Commit 2875fa00830be62431f5ac22d8f85d57f9fa3033
SELinux: introduce path_has_perm
We currently have inode_has_perm and dentry_has_perm. dentry_has_perm just calls inode_has_perm with additional audit data. But dentry_has_perm can take either a dentry or a path. Split those to make the code obvious and to fix the previous problem where I thought dentry_has_perm always had a valid dentry and mnt. Signed-off-by: Eric Paris <eparis@redhat.com>
Showing 1 changed file with 30 additions and 14 deletions Side-by-side Diff
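--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1499,16 +1499,29 @@
    the dentry to help the auditing code to more easily generate the
    pathname if needed. */
 static inline int dentry_has_perm(const struct cred *cred,
-				  struct vfsmount *mnt,
 				  struct dentry *dentry,
 				  u32 av)
 {
 	struct inode *inode = dentry->d_inode;
 	struct common_audit_data ad;
 
+	COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
+	ad.u.dentry = dentry;
+	return inode_has_perm(cred, inode, av, &ad, 0);
+}
+
+/* Same as inode_has_perm, but pass explicit audit data containing
+   the path to help the auditing code to more easily generate the
+   pathname if needed. */
+static inline int path_has_perm(const struct cred *cred,
+				struct path *path,
+				u32 av)
+{
+	struct inode *inode = path->dentry->d_inode;
+	struct common_audit_data ad;
+
 	COMMON_AUDIT_DATA_INIT(&ad, PATH);
-	ad.u.path.mnt = mnt;
-	ad.u.path.dentry = dentry;
+	ad.u.path = *path;
 	return inode_has_perm(cred, inode, av, &ad, 0);
 }
 
@@ -1896,7 +1909,7 @@
 {
 	const struct cred *cred = current_cred();
 
-	return dentry_has_perm(cred, NULL, dentry, FILE__QUOTAON);
+	return dentry_has_perm(cred, dentry, FILE__QUOTAON);
 }
 
 static int selinux_syslog(int type)
@@ -2496,8 +2509,7 @@
 		return superblock_has_perm(cred, path->mnt->mnt_sb,
 					   FILESYSTEM__REMOUNT, NULL);
 	else
-		return dentry_has_perm(cred, path->mnt, path->dentry,
-				       FILE__MOUNTON);
+		return path_has_perm(cred, path, FILE__MOUNTON);
 }
 
 static int selinux_umount(struct vfsmount *mnt, int flags)
@@ -2630,14 +2642,14 @@
 {
 	const struct cred *cred = current_cred();
 
-	return dentry_has_perm(cred, NULL, dentry, FILE__READ);
+	return dentry_has_perm(cred, dentry, FILE__READ);
 }
 
 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
 {
 	const struct cred *cred = current_cred();
 
-	return dentry_has_perm(cred, NULL, dentry, FILE__READ);
+	return dentry_has_perm(cred, dentry, FILE__READ);
 }
 
 static int selinux_inode_permission(struct inode *inode, int mask, unsigned flags)
@@ -2680,16 +2692,20 @@
 
 	if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
 			ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
-		return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
+		return dentry_has_perm(cred, dentry, FILE__SETATTR);
 
-	return dentry_has_perm(cred, NULL, dentry, FILE__WRITE);
+	return dentry_has_perm(cred, dentry, FILE__WRITE);
 }
 
 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
 {
 	const struct cred *cred = current_cred();
+	struct path path;
 
-	return dentry_has_perm(cred, mnt, dentry, FILE__GETATTR);
+	path.dentry = dentry;
+	path.mnt = mnt;
+
+	return path_has_perm(cred, &path, FILE__GETATTR);
 }
 
 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
@@ -2710,7 +2726,7 @@
 
 	/* Not an attribute we recognize, so just check the
 	   ordinary setattr permission. */
-	return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
+	return dentry_has_perm(cred, dentry, FILE__SETATTR);
 }
 
 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
@@ -2797,14 +2813,14 @@
 {
 	const struct cred *cred = current_cred();
 
-	return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
+	return dentry_has_perm(cred, dentry, FILE__GETATTR);
 }
 
 static int selinux_inode_listxattr(struct dentry *dentry)
 {
 	const struct cred *cred = current_cred();
 
-	return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
+	return dentry_has_perm(cred, dentry, FILE__GETATTR);
 }
 
 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)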
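Review bot: The new path_has_perm (first hunk, new line 1517) only reads through `path` — it dereferences `path->dentry->d_inode` and copies the struct with `ad.u.path = *path;` — so the parameter should be declared `const struct path *path` to document that and to let const callers use it without a cast. Its contract is also stricter than dentry_has_perm's: because the whole struct is copied into the audit data, both `path->dentry` and `path->mnt` must be valid, which is exactly the assumption the commit message says was wrong before; a comment above the function, `/* Both path->dentry and path->mnt must be valid: *path is copied into the audit data. */`, would make that explicit. This matters most for selinux_inode_getattr in the @@ -2680 hunk, which forwards the hook's `mnt` argument into `path.mnt` unchanged; I cannot tell from this diff whether every caller of that hook supplies a non-NULL mnt, and if one does not, the DENTRY form used by the other hooks would be the safer choice there.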