diff options
| author | Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> | 2009-10-04 08:49:47 -0400 |
|---|---|---|
| committer | James Morris <jmorris@namei.org> | 2009-10-11 19:56:00 -0400 |
| commit | 89eda06837094ce9f34fae269b8773fcfd70f046 (patch) | |
| tree | dc11701c68ebcc8346d7567cfb53b9c7327ef445 /fs | |
| parent | 941fc5b2bf8f7dd1d0a9c502e152fa719ff6578e (diff) | |
LSM: Add security_path_chmod() and security_path_chown().
This patch allows pathname based LSM modules to check chmod()/chown()
operations. Since notify_change() does not receive "struct vfsmount *",
we add security_path_chmod() and security_path_chown() to the caller of
notify_change().
These hooks are used by TOMOYO.
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'fs')
| -rw-r--r-- | fs/open.c | 24 |
1 files changed, 20 insertions, 4 deletions
| @@ -616,6 +616,9 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd, mode_t, mode) | |||
| 616 | err = mnt_want_write_file(file); | 616 | err = mnt_want_write_file(file); |
| 617 | if (err) | 617 | if (err) |
| 618 | goto out_putf; | 618 | goto out_putf; |
| 619 | err = security_path_chmod(dentry, file->f_vfsmnt, mode); | ||
| 620 | if (err) | ||
| 621 | goto out_drop_write; | ||
| 619 | mutex_lock(&inode->i_mutex); | 622 | mutex_lock(&inode->i_mutex); |
| 620 | if (mode == (mode_t) -1) | 623 | if (mode == (mode_t) -1) |
| 621 | mode = inode->i_mode; | 624 | mode = inode->i_mode; |
| @@ -623,6 +626,7 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd, mode_t, mode) | |||
| 623 | newattrs.ia_valid = ATTR_MODE | ATTR_CTIME; | 626 | newattrs.ia_valid = ATTR_MODE | ATTR_CTIME; |
| 624 | err = notify_change(dentry, &newattrs); | 627 | err = notify_change(dentry, &newattrs); |
| 625 | mutex_unlock(&inode->i_mutex); | 628 | mutex_unlock(&inode->i_mutex); |
| 629 | out_drop_write: | ||
| 626 | mnt_drop_write(file->f_path.mnt); | 630 | mnt_drop_write(file->f_path.mnt); |
| 627 | out_putf: | 631 | out_putf: |
| 628 | fput(file); | 632 | fput(file); |
| @@ -645,6 +649,9 @@ SYSCALL_DEFINE3(fchmodat, int, dfd, const char __user *, filename, mode_t, mode) | |||
| 645 | error = mnt_want_write(path.mnt); | 649 | error = mnt_want_write(path.mnt); |
| 646 | if (error) | 650 | if (error) |
| 647 | goto dput_and_out; | 651 | goto dput_and_out; |
| 652 | error = security_path_chmod(path.dentry, path.mnt, mode); | ||
| 653 | if (error) | ||
| 654 | goto out_drop_write; | ||
| 648 | mutex_lock(&inode->i_mutex); | 655 | mutex_lock(&inode->i_mutex); |
| 649 | if (mode == (mode_t) -1) | 656 | if (mode == (mode_t) -1) |
| 650 | mode = inode->i_mode; | 657 | mode = inode->i_mode; |
| @@ -652,6 +659,7 @@ SYSCALL_DEFINE3(fchmodat, int, dfd, const char __user *, filename, mode_t, mode) | |||
| 652 | newattrs.ia_valid = ATTR_MODE | ATTR_CTIME; | 659 | newattrs.ia_valid = ATTR_MODE | ATTR_CTIME; |
| 653 | error = notify_change(path.dentry, &newattrs); | 660 | error = notify_change(path.dentry, &newattrs); |
| 654 | mutex_unlock(&inode->i_mutex); | 661 | mutex_unlock(&inode->i_mutex); |
| 662 | out_drop_write: | ||
| 655 | mnt_drop_write(path.mnt); | 663 | mnt_drop_write(path.mnt); |
| 656 | dput_and_out: | 664 | dput_and_out: |
| 657 | path_put(&path); | 665 | path_put(&path); |
| @@ -700,7 +708,9 @@ SYSCALL_DEFINE3(chown, const char __user *, filename, uid_t, user, gid_t, group) | |||
| 700 | error = mnt_want_write(path.mnt); | 708 | error = mnt_want_write(path.mnt); |
| 701 | if (error) | 709 | if (error) |
| 702 | goto out_release; | 710 | goto out_release; |
| 703 | error = chown_common(path.dentry, user, group); | 711 | error = security_path_chown(&path, user, group); |
| 712 | if (!error) | ||
| 713 | error = chown_common(path.dentry, user, group); | ||
| 704 | mnt_drop_write(path.mnt); | 714 | mnt_drop_write(path.mnt); |
| 705 | out_release: | 715 | out_release: |
| 706 | path_put(&path); | 716 | path_put(&path); |
| @@ -725,7 +735,9 @@ SYSCALL_DEFINE5(fchownat, int, dfd, const char __user *, filename, uid_t, user, | |||
| 725 | error = mnt_want_write(path.mnt); | 735 | error = mnt_want_write(path.mnt); |
| 726 | if (error) | 736 | if (error) |
| 727 | goto out_release; | 737 | goto out_release; |
| 728 | error = chown_common(path.dentry, user, group); | 738 | error = security_path_chown(&path, user, group); |
| 739 | if (!error) | ||
| 740 | error = chown_common(path.dentry, user, group); | ||
| 729 | mnt_drop_write(path.mnt); | 741 | mnt_drop_write(path.mnt); |
| 730 | out_release: | 742 | out_release: |
| 731 | path_put(&path); | 743 | path_put(&path); |
| @@ -744,7 +756,9 @@ SYSCALL_DEFINE3(lchown, const char __user *, filename, uid_t, user, gid_t, group | |||
| 744 | error = mnt_want_write(path.mnt); | 756 | error = mnt_want_write(path.mnt); |
| 745 | if (error) | 757 | if (error) |
| 746 | goto out_release; | 758 | goto out_release; |
| 747 | error = chown_common(path.dentry, user, group); | 759 | error = security_path_chown(&path, user, group); |
| 760 | if (!error) | ||
| 761 | error = chown_common(path.dentry, user, group); | ||
| 748 | mnt_drop_write(path.mnt); | 762 | mnt_drop_write(path.mnt); |
| 749 | out_release: | 763 | out_release: |
| 750 | path_put(&path); | 764 | path_put(&path); |
| @@ -767,7 +781,9 @@ SYSCALL_DEFINE3(fchown, unsigned int, fd, uid_t, user, gid_t, group) | |||
| 767 | goto out_fput; | 781 | goto out_fput; |
| 768 | dentry = file->f_path.dentry; | 782 | dentry = file->f_path.dentry; |
| 769 | audit_inode(NULL, dentry); | 783 | audit_inode(NULL, dentry); |
| 770 | error = chown_common(dentry, user, group); | 784 | error = security_path_chown(&file->f_path, user, group); |
| 785 | if (!error) | ||
| 786 | error = chown_common(dentry, user, group); | ||
| 771 | mnt_drop_write(file->f_path.mnt); | 787 | mnt_drop_write(file->f_path.mnt); |
| 772 | out_fput: | 788 | out_fput: |
| 773 | fput(file); | 789 | fput(file); |