Commit d09ca739 authored by Eric Paris's avatar Eric Paris Committed by James Morris

security: make LSMs explicitly mask off permissions

SELinux needs to pass the MAY_ACCESS flag so it can handle auditting
correctly.  Presently the masking of MAY_* flags is done in the VFS.  In
order to allow LSMs to decide what flags they care about and what flags
they don't just pass them all and the each LSM mask off what they don't
need.  This patch should contain no functional changes to either the VFS or
any LSM.
Signed-off-by: default avatarEric Paris <eparis@redhat.com>
Acked-by: default avatarStephen D. Smalley <sds@tycho.nsa.gov>
Signed-off-by: default avatarJames Morris <jmorris@namei.org>
parent 9cfcac81
...@@ -282,8 +282,7 @@ int inode_permission(struct inode *inode, int mask) ...@@ -282,8 +282,7 @@ int inode_permission(struct inode *inode, int mask)
if (retval) if (retval)
return retval; return retval;
return security_inode_permission(inode, return security_inode_permission(inode, mask);
mask & (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND));
} }
/** /**
......
...@@ -2645,6 +2645,8 @@ static int selinux_inode_permission(struct inode *inode, int mask) ...@@ -2645,6 +2645,8 @@ static int selinux_inode_permission(struct inode *inode, int mask)
{ {
const struct cred *cred = current_cred(); const struct cred *cred = current_cred();
mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
if (!mask) { if (!mask) {
/* No permission to check. Existence test. */ /* No permission to check. Existence test. */
return 0; return 0;
......
...@@ -598,6 +598,8 @@ static int smack_inode_rename(struct inode *old_inode, ...@@ -598,6 +598,8 @@ static int smack_inode_rename(struct inode *old_inode,
static int smack_inode_permission(struct inode *inode, int mask) static int smack_inode_permission(struct inode *inode, int mask)
{ {
struct smk_audit_info ad; struct smk_audit_info ad;
mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
/* /*
* No permission to check. Existence test. Yup, it's there. * No permission to check. Existence test. Yup, it's there.
*/ */
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment