aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAl Viro <viro@zeniv.linux.org.uk>2008-07-17 09:37:02 -0400
committerAl Viro <viro@zeniv.linux.org.uk>2008-07-26 20:53:22 -0400
commitb77b0646ef4efe31a7449bb3d9360fd00f95433d (patch)
treef8487fe832fbe23400c9f98e808555f0251fb158
parenta110343f0d6d41f68b7cf8c00b57a3172c67f816 (diff)
[PATCH] pass MAY_OPEN to vfs_permission() explicitly
... and get rid of the last "let's deduce mask from nameidata->flags" bit. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-rw-r--r--fs/exec.c4
-rw-r--r--fs/namei.c13
-rw-r--r--include/linux/security.h7
-rw-r--r--security/capability.c3
-rw-r--r--security/security.c4
-rw-r--r--security/selinux/hooks.c5
-rw-r--r--security/smack/smack_lsm.c3
7 files changed, 15 insertions, 24 deletions
diff --git a/fs/exec.c b/fs/exec.c
index b8792a131533..0ba5d355c5a1 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -118,7 +118,7 @@ asmlinkage long sys_uselib(const char __user * library)
118 if (!S_ISREG(nd.path.dentry->d_inode->i_mode)) 118 if (!S_ISREG(nd.path.dentry->d_inode->i_mode))
119 goto exit; 119 goto exit;
120 120
121 error = vfs_permission(&nd, MAY_READ | MAY_EXEC); 121 error = vfs_permission(&nd, MAY_READ | MAY_EXEC | MAY_OPEN);
122 if (error) 122 if (error)
123 goto exit; 123 goto exit;
124 124
@@ -666,7 +666,7 @@ struct file *open_exec(const char *name)
666 struct inode *inode = nd.path.dentry->d_inode; 666 struct inode *inode = nd.path.dentry->d_inode;
667 file = ERR_PTR(-EACCES); 667 file = ERR_PTR(-EACCES);
668 if (S_ISREG(inode->i_mode)) { 668 if (S_ISREG(inode->i_mode)) {
669 int err = vfs_permission(&nd, MAY_EXEC); 669 int err = vfs_permission(&nd, MAY_EXEC | MAY_OPEN);
670 file = ERR_PTR(err); 670 file = ERR_PTR(err);
671 if (!err) { 671 if (!err) {
672 file = nameidata_to_filp(&nd, 672 file = nameidata_to_filp(&nd,
diff --git a/fs/namei.c b/fs/namei.c
index 33dcaf025c49..6b0e8e5e079e 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -263,12 +263,7 @@ int permission(struct inode *inode, int mask, struct nameidata *nd)
263 263
264 /* Ordinary permission routines do not understand MAY_APPEND. */ 264 /* Ordinary permission routines do not understand MAY_APPEND. */
265 if (inode->i_op && inode->i_op->permission) { 265 if (inode->i_op && inode->i_op->permission) {
266 int extra = 0; 266 retval = inode->i_op->permission(inode, mask);
267 if (nd) {
268 if (nd->flags & LOOKUP_OPEN)
269 extra |= MAY_OPEN;
270 }
271 retval = inode->i_op->permission(inode, mask | extra);
272 if (!retval) { 267 if (!retval) {
273 /* 268 /*
274 * Exec permission on a regular file is denied if none 269 * Exec permission on a regular file is denied if none
@@ -292,7 +287,7 @@ int permission(struct inode *inode, int mask, struct nameidata *nd)
292 return retval; 287 return retval;
293 288
294 return security_inode_permission(inode, 289 return security_inode_permission(inode,
295 mask & (MAY_READ|MAY_WRITE|MAY_EXEC), nd); 290 mask & (MAY_READ|MAY_WRITE|MAY_EXEC));
296} 291}
297 292
298/** 293/**
@@ -492,7 +487,7 @@ static int exec_permission_lite(struct inode *inode,
492 487
493 return -EACCES; 488 return -EACCES;
494ok: 489ok:
495 return security_inode_permission(inode, MAY_EXEC, nd); 490 return security_inode_permission(inode, MAY_EXEC);
496} 491}
497 492
498/* 493/*
@@ -1692,7 +1687,7 @@ struct file *do_filp_open(int dfd, const char *pathname,
1692 int will_write; 1687 int will_write;
1693 int flag = open_to_namei_flags(open_flag); 1688 int flag = open_to_namei_flags(open_flag);
1694 1689
1695 acc_mode = ACC_MODE(flag); 1690 acc_mode = MAY_OPEN | ACC_MODE(flag);
1696 1691
1697 /* O_TRUNC implies we need access checks for write permissions */ 1692 /* O_TRUNC implies we need access checks for write permissions */
1698 if (flag & O_TRUNC) 1693 if (flag & O_TRUNC)
diff --git a/include/linux/security.h b/include/linux/security.h
index f0e9adb22ac2..fd96e7f8a6f9 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -1362,7 +1362,7 @@ struct security_operations {
1362 struct inode *new_dir, struct dentry *new_dentry); 1362 struct inode *new_dir, struct dentry *new_dentry);
1363 int (*inode_readlink) (struct dentry *dentry); 1363 int (*inode_readlink) (struct dentry *dentry);
1364 int (*inode_follow_link) (struct dentry *dentry, struct nameidata *nd); 1364 int (*inode_follow_link) (struct dentry *dentry, struct nameidata *nd);
1365 int (*inode_permission) (struct inode *inode, int mask, struct nameidata *nd); 1365 int (*inode_permission) (struct inode *inode, int mask);
