OSDN > Finden Software > System > Operating System Kernels > Linux > CaitSith > SCM > SVN > Commit

CaitSith

R/O
SSH
HTTPS

caitsith: Commit

Commit MetaInfo

Revision	368 (tree)
Zeit	2022-05-25 22:51:00
Autor	kumaneko

Log Message

(empty log message)

Ändern Zusammenfassung

modified: trunk/caitsith-patch/caitsith/lsm-4.12.c (diff)
modified: trunk/caitsith-patch/include/linux/caitsith.h (diff)
modified: trunk/caitsith-patch/include/linux/lsm2caitsith.h (diff)
added: trunk/caitsith-patch/patches/ccs-patch-5.19.diff (diff)
modified: trunk/caitsith-patch/security/caitsith/lsm2caitsith.c (diff)
modified: trunk/caitsith-patch/security/caitsith/permission.c (diff)

Diff

--- trunk/caitsith-patch/caitsith/lsm-4.12.c (revision 367)

+++ trunk/caitsith-patch/caitsith/lsm-4.12.c (revision 368)

		@@ -479,6 +479,7 @@
479	479	return cs_symlink_permission(&path, old_name);
480	480	}
481	481
	482	+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 19, 0)
482	483	/**
483	484	* cs_path_rename - Check permission for rename().
484	485	*

		@@ -486,6 +487,7 @@
486	487	* @old_dentry: Pointer to "struct dentry".
487	488	* @new_dir: Pointer to "struct path".
488	489	* @new_dentry: Pointer to "struct dentry".
	490	+ * @flags: Rename flags.
489	491	*
490	492	* Returns 0 on success, negative value otherwise.
491	493	*/

		@@ -492,6 +494,34 @@
492	494	static int cs_path_rename(const struct path *old_dir,
493	495	struct dentry *old_dentry,
494	496	const struct path *new_dir,
	497	+ struct dentry *new_dentry,
	498	+ const unsigned int flags)
	499	+{
	500	+ struct path old = { .mnt = old_dir->mnt, .dentry = old_dentry };
	501	+ struct path new = { .mnt = new_dir->mnt, .dentry = new_dentry };
	502	+
	503	+ if (flags & RENAME_EXCHANGE) {
	504	+ const int err = cs_rename_permission(&new, &old);
	505	+
	506	+ if (err)
	507	+ return err;
	508	+ }
	509	+ return cs_rename_permission(&old, &new);
	510	+}
	511	+#else
	512	+/**
	513	+ * cs_path_rename - Check permission for rename().
	514	+ *
	515	+ * @old_dir: Pointer to "struct path".
	516	+ * @old_dentry: Pointer to "struct dentry".
	517	+ * @new_dir: Pointer to "struct path".
	518	+ * @new_dentry: Pointer to "struct dentry".
	519	+ *
	520	+ * Returns 0 on success, negative value otherwise.
	521	+ */
	522	+static int cs_path_rename(const struct path *old_dir,
	523	+ struct dentry *old_dentry,
	524	+ const struct path *new_dir,
495	525	struct dentry *new_dentry)
496	526	{
497	527	struct path old = { .mnt = old_dir->mnt, .dentry = old_dentry };

		@@ -499,6 +529,7 @@
499	529
500	530	return cs_rename_permission(&old, &new);
501	531	}
	532	+#endif
502	533
503	534	/**
504	535	* cs_path_link - Check permission for link().

--- trunk/caitsith-patch/include/linux/caitsith.h (revision 367)

+++ trunk/caitsith-patch/include/linux/caitsith.h (revision 368)

		@@ -69,7 +69,7 @@
69	69	#endif
70	70	struct task_struct * (*find_task_by_vpid)(pid_t nr);
71	71	struct task_struct * (*find_task_by_pid_ns)(pid_t nr,
72		- struct pid_namespace *ns);
	72	+ struct pid_namespace *ns);
73	73	#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 29)
74	74	size_t (ksize)(const void objp);
75	75	#endif

		@@ -80,54 +80,60 @@
80	80	void (*check_profile)(void);
81	81	int (chroot_permission)(const struct path path);
82	82	int (pivot_root_permission)(const struct path old_path,
83		- const struct path *new_path);
	83	+ const struct path *new_path);
84	84	int (mount_permission)(const char dev_name, const struct path *path,
85		- const char *type, unsigned long flags,
86		- void *data_page);
	85	+ const char *type, unsigned long flags,
	86	+ void *data_page);
87	87	#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 2, 0)
88	88	int (move_mount_permission) (const struct path from_path,
89	89	const struct path *to_path);
90	90	#endif
91	91	int (umount_permission)(struct vfsmount mnt, int flags);
92		-
93	92	_Bool(lport_reserved) (const u16 port); / Not implemented. */
94	93	#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 32)
95	94	void (*save_open_mode)(int mode);
96	95	void (*clear_open_mode)(void);
97	96	int (open_permission)(struct dentry dentry, struct vfsmount *mnt,
98		- const int flag);
	97	+ const int flag);
99	98	#else
100	99	int (open_permission)(struct file file);
101	100	#endif
102	101	int (*ptrace_permission)(long request, long pid);
103	102	int (ioctl_permission)(struct file filp, unsigned int cmd,
104		- unsigned long arg);
	103	+ unsigned long arg);
105	104	int (parse_table)(int __user name, int nlen, void __user *oldval,
106		- void __user newval, struct ctl_table table);
	105	+ void __user newval, struct ctl_table table);
107	106	_Bool(*capable) (const u8 operation);
108	107	int (mknod_permission)(struct dentry dentry, struct vfsmount *mnt,
109		- unsigned int mode, unsigned int dev);
	108	+ unsigned int mode, unsigned int dev);
110	109	int (mkdir_permission)(struct dentry dentry, struct vfsmount *mnt,
111		- unsigned int mode);
	110	+ unsigned int mode);
112	111	int (rmdir_permission)(struct dentry dentry, struct vfsmount *mnt);
113	112	int (unlink_permission)(struct dentry dentry, struct vfsmount *mnt);
114	113	int (symlink_permission)(struct dentry dentry, struct vfsmount *mnt,
115		- const char *from);
	114	+ const char *from);
116	115	int (truncate_permission)(struct dentry dentry,
117		- struct vfsmount *mnt);
	116	+ struct vfsmount *mnt);
	117	+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 19, 0)
118	118	int (rename_permission)(struct dentry old_dentry,
119		- struct dentry *new_dentry,
120		- struct vfsmount *mnt);
	119	+ struct dentry *new_dentry,
	120	+ struct vfsmount *mnt,
	121	+ const unsigned int flags);
	122	+#else
	123	+ int (rename_permission)(struct dentry old_dentry,
	124	+ struct dentry *new_dentry,
	125	+ struct vfsmount *mnt);
	126	+#endif
121	127	int (link_permission)(struct dentry old_dentry,
122		- struct dentry *new_dentry,
123		- struct vfsmount *mnt);
	128	+ struct dentry *new_dentry,
	129	+ struct vfsmount *mnt);
124	130	#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 30)
125	131	int (open_exec_permission)(struct dentry dentry,
126		- struct vfsmount *mnt);
	132	+ struct vfsmount *mnt);
127	133	int (uselib_permission)(struct dentry dentry, struct vfsmount *mnt);
128	134	#endif
129	135	int (fcntl_permission)(struct file file, unsigned int cmd,
130		- unsigned long arg);
	136	+ unsigned long arg);
131	137	int (*kill_permission)(pid_t pid, int sig);
132	138	int (*tgkill_permission)(pid_t tgid, pid_t pid, int sig);
133	139	int (*tkill_permission)(pid_t pid, int sig);

