From: Miklos Szeredi <miklos@szeredi.hu>
To: linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org
Cc: jmorris@namei.org, sds@tycho.nsa.gov, eparis@redhat.com,
casey@schaufler-ca.com, agruen@suse.de, jjohansen@suse.de,
penguin-kernel@I-love.SAKURA.ne.jp, hch@infradead.org,
viro@ZenIV.linux.org.uk, linux-kernel@vger.kernel.org
Subject: [patch 01/15] security: pass path to inode_create
Date: Thu, 29 May 2008 15:49:04 +0200 [thread overview]
Message-ID: <20080529134958.655985182@szeredi.hu> (raw)
In-Reply-To: 20080529134903.615127628@szeredi.hu
[-- Attachment #1: security_create_path.patch --]
[-- Type: text/plain, Size: 6218 bytes --]
From: Miklos Szeredi <mszeredi@suse.cz>
In the inode_create() security operation and related functions pass
the path (vfsmount + dentry) to the parent directory instead of the
inode. AppArmor will need this.
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
---
fs/namei.c | 12 ++++++------
include/linux/security.h | 9 ++++-----
security/dummy.c | 4 ++--
security/security.c | 4 ++--
security/selinux/hooks.c | 5 +++--
5 files changed, 17 insertions(+), 17 deletions(-)
Index: linux-2.6/fs/namei.c
===================================================================
--- linux-2.6.orig/fs/namei.c 2008-05-29 12:20:49.000000000 +0200
+++ linux-2.6/fs/namei.c 2008-05-29 12:20:51.000000000 +0200
@@ -1586,11 +1586,11 @@ void unlock_rename(struct dentry *p1, st
}
}
-static int vfs_create(struct dentry *dir_dentry, struct dentry *dentry,
+static int vfs_create(struct path *dir_path, struct dentry *dentry,
int mode, struct nameidata *nd)
{
- struct inode *dir = dir_dentry->d_inode;
- int error = may_create(dir_dentry, dentry);
+ struct inode *dir = dir_path->dentry->d_inode;
+ int error = may_create(dir_path->dentry, dentry);
if (error)
return error;
@@ -1599,7 +1599,7 @@ static int vfs_create(struct dentry *dir
return -EACCES; /* shouldn't it be ENOSYS? */
mode &= S_IALLUGO;
mode |= S_IFREG;
- error = security_inode_create(dir, dentry, mode);
+ error = security_inode_create(dir_path, dentry, mode);
if (error)
return error;
DQUOT_INIT(dir);
@@ -1615,7 +1615,7 @@ int path_create(struct path *dir_path, s
int error = mnt_want_write(dir_path->mnt);
if (!error) {
- error = vfs_create(dir_path->dentry, dentry, mode, nd);
+ error = vfs_create(dir_path, dentry, mode, nd);
mnt_drop_write(dir_path->mnt);
}
@@ -1718,7 +1718,7 @@ static int __open_namei_create(struct na
if (!IS_POSIXACL(dir->d_inode))
mode &= ~current->fs->umask;
- error = vfs_create(dir, path->dentry, mode, nd);
+ error = vfs_create(&nd->path, path->dentry, mode, nd);
mutex_unlock(&dir->d_inode->i_mutex);
dput(nd->path.dentry);
nd->path.dentry = path->dentry;
Index: linux-2.6/include/linux/security.h
===================================================================
--- linux-2.6.orig/include/linux/security.h 2008-05-29 12:20:48.000000000 +0200
+++ linux-2.6/include/linux/security.h 2008-05-29 12:20:51.000000000 +0200
@@ -339,7 +339,7 @@ static inline void security_free_mnt_opt
* -ENOMEM on memory allocation failure.
* @inode_create:
* Check permission to create a regular file.
- * @dir contains inode structure of the parent of the new file.
+ * @dir contains the path to the parent of the new file.
* @dentry contains the dentry structure for the file to be created.
* @mode contains the file mode of the file to be created.
