fsnotify, lsm: Decouple fsnotify from lsm
authorSong Liu <[email protected]>
Sun, 13 Oct 2024 00:22:48 +0000 (17:22 -0700)
committerJan Kara <[email protected]>
Mon, 14 Oct 2024 15:38:27 +0000 (17:38 +0200)
Currently, fsnotify_open_perm() is called from security_file_open().
This is a bit unexpected and creates an otherwise unnecessary dependency
of CONFIG_FANOTIFY_ACCESS_PERMISSIONS on CONFIG_SECURITY. Fix this by
calling fsnotify_open_perm() directly.

Signed-off-by: Song Liu <[email protected]>
Acked-by: Paul Moore <[email protected]>
Signed-off-by: Jan Kara <[email protected]>
Link: https://patch.msgid.link/[email protected]
fs/notify/fanotify/Kconfig
fs/open.c
security/security.c

index a511f9d8677ba02076e5a71a755b77e87db2d843..0e36aaf379b7369843422d359506f3862a8abbd6 100644 (file)
@@ -15,7 +15,6 @@ config FANOTIFY
 config FANOTIFY_ACCESS_PERMISSIONS
        bool "fanotify permissions checking"
        depends on FANOTIFY
-       depends on SECURITY
        default n
        help
           Say Y here is you want fanotify listeners to be able to make permissions
index acaeb3e25c88ecdd635619872eea8ebe23622349..6c4950f19cfba78fa1840a528a127d77c32157e5 100644 (file)
--- a/fs/open.c
+++ b/fs/open.c
@@ -946,6 +946,10 @@ static int do_dentry_open(struct file *f,
        if (error)
                goto cleanup_all;
 
+       error = fsnotify_open_perm(f);
+       if (error)
+               goto cleanup_all;
+
        error = break_lease(file_inode(f), f->f_flags);
        if (error)
                goto cleanup_all;
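Review bot: The new fsnotify_open_perm() call in do_dentry_open() has no comment explaining why it sits at this point in the open sequence. The code removed from security/security.c raised the fanotify permission event only after the LSM file_open hooks had succeeded. This placement appears to keep that order, assuming the `if (error)` check just above belongs to the security_file_open() call, which is outside the hunk. I would add a comment such as `/* Ask fanotify permission listeners only after the LSM hooks have allowed the open. */` so that a later reordering does not deliver permission events for opens an LSM would have rejected. do_dentry_open() starts and ends outside the hunk.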
index c5981e558bc2643b485778edf5c5c20f725ccb00..19e87a1593032caa7899f14f1ac9b1669e078ff8 100644 (file)
@@ -19,7 +19,6 @@
 #include <linux/kernel.h>
 #include <linux/kernel_read_file.h>
 #include <linux/lsm_hooks.h>
-#include <linux/fsnotify.h>
 #include <linux/mman.h>
 #include <linux/mount.h>
 #include <linux/personality.h>
@@ -3104,13 +3103,7 @@ int security_file_receive(struct file *file)
  */
 int security_file_open(struct file *file)
 {
-       int ret;
-
-       ret = call_int_hook(file_open, file);
-       if (ret)
-               return ret;
-
-       return fsnotify_open_perm(file);
+       return call_int_hook(file_open, file);
 }
 
 /**
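Review bot: security_file_open() no longer ends with fsnotify_open_perm(), so any caller other than do_dentry_open() would silently stop raising the fanotify open-permission event. Only the fs/open.c call site is visible in this diff. It is worth confirming that no other caller exists, because on-access scanners that rely on that event would miss those opens without any error being reported. The kernel-doc comment for security_file_open() begins above the hunk; if it mentions the fanotify check, it should be updated to say the function now runs only the LSM file_open hooks.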