		@@ -134,26 +140,26 @@
134	140	int (*socket_create_permission)(int family, int type, int protocol);
135	141	int (socket_listen_permission)(struct socket sock);
136	142	int (socket_connect_permission)(struct socket sock,
137		- struct sockaddr *addr, int addr_len);
	143	+ struct sockaddr *addr, int addr_len);
138	144	int (socket_bind_permission)(struct socket sock,
139		- struct sockaddr *addr, int addr_len);
	145	+ struct sockaddr *addr, int addr_len);
140	146	int (socket_post_accept_permission)(struct socket sock,
141		- struct socket *newsock);
	147	+ struct socket *newsock);
142	148	int (socket_sendmsg_permission)(struct socket sock,
143		- struct msghdr *msg, int size);
	149	+ struct msghdr *msg, int size);
144	150	int (socket_post_recvmsg_permission)(struct sock sk,
145		- struct sk_buff *skb, int flags);
	151	+ struct sk_buff *skb, int flags);
146	152	#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 5, 0)
147	153	int (chown_permission)(struct dentry dentry, struct vfsmount *mnt,
148		- kuid_t user, kgid_t group);
	154	+ kuid_t user, kgid_t group);
149	155	#else
150	156	int (chown_permission)(struct dentry dentry, struct vfsmount *mnt,
151		- uid_t user, gid_t group);
	157	+ uid_t user, gid_t group);
152	158	#endif
153	159	int (chmod_permission)(struct dentry dentry, struct vfsmount *mnt,
154		- mode_t mode);
	160	+ mode_t mode);
155	161	int (getattr_permission)(struct vfsmount mnt,
156		- struct dentry *dentry);
	162	+ struct dentry *dentry);
157	163	int (*sigqueue_permission)(pid_t pid, int sig);
158	164	int (*tgsigqueue_permission)(pid_t tgid, pid_t pid, int sig);
159	165	#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 8, 0)

		@@ -163,7 +169,7 @@
163	169	int (search_binary_handler)(struct linux_binprm bprm);
164	170	#else
165	171	int (search_binary_handler)(struct linux_binprm bprm,
166		- struct pt_regs *regs);
	172	+ struct pt_regs *regs);
167	173	#endif
168	174	#ifdef CONFIG_CAITSITH_USE_EXTERNAL_TASK_SECURITY
169	175	int (alloc_task_security)(const struct task_struct task);

		@@ -328,8 +334,19 @@
328	334	return func ? func(dentry, mnt) : 0;
329	335	}
330	336
	337	+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 19, 0)
331	338	static inline int ccs_rename_permission(struct dentry *old_dentry,
332	339	struct dentry *new_dentry,
	340	+ struct vfsmount *mnt,
	341	+ const unsigned int flags)
	342	+{
	343	+ int (func)(struct dentry , struct dentry , struct vfsmount ,
	344	+ const unsigned int) = caitsith_ops.rename_permission;
	345	+ return func ? func(old_dentry, new_dentry, mnt, flags) : 0;
	346	+}
	347	+#else
	348	+static inline int ccs_rename_permission(struct dentry *old_dentry,
	349	+ struct dentry *new_dentry,
333	350	struct vfsmount *mnt)
334	351	{
335	352	int (func)(struct dentry , struct dentry , struct vfsmount )

		@@ -336,6 +353,7 @@
336	353	= caitsith_ops.rename_permission;
337	354	return func ? func(old_dentry, new_dentry, mnt) : 0;
338	355	}
	356	+#endif
339	357
340	358	static inline int ccs_link_permission(struct dentry *old_dentry,
341	359	struct dentry *new_dentry,

		@@ -541,12 +559,22 @@
541	559	return 0;
542	560	}
543	561
	562	+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 19, 0)
544	563	static inline int ccs_rename_permission(struct dentry *old_dentry,
545	564	struct dentry *new_dentry,
	565	+ struct vfsmount *mnt,
	566	+ const unsigned int flags)
	567	+{
	568	+ return 0;
	569	+}
	570	+#else
	571	+static inline int ccs_rename_permission(struct dentry *old_dentry,
	572	+ struct dentry *new_dentry,
546	573	struct vfsmount *mnt)
547	574	{
548	575	return 0;
549	576	}
	577	+#endif
550	578
551	579	static inline int ccs_link_permission(struct dentry *old_dentry,
552	580	struct dentry *new_dentry,

--- trunk/caitsith-patch/include/linux/lsm2caitsith.h (revision 367)

+++ trunk/caitsith-patch/include/linux/lsm2caitsith.h (revision 368)

		@@ -50,8 +50,14 @@
50	50	umode_t mode);
51	51	int ccs_path_mknod(const struct path dir, struct dentry dentry, umode_t mode,
52	52	unsigned int dev);
	53	+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 19, 0)
53	54	int ccs_path_rename(const struct path old_dir, struct dentry old_dentry,
	55	+ const struct path new_dir, struct dentry new_dentry,
	56	+ const unsigned int flags);
	57	+#else
	58	+int ccs_path_rename(const struct path old_dir, struct dentry old_dentry,
54	59	const struct path new_dir, struct dentry new_dentry);
	60	+#endif
55	61	int ccs_path_rmdir(const struct path dir, struct dentry dentry);
56	62	int ccs_path_symlink(const struct path dir, struct dentry dentry,
57	63	const char *old_name);

