
d_path: Use struct path in struct avc_audit_data

audit_log_d_path() is a d_path() wrapper used by the audit code. To pass a
struct path to audit_log_d_path(), a struct path has to be embedded in struct
avc_audit_data.

[akpm@linux-foundation.org: coding-style fixes]
Signed-off-by: Jan Blunck <jblunck@suse.de>
Acked-by: Christoph Hellwig <hch@infradead.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: "J. Bruce Fields" <bfields@fieldses.org>
Cc: Neil Brown <neilb@suse.de>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: James Morris <jmorris@namei.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

authored by

Jan Blunck and committed by
Linus Torvalds
44707fdf a03a8a70

+43 -51
+2 -3
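--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -534,8 +534,7 @@
 const char *string);
 extern void audit_log_d_path(struct audit_buffer *ab,
 const char *prefix,
-struct dentry *dentry,
-struct vfsmount *vfsmnt);
+struct path *path);
 extern void audit_log_lost(const char *message);
 /* Private API (for audit.c only) */
 extern int audit_filter_user(struct netlink_skb_parms *cb, int type);
@@ -551,7 +552,7 @@
 #define audit_log_hex(a,b,l) do { ; } while (0)
 #define audit_log_untrustedstring(a,s) do { ; } while (0)
 #define audit_log_n_untrustedstring(a,n,s) do { ; } while (0)
-#define audit_log_d_path(b,p,d,v) do { ; } while (0)
+#define audit_log_d_path(b, p, d) do { ; } while (0)
 #define audit_enabled 0
 #endif
 #endif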
+6 -6
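--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1312,26 +1312,26 @@
 
 /* This is a helper-function to print the escaped d_path */
 void audit_log_d_path(struct audit_buffer *ab, const char *prefix,
-struct dentry *dentry, struct vfsmount *vfsmnt)
+struct path *path)
 {
-char *p, *path;
+char *p, *pathname;
 
 if (prefix)
 audit_log_format(ab, " %s", prefix);
 
 /* We will allow 11 spaces for ' (deleted)' to be appended */
-path = kmalloc(PATH_MAX+11, ab->gfp_mask);
-if (!path) {
+pathname = kmalloc(PATH_MAX+11, ab->gfp_mask);
+if (!pathname) {
 audit_log_format(ab, "<no memory>");
 return;
 }
-p = d_path(dentry, vfsmnt, path, PATH_MAX+11);
+p = d_path(path->dentry, path->mnt, pathname, PATH_MAX+11);
 if (IS_ERR(p)) { /* Should never happen since we send PATH_MAX */
 /* FIXME: can we save some information here? */
 audit_log_format(ab, "<too long>");
 } else
 audit_log_untrustedstring(ab, p);
-kfree(path);
+kfree(pathname);
 }
 
 /**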
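Review bot: `audit_log_d_path()` only reads through `path`, so the new parameter could be `const struct path *path` (with the matching change to the prototype in include/linux/audit.h); that documents that the callee borrows the caller's dentry/mnt references rather than taking its own, and reading `path->dentry` through a const struct still yields a non-const `struct dentry *`, so the `d_path()` call is unaffected. The one-line comment above the function should also become a kernel-doc stating the contract the new callers (including a stack-temporary path in avc.c) rely on: the caller keeps its references alive for the duration of the call and no reference is taken or dropped here. I would not carry over `/* Should never happen since we send PATH_MAX */` unchanged without re-checking it against `d_path()`'s error returns, but that part is pre-existing.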
+11 -17
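--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -208,8 +208,7 @@
 int name_count;
 struct audit_names names[AUDIT_NAMES];
 char * filterkey; /* key for rule that triggered record */
-struct dentry * pwd;
-struct vfsmount * pwdmnt;
+struct path pwd;
 struct audit_context *previous; /* For nested syscalls */
 struct audit_aux_data *aux;
 struct audit_aux_data *aux_pids;
@@ -785,12 +786,9 @@
 __putname(context->names[i].name);
 }
 context->name_count = 0;
-if (context->pwd)
-dput(context->pwd);
-if (context->pwdmnt)
-mntput(context->pwdmnt);
-context->pwd = NULL;
-context->pwdmnt = NULL;
+path_put(&context->pwd);
+context->pwd.dentry = NULL;
+context->pwd.mnt = NULL;
 }
 
 static inline void audit_free_aux(struct audit_context *context)
@@ -926,8 +930,7 @@
 if ((vma->vm_flags & VM_EXECUTABLE) &&
 vma->vm_file) {
 audit_log_d_path(ab, "exe=",
-vma->vm_file->f_path.dentry,
-vma->vm_file->f_path.mnt);
+&vma->vm_file->f_path);
 break;
 }
 vma = vma->vm_next;
@@ -1336,10 +1341,10 @@
 context->target_sid, context->target_comm))
 call_panic = 1;
 
-if (context->pwd && context->pwdmnt) {
+if (context->pwd.dentry && context->pwd.mnt) {
 ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD);
 if (ab) {
-audit_log_d_path(ab, "cwd=", context->pwd, context->pwdmnt);
+audit_log_d_path(ab, "cwd=", &context->pwd);
 audit_log_end(ab);
 }
 }
@@ -1362,8 +1367,7 @@
 case 0:
 /* name was specified as a relative path and the
 * directory component is the cwd */
-audit_log_d_path(ab, " name=", context->pwd,
-context->pwdmnt);
+audit_log_d_path(ab, " name=", &context->pwd);
 break;
 default:
 /* log the name's directory component */
@@ -1689,10 +1695,10 @@
 context->names[context->name_count].ino = (unsigned long)-1;
 context->names[context->name_count].osid = 0;
 ++context->name_count;
-if (!context->pwd) {
+if (!context->pwd.dentry) {
 read_lock(&current->fs->lock);
-context->pwd = dget(current->fs->pwd.dentry);
-context->pwdmnt = mntget(current->fs->pwd.mnt);
+context->pwd = current->fs->pwd;
+path_get(&current->fs->pwd);
 read_unlock(&current->fs->lock);
 }
 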
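Review bot: In `audit_free_names()` the unconditional `path_put(&context->pwd);` replaces two guarded puts, so it now runs on a pwd whose `dentry` and `mnt` are both NULL for any context that never captured a cwd (presumably zeroed at allocation, and re-cleared right below); that is only correct if `path_put()` — i.e. `dput()` and `mntput()` — tolerate NULL, which I believe they do but cannot confirm from this page. Either keep the guard, `if (context->pwd.dentry) path_put(&context->pwd);`, or add `/* path_put() is NULL-safe: pwd may never have been captured */` above the call so the reliance is explicit rather than implicit. The capture site checks only `pwd.dentry` while the logging site checks both members; since `context->pwd = current->fs->pwd;` always sets both together that is consistent, but a one-line comment at the capture would save the next reader the cross-check. The enclosing functions start outside these hunks.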
+10 -5
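--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -568,10 +568,11 @@
 audit_log_format(ab, " capability=%d", a->u.cap);
 break;
 case AVC_AUDIT_DATA_FS:
-if (a->u.fs.dentry) {
-struct dentry *dentry = a->u.fs.dentry;
-if (a->u.fs.mnt) {
-audit_log_d_path(ab, "path=", dentry, a->u.fs.mnt);
+if (a->u.fs.path.dentry) {
+struct dentry *dentry = a->u.fs.path.dentry;
+if (a->u.fs.path.mnt) {
+audit_log_d_path(ab, "path=",
+&a->u.fs.path);
 } else {
 audit_log_format(ab, " name=");
 audit_log_untrustedstring(ab, dentry->d_name.name);
@@ -627,8 +626,12 @@
 case AF_UNIX:
 u = unix_sk(sk);
 if (u->dentry) {
+struct path path = {
+.dentry = u->dentry,
+.mnt = u->mnt
+};
 audit_log_d_path(ab, "path=",
-u->dentry, u->mnt);
+&path);
 break;
 }
 if (!u->addr)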
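Review bot: The AF_UNIX case builds a stack `struct path` from `u->dentry`/`u->mnt` without `path_get()`, which is fine for a synchronous `audit_log_d_path()` call but reads like an owned path; a one-line comment, `/* borrowed view of u->dentry/u->mnt: no reference taken, valid only for this call */`, would stop a later reader from adding a `path_put()` or hoisting the temporary out of the block. The `AVC_AUDIT_DATA_FS` branch likewise relies on `a->u.fs.path.mnt` being NULL whenever the caller only filled in the dentry, so the `else` branch deserves `/* no mnt: caller only had a dentry, log its name */`. Both enclosing functions start and end outside the hunks.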
+12 -16
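--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1356,8 +1356,8 @@
 struct inode *inode = dentry->d_inode;
 struct avc_audit_data ad;
 AVC_AUDIT_DATA_INIT(&ad,FS);
-ad.u.fs.mnt = mnt;
-ad.u.fs.dentry = dentry;
+ad.u.fs.path.mnt = mnt;
+ad.u.fs.path.dentry = dentry;
 return inode_has_perm(tsk, inode, av, &ad);
 }
 
@@ -1375,15 +1375,12 @@
 {
 struct task_security_struct *tsec = tsk->security;
 struct file_security_struct *fsec = file->f_security;
-struct vfsmount *mnt = file->f_path.mnt;
-struct dentry *dentry = file->f_path.dentry;
-struct inode *inode = dentry->d_inode;
+struct inode *inode = file->f_path.dentry->d_inode;
 struct avc_audit_data ad;
 int rc;
 
 AVC_AUDIT_DATA_INIT(&ad, FS);
-ad.u.fs.mnt = mnt;
-ad.u.fs.dentry = dentry;
+ad.u.fs.path = file->f_path;
 
 if (tsec->sid != fsec->sid) {
 rc = avc_has_perm(tsec->sid, fsec->sid,
@@ -1415,7 +1418,7 @@
 sbsec = dir->i_sb->s_security;
 
 AVC_AUDIT_DATA_INIT(&ad, FS);
-ad.u.fs.dentry = dentry;
+ad.u.fs.path.dentry = dentry;
 
 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
 DIR__ADD_NAME | DIR__SEARCH,
@@ -1473,7 +1476,7 @@
 isec = dentry->d_inode->i_security;
 
 AVC_AUDIT_DATA_INIT(&ad, FS);
-ad.u.fs.dentry = dentry;
+ad.u.fs.path.dentry = dentry;
 
 av = DIR__SEARCH;
 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
@@ -1520,7 +1523,7 @@
 
 AVC_AUDIT_DATA_INIT(&ad, FS);
 
-ad.u.fs.dentry = old_dentry;
+ad.u.fs.path.dentry = old_dentry;
 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
 if (rc)
@@ -1536,7 +1539,7 @@
 return rc;
 }
 
-ad.u.fs.dentry = new_dentry;
+ad.u.fs.path.dentry = new_dentry;
 av = DIR__ADD_NAME | DIR__SEARCH;
 if (new_dentry->d_inode)
 av |= DIR__REMOVE_NAME;
@@ -1915,8 +1918,7 @@
 }
 
 AVC_AUDIT_DATA_INIT(&ad, FS);
-ad.u.fs.mnt = bprm->file->f_path.mnt;
-ad.u.fs.dentry = bprm->file->f_path.dentry;
+ad.u.fs.path = bprm->file->f_path;
 
 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
 newsid = tsec->sid;
@@ -2311,7 +2315,7 @@
 return rc;
 
 AVC_AUDIT_DATA_INIT(&ad,FS);
-ad.u.fs.dentry = sb->s_root;
+ad.u.fs.path.dentry = sb->s_root;
 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
 }
 
@@ -2320,7 +2324,7 @@
 struct avc_audit_data ad;
 
 AVC_AUDIT_DATA_INIT(&ad,FS);
-ad.u.fs.dentry = dentry->d_sb->s_root;
+ad.u.fs.path.dentry = dentry->d_sb->s_root;
 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
 }
 
@@ -2583,7 +2587,7 @@
 return -EPERM;
 
 AVC_AUDIT_DATA_INIT(&ad,FS);
-ad.u.fs.dentry = dentry;
+ad.u.fs.path.dentry = dentry;
 
 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
 FILE__RELABELFROM, &ad);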
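Review bot: Several of the new sites set only the dentry half of the embedded path (e.g. `ad.u.fs.path.dentry = dentry;` right after `AVC_AUDIT_DATA_INIT(&ad, FS);`), leaving `path.mnt` to whatever the init macro produced; avc_audit() falls back to logging just the dentry name when `mnt` is NULL, so these sites are correct only if `AVC_AUDIT_DATA_INIT` zeroes the struct, which is presumably the case but is not visible on this page. A comment at the dentry-only sites, `/* mnt left NULL: avc_audit() logs d_name only */`, would make that dependency explicit. The by-value copies `ad.u.fs.path = file->f_path;` and `ad.u.fs.path = bprm->file->f_path;` borrow the file's references rather than taking their own, which is fine because `ad` is stack-local and consumed synchronously by the `avc_has_perm()`/`*_has_perm()` calls, but that is worth stating once at the struct definition rather than being rediscovered per caller. The functions containing these hunks (file_has_perm and the bprm hook among them) start outside the hunks.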
+2 -4
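--- a/security/selinux/include/avc.h
+++ b/security/selinux/include/avc.h
@@ -13,6 +13,7 @@
 #include <linux/spinlock.h>
 #include <linux/init.h>
 #include <linux/in6.h>
+#include <linux/path.h>
 #include <asm/system.h>
 #include "flask.h"
 #include "av_permissions.h"
@@ -31,8 +30,6 @@
 struct avc_entry;
 
 struct task_struct;
-struct vfsmount;
-struct dentry;
 struct inode;
 struct sock;
 struct sk_buff;
@@ -45,8 +46,7 @@
 struct task_struct *tsk;
 union {
 struct {
-struct vfsmount *mnt;
-struct dentry *dentry;
+struct path path;
 struct inode *inode;
 } fs;
 struct {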
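Review bot: The new `struct path path;` member in the `fs` union arm carries no comment, yet every user in this commit relies on two unstated rules: the path is borrowed (no `path_get()` is ever taken on it, so the caller's references must outlive the `avc_audit_data`), and `mnt` may be NULL, in which case avc_audit() logs only `dentry->d_name`. I would document that on the member itself: `struct path path; /* borrowed, no ref held; mnt may be NULL (then only d_name is logged) */`. Dropping the `struct vfsmount;`/`struct dentry;` forward declarations is fine only because `<linux/path.h>` is now included ahead of the struct, so those two lines are now coupled to that include and a short comment on the include would prevent a future "unused include" cleanup from breaking the header. `struct avc_audit_data` itself starts outside the hunk.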