aboutsummaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
Diffstat (limited to 'security')
-rw-r--r--security/selinux/avc.c15
-rw-r--r--security/selinux/hooks.c28
-rw-r--r--security/selinux/include/avc.h6
3 files changed, 24 insertions, 25 deletions
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index e8529e2f51e5..187964e88af1 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -568,10 +568,11 @@ void avc_audit(u32 ssid, u32 tsid,
568 audit_log_format(ab, " capability=%d", a->u.cap); 568 audit_log_format(ab, " capability=%d", a->u.cap);
569 break; 569 break;
570 case AVC_AUDIT_DATA_FS: 570 case AVC_AUDIT_DATA_FS:
571 if (a->u.fs.dentry) { 571 if (a->u.fs.path.dentry) {
572 struct dentry *dentry = a->u.fs.dentry; 572 struct dentry *dentry = a->u.fs.path.dentry;
573 if (a->u.fs.mnt) { 573 if (a->u.fs.path.mnt) {
574 audit_log_d_path(ab, "path=", dentry, a->u.fs.mnt); 574 audit_log_d_path(ab, "path=",
575 &a->u.fs.path);
575 } else { 576 } else {
576 audit_log_format(ab, " name="); 577 audit_log_format(ab, " name=");
577 audit_log_untrustedstring(ab, dentry->d_name.name); 578 audit_log_untrustedstring(ab, dentry->d_name.name);
@@ -626,8 +627,12 @@ void avc_audit(u32 ssid, u32 tsid,
626 case AF_UNIX: 627 case AF_UNIX:
627 u = unix_sk(sk); 628 u = unix_sk(sk);
628 if (u->dentry) { 629 if (u->dentry) {
630 struct path path = {
631 .dentry = u->dentry,
632 .mnt = u->mnt
633 };
629 audit_log_d_path(ab, "path=", 634 audit_log_d_path(ab, "path=",
630 u->dentry, u->mnt); 635 &path);
631 break; 636 break;
632 } 637 }
633 if (!u->addr) 638 if (!u->addr)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index ffeefa3c2c77..75c2e99bfb81 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1356,8 +1356,8 @@ static inline int dentry_has_perm(struct task_struct *tsk,
1356 struct inode *inode = dentry->d_inode; 1356 struct inode *inode = dentry->d_inode;
1357 struct avc_audit_data ad; 1357 struct avc_audit_data ad;
1358 AVC_AUDIT_DATA_INIT(&ad,FS); 1358 AVC_AUDIT_DATA_INIT(&ad,FS);
1359 ad.u.fs.mnt = mnt; 1359 ad.u.fs.path.mnt = mnt;
1360 ad.u.fs.dentry = dentry; 1360 ad.u.fs.path.dentry = dentry;
1361 return inode_has_perm(tsk, inode, av, &ad); 1361 return inode_has_perm(tsk, inode, av, &ad);
1362} 1362}
1363 1363
@@ -1375,15 +1375,12 @@ static int file_has_perm(struct task_struct *tsk,
1375{ 1375{
1376 struct task_security_struct *tsec = tsk->security; 1376 struct task_security_struct *tsec = tsk->security;
1377 struct file_security_struct *fsec = file->f_security; 1377 struct file_security_struct *fsec = file->f_security;
1378 struct vfsmount *mnt = file->f_path.mnt; 1378 struct inode *inode = file->f_path.dentry->d_inode;
1379 struct dentry *dentry = file->f_path.dentry;
1380 struct inode *inode = dentry->d_inode;
1381 struct avc_audit_data ad; 1379 struct avc_audit_data ad;
1382 int rc; 1380 int rc;
1383 1381
1384 AVC_AUDIT_DATA_INIT(&ad, FS); 1382 AVC_AUDIT_DATA_INIT(&ad, FS);
1385 ad.u.fs.mnt = mnt; 1383 ad.u.fs.path = file->f_path;
1386 ad.u.fs.dentry = dentry;
1387 1384
1388 if (tsec->sid != fsec->sid) { 1385 if (tsec->sid != fsec->sid) {
1389 rc = avc_has_perm(tsec->sid, fsec->sid, 1386 rc = avc_has_perm(tsec->sid, fsec->sid,
@@ -1418,7 +1415,7 @@ static int may_create(struct inode *dir,
1418 sbsec = dir->i_sb->s_security; 1415 sbsec = dir->i_sb->s_security;
1419 1416
1420 AVC_AUDIT_DATA_INIT(&ad, FS); 1417 AVC_AUDIT_DATA_INIT(&ad, FS);
1421 ad.u.fs.dentry = dentry; 1418 ad.u.fs.path.dentry = dentry;
1422 1419
1423 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, 1420 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1424 DIR__ADD_NAME | DIR__SEARCH, 1421 DIR__ADD_NAME | DIR__SEARCH,
@@ -1476,7 +1473,7 @@ static int may_link(struct inode *dir,
1476 isec = dentry->d_inode->i_security; 1473 isec = dentry->d_inode->i_security;
1477 1474
1478 AVC_AUDIT_DATA_INIT(&ad, FS); 1475 AVC_AUDIT_DATA_INIT(&ad, FS);
1479 ad.u.fs.dentry = dentry; 1476 ad.u.fs.path.dentry = dentry;
