diff options
author | Eric Paris <eparis@redhat.com> | 2009-12-17 21:24:34 -0500 |
---|---|---|
committer | Eric Paris <eparis@redhat.com> | 2010-07-28 09:59:01 -0400 |
commit | c4ec54b40d33f8016fea970a383cc584dd0e6019 (patch) | |
tree | 8e8865170cf340d1e79dc379f56417588715b2c8 /include/linux | |
parent | d14f1729483fad3a8817fbbcbd017678b7d1ad26 (diff) |
fsnotify: new fsnotify hooks and events types for access decisions
introduce a new fsnotify hook, fsnotify_perm(), which is called from the
security code. This hook is used to allow fsnotify groups to make access
control decisions about events on the system. We also must change the
generic fsnotify function to return an error code if we intend these hooks
to be in any way useful.
Signed-off-by: Eric Paris <eparis@redhat.com>
Diffstat (limited to 'include/linux')
-rw-r--r-- | include/linux/fsnotify.h | 19 | ||||
-rw-r--r-- | include/linux/fsnotify_backend.h | 15 | ||||
-rw-r--r-- | include/linux/security.h | 1 |
3 files changed, 30 insertions, 5 deletions
diff --git a/include/linux/fsnotify.h b/include/linux/fsnotify.h index b8cf161f5a6d..64efda9aae62 100644 --- a/include/linux/fsnotify.h +++ b/include/linux/fsnotify.h | |||
@@ -34,6 +34,25 @@ static inline void fsnotify_parent(struct path *path, struct dentry *dentry, __u | |||
34 | __fsnotify_parent(path, dentry, mask); | 34 | __fsnotify_parent(path, dentry, mask); |
35 | } | 35 | } |
36 | 36 | ||
37 | /* simple call site for access decisions */ | ||
38 | static inline int fsnotify_perm(struct file *file, int mask) | ||
39 | { | ||
40 | struct path *path = &file->f_path; | ||
41 | struct inode *inode = path->dentry->d_inode; | ||
42 | __u32 fsnotify_mask; | ||
43 | |||
44 | if (file->f_mode & FMODE_NONOTIFY) | ||
45 | return 0; | ||
46 | if (!(mask & (MAY_READ | MAY_OPEN))) | ||
47 | return 0; | ||
48 | if (mask & MAY_READ) | ||
49 | fsnotify_mask = FS_ACCESS_PERM; | ||
50 | if (mask & MAY_OPEN) | ||
51 | fsnotify_mask = FS_OPEN_PERM; | ||
52 | |||
53 | return fsnotify(inode, fsnotify_mask, path, FSNOTIFY_EVENT_PATH, NULL, 0); | ||
54 | } | ||
55 | |||
37 | /* | 56 | /* |
38 | * fsnotify_d_move - dentry has been moved | 57 | * fsnotify_d_move - dentry has been moved |
39 | * Called with dcache_lock and dentry->d_lock held. | 58 | * Called with dcache_lock and dentry->d_lock held. |
diff --git a/include/linux/fsnotify_backend.h b/include/linux/fsnotify_backend.h index efe9ba321cf2..c34728e7d8cb 100644 --- a/include/linux/fsnotify_backend.h +++ b/include/linux/fsnotify_backend.h | |||
@@ -41,6 +41,9 @@ | |||
41 | #define FS_Q_OVERFLOW 0x00004000 /* Event queued overflowed */ | 41 | #define FS_Q_OVERFLOW 0x00004000 /* Event queued overflowed */ |
42 | #define FS_IN_IGNORED 0x00008000 /* last inotify event here */ | 42 | #define FS_IN_IGNORED 0x00008000 /* last inotify event here */ |
43 | 43 | ||
44 | #define FS_OPEN_PERM 0x00010000 /* open event in an permission hook */ | ||
45 | #define FS_ACCESS_PERM 0x00020000 /* access event in a permissions hook */ | ||
46 | |||
44 | #define FS_IN_ISDIR 0x40000000 /* event occurred against dir */ | 47 | #define FS_IN_ISDIR 0x40000000 /* event occurred against dir */ |
45 | #define FS_IN_ONESHOT 0x80000000 /* only send event once */ | 48 | #define FS_IN_ONESHOT 0x80000000 /* only send event once */ |
46 | 49 | ||
@@ -282,8 +285,8 @@ struct fsnotify_mark { | |||
282 | /* called from the vfs helpers */ | 285 | /* called from the vfs helpers */ |
283 | 286 | ||
284 | /* main fsnotify call to send events */ | 287 | /* main fsnotify call to send events */ |
285 | extern void fsnotify(struct inode *to_tell, __u32 mask, void *data, int data_is, | 288 | extern int fsnotify(struct inode *to_tell, __u32 mask, void *data, int data_is, |
286 | const unsigned char *name, u32 cookie); | 289 | const unsigned char *name, u32 cookie); |
287 | extern void __fsnotify_parent(struct path *path, struct dentry *dentry, __u32 mask); | 290 | extern void __fsnotify_parent(struct path *path, struct dentry *dentry, __u32 mask); |
288 | extern void __fsnotify_inode_delete(struct inode *inode); | 291 | extern void __fsnotify_inode_delete(struct inode *inode); |
289 | extern void __fsnotify_vfsmount_delete(struct vfsmount *mnt); | 292 | extern void __fsnotify_vfsmount_delete(struct vfsmount *mnt); |
@@ -413,9 +416,11 @@ extern int fsnotify_replace_event(struct fsnotify_event_holder *old_holder, | |||
413 | 416 | ||
414 | #else | 417 | #else |
415 | 418 | ||
416 | static inline void fsnotify(struct inode *to_tell, __u32 mask, void *data, int data_is, | 419 | static inline int fsnotify(struct inode *to_tell, __u32 mask, void *data, int data_is, |
417 | const unsigned char *name, u32 cookie) | 420 | const unsigned char *name, u32 cookie) |
418 | {} | 421 | { |
422 | return 0; | ||
423 | } | ||
419 | 424 | ||
420 | static inline void __fsnotify_parent(struct path *path, struct dentry *dentry, __u32 mask) | 425 | static inline void __fsnotify_parent(struct path *path, struct dentry *dentry, __u32 mask) |
421 | {} | 426 | {} |
diff --git a/include/linux/security.h b/include/linux/security.h index 0c8819170463..24fc29540aa3 100644 --- a/include/linux/security.h +++ b/include/linux/security.h | |||
@@ -23,6 +23,7 @@ | |||
23 | #define __LINUX_SECURITY_H | 23 | #define __LINUX_SECURITY_H |
24 | 24 | ||
25 | #include <linux/fs.h> | 25 | #include <linux/fs.h> |
26 | #include <linux/fsnotify.h> | ||
26 | #include <linux/binfmts.h> | 27 | #include <linux/binfmts.h> |
27 | #include <linux/signal.h> | 28 | #include <linux/signal.h> |
28 | #include <linux/resource.h> | 29 | #include <linux/resource.h> |