
remove_suid.diff rediff. fold fix_leaf.diff into leaf.diff.

This commit is contained in:
Andreas Gruenbacher
2007-05-03 20:16:34 +00:00
parent 142cd5ea0c
commit 83f12d961c
3 changed files with 32 additions and 37 deletions


@@ -1,15 +1,13 @@
--- ---
fs/namei.c | 6 ++++++ fs/namei.c | 6 ++++++
security/apparmor/apparmor.h | 7 +++---- security/apparmor/apparmor.h | 7 +++----
security/apparmor/lsm.c | 17 ++++++++--------- security/apparmor/lsm.c | 25 +++++++++++++------------
security/apparmor/main.c | 14 +------------- security/apparmor/main.c | 14 +-------------
4 files changed, 18 insertions(+), 26 deletions(-) 4 files changed, 23 insertions(+), 29 deletions(-)
Index: b/fs/namei.c
===================================================================
--- a/fs/namei.c --- a/fs/namei.c
+++ b/fs/namei.c +++ b/fs/namei.c
@@ -1428,6 +1428,10 @@ static int may_delete(struct inode *dir, @@ -1396,6 +1396,10 @@ static int may_delete(struct inode *dir,
BUG_ON(victim->d_parent->d_inode != dir); BUG_ON(victim->d_parent->d_inode != dir);
audit_inode_child(victim->d_name.name, victim->d_inode, dir); audit_inode_child(victim->d_name.name, victim->d_inode, dir);
@@ -20,7 +18,7 @@ Index: b/fs/namei.c
error = permission(dir,MAY_WRITE | MAY_EXEC, NULL); error = permission(dir,MAY_WRITE | MAY_EXEC, NULL);
if (error) if (error)
return error; return error;
@@ -1465,6 +1469,8 @@ static inline int may_create(struct inod @@ -1433,6 +1437,8 @@ static inline int may_create(struct inod
return -EEXIST; return -EEXIST;
if (IS_DEADDIR(dir)) if (IS_DEADDIR(dir))
return -ENOENT; return -ENOENT;
@@ -29,8 +27,6 @@ Index: b/fs/namei.c
return permission(dir,MAY_WRITE | MAY_EXEC, nd); return permission(dir,MAY_WRITE | MAY_EXEC, nd);
} }
Index: b/security/apparmor/apparmor.h
===================================================================
--- a/security/apparmor/apparmor.h --- a/security/apparmor/apparmor.h
+++ b/security/apparmor/apparmor.h +++ b/security/apparmor/apparmor.h
@@ -181,10 +181,9 @@ struct aa_audit { @@ -181,10 +181,9 @@ struct aa_audit {
@@ -47,8 +43,6 @@ Index: b/security/apparmor/apparmor.h
/* main.c */ /* main.c */
extern int alloc_null_complain_profile(void); extern int alloc_null_complain_profile(void);
Index: b/security/apparmor/lsm.c
===================================================================
--- a/security/apparmor/lsm.c --- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c
@@ -291,7 +291,7 @@ static int aa_permission(struct inode *i @@ -291,7 +291,7 @@ static int aa_permission(struct inode *i
@@ -94,22 +88,27 @@ Index: b/security/apparmor/lsm.c
if (inode && S_ISDIR(inode->i_mode)) if (inode && S_ISDIR(inode->i_mode))
check |= AA_CHECK_DIR; check |= AA_CHECK_DIR;
@@ -381,13 +381,12 @@ static int apparmor_inode_permission(str @@ -381,13 +381,14 @@ static int apparmor_inode_permission(str
{ {
int check = 0; int check = 0;
- if (!nd) - if (!nd)
+ if (!nd || nd->flags & (LOOKUP_PARENT | LOOKUP_CONTINUE)) + if (!nd || nd->flags & (LOOKUP_PARENT | LOOKUP_CONTINUE))
return 0; return 0;
if (S_ISDIR(inode->i_mode)) - if (S_ISDIR(inode->i_mode))
check |= AA_CHECK_DIR; - check |= AA_CHECK_DIR;
mask &= (MAY_READ | MAY_WRITE | MAY_EXEC); mask &= (MAY_READ | MAY_WRITE | MAY_EXEC);
-
- /* Assume we are not checking a leaf directory. */ - /* Assume we are not checking a leaf directory. */
+ if (S_ISDIR(inode->i_mode)) {
+ check |= AA_CHECK_DIR;
+ /* allow traverse accesses to directories */
+ mask &= ~MAY_EXEC;
+ }
return aa_permission(inode, nd->dentry, nd->mnt, mask, check); return aa_permission(inode, nd->dentry, nd->mnt, mask, check);
} }
@@ -481,7 +480,7 @@ static int apparmor_file_permission(stru @@ -481,7 +482,7 @@ static int apparmor_file_permission(stru
struct dentry *dentry = file->f_dentry; struct dentry *dentry = file->f_dentry;
struct vfsmount *mnt = file->f_vfsmnt; struct vfsmount *mnt = file->f_vfsmnt;
struct inode *inode = dentry->d_inode; struct inode *inode = dentry->d_inode;
@@ -118,7 +117,7 @@ Index: b/security/apparmor/lsm.c
/* /*
* FIXME: We should remember which profiles we revalidated * FIXME: We should remember which profiles we revalidated
@@ -536,7 +535,7 @@ static inline int aa_mmap(struct file *f @@ -536,7 +537,7 @@ static inline int aa_mmap(struct file *f
dentry = file->f_dentry; dentry = file->f_dentry;
return aa_permission(dentry->d_inode, dentry, file->f_vfsmnt, mask, return aa_permission(dentry->d_inode, dentry, file->f_vfsmnt, mask,
@@ -127,8 +126,6 @@ Index: b/security/apparmor/lsm.c
} }
static int apparmor_file_mmap(struct file *file, unsigned long reqprot, static int apparmor_file_mmap(struct file *file, unsigned long reqprot,
Index: b/security/apparmor/main.c
===================================================================
--- a/security/apparmor/main.c --- a/security/apparmor/main.c
+++ b/security/apparmor/main.c +++ b/security/apparmor/main.c
@@ -656,17 +656,6 @@ int aa_perm(struct aa_profile *profile, @@ -656,17 +656,6 @@ int aa_perm(struct aa_profile *profile,
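Review bot: After `mask &= ~MAY_EXEC;` in apparmor_inode_permission, a lookup that requested only MAY_EXEC on a directory still falls through to `aa_permission(inode, nd->dentry, nd->mnt, mask, check)` with a zero mask; unless aa_permission short-circuits on an empty mask (its body is not in this hunk), that is a pathname-based check, and possibly an audit record, for a request that can no longer be denied. I would add `if (!mask) return 0;` after the new S_ISDIR block. Since this, together with the new `LOOKUP_PARENT | LOOKUP_CONTINUE` early return, means directory search/traversal is deliberately left unmediated by this hook, the comment should say so plainly rather than "allow traverse accesses", e.g. `/* directory traversal (MAY_EXEC) is never mediated here; only read/write on the leaf directory is checked */`, so a later reader does not "fix" it back. The function's signature line sits outside the hunk; only its body from `{` is visible.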


@@ -34,7 +34,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
file_update_time(file); file_update_time(file);
--- a/fs/ocfs2/file.c --- a/fs/ocfs2/file.c
+++ b/fs/ocfs2/file.c +++ b/fs/ocfs2/file.c
@@ -1157,14 +1157,14 @@ out: @@ -1035,13 +1035,13 @@ out:
return ret; return ret;
} }
@@ -42,8 +42,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
+static int ocfs2_prepare_inode_for_write(struct path *path, +static int ocfs2_prepare_inode_for_write(struct path *path,
loff_t *ppos, loff_t *ppos,
size_t count, size_t count,
int appending, int appending)
int *direct_io)
{ {
int ret = 0, meta_level = appending; int ret = 0, meta_level = appending;
- struct inode *inode = dentry->d_inode; - struct inode *inode = dentry->d_inode;
@@ -51,7 +50,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
u32 clusters; u32 clusters;
loff_t newsize, saved_pos; loff_t newsize, saved_pos;
@@ -1190,7 +1190,7 @@ static int ocfs2_prepare_inode_for_write @@ -1067,7 +1067,7 @@ static int ocfs2_prepare_inode_for_write
* inode. There's also the dinode i_size state which * inode. There's also the dinode i_size state which
* can be lost via setattr during extending writes (we * can be lost via setattr during extending writes (we
* set inode->i_size at the end of a write. */ * set inode->i_size at the end of a write. */
@@ -60,24 +59,24 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
if (meta_level == 0) { if (meta_level == 0) {
ocfs2_meta_unlock(inode, meta_level); ocfs2_meta_unlock(inode, meta_level);
meta_level = 1; meta_level = 1;
@@ -1498,7 +1498,7 @@ relock: @@ -1176,7 +1176,7 @@ static ssize_t ocfs2_file_aio_write(stru
}
can_do_direct = direct_io;
- ret = ocfs2_prepare_inode_for_write(file->f_path.dentry, ppos,
+ ret = ocfs2_prepare_inode_for_write(&file->f_path, ppos,
iocb->ki_left, appending,
&can_do_direct);
if (ret < 0) {
@@ -1703,7 +1703,7 @@ static ssize_t ocfs2_file_splice_write(s
goto out; goto out;
} }
- ret = ocfs2_prepare_inode_for_write(out->f_path.dentry, ppos, len, 0, - ret = ocfs2_prepare_inode_for_write(filp->f_path.dentry, &iocb->ki_pos,
+ ret = ocfs2_prepare_inode_for_write(&out->f_path, ppos, len, 0, + ret = ocfs2_prepare_inode_for_write(&filp->f_path, &iocb->ki_pos,
NULL); iocb->ki_left, appending);
if (ret < 0) { if (ret < 0) {
mlog_errno(ret); mlog_errno(ret);
@@ -1239,7 +1239,7 @@ static ssize_t ocfs2_file_splice_write(s
goto out;
}
- ret = ocfs2_prepare_inode_for_write(out->f_path.dentry, ppos, len, 0);
+ ret = ocfs2_prepare_inode_for_write(&out->f_path, ppos, len, 0);
if (ret < 0) {
mlog_errno(ret);
goto out_unlock;
--- a/fs/reiserfs/file.c --- a/fs/reiserfs/file.c
+++ b/fs/reiserfs/file.c +++ b/fs/reiserfs/file.c
@@ -1353,7 +1353,7 @@ static ssize_t reiserfs_file_write(struc @@ -1353,7 +1353,7 @@ static ssize_t reiserfs_file_write(struc
@@ -126,7 +125,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
goto out_unlock_mutex; goto out_unlock_mutex;
--- a/include/linux/fs.h --- a/include/linux/fs.h
+++ b/include/linux/fs.h +++ b/include/linux/fs.h
@@ -1690,9 +1690,9 @@ extern void __iget(struct inode * inode) @@ -1685,9 +1685,9 @@ extern void __iget(struct inode * inode)
extern void clear_inode(struct inode *); extern void clear_inode(struct inode *);
extern void destroy_inode(struct inode *); extern void destroy_inode(struct inode *);
extern struct inode *new_inode(struct super_block *); extern struct inode *new_inode(struct super_block *);
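Review bot: The new prototype `static int ocfs2_prepare_inode_for_write(struct path *path,` takes a non-const pointer to the caller's `f_path`; if the function only reads through it (its body is outside these hunks), `const struct path *path` would document that the file's path is never modified. Separately, the rediffed side drops the `int *direct_io` out-parameter and the trailing `NULL` argument at the ocfs2_file_splice_write call, which is consistent within the hunks shown, but the part of the body where `*direct_io` would have been assigned is not visible, so confirm the rediff base really has no direct-I/O path before this patch is applied. The function body continues outside the hunk.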


@@ -54,7 +54,6 @@ file_permission-nameidata.diff
apparmorfs_dentry_refcount_fix apparmorfs_dentry_refcount_fix
# NOT YET # NOT YET
leaf.diff leaf.diff
fix_leaf.diff
nfsd_permission-nameidata.diff nfsd_permission-nameidata.diff
ecryptfs-d_revalidate.diff ecryptfs-d_revalidate.diff
# statvfs.diff # statvfs.diff