Reintroduce revalidation.
Index: b/security/apparmor/lsm.c
4
===================================================================
5
--- a/security/apparmor/lsm.c
6
+++ b/security/apparmor/lsm.c
7
@@ -421,6 +421,55 @@ static int apparmor_inode_removexattr(st
11
+static int apparmor_file_permission(struct file *file, int mask)
13
+ struct aa_profile *profile;
14
+ struct aa_profile *file_profile = (struct aa_profile*)file->f_security;
21
+ * If this file was opened under a different profile, we
22
+ * revalidate the access against the current profile.
24
+ profile = aa_get_profile(current);
25
+ if (profile && file_profile != profile) {
26
+ struct dentry *dentry = file->f_dentry;
27
+ struct vfsmount *mnt = file->f_vfsmnt;
30
+ * FIXME: We should remember which profiles we revalidated
33
+ mask &= (MAY_READ | MAY_WRITE | MAY_EXEC);
34
+ error = aa_permission(dentry->d_inode, dentry, mnt, mask, 1);
36
+ aa_put_profile(profile);
42
+static int apparmor_file_alloc_security(struct file *file)
44
+ struct aa_profile *profile;
46
+ profile = aa_get_profile(current);
48
+ file->f_security = profile;
53
+static void apparmor_file_free_security(struct file *file)
55
+ struct aa_profile *file_profile = (struct aa_profile*)file->f_security;
57
+ aa_put_profile(file_profile);
60
static inline int aa_mmap(struct file *file, unsigned long prot,
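Review bot: The revalidation in apparmor_file_permission re-runs aa_permission() on every read/write of a descriptor whose stored profile differs from the caller's, because `file_profile != profile` is a raw pointer compare and a successful revalidation is never recorded; after a profile replacement every open file of a confined task pays a full path-based check per call, which the FIXME acknowledges but the block comment above it should state explicitly. The `mask &= (MAY_READ | MAY_WRITE | MAY_EXEC);` line can leave mask at zero when the request carried only other bits, and aa_permission() is then called with an empty mask — presumably that is an allow, but it is worth confirming, or skipping the aa_permission() call when mask is zero and still dropping the profile reference. apparmor_file_alloc_security and apparmor_file_free_security should document the ownership they establish, e.g. `/* f_security pins a counted reference to the opener's profile; released in apparmor_file_free_security() */`, since the pinned pointer is what makes the inequality test above fire after a reload. Several lines of this hunk are missing from the rendering, so the error handling between the aa_permission() call and aa_put_profile(), and the free path's handling of a NULL f_security, could not be checked here.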
63
@@ -644,6 +693,9 @@ struct security_operations apparmor_ops
64
.inode_getxattr = apparmor_inode_getxattr,
65
.inode_listxattr = apparmor_inode_listxattr,
66
.inode_removexattr = apparmor_inode_removexattr,
67
+ .file_permission = apparmor_file_permission,
68
+ .file_alloc_security = apparmor_file_alloc_security,
69
+ .file_free_security = apparmor_file_free_security,
70
.file_mmap = apparmor_file_mmap,
71
.file_mprotect = apparmor_file_mprotect,