4 files changed, 88 insertions, 0 deletions
diff --git a/security/capability.c b/security/capability.c
index 93a2ffe65905..fce07a7bc825 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -822,6 +822,20 @@ static void cap_release_secctx(char *secdata, u32 seclen)
 {
 }
+static int cap_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
+{
+        return 0;
+}
+static int cap_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
+{
+        return 0;
+}
+static int cap_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
+{
+        return 0;
+}
 #ifdef CONFIG_KEYS
 static int cap_key_alloc(struct key *key, const struct cred *cred,
                         unsigned long flags)
@@ -1032,6 +1046,9 @@ void security_fixup_ops(struct security_operations *ops)
        set_to_cap_if_null(ops, secid_to_secctx);
        set_to_cap_if_null(ops, secctx_to_secid);
        set_to_cap_if_null(ops, release_secctx);
+        set_to_cap_if_null(ops, inode_notifysecctx);
+        set_to_cap_if_null(ops, inode_setsecctx);
+        set_to_cap_if_null(ops, inode_getsecctx);
 #ifdef CONFIG_SECURITY_NETWORK
        set_to_cap_if_null(ops, unix_stream_connect);
        set_to_cap_if_null(ops, unix_may_send);
diff --git a/security/security.c b/security/security.c
index d8b727637f02..c4c673240c1c 100644
--- a/security/security.c
+++ b/security/security.c
@@ -974,6 +974,24 @@ void security_release_secctx(char *secdata, u32 seclen)
 }
 EXPORT_SYMBOL(security_release_secctx);
+int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
+{
+        return security_ops->inode_notifysecctx(inode, ctx, ctxlen);
+}
+EXPORT_SYMBOL(security_inode_notifysecctx);
+int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
+{
+        return security_ops->inode_setsecctx(dentry, ctx, ctxlen);
+}
+EXPORT_SYMBOL(security_inode_setsecctx);
+int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
+{
+        return security_ops->inode_getsecctx(inode, ctx, ctxlen);
+}
+EXPORT_SYMBOL(security_inode_getsecctx);
 #ifdef CONFIG_SECURITY_NETWORK
 int security_unix_stream_connect(struct socket *sock, struct socket *other,
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 134a9c0d2004..7118be2a74a5 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -5351,6 +5351,32 @@ static void selinux_release_secctx(char *secdata, u32 seclen)
        kfree(secdata);
 }
+/*
+ *      called with inode->i_mutex locked
+ */
+static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
+{
+        return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
+}
+/*
+ *      called with inode->i_mutex locked
+ */
+static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
+{
+        return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
+}
+static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
+{
+        int len = 0;
+        len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
+                                                ctx, true);
+        if (len < 0)
+                return len;
+        *ctxlen = len;
+        return 0;
+}
 #ifdef CONFIG_KEYS
 static int selinux_key_alloc(struct key *k, const struct cred *cred,
@@ -5550,6 +5576,9 @@ static struct security_operations selinux_ops = {
        .secid_to_secctx =              selinux_secid_to_secctx,
        .secctx_to_secid =              selinux_secctx_to_secid,
        .release_secctx =               selinux_release_secctx,
+        .inode_notifysecctx =           selinux_inode_notifysecctx,
+        .inode_setsecctx =              selinux_inode_setsecctx,
+        .inode_getsecctx =              selinux_inode_getsecctx,
        .unix_stream_connect =          selinux_socket_unix_stream_connect,
        .unix_may_send =                selinux_socket_unix_may_send,
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 969f5fee1906..0b3bb646f90e 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -3057,6 +3057,27 @@ static void smack_release_secctx(char *secdata, u32 seclen)
