LSM: split LSM_AUDIT_DATA_FS into _PATH and _INODE

The lsm common audit code has wacky contortions making sure which pieces of information are set based on if it was given a path, dentry, or inode. Split this into path and inode to get rid of some of the code complexity. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Casey Schaufler <casey@schaufler-ca.com>
author: Eric Paris <eparis@redhat.com> 2011-04-25 12:54:27 -0400
committer: Eric Paris <eparis@redhat.com> 2011-04-25 18:13:15 -0400
commit: f48b7399840b453e7282b523f535561fe9638a2d (patch)
tree: 29eed009469d35473367708ea60b9c5b01fc0c5f /security
parent: 0dc1ba24f7fff659725eecbba2c9ad679a0954cd (diff)
5 files changed, 74 insertions, 68 deletions
diff --git a/security/lsm_audit.c b/security/lsm_audit.c
index 908aa712816a..2e846052cbf4 100644
--- a/security/lsm_audit.c
+++ b/security/lsm_audit.c
@@ -210,7 +210,6 @@ static inline void print_ipv4_addr(struct audit_buffer *ab, __be32 addr,
 static void dump_common_audit_data(struct audit_buffer *ab,
                                   struct common_audit_data *a)
 {
-        struct inode *inode = NULL;
        struct task_struct *tsk = current;
        if (a->tsk)
@@ -229,33 +228,40 @@ static void dump_common_audit_data(struct audit_buffer *ab,
        case LSM_AUDIT_DATA_CAP:
                audit_log_format(ab, " capability=%d ", a->u.cap);
                break;
-        case LSM_AUDIT_DATA_FS:
+        case LSM_AUDIT_DATA_PATH: {
-                if (a->u.fs.path.dentry) {
+                struct dentry *dentry = a->u.path.dentry;
-                        struct dentry *dentry = a->u.fs.path.dentry;
+                struct inode *inode;
-                        if (a->u.fs.path.mnt) {
-                                audit_log_d_path(ab, "path=", &a->u.fs.path);
+                if (a->u.path.mnt) {
-                        } else {
+                        audit_log_d_path(ab, "path=", &a->u.path);
-                                audit_log_format(ab, " name=");
+                } else {
-                                audit_log_untrustedstring(ab,
+                        audit_log_format(ab, " name=");
-                                                 dentry->d_name.name);
+                        audit_log_untrustedstring(ab,
-                        }
+                                         dentry->d_name.name);
-                        inode = dentry->d_inode;
-                } else if (a->u.fs.inode) {
-                        struct dentry *dentry;
-                        inode = a->u.fs.inode;
-                        dentry = d_find_alias(inode);
-                        if (dentry) {
-                                audit_log_format(ab, " name=");
-                                audit_log_untrustedstring(ab,
-                                                 dentry->d_name.name);
-                                dput(dentry);
-                        }
                }
+                inode = dentry->d_inode;
                if (inode)
                        audit_log_format(ab, " dev=%s ino=%lu",
                                        inode->i_sb->s_id,
                                        inode->i_ino);
                break;
+        }
+        case LSM_AUDIT_DATA_INODE: {
+                struct dentry *dentry;
+                struct inode *inode;
+                inode = a->u.inode;
+                dentry = d_find_alias(inode);
+                if (dentry) {
+                        audit_log_format(ab, " name=");
+                        audit_log_untrustedstring(ab,
+                                         dentry->d_name.name);
+                        dput(dentry);
+                }
+                audit_log_format(ab, " dev=%s ino=%lu", inode->i_sb->s_id,
+                                 inode->i_ino);
+                break;
+        }
        case LSM_AUDIT_DATA_TASK:
                tsk = a->u.tsk;
                if (tsk && tsk->pid) {
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 1d027e29ce8d..ce742f1778e1 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -531,7 +531,7 @@ int avc_audit(u32 ssid, u32 tsid,
         * during retry. However this is logically just as if the operation
         * happened a little later.
         */
-        if ((a->type == LSM_AUDIT_DATA_FS) &&
+        if ((a->type == LSM_AUDIT_DATA_INODE) &&
            (flags & IPERM_FLAG_RCU))
                return -ECHILD;
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index ed5f29aa0a38..ad664d3056eb 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1488,8 +1488,8 @@ static int inode_has_perm(const struct cred *cred,
        if (!adp) {
                adp = &ad;
-                COMMON_AUDIT_DATA_INIT(&ad, FS);
+                COMMON_AUDIT_DATA_INIT(&ad, INODE);
-                ad.u.fs.inode = inode;
+                ad.u.inode = inode;
        }
        return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags);
@@ -1506,9 +1506,9 @@ static inline int dentry_has_perm(const struct cred *cred,
        struct inode *inode = dentry->d_inode;
        struct common_audit_data ad;
-        COMMON_AUDIT_DATA_INIT(&ad, FS);
+        COMMON_AUDIT_DATA_INIT(&ad, PATH);
-        ad.u.fs.path.mnt = mnt;
+        ad.u.path.mnt = mnt;
-        ad.u.fs.path.dentry = dentry;
+        ad.u.path.dentry = dentry;
        return inode_has_perm(cred, inode, av, &ad, 0);
 }
@@ -1530,8 +1530,8 @@ static int file_has_perm(const struct cred *cred,
        u32 sid = cred_sid(cred);
        int rc;
-        COMMON_AUDIT_DATA_INIT(&ad, FS);
+        COMMON_AUDIT_DATA_INIT(&ad, PATH);
-        ad.u.fs.path = file->f_path;
+        ad.u.path = file->f_path;
        if (sid != fsec->sid) {
                rc = avc_has_perm(sid, fsec->sid,
@@ -1569,8 +1569,8 @@ static int may_create(struct inode *dir,
        sid = tsec->sid;
        newsid = tsec->create_sid;
-        COMMON_AUDIT_DATA_INIT(&ad, FS);
+        COMMON_AUDIT_DATA_INIT(&ad, PATH);
-        ad.u.fs.path.dentry = dentry;
+        ad.u.path.dentry = dentry;
        rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
                          DIR__ADD_NAME | DIR__SEARCH,
@@ -1621,8 +1621,8 @@ static int may_link(struct inode *dir,
        dsec = dir->i_security;
        isec = dentry->d_inode->i_security;
-        COMMON_AUDIT_DATA_INIT(&ad, FS);
+        COMMON_AUDIT_DATA_INIT(&ad, PATH);
-        ad.u.fs.path.dentry = dentry;
+        ad.u.path.dentry = dentry;
        av = DIR__SEARCH;
        av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
@@ -1667,9 +1667,9 @@ static inline int may_rename(struct inode *old_dir,
        old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
        new_dsec = new_dir->i_security;
-        COMMON_AUDIT_DATA_INIT(&ad, FS);
+        COMMON_AUDIT_DATA_INIT(&ad, PATH);
-        ad.u.fs.path.dentry = old_dentry;
+        ad.u.path.dentry = old_dentry;
        rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
                          DIR__REMOVE_NAME | DIR__SEARCH, &ad);
        if (rc)
@@ -1685,7 +1685,7 @@ static inline int may_rename(struct inode *old_dir,
                        return rc;
        }
-        ad.u.fs.path.dentry = new_dentry;
+        ad.u.path.dentry = new_dentry;
        av = DIR__ADD_NAME | DIR__SEARCH;
        if (new_dentry->d_inode)
                av |= DIR__REMOVE_NAME;
@@ -1991,8 +1991,8 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
                        return rc;
        }
-        COMMON_AUDIT_DATA_INIT(&ad, FS);
+        COMMON_AUDIT_DATA_INIT(&ad, PATH);
-        ad.u.fs.path = bprm->file->f_path;
+        ad.u.path = bprm->file->f_path;
        if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
                new_tsec->sid = old_tsec->sid;
@@ -2120,7 +2120,7 @@ static inline void flush_unauthorized_files(const struct cred *cred,
        /* Revalidate access to inherited open files. */
-        COMMON_AUDIT_DATA_INIT(&ad, FS);
+        COMMON_AUDIT_DATA_INIT(&ad, INODE);
        spin_lock(&files->file_lock);
        for (;;) {
@@ -2468,8 +2468,8 @@ static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
        if (flags & MS_KERNMOUNT)
                return 0;
-        COMMON_AUDIT_DATA_INIT(&ad, FS);
+        COMMON_AUDIT_DATA_INIT(&ad, PATH);
-        ad.u.fs.path.dentry = sb->s_root;
+        ad.u.path.dentry = sb->s_root;
        return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
 }
@@ -2478,8 +2478,8 @@ static int selinux_sb_statfs(struct dentry *dentry)
        const struct cred *cred = current_cred();
        struct common_audit_data ad;
-        COMMON_AUDIT_DATA_INIT(&ad, FS);
+        COMMON_AUDIT_DATA_INIT(&ad, PATH);
-        ad.u.fs.path.dentry = dentry->d_sb->s_root;
+        ad.u.path.dentry = dentry->d_sb->s_root;
        return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
 }
@@ -2653,8 +2653,8 @@ static int selinux_inode_permission(struct inode *inode, int mask, unsigned flag
        if (!mask)
                return 0;
-        COMMON_AUDIT_DATA_INIT(&ad, FS);
+        COMMON_AUDIT_DATA_INIT(&ad, INODE);
-        ad.u.fs.inode = inode;
+        ad.u.inode = inode;
        if (from_access)
                ad.selinux_audit_data.auditdeny |= FILE__AUDIT_ACCESS;
@@ -2732,8 +2732,8 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
        if (!is_owner_or_cap(inode))
                return -EPERM;
-        COMMON_AUDIT_DATA_INIT(&ad, FS);
+        COMMON_AUDIT_DATA_INIT(&ad, PATH);
-        ad.u.fs.path.dentry = dentry;
+        ad.u.path.dentry = dentry;
        rc = avc_has_perm(sid, isec->sid, isec->sclass,
                          FILE__RELABELFROM, &ad);
diff --git a/security/smack/smack.h b/security/smack/smack.h
