From: Hawk Xu <hxunix@gmail.com>
To: linux-security-module@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, jmorris@namei.org,
serue@us.ibm.com, chrisw@sous-sol.org, sds@tycho.nsa.gov,
greg@kroah.com, eparis@redhat.com
Subject: [PATCH] [RFC] security: add hook inode_post_removexattr
Date: Wed, 27 Jun 2007 20:52:07 +0800 [thread overview]
Message-ID: <46825D77.4050608@gmail.com> (raw)
Add hook inode_post_removexattr for updating inode security field after successful removexattr operation.
Signed-off-by: Hawk Xu <hxunix@gmail.com>
---
fs/xattr.c | 7 +++++--
include/linux/security.h | 19 +++++++++++++++++++
security/dummy.c | 6 ++++++
3 files changed, 30 insertions(+), 2 deletions(-)
diff --git a/fs/xattr.c b/fs/xattr.c
index 4523aca..22c2438 100644
--- a/fs/xattr.c
+++ b/fs/xattr.c
@@ -180,10 +180,13 @@ vfs_removexattr(struct dentry *dentry, char *name)
mutex_lock(&inode->i_mutex);
error = inode->i_op->removexattr(dentry, name);
+ if (!error) {
+ fsnotify_xattr(dentry);
+ security_inode_post_removexattr(dentry, name, value,
+ size, flags);
+ }
mutex_unlock(&inode->i_mutex);
- if (!error)
- fsnotify_xattr(dentry);
return error;
}
EXPORT_SYMBOL_GPL(vfs_removexattr);
diff --git a/include/linux/security.h b/include/linux/security.h
index 1a362c8..5100b23 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -393,6 +393,9 @@ struct request_sock;
* Check permission before removing the extended attribute
* identified by @name for @dentry.
* Return 0 if permission is granted.
+ * @inode_post_removexattr:
+ * Update inode security field after successful removexattr operation.
+ * @value identified by @name for @dentry.
* @inode_getsecurity:
* Copy the extended attribute representation of the security label
* associated with @name for @inode into @buffer. @buffer may be
@@ -1234,6 +1237,8 @@ struct security_operations {
int (*inode_getxattr) (struct dentry *dentry, char *name);
int (*inode_listxattr) (struct dentry *dentry);
int (*inode_removexattr) (struct dentry *dentry, char *name);
+ void (*inode_post_removexattr) (struct dentry *dentry, char *name,
+ void *value, size_t size, int flags);
const char *(*inode_xattr_getsuffix) (void);
int (*inode_getsecurity)(const struct inode *inode, const char *name, void *buffer, size_t size, int err);
int (*inode_setsecurity)(struct inode *inode, const char *name, const void *value, size_t size, int flags);
@@ -1769,6 +1774,15 @@ static inline int security_inode_removexattr (struct dentry *dentry, char *name)
return security_ops->inode_removexattr (dentry, name);
}
+static inline void security_inode_post_removexattr (struct dentry *dentry,
+ char *name, void *value,
+ size_t size, int flags)
+{
+ if (unlikely (IS_PRIVATE (dentry->d_inode)))
+ return;
+ security_ops->inode_post_removexattr (dentry, name, value, size, flags);
+}
+
static inline const char *security_inode_xattr_getsuffix(void)
{
return security_ops->inode_xattr_getsuffix();
@@ -2452,6 +2466,11 @@ static inline int security_inode_removexattr (struct dentry *dentry, char *name)
return cap_inode_removexattr(dentry, name);
}
+static inline void security_inode_post_removexattr (struct dentry *dentry,
+ char *name, void *value,
+ size_t size, int flags)
+{ }
+
static inline const char *security_inode_xattr_getsuffix (void)
{
return NULL ;
diff --git a/security/dummy.c b/security/dummy.c
index bdd0d70..4953f06 100644
--- a/security/dummy.c
+++ b/security/dummy.c
@@ -377,6 +377,11 @@ static int dummy_inode_removexattr (struct dentry *dentry, char *name)
return 0;
}
+static void dummy_inode_post_removexattr (struct dentry *dentry, char *name,
+ void *value, size_t size, int flags)
+{
+}
+
static int dummy_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err)
{
return -EOPNOTSUPP;
@@ -1014,6 +1019,7 @@ void security_fixup_ops (struct security_operations *ops)
set_to_dummy_if_null(ops, inode_getxattr);
set_to_dummy_if_null(ops, inode_listxattr);
set_to_dummy_if_null(ops, inode_removexattr);
+ set_to_dummy_if_null(ops, inode_post_removexattr);
set_to_dummy_if_null(ops, inode_xattr_getsuffix);
set_to_dummy_if_null(ops, inode_getsecurity);
set_to_dummy_if_null(ops, inode_setsecurity);
next reply other threads:[~2007-06-27 12:52 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-06-27 12:52 Hawk Xu [this message]
2007-06-27 13:12 ` [PATCH] [RFC] security: add hook inode_post_removexattr Chris Wright
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=46825D77.4050608@gmail.com \
--to=hxunix@gmail.com \
--cc=chrisw@sous-sol.org \
--cc=eparis@redhat.com \
--cc=greg@kroah.com \
--cc=jmorris@namei.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=sds@tycho.nsa.gov \
--cc=serue@us.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.