From 471b4bc0b47b159ccb53b073afdbd4309e814d3a Mon Sep 17 00:00:00 2001 From: Andi Kleen Date: Thu, 21 Apr 2011 17:23:19 -0700 Subject: [PATCH] --- yaml --- r: 250791 b: refs/heads/master c: 1c9904297451f558191e211a48d8838b4bf792b0 h: refs/heads/master i: 250789: 0ac26f355378f4839cf1d5938ebe84fd1cd71a70 250787: b0ff07286724c3d049b03fe3fff6fc57d2973c9e 250783: 06f1916c9fb67a54efabca398e732095b048ceb2 v: v3 --- [refs] | 2 +- trunk/include/linux/security.h | 2 +- trunk/security/capability.c | 2 +- trunk/security/security.c | 6 ++---- trunk/security/selinux/hooks.c | 6 +++++- trunk/security/smack/smack_lsm.c | 6 +++++- 6 files changed, 15 insertions(+), 9 deletions(-) diff --git a/[refs] b/[refs] index d71c42e1bf63..873f9a82b918 100644 --- a/[refs] +++ b/[refs] @@ -1,2 +1,2 @@ --- -refs/heads/master: 6b697323a78bed254ee372f71b1a6a2901bb4b7a +refs/heads/master: 1c9904297451f558191e211a48d8838b4bf792b0 diff --git a/trunk/include/linux/security.h b/trunk/include/linux/security.h index 84a202ac3de9..2f99ecd0fb2a 100644 --- a/trunk/include/linux/security.h +++ b/trunk/include/linux/security.h @@ -1454,7 +1454,7 @@ struct security_operations { struct inode *new_dir, struct dentry *new_dentry); int (*inode_readlink) (struct dentry *dentry); int (*inode_follow_link) (struct dentry *dentry, struct nameidata *nd); - int (*inode_permission) (struct inode *inode, int mask); + int (*inode_permission) (struct inode *inode, int mask, unsigned flags); int (*inode_setattr) (struct dentry *dentry, struct iattr *attr); int (*inode_getattr) (struct vfsmount *mnt, struct dentry *dentry); int (*inode_setxattr) (struct dentry *dentry, const char *name, diff --git a/trunk/security/capability.c b/trunk/security/capability.c index ab3d807accc3..56bb1605fd79 100644 --- a/trunk/security/capability.c +++ b/trunk/security/capability.c @@ -181,7 +181,7 @@ static int cap_inode_follow_link(struct dentry *dentry, return 0; } -static int cap_inode_permission(struct inode *inode, int mask) +static int cap_inode_permission(struct inode *inode, int mask, unsigned flags) { return 0; } diff --git a/trunk/security/security.c b/trunk/security/security.c index 47b8a447118f..7e34f98bf433 100644 --- a/trunk/security/security.c +++ b/trunk/security/security.c @@ -514,16 +514,14 @@ int security_inode_permission(struct inode *inode, int mask) { if (unlikely(IS_PRIVATE(inode))) return 0; - return security_ops->inode_permission(inode, mask); + return security_ops->inode_permission(inode, mask, 0); } int security_inode_exec_permission(struct inode *inode, unsigned int flags) { if (unlikely(IS_PRIVATE(inode))) return 0; - if (flags) - return -ECHILD; - return security_ops->inode_permission(inode, MAY_EXEC); + return security_ops->inode_permission(inode, MAY_EXEC, flags); } int security_inode_setattr(struct dentry *dentry, struct iattr *attr) diff --git a/trunk/security/selinux/hooks.c b/trunk/security/selinux/hooks.c index 7a630a8a5cef..9a220be17a3f 100644 --- a/trunk/security/selinux/hooks.c +++ b/trunk/security/selinux/hooks.c @@ -2635,7 +2635,7 @@ static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *na return dentry_has_perm(cred, NULL, dentry, FILE__READ); } -static int selinux_inode_permission(struct inode *inode, int mask) +static int selinux_inode_permission(struct inode *inode, int mask, unsigned flags) { const struct cred *cred = current_cred(); struct common_audit_data ad; @@ -2649,6 +2649,10 @@ static int selinux_inode_permission(struct inode *inode, int mask) if (!mask) return 0; + /* May be droppable after audit */ + if (flags & IPERM_FLAG_RCU) + return -ECHILD; + COMMON_AUDIT_DATA_INIT(&ad, FS); ad.u.fs.inode = inode; diff --git a/trunk/security/smack/smack_lsm.c b/trunk/security/smack/smack_lsm.c index 23c7a6d0c80c..42fcb47747a3 100644 --- a/trunk/security/smack/smack_lsm.c +++ b/trunk/security/smack/smack_lsm.c @@ -686,7 +686,7 @@ static int smack_inode_rename(struct inode *old_inode, * * Returns 0 if access is permitted, -EACCES otherwise */ -static int smack_inode_permission(struct inode *inode, int mask) +static int smack_inode_permission(struct inode *inode, int mask, unsigned flags) { struct smk_audit_info ad; @@ -696,6 +696,10 @@ static int smack_inode_permission(struct inode *inode, int mask) */ if (mask == 0) return 0; + + /* May be droppable after audit */ + if (flags & IPERM_FLAG_RCU) + return -ECHILD; smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS); smk_ad_setfield_u_fs_inode(&ad, inode); return smk_curacc(smk_of_inode(inode), mask, &ad);