index b449cfdad21c..a16925c0e91a 100644
--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -316,22 +316,22 @@ static inline void smk_ad_setfield_u_tsk(struct smk_audit_info *a,
 static inline void smk_ad_setfield_u_fs_path_dentry(struct smk_audit_info *a,
                                                    struct dentry *d)
 {
-        a->a.u.fs.path.dentry = d;
+        a->a.u.path.dentry = d;
 }
 static inline void smk_ad_setfield_u_fs_path_mnt(struct smk_audit_info *a,
                                                 struct vfsmount *m)
 {
-        a->a.u.fs.path.mnt = m;
+        a->a.u.path.mnt = m;
 }
 static inline void smk_ad_setfield_u_fs_inode(struct smk_audit_info *a,
                                              struct inode *i)
 {
-        a->a.u.fs.inode = i;
+        a->a.u.inode = i;
 }
 static inline void smk_ad_setfield_u_fs_path(struct smk_audit_info *a,
                                             struct path p)
 {
-        a->a.u.fs.path = p;
+        a->a.u.path = p;
 }
 static inline void smk_ad_setfield_u_net_sk(struct smk_audit_info *a,
                                            struct sock *sk)
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 42fcb47747a3..eeb393fbf925 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -383,7 +383,7 @@ static int smack_sb_statfs(struct dentry *dentry)
        int rc;
        struct smk_audit_info ad;
-        smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);
+        smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
        smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
        rc = smk_curacc(sbp->smk_floor, MAY_READ, &ad);
@@ -407,7 +407,7 @@ static int smack_sb_mount(char *dev_name, struct path *path,
        struct superblock_smack *sbp = path->mnt->mnt_sb->s_security;
        struct smk_audit_info ad;
-        smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);
+        smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
        smk_ad_setfield_u_fs_path(&ad, *path);
        return smk_curacc(sbp->smk_floor, MAY_WRITE, &ad);
@@ -426,7 +426,7 @@ static int smack_sb_umount(struct vfsmount *mnt, int flags)
        struct superblock_smack *sbp;
        struct smk_audit_info ad;
-        smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);
+        smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
        smk_ad_setfield_u_fs_path_dentry(&ad, mnt->mnt_root);
        smk_ad_setfield_u_fs_path_mnt(&ad, mnt);
@@ -563,7 +563,7 @@ static int smack_inode_link(struct dentry *old_dentry, struct inode *dir,
        struct smk_audit_info ad;
        int rc;
-        smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);
+        smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
        smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry);
        isp = smk_of_inode(old_dentry->d_inode);
@@ -592,7 +592,7 @@ static int smack_inode_unlink(struct inode *dir, struct dentry *dentry)
        struct smk_audit_info ad;
        int rc;
-        smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);
+        smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
        smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
        /*
@@ -623,7 +623,7 @@ static int smack_inode_rmdir(struct inode *dir, struct dentry *dentry)
        struct smk_audit_info ad;
        int rc;
-        smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);
+        smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
        smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
        /*
@@ -663,7 +663,7 @@ static int smack_inode_rename(struct inode *old_inode,
        char *isp;
        struct smk_audit_info ad;
-        smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);
+        smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
        smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry);
        isp = smk_of_inode(old_dentry->d_inode);
@@ -700,7 +700,7 @@ static int smack_inode_permission(struct inode *inode, int mask, unsigned flags)
        /* May be droppable after audit */
        if (flags & IPERM_FLAG_RCU)
                return -ECHILD;
-        smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);
+        smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE);
        smk_ad_setfield_u_fs_inode(&ad, inode);
        return smk_curacc(smk_of_inode(inode), mask, &ad);
 }
@@ -720,7 +720,7 @@ static int smack_inode_setattr(struct dentry *dentry, struct iattr *iattr)
         */
        if (iattr->ia_valid & ATTR_FORCE)
                return 0;
-        smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);
+        smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
        smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
        return smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE, &ad);
@@ -737,7 +737,7 @@ static int smack_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
 {
        struct smk_audit_info ad;
-        smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);
+        smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
        smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
        smk_ad_setfield_u_fs_path_mnt(&ad, mnt);
        return smk_curacc(smk_of_inode(dentry->d_inode), MAY_READ, &ad);
@@ -784,7 +784,7 @@ static int smack_inode_setxattr(struct dentry *dentry, const char *name,
        } else
                rc = cap_inode_setxattr(dentry, name, value, size, flags);
