From: Andreas Gruenbacher <agruen@suse.de>
|
|
Subject: Pass struct file down the inode_*xattr security LSM hooks
|
|
|
|
This allows LSMs to also distinguish between file descriptor and path
|
|
access for the xattr operations. (The other relevant operations are
|
|
covered by the setattr hook.)
|
|
|
|
Signed-off-by: Andreas Gruenbacher <agruen@suse.de>
|
|
Signed-off-by: John Johansen <jjohansen@suse.de>
|
|
|
|
---
|
|
fs/xattr.c | 59 +++++++++++++++++++++++----------------------
|
|
include/linux/security.h | 38 ++++++++++++++++------------
|
|
include/linux/xattr.h | 9 +++---
|
|
security/capability.c | 5 ++-
|
|
security/commoncap.c | 4 +--
|
|
security/security.c | 17 ++++++------
|
|
security/selinux/hooks.c | 10 ++++---
|
|
security/smack/smack_lsm.c | 14 ++++++----
|
|
8 files changed, 87 insertions(+), 69 deletions(-)
|
|
|
|
--- a/fs/xattr.c
|
|
+++ b/fs/xattr.c
|
|
@@ -68,7 +68,7 @@ xattr_permission(struct inode *inode, co
|
|
|
|
int
|
|
vfs_setxattr(struct dentry *dentry, struct vfsmount *mnt, const char *name,
|
|
- const void *value, size_t size, int flags)
|
|
+ const void *value, size_t size, int flags, struct file *file)
|
|
{
|
|
struct inode *inode = dentry->d_inode;
|
|
int error;
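Review bot: vfs_setxattr is exported API (the `EXPORT_SYMBOL_GPL` lines for the vfs_* family are visible in the hunk headers at L178, L224 and L275), yet the diffstat touches no file outside fs/xattr.c and the LSM layer, so any other in-tree or out-of-tree caller of vfs_setxattr/vfs_getxattr/vfs_listxattr/vfs_removexattr would presumably no longer compile; worth confirming against the tree before merging. The new parameter also carries an unstated contract that callers must know: sys_setxattr passes NULL (L343) and sys_fsetxattr passes the open file (L400). Suggest a one-line comment above the signature, `/* @file: the open file for fd-based (f*xattr) calls, NULL for path-based calls */`, and the same on the vfs_getxattr (L127), vfs_listxattr (L178) and vfs_removexattr (L221) hunks. vfs_setxattr's body continues outside the hunk.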
|
|
@@ -78,7 +78,7 @@ vfs_setxattr(struct dentry *dentry, stru
|
|
return error;
|
|
|
|
mutex_lock(&inode->i_mutex);
|
|
- error = security_inode_setxattr(dentry, mnt, name, value, size, flags);
|
|
+ error = security_inode_setxattr(dentry, mnt, name, value, size, flags, file);
|
|
if (error)
|
|
goto out;
|
|
error = -EOPNOTSUPP;
|
|
@@ -132,7 +132,7 @@ EXPORT_SYMBOL_GPL(xattr_getsecurity);
|
|
|
|
ssize_t
|
|
vfs_getxattr(struct dentry *dentry, struct vfsmount *mnt, const char *name,
|
|
- void *value, size_t size)
|
|
+ void *value, size_t size, struct file *file)
|
|
{
|
|
struct inode *inode = dentry->d_inode;
|
|
int error;
|
|
@@ -141,7 +141,7 @@ vfs_getxattr(struct dentry *dentry, stru
|
|
if (error)
|
|
return error;
|
|
|
|
- error = security_inode_getxattr(dentry, mnt, name);
|
|
+ error = security_inode_getxattr(dentry, mnt, name, file);
|
|
if (error)
|
|
return error;
|
|
|
|
@@ -169,12 +169,12 @@ EXPORT_SYMBOL_GPL(vfs_getxattr);
|
|
|
|
ssize_t
|
|
vfs_listxattr(struct dentry *dentry, struct vfsmount *mnt, char *list,
|
|
- size_t size)
|
|
+ size_t size, struct file *file)
|
|
{
|
|
struct inode *inode = dentry->d_inode;
|
|
ssize_t error;
|
|
|
|
- error = security_inode_listxattr(dentry, mnt);
|
|
+ error = security_inode_listxattr(dentry, mnt, file);
|
|
if (error)
|
|
return error;
|
|
error = -EOPNOTSUPP;
|
|
@@ -190,7 +190,8 @@ vfs_listxattr(struct dentry *dentry, str
|
|
EXPORT_SYMBOL_GPL(vfs_listxattr);
|
|
|
|
int
|
|
-vfs_removexattr(struct dentry *dentry, struct vfsmount *mnt, const char *name)
|
|
+vfs_removexattr(struct dentry *dentry, struct vfsmount *mnt, const char *name,
|
|
+ struct file *file)
|
|
{
|
|
struct inode *inode = dentry->d_inode;
|
|
int error;
|
|
@@ -202,7 +203,7 @@ vfs_removexattr(struct dentry *dentry, s
|
|
if (error)
|
|
return error;
|
|
|
|
- error = security_inode_removexattr(dentry, mnt, name);
|
|
+ error = security_inode_removexattr(dentry, mnt, name, file);
|
|
if (error)
|
|
return error;
|
|
|
|
@@ -222,7 +223,7 @@ EXPORT_SYMBOL_GPL(vfs_removexattr);
|
|
*/
|
|
static long
|
|
setxattr(struct dentry *dentry, struct vfsmount *mnt, const char __user *name,
|
|
- const void __user *value, size_t size, int flags)
|
|
+ const void __user *value, size_t size, int flags, struct file *file)
|
|
{
|
|
int error;
|
|
void *kvalue = NULL;
|
|
@@ -249,7 +250,7 @@ setxattr(struct dentry *dentry, struct v
|
|
}
|
|
}
|
|
|
|
- error = vfs_setxattr(dentry, mnt, kname, kvalue, size, flags);
|
|
+ error = vfs_setxattr(dentry, mnt, kname, kvalue, size, flags, file);
|
|
kfree(kvalue);
|
|
return error;
|
|
}
|
|
@@ -266,7 +267,7 @@ sys_setxattr(const char __user *pathname
|
|
return error;
|
|
error = mnt_want_write(path.mnt);
|
|
if (!error) {
|
|
- error = setxattr(path.dentry, path.mnt, name, value, size, flags);
|
|
+ error = setxattr(path.dentry, path.mnt, name, value, size, flags, NULL);
|
|
mnt_drop_write(path.mnt);
|
|
}
|
|
path_put(&path);
|
|
@@ -285,7 +286,7 @@ sys_lsetxattr(const char __user *pathnam
|
|
return error;
|
|
error = mnt_want_write(path.mnt);
|
|
if (!error) {
|
|
- error = setxattr(path.dentry, path.mnt, name, value, size, flags);
|
|
+ error = setxattr(path.dentry, path.mnt, name, value, size, flags, NULL);
|
|
mnt_drop_write(path.mnt);
|
|
}
|
|
path_put(&path);
|
|
@@ -307,7 +308,8 @@ sys_fsetxattr(int fd, const char __user
|
|
audit_inode(NULL, dentry);
|
|
error = mnt_want_write(f->f_path.mnt);
|
|
if (!error) {
|
|
- error = setxattr(dentry, f->f_vfsmnt, name, value, size, flags);
|
|
+ error = setxattr(dentry, f->f_vfsmnt, name, value, size, flags,
|
|
+ f);
|
|
mnt_drop_write(f->f_path.mnt);
|
|
}
|
|
fput(f);
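Review bot: The rewritten call still reads the mount as `f->f_vfsmnt` while the surrounding lines use `f->f_path.mnt` for the same mount (mnt_want_write at L388, mnt_drop_write at L403), and the sibling fd-based paths sys_fgetxattr (L534) and sys_fremovexattr (L804) already use f_path. Since the line is being rewritten anyway, use one spelling: `error = setxattr(dentry, f->f_path.mnt, name, value, size, flags, f);`. sys_fsetxattr starts outside the hunk.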
|
|
@@ -319,7 +321,7 @@ sys_fsetxattr(int fd, const char __user
|
|
*/
|
|
static ssize_t
|
|
getxattr(struct dentry *dentry, struct vfsmount *mnt, const char __user *name,
|
|
- void __user *value, size_t size)
|
|
+ void __user *value, size_t size, struct file *file)
|
|
{
|
|
ssize_t error;
|
|
void *kvalue = NULL;
|
|
@@ -339,7 +341,7 @@ getxattr(struct dentry *dentry, struct v
|
|
return -ENOMEM;
|
|
}
|
|
|
|
- error = vfs_getxattr(dentry, mnt, kname, kvalue, size);
|
|
+ error = vfs_getxattr(dentry, mnt, kname, kvalue, size, file);
|
|
if (error > 0) {
|
|
if (size && copy_to_user(value, kvalue, error))
|
|
error = -EFAULT;
|
|
@@ -362,7 +364,7 @@ sys_getxattr(const char __user *pathname
|
|
error = user_path(pathname, &path);
|
|
if (error)
|
|
return error;
|
|
- error = getxattr(path.dentry, path.mnt, name, value, size);
|
|
+ error = getxattr(path.dentry, path.mnt, name, value, size, NULL);
|
|
path_put(&path);
|
|
return error;
|
|
}
|
|
@@ -377,7 +379,7 @@ sys_lgetxattr(const char __user *pathnam
|
|
error = user_lpath(pathname, &path);
|
|
if (error)
|
|
return error;
|
|
- error = getxattr(path.dentry, path.mnt, name, value, size);
|
|
+ error = getxattr(path.dentry, path.mnt, name, value, size, NULL);
|
|
path_put(&path);
|
|
return error;
|
|
}
|
|
@@ -392,7 +394,7 @@ sys_fgetxattr(int fd, const char __user
|
|
if (!f)
|
|
return error;
|
|
audit_inode(NULL, f->f_path.dentry);
|
|
- error = getxattr(f->f_path.dentry, f->f_path.mnt, name, value, size);
|
|
+ error = getxattr(f->f_path.dentry, f->f_path.mnt, name, value, size, f);
|
|
fput(f);
|
|
return error;
|
|
}
|
|
@@ -402,7 +404,7 @@ sys_fgetxattr(int fd, const char __user
|
|
*/
|
|
static ssize_t
|
|
listxattr(struct dentry *dentry, struct vfsmount *mnt, char __user *list,
|
|
- size_t size)
|
|
+ size_t size, struct file *file)
|
|
{
|
|
ssize_t error;
|
|
char *klist = NULL;
|
|
@@ -415,7 +417,7 @@ listxattr(struct dentry *dentry, struct
|
|
return -ENOMEM;
|
|
}
|
|
|
|
- error = vfs_listxattr(dentry, mnt, klist, size);
|
|
+ error = vfs_listxattr(dentry, mnt, klist, size, file);
|
|
if (error > 0) {
|
|
if (size && copy_to_user(list, klist, error))
|
|
error = -EFAULT;
|
|
@@ -437,7 +439,7 @@ sys_listxattr(const char __user *pathnam
|
|
error = user_path(pathname, &path);
|
|
if (error)
|
|
return error;
|
|
- error = listxattr(path.dentry, path.mnt, list, size);
|
|
+ error = listxattr(path.dentry, path.mnt, list, size, NULL);
|
|
path_put(&path);
|
|
return error;
|
|
}
|
|
@@ -451,7 +453,7 @@ sys_llistxattr(const char __user *pathna
|
|
error = user_lpath(pathname, &path);
|
|
if (error)
|
|
return error;
|
|
- error = listxattr(path.dentry, path.mnt, list, size);
|
|
+ error = listxattr(path.dentry, path.mnt, list, size, NULL);
|
|
path_put(&path);
|
|
return error;
|
|
}
|
|
@@ -466,7 +468,7 @@ sys_flistxattr(int fd, char __user *list
|
|
if (!f)
|
|
return error;
|
|
audit_inode(NULL, f->f_path.dentry);
|
|
- error = listxattr(f->f_path.dentry, f->f_path.mnt, list, size);
|
|
+ error = listxattr(f->f_path.dentry, f->f_path.mnt, list, size, f);
|
|
fput(f);
|
|
return error;
|
|
}
|
|
@@ -475,7 +477,8 @@ sys_flistxattr(int fd, char __user *list
|
|
* Extended attribute REMOVE operations
|
|
*/
|
|
static long
|
|
-removexattr(struct dentry *dentry, struct vfsmount *mnt, const char __user *name)
|
|
+removexattr(struct dentry *dentry, struct vfsmount *mnt,
|
|
+ const char __user *name, struct file *file)
|
|
{
|
|
int error;
|
|
char kname[XATTR_NAME_MAX + 1];
|
|
@@ -486,7 +489,7 @@ removexattr(struct dentry *dentry, struc
|
|
if (error < 0)
|
|
return error;
|
|
|
|
- return vfs_removexattr(dentry, mnt, kname);
|
|
+ return vfs_removexattr(dentry, mnt, kname, file);
|
|
}
|
|
|
|
asmlinkage long
|
|
@@ -500,7 +503,7 @@ sys_removexattr(const char __user *pathn
|
|
return error;
|
|
error = mnt_want_write(path.mnt);
|
|
if (!error) {
|
|
- error = removexattr(path.dentry, path.mnt, name);
|
|
+ error = removexattr(path.dentry, path.mnt, name, NULL);
|
|
mnt_drop_write(path.mnt);
|
|
}
|
|
path_put(&path);
|
|
@@ -518,7 +521,7 @@ sys_lremovexattr(const char __user *path
|
|
return error;
|
|
error = mnt_want_write(path.mnt);
|
|
if (!error) {
|
|
- error = removexattr(path.dentry, path.mnt, name);
|
|
+ error = removexattr(path.dentry, path.mnt, name, NULL);
|
|
mnt_drop_write(path.mnt);
|
|
}
|
|
path_put(&path);
|
|
@@ -539,7 +542,7 @@ sys_fremovexattr(int fd, const char __us
|
|
audit_inode(NULL, dentry);
|
|
error = mnt_want_write(f->f_path.mnt);
|
|
if (!error) {
|
|
- error = removexattr(dentry, f->f_path.mnt, name);
|
|
+ error = removexattr(dentry, f->f_path.mnt, name, f);
|
|
mnt_drop_write(f->f_path.mnt);
|
|
}
|
|
fput(f);
|
|
--- a/include/linux/security.h
|
|
+++ b/include/linux/security.h
|
|
@@ -56,9 +56,9 @@ extern void cap_bprm_apply_creds(struct
|
|
extern int cap_bprm_secureexec(struct linux_binprm *bprm);
|
|
extern int cap_inode_setxattr(struct dentry *dentry, struct vfsmount *mnt,
|
|
const char *name, const void *value, size_t size,
|
|
- int flags);
|
|
+ int flags, struct file *file);
|
|
extern int cap_inode_removexattr(struct dentry *dentry, struct vfsmount *mnt,
|
|
- const char *name);
|
|
+ const char *name, struct file *file);
|
|
extern int cap_inode_need_killpriv(struct dentry *dentry);
|
|
extern int cap_inode_killpriv(struct dentry *dentry);
|
|
extern int cap_task_post_setuid(uid_t old_ruid, uid_t old_euid, uid_t old_suid, int flags);
|
|
@@ -1396,16 +1396,17 @@ struct security_operations {
|
|
void (*inode_delete) (struct inode *inode);
|
|
int (*inode_setxattr) (struct dentry *dentry, struct vfsmount *mnt,
|
|
const char *name, const void *value, size_t size,
|
|
- int flags);
|
|
+ int flags, struct file *file);
|
|
void (*inode_post_setxattr) (struct dentry *dentry,
|
|
struct vfsmount *mnt,
|
|
const char *name, const void *value,
|
|
size_t size, int flags);
|
|
int (*inode_getxattr) (struct dentry *dentry, struct vfsmount *mnt,
|
|
- const char *name);
|
|
- int (*inode_listxattr) (struct dentry *dentry, struct vfsmount *mnt);
|
|
+ const char *name, struct file *file);
|
|
+ int (*inode_listxattr) (struct dentry *dentry, struct vfsmount *mnt,
|
|
+ struct file *file);
|
|
int (*inode_removexattr) (struct dentry *dentry, struct vfsmount *mnt,
|
|
- const char *name);
|
|
+ const char *name, struct file *file);
|
|
int (*inode_need_killpriv) (struct dentry *dentry);
|
|
int (*inode_killpriv) (struct dentry *dentry);
|
|
int (*inode_getsecurity) (const struct inode *inode, const char *name, void **buffer, bool alloc);
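Review bot: The @file parameter added to the inode_setxattr, inode_getxattr, inode_listxattr and inode_removexattr slots is not described anywhere in this patch, and the one fact an LSM author needs — that it is NULL for path-based calls and the open file for fd-based ones, as sys_setxattr (L343) and sys_fsetxattr (L400) show — is not stated. If security.h carries its per-hook kernel-doc block for struct security_operations ahead of this hunk, as it presumably does, add under each of the four hooks: ` *	@file contains the open file for fd-based (f*xattr) calls, or NULL for path-based calls.` The cap_inode_setxattr/cap_inode_removexattr declarations in the earlier hunk (L822) would benefit from the same line.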
|
|
@@ -1675,15 +1676,16 @@ int security_inode_getattr(struct vfsmou
|
|
void security_inode_delete(struct inode *inode);
|
|
int security_inode_setxattr(struct dentry *dentry, struct vfsmount *mnt,
|
|
const char *name, const void *value,
|
|
- size_t size, int flags);
|
|
+ size_t size, int flags, struct file *file);
|
|
void security_inode_post_setxattr(struct dentry *dentry, struct vfsmount *mnt,
|
|
const char *name, const void *value,
|
|
size_t size, int flags);
|
|
int security_inode_getxattr(struct dentry *dentry, struct vfsmount *mnt,
|
|
- const char *name);
|
|
-int security_inode_listxattr(struct dentry *dentry, struct vfsmount *mnt);
|
|
+ const char *name, struct file *file);
|
|
+int security_inode_listxattr(struct dentry *dentry, struct vfsmount *mnt,
|
|
+ struct file *file);
|
|
int security_inode_removexattr(struct dentry *dentry, struct vfsmount *mnt,
|
|
- const char *name);
|
|
+ const char *name, struct file *file);
|
|
int security_inode_need_killpriv(struct dentry *dentry);
|
|
int security_inode_killpriv(struct dentry *dentry);
|
|
int security_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc);
|
|
@@ -2105,9 +2107,10 @@ static inline void security_inode_delete
|
|
static inline int security_inode_setxattr(struct dentry *dentry,
|
|
struct vfsmount *mnt,
|
|
const char *name, const void *value,
|
|
- size_t size, int flags)
|
|
+ size_t size, int flags,
|
|
+ struct file *file)
|
|
{
|
|
- return cap_inode_setxattr(dentry, mnt, name, value, size, flags);
|
|
+ return cap_inode_setxattr(dentry, mnt, name, value, size, flags, file);
|
|
}
|
|
|
|
static inline void security_inode_post_setxattr(struct dentry *dentry,
|
|
@@ -2119,22 +2122,25 @@ static inline void security_inode_post_s
|
|
|
|
static inline int security_inode_getxattr(struct dentry *dentry,
|
|
struct vfsmount *mnt,
|
|
- const char *name)
|
|
+ const char *name,
|
|
+ struct file *file)
|
|
{
|
|
return 0;
|
|
}
|
|
|
|
static inline int security_inode_listxattr(struct dentry *dentry,
|
|
- struct vfsmount *mnt)
|
|
+ struct vfsmount *mnt,
|
|
+ struct file *file)
|
|
{
|
|
return 0;
|
|
}
|
|
|
|
static inline int security_inode_removexattr(struct dentry *dentry,
|
|
struct vfsmount *mnt,
|
|
- const char *name)
|
|
+ const char *name,
|
|
+ struct file *file)
|
|
{
|
|
- return cap_inode_removexattr(dentry, mnt, name);
|
|
+ return cap_inode_removexattr(dentry, mnt, name, file);
|
|
}
|
|
|
|
static inline int security_inode_need_killpriv(struct dentry *dentry)
|
|
--- a/include/linux/xattr.h
|
|
+++ b/include/linux/xattr.h
|
|
@@ -17,6 +17,7 @@
|
|
|
|
#include <linux/types.h>
|
|
#include <linux/mount.h>
|
|
+#include <linux/fs.h>
|
|
|
|
/* Namespaces */
|
|
#define XATTR_OS2_PREFIX "os2."
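Review bot: `#include <linux/fs.h>` is added only so the vfs_* prototypes can mention `struct file *`, but a pointer parameter does not need the complete type; a forward declaration keeps xattr.h lightweight and avoids any include cycle between fs.h and xattr.h (whether fs.h already pulls in xattr.h in this tree is worth checking). Proposed replacement for the added line: `struct file;`.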
|
|
@@ -48,10 +49,10 @@ struct xattr_handler {
|
|
};
|
|
|
|
ssize_t xattr_getsecurity(struct inode *, const char *, void *, size_t);
|
|
-ssize_t vfs_getxattr(struct dentry *, struct vfsmount *, const char *, void *, size_t);
|
|
-ssize_t vfs_listxattr(struct dentry *d, struct vfsmount *, char *list, size_t size);
|
|
-int vfs_setxattr(struct dentry *, struct vfsmount *, const char *, const void *, size_t, int);
|
|
-int vfs_removexattr(struct dentry *, struct vfsmount *mnt, const char *);
|
|
+ssize_t vfs_getxattr(struct dentry *, struct vfsmount *, const char *, void *, size_t, struct file *file);
|
|
+ssize_t vfs_listxattr(struct dentry *d, struct vfsmount *, char *list, size_t size, struct file *file);
|
|
+int vfs_setxattr(struct dentry *, struct vfsmount *, const char *, const void *, size_t, int, struct file *file);
|
|
+int vfs_removexattr(struct dentry *, struct vfsmount *mnt, const char *, struct file *file);
|
|
|
|
ssize_t generic_getxattr(struct dentry *dentry, const char *name, void *buffer, size_t size);
|
|
ssize_t generic_listxattr(struct dentry *dentry, char *buffer, size_t buffer_size);
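Review bot: The rewritten prototypes name only the new parameter (`struct file *file`) and leave the others anonymous, with vfs_removexattr additionally naming `mnt`; naming all parameters consistently is what lets a reader map positions to meaning, e.g. `int vfs_setxattr(struct dentry *dentry, struct vfsmount *mnt, const char *name, const void *value, size_t size, int flags, struct file *file);`. The header is also the natural place to state the contract the callers in fs/xattr.c follow, since sys_setxattr passes NULL (L343) and sys_fsetxattr passes the open file (L400): `/* file: the open file for fd-based calls, NULL for path-based calls */` above the four declarations.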
|
|
--- a/security/capability.c
|
|
+++ b/security/capability.c
|
|
@@ -242,12 +242,13 @@ static void cap_inode_post_setxattr(stru
|
|
}
|
|
|
|
static int cap_inode_getxattr(struct dentry *dentry, struct vfsmount *mnt,
|
|
- const char *name)
|
|
+ const char *name, struct file *f)
|
|
{
|
|
return 0;
|
|
}
|
|
|
|
-static int cap_inode_listxattr(struct dentry *dentry, struct vfsmount *mnt)
|
|
+static int cap_inode_listxattr(struct dentry *dentry, struct vfsmount *mnt,
|
|
+ struct file *f)
|
|
{
|
|
return 0;
|
|
}
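Review bot: capability.c names the new parameter `f`, while the hook prototypes in security.h (L897, L903) and every other LSM in this patch call it `file`; for a parameter that is otherwise unused, matching the declaration's name is the only cue a reader has that it is the same object. Suggest `const char *name, struct file *file)` for cap_inode_getxattr and `struct file *file)` for cap_inode_listxattr.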
|
|
--- a/security/commoncap.c
|
|
+++ b/security/commoncap.c
|
|
@@ -413,7 +413,7 @@ int cap_bprm_secureexec (struct linux_bi
|
|
|
|
int cap_inode_setxattr(struct dentry *dentry, struct vfsmount *mnt,
|
|
const char *name, const void *value, size_t size,
|
|
- int flags)
|
|
+ int flags, struct file *file)
|
|
{
|
|
if (!strcmp(name, XATTR_NAME_CAPS)) {
|
|
if (!capable(CAP_SETFCAP))
|
|
@@ -427,7 +427,7 @@ int cap_inode_setxattr(struct dentry *de
|
|
}
|
|
|
|
int cap_inode_removexattr(struct dentry *dentry, struct vfsmount *mnt,
|
|
- const char *name)
|
|
+ const char *name, struct file *file)
|
|
{
|
|
if (!strcmp(name, XATTR_NAME_CAPS)) {
|
|
if (!capable(CAP_SETFCAP))
|
|
--- a/security/security.c
|
|
+++ b/security/security.c
|
|
@@ -473,12 +473,12 @@ void security_inode_delete(struct inode
|
|
|
|
int security_inode_setxattr(struct dentry *dentry, struct vfsmount *mnt,
|
|
const char *name, const void *value, size_t size,
|
|
- int flags)
|
|
+ int flags, struct file *file)
|
|
{
|
|
if (unlikely(IS_PRIVATE(dentry->d_inode)))
|
|
return 0;
|
|
return security_ops->inode_setxattr(dentry, mnt, name, value, size,
|
|
- flags);
|
|
+ flags, file);
|
|
}
|
|
|
|
void security_inode_post_setxattr(struct dentry *dentry, struct vfsmount *mnt,
|
|
@@ -492,26 +492,27 @@ void security_inode_post_setxattr(struct
|
|
}
|
|
|
|
int security_inode_getxattr(struct dentry *dentry, struct vfsmount *mnt,
|
|
- const char *name)
|
|
+ const char *name, struct file *file)
|
|
{
|
|
if (unlikely(IS_PRIVATE(dentry->d_inode)))
|
|
return 0;
|
|
- return security_ops->inode_getxattr(dentry, mnt, name);
|
|
+ return security_ops->inode_getxattr(dentry, mnt, name, file);
|
|
}
|
|
|
|
-int security_inode_listxattr(struct dentry *dentry, struct vfsmount *mnt)
|
|
+int security_inode_listxattr(struct dentry *dentry, struct vfsmount *mnt,
|
|
+ struct file *file)
|
|
{
|
|
if (unlikely(IS_PRIVATE(dentry->d_inode)))
|
|
return 0;
|
|
- return security_ops->inode_listxattr(dentry, mnt);
|
|
+ return security_ops->inode_listxattr(dentry, mnt, file);
|
|
}
|
|
|
|
int security_inode_removexattr(struct dentry *dentry, struct vfsmount *mnt,
|
|
- const char *name)
|
|
+ const char *name, struct file *file)
|
|
{
|
|
if (unlikely(IS_PRIVATE(dentry->d_inode)))
|
|
return 0;
|
|
- return security_ops->inode_removexattr(dentry, mnt, name);
|
|
+ return security_ops->inode_removexattr(dentry, mnt, name, file);
|
|
}
|
|
|
|
int security_inode_need_killpriv(struct dentry *dentry)
|
|
--- a/security/selinux/hooks.c
|
|
+++ b/security/selinux/hooks.c
|
|
@@ -2715,7 +2715,7 @@ static int selinux_inode_setotherxattr(s
|
|
|
|
static int selinux_inode_setxattr(struct dentry *dentry, struct vfsmount *mnt,
|
|
const char *name, const void *value,
|
|
- size_t size, int flags)
|
|
+ size_t size, int flags, struct file *file)
|
|
{
|
|
struct task_security_struct *tsec = current->security;
|
|
struct inode *inode = dentry->d_inode;
|
|
@@ -2797,18 +2797,20 @@ static void selinux_inode_post_setxattr(
|
|
}
|
|
|
|
static int selinux_inode_getxattr(struct dentry *dentry, struct vfsmount *mnt,
|
|
- const char *name)
|
|
+ const char *name, struct file *file)
|
|
{
|
|
return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
|
|
}
|
|
|
|
-static int selinux_inode_listxattr(struct dentry *dentry, struct vfsmount *mnt)
|
|
+static int selinux_inode_listxattr(struct dentry *dentry, struct vfsmount *mnt,
|
|
+ struct file *file)
|
|
{
|
|
return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
|
|
}
|
|
|
|
static int selinux_inode_removexattr(struct dentry *dentry,
|
|
- struct vfsmount *mnt, const char *name)
|
|
+ struct vfsmount *mnt, const char *name,
|
|
+ struct file *file)
|
|
{
|
|
if (strcmp(name, XATTR_NAME_SELINUX))
|
|
return selinux_inode_setotherxattr(dentry, name);
|
|
--- a/security/smack/smack_lsm.c
|
|
+++ b/security/smack/smack_lsm.c
|
|
@@ -600,6 +600,7 @@ static int smack_inode_getattr(struct vf
|
|
* @value: unused
|
|
* @size: unused
|
|
* @flags: unused
|
|
+ * @file: unused
|
|
*
|
|
* This protects the Smack attribute explicitly.
|
|
*
|
|
@@ -607,7 +608,7 @@ static int smack_inode_getattr(struct vf
|
|
*/
|
|
static int smack_inode_setxattr(struct dentry *dentry, struct vfsmount *mnt,
|
|
const char *name, const void *value,
|
|
- size_t size, int flags)
|
|
+ size_t size, int flags, struct file *file)
|
|
{
|
|
int rc = 0;
|
|
|
|
@@ -617,7 +618,8 @@ static int smack_inode_setxattr(struct d
|
|
if (!capable(CAP_MAC_ADMIN))
|
|
rc = -EPERM;
|
|
} else
|
|
- rc = cap_inode_setxattr(dentry, mnt, name, value, size, flags);
|
|
+ rc = cap_inode_setxattr(dentry, mnt, name, value, size, flags,
|
|
+ file);
|
|
|
|
if (rc == 0)
|
|
rc = smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE);
|
|
@@ -673,11 +675,12 @@ static void smack_inode_post_setxattr(st
|
|
* @dentry: the object
|
|
* @mnt: unused
|
|
* @name: unused
|
|
+ * @file: unused
|
|
*
|
|
* Returns 0 if access is permitted, an error code otherwise
|
|
*/
|
|
static int smack_inode_getxattr(struct dentry *dentry, struct vfsmount *mnt,
|
|
- const char *name)
|
|
+ const char *name, struct file *file)
|
|
{
|
|
return smk_curacc(smk_of_inode(dentry->d_inode), MAY_READ);
|
|
}
|
|
@@ -687,13 +690,14 @@ static int smack_inode_getxattr(struct d
|
|
* @dentry: the object
|
|
* @mnt: unused
|
|
* @name: name of the attribute
|
|
+ * @file: unused
|
|
*
|
|
* Removing the Smack attribute requires CAP_MAC_ADMIN
|
|
*
|
|
* Returns 0 if access is permitted, an error code otherwise
|
|
*/
|
|
static int smack_inode_removexattr(struct dentry *dentry, struct vfsmount *mnt,
|
|
- const char *name)
|
|
+ const char *name, struct file *file)
|
|
{
|
|
int rc = 0;
|
|
|
|
@@ -703,7 +707,7 @@ static int smack_inode_removexattr(struc
|
|
if (!capable(CAP_MAC_ADMIN))
|
|
rc = -EPERM;
|
|
} else
|
|
- rc = cap_inode_removexattr(dentry, mnt, name);
|
|
+ rc = cap_inode_removexattr(dentry, mnt, name, file);
|
|
|
|
if (rc == 0)
|
|
rc = smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE);
|