diff options
| -rw-r--r-- | fs/namei.c | 17 | ||||
| -rw-r--r-- | include/linux/security.h | 7 | ||||
| -rw-r--r-- | security/security.c | 10 |
3 files changed, 7 insertions, 27 deletions
diff --git a/fs/namei.c b/fs/namei.c index c5c382620a86..21eba95368f2 100644 --- a/fs/namei.c +++ b/fs/namei.c | |||
| @@ -304,7 +304,7 @@ int inode_permission(struct inode *inode, int mask) | |||
| 304 | /** | 304 | /** |
| 305 | * exec_permission - check for right to do lookups in a given directory | 305 | * exec_permission - check for right to do lookups in a given directory |
| 306 | * @inode: inode to check permission on | 306 | * @inode: inode to check permission on |
| 307 | * @flags: IPERM_FLAG_ flags. | 307 | * @mask: MAY_EXEC and possibly MAY_NOT_BLOCK flags. |
| 308 | * | 308 | * |
| 309 | * Short-cut version of inode_permission(), for calling on directories | 309 | * Short-cut version of inode_permission(), for calling on directories |
| 310 | * during pathname resolution. Combines parts of inode_permission() | 310 | * during pathname resolution. Combines parts of inode_permission() |
| @@ -314,13 +314,10 @@ int inode_permission(struct inode *inode, int mask) | |||
| 314 | * short-cut DAC fails, then call ->permission() to do more | 314 | * short-cut DAC fails, then call ->permission() to do more |
| 315 | * complete permission check. | 315 | * complete permission check. |
| 316 | */ | 316 | */ |
| 317 | static inline int exec_permission(struct inode *inode, unsigned int flags) | 317 | static inline int exec_permission(struct inode *inode, int mask) |
| 318 | { | 318 | { |
| 319 | int ret; | 319 | int ret; |
| 320 | struct user_namespace *ns = inode_userns(inode); | 320 | struct user_namespace *ns = inode_userns(inode); |
| 321 | int mask = MAY_EXEC; | ||
| 322 | if (flags & IPERM_FLAG_RCU) | ||
| 323 | mask |= MAY_NOT_BLOCK; | ||
| 324 | 321 | ||
| 325 | if (inode->i_op->permission) { | 322 | if (inode->i_op->permission) { |
| 326 | ret = inode->i_op->permission(inode, mask); | 323 | ret = inode->i_op->permission(inode, mask); |
| @@ -338,7 +335,7 @@ static inline int exec_permission(struct inode *inode, unsigned int flags) | |||
| 338 | } | 335 | } |
| 339 | return ret; | 336 | return ret; |
| 340 | ok: | 337 | ok: |
| 341 | return security_inode_exec_permission(inode, flags); | 338 | return security_inode_permission(inode, mask); |
| 342 | } | 339 | } |
| 343 | 340 | ||
| 344 | /** | 341 | /** |
| @@ -1214,13 +1211,13 @@ retry: | |||
| 1214 | static inline int may_lookup(struct nameidata *nd) | 1211 | static inline int may_lookup(struct nameidata *nd) |
| 1215 | { | 1212 | { |
| 1216 | if (nd->flags & LOOKUP_RCU) { | 1213 | if (nd->flags & LOOKUP_RCU) { |
| 1217 | int err = exec_permission(nd->inode, IPERM_FLAG_RCU); | 1214 | int err = exec_permission(nd->inode, MAY_EXEC|MAY_NOT_BLOCK); |
| 1218 | if (err != -ECHILD) | 1215 | if (err != -ECHILD) |
| 1219 | return err; | 1216 | return err; |
| 1220 | if (unlazy_walk(nd, NULL)) | 1217 | if (unlazy_walk(nd, NULL)) |
| 1221 | return -ECHILD; | 1218 | return -ECHILD; |
| 1222 | } | 1219 | } |
| 1223 | return exec_permission(nd->inode, 0); | 1220 | return exec_permission(nd->inode, MAY_EXEC); |
| 1224 | } | 1221 | } |
| 1225 | 1222 | ||
| 1226 | static inline int handle_dots(struct nameidata *nd, int type) | 1223 | static inline int handle_dots(struct nameidata *nd, int type) |
| @@ -1495,7 +1492,7 @@ static int path_init(int dfd, const char *name, unsigned int flags, | |||
| 1495 | if (!S_ISDIR(dentry->d_inode->i_mode)) | 1492 | if (!S_ISDIR(dentry->d_inode->i_mode)) |
| 1496 | goto fput_fail; | 1493 | goto fput_fail; |
| 1497 | 1494 | ||
| 1498 | retval = exec_permission(dentry->d_inode, 0); | 1495 | retval = exec_permission(dentry->d_inode, MAY_EXEC); |
| 1499 | if (retval) | 1496 | if (retval) |
| 1500 | goto fput_fail; | 1497 | goto fput_fail; |
| 1501 | } | 1498 | } |
| @@ -1652,7 +1649,7 @@ static struct dentry *__lookup_hash(struct qstr *name, | |||
| 1652 | struct dentry *dentry; | 1649 | struct dentry *dentry; |
| 1653 | int err; | 1650 | int err; |
| 1654 | 1651 | ||
| 1655 | err = exec_permission(inode, 0); | 1652 | err = exec_permission(inode, MAY_EXEC); |
| 1656 | if (err) | 1653 | if (err) |
| 1657 | return ERR_PTR(err); | 1654 | return ERR_PTR(err); |
| 1658 | 1655 | ||
diff --git a/include/linux/security.h b/include/linux/security.h index ca02f1716736..ebd2a53a3d07 100644 --- a/include/linux/security.h +++ b/include/linux/security.h | |||
| @@ -1720,7 +1720,6 @@ int security_inode_rename(struct inode *old_dir, struct dentry *old_dentry, | |||
| 1720 | int security_inode_readlink(struct dentry *dentry); | 1720 | int security_inode_readlink(struct dentry *dentry); |
| 1721 | int security_inode_follow_link(struct dentry *dentry, struct nameidata *nd); | 1721 | int security_inode_follow_link(struct dentry *dentry, struct nameidata *nd); |
| 1722 | int security_inode_permission(struct inode *inode, int mask); | 1722 | int security_inode_permission(struct inode *inode, int mask); |
| 1723 | int security_inode_exec_permission(struct inode *inode, unsigned int flags); | ||
| 1724 | int security_inode_setattr(struct dentry *dentry, struct iattr *attr); | 1723 | int security_inode_setattr(struct dentry *dentry, struct iattr *attr); |
| 1725 | int security_inode_getattr(struct vfsmount *mnt, struct dentry *dentry); | 1724 | int security_inode_getattr(struct vfsmount *mnt, struct dentry *dentry); |
| 1726 | int security_inode_setxattr(struct dentry *dentry, const char *name, | 1725 | int security_inode_setxattr(struct dentry *dentry, const char *name, |
| @@ -2113,12 +2112,6 @@ static inline int security_inode_permission(struct inode *inode, int mask) | |||
| 2113 | return 0; | 2112 | return 0; |
| 2114 | } | 2113 | } |
| 2115 | 2114 | ||
| 2116 | static inline int security_inode_exec_permission(struct inode *inode, | ||
| 2117 | unsigned int flags) | ||
| 2118 | { | ||
| 2119 | return 0; | ||
| 2120 | } | ||
| 2121 | |||
| 2122 | static inline int security_inode_setattr(struct dentry *dentry, | 2115 | static inline int security_inode_setattr(struct dentry *dentry, |
| 2123 | struct iattr *attr) | 2116 | struct iattr *attr) |
| 2124 | { | 2117 | { |
diff --git a/security/security.c b/security/security.c index db3b750da353..0e4fccfef12c 100644 --- a/security/security.c +++ b/security/security.c | |||
| @@ -521,16 +521,6 @@ int security_inode_permission(struct inode *inode, int mask) | |||
| 521 | return security_ops->inode_permission(inode, mask); | 521 | return security_ops->inode_permission(inode, mask); |
| 522 | } | 522 | } |
| 523 | 523 | ||
| 524 | int security_inode_exec_permission(struct inode *inode, unsigned int flags) | ||
| 525 | { | ||
| 526 | int mask = MAY_EXEC; | ||
| 527 | if (unlikely(IS_PRIVATE(inode))) | ||
| 528 | return 0; | ||
| 529 | if (flags) | ||
| 530 | mask |= MAY_NOT_BLOCK; | ||
| 531 | return security_ops->inode_permission(inode, mask); | ||
| 532 | } | ||
| 533 | |||
| 534 | int security_inode_setattr(struct dentry *dentry, struct iattr *attr) | 524 | int security_inode_setattr(struct dentry *dentry, struct iattr *attr) |
| 535 | { | 525 | { |
| 536 | if (unlikely(IS_PRIVATE(dentry->d_inode))) | 526 | if (unlikely(IS_PRIVATE(dentry->d_inode))) |