aboutsummaryrefslogtreecommitdiffstats
path: root/security/selinux
diff options
context:
space:
mode:
authorDavid Howells <dhowells@redhat.com>2008-11-13 18:39:22 -0500
committerJames Morris <jmorris@namei.org>2008-11-13 18:39:22 -0500
commit745ca2475a6ac596e3d8d37c2759c0fbe2586227 (patch)
treef87c34bdfbc8542477b16a014bbb4e3b415b286a /security/selinux
parent88e67f3b8898c5ea81d2916dd5b8bc9c0c35ba13 (diff)
CRED: Pass credentials through dentry_open()
Pass credentials through dentry_open() so that the COW creds patch can have SELinux's flush_unauthorized_files() pass the appropriate creds back to itself when it opens its null chardev. The security_dentry_open() call also now takes a creds pointer, as does the dentry_open hook in struct security_operations. Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: James Morris <jmorris@namei.org> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/selinux')
-rw-r--r--security/selinux/hooks.c15
1 files changed, 9 insertions, 6 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index cc6e5a3f10cc..f20cbd681ba6 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2150,9 +2150,9 @@ extern struct vfsmount *selinuxfs_mount;
2150extern struct dentry *selinux_null; 2150extern struct dentry *selinux_null;
2151 2151
2152/* Derived from fs/exec.c:flush_old_files. */ 2152/* Derived from fs/exec.c:flush_old_files. */
2153static inline void flush_unauthorized_files(struct files_struct *files) 2153static inline void flush_unauthorized_files(const struct cred *cred,
2154 struct files_struct *files)
2154{ 2155{
2155 const struct cred *cred = current_cred();
2156 struct avc_audit_data ad; 2156 struct avc_audit_data ad;
2157 struct file *file, *devnull = NULL; 2157 struct file *file, *devnull = NULL;
2158 struct tty_struct *tty; 2158 struct tty_struct *tty;
@@ -2222,7 +2222,10 @@ static inline void flush_unauthorized_files(struct files_struct *files)
2222 if (devnull) { 2222 if (devnull) {
2223 get_file(devnull); 2223 get_file(devnull);
2224 } else { 2224 } else {
2225 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR); 2225 devnull = dentry_open(
2226 dget(selinux_null),
2227 mntget(selinuxfs_mount),
2228 O_RDWR, cred);
2226 if (IS_ERR(devnull)) { 2229 if (IS_ERR(devnull)) {
2227 devnull = NULL; 2230 devnull = NULL;
2228 put_unused_fd(fd); 2231 put_unused_fd(fd);
@@ -2302,6 +2305,7 @@ static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2302 */ 2305 */
2303static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm) 2306static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2304{ 2307{
2308 const struct cred *cred = current_cred();
2305 struct task_security_struct *tsec; 2309 struct task_security_struct *tsec;
2306 struct rlimit *rlim, *initrlim; 2310 struct rlimit *rlim, *initrlim;
2307 struct itimerval itimer; 2311 struct itimerval itimer;
@@ -2321,7 +2325,7 @@ static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2321 return; 2325 return;
2322 2326
2323 /* Close files for which the new task SID is not authorized. */ 2327 /* Close files for which the new task SID is not authorized. */
2324 flush_unauthorized_files(current->files); 2328 flush_unauthorized_files(cred, current->files);
2325 2329
2326 /* Check whether the new SID can inherit signal state 2330 /* Check whether the new SID can inherit signal state
2327 from the old SID. If not, clear itimers to avoid 2331 from the old SID. If not, clear itimers to avoid
@@ -3202,9 +3206,8 @@ static int selinux_file_receive(struct file *file)
3202 return file_has_perm(cred, file, file_to_av(file)); 3206 return file_has_perm(cred, file, file_to_av(file));
3203} 3207}
3204 3208
3205static int selinux_dentry_open(struct file *file) 3209static int selinux_dentry_open(struct file *file, const struct cred *cred)
3206{ 3210{
3207 const struct cred *cred = current_cred();
3208 struct file_security_struct *fsec; 3211 struct file_security_struct *fsec;
3209 struct inode *inode; 3212 struct inode *inode;
3210 struct inode_security_struct *isec; 3213 struct inode_security_struct *isec;