* Return 0 if permission is granted.
@@ -1353,8 +1353,7 @@ struct security_operations {
void (*inode_free_security) (struct inode *inode);
int (*inode_init_security) (struct inode *inode, struct inode *dir,
char **name, void **value, size_t *len);
- int (*inode_create) (struct inode *dir,
- struct dentry *dentry, int mode);
+ int (*inode_create) (struct path *dir, struct dentry *dentry, int mode);
int (*inode_link) (struct dentry *old_dentry,
struct inode *dir, struct dentry *new_dentry);
int (*inode_unlink) (struct inode *dir, struct dentry *dentry);
@@ -1626,7 +1625,7 @@ int security_inode_alloc(struct inode *i
void security_inode_free(struct inode *inode);
int security_inode_init_security(struct inode *inode, struct inode *dir,
char **name, void **value, size_t *len);
-int security_inode_create(struct inode *dir, struct dentry *dentry, int mode);
+int security_inode_create(struct path *dir, struct dentry *dentry, int mode);
int security_inode_link(struct dentry *old_dentry, struct inode *dir,
struct dentry *new_dentry);
int security_inode_unlink(struct inode *dir, struct dentry *dentry);
@@ -1964,7 +1963,7 @@ static inline int security_inode_init_se
return -EOPNOTSUPP;
}
-static inline int security_inode_create(struct inode *dir,
+static inline int security_inode_create(struct path *dir,
struct dentry *dentry,
int mode)
{
Index: linux-2.6/security/dummy.c
===================================================================
--- linux-2.6.orig/security/dummy.c 2008-05-29 12:20:48.000000000 +0200
+++ linux-2.6/security/dummy.c 2008-05-29 12:20:51.000000000 +0200
@@ -286,8 +286,8 @@ static int dummy_inode_init_security (st
return -EOPNOTSUPP;
}
-static int dummy_inode_create (struct inode *inode, struct dentry *dentry,
- int mask)
+static int dummy_inode_create(struct path *dir, struct dentry *dentry,
+ int mask)
{
return 0;
}
Index: linux-2.6/security/selinux/hooks.c
===================================================================
--- linux-2.6.orig/security/selinux/hooks.c 2008-05-29 12:20:48.000000000 +0200
+++ linux-2.6/security/selinux/hooks.c 2008-05-29 12:20:51.000000000 +0200
@@ -2482,9 +2482,10 @@ static int selinux_inode_init_security(s
return 0;
}
-static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
+static int selinux_inode_create(struct path *dir, struct dentry *dentry,
+ int mask)
{
- return may_create(dir, dentry, SECCLASS_FILE);
+ return may_create(dir->dentry->d_inode, dentry, SECCLASS_FILE);
}
static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
Index: linux-2.6/security/security.c
===================================================================
--- linux-2.6.orig/security/security.c 2008-05-29 12:20:48.000000000 +0200
+++ linux-2.6/security/security.c 2008-05-29 12:20:51.000000000 +0200
@@ -388,9 +388,9 @@ int security_inode_init_security(struct
}
EXPORT_SYMBOL(security_inode_init_security);
-int security_inode_create(struct inode *dir, struct dentry *dentry, int mode)
+int security_inode_create(struct path *dir, struct dentry *dentry, int mode)
{
- if (unlikely(IS_PRIVATE(dir)))
+ if (unlikely(IS_PRIVATE(dir->dentry->d_inode)))
return 0;
return security_ops->inode_create(dir, dentry, mode);
}
--
