[PATCH] vfs: new FROM_ACCESS flag

From: Eric Paris
Date: Sun Sep 20 2009 - 21:31:03 EST


This new acc_mode flag is just to tell the security system this inode
permission check is from the access system call. The security system can
use this information as it finds appropriate. In particular SELinux plans to
use this flag to alter what we choose to audit and what we do not choose to
audit.

Signed-off-by: Eric Paris <eparis@xxxxxxxxxx>
---

fs/open.c | 2 +-
include/linux/fs.h | 5 +++++
2 files changed, 6 insertions(+), 1 deletions(-)

diff --git a/fs/open.c b/fs/open.c
index 1940498..ad9e17f 100644
--- a/fs/open.c
+++ b/fs/open.c
@@ -495,7 +495,7 @@ SYSCALL_DEFINE3(faccessat, int, dfd, const char __user *, filename, int, mode)
goto out_path_release;
}

- res = inode_permission(inode, mode | MAY_ACCESS);
+ res = inode_permission(inode, mode | MAY_ACCESS | FROM_ACCESS);
/* SuS v2 requires we report a read only fs too */
if (res || !(mode & S_IWOTH) || special_file(inode->i_mode))
goto out_path_release;
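Review bot: The changed inode_permission() call already passes MAY_ACCESS, and the commit message does not say why the security system cannot key off that existing bit instead of a second one set at the same call site. Please state in the changelog what FROM_ACCESS conveys that MAY_ACCESS does not. Also, the combined mask now carries a bit that did not exist before this patch, and nothing in the patch shows whether code further down the permission path tolerates or strips unknown bits. It would help to confirm that, or to clear the flag before the mask reaches code that does not expect it.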
diff --git a/include/linux/fs.h b/include/linux/fs.h
index 5df69f0..7ff00dc 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -60,6 +60,11 @@ struct inodes_stat_t {
*/
#define MAY_ACCESS 16
#define MAY_OPEN 32
+/*
+ * This flag is only set in the access() and accessat() syscalls and can
+ * be used by the security system as it deems reasonable.
+ */
+#define FROM_ACCESS 64

/*
* flags in file.f_mode. Note that FMODE_READ and FMODE_WRITE must correspond
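Review bot: The new comment above FROM_ACCESS says the flag is set in "access() and accessat()", but the syscall touched in fs/open.c is faccessat, so the comment should name it correctly. The define also breaks the MAY_ prefix convention of its neighbours MAY_ACCESS and MAY_OPEN while sharing their bit space (16, 32, 64). Either give it a MAY_ style name or extend the comment to say that it is not a permission request but a hint about the caller, so a reader of the mask does not treat it as one more access type.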