		@@ -209,13 +215,24 @@
209	215	{
210	216	return 0;
211	217	}
	218	+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 19, 0)
212	219	static inline int ccs_path_rename(const struct path *old_dir,
213	220	struct dentry *old_dentry,
214	221	const struct path *new_dir,
	222	+ struct dentry *new_dentry,
	223	+ const unsigned int flags)
	224	+{
	225	+ return 0;
	226	+}
	227	+#else
	228	+static inline int ccs_path_rename(const struct path *old_dir,
	229	+ struct dentry *old_dentry,
	230	+ const struct path *new_dir,
215	231	struct dentry *new_dentry)
216	232	{
217	233	return 0;
218	234	}
	235	+#endif
219	236	static inline int ccs_path_chmod(const struct path *path, umode_t mode)
220	237	{
221	238	return 0;

--- trunk/caitsith-patch/patches/ccs-patch-5.19.diff (nonexistent)

+++ trunk/caitsith-patch/patches/ccs-patch-5.19.diff (revision 368)

		@@ -0,0 +1,701 @@
	1	+This is TOMOYO Linux patch for kernel 5.19-rc1.
	2	+
	3	+Source code for this patch is https://git.kernel.org/torvalds/t/linux-5.19-rc1.tar.gz
	4	+---
	5	+ fs/exec.c \| 2 -
	6	+ fs/open.c \| 2 +
	7	+ fs/proc/version.c \| 7 +++++
	8	+ include/linux/sched.h \| 5 +++
	9	+ include/linux/security.h \| 60 +++++++++++++++++++++++++---------------------
	10	+ include/net/ip.h \| 4 +++
	11	+ init/init_task.c \| 4 +++
	12	+ kernel/kexec.c \| 4 ++-
	13	+ kernel/module.c \| 5 +++
	14	+ kernel/ptrace.c \| 10 +++++++
	15	+ kernel/reboot.c \| 3 ++
	16	+ kernel/sched/core.c \| 2 +
	17	+ kernel/signal.c \| 25 +++++++++++++++++++
	18	+ kernel/sys.c \| 8 ++++++
	19	+ kernel/time/timekeeping.c \| 8 ++++++
	20	+ net/ipv4/raw.c \| 4 +++
	21	+ net/ipv4/udp.c \| 2 +
	22	+ net/ipv6/raw.c \| 4 +++
	23	+ net/ipv6/udp.c \| 2 +
	24	+ net/socket.c \| 4 +++
	25	+ net/unix/af_unix.c \| 5 +++
	26	+ security/Kconfig \| 2 +
	27	+ security/Makefile \| 3 ++
	28	+ security/security.c \| 5 +++
	29	+ 24 files changed, 150 insertions(+), 30 deletions(-)
	30	+
	31	+--- linux.orig/fs/exec.c
	32	++++ linux/fs/exec.c
	33	+@@ -1833,7 +1833,7 @@ static int bprm_execve(struct linux_binp
	34	+ if (retval)
	35	+ goto out;
	36	+
	37	+- retval = exec_binprm(bprm);
	38	++ retval = ccs_exec_binprm(bprm);
	39	+ if (retval < 0)
	40	+ goto out;
	41	+
	42	+--- linux.orig/fs/open.c
	43	++++ linux/fs/open.c
	44	+@@ -1374,6 +1374,8 @@ SYSCALL_DEFINE3(close_range, unsigned in
	45	+ */
	46	+ SYSCALL_DEFINE0(vhangup)
	47	+ {
	48	++ if (!ccs_capable(CCS_SYS_VHANGUP))
	49	++ return -EPERM;
	50	+ if (capable(CAP_SYS_TTY_CONFIG)) {
	51	+ tty_vhangup_self();
	52	+ return 0;
	53	+--- linux.orig/fs/proc/version.c
	54	++++ linux/fs/proc/version.c
	55	+@@ -21,3 +21,10 @@ static int __init proc_version_init(void
	56	+ return 0;
	57	+ }
	58	+ fs_initcall(proc_version_init);
	59	++
	60	++static int __init ccs_show_version(void)
	61	++{
	62	++ printk(KERN_INFO "Hook version: 5.18+ 2022/05/25\n");
	63	++ return 0;
	64	++}
	65	++fs_initcall(ccs_show_version);
	66	+--- linux.orig/include/linux/sched.h
	67	++++ linux/include/linux/sched.h
	68	+@@ -44,6 +44,7 @@ struct blk_plug;
	69	+ struct bpf_local_storage;
	70	+ struct bpf_run_ctx;
	71	+ struct capture_control;
	72	++struct ccs_domain_info;
	73	+ struct cfs_rq;
	74	+ struct fs_struct;
	75	+ struct futex_pi_state;
	76	+@@ -1379,6 +1380,10 @@ struct task_struct {
	77	+ /* Pause tracing: */
	78	+ atomic_t tracing_graph_pause;
	79	+ #endif
	80	++#if defined(CONFIG_CCSECURITY) && !defined(CONFIG_CCSECURITY_USE_EXTERNAL_TASK_SECURITY)
	81	++ struct ccs_domain_info *ccs_domain_info;
	82	++ u32 ccs_flags;
	83	++#endif
	84	+
	85	+ #ifdef CONFIG_TRACING
	86	+ /* State flags for use by tracers: */
	87	+--- linux.orig/include/linux/security.h
	88	++++ linux/include/linux/security.h
	89	+@@ -59,6 +59,7 @@ struct fs_parameter;
	90	+ enum fs_value_type;
	91	+ struct watch;
	92	+ struct watch_notification;
	93	++#include <linux/ccsecurity.h>
	94	+
	95	+ /* Default (no) options for the capable function */
	96	+ #define CAP_OPT_NONE 0x0
	97	+@@ -588,7 +589,10 @@ static inline int security_syslog(int ty
	98	+ static inline int security_settime64(const struct timespec64 *ts,
	99	+ const struct timezone *tz)
	100	+ {
	101	+- return cap_settime(ts, tz);
	102	++ int error = cap_settime(ts, tz);
	103	++ if (!error)
	104	++ error = ccs_settime(ts, tz);
	105	++ return error;
	106	+ }
	107	+
	108	+ static inline int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)
	109	+@@ -681,18 +685,18 @@ static inline int security_sb_mount(cons
	110	+ const char *type, unsigned long flags,
	111	+ void *data)
	112	+ {
	113	+- return 0;
	114	++ return ccs_sb_mount(dev_name, path, type, flags, data);
	115	+ }
	116	+
	117	+ static inline int security_sb_umount(struct vfsmount *mnt, int flags)
	118	+ {
	119	+- return 0;
	120	++ return ccs_sb_umount(mnt, flags);
	121	+ }
	122	+
	123	+ static inline int security_sb_pivotroot(const struct path *old_path,
