[PATCH] Remove security_inode_post_create/mkdir/symlink/mknod hooks

This patch removes the inode_post_create/mkdir/mknod/symlink LSM hooks as
they are obsoleted by the new inode_init_security hook that enables atomic
inode security labeling.

If anyone sees any reason to retain these hooks, please speak now.  Also,
is anyone using the post_rename/link hooks?  If not, those could also be
removed.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Stephen Smalley
2005-09-09 13:01:44 -07:00
committed by Linus Torvalds
parent 570bc1c2e5
commit a74574aafe
5 changed files with 4 additions and 242 deletions


@ -1265,91 +1265,6 @@ static int inode_security_set_sid(struct inode *inode, u32 sid)
return 0;
}
/* Set the security attributes on a newly created file. */
static int post_create(struct inode *dir,
struct dentry *dentry)
{
struct task_security_struct *tsec;
struct inode *inode;
struct inode_security_struct *dsec;
struct superblock_security_struct *sbsec;
struct inode_security_struct *isec;
u32 newsid;
char *context;
unsigned int len;
int rc;
tsec = current->security;
dsec = dir->i_security;
sbsec = dir->i_sb->s_security;
inode = dentry->d_inode;
if (!inode) {
/* Some file system types (e.g. NFS) may not instantiate
a dentry for all create operations (e.g. symlink),
so we have to check to see if the inode is non-NULL. */
printk(KERN_WARNING "post_create: no inode, dir (dev=%s, "
"ino=%ld)\n", dir->i_sb->s_id, dir->i_ino);
return 0;
}
isec = inode->i_security;
if (isec->security_attr_init)
return 0;
if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
newsid = tsec->create_sid;
} else {
rc = security_transition_sid(tsec->sid, dsec->sid,
inode_mode_to_security_class(inode->i_mode),
&newsid);
if (rc) {
printk(KERN_WARNING "post_create: "
"security_transition_sid failed, rc=%d (dev=%s "
"ino=%ld)\n",
-rc, inode->i_sb->s_id, inode->i_ino);
return rc;
}
}
rc = inode_security_set_sid(inode, newsid);
if (rc) {
printk(KERN_WARNING "post_create: inode_security_set_sid "
"failed, rc=%d (dev=%s ino=%ld)\n",
-rc, inode->i_sb->s_id, inode->i_ino);
return rc;
}
if (sbsec->behavior == SECURITY_FS_USE_XATTR &&
inode->i_op->setxattr) {
/* Use extended attributes. */
rc = security_sid_to_context(newsid, &context, &len);
if (rc) {
printk(KERN_WARNING "post_create: sid_to_context "
"failed, rc=%d (dev=%s ino=%ld)\n",
-rc, inode->i_sb->s_id, inode->i_ino);
return rc;
}
down(&inode->i_sem);
rc = inode->i_op->setxattr(dentry,
XATTR_NAME_SELINUX,
context, len, 0);
up(&inode->i_sem);
kfree(context);
if (rc < 0) {
printk(KERN_WARNING "post_create: setxattr failed, "
"rc=%d (dev=%s ino=%ld)\n",
-rc, inode->i_sb->s_id, inode->i_ino);
return rc;
}
}
return 0;
}
/* Hook functions begin here. */
static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
@ -2076,8 +1991,6 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
*len = clen;
}
isec->security_attr_init = 1;
return 0;
}
@ -2086,11 +1999,6 @@ static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int ma
return may_create(dir, dentry, SECCLASS_FILE);
}
static void selinux_inode_post_create(struct inode *dir, struct dentry *dentry, int mask)
{
post_create(dir, dentry);
}
static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
{
int rc;
@ -2121,21 +2029,11 @@ static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const
return may_create(dir, dentry, SECCLASS_LNK_FILE);
}
static void selinux_inode_post_symlink(struct inode *dir, struct dentry *dentry, const char *name)
{
post_create(dir, dentry);
}
static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
{
return may_create(dir, dentry, SECCLASS_DIR);
}
static void selinux_inode_post_mkdir(struct inode *dir, struct dentry *dentry, int mask)
{
post_create(dir, dentry);
}
static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
{
return may_link(dir, dentry, MAY_RMDIR);
@ -2152,11 +2050,6 @@ static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mod
return may_create(dir, dentry, inode_mode_to_security_class(mode));
}
static void selinux_inode_post_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
{
post_create(dir, dentry);
}
static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
struct inode *new_inode, struct dentry *new_dentry)
{
@ -4363,17 +4256,13 @@ static struct security_operations selinux_ops = {
.inode_free_security = selinux_inode_free_security,
.inode_init_security = selinux_inode_init_security,
.inode_create = selinux_inode_create,
.inode_post_create = selinux_inode_post_create,
.inode_link = selinux_inode_link,
.inode_post_link = selinux_inode_post_link,
.inode_unlink = selinux_inode_unlink,
.inode_symlink = selinux_inode_symlink,
.inode_post_symlink = selinux_inode_post_symlink,
.inode_mkdir = selinux_inode_mkdir,
.inode_post_mkdir = selinux_inode_post_mkdir,
.inode_rmdir = selinux_inode_rmdir,
.inode_mknod = selinux_inode_mknod,
.inode_post_mknod = selinux_inode_post_mknod,
.inode_rename = selinux_inode_rename,
.inode_post_rename = selinux_inode_post_rename,
.inode_readlink = selinux_inode_readlink,