Like ->follow_link, inode_follow_link now takes an inode and flags as well as the dentry. inode is used in preference to dentry->d_inode, particularly in RCU-walk mode. selinux_inode_follow_link() gets dentry_has_perm() and inode_has_perm() open-coded into it so that it can call avc_has_perm_flags() in way that is safe if LOOKUP_RCU is set. Calling avc_has_perm_flags() with rcu_read_lock() held means that when avc_has_perm_noaudit calls avc_compute_av(), the attempt to rcu_read_unlock() before calling security_compute_av() will not actually drop the RCU read-lock. However as security_compute_av() is completely in a read_lock()ed region, it should be safe with the RCU read-lock held. Signed-off-by: NeilBrown <neilb@xxxxxxx> --- fs/namei.c | 3 ++- include/linux/security.h | 12 +++++++++--- security/capability.c | 3 ++- security/security.c | 7 ++++--- security/selinux/hooks.c | 19 +++++++++++++++++-- 5 files changed, 34 insertions(+), 10 deletions(-) diff --git a/fs/namei.c b/fs/namei.c index 784fca0e6c70..6ac163212429 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -895,7 +895,8 @@ follow_link(struct path *link, struct nameidata *nd, void **p) touch_atime(link); nd_set_link(NULL); - error = security_inode_follow_link(dentry); + error = security_inode_follow_link(dentry, inode, + nd->flags & LOOKUP_RCU); if (error) goto out_put_nd_path; diff --git a/include/linux/security.h b/include/linux/security.h index 237d22bfc642..5a207d110053 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -476,6 +476,8 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts) * @inode_follow_link: * Check permission to follow a symbolic link when looking up a pathname. * @dentry contains the dentry structure for the link. + * @inode contains dentry->d_inode, which itself is not stable in RCU-walk + * @flags contains LOOKUP_RCU if in RCU-walk mode. * Return 0 if permission is granted. * @inode_permission: * Check permission before accessing an inode. This hook is called by the @@ -1551,7 +1553,8 @@ struct security_operations { int (*inode_rename) (struct inode *old_dir, struct dentry *old_dentry, struct inode *new_dir, struct dentry *new_dentry); int (*inode_readlink) (struct dentry *dentry); - int (*inode_follow_link) (struct dentry *dentry); + int (*inode_follow_link) (struct dentry *dentry, struct inode *inode, + int flags); int (*inode_permission) (struct inode *inode, int mask); int (*inode_setattr) (struct dentry *dentry, struct iattr *attr); int (*inode_getattr) (struct vfsmount *mnt, struct dentry *dentry); @@ -1838,7 +1841,8 @@ int security_inode_rename(struct inode *old_dir, struct dentry *old_dentry, struct inode *new_dir, struct dentry *new_dentry, unsigned int flags); int security_inode_readlink(struct dentry *dentry); -int security_inode_follow_link(struct dentry *dentry); +int security_inode_follow_link(struct dentry *dentry, struct inode *inode, + int flags); int security_inode_permission(struct inode *inode, int mask); int security_inode_setattr(struct dentry *dentry, struct iattr *attr); int security_inode_getattr(struct vfsmount *mnt, struct dentry *dentry); @@ -2240,7 +2244,9 @@ static inline int security_inode_readlink(struct dentry *dentry) return 0; } -static inline int security_inode_follow_link(struct dentry *dentry) +static inline int security_inode_follow_link(struct dentry *dentry, + struct inode *inode, + int flags) { return 0; } diff --git a/security/capability.c b/security/capability.c index ad8557782e73..f65bf2c26944 100644 --- a/security/capability.c +++ b/security/capability.c @@ -209,7 +209,8 @@ static int cap_inode_readlink(struct dentry *dentry) return 0; } -static int cap_inode_follow_link(struct dentry *dentry) +static int cap_inode_follow_link(struct dentry *dentry, struct inode *inode, + int flags) { return 0; } diff --git a/security/security.c b/security/security.c index 7b4fd199e881..0ff6d38cf1e4 100644 --- a/security/security.c +++ b/security/security.c @@ -581,11 +581,12 @@ int security_inode_readlink(struct dentry *dentry) return security_ops->inode_readlink(dentry); } -int security_inode_follow_link(struct dentry *dentry) +int security_inode_follow_link(struct dentry *dentry, struct inode *inode, + int flags) { - if (unlikely(IS_PRIVATE(dentry->d_inode))) + if (unlikely(IS_PRIVATE(inode))) return 0; - return security_ops->inode_follow_link(dentry); + return security_ops->inode_follow_link(dentry, inode, flags); } int security_inode_permission(struct inode *inode, int mask) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 9a08b8c04eff..b46382749b33 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2862,11 +2862,26 @@ static int selinux_inode_readlink(struct dentry *dentry) return dentry_has_perm(cred, dentry, FILE__READ); } -static int selinux_inode_follow_link(struct dentry *dentry) +static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode, + int flags) { const struct cred *cred = current_cred(); + struct common_audit_data ad; + struct inode_security_struct *isec; + u32 sid; - return dentry_has_perm(cred, dentry, FILE__READ); + if (unlikely(IS_PRIVATE(inode))) + return 0; + + validate_creds(cred); + + ad.type = LSM_AUDIT_DATA_DENTRY; + ad.u.dentry = dentry; + sid = cred_sid(cred); + isec = inode->i_security; + + return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad, + flags & LOOKUP_RCU ? MAY_NOT_BLOCK : 0); } static noinline int audit_inode_permission(struct inode *inode, -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html