diff options
author | Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> | 2011-07-08 00:25:53 -0400 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2011-07-10 21:05:34 -0400 |
commit | 97fb35e413f256ded07b88c73b3d932ec31ea84e (patch) | |
tree | d16cb1dcb6d16938aa01c071fdcd1cbbf85b5153 /security | |
parent | 5b636857fee642694e287e3a181b523b16098c93 (diff) |
TOMOYO: Enable conditional ACL.
Enable conditional ACL by passing object's pointers.
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security')
-rw-r--r-- | security/tomoyo/common.h | 3 | ||||
-rw-r--r-- | security/tomoyo/domain.c | 53 | ||||
-rw-r--r-- | security/tomoyo/file.c | 35 | ||||
-rw-r--r-- | security/tomoyo/mount.c | 8 | ||||
-rw-r--r-- | security/tomoyo/tomoyo.c | 14 |
5 files changed, 80 insertions, 33 deletions
diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h index 6c013b177791..f7fbaa66e443 100644 --- a/security/tomoyo/common.h +++ b/security/tomoyo/common.h | |||
@@ -836,7 +836,8 @@ int tomoyo_path2_perm(const u8 operation, struct path *path1, | |||
836 | struct path *path2); | 836 | struct path *path2); |
837 | int tomoyo_path_number_perm(const u8 operation, struct path *path, | 837 | int tomoyo_path_number_perm(const u8 operation, struct path *path, |
838 | unsigned long number); | 838 | unsigned long number); |
839 | int tomoyo_path_perm(const u8 operation, struct path *path); | 839 | int tomoyo_path_perm(const u8 operation, struct path *path, |
840 | const char *target); | ||
840 | int tomoyo_path_permission(struct tomoyo_request_info *r, u8 operation, | 841 | int tomoyo_path_permission(struct tomoyo_request_info *r, u8 operation, |
841 | const struct tomoyo_path_info *filename); | 842 | const struct tomoyo_path_info *filename); |
842 | int tomoyo_poll_control(struct file *file, poll_table *wait); | 843 | int tomoyo_poll_control(struct file *file, poll_table *wait); |
diff --git a/security/tomoyo/domain.c b/security/tomoyo/domain.c index 565249c42e39..878d0206f43e 100644 --- a/security/tomoyo/domain.c +++ b/security/tomoyo/domain.c | |||
@@ -575,23 +575,27 @@ out: | |||
575 | */ | 575 | */ |
576 | int tomoyo_find_next_domain(struct linux_binprm *bprm) | 576 | int tomoyo_find_next_domain(struct linux_binprm *bprm) |
577 | { | 577 | { |
578 | struct tomoyo_request_info r; | ||
579 | char *tmp = kzalloc(TOMOYO_EXEC_TMPSIZE, GFP_NOFS); | ||
580 | struct tomoyo_domain_info *old_domain = tomoyo_domain(); | 578 | struct tomoyo_domain_info *old_domain = tomoyo_domain(); |
581 | struct tomoyo_domain_info *domain = NULL; | 579 | struct tomoyo_domain_info *domain = NULL; |
582 | const char *original_name = bprm->filename; | 580 | const char *original_name = bprm->filename; |
583 | u8 mode; | ||
584 | bool is_enforce; | ||
585 | int retval = -ENOMEM; | 581 | int retval = -ENOMEM; |
586 | bool need_kfree = false; | 582 | bool need_kfree = false; |
587 | bool reject_on_transition_failure = false; | 583 | bool reject_on_transition_failure = false; |
588 | struct tomoyo_path_info rn = { }; /* real name */ | 584 | struct tomoyo_path_info rn = { }; /* real name */ |
589 | 585 | struct tomoyo_execve *ee = kzalloc(sizeof(*ee), GFP_NOFS); | |
590 | mode = tomoyo_init_request_info(&r, NULL, TOMOYO_MAC_FILE_EXECUTE); | 586 | if (!ee) |
