diff options
| author | Eric Paris <eparis@redhat.com> | 2011-04-25 13:10:27 -0400 |
|---|---|---|
| committer | Eric Paris <eparis@redhat.com> | 2011-04-25 18:14:07 -0400 |
| commit | a269434d2fb48a4d66c1d7bf821b7874b59c5b41 (patch) | |
| tree | 9c84b5f3e9f3adb3dd4a7e9da2b72dd7fe7eec49 /security/smack | |
| parent | f48b7399840b453e7282b523f535561fe9638a2d (diff) | |
LSM: separate LSM_AUDIT_DATA_DENTRY from LSM_AUDIT_DATA_PATH
This patch separates and audit message that only contains a dentry from
one that contains a full path. This allows us to make it harder to
misuse the interfaces or for the interfaces to be implemented wrong.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Diffstat (limited to 'security/smack')
| -rw-r--r-- | security/smack/smack.h | 7 | ||||
| -rw-r--r-- | security/smack/smack_lsm.c | 34 |
2 files changed, 21 insertions, 20 deletions
diff --git a/security/smack/smack.h b/security/smack/smack.h index a16925c0e91a..2b6c6a516123 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h | |||
| @@ -316,12 +316,7 @@ static inline void smk_ad_setfield_u_tsk(struct smk_audit_info *a, | |||
| 316 | static inline void smk_ad_setfield_u_fs_path_dentry(struct smk_audit_info *a, | 316 | static inline void smk_ad_setfield_u_fs_path_dentry(struct smk_audit_info *a, |
| 317 | struct dentry *d) | 317 | struct dentry *d) |
| 318 | { | 318 | { |
| 319 | a->a.u.path.dentry = d; | 319 | a->a.u.dentry = d; |
| 320 | } | ||
| 321 | static inline void smk_ad_setfield_u_fs_path_mnt(struct smk_audit_info *a, | ||
| 322 | struct vfsmount *m) | ||
| 323 | { | ||
| 324 | a->a.u.path.mnt = m; | ||
| 325 | } | 320 | } |
| 326 | static inline void smk_ad_setfield_u_fs_inode(struct smk_audit_info *a, | 321 | static inline void smk_ad_setfield_u_fs_inode(struct smk_audit_info *a, |
| 327 | struct inode *i) | 322 | struct inode *i) |
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index eeb393fbf925..a3bdd1383928 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c | |||
| @@ -383,7 +383,7 @@ static int smack_sb_statfs(struct dentry *dentry) | |||
| 383 | int rc; | 383 | int rc; |
| 384 | struct smk_audit_info ad; | 384 | struct smk_audit_info ad; |
| 385 | 385 | ||
| 386 | smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); | 386 | smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); |
| 387 | smk_ad_setfield_u_fs_path_dentry(&ad, dentry); | 387 | smk_ad_setfield_u_fs_path_dentry(&ad, dentry); |
| 388 | 388 | ||
| 389 | rc = smk_curacc(sbp->smk_floor, MAY_READ, &ad); | 389 | rc = smk_curacc(sbp->smk_floor, MAY_READ, &ad); |
| @@ -425,10 +425,13 @@ static int smack_sb_umount(struct vfsmount *mnt, int flags) | |||
| 425 | { | 425 | { |
| 426 | struct superblock_smack *sbp; | 426 | struct superblock_smack *sbp; |
| 427 | struct smk_audit_info ad; | 427 | struct smk_audit_info ad; |
| 428 | struct path path; | ||
| 429 | |||
| 430 | path.dentry = mnt->mnt_root; | ||
| 431 | path.mnt = mnt; | ||
| 428 | 432 | ||
| 429 | smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); | 433 | smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); |
| 430 | smk_ad_setfield_u_fs_path_dentry(&ad, mnt->mnt_root); | 434 | smk_ad_setfield_u_fs_path(&ad, path); |
| 431 | smk_ad_setfield_u_fs_path_mnt(&ad, mnt); | ||
| 432 | 435 | ||
| 433 | sbp = mnt->mnt_sb->s_security; | 436 | sbp = mnt->mnt_sb->s_security; |
| 434 | return smk_curacc(sbp->smk_floor, MAY_WRITE, &ad); | 437 | return smk_curacc(sbp->smk_floor, MAY_WRITE, &ad); |
| @@ -563,7 +566,7 @@ static int smack_inode_link(struct dentry *old_dentry, struct inode *dir, | |||
| 563 | struct smk_audit_info ad; | 566 | struct smk_audit_info ad; |
| 564 | int rc; | 567 | int rc; |
| 565 | 568 | ||
| 566 | smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); | 569 | smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); |
| 567 | smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); | 570 | smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); |
| 568 | 571 | ||
| 569 | isp = smk_of_inode(old_dentry->d_inode); | 572 | isp = smk_of_inode(old_dentry->d_inode); |
| @@ -592,7 +595,7 @@ static int smack_inode_unlink(struct inode *dir, struct dentry *dentry) | |||
| 592 | struct smk_audit_info ad; | 595 | struct smk_audit_info ad; |
| 593 | int rc; | 596 | int rc; |
| 594 | 597 | ||
| 595 | smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); | 598 | smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); |
| 596 | smk_ad_setfield_u_fs_path_dentry(&ad, dentry); | 599 | smk_ad_setfield_u_fs_path_dentry(&ad, dentry); |
| 597 | 600 | ||
| 598 | /* | 601 | /* |
| @@ -623,7 +626,7 @@ static int smack_inode_rmdir(struct inode *dir, struct dentry *dentry) | |||
| 623 | struct smk_audit_info ad; | 626 | struct smk_audit_info ad; |
| 624 | int rc; | 627 | int rc; |
| 625 | 628 | ||
| 626 | smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); | 629 | smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); |
