[PATCH][RFC] Remove inode_permission_lite hook

From: Chris Wright (chrisat_private)
Date: Wed Mar 26 2003 - 00:16:46 PST


    The dcache rcu patch removed most of the fast_walk patch, and
    consequently, exec_permission_lite is no longer called with the dcache
    lock held.  Standard inode_permission hook is sufficient, and capable no
    longer needs to be concerned with that lock being held when it's called.
    Noted by Stephen Smalley.
    
    thanks,
    -chris
    -- 
    Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
    
    ===== fs/namei.c 1.56 vs edited =====
    --- 1.56/fs/namei.c	Mon Mar 17 16:23:41 2003
    +++ edited/fs/namei.c	Tue Mar 25 23:55:00 2003
    @@ -319,7 +319,7 @@
     
     	return -EACCES;
     ok:
    -	return security_inode_permission_lite(inode, MAY_EXEC);
    +	return security_inode_permission(inode, MAY_EXEC);
     }
     
     /*
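Review bot: The `ok:` path now returns the result of the full `inode_permission` hook, which a module may implement with sleeping or lock-taking code, yet nothing in the hunk records that `exec_permission_lite` is therefore no longer safe to call with the dcache lock (or any spinlock) held; the function's name and whatever header comment precedes it still suggest the old lock-held contract. A short comment above the call would make the new constraint explicit: `/* Full LSM hook: may sleep, so callers must not hold the dcache lock */`. If the caller still treats an `-EAGAIN` return from this routine as "drop the lock and retry with permission()", that fallback is presumably redundant now and worth checking, though it is outside this hunk. The body of `exec_permission_lite`, including the checks that reach the `return -EACCES` just above `ok:`, begins outside the hunk.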
    ===== include/linux/security.h 1.29 vs edited =====
    --- 1.29/include/linux/security.h	Tue Mar 25 23:51:38 2003
    +++ edited/include/linux/security.h	Tue Mar 25 23:54:29 2003
    @@ -338,16 +338,6 @@
      *	@inode contains the inode structure to check.
      *	@mask contains the permission mask.
      *	Return 0 if permission is granted.
    - * @inode_permission_lite:
    - * 	Check permission before accessing an inode.  This hook is
    - * 	currently only called when checking MAY_EXEC access during
    - * 	pathname resolution.  The dcache lock is held and thus modules
    - * 	that could sleep or contend the lock should return -EAGAIN to
    - * 	inform the kernel to drop the lock and try again calling the
    - * 	full permission hook.
    - * 	@inode contains the inode structure to check.
    - * 	@mask contains the permission mask.
    - * 	Return 0 if permission is granted.
      * @inode_setattr:
      *	Check permission before setting file attributes.  Note that the kernel
      *	call to notify_change is performed from several locations, whenever
    @@ -1249,7 +1239,6 @@
     	int (*inode_readlink) (struct dentry *dentry);
     	int (*inode_follow_link) (struct dentry *dentry, struct nameidata *nd);
     	int (*inode_permission) (struct inode *inode, int mask);
    -	int (*inode_permission_lite) (struct inode *inode, int mask);
     	int (*inode_setattr)	(struct dentry *dentry, struct iattr *attr);
     	int (*inode_getattr) (struct vfsmount *mnt, struct dentry *dentry);
             void (*inode_delete) (struct inode *inode);
    @@ -1729,12 +1718,6 @@
     	return security_ops->inode_permission (inode, mask);
     }
     
    -static inline int security_inode_permission_lite (struct inode *inode,
    -						  int mask)
    -{
    -	return security_ops->inode_permission_lite (inode, mask);
    -}
    -
     static inline int security_inode_setattr (struct dentry *dentry,
     					  struct iattr *attr)
     {
    @@ -2372,12 +2355,6 @@
     }
     
     static inline int security_inode_permission (struct inode *inode, int mask)
    -{
    -	return 0;
    -}
    -
    -static inline int security_inode_permission_lite (struct inode *inode,
    -						  int mask)
     {
     	return 0;
     }
    ===== security/dummy.c 1.32 vs edited =====
    --- 1.32/security/dummy.c	Tue Mar 25 23:51:38 2003
    +++ edited/security/dummy.c	Wed Mar 26 00:00:40 2003
    @@ -349,11 +349,6 @@
     	return 0;
     }
     
    -static int dummy_inode_permission_lite (struct inode *inode, int mask)
    -{
    -	return 0;
    -}
    -
     static int dummy_inode_setattr (struct dentry *dentry, struct iattr *iattr)
     {
     	return 0;
    @@ -955,7 +950,6 @@
     	set_to_dummy_if_null(ops, inode_readlink);
     	set_to_dummy_if_null(ops, inode_follow_link);
     	set_to_dummy_if_null(ops, inode_permission);
    -	set_to_dummy_if_null(ops, inode_permission_lite);
     	set_to_dummy_if_null(ops, inode_setattr);
     	set_to_dummy_if_null(ops, inode_getattr);
     	set_to_dummy_if_null(ops, inode_delete);
    ===== security/dte/dte.c 1.42 vs edited =====
    --- 1.42/security/dte/dte.c	Tue Mar 25 23:51:38 2003
    +++ edited/security/dte/dte.c	Tue Mar 25 23:58:21 2003
    @@ -52,7 +52,6 @@
     extern void dte_inode_free_security	(struct inode *inode);
     extern void dte_inode_post_create (struct inode *inode, struct dentry *dentry, int mask);
     extern int dte_inode_permission (struct inode *inode, int mask);
    -extern int dte_inode_permission_lite(struct inode *inode, int mask);
     extern int dte_task_alloc_security (struct task_struct *p);
     extern void dte_task_free_security (struct task_struct *p);
     extern int dte_sb_alloc_security (struct super_block *sb);
    @@ -784,7 +783,6 @@
     	inode_readlink:			dte_inode_readlink,
     	inode_follow_link:		dte_inode_follow_link,
     	inode_permission:		dte_inode_permission,
    -	inode_permission_lite:		dte_inode_permission_lite,
     	inode_setattr:			dte_inode_setattr,
     	inode_getattr:			dte_inode_getattr,
     	inode_delete:			dte_delete,
    ===== security/dte/inode.c 1.5 vs edited =====
    --- 1.5/security/dte/inode.c	Mon Jan  6 23:31:09 2003
    +++ edited/security/dte/inode.c	Tue Mar 25 23:59:13 2003
    @@ -500,39 +500,3 @@
     	else
     		return dte_real_inode_permission(inode, mask);
     }
    -
    -/* 
    - * At the moment, permission_lite is only called for directory x perm
    - * optimze for that.
    - */
    -int dte_inode_permission_lite(struct inode *inode, int mask)
    -{
    -	struct dte_inode_sec *s = inode->i_security;
    -	struct dte_task_sec *ts = current->security;
    -	struct dte_domain_t *d;
    -	struct dte_ta *ta;
    -	int h;
    -
    -	if (!dte_initialized) return 0;  /* only during setup, particularly 
    -							dte.conf and dteeaf */
    -	if (!s || !s->etype) {
    -		return 0;
    -	}
    -	if (!ts) {
    -		return 0;
    -	}
    -	d = ts->dte_domain;
    -	if (!d) {
    -		return 0;
    -	}
    -	h = dte_hash(s->etype, ts->dte_domain->num_ta);
    -	ta = &d->ta[h];
    -	while (ta && ta->type != s->etype)
    -		ta = ta->hash_next;
    -	if (!ta) {
    -		return -EACCES;
    -	}
    -	if (!dte_descend_access(ta->access))
    -		return -EACCES;
    -	return 0;
    -}
    ===== security/lids/lids_lsm.c 1.37 vs edited =====
    --- 1.37/security/lids/lids_lsm.c	Tue Mar 25 23:51:38 2003
    +++ edited/security/lids/lids_lsm.c	Tue Mar 25 23:59:34 2003
    @@ -434,11 +434,6 @@
     	return error;
     }
     
    -static int lids_inode_permission_lite (struct inode *inode, int mask)
    -{
    -	return 0;
    -}
    -
     static int lids_inode_setattr (struct dentry *dentry, struct iattr *iattr)
     {
             if( lids_load && lids_local_load) {
    @@ -761,7 +756,6 @@
     	.inode_readlink =		lids_inode_readlink,
     	.inode_follow_link =		lids_inode_follow_link,
     	.inode_permission =		lids_inode_permission,
    -	.inode_permission_lite =	lids_inode_permission_lite,
     	.inode_setattr =		lids_inode_setattr,
     	.inode_getattr =		lids_inode_getattr,
     	.inode_delete =			lids_delete,
    ===== security/selinux/hooks.c 1.82 vs edited =====
    --- 1.82/security/selinux/hooks.c	Tue Mar 25 23:51:38 2003
    +++ edited/security/selinux/hooks.c	Tue Mar 25 23:59:46 2003
    @@ -4011,7 +4011,6 @@
     	inode_readlink:			selinux_inode_readlink,
     	inode_follow_link:		selinux_inode_follow_link,
     	inode_permission:		selinux_inode_permission,
    -	inode_permission_lite:		selinux_inode_permission,
     	inode_setattr:			selinux_inode_setattr,
     	inode_getattr:			selinux_inode_getattr,
     	inode_delete:			selinux_inode_delete,
    