591 | is_enforce = (mode == TOMOYO_CONFIG_ENFORCING); | 587 | return -ENOMEM; |
592 | if (!tmp) | 588 | ee->tmp = kzalloc(TOMOYO_EXEC_TMPSIZE, GFP_NOFS); |
593 | goto out; | 589 | if (!ee->tmp) { |
594 | 590 | kfree(ee); | |
591 | return -ENOMEM; | ||
592 | } | ||
593 | /* ee->dump->data is allocated by tomoyo_dump_page(). */ | ||
594 | tomoyo_init_request_info(&ee->r, NULL, TOMOYO_MAC_FILE_EXECUTE); | ||
595 | ee->r.ee = ee; | ||
596 | ee->bprm = bprm; | ||
597 | ee->r.obj = &ee->obj; | ||
598 | ee->obj.path1 = bprm->file->f_path; | ||
595 | retry: | 599 | retry: |
596 | if (need_kfree) { | 600 | if (need_kfree) { |
597 | kfree(rn.name); | 601 | kfree(rn.name); |
@@ -625,7 +629,7 @@ int tomoyo_find_next_domain(struct linux_binprm *bprm) | |||
625 | } | 629 | } |
626 | 630 | ||
627 | /* Check execute permission. */ | 631 | /* Check execute permission. */ |
628 | retval = tomoyo_path_permission(&r, TOMOYO_TYPE_EXECUTE, &rn); | 632 | retval = tomoyo_path_permission(&ee->r, TOMOYO_TYPE_EXECUTE, &rn); |
629 | if (retval == TOMOYO_RETRY_REQUEST) | 633 | if (retval == TOMOYO_RETRY_REQUEST) |
630 | goto retry; | 634 | goto retry; |
631 | if (retval < 0) | 635 | if (retval < 0) |
@@ -636,12 +640,12 @@ int tomoyo_find_next_domain(struct linux_binprm *bprm) | |||
636 | * wildcard) rather than the pathname passed to execve() | 640 | * wildcard) rather than the pathname passed to execve() |
637 | * (which never contains wildcard). | 641 | * (which never contains wildcard). |
638 | */ | 642 | */ |
639 | if (r.param.path.matched_path) { | 643 | if (ee->r.param.path.matched_path) { |
640 | if (need_kfree) | 644 | if (need_kfree) |
641 | kfree(rn.name); | 645 | kfree(rn.name); |
642 | need_kfree = false; | 646 | need_kfree = false; |
643 | /* This is OK because it is read only. */ | 647 | /* This is OK because it is read only. */ |
644 | rn = *r.param.path.matched_path; | 648 | rn = *ee->r.param.path.matched_path; |
645 | } | 649 | } |
646 | 650 | ||
647 | /* Calculate domain to transit to. */ | 651 | /* Calculate domain to transit to. */ |
@@ -649,7 +653,7 @@ int tomoyo_find_next_domain(struct linux_binprm *bprm) | |||
649 | &rn)) { | 653 | &rn)) { |
650 | case TOMOYO_TRANSITION_CONTROL_RESET: | 654 | case TOMOYO_TRANSITION_CONTROL_RESET: |
651 | /* Transit to the root of specified namespace. */ | 655 | /* Transit to the root of specified namespace. */ |
652 | snprintf(tmp, TOMOYO_EXEC_TMPSIZE - 1, "<%s>", rn.name); | 656 | snprintf(ee->tmp, TOMOYO_EXEC_TMPSIZE - 1, "<%s>", rn.name); |
653 | /* | 657 | /* |
654 | * Make do_execve() fail if domain transition across namespaces | 658 | * Make do_execve() fail if domain transition across namespaces |
655 | * has failed. | 659 | * has failed. |
@@ -658,7 +662,7 @@ int tomoyo_find_next_domain(struct linux_binprm *bprm) | |||
658 | break; | 662 | break; |
659 | case TOMOYO_TRANSITION_CONTROL_INITIALIZE: | 663 | case TOMOYO_TRANSITION_CONTROL_INITIALIZE: |
660 | /* Transit to the child of current namespace's root. */ | 664 | /* Transit to the child of current namespace's root. */ |
661 | snprintf(tmp, TOMOYO_EXEC_TMPSIZE - 1, "%s %s", | 665 | snprintf(ee->tmp, TOMOYO_EXEC_TMPSIZE - 1, "%s %s", |
