Commit 745ca2475a6ac596e3d8d37c2759c0fbe2586227
Committed by
James Morris
James Morris
1 parent
88e67f3b88
Exists in
master
and in
4 other branches
CRED: Pass credentials through dentry_open()
Pass credentials through dentry_open() so that the COW creds patch can have SELinux's flush_unauthorized_files() pass the appropriate creds back to itself when it opens its null chardev. The security_dentry_open() call also now takes a creds pointer, as does the dentry_open hook in struct security_operations. Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: James Morris <jmorris@namei.org> Signed-off-by: James Morris <jmorris@namei.org>
Showing 19 changed files with 67 additions and 40 deletions Side-by-side Diff
- arch/powerpc/platforms/cell/spufs/inode.c
- arch/um/drivers/mconsole_kern.c
- fs/autofs4/dev-ioctl.c
- fs/ecryptfs/ecryptfs_kernel.h
- fs/ecryptfs/kthread.c
- fs/ecryptfs/main.c
- fs/exportfs/expfs.c
- fs/hppfs/hppfs.c
- fs/nfsctl.c
- fs/nfsd/nfs4recover.c
- fs/nfsd/vfs.c
- fs/open.c
- fs/xfs/linux-2.6/xfs_ioctl.c
- include/linux/fs.h
- include/linux/security.h
- ipc/mqueue.c
- security/capability.c
- security/security.c
- security/selinux/hooks.c
arch/powerpc/platforms/cell/spufs/inode.c
| ... | ... | @@ -323,7 +323,7 @@ |
| 323 | 323 | goto out; |
| 324 | 324 | } |
| 325 | 325 | |
| 326 | - filp = dentry_open(dentry, mnt, O_RDONLY); | |
| 326 | + filp = dentry_open(dentry, mnt, O_RDONLY, current_cred()); | |
| 327 | 327 | if (IS_ERR(filp)) { |
| 328 | 328 | put_unused_fd(ret); |
| 329 | 329 | ret = PTR_ERR(filp); |
| ... | ... | @@ -562,7 +562,7 @@ |
| 562 | 562 | goto out; |
| 563 | 563 | } |
| 564 | 564 | |
| 565 | - filp = dentry_open(dentry, mnt, O_RDONLY); | |
| 565 | + filp = dentry_open(dentry, mnt, O_RDONLY, current_cred()); | |
| 566 | 566 | if (IS_ERR(filp)) { |
| 567 | 567 | put_unused_fd(ret); |
| 568 | 568 | ret = PTR_ERR(filp); |
arch/um/drivers/mconsole_kern.c
| ... | ... | @@ -159,7 +159,8 @@ |
| 159 | 159 | goto out_kill; |
| 160 | 160 | } |
| 161 | 161 | |
| 162 | - file = dentry_open(nd.path.dentry, nd.path.mnt, O_RDONLY); | |
| 162 | + file = dentry_open(nd.path.dentry, nd.path.mnt, O_RDONLY, | |
| 163 | + current_cred()); | |
| 163 | 164 | if (IS_ERR(file)) { |
| 164 | 165 | mconsole_reply(req, "Failed to open file", 1, 0); |
| 165 | 166 | goto out_kill; |
fs/autofs4/dev-ioctl.c
fs/ecryptfs/ecryptfs_kernel.h
| ... | ... | @@ -691,7 +691,8 @@ |
| 691 | 691 | void ecryptfs_destroy_kthread(void); |
| 692 | 692 | int ecryptfs_privileged_open(struct file **lower_file, |
| 693 | 693 | struct dentry *lower_dentry, |
| 694 | - struct vfsmount *lower_mnt); | |
| 694 | + struct vfsmount *lower_mnt, | |
| 695 | + const struct cred *cred); | |
| 695 | 696 | int ecryptfs_init_persistent_file(struct dentry *ecryptfs_dentry); |
| 696 | 697 | |
| 697 | 698 | #endif /* #ifndef ECRYPTFS_KERNEL_H */ |
fs/ecryptfs/kthread.c