| 627 | smk_ad_setfield_u_fs_path_dentry(&ad, dentry); | 630 | smk_ad_setfield_u_fs_path_dentry(&ad, dentry); |
| 628 | 631 | ||
| 629 | /* | 632 | /* |
| @@ -663,7 +666,7 @@ static int smack_inode_rename(struct inode *old_inode, | |||
| 663 | char *isp; | 666 | char *isp; |
| 664 | struct smk_audit_info ad; | 667 | struct smk_audit_info ad; |
| 665 | 668 | ||
| 666 | smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); | 669 | smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); |
| 667 | smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); | 670 | smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); |
| 668 | 671 | ||
| 669 | isp = smk_of_inode(old_dentry->d_inode); | 672 | isp = smk_of_inode(old_dentry->d_inode); |
| @@ -720,7 +723,7 @@ static int smack_inode_setattr(struct dentry *dentry, struct iattr *iattr) | |||
| 720 | */ | 723 | */ |
| 721 | if (iattr->ia_valid & ATTR_FORCE) | 724 | if (iattr->ia_valid & ATTR_FORCE) |
| 722 | return 0; | 725 | return 0; |
| 723 | smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); | 726 | smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); |
| 724 | smk_ad_setfield_u_fs_path_dentry(&ad, dentry); | 727 | smk_ad_setfield_u_fs_path_dentry(&ad, dentry); |
| 725 | 728 | ||
| 726 | return smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE, &ad); | 729 | return smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE, &ad); |
| @@ -736,10 +739,13 @@ static int smack_inode_setattr(struct dentry *dentry, struct iattr *iattr) | |||
| 736 | static int smack_inode_getattr(struct vfsmount *mnt, struct dentry *dentry) | 739 | static int smack_inode_getattr(struct vfsmount *mnt, struct dentry *dentry) |
| 737 | { | 740 | { |
| 738 | struct smk_audit_info ad; | 741 | struct smk_audit_info ad; |
| 742 | struct path path; | ||
| 743 | |||
| 744 | path.dentry = dentry; | ||
| 745 | path.mnt = mnt; | ||
| 739 | 746 | ||
| 740 | smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); | 747 | smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); |
| 741 | smk_ad_setfield_u_fs_path_dentry(&ad, dentry); | 748 | smk_ad_setfield_u_fs_path(&ad, path); |
| 742 | smk_ad_setfield_u_fs_path_mnt(&ad, mnt); | ||
| 743 | return smk_curacc(smk_of_inode(dentry->d_inode), MAY_READ, &ad); | 749 | return smk_curacc(smk_of_inode(dentry->d_inode), MAY_READ, &ad); |
| 744 | } | 750 | } |
| 745 | 751 | ||
| @@ -784,7 +790,7 @@ static int smack_inode_setxattr(struct dentry *dentry, const char *name, | |||
| 784 | } else | 790 | } else |
| 785 | rc = cap_inode_setxattr(dentry, name, value, size, flags); | 791 | rc = cap_inode_setxattr(dentry, name, value, size, flags); |
| 786 | 792 | ||
| 787 | smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); | 793 | smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); |
| 788 | smk_ad_setfield_u_fs_path_dentry(&ad, dentry); | 794 | smk_ad_setfield_u_fs_path_dentry(&ad, dentry); |
| 789 | 795 | ||
| 790 | if (rc == 0) | 796 | if (rc == 0) |
| @@ -845,7 +851,7 @@ static int smack_inode_getxattr(struct dentry *dentry, const char *name) | |||
| 845 | { | 851 | { |
| 846 | struct smk_audit_info ad; | 852 | struct smk_audit_info ad; |
| 847 | 853 | ||
| 848 | smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); | 854 | smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); |
| 849 | smk_ad_setfield_u_fs_path_dentry(&ad, dentry); | 855 | smk_ad_setfield_u_fs_path_dentry(&ad, dentry); |
| 850 | 856 | ||
| 851 | return smk_curacc(smk_of_inode(dentry->d_inode), MAY_READ, &ad); | 857 | return smk_curacc(smk_of_inode(dentry->d_inode), MAY_READ, &ad); |
| @@ -877,7 +883,7 @@ static int smack_inode_removexattr(struct dentry *dentry, const char *name) | |||
| 877 | } else | 883 | } else |
| 878 | rc = cap_inode_removexattr(dentry, name); | 884 | rc = cap_inode_removexattr(dentry, name); |
| 879 | 885 | ||
| 880 | smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); | 886 | smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); |
| 881 | smk_ad_setfield_u_fs_path_dentry(&ad, dentry); | 887 | smk_ad_setfield_u_fs_path_dentry(&ad, dentry); |
| 882 | if (rc == 0) | 888 | if (rc == 0) |
| 883 | rc = smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE, &ad); | 889 | rc = smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE, &ad); |
| @@ -1070,7 +1076,7 @@ static int smack_file_lock(struct file *file, unsigned int cmd) | |||
| 1070 | { | 1076 | { |
| 1071 | struct smk_audit_info ad; | 1077 | struct smk_audit_info ad; |
| 1072 | 1078 | ||
| 1073 | smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); | 1079 | smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); |
| 1074 | smk_ad_setfield_u_fs_path_dentry(&ad, file->f_path.dentry); | 1080 | smk_ad_setfield_u_fs_path_dentry(&ad, file->f_path.dentry); |
| 1075 | return smk_curacc(file->f_security, MAY_WRITE, &ad); | 1081 | return smk_curacc(file->f_security, MAY_WRITE, &ad); |
| 1076 | } | 1082 | } |