Labeled NFS [v5]

Labeled NFS [v5]

[David Quigley]

The NFSv4 working group has finally accepted Labeled NFS as part of the NFSv4.2
specification and it has been decided that a reposting of the Labeled NFS code
for inclusion into mainline was a good idea. The patches have been rebased onto
v3.7-rc2 and have been tested against the SELinux testsuite with the only
failures being for features not supported by NFS.

Labeled NFS [v5]

[David Quigley]

The NFSv4 working group has finally accepted Labeled NFS as part of the NFSv4.2
specification and it has been decided that a reposting of the Labeled NFS code
for inclusion into mainline was a good idea. The patches have been rebased onto
v3.7-rc2 and have been tested against the SELinux testsuite with the only
failures being for features not supported by NFS.



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[PATCH 01/13] Security: Add hook to calculate context based on a negative dentry.

[David Quigley]

From: David Quigley <dpquigl@davequigley.com>

There is a time where we need to calculate a context without the
inode having been created yet. To do this we take the negative dentry and
calculate a context based on the process and the parent directory contexts.

Signed-off-by: Matthew N. Dodd <Matthew.Dodd@sparta.com>
Signed-off-by: Miguel Rodel Felipe <Rodel_FM@dsi.a-star.edu.sg>
Signed-off-by: Phua Eu Gene <PHUA_Eu_Gene@dsi.a-star.edu.sg>
Signed-off-by: Khin Mi Mi Aung <Mi_Mi_AUNG@dsi.a-star.edu.sg>
Signed-off-by: David Quigley <dpquigl@davequigley.com>
---
 include/linux/security.h | 27 +++++++++++++++++++++++++++
 security/capability.c    |  8 ++++++++
 security/security.c      | 10 ++++++++++
 security/selinux/hooks.c | 35 +++++++++++++++++++++++++++++++++++
 4 files changed, 80 insertions(+)

diff --git a/include/linux/security.h b/include/linux/security.h
index 05e88bd..c9f5eec 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -26,6 +26,7 @@
 #include <linux/capability.h>
 #include <linux/slab.h>
 #include <linux/err.h>
+#include <linux/string.h>
 
 struct linux_binprm;
 struct cred;
@@ -306,6 +307,15 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
  *	Parse a string of security data filling in the opts structure
  *	@options string containing all mount options known by the LSM
  *	@opts binary data structure usable by the LSM
+ * @dentry_init_security:
+ *	Compute a context for a dentry as the inode is not yet available
+ *	since NFSv4 has no label backed by an EA anyway.
+ *	@dentry dentry to use in calculating the context.
+ *	@mode mode used to determine resource type.
+ *	@name name of the last path component used to create file
+ *	@ctx pointer to place the pointer to the resulting context in.
+ *	@ctxlen point to place the length of the resulting context.
+ *
  *
  * Security hooks for inode operations.
  *
@@ -1421,6 +1431,10 @@ struct security_operations {
 	void (*sb_clone_mnt_opts) (const struct super_block *oldsb,
 				   struct super_block *newsb);
 	int (*sb_parse_opts_str) (char *options, struct security_mnt_opts *opts);
+	int (*dentry_init_security) (struct dentry *dentry, int mode,
+					struct qstr *name, void **ctx,
+					u32 *ctxlen);
+
 
 #ifdef CONFIG_SECURITY_PATH
 	int (*path_unlink) (struct path *dir, struct dentry *dentry);
@@ -1702,6 +1716,9 @@ int security_sb_set_mnt_opts(struct super_block *sb, struct security_mnt_opts *o
 void security_sb_clone_mnt_opts(const struct super_block *oldsb,
 				struct super_block *newsb);
 int security_sb_parse_opts_str(char *options, struct security_mnt_opts *opts);
+int security_dentry_init_security(struct dentry *dentry, int mode,
+					struct qstr *name, void **ctx,
+					u32 *ctxlen);
 
 int security_inode_alloc(struct inode *inode);
 void security_inode_free(struct inode *inode);
@@ -2005,6 +2022,16 @@ static inline int security_inode_alloc(struct inode *inode)
 static inline void security_inode_free(struct inode *inode)
 { }
 
+static inline int security_dentry_init_security(struct dentry *dentry,
+						 int mode,
+						 struct qstr *name,
+						 void **ctx,
+						 u32 *ctxlen)
+{
+	return -EOPNOTSUPP;
+}
+
+
 static inline int security_inode_init_security(struct inode *inode,
 						struct inode *dir,
 						const struct qstr *qstr,
diff --git a/security/capability.c b/security/capability.c
index b14a30c..f1eb284 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -108,6 +108,13 @@ static int cap_sb_parse_opts_str(char *options, struct security_mnt_opts *opts)
 	return 0;
 }
 
+static int cap_dentry_init_security(struct dentry *dentry, int mode,
+					struct qstr *name, void **ctx,
+					u32 *ctxlen)
+{
+	return 0;
+}
+
 static int cap_inode_alloc_security(struct inode *inode)
 {
 	return 0;
@@ -905,6 +912,7 @@ void __init security_fixup_ops(struct security_operations *ops)
 	set_to_cap_if_null(ops, sb_set_mnt_opts);
 	set_to_cap_if_null(ops, sb_clone_mnt_opts);
 	set_to_cap_if_null(ops, sb_parse_opts_str);
+	set_to_cap_if_null(ops, dentry_init_security);
 	set_to_cap_if_null(ops, inode_alloc_security);
 	set_to_cap_if_null(ops, inode_free_security);
 	set_to_cap_if_null(ops, inode_init_security);
diff --git a/security/security.c b/security/security.c
index 8dcd4ae..b4b2017 100644
--- a/security/security.c
+++ b/security/security.c
@@ -12,6 +12,7 @@
  */
 
 #include <linux/capability.h>
+#include <linux/dcache.h>
 #include <linux/module.h>
 #include <linux/init.h>
 #include <linux/kernel.h>
@@ -324,6 +325,15 @@ void security_inode_free(struct inode *inode)
 	security_ops->inode_free_security(inode);
 }
 
+int security_dentry_init_security(struct dentry *dentry, int mode,
+					struct qstr *name, void **ctx,
+					u32 *ctxlen)
+{
+	return security_ops->dentry_init_security(dentry, mode, name,
+							ctx, ctxlen);
+}
+EXPORT_SYMBOL(security_dentry_init_security);
+
 int security_inode_init_security(struct inode *inode, struct inode *dir,
 				 const struct qstr *qstr,
 				 const initxattrs initxattrs, void *fs_data)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 61a5336..22d9adf 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2483,6 +2483,40 @@ static void selinux_inode_free_security(struct inode *inode)
 	inode_free_security(inode);
 }
 
+static int selinux_dentry_init_security(struct dentry *dentry, int mode,
+					struct qstr *name, void **ctx,
+					u32 *ctxlen)
+{
+	struct cred *cred = current_cred();
+	struct task_security_struct *tsec;
+	struct inode_security_struct *dsec;
+	struct superblock_security_struct *sbsec;
+	struct inode *dir = dentry->d_parent->d_inode;
+	u32 newsid;
+	int rc;
+
+	tsec = cred->security;
+	dsec = dir->i_security;
+	sbsec = dir->i_sb->s_security;
+
+	if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
+		newsid = tsec->create_sid;
+	} else {
+		rc = security_transition_sid(tsec->sid, dsec->sid,
+					     inode_mode_to_security_class(mode),
+					     name,
+					     &newsid);
+		if (rc) {
+			printk(KERN_WARNING
+				"%s: security_transition_sid failed, rc=%d\n",
+			       __func__, -rc);
+			return rc;
+		}
+	}
+
+	return security_sid_to_context(newsid, (char **)ctx, ctxlen);
+}
+
 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
 				       const struct qstr *qstr, char **name,
 				       void **value, size_t *len)
@@ -5509,6 +5543,7 @@ static struct security_operations selinux_ops = {
 	.sb_clone_mnt_opts =		selinux_sb_clone_mnt_opts,
 	.sb_parse_opts_str = 		selinux_parse_opts_str,
 
+	.dentry_init_security =		selinux_dentry_init_security,
 
 	.inode_alloc_security =		selinux_inode_alloc_security,
 	.inode_free_security =		selinux_inode_free_security,
-- 
1.7.11.7

[PATCH 01/13] Security: Add hook to calculate context based on a negative dentry.

[David Quigley]

From: David Quigley <dpquigl@davequigley.com>

There is a time where we need to calculate a context without the
inode having been created yet. To do this we take the negative dentry and
calculate a context based on the process and the parent directory contexts.

Signed-off-by: Matthew N. Dodd <Matthew.Dodd@sparta.com>
Signed-off-by: Miguel Rodel Felipe <Rodel_FM@dsi.a-star.edu.sg>
Signed-off-by: Phua Eu Gene <PHUA_Eu_Gene@dsi.a-star.edu.sg>
Signed-off-by: Khin Mi Mi Aung <Mi_Mi_AUNG@dsi.a-star.edu.sg>
Signed-off-by: David Quigley <dpquigl@davequigley.com>
---
 include/linux/security.h | 27 +++++++++++++++++++++++++++
 security/capability.c    |  8 ++++++++
 security/security.c      | 10 ++++++++++
 security/selinux/hooks.c | 35 +++++++++++++++++++++++++++++++++++
 4 files changed, 80 insertions(+)

diff --git a/include/linux/security.h b/include/linux/security.h
index 05e88bd..c9f5eec 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -26,6 +26,7 @@
 #include <linux/capability.h>
 #include <linux/slab.h>
 #include <linux/err.h>
+#include <linux/string.h>
 
 struct linux_binprm;
 struct cred;
@@ -306,6 +307,15 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
  *	Parse a string of security data filling in the opts structure
  *	@options string containing all mount options known by the LSM
  *	@opts binary data structure usable by the LSM
+ * @dentry_init_security:
+ *	Compute a context for a dentry as the inode is not yet available
+ *	since NFSv4 has no label backed by an EA anyway.
+ *	@dentry dentry to use in calculating the context.
+ *	@mode mode used to determine resource type.
+ *	@name name of the last path component used to create file
+ *	@ctx pointer to place the pointer to the resulting context in.
+ *	@ctxlen point to place the length of the resulting context.
+ *
  *
  * Security hooks for inode operations.
  *
@@ -1421,6 +1431,10 @@ struct security_operations {
 	void (*sb_clone_mnt_opts) (const struct super_block *oldsb,
 				   struct super_block *newsb);
 	int (*sb_parse_opts_str) (char *options, struct security_mnt_opts *opts);
+	int (*dentry_init_security) (struct dentry *dentry, int mode,
+					struct qstr *name, void **ctx,
+					u32 *ctxlen);
+
 
 #ifdef CONFIG_SECURITY_PATH
 	int (*path_unlink) (struct path *dir, struct dentry *dentry);
@@ -1702,6 +1716,9 @@ int security_sb_set_mnt_opts(struct super_block *sb, struct security_mnt_opts *o
 void security_sb_clone_mnt_opts(const struct super_block *oldsb,
 				struct super_block *newsb);
 int security_sb_parse_opts_str(char *options, struct security_mnt_opts *opts);
+int security_dentry_init_security(struct dentry *dentry, int mode,
+					struct qstr *name, void **ctx,
+					u32 *ctxlen);
 
 int security_inode_alloc(struct inode *inode);
 void security_inode_free(struct inode *inode);
@@ -2005,6 +2022,16 @@ static inline int security_inode_alloc(struct inode *inode)
 static inline void security_inode_free(struct inode *inode)
 { }
 
+static inline int security_dentry_init_security(struct dentry *dentry,
+						 int mode,
+						 struct qstr *name,
+						 void **ctx,
+						 u32 *ctxlen)
+{
+	return -EOPNOTSUPP;
+}
+
+
 static inline int security_inode_init_security(struct inode *inode,
 						struct inode *dir,
 						const struct qstr *qstr,
diff --git a/security/capability.c b/security/capability.c
index b14a30c..f1eb284 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -108,6 +108,13 @@ static int cap_sb_parse_opts_str(char *options, struct security_mnt_opts *opts)
 	return 0;
 }
 
+static int cap_dentry_init_security(struct dentry *dentry, int mode,
+					struct qstr *name, void **ctx,
+					u32 *ctxlen)
+{
+	return 0;
+}
+
 static int cap_inode_alloc_security(struct inode *inode)
 {
 	return 0;
@@ -905,6 +912,7 @@ void __init security_fixup_ops(struct security_operations *ops)
 	set_to_cap_if_null(ops, sb_set_mnt_opts);
 	set_to_cap_if_null(ops, sb_clone_mnt_opts);
 	set_to_cap_if_null(ops, sb_parse_opts_str);
+	set_to_cap_if_null(ops, dentry_init_security);
 	set_to_cap_if_null(ops, inode_alloc_security);
 	set_to_cap_if_null(ops, inode_free_security);
 	set_to_cap_if_null(ops, inode_init_security);
diff --git a/security/security.c b/security/security.c
index 8dcd4ae..b4b2017 100644
--- a/security/security.c
+++ b/security/security.c
@@ -12,6 +12,7 @@
  */
 
 #include <linux/capability.h>
+#include <linux/dcache.h>
 #include <linux/module.h>
 #include <linux/init.h>
 #include <linux/kernel.h>
@@ -324,6 +325,15 @@ void security_inode_free(struct inode *inode)
 	security_ops->inode_free_security(inode);
 }
 
+int security_dentry_init_security(struct dentry *dentry, int mode,
+					struct qstr *name, void **ctx,
+					u32 *ctxlen)
+{
+	return security_ops->dentry_init_security(dentry, mode, name,
+							ctx, ctxlen);
+}
+EXPORT_SYMBOL(security_dentry_init_security);
+
 int security_inode_init_security(struct inode *inode, struct inode *dir,
 				 const struct qstr *qstr,
 				 const initxattrs initxattrs, void *fs_data)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 61a5336..22d9adf 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2483,6 +2483,40 @@ static void selinux_inode_free_security(struct inode *inode)
 	inode_free_security(inode);
 }
 
+static int selinux_dentry_init_security(struct dentry *dentry, int mode,
+					struct qstr *name, void **ctx,
+					u32 *ctxlen)
+{
+	struct cred *cred = current_cred();
+	struct task_security_struct *tsec;
+	struct inode_security_struct *dsec;
+	struct superblock_security_struct *sbsec;
+	struct inode *dir = dentry->d_parent->d_inode;
+	u32 newsid;
+	int rc;
+
+	tsec = cred->security;
+	dsec = dir->i_security;
+	sbsec = dir->i_sb->s_security;
+
+	if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
+		newsid = tsec->create_sid;
+	} else {
+		rc = security_transition_sid(tsec->sid, dsec->sid,
+					     inode_mode_to_security_class(mode),
+					     name,
+					     &newsid);
+		if (rc) {
+			printk(KERN_WARNING
+				"%s: security_transition_sid failed, rc=%d\n",
+			       __func__, -rc);
+			return rc;
+		}
+	}
+
+	return security_sid_to_context(newsid, (char **)ctx, ctxlen);
+}
+
 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
 				       const struct qstr *qstr, char **name,
 				       void **value, size_t *len)
@@ -5509,6 +5543,7 @@ static struct security_operations selinux_ops = {
 	.sb_clone_mnt_opts =		selinux_sb_clone_mnt_opts,
 	.sb_parse_opts_str = 		selinux_parse_opts_str,
 
+	.dentry_init_security =		selinux_dentry_init_security,
 
 	.inode_alloc_security =		selinux_inode_alloc_security,
 	.inode_free_security =		selinux_inode_free_security,
-- 
1.7.11.7


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH 01/13] Security: Add hook to calculate context based on a negative dentry.

[J. Bruce Fields]

On Mon, Nov 12, 2012 at 01:15:35AM -0500, David Quigley wrote:
> From: David Quigley <dpquigl@davequigley.com>
> 
> There is a time where we need to calculate a context without the
> inode having been created yet. To do this we take the negative dentry and
> calculate a context based on the process and the parent directory contexts.
> 
> Signed-off-by: Matthew N. Dodd <Matthew.Dodd@sparta.com>
> Signed-off-by: Miguel Rodel Felipe <Rodel_FM@dsi.a-star.edu.sg>
> Signed-off-by: Phua Eu Gene <PHUA_Eu_Gene@dsi.a-star.edu.sg>
> Signed-off-by: Khin Mi Mi Aung <Mi_Mi_AUNG@dsi.a-star.edu.sg>
> Signed-off-by: David Quigley <dpquigl@davequigley.com>
> ---
>  include/linux/security.h | 27 +++++++++++++++++++++++++++
>  security/capability.c    |  8 ++++++++
>  security/security.c      | 10 ++++++++++
>  security/selinux/hooks.c | 35 +++++++++++++++++++++++++++++++++++
>  4 files changed, 80 insertions(+)
> 
> diff --git a/include/linux/security.h b/include/linux/security.h
> index 05e88bd..c9f5eec 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -26,6 +26,7 @@
>  #include <linux/capability.h>
>  #include <linux/slab.h>
>  #include <linux/err.h>
> +#include <linux/string.h>
>  
>  struct linux_binprm;
>  struct cred;
> @@ -306,6 +307,15 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
>   *	Parse a string of security data filling in the opts structure
>   *	@options string containing all mount options known by the LSM
>   *	@opts binary data structure usable by the LSM
> + * @dentry_init_security:
> + *	Compute a context for a dentry as the inode is not yet available
> + *	since NFSv4 has no label backed by an EA anyway.

I don't understand this comment.  Why exactly is NFSv4 the first user
that needs this?

--b.

> + *	@dentry dentry to use in calculating the context.
> + *	@mode mode used to determine resource type.
> + *	@name name of the last path component used to create file
> + *	@ctx pointer to place the pointer to the resulting context in.
> + *	@ctxlen point to place the length of the resulting context.
> + *
>   *
>   * Security hooks for inode operations.
>   *
> @@ -1421,6 +1431,10 @@ struct security_operations {
>  	void (*sb_clone_mnt_opts) (const struct super_block *oldsb,
>  				   struct super_block *newsb);
>  	int (*sb_parse_opts_str) (char *options, struct security_mnt_opts *opts);
> +	int (*dentry_init_security) (struct dentry *dentry, int mode,
> +					struct qstr *name, void **ctx,
> +					u32 *ctxlen);
> +
>  
>  #ifdef CONFIG_SECURITY_PATH
>  	int (*path_unlink) (struct path *dir, struct dentry *dentry);
> @@ -1702,6 +1716,9 @@ int security_sb_set_mnt_opts(struct super_block *sb, struct security_mnt_opts *o
>  void security_sb_clone_mnt_opts(const struct super_block *oldsb,
>  				struct super_block *newsb);
>  int security_sb_parse_opts_str(char *options, struct security_mnt_opts *opts);
> +int security_dentry_init_security(struct dentry *dentry, int mode,
> +					struct qstr *name, void **ctx,
> +					u32 *ctxlen);
>  
>  int security_inode_alloc(struct inode *inode);
>  void security_inode_free(struct inode *inode);
> @@ -2005,6 +2022,16 @@ static inline int security_inode_alloc(struct inode *inode)
>  static inline void security_inode_free(struct inode *inode)
>  { }
>  
> +static inline int security_dentry_init_security(struct dentry *dentry,
> +						 int mode,
> +						 struct qstr *name,
> +						 void **ctx,
> +						 u32 *ctxlen)
> +{
> +	return -EOPNOTSUPP;
> +}
> +
> +
>  static inline int security_inode_init_security(struct inode *inode,
>  						struct inode *dir,
>  						const struct qstr *qstr,
> diff --git a/security/capability.c b/security/capability.c
> index b14a30c..f1eb284 100644
> --- a/security/capability.c
> +++ b/security/capability.c
> @@ -108,6 +108,13 @@ static int cap_sb_parse_opts_str(char *options, struct security_mnt_opts *opts)
>  	return 0;
>  }
>  
> +static int cap_dentry_init_security(struct dentry *dentry, int mode,
> +					struct qstr *name, void **ctx,
> +					u32 *ctxlen)
> +{
> +	return 0;
> +}
> +
>  static int cap_inode_alloc_security(struct inode *inode)
>  {
>  	return 0;
> @@ -905,6 +912,7 @@ void __init security_fixup_ops(struct security_operations *ops)
>  	set_to_cap_if_null(ops, sb_set_mnt_opts);
>  	set_to_cap_if_null(ops, sb_clone_mnt_opts);
>  	set_to_cap_if_null(ops, sb_parse_opts_str);
> +	set_to_cap_if_null(ops, dentry_init_security);
>  	set_to_cap_if_null(ops, inode_alloc_security);
>  	set_to_cap_if_null(ops, inode_free_security);
>  	set_to_cap_if_null(ops, inode_init_security);
> diff --git a/security/security.c b/security/security.c
> index 8dcd4ae..b4b2017 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -12,6 +12,7 @@
>   */
>  
>  #include <linux/capability.h>
> +#include <linux/dcache.h>
>  #include <linux/module.h>
>  #include <linux/init.h>
>  #include <linux/kernel.h>
> @@ -324,6 +325,15 @@ void security_inode_free(struct inode *inode)
>  	security_ops->inode_free_security(inode);
>  }
>  
> +int security_dentry_init_security(struct dentry *dentry, int mode,
> +					struct qstr *name, void **ctx,
> +					u32 *ctxlen)
> +{
> +	return security_ops->dentry_init_security(dentry, mode, name,
> +							ctx, ctxlen);
> +}
> +EXPORT_SYMBOL(security_dentry_init_security);
> +
>  int security_inode_init_security(struct inode *inode, struct inode *dir,
>  				 const struct qstr *qstr,
>  				 const initxattrs initxattrs, void *fs_data)
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 61a5336..22d9adf 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -2483,6 +2483,40 @@ static void selinux_inode_free_security(struct inode *inode)
>  	inode_free_security(inode);
>  }
>  
> +static int selinux_dentry_init_security(struct dentry *dentry, int mode,
> +					struct qstr *name, void **ctx,
> +					u32 *ctxlen)
> +{
> +	struct cred *cred = current_cred();
> +	struct task_security_struct *tsec;
> +	struct inode_security_struct *dsec;
> +	struct superblock_security_struct *sbsec;
> +	struct inode *dir = dentry->d_parent->d_inode;
> +	u32 newsid;
> +	int rc;
> +
> +	tsec = cred->security;
> +	dsec = dir->i_security;
> +	sbsec = dir->i_sb->s_security;
> +
> +	if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
> +		newsid = tsec->create_sid;
> +	} else {
> +		rc = security_transition_sid(tsec->sid, dsec->sid,
> +					     inode_mode_to_security_class(mode),
> +					     name,
> +					     &newsid);
> +		if (rc) {
> +			printk(KERN_WARNING
> +				"%s: security_transition_sid failed, rc=%d\n",
> +			       __func__, -rc);
> +			return rc;
> +		}
> +	}
> +
> +	return security_sid_to_context(newsid, (char **)ctx, ctxlen);
> +}
> +
>  static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
>  				       const struct qstr *qstr, char **name,
>  				       void **value, size_t *len)
> @@ -5509,6 +5543,7 @@ static struct security_operations selinux_ops = {
>  	.sb_clone_mnt_opts =		selinux_sb_clone_mnt_opts,
>  	.sb_parse_opts_str = 		selinux_parse_opts_str,
>  
> +	.dentry_init_security =		selinux_dentry_init_security,
>  
>  	.inode_alloc_security =		selinux_inode_alloc_security,
>  	.inode_free_security =		selinux_inode_free_security,
> -- 
> 1.7.11.7
> 

Re: [PATCH 01/13] Security: Add hook to calculate context based on a negative dentry.

[Dave Quigley]

On 11/12/2012 7:13 AM, J. Bruce Fields wrote:
> On Mon, Nov 12, 2012 at 01:15:35AM -0500, David Quigley wrote:
>> From: David Quigley <dpquigl@davequigley.com>
>>
>> There is a time where we need to calculate a context without the
>> inode having been created yet. To do this we take the negative dentry and
>> calculate a context based on the process and the parent directory contexts.
>>
>> Signed-off-by: Matthew N. Dodd <Matthew.Dodd@sparta.com>
>> Signed-off-by: Miguel Rodel Felipe <Rodel_FM@dsi.a-star.edu.sg>
>> Signed-off-by: Phua Eu Gene <PHUA_Eu_Gene@dsi.a-star.edu.sg>
>> Signed-off-by: Khin Mi Mi Aung <Mi_Mi_AUNG@dsi.a-star.edu.sg>
>> Signed-off-by: David Quigley <dpquigl@davequigley.com>
>> ---
>>   include/linux/security.h | 27 +++++++++++++++++++++++++++
>>   security/capability.c    |  8 ++++++++
>>   security/security.c      | 10 ++++++++++
>>   security/selinux/hooks.c | 35 +++++++++++++++++++++++++++++++++++
>>   4 files changed, 80 insertions(+)
>>
>> diff --git a/include/linux/security.h b/include/linux/security.h
>> index 05e88bd..c9f5eec 100644
>> --- a/include/linux/security.h
>> +++ b/include/linux/security.h
>> @@ -26,6 +26,7 @@
>>   #include <linux/capability.h>
>>   #include <linux/slab.h>
>>   #include <linux/err.h>
>> +#include <linux/string.h>
>>
>>   struct linux_binprm;
>>   struct cred;
>> @@ -306,6 +307,15 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
>>    *	Parse a string of security data filling in the opts structure
>>    *	@options string containing all mount options known by the LSM
>>    *	@opts binary data structure usable by the LSM
>> + * @dentry_init_security:
>> + *	Compute a context for a dentry as the inode is not yet available
>> + *	since NFSv4 has no label backed by an EA anyway.
>
> I don't understand this comment.  Why exactly is NFSv4 the first user
> that needs this?
>
> --b.
>

Normally the calculation of a label for an inode is based on the inode 
and the parent directory. We unfortunately don't have all of that 
information available in NFSv4 where we need it so instead we base the 
calculation off of the dentry instead. That is the best I can remember 
for why we do it. Unfortunately that decision was made so long ago its 
hard to remember the fine details.

>> + *	@dentry dentry to use in calculating the context.
>> + *	@mode mode used to determine resource type.
>> + *	@name name of the last path component used to create file
>> + *	@ctx pointer to place the pointer to the resulting context in.
>> + *	@ctxlen point to place the length of the resulting context.
>> + *
>>    *
>>    * Security hooks for inode operations.
>>    *
>> @@ -1421,6 +1431,10 @@ struct security_operations {
>>   	void (*sb_clone_mnt_opts) (const struct super_block *oldsb,
>>   				   struct super_block *newsb);
>>   	int (*sb_parse_opts_str) (char *options, struct security_mnt_opts *opts);
>> +	int (*dentry_init_security) (struct dentry *dentry, int mode,
>> +					struct qstr *name, void **ctx,
>> +					u32 *ctxlen);
>> +
>>
>>   #ifdef CONFIG_SECURITY_PATH
>>   	int (*path_unlink) (struct path *dir, struct dentry *dentry);
>> @@ -1702,6 +1716,9 @@ int security_sb_set_mnt_opts(struct super_block *sb, struct security_mnt_opts *o
>>   void security_sb_clone_mnt_opts(const struct super_block *oldsb,
>>   				struct super_block *newsb);
>>   int security_sb_parse_opts_str(char *options, struct security_mnt_opts *opts);
>> +int security_dentry_init_security(struct dentry *dentry, int mode,
>> +					struct qstr *name, void **ctx,
>> +					u32 *ctxlen);
>>
>>   int security_inode_alloc(struct inode *inode);
>>   void security_inode_free(struct inode *inode);
>> @@ -2005,6 +2022,16 @@ static inline int security_inode_alloc(struct inode *inode)
>>   static inline void security_inode_free(struct inode *inode)
>>   { }
>>
>> +static inline int security_dentry_init_security(struct dentry *dentry,
>> +						 int mode,
>> +						 struct qstr *name,
>> +						 void **ctx,
>> +						 u32 *ctxlen)
>> +{
>> +	return -EOPNOTSUPP;
>> +}
>> +
>> +
>>   static inline int security_inode_init_security(struct inode *inode,
>>   						struct inode *dir,
>>   						const struct qstr *qstr,
>> diff --git a/security/capability.c b/security/capability.c
>> index b14a30c..f1eb284 100644
>> --- a/security/capability.c
>> +++ b/security/capability.c
>> @@ -108,6 +108,13 @@ static int cap_sb_parse_opts_str(char *options, struct security_mnt_opts *opts)
>>   	return 0;
>>   }
>>
>> +static int cap_dentry_init_security(struct dentry *dentry, int mode,
>> +					struct qstr *name, void **ctx,
>> +					u32 *ctxlen)
>> +{
>> +	return 0;
>> +}
>> +
>>   static int cap_inode_alloc_security(struct inode *inode)
>>   {
>>   	return 0;
>> @@ -905,6 +912,7 @@ void __init security_fixup_ops(struct security_operations *ops)
>>   	set_to_cap_if_null(ops, sb_set_mnt_opts);
>>   	set_to_cap_if_null(ops, sb_clone_mnt_opts);
>>   	set_to_cap_if_null(ops, sb_parse_opts_str);
>> +	set_to_cap_if_null(ops, dentry_init_security);
>>   	set_to_cap_if_null(ops, inode_alloc_security);
>>   	set_to_cap_if_null(ops, inode_free_security);
>>   	set_to_cap_if_null(ops, inode_init_security);
>> diff --git a/security/security.c b/security/security.c
>> index 8dcd4ae..b4b2017 100644
>> --- a/security/security.c
>> +++ b/security/security.c
>> @@ -12,6 +12,7 @@
>>    */
>>
>>   #include <linux/capability.h>
>> +#include <linux/dcache.h>
>>   #include <linux/module.h>
>>   #include <linux/init.h>
>>   #include <linux/kernel.h>
>> @@ -324,6 +325,15 @@ void security_inode_free(struct inode *inode)
>>   	security_ops->inode_free_security(inode);
>>   }
>>
>> +int security_dentry_init_security(struct dentry *dentry, int mode,
>> +					struct qstr *name, void **ctx,
>> +					u32 *ctxlen)
>> +{
>> +	return security_ops->dentry_init_security(dentry, mode, name,
>> +							ctx, ctxlen);
>> +}
>> +EXPORT_SYMBOL(security_dentry_init_security);
>> +
>>   int security_inode_init_security(struct inode *inode, struct inode *dir,
>>   				 const struct qstr *qstr,
>>   				 const initxattrs initxattrs, void *fs_data)
>> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
>> index 61a5336..22d9adf 100644
>> --- a/security/selinux/hooks.c
>> +++ b/security/selinux/hooks.c
>> @@ -2483,6 +2483,40 @@ static void selinux_inode_free_security(struct inode *inode)
>>   	inode_free_security(inode);
>>   }
>>
>> +static int selinux_dentry_init_security(struct dentry *dentry, int mode,
>> +					struct qstr *name, void **ctx,
>> +					u32 *ctxlen)
>> +{
>> +	struct cred *cred = current_cred();
>> +	struct task_security_struct *tsec;
>> +	struct inode_security_struct *dsec;
>> +	struct superblock_security_struct *sbsec;
>> +	struct inode *dir = dentry->d_parent->d_inode;
>> +	u32 newsid;
>> +	int rc;
>> +
>> +	tsec = cred->security;
>> +	dsec = dir->i_security;
>> +	sbsec = dir->i_sb->s_security;
>> +
>> +	if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
>> +		newsid = tsec->create_sid;
>> +	} else {
>> +		rc = security_transition_sid(tsec->sid, dsec->sid,
>> +					     inode_mode_to_security_class(mode),
>> +					     name,
>> +					     &newsid);
>> +		if (rc) {
>> +			printk(KERN_WARNING
>> +				"%s: security_transition_sid failed, rc=%d\n",
>> +			       __func__, -rc);
>> +			return rc;
>> +		}
>> +	}
>> +
>> +	return security_sid_to_context(newsid, (char **)ctx, ctxlen);
>> +}
>> +
>>   static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
>>   				       const struct qstr *qstr, char **name,
>>   				       void **value, size_t *len)
>> @@ -5509,6 +5543,7 @@ static struct security_operations selinux_ops = {
>>   	.sb_clone_mnt_opts =		selinux_sb_clone_mnt_opts,
>>   	.sb_parse_opts_str = 		selinux_parse_opts_str,
>>
>> +	.dentry_init_security =		selinux_dentry_init_security,
>>
>>   	.inode_alloc_security =		selinux_inode_alloc_security,
>>   	.inode_free_security =		selinux_inode_free_security,
>> --
>> 1.7.11.7
>>
>

Re: [PATCH 01/13] Security: Add hook to calculate context based on a negative dentry.

[Dave Quigley]

On 11/12/2012 7:13 AM, J. Bruce Fields wrote:
> On Mon, Nov 12, 2012 at 01:15:35AM -0500, David Quigley wrote:
>> From: David Quigley <dpquigl@davequigley.com>
>>
>> There is a time where we need to calculate a context without the
>> inode having been created yet. To do this we take the negative dentry and
>> calculate a context based on the process and the parent directory contexts.
>>
>> Signed-off-by: Matthew N. Dodd <Matthew.Dodd@sparta.com>
>> Signed-off-by: Miguel Rodel Felipe <Rodel_FM@dsi.a-star.edu.sg>
>> Signed-off-by: Phua Eu Gene <PHUA_Eu_Gene@dsi.a-star.edu.sg>
>> Signed-off-by: Khin Mi Mi Aung <Mi_Mi_AUNG@dsi.a-star.edu.sg>
>> Signed-off-by: David Quigley <dpquigl@davequigley.com>
>> ---
>>   include/linux/security.h | 27 +++++++++++++++++++++++++++
>>   security/capability.c    |  8 ++++++++
>>   security/security.c      | 10 ++++++++++
>>   security/selinux/hooks.c | 35 +++++++++++++++++++++++++++++++++++
>>   4 files changed, 80 insertions(+)
>>
>> diff --git a/include/linux/security.h b/include/linux/security.h
>> index 05e88bd..c9f5eec 100644
>> --- a/include/linux/security.h
>> +++ b/include/linux/security.h
>> @@ -26,6 +26,7 @@
>>   #include <linux/capability.h>
>>   #include <linux/slab.h>
>>   #include <linux/err.h>
>> +#include <linux/string.h>
>>
>>   struct linux_binprm;
>>   struct cred;
>> @@ -306,6 +307,15 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
>>    *	Parse a string of security data filling in the opts structure
>>    *	@options string containing all mount options known by the LSM
>>    *	@opts binary data structure usable by the LSM
>> + * @dentry_init_security:
>> + *	Compute a context for a dentry as the inode is not yet available
>> + *	since NFSv4 has no label backed by an EA anyway.
>
> I don't understand this comment.  Why exactly is NFSv4 the first user
> that needs this?
>
> --b.
>

Normally the calculation of a label for an inode is based on the inode 
and the parent directory. We unfortunately don't have all of that 
information available in NFSv4 where we need it so instead we base the 
calculation off of the dentry instead. That is the best I can remember 
for why we do it. Unfortunately that decision was made so long ago its 
hard to remember the fine details.

>> + *	@dentry dentry to use in calculating the context.
>> + *	@mode mode used to determine resource type.
>> + *	@name name of the last path component used to create file
>> + *	@ctx pointer to place the pointer to the resulting context in.
>> + *	@ctxlen point to place the length of the resulting context.
>> + *
>>    *
>>    * Security hooks for inode operations.
>>    *
>> @@ -1421,6 +1431,10 @@ struct security_operations {
>>   	void (*sb_clone_mnt_opts) (const struct super_block *oldsb,
>>   				   struct super_block *newsb);
>>   	int (*sb_parse_opts_str) (char *options, struct security_mnt_opts *opts);
>> +	int (*dentry_init_security) (struct dentry *dentry, int mode,
>> +					struct qstr *name, void **ctx,
>> +					u32 *ctxlen);
>> +
>>
>>   #ifdef CONFIG_SECURITY_PATH
>>   	int (*path_unlink) (struct path *dir, struct dentry *dentry);
>> @@ -1702,6 +1716,9 @@ int security_sb_set_mnt_opts(struct super_block *sb, struct security_mnt_opts *o
>>   void security_sb_clone_mnt_opts(const struct super_block *oldsb,
>>   				struct super_block *newsb);
>>   int security_sb_parse_opts_str(char *options, struct security_mnt_opts *opts);
>> +int security_dentry_init_security(struct dentry *dentry, int mode,
>> +					struct qstr *name, void **ctx,
>> +					u32 *ctxlen);
>>
>>   int security_inode_alloc(struct inode *inode);
>>   void security_inode_free(struct inode *inode);
>> @@ -2005,6 +2022,16 @@ static inline int security_inode_alloc(struct inode *inode)
>>   static inline void security_inode_free(struct inode *inode)
>>   { }
>>
>> +static inline int security_dentry_init_security(struct dentry *dentry,
>> +						 int mode,
>> +						 struct qstr *name,
>> +						 void **ctx,
>> +						 u32 *ctxlen)
>> +{
>> +	return -EOPNOTSUPP;
>> +}
>> +
>> +
>>   static inline int security_inode_init_security(struct inode *inode,
>>   						struct inode *dir,
>>   						const struct qstr *qstr,
>> diff --git a/security/capability.c b/security/capability.c
>> index b14a30c..f1eb284 100644
>> --- a/security/capability.c
>> +++ b/security/capability.c
>> @@ -108,6 +108,13 @@ static int cap_sb_parse_opts_str(char *options, struct security_mnt_opts *opts)
>>   	return 0;
>>   }
>>
>> +static int cap_dentry_init_security(struct dentry *dentry, int mode,
>> +					struct qstr *name, void **ctx,
>> +					u32 *ctxlen)
>> +{
>> +	return 0;
>> +}
>> +
>>   static int cap_inode_alloc_security(struct inode *inode)
>>   {
>>   	return 0;
>> @@ -905,6 +912,7 @@ void __init security_fixup_ops(struct security_operations *ops)
>>   	set_to_cap_if_null(ops, sb_set_mnt_opts);
>>   	set_to_cap_if_null(ops, sb_clone_mnt_opts);
>>   	set_to_cap_if_null(ops, sb_parse_opts_str);
>> +	set_to_cap_if_null(ops, dentry_init_security);
>>   	set_to_cap_if_null(ops, inode_alloc_security);
>>   	set_to_cap_if_null(ops, inode_free_security);
>>   	set_to_cap_if_null(ops, inode_init_security);
>> diff --git a/security/security.c b/security/security.c
>> index 8dcd4ae..b4b2017 100644
>> --- a/security/security.c
>> +++ b/security/security.c
>> @@ -12,6 +12,7 @@
>>    */
>>
>>   #include <linux/capability.h>
>> +#include <linux/dcache.h>
>>   #include <linux/module.h>
>>   #include <linux/init.h>
>>   #include <linux/kernel.h>
>> @@ -324,6 +325,15 @@ void security_inode_free(struct inode *inode)
>>   	security_ops->inode_free_security(inode);
>>   }
>>
>> +int security_dentry_init_security(struct dentry *dentry, int mode,
>> +					struct qstr *name, void **ctx,
>> +					u32 *ctxlen)
>> +{
>> +	return security_ops->dentry_init_security(dentry, mode, name,
>> +							ctx, ctxlen);
>> +}
>> +EXPORT_SYMBOL(security_dentry_init_security);
>> +
>>   int security_inode_init_security(struct inode *inode, struct inode *dir,
>>   				 const struct qstr *qstr,
>>   				 const initxattrs initxattrs, void *fs_data)
>> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
>> index 61a5336..22d9adf 100644
>> --- a/security/selinux/hooks.c
>> +++ b/security/selinux/hooks.c
>> @@ -2483,6 +2483,40 @@ static void selinux_inode_free_security(struct inode *inode)
>>   	inode_free_security(inode);
>>   }
>>
>> +static int selinux_dentry_init_security(struct dentry *dentry, int mode,
>> +					struct qstr *name, void **ctx,
>> +					u32 *ctxlen)
>> +{
>> +	struct cred *cred = current_cred();
>> +	struct task_security_struct *tsec;
>> +	struct inode_security_struct *dsec;
>> +	struct superblock_security_struct *sbsec;
>> +	struct inode *dir = dentry->d_parent->d_inode;
>> +	u32 newsid;
>> +	int rc;
>> +
>> +	tsec = cred->security;
>> +	dsec = dir->i_security;
>> +	sbsec = dir->i_sb->s_security;
>> +
>> +	if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
>> +		newsid = tsec->create_sid;
>> +	} else {
>> +		rc = security_transition_sid(tsec->sid, dsec->sid,
>> +					     inode_mode_to_security_class(mode),
>> +					     name,
>> +					     &newsid);
>> +		if (rc) {
>> +			printk(KERN_WARNING
>> +				"%s: security_transition_sid failed, rc=%d\n",
>> +			       __func__, -rc);
>> +			return rc;
>> +		}
>> +	}
>> +
>> +	return security_sid_to_context(newsid, (char **)ctx, ctxlen);
>> +}
>> +
>>   static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
>>   				       const struct qstr *qstr, char **name,
>>   				       void **value, size_t *len)
>> @@ -5509,6 +5543,7 @@ static struct security_operations selinux_ops = {
>>   	.sb_clone_mnt_opts =		selinux_sb_clone_mnt_opts,
>>   	.sb_parse_opts_str = 		selinux_parse_opts_str,
>>
>> +	.dentry_init_security =		selinux_dentry_init_security,
>>
>>   	.inode_alloc_security =		selinux_inode_alloc_security,
>>   	.inode_free_security =		selinux_inode_free_security,
>> --
>> 1.7.11.7
>>
>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[PATCH 02/13] Security: Add Hook to test if the particular xattr is part of a MAC model.

[David Quigley]

From: David Quigley <dpquigl@davequigley.com>

The interface to request security labels from user space is the xattr
interface. When requesting the security label from an NFS server it is
important to make sure the requested xattr actually is a MAC label. This allows
us to make sure that we get the desired semantics from the attribute instead of
something else such as capabilities or a time based LSM.

Signed-off-by: Matthew N. Dodd <Matthew.Dodd@sparta.com>
Signed-off-by: Miguel Rodel Felipe <Rodel_FM@dsi.a-star.edu.sg>
Signed-off-by: Phua Eu Gene <PHUA_Eu_Gene@dsi.a-star.edu.sg>
Signed-off-by: Khin Mi Mi Aung <Mi_Mi_AUNG@dsi.a-star.edu.sg>
Signed-off-by: David Quigley <dpquigl@davequigley.com>
---
 include/linux/security.h   | 14 ++++++++++++++
 security/capability.c      |  6 ++++++
 security/security.c        |  6 ++++++
 security/selinux/hooks.c   |  6 ++++++
 security/smack/smack_lsm.c | 11 +++++++++++
 5 files changed, 43 insertions(+)

diff --git a/include/linux/security.h b/include/linux/security.h
index c9f5eec..167bdd5 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -1301,6 +1301,13 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
  *	@pages contains the number of pages.
  *	Return 0 if permission is granted.
  *
+ * @ismaclabel:
+ *	Check if the extended attribute specified by @name
+ *	represents a MAC label. Returns 0 if name is a MAC
+ *	attribute otherwise returns non-zero.
+ *	@name full extended attribute name to check against
+ *	LSM as a MAC label.
+ *
  * @secid_to_secctx:
  *	Convert secid to security context.  If secdata is NULL the length of
  *	the result will be returned in seclen, but no secdata will be returned.
@@ -1581,6 +1588,7 @@ struct security_operations {
 
 	int (*getprocattr) (struct task_struct *p, char *name, char **value);
 	int (*setprocattr) (struct task_struct *p, char *name, void *value, size_t size);
+	int (*ismaclabel) (const char *name);
 	int (*secid_to_secctx) (u32 secid, char **secdata, u32 *seclen);
 	int (*secctx_to_secid) (const char *secdata, u32 seclen, u32 *secid);
 	void (*release_secctx) (char *secdata, u32 seclen);
@@ -1829,6 +1837,7 @@ void security_d_instantiate(struct dentry *dentry, struct inode *inode);
 int security_getprocattr(struct task_struct *p, char *name, char **value);
 int security_setprocattr(struct task_struct *p, char *name, void *value, size_t size);
 int security_netlink_send(struct sock *sk, struct sk_buff *skb);
+int security_ismaclabel(const char *name);
 int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
 int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid);
 void security_release_secctx(char *secdata, u32 seclen);
@@ -2512,6 +2521,11 @@ static inline int security_netlink_send(struct sock *sk, struct sk_buff *skb)
 	return cap_netlink_send(sk, skb);
 }
 
+static inline int security_ismaclabel(const char *name)
+{
+	return 0;
+}
+
 static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
 {
 	return -EOPNOTSUPP;
diff --git a/security/capability.c b/security/capability.c
index f1eb284..9071447 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -797,6 +797,11 @@ static int cap_setprocattr(struct task_struct *p, char *name, void *value,
 	return -EINVAL;
 }
 
+static int cap_ismaclabel(const char *name)
+{
+	return 0;
+}
+
 static int cap_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
 {
 	return -EOPNOTSUPP;
@@ -1015,6 +1020,7 @@ void __init security_fixup_ops(struct security_operations *ops)
 	set_to_cap_if_null(ops, d_instantiate);
 	set_to_cap_if_null(ops, getprocattr);
 	set_to_cap_if_null(ops, setprocattr);
+	set_to_cap_if_null(ops, ismaclabel);
 	set_to_cap_if_null(ops, secid_to_secctx);
 	set_to_cap_if_null(ops, secctx_to_secid);
 	set_to_cap_if_null(ops, release_secctx);
diff --git a/security/security.c b/security/security.c
index b4b2017..a7bee7b 100644
--- a/security/security.c
+++ b/security/security.c
@@ -1047,6 +1047,12 @@ int security_netlink_send(struct sock *sk, struct sk_buff *skb)
 	return security_ops->netlink_send(sk, skb);
 }
 
+int security_ismaclabel(const char *name)
+{
+	return security_ops->ismaclabel(name);
+}
+EXPORT_SYMBOL(security_ismaclabel);
+
 int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
 {
 	return security_ops->secid_to_secctx(secid, secdata, seclen);
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 22d9adf..f7c4899 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -5401,6 +5401,11 @@ abort_change:
 	return error;
 }
 
+static int selinux_ismaclabel(const char *name)
+{
+	return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
+}
+
 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
 {
 	return security_sid_to_context(secid, secdata, seclen);
@@ -5639,6 +5644,7 @@ static struct security_operations selinux_ops = {
 	.getprocattr =			selinux_getprocattr,
 	.setprocattr =			selinux_setprocattr,
 
+	.ismaclabel =			selinux_ismaclabel,
 	.secid_to_secctx =		selinux_secid_to_secctx,
 	.secctx_to_secid =		selinux_secctx_to_secid,
 	.release_secctx =		selinux_release_secctx,
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 38be92c..82c3c72 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -3335,6 +3335,16 @@ static void smack_audit_rule_free(void *vrule)
 #endif /* CONFIG_AUDIT */
 
 /**
+ * smack_ismaclabel - check if xattr @name references a smack MAC label
+ * @name: Full xattr name to check.
+ */
+static int smack_ismaclabel(const char *name)
+{
+	return (strcmp(name, XATTR_SMACK_SUFFIX) == 0);
+}
+
+
+/**
  * smack_secid_to_secctx - return the smack label for a secid
  * @secid: incoming integer
  * @secdata: destination
@@ -3530,6 +3540,7 @@ struct security_operations smack_ops = {
 	.audit_rule_free =		smack_audit_rule_free,
 #endif /* CONFIG_AUDIT */
 
+	.ismaclabel =			smack_ismaclabel,
 	.secid_to_secctx = 		smack_secid_to_secctx,
 	.secctx_to_secid = 		smack_secctx_to_secid,
 	.release_secctx = 		smack_release_secctx,
-- 
1.7.11.7

[PATCH 02/13] Security: Add Hook to test if the particular xattr is part of a MAC model.

[David Quigley]

From: David Quigley <dpquigl@davequigley.com>

The interface to request security labels from user space is the xattr
interface. When requesting the security label from an NFS server it is
important to make sure the requested xattr actually is a MAC label. This allows
us to make sure that we get the desired semantics from the attribute instead of
something else such as capabilities or a time based LSM.

Signed-off-by: Matthew N. Dodd <Matthew.Dodd@sparta.com>
Signed-off-by: Miguel Rodel Felipe <Rodel_FM@dsi.a-star.edu.sg>
Signed-off-by: Phua Eu Gene <PHUA_Eu_Gene@dsi.a-star.edu.sg>
Signed-off-by: Khin Mi Mi Aung <Mi_Mi_AUNG@dsi.a-star.edu.sg>
Signed-off-by: David Quigley <dpquigl@davequigley.com>
---
 include/linux/security.h   | 14 ++++++++++++++
 security/capability.c      |  6 ++++++
 security/security.c        |  6 ++++++
 security/selinux/hooks.c   |  6 ++++++
 security/smack/smack_lsm.c | 11 +++++++++++
 5 files changed, 43 insertions(+)

diff --git a/include/linux/security.h b/include/linux/security.h
index c9f5eec..167bdd5 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -1301,6 +1301,13 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
  *	@pages contains the number of pages.
  *	Return 0 if permission is granted.
  *
+ * @ismaclabel:
+ *	Check if the extended attribute specified by @name
+ *	represents a MAC label. Returns 0 if name is a MAC
+ *	attribute otherwise returns non-zero.
+ *	@name full extended attribute name to check against
+ *	LSM as a MAC label.
+ *
  * @secid_to_secctx:
  *	Convert secid to security context.  If secdata is NULL the length of
  *	the result will be returned in seclen, but no secdata will be returned.
@@ -1581,6 +1588,7 @@ struct security_operations {
 
 	int (*getprocattr) (struct task_struct *p, char *name, char **value);
 	int (*setprocattr) (struct task_struct *p, char *name, void *value, size_t size);
+	int (*ismaclabel) (const char *name);
 	int (*secid_to_secctx) (u32 secid, char **secdata, u32 *seclen);
 	int (*secctx_to_secid) (const char *secdata, u32 seclen, u32 *secid);
 	void (*release_secctx) (char *secdata, u32 seclen);
@@ -1829,6 +1837,7 @@ void security_d_instantiate(struct dentry *dentry, struct inode *inode);
 int security_getprocattr(struct task_struct *p, char *name, char **value);
 int security_setprocattr(struct task_struct *p, char *name, void *value, size_t size);
 int security_netlink_send(struct sock *sk, struct sk_buff *skb);
+int security_ismaclabel(const char *name);
 int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
 int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid);
 void security_release_secctx(char *secdata, u32 seclen);
@@ -2512,6 +2521,11 @@ static inline int security_netlink_send(struct sock *sk, struct sk_buff *skb)
 	return cap_netlink_send(sk, skb);
 }
 
+static inline int security_ismaclabel(const char *name)
+{
+	return 0;
+}
+
 static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
 {
 	return -EOPNOTSUPP;
diff --git a/security/capability.c b/security/capability.c
index f1eb284..9071447 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -797,6 +797,11 @@ static int cap_setprocattr(struct task_struct *p, char *name, void *value,
 	return -EINVAL;
 }
 
+static int cap_ismaclabel(const char *name)
+{
+	return 0;
+}
+
 static int cap_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
 {
 	return -EOPNOTSUPP;
@@ -1015,6 +1020,7 @@ void __init security_fixup_ops(struct security_operations *ops)
 	set_to_cap_if_null(ops, d_instantiate);
 	set_to_cap_if_null(ops, getprocattr);
 	set_to_cap_if_null(ops, setprocattr);
+	set_to_cap_if_null(ops, ismaclabel);
 	set_to_cap_if_null(ops, secid_to_secctx);
 	set_to_cap_if_null(ops, secctx_to_secid);
 	set_to_cap_if_null(ops, release_secctx);
diff --git a/security/security.c b/security/security.c
index b4b2017..a7bee7b 100644
--- a/security/security.c
+++ b/security/security.c
@@ -1047,6 +1047,12 @@ int security_netlink_send(struct sock *sk, struct sk_buff *skb)
 	return security_ops->netlink_send(sk, skb);
 }
 
+int security_ismaclabel(const char *name)
+{
+	return security_ops->ismaclabel(name);
+}
+EXPORT_SYMBOL(security_ismaclabel);
+
 int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
 {
 	return security_ops->secid_to_secctx(secid, secdata, seclen);
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 22d9adf..f7c4899 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -5401,6 +5401,11 @@ abort_change:
 	return error;
 }
 
+static int selinux_ismaclabel(const char *name)
+{
+	return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
+}
+
 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
 {
 	return security_sid_to_context(secid, secdata, seclen);
@@ -5639,6 +5644,7 @@ static struct security_operations selinux_ops = {
 	.getprocattr =			selinux_getprocattr,
 	.setprocattr =			selinux_setprocattr,
 
+	.ismaclabel =			selinux_ismaclabel,
 	.secid_to_secctx =		selinux_secid_to_secctx,
 	.secctx_to_secid =		selinux_secctx_to_secid,
 	.release_secctx =		selinux_release_secctx,
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 38be92c..82c3c72 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -3335,6 +3335,16 @@ static void smack_audit_rule_free(void *vrule)
 #endif /* CONFIG_AUDIT */
 
 /**
+ * smack_ismaclabel - check if xattr @name references a smack MAC label
+ * @name: Full xattr name to check.
+ */
+static int smack_ismaclabel(const char *name)
+{
+	return (strcmp(name, XATTR_SMACK_SUFFIX) == 0);
+}
+
+
+/**
  * smack_secid_to_secctx - return the smack label for a secid
  * @secid: incoming integer
  * @secdata: destination
@@ -3530,6 +3540,7 @@ struct security_operations smack_ops = {
 	.audit_rule_free =		smack_audit_rule_free,
 #endif /* CONFIG_AUDIT */
 
+	.ismaclabel =			smack_ismaclabel,
 	.secid_to_secctx = 		smack_secid_to_secctx,
 	.secctx_to_secid = 		smack_secctx_to_secid,
 	.release_secctx = 		smack_release_secctx,
-- 
1.7.11.7


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH 02/13] Security: Add Hook to test if the particular xattr is part of a MAC model.

[J. Bruce Fields]

On Mon, Nov 12, 2012 at 01:15:36AM -0500, David Quigley wrote:
> From: David Quigley <dpquigl@davequigley.com>
> 
> The interface to request security labels from user space is the xattr
> interface. When requesting the security label from an NFS server it is
> important to make sure the requested xattr

I'm confused--clients can't request xattrs from NFS servers.  I must be
reading this wrong, but I'm not sure what you meant.

--b.

> actually is a MAC label. This allows
> us to make sure that we get the desired semantics from the attribute instead of
> something else such as capabilities or a time based LSM.
> 
> Signed-off-by: Matthew N. Dodd <Matthew.Dodd@sparta.com>
> Signed-off-by: Miguel Rodel Felipe <Rodel_FM@dsi.a-star.edu.sg>
> Signed-off-by: Phua Eu Gene <PHUA_Eu_Gene@dsi.a-star.edu.sg>
> Signed-off-by: Khin Mi Mi Aung <Mi_Mi_AUNG@dsi.a-star.edu.sg>
> Signed-off-by: David Quigley <dpquigl@davequigley.com>
> ---
>  include/linux/security.h   | 14 ++++++++++++++
>  security/capability.c      |  6 ++++++
>  security/security.c        |  6 ++++++
>  security/selinux/hooks.c   |  6 ++++++
>  security/smack/smack_lsm.c | 11 +++++++++++
>  5 files changed, 43 insertions(+)
> 
> diff --git a/include/linux/security.h b/include/linux/security.h
> index c9f5eec..167bdd5 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -1301,6 +1301,13 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
>   *	@pages contains the number of pages.
>   *	Return 0 if permission is granted.
>   *
> + * @ismaclabel:
> + *	Check if the extended attribute specified by @name
> + *	represents a MAC label. Returns 0 if name is a MAC
> + *	attribute otherwise returns non-zero.
> + *	@name full extended attribute name to check against
> + *	LSM as a MAC label.
> + *
>   * @secid_to_secctx:
>   *	Convert secid to security context.  If secdata is NULL the length of
>   *	the result will be returned in seclen, but no secdata will be returned.
> @@ -1581,6 +1588,7 @@ struct security_operations {
>  
>  	int (*getprocattr) (struct task_struct *p, char *name, char **value);
>  	int (*setprocattr) (struct task_struct *p, char *name, void *value, size_t size);
> +	int (*ismaclabel) (const char *name);
>  	int (*secid_to_secctx) (u32 secid, char **secdata, u32 *seclen);
>  	int (*secctx_to_secid) (const char *secdata, u32 seclen, u32 *secid);
>  	void (*release_secctx) (char *secdata, u32 seclen);
> @@ -1829,6 +1837,7 @@ void security_d_instantiate(struct dentry *dentry, struct inode *inode);
>  int security_getprocattr(struct task_struct *p, char *name, char **value);
>  int security_setprocattr(struct task_struct *p, char *name, void *value, size_t size);
>  int security_netlink_send(struct sock *sk, struct sk_buff *skb);
> +int security_ismaclabel(const char *name);
>  int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
>  int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid);
>  void security_release_secctx(char *secdata, u32 seclen);
> @@ -2512,6 +2521,11 @@ static inline int security_netlink_send(struct sock *sk, struct sk_buff *skb)
>  	return cap_netlink_send(sk, skb);
>  }
>  
> +static inline int security_ismaclabel(const char *name)
> +{
> +	return 0;
> +}
> +
>  static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
>  {
>  	return -EOPNOTSUPP;
> diff --git a/security/capability.c b/security/capability.c
> index f1eb284..9071447 100644
> --- a/security/capability.c
> +++ b/security/capability.c
> @@ -797,6 +797,11 @@ static int cap_setprocattr(struct task_struct *p, char *name, void *value,
>  	return -EINVAL;
>  }
>  
> +static int cap_ismaclabel(const char *name)
> +{
> +	return 0;
> +}
> +
>  static int cap_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
>  {
>  	return -EOPNOTSUPP;
> @@ -1015,6 +1020,7 @@ void __init security_fixup_ops(struct security_operations *ops)
>  	set_to_cap_if_null(ops, d_instantiate);
>  	set_to_cap_if_null(ops, getprocattr);
>  	set_to_cap_if_null(ops, setprocattr);
> +	set_to_cap_if_null(ops, ismaclabel);
>  	set_to_cap_if_null(ops, secid_to_secctx);
>  	set_to_cap_if_null(ops, secctx_to_secid);
>  	set_to_cap_if_null(ops, release_secctx);
> diff --git a/security/security.c b/security/security.c
> index b4b2017..a7bee7b 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -1047,6 +1047,12 @@ int security_netlink_send(struct sock *sk, struct sk_buff *skb)
>  	return security_ops->netlink_send(sk, skb);
>  }
>  
> +int security_ismaclabel(const char *name)
> +{
> +	return security_ops->ismaclabel(name);
> +}
> +EXPORT_SYMBOL(security_ismaclabel);
> +
>  int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
>  {
>  	return security_ops->secid_to_secctx(secid, secdata, seclen);
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 22d9adf..f7c4899 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -5401,6 +5401,11 @@ abort_change:
>  	return error;
>  }
>  
> +static int selinux_ismaclabel(const char *name)
> +{
> +	return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
> +}
> +
>  static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
>  {
>  	return security_sid_to_context(secid, secdata, seclen);
> @@ -5639,6 +5644,7 @@ static struct security_operations selinux_ops = {
>  	.getprocattr =			selinux_getprocattr,
>  	.setprocattr =			selinux_setprocattr,
>  
> +	.ismaclabel =			selinux_ismaclabel,
>  	.secid_to_secctx =		selinux_secid_to_secctx,
>  	.secctx_to_secid =		selinux_secctx_to_secid,
>  	.release_secctx =		selinux_release_secctx,
> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> index 38be92c..82c3c72 100644
> --- a/security/smack/smack_lsm.c
> +++ b/security/smack/smack_lsm.c
> @@ -3335,6 +3335,16 @@ static void smack_audit_rule_free(void *vrule)
>  #endif /* CONFIG_AUDIT */
>  
>  /**
> + * smack_ismaclabel - check if xattr @name references a smack MAC label
> + * @name: Full xattr name to check.
> + */
> +static int smack_ismaclabel(const char *name)
> +{
> +	return (strcmp(name, XATTR_SMACK_SUFFIX) == 0);
> +}
> +
> +
> +/**
>   * smack_secid_to_secctx - return the smack label for a secid
>   * @secid: incoming integer
>   * @secdata: destination
> @@ -3530,6 +3540,7 @@ struct security_operations smack_ops = {
>  	.audit_rule_free =		smack_audit_rule_free,
>  #endif /* CONFIG_AUDIT */
>  
> +	.ismaclabel =			smack_ismaclabel,
>  	.secid_to_secctx = 		smack_secid_to_secctx,
>  	.secctx_to_secid = 		smack_secctx_to_secid,
>  	.release_secctx = 		smack_release_secctx,
> -- 
> 1.7.11.7
> 

Re: [PATCH 02/13] Security: Add Hook to test if the particular xattr is part of a MAC model.

[Dave Quigley]

On 11/12/2012 7:15 AM, J. Bruce Fields wrote:
> On Mon, Nov 12, 2012 at 01:15:36AM -0500, David Quigley wrote:
>> From: David Quigley <dpquigl@davequigley.com>
>>
>> The interface to request security labels from user space is the xattr
>> interface. When requesting the security label from an NFS server it is
>> important to make sure the requested xattr
>
> I'm confused--clients can't request xattrs from NFS servers.  I must be
> reading this wrong, but I'm not sure what you meant.
>
> --b.
>

Generically clients can't use xattrs from NFS servers but the LSM method 
for getting labels is through the xattr interface. THe point of this is 
if someone selects security.capability that we don't translate that into 
a call in labeled nfs to get the security label. We only want label 
based LSMs to cause a getfattr on the server to grab the label and 
populate the inode with that information. Currently if you use 
security.selinux or security.smack then labeled nfs will handle the 
translation of that into a get/setfattr on the security_label attribute 
in NFSv4.


>> actually is a MAC label. This allows
>> us to make sure that we get the desired semantics from the attribute instead of
>> something else such as capabilities or a time based LSM.
>>
>> Signed-off-by: Matthew N. Dodd <Matthew.Dodd@sparta.com>
>> Signed-off-by: Miguel Rodel Felipe <Rodel_FM@dsi.a-star.edu.sg>
>> Signed-off-by: Phua Eu Gene <PHUA_Eu_Gene@dsi.a-star.edu.sg>
>> Signed-off-by: Khin Mi Mi Aung <Mi_Mi_AUNG@dsi.a-star.edu.sg>
>> Signed-off-by: David Quigley <dpquigl@davequigley.com>
>> ---
>>   include/linux/security.h   | 14 ++++++++++++++
>>   security/capability.c      |  6 ++++++
>>   security/security.c        |  6 ++++++
>>   security/selinux/hooks.c   |  6 ++++++
>>   security/smack/smack_lsm.c | 11 +++++++++++
>>   5 files changed, 43 insertions(+)
>>
>> diff --git a/include/linux/security.h b/include/linux/security.h
>> index c9f5eec..167bdd5 100644
>> --- a/include/linux/security.h
>> +++ b/include/linux/security.h
>> @@ -1301,6 +1301,13 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
>>    *	@pages contains the number of pages.
>>    *	Return 0 if permission is granted.
>>    *
>> + * @ismaclabel:
>> + *	Check if the extended attribute specified by @name
>> + *	represents a MAC label. Returns 0 if name is a MAC
>> + *	attribute otherwise returns non-zero.
>> + *	@name full extended attribute name to check against
>> + *	LSM as a MAC label.
>> + *
>>    * @secid_to_secctx:
>>    *	Convert secid to security context.  If secdata is NULL the length of
>>    *	the result will be returned in seclen, but no secdata will be returned.
>> @@ -1581,6 +1588,7 @@ struct security_operations {
>>
>>   	int (*getprocattr) (struct task_struct *p, char *name, char **value);
>>   	int (*setprocattr) (struct task_struct *p, char *name, void *value, size_t size);
>> +	int (*ismaclabel) (const char *name);
>>   	int (*secid_to_secctx) (u32 secid, char **secdata, u32 *seclen);
>>   	int (*secctx_to_secid) (const char *secdata, u32 seclen, u32 *secid);
>>   	void (*release_secctx) (char *secdata, u32 seclen);
>> @@ -1829,6 +1837,7 @@ void security_d_instantiate(struct dentry *dentry, struct inode *inode);
>>   int security_getprocattr(struct task_struct *p, char *name, char **value);
>>   int security_setprocattr(struct task_struct *p, char *name, void *value, size_t size);
>>   int security_netlink_send(struct sock *sk, struct sk_buff *skb);
>> +int security_ismaclabel(const char *name);
>>   int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
>>   int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid);
>>   void security_release_secctx(char *secdata, u32 seclen);
>> @@ -2512,6 +2521,11 @@ static inline int security_netlink_send(struct sock *sk, struct sk_buff *skb)
>>   	return cap_netlink_send(sk, skb);
>>   }
>>
>> +static inline int security_ismaclabel(const char *name)
>> +{
>> +	return 0;
>> +}
>> +
>>   static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
>>   {
>>   	return -EOPNOTSUPP;
>> diff --git a/security/capability.c b/security/capability.c
>> index f1eb284..9071447 100644
>> --- a/security/capability.c
>> +++ b/security/capability.c
>> @@ -797,6 +797,11 @@ static int cap_setprocattr(struct task_struct *p, char *name, void *value,
>>   	return -EINVAL;
>>   }
>>
>> +static int cap_ismaclabel(const char *name)
>> +{
>> +	return 0;
>> +}
>> +
>>   static int cap_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
>>   {
>>   	return -EOPNOTSUPP;
>> @@ -1015,6 +1020,7 @@ void __init security_fixup_ops(struct security_operations *ops)
>>   	set_to_cap_if_null(ops, d_instantiate);
>>   	set_to_cap_if_null(ops, getprocattr);
>>   	set_to_cap_if_null(ops, setprocattr);
>> +	set_to_cap_if_null(ops, ismaclabel);
>>   	set_to_cap_if_null(ops, secid_to_secctx);
>>   	set_to_cap_if_null(ops, secctx_to_secid);
>>   	set_to_cap_if_null(ops, release_secctx);
>> diff --git a/security/security.c b/security/security.c
>> index b4b2017..a7bee7b 100644
>> --- a/security/security.c
>> +++ b/security/security.c
>> @@ -1047,6 +1047,12 @@ int security_netlink_send(struct sock *sk, struct sk_buff *skb)
>>   	return security_ops->netlink_send(sk, skb);
>>   }
>>
>> +int security_ismaclabel(const char *name)
>> +{
>> +	return security_ops->ismaclabel(name);
>> +}
>> +EXPORT_SYMBOL(security_ismaclabel);
>> +
>>   int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
>>   {
>>   	return security_ops->secid_to_secctx(secid, secdata, seclen);
>> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
>> index 22d9adf..f7c4899 100644
>> --- a/security/selinux/hooks.c
>> +++ b/security/selinux/hooks.c
>> @@ -5401,6 +5401,11 @@ abort_change:
>>   	return error;
>>   }
>>
>> +static int selinux_ismaclabel(const char *name)
>> +{
>> +	return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
>> +}
>> +
>>   static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
>>   {
>>   	return security_sid_to_context(secid, secdata, seclen);
>> @@ -5639,6 +5644,7 @@ static struct security_operations selinux_ops = {
>>   	.getprocattr =			selinux_getprocattr,
>>   	.setprocattr =			selinux_setprocattr,
>>
>> +	.ismaclabel =			selinux_ismaclabel,
>>   	.secid_to_secctx =		selinux_secid_to_secctx,
>>   	.secctx_to_secid =		selinux_secctx_to_secid,
>>   	.release_secctx =		selinux_release_secctx,
>> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
>> index 38be92c..82c3c72 100644
>> --- a/security/smack/smack_lsm.c
>> +++ b/security/smack/smack_lsm.c
>> @@ -3335,6 +3335,16 @@ static void smack_audit_rule_free(void *vrule)
>>   #endif /* CONFIG_AUDIT */
>>
>>   /**
>> + * smack_ismaclabel - check if xattr @name references a smack MAC label
>> + * @name: Full xattr name to check.
>> + */
>> +static int smack_ismaclabel(const char *name)
>> +{
>> +	return (strcmp(name, XATTR_SMACK_SUFFIX) == 0);
>> +}
>> +
>> +
>> +/**
>>    * smack_secid_to_secctx - return the smack label for a secid
>>    * @secid: incoming integer
>>    * @secdata: destination
>> @@ -3530,6 +3540,7 @@ struct security_operations smack_ops = {
>>   	.audit_rule_free =		smack_audit_rule_free,
>>   #endif /* CONFIG_AUDIT */
>>
>> +	.ismaclabel =			smack_ismaclabel,
>>   	.secid_to_secctx = 		smack_secid_to_secctx,
>>   	.secctx_to_secid = 		smack_secctx_to_secid,
>>   	.release_secctx = 		smack_release_secctx,
>> --
>> 1.7.11.7
>>
>

Re: [PATCH 02/13] Security: Add Hook to test if the particular xattr is part of a MAC model.

[Dave Quigley]

On 11/12/2012 7:15 AM, J. Bruce Fields wrote:
> On Mon, Nov 12, 2012 at 01:15:36AM -0500, David Quigley wrote:
>> From: David Quigley <dpquigl@davequigley.com>
>>
>> The interface to request security labels from user space is the xattr
>> interface. When requesting the security label from an NFS server it is
>> important to make sure the requested xattr
>
> I'm confused--clients can't request xattrs from NFS servers.  I must be
> reading this wrong, but I'm not sure what you meant.
>
> --b.
>

Generically clients can't use xattrs from NFS servers but the LSM method 
for getting labels is through the xattr interface. THe point of this is 
if someone selects security.capability that we don't translate that into 
a call in labeled nfs to get the security label. We only want label 
based LSMs to cause a getfattr on the server to grab the label and 
populate the inode with that information. Currently if you use 
security.selinux or security.smack then labeled nfs will handle the 
translation of that into a get/setfattr on the security_label attribute 
in NFSv4.


>> actually is a MAC label. This allows
>> us to make sure that we get the desired semantics from the attribute instead of
>> something else such as capabilities or a time based LSM.
>>
>> Signed-off-by: Matthew N. Dodd <Matthew.Dodd@sparta.com>
>> Signed-off-by: Miguel Rodel Felipe <Rodel_FM@dsi.a-star.edu.sg>
>> Signed-off-by: Phua Eu Gene <PHUA_Eu_Gene@dsi.a-star.edu.sg>
>> Signed-off-by: Khin Mi Mi Aung <Mi_Mi_AUNG@dsi.a-star.edu.sg>
>> Signed-off-by: David Quigley <dpquigl@davequigley.com>
>> ---
>>   include/linux/security.h   | 14 ++++++++++++++
>>   security/capability.c      |  6 ++++++
>>   security/security.c        |  6 ++++++
>>   security/selinux/hooks.c   |  6 ++++++
>>   security/smack/smack_lsm.c | 11 +++++++++++
>>   5 files changed, 43 insertions(+)
>>
>> diff --git a/include/linux/security.h b/include/linux/security.h
>> index c9f5eec..167bdd5 100644
>> --- a/include/linux/security.h
>> +++ b/include/linux/security.h
>> @@ -1301,6 +1301,13 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
>>    *	@pages contains the number of pages.
>>    *	Return 0 if permission is granted.
>>    *
>> + * @ismaclabel:
>> + *	Check if the extended attribute specified by @name
>> + *	represents a MAC label. Returns 0 if name is a MAC
>> + *	attribute otherwise returns non-zero.
>> + *	@name full extended attribute name to check against
>> + *	LSM as a MAC label.
>> + *
>>    * @secid_to_secctx:
>>    *	Convert secid to security context.  If secdata is NULL the length of
>>    *	the result will be returned in seclen, but no secdata will be returned.
>> @@ -1581,6 +1588,7 @@ struct security_operations {
>>
>>   	int (*getprocattr) (struct task_struct *p, char *name, char **value);
>>   	int (*setprocattr) (struct task_struct *p, char *name, void *value, size_t size);
>> +	int (*ismaclabel) (const char *name);
>>   	int (*secid_to_secctx) (u32 secid, char **secdata, u32 *seclen);
>>   	int (*secctx_to_secid) (const char *secdata, u32 seclen, u32 *secid);
>>   	void (*release_secctx) (char *secdata, u32 seclen);
>> @@ -1829,6 +1837,7 @@ void security_d_instantiate(struct dentry *dentry, struct inode *inode);
>>   int security_getprocattr(struct task_struct *p, char *name, char **value);
>>   int security_setprocattr(struct task_struct *p, char *name, void *value, size_t size);
>>   int security_netlink_send(struct sock *sk, struct sk_buff *skb);
>> +int security_ismaclabel(const char *name);
>>   int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
>>   int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid);
>>   void security_release_secctx(char *secdata, u32 seclen);
>> @@ -2512,6 +2521,11 @@ static inline int security_netlink_send(struct sock *sk, struct sk_buff *skb)
>>   	return cap_netlink_send(sk, skb);
>>   }
>>
>> +static inline int security_ismaclabel(const char *name)
>> +{
>> +	return 0;
>> +}
>> +
>>   static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
>>   {
>>   	return -EOPNOTSUPP;
>> diff --git a/security/capability.c b/security/capability.c
>> index f1eb284..9071447 100644
>> --- a/security/capability.c
>> +++ b/security/capability.c
>> @@ -797,6 +797,11 @@ static int cap_setprocattr(struct task_struct *p, char *name, void *value,
>>   	return -EINVAL;
>>   }
>>
>> +static int cap_ismaclabel(const char *name)
>> +{
>> +	return 0;
>> +}
>> +
>>   static int cap_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
>>   {
>>   	return -EOPNOTSUPP;
>> @@ -1015,6 +1020,7 @@ void __init security_fixup_ops(struct security_operations *ops)
>>   	set_to_cap_if_null(ops, d_instantiate);
>>   	set_to_cap_if_null(ops, getprocattr);
>>   	set_to_cap_if_null(ops, setprocattr);
>> +	set_to_cap_if_null(ops, ismaclabel);
>>   	set_to_cap_if_null(ops, secid_to_secctx);
>>   	set_to_cap_if_null(ops, secctx_to_secid);
>>   	set_to_cap_if_null(ops, release_secctx);
>> diff --git a/security/security.c b/security/security.c
>> index b4b2017..a7bee7b 100644
>> --- a/security/security.c
>> +++ b/security/security.c
>> @@ -1047,6 +1047,12 @@ int security_netlink_send(struct sock *sk, struct sk_buff *skb)
>>   	return security_ops->netlink_send(sk, skb);
>>   }
>>
>> +int security_ismaclabel(const char *name)
>> +{
>> +	return security_ops->ismaclabel(name);
>> +}
>> +EXPORT_SYMBOL(security_ismaclabel);
>> +
>>   int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
>>   {
>>   	return security_ops->secid_to_secctx(secid, secdata, seclen);
>> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
>> index 22d9adf..f7c4899 100644
>> --- a/security/selinux/hooks.c
>> +++ b/security/selinux/hooks.c
>> @@ -5401,6 +5401,11 @@ abort_change:
>>   	return error;
>>   }
>>
>> +static int selinux_ismaclabel(const char *name)
>> +{
>> +	return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
>> +}
>> +
>>   static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
>>   {
>>   	return security_sid_to_context(secid, secdata, seclen);
>> @@ -5639,6 +5644,7 @@ static struct security_operations selinux_ops = {
>>   	.getprocattr =			selinux_getprocattr,
>>   	.setprocattr =			selinux_setprocattr,
>>
>> +	.ismaclabel =			selinux_ismaclabel,
>>   	.secid_to_secctx =		selinux_secid_to_secctx,
>>   	.secctx_to_secid =		selinux_secctx_to_secid,
>>   	.release_secctx =		selinux_release_secctx,
>> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
>> index 38be92c..82c3c72 100644
>> --- a/security/smack/smack_lsm.c
>> +++ b/security/smack/smack_lsm.c
>> @@ -3335,6 +3335,16 @@ static void smack_audit_rule_free(void *vrule)
>>   #endif /* CONFIG_AUDIT */
>>
>>   /**
>> + * smack_ismaclabel - check if xattr @name references a smack MAC label
>> + * @name: Full xattr name to check.
>> + */
>> +static int smack_ismaclabel(const char *name)
>> +{
>> +	return (strcmp(name, XATTR_SMACK_SUFFIX) == 0);
>> +}
>> +
>> +
>> +/**
>>    * smack_secid_to_secctx - return the smack label for a secid
>>    * @secid: incoming integer
>>    * @secdata: destination
>> @@ -3530,6 +3540,7 @@ struct security_operations smack_ops = {
>>   	.audit_rule_free =		smack_audit_rule_free,
>>   #endif /* CONFIG_AUDIT */
>>
>> +	.ismaclabel =			smack_ismaclabel,
>>   	.secid_to_secctx = 		smack_secid_to_secctx,
>>   	.secctx_to_secid = 		smack_secctx_to_secid,
>>   	.release_secctx = 		smack_release_secctx,
>> --
>> 1.7.11.7
>>
>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH 02/13] Security: Add Hook to test if the particular xattr is part of a MAC model.

[J. Bruce Fields]

On Mon, Nov 12, 2012 at 09:56:37AM -0500, Dave Quigley wrote:
> On 11/12/2012 7:15 AM, J. Bruce Fields wrote:
> >On Mon, Nov 12, 2012 at 01:15:36AM -0500, David Quigley wrote:
> >>From: David Quigley <dpquigl@davequigley.com>
> >>
> >>The interface to request security labels from user space is the xattr
> >>interface. When requesting the security label from an NFS server it is
> >>important to make sure the requested xattr
> >
> >I'm confused--clients can't request xattrs from NFS servers.  I must be
> >reading this wrong, but I'm not sure what you meant.
> >
> >--b.
> >
> 
> Generically clients can't use xattrs from NFS servers but the LSM
> method for getting labels is through the xattr interface. THe point
> of this is if someone selects security.capability that we don't
> translate that into a call in labeled nfs to get the security label.
> We only want label based LSMs to cause a getfattr on the server to
> grab the label and populate the inode with that information.
> Currently if you use security.selinux or security.smack then labeled
> nfs will handle the translation of that into a get/setfattr on the
> security_label attribute in NFSv4.

OK, I think I understand: so this is to help the NFS client implement
the necessary xattr interface for userspace that get and sets security
labels on NFS filesystems?

--b.

> 
> 
> >>actually is a MAC label. This allows
> >>us to make sure that we get the desired semantics from the attribute instead of
> >>something else such as capabilities or a time based LSM.
> >>
> >>Signed-off-by: Matthew N. Dodd <Matthew.Dodd@sparta.com>
> >>Signed-off-by: Miguel Rodel Felipe <Rodel_FM@dsi.a-star.edu.sg>
> >>Signed-off-by: Phua Eu Gene <PHUA_Eu_Gene@dsi.a-star.edu.sg>
> >>Signed-off-by: Khin Mi Mi Aung <Mi_Mi_AUNG@dsi.a-star.edu.sg>
> >>Signed-off-by: David Quigley <dpquigl@davequigley.com>
> >>---
> >>  include/linux/security.h   | 14 ++++++++++++++
> >>  security/capability.c      |  6 ++++++
> >>  security/security.c        |  6 ++++++
> >>  security/selinux/hooks.c   |  6 ++++++
> >>  security/smack/smack_lsm.c | 11 +++++++++++
> >>  5 files changed, 43 insertions(+)
> >>
> >>diff --git a/include/linux/security.h b/include/linux/security.h
> >>index c9f5eec..167bdd5 100644
> >>--- a/include/linux/security.h
> >>+++ b/include/linux/security.h
> >>@@ -1301,6 +1301,13 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
> >>   *	@pages contains the number of pages.
> >>   *	Return 0 if permission is granted.
> >>   *
> >>+ * @ismaclabel:
> >>+ *	Check if the extended attribute specified by @name
> >>+ *	represents a MAC label. Returns 0 if name is a MAC
> >>+ *	attribute otherwise returns non-zero.
> >>+ *	@name full extended attribute name to check against
> >>+ *	LSM as a MAC label.
> >>+ *
> >>   * @secid_to_secctx:
> >>   *	Convert secid to security context.  If secdata is NULL the length of
> >>   *	the result will be returned in seclen, but no secdata will be returned.
> >>@@ -1581,6 +1588,7 @@ struct security_operations {
> >>
> >>  	int (*getprocattr) (struct task_struct *p, char *name, char **value);
> >>  	int (*setprocattr) (struct task_struct *p, char *name, void *value, size_t size);
> >>+	int (*ismaclabel) (const char *name);
> >>  	int (*secid_to_secctx) (u32 secid, char **secdata, u32 *seclen);
> >>  	int (*secctx_to_secid) (const char *secdata, u32 seclen, u32 *secid);
> >>  	void (*release_secctx) (char *secdata, u32 seclen);
> >>@@ -1829,6 +1837,7 @@ void security_d_instantiate(struct dentry *dentry, struct inode *inode);
> >>  int security_getprocattr(struct task_struct *p, char *name, char **value);
> >>  int security_setprocattr(struct task_struct *p, char *name, void *value, size_t size);
> >>  int security_netlink_send(struct sock *sk, struct sk_buff *skb);
> >>+int security_ismaclabel(const char *name);
> >>  int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
> >>  int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid);
> >>  void security_release_secctx(char *secdata, u32 seclen);
> >>@@ -2512,6 +2521,11 @@ static inline int security_netlink_send(struct sock *sk, struct sk_buff *skb)
> >>  	return cap_netlink_send(sk, skb);
> >>  }
> >>
> >>+static inline int security_ismaclabel(const char *name)
> >>+{
> >>+	return 0;
> >>+}
> >>+
> >>  static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
> >>  {
> >>  	return -EOPNOTSUPP;
> >>diff --git a/security/capability.c b/security/capability.c
> >>index f1eb284..9071447 100644
> >>--- a/security/capability.c
> >>+++ b/security/capability.c
> >>@@ -797,6 +797,11 @@ static int cap_setprocattr(struct task_struct *p, char *name, void *value,
> >>  	return -EINVAL;
> >>  }
> >>
> >>+static int cap_ismaclabel(const char *name)
> >>+{
> >>+	return 0;
> >>+}
> >>+
> >>  static int cap_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
> >>  {
> >>  	return -EOPNOTSUPP;
> >>@@ -1015,6 +1020,7 @@ void __init security_fixup_ops(struct security_operations *ops)
> >>  	set_to_cap_if_null(ops, d_instantiate);
> >>  	set_to_cap_if_null(ops, getprocattr);
> >>  	set_to_cap_if_null(ops, setprocattr);
> >>+	set_to_cap_if_null(ops, ismaclabel);
> >>  	set_to_cap_if_null(ops, secid_to_secctx);
> >>  	set_to_cap_if_null(ops, secctx_to_secid);
> >>  	set_to_cap_if_null(ops, release_secctx);
> >>diff --git a/security/security.c b/security/security.c
> >>index b4b2017..a7bee7b 100644
> >>--- a/security/security.c
> >>+++ b/security/security.c
> >>@@ -1047,6 +1047,12 @@ int security_netlink_send(struct sock *sk, struct sk_buff *skb)
> >>  	return security_ops->netlink_send(sk, skb);
> >>  }
> >>
> >>+int security_ismaclabel(const char *name)
> >>+{
> >>+	return security_ops->ismaclabel(name);
> >>+}
> >>+EXPORT_SYMBOL(security_ismaclabel);
> >>+
> >>  int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
> >>  {
> >>  	return security_ops->secid_to_secctx(secid, secdata, seclen);
> >>diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> >>index 22d9adf..f7c4899 100644
> >>--- a/security/selinux/hooks.c
> >>+++ b/security/selinux/hooks.c
> >>@@ -5401,6 +5401,11 @@ abort_change:
> >>  	return error;
> >>  }
> >>
> >>+static int selinux_ismaclabel(const char *name)
> >>+{
> >>+	return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
> >>+}
> >>+
> >>  static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
> >>  {
> >>  	return security_sid_to_context(secid, secdata, seclen);
> >>@@ -5639,6 +5644,7 @@ static struct security_operations selinux_ops = {
> >>  	.getprocattr =			selinux_getprocattr,
> >>  	.setprocattr =			selinux_setprocattr,
> >>
> >>+	.ismaclabel =			selinux_ismaclabel,
> >>  	.secid_to_secctx =		selinux_secid_to_secctx,
> >>  	.secctx_to_secid =		selinux_secctx_to_secid,
> >>  	.release_secctx =		selinux_release_secctx,
> >>diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> >>index 38be92c..82c3c72 100644
> >>--- a/security/smack/smack_lsm.c
> >>+++ b/security/smack/smack_lsm.c
> >>@@ -3335,6 +3335,16 @@ static void smack_audit_rule_free(void *vrule)
> >>  #endif /* CONFIG_AUDIT */
> >>
> >>  /**
> >>+ * smack_ismaclabel - check if xattr @name references a smack MAC label
> >>+ * @name: Full xattr name to check.
> >>+ */
> >>+static int smack_ismaclabel(const char *name)
> >>+{
> >>+	return (strcmp(name, XATTR_SMACK_SUFFIX) == 0);
> >>+}
> >>+
> >>+
> >>+/**
> >>   * smack_secid_to_secctx - return the smack label for a secid
> >>   * @secid: incoming integer
> >>   * @secdata: destination
> >>@@ -3530,6 +3540,7 @@ struct security_operations smack_ops = {
> >>  	.audit_rule_free =		smack_audit_rule_free,
> >>  #endif /* CONFIG_AUDIT */
> >>
> >>+	.ismaclabel =			smack_ismaclabel,
> >>  	.secid_to_secctx = 		smack_secid_to_secctx,
> >>  	.secctx_to_secid = 		smack_secctx_to_secid,
> >>  	.release_secctx = 		smack_release_secctx,
> >>--
> >>1.7.11.7
> >>
> >
> 

Re: [PATCH 02/13] Security: Add Hook to test if the particular xattr is part of a MAC model.

[David P. Quigley]

On 11/12/2012 11:36 AM, J. Bruce Fields wrote:
> On Mon, Nov 12, 2012 at 09:56:37AM -0500, Dave Quigley wrote:
>> On 11/12/2012 7:15 AM, J. Bruce Fields wrote:
>>> On Mon, Nov 12, 2012 at 01:15:36AM -0500, David Quigley wrote:
>>>> From: David Quigley<dpquigl@davequigley.com>
>>>>
>>>> The interface to request security labels from user space is the xattr
>>>> interface. When requesting the security label from an NFS server it is
>>>> important to make sure the requested xattr
>>> I'm confused--clients can't request xattrs from NFS servers.  I must be
>>> reading this wrong, but I'm not sure what you meant.
>>>
>>> --b.
>>>
>> Generically clients can't use xattrs from NFS servers but the LSM
>> method for getting labels is through the xattr interface. THe point
>> of this is if someone selects security.capability that we don't
>> translate that into a call in labeled nfs to get the security label.
>> We only want label based LSMs to cause a getfattr on the server to
>> grab the label and populate the inode with that information.
>> Currently if you use security.selinux or security.smack then labeled
>> nfs will handle the translation of that into a get/setfattr on the
>> security_label attribute in NFSv4.
> OK, I think I understand: so this is to help the NFS client implement
> the necessary xattr interface for userspace that get and sets security
> labels on NFS filesystems?
>
> --b.

Exactly. The problem is we don't want to have LSM specific logic in so 
the best we can do is ask if the security.* xattr being accessed has the 
proper semantics to be used with Labeled NFS.

>
>>
>>>> actually is a MAC label. This allows
>>>> us to make sure that we get the desired semantics from the attribute instead of
>>>> something else such as capabilities or a time based LSM.
>>>>
>>>> Signed-off-by: Matthew N. Dodd<Matthew.Dodd@sparta.com>
>>>> Signed-off-by: Miguel Rodel Felipe<Rodel_FM@dsi.a-star.edu.sg>
>>>> Signed-off-by: Phua Eu Gene<PHUA_Eu_Gene@dsi.a-star.edu.sg>
>>>> Signed-off-by: Khin Mi Mi Aung<Mi_Mi_AUNG@dsi.a-star.edu.sg>
>>>> Signed-off-by: David Quigley<dpquigl@davequigley.com>
>>>> ---
>>>>   include/linux/security.h   | 14 ++++++++++++++
>>>>   security/capability.c      |  6 ++++++
>>>>   security/security.c        |  6 ++++++
>>>>   security/selinux/hooks.c   |  6 ++++++
>>>>   security/smack/smack_lsm.c | 11 +++++++++++
>>>>   5 files changed, 43 insertions(+)
>>>>
>>>> diff --git a/include/linux/security.h b/include/linux/security.h
>>>> index c9f5eec..167bdd5 100644
>>>> --- a/include/linux/security.h
>>>> +++ b/include/linux/security.h
>>>> @@ -1301,6 +1301,13 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
>>>>    *	@pages contains the number of pages.
>>>>    *	Return 0 if permission is granted.
>>>>    *
>>>> + * @ismaclabel:
>>>> + *	Check if the extended attribute specified by @name
>>>> + *	represents a MAC label. Returns 0 if name is a MAC
>>>> + *	attribute otherwise returns non-zero.
>>>> + *	@name full extended attribute name to check against
>>>> + *	LSM as a MAC label.
>>>> + *
>>>>    * @secid_to_secctx:
>>>>    *	Convert secid to security context.  If secdata is NULL the length of
>>>>    *	the result will be returned in seclen, but no secdata will be returned.
>>>> @@ -1581,6 +1588,7 @@ struct security_operations {
>>>>
>>>>   	int (*getprocattr) (struct task_struct *p, char *name, char **value);
>>>>   	int (*setprocattr) (struct task_struct *p, char *name, void *value, size_t size);
>>>> +	int (*ismaclabel) (const char *name);
>>>>   	int (*secid_to_secctx) (u32 secid, char **secdata, u32 *seclen);
>>>>   	int (*secctx_to_secid) (const char *secdata, u32 seclen, u32 *secid);
>>>>   	void (*release_secctx) (char *secdata, u32 seclen);
>>>> @@ -1829,6 +1837,7 @@ void security_d_instantiate(struct dentry *dentry, struct inode *inode);
>>>>   int security_getprocattr(struct task_struct *p, char *name, char **value);
>>>>   int security_setprocattr(struct task_struct *p, char *name, void *value, size_t size);
>>>>   int security_netlink_send(struct sock *sk, struct sk_buff *skb);
>>>> +int security_ismaclabel(const char *name);
>>>>   int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
>>>>   int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid);
>>>>   void security_release_secctx(char *secdata, u32 seclen);
>>>> @@ -2512,6 +2521,11 @@ static inline int security_netlink_send(struct sock *sk, struct sk_buff *skb)
>>>>   	return cap_netlink_send(sk, skb);
>>>>   }
>>>>
>>>> +static inline int security_ismaclabel(const char *name)
>>>> +{
>>>> +	return 0;
>>>> +}
>>>> +
>>>>   static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
>>>>   {
>>>>   	return -EOPNOTSUPP;
>>>> diff --git a/security/capability.c b/security/capability.c
>>>> index f1eb284..9071447 100644
>>>> --- a/security/capability.c
>>>> +++ b/security/capability.c
>>>> @@ -797,6 +797,11 @@ static int cap_setprocattr(struct task_struct *p, char *name, void *value,
>>>>   	return -EINVAL;
>>>>   }
>>>>
>>>> +static int cap_ismaclabel(const char *name)
>>>> +{
>>>> +	return 0;
>>>> +}
>>>> +
>>>>   static int cap_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
>>>>   {
>>>>   	return -EOPNOTSUPP;
>>>> @@ -1015,6 +1020,7 @@ void __init security_fixup_ops(struct security_operations *ops)
>>>>   	set_to_cap_if_null(ops, d_instantiate);
>>>>   	set_to_cap_if_null(ops, getprocattr);
>>>>   	set_to_cap_if_null(ops, setprocattr);
>>>> +	set_to_cap_if_null(ops, ismaclabel);
>>>>   	set_to_cap_if_null(ops, secid_to_secctx);
>>>>   	set_to_cap_if_null(ops, secctx_to_secid);
>>>>   	set_to_cap_if_null(ops, release_secctx);
>>>> diff --git a/security/security.c b/security/security.c
>>>> index b4b2017..a7bee7b 100644
>>>> --- a/security/security.c
>>>> +++ b/security/security.c
>>>> @@ -1047,6 +1047,12 @@ int security_netlink_send(struct sock *sk, struct sk_buff *skb)
>>>>   	return security_ops->netlink_send(sk, skb);
>>>>   }
>>>>
>>>> +int security_ismaclabel(const char *name)
>>>> +{
>>>> +	return security_ops->ismaclabel(name);
>>>> +}
>>>> +EXPORT_SYMBOL(security_ismaclabel);
>>>> +
>>>>   int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
>>>>   {
>>>>   	return security_ops->secid_to_secctx(secid, secdata, seclen);
>>>> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
>>>> index 22d9adf..f7c4899 100644
>>>> --- a/security/selinux/hooks.c
>>>> +++ b/security/selinux/hooks.c
>>>> @@ -5401,6 +5401,11 @@ abort_change:
>>>>   	return error;
>>>>   }
>>>>
>>>> +static int selinux_ismaclabel(const char *name)
>>>> +{
>>>> +	return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
>>>> +}
>>>> +
>>>>   static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
>>>>   {
>>>>   	return security_sid_to_context(secid, secdata, seclen);
>>>> @@ -5639,6 +5644,7 @@ static struct security_operations selinux_ops = {
>>>>   	.getprocattr =			selinux_getprocattr,
>>>>   	.setprocattr =			selinux_setprocattr,
>>>>
>>>> +	.ismaclabel =			selinux_ismaclabel,
>>>>   	.secid_to_secctx =		selinux_secid_to_secctx,
>>>>   	.secctx_to_secid =		selinux_secctx_to_secid,
>>>>   	.release_secctx =		selinux_release_secctx,
>>>> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
>>>> index 38be92c..82c3c72 100644
>>>> --- a/security/smack/smack_lsm.c
>>>> +++ b/security/smack/smack_lsm.c
>>>> @@ -3335,6 +3335,16 @@ static void smack_audit_rule_free(void *vrule)
>>>>   #endif /* CONFIG_AUDIT */
>>>>
>>>>   /**
>>>> + * smack_ismaclabel - check if xattr @name references a smack MAC label
>>>> + * @name: Full xattr name to check.
>>>> + */
>>>> +static int smack_ismaclabel(const char *name)
>>>> +{
>>>> +	return (strcmp(name, XATTR_SMACK_SUFFIX) == 0);
>>>> +}
>>>> +
>>>> +
>>>> +/**
>>>>    * smack_secid_to_secctx - return the smack label for a secid
>>>>    * @secid: incoming integer
>>>>    * @secdata: destination
>>>> @@ -3530,6 +3540,7 @@ struct security_operations smack_ops = {
>>>>   	.audit_rule_free =		smack_audit_rule_free,
>>>>   #endif /* CONFIG_AUDIT */
>>>>
>>>> +	.ismaclabel =			smack_ismaclabel,
>>>>   	.secid_to_secctx = 		smack_secid_to_secctx,
>>>>   	.secctx_to_secid = 		smack_secctx_to_secid,
>>>>   	.release_secctx = 		smack_release_secctx,
>>>> --
>>>> 1.7.11.7
>>>>

Re: [PATCH 02/13] Security: Add Hook to test if the particular xattr is part of a MAC model.

[David P. Quigley]

On 11/12/2012 11:36 AM, J. Bruce Fields wrote:
> On Mon, Nov 12, 2012 at 09:56:37AM -0500, Dave Quigley wrote:
>> On 11/12/2012 7:15 AM, J. Bruce Fields wrote:
>>> On Mon, Nov 12, 2012 at 01:15:36AM -0500, David Quigley wrote:
>>>> From: David Quigley<dpquigl@davequigley.com>
>>>>
>>>> The interface to request security labels from user space is the xattr
>>>> interface. When requesting the security label from an NFS server it is
>>>> important to make sure the requested xattr
>>> I'm confused--clients can't request xattrs from NFS servers.  I must be
>>> reading this wrong, but I'm not sure what you meant.
>>>
>>> --b.
>>>
>> Generically clients can't use xattrs from NFS servers but the LSM
>> method for getting labels is through the xattr interface. THe point
>> of this is if someone selects security.capability that we don't
>> translate that into a call in labeled nfs to get the security label.
>> We only want label based LSMs to cause a getfattr on the server to
>> grab the label and populate the inode with that information.
>> Currently if you use security.selinux or security.smack then labeled
>> nfs will handle the translation of that into a get/setfattr on the
>> security_label attribute in NFSv4.
> OK, I think I understand: so this is to help the NFS client implement
> the necessary xattr interface for userspace that get and sets security
> labels on NFS filesystems?
>
> --b.

Exactly. The problem is we don't want to have LSM specific logic in so 
the best we can do is ask if the security.* xattr being accessed has the 
proper semantics to be used with Labeled NFS.

>
>>
>>>> actually is a MAC label. This allows
>>>> us to make sure that we get the desired semantics from the attribute instead of
>>>> something else such as capabilities or a time based LSM.
>>>>
>>>> Signed-off-by: Matthew N. Dodd<Matthew.Dodd@sparta.com>
>>>> Signed-off-by: Miguel Rodel Felipe<Rodel_FM@dsi.a-star.edu.sg>
>>>> Signed-off-by: Phua Eu Gene<PHUA_Eu_Gene@dsi.a-star.edu.sg>
>>>> Signed-off-by: Khin Mi Mi Aung<Mi_Mi_AUNG@dsi.a-star.edu.sg>
>>>> Signed-off-by: David Quigley<dpquigl@davequigley.com>
>>>> ---
>>>>   include/linux/security.h   | 14 ++++++++++++++
>>>>   security/capability.c      |  6 ++++++
>>>>   security/security.c        |  6 ++++++
>>>>   security/selinux/hooks.c   |  6 ++++++
>>>>   security/smack/smack_lsm.c | 11 +++++++++++
>>>>   5 files changed, 43 insertions(+)
>>>>
>>>> diff --git a/include/linux/security.h b/include/linux/security.h
>>>> index c9f5eec..167bdd5 100644
>>>> --- a/include/linux/security.h
>>>> +++ b/include/linux/security.h
>>>> @@ -1301,6 +1301,13 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
>>>>    *	@pages contains the number of pages.
>>>>    *	Return 0 if permission is granted.
>>>>    *
>>>> + * @ismaclabel:
>>>> + *	Check if the extended attribute specified by @name
>>>> + *	represents a MAC label. Returns 0 if name is a MAC
>>>> + *	attribute otherwise returns non-zero.
>>>> + *	@name full extended attribute name to check against
>>>> + *	LSM as a MAC label.
>>>> + *
>>>>    * @secid_to_secctx:
>>>>    *	Convert secid to security context.  If secdata is NULL the length of
>>>>    *	the result will be returned in seclen, but no secdata will be returned.
>>>> @@ -1581,6 +1588,7 @@ struct security_operations {
>>>>
>>>>   	int (*getprocattr) (struct task_struct *p, char *name, char **value);
>>>>   	int (*setprocattr) (struct task_struct *p, char *name, void *value, size_t size);
>>>> +	int (*ismaclabel) (const char *name);
>>>>   	int (*secid_to_secctx) (u32 secid, char **secdata, u32 *seclen);
>>>>   	int (*secctx_to_secid) (const char *secdata, u32 seclen, u32 *secid);
>>>>   	void (*release_secctx) (char *secdata, u32 seclen);
>>>> @@ -1829,6 +1837,7 @@ void security_d_instantiate(struct dentry *dentry, struct inode *inode);
>>>>   int security_getprocattr(struct task_struct *p, char *name, char **value);
>>>>   int security_setprocattr(struct task_struct *p, char *name, void *value, size_t size);
>>>>   int security_netlink_send(struct sock *sk, struct sk_buff *skb);
>>>> +int security_ismaclabel(const char *name);
>>>>   int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
>>>>   int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid);
>>>>   void security_release_secctx(char *secdata, u32 seclen);
>>>> @@ -2512,6 +2521,11 @@ static inline int security_netlink_send(struct sock *sk, struct sk_buff *skb)
>>>>   	return cap_netlink_send(sk, skb);
>>>>   }
>>>>
>>>> +static inline int security_ismaclabel(const char *name)
>>>> +{
>>>> +	return 0;
>>>> +}
>>>> +
>>>>   static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
>>>>   {
>>>>   	return -EOPNOTSUPP;
>>>> diff --git a/security/capability.c b/security/capability.c
>>>> index f1eb284..9071447 100644
>>>> --- a/security/capability.c
>>>> +++ b/security/capability.c
>>>> @@ -797,6 +797,11 @@ static int cap_setprocattr(struct task_struct *p, char *name, void *value,
>>>>   	return -EINVAL;
>>>>   }
>>>>
>>>> +static int cap_ismaclabel(const char *name)
>>>> +{
>>>> +	return 0;
>>>> +}
>>>> +
>>>>   static int cap_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
>>>>   {
>>>>   	return -EOPNOTSUPP;
>>>> @@ -1015,6 +1020,7 @@ void __init security_fixup_ops(struct security_operations *ops)
>>>>   	set_to_cap_if_null(ops, d_instantiate);
>>>>   	set_to_cap_if_null(ops, getprocattr);
>>>>   	set_to_cap_if_null(ops, setprocattr);
>>>> +	set_to_cap_if_null(ops, ismaclabel);
>>>>   	set_to_cap_if_null(ops, secid_to_secctx);
>>>>   	set_to_cap_if_null(ops, secctx_to_secid);
>>>>   	set_to_cap_if_null(ops, release_secctx);
>>>> diff --git a/security/security.c b/security/security.c
>>>> index b4b2017..a7bee7b 100644
>>>> --- a/security/security.c
>>>> +++ b/security/security.c
>>>> @@ -1047,6 +1047,12 @@ int security_netlink_send(struct sock *sk, struct sk_buff *skb)
>>>>   	return security_ops->netlink_send(sk, skb);
>>>>   }
>>>>
>>>> +int security_ismaclabel(const char *name)
>>>> +{
>>>> +	return security_ops->ismaclabel(name);
>>>> +}
>>>> +EXPORT_SYMBOL(security_ismaclabel);
>>>> +
>>>>   int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
>>>>   {
>>>>   	return security_ops->secid_to_secctx(secid, secdata, seclen);
>>>> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
>>>> index 22d9adf..f7c4899 100644
>>>> --- a/security/selinux/hooks.c
>>>> +++ b/security/selinux/hooks.c
>>>> @@ -5401,6 +5401,11 @@ abort_change:
>>>>   	return error;
>>>>   }
>>>>
>>>> +static int selinux_ismaclabel(const char *name)
>>>> +{
>>>> +	return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
>>>> +}
>>>> +
>>>>   static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
>>>>   {
>>>>   	return security_sid_to_context(secid, secdata, seclen);
>>>> @@ -5639,6 +5644,7 @@ static struct security_operations selinux_ops = {
>>>>   	.getprocattr =			selinux_getprocattr,
>>>>   	.setprocattr =			selinux_setprocattr,
>>>>
>>>> +	.ismaclabel =			selinux_ismaclabel,
>>>>   	.secid_to_secctx =		selinux_secid_to_secctx,
>>>>   	.secctx_to_secid =		selinux_secctx_to_secid,
>>>>   	.release_secctx =		selinux_release_secctx,
>>>> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
>>>> index 38be92c..82c3c72 100644
>>>> --- a/security/smack/smack_lsm.c
>>>> +++ b/security/smack/smack_lsm.c
>>>> @@ -3335,6 +3335,16 @@ static void smack_audit_rule_free(void *vrule)
>>>>   #endif /* CONFIG_AUDIT */
>>>>
>>>>   /**
>>>> + * smack_ismaclabel - check if xattr @name references a smack MAC label
>>>> + * @name: Full xattr name to check.
>>>> + */
>>>> +static int smack_ismaclabel(const char *name)
>>>> +{
>>>> +	return (strcmp(name, XATTR_SMACK_SUFFIX) == 0);
>>>> +}
>>>> +
>>>> +
>>>> +/**
>>>>    * smack_secid_to_secctx - return the smack label for a secid
>>>>    * @secid: incoming integer
>>>>    * @secdata: destination
>>>> @@ -3530,6 +3540,7 @@ struct security_operations smack_ops = {
>>>>   	.audit_rule_free =		smack_audit_rule_free,
>>>>   #endif /* CONFIG_AUDIT */
>>>>
>>>> +	.ismaclabel =			smack_ismaclabel,
>>>>   	.secid_to_secctx = 		smack_secid_to_secctx,
>>>>   	.secctx_to_secid = 		smack_secctx_to_secid,
>>>>   	.release_secctx = 		smack_release_secctx,
>>>> --
>>>> 1.7.11.7
>>>>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH 02/13] Security: Add Hook to test if the particular xattr is part of a MAC model.

[J. Bruce Fields]

On Mon, Nov 12, 2012 at 02:36:09PM -0500, David P. Quigley wrote:
> On 11/12/2012 11:36 AM, J. Bruce Fields wrote:
> >On Mon, Nov 12, 2012 at 09:56:37AM -0500, Dave Quigley wrote:
> >>On 11/12/2012 7:15 AM, J. Bruce Fields wrote:
> >>>On Mon, Nov 12, 2012 at 01:15:36AM -0500, David Quigley wrote:
> >>>>From: David Quigley<dpquigl@davequigley.com>
> >>>>
> >>>>The interface to request security labels from user space is the xattr
> >>>>interface. When requesting the security label from an NFS server it is
> >>>>important to make sure the requested xattr
> >>>I'm confused--clients can't request xattrs from NFS servers.  I must be
> >>>reading this wrong, but I'm not sure what you meant.
> >>>
> >>>--b.
> >>>
> >>Generically clients can't use xattrs from NFS servers but the LSM
> >>method for getting labels is through the xattr interface. THe point
> >>of this is if someone selects security.capability that we don't
> >>translate that into a call in labeled nfs to get the security label.
> >>We only want label based LSMs to cause a getfattr on the server to
> >>grab the label and populate the inode with that information.
> >>Currently if you use security.selinux or security.smack then labeled
> >>nfs will handle the translation of that into a get/setfattr on the
> >>security_label attribute in NFSv4.
> >OK, I think I understand: so this is to help the NFS client implement
> >the necessary xattr interface for userspace that get and sets security
> >labels on NFS filesystems?
> >
> >--b.
> 
> Exactly. The problem is we don't want to have LSM specific logic in
> so the best we can do is ask if the security.* xattr being accessed
> has the proper semantics to be used with Labeled NFS.

OK, thanks.  The changelog could probably be clarified (at least make it
clear that this is for the client side.)

Delaying this patch till right before the patch that actually uses it
might also help (and/or even combining those two patches).

--b.