-        smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);
+        smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
        smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
        if (rc == 0)
@@ -845,7 +845,7 @@ static int smack_inode_getxattr(struct dentry *dentry, const char *name)
 {
        struct smk_audit_info ad;
-        smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);
+        smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
        smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
        return smk_curacc(smk_of_inode(dentry->d_inode), MAY_READ, &ad);
@@ -877,7 +877,7 @@ static int smack_inode_removexattr(struct dentry *dentry, const char *name)
        } else
                rc = cap_inode_removexattr(dentry, name);
-        smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);
+        smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
        smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
        if (rc == 0)
                rc = smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE, &ad);
@@ -1047,7 +1047,7 @@ static int smack_file_ioctl(struct file *file, unsigned int cmd,
        int rc = 0;
        struct smk_audit_info ad;
-        smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);
+        smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
        smk_ad_setfield_u_fs_path(&ad, file->f_path);
        if (_IOC_DIR(cmd) & _IOC_WRITE)
@@ -1070,7 +1070,7 @@ static int smack_file_lock(struct file *file, unsigned int cmd)
 {
        struct smk_audit_info ad;
-        smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);
+        smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
        smk_ad_setfield_u_fs_path_dentry(&ad, file->f_path.dentry);
        return smk_curacc(file->f_security, MAY_WRITE, &ad);
 }
@@ -1089,7 +1089,7 @@ static int smack_file_fcntl(struct file *file, unsigned int cmd,
        struct smk_audit_info ad;
        int rc;
-        smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);
+        smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
        smk_ad_setfield_u_fs_path(&ad, file->f_path);
        switch (cmd) {
author	Eric Paris <eparis@redhat.com>	2011-04-25 12:54:27 -0400
committer	Eric Paris <eparis@redhat.com>	2011-04-25 18:13:15 -0400
commit	f48b7399840b453e7282b523f535561fe9638a2d (patch)
tree	29eed009469d35473367708ea60b9c5b01fc0c5f /security
parent	0dc1ba24f7fff659725eecbba2c9ad679a0954cd (diff)

diff --git a/security/lsm_audit.c b/security/lsm_audit.c index 908aa712816a..2e846052cbf4 100644 --- a/security/lsm_audit.c +++ b/security/lsm_audit.c
@@ -210,7 +210,6 @@ static inline void print_ipv4_addr(struct audit_buffer *ab, __be32 addr,
210	static void dump_common_audit_data(struct audit_buffer *ab,	210	static void dump_common_audit_data(struct audit_buffer *ab,
211	struct common_audit_data *a)	211	struct common_audit_data *a)
212	{	212	{
213	struct inode *inode = NULL;
214	struct task_struct *tsk = current;	213	struct task_struct *tsk = current;
215		214
216	if (a->tsk)	215	if (a->tsk)
@@ -229,33 +228,40 @@ static void dump_common_audit_data(struct audit_buffer *ab,
229	case LSM_AUDIT_DATA_CAP:	228	case LSM_AUDIT_DATA_CAP:
230	audit_log_format(ab, " capability=%d ", a->u.cap);	229	audit_log_format(ab, " capability=%d ", a->u.cap);
231	break;	230	break;
232	case LSM_AUDIT_DATA_FS:	231	case LSM_AUDIT_DATA_PATH: {
233	if (a->u.fs.path.dentry) {	232	struct dentry *dentry = a->u.path.dentry;
234	struct dentry *dentry = a->u.fs.path.dentry;	233	struct inode *inode;
235	if (a->u.fs.path.mnt) {	234
236	audit_log_d_path(ab, "path=", &a->u.fs.path);	235	if (a->u.path.mnt) {
237	} else {	236	audit_log_d_path(ab, "path=", &a->u.path);
238	audit_log_format(ab, " name=");	237	} else {
239	audit_log_untrustedstring(ab,	238	audit_log_format(ab, " name=");
240	dentry->d_name.name);	239	audit_log_untrustedstring(ab,
241	}	240	dentry->d_name.name);
242	inode = dentry->d_inode;
243	} else if (a->u.fs.inode) {
244	struct dentry *dentry;
245	inode = a->u.fs.inode;
246	dentry = d_find_alias(inode);
247	if (dentry) {
248	audit_log_format(ab, " name=");
249	audit_log_untrustedstring(ab,
250	dentry->d_name.name);
251	dput(dentry);
252	}
253	}	241	}
		242	inode = dentry->d_inode;
254	if (inode)	243	if (inode)
255	audit_log_format(ab, " dev=%s ino=%lu",	244	audit_log_format(ab, " dev=%s ino=%lu",
256	inode->i_sb->s_id,	245	inode->i_sb->s_id,
257	inode->i_ino);	246	inode->i_ino);
258	break;	247	break;
		248	}
		249	case LSM_AUDIT_DATA_INODE: {
		250	struct dentry *dentry;
		251	struct inode *inode;
		252
		253	inode = a->u.inode;
		254	dentry = d_find_alias(inode);
		255	if (dentry) {
		256	audit_log_format(ab, " name=");
		257	audit_log_untrustedstring(ab,
		258	dentry->d_name.name);
		259	dput(dentry);
		260	}
		261	audit_log_format(ab, " dev=%s ino=%lu", inode->i_sb->s_id,
		262	inode->i_ino);
		263	break;
		264	}
259	case LSM_AUDIT_DATA_TASK:	265	case LSM_AUDIT_DATA_TASK:
260	tsk = a->u.tsk;	266	tsk = a->u.tsk;
261	if (tsk && tsk->pid) {	267	if (tsk && tsk->pid) {


diff --git a/security/selinux/avc.c b/security/selinux/avc.c index 1d027e29ce8d..ce742f1778e1 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c
@@ -531,7 +531,7 @@ int avc_audit(u32 ssid, u32 tsid,
531	* during retry. However this is logically just as if the operation	531	* during retry. However this is logically just as if the operation
532	* happened a little later.	532	* happened a little later.
