security: add LSM file pre-free hook to be compatible with 4.19
security_file_free moved to after the deallocation of the file's dentry
which is needed by our LSM. Add a new hook always called before dentry
is freed.
BUG=b:148390640
TEST=Ran all internal testing.
SOURCE=KTD
Signed-off-by: John Davis <kyuzo@google.com>
Change-Id: I6a7b316564d3e2231501f8925ba129257f460f23
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/third_party/lakitu-kernel/+/2062509
Commit-Queue: Thomas Garnier <thgarnie@chromium.org>
Commit-Queue: Vaibhav Rustagi <vaibhavrustagi@google.com>
Reviewed-by: Thomas Garnier <thgarnie@chromium.org>
Reviewed-by: Peter Martincic <martincic@google.com>
Reviewed-by: Vaibhav Rustagi <vaibhavrustagi@google.com>
Tested-by: Vaibhav Rustagi <vaibhavrustagi@google.com>
diff --git a/fs/file_table.c b/fs/file_table.c
index e49af4c..023fd1e 100644
--- a/fs/file_table.c
+++ b/fs/file_table.c
@@ -276,6 +276,9 @@
}
if (file->f_op->release)
file->f_op->release(inode, file);
+
+ security_file_pre_free(file);
+
if (unlikely(S_ISCHR(inode->i_mode) && inode->i_cdev != NULL &&
!(file->f_mode & FMODE_PATH))) {
cdev_put(inode->i_cdev);
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index b095525..66489b4 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -457,6 +457,10 @@
* @file_free_security:
* Deallocate and free any security structures stored in file->f_security.
* @file contains the file structure being modified.
+ * @file_pre_free_security:
+ * Perform any logging or LSM state updates for a file being deleted
+ * using fields of the file before they have been cleared.
+ * @file contains the file structure being freed
* @file_ioctl:
* @file contains the file structure.
* @cmd contains the operation to perform.
@@ -1568,6 +1572,7 @@
int (*file_permission)(struct file *file, int mask);
int (*file_alloc_security)(struct file *file);
void (*file_free_security)(struct file *file);
+ void (*file_pre_free_security)(struct file *file);
int (*file_ioctl)(struct file *file, unsigned int cmd,
unsigned long arg);
int (*mmap_addr)(unsigned long addr);
@@ -1869,6 +1874,7 @@
struct hlist_head file_permission;
struct hlist_head file_alloc_security;
struct hlist_head file_free_security;
+ struct hlist_head file_pre_free_security;
struct hlist_head file_ioctl;
struct hlist_head mmap_addr;
struct hlist_head mmap_file;
diff --git a/include/linux/security.h b/include/linux/security.h
index 577b5ae..ded314a 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -321,6 +321,7 @@
int security_file_permission(struct file *file, int mask);
int security_file_alloc(struct file *file);
void security_file_free(struct file *file);
+void security_file_pre_free(struct file *file);
int security_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg);
int security_mmap_file(struct file *file, unsigned long prot,
unsigned long flags);
@@ -830,6 +831,9 @@
static inline void security_file_free(struct file *file)
{ }
+static inline void security_file_pre_free(struct file *file)
+{ }
+
static inline int security_file_ioctl(struct file *file, unsigned int cmd,
unsigned long arg)
{
diff --git a/security/security.c b/security/security.c
index 9211786..82dcca2 100644
--- a/security/security.c
+++ b/security/security.c
@@ -885,6 +885,11 @@
call_void_hook(file_free_security, file);
}
+void security_file_pre_free(struct file *file)
+{
+ call_void_hook(file_pre_free_security, file);
+}
+
int security_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
{
return call_int_hook(file_ioctl, 0, file, cmd, arg);