| ... | ... | @@ -73,7 +73,7 @@ |
| 73 | 73 | mntget(req->lower_mnt); |
| 74 | 74 | (*req->lower_file) = dentry_open( |
| 75 | 75 | req->lower_dentry, req->lower_mnt, |
| 76 | - (O_RDWR | O_LARGEFILE)); | |
| 76 | + (O_RDWR | O_LARGEFILE), current_cred()); | |
| 77 | 77 | req->flags |= ECRYPTFS_REQ_PROCESSED; |
| 78 | 78 | } |
| 79 | 79 | wake_up(&req->wait); |
| ... | ... | @@ -132,7 +132,8 @@ |
| 132 | 132 | */ |
| 133 | 133 | int ecryptfs_privileged_open(struct file **lower_file, |
| 134 | 134 | struct dentry *lower_dentry, |
| 135 | - struct vfsmount *lower_mnt) | |
| 135 | + struct vfsmount *lower_mnt, | |
| 136 | + const struct cred *cred) | |
| 136 | 137 | { |
| 137 | 138 | struct ecryptfs_open_req *req; |
| 138 | 139 | int rc = 0; |
| ... | ... | @@ -143,7 +144,7 @@ |
| 143 | 144 | dget(lower_dentry); |
| 144 | 145 | mntget(lower_mnt); |
| 145 | 146 | (*lower_file) = dentry_open(lower_dentry, lower_mnt, |
| 146 | - (O_RDWR | O_LARGEFILE)); | |
| 147 | + (O_RDWR | O_LARGEFILE), cred); | |
| 147 | 148 | if (!IS_ERR(*lower_file)) |
| 148 | 149 | goto out; |
| 149 | 150 | req = kmem_cache_alloc(ecryptfs_open_req_cache, GFP_KERNEL); |
| ... | ... | @@ -184,7 +185,7 @@ |
| 184 | 185 | dget(lower_dentry); |
| 185 | 186 | mntget(lower_mnt); |
| 186 | 187 | (*lower_file) = dentry_open(lower_dentry, lower_mnt, |
| 187 | - (O_RDONLY | O_LARGEFILE)); | |
| 188 | + (O_RDONLY | O_LARGEFILE), cred); | |
| 188 | 189 | if (IS_ERR(*lower_file)) { |
| 189 | 190 | rc = PTR_ERR(*req->lower_file); |
| 190 | 191 | (*lower_file) = NULL; |
fs/ecryptfs/main.c
| ... | ... | @@ -115,6 +115,7 @@ |
| 115 | 115 | */ |
| 116 | 116 | int ecryptfs_init_persistent_file(struct dentry *ecryptfs_dentry) |
| 117 | 117 | { |
| 118 | + const struct cred *cred = current_cred(); | |
| 118 | 119 | struct ecryptfs_inode_info *inode_info = |
| 119 | 120 | ecryptfs_inode_to_private(ecryptfs_dentry->d_inode); |
| 120 | 121 | int rc = 0; |
| ... | ... | @@ -127,7 +128,7 @@ |
| 127 | 128 | |
| 128 | 129 | lower_dentry = ecryptfs_dentry_to_lower(ecryptfs_dentry); |
| 129 | 130 | rc = ecryptfs_privileged_open(&inode_info->lower_file, |
| 130 | - lower_dentry, lower_mnt); | |
| 131 | + lower_dentry, lower_mnt, cred); | |
| 131 | 132 | if (rc || IS_ERR(inode_info->lower_file)) { |
| 132 | 133 | printk(KERN_ERR "Error opening lower persistent file " |
| 133 | 134 | "for lower_dentry [0x%p] and lower_mnt [0x%p]; " |
fs/exportfs/expfs.c
| ... | ... | @@ -14,6 +14,7 @@ |
| 14 | 14 | #include <linux/module.h> |
| 15 | 15 | #include <linux/mount.h> |
| 16 | 16 | #include <linux/namei.h> |
| 17 | +#include <linux/sched.h> | |
| 17 | 18 | |
| 18 | 19 | #define dprintk(fmt, args...) do{}while(0) |
| 19 | 20 | |
| ... | ... | @@ -249,6 +250,7 @@ |
| 249 | 250 | static int get_name(struct vfsmount *mnt, struct dentry *dentry, |
| 250 | 251 | char *name, struct dentry *child) |
| 251 | 252 | { |
