[patch 00/15] security: pass path instead of inode to security ops

[patch 00/15] security: pass path instead of inode to security ops

[Miklos Szeredi]

This series is in preparation for the AppArmor merge.  It's rather
boring, except perhaps the last two patches, which deal with
permission().

VFS API is touched very little, since the path has already been passed
down by callers.

This is based on the vfs-cleanups(*) tree + the 8 patches posted
recently (which will be added to this tree shortly).  If no problems
are found I'll create a new "apparmor" branch on that tree and commit
these patches there.

Thanks,
Miklos

(*) git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs.git vfs-cleanups

--

[patch 01/15] security: pass path to inode_create

[Miklos Szeredi]

[-- Attachment #1: security_create_path.patch --]
[-- Type: text/plain, Size: 6218 bytes --]

From: Miklos Szeredi <mszeredi@suse.cz>

In the inode_create() security operation and related functions pass
the path (vfsmount + dentry) to the parent directory instead of the
inode.  AppArmor will need this.

Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
---
 fs/namei.c               |   12 ++++++------
 include/linux/security.h |    9 ++++-----
 security/dummy.c         |    4 ++--
 security/security.c      |    4 ++--
 security/selinux/hooks.c |    5 +++--
 5 files changed, 17 insertions(+), 17 deletions(-)

Index: linux-2.6/fs/namei.c
===================================================================
--- linux-2.6.orig/fs/namei.c	2008-05-29 12:20:49.000000000 +0200
+++ linux-2.6/fs/namei.c	2008-05-29 12:20:51.000000000 +0200
@@ -1586,11 +1586,11 @@ void unlock_rename(struct dentry *p1, st
 	}
 }
 
-static int vfs_create(struct dentry *dir_dentry, struct dentry *dentry,
+static int vfs_create(struct path *dir_path, struct dentry *dentry,
 		      int mode,	struct nameidata *nd)
 {
-	struct inode *dir = dir_dentry->d_inode;
-	int error = may_create(dir_dentry, dentry);
+	struct inode *dir = dir_path->dentry->d_inode;
+	int error = may_create(dir_path->dentry, dentry);
 
 	if (error)
 		return error;
@@ -1599,7 +1599,7 @@ static int vfs_create(struct dentry *dir
 		return -EACCES;	/* shouldn't it be ENOSYS? */
 	mode &= S_IALLUGO;
 	mode |= S_IFREG;
-	error = security_inode_create(dir, dentry, mode);
+	error = security_inode_create(dir_path, dentry, mode);
 	if (error)
 		return error;
 	DQUOT_INIT(dir);
@@ -1615,7 +1615,7 @@ int path_create(struct path *dir_path, s
 	int error = mnt_want_write(dir_path->mnt);
 
 	if (!error) {
-		error = vfs_create(dir_path->dentry, dentry, mode, nd);
+		error = vfs_create(dir_path, dentry, mode, nd);
 		mnt_drop_write(dir_path->mnt);
 	}
 
@@ -1718,7 +1718,7 @@ static int __open_namei_create(struct na
 
 	if (!IS_POSIXACL(dir->d_inode))
 		mode &= ~current->fs->umask;
-	error = vfs_create(dir, path->dentry, mode, nd);
+	error = vfs_create(&nd->path, path->dentry, mode, nd);
 	mutex_unlock(&dir->d_inode->i_mutex);
 	dput(nd->path.dentry);
 	nd->path.dentry = path->dentry;
Index: linux-2.6/include/linux/security.h
===================================================================
--- linux-2.6.orig/include/linux/security.h	2008-05-29 12:20:48.000000000 +0200
+++ linux-2.6/include/linux/security.h	2008-05-29 12:20:51.000000000 +0200
@@ -339,7 +339,7 @@ static inline void security_free_mnt_opt
  *		-ENOMEM on memory allocation failure.
  * @inode_create:
  *	Check permission to create a regular file.
- *	@dir contains inode structure of the parent of the new file.
+ *	@dir contains the path to the parent of the new file.
  *	@dentry contains the dentry structure for the file to be created.
  *	@mode contains the file mode of the file to be created.
  *	Return 0 if permission is granted.
@@ -1353,8 +1353,7 @@ struct security_operations {
 	void (*inode_free_security) (struct inode *inode);
 	int (*inode_init_security) (struct inode *inode, struct inode *dir,
 				    char **name, void **value, size_t *len);
-	int (*inode_create) (struct inode *dir,
-			     struct dentry *dentry, int mode);
+	int (*inode_create) (struct path *dir, struct dentry *dentry, int mode);
 	int (*inode_link) (struct dentry *old_dentry,
 			   struct inode *dir, struct dentry *new_dentry);
 	int (*inode_unlink) (struct inode *dir, struct dentry *dentry);
@@ -1626,7 +1625,7 @@ int security_inode_alloc(struct inode *i
 void security_inode_free(struct inode *inode);
 int security_inode_init_security(struct inode *inode, struct inode *dir,
 				  char **name, void **value, size_t *len);
-int security_inode_create(struct inode *dir, struct dentry *dentry, int mode);
+int security_inode_create(struct path *dir, struct dentry *dentry, int mode);
 int security_inode_link(struct dentry *old_dentry, struct inode *dir,
 			 struct dentry *new_dentry);
 int security_inode_unlink(struct inode *dir, struct dentry *dentry);
@@ -1964,7 +1963,7 @@ static inline int security_inode_init_se
 	return -EOPNOTSUPP;
 }
 
-static inline int security_inode_create(struct inode *dir,
+static inline int security_inode_create(struct path *dir,
 					 struct dentry *dentry,
 					 int mode)
 {
Index: linux-2.6/security/dummy.c
===================================================================
--- linux-2.6.orig/security/dummy.c	2008-05-29 12:20:48.000000000 +0200
+++ linux-2.6/security/dummy.c	2008-05-29 12:20:51.000000000 +0200
@@ -286,8 +286,8 @@ static int dummy_inode_init_security (st
 	return -EOPNOTSUPP;
 }
 
-static int dummy_inode_create (struct inode *inode, struct dentry *dentry,
-			       int mask)
+static int dummy_inode_create(struct path *dir, struct dentry *dentry,
+			      int mask)
 {
 	return 0;
 }
Index: linux-2.6/security/selinux/hooks.c
===================================================================
--- linux-2.6.orig/security/selinux/hooks.c	2008-05-29 12:20:48.000000000 +0200
+++ linux-2.6/security/selinux/hooks.c	2008-05-29 12:20:51.000000000 +0200
@@ -2482,9 +2482,10 @@ static int selinux_inode_init_security(s
 	return 0;
 }
 
-static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
+static int selinux_inode_create(struct path *dir, struct dentry *dentry,
+				int mask)
 {
-	return may_create(dir, dentry, SECCLASS_FILE);
+	return may_create(dir->dentry->d_inode, dentry, SECCLASS_FILE);
 }
 
 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
Index: linux-2.6/security/security.c
===================================================================
--- linux-2.6.orig/security/security.c	2008-05-29 12:20:48.000000000 +0200
+++ linux-2.6/security/security.c	2008-05-29 12:20:51.000000000 +0200
@@ -388,9 +388,9 @@ int security_inode_init_security(struct 
 }
 EXPORT_SYMBOL(security_inode_init_security);
 
-int security_inode_create(struct inode *dir, struct dentry *dentry, int mode)
+int security_inode_create(struct path *dir, struct dentry *dentry, int mode)
 {
-	if (unlikely(IS_PRIVATE(dir)))
+	if (unlikely(IS_PRIVATE(dir->dentry->d_inode)))
 		return 0;
 	return security_ops->inode_create(dir, dentry, mode);
 }

--

[patch 02/15] security: pass path to inode_mknod

[Miklos Szeredi]

[-- Attachment #1: security_mknod_path.patch --]
[-- Type: text/plain, Size: 6084 bytes --]

From: Miklos Szeredi <mszeredi@suse.cz>

In the inode_mknod() security operation and related functions pass the
path (vfsmount + dentry) to the parent directory instead of the inode.
AppArmor will need this.

Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
---
 fs/namei.c               |   10 +++++-----
 include/linux/security.h |    9 +++++----
 security/dummy.c         |    4 ++--
 security/security.c      |    5 +++--
 security/selinux/hooks.c |    6 ++++--
 5 files changed, 19 insertions(+), 15 deletions(-)

Index: linux-2.6/fs/namei.c
===================================================================
--- linux-2.6.orig/fs/namei.c	2008-05-29 12:20:51.000000000 +0200
+++ linux-2.6/fs/namei.c	2008-05-29 12:20:52.000000000 +0200
@@ -2044,11 +2044,11 @@ fail:
 }
 EXPORT_SYMBOL_GPL(lookup_create);
 
-static int vfs_mknod(struct dentry *dir_dentry, struct dentry *dentry,
+static int vfs_mknod(struct path *dir_path, struct dentry *dentry,
 		     int mode, dev_t dev)
 {
-	struct inode *dir = dir_dentry->d_inode;
-	int error = may_create(dir_dentry, dentry);
+	struct inode *dir = dir_path->dentry->d_inode;
+	int error = may_create(dir_path->dentry, dentry);
 
 	if (error)
 		return error;
@@ -2063,7 +2063,7 @@ static int vfs_mknod(struct dentry *dir_
 	if (error)
 		return error;
 
-	error = security_inode_mknod(dir, dentry, mode, dev);
+	error = security_inode_mknod(dir_path, dentry, mode, dev);
 	if (error)
 		return error;
 
@@ -2080,7 +2080,7 @@ int path_mknod(struct path *dir_path, st
 	int error = mnt_want_write(dir_path->mnt);
 
 	if (!error) {
-		error = vfs_mknod(dir_path->dentry, dentry, mode, dev);
+		error = vfs_mknod(dir_path, dentry, mode, dev);
 		mnt_drop_write(dir_path->mnt);
 	}
 
Index: linux-2.6/include/linux/security.h
===================================================================
--- linux-2.6.orig/include/linux/security.h	2008-05-29 12:20:51.000000000 +0200
+++ linux-2.6/include/linux/security.h	2008-05-29 12:20:52.000000000 +0200
@@ -377,7 +377,7 @@ static inline void security_free_mnt_opt
  *	file created via the mknod system call).  Note that if mknod operation
  *	is being done for a regular file, then the create hook will be called
  *	and not this hook.
- *	@dir contains the inode structure of parent of the new file.
+ *	@dir contains the path to the parent of the new file.
  *	@dentry contains the dentry structure of the new file.
  *	@mode contains the mode of the new file.
  *	@dev contains the device number.
@@ -1361,7 +1361,7 @@ struct security_operations {
 			      struct dentry *dentry, const char *old_name);
 	int (*inode_mkdir) (struct inode *dir, struct dentry *dentry, int mode);
 	int (*inode_rmdir) (struct inode *dir, struct dentry *dentry);
-	int (*inode_mknod) (struct inode *dir, struct dentry *dentry,
+	int (*inode_mknod) (struct path *dir, struct dentry *dentry,
 			    int mode, dev_t dev);
 	int (*inode_rename) (struct inode *old_dir, struct dentry *old_dentry,
 			     struct inode *new_dir, struct dentry *new_dentry);
@@ -1633,7 +1633,8 @@ int security_inode_symlink(struct inode 
 			   const char *old_name);
 int security_inode_mkdir(struct inode *dir, struct dentry *dentry, int mode);
 int security_inode_rmdir(struct inode *dir, struct dentry *dentry);
-int security_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev);
+int security_inode_mknod(struct path *dir, struct dentry *dentry, int mode,
+			 dev_t dev);
 int security_inode_rename(struct inode *old_dir, struct dentry *old_dentry,
 			  struct inode *new_dir, struct dentry *new_dentry);
 int security_inode_readlink(struct dentry *dentry);
@@ -2003,7 +2004,7 @@ static inline int security_inode_rmdir(s
 	return 0;
 }
 
-static inline int security_inode_mknod(struct inode *dir,
+static inline int security_inode_mknod(struct path *dir,
 					struct dentry *dentry,
 					int mode, dev_t dev)
 {
Index: linux-2.6/security/dummy.c
===================================================================
--- linux-2.6.orig/security/dummy.c	2008-05-29 12:20:51.000000000 +0200
+++ linux-2.6/security/dummy.c	2008-05-29 12:20:52.000000000 +0200
@@ -320,8 +320,8 @@ static int dummy_inode_rmdir (struct ino
 	return 0;
 }
 
-static int dummy_inode_mknod (struct inode *inode, struct dentry *dentry,
-			      int mode, dev_t dev)
+static int dummy_inode_mknod(struct path *dir, struct dentry *dentry,
+			     int mode, dev_t dev)
 {
 	return 0;
 }
Index: linux-2.6/security/security.c
===================================================================
--- linux-2.6.orig/security/security.c	2008-05-29 12:20:51.000000000 +0200
+++ linux-2.6/security/security.c	2008-05-29 12:20:52.000000000 +0200
@@ -432,9 +432,10 @@ int security_inode_rmdir(struct inode *d
 	return security_ops->inode_rmdir(dir, dentry);
 }
 
-int security_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
+int security_inode_mknod(struct path *dir, struct dentry *dentry, int mode,
+			 dev_t dev)
 {
-	if (unlikely(IS_PRIVATE(dir)))
+	if (unlikely(IS_PRIVATE(dir->dentry->d_inode)))
 		return 0;
 	return security_ops->inode_mknod(dir, dentry, mode, dev);
 }
Index: linux-2.6/security/selinux/hooks.c
===================================================================
--- linux-2.6.orig/security/selinux/hooks.c	2008-05-29 12:20:51.000000000 +0200
+++ linux-2.6/security/selinux/hooks.c	2008-05-29 12:20:52.000000000 +0200
@@ -2523,7 +2523,8 @@ static int selinux_inode_rmdir(struct in
 	return may_link(dir, dentry, MAY_RMDIR);
 }
 
-static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
+static int selinux_inode_mknod(struct path *dir, struct dentry *dentry,
+			       int mode, dev_t dev)
 {
 	int rc;
 
@@ -2531,7 +2532,8 @@ static int selinux_inode_mknod(struct in
 	if (rc)
 		return rc;
 
-	return may_create(dir, dentry, inode_mode_to_security_class(mode));
+	return may_create(dir->dentry->d_inode, dentry,
+			  inode_mode_to_security_class(mode));
 }
 
 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,

--

[patch 03/15] security: pass path to inode_mkdir

[Miklos Szeredi]

[-- Attachment #1: security_mkdir_path.patch --]
[-- Type: text/plain, Size: 5810 bytes --]

From: Miklos Szeredi <mszeredi@suse.cz>

In the inode_mkdir() security operation and related functions pass the
path (vfsmount + dentry) to the parent directory instead of the inode.
AppArmor will need this.

Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
---
 fs/namei.c               |   10 +++++-----
 include/linux/security.h |    8 ++++----
 security/dummy.c         |    4 ++--
 security/security.c      |    4 ++--
 security/selinux/hooks.c |    5 +++--
 5 files changed, 16 insertions(+), 15 deletions(-)

Index: linux-2.6/fs/namei.c
===================================================================
--- linux-2.6.orig/fs/namei.c	2008-05-29 12:20:52.000000000 +0200
+++ linux-2.6/fs/namei.c	2008-05-29 12:20:52.000000000 +0200
@@ -2143,10 +2143,10 @@ asmlinkage long sys_mknod(const char __u
 	return sys_mknodat(AT_FDCWD, filename, mode, dev);
 }
 
-static int vfs_mkdir(struct dentry *dir_dentry, struct dentry *dentry, int mode)
+static int vfs_mkdir(struct path *dir_path, struct dentry *dentry, int mode)
 {
-	struct inode *dir = dir_dentry->d_inode;
-	int error = may_create(dir_dentry, dentry);
+	struct inode *dir = dir_path->dentry->d_inode;
+	int error = may_create(dir_path->dentry, dentry);
 
 	if (error)
 		return error;
@@ -2155,7 +2155,7 @@ static int vfs_mkdir(struct dentry *dir_
 		return -EPERM;
 
 	mode &= (S_IRWXUGO|S_ISVTX);
-	error = security_inode_mkdir(dir, dentry, mode);
+	error = security_inode_mkdir(dir_path, dentry, mode);
 	if (error)
 		return error;
 
@@ -2171,7 +2171,7 @@ int path_mkdir(struct path *dir_path, st
 	int error = mnt_want_write(dir_path->mnt);
 
 	if (!error) {
-		error = vfs_mkdir(dir_path->dentry, dentry, mode);
+		error = vfs_mkdir(dir_path, dentry, mode);
 		mnt_drop_write(dir_path->mnt);
 	}
 
Index: linux-2.6/include/linux/security.h
===================================================================
--- linux-2.6.orig/include/linux/security.h	2008-05-29 12:20:52.000000000 +0200
+++ linux-2.6/include/linux/security.h	2008-05-29 12:20:52.000000000 +0200
@@ -363,7 +363,7 @@ static inline void security_free_mnt_opt
  * @inode_mkdir:
  *	Check permissions to create a new directory in the existing directory
  *	associated with inode strcture @dir.
- *	@dir containst the inode structure of parent of the directory to be created.
+ *	@dir contains the path to the parent of the new directory.
  *	@dentry contains the dentry structure of new directory.
  *	@mode contains the mode of new directory.
  *	Return 0 if permission is granted.
@@ -1359,7 +1359,7 @@ struct security_operations {
 	int (*inode_unlink) (struct inode *dir, struct dentry *dentry);
 	int (*inode_symlink) (struct inode *dir,
 			      struct dentry *dentry, const char *old_name);
-	int (*inode_mkdir) (struct inode *dir, struct dentry *dentry, int mode);
+	int (*inode_mkdir) (struct path *dir, struct dentry *dentry, int mode);
 	int (*inode_rmdir) (struct inode *dir, struct dentry *dentry);
 	int (*inode_mknod) (struct path *dir, struct dentry *dentry,
 			    int mode, dev_t dev);
@@ -1631,7 +1631,7 @@ int security_inode_link(struct dentry *o
 int security_inode_unlink(struct inode *dir, struct dentry *dentry);
 int security_inode_symlink(struct inode *dir, struct dentry *dentry,
 			   const char *old_name);
-int security_inode_mkdir(struct inode *dir, struct dentry *dentry, int mode);
+int security_inode_mkdir(struct path *dir, struct dentry *dentry, int mode);
 int security_inode_rmdir(struct inode *dir, struct dentry *dentry);
 int security_inode_mknod(struct path *dir, struct dentry *dentry, int mode,
 			 dev_t dev);
@@ -1991,7 +1991,7 @@ static inline int security_inode_symlink
 	return 0;
 }
 
-static inline int security_inode_mkdir(struct inode *dir,
+static inline int security_inode_mkdir(struct path *dir,
 					struct dentry *dentry,
 					int mode)
 {
Index: linux-2.6/security/dummy.c
===================================================================
--- linux-2.6.orig/security/dummy.c	2008-05-29 12:20:52.000000000 +0200
+++ linux-2.6/security/dummy.c	2008-05-29 12:20:52.000000000 +0200
@@ -309,8 +309,8 @@ static int dummy_inode_symlink (struct i
 	return 0;
 }
 
-static int dummy_inode_mkdir (struct inode *inode, struct dentry *dentry,
-			      int mask)
+static int dummy_inode_mkdir(struct path *dir, struct dentry *dentry,
+			     int mask)
 {
 	return 0;
 }
Index: linux-2.6/security/security.c
===================================================================
--- linux-2.6.orig/security/security.c	2008-05-29 12:20:52.000000000 +0200
+++ linux-2.6/security/security.c	2008-05-29 12:20:52.000000000 +0200
@@ -418,9 +418,9 @@ int security_inode_symlink(struct inode 
 	return security_ops->inode_symlink(dir, dentry, old_name);
 }
 
-int security_inode_mkdir(struct inode *dir, struct dentry *dentry, int mode)
+int security_inode_mkdir(struct path *dir, struct dentry *dentry, int mode)
 {
-	if (unlikely(IS_PRIVATE(dir)))
+	if (unlikely(IS_PRIVATE(dir->dentry->d_inode)))
 		return 0;
 	return security_ops->inode_mkdir(dir, dentry, mode);
 }
Index: linux-2.6/security/selinux/hooks.c
===================================================================
--- linux-2.6.orig/security/selinux/hooks.c	2008-05-29 12:20:52.000000000 +0200
+++ linux-2.6/security/selinux/hooks.c	2008-05-29 12:20:52.000000000 +0200
@@ -2513,9 +2513,10 @@ static int selinux_inode_symlink(struct 
 	return may_create(dir, dentry, SECCLASS_LNK_FILE);
 }
 
-static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
+static int selinux_inode_mkdir(struct path *dir, struct dentry *dentry,
+			       int mask)
 {
-	return may_create(dir, dentry, SECCLASS_DIR);
+	return may_create(dir->dentry->d_inode, dentry, SECCLASS_DIR);
 }
 
 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)

--

[patch 04/15] security: pass path to inode_rmdir

[Miklos Szeredi]

[-- Attachment #1: security_rmdir_path.patch --]
[-- Type: text/plain, Size: 6472 bytes --]

From: Miklos Szeredi <mszeredi@suse.cz>

In the inode_rmdir() security operation and related functions pass the
path (vfsmount + dentry) to the parent directory instead of the inode.
AppArmor will need this.

Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
---
 fs/namei.c                 |   10 +++++-----
 include/linux/security.h   |    8 ++++----
 security/dummy.c           |    2 +-
 security/security.c        |    2 +-
 security/selinux/hooks.c   |    4 ++--
 security/smack/smack_lsm.c |    4 ++--
 6 files changed, 15 insertions(+), 15 deletions(-)

Index: linux-2.6/fs/namei.c
===================================================================
--- linux-2.6.orig/fs/namei.c	2008-05-29 12:20:52.000000000 +0200
+++ linux-2.6/fs/namei.c	2008-05-29 12:20:53.000000000 +0200
@@ -2244,10 +2244,10 @@ void dentry_unhash(struct dentry *dentry
 	spin_unlock(&dcache_lock);
 }
 
-static int vfs_rmdir(struct dentry *dir_dentry, struct dentry *dentry)
+static int vfs_rmdir(struct path *dir_path, struct dentry *dentry)
 {
-	struct inode *dir = dir_dentry->d_inode;
-	int error = may_delete(dir_dentry, dentry, 1);
+	struct inode *dir = dir_path->dentry->d_inode;
+	int error = may_delete(dir_path->dentry, dentry, 1);
 
 	if (error)
 		return error;
@@ -2262,7 +2262,7 @@ static int vfs_rmdir(struct dentry *dir_
 	if (d_mountpoint(dentry))
 		error = -EBUSY;
 	else {
-		error = security_inode_rmdir(dir, dentry);
+		error = security_inode_rmdir(dir_path, dentry);
 		if (!error) {
 			error = dir->i_op->rmdir(dir, dentry);
 			if (!error)
@@ -2283,7 +2283,7 @@ int path_rmdir(struct path *dir_path, st
 	int error = mnt_want_write(dir_path->mnt);
 
 	if (!error) {
-		error = vfs_rmdir(dir_path->dentry, dentry);
+		error = vfs_rmdir(dir_path, dentry);
 		mnt_drop_write(dir_path->mnt);
 	}
 
Index: linux-2.6/include/linux/security.h
===================================================================
--- linux-2.6.orig/include/linux/security.h	2008-05-29 12:20:52.000000000 +0200
+++ linux-2.6/include/linux/security.h	2008-05-29 12:20:53.000000000 +0200
@@ -369,7 +369,7 @@ static inline void security_free_mnt_opt
  *	Return 0 if permission is granted.
  * @inode_rmdir:
  *	Check the permission to remove a directory.
- *	@dir contains the inode structure of parent of the directory to be removed.
+ *	@dir contains the path to the parent of the directory to be removed.
  *	@dentry contains the dentry structure of directory to be removed.
  *	Return 0 if permission is granted.
  * @inode_mknod:
@@ -1360,7 +1360,7 @@ struct security_operations {
 	int (*inode_symlink) (struct inode *dir,
 			      struct dentry *dentry, const char *old_name);
 	int (*inode_mkdir) (struct path *dir, struct dentry *dentry, int mode);
-	int (*inode_rmdir) (struct inode *dir, struct dentry *dentry);
+	int (*inode_rmdir) (struct path *dir, struct dentry *dentry);
 	int (*inode_mknod) (struct path *dir, struct dentry *dentry,
 			    int mode, dev_t dev);
 	int (*inode_rename) (struct inode *old_dir, struct dentry *old_dentry,
@@ -1632,7 +1632,7 @@ int security_inode_unlink(struct inode *
 int security_inode_symlink(struct inode *dir, struct dentry *dentry,
 			   const char *old_name);
 int security_inode_mkdir(struct path *dir, struct dentry *dentry, int mode);
-int security_inode_rmdir(struct inode *dir, struct dentry *dentry);
+int security_inode_rmdir(struct path *dir, struct dentry *dentry);
 int security_inode_mknod(struct path *dir, struct dentry *dentry, int mode,
 			 dev_t dev);
 int security_inode_rename(struct inode *old_dir, struct dentry *old_dentry,
@@ -1998,7 +1998,7 @@ static inline int security_inode_mkdir(s
 	return 0;
 }
 
-static inline int security_inode_rmdir(struct inode *dir,
+static inline int security_inode_rmdir(struct path *dir,
 					struct dentry *dentry)
 {
 	return 0;
Index: linux-2.6/security/dummy.c
===================================================================
--- linux-2.6.orig/security/dummy.c	2008-05-29 12:20:52.000000000 +0200
+++ linux-2.6/security/dummy.c	2008-05-29 12:20:53.000000000 +0200
@@ -315,7 +315,7 @@ static int dummy_inode_mkdir(struct path
 	return 0;
 }
 
-static int dummy_inode_rmdir (struct inode *inode, struct dentry *dentry)
+static int dummy_inode_rmdir(struct path *dir, struct dentry *dentry)
 {
 	return 0;
 }
Index: linux-2.6/security/security.c
===================================================================
--- linux-2.6.orig/security/security.c	2008-05-29 12:20:52.000000000 +0200
+++ linux-2.6/security/security.c	2008-05-29 12:20:53.000000000 +0200
@@ -425,7 +425,7 @@ int security_inode_mkdir(struct path *di
 	return security_ops->inode_mkdir(dir, dentry, mode);
 }
 
-int security_inode_rmdir(struct inode *dir, struct dentry *dentry)
+int security_inode_rmdir(struct path *dir, struct dentry *dentry)
 {
 	if (unlikely(IS_PRIVATE(dentry->d_inode)))
 		return 0;
Index: linux-2.6/security/selinux/hooks.c
===================================================================
--- linux-2.6.orig/security/selinux/hooks.c	2008-05-29 12:20:52.000000000 +0200
+++ linux-2.6/security/selinux/hooks.c	2008-05-29 12:20:53.000000000 +0200
@@ -2519,9 +2519,9 @@ static int selinux_inode_mkdir(struct pa
 	return may_create(dir->dentry->d_inode, dentry, SECCLASS_DIR);
 }
 
-static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
+static int selinux_inode_rmdir(struct path *dir, struct dentry *dentry)
 {
-	return may_link(dir, dentry, MAY_RMDIR);
+	return may_link(dir->dentry->d_inode, dentry, MAY_RMDIR);
 }
 
 static int selinux_inode_mknod(struct path *dir, struct dentry *dentry,
Index: linux-2.6/security/smack/smack_lsm.c
===================================================================
--- linux-2.6.orig/security/smack/smack_lsm.c	2008-05-29 12:20:48.000000000 +0200
+++ linux-2.6/security/smack/smack_lsm.c	2008-05-29 12:20:53.000000000 +0200
@@ -463,7 +463,7 @@ static int smack_inode_unlink(struct ino
  * Returns 0 if current can write the containing directory
  * and the directory, error code otherwise
  */
-static int smack_inode_rmdir(struct inode *dir, struct dentry *dentry)
+static int smack_inode_rmdir(struct path *dir, struct dentry *dentry)
 {
 	int rc;
 
@@ -475,7 +475,7 @@ static int smack_inode_rmdir(struct inod
 		/*
 		 * You also need write access to the containing directory
 		 */
-		rc = smk_curacc(smk_of_inode(dir), MAY_WRITE);
+		rc = smk_curacc(smk_of_inode(dir->dentry->d_inode), MAY_WRITE);
 
 	return rc;
 }

--

[patch 05/15] security: pass path to inode_unlink

[Miklos Szeredi]

[-- Attachment #1: security_unlink_path.patch --]
[-- Type: text/plain, Size: 6643 bytes --]

From: Miklos Szeredi <mszeredi@suse.cz>

In the inode_unlink() security operation and related functions pass the
path (vfsmount + dentry) to the parent directory instead of the inode.
AppArmor will need this.

Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
---
 fs/namei.c                 |   10 +++++-----
 include/linux/security.h   |    8 ++++----
 security/dummy.c           |    2 +-
 security/security.c        |    2 +-
 security/selinux/hooks.c   |    4 ++--
 security/smack/smack_lsm.c |    4 ++--
 6 files changed, 15 insertions(+), 15 deletions(-)

Index: linux-2.6/fs/namei.c
===================================================================
--- linux-2.6.orig/fs/namei.c	2008-05-29 12:20:53.000000000 +0200
+++ linux-2.6/fs/namei.c	2008-05-29 12:20:53.000000000 +0200
@@ -2338,10 +2338,10 @@ asmlinkage long sys_rmdir(const char __u
 	return do_rmdir(AT_FDCWD, pathname);
 }
 
-static int vfs_unlink(struct dentry *dir_dentry, struct dentry *dentry)
+static int vfs_unlink(struct path *dir_path, struct dentry *dentry)
 {
-	struct inode *dir = dir_dentry->d_inode;
-	int error = may_delete(dir_dentry, dentry, 0);
+	struct inode *dir = dir_path->dentry->d_inode;
+	int error = may_delete(dir_path->dentry, dentry, 0);
 
 	if (error)
 		return error;
@@ -2355,7 +2355,7 @@ static int vfs_unlink(struct dentry *dir
 	if (d_mountpoint(dentry))
 		error = -EBUSY;
 	else {
-		error = security_inode_unlink(dir, dentry);
+		error = security_inode_unlink(dir_path, dentry);
 		if (!error)
 			error = dir->i_op->unlink(dir, dentry);
 	}
@@ -2375,7 +2375,7 @@ int path_unlink(struct path *dir_path, s
 	int error = mnt_want_write(dir_path->mnt);
 
 	if (!error) {
-		error = vfs_unlink(dir_path->dentry, dentry);
+		error = vfs_unlink(dir_path, dentry);
 		mnt_drop_write(dir_path->mnt);
 	}
 
Index: linux-2.6/include/linux/security.h
===================================================================
--- linux-2.6.orig/include/linux/security.h	2008-05-29 12:20:53.000000000 +0200
+++ linux-2.6/include/linux/security.h	2008-05-29 12:20:53.000000000 +0200
@@ -351,7 +351,7 @@ static inline void security_free_mnt_opt
  *	Return 0 if permission is granted.
  * @inode_unlink:
  *	Check the permission to remove a hard link to a file.
- *	@dir contains the inode structure of parent directory of the file.
+ *	@dir contains the path to the parent of the file to be removed.
  *	@dentry contains the dentry structure for file to be unlinked.
  *	Return 0 if permission is granted.
  * @inode_symlink:
@@ -1356,7 +1356,7 @@ struct security_operations {
 	int (*inode_create) (struct path *dir, struct dentry *dentry, int mode);
 	int (*inode_link) (struct dentry *old_dentry,
 			   struct inode *dir, struct dentry *new_dentry);
-	int (*inode_unlink) (struct inode *dir, struct dentry *dentry);
+	int (*inode_unlink) (struct path *dir, struct dentry *dentry);
 	int (*inode_symlink) (struct inode *dir,
 			      struct dentry *dentry, const char *old_name);
 	int (*inode_mkdir) (struct path *dir, struct dentry *dentry, int mode);
@@ -1628,7 +1628,7 @@ int security_inode_init_security(struct 
 int security_inode_create(struct path *dir, struct dentry *dentry, int mode);
 int security_inode_link(struct dentry *old_dentry, struct inode *dir,
 			 struct dentry *new_dentry);
-int security_inode_unlink(struct inode *dir, struct dentry *dentry);
+int security_inode_unlink(struct path *dir, struct dentry *dentry);
 int security_inode_symlink(struct inode *dir, struct dentry *dentry,
 			   const char *old_name);
 int security_inode_mkdir(struct path *dir, struct dentry *dentry, int mode);
@@ -1978,7 +1978,7 @@ static inline int security_inode_link(st
 	return 0;
 }
 
-static inline int security_inode_unlink(struct inode *dir,
+static inline int security_inode_unlink(struct path *dir,
 					 struct dentry *dentry)
 {
 	return 0;
Index: linux-2.6/security/dummy.c
===================================================================
--- linux-2.6.orig/security/dummy.c	2008-05-29 12:20:53.000000000 +0200
+++ linux-2.6/security/dummy.c	2008-05-29 12:20:53.000000000 +0200
@@ -298,7 +298,7 @@ static int dummy_inode_link (struct dent
 	return 0;
 }
 
-static int dummy_inode_unlink (struct inode *inode, struct dentry *dentry)
+static int dummy_inode_unlink(struct path *dir, struct dentry *dentry)
 {
 	return 0;
 }
Index: linux-2.6/security/security.c
===================================================================
--- linux-2.6.orig/security/security.c	2008-05-29 12:20:53.000000000 +0200
+++ linux-2.6/security/security.c	2008-05-29 12:20:53.000000000 +0200
@@ -403,7 +403,7 @@ int security_inode_link(struct dentry *o
 	return security_ops->inode_link(old_dentry, dir, new_dentry);
 }
 
-int security_inode_unlink(struct inode *dir, struct dentry *dentry)
+int security_inode_unlink(struct path *dir, struct dentry *dentry)
 {
 	if (unlikely(IS_PRIVATE(dentry->d_inode)))
 		return 0;
Index: linux-2.6/security/selinux/hooks.c
===================================================================
--- linux-2.6.orig/security/selinux/hooks.c	2008-05-29 12:20:53.000000000 +0200
+++ linux-2.6/security/selinux/hooks.c	2008-05-29 12:20:53.000000000 +0200
@@ -2498,14 +2498,14 @@ static int selinux_inode_link(struct den
 	return may_link(dir, old_dentry, MAY_LINK);
 }
 
-static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
+static int selinux_inode_unlink(struct path *dir, struct dentry *dentry)
 {
 	int rc;
 
 	rc = secondary_ops->inode_unlink(dir, dentry);
 	if (rc)
 		return rc;
-	return may_link(dir, dentry, MAY_UNLINK);
+	return may_link(dir->dentry->d_inode, dentry, MAY_UNLINK);
 }
 
 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
Index: linux-2.6/security/smack/smack_lsm.c
===================================================================
--- linux-2.6.orig/security/smack/smack_lsm.c	2008-05-29 12:20:53.000000000 +0200
+++ linux-2.6/security/smack/smack_lsm.c	2008-05-29 12:20:53.000000000 +0200
@@ -437,7 +437,7 @@ static int smack_inode_link(struct dentr
  * Returns 0 if current can write the containing directory
  * and the object, error code otherwise
  */
-static int smack_inode_unlink(struct inode *dir, struct dentry *dentry)
+static int smack_inode_unlink(struct path *dir, struct dentry *dentry)
 {
 	struct inode *ip = dentry->d_inode;
 	int rc;
@@ -450,7 +450,7 @@ static int smack_inode_unlink(struct ino
 		/*
 		 * You also need write access to the containing directory
 		 */
-		rc = smk_curacc(smk_of_inode(dir), MAY_WRITE);
+		rc = smk_curacc(smk_of_inode(dir->dentry->d_inode), MAY_WRITE);
 
 	return rc;
 }

--

[patch 06/15] security: pass path to inode_symlink

[Miklos Szeredi]

[-- Attachment #1: security_symlink_path.patch --]
[-- Type: text/plain, Size: 5413 bytes --]

From: Miklos Szeredi <mszeredi@suse.cz>

In the inode_symlink() security operation and related functions pass the
path (vfsmount + dentry) to the parent directory instead of the inode.
AppArmor will need this.

Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
---
 fs/namei.c               |   10 +++++-----
 include/linux/security.h |    6 +++---
 security/dummy.c         |    4 ++--
 security/security.c      |    4 ++--
 security/selinux/hooks.c |    5 +++--
 5 files changed, 15 insertions(+), 14 deletions(-)

Index: linux-2.6/fs/namei.c
===================================================================
--- linux-2.6.orig/fs/namei.c	2008-05-29 12:20:53.000000000 +0200
+++ linux-2.6/fs/namei.c	2008-05-29 12:20:54.000000000 +0200
@@ -2452,11 +2452,11 @@ asmlinkage long sys_unlink(const char __
 	return do_unlinkat(AT_FDCWD, pathname);
 }
 
-static int vfs_symlink(struct dentry *dir_dentry, struct dentry *dentry,
+static int vfs_symlink(struct path *dir_path, struct dentry *dentry,
 		       const char *oldname)
 {
-	struct inode *dir = dir_dentry->d_inode;
-	int error = may_create(dir_dentry, dentry);
+	struct inode *dir = dir_path->dentry->d_inode;
+	int error = may_create(dir_path->dentry, dentry);
 
 	if (error)
 		return error;
@@ -2464,7 +2464,7 @@ static int vfs_symlink(struct dentry *di
 	if (!dir->i_op || !dir->i_op->symlink)
 		return -EPERM;
 
-	error = security_inode_symlink(dir, dentry, oldname);
+	error = security_inode_symlink(dir_path, dentry, oldname);
 	if (error)
 		return error;
 
@@ -2481,7 +2481,7 @@ int path_symlink(struct path *dir_path, 
 	int error = mnt_want_write(dir_path->mnt);
 
 	if (!error) {
-		error = vfs_symlink(dir_path->dentry, dentry, oldname);
+		error = vfs_symlink(dir_path, dentry, oldname);
 		mnt_drop_write(dir_path->mnt);
 	}
 
Index: linux-2.6/include/linux/security.h
===================================================================
--- linux-2.6.orig/include/linux/security.h	2008-05-29 12:20:53.000000000 +0200
+++ linux-2.6/include/linux/security.h	2008-05-29 12:20:54.000000000 +0200
@@ -1357,7 +1357,7 @@ struct security_operations {
 	int (*inode_link) (struct dentry *old_dentry,
 			   struct inode *dir, struct dentry *new_dentry);
 	int (*inode_unlink) (struct path *dir, struct dentry *dentry);
-	int (*inode_symlink) (struct inode *dir,
+	int (*inode_symlink) (struct path *dir,
 			      struct dentry *dentry, const char *old_name);
 	int (*inode_mkdir) (struct path *dir, struct dentry *dentry, int mode);
 	int (*inode_rmdir) (struct path *dir, struct dentry *dentry);
@@ -1629,7 +1629,7 @@ int security_inode_create(struct path *d
 int security_inode_link(struct dentry *old_dentry, struct inode *dir,
 			 struct dentry *new_dentry);
 int security_inode_unlink(struct path *dir, struct dentry *dentry);
-int security_inode_symlink(struct inode *dir, struct dentry *dentry,
+int security_inode_symlink(struct path *dir, struct dentry *dentry,
 			   const char *old_name);
 int security_inode_mkdir(struct path *dir, struct dentry *dentry, int mode);
 int security_inode_rmdir(struct path *dir, struct dentry *dentry);
@@ -1984,7 +1984,7 @@ static inline int security_inode_unlink(
 	return 0;
 }
 
-static inline int security_inode_symlink(struct inode *dir,
+static inline int security_inode_symlink(struct path *dir,
 					  struct dentry *dentry,
 					  const char *old_name)
 {
Index: linux-2.6/security/dummy.c
===================================================================
--- linux-2.6.orig/security/dummy.c	2008-05-29 12:20:53.000000000 +0200
+++ linux-2.6/security/dummy.c	2008-05-29 12:20:54.000000000 +0200
@@ -303,8 +303,8 @@ static int dummy_inode_unlink(struct pat
 	return 0;
 }
 
-static int dummy_inode_symlink (struct inode *inode, struct dentry *dentry,
-				const char *name)
+static int dummy_inode_symlink(struct path *dir, struct dentry *dentry,
+			       const char *name)
 {
 	return 0;
 }
Index: linux-2.6/security/security.c
===================================================================
--- linux-2.6.orig/security/security.c	2008-05-29 12:20:53.000000000 +0200
+++ linux-2.6/security/security.c	2008-05-29 12:20:54.000000000 +0200
@@ -410,10 +410,10 @@ int security_inode_unlink(struct path *d
 	return security_ops->inode_unlink(dir, dentry);
 }
 
-int security_inode_symlink(struct inode *dir, struct dentry *dentry,
+int security_inode_symlink(struct path *dir, struct dentry *dentry,
 			    const char *old_name)
 {
-	if (unlikely(IS_PRIVATE(dir)))
+	if (unlikely(IS_PRIVATE(dir->dentry->d_inode)))
 		return 0;
 	return security_ops->inode_symlink(dir, dentry, old_name);
 }
Index: linux-2.6/security/selinux/hooks.c
===================================================================
--- linux-2.6.orig/security/selinux/hooks.c	2008-05-29 12:20:53.000000000 +0200
+++ linux-2.6/security/selinux/hooks.c	2008-05-29 12:20:54.000000000 +0200
@@ -2508,9 +2508,10 @@ static int selinux_inode_unlink(struct p
 	return may_link(dir->dentry->d_inode, dentry, MAY_UNLINK);
 }
 
-static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
+static int selinux_inode_symlink(struct path *dir, struct dentry *dentry,
+				 const char *name)
 {
-	return may_create(dir, dentry, SECCLASS_LNK_FILE);
+	return may_create(dir->dentry->d_inode, dentry, SECCLASS_LNK_FILE);
 }
 
 static int selinux_inode_mkdir(struct path *dir, struct dentry *dentry,

--

[patch 07/15] security: pass path to inode_link

[Miklos Szeredi]

[-- Attachment #1: security_link_path.patch --]
[-- Type: text/plain, Size: 6722 bytes --]

From: Miklos Szeredi <mszeredi@suse.cz>

In the inode_link() security operation and related functions pass the
path (vfsmount + dentry) to the parent directory instead of the inode.
AppArmor will need this.

Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
---
 fs/namei.c                 |   10 +++++-----
 include/linux/security.h   |    8 ++++----
 security/dummy.c           |    4 ++--
 security/security.c        |    2 +-
 security/selinux/hooks.c   |    5 +++--
 security/smack/smack_lsm.c |    2 +-
 6 files changed, 16 insertions(+), 15 deletions(-)

Index: linux-2.6/fs/namei.c
===================================================================
--- linux-2.6.orig/fs/namei.c	2008-05-29 12:20:54.000000000 +0200
+++ linux-2.6/fs/namei.c	2008-05-29 12:20:55.000000000 +0200
@@ -2531,17 +2531,17 @@ asmlinkage long sys_symlink(const char _
 	return sys_symlinkat(oldname, AT_FDCWD, newname);
 }
 
-static int vfs_link(struct dentry *old_dentry, struct dentry *new_dir_dentry,
+static int vfs_link(struct dentry *old_dentry, struct path *new_dir_path,
 		    struct dentry *new_dentry)
 {
-	struct inode *dir = new_dir_dentry->d_inode;
+	struct inode *dir = new_dir_path->dentry->d_inode;
 	struct inode *inode = old_dentry->d_inode;
 	int error;
 
 	if (!inode)
 		return -ENOENT;
 
-	error = may_create(new_dir_dentry, new_dentry);
+	error = may_create(new_dir_path->dentry, new_dentry);
 	if (error)
 		return error;
 
@@ -2558,7 +2558,7 @@ static int vfs_link(struct dentry *old_d
 	if (S_ISDIR(inode->i_mode))
 		return -EPERM;
 
-	error = security_inode_link(old_dentry, dir, new_dentry);
+	error = security_inode_link(old_dentry, new_dir_path, new_dentry);
 	if (error)
 		return error;
 
@@ -2577,7 +2577,7 @@ int path_link(struct dentry *old_dentry,
 	int error = mnt_want_write(dir_path->mnt);
 
 	if (!error) {
-		error = vfs_link(old_dentry, dir_path->dentry, new_dentry);
+		error = vfs_link(old_dentry, dir_path, new_dentry);
 		mnt_drop_write(dir_path->mnt);
 	}
 
Index: linux-2.6/include/linux/security.h
===================================================================
--- linux-2.6.orig/include/linux/security.h	2008-05-29 12:20:54.000000000 +0200
+++ linux-2.6/include/linux/security.h	2008-05-29 12:20:55.000000000 +0200
@@ -346,7 +346,7 @@ static inline void security_free_mnt_opt
  * @inode_link:
  *	Check permission before creating a new hard link to a file.
  *	@old_dentry contains the dentry structure for an existing link to the file.
- *	@dir contains the inode structure of the parent directory of the new link.
+ *	@dir contains the path to the parent of the new link.
  *	@new_dentry contains the dentry structure for the new link.
  *	Return 0 if permission is granted.
  * @inode_unlink:
@@ -1355,7 +1355,7 @@ struct security_operations {
 				    char **name, void **value, size_t *len);
 	int (*inode_create) (struct path *dir, struct dentry *dentry, int mode);
 	int (*inode_link) (struct dentry *old_dentry,
-			   struct inode *dir, struct dentry *new_dentry);
+			   struct path *dir, struct dentry *new_dentry);
 	int (*inode_unlink) (struct path *dir, struct dentry *dentry);
 	int (*inode_symlink) (struct path *dir,
 			      struct dentry *dentry, const char *old_name);
@@ -1626,7 +1626,7 @@ void security_inode_free(struct inode *i
 int security_inode_init_security(struct inode *inode, struct inode *dir,
 				  char **name, void **value, size_t *len);
 int security_inode_create(struct path *dir, struct dentry *dentry, int mode);
-int security_inode_link(struct dentry *old_dentry, struct inode *dir,
+int security_inode_link(struct dentry *old_dentry, struct path *dir,
 			 struct dentry *new_dentry);
 int security_inode_unlink(struct path *dir, struct dentry *dentry);
 int security_inode_symlink(struct path *dir, struct dentry *dentry,
@@ -1972,7 +1972,7 @@ static inline int security_inode_create(
 }
 
 static inline int security_inode_link(struct dentry *old_dentry,
-				       struct inode *dir,
+				       struct path *dir,
 				       struct dentry *new_dentry)
 {
 	return 0;
Index: linux-2.6/security/dummy.c
===================================================================
--- linux-2.6.orig/security/dummy.c	2008-05-29 12:20:54.000000000 +0200
+++ linux-2.6/security/dummy.c	2008-05-29 12:20:55.000000000 +0200
@@ -292,8 +292,8 @@ static int dummy_inode_create(struct pat
 	return 0;
 }
 
-static int dummy_inode_link (struct dentry *old_dentry, struct inode *inode,
-			     struct dentry *new_dentry)
+static int dummy_inode_link(struct dentry *old_dentry, struct path *dir,
+			    struct dentry *new_dentry)
 {
 	return 0;
 }
Index: linux-2.6/security/security.c
===================================================================
--- linux-2.6.orig/security/security.c	2008-05-29 12:20:54.000000000 +0200
+++ linux-2.6/security/security.c	2008-05-29 12:20:55.000000000 +0200
@@ -395,7 +395,7 @@ int security_inode_create(struct path *d
 	return security_ops->inode_create(dir, dentry, mode);
 }
 
-int security_inode_link(struct dentry *old_dentry, struct inode *dir,
+int security_inode_link(struct dentry *old_dentry, struct path *dir,
 			 struct dentry *new_dentry)
 {
 	if (unlikely(IS_PRIVATE(old_dentry->d_inode)))
Index: linux-2.6/security/selinux/hooks.c
===================================================================
--- linux-2.6.orig/security/selinux/hooks.c	2008-05-29 12:20:54.000000000 +0200
+++ linux-2.6/security/selinux/hooks.c	2008-05-29 12:20:55.000000000 +0200
@@ -2488,14 +2488,15 @@ static int selinux_inode_create(struct p
 	return may_create(dir->dentry->d_inode, dentry, SECCLASS_FILE);
 }
 
-static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
+static int selinux_inode_link(struct dentry *old_dentry, struct path *dir,
+			      struct dentry *new_dentry)
 {
 	int rc;
 
 	rc = secondary_ops->inode_link(old_dentry, dir, new_dentry);
 	if (rc)
 		return rc;
-	return may_link(dir, old_dentry, MAY_LINK);
+	return may_link(dir->dentry->d_inode, old_dentry, MAY_LINK);
 }
 
 static int selinux_inode_unlink(struct path *dir, struct dentry *dentry)
Index: linux-2.6/security/smack/smack_lsm.c
===================================================================
--- linux-2.6.orig/security/smack/smack_lsm.c	2008-05-29 12:20:53.000000000 +0200
+++ linux-2.6/security/smack/smack_lsm.c	2008-05-29 12:20:55.000000000 +0200
@@ -412,7 +412,7 @@ static int smack_inode_init_security(str
  *
  * Returns 0 if access is permitted, an error code otherwise
  */
-static int smack_inode_link(struct dentry *old_dentry, struct inode *dir,
+static int smack_inode_link(struct dentry *old_dentry, struct path *dir,
 			    struct dentry *new_dentry)
 {
 	int rc;

--

[patch 08/15] security: pass path to inode_rename

[Miklos Szeredi]

[-- Attachment #1: security_rename_path.patch --]
[-- Type: text/plain, Size: 9633 bytes --]

From: Miklos Szeredi <mszeredi@suse.cz>

In the inode_rename() security operation and related functions pass the
path (vfsmount + dentry) to the parent directory instead of the inode.
AppArmor will need this.

Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
---
 fs/namei.c                 |   51 +++++++++++++++++++++------------------------
 include/linux/security.h   |   16 +++++++-------
 security/dummy.c           |    6 +----
 security/security.c        |    4 +--
 security/selinux/hooks.c   |    7 +++---
 security/smack/smack_lsm.c |    8 +++----
 6 files changed, 44 insertions(+), 48 deletions(-)

Index: linux-2.6/fs/namei.c
===================================================================
--- linux-2.6.orig/fs/namei.c	2008-05-29 12:20:55.000000000 +0200
+++ linux-2.6/fs/namei.c	2008-05-29 12:20:55.000000000 +0200
@@ -2682,20 +2682,6 @@ static int vfs_rename_dir(struct inode *
 	int error = 0;
 	struct inode *target;
 
-	/*
-	 * If we are going to change the parent - check write permissions,
-	 * we'll need to flip '..'.
-	 */
-	if (new_dir != old_dir) {
-		error = dentry_permission(old_dentry, MAY_MOVE_DIR);
-		if (error)
-			return error;
-	}
-
-	error = security_inode_rename(old_dir, old_dentry, new_dir, new_dentry);
-	if (error)
-		return error;
-
 	target = new_dentry->d_inode;
 	if (target) {
 		mutex_lock(&target->i_mutex);
@@ -2725,10 +2711,6 @@ static int vfs_rename_other(struct inode
 	struct inode *target;
 	int error;
 
-	error = security_inode_rename(old_dir, old_dentry, new_dir, new_dentry);
-	if (error)
-		return error;
-
 	dget(new_dentry);
 	target = new_dentry->d_inode;
 	if (target)
@@ -2747,11 +2729,11 @@ static int vfs_rename_other(struct inode
 	return error;
 }
 
-static int vfs_rename(struct dentry *old_dir_dentry, struct dentry *old_dentry,
-		      struct dentry *new_dir_dentry, struct dentry *new_dentry)
+static int vfs_rename(struct path *old_dir_path, struct dentry *old_dentry,
+		      struct path *new_dir_path, struct dentry *new_dentry)
 {
-	struct inode *old_dir = old_dir_dentry->d_inode;
-	struct inode *new_dir = new_dir_dentry->d_inode;
+	struct inode *old_dir = old_dir_path->dentry->d_inode;
+	struct inode *new_dir = new_dir_path->dentry->d_inode;
 	int error;
 	int is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
 	const char *old_name;
@@ -2759,20 +2741,35 @@ static int vfs_rename(struct dentry *old
 	if (old_dentry->d_inode == new_dentry->d_inode)
  		return 0;
  
-	error = may_delete(old_dir_dentry, old_dentry, is_dir);
+	error = may_delete(old_dir_path->dentry, old_dentry, is_dir);
 	if (error)
 		return error;
 
 	if (!new_dentry->d_inode)
-		error = may_create(new_dir_dentry, new_dentry);
+		error = may_create(new_dir_path->dentry, new_dentry);
 	else
-		error = may_delete(new_dir_dentry, new_dentry, is_dir);
+		error = may_delete(new_dir_path->dentry, new_dentry, is_dir);
 	if (error)
 		return error;
 
 	if (!old_dir->i_op || !old_dir->i_op->rename)
 		return -EPERM;
 
+	/*
+	 * If we are going to change the parent - check write permissions,
+	 * we'll need to flip '..'.
+	 */
+	if (is_dir && new_dir != old_dir) {
+		error = dentry_permission(old_dentry, MAY_MOVE_DIR);
+		if (error)
+			return error;
+	}
+
+	error = security_inode_rename(old_dir_path, old_dentry,
+				      new_dir_path, new_dentry);
+	if (error)
+		return error;
+
 	DQUOT_INIT(old_dir);
 	DQUOT_INIT(new_dir);
 
@@ -2802,8 +2799,8 @@ int path_rename(struct path *old_dir_pat
 
 	error = mnt_want_write(mnt);
 	if (!error) {
-		error = vfs_rename(old_dir_path->dentry, old_dentry,
-				   new_dir_path->dentry, new_dentry);
+		error = vfs_rename(old_dir_path, old_dentry,
+				   new_dir_path, new_dentry);
 		mnt_drop_write(mnt);
 	}
 
Index: linux-2.6/include/linux/security.h
===================================================================
--- linux-2.6.orig/include/linux/security.h	2008-05-29 12:20:55.000000000 +0200
+++ linux-2.6/include/linux/security.h	2008-05-29 12:20:55.000000000 +0200
@@ -384,9 +384,9 @@ static inline void security_free_mnt_opt
  *	Return 0 if permission is granted.
  * @inode_rename:
  *	Check for permission to rename a file or directory.
- *	@old_dir contains the inode structure for parent of the old link.
+ *	@old_dir contains the path to the parent of the old link.
  *	@old_dentry contains the dentry structure of the old link.
- *	@new_dir contains the inode structure for parent of the new link.
+ *	@new_dir contains the path to the parent of the new link.
  *	@new_dentry contains the dentry structure of the new link.
  *	Return 0 if permission is granted.
  * @inode_readlink:
@@ -1363,8 +1363,8 @@ struct security_operations {
 	int (*inode_rmdir) (struct path *dir, struct dentry *dentry);
 	int (*inode_mknod) (struct path *dir, struct dentry *dentry,
 			    int mode, dev_t dev);
-	int (*inode_rename) (struct inode *old_dir, struct dentry *old_dentry,
-			     struct inode *new_dir, struct dentry *new_dentry);
+	int (*inode_rename) (struct path *old_dir, struct dentry *old_dentry,
+			     struct path *new_dir, struct dentry *new_dentry);
 	int (*inode_readlink) (struct dentry *dentry);
 	int (*inode_follow_link) (struct dentry *dentry, struct nameidata *nd);
 	int (*inode_permission) (struct inode *inode, int mask);
@@ -1635,8 +1635,8 @@ int security_inode_mkdir(struct path *di
 int security_inode_rmdir(struct path *dir, struct dentry *dentry);
 int security_inode_mknod(struct path *dir, struct dentry *dentry, int mode,
 			 dev_t dev);
-int security_inode_rename(struct inode *old_dir, struct dentry *old_dentry,
-			  struct inode *new_dir, struct dentry *new_dentry);
+int security_inode_rename(struct path *old_dir, struct dentry *old_dentry,
+			  struct path *new_dir, struct dentry *new_dentry);
 int security_inode_readlink(struct dentry *dentry);
 int security_inode_follow_link(struct dentry *dentry, struct nameidata *nd);
 int security_inode_permission(struct inode *inode, int mask);
@@ -2011,9 +2011,9 @@ static inline int security_inode_mknod(s
 	return 0;
 }
 
-static inline int security_inode_rename(struct inode *old_dir,
+static inline int security_inode_rename(struct path *old_dir,
 					 struct dentry *old_dentry,
-					 struct inode *new_dir,
+					 struct path *new_dir,
 					 struct dentry *new_dentry)
 {
 	return 0;
Index: linux-2.6/security/dummy.c
===================================================================
--- linux-2.6.orig/security/dummy.c	2008-05-29 12:20:55.000000000 +0200
+++ linux-2.6/security/dummy.c	2008-05-29 12:20:55.000000000 +0200
@@ -326,10 +326,8 @@ static int dummy_inode_mknod(struct path
 	return 0;
 }
 
-static int dummy_inode_rename (struct inode *old_inode,
-			       struct dentry *old_dentry,
-			       struct inode *new_inode,
-			       struct dentry *new_dentry)
+static int dummy_inode_rename(struct path *old_dir, struct dentry *old_dentry,
+			      struct path *new_dir, struct dentry *new_dentry)
 {
 	return 0;
 }
Index: linux-2.6/security/security.c
===================================================================
--- linux-2.6.orig/security/security.c	2008-05-29 12:20:55.000000000 +0200
+++ linux-2.6/security/security.c	2008-05-29 12:20:55.000000000 +0200
@@ -440,8 +440,8 @@ int security_inode_mknod(struct path *di
 	return security_ops->inode_mknod(dir, dentry, mode, dev);
 }
 
-int security_inode_rename(struct inode *old_dir, struct dentry *old_dentry,
-			   struct inode *new_dir, struct dentry *new_dentry)
+int security_inode_rename(struct path *old_dir, struct dentry *old_dentry,
+			   struct path *new_dir, struct dentry *new_dentry)
 {
         if (unlikely(IS_PRIVATE(old_dentry->d_inode) ||
             (new_dentry->d_inode && IS_PRIVATE(new_dentry->d_inode))))
Index: linux-2.6/security/selinux/hooks.c
===================================================================
--- linux-2.6.orig/security/selinux/hooks.c	2008-05-29 12:20:55.000000000 +0200
+++ linux-2.6/security/selinux/hooks.c	2008-05-29 12:20:55.000000000 +0200
@@ -2539,10 +2539,11 @@ static int selinux_inode_mknod(struct pa
 			  inode_mode_to_security_class(mode));
 }
 
-static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
-				struct inode *new_inode, struct dentry *new_dentry)
+static int selinux_inode_rename(struct path *old_dir, struct dentry *old_dentry,
+				struct path *new_dir, struct dentry *new_dentry)
 {
-	return may_rename(old_inode, old_dentry, new_inode, new_dentry);
+	return may_rename(old_dir->dentry->d_inode, old_dentry,
+			  new_dir->dentry->d_inode, new_dentry);
 }
 
 static int selinux_inode_readlink(struct dentry *dentry)
Index: linux-2.6/security/smack/smack_lsm.c
===================================================================
--- linux-2.6.orig/security/smack/smack_lsm.c	2008-05-29 12:20:55.000000000 +0200
+++ linux-2.6/security/smack/smack_lsm.c	2008-05-29 12:20:55.000000000 +0200
@@ -482,9 +482,9 @@ static int smack_inode_rmdir(struct path
 
 /**
  * smack_inode_rename - Smack check on rename
- * @old_inode: the old directory
+ * @old_dir: the old directory
  * @old_dentry: unused
- * @new_inode: the new directory
+ * @new_dir: the new directory
  * @new_dentry: unused
  *
  * Read and write access is required on both the old and
@@ -492,9 +492,9 @@ static int smack_inode_rmdir(struct path
  *
  * Returns 0 if access is permitted, an error code otherwise
  */
-static int smack_inode_rename(struct inode *old_inode,
+static int smack_inode_rename(struct path *old_dir,
 			      struct dentry *old_dentry,
-			      struct inode *new_inode,
+			      struct path *new_dir,
 			      struct dentry *new_dentry)
 {
 	int rc;

--

[patch 09/15] security: pass path to inode_setattr

[Miklos Szeredi]

[-- Attachment #1: security_setattr_path.patch --]
[-- Type: text/plain, Size: 12336 bytes --]

From: Miklos Szeredi <mszeredi@suse.cz>

In the inode_setattr() security operation and related functions pass
the path (vfsmount + dentry) instead of the dentry.  AppArmor will need
this.

Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
---
 fs/attr.c                  |    9 +++++----
 fs/fat/file.c              |    2 +-
 fs/namei.c                 |    2 +-
 fs/open.c                  |   17 +++++++++--------
 include/linux/fs.h         |    4 ++--
 include/linux/security.h   |    9 ++++-----
 mm/filemap.c               |   14 ++++----------
 security/dummy.c           |    2 +-
 security/security.c        |    6 +++---
 security/selinux/hooks.c   |    5 +++--
 security/smack/smack_lsm.c |    6 +++---
 11 files changed, 36 insertions(+), 40 deletions(-)

Index: linux-2.6/fs/attr.c
===================================================================
--- linux-2.6.orig/fs/attr.c	2008-05-29 12:20:15.000000000 +0200
+++ linux-2.6/fs/attr.c	2008-05-29 12:20:56.000000000 +0200
@@ -101,8 +101,9 @@ int inode_setattr(struct inode * inode, 
 }
 EXPORT_SYMBOL(inode_setattr);
 
-int notify_change(struct dentry * dentry, struct iattr * attr)
+int notify_change(struct path *path, struct iattr *attr)
 {
+	struct dentry *dentry = path->dentry;
 	struct inode *inode = dentry->d_inode;
 	mode_t mode = inode->i_mode;
 	int error;
@@ -165,13 +166,13 @@ int notify_change(struct dentry * dentry
 		down_write(&dentry->d_inode->i_alloc_sem);
 
 	if (inode->i_op && inode->i_op->setattr) {
-		error = security_inode_setattr(dentry, attr);
+		error = security_inode_setattr(path, attr);
 		if (!error)
 			error = inode->i_op->setattr(dentry, attr);
 	} else {
 		error = inode_change_ok(inode, attr);
 		if (!error)
-			error = security_inode_setattr(dentry, attr);
+			error = security_inode_setattr(path, attr);
 		if (!error) {
 			if ((ia_valid & ATTR_UID && attr->ia_uid != inode->i_uid) ||
 			    (ia_valid & ATTR_GID && attr->ia_gid != inode->i_gid))
@@ -195,7 +196,7 @@ int path_setattr(struct path *path, stru
 	int error = mnt_want_write(path->mnt);
 
 	if (!error) {
-		error = notify_change(path->dentry, attr);
+		error = notify_change(path, attr);
 		mnt_drop_write(path->mnt);
 	}
 
Index: linux-2.6/fs/open.c
===================================================================
--- linux-2.6.orig/fs/open.c	2008-05-29 12:20:49.000000000 +0200
+++ linux-2.6/fs/open.c	2008-05-29 12:20:56.000000000 +0200
@@ -197,16 +197,17 @@ out:
 
 /*
  * do_truncate - truncate (or extend) an inode
- * @dentry: the dentry to truncate
+ * @path: the path of the file to truncate
  * @length: the new length
  * @time_attrs: file times to be updated (e.g. ATTR_MTIME|ATTR_CTIME)
  * @filp: an open file or NULL (see file_truncate() as well)
  */
-int do_truncate(struct dentry *dentry, loff_t length, unsigned int time_attrs,
+int do_truncate(struct path *path, loff_t length, unsigned int time_attrs,
 	struct file *filp)
 {
 	int err;
 	struct iattr newattrs;
+	struct inode *inode = path->dentry->d_inode;
 
 	/* Not pretty: "inode->i_size" shouldn't really be signed. But it is. */
 	if (length < 0)
@@ -220,11 +221,11 @@ int do_truncate(struct dentry *dentry, l
 	}
 
 	/* Remove suid/sgid on truncate too */
-	newattrs.ia_valid |= should_remove_suid(dentry);
+	newattrs.ia_valid |= should_remove_suid(path->dentry);
 
-	mutex_lock(&dentry->d_inode->i_mutex);
-	err = notify_change(dentry, &newattrs);
-	mutex_unlock(&dentry->d_inode->i_mutex);
+	mutex_lock(&inode->i_mutex);
+	err = notify_change(path, &newattrs);
+	mutex_unlock(&inode->i_mutex);
 	return err;
 }
 
@@ -236,7 +237,7 @@ int do_truncate(struct dentry *dentry, l
  */
 int file_truncate(struct file *filp, loff_t length, unsigned int time_attrs)
 {
-	return do_truncate(filp->f_path.dentry, length, time_attrs, filp);
+	return do_truncate(&filp->f_path, length, time_attrs, filp);
 }
 
 static long do_sys_truncate(const char __user * path, loff_t length)
@@ -290,7 +291,7 @@ static long do_sys_truncate(const char _
 	error = locks_verify_truncate(inode, NULL, length);
 	if (!error) {
 		DQUOT_INIT(inode);
-		error = do_truncate(nd.path.dentry, length, 0, NULL);
+		error = do_truncate(&nd.path, length, 0, NULL);
 	}
 
 put_write_and_out:
Index: linux-2.6/include/linux/fs.h
===================================================================
--- linux-2.6.orig/include/linux/fs.h	2008-05-29 12:20:51.000000000 +0200
+++ linux-2.6/include/linux/fs.h	2008-05-29 12:20:56.000000000 +0200
@@ -1628,7 +1628,7 @@ static inline int break_lease(struct ino
 
 /* fs/open.c */
 
-extern int do_truncate(struct dentry *, loff_t start, unsigned int time_attrs,
+extern int do_truncate(struct path *, loff_t start, unsigned int time_attrs,
 		       struct file *filp);
 extern int file_truncate(struct file *filp, loff_t start,
 			 unsigned int time_attrs);
@@ -1785,7 +1785,7 @@ extern int do_remount_sb(struct super_bl
 #ifdef CONFIG_BLOCK
 extern sector_t bmap(struct inode *, sector_t);
 #endif
-extern int notify_change(struct dentry *, struct iattr *);
+extern int notify_change(struct path *, struct iattr *);
 extern int path_setattr(struct path *, struct iattr *);
 extern int generic_permission(struct inode *, int,
 		int (*check_acl)(struct inode *, int));
Index: linux-2.6/include/linux/security.h
===================================================================
--- linux-2.6.orig/include/linux/security.h	2008-05-29 12:20:55.000000000 +0200
+++ linux-2.6/include/linux/security.h	2008-05-29 12:20:56.000000000 +0200
@@ -413,7 +413,7 @@ static inline void security_free_mnt_opt
  *	call to notify_change is performed from several locations, whenever
  *	file attributes change (such as when a file is truncated, chown/chmod
  *	operations, transferring disk quotas, etc).
- *	@dentry contains the dentry structure for the file.
+ *	@path contains the path to the file.
  *	@attr is the iattr structure containing the new file attributes.
  *	Return 0 if permission is granted.
  * @inode_getattr:
@@ -1368,7 +1368,7 @@ struct security_operations {
 	int (*inode_readlink) (struct dentry *dentry);
 	int (*inode_follow_link) (struct dentry *dentry, struct nameidata *nd);
 	int (*inode_permission) (struct inode *inode, int mask);
-	int (*inode_setattr)	(struct dentry *dentry, struct iattr *attr);
+	int (*inode_setattr)	(struct path *path, struct iattr *attr);
 	int (*inode_getattr) (struct path *path);
 	void (*inode_delete) (struct inode *inode);
 	int (*inode_setxattr) (struct dentry *dentry, const char *name,
@@ -1640,7 +1640,7 @@ int security_inode_rename(struct path *o
 int security_inode_readlink(struct dentry *dentry);
 int security_inode_follow_link(struct dentry *dentry, struct nameidata *nd);
 int security_inode_permission(struct inode *inode, int mask);
-int security_inode_setattr(struct dentry *dentry, struct iattr *attr);
+int security_inode_setattr(struct path *path, struct iattr *attr);
 int security_inode_getattr(struct path *path);
 void security_inode_delete(struct inode *inode);
 int security_inode_setxattr(struct dentry *dentry, const char *name,
@@ -2035,8 +2035,7 @@ static inline int security_inode_permiss
 	return 0;
 }
 
-static inline int security_inode_setattr(struct dentry *dentry,
-					  struct iattr *attr)
+static inline int security_inode_setattr(struct path *path, struct iattr *attr)
 {
 	return 0;
 }
Index: linux-2.6/security/dummy.c
===================================================================
--- linux-2.6.orig/security/dummy.c	2008-05-29 12:20:55.000000000 +0200
+++ linux-2.6/security/dummy.c	2008-05-29 12:20:56.000000000 +0200
@@ -348,7 +348,7 @@ static int dummy_inode_permission (struc
 	return 0;
 }
 
-static int dummy_inode_setattr (struct dentry *dentry, struct iattr *iattr)
+static int dummy_inode_setattr(struct path *path, struct iattr *iattr)
 {
 	return 0;
 }
Index: linux-2.6/security/security.c
===================================================================
--- linux-2.6.orig/security/security.c	2008-05-29 12:20:55.000000000 +0200
+++ linux-2.6/security/security.c	2008-05-29 12:20:56.000000000 +0200
@@ -471,11 +471,11 @@ int security_inode_permission(struct ino
 	return security_ops->inode_permission(inode, mask);
 }
 
-int security_inode_setattr(struct dentry *dentry, struct iattr *attr)
+int security_inode_setattr(struct path *path, struct iattr *attr)
 {
-	if (unlikely(IS_PRIVATE(dentry->d_inode)))
+	if (unlikely(IS_PRIVATE(path->dentry->d_inode)))
 		return 0;
-	return security_ops->inode_setattr(dentry, attr);
+	return security_ops->inode_setattr(path, attr);
 }
 EXPORT_SYMBOL_GPL(security_inode_setattr);
 
Index: linux-2.6/security/selinux/hooks.c
===================================================================
--- linux-2.6.orig/security/selinux/hooks.c	2008-05-29 12:20:55.000000000 +0200
+++ linux-2.6/security/selinux/hooks.c	2008-05-29 12:20:56.000000000 +0200
@@ -2579,11 +2579,12 @@ static int selinux_inode_permission(stru
 			       open_file_mask_to_av(inode->i_mode, mask), NULL);
 }
 
-static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
+static int selinux_inode_setattr(struct path *path, struct iattr *iattr)
 {
+	struct dentry *dentry = path->dentry;
 	int rc;
 
-	rc = secondary_ops->inode_setattr(dentry, iattr);
+	rc = secondary_ops->inode_setattr(path, iattr);
 	if (rc)
 		return rc;
 
Index: linux-2.6/security/smack/smack_lsm.c
===================================================================
--- linux-2.6.orig/security/smack/smack_lsm.c	2008-05-29 12:20:55.000000000 +0200
+++ linux-2.6/security/smack/smack_lsm.c	2008-05-29 12:20:56.000000000 +0200
@@ -534,12 +534,12 @@ static int smack_inode_permission(struct
 
 /**
  * smack_inode_setattr - Smack check for setting attributes
- * @dentry: the object
+ * @path: the object
  * @iattr: for the force flag
  *
  * Returns 0 if access is permitted, an error code otherwise
  */
-static int smack_inode_setattr(struct dentry *dentry, struct iattr *iattr)
+static int smack_inode_setattr(struct path *path, struct iattr *iattr)
 {
 	/*
 	 * Need to allow for clearing the setuid bit.
@@ -547,7 +547,7 @@ static int smack_inode_setattr(struct de
 	if (iattr->ia_valid & ATTR_FORCE)
 		return 0;
 
-	return smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE);
+	return smk_curacc(smk_of_inode(path->dentry->d_inode), MAY_WRITE);
 }
 
 /**
Index: linux-2.6/fs/namei.c
===================================================================
--- linux-2.6.orig/fs/namei.c	2008-05-29 12:20:56.000000000 +0200
+++ linux-2.6/fs/namei.c	2008-05-29 12:20:56.000000000 +0200
@@ -1691,7 +1691,7 @@ int may_open(struct nameidata *nd, int a
 		if (!error) {
 			DQUOT_INIT(inode);
 
-			error = do_truncate(dentry, 0,
+			error = do_truncate(&nd->path, 0,
 					    ATTR_MTIME|ATTR_CTIME|ATTR_OPEN,
 					    NULL);
 		}
Index: linux-2.6/fs/fat/file.c
===================================================================
--- linux-2.6.orig/fs/fat/file.c	2008-05-29 12:20:15.000000000 +0200
+++ linux-2.6/fs/fat/file.c	2008-05-29 12:20:56.000000000 +0200
@@ -99,7 +99,7 @@ int fat_generic_ioctl(struct inode *inod
 		 * out the RO attribute for checking by the security
 		 * module, just because it maps to a file mode.
 		 */
-		err = security_inode_setattr(filp->f_path.dentry, &ia);
+		err = security_inode_setattr(&filp->f_path, &ia);
 		if (err)
 			goto up;
 
Index: linux-2.6/mm/filemap.c
===================================================================
--- linux-2.6.orig/mm/filemap.c	2008-05-29 12:20:51.000000000 +0200
+++ linux-2.6/mm/filemap.c	2008-05-29 12:20:56.000000000 +0200
@@ -1660,14 +1660,6 @@ int should_remove_suid(struct dentry *de
 }
 EXPORT_SYMBOL(should_remove_suid);
 
-static int __remove_suid(struct dentry *dentry, int kill)
-{
-	struct iattr newattrs;
-
-	newattrs.ia_valid = ATTR_FORCE | kill;
-	return notify_change(dentry, &newattrs);
-}
-
 int file_remove_suid(struct file *file)
 {
 	struct dentry *dentry = file->f_path.dentry;
@@ -1679,8 +1671,10 @@ int file_remove_suid(struct file *file)
 		return killpriv;
 	if (killpriv)
 		error = security_inode_killpriv(dentry);
-	if (!error && killsuid)
-		error = __remove_suid(dentry, killsuid);
+	if (!error && killsuid) {
+		struct iattr newattrs = {.ia_valid = ATTR_FORCE | killsuid };
+		error = notify_change(&file->f_path, &newattrs);
+	}
 
 	return error;
 }

--

[patch 10/15] security: pass path to inode_getxattr

[Miklos Szeredi]

[-- Attachment #1: security_getxattr_path.patch --]
[-- Type: text/plain, Size: 5842 bytes --]

From: Miklos Szeredi <mszeredi@suse.cz>

In the inode_getxattr() security operation and related functions pass
the path (vfsmount + dentry) instead of the dentry.  AppArmor will need
this.

Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
---
 fs/xattr.c                 |    2 +-
 include/linux/security.h   |    9 ++++-----
 security/dummy.c           |    2 +-
 security/security.c        |    6 +++---
 security/selinux/hooks.c   |    4 ++--
 security/smack/smack_lsm.c |    6 +++---
 6 files changed, 14 insertions(+), 15 deletions(-)

Index: linux-2.6/include/linux/security.h
===================================================================
--- linux-2.6.orig/include/linux/security.h	2008-05-29 12:20:56.000000000 +0200
+++ linux-2.6/include/linux/security.h	2008-05-29 12:20:57.000000000 +0200
@@ -435,7 +435,7 @@ static inline void security_free_mnt_opt
  *	@value identified by @name for @dentry.
  * @inode_getxattr:
  *	Check permission before obtaining the extended attributes
- *	identified by @name for @dentry.
+ *	identified by @name for @path.
  *	Return 0 if permission is granted.
  * @inode_listxattr:
  *	Check permission before obtaining the list of extended attribute
@@ -1375,7 +1375,7 @@ struct security_operations {
 			       const void *value, size_t size, int flags);
 	void (*inode_post_setxattr) (struct dentry *dentry, const char *name,
 				     const void *value, size_t size, int flags);
-	int (*inode_getxattr) (struct dentry *dentry, const char *name);
+	int (*inode_getxattr) (struct path *path, const char *name);
 	int (*inode_listxattr) (struct dentry *dentry);
 	int (*inode_removexattr) (struct dentry *dentry, const char *name);
 	int (*inode_need_killpriv) (struct dentry *dentry);
@@ -1647,7 +1647,7 @@ int security_inode_setxattr(struct dentr
 			    const void *value, size_t size, int flags);
 void security_inode_post_setxattr(struct dentry *dentry, const char *name,
 				  const void *value, size_t size, int flags);
-int security_inode_getxattr(struct dentry *dentry, const char *name);
+int security_inode_getxattr(struct path *path, const char *name);
 int security_inode_listxattr(struct dentry *dentry);
 int security_inode_removexattr(struct dentry *dentry, const char *name);
 int security_inode_need_killpriv(struct dentry *dentry);
@@ -2058,8 +2058,7 @@ static inline void security_inode_post_s
 		const char *name, const void *value, size_t size, int flags)
 { }
 
-static inline int security_inode_getxattr(struct dentry *dentry,
-			const char *name)
+static inline int security_inode_getxattr(struct path *path, const char *name)
 {
 	return 0;
 }
Index: linux-2.6/security/dummy.c
===================================================================
--- linux-2.6.orig/security/dummy.c	2008-05-29 12:20:56.000000000 +0200
+++ linux-2.6/security/dummy.c	2008-05-29 12:20:57.000000000 +0200
@@ -379,7 +379,7 @@ static void dummy_inode_post_setxattr (s
 {
 }
 
-static int dummy_inode_getxattr (struct dentry *dentry, const char *name)
+static int dummy_inode_getxattr(struct path *path, const char *name)
 {
 	return 0;
 }
Index: linux-2.6/security/security.c
===================================================================
--- linux-2.6.orig/security/security.c	2008-05-29 12:20:56.000000000 +0200
+++ linux-2.6/security/security.c	2008-05-29 12:20:57.000000000 +0200
@@ -509,11 +509,11 @@ void security_inode_post_setxattr(struct
 	security_ops->inode_post_setxattr(dentry, name, value, size, flags);
 }
 
-int security_inode_getxattr(struct dentry *dentry, const char *name)
+int security_inode_getxattr(struct path *path, const char *name)
 {
-	if (unlikely(IS_PRIVATE(dentry->d_inode)))
+	if (unlikely(IS_PRIVATE(path->dentry->d_inode)))
 		return 0;
-	return security_ops->inode_getxattr(dentry, name);
+	return security_ops->inode_getxattr(path, name);
 }
 
 int security_inode_listxattr(struct dentry *dentry)
Index: linux-2.6/security/selinux/hooks.c
===================================================================
--- linux-2.6.orig/security/selinux/hooks.c	2008-05-29 12:20:56.000000000 +0200
+++ linux-2.6/security/selinux/hooks.c	2008-05-29 12:20:57.000000000 +0200
@@ -2697,9 +2697,9 @@ static void selinux_inode_post_setxattr(
 	return;
 }
 
-static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
+static int selinux_inode_getxattr(struct path *path, const char *name)
 {
-	return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
+	return dentry_has_perm(current, NULL, path->dentry, FILE__GETATTR);
 }
 
 static int selinux_inode_listxattr(struct dentry *dentry)
Index: linux-2.6/security/smack/smack_lsm.c
===================================================================
--- linux-2.6.orig/security/smack/smack_lsm.c	2008-05-29 12:20:56.000000000 +0200
+++ linux-2.6/security/smack/smack_lsm.c	2008-05-29 12:20:57.000000000 +0200
@@ -635,14 +635,14 @@ static void smack_inode_post_setxattr(st
 
 /*
  * smack_inode_getxattr - Smack check on getxattr
- * @dentry: the object
+ * @path: the object
  * @name: unused
  *
  * Returns 0 if access is permitted, an error code otherwise
  */
-static int smack_inode_getxattr(struct dentry *dentry, const char *name)
+static int smack_inode_getxattr(struct path *path, const char *name)
 {
-	return smk_curacc(smk_of_inode(dentry->d_inode), MAY_READ);
+	return smk_curacc(smk_of_inode(path->dentry->d_inode), MAY_READ);
 }
 
 /*
Index: linux-2.6/fs/xattr.c
===================================================================
--- linux-2.6.orig/fs/xattr.c	2008-05-29 12:20:49.000000000 +0200
+++ linux-2.6/fs/xattr.c	2008-05-29 12:20:57.000000000 +0200
@@ -157,7 +157,7 @@ path_getxattr(struct path *path, const c
 	if (error)
 		return error;
 
-	error = security_inode_getxattr(dentry, name);
+	error = security_inode_getxattr(path, name);
 	if (error)
 		return error;
 

--

[patch 11/15] security: pass path to inode_listxattr

[Miklos Szeredi]

[-- Attachment #1: security_listxattr_path.patch --]
[-- Type: text/plain, Size: 4812 bytes --]

From: Miklos Szeredi <mszeredi@suse.cz>

In the inode_listxattr() security operation and related functions pass
the path (vfsmount + dentry) instead of the dentry.  AppArmor will need
this.

Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
---
 fs/xattr.c               |    2 +-
 include/linux/security.h |    8 ++++----
 security/dummy.c         |    2 +-
 security/security.c      |    6 +++---
 security/selinux/hooks.c |    4 ++--
 5 files changed, 11 insertions(+), 11 deletions(-)

Index: linux-2.6/fs/xattr.c
===================================================================
--- linux-2.6.orig/fs/xattr.c	2008-05-29 12:20:57.000000000 +0200
+++ linux-2.6/fs/xattr.c	2008-05-29 12:20:58.000000000 +0200
@@ -189,7 +189,7 @@ path_listxattr(struct path *path, char *
 	struct dentry *d = path->dentry;
 	ssize_t error;
 
-	error = security_inode_listxattr(d);
+	error = security_inode_listxattr(path);
 	if (error)
 		return error;
 	error = -EOPNOTSUPP;
Index: linux-2.6/include/linux/security.h
===================================================================
--- linux-2.6.orig/include/linux/security.h	2008-05-29 12:20:57.000000000 +0200
+++ linux-2.6/include/linux/security.h	2008-05-29 12:20:58.000000000 +0200
@@ -439,7 +439,7 @@ static inline void security_free_mnt_opt
  *	Return 0 if permission is granted.
  * @inode_listxattr:
  *	Check permission before obtaining the list of extended attribute
- *	names for @dentry.
+ *	names for @path.
  *	Return 0 if permission is granted.
  * @inode_removexattr:
  *	Check permission before removing the extended attribute
@@ -1376,7 +1376,7 @@ struct security_operations {
 	void (*inode_post_setxattr) (struct dentry *dentry, const char *name,
 				     const void *value, size_t size, int flags);
 	int (*inode_getxattr) (struct path *path, const char *name);
-	int (*inode_listxattr) (struct dentry *dentry);
+	int (*inode_listxattr) (struct path *path);
 	int (*inode_removexattr) (struct dentry *dentry, const char *name);
 	int (*inode_need_killpriv) (struct dentry *dentry);
 	int (*inode_killpriv) (struct dentry *dentry);
@@ -1648,7 +1648,7 @@ int security_inode_setxattr(struct dentr
 void security_inode_post_setxattr(struct dentry *dentry, const char *name,
 				  const void *value, size_t size, int flags);
 int security_inode_getxattr(struct path *path, const char *name);
-int security_inode_listxattr(struct dentry *dentry);
+int security_inode_listxattr(struct path *path);
 int security_inode_removexattr(struct dentry *dentry, const char *name);
 int security_inode_need_killpriv(struct dentry *dentry);
 int security_inode_killpriv(struct dentry *dentry);
@@ -2063,7 +2063,7 @@ static inline int security_inode_getxatt
 	return 0;
 }
 
-static inline int security_inode_listxattr(struct dentry *dentry)
+static inline int security_inode_listxattr(struct path *path)
 {
 	return 0;
 }
Index: linux-2.6/security/dummy.c
===================================================================
--- linux-2.6.orig/security/dummy.c	2008-05-29 12:20:57.000000000 +0200
+++ linux-2.6/security/dummy.c	2008-05-29 12:20:58.000000000 +0200
@@ -384,7 +384,7 @@ static int dummy_inode_getxattr(struct p
 	return 0;
 }
 
-static int dummy_inode_listxattr (struct dentry *dentry)
+static int dummy_inode_listxattr(struct path *path)
 {
 	return 0;
 }
Index: linux-2.6/security/security.c
===================================================================
--- linux-2.6.orig/security/security.c	2008-05-29 12:20:57.000000000 +0200
+++ linux-2.6/security/security.c	2008-05-29 12:20:58.000000000 +0200
@@ -516,11 +516,11 @@ int security_inode_getxattr(struct path 
 	return security_ops->inode_getxattr(path, name);
 }
 
-int security_inode_listxattr(struct dentry *dentry)
+int security_inode_listxattr(struct path *path)
 {
-	if (unlikely(IS_PRIVATE(dentry->d_inode)))
+	if (unlikely(IS_PRIVATE(path->dentry->d_inode)))
 		return 0;
-	return security_ops->inode_listxattr(dentry);
+	return security_ops->inode_listxattr(path);
 }
 
 int security_inode_removexattr(struct dentry *dentry, const char *name)
Index: linux-2.6/security/selinux/hooks.c
===================================================================
--- linux-2.6.orig/security/selinux/hooks.c	2008-05-29 12:20:57.000000000 +0200
+++ linux-2.6/security/selinux/hooks.c	2008-05-29 12:20:58.000000000 +0200
@@ -2702,9 +2702,9 @@ static int selinux_inode_getxattr(struct
 	return dentry_has_perm(current, NULL, path->dentry, FILE__GETATTR);
 }
 
-static int selinux_inode_listxattr(struct dentry *dentry)
+static int selinux_inode_listxattr(struct path *path)
 {
-	return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
+	return dentry_has_perm(current, NULL, path->dentry, FILE__GETATTR);
 }
 
 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)

--

[patch 12/15] security: pass path to inode_setxattr

[Miklos Szeredi]

[-- Attachment #1: security_setxattr_path.patch --]
[-- Type: text/plain, Size: 8126 bytes --]

From: Miklos Szeredi <mszeredi@suse.cz>

In the inode_setxattr() security operation and related functions pass
the path (vfsmount + dentry) instead of the dentry.  AppArmor will need
this.

Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
---
 fs/xattr.c                 |    2 +-
 include/linux/security.h   |   12 ++++++------
 security/commoncap.c       |    2 +-
 security/dummy.c           |    4 ++--
 security/security.c        |    6 +++---
 security/selinux/hooks.c   |    3 ++-
 security/smack/smack_lsm.c |    7 ++++---
 7 files changed, 19 insertions(+), 17 deletions(-)

Index: linux-2.6/fs/xattr.c
===================================================================
--- linux-2.6.orig/fs/xattr.c	2008-05-29 12:20:58.000000000 +0200
+++ linux-2.6/fs/xattr.c	2008-05-29 12:20:58.000000000 +0200
@@ -81,7 +81,7 @@ vfs_setxattr(struct path *path, const ch
 		return error;
 
 	mutex_lock(&inode->i_mutex);
-	error = security_inode_setxattr(dentry, name, value, size, flags);
+	error = security_inode_setxattr(path, name, value, size, flags);
 	if (error)
 		goto out;
 	error = -EOPNOTSUPP;
Index: linux-2.6/include/linux/security.h
===================================================================
--- linux-2.6.orig/include/linux/security.h	2008-05-29 12:20:58.000000000 +0200
+++ linux-2.6/include/linux/security.h	2008-05-29 12:20:58.000000000 +0200
@@ -53,7 +53,7 @@ extern void cap_capset_set(struct task_s
 extern int cap_bprm_set_security(struct linux_binprm *bprm);
 extern void cap_bprm_apply_creds(struct linux_binprm *bprm, int unsafe);
 extern int cap_bprm_secureexec(struct linux_binprm *bprm);
-extern int cap_inode_setxattr(struct dentry *dentry, const char *name,
+extern int cap_inode_setxattr(struct path *path, const char *name,
 			      const void *value, size_t size, int flags);
 extern int cap_inode_removexattr(struct dentry *dentry, const char *name);
 extern int cap_inode_need_killpriv(struct dentry *dentry);
@@ -428,7 +428,7 @@ static inline void security_free_mnt_opt
  *	inode.
  * @inode_setxattr:
  *	Check permission before setting the extended attributes
- *	@value identified by @name for @dentry.
+ *	@value identified by @name for @path.
  *	Return 0 if permission is granted.
  * @inode_post_setxattr:
  *	Update inode security field after successful setxattr operation.
@@ -1371,7 +1371,7 @@ struct security_operations {
 	int (*inode_setattr)	(struct path *path, struct iattr *attr);
 	int (*inode_getattr) (struct path *path);
 	void (*inode_delete) (struct inode *inode);
-	int (*inode_setxattr) (struct dentry *dentry, const char *name,
+	int (*inode_setxattr) (struct path *path, const char *name,
 			       const void *value, size_t size, int flags);
 	void (*inode_post_setxattr) (struct dentry *dentry, const char *name,
 				     const void *value, size_t size, int flags);
@@ -1643,7 +1643,7 @@ int security_inode_permission(struct ino
 int security_inode_setattr(struct path *path, struct iattr *attr);
 int security_inode_getattr(struct path *path);
 void security_inode_delete(struct inode *inode);
-int security_inode_setxattr(struct dentry *dentry, const char *name,
+int security_inode_setxattr(struct path *path, const char *name,
 			    const void *value, size_t size, int flags);
 void security_inode_post_setxattr(struct dentry *dentry, const char *name,
 				  const void *value, size_t size, int flags);
@@ -2048,10 +2048,10 @@ static inline int security_inode_getattr
 static inline void security_inode_delete(struct inode *inode)
 { }
 
-static inline int security_inode_setxattr(struct dentry *dentry,
+static inline int security_inode_setxattr(struct path *path,
 		const char *name, const void *value, size_t size, int flags)
 {
-	return cap_inode_setxattr(dentry, name, value, size, flags);
+	return cap_inode_setxattr(path, name, value, size, flags);
 }
 
 static inline void security_inode_post_setxattr(struct dentry *dentry,
Index: linux-2.6/security/dummy.c
===================================================================
--- linux-2.6.orig/security/dummy.c	2008-05-29 12:20:58.000000000 +0200
+++ linux-2.6/security/dummy.c	2008-05-29 12:20:58.000000000 +0200
@@ -363,8 +363,8 @@ static void dummy_inode_delete (struct i
 	return;
 }
 
-static int dummy_inode_setxattr (struct dentry *dentry, const char *name,
-				 const void *value, size_t size, int flags)
+static int dummy_inode_setxattr(struct path *path, const char *name,
+				const void *value, size_t size, int flags)
 {
 	if (!strncmp(name, XATTR_SECURITY_PREFIX,
 		     sizeof(XATTR_SECURITY_PREFIX) - 1) &&
Index: linux-2.6/security/security.c
===================================================================
--- linux-2.6.orig/security/security.c	2008-05-29 12:20:58.000000000 +0200
+++ linux-2.6/security/security.c	2008-05-29 12:20:58.000000000 +0200
@@ -493,12 +493,12 @@ void security_inode_delete(struct inode 
 	security_ops->inode_delete(inode);
 }
 
-int security_inode_setxattr(struct dentry *dentry, const char *name,
+int security_inode_setxattr(struct path *path, const char *name,
 			    const void *value, size_t size, int flags)
 {
-	if (unlikely(IS_PRIVATE(dentry->d_inode)))
+	if (unlikely(IS_PRIVATE(path->dentry->d_inode)))
 		return 0;
-	return security_ops->inode_setxattr(dentry, name, value, size, flags);
+	return security_ops->inode_setxattr(path, name, value, size, flags);
 }
 
 void security_inode_post_setxattr(struct dentry *dentry, const char *name,
Index: linux-2.6/security/selinux/hooks.c
===================================================================
--- linux-2.6.orig/security/selinux/hooks.c	2008-05-29 12:20:58.000000000 +0200
+++ linux-2.6/security/selinux/hooks.c	2008-05-29 12:20:58.000000000 +0200
@@ -2622,10 +2622,11 @@ static int selinux_inode_setotherxattr(s
 	return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
 }
 
-static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
+static int selinux_inode_setxattr(struct path *path, const char *name,
 				  const void *value, size_t size, int flags)
 {
 	struct task_security_struct *tsec = current->security;
+	struct dentry *dentry = path->dentry;
 	struct inode *inode = dentry->d_inode;
 	struct inode_security_struct *isec = inode->i_security;
 	struct superblock_security_struct *sbsec;
Index: linux-2.6/security/smack/smack_lsm.c
===================================================================
--- linux-2.6.orig/security/smack/smack_lsm.c	2008-05-29 12:20:57.000000000 +0200
+++ linux-2.6/security/smack/smack_lsm.c	2008-05-29 12:20:58.000000000 +0200
@@ -563,7 +563,7 @@ static int smack_inode_getattr(struct pa
 
 /**
  * smack_inode_setxattr - Smack check for setting xattrs
- * @dentry: the object
+ * @path: the object
  * @name: name of the attribute
  * @value: unused
  * @size: unused
@@ -573,9 +573,10 @@ static int smack_inode_getattr(struct pa
  *
  * Returns 0 if access is permitted, an error code otherwise
  */
-static int smack_inode_setxattr(struct dentry *dentry, const char *name,
+static int smack_inode_setxattr(struct path *path, const char *name,
 				const void *value, size_t size, int flags)
 {
+	struct dentry *dentry = path->dentry;
 	int rc = 0;
 
 	if (strcmp(name, XATTR_NAME_SMACK) == 0 ||
@@ -584,7 +585,7 @@ static int smack_inode_setxattr(struct d
 		if (!capable(CAP_MAC_ADMIN))
 			rc = -EPERM;
 	} else
-		rc = cap_inode_setxattr(dentry, name, value, size, flags);
+		rc = cap_inode_setxattr(path, name, value, size, flags);
 
 	if (rc == 0)
 		rc = smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE);
Index: linux-2.6/security/commoncap.c
===================================================================
--- linux-2.6.orig/security/commoncap.c	2008-05-29 12:20:15.000000000 +0200
+++ linux-2.6/security/commoncap.c	2008-05-29 12:20:58.000000000 +0200
@@ -383,7 +383,7 @@ int cap_bprm_secureexec (struct linux_bi
 		current->egid != current->gid);
 }
 
-int cap_inode_setxattr(struct dentry *dentry, const char *name,
+int cap_inode_setxattr(struct path *path, const char *name,
 		       const void *value, size_t size, int flags)
 {
 	if (!strcmp(name, XATTR_NAME_CAPS)) {

--

[patch 13/15] security: pass path to inode_removexattr

[Miklos Szeredi]

[-- Attachment #1: security_removexattr_path.patch --]
[-- Type: text/plain, Size: 7720 bytes --]

From: Miklos Szeredi <mszeredi@suse.cz>

In the inode_removexattr() security operation and related functions pass
the path (vfsmount + dentry) instead of the dentry.  AppArmor will need
this.

Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
---
 fs/xattr.c                 |    2 +-
 include/linux/security.h   |   12 ++++++------
 security/commoncap.c       |    2 +-
 security/dummy.c           |    2 +-
 security/security.c        |    6 +++---
 security/selinux/hooks.c   |    4 ++--
 security/smack/smack_lsm.c |    8 ++++----
 7 files changed, 18 insertions(+), 18 deletions(-)

Index: linux-2.6/fs/xattr.c
===================================================================
--- linux-2.6.orig/fs/xattr.c	2008-05-29 12:20:58.000000000 +0200
+++ linux-2.6/fs/xattr.c	2008-05-29 12:20:59.000000000 +0200
@@ -218,7 +218,7 @@ vfs_removexattr(struct path *path, const
 	if (error)
 		return error;
 
-	error = security_inode_removexattr(dentry, name);
+	error = security_inode_removexattr(path, name);
 	if (error)
 		return error;
 
Index: linux-2.6/include/linux/security.h
===================================================================
--- linux-2.6.orig/include/linux/security.h	2008-05-29 12:20:58.000000000 +0200
+++ linux-2.6/include/linux/security.h	2008-05-29 12:20:59.000000000 +0200
@@ -55,7 +55,7 @@ extern void cap_bprm_apply_creds(struct 
 extern int cap_bprm_secureexec(struct linux_binprm *bprm);
 extern int cap_inode_setxattr(struct path *path, const char *name,
 			      const void *value, size_t size, int flags);
-extern int cap_inode_removexattr(struct dentry *dentry, const char *name);
+extern int cap_inode_removexattr(struct path *path, const char *name);
 extern int cap_inode_need_killpriv(struct dentry *dentry);
 extern int cap_inode_killpriv(struct dentry *dentry);
 extern int cap_task_post_setuid(uid_t old_ruid, uid_t old_euid, uid_t old_suid, int flags);
@@ -443,7 +443,7 @@ static inline void security_free_mnt_opt
  *	Return 0 if permission is granted.
  * @inode_removexattr:
  *	Check permission before removing the extended attribute
- *	identified by @name for @dentry.
+ *	identified by @name for @path.
  *	Return 0 if permission is granted.
  * @inode_getsecurity:
  *	Retrieve a copy of the extended attribute representation of the
@@ -1377,7 +1377,7 @@ struct security_operations {
 				     const void *value, size_t size, int flags);
 	int (*inode_getxattr) (struct path *path, const char *name);
 	int (*inode_listxattr) (struct path *path);
-	int (*inode_removexattr) (struct dentry *dentry, const char *name);
+	int (*inode_removexattr) (struct path *path, const char *name);
 	int (*inode_need_killpriv) (struct dentry *dentry);
 	int (*inode_killpriv) (struct dentry *dentry);
 	int (*inode_getsecurity) (const struct inode *inode, const char *name, void **buffer, bool alloc);
@@ -1649,7 +1649,7 @@ void security_inode_post_setxattr(struct
 				  const void *value, size_t size, int flags);
 int security_inode_getxattr(struct path *path, const char *name);
 int security_inode_listxattr(struct path *path);
-int security_inode_removexattr(struct dentry *dentry, const char *name);
+int security_inode_removexattr(struct path *path, const char *name);
 int security_inode_need_killpriv(struct dentry *dentry);
 int security_inode_killpriv(struct dentry *dentry);
 int security_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc);
@@ -2068,10 +2068,10 @@ static inline int security_inode_listxat
 	return 0;
 }
 
-static inline int security_inode_removexattr(struct dentry *dentry,
+static inline int security_inode_removexattr(struct path *path,
 			const char *name)
 {
-	return cap_inode_removexattr(dentry, name);
+	return cap_inode_removexattr(path, name);
 }
 
 static inline int security_inode_need_killpriv(struct dentry *dentry)
Index: linux-2.6/security/dummy.c
===================================================================
--- linux-2.6.orig/security/dummy.c	2008-05-29 12:20:58.000000000 +0200
+++ linux-2.6/security/dummy.c	2008-05-29 12:20:59.000000000 +0200
@@ -389,7 +389,7 @@ static int dummy_inode_listxattr(struct 
 	return 0;
 }
 
-static int dummy_inode_removexattr (struct dentry *dentry, const char *name)
+static int dummy_inode_removexattr(struct path *path, const char *name)
 {
 	if (!strncmp(name, XATTR_SECURITY_PREFIX,
 		     sizeof(XATTR_SECURITY_PREFIX) - 1) &&
Index: linux-2.6/security/security.c
===================================================================
--- linux-2.6.orig/security/security.c	2008-05-29 12:20:58.000000000 +0200
+++ linux-2.6/security/security.c	2008-05-29 12:20:59.000000000 +0200
@@ -523,11 +523,11 @@ int security_inode_listxattr(struct path
 	return security_ops->inode_listxattr(path);
 }
 
-int security_inode_removexattr(struct dentry *dentry, const char *name)
+int security_inode_removexattr(struct path *path, const char *name)
 {
-	if (unlikely(IS_PRIVATE(dentry->d_inode)))
+	if (unlikely(IS_PRIVATE(path->dentry->d_inode)))
 		return 0;
-	return security_ops->inode_removexattr(dentry, name);
+	return security_ops->inode_removexattr(path, name);
 }
 
 int security_inode_need_killpriv(struct dentry *dentry)
Index: linux-2.6/security/selinux/hooks.c
===================================================================
--- linux-2.6.orig/security/selinux/hooks.c	2008-05-29 12:20:58.000000000 +0200
+++ linux-2.6/security/selinux/hooks.c	2008-05-29 12:20:59.000000000 +0200
@@ -2708,10 +2708,10 @@ static int selinux_inode_listxattr(struc
 	return dentry_has_perm(current, NULL, path->dentry, FILE__GETATTR);
 }
 
-static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
+static int selinux_inode_removexattr(struct path *path, const char *name)
 {
 	if (strcmp(name, XATTR_NAME_SELINUX))
-		return selinux_inode_setotherxattr(dentry, name);
+		return selinux_inode_setotherxattr(path->dentry, name);
 
 	/* No one is allowed to remove a SELinux security label.
 	   You can change the label, but all data must be labeled. */
Index: linux-2.6/security/smack/smack_lsm.c
===================================================================
--- linux-2.6.orig/security/smack/smack_lsm.c	2008-05-29 12:20:58.000000000 +0200
+++ linux-2.6/security/smack/smack_lsm.c	2008-05-29 12:20:59.000000000 +0200
@@ -648,14 +648,14 @@ static int smack_inode_getxattr(struct p
 
 /*
  * smack_inode_removexattr - Smack check on removexattr
- * @dentry: the object
+ * @path: the object
  * @name: name of the attribute
  *
  * Removing the Smack attribute requires CAP_MAC_ADMIN
  *
  * Returns 0 if access is permitted, an error code otherwise
  */
-static int smack_inode_removexattr(struct dentry *dentry, const char *name)
+static int smack_inode_removexattr(struct path *path, const char *name)
 {
 	int rc = 0;
 
@@ -665,10 +665,10 @@ static int smack_inode_removexattr(struc
 		if (!capable(CAP_MAC_ADMIN))
 			rc = -EPERM;
 	} else
-		rc = cap_inode_removexattr(dentry, name);
+		rc = cap_inode_removexattr(path, name);
 
 	if (rc == 0)
-		rc = smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE);
+		rc = smk_curacc(smk_of_inode(path->dentry->d_inode), MAY_WRITE);
 
 	return rc;
 }
Index: linux-2.6/security/commoncap.c
===================================================================
--- linux-2.6.orig/security/commoncap.c	2008-05-29 12:20:58.000000000 +0200
+++ linux-2.6/security/commoncap.c	2008-05-29 12:20:59.000000000 +0200
@@ -397,7 +397,7 @@ int cap_inode_setxattr(struct path *path
 	return 0;
 }
 
-int cap_inode_removexattr(struct dentry *dentry, const char *name)
+int cap_inode_removexattr(struct path *path, const char *name)
 {
 	if (!strcmp(name, XATTR_NAME_CAPS)) {
 		if (!capable(CAP_SETFCAP))

--

[patch 14/15] vfs: more path_permission() conversions

[Miklos Szeredi]

[-- Attachment #1: path_permission_more.patch --]
[-- Type: text/plain, Size: 4984 bytes --]

From: Miklos Szeredi <mszeredi@suse.cz>

Use path_permission() instead of dentry_permission() from may_delete()
may_create() and vfs_rename().

dentry_permission() is now only called from lookup_one_len() and
path_permission().

Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
---
 fs/namei.c |   39 ++++++++++++++++++++++-----------------
 1 file changed, 22 insertions(+), 17 deletions(-)

Index: linux-2.6/fs/namei.c
===================================================================
--- linux-2.6.orig/fs/namei.c	2008-05-29 12:20:55.000000000 +0200
+++ linux-2.6/fs/namei.c	2008-05-29 12:20:56.000000000 +0200
@@ -1475,10 +1475,10 @@ static inline int check_sticky(struct in
  * 10. We don't allow removal of NFS sillyrenamed files; it's handled by
  *     nfs_async_unlink().
  */
-static int may_delete(struct dentry *dir_dentry, struct dentry *victim,
+static int may_delete(struct path *dir_path, struct dentry *victim,
 		      int isdir)
 {
-	struct inode *dir = dir_dentry->d_inode;
+	struct inode *dir = dir_path->dentry->d_inode;
 	int error;
 
 	if (!victim->d_inode)
@@ -1487,7 +1487,7 @@ static int may_delete(struct dentry *dir
 	BUG_ON(victim->d_parent->d_inode != dir);
 	audit_inode_child(victim->d_name.name, victim, dir);
 
-	error = dentry_permission(dir_dentry, MAY_DELETE);
+	error = path_permission(dir_path, MAY_DELETE);
 	if (error)
 		return error;
 	if (IS_APPEND(dir))
@@ -1517,13 +1517,13 @@ static int may_delete(struct dentry *dir
  *  3. We should have write and exec permissions on dir
  *  4. We can't do it if dir is immutable (done in permission())
  */
-static inline int may_create(struct dentry *dir_dentry, struct dentry *child)
+static inline int may_create(struct path *dir_path, struct dentry *child)
 {
 	if (child->d_inode)
 		return -EEXIST;
-	if (IS_DEADDIR(dir_dentry->d_inode))
+	if (IS_DEADDIR(dir_path->dentry->d_inode))
 		return -ENOENT;
-	return dentry_permission(dir_dentry, MAY_CREATE);
+	return path_permission(dir_path, MAY_CREATE);
 }
 
 /* 
@@ -1590,7 +1590,7 @@ static int vfs_create(struct path *dir_p
 		      int mode,	struct nameidata *nd)
 {
 	struct inode *dir = dir_path->dentry->d_inode;
-	int error = may_create(dir_path->dentry, dentry);
+	int error = may_create(dir_path, dentry);
 
 	if (error)
 		return error;
@@ -2048,7 +2048,7 @@ static int vfs_mknod(struct path *dir_pa
 		     int mode, dev_t dev)
 {
 	struct inode *dir = dir_path->dentry->d_inode;
-	int error = may_create(dir_path->dentry, dentry);
+	int error = may_create(dir_path, dentry);
 
 	if (error)
 		return error;
@@ -2146,7 +2146,7 @@ asmlinkage long sys_mknod(const char __u
 static int vfs_mkdir(struct path *dir_path, struct dentry *dentry, int mode)
 {
 	struct inode *dir = dir_path->dentry->d_inode;
-	int error = may_create(dir_path->dentry, dentry);
+	int error = may_create(dir_path, dentry);
 
 	if (error)
 		return error;
@@ -2247,7 +2247,7 @@ void dentry_unhash(struct dentry *dentry
 static int vfs_rmdir(struct path *dir_path, struct dentry *dentry)
 {
 	struct inode *dir = dir_path->dentry->d_inode;
-	int error = may_delete(dir_path->dentry, dentry, 1);
+	int error = may_delete(dir_path, dentry, 1);
 
 	if (error)
 		return error;
@@ -2341,7 +2341,7 @@ asmlinkage long sys_rmdir(const char __u
 static int vfs_unlink(struct path *dir_path, struct dentry *dentry)
 {
 	struct inode *dir = dir_path->dentry->d_inode;
-	int error = may_delete(dir_path->dentry, dentry, 0);
+	int error = may_delete(dir_path, dentry, 0);
 
 	if (error)
 		return error;
@@ -2456,7 +2456,7 @@ static int vfs_symlink(struct path *dir_
 		       const char *oldname)
 {
 	struct inode *dir = dir_path->dentry->d_inode;
-	int error = may_create(dir_path->dentry, dentry);
+	int error = may_create(dir_path, dentry);
 
 	if (error)
 		return error;
@@ -2541,7 +2541,7 @@ static int vfs_link(struct dentry *old_d
 	if (!inode)
 		return -ENOENT;
 
-	error = may_create(new_dir_path->dentry, new_dentry);
+	error = may_create(new_dir_path, new_dentry);
 	if (error)
 		return error;
 
@@ -2741,14 +2741,14 @@ static int vfs_rename(struct path *old_d
 	if (old_dentry->d_inode == new_dentry->d_inode)
  		return 0;
  
-	error = may_delete(old_dir_path->dentry, old_dentry, is_dir);
+	error = may_delete(old_dir_path, old_dentry, is_dir);
 	if (error)
 		return error;
 
 	if (!new_dentry->d_inode)
-		error = may_create(new_dir_path->dentry, new_dentry);
+		error = may_create(new_dir_path, new_dentry);
 	else
-		error = may_delete(new_dir_path->dentry, new_dentry, is_dir);
+		error = may_delete(new_dir_path, new_dentry, is_dir);
 	if (error)
 		return error;
 
@@ -2760,7 +2760,12 @@ static int vfs_rename(struct path *old_d
 	 * we'll need to flip '..'.
 	 */
 	if (is_dir && new_dir != old_dir) {
-		error = dentry_permission(old_dentry, MAY_MOVE_DIR);
+		struct path old_path = {
+			.mnt = old_dir_path->mnt,
+			.dentry = old_dentry,
+		};
+
+		error = path_permission(&old_path, MAY_MOVE_DIR);
 		if (error)
 			return error;
 	}

--

[patch 15/15] security: pass path to inode_permission

[Miklos Szeredi]

[-- Attachment #1: security_permission_path.patch --]
[-- Type: text/plain, Size: 10176 bytes --]

From: Miklos Szeredi <mszeredi@suse.cz>

In the inode_permission() security operation and related functions
pass the path (vfsmount + dentry) instead of the inode.  AppArmor will
need this.

Create a new security operation: inode_lookup() which will be called
for checking permission to lookup.  Unfortunately it is necessary to
distinguish between lookup and non-lookup permissions, because the
path is not available from lookup_one_len().  One day, when
lookup_one_len() is gone, this operation can go too.  AppArmor won't
need to check permission to lookup.

Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
---
 fs/namei.c                 |   30 +++++++++++++++++++++---------
 include/linux/security.h   |   19 +++++++++++++++----
 security/dummy.c           |    8 +++++++-
 security/security.c        |   11 +++++++++--
 security/selinux/hooks.c   |   18 ++++++++++++++++--
 security/smack/smack_lsm.c |   18 +++++++++++++++---
 6 files changed, 83 insertions(+), 21 deletions(-)

Index: linux-2.6/fs/namei.c
===================================================================
--- linux-2.6.orig/fs/namei.c	2008-05-29 12:20:56.000000000 +0200
+++ linux-2.6/fs/namei.c	2008-05-29 12:20:59.000000000 +0200
@@ -280,11 +280,7 @@ static int dentry_permission(struct dent
 	if (retval)
 		return retval;
 
-	retval = devcgroup_inode_permission(inode, mask);
-	if (retval)
-		return retval;
-
-	return security_inode_permission(inode, mask);
+	return devcgroup_inode_permission(inode, mask);
 }
 
 /**
@@ -299,6 +295,7 @@ static int dentry_permission(struct dent
  */
 int path_permission(struct path *path, int mask)
 {
+	int err;
 	struct dentry *dentry = path->dentry;
 	struct inode *inode = dentry->d_inode;
 
@@ -313,7 +310,14 @@ int path_permission(struct path *path, i
 			return -EACCES;
 	}
 
-	return dentry_permission(dentry, mask);
+	err = dentry_permission(dentry, mask);
+	if (err)
+		return err;
+
+	if (mask == MAY_LOOKUP)
+		return security_inode_lookup(inode);
+	else
+		return security_inode_permission(path, mask);
 }
 
 /**
@@ -492,7 +496,7 @@ static int exec_permission_lite(struct i
 
 	return -EACCES;
 ok:
-	return security_inode_permission(inode, MAY_LOOKUP);
+	return security_inode_lookup(inode);
 }
 
 /*
@@ -1393,12 +1397,20 @@ struct dentry *lookup_one_len(const char
 
 	err = __lookup_one_len(name, &this, base, len);
 	if (err)
-		return ERR_PTR(err);
+		goto error;
 
 	err = dentry_permission(base, MAY_LOOKUP);
 	if (err)
-		return ERR_PTR(err);
+		goto error;
+
+	err = security_inode_lookup(base->d_inode);
+	if (err)
+		goto error;
+
 	return __lookup_hash(&this, base, NULL);
+
+error:
+	return ERR_PTR(err);
 }
 
 /**
Index: linux-2.6/include/linux/security.h
===================================================================
--- linux-2.6.orig/include/linux/security.h	2008-05-29 12:20:59.000000000 +0200
+++ linux-2.6/include/linux/security.h	2008-05-29 12:20:59.000000000 +0200
@@ -405,9 +405,13 @@ static inline void security_free_mnt_opt
  *	Notice that this hook is called when a file is opened (as well as many
  *	other operations), whereas the file_security_ops permission hook is
  *	called when the actual read/write operations are performed.
- *	@inode contains the inode structure to check.
+ *	@path contains the path to check.
  *	@mask contains the permission mask.
  *	Return 0 if permission is granted.
+ * @inode_lookup:
+ *	Check permissions for lookup.
+ *	@inode contains the inode structure to check.
+ *	Return 0 if permission is granted.
  * @inode_setattr:
  *	Check permission before setting file attributes.  Note that the kernel
  *	call to notify_change is performed from several locations, whenever
@@ -1367,7 +1371,8 @@ struct security_operations {
 			     struct path *new_dir, struct dentry *new_dentry);
 	int (*inode_readlink) (struct dentry *dentry);
 	int (*inode_follow_link) (struct dentry *dentry, struct nameidata *nd);
-	int (*inode_permission) (struct inode *inode, int mask);
+	int (*inode_permission) (struct path *path, int mask);
+	int (*inode_lookup) (struct inode *inode);
 	int (*inode_setattr)	(struct path *path, struct iattr *attr);
 	int (*inode_getattr) (struct path *path);
 	void (*inode_delete) (struct inode *inode);
@@ -1639,7 +1644,8 @@ int security_inode_rename(struct path *o
 			  struct path *new_dir, struct dentry *new_dentry);
 int security_inode_readlink(struct dentry *dentry);
 int security_inode_follow_link(struct dentry *dentry, struct nameidata *nd);
-int security_inode_permission(struct inode *inode, int mask);
+int security_inode_permission(struct path *path, int mask);
+int security_inode_lookup(struct inode *inode);
 int security_inode_setattr(struct path *path, struct iattr *attr);
 int security_inode_getattr(struct path *path);
 void security_inode_delete(struct inode *inode);
@@ -2030,7 +2036,12 @@ static inline int security_inode_follow_
 	return 0;
 }
 
-static inline int security_inode_permission(struct inode *inode, int mask)
+static inline int security_inode_permission(struct path *path, int mask)
+{
+	return 0;
+}
+
+static inline int security_inode_lookup(struct inode *inode)
 {
 	return 0;
 }
Index: linux-2.6/security/dummy.c
===================================================================
--- linux-2.6.orig/security/dummy.c	2008-05-29 12:20:59.000000000 +0200
+++ linux-2.6/security/dummy.c	2008-05-29 12:20:59.000000000 +0200
@@ -343,7 +343,12 @@ static int dummy_inode_follow_link (stru
 	return 0;
 }
 
-static int dummy_inode_permission (struct inode *inode, int mask)
+static int dummy_inode_permission(struct path *path, int mask)
+{
+	return 0;
+}
+
+static int dummy_inode_lookup(struct inode *inode)
 {
 	return 0;
 }
@@ -1091,6 +1096,7 @@ void security_fixup_ops (struct security
 	set_to_dummy_if_null(ops, inode_readlink);
 	set_to_dummy_if_null(ops, inode_follow_link);
 	set_to_dummy_if_null(ops, inode_permission);
+	set_to_dummy_if_null(ops, inode_lookup);
 	set_to_dummy_if_null(ops, inode_setattr);
 	set_to_dummy_if_null(ops, inode_getattr);
 	set_to_dummy_if_null(ops, inode_delete);
Index: linux-2.6/security/security.c
===================================================================
--- linux-2.6.orig/security/security.c	2008-05-29 12:20:59.000000000 +0200
+++ linux-2.6/security/security.c	2008-05-29 12:20:59.000000000 +0200
@@ -464,11 +464,18 @@ int security_inode_follow_link(struct de
 	return security_ops->inode_follow_link(dentry, nd);
 }
 
-int security_inode_permission(struct inode *inode, int mask)
+int security_inode_permission(struct path *path, int mask)
+{
+	if (unlikely(IS_PRIVATE(path->dentry->d_inode)))
+		return 0;
+	return security_ops->inode_permission(path, mask);
+}
+
+int security_inode_lookup(struct inode *inode)
 {
 	if (unlikely(IS_PRIVATE(inode)))
 		return 0;
-	return security_ops->inode_permission(inode, mask);
+	return security_ops->inode_lookup(inode);
 }
 
 int security_inode_setattr(struct path *path, struct iattr *attr)
Index: linux-2.6/security/selinux/hooks.c
===================================================================
--- linux-2.6.orig/security/selinux/hooks.c	2008-05-29 12:20:59.000000000 +0200
+++ linux-2.6/security/selinux/hooks.c	2008-05-29 12:20:59.000000000 +0200
@@ -2561,11 +2561,12 @@ static int selinux_inode_follow_link(str
 	return dentry_has_perm(current, NULL, dentry, FILE__READ);
 }
 
-static int selinux_inode_permission(struct inode *inode, int mask)
+static int selinux_inode_permission(struct path *path, int mask)
 {
+	struct inode *inode = path->dentry->d_inode;
 	int rc;
 
-	rc = secondary_ops->inode_permission(inode, mask);
+	rc = secondary_ops->inode_permission(path, mask);
 	if (rc)
 		return rc;
 
@@ -2579,6 +2580,18 @@ static int selinux_inode_permission(stru
 			       open_file_mask_to_av(inode->i_mode, mask), NULL);
 }
 
+static int selinux_inode_lookup(struct inode *inode)
+{
+	int rc;
+
+	rc = secondary_ops->inode_lookup(inode);
+	if (rc)
+		return rc;
+
+	return inode_has_perm(current, inode,
+			open_file_mask_to_av(inode->i_mode, MAY_EXEC), NULL);
+}
+
 static int selinux_inode_setattr(struct path *path, struct iattr *iattr)
 {
 	struct dentry *dentry = path->dentry;
@@ -5350,6 +5363,7 @@ static struct security_operations selinu
 	.inode_readlink =		selinux_inode_readlink,
 	.inode_follow_link =		selinux_inode_follow_link,
 	.inode_permission =		selinux_inode_permission,
+	.inode_lookup =			selinux_inode_lookup,
 	.inode_setattr =		selinux_inode_setattr,
 	.inode_getattr =		selinux_inode_getattr,
 	.inode_setxattr =		selinux_inode_setxattr,
Index: linux-2.6/security/smack/smack_lsm.c
===================================================================
--- linux-2.6.orig/security/smack/smack_lsm.c	2008-05-29 12:20:59.000000000 +0200
+++ linux-2.6/security/smack/smack_lsm.c	2008-05-29 12:20:59.000000000 +0200
@@ -513,14 +513,14 @@ static int smack_inode_rename(struct pat
 
 /**
  * smack_inode_permission - Smack version of permission()
- * @inode: the inode in question
+ * @path: the object
  * @mask: the access requested
  *
  * This is the important Smack hook.
  *
  * Returns 0 if access is permitted, -EACCES otherwise
  */
-static int smack_inode_permission(struct inode *inode, int mask)
+static int smack_inode_permission(struct path *path, int mask)
 {
 	/*
 	 * No permission to check. Existence test. Yup, it's there.
@@ -529,7 +529,18 @@ static int smack_inode_permission(struct
 	if (mask == 0)
 		return 0;
 
-	return smk_curacc(smk_of_inode(inode), mask);
+	return smk_curacc(smk_of_inode(path->dentry->d_inode), mask);
+}
+
+/**
+ * smack_inode_lookup - Permission to lookup
+ * @inode: the inode in question
+ *
+ * Returns 0 if access is permitted, -EACCES otherwise
+ */
+static int smack_inode_lookup(struct inode *inode)
+{
+	return smk_curacc(smk_of_inode(inode), MAY_EXEC);
 }
 
 /**
@@ -2589,6 +2600,7 @@ struct security_operations smack_ops = {
 	.inode_rmdir = 			smack_inode_rmdir,
 	.inode_rename = 		smack_inode_rename,
 	.inode_permission = 		smack_inode_permission,
+	.inode_lookup = 		smack_inode_lookup,
 	.inode_setattr = 		smack_inode_setattr,
 	.inode_getattr = 		smack_inode_getattr,
 	.inode_setxattr = 		smack_inode_setxattr,

--

Re: [patch 00/15] security: pass path instead of inode to security ops

[Tetsuo Handa]

Hello.

Miklos Szeredi wrote:
> This is based on the vfs-cleanups(*) tree + the 8 patches posted
> recently (which will be added to this tree shortly).

Patching these 15 patches fails. I think this is because the 8 patches are missing.
Can I see the 8 patches?

  2 out of 4 hunks FAILED -- saving rejects to file include/linux/security.h.rej
  2 out of 3 hunks FAILED -- saving rejects to file include/linux/security.h.rej
  2 out of 4 hunks FAILED -- saving rejects to file include/linux/security.h.rej
  Reversed (or previously applied) patch detected!  Assume -R? [n]
  Apply anyway? [n]
  5 out of 5 hunks ignored -- saving rejects to file fs/namei.c.rej
  1 out of 4 hunks FAILED -- saving rejects to file include/linux/security.h.rej
  2 out of 4 hunks FAILED -- saving rejects to file include/linux/security.h.rej
  1 out of 2 hunks FAILED -- saving rejects to file mm/filemap.c.rej
  2 out of 4 hunks FAILED -- saving rejects to file include/linux/security.h.rej
  2 out of 5 hunks FAILED -- saving rejects to file include/linux/security.h.rej
  11 out of 12 hunks FAILED -- saving rejects to file fs/namei.c.rej
  2 out of 5 hunks FAILED -- saving rejects to file fs/namei.c.rej
  2 out of 4 hunks FAILED -- saving rejects to file include/linux/security.h.rej
  1 out of 3 hunks FAILED -- saving rejects to file security/selinux/hooks.c.rej

Regards.

Re: [patch 00/15] security: pass path instead of inode to security ops

[Miklos Szeredi]

> > This is based on the vfs-cleanups(*) tree + the 8 patches posted
> > recently (which will be added to this tree shortly).
> 
> Patching these 15 patches fails. I think this is because the 8
> patches are missing.  Can I see the 8 patches?

I've now committed those to the vfs-cleanups tree.

Thanks,
Miklos

Re: [patch 00/15] security: pass path instead of inode to security ops

[Tetsuo Handa]

Hello.

Miklos Szeredi wrote:
> > > This is based on the vfs-cleanups(*) tree + the 8 patches posted
> > > recently (which will be added to this tree shortly).
> > 
> > Patching these 15 patches fails. I think this is because the 8
> > patches are missing.  Can I see the 8 patches?
> 
> I've now committed those to the vfs-cleanups tree.
> 
All 15 patches successfully applied on vfs-cleanups tree.

And I verified that these 15 patches also satisfy all modifications needed by TOMOYO Linux.
http://svn.sourceforge.jp/cgi-bin/viewcvs.cgi/trunk/2.2.x/tomoyo-lsm/patches/?rev=1251&root=tomoyo

Please go ahead. Thank you.

Re: [patch 01/15] security: pass path to inode_create

[Christoph Hellwig]

On Thu, May 29, 2008 at 03:49:04PM +0200, Miklos Szeredi wrote:
> From: Miklos Szeredi <mszeredi@suse.cz>
> 
> In the inode_create() security operation and related functions pass
> the path (vfsmount + dentry) to the parent directory instead of the
> inode.  AppArmor will need this.

So you're once again switching vfs_ to a pass a vfsmount argument, this
time hidden under struct path.  It's really hard to grasp a "no"
sometimes, isn't it? :)

Re: [patch 01/15] security: pass path to inode_create

[Tetsuo Handa]

Christoph Hellwig wrote:
> On Thu, May 29, 2008 at 03:49:04PM +0200, Miklos Szeredi wrote:
> > From: Miklos Szeredi <mszeredi@suse.cz>
> > 
> > In the inode_create() security operation and related functions pass
> > the path (vfsmount + dentry) to the parent directory instead of the
> > inode.  AppArmor will need this.
> 
> So you're once again switching vfs_ to a pass a vfsmount argument, this
> time hidden under struct path.  It's really hard to grasp a "no"
> sometimes, isn't it? :)
> 
The vfs-cleanups git tree is developed for passing "vfsmount" argument so that
r/o bind mounts shall not fail to check "vfsmount" by reconstructing vfs_*() callers
and marking vfs_*() as "static".

If this vfs-cleanups git tree has no problem regarding "vfsmount" argument,
I think there is no advantage of adding security_path_*() hooks inside the path_*() functions
since everybody calls the vfs_*() functions via path_*() functions.

Passing "vfsmount" to vfs_*() functions is better for AppArmor and TOMOYO and auditing purpose
(we can obtain the absolute pathname compared to the relative pathname from the mount point) than
adding security_path_*(), isn't it?

Are you worrying that there might be a case where the "vfsmount" argument passed to
path_*() functions is invalid or NULL?

Re: [patch 01/15] security: pass path to inode_create

[Miklos Szeredi]

> > 
> > In the inode_create() security operation and related functions pass
> > the path (vfsmount + dentry) to the parent directory instead of the
> > inode.  AppArmor will need this.
> 
> So you're once again switching vfs_ to a pass a vfsmount argument, this
> time hidden under struct path.  It's really hard to grasp a "no"
> sometimes, isn't it? :)

I'm sorry Christoph, but have you considered the remote possibility,
that you and Al are both wrong on this one?  Well, there's one
excercise for you.

