Commit 2875fa00830be62431f5ac22d8f85d57f9fa3033
1 parent
a8d05c81fb
Exists in
master
and in
20 other branches
SELinux: introduce path_has_perm
We currently have inode_has_perm and dentry_has_perm. dentry_has_perm just calls inode_has_perm with additional audit data. But dentry_has_perm can take either a dentry or a path. Split those to make the code obvious and to fix the previous problem where I thought dentry_has_perm always had a valid dentry and mnt. Signed-off-by: Eric Paris <eparis@redhat.com>
Showing 1 changed file with 30 additions and 14 deletions Side-by-side Diff
security/selinux/hooks.c
| ... | ... | @@ -1499,16 +1499,29 @@ |
| 1499 | 1499 | the dentry to help the auditing code to more easily generate the |
| 1500 | 1500 | pathname if needed. */ |
| 1501 | 1501 | static inline int dentry_has_perm(const struct cred *cred, |
| 1502 | - struct vfsmount *mnt, | |
| 1503 | 1502 | struct dentry *dentry, |
| 1504 | 1503 | u32 av) |
| 1505 | 1504 | { |
| 1506 | 1505 | struct inode *inode = dentry->d_inode; |
| 1507 | 1506 | struct common_audit_data ad; |
| 1508 | 1507 | |
| 1508 | + COMMON_AUDIT_DATA_INIT(&ad, DENTRY); | |
| 1509 | + ad.u.dentry = dentry; | |
| 1510 | + return inode_has_perm(cred, inode, av, &ad, 0); | |
| 1511 | +} | |
| 1512 | + | |
| 1513 | +/* Same as inode_has_perm, but pass explicit audit data containing | |
| 1514 | + the path to help the auditing code to more easily generate the | |
| 1515 | + pathname if needed. */ | |
| 1516 | +static inline int path_has_perm(const struct cred *cred, | |
| 1517 | + struct path *path, | |
| 1518 | + u32 av) | |
| 1519 | +{ | |
| 1520 | + struct inode *inode = path->dentry->d_inode; | |
| 1521 | + struct common_audit_data ad; | |
| 1522 | + | |
| 1509 | 1523 | COMMON_AUDIT_DATA_INIT(&ad, PATH); |
| 1510 | - ad.u.path.mnt = mnt; | |
| 1511 | - ad.u.path.dentry = dentry; | |
| 1524 | + ad.u.path = *path; | |
| 1512 | 1525 | return inode_has_perm(cred, inode, av, &ad, 0); |
| 1513 | 1526 | } |
| 1514 | 1527 | |
| ... | ... | @@ -1896,7 +1909,7 @@ |
| 1896 | 1909 | { |
| 1897 | 1910 | const struct cred *cred = current_cred(); |
| 1898 | 1911 | |
| 1899 | - return dentry_has_perm(cred, NULL, dentry, FILE__QUOTAON); | |
| 1912 | + return dentry_has_perm(cred, dentry, FILE__QUOTAON); | |
| 1900 | 1913 | } |
| 1901 | 1914 | |
| 1902 | 1915 | static int selinux_syslog(int type) |
| ... | ... | @@ -2496,8 +2509,7 @@ |
| 2496 | 2509 | return superblock_has_perm(cred, path->mnt->mnt_sb, |
| 2497 | 2510 | FILESYSTEM__REMOUNT, NULL); |
| 2498 | 2511 | else |
| 2499 | - return dentry_has_perm(cred, path->mnt, path->dentry, | |
| 2500 | - FILE__MOUNTON); | |
| 2512 | + return path_has_perm(cred, path, FILE__MOUNTON); | |
| 2501 | 2513 | } |
| 2502 | 2514 | |
| 2503 | 2515 | static int selinux_umount(struct vfsmount *mnt, int flags) |
| 2504 | 2516 | |
| ... | ... | @@ -2630,14 +2642,14 @@ |
| 2630 | 2642 | { |
| 2631 | 2643 | const struct cred *cred = current_cred(); |
| 2632 | 2644 | |
| 2633 | - return dentry_has_perm(cred, NULL, dentry, FILE__READ); | |
| 2645 | + return dentry_has_perm(cred, dentry, FILE__READ); | |
| 2634 | 2646 | } |
| 2635 | 2647 | |
| 2636 | 2648 | static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata) |
| 2637 | 2649 | { |
| 2638 | 2650 | const struct cred *cred = current_cred(); |
| 2639 | 2651 | |
| 2640 | - return dentry_has_perm(cred, NULL, dentry, FILE__READ); | |
| 2652 | + return dentry_has_perm(cred, dentry, FILE__READ); | |
| 2641 | 2653 | } |
| 2642 | 2654 | |
| 2643 | 2655 | static int selinux_inode_permission(struct inode *inode, int mask, unsigned flags) |
| 2644 | 2656 | |
| 2645 | 2657 | |
| 2646 | 2658 | |
| ... | ... | @@ -2680,16 +2692,20 @@ |
| 2680 | 2692 | |
| 2681 | 2693 | if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | |
| 2682 | 2694 | ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET)) |
| 2683 | - return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR); | |
| 2695 | + return dentry_has_perm(cred, dentry, FILE__SETATTR); | |
| 2684 | 2696 | |
| 2685 | - return dentry_has_perm(cred, NULL, dentry, FILE__WRITE); | |
| 2697 | + return dentry_has_perm(cred, dentry, FILE__WRITE); | |
| 2686 | 2698 | } |
| 2687 | 2699 | |
| 2688 | 2700 | static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry) |
| 2689 | 2701 | { |
| 2690 | 2702 | const struct cred *cred = current_cred(); |
| 2703 | + struct path path; | |
| 2691 | 2704 | |
| 2692 | - return dentry_has_perm(cred, mnt, dentry, FILE__GETATTR); | |
| 2705 | + path.dentry = dentry; | |
| 2706 | + path.mnt = mnt; | |
| 2707 | + | |
| 2708 | + return path_has_perm(cred, &path, FILE__GETATTR); | |
| 2693 | 2709 | } |
| 2694 | 2710 | |
| 2695 | 2711 | static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name) |
| ... | ... | @@ -2710,7 +2726,7 @@ |
| 2710 | 2726 | |
| 2711 | 2727 | /* Not an attribute we recognize, so just check the |
| 2712 | 2728 | ordinary setattr permission. */ |
| 2713 | - return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR); | |
| 2729 | + return dentry_has_perm(cred, dentry, FILE__SETATTR); | |
| 2714 | 2730 | } |
| 2715 | 2731 | |
| 2716 | 2732 | static int selinux_inode_setxattr(struct dentry *dentry, const char *name, |
| 2717 | 2733 | |
| ... | ... | @@ -2797,14 +2813,14 @@ |
| 2797 | 2813 | { |
| 2798 | 2814 | const struct cred *cred = current_cred(); |
| 2799 | 2815 | |
| 2800 | - return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR); | |
| 2816 | + return dentry_has_perm(cred, dentry, FILE__GETATTR); | |
| 2801 | 2817 | } |
| 2802 | 2818 | |
| 2803 | 2819 | static int selinux_inode_listxattr(struct dentry *dentry) |
| 2804 | 2820 | { |
| 2805 | 2821 | const struct cred *cred = current_cred(); |
| 2806 | 2822 | |
| 2807 | - return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR); | |
| 2823 | + return dentry_has_perm(cred, dentry, FILE__GETATTR); | |
| 2808 | 2824 | } |
| 2809 | 2825 | |
| 2810 | 2826 | static int selinux_inode_removexattr(struct dentry *dentry, const char *name) |