LSM: Add security_path_chmod() and security_path_chown().

This patch allows pathname based LSM modules to check chmod()/chown() operations. Since notify_change() does not receive "struct vfsmount *", we add security_path_chmod() and security_path_chown() to the caller of notify_change(). These hooks are used by TOMOYO. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
author: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> 2009-10-04 08:49:47 -0400
committer: James Morris <jmorris@namei.org> 2009-10-11 19:56:00 -0400
commit: 89eda06837094ce9f34fae269b8773fcfd70f046 (patch)
tree: dc11701c68ebcc8346d7567cfb53b9c7327ef445
parent: 941fc5b2bf8f7dd1d0a9c502e152fa719ff6578e (diff)
4 files changed, 78 insertions, 4 deletions
diff --git a/fs/open.c b/fs/open.c
index 4f01e06227c6..b5c294d35bd1 100644
--- a/fs/open.c
+++ b/fs/open.c
@@ -616,6 +616,9 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd, mode_t, mode)
        err = mnt_want_write_file(file);
        if (err)
                goto out_putf;
+        err = security_path_chmod(dentry, file->f_vfsmnt, mode);
+        if (err)
+                goto out_drop_write;
        mutex_lock(&inode->i_mutex);
        if (mode == (mode_t) -1)
                mode = inode->i_mode;
@@ -623,6 +626,7 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd, mode_t, mode)
        newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
        err = notify_change(dentry, &newattrs);
        mutex_unlock(&inode->i_mutex);
+out_drop_write:
        mnt_drop_write(file->f_path.mnt);
 out_putf:
        fput(file);
@@ -645,6 +649,9 @@ SYSCALL_DEFINE3(fchmodat, int, dfd, const char __user *, filename, mode_t, mode)
        error = mnt_want_write(path.mnt);
        if (error)
                goto dput_and_out;
+        error = security_path_chmod(path.dentry, path.mnt, mode);
+        if (error)
+                goto out_drop_write;
        mutex_lock(&inode->i_mutex);
        if (mode == (mode_t) -1)
                mode = inode->i_mode;
@@ -652,6 +659,7 @@ SYSCALL_DEFINE3(fchmodat, int, dfd, const char __user *, filename, mode_t, mode)
        newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
        error = notify_change(path.dentry, &newattrs);
        mutex_unlock(&inode->i_mutex);
+out_drop_write:
        mnt_drop_write(path.mnt);
 dput_and_out:
        path_put(&path);
@@ -700,7 +708,9 @@ SYSCALL_DEFINE3(chown, const char __user *, filename, uid_t, user, gid_t, group)
        error = mnt_want_write(path.mnt);
        if (error)
                goto out_release;
-        error = chown_common(path.dentry, user, group);
+        error = security_path_chown(&path, user, group);
+        if (!error)
+                error = chown_common(path.dentry, user, group);
        mnt_drop_write(path.mnt);
 out_release:
        path_put(&path);
@@ -725,7 +735,9 @@ SYSCALL_DEFINE5(fchownat, int, dfd, const char __user *, filename, uid_t, user,
        error = mnt_want_write(path.mnt);
        if (error)
                goto out_release;
-        error = chown_common(path.dentry, user, group);
+        error = security_path_chown(&path, user, group);
+        if (!error)
+                error = chown_common(path.dentry, user, group);
        mnt_drop_write(path.mnt);
 out_release:
        path_put(&path);
@@ -744,7 +756,9 @@ SYSCALL_DEFINE3(lchown, const char __user *, filename, uid_t, user, gid_t, group
        error = mnt_want_write(path.mnt);
        if (error)
                goto out_release;
-        error = chown_common(path.dentry, user, group);
+        error = security_path_chown(&path, user, group);
+        if (!error)
+                error = chown_common(path.dentry, user, group);
        mnt_drop_write(path.mnt);
 out_release:
        path_put(&path);
@@ -767,7 +781,9 @@ SYSCALL_DEFINE3(fchown, unsigned int, fd, uid_t, user, gid_t, group)
                goto out_fput;
        dentry = file->f_path.dentry;
        audit_inode(NULL, dentry);
-        error = chown_common(dentry, user, group);
+        error = security_path_chown(&file->f_path, user, group);
+        if (!error)
+                error = chown_common(dentry, user, group);
        mnt_drop_write(file->f_path.mnt);
 out_fput:
        fput(file);
diff --git a/include/linux/security.h b/include/linux/security.h
index 239e40d0450b..c8a584c26f7b 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -447,6 +447,18 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 *      @new_dir contains the path structure for parent of the new link.
 *      @new_dentry contains the dentry structure of the new link.
 *      Return 0 if permission is granted.