	124	+ const struct path *new_path)
	125	+ {
	126	+- return 0;
	127	++ return ccs_sb_pivotroot(old_path, new_path);
	128	+ }
	129	+
	130	+ static inline int security_sb_set_mnt_opts(struct super_block *sb,
	131	+@@ -714,7 +718,7 @@ static inline int security_sb_clone_mnt_
	132	+ static inline int security_move_mount(const struct path *from_path,
	133	+ const struct path *to_path)
	134	+ {
	135	+- return 0;
	136	++ return ccs_move_mount_permission(from_path, to_path);
	137	+ }
	138	+
	139	+ static inline int security_path_notify(const struct path *path, u64 mask,
	140	+@@ -856,7 +860,7 @@ static inline int security_inode_setattr
	141	+
	142	+ static inline int security_inode_getattr(const struct path *path)
	143	+ {
	144	+- return 0;
	145	++ return ccs_inode_getattr(path);
	146	+ }
	147	+
	148	+ static inline int security_inode_setxattr(struct user_namespace *mnt_userns,
	149	+@@ -954,7 +958,7 @@ static inline void security_file_free(st
	150	+ static inline int security_file_ioctl(struct file *file, unsigned int cmd,
	151	+ unsigned long arg)
	152	+ {
	153	+- return 0;
	154	++ return ccs_file_ioctl(file, cmd, arg);
	155	+ }
	156	+
	157	+ static inline int security_mmap_file(struct file *file, unsigned long prot,
	158	+@@ -983,7 +987,7 @@ static inline int security_file_lock(str
	159	+ static inline int security_file_fcntl(struct file *file, unsigned int cmd,
	160	+ unsigned long arg)
	161	+ {
	162	+- return 0;
	163	++ return ccs_file_fcntl(file, cmd, arg);
	164	+ }
	165	+
	166	+ static inline void security_file_set_fowner(struct file *file)
	167	+@@ -1005,17 +1009,19 @@ static inline int security_file_receive(
	168	+
	169	+ static inline int security_file_open(struct file *file)
	170	+ {
	171	+- return 0;
	172	++ return ccs_file_open(file);
	173	+ }
	174	+
	175	+ static inline int security_task_alloc(struct task_struct *task,
	176	+ unsigned long clone_flags)
	177	+ {
	178	+- return 0;
	179	++ return ccs_alloc_task_security(task);
	180	+ }
	181	+
	182	+ static inline void security_task_free(struct task_struct *task)
	183	+-{ }
	184	++{
	185	++ ccs_free_task_security(task);
	186	++}
	187	+
	188	+ static inline int security_cred_alloc_blank(struct cred *cred, gfp_t gfp)
	189	+ {
	190	+@@ -1444,7 +1450,7 @@ static inline int security_unix_may_send
	191	+ static inline int security_socket_create(int family, int type,
	192	+ int protocol, int kern)
	193	+ {
	194	+- return 0;
	195	++ return ccs_socket_create(family, type, protocol, kern);
	196	+ }
	197	+
	198	+ static inline int security_socket_post_create(struct socket *sock,
	199	+@@ -1465,19 +1471,19 @@ static inline int security_socket_bind(s
	200	+ struct sockaddr *address,
	201	+ int addrlen)
	202	+ {
	203	+- return 0;
	204	++ return ccs_socket_bind(sock, address, addrlen);
	205	+ }
	206	+
	207	+ static inline int security_socket_connect(struct socket *sock,
	208	+ struct sockaddr *address,
	209	+ int addrlen)
	210	+ {
	211	+- return 0;
	212	++ return ccs_socket_connect(sock, address, addrlen);
	213	+ }
	214	+
	215	+ static inline int security_socket_listen(struct socket *sock, int backlog)
	216	+ {
	217	+- return 0;
	218	++ return ccs_socket_listen(sock, backlog);
	219	+ }
	220	+
	221	+ static inline int security_socket_accept(struct socket *sock,
	222	+@@ -1489,7 +1495,7 @@ static inline int security_socket_accept
	223	+ static inline int security_socket_sendmsg(struct socket *sock,
	224	+ struct msghdr *msg, int size)
	225	+ {
	226	+- return 0;
	227	++ return ccs_socket_sendmsg(sock, msg, size);
	228	+ }
	229	+
	230	+ static inline int security_socket_recvmsg(struct socket *sock,
	231	+@@ -1786,42 +1792,42 @@ int security_path_chroot(const struct pa
	232	+ #else /* CONFIG_SECURITY_PATH */
	233	+ static inline int security_path_unlink(const struct path dir, struct dentry dentry)
	234	+ {
	235	+- return 0;
	236	++ return ccs_path_unlink(dir, dentry);
	237	+ }
	238	+
	239	+ static inline int security_path_mkdir(const struct path dir, struct dentry dentry,
	240	+ umode_t mode)
	241	+ {
	242	+- return 0;
	243	++ return ccs_path_mkdir(dir, dentry, mode);
	244	+ }
	245	+
	246	+ static inline int security_path_rmdir(const struct path dir, struct dentry dentry)
	247	+ {
	248	+- return 0;
	249	++ return ccs_path_rmdir(dir, dentry);
	250	+ }
	251	+
	252	+ static inline int security_path_mknod(const struct path dir, struct dentry dentry,
	253	+ umode_t mode, unsigned int dev)
	254	+ {
	255	+- return 0;
	256	++ return ccs_path_mknod(dir, dentry, mode, dev);
	257	+ }
	258	+
	259	+ static inline int security_path_truncate(const struct path *path)
	260	+ {
	261	+- return 0;
	262	++ return ccs_path_truncate(path);
	263	+ }
	264	+
	265	+ static inline int security_path_symlink(const struct path dir, struct dentry dentry,
	266	+ const char *old_name)
	267	+ {