| 253 | + const struct cred *cred = current_cred(); | |
| 252 | 254 | struct inode *dir = dentry->d_inode; |
| 253 | 255 | int error; |
| 254 | 256 | struct file *file; |
| ... | ... | @@ -263,7 +265,7 @@ |
| 263 | 265 | /* |
| 264 | 266 | * Open the directory ... |
| 265 | 267 | */ |
| 266 | - file = dentry_open(dget(dentry), mntget(mnt), O_RDONLY); | |
| 268 | + file = dentry_open(dget(dentry), mntget(mnt), O_RDONLY, cred); | |
| 267 | 269 | error = PTR_ERR(file); |
| 268 | 270 | if (IS_ERR(file)) |
| 269 | 271 | goto out; |
fs/hppfs/hppfs.c
| ... | ... | @@ -426,6 +426,7 @@ |
| 426 | 426 | |
| 427 | 427 | static int hppfs_open(struct inode *inode, struct file *file) |
| 428 | 428 | { |
| 429 | + const struct cred *cred = current_cred(); | |
| 429 | 430 | struct hppfs_private *data; |
| 430 | 431 | struct vfsmount *proc_mnt; |
| 431 | 432 | struct dentry *proc_dentry; |
| ... | ... | @@ -446,7 +447,7 @@ |
| 446 | 447 | |
| 447 | 448 | /* XXX This isn't closed anywhere */ |
| 448 | 449 | data->proc_file = dentry_open(dget(proc_dentry), mntget(proc_mnt), |
| 449 | - file_mode(file->f_mode)); | |
| 450 | + file_mode(file->f_mode), cred); | |
| 450 | 451 | err = PTR_ERR(data->proc_file); |
| 451 | 452 | if (IS_ERR(data->proc_file)) |
| 452 | 453 | goto out_free1; |
| ... | ... | @@ -489,6 +490,7 @@ |
| 489 | 490 | |
| 490 | 491 | static int hppfs_dir_open(struct inode *inode, struct file *file) |
| 491 | 492 | { |
| 493 | + const struct cred *cred = current_cred(); | |
| 492 | 494 | struct hppfs_private *data; |
| 493 | 495 | struct vfsmount *proc_mnt; |
| 494 | 496 | struct dentry *proc_dentry; |
| ... | ... | @@ -502,7 +504,7 @@ |
| 502 | 504 | proc_dentry = HPPFS_I(inode)->proc_dentry; |
| 503 | 505 | proc_mnt = inode->i_sb->s_fs_info; |
| 504 | 506 | data->proc_file = dentry_open(dget(proc_dentry), mntget(proc_mnt), |
| 505 | - file_mode(file->f_mode)); | |
| 507 | + file_mode(file->f_mode), cred); | |
| 506 | 508 | err = PTR_ERR(data->proc_file); |
| 507 | 509 | if (IS_ERR(data->proc_file)) |
| 508 | 510 | goto out_free; |
fs/nfsctl.c
| ... | ... | @@ -41,7 +41,8 @@ |
| 41 | 41 | error = may_open(&nd, MAY_WRITE, FMODE_WRITE); |
| 42 | 42 | |
| 43 | 43 | if (!error) |
| 44 | - return dentry_open(nd.path.dentry, nd.path.mnt, flags); | |
| 44 | + return dentry_open(nd.path.dentry, nd.path.mnt, flags, | |
| 45 | + current_cred()); | |
| 45 | 46 | |
| 46 | 47 | path_put(&nd.path); |
| 47 | 48 | return ERR_PTR(error); |
fs/nfsd/nfs4recover.c
| ... | ... | @@ -226,7 +226,8 @@ |
| 226 | 226 | |
| 227 | 227 | nfs4_save_user(&uid, &gid); |
| 228 | 228 | |
| 229 | - filp = dentry_open(dget(dir), mntget(rec_dir.mnt), O_RDONLY); | |
| 229 | + filp = dentry_open(dget(dir), mntget(rec_dir.mnt), O_RDONLY, | |
| 230 | + current_cred()); | |
| 230 | 231 | status = PTR_ERR(filp); |
| 231 | 232 | if (IS_ERR(filp)) |
| 232 | 233 | goto out; |
