lk/linux-kernel-test
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

SELinux: remove inode_has_perm_noadp

Browse Source 
Both callers could better be using file_has_perm() to get better audit
results.

Signed-off-by: Eric Paris <eparis@redhat.com>
This commit is contained in:
Eric Paris
2012-04-04 15:01:42 -04:00
parent 2e33405785
commit 602a8dd6ea
1 changed files with 4 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
security/selinux/hooks.c
View File

@@ -1488,20 +1488,6 @@ static int inode_has_perm(const struct cred *cred,
return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags); return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags);
} }
static int inode_has_perm_noadp(const struct cred *cred,
struct inode *inode,
u32 perms,
unsigned flags)
{
struct common_audit_data ad;
struct selinux_audit_data sad = {0,};
COMMON_AUDIT_DATA_INIT(&ad, INODE);
ad.u.inode = inode;
ad.selinux_audit_data = &sad;
return inode_has_perm(cred, inode, perms, &ad, flags);
}
/* Same as inode_has_perm, but pass explicit audit data containing /* Same as inode_has_perm, but pass explicit audit data containing
the dentry to help the auditing code to more easily generate the the dentry to help the auditing code to more easily generate the
pathname if needed. */ pathname if needed. */
@@ -2128,21 +2114,17 @@ static inline void flush_unauthorized_files(const struct cred *cred,
spin_lock(&tty_files_lock); spin_lock(&tty_files_lock);
if (!list_empty(&tty->tty_files)) { if (!list_empty(&tty->tty_files)) {
struct tty_file_private *file_priv; struct tty_file_private *file_priv;
struct inode *inode;
/* Revalidate access to controlling tty. /* Revalidate access to controlling tty.
Use inode_has_perm on the tty inode directly rather Use path_has_perm on the tty path directly rather
than using file_has_perm, as this particular open than using file_has_perm, as this particular open
file may belong to another process and we are only file may belong to another process and we are only
interested in the inode-based check here. */ interested in the inode-based check here. */
file_priv = list_first_entry(&tty->tty_files, file_priv = list_first_entry(&tty->tty_files,
struct tty_file_private, list); struct tty_file_private, list);
file = file_priv->file; file = file_priv->file;
inode = file->f_path.dentry->d_inode; if (path_has_perm(cred, &file->f_path, FILE__READ | FILE__WRITE))
if (inode_has_perm_noadp(cred, inode,
FILE__READ | FILE__WRITE, 0)) {
drop_tty = 1; drop_tty = 1;
}
} }
spin_unlock(&tty_files_lock); spin_unlock(&tty_files_lock);
tty_kref_put(tty); tty_kref_put(tty);
@@ -3276,12 +3258,10 @@ static int selinux_file_receive(struct file *file)
static int selinux_file_open(struct file *file, const struct cred *cred) static int selinux_file_open(struct file *file, const struct cred *cred)
{ {
struct file_security_struct *fsec; struct file_security_struct *fsec;
struct inode *inode;
struct inode_security_struct *isec; struct inode_security_struct *isec;
inode = file->f_path.dentry->d_inode;
fsec = file->f_security; fsec = file->f_security;
isec = inode->i_security; isec = file->f_path.dentry->d_inode->i_security;
/* /*
* Save inode label and policy sequence number * Save inode label and policy sequence number
* at open-time so that selinux_file_permission * at open-time so that selinux_file_permission
@@ -3299,7 +3279,7 @@ static int selinux_file_open(struct file *file, const struct cred *cred)
* new inode label or new policy. * new inode label or new policy.
* This check is not redundant - do not remove. * This check is not redundant - do not remove.
*/ */
return inode_has_perm_noadp(cred, inode, open_file_to_av(file), 0); return path_has_perm(cred, &file->f_path, open_file_to_av(file));
} }
/* task security operations */ /* task security operations */