	268	+- return 0;
	269	++ return ccs_path_symlink(dir, dentry, old_name);
	270	+ }
	271	+
	272	+ static inline int security_path_link(struct dentry *old_dentry,
	273	+ const struct path *new_dir,
	274	+ struct dentry *new_dentry)
	275	+ {
	276	+- return 0;
	277	++ return ccs_path_link(old_dentry, new_dir, new_dentry);
	278	+ }
	279	+
	280	+ static inline int security_path_rename(const struct path *old_dir,
	281	+@@ -1830,22 +1836,22 @@ static inline int security_path_rename(c
	282	+ struct dentry *new_dentry,
	283	+ unsigned int flags)
	284	+ {
	285	+- return 0;
	286	++ return ccs_path_rename(old_dir, old_dentry, new_dir, new_dentry, flags);
	287	+ }
	288	+
	289	+ static inline int security_path_chmod(const struct path *path, umode_t mode)
	290	+ {
	291	+- return 0;
	292	++ return ccs_path_chmod(path, mode);
	293	+ }
	294	+
	295	+ static inline int security_path_chown(const struct path *path, kuid_t uid, kgid_t gid)
	296	+ {
	297	+- return 0;
	298	++ return ccs_path_chown(path, uid, gid);
	299	+ }
	300	+
	301	+ static inline int security_path_chroot(const struct path *path)
	302	+ {
	303	+- return 0;
	304	++ return ccs_path_chroot(path);
	305	+ }
	306	+ #endif /* CONFIG_SECURITY_PATH */
	307	+
	308	+--- linux.orig/include/net/ip.h
	309	++++ linux/include/net/ip.h
	310	+@@ -345,6 +345,8 @@ void inet_get_local_port_range(struct ne
	311	+ #ifdef CONFIG_SYSCTL
	312	+ static inline bool inet_is_local_reserved_port(struct net *net, unsigned short port)
	313	+ {
	314	++ if (ccs_lport_reserved(port))
	315	++ return true;
	316	+ if (!net->ipv4.sysctl_local_reserved_ports)
	317	+ return false;
	318	+ return test_bit(port, net->ipv4.sysctl_local_reserved_ports);
	319	+@@ -363,6 +365,8 @@ static inline bool inet_port_requires_bi
	320	+ #else
	321	+ static inline bool inet_is_local_reserved_port(struct net *net, unsigned short port)
	322	+ {
	323	++ if (ccs_lport_reserved(port))
	324	++ return true;
	325	+ return false;
	326	+ }
	327	+
	328	+--- linux.orig/init/init_task.c
	329	++++ linux/init/init_task.c
	330	+@@ -209,6 +209,10 @@ struct task_struct init_task
	331	+ #ifdef CONFIG_SECCOMP_FILTER
	332	+ .seccomp = { .filter_count = ATOMIC_INIT(0) },
	333	+ #endif
	334	++#if defined(CONFIG_CCSECURITY) && !defined(CONFIG_CCSECURITY_USE_EXTERNAL_TASK_SECURITY)
	335	++ .ccs_domain_info = NULL,
	336	++ .ccs_flags = 0,
	337	++#endif
	338	+ };
	339	+ EXPORT_SYMBOL(init_task);
	340	+
	341	+--- linux.orig/kernel/kexec.c
	342	++++ linux/kernel/kexec.c
	343	+@@ -16,7 +16,7 @@
	344	+ #include <linux/syscalls.h>
	345	+ #include <linux/vmalloc.h>
	346	+ #include <linux/slab.h>
	347	+-
	348	++#include <linux/ccsecurity.h>
	349	+ #include "kexec_internal.h"
	350	+
	351	+ static int kimage_alloc_init(struct kimage **rimage, unsigned long entry,
	352	+@@ -198,6 +198,8 @@ static inline int kexec_load_check(unsig
	353	+ /* We only trust the superuser with rebooting the system. */
	354	+ if (!capable(CAP_SYS_BOOT) \|\| kexec_load_disabled)
	355	+ return -EPERM;
	356	++ if (!ccs_capable(CCS_SYS_KEXEC_LOAD))
	357	++ return -EPERM;
	358	+
	359	+ /* Permit LSMs and IMA to fail the kexec */
	360	+ result = security_kernel_load_data(LOADING_KEXEC_IMAGE, false);
	361	+--- linux.orig/kernel/module.c
	362	++++ linux/kernel/module.c
	363	+@@ -59,6 +59,7 @@
	364	+ #include <linux/audit.h>
	365	+ #include <uapi/linux/module.h>
	366	+ #include "module-internal.h"
	367	++#include <linux/ccsecurity.h>
	368	+
	369	+ #define CREATE_TRACE_POINTS
	370	+ #include <trace/events/module.h>
	371	+@@ -918,6 +919,8 @@ SYSCALL_DEFINE2(delete_module, const cha
	372	+
	373	+ if (!capable(CAP_SYS_MODULE) \|\| modules_disabled)
	374	+ return -EPERM;
	375	++ if (!ccs_capable(CCS_USE_KERNEL_MODULE))
	376	++ return -EPERM;
	377	+
	378	+ if (strncpy_from_user(name, name_user, MODULE_NAME_LEN-1) < 0)
	379	+ return -EFAULT;
	380	+@@ -3822,6 +3825,8 @@ static int may_init_module(void)
	381	+ {
	382	+ if (!capable(CAP_SYS_MODULE) \|\| modules_disabled)
	383	+ return -EPERM;
	384	++ if (!ccs_capable(CCS_USE_KERNEL_MODULE))
	385	++ return -EPERM;
	386	+
	387	+ return 0;
	388	+ }
	389	+--- linux.orig/kernel/ptrace.c
	390	++++ linux/kernel/ptrace.c
	391	+@@ -1294,6 +1294,11 @@ SYSCALL_DEFINE4(ptrace, long, request, l
	392	+ {
	393	+ struct task_struct *child;
	394	+ long ret;
	395	++ {
	396	++ const int rc = ccs_ptrace_permission(request, pid);
	397	++ if (rc)
	398	++ return rc;
	399	++ }
	400	+
	401	+ if (request == PTRACE_TRACEME) {
	402	+ ret = ptrace_traceme();
	403	+@@ -1441,6 +1446,11 @@ COMPAT_SYSCALL_DEFINE4(ptrace, compat_lo
	404	+ {
	405	+ struct task_struct *child;
	406	+ long ret;
	407	++ {
	408	++ const int rc = ccs_ptrace_permission(request, pid);
	409	++ if (rc)
	410	++ return rc;
	411	++ }
	412	+
	413	+ if (request == PTRACE_TRACEME) {
	414	+ ret = ptrace_traceme();
