1 files changed, 137 insertions, 0 deletions
diff --git a/include/linux/security.h b/include/linux/security.h
index f9c390494f18..1f2ab6353c00 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -336,17 +336,37 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 *      @dir contains the inode structure of the parent directory of the new link.
 *      @new_dentry contains the dentry structure for the new link.
 *      Return 0 if permission is granted.
+ * @path_link:
+ *      Check permission before creating a new hard link to a file.
+ *      @old_dentry contains the dentry structure for an existing link
+ *      to the file.
+ *      @new_dir contains the path structure of the parent directory of
+ *      the new link.
+ *      @new_dentry contains the dentry structure for the new link.
+ *      Return 0 if permission is granted.
 * @inode_unlink:
 *      Check the permission to remove a hard link to a file.
 *      @dir contains the inode structure of parent directory of the file.
 *      @dentry contains the dentry structure for file to be unlinked.
 *      Return 0 if permission is granted.
+ * @path_unlink:
+ *      Check the permission to remove a hard link to a file.
+ *      @dir contains the path structure of parent directory of the file.
+ *      @dentry contains the dentry structure for file to be unlinked.
+ *      Return 0 if permission is granted.
 * @inode_symlink:
 *      Check the permission to create a symbolic link to a file.
 *      @dir contains the inode structure of parent directory of the symbolic link.
 *      @dentry contains the dentry structure of the symbolic link.
 *      @old_name contains the pathname of file.
 *      Return 0 if permission is granted.
+ * @path_symlink:
+ *      Check the permission to create a symbolic link to a file.
+ *      @dir contains the path structure of parent directory of
+ *      the symbolic link.
+ *      @dentry contains the dentry structure of the symbolic link.
+ *      @old_name contains the pathname of file.
+ *      Return 0 if permission is granted.
 * @inode_mkdir:
 *      Check permissions to create a new directory in the existing directory
 *      associated with inode strcture @dir.
@@ -354,11 +374,25 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 *      @dentry contains the dentry structure of new directory.
 *      @mode contains the mode of new directory.
 *      Return 0 if permission is granted.
+ * @path_mkdir:
+ *      Check permissions to create a new directory in the existing directory
+ *      associated with path strcture @path.
+ *      @dir containst the path structure of parent of the directory
+ *      to be created.
+ *      @dentry contains the dentry structure of new directory.
+ *      @mode contains the mode of new directory.
+ *      Return 0 if permission is granted.
 * @inode_rmdir:
 *      Check the permission to remove a directory.
 *      @dir contains the inode structure of parent of the directory to be removed.
 *      @dentry contains the dentry structure of directory to be removed.
 *      Return 0 if permission is granted.
+ * @path_rmdir:
+ *      Check the permission to remove a directory.
+ *      @dir contains the path structure of parent of the directory to be
+ *      removed.
+ *      @dentry contains the dentry structure of directory to be removed.
+ *      Return 0 if permission is granted.
 * @inode_mknod:
 *      Check permissions when creating a special file (or a socket or a fifo
 *      file created via the mknod system call).  Note that if mknod operation
@@ -369,6 +403,15 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 *      @mode contains the mode of the new file.
 *      @dev contains the device number.
 *      Return 0 if permission is granted.
+ * @path_mknod:
+ *      Check permissions when creating a file. Note that this hook is called
+ *      even if mknod operation is being done for a regular file.
+ *      @dir contains the path structure of parent of the new file.
+ *      @dentry contains the dentry structure of the new file.
+ *      @mode contains the mode of the new file.
+ *      @dev contains the undecoded device number. Use new_decode_dev() to get
+ *      the decoded device number.
+ *      Return 0 if permission is granted.
 * @inode_rename:
 *      Check for permission to rename a file or directory.
 *      @old_dir contains the inode structure for parent of the old link.
@@ -376,6 +419,13 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 *      @new_dir contains the inode structure for parent of the new link.
 *      @new_dentry contains the dentry structure of the new link.
 *      Return 0 if permission is granted.
+ * @path_rename:
+ *      Check for permission to rename a file or directory.
+ *      @old_dir contains the path structure for parent of the old link.
