Diffstat (limited to 'security/smack/smack_lsm.c')
-rw-r--r-- | security/smack/smack_lsm.c | 12 |
1 files changed, 8 insertions, 4 deletions
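diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 23c7a6d0c80c..400a5d5cde61 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -686,7 +686,7 @@ static int smack_inode_rename(struct inode *old_inode,
 *
 * Returns 0 if access is permitted, -EACCES otherwise
 */
-static int smack_inode_permission(struct inode *inode, int mask)
+static int smack_inode_permission(struct inode *inode, int mask, unsigned flags)
 {
 struct smk_audit_info ad;
 
@@ -696,6 +696,10 @@ static int smack_inode_permission(struct inode *inode, int mask)
 */
 if (mask == 0)
 return 0;
+
+/* May be droppable after audit */
+if (flags & IPERM_FLAG_RCU)
+return -ECHILD;
 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);
 smk_ad_setfield_u_fs_inode(&ad, inode);
 return smk_curacc(smk_of_inode(inode), mask, &ad);
@@ -1794,7 +1798,7 @@ static void smack_set_catset(char *catset, struct netlbl_lsm_secattr *sap)
 * Casey says that CIPSO is good enough for now.
 * It can be used to effect.
 * It can also be abused to effect when necessary.
-* Appologies to the TSIG group in general and GW in particular.
+* Apologies to the TSIG group in general and GW in particular.
 */
 static void smack_to_secattr(char *smack, struct netlbl_lsm_secattr *nlsp)
 {
@@ -2530,7 +2534,7 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
 switch (sbp->s_magic) {
 case SMACK_MAGIC:
 /*
-* Casey says that it's a little embarassing
+* Casey says that it's a little embarrassing
 * that the smack file system doesn't do
 * extended attributes.
 */
@@ -3084,7 +3088,7 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
 /*
 * We need to decide if we want to label the incoming connection here
 * if we do we only need to label the request_sock and the stack will
-* propagate the wire-label to the sock when it is created.
+* propagate the wire-label to the sock when it is created.
 */
 hdr = ip_hdr(skb);
 addr.sin_addr.s_addr = hdr->saddr;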
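Review bot: The kernel-doc line `Returns 0 if access is permitted, -EACCES otherwise` above smack_inode_permission is left stale by the new early exit, which returns -ECHILD whenever `flags & IPERM_FLAG_RCU` is set; the comment's opening lies outside the hunk, so whether `flags` received a parameter entry cannot be seen here. I would change it to `Returns 0 if access is permitted, -ECHILD if called with IPERM_FLAG_RCU, -EACCES otherwise` and add `@flags: IPERM_FLAG_* flags passed in by the VFS`. The in-code comment `/* May be droppable after audit */` does not say what has to be audited; something like `/* smk_curacc() and the audit setup have not been checked for RCU-walk safety; bail out with -ECHILD until they are */` would tell the next maintainer what must be verified before the check is removed. The bail-out itself fails safe as written, since the Smack access decision is never skipped on this path, only refused with an error.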