If you haven't noticed, I don't take "no" for an answer, until I'm
sufficiently convinced that there's a better way.  In this case I
haven't heard a solution, that is remotely close in cleanliness to
what I've proposed.  And also please note that "not merging apparmor"
is _not_ the answer, however much you would like that to be.  So
please try harder to find an alternative, and then I'll listen.

Miklos

Re: [patch 01/15] security: pass path to inode_create

[Christoph Hellwig]

On Sun, Jun 01, 2008 at 10:52:33PM +0200, Miklos Szeredi wrote:
> If you haven't noticed, I don't take "no" for an answer,

And now please tell us step 2 in your secret plan to win friends and
influence.

Re: [patch 01/15] security: pass path to inode_create

[Miklos Szeredi]

> > If you haven't noticed, I don't take "no" for an answer,
> 
> And now please tell us step 2 in your secret plan to win friends and
> influence.

WTF are you getting at?  You think kernel development is about
boot-licking instead of standing by your technical arguments?  What
have you been smoking lately?

I maintain, that moving lsm hooks into callers is insane.  And that's
*the* sanest alternative that anybody has been able to come up with to
passing down vfsmounts into the vfs.

So again, can you offer an alternative?

I *am* genuinely interested, so any ideas from anybody wanting to help
resolve this issue are welcome.

Thanks,
Miklos

Re: [patch 01/15] security: pass path to inode_create

[Christoph Hellwig]

On Mon, Jun 02, 2008 at 09:02:14AM +0200, Miklos Szeredi wrote:
> > > If you haven't noticed, I don't take "no" for an answer,
> > 
> > And now please tell us step 2 in your secret plan to win friends and
> > influence.
> 
> WTF are you getting at?  You think kernel development is about
> boot-licking instead of standing by your technical arguments?  What
> have you been smoking lately?

No licking required :)  But running against a wall continuously and
pissing off the people working in that area and maintainer is generally
not the smartest idea :)

> So again, can you offer an alternative?

Just give up on this dumb idea completely.

Re: [patch 01/15] security: pass path to inode_create

[Miklos Szeredi]

> > So again, can you offer an alternative?
> 
> Just give up on this dumb idea completely.

You mean apparmor?  I've already told you, that's not the answer.  Go
up 4 mails and read again.

You act like a happy prince of VFS, but let me tell you one thing,
there's only one king in this kingdom of Linux, and that's Linus
Torvalds I.  And our wise king already said that apparmor can come, so
the question is not "if" but "how".

If you don't want to help, that's a pity, but of course I don't want
to (and can't) force you.  I can understand if personally you don't
think this is a good idea, and don't want to have anything to do with
it.  In that case I can leave you off the CC's for the parts which are
not just generic VFS cleanups but explicitly towards apparmor
integration.  Would that suit you?

Thanks,
Miklos

Re: [patch 01/15] security: pass path to inode_create

[Christoph Hellwig]

On Mon, Jun 02, 2008 at 11:32:44AM +0200, Miklos Szeredi wrote:
> You act like a happy prince of VFS, but let me tell you one thing,
> there's only one king in this kingdom of Linux, and that's Linus
> Torvalds I.  And our wise king already said that apparmor can come, so
> the question is not "if" but "how".
> 
> If you don't want to help, that's a pity, but of course I don't want
> to (and can't) force you.  I can understand if personally you don't
> think this is a good idea, and don't want to have anything to do with
> it.  In that case I can leave you off the CC's for the parts which are
> not just generic VFS cleanups but explicitly towards apparmor
> integration.  Would that suit you?

No, and Agenda doesn't make these patches any better.

Re: [patch 01/15] security: pass path to inode_create

[Miklos Szeredi]

> > You act like a happy prince of VFS, but let me tell you one thing,
> > there's only one king in this kingdom of Linux, and that's Linus
> > Torvalds I.  And our wise king already said that apparmor can come, so
> > the question is not "if" but "how".
> > 
> > If you don't want to help, that's a pity, but of course I don't want
> > to (and can't) force you.  I can understand if personally you don't
> > think this is a good idea, and don't want to have anything to do with
> > it.  In that case I can leave you off the CC's for the parts which are
> > not just generic VFS cleanups but explicitly towards apparmor
> > integration.  Would that suit you?
> 
> No, 

So shall I leave you _on_ the CC's then?

> and Agenda doesn't make these patches any better.

Umm, what's wrong with the patches then?  What exactly do they break?
How do they make the kernel bigger and slower?  How do they make the
code less readable?

These patches fix several issues raised at previous submissions:

 - passing NULL vfsmounts
 - using nameidata
 - using extra stack for vfsmount argument

So, it seems to me that there's in fact no issues remaining and the
best excuse you can come up with is that it's a dumb idea.  Well,
that's not a very imressive technical argument IMNSHO.

Miklos

Re: [patch 01/15] security: pass path to inode_create

[Andreas Gruenbacher]

On Monday 02 June 2008 11:13:41 Christoph Hellwig wrote:
> On Mon, Jun 02, 2008 at 09:02:14AM +0200, Miklos Szeredi wrote:
> > So again, can you offer an alternative?
>
> Just give up on this dumb idea completely.

The AppArmor guys have really gone a long way in arguing their case, and all 
discussions so far have ended in you decreeing that pathnames are bad at some 
point. Thanks a lot for your constructive input on other areas of the code, 
but could you please come up with technical arguments why pathnames are 
bad this time?

Thanks a lot!

Andreas

Re: [patch 01/15] security: pass path to inode_create

[Christoph Hellwig]

On Mon, Jun 02, 2008 at 11:52:52AM +0200, Miklos Szeredi wrote:
> These patches fix several issues raised at previous submissions:
> 
>  - passing NULL vfsmounts
>  - using nameidata
>  - using extra stack for vfsmount argument
> 
> So, it seems to me that there's in fact no issues remaining and the
> best excuse you can come up with is that it's a dumb idea.  Well,
> that's not a very imressive technical argument IMNSHO.

Well, pathname based access control is a dumb idea, and we've been
through this N times.  You've also been told that vfs_ routines should
remain without vfsmount, and no that's not a stack-related issue no idea
where that part came from.

Re: [patch 01/15] security: pass path to inode_create

[Miklos Szeredi]

> > These patches fix several issues raised at previous submissions:
> > 
> >  - passing NULL vfsmounts
> >  - using nameidata
> >  - using extra stack for vfsmount argument
> > 
> > So, it seems to me that there's in fact no issues remaining and the
> > best excuse you can come up with is that it's a dumb idea.  Well,
> > that's not a very imressive technical argument IMNSHO.
> 
> Well, pathname based access control is a dumb idea, and we've been
> through this N times.

You think it's a dumb idea.  Several major distros, which ship the
code, *despite* being out-of-tree, don't.

> You've also been told that vfs_ routines should
> remain without vfsmount,

Oh, I've been told.  But valid technical reason given?  No.

Such hand waving won't help your cause at all.  It's time for you to
actually look at the patches and stat technical reasons why they are
wrong, or let them be included.  Is it so hard to understand that the
decision to include apparmor is not in your hands?

You can argue against the concept of apparmor itself, but you better
argue with Crispin, because I'm quite clueless about that part.  When
you've convinced him (and Linus (and Ubuntu, and SUSE, and Mandriva))
that apparmor is a stupid idea, then I'll give up.  Good luck with
that!

Miklos

Re: [patch 01/15] security: pass path to inode_create

[Pekka Enberg]

On Mon, Jun 2, 2008 at 1:55 PM, Miklos Szeredi <miklos@szeredi.hu> wrote:
> You can argue against the concept of apparmor itself, but you better
> argue with Crispin, because I'm quite clueless about that part.  When
> you've convinced him (and Linus (and Ubuntu, and SUSE, and Mandriva))
> that apparmor is a stupid idea, then I'll give up.  Good luck with
> that!

But then I guess you can just by-pass the VFS maintainers and send
your patches directly to Andrew/Linus. Good luck with that! :-)

Re: [patch 01/15] security: pass path to inode_create

[Miklos Szeredi]

> > You can argue against the concept of apparmor itself, but you better
> > argue with Crispin, because I'm quite clueless about that part.  When
> > you've convinced him (and Linus (and Ubuntu, and SUSE, and Mandriva))
> > that apparmor is a stupid idea, then I'll give up.  Good luck with
> > that!
> 
> But then I guess you can just by-pass the VFS maintainers and send
> your patches directly to Andrew/Linus. Good luck with that! :-)

You know what?  I do think I'd stand a better chance, than Christoph
convincing Crispin :)

But no, that's not what I want to do.  I do think that the VFS
maintainers are intelligent poeple, who can be convinced that fighting
against apparmor is not going to help anyone, and get back to the
technical issues of "how".

Miklos

Re: [patch 01/15] security: pass path to inode_create

[Matthew Wilcox]

On Mon, Jun 02, 2008 at 09:02:14AM +0200, Miklos Szeredi wrote:
> I maintain, that moving lsm hooks into callers is insane.  And that's
> *the* sanest alternative that anybody has been able to come up with to
> passing down vfsmounts into the vfs.

Not so.  I showed how pathname-based security could be done *without*
passing vfsmounts down at all.  Unfortunately, you weren't interested.

-- 
Intel are signing my paycheques ... these opinions are still mine
"Bill, look, we understand that you're interested in selling us this
operating system, but compare it to ours.  We can't possibly take such
a retrograde step."

Re: [patch 01/15] security: pass path to inode_create

[Miklos Szeredi]

> > I maintain, that moving lsm hooks into callers is insane.  And that's
> > *the* sanest alternative that anybody has been able to come up with to
> > passing down vfsmounts into the vfs.
> 
> Not so.  I showed how pathname-based security could be done *without*
> passing vfsmounts down at all.  Unfortunately, you weren't interested.

Umm, not sure what you are referring to.  Could you please give a
pointer?  I'm sure the apparmor developers would be more than
interested in such a scheme, if it does indeed work.

Thanks,
Miklos

Re: [patch 01/15] security: pass path to inode_create

[Miklos Szeredi]

> > > I maintain, that moving lsm hooks into callers is insane.  And that's
> > > *the* sanest alternative that anybody has been able to come up with to
> > > passing down vfsmounts into the vfs.
> > 
> > Not so.  I showed how pathname-based security could be done *without*
> > passing vfsmounts down at all.  Unfortunately, you weren't interested.
> 
> Umm, not sure what you are referring to.  Could you please give a
> pointer?  I'm sure the apparmor developers would be more than
> interested in such a scheme, if it does indeed work.

Found it:

   http://lkml.org/lkml/2008/4/9/98

I did not take part in that discussion and could not have been able to
contribute anyway.  From a cursory read of the thread, the idea was
good, but not entirely applicable to apparmor.  Or did I miss
something?

Thanks,
Miklos

Re: [patch 01/15] security: pass path to inode_create

[Matthew Wilcox]

On Mon, Jun 02, 2008 at 01:52:21PM +0200, Miklos Szeredi wrote:
> Found it:
> 
>    http://lkml.org/lkml/2008/4/9/98
> 
> I did not take part in that discussion and could not have been able to
> contribute anyway.  From a cursory read of the thread, the idea was
> good, but not entirely applicable to apparmor.  Or did I miss
> something?

Sorry, I thought you were on the CC for that.

The conversation was somewhat unclear, at least in part because I'd
misunderstood the apparmour deny vs allow logic.  It was also extremely
unhelpful when certain people decided to have a debate about path-name
based security.  So let me try again.

The point is to resolve pathnames into dev_t + inode in the
context where the rule is set up.  Then you can implement (say)
security_inode_permission() without needing to pass in a vfsmount -- all
you need are the inode->i_ino and inode->i_sb->s_dev to do a comparison.

Yes, if someone mounts /etc onto /etc2/ and has a rule to allow them to
access /etc/shadow, they will then be able to access /etc2/shadow as
well (which they weren't able to under previous apparmour).  But I can't
think of a way that permits Something Bad to happen (since the contents
of the file could have been accessed through /etc/shadow *anyway*).

-- 
Intel are signing my paycheques ... these opinions are still mine
"Bill, look, we understand that you're interested in selling us this
operating system, but compare it to ours.  We can't possibly take such
a retrograde step."

Re: [patch 01/15] security: pass path to inode_create

[Andreas Gruenbacher]

On Monday 02 June 2008 14:32:46 Matthew Wilcox wrote:
> The point is to resolve pathnames into dev_t + inode in the
> context where the rule is set up.  Then you can implement (say)
> security_inode_permission() without needing to pass in a vfsmount -- all
> you need are the inode->i_ino and inode->i_sb->s_dev to do a comparison.

Without the vfsmount, when something is mounted in more than once place, you 
cannot report which of the name aliases a process is accessing. This is 
unacceptable; the logs would become unusable. With pathname-based, the 
AppArmor and TOMOYO folks really mean pathname-based, not a hybrid pathname / 
mount point model.

> Yes, if someone mounts /etc onto /etc2/ and has a rule to allow them to
> access /etc/shadow, they will then be able to access /etc2/shadow as
> well (which they weren't able to under previous apparmour).  But I can't
> think of a way that permits Something Bad to happen (since the contents
> of the file could have been accessed through /etc/shadow *anyway*).

Yes, when a security policy specifies different permissions for the same 
object on different paths, processes are of course limited to the least 
restrictive of those paths.

One consequence of this is that pathname-based models must control who is 
allowed to create aliases where, of course.

Andreas

Re: [patch 01/15] security: pass path to inode_create

[Matthew Wilcox]

On Mon, Jun 02, 2008 at 02:45:10PM +0200, Andreas Gruenbacher wrote:
> Without the vfsmount, when something is mounted in more than once place, you 
> cannot report which of the name aliases a process is accessing. This is 
> unacceptable; the logs would become unusable. With pathname-based, the 
> AppArmor and TOMOYO folks really mean pathname-based, not a hybrid pathname / 
> mount point model.

audit_getname manages to do this.  You're just not thinking hard enough ;-)

> One consequence of this is that pathname-based models must control who is 
> allowed to create aliases where, of course.

Absolutely.

-- 
Intel are signing my paycheques ... these opinions are still mine
"Bill, look, we understand that you're interested in selling us this
operating system, but compare it to ours.  We can't possibly take such
a retrograde step."

Re: [patch 01/15] security: pass path to inode_create

[Andreas Gruenbacher]

On Monday 02 June 2008 14:49:06 Matthew Wilcox wrote:
> On Mon, Jun 02, 2008 at 02:45:10PM +0200, Andreas Gruenbacher wrote:
> > Without the vfsmount, when something is mounted in more than once place,
> > you cannot report which of the name aliases a process is accessing. This
> > is unacceptable; the logs would become unusable. With pathname-based, the
> > AppArmor and TOMOYO folks really mean pathname-based, not a hybrid
> > pathname / mount point model.
>
> audit_getname manages to do this.

You would assume, but no: audit_getname() grabs a reference to the pwd and the 
absolute or relative pathname. The vfs resolves this to a dentry, but there 
is no guarantee that the audit system will end up with the same pathname for 
reporting: the namespace may have changed arbitrarily in the meantime.

(I find it rather interesting that this is consistent enough for audit; in my 
opinion it isn't.)

On the other hand, AppArmor computes the path it uses for checking from the 
dentry/vfsmount atomically with respect to namespace changes, and so the path 
used for checking and reporting is always consistent (and it is guaranteed 
that the object has been reachable via this path at the time the path has 
been generated).

Andreas

Re: [patch 01/15] security: pass path to inode_create

[Evgeniy Polyakov]

Hi.

On Mon, Jun 02, 2008 at 12:55:33PM +0200, Miklos Szeredi (miklos@szeredi.hu) wrote:
> Oh, I've been told.  But valid technical reason given?  No.

This is a really interesting flame, can you proceed,
we will run for cola and peanuts :)

For the technical reason: in case of stackable/bind, which path should
be checked? Whatever answer is, there will always be another party,
which wants different behaviour.

-- 
	Evgeniy Polyakov

Re: [patch 01/15] security: pass path to inode_create

[Toshiharu Harada]

2008/6/3 Evgeniy Polyakov <johnpol@2ka.mipt.ru>:
> On Mon, Jun 02, 2008 at 12:55:33PM +0200, Miklos Szeredi (miklos@szeredi.hu) wrote:
>> Oh, I've been told.  But valid technical reason given?  No.
>
> This is a really interesting flame, can you proceed,
> we will run for cola and peanuts :)

Let me quote a message by Chris Wright from LSM ml:
"You cannot discover the path used to access an inode without knowing
both the dentry and the vfsmount objects. "

Another one by Stephen Smalley:
"Pathname-based security considered harmful.  You want to control access
to an object, not a name, and the name-to-object mapping is neither
one-to-one nor immutable."

Can you guess when they were posted?
The answer is December 2003. :)
Do we need more time? I don't think so.

I'm viewing Miklos' patches as *enhancements* not only for AppArmor (and
other pathname-based LSM modules). Everyone can make use of
information and lose nothing.  Am I too simple minded?

> For the technical reason: in case of stackable/bind, which path should
> be checked? Whatever answer is, there will always be another party,
> which wants different behaviour.

-- 
Toshiharu Harada
haradats@gmail.com

Re: [patch 01/15] security: pass path to inode_create

[Evgeniy Polyakov]

On Tue, Jun 03, 2008 at 12:31:14AM +0900, Toshiharu Harada (haradats@gmail.com) wrote:
> > This is a really interesting flame, can you proceed,
> > we will run for cola and peanuts :)
> 
> Let me quote a message by Chris Wright from LSM ml:
> "You cannot discover the path used to access an inode without knowing
> both the dentry and the vfsmount objects. "

Depending on what path you really want. If you want it related to bind
mount, you can (trivially). And even full path with vfsmount with
additional work.

Without any single additional patch on top of security system.

It maybe a bit slower, more complex, duplicate, whatever...
Active security was never a fast solution and was never a compromiss
between those who like it and who do not.

Technically you can be inside created limits and formally do not change
security model, but in practice implement you lovely path based security
checks.

> Another one by Stephen Smalley:
> "Pathname-based security considered harmful.  You want to control access
> to an object, not a name, and the name-to-object mapping is neither
> one-to-one nor immutable."

For those who care exactly about path, they do not want to have security
checks for object, which was there. As addition, selinux
maintainer/architector opinion is a bit biassed :)

> Can you guess when they were posted?
> The answer is December 2003. :)
> Do we need more time? I don't think so.

Apparently we do :)

> I'm viewing Miklos' patches as *enhancements* not only for AppArmor (and
> other pathname-based LSM modules). Everyone can make use of
> information and lose nothing.  Am I too simple minded?

What I wanted to say, is that people who do want to implement theirs
idea, will find a way to do it without breaking other approach.
With additional changes, with more complex approach, more code and
possibly some duplication/optimization/whatever.

So, if people continue to kick theirs head to the wall, they want
exactly that flame, that void talks and so on :)

-- 
	Evgeniy Polyakov

Re: [patch 01/15] security: pass path to inode_create

[Toshiharu Harada]

2008/6/3 Evgeniy Polyakov <johnpol@2ka.mipt.ru>:
> On Tue, Jun 03, 2008 at 12:31:14AM +0900, Toshiharu Harada (haradats@gmail.com) wrote:
>> > This is a really interesting flame, can you proceed,
>> > we will run for cola and peanuts :)
>>
>> Let me quote a message by Chris Wright from LSM ml:
>> "You cannot discover the path used to access an inode without knowing
>> both the dentry and the vfsmount objects. "
>
> Depending on what path you really want. If you want it related to bind
> mount, you can (trivially). And even full path with vfsmount with
> additional work.
>
> Without any single additional patch on top of security system.
>
> It maybe a bit slower, more complex, duplicate, whatever...
> Active security was never a fast solution and was never a compromiss
> between those who like it and who do not.
>
> Technically you can be inside created limits and formally do not change
> security model, but in practice implement you lovely path based security
> checks.
>
>> Another one by Stephen Smalley:
>> "Pathname-based security considered harmful.  You want to control access
>> to an object, not a name, and the name-to-object mapping is neither
>> one-to-one nor immutable."
>
> For those who care exactly about path, they do not want to have security
> checks for object, which was there. As addition, selinux
> maintainer/architector opinion is a bit biassed :)

This is a very important point.

The world of Linux consists of the two pieces, userland and kernel.
Objects have names and inodes. Information flow control need to be
handled using inodes (labels), but pathnames need to be
controlled because objects are represented by names in userland.
Both pieces work together. Vfsmount is a missing piece.

AppArmor and TOMOYO Linux are not claiming they are better MAC for Linux.
(that's how I understood Stephen's words. I am agreed)
So people don't have to eliminate pathname-based MACs.

>> Can you guess when they were posted?
>> The answer is December 2003. :)
>> Do we need more time? I don't think so.
>
> Apparently we do :)
Okay, I'll go and get my coke. ;)

>> I'm viewing Miklos' patches as *enhancements* not only for AppArmor (and
>> other pathname-based LSM modules). Everyone can make use of
>> information and lose nothing.  Am I too simple minded?
>
> What I wanted to say, is that people who do want to implement theirs
> idea, will find a way to do it without breaking other approach.
> With additional changes, with more complex approach, more code and
> possibly some duplication/optimization/whatever.
100% agreed.

