[packages/kernel.git] / 2.6.0-t5-security_inode_permission-lkml.patch

 fs/namei.c               |    9 +++++----
 include/linux/security.h |   11 +++++++----
 security/dummy.c         |    2 +-
 security/selinux/hooks.c |    7 ++++++-
 4 files changed, 19 insertions(+), 10 deletions(-)

Index: linux-2.6/fs/namei.c
===================================================================
RCS file: /nfshome/pal/CVS/linux-2.6/fs/namei.c,v
retrieving revision 1.13
diff -u -r1.13 namei.c
--- linux-2.6/fs/namei.c	25 Aug 2003 15:29:19 -0000	1.13
+++ linux-2.6/fs/namei.c	24 Sep 2003 14:54:40 -0000
@@ -218,7 +218,7 @@
 	if (retval)
 		return retval;
 
-	return security_inode_permission(inode, mask);
+	return security_inode_permission(inode, mask, nd);
 }
 
 /*
@@ -302,7 +302,8 @@
  * short-cut DAC fails, then call permission() to do more
  * complete permission check.
  */
-static inline int exec_permission_lite(struct inode *inode)
+static inline int exec_permission_lite(struct inode *inode,
+				       struct nameidata *nd)
 {
 	umode_t	mode = inode->i_mode;
 
@@ -325,7 +326,7 @@
 
 	return -EACCES;
 ok:
-	return security_inode_permission(inode, MAY_EXEC);
+	return security_inode_permission(inode, MAY_EXEC, nd);
 }
 
 /*
@@ -584,7 +585,7 @@
 		struct qstr this;
 		unsigned int c;
 
-		err = exec_permission_lite(inode);
+		err = exec_permission_lite(inode, nd);
 		if (err == -EAGAIN) { 
 			err = permission(inode, MAY_EXEC, nd);
 		}
Index: linux-2.6/include/linux/security.h
===================================================================
RCS file: /nfshome/pal/CVS/linux-2.6/include/linux/security.h,v
retrieving revision 1.25
diff -u -r1.25 security.h
--- linux-2.6/include/linux/security.h	24 Jun 2003 14:55:43 -0000	1.25
+++ linux-2.6/include/linux/security.h	24 Sep 2003 14:55:17 -0000
@@ -334,6 +334,7 @@
  *	called when the actual read/write operations are performed.
  *	@inode contains the inode structure to check.
  *	@mask contains the permission mask.
+ *     @nd contains the nameidata (may be NULL).
  *	Return 0 if permission is granted.
  * @inode_setattr:
  *	Check permission before setting file attributes.  Note that the kernel
@@ -1055,7 +1056,7 @@
 	                           struct dentry *new_dentry);
 	int (*inode_readlink) (struct dentry *dentry);
 	int (*inode_follow_link) (struct dentry *dentry, struct nameidata *nd);
-	int (*inode_permission) (struct inode *inode, int mask);
+	int (*inode_permission) (struct inode *inode, int mask, struct nameidata *nd);
 	int (*inode_setattr)	(struct dentry *dentry, struct iattr *attr);
 	int (*inode_getattr) (struct vfsmount *mnt, struct dentry *dentry);
         void (*inode_delete) (struct inode *inode);
@@ -1474,9 +1475,10 @@
 	return security_ops->inode_follow_link (dentry, nd);
 }
 
-static inline int security_inode_permission (struct inode *inode, int mask)
+static inline int security_inode_permission (struct inode *inode, int mask, 
+					     struct nameidata *nd)
 {
-	return security_ops->inode_permission (inode, mask);
+	return security_ops->inode_permission (inode, mask, nd);
 }
 
 static inline int security_inode_setattr (struct dentry *dentry,
@@ -2110,7 +2112,8 @@
 	return 0;
 }
 
