* [PATCH] export xattr_resolve_name_sns [1/4]
@ 2007-06-21 16:02 Alexander Wuerstlein
From: Alexander Wuerstlein @ 2007-06-21 16:02 UTC
To: linux-kernel; +Cc: Johannes Schlumberger
From: Johannes Schlumberger <spjsschl@cip.informatik.uni-erlangen.de>
Makes it possible to get extended attributes for a given inode. We need this
for cases where we no longer have the corresponding direntry.
Signed-off-by: Johannes Schlumberger <spjsschl@cip.informatik.uni-erlangen.de>
---
fs/xattr.c | 18 ++++++++++++++++++
include/linux/xattr.h | 1 +
2 files changed, 19 insertions(+), 0 deletions(-)
diff --git a/fs/xattr.c b/fs/xattr.c
index 4523aca..467417f 100644
--- a/fs/xattr.c
+++ b/fs/xattr.c
@@ -538,6 +538,24 @@ xattr_resolve_name(struct xattr_handler **handlers, const char **name)
return handler;
}
+struct xattr_handler *
+xattr_resolve_name_sns(struct xattr_handler **handlers, const char **name)
+{
+ struct xattr_handler *handler;
+
+ if (!*name)
+ return NULL;
+
+ for_each_xattr_handler(handlers, handler) {
+ const char *n = strcmp_prefix(*name, handler->prefix);
+ if (n) {
+ *name = n;
+ break;
+ }
+ }
+ return handler;
+}
+
/*
* Find the handler for the prefix and dispatch its get() operation.
*/
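Review bot: the new function is a line-for-line copy of the prefix-matching loop in `xattr_resolve_name`, whose identical signature `xattr_resolve_name(struct xattr_handler **handlers, const char **name)` is visible in the hunk header, so the subject's "export" is achieved by duplication rather than by making the existing function callable; if `xattr_resolve_name` is file-local, drop its `static` and declare it in the header, or make `xattr_resolve_name_sns` a one-line wrapper, so the two copies cannot drift apart. Two further points for this hunk: there is no `EXPORT_SYMBOL()` (or `EXPORT_SYMBOL_GPL()`) for `xattr_resolve_name_sns`, so a modular caller still cannot link against it; and the commit message says the change "makes it possible to get extended attributes for a given inode", but the function takes no inode and only maps a name prefix to its handler, so either the description should say what is really added or the `_sns` variant should get a comment explaining why it exists and what the suffix means.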
diff --git a/include/linux/xattr.h b/include/linux/xattr.h
index def131a..5653508 100644
--- a/include/linux/xattr.h
+++ b/include/linux/xattr.h
@@ -46,6 +46,7 @@ struct xattr_handler {
size_t size, int flags);
};
+struct xattr_handler * xattr_resolve_name_sns(struct xattr_handler **, const char **);
ssize_t vfs_getxattr(struct dentry *, char *, void *, size_t);
ssize_t vfs_listxattr(struct dentry *d, char *list, size_t size);
int vfs_setxattr(struct dentry *, char *, void *, size_t, int);
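Review bot: the added prototype has a stray space after the `*` (`struct xattr_handler * xattr_resolve_name_sns(`), which does not match the `vfs_*` declarations below it; write it as `struct xattr_handler *xattr_resolve_name_sns(struct xattr_handler **, const char **);`. The declaration is also added with no in-tree caller anywhere in this patch, so its intended use cannot be checked here; the commit message should say which later patch in the series uses it, and a one-line comment at the declaration should state what callers may expect of `*name` on return (it is advanced past the matched prefix in the hunk above).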
--
1.5.2.1
* [PATCH] signed binaries support [0/4]
@ 2007-06-21 15:55 Johannes Schlumberger
2007-06-22 18:25 ` [PATCH] export xattr_resolve_name_sns [1/4] Alexander Wuerstlein
From: Johannes Schlumberger @ 2007-06-21 15:55 UTC
To: linux-kernel
Hi,
We (two students of CS) built a system for signing binaries and verifying them
before executing. Our main focus was to implement a way to inhibit execution
of suid-binaries, which are not trustworthy (i.e. not signed). Of course this
can also be used to grant other access rights, capabilities, etc.
The signature (e.g. HMAC-SHA1 with a shared secret) is stored in extended
filesystem attributes (userland-signing-tool provided) [1]. Depending on the
outcome of our check (performed during exec) a newly introduced flag in
the task_struct is set. To be able to also check libraries, we introduced a
similar flag in the vm_area struct. Depending on the state of the flag, the
suid/sgid bit on the file is honored or ignored. If a process behaves badly
(e.g. mapping executable memory writable or loading an untrusted library) it
is handled appropriately (killed in our current implementation).
In the current state our code is of course very experimental and should be
handled with care.
We mainly seek comments, suggestions and wisdom before we tackle the more
difficult tasks, like proper signatures (public-key-systems, etc.).
regards,
Johannes
[1] http://git.informatik.uni-erlangen.de/?p=ssuid-userland&a=snapshot;h=HEAD
--
Johannes Schlumberger Department of Computer Science IV
Martensstrasse 1 D-91058 Erlangen Germany University of Erlangen-Nuremberg
http://wwwcip.informatik.uni-erlangen.de/~spjsschl
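The userland half of the scheme the cover letter describes, as an added example for this page (not the ssuid-userland tool from the thread): an HMAC-SHA1 tag over the file contents is computed under a shared secret, stored in an extended attribute, and re-checked at exec time; the result of that check then decides whether the file's suid bit is honored. The attribute name `user.ssuid.hmac`, the key handling, and the boolean that stands in for the task_struct flag are assumptions made here, not details from the thread.

```python
# Added example for this page, not code from the ssuid project.
# Models the cover letter's design: HMAC-SHA1(secret, file) stored in an
# xattr, verified before exec, and the suid bit honored only on success.
# Assumptions: the xattr name, the key source, and 'trusted' as a plain
# bool standing in for the kernel-side task_struct flag.
import hashlib
import hmac
import os
import stat
import tempfile
from typing import Optional

XATTR_NAME = "user.ssuid.hmac"        # hypothetical attribute name
TAG_LEN = hashlib.sha1().digest_size  # 20 bytes for HMAC-SHA1


def sign_bytes(data: bytes, key: bytes) -> bytes:
    """Tag = HMAC-SHA1(key, file contents)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def verify_bytes(data: bytes, key: bytes, tag: Optional[bytes]) -> bool:
    """True only if a well-formed tag is present and matches.
    compare_digest keeps the comparison constant-time, so a forger
    learns nothing from how long a rejection takes."""
    if tag is None or len(tag) != TAG_LEN:
        return False
    return hmac.compare_digest(sign_bytes(data, key), tag)


def sign_file(path: str, key: bytes) -> None:
    """Store the tag on the file itself (Linux user.* xattr)."""
    with open(path, "rb") as f:
        data = f.read()
    os.setxattr(path, XATTR_NAME, sign_bytes(data, key))


def read_tag(path: str) -> Optional[bytes]:
    """A missing attribute and a filesystem without xattr support both
    mean 'unsigned'; the verifier treats that like a bad signature."""
    try:
        return os.getxattr(path, XATTR_NAME)
    except OSError:
        return None


def exec_check(path: str, key: bytes) -> bool:
    """What the exec-time hook computes: the 'trusted' flag."""
    with open(path, "rb") as f:
        data = f.read()
    return verify_bytes(data, key, read_tag(path))


def honor_setuid(mode: int, trusted: bool) -> bool:
    """Model of the policy in the cover letter: the suid bit on the file
    takes effect only when the binary verified."""
    return bool(mode & stat.S_ISUID) and trusted


if __name__ == "__main__":
    key = b"constructed-shared-secret"          # constructed for the demo
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"#!/bin/sh\necho hello\n")     # constructed 'binary'
        path = tmp.name
    try:
        sign_file(path, key)
        print("signed, trusted:", exec_check(path, key))
        with open(path, "ab") as f:
            f.write(b"# tampered\n")
        print("tampered, trusted:", exec_check(path, key))
    except OSError as e:
        print("xattrs unsupported on this filesystem:", e)
    finally:
        os.unlink(path)
```

Run it on a filesystem with user xattrs enabled to see the signed file verify and the tampered copy fail. Note the limit the thread itself acknowledges: with a shared-secret HMAC, anyone who can read the key can sign, so the kernel-side check only excludes files nobody with the key vouched for; the public-key follow-up the author mentions is what turns this into a real authorization boundary.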
* [PATCH] export xattr_resolve_name_sns [1/4]
2007-06-21 15:55 [PATCH] signed binaries support [0/4] Johannes Schlumberger
@ 2007-06-22 18:25 ` Alexander Wuerstlein
From: Alexander Wuerstlein @ 2007-06-22 18:25 UTC
To: linux-kernel; +Cc: Johannes Schlumberger
From: Johannes Schlumberger <spjsschl@cip.informatik.uni-erlangen.de>
Makes it possible to get extended attributes for a given inode. We need this
for cases where we no longer have the corresponding direntry.
Signed-off-by: Johannes Schlumberger <spjsschl@cip.informatik.uni-erlangen.de>
---
fs/xattr.c | 18 ++++++++++++++++++
include/linux/xattr.h | 1 +
2 files changed, 19 insertions(+), 0 deletions(-)
diff --git a/fs/xattr.c b/fs/xattr.c
index 4523aca..467417f 100644
--- a/fs/xattr.c
+++ b/fs/xattr.c
@@ -538,6 +538,24 @@ xattr_resolve_name(struct xattr_handler **handlers, const char **name)
return handler;
}
+struct xattr_handler *
+xattr_resolve_name_sns(struct xattr_handler **handlers, const char **name)
+{
+ struct xattr_handler *handler;
+
+ if (!*name)
+ return NULL;
+
+ for_each_xattr_handler(handlers, handler) {
+ const char *n = strcmp_prefix(*name, handler->prefix);
+ if (n) {
+ *name = n;
+ break;
+ }
+ }
+ return handler;
+}
+
/*
* Find the handler for the prefix and dispatch its get() operation.
*/
diff --git a/include/linux/xattr.h b/include/linux/xattr.h
index def131a..5653508 100644
--- a/include/linux/xattr.h
+++ b/include/linux/xattr.h
@@ -46,6 +46,7 @@ struct xattr_handler {
size_t size, int flags);
};
+struct xattr_handler * xattr_resolve_name_sns(struct xattr_handler **, const char **);
ssize_t vfs_getxattr(struct dentry *, char *, void *, size_t);
ssize_t vfs_listxattr(struct dentry *d, char *list, size_t size);
int vfs_setxattr(struct dentry *, char *, void *, size_t, int);
--
1.5.2.1