662 | old_domain->ns->name, rn.name); | 666 | old_domain->ns->name, rn.name); |
663 | break; | 667 | break; |
664 | case TOMOYO_TRANSITION_CONTROL_KEEP: | 668 | case TOMOYO_TRANSITION_CONTROL_KEEP: |
@@ -677,29 +681,30 @@ int tomoyo_find_next_domain(struct linux_binprm *bprm) | |||
677 | domain = old_domain; | 681 | domain = old_domain; |
678 | } else { | 682 | } else { |
679 | /* Normal domain transition. */ | 683 | /* Normal domain transition. */ |
680 | snprintf(tmp, TOMOYO_EXEC_TMPSIZE - 1, "%s %s", | 684 | snprintf(ee->tmp, TOMOYO_EXEC_TMPSIZE - 1, "%s %s", |
681 | old_domain->domainname->name, rn.name); | 685 | old_domain->domainname->name, rn.name); |
682 | } | 686 | } |
683 | break; | 687 | break; |
684 | } | 688 | } |
685 | if (!domain) | 689 | if (!domain) |
686 | domain = tomoyo_assign_domain(tmp, true); | 690 | domain = tomoyo_assign_domain(ee->tmp, true); |
687 | if (domain) | 691 | if (domain) |
688 | retval = 0; | 692 | retval = 0; |
689 | else if (reject_on_transition_failure) { | 693 | else if (reject_on_transition_failure) { |
690 | printk(KERN_WARNING "ERROR: Domain '%s' not ready.\n", tmp); | 694 | printk(KERN_WARNING "ERROR: Domain '%s' not ready.\n", |
695 | ee->tmp); | ||
691 | retval = -ENOMEM; | 696 | retval = -ENOMEM; |
692 | } else if (r.mode == TOMOYO_CONFIG_ENFORCING) | 697 | } else if (ee->r.mode == TOMOYO_CONFIG_ENFORCING) |
693 | retval = -ENOMEM; | 698 | retval = -ENOMEM; |
694 | else { | 699 | else { |
695 | retval = 0; | 700 | retval = 0; |
696 | if (!old_domain->flags[TOMOYO_DIF_TRANSITION_FAILED]) { | 701 | if (!old_domain->flags[TOMOYO_DIF_TRANSITION_FAILED]) { |
697 | old_domain->flags[TOMOYO_DIF_TRANSITION_FAILED] = true; | 702 | old_domain->flags[TOMOYO_DIF_TRANSITION_FAILED] = true; |
698 | r.granted = false; | 703 | ee->r.granted = false; |
699 | tomoyo_write_log(&r, "%s", tomoyo_dif | 704 | tomoyo_write_log(&ee->r, "%s", tomoyo_dif |
700 | [TOMOYO_DIF_TRANSITION_FAILED]); | 705 | [TOMOYO_DIF_TRANSITION_FAILED]); |
701 | printk(KERN_WARNING | 706 | printk(KERN_WARNING |
702 | "ERROR: Domain '%s' not defined.\n", tmp); | 707 | "ERROR: Domain '%s' not defined.\n", ee->tmp); |
703 | } | 708 | } |
704 | } | 709 | } |
705 | out: | 710 | out: |
@@ -710,7 +715,9 @@ int tomoyo_find_next_domain(struct linux_binprm *bprm) | |||
710 | bprm->cred->security = domain; | 715 | bprm->cred->security = domain; |
711 | if (need_kfree) | 716 | if (need_kfree) |
712 | kfree(rn.name); | 717 | kfree(rn.name); |
713 | kfree(tmp); | 718 | kfree(ee->tmp); |
719 | kfree(ee->dump.data); | ||
720 | kfree(ee); | ||
714 | return retval; | 721 | return retval; |
715 | } | 722 | } |
716 | 723 | ||
diff --git a/security/tomoyo/file.c b/security/tomoyo/file.c index 6ab9e4cdd61f..31a9a4ab7af9 100644 --- a/security/tomoyo/file.c +++ b/security/tomoyo/file.c | |||
@@ -667,6 +667,9 @@ int tomoyo_path_number_perm(const u8 type, struct path *path, | |||
667 | unsigned long number) | 667 | unsigned long number) |
668 | { | 668 | { |
669 | struct tomoyo_request_info r; | 669 | struct tomoyo_request_info r; |
670 | struct tomoyo_obj_info obj = { | ||
671 | .path1 = *path, | ||
672 | }; | ||
670 | int error = -ENOMEM; | 673 | int error = -ENOMEM; |
671 | struct tomoyo_path_info buf; | 674 | struct tomoyo_path_info buf; |
