Hello.
int security_inode_rename(struct inode *old_dir, struct dentry *old_dentry,
struct inode *new_dir, struct dentry *new_dentry)
{
if (unlikely(IS_PRIVATE(old_dentry->d_inode) ||
(new_dentry->d_inode && IS_PRIVATE(new_dentry->d_inode))))
return 0;
return security_ops->inode_rename(old_dir, old_dentry,
new_dir, new_dentry);
}
int security_path_rename(struct path *old_dir, struct dentry *old_dentry,
struct path *new_dir, struct dentry *new_dentry)
{
if (unlikely(IS_PRIVATE(old_dentry->d_inode) ||
(new_dentry->d_inode && IS_PRIVATE(new_dentry->d_inode))))
return 0;
return security_ops->path_rename(old_dir, old_dentry, new_dir,
new_dentry);
}
I just come to wonder why the condition is "||".
If source inode is private, destination inode (which is not always private)
will be deleted without LSM's permission check.
If destination inode is private, source inode (which is not always private)
will be renamed without LSM's permission check.
I think it is not good to grant deleting/renaming !IS_PRIVATE(inode) without
LSM's permission check.
--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
