authorAl Viro <viro@zeniv.linux.org.uk>2011-06-21 01:48:41 +0200
committerAl Viro <viro@zeniv.linux.org.uk>2011-07-20 07:43:29 +0200
commiteecdd358b467405a084d400d5ec571bbdbfe97a3 (patch)
tree357332873b909a19964e77dbae3c4aed5c100dc6
parentselinux: don't transliterate MAY_NOT_BLOCK to IPERM_FLAG_RCU (diff)
->permission() sanitizing: don't pass flags to exec_permission()
pass mask instead; kill security_inode_exec_permission() since we can use security_inode_permission() instead. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-rw-r--r--fs/namei.c17
-rw-r--r--include/linux/security.h7
-rw-r--r--security/security.c10
3 files changed, 7 insertions, 27 deletions
diff --git a/fs/namei.c b/fs/namei.c
index c5c382620a86..21eba95368f2 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -304,7 +304,7 @@ int inode_permission(struct inode *inode, int mask)
/**
* exec_permission - check for right to do lookups in a given directory
* @inode: inode to check permission on
- * @flags: IPERM_FLAG_ flags.
+ * @mask: MAY_EXEC and possibly MAY_NOT_BLOCK flags.
*
* Short-cut version of inode_permission(), for calling on directories
* during pathname resolution. Combines parts of inode_permission()
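Review bot: The new `@mask` line leaves it implicit that exec_permission() no longer sets MAY_EXEC itself, which it did before this commit (the deleted `int mask = MAY_EXEC;` initializer), so a caller that passes only MAY_NOT_BLOCK would silently perform a permission check with no MAY_EXEC bit. Suggest making the contract explicit in the kernel-doc: `* @mask: MAY_EXEC, optionally ORed with MAY_NOT_BLOCK; the caller must set MAY_EXEC itself, this function no longer adds it.` The kernel-doc block continues past the end of this hunk.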
@@ -314,13 +314,10 @@ int inode_permission(struct inode *inode, int mask)
* short-cut DAC fails, then call ->permission() to do more
* complete permission check.
*/
-static inline int exec_permission(struct inode *inode, unsigned int flags)
+static inline int exec_permission(struct inode *inode, int mask)
{
int ret;
struct user_namespace *ns = inode_userns(inode);
- int mask = MAY_EXEC;
- if (flags & IPERM_FLAG_RCU)
- mask |= MAY_NOT_BLOCK;
if (inode->i_op->permission) {
ret = inode->i_op->permission(inode, mask);
@@ -338,7 +335,7 @@ static inline int exec_permission(struct inode *inode, unsigned int flags)
}
return ret;
ok:
- return security_inode_exec_permission(inode, flags);
+ return security_inode_permission(inode, mask);
}
/**
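Review bot: The replaced call `return security_inode_permission(inode, mask);` drops the IS_PRIVATE short-circuit that the deleted security_inode_exec_permission() performed before consulting the LSM (visible in the removed body in security/security.c). Whether behaviour is preserved depends on security_inode_permission() doing the same `IS_PRIVATE` check at its top, which lies outside the visible hunk; the context there shows only its final `security_ops->inode_permission(inode, mask)` call. Worth confirming in the commit message or a short comment at the `ok:` label, e.g. `/* IS_PRIVATE inodes are filtered by security_inode_permission() */`, so the dependency is not lost on the next refactor. The body of exec_permission() starts before this hunk.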
@@ -1214,13 +1211,13 @@ retry:
static inline int may_lookup(struct nameidata *nd)
{
if (nd->flags & LOOKUP_RCU) {
- int err = exec_permission(nd->inode, IPERM_FLAG_RCU);
+ int err = exec_permission(nd->inode, MAY_EXEC|MAY_NOT_BLOCK);
if (err != -ECHILD)
return err;
if (unlazy_walk(nd, NULL))
return -ECHILD;
}
- return exec_permission(nd->inode, 0);
+ return exec_permission(nd->inode, MAY_EXEC);
}
static inline int handle_dots(struct nameidata *nd, int type)
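Review bot: The added line `int err = exec_permission(nd->inode, MAY_EXEC|MAY_NOT_BLOCK);` omits the spaces around the binary operator that the surrounding fs/namei.c code and kernel coding style use; suggest `int err = exec_permission(nd->inode, MAY_EXEC | MAY_NOT_BLOCK);`. The same spacing convention is worth applying if further call sites are converted in follow-up patches.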
@@ -1495,7 +1492,7 @@ static int path_init(int dfd, const char *name, unsigned int flags,
if (!S_ISDIR(dentry->d_inode->i_mode))
goto fput_fail;
- retval = exec_permission(dentry->d_inode, 0);
+ retval = exec_permission(dentry->d_inode, MAY_EXEC);
if (retval)
goto fput_fail;
}
@@ -1652,7 +1649,7 @@ static struct dentry *__lookup_hash(struct qstr *name,
struct dentry *dentry;
int err;
- err = exec_permission(inode, 0);
+ err = exec_permission(inode, MAY_EXEC);
if (err)
return ERR_PTR(err);
diff --git a/include/linux/security.h b/include/linux/security.h
index ca02f1716736..ebd2a53a3d07 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -1720,7 +1720,6 @@ int security_inode_rename(struct inode *old_dir, struct dentry *old_dentry,
int security_inode_readlink(struct dentry *dentry);
int security_inode_follow_link(struct dentry *dentry, struct nameidata *nd);
int security_inode_permission(struct inode *inode, int mask);
-int security_inode_exec_permission(struct inode *inode, unsigned int flags);
int security_inode_setattr(struct dentry *dentry, struct iattr *attr);
int security_inode_getattr(struct vfsmount *mnt, struct dentry *dentry);
int security_inode_setxattr(struct dentry *dentry, const char *name,
@@ -2113,12 +2112,6 @@ static inline int security_inode_permission(struct inode *inode, int mask)
return 0;
}
-static inline int security_inode_exec_permission(struct inode *inode,
- unsigned int flags)
-{
- return 0;
-}
-
static inline int security_inode_setattr(struct dentry *dentry,
struct iattr *attr)
{
diff --git a/security/security.c b/security/security.c
index db3b750da353..0e4fccfef12c 100644
--- a/security/security.c
+++ b/security/security.c
@@ -521,16 +521,6 @@ int security_inode_permission(struct inode *inode, int mask)
return security_ops->inode_permission(inode, mask);
}
-int security_inode_exec_permission(struct inode *inode, unsigned int flags)
-{
- int mask = MAY_EXEC;
- if (unlikely(IS_PRIVATE(inode)))
- return 0;
- if (flags)
- mask |= MAY_NOT_BLOCK;
- return security_ops->inode_permission(inode, mask);
-}
-
int security_inode_setattr(struct dentry *dentry, struct iattr *attr)
{
if (unlikely(IS_PRIVATE(dentry->d_inode)))