From: Tony Jones <tonyj@suse.de>
Subject: Pass struct vfsmount to the inode_unlink LSM hook
This is needed for computing pathnames in the AppArmor LSM.
Signed-off-by: Tony Jones <tonyj@suse.de>
Signed-off-by: Andreas Gruenbacher <agruen@suse.de>
Signed-off-by: John Johansen <jjohansen@suse.de>
include/linux/security.h | 10 +++++++---
security/capability.c | 3 ++-
security/security.c | 5 +++--
security/selinux/hooks.c | 5 +++--
security/smack/smack_lsm.c | 4 +++-
6 files changed, 19 insertions(+), 10 deletions(-)
21
@@ -2215,7 +2215,7 @@ int vfs_unlink(struct inode *dir, struct
22
if (d_mountpoint(dentry))
25
- error = security_inode_unlink(dir, dentry);
26
+ error = security_inode_unlink(dir, dentry, mnt);
28
error = dir->i_op->unlink(dir, dentry);
30
--- a/include/linux/security.h
31
+++ b/include/linux/security.h
32
@@ -352,6 +352,7 @@ static inline void security_free_mnt_opt
33
* Check the permission to remove a hard link to a file.
34
* @dir contains the inode structure of parent directory of the file.
35
* @dentry contains the dentry structure for file to be unlinked.
36
+ * @mnt is the vfsmount corresponding to @dentry (may be NULL).
37
* Return 0 if permission is granted.
39
* Check the permission to create a symbolic link to a file.
40
@@ -1368,7 +1369,8 @@ struct security_operations {
41
int (*inode_link) (struct dentry *old_dentry, struct vfsmount *old_mnt,
42
struct inode *dir, struct dentry *new_dentry,
43
struct vfsmount *new_mnt);
44
- int (*inode_unlink) (struct inode *dir, struct dentry *dentry);
45
+ int (*inode_unlink) (struct inode *dir, struct dentry *dentry,
46
+ struct vfsmount *mnt);
47
int (*inode_symlink) (struct inode *dir, struct dentry *dentry,
48
struct vfsmount *mnt, const char *old_name);
49
int (*inode_mkdir) (struct inode *dir, struct dentry *dentry,
50
@@ -1636,7 +1638,8 @@ int security_inode_create(struct inode *
51
int security_inode_link(struct dentry *old_dentry, struct vfsmount *old_mnt,
52
struct inode *dir, struct dentry *new_dentry,
53
struct vfsmount *new_mnt);
54
-int security_inode_unlink(struct inode *dir, struct dentry *dentry);
55
+int security_inode_unlink(struct inode *dir, struct dentry *dentry,
56
+ struct vfsmount *mnt);
57
int security_inode_symlink(struct inode *dir, struct dentry *dentry,
58
struct vfsmount *mnt, const char *old_name);
59
int security_inode_mkdir(struct inode *dir, struct dentry *dentry,
60
@@ -2008,7 +2011,8 @@ static inline int security_inode_link(st
63
static inline int security_inode_unlink(struct inode *dir,
64
- struct dentry *dentry)
65
+ struct dentry *dentry,
66
+ struct vfsmount *mnt)
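Review bot: The new kerneldoc line in the first security.h hunk, `+ * @mnt is the vfsmount corresponding to @dentry (may be NULL)`, states that NULL is possible but not what an implementation must do about it, which matters because the commit message says the parameter exists so an LSM can compute pathnames. The fs/namei.c hunk only shows `mnt` being passed through from vfs_unlink, and where that value comes from is outside the hunk, so I cannot tell from here which callers supply NULL. I would extend the line to `* @mnt is the vfsmount corresponding to @dentry, or NULL when the caller cannot supply one; hooks must treat NULL as "no path available" rather than dereference it.` The smack kerneldoc in the last hunk, `+ * @mnt: vfsmount of file to unlink`, omits the NULL caveat entirely and should carry the same wording; the static inline stub at the end of this section and the other hook bodies continue outside their hunks.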
70
--- a/security/capability.c
71
+++ b/security/capability.c
72
@@ -167,7 +167,8 @@ static int cap_inode_link(struct dentry
76
-static int cap_inode_unlink(struct inode *inode, struct dentry *dentry)
77
+static int cap_inode_unlink(struct inode *inode, struct dentry *dentry,
78
+ struct vfsmount *mnt)
82
--- a/security/security.c
83
+++ b/security/security.c
84
@@ -385,11 +385,12 @@ int security_inode_link(struct dentry *o
88
-int security_inode_unlink(struct inode *dir, struct dentry *dentry)
89
+int security_inode_unlink(struct inode *dir, struct dentry *dentry,
90
+ struct vfsmount *mnt)
92
if (unlikely(IS_PRIVATE(dentry->d_inode)))
94
- return security_ops->inode_unlink(dir, dentry);
95
+ return security_ops->inode_unlink(dir, dentry, mnt);
98
int security_inode_symlink(struct inode *dir, struct dentry *dentry,
99
--- a/security/selinux/hooks.c
100
+++ b/security/selinux/hooks.c
101
@@ -2585,11 +2585,12 @@ static int selinux_inode_link(struct den
102
return may_link(dir, old_dentry, MAY_LINK);
105
-static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
106
+static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry,
107
+ struct vfsmount *mnt)
111
- rc = secondary_ops->inode_unlink(dir, dentry);
112
+ rc = secondary_ops->inode_unlink(dir, dentry, mnt);
115
return may_link(dir, dentry, MAY_UNLINK);
116
--- a/security/smack/smack_lsm.c
117
+++ b/security/smack/smack_lsm.c
118
@@ -454,11 +454,13 @@ static int smack_inode_link(struct dentr
119
* smack_inode_unlink - Smack check on inode deletion
120
* @dir: containing directory object
121
* @dentry: file to unlink
122
+ * @mnt: vfsmount of file to unlink
124
* Returns 0 if current can write the containing directory
125
* and the object, error code otherwise
127
-static int smack_inode_unlink(struct inode *dir, struct dentry *dentry)
128
+static int smack_inode_unlink(struct inode *dir, struct dentry *dentry,
129
+ struct vfsmount *mnt)
131
struct inode *ip = dentry->d_inode;