672 | int idx; | 675 | int idx; |
@@ -677,6 +680,7 @@ int tomoyo_path_number_perm(const u8 type, struct path *path, | |||
677 | idx = tomoyo_read_lock(); | 680 | idx = tomoyo_read_lock(); |
678 | if (!tomoyo_get_realpath(&buf, path)) | 681 | if (!tomoyo_get_realpath(&buf, path)) |
679 | goto out; | 682 | goto out; |
683 | r.obj = &obj; | ||
680 | if (type == TOMOYO_TYPE_MKDIR) | 684 | if (type == TOMOYO_TYPE_MKDIR) |
681 | tomoyo_add_slash(&buf); | 685 | tomoyo_add_slash(&buf); |
682 | r.param_type = TOMOYO_TYPE_PATH_NUMBER_ACL; | 686 | r.param_type = TOMOYO_TYPE_PATH_NUMBER_ACL; |
@@ -711,6 +715,9 @@ int tomoyo_check_open_permission(struct tomoyo_domain_info *domain, | |||
711 | int error = 0; | 715 | int error = 0; |
712 | struct tomoyo_path_info buf; | 716 | struct tomoyo_path_info buf; |
713 | struct tomoyo_request_info r; | 717 | struct tomoyo_request_info r; |
718 | struct tomoyo_obj_info obj = { | ||
719 | .path1 = *path, | ||
720 | }; | ||
714 | int idx; | 721 | int idx; |
715 | 722 | ||
716 | buf.name = NULL; | 723 | buf.name = NULL; |
@@ -723,6 +730,7 @@ int tomoyo_check_open_permission(struct tomoyo_domain_info *domain, | |||
723 | error = -ENOMEM; | 730 | error = -ENOMEM; |
724 | goto out; | 731 | goto out; |
725 | } | 732 | } |
733 | r.obj = &obj; | ||
726 | if (acc_mode & MAY_READ) | 734 | if (acc_mode & MAY_READ) |
727 | error = tomoyo_path_permission(&r, TOMOYO_TYPE_READ, | 735 | error = tomoyo_path_permission(&r, TOMOYO_TYPE_READ, |
728 | &buf); | 736 | &buf); |
@@ -745,15 +753,21 @@ int tomoyo_check_open_permission(struct tomoyo_domain_info *domain, | |||
745 | * | 753 | * |
746 | * @operation: Type of operation. | 754 | * @operation: Type of operation. |
747 | * @path: Pointer to "struct path". | 755 | * @path: Pointer to "struct path". |
756 | * @target: Symlink's target if @operation is TOMOYO_TYPE_SYMLINK, | ||
757 | * NULL otherwise. | ||
748 | * | 758 | * |
749 | * Returns 0 on success, negative value otherwise. | 759 | * Returns 0 on success, negative value otherwise. |
750 | */ | 760 | */ |
751 | int tomoyo_path_perm(const u8 operation, struct path *path) | 761 | int tomoyo_path_perm(const u8 operation, struct path *path, const char *target) |
752 | { | 762 | { |
753 | struct tomoyo_request_info r; | 763 | struct tomoyo_request_info r; |
764 | struct tomoyo_obj_info obj = { | ||
765 | .path1 = *path, | ||
766 | }; | ||
754 | int error; | 767 | int error; |
755 | struct tomoyo_path_info buf; | 768 | struct tomoyo_path_info buf; |
756 | bool is_enforce; | 769 | bool is_enforce; |
770 | struct tomoyo_path_info symlink_target; | ||
757 | int idx; | 771 | int idx; |
758 | 772 | ||
759 | if (tomoyo_init_request_info(&r, NULL, tomoyo_p2mac[operation]) | 773 | if (tomoyo_init_request_info(&r, NULL, tomoyo_p2mac[operation]) |
@@ -765,13 +779,23 @@ int tomoyo_path_perm(const u8 operation, struct path *path) | |||
765 | idx = tomoyo_read_lock(); | 779 | idx = tomoyo_read_lock(); |
766 | if (!tomoyo_get_realpath(&buf, path)) | 780 | if (!tomoyo_get_realpath(&buf, path)) |
767 | goto out; | 781 | goto out; |
782 | r.obj = &obj; | ||
768 | switch (operation) { | 783 | switch (operation) { |
769 | case TOMOYO_TYPE_RMDIR: | 784 | case TOMOYO_TYPE_RMDIR: |