next prev parent reply other threads:[~2008-05-29 13:54 UTC|newest]
Thread overview: 51+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-05-29 13:49 [patch 00/15] security: pass path instead of inode to security ops Miklos Szeredi
2008-05-29 13:49 ` Miklos Szeredi [this message]
2008-05-31 8:30 ` [patch 01/15] security: pass path to inode_create Christoph Hellwig
2008-05-31 10:48 ` Tetsuo Handa
2008-06-01 20:52 ` Miklos Szeredi
2008-06-02 6:01 ` Christoph Hellwig
2008-06-02 7:02 ` Miklos Szeredi
2008-06-02 9:13 ` Christoph Hellwig
2008-06-02 9:32 ` Miklos Szeredi
2008-06-02 9:36 ` Christoph Hellwig
2008-06-02 9:52 ` Miklos Szeredi
2008-06-02 10:42 ` Christoph Hellwig
2008-06-02 10:55 ` Miklos Szeredi
2008-06-02 11:04 ` Pekka Enberg
2008-06-02 11:13 ` Miklos Szeredi
2008-06-02 15:05 ` Evgeniy Polyakov
2008-06-02 15:31 ` Toshiharu Harada
2008-06-02 15:51 ` Evgeniy Polyakov
2008-06-02 16:29 ` Toshiharu Harada
2008-06-02 16:52 ` Evgeniy Polyakov
2008-06-02 23:37 ` Toshiharu Harada
2008-06-03 6:08 ` Miklos Szeredi
2008-06-02 18:59 ` Serge E. Hallyn
2008-06-02 10:04 ` Andreas Gruenbacher
2008-06-02 11:23 ` Matthew Wilcox
2008-06-02 11:34 ` Miklos Szeredi
2008-06-02 11:52 ` Miklos Szeredi
2008-06-02 12:32 ` Matthew Wilcox
2008-06-02 12:45 ` Andreas Gruenbacher
2008-06-02 12:49 ` Matthew Wilcox
2008-06-02 13:24 ` Andreas Gruenbacher
2008-06-14 8:27 ` Tetsuo Handa
2008-06-03 13:43 ` Stephen Smalley
2008-06-04 5:09 ` Tetsuo Handa
2008-05-29 13:49 ` [patch 02/15] security: pass path to inode_mknod Miklos Szeredi
2008-05-29 13:49 ` [patch 03/15] security: pass path to inode_mkdir Miklos Szeredi
2008-05-29 13:49 ` [patch 04/15] security: pass path to inode_rmdir Miklos Szeredi
2008-05-29 13:49 ` [patch 05/15] security: pass path to inode_unlink Miklos Szeredi
2008-05-29 13:49 ` [patch 06/15] security: pass path to inode_symlink Miklos Szeredi
2008-05-29 13:49 ` [patch 07/15] security: pass path to inode_link Miklos Szeredi
2008-05-29 13:49 ` [patch 08/15] security: pass path to inode_rename Miklos Szeredi
2008-05-29 13:49 ` [patch 09/15] security: pass path to inode_setattr Miklos Szeredi
2008-05-29 13:49 ` [patch 10/15] security: pass path to inode_getxattr Miklos Szeredi
2008-05-29 13:49 ` [patch 11/15] security: pass path to inode_listxattr Miklos Szeredi
2008-05-29 13:49 ` [patch 12/15] security: pass path to inode_setxattr Miklos Szeredi
2008-05-29 13:49 ` [patch 13/15] security: pass path to inode_removexattr Miklos Szeredi
2008-05-29 13:49 ` [patch 14/15] vfs: more path_permission() conversions Miklos Szeredi
2008-05-29 13:49 ` [patch 15/15] security: pass path to inode_permission Miklos Szeredi
2008-05-30 13:37 ` [patch 00/15] security: pass path instead of inode to security ops Tetsuo Handa
2008-05-30 17:17 ` Miklos Szeredi
2008-05-31 0:33 ` Tetsuo Handa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20080529134958.655985182@szeredi.hu \
--to=miklos@szeredi.hu \
--cc=agruen@suse.de \
--cc=casey@schaufler-ca.com \
--cc=eparis@redhat.com \
--cc=hch@infradead.org \
--cc=jjohansen@suse.de \
--cc=jmorris@namei.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=penguin-kernel@I-love.SAKURA.ne.jp \
--cc=sds@tycho.nsa.gov \
--cc=viro@ZenIV.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.