[PATCH] [RFC] security: add hook inode_post_removexattr

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Add hook inode_post_removexattr for updating inode security field after successful removexattr operation.

Signed-off-by: Hawk Xu <[email protected]>
---


 fs/xattr.c               |    7 +++++--
 include/linux/security.h |   19 +++++++++++++++++++
 security/dummy.c         |    6 ++++++
 3 files changed, 30 insertions(+), 2 deletions(-)

diff --git a/fs/xattr.c b/fs/xattr.c
index 4523aca..22c2438 100644
--- a/fs/xattr.c
+++ b/fs/xattr.c
@@ -180,10 +180,13 @@ vfs_removexattr(struct dentry *dentry, char *name)

 	mutex_lock(&inode->i_mutex);
 	error = inode->i_op->removexattr(dentry, name);
+	if (!error) {
+		fsnotify_xattr(dentry);
+		security_inode_post_removexattr(dentry, name, value,
+						size, flags);
+	}
 	mutex_unlock(&inode->i_mutex);

-	if (!error)
-		fsnotify_xattr(dentry);
 	return error;
 }
 EXPORT_SYMBOL_GPL(vfs_removexattr);
diff --git a/include/linux/security.h b/include/linux/security.h
index 1a362c8..5100b23 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -393,6 +393,9 @@ struct request_sock;
  * 	Check permission before removing the extended attribute
  * 	identified by @name for @dentry.
  * 	Return 0 if permission is granted.
+ * @inode_post_removexattr:
+ * 	Update inode security field after successful removexattr operation.
+ * 	@value identified by @name for @dentry.
  * @inode_getsecurity:
  *	Copy the extended attribute representation of the security label
  *	associated with @name for @inode into @buffer.  @buffer may be
@@ -1234,6 +1237,8 @@ struct security_operations {
 	int (*inode_getxattr) (struct dentry *dentry, char *name);
 	int (*inode_listxattr) (struct dentry *dentry);
 	int (*inode_removexattr) (struct dentry *dentry, char *name);
+	void (*inode_post_removexattr) (struct dentry *dentry, char *name,
+					void *value, size_t size, int flags);
 	const char *(*inode_xattr_getsuffix) (void);
   	int (*inode_getsecurity)(const struct inode *inode, const char *name, void *buffer, size_t size, int err);
   	int (*inode_setsecurity)(struct inode *inode, const char *name, const void *value, size_t size, int flags);
@@ -1769,6 +1774,15 @@ static inline int security_inode_removexattr (struct dentry *dentry, char *name)
 	return security_ops->inode_removexattr (dentry, name);
 }

+static inline void security_inode_post_removexattr (struct dentry *dentry,
+						char *name, void *value,
+						size_t size, int flags)
+{
+	if (unlikely (IS_PRIVATE (dentry->d_inode)))
+		return;
+	security_ops->inode_post_removexattr (dentry, name, value, size, flags);
+}
+
 static inline const char *security_inode_xattr_getsuffix(void)
 {
 	return security_ops->inode_xattr_getsuffix();
@@ -2452,6 +2466,11 @@ static inline int security_inode_removexattr (struct dentry *dentry, char *name)
 	return cap_inode_removexattr(dentry, name);
 }

+static inline void security_inode_post_removexattr (struct dentry *dentry,
+						char *name, void *value,
+						size_t size, int flags)
+{ }
+
 static inline const char *security_inode_xattr_getsuffix (void)
 {
 	return NULL ;
diff --git a/security/dummy.c b/security/dummy.c
index bdd0d70..4953f06 100644
--- a/security/dummy.c
+++ b/security/dummy.c
@@ -377,6 +377,11 @@ static int dummy_inode_removexattr (struct dentry *dentry, char *name)
 	return 0;
 }

+static void dummy_inode_post_removexattr (struct dentry *dentry, char *name,
+					void *value, size_t size, int flags)
+{
+}
+
 static int dummy_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err)
 {
 	return -EOPNOTSUPP;
@@ -1014,6 +1019,7 @@ void security_fixup_ops (struct security_operations *ops)
 	set_to_dummy_if_null(ops, inode_getxattr);
 	set_to_dummy_if_null(ops, inode_listxattr);
 	set_to_dummy_if_null(ops, inode_removexattr);
+	set_to_dummy_if_null(ops, inode_post_removexattr);
 	set_to_dummy_if_null(ops, inode_xattr_getsuffix);
 	set_to_dummy_if_null(ops, inode_getsecurity);
 	set_to_dummy_if_null(ops, inode_setsecurity);
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]
  Powered by Linux