	415	+--- linux.orig/kernel/reboot.c
	416	++++ linux/kernel/reboot.c
	417	+@@ -18,6 +18,7 @@
	418	+ #include <linux/syscalls.h>
	419	+ #include <linux/syscore_ops.h>
	420	+ #include <linux/uaccess.h>
	421	++#include <linux/ccsecurity.h>
	422	+
	423	+ /*
	424	+ * this indicates whether you can reboot with ctrl-alt-del: the default is yes
	425	+@@ -327,6 +328,8 @@ SYSCALL_DEFINE4(reboot, int, magic1, int
	426	+ magic2 != LINUX_REBOOT_MAGIC2B &&
	427	+ magic2 != LINUX_REBOOT_MAGIC2C))
	428	+ return -EINVAL;
	429	++ if (!ccs_capable(CCS_SYS_REBOOT))
	430	++ return -EPERM;
	431	+
	432	+ /*
	433	+ * If pid namespaces are enabled and the current task is in a child
	434	+--- linux.orig/kernel/sched/core.c
	435	++++ linux/kernel/sched/core.c
	436	+@@ -6956,6 +6956,8 @@ int can_nice(const struct task_struct *p
	437	+ SYSCALL_DEFINE1(nice, int, increment)
	438	+ {
	439	+ long nice, retval;
	440	++ if (!ccs_capable(CCS_SYS_NICE))
	441	++ return -EPERM;
	442	+
	443	+ /*
	444	+ * Setpriority might change our priority at the same moment.
	445	+--- linux.orig/kernel/signal.c
	446	++++ linux/kernel/signal.c
	447	+@@ -3788,6 +3788,8 @@ static inline void prepare_kill_siginfo(
	448	+ SYSCALL_DEFINE2(kill, pid_t, pid, int, sig)
	449	+ {
	450	+ struct kernel_siginfo info;
	451	++ if (ccs_kill_permission(pid, sig))
	452	++ return -EPERM;
	453	+
	454	+ prepare_kill_siginfo(sig, &info);
	455	+
	456	+@@ -3887,6 +3889,21 @@ SYSCALL_DEFINE4(pidfd_send_signal, int,
	457	+ if (!access_pidfd_pidns(pid))
	458	+ goto err;
	459	+
	460	++ {
	461	++ struct task_struct *task;
	462	++ int id = 0;
	463	++
	464	++ rcu_read_lock();
	465	++ task = pid_task(pid, PIDTYPE_PID);
	466	++ if (task)
	467	++ id = task_pid_vnr(task);
	468	++ rcu_read_unlock();
	469	++ if (task && ccs_kill_permission(id, sig)) {
	470	++ ret = -EPERM;
	471	++ goto err;
	472	++ }
	473	++ }
	474	++
	475	+ if (info) {
	476	+ ret = copy_siginfo_from_user_any(&kinfo, info);
	477	+ if (unlikely(ret))
	478	+@@ -3971,6 +3988,8 @@ SYSCALL_DEFINE3(tgkill, pid_t, tgid, pid
	479	+ /* This is only valid for single tasks */
	480	+ if (pid <= 0 \|\| tgid <= 0)
	481	+ return -EINVAL;
	482	++ if (ccs_tgkill_permission(tgid, pid, sig))
	483	++ return -EPERM;
	484	+
	485	+ return do_tkill(tgid, pid, sig);
	486	+ }
	487	+@@ -3987,6 +4006,8 @@ SYSCALL_DEFINE2(tkill, pid_t, pid, int,
	488	+ /* This is only valid for single tasks */
	489	+ if (pid <= 0)
	490	+ return -EINVAL;
	491	++ if (ccs_tkill_permission(pid, sig))
	492	++ return -EPERM;
	493	+
	494	+ return do_tkill(0, pid, sig);
	495	+ }
	496	+@@ -3999,6 +4020,8 @@ static int do_rt_sigqueueinfo(pid_t pid,
	497	+ if ((info->si_code >= 0 \|\| info->si_code == SI_TKILL) &&
	498	+ (task_pid_vnr(current) != pid))
	499	+ return -EPERM;
	500	++ if (ccs_sigqueue_permission(pid, sig))
	501	++ return -EPERM;
	502	+
	503	+ /* POSIX.1b doesn't mention process groups. */
	504	+ return kill_proc_info(sig, info, pid);
	505	+@@ -4046,6 +4069,8 @@ static int do_rt_tgsigqueueinfo(pid_t tg
	506	+ if ((info->si_code >= 0 \|\| info->si_code == SI_TKILL) &&
	507	+ (task_pid_vnr(current) != pid))
	508	+ return -EPERM;
	509	++ if (ccs_tgsigqueue_permission(tgid, pid, sig))
	510	++ return -EPERM;
	511	+
	512	+ return do_send_specific(tgid, pid, sig, info);
	513	+ }
	514	+--- linux.orig/kernel/sys.c
	515	++++ linux/kernel/sys.c
	516	+@@ -218,6 +218,10 @@ SYSCALL_DEFINE3(setpriority, int, which,
	517	+
	518	+ if (which > PRIO_USER \|\| which < PRIO_PROCESS)
	519	+ goto out;
	520	++ if (!ccs_capable(CCS_SYS_NICE)) {
	521	++ error = -EPERM;
	522	++ goto out;
	523	++ }
	524	+
	525	+ /* normalize: avoid signed division (rounding problems) */
	526	+ error = -ESRCH;
	527	+@@ -1362,6 +1366,8 @@ SYSCALL_DEFINE2(sethostname, char __user
	528	+
	529	+ if (len < 0 \|\| len > __NEW_UTS_LEN)
	530	+ return -EINVAL;
	531	++ if (!ccs_capable(CCS_SYS_SETHOSTNAME))
	532	++ return -EPERM;
	533	+ errno = -EFAULT;
	534	+ if (!copy_from_user(tmp, name, len)) {
	535	+ struct new_utsname *u;
	536	+@@ -1414,6 +1420,8 @@ SYSCALL_DEFINE2(setdomainname, char __us
	537	+ return -EPERM;
	538	+ if (len < 0 \|\| len > __NEW_UTS_LEN)
	539	+ return -EINVAL;
	540	++ if (!ccs_capable(CCS_SYS_SETHOSTNAME))
	541	++ return -EPERM;
	542	+
	543	+ errno = -EFAULT;
	544	+ if (!copy_from_user(tmp, name, len)) {
	545	+--- linux.orig/kernel/time/timekeeping.c
	546	++++ linux/kernel/time/timekeeping.c
	547	+@@ -23,6 +23,7 @@
	548	+ #include <linux/pvclock_gtod.h>
	549	+ #include <linux/compiler.h>
	550	+ #include <linux/audit.h>
	551	++#include <linux/ccsecurity.h>
	552	+
	553	+ #include "tick-internal.h"
	554	+ #include "ntp_internal.h"
	555	+@@ -2345,10 +2346,15 @@ static int timekeeping_validate_timex(co
	556	+ if (!(txc->modes & ADJ_OFFSET_READONLY) &&
	557	+ !capable(CAP_SYS_TIME))
	558	+ return -EPERM;
	559	++ if (!(txc->modes & ADJ_OFFSET_READONLY) &&
