[PATCH] Remove security_inode_post_create/mkdir/symlink/mknod hooks

This patch removes the inode_post_create/mkdir/mknod/symlink LSM hooks as they are obsoleted by the new inode_init_security hook that enables atomic inode security labeling. If anyone sees any reason to retain these hooks, please speak now. Also, is anyone using the post_rename/link hooks; if not, those could also be removed. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
author: Stephen Smalley <sds@tycho.nsa.gov> 2005-09-09 16:01:44 -0400
committer: Linus Torvalds <torvalds@g5.osdl.org> 2005-09-09 16:57:28 -0400
commit: a74574aafea3a63add3251047601611111f44562 (patch)
tree: a8f4a809589513c666c6f5518cbe84f50ee5523e /security
parent: 570bc1c2e5ccdb408081e77507a385dc7ebed7fa (diff)
3 files changed, 0 insertions, 140 deletions
diff --git a/security/dummy.c b/security/dummy.c
index e8a00fa80469..5083314e14b1 100644
--- a/security/dummy.c
+++ b/security/dummy.c
@@ -270,12 +270,6 @@ static int dummy_inode_create (struct inode *inode, struct dentry *dentry,
        return 0;
 }
-static void dummy_inode_post_create (struct inode *inode, struct dentry *dentry,
-                                     int mask)
-{
-        return;
-}
 static int dummy_inode_link (struct dentry *old_dentry, struct inode *inode,
                             struct dentry *new_dentry)
 {
@@ -300,24 +294,12 @@ static int dummy_inode_symlink (struct inode *inode, struct dentry *dentry,
        return 0;
 }
-static void dummy_inode_post_symlink (struct inode *inode,
-                                      struct dentry *dentry, const char *name)
-{
-        return;
-}
 static int dummy_inode_mkdir (struct inode *inode, struct dentry *dentry,
                              int mask)
 {
        return 0;
 }
-static void dummy_inode_post_mkdir (struct inode *inode, struct dentry *dentry,
-                                    int mask)
-{
-        return;
-}
 static int dummy_inode_rmdir (struct inode *inode, struct dentry *dentry)
 {
        return 0;
@@ -329,12 +311,6 @@ static int dummy_inode_mknod (struct inode *inode, struct dentry *dentry,
        return 0;
 }
-static void dummy_inode_post_mknod (struct inode *inode, struct dentry *dentry,
-                                    int mode, dev_t dev)
-{
-        return;
-}
 static int dummy_inode_rename (struct inode *old_inode,
                               struct dentry *old_dentry,
                               struct inode *new_inode,
@@ -894,17 +870,13 @@ void security_fixup_ops (struct security_operations *ops)
        set_to_dummy_if_null(ops, inode_free_security);
        set_to_dummy_if_null(ops, inode_init_security);
        set_to_dummy_if_null(ops, inode_create);
-        set_to_dummy_if_null(ops, inode_post_create);
        set_to_dummy_if_null(ops, inode_link);
        set_to_dummy_if_null(ops, inode_post_link);
        set_to_dummy_if_null(ops, inode_unlink);
        set_to_dummy_if_null(ops, inode_symlink);
-        set_to_dummy_if_null(ops, inode_post_symlink);
        set_to_dummy_if_null(ops, inode_mkdir);
-        set_to_dummy_if_null(ops, inode_post_mkdir);
        set_to_dummy_if_null(ops, inode_rmdir);
        set_to_dummy_if_null(ops, inode_mknod);
-        set_to_dummy_if_null(ops, inode_post_mknod);
        set_to_dummy_if_null(ops, inode_rename);
        set_to_dummy_if_null(ops, inode_post_rename);
        set_to_dummy_if_null(ops, inode_readlink);
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 265f33d3af9b..c9c20828be79 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1265,91 +1265,6 @@ static int inode_security_set_sid(struct inode *inode, u32 sid)
