From: Jeff Mahoney <jeffm@suse.com>
Subject: [PATCH] apparmor: convert apparmor_inode_permission to path
patches.apparmor/add-security_path_permission added the ->path_permission
call. This patch converts apparmor_inode_permission to
apparmor_path_permission. The former is now a pass-all, which is how
it behaved in 2.6.26 if a NULL nameidata was passed.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
---
security/apparmor/lsm.c | 41 +++++++++++++++++++++++++++--------------
1 file changed, 27 insertions(+), 14 deletions(-)
--- a/security/apparmor/lsm.c
|
|
+++ b/security/apparmor/lsm.c
|
|
@@ -448,21 +448,9 @@ out:
|
|
return error;
|
|
}
|
|
|
|
-static int apparmor_inode_permission(struct inode *inode, int mask,
|
|
- struct nameidata *nd)
|
|
+static int apparmor_inode_permission(struct inode *inode, int mask)
|
|
{
|
|
- int check = 0;
|
|
-
|
|
- if (!nd || nd->flags & (LOOKUP_PARENT | LOOKUP_CONTINUE))
|
|
- return 0;
|
|
- mask = aa_mask_permissions(mask);
|
|
- if (S_ISDIR(inode->i_mode)) {
|
|
- check |= AA_CHECK_DIR;
|
|
- /* allow traverse accesses to directories */
|
|
- mask &= ~MAY_EXEC;
|
|
- }
|
|
- return aa_permission("inode_permission", inode, nd->dentry, nd->mnt,
|
|
- mask, check);
|
|
+ return 0;
|
|
}
|
|
|
|
static int apparmor_inode_setattr(struct dentry *dentry, struct vfsmount *mnt,
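Review bot: apparmor_inode_permission now returns 0 unconditionally with no comment explaining why, so a reader of lsm.c sees an LSM hook that allows everything and has to dig through history to learn that mediation moved to the path hook; any inode_permission call that does not also pass through ->path_permission is unmediated from here on. Since the body is a deliberate fail-open, it should say so in place: `/* Intentionally a no-op: AppArmor mediates file access in apparmor_path_permission(), which receives the path this hook no longer has. */`. The `.inode_permission` entry in apparmor_ops is not in this patch; if it still points at this function it could presumably be dropped instead of keeping a pass-all hook registered, worth confirming against the ops table.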
|
|
@@ -656,6 +644,29 @@ static int apparmor_file_mprotect(struct
|
|
!(vma->vm_flags & VM_SHARED) ? MAP_PRIVATE : 0);
|
|
}
|
|
|
|
+static int apparmor_path_permission(struct path *path, int mask)
|
|
+{
|
|
+ struct inode *inode;
|
|
+ int check = 0;
|
|
+
|
|
+ if (!path)
|
|
+ return 0;
|
|
+
|
|
+ inode = path->dentry->d_inode;
|
|
+
|
|
+ mask = aa_mask_permissions(mask);
|
|
+ if (S_ISDIR(inode->i_mode)) {
|
|
+ check |= AA_CHECK_DIR;
|
|
+ /* allow traverse accesses to directories */
|
|
+ mask &= ~MAY_EXEC;
|
|
+ if (!mask)
|
|
+ return 0;
|
|
+ }
|
|
+
|
|
+ return aa_permission("inode_permission", inode, path->dentry,
|
|
+ path->mnt, mask, check);
|
|
+}
|
|
+
|
|
static int apparmor_task_alloc_security(struct task_struct *task)
|
|
{
|
|
return aa_clone(task);
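Review bot: The new `if (!mask) return 0;` after stripping MAY_EXEC is a behaviour change the commit message does not mention: the removed apparmor_inode_permission still called aa_permission() with an empty mask for a pure directory traversal, while the new code skips aa_permission() entirely, so any side effect of that call with mask 0 (an audit record, for instance) is lost — this should be confirmed against aa_permission() or called out in the description. The guard `if (!path) return 0;` is also fail-open, which matches the old NULL-nameidata behaviour, but `path->dentry->d_inode` is then read without a check; if the hook can ever see a negative dentry this faults rather than passing, so either extend the guard, `if (!path || !path->dentry->d_inode) return 0; /* nothing to mediate */`, or add a comment stating the caller guarantees a positive dentry. Finally the operation string passed to aa_permission() is still "inode_permission" although the caller is now the path hook, so audit messages will name a hook that no longer mediates anything; `"path_permission"` would match what the log reader will find in the code.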
|
|
@@ -800,6 +811,8 @@ struct security_operations apparmor_ops
|
|
.file_mprotect = apparmor_file_mprotect,
|
|
.file_lock = apparmor_file_lock,
|
|
|
|
+ .path_permission = apparmor_path_permission,
|
|
+
|
|
.task_alloc_security = apparmor_task_alloc_security,
|
|
.task_free_security = apparmor_task_free_security,
|
|
.task_post_setuid = cap_task_post_setuid,
|