533	*/	533	*/
534	if ((a->type == LSM_AUDIT_DATA_FS) &&	534	if ((a->type == LSM_AUDIT_DATA_INODE) &&
535	(flags & IPERM_FLAG_RCU))	535	(flags & IPERM_FLAG_RCU))
536	return -ECHILD;	536	return -ECHILD;
537		537


diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index ed5f29aa0a38..ad664d3056eb 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c
@@ -1488,8 +1488,8 @@ static int inode_has_perm(const struct cred *cred,
1488		1488
1489	if (!adp) {	1489	if (!adp) {
1490	adp = &ad;	1490	adp = &ad;
1491	COMMON_AUDIT_DATA_INIT(&ad, FS);	1491	COMMON_AUDIT_DATA_INIT(&ad, INODE);
1492	ad.u.fs.inode = inode;	1492	ad.u.inode = inode;
1493	}	1493	}
1494		1494
1495	return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags);	1495	return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags);
@@ -1506,9 +1506,9 @@ static inline int dentry_has_perm(const struct cred *cred,
1506	struct inode *inode = dentry->d_inode;	1506	struct inode *inode = dentry->d_inode;
1507	struct common_audit_data ad;	1507	struct common_audit_data ad;
1508		1508
1509	COMMON_AUDIT_DATA_INIT(&ad, FS);	1509	COMMON_AUDIT_DATA_INIT(&ad, PATH);
1510	ad.u.fs.path.mnt = mnt;	1510	ad.u.path.mnt = mnt;
1511	ad.u.fs.path.dentry = dentry;	1511	ad.u.path.dentry = dentry;
1512	return inode_has_perm(cred, inode, av, &ad, 0);	1512	return inode_has_perm(cred, inode, av, &ad, 0);
1513	}	1513	}
1514		1514
@@ -1530,8 +1530,8 @@ static int file_has_perm(const struct cred *cred,
1530	u32 sid = cred_sid(cred);	1530	u32 sid = cred_sid(cred);
1531	int rc;	1531	int rc;
1532		1532
1533	COMMON_AUDIT_DATA_INIT(&ad, FS);	1533	COMMON_AUDIT_DATA_INIT(&ad, PATH);
1534	ad.u.fs.path = file->f_path;	1534	ad.u.path = file->f_path;
1535		1535
1536	if (sid != fsec->sid) {	1536	if (sid != fsec->sid) {
1537	rc = avc_has_perm(sid, fsec->sid,	1537	rc = avc_has_perm(sid, fsec->sid,
@@ -1569,8 +1569,8 @@ static int may_create(struct inode *dir,
1569	sid = tsec->sid;	1569	sid = tsec->sid;
1570	newsid = tsec->create_sid;	1570	newsid = tsec->create_sid;
1571		1571
1572	COMMON_AUDIT_DATA_INIT(&ad, FS);	1572	COMMON_AUDIT_DATA_INIT(&ad, PATH);
1573	ad.u.fs.path.dentry = dentry;	1573	ad.u.path.dentry = dentry;
1574		1574
1575	rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,	1575	rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1576	DIR__ADD_NAME \| DIR__SEARCH,	1576	DIR__ADD_NAME \| DIR__SEARCH,
@@ -1621,8 +1621,8 @@ static int may_link(struct inode *dir,
1621	dsec = dir->i_security;	1621	dsec = dir->i_security;
1622	isec = dentry->d_inode->i_security;	1622	isec = dentry->d_inode->i_security;
1623		1623
1624	COMMON_AUDIT_DATA_INIT(&ad, FS);	1624	COMMON_AUDIT_DATA_INIT(&ad, PATH);
1625	ad.u.fs.path.dentry = dentry;	1625	ad.u.path.dentry = dentry;
1626		1626
1627	av = DIR__SEARCH;	1627	av = DIR__SEARCH;
1628	av \|= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);	1628	av \|= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
@@ -1667,9 +1667,9 @@ static inline int may_rename(struct inode *old_dir,
1667	old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);	1667	old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1668	new_dsec = new_dir->i_security;	1668	new_dsec = new_dir->i_security;
1669		1669
1670	COMMON_AUDIT_DATA_INIT(&ad, FS);	1670	COMMON_AUDIT_DATA_INIT(&ad, PATH);
1671		1671
1672	ad.u.fs.path.dentry = old_dentry;	1672	ad.u.path.dentry = old_dentry;
1673	rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,	1673	rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1674	DIR__REMOVE_NAME \| DIR__SEARCH, &ad);	1674	DIR__REMOVE_NAME \| DIR__SEARCH, &ad);
1675	if (rc)	1675	if (rc)
@@ -1685,7 +1685,7 @@ static inline int may_rename(struct inode *old_dir,
1685	return rc;	1685	return rc;
1686	}	1686	}
1687		1687
1688	ad.u.fs.path.dentry = new_dentry;	1688	ad.u.path.dentry = new_dentry;
1689	av = DIR__ADD_NAME \| DIR__SEARCH;	1689	av = DIR__ADD_NAME \| DIR__SEARCH;
1690	if (new_dentry->d_inode)	1690	if (new_dentry->d_inode)
1691	av \|= DIR__REMOVE_NAME;	1691	av \|= DIR__REMOVE_NAME;
@@ -1991,8 +1991,8 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1991	return rc;	1991	return rc;
1992	}	1992	}
1993		1993
1994	COMMON_AUDIT_DATA_INIT(&ad, FS);	1994	COMMON_AUDIT_DATA_INIT(&ad, PATH);
1995	ad.u.fs.path = bprm->file->f_path;	1995	ad.u.path = bprm->file->f_path;
1996		1996
1997	if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)	1997	if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1998	new_tsec->sid = old_tsec->sid;	1998	new_tsec->sid = old_tsec->sid;
@@ -2120,7 +2120,7 @@ static inline void flush_unauthorized_files(const struct cred *cred,
2120		2120
2121	/* Revalidate access to inherited open files. */	2121	/* Revalidate access to inherited open files. */
2122		2122
2123	COMMON_AUDIT_DATA_INIT(&ad, FS);	2123	COMMON_AUDIT_DATA_INIT(&ad, INODE);
2124		2124
2125	spin_lock(&files->file_lock);	2125	spin_lock(&files->file_lock);
2126	for (;;) {	2126	for (;;) {
@@ -2468,8 +2468,8 @@ static int selinux_sb_kern_mount(struct super_block sb, int flags, void data)
2468	if (flags & MS_KERNMOUNT)	2468	if (flags & MS_KERNMOUNT)
2469	return 0;	2469	return 0;
2470		2470
2471	COMMON_AUDIT_DATA_INIT(&ad, FS);	2471	COMMON_AUDIT_DATA_INIT(&ad, PATH);
2472	ad.u.fs.path.dentry = sb->s_root;	2472	ad.u.path.dentry = sb->s_root;
2473	return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);	2473	return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2474	}	2474	}
2475		2475
@@ -2478,8 +2478,8 @@ static int selinux_sb_statfs(struct dentry *dentry)
2478	const struct cred *cred = current_cred();	2478	const struct cred *cred = current_cred();
2479	struct common_audit_data ad;	2479	struct common_audit_data ad;
2480		2480
2481	COMMON_AUDIT_DATA_INIT(&ad, FS);	2481	COMMON_AUDIT_DATA_INIT(&ad, PATH);
2482	ad.u.fs.path.dentry = dentry->d_sb->s_root;	2482	ad.u.path.dentry = dentry->d_sb->s_root;
2483	return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);	2483	return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2484	}	2484	}
2485		2485
@@ -2653,8 +2653,8 @@ static int selinux_inode_permission(struct inode *inode, int mask, unsigned flag
2653	if (!mask)	2653	if (!mask)
2654	return 0;	2654	return 0;
2655		2655
2656	COMMON_AUDIT_DATA_INIT(&ad, FS);	2656	COMMON_AUDIT_DATA_INIT(&ad, INODE);
2657	ad.u.fs.inode = inode;	2657	ad.u.inode = inode;
2658		2658
2659	if (from_access)	2659	if (from_access)
2660	ad.selinux_audit_data.auditdeny \|= FILE__AUDIT_ACCESS;	2660	ad.selinux_audit_data.auditdeny \|= FILE__AUDIT_ACCESS;
@@ -2732,8 +2732,8 @@ static int selinux_inode_setxattr(struct dentry dentry, const char name,
2732	if (!is_owner_or_cap(inode))	2732	if (!is_owner_or_cap(inode))
2733	return -EPERM;	2733	return -EPERM;
2734		2734
2735	COMMON_AUDIT_DATA_INIT(&ad, FS);	2735	COMMON_AUDIT_DATA_INIT(&ad, PATH);
2736	ad.u.fs.path.dentry = dentry;	2736	ad.u.path.dentry = dentry;
2737		2737
2738	rc = avc_has_perm(sid, isec->sid, isec->sclass,	2738	rc = avc_has_perm(sid, isec->sid, isec->sclass,
2739	FILE__RELABELFROM, &ad);	2739	FILE__RELABELFROM, &ad);


diff --git a/security/smack/smack.h b/security/smack/smack.h index b449cfdad21c..a16925c0e91a 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h
@@ -316,22 +316,22 @@ static inline void smk_ad_setfield_u_tsk(struct smk_audit_info *a,
316	static inline void smk_ad_setfield_u_fs_path_dentry(struct smk_audit_info *a,	316	static inline void smk_ad_setfield_u_fs_path_dentry(struct smk_audit_info *a,
317	struct dentry *d)	317	struct dentry *d)
318	{	318	{
319	a->a.u.fs.path.dentry = d;	319	a->a.u.path.dentry = d;
320	}	320	}
321	static inline void smk_ad_setfield_u_fs_path_mnt(struct smk_audit_info *a,	321	static inline void smk_ad_setfield_u_fs_path_mnt(struct smk_audit_info *a,
322	struct vfsmount *m)	322	struct vfsmount *m)
323	{	323	{
324	a->a.u.fs.path.mnt = m;	324	a->a.u.path.mnt = m;
325	}	325	}
326	static inline void smk_ad_setfield_u_fs_inode(struct smk_audit_info *a,	326	static inline void smk_ad_setfield_u_fs_inode(struct smk_audit_info *a,
327	struct inode *i)	327	struct inode *i)
328	{	328	{
329	a->a.u.fs.inode = i;	329	a->a.u.inode = i;
330	}	330	}
331	static inline void smk_ad_setfield_u_fs_path(struct smk_audit_info *a,	331	static inline void smk_ad_setfield_u_fs_path(struct smk_audit_info *a,
332	struct path p)	332	struct path p)
333	{	333	{
334	a->a.u.fs.path = p;	334	a->a.u.path = p;
335	}	335	}
336	static inline void smk_ad_setfield_u_net_sk(struct smk_audit_info *a,	336	static inline void smk_ad_setfield_u_net_sk(struct smk_audit_info *a,
337	struct sock *sk)	337	struct sock *sk)


diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 42fcb47747a3..eeb393fbf925 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c
