diff options
Diffstat (limited to 'security')
-rw-r--r-- | security/selinux/avc.c | 15 | ||||
-rw-r--r-- | security/selinux/hooks.c | 28 | ||||
-rw-r--r-- | security/selinux/include/avc.h | 6 |
3 files changed, 24 insertions, 25 deletions
diff --git a/security/selinux/avc.c b/security/selinux/avc.c index e8529e2f51e5..187964e88af1 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c | |||
@@ -568,10 +568,11 @@ void avc_audit(u32 ssid, u32 tsid, | |||
568 | audit_log_format(ab, " capability=%d", a->u.cap); | 568 | audit_log_format(ab, " capability=%d", a->u.cap); |
569 | break; | 569 | break; |
570 | case AVC_AUDIT_DATA_FS: | 570 | case AVC_AUDIT_DATA_FS: |
571 | if (a->u.fs.dentry) { | 571 | if (a->u.fs.path.dentry) { |
572 | struct dentry *dentry = a->u.fs.dentry; | 572 | struct dentry *dentry = a->u.fs.path.dentry; |
573 | if (a->u.fs.mnt) { | 573 | if (a->u.fs.path.mnt) { |
574 | audit_log_d_path(ab, "path=", dentry, a->u.fs.mnt); | 574 | audit_log_d_path(ab, "path=", |
575 | &a->u.fs.path); | ||
575 | } else { | 576 | } else { |
576 | audit_log_format(ab, " name="); | 577 | audit_log_format(ab, " name="); |
577 | audit_log_untrustedstring(ab, dentry->d_name.name); | 578 | audit_log_untrustedstring(ab, dentry->d_name.name); |
@@ -626,8 +627,12 @@ void avc_audit(u32 ssid, u32 tsid, | |||
626 | case AF_UNIX: | 627 | case AF_UNIX: |
627 | u = unix_sk(sk); | 628 | u = unix_sk(sk); |
628 | if (u->dentry) { | 629 | if (u->dentry) { |
630 | struct path path = { | ||
631 | .dentry = u->dentry, | ||
632 | .mnt = u->mnt | ||
633 | }; | ||
629 | audit_log_d_path(ab, "path=", | 634 | audit_log_d_path(ab, "path=", |
630 | u->dentry, u->mnt); | 635 | &path); |
631 | break; | 636 | break; |
632 | } | 637 | } |
633 | if (!u->addr) | 638 | if (!u->addr) |
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index ffeefa3c2c77..75c2e99bfb81 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
@@ -1356,8 +1356,8 @@ static inline int dentry_has_perm(struct task_struct *tsk, | |||
1356 | struct inode *inode = dentry->d_inode; | 1356 | struct inode *inode = dentry->d_inode; |
1357 | struct avc_audit_data ad; | 1357 | struct avc_audit_data ad; |
1358 | AVC_AUDIT_DATA_INIT(&ad,FS); | 1358 | AVC_AUDIT_DATA_INIT(&ad,FS); |
1359 | ad.u.fs.mnt = mnt; | 1359 | ad.u.fs.path.mnt = mnt; |
1360 | ad.u.fs.dentry = dentry; | 1360 | ad.u.fs.path.dentry = dentry; |
1361 | return inode_has_perm(tsk, inode, av, &ad); | 1361 | return inode_has_perm(tsk, inode, av, &ad); |
1362 | } | 1362 | } |
1363 | 1363 | ||
@@ -1375,15 +1375,12 @@ static int file_has_perm(struct task_struct *tsk, | |||
1375 | { | 1375 | { |
1376 | struct task_security_struct *tsec = tsk->security; | 1376 | struct task_security_struct *tsec = tsk->security; |
1377 | struct file_security_struct *fsec = file->f_security; | 1377 | struct file_security_struct *fsec = file->f_security; |
1378 | struct vfsmount *mnt = file->f_path.mnt; | 1378 | struct inode *inode = file->f_path.dentry->d_inode; |
1379 | struct dentry *dentry = file->f_path.dentry; | ||