        return 0;
 }
-/* Set the security attributes on a newly created file. */
-static int post_create(struct inode *dir,
-                       struct dentry *dentry)
-{
-        struct task_security_struct *tsec;
-        struct inode *inode;
-        struct inode_security_struct *dsec;
-        struct superblock_security_struct *sbsec;
-        struct inode_security_struct *isec;
-        u32 newsid;
-        char *context;
-        unsigned int len;
-        int rc;
-        tsec = current->security;
-        dsec = dir->i_security;
-        sbsec = dir->i_sb->s_security;
-        inode = dentry->d_inode;
-        if (!inode) {
-                /* Some file system types (e.g. NFS) may not instantiate
-                   a dentry for all create operations (e.g. symlink),
-                   so we have to check to see if the inode is non-NULL. */
-                printk(KERN_WARNING "post_create:  no inode, dir (dev=%s, "
-                       "ino=%ld)\n", dir->i_sb->s_id, dir->i_ino);
-                return 0;
-        }
-        isec = inode->i_security;
-        if (isec->security_attr_init)
-                return 0;
-        if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
-                newsid = tsec->create_sid;
-        } else {
-                rc = security_transition_sid(tsec->sid, dsec->sid,
-                                             inode_mode_to_security_class(inode->i_mode),
-                                             &newsid);
-                if (rc) {
-                        printk(KERN_WARNING "post_create:  "
-                               "security_transition_sid failed, rc=%d (dev=%s "
-                               "ino=%ld)\n",
-                               -rc, inode->i_sb->s_id, inode->i_ino);
-                        return rc;
-                }
-        }
-        rc = inode_security_set_sid(inode, newsid);
-        if (rc) {
-                printk(KERN_WARNING "post_create:  inode_security_set_sid "
-                       "failed, rc=%d (dev=%s ino=%ld)\n",
-                       -rc, inode->i_sb->s_id, inode->i_ino);
-                return rc;
-        }
-        if (sbsec->behavior == SECURITY_FS_USE_XATTR &&
-            inode->i_op->setxattr) {
-                /* Use extended attributes. */
-                rc = security_sid_to_context(newsid, &context, &len);
-                if (rc) {
-                        printk(KERN_WARNING "post_create:  sid_to_context "
-                               "failed, rc=%d (dev=%s ino=%ld)\n",
-                               -rc, inode->i_sb->s_id, inode->i_ino);
-                        return rc;
-                }
-                down(&inode->i_sem);
-                rc = inode->i_op->setxattr(dentry,
-                                           XATTR_NAME_SELINUX,
-                                           context, len, 0);
-                up(&inode->i_sem);
-                kfree(context);
-                if (rc < 0) {
-                        printk(KERN_WARNING "post_create:  setxattr failed, "
-                               "rc=%d (dev=%s ino=%ld)\n",
-                               -rc, inode->i_sb->s_id, inode->i_ino);
-                        return rc;
-                }
-        }
-        return 0;
-}
 /* Hook functions begin here. */
 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
@@ -2076,8 +1991,6 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
                *len = clen;
        }
-        isec->security_attr_init = 1;
        return 0;
 }
@@ -2086,11 +1999,6 @@ static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int ma