1366 int (*inode_setattr) (struct dentry *dentry, struct iattr *attr); 1366 int (*inode_setattr) (struct dentry *dentry, struct iattr *attr);
1367 int (*inode_getattr) (struct vfsmount *mnt, struct dentry *dentry); 1367 int (*inode_getattr) (struct vfsmount *mnt, struct dentry *dentry);
1368 void (*inode_delete) (struct inode *inode); 1368 void (*inode_delete) (struct inode *inode);
@@ -1628,7 +1628,7 @@ int security_inode_rename(struct inode *old_dir, struct dentry *old_dentry,
1628 struct inode *new_dir, struct dentry *new_dentry); 1628 struct inode *new_dir, struct dentry *new_dentry);
1629int security_inode_readlink(struct dentry *dentry); 1629int security_inode_readlink(struct dentry *dentry);
1630int security_inode_follow_link(struct dentry *dentry, struct nameidata *nd); 1630int security_inode_follow_link(struct dentry *dentry, struct nameidata *nd);
1631int security_inode_permission(struct inode *inode, int mask, struct nameidata *nd); 1631int security_inode_permission(struct inode *inode, int mask);
1632int security_inode_setattr(struct dentry *dentry, struct iattr *attr); 1632int security_inode_setattr(struct dentry *dentry, struct iattr *attr);
1633int security_inode_getattr(struct vfsmount *mnt, struct dentry *dentry); 1633int security_inode_getattr(struct vfsmount *mnt, struct dentry *dentry);
1634void security_inode_delete(struct inode *inode); 1634void security_inode_delete(struct inode *inode);
@@ -2021,8 +2021,7 @@ static inline int security_inode_follow_link(struct dentry *dentry,
2021 return 0; 2021 return 0;
2022} 2022}
2023 2023
2024static inline int security_inode_permission(struct inode *inode, int mask, 2024static inline int security_inode_permission(struct inode *inode, int mask)
2025 struct nameidata *nd)
2026{ 2025{
2027 return 0; 2026 return 0;
2028} 2027}
diff --git a/security/capability.c b/security/capability.c
index 5b01c0b02422..63d10da515a5 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -211,8 +211,7 @@ static int cap_inode_follow_link(struct dentry *dentry,
211 return 0; 211 return 0;
212} 212}
213 213
214static int cap_inode_permission(struct inode *inode, int mask, 214static int cap_inode_permission(struct inode *inode, int mask)
215 struct nameidata *nd)
216{ 215{
217 return 0; 216 return 0;
218} 217}
diff --git a/security/security.c b/security/security.c
index 59f23b5918b3..78ed3ffde242 100644
--- a/security/security.c
+++ b/security/security.c
@@ -429,11 +429,11 @@ int security_inode_follow_link(struct dentry *dentry, struct nameidata *nd)
429 return security_ops->inode_follow_link(dentry, nd); 429 return security_ops->inode_follow_link(dentry, nd);
430} 430}
431 431
432int security_inode_permission(struct inode *inode, int mask, struct nameidata *nd) 432int security_inode_permission(struct inode *inode, int mask)
433{ 433{
434 if (unlikely(IS_PRIVATE(inode))) 434 if (unlikely(IS_PRIVATE(inode)))
435 return 0; 435 return 0;
436 return security_ops->inode_permission(inode, mask, nd); 436 return security_ops->inode_permission(inode, mask);
437} 437}
438 438
439int security_inode_setattr(struct dentry *dentry, struct iattr *attr) 439int security_inode_setattr(struct dentry *dentry, struct iattr *attr)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 3481cde5bf15..5ba13908b5b4 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2624,12 +2624,11 @@ static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *na
2624 return dentry_has_perm(current, NULL, dentry, FILE__READ); 2624 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2625} 2625}
2626 2626
2627static int selinux_inode_permission(struct inode *inode, int mask, 2627static int selinux_inode_permission(struct inode *inode, int mask)
2628 struct nameidata *nd)
2629{ 2628{
2630 int rc; 2629 int rc;
2631 2630
2632 rc = secondary_ops->inode_permission(inode, mask, nd); 2631 rc = secondary_ops->inode_permission(inode, mask);
2633 if (rc) 2632 if (rc)
2634 return rc; 2633 return rc;
2635 2634
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index ee5a51cbc5eb..1b40e558f983 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -522,8 +522,7 @@ static int smack_inode_rename(struct inode *old_inode,
522 * 522 *
523 * Returns 0 if access is permitted, -EACCES otherwise 523 * Returns 0 if access is permitted, -EACCES otherwise
524 */ 524 */
525static int smack_inode_permission(struct inode *inode, int mask, 525static int smack_inode_permission(struct inode *inode, int mask)
526 struct nameidata *nd)
527{ 526{
528 /* 527 /*
529 * No permission to check. Existence test. Yup, it's there. 528 * No permission to check. Existence test. Yup, it's there.