diff options
author | David Howells <dhowells@redhat.com> | 2008-11-13 18:39:22 -0500 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2008-11-13 18:39:22 -0500 |
commit | 745ca2475a6ac596e3d8d37c2759c0fbe2586227 (patch) | |
tree | f87c34bdfbc8542477b16a014bbb4e3b415b286a /security/selinux | |
parent | 88e67f3b8898c5ea81d2916dd5b8bc9c0c35ba13 (diff) |
CRED: Pass credentials through dentry_open()
Pass credentials through dentry_open() so that the COW creds patch can have
SELinux's flush_unauthorized_files() pass the appropriate creds back to itself
when it opens its null chardev.
The security_dentry_open() call also now takes a creds pointer, as does the
dentry_open hook in struct security_operations.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/selinux')
-rw-r--r-- | security/selinux/hooks.c | 15 |
1 files changed, 9 insertions, 6 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index cc6e5a3f10cc..f20cbd681ba6 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
@@ -2150,9 +2150,9 @@ extern struct vfsmount *selinuxfs_mount; | |||
2150 | extern struct dentry *selinux_null; | 2150 | extern struct dentry *selinux_null; |
2151 | 2151 | ||
2152 | /* Derived from fs/exec.c:flush_old_files. */ | 2152 | /* Derived from fs/exec.c:flush_old_files. */ |
2153 | static inline void flush_unauthorized_files(struct files_struct *files) | 2153 | static inline void flush_unauthorized_files(const struct cred *cred, |
2154 | struct files_struct *files) | ||
2154 | { | 2155 | { |
2155 | const struct cred *cred = current_cred(); | ||
2156 | struct avc_audit_data ad; | 2156 | struct avc_audit_data ad; |
2157 | struct file *file, *devnull = NULL; | 2157 | struct file *file, *devnull = NULL; |
2158 | struct tty_struct *tty; | 2158 | struct tty_struct *tty; |
@@ -2222,7 +2222,10 @@ static inline void flush_unauthorized_files(struct files_struct *files) | |||
2222 | if (devnull) { | 2222 | if (devnull) { |
2223 | get_file(devnull); | 2223 | get_file(devnull); |
2224 | } else { | 2224 | } else { |
2225 | devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR); | 2225 | devnull = dentry_open( |
2226 | dget(selinux_null), | ||
2227 | mntget(selinuxfs_mount), | ||
2228 | O_RDWR, cred); | ||
2226 | if (IS_ERR(devnull)) { | 2229 | if (IS_ERR(devnull)) { |
2227 | devnull = NULL; | 2230 | devnull = NULL; |
2228 | put_unused_fd(fd); | 2231 | put_unused_fd(fd); |
@@ -2302,6 +2305,7 @@ static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe) | |||
2302 | */ | 2305 | */ |
2303 | static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm) | 2306 | static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm) |
2304 | { | 2307 | { |
2308 | const struct cred *cred = current_cred(); | ||
2305 | struct task_security_struct *tsec; | 2309 | struct task_security_struct *tsec; |
2306 | struct rlimit *rlim, *initrlim; | 2310 | struct rlimit *rlim, *initrlim; |
2307 | struct itimerval itimer; | 2311 | struct itimerval itimer; |
@@ -2321,7 +2325,7 @@ static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm) | |||
2321 | return; | 2325 | return; |
2322 | 2326 | ||
2323 | /* Close files for which the new task SID is not authorized. */ | 2327 | /* Close files for which the new task SID is not authorized. */ |
2324 | flush_unauthorized_files(current->files); | 2328 | flush_unauthorized_files(cred, current->files); |
2325 | 2329 | ||
2326 | /* Check whether the new SID can inherit signal state | 2330 | /* Check whether the new SID can inherit signal state |
2327 | from the old SID. If not, clear itimers to avoid | 2331 | from the old SID. If not, clear itimers to avoid |
@@ -3202,9 +3206,8 @@ static int selinux_file_receive(struct file *file) | |||
3202 | return file_has_perm(cred, file, file_to_av(file)); | 3206 | return file_has_perm(cred, file, file_to_av(file)); |
3203 | } | 3207 | } |
3204 | 3208 | ||
3205 | static int selinux_dentry_open(struct file *file) | 3209 | static int selinux_dentry_open(struct file *file, const struct cred *cred) |
3206 | { | 3210 | { |
3207 | const struct cred *cred = current_cred(); | ||
3208 | struct file_security_struct *fsec; | 3211 | struct file_security_struct *fsec; |
3209 | struct inode *inode; | 3212 | struct inode *inode; |
3210 | struct inode_security_struct *isec; | 3213 | struct inode_security_struct *isec; |