-static inline int security_inode_permission (struct inode *inode, int mask)
+static inline int security_inode_permission (struct inode *inode, int mask,
+					     struct nameidata *nd)
 {
 	return 0;
 }
Index: linux-2.6/security/dummy.c
===================================================================
RCS file: /nfshome/pal/CVS/linux-2.6/security/dummy.c,v
retrieving revision 1.22
diff -u -r1.22 dummy.c
--- linux-2.6/security/dummy.c	3 Jul 2003 14:31:12 -0000	1.22
+++ linux-2.6/security/dummy.c	24 Sep 2003 14:54:40 -0000
@@ -364,7 +364,7 @@
 	return 0;
 }
 
-static int dummy_inode_permission (struct inode *inode, int mask)
+static int dummy_inode_permission (struct inode *inode, int mask, struct nameidata *nd)
 {
 	return 0;
 }
Index: linux-2.6/security/selinux/hooks.c
===================================================================
RCS file: /nfshome/pal/CVS/linux-2.6/security/selinux/hooks.c,v
retrieving revision 1.73
diff -u -r1.73 hooks.c
--- linux-2.6/security/selinux/hooks.c	4 Sep 2003 18:23:49 -0000	1.73
+++ linux-2.6/security/selinux/hooks.c	24 Sep 2003 14:54:40 -0000
@@ -1730,12 +1730,17 @@
 	return dentry_has_perm(current, NULL, dentry, FILE__READ);
 }
 
-static int selinux_inode_permission(struct inode *inode, int mask)
+static int selinux_inode_permission(struct inode *inode, int mask,
+				    struct nameidata *nd)
 {
 	if (!mask) {
 		/* No permission to check.  Existence test. */
 		return 0;
 	}
+
+	if (nd && nd->dentry) 
+		return dentry_has_perm(current, nd->mnt, nd->dentry, 
+				       file_mask_to_av(inode->i_mode, mask));
 