        return may_create(dir, dentry, SECCLASS_FILE);
 }
-static void selinux_inode_post_create(struct inode *dir, struct dentry *dentry, int mask)
-{
-        post_create(dir, dentry);
-}
 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
 {
        int rc;
@@ -2121,21 +2029,11 @@ static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const
        return may_create(dir, dentry, SECCLASS_LNK_FILE);
 }
-static void selinux_inode_post_symlink(struct inode *dir, struct dentry *dentry, const char *name)
-{
-        post_create(dir, dentry);
-}
 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
 {
        return may_create(dir, dentry, SECCLASS_DIR);
 }
-static void selinux_inode_post_mkdir(struct inode *dir, struct dentry *dentry, int mask)
-{
-        post_create(dir, dentry);
-}
 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
 {
        return may_link(dir, dentry, MAY_RMDIR);
@@ -2152,11 +2050,6 @@ static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mod
        return may_create(dir, dentry, inode_mode_to_security_class(mode));
 }
-static void selinux_inode_post_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
-{
-        post_create(dir, dentry);
-}
 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
                                struct inode *new_inode, struct dentry *new_dentry)
 {
@@ -4363,17 +4256,13 @@ static struct security_operations selinux_ops = {
        .inode_free_security =          selinux_inode_free_security,
        .inode_init_security =          selinux_inode_init_security,
        .inode_create =                 selinux_inode_create,
-        .inode_post_create =            selinux_inode_post_create,
        .inode_link =                   selinux_inode_link,
        .inode_post_link =              selinux_inode_post_link,
        .inode_unlink =                 selinux_inode_unlink,
        .inode_symlink =                selinux_inode_symlink,
-        .inode_post_symlink =           selinux_inode_post_symlink,
        .inode_mkdir =                  selinux_inode_mkdir,
-        .inode_post_mkdir =             selinux_inode_post_mkdir,
        .inode_rmdir =                  selinux_inode_rmdir,
        .inode_mknod =                  selinux_inode_mknod,
-        .inode_post_mknod =             selinux_inode_post_mknod,
        .inode_rename =                 selinux_inode_rename,
        .inode_post_rename =            selinux_inode_post_rename,
        .inode_readlink =               selinux_inode_readlink,
diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
index c515bc0b58a1..887937c8134a 100644
--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -46,7 +46,6 @@ struct inode_security_struct {
        unsigned char initialized;     /* initialization flag */
        struct semaphore sem;
        unsigned char inherit;         /* inherit SID from parent entry */
-        unsigned char security_attr_init; /* security attributes init flag */
 };
 struct file_security_struct {
author	Stephen Smalley <sds@tycho.nsa.gov>	2005-09-09 16:01:44 -0400
committer	Linus Torvalds <torvalds@g5.osdl.org>	2005-09-09 16:57:28 -0400
commit	a74574aafea3a63add3251047601611111f44562 (patch)
tree	a8f4a809589513c666c6f5518cbe84f50ee5523e /security
parent	570bc1c2e5ccdb408081e77507a385dc7ebed7fa (diff)

diff --git a/security/dummy.c b/security/dummy.c index e8a00fa80469..5083314e14b1 100644 --- a/security/dummy.c +++ b/security/dummy.c
@@ -270,12 +270,6 @@ static int dummy_inode_create (struct inode inode, struct dentry dentry,
270	return 0;	270	return 0;
271	}	271	}
272		272
273	static void dummy_inode_post_create (struct inode inode, struct dentry dentry,
