security: Make inode argument of inode_getsecid non-const
Make the inode argument of the inode_getsecid hook non-const so that we can use it to revalidate invalid security labels. Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Paul Moore <pmoore@redhat.com>
This commit is contained in:
Andreas Gruenbacher
Paul Moore
parent
ea861dfd9e
commit
d6335d77a7
|
|
@ -137,7 +137,7 @@ extern void __audit_getname(struct filename *name);
|
||||||
extern void __audit_inode(struct filename *name, const struct dentry *dentry,
|
extern void __audit_inode(struct filename *name, const struct dentry *dentry,
|
||||||
unsigned int flags);
|
unsigned int flags);
|
||||||
extern void __audit_file(const struct file *);
|
extern void __audit_file(const struct file *);
|
||||||
extern void __audit_inode_child(const struct inode *parent,
|
extern void __audit_inode_child(struct inode *parent,
|
||||||
const struct dentry *dentry,
|
const struct dentry *dentry,
|
||||||
const unsigned char type);
|
const unsigned char type);
|
||||||
extern void __audit_seccomp(unsigned long syscall, long signr, int code);
|
extern void __audit_seccomp(unsigned long syscall, long signr, int code);
|
||||||
|
|
@ -202,7 +202,7 @@ static inline void audit_inode_parent_hidden(struct filename *name,
|
||||||
__audit_inode(name, dentry,
|
__audit_inode(name, dentry,
|
||||||
AUDIT_INODE_PARENT | AUDIT_INODE_HIDDEN);
|
AUDIT_INODE_PARENT | AUDIT_INODE_HIDDEN);
|
||||||
}
|
}
|
||||||
static inline void audit_inode_child(const struct inode *parent,
|
static inline void audit_inode_child(struct inode *parent,
|
||||||
const struct dentry *dentry,
|
const struct dentry *dentry,
|
||||||
const unsigned char type) {
|
const unsigned char type) {
|
||||||
if (unlikely(!audit_dummy_context()))
|
if (unlikely(!audit_dummy_context()))
|
||||||
|
|
@ -359,7 +359,7 @@ static inline void __audit_inode(struct filename *name,
|
||||||
const struct dentry *dentry,
|
const struct dentry *dentry,
|
||||||
unsigned int flags)
|
unsigned int flags)
|
||||||
{ }
|
{ }
|
||||||
static inline void __audit_inode_child(const struct inode *parent,
|
static inline void __audit_inode_child(struct inode *parent,
|
||||||
const struct dentry *dentry,
|
const struct dentry *dentry,
|
||||||
const unsigned char type)
|
const unsigned char type)
|
||||||
{ }
|
{ }
|
||||||
|
|
@ -373,7 +373,7 @@ static inline void audit_file(struct file *file)
|
||||||
static inline void audit_inode_parent_hidden(struct filename *name,
|
static inline void audit_inode_parent_hidden(struct filename *name,
|
||||||
const struct dentry *dentry)
|
const struct dentry *dentry)
|
||||||
{ }
|
{ }
|
||||||
static inline void audit_inode_child(const struct inode *parent,
|
static inline void audit_inode_child(struct inode *parent,
|
||||||
const struct dentry *dentry,
|
const struct dentry *dentry,
|
||||||
const unsigned char type)
|
const unsigned char type)
|
||||||
{ }
|
{ }
|
||||||
|
|
|
||||||
|
|
@ -1420,7 +1420,7 @@ union security_list_options {
|
||||||
int flags);
|
int flags);
|
||||||
int (*inode_listsecurity)(struct inode *inode, char *buffer,
|
int (*inode_listsecurity)(struct inode *inode, char *buffer,
|
||||||
size_t buffer_size);
|
size_t buffer_size);
|
||||||
void (*inode_getsecid)(const struct inode *inode, u32 *secid);
|
void (*inode_getsecid)(struct inode *inode, u32 *secid);
|
||||||
|
|
||||||
int (*file_permission)(struct file *file, int mask);
|
int (*file_permission)(struct file *file, int mask);
|
||||||
int (*file_alloc_security)(struct file *file);
|
int (*file_alloc_security)(struct file *file);
|
||||||
|
|
|
||||||
|
|
@ -273,7 +273,7 @@ int security_inode_killpriv(struct dentry *dentry);
|
||||||
int security_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc);
|
int security_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc);
|
||||||
int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags);
|
int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags);
|
||||||
int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size);
|
int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size);
|
||||||
void security_inode_getsecid(const struct inode *inode, u32 *secid);
|
void security_inode_getsecid(struct inode *inode, u32 *secid);
|
||||||
int security_file_permission(struct file *file, int mask);
|
int security_file_permission(struct file *file, int mask);
|
||||||
int security_file_alloc(struct file *file);
|
int security_file_alloc(struct file *file);
|
||||||
void security_file_free(struct file *file);
|
void security_file_free(struct file *file);
|
||||||
|
|
@ -734,7 +734,7 @@ static inline int security_inode_listsecurity(struct inode *inode, char *buffer,
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