+ *      @old_dentry contains the dentry structure of the old link.
+ *      @new_dir contains the path structure for parent of the new link.
+ *      @new_dentry contains the dentry structure of the new link.
+ *      Return 0 if permission is granted.
 * @inode_readlink:
 *      Check the permission to read the symbolic link.
 *      @dentry contains the dentry structure for the file link.
@@ -404,6 +454,12 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 *      @dentry contains the dentry structure for the file.
 *      @attr is the iattr structure containing the new file attributes.
 *      Return 0 if permission is granted.
+ * @path_truncate:
+ *      Check permission before truncating a file.
+ *      @path contains the path structure for the file.
+ *      @length is the new length of the file.
+ *      @time_attrs is the flags passed to do_truncate().
+ *      Return 0 if permission is granted.
 * @inode_getattr:
 *      Check permission before obtaining file attributes.
 *      @mnt is the vfsmount where the dentry was looked up
@@ -1336,6 +1392,22 @@ struct security_operations {
                                   struct super_block *newsb);
        int (*sb_parse_opts_str) (char *options, struct security_mnt_opts *opts);
+#ifdef CONFIG_SECURITY_PATH
+        int (*path_unlink) (struct path *dir, struct dentry *dentry);
+        int (*path_mkdir) (struct path *dir, struct dentry *dentry, int mode);
+        int (*path_rmdir) (struct path *dir, struct dentry *dentry);
+        int (*path_mknod) (struct path *dir, struct dentry *dentry, int mode,
+                           unsigned int dev);
+        int (*path_truncate) (struct path *path, loff_t length,
+                              unsigned int time_attrs);
+        int (*path_symlink) (struct path *dir, struct dentry *dentry,
+                             const char *old_name);
+        int (*path_link) (struct dentry *old_dentry, struct path *new_dir,
+                          struct dentry *new_dentry);
+        int (*path_rename) (struct path *old_dir, struct dentry *old_dentry,
+                            struct path *new_dir, struct dentry *new_dentry);
+#endif
        int (*inode_alloc_security) (struct inode *inode);
        void (*inode_free_security) (struct inode *inode);
        int (*inode_init_security) (struct inode *inode, struct inode *dir,
@@ -2728,6 +2800,71 @@ static inline void security_skb_classify_flow(struct sk_buff *skb, struct flowi
 #endif  /* CONFIG_SECURITY_NETWORK_XFRM */
+#ifdef CONFIG_SECURITY_PATH
+int security_path_unlink(struct path *dir, struct dentry *dentry);
+int security_path_mkdir(struct path *dir, struct dentry *dentry, int mode);
+int security_path_rmdir(struct path *dir, struct dentry *dentry);
+int security_path_mknod(struct path *dir, struct dentry *dentry, int mode,
+                        unsigned int dev);
+int security_path_truncate(struct path *path, loff_t length,
+                           unsigned int time_attrs);
+int security_path_symlink(struct path *dir, struct dentry *dentry,
+                          const char *old_name);
+int security_path_link(struct dentry *old_dentry, struct path *new_dir,
+                       struct dentry *new_dentry);
+int security_path_rename(struct path *old_dir, struct dentry *old_dentry,
+                         struct path *new_dir, struct dentry *new_dentry);
+#else   /* CONFIG_SECURITY_PATH */
+static inline int security_path_unlink(struct path *dir, struct dentry *dentry)
+{
+        return 0;
+}
+static inline int security_path_mkdir(struct path *dir, struct dentry *dentry,
+                                      int mode)
+{
+        return 0;
+}
+static inline int security_path_rmdir(struct path *dir, struct dentry *dentry)
+{
+        return 0;
+}
+static inline int security_path_mknod(struct path *dir, struct dentry *dentry,
+                                      int mode, unsigned int dev)
+{
+        return 0;
+}
+static inline int security_path_truncate(struct path *path, loff_t length,
+                                         unsigned int time_attrs)
+{
+        return 0;
+}
+static inline int security_path_symlink(struct path *dir, struct dentry *dentry,
+                                        const char *old_name)
+{
+        return 0;
+}
+static inline int security_path_link(struct dentry *old_dentry,
+                                     struct path *new_dir,
+                                     struct dentry *new_dentry)
+{
+        return 0;
+}
+static inline int security_path_rename(struct path *old_dir,
+                                       struct dentry *old_dentry,
+                                       struct path *new_dir,
+                                       struct dentry *new_dentry)
+{
+        return 0;
+}
+#endif  /* CONFIG_SECURITY_PATH */
 #ifdef CONFIG_KEYS
 #ifdef CONFIG_SECURITY

diff --git a/include/linux/security.h b/include/linux/security.h index f9c390494f18..1f2ab6353c00 100644 --- a/include/linux/security.h +++ b/include/linux/security.h
@@ -336,17 +336,37 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
336	* @dir contains the inode structure of the parent directory of the new link.	336	* @dir contains the inode structure of the parent directory of the new link.