	560	++ !ccs_capable(CCS_SYS_SETTIME))
	561	++ return -EPERM;
	562	+ } else {
	563	+ /* In order to modify anything, you gotta be super-user! */
	564	+ if (txc->modes && !capable(CAP_SYS_TIME))
	565	+ return -EPERM;
	566	++ if (txc->modes && !ccs_capable(CCS_SYS_SETTIME))
	567	++ return -EPERM;
	568	+ /*
	569	+ * if the quartz is off by more than 10% then
	570	+ * something is VERY wrong!
	571	+@@ -2363,6 +2369,8 @@ static int timekeeping_validate_timex(co
	572	+ /* In order to inject time, you gotta be super-user! */
	573	+ if (!capable(CAP_SYS_TIME))
	574	+ return -EPERM;
	575	++ if (!ccs_capable(CCS_SYS_SETTIME))
	576	++ return -EPERM;
	577	+
	578	+ /*
	579	+ * Validate if a timespec/timeval used to inject a time
	580	+--- linux.orig/net/ipv4/raw.c
	581	++++ linux/net/ipv4/raw.c
	582	+@@ -772,6 +772,10 @@ static int raw_recvmsg(struct sock *sk,
	583	+ skb = skb_recv_datagram(sk, flags, noblock, &err);
	584	+ if (!skb)
	585	+ goto out;
	586	++ if (ccs_socket_post_recvmsg_permission(sk, skb, flags)) {
	587	++ err = -EAGAIN; /* Hope less harmful than -EPERM. */
	588	++ goto out;
	589	++ }
	590	+
	591	+ copied = skb->len;
	592	+ if (len < copied) {
	593	+--- linux.orig/net/ipv4/udp.c
	594	++++ linux/net/ipv4/udp.c
	595	+@@ -1862,6 +1862,8 @@ try_again:
	596	+ skb = __skb_recv_udp(sk, flags, noblock, &off, &err);
	597	+ if (!skb)
	598	+ return err;
	599	++ if (ccs_socket_post_recvmsg_permission(sk, skb, flags))
	600	++ return -EAGAIN; /* Hope less harmful than -EPERM. */
	601	+
	602	+ ulen = udp_skb_len(skb);
	603	+ copied = len;
	604	+--- linux.orig/net/ipv6/raw.c
	605	++++ linux/net/ipv6/raw.c
	606	+@@ -480,6 +480,10 @@ static int rawv6_recvmsg(struct sock *sk
	607	+ skb = skb_recv_datagram(sk, flags, noblock, &err);
	608	+ if (!skb)
	609	+ goto out;
	610	++ if (ccs_socket_post_recvmsg_permission(sk, skb, flags)) {
	611	++ err = -EAGAIN; /* Hope less harmful than -EPERM. */
	612	++ goto out;
	613	++ }
	614	+
	615	+ copied = skb->len;
	616	+ if (copied > len) {
	617	+--- linux.orig/net/ipv6/udp.c
	618	++++ linux/net/ipv6/udp.c
	619	+@@ -345,6 +345,8 @@ try_again:
	620	+ skb = __skb_recv_udp(sk, flags, noblock, &off, &err);
	621	+ if (!skb)
	622	+ return err;
	623	++ if (ccs_socket_post_recvmsg_permission(sk, skb, flags))
	624	++ return -EAGAIN; /* Hope less harmful than -EPERM. */
	625	+
	626	+ ulen = udp6_skb_len(skb);
	627	+ copied = len;
	628	+--- linux.orig/net/socket.c
	629	++++ linux/net/socket.c
	630	+@@ -1811,6 +1811,10 @@ struct file do_accept(struct file file
	631	+ if (err < 0)
	632	+ goto out_fd;
	633	+
	634	++ if (ccs_socket_post_accept_permission(sock, newsock)) {
	635	++ err = -EAGAIN; /* Hope less harmful than -EPERM. */
	636	++ goto out_fd;
	637	++ }
	638	+ if (upeer_sockaddr) {
	639	+ len = newsock->ops->getname(newsock,
	640	+ (struct sockaddr *)&address, 2);
	641	+--- linux.orig/net/unix/af_unix.c
	642	++++ linux/net/unix/af_unix.c
	643	+@@ -2417,6 +2417,10 @@ int __unix_dgram_recvmsg(struct sock *sk
	644	+ EPOLLOUT \| EPOLLWRNORM \|
	645	+ EPOLLWRBAND);
	646	+
	647	++ if (ccs_socket_post_recvmsg_permission(sk, skb, flags)) {
	648	++ err = -EAGAIN; /* Hope less harmful than -EPERM. */
	649	++ goto out_unlock;
	650	++ }
	651	+ if (msg->msg_name)
	652	+ unix_copy_addr(msg, skb->sk);
	653	+
	654	+@@ -2467,6 +2471,7 @@ int __unix_dgram_recvmsg(struct sock *sk
	655	+
	656	+ out_free:
	657	+ skb_free_datagram(sk, skb);
	658	++out_unlock:
	659	+ mutex_unlock(&u->iolock);
	660	+ out:
	661	+ return err;
	662	+--- linux.orig/security/Kconfig
	663	++++ linux/security/Kconfig
	664	+@@ -271,5 +271,7 @@ config LSM
	665	+
	666	+ source "security/Kconfig.hardening"
	667	+
	668	++source "security/ccsecurity/Kconfig"
	669	++
	670	+ endmenu
	671	+
	672	+--- linux.orig/security/Makefile
	673	++++ linux/security/Makefile
	674	+@@ -27,3 +27,6 @@ obj-$(CONFIG_SECURITY_LANDLOCK) += land
	675	+
	676	+ # Object integrity file lists
	677	+ obj-$(CONFIG_INTEGRITY) += integrity/
	678	++
	679	++subdir-$(CONFIG_CCSECURITY) += ccsecurity
	680	++obj-$(CONFIG_CCSECURITY) += ccsecurity/
	681	+--- linux.orig/security/security.c
	682	++++ linux/security/security.c
	683	+@@ -1655,7 +1655,9 @@ int security_task_alloc(struct task_stru
	684	+
	685	+ if (rc)
	686	+ return rc;
	687	+- rc = call_int_hook(task_alloc, 0, task, clone_flags);
	688	++ rc = ccs_alloc_task_security(task);
	689	++ if (likely(!rc))
	690	++ rc = call_int_hook(task_alloc, 0, task, clone_flags);
	691	+ if (unlikely(rc))
	692	+ security_task_free(task);
	693	+ return rc;
	694	+@@ -1664,6 +1666,7 @@ int security_task_alloc(struct task_stru
	695	+ void security_task_free(struct task_struct *task)
	696	+ {
	697	+ call_void_hook(task_free, task);
	698	++ ccs_free_task_security(task);
	699	+
	700	+ kfree(task->security);
	701	+ task->security = NULL;

