lsm.c (b2c858148acf96290b9a9af259a04e080a169f51) lsm.c (f4fee216df7d28b87d1c9cc60bcebfecb51c1a05)
1// SPDX-License-Identifier: GPL-2.0-only
2/*
3 * AppArmor security module
4 *
5 * This file contains AppArmor LSM hooks.
6 *
7 * Copyright (C) 1998-2008 Novell/SUSE
8 * Copyright 2009-2010 Canonical Ltd.


456 return common_perm_cond(OP_GETATTR, path, AA_MAY_GETATTR);
457}
458
459static int apparmor_file_open(struct file *file)
460{
461 struct aa_file_ctx *fctx = file_ctx(file);
462 struct aa_label *label;
463 int error = 0;
1// SPDX-License-Identifier: GPL-2.0-only
2/*
3 * AppArmor security module
4 *
5 * This file contains AppArmor LSM hooks.
6 *
7 * Copyright (C) 1998-2008 Novell/SUSE
8 * Copyright 2009-2010 Canonical Ltd.


456 return common_perm_cond(OP_GETATTR, path, AA_MAY_GETATTR);
457}
458
459static int apparmor_file_open(struct file *file)
460{
461 struct aa_file_ctx *fctx = file_ctx(file);
462 struct aa_label *label;
463 int error = 0;
464 bool needput;
464
465 if (!path_mediated_fs(file->f_path.dentry))
466 return 0;
467
468 /* If in exec, permission is handled by bprm hooks.
469 * Cache permissions granted by the previous exec check, with
470 * implicit read and executable mmap which are required to
471 * actually execute the image.
472 *
473 * Illogically, FMODE_EXEC is in f_flags, not f_mode.
474 */
475 if (file->f_flags & __FMODE_EXEC) {
476 fctx->allow = MAY_EXEC | MAY_READ | AA_EXEC_MMAP;
477 return 0;
478 }
479
465
466 if (!path_mediated_fs(file->f_path.dentry))
467 return 0;
468
469 /* If in exec, permission is handled by bprm hooks.
470 * Cache permissions granted by the previous exec check, with
471 * implicit read and executable mmap which are required to
472 * actually execute the image.
473 *
474 * Illogically, FMODE_EXEC is in f_flags, not f_mode.
475 */
476 if (file->f_flags & __FMODE_EXEC) {
477 fctx->allow = MAY_EXEC | MAY_READ | AA_EXEC_MMAP;
478 return 0;
479 }
480
480 label = aa_get_newest_cred_label(file->f_cred);
481 label = aa_get_newest_cred_label_condref(file->f_cred, &needput);
481 if (!unconfined(label)) {
482 struct mnt_idmap *idmap = file_mnt_idmap(file);
483 struct inode *inode = file_inode(file);
484 vfsuid_t vfsuid;
485 struct path_cond cond = {
486 .mode = inode->i_mode,
487 };
488 vfsuid = i_uid_into_vfsuid(idmap, inode);
489 cond.uid = vfsuid_into_kuid(vfsuid);
490
491 error = aa_path_perm(OP_OPEN, file->f_cred,
492 label, &file->f_path, 0,
493 aa_map_file_to_perms(file), &cond);
494 /* todo cache full allowed permissions set and state */
495 fctx->allow = aa_map_file_to_perms(file);
496 }
482 if (!unconfined(label)) {
483 struct mnt_idmap *idmap = file_mnt_idmap(file);
484 struct inode *inode = file_inode(file);
485 vfsuid_t vfsuid;
486 struct path_cond cond = {
487 .mode = inode->i_mode,
488 };
489 vfsuid = i_uid_into_vfsuid(idmap, inode);
490 cond.uid = vfsuid_into_kuid(vfsuid);
491
492 error = aa_path_perm(OP_OPEN, file->f_cred,
493 label, &file->f_path, 0,
494 aa_map_file_to_perms(file), &cond);
495 /* todo cache full allowed permissions set and state */
496 fctx->allow = aa_map_file_to_perms(file);
497 }
497 aa_put_label(label);
498 aa_put_label_condref(label, needput);
498
499 return error;
500}
501
502static int apparmor_file_alloc_security(struct file *file)
503{
504 struct aa_file_ctx *ctx = file_ctx(file);
505 struct aa_label *label = begin_current_label_crit_section();

499
500 return error;
501}
502
503static int apparmor_file_alloc_security(struct file *file)
504{
505 struct aa_file_ctx *ctx = file_ctx(file);
506 struct aa_label *label = begin_current_label_crit_section();

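Review bot: `bool needput;` (new line 464) is never initialized before `aa_get_newest_cred_label_condref(file->f_cred, &needput)` (line 481), so `aa_put_label_condref(label, needput)` (line 498) is only correct if every return path of that helper stores to `*needput`; the helper is outside this file section, so that is inferred rather than visible. A defensive `bool needput = false;` costs nothing and turns a missed store into a leaked reference rather than a put on a label that was only borrowed. The borrow itself deserves a one-line comment at line 481, since a reader of the hook cannot tell why a label reached through `f_cred` may be used without its own reference; something like `/* f_cred pins its label; needput is set only when a newer (replaced) label had to be referenced */`, adjusted to whatever the condref contract actually guarantees. The whole of apparmor_file_open (459-500) is within this section.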