1380 | struct inode *inode = dentry->d_inode; | ||
1381 | struct avc_audit_data ad; | 1379 | struct avc_audit_data ad; |
1382 | int rc; | 1380 | int rc; |
1383 | 1381 | ||
1384 | AVC_AUDIT_DATA_INIT(&ad, FS); | 1382 | AVC_AUDIT_DATA_INIT(&ad, FS); |
1385 | ad.u.fs.mnt = mnt; | 1383 | ad.u.fs.path = file->f_path; |
1386 | ad.u.fs.dentry = dentry; | ||
1387 | 1384 | ||
1388 | if (tsec->sid != fsec->sid) { | 1385 | if (tsec->sid != fsec->sid) { |
1389 | rc = avc_has_perm(tsec->sid, fsec->sid, | 1386 | rc = avc_has_perm(tsec->sid, fsec->sid, |
@@ -1418,7 +1415,7 @@ static int may_create(struct inode *dir, | |||
1418 | sbsec = dir->i_sb->s_security; | 1415 | sbsec = dir->i_sb->s_security; |
1419 | 1416 | ||
1420 | AVC_AUDIT_DATA_INIT(&ad, FS); | 1417 | AVC_AUDIT_DATA_INIT(&ad, FS); |
1421 | ad.u.fs.dentry = dentry; | 1418 | ad.u.fs.path.dentry = dentry; |
1422 | 1419 | ||
1423 | rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, | 1420 | rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, |
1424 | DIR__ADD_NAME | DIR__SEARCH, | 1421 | DIR__ADD_NAME | DIR__SEARCH, |
@@ -1476,7 +1473,7 @@ static int may_link(struct inode *dir, | |||
1476 | isec = dentry->d_inode->i_security; | 1473 | isec = dentry->d_inode->i_security; |
1477 | 1474 | ||
1478 | AVC_AUDIT_DATA_INIT(&ad, FS); | 1475 | AVC_AUDIT_DATA_INIT(&ad, FS); |
1479 | ad.u.fs.dentry = dentry; | 1476 | ad.u.fs.path.dentry = dentry; |
1480 | 1477 | ||
1481 | av = DIR__SEARCH; | 1478 | av = DIR__SEARCH; |
1482 | av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME); | 1479 | av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME); |
@@ -1523,7 +1520,7 @@ static inline int may_rename(struct inode *old_dir, | |||
1523 | 1520 | ||
1524 | AVC_AUDIT_DATA_INIT(&ad, FS); | 1521 | AVC_AUDIT_DATA_INIT(&ad, FS); |
1525 | 1522 | ||
1526 | ad.u.fs.dentry = old_dentry; | 1523 | ad.u.fs.path.dentry = old_dentry; |
1527 | rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR, | 1524 | rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR, |
1528 | DIR__REMOVE_NAME | DIR__SEARCH, &ad); | 1525 | DIR__REMOVE_NAME | DIR__SEARCH, &ad); |
1529 | if (rc) | 1526 | if (rc) |
@@ -1539,7 +1536,7 @@ static inline int may_rename(struct inode *old_dir, | |||
1539 | return rc; | 1536 | return rc; |
1540 | } | 1537 | } |
1541 | 1538 | ||
1542 | ad.u.fs.dentry = new_dentry; | 1539 | ad.u.fs.path.dentry = new_dentry; |
1543 | av = DIR__ADD_NAME | DIR__SEARCH; | 1540 | av = DIR__ADD_NAME | DIR__SEARCH; |
1544 | if (new_dentry->d_inode) | 1541 | if (new_dentry->d_inode) |
1545 | av |= DIR__REMOVE_NAME; | 1542 | av |= DIR__REMOVE_NAME; |
@@ -1918,8 +1915,7 @@ static int selinux_bprm_set_security(struct linux_binprm *bprm) | |||
1918 | } | 1915 | } |
1919 | 1916 | ||
1920 | AVC_AUDIT_DATA_INIT(&ad, FS); | 1917 | AVC_AUDIT_DATA_INIT(&ad, FS); |
1921 | ad.u.fs.mnt = bprm->file->f_path.mnt; | 1918 | ad.u.fs.path = bprm->file->f_path; |
1922 | ad.u.fs.dentry = bprm->file->f_path.dentry; | ||
1923 | 1919 | ||
