On Tue, May 3, 2022 at 2:38 PM Guowei Du <duguoweisz@xxxxxxxxx> wrote:
>
> From: duguowei <duguowei@xxxxxxxxxx>
>
> For now, there have been open/access/open_exec perms for file operation,
> so we add new perms check with unlink/rmdir syscall. If one app deletes
> any file/dir within the public area, fsnotify can send an fsnotify_event to
> the listener to deny that, even if the app has the right dac/mac permissions.
>
> Signed-off-by: duguowei <duguowei@xxxxxxxxxx>
> ---
>  fs/notify/fsnotify.c             |  2 +-
>  include/linux/fs.h               |  2 ++
>  include/linux/fsnotify.h         | 16 ++++++++++++++++
>  include/linux/fsnotify_backend.h |  6 +++++-
>  security/security.c              | 12 ++++++++++--
>  security/selinux/hooks.c         |  4 ++++
>  6 files changed, 38 insertions(+), 4 deletions(-)

...

> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index e9e959343de9..f0780f0eb903 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -1801,8 +1801,12 @@ static int may_create(struct inode *dir,
>  }
>
>  #define MAY_LINK 0
> +#ifndef MAY_UNLINK
>  #define MAY_UNLINK 1
> +#endif
> +#ifndef MAY_RMDIR
>  #define MAY_RMDIR 2
> +#endif

In the future if you run into a symbol collision here I would prefer if
you renamed the SELinux constants to something like SEL_MAY_LINK, etc.

--
paul-moore.com
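Review bot: the `#ifndef MAY_UNLINK` / `#ifndef MAY_RMDIR` guards in the security/selinux/hooks.c hunk hide the name collision rather than resolve it. The diffstat shows two lines added to include/linux/fs.h, presumably the new global MAY_UNLINK/MAY_RMDIR; whenever fs.h is included before these lines, the SELinux-local values 1 and 2 are silently skipped in favour of whatever fs.h defines, and `MAY_LINK 0` stays unguarded, so the three constants can drift apart with no compiler diagnostic. Suggest dropping the `#ifndef` guards and giving the local SELinux constants a distinct prefix (`SEL_MAY_LINK`, `SEL_MAY_UNLINK`, `SEL_MAY_RMDIR`), or, if the values are intended to match fs.h, deleting the local definitions and using the fs.h ones directly.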