CRED: Pass credentials through dentry_open()
Pass credentials through dentry_open() so that the COW creds patch can have
SELinux's flush_unauthorized_files() pass the appropriate creds back to itself
when it opens its null chardev.
The security_dentry_open() call also now takes a creds pointer, as does the
dentry_open hook in struct security_operations.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
diff --git a/security/capability.c b/security/capability.c
index 6c4b513..fac2f61 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -330,7 +330,7 @@
return 0;
}
-static int cap_dentry_open(struct file *file)
+static int cap_dentry_open(struct file *file, const struct cred *cred)
{
return 0;
}
diff --git a/security/security.c b/security/security.c
index d058f7d..f40a0a0 100644
--- a/security/security.c
+++ b/security/security.c
@@ -606,9 +606,9 @@
return security_ops->file_receive(file);
}
-int security_dentry_open(struct file *file)
+int security_dentry_open(struct file *file, const struct cred *cred)
{
- return security_ops->dentry_open(file);
+ return security_ops->dentry_open(file, cred);
}
int security_task_create(unsigned long clone_flags)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index cc6e5a3..f20cbd6 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2150,9 +2150,9 @@
extern struct dentry *selinux_null;
/* Derived from fs/exec.c:flush_old_files. */
-static inline void flush_unauthorized_files(struct files_struct *files)
+static inline void flush_unauthorized_files(const struct cred *cred,
+ struct files_struct *files)
{
- const struct cred *cred = current_cred();
struct avc_audit_data ad;
struct file *file, *devnull = NULL;
struct tty_struct *tty;
@@ -2222,7 +2222,10 @@
if (devnull) {
get_file(devnull);
} else {
- devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
+ devnull = dentry_open(
+ dget(selinux_null),
+ mntget(selinuxfs_mount),
+ O_RDWR, cred);
if (IS_ERR(devnull)) {
devnull = NULL;
put_unused_fd(fd);
@@ -2302,6 +2305,7 @@
*/
static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
{
+ const struct cred *cred = current_cred();
struct task_security_struct *tsec;
struct rlimit *rlim, *initrlim;
struct itimerval itimer;
@@ -2321,7 +2325,7 @@
return;
/* Close files for which the new task SID is not authorized. */
- flush_unauthorized_files(current->files);
+ flush_unauthorized_files(cred, current->files);
/* Check whether the new SID can inherit signal state
from the old SID. If not, clear itimers to avoid
@@ -3202,9 +3206,8 @@
return file_has_perm(cred, file, file_to_av(file));
}
-static int selinux_dentry_open(struct file *file)
+static int selinux_dentry_open(struct file *file, const struct cred *cred)
{
- const struct cred *cred = current_cred();
struct file_security_struct *fsec;
struct inode *inode;
struct inode_security_struct *isec;