LSM: separate LSM_AUDIT_DATA_DENTRY from LSM_AUDIT_DATA_PATH

This patch separates and audit message that only contains a dentry from one that contains a full path. This allows us to make it harder to misuse the interfaces or for the interfaces to be implemented wrong. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Casey Schaufler <casey@schaufler-ca.com>
author: Eric Paris <eparis@redhat.com> 2011-04-25 13:10:27 -0400
committer: Eric Paris <eparis@redhat.com> 2011-04-25 18:14:07 -0400
commit: a269434d2fb48a4d66c1d7bf821b7874b59c5b41 (patch)
tree: 9c84b5f3e9f3adb3dd4a7e9da2b72dd7fe7eec49 /security/selinux
parent: f48b7399840b453e7282b523f535561fe9638a2d (diff)
1 files changed, 13 insertions, 13 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index ad664d3056eb..9e8078a42a94 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1569,8 +1569,8 @@ static int may_create(struct inode *dir,
        sid = tsec->sid;
        newsid = tsec->create_sid;
-        COMMON_AUDIT_DATA_INIT(&ad, PATH);
+        COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
-        ad.u.path.dentry = dentry;
+        ad.u.dentry = dentry;
        rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
                          DIR__ADD_NAME | DIR__SEARCH,
@@ -1621,8 +1621,8 @@ static int may_link(struct inode *dir,
        dsec = dir->i_security;
        isec = dentry->d_inode->i_security;
-        COMMON_AUDIT_DATA_INIT(&ad, PATH);
+        COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
-        ad.u.path.dentry = dentry;
+        ad.u.dentry = dentry;
        av = DIR__SEARCH;
        av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
@@ -1667,9 +1667,9 @@ static inline int may_rename(struct inode *old_dir,
        old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
        new_dsec = new_dir->i_security;
-        COMMON_AUDIT_DATA_INIT(&ad, PATH);
+        COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
-        ad.u.path.dentry = old_dentry;
+        ad.u.dentry = old_dentry;
        rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
                          DIR__REMOVE_NAME | DIR__SEARCH, &ad);
        if (rc)
@@ -1685,7 +1685,7 @@ static inline int may_rename(struct inode *old_dir,
                        return rc;
        }
-        ad.u.path.dentry = new_dentry;
+        ad.u.dentry = new_dentry;
        av = DIR__ADD_NAME | DIR__SEARCH;
        if (new_dentry->d_inode)
                av |= DIR__REMOVE_NAME;
@@ -2468,8 +2468,8 @@ static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
        if (flags & MS_KERNMOUNT)
                return 0;
-        COMMON_AUDIT_DATA_INIT(&ad, PATH);
+        COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
-        ad.u.path.dentry = sb->s_root;
+        ad.u.dentry = sb->s_root;
        return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
 }
@@ -2478,8 +2478,8 @@ static int selinux_sb_statfs(struct dentry *dentry)
        const struct cred *cred = current_cred();
        struct common_audit_data ad;
-        COMMON_AUDIT_DATA_INIT(&ad, PATH);
+        COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
-        ad.u.path.dentry = dentry->d_sb->s_root;
+        ad.u.dentry = dentry->d_sb->s_root;
        return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
 }
@@ -2732,8 +2732,8 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
        if (!is_owner_or_cap(inode))
                return -EPERM;
-        COMMON_AUDIT_DATA_INIT(&ad, PATH);
+        COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
-        ad.u.path.dentry = dentry;
+        ad.u.dentry = dentry;
        rc = avc_has_perm(sid, isec->sid, isec->sclass,
                          FILE__RELABELFROM, &ad);
author	Eric Paris <eparis@redhat.com>	2011-04-25 13:10:27 -0400
committer	Eric Paris <eparis@redhat.com>	2011-04-25 18:14:07 -0400
commit	a269434d2fb48a4d66c1d7bf821b7874b59c5b41 (patch)
tree	9c84b5f3e9f3adb3dd4a7e9da2b72dd7fe7eec49 /security/selinux