--- trunk/caitsith-patch/security/caitsith/lsm2caitsith.c (revision 367)

+++ trunk/caitsith-patch/security/caitsith/lsm2caitsith.c (revision 368)

		@@ -138,11 +138,20 @@
138	138	return ccs_link_permission(old_dentry, new_dentry, new_dir->mnt);
139	139	}
140	140
	141	+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 19, 0)
141	142	int ccs_path_rename(const struct path old_dir, struct dentry old_dentry,
	143	+ const struct path new_dir, struct dentry new_dentry,
	144	+ const unsigned int flags)
	145	+{
	146	+ return ccs_rename_permission(old_dentry, new_dentry, new_dir->mnt, flags);
	147	+}
	148	+#else
	149	+int ccs_path_rename(const struct path old_dir, struct dentry old_dentry,
142	150	const struct path new_dir, struct dentry new_dentry)
143	151	{
144	152	return ccs_rename_permission(old_dentry, new_dentry, new_dir->mnt);
145	153	}
	154	+#endif
146	155
147	156	int ccs_path_chmod(const struct path *path, umode_t mode)
148	157	{

--- trunk/caitsith-patch/security/caitsith/permission.c (revision 367)

+++ trunk/caitsith-patch/security/caitsith/permission.c (revision 368)

		@@ -169,9 +169,16 @@
169	169	#endif
170	170	static int cs_pivot_root_permission(const struct path *old_path,
171	171	const struct path *new_path);
	172	+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 19, 0)
172	173	static int cs_rename_permission(struct dentry *old_dentry,
173	174	struct dentry *new_dentry,
	175	+ struct vfsmount *mnt,
	176	+ const unsigned int flags);
	177	+#else
	178	+static int cs_rename_permission(struct dentry *old_dentry,
	179	+ struct dentry *new_dentry,
174	180	struct vfsmount *mnt);
	181	+#endif
175	182	static int cs_rmdir_permission(struct dentry dentry, struct vfsmount mnt);
176	183	#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 8, 0)
177	184	static int cs_search_binary_handler(struct linux_binprm *bprm,

		@@ -1993,6 +2000,7 @@
1993	2000	return cs_path_perm(CS_MAC_TRUNCATE, &path);
1994	2001	}
1995	2002
	2003	+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 19, 0)
1996	2004	/**
1997	2005	* cs_rename_permission - Check permission for vfs_rename().
1998	2006	*

		@@ -1999,11 +2007,38 @@
1999	2007	* @old_dentry: Pointer to "struct dentry".
2000	2008	* @new_dentry: Pointer to "struct dentry".
2001	2009	* @mnt: Pointer to "struct vfsmount". Maybe NULL.
	2010	+ * @flags: Rename flags.
2002	2011	*
2003	2012	* Returns 0 on success, negative value otherwise.
2004	2013	*/
2005	2014	static int cs_rename_permission(struct dentry *old_dentry,
2006	2015	struct dentry *new_dentry,
	2016	+ struct vfsmount *mnt,
	2017	+ const unsigned int flags)
	2018	+{
	2019	+ struct path old = { .mnt = mnt, .dentry = old_dentry };
	2020	+ struct path new = { .mnt = mnt, .dentry = new_dentry };
	2021	+
	2022	+ if (flags & RENAME_EXCHANGE) {
	2023	+ const int err = cs_path2_perm(CS_MAC_RENAME, &new, &old);
	2024	+
	2025	+ if (err)
	2026	+ return err;
	2027	+ }
	2028	+ return cs_path2_perm(CS_MAC_RENAME, &old, &new);
	2029	+}
	2030	+#else
	2031	+/**
	2032	+ * cs_rename_permission - Check permission for vfs_rename().
	2033	+ *
	2034	+ * @old_dentry: Pointer to "struct dentry".
	2035	+ * @new_dentry: Pointer to "struct dentry".
	2036	+ * @mnt: Pointer to "struct vfsmount". Maybe NULL.
	2037	+ *
	2038	+ * Returns 0 on success, negative value otherwise.
	2039	+ */
	2040	+static int cs_rename_permission(struct dentry *old_dentry,
	2041	+ struct dentry *new_dentry,
2007	2042	struct vfsmount *mnt)
2008	2043	{
2009	2044	struct path old = { .mnt = mnt, .dentry = old_dentry };

		@@ -2011,6 +2046,7 @@
2011	2046
2012	2047	return cs_path2_perm(CS_MAC_RENAME, &old, &new);
2013	2048	}
	2049	+#endif
2014	2050
2015	2051	/**
2016	2052	* cs_link_permission - Check permission for vfs_link().

Show on old repository browser