274	int mask)
275	{
276	return;
277	}
278
279	static int dummy_inode_link (struct dentry old_dentry, struct inode inode,	273	static int dummy_inode_link (struct dentry old_dentry, struct inode inode,
280	struct dentry *new_dentry)	274	struct dentry *new_dentry)
281	{	275	{
@@ -300,24 +294,12 @@ static int dummy_inode_symlink (struct inode inode, struct dentry dentry,
300	return 0;	294	return 0;
301	}	295	}
302		296
303	static void dummy_inode_post_symlink (struct inode *inode,
304	struct dentry dentry, const char name)
305	{
306	return;
307	}
308
309	static int dummy_inode_mkdir (struct inode inode, struct dentry dentry,	297	static int dummy_inode_mkdir (struct inode inode, struct dentry dentry,
310	int mask)	298	int mask)
311	{	299	{
312	return 0;	300	return 0;
313	}	301	}
314		302
315	static void dummy_inode_post_mkdir (struct inode inode, struct dentry dentry,
316	int mask)
317	{
318	return;
319	}
320
321	static int dummy_inode_rmdir (struct inode inode, struct dentry dentry)	303	static int dummy_inode_rmdir (struct inode inode, struct dentry dentry)
322	{	304	{
323	return 0;	305	return 0;
@@ -329,12 +311,6 @@ static int dummy_inode_mknod (struct inode inode, struct dentry dentry,
329	return 0;	311	return 0;
330	}	312	}
331		313
332	static void dummy_inode_post_mknod (struct inode inode, struct dentry dentry,
333	int mode, dev_t dev)
334	{
335	return;
336	}
337
338	static int dummy_inode_rename (struct inode *old_inode,	314	static int dummy_inode_rename (struct inode *old_inode,
339	struct dentry *old_dentry,	315	struct dentry *old_dentry,
340	struct inode *new_inode,	316	struct inode *new_inode,
@@ -894,17 +870,13 @@ void security_fixup_ops (struct security_operations *ops)
894	set_to_dummy_if_null(ops, inode_free_security);	870	set_to_dummy_if_null(ops, inode_free_security);
895	set_to_dummy_if_null(ops, inode_init_security);	871	set_to_dummy_if_null(ops, inode_init_security);
896	set_to_dummy_if_null(ops, inode_create);	872	set_to_dummy_if_null(ops, inode_create);
897	set_to_dummy_if_null(ops, inode_post_create);
898	set_to_dummy_if_null(ops, inode_link);	873	set_to_dummy_if_null(ops, inode_link);
899	set_to_dummy_if_null(ops, inode_post_link);	874	set_to_dummy_if_null(ops, inode_post_link);
900	set_to_dummy_if_null(ops, inode_unlink);	875	set_to_dummy_if_null(ops, inode_unlink);
901	set_to_dummy_if_null(ops, inode_symlink);	876	set_to_dummy_if_null(ops, inode_symlink);
902	set_to_dummy_if_null(ops, inode_post_symlink);
903	set_to_dummy_if_null(ops, inode_mkdir);	877	set_to_dummy_if_null(ops, inode_mkdir);
904	set_to_dummy_if_null(ops, inode_post_mkdir);
905	set_to_dummy_if_null(ops, inode_rmdir);	878	set_to_dummy_if_null(ops, inode_rmdir);
906	set_to_dummy_if_null(ops, inode_mknod);	879	set_to_dummy_if_null(ops, inode_mknod);
907	set_to_dummy_if_null(ops, inode_post_mknod);
908	set_to_dummy_if_null(ops, inode_rename);	880	set_to_dummy_if_null(ops, inode_rename);
909	set_to_dummy_if_null(ops, inode_post_rename);	881	set_to_dummy_if_null(ops, inode_post_rename);
910	set_to_dummy_if_null(ops, inode_readlink);	882	set_to_dummy_if_null(ops, inode_readlink);


diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 265f33d3af9b..c9c20828be79 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c
@@ -1265,91 +1265,6 @@ static int inode_security_set_sid(struct inode *inode, u32 sid)
1265	return 0;	1265	return 0;
1266	}	1266	}
1267		1267
1268	/* Set the security attributes on a newly created file. */
1269	static int post_create(struct inode *dir,
1270	struct dentry *dentry)
1271	{
1272
1273	struct task_security_struct *tsec;
1274	struct inode *inode;
