authorEric Paris <eparis@redhat.com>2009-12-17 21:24:34 -0500
committerEric Paris <eparis@redhat.com>2010-07-28 09:59:01 -0400
commitc4ec54b40d33f8016fea970a383cc584dd0e6019 (patch)
tree8e8865170cf340d1e79dc379f56417588715b2c8 /include/linux
parentd14f1729483fad3a8817fbbcbd017678b7d1ad26 (diff)
fsnotify: new fsnotify hooks and events types for access decisions
introduce a new fsnotify hook, fsnotify_perm(), which is called from the security code. This hook is used to allow fsnotify groups to make access control decisions about events on the system. We also must change the generic fsnotify function to return an error code if we intend these hooks to be in any way useful. Signed-off-by: Eric Paris <eparis@redhat.com>
Diffstat (limited to 'include/linux')
-rw-r--r--include/linux/fsnotify.h19
-rw-r--r--include/linux/fsnotify_backend.h15
-rw-r--r--include/linux/security.h1
3 files changed, 30 insertions, 5 deletions
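--- a/include/linux/fsnotify.h
+++ b/include/linux/fsnotify.h
@@ -34,6 +34,25 @@ static inline void fsnotify_parent(struct path *path, struct dentry *dentry, __u
 	__fsnotify_parent(path, dentry, mask);
 }
 
+/* simple call site for access decisions */
+static inline int fsnotify_perm(struct file *file, int mask)
+{
+	struct path *path = &file->f_path;
+	struct inode *inode = path->dentry->d_inode;
+	__u32 fsnotify_mask;
+
+	if (file->f_mode & FMODE_NONOTIFY)
+		return 0;
+	if (!(mask & (MAY_READ | MAY_OPEN)))
+		return 0;
+	if (mask & MAY_READ)
+		fsnotify_mask = FS_ACCESS_PERM;
+	if (mask & MAY_OPEN)
+		fsnotify_mask = FS_OPEN_PERM;
+
+	return fsnotify(inode, fsnotify_mask, path, FSNOTIFY_EVENT_PATH, NULL, 0);
+}
+
 /*
  * fsnotify_d_move - dentry has been moved
  * Called with dcache_lock and dentry->d_lock held.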
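Review bot: In fsnotify_perm() on the new side, when mask carries both MAY_READ and MAY_OPEN the second `if` overwrites fsnotify_mask, so the FS_ACCESS_PERM event is silently dropped and a listener that wants to veto reads never sees it; if open is meant to win, make the priority explicit with `if (mask & MAY_OPEN) fsnotify_mask = FS_OPEN_PERM; else fsnotify_mask = FS_ACCESS_PERM;` (the guard two lines earlier already guarantees one of the two bits is set, and the else form also stops the compiler from seeing a possibly-uninitialized fsnotify_mask). The return value is now an access decision handed to the security layer, so the one-line header comment should state the contract, e.g. `/* simple call site for access decisions: returns 0 to permit, or the error fsnotify() returns when a listener denies the open/read */` — the denial semantics are inferred from the commit message, since fsnotify()'s definition is outside this diff. The dereference of path->dentry->d_inode happens before the FMODE_NONOTIFY and mask checks; it is harmless if every caller passes an open file, but moving it after the early returns would make that assumption unnecessary.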
diff --git a/include/linux/fsnotify_backend.h b/include/linux/fsnotify_backend.h
index efe9ba321cf2..c34728e7d8cb 100644
--- a/include/linux/fsnotify_backend.h
+++ b/include/linux/fsnotify_backend.h
@@ -41,6 +41,9 @@
41#define FS_Q_OVERFLOW 0x00004000 /* Event queued overflowed */ 41#define FS_Q_OVERFLOW 0x00004000 /* Event queued overflowed */
42#define FS_IN_IGNORED 0x00008000 /* last inotify event here */ 42#define FS_IN_IGNORED 0x00008000 /* last inotify event here */
43 43
44#define FS_OPEN_PERM 0x00010000 /* open event in an permission hook */
45#define FS_ACCESS_PERM 0x00020000 /* access event in a permissions hook */
46
44#define FS_IN_ISDIR 0x40000000 /* event occurred against dir */ 47#define FS_IN_ISDIR 0x40000000 /* event occurred against dir */
45#define FS_IN_ONESHOT 0x80000000 /* only send event once */ 48#define FS_IN_ONESHOT 0x80000000 /* only send event once */
46 49
@@ -282,8 +285,8 @@ struct fsnotify_mark {
282/* called from the vfs helpers */ 285/* called from the vfs helpers */
283 286
284/* main fsnotify call to send events */ 287/* main fsnotify call to send events */
285extern void fsnotify(struct inode *to_tell, __u32 mask, void *data, int data_is, 288extern int fsnotify(struct inode *to_tell, __u32 mask, void *data, int data_is,
286 const unsigned char *name, u32 cookie); 289 const unsigned char *name, u32 cookie);
287extern void __fsnotify_parent(struct path *path, struct dentry *dentry, __u32 mask); 290extern void __fsnotify_parent(struct path *path, struct dentry *dentry, __u32 mask);
288extern void __fsnotify_inode_delete(struct inode *inode); 291extern void __fsnotify_inode_delete(struct inode *inode);
289extern void __fsnotify_vfsmount_delete(struct vfsmount *mnt); 292extern void __fsnotify_vfsmount_delete(struct vfsmount *mnt);
@@ -413,9 +416,11 @@ extern int fsnotify_replace_event(struct fsnotify_event_holder *old_holder,
413 416
414#else 417#else
415 418
416static inline void fsnotify(struct inode *to_tell, __u32 mask, void *data, int data_is, 419static inline int fsnotify(struct inode *to_tell, __u32 mask, void *data, int data_is,
417 const unsigned char *name, u32 cookie) 420 const unsigned char *name, u32 cookie)
418{} 421{
422 return 0;
423}
419 424
420static inline void __fsnotify_parent(struct path *path, struct dentry *dentry, __u32 mask) 425static inline void __fsnotify_parent(struct path *path, struct dentry *dentry, __u32 mask)
421{} 426{}
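Review bot: The prototype of fsnotify() in the second hunk now returns int, but the comment above it on the new side, `/* main fsnotify call to send events */`, still reads as a fire-and-forget call and says nothing about what the value means; since fsnotify_perm() passes that value straight to the security layer as an access decision, the declaration should carry the contract, e.g. `/* main fsnotify call to send events; returns 0, or a negative error from a listener that vetoes a *_PERM event */` (hedged: the definition is not in this diff). The `#else` stub in the third hunk returns 0, which means a kernel with fsnotify compiled out permits every FS_OPEN_PERM/FS_ACCESS_PERM request; that is presumably intended, but a one-line comment at the stub saying so would save the next reader from checking. The new FS_OPEN_PERM definition in the first hunk reads "in an permission hook"; it should be "in a permission hook", matching the FS_ACCESS_PERM line below it.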
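--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -23,6 +23,7 @@
 #define __LINUX_SECURITY_H
 
 #include <linux/fs.h>
+#include <linux/fsnotify.h>
 #include <linux/binfmts.h>
 #include <linux/signal.h>
 #include <linux/resource.h>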
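Review bot: Adding `#include <linux/fsnotify.h>` to security.h makes every file that includes security.h pull in fsnotify.h and whatever it includes, although only the code that calls fsnotify_perm() needs the declaration; if that caller is a single .c file (not visible in this diff), the include belongs there rather than in this widely included header. If the header really is needed here, a short comment such as `/* for fsnotify_perm() */` next to the include would record why it was added.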