summaryrefslogtreecommitdiffstats
path: root/security/integrity
diff options
context:
space:
mode:
authorChristian Brauner <brauner@kernel.org>2023-01-13 12:49:24 +0100
committerChristian Brauner (Microsoft) <brauner@kernel.org>2023-01-19 09:24:28 +0100
commit700b7940526d31117fd20b7ed31156df134fbe7f (patch)
tree26483e522f6032750ed3a77b13f92ab7fe88c076 /security/integrity
parentfs: port xattr to mnt_idmap (diff)
downloadlinux-700b7940526d31117fd20b7ed31156df134fbe7f.tar.xz
linux-700b7940526d31117fd20b7ed31156df134fbe7f.zip
fs: port acl to mnt_idmap
Convert to struct mnt_idmap. Last cycle we merged the necessary infrastructure in 256c8aed2b42 ("fs: introduce dedicated idmap type for mounts"). This is just the conversion to struct mnt_idmap. Currently we still pass around the plain namespace that was attached to a mount. This is in general pretty convenient but it makes it easy to conflate namespaces that are relevant on the filesystem with namespaces that are relevent on the mount level. Especially for non-vfs developers without detailed knowledge in this area this can be a potential source for bugs. Once the conversion to struct mnt_idmap is done all helpers down to the really low-level helpers will take a struct mnt_idmap argument instead of two namespace arguments. This way it becomes impossible to conflate the two eliminating the possibility of any bugs. All of the vfs and all filesystems only operate on struct mnt_idmap. Acked-by: Dave Chinner <dchinner@redhat.com> Reviewed-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Christian Brauner (Microsoft) <brauner@kernel.org>
Diffstat (limited to 'security/integrity')
-rw-r--r--security/integrity/evm/evm_main.c12
-rw-r--r--security/integrity/ima/ima_appraise.c2
2 files changed, 7 insertions, 7 deletions
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index 99f7bd8af19a..4e5adddb3577 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -610,7 +610,7 @@ int evm_inode_removexattr(struct mnt_idmap *idmap,
}
#ifdef CONFIG_FS_POSIX_ACL
-static int evm_inode_set_acl_change(struct user_namespace *mnt_userns,
+static int evm_inode_set_acl_change(struct mnt_idmap *idmap,
struct dentry *dentry, const char *name,
struct posix_acl *kacl)
{
@@ -622,14 +622,14 @@ static int evm_inode_set_acl_change(struct user_namespace *mnt_userns,
if (!kacl)
return 1;
- rc = posix_acl_update_mode(mnt_userns, inode, &mode, &kacl);
+ rc = posix_acl_update_mode(idmap, inode, &mode, &kacl);
if (rc || (inode->i_mode != mode))
return 1;
return 0;
}
#else
-static inline int evm_inode_set_acl_change(struct user_namespace *mnt_userns,
+static inline int evm_inode_set_acl_change(struct mnt_idmap *idmap,
struct dentry *dentry,
const char *name,
struct posix_acl *kacl)
@@ -640,7 +640,7 @@ static inline int evm_inode_set_acl_change(struct user_namespace *mnt_userns,
/**
* evm_inode_set_acl - protect the EVM extended attribute from posix acls
- * @mnt_userns: user namespace of the idmapped mount
+ * @idmap: idmap of the idmapped mount
* @dentry: pointer to the affected dentry
* @acl_name: name of the posix acl
* @kacl: pointer to the posix acls
@@ -649,7 +649,7 @@ static inline int evm_inode_set_acl_change(struct user_namespace *mnt_userns,
* and 'security.evm' xattr updated, unless the existing 'security.evm' is
* valid.
*/
-int evm_inode_set_acl(struct user_namespace *mnt_userns, struct dentry *dentry,
+int evm_inode_set_acl(struct mnt_idmap *idmap, struct dentry *dentry,
const char *acl_name, struct posix_acl *kacl)
{
enum integrity_status evm_status;
@@ -678,7 +678,7 @@ int evm_inode_set_acl(struct user_namespace *mnt_userns, struct dentry *dentry,
return 0;
if (evm_status == INTEGRITY_PASS_IMMUTABLE &&
- !evm_inode_set_acl_change(mnt_userns, dentry, acl_name, kacl))
+ !evm_inode_set_acl_change(idmap, dentry, acl_name, kacl))
return 0;
if (evm_status != INTEGRITY_PASS_IMMUTABLE)
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 4078a9ad8531..555342d337f9 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -774,7 +774,7 @@ int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
return result;
}
-int ima_inode_set_acl(struct user_namespace *mnt_userns, struct dentry *dentry,
+int ima_inode_set_acl(struct mnt_idmap *idmap, struct dentry *dentry,
const char *acl_name, struct posix_acl *kacl)
{
if (evm_revalidate_status(acl_name))