From: Jeff Mahoney <jeffm@suse.com>
Subject: [PATCH] apparmor: convert apparmor_inode_permission to path
patches.apparmor/add-security_path_permission added the ->path_permission
call. This patch converts apparmor_inode_permission to
apparmor_path_permission. The former is now a pass-all, which is how
it behaved in 2.6.26 if a NULL nameidata was passed.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
security/apparmor/lsm.c | 41 +++++++++++++++++++++++++++--------------
1 file changed, 27 insertions(+), 14 deletions(-)
14
--- a/security/apparmor/lsm.c
15
+++ b/security/apparmor/lsm.c
16
@@ -448,21 +448,9 @@ out:
20
-static int apparmor_inode_permission(struct inode *inode, int mask,
21
- struct nameidata *nd)
22
+static int apparmor_inode_permission(struct inode *inode, int mask)
26
- if (!nd || nd->flags & (LOOKUP_PARENT | LOOKUP_CONTINUE))
28
- mask = aa_mask_permissions(mask);
29
- if (S_ISDIR(inode->i_mode)) {
30
- check |= AA_CHECK_DIR;
31
- /* allow traverse accesses to directories */
34
- return aa_permission("inode_permission", inode, nd->dentry, nd->mnt,
39
static int apparmor_inode_setattr(struct dentry *dentry, struct vfsmount *mnt,
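Review bot: The stub that remains as `apparmor_inode_permission(struct inode *inode, int mask)` should carry a comment saying it is deliberately pass-all, because an LSM hook that allows everything without explanation reads like an oversight to the next maintainer. Its new body is not shown on this page; going by the commit description it no longer performs any check. A comment above the function such as `/* Mediation moved to apparmor_path_permission(); callers that reach this hook without a path are intentionally not checked. */` would record the intent. It is also worth confirming that every caller which used to pass a non-NULL nameidata now reaches the path hook, since any that do not would lose the AppArmor check silently.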
40
@@ -656,6 +644,29 @@ static int apparmor_file_mprotect(struct
41
!(vma->vm_flags & VM_SHARED) ? MAP_PRIVATE : 0);
44
+static int apparmor_path_permission(struct path *path, int mask)
46
+ struct inode *inode;
52
+ inode = path->dentry->d_inode;
54
+ mask = aa_mask_permissions(mask);
55
+ if (S_ISDIR(inode->i_mode)) {
56
+ check |= AA_CHECK_DIR;
57
+ /* allow traverse accesses to directories */
63
+ return aa_permission("inode_permission", inode, path->dentry,
64
+ path->mnt, mask, check);
67
static int apparmor_task_alloc_security(struct task_struct *task)
69
return aa_clone(task);
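Review bot: In `apparmor_path_permission`, `inode = path->dentry->d_inode;` is followed by `S_ISDIR(inode->i_mode)` with no NULL check on `inode` in the lines shown, so a negative dentry would be dereferenced; the page omits several lines of the function, so a guard may already be there. If the hook is only ever reached with a positive dentry, state that above the assignment, e.g. `/* callers pass a positive dentry, so d_inode is non-NULL */`. The removed hook also tested `nd->flags & (LOOKUP_PARENT | LOOKUP_CONTINUE)` before checking, and a `struct path` carries no lookup flags, so whether intermediate components of a path walk are now mediated depends on the call sites of the path hook, which are outside this patch. The operation string passed to `aa_permission` is still `"inode_permission"`; if that is kept so existing audit records stay comparable, a short comment saying so would help.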
70
@@ -800,6 +811,8 @@ struct security_operations apparmor_ops
71
.file_mprotect = apparmor_file_mprotect,
72
.file_lock = apparmor_file_lock,
74
+ .path_permission = apparmor_path_permission,
76
.task_alloc_security = apparmor_task_alloc_security,
77
.task_free_security = apparmor_task_free_security,
78
.task_post_setuid = cap_task_post_setuid,