authorAndrew Morton <akpm@osdl.org>2003-10-01 10:58:48 -0700
committerLinus Torvalds <torvalds@home.osdl.org>2003-10-01 10:58:48 -0700
commitd5f1f9dd5f3c03cc2b9398354fc3c8f6355fd9cc (patch)
tree792214c5becec2a574d093614b686b879b72c76c /security
parent4dfbe983b14062c6299b865d1535b2a478c14378 (diff)
downloadhistory-d5f1f9dd5f3c03cc2b9398354fc3c8f6355fd9cc.tar.gz
[PATCH] Pass nameidata to security_inode_permission hook
From: Stephen Smalley <sds@epoch.ncsc.mil> This patch changes the security_inode_permission hook to also take a nameidata parameter in addition to the existing inode and mask parameters. A nameidata is already passed (although sometimes NULL) to fs/namei.c:permission(), and the patch changes exec_permission_lite() to also take a nameidata parameter so that it can pass it along to the security hook. The patch includes corresponding changes to the SELinux module to use the nameidata information when it is available; this allows SELinux to include pathname information in audit messages when a nameidata structure was supplied.
Diffstat (limited to 'security')
-rw-r--r--security/dummy.c2
-rw-r--r--security/selinux/hooks.c7
2 files changed, 7 insertions, 2 deletions
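--- a/security/dummy.c
+++ b/security/dummy.c
@@ -364,7 +364,7 @@ static int dummy_inode_follow_link (struct dentry *dentry,
 return 0;
 }
-static int dummy_inode_permission (struct inode *inode, int mask)
+static int dummy_inode_permission (struct inode *inode, int mask, struct nameidata *nd)
 {
 return 0;
 }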
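--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1730,13 +1730,18 @@ static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *na
 return dentry_has_perm(current, NULL, dentry, FILE__READ);
 }
-static int selinux_inode_permission(struct inode *inode, int mask)
+static int selinux_inode_permission(struct inode *inode, int mask,
+ struct nameidata *nd)
 {
 if (!mask) {
 /* No permission to check. Existence test. */
 return 0;
 }
+ if (nd && nd->dentry)
+ return dentry_has_perm(current, nd->mnt, nd->dentry,
+ file_mask_to_av(inode->i_mode, mask));
+
 return inode_has_perm(current, inode,
 file_mask_to_av(inode->i_mode, mask), NULL, NULL);
 }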
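Review bot: The new branch at `if (nd && nd->dentry)` assumes that `nd->dentry->d_inode` is the same object as the `inode` parameter, but nothing in the hunk verifies it; if any caller passes a nameidata from a different stage of the lookup, the access vector is computed from `inode->i_mode` while the permission check and the audited pathname use a different dentry. A one-line sanity check such as `if (nd && nd->dentry && nd->dentry->d_inode == inode)` would keep the two paths consistent, falling through to the inode-only check otherwise; at minimum the assumption should be stated, e.g. `/* nd, when supplied, must refer to inode (see permission() in fs/namei.c) */`. The callers in fs/namei.c are outside this diff, so whether the assumption holds at every call site cannot be confirmed here.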