mirror of
https://mirrors.bfsu.edu.cn/git/linux.git
synced 2024-11-11 04:18:39 +08:00
LSM: Fix for security_inode_getsecurity and -EOPNOTSUPP
Serge Hallyn pointed out that the current implementation of security_inode_getsecurity() works if there is only one hook provided for it, but will fail if there is more than one and the attribute requested isn't supplied by the first module. This isn't a problem today, since only SELinux and Smack provide this hook and there is (currently) no way to enable both of those modules at the same time. Serge, however, wants to introduce a capability attribute and an inode_getsecurity hook in the capability security module to handle it. This addresses that upcoming problem, will be required for "extreme stacking" and is just a better implementation. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Acked-by: Serge Hallyn <serge@hallyn.com> Signed-off-by: James Morris <james.l.morris@oracle.com>
This commit is contained in:
parent
39baa7e6ad
commit
2885c1e3e0
@ -700,18 +700,39 @@ int security_inode_killpriv(struct dentry *dentry)
|
|||||||
|
|
||||||
int security_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
|
int security_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
|
||||||
{
|
{
|
||||||
|
struct security_hook_list *hp;
|
||||||
|
int rc;
|
||||||
|
|
||||||
if (unlikely(IS_PRIVATE(inode)))
|
if (unlikely(IS_PRIVATE(inode)))
|
||||||
return -EOPNOTSUPP;
|
return -EOPNOTSUPP;
|
||||||
return call_int_hook(inode_getsecurity, -EOPNOTSUPP, inode, name,
|
/*
|
||||||
buffer, alloc);
|
* Only one module will provide an attribute with a given name.
|
||||||
|
*/
|
||||||
|
list_for_each_entry(hp, &security_hook_heads.inode_getsecurity, list) {
|
||||||
|
rc = hp->hook.inode_getsecurity(inode, name, buffer, alloc);
|
||||||
|
if (rc != -EOPNOTSUPP)
|
||||||
|
return rc;
|
||||||
|
}
|
||||||
|
return -EOPNOTSUPP;
|
||||||
}
|
}
|
||||||
|
|
||||||
int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags)
|
int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags)
|
||||||
{
|
{
|
||||||
|
struct security_hook_list *hp;
|
||||||
|
int rc;
|
||||||
|
|
||||||
if (unlikely(IS_PRIVATE(inode)))
|
if (unlikely(IS_PRIVATE(inode)))
|
||||||
return -EOPNOTSUPP;
|
return -EOPNOTSUPP;
|
||||||
return call_int_hook(inode_setsecurity, -EOPNOTSUPP, inode, name,
|
/*
|
||||||
value, size, flags);
|
* Only one module will provide an attribute with a given name.
|
||||||
|
*/
|
||||||
|
list_for_each_entry(hp, &security_hook_heads.inode_setsecurity, list) {
|
||||||
|
rc = hp->hook.inode_setsecurity(inode, name, value, size,
|
||||||
|
flags);
|
||||||
|
if (rc != -EOPNOTSUPP)
|
||||||
|
return rc;
|
||||||
|
}
|
||||||
|
return -EOPNOTSUPP;
|
||||||
}
|
}
|
||||||
|
|
||||||
int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
|
int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
|
||||||
|
Loading…
Reference in New Issue
Block a user