/* hardlinks require at minimum create permission,
any additional privilege required is based on the
privilege of the file being linked to
*/
__u32
gr_acl_handle_link(const struct dentry * new_dentry,
const struct dentry * parent_dentry,
const struct vfsmount * parent_mnt,
const struct dentry * old_dentry,
const struct vfsmount * old_mnt, const char *to)
{
__u32 mode;
__u32 needmode = GR_CREATE | GR_LINK;
__u32 needaudit = GR_AUDIT_CREATE | GR_AUDIT_LINK;
mode =
gr_check_link(new_dentry, parent_dentry, parent_mnt, old_dentry,
old_mnt);
if (unlikely(((mode & needmode) == needmode) && (mode & needaudit))) {
gr_log_fs_rbac_str(GR_DO_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
return mode;
} else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
return 0;
} else if (unlikely((mode & needmode) != needmode))
return 0;
return 1;
}
int
gr_acl_handle_rename(struct dentry *new_dentry,
struct dentry *parent_dentry,
const struct vfsmount *parent_mnt,
struct dentry *old_dentry,
struct inode *old_parent_inode,
struct vfsmount *old_mnt, const struct filename *newname, unsigned int flags)
{
__u32 comp1, comp2;
int error = 0;
if (unlikely(!gr_acl_is_enabled()))
return 0;
if (flags & RENAME_EXCHANGE) {
comp1 = gr_search_file(new_dentry, GR_READ | GR_WRITE |
GR_AUDIT_READ | GR_AUDIT_WRITE |
GR_SUPPRESS, parent_mnt);
comp2 =
gr_search_file(old_dentry,
GR_READ | GR_WRITE | GR_AUDIT_READ |
GR_AUDIT_WRITE | GR_SUPPRESS, old_mnt);
} else if (d_is_negative(new_dentry)) {
comp1 = gr_check_create(new_dentry, parent_dentry, parent_mnt,
GR_READ | GR_WRITE | GR_CREATE | GR_AUDIT_READ |
GR_AUDIT_WRITE | GR_AUDIT_CREATE | GR_SUPPRESS);
comp2 = gr_search_file(old_dentry, GR_READ | GR_WRITE |
GR_DELETE | GR_AUDIT_DELETE |
GR_AUDIT_READ | GR_AUDIT_WRITE |
GR_SUPPRESS, old_mnt);
} else {
comp1 = gr_search_file(new_dentry, GR_READ | GR_WRITE |
GR_CREATE | GR_DELETE |
GR_AUDIT_CREATE | GR_AUDIT_DELETE |
GR_AUDIT_READ | GR_AUDIT_WRITE |
GR_SUPPRESS, parent_mnt);
comp2 =
gr_search_file(old_dentry,
GR_READ | GR_WRITE | GR_AUDIT_READ |
GR_DELETE | GR_AUDIT_DELETE |
GR_AUDIT_WRITE | GR_SUPPRESS, old_mnt);
}
if (RENAME_CHECK_SUCCESS(comp1, comp2) &&
((comp1 & GR_AUDITS) || (comp2 & GR_AUDITS)))
gr_log_fs_rbac_str(GR_DO_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname->name);
else if (!RENAME_CHECK_SUCCESS(comp1, comp2) && !(comp1 & GR_SUPPRESS)
&& !(comp2 & GR_SUPPRESS)) {
gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname->name);
error = -EACCES;
} else if (unlikely(!RENAME_CHECK_SUCCESS(comp1, comp2)))
error = -EACCES;
return error;
}