From 30524472c2f728c20d6bf35191042a5d455c0a64 Mon Sep 17 00:00:00 2001 From: Al Viro Date: Tue, 22 Jul 2008 00:02:33 -0400 Subject: [PATCH] take noexec checks to very few callers that care Signed-off-by: Al Viro --- fs/exec.c | 7 +++++++ fs/namei.c | 9 --------- fs/open.c | 10 ++++++++++ 3 files changed, 17 insertions(+), 9 deletions(-) (limited to 'fs') diff --git a/fs/exec.c b/fs/exec.c index 346e3f69c6e0..eca58c29eded 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -118,6 +118,10 @@ asmlinkage long sys_uselib(const char __user * library) if (!S_ISREG(nd.path.dentry->d_inode->i_mode)) goto exit; + error = -EACCES; + if (nd.path.mnt->mnt_flags & MNT_NOEXEC) + goto exit; + error = vfs_permission(&nd, MAY_READ | MAY_EXEC | MAY_OPEN); if (error) goto exit; @@ -668,6 +672,9 @@ struct file *open_exec(const char *name) if (!S_ISREG(nd.path.dentry->d_inode->i_mode)) goto out_path_put; + if (nd.path.mnt->mnt_flags & MNT_NOEXEC) + goto out_path_put; + err = vfs_permission(&nd, MAY_EXEC | MAY_OPEN); if (err) goto out_path_put; diff --git a/fs/namei.c b/fs/namei.c index 6d75430358ac..396cb3e5c364 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -252,15 +252,6 @@ int permission(struct inode *inode, int mask, struct nameidata *nd) return -EACCES; } - if ((mask & MAY_EXEC) && S_ISREG(inode->i_mode)) { - /* - * MAY_EXEC on regular files is denied if the fs is mounted - * with the "noexec" flag. - */ - if (mnt && (mnt->mnt_flags & MNT_NOEXEC)) - return -EACCES; - } - /* Ordinary permission routines do not understand MAY_APPEND. */ if (inode->i_op && inode->i_op->permission) { retval = inode->i_op->permission(inode, mask); diff --git a/fs/open.c b/fs/open.c index 3b3c43674be3..d5e421ad0cf6 100644 --- a/fs/open.c +++ b/fs/open.c @@ -461,6 +461,16 @@ asmlinkage long sys_faccessat(int dfd, const char __user *filename, int mode) if (res) goto out; + if ((mode & MAY_EXEC) && S_ISREG(nd.path.dentry->d_inode->i_mode)) { + /* + * MAY_EXEC on regular files is denied if the fs is mounted + * with the "noexec" flag. + */ + res = -EACCES; + if (nd.path.mnt->mnt_flags & MNT_NOEXEC) + goto out_path_release; + } + res = vfs_permission(&nd, mode | MAY_ACCESS); /* SuS v2 requires we report a read only fs too */ if(res || !(mode & S_IWOTH) || -- cgit v1.2.3