lsm/stable-6.7 PR 20231030

-----BEGIN PGP SIGNATURE-----
 
 iQJIBAABCAAyFiEES0KozwfymdVUl37v6iDy2pc3iXMFAmVAJpsUHHBhdWxAcGF1
 bC1tb29yZS5jb20ACgkQ6iDy2pc3iXOvghAAzzIu0KzvcDci1AkEvS/6MD0ChS/K
 d6cJPnf65bJ98M8PSIJz5bik2t6TYGDJZqAXTqyb6Bb7XM0ITVY5vPgLKWy1VXCr
 xHBQOSFzYWMV+cqo+17l55iRKPFQb+2rNHfIqKfwxrAWhLL0zeZR4M7AQQVMrT5Q
 WZXleW5xwvMA9My7ny+n3jTqxaiDIZTYyi0noF89j7NNfteehaKAkwZ6Phkdx5cM
 UeSTkv9fO2/O80UcBs63h2rAhBM7BAvSDV8PicDN6VyWWdE3njQUBkWK+aGt4Ab+
 KW2S1su0cPc636cmRyFqUvAdHNaJb2Uh+0OWRYWPd0fhAxI9kzYVQaMvl84ngwQZ
 g2z8VHaCE8pO4zCuBVmxOBhl0pVoQfSXOG1wXPvEw4Me5hEudda3Fa3SjCeD1u2j
 vEi/w2yl7Rb0oMg7MlpCZLSnH1fhwPxmnn+SJD1C0lCuINsB04sTuO0YbwJOcoUc
 30bbzZt4oNJmTeNfuDiYDeQQExdIaOhACEnJ0c4TiMU26FfoAWnQVnz2KSqWvy+g
 EKcQvqQD0Jl1e6adqyNDA7cexPkcC26KkUBJzK8g7pI6YqOG/Ev3dwygcM6Nesi8
 iSxfnjixU84hHRq+u/7wQ72ga5oRw0qwL6iXLyFlV/O6vuvlFRtGSofluXkZ2LNL
 m82igNveVpd9/Mc=
 =a9QY
 -----END PGP SIGNATURE-----

Merge tag 'lsm-pr-20231030' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm

Pull LSM updates from Paul Moore:

 - Add new credential functions, get_cred_many() and put_cred_many(), to
   save some atomic_t operations in a few code paths.

   While not strictly LSM related, this patchset had been rotting on the
   mailing lists for some time and since the LSMs do care a lot about
   credentials I thought it reasonable to give this patch a home.

 - Five patches to constify different LSM hook parameters.

 - Fix a spelling mistake.

* tag 'lsm-pr-20231030' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm:
  lsm: fix a spelling mistake
  cred: add get_cred_many and put_cred_many
  lsm: constify 'sb' parameter in security_sb_kern_mount()
  lsm: constify 'bprm' parameter in security_bprm_committed_creds()
  lsm: constify 'bprm' parameter in security_bprm_committing_creds()
  lsm: constify 'file' parameter in security_bprm_creds_from_file()
  lsm: constify 'sb' parameter in security_quotactl()
Linus Torvalds 2023-10-30 20:13:17 -10:00
commit 2b93c2c3c0
10 changed files with 97 additions and 52 deletions


@ -219,6 +219,20 @@ static inline bool cap_ambient_invariant_ok(const struct cred *cred)
cred->cap_inheritable)); cred->cap_inheritable));
} }
/**
* get_new_cred_many - Get references on a new set of credentials
* @cred: The new credentials to reference
* @nr: Number of references to acquire
*
* Get references on the specified set of new credentials. The caller must
* release all acquired references.
*/
static inline struct cred *get_new_cred_many(struct cred *cred, int nr)
{
atomic_add(nr, &cred->usage);
return cred;
}
/** /**
* get_new_cred - Get a reference on a new set of credentials * get_new_cred - Get a reference on a new set of credentials
* @cred: The new credentials to reference * @cred: The new credentials to reference
@ -228,16 +242,16 @@ static inline bool cap_ambient_invariant_ok(const struct cred *cred)
*/ */
static inline struct cred *get_new_cred(struct cred *cred) static inline struct cred *get_new_cred(struct cred *cred)
{ {
atomic_inc(&cred->usage); return get_new_cred_many(cred, 1);
return cred;
} }
/** /**
* get_cred - Get a reference on a set of credentials * get_cred_many - Get references on a set of credentials
* @cred: The credentials to reference * @cred: The credentials to reference
* @nr: Number of references to acquire
* *
* Get a reference on the specified set of credentials. The caller must * Get references on the specified set of credentials. The caller must release
* release the reference. If %NULL is passed, it is returned with no action. * all acquired reference. If %NULL is passed, it is returned with no action.
* *
* This is used to deal with a committed set of credentials. Although the * This is used to deal with a committed set of credentials. Although the
* pointer is const, this will temporarily discard the const and increment the * pointer is const, this will temporarily discard the const and increment the
@ -245,14 +259,28 @@ static inline struct cred *get_new_cred(struct cred *cred)
* accidental alteration of a set of credentials that should be considered * accidental alteration of a set of credentials that should be considered
* immutable. * immutable.
*/ */
static inline const struct cred *get_cred(const struct cred *cred) static inline const struct cred *get_cred_many(const struct cred *cred, int nr)
{ {
struct cred *nonconst_cred = (struct cred *) cred; struct cred *nonconst_cred = (struct cred *) cred;
if (!cred) if (!cred)
return cred; return cred;
validate_creds(cred); validate_creds(cred);
nonconst_cred->non_rcu = 0; nonconst_cred->non_rcu = 0;
return get_new_cred(nonconst_cred); return get_new_cred_many(nonconst_cred, nr);
}
/*
* get_cred - Get a reference on a set of credentials
* @cred: The credentials to reference
*
* Get a reference on the specified set of credentials. The caller must
* release the reference. If %NULL is passed, it is returned with no action.
*
* This is used to deal with a committed set of credentials.
*/
static inline const struct cred *get_cred(const struct cred *cred)
{
return get_cred_many(cred, 1);
} }
static inline const struct cred *get_cred_rcu(const struct cred *cred) static inline const struct cred *get_cred_rcu(const struct cred *cred)
@ -270,6 +298,7 @@ static inline const struct cred *get_cred_rcu(const struct cred *cred)
/** /**
* put_cred - Release a reference to a set of credentials * put_cred - Release a reference to a set of credentials
* @cred: The credentials to release * @cred: The credentials to release
* @nr: Number of references to release
* *
* Release a reference to a set of credentials, deleting them when the last ref * Release a reference to a set of credentials, deleting them when the last ref
* is released. If %NULL is passed, nothing is done. * is released. If %NULL is passed, nothing is done.
@ -278,17 +307,29 @@ static inline const struct cred *get_cred_rcu(const struct cred *cred)
* on task_struct are attached by const pointers to prevent accidental * on task_struct are attached by const pointers to prevent accidental
* alteration of otherwise immutable credential sets. * alteration of otherwise immutable credential sets.
*/ */
static inline void put_cred(const struct cred *_cred) static inline void put_cred_many(const struct cred *_cred, int nr)
{ {
struct cred *cred = (struct cred *) _cred; struct cred *cred = (struct cred *) _cred;
if (cred) { if (cred) {
validate_creds(cred); validate_creds(cred);
if (atomic_dec_and_test(&(cred)->usage)) if (atomic_sub_and_test(nr, &cred->usage))
__put_cred(cred); __put_cred(cred);
} }
} }
/*
* put_cred - Release a reference to a set of credentials
* @cred: The credentials to release
*
* Release a reference to a set of credentials, deleting them when the last ref
* is released. If %NULL is passed, nothing is done.
*/
static inline void put_cred(const struct cred *cred)
{
put_cred_many(cred, 1);
}
/** /**
* current_cred - Access the current task's subjective credentials * current_cred - Access the current task's subjective credentials
* *
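Review bot: The kernel-doc header at the top of the put_cred hunk still reads `* put_cred - Release a reference to a set of credentials` while the function it documents is now put_cred_many() with an added @nr line, so the name no longer matches the definition; it should become `* put_cred_many - Release references to a set of credentials`. The new wrapper comments above get_cred() and put_cred() open with `/*` instead of `/**`, so they are not picked up as kernel-doc at all. In the get_cred_many() description, "all acquired reference" should be "all acquired references". Since put_cred_many() feeds nr straight into atomic_sub_and_test() and get_cred_many()/get_new_cred_many() into atomic_add() with no sign check, the @nr lines should state that nr must be positive so a negative count does not silently add or drop references.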


@ -2478,7 +2478,7 @@ struct filename {
}; };
static_assert(offsetof(struct filename, iname) % sizeof(long) == 0); static_assert(offsetof(struct filename, iname) % sizeof(long) == 0);
static inline struct mnt_idmap *file_mnt_idmap(struct file *file) static inline struct mnt_idmap *file_mnt_idmap(const struct file *file)
{ {
return mnt_idmap(file->f_path.mnt); return mnt_idmap(file->f_path.mnt);
} }


@ -43,17 +43,17 @@ LSM_HOOK(int, 0, capset, struct cred *new, const struct cred *old,
const kernel_cap_t *permitted) const kernel_cap_t *permitted)
LSM_HOOK(int, 0, capable, const struct cred *cred, struct user_namespace *ns, LSM_HOOK(int, 0, capable, const struct cred *cred, struct user_namespace *ns,
int cap, unsigned int opts) int cap, unsigned int opts)
LSM_HOOK(int, 0, quotactl, int cmds, int type, int id, struct super_block *sb) LSM_HOOK(int, 0, quotactl, int cmds, int type, int id, const struct super_block *sb)
LSM_HOOK(int, 0, quota_on, struct dentry *dentry) LSM_HOOK(int, 0, quota_on, struct dentry *dentry)
LSM_HOOK(int, 0, syslog, int type) LSM_HOOK(int, 0, syslog, int type)
LSM_HOOK(int, 0, settime, const struct timespec64 *ts, LSM_HOOK(int, 0, settime, const struct timespec64 *ts,
const struct timezone *tz) const struct timezone *tz)
LSM_HOOK(int, 0, vm_enough_memory, struct mm_struct *mm, long pages) LSM_HOOK(int, 0, vm_enough_memory, struct mm_struct *mm, long pages)
LSM_HOOK(int, 0, bprm_creds_for_exec, struct linux_binprm *bprm) LSM_HOOK(int, 0, bprm_creds_for_exec, struct linux_binprm *bprm)
LSM_HOOK(int, 0, bprm_creds_from_file, struct linux_binprm *bprm, struct file *file) LSM_HOOK(int, 0, bprm_creds_from_file, struct linux_binprm *bprm, const struct file *file)
LSM_HOOK(int, 0, bprm_check_security, struct linux_binprm *bprm) LSM_HOOK(int, 0, bprm_check_security, struct linux_binprm *bprm)
LSM_HOOK(void, LSM_RET_VOID, bprm_committing_creds, struct linux_binprm *bprm) LSM_HOOK(void, LSM_RET_VOID, bprm_committing_creds, const struct linux_binprm *bprm)
LSM_HOOK(void, LSM_RET_VOID, bprm_committed_creds, struct linux_binprm *bprm) LSM_HOOK(void, LSM_RET_VOID, bprm_committed_creds, const struct linux_binprm *bprm)
LSM_HOOK(int, 0, fs_context_submount, struct fs_context *fc, struct super_block *reference) LSM_HOOK(int, 0, fs_context_submount, struct fs_context *fc, struct super_block *reference)
LSM_HOOK(int, 0, fs_context_dup, struct fs_context *fc, LSM_HOOK(int, 0, fs_context_dup, struct fs_context *fc,
struct fs_context *src_sc) struct fs_context *src_sc)
@ -66,7 +66,7 @@ LSM_HOOK(void, LSM_RET_VOID, sb_free_mnt_opts, void *mnt_opts)
LSM_HOOK(int, 0, sb_eat_lsm_opts, char *orig, void **mnt_opts) LSM_HOOK(int, 0, sb_eat_lsm_opts, char *orig, void **mnt_opts)
LSM_HOOK(int, 0, sb_mnt_opts_compat, struct super_block *sb, void *mnt_opts) LSM_HOOK(int, 0, sb_mnt_opts_compat, struct super_block *sb, void *mnt_opts)
LSM_HOOK(int, 0, sb_remount, struct super_block *sb, void *mnt_opts) LSM_HOOK(int, 0, sb_remount, struct super_block *sb, void *mnt_opts)
LSM_HOOK(int, 0, sb_kern_mount, struct super_block *sb) LSM_HOOK(int, 0, sb_kern_mount, const struct super_block *sb)
LSM_HOOK(int, 0, sb_show_options, struct seq_file *m, struct super_block *sb) LSM_HOOK(int, 0, sb_show_options, struct seq_file *m, struct super_block *sb)
LSM_HOOK(int, 0, sb_statfs, struct dentry *dentry) LSM_HOOK(int, 0, sb_statfs, struct dentry *dentry)
LSM_HOOK(int, 0, sb_mount, const char *dev_name, const struct path *path, LSM_HOOK(int, 0, sb_mount, const char *dev_name, const struct path *path,


@ -151,7 +151,7 @@ extern int cap_capset(struct cred *new, const struct cred *old,
const kernel_cap_t *effective, const kernel_cap_t *effective,
const kernel_cap_t *inheritable, const kernel_cap_t *inheritable,
const kernel_cap_t *permitted); const kernel_cap_t *permitted);
extern int cap_bprm_creds_from_file(struct linux_binprm *bprm, struct file *file); extern int cap_bprm_creds_from_file(struct linux_binprm *bprm, const struct file *file);
int cap_inode_setxattr(struct dentry *dentry, const char *name, int cap_inode_setxattr(struct dentry *dentry, const char *name,
const void *value, size_t size, int flags); const void *value, size_t size, int flags);
int cap_inode_removexattr(struct mnt_idmap *idmap, int cap_inode_removexattr(struct mnt_idmap *idmap,
@ -284,16 +284,16 @@ int security_capable(const struct cred *cred,
struct user_namespace *ns, struct user_namespace *ns,
int cap, int cap,
unsigned int opts); unsigned int opts);
int security_quotactl(int cmds, int type, int id, struct super_block *sb); int security_quotactl(int cmds, int type, int id, const struct super_block *sb);
int security_quota_on(struct dentry *dentry); int security_quota_on(struct dentry *dentry);
int security_syslog(int type); int security_syslog(int type);
int security_settime64(const struct timespec64 *ts, const struct timezone *tz); int security_settime64(const struct timespec64 *ts, const struct timezone *tz);
int security_vm_enough_memory_mm(struct mm_struct *mm, long pages); int security_vm_enough_memory_mm(struct mm_struct *mm, long pages);
int security_bprm_creds_for_exec(struct linux_binprm *bprm); int security_bprm_creds_for_exec(struct linux_binprm *bprm);
int security_bprm_creds_from_file(struct linux_binprm *bprm, struct file *file); int security_bprm_creds_from_file(struct linux_binprm *bprm, const struct file *file);
int security_bprm_check(struct linux_binprm *bprm); int security_bprm_check(struct linux_binprm *bprm);
void security_bprm_committing_creds(struct linux_binprm *bprm); void security_bprm_committing_creds(const struct linux_binprm *bprm);
void security_bprm_committed_creds(struct linux_binprm *bprm); void security_bprm_committed_creds(const struct linux_binprm *bprm);
int security_fs_context_submount(struct fs_context *fc, struct super_block *reference); int security_fs_context_submount(struct fs_context *fc, struct super_block *reference);
int security_fs_context_dup(struct fs_context *fc, struct fs_context *src_fc); int security_fs_context_dup(struct fs_context *fc, struct fs_context *src_fc);
int security_fs_context_parse_param(struct fs_context *fc, struct fs_parameter *param); int security_fs_context_parse_param(struct fs_context *fc, struct fs_parameter *param);
@ -304,7 +304,7 @@ void security_free_mnt_opts(void **mnt_opts);
int security_sb_eat_lsm_opts(char *options, void **mnt_opts); int security_sb_eat_lsm_opts(char *options, void **mnt_opts);
int security_sb_mnt_opts_compat(struct super_block *sb, void *mnt_opts); int security_sb_mnt_opts_compat(struct super_block *sb, void *mnt_opts);
int security_sb_remount(struct super_block *sb, void *mnt_opts); int security_sb_remount(struct super_block *sb, void *mnt_opts);
int security_sb_kern_mount(struct super_block *sb); int security_sb_kern_mount(const struct super_block *sb);
int security_sb_show_options(struct seq_file *m, struct super_block *sb); int security_sb_show_options(struct seq_file *m, struct super_block *sb);
int security_sb_statfs(struct dentry *dentry); int security_sb_statfs(struct dentry *dentry);
int security_sb_mount(const char *dev_name, const struct path *path, int security_sb_mount(const char *dev_name, const struct path *path,
@ -581,7 +581,7 @@ static inline int security_capable(const struct cred *cred,
} }
static inline int security_quotactl(int cmds, int type, int id, static inline int security_quotactl(int cmds, int type, int id,
struct super_block *sb) const struct super_block *sb)
{ {
return 0; return 0;
} }
@ -613,7 +613,7 @@ static inline int security_bprm_creds_for_exec(struct linux_binprm *bprm)
} }
static inline int security_bprm_creds_from_file(struct linux_binprm *bprm, static inline int security_bprm_creds_from_file(struct linux_binprm *bprm,
struct file *file) const struct file *file)
{ {
return cap_bprm_creds_from_file(bprm, file); return cap_bprm_creds_from_file(bprm, file);
} }
@ -623,11 +623,11 @@ static inline int security_bprm_check(struct linux_binprm *bprm)
return 0; return 0;
} }
static inline void security_bprm_committing_creds(struct linux_binprm *bprm) static inline void security_bprm_committing_creds(const struct linux_binprm *bprm)
{ {
} }
static inline void security_bprm_committed_creds(struct linux_binprm *bprm) static inline void security_bprm_committed_creds(const struct linux_binprm *bprm)
{ {
} }


@ -162,23 +162,29 @@ EXPORT_SYMBOL(__put_cred);
*/ */
void exit_creds(struct task_struct *tsk) void exit_creds(struct task_struct *tsk)
{ {
struct cred *cred; struct cred *real_cred, *cred;
kdebug("exit_creds(%u,%p,%p,{%d,%d})", tsk->pid, tsk->real_cred, tsk->cred, kdebug("exit_creds(%u,%p,%p,{%d,%d})", tsk->pid, tsk->real_cred, tsk->cred,
atomic_read(&tsk->cred->usage), atomic_read(&tsk->cred->usage),
read_cred_subscribers(tsk->cred)); read_cred_subscribers(tsk->cred));
cred = (struct cred *) tsk->real_cred; real_cred = (struct cred *) tsk->real_cred;
tsk->real_cred = NULL; tsk->real_cred = NULL;
validate_creds(cred);
alter_cred_subscribers(cred, -1);
put_cred(cred);
cred = (struct cred *) tsk->cred; cred = (struct cred *) tsk->cred;
tsk->cred = NULL; tsk->cred = NULL;
validate_creds(cred); validate_creds(cred);
alter_cred_subscribers(cred, -1); if (real_cred == cred) {
put_cred(cred); alter_cred_subscribers(cred, -2);
put_cred_many(cred, 2);
} else {
validate_creds(real_cred);
alter_cred_subscribers(real_cred, -1);
put_cred(real_cred);
alter_cred_subscribers(cred, -1);
put_cred(cred);
}
#ifdef CONFIG_KEYS_REQUEST_CACHE #ifdef CONFIG_KEYS_REQUEST_CACHE
key_put(tsk->cached_requested_key); key_put(tsk->cached_requested_key);
@ -355,8 +361,7 @@ int copy_creds(struct task_struct *p, unsigned long clone_flags)
#endif #endif
clone_flags & CLONE_THREAD clone_flags & CLONE_THREAD
) { ) {
p->real_cred = get_cred(p->cred); p->real_cred = get_cred_many(p->cred, 2);
get_cred(p->cred);
alter_cred_subscribers(p->cred, 2); alter_cred_subscribers(p->cred, 2);
kdebug("share_creds(%p{%d,%d})", kdebug("share_creds(%p{%d,%d})",
p->cred, atomic_read(&p->cred->usage), p->cred, atomic_read(&p->cred->usage),
@ -520,8 +525,7 @@ int commit_creds(struct cred *new)
proc_id_connector(task, PROC_EVENT_GID); proc_id_connector(task, PROC_EVENT_GID);
/* release the old obj and subj refs both */ /* release the old obj and subj refs both */
put_cred(old); put_cred_many(old, 2);
put_cred(old);
return 0; return 0;
} }
EXPORT_SYMBOL(commit_creds); EXPORT_SYMBOL(commit_creds);
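Review bot: The new `if (real_cred == cred)` fast path in exit_creds() drops two references and two subscriber counts with a single call but has no comment saying why that is correct, which a reader not familiar with cred sharing will have to reconstruct from copy_creds(). A one-line comment above the branch would do: `/* obj and subj creds may be the same struct (see copy_creds with CLONE_THREAD): drop both refs at once */`. Note also that validate_creds(cred) now runs once before the branch for the shared case while the else branch validates real_cred separately, which is consistent but worth a reader knowing is intentional. The body of exit_creds() continues past the end of the hunk.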


@ -734,7 +734,7 @@ fail:
* apparmor_bprm_committing_creds - do task cleanup on committing new creds * apparmor_bprm_committing_creds - do task cleanup on committing new creds
* @bprm: binprm for the exec (NOT NULL) * @bprm: binprm for the exec (NOT NULL)
*/ */
static void apparmor_bprm_committing_creds(struct linux_binprm *bprm) static void apparmor_bprm_committing_creds(const struct linux_binprm *bprm)
{ {
struct aa_label *label = aa_current_raw_label(); struct aa_label *label = aa_current_raw_label();
struct aa_label *new_label = cred_label(bprm->cred); struct aa_label *new_label = cred_label(bprm->cred);
@ -756,7 +756,7 @@ static void apparmor_bprm_committing_creds(struct linux_binprm *bprm)
* apparmor_bprm_committed_creds() - do cleanup after new creds committed * apparmor_bprm_committed_creds() - do cleanup after new creds committed
* @bprm: binprm for the exec (NOT NULL) * @bprm: binprm for the exec (NOT NULL)
*/ */
static void apparmor_bprm_committed_creds(struct linux_binprm *bprm) static void apparmor_bprm_committed_creds(const struct linux_binprm *bprm)
{ {
/* clear out temporary/transitional state from the context */ /* clear out temporary/transitional state from the context */
aa_clear_task_ctx_trans(task_ctx(current)); aa_clear_task_ctx_trans(task_ctx(current));


@ -720,7 +720,7 @@ int get_vfs_caps_from_disk(struct mnt_idmap *idmap,
* its xattrs and, if present, apply them to the proposed credentials being * its xattrs and, if present, apply them to the proposed credentials being
* constructed by execve(). * constructed by execve().
*/ */
static int get_file_caps(struct linux_binprm *bprm, struct file *file, static int get_file_caps(struct linux_binprm *bprm, const struct file *file,
bool *effective, bool *has_fcap) bool *effective, bool *has_fcap)
{ {
int rc = 0; int rc = 0;
@ -882,7 +882,7 @@ static inline bool nonroot_raised_pE(struct cred *new, const struct cred *old,
* *
* Return: 0 if successful, -ve on error. * Return: 0 if successful, -ve on error.
*/ */
int cap_bprm_creds_from_file(struct linux_binprm *bprm, struct file *file) int cap_bprm_creds_from_file(struct linux_binprm *bprm, const struct file *file)
{ {
/* Process setpcap binaries and capabilities for uid 0 */ /* Process setpcap binaries and capabilities for uid 0 */
const struct cred *old = current_cred(); const struct cred *old = current_cred();


@ -957,7 +957,7 @@ int security_capable(const struct cred *cred,
* *
* Return: Returns 0 if permission is granted. * Return: Returns 0 if permission is granted.
*/ */
int security_quotactl(int cmds, int type, int id, struct super_block *sb) int security_quotactl(int cmds, int type, int id, const struct super_block *sb)
{ {
return call_int_hook(quotactl, 0, cmds, type, id, sb); return call_int_hook(quotactl, 0, cmds, type, id, sb);
} }
@ -1079,7 +1079,7 @@ int security_bprm_creds_for_exec(struct linux_binprm *bprm)
* *
* Return: Returns 0 if the hook is successful and permission is granted. * Return: Returns 0 if the hook is successful and permission is granted.
*/ */
int security_bprm_creds_from_file(struct linux_binprm *bprm, struct file *file) int security_bprm_creds_from_file(struct linux_binprm *bprm, const struct file *file)
{ {
return call_int_hook(bprm_creds_from_file, 0, bprm, file); return call_int_hook(bprm_creds_from_file, 0, bprm, file);
} }
@ -1118,7 +1118,7 @@ int security_bprm_check(struct linux_binprm *bprm)
* open file descriptors to which access will no longer be granted when the * open file descriptors to which access will no longer be granted when the
* attributes are changed. This is called immediately before commit_creds(). * attributes are changed. This is called immediately before commit_creds().
*/ */
void security_bprm_committing_creds(struct linux_binprm *bprm) void security_bprm_committing_creds(const struct linux_binprm *bprm)
{ {
call_void_hook(bprm_committing_creds, bprm); call_void_hook(bprm_committing_creds, bprm);
} }
@ -1134,7 +1134,7 @@ void security_bprm_committing_creds(struct linux_binprm *bprm)
* process such as clearing out non-inheritable signal state. This is called * process such as clearing out non-inheritable signal state. This is called
* immediately after commit_creds(). * immediately after commit_creds().
*/ */
void security_bprm_committed_creds(struct linux_binprm *bprm) void security_bprm_committed_creds(const struct linux_binprm *bprm)
{ {
call_void_hook(bprm_committed_creds, bprm); call_void_hook(bprm_committed_creds, bprm);
} }
@ -1319,7 +1319,7 @@ EXPORT_SYMBOL(security_sb_remount);
* *
* Return: Returns 0 if permission is granted. * Return: Returns 0 if permission is granted.
*/ */
int security_sb_kern_mount(struct super_block *sb) int security_sb_kern_mount(const struct super_block *sb)
{ {
return call_int_hook(sb_kern_mount, 0, sb); return call_int_hook(sb_kern_mount, 0, sb);
} }
@ -3957,7 +3957,7 @@ void security_inode_invalidate_secctx(struct inode *inode)
EXPORT_SYMBOL(security_inode_invalidate_secctx); EXPORT_SYMBOL(security_inode_invalidate_secctx);
/** /**
* security_inode_notifysecctx() - Nofify the LSM of an inode's security label * security_inode_notifysecctx() - Notify the LSM of an inode's security label
* @inode: inode * @inode: inode
* @ctx: secctx * @ctx: secctx
* @ctxlen: length of secctx * @ctxlen: length of secctx


@ -1937,7 +1937,7 @@ static inline int may_rename(struct inode *old_dir,
/* Check whether a task can perform a filesystem operation. */ /* Check whether a task can perform a filesystem operation. */
static int superblock_has_perm(const struct cred *cred, static int superblock_has_perm(const struct cred *cred,
struct super_block *sb, const struct super_block *sb,
u32 perms, u32 perms,
struct common_audit_data *ad) struct common_audit_data *ad)
{ {
@ -2139,7 +2139,7 @@ static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
return cred_has_capability(cred, cap, opts, ns == &init_user_ns); return cred_has_capability(cred, cap, opts, ns == &init_user_ns);
} }
static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb) static int selinux_quotactl(int cmds, int type, int id, const struct super_block *sb)
{ {
const struct cred *cred = current_cred(); const struct cred *cred = current_cred();
int rc = 0; int rc = 0;
@ -2455,7 +2455,7 @@ static inline void flush_unauthorized_files(const struct cred *cred,
/* /*
* Prepare a process for imminent new credential changes due to exec * Prepare a process for imminent new credential changes due to exec
*/ */
static void selinux_bprm_committing_creds(struct linux_binprm *bprm) static void selinux_bprm_committing_creds(const struct linux_binprm *bprm)
{ {
struct task_security_struct *new_tsec; struct task_security_struct *new_tsec;
struct rlimit *rlim, *initrlim; struct rlimit *rlim, *initrlim;
@ -2501,7 +2501,7 @@ static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
* Clean up the process immediately after the installation of new credentials * Clean up the process immediately after the installation of new credentials
* due to exec * due to exec
*/ */
static void selinux_bprm_committed_creds(struct linux_binprm *bprm) static void selinux_bprm_committed_creds(const struct linux_binprm *bprm)
{ {
const struct task_security_struct *tsec = selinux_cred(current_cred()); const struct task_security_struct *tsec = selinux_cred(current_cred());
u32 osid, sid; u32 osid, sid;
@ -2721,7 +2721,7 @@ out_bad_option:
return -EINVAL; return -EINVAL;
} }
static int selinux_sb_kern_mount(struct super_block *sb) static int selinux_sb_kern_mount(const struct super_block *sb)
{ {
const struct cred *cred = current_cred(); const struct cred *cred = current_cred();
struct common_audit_data ad; struct common_audit_data ad;


@ -52,7 +52,7 @@ static int tomoyo_cred_prepare(struct cred *new, const struct cred *old,
* *
* @bprm: Pointer to "struct linux_binprm". * @bprm: Pointer to "struct linux_binprm".
*/ */
static void tomoyo_bprm_committed_creds(struct linux_binprm *bprm) static void tomoyo_bprm_committed_creds(const struct linux_binprm *bprm)
{ {
/* Clear old_domain_info saved by execve() request. */ /* Clear old_domain_info saved by execve() request. */
struct tomoyo_task *s = tomoyo_task(current); struct tomoyo_task *s = tomoyo_task(current);