->permission() sanitizing: don't pass flags to ->inode_permission()
pass that via mask instead. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
This commit is contained in:
parent
10556cb21a
commit
e74f71eb78
5 changed files with 13 additions and 8 deletions
|
@ -1456,7 +1456,7 @@ struct security_operations {
|
|||
struct inode *new_dir, struct dentry *new_dentry);
|
||||
int (*inode_readlink) (struct dentry *dentry);
|
||||
int (*inode_follow_link) (struct dentry *dentry, struct nameidata *nd);
|
||||
int (*inode_permission) (struct inode *inode, int mask, unsigned flags);
|
||||
int (*inode_permission) (struct inode *inode, int mask);
|
||||
int (*inode_setattr) (struct dentry *dentry, struct iattr *attr);
|
||||
int (*inode_getattr) (struct vfsmount *mnt, struct dentry *dentry);
|
||||
int (*inode_setxattr) (struct dentry *dentry, const char *name,
|
||||
|
|
|
@ -181,7 +181,7 @@ static int cap_inode_follow_link(struct dentry *dentry,
|
|||
return 0;
|
||||
}
|
||||
|
||||
static int cap_inode_permission(struct inode *inode, int mask, unsigned flags)
|
||||
static int cap_inode_permission(struct inode *inode, int mask)
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
|
|
|
@ -518,14 +518,17 @@ int security_inode_permission(struct inode *inode, int mask)
|
|||
{
|
||||
if (unlikely(IS_PRIVATE(inode)))
|
||||
return 0;
|
||||
return security_ops->inode_permission(inode, mask, 0);
|
||||
return security_ops->inode_permission(inode, mask);
|
||||
}
|
||||
|
||||
int security_inode_exec_permission(struct inode *inode, unsigned int flags)
|
||||
{
|
||||
int mask = MAY_EXEC;
|
||||
if (unlikely(IS_PRIVATE(inode)))
|
||||
return 0;
|
||||
return security_ops->inode_permission(inode, MAY_EXEC, flags);
|
||||
if (flags)
|
||||
mask |= MAY_NOT_BLOCK;
|
||||
return security_ops->inode_permission(inode, mask);
|
||||
}
|
||||
|
||||
int security_inode_setattr(struct dentry *dentry, struct iattr *attr)
|
||||
|
|
|
@ -2659,12 +2659,13 @@ static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *na
|
|||
return dentry_has_perm(cred, dentry, FILE__READ);
|
||||
}
|
||||
|
||||
static int selinux_inode_permission(struct inode *inode, int mask, unsigned flags)
|
||||
static int selinux_inode_permission(struct inode *inode, int mask)
|
||||
{
|
||||
const struct cred *cred = current_cred();
|
||||
struct common_audit_data ad;
|
||||
u32 perms;
|
||||
bool from_access;
|
||||
unsigned __flags = mask & MAY_NOT_BLOCK ? IPERM_FLAG_RCU : 0;
|
||||
|
||||
from_access = mask & MAY_ACCESS;
|
||||
mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
|
||||
|
@ -2681,7 +2682,7 @@ static int selinux_inode_permission(struct inode *inode, int mask, unsigned flag
|
|||
|
||||
perms = file_mask_to_av(inode->i_mode, mask);
|
||||
|
||||
return inode_has_perm(cred, inode, perms, &ad, flags);
|
||||
return inode_has_perm(cred, inode, perms, &ad, __flags);
|
||||
}
|
||||
|
||||
static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
|
||||
|
|
|
@ -689,9 +689,10 @@ static int smack_inode_rename(struct inode *old_inode,
|
|||
*
|
||||
* Returns 0 if access is permitted, -EACCES otherwise
|
||||
*/
|
||||
static int smack_inode_permission(struct inode *inode, int mask, unsigned flags)
|
||||
static int smack_inode_permission(struct inode *inode, int mask)
|
||||
{
|
||||
struct smk_audit_info ad;
|
||||
int no_block = mask & MAY_NOT_BLOCK;
|
||||
|
||||
mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
|
||||
/*
|
||||
|
@ -701,7 +702,7 @@ static int smack_inode_permission(struct inode *inode, int mask, unsigned flags)
|
|||
return 0;
|
||||
|
||||
/* May be droppable after audit */
|
||||
if (flags & IPERM_FLAG_RCU)
|
||||
if (no_block)
|
||||
return -ECHILD;
|
||||
smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE);
|
||||
smk_ad_setfield_u_fs_inode(&ad, inode);
|
||||
|
|
Loading…
Reference in a new issue