770 | case TOMOYO_TYPE_CHROOT: | 785 | case TOMOYO_TYPE_CHROOT: |
771 | tomoyo_add_slash(&buf); | 786 | tomoyo_add_slash(&buf); |
772 | break; | 787 | break; |
788 | case TOMOYO_TYPE_SYMLINK: | ||
789 | symlink_target.name = tomoyo_encode(target); | ||
790 | if (!symlink_target.name) | ||
791 | goto out; | ||
792 | tomoyo_fill_path_info(&symlink_target); | ||
793 | obj.symlink_target = &symlink_target; | ||
794 | break; | ||
773 | } | 795 | } |
774 | error = tomoyo_path_permission(&r, operation, &buf); | 796 | error = tomoyo_path_permission(&r, operation, &buf); |
797 | if (operation == TOMOYO_TYPE_SYMLINK) | ||
798 | kfree(symlink_target.name); | ||
775 | out: | 799 | out: |
776 | kfree(buf.name); | 800 | kfree(buf.name); |
777 | tomoyo_read_unlock(idx); | 801 | tomoyo_read_unlock(idx); |
@@ -794,6 +818,9 @@ int tomoyo_mkdev_perm(const u8 operation, struct path *path, | |||
794 | const unsigned int mode, unsigned int dev) | 818 | const unsigned int mode, unsigned int dev) |
795 | { | 819 | { |
796 | struct tomoyo_request_info r; | 820 | struct tomoyo_request_info r; |
821 | struct tomoyo_obj_info obj = { | ||
822 | .path1 = *path, | ||
823 | }; | ||
797 | int error = -ENOMEM; | 824 | int error = -ENOMEM; |
798 | struct tomoyo_path_info buf; | 825 | struct tomoyo_path_info buf; |
799 | int idx; | 826 | int idx; |
@@ -804,6 +831,7 @@ int tomoyo_mkdev_perm(const u8 operation, struct path *path, | |||
804 | idx = tomoyo_read_lock(); | 831 | idx = tomoyo_read_lock(); |
805 | error = -ENOMEM; | 832 | error = -ENOMEM; |
806 | if (tomoyo_get_realpath(&buf, path)) { | 833 | if (tomoyo_get_realpath(&buf, path)) { |
834 | r.obj = &obj; | ||
807 | dev = new_decode_dev(dev); | 835 | dev = new_decode_dev(dev); |
808 | r.param_type = TOMOYO_TYPE_MKDEV_ACL; | 836 | r.param_type = TOMOYO_TYPE_MKDEV_ACL; |
809 | r.param.mkdev.filename = &buf; | 837 | r.param.mkdev.filename = &buf; |
@@ -837,6 +865,10 @@ int tomoyo_path2_perm(const u8 operation, struct path *path1, | |||
837 | struct tomoyo_path_info buf1; | 865 | struct tomoyo_path_info buf1; |
838 | struct tomoyo_path_info buf2; | 866 | struct tomoyo_path_info buf2; |
839 | struct tomoyo_request_info r; | 867 | struct tomoyo_request_info r; |
868 | struct tomoyo_obj_info obj = { | ||
869 | .path1 = *path1, | ||
870 | .path2 = *path2, | ||
871 | }; | ||
840 | int idx; | 872 | int idx; |
841 | 873 | ||
842 | if (tomoyo_init_request_info(&r, NULL, tomoyo_pp2mac[operation]) | 874 | if (tomoyo_init_request_info(&r, NULL, tomoyo_pp2mac[operation]) |
@@ -861,6 +893,7 @@ int tomoyo_path2_perm(const u8 operation, struct path *path1, | |||
861 | tomoyo_add_slash(&buf2); | 893 | tomoyo_add_slash(&buf2); |
862 | break; | 894 | break; |
863 | } | 895 | } |
896 | r.obj = &obj; | ||
864 | r.param_type = TOMOYO_TYPE_PATH2_ACL; | 897 | r.param_type = TOMOYO_TYPE_PATH2_ACL; |
865 | r.param.path2.operation = operation; | 898 | r.param.path2.operation = operation; |
866 | r.param.path2.filename1 = &buf1; | 899 | r.param.path2.filename1 = &buf1; |
diff --git a/security/tomoyo/mount.c b/security/tomoyo/mount.c index 0bbba8b67821..408385307470 100644 --- a/security/tomoyo/mount.c +++ b/security/tomoyo/mount.c | |||
@@ -75,6 +75,7 @@ static int tomoyo_mount_acl(struct tomoyo_request_info *r, char *dev_name, | |||
