mask off MAX_EXEC checks for directories in inode_permission

2025-03-04 08:24:42 +01:00 · 2007-05-03 02:26:14 +00:00 · 2007-05-03 02:26:14 +00:00 · b7308dda2a
commit b7308dda2a
parent 1bd96a3266
1 changed files with 22 additions and 0 deletions
--- a/kernel-patches/for-mainline/fix_leaf.diff
+++ b/kernel-patches/for-mainline/fix_leaf.diff
@ -0,0 +1,22 @@
+---
+ security/apparmor/lsm.c |    8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
+@@ -380,10 +380,12 @@ static int apparmor_inode_permission(str
+ 
+ 	if (!nd || nd->flags & (LOOKUP_PARENT | LOOKUP_CONTINUE))
+ 		return 0;
+-	if (S_ISDIR(inode->i_mode))
+-		check |= AA_CHECK_DIR;
+ 	mask &= (MAY_READ | MAY_WRITE | MAY_EXEC);
+-
+	if (S_ISDIR(inode->i_mode)) {
+		check |= AA_CHECK_DIR;
+		/* allow traverse accesses to directories */
+		mask &= ~MAY_EXEC;
+	}
+ 	return aa_permission(inode, nd->dentry, nd->mnt, mask, check);
+ }
+