fs/nfsd/vfs.c
| ... | ... | @@ -671,6 +671,7 @@ |
| 671 | 671 | nfsd_open(struct svc_rqst *rqstp, struct svc_fh *fhp, int type, |
| 672 | 672 | int access, struct file **filp) |
| 673 | 673 | { |
| 674 | + const struct cred *cred = current_cred(); | |
| 674 | 675 | struct dentry *dentry; |
| 675 | 676 | struct inode *inode; |
| 676 | 677 | int flags = O_RDONLY|O_LARGEFILE; |
| ... | ... | @@ -725,7 +726,7 @@ |
| 725 | 726 | DQUOT_INIT(inode); |
| 726 | 727 | } |
| 727 | 728 | *filp = dentry_open(dget(dentry), mntget(fhp->fh_export->ex_path.mnt), |
| 728 | - flags); | |
| 729 | + flags, cred); | |
| 729 | 730 | if (IS_ERR(*filp)) |
| 730 | 731 | host_err = PTR_ERR(*filp); |
| 731 | 732 | out_nfserr: |
fs/open.c
| ... | ... | @@ -783,7 +783,8 @@ |
| 783 | 783 | |
| 784 | 784 | static struct file *__dentry_open(struct dentry *dentry, struct vfsmount *mnt, |
| 785 | 785 | int flags, struct file *f, |
| 786 | - int (*open)(struct inode *, struct file *)) | |
| 786 | + int (*open)(struct inode *, struct file *), | |
| 787 | + const struct cred *cred) | |
| 787 | 788 | { |
| 788 | 789 | struct inode *inode; |
| 789 | 790 | int error; |
| ... | ... | @@ -807,7 +808,7 @@ |
| 807 | 808 | f->f_op = fops_get(inode->i_fop); |
| 808 | 809 | file_move(f, &inode->i_sb->s_files); |
| 809 | 810 | |
| 810 | - error = security_dentry_open(f); | |
| 811 | + error = security_dentry_open(f, cred); | |
| 811 | 812 | if (error) |
| 812 | 813 | goto cleanup_all; |
| 813 | 814 | |
| ... | ... | @@ -882,6 +883,8 @@ |
| 882 | 883 | struct file *lookup_instantiate_filp(struct nameidata *nd, struct dentry *dentry, |
| 883 | 884 | int (*open)(struct inode *, struct file *)) |
| 884 | 885 | { |
| 886 | + const struct cred *cred = current_cred(); | |
| 887 | + | |
| 885 | 888 | if (IS_ERR(nd->intent.open.file)) |
| 886 | 889 | goto out; |
| 887 | 890 | if (IS_ERR(dentry)) |
| ... | ... | @@ -889,7 +892,7 @@ |
| 889 | 892 | nd->intent.open.file = __dentry_open(dget(dentry), mntget(nd->path.mnt), |
| 890 | 893 | nd->intent.open.flags - 1, |
| 891 | 894 | nd->intent.open.file, |
| 892 | - open); | |
| 895 | + open, cred); | |
| 893 | 896 | out: |
| 894 | 897 | return nd->intent.open.file; |
| 895 | 898 | out_err: |
| ... | ... | @@ -908,6 +911,7 @@ |
| 908 | 911 | */ |
| 909 | 912 | struct file *nameidata_to_filp(struct nameidata *nd, int flags) |
| 910 | 913 | { |
| 914 | + const struct cred *cred = current_cred(); | |
| 911 | 915 | struct file *filp; |
| 912 | 916 | |
| 913 | 917 | /* Pick up the filp from the open intent */ |
| ... | ... | @@ -915,7 +919,7 @@ |
| 915 | 919 | /* Has the filesystem initialised the file for us? */ |
| 916 | 920 | if (filp->f_path.dentry == NULL) |
| 917 | 921 | filp = __dentry_open(nd->path.dentry, nd->path.mnt, flags, filp, |
| 918 | - NULL); | |
| 922 | + NULL, cred); | |
| 919 | 923 | else |
| 920 | 924 | path_put(&nd->path); |
