From: Miklos Szeredi <mszeredi@suse.cz>
In the inode_permission() security operation and related functions
pass the path (vfsmount + dentry) instead of the inode. AppArmor will
need this.

Create a new security operation: inode_lookup() which will be called
for checking permission to lookup. Unfortunately it is necessary to
distinguish between lookup and non-lookup permissions, because the
path is not available from lookup_one_len(). One day, when
lookup_one_len() is gone, this operation can go too. AppArmor won't
need to check permission to lookup.

Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
---
fs/namei.c | 30 +++++++++++++++++++++---------
include/linux/security.h | 19 +++++++++++++++----
security/dummy.c | 8 +++++++-
security/security.c | 11 +++++++++--
security/selinux/hooks.c | 18 ++++++++++++++++--
security/smack/smack_lsm.c | 18 +++++++++++++++---
6 files changed, 83 insertions(+), 21 deletions(-)
Index: linux-2.6/fs/namei.c
===================================================================
--- linux-2.6.orig/fs/namei.c 2008-05-29 12:20:56.000000000 +0200
+++ linux-2.6/fs/namei.c 2008-05-29 12:20:59.000000000 +0200
@@ -280,11 +280,7 @@ static int dentry_permission(struct dent
if (retval)
return retval;
- retval = devcgroup_inode_permission(inode, mask);
- if (retval)
- return retval;
-
- return security_inode_permission(inode, mask);
+ return devcgroup_inode_permission(inode, mask);
}
/**
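Review bot: removing the security_inode_permission() call from dentry_permission() silently drops the LSM check for every caller of dentry_permission() that does not go through path_permission(); the description says the lookup_one_len() path has no struct path available, so please confirm that those callers now invoke the new inode_lookup() operation (not visible in this hunk), otherwise a lookup via that path would bypass the LSM entirely. It would help to mention in the hunk, or in the description, which callers of dentry_permission() remain after this change and how each of them gets its security check.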
@@ -299,6 +295,7 @@ static int dentry_permission(struct dent
*/
int path_permission(struct path *path, int mask)
{
+ int err;
struct dentry *dentry = path->dentry;
struct inode *inode = dentry->d_inode;
@@ -313,7 +310,14 @@ int path_permission(struct path *path, i
return -EACCES;
}
- return dentry_permission(dentry, mask);
+ err = dentry_permission(dentry, mask);
+ if (err)
+ return err;
+
+ if (mask == MAY_LOOKUP)
+ return ...