1924 | if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) | 1920 | if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) |
1925 | newsid = tsec->sid; | 1921 | newsid = tsec->sid; |
@@ -2315,7 +2311,7 @@ static int selinux_sb_kern_mount(struct super_block *sb, void *data) | |||
2315 | return rc; | 2311 | return rc; |
2316 | 2312 | ||
2317 | AVC_AUDIT_DATA_INIT(&ad,FS); | 2313 | AVC_AUDIT_DATA_INIT(&ad,FS); |
2318 | ad.u.fs.dentry = sb->s_root; | 2314 | ad.u.fs.path.dentry = sb->s_root; |
2319 | return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad); | 2315 | return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad); |
2320 | } | 2316 | } |
2321 | 2317 | ||
@@ -2324,7 +2320,7 @@ static int selinux_sb_statfs(struct dentry *dentry) | |||
2324 | struct avc_audit_data ad; | 2320 | struct avc_audit_data ad; |
2325 | 2321 | ||
2326 | AVC_AUDIT_DATA_INIT(&ad,FS); | 2322 | AVC_AUDIT_DATA_INIT(&ad,FS); |
2327 | ad.u.fs.dentry = dentry->d_sb->s_root; | 2323 | ad.u.fs.path.dentry = dentry->d_sb->s_root; |
2328 | return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad); | 2324 | return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad); |
2329 | } | 2325 | } |
2330 | 2326 | ||
@@ -2587,7 +2583,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value | |||
2587 | return -EPERM; | 2583 | return -EPERM; |
2588 | 2584 | ||
2589 | AVC_AUDIT_DATA_INIT(&ad,FS); | 2585 | AVC_AUDIT_DATA_INIT(&ad,FS); |
2590 | ad.u.fs.dentry = dentry; | 2586 | ad.u.fs.path.dentry = dentry; |
2591 | 2587 | ||
2592 | rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, | 2588 | rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, |
2593 | FILE__RELABELFROM, &ad); | 2589 | FILE__RELABELFROM, &ad); |
diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h index 80c28fa6621c..8e23d7a873a4 100644 --- a/security/selinux/include/avc.h +++ b/security/selinux/include/avc.h | |||
@@ -13,6 +13,7 @@ | |||
13 | #include <linux/spinlock.h> | 13 | #include <linux/spinlock.h> |
14 | #include <linux/init.h> | 14 | #include <linux/init.h> |
15 | #include <linux/in6.h> | 15 | #include <linux/in6.h> |
16 | #include <linux/path.h> | ||
16 | #include <asm/system.h> | 17 | #include <asm/system.h> |
17 | #include "flask.h" | 18 | #include "flask.h" |
18 | #include "av_permissions.h" | 19 | #include "av_permissions.h" |
@@ -30,8 +31,6 @@ extern int selinux_enforcing; | |||
30 | struct avc_entry; | 31 | struct avc_entry; |
31 | 32 | ||
32 | struct task_struct; | 33 | struct task_struct; |
33 | struct vfsmount; | ||
34 | struct dentry; | ||
35 | struct inode; | 34 | struct inode; |
36 | struct sock; | 35 | struct sock; |
37 | struct sk_buff; | 36 | struct sk_buff; |
@@ -46,8 +45,7 @@ struct avc_audit_data { | |||
46 | struct task_struct *tsk; | 45 | struct task_struct *tsk; |
47 | union { | 46 | union { |
48 | struct { | 47 | struct { |
49 | struct vfsmount *mnt; | 48 | struct path path; |
50 | struct dentry *dentry; | ||
51 | struct inode *inode; | 49 | struct inode *inode; |
52 | } fs; | 50 | } fs; |
53 | struct { | 51 | struct { |