| 921 | 925 | return filp; |
| ... | ... | @@ -925,7 +929,8 @@ |
| 925 | 929 | * dentry_open() will have done dput(dentry) and mntput(mnt) if it returns an |
| 926 | 930 | * error. |
| 927 | 931 | */ |
| 928 | -struct file *dentry_open(struct dentry *dentry, struct vfsmount *mnt, int flags) | |
| 932 | +struct file *dentry_open(struct dentry *dentry, struct vfsmount *mnt, int flags, | |
| 933 | + const struct cred *cred) | |
| 929 | 934 | { |
| 930 | 935 | int error; |
| 931 | 936 | struct file *f; |
| ... | ... | @@ -950,7 +955,7 @@ |
| 950 | 955 | return ERR_PTR(error); |
| 951 | 956 | } |
| 952 | 957 | |
| 953 | - return __dentry_open(dentry, mnt, flags, f, NULL); | |
| 958 | + return __dentry_open(dentry, mnt, flags, f, NULL, cred); | |
| 954 | 959 | } |
| 955 | 960 | EXPORT_SYMBOL(dentry_open); |
| 956 | 961 |
fs/xfs/linux-2.6/xfs_ioctl.c
| ... | ... | @@ -256,6 +256,7 @@ |
| 256 | 256 | struct file *parfilp, |
| 257 | 257 | struct inode *parinode) |
| 258 | 258 | { |
| 259 | + const struct cred *cred = current_cred(); | |
| 259 | 260 | int error; |
| 260 | 261 | int new_fd; |
| 261 | 262 | int permflag; |
| ... | ... | @@ -321,7 +322,7 @@ |
| 321 | 322 | mntget(parfilp->f_path.mnt); |
| 322 | 323 | |
| 323 | 324 | /* Create file pointer. */ |
| 324 | - filp = dentry_open(dentry, parfilp->f_path.mnt, hreq.oflags); | |
| 325 | + filp = dentry_open(dentry, parfilp->f_path.mnt, hreq.oflags, cred); | |
| 325 | 326 | if (IS_ERR(filp)) { |
| 326 | 327 | put_unused_fd(new_fd); |
| 327 | 328 | return -XFS_ERROR(-PTR_ERR(filp)); |
include/linux/fs.h
| ... | ... | @@ -315,6 +315,7 @@ |
| 315 | 315 | struct kstatfs; |
| 316 | 316 | struct vm_area_struct; |
| 317 | 317 | struct vfsmount; |
| 318 | +struct cred; | |
| 318 | 319 | |
| 319 | 320 | extern void __init inode_init(void); |
| 320 | 321 | extern void __init inode_init_early(void); |
| ... | ... | @@ -1673,7 +1674,8 @@ |
| 1673 | 1674 | extern long do_sys_open(int dfd, const char __user *filename, int flags, |
| 1674 | 1675 | int mode); |
| 1675 | 1676 | extern struct file *filp_open(const char *, int, int); |
| 1676 | -extern struct file * dentry_open(struct dentry *, struct vfsmount *, int); | |
| 1677 | +extern struct file * dentry_open(struct dentry *, struct vfsmount *, int, | |
| 1678 | + const struct cred *); | |
| 1677 | 1679 | extern int filp_close(struct file *, fl_owner_t id); |
| 1678 | 1680 | extern char * getname(const char __user *); |
| 1679 | 1681 |
include/linux/security.h
| ... | ... | @@ -1402,7 +1402,7 @@ |
| 1402 | 1402 | int (*file_send_sigiotask) (struct task_struct *tsk, |
| 1403 | 1403 | struct fown_struct *fown, int sig); |
| 1404 | 1404 | int (*file_receive) (struct file *file); |
| 1405 | - int (*dentry_open) (struct file *file); | |
| 1405 | + int (*dentry_open) (struct file *file, const struct cred *cred); | |
| 1406 | 1406 | |
| 1407 | 1407 | int (*task_create) (unsigned long clone_flags); |
| 1408 | 1408 | int (*cred_alloc_security) (struct cred *cred); |
| ... | ... | @@ -1658,7 +1658,7 @@ |
| 1658 | 1658 | int security_file_send_sigiotask(struct task_struct *tsk, |
| 1659 | 1659 | struct fown_struct *fown, int sig); |
| 1660 | 1660 | int security_file_receive(struct file *file); |
| 1661 | -int security_dentry_open(struct file *file); | |
| 1661 | +int security_dentry_open(struct file *file, const struct cred *cred); | |
| 1662 | 1662 | int security_task_create(unsigned long clone_flags); |
| 1663 | 1663 | int security_cred_alloc(struct cred *cred); |
| 1664 | 1664 | void security_cred_free(struct cred *cred); |
| ... | ... | @@ -2171,7 +2171,8 @@ |
| 2171 | 2171 | return 0; |
| 2172 | 2172 | } |
| 2173 | 2173 | |
| 2174 | -static inline int security_dentry_open(struct file *file) | |
| 2174 | +static inline int security_dentry_open(struct file *file, | |
| 2175 | + const struct cred *cred) | |
| 2175 | 2176 | { |
| 2176 | 2177 | return 0; |
| 2177 | 2178 | } |
ipc/mqueue.c
| ... | ... | @@ -594,6 +594,7 @@ |
| 594 | 594 | static struct file *do_create(struct dentry *dir, struct dentry *dentry, |
| 595 | 595 | int oflag, mode_t mode, struct mq_attr __user *u_attr) |
| 596 | 596 | { |
| 597 | + const struct cred *cred = current_cred(); | |
| 597 | 598 | struct mq_attr attr; |
| 598 | 599 | struct file *result; |
| 599 | 600 | int ret; |
| ... | ... | @@ -618,7 +619,7 @@ |
| 618 | 619 | if (ret) |
| 619 | 620 | goto out_drop_write; |
| 620 | 621 | |
| 621 | - result = dentry_open(dentry, mqueue_mnt, oflag); | |
| 622 | + result = dentry_open(dentry, mqueue_mnt, oflag, cred); | |
| 622 | 623 | /* |
| 623 | 624 | * dentry_open() took a persistent mnt_want_write(), |
| 624 | 625 | * so we can now drop this one. |
| 625 | 626 | |
| ... | ... | @@ -637,9 +638,11 @@ |
| 637 | 638 | /* Opens existing queue */ |
| 638 | 639 | static struct file *do_open(struct dentry *dentry, int oflag) |
| 639 | 640 | { |
| 640 | -static int oflag2acc[O_ACCMODE] = { MAY_READ, MAY_WRITE, | |
| 641 | - MAY_READ | MAY_WRITE }; | |
| 641 | + const struct cred *cred = current_cred(); | |
| 642 | 642 | |
| 643 | + static const int oflag2acc[O_ACCMODE] = { MAY_READ, MAY_WRITE, | |
| 644 | + MAY_READ | MAY_WRITE }; | |
| 645 | + | |
| 643 | 646 | if ((oflag & O_ACCMODE) == (O_RDWR | O_WRONLY)) { |
| 644 | 647 | dput(dentry); |
| 645 | 648 | mntput(mqueue_mnt); |
| ... | ... | @@ -652,7 +655,7 @@ |
| 652 | 655 | return ERR_PTR(-EACCES); |
| 653 | 656 | } |
| 654 | 657 | |
| 655 | - return dentry_open(dentry, mqueue_mnt, oflag); | |
| 658 | + return dentry_open(dentry, mqueue_mnt, oflag, cred); | |
| 656 | 659 | } |
| 657 | 660 | |
| 658 | 661 | asmlinkage long sys_mq_open(const char __user *u_name, int oflag, mode_t mode, |
security/capability.c
security/security.c
| ... | ... | @@ -606,9 +606,9 @@ |
