[PATCH] Remove security_inode_post_create/mkdir/symlink/mknod hooks
This patch removes the inode_post_create/mkdir/mknod/symlink LSM hooks as they are obsoleted by the new inode_init_security hook that enables atomic inode security labeling. If anyone sees any reason to retain these hooks, please speak now. Also, is anyone using the post_rename/link hooks; if not, those could also be removed. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
This commit is contained in:
parent
570bc1c2e5
commit
a74574aafe
5 changed files with 4 additions and 242 deletions
16
fs/namei.c
16
fs/namei.c
|
@ -1316,10 +1316,8 @@ int vfs_create(struct inode *dir, struct dentry *dentry, int mode,
|
|||
return error;
|
||||
DQUOT_INIT(dir);
|
||||
error = dir->i_op->create(dir, dentry, mode, nd);
|
||||
if (!error) {
|
||||
if (!error)
|
||||
fsnotify_create(dir, dentry->d_name.name);
|
||||
security_inode_post_create(dir, dentry, mode);
|
||||
}
|
||||
return error;
|
||||
}
|
||||
|
||||
|
@ -1635,10 +1633,8 @@ int vfs_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
|
|||
|
||||
DQUOT_INIT(dir);
|
||||
error = dir->i_op->mknod(dir, dentry, mode, dev);
|
||||
if (!error) {
|
||||
if (!error)
|
||||
fsnotify_create(dir, dentry->d_name.name);
|
||||
security_inode_post_mknod(dir, dentry, mode, dev);
|
||||
}
|
||||
return error;
|
||||
}
|
||||
|
||||
|
@ -1708,10 +1704,8 @@ int vfs_mkdir(struct inode *dir, struct dentry *dentry, int mode)
|
|||
|
||||
DQUOT_INIT(dir);
|
||||
error = dir->i_op->mkdir(dir, dentry, mode);
|
||||
if (!error) {
|
||||
if (!error)
|
||||
fsnotify_mkdir(dir, dentry->d_name.name);
|
||||
security_inode_post_mkdir(dir,dentry, mode);
|
||||
}
|
||||
return error;
|
||||
}
|
||||
|
||||
|
@ -1947,10 +1941,8 @@ int vfs_symlink(struct inode *dir, struct dentry *dentry, const char *oldname, i
|
|||
|
||||
DQUOT_INIT(dir);
|
||||
error = dir->i_op->symlink(dir, dentry, oldname);
|
||||
if (!error) {
|
||||
if (!error)
|
||||
fsnotify_create(dir, dentry->d_name.name);
|
||||
security_inode_post_symlink(dir, dentry, oldname);
|
||||
}
|
||||
return error;
|
||||
}
|
||||
|
||||
|
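Review bot: After this hunk vfs_create no longer labels the new inode itself: the security_inode_post_create call that ran after dir->i_op->create is gone, so a SID is assigned at creation only if the filesystem's ->create path calls security_inode_init_security(), as the commit message describes. The removed SELinux post_create (later in this commit) acted as a fallback for filesystems that had not called the new hook — it skipped only when security_attr_init was set by selinux_inode_init_security — and that fallback and flag are deleted too, so a filesystem that has not been converted will presumably create inodes without the transition-computed label until some later labeling path runs; confirm every in-tree ->create/->mkdir/->mknod/->symlink implementation calls the new hook before this lands. The same applies to the vfs_mknod, vfs_mkdir and vfs_symlink hunks in this file. A comment at the call site would make the new contract explicit for future readers: `/* security labeling of the new inode is the fs's job via security_inode_init_security() */`.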
|
|
@ -275,12 +275,6 @@ struct swap_info_struct;
|
|||
* @dentry contains the dentry structure for the file to be created.
|
||||
* @mode contains the file mode of the file to be created.
|
||||
* Return 0 if permission is granted.
|
||||
* @inode_post_create:
|
||||
* Set the security attributes on a newly created regular file. This hook
|
||||
* is called after a file has been successfully created.
|
||||
* @dir contains the inode structure of the parent directory of the new file.
|
||||
* @dentry contains the the dentry structure for the newly created file.
|
||||
* @mode contains the file mode.
|
||||
* @inode_link:
|
||||
* Check permission before creating a new hard link to a file.
|
||||
* @old_dentry contains the dentry structure for an existing link to the file.
|
||||
|
@ -303,13 +297,6 @@ struct swap_info_struct;
|
|||
* @dentry contains the dentry structure of the symbolic link.
|
||||
* @old_name contains the pathname of file.
|
||||
* Return 0 if permission is granted.
|
||||
* @inode_post_symlink:
|
||||
* @dir contains the inode structure of the parent directory of the new link.
|
||||
* @dentry contains the dentry structure of new symbolic link.
|
||||
* @old_name contains the pathname of file.
|
||||
* Set security attributes for a newly created symbolic link. Note that
|
||||
* @dentry->d_inode may be NULL, since the filesystem might not
|
||||
* instantiate the dentry (e.g. NFS).
|
||||
* @inode_mkdir:
|
||||
* Check permissions to create a new directory in the existing directory
|
||||
* associated with inode strcture @dir.
|
||||
|
@ -317,11 +304,6 @@ struct swap_info_struct;
|
|||
* @dentry contains the dentry structure of new directory.
|
||||
* @mode contains the mode of new directory.
|
||||
* Return 0 if permission is granted.
|
||||
* @inode_post_mkdir:
|
||||
* Set security attributes on a newly created directory.
|
||||
* @dir contains the inode structure of parent of the directory to be created.
|
||||
* @dentry contains the dentry structure of new directory.
|
||||
* @mode contains the mode of new directory.
|
||||
* @inode_rmdir:
|
||||
* Check the permission to remove a directory.
|
||||
* @dir contains the inode structure of parent of the directory to be removed.
|
||||
|
@ -337,13 +319,6 @@ struct swap_info_struct;
|
|||
* @mode contains the mode of the new file.
|
||||
* @dev contains the the device number.
|
||||
* Return 0 if permission is granted.
|
||||
* @inode_post_mknod:
|
||||
* Set security attributes on a newly created special file (or socket or
|
||||
* fifo file created via the mknod system call).
|
||||
* @dir contains the inode structure of parent of the new node.
|
||||
* @dentry contains the dentry structure of the new node.
|
||||
* @mode contains the mode of the new node.
|
||||
* @dev contains the the device number.
|
||||
* @inode_rename:
|
||||
* Check for permission to rename a file or directory.
|
||||
* @old_dir contains the inode structure for parent of the old link.
|
||||
|
@ -1103,8 +1078,6 @@ struct security_operations {
|
|||
char **name, void **value, size_t *len);
|
||||
int (*inode_create) (struct inode *dir,
|
||||
struct dentry *dentry, int mode);
|
||||
void (*inode_post_create) (struct inode *dir,
|
||||
struct dentry *dentry, int mode);
|
||||
int (*inode_link) (struct dentry *old_dentry,
|
||||
struct inode *dir, struct dentry *new_dentry);
|
||||
void (*inode_post_link) (struct dentry *old_dentry,
|
||||
|
@ -1112,17 +1085,10 @@ struct security_operations {
|
|||
int (*inode_unlink) (struct inode *dir, struct dentry *dentry);
|
||||
int (*inode_symlink) (struct inode *dir,
|
||||
struct dentry *dentry, const char *old_name);
|
||||
void (*inode_post_symlink) (struct inode *dir,
|
||||
struct dentry *dentry,
|
||||
const char *old_name);
|
||||
int (*inode_mkdir) (struct inode *dir, struct dentry *dentry, int mode);
|
||||
void (*inode_post_mkdir) (struct inode *dir, struct dentry *dentry,
|
||||
int mode);
|
||||
int (*inode_rmdir) (struct inode *dir, struct dentry *dentry);
|
||||
int (*inode_mknod) (struct inode *dir, struct dentry *dentry,
|
||||
int mode, dev_t dev);
|
||||
void (*inode_post_mknod) (struct inode *dir, struct dentry *dentry,
|
||||
int mode, dev_t dev);
|
||||
int (*inode_rename) (struct inode *old_dir, struct dentry *old_dentry,
|
||||
struct inode *new_dir, struct dentry *new_dentry);
|
||||
void (*inode_post_rename) (struct inode *old_dir,
|
||||
|
@ -1484,15 +1450,6 @@ static inline int security_inode_create (struct inode *dir,
|
|||
return security_ops->inode_create (dir, dentry, mode);
|
||||
}
|
||||
|
||||
static inline void security_inode_post_create (struct inode *dir,
|
||||
struct dentry *dentry,
|
||||
int mode)
|
||||
{
|
||||
if (dentry->d_inode && unlikely (IS_PRIVATE (dentry->d_inode)))
|
||||
return;
|
||||
security_ops->inode_post_create (dir, dentry, mode);
|
||||
}
|
||||
|
||||
static inline int security_inode_link (struct dentry *old_dentry,
|
||||
struct inode *dir,
|
||||
struct dentry *new_dentry)
|
||||
|
@ -1528,15 +1485,6 @@ static inline int security_inode_symlink (struct inode *dir,
|
|||
return security_ops->inode_symlink (dir, dentry, old_name);
|
||||
}
|
||||
|
||||
static inline void security_inode_post_symlink (struct inode *dir,
|
||||
struct dentry *dentry,
|
||||
const char *old_name)
|
||||
{
|
||||
if (dentry->d_inode && unlikely (IS_PRIVATE (dentry->d_inode)))
|
||||
return;
|
||||
security_ops->inode_post_symlink (dir, dentry, old_name);
|
||||
}
|
||||
|
||||
static inline int security_inode_mkdir (struct inode *dir,
|
||||
struct dentry *dentry,
|
||||
int mode)
|
||||
|
@ -1546,15 +1494,6 @@ static inline int security_inode_mkdir (struct inode *dir,
|
|||
return security_ops->inode_mkdir (dir, dentry, mode);
|
||||
}
|
||||
|
||||
static inline void security_inode_post_mkdir (struct inode *dir,
|
||||
struct dentry *dentry,
|
||||
int mode)
|
||||
{
|
||||
if (dentry->d_inode && unlikely (IS_PRIVATE (dentry->d_inode)))
|
||||
return;
|
||||
security_ops->inode_post_mkdir (dir, dentry, mode);
|
||||
}
|
||||
|
||||
static inline int security_inode_rmdir (struct inode *dir,
|
||||
struct dentry *dentry)
|
||||
{
|
||||
|
@ -1572,15 +1511,6 @@ static inline int security_inode_mknod (struct inode *dir,
|
|||
return security_ops->inode_mknod (dir, dentry, mode, dev);
|
||||
}
|
||||
|
||||
static inline void security_inode_post_mknod (struct inode *dir,
|
||||
struct dentry *dentry,
|
||||
int mode, dev_t dev)
|
||||
{
|
||||
if (dentry->d_inode && unlikely (IS_PRIVATE (dentry->d_inode)))
|
||||
return;
|
||||
security_ops->inode_post_mknod (dir, dentry, mode, dev);
|
||||
}
|
||||
|
||||
static inline int security_inode_rename (struct inode *old_dir,
|
||||
struct dentry *old_dentry,
|
||||
struct inode *new_dir,
|
||||
|
@ -2220,11 +2150,6 @@ static inline int security_inode_create (struct inode *dir,
|
|||
return 0;
|
||||
}
|
||||
|
||||
static inline void security_inode_post_create (struct inode *dir,
|
||||
struct dentry *dentry,
|
||||
int mode)
|
||||
{ }
|
||||
|
||||
static inline int security_inode_link (struct dentry *old_dentry,
|
||||
struct inode *dir,
|
||||
struct dentry *new_dentry)
|
||||
|
@ -2250,11 +2175,6 @@ static inline int security_inode_symlink (struct inode *dir,
|
|||
return 0;
|
||||
}
|
||||
|
||||
static inline void security_inode_post_symlink (struct inode *dir,
|
||||
struct dentry *dentry,
|
||||
const char *old_name)
|
||||
{ }
|
||||
|
||||
static inline int security_inode_mkdir (struct inode *dir,
|
||||
struct dentry *dentry,
|
||||
int mode)
|
||||
|
@ -2262,11 +2182,6 @@ static inline int security_inode_mkdir (struct inode *dir,
|
|||
return 0;
|
||||
}
|
||||
|
||||
static inline void security_inode_post_mkdir (struct inode *dir,
|
||||
struct dentry *dentry,
|
||||
int mode)
|
||||
{ }
|
||||
|
||||
static inline int security_inode_rmdir (struct inode *dir,
|
||||
struct dentry *dentry)
|
||||
{
|
||||
|
@ -2280,11 +2195,6 @@ static inline int security_inode_mknod (struct inode *dir,
|
|||
return 0;
|
||||
}
|
||||
|
||||
static inline void security_inode_post_mknod (struct inode *dir,
|
||||
struct dentry *dentry,
|
||||
int mode, dev_t dev)
|
||||
{ }
|
||||
|
||||
static inline int security_inode_rename (struct inode *old_dir,
|
||||
struct dentry *old_dentry,
|
||||
struct inode *new_dir,
|
||||
|
|
|
@ -270,12 +270,6 @@ static int dummy_inode_create (struct inode *inode, struct dentry *dentry,
|
|||
return 0;
|
||||
}
|
||||
|
||||
static void dummy_inode_post_create (struct inode *inode, struct dentry *dentry,
|
||||
int mask)
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
||||
static int dummy_inode_link (struct dentry *old_dentry, struct inode *inode,
|
||||
struct dentry *new_dentry)
|
||||
{
|
||||
|
@ -300,24 +294,12 @@ static int dummy_inode_symlink (struct inode *inode, struct dentry *dentry,
|
|||
return 0;
|
||||
}
|
||||
|
||||
static void dummy_inode_post_symlink (struct inode *inode,
|
||||
struct dentry *dentry, const char *name)
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
||||
static int dummy_inode_mkdir (struct inode *inode, struct dentry *dentry,
|
||||
int mask)
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
|
||||
static void dummy_inode_post_mkdir (struct inode *inode, struct dentry *dentry,
|
||||
int mask)
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
||||
static int dummy_inode_rmdir (struct inode *inode, struct dentry *dentry)
|
||||
{
|
||||
return 0;
|
||||
|
@ -329,12 +311,6 @@ static int dummy_inode_mknod (struct inode *inode, struct dentry *dentry,
|
|||
return 0;
|
||||
}
|
||||
|
||||
static void dummy_inode_post_mknod (struct inode *inode, struct dentry *dentry,
|
||||
int mode, dev_t dev)
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
||||
static int dummy_inode_rename (struct inode *old_inode,
|
||||
struct dentry *old_dentry,
|
||||
struct inode *new_inode,
|
||||
|
@ -894,17 +870,13 @@ void security_fixup_ops (struct security_operations *ops)
|
|||
set_to_dummy_if_null(ops, inode_free_security);
|
||||
set_to_dummy_if_null(ops, inode_init_security);
|
||||
set_to_dummy_if_null(ops, inode_create);
|
||||
set_to_dummy_if_null(ops, inode_post_create);
|
||||
set_to_dummy_if_null(ops, inode_link);
|
||||
set_to_dummy_if_null(ops, inode_post_link);
|
||||
set_to_dummy_if_null(ops, inode_unlink);
|
||||
set_to_dummy_if_null(ops, inode_symlink);
|
||||
set_to_dummy_if_null(ops, inode_post_symlink);
|
||||
set_to_dummy_if_null(ops, inode_mkdir);
|
||||
set_to_dummy_if_null(ops, inode_post_mkdir);
|
||||
set_to_dummy_if_null(ops, inode_rmdir);
|
||||
set_to_dummy_if_null(ops, inode_mknod);
|
||||
set_to_dummy_if_null(ops, inode_post_mknod);
|
||||
set_to_dummy_if_null(ops, inode_rename);
|
||||
set_to_dummy_if_null(ops, inode_post_rename);
|
||||
set_to_dummy_if_null(ops, inode_readlink);
|
||||
|
|
|
@ -1265,91 +1265,6 @@ static int inode_security_set_sid(struct inode *inode, u32 sid)
|
|||
return 0;
|
||||
}
|
||||
|
||||
/* Set the security attributes on a newly created file. */
|
||||
static int post_create(struct inode *dir,
|
||||
struct dentry *dentry)
|
||||
{
|
||||
|
||||
struct task_security_struct *tsec;
|
||||
struct inode *inode;
|
||||
struct inode_security_struct *dsec;
|
||||
struct superblock_security_struct *sbsec;
|
||||
struct inode_security_struct *isec;
|
||||
u32 newsid;
|
||||
char *context;
|
||||
unsigned int len;
|
||||
int rc;
|
||||
|
||||
tsec = current->security;
|
||||
dsec = dir->i_security;
|
||||
sbsec = dir->i_sb->s_security;
|
||||
|
||||
inode = dentry->d_inode;
|
||||
if (!inode) {
|
||||
/* Some file system types (e.g. NFS) may not instantiate
|
||||
a dentry for all create operations (e.g. symlink),
|
||||
so we have to check to see if the inode is non-NULL. */
|
||||
printk(KERN_WARNING "post_create: no inode, dir (dev=%s, "
|
||||
"ino=%ld)\n", dir->i_sb->s_id, dir->i_ino);
|
||||
return 0;
|
||||
}
|
||||
|
||||
isec = inode->i_security;
|
||||
|
||||
if (isec->security_attr_init)
|
||||
return 0;
|
||||
|
||||
if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
|
||||
newsid = tsec->create_sid;
|
||||
} else {
|
||||
rc = security_transition_sid(tsec->sid, dsec->sid,
|
||||
inode_mode_to_security_class(inode->i_mode),
|
||||
&newsid);
|
||||
if (rc) {
|
||||
printk(KERN_WARNING "post_create: "
|
||||
"security_transition_sid failed, rc=%d (dev=%s "
|
||||
"ino=%ld)\n",
|
||||
-rc, inode->i_sb->s_id, inode->i_ino);
|
||||
return rc;
|
||||
}
|
||||
}
|
||||
|
||||
rc = inode_security_set_sid(inode, newsid);
|
||||
if (rc) {
|
||||
printk(KERN_WARNING "post_create: inode_security_set_sid "
|
||||
"failed, rc=%d (dev=%s ino=%ld)\n",
|
||||
-rc, inode->i_sb->s_id, inode->i_ino);
|
||||
return rc;
|
||||
}
|
||||
|
||||
if (sbsec->behavior == SECURITY_FS_USE_XATTR &&
|
||||
inode->i_op->setxattr) {
|
||||
/* Use extended attributes. */
|
||||
rc = security_sid_to_context(newsid, &context, &len);
|
||||
if (rc) {
|
||||
printk(KERN_WARNING "post_create: sid_to_context "
|
||||
"failed, rc=%d (dev=%s ino=%ld)\n",
|
||||
-rc, inode->i_sb->s_id, inode->i_ino);
|
||||
return rc;
|
||||
}
|
||||
down(&inode->i_sem);
|
||||
rc = inode->i_op->setxattr(dentry,
|
||||
XATTR_NAME_SELINUX,
|
||||
context, len, 0);
|
||||
up(&inode->i_sem);
|
||||
kfree(context);
|
||||
if (rc < 0) {
|
||||
printk(KERN_WARNING "post_create: setxattr failed, "
|
||||
"rc=%d (dev=%s ino=%ld)\n",
|
||||
-rc, inode->i_sb->s_id, inode->i_ino);
|
||||
return rc;
|
||||
}
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
/* Hook functions begin here. */
|
||||
|
||||
static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
|
||||
|
@ -2076,8 +1991,6 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
|
|||
*len = clen;
|
||||
}
|
||||
|
||||
isec->security_attr_init = 1;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
@ -2086,11 +1999,6 @@ static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int ma
|
|||
return may_create(dir, dentry, SECCLASS_FILE);
|
||||
}
|
||||
|
||||
static void selinux_inode_post_create(struct inode *dir, struct dentry *dentry, int mask)
|
||||
{
|
||||
post_create(dir, dentry);
|
||||
}
|
||||
|
||||
static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
|
||||
{
|
||||
int rc;
|
||||
|
@ -2121,21 +2029,11 @@ static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const
|
|||
return may_create(dir, dentry, SECCLASS_LNK_FILE);
|
||||
}
|
||||
|
||||
static void selinux_inode_post_symlink(struct inode *dir, struct dentry *dentry, const char *name)
|
||||
{
|
||||
post_create(dir, dentry);
|
||||
}
|
||||
|
||||
static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
|
||||
{
|
||||
return may_create(dir, dentry, SECCLASS_DIR);
|
||||
}
|
||||
|
||||
static void selinux_inode_post_mkdir(struct inode *dir, struct dentry *dentry, int mask)
|
||||
{
|
||||
post_create(dir, dentry);
|
||||
}
|
||||
|
||||
static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
|
||||
{
|
||||
return may_link(dir, dentry, MAY_RMDIR);
|
||||
|
@ -2152,11 +2050,6 @@ static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mod
|
|||
return may_create(dir, dentry, inode_mode_to_security_class(mode));
|
||||
}
|
||||
|
||||
static void selinux_inode_post_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
|
||||
{
|
||||
post_create(dir, dentry);
|
||||
}
|
||||
|
||||
static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
|
||||
struct inode *new_inode, struct dentry *new_dentry)
|
||||
{
|
||||
|
@ -4363,17 +4256,13 @@ static struct security_operations selinux_ops = {
|
|||
.inode_free_security = selinux_inode_free_security,
|
||||
.inode_init_security = selinux_inode_init_security,
|
||||
.inode_create = selinux_inode_create,
|
||||
.inode_post_create = selinux_inode_post_create,
|
||||
.inode_link = selinux_inode_link,
|
||||
.inode_post_link = selinux_inode_post_link,
|
||||
.inode_unlink = selinux_inode_unlink,
|
||||
.inode_symlink = selinux_inode_symlink,
|
||||
.inode_post_symlink = selinux_inode_post_symlink,
|
||||
.inode_mkdir = selinux_inode_mkdir,
|
||||
.inode_post_mkdir = selinux_inode_post_mkdir,
|
||||
.inode_rmdir = selinux_inode_rmdir,
|
||||
.inode_mknod = selinux_inode_mknod,
|
||||
.inode_post_mknod = selinux_inode_post_mknod,
|
||||
.inode_rename = selinux_inode_rename,
|
||||
.inode_post_rename = selinux_inode_post_rename,
|
||||
.inode_readlink = selinux_inode_readlink,
|
||||
|
|
|
@ -46,7 +46,6 @@ struct inode_security_struct {
|
|||
unsigned char initialized; /* initialization flag */
|
||||
struct semaphore sem;
|
||||
unsigned char inherit; /* inherit SID from parent entry */
|
||||
unsigned char security_attr_init; /* security attributes init flag */
|
||||
};
|
||||
|
||||
struct file_security_struct {
|
||||
|
|