author | Linus Torvalds <torvalds@linux-foundation.org> | 2013-07-03 12:10:19 -0400 |
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2013-07-03 12:10:19 -0400 |
commit | 790eac5640abf7a57fa3a644386df330e18c11b0 (patch) | |
tree | 08de20bde44f59e51b91ff473a71047c2957e8c9 /security | |
parent | 0b0585c3e192967cb2ef0ac0816eb8a8c8d99840 (diff) | |
parent | 48bde8d3620f5f3c6ae9ff599eb404055ae51664 (diff) |
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
Pull second set of VFS changes from Al Viro:
"Assorted f_pos race fixes, making do_splice_direct() safe to call with
i_mutex on parent, O_TMPFILE support, Jeff's locks.c series,
->d_hash/->d_compare calling conventions changes from Linus, misc
stuff all over the place."
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: (63 commits)
Document ->tmpfile()
ext4: ->tmpfile() support
vfs: export lseek_execute() to modules
lseek_execute() doesn't need an inode passed to it
block_dev: switch to fixed_size_llseek()
cpqphp_sysfs: switch to fixed_size_llseek()
tile-srom: switch to fixed_size_llseek()
proc_powerpc: switch to fixed_size_llseek()
ubi/cdev: switch to fixed_size_llseek()
pci/proc: switch to fixed_size_llseek()
isapnp: switch to fixed_size_llseek()
lpfc: switch to fixed_size_llseek()
locks: give the blocked_hash its own spinlock
locks: add a new "lm_owner_key" lock operation
locks: turn the blocked_list into a hashtable
locks: convert fl_link to a hlist_node
locks: avoid taking global lock if possible when waking up blocked waiters
locks: protect most of the file_lock handling with i_lock
locks: encapsulate the fl_link list handling
locks: make "added" in __posix_lock_file a bool
...
Diffstat (limited to 'security')
-rw-r--r-- | security/integrity/ima/ima_main.c | 2 | ||||
-rw-r--r-- | security/selinux/hooks.c | 24 |
2 files changed, 19 insertions, 7 deletions
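--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -57,7 +57,7 @@ __setup("ima_hash=", hash_setup);
 static void ima_rdwr_violation_check(struct file *file)
 {
 	struct dentry *dentry = file->f_path.dentry;
-	struct inode *inode = dentry->d_inode;
+	struct inode *inode = file_inode(file);
 	fmode_t mode = file->f_mode;
 	int must_measure;
 	bool send_tomtou = false, send_writers = false;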
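Review bot: After this change `inode` comes from file_inode(file) while `dentry` on the line above is still taken from file->f_path.dentry, so the function now mixes two sources that the file_inode() accessor exists to keep separable; if `dentry` is later used for anything inode-related in ima_rdwr_violation_check (its body continues outside the hunk), that use should be re-checked for consistency with `inode`. If `dentry` is only needed for the path itself, a short comment would make the split deliberate, e.g. `/* dentry is for the audit path only; the measured object is file_inode(file) */`. This is a consistency question, not a defect I can point to from the visible lines.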
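--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1547,6 +1547,18 @@ static inline int path_has_perm(const struct cred *cred,
 	return inode_has_perm(cred, inode, av, &ad, 0);
 }
 
+/* Same as path_has_perm, but uses the inode from the file struct. */
+static inline int file_path_has_perm(const struct cred *cred,
+				     struct file *file,
+				     u32 av)
+{
+	struct common_audit_data ad;
+
+	ad.type = LSM_AUDIT_DATA_PATH;
+	ad.u.path = file->f_path;
+	return inode_has_perm(cred, file_inode(file), av, &ad, 0);
+}
+
 /* Check whether a task can use an open file descriptor to
    access an inode in a given way. Check access to the
    descriptor itself, and then use dentry_has_perm to
@@ -2141,14 +2153,14 @@ static inline void flush_unauthorized_files(const struct cred *cred,
 			struct tty_file_private *file_priv;
 
 			/* Revalidate access to controlling tty.
-			   Use path_has_perm on the tty path directly rather
-			   than using file_has_perm, as this particular open
-			   file may belong to another process and we are only
-			   interested in the inode-based check here. */
+			   Use file_path_has_perm on the tty path directly
+			   rather than using file_has_perm, as this particular
+			   open file may belong to another process and we are
+			   only interested in the inode-based check here. */
 			file_priv = list_first_entry(&tty->tty_files,
 						     struct tty_file_private, list);
 			file = file_priv->file;
-			if (path_has_perm(cred, &file->f_path, FILE__READ | FILE__WRITE))
+			if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
 				drop_tty = 1;
 		}
 		spin_unlock(&tty_files_lock);
@@ -3259,7 +3271,7 @@ static int selinux_file_open(struct file *file, const struct cred *cred)
 	 * new inode label or new policy.
 	 * This check is not redundant - do not remove.
 	 */
-	return path_has_perm(cred, &file->f_path, open_file_to_av(file));
+	return file_path_has_perm(cred, file, open_file_to_av(file));
 }
 
 /* task security operations */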
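Review bot: The comment on the new file_path_has_perm helper in the first hunk says only that it "uses the inode from the file struct", which tells a reader what differs from path_has_perm but not when to prefer it, and the two remain side by side in the file with one converted caller each in the later hunks. I would extend it to state the rule the conversions follow: `/* Same as path_has_perm, but takes the inode from file_inode(file) rather than from f_path.dentry; use this whenever a struct file is at hand so the check applies to the inode the file actually operates on, which the file_inode() accessor is presumably meant to keep distinct from the path's dentry. */`. The audit data is filled the same way in both helpers (type and u.path only), so that part needs no comment. path_has_perm itself starts before the hunk and the "Check whether a task can use an open file descriptor" comment continues after it.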