static inline void security_inode_getsecid(const struct inode *inode, u32 *secid)
|
static inline void security_inode_getsecid(struct inode *inode, u32 *secid)
|
||||||
{
|
{
|
||||||
*secid = 0;
|
*secid = 0;
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -1722,7 +1722,7 @@ static inline int audit_copy_fcaps(struct audit_names *name,
|
||||||
|
|
||||||
/* Copy inode data into an audit_names. */
|
/* Copy inode data into an audit_names. */
|
||||||
void audit_copy_inode(struct audit_names *name, const struct dentry *dentry,
|
void audit_copy_inode(struct audit_names *name, const struct dentry *dentry,
|
||||||
const struct inode *inode)
|
struct inode *inode)
|
||||||
{
|
{
|
||||||
name->ino = inode->i_ino;
|
name->ino = inode->i_ino;
|
||||||
name->dev = inode->i_sb->s_dev;
|
name->dev = inode->i_sb->s_dev;
|
||||||
|
|
|
||||||
|
|
@ -207,7 +207,7 @@ extern u32 audit_ever_enabled;
|
||||||
|
|
||||||
extern void audit_copy_inode(struct audit_names *name,
|
extern void audit_copy_inode(struct audit_names *name,
|
||||||
const struct dentry *dentry,
|
const struct dentry *dentry,
|
||||||
const struct inode *inode);
|
struct inode *inode);
|
||||||
extern void audit_log_cap(struct audit_buffer *ab, char *prefix,
|
extern void audit_log_cap(struct audit_buffer *ab, char *prefix,
|
||||||
kernel_cap_t *cap);
|
kernel_cap_t *cap);
|
||||||
extern void audit_log_name(struct audit_context *context,
|
extern void audit_log_name(struct audit_context *context,
|
||||||
|
|
|
||||||
|
|
@ -1754,7 +1754,7 @@ void __audit_inode(struct filename *name, const struct dentry *dentry,
|
||||||
unsigned int flags)
|
unsigned int flags)
|
||||||
{
|
{
|
||||||
struct audit_context *context = current->audit_context;
|
struct audit_context *context = current->audit_context;
|
||||||
const struct inode *inode = d_backing_inode(dentry);
|
struct inode *inode = d_backing_inode(dentry);
|
||||||
struct audit_names *n;
|
struct audit_names *n;
|
||||||
bool parent = flags & AUDIT_INODE_PARENT;
|
bool parent = flags & AUDIT_INODE_PARENT;
|
||||||
|
|
||||||
|
|
@ -1848,12 +1848,12 @@ void __audit_file(const struct file *file)
|
||||||
* must be hooked prior, in order to capture the target inode during
|
* must be hooked prior, in order to capture the target inode during
|
||||||
* unsuccessful attempts.
|
* unsuccessful attempts.
|
||||||
*/
|
*/
|
||||||
void __audit_inode_child(const struct inode *parent,
|
void __audit_inode_child(struct inode *parent,
|
||||||
const struct dentry *dentry,
|
const struct dentry *dentry,
|
||||||
const unsigned char type)
|
const unsigned char type)
|
||||||
{
|
{
|
||||||
struct audit_context *context = current->audit_context;
|
struct audit_context *context = current->audit_context;
|
||||||
const struct inode *inode = d_backing_inode(dentry);
|
struct inode *inode = d_backing_inode(dentry);
|
||||||
const char *dname = dentry->d_name.name;
|
const char *dname = dentry->d_name.name;
|
||||||
struct audit_names *n, *found_parent = NULL, *found_child = NULL;
|
struct audit_names *n, *found_parent = NULL, *found_child = NULL;
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -721,7 +721,7 @@ int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer
|
||||||
}
|
}
|
||||||
EXPORT_SYMBOL(security_inode_listsecurity);
|
EXPORT_SYMBOL(security_inode_listsecurity);
|
||||||
|
|
||||||
void security_inode_getsecid(const struct inode *inode, u32 *secid)
|
void security_inode_getsecid(struct inode *inode, u32 *secid)
|
||||||
{
|
{
|
||||||
call_void_hook(inode_getsecid, inode, secid);
|
call_void_hook(inode_getsecid, inode, secid);
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -3180,7 +3180,7 @@ static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t
|
||||||
return len;
|
return len;
|
||||||
}
|
}
|
||||||
|
|
||||||
static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
|
static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
|
||||||
{
|
{
|
||||||
struct inode_security_struct *isec = inode->i_security;
|
struct inode_security_struct *isec = inode->i_security;
|
||||||
*secid = isec->sid;
|
*secid = isec->sid;
|
||||||
|
|
|
||||||
|
|
@ -1538,7 +1538,7 @@ static int smack_inode_listsecurity(struct inode *inode, char *buffer,
|
||||||
* @inode: inode to extract the info from
|
* @inode: inode to extract the info from
|
||||||
* @secid: where result will be saved
|
* @secid: where result will be saved
|
||||||
*/
|
*/
|
||||||
static void smack_inode_getsecid(const struct inode *inode, u32 *secid)
|
static void smack_inode_getsecid(struct inode *inode, u32 *secid)
|
||||||
{
|
{
|
||||||
struct inode_smack *isp = inode->i_security;
|
struct inode_smack *isp = inode->i_security;
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue