authorEric Paris <eparis@redhat.com>2012-04-04 15:01:42 -0400
committerEric Paris <eparis@redhat.com>2012-04-09 12:23:00 -0400
commit602a8dd6ea6abd463bc26310c4a1b44919f88e68 (patch)
tree426df8399ff298942a7e30c3a360a666e51ba920 /security
parent2e33405785d3eaec303c54b4a10afdebf3729da7 (diff)
SELinux: remove inode_has_perm_noadp
Both callers are better served by file_has_perm(), which yields more useful audit records. Signed-off-by: Eric Paris <eparis@redhat.com>
Diffstat (limited to 'security')
-rw-r--r--security/selinux/hooks.c28
1 files changed, 4 insertions, 24 deletions
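diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index c99027dc0b36..8417a6afaf30 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1488,20 +1488,6 @@ static int inode_has_perm(const struct cred *cred,
 	return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags);
 }
 
-static int inode_has_perm_noadp(const struct cred *cred,
-				struct inode *inode,
-				u32 perms,
-				unsigned flags)
-{
-	struct common_audit_data ad;
-	struct selinux_audit_data sad = {0,};
-
-	COMMON_AUDIT_DATA_INIT(&ad, INODE);
-	ad.u.inode = inode;
-	ad.selinux_audit_data = &sad;
-	return inode_has_perm(cred, inode, perms, &ad, flags);
-}
-
 /* Same as inode_has_perm, but pass explicit audit data containing
    the dentry to help the auditing code to more easily generate the
    pathname if needed. */
@@ -2128,21 +2114,17 @@ static inline void flush_unauthorized_files(const struct cred *cred,
 		spin_lock(&tty_files_lock);
 		if (!list_empty(&tty->tty_files)) {
 			struct tty_file_private *file_priv;
-			struct inode *inode;
 
 			/* Revalidate access to controlling tty.
-			   Use inode_has_perm on the tty inode directly rather
+			   Use path_has_perm on the tty path directly rather
 			   than using file_has_perm, as this particular open
 			   file may belong to another process and we are only
 			   interested in the inode-based check here. */
 			file_priv = list_first_entry(&tty->tty_files,
 						struct tty_file_private, list);
 			file = file_priv->file;
-			inode = file->f_path.dentry->d_inode;
-			if (inode_has_perm_noadp(cred, inode,
-					   FILE__READ | FILE__WRITE, 0)) {
+			if (path_has_perm(cred, &file->f_path, FILE__READ | FILE__WRITE))
 				drop_tty = 1;
-			}
 		}
 		spin_unlock(&tty_files_lock);
 		tty_kref_put(tty);
@@ -3276,12 +3258,10 @@ static int selinux_file_receive(struct file *file)
 static int selinux_file_open(struct file *file, const struct cred *cred)
 {
 	struct file_security_struct *fsec;
-	struct inode *inode;
 	struct inode_security_struct *isec;
 
-	inode = file->f_path.dentry->d_inode;
 	fsec = file->f_security;
-	isec = inode->i_security;
+	isec = file->f_path.dentry->d_inode->i_security;
 	/*
 	 * Save inode label and policy sequence number
 	 * at open-time so that selinux_file_permission
@@ -3299,7 +3279,7 @@ static int selinux_file_open(struct file *file, const struct cred *cred)
 	 * new inode label or new policy.
 	 * This check is not redundant - do not remove.
 	 */
-	return inode_has_perm_noadp(cred, inode, open_file_to_av(file), 0);
+	return path_has_perm(cred, &file->f_path, open_file_to_av(file));
 }
 
 /* task security operations */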
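Review bot: The rewritten comment in the flush_unauthorized_files hunk still ends with "we are only interested in the inode-based check here" while the new code hands path_has_perm the whole `&file->f_path`, so a reader may take the path to be part of the access decision rather than audit context. I would make the comment say that explicitly, e.g. `/* Revalidate access to the controlling tty. The decision is still made against the tty inode's label; the path is passed only so that a denial is audited with a pathname. Do not use file_has_perm(): this open file may belong to another process. */`. Note also that path_has_perm runs while tty_files_lock is held, exactly as inode_has_perm_noadp did; if the path-carrying audit data makes a denial record more expensive to build (presumably it is what produces the pathname), it is worth confirming that remains safe in that atomic section. flush_unauthorized_files begins before and continues after this hunk.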