);
71 void (*inode_delete) (struct inode *inode);
72 - int (*inode_setxattr) (struct dentry *dentry, const char *name,
73 - const void *value, size_t size, int flags);
74 - void (*inode_post_setxattr) (struct dentry *dentry, const char *name,
75 - const void *value, size_t size, int flags);
76 + int (*inode_setxattr) (struct dentry *dentry, struct vfsmount *mnt,
77 + const char *name, const void *value, size_t size,
79 + void (*inode_post_setxattr) (struct dentry *dentry,
80 + struct vfsmount *mnt,
81 + const char *name, const void *value,
82 + size_t size, int flags);
83 int (*inode_getxattr) (struct dentry *dentry, const char *name);
84 int (*inode_listxattr) (struct dentry *dentry);
85 int (*inode_removexattr) (struct dentry *dentry, const char *name);
86 @@ -1666,10 +1670,12 @@ int security_inode_setattr(struct dentry
88 int security_inode_getattr(struct vfsmount *mnt, struct dentry *dentry);
89 void security_inode_delete(struct inode *inode);
90 -int security_inode_setxattr(struct dentry *dentry, const char *name,
91 - const void *value, size_t size, int flags);
92 -void security_inode_post_setxattr(struct dentry *dentry, const char *name,
93 - const void *value, size_t size, int flags);
94 +int security_inode_setxattr(struct dentry *dentry, struct vfsmount *mnt,
95 + const char *name, const void *value,
96 + size_t size, int flags);
97 +void security_inode_post_setxattr(struct dentry *dentry, struct vfsmount *mnt,
98 + const char *name, const void *value,
99 + size_t size, int flags);
100 int security_inode_getxattr(struct dentry *dentry, const char *name);
101 int security_inode_listxattr(struct dentry *dentry);
102 int security_inode_removexattr(struct dentry *dentry, const char *name);
103 @@ -2092,13 +2098,18 @@ static inline void security_inode_delete
106 static inline int security_inode_setxattr(struct dentry *dentry,
107 - const char *name, const void *value, size_t size, int flags)
108 + struct vfsmount *mnt,
109 + const char *name, const void *value,
110 + size_t size, int flags)
112 - return cap_inode_setxattr(dentry, name, value, size, flags);
113 + return cap_inode_setxattr(dentry, mnt, name, value, size, flags);
116 static inline void security_inode_post_setxattr(struct dentry *dentry,
117 - const char *name, const void *value, size_t size, int flags)
118 + struct vfsmount *mnt,
121 + size_t size, int flags)
124 static inline int security_inode_getxattr(struct dentry *dentry,
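Review bot: The new hook signatures put the mount after the dentry, `(struct dentry *dentry, struct vfsmount *mnt, ...)`, while the existing `inode_getattr` hook two lines above in the same `struct security_operations` takes `(struct vfsmount *mnt, struct dentry *dentry)`, so both orders will now coexist in the ops table and in every LSM; either is defensible, but the choice should be deliberate and mentioned in the description. Independently, the hook documentation now reads "for @dentry and @mnt" without saying what @mnt is or whether it may be NULL, which matters because a path-based LSM will dereference it; the comment above `@inode_setxattr` (and `@inode_post_setxattr`) should state the contract, e.g. ` * @mnt is the vfsmount @dentry was reached through; state here whether callers may pass NULL`. I cannot tell from this page whether any vfs_setxattr caller passes a NULL mnt, so that is worth confirming before AppArmor relies on it. The same signatures recur in the security.c, selinux/hooks.c and smack_lsm.c hunks below; the point applies once to all of them.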
125 --- a/security/capability.c
126 +++ b/security/capability.c
127 @@ -235,7 +235,8 @@ static void cap_inode_delete(struct inod
131 -static void cap_inode_post_setxattr(struct dentry *dentry, const char *name,
132 +static void cap_inode_post_setxattr(struct dentry *dentry, struct vfsmount *mnt,
134 const void *value, size_t size, int flags)
137 --- a/security/commoncap.c
138 +++ b/security/commoncap.c
139 @@ -414,8 +414,9 @@ int cap_bprm_secureexec (struct linux_bi
140 current->egid != current->gid);
143 -int cap_inode_setxattr(struct dentry *dentry, const char *name,
144 - const void *value, size_t size, int flags)
145 +int cap_inode_setxattr(struct dentry *dentry, struct vfsmount *mnt,
146 + const char *name, const void *value, size_t size,
149 if (!strcmp(name, XATTR_NAME_CAPS)) {
150 if (!capable(CAP_SETFCAP))
151 --- a/security/security.c
152 +++ b/security/security.c
153 @@ -468,20 +468,24 @@ void security_inode_delete(struct inode
154 security_ops->inode_delete(inode);
157 -int security_inode_setxattr(struct dentry *dentry, const char *name,
158 - const void *value, size_t size, int flags)
159 +int security_inode_setxattr(struct dentry *dentry, struct vfsmount *mnt,
160 + const char *name, const void *value, size_t size,
163 if (unlikely(IS_PRIVATE(dentry->d_inode)))
165 - return security_ops->inode_setxattr(dentry, name, value, size, flags);
166 + return security_ops->inode_setxattr(dentry, mnt, name, value, size,
170 -void security_inode_post_setxattr(struct dentry *dentry, const char *name,
171 - const void *value, size_t size, int flags)
172 +void security_inode_post_setxattr(struct dentry *dentry, struct vfsmount *mnt,
173 + const char *name, const void *value,
174 + size_t size, int flags)
176 if (unlikely(IS_PRIVATE(dentry->d_inode)))
178 - security_ops->inode_post_setxattr(dentry, name, value, size, flags);
179 + security_ops->inode_post_setxattr(dentry, mnt, name, value, size,
183 int security_inode_getxattr(struct dentry *dentry, const char *name)
184 --- a/security/selinux/hooks.c
185 +++ b/security/selinux/hooks.c
186 @@ -2713,8 +2713,9 @@ static int selinux_inode_setotherxattr(s
187 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
190 -static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
191 - const void *value, size_t size, int flags)
192 +static int selinux_inode_setxattr(struct dentry *dentry, struct vfsmount *mnt,
193 + const char *name, const void *value,
194 + size_t size, int flags)
196 struct task_security_struct *tsec = current->security;
197 struct inode *inode = dentry->d_inode;
198 @@ -2768,7 +2769,8 @@ static int selinux_inode_setxattr(struct
202 -static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
203 +static void selinux_inode_post_setxattr(struct dentry *dentry,
204 + struct vfsmount *mnt, const char *name,
205 const void *value, size_t size,
208 --- a/security/smack/smack_lsm.c
209 +++ b/security/smack/smack_lsm.c
210 @@ -595,6 +595,7 @@ static int smack_inode_getattr(struct vf
212 * smack_inode_setxattr - Smack check for setting xattrs
213 * @dentry: the object
215 * @name: name of the attribute
218 @@ -604,8 +605,9 @@ static int smack_inode_getattr(struct vf
220 * Returns 0 if access is permitted, an error code otherwise
222 -static int smack_inode_setxattr(struct dentry *dentry, const char *name,
223 - const void *value, size_t size, int flags)
224 +static int smack_inode_setxattr(struct dentry *dentry, struct vfsmount *mnt,
225 + const char *name, const void *value,
226 + size_t size, int flags)
230 @@ -617,7 +619,7 @@ static int smack_inode_setxattr(struct d
234 - rc = cap_inode_setxattr(dentry, name, value, size, flags);
235 + rc = cap_inode_setxattr(dentry, mnt, name, value, size, flags);
238 rc = smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE);
239 @@ -628,6 +630,7 @@ static int smack_inode_setxattr(struct d
241 * smack_inode_post_setxattr - Apply the Smack update approved above
244 * @name: attribute name
245 * @value: attribute value
246 * @size: attribute size
247 @@ -636,7 +639,8 @@ static int smack_inode_setxattr(struct d
248 * Set the pointer in the inode blob to the entry found
249 * in the master label list.
251 -static void smack_inode_post_setxattr(struct dentry *dentry, const char *name,
252 +static void smack_inode_post_setxattr(struct dentry *dentry,
253 + struct vfsmount *mnt, const char *name,
254 const void *value, size_t size, int flags)
256 struct inode_smack *isp;