introduce new LSM hooks where vfsmount is available.

Add new LSM hooks for path-based checks. Call them on directory-modifying operations at the points where we still know the vfsmount involved. Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: Toshiharu Harada <haradats@nttdata.co.jp> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
author: Kentaro Takeda <takedakn@nttdata.co.jp> 2008-12-16 23:24:15 -0500
committer: Al Viro <viro@zeniv.linux.org.uk> 2008-12-31 18:07:37 -0500
commit: be6d3e56a6b9b3a4ee44a0685e39e595073c6f0d (patch)
tree: 3a770f4cc676efeba443b28caa1ad195eeff49bc /security/capability.c
parent: 6a94cb73064c952255336cc57731904174b2c58f (diff)
1 files changed, 57 insertions, 0 deletions
diff --git a/security/capability.c b/security/capability.c
index 2dce66fcb992..c545bd1300b5 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -263,6 +263,53 @@ static void cap_inode_getsecid(const struct inode *inode, u32 *secid)
        *secid = 0;
 }
+#ifdef CONFIG_SECURITY_PATH
+static int cap_path_mknod(struct path *dir, struct dentry *dentry, int mode,
+                          unsigned int dev)
+{
+        return 0;
+}
+static int cap_path_mkdir(struct path *dir, struct dentry *dentry, int mode)
+{
+        return 0;
+}
+static int cap_path_rmdir(struct path *dir, struct dentry *dentry)
+{
+        return 0;
+}
+static int cap_path_unlink(struct path *dir, struct dentry *dentry)
+{
+        return 0;
+}
+static int cap_path_symlink(struct path *dir, struct dentry *dentry,
+                            const char *old_name)
+{
+        return 0;
+}
+static int cap_path_link(struct dentry *old_dentry, struct path *new_dir,
+                         struct dentry *new_dentry)
+{
+        return 0;
+}
+static int cap_path_rename(struct path *old_path, struct dentry *old_dentry,
+                           struct path *new_path, struct dentry *new_dentry)
+{
+        return 0;
+}
+static int cap_path_truncate(struct path *path, loff_t length,
+                             unsigned int time_attrs)
+{
+        return 0;
+}
+#endif
 static int cap_file_permission(struct file *file, int mask)
 {
        return 0;
@@ -883,6 +930,16 @@ void security_fixup_ops(struct security_operations *ops)
        set_to_cap_if_null(ops, inode_setsecurity);
        set_to_cap_if_null(ops, inode_listsecurity);
        set_to_cap_if_null(ops, inode_getsecid);
+#ifdef CONFIG_SECURITY_PATH
+        set_to_cap_if_null(ops, path_mknod);
+        set_to_cap_if_null(ops, path_mkdir);
+        set_to_cap_if_null(ops, path_rmdir);
+        set_to_cap_if_null(ops, path_unlink);
+        set_to_cap_if_null(ops, path_symlink);
+        set_to_cap_if_null(ops, path_link);
+        set_to_cap_if_null(ops, path_rename);
+        set_to_cap_if_null(ops, path_truncate);
+#endif
        set_to_cap_if_null(ops, file_permission);
        set_to_cap_if_null(ops, file_alloc_security);
        set_to_cap_if_null(ops, file_free_security);
author	Kentaro Takeda <takedakn@nttdata.co.jp>	2008-12-16 23:24:15 -0500
committer	Al Viro <viro@zeniv.linux.org.uk>	2008-12-31 18:07:37 -0500
commit	be6d3e56a6b9b3a4ee44a0685e39e595073c6f0d (patch)
tree	3a770f4cc676efeba443b28caa1ad195eeff49bc /security/capability.c
parent	6a94cb73064c952255336cc57731904174b2c58f (diff)

diff --git a/security/capability.c b/security/capability.c index 2dce66fcb992..c545bd1300b5 100644 --- a/security/capability.c +++ b/security/capability.c
@@ -263,6 +263,53 @@ static void cap_inode_getsecid(const struct inode inode, u32 secid)
263	*secid = 0;	263	*secid = 0;
264	}	264	}
265		265
		266	#ifdef CONFIG_SECURITY_PATH
		267	static int cap_path_mknod(struct path dir, struct dentry dentry, int mode,
		268	unsigned int dev)
		269	{
		270	return 0;
		271	}
		272
		273	static int cap_path_mkdir(struct path dir, struct dentry dentry, int mode)
		274	{
		275	return 0;
		276	}
		277
		278	static int cap_path_rmdir(struct path dir, struct dentry dentry)
		279	{
		280	return 0;
		281	}
		282
		283	static int cap_path_unlink(struct path dir, struct dentry dentry)
		284	{
		285	return 0;
		286	}
		287
		288	static int cap_path_symlink(struct path dir, struct dentry dentry,
		289	const char *old_name)
		290	{
		291	return 0;
		292	}
		293
		294	static int cap_path_link(struct dentry old_dentry, struct path new_dir,
		295	struct dentry *new_dentry)
		296	{
		297	return 0;
		298	}
		299
		300	static int cap_path_rename(struct path old_path, struct dentry old_dentry,
		301	struct path new_path, struct dentry new_dentry)
		302	{
		303	return 0;
		304	}
		305
		306	static int cap_path_truncate(struct path *path, loff_t length,
		307	unsigned int time_attrs)
		308	{
		309	return 0;
		310	}
		311	#endif
		312
266	static int cap_file_permission(struct file *file, int mask)	313	static int cap_file_permission(struct file *file, int mask)
267	{	314	{
268	return 0;	315	return 0;
@@ -883,6 +930,16 @@ void security_fixup_ops(struct security_operations *ops)
883	set_to_cap_if_null(ops, inode_setsecurity);	930	set_to_cap_if_null(ops, inode_setsecurity);
884	set_to_cap_if_null(ops, inode_listsecurity);	931	set_to_cap_if_null(ops, inode_listsecurity);
885	set_to_cap_if_null(ops, inode_getsecid);	932	set_to_cap_if_null(ops, inode_getsecid);
		933	#ifdef CONFIG_SECURITY_PATH
		934	set_to_cap_if_null(ops, path_mknod);
		935	set_to_cap_if_null(ops, path_mkdir);
		936	set_to_cap_if_null(ops, path_rmdir);
		937	set_to_cap_if_null(ops, path_unlink);
		938	set_to_cap_if_null(ops, path_symlink);
		939	set_to_cap_if_null(ops, path_link);
		940	set_to_cap_if_null(ops, path_rename);
		941	set_to_cap_if_null(ops, path_truncate);
		942	#endif
886	set_to_cap_if_null(ops, file_permission);	943	set_to_cap_if_null(ops, file_permission);
887	set_to_cap_if_null(ops, file_alloc_security);	944	set_to_cap_if_null(ops, file_alloc_security);
888	set_to_cap_if_null(ops, file_free_security);	945	set_to_cap_if_null(ops, file_free_security);