1
From: Tony Jones <tonyj@suse.de>
2
Subject: Pass struct vfsmount to the inode_mknod LSM hook
4
This is needed for computing pathnames in the AppArmor LSM.
6
Signed-off-by: Tony Jones <tonyj@suse.de>
7
Signed-off-by: Andreas Gruenbacher <agruen@suse.de>
8
Signed-off-by: John Johansen <jjohansen@suse.de>
12
include/linux/security.h | 7 +++++--
13
security/dummy.c | 2 +-
14
security/security.c | 5 +++--
15
security/selinux/hooks.c | 5 +++--
16
5 files changed, 15 insertions(+), 10 deletions(-)
20
@@ -2041,7 +2041,7 @@ int vfs_mknod(struct inode *dir, struct
24
- error = security_inode_mknod(dir, dentry, mode, dev);
25
+ error = security_inode_mknod(dir, dentry, mnt, mode, dev);
29
@@ -2105,11 +2105,11 @@ asmlinkage long sys_mknodat(int dfd, con
31
case S_IFCHR: case S_IFBLK:
32
error = vfs_mknod(nd.path.dentry->d_inode, dentry,
33
- nd.path, mode, new_decode_dev(dev));
34
+ nd.path.mnt, mode, new_decode_dev(dev));
36
case S_IFIFO: case S_IFSOCK:
37
error = vfs_mknod(nd.path.dentry->d_inode, dentry,
39
+ nd.path.mnt, mode, 0);
42
mnt_drop_write(nd.path.mnt);
43
--- a/include/linux/security.h
44
+++ b/include/linux/security.h
45
@@ -381,6 +381,7 @@ static inline void security_free_mnt_opt
47
* @dir contains the inode structure of parent of the new file.
48
* @dentry contains the dentry structure of the new file.
49
+ * @mnt is the vfsmount corresponding to @dentry (may be NULL).
50
* @mode contains the mode of the new file.
51
* @dev contains the device number.
52
* Return 0 if permission is granted.
53
@@ -1369,7 +1370,7 @@ struct security_operations {
54
struct vfsmount *mnt, int mode);
55
int (*inode_rmdir) (struct inode *dir, struct dentry *dentry);
56
int (*inode_mknod) (struct inode *dir, struct dentry *dentry,
57
- int mode, dev_t dev);
58
+ struct vfsmount *mnt, int mode, dev_t dev);
59
int (*inode_rename) (struct inode *old_dir, struct dentry *old_dentry,
60
struct inode *new_dir, struct dentry *new_dentry);
61
int (*inode_readlink) (struct dentry *dentry);
62
@@ -1643,7 +1644,8 @@ int security_inode_symlink(struct inode
63
int security_inode_mkdir(struct inode *dir, struct dentry *dentry,
64
struct vfsmount *mnt, int mode);
65
int security_inode_rmdir(struct inode *dir, struct dentry *dentry);
66
-int security_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev);
67
+int security_inode_mknod(struct inode *dir, struct dentry *dentry,
68
+ struct vfsmount *mnt, int mode, dev_t dev);
69
int security_inode_rename(struct inode *old_dir, struct dentry *old_dentry,
70
struct inode *new_dir, struct dentry *new_dentry);
71
int security_inode_readlink(struct dentry *dentry);
72
@@ -2018,6 +2020,7 @@ static inline int security_inode_rmdir(s
74
static inline int security_inode_mknod(struct inode *dir,
75
struct dentry *dentry,
76
+ struct vfsmount *mnt,
80
--- a/security/dummy.c
81
+++ b/security/dummy.c
82
@@ -323,7 +323,7 @@ static int dummy_inode_rmdir (struct ino
85
static int dummy_inode_mknod (struct inode *inode, struct dentry *dentry,
86
- int mode, dev_t dev)
87
+ struct vfsmount *mnt, int mode, dev_t dev)
91
--- a/security/security.c
92
+++ b/security/security.c
93
@@ -434,11 +434,12 @@ int security_inode_rmdir(struct inode *d
94
return security_ops->inode_rmdir(dir, dentry);
97
-int security_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
98
+int security_inode_mknod(struct inode *dir, struct dentry *dentry,
99
+ struct vfsmount *mnt, int mode, dev_t dev)
101
if (unlikely(IS_PRIVATE(dir)))
103
- return security_ops->inode_mknod(dir, dentry, mode, dev);
104
+ return security_ops->inode_mknod(dir, dentry, mnt, mode, dev);
107
int security_inode_rename(struct inode *old_dir, struct dentry *old_dentry,
108
--- a/security/selinux/hooks.c
109
+++ b/security/selinux/hooks.c
110
@@ -2549,11 +2549,12 @@ static int selinux_inode_rmdir(struct in
111
return may_link(dir, dentry, MAY_RMDIR);
114
-static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
115
+static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry,
116
+ struct vfsmount *mnt, int mode, dev_t dev)
120
- rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
121
+ rc = secondary_ops->inode_mknod(dir, dentry, mnt, mode, dev);