author | Eric Paris <eparis@redhat.com> | 2012-04-04 15:01:42 -0400 |
committer | Eric Paris <eparis@redhat.com> | 2012-04-09 12:23:00 -0400 |
commit | 602a8dd6ea6abd463bc26310c4a1b44919f88e68 (patch) | |
tree | 426df8399ff298942a7e30c3a360a666e51ba920 /security | |
parent | 2e33405785d3eaec303c54b4a10afdebf3729da7 (diff) |
SELinux: remove inode_has_perm_noadp
Both callers would be better off using file_has_perm(), which yields better audit
results.
Signed-off-by: Eric Paris <eparis@redhat.com>
Diffstat (limited to 'security')
-rw-r--r-- | security/selinux/hooks.c | 28 |
1 files changed, 4 insertions, 24 deletions
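--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1488,20 +1488,6 @@ static int inode_has_perm(const struct cred *cred,
 return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags);
 }
 
-static int inode_has_perm_noadp(const struct cred *cred,
-struct inode *inode,
-u32 perms,
-unsigned flags)
-{
-struct common_audit_data ad;
-struct selinux_audit_data sad = {0,};
-
-COMMON_AUDIT_DATA_INIT(&ad, INODE);
-ad.u.inode = inode;
-ad.selinux_audit_data = &sad;
-return inode_has_perm(cred, inode, perms, &ad, flags);
-}
-
 /* Same as inode_has_perm, but pass explicit audit data containing
 the dentry to help the auditing code to more easily generate the
 pathname if needed. */
@@ -2128,21 +2114,17 @@ static inline void flush_unauthorized_files(const struct cred *cred,
 spin_lock(&tty_files_lock);
 if (!list_empty(&tty->tty_files)) {
 struct tty_file_private *file_priv;
-struct inode *inode;
 
 /* Revalidate access to controlling tty.
-Use inode_has_perm on the tty inode directly rather
+Use path_has_perm on the tty path directly rather
 than using file_has_perm, as this particular open
 file may belong to another process and we are only
 interested in the inode-based check here. */
 file_priv = list_first_entry(&tty->tty_files,
 struct tty_file_private, list);
 file = file_priv->file;
-inode = file->f_path.dentry->d_inode;
-if (inode_has_perm_noadp(cred, inode,
-FILE__READ | FILE__WRITE, 0)) {
+if (path_has_perm(cred, &file->f_path, FILE__READ | FILE__WRITE))
 drop_tty = 1;
-}
 }
 spin_unlock(&tty_files_lock);
 tty_kref_put(tty);
@@ -3276,12 +3258,10 @@ static int selinux_file_receive(struct file *file)
 static int selinux_file_open(struct file *file, const struct cred *cred)
 {
 struct file_security_struct *fsec;
-struct inode *inode;
 struct inode_security_struct *isec;
 
-inode = file->f_path.dentry->d_inode;
 fsec = file->f_security;
-isec = inode->i_security;
+isec = file->f_path.dentry->d_inode->i_security;
 /*
 * Save inode label and policy sequence number
 * at open-time so that selinux_file_permission
@@ -3299,7 +3279,7 @@ static int selinux_file_open(struct file *file, const struct cred *cred)
 * new inode label or new policy.
 * This check is not redundant - do not remove.
 */
-return inode_has_perm_noadp(cred, inode, open_file_to_av(file), 0);
+return path_has_perm(cred, &file->f_path, open_file_to_av(file));
 }
 
 /* task security operations */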
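Review bot: The controlling-tty revalidation in flush_unauthorized_files now passes another process's `file->f_path` to path_has_perm while holding only `tty_files_lock` and without taking a reference on `file`; the permission decision is still made on the tty inode's SID exactly as before, but the helper described at the top of the first hunk (presumably path_has_perm) feeds the dentry to the audit code for pathname generation, so the comment should state that the path is only used for the audit record and that `tty_files_lock` is what keeps `file` valid here — please confirm the latter against tty_del_file. I would extend the comment's last line to `interested in the inode-based check here; the path is passed only so a denial is audited with the tty pathname, and tty_files_lock keeps file alive for the call. */`. Separately, the commit message says file_has_perm() but both call sites use path_has_perm(), so the message should name the helper actually used. flush_unauthorized_files and its enclosing loop begin before and end after this hunk.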