@@ -383,7 +383,7 @@ static int smack_sb_statfs(struct dentry *dentry)
383	int rc;	383	int rc;
384	struct smk_audit_info ad;	384	struct smk_audit_info ad;
385		385
386	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);	386	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
387	smk_ad_setfield_u_fs_path_dentry(&ad, dentry);	387	smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
388		388
389	rc = smk_curacc(sbp->smk_floor, MAY_READ, &ad);	389	rc = smk_curacc(sbp->smk_floor, MAY_READ, &ad);
@@ -407,7 +407,7 @@ static int smack_sb_mount(char dev_name, struct path path,
407	struct superblock_smack *sbp = path->mnt->mnt_sb->s_security;	407	struct superblock_smack *sbp = path->mnt->mnt_sb->s_security;
408	struct smk_audit_info ad;	408	struct smk_audit_info ad;
409		409
410	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);	410	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
411	smk_ad_setfield_u_fs_path(&ad, *path);	411	smk_ad_setfield_u_fs_path(&ad, *path);
412		412
413	return smk_curacc(sbp->smk_floor, MAY_WRITE, &ad);	413	return smk_curacc(sbp->smk_floor, MAY_WRITE, &ad);
@@ -426,7 +426,7 @@ static int smack_sb_umount(struct vfsmount *mnt, int flags)
426	struct superblock_smack *sbp;	426	struct superblock_smack *sbp;
427	struct smk_audit_info ad;	427	struct smk_audit_info ad;
428		428
429	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);	429	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
430	smk_ad_setfield_u_fs_path_dentry(&ad, mnt->mnt_root);	430	smk_ad_setfield_u_fs_path_dentry(&ad, mnt->mnt_root);
431	smk_ad_setfield_u_fs_path_mnt(&ad, mnt);	431	smk_ad_setfield_u_fs_path_mnt(&ad, mnt);
432		432
@@ -563,7 +563,7 @@ static int smack_inode_link(struct dentry old_dentry, struct inode dir,
563	struct smk_audit_info ad;	563	struct smk_audit_info ad;
564	int rc;	564	int rc;
565		565
566	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);	566	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
567	smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry);	567	smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry);
568		568
569	isp = smk_of_inode(old_dentry->d_inode);	569	isp = smk_of_inode(old_dentry->d_inode);
@@ -592,7 +592,7 @@ static int smack_inode_unlink(struct inode dir, struct dentry dentry)
592	struct smk_audit_info ad;	592	struct smk_audit_info ad;
593	int rc;	593	int rc;
594		594
595	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);	595	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
596	smk_ad_setfield_u_fs_path_dentry(&ad, dentry);	596	smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
597		597
598	/*	598	/*
@@ -623,7 +623,7 @@ static int smack_inode_rmdir(struct inode dir, struct dentry dentry)
623	struct smk_audit_info ad;	623	struct smk_audit_info ad;
624	int rc;	624	int rc;
625		625
626	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);	626	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
627	smk_ad_setfield_u_fs_path_dentry(&ad, dentry);	627	smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
628		628
629	/*	629	/*
@@ -663,7 +663,7 @@ static int smack_inode_rename(struct inode *old_inode,
663	char *isp;	663	char *isp;
664	struct smk_audit_info ad;	664	struct smk_audit_info ad;
665		665
666	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);	666	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
667	smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry);	667	smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry);
668		668
669	isp = smk_of_inode(old_dentry->d_inode);	669	isp = smk_of_inode(old_dentry->d_inode);
@@ -700,7 +700,7 @@ static int smack_inode_permission(struct inode *inode, int mask, unsigned flags)
700	/* May be droppable after audit */	700	/* May be droppable after audit */
701	if (flags & IPERM_FLAG_RCU)	701	if (flags & IPERM_FLAG_RCU)
702	return -ECHILD;	702	return -ECHILD;
703	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);	703	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE);
704	smk_ad_setfield_u_fs_inode(&ad, inode);	704	smk_ad_setfield_u_fs_inode(&ad, inode);
705	return smk_curacc(smk_of_inode(inode), mask, &ad);	705	return smk_curacc(smk_of_inode(inode), mask, &ad);
706	}	706	}
@@ -720,7 +720,7 @@ static int smack_inode_setattr(struct dentry dentry, struct iattr iattr)
720	*/	720	*/
