SECURITY: Move exec_permission RCU checks into security modules

Right now all RCU walks fall back to reference walk when CONFIG_SECURITY
is enabled, even though just the standard capability module is active.
This is because security_inode_exec_permission unconditionally fails
RCU walks.

Move this decision to the low level security module. This requires
passing the RCU flags down the security hook. This way at least
the capability module and a few easy cases in selinux/smack work
with RCU walks with CONFIG_SECURITY=y

Signed-off-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Eric Paris <eparis@redhat.com>

1 files changed, 2 insertions, 4 deletions

diff --git a/security/security.c b/security/security.c
index 47b8a447118f..7e34f98bf433 100644
--- a/security/security.c
+++ b/security/security.c
@@ -514,16 +514,14 @@ int security_inode_permission(struct inode *inode, int mask)
 {
         if (unlikely(IS_PRIVATE(inode)))
                 return 0;
-        return security_ops->inode_permission(inode, mask);
+        return security_ops->inode_permission(inode, mask, 0);
 }
 
 int security_inode_exec_permission(struct inode *inode, unsigned int flags)
 {
         if (unlikely(IS_PRIVATE(inode)))
                 return 0;
-        if (flags)
-                return -ECHILD;
-        return security_ops->inode_permission(inode, MAY_EXEC);
+        return security_ops->inode_permission(inode, MAY_EXEC, flags);
 }
 
 int security_inode_setattr(struct dentry *dentry, struct iattr *attr)