diff options
Diffstat (limited to 'security')
| -rw-r--r-- | security/selinux/hooks.c | 24 |
1 files changed, 18 insertions, 6 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 5c6f2cd2d095..db1fca990a24 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
| @@ -1547,6 +1547,18 @@ static inline int path_has_perm(const struct cred *cred, | |||
| 1547 | return inode_has_perm(cred, inode, av, &ad, 0); | 1547 | return inode_has_perm(cred, inode, av, &ad, 0); |
| 1548 | } | 1548 | } |
| 1549 | 1549 | ||
| 1550 | /* Same as path_has_perm, but uses the inode from the file struct. */ | ||
| 1551 | static inline int file_path_has_perm(const struct cred *cred, | ||
| 1552 | struct file *file, | ||
| 1553 | u32 av) | ||
| 1554 | { | ||
| 1555 | struct common_audit_data ad; | ||
| 1556 | |||
| 1557 | ad.type = LSM_AUDIT_DATA_PATH; | ||
| 1558 | ad.u.path = file->f_path; | ||
| 1559 | return inode_has_perm(cred, file_inode(file), av, &ad, 0); | ||
| 1560 | } | ||
| 1561 | |||
| 1550 | /* Check whether a task can use an open file descriptor to | 1562 | /* Check whether a task can use an open file descriptor to |
| 1551 | access an inode in a given way. Check access to the | 1563 | access an inode in a given way. Check access to the |
| 1552 | descriptor itself, and then use dentry_has_perm to | 1564 | descriptor itself, and then use dentry_has_perm to |
| @@ -2141,14 +2153,14 @@ static inline void flush_unauthorized_files(const struct cred *cred, | |||
| 2141 | struct tty_file_private *file_priv; | 2153 | struct tty_file_private *file_priv; |
| 2142 | 2154 | ||
| 2143 | /* Revalidate access to controlling tty. | 2155 | /* Revalidate access to controlling tty. |
| 2144 | Use path_has_perm on the tty path directly rather | 2156 | Use file_path_has_perm on the tty path directly |
| 2145 | than using file_has_perm, as this particular open | 2157 | rather than using file_has_perm, as this particular |
| 2146 | file may belong to another process and we are only | 2158 | open file may belong to another process and we are |
| 2147 | interested in the inode-based check here. */ | 2159 | only interested in the inode-based check here. */ |
| 2148 | file_priv = list_first_entry(&tty->tty_files, | 2160 | file_priv = list_first_entry(&tty->tty_files, |
| 2149 | struct tty_file_private, list); | 2161 | struct tty_file_private, list); |
| 2150 | file = file_priv->file; | 2162 | file = file_priv->file; |
| 2151 | if (path_has_perm(cred, &file->f_path, FILE__READ | FILE__WRITE)) | 2163 | if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE)) |
| 2152 | drop_tty = 1; | 2164 | drop_tty = 1; |
| 2153 | } | 2165 | } |
| 2154 | spin_unlock(&tty_files_lock); | 2166 | spin_unlock(&tty_files_lock); |
| @@ -3259,7 +3271,7 @@ static int selinux_file_open(struct file *file, const struct cred *cred) | |||
| 3259 | * new inode label or new policy. | 3271 | * new inode label or new policy. |
| 3260 | * This check is not redundant - do not remove. | 3272 | * This check is not redundant - do not remove. |
| 3261 | */ | 3273 | */ |
| 3262 | return path_has_perm(cred, &file->f_path, open_file_to_av(file)); | 3274 | return file_path_has_perm(cred, file, open_file_to_av(file)); |
| 3263 | } | 3275 | } |
| 3264 | 3276 | ||
| 3265 | /* task security operations */ | 3277 | /* task security operations */ |