> So, if people continue to kick theirs head to the wall, they want
> exactly that flame, that void talks and so on :)

-- 
Toshiharu Harada
haradats@gmail.com

Re: [patch 01/15] security: pass path to inode_create

[Evgeniy Polyakov]

On Tue, Jun 03, 2008 at 01:29:33AM +0900, Toshiharu Harada (haradats@gmail.com) wrote:
> > For those who care exactly about path, they do not want to have security
> > checks for object, which was there. As addition, selinux
> > maintainer/architector opinion is a bit biassed :)
> 
> This is a very important point.
> 
> The world of Linux consists of the two pieces, userland and kernel.
> Objects have names and inodes. Information flow control need to be
> handled using inodes (labels), but pathnames need to be
> controlled because objects are represented by names in userland.
> Both pieces work together. Vfsmount is a missing piece.
> 
> AppArmor and TOMOYO Linux are not claiming they are better MAC for Linux.
> (that's how I understood Stephen's words. I am agreed)
> So people don't have to eliminate pathname-based MACs.

They can, if really want, to get vfsmount.

A hint: there is security_sb_check_sb() and security_sb_post_addmount().
Store that vsmount in private cache, search the very root dentry for any inode
inside that cache of vfsmounts and get a pointer. Looks a bit ugly
though, and slower (really a bit), but it can solve a problem.
It is also possible to implement own path cache isntead of using dentry
cache, since apparently dentry is not needed neither to apparmor nor to
tomoyo, but path info (in own format). And that will be even better
solution, since it will be exactly what selinux does with its data. 
Only to different objects. This will complicate move/rename and other
pathname manipulation. There are of course underwater rocks, but they
can be worked out with existing inode-biased approach.

-- 
	Evgeniy Polyakov

Re: [patch 01/15] security: pass path to inode_create

[Serge E. Hallyn]

Quoting Christoph Hellwig (hch@infradead.org):
> On Mon, Jun 02, 2008 at 11:52:52AM +0200, Miklos Szeredi wrote:
> > These patches fix several issues raised at previous submissions:
> > 
> >  - passing NULL vfsmounts
> >  - using nameidata
> >  - using extra stack for vfsmount argument
> > 
> > So, it seems to me that there's in fact no issues remaining and the
> > best excuse you can come up with is that it's a dumb idea.  Well,
> > that's not a very imressive technical argument IMNSHO.
> 
> Well, pathname based access control is a dumb idea, and we've been
> through this N times.  You've also been told that vfs_ routines should
> remain without vfsmount, and no that's not a stack-related issue no idea
> where that part came from.

Sorry, noone else asked, so just out of curiosity - the *actual* reason
is api layering?  Or am I missing another reason?

thanks,
-serge

Re: [patch 01/15] security: pass path to inode_create

[Toshiharu Harada]

2008/6/3 Evgeniy Polyakov <johnpol@2ka.mipt.ru>:
> On Tue, Jun 03, 2008 at 01:29:33AM +0900, Toshiharu Harada (haradats@gmail.com) wrote:
>> > For those who care exactly about path, they do not want to have security
>> > checks for object, which was there. As addition, selinux
>> > maintainer/architector opinion is a bit biassed :)
>>
>> This is a very important point.
>>
>> The world of Linux consists of the two pieces, userland and kernel.
>> Objects have names and inodes. Information flow control need to be
>> handled using inodes (labels), but pathnames need to be
>> controlled because objects are represented by names in userland.
>> Both pieces work together. Vfsmount is a missing piece.
>>
>> AppArmor and TOMOYO Linux are not claiming they are better MAC for Linux.
>> (that's how I understood Stephen's words. I am agreed)
>> So people don't have to eliminate pathname-based MACs.
>
> They can, if really want, to get vfsmount.
>
> A hint: there is security_sb_check_sb() and security_sb_post_addmount().
> Store that vsmount in private cache, search the very root dentry for any inode
> inside that cache of vfsmounts and get a pointer. Looks a bit ugly
> though, and slower (really a bit), but it can solve a problem.
> It is also possible to implement own path cache isntead of using dentry
> cache, since apparently dentry is not needed neither to apparmor nor to
> tomoyo, but path info (in own format). And that will be even better
> solution, since it will be exactly what selinux does with its data.
> Only to different objects. This will complicate move/rename and other
> pathname manipulation. There are of course underwater rocks, but they
> can be worked out with existing inode-biased approach.
>
> --
>        Evgeniy Polyakov

Actually, another option has been suggested last month.
http://lkml.org/lkml/2008/4/9/93

Miklos' patches seem to me well suited after vfs cleanup jobs, but...

-- 
Toshiharu Harada
haradats@gmail.com

Re: [patch 01/15] security: pass path to inode_create

[Miklos Szeredi]

> Actually, another option has been suggested last month.
> http://lkml.org/lkml/2008/4/9/93

Yes, thanks for the link.

Here's the relevant quote from that mail from Stephen Smalley:

 "2) Submit patches to add new security hooks to the callers where the
  vfsmount is already available (some have suggested moving the
  existing security_inode hooks to the callers, but that would cause
  problems for SELinux as I've posted elsewhere, so adding new hooks
  is preferable, and then SELinux can just default to the dummy
  functions for those new hooks)."

True, this is an alternative, but from the VFS point of view it's
actually _worse_ than moving the hooks out, since we now have two sets
of security hooks littering the code for no good reason.

If Matthew Wilcox's idea can be made to work, that's obviously the
best, since it means that the VFS doesn't need to be touched at all.

Otherwise passing down vfsmounts is a superior solution to everything
else.  It has *absolutely* *no* downsides.  None, zero, zilch.

Well apart from the matter of VFS maintainers opinions.  But damit,
this is an open source project, where decisions are made on technical
merit, and not on personal whims.

If the VFS maintainers don't like it, they better state their reasons
in clear and concise terms.  An no, things like "someone might perhaps
maybe in the future need to call the vfs without a vfsmount" is
absolutely not a good reason.  When we have such a caller, we'll fix
the code.  It happens all the time.  Prepering for everything that
might happen is called overdesign and it's one of the worst and
commonest mistakes in software engineering.

Miklos

Re: [patch 01/15] security: pass path to inode_create

[Stephen Smalley]

On Thu, 2008-05-29 at 15:49 +0200, Miklos Szeredi wrote:
> plain text document attachment (security_create_path.patch)
> From: Miklos Szeredi <mszeredi@suse.cz>
> 
> In the inode_create() security operation and related functions pass
> the path (vfsmount + dentry) to the parent directory instead of the
> inode.  AppArmor will need this.
> 
> Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
> ---
>  fs/namei.c               |   12 ++++++------
>  include/linux/security.h |    9 ++++-----
>  security/dummy.c         |    4 ++--
>  security/security.c      |    4 ++--
>  security/selinux/hooks.c |    5 +++--
>  5 files changed, 17 insertions(+), 17 deletions(-)
> 
> Index: linux-2.6/fs/namei.c
> ===================================================================
> --- linux-2.6.orig/fs/namei.c	2008-05-29 12:20:49.000000000 +0200
> +++ linux-2.6/fs/namei.c	2008-05-29 12:20:51.000000000 +0200
> @@ -1586,11 +1586,11 @@ void unlock_rename(struct dentry *p1, st
>  	}
>  }
>  
> -static int vfs_create(struct dentry *dir_dentry, struct dentry *dentry,
> +static int vfs_create(struct path *dir_path, struct dentry *dentry,
>  		      int mode,	struct nameidata *nd)
>  {
> -	struct inode *dir = dir_dentry->d_inode;
> -	int error = may_create(dir_dentry, dentry);
> +	struct inode *dir = dir_path->dentry->d_inode;
> +	int error = may_create(dir_path->dentry, dentry);
>  
>  	if (error)
>  		return error;
> @@ -1599,7 +1599,7 @@ static int vfs_create(struct dentry *dir
>  		return -EACCES;	/* shouldn't it be ENOSYS? */
>  	mode &= S_IALLUGO;
>  	mode |= S_IFREG;
> -	error = security_inode_create(dir, dentry, mode);
> +	error = security_inode_create(dir_path, dentry, mode);
>  	if (error)
>  		return error;
>  	DQUOT_INIT(dir);
> @@ -1615,7 +1615,7 @@ int path_create(struct path *dir_path, s
>  	int error = mnt_want_write(dir_path->mnt);
>  
>  	if (!error) {
> -		error = vfs_create(dir_path->dentry, dentry, mode, nd);
> +		error = vfs_create(dir_path, dentry, mode, nd);
>  		mnt_drop_write(dir_path->mnt);
>  	}
>  
> @@ -1718,7 +1718,7 @@ static int __open_namei_create(struct na
>  
>  	if (!IS_POSIXACL(dir->d_inode))
>  		mode &= ~current->fs->umask;
> -	error = vfs_create(dir, path->dentry, mode, nd);
> +	error = vfs_create(&nd->path, path->dentry, mode, nd);
>  	mutex_unlock(&dir->d_inode->i_mutex);
>  	dput(nd->path.dentry);
>  	nd->path.dentry = path->dentry;
> Index: linux-2.6/include/linux/security.h
> ===================================================================
> --- linux-2.6.orig/include/linux/security.h	2008-05-29 12:20:48.000000000 +0200
> +++ linux-2.6/include/linux/security.h	2008-05-29 12:20:51.000000000 +0200
> @@ -339,7 +339,7 @@ static inline void security_free_mnt_opt
>   *		-ENOMEM on memory allocation failure.
>   * @inode_create:
>   *	Check permission to create a regular file.
> - *	@dir contains inode structure of the parent of the new file.
> + *	@dir contains the path to the parent of the new file.
>   *	@dentry contains the dentry structure for the file to be created.
>   *	@mode contains the file mode of the file to be created.
>   *	Return 0 if permission is granted.
> @@ -1353,8 +1353,7 @@ struct security_operations {
>  	void (*inode_free_security) (struct inode *inode);
>  	int (*inode_init_security) (struct inode *inode, struct inode *dir,
>  				    char **name, void **value, size_t *len);
> -	int (*inode_create) (struct inode *dir,
> -			     struct dentry *dentry, int mode);
> +	int (*inode_create) (struct path *dir, struct dentry *dentry, int mode);
>  	int (*inode_link) (struct dentry *old_dentry,
>  			   struct inode *dir, struct dentry *new_dentry);
>  	int (*inode_unlink) (struct inode *dir, struct dentry *dentry);
> @@ -1626,7 +1625,7 @@ int security_inode_alloc(struct inode *i
>  void security_inode_free(struct inode *inode);
>  int security_inode_init_security(struct inode *inode, struct inode *dir,
>  				  char **name, void **value, size_t *len);
> -int security_inode_create(struct inode *dir, struct dentry *dentry, int mode);
> +int security_inode_create(struct path *dir, struct dentry *dentry, int mode);
>  int security_inode_link(struct dentry *old_dentry, struct inode *dir,
>  			 struct dentry *new_dentry);
>  int security_inode_unlink(struct inode *dir, struct dentry *dentry);
> @@ -1964,7 +1963,7 @@ static inline int security_inode_init_se
>  	return -EOPNOTSUPP;
>  }
>  
> -static inline int security_inode_create(struct inode *dir,
> +static inline int security_inode_create(struct path *dir,
>  					 struct dentry *dentry,
>  					 int mode)
>  {
> Index: linux-2.6/security/dummy.c
> ===================================================================
> --- linux-2.6.orig/security/dummy.c	2008-05-29 12:20:48.000000000 +0200
> +++ linux-2.6/security/dummy.c	2008-05-29 12:20:51.000000000 +0200
> @@ -286,8 +286,8 @@ static int dummy_inode_init_security (st
>  	return -EOPNOTSUPP;
>  }
>  
> -static int dummy_inode_create (struct inode *inode, struct dentry *dentry,
> -			       int mask)
> +static int dummy_inode_create(struct path *dir, struct dentry *dentry,
> +			      int mask)
>  {
>  	return 0;
>  }
> Index: linux-2.6/security/selinux/hooks.c
> ===================================================================
> --- linux-2.6.orig/security/selinux/hooks.c	2008-05-29 12:20:48.000000000 +0200
> +++ linux-2.6/security/selinux/hooks.c	2008-05-29 12:20:51.000000000 +0200
> @@ -2482,9 +2482,10 @@ static int selinux_inode_init_security(s
>  	return 0;
>  }
>  
> -static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
> +static int selinux_inode_create(struct path *dir, struct dentry *dentry,
> +				int mask)
>  {
> -	return may_create(dir, dentry, SECCLASS_FILE);
> +	return may_create(dir->dentry->d_inode, dentry, SECCLASS_FILE);
>  }
>  
>  static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)

This may be moot given the vfs maintainers' objections, but if you were
to make this change, then logically you'd push the struct path all the
way down and set it in the avc_audit_data so that it could be used by
avc_audit() for emitting a pathname in the audit record.  Likewise for
the other hook changes.

-- 
Stephen Smalley
National Security Agency

Re: [patch 01/15] security: pass path to inode_create

[Tetsuo Handa]

Stephen Smalley wrote:
> This may be moot given the vfs maintainers' objections, but if you were
> to make this change, then logically you'd push the struct path all the
> way down and set it in the avc_audit_data so that it could be used by
> avc_audit() for emitting a pathname in the audit record.  Likewise for
> the other hook changes.

Yes. That's one of improvements made possible by Miklos's patches.

----------
Subject: SELINUX: Set vfsmount field for audit logs.

By applying Miklos's patches which pass "struct vfsmount" to LSM
(posted at http://lkml.org/lkml/2008/5/29/207 ),
SELinux's audit logs can generate absolute pathnames for more operations.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
---
 security/selinux/hooks.c |   35 ++++++++++++++++++++++-------------
 1 file changed, 22 insertions(+), 13 deletions(-)

--- vfs.orig/security/selinux/hooks.c
+++ vfs/security/selinux/hooks.c
@@ -1427,10 +1427,11 @@ static int file_has_perm(struct task_str
 }
 
 /* Check whether a task can create a file. */
-static int may_create(struct inode *dir,
+static int may_create(struct path *dir_path,
 		      struct dentry *dentry,
 		      u16 tclass)
 {
+	struct inode *dir = dir_path->dentry->d_inode;
 	struct task_security_struct *tsec;
 	struct inode_security_struct *dsec;
 	struct superblock_security_struct *sbsec;
@@ -1443,6 +1444,7 @@ static int may_create(struct inode *dir,
 	sbsec = dir->i_sb->s_security;
 
 	AVC_AUDIT_DATA_INIT(&ad, FS);
+	ad.u.fs.path.mnt = dir_path->mnt;
 	ad.u.fs.path.dentry = dentry;
 
 	rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
@@ -1485,11 +1487,12 @@ static int may_create_key(u32 ksid,
 #define MAY_RMDIR	2
 
 /* Check whether a task can link, unlink, or rmdir a file/directory. */
-static int may_link(struct inode *dir,
+static int may_link(struct path *dir_path,
 		    struct dentry *dentry,
 		    int kind)
 
 {
+	struct inode *dir = dir_path->dentry->d_inode;
 	struct task_security_struct *tsec;
 	struct inode_security_struct *dsec, *isec;
 	struct avc_audit_data ad;
@@ -1501,6 +1504,7 @@ static int may_link(struct inode *dir,
 	isec = dentry->d_inode->i_security;
 
 	AVC_AUDIT_DATA_INIT(&ad, FS);
+	ad.u.fs.path.mnt = dir_path->mnt;
 	ad.u.fs.path.dentry = dentry;
 
 	av = DIR__SEARCH;
@@ -1529,11 +1533,13 @@ static int may_link(struct inode *dir,
 	return rc;
 }
 
-static inline int may_rename(struct inode *old_dir,
+static inline int may_rename(struct path *old_dir_path,
 			     struct dentry *old_dentry,
-			     struct inode *new_dir,
+			     struct path *new_dir_path,
 			     struct dentry *new_dentry)
 {
+	struct inode *old_dir = old_dir_path->dentry->d_inode;
+	struct inode *new_dir = new_dir_path->dentry->d_inode;
 	struct task_security_struct *tsec;
 	struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
 	struct avc_audit_data ad;
@@ -1549,6 +1555,7 @@ static inline int may_rename(struct inod
 
 	AVC_AUDIT_DATA_INIT(&ad, FS);
 
+	ad.u.fs.path.mnt = old_dir_path->mnt;
 	ad.u.fs.path.dentry = old_dentry;
 	rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
 			  DIR__REMOVE_NAME | DIR__SEARCH, &ad);
@@ -1565,6 +1572,7 @@ static inline int may_rename(struct inod
 			return rc;
 	}
 
+	ad.u.fs.path.mnt = new_dir_path->mnt;
 	ad.u.fs.path.dentry = new_dentry;
 	av = DIR__ADD_NAME | DIR__SEARCH;
 	if (new_dentry->d_inode)
@@ -2485,7 +2493,7 @@ static int selinux_inode_init_security(s
 static int selinux_inode_create(struct path *dir, struct dentry *dentry,
 				int mask)
 {
-	return may_create(dir->dentry->d_inode, dentry, SECCLASS_FILE);
+	return may_create(dir, dentry, SECCLASS_FILE);
 }
 
 static int selinux_inode_link(struct dentry *old_dentry, struct path *dir,
@@ -2496,7 +2504,7 @@ static int selinux_inode_link(struct den
 	rc = secondary_ops->inode_link(old_dentry, dir, new_dentry);
 	if (rc)
 		return rc;
-	return may_link(dir->dentry->d_inode, old_dentry, MAY_LINK);
+	return may_link(dir, old_dentry, MAY_LINK);
 }
 
 static int selinux_inode_unlink(struct path *dir, struct dentry *dentry)
@@ -2506,24 +2514,24 @@ static int selinux_inode_unlink(struct p
 	rc = secondary_ops->inode_unlink(dir, dentry);
 	if (rc)
 		return rc;
-	return may_link(dir->dentry->d_inode, dentry, MAY_UNLINK);
+	return may_link(dir, dentry, MAY_UNLINK);
 }
 
 static int selinux_inode_symlink(struct path *dir, struct dentry *dentry,
 				 const char *name)
 {
-	return may_create(dir->dentry->d_inode, dentry, SECCLASS_LNK_FILE);
+	return may_create(dir, dentry, SECCLASS_LNK_FILE);
 }
 
 static int selinux_inode_mkdir(struct path *dir, struct dentry *dentry,
 			       int mask)
 {
-	return may_create(dir->dentry->d_inode, dentry, SECCLASS_DIR);
+	return may_create(dir, dentry, SECCLASS_DIR);
 }
 
 static int selinux_inode_rmdir(struct path *dir, struct dentry *dentry)
 {
-	return may_link(dir->dentry->d_inode, dentry, MAY_RMDIR);
+	return may_link(dir, dentry, MAY_RMDIR);
 }
 
 static int selinux_inode_mknod(struct path *dir, struct dentry *dentry,
@@ -2535,15 +2543,15 @@ static int selinux_inode_mknod(struct pa
 	if (rc)
 		return rc;
 
-	return may_create(dir->dentry->d_inode, dentry,
+	return may_create(dir, dentry,
 			  inode_mode_to_security_class(mode));
 }
 
 static int selinux_inode_rename(struct path *old_dir, struct dentry *old_dentry,
 				struct path *new_dir, struct dentry *new_dentry)
 {
-	return may_rename(old_dir->dentry->d_inode, old_dentry,
-			  new_dir->dentry->d_inode, new_dentry);
+	return may_rename(old_dir, old_dentry,
+			  new_dir, new_dentry);
 }
 
 static int selinux_inode_readlink(struct dentry *dentry)
@@ -2658,6 +2666,7 @@ static int selinux_inode_setxattr(struct
 		return -EPERM;
 
 	AVC_AUDIT_DATA_INIT(&ad, FS);
+	ad.u.fs.path.mnt = path->mnt;
 	ad.u.fs.path.dentry = dentry;
 
 	rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,

Re: [patch 01/15] security: pass path to inode_create

[Tetsuo Handa]

Quoting Christoph wrote:
> Well, pathname based access control is a dumb idea, and we've been
> through this N times.
I have a question for you.

Matthew Wilcox wrote:
> Yes, if someone mounts /etc onto /etc2/ and has a rule to allow them to
> access /etc/shadow, they will then be able to access /etc2/shadow as
> well (which they weren't able to under previous apparmour).  But I can't
> think of a way that permits Something Bad to happen (since the contents
> of the file could have been accessed through /etc/shadow *anyway*).
No. Something Bad happens even if you use object based access controls.

Andreas Gruenbacher wrote:
> One consequence of this is that pathname-based models must control who is
> allowed to create aliases where, of course.
The object based access controls *also* have to care about pathnames,
or Something Bad happens.

Have you ever thought that the pathname plays some part of security?
Please read part 3 and part 4 of http://lkml.org/lkml/2008/4/12/63 if
you have never thought that.
"Applications depend on pathnames, not on inode's number or labels.
 Thinking little of pathnames leads to serious result."

Why do you think it is a bad thing to implement an access control that
restricts pathnames?