337	* @new_dentry contains the dentry structure for the new link.	337	* @new_dentry contains the dentry structure for the new link.
338	* Return 0 if permission is granted.	338	* Return 0 if permission is granted.
		339	* @path_link:
		340	* Check permission before creating a new hard link to a file.
		341	* @old_dentry contains the dentry structure for an existing link
		342	* to the file.
		343	* @new_dir contains the path structure of the parent directory of
		344	* the new link.
		345	* @new_dentry contains the dentry structure for the new link.
		346	* Return 0 if permission is granted.
339	* @inode_unlink:	347	* @inode_unlink:
340	* Check the permission to remove a hard link to a file.	348	* Check the permission to remove a hard link to a file.
341	* @dir contains the inode structure of parent directory of the file.	349	* @dir contains the inode structure of parent directory of the file.
342	* @dentry contains the dentry structure for file to be unlinked.	350	* @dentry contains the dentry structure for file to be unlinked.
343	* Return 0 if permission is granted.	351	* Return 0 if permission is granted.
		352	* @path_unlink:
		353	* Check the permission to remove a hard link to a file.
		354	* @dir contains the path structure of parent directory of the file.
		355	* @dentry contains the dentry structure for file to be unlinked.
		356	* Return 0 if permission is granted.
344	* @inode_symlink:	357	* @inode_symlink:
345	* Check the permission to create a symbolic link to a file.	358	* Check the permission to create a symbolic link to a file.
346	* @dir contains the inode structure of parent directory of the symbolic link.	359	* @dir contains the inode structure of parent directory of the symbolic link.
347	* @dentry contains the dentry structure of the symbolic link.	360	* @dentry contains the dentry structure of the symbolic link.
348	* @old_name contains the pathname of file.	361	* @old_name contains the pathname of file.
349	* Return 0 if permission is granted.	362	* Return 0 if permission is granted.
		363	* @path_symlink:
		364	* Check the permission to create a symbolic link to a file.
		365	* @dir contains the path structure of parent directory of
		366	* the symbolic link.
		367	* @dentry contains the dentry structure of the symbolic link.
		368	* @old_name contains the pathname of file.
		369	* Return 0 if permission is granted.
350	* @inode_mkdir:	370	* @inode_mkdir:
351	* Check permissions to create a new directory in the existing directory	371	* Check permissions to create a new directory in the existing directory
352	* associated with inode strcture @dir.	372	* associated with inode strcture @dir.
@@ -354,11 +374,25 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
354	* @dentry contains the dentry structure of new directory.	374	* @dentry contains the dentry structure of new directory.
355	* @mode contains the mode of new directory.	375	* @mode contains the mode of new directory.
356	* Return 0 if permission is granted.	376	* Return 0 if permission is granted.
		377	* @path_mkdir:
		378	* Check permissions to create a new directory in the existing directory
		379	* associated with path strcture @path.
		380	* @dir containst the path structure of parent of the directory
		381	* to be created.
		382	* @dentry contains the dentry structure of new directory.
		383	* @mode contains the mode of new directory.
		384	* Return 0 if permission is granted.
357	* @inode_rmdir:	385	* @inode_rmdir:
358	* Check the permission to remove a directory.	386	* Check the permission to remove a directory.
359	* @dir contains the inode structure of parent of the directory to be removed.	387	* @dir contains the inode structure of parent of the directory to be removed.