 	return inode_has_perm(current, inode,
 			       file_mask_to_av(inode->i_mode, mask), NULL, NULL);
Commit	Line	Data
34318f06	1	fs/namei.c \| 9 +++++----
	2	include/linux/security.h \| 11 +++++++----
	3	security/dummy.c \| 2 +-
	4	security/selinux/hooks.c \| 7 ++++++-
	5	4 files changed, 19 insertions(+), 10 deletions(-)
	6
	7	Index: linux-2.6/fs/namei.c
	8	===================================================================
	9	RCS file: /nfshome/pal/CVS/linux-2.6/fs/namei.c,v
	10	retrieving revision 1.13
	11	diff -u -r1.13 namei.c
	12	--- linux-2.6/fs/namei.c 25 Aug 2003 15:29:19 -0000 1.13
	13	+++ linux-2.6/fs/namei.c 24 Sep 2003 14:54:40 -0000
	14	@@ -218,7 +218,7 @@
	15	if (retval)
	16	return retval;
	17
	18	- return security_inode_permission(inode, mask);
	19	+ return security_inode_permission(inode, mask, nd);
	20	}
	21
	22	/*
	23	@@ -302,7 +302,8 @@
	24	* short-cut DAC fails, then call permission() to do more
	25	* complete permission check.
	26	*/
	27	-static inline int exec_permission_lite(struct inode *inode)
	28	+static inline int exec_permission_lite(struct inode *inode,
	29	+ struct nameidata *nd)
	30	{
	31	umode_t mode = inode->i_mode;
	32
	33	@@ -325,7 +326,7 @@
	34
	35	return -EACCES;
	36	ok:
	37	- return security_inode_permission(inode, MAY_EXEC);
	38	+ return security_inode_permission(inode, MAY_EXEC, nd);
	39	}
	40
	41	/*
	42	@@ -584,7 +585,7 @@
	43	struct qstr this;
	44	unsigned int c;
	45
	46	- err = exec_permission_lite(inode);
	47	+ err = exec_permission_lite(inode, nd);
	48	if (err == -EAGAIN) {
	49	err = permission(inode, MAY_EXEC, nd);
	50	}
	51	Index: linux-2.6/include/linux/security.h
	52	===================================================================
	53	RCS file: /nfshome/pal/CVS/linux-2.6/include/linux/security.h,v
	54	retrieving revision 1.25
	55	diff -u -r1.25 security.h
	56	--- linux-2.6/include/linux/security.h 24 Jun 2003 14:55:43 -0000 1.25
	57	+++ linux-2.6/include/linux/security.h 24 Sep 2003 14:55:17 -0000
	58	@@ -334,6 +334,7 @@
	59	* called when the actual read/write operations are performed.
	60	* @inode contains the inode structure to check.
	61	* @mask contains the permission mask.
	62	+ * @nd contains the nameidata (may be NULL).
	63	* Return 0 if permission is granted.
	64	* @inode_setattr:
65	* Check permission before setting file attributes. Note that the kernel
66	@@ -1055,7 +1056,7 @@
67	struct dentry *new_dentry);
68	int (inode_readlink) (struct dentry dentry);
69	int (inode_follow_link) (struct dentry dentry, struct nameidata *nd);
70	- int (inode_permission) (struct inode inode, int mask);
71	+ int (inode_permission) (struct inode inode, int mask, struct nameidata *nd);
72	int (inode_setattr) (struct dentry dentry, struct iattr *attr);
73	int (inode_getattr) (struct vfsmount mnt, struct dentry *dentry);
74	void (inode_delete) (struct inode inode);
75	@@ -1474,9 +1475,10 @@
76	return security_ops->inode_follow_link (dentry, nd);
77	}
78
79	-static inline int security_inode_permission (struct inode *inode, int mask)
80	+static inline int security_inode_permission (struct inode *inode, int mask,
81	+ struct nameidata *nd)
82	{
83	- return security_ops->inode_permission (inode, mask);
84	+ return security_ops->inode_permission (inode, mask, nd);
85	}
86
87	static inline int security_inode_setattr (struct dentry *dentry,
88	@@ -2110,7 +2112,8 @@
89	return 0;
90	}
91
92	-static inline int security_inode_permission (struct inode *inode, int mask)
93	+static inline int security_inode_permission (struct inode *inode, int mask,
94	+ struct nameidata *nd)
95	{
96	return 0;
97	}
98	Index: linux-2.6/security/dummy.c
99	===================================================================
100	RCS file: /nfshome/pal/CVS/linux-2.6/security/dummy.c,v
101	retrieving revision 1.22
102	diff -u -r1.22 dummy.c
103	--- linux-2.6/security/dummy.c 3 Jul 2003 14:31:12 -0000 1.22
104	+++ linux-2.6/security/dummy.c 24 Sep 2003 14:54:40 -0000
105	@@ -364,7 +364,7 @@
106	return 0;
107	}
108
109	-static int dummy_inode_permission (struct inode *inode, int mask)
110	+static int dummy_inode_permission (struct inode inode, int mask, struct nameidata nd)
111	{
112	return 0;
113	}
114	Index: linux-2.6/security/selinux/hooks.c
115	===================================================================
116	RCS file: /nfshome/pal/CVS/linux-2.6/security/selinux/hooks.c,v
117	retrieving revision 1.73
118	diff -u -r1.73 hooks.c
119	--- linux-2.6/security/selinux/hooks.c 4 Sep 2003 18:23:49 -0000 1.73
120	+++ linux-2.6/security/selinux/hooks.c 24 Sep 2003 14:54:40 -0000
121	@@ -1730,12 +1730,17 @@
122	return dentry_has_perm(current, NULL, dentry, FILE__READ);
123	}
124
125	-static int selinux_inode_permission(struct inode *inode, int mask)
126	+static int selinux_inode_permission(struct inode *inode, int mask,
127	+ struct nameidata *nd)
128	{
129	if (!mask) {
130	/* No permission to check. Existence test. */
131	return 0;
132	}
133	+
134	+ if (nd && nd->dentry)
135	+ return dentry_has_perm(current, nd->mnt, nd->dentry,
136	+ file_mask_to_av(inode->i_mode, mask));
137
138	return inode_has_perm(current, inode,
139	file_mask_to_av(inode->i_mode, mask), NULL, NULL);