| 606 | 606 | return security_ops->file_receive(file); |
| 607 | 607 | } |
| 608 | 608 | |
| 609 | -int security_dentry_open(struct file *file) | |
| 609 | +int security_dentry_open(struct file *file, const struct cred *cred) | |
| 610 | 610 | { |
| 611 | - return security_ops->dentry_open(file); | |
| 611 | + return security_ops->dentry_open(file, cred); | |
| 612 | 612 | } |
| 613 | 613 | |
| 614 | 614 | int security_task_create(unsigned long clone_flags) |
security/selinux/hooks.c
| ... | ... | @@ -2150,9 +2150,9 @@ |
| 2150 | 2150 | extern struct dentry *selinux_null; |
| 2151 | 2151 | |
| 2152 | 2152 | /* Derived from fs/exec.c:flush_old_files. */ |
| 2153 | -static inline void flush_unauthorized_files(struct files_struct *files) | |
| 2153 | +static inline void flush_unauthorized_files(const struct cred *cred, | |
| 2154 | + struct files_struct *files) | |
| 2154 | 2155 | { |
| 2155 | - const struct cred *cred = current_cred(); | |
| 2156 | 2156 | struct avc_audit_data ad; |
| 2157 | 2157 | struct file *file, *devnull = NULL; |
| 2158 | 2158 | struct tty_struct *tty; |
| ... | ... | @@ -2222,7 +2222,10 @@ |
| 2222 | 2222 | if (devnull) { |
| 2223 | 2223 | get_file(devnull); |
| 2224 | 2224 | } else { |
| 2225 | - devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR); | |
| 2225 | + devnull = dentry_open( | |
| 2226 | + dget(selinux_null), | |
| 2227 | + mntget(selinuxfs_mount), | |
| 2228 | + O_RDWR, cred); | |
| 2226 | 2229 | if (IS_ERR(devnull)) { |
| 2227 | 2230 | devnull = NULL; |
| 2228 | 2231 | put_unused_fd(fd); |
| ... | ... | @@ -2302,6 +2305,7 @@ |
| 2302 | 2305 | */ |
| 2303 | 2306 | static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm) |
| 2304 | 2307 | { |
| 2308 | + const struct cred *cred = current_cred(); | |
| 2305 | 2309 | struct task_security_struct *tsec; |
| 2306 | 2310 | struct rlimit *rlim, *initrlim; |
| 2307 | 2311 | struct itimerval itimer; |
| ... | ... | @@ -2321,7 +2325,7 @@ |
| 2321 | 2325 | return; |
| 2322 | 2326 | |
| 2323 | 2327 | /* Close files for which the new task SID is not authorized. */ |
| 2324 | - flush_unauthorized_files(current->files); | |
| 2328 | + flush_unauthorized_files(cred, current->files); | |
| 2325 | 2329 | |
| 2326 | 2330 | /* Check whether the new SID can inherit signal state |
| 2327 | 2331 | from the old SID. If not, clear itimers to avoid |
| 2328 | 2332 | |
| ... | ... | @@ -3202,9 +3206,8 @@ |
| 3202 | 3206 | return file_has_perm(cred, file, file_to_av(file)); |
| 3203 | 3207 | } |
| 3204 | 3208 | |
| 3205 | -static int selinux_dentry_open(struct file *file) | |
| 3209 | +static int selinux_dentry_open(struct file *file, const struct cred *cred) | |
| 3206 | 3210 | { |
| 3207 | - const struct cred *cred = current_cred(); | |
| 3208 | 3211 | struct file_security_struct *fsec; |
| 3209 | 3212 | struct inode *inode; |
| 3210 | 3213 | struct inode_security_struct *isec; |