Eric Lee / smarc-ti-linux-kernel

Download as
Browse Code ยป

Commit d09ca73979460b96d5d4684d588b188be9a1f57d

Authored by Eric Paris
Committed by James Morris
1 parent 9cfcac810e
Exists in master and in 20 other branches dlt-processor-sdk-linux-03.00.00.04, newt-ti-linux-3.12.y, processor-sdk-linux-01.00.00, processor-sdk-linux-02.00.01, smarc-ti-linux-3.12.10, smarc-ti-linux-3.12.y, smarc-ti-linux-3.14.y, smarc-ti-linux-3.15.y, smarc-ti-lsk-linux-4.1.y, smarct3x-processor-sdk-04.01.00.06, smarct3x-processor-sdk-linux-02.00.01, smarct3x-processor-sdk-linux-03.00.00.04, smarct4x-800-processor-sdk-linux-02.00.01, smarct4x-processor-sdk-04.01.00.06, smarct4x-processor-sdk-linux-02.00.01, smarct4x-processor-sdk-linux-03.00.00.04, ti-linux-3.12.y, ti-linux-3.14.y, ti-linux-3.15.y, ti-lsk-linux-4.1.y

security: make LSMs explicitly mask off permissions 

SELinux needs to pass the MAY_ACCESS flag so it can handle auditting
correctly.  Presently the masking of MAY_* flags is done in the VFS.  In
order to allow LSMs to decide what flags they care about and what flags
they don't just pass them all and the each LSM mask off what they don't
need.  This patch should contain no functional changes to either the VFS or
any LSM.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by:  Stephen D. Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>

Showing 3 changed files with 5 additions and 2 deletions Side-by-side Diff

... ... @@ -282,8 +282,7 @@
282 282 if (retval)
283 283 return retval;
284 284  
285   - return security_inode_permission(inode,
286   - mask & (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND));
  285 + return security_inode_permission(inode, mask);
287 286 }
288 287  
289 288 /**
security/selinux/hooks.c
Diff comments   View file @ d09ca73
... ... @@ -2645,6 +2645,8 @@
2645 2645 {
2646 2646 const struct cred *cred = current_cred();
2647 2647  
  2648 + mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
  2649 +
2648 2650 if (!mask) {
2649 2651 /* No permission to check. Existence test. */
2650 2652 return 0;
security/smack/smack_lsm.c
Diff comments   View file @ d09ca73
... ... @@ -598,6 +598,8 @@
598 598 static int smack_inode_permission(struct inode *inode, int mask)
599 599 {
600 600 struct smk_audit_info ad;
  601 +
  602 + mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
601 603 /*
602 604 * No permission to check. Existence test. Yup, it's there.
603 605 */