diff options
| author | Eric Paris <eparis@redhat.com> | 2012-04-04 15:01:42 -0400 |
|---|---|---|
| committer | Eric Paris <eparis@redhat.com> | 2012-04-09 12:23:00 -0400 |
| commit | 602a8dd6ea6abd463bc26310c4a1b44919f88e68 (patch) | |
| tree | 426df8399ff298942a7e30c3a360a666e51ba920 /security/selinux/hooks.c | |
| parent | 2e33405785d3eaec303c54b4a10afdebf3729da7 (diff) | |
SELinux: remove inode_has_perm_noadp
Both callers could better be using file_has_perm() to get better audit
results.
Signed-off-by: Eric Paris <eparis@redhat.com>
Diffstat (limited to 'security/selinux/hooks.c')
| -rw-r--r-- | security/selinux/hooks.c | 28 |
1 files changed, 4 insertions, 24 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index c99027dc0b36..8417a6afaf30 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
| @@ -1488,20 +1488,6 @@ static int inode_has_perm(const struct cred *cred, | |||
| 1488 | return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags); | 1488 | return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags); |
| 1489 | } | 1489 | } |
| 1490 | 1490 | ||
| 1491 | static int inode_has_perm_noadp(const struct cred *cred, | ||
| 1492 | struct inode *inode, | ||
| 1493 | u32 perms, | ||
| 1494 | unsigned flags) | ||
| 1495 | { | ||
| 1496 | struct common_audit_data ad; | ||
| 1497 | struct selinux_audit_data sad = {0,}; | ||
| 1498 | |||
| 1499 | COMMON_AUDIT_DATA_INIT(&ad, INODE); | ||
| 1500 | ad.u.inode = inode; | ||
| 1501 | ad.selinux_audit_data = &sad; | ||
| 1502 | return inode_has_perm(cred, inode, perms, &ad, flags); | ||
| 1503 | } | ||
| 1504 | |||
| 1505 | /* Same as inode_has_perm, but pass explicit audit data containing | 1491 | /* Same as inode_has_perm, but pass explicit audit data containing |
| 1506 | the dentry to help the auditing code to more easily generate the | 1492 | the dentry to help the auditing code to more easily generate the |
| 1507 | pathname if needed. */ | 1493 | pathname if needed. */ |
| @@ -2128,21 +2114,17 @@ static inline void flush_unauthorized_files(const struct cred *cred, | |||
| 2128 | spin_lock(&tty_files_lock); | 2114 | spin_lock(&tty_files_lock); |
| 2129 | if (!list_empty(&tty->tty_files)) { | 2115 | if (!list_empty(&tty->tty_files)) { |
| 2130 | struct tty_file_private *file_priv; | 2116 | struct tty_file_private *file_priv; |
| 2131 | struct inode *inode; | ||
| 2132 | 2117 | ||
| 2133 | /* Revalidate access to controlling tty. | 2118 | /* Revalidate access to controlling tty. |
| 2134 | Use inode_has_perm on the tty inode directly rather | 2119 | Use path_has_perm on the tty path directly rather |
| 2135 | than using file_has_perm, as this particular open | 2120 | than using file_has_perm, as this particular open |
| 2136 | file may belong to another process and we are only | 2121 | file may belong to another process and we are only |
| 2137 | interested in the inode-based check here. */ | 2122 | interested in the inode-based check here. */ |
| 2138 | file_priv = list_first_entry(&tty->tty_files, | 2123 | file_priv = list_first_entry(&tty->tty_files, |
| 2139 | struct tty_file_private, list); | 2124 | struct tty_file_private, list); |
| 2140 | file = file_priv->file; | 2125 | file = file_priv->file; |
| 2141 | inode = file->f_path.dentry->d_inode; | 2126 | if (path_has_perm(cred, &file->f_path, FILE__READ | FILE__WRITE)) |
| 2142 | if (inode_has_perm_noadp(cred, inode, | ||
| 2143 | FILE__READ | FILE__WRITE, 0)) { | ||
| 2144 | drop_tty = 1; | 2127 | drop_tty = 1; |
| 2145 | } | ||
| 2146 | } | 2128 | } |
| 2147 | spin_unlock(&tty_files_lock); | 2129 | spin_unlock(&tty_files_lock); |
| 2148 | tty_kref_put(tty); | 2130 | tty_kref_put(tty); |
| @@ -3276,12 +3258,10 @@ static int selinux_file_receive(struct file *file) | |||
| 3276 | static int selinux_file_open(struct file *file, const struct cred *cred) | 3258 | static int selinux_file_open(struct file *file, const struct cred *cred) |
| 3277 | { | 3259 | { |
| 3278 | struct file_security_struct *fsec; | 3260 | struct file_security_struct *fsec; |
| 3279 | struct inode *inode; | ||
| 3280 | struct inode_security_struct *isec; | 3261 | struct inode_security_struct *isec; |
| 3281 | 3262 | ||
| 3282 | inode = file->f_path.dentry->d_inode; | ||
| 3283 | fsec = file->f_security; | 3263 | fsec = file->f_security; |
| 3284 | isec = inode->i_security; | 3264 | isec = file->f_path.dentry->d_inode->i_security; |
| 3285 | /* | 3265 | /* |
| 3286 | * Save inode label and policy sequence number | 3266 | * Save inode label and policy sequence number |
| 3287 | * at open-time so that selinux_file_permission | 3267 | * at open-time so that selinux_file_permission |
| @@ -3299,7 +3279,7 @@ static int selinux_file_open(struct file *file, const struct cred *cred) | |||
| 3299 | * new inode label or new policy. | 3279 | * new inode label or new policy. |
| 3300 | * This check is not redundant - do not remove. | 3280 | * This check is not redundant - do not remove. |
| 3301 | */ | 3281 | */ |
| 3302 | return inode_has_perm_noadp(cred, inode, open_file_to_av(file), 0); | 3282 | return path_has_perm(cred, &file->f_path, open_file_to_av(file)); |
| 3303 | } | 3283 | } |
| 3304 | 3284 | ||
| 3305 | /* task security operations */ | 3285 | /* task security operations */ |