From eecdd358b467405a084d400d5ec571bbdbfe97a3 Mon Sep 17 00:00:00 2001
From: Al Viro
Date: Mon, 20 Jun 2011 19:48:41 -0400
Subject: [PATCH] ->permission() sanitizing: don't pass flags to exec_permission()

pass mask instead; kill security_inode_exec_permission() since we can use security_inode_permission() instead.

Signed-off-by: Al Viro
---
 fs/namei.c | 17 +++++++----------
 include/linux/security.h | 7 -------
 security/security.c | 10 ----------
 3 files changed, 7 insertions(+), 27 deletions(-)

diff --git a/fs/namei.c b/fs/namei.c
index c5c3826..21eba95 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -304,7 +304,7 @@ int inode_permission(struct inode *inode, int mask)
 /**
  * exec_permission - check for right to do lookups in a given directory
  * @inode: inode to check permission on
- * @flags: IPERM_FLAG_ flags.
+ * @mask: MAY_EXEC and possibly MAY_NOT_BLOCK flags.
  *
  * Short-cut version of inode_permission(), for calling on directories
  * during pathname resolution. Combines parts of inode_permission()
@@ -314,13 +314,10 @@ int inode_permission(struct inode *inode, int mask)
  * short-cut DAC fails, then call ->permission() to do more
  * complete permission check.
  */
-static inline int exec_permission(struct inode *inode, unsigned int flags)
+static inline int exec_permission(struct inode *inode, int mask)
 {
 	int ret;
 	struct user_namespace *ns = inode_userns(inode);
-	int mask = MAY_EXEC;
-	if (flags & IPERM_FLAG_RCU)
-		mask |= MAY_NOT_BLOCK;
 
 	if (inode->i_op->permission) {
 		ret = inode->i_op->permission(inode, mask);
@@ -338,7 +335,7 @@ static inline int exec_permission(struct inode *inode, unsigned int flags)
 	}
 	return ret;
 ok:
-	return security_inode_exec_permission(inode, flags);
+	return security_inode_permission(inode, mask);
 }
 
 /**
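Review bot: The new kernel-doc line `+ * @mask: MAY_EXEC and possibly MAY_NOT_BLOCK flags.` names the accepted bits but not the contract behind them: exec_permission() no longer adds MAY_EXEC itself, so a caller that omits it silently checks a different permission, and the meaning of the MAY_NOT_BLOCK result is left unsaid. The may_lookup() hunk later in this patch retries without RCU only when the result is -ECHILD, so that appears to be the "would block" signal, though that is inferred from the caller rather than from code in this hunk. Suggest widening the line to `@mask: MAY_EXEC, optionally ORed with MAY_NOT_BLOCK; callers must set MAY_EXEC themselves. With MAY_NOT_BLOCK, -ECHILD means the check could not complete without sleeping.` The body of exec_permission() continues between and past the hunks shown here.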
@@ -1214,13 +1211,13 @@ retry:
 static inline int may_lookup(struct nameidata *nd)
 {
 	if (nd->flags & LOOKUP_RCU) {
-		int err = exec_permission(nd->inode, IPERM_FLAG_RCU);
+		int err = exec_permission(nd->inode, MAY_EXEC|MAY_NOT_BLOCK);
 		if (err != -ECHILD)
 			return err;
 		if (unlazy_walk(nd, NULL))
 			return -ECHILD;
 	}
-	return exec_permission(nd->inode, 0);
+	return exec_permission(nd->inode, MAY_EXEC);
 }
 
 static inline int handle_dots(struct nameidata *nd, int type)
@@ -1495,7 +1492,7 @@ static int path_init(int dfd, const char *name, unsigned int flags,
 		if (!S_ISDIR(dentry->d_inode->i_mode))
 			goto fput_fail;
 
-		retval = exec_permission(dentry->d_inode, 0);
+		retval = exec_permission(dentry->d_inode, MAY_EXEC);
 		if (retval)
 			goto fput_fail;
 	}
@@ -1652,7 +1649,7 @@ static struct dentry *__lookup_hash(struct qstr *name,
 	struct dentry *dentry;
 	int err;
 
-	err = exec_permission(inode, 0);
+	err = exec_permission(inode, MAY_EXEC);
 	if (err)
 		return ERR_PTR(err);
 
diff --git a/include/linux/security.h b/include/linux/security.h
index ca02f17..ebd2a53 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -1720,7 +1720,6 @@ int security_inode_rename(struct inode *old_dir, struct dentry *old_dentry,
 int security_inode_readlink(struct dentry *dentry);
 int security_inode_follow_link(struct dentry *dentry, struct nameidata *nd);
 int security_inode_permission(struct inode *inode, int mask);
-int security_inode_exec_permission(struct inode *inode, unsigned int flags);
 int security_inode_setattr(struct dentry *dentry, struct iattr *attr);
 int security_inode_getattr(struct vfsmount *mnt, struct dentry *dentry);
 int security_inode_setxattr(struct dentry *dentry, const char *name,
@@ -2113,12 +2112,6 @@ static inline int security_inode_permission(struct inode *inode, int mask)
 	return 0;
 }
 
-static inline int security_inode_exec_permission(struct inode *inode,
-					 unsigned int flags)
-{
-	return 0;
-}
-
 static inline int security_inode_setattr(struct dentry *dentry,
 					 struct iattr *attr)
 {
diff --git a/security/security.c b/security/security.c
index db3b750d..0e4fccf 100644
--- a/security/security.c
+++ b/security/security.c
@@ -521,16 +521,6 @@ int security_inode_permission(struct inode *inode, int mask)
 	return security_ops->inode_permission(inode, mask);
 }
 
-int security_inode_exec_permission(struct inode *inode, unsigned int flags)
-{
-	int mask = MAY_EXEC;
-	if (unlikely(IS_PRIVATE(inode)))
-		return 0;
-	if (flags)
-		mask |= MAY_NOT_BLOCK;
-	return security_ops->inode_permission(inode, mask);
-}
-
 int security_inode_setattr(struct dentry *dentry, struct iattr *attr)
 {
 	if (unlikely(IS_PRIVATE(dentry->d_inode)))
-- 
2.7.4
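Review bot: The deleted security_inode_exec_permission() skipped the LSM hook for IS_PRIVATE inodes before reaching security_ops->inode_permission(), and its replacement in fs/namei.c, security_inode_permission(), is visible in this hunk only from its final `return security_ops->inode_permission(inode, mask);`, so the diff does not show whether that function applies the same IS_PRIVATE short-circuit. Presumably it does, since the sibling security_inode_setattr() shown below opens with `if (unlikely(IS_PRIVATE(dentry->d_inode)))`, but if it does not, private inodes reached during pathname lookup would now be handed to the LSM where they previously were not. Worth confirming against the start of security_inode_permission(), which lies outside this hunk, and stating in the commit message that the IS_PRIVATE handling is preserved by the callee.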