1275	struct inode_security_struct *dsec;
1276	struct superblock_security_struct *sbsec;
1277	struct inode_security_struct *isec;
1278	u32 newsid;
1279	char *context;
1280	unsigned int len;
1281	int rc;
1282
1283	tsec = current->security;
1284	dsec = dir->i_security;
1285	sbsec = dir->i_sb->s_security;
1286
1287	inode = dentry->d_inode;
1288	if (!inode) {
1289	/* Some file system types (e.g. NFS) may not instantiate
1290	a dentry for all create operations (e.g. symlink),
1291	so we have to check to see if the inode is non-NULL. */
1292	printk(KERN_WARNING "post_create: no inode, dir (dev=%s, "
1293	"ino=%ld)\n", dir->i_sb->s_id, dir->i_ino);
1294	return 0;
1295	}
1296
1297	isec = inode->i_security;
1298
1299	if (isec->security_attr_init)
1300	return 0;
1301
1302	if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1303	newsid = tsec->create_sid;
1304	} else {
1305	rc = security_transition_sid(tsec->sid, dsec->sid,
1306	inode_mode_to_security_class(inode->i_mode),
1307	&newsid);
1308	if (rc) {
1309	printk(KERN_WARNING "post_create: "
1310	"security_transition_sid failed, rc=%d (dev=%s "
1311	"ino=%ld)\n",
1312	-rc, inode->i_sb->s_id, inode->i_ino);
1313	return rc;
1314	}
1315	}
1316
1317	rc = inode_security_set_sid(inode, newsid);
1318	if (rc) {
1319	printk(KERN_WARNING "post_create: inode_security_set_sid "
1320	"failed, rc=%d (dev=%s ino=%ld)\n",
1321	-rc, inode->i_sb->s_id, inode->i_ino);
1322	return rc;
1323	}
1324
1325	if (sbsec->behavior == SECURITY_FS_USE_XATTR &&
1326	inode->i_op->setxattr) {
1327	/* Use extended attributes. */
1328	rc = security_sid_to_context(newsid, &context, &len);
1329	if (rc) {
1330	printk(KERN_WARNING "post_create: sid_to_context "
1331	"failed, rc=%d (dev=%s ino=%ld)\n",
1332	-rc, inode->i_sb->s_id, inode->i_ino);
1333	return rc;
1334	}
1335	down(&inode->i_sem);
1336	rc = inode->i_op->setxattr(dentry,
1337	XATTR_NAME_SELINUX,
1338	context, len, 0);
1339	up(&inode->i_sem);
1340	kfree(context);
1341	if (rc < 0) {
1342	printk(KERN_WARNING "post_create: setxattr failed, "
1343	"rc=%d (dev=%s ino=%ld)\n",
1344	-rc, inode->i_sb->s_id, inode->i_ino);
1345	return rc;
1346	}
1347	}
1348
1349	return 0;
1350	}
1351
1352
1353	/* Hook functions begin here. */	1268	/* Hook functions begin here. */
1354		1269
1355	static int selinux_ptrace(struct task_struct parent, struct task_struct child)	1270	static int selinux_ptrace(struct task_struct parent, struct task_struct child)
@@ -2076,8 +1991,6 @@ static int selinux_inode_init_security(struct inode inode, struct inode dir,
2076	*len = clen;	1991	*len = clen;
2077	}	1992	}
2078		1993
2079	isec->security_attr_init = 1;
2080
2081	return 0;	1994	return 0;
2082	}	1995	}
2083		1996
@@ -2086,11 +1999,6 @@ static int selinux_inode_create(struct inode dir, struct dentry dentry, int ma
2086	return may_create(dir, dentry, SECCLASS_FILE);	1999	return may_create(dir, dentry, SECCLASS_FILE);
2087	}	2000	}
2088		2001
2089	static void selinux_inode_post_create(struct inode dir, struct dentry dentry, int mask)
2090	{
2091	post_create(dir, dentry);
2092	}
2093
2094	static int selinux_inode_link(struct dentry old_dentry, struct inode dir, struct dentry *new_dentry)	2002	static int selinux_inode_link(struct dentry old_dentry, struct inode dir, struct dentry *new_dentry)
2095	{	2003	{
2096	int rc;	2004	int rc;
@@ -2121,21 +2029,11 @@ static int selinux_inode_symlink(struct inode dir, struct dentry dentry, const
2121	return may_create(dir, dentry, SECCLASS_LNK_FILE);	2029	return may_create(dir, dentry, SECCLASS_LNK_FILE);
2122	}	2030	}
2123		2031
2124	static void selinux_inode_post_symlink(struct inode dir, struct dentry dentry, const char *name)
2125	{
2126	post_create(dir, dentry);
2127	}
2128
2129	static int selinux_inode_mkdir(struct inode dir, struct dentry dentry, int mask)	2032	static int selinux_inode_mkdir(struct inode dir, struct dentry dentry, int mask)
2130	{	2033	{
2131	return may_create(dir, dentry, SECCLASS_DIR);	2034	return may_create(dir, dentry, SECCLASS_DIR);
2132	}	2035	}
2133		2036
2134	static void selinux_inode_post_mkdir(struct inode dir, struct dentry dentry, int mask)
2135	{
2136	post_create(dir, dentry);
2137	}
2138
2139	static int selinux_inode_rmdir(struct inode dir, struct dentry dentry)	2037	static int selinux_inode_rmdir(struct inode dir, struct dentry dentry)
2140	{	2038	{
2141	return may_link(dir, dentry, MAY_RMDIR);	2039	return may_link(dir, dentry, MAY_RMDIR);
@@ -2152,11 +2050,6 @@ static int selinux_inode_mknod(struct inode dir, struct dentry dentry, int mod
2152	return may_create(dir, dentry, inode_mode_to_security_class(mode));	2050	return may_create(dir, dentry, inode_mode_to_security_class(mode));
2153	}	2051	}
2154		2052
2155	static void selinux_inode_post_mknod(struct inode dir, struct dentry dentry, int mode, dev_t dev)
2156	{
2157	post_create(dir, dentry);
2158	}
2159
2160	static int selinux_inode_rename(struct inode old_inode, struct dentry old_dentry,	2053	static int selinux_inode_rename(struct inode old_inode, struct dentry old_dentry,
2161	struct inode new_inode, struct dentry new_dentry)	2054	struct inode new_inode, struct dentry new_dentry)
2162	{	2055	{
@@ -4363,17 +4256,13 @@ static struct security_operations selinux_ops = {
4363	.inode_free_security = selinux_inode_free_security,	4256	.inode_free_security = selinux_inode_free_security,
4364	.inode_init_security = selinux_inode_init_security,	4257	.inode_init_security = selinux_inode_init_security,
4365	.inode_create = selinux_inode_create,	4258	.inode_create = selinux_inode_create,
4366	.inode_post_create = selinux_inode_post_create,
4367	.inode_link = selinux_inode_link,	4259	.inode_link = selinux_inode_link,
4368	.inode_post_link = selinux_inode_post_link,	4260	.inode_post_link = selinux_inode_post_link,
4369	.inode_unlink = selinux_inode_unlink,	4261	.inode_unlink = selinux_inode_unlink,
4370	.inode_symlink = selinux_inode_symlink,	4262	.inode_symlink = selinux_inode_symlink,
4371	.inode_post_symlink = selinux_inode_post_symlink,
4372	.inode_mkdir = selinux_inode_mkdir,	4263	.inode_mkdir = selinux_inode_mkdir,
4373	.inode_post_mkdir = selinux_inode_post_mkdir,
4374	.inode_rmdir = selinux_inode_rmdir,	4264	.inode_rmdir = selinux_inode_rmdir,
4375	.inode_mknod = selinux_inode_mknod,	4265	.inode_mknod = selinux_inode_mknod,
4376	.inode_post_mknod = selinux_inode_post_mknod,
4377	.inode_rename = selinux_inode_rename,	4266	.inode_rename = selinux_inode_rename,
4378	.inode_post_rename = selinux_inode_post_rename,	4267	.inode_post_rename = selinux_inode_post_rename,
4379	.inode_readlink = selinux_inode_readlink,	4268	.inode_readlink = selinux_inode_readlink,


diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h index c515bc0b58a1..887937c8134a 100644 --- a/security/selinux/include/objsec.h +++ b/security/selinux/include/objsec.h
@@ -46,7 +46,6 @@ struct inode_security_struct {
46	unsigned char initialized; /* initialization flag */	46	unsigned char initialized; /* initialization flag */
47	struct semaphore sem;	47	struct semaphore sem;
48	unsigned char inherit; /* inherit SID from parent entry */	48	unsigned char inherit; /* inherit SID from parent entry */
49	unsigned char security_attr_init; /* security attributes init flag */
50	};	49	};
51		50
52	struct file_security_struct {	51	struct file_security_struct {