authorStephen Smalley <sds@tycho.nsa.gov>2005-09-09 16:01:44 -0400
committerLinus Torvalds <torvalds@g5.osdl.org>2005-09-09 16:57:28 -0400
commita74574aafea3a63add3251047601611111f44562 (patch)
treea8f4a809589513c666c6f5518cbe84f50ee5523e /security
parent570bc1c2e5ccdb408081e77507a385dc7ebed7fa (diff)
[PATCH] Remove security_inode_post_create/mkdir/symlink/mknod hooks
This patch removes the inode_post_create/mkdir/mknod/symlink LSM hooks as they are obsoleted by the new inode_init_security hook that enables atomic inode security labeling. If anyone sees any reason to retain these hooks, please speak now. Also, is anyone using the post_rename/link hooks; if not, those could also be removed. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Diffstat (limited to 'security')
-rw-r--r--security/dummy.c28
-rw-r--r--security/selinux/hooks.c111
-rw-r--r--security/selinux/include/objsec.h1
3 files changed, 0 insertions, 140 deletions
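diff --git a/security/dummy.c b/security/dummy.c
index e8a00fa80469..5083314e14b1 100644
--- a/security/dummy.c
+++ b/security/dummy.c
@@ -270,12 +270,6 @@ static int dummy_inode_create (struct inode *inode, struct dentry *dentry,
  return 0;
 }
 
-static void dummy_inode_post_create (struct inode *inode, struct dentry *dentry,
- int mask)
-{
- return;
-}
-
 static int dummy_inode_link (struct dentry *old_dentry, struct inode *inode,
  struct dentry *new_dentry)
 {
@@ -300,24 +294,12 @@ static int dummy_inode_symlink (struct inode *inode, struct dentry *dentry,
  return 0;
 }
 
-static void dummy_inode_post_symlink (struct inode *inode,
- struct dentry *dentry, const char *name)
-{
- return;
-}
-
 static int dummy_inode_mkdir (struct inode *inode, struct dentry *dentry,
  int mask)
 {
  return 0;
 }
 
-static void dummy_inode_post_mkdir (struct inode *inode, struct dentry *dentry,
- int mask)
-{
- return;
-}
-
 static int dummy_inode_rmdir (struct inode *inode, struct dentry *dentry)
 {
  return 0;
@@ -329,12 +311,6 @@ static int dummy_inode_mknod (struct inode *inode, struct dentry *dentry,
  return 0;
 }
 
-static void dummy_inode_post_mknod (struct inode *inode, struct dentry *dentry,
- int mode, dev_t dev)
-{
- return;
-}
-
 static int dummy_inode_rename (struct inode *old_inode,
  struct dentry *old_dentry,
  struct inode *new_inode,
@@ -894,17 +870,13 @@ void security_fixup_ops (struct security_operations *ops)
  set_to_dummy_if_null(ops, inode_free_security);
  set_to_dummy_if_null(ops, inode_init_security);
  set_to_dummy_if_null(ops, inode_create);
- set_to_dummy_if_null(ops, inode_post_create);
  set_to_dummy_if_null(ops, inode_link);
  set_to_dummy_if_null(ops, inode_post_link);
  set_to_dummy_if_null(ops, inode_unlink);
  set_to_dummy_if_null(ops, inode_symlink);
- set_to_dummy_if_null(ops, inode_post_symlink);
  set_to_dummy_if_null(ops, inode_mkdir);
- set_to_dummy_if_null(ops, inode_post_mkdir);
  set_to_dummy_if_null(ops, inode_rmdir);
  set_to_dummy_if_null(ops, inode_mknod);
- set_to_dummy_if_null(ops, inode_post_mknod);
  set_to_dummy_if_null(ops, inode_rename);
  set_to_dummy_if_null(ops, inode_post_rename);
  set_to_dummy_if_null(ops, inode_readlink);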
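diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 265f33d3af9b..c9c20828be79 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1265,91 +1265,6 @@ static int inode_security_set_sid(struct inode *inode, u32 sid)
  return 0;
 }
 
-/* Set the security attributes on a newly created file. */
-static int post_create(struct inode *dir,
- struct dentry *dentry)
-{
-
- struct task_security_struct *tsec;
- struct inode *inode;
- struct inode_security_struct *dsec;
- struct superblock_security_struct *sbsec;
- struct inode_security_struct *isec;
- u32 newsid;
- char *context;
- unsigned int len;
- int rc;
-
- tsec = current->security;
- dsec = dir->i_security;
- sbsec = dir->i_sb->s_security;
-
- inode = dentry->d_inode;
- if (!inode) {
- /* Some file system types (e.g. NFS) may not instantiate
- a dentry for all create operations (e.g. symlink),
- so we have to check to see if the inode is non-NULL. */
- printk(KERN_WARNING "post_create: no inode, dir (dev=%s, "
- "ino=%ld)\n", dir->i_sb->s_id, dir->i_ino);
- return 0;
- }
-
- isec = inode->i_security;
-
- if (isec->security_attr_init)
- return 0;
-
- if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
- newsid = tsec->create_sid;
- } else {
- rc = security_transition_sid(tsec->sid, dsec->sid,
- inode_mode_to_security_class(inode->i_mode),
- &newsid);
- if (rc) {
- printk(KERN_WARNING "post_create: "
- "security_transition_sid failed, rc=%d (dev=%s "
- "ino=%ld)\n",
- -rc, inode->i_sb->s_id, inode->i_ino);
- return rc;
- }
- }
-
- rc = inode_security_set_sid(inode, newsid);
- if (rc) {
- printk(KERN_WARNING "post_create: inode_security_set_sid "
- "failed, rc=%d (dev=%s ino=%ld)\n",
- -rc, inode->i_sb->s_id, inode->i_ino);
- return rc;
- }
-
- if (sbsec->behavior == SECURITY_FS_USE_XATTR &&
- inode->i_op->setxattr) {
- /* Use extended attributes. */
- rc = security_sid_to_context(newsid, &context, &len);
- if (rc) {
- printk(KERN_WARNING "post_create: sid_to_context "
- "failed, rc=%d (dev=%s ino=%ld)\n",
- -rc, inode->i_sb->s_id, inode->i_ino);
- return rc;
- }
- down(&inode->i_sem);
- rc = inode->i_op->setxattr(dentry,
- XATTR_NAME_SELINUX,
- context, len, 0);
- up(&inode->i_sem);
- kfree(context);
- if (rc < 0) {
- printk(KERN_WARNING "post_create: setxattr failed, "
- "rc=%d (dev=%s ino=%ld)\n",
- -rc, inode->i_sb->s_id, inode->i_ino);
- return rc;
- }
- }
-
- return 0;
-}
-
-
 /* Hook functions begin here. */
 
 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
@@ -2076,8 +1991,6 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
  *len = clen;
  }
 
- isec->security_attr_init = 1;
-
  return 0;
 }
 
@@ -2086,11 +1999,6 @@ static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int ma
  return may_create(dir, dentry, SECCLASS_FILE);
 }
 
-static void selinux_inode_post_create(struct inode *dir, struct dentry *dentry, int mask)
-{
- post_create(dir, dentry);
-}
-
 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
 {
  int rc;
@@ -2121,21 +2029,11 @@ static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const
  return may_create(dir, dentry, SECCLASS_LNK_FILE);
 }
 
-static void selinux_inode_post_symlink(struct inode *dir, struct dentry *dentry, const char *name)
-{
- post_create(dir, dentry);
-}
-
 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
 {
  return may_create(dir, dentry, SECCLASS_DIR);
 }
 
-static void selinux_inode_post_mkdir(struct inode *dir, struct dentry *dentry, int mask)
-{
- post_create(dir, dentry);
-}
-
 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
 {
  return may_link(dir, dentry, MAY_RMDIR);
@@ -2152,11 +2050,6 @@ static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mod
  return may_create(dir, dentry, inode_mode_to_security_class(mode));
 }
 
-static void selinux_inode_post_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
-{
- post_create(dir, dentry);
-}
-
 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
  struct inode *new_inode, struct dentry *new_dentry)
 {
@@ -4363,17 +4256,13 @@ static struct security_operations selinux_ops = {
  .inode_free_security = selinux_inode_free_security,
  .inode_init_security = selinux_inode_init_security,
  .inode_create = selinux_inode_create,
- .inode_post_create = selinux_inode_post_create,
  .inode_link = selinux_inode_link,
  .inode_post_link = selinux_inode_post_link,
  .inode_unlink = selinux_inode_unlink,
  .inode_symlink = selinux_inode_symlink,
- .inode_post_symlink = selinux_inode_post_symlink,
  .inode_mkdir = selinux_inode_mkdir,
- .inode_post_mkdir = selinux_inode_post_mkdir,
  .inode_rmdir = selinux_inode_rmdir,
  .inode_mknod = selinux_inode_mknod,
- .inode_post_mknod = selinux_inode_post_mknod,
  .inode_rename = selinux_inode_rename,
  .inode_post_rename = selinux_inode_post_rename,
  .inode_readlink = selinux_inode_readlink,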
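diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
index c515bc0b58a1..887937c8134a 100644
--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -46,7 +46,6 @@ struct inode_security_struct {
  unsigned char initialized; /* initialization flag */
  struct semaphore sem;
  unsigned char inherit; /* inherit SID from parent entry */
- unsigned char security_attr_init; /* security attributes init flag */
 };
 
 struct file_security_struct {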