+ * @path_chmod:
+ *      Check for permission to change DAC's permission of a file or directory.
+ *      @dentry contains the dentry structure.
+ *      @mnt contains the vfsmnt structure.
+ *      @mode contains DAC's mode.
+ *      Return 0 if permission is granted.
+ * @path_chown:
+ *      Check for permission to change owner/group of a file or directory.
+ *      @path contains the path structure.
+ *      @uid contains new owner's ID.
+ *      @gid contains new group's ID.
+ *      Return 0 if permission is granted.
 * @inode_readlink:
 *      Check the permission to read the symbolic link.
 *      @dentry contains the dentry structure for the file link.
@@ -1488,6 +1500,9 @@ struct security_operations {
                          struct dentry *new_dentry);
        int (*path_rename) (struct path *old_dir, struct dentry *old_dentry,
                            struct path *new_dir, struct dentry *new_dentry);
+        int (*path_chmod) (struct dentry *dentry, struct vfsmount *mnt,
+                           mode_t mode);
+        int (*path_chown) (struct path *path, uid_t uid, gid_t gid);
 #endif
        int (*inode_alloc_security) (struct inode *inode);
@@ -2952,6 +2967,9 @@ int security_path_link(struct dentry *old_dentry, struct path *new_dir,
                       struct dentry *new_dentry);
 int security_path_rename(struct path *old_dir, struct dentry *old_dentry,
                         struct path *new_dir, struct dentry *new_dentry);
+int security_path_chmod(struct dentry *dentry, struct vfsmount *mnt,
+                        mode_t mode);
+int security_path_chown(struct path *path, uid_t uid, gid_t gid);
 #else   /* CONFIG_SECURITY_PATH */
 static inline int security_path_unlink(struct path *dir, struct dentry *dentry)
 {
@@ -3001,6 +3019,18 @@ static inline int security_path_rename(struct path *old_dir,
 {
        return 0;
 }
+static inline int security_path_chmod(struct dentry *dentry,
+                                      struct vfsmount *mnt,
+                                      mode_t mode)
+{
+        return 0;
+}
+static inline int security_path_chown(struct path *path, uid_t uid, gid_t gid)
+{
+        return 0;
+}
 #endif  /* CONFIG_SECURITY_PATH */
 #ifdef CONFIG_KEYS
diff --git a/security/capability.c b/security/capability.c
index fce07a7bc825..09279a8d4a14 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -308,6 +308,17 @@ static int cap_path_truncate(struct path *path, loff_t length,
 {
        return 0;
 }
+static int cap_path_chmod(struct dentry *dentry, struct vfsmount *mnt,
+                          mode_t mode)
+{
+        return 0;
+}
+static int cap_path_chown(struct path *path, uid_t uid, gid_t gid)
+{
+        return 0;
+}
 #endif
 static int cap_file_permission(struct file *file, int mask)
@@ -977,6 +988,8 @@ void security_fixup_ops(struct security_operations *ops)
        set_to_cap_if_null(ops, path_link);
        set_to_cap_if_null(ops, path_rename);
        set_to_cap_if_null(ops, path_truncate);
+        set_to_cap_if_null(ops, path_chmod);
+        set_to_cap_if_null(ops, path_chown);
 #endif
        set_to_cap_if_null(ops, file_permission);
        set_to_cap_if_null(ops, file_alloc_security);
diff --git a/security/security.c b/security/security.c
index c4c673240c1c..5259270e558f 100644
--- a/security/security.c
+++ b/security/security.c
@@ -434,6 +434,21 @@ int security_path_truncate(struct path *path, loff_t length,
                return 0;
        return security_ops->path_truncate(path, length, time_attrs);
 }
+int security_path_chmod(struct dentry *dentry, struct vfsmount *mnt,
+                        mode_t mode)
+{
+        if (unlikely(IS_PRIVATE(dentry->d_inode)))
+                return 0;
+        return security_ops->path_chmod(dentry, mnt, mode);
+}
+int security_path_chown(struct path *path, uid_t uid, gid_t gid)
+{
+        if (unlikely(IS_PRIVATE(path->dentry->d_inode)))
+                return 0;
+        return security_ops->path_chown(path, uid, gid);
+}
 #endif
 int security_inode_create(struct inode *dir, struct dentry *dentry, int mode)
author	Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>	2009-10-04 08:49:47 -0400
committer	James Morris <jmorris@namei.org>	2009-10-11 19:56:00 -0400
commit	89eda06837094ce9f34fae269b8773fcfd70f046 (patch)
tree	dc11701c68ebcc8346d7567cfb53b9c7327ef445
parent	941fc5b2bf8f7dd1d0a9c502e152fa719ff6578e (diff)