Diffstat (limited to 'security/selinux')
| -rw-r--r-- | security/selinux/avc.c | 15 | ||||
| -rw-r--r-- | security/selinux/hooks.c | 32 | ||||
| -rw-r--r-- | security/selinux/include/avc.h | 6 |
3 files changed, 26 insertions, 27 deletions
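--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -568,10 +568,11 @@ void avc_audit(u32 ssid, u32 tsid,
 audit_log_format(ab, " capability=%d", a->u.cap);
 break;
 case AVC_AUDIT_DATA_FS:
-if (a->u.fs.dentry) {
-struct dentry *dentry = a->u.fs.dentry;
-if (a->u.fs.mnt) {
-audit_log_d_path(ab, "path=", dentry, a->u.fs.mnt);
+if (a->u.fs.path.dentry) {
+struct dentry *dentry = a->u.fs.path.dentry;
+if (a->u.fs.path.mnt) {
+audit_log_d_path(ab, "path=",
+&a->u.fs.path);
 } else {
 audit_log_format(ab, " name=");
 audit_log_untrustedstring(ab, dentry->d_name.name);
@@ -626,8 +627,12 @@ void avc_audit(u32 ssid, u32 tsid,
 case AF_UNIX:
 u = unix_sk(sk);
 if (u->dentry) {
+struct path path = {
+.dentry = u->dentry,
+.mnt = u->mnt
+};
 audit_log_d_path(ab, "path=",
-u->dentry, u->mnt);
+&path);
 break;
 }
 if (!u->addr)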
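Review bot: The temporary `struct path path` built in the AF_UNIX branch borrows the socket's dentry and mnt pointers without any reference being taken in the hunk (no path_get()), which is only safe because it does not outlive the audit_log_d_path() call that follows; the old code passed the same raw pointers, but packaging them as a `struct path` now invites a reader to assume it is an owned path. A one-line comment above the initializer would pin that down: `/* borrowed from the socket for this log call only; no reference is taken */`. In the first hunk, the local `dentry` is now read only in the `else` branch, so it could be folded into `audit_log_untrustedstring(ab, a->u.fs.path.dentry->d_name.name);` and the declaration dropped. avc_audit() starts and ends outside both hunks.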
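--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1356,8 +1356,8 @@ static inline int dentry_has_perm(struct task_struct *tsk,
 struct inode *inode = dentry->d_inode;
 struct avc_audit_data ad;
 AVC_AUDIT_DATA_INIT(&ad,FS);
-ad.u.fs.mnt = mnt;
-ad.u.fs.dentry = dentry;
+ad.u.fs.path.mnt = mnt;
+ad.u.fs.path.dentry = dentry;
 return inode_has_perm(tsk, inode, av, &ad);
 }
 
@@ -1375,15 +1375,12 @@ static int file_has_perm(struct task_struct *tsk,
 {
 struct task_security_struct *tsec = tsk->security;
 struct file_security_struct *fsec = file->f_security;
-struct vfsmount *mnt = file->f_path.mnt;
-struct dentry *dentry = file->f_path.dentry;
-struct inode *inode = dentry->d_inode;
+struct inode *inode = file->f_path.dentry->d_inode;
 struct avc_audit_data ad;
 int rc;
 
 AVC_AUDIT_DATA_INIT(&ad, FS);
-ad.u.fs.mnt = mnt;
-ad.u.fs.dentry = dentry;
+ad.u.fs.path = file->f_path;
 
 if (tsec->sid != fsec->sid) {
 rc = avc_has_perm(tsec->sid, fsec->sid,
@@ -1418,7 +1415,7 @@ static int may_create(struct inode *dir,
 sbsec = dir->i_sb->s_security;
 
 AVC_AUDIT_DATA_INIT(&ad, FS);
-ad.u.fs.dentry = dentry;
+ad.u.fs.path.dentry = dentry;
 
 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
 DIR__ADD_NAME | DIR__SEARCH,
@@ -1476,7 +1473,7 @@ static int may_link(struct inode *dir,
 isec = dentry->d_inode->i_security;
 
 AVC_AUDIT_DATA_INIT(&ad, FS);
-ad.u.fs.dentry = dentry;
+ad.u.fs.path.dentry = dentry;
 
 av = DIR__SEARCH;
 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
@@ -1523,7 +1520,7 @@ static inline int may_rename(struct inode *old_dir,
 
 AVC_AUDIT_DATA_INIT(&ad, FS);
 
-ad.u.fs.dentry = old_dentry;
+ad.u.fs.path.dentry = old_dentry;
 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
 if (rc)
@@ -1539,7 +1536,7 @@ static inline int may_rename(struct inode *old_dir,
 return rc;
 }
 
-ad.u.fs.dentry = new_dentry;
+ad.u.fs.path.dentry = new_dentry;
 av = DIR__ADD_NAME | DIR__SEARCH;
 if (new_dentry->d_inode)
 av |= DIR__REMOVE_NAME;
@@ -1918,8 +1915,7 @@ static int selinux_bprm_set_security(struct linux_binprm *bprm)
 }
 
 AVC_AUDIT_DATA_INIT(&ad, FS);
-ad.u.fs.mnt = bprm->file->f_path.mnt;
-ad.u.fs.dentry = bprm->file->f_path.dentry;
+ad.u.fs.path = bprm->file->f_path;
 
 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
 newsid = tsec->sid;
@@ -2315,7 +2311,7 @@ static int selinux_sb_kern_mount(struct super_block *sb, void *data)
 return rc;
 
 AVC_AUDIT_DATA_INIT(&ad,FS);
-ad.u.fs.dentry = sb->s_root;
+ad.u.fs.path.dentry = sb->s_root;
 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
 }
 
@@ -2324,7 +2320,7 @@ static int selinux_sb_statfs(struct dentry *dentry)
 struct avc_audit_data ad;
 
 AVC_AUDIT_DATA_INIT(&ad,FS);
-ad.u.fs.dentry = dentry->d_sb->s_root;
+ad.u.fs.path.dentry = dentry->d_sb->s_root;
 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
 }
 
@@ -2341,10 +2337,10 @@ static int selinux_mount(char * dev_name,
 return rc;
 
 if (flags & MS_REMOUNT)
-return superblock_has_perm(current, nd->mnt->mnt_sb,
+return superblock_has_perm(current, nd->path.mnt->mnt_sb,
 FILESYSTEM__REMOUNT, NULL);
 else
-return dentry_has_perm(current, nd->mnt, nd->dentry,
+return dentry_has_perm(current, nd->path.mnt, nd->path.dentry,
 FILE__MOUNTON);
 }
 
@@ -2587,7 +2583,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value
 return -EPERM;
 
 AVC_AUDIT_DATA_INIT(&ad,FS);
-ad.u.fs.dentry = dentry;
+ad.u.fs.path.dentry = dentry;
 
 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
 FILE__RELABELFROM, &ad);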
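Review bot: The may_create() hunk, like may_link(), may_rename(), selinux_sb_kern_mount(), selinux_sb_statfs() and selinux_inode_setxattr(), assigns only `ad.u.fs.path.dentry` and never touches `ad.u.fs.path.mnt`, so the audit record's "full path vs. name only" choice in avc_audit() (which takes the name-only branch when `path.mnt` is NULL) now silently depends on AVC_AUDIT_DATA_INIT() zeroing the union; the macro body is not part of this diff, so that is an inference worth stating at the first such site: `/* path.mnt intentionally left NULL: avc_audit() logs only the dentry name */`. Where a full `struct path` is copied (`ad.u.fs.path = file->f_path;` in file_has_perm() and the bprm hunk) no reference is taken, which is fine only while `ad` stays on this stack frame and the file outlives it; a short comment on the first copy would stop a later reader from treating `ad.u.fs.path` as an owned path. Every function touched here starts or ends outside its hunk.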
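--- a/security/selinux/include/avc.h
+++ b/security/selinux/include/avc.h
@@ -13,6 +13,7 @@
 #include <linux/spinlock.h>
 #include <linux/init.h>
 #include <linux/in6.h>
+#include <linux/path.h>
 #include <asm/system.h>
 #include "flask.h"
 #include "av_permissions.h"
@@ -30,8 +31,6 @@ extern int selinux_enforcing;
 struct avc_entry;
 
 struct task_struct;
-struct vfsmount;
-struct dentry;
 struct inode;
 struct sock;
 struct sk_buff;
@@ -46,8 +45,7 @@ struct avc_audit_data {
 struct task_struct *tsk;
 union {
 struct {
-struct vfsmount *mnt;
-struct dentry *dentry;
+struct path path;
 struct inode *inode;
 } fs;
 struct {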
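Review bot: The new `struct path path` member in the `fs` arm of the union carries no comment, yet its contract is now the subtle part of this change: callers may fill in only `dentry`, and avc_audit() logs the resolved path only when `mnt` is non-NULL and otherwise falls back to the dentry name, so a NULL `mnt` is a valid, meaningful state rather than a half-initialised path. As far as the hooks.c hunks show, no caller takes a reference on what it stores here either, so the member holds borrowed pointers valid only for the duration of the permission check. I would annotate the field: `struct path path; /* borrowed; mnt may be NULL, then only the dentry name is audited */`. The `struct avc_audit_data` definition continues past the end of the hunk.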