360	* @dentry contains the dentry structure of directory to be removed.	388	* @dentry contains the dentry structure of directory to be removed.
361	* Return 0 if permission is granted.	389	* Return 0 if permission is granted.
		390	* @path_rmdir:
		391	* Check the permission to remove a directory.
		392	* @dir contains the path structure of parent of the directory to be
		393	* removed.
		394	* @dentry contains the dentry structure of directory to be removed.
		395	* Return 0 if permission is granted.
362	* @inode_mknod:	396	* @inode_mknod:
363	* Check permissions when creating a special file (or a socket or a fifo	397	* Check permissions when creating a special file (or a socket or a fifo
364	* file created via the mknod system call). Note that if mknod operation	398	* file created via the mknod system call). Note that if mknod operation
@@ -369,6 +403,15 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
369	* @mode contains the mode of the new file.	403	* @mode contains the mode of the new file.
370	* @dev contains the device number.	404	* @dev contains the device number.
371	* Return 0 if permission is granted.	405	* Return 0 if permission is granted.
		406	* @path_mknod:
		407	* Check permissions when creating a file. Note that this hook is called
		408	* even if mknod operation is being done for a regular file.
		409	* @dir contains the path structure of parent of the new file.
		410	* @dentry contains the dentry structure of the new file.
		411	* @mode contains the mode of the new file.
		412	* @dev contains the undecoded device number. Use new_decode_dev() to get
		413	* the decoded device number.
		414	* Return 0 if permission is granted.
372	* @inode_rename:	415	* @inode_rename:
373	* Check for permission to rename a file or directory.	416	* Check for permission to rename a file or directory.
374	* @old_dir contains the inode structure for parent of the old link.	417	* @old_dir contains the inode structure for parent of the old link.
@@ -376,6 +419,13 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
376	* @new_dir contains the inode structure for parent of the new link.	419	* @new_dir contains the inode structure for parent of the new link.
377	* @new_dentry contains the dentry structure of the new link.	420	* @new_dentry contains the dentry structure of the new link.
378	* Return 0 if permission is granted.	421	* Return 0 if permission is granted.
		422	* @path_rename:
		423	* Check for permission to rename a file or directory.
		424	* @old_dir contains the path structure for parent of the old link.
		425	* @old_dentry contains the dentry structure of the old link.
		426	* @new_dir contains the path structure for parent of the new link.
		427	* @new_dentry contains the dentry structure of the new link.
		428	* Return 0 if permission is granted.
379	* @inode_readlink:	429	* @inode_readlink:
380	* Check the permission to read the symbolic link.	430	* Check the permission to read the symbolic link.
381	* @dentry contains the dentry structure for the file link.	431	* @dentry contains the dentry structure for the file link.
@@ -404,6 +454,12 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
404	* @dentry contains the dentry structure for the file.	454	* @dentry contains the dentry structure for the file.
405	* @attr is the iattr structure containing the new file attributes.	455	* @attr is the iattr structure containing the new file attributes.
406	* Return 0 if permission is granted.	456	* Return 0 if permission is granted.
		457	* @path_truncate:
		458	* Check permission before truncating a file.
		459	* @path contains the path structure for the file.
		460	* @length is the new length of the file.
		461	* @time_attrs is the flags passed to do_truncate().
		462	* Return 0 if permission is granted.
407	* @inode_getattr:	463	* @inode_getattr:
408	* Check permission before obtaining file attributes.	464	* Check permission before obtaining file attributes.