75 | struct path *dir, const char *type, | 75 | struct path *dir, const char *type, |
76 | unsigned long flags) | 76 | unsigned long flags) |
77 | { | 77 | { |
78 | struct tomoyo_obj_info obj = { }; | ||
78 | struct path path; | 79 | struct path path; |
79 | struct file_system_type *fstype = NULL; | 80 | struct file_system_type *fstype = NULL; |
80 | const char *requested_type = NULL; | 81 | const char *requested_type = NULL; |
@@ -85,6 +86,7 @@ static int tomoyo_mount_acl(struct tomoyo_request_info *r, char *dev_name, | |||
85 | struct tomoyo_path_info rdir; | 86 | struct tomoyo_path_info rdir; |
86 | int need_dev = 0; | 87 | int need_dev = 0; |
87 | int error = -ENOMEM; | 88 | int error = -ENOMEM; |
89 | r->obj = &obj; | ||
88 | 90 | ||
89 | /* Get fstype. */ | 91 | /* Get fstype. */ |
90 | requested_type = tomoyo_encode(type); | 92 | requested_type = tomoyo_encode(type); |
@@ -94,6 +96,7 @@ static int tomoyo_mount_acl(struct tomoyo_request_info *r, char *dev_name, | |||
94 | tomoyo_fill_path_info(&rtype); | 96 | tomoyo_fill_path_info(&rtype); |
95 | 97 | ||
96 | /* Get mount point. */ | 98 | /* Get mount point. */ |
99 | obj.path2 = *dir; | ||
97 | requested_dir_name = tomoyo_realpath_from_path(dir); | 100 | requested_dir_name = tomoyo_realpath_from_path(dir); |
98 | if (!requested_dir_name) { | 101 | if (!requested_dir_name) { |
99 | error = -ENOMEM; | 102 | error = -ENOMEM; |
@@ -129,8 +132,8 @@ static int tomoyo_mount_acl(struct tomoyo_request_info *r, char *dev_name, | |||
129 | error = -ENOENT; | 132 | error = -ENOENT; |
130 | goto out; | 133 | goto out; |
131 | } | 134 | } |
135 | obj.path1 = path; | ||
132 | requested_dev_name = tomoyo_realpath_from_path(&path); | 136 | requested_dev_name = tomoyo_realpath_from_path(&path); |
133 | path_put(&path); | ||
134 | if (!requested_dev_name) { | 137 | if (!requested_dev_name) { |
135 | error = -ENOENT; | 138 | error = -ENOENT; |
136 | goto out; | 139 | goto out; |
@@ -163,6 +166,9 @@ static int tomoyo_mount_acl(struct tomoyo_request_info *r, char *dev_name, | |||
163 | if (fstype) | 166 | if (fstype) |
164 | put_filesystem(fstype); | 167 | put_filesystem(fstype); |
165 | kfree(requested_type); | 168 | kfree(requested_type); |
169 | /* Drop refcount obtained by kern_path(). */ | ||
170 | if (obj.path1.dentry) | ||
171 | path_put(&obj.path1); | ||
166 | return error; | 172 | return error; |
167 | } | 173 | } |
168 | 174 | ||
diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c index d6f68a0ec2dc..a536cb182c05 100644 --- a/security/tomoyo/tomoyo.c +++ b/security/tomoyo/tomoyo.c | |||
@@ -98,18 +98,18 @@ static int tomoyo_bprm_check_security(struct linux_binprm *bprm) | |||
98 | static int tomoyo_inode_getattr(struct vfsmount *mnt, struct dentry *dentry) | 98 | static int tomoyo_inode_getattr(struct vfsmount *mnt, struct dentry *dentry) |
99 | { | 99 | { |
100 | struct path path = { mnt, dentry }; | 100 | struct path path = { mnt, dentry }; |
101 | return tomoyo_path_perm(TOMOYO_TYPE_GETATTR, &path); | 101 | return tomoyo_path_perm(TOMOYO_TYPE_GETATTR, &path, NULL); |
102 | } | 102 | } |
103 | 103 | ||
104 | static int tomoyo_path_truncate(struct path *path) | 104 | static int tomoyo_path_truncate(struct path *path) |
