diff options
author | Khadija Kamran <kamrankhadijadj@gmail.com> | 2023-08-12 20:31:08 +0500 |
---|---|---|
committer | Paul Moore <paul@paul-moore.com> | 2023-08-15 16:04:34 -0400 |
commit | 8e4672d6f902d5c4db1e87e8aa9f530149d85bc6 (patch) | |
tree | 8b2450fcb8a618c672456e1b90801b3f8ebf1e09 | |
parent | 6672efbb685f7c9c9df005beb839e1942fd6b34e (diff) | |
download | lwn-8e4672d6f902d5c4db1e87e8aa9f530149d85bc6.tar.gz lwn-8e4672d6f902d5c4db1e87e8aa9f530149d85bc6.zip |
lsm: constify the 'file' parameter in security_binder_transfer_file()
SELinux registers the implementation for the "binder_transfer_file"
hook. Looking at the function implementation we observe that the
parameter "file" is not changing.
Mark the "file" parameter of LSM hook security_binder_transfer_file() as
"const" since it will not be changing in the LSM hook.
Signed-off-by: Khadija Kamran <kamrankhadijadj@gmail.com>
[PM: subject line whitespace fix]
Signed-off-by: Paul Moore <paul@paul-moore.com>
-rw-r--r-- | include/linux/lsm_hook_defs.h | 2 | ||||
-rw-r--r-- | include/linux/security.h | 4 | ||||
-rw-r--r-- | security/security.c | 2 | ||||
-rw-r--r-- | security/selinux/hooks.c | 8 |
4 files changed, 8 insertions, 8 deletions
diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index 540caa703573..4bdddb52a8fe 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -32,7 +32,7 @@ LSM_HOOK(int, 0, binder_transaction, const struct cred *from, LSM_HOOK(int, 0, binder_transfer_binder, const struct cred *from, const struct cred *to) LSM_HOOK(int, 0, binder_transfer_file, const struct cred *from, - const struct cred *to, struct file *file) + const struct cred *to, const struct file *file) LSM_HOOK(int, 0, ptrace_access_check, struct task_struct *child, unsigned int mode) LSM_HOOK(int, 0, ptrace_traceme, struct task_struct *parent) diff --git a/include/linux/security.h b/include/linux/security.h index 7665f56d920a..dcb3604ffab8 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -269,7 +269,7 @@ int security_binder_transaction(const struct cred *from, int security_binder_transfer_binder(const struct cred *from, const struct cred *to); int security_binder_transfer_file(const struct cred *from, - const struct cred *to, struct file *file); + const struct cred *to, const struct file *file); int security_ptrace_access_check(struct task_struct *child, unsigned int mode); int security_ptrace_traceme(struct task_struct *parent); int security_capget(const struct task_struct *target, @@ -538,7 +538,7 @@ static inline int security_binder_transfer_binder(const struct cred *from, static inline int security_binder_transfer_file(const struct cred *from, const struct cred *to, - struct file *file) + const struct file *file) { return 0; } diff --git a/security/security.c b/security/security.c index 6962ea38a98f..96f2c68a1571 100644 --- a/security/security.c +++ b/security/security.c @@ -841,7 +841,7 @@ int security_binder_transfer_binder(const struct cred *from, * Return: Returns 0 if permission is granted. */ int security_binder_transfer_file(const struct cred *from, - const struct cred *to, struct file *file) + const struct cred *to, const struct file *file) { return call_int_hook(binder_transfer_file, 0, from, to, file); } diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index c816dc5de627..ee7c49c2cfd3 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -1691,7 +1691,7 @@ static inline int file_path_has_perm(const struct cred *cred, } #ifdef CONFIG_BPF_SYSCALL -static int bpf_fd_pass(struct file *file, u32 sid); +static int bpf_fd_pass(const struct file *file, u32 sid); #endif /* Check whether a task can use an open file descriptor to @@ -1952,7 +1952,7 @@ static inline u32 file_mask_to_av(int mode, int mask) } /* Convert a Linux file to an access vector. */ -static inline u32 file_to_av(struct file *file) +static inline u32 file_to_av(const struct file *file) { u32 av = 0; @@ -2027,7 +2027,7 @@ static int selinux_binder_transfer_binder(const struct cred *from, static int selinux_binder_transfer_file(const struct cred *from, const struct cred *to, - struct file *file) + const struct file *file) { u32 sid = cred_sid(to); struct file_security_struct *fsec = selinux_file(file); @@ -6718,7 +6718,7 @@ static u32 bpf_map_fmode_to_av(fmode_t fmode) * access the bpf object and that's why we have to add this additional check in * selinux_file_receive and selinux_binder_transfer_files. */ -static int bpf_fd_pass(struct file *file, u32 sid) +static int bpf_fd_pass(const struct file *file, u32 sid) { struct bpf_security_struct *bpfsec; struct bpf_prog *prog; |