721	if (iattr->ia_valid & ATTR_FORCE)	721	if (iattr->ia_valid & ATTR_FORCE)
722	return 0;	722	return 0;
723	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);	723	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
724	smk_ad_setfield_u_fs_path_dentry(&ad, dentry);	724	smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
725		725
726	return smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE, &ad);	726	return smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE, &ad);
@@ -737,7 +737,7 @@ static int smack_inode_getattr(struct vfsmount mnt, struct dentry dentry)
737	{	737	{
738	struct smk_audit_info ad;	738	struct smk_audit_info ad;
739		739
740	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);	740	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
741	smk_ad_setfield_u_fs_path_dentry(&ad, dentry);	741	smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
742	smk_ad_setfield_u_fs_path_mnt(&ad, mnt);	742	smk_ad_setfield_u_fs_path_mnt(&ad, mnt);
743	return smk_curacc(smk_of_inode(dentry->d_inode), MAY_READ, &ad);	743	return smk_curacc(smk_of_inode(dentry->d_inode), MAY_READ, &ad);
@@ -784,7 +784,7 @@ static int smack_inode_setxattr(struct dentry dentry, const char name,
784	} else	784	} else
785	rc = cap_inode_setxattr(dentry, name, value, size, flags);	785	rc = cap_inode_setxattr(dentry, name, value, size, flags);
786		786
787	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);	787	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
788	smk_ad_setfield_u_fs_path_dentry(&ad, dentry);	788	smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
789		789
790	if (rc == 0)	790	if (rc == 0)
@@ -845,7 +845,7 @@ static int smack_inode_getxattr(struct dentry dentry, const char name)
845	{	845	{
846	struct smk_audit_info ad;	846	struct smk_audit_info ad;
847		847
848	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);	848	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
849	smk_ad_setfield_u_fs_path_dentry(&ad, dentry);	849	smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
850		850
851	return smk_curacc(smk_of_inode(dentry->d_inode), MAY_READ, &ad);	851	return smk_curacc(smk_of_inode(dentry->d_inode), MAY_READ, &ad);
@@ -877,7 +877,7 @@ static int smack_inode_removexattr(struct dentry dentry, const char name)
877	} else	877	} else
878	rc = cap_inode_removexattr(dentry, name);	878	rc = cap_inode_removexattr(dentry, name);
879		879
880	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);	880	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
881	smk_ad_setfield_u_fs_path_dentry(&ad, dentry);	881	smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
882	if (rc == 0)	882	if (rc == 0)
883	rc = smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE, &ad);	883	rc = smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE, &ad);
@@ -1047,7 +1047,7 @@ static int smack_file_ioctl(struct file *file, unsigned int cmd,
1047	int rc = 0;	1047	int rc = 0;
1048	struct smk_audit_info ad;	1048	struct smk_audit_info ad;
1049		1049
1050	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);	1050	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
1051	smk_ad_setfield_u_fs_path(&ad, file->f_path);	1051	smk_ad_setfield_u_fs_path(&ad, file->f_path);
1052		1052
1053	if (_IOC_DIR(cmd) & _IOC_WRITE)	1053	if (_IOC_DIR(cmd) & _IOC_WRITE)
@@ -1070,7 +1070,7 @@ static int smack_file_lock(struct file *file, unsigned int cmd)
1070	{	1070	{
1071	struct smk_audit_info ad;	1071	struct smk_audit_info ad;
1072		1072
1073	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);	1073	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
1074	smk_ad_setfield_u_fs_path_dentry(&ad, file->f_path.dentry);	1074	smk_ad_setfield_u_fs_path_dentry(&ad, file->f_path.dentry);
1075	return smk_curacc(file->f_security, MAY_WRITE, &ad);	1075	return smk_curacc(file->f_security, MAY_WRITE, &ad);
1076	}	1076	}
@@ -1089,7 +1089,7 @@ static int smack_file_fcntl(struct file *file, unsigned int cmd,
1089	struct smk_audit_info ad;	1089	struct smk_audit_info ad;
1090	int rc;	1090	int rc;
1091		1091
1092	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);	1092	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
1093	smk_ad_setfield_u_fs_path(&ad, file->f_path);	1093	smk_ad_setfield_u_fs_path(&ad, file->f_path);
1094		1094
1095	switch (cmd) {	1095	switch (cmd) {