409	* @mnt is the vfsmount where the dentry was looked up	465	* @mnt is the vfsmount where the dentry was looked up
@@ -1336,6 +1392,22 @@ struct security_operations {
1336	struct super_block *newsb);	1392	struct super_block *newsb);
1337	int (sb_parse_opts_str) (char options, struct security_mnt_opts *opts);	1393	int (sb_parse_opts_str) (char options, struct security_mnt_opts *opts);
1338		1394
		1395	#ifdef CONFIG_SECURITY_PATH
		1396	int (path_unlink) (struct path dir, struct dentry *dentry);
		1397	int (path_mkdir) (struct path dir, struct dentry *dentry, int mode);
		1398	int (path_rmdir) (struct path dir, struct dentry *dentry);
		1399	int (path_mknod) (struct path dir, struct dentry *dentry, int mode,
		1400	unsigned int dev);
		1401	int (path_truncate) (struct path path, loff_t length,
		1402	unsigned int time_attrs);
		1403	int (path_symlink) (struct path dir, struct dentry *dentry,
		1404	const char *old_name);
		1405	int (path_link) (struct dentry old_dentry, struct path *new_dir,
		1406	struct dentry *new_dentry);
		1407	int (path_rename) (struct path old_dir, struct dentry *old_dentry,
		1408	struct path new_dir, struct dentry new_dentry);
		1409	#endif
		1410
1339	int (inode_alloc_security) (struct inode inode);	1411	int (inode_alloc_security) (struct inode inode);
1340	void (inode_free_security) (struct inode inode);	1412	void (inode_free_security) (struct inode inode);
1341	int (inode_init_security) (struct inode inode, struct inode *dir,	1413	int (inode_init_security) (struct inode inode, struct inode *dir,
@@ -2728,6 +2800,71 @@ static inline void security_skb_classify_flow(struct sk_buff *skb, struct flowi
2728		2800
2729	#endif /* CONFIG_SECURITY_NETWORK_XFRM */	2801	#endif /* CONFIG_SECURITY_NETWORK_XFRM */
2730		2802
		2803	#ifdef CONFIG_SECURITY_PATH
		2804	int security_path_unlink(struct path dir, struct dentry dentry);
		2805	int security_path_mkdir(struct path dir, struct dentry dentry, int mode);
		2806	int security_path_rmdir(struct path dir, struct dentry dentry);
		2807	int security_path_mknod(struct path dir, struct dentry dentry, int mode,
		2808	unsigned int dev);
		2809	int security_path_truncate(struct path *path, loff_t length,
		2810	unsigned int time_attrs);
		2811	int security_path_symlink(struct path dir, struct dentry dentry,
		2812	const char *old_name);
		2813	int security_path_link(struct dentry old_dentry, struct path new_dir,
		2814	struct dentry *new_dentry);
		2815	int security_path_rename(struct path old_dir, struct dentry old_dentry,
		2816	struct path new_dir, struct dentry new_dentry);
		2817	#else /* CONFIG_SECURITY_PATH */
		2818	static inline int security_path_unlink(struct path dir, struct dentry dentry)
		2819	{
		2820	return 0;
		2821	}
		2822
		2823	static inline int security_path_mkdir(struct path dir, struct dentry dentry,
		2824	int mode)
		2825	{
		2826	return 0;
		2827	}
		2828
		2829	static inline int security_path_rmdir(struct path dir, struct dentry dentry)
		2830	{
		2831	return 0;
		2832	}
		2833
		2834	static inline int security_path_mknod(struct path dir, struct dentry dentry,
		2835	int mode, unsigned int dev)
		2836	{
		2837	return 0;
		2838	}
		2839
		2840	static inline int security_path_truncate(struct path *path, loff_t length,
		2841	unsigned int time_attrs)
		2842	{
		2843	return 0;
		2844	}
		2845
		2846	static inline int security_path_symlink(struct path dir, struct dentry dentry,
		2847	const char *old_name)
		2848	{
		2849	return 0;
		2850	}
		2851
		2852	static inline int security_path_link(struct dentry *old_dentry,
		2853	struct path *new_dir,
		2854	struct dentry *new_dentry)
		2855	{
		2856	return 0;
		2857	}
		2858
		2859	static inline int security_path_rename(struct path *old_dir,
		2860	struct dentry *old_dentry,
		2861	struct path *new_dir,
		2862	struct dentry *new_dentry)
		2863	{
		2864	return 0;
		2865	}
		2866	#endif /* CONFIG_SECURITY_PATH */
		2867
2731	#ifdef CONFIG_KEYS	2868	#ifdef CONFIG_KEYS
2732	#ifdef CONFIG_SECURITY	2869	#ifdef CONFIG_SECURITY
2733		2870