parent	f48b7399840b453e7282b523f535561fe9638a2d (diff)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index ad664d3056eb..9e8078a42a94 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c
@@ -1569,8 +1569,8 @@ static int may_create(struct inode *dir,
1569	sid = tsec->sid;	1569	sid = tsec->sid;
1570	newsid = tsec->create_sid;	1570	newsid = tsec->create_sid;
1571		1571
1572	COMMON_AUDIT_DATA_INIT(&ad, PATH);	1572	COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1573	ad.u.path.dentry = dentry;	1573	ad.u.dentry = dentry;
1574		1574
1575	rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,	1575	rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1576	DIR__ADD_NAME \| DIR__SEARCH,	1576	DIR__ADD_NAME \| DIR__SEARCH,
@@ -1621,8 +1621,8 @@ static int may_link(struct inode *dir,
1621	dsec = dir->i_security;	1621	dsec = dir->i_security;
1622	isec = dentry->d_inode->i_security;	1622	isec = dentry->d_inode->i_security;
1623		1623
1624	COMMON_AUDIT_DATA_INIT(&ad, PATH);	1624	COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1625	ad.u.path.dentry = dentry;	1625	ad.u.dentry = dentry;
1626		1626
1627	av = DIR__SEARCH;	1627	av = DIR__SEARCH;
1628	av \|= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);	1628	av \|= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
@@ -1667,9 +1667,9 @@ static inline int may_rename(struct inode *old_dir,
1667	old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);	1667	old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1668	new_dsec = new_dir->i_security;	1668	new_dsec = new_dir->i_security;
1669		1669
1670	COMMON_AUDIT_DATA_INIT(&ad, PATH);	1670	COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1671		1671
1672	ad.u.path.dentry = old_dentry;	1672	ad.u.dentry = old_dentry;
1673	rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,	1673	rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1674	DIR__REMOVE_NAME \| DIR__SEARCH, &ad);	1674	DIR__REMOVE_NAME \| DIR__SEARCH, &ad);
1675	if (rc)	1675	if (rc)
@@ -1685,7 +1685,7 @@ static inline int may_rename(struct inode *old_dir,
1685	return rc;	1685	return rc;
1686	}	1686	}
1687		1687
1688	ad.u.path.dentry = new_dentry;	1688	ad.u.dentry = new_dentry;
1689	av = DIR__ADD_NAME \| DIR__SEARCH;	1689	av = DIR__ADD_NAME \| DIR__SEARCH;
1690	if (new_dentry->d_inode)	1690	if (new_dentry->d_inode)
1691	av \|= DIR__REMOVE_NAME;	1691	av \|= DIR__REMOVE_NAME;
@@ -2468,8 +2468,8 @@ static int selinux_sb_kern_mount(struct super_block sb, int flags, void data)
2468	if (flags & MS_KERNMOUNT)	2468	if (flags & MS_KERNMOUNT)
2469	return 0;	2469	return 0;
2470		2470
2471	COMMON_AUDIT_DATA_INIT(&ad, PATH);	2471	COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
2472	ad.u.path.dentry = sb->s_root;	2472	ad.u.dentry = sb->s_root;
2473	return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);	2473	return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2474	}	2474	}
2475		2475
@@ -2478,8 +2478,8 @@ static int selinux_sb_statfs(struct dentry *dentry)
2478	const struct cred *cred = current_cred();	2478	const struct cred *cred = current_cred();
2479	struct common_audit_data ad;	2479	struct common_audit_data ad;
2480		2480
2481	COMMON_AUDIT_DATA_INIT(&ad, PATH);	2481	COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
2482	ad.u.path.dentry = dentry->d_sb->s_root;	2482	ad.u.dentry = dentry->d_sb->s_root;
2483	return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);	2483	return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2484	}	2484	}
2485		2485
@@ -2732,8 +2732,8 @@ static int selinux_inode_setxattr(struct dentry dentry, const char name,
2732	if (!is_owner_or_cap(inode))	2732	if (!is_owner_or_cap(inode))
2733	return -EPERM;	2733	return -EPERM;
2734		2734
2735	COMMON_AUDIT_DATA_INIT(&ad, PATH);	2735	COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
2736	ad.u.path.dentry = dentry;	2736	ad.u.dentry = dentry;
2737		2737
2738	rc = avc_has_perm(sid, isec->sid, isec->sclass,	2738	rc = avc_has_perm(sid, isec->sid, isec->sclass,
2739	FILE__RELABELFROM, &ad);	2739	FILE__RELABELFROM, &ad);