From 3ba6fffc406b92307a1a84533e6c3ed8d0e5e26a Mon Sep 17 00:00:00 2001
From: Andrew Morton
Date: Tue, 20 Jan 2004 03:13:29 -0800
Subject: [PATCH] Default hooks protecting the XATTR_SECURITY_PREFIX namespace
From: Chris Wright
Add default hooks for both the dummy and capability code to protect the XATTR_SECURITY_PREFIX namespace. These EAs were fully accessible to unauthorized users, so a user that rebooted from an SELinux kernel to a default kernel would leave those critical EAs unprotected.
(Acked by Stephen Smalley)
---
 include/linux/security.h | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
(limited to 'include/linux')
diff --git a/include/linux/security.h b/include/linux/security.h
index 06b2c60a48f8..92786e0700c3 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -46,6 +46,8 @@ extern void cap_capset_set (struct task_struct *target, kernel_cap_t *effective,
 extern int cap_bprm_set_security (struct linux_binprm *bprm);
 extern void cap_bprm_compute_creds (struct linux_binprm *bprm);
 extern int cap_bprm_secureexec(struct linux_binprm *bprm);
+extern int cap_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags);
+extern int cap_inode_removexattr(struct dentry *dentry, char *name);
 extern int cap_task_post_setuid (uid_t old_ruid, uid_t old_euid, uid_t old_suid, int flags);
 extern void cap_task_reparent_to_init (struct task_struct *p);
 extern int cap_syslog (int type);
@@ -2155,7 +2157,7 @@ static inline void security_inode_delete (struct inode *inode)
 static inline int security_inode_setxattr (struct dentry *dentry, char *name, void *value, size_t size, int flags)
 {
- return 0;
+ return cap_inode_setxattr(dentry, name, value, size, flags);
 }
 static inline void security_inode_post_setxattr (struct dentry *dentry, char *name, 
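Review bot: The inline `security_inode_setxattr` in the -2155 hunk stops being a no-op and delegates to `cap_inode_setxattr` with nothing in the header saying why, so a reader of the !CONFIG_SECURITY path has no hint that this is the intended floor of protection; a comment above the inline such as `/* Even with no LSM loaded, writes to the XATTR_SECURITY_PREFIX namespace go through the capability code so that labels set under another kernel cannot be altered by unprivileged users. */` would carry the commit's rationale into the file. The same comment belongs on `security_inode_removexattr` in the -2174 hunk. Because the diffstat is limited to include/linux, the definitions of `cap_inode_setxattr` and `cap_inode_removexattr` are not visible here; since they are now reached from inline functions in a widely included header, they presumably must be built unconditionally and exported for modular callers, which is worth confirming against the companion change. The getxattr and listxattr inlines still return 0, which looks deliberate given the commit message only concerns write access, but that is inferred rather than shown.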
@@ -2174,7 +2176,7 @@ static inline int security_inode_listxattr (struct dentry *dentry)
 static inline int security_inode_removexattr (struct dentry *dentry, char *name)
 {
- return 0;
+ return cap_inode_removexattr(dentry, name);
 }
 static inline int security_inode_getsecurity(struct dentry *dentry, const char *name, void *buffer, size_t size)
-- 
cgit v1.2.3