-rw-r--r--fs/namespace.c11
-rw-r--r--include/linux/security.h52
-rw-r--r--security/dummy.c10
-rw-r--r--security/security.c20
-rw-r--r--security/selinux/hooks.c8
-rw-r--r--security/smack/smack_lsm.c4
6 files changed, 53 insertions, 52 deletions
diff --git a/fs/namespace.c b/fs/namespace.c
index af2fb3707d0a..87d2d82010bb 100644
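--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -1220,7 +1220,7 @@ static int graft_tree(struct vfsmount *mnt, struct nameidata *nd)
  if (IS_DEADDIR(nd->path.dentry->d_inode))
  goto out_unlock;
 
- err = security_sb_check_sb(mnt, nd);
+ err = security_sb_check_sb(mnt, &nd->path);
  if (err)
  goto out_unlock;
 
@@ -1230,7 +1230,7 @@ static int graft_tree(struct vfsmount *mnt, struct nameidata *nd)
 out_unlock:
  mutex_unlock(&nd->path.dentry->d_inode->i_mutex);
  if (!err)
- security_sb_post_addmount(mnt, nd);
+ security_sb_post_addmount(mnt, &nd->path);
  return err;
 }
 
@@ -1746,7 +1746,8 @@ long do_mount(char *dev_name, char *dir_name, char *type_page,
  if (retval)
  return retval;
 
- retval = security_sb_mount(dev_name, &nd, type_page, flags, data_page);
+ retval = security_sb_mount(dev_name, &nd.path,
+ type_page, flags, data_page);
  if (retval)
  goto dput_out;
 
@@ -2007,7 +2008,7 @@ asmlinkage long sys_pivot_root(const char __user * new_root,
  if (error)
  goto out1;
 
- error = security_sb_pivotroot(&old_nd, &new_nd);
+ error = security_sb_pivotroot(&old_nd.path, &new_nd.path);
  if (error) {
  path_put(&old_nd.path);
  goto out1;
@@ -2070,7 +2071,7 @@ asmlinkage long sys_pivot_root(const char __user * new_root,
  touch_mnt_namespace(current->nsproxy->mnt_ns);
  spin_unlock(&vfsmount_lock);
  chroot_fs_refs(&user_nd.path, &new_nd.path);
- security_sb_post_pivotroot(&user_nd, &new_nd);
+ security_sb_post_pivotroot(&user_nd.path, &new_nd.path);
  error = 0;
  path_put(&root_parent);
  path_put(&parent_path);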
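Review bot: In sys_pivot_root the two hooks receive different first arguments, `&old_nd.path` for `security_sb_pivotroot()` and `&user_nd.path` for `security_sb_post_pivotroot()`, yet both parameters are now named `old_path`. A security module that correlates the pre- and post-hook could therefore end up comparing two different objects. A one-line comment above the post call, for example `/* old_path here is the previous root (user_nd), not put_old */`, would make the asymmetry visible where the policy hooks are invoked. sys_pivot_root starts and ends outside these hunks, so this rests only on the two visible calls and the hook descriptions in include/linux/security.h.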
diff --git a/include/linux/security.h b/include/linux/security.h
index fea1f4aa4dd5..53a34539382a 100644
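--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -230,7 +230,7 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
  * loopback/bind mount (@flags & MS_BIND), @dev_name identifies the
  * pathname of the object being mounted.
  * @dev_name contains the name for object being mounted.
- * @nd contains the nameidata structure for mount point object.
+ * @path contains the path for mount point object.
  * @type contains the filesystem type.
  * @flags contains the mount flags.
  * @data contains the filesystem-specific data.
@@ -249,7 +249,7 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
  * Check permission before the device with superblock @mnt->sb is mounted
  * on the mount point named by @nd.
  * @mnt contains the vfsmount for device being mounted.
- * @nd contains the nameidata object for the mount point.
+ * @path contains the path for the mount point.
  * Return 0 if permission is granted.
  * @sb_umount:
  * Check permission before the @mnt file system is unmounted.
@@ -278,16 +278,16 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
  * This hook is called any time a mount is successfully grafetd to
  * the tree.
  * @mnt contains the mounted filesystem.
- * @mountpoint_nd contains the nameidata structure for the mount point.
+ * @mountpoint contains the path for the mount point.
  * @sb_pivotroot:
  * Check permission before pivoting the root filesystem.
- * @old_nd contains the nameidata structure for the new location of the current root (put_old).
- * @new_nd contains the nameidata structure for the new root (new_root).
+ * @old_path contains the path for the new location of the current root (put_old).
+ * @new_path contains the path for the new root (new_root).
  * Return 0 if permission is granted.
  * @sb_post_pivotroot:
  * Update module state after a successful pivot.
- * @old_nd contains the nameidata structure for the old root.
- * @new_nd contains the nameidata structure for the new root.
+ * @old_path contains the path for the old root.
+ * @new_path contains the path for the new root.
  * @sb_get_mnt_opts:
  * Get the security relevant mount options used for a superblock
  * @sb the superblock to get security mount options from
@@ -1315,20 +1315,20 @@ struct security_operations {
  int (*sb_copy_data)(char *orig, char *copy);
  int (*sb_kern_mount) (struct super_block *sb, void *data);
  int (*sb_statfs) (struct dentry *dentry);
- int (*sb_mount) (char *dev_name, struct nameidata * nd,
+ int (*sb_mount) (char *dev_name, struct path *path,
  char *type, unsigned long flags, void *data);
- int (*sb_check_sb) (struct vfsmount * mnt, struct nameidata * nd);
+ int (*sb_check_sb) (struct vfsmount * mnt, struct path *path);
  int (*sb_umount) (struct vfsmount * mnt, int flags);
  void (*sb_umount_close) (struct vfsmount * mnt);
  void (*sb_umount_busy) (struct vfsmount * mnt);
  void (*sb_post_remount) (struct vfsmount * mnt,
  unsigned long flags, void *data);
  void (*sb_post_addmount) (struct vfsmount * mnt,
- struct nameidata * mountpoint_nd);
- int (*sb_pivotroot) (struct nameidata * old_nd,
- struct nameidata * new_nd);
- void (*sb_post_pivotroot) (struct nameidata * old_nd,
- struct nameidata * new_nd);
+ struct path *mountpoint);
+ int (*sb_pivotroot) (struct path *old_path,
+ struct path *new_path);
+ void (*sb_post_pivotroot) (struct path *old_path,
+ struct path *new_path);
  int (*sb_get_mnt_opts) (const struct super_block *sb,
  struct security_mnt_opts *opts);
  int (*sb_set_mnt_opts) (struct super_block *sb,
@@ -1593,16 +1593,16 @@ void security_sb_free(struct super_block *sb);
 int security_sb_copy_data(char *orig, char *copy);
 int security_sb_kern_mount(struct super_block *sb, void *data);
 int security_sb_statfs(struct dentry *dentry);
-int security_sb_mount(char *dev_name, struct nameidata *nd,
+int security_sb_mount(char *dev_name, struct path *path,
  char *type, unsigned long flags, void *data);
-int security_sb_check_sb(struct vfsmount *mnt, struct nameidata *nd);
+int security_sb_check_sb(struct vfsmount *mnt, struct path *path);
 int security_sb_umount(struct vfsmount *mnt, int flags);
 void security_sb_umount_close(struct vfsmount *mnt);
 void security_sb_umount_busy(struct vfsmount *mnt);
 void security_sb_post_remount(struct vfsmount *mnt, unsigned long flags, void *data);
-void security_sb_post_addmount(struct vfsmount *mnt, struct nameidata *mountpoint_nd);
-int security_sb_pivotroot(struct nameidata *old_nd, struct nameidata *new_nd);
-void security_sb_post_pivotroot(struct nameidata *old_nd, struct nameidata *new_nd);
+void security_sb_post_addmount(struct vfsmount *mnt, struct path *mountpoint);
+int security_sb_pivotroot(struct path *old_path, struct path *new_path);
+void security_sb_post_pivotroot(struct path *old_path, struct path *new_path);
 int security_sb_get_mnt_opts(const struct super_block *sb,
  struct security_mnt_opts *opts);
 int security_sb_set_mnt_opts(struct super_block *sb, struct security_mnt_opts *opts);
@@ -1872,7 +1872,7 @@ static inline int security_sb_statfs (struct dentry *dentry)
  return 0;
 }
 
-static inline int security_sb_mount (char *dev_name, struct nameidata *nd,
+static inline int security_sb_mount (char *dev_name, struct path *path,
  char *type, unsigned long flags,
  void *data)
 {
@@ -1880,7 +1880,7 @@ static inline int security_sb_mount (char *dev_name, struct nameidata *nd,
 }
 
 static inline int security_sb_check_sb (struct vfsmount *mnt,
- struct nameidata *nd)
+ struct path *path)
 {
  return 0;
 }
@@ -1901,17 +1901,17 @@ static inline void security_sb_post_remount (struct vfsmount *mnt,
 { }
 
 static inline void security_sb_post_addmount (struct vfsmount *mnt,
- struct nameidata *mountpoint_nd)
+ struct path *mountpoint)
 { }
 
-static inline int security_sb_pivotroot (struct nameidata *old_nd,
- struct nameidata *new_nd)
+static inline int security_sb_pivotroot (struct path *old_path,
+ struct path *new_path)
 {
  return 0;
 }
 
-static inline void security_sb_post_pivotroot (struct nameidata *old_nd,
- struct nameidata *new_nd)
+static inline void security_sb_post_pivotroot (struct path *old_path,
+ struct path *new_path)
 { }
 static inline int security_sb_get_mnt_opts(const struct super_block *sb,
  struct security_mnt_opts *opts)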
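Review bot: The `@sb_check_sb` description at new line 250 still reads "on the mount point named by @nd", although the parameter documented two lines below it is now `@path`. The line should become `on the mount point named by @path.`, so that the hook contract module authors rely on matches the prototype. The `@sb_mount` description begins above the first hunk and may carry the same stale `@nd` reference, so it is worth checking in the same pass.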
diff --git a/security/dummy.c b/security/dummy.c
index 98d5f969cdc8..b0232bbf427b 100644
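--- a/security/dummy.c
+++ b/security/dummy.c
@@ -196,13 +196,13 @@ static int dummy_sb_statfs (struct dentry *dentry)
  return 0;
 }
 
-static int dummy_sb_mount (char *dev_name, struct nameidata *nd, char *type,
+static int dummy_sb_mount (char *dev_name, struct path *path, char *type,
  unsigned long flags, void *data)
 {
  return 0;
 }
 
-static int dummy_sb_check_sb (struct vfsmount *mnt, struct nameidata *nd)
+static int dummy_sb_check_sb (struct vfsmount *mnt, struct path *path)
 {
  return 0;
 }
@@ -229,17 +229,17 @@ static void dummy_sb_post_remount (struct vfsmount *mnt, unsigned long flags,
 }
 
 
-static void dummy_sb_post_addmount (struct vfsmount *mnt, struct nameidata *nd)
+static void dummy_sb_post_addmount (struct vfsmount *mnt, struct path *path)
 {
  return;
 }
 
-static int dummy_sb_pivotroot (struct nameidata *old_nd, struct nameidata *new_nd)
+static int dummy_sb_pivotroot (struct path *old_path, struct path *new_path)
 {
  return 0;
 }
 
-static void dummy_sb_post_pivotroot (struct nameidata *old_nd, struct nameidata *new_nd)
+static void dummy_sb_post_pivotroot (struct path *old_path, struct path *new_path)
 {
  return;
 }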
diff --git a/security/security.c b/security/security.c
index 2e250c7028eb..8a285c7b9962 100644
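--- a/security/security.c
+++ b/security/security.c
@@ -296,15 +296,15 @@ int security_sb_statfs(struct dentry *dentry)
  return security_ops->sb_statfs(dentry);
 }
 
-int security_sb_mount(char *dev_name, struct nameidata *nd,
+int security_sb_mount(char *dev_name, struct path *path,
  char *type, unsigned long flags, void *data)
 {
- return security_ops->sb_mount(dev_name, nd, type, flags, data);
+ return security_ops->sb_mount(dev_name, path, type, flags, data);
 }
 
-int security_sb_check_sb(struct vfsmount *mnt, struct nameidata *nd)
+int security_sb_check_sb(struct vfsmount *mnt, struct path *path)
 {
- return security_ops->sb_check_sb(mnt, nd);
+ return security_ops->sb_check_sb(mnt, path);
 }
 
 int security_sb_umount(struct vfsmount *mnt, int flags)
@@ -327,19 +327,19 @@ void security_sb_post_remount(struct vfsmount *mnt, unsigned long flags, void *d
  security_ops->sb_post_remount(mnt, flags, data);
 }
 
-void security_sb_post_addmount(struct vfsmount *mnt, struct nameidata *mountpoint_nd)
+void security_sb_post_addmount(struct vfsmount *mnt, struct path *mountpoint)
 {
- security_ops->sb_post_addmount(mnt, mountpoint_nd);
+ security_ops->sb_post_addmount(mnt, mountpoint);
 }
 
-int security_sb_pivotroot(struct nameidata *old_nd, struct nameidata *new_nd)
+int security_sb_pivotroot(struct path *old_path, struct path *new_path)
 {
- return security_ops->sb_pivotroot(old_nd, new_nd);
+ return security_ops->sb_pivotroot(old_path, new_path);
 }
 
-void security_sb_post_pivotroot(struct nameidata *old_nd, struct nameidata *new_nd)
+void security_sb_post_pivotroot(struct path *old_path, struct path *new_path)
 {
- security_ops->sb_post_pivotroot(old_nd, new_nd);
+ security_ops->sb_post_pivotroot(old_path, new_path);
 }
 
 int security_sb_get_mnt_opts(const struct super_block *sb,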
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 1bf2543ea942..38fbb168dbed 100644
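--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2392,22 +2392,22 @@ static int selinux_sb_statfs(struct dentry *dentry)
 }
 
 static int selinux_mount(char *dev_name,
- struct nameidata *nd,
+ struct path *path,
  char *type,
  unsigned long flags,
  void *data)
 {
  int rc;
 
- rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
+ rc = secondary_ops->sb_mount(dev_name, path, type, flags, data);
  if (rc)
  return rc;
 
  if (flags & MS_REMOUNT)
- return superblock_has_perm(current, nd->path.mnt->mnt_sb,
+ return superblock_has_perm(current, path->mnt->mnt_sb,
  FILESYSTEM__REMOUNT, NULL);
  else
- return dentry_has_perm(current, path->mnt, path->dentry,
+ return dentry_has_perm(current, path->mnt, path->dentry,
  FILE__MOUNTON);
 }
 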
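Review bot: `selinux_mount` only reads `path->mnt` and `path->dentry`, so the parameter could be declared `const struct path *path`, which would state in the type that a security module must not alter the caller's mount point. That would need the matching change to the `sb_mount` member in include/linux/security.h and to the other implementations. The function also has no comment saying which permission guards which case; a line such as `/* remount: FILESYSTEM__REMOUNT on the mount point's superblock; otherwise FILE__MOUNTON on the mount point dentry */` above the `if (flags & MS_REMOUNT)` test would help anyone auditing the policy checks.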
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 93f5b0ce662a..4215971434e6 100644
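--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -315,10 +315,10 @@ static int smack_sb_statfs(struct dentry *dentry)
  * Returns 0 if current can write the floor of the filesystem
  * being mounted on, an error code otherwise.
  */
-static int smack_sb_mount(char *dev_name, struct nameidata *nd,
+static int smack_sb_mount(char *dev_name, struct path *path,
  char *type, unsigned long flags, void *data)
 {
- struct superblock_smack *sbp = nd->path.mnt->mnt_sb->s_security;
+ struct superblock_smack *sbp = path->mnt->mnt_sb->s_security;
 
  return smk_curacc(sbp->smk_floor, MAY_WRITE);
 }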
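Review bot: The kerneldoc block above `smack_sb_mount` is only partly visible, since its header lies above the hunk; if it still lists `@nd`, that entry should become `@path: mount point` to match the new signature. Separately, `sbp` is taken from `path->mnt->mnt_sb->s_security` and dereferenced on the next line without a check. That assumption predates this change and may well hold for every superblock reaching the hook, but a short comment naming where `s_security` is set up would make it auditable.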