 {
 }
+static int smack_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
+{
+        return smack_inode_setsecurity(inode, XATTR_SMACK_SUFFIX, ctx, ctxlen, 0);
+}
+static int smack_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
+{
+        return __vfs_setxattr_noperm(dentry, XATTR_NAME_SMACK, ctx, ctxlen, 0);
+}
+static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
+{
+        int len = 0;
+        len = smack_inode_getsecurity(inode, XATTR_SMACK_SUFFIX, ctx, true);
+        if (len < 0)
+                return len;
+        *ctxlen = len;
+        return 0;
+}
 struct security_operations smack_ops = {
        .name =                         "smack",
@@ -3185,6 +3206,9 @@ struct security_operations smack_ops = {
        .secid_to_secctx =              smack_secid_to_secctx,
        .secctx_to_secid =              smack_secctx_to_secid,
        .release_secctx =               smack_release_secctx,
+        .inode_notifysecctx =           smack_inode_notifysecctx,
+        .inode_setsecctx =              smack_inode_setsecctx,
+        .inode_getsecctx =              smack_inode_getsecctx,
 };

diff --git a/security/capability.c b/security/capability.c index 93a2ffe65905..fce07a7bc825 100644 --- a/security/capability.c +++ b/security/capability.c
@@ -822,6 +822,20 @@ static void cap_release_secctx(char *secdata, u32 seclen)
822	{	822	{
823	}	823	}
824		824
		825	static int cap_inode_notifysecctx(struct inode inode, void ctx, u32 ctxlen)
		826	{
		827	return 0;
		828	}
		829
		830	static int cap_inode_setsecctx(struct dentry dentry, void ctx, u32 ctxlen)
		831	{
		832	return 0;
		833	}
		834
		835	static int cap_inode_getsecctx(struct inode inode, void ctx, u32 ctxlen)
		836	{
		837	return 0;
		838	}
825	#ifdef CONFIG_KEYS	839	#ifdef CONFIG_KEYS
826	static int cap_key_alloc(struct key key, const struct cred cred,	840	static int cap_key_alloc(struct key key, const struct cred cred,
827	unsigned long flags)	841	unsigned long flags)
@@ -1032,6 +1046,9 @@ void security_fixup_ops(struct security_operations *ops)
1032	set_to_cap_if_null(ops, secid_to_secctx);	1046	set_to_cap_if_null(ops, secid_to_secctx);
1033	set_to_cap_if_null(ops, secctx_to_secid);	1047	set_to_cap_if_null(ops, secctx_to_secid);
1034	set_to_cap_if_null(ops, release_secctx);	1048	set_to_cap_if_null(ops, release_secctx);
		1049	set_to_cap_if_null(ops, inode_notifysecctx);
		1050	set_to_cap_if_null(ops, inode_setsecctx);
		1051	set_to_cap_if_null(ops, inode_getsecctx);
1035	#ifdef CONFIG_SECURITY_NETWORK	1052	#ifdef CONFIG_SECURITY_NETWORK
1036	set_to_cap_if_null(ops, unix_stream_connect);	1053	set_to_cap_if_null(ops, unix_stream_connect);
1037	set_to_cap_if_null(ops, unix_may_send);	1054	set_to_cap_if_null(ops, unix_may_send);


diff --git a/security/security.c b/security/security.c index d8b727637f02..c4c673240c1c 100644 --- a/security/security.c +++ b/security/security.c
@@ -974,6 +974,24 @@ void security_release_secctx(char *secdata, u32 seclen)
974	}	974	}
975	EXPORT_SYMBOL(security_release_secctx);	975	EXPORT_SYMBOL(security_release_secctx);
976		976
		977	int security_inode_notifysecctx(struct inode inode, void ctx, u32 ctxlen)
		978	{
		979	return security_ops->inode_notifysecctx(inode, ctx, ctxlen);
		980	}
		981	EXPORT_SYMBOL(security_inode_notifysecctx);
		982
		983	int security_inode_setsecctx(struct dentry dentry, void ctx, u32 ctxlen)
		984	{
		985	return security_ops->inode_setsecctx(dentry, ctx, ctxlen);
		986	}
		987	EXPORT_SYMBOL(security_inode_setsecctx);
		988
		989	int security_inode_getsecctx(struct inode inode, void ctx, u32 ctxlen)
		990	{
		991	return security_ops->inode_getsecctx(inode, ctx, ctxlen);
		992	}
		993	EXPORT_SYMBOL(security_inode_getsecctx);
		994