1480 1477
1481 av = DIR__SEARCH; 1478 av = DIR__SEARCH;
1482 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME); 1479 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
@@ -1523,7 +1520,7 @@ static inline int may_rename(struct inode *old_dir,
1523 1520
1524 AVC_AUDIT_DATA_INIT(&ad, FS); 1521 AVC_AUDIT_DATA_INIT(&ad, FS);
1525 1522
1526 ad.u.fs.dentry = old_dentry; 1523 ad.u.fs.path.dentry = old_dentry;
1527 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR, 1524 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1528 DIR__REMOVE_NAME | DIR__SEARCH, &ad); 1525 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1529 if (rc) 1526 if (rc)
@@ -1539,7 +1536,7 @@ static inline int may_rename(struct inode *old_dir,
1539 return rc; 1536 return rc;
1540 } 1537 }
1541 1538
1542 ad.u.fs.dentry = new_dentry; 1539 ad.u.fs.path.dentry = new_dentry;
1543 av = DIR__ADD_NAME | DIR__SEARCH; 1540 av = DIR__ADD_NAME | DIR__SEARCH;
1544 if (new_dentry->d_inode) 1541 if (new_dentry->d_inode)
1545 av |= DIR__REMOVE_NAME; 1542 av |= DIR__REMOVE_NAME;
@@ -1918,8 +1915,7 @@ static int selinux_bprm_set_security(struct linux_binprm *bprm)
1918 } 1915 }
1919 1916
1920 AVC_AUDIT_DATA_INIT(&ad, FS); 1917 AVC_AUDIT_DATA_INIT(&ad, FS);
1921 ad.u.fs.mnt = bprm->file->f_path.mnt; 1918 ad.u.fs.path = bprm->file->f_path;
1922 ad.u.fs.dentry = bprm->file->f_path.dentry;
1923 1919
1924 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) 1920 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1925 newsid = tsec->sid; 1921 newsid = tsec->sid;
@@ -2315,7 +2311,7 @@ static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2315 return rc; 2311 return rc;
2316 2312
2317 AVC_AUDIT_DATA_INIT(&ad,FS); 2313 AVC_AUDIT_DATA_INIT(&ad,FS);
2318 ad.u.fs.dentry = sb->s_root; 2314 ad.u.fs.path.dentry = sb->s_root;
2319 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad); 2315 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2320} 2316}
2321 2317
@@ -2324,7 +2320,7 @@ static int selinux_sb_statfs(struct dentry *dentry)
2324 struct avc_audit_data ad; 2320 struct avc_audit_data ad;
2325 2321
2326 AVC_AUDIT_DATA_INIT(&ad,FS); 2322 AVC_AUDIT_DATA_INIT(&ad,FS);
2327 ad.u.fs.dentry = dentry->d_sb->s_root; 2323 ad.u.fs.path.dentry = dentry->d_sb->s_root;
2328 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad); 2324 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2329} 2325}
2330 2326
@@ -2587,7 +2583,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value
2587 return -EPERM; 2583 return -EPERM;
2588 2584
2589 AVC_AUDIT_DATA_INIT(&ad,FS); 2585 AVC_AUDIT_DATA_INIT(&ad,FS);
2590 ad.u.fs.dentry = dentry; 2586 ad.u.fs.path.dentry = dentry;
2591 2587
2592 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, 2588 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2593 FILE__RELABELFROM, &ad); 2589 FILE__RELABELFROM, &ad);
diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h
index 80c28fa6621c..8e23d7a873a4 100644
--- a/security/selinux/include/avc.h
+++ b/security/selinux/include/avc.h
@@ -13,6 +13,7 @@
13#include <linux/spinlock.h> 13#include <linux/spinlock.h>
14#include <linux/init.h> 14#include <linux/init.h>
15#include <linux/in6.h> 15#include <linux/in6.h>
16#include <linux/path.h>
16#include <asm/system.h> 17#include <asm/system.h>
17#include "flask.h" 18#include "flask.h"
18#include "av_permissions.h" 19#include "av_permissions.h"
@@ -30,8 +31,6 @@ extern int selinux_enforcing;
30struct avc_entry; 31struct avc_entry;
31 32
32struct task_struct; 33struct task_struct;
33struct vfsmount;
34struct dentry;
35struct inode; 34struct inode;
36struct sock; 35struct sock;
37struct sk_buff; 36struct sk_buff;
@@ -46,8 +45,7 @@ struct avc_audit_data {
46 struct task_struct *tsk; 45 struct task_struct *tsk;
47 union { 46 union {
48 struct { 47 struct {
49 struct vfsmount *mnt; 48 struct path path;
50 struct dentry *dentry;
51 struct inode *inode; 49 struct inode *inode;
52 } fs; 50 } fs;
53 struct { 51 struct {