[apparmor] [PATCH 1/4] security: add security_path_chdir hook

John Johansen john.johansen at canonical.com
Tue Nov 5 13:34:58 UTC 2013 

Signed-off-by: John Johansen <john.johansen at canonical.com>
---
 fs/open.c                |  8 ++++++++
 include/linux/security.h | 11 +++++++++++
 security/security.c      |  7 +++++++
 3 files changed, 26 insertions(+)

diff --git a/fs/open.c b/fs/open.c
index d420331..9505fc5 100644
--- a/fs/open.c
+++ b/fs/open.c
@@ -387,6 +387,10 @@ retry:
 	if (error)
 		goto out;
 
+	error = security_path_chdir(&path);
+	if (error)
+		goto dput_and_out;
+
 	error = inode_permission(path.dentry->d_inode, MAY_EXEC | MAY_CHDIR);
 	if (error)
 		goto dput_and_out;
@@ -419,6 +423,10 @@ SYSCALL_DEFINE1(fchdir, unsigned int, fd)
 	if (!S_ISDIR(inode->i_mode))
 		goto out_putf;
 
+	error = security_path_chdir(&f.file->f_path);
+	if (error)
+		goto out_putf;
+
 	error = inode_permission(inode, MAY_EXEC | MAY_CHDIR);
 	if (!error)
 		set_fs_pwd(current->fs, &f.file->f_path);
diff --git a/include/linux/security.h b/include/linux/security.h
index 9d37e2b..ed693ff 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -466,6 +466,10 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
  *	@uid contains new owner's ID.
  *	@gid contains new group's ID.
  *	Return 0 if permission is granted.
+ * @path_chdir:
+ *	Check for permission to change working directory to @path.
+ *	@path contains the path structure.
+ *	Return 0 if permission is granted.
  * @path_chroot:
  *	Check for permission to change root directory.
  *	@path contains the path structure.
@@ -1486,6 +1490,7 @@ struct security_operations {
 			    struct path *new_dir, struct dentry *new_dentry);
 	int (*path_chmod) (struct path *path, umode_t mode);
 	int (*path_chown) (struct path *path, kuid_t uid, kgid_t gid);
+	int (*path_chdir) (struct path *path);
 	int (*path_chroot) (struct path *path);
 #endif
 
@@ -2944,6 +2949,7 @@ int security_path_rename(struct path *old_dir, struct dentry *old_dentry,
 			 struct path *new_dir, struct dentry *new_dentry);
 int security_path_chmod(struct path *path, umode_t mode);
 int security_path_chown(struct path *path, kuid_t uid, kgid_t gid);
+int security_path_chdir(struct path *path);
 int security_path_chroot(struct path *path);
 #else	/* CONFIG_SECURITY_PATH */
 static inline int security_path_unlink(struct path *dir, struct dentry *dentry)
@@ -3004,6 +3010,11 @@ static inline int security_path_chown(struct path *path, kuid_t uid, kgid_t gid)
 	return 0;
 }
 
+static inline int security_path_chdir(struct path *path)
+{
+	return 0;
+}
+
 static inline int security_path_chroot(struct path *path)
 {
 	return 0;
diff --git a/security/security.c b/security/security.c
index 4dc31f4..ca57c35 100644
--- a/security/security.c
+++ b/security/security.c
@@ -464,6 +464,13 @@ int security_path_chown(struct path *path, kuid_t uid, kgid_t gid)
 	return security_ops->path_chown(path, uid, gid);
 }
 
+int security_path_chdir(struct path *path)
+{
+	if (unlikely(IS_PRIVATE(path->dentry->d_inode)))
+		return 0;
+	return security_ops->path_chdir(path);
+}
+
 int security_path_chroot(struct path *path)
 {
 	return security_ops->path_chroot(path);
-- 
1.8.3.2

More information about the AppArmor mailing list