977	#ifdef CONFIG_SECURITY_NETWORK	995	#ifdef CONFIG_SECURITY_NETWORK
978		996
979	int security_unix_stream_connect(struct socket sock, struct socket other,	997	int security_unix_stream_connect(struct socket sock, struct socket other,


diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 134a9c0d2004..7118be2a74a5 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c
@@ -5351,6 +5351,32 @@ static void selinux_release_secctx(char *secdata, u32 seclen)
5351	kfree(secdata);	5351	kfree(secdata);
5352	}	5352	}
5353		5353
		5354	/*
		5355	* called with inode->i_mutex locked
		5356	*/
		5357	static int selinux_inode_notifysecctx(struct inode inode, void ctx, u32 ctxlen)
		5358	{
		5359	return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
		5360	}
		5361
		5362	/*
		5363	* called with inode->i_mutex locked
		5364	*/
		5365	static int selinux_inode_setsecctx(struct dentry dentry, void ctx, u32 ctxlen)
		5366	{
		5367	return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
		5368	}
		5369
		5370	static int selinux_inode_getsecctx(struct inode inode, void ctx, u32 ctxlen)
		5371	{
		5372	int len = 0;
		5373	len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
		5374	ctx, true);
		5375	if (len < 0)
		5376	return len;
		5377	*ctxlen = len;
		5378	return 0;
		5379	}
5354	#ifdef CONFIG_KEYS	5380	#ifdef CONFIG_KEYS
5355		5381
5356	static int selinux_key_alloc(struct key k, const struct cred cred,	5382	static int selinux_key_alloc(struct key k, const struct cred cred,
@@ -5550,6 +5576,9 @@ static struct security_operations selinux_ops = {
5550	.secid_to_secctx = selinux_secid_to_secctx,	5576	.secid_to_secctx = selinux_secid_to_secctx,
5551	.secctx_to_secid = selinux_secctx_to_secid,	5577	.secctx_to_secid = selinux_secctx_to_secid,
5552	.release_secctx = selinux_release_secctx,	5578	.release_secctx = selinux_release_secctx,
		5579	.inode_notifysecctx = selinux_inode_notifysecctx,
		5580	.inode_setsecctx = selinux_inode_setsecctx,
		5581	.inode_getsecctx = selinux_inode_getsecctx,
5553		5582
5554	.unix_stream_connect = selinux_socket_unix_stream_connect,	5583	.unix_stream_connect = selinux_socket_unix_stream_connect,
5555	.unix_may_send = selinux_socket_unix_may_send,	5584	.unix_may_send = selinux_socket_unix_may_send,


diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 969f5fee1906..0b3bb646f90e 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c
@@ -3057,6 +3057,27 @@ static void smack_release_secctx(char *secdata, u32 seclen)
3057	{	3057	{
3058	}	3058	}
3059		3059
		3060	static int smack_inode_notifysecctx(struct inode inode, void ctx, u32 ctxlen)
		3061	{
		3062	return smack_inode_setsecurity(inode, XATTR_SMACK_SUFFIX, ctx, ctxlen, 0);
		3063	}
		3064
		3065	static int smack_inode_setsecctx(struct dentry dentry, void ctx, u32 ctxlen)
		3066	{
		3067	return __vfs_setxattr_noperm(dentry, XATTR_NAME_SMACK, ctx, ctxlen, 0);
		3068	}
		3069
		3070	static int smack_inode_getsecctx(struct inode inode, void ctx, u32 ctxlen)
		3071	{
		3072	int len = 0;
		3073	len = smack_inode_getsecurity(inode, XATTR_SMACK_SUFFIX, ctx, true);
		3074
		3075	if (len < 0)
		3076	return len;
		3077	*ctxlen = len;
		3078	return 0;
		3079	}
		3080
3060	struct security_operations smack_ops = {	3081	struct security_operations smack_ops = {
3061	.name = "smack",	3082	.name = "smack",
3062		3083
@@ -3185,6 +3206,9 @@ struct security_operations smack_ops = {
3185	.secid_to_secctx = smack_secid_to_secctx,	3206	.secid_to_secctx = smack_secid_to_secctx,
3186	.secctx_to_secid = smack_secctx_to_secid,	3207	.secctx_to_secid = smack_secctx_to_secid,
3187	.release_secctx = smack_release_secctx,	3208	.release_secctx = smack_release_secctx,
		3209	.inode_notifysecctx = smack_inode_notifysecctx,
		3210	.inode_setsecctx = smack_inode_setsecctx,
		3211	.inode_getsecctx = smack_inode_getsecctx,
3188	};	3212	};
3189		3213
3190		3214