105 | { | 105 | { |
106 | return tomoyo_path_perm(TOMOYO_TYPE_TRUNCATE, path); | 106 | return tomoyo_path_perm(TOMOYO_TYPE_TRUNCATE, path, NULL); |
107 | } | 107 | } |
108 | 108 | ||
109 | static int tomoyo_path_unlink(struct path *parent, struct dentry *dentry) | 109 | static int tomoyo_path_unlink(struct path *parent, struct dentry *dentry) |
110 | { | 110 | { |
111 | struct path path = { parent->mnt, dentry }; | 111 | struct path path = { parent->mnt, dentry }; |
112 | return tomoyo_path_perm(TOMOYO_TYPE_UNLINK, &path); | 112 | return tomoyo_path_perm(TOMOYO_TYPE_UNLINK, &path, NULL); |
113 | } | 113 | } |
114 | 114 | ||
115 | static int tomoyo_path_mkdir(struct path *parent, struct dentry *dentry, | 115 | static int tomoyo_path_mkdir(struct path *parent, struct dentry *dentry, |
@@ -123,14 +123,14 @@ static int tomoyo_path_mkdir(struct path *parent, struct dentry *dentry, | |||
123 | static int tomoyo_path_rmdir(struct path *parent, struct dentry *dentry) | 123 | static int tomoyo_path_rmdir(struct path *parent, struct dentry *dentry) |
124 | { | 124 | { |
125 | struct path path = { parent->mnt, dentry }; | 125 | struct path path = { parent->mnt, dentry }; |
126 | return tomoyo_path_perm(TOMOYO_TYPE_RMDIR, &path); | 126 | return tomoyo_path_perm(TOMOYO_TYPE_RMDIR, &path, NULL); |
127 | } | 127 | } |
128 | 128 | ||
129 | static int tomoyo_path_symlink(struct path *parent, struct dentry *dentry, | 129 | static int tomoyo_path_symlink(struct path *parent, struct dentry *dentry, |
130 | const char *old_name) | 130 | const char *old_name) |
131 | { | 131 | { |
132 | struct path path = { parent->mnt, dentry }; | 132 | struct path path = { parent->mnt, dentry }; |
133 | return tomoyo_path_perm(TOMOYO_TYPE_SYMLINK, &path); | 133 | return tomoyo_path_perm(TOMOYO_TYPE_SYMLINK, &path, old_name); |
134 | } | 134 | } |
135 | 135 | ||
136 | static int tomoyo_path_mknod(struct path *parent, struct dentry *dentry, | 136 | static int tomoyo_path_mknod(struct path *parent, struct dentry *dentry, |
@@ -225,7 +225,7 @@ static int tomoyo_path_chown(struct path *path, uid_t uid, gid_t gid) | |||
225 | 225 | ||
226 | static int tomoyo_path_chroot(struct path *path) | 226 | static int tomoyo_path_chroot(struct path *path) |
227 | { | 227 | { |
228 | return tomoyo_path_perm(TOMOYO_TYPE_CHROOT, path); | 228 | return tomoyo_path_perm(TOMOYO_TYPE_CHROOT, path, NULL); |
229 | } | 229 | } |
230 | 230 | ||
231 | static int tomoyo_sb_mount(char *dev_name, struct path *path, | 231 | static int tomoyo_sb_mount(char *dev_name, struct path *path, |
@@ -237,7 +237,7 @@ static int tomoyo_sb_mount(char *dev_name, struct path *path, | |||
237 | static int tomoyo_sb_umount(struct vfsmount *mnt, int flags) | 237 | static int tomoyo_sb_umount(struct vfsmount *mnt, int flags) |
238 | { | 238 | { |
239 | struct path path = { mnt, mnt->mnt_root }; | 239 | struct path path = { mnt, mnt->mnt_root }; |
240 | return tomoyo_path_perm(TOMOYO_TYPE_UMOUNT, &path); | 240 | return tomoyo_path_perm(TOMOYO_TYPE_UMOUNT, &path, NULL); |
241 | } | 241 | } |
242 | 242 | ||
243 | static int tomoyo_sb_pivotroot(struct path *old_path, struct path *new_path) | 243 | static int tomoyo_sb_pivotroot(struct path *old_path, struct path *new_path) |