> 
> >
> >>
> >>>>actually is a MAC label. This allows
> >>>>us to make sure that we get the desired semantics from the attribute instead of
> >>>>something else such as capabilities or a time based LSM.
> >>>>
> >>>>Signed-off-by: Matthew N. Dodd<Matthew.Dodd@sparta.com>
> >>>>Signed-off-by: Miguel Rodel Felipe<Rodel_FM@dsi.a-star.edu.sg>
> >>>>Signed-off-by: Phua Eu Gene<PHUA_Eu_Gene@dsi.a-star.edu.sg>
> >>>>Signed-off-by: Khin Mi Mi Aung<Mi_Mi_AUNG@dsi.a-star.edu.sg>
> >>>>Signed-off-by: David Quigley<dpquigl@davequigley.com>
> >>>>---
> >>>>  include/linux/security.h   | 14 ++++++++++++++
> >>>>  security/capability.c      |  6 ++++++
> >>>>  security/security.c        |  6 ++++++
> >>>>  security/selinux/hooks.c   |  6 ++++++
> >>>>  security/smack/smack_lsm.c | 11 +++++++++++
> >>>>  5 files changed, 43 insertions(+)
> >>>>
> >>>>diff --git a/include/linux/security.h b/include/linux/security.h
> >>>>index c9f5eec..167bdd5 100644
> >>>>--- a/include/linux/security.h
> >>>>+++ b/include/linux/security.h
> >>>>@@ -1301,6 +1301,13 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
> >>>>   *	@pages contains the number of pages.
> >>>>   *	Return 0 if permission is granted.
> >>>>   *
> >>>>+ * @ismaclabel:
> >>>>+ *	Check if the extended attribute specified by @name
> >>>>+ *	represents a MAC label. Returns 0 if name is a MAC
> >>>>+ *	attribute otherwise returns non-zero.
> >>>>+ *	@name full extended attribute name to check against
> >>>>+ *	LSM as a MAC label.
> >>>>+ *
> >>>>   * @secid_to_secctx:
> >>>>   *	Convert secid to security context.  If secdata is NULL the length of
> >>>>   *	the result will be returned in seclen, but no secdata will be returned.
> >>>>@@ -1581,6 +1588,7 @@ struct security_operations {
> >>>>
> >>>>  	int (*getprocattr) (struct task_struct *p, char *name, char **value);
> >>>>  	int (*setprocattr) (struct task_struct *p, char *name, void *value, size_t size);
> >>>>+	int (*ismaclabel) (const char *name);
> >>>>  	int (*secid_to_secctx) (u32 secid, char **secdata, u32 *seclen);
> >>>>  	int (*secctx_to_secid) (const char *secdata, u32 seclen, u32 *secid);
> >>>>  	void (*release_secctx) (char *secdata, u32 seclen);
> >>>>@@ -1829,6 +1837,7 @@ void security_d_instantiate(struct dentry *dentry, struct inode *inode);
> >>>>  int security_getprocattr(struct task_struct *p, char *name, char **value);
> >>>>  int security_setprocattr(struct task_struct *p, char *name, void *value, size_t size);
> >>>>  int security_netlink_send(struct sock *sk, struct sk_buff *skb);
> >>>>+int security_ismaclabel(const char *name);
> >>>>  int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
> >>>>  int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid);
> >>>>  void security_release_secctx(char *secdata, u32 seclen);
> >>>>@@ -2512,6 +2521,11 @@ static inline int security_netlink_send(struct sock *sk, struct sk_buff *skb)
> >>>>  	return cap_netlink_send(sk, skb);
> >>>>  }
> >>>>
> >>>>+static inline int security_ismaclabel(const char *name)
> >>>>+{
> >>>>+	return 0;
> >>>>+}
> >>>>+
> >>>>  static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
> >>>>  {
> >>>>  	return -EOPNOTSUPP;
> >>>>diff --git a/security/capability.c b/security/capability.c
> >>>>index f1eb284..9071447 100644
> >>>>--- a/security/capability.c
> >>>>+++ b/security/capability.c
> >>>>@@ -797,6 +797,11 @@ static int cap_setprocattr(struct task_struct *p, char *name, void *value,
> >>>>  	return -EINVAL;
> >>>>  }
> >>>>
> >>>>+static int cap_ismaclabel(const char *name)
> >>>>+{
> >>>>+	return 0;
> >>>>+}
> >>>>+
> >>>>  static int cap_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
> >>>>  {
> >>>>  	return -EOPNOTSUPP;
> >>>>@@ -1015,6 +1020,7 @@ void __init security_fixup_ops(struct security_operations *ops)
> >>>>  	set_to_cap_if_null(ops, d_instantiate);
> >>>>  	set_to_cap_if_null(ops, getprocattr);
> >>>>  	set_to_cap_if_null(ops, setprocattr);
> >>>>+	set_to_cap_if_null(ops, ismaclabel);
> >>>>  	set_to_cap_if_null(ops, secid_to_secctx);
> >>>>  	set_to_cap_if_null(ops, secctx_to_secid);
> >>>>  	set_to_cap_if_null(ops, release_secctx);
> >>>>diff --git a/security/security.c b/security/security.c
> >>>>index b4b2017..a7bee7b 100644
> >>>>--- a/security/security.c
> >>>>+++ b/security/security.c
> >>>>@@ -1047,6 +1047,12 @@ int security_netlink_send(struct sock *sk, struct sk_buff *skb)
> >>>>  	return security_ops->netlink_send(sk, skb);
> >>>>  }
> >>>>
> >>>>+int security_ismaclabel(const char *name)
> >>>>+{
> >>>>+	return security_ops->ismaclabel(name);
> >>>>+}
> >>>>+EXPORT_SYMBOL(security_ismaclabel);
> >>>>+
> >>>>  int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
> >>>>  {
> >>>>  	return security_ops->secid_to_secctx(secid, secdata, seclen);
> >>>>diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> >>>>index 22d9adf..f7c4899 100644
> >>>>--- a/security/selinux/hooks.c
> >>>>+++ b/security/selinux/hooks.c
> >>>>@@ -5401,6 +5401,11 @@ abort_change:
> >>>>  	return error;
> >>>>  }
> >>>>
> >>>>+static int selinux_ismaclabel(const char *name)
> >>>>+{
> >>>>+	return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
> >>>>+}
> >>>>+
> >>>>  static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
> >>>>  {
> >>>>  	return security_sid_to_context(secid, secdata, seclen);
> >>>>@@ -5639,6 +5644,7 @@ static struct security_operations selinux_ops = {
> >>>>  	.getprocattr =			selinux_getprocattr,
> >>>>  	.setprocattr =			selinux_setprocattr,
> >>>>
> >>>>+	.ismaclabel =			selinux_ismaclabel,
> >>>>  	.secid_to_secctx =		selinux_secid_to_secctx,
> >>>>  	.secctx_to_secid =		selinux_secctx_to_secid,
> >>>>  	.release_secctx =		selinux_release_secctx,
> >>>>diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> >>>>index 38be92c..82c3c72 100644
> >>>>--- a/security/smack/smack_lsm.c
> >>>>+++ b/security/smack/smack_lsm.c
> >>>>@@ -3335,6 +3335,16 @@ static void smack_audit_rule_free(void *vrule)
> >>>>  #endif /* CONFIG_AUDIT */
> >>>>
> >>>>  /**
> >>>>+ * smack_ismaclabel - check if xattr @name references a smack MAC label
> >>>>+ * @name: Full xattr name to check.
> >>>>+ */
> >>>>+static int smack_ismaclabel(const char *name)
> >>>>+{
> >>>>+	return (strcmp(name, XATTR_SMACK_SUFFIX) == 0);
> >>>>+}
> >>>>+
> >>>>+
> >>>>+/**
> >>>>   * smack_secid_to_secctx - return the smack label for a secid
> >>>>   * @secid: incoming integer
> >>>>   * @secdata: destination
> >>>>@@ -3530,6 +3540,7 @@ struct security_operations smack_ops = {
> >>>>  	.audit_rule_free =		smack_audit_rule_free,
> >>>>  #endif /* CONFIG_AUDIT */
> >>>>
> >>>>+	.ismaclabel =			smack_ismaclabel,
> >>>>  	.secid_to_secctx = 		smack_secid_to_secctx,
> >>>>  	.secctx_to_secid = 		smack_secctx_to_secid,
> >>>>  	.release_secctx = 		smack_release_secctx,
> >>>>--
> >>>>1.7.11.7
> >>>>
> 

Re: [PATCH 02/13] Security: Add Hook to test if the particular xattr is part of a MAC model.

[Dave Quigley]

On 11/12/2012 4:43 PM, J. Bruce Fields wrote:
> On Mon, Nov 12, 2012 at 02:36:09PM -0500, David P. Quigley wrote:
>> On 11/12/2012 11:36 AM, J. Bruce Fields wrote:
>>> On Mon, Nov 12, 2012 at 09:56:37AM -0500, Dave Quigley wrote:
>>>> On 11/12/2012 7:15 AM, J. Bruce Fields wrote:
>>>>> On Mon, Nov 12, 2012 at 01:15:36AM -0500, David Quigley wrote:
>>>>>> From: David Quigley<dpquigl@davequigley.com>
>>>>>>
>>>>>> The interface to request security labels from user space is the xattr
>>>>>> interface. When requesting the security label from an NFS server it is
>>>>>> important to make sure the requested xattr
>>>>> I'm confused--clients can't request xattrs from NFS servers.  I must be
>>>>> reading this wrong, but I'm not sure what you meant.
>>>>>
>>>>> --b.
>>>>>
>>>> Generically clients can't use xattrs from NFS servers but the LSM
>>>> method for getting labels is through the xattr interface. THe point
>>>> of this is if someone selects security.capability that we don't
>>>> translate that into a call in labeled nfs to get the security label.
>>>> We only want label based LSMs to cause a getfattr on the server to
>>>> grab the label and populate the inode with that information.
>>>> Currently if you use security.selinux or security.smack then labeled
>>>> nfs will handle the translation of that into a get/setfattr on the
>>>> security_label attribute in NFSv4.
>>> OK, I think I understand: so this is to help the NFS client implement
>>> the necessary xattr interface for userspace that get and sets security
>>> labels on NFS filesystems?
>>>
>>> --b.
>>
>> Exactly. The problem is we don't want to have LSM specific logic in
>> so the best we can do is ask if the security.* xattr being accessed
>> has the proper semantics to be used with Labeled NFS.
>
> OK, thanks.  The changelog could probably be clarified (at least make it
> clear that this is for the client side.)
>
> Delaying this patch till right before the patch that actually uses it
> might also help (and/or even combining those two patches).
>
> --b.
>

I should be able to rearrange them and change the patch text. Merging 
probably isn't a good idea since all of this code is in LSMs so it seems 
weird to put it in with the NFS code.

Re: [PATCH 02/13] Security: Add Hook to test if the particular xattr is part of a MAC model.

[Dave Quigley]

On 11/12/2012 4:43 PM, J. Bruce Fields wrote:
> On Mon, Nov 12, 2012 at 02:36:09PM -0500, David P. Quigley wrote:
>> On 11/12/2012 11:36 AM, J. Bruce Fields wrote:
>>> On Mon, Nov 12, 2012 at 09:56:37AM -0500, Dave Quigley wrote:
>>>> On 11/12/2012 7:15 AM, J. Bruce Fields wrote:
>>>>> On Mon, Nov 12, 2012 at 01:15:36AM -0500, David Quigley wrote:
>>>>>> From: David Quigley<dpquigl@davequigley.com>
>>>>>>
>>>>>> The interface to request security labels from user space is the xattr
>>>>>> interface. When requesting the security label from an NFS server it is
>>>>>> important to make sure the requested xattr
>>>>> I'm confused--clients can't request xattrs from NFS servers.  I must be
>>>>> reading this wrong, but I'm not sure what you meant.
>>>>>
>>>>> --b.
>>>>>
>>>> Generically clients can't use xattrs from NFS servers but the LSM
>>>> method for getting labels is through the xattr interface. THe point
>>>> of this is if someone selects security.capability that we don't
>>>> translate that into a call in labeled nfs to get the security label.
>>>> We only want label based LSMs to cause a getfattr on the server to
>>>> grab the label and populate the inode with that information.
>>>> Currently if you use security.selinux or security.smack then labeled
>>>> nfs will handle the translation of that into a get/setfattr on the
>>>> security_label attribute in NFSv4.
>>> OK, I think I understand: so this is to help the NFS client implement
>>> the necessary xattr interface for userspace that get and sets security
>>> labels on NFS filesystems?
>>>
>>> --b.
>>
>> Exactly. The problem is we don't want to have LSM specific logic in
>> so the best we can do is ask if the security.* xattr being accessed
>> has the proper semantics to be used with Labeled NFS.
>
> OK, thanks.  The changelog could probably be clarified (at least make it
> clear that this is for the client side.)
>
> Delaying this patch till right before the patch that actually uses it
> might also help (and/or even combining those two patches).
>
> --b.
>

I should be able to rearrange them and change the patch text. Merging 
probably isn't a good idea since all of this code is in LSMs so it seems 
weird to put it in with the NFS code.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[PATCH 03/13] LSM: Add flags field to security_sb_set_mnt_opts for in kernel mount data.

[David Quigley]

From: David Quigley <dpquigl@davequigley.com>

There is no way to differentiate if a text mount option is passed from user
space or the kernel. A flags field is being added to the
security_sb_set_mnt_opts hook to allow for in kernel security flags to be sent
to the LSM for processing in addition to the text options received from mount.
This patch also updated existing code to fix compilation errors.

Signed-off-by: David P. Quigley <dpquigl@tycho.nsa.gov>
Signed-off-by: Miguel Rodel Felipe <Rodel_FM@dsi.a-star.edu.sg>
Signed-off-by: Phua Eu Gene <PHUA_Eu_Gene@dsi.a-star.edu.sg>
Signed-off-by: Khin Mi Mi Aung <Mi_Mi_AUNG@dsi.a-star.edu.sg>
Signed-off-by: David Quigley <dpquigl@davequigley.com>
---
 fs/nfs/super.c           |  3 ++-
 include/linux/security.h | 13 ++++++++++---
 security/capability.c    |  5 ++++-
 security/security.c      |  7 +++++--
 security/selinux/hooks.c | 12 ++++++++++--
 5 files changed, 31 insertions(+), 9 deletions(-)

diff --git a/fs/nfs/super.c b/fs/nfs/super.c
index e831bce..ee07a08 100644
--- a/fs/nfs/super.c
+++ b/fs/nfs/super.c
@@ -2356,7 +2356,8 @@ static int nfs_bdi_register(struct nfs_server *server)
 int nfs_set_sb_security(struct super_block *s, struct dentry *mntroot,
 			struct nfs_mount_info *mount_info)
 {
-	return security_sb_set_mnt_opts(s, &mount_info->parsed->lsm_opts);
+	return security_sb_set_mnt_opts(s, &mount_info->parsed->lsm_opts,
+								0, NULL);
 }
 EXPORT_SYMBOL_GPL(nfs_set_sb_security);
 
diff --git a/include/linux/security.h b/include/linux/security.h
index 167bdd5..c94bcf5 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -1434,7 +1434,9 @@ struct security_operations {
 	int (*sb_pivotroot) (struct path *old_path,
 			     struct path *new_path);
 	int (*sb_set_mnt_opts) (struct super_block *sb,
-				struct security_mnt_opts *opts);
+				struct security_mnt_opts *opts,
+				unsigned long kern_flags,
+				unsigned long *set_kern_flags);
 	void (*sb_clone_mnt_opts) (const struct super_block *oldsb,
 				   struct super_block *newsb);
 	int (*sb_parse_opts_str) (char *options, struct security_mnt_opts *opts);
@@ -1720,7 +1722,10 @@ int security_sb_mount(const char *dev_name, struct path *path,
 		      const char *type, unsigned long flags, void *data);
 int security_sb_umount(struct vfsmount *mnt, int flags);
 int security_sb_pivotroot(struct path *old_path, struct path *new_path);
-int security_sb_set_mnt_opts(struct super_block *sb, struct security_mnt_opts *opts);
+int security_sb_set_mnt_opts(struct super_block *sb,
+				struct security_mnt_opts *opts,
+				unsigned long kern_flags,
+				unsigned long *set_kern_flags);
 void security_sb_clone_mnt_opts(const struct super_block *oldsb,
 				struct super_block *newsb);
 int security_sb_parse_opts_str(char *options, struct security_mnt_opts *opts);
@@ -2009,7 +2014,9 @@ static inline int security_sb_pivotroot(struct path *old_path,
 }
 
 static inline int security_sb_set_mnt_opts(struct super_block *sb,
-					   struct security_mnt_opts *opts)
+					   struct security_mnt_opts *opts,
+					   unsigned long kern_flags,
+					   unsigned long *set_kern_flags)
 {
 	return 0;
 }
diff --git a/security/capability.c b/security/capability.c
index 9071447..cf9f511 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -91,7 +91,10 @@ static int cap_sb_pivotroot(struct path *old_path, struct path *new_path)
 }
 
 static int cap_sb_set_mnt_opts(struct super_block *sb,
-			       struct security_mnt_opts *opts)
+			       struct security_mnt_opts *opts,
+			       unsigned long kern_flags,
+			       unsigned long *set_kern_flags)
+
 {
 	if (unlikely(opts->num_mnt_opts))
 		return -EOPNOTSUPP;
diff --git a/security/security.c b/security/security.c
index a7bee7b..60a6017 100644
--- a/security/security.c
+++ b/security/security.c
@@ -294,9 +294,12 @@ int security_sb_pivotroot(struct path *old_path, struct path *new_path)
 }
 
 int security_sb_set_mnt_opts(struct super_block *sb,
-				struct security_mnt_opts *opts)
+				struct security_mnt_opts *opts,
+				unsigned long kern_flags,
+				unsigned long *set_kern_flags)
 {
-	return security_ops->sb_set_mnt_opts(sb, opts);
+	return security_ops->sb_set_mnt_opts(sb, opts, kern_flags,
+						set_kern_flags);
 }
 EXPORT_SYMBOL(security_sb_set_mnt_opts);
 
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index f7c4899..4e7e7c2 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -551,7 +551,9 @@ static int bad_option(struct superblock_security_struct *sbsec, char flag,
  * labeling information.
  */
 static int selinux_set_mnt_opts(struct super_block *sb,
-				struct security_mnt_opts *opts)
+				struct security_mnt_opts *opts,
+				unsigned long kern_flags,
+				unsigned long *set_kern_flags)
 {
 	const struct cred *cred = current_cred();
 	int rc = 0, i;
@@ -579,6 +581,12 @@ static int selinux_set_mnt_opts(struct super_block *sb,
 			"before the security server is initialized\n");
 		goto out;
 	}
+	if (kern_flags && !set_kern_flags) {
+		/* Specifying internal flags without providing a place to
+		 * place the results is not allowed */
+		rc = -EINVAL;
+		goto out;
+	}
 
 	/*
 	 * Binary mount data FS will come through this function twice.  Once
@@ -948,7 +956,7 @@ static int superblock_doinit(struct super_block *sb, void *data)
 		goto out_err;
 
 out:
-	rc = selinux_set_mnt_opts(sb, &opts);
+	rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
 
 out_err:
 	security_free_mnt_opts(&opts);
-- 
1.7.11.7

[PATCH 03/13] LSM: Add flags field to security_sb_set_mnt_opts for in kernel mount data.

[David Quigley]

From: David Quigley <dpquigl@davequigley.com>

There is no way to differentiate if a text mount option is passed from user
space or the kernel. A flags field is being added to the
security_sb_set_mnt_opts hook to allow for in kernel security flags to be sent
to the LSM for processing in addition to the text options received from mount.
This patch also updated existing code to fix compilation errors.

Signed-off-by: David P. Quigley <dpquigl@tycho.nsa.gov>
Signed-off-by: Miguel Rodel Felipe <Rodel_FM@dsi.a-star.edu.sg>
Signed-off-by: Phua Eu Gene <PHUA_Eu_Gene@dsi.a-star.edu.sg>
Signed-off-by: Khin Mi Mi Aung <Mi_Mi_AUNG@dsi.a-star.edu.sg>
Signed-off-by: David Quigley <dpquigl@davequigley.com>
---
 fs/nfs/super.c           |  3 ++-
 include/linux/security.h | 13 ++++++++++---
 security/capability.c    |  5 ++++-
 security/security.c      |  7 +++++--
 security/selinux/hooks.c | 12 ++++++++++--
 5 files changed, 31 insertions(+), 9 deletions(-)

diff --git a/fs/nfs/super.c b/fs/nfs/super.c
index e831bce..ee07a08 100644
--- a/fs/nfs/super.c
+++ b/fs/nfs/super.c
@@ -2356,7 +2356,8 @@ static int nfs_bdi_register(struct nfs_server *server)
 int nfs_set_sb_security(struct super_block *s, struct dentry *mntroot,
 			struct nfs_mount_info *mount_info)
 {
-	return security_sb_set_mnt_opts(s, &mount_info->parsed->lsm_opts);
+	return security_sb_set_mnt_opts(s, &mount_info->parsed->lsm_opts,
+								0, NULL);
 }
 EXPORT_SYMBOL_GPL(nfs_set_sb_security);
 
diff --git a/include/linux/security.h b/include/linux/security.h
index 167bdd5..c94bcf5 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -1434,7 +1434,9 @@ struct security_operations {
 	int (*sb_pivotroot) (struct path *old_path,
 			     struct path *new_path);
 	int (*sb_set_mnt_opts) (struct super_block *sb,
-				struct security_mnt_opts *opts);
+				struct security_mnt_opts *opts,
+				unsigned long kern_flags,
+				unsigned long *set_kern_flags);
 	void (*sb_clone_mnt_opts) (const struct super_block *oldsb,
 				   struct super_block *newsb);
 	int (*sb_parse_opts_str) (char *options, struct security_mnt_opts *opts);
@@ -1720,7 +1722,10 @@ int security_sb_mount(const char *dev_name, struct path *path,
 		      const char *type, unsigned long flags, void *data);
 int security_sb_umount(struct vfsmount *mnt, int flags);
 int security_sb_pivotroot(struct path *old_path, struct path *new_path);
-int security_sb_set_mnt_opts(struct super_block *sb, struct security_mnt_opts *opts);
+int security_sb_set_mnt_opts(struct super_block *sb,
+				struct security_mnt_opts *opts,
+				unsigned long kern_flags,
+				unsigned long *set_kern_flags);
 void security_sb_clone_mnt_opts(const struct super_block *oldsb,
 				struct super_block *newsb);
 int security_sb_parse_opts_str(char *options, struct security_mnt_opts *opts);
@@ -2009,7 +2014,9 @@ static inline int security_sb_pivotroot(struct path *old_path,
 }
 
 static inline int security_sb_set_mnt_opts(struct super_block *sb,
-					   struct security_mnt_opts *opts)
+					   struct security_mnt_opts *opts,
+					   unsigned long kern_flags,
+					   unsigned long *set_kern_flags)
 {
 	return 0;
 }
diff --git a/security/capability.c b/security/capability.c
index 9071447..cf9f511 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -91,7 +91,10 @@ static int cap_sb_pivotroot(struct path *old_path, struct path *new_path)
 }
 
 static int cap_sb_set_mnt_opts(struct super_block *sb,
-			       struct security_mnt_opts *opts)
+			       struct security_mnt_opts *opts,
+			       unsigned long kern_flags,
+			       unsigned long *set_kern_flags)
+
 {
 	if (unlikely(opts->num_mnt_opts))
 		return -EOPNOTSUPP;
diff --git a/security/security.c b/security/security.c
index a7bee7b..60a6017 100644
--- a/security/security.c
+++ b/security/security.c
@@ -294,9 +294,12 @@ int security_sb_pivotroot(struct path *old_path, struct path *new_path)
 }
 
 int security_sb_set_mnt_opts(struct super_block *sb,
-				struct security_mnt_opts *opts)
+				struct security_mnt_opts *opts,
+				unsigned long kern_flags,
+				unsigned long *set_kern_flags)
 {
-	return security_ops->sb_set_mnt_opts(sb, opts);
+	return security_ops->sb_set_mnt_opts(sb, opts, kern_flags,
+						set_kern_flags);
 }
 EXPORT_SYMBOL(security_sb_set_mnt_opts);
 
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index f7c4899..4e7e7c2 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -551,7 +551,9 @@ static int bad_option(struct superblock_security_struct *sbsec, char flag,
  * labeling information.
  */
 static int selinux_set_mnt_opts(struct super_block *sb,
-				struct security_mnt_opts *opts)
+				struct security_mnt_opts *opts,
+				unsigned long kern_flags,
+				unsigned long *set_kern_flags)
 {
 	const struct cred *cred = current_cred();
 	int rc = 0, i;
@@ -579,6 +581,12 @@ static int selinux_set_mnt_opts(struct super_block *sb,
 			"before the security server is initialized\n");
 		goto out;
 	}
+	if (kern_flags && !set_kern_flags) {
+		/* Specifying internal flags without providing a place to
+		 * place the results is not allowed */
+		rc = -EINVAL;
+		goto out;
+	}
 
 	/*
 	 * Binary mount data FS will come through this function twice.  Once
@@ -948,7 +956,7 @@ static int superblock_doinit(struct super_block *sb, void *data)
 		goto out_err;
 
 out:
-	rc = selinux_set_mnt_opts(sb, &opts);
+	rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
 
 out_err:
 	security_free_mnt_opts(&opts);
-- 
1.7.11.7


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[PATCH 04/13] SELinux: Add new labeling type native labels

[David Quigley]

From: David Quigley <dpquigl@davequigley.com>

There currently doesn't exist a labeling type that is adequate for use with
labeled NFS. Since NFS doesn't really support xattrs we can't use the use xattr
labeling behavior. For this we developed a new labeling type. The native
labeling type is used solely by NFS to ensure NFS inodes are labeled at runtime
by the NFS code instead of relying on the SELinux security server on the client
end.

Signed-off-by: Matthew N. Dodd <Matthew.Dodd@sparta.com>
Signed-off-by: Miguel Rodel Felipe <Rodel_FM@dsi.a-star.edu.sg>
Signed-off-by: Phua Eu Gene <PHUA_Eu_Gene@dsi.a-star.edu.sg>
Signed-off-by: Khin Mi Mi Aung <Mi_Mi_AUNG@dsi.a-star.edu.sg>
Signed-off-by: David Quigley <dpquigl@davequigley.com>
---
 include/linux/security.h            |  3 +++
 security/selinux/hooks.c            | 35 ++++++++++++++++++++++++++---------
 security/selinux/include/security.h |  2 ++
 security/selinux/ss/policydb.c      |  5 ++++-
 4 files changed, 35 insertions(+), 10 deletions(-)

diff --git a/include/linux/security.h b/include/linux/security.h
index c94bcf5..afddfec 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -61,6 +61,9 @@ struct mm_struct;
 #define SECURITY_CAP_NOAUDIT 0
 #define SECURITY_CAP_AUDIT 1
 
+/* LSM Agnostic defines for sb_set_mnt_opts */
+#define SECURITY_LSM_NATIVE_LABELS	1
+
 struct ctl_table;
 struct audit_krule;
 struct user_namespace;
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 4e7e7c2..8f233ff 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -80,6 +80,7 @@
 #include <linux/syslog.h>
 #include <linux/user_namespace.h>
 #include <linux/export.h>
+#include <linux/security.h>
 #include <linux/msg.h>
 #include <linux/shm.h>
 
@@ -283,13 +284,14 @@ static void superblock_free_security(struct super_block *sb)
 
 /* The file system's label must be initialized prior to use. */
 
-static const char *labeling_behaviors[6] = {
+static const char *labeling_behaviors[7] = {
 	"uses xattr",
 	"uses transition SIDs",
 	"uses task SIDs",
 	"uses genfs_contexts",
 	"not configured for labeling",
 	"uses mountpoint labeling",
+	"uses native labeling",
 };
 
 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
@@ -677,14 +679,21 @@ static int selinux_set_mnt_opts(struct super_block *sb,
 	if (strcmp(sb->s_type->name, "proc") == 0)
 		sbsec->flags |= SE_SBPROC;
 
-	/* Determine the labeling behavior to use for this filesystem type. */
-	rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
-	if (rc) {
-		printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
-		       __func__, sb->s_type->name, rc);
-		goto out;
+	if (!sbsec->behavior) {
+		/*
+		 * Determine the labeling behavior to use for this
+		 * filesystem type.
+		 */
+		rc = security_fs_use((sbsec->flags & SE_SBPROC) ?
+					"proc" : sb->s_type->name,
+					&sbsec->behavior, &sbsec->sid);
+		if (rc) {
+			printk(KERN_WARNING
+				"%s: security_fs_use(%s) returned %d\n",
+					__func__, sb->s_type->name, rc);
+			goto out;
+		}
 	}
-
 	/* sets the context of the superblock for the fs being mounted. */
 	if (fscontext_sid) {
 		rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
@@ -699,6 +708,11 @@ static int selinux_set_mnt_opts(struct super_block *sb,
 	 * sets the label used on all file below the mountpoint, and will set
 	 * the superblock context if not already set.
 	 */
+	if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
+		sbsec->behavior = SECURITY_FS_USE_NATIVE;
+		*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
+	}
+
 	if (context_sid) {
 		if (!fscontext_sid) {
 			rc = may_context_mount_sb_relabel(context_sid, sbsec,
@@ -730,7 +744,8 @@ static int selinux_set_mnt_opts(struct super_block *sb,
 	}
 
 	if (defcontext_sid) {
-		if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
+		if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
+			sbsec->behavior != SECURITY_FS_USE_NATIVE) {
 			rc = -EINVAL;
 			printk(KERN_WARNING "SELinux: defcontext option is "
 			       "invalid for this filesystem type\n");
@@ -1198,6 +1213,8 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
 	}
 
 	switch (sbsec->behavior) {
+	case SECURITY_FS_USE_NATIVE:
+		break;
 	case SECURITY_FS_USE_XATTR:
 		if (!inode->i_op->getxattr) {
 			isec->sid = sbsec->def_sid;
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index 6d38851..8fd8e18 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -169,6 +169,8 @@ int security_get_allow_unknown(void);
 #define SECURITY_FS_USE_GENFS		4 /* use the genfs support */
 #define SECURITY_FS_USE_NONE		5 /* no labeling support */
 #define SECURITY_FS_USE_MNTPOINT	6 /* use mountpoint labeling */
+#define SECURITY_FS_USE_NATIVE		7 /* use native label support */
+#define SECURITY_FS_USE_MAX		7 /* Highest SECURITY_FS_USE_XXX */
 
 int security_fs_use(const char *fstype, unsigned int *behavior,
 	u32 *sid);
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index 9cd9b7c..c8adde3 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -2168,7 +2168,10 @@ static int ocontext_read(struct policydb *p, struct policydb_compat_info *info,
 
 				rc = -EINVAL;
 				c->v.behavior = le32_to_cpu(buf[0]);
-				if (c->v.behavior > SECURITY_FS_USE_NONE)
+				/* Determined at runtime, not in policy DB. */
+				if (c->v.behavior == SECURITY_FS_USE_MNTPOINT)
+					goto out;
+				if (c->v.behavior > SECURITY_FS_USE_MAX)
 					goto out;
 
 				rc = -ENOMEM;
-- 
1.7.11.7

[PATCH 04/13] SELinux: Add new labeling type native labels

[David Quigley]

From: David Quigley <dpquigl@davequigley.com>

There currently doesn't exist a labeling type that is adequate for use with
labeled NFS. Since NFS doesn't really support xattrs we can't use the use xattr
labeling behavior. For this we developed a new labeling type. The native
labeling type is used solely by NFS to ensure NFS inodes are labeled at runtime
by the NFS code instead of relying on the SELinux security server on the client
end.

Signed-off-by: Matthew N. Dodd <Matthew.Dodd@sparta.com>
Signed-off-by: Miguel Rodel Felipe <Rodel_FM@dsi.a-star.edu.sg>
Signed-off-by: Phua Eu Gene <PHUA_Eu_Gene@dsi.a-star.edu.sg>
Signed-off-by: Khin Mi Mi Aung <Mi_Mi_AUNG@dsi.a-star.edu.sg>
Signed-off-by: David Quigley <dpquigl@davequigley.com>
---
 include/linux/security.h            |  3 +++
 security/selinux/hooks.c            | 35 ++++++++++++++++++++++++++---------
 security/selinux/include/security.h |  2 ++
 security/selinux/ss/policydb.c      |  5 ++++-
 4 files changed, 35 insertions(+), 10 deletions(-)

diff --git a/include/linux/security.h b/include/linux/security.h
index c94bcf5..afddfec 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -61,6 +61,9 @@ struct mm_struct;
 #define SECURITY_CAP_NOAUDIT 0
 #define SECURITY_CAP_AUDIT 1
 
+/* LSM Agnostic defines for sb_set_mnt_opts */
+#define SECURITY_LSM_NATIVE_LABELS	1
+
 struct ctl_table;
 struct audit_krule;
 struct user_namespace;
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 4e7e7c2..8f233ff 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -80,6 +80,7 @@
 #include <linux/syslog.h>
 #include <linux/user_namespace.h>
 #include <linux/export.h>
+#include <linux/security.h>
 #include <linux/msg.h>
 #include <linux/shm.h>
 
@@ -283,13 +284,14 @@ static void superblock_free_security(struct super_block *sb)
 
 /* The file system's label must be initialized prior to use. */
 
-static const char *labeling_behaviors[6] = {
+static const char *labeling_behaviors[7] = {
 	"uses xattr",
 	"uses transition SIDs",
 	"uses task SIDs",
 	"uses genfs_contexts",
 	"not configured for labeling",
 	"uses mountpoint labeling",
+	"uses native labeling",
 };
 
 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
@@ -677,14 +679,21 @@ static int selinux_set_mnt_opts(struct super_block *sb,
 	if (strcmp(sb->s_type->name, "proc") == 0)
 		sbsec->flags |= SE_SBPROC;
 
-	/* Determine the labeling behavior to use for this filesystem type. */
-	rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
-	if (rc) {
-		printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
-		       __func__, sb->s_type->name, rc);
-		goto out;
+	if (!sbsec->behavior) {
+		/*
+		 * Determine the labeling behavior to use for this
+		 * filesystem type.
+		 */
+		rc = security_fs_use((sbsec->flags & SE_SBPROC) ?
+					"proc" : sb->s_type->name,
+					&sbsec->behavior, &sbsec->sid);
+		if (rc) {
+			printk(KERN_WARNING
+				"%s: security_fs_use(%s) returned %d\n",
+					__func__, sb->s_type->name, rc);
+			goto out;
+		}
 	}
-
 	/* sets the context of the superblock for the fs being mounted. */
 	if (fscontext_sid) {
 		rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
@@ -699,6 +708,11 @@ static int selinux_set_mnt_opts(struct super_block *sb,
 	 * sets the label used on all file below the mountpoint, and will set
 	 * the superblock context if not already set.
 	 */
+	if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
+		sbsec->behavior = SECURITY_FS_USE_NATIVE;
+		*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
+	}
+
 	if (context_sid) {
 		if (!fscontext_sid) {
 			rc = may_context_mount_sb_relabel(context_sid, sbsec,
@@ -730,7 +744,8 @@ static int selinux_set_mnt_opts(struct super_block *sb,
 	}
 
 	if (defcontext_sid) {
-		if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
+		if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
+			sbsec->behavior != SECURITY_FS_USE_NATIVE) {
 			rc = -EINVAL;
 			printk(KERN_WARNING "SELinux: defcontext option is "
 			       "invalid for this filesystem type\n");
@@ -1198,6 +1213,8 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
 	}
 
 	switch (sbsec->behavior) {
+	case SECURITY_FS_USE_NATIVE:
+		break;
 	case SECURITY_FS_USE_XATTR:
 		if (!inode->i_op->getxattr) {
 			isec->sid = sbsec->def_sid;
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index 6d38851..8fd8e18 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -169,6 +169,8 @@ int security_get_allow_unknown(void);
 #define SECURITY_FS_USE_GENFS		4 /* use the genfs support */
 #define SECURITY_FS_USE_NONE		5 /* no labeling support */
 #define SECURITY_FS_USE_MNTPOINT	6 /* use mountpoint labeling */
+#define SECURITY_FS_USE_NATIVE		7 /* use native label support */
+#define SECURITY_FS_USE_MAX		7 /* Highest SECURITY_FS_USE_XXX */
 
 int security_fs_use(const char *fstype, unsigned int *behavior,
 	u32 *sid);
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index 9cd9b7c..c8adde3 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -2168,7 +2168,10 @@ static int ocontext_read(struct policydb *p, struct policydb_compat_info *info,
 
 				rc = -EINVAL;
 				c->v.behavior = le32_to_cpu(buf[0]);
-				if (c->v.behavior > SECURITY_FS_USE_NONE)
+				/* Determined at runtime, not in policy DB. */
+				if (c->v.behavior == SECURITY_FS_USE_MNTPOINT)
+					goto out;
+				if (c->v.behavior > SECURITY_FS_USE_MAX)
 					goto out;
 
 				rc = -ENOMEM;
-- 
1.7.11.7


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[PATCH 05/13] KConfig: Add KConfig entries for Labeled NFS

[David Quigley]

From: David Quigley <dpquigl@davequigley.com>

This patch adds two entries into the fs/KConfig file. The first entry
NFS_V4_SECURITY_LABEL enables security label support for the NFSv4 client while
the second entry NFSD_V4_SECURITY_LABEL enables security labeling support on
the server side.

Signed-off-by: Matthew N. Dodd <Matthew.Dodd@sparta.com>
Signed-off-by: Miguel Rodel Felipe <Rodel_FM@dsi.a-star.edu.sg>
Signed-off-by: Phua Eu Gene <PHUA_Eu_Gene@dsi.a-star.edu.sg>
Signed-off-by: Khin Mi Mi Aung <Mi_Mi_AUNG@dsi.a-star.edu.sg>
Signed-off-by: David Quigley <dpquigl@davequigley.com>
---
 fs/nfs/Kconfig  | 16 ++++++++++++++++
 fs/nfsd/Kconfig | 13 +++++++++++++
 2 files changed, 29 insertions(+)

diff --git a/fs/nfs/Kconfig b/fs/nfs/Kconfig
index 13ca196..0077197 100644
--- a/fs/nfs/Kconfig
+++ b/fs/nfs/Kconfig
@@ -131,6 +131,22 @@ config NFS_V4_1_IMPLEMENTATION_ID_DOMAIN
 	  If the NFS client is unchanged from the upstream kernel, this
 	  option should be set to the default "kernel.org".
 
+config NFS_V4_SECURITY_LABEL
+	bool "Provide Security Label support for NFSv4 client"
+	depends on NFS_V4 && SECURITY
+	help
+
+	Say Y here if you want enable fine-grained security label attribute
+	support for NFS version 4.  Security labels allow security modules like
+	SELinux and Smack to label files to facilitate enforcement of their policies.
+	Without this an NFSv4 mount will have the same label on each file.
+
+	If you do not wish to enable fine-grained security labels SELinux or
+	Smack policies on NFSv4 files, say N.
+
+
+	  If unsure, say N.
+
 config ROOT_NFS
 	bool "Root file system on NFS"
 	depends on NFS_FS=y && IP_PNP
diff --git a/fs/nfsd/Kconfig b/fs/nfsd/Kconfig
index 8df1ea4..75ba894 100644
--- a/fs/nfsd/Kconfig
+++ b/fs/nfsd/Kconfig
@@ -81,6 +81,19 @@ config NFSD_V4
 
 	  If unsure, say N.
 
+config NFSD_V4_SECURITY_LABEL
+	bool "Provide Security Label support for NFSv4 server"
+	depends on NFSD_V4 && SECURITY
+	help
+
+	Say Y here if you want enable fine-grained security label attribute
+	support for NFS version 4.  Security labels allow security modules like
+	SELinux and Smack to label files to facilitate enforcement of their policies.
+	Without this an NFSv4 mount will have the same label on each file.
+
+	If you do not wish to enable fine-grained security labels SELinux or
+	Smack policies on NFSv4 files, say N.
+
 config NFSD_FAULT_INJECTION
 	bool "NFS server manual fault injection"
 	depends on NFSD_V4 && DEBUG_KERNEL
-- 
1.7.11.7

[PATCH 05/13] KConfig: Add KConfig entries for Labeled NFS

[David Quigley]

From: David Quigley <dpquigl@davequigley.com>

This patch adds two entries into the fs/KConfig file. The first entry
NFS_V4_SECURITY_LABEL enables security label support for the NFSv4 client while
the second entry NFSD_V4_SECURITY_LABEL enables security labeling support on
the server side.

Signed-off-by: Matthew N. Dodd <Matthew.Dodd@sparta.com>
Signed-off-by: Miguel Rodel Felipe <Rodel_FM@dsi.a-star.edu.sg>
Signed-off-by: Phua Eu Gene <PHUA_Eu_Gene@dsi.a-star.edu.sg>
Signed-off-by: Khin Mi Mi Aung <Mi_Mi_AUNG@dsi.a-star.edu.sg>
Signed-off-by: David Quigley <dpquigl@davequigley.com>
---
 fs/nfs/Kconfig  | 16 ++++++++++++++++
 fs/nfsd/Kconfig | 13 +++++++++++++
 2 files changed, 29 insertions(+)

diff --git a/fs/nfs/Kconfig b/fs/nfs/Kconfig
index 13ca196..0077197 100644
--- a/fs/nfs/Kconfig
+++ b/fs/nfs/Kconfig
@@ -131,6 +131,22 @@ config NFS_V4_1_IMPLEMENTATION_ID_DOMAIN
 	  If the NFS client is unchanged from the upstream kernel, this
 	  option should be set to the default "kernel.org".
 
+config NFS_V4_SECURITY_LABEL
+	bool "Provide Security Label support for NFSv4 client"
+	depends on NFS_V4 && SECURITY
+	help
+
+	Say Y here if you want enable fine-grained security label attribute
+	support for NFS version 4.  Security labels allow security modules like
+	SELinux and Smack to label files to facilitate enforcement of their policies.
+	Without this an NFSv4 mount will have the same label on each file.
+
+	If you do not wish to enable fine-grained security labels SELinux or
+	Smack policies on NFSv4 files, say N.
+
+
+	  If unsure, say N.
+
 config ROOT_NFS
 	bool "Root file system on NFS"
 	depends on NFS_FS=y && IP_PNP
diff --git a/fs/nfsd/Kconfig b/fs/nfsd/Kconfig
index 8df1ea4..75ba894 100644
--- a/fs/nfsd/Kconfig
+++ b/fs/nfsd/Kconfig
@@ -81,6 +81,19 @@ config NFSD_V4
 
 	  If unsure, say N.
 
+config NFSD_V4_SECURITY_LABEL
+	bool "Provide Security Label support for NFSv4 server"
+	depends on NFSD_V4 && SECURITY
+	help
+
+	Say Y here if you want enable fine-grained security label attribute
+	support for NFS version 4.  Security labels allow security modules like
+	SELinux and Smack to label files to facilitate enforcement of their policies.
+	Without this an NFSv4 mount will have the same label on each file.
+
+	If you do not wish to enable fine-grained security labels SELinux or
+	Smack policies on NFSv4 files, say N.
+
 config NFSD_FAULT_INJECTION
 	bool "NFS server manual fault injection"
 	depends on NFSD_V4 && DEBUG_KERNEL
-- 
1.7.11.7


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH 05/13] KConfig: Add KConfig entries for Labeled NFS

[J. Bruce Fields]

On Mon, Nov 12, 2012 at 01:15:39AM -0500, David Quigley wrote:
> From: David Quigley <dpquigl@davequigley.com>
> 
> This patch adds two entries into the fs/KConfig file. The first entry
> NFS_V4_SECURITY_LABEL enables security label support for the NFSv4 client while
> the second entry NFSD_V4_SECURITY_LABEL enables security labeling support on
> the server side.
> 
> Signed-off-by: Matthew N. Dodd <Matthew.Dodd@sparta.com>
> Signed-off-by: Miguel Rodel Felipe <Rodel_FM@dsi.a-star.edu.sg>
> Signed-off-by: Phua Eu Gene <PHUA_Eu_Gene@dsi.a-star.edu.sg>
> Signed-off-by: Khin Mi Mi Aung <Mi_Mi_AUNG@dsi.a-star.edu.sg>
> Signed-off-by: David Quigley <dpquigl@davequigley.com>
> ---
>  fs/nfs/Kconfig  | 16 ++++++++++++++++
>  fs/nfsd/Kconfig | 13 +++++++++++++
>  2 files changed, 29 insertions(+)
> 
> diff --git a/fs/nfs/Kconfig b/fs/nfs/Kconfig
> index 13ca196..0077197 100644
> --- a/fs/nfs/Kconfig
> +++ b/fs/nfs/Kconfig
> @@ -131,6 +131,22 @@ config NFS_V4_1_IMPLEMENTATION_ID_DOMAIN
>  	  If the NFS client is unchanged from the upstream kernel, this
>  	  option should be set to the default "kernel.org".
>  
> +config NFS_V4_SECURITY_LABEL
> +	bool "Provide Security Label support for NFSv4 client"
> +	depends on NFS_V4 && SECURITY
> +	help
> +
> +	Say Y here if you want enable fine-grained security label attribute
> +	support for NFS version 4.  Security labels allow security modules like
> +	SELinux and Smack to label files to facilitate enforcement of their policies.
> +	Without this an NFSv4 mount will have the same label on each file.
> +
> +	If you do not wish to enable fine-grained security labels SELinux or
> +	Smack policies on NFSv4 files, say N.

Here and below we also need some warning abouot the current state of
this: we definitely want to warn any distro that might be tempted to
turn this on by default that there's still a chance of
backwards-incompatible protocol changes.

--b.

> +
> +
> +	  If unsure, say N.
> +
>  config ROOT_NFS
>  	bool "Root file system on NFS"
>  	depends on NFS_FS=y && IP_PNP
> diff --git a/fs/nfsd/Kconfig b/fs/nfsd/Kconfig
> index 8df1ea4..75ba894 100644
> --- a/fs/nfsd/Kconfig
> +++ b/fs/nfsd/Kconfig
> @@ -81,6 +81,19 @@ config NFSD_V4
>  
>  	  If unsure, say N.
>  
> +config NFSD_V4_SECURITY_LABEL
> +	bool "Provide Security Label support for NFSv4 server"
> +	depends on NFSD_V4 && SECURITY
> +	help
> +
> +	Say Y here if you want enable fine-grained security label attribute
> +	support for NFS version 4.  Security labels allow security modules like
> +	SELinux and Smack to label files to facilitate enforcement of their policies.
> +	Without this an NFSv4 mount will have the same label on each file.
> +
> +	If you do not wish to enable fine-grained security labels SELinux or
> +	Smack policies on NFSv4 files, say N.
> +
>  config NFSD_FAULT_INJECTION
>  	bool "NFS server manual fault injection"
>  	depends on NFSD_V4 && DEBUG_KERNEL
> -- 
> 1.7.11.7
> 

Re: [PATCH 05/13] KConfig: Add KConfig entries for Labeled NFS

[Dave Quigley]

On 11/12/2012 9:45 AM, J. Bruce Fields wrote:
> On Mon, Nov 12, 2012 at 01:15:39AM -0500, David Quigley wrote:
>> From: David Quigley <dpquigl@davequigley.com>
>>
>> This patch adds two entries into the fs/KConfig file. The first entry
>> NFS_V4_SECURITY_LABEL enables security label support for the NFSv4 client while
>> the second entry NFSD_V4_SECURITY_LABEL enables security labeling support on
>> the server side.
>>
>> Signed-off-by: Matthew N. Dodd <Matthew.Dodd@sparta.com>
>> Signed-off-by: Miguel Rodel Felipe <Rodel_FM@dsi.a-star.edu.sg>
>> Signed-off-by: Phua Eu Gene <PHUA_Eu_Gene@dsi.a-star.edu.sg>
>> Signed-off-by: Khin Mi Mi Aung <Mi_Mi_AUNG@dsi.a-star.edu.sg>
>> Signed-off-by: David Quigley <dpquigl@davequigley.com>
>> ---
>>   fs/nfs/Kconfig  | 16 ++++++++++++++++
>>   fs/nfsd/Kconfig | 13 +++++++++++++
>>   2 files changed, 29 insertions(+)
>>
>> diff --git a/fs/nfs/Kconfig b/fs/nfs/Kconfig
>> index 13ca196..0077197 100644
>> --- a/fs/nfs/Kconfig
>> +++ b/fs/nfs/Kconfig
>> @@ -131,6 +131,22 @@ config NFS_V4_1_IMPLEMENTATION_ID_DOMAIN
>>   	  If the NFS client is unchanged from the upstream kernel, this
>>   	  option should be set to the default "kernel.org".
>>
>> +config NFS_V4_SECURITY_LABEL
>> +	bool "Provide Security Label support for NFSv4 client"
>> +	depends on NFS_V4 && SECURITY
>> +	help
>> +
>> +	Say Y here if you want enable fine-grained security label attribute
>> +	support for NFS version 4.  Security labels allow security modules like
>> +	SELinux and Smack to label files to facilitate enforcement of their policies.
>> +	Without this an NFSv4 mount will have the same label on each file.
>> +
>> +	If you do not wish to enable fine-grained security labels SELinux or
>> +	Smack policies on NFSv4 files, say N.
>
> Here and below we also need some warning abouot the current state of
> this: we definitely want to warn any distro that might be tempted to
> turn this on by default that there's still a chance of
> backwards-incompatible protocol changes.
>
> --b.
>

Sounds good to me I'll make sure to include that.

>> +
>> +
>> +	  If unsure, say N.
>> +
>>   config ROOT_NFS
>>   	bool "Root file system on NFS"
>>   	depends on NFS_FS=y && IP_PNP
>> diff --git a/fs/nfsd/Kconfig b/fs/nfsd/Kconfig
>> index 8df1ea4..75ba894 100644
>> --- a/fs/nfsd/Kconfig
>> +++ b/fs/nfsd/Kconfig
>> @@ -81,6 +81,19 @@ config NFSD_V4
>>
>>   	  If unsure, say N.
>>
>> +config NFSD_V4_SECURITY_LABEL
>> +	bool "Provide Security Label support for NFSv4 server"
>> +	depends on NFSD_V4 && SECURITY
>> +	help
>> +
>> +	Say Y here if you want enable fine-grained security label attribute
>> +	support for NFS version 4.  Security labels allow security modules like
>> +	SELinux and Smack to label files to facilitate enforcement of their policies.
>> +	Without this an NFSv4 mount will have the same label on each file.
>> +
>> +	If you do not wish to enable fine-grained security labels SELinux or
>> +	Smack policies on NFSv4 files, say N.
>> +
>>   config NFSD_FAULT_INJECTION
>>   	bool "NFS server manual fault injection"
>>   	depends on NFSD_V4 && DEBUG_KERNEL
>> --
>> 1.7.11.7
>>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

Re: [PATCH 05/13] KConfig: Add KConfig entries for Labeled NFS

[Dave Quigley]

On 11/12/2012 9:45 AM, J. Bruce Fields wrote:
> On Mon, Nov 12, 2012 at 01:15:39AM -0500, David Quigley wrote:
>> From: David Quigley <dpquigl@davequigley.com>
>>
>> This patch adds two entries into the fs/KConfig file. The first entry
>> NFS_V4_SECURITY_LABEL enables security label support for the NFSv4 client while
>> the second entry NFSD_V4_SECURITY_LABEL enables security labeling support on
>> the server side.
>>
>> Signed-off-by: Matthew N. Dodd <Matthew.Dodd@sparta.com>
>> Signed-off-by: Miguel Rodel Felipe <Rodel_FM@dsi.a-star.edu.sg>
>> Signed-off-by: Phua Eu Gene <PHUA_Eu_Gene@dsi.a-star.edu.sg>
>> Signed-off-by: Khin Mi Mi Aung <Mi_Mi_AUNG@dsi.a-star.edu.sg>
>> Signed-off-by: David Quigley <dpquigl@davequigley.com>
>> ---
>>   fs/nfs/Kconfig  | 16 ++++++++++++++++
>>   fs/nfsd/Kconfig | 13 +++++++++++++
>>   2 files changed, 29 insertions(+)
>>
>> diff --git a/fs/nfs/Kconfig b/fs/nfs/Kconfig
>> index 13ca196..0077197 100644
>> --- a/fs/nfs/Kconfig
>> +++ b/fs/nfs/Kconfig
>> @@ -131,6 +131,22 @@ config NFS_V4_1_IMPLEMENTATION_ID_DOMAIN
>>   	  If the NFS client is unchanged from the upstream kernel, this
>>   	  option should be set to the default "kernel.org".
>>
>> +config NFS_V4_SECURITY_LABEL
>> +	bool "Provide Security Label support for NFSv4 client"
>> +	depends on NFS_V4 && SECURITY
>> +	help
>> +
>> +	Say Y here if you want enable fine-grained security label attribute
>> +	support for NFS version 4.  Security labels allow security modules like
>> +	SELinux and Smack to label files to facilitate enforcement of their policies.
>> +	Without this an NFSv4 mount will have the same label on each file.
>> +
>> +	If you do not wish to enable fine-grained security labels SELinux or
>> +	Smack policies on NFSv4 files, say N.
>
> Here and below we also need some warning abouot the current state of
> this: we definitely want to warn any distro that might be tempted to
> turn this on by default that there's still a chance of
> backwards-incompatible protocol changes.
>
> --b.
>

Sounds good to me I'll make sure to include that.

>> +
>> +
>> +	  If unsure, say N.
>> +
>>   config ROOT_NFS
>>   	bool "Root file system on NFS"
>>   	depends on NFS_FS=y && IP_PNP
>> diff --git a/fs/nfsd/Kconfig b/fs/nfsd/Kconfig
>> index 8df1ea4..75ba894 100644
>> --- a/fs/nfsd/Kconfig
>> +++ b/fs/nfsd/Kconfig
>> @@ -81,6 +81,19 @@ config NFSD_V4
>>
>>   	  If unsure, say N.
>>
>> +config NFSD_V4_SECURITY_LABEL
>> +	bool "Provide Security Label support for NFSv4 server"
>> +	depends on NFSD_V4 && SECURITY
>> +	help
>> +
>> +	Say Y here if you want enable fine-grained security label attribute
>> +	support for NFS version 4.  Security labels allow security modules like
>> +	SELinux and Smack to label files to facilitate enforcement of their policies.
>> +	Without this an NFSv4 mount will have the same label on each file.
>> +
>> +	If you do not wish to enable fine-grained security labels SELinux or
>> +	Smack policies on NFSv4 files, say N.
>> +
>>   config NFSD_FAULT_INJECTION
>>   	bool "NFS server manual fault injection"
>>   	depends on NFSD_V4 && DEBUG_KERNEL
>> --
>> 1.7.11.7
>>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[PATCH 06/13] NFSv4: Add label recommended attribute and NFSv4 flags

[David Quigley]

From: David Quigley <dpquigl@davequigley.com>

This patch adds several new flags to allow the NFS client and server to
determine if this attribute is supported and if it is being sent over the wire.

Signed-off-by: Matthew N. Dodd <Matthew.Dodd@sparta.com>
Signed-off-by: Miguel Rodel Felipe <Rodel_FM@dsi.a-star.edu.sg>
Signed-off-by: Phua Eu Gene <PHUA_Eu_Gene@dsi.a-star.edu.sg>
Signed-off-by: Khin Mi Mi Aung <Mi_Mi_AUNG@dsi.a-star.edu.sg>
Signed-off-by: David Quigley <dpquigl@davequigley.com>
---
 fs/nfsd/nfsd.h                   | 8 ++++----
 include/linux/nfs4.h             | 1 +
 include/linux/nfs_fs_sb.h        | 1 +
 include/linux/nfs_xdr.h          | 5 ++++-
 include/uapi/linux/nfs4.h        | 1 +
 include/uapi/linux/nfsd/export.h | 5 +++--
 6 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/fs/nfsd/nfsd.h b/fs/nfsd/nfsd.h
index 80d5ce4..3a87cbb 100644
--- a/fs/nfsd/nfsd.h
+++ b/fs/nfsd/nfsd.h
@@ -322,10 +322,10 @@ extern time_t nfsd4_grace;
  | FATTR4_WORD1_OWNER	        | FATTR4_WORD1_OWNER_GROUP  | FATTR4_WORD1_RAWDEV           \
  | FATTR4_WORD1_SPACE_AVAIL     | FATTR4_WORD1_SPACE_FREE   | FATTR4_WORD1_SPACE_TOTAL      \
  | FATTR4_WORD1_SPACE_USED      | FATTR4_WORD1_TIME_ACCESS  | FATTR4_WORD1_TIME_ACCESS_SET  \
- | FATTR4_WORD1_TIME_DELTA   | FATTR4_WORD1_TIME_METADATA    \
- | FATTR4_WORD1_TIME_MODIFY     | FATTR4_WORD1_TIME_MODIFY_SET | FATTR4_WORD1_MOUNTED_ON_FILEID)
+ | FATTR4_WORD1_TIME_DELTA	| FATTR4_WORD1_TIME_METADATA | FATTR4_WORD1_TIME_MODIFY     \
+ | FATTR4_WORD1_TIME_MODIFY_SET | FATTR4_WORD1_MOUNTED_ON_FILEID)
 
-#define NFSD4_SUPPORTED_ATTRS_WORD2 0
+#define NFSD4_SUPPORTED_ATTRS_WORD2 FATTR4_WORD2_SECURITY_LABEL
 
 #define NFSD4_1_SUPPORTED_ATTRS_WORD0 \
 	NFSD4_SUPPORTED_ATTRS_WORD0
@@ -364,7 +364,7 @@ static inline u32 nfsd_suppattrs2(u32 minorversion)
 #define NFSD_WRITEABLE_ATTRS_WORD1 \
 	(FATTR4_WORD1_MODE | FATTR4_WORD1_OWNER | FATTR4_WORD1_OWNER_GROUP \
 	| FATTR4_WORD1_TIME_ACCESS_SET | FATTR4_WORD1_TIME_MODIFY_SET)
-#define NFSD_WRITEABLE_ATTRS_WORD2 0
+#define NFSD_WRITEABLE_ATTRS_WORD2 FATTR4_WORD2_SECURITY_LABEL
 
 #define NFSD_SUPPATTR_EXCLCREAT_WORD0 \
 	NFSD_WRITEABLE_ATTRS_WORD0
diff --git a/include/linux/nfs4.h b/include/linux/nfs4.h
index e111fa4..f9235b4 100644
--- a/include/linux/nfs4.h
+++ b/include/linux/nfs4.h
@@ -373,6 +373,7 @@ enum lock_type4 {
 #define FATTR4_WORD1_MOUNTED_ON_FILEID  (1UL << 23)
 #define FATTR4_WORD1_FS_LAYOUT_TYPES    (1UL << 30)
 #define FATTR4_WORD2_LAYOUT_BLKSIZE     (1UL << 1)
+#define FATTR4_WORD2_SECURITY_LABEL     (1UL << 17)
 #define FATTR4_WORD2_MDSTHRESHOLD       (1UL << 4)
 
 /* MDS threshold bitmap bits */
diff --git a/include/linux/nfs_fs_sb.h b/include/linux/nfs_fs_sb.h
index a9e76ee..a794715 100644
--- a/include/linux/nfs_fs_sb.h
+++ b/include/linux/nfs_fs_sb.h
@@ -197,6 +197,7 @@ struct nfs_server {
 #define NFS_CAP_MTIME		(1U << 13)
 #define NFS_CAP_POSIX_LOCK	(1U << 14)
 #define NFS_CAP_UIDGID_NOMAP	(1U << 15)
+#define NFS_CAP_SECURITY_LABEL	(1U << 16)
 
 
 /* maximum number of slots to use */
diff --git a/include/linux/nfs_xdr.h b/include/linux/nfs_xdr.h
index a73ea89..a0669d3 100644
--- a/include/linux/nfs_xdr.h
+++ b/include/linux/nfs_xdr.h
@@ -104,6 +104,7 @@ struct nfs_fattr {
 #define NFS_ATTR_FATTR_MOUNTED_ON_FILEID (1U << 22)
 #define NFS_ATTR_FATTR_OWNER_NAME	(1U << 23)
 #define NFS_ATTR_FATTR_GROUP_NAME	(1U << 24)
+#define NFS_ATTR_FATTR_V4_SECURITY_LABEL (1U << 25)
 
 #define NFS_ATTR_FATTR (NFS_ATTR_FATTR_TYPE \
 		| NFS_ATTR_FATTR_MODE \
@@ -123,7 +124,8 @@ struct nfs_fattr {
 #define NFS_ATTR_FATTR_V3 (NFS_ATTR_FATTR \
 		| NFS_ATTR_FATTR_SPACE_USED)
 #define NFS_ATTR_FATTR_V4 (NFS_ATTR_FATTR \
-		| NFS_ATTR_FATTR_SPACE_USED)
+		| NFS_ATTR_FATTR_SPACE_USED \
+		| NFS_ATTR_FATTR_V4_SECURITY_LABEL)
 
 /*
  * Info on the file system
@@ -600,6 +602,7 @@ struct nfs_entry {
 	int			eof;
 	struct nfs_fh *		fh;
 	struct nfs_fattr *	fattr;
+	struct nfs4_label	*label;
 	unsigned char		d_type;
 	struct nfs_server *	server;
 };
diff --git a/include/uapi/linux/nfs4.h b/include/uapi/linux/nfs4.h
index 788128e..dcc8582 100644
--- a/include/uapi/linux/nfs4.h
+++ b/include/uapi/linux/nfs4.h
@@ -25,6 +25,7 @@
 #define NFS4_MAXNAMLEN		NAME_MAX
 #define NFS4_OPAQUE_LIMIT	1024
 #define NFS4_MAX_SESSIONID_LEN	16
+#define NFS4_MAXLABELLEN	4096
 
 #define NFS4_ACCESS_READ        0x0001
 #define NFS4_ACCESS_LOOKUP      0x0002
diff --git a/include/uapi/linux/nfsd/export.h b/include/uapi/linux/nfsd/export.h
index cf47c31..e6c76d9 100644
--- a/include/uapi/linux/nfsd/export.h
+++ b/include/uapi/linux/nfsd/export.h
@@ -28,7 +28,8 @@
 #define NFSEXP_ALLSQUASH	0x0008
 #define NFSEXP_ASYNC		0x0010
 #define NFSEXP_GATHERED_WRITES	0x0020
-/* 40 80 100 currently unused */
+#define NFSEXP_SECURITY_LABEL	0x0040  /* Support security label fattr4 */
+/* 80 100 currently unused */
 #define NFSEXP_NOHIDE		0x0200
 #define NFSEXP_NOSUBTREECHECK	0x0400
 #define	NFSEXP_NOAUTHNLM	0x0800		/* Don't authenticate NLM requests - just trust */
@@ -47,7 +48,7 @@
  */
 #define	NFSEXP_V4ROOT		0x10000
 /* All flags that we claim to support.  (Note we don't support NOACL.) */
-#define NFSEXP_ALLFLAGS		0x17E3F
+#define NFSEXP_ALLFLAGS		0x17E7F
 
 /* The flags that may vary depending on security flavor: */
 #define NFSEXP_SECINFO_FLAGS	(NFSEXP_READONLY | NFSEXP_ROOTSQUASH \
-- 
1.7.11.7

[PATCH 06/13] NFSv4: Add label recommended attribute and NFSv4 flags

[David Quigley]

From: David Quigley <dpquigl@davequigley.com>

This patch adds several new flags to allow the NFS client and server to
determine if this attribute is supported and if it is being sent over the wire.

Signed-off-by: Matthew N. Dodd <Matthew.Dodd@sparta.com>
Signed-off-by: Miguel Rodel Felipe <Rodel_FM@dsi.a-star.edu.sg>
Signed-off-by: Phua Eu Gene <PHUA_Eu_Gene@dsi.a-star.edu.sg>
Signed-off-by: Khin Mi Mi Aung <Mi_Mi_AUNG@dsi.a-star.edu.sg>
Signed-off-by: David Quigley <dpquigl@davequigley.com>
---
 fs/nfsd/nfsd.h                   | 8 ++++----
 include/linux/nfs4.h             | 1 +
 include/linux/nfs_fs_sb.h        | 1 +
 include/linux/nfs_xdr.h          | 5 ++++-
 include/uapi/linux/nfs4.h        | 1 +
 include/uapi/linux/nfsd/export.h | 5 +++--
 6 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/fs/nfsd/nfsd.h b/fs/nfsd/nfsd.h
index 80d5ce4..3a87cbb 100644
--- a/fs/nfsd/nfsd.h
+++ b/fs/nfsd/nfsd.h
@@ -322,10 +322,10 @@ extern time_t nfsd4_grace;
  | FATTR4_WORD1_OWNER	        | FATTR4_WORD1_OWNER_GROUP  | FATTR4_WORD1_RAWDEV           \
  | FATTR4_WORD1_SPACE_AVAIL     | FATTR4_WORD1_SPACE_FREE   | FATTR4_WORD1_SPACE_TOTAL      \
  | FATTR4_WORD1_SPACE_USED      | FATTR4_WORD1_TIME_ACCESS  | FATTR4_WORD1_TIME_ACCESS_SET  \
- | FATTR4_WORD1_TIME_DELTA   | FATTR4_WORD1_TIME_METADATA    \
- | FATTR4_WORD1_TIME_MODIFY     | FATTR4_WORD1_TIME_MODIFY_SET | FATTR4_WORD1_MOUNTED_ON_FILEID)
+ | FATTR4_WORD1_TIME_DELTA	| FATTR4_WORD1_TIME_METADATA | FATTR4_WORD1_TIME_MODIFY     \
+ | FATTR4_WORD1_TIME_MODIFY_SET | FATTR4_WORD1_MOUNTED_ON_FILEID)
 
-#define NFSD4_SUPPORTED_ATTRS_WORD2 0
+#define NFSD4_SUPPORTED_ATTRS_WORD2 FATTR4_WORD2_SECURITY_LABEL
 
 #define NFSD4_1_SUPPORTED_ATTRS_WORD0 \
 	NFSD4_SUPPORTED_ATTRS_WORD0
@@ -364,7 +364,7 @@ static inline u32 nfsd_suppattrs2(u32 minorversion)
 #define NFSD_WRITEABLE_ATTRS_WORD1 \
 	(FATTR4_WORD1_MODE | FATTR4_WORD1_OWNER | FATTR4_WORD1_OWNER_GROUP \
 	| FATTR4_WORD1_TIME_ACCESS_SET | FATTR4_WORD1_TIME_MODIFY_SET)
-#define NFSD_WRITEABLE_ATTRS_WORD2 0
+#define NFSD_WRITEABLE_ATTRS_WORD2 FATTR4_WORD2_SECURITY_LABEL
 
 #define NFSD_SUPPATTR_EXCLCREAT_WORD0 \
 	NFSD_WRITEABLE_ATTRS_WORD0
diff --git a/include/linux/nfs4.h b/include/linux/nfs4.h
index e111fa4..f9235b4 100644
--- a/include/linux/nfs4.h
+++ b/include/linux/nfs4.h
@@ -373,6 +373,7 @@ enum lock_type4 {
 #define FATTR4_WORD1_MOUNTED_ON_FILEID  (1UL << 23)
 #define FATTR4_WORD1_FS_LAYOUT_TYPES    (1UL << 30)
 #define FATTR4_WORD2_LAYOUT_BLKSIZE     (1UL << 1)
+#define FATTR4_WORD2_SECURITY_LABEL     (1UL << 17)
 #define FATTR4_WORD2_MDSTHRESHOLD       (1UL << 4)
 
 /* MDS threshold bitmap bits */
diff --git a/include/linux/nfs_fs_sb.h b/include/linux/nfs_fs_sb.h
index a9e76ee..a794715 100644
--- a/include/linux/nfs_fs_sb.h
+++ b/include/linux/nfs_fs_sb.h
@@ -197,6 +197,7 @@ struct nfs_server {
 #define NFS_CAP_MTIME		(1U << 13)
 #define NFS_CAP_POSIX_LOCK	(1U << 14)
 #define NFS_CAP_UIDGID_NOMAP	(1U << 15)
+#define NFS_CAP_SECURITY_LABEL	(1U << 16)
 
 
 /* maximum number of slots to use */
diff --git a/include/linux/nfs_xdr.h b/include/linux/nfs_xdr.h
index a73ea89..a0669d3 100644
--- a/include/linux/nfs_xdr.h
+++ b/include/linux/nfs_xdr.h
@@ -104,6 +104,7 @@ struct nfs_fattr {
 #define NFS_ATTR_FATTR_MOUNTED_ON_FILEID (1U << 22)
 #define NFS_ATTR_FATTR_OWNER_NAME	(1U << 23)
 #define NFS_ATTR_FATTR_GROUP_NAME	(1U << 24)
+#define NFS_ATTR_FATTR_V4_SECURITY_LABEL (1U << 25)
 
 #define NFS_ATTR_FATTR (NFS_ATTR_FATTR_TYPE \
 		| NFS_ATTR_FATTR_MODE \
@@ -123,7 +124,8 @@ struct nfs_fattr {
 #define NFS_ATTR_FATTR_V3 (NFS_ATTR_FATTR \
 		| NFS_ATTR_FATTR_SPACE_USED)
 #define NFS_ATTR_FATTR_V4 (NFS_ATTR_FATTR \
-		| NFS_ATTR_FATTR_SPACE_USED)
+		| NFS_ATTR_FATTR_SPACE_USED \
+		| NFS_ATTR_FATTR_V4_SECURITY_LABEL)
 
 /*
  * Info on the file system
@@ -600,6 +602,7 @@ struct nfs_entry {
 	int			eof;
 	struct nfs_fh *		fh;
 	struct nfs_fattr *	fattr;
+	struct nfs4_label	*label;
 	unsigned char		d_type;
 	struct nfs_server *	server;
 };
diff --git a/include/uapi/linux/nfs4.h b/include/uapi/linux/nfs4.h
index 788128e..dcc8582 100644
--- a/include/uapi/linux/nfs4.h
+++ b/include/uapi/linux/nfs4.h
@@ -25,6 +25,7 @@
 #define NFS4_MAXNAMLEN		NAME_MAX
 #define NFS4_OPAQUE_LIMIT	1024
 #define NFS4_MAX_SESSIONID_LEN	16
+#define NFS4_MAXLABELLEN	4096
 
 #define NFS4_ACCESS_READ        0x0001
 #define NFS4_ACCESS_LOOKUP      0x0002
diff --git a/include/uapi/linux/nfsd/export.h b/include/uapi/linux/nfsd/export.h
index cf47c31..e6c76d9 100644
--- a/include/uapi/linux/nfsd/export.h
+++ b/include/uapi/linux/nfsd/export.h
@@ -28,7 +28,8 @@
 #define NFSEXP_ALLSQUASH	0x0008
 #define NFSEXP_ASYNC		0x0010
 #define NFSEXP_GATHERED_WRITES	0x0020
-/* 40 80 100 currently unused */
+#define NFSEXP_SECURITY_LABEL	0x0040  /* Support security label fattr4 */
+/* 80 100 currently unused */
 #define NFSEXP_NOHIDE		0x0200
 #define NFSEXP_NOSUBTREECHECK	0x0400
 #define	NFSEXP_NOAUTHNLM	0x0800		/* Don't authenticate NLM requests - just trust */
@@ -47,7 +48,7 @@
  */
 #define	NFSEXP_V4ROOT		0x10000
 /* All flags that we claim to support.  (Note we don't support NOACL.) */
-#define NFSEXP_ALLFLAGS		0x17E3F
+#define NFSEXP_ALLFLAGS		0x17E7F
 
 /* The flags that may vary depending on security flavor: */
 #define NFSEXP_SECINFO_FLAGS	(NFSEXP_READONLY | NFSEXP_ROOTSQUASH \
-- 
1.7.11.7


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[PATCH 07/13] NFSv4: Introduce new label structure

[David Quigley]

From: David Quigley <dpquigl@davequigley.com>

In order to mimic the way that NFSv4 ACLs are implemented we have created a
structure to be used to pass label data up and down the call chain. This patch
adds the new structure and new members to the required NFSv4 call structures.

Signed-off-by: Matthew N. Dodd <Matthew.Dodd@sparta.com>
Signed-off-by: Miguel Rodel Felipe <Rodel_FM@dsi.a-star.edu.sg>
Signed-off-by: Phua Eu Gene <PHUA_Eu_Gene@dsi.a-star.edu.sg>
Signed-off-by: Khin Mi Mi Aung <Mi_Mi_AUNG@dsi.a-star.edu.sg>
Signed-off-by: David Quigley <dpquigl@davequigley.com>
---
 fs/nfs/inode.c          | 40 ++++++++++++++++++++++++++++++++++++++++
 fs/nfsd/xdr4.h          |  3 +++
 include/linux/nfs4.h    |  8 ++++++++
 include/linux/nfs_fs.h  | 14 ++++++++++++++
 include/linux/nfs_xdr.h | 20 ++++++++++++++++++++
 5 files changed, 85 insertions(+)

diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c
index 5c7325c..0963ad9 100644
--- a/fs/nfs/inode.c
+++ b/fs/nfs/inode.c
@@ -246,6 +246,46 @@ nfs_init_locked(struct inode *inode, void *opaque)
 	return 0;
 }
 
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+struct nfs4_label *nfs4_label_alloc(gfp_t flags)
+{
+	struct nfs4_label *label = NULL;
+
+	label = kzalloc(sizeof(struct nfs4_label) + NFS4_MAXLABELLEN, flags);
+	if (label == NULL)
+		return NULL;
+
+	label->label = (void *)(label + 1);
+	label->len = NFS4_MAXLABELLEN;
+	/* 0 is the null format meaning that the data is not to be translated */
+	label->lfs = 0;
+	label->pi = 0;
+	return label;
+}
+EXPORT_SYMBOL_GPL(nfs4_label_alloc);
+
+void nfs4_label_init(struct nfs4_label *label)
+{
+	if (label && label->label) {
+		*(unsigned char *)label->label = 0;
+		label->len = NFS4_MAXLABELLEN;
+		/* 0 is the null format meaning that the data is not
+		to be translated */
+		label->lfs = 0;
+		label->pi = 0;
+	}
+	return;
+}
+EXPORT_SYMBOL_GPL(nfs4_label_init);
+
+void nfs4_label_free(struct nfs4_label *label)
+{
+	kfree(label);
+	return;
+}
+EXPORT_SYMBOL_GPL(nfs4_label_free);
+#endif
+
 /*
  * This is our front-end to iget that looks up inodes by file handle
  * instead of inode number.
diff --git a/fs/nfsd/xdr4.h b/fs/nfsd/xdr4.h
index acd127d..ca8f30b 100644
--- a/fs/nfsd/xdr4.h
+++ b/fs/nfsd/xdr4.h
@@ -118,6 +118,7 @@ struct nfsd4_create {
 	struct iattr	cr_iattr;           /* request */
 	struct nfsd4_change_info  cr_cinfo; /* response */
 	struct nfs4_acl *cr_acl;
+	struct nfs4_label *cr_label;
 };
 #define cr_linklen	u.link.namelen
 #define cr_linkname	u.link.name
@@ -246,6 +247,7 @@ struct nfsd4_open {
 	struct nfs4_file *op_file;          /* used during processing */
 	struct nfs4_ol_stateid *op_stp;	    /* used during processing */
 	struct nfs4_acl *op_acl;
+	struct nfs4_label *op_label;
 };
 #define op_iattr	iattr
 
@@ -330,6 +332,7 @@ struct nfsd4_setattr {
 	u32		sa_bmval[3];        /* request */
 	struct iattr	sa_iattr;           /* request */
 	struct nfs4_acl *sa_acl;
+	struct nfs4_label *sa_label;
 };
 
 struct nfsd4_setclientid {
diff --git a/include/linux/nfs4.h b/include/linux/nfs4.h
index f9235b4..862471f 100644
--- a/include/linux/nfs4.h
+++ b/include/linux/nfs4.h
@@ -28,6 +28,14 @@ struct nfs4_acl {
 	struct nfs4_ace	aces[0];
 };
 
+struct nfs4_label {
+	uint32_t	lfs;
+	uint32_t	pi;
+	u32		len;
+	void		*label;
+};
+
+
 typedef struct { char data[NFS4_VERIFIER_SIZE]; } nfs4_verifier;
 
 struct nfs_stateid4 {
diff --git a/include/linux/nfs_fs.h b/include/linux/nfs_fs.h
index 1cc2568..37a862c 100644
--- a/include/linux/nfs_fs.h
+++ b/include/linux/nfs_fs.h
@@ -489,6 +489,20 @@ extern int nfs_mountpoint_expiry_timeout;
 extern void nfs_release_automount_timer(void);
 
 /*
+ * linux/fs/nfs/nfs4proc.c
+ */
+
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+extern struct nfs4_label *nfs4_label_alloc(gfp_t flags);
+extern void nfs4_label_init(struct nfs4_label *);
+extern void nfs4_label_free(struct nfs4_label *);
+#else
+static inline struct nfs4_label *nfs4_label_alloc(gfp_t flags) { return NULL; }
+static inline void nfs4_label_init(struct nfs4_label *) {}
+static inline void nfs4_label_free(struct nfs4_label *label) {}
+#endif
+
+/*
  * linux/fs/nfs/unlink.c
  */
 extern void nfs_complete_unlink(struct dentry *dentry, struct inode *);
diff --git a/include/linux/nfs_xdr.h b/include/linux/nfs_xdr.h
index a0669d3..7e9347a 100644
--- a/include/linux/nfs_xdr.h
+++ b/include/linux/nfs_xdr.h
@@ -352,6 +352,7 @@ struct nfs_openargs {
 	const u32 *		bitmask;
 	const u32 *		open_bitmap;
 	__u32			claim;
+	const struct nfs4_label *label;
 	struct nfs4_sequence_args	seq_args;
 };
 
@@ -361,6 +362,7 @@ struct nfs_openres {
 	struct nfs4_change_info	cinfo;
 	__u32                   rflags;
 	struct nfs_fattr *      f_attr;
+	struct nfs4_label	*f_label;
 	struct nfs_seqid *	seqid;
 	const struct nfs_server *server;
 	fmode_t			delegation_type;
@@ -405,6 +407,7 @@ struct nfs_closeargs {
 struct nfs_closeres {
 	nfs4_stateid            stateid;
 	struct nfs_fattr *	fattr;
+	struct nfs4_label	*label;
 	struct nfs_seqid *	seqid;
 	const struct nfs_server *server;
 	struct nfs4_sequence_res	seq_res;
@@ -478,6 +481,7 @@ struct nfs4_delegreturnargs {
 
 struct nfs4_delegreturnres {
 	struct nfs_fattr * fattr;
+	struct nfs4_label	*label;
 	const struct nfs_server *server;
 	struct nfs4_sequence_res	seq_res;
 };
@@ -498,6 +502,7 @@ struct nfs_readargs {
 
 struct nfs_readres {
 	struct nfs_fattr *	fattr;
+	struct nfs4_label	*label;
 	__u32			count;
 	int                     eof;
 	struct nfs4_sequence_res	seq_res;
@@ -566,6 +571,7 @@ struct nfs_removeargs {
 struct nfs_removeres {
 	const struct nfs_server *server;
 	struct nfs_fattr	*dir_attr;
+	struct nfs4_label	*dir_label;
 	struct nfs4_change_info	cinfo;
 	struct nfs4_sequence_res 	seq_res;
 };
@@ -578,6 +584,8 @@ struct nfs_renameargs {
 	const struct nfs_fh		*new_dir;
 	const struct qstr		*old_name;
 	const struct qstr		*new_name;
+	const struct nfs4_label		*old_label;
+	const struct nfs4_label		*new_label;
 	struct nfs4_sequence_args	seq_args;
 };
 
@@ -585,8 +593,10 @@ struct nfs_renameres {
 	const struct nfs_server		*server;
 	struct nfs4_change_info		old_cinfo;
 	struct nfs_fattr		*old_fattr;
+	struct nfs4_label		*old_label;
 	struct nfs4_change_info		new_cinfo;
 	struct nfs_fattr		*new_fattr;
+	struct nfs4_label		*new_label;
 	struct nfs4_sequence_res	seq_res;
 };
 
@@ -634,6 +644,7 @@ struct nfs_setattrargs {
 	struct iattr *                  iap;
 	const struct nfs_server *	server; /* Needed for name mapping */
 	const u32 *			bitmask;
+	const struct nfs4_label		*label;
 	struct nfs4_sequence_args 	seq_args;
 };
 
@@ -669,6 +680,7 @@ struct nfs_getaclres {
 
 struct nfs_setattrres {
 	struct nfs_fattr *              fattr;
+	struct nfs4_label		*label;
 	const struct nfs_server *	server;
 	struct nfs4_sequence_res	seq_res;
 };
@@ -715,6 +727,7 @@ struct nfs3_setaclargs {
 struct nfs_diropok {
 	struct nfs_fh *		fh;
 	struct nfs_fattr *	fattr;
+	struct nfs4_label	*label;
 };
 
 struct nfs_readlinkargs {
@@ -844,6 +857,7 @@ struct nfs4_accessargs {
 struct nfs4_accessres {
 	const struct nfs_server *	server;
 	struct nfs_fattr *		fattr;
+	struct nfs4_label		*label;
 	u32				supported;
 	u32				access;
 	struct nfs4_sequence_res	seq_res;
@@ -866,6 +880,7 @@ struct nfs4_create_arg {
 	const struct iattr *		attrs;
 	const struct nfs_fh *		dir_fh;
 	const u32 *			bitmask;
+	const struct nfs4_label		*label;
 	struct nfs4_sequence_args 	seq_args;
 };
 
@@ -873,6 +888,7 @@ struct nfs4_create_res {
 	const struct nfs_server *	server;
 	struct nfs_fh *			fh;
 	struct nfs_fattr *		fattr;
+	struct nfs4_label		*label;
 	struct nfs4_change_info		dir_cinfo;
 	struct nfs4_sequence_res	seq_res;
 };
@@ -898,6 +914,7 @@ struct nfs4_getattr_res {
 	const struct nfs_server *	server;
 	struct nfs_fattr *		fattr;
 	struct nfs4_sequence_res	seq_res;
+	struct nfs4_label		*label;
 };
 
 struct nfs4_link_arg {
@@ -911,8 +928,10 @@ struct nfs4_link_arg {
 struct nfs4_link_res {
 	const struct nfs_server *	server;
 	struct nfs_fattr *		fattr;
+	struct nfs4_label		*label;
 	struct nfs4_change_info		cinfo;
 	struct nfs_fattr *		dir_attr;
+	struct nfs4_label		*dir_label;
 	struct nfs4_sequence_res	seq_res;
 };
 
@@ -928,6 +947,7 @@ struct nfs4_lookup_res {
 	const struct nfs_server *	server;
 	struct nfs_fattr *		fattr;
 	struct nfs_fh *			fh;
+	struct nfs4_label		*label;
 	struct nfs4_sequence_res	seq_res;
 };
 
-- 
1.7.11.7

[PATCH 07/13] NFSv4: Introduce new label structure

[David Quigley]

From: David Quigley <dpquigl@davequigley.com>

In order to mimic the way that NFSv4 ACLs are implemented we have created a
structure to be used to pass label data up and down the call chain. This patch
adds the new structure and new members to the required NFSv4 call structures.

Signed-off-by: Matthew N. Dodd <Matthew.Dodd@sparta.com>
Signed-off-by: Miguel Rodel Felipe <Rodel_FM@dsi.a-star.edu.sg>
Signed-off-by: Phua Eu Gene <PHUA_Eu_Gene@dsi.a-star.edu.sg>
Signed-off-by: Khin Mi Mi Aung <Mi_Mi_AUNG@dsi.a-star.edu.sg>
Signed-off-by: David Quigley <dpquigl@davequigley.com>
---
 fs/nfs/inode.c          | 40 ++++++++++++++++++++++++++++++++++++++++
 fs/nfsd/xdr4.h          |  3 +++
 include/linux/nfs4.h    |  8 ++++++++
 include/linux/nfs_fs.h  | 14 ++++++++++++++
 include/linux/nfs_xdr.h | 20 ++++++++++++++++++++
 5 files changed, 85 insertions(+)

diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c
index 5c7325c..0963ad9 100644
--- a/fs/nfs/inode.c
+++ b/fs/nfs/inode.c
@@ -246,6 +246,46 @@ nfs_init_locked(struct inode *inode, void *opaque)
 	return 0;
 }
 
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+struct nfs4_label *nfs4_label_alloc(gfp_t flags)
+{
+	struct nfs4_label *label = NULL;
+
+	label = kzalloc(sizeof(struct nfs4_label) + NFS4_MAXLABELLEN, flags);
+	if (label == NULL)
+		return NULL;
+
+	label->label = (void *)(label + 1);
+	label->len = NFS4_MAXLABELLEN;
+	/* 0 is the null format meaning that the data is not to be translated */
+	label->lfs = 0;
+	label->pi = 0;
+	return label;
+}
+EXPORT_SYMBOL_GPL(nfs4_label_alloc);
+
+void nfs4_label_init(struct nfs4_label *label)
+{
+	if (label && label->label) {
+		*(unsigned char *)label->label = 0;
+		label->len = NFS4_MAXLABELLEN;
+		/* 0 is the null format meaning that the data is not
+		to be translated */
+		label->lfs = 0;
+		label->pi = 0;
+	}
+	return;
+}
+EXPORT_SYMBOL_GPL(nfs4_label_init);
+
+void nfs4_label_free(struct nfs4_label *label)
+{
+	kfree(label);
+	return;
+}
+EXPORT_SYMBOL_GPL(nfs4_label_free);
+#endif
+
 /*
  * This is our front-end to iget that looks up inodes by file handle
  * instead of inode number.
diff --git a/fs/nfsd/xdr4.h b/fs/nfsd/xdr4.h
index acd127d..ca8f30b 100644
--- a/fs/nfsd/xdr4.h
+++ b/fs/nfsd/xdr4.h
@@ -118,6 +118,7 @@ struct nfsd4_create {
 	struct iattr	cr_iattr;           /* request */
 	struct nfsd4_change_info  cr_cinfo; /* response */
 	struct nfs4_acl *cr_acl;
+	struct nfs4_label *cr_label;
 };
 #define cr_linklen	u.link.namelen
 #define cr_linkname	u.link.name
@@ -246,6 +247,7 @@ struct nfsd4_open {
 	struct nfs4_file *op_file;          /* used during processing */
 	struct nfs4_ol_stateid *op_stp;	    /* used during processing */
 	struct nfs4_acl *op_acl;
+	struct nfs4_label *op_label;
 };
 #define op_iattr	iattr
 
@@ -330,6 +332,7 @@ struct nfsd4_setattr {
 	u32		sa_bmval[3];        /* request */
 	struct iattr	sa_iattr;           /* request */
 	struct nfs4_acl *sa_acl;
+	struct nfs4_label *sa_label;
 };
 
 struct nfsd4_setclientid {
diff --git a/include/linux/nfs4.h b/include/linux/nfs4.h
index f9235b4..862471f 100644
--- a/include/linux/nfs4.h
+++ b/include/linux/nfs4.h
@@ -28,6 +28,14 @@ struct nfs4_acl {
 	struct nfs4_ace	aces[0];
 };
 
+struct nfs4_label {
+	uint32_t	lfs;
+	uint32_t	pi;
+	u32		len;
+	void		*label;
+};
+
+
 typedef struct { char data[NFS4_VERIFIER_SIZE]; } nfs4_verifier;
 
 struct nfs_stateid4 {
diff --git a/include/linux/nfs_fs.h b/include/linux/nfs_fs.h
index 1cc2568..37a862c 100644
--- a/include/linux/nfs_fs.h
+++ b/include/linux/nfs_fs.h
@@ -489,6 +489,20 @@ extern int nfs_mountpoint_expiry_timeout;
 extern void nfs_release_automount_timer(void);
 
 /*
+ * linux/fs/nfs/nfs4proc.c
+ */
+
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+extern struct nfs4_label *nfs4_label_alloc(gfp_t flags);
+extern void nfs4_label_init(struct nfs4_label *);
+extern void nfs4_label_free(struct nfs4_label *);
+#else
+static inline struct nfs4_label *nfs4_label_alloc(gfp_t flags) { return NULL; }
+static inline void nfs4_label_init(struct nfs4_label *) {}
+static inline void nfs4_label_free(struct nfs4_label *label) {}
+#endif
+
+/*
  * linux/fs/nfs/unlink.c
  */
 extern void nfs_complete_unlink(struct dentry *dentry, struct inode *);
diff --git a/include/linux/nfs_xdr.h b/include/linux/nfs_xdr.h
index a0669d3..7e9347a 100644
--- a/include/linux/nfs_xdr.h
+++ b/include/linux/nfs_xdr.h
@@ -352,6 +352,7 @@ struct nfs_openargs {
 	const u32 *		bitmask;
 	const u32 *		open_bitmap;
 	__u32			claim;
+	const struct nfs4_label *label;
 	struct nfs4_sequence_args	seq_args;
 };
 
@@ -361,6 +362,7 @@ struct nfs_openres {
 	struct nfs4_change_info	cinfo;
 	__u32                   rflags;
 	struct nfs_fattr *      f_attr;
+	struct nfs4_label	*f_label;
 	struct nfs_seqid *	seqid;
 	const struct nfs_server *server;
 	fmode_t			delegation_type;
@@ -405,6 +407,7 @@ struct nfs_closeargs {
 struct nfs_closeres {
 	nfs4_stateid            stateid;
 	struct nfs_fattr *	fattr;
+	struct nfs4_label	*label;
 	struct nfs_seqid *	seqid;
 	const struct nfs_server *server;
 	struct nfs4_sequence_res	seq_res;
@@ -478,6 +481,7 @@ struct nfs4_delegreturnargs {
 
 struct nfs4_delegreturnres {
 	struct nfs_fattr * fattr;
+	struct nfs4_label	*label;
 	const struct nfs_server *server;
 	struct nfs4_sequence_res	seq_res;
 };
@@ -498,6 +502,7 @@ struct nfs_readargs {
 
 struct nfs_readres {
 	struct nfs_fattr *	fattr;
+	struct nfs4_label	*label;
 	__u32			count;
 	int                     eof;
 	struct nfs4_sequence_res	seq_res;
@@ -566,6 +571,7 @@ struct nfs_removeargs {
 struct nfs_removeres {
 	const struct nfs_server *server;
 	struct nfs_fattr	*dir_attr;
+	struct nfs4_label	*dir_label;
 	struct nfs4_change_info	cinfo;
 	struct nfs4_sequence_res 	seq_res;
 };
@@ -578,6 +584,8 @@ struct nfs_renameargs {
 	const struct nfs_fh		*new_dir;
 	const struct qstr		*old_name;
 	const struct qstr		*new_name;
+	const struct nfs4_label		*old_label;
+	const struct nfs4_label		*new_label;
 	struct nfs4_sequence_args	seq_args;
 };
 
@@ -585,8 +593,10 @@ struct nfs_renameres {
 	const struct nfs_server		*server;
 	struct nfs4_change_info		old_cinfo;
 	struct nfs_fattr		*old_fattr;
+	struct nfs4_label		*old_label;
 	struct nfs4_change_info		new_cinfo;
 	struct nfs_fattr		*new_fattr;
+	struct nfs4_label		*new_label;
 	struct nfs4_sequence_res	seq_res;
 };
 
@@ -634,6 +644,7 @@ struct nfs_setattrargs {
 	struct iattr *                  iap;
 	const struct nfs_server *	server; /* Needed for name mapping */
 	const u32 *			bitmask;
+	const struct nfs4_label		*label;
 	struct nfs4_sequence_args 	seq_args;
 };
 
@@ -669,6 +680,7 @@ struct nfs_getaclres {
 
 struct nfs_setattrres {
 	struct nfs_fattr *              fattr;
+	struct nfs4_label		*label;
 	const struct nfs_server *	server;
 	struct nfs4_sequence_res	seq_res;
 };
@@ -715,6 +727,7 @@ struct nfs3_setaclargs {
 struct nfs_diropok {
 	struct nfs_fh *		fh;
 	struct nfs_fattr *	fattr;
+	struct nfs4_label	*label;
 };
 
 struct nfs_readlinkargs {
@@ -844,6 +857,7 @@ struct nfs4_accessargs {
 struct nfs4_accessres {
 	const struct nfs_server *	server;
 	struct nfs_fattr *		fattr;
+	struct nfs4_label		*label;
 	u32				supported;
 	u32				access;
 	struct nfs4_sequence_res	seq_res;
@@ -866,6 +880,7 @@ struct nfs4_create_arg {
 	const struct iattr *		attrs;
 	const struct nfs_fh *		dir_fh;
 	const u32 *			bitmask;
+	const struct nfs4_label		*label;
 	struct nfs4_sequence_args 	seq_args;
 };
 
@@ -873,6 +888,7 @@ struct nfs4_create_res {
 	const struct nfs_server *	server;
 	struct nfs_fh *			fh;
 	struct nfs_fattr *		fattr;
+	struct nfs4_label		*label;
 	struct nfs4_change_info		dir_cinfo;
 	struct nfs4_sequence_res	seq_res;
 };
@@ -898,6 +914,7 @@ struct nfs4_getattr_res {
 	const struct nfs_server *	server;
 	struct nfs_fattr *		fattr;
 	struct nfs4_sequence_res	seq_res;
+	struct nfs4_label		*label;
 };
 
 struct nfs4_link_arg {
@@ -911,8 +928,10 @@ struct nfs4_link_arg {
 struct nfs4_link_res {
 	const struct nfs_server *	server;
 	struct nfs_fattr *		fattr;
+	struct nfs4_label		*label;
 	struct nfs4_change_info		cinfo;
 	struct nfs_fattr *		dir_attr;
+	struct nfs4_label		*dir_label;
 	struct nfs4_sequence_res	seq_res;
 };
 
@@ -928,6 +947,7 @@ struct nfs4_lookup_res {
 	const struct nfs_server *	server;
 	struct nfs_fattr *		fattr;
 	struct nfs_fh *			fh;
+	struct nfs4_label		*label;
 	struct nfs4_sequence_res	seq_res;
 };
 
-- 
1.7.11.7


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH 07/13] NFSv4: Introduce new label structure

[J. Bruce Fields]

On Mon, Nov 12, 2012 at 01:15:41AM -0500, David Quigley wrote:
> From: David Quigley <dpquigl@davequigley.com>
> 
> In order to mimic the way that NFSv4 ACLs are implemented we have created a
> structure to be used to pass label data up and down the call chain. This patch
> adds the new structure and new members to the required NFSv4 call structures.
> 
> Signed-off-by: Matthew N. Dodd <Matthew.Dodd@sparta.com>
> Signed-off-by: Miguel Rodel Felipe <Rodel_FM@dsi.a-star.edu.sg>
> Signed-off-by: Phua Eu Gene <PHUA_Eu_Gene@dsi.a-star.edu.sg>
> Signed-off-by: Khin Mi Mi Aung <Mi_Mi_AUNG@dsi.a-star.edu.sg>
> Signed-off-by: David Quigley <dpquigl@davequigley.com>
> ---
>  fs/nfs/inode.c          | 40 ++++++++++++++++++++++++++++++++++++++++
>  fs/nfsd/xdr4.h          |  3 +++
>  include/linux/nfs4.h    |  8 ++++++++
>  include/linux/nfs_fs.h  | 14 ++++++++++++++
>  include/linux/nfs_xdr.h | 20 ++++++++++++++++++++
>  5 files changed, 85 insertions(+)
> 
> diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c
> index 5c7325c..0963ad9 100644
> --- a/fs/nfs/inode.c
> +++ b/fs/nfs/inode.c
> @@ -246,6 +246,46 @@ nfs_init_locked(struct inode *inode, void *opaque)
>  	return 0;
>  }
>  
> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
> +struct nfs4_label *nfs4_label_alloc(gfp_t flags)
> +{
> +	struct nfs4_label *label = NULL;
> +
> +	label = kzalloc(sizeof(struct nfs4_label) + NFS4_MAXLABELLEN, flags);

NFS4_MAXLABELLEN is 4096, but we usually try to avoid allocating more
than that in a single allocation.

> +	if (label == NULL)
> +		return NULL;
> +
> +	label->label = (void *)(label + 1);
> +	label->len = NFS4_MAXLABELLEN;
> +	/* 0 is the null format meaning that the data is not to be translated */
> +	label->lfs = 0;
> +	label->pi = 0;

What's "pi"?

--b.

> +	return label;
> +}
> +EXPORT_SYMBOL_GPL(nfs4_label_alloc);
> +
> +void nfs4_label_init(struct nfs4_label *label)
> +{
> +	if (label && label->label) {
> +		*(unsigned char *)label->label = 0;
> +		label->len = NFS4_MAXLABELLEN;
> +		/* 0 is the null format meaning that the data is not
> +		to be translated */
> +		label->lfs = 0;
> +		label->pi = 0;
> +	}
> +	return;
> +}
> +EXPORT_SYMBOL_GPL(nfs4_label_init);
> +
> +void nfs4_label_free(struct nfs4_label *label)
> +{
> +	kfree(label);
> +	return;
> +}
> +EXPORT_SYMBOL_GPL(nfs4_label_free);
> +#endif
> +
>  /*
>   * This is our front-end to iget that looks up inodes by file handle
>   * instead of inode number.
> diff --git a/fs/nfsd/xdr4.h b/fs/nfsd/xdr4.h
> index acd127d..ca8f30b 100644
> --- a/fs/nfsd/xdr4.h
> +++ b/fs/nfsd/xdr4.h
> @@ -118,6 +118,7 @@ struct nfsd4_create {
>  	struct iattr	cr_iattr;           /* request */
>  	struct nfsd4_change_info  cr_cinfo; /* response */
>  	struct nfs4_acl *cr_acl;
> +	struct nfs4_label *cr_label;
>  };
>  #define cr_linklen	u.link.namelen
>  #define cr_linkname	u.link.name
> @@ -246,6 +247,7 @@ struct nfsd4_open {
>  	struct nfs4_file *op_file;          /* used during processing */
>  	struct nfs4_ol_stateid *op_stp;	    /* used during processing */
>  	struct nfs4_acl *op_acl;
> +	struct nfs4_label *op_label;
>  };
>  #define op_iattr	iattr
>  
> @@ -330,6 +332,7 @@ struct nfsd4_setattr {
>  	u32		sa_bmval[3];        /* request */
>  	struct iattr	sa_iattr;           /* request */
>  	struct nfs4_acl *sa_acl;
> +	struct nfs4_label *sa_label;
>  };
>  
>  struct nfsd4_setclientid {
> diff --git a/include/linux/nfs4.h b/include/linux/nfs4.h
> index f9235b4..862471f 100644
> --- a/include/linux/nfs4.h
> +++ b/include/linux/nfs4.h
> @@ -28,6 +28,14 @@ struct nfs4_acl {
>  	struct nfs4_ace	aces[0];
>  };
>  
> +struct nfs4_label {
> +	uint32_t	lfs;
> +	uint32_t	pi;
> +	u32		len;
> +	void		*label;
> +};
> +
> +
>  typedef struct { char data[NFS4_VERIFIER_SIZE]; } nfs4_verifier;
>  
>  struct nfs_stateid4 {
> diff --git a/include/linux/nfs_fs.h b/include/linux/nfs_fs.h
> index 1cc2568..37a862c 100644
> --- a/include/linux/nfs_fs.h
> +++ b/include/linux/nfs_fs.h
> @@ -489,6 +489,20 @@ extern int nfs_mountpoint_expiry_timeout;
>  extern void nfs_release_automount_timer(void);
>  
>  /*
> + * linux/fs/nfs/nfs4proc.c
> + */
> +
> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
> +extern struct nfs4_label *nfs4_label_alloc(gfp_t flags);
> +extern void nfs4_label_init(struct nfs4_label *);
> +extern void nfs4_label_free(struct nfs4_label *);
> +#else
> +static inline struct nfs4_label *nfs4_label_alloc(gfp_t flags) { return NULL; }
> +static inline void nfs4_label_init(struct nfs4_label *) {}
> +static inline void nfs4_label_free(struct nfs4_label *label) {}
> +#endif
> +
> +/*
>   * linux/fs/nfs/unlink.c
>   */
>  extern void nfs_complete_unlink(struct dentry *dentry, struct inode *);
> diff --git a/include/linux/nfs_xdr.h b/include/linux/nfs_xdr.h
> index a0669d3..7e9347a 100644
> --- a/include/linux/nfs_xdr.h
> +++ b/include/linux/nfs_xdr.h
> @@ -352,6 +352,7 @@ struct nfs_openargs {
>  	const u32 *		bitmask;
>  	const u32 *		open_bitmap;
>  	__u32			claim;
> +	const struct nfs4_label *label;
>  	struct nfs4_sequence_args	seq_args;
>  };
>  
> @@ -361,6 +362,7 @@ struct nfs_openres {
>  	struct nfs4_change_info	cinfo;
>  	__u32                   rflags;
>  	struct nfs_fattr *      f_attr;
> +	struct nfs4_label	*f_label;
>  	struct nfs_seqid *	seqid;
>  	const struct nfs_server *server;
>  	fmode_t			delegation_type;
> @@ -405,6 +407,7 @@ struct nfs_closeargs {
>  struct nfs_closeres {
>  	nfs4_stateid            stateid;
>  	struct nfs_fattr *	fattr;
> +	struct nfs4_label	*label;
>  	struct nfs_seqid *	seqid;
>  	const struct nfs_server *server;
>  	struct nfs4_sequence_res	seq_res;
> @@ -478,6 +481,7 @@ struct nfs4_delegreturnargs {
>  
>  struct nfs4_delegreturnres {
>  	struct nfs_fattr * fattr;
> +	struct nfs4_label	*label;
>  	const struct nfs_server *server;
>  	struct nfs4_sequence_res	seq_res;
>  };
> @@ -498,6 +502,7 @@ struct nfs_readargs {
>  
>  struct nfs_readres {
>  	struct nfs_fattr *	fattr;
> +	struct nfs4_label	*label;
>  	__u32			count;
>  	int                     eof;
>  	struct nfs4_sequence_res	seq_res;
> @@ -566,6 +571,7 @@ struct nfs_removeargs {
>  struct nfs_removeres {
>  	const struct nfs_server *server;
>  	struct nfs_fattr	*dir_attr;
> +	struct nfs4_label	*dir_label;
>  	struct nfs4_change_info	cinfo;
>  	struct nfs4_sequence_res 	seq_res;
>  };
> @@ -578,6 +584,8 @@ struct nfs_renameargs {
>  	const struct nfs_fh		*new_dir;
>  	const struct qstr		*old_name;
>  	const struct qstr		*new_name;
> +	const struct nfs4_label		*old_label;
> +	const struct nfs4_label		*new_label;
>  	struct nfs4_sequence_args	seq_args;
>  };
>  
> @@ -585,8 +593,10 @@ struct nfs_renameres {
>  	const struct nfs_server		*server;
>  	struct nfs4_change_info		old_cinfo;
>  	struct nfs_fattr		*old_fattr;
> +	struct nfs4_label		*old_label;
>  	struct nfs4_change_info		new_cinfo;
>  	struct nfs_fattr		*new_fattr;
> +	struct nfs4_label		*new_label;
>  	struct nfs4_sequence_res	seq_res;
>  };
>  
> @@ -634,6 +644,7 @@ struct nfs_setattrargs {
>  	struct iattr *                  iap;
>  	const struct nfs_server *	server; /* Needed for name mapping */
>  	const u32 *			bitmask;
> +	const struct nfs4_label		*label;
>  	struct nfs4_sequence_args 	seq_args;
>  };
>  
> @@ -669,6 +680,7 @@ struct nfs_getaclres {
>  
>  struct nfs_setattrres {
>  	struct nfs_fattr *              fattr;
> +	struct nfs4_label		*label;
>  	const struct nfs_server *	server;
>  	struct nfs4_sequence_res	seq_res;
>  };
> @@ -715,6 +727,7 @@ struct nfs3_setaclargs {
>  struct nfs_diropok {
>  	struct nfs_fh *		fh;
>  	struct nfs_fattr *	fattr;
> +	struct nfs4_label	*label;
>  };
>  
>  struct nfs_readlinkargs {
> @@ -844,6 +857,7 @@ struct nfs4_accessargs {
>  struct nfs4_accessres {
>  	const struct nfs_server *	server;
>  	struct nfs_fattr *		fattr;
> +	struct nfs4_label		*label;
>  	u32				supported;
>  	u32				access;
>  	struct nfs4_sequence_res	seq_res;
> @@ -866,6 +880,7 @@ struct nfs4_create_arg {
>  	const struct iattr *		attrs;
>  	const struct nfs_fh *		dir_fh;
>  	const u32 *			bitmask;
> +	const struct nfs4_label		*label;
>  	struct nfs4_sequence_args 	seq_args;
>  };
>  
> @@ -873,6 +888,7 @@ struct nfs4_create_res {
>  	const struct nfs_server *	server;
>  	struct nfs_fh *			fh;
>  	struct nfs_fattr *		fattr;
> +	struct nfs4_label		*label;
>  	struct nfs4_change_info		dir_cinfo;
>  	struct nfs4_sequence_res	seq_res;
>  };
> @@ -898,6 +914,7 @@ struct nfs4_getattr_res {
>  	const struct nfs_server *	server;
>  	struct nfs_fattr *		fattr;
>  	struct nfs4_sequence_res	seq_res;
> +	struct nfs4_label		*label;
>  };
>  
>  struct nfs4_link_arg {
> @@ -911,8 +928,10 @@ struct nfs4_link_arg {
>  struct nfs4_link_res {
>  	const struct nfs_server *	server;
>  	struct nfs_fattr *		fattr;
> +	struct nfs4_label		*label;
>  	struct nfs4_change_info		cinfo;
>  	struct nfs_fattr *		dir_attr;
> +	struct nfs4_label		*dir_label;
>  	struct nfs4_sequence_res	seq_res;
>  };
>  
> @@ -928,6 +947,7 @@ struct nfs4_lookup_res {
>  	const struct nfs_server *	server;
>  	struct nfs_fattr *		fattr;
>  	struct nfs_fh *			fh;
> +	struct nfs4_label		*label;
>  	struct nfs4_sequence_res	seq_res;
>  };
>  
> -- 
> 1.7.11.7
> 

Re: [PATCH 07/13] NFSv4: Introduce new label structure

[David P. Quigley]

On 11/12/2012 10:13 AM, J. Bruce Fields wrote:
> On Mon, Nov 12, 2012 at 01:15:41AM -0500, David Quigley wrote:
>> From: David Quigley<dpquigl@davequigley.com>
>>
>> In order to mimic the way that NFSv4 ACLs are implemented we have created a
>> structure to be used to pass label data up and down the call chain. This patch
>> adds the new structure and new members to the required NFSv4 call structures.
>>
>> Signed-off-by: Matthew N. Dodd<Matthew.Dodd@sparta.com>
>> Signed-off-by: Miguel Rodel Felipe<Rodel_FM@dsi.a-star.edu.sg>
>> Signed-off-by: Phua Eu Gene<PHUA_Eu_Gene@dsi.a-star.edu.sg>
>> Signed-off-by: Khin Mi Mi Aung<Mi_Mi_AUNG@dsi.a-star.edu.sg>
>> Signed-off-by: David Quigley<dpquigl@davequigley.com>
>> ---
>>   fs/nfs/inode.c          | 40 ++++++++++++++++++++++++++++++++++++++++
>>   fs/nfsd/xdr4.h          |  3 +++
>>   include/linux/nfs4.h    |  8 ++++++++
>>   include/linux/nfs_fs.h  | 14 ++++++++++++++
>>   include/linux/nfs_xdr.h | 20 ++++++++++++++++++++
>>   5 files changed, 85 insertions(+)
>>
>> diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c
>> index 5c7325c..0963ad9 100644
>> --- a/fs/nfs/inode.c
>> +++ b/fs/nfs/inode.c
>> @@ -246,6 +246,46 @@ nfs_init_locked(struct inode *inode, void *opaque)
>>   	return 0;
>>   }
>>
>> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
>> +struct nfs4_label *nfs4_label_alloc(gfp_t flags)
>> +{
>> +	struct nfs4_label *label = NULL;
>> +
>> +	label = kzalloc(sizeof(struct nfs4_label) + NFS4_MAXLABELLEN, flags);
> NFS4_MAXLABELLEN is 4096, but we usually try to avoid allocating more
> than that in a single allocation.

Should we make this smaller? I figured a page would be a good upper bound.

>> +	if (label == NULL)
>> +		return NULL;
>> +
>> +	label->label = (void *)(label + 1);
>> +	label->len = NFS4_MAXLABELLEN;
>> +	/* 0 is the null format meaning that the data is not to be translated */
>> +	label->lfs = 0;
>> +	label->pi = 0;
> What's "pi"?
>
> --b.

In the LFS document we talk about how a policy identifier is a 
recommended field. It isn't implemented yet as we're setting both the 
LFS and the PI to 0 but I added it for when we put the LFS mapping 
daemon in next. The idea is that even though we have a label and we 
specify the format with the LFS we need to identify what version of 
policy it is so we can ensure that the actual meaning of a value is correct.

>
>> +	return label;
>> +}
>> +EXPORT_SYMBOL_GPL(nfs4_label_alloc);
>> +
>> +void nfs4_label_init(struct nfs4_label *label)
>> +{
>> +	if (label&&  label->label) {
>> +		*(unsigned char *)label->label = 0;
>> +		label->len = NFS4_MAXLABELLEN;
>> +		/* 0 is the null format meaning that the data is not
>> +		to be translated */
>> +		label->lfs = 0;
>> +		label->pi = 0;
>> +	}
>> +	return;
>> +}
>> +EXPORT_SYMBOL_GPL(nfs4_label_init);
>> +
>> +void nfs4_label_free(struct nfs4_label *label)
>> +{
>> +	kfree(label);
>> +	return;
>> +}
>> +EXPORT_SYMBOL_GPL(nfs4_label_free);
>> +#endif
>> +
>>   /*
>>    * This is our front-end to iget that looks up inodes by file handle
>>    * instead of inode number.
>> diff --git a/fs/nfsd/xdr4.h b/fs/nfsd/xdr4.h
>> index acd127d..ca8f30b 100644
>> --- a/fs/nfsd/xdr4.h
>> +++ b/fs/nfsd/xdr4.h
>> @@ -118,6 +118,7 @@ struct nfsd4_create {
>>   	struct iattr	cr_iattr;           /* request */
>>   	struct nfsd4_change_info  cr_cinfo; /* response */
>>   	struct nfs4_acl *cr_acl;
>> +	struct nfs4_label *cr_label;
>>   };
>>   #define cr_linklen	u.link.namelen
>>   #define cr_linkname	u.link.name
>> @@ -246,6 +247,7 @@ struct nfsd4_open {
>>   	struct nfs4_file *op_file;          /* used during processing */
>>   	struct nfs4_ol_stateid *op_stp;	    /* used during processing */
>>   	struct nfs4_acl *op_acl;
>> +	struct nfs4_label *op_label;
>>   };
>>   #define op_iattr	iattr
>>
>> @@ -330,6 +332,7 @@ struct nfsd4_setattr {
>>   	u32		sa_bmval[3];        /* request */
>>   	struct iattr	sa_iattr;           /* request */
>>   	struct nfs4_acl *sa_acl;
>> +	struct nfs4_label *sa_label;
>>   };
>>
>>   struct nfsd4_setclientid {
>> diff --git a/include/linux/nfs4.h b/include/linux/nfs4.h
>> index f9235b4..862471f 100644
>> --- a/include/linux/nfs4.h
>> +++ b/include/linux/nfs4.h
>> @@ -28,6 +28,14 @@ struct nfs4_acl {
>>   	struct nfs4_ace	aces[0];
>>   };
>>
>> +struct nfs4_label {
>> +	uint32_t	lfs;
>> +	uint32_t	pi;
>> +	u32		len;
>> +	void		*label;
>> +};
>> +
>> +
>>   typedef struct { char data[NFS4_VERIFIER_SIZE]; } nfs4_verifier;
>>
>>   struct nfs_stateid4 {
>> diff --git a/include/linux/nfs_fs.h b/include/linux/nfs_fs.h
>> index 1cc2568..37a862c 100644
>> --- a/include/linux/nfs_fs.h
>> +++ b/include/linux/nfs_fs.h
>> @@ -489,6 +489,20 @@ extern int nfs_mountpoint_expiry_timeout;
>>   extern void nfs_release_automount_timer(void);
>>
>>   /*
>> + * linux/fs/nfs/nfs4proc.c
>> + */
>> +
>> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
>> +extern struct nfs4_label *nfs4_label_alloc(gfp_t flags);
>> +extern void nfs4_label_init(struct nfs4_label *);
>> +extern void nfs4_label_free(struct nfs4_label *);
>> +#else
>> +static inline struct nfs4_label *nfs4_label_alloc(gfp_t flags) { return NULL; }
>> +static inline void nfs4_label_init(struct nfs4_label *) {}
>> +static inline void nfs4_label_free(struct nfs4_label *label) {}
>> +#endif
>> +
>> +/*
>>    * linux/fs/nfs/unlink.c
>>    */
>>   extern void nfs_complete_unlink(struct dentry *dentry, struct inode *);
>> diff --git a/include/linux/nfs_xdr.h b/include/linux/nfs_xdr.h
>> index a0669d3..7e9347a 100644
>> --- a/include/linux/nfs_xdr.h
>> +++ b/include/linux/nfs_xdr.h
>> @@ -352,6 +352,7 @@ struct nfs_openargs {
>>   	const u32 *		bitmask;
>>   	const u32 *		open_bitmap;
>>   	__u32			claim;
>> +	const struct nfs4_label *label;
>>   	struct nfs4_sequence_args	seq_args;
>>   };
>>
>> @@ -361,6 +362,7 @@ struct nfs_openres {
>>   	struct nfs4_change_info	cinfo;
>>   	__u32                   rflags;
>>   	struct nfs_fattr *      f_attr;
>> +	struct nfs4_label	*f_label;
>>   	struct nfs_seqid *	seqid;
>>   	const struct nfs_server *server;
>>   	fmode_t			delegation_type;
>> @@ -405,6 +407,7 @@ struct nfs_closeargs {
>>   struct nfs_closeres {
>>   	nfs4_stateid            stateid;
>>   	struct nfs_fattr *	fattr;
>> +	struct nfs4_label	*label;
>>   	struct nfs_seqid *	seqid;
>>   	const struct nfs_server *server;
>>   	struct nfs4_sequence_res	seq_res;
>> @@ -478,6 +481,7 @@ struct nfs4_delegreturnargs {
>>
>>   struct nfs4_delegreturnres {
>>   	struct nfs_fattr * fattr;
>> +	struct nfs4_label	*label;
>>   	const struct nfs_server *server;
>>   	struct nfs4_sequence_res	seq_res;
>>   };
>> @@ -498,6 +502,7 @@ struct nfs_readargs {
>>
>>   struct nfs_readres {
>>   	struct nfs_fattr *	fattr;
>> +	struct nfs4_label	*label;
>>   	__u32			count;
>>   	int                     eof;
>>   	struct nfs4_sequence_res	seq_res;
>> @@ -566,6 +571,7 @@ struct nfs_removeargs {
>>   struct nfs_removeres {
>>   	const struct nfs_server *server;
>>   	struct nfs_fattr	*dir_attr;
>> +	struct nfs4_label	*dir_label;
>>   	struct nfs4_change_info	cinfo;
>>   	struct nfs4_sequence_res 	seq_res;
>>   };
>> @@ -578,6 +584,8 @@ struct nfs_renameargs {
>>   	const struct nfs_fh		*new_dir;
>>   	const struct qstr		*old_name;
>>   	const struct qstr		*new_name;
>> +	const struct nfs4_label		*old_label;
>> +	const struct nfs4_label		*new_label;
>>   	struct nfs4_sequence_args	seq_args;
>>   };
>>
>> @@ -585,8 +593,10 @@ struct nfs_renameres {
>>   	const struct nfs_server		*server;
>>   	struct nfs4_change_info		old_cinfo;
>>   	struct nfs_fattr		*old_fattr;
>> +	struct nfs4_label		*old_label;
>>   	struct nfs4_change_info		new_cinfo;
>>   	struct nfs_fattr		*new_fattr;
>> +	struct nfs4_label		*new_label;
>>   	struct nfs4_sequence_res	seq_res;
>>   };
>>
>> @@ -634,6 +644,7 @@ struct nfs_setattrargs {
>>   	struct iattr *                  iap;
>>   	const struct nfs_server *	server; /* Needed for name mapping */
>>   	const u32 *			bitmask;
>> +	const struct nfs4_label		*label;
>>   	struct nfs4_sequence_args 	seq_args;
>>   };
>>
>> @@ -669,6 +680,7 @@ struct nfs_getaclres {
>>
>>   struct nfs_setattrres {
>>   	struct nfs_fattr *              fattr;
>> +	struct nfs4_label		*label;
>>   	const struct nfs_server *	server;
>>   	struct nfs4_sequence_res	seq_res;
>>   };
>> @@ -715,6 +727,7 @@ struct nfs3_setaclargs {
>>   struct nfs_diropok {
>>   	struct nfs_fh *		fh;
>>   	struct nfs_fattr *	fattr;
>> +	struct nfs4_label	*label;
>>   };
>>
>>   struct nfs_readlinkargs {
>> @@ -844,6 +857,7 @@ struct nfs4_accessargs {
>>   struct nfs4_accessres {
>>   	const struct nfs_server *	server;
>>   	struct nfs_fattr *		fattr;
>> +	struct nfs4_label		*label;
>>   	u32				supported;
>>   	u32				access;
>>   	struct nfs4_sequence_res	seq_res;
>> @@ -866,6 +880,7 @@ struct nfs4_create_arg {
>>   	const struct iattr *		attrs;
>>   	const struct nfs_fh *		dir_fh;
>>   	const u32 *			bitmask;
>> +	const struct nfs4_label		*label;
>>   	struct nfs4_sequence_args 	seq_args;
>>   };
>>
>> @@ -873,6 +888,7 @@ struct nfs4_create_res {
>>   	const struct nfs_server *	server;
>>   	struct nfs_fh *			fh;
>>   	struct nfs_fattr *		fattr;
>> +	struct nfs4_label		*label;
>>   	struct nfs4_change_info		dir_cinfo;
>>   	struct nfs4_sequence_res	seq_res;
>>   };
>> @@ -898,6 +914,7 @@ struct nfs4_getattr_res {
>>   	const struct nfs_server *	server;
>>   	struct nfs_fattr *		fattr;
>>   	struct nfs4_sequence_res	seq_res;
>> +	struct nfs4_label		*label;
>>   };
>>
>>   struct nfs4_link_arg {
>> @@ -911,8 +928,10 @@ struct nfs4_link_arg {
>>   struct nfs4_link_res {
>>   	const struct nfs_server *	server;
>>   	struct nfs_fattr *		fattr;
>> +	struct nfs4_label		*label;
>>   	struct nfs4_change_info		cinfo;
>>   	struct nfs_fattr *		dir_attr;
>> +	struct nfs4_label		*dir_label;
>>   	struct nfs4_sequence_res	seq_res;
>>   };
>>
>> @@ -928,6 +947,7 @@ struct nfs4_lookup_res {
>>   	const struct nfs_server *	server;
>>   	struct nfs_fattr *		fattr;
>>   	struct nfs_fh *			fh;
>> +	struct nfs4_label		*label;
>>   	struct nfs4_sequence_res	seq_res;
>>   };
>>
>> -- 
>> 1.7.11.7
>>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

Re: [PATCH 07/13] NFSv4: Introduce new label structure

[David P. Quigley]

On 11/12/2012 10:13 AM, J. Bruce Fields wrote:
> On Mon, Nov 12, 2012 at 01:15:41AM -0500, David Quigley wrote:
>> From: David Quigley<dpquigl@davequigley.com>
>>
>> In order to mimic the way that NFSv4 ACLs are implemented we have created a
>> structure to be used to pass label data up and down the call chain. This patch
>> adds the new structure and new members to the required NFSv4 call structures.
>>
>> Signed-off-by: Matthew N. Dodd<Matthew.Dodd@sparta.com>
>> Signed-off-by: Miguel Rodel Felipe<Rodel_FM@dsi.a-star.edu.sg>
>> Signed-off-by: Phua Eu Gene<PHUA_Eu_Gene@dsi.a-star.edu.sg>
>> Signed-off-by: Khin Mi Mi Aung<Mi_Mi_AUNG@dsi.a-star.edu.sg>
>> Signed-off-by: David Quigley<dpquigl@davequigley.com>
>> ---
>>   fs/nfs/inode.c          | 40 ++++++++++++++++++++++++++++++++++++++++
>>   fs/nfsd/xdr4.h          |  3 +++
>>   include/linux/nfs4.h    |  8 ++++++++
>>   include/linux/nfs_fs.h  | 14 ++++++++++++++
>>   include/linux/nfs_xdr.h | 20 ++++++++++++++++++++
>>   5 files changed, 85 insertions(+)
>>
>> diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c
>> index 5c7325c..0963ad9 100644
>> --- a/fs/nfs/inode.c
>> +++ b/fs/nfs/inode.c
>> @@ -246,6 +246,46 @@ nfs_init_locked(struct inode *inode, void *opaque)
>>   	return 0;
>>   }
>>
>> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
>> +struct nfs4_label *nfs4_label_alloc(gfp_t flags)
>> +{
>> +	struct nfs4_label *label = NULL;
>> +
>> +	label = kzalloc(sizeof(struct nfs4_label) + NFS4_MAXLABELLEN, flags);
> NFS4_MAXLABELLEN is 4096, but we usually try to avoid allocating more
> than that in a single allocation.

Should we make this smaller? I figured a page would be a good upper bound.

>> +	if (label == NULL)
>> +		return NULL;
>> +
>> +	label->label = (void *)(label + 1);
>> +	label->len = NFS4_MAXLABELLEN;
>> +	/* 0 is the null format meaning that the data is not to be translated */
>> +	label->lfs = 0;
>> +	label->pi = 0;
> What's "pi"?
>
> --b.

In the LFS document we talk about how a policy identifier is a 
recommended field. It isn't implemented yet as we're setting both the 
LFS and the PI to 0 but I added it for when we put the LFS mapping 
daemon in next. The idea is that even though we have a label and we 
specify the format with the LFS we need to identify what version of 
policy it is so we can ensure that the actual meaning of a value is correct.

>
>> +	return label;
>> +}
>> +EXPORT_SYMBOL_GPL(nfs4_label_alloc);
>> +
>> +void nfs4_label_init(struct nfs4_label *label)
>> +{
>> +	if (label&&  label->label) {
>> +		*(unsigned char *)label->label = 0;
>> +		label->len = NFS4_MAXLABELLEN;
>> +		/* 0 is the null format meaning that the data is not
>> +		to be translated */
>> +		label->lfs = 0;
>> +		label->pi = 0;
>> +	}
>> +	return;
>> +}
>> +EXPORT_SYMBOL_GPL(nfs4_label_init);
>> +
>> +void nfs4_label_free(struct nfs4_label *label)
>> +{
>> +	kfree(label);
>> +	return;
>> +}
>> +EXPORT_SYMBOL_GPL(nfs4_label_free);
>> +#endif
>> +
>>   /*
>>    * This is our front-end to iget that looks up inodes by file handle
>>    * instead of inode number.
>> diff --git a/fs/nfsd/xdr4.h b/fs/nfsd/xdr4.h
>> index acd127d..ca8f30b 100644
>> --- a/fs/nfsd/xdr4.h
>> +++ b/fs/nfsd/xdr4.h
>> @@ -118,6 +118,7 @@ struct nfsd4_create {
>>   	struct iattr	cr_iattr;           /* request */
>>   	struct nfsd4_change_info  cr_cinfo; /* response */
>>   	struct nfs4_acl *cr_acl;
>> +	struct nfs4_label *cr_label;
>>   };
>>   #define cr_linklen	u.link.namelen
>>   #define cr_linkname	u.link.name
>> @@ -246,6 +247,7 @@ struct nfsd4_open {
>>   	struct nfs4_file *op_file;          /* used during processing */
>>   	struct nfs4_ol_stateid *op_stp;	    /* used during processing */
>>   	struct nfs4_acl *op_acl;
>> +	struct nfs4_label *op_label;
>>   };
>>   #define op_iattr	iattr
>>
>> @@ -330,6 +332,7 @@ struct nfsd4_setattr {
>>   	u32		sa_bmval[3];        /* request */
>>   	struct iattr	sa_iattr;           /* request */
>>   	struct nfs4_acl *sa_acl;
>> +	struct nfs4_label *sa_label;
>>   };
>>
>>   struct nfsd4_setclientid {
>> diff --git a/include/linux/nfs4.h b/include/linux/nfs4.h
>> index f9235b4..862471f 100644
>> --- a/include/linux/nfs4.h
>> +++ b/include/linux/nfs4.h
>> @@ -28,6 +28,14 @@ struct nfs4_acl {
>>   	struct nfs4_ace	aces[0];
>>   };
>>
>> +struct nfs4_label {
>> +	uint32_t	lfs;
>> +	uint32_t	pi;
>> +	u32		len;
>> +	void		*label;
>> +};
>> +
>> +
>>   typedef struct { char data[NFS4_VERIFIER_SIZE]; } nfs4_verifier;
>>
>>   struct nfs_stateid4 {
>> diff --git a/include/linux/nfs_fs.h b/include/linux/nfs_fs.h
>> index 1cc2568..37a862c 100644
>> --- a/include/linux/nfs_fs.h
>> +++ b/include/linux/nfs_fs.h
>> @@ -489,6 +489,20 @@ extern int nfs_mountpoint_expiry_timeout;
>>   extern void nfs_release_automount_timer(void);
>>
>>   /*
>> + * linux/fs/nfs/nfs4proc.c
>> + */
>> +
>> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
>> +extern struct nfs4_label *nfs4_label_alloc(gfp_t flags);
>> +extern void nfs4_label_init(struct nfs4_label *);
>> +extern void nfs4_label_free(struct nfs4_label *);
>> +#else
>> +static inline struct nfs4_label *nfs4_label_alloc(gfp_t flags) { return NULL; }
>> +static inline void nfs4_label_init(struct nfs4_label *) {}
>> +static inline void nfs4_label_free(struct nfs4_label *label) {}
>> +#endif
>> +
>> +/*
>>    * linux/fs/nfs/unlink.c
>>    */
>>   extern void nfs_complete_unlink(struct dentry *dentry, struct inode *);
>> diff --git a/include/linux/nfs_xdr.h b/include/linux/nfs_xdr.h
>> index a0669d3..7e9347a 100644
>> --- a/include/linux/nfs_xdr.h
>> +++ b/include/linux/nfs_xdr.h
>> @@ -352,6 +352,7 @@ struct nfs_openargs {
>>   	const u32 *		bitmask;
>>   	const u32 *		open_bitmap;
>>   	__u32			claim;
>> +	const struct nfs4_label *label;
>>   	struct nfs4_sequence_args	seq_args;
>>   };
>>
>> @@ -361,6 +362,7 @@ struct nfs_openres {
>>   	struct nfs4_change_info	cinfo;
>>   	__u32                   rflags;
>>   	struct nfs_fattr *      f_attr;
>> +	struct nfs4_label	*f_label;
>>   	struct nfs_seqid *	seqid;
>>   	const struct nfs_server *server;
>>   	fmode_t			delegation_type;
>> @@ -405,6 +407,7 @@ struct nfs_closeargs {
>>   struct nfs_closeres {
>>   	nfs4_stateid            stateid;
>>   	struct nfs_fattr *	fattr;
>> +	struct nfs4_label	*label;
>>   	struct nfs_seqid *	seqid;
>>   	const struct nfs_server *server;
>>   	struct nfs4_sequence_res	seq_res;
>> @@ -478,6 +481,7 @@ struct nfs4_delegreturnargs {
>>
>>   struct nfs4_delegreturnres {
>>   	struct nfs_fattr * fattr;
>> +	struct nfs4_label	*label;
>>   	const struct nfs_server *server;
>>   	struct nfs4_sequence_res	seq_res;
>>   };
>> @@ -498,6 +502,7 @@ struct nfs_readargs {
>>
>>   struct nfs_readres {
>>   	struct nfs_fattr *	fattr;
>> +	struct nfs4_label	*label;
>>   	__u32			count;
>>   	int                     eof;
>>   	struct nfs4_sequence_res	seq_res;
>> @@ -566,6 +571,7 @@ struct nfs_removeargs {
>>   struct nfs_removeres {
>>   	const struct nfs_server *server;
>>   	struct nfs_fattr	*dir_attr;
>> +	struct nfs4_label	*dir_label;
>>   	struct nfs4_change_info	cinfo;
>>   	struct nfs4_sequence_res 	seq_res;
>>   };
>> @@ -578,6 +584,8 @@ struct nfs_renameargs {
>>   	const struct nfs_fh		*new_dir;
>>   	const struct qstr		*old_name;
>>   	const struct qstr		*new_name;
>> +	const struct nfs4_label		*old_label;
>> +	const struct nfs4_label		*new_label;
>>   	struct nfs4_sequence_args	seq_args;
>>   };
>>
>> @@ -585,8 +593,10 @@ struct nfs_renameres {
>>   	const struct nfs_server		*server;
>>   	struct nfs4_change_info		old_cinfo;
>>   	struct nfs_fattr		*old_fattr;
>> +	struct nfs4_label		*old_label;
>>   	struct nfs4_change_info		new_cinfo;
>>   	struct nfs_fattr		*new_fattr;
>> +	struct nfs4_label		*new_label;
>>   	struct nfs4_sequence_res	seq_res;
>>   };
>>
>> @@ -634,6 +644,7 @@ struct nfs_setattrargs {
>>   	struct iattr *                  iap;
>>   	const struct nfs_server *	server; /* Needed for name mapping */
>>   	const u32 *			bitmask;
>> +	const struct nfs4_label		*label;
>>   	struct nfs4_sequence_args 	seq_args;
>>   };
>>
>> @@ -669,6 +680,7 @@ struct nfs_getaclres {
>>
>>   struct nfs_setattrres {
>>   	struct nfs_fattr *              fattr;
>> +	struct nfs4_label		*label;
>>   	const struct nfs_server *	server;
>>   	struct nfs4_sequence_res	seq_res;
>>   };
>> @@ -715,6 +727,7 @@ struct nfs3_setaclargs {
>>   struct nfs_diropok {
>>   	struct nfs_fh *		fh;
>>   	struct nfs_fattr *	fattr;
>> +	struct nfs4_label	*label;
>>   };
>>
>>   struct nfs_readlinkargs {
>> @@ -844,6 +857,7 @@ struct nfs4_accessargs {
>>   struct nfs4_accessres {
>>   	const struct nfs_server *	server;
>>   	struct nfs_fattr *		fattr;
>> +	struct nfs4_label		*label;
>>   	u32				supported;
>>   	u32				access;
>>   	struct nfs4_sequence_res	seq_res;
>> @@ -866,6 +880,7 @@ struct nfs4_create_arg {
>>   	const struct iattr *		attrs;
>>   	const struct nfs_fh *		dir_fh;
>>   	const u32 *			bitmask;
>> +	const struct nfs4_label		*label;
>>   	struct nfs4_sequence_args 	seq_args;
>>   };
>>
>> @@ -873,6 +888,7 @@ struct nfs4_create_res {
>>   	const struct nfs_server *	server;
>>   	struct nfs_fh *			fh;
>>   	struct nfs_fattr *		fattr;
>> +	struct nfs4_label		*label;
>>   	struct nfs4_change_info		dir_cinfo;
>>   	struct nfs4_sequence_res	seq_res;
>>   };
>> @@ -898,6 +914,7 @@ struct nfs4_getattr_res {
>>   	const struct nfs_server *	server;
>>   	struct nfs_fattr *		fattr;
>>   	struct nfs4_sequence_res	seq_res;
>> +	struct nfs4_label		*label;
>>   };
>>
>>   struct nfs4_link_arg {
>> @@ -911,8 +928,10 @@ struct nfs4_link_arg {
>>   struct nfs4_link_res {
>>   	const struct nfs_server *	server;
>>   	struct nfs_fattr *		fattr;
>> +	struct nfs4_label		*label;
>>   	struct nfs4_change_info		cinfo;
>>   	struct nfs_fattr *		dir_attr;
>> +	struct nfs4_label		*dir_label;
>>   	struct nfs4_sequence_res	seq_res;
>>   };
>>
>> @@ -928,6 +947,7 @@ struct nfs4_lookup_res {
>>   	const struct nfs_server *	server;
>>   	struct nfs_fattr *		fattr;
>>   	struct nfs_fh *			fh;
>> +	struct nfs4_label		*label;
>>   	struct nfs4_sequence_res	seq_res;
>>   };
>>
>> -- 
>> 1.7.11.7
>>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH 07/13] NFSv4: Introduce new label structure

[J. Bruce Fields]

On Mon, Nov 12, 2012 at 10:32:56AM -0500, David P. Quigley wrote:
> On 11/12/2012 10:13 AM, J. Bruce Fields wrote:
> >On Mon, Nov 12, 2012 at 01:15:41AM -0500, David Quigley wrote:
> >>From: David Quigley<dpquigl@davequigley.com>
> >>
> >>In order to mimic the way that NFSv4 ACLs are implemented we have created a
> >>structure to be used to pass label data up and down the call chain. This patch
> >>adds the new structure and new members to the required NFSv4 call structures.
> >>
> >>Signed-off-by: Matthew N. Dodd<Matthew.Dodd@sparta.com>
> >>Signed-off-by: Miguel Rodel Felipe<Rodel_FM@dsi.a-star.edu.sg>
> >>Signed-off-by: Phua Eu Gene<PHUA_Eu_Gene@dsi.a-star.edu.sg>
> >>Signed-off-by: Khin Mi Mi Aung<Mi_Mi_AUNG@dsi.a-star.edu.sg>
> >>Signed-off-by: David Quigley<dpquigl@davequigley.com>
> >>---
> >>  fs/nfs/inode.c          | 40 ++++++++++++++++++++++++++++++++++++++++
> >>  fs/nfsd/xdr4.h          |  3 +++
> >>  include/linux/nfs4.h    |  8 ++++++++
> >>  include/linux/nfs_fs.h  | 14 ++++++++++++++
> >>  include/linux/nfs_xdr.h | 20 ++++++++++++++++++++
> >>  5 files changed, 85 insertions(+)
> >>
> >>diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c
> >>index 5c7325c..0963ad9 100644
> >>--- a/fs/nfs/inode.c
> >>+++ b/fs/nfs/inode.c
> >>@@ -246,6 +246,46 @@ nfs_init_locked(struct inode *inode, void *opaque)
> >>  	return 0;
> >>  }
> >>
> >>+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
> >>+struct nfs4_label *nfs4_label_alloc(gfp_t flags)
> >>+{
> >>+	struct nfs4_label *label = NULL;
> >>+
> >>+	label = kzalloc(sizeof(struct nfs4_label) + NFS4_MAXLABELLEN, flags);
> >NFS4_MAXLABELLEN is 4096, but we usually try to avoid allocating more
> >than that in a single allocation.
> 
> Should we make this smaller? I figured a page would be a good upper bound.

If we could make it small enough so that the above fits in 4096 bytes
that would be easier.

(What does the protocol say?  On a quick glance it doesn't seem to
impose a limit.)

> >>+	label->label = (void *)(label + 1);
> >>+	label->len = NFS4_MAXLABELLEN;
> >>+	/* 0 is the null format meaning that the data is not to be translated */
> >>+	label->lfs = 0;
> >>+	label->pi = 0;
> >What's "pi"?
> >
> >--b.
> 
> In the LFS document we talk about how a policy identifier is a
> recommended field. It isn't implemented yet as we're setting both
> the LFS and the PI to 0 but I added it for when we put the LFS
> mapping daemon in next. The idea is that even though we have a label
> and we specify the format with the LFS we need to identify what
> version of policy it is so we can ensure that the actual meaning of
> a value is correct.

And, my bad, this is in the spec--sorry, I need to go study it.

--b.

Re: [PATCH 07/13] NFSv4: Introduce new label structure

[David P. Quigley]

On 11/12/2012 11:05 AM, J. Bruce Fields wrote:
> On Mon, Nov 12, 2012 at 10:32:56AM -0500, David P. Quigley wrote:
>> On 11/12/2012 10:13 AM, J. Bruce Fields wrote:
>>> On Mon, Nov 12, 2012 at 01:15:41AM -0500, David Quigley wrote:
>>>> From: David Quigley<dpquigl@davequigley.com>
>>>>
>>>> In order to mimic the way that NFSv4 ACLs are implemented we have created a
>>>> structure to be used to pass label data up and down the call chain. This patch
>>>> adds the new structure and new members to the required NFSv4 call structures.
>>>>
>>>> Signed-off-by: Matthew N. Dodd<Matthew.Dodd@sparta.com>
>>>> Signed-off-by: Miguel Rodel Felipe<Rodel_FM@dsi.a-star.edu.sg>
>>>> Signed-off-by: Phua Eu Gene<PHUA_Eu_Gene@dsi.a-star.edu.sg>
>>>> Signed-off-by: Khin Mi Mi Aung<Mi_Mi_AUNG@dsi.a-star.edu.sg>
>>>> Signed-off-by: David Quigley<dpquigl@davequigley.com>
>>>> ---
>>>>   fs/nfs/inode.c          | 40 ++++++++++++++++++++++++++++++++++++++++
>>>>   fs/nfsd/xdr4.h          |  3 +++
>>>>   include/linux/nfs4.h    |  8 ++++++++
>>>>   include/linux/nfs_fs.h  | 14 ++++++++++++++
>>>>   include/linux/nfs_xdr.h | 20 ++++++++++++++++++++
>>>>   5 files changed, 85 insertions(+)
>>>>
>>>> diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c
>>>> index 5c7325c..0963ad9 100644
>>>> --- a/fs/nfs/inode.c
>>>> +++ b/fs/nfs/inode.c
>>>> @@ -246,6 +246,46 @@ nfs_init_locked(struct inode *inode, void *opaque)
>>>>   	return 0;
>>>>   }
>>>>
>>>> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
>>>> +struct nfs4_label *nfs4_label_alloc(gfp_t flags)
>>>> +{
>>>> +	struct nfs4_label *label = NULL;
>>>> +
>>>> +	label = kzalloc(sizeof(struct nfs4_label) + NFS4_MAXLABELLEN, flags);
>>> NFS4_MAXLABELLEN is 4096, but we usually try to avoid allocating more
>>> than that in a single allocation.
>> Should we make this smaller? I figured a page would be a good upper bound.
> If we could make it small enough so that the above fits in 4096 bytes
> that would be easier.
>
> (What does the protocol say?  On a quick glance it doesn't seem to
> impose a limit.)

The spec doesn't limit the size of a label but we thought that a page 
would be good. We can make it 4095 to ensure that it will always be in a 
page incase a null terminator is added. I believe someone mentioned this 
in the past I'm not sure why it didn't make its way in. We initially had 
something much larger but Trond chimed in and said that if its larger 
than a page something is wrong so we lowered it.

>
>>>> +	label->label = (void *)(label + 1);
>>>> +	label->len = NFS4_MAXLABELLEN;
>>>> +	/* 0 is the null format meaning that the data is not to be translated */
>>>> +	label->lfs = 0;
>>>> +	label->pi = 0;
>>> What's "pi"?
>>>
>>> --b.
>> In the LFS document we talk about how a policy identifier is a
>> recommended field. It isn't implemented yet as we're setting both
>> the LFS and the PI to 0 but I added it for when we put the LFS
>> mapping daemon in next. The idea is that even though we have a label
>> and we specify the format with the LFS we need to identify what
>> version of policy it is so we can ensure that the actual meaning of
>> a value is correct.
> And, my bad, this is in the spec--sorry, I need to go study it.
>
> --b.
>

Its ok. It's been in the works so long its hard to keep track of it all.

Re: [PATCH 07/13] NFSv4: Introduce new label structure

[David P. Quigley]

On 11/12/2012 11:05 AM, J. Bruce Fields wrote:
> On Mon, Nov 12, 2012 at 10:32:56AM -0500, David P. Quigley wrote:
>> On 11/12/2012 10:13 AM, J. Bruce Fields wrote:
>>> On Mon, Nov 12, 2012 at 01:15:41AM -0500, David Quigley wrote:
>>>> From: David Quigley<dpquigl@davequigley.com>
>>>>
>>>> In order to mimic the way that NFSv4 ACLs are implemented we have created a
>>>> structure to be used to pass label data up and down the call chain. This patch
>>>> adds the new structure and new members to the required NFSv4 call structures.
>>>>
>>>> Signed-off-by: Matthew N. Dodd<Matthew.Dodd@sparta.com>
>>>> Signed-off-by: Miguel Rodel Felipe<Rodel_FM@dsi.a-star.edu.sg>
>>>> Signed-off-by: Phua Eu Gene<PHUA_Eu_Gene@dsi.a-star.edu.sg>
>>>> Signed-off-by: Khin Mi Mi Aung<Mi_Mi_AUNG@dsi.a-star.edu.sg>
>>>> Signed-off-by: David Quigley<dpquigl@davequigley.com>
>>>> ---
>>>>   fs/nfs/inode.c          | 40 ++++++++++++++++++++++++++++++++++++++++
>>>>   fs/nfsd/xdr4.h          |  3 +++
>>>>   include/linux/nfs4.h    |  8 ++++++++
>>>>   include/linux/nfs_fs.h  | 14 ++++++++++++++
>>>>   include/linux/nfs_xdr.h | 20 ++++++++++++++++++++
>>>>   5 files changed, 85 insertions(+)
>>>>
>>>> diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c
>>>> index 5c7325c..0963ad9 100644
>>>> --- a/fs/nfs/inode.c
>>>> +++ b/fs/nfs/inode.c
>>>> @@ -246,6 +246,46 @@ nfs_init_locked(struct inode *inode, void *opaque)
>>>>   	return 0;
>>>>   }
>>>>
>>>> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
>>>> +struct nfs4_label *nfs4_label_alloc(gfp_t flags)
>>>> +{
>>>> +	struct nfs4_label *label = NULL;
>>>> +
>>>> +	label = kzalloc(sizeof(struct nfs4_label) + NFS4_MAXLABELLEN, flags);
>>> NFS4_MAXLABELLEN is 4096, but we usually try to avoid allocating more
>>> than that in a single allocation.
>> Should we make this smaller? I figured a page would be a good upper bound.
> If we could make it small enough so that the above fits in 4096 bytes
> that would be easier.
>
> (What does the protocol say?  On a quick glance it doesn't seem to
> impose a limit.)

The spec doesn't limit the size of a label but we thought that a page 
would be good. We can make it 4095 to ensure that it will always be in a 
page incase a null terminator is added. I believe someone mentioned this 
in the past I'm not sure why it didn't make its way in. We initially had 
something much larger but Trond chimed in and said that if its larger 
than a page something is wrong so we lowered it.

>
>>>> +	label->label = (void *)(label + 1);
>>>> +	label->len = NFS4_MAXLABELLEN;
>>>> +	/* 0 is the null format meaning that the data is not to be translated */
>>>> +	label->lfs = 0;
>>>> +	label->pi = 0;
>>> What's "pi"?
>>>
>>> --b.
>> In the LFS document we talk about how a policy identifier is a
>> recommended field. It isn't implemented yet as we're setting both
>> the LFS and the PI to 0 but I added it for when we put the LFS
>> mapping daemon in next. The idea is that even though we have a label
>> and we specify the format with the LFS we need to identify what
>> version of policy it is so we can ensure that the actual meaning of
>> a value is correct.
> And, my bad, this is in the spec--sorry, I need to go study it.
>
> --b.
>

Its ok. It's been in the works so long its hard to keep track of it all.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH 07/13] NFSv4: Introduce new label structure

[J. Bruce Fields]

On Mon, Nov 12, 2012 at 11:53:13AM -0500, David P. Quigley wrote:
> On 11/12/2012 11:05 AM, J. Bruce Fields wrote:
> >On Mon, Nov 12, 2012 at 10:32:56AM -0500, David P. Quigley wrote:
> >>On 11/12/2012 10:13 AM, J. Bruce Fields wrote:
> >>>On Mon, Nov 12, 2012 at 01:15:41AM -0500, David Quigley wrote:
> >>>>From: David Quigley<dpquigl@davequigley.com>
> >>>>
> >>>>In order to mimic the way that NFSv4 ACLs are implemented we have created a
> >>>>structure to be used to pass label data up and down the call chain. This patch
> >>>>adds the new structure and new members to the required NFSv4 call structures.
> >>>>
> >>>>Signed-off-by: Matthew N. Dodd<Matthew.Dodd@sparta.com>
> >>>>Signed-off-by: Miguel Rodel Felipe<Rodel_FM@dsi.a-star.edu.sg>
> >>>>Signed-off-by: Phua Eu Gene<PHUA_Eu_Gene@dsi.a-star.edu.sg>
> >>>>Signed-off-by: Khin Mi Mi Aung<Mi_Mi_AUNG@dsi.a-star.edu.sg>
> >>>>Signed-off-by: David Quigley<dpquigl@davequigley.com>
> >>>>---
> >>>>  fs/nfs/inode.c          | 40 ++++++++++++++++++++++++++++++++++++++++
> >>>>  fs/nfsd/xdr4.h          |  3 +++
> >>>>  include/linux/nfs4.h    |  8 ++++++++
> >>>>  include/linux/nfs_fs.h  | 14 ++++++++++++++
> >>>>  include/linux/nfs_xdr.h | 20 ++++++++++++++++++++
> >>>>  5 files changed, 85 insertions(+)
> >>>>
> >>>>diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c
> >>>>index 5c7325c..0963ad9 100644
> >>>>--- a/fs/nfs/inode.c
> >>>>+++ b/fs/nfs/inode.c
> >>>>@@ -246,6 +246,46 @@ nfs_init_locked(struct inode *inode, void *opaque)
> >>>>  	return 0;
> >>>>  }
> >>>>
> >>>>+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
> >>>>+struct nfs4_label *nfs4_label_alloc(gfp_t flags)
> >>>>+{
> >>>>+	struct nfs4_label *label = NULL;
> >>>>+
> >>>>+	label = kzalloc(sizeof(struct nfs4_label) + NFS4_MAXLABELLEN, flags);
> >>>NFS4_MAXLABELLEN is 4096, but we usually try to avoid allocating more
> >>>than that in a single allocation.
> >>Should we make this smaller? I figured a page would be a good upper bound.
> >If we could make it small enough so that the above fits in 4096 bytes
> >that would be easier.
> >
> >(What does the protocol say?  On a quick glance it doesn't seem to
> >impose a limit.)
> 
> The spec doesn't limit the size of a label but we thought that a
> page would be good. We can make it 4095 to ensure that it will
> always be in a page incase a null terminator is added. I believe
> someone mentioned this in the past I'm not sure why it didn't make
> its way in. We initially had something much larger but Trond chimed
> in and said that if its larger than a page something is wrong so we
> lowered it.

Note that sizeof(struct nfs4_label) in there too.  So maybe subtract the
maximum possible size of that thing, then round down to something nice?

--b.

[PATCH 08/13] NFSv4: Extend fattr bitmaps to support all 3 words

[David Quigley]

From: David Quigley <dpquigl@davequigley.com>

The fattr handling bitmap code only uses the first two fattr words sofar. This
patch adds the 3rd word to being sent but doesn't populate it yet.

Signed-off-by: Miguel Rodel Felipe <Rodel_FM@dsi.a-star.edu.sg>
Signed-off-by: Phua Eu Gene <PHUA_Eu_Gene@dsi.a-star.edu.sg>
Signed-off-by: Khin Mi Mi Aung <Mi_Mi_AUNG@dsi.a-star.edu.sg>
Signed-off-by: David Quigley <dpquigl@davequigley.com>
---
 fs/nfs/nfs4_fs.h          |  6 +++---
 fs/nfs/nfs4proc.c         | 20 +++++++++++++-------
 fs/nfs/nfs4xdr.c          | 20 ++++++++++++--------
 fs/nfs/super.c            |  1 +
 include/linux/nfs_fs_sb.h |  2 +-
 5 files changed, 30 insertions(+), 19 deletions(-)

diff --git a/fs/nfs/nfs4_fs.h b/fs/nfs/nfs4_fs.h
index a525fde..f15015a 100644
--- a/fs/nfs/nfs4_fs.h
+++ b/fs/nfs/nfs4_fs.h
@@ -304,10 +304,10 @@ is_ds_client(struct nfs_client *clp)
 extern const struct nfs4_minor_version_ops *nfs_v4_minor_ops[];
 
 extern const u32 nfs4_fattr_bitmap[3];
-extern const u32 nfs4_statfs_bitmap[2];
-extern const u32 nfs4_pathconf_bitmap[2];
+extern const u32 nfs4_statfs_bitmap[3];
+extern const u32 nfs4_pathconf_bitmap[3];
 extern const u32 nfs4_fsinfo_bitmap[3];
-extern const u32 nfs4_fs_locations_bitmap[2];
+extern const u32 nfs4_fs_locations_bitmap[3];
 
 void nfs4_free_client(struct nfs_client *);
 
diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
index 68b21d8..3c49f3e 100644
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -131,7 +131,8 @@ const u32 nfs4_fattr_bitmap[3] = {
 	| FATTR4_WORD1_SPACE_USED
 	| FATTR4_WORD1_TIME_ACCESS
 	| FATTR4_WORD1_TIME_METADATA
-	| FATTR4_WORD1_TIME_MODIFY
+	| FATTR4_WORD1_TIME_MODIFY,
+	0
 };
 
 static const u32 nfs4_pnfs_open_bitmap[3] = {
@@ -158,18 +159,20 @@ static const u32 nfs4_open_noattr_bitmap[3] = {
 	| FATTR4_WORD0_FILEID,
 };
 
-const u32 nfs4_statfs_bitmap[2] = {
+const u32 nfs4_statfs_bitmap[3] = {
 	FATTR4_WORD0_FILES_AVAIL
 	| FATTR4_WORD0_FILES_FREE
 	| FATTR4_WORD0_FILES_TOTAL,
 	FATTR4_WORD1_SPACE_AVAIL
 	| FATTR4_WORD1_SPACE_FREE
-	| FATTR4_WORD1_SPACE_TOTAL
+	| FATTR4_WORD1_SPACE_TOTAL,
+	0
 };
 
-const u32 nfs4_pathconf_bitmap[2] = {
+const u32 nfs4_pathconf_bitmap[3] = {
 	FATTR4_WORD0_MAXLINK
 	| FATTR4_WORD0_MAXNAME,
+	0,
 	0
 };
 
@@ -182,7 +185,7 @@ const u32 nfs4_fsinfo_bitmap[3] = { FATTR4_WORD0_MAXFILESIZE
 			FATTR4_WORD2_LAYOUT_BLKSIZE
 };
 
-const u32 nfs4_fs_locations_bitmap[2] = {
+const u32 nfs4_fs_locations_bitmap[3] = {
 	FATTR4_WORD0_TYPE
 	| FATTR4_WORD0_CHANGE
 	| FATTR4_WORD0_SIZE
@@ -198,7 +201,8 @@ const u32 nfs4_fs_locations_bitmap[2] = {
 	| FATTR4_WORD1_TIME_ACCESS
 	| FATTR4_WORD1_TIME_METADATA
 	| FATTR4_WORD1_TIME_MODIFY
-	| FATTR4_WORD1_MOUNTED_ON_FILEID
+	| FATTR4_WORD1_MOUNTED_ON_FILEID,
+	0
 };
 
 static void nfs4_setup_readdir(u64 cookie, __be32 *verifier, struct dentry *dentry,
@@ -5211,8 +5215,10 @@ static int _nfs4_proc_fs_locations(struct rpc_clnt *client, struct inode *dir,
 				   struct page *page)
 {
 	struct nfs_server *server = NFS_SERVER(dir);
-	u32 bitmask[2] = {
+	u32 bitmask[3] = {
 		[0] = FATTR4_WORD0_FSID | FATTR4_WORD0_FS_LOCATIONS,
+		[1] = 0,
+		[2] = 0
 	};
 	struct nfs4_fs_locations_arg args = {
 		.dir_fh = NFS_FH(dir),
diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c
index 40836ee..146d4d3 100644
--- a/fs/nfs/nfs4xdr.c
+++ b/fs/nfs/nfs4xdr.c
@@ -980,15 +980,16 @@ static void encode_attrs(struct xdr_stream *xdr, const struct iattr *iap, const
 	int len;
 	uint32_t bmval0 = 0;
 	uint32_t bmval1 = 0;
+	uint32_t bmval2 = 0;
 
 	/*
 	 * We reserve enough space to write the entire attribute buffer at once.
 	 * In the worst-case, this would be
-	 *   12(bitmap) + 4(attrlen) + 8(size) + 4(mode) + 4(atime) + 4(mtime)
-	 *          = 36 bytes, plus any contribution from variable-length fields
+	 * 16(bitmap) + 4(attrlen) + 8(size) + 4(mode) + 4(atime) + 4(mtime)
+	 * = 40 bytes, plus any contribution from variable-length fields
 	 *            such as owner/group.
 	 */
-	len = 16;
+	len = 20;
 
 	/* Sigh */
 	if (iap->ia_valid & ATTR_SIZE)
@@ -1032,9 +1033,9 @@ static void encode_attrs(struct xdr_stream *xdr, const struct iattr *iap, const
 	 * We write the bitmap length now, but leave the bitmap and the attribute
 	 * buffer length to be backfilled at the end of this routine.
 	 */
-	*p++ = cpu_to_be32(2);
+	*p++ = cpu_to_be32(3);
 	q = p;
-	p += 3;
+	p += 4;
 
 	if (iap->ia_valid & ATTR_SIZE) {
 		bmval0 |= FATTR4_WORD0_SIZE;
@@ -1083,9 +1084,10 @@ static void encode_attrs(struct xdr_stream *xdr, const struct iattr *iap, const
 				len, ((char *)p - (char *)q) + 4);
 		BUG();
 	}
-	len = (char *)p - (char *)q - 12;
+	len = (char *)p - (char *)q - 16;
 	*q++ = htonl(bmval0);
 	*q++ = htonl(bmval1);
+	*q++ = htonl(bmval2);
 	*q = htonl(len);
 
 /* out: */
@@ -1191,8 +1193,10 @@ encode_getattr_three(struct xdr_stream *xdr,
 
 static void encode_getfattr(struct xdr_stream *xdr, const u32* bitmask, struct compound_hdr *hdr)
 {
-	encode_getattr_two(xdr, bitmask[0] & nfs4_fattr_bitmap[0],
-			   bitmask[1] & nfs4_fattr_bitmap[1], hdr);
+	encode_getattr_three(xdr, bitmask[0] & nfs4_fattr_bitmap[0],
+			   bitmask[1] & nfs4_fattr_bitmap[1],
+			   bitmask[2] & nfs4_fattr_bitmap[2],
+			   hdr);
 }
 
 static void encode_getfattr_open(struct xdr_stream *xdr, const u32 *bitmask,
diff --git a/fs/nfs/super.c b/fs/nfs/super.c
index ee07a08..f4e13c3 100644
--- a/fs/nfs/super.c
+++ b/fs/nfs/super.c
@@ -826,6 +826,7 @@ int nfs_show_stats(struct seq_file *m, struct dentry *root)
 		seq_printf(m, "\n\tnfsv4:\t");
 		seq_printf(m, "bm0=0x%x", nfss->attr_bitmask[0]);
 		seq_printf(m, ",bm1=0x%x", nfss->attr_bitmask[1]);
+		seq_printf(m, ",bm2=0x%x", nfss->attr_bitmask[2]);
 		seq_printf(m, ",acl=0x%x", nfss->acl_bitmask);
 		show_sessions(m, nfss);
 		show_pnfs(m, nfss);
diff --git a/include/linux/nfs_fs_sb.h b/include/linux/nfs_fs_sb.h
index a794715..383fe9c 100644
--- a/include/linux/nfs_fs_sb.h
+++ b/include/linux/nfs_fs_sb.h
@@ -145,7 +145,7 @@ struct nfs_server {
 	u32			attr_bitmask[3];/* V4 bitmask representing the set
 						   of attributes supported on this
 						   filesystem */
-	u32			cache_consistency_bitmask[2];
+	u32			cache_consistency_bitmask[3];
 						/* V4 bitmask representing the subset
 						   of change attribute, size, ctime
 						   and mtime attributes supported by
-- 
1.7.11.7

[PATCH 08/13] NFSv4: Extend fattr bitmaps to support all 3 words

[David Quigley]

From: David Quigley <dpquigl@davequigley.com>

The fattr handling bitmap code only uses the first two fattr words sofar. This
patch adds the 3rd word to being sent but doesn't populate it yet.

Signed-off-by: Miguel Rodel Felipe <Rodel_FM@dsi.a-star.edu.sg>
Signed-off-by: Phua Eu Gene <PHUA_Eu_Gene@dsi.a-star.edu.sg>
Signed-off-by: Khin Mi Mi Aung <Mi_Mi_AUNG@dsi.a-star.edu.sg>
Signed-off-by: David Quigley <dpquigl@davequigley.com>
---
 fs/nfs/nfs4_fs.h          |  6 +++---
 fs/nfs/nfs4proc.c         | 20 +++++++++++++-------
 fs/nfs/nfs4xdr.c          | 20 ++++++++++++--------
 fs/nfs/super.c            |  1 +
 include/linux/nfs_fs_sb.h |  2 +-
 5 files changed, 30 insertions(+), 19 deletions(-)

diff --git a/fs/nfs/nfs4_fs.h b/fs/nfs/nfs4_fs.h
index a525fde..f15015a 100644
--- a/fs/nfs/nfs4_fs.h
+++ b/fs/nfs/nfs4_fs.h
@@ -304,10 +304,10 @@ is_ds_client(struct nfs_client *clp)
 extern const struct nfs4_minor_version_ops *nfs_v4_minor_ops[];
 
 extern const u32 nfs4_fattr_bitmap[3];
-extern const u32 nfs4_statfs_bitmap[2];
-extern const u32 nfs4_pathconf_bitmap[2];
+extern const u32 nfs4_statfs_bitmap[3];
+extern const u32 nfs4_pathconf_bitmap[3];
 extern const u32 nfs4_fsinfo_bitmap[3];
-extern const u32 nfs4_fs_locations_bitmap[2];
+extern const u32 nfs4_fs_locations_bitmap[3];
 
 void nfs4_free_client(struct nfs_client *);
 
diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
index 68b21d8..3c49f3e 100644
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -131,7 +131,8 @@ const u32 nfs4_fattr_bitmap[3] = {
 	| FATTR4_WORD1_SPACE_USED
 	| FATTR4_WORD1_TIME_ACCESS
 	| FATTR4_WORD1_TIME_METADATA
-	| FATTR4_WORD1_TIME_MODIFY
+	| FATTR4_WORD1_TIME_MODIFY,
+	0
 };
 
 static const u32 nfs4_pnfs_open_bitmap[3] = {
@@ -158,18 +159,20 @@ static const u32 nfs4_open_noattr_bitmap[3] = {
 	| FATTR4_WORD0_FILEID,
 };
 
-const u32 nfs4_statfs_bitmap[2] = {
+const u32 nfs4_statfs_bitmap[3] = {
 	FATTR4_WORD0_FILES_AVAIL
 	| FATTR4_WORD0_FILES_FREE
 	| FATTR4_WORD0_FILES_TOTAL,
 	FATTR4_WORD1_SPACE_AVAIL
 	| FATTR4_WORD1_SPACE_FREE
-	| FATTR4_WORD1_SPACE_TOTAL
+	| FATTR4_WORD1_SPACE_TOTAL,
+	0
 };
 
-const u32 nfs4_pathconf_bitmap[2] = {
+const u32 nfs4_pathconf_bitmap[3] = {
 	FATTR4_WORD0_MAXLINK
 	| FATTR4_WORD0_MAXNAME,
+	0,
 	0
 };
 
@@ -182,7 +185,7 @@ const u32 nfs4_fsinfo_bitmap[3] = { FATTR4_WORD0_MAXFILESIZE
 			FATTR4_WORD2_LAYOUT_BLKSIZE
 };
 
-const u32 nfs4_fs_locations_bitmap[2] = {
+const u32 nfs4_fs_locations_bitmap[3] = {
 	FATTR4_WORD0_TYPE
 	| FATTR4_WORD0_CHANGE
 	| FATTR4_WORD0_SIZE
@@ -198,7 +201,8 @@ const u32 nfs4_fs_locations_bitmap[2] = {
 	| FATTR4_WORD1_TIME_ACCESS
 	| FATTR4_WORD1_TIME_METADATA
 	| FATTR4_WORD1_TIME_MODIFY
-	| FATTR4_WORD1_MOUNTED_ON_FILEID
+	| FATTR4_WORD1_MOUNTED_ON_FILEID,
+	0
 };
 
 static void nfs4_setup_readdir(u64 cookie, __be32 *verifier, struct dentry *dentry,
@@ -5211,8 +5215,10 @@ static int _nfs4_proc_fs_locations(struct rpc_clnt *client, struct inode *dir,
 				   struct page *page)
 {
 	struct nfs_server *server = NFS_SERVER(dir);
-	u32 bitmask[2] = {
+	u32 bitmask[3] = {
 		[0] = FATTR4_WORD0_FSID | FATTR4_WORD0_FS_LOCATIONS,
+		[1] = 0,
+		[2] = 0
 	};
 	struct nfs4_fs_locations_arg args = {
 		.dir_fh = NFS_FH(dir),
diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c
index 40836ee..146d4d3 100644
--- a/fs/nfs/nfs4xdr.c
+++ b/fs/nfs/nfs4xdr.c
@@ -980,15 +980,16 @@ static void encode_attrs(struct xdr_stream *xdr, const struct iattr *iap, const
 	int len;
 	uint32_t bmval0 = 0;
 	uint32_t bmval1 = 0;
+	uint32_t bmval2 = 0;
 
 	/*
 	 * We reserve enough space to write the entire attribute buffer at once.
 	 * In the worst-case, this would be
-	 *   12(bitmap) + 4(attrlen) + 8(size) + 4(mode) + 4(atime) + 4(mtime)
-	 *          = 36 bytes, plus any contribution from variable-length fields
+	 * 16(bitmap) + 4(attrlen) + 8(size) + 4(mode) + 4(atime) + 4(mtime)
+	 * = 40 bytes, plus any contribution from variable-length fields
 	 *            such as owner/group.
 	 */
-	len = 16;
+	len = 20;
 
 	/* Sigh */
 	if (iap->ia_valid & ATTR_SIZE)
@@ -1032,9 +1033,9 @@ static void encode_attrs(struct xdr_stream *xdr, const struct iattr *iap, const
 	 * We write the bitmap length now, but leave the bitmap and the attribute
 	 * buffer length to be backfilled at the end of this routine.
 	 */
-	*p++ = cpu_to_be32(2);
+	*p++ = cpu_to_be32(3);
 	q = p;
-	p += 3;
+	p += 4;
 
 	if (iap->ia_valid & ATTR_SIZE) {
 		bmval0 |= FATTR4_WORD0_SIZE;
@@ -1083,9 +1084,10 @@ static void encode_attrs(struct xdr_stream *xdr, const struct iattr *iap, const
 				len, ((char *)p - (char *)q) + 4);
 		BUG();
 	}
-	len = (char *)p - (char *)q - 12;
+	len = (char *)p - (char *)q - 16;
 	*q++ = htonl(bmval0);
 	*q++ = htonl(bmval1);
+	*q++ = htonl(bmval2);
 	*q = htonl(len);
 
 /* out: */
@@ -1191,8 +1193,10 @@ encode_getattr_three(struct xdr_stream *xdr,
 
 static void encode_getfattr(struct xdr_stream *xdr, const u32* bitmask, struct compound_hdr *hdr)
 {
-	encode_getattr_two(xdr, bitmask[0] & nfs4_fattr_bitmap[0],
-			   bitmask[1] & nfs4_fattr_bitmap[1], hdr);
+	encode_getattr_three(xdr, bitmask[0] & nfs4_fattr_bitmap[0],
+			   bitmask[1] & nfs4_fattr_bitmap[1],
+			   bitmask[2] & nfs4_fattr_bitmap[2],
+			   hdr);
 }
 
 static void encode_getfattr_open(struct xdr_stream *xdr, const u32 *bitmask,
diff --git a/fs/nfs/super.c b/fs/nfs/super.c
index ee07a08..f4e13c3 100644
--- a/fs/nfs/super.c
+++ b/fs/nfs/super.c
@@ -826,6 +826,7 @@ int nfs_show_stats(struct seq_file *m, struct dentry *root)
 		seq_printf(m, "\n\tnfsv4:\t");
 		seq_printf(m, "bm0=0x%x", nfss->attr_bitmask[0]);
 		seq_printf(m, ",bm1=0x%x", nfss->attr_bitmask[1]);
+		seq_printf(m, ",bm2=0x%x", nfss->attr_bitmask[2]);
 		seq_printf(m, ",acl=0x%x", nfss->acl_bitmask);
 		show_sessions(m, nfss);
 		show_pnfs(m, nfss);
diff --git a/include/linux/nfs_fs_sb.h b/include/linux/nfs_fs_sb.h
index a794715..383fe9c 100644
--- a/include/linux/nfs_fs_sb.h
+++ b/include/linux/nfs_fs_sb.h
@@ -145,7 +145,7 @@ struct nfs_server {
 	u32			attr_bitmask[3];/* V4 bitmask representing the set
 						   of attributes supported on this
 						   filesystem */
-	u32			cache_consistency_bitmask[2];
+	u32			cache_consistency_bitmask[3];
 						/* V4 bitmask representing the subset
 						   of change attribute, size, ctime
 						   and mtime attributes supported by
-- 
1.7.11.7


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[PATCH 09/13] NFS:Add labels to client function prototypes

[David Quigley]

>From David Quigley <dpquigl@davequigley.com>

After looking at all of the nfsv4 operations the label structure has been added
to the prototypes of the functions which can transmit label data.


Signed-off-by: Matthew N. Dodd <Matthew.Dodd@sparta.com>
Signed-off-by: Miguel Rodel Felipe <Rodel_FM@dsi.a-star.edu.sg>
Signed-off-by: Phua Eu Gene <PHUA_Eu_Gene@dsi.a-star.edu.sg>
Signed-off-by: Khin Mi Mi Aung <Mi_Mi_AUNG@dsi.a-star.edu.sg>
Signed-off-by: David Quigley <dpquigl@davequigley.com>
---
 fs/nfs/client.c         |   2 +-
 fs/nfs/dir.c            |  23 ++++++----
 fs/nfs/getroot.c        |   3 +-
 fs/nfs/inode.c          |  33 +++++++-------
 fs/nfs/namespace.c      |   2 +-
 fs/nfs/nfs3acl.c        |   4 +-
 fs/nfs/nfs3proc.c       |  41 +++++++++--------
 fs/nfs/nfs4_fs.h        |   2 +-
 fs/nfs/nfs4namespace.c  |   2 +-
 fs/nfs/nfs4proc.c       | 118 +++++++++++++++++++++++++++++++-----------------
 fs/nfs/proc.c           |  15 +++---
 include/linux/nfs_fs.h  |   9 ++--
 include/linux/nfs_xdr.h |   5 +-
 13 files changed, 151 insertions(+), 108 deletions(-)

diff --git a/fs/nfs/client.c b/fs/nfs/client.c
index 8b39a42..ecc7419 100644
--- a/fs/nfs/client.c
+++ b/fs/nfs/client.c
@@ -1080,7 +1080,7 @@ struct nfs_server *nfs_create_server(struct nfs_mount_info *mount_info,
 	}
 
 	if (!(fattr->valid & NFS_ATTR_FATTR)) {
-		error = nfs_mod->rpc_ops->getattr(server, mount_info->mntfh, fattr);
+		error = nfs_mod->rpc_ops->getattr(server, mount_info->mntfh, fattr, NULL);
 		if (error < 0) {
 			dprintk("nfs_create_server: getattr error = %d\n", -error);
 			goto error;
diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c
index ce8cb92..1339e44 100644
--- a/fs/nfs/dir.c
+++ b/fs/nfs/dir.c
@@ -447,7 +447,7 @@ void nfs_prime_dcache(struct dentry *parent, struct nfs_entry *entry)
 	dentry = d_lookup(parent, &filename);
 	if (dentry != NULL) {
 		if (nfs_same_file(dentry, entry)) {
-			nfs_refresh_inode(dentry->d_inode, entry->fattr);
+			nfs_refresh_inode(dentry->d_inode, entry->fattr, entry->label);
 			goto out;
 		} else {
 			d_drop(dentry);
@@ -459,7 +459,7 @@ void nfs_prime_dcache(struct dentry *parent, struct nfs_entry *entry)
 	if (dentry == NULL)
 		return;
 
-	inode = nfs_fhget(dentry->d_sb, entry->fh, entry->fattr);
+	inode = nfs_fhget(dentry->d_sb, entry->fh, entry->fattr, entry->label);
 	if (IS_ERR(inode))
 		goto out;
 
@@ -1034,6 +1034,7 @@ static int nfs_lookup_revalidate(struct dentry *dentry, unsigned int flags)
 	struct dentry *parent;
 	struct nfs_fh *fhandle = NULL;
 	struct nfs_fattr *fattr = NULL;
+	struct nfs4_label *label = NULL;
 	int error;
 
 	if (flags & LOOKUP_RCU)
@@ -1076,12 +1077,12 @@ static int nfs_lookup_revalidate(struct dentry *dentry, unsigned int flags)
 	if (fhandle == NULL || fattr == NULL)
 		goto out_error;
 
-	error = NFS_PROTO(dir)->lookup(dir, &dentry->d_name, fhandle, fattr);
+	error = NFS_PROTO(dir)->lookup(dir, &dentry->d_name, fhandle, fattr, label);
 	if (error)
 		goto out_bad;
 	if (nfs_compare_fh(NFS_FH(inode), fhandle))
 		goto out_bad;
-	if ((error = nfs_refresh_inode(inode, fattr)) != 0)
+	if ((error = nfs_refresh_inode(inode, fattr, label)) != 0)
 		goto out_bad;
 
 	nfs_free_fattr(fattr);
@@ -1207,6 +1208,7 @@ struct dentry *nfs_lookup(struct inode *dir, struct dentry * dentry, unsigned in
 	struct inode *inode = NULL;
 	struct nfs_fh *fhandle = NULL;
 	struct nfs_fattr *fattr = NULL;
+	struct nfs4_label *label = NULL;
 	int error;
 
 	dfprintk(VFS, "NFS: lookup(%s/%s)\n",
@@ -1236,14 +1238,14 @@ struct dentry *nfs_lookup(struct inode *dir, struct dentry * dentry, unsigned in
 	parent = dentry->d_parent;
 	/* Protect against concurrent sillydeletes */
 	nfs_block_sillyrename(parent);
-	error = NFS_PROTO(dir)->lookup(dir, &dentry->d_name, fhandle, fattr);
+	error = NFS_PROTO(dir)->lookup(dir, &dentry->d_name, fhandle, fattr, label);
 	if (error == -ENOENT)
 		goto no_entry;
 	if (error < 0) {
 		res = ERR_PTR(error);
 		goto out_unblock_sillyrename;
 	}
-	inode = nfs_fhget(dentry->d_sb, fhandle, fattr);
+	inode = nfs_fhget(dentry->d_sb, fhandle, fattr, label);
 	res = ERR_CAST(inode);
 	if (IS_ERR(res))
 		goto out_unblock_sillyrename;
@@ -1477,7 +1479,8 @@ no_open:
  * Code common to create, mkdir, and mknod.
  */
 int nfs_instantiate(struct dentry *dentry, struct nfs_fh *fhandle,
-				struct nfs_fattr *fattr)
+				struct nfs_fattr *fattr,
+				struct nfs4_label *label)
 {
 	struct dentry *parent = dget_parent(dentry);
 	struct inode *dir = parent->d_inode;
@@ -1490,18 +1493,18 @@ int nfs_instantiate(struct dentry *dentry, struct nfs_fh *fhandle,
 	if (dentry->d_inode)
 		goto out;
 	if (fhandle->size == 0) {
-		error = NFS_PROTO(dir)->lookup(dir, &dentry->d_name, fhandle, fattr);
+		error = NFS_PROTO(dir)->lookup(dir, &dentry->d_name, fhandle, fattr, NULL);
 		if (error)
 			goto out_error;
 	}
 	nfs_set_verifier(dentry, nfs_save_change_attribute(dir));
 	if (!(fattr->valid & NFS_ATTR_FATTR)) {
 		struct nfs_server *server = NFS_SB(dentry->d_sb);
-		error = server->nfs_client->rpc_ops->getattr(server, fhandle, fattr);
+		error = server->nfs_client->rpc_ops->getattr(server, fhandle, fattr, NULL);
 		if (error < 0)
 			goto out_error;
 	}
-	inode = nfs_fhget(dentry->d_sb, fhandle, fattr);
+	inode = nfs_fhget(dentry->d_sb, fhandle, fattr, label);
 	error = PTR_ERR(inode);
 	if (IS_ERR(inode))
 		goto out_error;
diff --git a/fs/nfs/getroot.c b/fs/nfs/getroot.c
index 033803c..3b68bb6 100644
--- a/fs/nfs/getroot.c
+++ b/fs/nfs/getroot.c
@@ -75,6 +75,7 @@ struct dentry *nfs_get_root(struct super_block *sb, struct nfs_fh *mntfh,
 	struct nfs_fsinfo fsinfo;
 	struct dentry *ret;
 	struct inode *inode;
+	struct nfs4_label *label = NULL;
 	void *name = kstrdup(devname, GFP_KERNEL);
 	int error;
 
@@ -95,7 +96,7 @@ struct dentry *nfs_get_root(struct super_block *sb, struct nfs_fh *mntfh,
 		goto out;
 	}
 
-	inode = nfs_fhget(sb, mntfh, fsinfo.fattr);
+	inode = nfs_fhget(sb, mntfh, fsinfo.fattr, NULL);
 	if (IS_ERR(inode)) {
 		dprintk("nfs_get_root: get root inode failed\n");
 		ret = ERR_CAST(inode);
diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c
index 0963ad9..daca08c 100644
--- a/fs/nfs/inode.c
+++ b/fs/nfs/inode.c
@@ -61,7 +61,7 @@
 static bool enable_ino64 = NFS_64_BIT_INODE_NUMBERS_ENABLED;
 
 static void nfs_invalidate_inode(struct inode *);
-static int nfs_update_inode(struct inode *, struct nfs_fattr *);
+static int nfs_update_inode(struct inode *, struct nfs_fattr *, struct nfs4_label *);
 
 static struct kmem_cache * nfs_inode_cachep;
 
@@ -291,7 +291,7 @@ EXPORT_SYMBOL_GPL(nfs4_label_free);
  * instead of inode number.
  */
 struct inode *
-nfs_fhget(struct super_block *sb, struct nfs_fh *fh, struct nfs_fattr *fattr)
+nfs_fhget(struct super_block *sb, struct nfs_fh *fh, struct nfs_fattr *fattr, struct nfs4_label *label)
 {
 	struct nfs_find_desc desc = {
 		.fh	= fh,
@@ -421,7 +421,7 @@ nfs_fhget(struct super_block *sb, struct nfs_fh *fh, struct nfs_fattr *fattr)
 
 		unlock_new_inode(inode);
 	} else
-		nfs_refresh_inode(inode, fattr);
+		nfs_refresh_inode(inode, fattr, label);
 	dprintk("NFS: nfs_fhget(%s/%Ld fh_crc=0x%08x ct=%d)\n",
 		inode->i_sb->s_id,
 		(long long)NFS_FILEID(inode),
@@ -478,7 +478,7 @@ nfs_setattr(struct dentry *dentry, struct iattr *attr)
 		NFS_PROTO(inode)->return_delegation(inode);
 	error = NFS_PROTO(inode)->setattr(dentry, fattr, attr);
 	if (error == 0)
-		nfs_refresh_inode(inode, fattr);
+		nfs_refresh_inode(inode, fattr, NULL);
 	nfs_free_fattr(fattr);
 out:
 	return error;
@@ -817,6 +817,7 @@ int
 __nfs_revalidate_inode(struct nfs_server *server, struct inode *inode)
 {
 	int		 status = -ESTALE;
+	struct nfs4_label *label = NULL;
 	struct nfs_fattr *fattr = NULL;
 	struct nfs_inode *nfsi = NFS_I(inode);
 
@@ -834,7 +835,7 @@ __nfs_revalidate_inode(struct nfs_server *server, struct inode *inode)
 		goto out;
 
 	nfs_inc_stats(inode, NFSIOS_INODEREVALIDATE);
-	status = NFS_PROTO(inode)->getattr(server, NFS_FH(inode), fattr);
+	status = NFS_PROTO(inode)->getattr(server, NFS_FH(inode), fattr, label);
 	if (status != 0) {
 		dfprintk(PAGECACHE, "nfs_revalidate_inode: (%s/%Ld) getattr failed, error=%d\n",
 			 inode->i_sb->s_id,
@@ -847,7 +848,7 @@ __nfs_revalidate_inode(struct nfs_server *server, struct inode *inode)
 		goto out;
 	}
 
-	status = nfs_refresh_inode(inode, fattr);
+	status = nfs_refresh_inode(inode, fattr, label);
 	if (status) {
 		dfprintk(PAGECACHE, "nfs_revalidate_inode: (%s/%Ld) refresh failed, error=%d\n",
 			 inode->i_sb->s_id,
@@ -1200,10 +1201,10 @@ static int nfs_inode_attrs_need_update(const struct inode *inode, const struct n
 		((long)nfsi->attr_gencount - (long)nfs_read_attr_generation_counter() > 0);
 }
 
-static int nfs_refresh_inode_locked(struct inode *inode, struct nfs_fattr *fattr)
+static int nfs_refresh_inode_locked(struct inode *inode, struct nfs_fattr *fattr, struct nfs4_label *label)
 {
 	if (nfs_inode_attrs_need_update(inode, fattr))
-		return nfs_update_inode(inode, fattr);
+		return nfs_update_inode(inode, fattr, label);
 	return nfs_check_inode_attributes(inode, fattr);
 }
 
@@ -1217,21 +1218,21 @@ static int nfs_refresh_inode_locked(struct inode *inode, struct nfs_fattr *fattr
  * safe to do a full update of the inode attributes, or whether just to
  * call nfs_check_inode_attributes.
  */
-int nfs_refresh_inode(struct inode *inode, struct nfs_fattr *fattr)
+int nfs_refresh_inode(struct inode *inode, struct nfs_fattr *fattr, struct nfs4_label *label)
 {
 	int status;
 
 	if ((fattr->valid & NFS_ATTR_FATTR) == 0)
 		return 0;
 	spin_lock(&inode->i_lock);
-	status = nfs_refresh_inode_locked(inode, fattr);
+	status = nfs_refresh_inode_locked(inode, fattr, label);
 	spin_unlock(&inode->i_lock);
 
 	return status;
 }
 EXPORT_SYMBOL_GPL(nfs_refresh_inode);
 
-static int nfs_post_op_update_inode_locked(struct inode *inode, struct nfs_fattr *fattr)
+static int nfs_post_op_update_inode_locked(struct inode *inode, struct nfs_fattr *fattr, struct nfs4_label *label)
 {
 	struct nfs_inode *nfsi = NFS_I(inode);
 
@@ -1240,7 +1241,7 @@ static int nfs_post_op_update_inode_locked(struct inode *inode, struct nfs_fattr
 		nfsi->cache_validity |= NFS_INO_INVALID_DATA;
 	if ((fattr->valid & NFS_ATTR_FATTR) == 0)
 		return 0;
-	return nfs_refresh_inode_locked(inode, fattr);
+	return nfs_refresh_inode_locked(inode, fattr, label);
 }
 
 /**
@@ -1257,12 +1258,12 @@ static int nfs_post_op_update_inode_locked(struct inode *inode, struct nfs_fattr
  * are expected to change one or more attributes, to avoid
  * unnecessary NFS requests and trips through nfs_update_inode().
  */
-int nfs_post_op_update_inode(struct inode *inode, struct nfs_fattr *fattr)
+int nfs_post_op_update_inode(struct inode *inode, struct nfs_fattr *fattr, struct nfs4_label *label)
 {
 	int status;
 
 	spin_lock(&inode->i_lock);
-	status = nfs_post_op_update_inode_locked(inode, fattr);
+	status = nfs_post_op_update_inode_locked(inode, fattr, label);
 	spin_unlock(&inode->i_lock);
 	return status;
 }
@@ -1314,7 +1315,7 @@ int nfs_post_op_update_inode_force_wcc(struct inode *inode, struct nfs_fattr *fa
 		fattr->valid |= NFS_ATTR_FATTR_PRESIZE;
 	}
 out_noforce:
-	status = nfs_post_op_update_inode_locked(inode, fattr);
+	status = nfs_post_op_update_inode_locked(inode, fattr, NULL);
 	spin_unlock(&inode->i_lock);
 	return status;
 }
@@ -1332,7 +1333,7 @@ EXPORT_SYMBOL_GPL(nfs_post_op_update_inode_force_wcc);
  *
  * A very similar scenario holds for the dir cache.
  */
-static int nfs_update_inode(struct inode *inode, struct nfs_fattr *fattr)
+static int nfs_update_inode(struct inode *inode, struct nfs_fattr *fattr, struct nfs4_label *label)
 {
 	struct nfs_server *server;
 	struct nfs_inode *nfsi = NFS_I(inode);
diff --git a/fs/nfs/namespace.c b/fs/nfs/namespace.c
index 6559253..25747d2 100644
--- a/fs/nfs/namespace.c
+++ b/fs/nfs/namespace.c
@@ -251,7 +251,7 @@ struct vfsmount *nfs_submount(struct nfs_server *server, struct dentry *dentry,
 	struct dentry *parent = dget_parent(dentry);
 
 	/* Look it up again to get its attributes */
-	err = server->nfs_client->rpc_ops->lookup(parent->d_inode, &dentry->d_name, fh, fattr);
+	err = server->nfs_client->rpc_ops->lookup(parent->d_inode, &dentry->d_name, fh, fattr, NULL);
 	dput(parent);
 	if (err != 0)
 		return ERR_PTR(err);
diff --git a/fs/nfs/nfs3acl.c b/fs/nfs/nfs3acl.c
index 4a1aafb..1a2f11b 100644
--- a/fs/nfs/nfs3acl.c
+++ b/fs/nfs/nfs3acl.c
@@ -240,7 +240,7 @@ struct posix_acl *nfs3_proc_getacl(struct inode *inode, int type)
 
 	switch (status) {
 		case 0:
-			status = nfs_refresh_inode(inode, res.fattr);
+			status = nfs_refresh_inode(inode, res.fattr, NULL);
 			break;
 		case -EPFNOSUPPORT:
 		case -EPROTONOSUPPORT:
@@ -352,7 +352,7 @@ static int nfs3_proc_setacls(struct inode *inode, struct posix_acl *acl,
 
 	switch (status) {
 		case 0:
-			status = nfs_refresh_inode(inode, fattr);
+			status = nfs_refresh_inode(inode, fattr, NULL);
 			nfs3_cache_acls(inode, acl, dfacl);
 			break;
 		case -EPFNOSUPPORT:
diff --git a/fs/nfs/nfs3proc.c b/fs/nfs/nfs3proc.c
index 6932209..c2aaca7 100644
--- a/fs/nfs/nfs3proc.c
+++ b/fs/nfs/nfs3proc.c
@@ -98,7 +98,7 @@ nfs3_proc_get_root(struct nfs_server *server, struct nfs_fh *fhandle,
  */
 static int
 nfs3_proc_getattr(struct nfs_server *server, struct nfs_fh *fhandle,
-		struct nfs_fattr *fattr)
+		struct nfs_fattr *fattr, struct nfs4_label *label)
 {
 	struct rpc_message msg = {
 		.rpc_proc	= &nfs3_procedures[NFS3PROC_GETATTR],
@@ -143,7 +143,8 @@ nfs3_proc_setattr(struct dentry *dentry, struct nfs_fattr *fattr,
 
 static int
 nfs3_proc_lookup(struct inode *dir, struct qstr *name,
-		 struct nfs_fh *fhandle, struct nfs_fattr *fattr)
+		 struct nfs_fh *fhandle, struct nfs_fattr *fattr,
+		 struct nfs4_label *label)
 {
 	struct nfs3_diropargs	arg = {
 		.fh		= NFS_FH(dir),
@@ -168,7 +169,7 @@ nfs3_proc_lookup(struct inode *dir, struct qstr *name,
 
 	nfs_fattr_init(fattr);
 	status = rpc_call_sync(NFS_CLIENT(dir), &msg, 0);
-	nfs_refresh_inode(dir, res.dir_attr);
+	nfs_refresh_inode(dir, res.dir_attr, NULL);
 	if (status >= 0 && !(fattr->valid & NFS_ATTR_FATTR)) {
 		msg.rpc_proc = &nfs3_procedures[NFS3PROC_GETATTR];
 		msg.rpc_argp = fhandle;
@@ -216,7 +217,7 @@ static int nfs3_proc_access(struct inode *inode, struct nfs_access_entry *entry)
 		goto out;
 
 	status = rpc_call_sync(NFS_CLIENT(inode), &msg, 0);
-	nfs_refresh_inode(inode, res.fattr);
+	nfs_refresh_inode(inode, res.fattr, NULL);
 	if (status == 0) {
 		entry->mask = 0;
 		if (res.access & NFS3_ACCESS_READ)
@@ -255,7 +256,7 @@ static int nfs3_proc_readlink(struct inode *inode, struct page *page,
 	msg.rpc_resp = fattr;
 
 	status = rpc_call_sync(NFS_CLIENT(inode), &msg, 0);
-	nfs_refresh_inode(inode, fattr);
+	nfs_refresh_inode(inode, fattr, NULL);
 	nfs_free_fattr(fattr);
 out:
 	dprintk("NFS reply readlink: %d\n", status);
@@ -298,9 +299,9 @@ static int nfs3_do_create(struct inode *dir, struct dentry *dentry, struct nfs3_
 	int status;
 
 	status = rpc_call_sync(NFS_CLIENT(dir), &data->msg, 0);
-	nfs_post_op_update_inode(dir, data->res.dir_attr);
+	nfs_post_op_update_inode(dir, data->res.dir_attr, NULL);
 	if (status == 0)
-		status = nfs_instantiate(dentry, data->res.fh, data->res.fattr);
+		status = nfs_instantiate(dentry, data->res.fh, data->res.fattr, NULL);
 	return status;
 }
 
@@ -381,7 +382,7 @@ nfs3_proc_create(struct inode *dir, struct dentry *dentry, struct iattr *sattr,
 		 * not sure this buys us anything (and I'd have
 		 * to revamp the NFSv3 XDR code) */
 		status = nfs3_proc_setattr(dentry, data->res.fattr, sattr);
-		nfs_post_op_update_inode(dentry->d_inode, data->res.fattr);
+		nfs_post_op_update_inode(dentry->d_inode, data->res.fattr, NULL);
 		dprintk("NFS reply setattr (post-create): %d\n", status);
 		if (status != 0)
 			goto out;
@@ -414,7 +415,7 @@ nfs3_proc_remove(struct inode *dir, struct qstr *name)
 		goto out;
 
 	status = rpc_call_sync(NFS_CLIENT(dir), &msg, 0);
-	nfs_post_op_update_inode(dir, res.dir_attr);
+	nfs_post_op_update_inode(dir, res.dir_attr, NULL);
 	nfs_free_fattr(res.dir_attr);
 out:
 	dprintk("NFS reply remove: %d\n", status);
@@ -439,7 +440,7 @@ nfs3_proc_unlink_done(struct rpc_task *task, struct inode *dir)
 	if (nfs3_async_handle_jukebox(task, dir))
 		return 0;
 	res = task->tk_msg.rpc_resp;
-	nfs_post_op_update_inode(dir, res->dir_attr);
+	nfs_post_op_update_inode(dir, res->dir_attr, NULL);
 	return 1;
 }
 
@@ -464,8 +465,8 @@ nfs3_proc_rename_done(struct rpc_task *task, struct inode *old_dir,
 		return 0;
 	res = task->tk_msg.rpc_resp;
 
-	nfs_post_op_update_inode(old_dir, res->old_fattr);
-	nfs_post_op_update_inode(new_dir, res->new_fattr);
+	nfs_post_op_update_inode(old_dir, res->old_fattr, NULL);
+	nfs_post_op_update_inode(new_dir, res->new_fattr, NULL);
 	return 1;
 }
 
@@ -495,8 +496,8 @@ nfs3_proc_rename(struct inode *old_dir, struct qstr *old_name,
 		goto out;
 
 	status = rpc_call_sync(NFS_CLIENT(old_dir), &msg, 0);
-	nfs_post_op_update_inode(old_dir, res.old_fattr);
-	nfs_post_op_update_inode(new_dir, res.new_fattr);
+	nfs_post_op_update_inode(old_dir, res.old_fattr, NULL);
+	nfs_post_op_update_inode(new_dir, res.new_fattr, NULL);
 out:
 	nfs_free_fattr(res.old_fattr);
 	nfs_free_fattr(res.new_fattr);
@@ -528,8 +529,8 @@ nfs3_proc_link(struct inode *inode, struct inode *dir, struct qstr *name)
 		goto out;
 
 	status = rpc_call_sync(NFS_CLIENT(inode), &msg, 0);
-	nfs_post_op_update_inode(dir, res.dir_attr);
-	nfs_post_op_update_inode(inode, res.fattr);
+	nfs_post_op_update_inode(dir, res.dir_attr, NULL);
+	nfs_post_op_update_inode(inode, res.fattr, NULL);
 out:
 	nfs_free_fattr(res.dir_attr);
 	nfs_free_fattr(res.fattr);
@@ -622,7 +623,7 @@ nfs3_proc_rmdir(struct inode *dir, struct qstr *name)
 
 	msg.rpc_resp = dir_attr;
 	status = rpc_call_sync(NFS_CLIENT(dir), &msg, 0);
-	nfs_post_op_update_inode(dir, dir_attr);
+	nfs_post_op_update_inode(dir, dir_attr, NULL);
 	nfs_free_fattr(dir_attr);
 out:
 	dprintk("NFS reply rmdir: %d\n", status);
@@ -677,7 +678,7 @@ nfs3_proc_readdir(struct dentry *dentry, struct rpc_cred *cred,
 	status = rpc_call_sync(NFS_CLIENT(dir), &msg, 0);
 
 	nfs_invalidate_atime(dir);
-	nfs_refresh_inode(dir, res.dir_attr);
+	nfs_refresh_inode(dir, res.dir_attr, NULL);
 
 	nfs_free_fattr(res.dir_attr);
 out:
@@ -816,7 +817,7 @@ static int nfs3_read_done(struct rpc_task *task, struct nfs_read_data *data)
 		return -EAGAIN;
 
 	nfs_invalidate_atime(inode);
-	nfs_refresh_inode(inode, &data->fattr);
+	nfs_refresh_inode(inode, &data->fattr, NULL);
 	return 0;
 }
 
@@ -860,7 +861,7 @@ static int nfs3_commit_done(struct rpc_task *task, struct nfs_commit_data *data)
 {
 	if (nfs3_async_handle_jukebox(task, data->inode))
 		return -EAGAIN;
-	nfs_refresh_inode(data->inode, data->res.fattr);
+	nfs_refresh_inode(data->inode, data->res.fattr, NULL);
 	return 0;
 }
 
diff --git a/fs/nfs/nfs4_fs.h b/fs/nfs/nfs4_fs.h
index f15015a..c97c6837 100644
--- a/fs/nfs/nfs4_fs.h
+++ b/fs/nfs/nfs4_fs.h
@@ -230,7 +230,7 @@ extern int nfs4_server_capabilities(struct nfs_server *server, struct nfs_fh *fh
 extern int nfs4_proc_fs_locations(struct rpc_clnt *, struct inode *, const struct qstr *,
 				  struct nfs4_fs_locations *, struct page *);
 extern struct rpc_clnt *nfs4_proc_lookup_mountpoint(struct inode *, struct qstr *,
-			    struct nfs_fh *, struct nfs_fattr *);
+			    struct nfs_fh *, struct nfs_fattr *, struct nfs4_label *);
 extern int nfs4_proc_secinfo(struct inode *, const struct qstr *, struct nfs4_secinfo_flavors *);
 extern int nfs4_release_lockowner(struct nfs4_lock_state *);
 extern const struct xattr_handler *nfs4_xattr_handlers[];
diff --git a/fs/nfs/nfs4namespace.c b/fs/nfs/nfs4namespace.c
index 79fbb61..f40cf63 100644
--- a/fs/nfs/nfs4namespace.c
+++ b/fs/nfs/nfs4namespace.c
@@ -367,7 +367,7 @@ struct vfsmount *nfs4_submount(struct nfs_server *server, struct dentry *dentry,
 	struct vfsmount *mnt;
 
 	/* Look it up again to get its attributes and sec flavor */
-	client = nfs4_proc_lookup_mountpoint(parent->d_inode, &dentry->d_name, fh, fattr);
+	client = nfs4_proc_lookup_mountpoint(parent->d_inode, &dentry->d_name, fh, fattr, NULL);
 	dput(parent);
 	if (IS_ERR(client))
 		return ERR_CAST(client);
diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
index 3c49f3e..8e0378c 100644
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -78,11 +78,12 @@ static int _nfs4_recover_proc_open(struct nfs4_opendata *data);
 static int nfs4_do_fsinfo(struct nfs_server *, struct nfs_fh *, struct nfs_fsinfo *);
 static int nfs4_async_handle_error(struct rpc_task *, const struct nfs_server *, struct nfs4_state *);
 static void nfs_fixup_referral_attributes(struct nfs_fattr *fattr);
-static int nfs4_proc_getattr(struct nfs_server *, struct nfs_fh *, struct nfs_fattr *);
-static int _nfs4_proc_getattr(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fattr *fattr);
+static int nfs4_proc_getattr(struct nfs_server *, struct nfs_fh *, struct nfs_fattr *, struct nfs4_label *label);
+static int _nfs4_proc_getattr(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fattr *fattr, struct nfs4_label *label);
 static int nfs4_do_setattr(struct inode *inode, struct rpc_cred *cred,
 			    struct nfs_fattr *fattr, struct iattr *sattr,
-			    struct nfs4_state *state);
+			    struct nfs4_state *state, struct nfs4_label *ilabel,
+			    struct nfs4_label *olabel);
 #ifdef CONFIG_NFS_V4_1
 static int nfs41_test_stateid(struct nfs_server *, nfs4_stateid *);
 static int nfs41_free_stateid(struct nfs_server *, nfs4_stateid *);
@@ -826,6 +827,7 @@ struct nfs4_opendata {
 	struct nfs4_string owner_name;
 	struct nfs4_string group_name;
 	struct nfs_fattr f_attr;
+	struct nfs4_label *f_label;
 	struct dentry *dir;
 	struct dentry *dentry;
 	struct nfs4_state_owner *owner;
@@ -841,6 +843,7 @@ struct nfs4_opendata {
 static void nfs4_init_opendata_res(struct nfs4_opendata *p)
 {
 	p->o_res.f_attr = &p->f_attr;
+	p->o_res.f_label = p->f_label;
 	p->o_res.seqid = p->o_arg.seqid;
 	p->c_res.seqid = p->c_arg.seqid;
 	p->o_res.server = p->o_arg.server;
@@ -851,7 +854,7 @@ static void nfs4_init_opendata_res(struct nfs4_opendata *p)
 
 static struct nfs4_opendata *nfs4_opendata_alloc(struct dentry *dentry,
 		struct nfs4_state_owner *sp, fmode_t fmode, int flags,
-		const struct iattr *attrs,
+		const struct iattr *attrs, struct nfs4_label *label,
 		gfp_t gfp_mask)
 {
 	struct dentry *parent = dget_parent(dentry);
@@ -889,6 +892,7 @@ static struct nfs4_opendata *nfs4_opendata_alloc(struct dentry *dentry,
 	p->o_arg.bitmask = server->attr_bitmask;
 	p->o_arg.open_bitmap = &nfs4_fattr_bitmap[0];
 	p->o_arg.claim = NFS4_OPEN_CLAIM_NULL;
+	p->o_arg.label = label;
 	if (attrs != NULL && attrs->ia_valid != 0) {
 		__be32 verf[2];
 
@@ -1190,7 +1194,7 @@ _nfs4_opendata_reclaim_to_nfs4_state(struct nfs4_opendata *data)
 	if (state == NULL)
 		goto err;
 
-	ret = nfs_refresh_inode(inode, &data->f_attr);
+	ret = nfs_refresh_inode(inode, &data->f_attr, data->f_label);
 	if (ret)
 		goto err;
 
@@ -1220,7 +1224,7 @@ _nfs4_opendata_to_nfs4_state(struct nfs4_opendata *data)
 	ret = -EAGAIN;
 	if (!(data->f_attr.valid & NFS_ATTR_FATTR))
 		goto err;
-	inode = nfs_fhget(data->dir->d_sb, &data->o_res.fh, &data->f_attr);
+	inode = nfs_fhget(data->dir->d_sb, &data->o_res.fh, &data->f_attr, data->f_label);
 	ret = PTR_ERR(inode);
 	if (IS_ERR(inode))
 		goto err;
@@ -1270,7 +1274,7 @@ static struct nfs4_opendata *nfs4_open_recoverdata_alloc(struct nfs_open_context
 {
 	struct nfs4_opendata *opendata;
 
-	opendata = nfs4_opendata_alloc(ctx->dentry, state->owner, 0, 0, NULL, GFP_NOFS);
+	opendata = nfs4_opendata_alloc(ctx->dentry, state->owner, 0, 0, NULL, NULL, GFP_NOFS);
 	if (opendata == NULL)
 		return ERR_PTR(-ENOMEM);
 	opendata->state = state;
@@ -1788,7 +1792,7 @@ static int _nfs4_proc_open(struct nfs4_opendata *data)
 			return status;
 	}
 	if (!(o_res->f_attr->valid & NFS_ATTR_FATTR))
-		_nfs4_proc_getattr(server, &o_res->fh, o_res->f_attr);
+		_nfs4_proc_getattr(server, &o_res->fh, o_res->f_attr, o_res->f_label);
 	return 0;
 }
 
@@ -1965,6 +1969,7 @@ static int _nfs4_do_open(struct inode *dir,
 			fmode_t fmode,
 			int flags,
 			struct iattr *sattr,
+			struct nfs4_label *label,
 			struct rpc_cred *cred,
 			struct nfs4_state **res,
 			struct nfs4_threshold **ctx_th)
@@ -1973,6 +1978,7 @@ static int _nfs4_do_open(struct inode *dir,
 	struct nfs4_state     *state = NULL;
 	struct nfs_server       *server = NFS_SERVER(dir);
 	struct nfs4_opendata *opendata;
+	struct nfs4_label *olabel = NULL;
 	int status;
 
 	/* Protect against reboot recovery conflicts */
@@ -1988,7 +1994,7 @@ static int _nfs4_do_open(struct inode *dir,
 	if (dentry->d_inode != NULL)
 		nfs4_return_incompatible_delegation(dentry->d_inode, fmode);
 	status = -ENOMEM;
-	opendata = nfs4_opendata_alloc(dentry, sp, fmode, flags, sattr, GFP_KERNEL);
+	opendata = nfs4_opendata_alloc(dentry, sp, fmode, flags, sattr, label, GFP_KERNEL);
 	if (opendata == NULL)
 		goto err_put_state_owner;
 
@@ -2022,10 +2028,11 @@ static int _nfs4_do_open(struct inode *dir,
 		nfs_fattr_init(opendata->o_res.f_attr);
 		status = nfs4_do_setattr(state->inode, cred,
 				opendata->o_res.f_attr, sattr,
-				state);
-		if (status == 0)
+				state, label, olabel);
+		if (status == 0) {
 			nfs_setattr_update_inode(state->inode, sattr);
-		nfs_post_op_update_inode(state->inode, opendata->o_res.f_attr);
+			nfs_post_op_update_inode(state->inode, opendata->o_res.f_attr, olabel);
+		}
 	}
 
 	if (pnfs_use_threshold(ctx_th, opendata->f_attr.mdsthreshold, server))
@@ -2054,6 +2061,7 @@ static struct nfs4_state *nfs4_do_open(struct inode *dir,
 					fmode_t fmode,
 					int flags,
 					struct iattr *sattr,
+					struct nfs4_label *label,
 					struct rpc_cred *cred,
 					struct nfs4_threshold **ctx_th)
 {
@@ -2063,7 +2071,7 @@ static struct nfs4_state *nfs4_do_open(struct inode *dir,
 
 	fmode &= FMODE_READ|FMODE_WRITE|FMODE_EXEC;
 	do {
-		status = _nfs4_do_open(dir, dentry, fmode, flags, sattr, cred,
+		status = _nfs4_do_open(dir, dentry, fmode, flags, sattr, label, cred,
 				       &res, ctx_th);
 		if (status == 0)
 			break;
@@ -2108,7 +2116,8 @@ static struct nfs4_state *nfs4_do_open(struct inode *dir,
 
 static int _nfs4_do_setattr(struct inode *inode, struct rpc_cred *cred,
 			    struct nfs_fattr *fattr, struct iattr *sattr,
-			    struct nfs4_state *state)
+			    struct nfs4_state *state, struct nfs4_label *ilabel,
+			    struct nfs4_label *olabel)
 {
 	struct nfs_server *server = NFS_SERVER(inode);
         struct nfs_setattrargs  arg = {
@@ -2116,9 +2125,11 @@ static int _nfs4_do_setattr(struct inode *inode, struct rpc_cred *cred,
                 .iap            = sattr,
 		.server		= server,
 		.bitmask = server->attr_bitmask,
+		.label		= ilabel,
         };
         struct nfs_setattrres  res = {
 		.fattr		= fattr,
+		.label		= olabel,
 		.server		= server,
         };
         struct rpc_message msg = {
@@ -2153,7 +2164,8 @@ static int _nfs4_do_setattr(struct inode *inode, struct rpc_cred *cred,
 
 static int nfs4_do_setattr(struct inode *inode, struct rpc_cred *cred,
 			   struct nfs_fattr *fattr, struct iattr *sattr,
-			   struct nfs4_state *state)
+			   struct nfs4_state *state, struct nfs4_label *ilabel,
+			   struct nfs4_label *olabel)
 {
 	struct nfs_server *server = NFS_SERVER(inode);
 	struct nfs4_exception exception = {
@@ -2162,7 +2174,7 @@ static int nfs4_do_setattr(struct inode *inode, struct rpc_cred *cred,
 	};
 	int err;
 	do {
-		err = _nfs4_do_setattr(inode, cred, fattr, sattr, state);
+		err = _nfs4_do_setattr(inode, cred, fattr, sattr, state, ilabel, olabel);
 		switch (err) {
 		case -NFS4ERR_OPENMODE:
 			if (state && !(state->state & FMODE_WRITE)) {
@@ -2249,7 +2261,7 @@ static void nfs4_close_done(struct rpc_task *task, void *data)
 				rpc_restart_call_prepare(task);
 	}
 	nfs_release_seqid(calldata->arg.seqid);
-	nfs_refresh_inode(calldata->inode, calldata->res.fattr);
+	nfs_refresh_inode(calldata->inode, calldata->res.fattr, NULL);
 	dprintk("%s: done, ret = %d!\n", __func__, task->tk_status);
 }
 
@@ -2386,9 +2398,10 @@ static struct inode *
 nfs4_atomic_open(struct inode *dir, struct nfs_open_context *ctx, int open_flags, struct iattr *attr)
 {
 	struct nfs4_state *state;
+	struct nfs4_label l, *label = NULL;
 
 	/* Protect against concurrent sillydeletes */
-	state = nfs4_do_open(dir, ctx->dentry, ctx->mode, open_flags, attr,
+	state = nfs4_do_open(dir, ctx->dentry, ctx->mode, open_flags, attr, label,
 			     ctx->cred, &ctx->mdsthreshold);
 	if (IS_ERR(state))
 		return ERR_CAST(state);
@@ -2586,6 +2599,7 @@ static int nfs4_proc_get_root(struct nfs_server *server, struct nfs_fh *mntfh,
 {
 	int error;
 	struct nfs_fattr *fattr = info->fattr;
+	struct nfs4_label *label = NULL;
 
 	error = nfs4_server_capabilities(server, mntfh);
 	if (error < 0) {
@@ -2593,7 +2607,7 @@ static int nfs4_proc_get_root(struct nfs_server *server, struct nfs_fh *mntfh,
 		return error;
 	}
 
-	error = nfs4_proc_getattr(server, mntfh, fattr);
+	error = nfs4_proc_getattr(server, mntfh, fattr, label);
 	if (error < 0) {
 		dprintk("nfs4_get_root: getattr error = %d\n", -error);
 		return error;
@@ -2649,7 +2663,8 @@ out:
 	return status;
 }
 
-static int _nfs4_proc_getattr(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fattr *fattr)
+static int _nfs4_proc_getattr(struct nfs_server *server, struct nfs_fh *fhandle,
+				struct nfs_fattr *fattr, struct nfs4_label *label)
 {
 	struct nfs4_getattr_arg args = {
 		.fh = fhandle,
@@ -2657,6 +2672,7 @@ static int _nfs4_proc_getattr(struct nfs_server *server, struct nfs_fh *fhandle,
 	};
 	struct nfs4_getattr_res res = {
 		.fattr = fattr,
+		.label = label,
 		.server = server,
 	};
 	struct rpc_message msg = {
@@ -2669,13 +2685,14 @@ static int _nfs4_proc_getattr(struct nfs_server *server, struct nfs_fh *fhandle,
 	return nfs4_call_sync(server->client, server, &msg, &args.seq_args, &res.seq_res, 0);
 }
 
-static int nfs4_proc_getattr(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fattr *fattr)
+static int nfs4_proc_getattr(struct nfs_server *server, struct nfs_fh *fhandle,
+				struct nfs_fattr *fattr, struct nfs4_label *label)
 {
 	struct nfs4_exception exception = { };
 	int err;
 	do {
 		err = nfs4_handle_exception(server,
-				_nfs4_proc_getattr(server, fhandle, fattr),
+				_nfs4_proc_getattr(server, fhandle, fattr, label),
 				&exception);
 	} while (exception.retry);
 	return err;
@@ -2705,6 +2722,7 @@ nfs4_proc_setattr(struct dentry *dentry, struct nfs_fattr *fattr,
 	struct inode *inode = dentry->d_inode;
 	struct rpc_cred *cred = NULL;
 	struct nfs4_state *state = NULL;
+	struct nfs4_label *olabel = NULL;
 	int status;
 
 	if (pnfs_ld_layoutret_on_setattr(inode))
@@ -2731,7 +2749,7 @@ nfs4_proc_setattr(struct dentry *dentry, struct nfs_fattr *fattr,
 		}
 	}
 
-	status = nfs4_do_setattr(inode, cred, fattr, sattr, state);
+	status = nfs4_do_setattr(inode, cred, fattr, sattr, state, NULL, NULL);
 	if (status == 0)
 		nfs_setattr_update_inode(inode, sattr);
 	return status;
@@ -2739,7 +2757,7 @@ nfs4_proc_setattr(struct dentry *dentry, struct nfs_fattr *fattr,
 
 static int _nfs4_proc_lookup(struct rpc_clnt *clnt, struct inode *dir,
 		const struct qstr *name, struct nfs_fh *fhandle,
-		struct nfs_fattr *fattr)
+		struct nfs_fattr *fattr, struct nfs4_label *label)
 {
 	struct nfs_server *server = NFS_SERVER(dir);
 	int		       status;
@@ -2777,13 +2795,13 @@ static void nfs_fixup_secinfo_attributes(struct nfs_fattr *fattr)
 
 static int nfs4_proc_lookup_common(struct rpc_clnt **clnt, struct inode *dir,
 				   struct qstr *name, struct nfs_fh *fhandle,
-				   struct nfs_fattr *fattr)
+				   struct nfs_fattr *fattr, struct nfs4_label *label)
 {
 	struct nfs4_exception exception = { };
 	struct rpc_clnt *client = *clnt;
 	int err;
 	do {
-		err = _nfs4_proc_lookup(client, dir, name, fhandle, fattr);
+		err = _nfs4_proc_lookup(client, dir, name, fhandle, fattr, label);
 		switch (err) {
 		case -NFS4ERR_BADNAME:
 			err = -ENOENT;
@@ -2817,12 +2835,13 @@ out:
 }
 
 static int nfs4_proc_lookup(struct inode *dir, struct qstr *name,
-			    struct nfs_fh *fhandle, struct nfs_fattr *fattr)
+			    struct nfs_fh *fhandle, struct nfs_fattr *fattr,
+			    struct nfs4_label *label)
 {
 	int status;
 	struct rpc_clnt *client = NFS_CLIENT(dir);
 
-	status = nfs4_proc_lookup_common(&client, dir, name, fhandle, fattr);
+	status = nfs4_proc_lookup_common(&client, dir, name, fhandle, fattr, label);
 	if (client != NFS_CLIENT(dir)) {
 		rpc_shutdown_client(client);
 		nfs_fixup_secinfo_attributes(fattr);
@@ -2832,12 +2851,13 @@ static int nfs4_proc_lookup(struct inode *dir, struct qstr *name,
 
 struct rpc_clnt *
 nfs4_proc_lookup_mountpoint(struct inode *dir, struct qstr *name,
-			    struct nfs_fh *fhandle, struct nfs_fattr *fattr)
+			    struct nfs_fh *fhandle, struct nfs_fattr *fattr,
+			    struct nfs4_label *label)
 {
 	int status;
 	struct rpc_clnt *client = rpc_clone_client(NFS_CLIENT(dir));
 
-	status = nfs4_proc_lookup_common(&client, dir, name, fhandle, fattr);
+	status = nfs4_proc_lookup_common(&client, dir, name, fhandle, fattr, label);
 	if (status < 0) {
 		rpc_shutdown_client(client);
 		return ERR_PTR(status);
@@ -2854,6 +2874,7 @@ static int _nfs4_proc_access(struct inode *inode, struct nfs_access_entry *entry
 	};
 	struct nfs4_accessres res = {
 		.server = server,
+		.label = NULL,
 	};
 	struct rpc_message msg = {
 		.rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_ACCESS],
@@ -2888,7 +2909,7 @@ static int _nfs4_proc_access(struct inode *inode, struct nfs_access_entry *entry
 	status = nfs4_call_sync(server->client, server, &msg, &args.seq_args, &res.seq_res, 0);
 	if (!status) {
 		nfs_access_set_mask(entry, res.access);
-		nfs_refresh_inode(inode, res.fattr);
+		nfs_refresh_inode(inode, res.fattr, res.label);
 	}
 	nfs_free_fattr(res.fattr);
 	return status;
@@ -2967,6 +2988,7 @@ static int
 nfs4_proc_create(struct inode *dir, struct dentry *dentry, struct iattr *sattr,
 		 int flags)
 {
+	struct nfs4_label l, *ilabel = NULL;
 	struct nfs_open_context *ctx;
 	struct nfs4_state *state;
 	int status = 0;
@@ -2977,7 +2999,7 @@ nfs4_proc_create(struct inode *dir, struct dentry *dentry, struct iattr *sattr,
 
 	sattr->ia_mode &= ~current_umask();
 	state = nfs4_do_open(dir, dentry, ctx->mode,
-			flags, sattr, ctx->cred,
+			flags, sattr, ilabel, ctx->cred,
 			&ctx->mdsthreshold);
 	d_drop(dentry);
 	if (IS_ERR(state)) {
@@ -3105,6 +3127,8 @@ static int _nfs4_proc_rename(struct inode *old_dir, struct qstr *old_name,
 		.new_dir = NFS_FH(new_dir),
 		.old_name = old_name,
 		.new_name = new_name,
+		.old_label = NULL,
+		.new_label = NULL,
 	};
 	struct nfs_renameres res = {
 		.server = server,
@@ -3149,6 +3173,7 @@ static int _nfs4_proc_link(struct inode *inode, struct inode *dir, struct qstr *
 	};
 	struct nfs4_link_res res = {
 		.server = server,
+		.label = NULL,
 	};
 	struct rpc_message msg = {
 		.rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_LINK],
@@ -3164,7 +3189,7 @@ static int _nfs4_proc_link(struct inode *inode, struct inode *dir, struct qstr *
 	status = nfs4_call_sync(server->client, server, &msg, &arg.seq_args, &res.seq_res, 1);
 	if (!status) {
 		update_changeattr(dir, &res.cinfo);
-		nfs_post_op_update_inode(inode, res.fattr);
+		nfs_post_op_update_inode(inode, res.fattr, res.label);
 	}
 out:
 	nfs_free_fattr(res.fattr);
@@ -3189,6 +3214,7 @@ struct nfs4_createdata {
 	struct nfs4_create_res res;
 	struct nfs_fh fh;
 	struct nfs_fattr fattr;
+	struct nfs4_label *label;
 };
 
 static struct nfs4_createdata *nfs4_alloc_createdata(struct inode *dir,
@@ -3212,6 +3238,7 @@ static struct nfs4_createdata *nfs4_alloc_createdata(struct inode *dir,
 		data->res.server = server;
 		data->res.fh = &data->fh;
 		data->res.fattr = &data->fattr;
+		data->res.label = data->label;
 		nfs_fattr_init(data->res.fattr);
 	}
 	return data;
@@ -3223,7 +3250,7 @@ static int nfs4_do_create(struct inode *dir, struct dentry *dentry, struct nfs4_
 				    &data->arg.seq_args, &data->res.seq_res, 1);
 	if (status == 0) {
 		update_changeattr(dir, &data->res.dir_cinfo);
-		status = nfs_instantiate(dentry, data->res.fh, data->res.fattr);
+		status = nfs_instantiate(dentry, data->res.fh, data->res.fattr, data->res.label);
 	}
 	return status;
 }
@@ -3234,7 +3261,8 @@ static void nfs4_free_createdata(struct nfs4_createdata *data)
 }
 
 static int _nfs4_proc_symlink(struct inode *dir, struct dentry *dentry,
-		struct page *page, unsigned int len, struct iattr *sattr)
+		struct page *page, unsigned int len, struct iattr *sattr,
+		struct nfs4_label *label)
 {
 	struct nfs4_createdata *data;
 	int status = -ENAMETOOLONG;
@@ -3250,6 +3278,7 @@ static int _nfs4_proc_symlink(struct inode *dir, struct dentry *dentry,
 	data->msg.rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_SYMLINK];
 	data->arg.u.symlink.pages = &page;
 	data->arg.u.symlink.len = len;
+	data->arg.label = label;
 	
 	status = nfs4_do_create(dir, dentry, data);
 
@@ -3262,18 +3291,19 @@ static int nfs4_proc_symlink(struct inode *dir, struct dentry *dentry,
 		struct page *page, unsigned int len, struct iattr *sattr)
 {
 	struct nfs4_exception exception = { };
+	struct nfs4_label l, *label = NULL;
 	int err;
 	do {
 		err = nfs4_handle_exception(NFS_SERVER(dir),
 				_nfs4_proc_symlink(dir, dentry, page,
-							len, sattr),
+							len, sattr, label),
 				&exception);
 	} while (exception.retry);
 	return err;
 }
 
 static int _nfs4_proc_mkdir(struct inode *dir, struct dentry *dentry,
-		struct iattr *sattr)
+		struct iattr *sattr, struct nfs4_label *label)
 {
 	struct nfs4_createdata *data;
 	int status = -ENOMEM;
@@ -3282,6 +3312,7 @@ static int _nfs4_proc_mkdir(struct inode *dir, struct dentry *dentry,
 	if (data == NULL)
 		goto out;
 
+	data->arg.label = label;
 	status = nfs4_do_create(dir, dentry, data);
 
 	nfs4_free_createdata(data);
@@ -3293,12 +3324,13 @@ static int nfs4_proc_mkdir(struct inode *dir, struct dentry *dentry,
 		struct iattr *sattr)
 {
 	struct nfs4_exception exception = { };
+	struct nfs4_label l, *label = NULL;
 	int err;
 
 	sattr->ia_mode &= ~current_umask();
 	do {
 		err = nfs4_handle_exception(NFS_SERVER(dir),
-				_nfs4_proc_mkdir(dir, dentry, sattr),
+				_nfs4_proc_mkdir(dir, dentry, sattr, label),
 				&exception);
 	} while (exception.retry);
 	return err;
@@ -3358,7 +3390,7 @@ static int nfs4_proc_readdir(struct dentry *dentry, struct rpc_cred *cred,
 }
 
 static int _nfs4_proc_mknod(struct inode *dir, struct dentry *dentry,
-		struct iattr *sattr, dev_t rdev)
+		struct iattr *sattr, struct nfs4_label *label, dev_t rdev)
 {
 	struct nfs4_createdata *data;
 	int mode = sattr->ia_mode;
@@ -3383,7 +3415,8 @@ static int _nfs4_proc_mknod(struct inode *dir, struct dentry *dentry,
 		data->arg.u.device.specdata1 = MAJOR(rdev);
 		data->arg.u.device.specdata2 = MINOR(rdev);
 	}
-	
+
+	data->arg.label = label;	
 	status = nfs4_do_create(dir, dentry, data);
 
 	nfs4_free_createdata(data);
@@ -3395,12 +3428,13 @@ static int nfs4_proc_mknod(struct inode *dir, struct dentry *dentry,
 		struct iattr *sattr, dev_t rdev)
 {
 	struct nfs4_exception exception = { };
+	struct nfs4_label l, *label = NULL;
 	int err;
 
 	sattr->ia_mode &= ~current_umask();
 	do {
 		err = nfs4_handle_exception(NFS_SERVER(dir),
-				_nfs4_proc_mknod(dir, dentry, sattr, rdev),
+				_nfs4_proc_mknod(dir, dentry, sattr, label, rdev),
 				&exception);
 	} while (exception.retry);
 	return err;
@@ -4358,7 +4392,7 @@ static int _nfs4_proc_delegreturn(struct inode *inode, struct rpc_cred *cred, co
 	if (status == 0)
 		nfs_post_op_update_inode_force_wcc(inode, &data->fattr);
 	else
-		nfs_refresh_inode(inode, &data->fattr);
+		nfs_refresh_inode(inode, &data->fattr, NULL);
 out:
 	rpc_put_task(task);
 	return status;
diff --git a/fs/nfs/proc.c b/fs/nfs/proc.c
index 50a88c3..b4ae668 100644
--- a/fs/nfs/proc.c
+++ b/fs/nfs/proc.c
@@ -131,7 +131,7 @@ nfs_proc_get_root(struct nfs_server *server, struct nfs_fh *fhandle,
  */
 static int
 nfs_proc_getattr(struct nfs_server *server, struct nfs_fh *fhandle,
-		struct nfs_fattr *fattr)
+		struct nfs_fattr *fattr, struct nfs4_label *label)
 {
 	struct rpc_message msg = {
 		.rpc_proc	= &nfs_procedures[NFSPROC_GETATTR],
@@ -179,7 +179,8 @@ nfs_proc_setattr(struct dentry *dentry, struct nfs_fattr *fattr,
 
 static int
 nfs_proc_lookup(struct inode *dir, struct qstr *name,
-		struct nfs_fh *fhandle, struct nfs_fattr *fattr)
+		struct nfs_fh *fhandle, struct nfs_fattr *fattr,
+		struct nfs4_label *label)
 {
 	struct nfs_diropargs	arg = {
 		.fh		= NFS_FH(dir),
@@ -276,7 +277,7 @@ nfs_proc_create(struct inode *dir, struct dentry *dentry, struct iattr *sattr,
 	status = rpc_call_sync(NFS_CLIENT(dir), &msg, 0);
 	nfs_mark_for_revalidate(dir);
 	if (status == 0)
-		status = nfs_instantiate(dentry, data->res.fh, data->res.fattr);
+		status = nfs_instantiate(dentry, data->res.fh, data->res.fattr, NULL);
 	nfs_free_createdata(data);
 out:
 	dprintk("NFS reply create: %d\n", status);
@@ -323,7 +324,7 @@ nfs_proc_mknod(struct inode *dir, struct dentry *dentry, struct iattr *sattr,
 		status = rpc_call_sync(NFS_CLIENT(dir), &msg, 0);
 	}
 	if (status == 0)
-		status = nfs_instantiate(dentry, data->res.fh, data->res.fattr);
+		status = nfs_instantiate(dentry, data->res.fh, data->res.fattr, NULL);
 	nfs_free_createdata(data);
 out:
 	dprintk("NFS reply mknod: %d\n", status);
@@ -479,7 +480,7 @@ nfs_proc_symlink(struct inode *dir, struct dentry *dentry, struct page *page,
 	 * should fill in the data with a LOOKUP call on the wire.
 	 */
 	if (status == 0)
-		status = nfs_instantiate(dentry, fh, fattr);
+		status = nfs_instantiate(dentry, fh, fattr, NULL);
 
 out_free:
 	nfs_free_fattr(fattr);
@@ -508,7 +509,7 @@ nfs_proc_mkdir(struct inode *dir, struct dentry *dentry, struct iattr *sattr)
 	status = rpc_call_sync(NFS_CLIENT(dir), &msg, 0);
 	nfs_mark_for_revalidate(dir);
 	if (status == 0)
-		status = nfs_instantiate(dentry, data->res.fh, data->res.fattr);
+		status = nfs_instantiate(dentry, data->res.fh, data->res.fattr, NULL);
 	nfs_free_createdata(data);
 out:
 	dprintk("NFS reply mkdir: %d\n", status);
@@ -647,7 +648,7 @@ static int nfs_read_done(struct rpc_task *task, struct nfs_read_data *data)
 
 	nfs_invalidate_atime(inode);
 	if (task->tk_status >= 0) {
-		nfs_refresh_inode(inode, data->res.fattr);
+		nfs_refresh_inode(inode, data->res.fattr, data->res.label);
 		/* Emulate the eof flag, which isn't normally needed in NFSv2
 		 * as it is guaranteed to always return the file attributes
 		 */
diff --git a/include/linux/nfs_fs.h b/include/linux/nfs_fs.h
index 37a862c..c8ace0d 100644
--- a/include/linux/nfs_fs.h
+++ b/include/linux/nfs_fs.h
@@ -328,9 +328,9 @@ extern void nfs_zap_mapping(struct inode *inode, struct address_space *mapping);
 extern void nfs_zap_caches(struct inode *);
 extern void nfs_invalidate_atime(struct inode *);
 extern struct inode *nfs_fhget(struct super_block *, struct nfs_fh *,
-				struct nfs_fattr *);
-extern int nfs_refresh_inode(struct inode *, struct nfs_fattr *);
-extern int nfs_post_op_update_inode(struct inode *inode, struct nfs_fattr *fattr);
+				struct nfs_fattr *, struct nfs4_label *);
+extern int nfs_refresh_inode(struct inode *, struct nfs_fattr *, struct nfs4_label *);
+extern int nfs_post_op_update_inode(struct inode *inode, struct nfs_fattr *fattr, struct nfs4_label *);
 extern int nfs_post_op_update_inode_force_wcc(struct inode *inode, struct nfs_fattr *fattr);
 extern int nfs_getattr(struct vfsmount *, struct dentry *, struct kstat *);
 extern void nfs_access_add_cache(struct inode *, struct nfs_access_entry *);
@@ -460,7 +460,8 @@ extern const struct file_operations nfs_dir_operations;
 extern const struct dentry_operations nfs_dentry_operations;
 
 extern void nfs_force_lookup_revalidate(struct inode *dir);
-extern int nfs_instantiate(struct dentry *dentry, struct nfs_fh *fh, struct nfs_fattr *fattr);
+extern int nfs_instantiate(struct dentry *dentry, struct nfs_fh *fh,
+			struct nfs_fattr *fattr, struct nfs4_label *label);
 extern int nfs_may_open(struct inode *inode, struct rpc_cred *cred, int openflags);
 extern void nfs_access_zap_cache(struct inode *inode);
 
diff --git a/include/linux/nfs_xdr.h b/include/linux/nfs_xdr.h
index 7e9347a..31268c0 100644
--- a/include/linux/nfs_xdr.h
+++ b/include/linux/nfs_xdr.h
@@ -1402,11 +1402,12 @@ struct nfs_rpc_ops {
 	struct dentry *(*try_mount) (int, const char *, struct nfs_mount_info *,
 				     struct nfs_subversion *);
 	int	(*getattr) (struct nfs_server *, struct nfs_fh *,
-			    struct nfs_fattr *);
+			    struct nfs_fattr *, struct nfs4_label *);
 	int	(*setattr) (struct dentry *, struct nfs_fattr *,
 			    struct iattr *);
 	int	(*lookup)  (struct inode *, struct qstr *,
-			    struct nfs_fh *, struct nfs_fattr *);
+			    struct nfs_fh *, struct nfs_fattr *,
+			    struct nfs4_label *);
 	int	(*access)  (struct inode *, struct nfs_access_entry *);
 	int	(*readlink)(struct inode *, struct page *, unsigned int,
 			    unsigned int);
-- 
1.7.11.7

[PATCH 09/13] NFS:Add labels to client function prototypes

[David Quigley]

>From David Quigley <dpquigl@davequigley.com>

After looking at all of the nfsv4 operations the label structure has been added
to the prototypes of the functions which can transmit label data.


Signed-off-by: Matthew N. Dodd <Matthew.Dodd@sparta.com>
Signed-off-by: Miguel Rodel Felipe <Rodel_FM@dsi.a-star.edu.sg>
Signed-off-by: Phua Eu Gene <PHUA_Eu_Gene@dsi.a-star.edu.sg>
Signed-off-by: Khin Mi Mi Aung <Mi_Mi_AUNG@dsi.a-star.edu.sg>
Signed-off-by: David Quigley <dpquigl@davequigley.com>
---
 fs/nfs/client.c         |   2 +-
 fs/nfs/dir.c            |  23 ++++++----
 fs/nfs/getroot.c        |   3 +-
 fs/nfs/inode.c          |  33 +++++++-------
 fs/nfs/namespace.c      |   2 +-
 fs/nfs/nfs3acl.c        |   4 +-
 fs/nfs/nfs3proc.c       |  41 +++++++++--------
 fs/nfs/nfs4_fs.h        |   2 +-
 fs/nfs/nfs4namespace.c  |   2 +-
 fs/nfs/nfs4proc.c       | 118 +++++++++++++++++++++++++++++++-----------------
 fs/nfs/proc.c           |  15 +++---
 include/linux/nfs_fs.h  |   9 ++--
 include/linux/nfs_xdr.h |   5 +-
 13 files changed, 151 insertions(+), 108 deletions(-)

diff --git a/fs/nfs/client.c b/fs/nfs/client.c
index 8b39a42..ecc7419 100644
--- a/fs/nfs/client.c
+++ b/fs/nfs/client.c
@@ -1080,7 +1080,7 @@ struct nfs_server *nfs_create_server(struct nfs_mount_info *mount_info,
 	}
 
 	if (!(fattr->valid & NFS_ATTR_FATTR)) {
-		error = nfs_mod->rpc_ops->getattr(server, mount_info->mntfh, fattr);
+		error = nfs_mod->rpc_ops->getattr(server, mount_info->mntfh, fattr, NULL);
 		if (error < 0) {
 			dprintk("nfs_create_server: getattr error = %d\n", -error);
 			goto error;
diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c
index ce8cb92..1339e44 100644
--- a/fs/nfs/dir.c
+++ b/fs/nfs/dir.c
@@ -447,7 +447,7 @@ void nfs_prime_dcache(struct dentry *parent, struct nfs_entry *entry)
 	dentry = d_lookup(parent, &filename);
 	if (dentry != NULL) {
 		if (nfs_same_file(dentry, entry)) {
-			nfs_refresh_inode(dentry->d_inode, entry->fattr);
+			nfs_refresh_inode(dentry->d_inode, entry->fattr, entry->label);
 			goto out;
 		} else {
 			d_drop(dentry);
@@ -459,7 +459,7 @@ void nfs_prime_dcache(struct dentry *parent, struct nfs_entry *entry)
 	if (dentry == NULL)
 		return;
 
-	inode = nfs_fhget(dentry->d_sb, entry->fh, entry->fattr);
+	inode = nfs_fhget(dentry->d_sb, entry->fh, entry->fattr, entry->label);
 	if (IS_ERR(inode))
 		goto out;
 
@@ -1034,6 +1034,7 @@ static int nfs_lookup_revalidate(struct dentry *dentry, unsigned int flags)
 	struct dentry *parent;
 	struct nfs_fh *fhandle = NULL;
 	struct nfs_fattr *fattr = NULL;
+	struct nfs4_label *label = NULL;
 	int error;
 
 	if (flags & LOOKUP_RCU)
@@ -1076,12 +1077,12 @@ static int nfs_lookup_revalidate(struct dentry *dentry, unsigned int flags)
 	if (fhandle == NULL || fattr == NULL)
 		goto out_error;
 
-	error = NFS_PROTO(dir)->lookup(dir, &dentry->d_name, fhandle, fattr);
+	error = NFS_PROTO(dir)->lookup(dir, &dentry->d_name, fhandle, fattr, label);
 	if (error)
 		goto out_bad;
 	if (nfs_compare_fh(NFS_FH(inode), fhandle))
 		goto out_bad;
-	if ((error = nfs_refresh_inode(inode, fattr)) != 0)
+	if ((error = nfs_refresh_inode(inode, fattr, label)) != 0)
 		goto out_bad;
 
 	nfs_free_fattr(fattr);
@@ -1207,6 +1208,7 @@ struct dentry *nfs_lookup(struct inode *dir, struct dentry * dentry, unsigned in
 	struct inode *inode = NULL;
 	struct nfs_fh *fhandle = NULL;
 	struct nfs_fattr *fattr = NULL;
+	struct nfs4_label *label = NULL;
 	int error;
 
 	dfprintk(VFS, "NFS: lookup(%s/%s)\n",
@@ -1236,14 +1238,14 @@ struct dentry *nfs_lookup(struct inode *dir, struct dentry * dentry, unsigned in
 	parent = dentry->d_parent;
 	/* Protect against concurrent sillydeletes */
 	nfs_block_sillyrename(parent);
-	error = NFS_PROTO(dir)->lookup(dir, &dentry->d_name, fhandle, fattr);
+	error = NFS_PROTO(dir)->lookup(dir, &dentry->d_name, fhandle, fattr, label);
 	if (error == -ENOENT)
 		goto no_entry;
 	if (error < 0) {
 		res = ERR_PTR(error);
 		goto out_unblock_sillyrename;
 	}
-	inode = nfs_fhget(dentry->d_sb, fhandle, fattr);
+	inode = nfs_fhget(dentry->d_sb, fhandle, fattr, label);
 	res = ERR_CAST(inode);
 	if (IS_ERR(res))
 		goto out_unblock_sillyrename;
@@ -1477,7 +1479,8 @@ no_open:
  * Code common to create, mkdir, and mknod.
  */
 int nfs_instantiate(struct dentry *dentry, struct nfs_fh *fhandle,
-				struct nfs_fattr *fattr)
+				struct nfs_fattr *fattr,
+				struct nfs4_label *label)
 {
 	struct dentry *parent = dget_parent(dentry);
 	struct inode *dir = parent->d_inode;
@@ -1490,18 +1493,18 @@ int nfs_instantiate(struct dentry *dentry, struct nfs_fh *fhandle,
 	if (dentry->d_inode)
 		goto out;
 	if (fhandle->size == 0) {
-		error = NFS_PROTO(dir)->lookup(dir, &dentry->d_name, fhandle, fattr);
+		error = NFS_PROTO(dir)->lookup(dir, &dentry->d_name, fhandle, fattr, NULL);
 		if (error)
 			goto out_error;
 	}
 	nfs_set_verifier(dentry, nfs_save_change_attribute(dir));
 	if (!(fattr->valid & NFS_ATTR_FATTR)) {
 		struct nfs_server *server = NFS_SB(dentry->d_sb);
-		error = server->nfs_client->rpc_ops->getattr(server, fhandle, fattr);
+		error = server->nfs_client->rpc_ops->getattr(server, fhandle, fattr, NULL);
 		if (error < 0)
 			goto out_error;
 	}
-	inode = nfs_fhget(dentry->d_sb, fhandle, fattr);
+	inode = nfs_fhget(dentry->d_sb, fhandle, fattr, label);
 	error = PTR_ERR(inode);
 	if (IS_ERR(inode))
 		goto out_error;
diff --git a/fs/nfs/getroot.c b/fs/nfs/getroot.c
index 033803c..3b68bb6 100644
--- a/fs/nfs/getroot.c
+++ b/fs/nfs/getroot.c
@@ -75,6 +75,7 @@ struct dentry *nfs_get_root(struct super_block *sb, struct nfs_fh *mntfh,
 	struct nfs_fsinfo fsinfo;
 	struct dentry *ret;
 	struct inode *inode;
+	struct nfs4_label *label = NULL;
 	void *name = kstrdup(devname, GFP_KERNEL);
 	int error;
 
@@ -95,7 +96,7 @@ struct dentry *nfs_get_root(struct super_block *sb, struct nfs_fh *mntfh,
 		goto out;
 	}
 
-	inode = nfs_fhget(sb, mntfh, fsinfo.fattr);
+	inode = nfs_fhget(sb, mntfh, fsinfo.fattr, NULL);
 	if (IS_ERR(inode)) {
 		dprintk("nfs_get_root: get root inode failed\n");
 		ret = ERR_CAST(inode);
diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c
index 0963ad9..daca08c 100644
--- a/fs/nfs/inode.c
+++ b/fs/nfs/inode.c
@@ -61,7 +61,7 @@
 static bool enable_ino64 = NFS_64_BIT_INODE_NUMBERS_ENABLED;
 
 static void nfs_invalidate_inode(struct inode *);
-static int nfs_update_inode(struct inode *, struct nfs_fattr *);
+static int nfs_update_inode(struct inode *, struct nfs_fattr *, struct nfs4_label *);
 
 static struct kmem_cache * nfs_inode_cachep;
 
@@ -291,7 +291,7 @@ EXPORT_SYMBOL_GPL(nfs4_label_free);
  * instead of inode number.
  */
 struct inode *
-nfs_fhget(struct super_block *sb, struct nfs_fh *fh, struct nfs_fattr *fattr)
+nfs_fhget(struct super_block *sb, struct nfs_fh *fh, struct nfs_fattr *fattr, struct nfs4_label *label)
 {
 	struct nfs_find_desc desc = {
 		.fh	= fh,
@@ -421,7 +421,7 @@ nfs_fhget(struct super_block *sb, struct nfs_fh *fh, struct nfs_fattr *fattr)
 
 		unlock_new_inode(inode);
 	} else
-		nfs_refresh_inode(inode, fattr);
+		nfs_refresh_inode(inode, fattr, label);
 	dprintk("NFS: nfs_fhget(%s/%Ld fh_crc=0x%08x ct=%d)\n",
 		inode->i_sb->s_id,
 		(long long)NFS_FILEID(inode),
@@ -478,7 +478,7 @@ nfs_setattr(struct dentry *dentry, struct iattr *attr)
 		NFS_PROTO(inode)->return_delegation(inode);
 	error = NFS_PROTO(inode)->setattr(dentry, fattr, attr);
 	if (error == 0)
-		nfs_refresh_inode(inode, fattr);
+		nfs_refresh_inode(inode, fattr, NULL);
 	nfs_free_fattr(fattr);
 out:
 	return error;
@@ -817,6 +817,7 @@ int
 __nfs_revalidate_inode(struct nfs_server *server, struct inode *inode)
 {
 	int		 status = -ESTALE;
+	struct nfs4_label *label = NULL;
 	struct nfs_fattr *fattr = NULL;
 	struct nfs_inode *nfsi = NFS_I(inode);
 
@@ -834,7 +835,7 @@ __nfs_revalidate_inode(struct nfs_server *server, struct inode *inode)
 		goto out;
 
 	nfs_inc_stats(inode, NFSIOS_INODEREVALIDATE);
-	status = NFS_PROTO(inode)->getattr(server, NFS_FH(inode), fattr);
+	status = NFS_PROTO(inode)->getattr(server, NFS_FH(inode), fattr, label);
 	if (status != 0) {
 		dfprintk(PAGECACHE, "nfs_revalidate_inode: (%s/%Ld) getattr failed, error=%d\n",
 			 inode->i_sb->s_id,
@@ -847,7 +848,7 @@ __nfs_revalidate_inode(struct nfs_server *server, struct inode *inode)
 		goto out;
 	}
 
-	status = nfs_refresh_inode(inode, fattr);
+	status = nfs_refresh_inode(inode, fattr, label);
 	if (status) {
 		dfprintk(PAGECACHE, "nfs_revalidate_inode: (%s/%Ld) refresh failed, error=%d\n",
 			 inode->i_sb->s_id,
@@ -1200,10 +1201,10 @@ static int nfs_inode_attrs_need_update(const struct inode *inode, const struct n
 		((long)nfsi->attr_gencount - (long)nfs_read_attr_generation_counter() > 0);
 }
 
-static int nfs_refresh_inode_locked(struct inode *inode, struct nfs_fattr *fattr)
+static int nfs_refresh_inode_locked(struct inode *inode, struct nfs_fattr *fattr, struct nfs4_label *label)
 {
 	if (nfs_inode_attrs_need_update(inode, fattr))
-		return nfs_update_inode(inode, fattr);
+		return nfs_update_inode(inode, fattr, label);
 	return nfs_check_inode_attributes(inode, fattr);
 }
 
@@ -1217,21 +1218,21 @@ static int nfs_refresh_inode_locked(struct inode *inode, struct nfs_fattr *fattr
  * safe to do a full update of the inode attributes, or whether just to
  * call nfs_check_inode_attributes.
  */
-int nfs_refresh_inode(struct inode *inode, struct nfs_fattr *fattr)
+int nfs_refresh_inode(struct inode *inode, struct nfs_fattr *fattr, struct nfs4_label *label)
 {
 	int status;
 
 	if ((fattr->valid & NFS_ATTR_FATTR) == 0)
 		return 0;
 	spin_lock(&inode->i_lock);
-	status = nfs_refresh_inode_locked(inode, fattr);
+	status = nfs_refresh_inode_locked(inode, fattr, label);
 	spin_unlock(&inode->i_lock);
 
 	return status;
 }
 EXPORT_SYMBOL_GPL(nfs_refresh_inode);
 
-static int nfs_post_op_update_inode_locked(struct inode *inode, struct nfs_fattr *fattr)
+static int nfs_post_op_update_inode_locked(struct inode *inode, struct nfs_fattr *fattr, struct nfs4_label *label)
 {
 	struct nfs_inode *nfsi = NFS_I(inode);
 
@@ -1240,7 +1241,7 @@ static int nfs_post_op_update_inode_locked(struct inode *inode, struct nfs_fattr
 		nfsi->cache_validity |= NFS_INO_INVALID_DATA;
 	if ((fattr->valid & NFS_ATTR_FATTR) == 0)
 		return 0;
-	return nfs_refresh_inode_locked(inode, fattr);
+	return nfs_refresh_inode_locked(inode, fattr, label);
 }
 
 /**
@@ -1257,12 +1258,12 @@ static int nfs_post_op_update_inode_locked(struct inode *inode, struct nfs_fattr
  * are expected to change one or more attributes, to avoid
  * unnecessary NFS requests and trips through nfs_update_inode().
  */
-int nfs_post_op_update_inode(struct inode *inode, struct nfs_fattr *fattr)
+int nfs_post_op_update_inode(struct inode *inode, struct nfs_fattr *fattr, struct nfs4_label *label)
 {
 	int status;
 
 	spin_lock(&inode->i_lock);
-	status = nfs_post_op_update_inode_locked(inode, fattr);
+	status = nfs_post_op_update_inode_locked(inode, fattr, label);
 	spin_unlock(&inode->i_lock);
 	return status;
 }
@@ -1314,7 +1315,7 @@ int nfs_post_op_update_inode_force_wcc(struct inode *inode, struct nfs_fattr *fa
 		fattr->valid |= NFS_ATTR_FATTR_PRESIZE;
 	}
 out_noforce:
-	status = nfs_post_op_update_inode_locked(inode, fattr);
+	status = nfs_post_op_update_inode_locked(inode, fattr, NULL);
 	spin_unlock(&inode->i_lock);
 	return status;
 }
@@ -1332,7 +1333,7 @@ EXPORT_SYMBOL_GPL(nfs_post_op_update_inode_force_wcc);
  *
  * A very similar scenario holds for the dir cache.
  */
-static int nfs_update_inode(struct inode *inode, struct nfs_fattr *fattr)
+static int nfs_update_inode(struct inode *inode, struct nfs_fattr *fattr, struct nfs4_label *label)
 {
 	struct nfs_server *server;
 	struct nfs_inode *nfsi = NFS_I(inode);
diff --git a/fs/nfs/namespace.c b/fs/nfs/namespace.c
index 6559253..25747d2 100644
--- a/fs/nfs/namespace.c
+++ b/fs/nfs/namespace.c
@@ -251,7 +251,7 @@ struct vfsmount *nfs_submount(struct nfs_server *server, struct dentry *dentry,
 	struct dentry *parent = dget_parent(dentry);
 
 	/* Look it up again to get its attributes */
-	err = server->nfs_client->rpc_ops->lookup(parent->d_inode, &dentry->d_name, fh, fattr);
+	err = server->nfs_client->rpc_ops->lookup(parent->d_inode, &dentry->d_name, fh, fattr, NULL);
 	dput(parent);
 	if (err != 0)
 		return ERR_PTR(err);
diff --git a/fs/nfs/nfs3acl.c b/fs/nfs/nfs3acl.c
index 4a1aafb..1a2f11b 100644
--- a/fs/nfs/nfs3acl.c
+++ b/fs/nfs/nfs3acl.c
@@ -240,7 +240,7 @@ struct posix_acl *nfs3_proc_getacl(struct inode *inode, int type)
 
 	switch (status) {
 		case 0:
-			status = nfs_refresh_inode(inode, res.fattr);
+			status = nfs_refresh_inode(inode, res.fattr, NULL);
 			break;
 		case -EPFNOSUPPORT:
 		case -EPROTONOSUPPORT:
@@ -352,7 +352,7 @@ static int nfs3_proc_setacls(struct inode *inode, struct posix_acl *acl,
 
 	switch (status) {
 		case 0:
-			status = nfs_refresh_inode(inode, fattr);
+			status = nfs_refresh_inode(inode, fattr, NULL);
 			nfs3_cache_acls(inode, acl, dfacl);
 			break;
 		case -EPFNOSUPPORT:
diff --git a/fs/nfs/nfs3proc.c b/fs/nfs/nfs3proc.c
index 6932209..c2aaca7 100644
--- a/fs/nfs/nfs3proc.c
+++ b/fs/nfs/nfs3proc.c
@@ -98,7 +98,7 @@ nfs3_proc_get_root(struct nfs_server *server, struct nfs_fh *fhandle,
  */
 static int
 nfs3_proc_getattr(struct nfs_server *server, struct nfs_fh *fhandle,
-		struct nfs_fattr *fattr)
+		struct nfs_fattr *fattr, struct nfs4_label *label)
 {
 	struct rpc_message msg = {
 		.rpc_proc	= &nfs3_procedures[NFS3PROC_GETATTR],
@@ -143,7 +143,8 @@ nfs3_proc_setattr(struct dentry *dentry, struct nfs_fattr *fattr,
 
 static int
 nfs3_proc_lookup(struct inode *dir, struct qstr *name,
-		 struct nfs_fh *fhandle, struct nfs_fattr *fattr)
+		 struct nfs_fh *fhandle, struct nfs_fattr *fattr,
+		 struct nfs4_label *label)
 {
 	struct nfs3_diropargs	arg = {
 		.fh		= NFS_FH(dir),
@@ -168,7 +169,7 @@ nfs3_proc_lookup(struct inode *dir, struct qstr *name,
 
 	nfs_fattr_init(fattr);
 	status = rpc_call_sync(NFS_CLIENT(dir), &msg, 0);
-	nfs_refresh_inode(dir, res.dir_attr);
+	nfs_refresh_inode(dir, res.dir_attr, NULL);
 	if (status >= 0 && !(fattr->valid & NFS_ATTR_FATTR)) {
 		msg.rpc_proc = &nfs3_procedures[NFS3PROC_GETATTR];
 		msg.rpc_argp = fhandle;
@@ -216,7 +217,7 @@ static int nfs3_proc_access(struct inode *inode, struct nfs_access_entry *entry)
 		goto out;
 
 	status = rpc_call_sync(NFS_CLIENT(inode), &msg, 0);
-	nfs_refresh_inode(inode, res.fattr);
+	nfs_refresh_inode(inode, res.fattr, NULL);
 	if (status == 0) {
 		entry->mask = 0;
 		if (res.access & NFS3_ACCESS_READ)
@@ -255,7 +256,7 @@ static int nfs3_proc_readlink(struct inode *inode, struct page *page,
 	msg.rpc_resp = fattr;
 
 	status = rpc_call_sync(NFS_CLIENT(inode), &msg, 0);
-	nfs_refresh_inode(inode, fattr);
+	nfs_refresh_inode(inode, fattr, NULL);
 	nfs_free_fattr(fattr);
 out:
 	dprintk("NFS reply readlink: %d\n", status);
@@ -298,9 +299,9 @@ static int nfs3_do_create(struct inode *dir, struct dentry *dentry, struct nfs3_
 	int status;
 
 	status = rpc_call_sync(NFS_CLIENT(dir), &data->msg, 0);
-	nfs_post_op_update_inode(dir, data->res.dir_attr);
+	nfs_post_op_update_inode(dir, data->res.dir_attr, NULL);
 	if (status == 0)
-		status = nfs_instantiate(dentry, data->res.fh, data->res.fattr);
+		status = nfs_instantiate(dentry, data->res.fh, data->res.fattr, NULL);
 	return status;
 }
 
@@ -381,7 +382,7 @@ nfs3_proc_create(struct inode *dir, struct dentry *dentry, struct iattr *sattr,
 		 * not sure this buys us anything (and I'd have
 		 * to revamp the NFSv3 XDR code) */
 		status = nfs3_proc_setattr(dentry, data->res.fattr, sattr);
-		nfs_post_op_update_inode(dentry->d_inode, data->res.fattr);
+		nfs_post_op_update_inode(dentry->d_inode, data->res.fattr, NULL);
 		dprintk("NFS reply setattr (post-create): %d\n", status);
 		if (status != 0)
 			goto out;
@@ -414,7 +415,7 @@ nfs3_proc_remove(struct inode *dir, struct qstr *name)
 		goto out;
 
 	status = rpc_call_sync(NFS_CLIENT(dir), &msg, 0);
-	nfs_post_op_update_inode(dir, res.dir_attr);
+	nfs_post_op_update_inode(dir, res.dir_attr, NULL);
 	nfs_free_fattr(res.dir_attr);
 out:
 	dprintk("NFS reply remove: %d\n", status);
@@ -439,7 +440,7 @@ nfs3_proc_unlink_done(struct rpc_task *task, struct inode *dir)
 	if (nfs3_async_handle_jukebox(task, dir))
 		return 0;
 	res = task->tk_msg.rpc_resp;
-	nfs_post_op_update_inode(dir, res->dir_attr);
+	nfs_post_op_update_inode(dir, res->dir_attr, NULL);
 	return 1;
 }
 
@@ -464,8 +465,8 @@ nfs3_proc_rename_done(struct rpc_task *task, struct inode *old_dir,
 		return 0;
 	res = task->tk_msg.rpc_resp;
 
-	nfs_post_op_update_inode(old_dir, res->old_fattr);
-	nfs_post_op_update_inode(new_dir, res->new_fattr);
+	nfs_post_op_update_inode(old_dir, res->old_fattr, NULL);
+	nfs_post_op_update_inode(new_dir, res->new_fattr, NULL);
 	return 1;
 }
 
@@ -495,8 +496,8 @@ nfs3_proc_rename(struct inode *old_dir, struct qstr *old_name,
 		goto out;
 
 	status = rpc_call_sync(NFS_CLIENT(old_dir), &msg, 0);
-	nfs_post_op_update_inode(old_dir, res.old_fattr);
-	nfs_post_op_update_inode(new_dir, res.new_fattr);
+	nfs_post_op_update_inode(old_dir, res.old_fattr, NULL);
+	nfs_post_op_update_inode(new_dir, res.new_fattr, NULL);
 out:
 	nfs_free_fattr(res.old_fattr);
 	nfs_free_fattr(res.new_fattr);
@@ -528,8 +529,8 @@ nfs3_proc_link(struct inode *inode, struct inode *dir, struct qstr *name)
 		goto out;
 
 	status = rpc_call_sync(NFS_CLIENT(inode), &msg, 0);
-	nfs_post_op_update_inode(dir, res.dir_attr);
-	nfs_post_op_update_inode(inode, res.fattr);
+	nfs_post_op_update_inode(dir, res.dir_attr, NULL);
+	nfs_post_op_update_inode(inode, res.fattr, NULL);
 out:
 	nfs_free_fattr(res.dir_attr);
 	nfs_free_fattr(res.fattr);
@@ -622,7 +623,7 @@ nfs3_proc_rmdir(struct inode *dir, struct qstr *name)
 
 	msg.rpc_resp = dir_attr;
 	status = rpc_call_sync(NFS_CLIENT(dir), &msg, 0);
-	nfs_post_op_update_inode(dir, dir_attr);
+	nfs_post_op_update_inode(dir, dir_attr, NULL);
 	nfs_free_fattr(dir_attr);
 out:
 	dprintk("NFS reply rmdir: %d\n", status);
@@ -677,7 +678,7 @@ nfs3_proc_readdir(struct dentry *dentry, struct rpc_cred *cred,
 	status = rpc_call_sync(NFS_CLIENT(dir), &msg, 0);
 
 	nfs_invalidate_atime(dir);
-	nfs_refresh_inode(dir, res.dir_attr);
+	nfs_refresh_inode(dir, res.dir_attr, NULL);
 
 	nfs_free_fattr(res.dir_attr);
 out:
@@ -816,7 +817,7 @@ static int nfs3_read_done(struct rpc_task *task, struct nfs_read_data *data)
 		return -EAGAIN;
 
 	nfs_invalidate_atime(inode);
-	nfs_refresh_inode(inode, &data->fattr);
+	nfs_refresh_inode(inode, &data->fattr, NULL);
 	return 0;
 }
 
@@ -860,7 +861,7 @@ static int nfs3_commit_done(struct rpc_task *task, struct nfs_commit_data *data)
 {
 	if (nfs3_async_handle_jukebox(task, data->inode))
 		return -EAGAIN;
-	nfs_refresh_inode(data->inode, data->res.fattr);
+	nfs_refresh_inode(data->inode, data->res.fattr, NULL);
 	return 0;
 }
 
diff --git a/fs/nfs/nfs4_fs.h b/fs/nfs/nfs4_fs.h
index f15015a..c97c6837 100644
--- a/fs/nfs/nfs4_fs.h
+++ b/fs/nfs/nfs4_fs.h
@@ -230,7 +230,7 @@ extern int nfs4_server_capabilities(struct nfs_server *server, struct nfs_fh *fh
 extern int nfs4_proc_fs_locations(struct rpc_clnt *, struct inode *, const struct qstr *,
 				  struct nfs4_fs_locations *, struct page *);
 extern struct rpc_clnt *nfs4_proc_lookup_mountpoint(struct inode *, struct qstr *,
-			    struct nfs_fh *, struct nfs_fattr *);
+			    struct nfs_fh *, struct nfs_fattr *, struct nfs4_label *);
 extern int nfs4_proc_secinfo(struct inode *, const struct qstr *, struct nfs4_secinfo_flavors *);
 extern int nfs4_release_lockowner(struct nfs4_lock_state *);
 extern const struct xattr_handler *nfs4_xattr_handlers[];
diff --git a/fs/nfs/nfs4namespace.c b/fs/nfs/nfs4namespace.c
index 79fbb61..f40cf63 100644
--- a/fs/nfs/nfs4namespace.c
+++ b/fs/nfs/nfs4namespace.c
@@ -367,7 +367,7 @@ struct vfsmount *nfs4_submount(struct nfs_server *server, struct dentry *dentry,
 	struct vfsmount *mnt;
 
 	/* Look it up again to get its attributes and sec flavor */
-	client = nfs4_proc_lookup_mountpoint(parent->d_inode, &dentry->d_name, fh, fattr);
+	client = nfs4_proc_lookup_mountpoint(parent->d_inode, &dentry->d_name, fh, fattr, NULL);
 	dput(parent);
 	if (IS_ERR(client))
 		return ERR_CAST(client);
diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
index 3c49f3e..8e0378c 100644
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -78,11 +78,12 @@ static int _nfs4_recover_proc_open(struct nfs4_opendata *data);
 static int nfs4_do_fsinfo(struct nfs_server *, struct nfs_fh *, struct nfs_fsinfo *);
 static int nfs4_async_handle_error(struct rpc_task *, const struct nfs_server *, struct nfs4_state *);
 static void nfs_fixup_referral_attributes(struct nfs_fattr *fattr);
-static int nfs4_proc_getattr(struct nfs_server *, struct nfs_fh *, struct nfs_fattr *);
-static int _nfs4_proc_getattr(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fattr *fattr);
+static int nfs4_proc_getattr(struct nfs_server *, struct nfs_fh *, struct nfs_fattr *, struct nfs4_label *label);
+static int _nfs4_proc_getattr(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fattr *fattr, struct nfs4_label *label);
 static int nfs4_do_setattr(struct inode *inode, struct rpc_cred *cred,
 			    struct nfs_fattr *fattr, struct iattr *sattr,
-			    struct nfs4_state *state);
+			    struct nfs4_state *state, struct nfs4_label *ilabel,
+			    struct nfs4_label *olabel);
 #ifdef CONFIG_NFS_V4_1
 static int nfs41_test_stateid(struct nfs_server *, nfs4_stateid *);
 static int nfs41_free_stateid(struct nfs_server *, nfs4_stateid *);
@@ -826,6 +827,7 @@ struct nfs4_opendata {
 	struct nfs4_string owner_name;
 	struct nfs4_string group_name;
 	struct nfs_fattr f_attr;
+	struct nfs4_label *f_label;
 	struct dentry *dir;
 	struct dentry *dentry;
 	struct nfs4_state_owner *owner;
@@ -841,6 +843,7 @@ struct nfs4_opendata {
 static void nfs4_init_opendata_res(struct nfs4_opendata *p)
 {
 	p->o_res.f_attr = &p->f_attr;
+	p->o_res.f_label = p->f_label;
 	p->o_res.seqid = p->o_arg.seqid;
 	p->c_res.seqid = p->c_arg.seqid;
 	p->o_res.server = p->o_arg.server;
@@ -851,7 +854,7 @@ static void nfs4_init_opendata_res(struct nfs4_opendata *p)
 
 static struct nfs4_opendata *nfs4_opendata_alloc(struct dentry *dentry,
 		struct nfs4_state_owner *sp, fmode_t fmode, int flags,
-		const struct iattr *attrs,
+		const struct iattr *attrs, struct nfs4_label *label,
 		gfp_t gfp_mask)
 {
 	struct dentry *parent = dget_parent(dentry);
@@ -889,6 +892,7 @@ static struct nfs4_opendata *nfs4_opendata_alloc(struct dentry *dentry,
 	p->o_arg.bitmask = server->attr_bitmask;
 	p->o_arg.open_bitmap = &nfs4_fattr_bitmap[0];
 	p->o_arg.claim = NFS4_OPEN_CLAIM_NULL;
+	p->o_arg.label = label;
 	if (attrs != NULL && attrs->ia_valid != 0) {
 		__be32 verf[2];
 
@@ -1190,7 +1194,7 @@ _nfs4_opendata_reclaim_to_nfs4_state(struct nfs4_opendata *data)
 	if (state == NULL)
 		goto err;
 
-	ret = nfs_refresh_inode(inode, &data->f_attr);
+	ret = nfs_refresh_inode(inode, &data->f_attr, data->f_label);
 	if (ret)
 		goto err;
 
@@ -1220,7 +1224,7 @@ _nfs4_opendata_to_nfs4_state(struct nfs4_opendata *data)
 	ret = -EAGAIN;
 	if (!(data->f_attr.valid & NFS_ATTR_FATTR))
 		goto err;
-	inode = nfs_fhget(data->dir->d_sb, &data->o_res.fh, &data->f_attr);
+	inode = nfs_fhget(data->dir->d_sb, &data->o_res.fh, &data->f_attr, data->f_label);
 	ret = PTR_ERR(inode);
 	if (IS_ERR(inode))
 		goto err;
@@ -1270,7 +1274,7 @@ static struct nfs4_opendata *nfs4_open_recoverdata_alloc(struct nfs_open_context
 {
 	struct nfs4_opendata *opendata;
 
-	opendata = nfs4_opendata_alloc(ctx->dentry, state->owner, 0, 0, NULL, GFP_NOFS);
+	opendata = nfs4_opendata_alloc(ctx->dentry, state->owner, 0, 0, NULL, NULL, GFP_NOFS);
 	if (opendata == NULL)
 		return ERR_PTR(-ENOMEM);
 	opendata->state = state;
@@ -1788,7 +1792,7 @@ static int _nfs4_proc_open(struct nfs4_opendata *data)
 			return status;
 	}
 	if (!(o_res->f_attr->valid & NFS_ATTR_FATTR))
-		_nfs4_proc_getattr(server, &o_res->fh, o_res->f_attr);
+		_nfs4_proc_getattr(server, &o_res->fh, o_res->f_attr, o_res->f_label);
 	return 0;
 }
 
@@ -1965,6 +1969,7 @@ static int _nfs4_do_open(struct inode *dir,
 			fmode_t fmode,
 			int flags,
 			struct iattr *sattr,
+			struct nfs4_label *label,
 			struct rpc_cred *cred,
 			struct nfs4_state **res,
 			struct nfs4_threshold **ctx_th)
@@ -1973,6 +1978,7 @@ static int _nfs4_do_open(struct inode *dir,
 	struct nfs4_state     *state = NULL;
 	struct nfs_server       *server = NFS_SERVER(dir);
 	struct nfs4_opendata *opendata;
+	struct nfs4_label *olabel = NULL;
 	int status;
 
 	/* Protect against reboot recovery conflicts */
@@ -1988,7 +1994,7 @@ static int _nfs4_do_open(struct inode *dir,
 	if (dentry->d_inode != NULL)
 		nfs4_return_incompatible_delegation(dentry->d_inode, fmode);
 	status = -ENOMEM;
-	opendata = nfs4_opendata_alloc(dentry, sp, fmode, flags, sattr, GFP_KERNEL);
+	opendata = nfs4_opendata_alloc(dentry, sp, fmode, flags, sattr, label, GFP_KERNEL);
 	if (opendata == NULL)
 		goto err_put_state_owner;
 
@@ -2022,10 +2028,11 @@ static int _nfs4_do_open(struct inode *dir,
 		nfs_fattr_init(opendata->o_res.f_attr);
 		status = nfs4_do_setattr(state->inode, cred,
 				opendata->o_res.f_attr, sattr,
-				state);
-		if (status == 0)
+				state, label, olabel);
+		if (status == 0) {
 			nfs_setattr_update_inode(state->inode, sattr);
-		nfs_post_op_update_inode(state->inode, opendata->o_res.f_attr);
+			nfs_post_op_update_inode(state->inode, opendata->o_res.f_attr, olabel);
+		}
 	}
 
 	if (pnfs_use_threshold(ctx_th, opendata->f_attr.mdsthreshold, server))
@@ -2054,6 +2061,7 @@ static struct nfs4_state *nfs4_do_open(struct inode *dir,
 					fmode_t fmode,
 					int flags,
 					struct iattr *sattr,
+					struct nfs4_label *label,
 					struct rpc_cred *cred,
 					struct nfs4_threshold **ctx_th)
 {
@@ -2063,7 +2071,7 @@ static struct nfs4_state *nfs4_do_open(struct inode *dir,
 
 	fmode &= FMODE_READ|FMODE_WRITE|FMODE_EXEC;
 	do {
-		status = _nfs4_do_open(dir, dentry, fmode, flags, sattr, cred,
+		status = _nfs4_do_open(dir, dentry, fmode, flags, sattr, label, cred,
 				       &res, ctx_th);
 		if (status == 0)
 			break;
@@ -2108,7 +2116,8 @@ static struct nfs4_state *nfs4_do_open(struct inode *dir,
 
 static int _nfs4_do_setattr(struct inode *inode, struct rpc_cred *cred,
 			    struct nfs_fattr *fattr, struct iattr *sattr,
-			    struct nfs4_state *state)
+			    struct nfs4_state *state, struct nfs4_label *ilabel,
+			    struct nfs4_label *olabel)
 {
 	struct nfs_server *server = NFS_SERVER(inode);
         struct nfs_setattrargs  arg = {
@@ -2116,9 +2125,11 @@ static int _nfs4_do_setattr(struct inode *inode, struct rpc_cred *cred,
                 .iap            = sattr,
 		.server		= server,
 		.bitmask = server->attr_bitmask,
+		.label		= ilabel,
         };
         struct nfs_setattrres  res = {
 		.fattr		= fattr,
+		.label		= olabel,
 		.server		= server,
         };
         struct rpc_message msg = {
@@ -2153,7 +2164,8 @@ static int _nfs4_do_setattr(struct inode *inode, struct rpc_cred *cred,
 
 static int nfs4_do_setattr(struct inode *inode, struct rpc_cred *cred,
 			   struct nfs_fattr *fattr, struct iattr *sattr,
-			   struct nfs4_state *state)
+			   struct nfs4_state *state, struct nfs4_label *ilabel,
+			   struct nfs4_label *olabel)
 {
 	struct nfs_server *server = NFS_SERVER(inode);
 	struct nfs4_exception exception = {
@@ -2162,7 +2174,7 @@ static int nfs4_do_setattr(struct inode *inode, struct rpc_cred *cred,
 	};
 	int err;
 	do {
-		err = _nfs4_do_setattr(inode, cred, fattr, sattr, state);
+		err = _nfs4_do_setattr(inode, cred, fattr, sattr, state, ilabel, olabel);
 		switch (err) {
 		case -NFS4ERR_OPENMODE:
 			if (state && !(state->state & FMODE_WRITE)) {
@@ -2249,7 +2261,7 @@ static void nfs4_close_done(struct rpc_task *task, void *data)
 				rpc_restart_call_prepare(task);
 	}
 	nfs_release_seqid(calldata->arg.seqid);
-	nfs_refresh_inode(calldata->inode, calldata->res.fattr);
+	nfs_refresh_inode(calldata->inode, calldata->res.fattr, NULL);
 	dprintk("%s: done, ret = %d!\n", __func__, task->tk_status);
 }
 
@@ -2386,9 +2398,10 @@ static struct inode *
 nfs4_atomic_open(struct inode *dir, struct nfs_open_context *ctx, int open_flags, struct iattr *attr)
 {
 	struct nfs4_state *state;
+	struct nfs4_label l, *label = NULL;
 
 	/* Protect against concurrent sillydeletes */
-	state = nfs4_do_open(dir, ctx->dentry, ctx->mode, open_flags, attr,
+	state = nfs4_do_open(dir, ctx->dentry, ctx->mode, open_flags, attr, label,
 			     ctx->cred, &ctx->mdsthreshold);
 	if (IS_ERR(state))
 		return ERR_CAST(state);
@@ -2586,6 +2599,7 @@ static int nfs4_proc_get_root(struct nfs_server *server, struct nfs_fh *mntfh,
 {
 	int error;
 	struct nfs_fattr *fattr = info->fattr;
+	struct nfs4_label *label = NULL;
 
 	error = nfs4_server_capabilities(server, mntfh);
 	if (error < 0) {
@@ -2593,7 +2607,7 @@ static int nfs4_proc_get_root(struct nfs_server *server, struct nfs_fh *mntfh,
 		return error;
 	}
 
-	error = nfs4_proc_getattr(server, mntfh, fattr);
+	error = nfs4_proc_getattr(server, mntfh, fattr, label);
 	if (error < 0) {
 		dprintk("nfs4_get_root: getattr error = %d\n", -error);
 		return error;
@@ -2649,7 +2663,8 @@ out:
 	return status;
 }
 
-static int _nfs4_proc_getattr(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fattr *fattr)
+static int _nfs4_proc_getattr(struct nfs_server *server, struct nfs_fh *fhandle,
+				struct nfs_fattr *fattr, struct nfs4_label *label)
 {
 	struct nfs4_getattr_arg args = {
 		.fh = fhandle,
@@ -2657,6 +2672,7 @@ static int _nfs4_proc_getattr(struct nfs_server *server, struct nfs_fh *fhandle,
 	};
 	struct nfs4_getattr_res res = {
 		.fattr = fattr,
+		.label = label,
 		.server = server,
 	};
 	struct rpc_message msg = {
@@ -2669,13 +2685,14 @@ static int _nfs4_proc_getattr(struct nfs_server *server, struct nfs_fh *fhandle,
 	return nfs4_call_sync(server->client, server, &msg, &args.seq_args, &res.seq_res, 0);
 }
 
-static int nfs4_proc_getattr(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fattr *fattr)
+static int nfs4_proc_getattr(struct nfs_server *server, struct nfs_fh *fhandle,
+				struct nfs_fattr *fattr, struct nfs4_label *label)
 {
 	struct nfs4_exception exception = { };
 	int err;
 	do {
 		err = nfs4_handle_exception(server,
-				_nfs4_proc_getattr(server, fhandle, fattr),
+				_nfs4_proc_getattr(server, fhandle, fattr, label),
 				&exception);
 	} while (exception.retry);
 	return err;
@@ -2705,6 +2722,7 @@ nfs4_proc_setattr(struct dentry *dentry, struct nfs_fattr *fattr,
 	struct inode *inode = dentry->d_inode;
 	struct rpc_cred *cred = NULL;
 	struct nfs4_state *state = NULL;
+	struct nfs4_label *olabel = NULL;
 	int status;
 
 	if (pnfs_ld_layoutret_on_setattr(inode))
@@ -2731,7 +2749,7 @@ nfs4_proc_setattr(struct dentry *dentry, struct nfs_fattr *fattr,
 		}
 	}
 
-	status = nfs4_do_setattr(inode, cred, fattr, sattr, state);
+	status = nfs4_do_setattr(inode, cred, fattr, sattr, state, NULL, NULL);
 	if (status == 0)
 		nfs_setattr_update_inode(inode, sattr);
 	return status;
@@ -2739,7 +2757,7 @@ nfs4_proc_setattr(struct dentry *dentry, struct nfs_fattr *fattr,
 
 static int _nfs4_proc_lookup(struct rpc_clnt *clnt, struct inode *dir,
 		const struct qstr *name, struct nfs_fh *fhandle,
-		struct nfs_fattr *fattr)
+		struct nfs_fattr *fattr, struct nfs4_label *label)
 {
 	struct nfs_server *server = NFS_SERVER(dir);
 	int		       status;
@@ -2777,13 +2795,13 @@ static void nfs_fixup_secinfo_attributes(struct nfs_fattr *fattr)
 
 static int nfs4_proc_lookup_common(struct rpc_clnt **clnt, struct inode *dir,
 				   struct qstr *name, struct nfs_fh *fhandle,
-				   struct nfs_fattr *fattr)
+				   struct nfs_fattr *fattr, struct nfs4_label *label)
 {
 	struct nfs4_exception exception = { };
 	struct rpc_clnt *client = *clnt;
 	int err;
 	do {
-		err = _nfs4_proc_lookup(client, dir, name, fhandle, fattr);
+		err = _nfs4_proc_lookup(client, dir, name, fhandle, fattr, label);
 		switch (err) {
 		case -NFS4ERR_BADNAME:
 			err = -ENOENT;
@@ -2817,12 +2835,13 @@ out:
 }
 
 static int nfs4_proc_lookup(struct inode *dir, struct qstr *name,
-			    struct nfs_fh *fhandle, struct nfs_fattr *fattr)
+			    struct nfs_fh *fhandle, struct nfs_fattr *fattr,
+			    struct nfs4_label *label)
 {
 	int status;
 	struct rpc_clnt *client = NFS_CLIENT(dir);
 
-	status = nfs4_proc_lookup_common(&client, dir, name, fhandle, fattr);
+	status = nfs4_proc_lookup_common(&client, dir, name, fhandle, fattr, label);
 	if (client != NFS_CLIENT(dir)) {
 		rpc_shutdown_client(client);
 		nfs_fixup_secinfo_attributes(fattr);
@@ -2832,12 +2851,13 @@ static int nfs4_proc_lookup(struct inode *dir, struct qstr *name,
 
 struct rpc_clnt *
 nfs4_proc_lookup_mountpoint(struct inode *dir, struct qstr *name,
-			    struct nfs_fh *fhandle, struct nfs_fattr *fattr)
+			    struct nfs_fh *fhandle, struct nfs_fattr *fattr,
+			    struct nfs4_label *label)
 {
 	int status;
 	struct rpc_clnt *client = rpc_clone_client(NFS_CLIENT(dir));
 
-	status = nfs4_proc_lookup_common(&client, dir, name, fhandle, fattr);
+	status = nfs4_proc_lookup_common(&client, dir, name, fhandle, fattr, label);
 	if (status < 0) {
 		rpc_shutdown_client(client);
 		return ERR_PTR(status);
@@ -2854,6 +2874,7 @@ static int _nfs4_proc_access(struct inode *inode, struct nfs_access_entry *entry
 	};
 	struct nfs4_accessres res = {
 		.server = server,
+		.label = NULL,
 	};
 	struct rpc_message msg = {
 		.rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_ACCESS],
@@ -2888,7 +2909,7 @@ static int _nfs4_proc_access(struct inode *inode, struct nfs_access_entry *entry
 	status = nfs4_call_sync(server->client, server, &msg, &args.seq_args, &res.seq_res, 0);
 	if (!status) {
 		nfs_access_set_mask(entry, res.access);
-		nfs_refresh_inode(inode, res.fattr);
+		nfs_refresh_inode(inode, res.fattr, res.label);
 	}
 	nfs_free_fattr(res.fattr);
 	return status;
@@ -2967,6 +2988,7 @@ static int
 nfs4_proc_create(struct inode *dir, struct dentry *dentry, struct iattr *sattr,
 		 int flags)
 {
+	struct nfs4_label l, *ilabel = NULL;
 	struct nfs_open_context *ctx;
 	struct nfs4_state *state;
 	int status = 0;
@@ -2977,7 +2999,7 @@ nfs4_proc_create(struct inode *dir, struct dentry *dentry, struct iattr *sattr,
 
 	sattr->ia_mode &= ~current_umask();
 	state = nfs4_do_open(dir, dentry, ctx->mode,
-			flags, sattr, ctx->cred,
+			flags, sattr, ilabel, ctx->cred,
 			&ctx->mdsthreshold);
 	d_drop(dentry);
 	if (IS_ERR(state)) {
@@ -3105,6 +3127,8 @@ static int _nfs4_proc_rename(struct inode *old_dir, struct qstr *old_name,
 		.new_dir = NFS_FH(new_dir),
 		.old_name = old_name,
 		.new_name = new_name,
+		.old_label = NULL,
+		.new_label = NULL,
 	};
 	struct nfs_renameres res = {
 		.server = server,
@@ -3149,6 +3173,7 @@ static int _nfs4_proc_link(struct inode *inode, struct inode *dir, struct qstr *
 	};
 	struct nfs4_link_res res = {
 		.server = server,
+		.label = NULL,
 	};
 	struct rpc_message msg = {
 		.rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_LINK],
@@ -3164,7 +3189,7 @@ static int _nfs4_proc_link(struct inode *inode, struct inode *dir, struct qstr *
 	status = nfs4_call_sync(server->client, server, &msg, &arg.seq_args, &res.seq_res, 1);
 	if (!status) {
 		update_changeattr(dir, &res.cinfo);
-		nfs_post_op_update_inode(inode, res.fattr);
+		nfs_post_op_update_inode(inode, res.fattr, res.label);
 	}
 out:
 	nfs_free_fattr(res.fattr);
@@ -3189,6 +3214,7 @@ struct nfs4_createdata {
 	struct nfs4_create_res res;
 	struct nfs_fh fh;
 	struct nfs_fattr fattr;
+	struct nfs4_label *label;
 };
 
 static struct nfs4_createdata *nfs4_alloc_createdata(struct inode *dir,
@@ -3212,6 +3238,7 @@ static struct nfs4_createdata *nfs4_alloc_createdata(struct inode *dir,
 		data->res.server = server;
 		data->res.fh = &data->fh;
 		data->res.fattr = &data->fattr;
+		data->res.label = data->label;
 		nfs_fattr_init(data->res.fattr);
 	}
 	return data;
@@ -3223,7 +3250,7 @@ static int nfs4_do_create(struct inode *dir, struct dentry *dentry, struct nfs4_
 				    &data->arg.seq_args, &data->res.seq_res, 1);
 	if (status == 0) {
 		update_changeattr(dir, &data->res.dir_cinfo);
-		status = nfs_instantiate(dentry, data->res.fh, data->res.fattr);
+		status = nfs_instantiate(dentry, data->res.fh, data->res.fattr, data->res.label);
 	}
 	return status;
 }
@@ -3234,7 +3261,8 @@ static void nfs4_free_createdata(struct nfs4_createdata *data)
 }
 
 static int _nfs4_proc_symlink(struct inode *dir, struct dentry *dentry,
-		struct page *page, unsigned int len, struct iattr *sattr)
+		struct page *page, unsigned int len, struct iattr *sattr,
+		struct nfs4_label *label)
 {
 	struct nfs4_createdata *data;
 	int status = -ENAMETOOLONG;
@@ -3250,6 +3278,7 @@ static int _nfs4_proc_symlink(struct inode *dir, struct dentry *dentry,
 	data->msg.rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_SYMLINK];
 	data->arg.u.symlink.pages = &page;
 	data->arg.u.symlink.len = len;
+	data->arg.label = label;
 	
 	status = nfs4_do_create(dir, dentry, data);
 
@@ -3262,18 +3291,19 @@ static int nfs4_proc_symlink(struct inode *dir, struct dentry *dentry,
 		struct page *page, unsigned int len, struct iattr *sattr)
 {
 	struct nfs4_exception exception = { };
+	struct nfs4_label l, *label = NULL;
 	int err;
 	do {
 		err = nfs4_handle_exception(NFS_SERVER(dir),
 				_nfs4_proc_symlink(dir, dentry, page,
-							len, sattr),
+							len, sattr, label),
 				&exception);
 	} while (exception.retry);
 	return err;
 }
 
 static int _nfs4_proc_mkdir(struct inode *dir, struct dentry *dentry,
-		struct iattr *sattr)
+		struct iattr *sattr, struct nfs4_label *label)
 {
 	struct nfs4_createdata *data;
 	int status = -ENOMEM;
@@ -3282,6 +3312,7 @@ static int _nfs4_proc_mkdir(struct inode *dir, struct dentry *dentry,
 	if (data == NULL)
 		goto out;
 
+	data->arg.label = label;
 	status = nfs4_do_create(dir, dentry, data);
 
 	nfs4_free_createdata(data);
@@ -3293,12 +3324,13 @@ static int nfs4_proc_mkdir(struct inode *dir, struct dentry *dentry,
 		struct iattr *sattr)
 {
 	struct nfs4_exception exception = { };
+	struct nfs4_label l, *label = NULL;
 	int err;
 
 	sattr->ia_mode &= ~current_umask();
 	do {
 		err = nfs4_handle_exception(NFS_SERVER(dir),
-				_nfs4_proc_mkdir(dir, dentry, sattr),
+				_nfs4_proc_mkdir(dir, dentry, sattr, label),
 				&exception);
 	} while (exception.retry);
 	return err;
@@ -3358,7 +3390,7 @@ static int nfs4_proc_readdir(struct dentry *dentry, struct rpc_cred *cred,
 }
 
 static int _nfs4_proc_mknod(struct inode *dir, struct dentry *dentry,
-		struct iattr *sattr, dev_t rdev)
+		struct iattr *sattr, struct nfs4_label *label, dev_t rdev)
 {
 	struct nfs4_createdata *data;
 	int mode = sattr->ia_mode;
@@ -3383,7 +3415,8 @@ static int _nfs4_proc_mknod(struct inode *dir, struct dentry *dentry,
 		data->arg.u.device.specdata1 = MAJOR(rdev);
 		data->arg.u.device.specdata2 = MINOR(rdev);
 	}
-	
+
+	data->arg.label = label;	
 	status = nfs4_do_create(dir, dentry, data);
 
 	nfs4_free_createdata(data);
@@ -3395,12 +3428,13 @@ static int nfs4_proc_mknod(struct inode *dir, struct dentry *dentry,
 		struct iattr *sattr, dev_t rdev)
 {
 	struct nfs4_exception exception = { };
+	struct nfs4_label l, *label = NULL;
 	int err;
 
 	sattr->ia_mode &= ~current_umask();
 	do {
 		err = nfs4_handle_exception(NFS_SERVER(dir),
-				_nfs4_proc_mknod(dir, dentry, sattr, rdev),
+				_nfs4_proc_mknod(dir, dentry, sattr, label, rdev),
 				&exception);
 	} while (exception.retry);
 	return err;
@@ -4358,7 +4392,7 @@ static int _nfs4_proc_delegreturn(struct inode *inode, struct rpc_cred *cred, co
 	if (status == 0)
 		nfs_post_op_update_inode_force_wcc(inode, &data->fattr);
 	else
-		nfs_refresh_inode(inode, &data->fattr);
+		nfs_refresh_inode(inode, &data->fattr, NULL);
 out:
 	rpc_put_task(task);
 	return status;
diff --git a/fs/nfs/proc.c b/fs/nfs/proc.c
index 50a88c3..b4ae668 100644
--- a/fs/nfs/proc.c
+++ b/fs/nfs/proc.c
@@ -131,7 +131,7 @@ nfs_proc_get_root(struct nfs_server *server, struct nfs_fh *fhandle,
  */
 static int
 nfs_proc_getattr(struct nfs_server *server, struct nfs_fh *fhandle,
-		struct nfs_fattr *fattr)
+		struct nfs_fattr *fattr, struct nfs4_label *label)
 {
 	struct rpc_message msg = {
 		.rpc_proc	= &nfs_procedures[NFSPROC_GETATTR],
@@ -179,7 +179,8 @@ nfs_proc_setattr(struct dentry *dentry, struct nfs_fattr *fattr,
 
 static int
 nfs_proc_lookup(struct inode *dir, struct qstr *name,
-		struct nfs_fh *fhandle, struct nfs_fattr *fattr)
+		struct nfs_fh *fhandle, struct nfs_fattr *fattr,
+		struct nfs4_label *label)
 {
 	struct nfs_diropargs	arg = {
 		.fh		= NFS_FH(dir),
@@ -276,7 +277,7 @@ nfs_proc_create(struct inode *dir, struct dentry *dentry, struct iattr *sattr,
 	status = rpc_call_sync(NFS_CLIENT(dir), &msg, 0);
 	nfs_mark_for_revalidate(dir);
 	if (status == 0)
-		status = nfs_instantiate(dentry, data->res.fh, data->res.fattr);
+		status = nfs_instantiate(dentry, data->res.fh, data->res.fattr, NULL);
 	nfs_free_createdata(data);
 out:
 	dprintk("NFS reply create: %d\n", status);
@@ -323,7 +324,7 @@ nfs_proc_mknod(struct inode *dir, struct dentry *dentry, struct iattr *sattr,
 		status = rpc_call_sync(NFS_CLIENT(dir), &msg, 0);
 	}
 	if (status == 0)
-		status = nfs_instantiate(dentry, data->res.fh, data->res.fattr);
+		status = nfs_instantiate(dentry, data->res.fh, data->res.fattr, NULL);
 	nfs_free_createdata(data);
 out:
 	dprintk("NFS reply mknod: %d\n", status);
@@ -479,7 +480,7 @@ nfs_proc_symlink(struct inode *dir, struct dentry *dentry, struct page *page,
 	 * should fill in the data with a LOOKUP call on the wire.
 	 */
 	if (status == 0)
-		status = nfs_instantiate(dentry, fh, fattr);
+		status = nfs_instantiate(dentry, fh, fattr, NULL);
 
 out_free:
 	nfs_free_fattr(fattr);
@@ -508,7 +509,7 @@ nfs_proc_mkdir(struct inode *dir, struct dentry *dentry, struct iattr *sattr)
 	status = rpc_call_sync(NFS_CLIENT(dir), &msg, 0);
 	nfs_mark_for_revalidate(dir);
 	if (status == 0)
-		status = nfs_instantiate(dentry, data->res.fh, data->res.fattr);
+		status = nfs_instantiate(dentry, data->res.fh, data->res.fattr, NULL);
 	nfs_free_createdata(data);
 out:
 	dprintk("NFS reply mkdir: %d\n", status);
@@ -647,7 +648,7 @@ static int nfs_read_done(struct rpc_task *task, struct nfs_read_data *data)
 
 	nfs_invalidate_atime(inode);
 	if (task->tk_status >= 0) {
-		nfs_refresh_inode(inode, data->res.fattr);
+		nfs_refresh_inode(inode, data->res.fattr, data->res.label);
 		/* Emulate the eof flag, which isn't normally needed in NFSv2
 		 * as it is guaranteed to always return the file attributes
 		 */
diff --git a/include/linux/nfs_fs.h b/include/linux/nfs_fs.h
index 37a862c..c8ace0d 100644
--- a/include/linux/nfs_fs.h
+++ b/include/linux/nfs_fs.h
@@ -328,9 +328,9 @@ extern void nfs_zap_mapping(struct inode *inode, struct address_space *mapping);
 extern void nfs_zap_caches(struct inode *);
 extern void nfs_invalidate_atime(struct inode *);
 extern struct inode *nfs_fhget(struct super_block *, struct nfs_fh *,
-				struct nfs_fattr *);
-extern int nfs_refresh_inode(struct inode *, struct nfs_fattr *);
-extern int nfs_post_op_update_inode(struct inode *inode, struct nfs_fattr *fattr);
+				struct nfs_fattr *, struct nfs4_label *);
+extern int nfs_refresh_inode(struct inode *, struct nfs_fattr *, struct nfs4_label *);
+extern int nfs_post_op_update_inode(struct inode *inode, struct nfs_fattr *fattr, struct nfs4_label *);
 extern int nfs_post_op_update_inode_force_wcc(struct inode *inode, struct nfs_fattr *fattr);
 extern int nfs_getattr(struct vfsmount *, struct dentry *, struct kstat *);
 extern void nfs_access_add_cache(struct inode *, struct nfs_access_entry *);
@@ -460,7 +460,8 @@ extern const struct file_operations nfs_dir_operations;
 extern const struct dentry_operations nfs_dentry_operations;
 
 extern void nfs_force_lookup_revalidate(struct inode *dir);
-extern int nfs_instantiate(struct dentry *dentry, struct nfs_fh *fh, struct nfs_fattr *fattr);
+extern int nfs_instantiate(struct dentry *dentry, struct nfs_fh *fh,
+			struct nfs_fattr *fattr, struct nfs4_label *label);
 extern int nfs_may_open(struct inode *inode, struct rpc_cred *cred, int openflags);
 extern void nfs_access_zap_cache(struct inode *inode);
 
diff --git a/include/linux/nfs_xdr.h b/include/linux/nfs_xdr.h
index 7e9347a..31268c0 100644
--- a/include/linux/nfs_xdr.h
+++ b/include/linux/nfs_xdr.h
@@ -1402,11 +1402,12 @@ struct nfs_rpc_ops {
 	struct dentry *(*try_mount) (int, const char *, struct nfs_mount_info *,
 				     struct nfs_subversion *);
 	int	(*getattr) (struct nfs_server *, struct nfs_fh *,
-			    struct nfs_fattr *);
+			    struct nfs_fattr *, struct nfs4_label *);
 	int	(*setattr) (struct dentry *, struct nfs_fattr *,
 			    struct iattr *);
 	int	(*lookup)  (struct inode *, struct qstr *,
-			    struct nfs_fh *, struct nfs_fattr *);
+			    struct nfs_fh *, struct nfs_fattr *,
+			    struct nfs4_label *);
 	int	(*access)  (struct inode *, struct nfs_access_entry *);
 	int	(*readlink)(struct inode *, struct page *, unsigned int,
 			    unsigned int);
-- 
1.7.11.7


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[PATCH 10/13] NFS: Add label lifecycle management

[David Quigley]

>From David Quigley <dpquigl@davequigley.com>

This patch adds the lifecycle management for the security label structure
introduced in an earlier patch. The label is not used yet but allocations and
freeing of the structure is handled.

Signed-off-by: Matthew N. Dodd <Matthew.Dodd@sparta.com>
Signed-off-by: Miguel Rodel Felipe <Rodel_FM@dsi.a-star.edu.sg>
Signed-off-by: Phua Eu Gene <PHUA_Eu_Gene@dsi.a-star.edu.sg>
Signed-off-by: Khin Mi Mi Aung <Mi_Mi_AUNG@dsi.a-star.edu.sg>
Signed-off-by: David Quigley <dpquigl@davequigley.com>
---
 fs/nfs/dir.c      |  30 +++++++++++++-
 fs/nfs/getroot.c  |   1 -
 fs/nfs/inode.c    |  13 ++++++
 fs/nfs/nfs4proc.c | 116 +++++++++++++++++++++++++++++++++++++++++++++++++++++-
 4 files changed, 156 insertions(+), 4 deletions(-)

diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c
index 1339e44..561d2fb 100644
--- a/fs/nfs/dir.c
+++ b/fs/nfs/dir.c
@@ -581,7 +581,8 @@ int nfs_readdir_xdr_to_array(nfs_readdir_descriptor_t *desc, struct page *page,
 	entry.fh = nfs_alloc_fhandle();
 	entry.fattr = nfs_alloc_fattr();
 	entry.server = NFS_SERVER(inode);
-	if (entry.fh == NULL || entry.fattr == NULL)
+	entry.label = nfs4_label_alloc(GFP_NOWAIT);
+	if (entry.fh == NULL || entry.fattr == NULL || entry.label == NULL)
 		goto out;
 
 	array = nfs_readdir_get_array(page);
@@ -616,6 +617,7 @@ out_release_array:
 out:
 	nfs_free_fattr(entry.fattr);
 	nfs_free_fhandle(entry.fh);
+	nfs4_label_free(entry.label);
 	return status;
 }
 
@@ -1077,6 +1079,14 @@ static int nfs_lookup_revalidate(struct dentry *dentry, unsigned int flags)
 	if (fhandle == NULL || fattr == NULL)
 		goto out_error;
 
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (nfs_server_capable(dir, NFS_CAP_SECURITY_LABEL)) {
+		label = nfs4_label_alloc(GFP_NOWAIT);
+		if (label == NULL)
+			goto out_error;
+	}
+#endif
+
 	error = NFS_PROTO(dir)->lookup(dir, &dentry->d_name, fhandle, fattr, label);
 	if (error)
 		goto out_bad;
@@ -1087,6 +1097,12 @@ static int nfs_lookup_revalidate(struct dentry *dentry, unsigned int flags)
 
 	nfs_free_fattr(fattr);
 	nfs_free_fhandle(fhandle);
+
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (nfs_server_capable(dir, NFS_CAP_SECURITY_LABEL))
+		nfs4_label_free(label);
+#endif
+
 out_set_verifier:
 	nfs_set_verifier(dentry, nfs_save_change_attribute(dir));
  out_valid:
@@ -1123,6 +1139,7 @@ out_zap_parent:
 out_error:
 	nfs_free_fattr(fattr);
 	nfs_free_fhandle(fhandle);
+	nfs4_label_free(label);
 	dput(parent);
 	dfprintk(LOOKUPCACHE, "NFS: %s(%s/%s) lookup returned error %d\n",
 			__func__, dentry->d_parent->d_name.name,
@@ -1235,6 +1252,13 @@ struct dentry *nfs_lookup(struct inode *dir, struct dentry * dentry, unsigned in
 	if (fhandle == NULL || fattr == NULL)
 		goto out;
 
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (nfs_server_capable(dir, NFS_CAP_SECURITY_LABEL)) {
+		label = nfs4_label_alloc(GFP_NOWAIT);
+		if (label == NULL)
+			goto out;
+	}
+#endif
 	parent = dentry->d_parent;
 	/* Protect against concurrent sillydeletes */
 	nfs_block_sillyrename(parent);
@@ -1264,6 +1288,10 @@ no_entry:
 out_unblock_sillyrename:
 	nfs_unblock_sillyrename(parent);
 out:
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (nfs_server_capable(dir, NFS_CAP_SECURITY_LABEL))
+		nfs4_label_free(label);
+#endif
 	nfs_free_fattr(fattr);
 	nfs_free_fhandle(fhandle);
 	return res;
diff --git a/fs/nfs/getroot.c b/fs/nfs/getroot.c
index 3b68bb6..14bd667 100644
--- a/fs/nfs/getroot.c
+++ b/fs/nfs/getroot.c
@@ -75,7 +75,6 @@ struct dentry *nfs_get_root(struct super_block *sb, struct nfs_fh *mntfh,
 	struct nfs_fsinfo fsinfo;
 	struct dentry *ret;
 	struct inode *inode;
-	struct nfs4_label *label = NULL;
 	void *name = kstrdup(devname, GFP_KERNEL);
 	int error;
 
diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c
index daca08c..ab08d0d 100644
--- a/fs/nfs/inode.c
+++ b/fs/nfs/inode.c
@@ -835,6 +835,15 @@ __nfs_revalidate_inode(struct nfs_server *server, struct inode *inode)
 		goto out;
 
 	nfs_inc_stats(inode, NFSIOS_INODEREVALIDATE);
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (nfs_server_capable(inode, NFS_CAP_SECURITY_LABEL)) {
+		label = nfs4_label_alloc(GFP_KERNEL);
+		if (label == NULL) {
+			status = -ENOMEM;
+			goto out;
+		}
+	}
+#endif
 	status = NFS_PROTO(inode)->getattr(server, NFS_FH(inode), fattr, label);
 	if (status != 0) {
 		dfprintk(PAGECACHE, "nfs_revalidate_inode: (%s/%Ld) getattr failed, error=%d\n",
@@ -864,6 +873,10 @@ __nfs_revalidate_inode(struct nfs_server *server, struct inode *inode)
 		(long long)NFS_FILEID(inode));
 
  out:
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (nfs_server_capable(inode, NFS_CAP_SECURITY_LABEL))
+		nfs4_label_free(label);
+#endif
 	nfs_free_fattr(fattr);
 	return status;
 }
diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
index 8e0378c..4ab2738 100644
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -865,9 +865,16 @@ static struct nfs4_opendata *nfs4_opendata_alloc(struct dentry *dentry,
 	p = kzalloc(sizeof(*p), gfp_mask);
 	if (p == NULL)
 		goto err;
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (server->caps & NFS_CAP_SECURITY_LABEL) {
+		p->f_label = nfs4_label_alloc(gfp_mask);
+		if (p->f_label == NULL)
+			goto err_free_p;
+	}
+#endif
 	p->o_arg.seqid = nfs_alloc_seqid(&sp->so_seqid, gfp_mask);
 	if (p->o_arg.seqid == NULL)
-		goto err_free;
+		goto err_free_label;
 	nfs_sb_active(dentry->d_sb);
 	p->dentry = dget(dentry);
 	p->dir = parent;
@@ -910,7 +917,13 @@ static struct nfs4_opendata *nfs4_opendata_alloc(struct dentry *dentry,
 	nfs4_init_opendata_res(p);
 	kref_init(&p->kref);
 	return p;
-err_free:
+
+err_free_label:
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (server->caps & NFS_CAP_SECURITY_LABEL)
+		nfs4_label_free(p->f_label);
+#endif
+err_free_p:
 	kfree(p);
 err:
 	dput(parent);
@@ -927,6 +940,10 @@ static void nfs4_opendata_free(struct kref *kref)
 	if (p->state != NULL)
 		nfs4_put_open_state(p->state);
 	nfs4_put_state_owner(p->owner);
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (p->o_arg.server->caps & NFS_CAP_SECURITY_LABEL)
+		nfs4_label_free(p->f_label);
+#endif
 	dput(p->dir);
 	dput(p->dentry);
 	nfs_sb_deactive(sb);
@@ -1998,6 +2015,16 @@ static int _nfs4_do_open(struct inode *dir,
 	if (opendata == NULL)
 		goto err_put_state_owner;
 
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (label && nfs_server_capable(dir, NFS_CAP_SECURITY_LABEL)) {
+		olabel = nfs4_label_alloc(GFP_KERNEL);
+		if (olabel == NULL) {
+			status = -ENOMEM;
+			goto err_opendata_put;
+		}
+	}
+#endif
+
 	if (ctx_th && server->attr_bitmask[2] & FATTR4_WORD2_MDSTHRESHOLD) {
 		opendata->f_attr.mdsthreshold = pnfs_mdsthreshold_alloc();
 		if (!opendata->f_attr.mdsthreshold)
@@ -2041,6 +2068,10 @@ static int _nfs4_do_open(struct inode *dir,
 		kfree(opendata->f_attr.mdsthreshold);
 	opendata->f_attr.mdsthreshold = NULL;
 
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (nfs_server_capable(dir, NFS_CAP_SECURITY_LABEL))
+		nfs4_label_free(olabel);
+#endif
 	nfs4_opendata_put(opendata);
 	nfs4_put_state_owner(sp);
 	*res = state;
@@ -2607,6 +2638,12 @@ static int nfs4_proc_get_root(struct nfs_server *server, struct nfs_fh *mntfh,
 		return error;
 	}
 
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	label = nfs4_label_alloc(GFP_KERNEL);
+	if (label == NULL)
+		return -ENOMEM;
+#endif
+
 	error = nfs4_proc_getattr(server, mntfh, fattr, label);
 	if (error < 0) {
 		dprintk("nfs4_get_root: getattr error = %d\n", -error);
@@ -2617,6 +2654,11 @@ static int nfs4_proc_get_root(struct nfs_server *server, struct nfs_fh *mntfh,
 	    !nfs_fsid_equal(&server->fsid, &fattr->fsid))
 		memcpy(&server->fsid, &fattr->fsid, sizeof(server->fsid));
 
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (server->caps & NFS_CAP_SECURITY_LABEL)
+		nfs4_label_free(label);
+#endif
+
 	return error;
 }
 
@@ -2728,6 +2770,10 @@ nfs4_proc_setattr(struct dentry *dentry, struct nfs_fattr *fattr,
 	if (pnfs_ld_layoutret_on_setattr(inode))
 		pnfs_return_layout(inode);
 
+	olabel = nfs4_label_alloc(GFP_KERNEL);
+	if (olabel == NULL)
+		return -ENOMEM;
+
 	nfs_fattr_init(fattr);
 	
 	/* Deal with open(O_TRUNC) */
@@ -2905,12 +2951,27 @@ static int _nfs4_proc_access(struct inode *inode, struct nfs_access_entry *entry
 	res.fattr = nfs_alloc_fattr();
 	if (res.fattr == NULL)
 		return -ENOMEM;
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (server->caps & NFS_CAP_SECURITY_LABEL) {
+		res.label = nfs4_label_alloc(GFP_KERNEL);
+		if (res.label == NULL) {
+			status = -ENOMEM;
+			goto out;
+		}
+	}
+#endif
 
 	status = nfs4_call_sync(server->client, server, &msg, &args.seq_args, &res.seq_res, 0);
 	if (!status) {
 		nfs_access_set_mask(entry, res.access);
 		nfs_refresh_inode(inode, res.fattr, res.label);
 	}
+
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (server->caps & NFS_CAP_SECURITY_LABEL)
+		nfs4_label_free(res.label);
+#endif
+out:
 	nfs_free_fattr(res.fattr);
 	return status;
 }
@@ -3034,6 +3095,7 @@ static int _nfs4_proc_remove(struct inode *dir, struct qstr *name)
 	status = nfs4_call_sync(server->client, server, &msg, &args.seq_args, &res.seq_res, 1);
 	if (status == 0)
 		update_changeattr(dir, &res.cinfo);
+
 	return status;
 }
 
@@ -3079,6 +3141,7 @@ static int nfs4_proc_unlink_done(struct rpc_task *task, struct inode *dir)
 	if (nfs4_async_handle_error(task, res->server, NULL) == -EAGAIN)
 		return 0;
 	update_changeattr(dir, &res->cinfo);
+
 	return 1;
 }
 
@@ -3139,12 +3202,33 @@ static int _nfs4_proc_rename(struct inode *old_dir, struct qstr *old_name,
 		.rpc_resp = &res,
 	};
 	int status = -ENOMEM;
+
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (server->caps & NFS_CAP_SECURITY_LABEL) {
+		res.old_label = nfs4_label_alloc(GFP_NOWAIT);
+		if (res.old_label == NULL)
+			goto out;
+		res.new_label = nfs4_label_alloc(GFP_NOWAIT);
+		if (res.new_label == NULL) {
+			nfs4_label_free(res.old_label);
+			goto out;
+		}
+	}
+#endif
 	
 	status = nfs4_call_sync(server->client, server, &msg, &arg.seq_args, &res.seq_res, 1);
 	if (!status) {
 		update_changeattr(old_dir, &res.old_cinfo);
 		update_changeattr(new_dir, &res.new_cinfo);
 	}
+
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (server->caps & NFS_CAP_SECURITY_LABEL) {
+		nfs4_label_free(res.old_label);
+		nfs4_label_free(res.new_label);
+	}
+#endif
+out:
 	return status;
 }
 
@@ -3186,11 +3270,25 @@ static int _nfs4_proc_link(struct inode *inode, struct inode *dir, struct qstr *
 	if (res.fattr == NULL)
 		goto out;
 
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (server->caps & NFS_CAP_SECURITY_LABEL) {
+		res.label = nfs4_label_alloc(GFP_KERNEL);
+		if (res.label == NULL)
+			goto out;
+	}
+#endif
+
 	status = nfs4_call_sync(server->client, server, &msg, &arg.seq_args, &res.seq_res, 1);
 	if (!status) {
 		update_changeattr(dir, &res.cinfo);
 		nfs_post_op_update_inode(inode, res.fattr, res.label);
 	}
+
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (server->caps & NFS_CAP_SECURITY_LABEL)
+		nfs4_label_free(res.label);
+#endif
+
 out:
 	nfs_free_fattr(res.fattr);
 	return status;
@@ -3226,6 +3324,13 @@ static struct nfs4_createdata *nfs4_alloc_createdata(struct inode *dir,
 	if (data != NULL) {
 		struct nfs_server *server = NFS_SERVER(dir);
 
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+		if (server->caps & NFS_CAP_SECURITY_LABEL) {
+			data->label = nfs4_label_alloc(GFP_KERNEL);
+			if (data->label == NULL)
+				goto out_free;
+		}
+#endif
 		data->msg.rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_CREATE];
 		data->msg.rpc_argp = &data->arg;
 		data->msg.rpc_resp = &data->res;
@@ -3242,6 +3347,9 @@ static struct nfs4_createdata *nfs4_alloc_createdata(struct inode *dir,
 		nfs_fattr_init(data->res.fattr);
 	}
 	return data;
+out_free:
+	kfree(data);
+	return NULL;
 }
 
 static int nfs4_do_create(struct inode *dir, struct dentry *dentry, struct nfs4_createdata *data)
@@ -3257,6 +3365,10 @@ static int nfs4_do_create(struct inode *dir, struct dentry *dentry, struct nfs4_
 
 static void nfs4_free_createdata(struct nfs4_createdata *data)
 {
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (data->arg.server->caps & NFS_CAP_SECURITY_LABEL)
+		nfs4_label_free(data->label);
+#endif
 	kfree(data);
 }
 
-- 
1.7.11.7

[PATCH 10/13] NFS: Add label lifecycle management

[David Quigley]

>From David Quigley <dpquigl@davequigley.com>

This patch adds the lifecycle management for the security label structure
introduced in an earlier patch. The label is not used yet but allocations and
freeing of the structure is handled.

Signed-off-by: Matthew N. Dodd <Matthew.Dodd@sparta.com>
Signed-off-by: Miguel Rodel Felipe <Rodel_FM@dsi.a-star.edu.sg>
Signed-off-by: Phua Eu Gene <PHUA_Eu_Gene@dsi.a-star.edu.sg>
Signed-off-by: Khin Mi Mi Aung <Mi_Mi_AUNG@dsi.a-star.edu.sg>
Signed-off-by: David Quigley <dpquigl@davequigley.com>
---
 fs/nfs/dir.c      |  30 +++++++++++++-
 fs/nfs/getroot.c  |   1 -
 fs/nfs/inode.c    |  13 ++++++
 fs/nfs/nfs4proc.c | 116 +++++++++++++++++++++++++++++++++++++++++++++++++++++-
 4 files changed, 156 insertions(+), 4 deletions(-)

diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c
index 1339e44..561d2fb 100644
--- a/fs/nfs/dir.c
+++ b/fs/nfs/dir.c
@@ -581,7 +581,8 @@ int nfs_readdir_xdr_to_array(nfs_readdir_descriptor_t *desc, struct page *page,
 	entry.fh = nfs_alloc_fhandle();
 	entry.fattr = nfs_alloc_fattr();
 	entry.server = NFS_SERVER(inode);
-	if (entry.fh == NULL || entry.fattr == NULL)
+	entry.label = nfs4_label_alloc(GFP_NOWAIT);
+	if (entry.fh == NULL || entry.fattr == NULL || entry.label == NULL)
 		goto out;
 
 	array = nfs_readdir_get_array(page);
@@ -616,6 +617,7 @@ out_release_array:
 out:
 	nfs_free_fattr(entry.fattr);
 	nfs_free_fhandle(entry.fh);
+	nfs4_label_free(entry.label);
 	return status;
 }
 
@@ -1077,6 +1079,14 @@ static int nfs_lookup_revalidate(struct dentry *dentry, unsigned int flags)
 	if (fhandle == NULL || fattr == NULL)
 		goto out_error;
 
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (nfs_server_capable(dir, NFS_CAP_SECURITY_LABEL)) {
+		label = nfs4_label_alloc(GFP_NOWAIT);
+		if (label == NULL)
+			goto out_error;
+	}
+#endif
+
 	error = NFS_PROTO(dir)->lookup(dir, &dentry->d_name, fhandle, fattr, label);
 	if (error)
 		goto out_bad;
@@ -1087,6 +1097,12 @@ static int nfs_lookup_revalidate(struct dentry *dentry, unsigned int flags)
 
 	nfs_free_fattr(fattr);
 	nfs_free_fhandle(fhandle);
+
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (nfs_server_capable(dir, NFS_CAP_SECURITY_LABEL))
+		nfs4_label_free(label);
+#endif
+
 out_set_verifier:
 	nfs_set_verifier(dentry, nfs_save_change_attribute(dir));
  out_valid:
@@ -1123,6 +1139,7 @@ out_zap_parent:
 out_error:
 	nfs_free_fattr(fattr);
 	nfs_free_fhandle(fhandle);
+	nfs4_label_free(label);
 	dput(parent);
 	dfprintk(LOOKUPCACHE, "NFS: %s(%s/%s) lookup returned error %d\n",
 			__func__, dentry->d_parent->d_name.name,
@@ -1235,6 +1252,13 @@ struct dentry *nfs_lookup(struct inode *dir, struct dentry * dentry, unsigned in
 	if (fhandle == NULL || fattr == NULL)
 		goto out;
 
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (nfs_server_capable(dir, NFS_CAP_SECURITY_LABEL)) {
+		label = nfs4_label_alloc(GFP_NOWAIT);
+		if (label == NULL)
+			goto out;
+	}
+#endif
 	parent = dentry->d_parent;
 	/* Protect against concurrent sillydeletes */
 	nfs_block_sillyrename(parent);
@@ -1264,6 +1288,10 @@ no_entry:
 out_unblock_sillyrename:
 	nfs_unblock_sillyrename(parent);
 out:
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (nfs_server_capable(dir, NFS_CAP_SECURITY_LABEL))
+		nfs4_label_free(label);
+#endif
 	nfs_free_fattr(fattr);
 	nfs_free_fhandle(fhandle);
 	return res;
diff --git a/fs/nfs/getroot.c b/fs/nfs/getroot.c
index 3b68bb6..14bd667 100644
--- a/fs/nfs/getroot.c
+++ b/fs/nfs/getroot.c
@@ -75,7 +75,6 @@ struct dentry *nfs_get_root(struct super_block *sb, struct nfs_fh *mntfh,
 	struct nfs_fsinfo fsinfo;
 	struct dentry *ret;
 	struct inode *inode;
-	struct nfs4_label *label = NULL;
 	void *name = kstrdup(devname, GFP_KERNEL);
 	int error;
 
diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c
index daca08c..ab08d0d 100644
--- a/fs/nfs/inode.c
+++ b/fs/nfs/inode.c
@@ -835,6 +835,15 @@ __nfs_revalidate_inode(struct nfs_server *server, struct inode *inode)
 		goto out;
 
 	nfs_inc_stats(inode, NFSIOS_INODEREVALIDATE);
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (nfs_server_capable(inode, NFS_CAP_SECURITY_LABEL)) {
+		label = nfs4_label_alloc(GFP_KERNEL);
+		if (label == NULL) {
+			status = -ENOMEM;
+			goto out;
+		}
+	}
+#endif
 	status = NFS_PROTO(inode)->getattr(server, NFS_FH(inode), fattr, label);
 	if (status != 0) {
 		dfprintk(PAGECACHE, "nfs_revalidate_inode: (%s/%Ld) getattr failed, error=%d\n",
@@ -864,6 +873,10 @@ __nfs_revalidate_inode(struct nfs_server *server, struct inode *inode)
 		(long long)NFS_FILEID(inode));
 
  out:
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (nfs_server_capable(inode, NFS_CAP_SECURITY_LABEL))
+		nfs4_label_free(label);
+#endif
 	nfs_free_fattr(fattr);
 	return status;
 }
diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
index 8e0378c..4ab2738 100644
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -865,9 +865,16 @@ static struct nfs4_opendata *nfs4_opendata_alloc(struct dentry *dentry,
 	p = kzalloc(sizeof(*p), gfp_mask);
 	if (p == NULL)
 		goto err;
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (server->caps & NFS_CAP_SECURITY_LABEL) {
+		p->f_label = nfs4_label_alloc(gfp_mask);
+		if (p->f_label == NULL)
+			goto err_free_p;
+	}
+#endif
 	p->o_arg.seqid = nfs_alloc_seqid(&sp->so_seqid, gfp_mask);
 	if (p->o_arg.seqid == NULL)
-		goto err_free;
+		goto err_free_label;
 	nfs_sb_active(dentry->d_sb);
 	p->dentry = dget(dentry);
 	p->dir = parent;
@@ -910,7 +917,13 @@ static struct nfs4_opendata *nfs4_opendata_alloc(struct dentry *dentry,
 	nfs4_init_opendata_res(p);
 	kref_init(&p->kref);
 	return p;
-err_free:
+
+err_free_label:
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (server->caps & NFS_CAP_SECURITY_LABEL)
+		nfs4_label_free(p->f_label);
+#endif
+err_free_p:
 	kfree(p);
 err:
 	dput(parent);
@@ -927,6 +940,10 @@ static void nfs4_opendata_free(struct kref *kref)
 	if (p->state != NULL)
 		nfs4_put_open_state(p->state);
 	nfs4_put_state_owner(p->owner);
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (p->o_arg.server->caps & NFS_CAP_SECURITY_LABEL)
+		nfs4_label_free(p->f_label);
+#endif
 	dput(p->dir);
 	dput(p->dentry);
 	nfs_sb_deactive(sb);
@@ -1998,6 +2015,16 @@ static int _nfs4_do_open(struct inode *dir,
 	if (opendata == NULL)
 		goto err_put_state_owner;
 
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (label && nfs_server_capable(dir, NFS_CAP_SECURITY_LABEL)) {
+		olabel = nfs4_label_alloc(GFP_KERNEL);
+		if (olabel == NULL) {
+			status = -ENOMEM;
+			goto err_opendata_put;
+		}
+	}
+#endif
+
 	if (ctx_th && server->attr_bitmask[2] & FATTR4_WORD2_MDSTHRESHOLD) {
 		opendata->f_attr.mdsthreshold = pnfs_mdsthreshold_alloc();
 		if (!opendata->f_attr.mdsthreshold)
@@ -2041,6 +2068,10 @@ static int _nfs4_do_open(struct inode *dir,
 		kfree(opendata->f_attr.mdsthreshold);
 	opendata->f_attr.mdsthreshold = NULL;
 
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (nfs_server_capable(dir, NFS_CAP_SECURITY_LABEL))
+		nfs4_label_free(olabel);
+#endif
 	nfs4_opendata_put(opendata);
 	nfs4_put_state_owner(sp);
 	*res = state;
@@ -2607,6 +2638,12 @@ static int nfs4_proc_get_root(struct nfs_server *server, struct nfs_fh *mntfh,
 		return error;
 	}
 
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	label = nfs4_label_alloc(GFP_KERNEL);
+	if (label == NULL)
+		return -ENOMEM;
+#endif
+
 	error = nfs4_proc_getattr(server, mntfh, fattr, label);
 	if (error < 0) {
 		dprintk("nfs4_get_root: getattr error = %d\n", -error);
@@ -2617,6 +2654,11 @@ static int nfs4_proc_get_root(struct nfs_server *server, struct nfs_fh *mntfh,
 	    !nfs_fsid_equal(&server->fsid, &fattr->fsid))
 		memcpy(&server->fsid, &fattr->fsid, sizeof(server->fsid));
 
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (server->caps & NFS_CAP_SECURITY_LABEL)
+		nfs4_label_free(label);
+#endif
+
 	return error;
 }
 
@@ -2728,6 +2770,10 @@ nfs4_proc_setattr(struct dentry *dentry, struct nfs_fattr *fattr,
 	if (pnfs_ld_layoutret_on_setattr(inode))
 		pnfs_return_layout(inode);
 
+	olabel = nfs4_label_alloc(GFP_KERNEL);
+	if (olabel == NULL)
+		return -ENOMEM;
+
 	nfs_fattr_init(fattr);
 	
 	/* Deal with open(O_TRUNC) */
@@ -2905,12 +2951,27 @@ static int _nfs4_proc_access(struct inode *inode, struct nfs_access_entry *entry
 	res.fattr = nfs_alloc_fattr();
 	if (res.fattr == NULL)
 		return -ENOMEM;
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (server->caps & NFS_CAP_SECURITY_LABEL) {
+		res.label = nfs4_label_alloc(GFP_KERNEL);
+		if (res.label == NULL) {
+			status = -ENOMEM;
+			goto out;
+		}
+	}
+#endif
 
 	status = nfs4_call_sync(server->client, server, &msg, &args.seq_args, &res.seq_res, 0);
 	if (!status) {
 		nfs_access_set_mask(entry, res.access);
 		nfs_refresh_inode(inode, res.fattr, res.label);
 	}
+
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (server->caps & NFS_CAP_SECURITY_LABEL)
+		nfs4_label_free(res.label);
+#endif
+out:
 	nfs_free_fattr(res.fattr);
 	return status;
 }
@@ -3034,6 +3095,7 @@ static int _nfs4_proc_remove(struct inode *dir, struct qstr *name)
 	status = nfs4_call_sync(server->client, server, &msg, &args.seq_args, &res.seq_res, 1);
 	if (status == 0)
 		update_changeattr(dir, &res.cinfo);
+
 	return status;
 }
 
@@ -3079,6 +3141,7 @@ static int nfs4_proc_unlink_done(struct rpc_task *task, struct inode *dir)
 	if (nfs4_async_handle_error(task, res->server, NULL) == -EAGAIN)
 		return 0;
 	update_changeattr(dir, &res->cinfo);
+
 	return 1;
 }
 
@@ -3139,12 +3202,33 @@ static int _nfs4_proc_rename(struct inode *old_dir, struct qstr *old_name,
 		.rpc_resp = &res,
 	};
 	int status = -ENOMEM;
+
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (server->caps & NFS_CAP_SECURITY_LABEL) {
+		res.old_label = nfs4_label_alloc(GFP_NOWAIT);
+		if (res.old_label == NULL)
+			goto out;
+		res.new_label = nfs4_label_alloc(GFP_NOWAIT);
+		if (res.new_label == NULL) {
+			nfs4_label_free(res.old_label);
+			goto out;
+		}
+	}
+#endif
 	
 	status = nfs4_call_sync(server->client, server, &msg, &arg.seq_args, &res.seq_res, 1);
 	if (!status) {
 		update_changeattr(old_dir, &res.old_cinfo);
 		update_changeattr(new_dir, &res.new_cinfo);
 	}
+
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (server->caps & NFS_CAP_SECURITY_LABEL) {
+		nfs4_label_free(res.old_label);
+		nfs4_label_free(res.new_label);
+	}
+#endif
+out:
 	return status;
 }
 
@@ -3186,11 +3270,25 @@ static int _nfs4_proc_link(struct inode *inode, struct inode *dir, struct qstr *
 	if (res.fattr == NULL)
 		goto out;
 
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (server->caps & NFS_CAP_SECURITY_LABEL) {
+		res.label = nfs4_label_alloc(GFP_KERNEL);
+		if (res.label == NULL)
+			goto out;
+	}
+#endif
+
 	status = nfs4_call_sync(server->client, server, &msg, &arg.seq_args, &res.seq_res, 1);
 	if (!status) {
 		update_changeattr(dir, &res.cinfo);
 		nfs_post_op_update_inode(inode, res.fattr, res.label);
 	}
+
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (server->caps & NFS_CAP_SECURITY_LABEL)
+		nfs4_label_free(res.label);
+#endif
+
 out:
 	nfs_free_fattr(res.fattr);
 	return status;
@@ -3226,6 +3324,13 @@ static struct nfs4_createdata *nfs4_alloc_createdata(struct inode *dir,
 	if (data != NULL) {
 		struct nfs_server *server = NFS_SERVER(dir);
 
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+		if (server->caps & NFS_CAP_SECURITY_LABEL) {
+			data->label = nfs4_label_alloc(GFP_KERNEL);
+			if (data->label == NULL)
+				goto out_free;
+		}
+#endif
 		data->msg.rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_CREATE];
 		data->msg.rpc_argp = &data->arg;
 		data->msg.rpc_resp = &data->res;
@@ -3242,6 +3347,9 @@ static struct nfs4_createdata *nfs4_alloc_createdata(struct inode *dir,
 		nfs_fattr_init(data->res.fattr);
 	}
 	return data;
+out_free:
+	kfree(data);
+	return NULL;
 }
 
 static int nfs4_do_create(struct inode *dir, struct dentry *dentry, struct nfs4_createdata *data)
@@ -3257,6 +3365,10 @@ static int nfs4_do_create(struct inode *dir, struct dentry *dentry, struct nfs4_
 
 static void nfs4_free_createdata(struct nfs4_createdata *data)
 {
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (data->arg.server->caps & NFS_CAP_SECURITY_LABEL)
+		nfs4_label_free(data->label);
+#endif
 	kfree(data);
 }
 
-- 
1.7.11.7


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH 10/13] NFS: Add label lifecycle management

[J. Bruce Fields]

On Mon, Nov 12, 2012 at 01:15:44AM -0500, David Quigley wrote:
> >From David Quigley <dpquigl@davequigley.com>
> 
> This patch adds the lifecycle management for the security label structure
> introduced in an earlier patch. The label is not used yet but allocations and
> freeing of the structure is handled.
> 
> Signed-off-by: Matthew N. Dodd <Matthew.Dodd@sparta.com>
> Signed-off-by: Miguel Rodel Felipe <Rodel_FM@dsi.a-star.edu.sg>
> Signed-off-by: Phua Eu Gene <PHUA_Eu_Gene@dsi.a-star.edu.sg>
> Signed-off-by: Khin Mi Mi Aung <Mi_Mi_AUNG@dsi.a-star.edu.sg>
> Signed-off-by: David Quigley <dpquigl@davequigley.com>
> ---
>  fs/nfs/dir.c      |  30 +++++++++++++-
>  fs/nfs/getroot.c  |   1 -
>  fs/nfs/inode.c    |  13 ++++++
>  fs/nfs/nfs4proc.c | 116 +++++++++++++++++++++++++++++++++++++++++++++++++++++-
>  4 files changed, 156 insertions(+), 4 deletions(-)
> 
> diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c
> index 1339e44..561d2fb 100644
> --- a/fs/nfs/dir.c
> +++ b/fs/nfs/dir.c
> @@ -581,7 +581,8 @@ int nfs_readdir_xdr_to_array(nfs_readdir_descriptor_t *desc, struct page *page,
>  	entry.fh = nfs_alloc_fhandle();
>  	entry.fattr = nfs_alloc_fattr();
>  	entry.server = NFS_SERVER(inode);
> -	if (entry.fh == NULL || entry.fattr == NULL)
> +	entry.label = nfs4_label_alloc(GFP_NOWAIT);
> +	if (entry.fh == NULL || entry.fattr == NULL || entry.label == NULL)
>  		goto out;
>  
>  	array = nfs_readdir_get_array(page);
> @@ -616,6 +617,7 @@ out_release_array:
>  out:
>  	nfs_free_fattr(entry.fattr);
>  	nfs_free_fhandle(entry.fh);
> +	nfs4_label_free(entry.label);
>  	return status;
>  }
>  
> @@ -1077,6 +1079,14 @@ static int nfs_lookup_revalidate(struct dentry *dentry, unsigned int flags)
>  	if (fhandle == NULL || fattr == NULL)
>  		goto out_error;
>  
> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
> +	if (nfs_server_capable(dir, NFS_CAP_SECURITY_LABEL)) {
> +		label = nfs4_label_alloc(GFP_NOWAIT);
> +		if (label == NULL)
> +			goto out_error;
> +	}
> +#endif

We usually try to avoid sprinkling too many #ifdef's around the code.
Do we really need these?  (E.g. can't we ensure that
nfs_server_capable() will return the right thing when labelled NFS is
compiled out?)

--b.

> +
>  	error = NFS_PROTO(dir)->lookup(dir, &dentry->d_name, fhandle, fattr, label);
>  	if (error)
>  		goto out_bad;
> @@ -1087,6 +1097,12 @@ static int nfs_lookup_revalidate(struct dentry *dentry, unsigned int flags)
>  
>  	nfs_free_fattr(fattr);
>  	nfs_free_fhandle(fhandle);
> +
> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
> +	if (nfs_server_capable(dir, NFS_CAP_SECURITY_LABEL))
> +		nfs4_label_free(label);
> +#endif
> +
>  out_set_verifier:
>  	nfs_set_verifier(dentry, nfs_save_change_attribute(dir));
>   out_valid:
> @@ -1123,6 +1139,7 @@ out_zap_parent:
>  out_error:
>  	nfs_free_fattr(fattr);
>  	nfs_free_fhandle(fhandle);
> +	nfs4_label_free(label);
>  	dput(parent);
>  	dfprintk(LOOKUPCACHE, "NFS: %s(%s/%s) lookup returned error %d\n",
>  			__func__, dentry->d_parent->d_name.name,
> @@ -1235,6 +1252,13 @@ struct dentry *nfs_lookup(struct inode *dir, struct dentry * dentry, unsigned in
>  	if (fhandle == NULL || fattr == NULL)
>  		goto out;
>  
> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
> +	if (nfs_server_capable(dir, NFS_CAP_SECURITY_LABEL)) {
> +		label = nfs4_label_alloc(GFP_NOWAIT);
> +		if (label == NULL)
> +			goto out;
> +	}
> +#endif
>  	parent = dentry->d_parent;
>  	/* Protect against concurrent sillydeletes */
>  	nfs_block_sillyrename(parent);
> @@ -1264,6 +1288,10 @@ no_entry:
>  out_unblock_sillyrename:
>  	nfs_unblock_sillyrename(parent);
>  out:
> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
> +	if (nfs_server_capable(dir, NFS_CAP_SECURITY_LABEL))
> +		nfs4_label_free(label);
> +#endif
>  	nfs_free_fattr(fattr);
>  	nfs_free_fhandle(fhandle);
>  	return res;
> diff --git a/fs/nfs/getroot.c b/fs/nfs/getroot.c
> index 3b68bb6..14bd667 100644
> --- a/fs/nfs/getroot.c
> +++ b/fs/nfs/getroot.c
> @@ -75,7 +75,6 @@ struct dentry *nfs_get_root(struct super_block *sb, struct nfs_fh *mntfh,
>  	struct nfs_fsinfo fsinfo;
>  	struct dentry *ret;
>  	struct inode *inode;
> -	struct nfs4_label *label = NULL;
>  	void *name = kstrdup(devname, GFP_KERNEL);
>  	int error;
>  
> diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c
> index daca08c..ab08d0d 100644
> --- a/fs/nfs/inode.c
> +++ b/fs/nfs/inode.c
> @@ -835,6 +835,15 @@ __nfs_revalidate_inode(struct nfs_server *server, struct inode *inode)
>  		goto out;
>  
>  	nfs_inc_stats(inode, NFSIOS_INODEREVALIDATE);
> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
> +	if (nfs_server_capable(inode, NFS_CAP_SECURITY_LABEL)) {
> +		label = nfs4_label_alloc(GFP_KERNEL);
> +		if (label == NULL) {
> +			status = -ENOMEM;
> +			goto out;
> +		}
> +	}
> +#endif
>  	status = NFS_PROTO(inode)->getattr(server, NFS_FH(inode), fattr, label);
>  	if (status != 0) {
>  		dfprintk(PAGECACHE, "nfs_revalidate_inode: (%s/%Ld) getattr failed, error=%d\n",
> @@ -864,6 +873,10 @@ __nfs_revalidate_inode(struct nfs_server *server, struct inode *inode)
>  		(long long)NFS_FILEID(inode));
>  
>   out:
> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
> +	if (nfs_server_capable(inode, NFS_CAP_SECURITY_LABEL))
> +		nfs4_label_free(label);
> +#endif
>  	nfs_free_fattr(fattr);
>  	return status;
>  }
> diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
> index 8e0378c..4ab2738 100644
> --- a/fs/nfs/nfs4proc.c
> +++ b/fs/nfs/nfs4proc.c
> @@ -865,9 +865,16 @@ static struct nfs4_opendata *nfs4_opendata_alloc(struct dentry *dentry,
>  	p = kzalloc(sizeof(*p), gfp_mask);
>  	if (p == NULL)
>  		goto err;
> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
> +	if (server->caps & NFS_CAP_SECURITY_LABEL) {
> +		p->f_label = nfs4_label_alloc(gfp_mask);
> +		if (p->f_label == NULL)
> +			goto err_free_p;
> +	}
> +#endif
>  	p->o_arg.seqid = nfs_alloc_seqid(&sp->so_seqid, gfp_mask);
>  	if (p->o_arg.seqid == NULL)
> -		goto err_free;
> +		goto err_free_label;
>  	nfs_sb_active(dentry->d_sb);
>  	p->dentry = dget(dentry);
>  	p->dir = parent;
> @@ -910,7 +917,13 @@ static struct nfs4_opendata *nfs4_opendata_alloc(struct dentry *dentry,
>  	nfs4_init_opendata_res(p);
>  	kref_init(&p->kref);
>  	return p;
> -err_free:
> +
> +err_free_label:
> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
> +	if (server->caps & NFS_CAP_SECURITY_LABEL)
> +		nfs4_label_free(p->f_label);
> +#endif
> +err_free_p:
>  	kfree(p);
>  err:
>  	dput(parent);
> @@ -927,6 +940,10 @@ static void nfs4_opendata_free(struct kref *kref)
>  	if (p->state != NULL)
>  		nfs4_put_open_state(p->state);
>  	nfs4_put_state_owner(p->owner);
> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
> +	if (p->o_arg.server->caps & NFS_CAP_SECURITY_LABEL)
> +		nfs4_label_free(p->f_label);
> +#endif
>  	dput(p->dir);
>  	dput(p->dentry);
>  	nfs_sb_deactive(sb);
> @@ -1998,6 +2015,16 @@ static int _nfs4_do_open(struct inode *dir,
>  	if (opendata == NULL)
>  		goto err_put_state_owner;
>  
> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
> +	if (label && nfs_server_capable(dir, NFS_CAP_SECURITY_LABEL)) {
> +		olabel = nfs4_label_alloc(GFP_KERNEL);
> +		if (olabel == NULL) {
> +			status = -ENOMEM;
> +			goto err_opendata_put;
> +		}
> +	}
> +#endif
> +
>  	if (ctx_th && server->attr_bitmask[2] & FATTR4_WORD2_MDSTHRESHOLD) {
>  		opendata->f_attr.mdsthreshold = pnfs_mdsthreshold_alloc();
>  		if (!opendata->f_attr.mdsthreshold)
> @@ -2041,6 +2068,10 @@ static int _nfs4_do_open(struct inode *dir,
>  		kfree(opendata->f_attr.mdsthreshold);
>  	opendata->f_attr.mdsthreshold = NULL;
>  
> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
> +	if (nfs_server_capable(dir, NFS_CAP_SECURITY_LABEL))
> +		nfs4_label_free(olabel);
> +#endif
>  	nfs4_opendata_put(opendata);
>  	nfs4_put_state_owner(sp);
>  	*res = state;
> @@ -2607,6 +2638,12 @@ static int nfs4_proc_get_root(struct nfs_server *server, struct nfs_fh *mntfh,
>  		return error;
>  	}
>  
> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
> +	label = nfs4_label_alloc(GFP_KERNEL);
> +	if (label == NULL)
> +		return -ENOMEM;
> +#endif
> +
>  	error = nfs4_proc_getattr(server, mntfh, fattr, label);
>  	if (error < 0) {
>  		dprintk("nfs4_get_root: getattr error = %d\n", -error);
> @@ -2617,6 +2654,11 @@ static int nfs4_proc_get_root(struct nfs_server *server, struct nfs_fh *mntfh,
>  	    !nfs_fsid_equal(&server->fsid, &fattr->fsid))
>  		memcpy(&server->fsid, &fattr->fsid, sizeof(server->fsid));
>  
> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
> +	if (server->caps & NFS_CAP_SECURITY_LABEL)
> +		nfs4_label_free(label);
> +#endif
> +
>  	return error;
>  }
>  
> @@ -2728,6 +2770,10 @@ nfs4_proc_setattr(struct dentry *dentry, struct nfs_fattr *fattr,
>  	if (pnfs_ld_layoutret_on_setattr(inode))
>  		pnfs_return_layout(inode);
>  
> +	olabel = nfs4_label_alloc(GFP_KERNEL);
> +	if (olabel == NULL)
> +		return -ENOMEM;
> +
>  	nfs_fattr_init(fattr);
>  	
>  	/* Deal with open(O_TRUNC) */
> @@ -2905,12 +2951,27 @@ static int _nfs4_proc_access(struct inode *inode, struct nfs_access_entry *entry
>  	res.fattr = nfs_alloc_fattr();
>  	if (res.fattr == NULL)
>  		return -ENOMEM;
> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
> +	if (server->caps & NFS_CAP_SECURITY_LABEL) {
> +		res.label = nfs4_label_alloc(GFP_KERNEL);
> +		if (res.label == NULL) {
> +			status = -ENOMEM;
> +			goto out;
> +		}
> +	}
> +#endif
>  
>  	status = nfs4_call_sync(server->client, server, &msg, &args.seq_args, &res.seq_res, 0);
>  	if (!status) {
>  		nfs_access_set_mask(entry, res.access);
>  		nfs_refresh_inode(inode, res.fattr, res.label);
>  	}
> +
> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
> +	if (server->caps & NFS_CAP_SECURITY_LABEL)
> +		nfs4_label_free(res.label);
> +#endif
> +out:
>  	nfs_free_fattr(res.fattr);
>  	return status;
>  }
> @@ -3034,6 +3095,7 @@ static int _nfs4_proc_remove(struct inode *dir, struct qstr *name)
>  	status = nfs4_call_sync(server->client, server, &msg, &args.seq_args, &res.seq_res, 1);
>  	if (status == 0)
>  		update_changeattr(dir, &res.cinfo);
> +
>  	return status;
>  }
>  
> @@ -3079,6 +3141,7 @@ static int nfs4_proc_unlink_done(struct rpc_task *task, struct inode *dir)
>  	if (nfs4_async_handle_error(task, res->server, NULL) == -EAGAIN)
>  		return 0;
>  	update_changeattr(dir, &res->cinfo);
> +
>  	return 1;
>  }
>  
> @@ -3139,12 +3202,33 @@ static int _nfs4_proc_rename(struct inode *old_dir, struct qstr *old_name,
>  		.rpc_resp = &res,
>  	};
>  	int status = -ENOMEM;
> +
> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
> +	if (server->caps & NFS_CAP_SECURITY_LABEL) {
> +		res.old_label = nfs4_label_alloc(GFP_NOWAIT);
> +		if (res.old_label == NULL)
> +			goto out;
> +		res.new_label = nfs4_label_alloc(GFP_NOWAIT);
> +		if (res.new_label == NULL) {
> +			nfs4_label_free(res.old_label);
> +			goto out;
> +		}
> +	}
> +#endif
>  	
>  	status = nfs4_call_sync(server->client, server, &msg, &arg.seq_args, &res.seq_res, 1);
>  	if (!status) {
>  		update_changeattr(old_dir, &res.old_cinfo);
>  		update_changeattr(new_dir, &res.new_cinfo);
>  	}
> +
> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
> +	if (server->caps & NFS_CAP_SECURITY_LABEL) {
> +		nfs4_label_free(res.old_label);
> +		nfs4_label_free(res.new_label);
> +	}
> +#endif
> +out:
>  	return status;
>  }
>  
> @@ -3186,11 +3270,25 @@ static int _nfs4_proc_link(struct inode *inode, struct inode *dir, struct qstr *
>  	if (res.fattr == NULL)
>  		goto out;
>  
> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
> +	if (server->caps & NFS_CAP_SECURITY_LABEL) {
> +		res.label = nfs4_label_alloc(GFP_KERNEL);
> +		if (res.label == NULL)
> +			goto out;
> +	}
> +#endif
> +
>  	status = nfs4_call_sync(server->client, server, &msg, &arg.seq_args, &res.seq_res, 1);
>  	if (!status) {
>  		update_changeattr(dir, &res.cinfo);
>  		nfs_post_op_update_inode(inode, res.fattr, res.label);
>  	}
> +
> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
> +	if (server->caps & NFS_CAP_SECURITY_LABEL)
> +		nfs4_label_free(res.label);
> +#endif
> +
>  out:
>  	nfs_free_fattr(res.fattr);
>  	return status;
> @@ -3226,6 +3324,13 @@ static struct nfs4_createdata *nfs4_alloc_createdata(struct inode *dir,
>  	if (data != NULL) {
>  		struct nfs_server *server = NFS_SERVER(dir);
>  
> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
> +		if (server->caps & NFS_CAP_SECURITY_LABEL) {
> +			data->label = nfs4_label_alloc(GFP_KERNEL);
> +			if (data->label == NULL)
> +				goto out_free;
> +		}
> +#endif
>  		data->msg.rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_CREATE];
>  		data->msg.rpc_argp = &data->arg;
>  		data->msg.rpc_resp = &data->res;
> @@ -3242,6 +3347,9 @@ static struct nfs4_createdata *nfs4_alloc_createdata(struct inode *dir,
>  		nfs_fattr_init(data->res.fattr);
>  	}
>  	return data;
> +out_free:
> +	kfree(data);
> +	return NULL;
>  }
>  
>  static int nfs4_do_create(struct inode *dir, struct dentry *dentry, struct nfs4_createdata *data)
> @@ -3257,6 +3365,10 @@ static int nfs4_do_create(struct inode *dir, struct dentry *dentry, struct nfs4_
>  
>  static void nfs4_free_createdata(struct nfs4_createdata *data)
>  {
> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
> +	if (data->arg.server->caps & NFS_CAP_SECURITY_LABEL)
> +		nfs4_label_free(data->label);
> +#endif
>  	kfree(data);
>  }
>  
> -- 
> 1.7.11.7
> 

Re: [PATCH 10/13] NFS: Add label lifecycle management

[David P. Quigley]

On 11/12/2012 10:33 AM, J. Bruce Fields wrote:
> On Mon, Nov 12, 2012 at 01:15:44AM -0500, David Quigley wrote:
>> > From David Quigley<dpquigl@davequigley.com>
>>
>> This patch adds the lifecycle management for the security label structure
>> introduced in an earlier patch. The label is not used yet but allocations and
>> freeing of the structure is handled.
>>
>> Signed-off-by: Matthew N. Dodd<Matthew.Dodd@sparta.com>
>> Signed-off-by: Miguel Rodel Felipe<Rodel_FM@dsi.a-star.edu.sg>
>> Signed-off-by: Phua Eu Gene<PHUA_Eu_Gene@dsi.a-star.edu.sg>
>> Signed-off-by: Khin Mi Mi Aung<Mi_Mi_AUNG@dsi.a-star.edu.sg>
>> Signed-off-by: David Quigley<dpquigl@davequigley.com>
>> ---
>>   fs/nfs/dir.c      |  30 +++++++++++++-
>>   fs/nfs/getroot.c  |   1 -
>>   fs/nfs/inode.c    |  13 ++++++
>>   fs/nfs/nfs4proc.c | 116 +++++++++++++++++++++++++++++++++++++++++++++++++++++-
>>   4 files changed, 156 insertions(+), 4 deletions(-)
>>
>> diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c
>> index 1339e44..561d2fb 100644
>> --- a/fs/nfs/dir.c
>> +++ b/fs/nfs/dir.c
>> @@ -581,7 +581,8 @@ int nfs_readdir_xdr_to_array(nfs_readdir_descriptor_t *desc, struct page *page,
>>   	entry.fh = nfs_alloc_fhandle();
>>   	entry.fattr = nfs_alloc_fattr();
>>   	entry.server = NFS_SERVER(inode);
>> -	if (entry.fh == NULL || entry.fattr == NULL)
>> +	entry.label = nfs4_label_alloc(GFP_NOWAIT);
>> +	if (entry.fh == NULL || entry.fattr == NULL || entry.label == NULL)
>>   		goto out;
>>
>>   	array = nfs_readdir_get_array(page);
>> @@ -616,6 +617,7 @@ out_release_array:
>>   out:
>>   	nfs_free_fattr(entry.fattr);
>>   	nfs_free_fhandle(entry.fh);
>> +	nfs4_label_free(entry.label);
>>   	return status;
>>   }
>>
>> @@ -1077,6 +1079,14 @@ static int nfs_lookup_revalidate(struct dentry *dentry, unsigned int flags)
>>   	if (fhandle == NULL || fattr == NULL)
>>   		goto out_error;
>>
>> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
>> +	if (nfs_server_capable(dir, NFS_CAP_SECURITY_LABEL)) {
>> +		label = nfs4_label_alloc(GFP_NOWAIT);
>> +		if (label == NULL)
>> +			goto out_error;
>> +	}
>> +#endif
> We usually try to avoid sprinkling too many #ifdef's around the code.
> Do we really need these?  (E.g. can't we ensure that
> nfs_server_capable() will return the right thing when labelled NFS is
> compiled out?)
>
> --b.

That is probably a better way of handling this. We'll look into putting 
the check into nfs_server_capable instead.


>> +
>>   	error = NFS_PROTO(dir)->lookup(dir,&dentry->d_name, fhandle, fattr, label);
>>   	if (error)
>>   		goto out_bad;
>> @@ -1087,6 +1097,12 @@ static int nfs_lookup_revalidate(struct dentry *dentry, unsigned int flags)
>>
>>   	nfs_free_fattr(fattr);
>>   	nfs_free_fhandle(fhandle);
>> +
>> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
>> +	if (nfs_server_capable(dir, NFS_CAP_SECURITY_LABEL))
>> +		nfs4_label_free(label);
>> +#endif
>> +
>>   out_set_verifier:
>>   	nfs_set_verifier(dentry, nfs_save_change_attribute(dir));
>>    out_valid:
>> @@ -1123,6 +1139,7 @@ out_zap_parent:
>>   out_error:
>>   	nfs_free_fattr(fattr);
>>   	nfs_free_fhandle(fhandle);
>> +	nfs4_label_free(label);
>>   	dput(parent);
>>   	dfprintk(LOOKUPCACHE, "NFS: %s(%s/%s) lookup returned error %d\n",
>>   			__func__, dentry->d_parent->d_name.name,
>> @@ -1235,6 +1252,13 @@ struct dentry *nfs_lookup(struct inode *dir, struct dentry * dentry, unsigned in
>>   	if (fhandle == NULL || fattr == NULL)
>>   		goto out;
>>
>> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
>> +	if (nfs_server_capable(dir, NFS_CAP_SECURITY_LABEL)) {
>> +		label = nfs4_label_alloc(GFP_NOWAIT);
>> +		if (label == NULL)
>> +			goto out;
>> +	}
>> +#endif
>>   	parent = dentry->d_parent;
>>   	/* Protect against concurrent sillydeletes */
>>   	nfs_block_sillyrename(parent);
>> @@ -1264,6 +1288,10 @@ no_entry:
>>   out_unblock_sillyrename:
>>   	nfs_unblock_sillyrename(parent);
>>   out:
>> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
>> +	if (nfs_server_capable(dir, NFS_CAP_SECURITY_LABEL))
>> +		nfs4_label_free(label);
>> +#endif
>>   	nfs_free_fattr(fattr);
>>   	nfs_free_fhandle(fhandle);
>>   	return res;
>> diff --git a/fs/nfs/getroot.c b/fs/nfs/getroot.c
>> index 3b68bb6..14bd667 100644
>> --- a/fs/nfs/getroot.c
>> +++ b/fs/nfs/getroot.c
>> @@ -75,7 +75,6 @@ struct dentry *nfs_get_root(struct super_block *sb, struct nfs_fh *mntfh,
>>   	struct nfs_fsinfo fsinfo;
>>   	struct dentry *ret;
>>   	struct inode *inode;
>> -	struct nfs4_label *label = NULL;
>>   	void *name = kstrdup(devname, GFP_KERNEL);
>>   	int error;
>>
>> diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c
>> index daca08c..ab08d0d 100644
>> --- a/fs/nfs/inode.c
>> +++ b/fs/nfs/inode.c
>> @@ -835,6 +835,15 @@ __nfs_revalidate_inode(struct nfs_server *server, struct inode *inode)
>>   		goto out;
>>
>>   	nfs_inc_stats(inode, NFSIOS_INODEREVALIDATE);
>> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
>> +	if (nfs_server_capable(inode, NFS_CAP_SECURITY_LABEL)) {
>> +		label = nfs4_label_alloc(GFP_KERNEL);
>> +		if (label == NULL) {
>> +			status = -ENOMEM;
>> +			goto out;
>> +		}
>> +	}
>> +#endif
>>   	status = NFS_PROTO(inode)->getattr(server, NFS_FH(inode), fattr, label);
>>   	if (status != 0) {
>>   		dfprintk(PAGECACHE, "nfs_revalidate_inode: (%s/%Ld) getattr failed, error=%d\n",
>> @@ -864,6 +873,10 @@ __nfs_revalidate_inode(struct nfs_server *server, struct inode *inode)
>>   		(long long)NFS_FILEID(inode));
>>
>>    out:
>> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
>> +	if (nfs_server_capable(inode, NFS_CAP_SECURITY_LABEL))
>> +		nfs4_label_free(label);
>> +#endif
>>   	nfs_free_fattr(fattr);
>>   	return status;
>>   }
>> diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
>> index 8e0378c..4ab2738 100644
>> --- a/fs/nfs/nfs4proc.c
>> +++ b/fs/nfs/nfs4proc.c
>> @@ -865,9 +865,16 @@ static struct nfs4_opendata *nfs4_opendata_alloc(struct dentry *dentry,
>>   	p = kzalloc(sizeof(*p), gfp_mask);
>>   	if (p == NULL)
>>   		goto err;
>> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
>> +	if (server->caps&  NFS_CAP_SECURITY_LABEL) {
>> +		p->f_label = nfs4_label_alloc(gfp_mask);
>> +		if (p->f_label == NULL)
>> +			goto err_free_p;
>> +	}
>> +#endif
>>   	p->o_arg.seqid = nfs_alloc_seqid(&sp->so_seqid, gfp_mask);
>>   	if (p->o_arg.seqid == NULL)
>> -		goto err_free;
>> +		goto err_free_label;
>>   	nfs_sb_active(dentry->d_sb);
>>   	p->dentry = dget(dentry);
>>   	p->dir = parent;
>> @@ -910,7 +917,13 @@ static struct nfs4_opendata *nfs4_opendata_alloc(struct dentry *dentry,
>>   	nfs4_init_opendata_res(p);
>>   	kref_init(&p->kref);
>>   	return p;
>> -err_free:
>> +
>> +err_free_label:
>> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
>> +	if (server->caps&  NFS_CAP_SECURITY_LABEL)
>> +		nfs4_label_free(p->f_label);
>> +#endif
>> +err_free_p:
>>   	kfree(p);
>>   err:
>>   	dput(parent);
>> @@ -927,6 +940,10 @@ static void nfs4_opendata_free(struct kref *kref)
>>   	if (p->state != NULL)
>>   		nfs4_put_open_state(p->state);
>>   	nfs4_put_state_owner(p->owner);
>> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
>> +	if (p->o_arg.server->caps&  NFS_CAP_SECURITY_LABEL)
>> +		nfs4_label_free(p->f_label);
>> +#endif
>>   	dput(p->dir);
>>   	dput(p->dentry);
>>   	nfs_sb_deactive(sb);
>> @@ -1998,6 +2015,16 @@ static int _nfs4_do_open(struct inode *dir,
>>   	if (opendata == NULL)
>>   		goto err_put_state_owner;
>>
>> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
>> +	if (label&&  nfs_server_capable(dir, NFS_CAP_SECURITY_LABEL)) {
>> +		olabel = nfs4_label_alloc(GFP_KERNEL);
>> +		if (olabel == NULL) {
>> +			status = -ENOMEM;
>> +			goto err_opendata_put;
>> +		}
>> +	}
>> +#endif
>> +
>>   	if (ctx_th&&  server->attr_bitmask[2]&  FATTR4_WORD2_MDSTHRESHOLD) {
>>   		opendata->f_attr.mdsthreshold = pnfs_mdsthreshold_alloc();
>>   		if (!opendata->f_attr.mdsthreshold)
>> @@ -2041,6 +2068,10 @@ static int _nfs4_do_open(struct inode *dir,
>>   		kfree(opendata->f_attr.mdsthreshold);
>>   	opendata->f_attr.mdsthreshold = NULL;
>>
>> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
>> +	if (nfs_server_capable(dir, NFS_CAP_SECURITY_LABEL))
>> +		nfs4_label_free(olabel);
>> +#endif
>>   	nfs4_opendata_put(opendata);
>>   	nfs4_put_state_owner(sp);
>>   	*res = state;
>> @@ -2607,6 +2638,12 @@ static int nfs4_proc_get_root(struct nfs_server *server, struct nfs_fh *mntfh,
>>   		return error;
>>   	}
>>
>> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
>> +	label = nfs4_label_alloc(GFP_KERNEL);
>> +	if (label == NULL)
>> +		return -ENOMEM;
>> +#endif
>> +
>>   	error = nfs4_proc_getattr(server, mntfh, fattr, label);
>>   	if (error<  0) {
>>   		dprintk("nfs4_get_root: getattr error = %d\n", -error);
>> @@ -2617,6 +2654,11 @@ static int nfs4_proc_get_root(struct nfs_server *server, struct nfs_fh *mntfh,
>>   	    !nfs_fsid_equal(&server->fsid,&fattr->fsid))
>>   		memcpy(&server->fsid,&fattr->fsid, sizeof(server->fsid));
>>
>> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
>> +	if (server->caps&  NFS_CAP_SECURITY_LABEL)
>> +		nfs4_label_free(label);
>> +#endif
>> +
>>   	return error;
>>   }
>>
>> @@ -2728,6 +2770,10 @@ nfs4_proc_setattr(struct dentry *dentry, struct nfs_fattr *fattr,
>>   	if (pnfs_ld_layoutret_on_setattr(inode))
>>   		pnfs_return_layout(inode);
>>
>> +	olabel = nfs4_label_alloc(GFP_KERNEL);
>> +	if (olabel == NULL)
>> +		return -ENOMEM;
>> +
>>   	nfs_fattr_init(fattr);
>>   	
>>   	/* Deal with open(O_TRUNC) */
>> @@ -2905,12 +2951,27 @@ static int _nfs4_proc_access(struct inode *inode, struct nfs_access_entry *entry
>>   	res.fattr = nfs_alloc_fattr();
>>   	if (res.fattr == NULL)
>>   		return -ENOMEM;
>> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
>> +	if (server->caps&  NFS_CAP_SECURITY_LABEL) {
>> +		res.label = nfs4_label_alloc(GFP_KERNEL);
>> +		if (res.label == NULL) {
>> +			status = -ENOMEM;
>> +			goto out;
>> +		}
>> +	}
>> +#endif
>>
>>   	status = nfs4_call_sync(server->client, server,&msg,&args.seq_args,&res.seq_res, 0);
>>   	if (!status) {
>>   		nfs_access_set_mask(entry, res.access);
>>   		nfs_refresh_inode(inode, res.fattr, res.label);
>>   	}
>> +
>> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
>> +	if (server->caps&  NFS_CAP_SECURITY_LABEL)
>> +		nfs4_label_free(res.label);
>> +#endif
>> +out:
>>   	nfs_free_fattr(res.fattr);
>>   	return status;
>>   }
>> @@ -3034,6 +3095,7 @@ static int _nfs4_proc_remove(struct inode *dir, struct qstr *name)
>>   	status = nfs4_call_sync(server->client, server,&msg,&args.seq_args,&res.seq_res, 1);
>>   	if (status == 0)
>>   		update_changeattr(dir,&res.cinfo);
>> +
>>   	return status;
>>   }
>>
>> @@ -3079,6 +3141,7 @@ static int nfs4_proc_unlink_done(struct rpc_task *task, struct inode *dir)
>>   	if (nfs4_async_handle_error(task, res->server, NULL) == -EAGAIN)
>>   		return 0;
>>   	update_changeattr(dir,&res->cinfo);
>> +
>>   	return 1;
>>   }
>>
>> @@ -3139,12 +3202,33 @@ static int _nfs4_proc_rename(struct inode *old_dir, struct qstr *old_name,
>>   		.rpc_resp =&res,
>>   	};
>>   	int status = -ENOMEM;
>> +
>> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
>> +	if (server->caps&  NFS_CAP_SECURITY_LABEL) {
>> +		res.old_label = nfs4_label_alloc(GFP_NOWAIT);
>> +		if (res.old_label == NULL)
>> +			goto out;
>> +		res.new_label = nfs4_label_alloc(GFP_NOWAIT);
>> +		if (res.new_label == NULL) {
>> +			nfs4_label_free(res.old_label);
>> +			goto out;
>> +		}
>> +	}
>> +#endif
>>   	
>>   	status = nfs4_call_sync(server->client, server,&msg,&arg.seq_args,&res.seq_res, 1);
>>   	if (!status) {
>>   		update_changeattr(old_dir,&res.old_cinfo);
>>   		update_changeattr(new_dir,&res.new_cinfo);
>>   	}
>> +
>> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
>> +	if (server->caps&  NFS_CAP_SECURITY_LABEL) {
>> +		nfs4_label_free(res.old_label);
>> +		nfs4_label_free(res.new_label);
>> +	}
>> +#endif
>> +out:
>>   	return status;
>>   }
>>
>> @@ -3186,11 +3270,25 @@ static int _nfs4_proc_link(struct inode *inode, struct inode *dir, struct qstr *
>>   	if (res.fattr == NULL)
>>   		goto out;
>>
>> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
>> +	if (server->caps&  NFS_CAP_SECURITY_LABEL) {
>> +		res.label = nfs4_label_alloc(GFP_KERNEL);
>> +		if (res.label == NULL)
>> +			goto out;
>> +	}
>> +#endif
>> +
>>   	status = nfs4_call_sync(server->client, server,&msg,&arg.seq_args,&res.seq_res, 1);
>>   	if (!status) {
>>   		update_changeattr(dir,&res.cinfo);
>>   		nfs_post_op_update_inode(inode, res.fattr, res.label);
>>   	}
>> +
>> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
>> +	if (server->caps&  NFS_CAP_SECURITY_LABEL)
>> +		nfs4_label_free(res.label);
>> +#endif
>> +
>>   out:
>>   	nfs_free_fattr(res.fattr);
>>   	return status;
>> @@ -3226,6 +3324,13 @@ static struct nfs4_createdata *nfs4_alloc_createdata(struct inode *dir,
>>   	if (data != NULL) {
>>   		struct nfs_server *server = NFS_SERVER(dir);
>>
>> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
>> +		if (server->caps&  NFS_CAP_SECURITY_LABEL) {
>> +			data->label = nfs4_label_alloc(GFP_KERNEL);
>> +			if (data->label == NULL)
>> +				goto out_free;
>> +		}
>> +#endif
>>   		data->msg.rpc_proc =&nfs4_procedures[NFSPROC4_CLNT_CREATE];
>>   		data->msg.rpc_argp =&data->arg;
>>   		data->msg.rpc_resp =&data->res;
>> @@ -3242,6 +3347,9 @@ static struct nfs4_createdata *nfs4_alloc_createdata(struct inode *dir,
>>   		nfs_fattr_init(data->res.fattr);
>>   	}
>>   	return data;
>> +out_free:
>> +	kfree(data);
>> +	return NULL;
>>   }
>>
>>   static int nfs4_do_create(struct inode *dir, struct dentry *dentry, struct nfs4_createdata *data)
>> @@ -3257,6 +3365,10 @@ static int nfs4_do_create(struct inode *dir, struct dentry *dentry, struct nfs4_
>>
>>   static void nfs4_free_createdata(struct nfs4_createdata *data)
>>   {
>> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
>> +	if (data->arg.server->caps&  NFS_CAP_SECURITY_LABEL)
>> +		nfs4_label_free(data->label);
>> +#endif
>>   	kfree(data);
>>   }
>>
>> -- 
>> 1.7.11.7
>>

Re: [PATCH 10/13] NFS: Add label lifecycle management

[David P. Quigley]

On 11/12/2012 10:33 AM, J. Bruce Fields wrote:
> On Mon, Nov 12, 2012 at 01:15:44AM -0500, David Quigley wrote:
>> > From David Quigley<dpquigl@davequigley.com>
>>
>> This patch adds the lifecycle management for the security label structure
>> introduced in an earlier patch. The label is not used yet but allocations and
>> freeing of the structure is handled.
>>
>> Signed-off-by: Matthew N. Dodd<Matthew.Dodd@sparta.com>
>> Signed-off-by: Miguel Rodel Felipe<Rodel_FM@dsi.a-star.edu.sg>
>> Signed-off-by: Phua Eu Gene<PHUA_Eu_Gene@dsi.a-star.edu.sg>
>> Signed-off-by: Khin Mi Mi Aung<Mi_Mi_AUNG@dsi.a-star.edu.sg>
>> Signed-off-by: David Quigley<dpquigl@davequigley.com>
>> ---
>>   fs/nfs/dir.c      |  30 +++++++++++++-
>>   fs/nfs/getroot.c  |   1 -
>>   fs/nfs/inode.c    |  13 ++++++
>>   fs/nfs/nfs4proc.c | 116 +++++++++++++++++++++++++++++++++++++++++++++++++++++-
>>   4 files changed, 156 insertions(+), 4 deletions(-)
>>
>> diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c
>> index 1339e44..561d2fb 100644
>> --- a/fs/nfs/dir.c
>> +++ b/fs/nfs/dir.c
>> @@ -581,7 +581,8 @@ int nfs_readdir_xdr_to_array(nfs_readdir_descriptor_t *desc, struct page *page,
>>   	entry.fh = nfs_alloc_fhandle();
>>   	entry.fattr = nfs_alloc_fattr();
>>   	entry.server = NFS_SERVER(inode);
>> -	if (entry.fh == NULL || entry.fattr == NULL)
>> +	entry.label = nfs4_label_alloc(GFP_NOWAIT);
>> +	if (entry.fh == NULL || entry.fattr == NULL || entry.label == NULL)
>>   		goto out;
>>
>>   	array = nfs_readdir_get_array(page);
>> @@ -616,6 +617,7 @@ out_release_array:
>>   out:
>>   	nfs_free_fattr(entry.fattr);
>>   	nfs_free_fhandle(entry.fh);
>> +	nfs4_label_free(entry.label);
>>   	return status;
>>   }
>>
>> @@ -1077,6 +1079,14 @@ static int nfs_lookup_revalidate(struct dentry *dentry, unsigned int flags)
>>   	if (fhandle == NULL || fattr == NULL)
>>   		goto out_error;
>>
>> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
>> +	if (nfs_server_capable(dir, NFS_CAP_SECURITY_LABEL)) {
>> +		label = nfs4_label_alloc(GFP_NOWAIT);
>> +		if (label == NULL)
>> +			goto out_error;
>> +	}
>> +#endif
> We usually try to avoid sprinkling too many #ifdef's around the code.
> Do we really need these?  (E.g. can't we ensure that
> nfs_server_capable() will return the right thing when labelled NFS is
> compiled out?)
>
> --b.

That is probably a better way of handling this. We'll look into putting 
the check into nfs_server_capable instead.


>> +
>>   	error = NFS_PROTO(dir)->lookup(dir,&dentry->d_name, fhandle, fattr, label);
>>   	if (error)
>>   		goto out_bad;
>> @@ -1087,6 +1097,12 @@ static int nfs_lookup_revalidate(struct dentry *dentry, unsigned int flags)
>>
>>   	nfs_free_fattr(fattr);
>>   	nfs_free_fhandle(fhandle);
>> +
>> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
>> +	if (nfs_server_capable(dir, NFS_CAP_SECURITY_LABEL))
>> +		nfs4_label_free(label);
>> +#endif
>> +
>>   out_set_verifier:
>>   	nfs_set_verifier(dentry, nfs_save_change_attribute(dir));
>>    out_valid:
>> @@ -1123,6 +1139,7 @@ out_zap_parent:
>>   out_error:
>>   	nfs_free_fattr(fattr);
>>   	nfs_free_fhandle(fhandle);
>> +	nfs4_label_free(label);
>>   	dput(parent);
>>   	dfprintk(LOOKUPCACHE, "NFS: %s(%s/%s) lookup returned error %d\n",
>>   			__func__, dentry->d_parent->d_name.name,
>> @@ -1235,6 +1252,13 @@ struct dentry *nfs_lookup(struct inode *dir, struct dentry * dentry, unsigned in
>>   	if (fhandle == NULL || fattr == NULL)
>>   		goto out;
>>
>> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
>> +	if (nfs_server_capable(dir, NFS_CAP_SECURITY_LABEL)) {
>> +		label = nfs4_label_alloc(GFP_NOWAIT);
>> +		if (label == NULL)
>> +			goto out;
>> +	}
>> +#endif
>>   	parent = dentry->d_parent;
>>   	/* Protect against concurrent sillydeletes */
>>   	nfs_block_sillyrename(parent);
>> @@ -1264,6 +1288,10 @@ no_entry:
>>   out_unblock_sillyrename:
>>   	nfs_unblock_sillyrename(parent);
>>   out:
>> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
>> +	if (nfs_server_capable(dir, NFS_CAP_SECURITY_LABEL))
>> +		nfs4_label_free(label);
>> +#endif
>>   	nfs_free_fattr(fattr);
>>   	nfs_free_fhandle(fhandle);
>>   	return res;
>> diff --git a/fs/nfs/getroot.c b/fs/nfs/getroot.c
>> index 3b68bb6..14bd667 100644
>> --- a/fs/nfs/getroot.c
>> +++ b/fs/nfs/getroot.c
>> @@ -75,7 +75,6 @@ struct dentry *nfs_get_root(struct super_block *sb, struct nfs_fh *mntfh,
>>   	struct nfs_fsinfo fsinfo;
>>   	struct dentry *ret;
>>   	struct inode *inode;
>> -	struct nfs4_label *label = NULL;
>>   	void *name = kstrdup(devname, GFP_KERNEL);
>>   	int error;
>>
>> diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c
>> index daca08c..ab08d0d 100644
>> --- a/fs/nfs/inode.c
>> +++ b/fs/nfs/inode.c
>> @@ -835,6 +835,15 @@ __nfs_revalidate_inode(struct nfs_server *server, struct inode *inode)
>>   		goto out;
>>
>>   	nfs_inc_stats(inode, NFSIOS_INODEREVALIDATE);
>> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
>> +	if (nfs_server_capable(inode, NFS_CAP_SECURITY_LABEL)) {
>> +		label = nfs4_label_alloc(GFP_KERNEL);
>> +		if (label == NULL) {
>> +			status = -ENOMEM;
>> +			goto out;
>> +		}
>> +	}
>> +#endif
>>   	status = NFS_PROTO(inode)->getattr(server, NFS_FH(inode), fattr, label);
>>   	if (status != 0) {
>>   		dfprintk(PAGECACHE, "nfs_revalidate_inode: (%s/%Ld) getattr failed, error=%d\n",
>> @@ -864,6 +873,10 @@ __nfs_revalidate_inode(struct nfs_server *server, struct inode *inode)
>>   		(long long)NFS_FILEID(inode));
>>
>>    out:
>> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
>> +	if (nfs_server_capable(inode, NFS_CAP_SECURITY_LABEL))
>> +		nfs4_label_free(label);
>> +#endif
>>   	nfs_free_fattr(fattr);
>>   	return status;
>>   }
>> diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
>> index 8e0378c..4ab2738 100644
>> --- a/fs/nfs/nfs4proc.c
>> +++ b/fs/nfs/nfs4proc.c
>> @@ -865,9 +865,16 @@ static struct nfs4_opendata *nfs4_opendata_alloc(struct dentry *dentry,
>>   	p = kzalloc(sizeof(*p), gfp_mask);
>>   	if (p == NULL)
>>   		goto err;
>> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
>> +	if (server->caps&  NFS_CAP_SECURITY_LABEL) {
>> +		p->f_label = nfs4_label_alloc(gfp_mask);
>> +		if (p->f_label == NULL)
>> +			goto err_free_p;
>> +	}
>> +#endif
>>   	p->o_arg.seqid = nfs_alloc_seqid(&sp->so_seqid, gfp_mask);
>>   	if (p->o_arg.seqid == NULL)
>> -		goto err_free;
>> +		goto err_free_label;
>>   	nfs_sb_active(dentry->d_sb);
>>   	p->dentry = dget(dentry);
>>   	p->dir = parent;
>> @@ -910,7 +917,13 @@ static struct nfs4_opendata *nfs4_opendata_alloc(struct dentry *dentry,
>>   	nfs4_init_opendata_res(p);
>>   	kref_init(&p->kref);
>>   	return p;
>> -err_free:
>> +
>> +err_free_label:
>> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
>> +	if (server->caps&  NFS_CAP_SECURITY_LABEL)
>> +		nfs4_label_free(p->f_label);
>> +#endif
>> +err_free_p:
>>   	kfree(p);
>>   err:
>>   	dput(parent);
>> @@ -927,6 +940,10 @@ static void nfs4_opendata_free(struct kref *kref)
>>   	if (p->state != NULL)
>>   		nfs4_put_open_state(p->state);
>>   	nfs4_put_state_owner(p->owner);
>> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
>> +	if (p->o_arg.server->caps&  NFS_CAP_SECURITY_LABEL)
>> +		nfs4_label_free(p->f_label);
>> +#endif
>>   	dput(p->dir);
>>   	dput(p->dentry);
>>   	nfs_sb_deactive(sb);
>> @@ -1998,6 +2015,16 @@ static int _nfs4_do_open(struct inode *dir,
>>   	if (opendata == NULL)
>>   		goto err_put_state_owner;
>>
>> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
>> +	if (label&&  nfs_server_capable(dir, NFS_CAP_SECURITY_LABEL)) {
>> +		olabel = nfs4_label_alloc(GFP_KERNEL);
>> +		if (olabel == NULL) {
>> +			status = -ENOMEM;
>> +			goto err_opendata_put;
>> +		}
>> +	}
>> +#endif
>> +
>>   	if (ctx_th&&  server->attr_bitmask[2]&  FATTR4_WORD2_MDSTHRESHOLD) {
>>   		opendata->f_attr.mdsthreshold = pnfs_mdsthreshold_alloc();
>>   		if (!opendata->f_attr.mdsthreshold)
>> @@ -2041,6 +2068,10 @@ static int _nfs4_do_open(struct inode *dir,
>>   		kfree(opendata->f_attr.mdsthreshold);
>>   	opendata->f_attr.mdsthreshold = NULL;
>>
>> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
>> +	if (nfs_server_capable(dir, NFS_CAP_SECURITY_LABEL))
>> +		nfs4_label_free(olabel);
>> +#endif
>>   	nfs4_opendata_put(opendata);
>>   	nfs4_put_state_owner(sp);
>>   	*res = state;
>> @@ -2607,6 +2638,12 @@ static int nfs4_proc_get_root(struct nfs_server *server, struct nfs_fh *mntfh,
>>   		return error;
>>   	}
>>
>> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
>> +	label = nfs4_label_alloc(GFP_KERNEL);
>> +	if (label == NULL)
>> +		return -ENOMEM;
>> +#endif
>> +
>>   	error = nfs4_proc_getattr(server, mntfh, fattr, label);
>>   	if (error<  0) {
>>   		dprintk("nfs4_get_root: getattr error = %d\n", -error);
>> @@ -2617,6 +2654,11 @@ static int nfs4_proc_get_root(struct nfs_server *server, struct nfs_fh *mntfh,
>>   	    !nfs_fsid_equal(&server->fsid,&fattr->fsid))
>>   		memcpy(&server->fsid,&fattr->fsid, sizeof(server->fsid));
>>
>> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
>> +	if (server->caps&  NFS_CAP_SECURITY_LABEL)
>> +		nfs4_label_free(label);
>> +#endif
>> +
>>   	return error;
>>   }
>>
>> @@ -2728,6 +2770,10 @@ nfs4_proc_setattr(struct dentry *dentry, struct nfs_fattr *fattr,
>>   	if (pnfs_ld_layoutret_on_setattr(inode))
>>   		pnfs_return_layout(inode);
>>
>> +	olabel = nfs4_label_alloc(GFP_KERNEL);
>> +	if (olabel == NULL)
>> +		return -ENOMEM;
>> +
>>   	nfs_fattr_init(fattr);
>>   	
>>   	/* Deal with open(O_TRUNC) */
>> @@ -2905,12 +2951,27 @@ static int _nfs4_proc_access(struct inode *inode, struct nfs_access_entry *entry
>>   	res.fattr = nfs_alloc_fattr();
>>   	if (res.fattr == NULL)
>>   		return -ENOMEM;
>> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
>> +	if (server->caps&  NFS_CAP_SECURITY_LABEL) {
>> +		res.label = nfs4_label_alloc(GFP_KERNEL);
>> +		if (res.label == NULL) {
>> +			status = -ENOMEM;
>> +			goto out;
>> +		}
>> +	}
>> +#endif
>>
>>   	status = nfs4_call_sync(server->client, server,&msg,&args.seq_args,&res.seq_res, 0);
>>   	if (!status) {
>>   		nfs_access_set_mask(entry, res.access);
>>   		nfs_refresh_inode(inode, res.fattr, res.label);
>>   	}
>> +
>> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
>> +	if (server->caps&  NFS_CAP_SECURITY_LABEL)
>> +		nfs4_label_free(res.label);
>> +#endif
>> +out:
>>   	nfs_free_fattr(res.fattr);
>>   	return status;
>>   }
>> @@ -3034,6 +3095,7 @@ static int _nfs4_proc_remove(struct inode *dir, struct qstr *name)
>>   	status = nfs4_call_sync(server->client, server,&msg,&args.seq_args,&res.seq_res, 1);
>>   	if (status == 0)
>>   		update_changeattr(dir,&res.cinfo);
>> +
>>   	return status;
>>   }
>>
>> @@ -3079,6 +3141,7 @@ static int nfs4_proc_unlink_done(struct rpc_task *task, struct inode *dir)
>>   	if (nfs4_async_handle_error(task, res->server, NULL) == -EAGAIN)
>>   		return 0;
>>   	update_changeattr(dir,&res->cinfo);
>> +
>>   	return 1;
>>   }
>>
>> @@ -3139,12 +3202,33 @@ static int _nfs4_proc_rename(struct inode *old_dir, struct qstr *old_name,
>>   		.rpc_resp =&res,
>>   	};
>>   	int status = -ENOMEM;
>> +
>> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
>> +	if (server->caps&  NFS_CAP_SECURITY_LABEL) {
>> +		res.old_label = nfs4_label_alloc(GFP_NOWAIT);
>> +		if (res.old_label == NULL)
>> +			goto out;
>> +		res.new_label = nfs4_label_alloc(GFP_NOWAIT);
>> +		if (res.new_label == NULL) {
>> +			nfs4_label_free(res.old_label);
>> +			goto out;
>> +		}
>> +	}
>> +#endif
>>   	
>>   	status = nfs4_call_sync(server->client, server,&msg,&arg.seq_args,&res.seq_res, 1);
>>   	if (!status) {
>>   		update_changeattr(old_dir,&res.old_cinfo);
>>   		update_changeattr(new_dir,&res.new_cinfo);
>>   	}
>> +
>> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
>> +	if (server->caps&  NFS_CAP_SECURITY_LABEL) {
>> +		nfs4_label_free(res.old_label);
>> +		nfs4_label_free(res.new_label);
>> +	}
>> +#endif
>> +out:
>>   	return status;
>>   }
>>
>> @@ -3186,11 +3270,25 @@ static int _nfs4_proc_link(struct inode *inode, struct inode *dir, struct qstr *
>>   	if (res.fattr == NULL)
>>   		goto out;
>>
>> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
>> +	if (server->caps&  NFS_CAP_SECURITY_LABEL) {
>> +		res.label = nfs4_label_alloc(GFP_KERNEL);
>> +		if (res.label == NULL)
>> +			goto out;
>> +	}
>> +#endif
>> +
>>   	status = nfs4_call_sync(server->client, server,&msg,&arg.seq_args,&res.seq_res, 1);
>>   	if (!status) {
>>   		update_changeattr(dir,&res.cinfo);
>>   		nfs_post_op_update_inode(inode, res.fattr, res.label);
>>   	}
>> +
>> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
>> +	if (server->caps&  NFS_CAP_SECURITY_LABEL)
>> +		nfs4_label_free(res.label);
>> +#endif
>> +
>>   out:
>>   	nfs_free_fattr(res.fattr);
>>   	return status;
>> @@ -3226,6 +3324,13 @@ static struct nfs4_createdata *nfs4_alloc_createdata(struct inode *dir,
>>   	if (data != NULL) {
>>   		struct nfs_server *server = NFS_SERVER(dir);
>>
>> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
>> +		if (server->caps&  NFS_CAP_SECURITY_LABEL) {
>> +			data->label = nfs4_label_alloc(GFP_KERNEL);
>> +			if (data->label == NULL)
>> +				goto out_free;
>> +		}
>> +#endif
>>   		data->msg.rpc_proc =&nfs4_procedures[NFSPROC4_CLNT_CREATE];
>>   		data->msg.rpc_argp =&data->arg;
>>   		data->msg.rpc_resp =&data->res;
>> @@ -3242,6 +3347,9 @@ static struct nfs4_createdata *nfs4_alloc_createdata(struct inode *dir,
>>   		nfs_fattr_init(data->res.fattr);
>>   	}
>>   	return data;
>> +out_free:
>> +	kfree(data);
>> +	return NULL;
>>   }
>>
>>   static int nfs4_do_create(struct inode *dir, struct dentry *dentry, struct nfs4_createdata *data)
>> @@ -3257,6 +3365,10 @@ static int nfs4_do_create(struct inode *dir, struct dentry *dentry, struct nfs4_
>>
>>   static void nfs4_free_createdata(struct nfs4_createdata *data)
>>   {
>> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
>> +	if (data->arg.server->caps&  NFS_CAP_SECURITY_LABEL)
>> +		nfs4_label_free(data->label);
>> +#endif
>>   	kfree(data);
>>   }
>>
>> -- 
>> 1.7.11.7
>>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[PATCH 11/13] NFS: Client implementation of Labeled-NFS

[David Quigley]

From: David Quigley <dpquigl@davequigley.com>

This patch implements the client transport and handling support for labeled
NFS. The patch adds two functions to encode and decode the security label
recommended attribute which makes use of the LSM hooks added earlier. It also
adds code to grab the label from the file attribute structures and encode the
label to be sent back to the server.

Signed-off-by: Matthew N. Dodd <Matthew.Dodd@sparta.com>
Signed-off-by: Miguel Rodel Felipe <Rodel_FM@dsi.a-star.edu.sg>
Signed-off-by: Phua Eu Gene <PHUA_Eu_Gene@dsi.a-star.edu.sg>
Signed-off-by: Khin Mi Mi Aung <Mi_Mi_AUNG@dsi.a-star.edu.sg>
Signed-off-by: David Quigley <dpquigl@davequigley.com>
---
 fs/nfs/inode.c            |  52 +++++++-
 fs/nfs/nfs4proc.c         | 310 ++++++++++++++++++++++++++++++++++++++++++++--
 fs/nfs/nfs4xdr.c          | 182 ++++++++++++++++++++++-----
 fs/nfs/super.c            |  19 ++-
 include/linux/nfs_fs.h    |   3 +
 include/linux/nfs_fs_sb.h |   7 ++
 security/selinux/hooks.c  |   4 +
 7 files changed, 531 insertions(+), 46 deletions(-)

diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c
index ab08d0d..ac29093 100644
--- a/fs/nfs/inode.c
+++ b/fs/nfs/inode.c
@@ -156,9 +156,18 @@ static void nfs_zap_caches_locked(struct inode *inode)
 
 	memset(NFS_I(inode)->cookieverf, 0, sizeof(NFS_I(inode)->cookieverf));
 	if (S_ISREG(mode) || S_ISDIR(mode) || S_ISLNK(mode))
-		nfsi->cache_validity |= NFS_INO_INVALID_ATTR|NFS_INO_INVALID_DATA|NFS_INO_INVALID_ACCESS|NFS_INO_INVALID_ACL|NFS_INO_REVAL_PAGECACHE;
+		nfsi->cache_validity |= NFS_INO_INVALID_ATTR
+					| NFS_INO_INVALID_LABEL
+					| NFS_INO_INVALID_DATA
+					| NFS_INO_INVALID_ACCESS
+					| NFS_INO_INVALID_ACL
+					| NFS_INO_REVAL_PAGECACHE;
 	else
-		nfsi->cache_validity |= NFS_INO_INVALID_ATTR|NFS_INO_INVALID_ACCESS|NFS_INO_INVALID_ACL|NFS_INO_REVAL_PAGECACHE;
+		nfsi->cache_validity |= NFS_INO_INVALID_ATTR
+					| NFS_INO_INVALID_LABEL
+					| NFS_INO_INVALID_ACCESS
+					| NFS_INO_INVALID_ACL
+					| NFS_INO_REVAL_PAGECACHE;
 }
 
 void nfs_zap_caches(struct inode *inode)
@@ -247,6 +256,24 @@ nfs_init_locked(struct inode *inode, void *opaque)
 }
 
 #ifdef CONFIG_NFS_V4_SECURITY_LABEL
+void nfs_setsecurity(struct inode *inode, struct nfs_fattr *fattr,
+					struct nfs4_label *label)
+{
+	int error;
+
+	if ((fattr->valid & NFS_ATTR_FATTR_V4_SECURITY_LABEL) &&
+			label && inode->i_security) {
+		error = security_inode_notifysecctx(inode, label->label,
+				label->len);
+		if (error)
+			printk(KERN_ERR "%s() %s %d "
+					"security_inode_notifysecctx() %d\n",
+					__func__,
+					(char *)label->label,
+					label->len, error);
+	}
+}
+
 struct nfs4_label *nfs4_label_alloc(gfp_t flags)
 {
 	struct nfs4_label *label = NULL;
@@ -284,7 +311,14 @@ void nfs4_label_free(struct nfs4_label *label)
 	return;
 }
 EXPORT_SYMBOL_GPL(nfs4_label_free);
+
+#else
+void nfs_setsecurity(struct inode *inode, struct nfs_fattr *fattr,
+					struct nfs4_label *label)
+{
+}
 #endif
+EXPORT_SYMBOL_GPL(nfs_setsecurity);
 
 /*
  * This is our front-end to iget that looks up inodes by file handle
@@ -413,6 +447,9 @@ nfs_fhget(struct super_block *sb, struct nfs_fh *fh, struct nfs_fattr *fattr, st
 			 */
 			inode->i_blocks = nfs_calc_block_size(fattr->du.nfs3.used);
 		}
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+		nfs_setsecurity(inode, fattr, label);
+#endif
 		nfsi->attrtimeo = NFS_MINATTRTIMEO(inode);
 		nfsi->attrtimeo_timestamp = now;
 		nfsi->access_cache = RB_ROOT;
@@ -772,6 +809,7 @@ struct nfs_open_context *nfs_find_open_context(struct inode *inode, struct rpc_c
 	spin_unlock(&inode->i_lock);
 	return ctx;
 }
+EXPORT_SYMBOL_GPL(nfs_find_open_context);
 
 static void nfs_file_clear_open_context(struct file *filp)
 {
@@ -904,7 +942,8 @@ static int nfs_attribute_cache_expired(struct inode *inode)
  */
 int nfs_revalidate_inode(struct nfs_server *server, struct inode *inode)
 {
-	if (!(NFS_I(inode)->cache_validity & NFS_INO_INVALID_ATTR)
+	if (!(NFS_I(inode)->cache_validity &
+			(NFS_INO_INVALID_ATTR|NFS_INO_INVALID_LABEL))
 			&& !nfs_attribute_cache_expired(inode))
 		return NFS_STALE(inode) ? -ESTALE : 0;
 	return __nfs_revalidate_inode(server, inode);
@@ -1497,6 +1536,10 @@ static int nfs_update_inode(struct inode *inode, struct nfs_fattr *fattr, struct
 				| NFS_INO_INVALID_ACL
 				| NFS_INO_REVAL_FORCED);
 
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (label)
+		nfs_setsecurity(inode, fattr, label);
+#endif
 	if (fattr->valid & NFS_ATTR_FATTR_NLINK) {
 		if (inode->i_nlink != fattr->nlink) {
 			invalid |= NFS_INO_INVALID_ATTR;
@@ -1518,7 +1561,7 @@ static int nfs_update_inode(struct inode *inode, struct nfs_fattr *fattr, struct
 		inode->i_blocks = fattr->du.nfs2.blocks;
 
 	/* Update attrtimeo value if we're out of the unstable period */
-	if (invalid & NFS_INO_INVALID_ATTR) {
+	if (invalid & (NFS_INO_INVALID_ATTR|NFS_INO_INVALID_LABEL)) {
 		nfs_inc_stats(inode, NFSIOS_ATTRINVALIDATE);
 		nfsi->attrtimeo = NFS_MINATTRTIMEO(inode);
 		nfsi->attrtimeo_timestamp = now;
@@ -1531,6 +1574,7 @@ static int nfs_update_inode(struct inode *inode, struct nfs_fattr *fattr, struct
 		}
 	}
 	invalid &= ~NFS_INO_INVALID_ATTR;
+	invalid &= ~NFS_INO_INVALID_LABEL;
 	/* Don't invalidate the data if we were to blame */
 	if (!(S_ISREG(inode->i_mode) || S_ISDIR(inode->i_mode)
 				|| S_ISLNK(inode->i_mode)))
diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
index 4ab2738..77d1a29 100644
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -133,7 +133,11 @@ const u32 nfs4_fattr_bitmap[3] = {
 	| FATTR4_WORD1_TIME_ACCESS
 	| FATTR4_WORD1_TIME_METADATA
 	| FATTR4_WORD1_TIME_MODIFY,
-	0
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	FATTR4_WORD2_SECURITY_LABEL
+#else
+		0
+#endif
 };
 
 static const u32 nfs4_pnfs_open_bitmap[3] = {
@@ -2059,6 +2063,7 @@ static int _nfs4_do_open(struct inode *dir,
 		if (status == 0) {
 			nfs_setattr_update_inode(state->inode, sattr);
 			nfs_post_op_update_inode(state->inode, opendata->o_res.f_attr, olabel);
+			nfs_setsecurity(state->inode, opendata->o_res.f_attr, olabel);
 		}
 	}
 
@@ -2172,6 +2177,10 @@ static int _nfs4_do_setattr(struct inode *inode, struct rpc_cred *cred,
 	unsigned long timestamp = jiffies;
 	int status;
 
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (ilabel == NULL || olabel == NULL)
+		arg.bitmask = server->attr_bitmask_nl;
+#endif
 	nfs_fattr_init(fattr);
 
 	if (state != NULL) {
@@ -2399,7 +2408,7 @@ int nfs4_do_close(struct nfs4_state *state, gfp_t gfp_mask, int wait)
 	if (calldata->arg.seqid == NULL)
 		goto out_free_calldata;
 	calldata->arg.fmode = 0;
-	calldata->arg.bitmask = server->cache_consistency_bitmask;
+	calldata->arg.bitmask = server->cache_consistency_bitmask_nl;
 	calldata->res.fattr = &calldata->fattr;
 	calldata->res.seqid = calldata->arg.seqid;
 	calldata->res.server = server;
@@ -2431,9 +2440,24 @@ nfs4_atomic_open(struct inode *dir, struct nfs_open_context *ctx, int open_flags
 	struct nfs4_state *state;
 	struct nfs4_label l, *label = NULL;
 
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (nfs_server_capable(dir, NFS_CAP_SECURITY_LABEL)) {
+		struct dentry *dentry = ctx->dentry;
+		int error;
+		error = security_dentry_init_security(dentry, attr->ia_mode,
+				&dentry->d_name, &l.label, &l.len);
+		if (error == 0)
+			label = &l;
+	}
+#endif
+
 	/* Protect against concurrent sillydeletes */
 	state = nfs4_do_open(dir, ctx->dentry, ctx->mode, open_flags, attr, label,
 			     ctx->cred, &ctx->mdsthreshold);
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (label)
+		security_release_secctx(l.label, l.len);
+#endif
 	if (IS_ERR(state))
 		return ERR_CAST(state);
 	ctx->state = state;
@@ -2493,10 +2517,26 @@ static int _nfs4_server_capabilities(struct nfs_server *server, struct nfs_fh *f
 			server->caps |= NFS_CAP_CTIME;
 		if (res.attr_bitmask[1] & FATTR4_WORD1_TIME_MODIFY)
 			server->caps |= NFS_CAP_MTIME;
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+		if (res.attr_bitmask[2] & FATTR4_WORD2_SECURITY_LABEL) {
+			server->caps |= NFS_CAP_SECURITY_LABEL;
+		} else
+#endif
+		server->attr_bitmask[2] &= ~FATTR4_WORD2_SECURITY_LABEL;
+
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+		memcpy(server->attr_bitmask_nl, res.attr_bitmask, sizeof(server->attr_bitmask));
+		server->attr_bitmask_nl[2] &= ~FATTR4_WORD2_SECURITY_LABEL;
+#endif
 
 		memcpy(server->cache_consistency_bitmask, res.attr_bitmask, sizeof(server->cache_consistency_bitmask));
 		server->cache_consistency_bitmask[0] &= FATTR4_WORD0_CHANGE|FATTR4_WORD0_SIZE;
-		server->cache_consistency_bitmask[1] &= FATTR4_WORD1_TIME_METADATA|FATTR4_WORD1_TIME_MODIFY;
+		server->cache_consistency_bitmask[1] &= FATTR4_WORD1_TIME_METADATA |
+							FATTR4_WORD1_TIME_MODIFY;
+		server->cache_consistency_bitmask[2] &= FATTR4_WORD2_SECURITY_LABEL;
+		memcpy(server->cache_consistency_bitmask_nl, server->cache_consistency_bitmask,
+							sizeof(server->cache_consistency_bitmask_nl));
+		server->cache_consistency_bitmask_nl[2] &= ~FATTR4_WORD2_SECURITY_LABEL;
 		server->acl_bitmask = res.acl_bitmask;
 		server->fh_expire_type = res.fh_expire_type;
 	}
@@ -2519,8 +2559,9 @@ int nfs4_server_capabilities(struct nfs_server *server, struct nfs_fh *fhandle)
 static int _nfs4_lookup_root(struct nfs_server *server, struct nfs_fh *fhandle,
 		struct nfs_fsinfo *info)
 {
+	u32 bitmask[3];
 	struct nfs4_lookup_root_arg args = {
-		.bitmask = nfs4_fattr_bitmap,
+		.bitmask = bitmask,
 	};
 	struct nfs4_lookup_res res = {
 		.server = server,
@@ -2533,6 +2574,10 @@ static int _nfs4_lookup_root(struct nfs_server *server, struct nfs_fh *fhandle,
 		.rpc_resp = &res,
 	};
 
+	bitmask[0] = nfs4_fattr_bitmap[0];
+	bitmask[1] = nfs4_fattr_bitmap[1];
+	bitmask[2] = nfs4_fattr_bitmap[2] & ~FATTR4_WORD2_SECURITY_LABEL;
+
 	nfs_fattr_init(info->fattr);
 	return nfs4_call_sync(server->client, server, &msg, &args.seq_args, &res.seq_res, 0);
 }
@@ -2722,7 +2767,12 @@ static int _nfs4_proc_getattr(struct nfs_server *server, struct nfs_fh *fhandle,
 		.rpc_argp = &args,
 		.rpc_resp = &res,
 	};
-	
+
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (!label)
+		args.bitmask = server->attr_bitmask_nl;
+#endif
+
 	nfs_fattr_init(fattr);
 	return nfs4_call_sync(server->client, server, &msg, &args.seq_args, &res.seq_res, 0);
 }
@@ -2815,6 +2865,7 @@ static int _nfs4_proc_lookup(struct rpc_clnt *clnt, struct inode *dir,
 	struct nfs4_lookup_res res = {
 		.server = server,
 		.fattr = fattr,
+		.label = label,
 		.fh = fhandle,
 	};
 	struct rpc_message msg = {
@@ -2823,6 +2874,11 @@ static int _nfs4_proc_lookup(struct rpc_clnt *clnt, struct inode *dir,
 		.rpc_resp = &res,
 	};
 
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (label == NULL)
+		args.bitmask = server->attr_bitmask_nl;
+#endif
+
 	nfs_fattr_init(fattr);
 
 	dprintk("NFS call  lookup %s\n", name->name);
@@ -2929,7 +2985,7 @@ static int _nfs4_proc_access(struct inode *inode, struct nfs_access_entry *entry
 		.rpc_cred = entry->cred,
 	};
 	int mode = entry->mask;
-	int status;
+	int status = 0;
 
 	/*
 	 * Determine which access bits we want to ask for...
@@ -3058,6 +3114,15 @@ nfs4_proc_create(struct inode *dir, struct dentry *dentry, struct iattr *sattr,
 	if (IS_ERR(ctx))
 		return PTR_ERR(ctx);
 
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (nfs_server_capable(dir, NFS_CAP_SECURITY_LABEL)) {
+		status = security_dentry_init_security(dentry, sattr->ia_mode,
+						&dentry->d_name, &l.label, &l.len);
+		if (status == 0)
+			ilabel = &l;
+	}
+#endif
+
 	sattr->ia_mode &= ~current_umask();
 	state = nfs4_do_open(dir, dentry, ctx->mode,
 			flags, sattr, ilabel, ctx->cred,
@@ -3071,6 +3136,10 @@ nfs4_proc_create(struct inode *dir, struct dentry *dentry, struct iattr *sattr,
 	nfs_set_verifier(dentry, nfs_save_change_attribute(dir));
 	ctx->state = state;
 out:
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (ilabel)
+		security_release_secctx(ilabel->label, ilabel->len);
+#endif
 	put_nfs_open_context(ctx);
 	return status;
 }
@@ -3120,6 +3189,8 @@ static void nfs4_proc_unlink_setup(struct rpc_message *msg, struct inode *dir)
 	res->server = server;
 	msg->rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_REMOVE];
 	nfs41_init_sequence(&args->seq_args, &res->seq_res, 1);
+
+	nfs_fattr_init(res->dir_attr);
 }
 
 static void nfs4_proc_unlink_rpc_prepare(struct rpc_task *task, struct nfs_unlinkdata *data)
@@ -3405,12 +3476,27 @@ static int nfs4_proc_symlink(struct inode *dir, struct dentry *dentry,
 	struct nfs4_exception exception = { };
 	struct nfs4_label l, *label = NULL;
 	int err;
+
+
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (nfs_server_capable(dir, NFS_CAP_SECURITY_LABEL)) {
+		err = security_dentry_init_security(dentry, sattr->ia_mode,
+					&dentry->d_name, &l.label, &l.len);
+		if (err == 0)
+			label = &l;
+	}
+#endif
+
 	do {
 		err = nfs4_handle_exception(NFS_SERVER(dir),
 				_nfs4_proc_symlink(dir, dentry, page,
 							len, sattr, label),
 				&exception);
 	} while (exception.retry);
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (label)
+		security_release_secctx(l.label, l.len);
+#endif
 	return err;
 }
 
@@ -3439,6 +3525,15 @@ static int nfs4_proc_mkdir(struct inode *dir, struct dentry *dentry,
 	struct nfs4_label l, *label = NULL;
 	int err;
 
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (nfs_server_capable(dir, NFS_CAP_SECURITY_LABEL)) {
+		err = security_dentry_init_security(dentry, sattr->ia_mode,
+					&dentry->d_name, &l.label, &l.len);
+		if (err == 0)
+			label = &l;
+	}
+#endif
+
 	sattr->ia_mode &= ~current_umask();
 	do {
 		err = nfs4_handle_exception(NFS_SERVER(dir),
@@ -3446,6 +3541,10 @@ static int nfs4_proc_mkdir(struct inode *dir, struct dentry *dentry,
 				&exception);
 	} while (exception.retry);
 	return err;
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (label)
+		security_release_secctx(l.label, l.len);
+#endif
 }
 
 static int _nfs4_proc_readdir(struct dentry *dentry, struct rpc_cred *cred,
@@ -3460,7 +3559,9 @@ static int _nfs4_proc_readdir(struct dentry *dentry, struct rpc_cred *cred,
 		.bitmask = NFS_SERVER(dentry->d_inode)->attr_bitmask,
 		.plus = plus,
 	};
-	struct nfs4_readdir_res res;
+	struct nfs4_readdir_res res = {
+		.pgbase = 0,
+	};
 	struct rpc_message msg = {
 		.rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_READDIR],
 		.rpc_argp = &args,
@@ -3543,12 +3644,25 @@ static int nfs4_proc_mknod(struct inode *dir, struct dentry *dentry,
 	struct nfs4_label l, *label = NULL;
 	int err;
 
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (nfs_server_capable(dir, NFS_CAP_SECURITY_LABEL)) {
+		err = security_dentry_init_security(dentry, sattr->ia_mode,
+					&dentry->d_name, &l.label, &l.len);
+		if (err == 0)
+			label = &l;
+	}
+#endif
+
 	sattr->ia_mode &= ~current_umask();
 	do {
 		err = nfs4_handle_exception(NFS_SERVER(dir),
 				_nfs4_proc_mknod(dir, dentry, sattr, label, rdev),
 				&exception);
 	} while (exception.retry);
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (label)
+		security_release_secctx(l.label, l.len);
+#endif
 	return err;
 }
 
@@ -3766,7 +3880,11 @@ static void nfs4_proc_write_setup(struct nfs_write_data *data, struct rpc_messag
 		data->args.bitmask = NULL;
 		data->res.fattr = NULL;
 	} else
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+		data->args.bitmask = server->cache_consistency_bitmask_nl;
+#else
 		data->args.bitmask = server->cache_consistency_bitmask;
+#endif
 
 	if (!data->write_done_cb)
 		data->write_done_cb = nfs4_write_done_cb;
@@ -4190,6 +4308,182 @@ static int nfs4_proc_set_acl(struct inode *inode, const void *buf, size_t buflen
 	return err;
 }
 
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+static int _nfs4_get_security_label(struct inode *inode, void *buf,
+					size_t buflen)
+{
+	struct nfs_server *server = NFS_SERVER(inode);
+	struct nfs_fattr fattr;
+	struct nfs4_label label;
+	u32 bitmask[3] = { 0, 0, FATTR4_WORD2_SECURITY_LABEL };
+	struct nfs4_getattr_arg args = {
+		.fh		= NFS_FH(inode),
+		.bitmask	= bitmask,
+	};
+	struct nfs4_getattr_res res = {
+		.fattr		= &fattr,
+		.label		= &label,
+		.server		= server,
+	};
+	struct rpc_message msg = {
+		.rpc_proc	= &nfs4_procedures[NFSPROC4_CLNT_GETATTR],
+		.rpc_argp	= &args,
+		.rpc_resp	= &res,
+	};
+	int ret;
+
+	label.label = buf;
+	label.len = buflen;
+	nfs_fattr_init(&fattr);
+
+	ret = rpc_call_sync(server->client, &msg, 0);
+	if (ret)
+		return ret;
+	if (!(fattr.valid & NFS_ATTR_FATTR_V4_SECURITY_LABEL))
+		return -ENOENT;
+	if (buflen < label.len)
+		return -ERANGE;
+	return 0;
+}
+
+static int nfs4_get_security_label(struct inode *inode, void *buf,
+					size_t buflen)
+{
+	struct nfs4_exception exception = { };
+	int err;
+
+	if (!nfs_server_capable(inode, NFS_CAP_SECURITY_LABEL))
+		return -EOPNOTSUPP;
+
+	do {
+		err = nfs4_handle_exception(NFS_SERVER(inode),
+				_nfs4_get_security_label(inode, buf, buflen),
+				&exception);
+	} while (exception.retry);
+	return err;
+}
+
+static int _nfs4_do_set_security_label(struct inode *inode,
+		struct nfs4_label *ilabel,
+		struct nfs_fattr *fattr,
+		struct nfs4_label *olabel,
+		struct nfs4_state *state)
+{
+
+	struct iattr sattr;
+	struct nfs_server *server = NFS_SERVER(inode);
+	const u32 bitmask[3] = { 0, 0, FATTR4_WORD2_SECURITY_LABEL };
+	struct nfs_setattrargs args = {
+		.fh             = NFS_FH(inode),
+		.iap            = &sattr,
+		.server		= server,
+		.bitmask	= bitmask,
+		.label		= ilabel,
+	};
+	struct nfs_setattrres res = {
+		.fattr		= fattr,
+		.label		= olabel,
+		.server		= server,
+	};
+	struct rpc_message msg = {
+		.rpc_proc       = &nfs4_procedures[NFSPROC4_CLNT_SETATTR],
+		.rpc_argp       = &args,
+		.rpc_resp       = &res,
+	};
+	unsigned long timestamp = jiffies;
+	int status;
+
+	memset(&sattr, 0, sizeof(struct iattr));
+
+	if (state != NULL) {
+		struct nfs_lockowner lockowner = {
+			.l_owner = current->files,
+			.l_pid = current->tgid,
+		};
+
+		msg.rpc_cred = state->owner->so_cred;
+		nfs4_select_rw_stateid(&args.stateid, state, FMODE_WRITE,
+				&lockowner);
+	} else if (nfs4_copy_delegation_stateid(&args.stateid, inode,
+				FMODE_WRITE)) {
+		/* Use that stateid */
+	} else
+		nfs4_stateid_copy(&args.stateid, &zero_stateid);
+
+	status = rpc_call_sync(server->client, &msg, 0);
+	if (status == 0 && state != NULL)
+		renew_lease(server, timestamp);
+	return status;
+}
+
+static int nfs4_do_set_security_label(struct inode *inode,
+		struct nfs4_label *ilabel,
+		struct nfs_fattr *fattr,
+		struct nfs4_label *olabel,
+		struct nfs4_state *state)
+{
+	struct nfs4_exception exception = { };
+	int err;
+
+	do {
+		err = nfs4_handle_exception(NFS_SERVER(inode),
+				_nfs4_do_set_security_label(inode, ilabel,
+				fattr, olabel, state),
+				&exception);
+	} while (exception.retry);
+	return err;
+}
+
+	static int
+nfs4_set_security_label(struct dentry *dentry, const void *buf, size_t buflen)
+{
+	struct nfs4_label ilabel, *olabel = NULL;
+	struct nfs_fattr fattr;
+	struct rpc_cred *cred;
+	struct nfs_open_context *ctx;
+	struct nfs4_state *state = NULL;
+	struct inode *inode = dentry->d_inode;
+	int status;
+
+	if (!nfs_server_capable(inode, NFS_CAP_SECURITY_LABEL))
+		return -EOPNOTSUPP;
+
+	nfs_fattr_init(&fattr);
+
+	ilabel.pi = 0;
+	ilabel.lfs = 0;
+	ilabel.label = (char *)buf;
+	ilabel.len = buflen;
+
+	cred = rpc_lookup_cred();
+	if (IS_ERR(cred))
+		return PTR_ERR(cred);
+
+	olabel = nfs4_label_alloc(GFP_KERNEL);
+	if (olabel == NULL) {
+		status = -ENOMEM;
+		goto out;
+	}
+
+	/* Search for an existing open(O_WRITE) file */
+	ctx = nfs_find_open_context(inode, cred, FMODE_WRITE);
+	if (ctx != NULL)
+		state = ctx->state;
+
+	status = nfs4_do_set_security_label(inode, &ilabel, &fattr, olabel,
+						state);
+	if (status == 0)
+		nfs_setsecurity(inode, &fattr, olabel);
+	if (ctx != NULL)
+		put_nfs_open_context(ctx);
+	nfs4_label_free(olabel);
+out:
+	put_rpccred(cred);
+	return status;
+}
+#endif	/* CONFIG_NFS_V4_SECURITY_LABEL */
+
+
 static int
 nfs4_async_handle_error(struct rpc_task *task, const struct nfs_server *server, struct nfs4_state *state)
 {
@@ -4480,7 +4774,7 @@ static int _nfs4_proc_delegreturn(struct inode *inode, struct rpc_cred *cred, co
 	nfs41_init_sequence(&data->args.seq_args, &data->res.seq_res, 1);
 	data->args.fhandle = &data->fh;
 	data->args.stateid = &data->stateid;
-	data->args.bitmask = server->cache_consistency_bitmask;
+	data->args.bitmask = server->cache_consistency_bitmask_nl;
 	nfs_copy_fh(&data->fh, NFS_FH(inode));
 	nfs4_stateid_copy(&data->stateid, stateid);
 	data->res.fattr = &data->fattr;
diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c
index 146d4d3..db57d72 100644
--- a/fs/nfs/nfs4xdr.c
+++ b/fs/nfs/nfs4xdr.c
@@ -101,12 +101,19 @@ static int nfs4_stat_to_errno(int);
 #define nfs4_path_maxsz		(1 + ((3 + NFS4_MAXPATHLEN) >> 2))
 #define nfs4_owner_maxsz	(1 + XDR_QUADLEN(IDMAP_NAMESZ))
 #define nfs4_group_maxsz	(1 + XDR_QUADLEN(IDMAP_NAMESZ))
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+/* PI(4 bytes) + LFS(4 bytes) + 1(for null terminator?) + MAXLABELLEN */
+#define	nfs4_label_maxsz	(4 + 4 + 1 + XDR_QUADLEN(NFS4_MAXLABELLEN))
+#else
+#define	nfs4_label_maxsz	0
+#endif
 /* We support only one layout type per file system */
 #define decode_mdsthreshold_maxsz (1 + 1 + nfs4_fattr_bitmap_maxsz + 1 + 8)
 /* This is based on getfattr, which uses the most attributes: */
 #define nfs4_fattr_value_maxsz	(1 + (1 + 2 + 2 + 4 + 2 + 1 + 1 + 2 + 2 + \
 				3 + 3 + 3 + nfs4_owner_maxsz + \
-				nfs4_group_maxsz + decode_mdsthreshold_maxsz))
+				nfs4_group_maxsz + nfs4_label_maxsz + \
+				 decode_mdsthreshold_maxsz))
 #define nfs4_fattr_maxsz	(nfs4_fattr_bitmap_maxsz + \
 				nfs4_fattr_value_maxsz)
 #define decode_getattr_maxsz    (op_decode_hdr_maxsz + nfs4_fattr_maxsz)
@@ -114,6 +121,7 @@ static int nfs4_stat_to_errno(int);
 				 1 + 2 + 1 + \
 				nfs4_owner_maxsz + \
 				nfs4_group_maxsz + \
+				nfs4_label_maxsz + \
 				4 + 4)
 #define encode_savefh_maxsz     (op_encode_hdr_maxsz)
 #define decode_savefh_maxsz     (op_decode_hdr_maxsz)
@@ -191,9 +199,11 @@ static int nfs4_stat_to_errno(int);
 				 encode_stateid_maxsz + 3)
 #define decode_read_maxsz	(op_decode_hdr_maxsz + 2)
 #define encode_readdir_maxsz	(op_encode_hdr_maxsz + \
-				 2 + encode_verifier_maxsz + 5)
+				 2 + encode_verifier_maxsz + 5 + \
+				nfs4_label_maxsz)
 #define decode_readdir_maxsz	(op_decode_hdr_maxsz + \
-				 decode_verifier_maxsz)
+				 decode_verifier_maxsz + \
+				nfs4_label_maxsz + nfs4_fattr_maxsz)
 #define encode_readlink_maxsz	(op_encode_hdr_maxsz)
 #define decode_readlink_maxsz	(op_decode_hdr_maxsz + 1)
 #define encode_write_maxsz	(op_encode_hdr_maxsz + \
@@ -969,7 +979,9 @@ static void encode_nfs4_verifier(struct xdr_stream *xdr, const nfs4_verifier *ve
 	encode_opaque_fixed(xdr, verf->data, NFS4_VERIFIER_SIZE);
 }
 
-static void encode_attrs(struct xdr_stream *xdr, const struct iattr *iap, const struct nfs_server *server)
+static void encode_attrs(struct xdr_stream *xdr, const struct iattr *iap,
+				const struct nfs4_label *label,
+				const struct nfs_server *server)
 {
 	char owner_name[IDMAP_NAMESZ];
 	char owner_group[IDMAP_NAMESZ];
@@ -1019,6 +1031,10 @@ static void encode_attrs(struct xdr_stream *xdr, const struct iattr *iap, const
 		}
 		len += 4 + (XDR_QUADLEN(owner_grouplen) << 2);
 	}
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (label)
+		len += 4 + 4 + 4 + (XDR_QUADLEN(label->len) << 2);
+#endif
 	if (iap->ia_valid & ATTR_ATIME_SET)
 		len += 16;
 	else if (iap->ia_valid & ATTR_ATIME)
@@ -1075,6 +1091,15 @@ static void encode_attrs(struct xdr_stream *xdr, const struct iattr *iap, const
 		bmval1 |= FATTR4_WORD1_TIME_MODIFY_SET;
 		*p++ = cpu_to_be32(NFS4_SET_TO_SERVER_TIME);
 	}
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (label) {
+		bmval2 |= FATTR4_WORD2_SECURITY_LABEL;
+		*p++ = cpu_to_be32(label->lfs);
+		*p++ = cpu_to_be32(label->pi);
+		*p++ = cpu_to_be32(label->len);
+		p = xdr_encode_opaque_fixed(p, label->label, label->len);
+	}
+#endif
 
 	/*
 	 * Now we backfill the bitmap and the attribute buffer length.
@@ -1141,7 +1166,7 @@ static void encode_create(struct xdr_stream *xdr, const struct nfs4_create_arg *
 	}
 
 	encode_string(xdr, create->name->len, create->name->name);
-	encode_attrs(xdr, create->attrs, create->server);
+	encode_attrs(xdr, create->attrs, create->label, create->server);
 }
 
 static void encode_getattr_one(struct xdr_stream *xdr, uint32_t bitmap, struct compound_hdr *hdr)
@@ -1374,21 +1399,23 @@ static inline void encode_createmode(struct xdr_stream *xdr, const struct nfs_op
 	switch(arg->open_flags & O_EXCL) {
 	case 0:
 		*p = cpu_to_be32(NFS4_CREATE_UNCHECKED);
-		encode_attrs(xdr, arg->u.attrs, arg->server);
+		encode_attrs(xdr, arg->u.attrs, arg->label, arg->server);
 		break;
 	default:
 		clp = arg->server->nfs_client;
 		if (clp->cl_mvops->minor_version > 0) {
 			if (nfs4_has_persistent_session(clp)) {
 				*p = cpu_to_be32(NFS4_CREATE_GUARDED);
-				encode_attrs(xdr, arg->u.attrs, arg->server);
+				encode_attrs(xdr, arg->u.attrs, arg->label,
+						arg->server);
 			} else {
 				struct iattr dummy;
 
 				*p = cpu_to_be32(NFS4_CREATE_EXCLUSIVE4_1);
 				encode_nfs4_verifier(xdr, &arg->u.verifier);
 				dummy.ia_valid = 0;
-				encode_attrs(xdr, &dummy, arg->server);
+				encode_attrs(xdr, &dummy, arg->label,
+						arg->server);
 			}
 		} else {
 			*p = cpu_to_be32(NFS4_CREATE_EXCLUSIVE);
@@ -1568,20 +1595,43 @@ static void encode_readdir(struct xdr_stream *xdr, const struct nfs4_readdir_arg
 	encode_op_hdr(xdr, OP_READDIR, decode_readdir_maxsz, hdr);
 	encode_uint64(xdr, readdir->cookie);
 	encode_nfs4_verifier(xdr, &readdir->verifier);
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	p = reserve_space(xdr, 24);
+#else
 	p = reserve_space(xdr, 20);
+#endif
 	*p++ = cpu_to_be32(dircount);
 	*p++ = cpu_to_be32(readdir->count);
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	*p++ = cpu_to_be32(3);
+#else
 	*p++ = cpu_to_be32(2);
-
+#endif
 	*p++ = cpu_to_be32(attrs[0] & readdir->bitmask[0]);
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	*p++ = cpu_to_be32(attrs[1] & readdir->bitmask[1]);
+	*p = cpu_to_be32(readdir->bitmask[2]);
+#else
 	*p = cpu_to_be32(attrs[1] & readdir->bitmask[1]);
+#endif
 	memcpy(verf, readdir->verifier.data, sizeof(verf));
-	dprintk("%s: cookie = %Lu, verifier = %08x:%08x, bitmap = %08x:%08x\n",
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	dprintk("%s: cookie = %llu, verifier = %08x:%08x, bitmap = %08x:%08x:%08x\n",
+			__func__,
+			(unsigned long long)readdir->cookie,
+			verf[0], verf[1],
+			attrs[0] & readdir->bitmask[0],
+			attrs[1] & readdir->bitmask[1],
+			readdir->bitmask[2]);
+#else
+	dprintk("%s: cookie = %llu, verifier = %08x:%08x, bitmap = %08x:%08x\n",
 			__func__,
 			(unsigned long long)readdir->cookie,
 			verf[0], verf[1],
 			attrs[0] & readdir->bitmask[0],
 			attrs[1] & readdir->bitmask[1]);
+#endif
+
 }
 
 static void encode_readlink(struct xdr_stream *xdr, const struct nfs4_readlink *readlink, struct rpc_rqst *req, struct compound_hdr *hdr)
@@ -1641,7 +1691,7 @@ static void encode_setattr(struct xdr_stream *xdr, const struct nfs_setattrargs
 {
 	encode_op_hdr(xdr, OP_SETATTR, decode_setattr_maxsz, hdr);
 	encode_nfs4_stateid(xdr, &arg->stateid);
-	encode_attrs(xdr, arg->iap, server);
+	encode_attrs(xdr, arg->iap, arg->label, server);
 }
 
 static void encode_setclientid(struct xdr_stream *xdr, const struct nfs4_setclientid *setclientid, struct compound_hdr *hdr)
@@ -4060,6 +4110,67 @@ static int decode_attr_time_delta(struct xdr_stream *xdr, uint32_t *bitmap,
 	return status;
 }
 
+static int decode_attr_security_label(struct xdr_stream *xdr, uint32_t *bitmap,
+					struct nfs4_label *label)
+{
+	uint32_t pi = 0;
+	uint32_t lfs = 0;
+	__u32 len;
+	__be32 *p;
+	int status = 0;
+
+	if (unlikely(bitmap[2] & (FATTR4_WORD2_SECURITY_LABEL - 1U)))
+		return -EIO;
+	if (likely(bitmap[2] & FATTR4_WORD2_SECURITY_LABEL)) {
+		p = xdr_inline_decode(xdr, 4);
+		if (unlikely(!p))
+			goto out_overflow;
+		lfs = be32_to_cpup(p++);
+		p = xdr_inline_decode(xdr, 4);
+		if (unlikely(!p))
+			goto out_overflow;
+		pi = be32_to_cpup(p++);
+		p = xdr_inline_decode(xdr, 4);
+		if (unlikely(!p))
+			goto out_overflow;
+		len = be32_to_cpup(p++);
+		p = xdr_inline_decode(xdr, len);
+		if (unlikely(!p))
+			goto out_overflow;
+		if (len < XDR_MAX_NETOBJ) {
+			if (label) {
+				nfs4_label_init(label);
+				if (label->len < len) {
+					printk(KERN_ERR
+						"%s(): label->len %d < len %d\n",
+						__func__, label->len, len);
+				} else {
+					memcpy(label->label, p, len);
+					label->len = len;
+					label->pi = pi;
+					label->lfs = lfs;
+					status = NFS_ATTR_FATTR_V4_SECURITY_LABEL;
+				}
+			} else {
+				printk("%s(): NULL label.\n", __func__);
+				dump_stack();
+				goto out_overflow;
+			}
+			bitmap[2] &= ~FATTR4_WORD2_SECURITY_LABEL;
+		} else
+			printk(KERN_WARNING "%s: label too long (%u)!\n",
+					__func__, len);
+	}
+	if (label && label->label)
+		dprintk("%s: label=%s, len=%d, PI=%d, LFS=%d\n", __func__,
+			label->label, label->len, label->pi, label->lfs);
+	return status;
+
+out_overflow:
+	print_overflow_msg(__func__, xdr);
+	return -EIO;
+}
+
 static int decode_attr_time_modify(struct xdr_stream *xdr, uint32_t *bitmap, struct timespec *time)
 {
 	int status = 0;
@@ -4402,7 +4513,7 @@ out_overflow:
 
 static int decode_getfattr_attrs(struct xdr_stream *xdr, uint32_t *bitmap,
 		struct nfs_fattr *fattr, struct nfs_fh *fh,
-		struct nfs4_fs_locations *fs_loc,
+		struct nfs4_fs_locations *fs_loc, struct nfs4_label *label,
 		const struct nfs_server *server)
 {
 	int status;
@@ -4510,6 +4621,11 @@ static int decode_getfattr_attrs(struct xdr_stream *xdr, uint32_t *bitmap,
 	if (status < 0)
 		goto xdr_error;
 
+	status = decode_attr_security_label(xdr, bitmap, label);
+	if (status < 0)
+		goto xdr_error;
+	fattr->valid |= status;
+
 xdr_error:
 	dprintk("%s: xdr returned %d\n", __func__, -status);
 	return status;
@@ -4517,7 +4633,7 @@ xdr_error:
 
 static int decode_getfattr_generic(struct xdr_stream *xdr, struct nfs_fattr *fattr,
 		struct nfs_fh *fh, struct nfs4_fs_locations *fs_loc,
-		const struct nfs_server *server)
+		struct nfs4_label *label, const struct nfs_server *server)
 {
 	unsigned int savep;
 	uint32_t attrlen,
@@ -4536,7 +4652,8 @@ static int decode_getfattr_generic(struct xdr_stream *xdr, struct nfs_fattr *fat
 	if (status < 0)
 		goto xdr_error;
 
-	status = decode_getfattr_attrs(xdr, bitmap, fattr, fh, fs_loc, server);
+	status = decode_getfattr_attrs(xdr, bitmap, fattr, fh, fs_loc,
+					label, server);
 	if (status < 0)
 		goto xdr_error;
 
@@ -4547,9 +4664,9 @@ xdr_error:
 }
 
 static int decode_getfattr(struct xdr_stream *xdr, struct nfs_fattr *fattr,
-		const struct nfs_server *server)
+		struct nfs4_label *label, const struct nfs_server *server)
 {
-	return decode_getfattr_generic(xdr, fattr, NULL, NULL, server);
+	return decode_getfattr_generic(xdr, fattr, NULL, NULL, label, server);
 }
 
 /*
@@ -5881,7 +5998,7 @@ static int nfs4_xdr_dec_open_downgrade(struct rpc_rqst *rqstp,
 	status = decode_open_downgrade(xdr, res);
 	if (status != 0)
 		goto out;
-	decode_getfattr(xdr, res->fattr, res->server);
+	decode_getfattr(xdr, res->fattr, res->label, res->server);
 out:
 	return status;
 }
@@ -5907,7 +6024,7 @@ static int nfs4_xdr_dec_access(struct rpc_rqst *rqstp, struct xdr_stream *xdr,
 	status = decode_access(xdr, &res->supported, &res->access);
 	if (status != 0)
 		goto out;
-	decode_getfattr(xdr, res->fattr, res->server);
+	decode_getfattr(xdr, res->fattr, res->label, res->server);
 out:
 	return status;
 }
@@ -5936,7 +6053,7 @@ static int nfs4_xdr_dec_lookup(struct rpc_rqst *rqstp, struct xdr_stream *xdr,
 	status = decode_getfh(xdr, res->fh);
 	if (status)
 		goto out;
-	status = decode_getfattr(xdr, res->fattr, res->server);
+	status = decode_getfattr(xdr, res->fattr, res->label, res->server);
 out:
 	return status;
 }
@@ -5962,7 +6079,8 @@ static int nfs4_xdr_dec_lookup_root(struct rpc_rqst *rqstp,
 		goto out;
 	status = decode_getfh(xdr, res->fh);
 	if (status == 0)
-		status = decode_getfattr(xdr, res->fattr, res->server);
+		status = decode_getfattr(xdr, res->fattr,
+						res->label, res->server);
 out:
 	return status;
 }
@@ -6053,7 +6171,7 @@ static int nfs4_xdr_dec_link(struct rpc_rqst *rqstp, struct xdr_stream *xdr,
 	status = decode_restorefh(xdr);
 	if (status)
 		goto out;
-	decode_getfattr(xdr, res->fattr, res->server);
+	decode_getfattr(xdr, res->fattr, res->label, res->server);
 out:
 	return status;
 }
@@ -6082,7 +6200,7 @@ static int nfs4_xdr_dec_create(struct rpc_rqst *rqstp, struct xdr_stream *xdr,
 	status = decode_getfh(xdr, res->fh);
 	if (status)
 		goto out;
-	decode_getfattr(xdr, res->fattr, res->server);
+	decode_getfattr(xdr, res->fattr, res->label, res->server);
 out:
 	return status;
 }
@@ -6114,7 +6232,7 @@ static int nfs4_xdr_dec_getattr(struct rpc_rqst *rqstp, struct xdr_stream *xdr,
 	status = decode_putfh(xdr);
 	if (status)
 		goto out;
-	status = decode_getfattr(xdr, res->fattr, res->server);
+	status = decode_getfattr(xdr, res->fattr, res->label, res->server);
 out:
 	return status;
 }
@@ -6216,7 +6334,7 @@ static int nfs4_xdr_dec_close(struct rpc_rqst *rqstp, struct xdr_stream *xdr,
 	 * 	an ESTALE error. Shouldn't be a problem,
 	 * 	though, since fattr->valid will remain unset.
 	 */
-	decode_getfattr(xdr, res->fattr, res->server);
+	decode_getfattr(xdr, res->fattr, res->label, res->server);
 out:
 	return status;
 }
@@ -6247,7 +6365,7 @@ static int nfs4_xdr_dec_open(struct rpc_rqst *rqstp, struct xdr_stream *xdr,
 		goto out;
 	if (res->access_request)
 		decode_access(xdr, &res->access_supported, &res->access_result);
-	decode_getfattr(xdr, res->f_attr, res->server);
+	decode_getfattr(xdr, res->f_attr, res->f_label, res->server);
 out:
 	return status;
 }
@@ -6297,7 +6415,7 @@ static int nfs4_xdr_dec_open_noattr(struct rpc_rqst *rqstp,
 		goto out;
 	if (res->access_request)
 		decode_access(xdr, &res->access_supported, &res->access_result);
-	decode_getfattr(xdr, res->f_attr, res->server);
+	decode_getfattr(xdr, res->f_attr, NULL, res->server);
 out:
 	return status;
 }
@@ -6324,7 +6442,7 @@ static int nfs4_xdr_dec_setattr(struct rpc_rqst *rqstp,
 	status = decode_setattr(xdr);
 	if (status)
 		goto out;
-	decode_getfattr(xdr, res->fattr, res->server);
+	decode_getfattr(xdr, res->fattr, res->label, res->server);
 out:
 	return status;
 }
@@ -6504,7 +6622,7 @@ static int nfs4_xdr_dec_write(struct rpc_rqst *rqstp, struct xdr_stream *xdr,
 	if (status)
 		goto out;
 	if (res->fattr)
-		decode_getfattr(xdr, res->fattr, res->server);
+		decode_getfattr(xdr, res->fattr, NULL, res->server);
 	if (!status)
 		status = res->count;
 out:
@@ -6685,7 +6803,7 @@ static int nfs4_xdr_dec_delegreturn(struct rpc_rqst *rqstp,
 	status = decode_putfh(xdr);
 	if (status != 0)
 		goto out;
-	status = decode_getfattr(xdr, res->fattr, res->server);
+	status = decode_getfattr(xdr, res->fattr, res->label, res->server);
 	if (status != 0)
 		goto out;
 	status = decode_delegreturn(xdr);
@@ -6718,7 +6836,7 @@ static int nfs4_xdr_dec_fs_locations(struct rpc_rqst *req,
 	xdr_enter_page(xdr, PAGE_SIZE);
 	status = decode_getfattr_generic(xdr, &res->fs_locations->fattr,
 					 NULL, res->fs_locations,
-					 res->fs_locations->server);
+					 NULL, res->fs_locations->server);
 out:
 	return status;
 }
@@ -6999,7 +7117,7 @@ static int nfs4_xdr_dec_layoutcommit(struct rpc_rqst *rqstp,
 	status = decode_layoutcommit(xdr, rqstp, res);
 	if (status)
 		goto out;
-	decode_getfattr(xdr, res->fattr, res->server);
+	decode_getfattr(xdr, res->fattr, NULL, res->server);
 out:
 	return status;
 }
@@ -7131,7 +7249,7 @@ int nfs4_decode_dirent(struct xdr_stream *xdr, struct nfs_entry *entry,
 		goto out_overflow;
 
 	if (decode_getfattr_attrs(xdr, bitmap, entry->fattr, entry->fh,
-				  NULL, entry->server) < 0)
+			NULL, entry->label, entry->server) < 0)
 		goto out_overflow;
 	if (entry->fattr->valid & NFS_ATTR_FATTR_MOUNTED_ON_FILEID)
 		entry->ino = entry->fattr->mounted_on_fileid;
diff --git a/fs/nfs/super.c b/fs/nfs/super.c
index f4e13c3..3828ba6 100644
--- a/fs/nfs/super.c
+++ b/fs/nfs/super.c
@@ -2357,8 +2357,23 @@ static int nfs_bdi_register(struct nfs_server *server)
 int nfs_set_sb_security(struct super_block *s, struct dentry *mntroot,
 			struct nfs_mount_info *mount_info)
 {
-	return security_sb_set_mnt_opts(s, &mount_info->parsed->lsm_opts,
-								0, NULL);
+	int error;
+	unsigned long kflags = 0, kflags_out = 0;
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (NFS_SB(s)->caps & NFS_CAP_SECURITY_LABEL)
+		kflags |= SECURITY_LSM_NATIVE_LABELS;
+#endif
+	error = security_sb_set_mnt_opts(s, &mount_info->parsed->lsm_opts,
+						kflags, &kflags_out);
+	if (error)
+		goto err;
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (NFS_SB(s)->caps & NFS_CAP_SECURITY_LABEL &&
+		!(kflags_out & SECURITY_LSM_NATIVE_LABELS))
+		NFS_SB(s)->caps &= ~NFS_CAP_SECURITY_LABEL;
+#endif
+err:
+	return error;
 }
 EXPORT_SYMBOL_GPL(nfs_set_sb_security);
 
diff --git a/include/linux/nfs_fs.h b/include/linux/nfs_fs.h
index c8ace0d..2ef01f8 100644
--- a/include/linux/nfs_fs.h
+++ b/include/linux/nfs_fs.h
@@ -199,6 +199,7 @@ struct nfs_inode {
 #define NFS_INO_INVALID_ACL	0x0010		/* cached acls are invalid */
 #define NFS_INO_REVAL_PAGECACHE	0x0020		/* must revalidate pagecache */
 #define NFS_INO_REVAL_FORCED	0x0040		/* force revalidation ignoring a delegation */
+#define NFS_INO_INVALID_LABEL	0x0080		/* cached label is invalid */
 
 /*
  * Bit offsets in flags field
@@ -344,6 +345,8 @@ extern int __nfs_revalidate_inode(struct nfs_server *, struct inode *);
 extern int nfs_revalidate_mapping(struct inode *inode, struct address_space *mapping);
 extern int nfs_setattr(struct dentry *, struct iattr *);
 extern void nfs_setattr_update_inode(struct inode *inode, struct iattr *attr);
+extern void nfs_setsecurity(struct inode *inode, struct nfs_fattr *fattr,
+				struct nfs4_label *label);
 extern struct nfs_open_context *get_nfs_open_context(struct nfs_open_context *ctx);
 extern void put_nfs_open_context(struct nfs_open_context *ctx);
 extern struct nfs_open_context *nfs_find_open_context(struct inode *inode, struct rpc_cred *cred, fmode_t mode);
diff --git a/include/linux/nfs_fs_sb.h b/include/linux/nfs_fs_sb.h
index 383fe9c..ac07d98 100644
--- a/include/linux/nfs_fs_sb.h
+++ b/include/linux/nfs_fs_sb.h
@@ -145,11 +145,18 @@ struct nfs_server {
 	u32			attr_bitmask[3];/* V4 bitmask representing the set
 						   of attributes supported on this
 						   filesystem */
+	u32			attr_bitmask_nl[3];
+						/* V4 bitmask representing the
+						   set of attributes supported
+						   on this filesystem excluding
+						   the label support bit. */
 	u32			cache_consistency_bitmask[3];
 						/* V4 bitmask representing the subset
 						   of change attribute, size, ctime
 						   and mtime attributes supported by
 						   the server */
+	u32			cache_consistency_bitmask_nl[3];
+						/* As above, excluding label. */
 	u32			acl_bitmask;	/* V4 bitmask representing the ACEs
 						   that are supported on this
 						   filesystem */
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 8f233ff..3e1b84d 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2876,7 +2876,10 @@ static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
 		return;
 	}
 
+	isec->sclass = inode_mode_to_security_class(inode->i_mode);
 	isec->sid = newsid;
+	isec->initialized = 1;
+
 	return;
 }
 
@@ -2964,6 +2967,7 @@ static int selinux_inode_setsecurity(struct inode *inode, const char *name,
 	if (rc)
 		return rc;
 
+	isec->sclass = inode_mode_to_security_class(inode->i_mode);
 	isec->sid = newsid;
 	isec->initialized = 1;
 	return 0;
-- 
1.7.11.7

[PATCH 11/13] NFS: Client implementation of Labeled-NFS

[David Quigley]

From: David Quigley <dpquigl@davequigley.com>

This patch implements the client transport and handling support for labeled
NFS. The patch adds two functions to encode and decode the security label
recommended attribute which makes use of the LSM hooks added earlier. It also
adds code to grab the label from the file attribute structures and encode the
label to be sent back to the server.

Signed-off-by: Matthew N. Dodd <Matthew.Dodd@sparta.com>
Signed-off-by: Miguel Rodel Felipe <Rodel_FM@dsi.a-star.edu.sg>
Signed-off-by: Phua Eu Gene <PHUA_Eu_Gene@dsi.a-star.edu.sg>
Signed-off-by: Khin Mi Mi Aung <Mi_Mi_AUNG@dsi.a-star.edu.sg>
Signed-off-by: David Quigley <dpquigl@davequigley.com>
---
 fs/nfs/inode.c            |  52 +++++++-
 fs/nfs/nfs4proc.c         | 310 ++++++++++++++++++++++++++++++++++++++++++++--
 fs/nfs/nfs4xdr.c          | 182 ++++++++++++++++++++++-----
 fs/nfs/super.c            |  19 ++-
 include/linux/nfs_fs.h    |   3 +
 include/linux/nfs_fs_sb.h |   7 ++
 security/selinux/hooks.c  |   4 +
 7 files changed, 531 insertions(+), 46 deletions(-)

diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c
index ab08d0d..ac29093 100644
--- a/fs/nfs/inode.c
+++ b/fs/nfs/inode.c
@@ -156,9 +156,18 @@ static void nfs_zap_caches_locked(struct inode *inode)
 
 	memset(NFS_I(inode)->cookieverf, 0, sizeof(NFS_I(inode)->cookieverf));
 	if (S_ISREG(mode) || S_ISDIR(mode) || S_ISLNK(mode))
-		nfsi->cache_validity |= NFS_INO_INVALID_ATTR|NFS_INO_INVALID_DATA|NFS_INO_INVALID_ACCESS|NFS_INO_INVALID_ACL|NFS_INO_REVAL_PAGECACHE;
+		nfsi->cache_validity |= NFS_INO_INVALID_ATTR
+					| NFS_INO_INVALID_LABEL
+					| NFS_INO_INVALID_DATA
+					| NFS_INO_INVALID_ACCESS
+					| NFS_INO_INVALID_ACL
+					| NFS_INO_REVAL_PAGECACHE;
 	else
-		nfsi->cache_validity |= NFS_INO_INVALID_ATTR|NFS_INO_INVALID_ACCESS|NFS_INO_INVALID_ACL|NFS_INO_REVAL_PAGECACHE;
+		nfsi->cache_validity |= NFS_INO_INVALID_ATTR
+					| NFS_INO_INVALID_LABEL
+					| NFS_INO_INVALID_ACCESS
+					| NFS_INO_INVALID_ACL
+					| NFS_INO_REVAL_PAGECACHE;
 }
 
 void nfs_zap_caches(struct inode *inode)
@@ -247,6 +256,24 @@ nfs_init_locked(struct inode *inode, void *opaque)
 }
 
 #ifdef CONFIG_NFS_V4_SECURITY_LABEL
+void nfs_setsecurity(struct inode *inode, struct nfs_fattr *fattr,
+					struct nfs4_label *label)
+{
+	int error;
+
+	if ((fattr->valid & NFS_ATTR_FATTR_V4_SECURITY_LABEL) &&
+			label && inode->i_security) {
+		error = security_inode_notifysecctx(inode, label->label,
+				label->len);
+		if (error)
+			printk(KERN_ERR "%s() %s %d "
+					"security_inode_notifysecctx() %d\n",
+					__func__,
+					(char *)label->label,
+					label->len, error);
+	}
+}
+
 struct nfs4_label *nfs4_label_alloc(gfp_t flags)
 {
 	struct nfs4_label *label = NULL;
@@ -284,7 +311,14 @@ void nfs4_label_free(struct nfs4_label *label)
 	return;
 }
 EXPORT_SYMBOL_GPL(nfs4_label_free);
+
+#else
+void nfs_setsecurity(struct inode *inode, struct nfs_fattr *fattr,
+					struct nfs4_label *label)
+{
+}
 #endif
+EXPORT_SYMBOL_GPL(nfs_setsecurity);
 
 /*
  * This is our front-end to iget that looks up inodes by file handle
@@ -413,6 +447,9 @@ nfs_fhget(struct super_block *sb, struct nfs_fh *fh, struct nfs_fattr *fattr, st
 			 */
 			inode->i_blocks = nfs_calc_block_size(fattr->du.nfs3.used);
 		}
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+		nfs_setsecurity(inode, fattr, label);
+#endif
 		nfsi->attrtimeo = NFS_MINATTRTIMEO(inode);
 		nfsi->attrtimeo_timestamp = now;
 		nfsi->access_cache = RB_ROOT;
@@ -772,6 +809,7 @@ struct nfs_open_context *nfs_find_open_context(struct inode *inode, struct rpc_c
 	spin_unlock(&inode->i_lock);
 	return ctx;
 }
+EXPORT_SYMBOL_GPL(nfs_find_open_context);
 
 static void nfs_file_clear_open_context(struct file *filp)
 {
@@ -904,7 +942,8 @@ static int nfs_attribute_cache_expired(struct inode *inode)
  */
 int nfs_revalidate_inode(struct nfs_server *server, struct inode *inode)
 {
-	if (!(NFS_I(inode)->cache_validity & NFS_INO_INVALID_ATTR)
+	if (!(NFS_I(inode)->cache_validity &
+			(NFS_INO_INVALID_ATTR|NFS_INO_INVALID_LABEL))
 			&& !nfs_attribute_cache_expired(inode))
 		return NFS_STALE(inode) ? -ESTALE : 0;
 	return __nfs_revalidate_inode(server, inode);
@@ -1497,6 +1536,10 @@ static int nfs_update_inode(struct inode *inode, struct nfs_fattr *fattr, struct
 				| NFS_INO_INVALID_ACL
 				| NFS_INO_REVAL_FORCED);
 
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (label)
+		nfs_setsecurity(inode, fattr, label);
+#endif
 	if (fattr->valid & NFS_ATTR_FATTR_NLINK) {
 		if (inode->i_nlink != fattr->nlink) {
 			invalid |= NFS_INO_INVALID_ATTR;
@@ -1518,7 +1561,7 @@ static int nfs_update_inode(struct inode *inode, struct nfs_fattr *fattr, struct
 		inode->i_blocks = fattr->du.nfs2.blocks;
 
 	/* Update attrtimeo value if we're out of the unstable period */
-	if (invalid & NFS_INO_INVALID_ATTR) {
+	if (invalid & (NFS_INO_INVALID_ATTR|NFS_INO_INVALID_LABEL)) {
 		nfs_inc_stats(inode, NFSIOS_ATTRINVALIDATE);
 		nfsi->attrtimeo = NFS_MINATTRTIMEO(inode);
 		nfsi->attrtimeo_timestamp = now;
@@ -1531,6 +1574,7 @@ static int nfs_update_inode(struct inode *inode, struct nfs_fattr *fattr, struct
 		}
 	}
 	invalid &= ~NFS_INO_INVALID_ATTR;
+	invalid &= ~NFS_INO_INVALID_LABEL;
 	/* Don't invalidate the data if we were to blame */
 	if (!(S_ISREG(inode->i_mode) || S_ISDIR(inode->i_mode)
 				|| S_ISLNK(inode->i_mode)))
diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
index 4ab2738..77d1a29 100644
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -133,7 +133,11 @@ const u32 nfs4_fattr_bitmap[3] = {
 	| FATTR4_WORD1_TIME_ACCESS
 	| FATTR4_WORD1_TIME_METADATA
 	| FATTR4_WORD1_TIME_MODIFY,
-	0
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	FATTR4_WORD2_SECURITY_LABEL
+#else
+		0
+#endif
 };
 
 static const u32 nfs4_pnfs_open_bitmap[3] = {
@@ -2059,6 +2063,7 @@ static int _nfs4_do_open(struct inode *dir,
 		if (status == 0) {
 			nfs_setattr_update_inode(state->inode, sattr);
 			nfs_post_op_update_inode(state->inode, opendata->o_res.f_attr, olabel);
+			nfs_setsecurity(state->inode, opendata->o_res.f_attr, olabel);
 		}
 	}
 
@@ -2172,6 +2177,10 @@ static int _nfs4_do_setattr(struct inode *inode, struct rpc_cred *cred,
 	unsigned long timestamp = jiffies;
 	int status;
 
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (ilabel == NULL || olabel == NULL)
+		arg.bitmask = server->attr_bitmask_nl;
+#endif
 	nfs_fattr_init(fattr);
 
 	if (state != NULL) {
@@ -2399,7 +2408,7 @@ int nfs4_do_close(struct nfs4_state *state, gfp_t gfp_mask, int wait)
 	if (calldata->arg.seqid == NULL)
 		goto out_free_calldata;
 	calldata->arg.fmode = 0;
-	calldata->arg.bitmask = server->cache_consistency_bitmask;
+	calldata->arg.bitmask = server->cache_consistency_bitmask_nl;
 	calldata->res.fattr = &calldata->fattr;
 	calldata->res.seqid = calldata->arg.seqid;
 	calldata->res.server = server;
@@ -2431,9 +2440,24 @@ nfs4_atomic_open(struct inode *dir, struct nfs_open_context *ctx, int open_flags
 	struct nfs4_state *state;
 	struct nfs4_label l, *label = NULL;
 
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (nfs_server_capable(dir, NFS_CAP_SECURITY_LABEL)) {
+		struct dentry *dentry = ctx->dentry;
+		int error;
+		error = security_dentry_init_security(dentry, attr->ia_mode,
+				&dentry->d_name, &l.label, &l.len);
+		if (error == 0)
+			label = &l;
+	}
+#endif
+
 	/* Protect against concurrent sillydeletes */
 	state = nfs4_do_open(dir, ctx->dentry, ctx->mode, open_flags, attr, label,
 			     ctx->cred, &ctx->mdsthreshold);
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (label)
+		security_release_secctx(l.label, l.len);
+#endif
 	if (IS_ERR(state))
 		return ERR_CAST(state);
 	ctx->state = state;
@@ -2493,10 +2517,26 @@ static int _nfs4_server_capabilities(struct nfs_server *server, struct nfs_fh *f
 			server->caps |= NFS_CAP_CTIME;
 		if (res.attr_bitmask[1] & FATTR4_WORD1_TIME_MODIFY)
 			server->caps |= NFS_CAP_MTIME;
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+		if (res.attr_bitmask[2] & FATTR4_WORD2_SECURITY_LABEL) {
+			server->caps |= NFS_CAP_SECURITY_LABEL;
+		} else
+#endif
+		server->attr_bitmask[2] &= ~FATTR4_WORD2_SECURITY_LABEL;
+
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+		memcpy(server->attr_bitmask_nl, res.attr_bitmask, sizeof(server->attr_bitmask));
+		server->attr_bitmask_nl[2] &= ~FATTR4_WORD2_SECURITY_LABEL;
+#endif
 
 		memcpy(server->cache_consistency_bitmask, res.attr_bitmask, sizeof(server->cache_consistency_bitmask));
 		server->cache_consistency_bitmask[0] &= FATTR4_WORD0_CHANGE|FATTR4_WORD0_SIZE;
-		server->cache_consistency_bitmask[1] &= FATTR4_WORD1_TIME_METADATA|FATTR4_WORD1_TIME_MODIFY;
+		server->cache_consistency_bitmask[1] &= FATTR4_WORD1_TIME_METADATA |
+							FATTR4_WORD1_TIME_MODIFY;
+		server->cache_consistency_bitmask[2] &= FATTR4_WORD2_SECURITY_LABEL;
+		memcpy(server->cache_consistency_bitmask_nl, server->cache_consistency_bitmask,
+							sizeof(server->cache_consistency_bitmask_nl));
+		server->cache_consistency_bitmask_nl[2] &= ~FATTR4_WORD2_SECURITY_LABEL;
 		server->acl_bitmask = res.acl_bitmask;
 		server->fh_expire_type = res.fh_expire_type;
 	}
@@ -2519,8 +2559,9 @@ int nfs4_server_capabilities(struct nfs_server *server, struct nfs_fh *fhandle)
 static int _nfs4_lookup_root(struct nfs_server *server, struct nfs_fh *fhandle,
 		struct nfs_fsinfo *info)
 {
+	u32 bitmask[3];
 	struct nfs4_lookup_root_arg args = {
-		.bitmask = nfs4_fattr_bitmap,
+		.bitmask = bitmask,
 	};
 	struct nfs4_lookup_res res = {
 		.server = server,
@@ -2533,6 +2574,10 @@ static int _nfs4_lookup_root(struct nfs_server *server, struct nfs_fh *fhandle,
 		.rpc_resp = &res,
 	};
 
+	bitmask[0] = nfs4_fattr_bitmap[0];
+	bitmask[1] = nfs4_fattr_bitmap[1];
+	bitmask[2] = nfs4_fattr_bitmap[2] & ~FATTR4_WORD2_SECURITY_LABEL;
+
 	nfs_fattr_init(info->fattr);
 	return nfs4_call_sync(server->client, server, &msg, &args.seq_args, &res.seq_res, 0);
 }
@@ -2722,7 +2767,12 @@ static int _nfs4_proc_getattr(struct nfs_server *server, struct nfs_fh *fhandle,
 		.rpc_argp = &args,
 		.rpc_resp = &res,
 	};
-	
+
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (!label)
+		args.bitmask = server->attr_bitmask_nl;
+#endif
+
 	nfs_fattr_init(fattr);
 	return nfs4_call_sync(server->client, server, &msg, &args.seq_args, &res.seq_res, 0);
 }
@@ -2815,6 +2865,7 @@ static int _nfs4_proc_lookup(struct rpc_clnt *clnt, struct inode *dir,
 	struct nfs4_lookup_res res = {
 		.server = server,
 		.fattr = fattr,
+		.label = label,
 		.fh = fhandle,
 	};
 	struct rpc_message msg = {
@@ -2823,6 +2874,11 @@ static int _nfs4_proc_lookup(struct rpc_clnt *clnt, struct inode *dir,
 		.rpc_resp = &res,
 	};
 
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (label == NULL)
+		args.bitmask = server->attr_bitmask_nl;
+#endif
+
 	nfs_fattr_init(fattr);
 
 	dprintk("NFS call  lookup %s\n", name->name);
@@ -2929,7 +2985,7 @@ static int _nfs4_proc_access(struct inode *inode, struct nfs_access_entry *entry
 		.rpc_cred = entry->cred,
 	};
 	int mode = entry->mask;
-	int status;
+	int status = 0;
 
 	/*
 	 * Determine which access bits we want to ask for...
@@ -3058,6 +3114,15 @@ nfs4_proc_create(struct inode *dir, struct dentry *dentry, struct iattr *sattr,
 	if (IS_ERR(ctx))
 		return PTR_ERR(ctx);
 
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (nfs_server_capable(dir, NFS_CAP_SECURITY_LABEL)) {
+		status = security_dentry_init_security(dentry, sattr->ia_mode,
+						&dentry->d_name, &l.label, &l.len);
+		if (status == 0)
+			ilabel = &l;
+	}
+#endif
+
 	sattr->ia_mode &= ~current_umask();
 	state = nfs4_do_open(dir, dentry, ctx->mode,
 			flags, sattr, ilabel, ctx->cred,
@@ -3071,6 +3136,10 @@ nfs4_proc_create(struct inode *dir, struct dentry *dentry, struct iattr *sattr,
 	nfs_set_verifier(dentry, nfs_save_change_attribute(dir));
 	ctx->state = state;
 out:
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (ilabel)
+		security_release_secctx(ilabel->label, ilabel->len);
+#endif
 	put_nfs_open_context(ctx);
 	return status;
 }
@@ -3120,6 +3189,8 @@ static void nfs4_proc_unlink_setup(struct rpc_message *msg, struct inode *dir)
 	res->server = server;
 	msg->rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_REMOVE];
 	nfs41_init_sequence(&args->seq_args, &res->seq_res, 1);
+
+	nfs_fattr_init(res->dir_attr);
 }
 
 static void nfs4_proc_unlink_rpc_prepare(struct rpc_task *task, struct nfs_unlinkdata *data)
@@ -3405,12 +3476,27 @@ static int nfs4_proc_symlink(struct inode *dir, struct dentry *dentry,
 	struct nfs4_exception exception = { };
 	struct nfs4_label l, *label = NULL;
 	int err;
+
+
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (nfs_server_capable(dir, NFS_CAP_SECURITY_LABEL)) {
+		err = security_dentry_init_security(dentry, sattr->ia_mode,
+					&dentry->d_name, &l.label, &l.len);
+		if (err == 0)
+			label = &l;
+	}
+#endif
+
 	do {
 		err = nfs4_handle_exception(NFS_SERVER(dir),
 				_nfs4_proc_symlink(dir, dentry, page,
 							len, sattr, label),
 				&exception);
 	} while (exception.retry);
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (label)
+		security_release_secctx(l.label, l.len);
+#endif
 	return err;
 }
 
@@ -3439,6 +3525,15 @@ static int nfs4_proc_mkdir(struct inode *dir, struct dentry *dentry,
 	struct nfs4_label l, *label = NULL;
 	int err;
 
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (nfs_server_capable(dir, NFS_CAP_SECURITY_LABEL)) {
+		err = security_dentry_init_security(dentry, sattr->ia_mode,
+					&dentry->d_name, &l.label, &l.len);
+		if (err == 0)
+			label = &l;
+	}
+#endif
+
 	sattr->ia_mode &= ~current_umask();
 	do {
 		err = nfs4_handle_exception(NFS_SERVER(dir),
@@ -3446,6 +3541,10 @@ static int nfs4_proc_mkdir(struct inode *dir, struct dentry *dentry,
 				&exception);
 	} while (exception.retry);
 	return err;
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (label)
+		security_release_secctx(l.label, l.len);
+#endif
 }
 
 static int _nfs4_proc_readdir(struct dentry *dentry, struct rpc_cred *cred,
@@ -3460,7 +3559,9 @@ static int _nfs4_proc_readdir(struct dentry *dentry, struct rpc_cred *cred,
 		.bitmask = NFS_SERVER(dentry->d_inode)->attr_bitmask,
 		.plus = plus,
 	};
-	struct nfs4_readdir_res res;
+	struct nfs4_readdir_res res = {
+		.pgbase = 0,
+	};
 	struct rpc_message msg = {
 		.rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_READDIR],
 		.rpc_argp = &args,
@@ -3543,12 +3644,25 @@ static int nfs4_proc_mknod(struct inode *dir, struct dentry *dentry,
 	struct nfs4_label l, *label = NULL;
 	int err;
 
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (nfs_server_capable(dir, NFS_CAP_SECURITY_LABEL)) {
+		err = security_dentry_init_security(dentry, sattr->ia_mode,
+					&dentry->d_name, &l.label, &l.len);
+		if (err == 0)
+			label = &l;
+	}
+#endif
+
 	sattr->ia_mode &= ~current_umask();
 	do {
 		err = nfs4_handle_exception(NFS_SERVER(dir),
 				_nfs4_proc_mknod(dir, dentry, sattr, label, rdev),
 				&exception);
 	} while (exception.retry);
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (label)
+		security_release_secctx(l.label, l.len);
+#endif
 	return err;
 }
 
@@ -3766,7 +3880,11 @@ static void nfs4_proc_write_setup(struct nfs_write_data *data, struct rpc_messag
 		data->args.bitmask = NULL;
 		data->res.fattr = NULL;
 	} else
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+		data->args.bitmask = server->cache_consistency_bitmask_nl;
+#else
 		data->args.bitmask = server->cache_consistency_bitmask;
+#endif
 
 	if (!data->write_done_cb)
 		data->write_done_cb = nfs4_write_done_cb;
@@ -4190,6 +4308,182 @@ static int nfs4_proc_set_acl(struct inode *inode, const void *buf, size_t buflen
 	return err;
 }
 
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+static int _nfs4_get_security_label(struct inode *inode, void *buf,
+					size_t buflen)
+{
+	struct nfs_server *server = NFS_SERVER(inode);
+	struct nfs_fattr fattr;
+	struct nfs4_label label;
+	u32 bitmask[3] = { 0, 0, FATTR4_WORD2_SECURITY_LABEL };
+	struct nfs4_getattr_arg args = {
+		.fh		= NFS_FH(inode),
+		.bitmask	= bitmask,
+	};
+	struct nfs4_getattr_res res = {
+		.fattr		= &fattr,
+		.label		= &label,
+		.server		= server,
+	};
+	struct rpc_message msg = {
+		.rpc_proc	= &nfs4_procedures[NFSPROC4_CLNT_GETATTR],
+		.rpc_argp	= &args,
+		.rpc_resp	= &res,
+	};
+	int ret;
+
+	label.label = buf;
+	label.len = buflen;
+	nfs_fattr_init(&fattr);
+
+	ret = rpc_call_sync(server->client, &msg, 0);
+	if (ret)
+		return ret;
+	if (!(fattr.valid & NFS_ATTR_FATTR_V4_SECURITY_LABEL))
+		return -ENOENT;
+	if (buflen < label.len)
+		return -ERANGE;
+	return 0;
+}
+
+static int nfs4_get_security_label(struct inode *inode, void *buf,
+					size_t buflen)
+{
+	struct nfs4_exception exception = { };
+	int err;
+
+	if (!nfs_server_capable(inode, NFS_CAP_SECURITY_LABEL))
+		return -EOPNOTSUPP;
+
+	do {
+		err = nfs4_handle_exception(NFS_SERVER(inode),
+				_nfs4_get_security_label(inode, buf, buflen),
+				&exception);
+	} while (exception.retry);
+	return err;
+}
+
+static int _nfs4_do_set_security_label(struct inode *inode,
+		struct nfs4_label *ilabel,
+		struct nfs_fattr *fattr,
+		struct nfs4_label *olabel,
+		struct nfs4_state *state)
+{
+
+	struct iattr sattr;
+	struct nfs_server *server = NFS_SERVER(inode);
+	const u32 bitmask[3] = { 0, 0, FATTR4_WORD2_SECURITY_LABEL };
+	struct nfs_setattrargs args = {
+		.fh             = NFS_FH(inode),
+		.iap            = &sattr,
+		.server		= server,
+		.bitmask	= bitmask,
+		.label		= ilabel,
+	};
+	struct nfs_setattrres res = {
+		.fattr		= fattr,
+		.label		= olabel,
+		.server		= server,
+	};
+	struct rpc_message msg = {
+		.rpc_proc       = &nfs4_procedures[NFSPROC4_CLNT_SETATTR],
+		.rpc_argp       = &args,
+		.rpc_resp       = &res,
+	};
+	unsigned long timestamp = jiffies;
+	int status;
+
+	memset(&sattr, 0, sizeof(struct iattr));
+
+	if (state != NULL) {
+		struct nfs_lockowner lockowner = {
+			.l_owner = current->files,
+			.l_pid = current->tgid,
+		};
+
+		msg.rpc_cred = state->owner->so_cred;
+		nfs4_select_rw_stateid(&args.stateid, state, FMODE_WRITE,
+				&lockowner);
+	} else if (nfs4_copy_delegation_stateid(&args.stateid, inode,
+				FMODE_WRITE)) {
+		/* Use that stateid */
+	} else
+		nfs4_stateid_copy(&args.stateid, &zero_stateid);
+
+	status = rpc_call_sync(server->client, &msg, 0);
+	if (status == 0 && state != NULL)
+		renew_lease(server, timestamp);
+	return status;
+}
+
+static int nfs4_do_set_security_label(struct inode *inode,
+		struct nfs4_label *ilabel,
+		struct nfs_fattr *fattr,
+		struct nfs4_label *olabel,
+		struct nfs4_state *state)
+{
+	struct nfs4_exception exception = { };
+	int err;
+
+	do {
+		err = nfs4_handle_exception(NFS_SERVER(inode),
+				_nfs4_do_set_security_label(inode, ilabel,
+				fattr, olabel, state),
+				&exception);
+	} while (exception.retry);
+	return err;
+}
+
+	static int
+nfs4_set_security_label(struct dentry *dentry, const void *buf, size_t buflen)
+{
+	struct nfs4_label ilabel, *olabel = NULL;
+	struct nfs_fattr fattr;
+	struct rpc_cred *cred;
+	struct nfs_open_context *ctx;
+	struct nfs4_state *state = NULL;
+	struct inode *inode = dentry->d_inode;
+	int status;
+
+	if (!nfs_server_capable(inode, NFS_CAP_SECURITY_LABEL))
+		return -EOPNOTSUPP;
+
+	nfs_fattr_init(&fattr);
+
+	ilabel.pi = 0;
+	ilabel.lfs = 0;
+	ilabel.label = (char *)buf;
+	ilabel.len = buflen;
+
+	cred = rpc_lookup_cred();
+	if (IS_ERR(cred))
+		return PTR_ERR(cred);
+
+	olabel = nfs4_label_alloc(GFP_KERNEL);
+	if (olabel == NULL) {
+		status = -ENOMEM;
+		goto out;
+	}
+
+	/* Search for an existing open(O_WRITE) file */
+	ctx = nfs_find_open_context(inode, cred, FMODE_WRITE);
+	if (ctx != NULL)
+		state = ctx->state;
+
+	status = nfs4_do_set_security_label(inode, &ilabel, &fattr, olabel,
+						state);
+	if (status == 0)
+		nfs_setsecurity(inode, &fattr, olabel);
+	if (ctx != NULL)
+		put_nfs_open_context(ctx);
+	nfs4_label_free(olabel);
+out:
+	put_rpccred(cred);
+	return status;
+}
+#endif	/* CONFIG_NFS_V4_SECURITY_LABEL */
+
+
 static int
 nfs4_async_handle_error(struct rpc_task *task, const struct nfs_server *server, struct nfs4_state *state)
 {
@@ -4480,7 +4774,7 @@ static int _nfs4_proc_delegreturn(struct inode *inode, struct rpc_cred *cred, co
 	nfs41_init_sequence(&data->args.seq_args, &data->res.seq_res, 1);
 	data->args.fhandle = &data->fh;
 	data->args.stateid = &data->stateid;
-	data->args.bitmask = server->cache_consistency_bitmask;
+	data->args.bitmask = server->cache_consistency_bitmask_nl;
 	nfs_copy_fh(&data->fh, NFS_FH(inode));
 	nfs4_stateid_copy(&data->stateid, stateid);
 	data->res.fattr = &data->fattr;
diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c
index 146d4d3..db57d72 100644
--- a/fs/nfs/nfs4xdr.c
+++ b/fs/nfs/nfs4xdr.c
@@ -101,12 +101,19 @@ static int nfs4_stat_to_errno(int);
 #define nfs4_path_maxsz		(1 + ((3 + NFS4_MAXPATHLEN) >> 2))
 #define nfs4_owner_maxsz	(1 + XDR_QUADLEN(IDMAP_NAMESZ))
 #define nfs4_group_maxsz	(1 + XDR_QUADLEN(IDMAP_NAMESZ))
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+/* PI(4 bytes) + LFS(4 bytes) + 1(for null terminator?) + MAXLABELLEN */
+#define	nfs4_label_maxsz	(4 + 4 + 1 + XDR_QUADLEN(NFS4_MAXLABELLEN))
+#else
+#define	nfs4_label_maxsz	0
+#endif
 /* We support only one layout type per file system */
 #define decode_mdsthreshold_maxsz (1 + 1 + nfs4_fattr_bitmap_maxsz + 1 + 8)
 /* This is based on getfattr, which uses the most attributes: */
 #define nfs4_fattr_value_maxsz	(1 + (1 + 2 + 2 + 4 + 2 + 1 + 1 + 2 + 2 + \
 				3 + 3 + 3 + nfs4_owner_maxsz + \
-				nfs4_group_maxsz + decode_mdsthreshold_maxsz))
+				nfs4_group_maxsz + nfs4_label_maxsz + \
+				 decode_mdsthreshold_maxsz))
 #define nfs4_fattr_maxsz	(nfs4_fattr_bitmap_maxsz + \
 				nfs4_fattr_value_maxsz)
 #define decode_getattr_maxsz    (op_decode_hdr_maxsz + nfs4_fattr_maxsz)
@@ -114,6 +121,7 @@ static int nfs4_stat_to_errno(int);
 				 1 + 2 + 1 + \
 				nfs4_owner_maxsz + \
 				nfs4_group_maxsz + \
+				nfs4_label_maxsz + \
 				4 + 4)
 #define encode_savefh_maxsz     (op_encode_hdr_maxsz)
 #define decode_savefh_maxsz     (op_decode_hdr_maxsz)
@@ -191,9 +199,11 @@ static int nfs4_stat_to_errno(int);
 				 encode_stateid_maxsz + 3)
 #define decode_read_maxsz	(op_decode_hdr_maxsz + 2)
 #define encode_readdir_maxsz	(op_encode_hdr_maxsz + \
-				 2 + encode_verifier_maxsz + 5)
+				 2 + encode_verifier_maxsz + 5 + \
+				nfs4_label_maxsz)
 #define decode_readdir_maxsz	(op_decode_hdr_maxsz + \
-				 decode_verifier_maxsz)
+				 decode_verifier_maxsz + \
+				nfs4_label_maxsz + nfs4_fattr_maxsz)
 #define encode_readlink_maxsz	(op_encode_hdr_maxsz)
 #define decode_readlink_maxsz	(op_decode_hdr_maxsz + 1)
 #define encode_write_maxsz	(op_encode_hdr_maxsz + \
@@ -969,7 +979,9 @@ static void encode_nfs4_verifier(struct xdr_stream *xdr, const nfs4_verifier *ve
 	encode_opaque_fixed(xdr, verf->data, NFS4_VERIFIER_SIZE);
 }
 
-static void encode_attrs(struct xdr_stream *xdr, const struct iattr *iap, const struct nfs_server *server)
+static void encode_attrs(struct xdr_stream *xdr, const struct iattr *iap,
+				const struct nfs4_label *label,
+				const struct nfs_server *server)
 {
 	char owner_name[IDMAP_NAMESZ];
 	char owner_group[IDMAP_NAMESZ];
@@ -1019,6 +1031,10 @@ static void encode_attrs(struct xdr_stream *xdr, const struct iattr *iap, const
 		}
 		len += 4 + (XDR_QUADLEN(owner_grouplen) << 2);
 	}
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (label)
+		len += 4 + 4 + 4 + (XDR_QUADLEN(label->len) << 2);
+#endif
 	if (iap->ia_valid & ATTR_ATIME_SET)
 		len += 16;
 	else if (iap->ia_valid & ATTR_ATIME)
@@ -1075,6 +1091,15 @@ static void encode_attrs(struct xdr_stream *xdr, const struct iattr *iap, const
 		bmval1 |= FATTR4_WORD1_TIME_MODIFY_SET;
 		*p++ = cpu_to_be32(NFS4_SET_TO_SERVER_TIME);
 	}
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (label) {
+		bmval2 |= FATTR4_WORD2_SECURITY_LABEL;
+		*p++ = cpu_to_be32(label->lfs);
+		*p++ = cpu_to_be32(label->pi);
+		*p++ = cpu_to_be32(label->len);
+		p = xdr_encode_opaque_fixed(p, label->label, label->len);
+	}
+#endif
 
 	/*
 	 * Now we backfill the bitmap and the attribute buffer length.
@@ -1141,7 +1166,7 @@ static void encode_create(struct xdr_stream *xdr, const struct nfs4_create_arg *
 	}
 
 	encode_string(xdr, create->name->len, create->name->name);
-	encode_attrs(xdr, create->attrs, create->server);
+	encode_attrs(xdr, create->attrs, create->label, create->server);
 }
 
 static void encode_getattr_one(struct xdr_stream *xdr, uint32_t bitmap, struct compound_hdr *hdr)
@@ -1374,21 +1399,23 @@ static inline void encode_createmode(struct xdr_stream *xdr, const struct nfs_op
 	switch(arg->open_flags & O_EXCL) {
 	case 0:
 		*p = cpu_to_be32(NFS4_CREATE_UNCHECKED);
-		encode_attrs(xdr, arg->u.attrs, arg->server);
+		encode_attrs(xdr, arg->u.attrs, arg->label, arg->server);
 		break;
 	default:
 		clp = arg->server->nfs_client;
 		if (clp->cl_mvops->minor_version > 0) {
 			if (nfs4_has_persistent_session(clp)) {
 				*p = cpu_to_be32(NFS4_CREATE_GUARDED);
-				encode_attrs(xdr, arg->u.attrs, arg->server);
+				encode_attrs(xdr, arg->u.attrs, arg->label,
+						arg->server);
 			} else {
 				struct iattr dummy;
 
 				*p = cpu_to_be32(NFS4_CREATE_EXCLUSIVE4_1);
 				encode_nfs4_verifier(xdr, &arg->u.verifier);
 				dummy.ia_valid = 0;
-				encode_attrs(xdr, &dummy, arg->server);
+				encode_attrs(xdr, &dummy, arg->label,
+						arg->server);
 			}
 		} else {
 			*p = cpu_to_be32(NFS4_CREATE_EXCLUSIVE);
@@ -1568,20 +1595,43 @@ static void encode_readdir(struct xdr_stream *xdr, const struct nfs4_readdir_arg
 	encode_op_hdr(xdr, OP_READDIR, decode_readdir_maxsz, hdr);
 	encode_uint64(xdr, readdir->cookie);
 	encode_nfs4_verifier(xdr, &readdir->verifier);
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	p = reserve_space(xdr, 24);
+#else
 	p = reserve_space(xdr, 20);
+#endif
 	*p++ = cpu_to_be32(dircount);
 	*p++ = cpu_to_be32(readdir->count);
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	*p++ = cpu_to_be32(3);
+#else
 	*p++ = cpu_to_be32(2);
-
+#endif
 	*p++ = cpu_to_be32(attrs[0] & readdir->bitmask[0]);
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	*p++ = cpu_to_be32(attrs[1] & readdir->bitmask[1]);
+	*p = cpu_to_be32(readdir->bitmask[2]);
+#else
 	*p = cpu_to_be32(attrs[1] & readdir->bitmask[1]);
+#endif
 	memcpy(verf, readdir->verifier.data, sizeof(verf));
-	dprintk("%s: cookie = %Lu, verifier = %08x:%08x, bitmap = %08x:%08x\n",
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	dprintk("%s: cookie = %llu, verifier = %08x:%08x, bitmap = %08x:%08x:%08x\n",
+			__func__,
+			(unsigned long long)readdir->cookie,
+			verf[0], verf[1],
+			attrs[0] & readdir->bitmask[0],
+			attrs[1] & readdir->bitmask[1],
+			readdir->bitmask[2]);
+#else
+	dprintk("%s: cookie = %llu, verifier = %08x:%08x, bitmap = %08x:%08x\n",
 			__func__,
 			(unsigned long long)readdir->cookie,
 			verf[0], verf[1],
 			attrs[0] & readdir->bitmask[0],
 			attrs[1] & readdir->bitmask[1]);
+#endif
+
 }
 
 static void encode_readlink(struct xdr_stream *xdr, const struct nfs4_readlink *readlink, struct rpc_rqst *req, struct compound_hdr *hdr)
@@ -1641,7 +1691,7 @@ static void encode_setattr(struct xdr_stream *xdr, const struct nfs_setattrargs
 {
 	encode_op_hdr(xdr, OP_SETATTR, decode_setattr_maxsz, hdr);
 	encode_nfs4_stateid(xdr, &arg->stateid);
-	encode_attrs(xdr, arg->iap, server);
+	encode_attrs(xdr, arg->iap, arg->label, server);
 }
 
 static void encode_setclientid(struct xdr_stream *xdr, const struct nfs4_setclientid *setclientid, struct compound_hdr *hdr)
@@ -4060,6 +4110,67 @@ static int decode_attr_time_delta(struct xdr_stream *xdr, uint32_t *bitmap,
 	return status;
 }
 
+static int decode_attr_security_label(struct xdr_stream *xdr, uint32_t *bitmap,
+					struct nfs4_label *label)
+{
+	uint32_t pi = 0;
+	uint32_t lfs = 0;
+	__u32 len;
+	__be32 *p;
+	int status = 0;
+
+	if (unlikely(bitmap[2] & (FATTR4_WORD2_SECURITY_LABEL - 1U)))
+		return -EIO;
+	if (likely(bitmap[2] & FATTR4_WORD2_SECURITY_LABEL)) {
+		p = xdr_inline_decode(xdr, 4);
+		if (unlikely(!p))
+			goto out_overflow;
+		lfs = be32_to_cpup(p++);
+		p = xdr_inline_decode(xdr, 4);
+		if (unlikely(!p))
+			goto out_overflow;
+		pi = be32_to_cpup(p++);
+		p = xdr_inline_decode(xdr, 4);
+		if (unlikely(!p))
+			goto out_overflow;
+		len = be32_to_cpup(p++);
+		p = xdr_inline_decode(xdr, len);
+		if (unlikely(!p))
+			goto out_overflow;
+		if (len < XDR_MAX_NETOBJ) {
+			if (label) {
+				nfs4_label_init(label);
+				if (label->len < len) {
+					printk(KERN_ERR
+						"%s(): label->len %d < len %d\n",
+						__func__, label->len, len);
+				} else {
+					memcpy(label->label, p, len);
+					label->len = len;
+					label->pi = pi;
+					label->lfs = lfs;
+					status = NFS_ATTR_FATTR_V4_SECURITY_LABEL;
+				}
+			} else {
+				printk("%s(): NULL label.\n", __func__);
+				dump_stack();
+				goto out_overflow;
+			}
+			bitmap[2] &= ~FATTR4_WORD2_SECURITY_LABEL;
+		} else
+			printk(KERN_WARNING "%s: label too long (%u)!\n",
+					__func__, len);
+	}
+	if (label && label->label)
+		dprintk("%s: label=%s, len=%d, PI=%d, LFS=%d\n", __func__,
+			label->label, label->len, label->pi, label->lfs);
+	return status;
+
+out_overflow:
+	print_overflow_msg(__func__, xdr);
+	return -EIO;
+}
+
 static int decode_attr_time_modify(struct xdr_stream *xdr, uint32_t *bitmap, struct timespec *time)
 {
 	int status = 0;
@@ -4402,7 +4513,7 @@ out_overflow:
 
 static int decode_getfattr_attrs(struct xdr_stream *xdr, uint32_t *bitmap,
 		struct nfs_fattr *fattr, struct nfs_fh *fh,
-		struct nfs4_fs_locations *fs_loc,
+		struct nfs4_fs_locations *fs_loc, struct nfs4_label *label,
 		const struct nfs_server *server)
 {
 	int status;
@@ -4510,6 +4621,11 @@ static int decode_getfattr_attrs(struct xdr_stream *xdr, uint32_t *bitmap,
 	if (status < 0)
 		goto xdr_error;
 
+	status = decode_attr_security_label(xdr, bitmap, label);
+	if (status < 0)
+		goto xdr_error;
+	fattr->valid |= status;
+
 xdr_error:
 	dprintk("%s: xdr returned %d\n", __func__, -status);
 	return status;
@@ -4517,7 +4633,7 @@ xdr_error:
 
 static int decode_getfattr_generic(struct xdr_stream *xdr, struct nfs_fattr *fattr,
 		struct nfs_fh *fh, struct nfs4_fs_locations *fs_loc,
-		const struct nfs_server *server)
+		struct nfs4_label *label, const struct nfs_server *server)
 {
 	unsigned int savep;
 	uint32_t attrlen,
@@ -4536,7 +4652,8 @@ static int decode_getfattr_generic(struct xdr_stream *xdr, struct nfs_fattr *fat
 	if (status < 0)
 		goto xdr_error;
 
-	status = decode_getfattr_attrs(xdr, bitmap, fattr, fh, fs_loc, server);
+	status = decode_getfattr_attrs(xdr, bitmap, fattr, fh, fs_loc,
+					label, server);
 	if (status < 0)
 		goto xdr_error;
 
@@ -4547,9 +4664,9 @@ xdr_error:
 }
 
 static int decode_getfattr(struct xdr_stream *xdr, struct nfs_fattr *fattr,
-		const struct nfs_server *server)
+		struct nfs4_label *label, const struct nfs_server *server)
 {
-	return decode_getfattr_generic(xdr, fattr, NULL, NULL, server);
+	return decode_getfattr_generic(xdr, fattr, NULL, NULL, label, server);
 }
 
 /*
@@ -5881,7 +5998,7 @@ static int nfs4_xdr_dec_open_downgrade(struct rpc_rqst *rqstp,
 	status = decode_open_downgrade(xdr, res);
 	if (status != 0)
 		goto out;
-	decode_getfattr(xdr, res->fattr, res->server);
+	decode_getfattr(xdr, res->fattr, res->label, res->server);
 out:
 	return status;
 }
@@ -5907,7 +6024,7 @@ static int nfs4_xdr_dec_access(struct rpc_rqst *rqstp, struct xdr_stream *xdr,
 	status = decode_access(xdr, &res->supported, &res->access);
 	if (status != 0)
 		goto out;
-	decode_getfattr(xdr, res->fattr, res->server);
+	decode_getfattr(xdr, res->fattr, res->label, res->server);
 out:
 	return status;
 }
@@ -5936,7 +6053,7 @@ static int nfs4_xdr_dec_lookup(struct rpc_rqst *rqstp, struct xdr_stream *xdr,
 	status = decode_getfh(xdr, res->fh);
 	if (status)
 		goto out;
-	status = decode_getfattr(xdr, res->fattr, res->server);
+	status = decode_getfattr(xdr, res->fattr, res->label, res->server);
 out:
 	return status;
 }
@@ -5962,7 +6079,8 @@ static int nfs4_xdr_dec_lookup_root(struct rpc_rqst *rqstp,
 		goto out;
 	status = decode_getfh(xdr, res->fh);
 	if (status == 0)
-		status = decode_getfattr(xdr, res->fattr, res->server);
+		status = decode_getfattr(xdr, res->fattr,
+						res->label, res->server);
 out:
 	return status;
 }
@@ -6053,7 +6171,7 @@ static int nfs4_xdr_dec_link(struct rpc_rqst *rqstp, struct xdr_stream *xdr,
 	status = decode_restorefh(xdr);
 	if (status)
 		goto out;
-	decode_getfattr(xdr, res->fattr, res->server);
+	decode_getfattr(xdr, res->fattr, res->label, res->server);
 out:
 	return status;
 }
@@ -6082,7 +6200,7 @@ static int nfs4_xdr_dec_create(struct rpc_rqst *rqstp, struct xdr_stream *xdr,
 	status = decode_getfh(xdr, res->fh);
 	if (status)
 		goto out;
-	decode_getfattr(xdr, res->fattr, res->server);
+	decode_getfattr(xdr, res->fattr, res->label, res->server);
 out:
 	return status;
 }
@@ -6114,7 +6232,7 @@ static int nfs4_xdr_dec_getattr(struct rpc_rqst *rqstp, struct xdr_stream *xdr,
 	status = decode_putfh(xdr);
 	if (status)
 		goto out;
-	status = decode_getfattr(xdr, res->fattr, res->server);
+	status = decode_getfattr(xdr, res->fattr, res->label, res->server);
 out:
 	return status;
 }
@@ -6216,7 +6334,7 @@ static int nfs4_xdr_dec_close(struct rpc_rqst *rqstp, struct xdr_stream *xdr,
 	 * 	an ESTALE error. Shouldn't be a problem,
 	 * 	though, since fattr->valid will remain unset.
 	 */
-	decode_getfattr(xdr, res->fattr, res->server);
+	decode_getfattr(xdr, res->fattr, res->label, res->server);
 out:
 	return status;
 }
@@ -6247,7 +6365,7 @@ static int nfs4_xdr_dec_open(struct rpc_rqst *rqstp, struct xdr_stream *xdr,
 		goto out;
 	if (res->access_request)
 		decode_access(xdr, &res->access_supported, &res->access_result);
-	decode_getfattr(xdr, res->f_attr, res->server);
+	decode_getfattr(xdr, res->f_attr, res->f_label, res->server);
 out:
 	return status;
 }
@@ -6297,7 +6415,7 @@ static int nfs4_xdr_dec_open_noattr(struct rpc_rqst *rqstp,
 		goto out;
 	if (res->access_request)
 		decode_access(xdr, &res->access_supported, &res->access_result);
-	decode_getfattr(xdr, res->f_attr, res->server);
+	decode_getfattr(xdr, res->f_attr, NULL, res->server);
 out:
 	return status;
 }
@@ -6324,7 +6442,7 @@ static int nfs4_xdr_dec_setattr(struct rpc_rqst *rqstp,
 	status = decode_setattr(xdr);
 	if (status)
 		goto out;
-	decode_getfattr(xdr, res->fattr, res->server);
+	decode_getfattr(xdr, res->fattr, res->label, res->server);
 out:
 	return status;
 }
@@ -6504,7 +6622,7 @@ static int nfs4_xdr_dec_write(struct rpc_rqst *rqstp, struct xdr_stream *xdr,
 	if (status)
 		goto out;
 	if (res->fattr)
-		decode_getfattr(xdr, res->fattr, res->server);
+		decode_getfattr(xdr, res->fattr, NULL, res->server);
 	if (!status)
 		status = res->count;
 out:
@@ -6685,7 +6803,7 @@ static int nfs4_xdr_dec_delegreturn(struct rpc_rqst *rqstp,
 	status = decode_putfh(xdr);
 	if (status != 0)
 		goto out;
-	status = decode_getfattr(xdr, res->fattr, res->server);
+	status = decode_getfattr(xdr, res->fattr, res->label, res->server);
 	if (status != 0)
 		goto out;
 	status = decode_delegreturn(xdr);
@@ -6718,7 +6836,7 @@ static int nfs4_xdr_dec_fs_locations(struct rpc_rqst *req,
 	xdr_enter_page(xdr, PAGE_SIZE);
 	status = decode_getfattr_generic(xdr, &res->fs_locations->fattr,
 					 NULL, res->fs_locations,
-					 res->fs_locations->server);
+					 NULL, res->fs_locations->server);
 out:
 	return status;
 }
@@ -6999,7 +7117,7 @@ static int nfs4_xdr_dec_layoutcommit(struct rpc_rqst *rqstp,
 	status = decode_layoutcommit(xdr, rqstp, res);
 	if (status)
 		goto out;
-	decode_getfattr(xdr, res->fattr, res->server);
+	decode_getfattr(xdr, res->fattr, NULL, res->server);
 out:
 	return status;
 }
@@ -7131,7 +7249,7 @@ int nfs4_decode_dirent(struct xdr_stream *xdr, struct nfs_entry *entry,
 		goto out_overflow;
 
 	if (decode_getfattr_attrs(xdr, bitmap, entry->fattr, entry->fh,
-				  NULL, entry->server) < 0)
+			NULL, entry->label, entry->server) < 0)
 		goto out_overflow;
 	if (entry->fattr->valid & NFS_ATTR_FATTR_MOUNTED_ON_FILEID)
 		entry->ino = entry->fattr->mounted_on_fileid;
diff --git a/fs/nfs/super.c b/fs/nfs/super.c
index f4e13c3..3828ba6 100644
--- a/fs/nfs/super.c
+++ b/fs/nfs/super.c
@@ -2357,8 +2357,23 @@ static int nfs_bdi_register(struct nfs_server *server)
 int nfs_set_sb_security(struct super_block *s, struct dentry *mntroot,
 			struct nfs_mount_info *mount_info)
 {
-	return security_sb_set_mnt_opts(s, &mount_info->parsed->lsm_opts,
-								0, NULL);
+	int error;
+	unsigned long kflags = 0, kflags_out = 0;
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (NFS_SB(s)->caps & NFS_CAP_SECURITY_LABEL)
+		kflags |= SECURITY_LSM_NATIVE_LABELS;
+#endif
+	error = security_sb_set_mnt_opts(s, &mount_info->parsed->lsm_opts,
+						kflags, &kflags_out);
+	if (error)
+		goto err;
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	if (NFS_SB(s)->caps & NFS_CAP_SECURITY_LABEL &&
+		!(kflags_out & SECURITY_LSM_NATIVE_LABELS))
+		NFS_SB(s)->caps &= ~NFS_CAP_SECURITY_LABEL;
+#endif
+err:
+	return error;
 }
 EXPORT_SYMBOL_GPL(nfs_set_sb_security);
 
diff --git a/include/linux/nfs_fs.h b/include/linux/nfs_fs.h
index c8ace0d..2ef01f8 100644
--- a/include/linux/nfs_fs.h
+++ b/include/linux/nfs_fs.h
@@ -199,6 +199,7 @@ struct nfs_inode {
 #define NFS_INO_INVALID_ACL	0x0010		/* cached acls are invalid */
 #define NFS_INO_REVAL_PAGECACHE	0x0020		/* must revalidate pagecache */
 #define NFS_INO_REVAL_FORCED	0x0040		/* force revalidation ignoring a delegation */
+#define NFS_INO_INVALID_LABEL	0x0080		/* cached label is invalid */
 
 /*
  * Bit offsets in flags field
@@ -344,6 +345,8 @@ extern int __nfs_revalidate_inode(struct nfs_server *, struct inode *);
 extern int nfs_revalidate_mapping(struct inode *inode, struct address_space *mapping);
 extern int nfs_setattr(struct dentry *, struct iattr *);
 extern void nfs_setattr_update_inode(struct inode *inode, struct iattr *attr);
+extern void nfs_setsecurity(struct inode *inode, struct nfs_fattr *fattr,
+				struct nfs4_label *label);
 extern struct nfs_open_context *get_nfs_open_context(struct nfs_open_context *ctx);
 extern void put_nfs_open_context(struct nfs_open_context *ctx);
 extern struct nfs_open_context *nfs_find_open_context(struct inode *inode, struct rpc_cred *cred, fmode_t mode);
diff --git a/include/linux/nfs_fs_sb.h b/include/linux/nfs_fs_sb.h
index 383fe9c..ac07d98 100644
--- a/include/linux/nfs_fs_sb.h
+++ b/include/linux/nfs_fs_sb.h
@@ -145,11 +145,18 @@ struct nfs_server {
 	u32			attr_bitmask[3];/* V4 bitmask representing the set
 						   of attributes supported on this
 						   filesystem */
+	u32			attr_bitmask_nl[3];
+						/* V4 bitmask representing the
+						   set of attributes supported
+						   on this filesystem excluding
+						   the label support bit. */
 	u32			cache_consistency_bitmask[3];
 						/* V4 bitmask representing the subset
 						   of change attribute, size, ctime
 						   and mtime attributes supported by
 						   the server */
+	u32			cache_consistency_bitmask_nl[3];
+						/* As above, excluding label. */
 	u32			acl_bitmask;	/* V4 bitmask representing the ACEs
 						   that are supported on this
 						   filesystem */
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 8f233ff..3e1b84d 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2876,7 +2876,10 @@ static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
 		return;
 	}
 
+	isec->sclass = inode_mode_to_security_class(inode->i_mode);
 	isec->sid = newsid;
+	isec->initialized = 1;
+
 	return;
 }
 
@@ -2964,6 +2967,7 @@ static int selinux_inode_setsecurity(struct inode *inode, const char *name,
 	if (rc)
 		return rc;
 
+	isec->sclass = inode_mode_to_security_class(inode->i_mode);
 	isec->sid = newsid;
 	isec->initialized = 1;
 	return 0;
-- 
1.7.11.7


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[PATCH 12/13] NFS: Extend NFS xattr handlers to accept the security namespace

[David Quigley]

From: David Quigley <dpquigl@davequigley.com>

The existing NFSv4 xattr handlers do not accept xattr calls to the security
namespace. This patch extends these handlers to accept xattrs from the security
namespace in addition to the default NFSv4 ACL namespace.

Signed-off-by: Matthew N. Dodd <Matthew.Dodd@sparta.com>
Signed-off-by: Miguel Rodel Felipe <Rodel_FM@dsi.a-star.edu.sg>
Signed-off-by: Phua Eu Gene <PHUA_Eu_Gene@dsi.a-star.edu.sg>
Signed-off-by: Khin Mi Mi Aung <Mi_Mi_AUNG@dsi.a-star.edu.sg>
Signed-off-by: David Quigley <dpquigl@davequigley.com>
---
 fs/nfs/nfs4proc.c   | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
 security/security.c |  1 +
 2 files changed, 51 insertions(+)

diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
index 77d1a29..2c8dd55 100644
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -5632,6 +5632,53 @@ static size_t nfs4_xattr_list_nfs4_acl(struct dentry *dentry, char *list,
 	return len;
 }
 
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+static inline int nfs4_server_supports_labels(struct nfs_server *server)
+{
+	return server->caps & NFS_CAP_SECURITY_LABEL;
+}
+
+static int nfs4_xattr_set_nfs4_label(struct dentry *dentry, const char *key,
+				   const void *buf, size_t buflen,
+				   int flags, int type)
+{
+	if (security_ismaclabel(key))
+		return nfs4_set_security_label(dentry, buf, buflen);
+
+	return -EOPNOTSUPP;
+}
+
+static int nfs4_xattr_get_nfs4_label(struct dentry *dentry, const char *key,
+				   void *buf, size_t buflen, int type)
+{
+	if (security_ismaclabel(key))
+		return nfs4_get_security_label(dentry->d_inode, buf, buflen);
+	return -EOPNOTSUPP;
+}
+
+static size_t nfs4_xattr_list_nfs4_label(struct dentry *dentry, char *list,
+				       size_t list_len, const char *name,
+				       size_t name_len, int type)
+{
+	size_t len = 0;
+
+	if (nfs_server_capable(dentry->d_inode, NFS_CAP_SECURITY_LABEL)) {
+		len = security_inode_listsecurity(dentry->d_inode, NULL, 0);
+		if (list && len <= list_len)
+			security_inode_listsecurity(dentry->d_inode, list, len);
+	}
+	return len;
+}
+
+static const struct xattr_handler nfs4_xattr_nfs4_label_handler = {
+	.prefix = XATTR_SECURITY_PREFIX,
+	.list	= nfs4_xattr_list_nfs4_label,
+	.get	= nfs4_xattr_get_nfs4_label,
+	.set	= nfs4_xattr_set_nfs4_label,
+};
+#endif
+
+
 /*
  * nfs_fhget will use either the mounted_on_fileid or the fileid
  */
@@ -7590,6 +7637,9 @@ static const struct xattr_handler nfs4_xattr_nfs4_acl_handler = {
 
 const struct xattr_handler *nfs4_xattr_handlers[] = {
 	&nfs4_xattr_nfs4_acl_handler,
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	&nfs4_xattr_nfs4_label_handler,
+#endif
 	NULL
 };
 
diff --git a/security/security.c b/security/security.c
index 60a6017..310362b 100644
--- a/security/security.c
+++ b/security/security.c
@@ -660,6 +660,7 @@ int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer
 		return 0;
 	return security_ops->inode_listsecurity(inode, buffer, buffer_size);
 }
+EXPORT_SYMBOL(security_inode_listsecurity);
 
 void security_inode_getsecid(const struct inode *inode, u32 *secid)
 {
-- 
1.7.11.7

[PATCH 12/13] NFS: Extend NFS xattr handlers to accept the security namespace

[David Quigley]

From: David Quigley <dpquigl@davequigley.com>

The existing NFSv4 xattr handlers do not accept xattr calls to the security
namespace. This patch extends these handlers to accept xattrs from the security
namespace in addition to the default NFSv4 ACL namespace.

Signed-off-by: Matthew N. Dodd <Matthew.Dodd@sparta.com>
Signed-off-by: Miguel Rodel Felipe <Rodel_FM@dsi.a-star.edu.sg>
Signed-off-by: Phua Eu Gene <PHUA_Eu_Gene@dsi.a-star.edu.sg>
Signed-off-by: Khin Mi Mi Aung <Mi_Mi_AUNG@dsi.a-star.edu.sg>
Signed-off-by: David Quigley <dpquigl@davequigley.com>
---
 fs/nfs/nfs4proc.c   | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
 security/security.c |  1 +
 2 files changed, 51 insertions(+)

diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
index 77d1a29..2c8dd55 100644
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -5632,6 +5632,53 @@ static size_t nfs4_xattr_list_nfs4_acl(struct dentry *dentry, char *list,
 	return len;
 }
 
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+static inline int nfs4_server_supports_labels(struct nfs_server *server)
+{
+	return server->caps & NFS_CAP_SECURITY_LABEL;
+}
+
+static int nfs4_xattr_set_nfs4_label(struct dentry *dentry, const char *key,
+				   const void *buf, size_t buflen,
+				   int flags, int type)
+{
+	if (security_ismaclabel(key))
+		return nfs4_set_security_label(dentry, buf, buflen);
+
+	return -EOPNOTSUPP;
+}
+
+static int nfs4_xattr_get_nfs4_label(struct dentry *dentry, const char *key,
+				   void *buf, size_t buflen, int type)
+{
+	if (security_ismaclabel(key))
+		return nfs4_get_security_label(dentry->d_inode, buf, buflen);
+	return -EOPNOTSUPP;
+}
+
+static size_t nfs4_xattr_list_nfs4_label(struct dentry *dentry, char *list,
+				       size_t list_len, const char *name,
+				       size_t name_len, int type)
+{
+	size_t len = 0;
+
+	if (nfs_server_capable(dentry->d_inode, NFS_CAP_SECURITY_LABEL)) {
+		len = security_inode_listsecurity(dentry->d_inode, NULL, 0);
+		if (list && len <= list_len)
+			security_inode_listsecurity(dentry->d_inode, list, len);
+	}
+	return len;
+}
+
+static const struct xattr_handler nfs4_xattr_nfs4_label_handler = {
+	.prefix = XATTR_SECURITY_PREFIX,
+	.list	= nfs4_xattr_list_nfs4_label,
+	.get	= nfs4_xattr_get_nfs4_label,
+	.set	= nfs4_xattr_set_nfs4_label,
+};
+#endif
+
+
 /*
  * nfs_fhget will use either the mounted_on_fileid or the fileid
  */
@@ -7590,6 +7637,9 @@ static const struct xattr_handler nfs4_xattr_nfs4_acl_handler = {
 
 const struct xattr_handler *nfs4_xattr_handlers[] = {
 	&nfs4_xattr_nfs4_acl_handler,
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+	&nfs4_xattr_nfs4_label_handler,
+#endif
 	NULL
 };
 
diff --git a/security/security.c b/security/security.c
index 60a6017..310362b 100644
--- a/security/security.c
+++ b/security/security.c
@@ -660,6 +660,7 @@ int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer
 		return 0;
 	return security_ops->inode_listsecurity(inode, buffer, buffer_size);
 }
+EXPORT_SYMBOL(security_inode_listsecurity);
 
 void security_inode_getsecid(const struct inode *inode, u32 *secid)
 {
-- 
1.7.11.7


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[PATCH 13/13] NFSD: Server implementation of MAC Labeling

[David Quigley]

From: David Quigley <dpquigl@davequigley.com>

This patch adds the ability to encode and decode file labels on the server for
the purpose of sending them to the client and also to process label change
requests from the client.

Signed-off-by: Matthew N. Dodd <Matthew.Dodd@sparta.com>
Signed-off-by: Miguel Rodel Felipe <Rodel_FM@dsi.a-star.edu.sg>
Signed-off-by: Phua Eu Gene <PHUA_Eu_Gene@dsi.a-star.edu.sg>
Signed-off-by: Khin Mi Mi Aung <Mi_Mi_AUNG@dsi.a-star.edu.sg>
Signed-off-by: David Quigley <dpquigl@davequigley.com>
---
 fs/nfsd/export.c   |   3 ++
 fs/nfsd/nfs4proc.c |  33 +++++++++++++++
 fs/nfsd/nfs4xdr.c  | 121 ++++++++++++++++++++++++++++++++++++++++++++++++++---
 fs/nfsd/vfs.c      |  31 ++++++++++++++
 fs/nfsd/vfs.h      |   2 +
 5 files changed, 184 insertions(+), 6 deletions(-)

diff --git a/fs/nfsd/export.c b/fs/nfsd/export.c
index a3946cf..251eca7 100644
--- a/fs/nfsd/export.c
+++ b/fs/nfsd/export.c
@@ -1112,6 +1112,9 @@ static struct flags {
 	{ NFSEXP_ASYNC, {"async", "sync"}},
 	{ NFSEXP_GATHERED_WRITES, {"wdelay", "no_wdelay"}},
 	{ NFSEXP_NOHIDE, {"nohide", ""}},
+#ifdef CONFIG_NFSD_V4_SECURITY_LABEL
+	{ NFSEXP_SECURITY_LABEL, {"security_label", ""}},
+#endif
 	{ NFSEXP_CROSSMOUNT, {"crossmnt", ""}},
 	{ NFSEXP_NOSUBTREECHECK, {"no_subtree_check", ""}},
 	{ NFSEXP_NOAUTHNLM, {"insecure_locks", ""}},
diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
index 6c9a4b2..8e9c17c 100644
--- a/fs/nfsd/nfs4proc.c
+++ b/fs/nfsd/nfs4proc.c
@@ -41,6 +41,10 @@
 #include "vfs.h"
 #include "current_stateid.h"
 
+#ifdef CONFIG_NFSD_V4_SECURITY_LABEL
+#include <linux/security.h>
+#endif
+
 #define NFSDDBG_FACILITY		NFSDDBG_PROC
 
 static u32 nfsd_attrmask[] = {
@@ -228,6 +232,18 @@ do_open_lookup(struct svc_rqst *rqstp, struct svc_fh *current_fh, struct nfsd4_o
 					(u32 *)open->op_verf.data,
 					&open->op_truncate, &open->op_created);
 
+#ifdef CONFIG_NFSD_V4_SECURITY_LABEL
+		if (!status && open->op_label != NULL) {
+			struct inode *inode = resfh->fh_dentry->d_inode;
+
+			mutex_lock(&inode->i_mutex);
+			/* Is it appropriate to just kick back an error? */
+			status = security_inode_setsecctx(resfh->fh_dentry,
+					open->op_label->label, open->op_label->len);
+			mutex_unlock(&inode->i_mutex);
+		}
+#endif
+
 		/*
 		 * Following rfc 3530 14.2.16, use the returned bitmask
 		 * to indicate which attributes we used to store the
@@ -588,6 +604,18 @@ nfsd4_create(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
 		status = nfserr_badtype;
 	}
 
+#ifdef CONFIG_NFSD_V4_SECURITY_LABEL
+	if (!status && create->cr_label != NULL) {
+		struct inode *inode = resfh.fh_dentry->d_inode;
+
+		mutex_lock(&inode->i_mutex);
+		/* Is it appropriate to just kick back an error? */
+		status = security_inode_setsecctx(resfh.fh_dentry,
+				create->cr_label->label, create->cr_label->len);
+		mutex_unlock(&inode->i_mutex);
+	}
+#endif
+
 	if (status)
 		goto out;
 
@@ -869,6 +897,11 @@ nfsd4_setattr(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
 					    setattr->sa_acl);
 	if (status)
 		goto out;
+	if (setattr->sa_label != NULL)
+		status = nfsd4_set_nfs4_label(rqstp, &cstate->current_fh,
+				setattr->sa_label);
+	if (status)
+		goto out;
 	status = nfsd_setattr(rqstp, &cstate->current_fh, &setattr->sa_iattr,
 				0, (time_t)0);
 out:
diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
index fd548d1..58e205c 100644
--- a/fs/nfsd/nfs4xdr.c
+++ b/fs/nfsd/nfs4xdr.c
@@ -54,6 +54,11 @@
 #include "state.h"
 #include "cache.h"
 
+#ifdef CONFIG_NFSD_V4_SECURITY_LABEL
+#include <linux/security.h>
+#endif
+
+
 #define NFSDDBG_FACILITY		NFSDDBG_XDR
 
 /*
@@ -241,7 +246,8 @@ nfsd4_decode_bitmap(struct nfsd4_compoundargs *argp, u32 *bmval)
 
 static __be32
 nfsd4_decode_fattr(struct nfsd4_compoundargs *argp, u32 *bmval,
-		   struct iattr *iattr, struct nfs4_acl **acl)
+		   struct iattr *iattr, struct nfs4_acl **acl,
+		   struct nfs4_label **label)
 {
 	int expected_len, len = 0;
 	u32 dummy32;
@@ -385,6 +391,50 @@ nfsd4_decode_fattr(struct nfsd4_compoundargs *argp, u32 *bmval,
 			goto xdr_error;
 		}
 	}
+#ifdef CONFIG_NFSD_V4_SECURITY_LABEL
+	if (bmval[2] & FATTR4_WORD2_SECURITY_LABEL) {
+		uint32_t pi;
+		uint32_t lfs;
+
+		READ_BUF(4);
+		len += 4;
+		READ32(lfs);
+		READ_BUF(4);
+		len += 4;
+		READ32(pi);
+		READ_BUF(4);
+		len += 4;
+		READ32(dummy32);
+		READ_BUF(dummy32);
+		len += (XDR_QUADLEN(dummy32) << 2);
+		READMEM(buf, dummy32);
+
+		if (dummy32 > NFS4_MAXLABELLEN)
+			return nfserr_resource;
+
+		*label = kzalloc(sizeof(struct nfs4_label), GFP_KERNEL);
+		if (*label == NULL) {
+			host_err = -ENOMEM;
+			goto out_nfserr;
+		}
+
+		(*label)->label = kmalloc(dummy32 + 1, GFP_KERNEL);
+		if ((*label)->label == NULL) {
+			host_err = -ENOMEM;
+			kfree(*label);
+			goto out_nfserr;
+		}
+
+		(*label)->len = dummy32;
+		memcpy((*label)->label, buf, dummy32);
+		((char *)(*label)->label)[dummy32] = '\0';
+		(*label)->pi = pi;
+		(*label)->lfs = lfs;
+
+		defer_free(argp, kfree, (*label)->label);
+		defer_free(argp, kfree, *label);
+	}
+#endif
 	if (bmval[0] & ~NFSD_WRITEABLE_ATTRS_WORD0
 	    || bmval[1] & ~NFSD_WRITEABLE_ATTRS_WORD1
 	    || bmval[2] & ~NFSD_WRITEABLE_ATTRS_WORD2)
@@ -494,7 +544,7 @@ nfsd4_decode_create(struct nfsd4_compoundargs *argp, struct nfsd4_create *create
 		return status;
 
 	status = nfsd4_decode_fattr(argp, create->cr_bmval, &create->cr_iattr,
-				    &create->cr_acl);
+				    &create->cr_acl, &create->cr_label);
 	if (status)
 		goto out;
 
@@ -744,7 +794,7 @@ nfsd4_decode_open(struct nfsd4_compoundargs *argp, struct nfsd4_open *open)
 		case NFS4_CREATE_UNCHECKED:
 		case NFS4_CREATE_GUARDED:
 			status = nfsd4_decode_fattr(argp, open->op_bmval,
-				&open->op_iattr, &open->op_acl);
+				&open->op_iattr, &open->op_acl, &open->op_label);
 			if (status)
 				goto out;
 			break;
@@ -758,7 +808,7 @@ nfsd4_decode_open(struct nfsd4_compoundargs *argp, struct nfsd4_open *open)
 			READ_BUF(NFS4_VERIFIER_SIZE);
 			COPYMEM(open->op_verf.data, NFS4_VERIFIER_SIZE);
 			status = nfsd4_decode_fattr(argp, open->op_bmval,
-				&open->op_iattr, &open->op_acl);
+				&open->op_iattr, &open->op_acl, &open->op_label);
 			if (status)
 				goto out;
 			break;
@@ -981,7 +1031,7 @@ nfsd4_decode_setattr(struct nfsd4_compoundargs *argp, struct nfsd4_setattr *seta
 	if (status)
 		return status;
 	return nfsd4_decode_fattr(argp, setattr->sa_bmval, &setattr->sa_iattr,
-				  &setattr->sa_acl);
+				  &setattr->sa_acl, &setattr->sa_label);
 }
 
 static __be32
@@ -1045,7 +1095,7 @@ nfsd4_decode_verify(struct nfsd4_compoundargs *argp, struct nfsd4_verify *verify
 	 * nfsd4_proc_verify; however we still decode here just to return
 	 * correct error in case of bad xdr. */
 #if 0
-	status = nfsd4_decode_fattr(ve_bmval, &ve_iattr, &ve_acl);
+	status = nfsd4_decode_fattr(ve_bmval, &ve_iattr, &ve_acl, &ve_label);
 	if (status == nfserr_inval) {
 		status = nfserrno(status);
 		goto out;
@@ -1998,6 +2048,47 @@ nfsd4_encode_aclname(struct svc_rqst *rqstp, int whotype, uid_t id, int group,
 			      FATTR4_WORD0_RDATTR_ERROR)
 #define WORD1_ABSENT_FS_ATTRS FATTR4_WORD1_MOUNTED_ON_FILEID
 
+#ifdef CONFIG_NFSD_V4_SECURITY_LABEL
+	static inline __be32
+nfsd4_encode_security_label(struct svc_rqst *rqstp, struct dentry *dentry, __be32 **pp, int *buflen)
+{
+	void *context;
+	int err;
+	int len;
+	uint32_t pi = 0;
+	uint32_t lfs = 0;
+	__be32 *p = *pp;
+
+	err = 0;
+	(void)security_inode_getsecctx(dentry->d_inode, &context, &len);
+	if (len < 0)
+		return nfserrno(len);
+
+	if (*buflen < ((XDR_QUADLEN(len) << 2) + 4 + 4 + 4)) {
+		err = nfserr_resource;
+		goto out;
+	}
+
+	/* XXX: A call to the translation code should be placed here
+	 * for now send 0  until we have that to indicate the null
+	 * translation */ 
+
+	if ((*buflen -= 4) < 0)
+		return nfserr_resource;
+
+	WRITE32(lfs);	
+	WRITE32(pi);
+	p = xdr_encode_opaque(p, context, len);
+	*buflen -= (XDR_QUADLEN(len) << 2) + 4;
+	BUG_ON(*buflen < 0);
+
+	*pp = p;
+out:
+	security_release_secctx(context, len);
+	return err;
+}
+#endif
+
 static __be32 fattr_handle_absent_fs(u32 *bmval0, u32 *bmval1, u32 *rdattr_err)
 {
 	/* As per referral draft:  */
@@ -2122,6 +2213,14 @@ nfsd4_encode_fattr(struct svc_fh *fhp, struct svc_export *exp,
 
 		if (!aclsupport)
 			word0 &= ~FATTR4_WORD0_ACL;
+#ifdef CONFIG_NFSD_V4_SECURITY_LABEL
+		if (exp->ex_flags & NFSEXP_SECURITY_LABEL)
+			word2 |= FATTR4_WORD2_SECURITY_LABEL;
+		else
+			word2 &= ~FATTR4_WORD2_SECURITY_LABEL;
+#else
+		word2 &= ~FATTR4_WORD2_SECURITY_LABEL;
+#endif
 		if (!word2) {
 			if ((buflen -= 12) < 0)
 				goto out_resource;
@@ -2444,6 +2543,16 @@ out_acl:
 		}
 		WRITE64(stat.ino);
 	}
+#ifdef CONFIG_NFSD_V4_SECURITY_LABEL
+	if (bmval2 & FATTR4_WORD2_SECURITY_LABEL) {
+		status = nfsd4_encode_security_label(rqstp, dentry,
+				&p, &buflen);
+		if (status == nfserr_resource)
+			goto out_resource;
+		if (status)
+			goto out;
+	}
+#endif
 	if (bmval2 & FATTR4_WORD2_SUPPATTR_EXCLCREAT) {
 		WRITE32(3);
 		WRITE32(NFSD_SUPPATTR_EXCLCREAT_WORD0);
diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
index c120b48..717fb60 100644
--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -28,6 +28,7 @@
 #include <asm/uaccess.h>
 #include <linux/exportfs.h>
 #include <linux/writeback.h>
+#include <linux/security.h>
 
 #ifdef CONFIG_NFSD_V3
 #include "xdr3.h"
@@ -621,6 +622,36 @@ int nfsd4_is_junction(struct dentry *dentry)
 		return 0;
 	return 1;
 }
+
+#ifdef CONFIG_NFSD_V4_SECURITY_LABEL
+__be32 nfsd4_set_nfs4_label(struct svc_rqst *rqstp, struct svc_fh *fhp,
+		struct nfs4_label *label)
+{
+	__be32 error;
+	int host_error;
+	struct dentry *dentry;
+
+	/* Get inode */
+	/* XXX: should we have a MAY_SSECCTX? */
+	error = fh_verify(rqstp, fhp, 0 /* S_IFREG */, NFSD_MAY_SATTR);
+	if (error)
+		return error;
+
+	dentry = fhp->fh_dentry;
+
+	mutex_lock(&dentry->d_inode->i_mutex);
+	host_error = security_inode_setsecctx(dentry, label->label, label->len);
+	mutex_unlock(&dentry->d_inode->i_mutex);
+	return nfserrno(host_error);
+}
+#else
+__be32 nfsd4_set_nfs4_label(struct svc_rqst *rqstp, struct svc_fh *fhp,
+		struct nfs4_label *label)
+{
+	return -EOPNOTSUPP;
+}
+#endif
+
 #endif /* defined(CONFIG_NFSD_V4) */
 
 #ifdef CONFIG_NFSD_V3
diff --git a/fs/nfsd/vfs.h b/fs/nfsd/vfs.h
index 359594c..49c6cc0 100644
--- a/fs/nfsd/vfs.h
+++ b/fs/nfsd/vfs.h
@@ -55,6 +55,8 @@ int nfsd_mountpoint(struct dentry *, struct svc_export *);
 __be32          nfsd4_set_nfs4_acl(struct svc_rqst *, struct svc_fh *,
                     struct nfs4_acl *);
 int             nfsd4_get_nfs4_acl(struct svc_rqst *, struct dentry *, struct nfs4_acl **);
+__be32          nfsd4_set_nfs4_label(struct svc_rqst *, struct svc_fh *,
+		    struct nfs4_label *);
 #endif /* CONFIG_NFSD_V4 */
 __be32		nfsd_create(struct svc_rqst *, struct svc_fh *,
 				char *name, int len, struct iattr *attrs,
-- 
1.7.11.7

[PATCH 13/13] NFSD: Server implementation of MAC Labeling

[David Quigley]

From: David Quigley <dpquigl@davequigley.com>

This patch adds the ability to encode and decode file labels on the server for
the purpose of sending them to the client and also to process label change
requests from the client.

Signed-off-by: Matthew N. Dodd <Matthew.Dodd@sparta.com>
Signed-off-by: Miguel Rodel Felipe <Rodel_FM@dsi.a-star.edu.sg>
Signed-off-by: Phua Eu Gene <PHUA_Eu_Gene@dsi.a-star.edu.sg>
Signed-off-by: Khin Mi Mi Aung <Mi_Mi_AUNG@dsi.a-star.edu.sg>
Signed-off-by: David Quigley <dpquigl@davequigley.com>
---
 fs/nfsd/export.c   |   3 ++
 fs/nfsd/nfs4proc.c |  33 +++++++++++++++
 fs/nfsd/nfs4xdr.c  | 121 ++++++++++++++++++++++++++++++++++++++++++++++++++---
 fs/nfsd/vfs.c      |  31 ++++++++++++++
 fs/nfsd/vfs.h      |   2 +
 5 files changed, 184 insertions(+), 6 deletions(-)

diff --git a/fs/nfsd/export.c b/fs/nfsd/export.c
index a3946cf..251eca7 100644
--- a/fs/nfsd/export.c
+++ b/fs/nfsd/export.c
@@ -1112,6 +1112,9 @@ static struct flags {
 	{ NFSEXP_ASYNC, {"async", "sync"}},
 	{ NFSEXP_GATHERED_WRITES, {"wdelay", "no_wdelay"}},
 	{ NFSEXP_NOHIDE, {"nohide", ""}},
+#ifdef CONFIG_NFSD_V4_SECURITY_LABEL
+	{ NFSEXP_SECURITY_LABEL, {"security_label", ""}},
+#endif
 	{ NFSEXP_CROSSMOUNT, {"crossmnt", ""}},
 	{ NFSEXP_NOSUBTREECHECK, {"no_subtree_check", ""}},
 	{ NFSEXP_NOAUTHNLM, {"insecure_locks", ""}},
diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
index 6c9a4b2..8e9c17c 100644
--- a/fs/nfsd/nfs4proc.c
+++ b/fs/nfsd/nfs4proc.c
@@ -41,6 +41,10 @@
 #include "vfs.h"
 #include "current_stateid.h"
 
+#ifdef CONFIG_NFSD_V4_SECURITY_LABEL
+#include <linux/security.h>
+#endif
+
 #define NFSDDBG_FACILITY		NFSDDBG_PROC
 
 static u32 nfsd_attrmask[] = {
@@ -228,6 +232,18 @@ do_open_lookup(struct svc_rqst *rqstp, struct svc_fh *current_fh, struct nfsd4_o
 					(u32 *)open->op_verf.data,
 					&open->op_truncate, &open->op_created);
 
+#ifdef CONFIG_NFSD_V4_SECURITY_LABEL
+		if (!status && open->op_label != NULL) {
+			struct inode *inode = resfh->fh_dentry->d_inode;
+
+			mutex_lock(&inode->i_mutex);
+			/* Is it appropriate to just kick back an error? */
+			status = security_inode_setsecctx(resfh->fh_dentry,
+					open->op_label->label, open->op_label->len);
+			mutex_unlock(&inode->i_mutex);
+		}
+#endif
+
 		/*
 		 * Following rfc 3530 14.2.16, use the returned bitmask
 		 * to indicate which attributes we used to store the
@@ -588,6 +604,18 @@ nfsd4_create(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
 		status = nfserr_badtype;
 	}
 
+#ifdef CONFIG_NFSD_V4_SECURITY_LABEL
+	if (!status && create->cr_label != NULL) {
+		struct inode *inode = resfh.fh_dentry->d_inode;
+
+		mutex_lock(&inode->i_mutex);
+		/* Is it appropriate to just kick back an error? */
+		status = security_inode_setsecctx(resfh.fh_dentry,
+				create->cr_label->label, create->cr_label->len);
+		mutex_unlock(&inode->i_mutex);
+	}
+#endif
+
 	if (status)
 		goto out;
 
@@ -869,6 +897,11 @@ nfsd4_setattr(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
 					    setattr->sa_acl);
 	if (status)
 		goto out;
+	if (setattr->sa_label != NULL)
+		status = nfsd4_set_nfs4_label(rqstp, &cstate->current_fh,
+				setattr->sa_label);
+	if (status)
+		goto out;
 	status = nfsd_setattr(rqstp, &cstate->current_fh, &setattr->sa_iattr,
 				0, (time_t)0);
 out:
diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
index fd548d1..58e205c 100644
--- a/fs/nfsd/nfs4xdr.c
+++ b/fs/nfsd/nfs4xdr.c
@@ -54,6 +54,11 @@
 #include "state.h"
 #include "cache.h"
 
+#ifdef CONFIG_NFSD_V4_SECURITY_LABEL
+#include <linux/security.h>
+#endif
+
+
 #define NFSDDBG_FACILITY		NFSDDBG_XDR
 
 /*
@@ -241,7 +246,8 @@ nfsd4_decode_bitmap(struct nfsd4_compoundargs *argp, u32 *bmval)
 
 static __be32
 nfsd4_decode_fattr(struct nfsd4_compoundargs *argp, u32 *bmval,
-		   struct iattr *iattr, struct nfs4_acl **acl)
+		   struct iattr *iattr, struct nfs4_acl **acl,
+		   struct nfs4_label **label)
 {
 	int expected_len, len = 0;
 	u32 dummy32;
@@ -385,6 +391,50 @@ nfsd4_decode_fattr(struct nfsd4_compoundargs *argp, u32 *bmval,
 			goto xdr_error;
 		}
 	}
+#ifdef CONFIG_NFSD_V4_SECURITY_LABEL
+	if (bmval[2] & FATTR4_WORD2_SECURITY_LABEL) {
+		uint32_t pi;
+		uint32_t lfs;
+
+		READ_BUF(4);
+		len += 4;
+		READ32(lfs);
+		READ_BUF(4);
+		len += 4;
+		READ32(pi);
+		READ_BUF(4);
+		len += 4;
+		READ32(dummy32);
+		READ_BUF(dummy32);
+		len += (XDR_QUADLEN(dummy32) << 2);
+		READMEM(buf, dummy32);
+
+		if (dummy32 > NFS4_MAXLABELLEN)
+			return nfserr_resource;
+
+		*label = kzalloc(sizeof(struct nfs4_label), GFP_KERNEL);
+		if (*label == NULL) {
+			host_err = -ENOMEM;
+			goto out_nfserr;
+		}
+
+		(*label)->label = kmalloc(dummy32 + 1, GFP_KERNEL);
+		if ((*label)->label == NULL) {
+			host_err = -ENOMEM;
+			kfree(*label);
+			goto out_nfserr;
+		}
+
+		(*label)->len = dummy32;
+		memcpy((*label)->label, buf, dummy32);
+		((char *)(*label)->label)[dummy32] = '\0';
+		(*label)->pi = pi;
+		(*label)->lfs = lfs;
+
+		defer_free(argp, kfree, (*label)->label);
+		defer_free(argp, kfree, *label);
+	}
+#endif
 	if (bmval[0] & ~NFSD_WRITEABLE_ATTRS_WORD0
 	    || bmval[1] & ~NFSD_WRITEABLE_ATTRS_WORD1
 	    || bmval[2] & ~NFSD_WRITEABLE_ATTRS_WORD2)
@@ -494,7 +544,7 @@ nfsd4_decode_create(struct nfsd4_compoundargs *argp, struct nfsd4_create *create
 		return status;
 
 	status = nfsd4_decode_fattr(argp, create->cr_bmval, &create->cr_iattr,
-				    &create->cr_acl);
+				    &create->cr_acl, &create->cr_label);
 	if (status)
 		goto out;
 
@@ -744,7 +794,7 @@ nfsd4_decode_open(struct nfsd4_compoundargs *argp, struct nfsd4_open *open)
 		case NFS4_CREATE_UNCHECKED:
 		case NFS4_CREATE_GUARDED:
 			status = nfsd4_decode_fattr(argp, open->op_bmval,
-				&open->op_iattr, &open->op_acl);
+				&open->op_iattr, &open->op_acl, &open->op_label);
 			if (status)
 				goto out;
 			break;
@@ -758,7 +808,7 @@ nfsd4_decode_open(struct nfsd4_compoundargs *argp, struct nfsd4_open *open)
 			READ_BUF(NFS4_VERIFIER_SIZE);
 			COPYMEM(open->op_verf.data, NFS4_VERIFIER_SIZE);
 			status = nfsd4_decode_fattr(argp, open->op_bmval,
-				&open->op_iattr, &open->op_acl);
+				&open->op_iattr, &open->op_acl, &open->op_label);
 			if (status)
 				goto out;
 			break;
@@ -981,7 +1031,7 @@ nfsd4_decode_setattr(struct nfsd4_compoundargs *argp, struct nfsd4_setattr *seta
 	if (status)
 		return status;
 	return nfsd4_decode_fattr(argp, setattr->sa_bmval, &setattr->sa_iattr,
-				  &setattr->sa_acl);
+				  &setattr->sa_acl, &setattr->sa_label);
 }
 
 static __be32
@@ -1045,7 +1095,7 @@ nfsd4_decode_verify(struct nfsd4_compoundargs *argp, struct nfsd4_verify *verify
 	 * nfsd4_proc_verify; however we still decode here just to return
 	 * correct error in case of bad xdr. */
 #if 0
-	status = nfsd4_decode_fattr(ve_bmval, &ve_iattr, &ve_acl);
+	status = nfsd4_decode_fattr(ve_bmval, &ve_iattr, &ve_acl, &ve_label);
 	if (status == nfserr_inval) {
 		status = nfserrno(status);
 		goto out;
@@ -1998,6 +2048,47 @@ nfsd4_encode_aclname(struct svc_rqst *rqstp, int whotype, uid_t id, int group,
 			      FATTR4_WORD0_RDATTR_ERROR)
 #define WORD1_ABSENT_FS_ATTRS FATTR4_WORD1_MOUNTED_ON_FILEID
 
+#ifdef CONFIG_NFSD_V4_SECURITY_LABEL
+	static inline __be32
+nfsd4_encode_security_label(struct svc_rqst *rqstp, struct dentry *dentry, __be32 **pp, int *buflen)
+{
+	void *context;
+	int err;
+	int len;
+	uint32_t pi = 0;
+	uint32_t lfs = 0;
+	__be32 *p = *pp;
+
+	err = 0;
+	(void)security_inode_getsecctx(dentry->d_inode, &context, &len);
+	if (len < 0)
+		return nfserrno(len);
+
+	if (*buflen < ((XDR_QUADLEN(len) << 2) + 4 + 4 + 4)) {
+		err = nfserr_resource;
+		goto out;
+	}
+
+	/* XXX: A call to the translation code should be placed here
+	 * for now send 0  until we have that to indicate the null
+	 * translation */ 
+
+	if ((*buflen -= 4) < 0)
+		return nfserr_resource;
+
+	WRITE32(lfs);	
+	WRITE32(pi);
+	p = xdr_encode_opaque(p, context, len);
+	*buflen -= (XDR_QUADLEN(len) << 2) + 4;
+	BUG_ON(*buflen < 0);
+
+	*pp = p;
+out:
+	security_release_secctx(context, len);
+	return err;
+}
+#endif
+
 static __be32 fattr_handle_absent_fs(u32 *bmval0, u32 *bmval1, u32 *rdattr_err)
 {
 	/* As per referral draft:  */
@@ -2122,6 +2213,14 @@ nfsd4_encode_fattr(struct svc_fh *fhp, struct svc_export *exp,
 
 		if (!aclsupport)
 			word0 &= ~FATTR4_WORD0_ACL;
+#ifdef CONFIG_NFSD_V4_SECURITY_LABEL
+		if (exp->ex_flags & NFSEXP_SECURITY_LABEL)
+			word2 |= FATTR4_WORD2_SECURITY_LABEL;
+		else
+			word2 &= ~FATTR4_WORD2_SECURITY_LABEL;
+#else
+		word2 &= ~FATTR4_WORD2_SECURITY_LABEL;
+#endif
 		if (!word2) {
 			if ((buflen -= 12) < 0)
 				goto out_resource;
@@ -2444,6 +2543,16 @@ out_acl:
 		}
 		WRITE64(stat.ino);
 	}
+#ifdef CONFIG_NFSD_V4_SECURITY_LABEL
+	if (bmval2 & FATTR4_WORD2_SECURITY_LABEL) {
+		status = nfsd4_encode_security_label(rqstp, dentry,
+				&p, &buflen);
+		if (status == nfserr_resource)
+			goto out_resource;
+		if (status)
+			goto out;
+	}
+#endif
 	if (bmval2 & FATTR4_WORD2_SUPPATTR_EXCLCREAT) {
 		WRITE32(3);
 		WRITE32(NFSD_SUPPATTR_EXCLCREAT_WORD0);
diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
index c120b48..717fb60 100644
--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -28,6 +28,7 @@
 #include <asm/uaccess.h>
 #include <linux/exportfs.h>
 #include <linux/writeback.h>
+#include <linux/security.h>
 
 #ifdef CONFIG_NFSD_V3
 #include "xdr3.h"
@@ -621,6 +622,36 @@ int nfsd4_is_junction(struct dentry *dentry)
 		return 0;
 	return 1;
 }
+
+#ifdef CONFIG_NFSD_V4_SECURITY_LABEL
+__be32 nfsd4_set_nfs4_label(struct svc_rqst *rqstp, struct svc_fh *fhp,
+		struct nfs4_label *label)
+{
+	__be32 error;
+	int host_error;
+	struct dentry *dentry;
+
+	/* Get inode */
+	/* XXX: should we have a MAY_SSECCTX? */
+	error = fh_verify(rqstp, fhp, 0 /* S_IFREG */, NFSD_MAY_SATTR);
+	if (error)
+		return error;
+
+	dentry = fhp->fh_dentry;
+
+	mutex_lock(&dentry->d_inode->i_mutex);
+	host_error = security_inode_setsecctx(dentry, label->label, label->len);
+	mutex_unlock(&dentry->d_inode->i_mutex);
+	return nfserrno(host_error);
+}
+#else
+__be32 nfsd4_set_nfs4_label(struct svc_rqst *rqstp, struct svc_fh *fhp,
+		struct nfs4_label *label)
+{
+	return -EOPNOTSUPP;
+}
+#endif
+
 #endif /* defined(CONFIG_NFSD_V4) */
 
 #ifdef CONFIG_NFSD_V3
diff --git a/fs/nfsd/vfs.h b/fs/nfsd/vfs.h
index 359594c..49c6cc0 100644
--- a/fs/nfsd/vfs.h
+++ b/fs/nfsd/vfs.h
@@ -55,6 +55,8 @@ int nfsd_mountpoint(struct dentry *, struct svc_export *);
 __be32          nfsd4_set_nfs4_acl(struct svc_rqst *, struct svc_fh *,
                     struct nfs4_acl *);
 int             nfsd4_get_nfs4_acl(struct svc_rqst *, struct dentry *, struct nfs4_acl **);
+__be32          nfsd4_set_nfs4_label(struct svc_rqst *, struct svc_fh *,
+		    struct nfs4_label *);
 #endif /* CONFIG_NFSD_V4 */
 __be32		nfsd_create(struct svc_rqst *, struct svc_fh *,
 				char *name, int len, struct iattr *attrs,
-- 
1.7.11.7


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH 13/13] NFSD: Server implementation of MAC Labeling

[J. Bruce Fields]

On Mon, Nov 12, 2012 at 01:15:47AM -0500, David Quigley wrote:
> From: David Quigley <dpquigl@davequigley.com>
> 
> This patch adds the ability to encode and decode file labels on the server for
> the purpose of sending them to the client and also to process label change
> requests from the client.

I started to compose a response to this one and then lost it; apologies
if I repeat myself anywhere:

> Signed-off-by: Matthew N. Dodd <Matthew.Dodd@sparta.com>
> Signed-off-by: Miguel Rodel Felipe <Rodel_FM@dsi.a-star.edu.sg>
> Signed-off-by: Phua Eu Gene <PHUA_Eu_Gene@dsi.a-star.edu.sg>
> Signed-off-by: Khin Mi Mi Aung <Mi_Mi_AUNG@dsi.a-star.edu.sg>
> Signed-off-by: David Quigley <dpquigl@davequigley.com>
> ---
>  fs/nfsd/export.c   |   3 ++
>  fs/nfsd/nfs4proc.c |  33 +++++++++++++++
>  fs/nfsd/nfs4xdr.c  | 121 ++++++++++++++++++++++++++++++++++++++++++++++++++---
>  fs/nfsd/vfs.c      |  31 ++++++++++++++
>  fs/nfsd/vfs.h      |   2 +
>  5 files changed, 184 insertions(+), 6 deletions(-)
> 
> diff --git a/fs/nfsd/export.c b/fs/nfsd/export.c
> index a3946cf..251eca7 100644
> --- a/fs/nfsd/export.c
> +++ b/fs/nfsd/export.c
> @@ -1112,6 +1112,9 @@ static struct flags {
>  	{ NFSEXP_ASYNC, {"async", "sync"}},
>  	{ NFSEXP_GATHERED_WRITES, {"wdelay", "no_wdelay"}},
>  	{ NFSEXP_NOHIDE, {"nohide", ""}},
> +#ifdef CONFIG_NFSD_V4_SECURITY_LABEL
> +	{ NFSEXP_SECURITY_LABEL, {"security_label", ""}},
> +#endif
>  	{ NFSEXP_CROSSMOUNT, {"crossmnt", ""}},
>  	{ NFSEXP_NOSUBTREECHECK, {"no_subtree_check", ""}},
>  	{ NFSEXP_NOAUTHNLM, {"insecure_locks", ""}},
> diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
> index 6c9a4b2..8e9c17c 100644
> --- a/fs/nfsd/nfs4proc.c
> +++ b/fs/nfsd/nfs4proc.c
> @@ -41,6 +41,10 @@
>  #include "vfs.h"
>  #include "current_stateid.h"
>  
> +#ifdef CONFIG_NFSD_V4_SECURITY_LABEL
> +#include <linux/security.h>
> +#endif
> +
>  #define NFSDDBG_FACILITY		NFSDDBG_PROC
>  
>  static u32 nfsd_attrmask[] = {
> @@ -228,6 +232,18 @@ do_open_lookup(struct svc_rqst *rqstp, struct svc_fh *current_fh, struct nfsd4_o
>  					(u32 *)open->op_verf.data,
>  					&open->op_truncate, &open->op_created);
>  
> +#ifdef CONFIG_NFSD_V4_SECURITY_LABEL

As before: could you grep for your new ifdef's and work out if they
could be removed or hidden away somehow?

> +		if (!status && open->op_label != NULL) {
> +			struct inode *inode = resfh->fh_dentry->d_inode;
> +
> +			mutex_lock(&inode->i_mutex);
> +			/* Is it appropriate to just kick back an error? */
> +			status = security_inode_setsecctx(resfh->fh_dentry,
> +					open->op_label->label, open->op_label->len);

Yes, it can cause problems if we fail the open *after* creating the
file.  Is this avoidable?  What would cause this call to fail?

> +			mutex_unlock(&inode->i_mutex);
> +		}
> +#endif
> +
>  		/*
>  		 * Following rfc 3530 14.2.16, use the returned bitmask
>  		 * to indicate which attributes we used to store the
> @@ -588,6 +604,18 @@ nfsd4_create(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
>  		status = nfserr_badtype;
>  	}
>  
> +#ifdef CONFIG_NFSD_V4_SECURITY_LABEL
> +	if (!status && create->cr_label != NULL) {
> +		struct inode *inode = resfh.fh_dentry->d_inode;
> +
> +		mutex_lock(&inode->i_mutex);
> +		/* Is it appropriate to just kick back an error? */
> +		status = security_inode_setsecctx(resfh.fh_dentry,
> +				create->cr_label->label, create->cr_label->len);
> +		mutex_unlock(&inode->i_mutex);
> +	}
> +#endif
> +
>  	if (status)
>  		goto out;
>  
> @@ -869,6 +897,11 @@ nfsd4_setattr(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
>  					    setattr->sa_acl);
>  	if (status)
>  		goto out;
> +	if (setattr->sa_label != NULL)
> +		status = nfsd4_set_nfs4_label(rqstp, &cstate->current_fh,
> +				setattr->sa_label);
> +	if (status)
> +		goto out;
>  	status = nfsd_setattr(rqstp, &cstate->current_fh, &setattr->sa_iattr,
>  				0, (time_t)0);
>  out:
> diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
> index fd548d1..58e205c 100644
> --- a/fs/nfsd/nfs4xdr.c
> +++ b/fs/nfsd/nfs4xdr.c
> @@ -54,6 +54,11 @@
>  #include "state.h"
>  #include "cache.h"
>  
> +#ifdef CONFIG_NFSD_V4_SECURITY_LABEL
> +#include <linux/security.h>
> +#endif
> +
> +
>  #define NFSDDBG_FACILITY		NFSDDBG_XDR
>  
>  /*
> @@ -241,7 +246,8 @@ nfsd4_decode_bitmap(struct nfsd4_compoundargs *argp, u32 *bmval)
>  
>  static __be32
>  nfsd4_decode_fattr(struct nfsd4_compoundargs *argp, u32 *bmval,
> -		   struct iattr *iattr, struct nfs4_acl **acl)
> +		   struct iattr *iattr, struct nfs4_acl **acl,
> +		   struct nfs4_label **label)
>  {
>  	int expected_len, len = 0;
>  	u32 dummy32;
> @@ -385,6 +391,50 @@ nfsd4_decode_fattr(struct nfsd4_compoundargs *argp, u32 *bmval,
>  			goto xdr_error;
>  		}
>  	}
> +#ifdef CONFIG_NFSD_V4_SECURITY_LABEL
> +	if (bmval[2] & FATTR4_WORD2_SECURITY_LABEL) {
> +		uint32_t pi;
> +		uint32_t lfs;
> +
> +		READ_BUF(4);
> +		len += 4;
> +		READ32(lfs);
> +		READ_BUF(4);
> +		len += 4;
> +		READ32(pi);
> +		READ_BUF(4);
> +		len += 4;
> +		READ32(dummy32);
> +		READ_BUF(dummy32);
> +		len += (XDR_QUADLEN(dummy32) << 2);
> +		READMEM(buf, dummy32);
> +
> +		if (dummy32 > NFS4_MAXLABELLEN)
> +			return nfserr_resource;
> +
> +		*label = kzalloc(sizeof(struct nfs4_label), GFP_KERNEL);
> +		if (*label == NULL) {
> +			host_err = -ENOMEM;
> +			goto out_nfserr;
> +		}
> +
> +		(*label)->label = kmalloc(dummy32 + 1, GFP_KERNEL);
> +		if ((*label)->label == NULL) {
> +			host_err = -ENOMEM;
> +			kfree(*label);
> +			goto out_nfserr;
> +		}
> +
> +		(*label)->len = dummy32;
> +		memcpy((*label)->label, buf, dummy32);
> +		((char *)(*label)->label)[dummy32] = '\0';
> +		(*label)->pi = pi;
> +		(*label)->lfs = lfs;
> +
> +		defer_free(argp, kfree, (*label)->label);
> +		defer_free(argp, kfree, *label);
> +	}
> +#endif
>  	if (bmval[0] & ~NFSD_WRITEABLE_ATTRS_WORD0
>  	    || bmval[1] & ~NFSD_WRITEABLE_ATTRS_WORD1
>  	    || bmval[2] & ~NFSD_WRITEABLE_ATTRS_WORD2)
> @@ -494,7 +544,7 @@ nfsd4_decode_create(struct nfsd4_compoundargs *argp, struct nfsd4_create *create
>  		return status;
>  
>  	status = nfsd4_decode_fattr(argp, create->cr_bmval, &create->cr_iattr,
> -				    &create->cr_acl);
> +				    &create->cr_acl, &create->cr_label);
>  	if (status)
>  		goto out;
>  
> @@ -744,7 +794,7 @@ nfsd4_decode_open(struct nfsd4_compoundargs *argp, struct nfsd4_open *open)
>  		case NFS4_CREATE_UNCHECKED:
>  		case NFS4_CREATE_GUARDED:
>  			status = nfsd4_decode_fattr(argp, open->op_bmval,
> -				&open->op_iattr, &open->op_acl);
> +				&open->op_iattr, &open->op_acl, &open->op_label);
>  			if (status)
>  				goto out;
>  			break;
> @@ -758,7 +808,7 @@ nfsd4_decode_open(struct nfsd4_compoundargs *argp, struct nfsd4_open *open)
>  			READ_BUF(NFS4_VERIFIER_SIZE);
>  			COPYMEM(open->op_verf.data, NFS4_VERIFIER_SIZE);
>  			status = nfsd4_decode_fattr(argp, open->op_bmval,
> -				&open->op_iattr, &open->op_acl);
> +				&open->op_iattr, &open->op_acl, &open->op_label);
>  			if (status)
>  				goto out;
>  			break;
> @@ -981,7 +1031,7 @@ nfsd4_decode_setattr(struct nfsd4_compoundargs *argp, struct nfsd4_setattr *seta
>  	if (status)
>  		return status;
>  	return nfsd4_decode_fattr(argp, setattr->sa_bmval, &setattr->sa_iattr,
> -				  &setattr->sa_acl);
> +				  &setattr->sa_acl, &setattr->sa_label);
>  }
>  
>  static __be32
> @@ -1045,7 +1095,7 @@ nfsd4_decode_verify(struct nfsd4_compoundargs *argp, struct nfsd4_verify *verify
>  	 * nfsd4_proc_verify; however we still decode here just to return
>  	 * correct error in case of bad xdr. */
>  #if 0
> -	status = nfsd4_decode_fattr(ve_bmval, &ve_iattr, &ve_acl);
> +	status = nfsd4_decode_fattr(ve_bmval, &ve_iattr, &ve_acl, &ve_label);
>  	if (status == nfserr_inval) {
>  		status = nfserrno(status);
>  		goto out;
> @@ -1998,6 +2048,47 @@ nfsd4_encode_aclname(struct svc_rqst *rqstp, int whotype, uid_t id, int group,
>  			      FATTR4_WORD0_RDATTR_ERROR)
>  #define WORD1_ABSENT_FS_ATTRS FATTR4_WORD1_MOUNTED_ON_FILEID
>  
> +#ifdef CONFIG_NFSD_V4_SECURITY_LABEL
> +	static inline __be32
> +nfsd4_encode_security_label(struct svc_rqst *rqstp, struct dentry *dentry, __be32 **pp, int *buflen)
> +{
> +	void *context;
> +	int err;
> +	int len;
> +	uint32_t pi = 0;
> +	uint32_t lfs = 0;
> +	__be32 *p = *pp;
> +
> +	err = 0;
> +	(void)security_inode_getsecctx(dentry->d_inode, &context, &len);
> +	if (len < 0)
> +		return nfserrno(len);
> +
> +	if (*buflen < ((XDR_QUADLEN(len) << 2) + 4 + 4 + 4)) {
> +		err = nfserr_resource;
> +		goto out;
> +	}
> +
> +	/* XXX: A call to the translation code should be placed here
> +	 * for now send 0  until we have that to indicate the null
> +	 * translation */ 
> +
> +	if ((*buflen -= 4) < 0)
> +		return nfserr_resource;
> +
> +	WRITE32(lfs);	

Watch for odd whitespace.

> +	WRITE32(pi);
> +	p = xdr_encode_opaque(p, context, len);
> +	*buflen -= (XDR_QUADLEN(len) << 2) + 4;
> +	BUG_ON(*buflen < 0);

I'd rather lose the BUG_ON before we merge.

> +
> +	*pp = p;
> +out:
> +	security_release_secctx(context, len);
> +	return err;
> +}
> +#endif
> +
>  static __be32 fattr_handle_absent_fs(u32 *bmval0, u32 *bmval1, u32 *rdattr_err)
>  {
>  	/* As per referral draft:  */
> @@ -2122,6 +2213,14 @@ nfsd4_encode_fattr(struct svc_fh *fhp, struct svc_export *exp,
>  
>  		if (!aclsupport)
>  			word0 &= ~FATTR4_WORD0_ACL;
> +#ifdef CONFIG_NFSD_V4_SECURITY_LABEL
> +		if (exp->ex_flags & NFSEXP_SECURITY_LABEL)
> +			word2 |= FATTR4_WORD2_SECURITY_LABEL;
> +		else
> +			word2 &= ~FATTR4_WORD2_SECURITY_LABEL;
> +#else
> +		word2 &= ~FATTR4_WORD2_SECURITY_LABEL;
> +#endif
>  		if (!word2) {
>  			if ((buflen -= 12) < 0)
>  				goto out_resource;
> @@ -2444,6 +2543,16 @@ out_acl:
>  		}
>  		WRITE64(stat.ino);
>  	}
> +#ifdef CONFIG_NFSD_V4_SECURITY_LABEL
> +	if (bmval2 & FATTR4_WORD2_SECURITY_LABEL) {
> +		status = nfsd4_encode_security_label(rqstp, dentry,
> +				&p, &buflen);
> +		if (status == nfserr_resource)
> +			goto out_resource;
> +		if (status)
> +			goto out;
> +	}
> +#endif
>  	if (bmval2 & FATTR4_WORD2_SUPPATTR_EXCLCREAT) {
>  		WRITE32(3);
>  		WRITE32(NFSD_SUPPATTR_EXCLCREAT_WORD0);
> diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
> index c120b48..717fb60 100644
> --- a/fs/nfsd/vfs.c
> +++ b/fs/nfsd/vfs.c
> @@ -28,6 +28,7 @@
>  #include <asm/uaccess.h>
>  #include <linux/exportfs.h>
>  #include <linux/writeback.h>
> +#include <linux/security.h>
>  
>  #ifdef CONFIG_NFSD_V3
>  #include "xdr3.h"
> @@ -621,6 +622,36 @@ int nfsd4_is_junction(struct dentry *dentry)
>  		return 0;
>  	return 1;
>  }
> +
> +#ifdef CONFIG_NFSD_V4_SECURITY_LABEL
> +__be32 nfsd4_set_nfs4_label(struct svc_rqst *rqstp, struct svc_fh *fhp,
> +		struct nfs4_label *label)
> +{
> +	__be32 error;
> +	int host_error;
> +	struct dentry *dentry;
> +
> +	/* Get inode */
> +	/* XXX: should we have a MAY_SSECCTX? */

Should we?

> +	error = fh_verify(rqstp, fhp, 0 /* S_IFREG */, NFSD_MAY_SATTR);
> +	if (error)
> +		return error;
> +
> +	dentry = fhp->fh_dentry;
> +
> +	mutex_lock(&dentry->d_inode->i_mutex);
> +	host_error = security_inode_setsecctx(dentry, label->label, label->len);
> +	mutex_unlock(&dentry->d_inode->i_mutex);
> +	return nfserrno(host_error);
> +}
> +#else
> +__be32 nfsd4_set_nfs4_label(struct svc_rqst *rqstp, struct svc_fh *fhp,
> +		struct nfs4_label *label)
> +{
> +	return -EOPNOTSUPP;
> +}
> +#endif
> +
>  #endif /* defined(CONFIG_NFSD_V4) */
>  
>  #ifdef CONFIG_NFSD_V3
> diff --git a/fs/nfsd/vfs.h b/fs/nfsd/vfs.h
> index 359594c..49c6cc0 100644
> --- a/fs/nfsd/vfs.h
> +++ b/fs/nfsd/vfs.h
> @@ -55,6 +55,8 @@ int nfsd_mountpoint(struct dentry *, struct svc_export *);
>  __be32          nfsd4_set_nfs4_acl(struct svc_rqst *, struct svc_fh *,
>                      struct nfs4_acl *);
>  int             nfsd4_get_nfs4_acl(struct svc_rqst *, struct dentry *, struct nfs4_acl **);
> +__be32          nfsd4_set_nfs4_label(struct svc_rqst *, struct svc_fh *,
> +		    struct nfs4_label *);
>  #endif /* CONFIG_NFSD_V4 */
>  __be32		nfsd_create(struct svc_rqst *, struct svc_fh *,
>  				char *name, int len, struct iattr *attrs,
> -- 
> 1.7.11.7
> 

Re: Labeled NFS [v5]

[J. Bruce Fields]

On Mon, Nov 12, 2012 at 01:15:34AM -0500, David Quigley wrote:
> The NFSv4 working group has finally accepted Labeled NFS as part of the NFSv4.2
> specification and it has been decided that a reposting of the Labeled NFS code
> for inclusion into mainline was a good idea. The patches have been rebased onto
> v3.7-rc2 and have been tested against the SELinux testsuite with the only
> failures being for features not supported by NFS.

By the way, is there wireshark support anywhere for the labeled NFS
protocol?

--b.

Re: Labeled NFS [v5]

[David P. Quigley]

On 11/12/2012 10:23 AM, J. Bruce Fields wrote:
> On Mon, Nov 12, 2012 at 01:15:34AM -0500, David Quigley wrote:
>> The NFSv4 working group has finally accepted Labeled NFS as part of the NFSv4.2
>> specification and it has been decided that a reposting of the Labeled NFS code
>> for inclusion into mainline was a good idea. The patches have been rebased onto
>> v3.7-rc2 and have been tested against the SELinux testsuite with the only
>> failures being for features not supported by NFS.
> By the way, is there wireshark support anywhere for the labeled NFS
> protocol?
>
> --b.
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

Unfortunately I never got a chance to add it. You can see the label 
pretty clearly in wireshark but it comes up as an unknown attribute in 
the fattr decomposition. If someone knows how to do it I'd be glad to help.

Re: Labeled NFS [v5]

[David P. Quigley]

On 11/12/2012 10:23 AM, J. Bruce Fields wrote:
> On Mon, Nov 12, 2012 at 01:15:34AM -0500, David Quigley wrote:
>> The NFSv4 working group has finally accepted Labeled NFS as part of the NFSv4.2
>> specification and it has been decided that a reposting of the Labeled NFS code
>> for inclusion into mainline was a good idea. The patches have been rebased onto
>> v3.7-rc2 and have been tested against the SELinux testsuite with the only
>> failures being for features not supported by NFS.
> By the way, is there wireshark support anywhere for the labeled NFS
> protocol?
>
> --b.
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

Unfortunately I never got a chance to add it. You can see the label 
pretty clearly in wireshark but it comes up as an unknown attribute in 
the fattr decomposition. If someone knows how to do it I'd be glad to help.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Labeled NFS [v5]

[J. Bruce Fields]

On Mon, Nov 12, 2012 at 10:34:08AM -0500, David P. Quigley wrote:
> On 11/12/2012 10:23 AM, J. Bruce Fields wrote:
> >On Mon, Nov 12, 2012 at 01:15:34AM -0500, David Quigley wrote:
> >>The NFSv4 working group has finally accepted Labeled NFS as part of the NFSv4.2
> >>specification and it has been decided that a reposting of the Labeled NFS code
> >>for inclusion into mainline was a good idea. The patches have been rebased onto
> >>v3.7-rc2 and have been tested against the SELinux testsuite with the only
> >>failures being for features not supported by NFS.
> >By the way, is there wireshark support anywhere for the labeled NFS
> >protocol?
> >
> >--b.
> >--
> >To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> >the body of a message to majordomo@vger.kernel.org
> >More majordomo info at  http://vger.kernel.org/majordomo-info.html
> >
> 
> Unfortunately I never got a chance to add it. You can see the label
> pretty clearly in wireshark but it comes up as an unknown attribute
> in the fattr decomposition. If someone knows how to do it I'd be
> glad to help.

It's usually not too hard: last time I needed something I did a

	git clone http://code.wireshark.org/git/wireshark

then grepped through epan/dissectors/packet-nfs.c for something similar
to imitate.  It wa easy to build and run the result from the build
directory.  Then I submitted a patch following:

	http://www.wireshark.org/docs/wsdg_html_chunked/ChSrcContribute.html#ChSrcSend

and the response was quick and helpful.

(But yeah I don't have time to volunteer right now either.)

--b.

Re: Labeled NFS [v5]

[Steve Dickson]

On 12/11/12 11:09, J. Bruce Fields wrote:
> On Mon, Nov 12, 2012 at 10:34:08AM -0500, David P. Quigley wrote:
>> On 11/12/2012 10:23 AM, J. Bruce Fields wrote:
>>> On Mon, Nov 12, 2012 at 01:15:34AM -0500, David Quigley wrote:
>>>> The NFSv4 working group has finally accepted Labeled NFS as part of the NFSv4.2
>>>> specification and it has been decided that a reposting of the Labeled NFS code
>>>> for inclusion into mainline was a good idea. The patches have been rebased onto
>>>> v3.7-rc2 and have been tested against the SELinux testsuite with the only
>>>> failures being for features not supported by NFS.
>>> By the way, is there wireshark support anywhere for the labeled NFS
>>> protocol?
>>>
>>> --b.
>>> --
>>> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
>>> the body of a message to majordomo@vger.kernel.org
>>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>>
>>
>> Unfortunately I never got a chance to add it. You can see the label
>> pretty clearly in wireshark but it comes up as an unknown attribute
>> in the fattr decomposition. If someone knows how to do it I'd be
>> glad to help.
> 
> It's usually not too hard: last time I needed something I did a
> 
> 	git clone http://code.wireshark.org/git/wireshark
> 
> then grepped through epan/dissectors/packet-nfs.c for something similar
> to imitate.  It wa easy to build and run the result from the build
> directory.  Then I submitted a patch following:
> 
> 	http://www.wireshark.org/docs/wsdg_html_chunked/ChSrcContribute.html#ChSrcSend
> 
> and the response was quick and helpful.
> 
> (But yeah I don't have time to volunteer right now either.)
Maybe I could take a look into helping out... If you guys can point
me a some binary traces or a boot-able kernel I can take a crack
at coming up with some dissectors... 

Connectathon is 3.5 months out so hopefully we can come up with
something by then.... 

steved.

Re: Labeled NFS [v5]

[Dave Quigley]

If you're ok with non Fedora kernel images I can try to put up a tree 
either tonight or tomorrow with the patches that you just need to build 
and install. That plus the one patch for nfs-utils should make 
everything work.

Dave

Re: Labeled NFS [v5]

[Dave Quigley]

If you're ok with non Fedora kernel images I can try to put up a tree 
either tonight or tomorrow with the patches that you just need to build 
and install. That plus the one patch for nfs-utils should make 
everything work.

Dave

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Labeled NFS [v5]

[Steve Dickson]

On 12/11/12 20:39, Dave Quigley wrote:
> If you're ok with non Fedora kernel images I can try to put up a tree either tonight or tomorrow with the patches that you just need to build and install. That plus the one patch for nfs-utils should make everything work.
I'm good with that....

steved.

Re: Labeled NFS [v5]

[Dave Quigley]

[-- Attachment #1: Type: text/plain, Size: 1300 bytes --]

On 11/13/2012 7:55 AM, Steve Dickson wrote:
>
>
> On 12/11/12 20:39, Dave Quigley wrote:
>> If you're ok with non Fedora kernel images I can try to put up a tree either tonight or tomorrow with the patches that you just need to build and install. That plus the one patch for nfs-utils should make everything work.
> I'm good with that....
>
> steved.
>

Ok so if you go to http://www.selinuxproject.org/git you will see a repo 
for lnfs and lnfs-patchset. The instructions at 
http://www.selinuxproject.org/page/Labeled_NFS give you a better 
indication on how to pull the trees. I've attached a patch for NFS utils 
which gives support for security_label/nosecurity_label in your 
/etc/exports file. I've also attached a script called setup which should 
build a test directory called /export with a copy of /var/www under it 
which should be labeled properly. It does all the proper SELinux 
commands to make sure labeling is correct. Once you have that setup just 
mount -t nfs localhost:/ /mnt/lnfs (or wherever you want) and you should 
be good to go. Just ls -Z in /mnt/lnfs/var and check to make sure the 
labels are the same as /export/var. It should have the labels showing up 
in the network transfer. If you have any problems just let me know and I 
can try to help figure them out.

Dave

[-- Attachment #2: 0001-Add-support-to-specify-which-exports-will-provide-La.patch --]
[-- Type: text/plain, Size: 2397 bytes --]

>From da84919c6957090cd961bb4ce40753820312a845 Mon Sep 17 00:00:00 2001
From: Dave Quigley <dpquigl@taiga.selinuxproject.org>
Date: Fri, 18 Sep 2009 08:53:58 -0700
Subject: [PATCH] Add support to specify which exports will provide Labeled NFS support.

diff --git a/support/include/nfs/export.h b/support/include/nfs/export.h
index 1547a87..b8e2fb0 100644
--- a/support/include/nfs/export.h
+++ b/support/include/nfs/export.h
@@ -17,7 +17,8 @@
 #define NFSEXP_ALLSQUASH	0x0008
 #define NFSEXP_ASYNC		0x0010
 #define NFSEXP_GATHERED_WRITES	0x0020
-/* 40, 80, 100 unused */
+#define NFSEXP_SECURITY_LABEL	0x0040	/* Support MAC attribute */
+/* 80, 100 unused */
 #define NFSEXP_NOHIDE		0x0200
 #define NFSEXP_NOSUBTREECHECK	0x0400
 #define NFSEXP_NOAUTHNLM	0x0800
diff --git a/support/nfs/exports.c b/support/nfs/exports.c
index a93941c..8965c8d 100644
--- a/support/nfs/exports.c
+++ b/support/nfs/exports.c
@@ -239,6 +239,8 @@ putexportent(struct exportent *ep)
 	fprintf(fp, "%ssync,", (ep->e_flags & NFSEXP_ASYNC)? "a" : "");
 	fprintf(fp, "%swdelay,", (ep->e_flags & NFSEXP_GATHERED_WRITES)?
 				"" : "no_");
+	fprintf(fp, "%ssecurity_label,", (ep->e_flags & NFSEXP_SECURITY_LABEL)?
+				"" : "no");
 	fprintf(fp, "%shide,", (ep->e_flags & NFSEXP_NOHIDE)?
 				"no" : "");
 	fprintf(fp, "%scrossmnt,", (ep->e_flags & NFSEXP_CROSSMOUNT)?
@@ -531,6 +533,10 @@ parseopts(char *cp, struct exportent *ep, int warn, int *had_subtree_opt_ptr)
 			setflags(NFSEXP_GATHERED_WRITES, active, ep);
 		else if (!strcmp(opt, "no_wdelay"))
 			clearflags(NFSEXP_GATHERED_WRITES, active, ep);
+		else if (strcmp(opt, "security_label") == 0)
+			ep->e_flags |= NFSEXP_SECURITY_LABEL;
+		else if (strcmp(opt, "nosecurity_label") == 0)
+			ep->e_flags &= ~NFSEXP_SECURITY_LABEL;
 		else if (strcmp(opt, "root_squash") == 0)
 			setflags(NFSEXP_ROOTSQUASH, active, ep);
 		else if (!strcmp(opt, "no_root_squash"))
diff --git a/utils/exportfs/exportfs.c b/utils/exportfs/exportfs.c
index b78957f..6434825 100644
--- a/utils/exportfs/exportfs.c
+++ b/utils/exportfs/exportfs.c
@@ -531,6 +531,8 @@ dump(int verbose)
 				c = dumpopt(c, "async");
 			if (ep->e_flags & NFSEXP_GATHERED_WRITES)
 				c = dumpopt(c, "wdelay");
+			if (ep->e_flags & NFSEXP_SECURITY_LABEL)
+				c = dumpopt(c, "security_label");
 			if (ep->e_flags & NFSEXP_NOHIDE)
 				c = dumpopt(c, "nohide");
 			if (ep->e_flags & NFSEXP_CROSSMOUNT)

[-- Attachment #3: setup.sh --]
[-- Type: text/plain, Size: 324 bytes --]

#!/bin/bash
mkdir /export
semanage fcontext -a -t mnt_t /export
mkdir /export/var
cp -R /var/www /export/var
semanage fcontext -ae /var /export/var
restorecon -R /export

echo "/export *(rw,fsid=0,sec=unix,security_label,insecure,no_subtree_check,sync, no_root_squash)" >> /etc/exports
systemctl restart nfs-server.service 

Re: Labeled NFS [v5]

[Dave Quigley]

[-- Attachment #1: Type: text/plain, Size: 1300 bytes --]

On 11/13/2012 7:55 AM, Steve Dickson wrote:
>
>
> On 12/11/12 20:39, Dave Quigley wrote:
>> If you're ok with non Fedora kernel images I can try to put up a tree either tonight or tomorrow with the patches that you just need to build and install. That plus the one patch for nfs-utils should make everything work.
> I'm good with that....
>
> steved.
>

Ok so if you go to http://www.selinuxproject.org/git you will see a repo 
for lnfs and lnfs-patchset. The instructions at 
http://www.selinuxproject.org/page/Labeled_NFS give you a better 
indication on how to pull the trees. I've attached a patch for NFS utils 
which gives support for security_label/nosecurity_label in your 
/etc/exports file. I've also attached a script called setup which should 
build a test directory called /export with a copy of /var/www under it 
which should be labeled properly. It does all the proper SELinux 
commands to make sure labeling is correct. Once you have that setup just 
mount -t nfs localhost:/ /mnt/lnfs (or wherever you want) and you should 
be good to go. Just ls -Z in /mnt/lnfs/var and check to make sure the 
labels are the same as /export/var. It should have the labels showing up 
in the network transfer. If you have any problems just let me know and I 
can try to help figure them out.

Dave

[-- Attachment #2: 0001-Add-support-to-specify-which-exports-will-provide-La.patch --]
[-- Type: text/plain, Size: 0 bytes --]

Re: Labeled NFS [v5]

[J. Bruce Fields]

On Tue, Nov 13, 2012 at 11:32:53PM -0500, Dave Quigley wrote:
> On 11/13/2012 7:55 AM, Steve Dickson wrote:
> >
> >
> >On 12/11/12 20:39, Dave Quigley wrote:
> >>If you're ok with non Fedora kernel images I can try to put up a tree either tonight or tomorrow with the patches that you just need to build and install. That plus the one patch for nfs-utils should make everything work.
> >I'm good with that....
> >
> >steved.
> >
> 
> Ok so if you go to http://www.selinuxproject.org/git you will see a
> repo for lnfs and lnfs-patchset. The instructions at
> http://www.selinuxproject.org/page/Labeled_NFS give you a better
> indication on how to pull the trees. I've attached a patch for NFS
> utils which gives support for security_label/nosecurity_label in
> your /etc/exports file.

Do we need an export option?  Is there any reason not to make the
feature available whenever there's support available for it?

--b.

> I've also attached a script called setup
> which should build a test directory called /export with a copy of
> /var/www under it which should be labeled properly. It does all the
> proper SELinux commands to make sure labeling is correct. Once you
> have that setup just mount -t nfs localhost:/ /mnt/lnfs (or wherever
> you want) and you should be good to go. Just ls -Z in /mnt/lnfs/var
> and check to make sure the labels are the same as /export/var. It
> should have the labels showing up in the network transfer. If you
> have any problems just let me know and I can try to help figure them
> out.
> 
> Dave

> >From da84919c6957090cd961bb4ce40753820312a845 Mon Sep 17 00:00:00 2001
> From: Dave Quigley <dpquigl@taiga.selinuxproject.org>
> Date: Fri, 18 Sep 2009 08:53:58 -0700
> Subject: [PATCH] Add support to specify which exports will provide Labeled NFS support.
> 
> diff --git a/support/include/nfs/export.h b/support/include/nfs/export.h
> index 1547a87..b8e2fb0 100644
> --- a/support/include/nfs/export.h
> +++ b/support/include/nfs/export.h
> @@ -17,7 +17,8 @@
>  #define NFSEXP_ALLSQUASH	0x0008
>  #define NFSEXP_ASYNC		0x0010
>  #define NFSEXP_GATHERED_WRITES	0x0020
> -/* 40, 80, 100 unused */
> +#define NFSEXP_SECURITY_LABEL	0x0040	/* Support MAC attribute */
> +/* 80, 100 unused */
>  #define NFSEXP_NOHIDE		0x0200
>  #define NFSEXP_NOSUBTREECHECK	0x0400
>  #define NFSEXP_NOAUTHNLM	0x0800
> diff --git a/support/nfs/exports.c b/support/nfs/exports.c
> index a93941c..8965c8d 100644
> --- a/support/nfs/exports.c
> +++ b/support/nfs/exports.c
> @@ -239,6 +239,8 @@ putexportent(struct exportent *ep)
>  	fprintf(fp, "%ssync,", (ep->e_flags & NFSEXP_ASYNC)? "a" : "");
>  	fprintf(fp, "%swdelay,", (ep->e_flags & NFSEXP_GATHERED_WRITES)?
>  				"" : "no_");
> +	fprintf(fp, "%ssecurity_label,", (ep->e_flags & NFSEXP_SECURITY_LABEL)?
> +				"" : "no");
>  	fprintf(fp, "%shide,", (ep->e_flags & NFSEXP_NOHIDE)?
>  				"no" : "");
>  	fprintf(fp, "%scrossmnt,", (ep->e_flags & NFSEXP_CROSSMOUNT)?
> @@ -531,6 +533,10 @@ parseopts(char *cp, struct exportent *ep, int warn, int *had_subtree_opt_ptr)
>  			setflags(NFSEXP_GATHERED_WRITES, active, ep);
>  		else if (!strcmp(opt, "no_wdelay"))
>  			clearflags(NFSEXP_GATHERED_WRITES, active, ep);
> +		else if (strcmp(opt, "security_label") == 0)
> +			ep->e_flags |= NFSEXP_SECURITY_LABEL;
> +		else if (strcmp(opt, "nosecurity_label") == 0)
> +			ep->e_flags &= ~NFSEXP_SECURITY_LABEL;
>  		else if (strcmp(opt, "root_squash") == 0)
>  			setflags(NFSEXP_ROOTSQUASH, active, ep);
>  		else if (!strcmp(opt, "no_root_squash"))
> diff --git a/utils/exportfs/exportfs.c b/utils/exportfs/exportfs.c
> index b78957f..6434825 100644
> --- a/utils/exportfs/exportfs.c
> +++ b/utils/exportfs/exportfs.c
> @@ -531,6 +531,8 @@ dump(int verbose)
>  				c = dumpopt(c, "async");
>  			if (ep->e_flags & NFSEXP_GATHERED_WRITES)
>  				c = dumpopt(c, "wdelay");
> +			if (ep->e_flags & NFSEXP_SECURITY_LABEL)
> +				c = dumpopt(c, "security_label");
>  			if (ep->e_flags & NFSEXP_NOHIDE)
>  				c = dumpopt(c, "nohide");
>  			if (ep->e_flags & NFSEXP_CROSSMOUNT)

> #!/bin/bash
> mkdir /export
> semanage fcontext -a -t mnt_t /export
> mkdir /export/var
> cp -R /var/www /export/var
> semanage fcontext -ae /var /export/var
> restorecon -R /export
> 
> echo "/export *(rw,fsid=0,sec=unix,security_label,insecure,no_subtree_check,sync, no_root_squash)" >> /etc/exports
> systemctl restart nfs-server.service 

Re: Labeled NFS [v5]

[David Quigley]

On 11/14/2012 08:45, J. Bruce Fields wrote:
> On Tue, Nov 13, 2012 at 11:32:53PM -0500, Dave Quigley wrote:
>> On 11/13/2012 7:55 AM, Steve Dickson wrote:
>> >
>> >
>> >On 12/11/12 20:39, Dave Quigley wrote:
>> >>If you're ok with non Fedora kernel images I can try to put up a 
>> tree either tonight or tomorrow with the patches that you just need to 
>> build and install. That plus the one patch for nfs-utils should make 
>> everything work.
>> >I'm good with that....
>> >
>> >steved.
>> >
>>
>> Ok so if you go to http://www.selinuxproject.org/git you will see a
>> repo for lnfs and lnfs-patchset. The instructions at
>> http://www.selinuxproject.org/page/Labeled_NFS give you a better
>> indication on how to pull the trees. I've attached a patch for NFS
>> utils which gives support for security_label/nosecurity_label in
>> your /etc/exports file.
>
> Do we need an export option?  Is there any reason not to make the
> feature available whenever there's support available for it?
>
> --b.
>
>> I've also attached a script called setup
>> which should build a test directory called /export with a copy of
>> /var/www under it which should be labeled properly. It does all the
>> proper SELinux commands to make sure labeling is correct. Once you
>> have that setup just mount -t nfs localhost:/ /mnt/lnfs (or wherever
>> you want) and you should be good to go. Just ls -Z in /mnt/lnfs/var
>> and check to make sure the labels are the same as /export/var. It
>> should have the labels showing up in the network transfer. If you
>> have any problems just let me know and I can try to help figure them
>> out.
>>
>> Dave
>
>> >From da84919c6957090cd961bb4ce40753820312a845 Mon Sep 17 00:00:00 
>> 2001
>> From: Dave Quigley <dpquigl@taiga.selinuxproject.org>
>> Date: Fri, 18 Sep 2009 08:53:58 -0700
>> Subject: [PATCH] Add support to specify which exports will provide 
>> Labeled NFS support.
>>
>> diff --git a/support/include/nfs/export.h 
>> b/support/include/nfs/export.h
>> index 1547a87..b8e2fb0 100644
>> --- a/support/include/nfs/export.h
>> +++ b/support/include/nfs/export.h
>> @@ -17,7 +17,8 @@
>>  #define NFSEXP_ALLSQUASH	0x0008
>>  #define NFSEXP_ASYNC		0x0010
>>  #define NFSEXP_GATHERED_WRITES	0x0020
>> -/* 40, 80, 100 unused */
>> +#define NFSEXP_SECURITY_LABEL	0x0040	/* Support MAC attribute */
>> +/* 80, 100 unused */
>>  #define NFSEXP_NOHIDE		0x0200
>>  #define NFSEXP_NOSUBTREECHECK	0x0400
>>  #define NFSEXP_NOAUTHNLM	0x0800
>> diff --git a/support/nfs/exports.c b/support/nfs/exports.c
>> index a93941c..8965c8d 100644
>> --- a/support/nfs/exports.c
>> +++ b/support/nfs/exports.c
>> @@ -239,6 +239,8 @@ putexportent(struct exportent *ep)
>>  	fprintf(fp, "%ssync,", (ep->e_flags & NFSEXP_ASYNC)? "a" : "");
>>  	fprintf(fp, "%swdelay,", (ep->e_flags & NFSEXP_GATHERED_WRITES)?
>>  				"" : "no_");
>> +	fprintf(fp, "%ssecurity_label,", (ep->e_flags & 
>> NFSEXP_SECURITY_LABEL)?
>> +				"" : "no");
>>  	fprintf(fp, "%shide,", (ep->e_flags & NFSEXP_NOHIDE)?
>>  				"no" : "");
>>  	fprintf(fp, "%scrossmnt,", (ep->e_flags & NFSEXP_CROSSMOUNT)?
>> @@ -531,6 +533,10 @@ parseopts(char *cp, struct exportent *ep, int 
>> warn, int *had_subtree_opt_ptr)
>>  			setflags(NFSEXP_GATHERED_WRITES, active, ep);
>>  		else if (!strcmp(opt, "no_wdelay"))
>>  			clearflags(NFSEXP_GATHERED_WRITES, active, ep);
>> +		else if (strcmp(opt, "security_label") == 0)
>> +			ep->e_flags |= NFSEXP_SECURITY_LABEL;
>> +		else if (strcmp(opt, "nosecurity_label") == 0)
>> +			ep->e_flags &= ~NFSEXP_SECURITY_LABEL;
>>  		else if (strcmp(opt, "root_squash") == 0)
>>  			setflags(NFSEXP_ROOTSQUASH, active, ep);
>>  		else if (!strcmp(opt, "no_root_squash"))
>> diff --git a/utils/exportfs/exportfs.c b/utils/exportfs/exportfs.c
>> index b78957f..6434825 100644
>> --- a/utils/exportfs/exportfs.c
>> +++ b/utils/exportfs/exportfs.c
>> @@ -531,6 +531,8 @@ dump(int verbose)
>>  				c = dumpopt(c, "async");
>>  			if (ep->e_flags & NFSEXP_GATHERED_WRITES)
>>  				c = dumpopt(c, "wdelay");
>> +			if (ep->e_flags & NFSEXP_SECURITY_LABEL)
>> +				c = dumpopt(c, "security_label");
>>  			if (ep->e_flags & NFSEXP_NOHIDE)
>>  				c = dumpopt(c, "nohide");
>>  			if (ep->e_flags & NFSEXP_CROSSMOUNT)
>
>> #!/bin/bash
>> mkdir /export
>> semanage fcontext -a -t mnt_t /export
>> mkdir /export/var
>> cp -R /var/www /export/var
>> semanage fcontext -ae /var /export/var
>> restorecon -R /export
>>
>> echo "/export 
>> *(rw,fsid=0,sec=unix,security_label,insecure,no_subtree_check,sync, 
>> no_root_squash)" >> /etc/exports
>> systemctl restart nfs-server.service

I guess we could build it in but I figured an export option allowed 
someone to turn off security labeling support if they didn't want it on 
that export. What happens to clients when the server returns a cap that 
they don't support? Do they mask the bits out?

Re: Labeled NFS [v5]

[David Quigley]

On 11/14/2012 08:45, J. Bruce Fields wrote:
> On Tue, Nov 13, 2012 at 11:32:53PM -0500, Dave Quigley wrote:
>> On 11/13/2012 7:55 AM, Steve Dickson wrote:
>> >
>> >
>> >On 12/11/12 20:39, Dave Quigley wrote:
>> >>If you're ok with non Fedora kernel images I can try to put up a 
>> tree either tonight or tomorrow with the patches that you just need to 
>> build and install. That plus the one patch for nfs-utils should make 
>> everything work.
>> >I'm good with that....
>> >
>> >steved.
>> >
>>
>> Ok so if you go to http://www.selinuxproject.org/git you will see a
>> repo for lnfs and lnfs-patchset. The instructions at
>> http://www.selinuxproject.org/page/Labeled_NFS give you a better
>> indication on how to pull the trees. I've attached a patch for NFS
>> utils which gives support for security_label/nosecurity_label in
>> your /etc/exports file.
>
> Do we need an export option?  Is there any reason not to make the
> feature available whenever there's support available for it?
>
> --b.
>
>> I've also attached a script called setup
>> which should build a test directory called /export with a copy of
>> /var/www under it which should be labeled properly. It does all the
>> proper SELinux commands to make sure labeling is correct. Once you
>> have that setup just mount -t nfs localhost:/ /mnt/lnfs (or wherever
>> you want) and you should be good to go. Just ls -Z in /mnt/lnfs/var
>> and check to make sure the labels are the same as /export/var. It
>> should have the labels showing up in the network transfer. If you
>> have any problems just let me know and I can try to help figure them
>> out.
>>
>> Dave
>
>> >From da84919c6957090cd961bb4ce40753820312a845 Mon Sep 17 00:00:00 
>> 2001
>> From: Dave Quigley <dpquigl@taiga.selinuxproject.org>
>> Date: Fri, 18 Sep 2009 08:53:58 -0700
>> Subject: [PATCH] Add support to specify which exports will provide 
>> Labeled NFS support.
>>
>> diff --git a/support/include/nfs/export.h 
>> b/support/include/nfs/export.h
>> index 1547a87..b8e2fb0 100644
>> --- a/support/include/nfs/export.h
>> +++ b/support/include/nfs/export.h
>> @@ -17,7 +17,8 @@
>>  #define NFSEXP_ALLSQUASH	0x0008
>>  #define NFSEXP_ASYNC		0x0010
>>  #define NFSEXP_GATHERED_WRITES	0x0020
>> -/* 40, 80, 100 unused */
>> +#define NFSEXP_SECURITY_LABEL	0x0040	/* Support MAC attribute */
>> +/* 80, 100 unused */
>>  #define NFSEXP_NOHIDE		0x0200
>>  #define NFSEXP_NOSUBTREECHECK	0x0400
>>  #define NFSEXP_NOAUTHNLM	0x0800
>> diff --git a/support/nfs/exports.c b/support/nfs/exports.c
>> index a93941c..8965c8d 100644
>> --- a/support/nfs/exports.c
>> +++ b/support/nfs/exports.c
>> @@ -239,6 +239,8 @@ putexportent(struct exportent *ep)
>>  	fprintf(fp, "%ssync,", (ep->e_flags & NFSEXP_ASYNC)? "a" : "");
>>  	fprintf(fp, "%swdelay,", (ep->e_flags & NFSEXP_GATHERED_WRITES)?
>>  				"" : "no_");
>> +	fprintf(fp, "%ssecurity_label,", (ep->e_flags & 
>> NFSEXP_SECURITY_LABEL)?
>> +				"" : "no");
>>  	fprintf(fp, "%shide,", (ep->e_flags & NFSEXP_NOHIDE)?
>>  				"no" : "");
>>  	fprintf(fp, "%scrossmnt,", (ep->e_flags & NFSEXP_CROSSMOUNT)?
>> @@ -531,6 +533,10 @@ parseopts(char *cp, struct exportent *ep, int 
>> warn, int *had_subtree_opt_ptr)
>>  			setflags(NFSEXP_GATHERED_WRITES, active, ep);
>>  		else if (!strcmp(opt, "no_wdelay"))
>>  			clearflags(NFSEXP_GATHERED_WRITES, active, ep);
>> +		else if (strcmp(opt, "security_label") == 0)
>> +			ep->e_flags |= NFSEXP_SECURITY_LABEL;
>> +		else if (strcmp(opt, "nosecurity_label") == 0)
>> +			ep->e_flags &= ~NFSEXP_SECURITY_LABEL;
>>  		else if (strcmp(opt, "root_squash") == 0)
>>  			setflags(NFSEXP_ROOTSQUASH, active, ep);
>>  		else if (!strcmp(opt, "no_root_squash"))
>> diff --git a/utils/exportfs/exportfs.c b/utils/exportfs/exportfs.c
>> index b78957f..6434825 100644
>> --- a/utils/exportfs/exportfs.c
>> +++ b/utils/exportfs/exportfs.c
>> @@ -531,6 +531,8 @@ dump(int verbose)
>>  				c = dumpopt(c, "async");
>>  			if (ep->e_flags & NFSEXP_GATHERED_WRITES)
>>  				c = dumpopt(c, "wdelay");
>> +			if (ep->e_flags & NFSEXP_SECURITY_LABEL)
>> +				c = dumpopt(c, "security_label");
>>  			if (ep->e_flags & NFSEXP_NOHIDE)
>>  				c = dumpopt(c, "nohide");
>>  			if (ep->e_flags & NFSEXP_CROSSMOUNT)
>
>> #!/bin/bash
>> mkdir /export
>> semanage fcontext -a -t mnt_t /export
>> mkdir /export/var
>> cp -R /var/www /export/var
>> semanage fcontext -ae /var /export/var
>> restorecon -R /export
>>
>> echo "/export 
>> *(rw,fsid=0,sec=unix,security_label,insecure,no_subtree_check,sync, 
>> no_root_squash)" >> /etc/exports
>> systemctl restart nfs-server.service

I guess we could build it in but I figured an export option allowed 
someone to turn off security labeling support if they didn't want it on 
that export. What happens to clients when the server returns a cap that 
they don't support? Do they mask the bits out?



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Labeled NFS [v5]

[J. Bruce Fields]

On Wed, Nov 14, 2012 at 08:50:17AM -0500, David Quigley wrote:
> On 11/14/2012 08:45, J. Bruce Fields wrote:
> >On Tue, Nov 13, 2012 at 11:32:53PM -0500, Dave Quigley wrote:
> >>Ok so if you go to http://www.selinuxproject.org/git you will see a
> >>repo for lnfs and lnfs-patchset. The instructions at
> >>http://www.selinuxproject.org/page/Labeled_NFS give you a better
> >>indication on how to pull the trees. I've attached a patch for NFS
> >>utils which gives support for security_label/nosecurity_label in
> >>your /etc/exports file.
> >
> >Do we need an export option?  Is there any reason not to make the
> >feature available whenever there's support available for it?
> 
> I guess we could build it in but I figured an export option allowed
> someone to turn off security labeling support if they didn't want it
> on that export. What happens to clients when the server returns a
> cap that they don't support? Do they mask the bits out?

Yeah, they should just ignore it.

While this is still experimental it's still nice to have a way to turn
this on and off at runtime so people can experiment without having to
have it on for everyone all the time.  But nfsd_supported_minorversion
should be sufficient for that.

(I don't think your patches actually dealt yet with the fact that this
is part of minor version 2?  Another for the todo list.)

--b.

Re: Labeled NFS [v5]

[David Quigley]

On 11/14/2012 08:59, J. Bruce Fields wrote:
> On Wed, Nov 14, 2012 at 08:50:17AM -0500, David Quigley wrote:
>> On 11/14/2012 08:45, J. Bruce Fields wrote:
>> >On Tue, Nov 13, 2012 at 11:32:53PM -0500, Dave Quigley wrote:
>> >>Ok so if you go to http://www.selinuxproject.org/git you will see 
>> a
>> >>repo for lnfs and lnfs-patchset. The instructions at
>> >>http://www.selinuxproject.org/page/Labeled_NFS give you a better
>> >>indication on how to pull the trees. I've attached a patch for NFS
>> >>utils which gives support for security_label/nosecurity_label in
>> >>your /etc/exports file.
>> >
>> >Do we need an export option?  Is there any reason not to make the
>> >feature available whenever there's support available for it?
>>
>> I guess we could build it in but I figured an export option allowed
>> someone to turn off security labeling support if they didn't want it
>> on that export. What happens to clients when the server returns a
>> cap that they don't support? Do they mask the bits out?
>
> Yeah, they should just ignore it.
>
> While this is still experimental it's still nice to have a way to 
> turn
> this on and off at runtime so people can experiment without having to
> have it on for everyone all the time.  But 
> nfsd_supported_minorversion
> should be sufficient for that.
>
> (I don't think your patches actually dealt yet with the fact that 
> this
> is part of minor version 2?  Another for the todo list.)
>
> --b.

Hmm... I'll have to look at the patches again to find out. Its been so 
long since I worked on these full time that I have to go back and check 
quite a bit. Luckily since i put the tree up for Trond last night I 
should be able to look at them while at work.

Re: Labeled NFS [v5]

[David Quigley]

On 11/14/2012 08:59, J. Bruce Fields wrote:
> On Wed, Nov 14, 2012 at 08:50:17AM -0500, David Quigley wrote:
>> On 11/14/2012 08:45, J. Bruce Fields wrote:
>> >On Tue, Nov 13, 2012 at 11:32:53PM -0500, Dave Quigley wrote:
>> >>Ok so if you go to http://www.selinuxproject.org/git you will see 
>> a
>> >>repo for lnfs and lnfs-patchset. The instructions at
>> >>http://www.selinuxproject.org/page/Labeled_NFS give you a better
>> >>indication on how to pull the trees. I've attached a patch for NFS
>> >>utils which gives support for security_label/nosecurity_label in
>> >>your /etc/exports file.
>> >
>> >Do we need an export option?  Is there any reason not to make the
>> >feature available whenever there's support available for it?
>>
>> I guess we could build it in but I figured an export option allowed
>> someone to turn off security labeling support if they didn't want it
>> on that export. What happens to clients when the server returns a
>> cap that they don't support? Do they mask the bits out?
>
> Yeah, they should just ignore it.
>
> While this is still experimental it's still nice to have a way to 
> turn
> this on and off at runtime so people can experiment without having to
> have it on for everyone all the time.  But 
> nfsd_supported_minorversion
> should be sufficient for that.
>
> (I don't think your patches actually dealt yet with the fact that 
> this
> is part of minor version 2?  Another for the todo list.)
>
> --b.

Hmm... I'll have to look at the patches again to find out. Its been so 
long since I worked on these full time that I have to go back and check 
quite a bit. Luckily since i put the tree up for Trond last night I 
should be able to look at them while at work.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Labeled NFS [v5]

[David Quigley]

On 11/14/2012 08:59, J. Bruce Fields wrote:
> On Wed, Nov 14, 2012 at 08:50:17AM -0500, David Quigley wrote:
>> On 11/14/2012 08:45, J. Bruce Fields wrote:
>> >On Tue, Nov 13, 2012 at 11:32:53PM -0500, Dave Quigley wrote:
>> >>Ok so if you go to http://www.selinuxproject.org/git you will see 
>> a
>> >>repo for lnfs and lnfs-patchset. The instructions at
>> >>http://www.selinuxproject.org/page/Labeled_NFS give you a better
>> >>indication on how to pull the trees. I've attached a patch for NFS
>> >>utils which gives support for security_label/nosecurity_label in
>> >>your /etc/exports file.
>> >
>> >Do we need an export option?  Is there any reason not to make the
>> >feature available whenever there's support available for it?
>>
>> I guess we could build it in but I figured an export option allowed
>> someone to turn off security labeling support if they didn't want it
>> on that export. What happens to clients when the server returns a
>> cap that they don't support? Do they mask the bits out?
>
> Yeah, they should just ignore it.
>
> While this is still experimental it's still nice to have a way to 
> turn
> this on and off at runtime so people can experiment without having to
> have it on for everyone all the time.  But 
> nfsd_supported_minorversion
> should be sufficient for that.
>
> (I don't think your patches actually dealt yet with the fact that 
> this
> is part of minor version 2?  Another for the todo list.)
>
> --b.

If we use nfsd_supported_minorversion which I'm guessing is an export 
option what happens if someone wants to use other 4.2 features but not 
labeling? I'll switch it over if you guys want it done that way, I think 
though that this provides more flexibility. Although anything that makes 
me carry around fewer patches is good in my book.

Dave

Re: Labeled NFS [v5]

[David Quigley]

On 11/14/2012 08:59, J. Bruce Fields wrote:
> On Wed, Nov 14, 2012 at 08:50:17AM -0500, David Quigley wrote:
>> On 11/14/2012 08:45, J. Bruce Fields wrote:
>> >On Tue, Nov 13, 2012 at 11:32:53PM -0500, Dave Quigley wrote:
>> >>Ok so if you go to http://www.selinuxproject.org/git you will see 
>> a
>> >>repo for lnfs and lnfs-patchset. The instructions at
>> >>http://www.selinuxproject.org/page/Labeled_NFS give you a better
>> >>indication on how to pull the trees. I've attached a patch for NFS
>> >>utils which gives support for security_label/nosecurity_label in
>> >>your /etc/exports file.
>> >
>> >Do we need an export option?  Is there any reason not to make the
>> >feature available whenever there's support available for it?
>>
>> I guess we could build it in but I figured an export option allowed
>> someone to turn off security labeling support if they didn't want it
>> on that export. What happens to clients when the server returns a
>> cap that they don't support? Do they mask the bits out?
>
> Yeah, they should just ignore it.
>
> While this is still experimental it's still nice to have a way to 
> turn
> this on and off at runtime so people can experiment without having to
> have it on for everyone all the time.  But 
> nfsd_supported_minorversion
> should be sufficient for that.
>
> (I don't think your patches actually dealt yet with the fact that 
> this
> is part of minor version 2?  Another for the todo list.)
>
> --b.

If we use nfsd_supported_minorversion which I'm guessing is an export 
option what happens if someone wants to use other 4.2 features but not 
labeling? I'll switch it over if you guys want it done that way, I think 
though that this provides more flexibility. Although anything that makes 
me carry around fewer patches is good in my book.

Dave

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Labeled NFS [v5]

[J. Bruce Fields]

On Wed, Nov 14, 2012 at 09:04:18AM -0500, David Quigley wrote:
> On 11/14/2012 08:59, J. Bruce Fields wrote:
> >On Wed, Nov 14, 2012 at 08:50:17AM -0500, David Quigley wrote:
> >>On 11/14/2012 08:45, J. Bruce Fields wrote:
> >>>On Tue, Nov 13, 2012 at 11:32:53PM -0500, Dave Quigley wrote:
> >>>>Ok so if you go to http://www.selinuxproject.org/git you will
> >>see a
> >>>>repo for lnfs and lnfs-patchset. The instructions at
> >>>>http://www.selinuxproject.org/page/Labeled_NFS give you a better
> >>>>indication on how to pull the trees. I've attached a patch for NFS
> >>>>utils which gives support for security_label/nosecurity_label in
> >>>>your /etc/exports file.
> >>>
> >>>Do we need an export option?  Is there any reason not to make the
> >>>feature available whenever there's support available for it?
> >>
> >>I guess we could build it in but I figured an export option allowed
> >>someone to turn off security labeling support if they didn't want it
> >>on that export. What happens to clients when the server returns a
> >>cap that they don't support? Do they mask the bits out?
> >
> >Yeah, they should just ignore it.
> >
> >While this is still experimental it's still nice to have a way to
> >turn
> >this on and off at runtime so people can experiment without having to
> >have it on for everyone all the time.  But
> >nfsd_supported_minorversion
> >should be sufficient for that.
> >
> >(I don't think your patches actually dealt yet with the fact that
> >this
> >is part of minor version 2?  Another for the todo list.)
> >
> >--b.
> 
> If we use nfsd_supported_minorversion which I'm guessing is an
> export option

That's just a variable in the code.  It's controlled by
/proc/fs/nfsd/versions.

> what happens if someone wants to use other 4.2
> features but not labeling?

We'll cross that bridge when we come to it, maybe by adding some new
global paramater.

There's no reason this really needs to be per-export, is there?

--b.

> I'll switch it over if you guys want it
> done that way, I think though that this provides more flexibility.
> Although anything that makes me carry around fewer patches is good
> in my book.
> 
> Dave

Re: Labeled NFS [v5]

[David Quigley]

On 11/14/2012 09:24, J. Bruce Fields wrote:
> On Wed, Nov 14, 2012 at 09:04:18AM -0500, David Quigley wrote:
>> On 11/14/2012 08:59, J. Bruce Fields wrote:
>> >On Wed, Nov 14, 2012 at 08:50:17AM -0500, David Quigley wrote:
>> >>On 11/14/2012 08:45, J. Bruce Fields wrote:
>> >>>On Tue, Nov 13, 2012 at 11:32:53PM -0500, Dave Quigley wrote:
>> >>>>Ok so if you go to http://www.selinuxproject.org/git you will
>> >>see a
>> >>>>repo for lnfs and lnfs-patchset. The instructions at
>> >>>>http://www.selinuxproject.org/page/Labeled_NFS give you a better
>> >>>>indication on how to pull the trees. I've attached a patch for 
>> NFS
>> >>>>utils which gives support for security_label/nosecurity_label in
>> >>>>your /etc/exports file.
>> >>>
>> >>>Do we need an export option?  Is there any reason not to make the
>> >>>feature available whenever there's support available for it?
>> >>
>> >>I guess we could build it in but I figured an export option 
>> allowed
>> >>someone to turn off security labeling support if they didn't want 
>> it
>> >>on that export. What happens to clients when the server returns a
>> >>cap that they don't support? Do they mask the bits out?
>> >
>> >Yeah, they should just ignore it.
>> >
>> >While this is still experimental it's still nice to have a way to
>> >turn
>> >this on and off at runtime so people can experiment without having 
>> to
>> >have it on for everyone all the time.  But
>> >nfsd_supported_minorversion
>> >should be sufficient for that.
>> >
>> >(I don't think your patches actually dealt yet with the fact that
>> >this
>> >is part of minor version 2?  Another for the todo list.)
>> >
>> >--b.
>>
>> If we use nfsd_supported_minorversion which I'm guessing is an
>> export option
>
> That's just a variable in the code.  It's controlled by
> /proc/fs/nfsd/versions.
>
>> what happens if someone wants to use other 4.2
>> features but not labeling?
>
> We'll cross that bridge when we come to it, maybe by adding some new
> global paramater.
>
> There's no reason this really needs to be per-export, is there?
>
> --b.

At the moment I can't really think of a reason to have it be 
per-export. I think we need a new LSM patch though to determine if the 
LSM supports labeling over NFS unless Steve can think of a better way to 
tell if the LSM supports labeling.


>
>> I'll switch it over if you guys want it
>> done that way, I think though that this provides more flexibility.
>> Although anything that makes me carry around fewer patches is good
>> in my book.
>>
>> Dave

Re: Labeled NFS [v5]

[David Quigley]

On 11/14/2012 09:24, J. Bruce Fields wrote:
> On Wed, Nov 14, 2012 at 09:04:18AM -0500, David Quigley wrote:
>> On 11/14/2012 08:59, J. Bruce Fields wrote:
>> >On Wed, Nov 14, 2012 at 08:50:17AM -0500, David Quigley wrote:
>> >>On 11/14/2012 08:45, J. Bruce Fields wrote:
>> >>>On Tue, Nov 13, 2012 at 11:32:53PM -0500, Dave Quigley wrote:
>> >>>>Ok so if you go to http://www.selinuxproject.org/git you will
>> >>see a
>> >>>>repo for lnfs and lnfs-patchset. The instructions at
>> >>>>http://www.selinuxproject.org/page/Labeled_NFS give you a better
>> >>>>indication on how to pull the trees. I've attached a patch for 
>> NFS
>> >>>>utils which gives support for security_label/nosecurity_label in
>> >>>>your /etc/exports file.
>> >>>
>> >>>Do we need an export option?  Is there any reason not to make the
>> >>>feature available whenever there's support available for it?
>> >>
>> >>I guess we could build it in but I figured an export option 
>> allowed
>> >>someone to turn off security labeling support if they didn't want 
>> it
>> >>on that export. What happens to clients when the server returns a
>> >>cap that they don't support? Do they mask the bits out?
>> >
>> >Yeah, they should just ignore it.
>> >
>> >While this is still experimental it's still nice to have a way to
>> >turn
>> >this on and off at runtime so people can experiment without having 
>> to
>> >have it on for everyone all the time.  But
>> >nfsd_supported_minorversion
>> >should be sufficient for that.
>> >
>> >(I don't think your patches actually dealt yet with the fact that
>> >this
>> >is part of minor version 2?  Another for the todo list.)
>> >
>> >--b.
>>
>> If we use nfsd_supported_minorversion which I'm guessing is an
>> export option
>
> That's just a variable in the code.  It's controlled by
> /proc/fs/nfsd/versions.
>
>> what happens if someone wants to use other 4.2
>> features but not labeling?
>
> We'll cross that bridge when we come to it, maybe by adding some new
> global paramater.
>
> There's no reason this really needs to be per-export, is there?
>
> --b.

At the moment I can't really think of a reason to have it be 
per-export. I think we need a new LSM patch though to determine if the 
LSM supports labeling over NFS unless Steve can think of a better way to 
tell if the LSM supports labeling.


>
>> I'll switch it over if you guys want it
>> done that way, I think though that this provides more flexibility.
>> Although anything that makes me carry around fewer patches is good
>> in my book.
>>
>> Dave


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Labeled NFS [v5]

[Casey Schaufler]

On 11/14/2012 6:30 AM, David Quigley wrote:
> On 11/14/2012 09:24, J. Bruce Fields wrote:
>> On Wed, Nov 14, 2012 at 09:04:18AM -0500, David Quigley wrote:
>>> On 11/14/2012 08:59, J. Bruce Fields wrote:
>>> >On Wed, Nov 14, 2012 at 08:50:17AM -0500, David Quigley wrote:
>>> >>On 11/14/2012 08:45, J. Bruce Fields wrote:
>>> >>>On Tue, Nov 13, 2012 at 11:32:53PM -0500, Dave Quigley wrote:
>>> >>>>Ok so if you go to http://www.selinuxproject.org/git you will
>>> >>see a
>>> >>>>repo for lnfs and lnfs-patchset. The instructions at
>>> >>>>http://www.selinuxproject.org/page/Labeled_NFS give you a better
>>> >>>>indication on how to pull the trees. I've attached a patch for NFS
>>> >>>>utils which gives support for security_label/nosecurity_label in
>>> >>>>your /etc/exports file.
>>> >>>
>>> >>>Do we need an export option?  Is there any reason not to make the
>>> >>>feature available whenever there's support available for it?
>>> >>
>>> >>I guess we could build it in but I figured an export option allowed
>>> >>someone to turn off security labeling support if they didn't want it
>>> >>on that export. What happens to clients when the server returns a
>>> >>cap that they don't support? Do they mask the bits out?
>>> >
>>> >Yeah, they should just ignore it.
>>> >
>>> >While this is still experimental it's still nice to have a way to
>>> >turn
>>> >this on and off at runtime so people can experiment without having to
>>> >have it on for everyone all the time.  But
>>> >nfsd_supported_minorversion
>>> >should be sufficient for that.
>>> >
>>> >(I don't think your patches actually dealt yet with the fact that
>>> >this
>>> >is part of minor version 2?  Another for the todo list.)
>>> >
>>> >--b.
>>>
>>> If we use nfsd_supported_minorversion which I'm guessing is an
>>> export option
>>
>> That's just a variable in the code.  It's controlled by
>> /proc/fs/nfsd/versions.
>>
>>> what happens if someone wants to use other 4.2
>>> features but not labeling?
>>
>> We'll cross that bridge when we come to it, maybe by adding some new
>> global paramater.
>>
>> There's no reason this really needs to be per-export, is there?
>>
>> --b.
>
> At the moment I can't really think of a reason to have it be
> per-export. I think we need a new LSM patch though to determine if the
> LSM supports labeling over NFS unless Steve can think of a better way
> to tell if the LSM supports labeling.

If the LSM has a secid_to_secctx hook it supports labeling.
Today that's SELinux and Smack. You already have support in
for SELinux, and providing Smack's review and possibly updates
is #2 on my gotta do list. On the whole, I think that, except
for the fundamental philosophical difference between label
support and xattr support, it should be a simple matter to
get support in for any LSM that has secid_to_secctx.

But I'm still working on the review.

>
>
>>
>>> I'll switch it over if you guys want it
>>> done that way, I think though that this provides more flexibility.
>>> Although anything that makes me carry around fewer patches is good
>>> in my book.
>>>
>>> Dave
>
> -- 
> To unsubscribe from this list: send the line "unsubscribe
> linux-security-module" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

Re: Labeled NFS [v5]

[Casey Schaufler]

On 11/14/2012 6:30 AM, David Quigley wrote:
> On 11/14/2012 09:24, J. Bruce Fields wrote:
>> On Wed, Nov 14, 2012 at 09:04:18AM -0500, David Quigley wrote:
>>> On 11/14/2012 08:59, J. Bruce Fields wrote:
>>> >On Wed, Nov 14, 2012 at 08:50:17AM -0500, David Quigley wrote:
>>> >>On 11/14/2012 08:45, J. Bruce Fields wrote:
>>> >>>On Tue, Nov 13, 2012 at 11:32:53PM -0500, Dave Quigley wrote:
>>> >>>>Ok so if you go to http://www.selinuxproject.org/git you will
>>> >>see a
>>> >>>>repo for lnfs and lnfs-patchset. The instructions at
>>> >>>>http://www.selinuxproject.org/page/Labeled_NFS give you a better
>>> >>>>indication on how to pull the trees. I've attached a patch for NFS
>>> >>>>utils which gives support for security_label/nosecurity_label in
>>> >>>>your /etc/exports file.
>>> >>>
>>> >>>Do we need an export option?  Is there any reason not to make the
>>> >>>feature available whenever there's support available for it?
>>> >>
>>> >>I guess we could build it in but I figured an export option allowed
>>> >>someone to turn off security labeling support if they didn't want it
>>> >>on that export. What happens to clients when the server returns a
>>> >>cap that they don't support? Do they mask the bits out?
>>> >
>>> >Yeah, they should just ignore it.
>>> >
>>> >While this is still experimental it's still nice to have a way to
>>> >turn
>>> >this on and off at runtime so people can experiment without having to
>>> >have it on for everyone all the time.  But
>>> >nfsd_supported_minorversion
>>> >should be sufficient for that.
>>> >
>>> >(I don't think your patches actually dealt yet with the fact that
>>> >this
>>> >is part of minor version 2?  Another for the todo list.)
>>> >
>>> >--b.
>>>
>>> If we use nfsd_supported_minorversion which I'm guessing is an
>>> export option
>>
>> That's just a variable in the code.  It's controlled by
>> /proc/fs/nfsd/versions.
>>
>>> what happens if someone wants to use other 4.2
>>> features but not labeling?
>>
>> We'll cross that bridge when we come to it, maybe by adding some new
>> global paramater.
>>
>> There's no reason this really needs to be per-export, is there?
>>
>> --b.
>
> At the moment I can't really think of a reason to have it be
> per-export. I think we need a new LSM patch though to determine if the
> LSM supports labeling over NFS unless Steve can think of a better way
> to tell if the LSM supports labeling.

If the LSM has a secid_to_secctx hook it supports labeling.
Today that's SELinux and Smack. You already have support in
for SELinux, and providing Smack's review and possibly updates
is #2 on my gotta do list. On the whole, I think that, except
for the fundamental philosophical difference between label
support and xattr support, it should be a simple matter to
get support in for any LSM that has secid_to_secctx.

But I'm still working on the review.

>
>
>>
>>> I'll switch it over if you guys want it
>>> done that way, I think though that this provides more flexibility.
>>> Although anything that makes me carry around fewer patches is good
>>> in my book.
>>>
>>> Dave
>
> -- 
> To unsubscribe from this list: send the line "unsubscribe
> linux-security-module" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Labeled NFS [v5]

[David Quigley]

On 11/15/2012 11:00, Casey Schaufler wrote:
> On 11/14/2012 6:30 AM, David Quigley wrote:
>> On 11/14/2012 09:24, J. Bruce Fields wrote:
>>> On Wed, Nov 14, 2012 at 09:04:18AM -0500, David Quigley wrote:
>>>> On 11/14/2012 08:59, J. Bruce Fields wrote:
>>>> >On Wed, Nov 14, 2012 at 08:50:17AM -0500, David Quigley wrote:
>>>> >>On 11/14/2012 08:45, J. Bruce Fields wrote:
>>>> >>>On Tue, Nov 13, 2012 at 11:32:53PM -0500, Dave Quigley wrote:
>>>> >>>>Ok so if you go to http://www.selinuxproject.org/git you will
>>>> >>see a
>>>> >>>>repo for lnfs and lnfs-patchset. The instructions at
>>>> >>>>http://www.selinuxproject.org/page/Labeled_NFS give you a 
>>>> better
>>>> >>>>indication on how to pull the trees. I've attached a patch for 
>>>> NFS
>>>> >>>>utils which gives support for security_label/nosecurity_label 
>>>> in
>>>> >>>>your /etc/exports file.
>>>> >>>
>>>> >>>Do we need an export option?  Is there any reason not to make 
>>>> the
>>>> >>>feature available whenever there's support available for it?
>>>> >>
>>>> >>I guess we could build it in but I figured an export option 
>>>> allowed
>>>> >>someone to turn off security labeling support if they didn't 
>>>> want it
>>>> >>on that export. What happens to clients when the server returns 
>>>> a
>>>> >>cap that they don't support? Do they mask the bits out?
>>>> >
>>>> >Yeah, they should just ignore it.
>>>> >
>>>> >While this is still experimental it's still nice to have a way to
>>>> >turn
>>>> >this on and off at runtime so people can experiment without 
>>>> having to
>>>> >have it on for everyone all the time.  But
>>>> >nfsd_supported_minorversion
>>>> >should be sufficient for that.
>>>> >
>>>> >(I don't think your patches actually dealt yet with the fact that
>>>> >this
>>>> >is part of minor version 2?  Another for the todo list.)
>>>> >
>>>> >--b.
>>>>
>>>> If we use nfsd_supported_minorversion which I'm guessing is an
>>>> export option
>>>
>>> That's just a variable in the code.  It's controlled by
>>> /proc/fs/nfsd/versions.
>>>
>>>> what happens if someone wants to use other 4.2
>>>> features but not labeling?
>>>
>>> We'll cross that bridge when we come to it, maybe by adding some 
>>> new
>>> global paramater.
>>>
>>> There's no reason this really needs to be per-export, is there?
>>>
>>> --b.
>>
>> At the moment I can't really think of a reason to have it be
>> per-export. I think we need a new LSM patch though to determine if 
>> the
>> LSM supports labeling over NFS unless Steve can think of a better 
>> way
>> to tell if the LSM supports labeling.
>
> If the LSM has a secid_to_secctx hook it supports labeling.
> Today that's SELinux and Smack. You already have support in
> for SELinux, and providing Smack's review and possibly updates
> is #2 on my gotta do list. On the whole, I think that, except
> for the fundamental philosophical difference between label
> support and xattr support, it should be a simple matter to
> get support in for any LSM that has secid_to_secctx.
>
> But I'm still working on the review.
>

I believe SMACK already works out of the box since we abstracted the 
call to obtain labels and your implementation currently works. The call 
that is needed is not secid_to_secctx but inode_getsecctx. You asked for 
this because SMACK labels can span multiple xattrs. I don't think its 
right to expect NFS to poke around the security structure to check if 
there is a valid hook(and it isn't really possible either). Maybe we can 
have an LSM hook where the LSM categorizes itself and returns a value 
and if the value it returns is label based then NFS can use it.

>>
>>
>>>
>>>> I'll switch it over if you guys want it
>>>> done that way, I think though that this provides more flexibility.
>>>> Although anything that makes me carry around fewer patches is good
>>>> in my book.
>>>>
>>>> Dave
>>
>> --
>> To unsubscribe from this list: send the line "unsubscribe
>> linux-security-module" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>
>
>
> --
> This message was distributed to subscribers of the selinux mailing 
> list.
> If you no longer wish to subscribe, send mail to 
> majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.

Re: Labeled NFS [v5]

[David Quigley]

On 11/15/2012 11:00, Casey Schaufler wrote:
> On 11/14/2012 6:30 AM, David Quigley wrote:
>> On 11/14/2012 09:24, J. Bruce Fields wrote:
>>> On Wed, Nov 14, 2012 at 09:04:18AM -0500, David Quigley wrote:
>>>> On 11/14/2012 08:59, J. Bruce Fields wrote:
>>>> >On Wed, Nov 14, 2012 at 08:50:17AM -0500, David Quigley wrote:
>>>> >>On 11/14/2012 08:45, J. Bruce Fields wrote:
>>>> >>>On Tue, Nov 13, 2012 at 11:32:53PM -0500, Dave Quigley wrote:
>>>> >>>>Ok so if you go to http://www.selinuxproject.org/git you will
>>>> >>see a
>>>> >>>>repo for lnfs and lnfs-patchset. The instructions at
>>>> >>>>http://www.selinuxproject.org/page/Labeled_NFS give you a 
>>>> better
>>>> >>>>indication on how to pull the trees. I've attached a patch for 
>>>> NFS
>>>> >>>>utils which gives support for security_label/nosecurity_label 
>>>> in
>>>> >>>>your /etc/exports file.
>>>> >>>
>>>> >>>Do we need an export option?  Is there any reason not to make 
>>>> the
>>>> >>>feature available whenever there's support available for it?
>>>> >>
>>>> >>I guess we could build it in but I figured an export option 
>>>> allowed
>>>> >>someone to turn off security labeling support if they didn't 
>>>> want it
>>>> >>on that export. What happens to clients when the server returns 
>>>> a
>>>> >>cap that they don't support? Do they mask the bits out?
>>>> >
>>>> >Yeah, they should just ignore it.
>>>> >
>>>> >While this is still experimental it's still nice to have a way to
>>>> >turn
>>>> >this on and off at runtime so people can experiment without 
>>>> having to
>>>> >have it on for everyone all the time.  But
>>>> >nfsd_supported_minorversion
>>>> >should be sufficient for that.
>>>> >
>>>> >(I don't think your patches actually dealt yet with the fact that
>>>> >this
>>>> >is part of minor version 2?  Another for the todo list.)
>>>> >
>>>> >--b.
>>>>
>>>> If we use nfsd_supported_minorversion which I'm guessing is an
>>>> export option
>>>
>>> That's just a variable in the code.  It's controlled by
>>> /proc/fs/nfsd/versions.
>>>
>>>> what happens if someone wants to use other 4.2
>>>> features but not labeling?
>>>
>>> We'll cross that bridge when we come to it, maybe by adding some 
>>> new
>>> global paramater.
>>>
>>> There's no reason this really needs to be per-export, is there?
>>>
>>> --b.
>>
>> At the moment I can't really think of a reason to have it be
>> per-export. I think we need a new LSM patch though to determine if 
>> the
>> LSM supports labeling over NFS unless Steve can think of a better 
>> way
>> to tell if the LSM supports labeling.
>
> If the LSM has a secid_to_secctx hook it supports labeling.
> Today that's SELinux and Smack. You already have support in
> for SELinux, and providing Smack's review and possibly updates
> is #2 on my gotta do list. On the whole, I think that, except
> for the fundamental philosophical difference between label
> support and xattr support, it should be a simple matter to
> get support in for any LSM that has secid_to_secctx.
>
> But I'm still working on the review.
>

I believe SMACK already works out of the box since we abstracted the 
call to obtain labels and your implementation currently works. The call 
that is needed is not secid_to_secctx but inode_getsecctx. You asked for 
this because SMACK labels can span multiple xattrs. I don't think its 
right to expect NFS to poke around the security structure to check if 
there is a valid hook(and it isn't really possible either). Maybe we can 
have an LSM hook where the LSM categorizes itself and returns a value 
and if the value it returns is label based then NFS can use it.

>>
>>
>>>
>>>> I'll switch it over if you guys want it
>>>> done that way, I think though that this provides more flexibility.
>>>> Although anything that makes me carry around fewer patches is good
>>>> in my book.
>>>>
>>>> Dave
>>
>> --
>> To unsubscribe from this list: send the line "unsubscribe
>> linux-security-module" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>
>
>
> --
> This message was distributed to subscribers of the selinux mailing 
> list.
> If you no longer wish to subscribe, send mail to 
> majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Labeled NFS [v5]

[Casey Schaufler]

On 11/15/2012 12:28 PM, David Quigley wrote:
> On 11/15/2012 11:00, Casey Schaufler wrote:
>> On 11/14/2012 6:30 AM, David Quigley wrote:
>>> On 11/14/2012 09:24, J. Bruce Fields wrote:
>>>> On Wed, Nov 14, 2012 at 09:04:18AM -0500, David Quigley wrote:
>>>>> On 11/14/2012 08:59, J. Bruce Fields wrote:
>>>>> >On Wed, Nov 14, 2012 at 08:50:17AM -0500, David Quigley wrote:
>>>>> >>On 11/14/2012 08:45, J. Bruce Fields wrote:
>>>>> >>>On Tue, Nov 13, 2012 at 11:32:53PM -0500, Dave Quigley wrote:
>>>>> >>>>Ok so if you go to http://www.selinuxproject.org/git you will
>>>>> >>see a
>>>>> >>>>repo for lnfs and lnfs-patchset. The instructions at
>>>>> >>>>http://www.selinuxproject.org/page/Labeled_NFS give you a better
>>>>> >>>>indication on how to pull the trees. I've attached a patch for
>>>>> NFS
>>>>> >>>>utils which gives support for security_label/nosecurity_label in
>>>>> >>>>your /etc/exports file.
>>>>> >>>
>>>>> >>>Do we need an export option?  Is there any reason not to make the
>>>>> >>>feature available whenever there's support available for it?
>>>>> >>
>>>>> >>I guess we could build it in but I figured an export option allowed
>>>>> >>someone to turn off security labeling support if they didn't
>>>>> want it
>>>>> >>on that export. What happens to clients when the server returns a
>>>>> >>cap that they don't support? Do they mask the bits out?
>>>>> >
>>>>> >Yeah, they should just ignore it.
>>>>> >
>>>>> >While this is still experimental it's still nice to have a way to
>>>>> >turn
>>>>> >this on and off at runtime so people can experiment without
>>>>> having to
>>>>> >have it on for everyone all the time.  But
>>>>> >nfsd_supported_minorversion
>>>>> >should be sufficient for that.
>>>>> >
>>>>> >(I don't think your patches actually dealt yet with the fact that
>>>>> >this
>>>>> >is part of minor version 2?  Another for the todo list.)
>>>>> >
>>>>> >--b.
>>>>>
>>>>> If we use nfsd_supported_minorversion which I'm guessing is an
>>>>> export option
>>>>
>>>> That's just a variable in the code.  It's controlled by
>>>> /proc/fs/nfsd/versions.
>>>>
>>>>> what happens if someone wants to use other 4.2
>>>>> features but not labeling?
>>>>
>>>> We'll cross that bridge when we come to it, maybe by adding some new
>>>> global paramater.
>>>>
>>>> There's no reason this really needs to be per-export, is there?
>>>>
>>>> --b.
>>>
>>> At the moment I can't really think of a reason to have it be
>>> per-export. I think we need a new LSM patch though to determine if the
>>> LSM supports labeling over NFS unless Steve can think of a better way
>>> to tell if the LSM supports labeling.
>>
>> If the LSM has a secid_to_secctx hook it supports labeling.
>> Today that's SELinux and Smack. You already have support in
>> for SELinux, and providing Smack's review and possibly updates
>> is #2 on my gotta do list. On the whole, I think that, except
>> for the fundamental philosophical difference between label
>> support and xattr support, it should be a simple matter to
>> get support in for any LSM that has secid_to_secctx.
>>
>> But I'm still working on the review.
>>
>
> I believe SMACK already works out of the box since we abstracted the
> call to obtain labels and your implementation currently works.

I'm looking to do a little verification. I hate assuming that something
will work only to discover otherwise in the wild.

> The call that is needed is not secid_to_secctx but inode_getsecctx.

I was pointing out that secid_to_secctx pretty well defines that the LSM
is using labels.

> You asked for this because SMACK labels can span multiple xattrs. I
> don't think its right to expect NFS to poke around the security
> structure to check if there is a valid hook(and it isn't really
> possible either).

Yeah, I can see that.

> Maybe we can have an LSM hook where the LSM categorizes itself and
> returns a value and if the value it returns is label based then NFS
> can use it.

I'm not sure what the proposed hook would be for except to identify it
as concerned with nfs. Perhaps the hook could return the names of
attributes that it wants nfs to provide.


>
>>>
>>>
>>>>
>>>>> I'll switch it over if you guys want it
>>>>> done that way, I think though that this provides more flexibility.
>>>>> Although anything that makes me carry around fewer patches is good
>>>>> in my book.
>>>>>
>>>>> Dave
>>>
>>> -- 
>>> To unsubscribe from this list: send the line "unsubscribe
>>> linux-security-module" in
>>> the body of a message to majordomo@vger.kernel.org
>>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>>
>>
>>
>> -- 
>> This message was distributed to subscribers of the selinux mailing list.
>> If you no longer wish to subscribe, send mail to
>> majordomo@tycho.nsa.gov with
>> the words "unsubscribe selinux" without quotes as the message.
>
>

Re: Labeled NFS [v5]

[Casey Schaufler]

On 11/15/2012 12:28 PM, David Quigley wrote:
> On 11/15/2012 11:00, Casey Schaufler wrote:
>> On 11/14/2012 6:30 AM, David Quigley wrote:
>>> On 11/14/2012 09:24, J. Bruce Fields wrote:
>>>> On Wed, Nov 14, 2012 at 09:04:18AM -0500, David Quigley wrote:
>>>>> On 11/14/2012 08:59, J. Bruce Fields wrote:
>>>>> >On Wed, Nov 14, 2012 at 08:50:17AM -0500, David Quigley wrote:
>>>>> >>On 11/14/2012 08:45, J. Bruce Fields wrote:
>>>>> >>>On Tue, Nov 13, 2012 at 11:32:53PM -0500, Dave Quigley wrote:
>>>>> >>>>Ok so if you go to http://www.selinuxproject.org/git you will
>>>>> >>see a
>>>>> >>>>repo for lnfs and lnfs-patchset. The instructions at
>>>>> >>>>http://www.selinuxproject.org/page/Labeled_NFS give you a better
>>>>> >>>>indication on how to pull the trees. I've attached a patch for
>>>>> NFS
>>>>> >>>>utils which gives support for security_label/nosecurity_label in
>>>>> >>>>your /etc/exports file.
>>>>> >>>
>>>>> >>>Do we need an export option?  Is there any reason not to make the
>>>>> >>>feature available whenever there's support available for it?
>>>>> >>
>>>>> >>I guess we could build it in but I figured an export option allowed
>>>>> >>someone to turn off security labeling support if they didn't
>>>>> want it
>>>>> >>on that export. What happens to clients when the server returns a
>>>>> >>cap that they don't support? Do they mask the bits out?
>>>>> >
>>>>> >Yeah, they should just ignore it.
>>>>> >
>>>>> >While this is still experimental it's still nice to have a way to
>>>>> >turn
>>>>> >this on and off at runtime so people can experiment without
>>>>> having to
>>>>> >have it on for everyone all the time.  But
>>>>> >nfsd_supported_minorversion
>>>>> >should be sufficient for that.
>>>>> >
>>>>> >(I don't think your patches actually dealt yet with the fact that
>>>>> >this
>>>>> >is part of minor version 2?  Another for the todo list.)
>>>>> >
>>>>> >--b.
>>>>>
>>>>> If we use nfsd_supported_minorversion which I'm guessing is an
>>>>> export option
>>>>
>>>> That's just a variable in the code.  It's controlled by
>>>> /proc/fs/nfsd/versions.
>>>>
>>>>> what happens if someone wants to use other 4.2
>>>>> features but not labeling?
>>>>
>>>> We'll cross that bridge when we come to it, maybe by adding some new
>>>> global paramater.
>>>>
>>>> There's no reason this really needs to be per-export, is there?
>>>>
>>>> --b.
>>>
>>> At the moment I can't really think of a reason to have it be
>>> per-export. I think we need a new LSM patch though to determine if the
>>> LSM supports labeling over NFS unless Steve can think of a better way
>>> to tell if the LSM supports labeling.
>>
>> If the LSM has a secid_to_secctx hook it supports labeling.
>> Today that's SELinux and Smack. You already have support in
>> for SELinux, and providing Smack's review and possibly updates
>> is #2 on my gotta do list. On the whole, I think that, except
>> for the fundamental philosophical difference between label
>> support and xattr support, it should be a simple matter to
>> get support in for any LSM that has secid_to_secctx.
>>
>> But I'm still working on the review.
>>
>
> I believe SMACK already works out of the box since we abstracted the
> call to obtain labels and your implementation currently works.

I'm looking to do a little verification. I hate assuming that something
will work only to discover otherwise in the wild.

> The call that is needed is not secid_to_secctx but inode_getsecctx.

I was pointing out that secid_to_secctx pretty well defines that the LSM
is using labels.

> You asked for this because SMACK labels can span multiple xattrs. I
> don't think its right to expect NFS to poke around the security
> structure to check if there is a valid hook(and it isn't really
> possible either).

Yeah, I can see that.

> Maybe we can have an LSM hook where the LSM categorizes itself and
> returns a value and if the value it returns is label based then NFS
> can use it.

I'm not sure what the proposed hook would be for except to identify it
as concerned with nfs. Perhaps the hook could return the names of
attributes that it wants nfs to provide.


>
>>>
>>>
>>>>
>>>>> I'll switch it over if you guys want it
>>>>> done that way, I think though that this provides more flexibility.
>>>>> Although anything that makes me carry around fewer patches is good
>>>>> in my book.
>>>>>
>>>>> Dave
>>>
>>> -- 
>>> To unsubscribe from this list: send the line "unsubscribe
>>> linux-security-module" in
>>> the body of a message to majordomo@vger.kernel.org
>>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>>
>>
>>
>> -- 
>> This message was distributed to subscribers of the selinux mailing list.
>> If you no longer wish to subscribe, send mail to
>> majordomo@tycho.nsa.gov with
>> the words "unsubscribe selinux" without quotes as the message.
>
>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Labeled NFS [v5]

[David Quigley]

On 11/15/2012 22:34, Casey Schaufler wrote:
> On 11/15/2012 12:28 PM, David Quigley wrote:
>> On 11/15/2012 11:00, Casey Schaufler wrote:
>>> On 11/14/2012 6:30 AM, David Quigley wrote:
>>>> On 11/14/2012 09:24, J. Bruce Fields wrote:
>>>>> On Wed, Nov 14, 2012 at 09:04:18AM -0500, David Quigley wrote:
>>>>>> On 11/14/2012 08:59, J. Bruce Fields wrote:
>>>>>> >On Wed, Nov 14, 2012 at 08:50:17AM -0500, David Quigley wrote:
>>>>>> >>On 11/14/2012 08:45, J. Bruce Fields wrote:
>>>>>> >>>On Tue, Nov 13, 2012 at 11:32:53PM -0500, Dave Quigley wrote:
>>>>>> >>>>Ok so if you go to http://www.selinuxproject.org/git you 
>>>>>> will
>>>>>> >>see a
>>>>>> >>>>repo for lnfs and lnfs-patchset. The instructions at
>>>>>> >>>>http://www.selinuxproject.org/page/Labeled_NFS give you a 
>>>>>> better
>>>>>> >>>>indication on how to pull the trees. I've attached a patch 
>>>>>> for
>>>>>> NFS
>>>>>> >>>>utils which gives support for 
>>>>>> security_label/nosecurity_label in
>>>>>> >>>>your /etc/exports file.
>>>>>> >>>
>>>>>> >>>Do we need an export option?  Is there any reason not to make 
>>>>>> the
>>>>>> >>>feature available whenever there's support available for it?
>>>>>> >>
>>>>>> >>I guess we could build it in but I figured an export option 
>>>>>> allowed
>>>>>> >>someone to turn off security labeling support if they didn't
>>>>>> want it
>>>>>> >>on that export. What happens to clients when the server 
>>>>>> returns a
>>>>>> >>cap that they don't support? Do they mask the bits out?
>>>>>> >
>>>>>> >Yeah, they should just ignore it.
>>>>>> >
>>>>>> >While this is still experimental it's still nice to have a way 
>>>>>> to
>>>>>> >turn
>>>>>> >this on and off at runtime so people can experiment without
>>>>>> having to
>>>>>> >have it on for everyone all the time.  But
>>>>>> >nfsd_supported_minorversion
>>>>>> >should be sufficient for that.
>>>>>> >
>>>>>> >(I don't think your patches actually dealt yet with the fact 
>>>>>> that
>>>>>> >this
>>>>>> >is part of minor version 2?  Another for the todo list.)
>>>>>> >
>>>>>> >--b.
>>>>>>
>>>>>> If we use nfsd_supported_minorversion which I'm guessing is an
>>>>>> export option
>>>>>
>>>>> That's just a variable in the code.  It's controlled by
>>>>> /proc/fs/nfsd/versions.
>>>>>
>>>>>> what happens if someone wants to use other 4.2
>>>>>> features but not labeling?
>>>>>
>>>>> We'll cross that bridge when we come to it, maybe by adding some 
>>>>> new
>>>>> global paramater.
>>>>>
>>>>> There's no reason this really needs to be per-export, is there?
>>>>>
>>>>> --b.
>>>>
>>>> At the moment I can't really think of a reason to have it be
>>>> per-export. I think we need a new LSM patch though to determine if 
>>>> the
>>>> LSM supports labeling over NFS unless Steve can think of a better 
>>>> way
>>>> to tell if the LSM supports labeling.
>>>
>>> If the LSM has a secid_to_secctx hook it supports labeling.
>>> Today that's SELinux and Smack. You already have support in
>>> for SELinux, and providing Smack's review and possibly updates
>>> is #2 on my gotta do list. On the whole, I think that, except
>>> for the fundamental philosophical difference between label
>>> support and xattr support, it should be a simple matter to
>>> get support in for any LSM that has secid_to_secctx.
>>>
>>> But I'm still working on the review.
>>>
>>
>> I believe SMACK already works out of the box since we abstracted the
>> call to obtain labels and your implementation currently works.
>
> I'm looking to do a little verification. I hate assuming that 
> something
> will work only to discover otherwise in the wild.
>
>> The call that is needed is not secid_to_secctx but inode_getsecctx.
>
> I was pointing out that secid_to_secctx pretty well defines that the 
> LSM
> is using labels.
>
>> You asked for this because SMACK labels can span multiple xattrs. I
>> don't think its right to expect NFS to poke around the security
>> structure to check if there is a valid hook(and it isn't really
>> possible either).
>
> Yeah, I can see that.
>
>> Maybe we can have an LSM hook where the LSM categorizes itself and
>> returns a value and if the value it returns is label based then NFS
>> can use it.
>
> I'm not sure what the proposed hook would be for except to identify 
> it
> as concerned with nfs. Perhaps the hook could return the names of
> attributes that it wants nfs to provide.
>

I'm not quite sure what you're proposing? I'm sure someone would find 
another use for this hook though. The inode_getsecctx hook we made for 
Labeled NFS was already merged because it was needed for providing 
"persistent" label support for sysfs (meaning that it persisted inode 
eviction from memory). The problem is that we have no real way to ask in 
the NFS code if this is an LSM that can be used with Labeled NFS. In the 
xattr code we have the new ismaclabel hook we add which allows us to 
verify the xattr used as belonging to a label based LSM however we need 
an xattr from userspace for that. The reason this is required is that 
the server will need to fill out its capability mask to indicate it 
supports security labeling. In addition the client also needs to know if 
its running a security label based LSM because it will need to mask out 
the label fattr bit from its getattr calls if it doesn't support it. We 
can override this in SELinux by giving it a context mount but if we 
don't then it will need to know whether or not to be pulling security 
labels back.

Re: Labeled NFS [v5]

[David Quigley]

On 11/15/2012 22:34, Casey Schaufler wrote:
> On 11/15/2012 12:28 PM, David Quigley wrote:
>> On 11/15/2012 11:00, Casey Schaufler wrote:
>>> On 11/14/2012 6:30 AM, David Quigley wrote:
>>>> On 11/14/2012 09:24, J. Bruce Fields wrote:
>>>>> On Wed, Nov 14, 2012 at 09:04:18AM -0500, David Quigley wrote:
>>>>>> On 11/14/2012 08:59, J. Bruce Fields wrote:
>>>>>> >On Wed, Nov 14, 2012 at 08:50:17AM -0500, David Quigley wrote:
>>>>>> >>On 11/14/2012 08:45, J. Bruce Fields wrote:
>>>>>> >>>On Tue, Nov 13, 2012 at 11:32:53PM -0500, Dave Quigley wrote:
>>>>>> >>>>Ok so if you go to http://www.selinuxproject.org/git you 
>>>>>> will
>>>>>> >>see a
>>>>>> >>>>repo for lnfs and lnfs-patchset. The instructions at
>>>>>> >>>>http://www.selinuxproject.org/page/Labeled_NFS give you a 
>>>>>> better
>>>>>> >>>>indication on how to pull the trees. I've attached a patch 
>>>>>> for
>>>>>> NFS
>>>>>> >>>>utils which gives support for 
>>>>>> security_label/nosecurity_label in
>>>>>> >>>>your /etc/exports file.
>>>>>> >>>
>>>>>> >>>Do we need an export option?  Is there any reason not to make 
>>>>>> the
>>>>>> >>>feature available whenever there's support available for it?
>>>>>> >>
>>>>>> >>I guess we could build it in but I figured an export option 
>>>>>> allowed
>>>>>> >>someone to turn off security labeling support if they didn't
>>>>>> want it
>>>>>> >>on that export. What happens to clients when the server 
>>>>>> returns a
>>>>>> >>cap that they don't support? Do they mask the bits out?
>>>>>> >
>>>>>> >Yeah, they should just ignore it.
>>>>>> >
>>>>>> >While this is still experimental it's still nice to have a way 
>>>>>> to
>>>>>> >turn
>>>>>> >this on and off at runtime so people can experiment without
>>>>>> having to
>>>>>> >have it on for everyone all the time.  But
>>>>>> >nfsd_supported_minorversion
>>>>>> >should be sufficient for that.
>>>>>> >
>>>>>> >(I don't think your patches actually dealt yet with the fact 
>>>>>> that
>>>>>> >this
>>>>>> >is part of minor version 2?  Another for the todo list.)
>>>>>> >
>>>>>> >--b.
>>>>>>
>>>>>> If we use nfsd_supported_minorversion which I'm guessing is an
>>>>>> export option
>>>>>
>>>>> That's just a variable in the code.  It's controlled by
>>>>> /proc/fs/nfsd/versions.
>>>>>
>>>>>> what happens if someone wants to use other 4.2
>>>>>> features but not labeling?
>>>>>
>>>>> We'll cross that bridge when we come to it, maybe by adding some 
>>>>> new
>>>>> global paramater.
>>>>>
>>>>> There's no reason this really needs to be per-export, is there?
>>>>>
>>>>> --b.
>>>>
>>>> At the moment I can't really think of a reason to have it be
>>>> per-export. I think we need a new LSM patch though to determine if 
>>>> the
>>>> LSM supports labeling over NFS unless Steve can think of a better 
>>>> way
>>>> to tell if the LSM supports labeling.
>>>
>>> If the LSM has a secid_to_secctx hook it supports labeling.
>>> Today that's SELinux and Smack. You already have support in
>>> for SELinux, and providing Smack's review and possibly updates
>>> is #2 on my gotta do list. On the whole, I think that, except
>>> for the fundamental philosophical difference between label
>>> support and xattr support, it should be a simple matter to
>>> get support in for any LSM that has secid_to_secctx.
>>>
>>> But I'm still working on the review.
>>>
>>
>> I believe SMACK already works out of the box since we abstracted the
>> call to obtain labels and your implementation currently works.
>
> I'm looking to do a little verification. I hate assuming that 
> something
> will work only to discover otherwise in the wild.
>
>> The call that is needed is not secid_to_secctx but inode_getsecctx.
>
> I was pointing out that secid_to_secctx pretty well defines that the 
> LSM
> is using labels.
>
>> You asked for this because SMACK labels can span multiple xattrs. I
>> don't think its right to expect NFS to poke around the security
>> structure to check if there is a valid hook(and it isn't really
>> possible either).
>
> Yeah, I can see that.
>
>> Maybe we can have an LSM hook where the LSM categorizes itself and
>> returns a value and if the value it returns is label based then NFS
>> can use it.
>
> I'm not sure what the proposed hook would be for except to identify 
> it
> as concerned with nfs. Perhaps the hook could return the names of
> attributes that it wants nfs to provide.
>

I'm not quite sure what you're proposing? I'm sure someone would find 
another use for this hook though. The inode_getsecctx hook we made for 
Labeled NFS was already merged because it was needed for providing 
"persistent" label support for sysfs (meaning that it persisted inode 
eviction from memory). The problem is that we have no real way to ask in 
the NFS code if this is an LSM that can be used with Labeled NFS. In the 
xattr code we have the new ismaclabel hook we add which allows us to 
verify the xattr used as belonging to a label based LSM however we need 
an xattr from userspace for that. The reason this is required is that 
the server will need to fill out its capability mask to indicate it 
supports security labeling. In addition the client also needs to know if 
its running a security label based LSM because it will need to mask out 
the label fattr bit from its getattr calls if it doesn't support it. We 
can override this in SELinux by giving it a context mount but if we 
don't then it will need to know whether or not to be pulling security 
labels back.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Labeled NFS [v5]

[Dave Quigley]

>> I'm not sure what the proposed hook would be for except to identify it
>> as concerned with nfs. Perhaps the hook could return the names of
>> attributes that it wants nfs to provide.
>>
>
> I'm not quite sure what you're proposing? I'm sure someone would find
> another use for this hook though. The inode_getsecctx hook we made for
> Labeled NFS was already merged because it was needed for providing
> "persistent" label support for sysfs (meaning that it persisted inode
> eviction from memory). The problem is that we have no real way to ask in
> the NFS code if this is an LSM that can be used with Labeled NFS. In the
> xattr code we have the new ismaclabel hook we add which allows us to
> verify the xattr used as belonging to a label based LSM however we need
> an xattr from userspace for that. The reason this is required is that
> the server will need to fill out its capability mask to indicate it
> supports security labeling. In addition the client also needs to know if
> its running a security label based LSM because it will need to mask out
> the label fattr bit from its getattr calls if it doesn't support it. We
> can override this in SELinux by giving it a context mount but if we
> don't then it will need to know whether or not to be pulling security
> labels back.
>


I think the point I'm trying to make is that we need to define the 
interface which if you implement it you are supported. For label 
import/export we have inode_{get,set,notify}secctx. For checking for 
xattr suitibility we have the new ismaclabel lsm call. Now the final 
thing we need to do is a call to determine if the lsm is suitable for 
Labeled NFS export meaning that it agrees to the semantics. Is 
inode{get,set,notify}_secctx and ismaclabel sufficient? I'm tempted to 
say we can make a call to inode_getsecctx and if it failes with 
EOPNOTSUPP we say we don't support it but then we need an initial file 
to call that on. This is why I'd rather have a LSM call that we can make 
that gives us a yes/no answer.

Dave

Re: Labeled NFS [v5]

[Dave Quigley]

>> I'm not sure what the proposed hook would be for except to identify it
>> as concerned with nfs. Perhaps the hook could return the names of
>> attributes that it wants nfs to provide.
>>
>
> I'm not quite sure what you're proposing? I'm sure someone would find
> another use for this hook though. The inode_getsecctx hook we made for
> Labeled NFS was already merged because it was needed for providing
> "persistent" label support for sysfs (meaning that it persisted inode
> eviction from memory). The problem is that we have no real way to ask in
> the NFS code if this is an LSM that can be used with Labeled NFS. In the
> xattr code we have the new ismaclabel hook we add which allows us to
> verify the xattr used as belonging to a label based LSM however we need
> an xattr from userspace for that. The reason this is required is that
> the server will need to fill out its capability mask to indicate it
> supports security labeling. In addition the client also needs to know if
> its running a security label based LSM because it will need to mask out
> the label fattr bit from its getattr calls if it doesn't support it. We
> can override this in SELinux by giving it a context mount but if we
> don't then it will need to know whether or not to be pulling security
> labels back.
>


I think the point I'm trying to make is that we need to define the 
interface which if you implement it you are supported. For label 
import/export we have inode_{get,set,notify}secctx. For checking for 
xattr suitibility we have the new ismaclabel lsm call. Now the final 
thing we need to do is a call to determine if the lsm is suitable for 
Labeled NFS export meaning that it agrees to the semantics. Is 
inode{get,set,notify}_secctx and ismaclabel sufficient? I'm tempted to 
say we can make a call to inode_getsecctx and if it failes with 
EOPNOTSUPP we say we don't support it but then we need an initial file 
to call that on. This is why I'd rather have a LSM call that we can make 
that gives us a yes/no answer.

Dave


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Labeled NFS [v5]

[Dave Quigley]

 >> I'm not sure what the proposed hook would be for except to identify it
 >> as concerned with nfs. Perhaps the hook could return the names of
 >> attributes that it wants nfs to provide.
 >>
 >
 > I'm not quite sure what you're proposing? I'm sure someone would find
 > another use for this hook though. The inode_getsecctx hook we made for
 > Labeled NFS was already merged because it was needed for providing
 > "persistent" label support for sysfs (meaning that it persisted inode
 > eviction from memory). The problem is that we have no real way to ask in
 > the NFS code if this is an LSM that can be used with Labeled NFS. In the
 > xattr code we have the new ismaclabel hook we add which allows us to
 > verify the xattr used as belonging to a label based LSM however we need
 > an xattr from userspace for that. The reason this is required is that
 > the server will need to fill out its capability mask to indicate it
 > supports security labeling. In addition the client also needs to know if
 > its running a security label based LSM because it will need to mask out
 > the label fattr bit from its getattr calls if it doesn't support it. We
 > can override this in SELinux by giving it a context mount but if we
 > don't then it will need to know whether or not to be pulling security
 > labels back.
 >

[Resending because I sent it from the wrong identity.]

I think the point I'm trying to make is that we need to define the 
interface which if you implement it you are supported. For label 
import/export we have inode_{get,set,notify}secctx. For checking for 
xattr suitibility we have the new ismaclabel lsm call. Now the final 
thing we need to do is a call to determine if the lsm is suitable for 
Labeled NFS export meaning that it agrees to the semantics. Is 
inode{get,set,notify}_secctx and ismaclabel sufficient? I'm tempted to 
say we can make a call to inode_getsecctx and if it failes with 
EOPNOTSUPP we say we don't support it but then we need an initial file 
to call that on. This is why I'd rather have a LSM call that we can make 
that gives us a yes/no answer.

Dave

Re: Labeled NFS [v5]

[Dave Quigley]

 >> I'm not sure what the proposed hook would be for except to identify it
 >> as concerned with nfs. Perhaps the hook could return the names of
 >> attributes that it wants nfs to provide.
 >>
 >
 > I'm not quite sure what you're proposing? I'm sure someone would find
 > another use for this hook though. The inode_getsecctx hook we made for
 > Labeled NFS was already merged because it was needed for providing
 > "persistent" label support for sysfs (meaning that it persisted inode
 > eviction from memory). The problem is that we have no real way to ask in
 > the NFS code if this is an LSM that can be used with Labeled NFS. In the
 > xattr code we have the new ismaclabel hook we add which allows us to
 > verify the xattr used as belonging to a label based LSM however we need
 > an xattr from userspace for that. The reason this is required is that
 > the server will need to fill out its capability mask to indicate it
 > supports security labeling. In addition the client also needs to know if
 > its running a security label based LSM because it will need to mask out
 > the label fattr bit from its getattr calls if it doesn't support it. We
 > can override this in SELinux by giving it a context mount but if we
 > don't then it will need to know whether or not to be pulling security
 > labels back.
 >

[Resending because I sent it from the wrong identity.]

I think the point I'm trying to make is that we need to define the 
interface which if you implement it you are supported. For label 
import/export we have inode_{get,set,notify}secctx. For checking for 
xattr suitibility we have the new ismaclabel lsm call. Now the final 
thing we need to do is a call to determine if the lsm is suitable for 
Labeled NFS export meaning that it agrees to the semantics. Is 
inode{get,set,notify}_secctx and ismaclabel sufficient? I'm tempted to 
say we can make a call to inode_getsecctx and if it failes with 
EOPNOTSUPP we say we don't support it but then we need an initial file 
to call that on. This is why I'd rather have a LSM call that we can make 
that gives us a yes/no answer.

Dave


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Labeled NFS [v5]

[David Quigley]

On 11/13/2012 23:32, Dave Quigley wrote:
> On 11/13/2012 7:55 AM, Steve Dickson wrote:
>>
>>
>> On 12/11/12 20:39, Dave Quigley wrote:
>>> If you're ok with non Fedora kernel images I can try to put up a 
>>> tree either tonight or tomorrow with the patches that you just need 
>>> to build and install. That plus the one patch for nfs-utils should 
>>> make everything work.
>> I'm good with that....
>>
>> steved.
>>
>
> Ok so if you go to http://www.selinuxproject.org/git you will see a
> repo for lnfs and lnfs-patchset. The instructions at
> http://www.selinuxproject.org/page/Labeled_NFS give you a better
> indication on how to pull the trees. I've attached a patch for NFS
> utils which gives support for security_label/nosecurity_label in your
> /etc/exports file. I've also attached a script called setup which
> should build a test directory called /export with a copy of /var/www
> under it which should be labeled properly. It does all the proper
> SELinux commands to make sure labeling is correct. Once you have that
> setup just mount -t nfs localhost:/ /mnt/lnfs (or wherever you want)
> and you should be good to go. Just ls -Z in /mnt/lnfs/var and check 
> to
> make sure the labels are the same as /export/var. It should have the
> labels showing up in the network transfer. If you have any problems
> just let me know and I can try to help figure them out.
>
> Dave

If you want to run the testsuite we used Serge has a repo on the git 
page above for the selinux-testsuite. Just copy it onto the nfs export 
and follow the instructions in the readme.

Re: Labeled NFS [v5]

[David Quigley]

On 11/13/2012 23:32, Dave Quigley wrote:
> On 11/13/2012 7:55 AM, Steve Dickson wrote:
>>
>>
>> On 12/11/12 20:39, Dave Quigley wrote:
>>> If you're ok with non Fedora kernel images I can try to put up a 
>>> tree either tonight or tomorrow with the patches that you just need 
>>> to build and install. That plus the one patch for nfs-utils should 
>>> make everything work.
>> I'm good with that....
>>
>> steved.
>>
>
> Ok so if you go to http://www.selinuxproject.org/git you will see a
> repo for lnfs and lnfs-patchset. The instructions at
> http://www.selinuxproject.org/page/Labeled_NFS give you a better
> indication on how to pull the trees. I've attached a patch for NFS
> utils which gives support for security_label/nosecurity_label in your
> /etc/exports file. I've also attached a script called setup which
> should build a test directory called /export with a copy of /var/www
> under it which should be labeled properly. It does all the proper
> SELinux commands to make sure labeling is correct. Once you have that
> setup just mount -t nfs localhost:/ /mnt/lnfs (or wherever you want)
> and you should be good to go. Just ls -Z in /mnt/lnfs/var and check 
> to
> make sure the labels are the same as /export/var. It should have the
> labels showing up in the network transfer. If you have any problems
> just let me know and I can try to help figure them out.
>
> Dave

If you want to run the testsuite we used Serge has a repo on the git 
page above for the selinux-testsuite. Just copy it onto the nfs export 
and follow the instructions in the readme.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Labeled NFS [v5]

[J. Bruce Fields]

On Mon, Nov 12, 2012 at 01:15:34AM -0500, David Quigley wrote:
> The NFSv4 working group has finally accepted Labeled NFS as part of the NFSv4.2
> specification and it has been decided that a reposting of the Labeled NFS code
> for inclusion into mainline was a good idea. The patches have been rebased onto
> v3.7-rc2 and have been tested against the SELinux testsuite with the only
> failures being for features not supported by NFS.

This will still need support for FATTR4_CHANGE_SEC_LABEL.

--b.

Re: Labeled NFS [v5]

[Dave Quigley]

On 11/12/2012 11:33 AM, J. Bruce Fields wrote:
> On Mon, Nov 12, 2012 at 01:15:34AM -0500, David Quigley wrote:
>> The NFSv4 working group has finally accepted Labeled NFS as part of the NFSv4.2
>> specification and it has been decided that a reposting of the Labeled NFS code
>> for inclusion into mainline was a good idea. The patches have been rebased onto
>> v3.7-rc2 and have been tested against the SELinux testsuite with the only
>> failures being for features not supported by NFS.
>
> This will still need support for FATTR4_CHANGE_SEC_LABEL.
>
> --b.
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

That's true. At the time we didn't have FATTR4_CHANGE_SEC_LABEL so it 
wasn't implemented. This should be a good start at Labeled NFS support 
but will take more work.

Re: Labeled NFS [v5]

[Dave Quigley]

On 11/12/2012 11:33 AM, J. Bruce Fields wrote:
> On Mon, Nov 12, 2012 at 01:15:34AM -0500, David Quigley wrote:
>> The NFSv4 working group has finally accepted Labeled NFS as part of the NFSv4.2
>> specification and it has been decided that a reposting of the Labeled NFS code
>> for inclusion into mainline was a good idea. The patches have been rebased onto
>> v3.7-rc2 and have been tested against the SELinux testsuite with the only
>> failures being for features not supported by NFS.
>
> This will still need support for FATTR4_CHANGE_SEC_LABEL.
>
> --b.
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

That's true. At the time we didn't have FATTR4_CHANGE_SEC_LABEL so it 
wasn't implemented. This should be a good start at Labeled NFS support 
but will take more work.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Labeled NFS [v5]

[Casey Schaufler]

On 11/11/2012 10:15 PM, David Quigley wrote:
> The NFSv4 working group has finally accepted Labeled NFS as part of the NFSv4.2
> specification and it has been decided that a reposting of the Labeled NFS code
> for inclusion into mainline was a good idea. The patches have been rebased onto
> v3.7-rc2 and have been tested against the SELinux testsuite with the only
> failures being for features not supported by NFS.

It's going to take a few days (I'm traveling among other issues)
before I can have the Smack project comments ready. They are coming.

If you have pointers to test suites you found especially helpful
I could sure use them.

Thank you.

Re: Labeled NFS [v5]

[Casey Schaufler]

On 11/11/2012 10:15 PM, David Quigley wrote:
> The NFSv4 working group has finally accepted Labeled NFS as part of the NFSv4.2
> specification and it has been decided that a reposting of the Labeled NFS code
> for inclusion into mainline was a good idea. The patches have been rebased onto
> v3.7-rc2 and have been tested against the SELinux testsuite with the only
> failures being for features not supported by NFS.

It's going to take a few days (I'm traveling among other issues)
before I can have the Smack project comments ready. They are coming.

If you have pointers to test suites you found especially helpful
I could sure use them.

Thank you.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Labeled NFS [v5]

[Dave Quigley]

On 11/12/2012 5:23 PM, Casey Schaufler wrote:
> On 11/11/2012 10:15 PM, David Quigley wrote:
>> The NFSv4 working group has finally accepted Labeled NFS as part of the NFSv4.2
>> specification and it has been decided that a reposting of the Labeled NFS code
>> for inclusion into mainline was a good idea. The patches have been rebased onto
>> v3.7-rc2 and have been tested against the SELinux testsuite with the only
>> failures being for features not supported by NFS.
>
> It's going to take a few days (I'm traveling among other issues)
> before I can have the Smack project comments ready. They are coming.
>
> If you have pointers to test suites you found especially helpful
> I could sure use them.
>
> Thank you.
>

The only testsuite I have is the SELinux one. Unfortunately you're on 
your own for a smack testsuite.

Re: Labeled NFS [v5]

[Dave Quigley]

On 11/12/2012 5:23 PM, Casey Schaufler wrote:
> On 11/11/2012 10:15 PM, David Quigley wrote:
>> The NFSv4 working group has finally accepted Labeled NFS as part of the NFSv4.2
>> specification and it has been decided that a reposting of the Labeled NFS code
>> for inclusion into mainline was a good idea. The patches have been rebased onto
>> v3.7-rc2 and have been tested against the SELinux testsuite with the only
>> failures being for features not supported by NFS.
>
> It's going to take a few days (I'm traveling among other issues)
> before I can have the Smack project comments ready. They are coming.
>
> If you have pointers to test suites you found especially helpful
> I could sure use them.
>
> Thank you.
>

The only testsuite I have is the SELinux one. Unfortunately you're on 
your own for a smack testsuite.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Labeled NFS [v5]

[Casey Schaufler]

On 11/11/2012 10:15 PM, David Quigley wrote:
> The NFSv4 working group has finally accepted Labeled NFS as part of the NFSv4.2
> specification and it has been decided that a reposting of the Labeled NFS code
> for inclusion into mainline was a good idea. The patches have been rebased onto
> v3.7-rc2 and have been tested against the SELinux testsuite with the only
> failures being for features not supported by NFS.

I'm trying to get the user space tools built so that I can
do Smack testing. The instructions on selinuxproject.org
seen out of date with regard to the packages required to
build the NFS tools. I have failed to build on Fedora 17
and Ubuntu 12.04. Any pointers beyond what's on the wiki?

Thank you.


 --
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Labeled NFS [v5]

[Casey Schaufler]

On 11/11/2012 10:15 PM, David Quigley wrote:
> The NFSv4 working group has finally accepted Labeled NFS as part of the NFSv4.2
> specification and it has been decided that a reposting of the Labeled NFS code
> for inclusion into mainline was a good idea. The patches have been rebased onto
> v3.7-rc2 and have been tested against the SELinux testsuite with the only
> failures being for features not supported by NFS.

I'm trying to get the user space tools built so that I can
do Smack testing. The instructions on selinuxproject.org
seen out of date with regard to the packages required to
build the NFS tools. I have failed to build on Fedora 17
and Ubuntu 12.04. Any pointers beyond what's on the wiki?

Thank you.


 --
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Labeled NFS [v5]

[Dave Quigley]

On 11/20/2012 4:09 PM, Casey Schaufler wrote:
> On 11/11/2012 10:15 PM, David Quigley wrote:
>> The NFSv4 working group has finally accepted Labeled NFS as part of the NFSv4.2
>> specification and it has been decided that a reposting of the Labeled NFS code
>> for inclusion into mainline was a good idea. The patches have been rebased onto
>> v3.7-rc2 and have been tested against the SELinux testsuite with the only
>> failures being for features not supported by NFS.
>
> I'm trying to get the user space tools built so that I can
> do Smack testing. The instructions on selinuxproject.org
> seen out of date with regard to the packages required to
> build the NFS tools. I have failed to build on Fedora 17
> and Ubuntu 12.04. Any pointers beyond what's on the wiki?
>
> Thank you.
>
>
>   --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
>
>

There are a bunch of libs that need to be installed for it to compile 
properly. Unfortunately there are new dependencies which have been added 
since I updated the wiki last. I unfortunately don't remember what they 
are. What I did to build it last time though was to apply the one patch 
onto the latest tag from the nfs-utils tree. Unfortunately I don't have 
a clean vm on hand at the moment so I can't manually go through and list 
all the packages for you. A heavy handed approach that should still work 
is that I can give you my rpm list from my VM and then you can just make 
sure you have all the devel packages installed. Another option would be 
to grab the nfs-utils srpm for fedora 17 and just add the patch into the 
spec file. That would work too and tell you the build dependencies you 
need. I could also just try to make that for you and put the RPM up but 
that wouldn't be for a few days at the earliest.

Dave

Re: Labeled NFS [v5]

[Dave Quigley]

On 11/20/2012 4:09 PM, Casey Schaufler wrote:
> On 11/11/2012 10:15 PM, David Quigley wrote:
>> The NFSv4 working group has finally accepted Labeled NFS as part of the NFSv4.2
>> specification and it has been decided that a reposting of the Labeled NFS code
>> for inclusion into mainline was a good idea. The patches have been rebased onto
>> v3.7-rc2 and have been tested against the SELinux testsuite with the only
>> failures being for features not supported by NFS.
>
> I'm trying to get the user space tools built so that I can
> do Smack testing. The instructions on selinuxproject.org
> seen out of date with regard to the packages required to
> build the NFS tools. I have failed to build on Fedora 17
> and Ubuntu 12.04. Any pointers beyond what's on the wiki?
>
> Thank you.
>
>
>   --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
>
>

There are a bunch of libs that need to be installed for it to compile 
properly. Unfortunately there are new dependencies which have been added 
since I updated the wiki last. I unfortunately don't remember what they 
are. What I did to build it last time though was to apply the one patch 
onto the latest tag from the nfs-utils tree. Unfortunately I don't have 
a clean vm on hand at the moment so I can't manually go through and list 
all the packages for you. A heavy handed approach that should still work 
is that I can give you my rpm list from my VM and then you can just make 
sure you have all the devel packages installed. Another option would be 
to grab the nfs-utils srpm for fedora 17 and just add the patch into the 
spec file. That would work too and tell you the build dependencies you 
need. I could also just try to make that for you and put the RPM up but 
that wouldn't be for a few days at the earliest.

Dave

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Labeled NFS [v5]

[Dave Quigley]

 From the spec file these are the BuildRequires statements. I'm trying 
to build an rpm for it right now. Should be done soon.

BuildRequires: libgssglue-devel libevent-devel libcap-devel
BuildRequires: libnfsidmap-devel libtirpc-devel libblkid-devel
BuildRequires: krb5-libs >= 1.4 autoconf >= 2.57 openldap-devel >= 2.2
BuildRequires: automake, libtool, glibc-headers, device-mapper-devel
BuildRequires: krb5-devel, tcp_wrappers-devel, libmount-devel

Re: Labeled NFS [v5]

[Dave Quigley]

 From the spec file these are the BuildRequires statements. I'm trying 
to build an rpm for it right now. Should be done soon.

BuildRequires: libgssglue-devel libevent-devel libcap-devel
BuildRequires: libnfsidmap-devel libtirpc-devel libblkid-devel
BuildRequires: krb5-libs >= 1.4 autoconf >= 2.57 openldap-devel >= 2.2
BuildRequires: automake, libtool, glibc-headers, device-mapper-devel
BuildRequires: krb5-devel, tcp_wrappers-devel, libmount-devel


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Labeled NFS [v5]

[Casey Schaufler]

On 11/20/2012 4:04 PM, Dave Quigley wrote:
> On 11/20/2012 4:09 PM, Casey Schaufler wrote:
>> On 11/11/2012 10:15 PM, David Quigley wrote:
>>> The NFSv4 working group has finally accepted Labeled NFS as part of
>>> the NFSv4.2
>>> specification and it has been decided that a reposting of the
>>> Labeled NFS code
>>> for inclusion into mainline was a good idea. The patches have been
>>> rebased onto
>>> v3.7-rc2 and have been tested against the SELinux testsuite with the
>>> only
>>> failures being for features not supported by NFS.
>>
>> I'm trying to get the user space tools built so that I can
>> do Smack testing. The instructions on selinuxproject.org
>> seen out of date with regard to the packages required to
>> build the NFS tools. I have failed to build on Fedora 17
>> and Ubuntu 12.04. Any pointers beyond what's on the wiki?
>>
>> Thank you.
>>
>>
>>   --
>> This message was distributed to subscribers of the selinux mailing list.
>> If you no longer wish to subscribe, send mail to
>> majordomo@tycho.nsa.gov with
>> the words "unsubscribe selinux" without quotes as the message.
>>
>>
>
> There are a bunch of libs that need to be installed for it to compile
> properly.

Yes, indeed!

> Unfortunately there are new dependencies which have been added since I
> updated the wiki last.

I found that to be the case as well.

> unfortunately don't remember what they are.

And they're not obvious.

> What I did to build it last time though was to apply the one patch
> onto the latest tag from the nfs-utils tree.

Sound simple enough if you're building the nfs-util tree on a daily basis
I suppose. Not something that I do regularly, alas.


> Unfortunately I don't have a clean vm on hand at the moment so I can't
> manually go through and list all the packages for you. A heavy handed
> approach that should still work is that I can give you my rpm list
> from my VM and then you can just make sure you have all the devel
> packages installed.

I'd be up for that.


> Another option would be to grab the nfs-utils srpm for fedora 17 and
> just add the patch into the spec file.

Yeah. Or not.

> That would work too and tell you the build dependencies you need. I
> could also just try to make that for you and put the RPM up but that
> wouldn't be for a few days at the earliest.

That, or I could give you the instructions on how to enable and test
Smack.

Thank you.


>
> Dave
>

Re: Labeled NFS [v5]

[Casey Schaufler]

On 11/20/2012 4:04 PM, Dave Quigley wrote:
> On 11/20/2012 4:09 PM, Casey Schaufler wrote:
>> On 11/11/2012 10:15 PM, David Quigley wrote:
>>> The NFSv4 working group has finally accepted Labeled NFS as part of
>>> the NFSv4.2
>>> specification and it has been decided that a reposting of the
>>> Labeled NFS code
>>> for inclusion into mainline was a good idea. The patches have been
>>> rebased onto
>>> v3.7-rc2 and have been tested against the SELinux testsuite with the
>>> only
>>> failures being for features not supported by NFS.
>>
>> I'm trying to get the user space tools built so that I can
>> do Smack testing. The instructions on selinuxproject.org
>> seen out of date with regard to the packages required to
>> build the NFS tools. I have failed to build on Fedora 17
>> and Ubuntu 12.04. Any pointers beyond what's on the wiki?
>>
>> Thank you.
>>
>>
>>   --
>> This message was distributed to subscribers of the selinux mailing list.
>> If you no longer wish to subscribe, send mail to
>> majordomo@tycho.nsa.gov with
>> the words "unsubscribe selinux" without quotes as the message.
>>
>>
>
> There are a bunch of libs that need to be installed for it to compile
> properly.

Yes, indeed!

> Unfortunately there are new dependencies which have been added since I
> updated the wiki last.

I found that to be the case as well.

> unfortunately don't remember what they are.

And they're not obvious.

> What I did to build it last time though was to apply the one patch
> onto the latest tag from the nfs-utils tree.

Sound simple enough if you're building the nfs-util tree on a daily basis
I suppose. Not something that I do regularly, alas.


> Unfortunately I don't have a clean vm on hand at the moment so I can't
> manually go through and list all the packages for you. A heavy handed
> approach that should still work is that I can give you my rpm list
> from my VM and then you can just make sure you have all the devel
> packages installed.

I'd be up for that.


> Another option would be to grab the nfs-utils srpm for fedora 17 and
> just add the patch into the spec file.

Yeah. Or not.

> That would work too and tell you the build dependencies you need. I
> could also just try to make that for you and put the RPM up but that
> wouldn't be for a few days at the earliest.

That, or I could give you the instructions on how to enable and test
Smack.

Thank you.


>
> Dave
>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Labeled NFS [v5]

[Dave Quigley]

On 11/20/2012 7:32 PM, Casey Schaufler wrote:
> On 11/20/2012 4:04 PM, Dave Quigley wrote:
>> On 11/20/2012 4:09 PM, Casey Schaufler wrote:
>>> On 11/11/2012 10:15 PM, David Quigley wrote:
>>>> The NFSv4 working group has finally accepted Labeled NFS as part of
>>>> the NFSv4.2
>>>> specification and it has been decided that a reposting of the
>>>> Labeled NFS code
>>>> for inclusion into mainline was a good idea. The patches have been
>>>> rebased onto
>>>> v3.7-rc2 and have been tested against the SELinux testsuite with the
>>>> only
>>>> failures being for features not supported by NFS.
>>>
>>> I'm trying to get the user space tools built so that I can
>>> do Smack testing. The instructions on selinuxproject.org
>>> seen out of date with regard to the packages required to
>>> build the NFS tools. I have failed to build on Fedora 17
>>> and Ubuntu 12.04. Any pointers beyond what's on the wiki?
>>>
>>> Thank you.
>>>
>>>
>>>    --
>>> This message was distributed to subscribers of the selinux mailing list.
>>> If you no longer wish to subscribe, send mail to
>>> majordomo@tycho.nsa.gov with
>>> the words "unsubscribe selinux" without quotes as the message.
>>>
>>>
>>
>> There are a bunch of libs that need to be installed for it to compile
>> properly.
>
> Yes, indeed!
>
>> Unfortunately there are new dependencies which have been added since I
>> updated the wiki last.
>
> I found that to be the case as well.
>
>> unfortunately don't remember what they are.
>
> And they're not obvious.
>
>> What I did to build it last time though was to apply the one patch
>> onto the latest tag from the nfs-utils tree.
>
> Sound simple enough if you're building the nfs-util tree on a daily basis
> I suppose. Not something that I do regularly, alas.
>
>
>> Unfortunately I don't have a clean vm on hand at the moment so I can't
>> manually go through and list all the packages for you. A heavy handed
>> approach that should still work is that I can give you my rpm list
>> from my VM and then you can just make sure you have all the devel
>> packages installed.
>
> I'd be up for that.
>
>
>> Another option would be to grab the nfs-utils srpm for fedora 17 and
>> just add the patch into the spec file.
>
> Yeah. Or not.
>
>> That would work too and tell you the build dependencies you need. I
>> could also just try to make that for you and put the RPM up but that
>> wouldn't be for a few days at the earliest.
>
> That, or I could give you the instructions on how to enable and test
> Smack.
>
> Thank you.
>
>
>>
>> Dave
>>
>


Or I could just give you this link and you should be good to go ;)

http://www.selinuxproject.org/~dpquigl/nfs-utils-rpms/

I haven't tried it but it should work. If it doesn't let me know and 
i'll try to fix it on my end. I'd imagine you might need to yum remove 
nfs-utils first before adding this new one or you could also try an rpm 
with the upgrade flag for this instead. Good luck.

Dave

Re: Labeled NFS [v5]

[Dave Quigley]

On 11/20/2012 7:32 PM, Casey Schaufler wrote:
> On 11/20/2012 4:04 PM, Dave Quigley wrote:
>> On 11/20/2012 4:09 PM, Casey Schaufler wrote:
>>> On 11/11/2012 10:15 PM, David Quigley wrote:
>>>> The NFSv4 working group has finally accepted Labeled NFS as part of
>>>> the NFSv4.2
>>>> specification and it has been decided that a reposting of the
>>>> Labeled NFS code
>>>> for inclusion into mainline was a good idea. The patches have been
>>>> rebased onto
>>>> v3.7-rc2 and have been tested against the SELinux testsuite with the
>>>> only
>>>> failures being for features not supported by NFS.
>>>
>>> I'm trying to get the user space tools built so that I can
>>> do Smack testing. The instructions on selinuxproject.org
>>> seen out of date with regard to the packages required to
>>> build the NFS tools. I have failed to build on Fedora 17
>>> and Ubuntu 12.04. Any pointers beyond what's on the wiki?
>>>
>>> Thank you.
>>>
>>>
>>>    --
>>> This message was distributed to subscribers of the selinux mailing list.
>>> If you no longer wish to subscribe, send mail to
>>> majordomo@tycho.nsa.gov with
>>> the words "unsubscribe selinux" without quotes as the message.
>>>
>>>
>>
>> There are a bunch of libs that need to be installed for it to compile
>> properly.
>
> Yes, indeed!
>
>> Unfortunately there are new dependencies which have been added since I
>> updated the wiki last.
>
> I found that to be the case as well.
>
>> unfortunately don't remember what they are.
>
> And they're not obvious.
>
>> What I did to build it last time though was to apply the one patch
>> onto the latest tag from the nfs-utils tree.
>
> Sound simple enough if you're building the nfs-util tree on a daily basis
> I suppose. Not something that I do regularly, alas.
>
>
>> Unfortunately I don't have a clean vm on hand at the moment so I can't
>> manually go through and list all the packages for you. A heavy handed
>> approach that should still work is that I can give you my rpm list
>> from my VM and then you can just make sure you have all the devel
>> packages installed.
>
> I'd be up for that.
>
>
>> Another option would be to grab the nfs-utils srpm for fedora 17 and
>> just add the patch into the spec file.
>
> Yeah. Or not.
>
>> That would work too and tell you the build dependencies you need. I
>> could also just try to make that for you and put the RPM up but that
>> wouldn't be for a few days at the earliest.
>
> That, or I could give you the instructions on how to enable and test
> Smack.
>
> Thank you.
>
>
>>
>> Dave
>>
>


Or I could just give you this link and you should be good to go ;)

http://www.selinuxproject.org/~dpquigl/nfs-utils-rpms/

I haven't tried it but it should work. If it doesn't let me know and 
i'll try to fix it on my end. I'd imagine you might need to yum remove 
nfs-utils first before adding this new one or you could also try an rpm 
with the upgrade flag for this instead. Good luck.

Dave

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Labeled NFS [v5]

[Casey Schaufler]

On 11/20/2012 4:37 PM, Dave Quigley wrote:
> ...
>
>
> Or I could just give you this link and you should be good to go ;)
>
> http://www.selinuxproject.org/~dpquigl/nfs-utils-rpms/
>
> I haven't tried it but it should work. If it doesn't let me know and
> i'll try to fix it on my end. I'd imagine you might need to yum remove
> nfs-utils first before adding this new one or you could also try an
> rpm with the upgrade flag for this instead. Good luck.

I don't care what Eric says, you're OK with me.

The behavior is interesting with a Smack kernel:

I create an export using the recommended options (sec=unix,security_label, ...)
of /pub. Then , I create a directory sub with the floor ("_") label and a file
named Pop labeled "Pop". I mount the filesystem at /mnt.

# ls -l /mnt
ls: cannot access /mnt/Pop: Permission Denied
total 4
?????????? ? ?    ?       ?            ? Pop
drwxr-xr-x 2 root root 4096 Nov 20 17:57 sub

which is exactly correct!

Unfortunately, I get the exact same result if the process
is run with the Pop label. A process run with the Pop label
should be able to see the attributes of the file Pop.

It looks as if the basic mechanism is working, but that there
is some detail that is not working right. I will have to dig
deeper to understand what's up. Let me know if you have ideas.


>
> Dave
>
> -- 
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to
> majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
>

Re: Labeled NFS [v5]

[Casey Schaufler]

On 11/20/2012 4:37 PM, Dave Quigley wrote:
> ...
>
>
> Or I could just give you this link and you should be good to go ;)
>
> http://www.selinuxproject.org/~dpquigl/nfs-utils-rpms/
>
> I haven't tried it but it should work. If it doesn't let me know and
> i'll try to fix it on my end. I'd imagine you might need to yum remove
> nfs-utils first before adding this new one or you could also try an
> rpm with the upgrade flag for this instead. Good luck.

I don't care what Eric says, you're OK with me.

The behavior is interesting with a Smack kernel:

I create an export using the recommended options (sec=unix,security_label, ...)
of /pub. Then , I create a directory sub with the floor ("_") label and a file
named Pop labeled "Pop". I mount the filesystem at /mnt.

# ls -l /mnt
ls: cannot access /mnt/Pop: Permission Denied
total 4
?????????? ? ?    ?       ?            ? Pop
drwxr-xr-x 2 root root 4096 Nov 20 17:57 sub

which is exactly correct!

Unfortunately, I get the exact same result if the process
is run with the Pop label. A process run with the Pop label
should be able to see the attributes of the file Pop.

It looks as if the basic mechanism is working, but that there
is some detail that is not working right. I will have to dig
deeper to understand what's up. Let me know if you have ideas.


>
> Dave
>
> -- 
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to
> majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Labeled NFS [v5]

[Dave Quigley]

On 11/20/2012 9:52 PM, Casey Schaufler wrote:
> On 11/20/2012 4:37 PM, Dave Quigley wrote:
>> ...
>>
>>
>> Or I could just give you this link and you should be good to go ;)
>>
>> http://www.selinuxproject.org/~dpquigl/nfs-utils-rpms/
>>
>> I haven't tried it but it should work. If it doesn't let me know and
>> i'll try to fix it on my end. I'd imagine you might need to yum remove
>> nfs-utils first before adding this new one or you could also try an
>> rpm with the upgrade flag for this instead. Good luck.
>
> I don't care what Eric says, you're OK with me.
>
> The behavior is interesting with a Smack kernel:
>
> I create an export using the recommended options (sec=unix,security_label, ...)
> of /pub. Then , I create a directory sub with the floor ("_") label and a file
> named Pop labeled "Pop". I mount the filesystem at /mnt.
>
> # ls -l /mnt
> ls: cannot access /mnt/Pop: Permission Denied
> total 4
> ?????????? ? ?    ?       ?            ? Pop
> drwxr-xr-x 2 root root 4096 Nov 20 17:57 sub
>
> which is exactly correct!
>
> Unfortunately, I get the exact same result if the process
> is run with the Pop label. A process run with the Pop label
> should be able to see the attributes of the file Pop.
>
> It looks as if the basic mechanism is working, but that there
> is some detail that is not working right. I will have to dig
> deeper to understand what's up. Let me know if you have ideas.
>
>
>>
>> Dave
>>
>> --
>> This message was distributed to subscribers of the selinux mailing list.
>> If you no longer wish to subscribe, send mail to
>> majordomo@tycho.nsa.gov with
>> the words "unsubscribe selinux" without quotes as the message.
>>
>

You might want to load up wireshark and see if the getfattr call is what 
is failing. If it is then its an issue with the interaction between 
smack and the server components. Otherwise I'm not sure you'll have to 
look in the NFS debug info to find the call that is failing. ]

Dave

Re: Labeled NFS [v5]

[Dave Quigley]

On 11/20/2012 9:52 PM, Casey Schaufler wrote:
> On 11/20/2012 4:37 PM, Dave Quigley wrote:
>> ...
>>
>>
>> Or I could just give you this link and you should be good to go ;)
>>
>> http://www.selinuxproject.org/~dpquigl/nfs-utils-rpms/
>>
>> I haven't tried it but it should work. If it doesn't let me know and
>> i'll try to fix it on my end. I'd imagine you might need to yum remove
>> nfs-utils first before adding this new one or you could also try an
>> rpm with the upgrade flag for this instead. Good luck.
>
> I don't care what Eric says, you're OK with me.
>
> The behavior is interesting with a Smack kernel:
>
> I create an export using the recommended options (sec=unix,security_label, ...)
> of /pub. Then , I create a directory sub with the floor ("_") label and a file
> named Pop labeled "Pop". I mount the filesystem at /mnt.
>
> # ls -l /mnt
> ls: cannot access /mnt/Pop: Permission Denied
> total 4
> ?????????? ? ?    ?       ?            ? Pop
> drwxr-xr-x 2 root root 4096 Nov 20 17:57 sub
>
> which is exactly correct!
>
> Unfortunately, I get the exact same result if the process
> is run with the Pop label. A process run with the Pop label
> should be able to see the attributes of the file Pop.
>
> It looks as if the basic mechanism is working, but that there
> is some detail that is not working right. I will have to dig
> deeper to understand what's up. Let me know if you have ideas.
>
>
>>
>> Dave
>>
>> --
>> This message was distributed to subscribers of the selinux mailing list.
>> If you no longer wish to subscribe, send mail to
>> majordomo@tycho.nsa.gov with
>> the words "unsubscribe selinux" without quotes as the message.
>>
>

You might want to load up wireshark and see if the getfattr call is what 
is failing. If it is then its an issue with the interaction between 
smack and the server components. Otherwise I'm not sure you'll have to 
look in the NFS debug info to find the call that is failing. ]

Dave

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Labeled NFS [v5]

[Casey Schaufler]

[-- Attachment #1: Type: text/plain, Size: 915 bytes --]

On 11/20/2012 7:28 PM, Dave Quigley wrote:
> On 11/20/2012 9:52 PM, Casey Schaufler wrote:
>> On 11/20/2012 4:37 PM, Dave Quigley wrote:
>>> ...
>>>
>>>
>>> Or I could just give you this link and you should be good to go ;)
>>>
>>> http://www.selinuxproject.org/~dpquigl/nfs-utils-rpms/
>>>
>>> I haven't tried it but it should work. If it doesn't let me know and
>>> i'll try to fix it on my end. I'd imagine you might need to yum remove
>>> nfs-utils first before adding this new one or you could also try an
>>> rpm with the upgrade flag for this instead. Good luck.
>>
...


I've tried on Fedora17 and Ubuntu12.04, and I'm getting the
attached stack trace on mount. After mounting I'm getting
denials when I should, but also when I shouldn't.

I've tried tracking down the issue, but there's a lot going on
that I don't find obvious. I added a dentry_init hook just for
grins, but it's not getting called.

.



[-- Attachment #2: nfs-trace-20121128 --]
[-- Type: text/plain, Size: 3768 bytes --]

[ 1318.360964] decode_attr_security_label(): NULL label.
[ 1318.360968] Pid: 2141, comm: mount.nfs4 Not tainted 3.7.0-rc5-nfs-cbs #7
[ 1318.360970] Call Trace:
[ 1318.360985]  [<f877ec53>] decode_getfattr_attrs+0xbb3/0xca0 [nfsv4]
[ 1318.360995]  [<f8778455>] ? decode_attr_length+0x35/0x50 [nfsv4]
[ 1318.361005]  [<f877edc1>] decode_getfattr_generic.constprop.104+0x81/0xb0 [nfsv4]
[ 1318.361033]  [<f877ee9d>] decode_getfattr+0x1d/0x30 [nfsv4]
[ 1318.361044]  [<f877f34a>] nfs4_xdr_dec_access+0x7a/0x80 [nfsv4]
[ 1318.361051]  [<c103cd98>] ? default_spin_lock_flags+0x8/0x10
[ 1318.361060]  [<f877f2d0>] ? nfs4_xdr_dec_getattr+0x60/0x60 [nfsv4]
[ 1318.361079]  [<f86eddbd>] rpcauth_unwrap_resp+0x5d/0x70 [sunrpc]
[ 1318.361084]  [<c15c2993>] ? schedule+0x23/0x60
[ 1318.361094]  [<f877f2d0>] ? nfs4_xdr_dec_getattr+0x60/0x60 [nfsv4]
[ 1318.361106]  [<f86e48e2>] call_decode+0x2c2/0x3b0 [sunrpc]
[ 1318.361116]  [<f877f2d0>] ? nfs4_xdr_dec_getattr+0x60/0x60 [nfsv4]
[ 1318.361129]  [<f86ec727>] __rpc_execute+0x57/0x250 [sunrpc]
[ 1318.361141]  [<f86e4620>] ? call_bc_transmit+0xf0/0xf0 [sunrpc]
[ 1318.361152]  [<f86e4620>] ? call_bc_transmit+0xf0/0xf0 [sunrpc]
[ 1318.361157]  [<c106a5b3>] ? wake_up_bit+0x23/0x30
[ 1318.361170]  [<f86ece84>] rpc_execute+0x34/0x80 [sunrpc]
[ 1318.361174]  [<c15c358d>] ? _raw_spin_lock+0xd/0x10
[ 1318.361186]  [<f86e5f5d>] ? rpc_task_set_client+0x5d/0x90 [sunrpc]
[ 1318.361197]  [<f86e5fe9>] rpc_run_task+0x59/0x70 [sunrpc]
[ 1318.361209]  [<f86e60fc>] rpc_call_sync+0x3c/0x60 [sunrpc]
[ 1318.361218]  [<f876e713>] _nfs4_call_sync+0x33/0x40 [nfsv4]
[ 1318.361226]  [<f87711f3>] nfs4_proc_access+0x123/0x1c0 [nfsv4]
[ 1318.361238]  [<f8717ba3>] nfs_do_access+0x163/0x200 [nfs]
[ 1318.361252]  [<f86ee522>] ? generic_lookup_cred+0x12/0x20 [sunrpc]
[ 1318.361267]  [<f86edc8e>] ? rpcauth_lookupcred+0x4e/0x70 [sunrpc]
[ 1318.361277]  [<f8717cea>] nfs_permission+0xaa/0x160 [nfs]
[ 1318.361283]  [<c1157a04>] __inode_permission+0x64/0xb0
[ 1318.361293]  [<f871aed2>] ? nfs_get_root+0xe2/0x1b0 [nfs]
[ 1318.361302]  [<f8718010>] ? nfs_instantiate+0x170/0x170 [nfs]
[ 1318.361306]  [<c1157a66>] inode_permission+0x16/0x50
[ 1318.361316]  [<f8718010>] ? nfs_instantiate+0x170/0x170 [nfs]
[ 1318.361320]  [<c115842c>] path_init+0x10c/0x3b0
[ 1318.361324]  [<c1158701>] path_lookupat+0x31/0x6a0
[ 1318.361330]  [<c125598b>] ? security_sb_set_mnt_opts+0x1b/0x30
[ 1318.361341]  [<f871fc00>] ? nfs_set_sb_security+0x40/0x70 [nfs]
[ 1318.361346]  [<c1158d9e>] filename_lookup+0x2e/0xc0
[ 1318.361350]  [<c1158ec1>] do_path_lookup+0x31/0x40
[ 1318.361354]  [<c1159071>] vfs_path_lookup+0x31/0x50
[ 1318.361358]  [<c11434ba>] ? kmem_cache_alloc_trace+0x7a/0x140
[ 1318.361361]  [<c11512f2>] ? mount_fs+0xa2/0x180
[ 1318.361366]  [<c1167641>] ? alloc_mnt_ns+0x21/0x80
[ 1318.361370]  [<c116766f>] ? alloc_mnt_ns+0x4f/0x80
[ 1318.361373]  [<c11683f8>] ? create_mnt_ns+0x18/0x60
[ 1318.361377]  [<c116a43f>] mount_subtree+0x3f/0x80
[ 1318.361388]  [<f8782f37>] ? nfs_follow_remote_path+0xc7/0x1a0 [nfsv4]
[ 1318.361398]  [<f8782f49>] nfs_follow_remote_path+0xd9/0x1a0 [nfsv4]
[ 1318.361408]  [<f87830a6>] nfs4_try_mount+0x46/0x50 [nfsv4]
[ 1318.361420]  [<f872073d>] nfs_fs_mount+0x49d/0x920 [nfs]
[ 1318.361431]  [<f8720090>] ? nfs_clone_super+0x160/0x160 [nfs]
[ 1318.361442]  [<f871fbc0>] ? nfs_compare_super+0x1b0/0x1b0 [nfs]
[ 1318.361446]  [<c1151286>] mount_fs+0x36/0x180
[ 1318.361451]  [<c112172f>] ? __alloc_percpu+0xf/0x20
[ 1318.361455]  [<c1167bce>] ? alloc_vfsmnt+0xae/0x130
[ 1318.361458]  [<c1167ce1>] vfs_kern_mount+0x51/0xc0
[ 1318.361462]  [<c116833e>] do_kern_mount+0x3e/0xe0
[ 1318.361466]  [<c11699b9>] do_mount+0x169/0x760
[ 1318.361470]  [<c116a01b>] sys_mount+0x6b/0xa0
[ 1318.361474]  [<c15c3a87>] syscall_call+0x7/0xb

Re: Labeled NFS [v5]

[Dave Quigley]

On 11/28/2012 1:57 PM, Casey Schaufler wrote:
> On 11/20/2012 7:28 PM, Dave Quigley wrote:
>> On 11/20/2012 9:52 PM, Casey Schaufler wrote:
>>> On 11/20/2012 4:37 PM, Dave Quigley wrote:
>>>> ...
>>>>
>>>>
>>>> Or I could just give you this link and you should be good to go ;)
>>>>
>>>> http://www.selinuxproject.org/~dpquigl/nfs-utils-rpms/
>>>>
>>>> I haven't tried it but it should work. If it doesn't let me know and
>>>> i'll try to fix it on my end. I'd imagine you might need to yum remove
>>>> nfs-utils first before adding this new one or you could also try an
>>>> rpm with the upgrade flag for this instead. Good luck.
>>>
> ...
>
>
> I've tried on Fedora17 and Ubuntu12.04, and I'm getting the
> attached stack trace on mount. After mounting I'm getting
> denials when I should, but also when I shouldn't.
>
> I've tried tracking down the issue, but there's a lot going on
> that I don't find obvious. I added a dentry_init hook just for
> grins, but it's not getting called.
>
> .
>
>

Any chance of you throwing a kickstart file my way that's configured 
with SMACK so I can use it for a test box (both server and client)? I 
can have the guys working with me test for SMACK as well if you provide 
an appropriate test harness and image for testing.

Dave

Re: Labeled NFS [v5]

[Dave Quigley]

On 11/28/2012 1:57 PM, Casey Schaufler wrote:
> On 11/20/2012 7:28 PM, Dave Quigley wrote:
>> On 11/20/2012 9:52 PM, Casey Schaufler wrote:
>>> On 11/20/2012 4:37 PM, Dave Quigley wrote:
>>>> ...
>>>>
>>>>
>>>> Or I could just give you this link and you should be good to go ;)
>>>>
>>>> http://www.selinuxproject.org/~dpquigl/nfs-utils-rpms/
>>>>
>>>> I haven't tried it but it should work. If it doesn't let me know and
>>>> i'll try to fix it on my end. I'd imagine you might need to yum remove
>>>> nfs-utils first before adding this new one or you could also try an
>>>> rpm with the upgrade flag for this instead. Good luck.
>>>
> ...
>
>
> I've tried on Fedora17 and Ubuntu12.04, and I'm getting the
> attached stack trace on mount. After mounting I'm getting
> denials when I should, but also when I shouldn't.
>
> I've tried tracking down the issue, but there's a lot going on
> that I don't find obvious. I added a dentry_init hook just for
> grins, but it's not getting called.
>
> .
>
>

Any chance of you throwing a kickstart file my way that's configured 
with SMACK so I can use it for a test box (both server and client)? I 
can have the guys working with me test for SMACK as well if you provide 
an appropriate test harness and image for testing.

Dave

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Labeled NFS [v5]

[Casey Schaufler]

[-- Attachment #1: Type: text/plain, Size: 1770 bytes --]

On 11/28/2012 5:14 PM, Dave Quigley wrote:
> On 11/28/2012 1:57 PM, Casey Schaufler wrote:
>> On 11/20/2012 7:28 PM, Dave Quigley wrote:
>>> On 11/20/2012 9:52 PM, Casey Schaufler wrote:
>>>> On 11/20/2012 4:37 PM, Dave Quigley wrote:
>>>>> ...
>>>>>
>>>>>
>>>>> Or I could just give you this link and you should be good to go ;)
>>>>>
>>>>> http://www.selinuxproject.org/~dpquigl/nfs-utils-rpms/
>>>>>
>>>>> I haven't tried it but it should work. If it doesn't let me know and
>>>>> i'll try to fix it on my end. I'd imagine you might need to yum
>>>>> remove
>>>>> nfs-utils first before adding this new one or you could also try an
>>>>> rpm with the upgrade flag for this instead. Good luck.
>>>>
>> ...
>>
>>
>> I've tried on Fedora17 and Ubuntu12.04, and I'm getting the
>> attached stack trace on mount. After mounting I'm getting
>> denials when I should, but also when I shouldn't.
>>
>> I've tried tracking down the issue, but there's a lot going on
>> that I don't find obvious. I added a dentry_init hook just for
>> grins, but it's not getting called.
>>
>> .
>>
>>
>
> Any chance of you throwing a kickstart file my way that's configured
> with SMACK so I can use it for a test box (both server and client)? I
> can have the guys working with me test for SMACK as well if you
> provide an appropriate test harness and image for testing.

I've attached the .config from my Fedora17 machine. Who knows, maybe
I got something wrong there. I get the error doing the test on the
loopback interface (mount -t nfs4 localhist:/ /mnt).

>
> Dave
> -- 
> To unsubscribe from this list: send the line "unsubscribe
> linux-security-module" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>


[-- Attachment #2: f17smack.config --]
[-- Type: text/plain, Size: 114157 bytes --]

#
# Automatically generated file; DO NOT EDIT.
# Linux/x86_64 3.7.0-rc6 Kernel Configuration
#
CONFIG_64BIT=y
CONFIG_X86_64=y
CONFIG_X86=y
CONFIG_INSTRUCTION_DECODER=y
CONFIG_OUTPUT_FORMAT="elf64-x86-64"
CONFIG_ARCH_DEFCONFIG="arch/x86/configs/x86_64_defconfig"
CONFIG_LOCKDEP_SUPPORT=y
CONFIG_STACKTRACE_SUPPORT=y
CONFIG_HAVE_LATENCYTOP_SUPPORT=y
CONFIG_MMU=y
CONFIG_NEED_DMA_MAP_STATE=y
CONFIG_NEED_SG_DMA_LENGTH=y
CONFIG_GENERIC_ISA_DMA=y
CONFIG_GENERIC_BUG=y
CONFIG_GENERIC_BUG_RELATIVE_POINTERS=y
CONFIG_GENERIC_HWEIGHT=y
CONFIG_ARCH_MAY_HAVE_PC_FDC=y
CONFIG_RWSEM_XCHGADD_ALGORITHM=y
CONFIG_GENERIC_CALIBRATE_DELAY=y
CONFIG_ARCH_HAS_CPU_RELAX=y
CONFIG_ARCH_HAS_DEFAULT_IDLE=y
CONFIG_ARCH_HAS_CACHE_LINE_SIZE=y
CONFIG_ARCH_HAS_CPU_AUTOPROBE=y
CONFIG_HAVE_SETUP_PER_CPU_AREA=y
CONFIG_NEED_PER_CPU_EMBED_FIRST_CHUNK=y
CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK=y
CONFIG_ARCH_HIBERNATION_POSSIBLE=y
CONFIG_ARCH_SUSPEND_POSSIBLE=y
CONFIG_ZONE_DMA32=y
CONFIG_AUDIT_ARCH=y
CONFIG_ARCH_SUPPORTS_OPTIMIZED_INLINING=y
CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y
CONFIG_HAVE_INTEL_TXT=y
CONFIG_X86_64_SMP=y
CONFIG_X86_HT=y
CONFIG_ARCH_HWEIGHT_CFLAGS="-fcall-saved-rdi -fcall-saved-rsi -fcall-saved-rdx -fcall-saved-rcx -fcall-saved-r8 -fcall-saved-r9 -fcall-saved-r10 -fcall-saved-r11"
CONFIG_ARCH_CPU_PROBE_RELEASE=y
CONFIG_ARCH_SUPPORTS_UPROBES=y
CONFIG_DEFCONFIG_LIST="/lib/modules/$UNAME_RELEASE/.config"
CONFIG_HAVE_IRQ_WORK=y
CONFIG_IRQ_WORK=y
CONFIG_BUILDTIME_EXTABLE_SORT=y

#
# General setup
#
CONFIG_EXPERIMENTAL=y
CONFIG_INIT_ENV_ARG_LIMIT=32
CONFIG_CROSS_COMPILE=""
CONFIG_LOCALVERSION="lnfs"
# CONFIG_LOCALVERSION_AUTO is not set
CONFIG_HAVE_KERNEL_GZIP=y
CONFIG_HAVE_KERNEL_BZIP2=y
CONFIG_HAVE_KERNEL_LZMA=y
CONFIG_HAVE_KERNEL_XZ=y
CONFIG_HAVE_KERNEL_LZO=y
CONFIG_KERNEL_GZIP=y
# CONFIG_KERNEL_BZIP2 is not set
# CONFIG_KERNEL_LZMA is not set
# CONFIG_KERNEL_XZ is not set
# CONFIG_KERNEL_LZO is not set
CONFIG_DEFAULT_HOSTNAME="(none)"
CONFIG_SWAP=y
CONFIG_SYSVIPC=y
CONFIG_SYSVIPC_SYSCTL=y
CONFIG_POSIX_MQUEUE=y
CONFIG_POSIX_MQUEUE_SYSCTL=y
CONFIG_FHANDLE=y
CONFIG_AUDIT=y
CONFIG_AUDITSYSCALL=y
CONFIG_AUDIT_WATCH=y
CONFIG_AUDIT_TREE=y
# CONFIG_AUDIT_LOGINUID_IMMUTABLE is not set
CONFIG_HAVE_GENERIC_HARDIRQS=y

#
# IRQ subsystem
#
CONFIG_GENERIC_HARDIRQS=y
CONFIG_GENERIC_IRQ_PROBE=y
CONFIG_GENERIC_IRQ_SHOW=y
CONFIG_GENERIC_PENDING_IRQ=y
CONFIG_IRQ_DOMAIN=y
# CONFIG_IRQ_DOMAIN_DEBUG is not set
CONFIG_IRQ_FORCED_THREADING=y
CONFIG_SPARSE_IRQ=y
CONFIG_CLOCKSOURCE_WATCHDOG=y
CONFIG_ARCH_CLOCKSOURCE_DATA=y
CONFIG_GENERIC_TIME_VSYSCALL=y
CONFIG_GENERIC_CLOCKEVENTS=y
CONFIG_GENERIC_CLOCKEVENTS_BUILD=y
CONFIG_GENERIC_CLOCKEVENTS_BROADCAST=y
CONFIG_GENERIC_CLOCKEVENTS_MIN_ADJUST=y
CONFIG_GENERIC_CMOS_UPDATE=y

#
# Timers subsystem
#
CONFIG_TICK_ONESHOT=y
CONFIG_NO_HZ=y
CONFIG_HIGH_RES_TIMERS=y

#
# CPU/Task time and stats accounting
#
# CONFIG_TICK_CPU_ACCOUNTING is not set
CONFIG_IRQ_TIME_ACCOUNTING=y
CONFIG_BSD_PROCESS_ACCT=y
CONFIG_BSD_PROCESS_ACCT_V3=y
CONFIG_TASKSTATS=y
CONFIG_TASK_DELAY_ACCT=y
CONFIG_TASK_XACCT=y
CONFIG_TASK_IO_ACCOUNTING=y

#
# RCU Subsystem
#
CONFIG_TREE_RCU=y
# CONFIG_PREEMPT_RCU is not set
# CONFIG_RCU_USER_QS is not set
CONFIG_RCU_FANOUT=64
CONFIG_RCU_FANOUT_LEAF=16
# CONFIG_RCU_FANOUT_EXACT is not set
# CONFIG_RCU_FAST_NO_HZ is not set
# CONFIG_TREE_RCU_TRACE is not set
# CONFIG_IKCONFIG is not set
CONFIG_LOG_BUF_SHIFT=18
CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y
CONFIG_CGROUPS=y
# CONFIG_CGROUP_DEBUG is not set
CONFIG_CGROUP_FREEZER=y
CONFIG_CGROUP_DEVICE=y
CONFIG_CPUSETS=y
CONFIG_PROC_PID_CPUSET=y
CONFIG_CGROUP_CPUACCT=y
CONFIG_RESOURCE_COUNTERS=y
CONFIG_MEMCG=y
CONFIG_MEMCG_SWAP=y
# CONFIG_MEMCG_SWAP_ENABLED is not set
CONFIG_MEMCG_KMEM=y
# CONFIG_CGROUP_HUGETLB is not set
CONFIG_CGROUP_PERF=y
CONFIG_CGROUP_SCHED=y
CONFIG_FAIR_GROUP_SCHED=y
CONFIG_CFS_BANDWIDTH=y
CONFIG_RT_GROUP_SCHED=y
CONFIG_BLK_CGROUP=y
# CONFIG_DEBUG_BLK_CGROUP is not set
# CONFIG_CHECKPOINT_RESTORE is not set
CONFIG_NAMESPACES=y
CONFIG_UTS_NS=y
CONFIG_IPC_NS=y
CONFIG_PID_NS=y
CONFIG_NET_NS=y
CONFIG_SCHED_AUTOGROUP=y
CONFIG_MM_OWNER=y
# CONFIG_SYSFS_DEPRECATED is not set
CONFIG_RELAY=y
CONFIG_BLK_DEV_INITRD=y
CONFIG_INITRAMFS_SOURCE=""
CONFIG_RD_GZIP=y
CONFIG_RD_BZIP2=y
CONFIG_RD_LZMA=y
CONFIG_RD_XZ=y
CONFIG_RD_LZO=y
# CONFIG_CC_OPTIMIZE_FOR_SIZE is not set
CONFIG_SYSCTL=y
CONFIG_ANON_INODES=y
# CONFIG_EXPERT is not set
CONFIG_HAVE_UID16=y
CONFIG_UID16=y
# CONFIG_SYSCTL_SYSCALL is not set
CONFIG_SYSCTL_EXCEPTION_TRACE=y
CONFIG_KALLSYMS=y
CONFIG_KALLSYMS_ALL=y
CONFIG_HOTPLUG=y
CONFIG_PRINTK=y
CONFIG_BUG=y
CONFIG_ELF_CORE=y
CONFIG_PCSPKR_PLATFORM=y
CONFIG_HAVE_PCSPKR_PLATFORM=y
CONFIG_BASE_FULL=y
CONFIG_FUTEX=y
CONFIG_EPOLL=y
CONFIG_SIGNALFD=y
CONFIG_TIMERFD=y
CONFIG_EVENTFD=y
CONFIG_SHMEM=y
CONFIG_AIO=y
# CONFIG_EMBEDDED is not set
CONFIG_HAVE_PERF_EVENTS=y

#
# Kernel Performance Events And Counters
#
CONFIG_PERF_EVENTS=y
# CONFIG_DEBUG_PERF_USE_VMALLOC is not set
CONFIG_VM_EVENT_COUNTERS=y
CONFIG_PCI_QUIRKS=y
CONFIG_SLUB_DEBUG=y
# CONFIG_COMPAT_BRK is not set
# CONFIG_SLAB is not set
CONFIG_SLUB=y
CONFIG_PROFILING=y
CONFIG_TRACEPOINTS=y
CONFIG_OPROFILE=m
CONFIG_OPROFILE_EVENT_MULTIPLEX=y
CONFIG_HAVE_OPROFILE=y
CONFIG_OPROFILE_NMI_TIMER=y
CONFIG_KPROBES=y
CONFIG_JUMP_LABEL=y
CONFIG_OPTPROBES=y
CONFIG_UPROBES=y
CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y
CONFIG_KRETPROBES=y
CONFIG_USER_RETURN_NOTIFIER=y
CONFIG_HAVE_IOREMAP_PROT=y
CONFIG_HAVE_KPROBES=y
CONFIG_HAVE_KRETPROBES=y
CONFIG_HAVE_OPTPROBES=y
CONFIG_HAVE_ARCH_TRACEHOOK=y
CONFIG_HAVE_DMA_ATTRS=y
CONFIG_USE_GENERIC_SMP_HELPERS=y
CONFIG_GENERIC_SMP_IDLE_THREAD=y
CONFIG_HAVE_REGS_AND_STACK_ACCESS_API=y
CONFIG_HAVE_DMA_API_DEBUG=y
CONFIG_HAVE_HW_BREAKPOINT=y
CONFIG_HAVE_MIXED_BREAKPOINTS_REGS=y
CONFIG_HAVE_USER_RETURN_NOTIFIER=y
CONFIG_HAVE_PERF_EVENTS_NMI=y
CONFIG_HAVE_PERF_REGS=y
CONFIG_HAVE_PERF_USER_STACK_DUMP=y
CONFIG_HAVE_ARCH_JUMP_LABEL=y
CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y
CONFIG_HAVE_ALIGNED_STRUCT_PAGE=y
CONFIG_HAVE_CMPXCHG_LOCAL=y
CONFIG_HAVE_CMPXCHG_DOUBLE=y
CONFIG_ARCH_WANT_COMPAT_IPC_PARSE_VERSION=y
CONFIG_ARCH_WANT_OLD_COMPAT_IPC=y
CONFIG_GENERIC_KERNEL_THREAD=y
CONFIG_GENERIC_KERNEL_EXECVE=y
CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
CONFIG_SECCOMP_FILTER=y
CONFIG_HAVE_RCU_USER_QS=y
CONFIG_HAVE_IRQ_TIME_ACCOUNTING=y
CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE=y
CONFIG_MODULES_USE_ELF_RELA=y

#
# GCOV-based kernel profiling
#
# CONFIG_GCOV_KERNEL is not set
# CONFIG_HAVE_GENERIC_DMA_COHERENT is not set
CONFIG_SLABINFO=y
CONFIG_RT_MUTEXES=y
CONFIG_BASE_SMALL=0
CONFIG_MODULES=y
# CONFIG_MODULE_FORCE_LOAD is not set
CONFIG_MODULE_UNLOAD=y
# CONFIG_MODULE_FORCE_UNLOAD is not set
# CONFIG_MODVERSIONS is not set
# CONFIG_MODULE_SRCVERSION_ALL is not set
# CONFIG_MODULE_SIG is not set
CONFIG_STOP_MACHINE=y
CONFIG_BLOCK=y
CONFIG_BLK_DEV_BSG=y
CONFIG_BLK_DEV_BSGLIB=y
CONFIG_BLK_DEV_INTEGRITY=y
CONFIG_BLK_DEV_THROTTLING=y

#
# Partition Types
#
CONFIG_PARTITION_ADVANCED=y
# CONFIG_ACORN_PARTITION is not set
CONFIG_OSF_PARTITION=y
CONFIG_AMIGA_PARTITION=y
# CONFIG_ATARI_PARTITION is not set
CONFIG_MAC_PARTITION=y
CONFIG_MSDOS_PARTITION=y
CONFIG_BSD_DISKLABEL=y
CONFIG_MINIX_SUBPARTITION=y
CONFIG_SOLARIS_X86_PARTITION=y
CONFIG_UNIXWARE_DISKLABEL=y
# CONFIG_LDM_PARTITION is not set
CONFIG_SGI_PARTITION=y
# CONFIG_ULTRIX_PARTITION is not set
CONFIG_SUN_PARTITION=y
CONFIG_KARMA_PARTITION=y
CONFIG_EFI_PARTITION=y
# CONFIG_SYSV68_PARTITION is not set
CONFIG_BLOCK_COMPAT=y

#
# IO Schedulers
#
CONFIG_IOSCHED_NOOP=y
CONFIG_IOSCHED_DEADLINE=y
CONFIG_IOSCHED_CFQ=y
CONFIG_CFQ_GROUP_IOSCHED=y
# CONFIG_DEFAULT_DEADLINE is not set
CONFIG_DEFAULT_CFQ=y
# CONFIG_DEFAULT_NOOP is not set
CONFIG_DEFAULT_IOSCHED="cfq"
CONFIG_PREEMPT_NOTIFIERS=y
CONFIG_PADATA=y
CONFIG_INLINE_SPIN_UNLOCK_IRQ=y
CONFIG_INLINE_READ_UNLOCK=y
CONFIG_INLINE_READ_UNLOCK_IRQ=y
CONFIG_INLINE_WRITE_UNLOCK=y
CONFIG_INLINE_WRITE_UNLOCK_IRQ=y
CONFIG_MUTEX_SPIN_ON_OWNER=y
CONFIG_FREEZER=y

#
# Processor type and features
#
CONFIG_ZONE_DMA=y
CONFIG_SMP=y
CONFIG_X86_X2APIC=y
CONFIG_X86_MPPARSE=y
CONFIG_X86_EXTENDED_PLATFORM=y
# CONFIG_X86_NUMACHIP is not set
# CONFIG_X86_VSMP is not set
# CONFIG_X86_UV is not set
CONFIG_X86_SUPPORTS_MEMORY_FAILURE=y
CONFIG_SCHED_OMIT_FRAME_POINTER=y
CONFIG_PARAVIRT_GUEST=y
CONFIG_PARAVIRT_TIME_ACCOUNTING=y
CONFIG_XEN=y
CONFIG_XEN_DOM0=y
CONFIG_XEN_PRIVILEGED_GUEST=y
CONFIG_XEN_PVHVM=y
CONFIG_XEN_MAX_DOMAIN_MEMORY=500
CONFIG_XEN_SAVE_RESTORE=y
CONFIG_XEN_DEBUG_FS=y
CONFIG_KVM_GUEST=y
CONFIG_PARAVIRT=y
# CONFIG_PARAVIRT_SPINLOCKS is not set
CONFIG_PARAVIRT_CLOCK=y
# CONFIG_PARAVIRT_DEBUG is not set
CONFIG_NO_BOOTMEM=y
# CONFIG_MEMTEST is not set
# CONFIG_MK8 is not set
# CONFIG_MPSC is not set
# CONFIG_MCORE2 is not set
# CONFIG_MATOM is not set
CONFIG_GENERIC_CPU=y
CONFIG_X86_INTERNODE_CACHE_SHIFT=6
CONFIG_X86_CMPXCHG=y
CONFIG_X86_L1_CACHE_SHIFT=6
CONFIG_X86_XADD=y
CONFIG_X86_WP_WORKS_OK=y
CONFIG_X86_TSC=y
CONFIG_X86_CMPXCHG64=y
CONFIG_X86_CMOV=y
CONFIG_X86_MINIMUM_CPU_FAMILY=64
CONFIG_X86_DEBUGCTLMSR=y
CONFIG_CPU_SUP_INTEL=y
CONFIG_CPU_SUP_AMD=y
CONFIG_CPU_SUP_CENTAUR=y
CONFIG_HPET_TIMER=y
CONFIG_HPET_EMULATE_RTC=y
CONFIG_DMI=y
CONFIG_GART_IOMMU=y
# CONFIG_CALGARY_IOMMU is not set
CONFIG_SWIOTLB=y
CONFIG_IOMMU_HELPER=y
# CONFIG_MAXSMP is not set
CONFIG_NR_CPUS=128
CONFIG_SCHED_SMT=y
CONFIG_SCHED_MC=y
# CONFIG_PREEMPT_NONE is not set
CONFIG_PREEMPT_VOLUNTARY=y
# CONFIG_PREEMPT is not set
CONFIG_X86_LOCAL_APIC=y
CONFIG_X86_IO_APIC=y
CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS=y
CONFIG_X86_MCE=y
CONFIG_X86_MCE_INTEL=y
CONFIG_X86_MCE_AMD=y
CONFIG_X86_MCE_THRESHOLD=y
# CONFIG_X86_MCE_INJECT is not set
CONFIG_X86_THERMAL_VECTOR=y
CONFIG_I8K=m
CONFIG_MICROCODE=m
CONFIG_MICROCODE_INTEL=y
CONFIG_MICROCODE_AMD=y
CONFIG_MICROCODE_OLD_INTERFACE=y
CONFIG_X86_MSR=y
CONFIG_X86_CPUID=y
CONFIG_ARCH_PHYS_ADDR_T_64BIT=y
CONFIG_ARCH_DMA_ADDR_T_64BIT=y
CONFIG_DIRECT_GBPAGES=y
CONFIG_NUMA=y
CONFIG_AMD_NUMA=y
CONFIG_X86_64_ACPI_NUMA=y
CONFIG_NODES_SPAN_OTHER_NODES=y
# CONFIG_NUMA_EMU is not set
CONFIG_NODES_SHIFT=9
CONFIG_ARCH_SPARSEMEM_ENABLE=y
CONFIG_ARCH_SPARSEMEM_DEFAULT=y
CONFIG_ARCH_SELECT_MEMORY_MODEL=y
CONFIG_ARCH_PROC_KCORE_TEXT=y
CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000
CONFIG_SELECT_MEMORY_MODEL=y
CONFIG_SPARSEMEM_MANUAL=y
CONFIG_SPARSEMEM=y
CONFIG_NEED_MULTIPLE_NODES=y
CONFIG_HAVE_MEMORY_PRESENT=y
CONFIG_SPARSEMEM_EXTREME=y
CONFIG_SPARSEMEM_VMEMMAP_ENABLE=y
CONFIG_SPARSEMEM_ALLOC_MEM_MAP_TOGETHER=y
CONFIG_SPARSEMEM_VMEMMAP=y
CONFIG_HAVE_MEMBLOCK=y
CONFIG_HAVE_MEMBLOCK_NODE_MAP=y
CONFIG_ARCH_DISCARD_MEMBLOCK=y
CONFIG_MEMORY_ISOLATION=y
# CONFIG_MEMORY_HOTPLUG is not set
CONFIG_PAGEFLAGS_EXTENDED=y
CONFIG_SPLIT_PTLOCK_CPUS=4
CONFIG_COMPACTION=y
CONFIG_MIGRATION=y
CONFIG_PHYS_ADDR_T_64BIT=y
CONFIG_ZONE_DMA_FLAG=1
CONFIG_BOUNCE=y
CONFIG_VIRT_TO_BUS=y
CONFIG_MMU_NOTIFIER=y
CONFIG_KSM=y
CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
CONFIG_ARCH_SUPPORTS_MEMORY_FAILURE=y
CONFIG_MEMORY_FAILURE=y
CONFIG_HWPOISON_INJECT=m
CONFIG_TRANSPARENT_HUGEPAGE=y
CONFIG_TRANSPARENT_HUGEPAGE_ALWAYS=y
# CONFIG_TRANSPARENT_HUGEPAGE_MADVISE is not set
CONFIG_CROSS_MEMORY_ATTACH=y
CONFIG_CLEANCACHE=y
CONFIG_FRONTSWAP=y
CONFIG_X86_CHECK_BIOS_CORRUPTION=y
# CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK is not set
CONFIG_X86_RESERVE_LOW=64
CONFIG_MTRR=y
CONFIG_MTRR_SANITIZER=y
CONFIG_MTRR_SANITIZER_ENABLE_DEFAULT=1
CONFIG_MTRR_SANITIZER_SPARE_REG_NR_DEFAULT=1
CONFIG_X86_PAT=y
CONFIG_ARCH_USES_PG_UNCACHED=y
CONFIG_ARCH_RANDOM=y
CONFIG_X86_SMAP=y
CONFIG_EFI=y
CONFIG_EFI_STUB=y
CONFIG_SECCOMP=y
CONFIG_CC_STACKPROTECTOR=y
# CONFIG_HZ_100 is not set
# CONFIG_HZ_250 is not set
# CONFIG_HZ_300 is not set
CONFIG_HZ_1000=y
CONFIG_HZ=1000
CONFIG_SCHED_HRTICK=y
CONFIG_KEXEC=y
CONFIG_CRASH_DUMP=y
CONFIG_KEXEC_JUMP=y
CONFIG_PHYSICAL_START=0x1000000
CONFIG_RELOCATABLE=y
CONFIG_PHYSICAL_ALIGN=0x1000000
CONFIG_HOTPLUG_CPU=y
# CONFIG_COMPAT_VDSO is not set
# CONFIG_CMDLINE_BOOL is not set
CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y
CONFIG_USE_PERCPU_NUMA_NODE_ID=y

#
# Power management and ACPI options
#
CONFIG_ARCH_HIBERNATION_HEADER=y
CONFIG_SUSPEND=y
CONFIG_SUSPEND_FREEZER=y
CONFIG_HIBERNATE_CALLBACKS=y
CONFIG_HIBERNATION=y
CONFIG_PM_STD_PARTITION=""
CONFIG_PM_SLEEP=y
CONFIG_PM_SLEEP_SMP=y
# CONFIG_PM_AUTOSLEEP is not set
# CONFIG_PM_WAKELOCKS is not set
CONFIG_PM_RUNTIME=y
CONFIG_PM=y
CONFIG_PM_DEBUG=y
CONFIG_PM_ADVANCED_DEBUG=y
# CONFIG_PM_TEST_SUSPEND is not set
CONFIG_PM_SLEEP_DEBUG=y
CONFIG_PM_TRACE=y
CONFIG_PM_TRACE_RTC=y
CONFIG_ACPI=y
CONFIG_ACPI_SLEEP=y
CONFIG_ACPI_PROCFS=y
# CONFIG_ACPI_PROCFS_POWER is not set
CONFIG_ACPI_EC_DEBUGFS=m
# CONFIG_ACPI_PROC_EVENT is not set
CONFIG_ACPI_AC=y
CONFIG_ACPI_BATTERY=y
CONFIG_ACPI_BUTTON=y
CONFIG_ACPI_VIDEO=m
CONFIG_ACPI_FAN=y
CONFIG_ACPI_DOCK=y
CONFIG_ACPI_PROCESSOR=y
CONFIG_ACPI_IPMI=m
CONFIG_ACPI_HOTPLUG_CPU=y
CONFIG_ACPI_PROCESSOR_AGGREGATOR=m
CONFIG_ACPI_THERMAL=y
CONFIG_ACPI_NUMA=y
# CONFIG_ACPI_CUSTOM_DSDT is not set
CONFIG_ACPI_BLACKLIST_YEAR=0
# CONFIG_ACPI_DEBUG is not set
CONFIG_ACPI_PCI_SLOT=y
CONFIG_X86_PM_TIMER=y
CONFIG_ACPI_CONTAINER=y
CONFIG_ACPI_SBS=m
CONFIG_ACPI_HED=y
CONFIG_ACPI_CUSTOM_METHOD=m
# CONFIG_ACPI_BGRT is not set
CONFIG_ACPI_APEI=y
CONFIG_ACPI_APEI_GHES=y
CONFIG_ACPI_APEI_PCIEAER=y
CONFIG_ACPI_APEI_MEMORY_FAILURE=y
# CONFIG_ACPI_APEI_EINJ is not set
# CONFIG_ACPI_APEI_ERST_DEBUG is not set
CONFIG_SFI=y

#
# CPU Frequency scaling
#
CONFIG_CPU_FREQ=y
CONFIG_CPU_FREQ_TABLE=y
CONFIG_CPU_FREQ_STAT=m
CONFIG_CPU_FREQ_STAT_DETAILS=y
# CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE is not set
# CONFIG_CPU_FREQ_DEFAULT_GOV_USERSPACE is not set
CONFIG_CPU_FREQ_DEFAULT_GOV_ONDEMAND=y
# CONFIG_CPU_FREQ_DEFAULT_GOV_CONSERVATIVE is not set
CONFIG_CPU_FREQ_GOV_PERFORMANCE=y
CONFIG_CPU_FREQ_GOV_POWERSAVE=y
CONFIG_CPU_FREQ_GOV_USERSPACE=y
CONFIG_CPU_FREQ_GOV_ONDEMAND=y
CONFIG_CPU_FREQ_GOV_CONSERVATIVE=y

#
# x86 CPU frequency scaling drivers
#
CONFIG_X86_PCC_CPUFREQ=y
CONFIG_X86_ACPI_CPUFREQ=y
CONFIG_X86_ACPI_CPUFREQ_CPB=y
CONFIG_X86_POWERNOW_K8=y
# CONFIG_X86_SPEEDSTEP_CENTRINO is not set
CONFIG_X86_P4_CLOCKMOD=y

#
# shared options
#
CONFIG_X86_SPEEDSTEP_LIB=y
CONFIG_CPU_IDLE=y
CONFIG_CPU_IDLE_GOV_LADDER=y
CONFIG_CPU_IDLE_GOV_MENU=y
# CONFIG_ARCH_NEEDS_CPU_IDLE_COUPLED is not set
CONFIG_INTEL_IDLE=y

#
# Memory power savings
#
CONFIG_I7300_IDLE_IOAT_CHANNEL=y
CONFIG_I7300_IDLE=m

#
# Bus options (PCI etc.)
#
CONFIG_PCI=y
CONFIG_PCI_DIRECT=y
CONFIG_PCI_MMCONFIG=y
CONFIG_PCI_XEN=y
CONFIG_PCI_DOMAINS=y
CONFIG_PCIEPORTBUS=y
CONFIG_HOTPLUG_PCI_PCIE=y
CONFIG_PCIEAER=y
CONFIG_PCIE_ECRC=y
CONFIG_PCIEAER_INJECT=m
CONFIG_PCIEASPM=y
# CONFIG_PCIEASPM_DEBUG is not set
CONFIG_PCIEASPM_DEFAULT=y
# CONFIG_PCIEASPM_POWERSAVE is not set
# CONFIG_PCIEASPM_PERFORMANCE is not set
CONFIG_PCIE_PME=y
CONFIG_ARCH_SUPPORTS_MSI=y
CONFIG_PCI_MSI=y
# CONFIG_PCI_DEBUG is not set
# CONFIG_PCI_REALLOC_ENABLE_AUTO is not set
CONFIG_PCI_STUB=y
CONFIG_XEN_PCIDEV_FRONTEND=m
CONFIG_HT_IRQ=y
CONFIG_PCI_ATS=y
CONFIG_PCI_IOV=y
CONFIG_PCI_PRI=y
CONFIG_PCI_PASID=y
CONFIG_PCI_IOAPIC=y
CONFIG_PCI_LABEL=y
CONFIG_ISA_DMA_API=y
CONFIG_AMD_NB=y
CONFIG_PCCARD=y
CONFIG_PCMCIA=y
CONFIG_PCMCIA_LOAD_CIS=y
CONFIG_CARDBUS=y

#
# PC-card bridges
#
CONFIG_YENTA=m
CONFIG_YENTA_O2=y
CONFIG_YENTA_RICOH=y
CONFIG_YENTA_TI=y
CONFIG_YENTA_ENE_TUNE=y
CONFIG_YENTA_TOSHIBA=y
CONFIG_PD6729=m
CONFIG_I82092=m
CONFIG_PCCARD_NONSTATIC=y
CONFIG_HOTPLUG_PCI=y
CONFIG_HOTPLUG_PCI_ACPI=y
CONFIG_HOTPLUG_PCI_ACPI_IBM=m
# CONFIG_HOTPLUG_PCI_CPCI is not set
CONFIG_HOTPLUG_PCI_SHPC=m
# CONFIG_RAPIDIO is not set

#
# Executable file formats / Emulations
#
CONFIG_BINFMT_ELF=y
CONFIG_COMPAT_BINFMT_ELF=y
CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE=y
CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS=y
# CONFIG_HAVE_AOUT is not set
CONFIG_BINFMT_MISC=m
CONFIG_COREDUMP=y
CONFIG_IA32_EMULATION=y
# CONFIG_IA32_AOUT is not set
# CONFIG_X86_X32 is not set
CONFIG_COMPAT=y
CONFIG_COMPAT_FOR_U64_ALIGNMENT=y
CONFIG_SYSVIPC_COMPAT=y
CONFIG_KEYS_COMPAT=y
CONFIG_HAVE_TEXT_POKE_SMP=y
CONFIG_X86_DEV_DMA_OPS=y
CONFIG_NET=y
CONFIG_COMPAT_NETLINK_MESSAGES=y

#
# Networking options
#
CONFIG_PACKET=y
# CONFIG_PACKET_DIAG is not set
CONFIG_UNIX=y
CONFIG_UNIX_DIAG=m
CONFIG_XFRM=y
CONFIG_XFRM_ALGO=y
CONFIG_XFRM_USER=y
CONFIG_XFRM_SUB_POLICY=y
CONFIG_XFRM_MIGRATE=y
CONFIG_XFRM_STATISTICS=y
CONFIG_XFRM_IPCOMP=m
CONFIG_NET_KEY=m
CONFIG_NET_KEY_MIGRATE=y
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_FIB_TRIE_STATS=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_VERBOSE=y
CONFIG_IP_ROUTE_CLASSID=y
# CONFIG_IP_PNP is not set
CONFIG_NET_IPIP=m
CONFIG_NET_IPGRE_DEMUX=m
CONFIG_NET_IPGRE=m
CONFIG_NET_IPGRE_BROADCAST=y
CONFIG_IP_MROUTE=y
CONFIG_IP_MROUTE_MULTIPLE_TABLES=y
CONFIG_IP_PIMSM_V1=y
CONFIG_IP_PIMSM_V2=y
CONFIG_ARPD=y
CONFIG_SYN_COOKIES=y
CONFIG_NET_IPVTI=m
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
CONFIG_INET_IPCOMP=m
CONFIG_INET_XFRM_TUNNEL=m
CONFIG_INET_TUNNEL=m
CONFIG_INET_XFRM_MODE_TRANSPORT=m
CONFIG_INET_XFRM_MODE_TUNNEL=m
CONFIG_INET_XFRM_MODE_BEET=m
CONFIG_INET_LRO=y
CONFIG_INET_DIAG=m
CONFIG_INET_TCP_DIAG=m
CONFIG_INET_UDP_DIAG=m
CONFIG_TCP_CONG_ADVANCED=y
CONFIG_TCP_CONG_BIC=m
CONFIG_TCP_CONG_CUBIC=y
CONFIG_TCP_CONG_WESTWOOD=m
CONFIG_TCP_CONG_HTCP=m
CONFIG_TCP_CONG_HSTCP=m
CONFIG_TCP_CONG_HYBLA=m
CONFIG_TCP_CONG_VEGAS=m
CONFIG_TCP_CONG_SCALABLE=m
CONFIG_TCP_CONG_LP=m
CONFIG_TCP_CONG_VENO=m
CONFIG_TCP_CONG_YEAH=m
CONFIG_TCP_CONG_ILLINOIS=m
CONFIG_DEFAULT_CUBIC=y
# CONFIG_DEFAULT_RENO is not set
CONFIG_DEFAULT_TCP_CONG="cubic"
CONFIG_TCP_MD5SIG=y
CONFIG_IPV6=y
CONFIG_IPV6_PRIVACY=y
CONFIG_IPV6_ROUTER_PREF=y
CONFIG_IPV6_ROUTE_INFO=y
CONFIG_IPV6_OPTIMISTIC_DAD=y
CONFIG_INET6_AH=m
CONFIG_INET6_ESP=m
CONFIG_INET6_IPCOMP=m
CONFIG_IPV6_MIP6=y
CONFIG_INET6_XFRM_TUNNEL=m
CONFIG_INET6_TUNNEL=m
CONFIG_INET6_XFRM_MODE_TRANSPORT=m
CONFIG_INET6_XFRM_MODE_TUNNEL=m
CONFIG_INET6_XFRM_MODE_BEET=m
CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION=m
CONFIG_IPV6_SIT=m
CONFIG_IPV6_SIT_6RD=y
CONFIG_IPV6_NDISC_NODETYPE=y
CONFIG_IPV6_TUNNEL=m
# CONFIG_IPV6_GRE is not set
CONFIG_IPV6_MULTIPLE_TABLES=y
CONFIG_IPV6_SUBTREES=y
CONFIG_IPV6_MROUTE=y
CONFIG_IPV6_MROUTE_MULTIPLE_TABLES=y
CONFIG_IPV6_PIMSM_V2=y
CONFIG_NETLABEL=y
CONFIG_NETWORK_SECMARK=y
CONFIG_NETWORK_PHY_TIMESTAMPING=y
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set
CONFIG_NETFILTER_ADVANCED=y
CONFIG_BRIDGE_NETFILTER=y

#
# Core Netfilter Configuration
#
CONFIG_NETFILTER_NETLINK=m
CONFIG_NETFILTER_NETLINK_ACCT=m
CONFIG_NETFILTER_NETLINK_QUEUE=m
CONFIG_NETFILTER_NETLINK_LOG=m
CONFIG_NF_CONNTRACK=m
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NF_CONNTRACK_SECMARK=y
CONFIG_NF_CONNTRACK_ZONES=y
CONFIG_NF_CONNTRACK_PROCFS=y
CONFIG_NF_CONNTRACK_EVENTS=y
# CONFIG_NF_CONNTRACK_TIMEOUT is not set
CONFIG_NF_CONNTRACK_TIMESTAMP=y
CONFIG_NF_CT_PROTO_DCCP=m
CONFIG_NF_CT_PROTO_GRE=m
CONFIG_NF_CT_PROTO_SCTP=m
CONFIG_NF_CT_PROTO_UDPLITE=m
CONFIG_NF_CONNTRACK_AMANDA=m
CONFIG_NF_CONNTRACK_FTP=m
CONFIG_NF_CONNTRACK_H323=m
CONFIG_NF_CONNTRACK_IRC=m
CONFIG_NF_CONNTRACK_BROADCAST=m
CONFIG_NF_CONNTRACK_NETBIOS_NS=m
CONFIG_NF_CONNTRACK_SNMP=m
CONFIG_NF_CONNTRACK_PPTP=m
CONFIG_NF_CONNTRACK_SANE=m
CONFIG_NF_CONNTRACK_SIP=m
CONFIG_NF_CONNTRACK_TFTP=m
CONFIG_NF_CT_NETLINK=m
# CONFIG_NF_CT_NETLINK_TIMEOUT is not set
CONFIG_NF_CT_NETLINK_HELPER=m
CONFIG_NETFILTER_NETLINK_QUEUE_CT=y
CONFIG_NETFILTER_TPROXY=m
CONFIG_NETFILTER_XTABLES=y

#
# Xtables combined modules
#
CONFIG_NETFILTER_XT_MARK=m
CONFIG_NETFILTER_XT_CONNMARK=m
CONFIG_NETFILTER_XT_SET=m

#
# Xtables targets
#
CONFIG_NETFILTER_XT_TARGET_AUDIT=m
CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=m
CONFIG_NETFILTER_XT_TARGET_CT=m
CONFIG_NETFILTER_XT_TARGET_DSCP=m
CONFIG_NETFILTER_XT_TARGET_HL=m
CONFIG_NETFILTER_XT_TARGET_HMARK=m
CONFIG_NETFILTER_XT_TARGET_IDLETIMER=m
CONFIG_NETFILTER_XT_TARGET_LED=m
CONFIG_NETFILTER_XT_TARGET_LOG=m
CONFIG_NETFILTER_XT_TARGET_MARK=m
CONFIG_NETFILTER_XT_TARGET_NFLOG=m
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
CONFIG_NETFILTER_XT_TARGET_RATEEST=m
CONFIG_NETFILTER_XT_TARGET_TEE=m
CONFIG_NETFILTER_XT_TARGET_TPROXY=m
CONFIG_NETFILTER_XT_TARGET_TRACE=m
CONFIG_NETFILTER_XT_TARGET_SECMARK=m
CONFIG_NETFILTER_XT_TARGET_TCPMSS=m
CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m

#
# Xtables matches
#
CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=m
CONFIG_NETFILTER_XT_MATCH_CLUSTER=m
CONFIG_NETFILTER_XT_MATCH_COMMENT=m
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m
CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=m
CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_CPU=m
CONFIG_NETFILTER_XT_MATCH_DCCP=m
CONFIG_NETFILTER_XT_MATCH_DEVGROUP=m
CONFIG_NETFILTER_XT_MATCH_DSCP=m
CONFIG_NETFILTER_XT_MATCH_ECN=m
CONFIG_NETFILTER_XT_MATCH_ESP=m
CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m
CONFIG_NETFILTER_XT_MATCH_HELPER=m
CONFIG_NETFILTER_XT_MATCH_HL=m
CONFIG_NETFILTER_XT_MATCH_IPRANGE=m
CONFIG_NETFILTER_XT_MATCH_IPVS=m
CONFIG_NETFILTER_XT_MATCH_LENGTH=m
CONFIG_NETFILTER_XT_MATCH_LIMIT=m
CONFIG_NETFILTER_XT_MATCH_MAC=m
CONFIG_NETFILTER_XT_MATCH_MARK=m
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
CONFIG_NETFILTER_XT_MATCH_NFACCT=m
CONFIG_NETFILTER_XT_MATCH_OSF=m
CONFIG_NETFILTER_XT_MATCH_OWNER=m
CONFIG_NETFILTER_XT_MATCH_POLICY=m
CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
CONFIG_NETFILTER_XT_MATCH_QUOTA=m
CONFIG_NETFILTER_XT_MATCH_RATEEST=m
CONFIG_NETFILTER_XT_MATCH_REALM=m
CONFIG_NETFILTER_XT_MATCH_RECENT=m
CONFIG_NETFILTER_XT_MATCH_SCTP=m
CONFIG_NETFILTER_XT_MATCH_SOCKET=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_NETFILTER_XT_MATCH_STATISTIC=m
CONFIG_NETFILTER_XT_MATCH_STRING=m
CONFIG_NETFILTER_XT_MATCH_TCPMSS=m
CONFIG_NETFILTER_XT_MATCH_TIME=m
CONFIG_NETFILTER_XT_MATCH_U32=m
CONFIG_IP_SET=m
CONFIG_IP_SET_MAX=256
CONFIG_IP_SET_BITMAP_IP=m
CONFIG_IP_SET_BITMAP_IPMAC=m
CONFIG_IP_SET_BITMAP_PORT=m
CONFIG_IP_SET_HASH_IP=m
CONFIG_IP_SET_HASH_IPPORT=m
CONFIG_IP_SET_HASH_IPPORTIP=m
CONFIG_IP_SET_HASH_IPPORTNET=m
CONFIG_IP_SET_HASH_NET=m
CONFIG_IP_SET_HASH_NETPORT=m
CONFIG_IP_SET_HASH_NETIFACE=m
CONFIG_IP_SET_LIST_SET=m
CONFIG_IP_VS=m
CONFIG_IP_VS_IPV6=y
# CONFIG_IP_VS_DEBUG is not set
CONFIG_IP_VS_TAB_BITS=12

#
# IPVS transport protocol load balancing support
#
CONFIG_IP_VS_PROTO_TCP=y
CONFIG_IP_VS_PROTO_UDP=y
CONFIG_IP_VS_PROTO_AH_ESP=y
CONFIG_IP_VS_PROTO_ESP=y
CONFIG_IP_VS_PROTO_AH=y
CONFIG_IP_VS_PROTO_SCTP=y

#
# IPVS scheduler
#
CONFIG_IP_VS_RR=m
CONFIG_IP_VS_WRR=m
CONFIG_IP_VS_LC=m
CONFIG_IP_VS_WLC=m
CONFIG_IP_VS_LBLC=m
CONFIG_IP_VS_LBLCR=m
CONFIG_IP_VS_DH=m
CONFIG_IP_VS_SH=m
CONFIG_IP_VS_SED=m
CONFIG_IP_VS_NQ=m

#
# IPVS SH scheduler
#
CONFIG_IP_VS_SH_TAB_BITS=8

#
# IPVS application helper
#
CONFIG_IP_VS_NFCT=y
CONFIG_IP_VS_PE_SIP=m

#
# IP: Netfilter Configuration
#
CONFIG_NF_DEFRAG_IPV4=m
CONFIG_NF_CONNTRACK_IPV4=m
# CONFIG_NF_CONNTRACK_PROC_COMPAT is not set
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_AH=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_RPFILTER=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_ULOG=m
# CONFIG_NF_NAT_IPV4 is not set
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_CLUSTERIP=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_TTL=m
CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_SECURITY=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARP_MANGLE=m

#
# IPv6: Netfilter Configuration
#
CONFIG_NF_DEFRAG_IPV6=m
CONFIG_NF_CONNTRACK_IPV6=m
CONFIG_IP6_NF_IPTABLES=m
CONFIG_IP6_NF_MATCH_AH=m
CONFIG_IP6_NF_MATCH_EUI64=m
CONFIG_IP6_NF_MATCH_FRAG=m
CONFIG_IP6_NF_MATCH_OPTS=m
CONFIG_IP6_NF_MATCH_HL=m
CONFIG_IP6_NF_MATCH_IPV6HEADER=m
CONFIG_IP6_NF_MATCH_MH=m
CONFIG_IP6_NF_MATCH_RPFILTER=m
CONFIG_IP6_NF_MATCH_RT=m
CONFIG_IP6_NF_TARGET_HL=m
CONFIG_IP6_NF_FILTER=m
CONFIG_IP6_NF_TARGET_REJECT=m
CONFIG_IP6_NF_MANGLE=m
CONFIG_IP6_NF_RAW=m
CONFIG_IP6_NF_SECURITY=m
# CONFIG_NF_NAT_IPV6 is not set
CONFIG_BRIDGE_NF_EBTABLES=m
CONFIG_BRIDGE_EBT_BROUTE=m
CONFIG_BRIDGE_EBT_T_FILTER=m
CONFIG_BRIDGE_EBT_T_NAT=m
CONFIG_BRIDGE_EBT_802_3=m
CONFIG_BRIDGE_EBT_AMONG=m
CONFIG_BRIDGE_EBT_ARP=m
CONFIG_BRIDGE_EBT_IP=m
CONFIG_BRIDGE_EBT_IP6=m
CONFIG_BRIDGE_EBT_LIMIT=m
CONFIG_BRIDGE_EBT_MARK=m
CONFIG_BRIDGE_EBT_PKTTYPE=m
CONFIG_BRIDGE_EBT_STP=m
CONFIG_BRIDGE_EBT_VLAN=m
CONFIG_BRIDGE_EBT_ARPREPLY=m
CONFIG_BRIDGE_EBT_DNAT=m
CONFIG_BRIDGE_EBT_MARK_T=m
CONFIG_BRIDGE_EBT_REDIRECT=m
CONFIG_BRIDGE_EBT_SNAT=m
CONFIG_BRIDGE_EBT_LOG=m
CONFIG_BRIDGE_EBT_ULOG=m
CONFIG_BRIDGE_EBT_NFLOG=m
CONFIG_IP_DCCP=m
CONFIG_INET_DCCP_DIAG=m

#
# DCCP CCIDs Configuration (EXPERIMENTAL)
#
# CONFIG_IP_DCCP_CCID2_DEBUG is not set
CONFIG_IP_DCCP_CCID3=y
# CONFIG_IP_DCCP_CCID3_DEBUG is not set
CONFIG_IP_DCCP_TFRC_LIB=y

#
# DCCP Kernel Hacking
#
# CONFIG_IP_DCCP_DEBUG is not set
# CONFIG_NET_DCCPPROBE is not set
CONFIG_IP_SCTP=m
CONFIG_NET_SCTPPROBE=m
# CONFIG_SCTP_DBG_MSG is not set
# CONFIG_SCTP_DBG_OBJCNT is not set
# CONFIG_SCTP_HMAC_NONE is not set
CONFIG_SCTP_HMAC_SHA1=y
# CONFIG_SCTP_HMAC_MD5 is not set
CONFIG_RDS=m
CONFIG_RDS_RDMA=m
CONFIG_RDS_TCP=m
# CONFIG_RDS_DEBUG is not set
# CONFIG_TIPC is not set
CONFIG_ATM=m
CONFIG_ATM_CLIP=m
# CONFIG_ATM_CLIP_NO_ICMP is not set
CONFIG_ATM_LANE=m
# CONFIG_ATM_MPOA is not set
CONFIG_ATM_BR2684=m
# CONFIG_ATM_BR2684_IPFILTER is not set
CONFIG_L2TP=m
CONFIG_L2TP_DEBUGFS=m
CONFIG_L2TP_V3=y
CONFIG_L2TP_IP=m
CONFIG_L2TP_ETH=m
CONFIG_STP=m
CONFIG_GARP=m
CONFIG_BRIDGE=m
CONFIG_BRIDGE_IGMP_SNOOPING=y
CONFIG_NET_DSA=m
CONFIG_NET_DSA_TAG_DSA=y
CONFIG_NET_DSA_TAG_EDSA=y
CONFIG_NET_DSA_TAG_TRAILER=y
CONFIG_VLAN_8021Q=m
CONFIG_VLAN_8021Q_GVRP=y
# CONFIG_DECNET is not set
CONFIG_LLC=m
# CONFIG_LLC2 is not set
CONFIG_IPX=m
# CONFIG_IPX_INTERN is not set
CONFIG_ATALK=m
CONFIG_DEV_APPLETALK=m
CONFIG_IPDDP=m
CONFIG_IPDDP_ENCAP=y
CONFIG_IPDDP_DECAP=y
# CONFIG_X25 is not set
# CONFIG_LAPB is not set
CONFIG_WAN_ROUTER=m
# CONFIG_PHONET is not set
CONFIG_IEEE802154=m
CONFIG_IEEE802154_6LOWPAN=m
CONFIG_MAC802154=m
CONFIG_NET_SCHED=y

#
# Queueing/Scheduling
#
CONFIG_NET_SCH_CBQ=m
CONFIG_NET_SCH_HTB=m
CONFIG_NET_SCH_HFSC=m
CONFIG_NET_SCH_ATM=m
CONFIG_NET_SCH_PRIO=m
CONFIG_NET_SCH_MULTIQ=m
CONFIG_NET_SCH_RED=m
CONFIG_NET_SCH_SFB=m
CONFIG_NET_SCH_SFQ=m
CONFIG_NET_SCH_TEQL=m
CONFIG_NET_SCH_TBF=m
CONFIG_NET_SCH_GRED=m
CONFIG_NET_SCH_DSMARK=m
CONFIG_NET_SCH_NETEM=m
CONFIG_NET_SCH_DRR=m
CONFIG_NET_SCH_MQPRIO=m
CONFIG_NET_SCH_CHOKE=m
CONFIG_NET_SCH_QFQ=m
CONFIG_NET_SCH_CODEL=m
CONFIG_NET_SCH_FQ_CODEL=m
CONFIG_NET_SCH_INGRESS=m
CONFIG_NET_SCH_PLUG=m

#
# Classification
#
CONFIG_NET_CLS=y
CONFIG_NET_CLS_BASIC=m
CONFIG_NET_CLS_TCINDEX=m
CONFIG_NET_CLS_ROUTE4=m
CONFIG_NET_CLS_FW=m
CONFIG_NET_CLS_U32=m
CONFIG_CLS_U32_PERF=y
CONFIG_CLS_U32_MARK=y
CONFIG_NET_CLS_RSVP=m
CONFIG_NET_CLS_RSVP6=m
CONFIG_NET_CLS_FLOW=m
CONFIG_NET_CLS_CGROUP=y
CONFIG_NET_EMATCH=y
CONFIG_NET_EMATCH_STACK=32
CONFIG_NET_EMATCH_CMP=m
CONFIG_NET_EMATCH_NBYTE=m
CONFIG_NET_EMATCH_U32=m
CONFIG_NET_EMATCH_META=m
CONFIG_NET_EMATCH_TEXT=m
CONFIG_NET_EMATCH_IPSET=m
CONFIG_NET_CLS_ACT=y
CONFIG_NET_ACT_POLICE=m
CONFIG_NET_ACT_GACT=m
CONFIG_GACT_PROB=y
CONFIG_NET_ACT_MIRRED=m
CONFIG_NET_ACT_IPT=m
CONFIG_NET_ACT_NAT=m
CONFIG_NET_ACT_PEDIT=m
CONFIG_NET_ACT_SIMP=m
CONFIG_NET_ACT_SKBEDIT=m
CONFIG_NET_ACT_CSUM=m
CONFIG_NET_CLS_IND=y
CONFIG_NET_SCH_FIFO=y
CONFIG_DCB=y
CONFIG_DNS_RESOLVER=y
CONFIG_BATMAN_ADV=m
CONFIG_BATMAN_ADV_BLA=y
# CONFIG_BATMAN_ADV_DEBUG is not set
CONFIG_OPENVSWITCH=m
CONFIG_RPS=y
CONFIG_RFS_ACCEL=y
CONFIG_XPS=y
CONFIG_NETPRIO_CGROUP=m
CONFIG_BQL=y
CONFIG_BPF_JIT=y

#
# Network testing
#
CONFIG_NET_PKTGEN=m
# CONFIG_NET_TCPPROBE is not set
CONFIG_NET_DROP_MONITOR=y
CONFIG_HAMRADIO=y

#
# Packet Radio protocols
#
CONFIG_AX25=m
CONFIG_AX25_DAMA_SLAVE=y
CONFIG_NETROM=m
CONFIG_ROSE=m

#
# AX.25 network device drivers
#
CONFIG_MKISS=m
CONFIG_6PACK=m
CONFIG_BPQETHER=m
CONFIG_BAYCOM_SER_FDX=m
CONFIG_BAYCOM_SER_HDX=m
CONFIG_BAYCOM_PAR=m
CONFIG_YAM=m
# CONFIG_CAN is not set
CONFIG_IRDA=m

#
# IrDA protocols
#
CONFIG_IRLAN=m
CONFIG_IRNET=m
CONFIG_IRCOMM=m
# CONFIG_IRDA_ULTRA is not set

#
# IrDA options
#
CONFIG_IRDA_CACHE_LAST_LSAP=y
CONFIG_IRDA_FAST_RR=y
# CONFIG_IRDA_DEBUG is not set

#
# Infrared-port device drivers
#

#
# SIR device drivers
#
CONFIG_IRTTY_SIR=m

#
# Dongle support
#
CONFIG_DONGLE=y
CONFIG_ESI_DONGLE=m
CONFIG_ACTISYS_DONGLE=m
CONFIG_TEKRAM_DONGLE=m
CONFIG_TOIM3232_DONGLE=m
CONFIG_LITELINK_DONGLE=m
CONFIG_MA600_DONGLE=m
CONFIG_GIRBIL_DONGLE=m
CONFIG_MCP2120_DONGLE=m
CONFIG_OLD_BELKIN_DONGLE=m
CONFIG_ACT200L_DONGLE=m
CONFIG_KINGSUN_DONGLE=m
CONFIG_KSDAZZLE_DONGLE=m
CONFIG_KS959_DONGLE=m

#
# FIR device drivers
#
CONFIG_USB_IRDA=m
CONFIG_SIGMATEL_FIR=m
CONFIG_NSC_FIR=m
CONFIG_WINBOND_FIR=m
CONFIG_SMC_IRCC_FIR=m
CONFIG_ALI_FIR=m
CONFIG_VLSI_FIR=m
CONFIG_VIA_FIR=m
CONFIG_MCS_FIR=m
CONFIG_BT=m
CONFIG_BT_RFCOMM=m
CONFIG_BT_RFCOMM_TTY=y
CONFIG_BT_BNEP=m
CONFIG_BT_BNEP_MC_FILTER=y
CONFIG_BT_BNEP_PROTO_FILTER=y
CONFIG_BT_CMTP=m
CONFIG_BT_HIDP=m

#
# Bluetooth device drivers
#
CONFIG_BT_HCIBTUSB=m
CONFIG_BT_HCIBTSDIO=m
CONFIG_BT_HCIUART=m
CONFIG_BT_HCIUART_H4=y
CONFIG_BT_HCIUART_BCSP=y
CONFIG_BT_HCIUART_ATH3K=y
CONFIG_BT_HCIUART_LL=y
CONFIG_BT_HCIUART_3WIRE=y
CONFIG_BT_HCIBCM203X=m
CONFIG_BT_HCIBPA10X=m
CONFIG_BT_HCIBFUSB=m
CONFIG_BT_HCIDTL1=m
CONFIG_BT_HCIBT3C=m
CONFIG_BT_HCIBLUECARD=m
CONFIG_BT_HCIBTUART=m
CONFIG_BT_HCIVHCI=m
CONFIG_BT_MRVL=m
CONFIG_BT_MRVL_SDIO=m
CONFIG_BT_ATH3K=m
# CONFIG_AF_RXRPC is not set
CONFIG_FIB_RULES=y
CONFIG_WIRELESS=y
CONFIG_WIRELESS_EXT=y
CONFIG_WEXT_CORE=y
CONFIG_WEXT_PROC=y
CONFIG_WEXT_SPY=y
CONFIG_WEXT_PRIV=y
CONFIG_CFG80211=m
# CONFIG_NL80211_TESTMODE is not set
# CONFIG_CFG80211_DEVELOPER_WARNINGS is not set
# CONFIG_CFG80211_REG_DEBUG is not set
CONFIG_CFG80211_DEFAULT_PS=y
CONFIG_CFG80211_DEBUGFS=y
# CONFIG_CFG80211_INTERNAL_REGDB is not set
CONFIG_CFG80211_WEXT=y
CONFIG_LIB80211=m
CONFIG_LIB80211_CRYPT_WEP=m
CONFIG_LIB80211_CRYPT_CCMP=m
CONFIG_LIB80211_CRYPT_TKIP=m
# CONFIG_LIB80211_DEBUG is not set
CONFIG_MAC80211=m
CONFIG_MAC80211_HAS_RC=y
CONFIG_MAC80211_RC_MINSTREL=y
CONFIG_MAC80211_RC_MINSTREL_HT=y
CONFIG_MAC80211_RC_DEFAULT_MINSTREL=y
CONFIG_MAC80211_RC_DEFAULT="minstrel_ht"
CONFIG_MAC80211_MESH=y
CONFIG_MAC80211_LEDS=y
CONFIG_MAC80211_DEBUGFS=y
# CONFIG_MAC80211_MESSAGE_TRACING is not set
# CONFIG_MAC80211_DEBUG_MENU is not set
CONFIG_WIMAX=m
CONFIG_WIMAX_DEBUG_LEVEL=8
CONFIG_RFKILL=m
CONFIG_RFKILL_LEDS=y
CONFIG_RFKILL_INPUT=y
CONFIG_NET_9P=m
CONFIG_NET_9P_VIRTIO=m
CONFIG_NET_9P_RDMA=m
# CONFIG_NET_9P_DEBUG is not set
# CONFIG_CAIF is not set
CONFIG_CEPH_LIB=m
# CONFIG_CEPH_LIB_PRETTYDEBUG is not set
# CONFIG_CEPH_LIB_USE_DNS_RESOLVER is not set
CONFIG_NFC=m
CONFIG_NFC_NCI=m
CONFIG_NFC_HCI=m
CONFIG_NFC_SHDLC=y
CONFIG_NFC_LLCP=y

#
# Near Field Communication (NFC) devices
#
CONFIG_PN544_HCI_NFC=m
CONFIG_NFC_PN533=m
CONFIG_HAVE_BPF_JIT=y

#
# Device Drivers
#

#
# Generic Driver Options
#
CONFIG_UEVENT_HELPER_PATH=""
CONFIG_DEVTMPFS=y
CONFIG_DEVTMPFS_MOUNT=y
CONFIG_STANDALONE=y
CONFIG_PREVENT_FIRMWARE_BUILD=y
CONFIG_FW_LOADER=y
# CONFIG_FIRMWARE_IN_KERNEL is not set
CONFIG_EXTRA_FIRMWARE=""
# CONFIG_DEBUG_DRIVER is not set
CONFIG_DEBUG_DEVRES=y
CONFIG_SYS_HYPERVISOR=y
# CONFIG_GENERIC_CPU_DEVICES is not set
CONFIG_REGMAP=y
CONFIG_REGMAP_I2C=m
CONFIG_DMA_SHARED_BUFFER=y

#
# Bus devices
#
# CONFIG_OMAP_OCP2SCP is not set
CONFIG_CONNECTOR=y
CONFIG_PROC_EVENTS=y
CONFIG_MTD=m
# CONFIG_MTD_TESTS is not set
# CONFIG_MTD_REDBOOT_PARTS is not set
# CONFIG_MTD_AR7_PARTS is not set

#
# User Modules And Translation Layers
#
# CONFIG_MTD_CHAR is not set
CONFIG_MTD_BLKDEVS=m
CONFIG_MTD_BLOCK=m
# CONFIG_MTD_BLOCK_RO is not set
# CONFIG_FTL is not set
# CONFIG_NFTL is not set
# CONFIG_INFTL is not set
# CONFIG_RFD_FTL is not set
# CONFIG_SSFDC is not set
# CONFIG_SM_FTL is not set
# CONFIG_MTD_OOPS is not set
# CONFIG_MTD_SWAP is not set

#
# RAM/ROM/Flash chip drivers
#
# CONFIG_MTD_CFI is not set
# CONFIG_MTD_JEDECPROBE is not set
CONFIG_MTD_MAP_BANK_WIDTH_1=y
CONFIG_MTD_MAP_BANK_WIDTH_2=y
CONFIG_MTD_MAP_BANK_WIDTH_4=y
# CONFIG_MTD_MAP_BANK_WIDTH_8 is not set
# CONFIG_MTD_MAP_BANK_WIDTH_16 is not set
# CONFIG_MTD_MAP_BANK_WIDTH_32 is not set
CONFIG_MTD_CFI_I1=y
CONFIG_MTD_CFI_I2=y
# CONFIG_MTD_CFI_I4 is not set
# CONFIG_MTD_CFI_I8 is not set
# CONFIG_MTD_RAM is not set
# CONFIG_MTD_ROM is not set
# CONFIG_MTD_ABSENT is not set

#
# Mapping drivers for chip access
#
# CONFIG_MTD_COMPLEX_MAPPINGS is not set
# CONFIG_MTD_TS5500 is not set
# CONFIG_MTD_INTEL_VR_NOR is not set
# CONFIG_MTD_PLATRAM is not set

#
# Self-contained MTD device drivers
#
# CONFIG_MTD_PMC551 is not set
# CONFIG_MTD_SLRAM is not set
CONFIG_MTD_PHRAM=m
# CONFIG_MTD_MTDRAM is not set
# CONFIG_MTD_BLOCK2MTD is not set

#
# Disk-On-Chip Device Drivers
#
# CONFIG_MTD_DOCG3 is not set
# CONFIG_MTD_NAND is not set
# CONFIG_MTD_ONENAND is not set

#
# LPDDR flash memory drivers
#
# CONFIG_MTD_LPDDR is not set
CONFIG_MTD_UBI=m
CONFIG_MTD_UBI_WL_THRESHOLD=4096
CONFIG_MTD_UBI_BEB_LIMIT=20
# CONFIG_MTD_UBI_FASTMAP is not set
CONFIG_MTD_UBI_GLUEBI=m
CONFIG_PARPORT=m
CONFIG_PARPORT_PC=m
CONFIG_PARPORT_SERIAL=m
# CONFIG_PARPORT_PC_FIFO is not set
# CONFIG_PARPORT_PC_SUPERIO is not set
CONFIG_PARPORT_PC_PCMCIA=m
# CONFIG_PARPORT_GSC is not set
# CONFIG_PARPORT_AX88796 is not set
CONFIG_PARPORT_1284=y
CONFIG_PARPORT_NOT_PC=y
CONFIG_PNP=y
# CONFIG_PNP_DEBUG_MESSAGES is not set

#
# Protocols
#
CONFIG_PNPACPI=y
CONFIG_BLK_DEV=y
CONFIG_BLK_DEV_FD=m
# CONFIG_PARIDE is not set
CONFIG_BLK_DEV_PCIESSD_MTIP32XX=m
CONFIG_BLK_CPQ_DA=m
CONFIG_BLK_CPQ_CISS_DA=m
CONFIG_CISS_SCSI_TAPE=y
CONFIG_BLK_DEV_DAC960=m
CONFIG_BLK_DEV_UMEM=m
# CONFIG_BLK_DEV_COW_COMMON is not set
CONFIG_BLK_DEV_LOOP=y
CONFIG_BLK_DEV_LOOP_MIN_COUNT=8
CONFIG_BLK_DEV_CRYPTOLOOP=m
CONFIG_BLK_DEV_DRBD=m
# CONFIG_DRBD_FAULT_INJECTION is not set
CONFIG_BLK_DEV_NBD=m
CONFIG_BLK_DEV_NVME=m
CONFIG_BLK_DEV_OSD=m
CONFIG_BLK_DEV_SX8=m
CONFIG_BLK_DEV_RAM=m
CONFIG_BLK_DEV_RAM_COUNT=16
CONFIG_BLK_DEV_RAM_SIZE=16384
# CONFIG_BLK_DEV_XIP is not set
CONFIG_CDROM_PKTCDVD=m
CONFIG_CDROM_PKTCDVD_BUFFERS=8
# CONFIG_CDROM_PKTCDVD_WCACHE is not set
CONFIG_ATA_OVER_ETH=m
CONFIG_XEN_BLKDEV_FRONTEND=m
CONFIG_XEN_BLKDEV_BACKEND=m
CONFIG_VIRTIO_BLK=m
# CONFIG_BLK_DEV_HD is not set
CONFIG_BLK_DEV_RBD=m

#
# Misc devices
#
CONFIG_SENSORS_LIS3LV02D=m
# CONFIG_AD525X_DPOT is not set
# CONFIG_IBM_ASM is not set
# CONFIG_PHANTOM is not set
# CONFIG_INTEL_MID_PTI is not set
CONFIG_SGI_IOC4=m
CONFIG_TIFM_CORE=m
CONFIG_TIFM_7XX1=m
# CONFIG_ICS932S401 is not set
CONFIG_ENCLOSURE_SERVICES=m
CONFIG_HP_ILO=m
CONFIG_APDS9802ALS=m
CONFIG_ISL29003=m
CONFIG_ISL29020=m
CONFIG_SENSORS_TSL2550=m
# CONFIG_SENSORS_BH1780 is not set
CONFIG_SENSORS_BH1770=m
CONFIG_SENSORS_APDS990X=m
# CONFIG_HMC6352 is not set
# CONFIG_DS1682 is not set
CONFIG_VMWARE_BALLOON=m
# CONFIG_BMP085_I2C is not set
CONFIG_PCH_PHUB=m
# CONFIG_USB_SWITCH_FSA9480 is not set
# CONFIG_C2PORT is not set

#
# EEPROM support
#
CONFIG_EEPROM_AT24=m
CONFIG_EEPROM_LEGACY=m
CONFIG_EEPROM_MAX6875=m
CONFIG_EEPROM_93CX6=m
CONFIG_CB710_CORE=m
# CONFIG_CB710_DEBUG is not set
CONFIG_CB710_DEBUG_ASSUMPTIONS=y

#
# Texas Instruments shared transport line discipline
#
CONFIG_SENSORS_LIS3_I2C=m

#
# Altera FPGA firmware download module
#
CONFIG_ALTERA_STAPL=m
CONFIG_INTEL_MEI=m
CONFIG_HAVE_IDE=y
# CONFIG_IDE is not set

#
# SCSI device support
#
CONFIG_SCSI_MOD=y
CONFIG_RAID_ATTRS=m
CONFIG_SCSI=y
CONFIG_SCSI_DMA=y
CONFIG_SCSI_TGT=m
CONFIG_SCSI_NETLINK=y
CONFIG_SCSI_PROC_FS=y

#
# SCSI support type (disk, tape, CD-ROM)
#
CONFIG_BLK_DEV_SD=y
CONFIG_CHR_DEV_ST=m
CONFIG_CHR_DEV_OSST=m
CONFIG_BLK_DEV_SR=y
CONFIG_BLK_DEV_SR_VENDOR=y
CONFIG_CHR_DEV_SG=y
CONFIG_CHR_DEV_SCH=m
CONFIG_SCSI_ENCLOSURE=m
CONFIG_SCSI_MULTI_LUN=y
CONFIG_SCSI_CONSTANTS=y
CONFIG_SCSI_LOGGING=y
CONFIG_SCSI_SCAN_ASYNC=y

#
# SCSI Transports
#
CONFIG_SCSI_SPI_ATTRS=m
CONFIG_SCSI_FC_ATTRS=m
CONFIG_SCSI_FC_TGT_ATTRS=y
CONFIG_SCSI_ISCSI_ATTRS=m
CONFIG_SCSI_SAS_ATTRS=m
CONFIG_SCSI_SAS_LIBSAS=m
CONFIG_SCSI_SAS_ATA=y
CONFIG_SCSI_SAS_HOST_SMP=y
CONFIG_SCSI_SRP_ATTRS=m
CONFIG_SCSI_SRP_TGT_ATTRS=y
CONFIG_SCSI_LOWLEVEL=y
CONFIG_ISCSI_TCP=m
CONFIG_ISCSI_BOOT_SYSFS=m
CONFIG_SCSI_CXGB3_ISCSI=m
CONFIG_SCSI_CXGB4_ISCSI=m
CONFIG_SCSI_BNX2_ISCSI=m
CONFIG_SCSI_BNX2X_FCOE=m
CONFIG_BE2ISCSI=m
CONFIG_BLK_DEV_3W_XXXX_RAID=m
CONFIG_SCSI_HPSA=m
CONFIG_SCSI_3W_9XXX=m
CONFIG_SCSI_3W_SAS=m
CONFIG_SCSI_ACARD=m
CONFIG_SCSI_AACRAID=m
CONFIG_SCSI_AIC7XXX=m
CONFIG_AIC7XXX_CMDS_PER_DEVICE=4
CONFIG_AIC7XXX_RESET_DELAY_MS=15000
# CONFIG_AIC7XXX_DEBUG_ENABLE is not set
CONFIG_AIC7XXX_DEBUG_MASK=0
# CONFIG_AIC7XXX_REG_PRETTY_PRINT is not set
CONFIG_SCSI_AIC7XXX_OLD=m
CONFIG_SCSI_AIC79XX=m
CONFIG_AIC79XX_CMDS_PER_DEVICE=4
CONFIG_AIC79XX_RESET_DELAY_MS=15000
# CONFIG_AIC79XX_DEBUG_ENABLE is not set
CONFIG_AIC79XX_DEBUG_MASK=0
# CONFIG_AIC79XX_REG_PRETTY_PRINT is not set
CONFIG_SCSI_AIC94XX=m
# CONFIG_AIC94XX_DEBUG is not set
CONFIG_SCSI_MVSAS=m
# CONFIG_SCSI_MVSAS_DEBUG is not set
CONFIG_SCSI_MVSAS_TASKLET=y
CONFIG_SCSI_MVUMI=m
# CONFIG_SCSI_DPT_I2O is not set
CONFIG_SCSI_ADVANSYS=m
CONFIG_SCSI_ARCMSR=m
CONFIG_MEGARAID_NEWGEN=y
CONFIG_MEGARAID_MM=m
CONFIG_MEGARAID_MAILBOX=m
CONFIG_MEGARAID_LEGACY=m
CONFIG_MEGARAID_SAS=m
CONFIG_SCSI_MPT2SAS=m
CONFIG_SCSI_MPT2SAS_MAX_SGE=128
CONFIG_SCSI_MPT2SAS_LOGGING=y
CONFIG_SCSI_UFSHCD=m
CONFIG_SCSI_HPTIOP=m
CONFIG_SCSI_BUSLOGIC=m
CONFIG_VMWARE_PVSCSI=m
CONFIG_HYPERV_STORAGE=m
CONFIG_LIBFC=m
CONFIG_LIBFCOE=m
CONFIG_FCOE=m
CONFIG_FCOE_FNIC=m
# CONFIG_SCSI_DMX3191D is not set
# CONFIG_SCSI_EATA is not set
# CONFIG_SCSI_FUTURE_DOMAIN is not set
CONFIG_SCSI_GDTH=m
CONFIG_SCSI_ISCI=m
CONFIG_SCSI_IPS=m
CONFIG_SCSI_INITIO=m
CONFIG_SCSI_INIA100=m
# CONFIG_SCSI_PPA is not set
# CONFIG_SCSI_IMM is not set
CONFIG_SCSI_STEX=m
CONFIG_SCSI_SYM53C8XX_2=m
CONFIG_SCSI_SYM53C8XX_DMA_ADDRESSING_MODE=1
CONFIG_SCSI_SYM53C8XX_DEFAULT_TAGS=16
CONFIG_SCSI_SYM53C8XX_MAX_TAGS=64
CONFIG_SCSI_SYM53C8XX_MMIO=y
# CONFIG_SCSI_IPR is not set
CONFIG_SCSI_QLOGIC_1280=m
CONFIG_SCSI_QLA_FC=m
CONFIG_TCM_QLA2XXX=m
CONFIG_SCSI_QLA_ISCSI=m
CONFIG_SCSI_LPFC=m
# CONFIG_SCSI_LPFC_DEBUG_FS is not set
CONFIG_SCSI_DC395x=m
CONFIG_SCSI_DC390T=m
CONFIG_SCSI_DEBUG=m
CONFIG_SCSI_PMCRAID=m
CONFIG_SCSI_PM8001=m
CONFIG_SCSI_SRP=m
CONFIG_SCSI_BFA_FC=m
CONFIG_SCSI_VIRTIO=m
# CONFIG_SCSI_LOWLEVEL_PCMCIA is not set
CONFIG_SCSI_DH=y
CONFIG_SCSI_DH_RDAC=m
CONFIG_SCSI_DH_HP_SW=m
CONFIG_SCSI_DH_EMC=m
CONFIG_SCSI_DH_ALUA=m
CONFIG_SCSI_OSD_INITIATOR=m
CONFIG_SCSI_OSD_ULD=m
CONFIG_SCSI_OSD_DPRINT_SENSE=1
# CONFIG_SCSI_OSD_DEBUG is not set
CONFIG_ATA=y
# CONFIG_ATA_NONSTANDARD is not set
CONFIG_ATA_VERBOSE_ERROR=y
CONFIG_ATA_ACPI=y
CONFIG_SATA_PMP=y

#
# Controllers with non-SFF native interface
#
CONFIG_SATA_AHCI=y
CONFIG_SATA_AHCI_PLATFORM=m
CONFIG_SATA_INIC162X=m
CONFIG_SATA_ACARD_AHCI=m
CONFIG_SATA_SIL24=m
CONFIG_ATA_SFF=y

#
# SFF controllers with custom DMA interface
#
CONFIG_PDC_ADMA=m
CONFIG_SATA_QSTOR=m
CONFIG_SATA_SX4=m
CONFIG_ATA_BMDMA=y

#
# SATA SFF controllers with BMDMA
#
CONFIG_ATA_PIIX=y
# CONFIG_SATA_HIGHBANK is not set
CONFIG_SATA_MV=m
CONFIG_SATA_NV=m
CONFIG_SATA_PROMISE=m
CONFIG_SATA_SIL=m
CONFIG_SATA_SIS=m
CONFIG_SATA_SVW=m
CONFIG_SATA_ULI=m
CONFIG_SATA_VIA=m
CONFIG_SATA_VITESSE=m

#
# PATA SFF controllers with BMDMA
#
CONFIG_PATA_ALI=m
CONFIG_PATA_AMD=m
CONFIG_PATA_ARASAN_CF=m
CONFIG_PATA_ARTOP=m
CONFIG_PATA_ATIIXP=m
CONFIG_PATA_ATP867X=m
CONFIG_PATA_CMD64X=m
CONFIG_PATA_CS5520=m
CONFIG_PATA_CS5530=m
CONFIG_PATA_CS5536=m
CONFIG_PATA_CYPRESS=m
CONFIG_PATA_EFAR=m
CONFIG_PATA_HPT366=m
CONFIG_PATA_HPT37X=m
CONFIG_PATA_HPT3X2N=m
CONFIG_PATA_HPT3X3=m
# CONFIG_PATA_HPT3X3_DMA is not set
CONFIG_PATA_IT8213=m
CONFIG_PATA_IT821X=m
CONFIG_PATA_JMICRON=m
CONFIG_PATA_MARVELL=m
CONFIG_PATA_NETCELL=m
CONFIG_PATA_NINJA32=m
CONFIG_PATA_NS87415=m
CONFIG_PATA_OLDPIIX=m
CONFIG_PATA_OPTIDMA=m
CONFIG_PATA_PDC2027X=m
CONFIG_PATA_PDC_OLD=m
# CONFIG_PATA_RADISYS is not set
CONFIG_PATA_RDC=m
# CONFIG_PATA_SC1200 is not set
CONFIG_PATA_SCH=m
CONFIG_PATA_SERVERWORKS=m
CONFIG_PATA_SIL680=m
CONFIG_PATA_SIS=m
CONFIG_PATA_TOSHIBA=m
CONFIG_PATA_TRIFLEX=m
CONFIG_PATA_VIA=m
CONFIG_PATA_WINBOND=m

#
# PIO-only SFF controllers
#
CONFIG_PATA_CMD640_PCI=m
CONFIG_PATA_MPIIX=m
CONFIG_PATA_NS87410=m
CONFIG_PATA_OPTI=m
CONFIG_PATA_PCMCIA=m
# CONFIG_PATA_RZ1000 is not set

#
# Generic fallback / legacy drivers
#
CONFIG_PATA_ACPI=m
CONFIG_ATA_GENERIC=m
# CONFIG_PATA_LEGACY is not set
CONFIG_MD=y
CONFIG_BLK_DEV_MD=y
CONFIG_MD_AUTODETECT=y
CONFIG_MD_LINEAR=m
CONFIG_MD_RAID0=m
CONFIG_MD_RAID1=m
CONFIG_MD_RAID10=m
CONFIG_MD_RAID456=m
# CONFIG_MULTICORE_RAID456 is not set
CONFIG_MD_MULTIPATH=m
CONFIG_MD_FAULTY=m
CONFIG_BLK_DEV_DM=y
CONFIG_DM_DEBUG=y
CONFIG_DM_BUFIO=m
CONFIG_DM_BIO_PRISON=m
CONFIG_DM_PERSISTENT_DATA=m
CONFIG_DM_CRYPT=m
CONFIG_DM_SNAPSHOT=y
CONFIG_DM_THIN_PROVISIONING=m
# CONFIG_DM_DEBUG_BLOCK_STACK_TRACING is not set
CONFIG_DM_MIRROR=y
CONFIG_DM_RAID=m
CONFIG_DM_LOG_USERSPACE=m
CONFIG_DM_ZERO=y
CONFIG_DM_MULTIPATH=m
CONFIG_DM_MULTIPATH_QL=m
CONFIG_DM_MULTIPATH_ST=m
# CONFIG_DM_DELAY is not set
CONFIG_DM_UEVENT=y
CONFIG_DM_FLAKEY=m
CONFIG_DM_VERITY=m
CONFIG_TARGET_CORE=m
CONFIG_TCM_IBLOCK=m
CONFIG_TCM_FILEIO=m
CONFIG_TCM_PSCSI=m
CONFIG_LOOPBACK_TARGET=m
CONFIG_TCM_FC=m
CONFIG_ISCSI_TARGET=m
CONFIG_SBP_TARGET=m
CONFIG_FUSION=y
CONFIG_FUSION_SPI=m
CONFIG_FUSION_FC=m
CONFIG_FUSION_SAS=m
CONFIG_FUSION_MAX_SGE=40
CONFIG_FUSION_CTL=m
CONFIG_FUSION_LAN=m
CONFIG_FUSION_LOGGING=y

#
# IEEE 1394 (FireWire) support
#
CONFIG_FIREWIRE=m
CONFIG_FIREWIRE_OHCI=m
CONFIG_FIREWIRE_SBP2=m
CONFIG_FIREWIRE_NET=m
CONFIG_FIREWIRE_NOSY=m
# CONFIG_I2O is not set
CONFIG_MACINTOSH_DRIVERS=y
CONFIG_MAC_EMUMOUSEBTN=y
CONFIG_NETDEVICES=y
CONFIG_NET_CORE=y
CONFIG_BONDING=m
CONFIG_DUMMY=m
CONFIG_EQUALIZER=m
CONFIG_NET_FC=y
CONFIG_MII=m
CONFIG_IFB=m
CONFIG_NET_TEAM=m
CONFIG_NET_TEAM_MODE_BROADCAST=m
CONFIG_NET_TEAM_MODE_ROUNDROBIN=m
CONFIG_NET_TEAM_MODE_ACTIVEBACKUP=m
CONFIG_NET_TEAM_MODE_LOADBALANCE=m
CONFIG_MACVLAN=m
CONFIG_MACVTAP=m
# CONFIG_VXLAN is not set
CONFIG_NETCONSOLE=m
CONFIG_NETCONSOLE_DYNAMIC=y
CONFIG_NETPOLL=y
CONFIG_NETPOLL_TRAP=y
CONFIG_NET_POLL_CONTROLLER=y
CONFIG_TUN=m
CONFIG_VETH=m
CONFIG_VIRTIO_NET=m
CONFIG_SUNGEM_PHY=m
# CONFIG_ARCNET is not set
CONFIG_ATM_DRIVERS=y
# CONFIG_ATM_DUMMY is not set
CONFIG_ATM_TCP=m
# CONFIG_ATM_LANAI is not set
CONFIG_ATM_ENI=m
# CONFIG_ATM_ENI_DEBUG is not set
# CONFIG_ATM_ENI_TUNE_BURST is not set
CONFIG_ATM_FIRESTREAM=m
# CONFIG_ATM_ZATM is not set
CONFIG_ATM_NICSTAR=m
# CONFIG_ATM_NICSTAR_USE_SUNI is not set
# CONFIG_ATM_NICSTAR_USE_IDT77105 is not set
# CONFIG_ATM_IDT77252 is not set
# CONFIG_ATM_AMBASSADOR is not set
# CONFIG_ATM_HORIZON is not set
# CONFIG_ATM_IA is not set
# CONFIG_ATM_FORE200E is not set
CONFIG_ATM_HE=m
# CONFIG_ATM_HE_USE_SUNI is not set
CONFIG_ATM_SOLOS=m

#
# CAIF transport drivers
#

#
# Distributed Switch Architecture drivers
#
CONFIG_NET_DSA_MV88E6XXX=m
CONFIG_NET_DSA_MV88E6060=m
CONFIG_NET_DSA_MV88E6XXX_NEED_PPU=y
CONFIG_NET_DSA_MV88E6131=m
CONFIG_NET_DSA_MV88E6123_61_65=m
CONFIG_ETHERNET=y
CONFIG_MDIO=m
CONFIG_NET_VENDOR_3COM=y
CONFIG_PCMCIA_3C574=m
CONFIG_PCMCIA_3C589=m
CONFIG_VORTEX=m
CONFIG_TYPHOON=m
CONFIG_NET_VENDOR_ADAPTEC=y
CONFIG_ADAPTEC_STARFIRE=m
CONFIG_NET_VENDOR_ALTEON=y
CONFIG_ACENIC=m
# CONFIG_ACENIC_OMIT_TIGON_I is not set
CONFIG_NET_VENDOR_AMD=y
CONFIG_AMD8111_ETH=m
CONFIG_PCNET32=m
CONFIG_PCMCIA_NMCLAN=m
CONFIG_NET_VENDOR_ATHEROS=y
CONFIG_ATL2=m
CONFIG_ATL1=m
CONFIG_ATL1E=m
CONFIG_ATL1C=m
CONFIG_NET_VENDOR_BROADCOM=y
CONFIG_B44=m
CONFIG_B44_PCI_AUTOSELECT=y
CONFIG_B44_PCICORE_AUTOSELECT=y
CONFIG_B44_PCI=y
CONFIG_BNX2=m
CONFIG_CNIC=m
CONFIG_TIGON3=m
CONFIG_BNX2X=m
CONFIG_NET_VENDOR_BROCADE=y
CONFIG_BNA=m
CONFIG_NET_CALXEDA_XGMAC=m
CONFIG_NET_VENDOR_CHELSIO=y
CONFIG_CHELSIO_T1=m
CONFIG_CHELSIO_T1_1G=y
CONFIG_CHELSIO_T3=m
CONFIG_CHELSIO_T4=m
CONFIG_CHELSIO_T4VF=m
CONFIG_NET_VENDOR_CISCO=y
CONFIG_ENIC=m
CONFIG_DNET=m
CONFIG_NET_VENDOR_DEC=y
CONFIG_NET_TULIP=y
CONFIG_DE2104X=m
CONFIG_DE2104X_DSL=0
CONFIG_TULIP=m
# CONFIG_TULIP_MWI is not set
CONFIG_TULIP_MMIO=y
# CONFIG_TULIP_NAPI is not set
CONFIG_DE4X5=m
CONFIG_WINBOND_840=m
CONFIG_DM9102=m
CONFIG_ULI526X=m
CONFIG_PCMCIA_XIRCOM=m
CONFIG_NET_VENDOR_DLINK=y
CONFIG_DE600=m
CONFIG_DE620=m
CONFIG_DL2K=m
CONFIG_SUNDANCE=m
# CONFIG_SUNDANCE_MMIO is not set
CONFIG_NET_VENDOR_EMULEX=y
CONFIG_BE2NET=m
CONFIG_NET_VENDOR_EXAR=y
CONFIG_S2IO=m
CONFIG_VXGE=m
# CONFIG_VXGE_DEBUG_TRACE_ALL is not set
# CONFIG_NET_VENDOR_FUJITSU is not set
# CONFIG_NET_VENDOR_HP is not set
CONFIG_NET_VENDOR_INTEL=y
CONFIG_E100=m
CONFIG_E1000=m
CONFIG_E1000E=m
CONFIG_IGB=m
CONFIG_IGB_DCA=y
CONFIG_IGB_PTP=y
CONFIG_IGBVF=m
CONFIG_IXGB=m
CONFIG_IXGBE=m
CONFIG_IXGBE_HWMON=y
CONFIG_IXGBE_DCA=y
CONFIG_IXGBE_DCB=y
CONFIG_IXGBE_PTP=y
CONFIG_IXGBEVF=m
# CONFIG_NET_VENDOR_I825XX is not set
CONFIG_IP1000=m
CONFIG_JME=m
CONFIG_NET_VENDOR_MARVELL=y
CONFIG_SKGE=m
# CONFIG_SKGE_DEBUG is not set
CONFIG_SKGE_GENESIS=y
CONFIG_SKY2=m
# CONFIG_SKY2_DEBUG is not set
CONFIG_NET_VENDOR_MELLANOX=y
CONFIG_MLX4_EN=m
CONFIG_MLX4_EN_DCB=y
CONFIG_MLX4_CORE=m
CONFIG_MLX4_DEBUG=y
CONFIG_NET_VENDOR_MICREL=y
# CONFIG_KS8842 is not set
# CONFIG_KS8851_MLL is not set
CONFIG_KSZ884X_PCI=m
CONFIG_NET_VENDOR_MYRI=y
CONFIG_MYRI10GE=m
CONFIG_MYRI10GE_DCA=y
CONFIG_FEALNX=m
CONFIG_NET_VENDOR_NATSEMI=y
CONFIG_NATSEMI=m
CONFIG_NS83820=m
CONFIG_NET_VENDOR_8390=y
CONFIG_PCMCIA_AXNET=m
CONFIG_NE2K_PCI=m
CONFIG_PCMCIA_PCNET=m
CONFIG_NET_VENDOR_NVIDIA=y
CONFIG_FORCEDETH=m
CONFIG_NET_VENDOR_OKI=y
CONFIG_PCH_GBE=m
# CONFIG_PCH_PTP is not set
CONFIG_ETHOC=m
CONFIG_NET_PACKET_ENGINE=y
CONFIG_HAMACHI=m
CONFIG_YELLOWFIN=m
CONFIG_NET_VENDOR_QLOGIC=y
CONFIG_QLA3XXX=m
CONFIG_QLCNIC=m
CONFIG_QLGE=m
CONFIG_NETXEN_NIC=m
CONFIG_NET_VENDOR_REALTEK=y
CONFIG_ATP=m
CONFIG_8139CP=m
CONFIG_8139TOO=m
# CONFIG_8139TOO_PIO is not set
# CONFIG_8139TOO_TUNE_TWISTER is not set
CONFIG_8139TOO_8129=y
# CONFIG_8139_OLD_RX_RESET is not set
CONFIG_R8169=m
CONFIG_NET_VENDOR_RDC=y
CONFIG_R6040=m
# CONFIG_NET_VENDOR_SEEQ is not set
CONFIG_NET_VENDOR_SILAN=y
CONFIG_SC92031=m
CONFIG_NET_VENDOR_SIS=y
CONFIG_SIS900=m
CONFIG_SIS190=m
CONFIG_SFC=m
# CONFIG_SFC_MTD is not set
CONFIG_SFC_MCDI_MON=y
CONFIG_SFC_SRIOV=y
CONFIG_SFC_PTP=y
CONFIG_NET_VENDOR_SMSC=y
CONFIG_PCMCIA_SMC91C92=m
CONFIG_EPIC100=m
CONFIG_SMSC9420=m
CONFIG_NET_VENDOR_STMICRO=y
CONFIG_STMMAC_ETH=m
# CONFIG_STMMAC_PLATFORM is not set
# CONFIG_STMMAC_PCI is not set
# CONFIG_STMMAC_DEBUG_FS is not set
# CONFIG_STMMAC_DA is not set
CONFIG_STMMAC_RING=y
# CONFIG_STMMAC_CHAINED is not set
CONFIG_NET_VENDOR_SUN=y
CONFIG_HAPPYMEAL=m
CONFIG_SUNGEM=m
CONFIG_CASSINI=m
CONFIG_NIU=m
CONFIG_NET_VENDOR_TEHUTI=y
CONFIG_TEHUTI=m
CONFIG_NET_VENDOR_TI=y
CONFIG_TLAN=m
CONFIG_NET_VENDOR_VIA=y
CONFIG_VIA_RHINE=m
CONFIG_VIA_RHINE_MMIO=y
CONFIG_VIA_VELOCITY=m
CONFIG_NET_VENDOR_WIZNET=y
CONFIG_WIZNET_W5100=m
CONFIG_WIZNET_W5300=m
# CONFIG_WIZNET_BUS_DIRECT is not set
# CONFIG_WIZNET_BUS_INDIRECT is not set
CONFIG_WIZNET_BUS_ANY=y
CONFIG_NET_VENDOR_XIRCOM=y
CONFIG_PCMCIA_XIRC2PS=m
# CONFIG_FDDI is not set
# CONFIG_HIPPI is not set
# CONFIG_NET_SB1000 is not set
CONFIG_PHYLIB=y

#
# MII PHY device drivers
#
# CONFIG_AT803X_PHY is not set
CONFIG_AMD_PHY=m
CONFIG_MARVELL_PHY=m
CONFIG_DAVICOM_PHY=m
CONFIG_QSEMI_PHY=m
CONFIG_LXT_PHY=m
CONFIG_CICADA_PHY=m
CONFIG_VITESSE_PHY=m
CONFIG_SMSC_PHY=m
CONFIG_BROADCOM_PHY=m
CONFIG_BCM87XX_PHY=m
CONFIG_ICPLUS_PHY=m
CONFIG_REALTEK_PHY=m
CONFIG_NATIONAL_PHY=m
CONFIG_STE10XP=m
CONFIG_LSI_ET1011C_PHY=m
CONFIG_MICREL_PHY=m
CONFIG_FIXED_PHY=y
CONFIG_MDIO_BITBANG=m
# CONFIG_PLIP is not set
CONFIG_PPP=m
CONFIG_PPP_BSDCOMP=m
CONFIG_PPP_DEFLATE=m
CONFIG_PPP_FILTER=y
CONFIG_PPP_MPPE=m
CONFIG_PPP_MULTILINK=y
CONFIG_PPPOATM=m
CONFIG_PPPOE=m
CONFIG_PPTP=m
CONFIG_PPPOL2TP=m
CONFIG_PPP_ASYNC=m
CONFIG_PPP_SYNC_TTY=m
CONFIG_SLIP=m
CONFIG_SLHC=m
CONFIG_SLIP_COMPRESSED=y
CONFIG_SLIP_SMART=y
# CONFIG_SLIP_MODE_SLIP6 is not set

#
# USB Network Adapters
#
CONFIG_USB_CATC=m
CONFIG_USB_KAWETH=m
CONFIG_USB_PEGASUS=m
CONFIG_USB_RTL8150=m
CONFIG_USB_USBNET=m
CONFIG_USB_NET_AX8817X=m
CONFIG_USB_NET_CDCETHER=m
CONFIG_USB_NET_CDC_EEM=m
CONFIG_USB_NET_CDC_NCM=m
CONFIG_USB_NET_DM9601=m
CONFIG_USB_NET_SMSC75XX=m
CONFIG_USB_NET_SMSC95XX=m
CONFIG_USB_NET_GL620A=m
CONFIG_USB_NET_NET1080=m
CONFIG_USB_NET_PLUSB=m
CONFIG_USB_NET_MCS7830=m
CONFIG_USB_NET_RNDIS_HOST=m
CONFIG_USB_NET_CDC_SUBSET=m
CONFIG_USB_ALI_M5632=y
CONFIG_USB_AN2720=y
CONFIG_USB_BELKIN=y
CONFIG_USB_ARMLINUX=y
CONFIG_USB_EPSON2888=y
CONFIG_USB_KC2190=y
CONFIG_USB_NET_ZAURUS=m
CONFIG_USB_NET_CX82310_ETH=m
CONFIG_USB_NET_KALMIA=m
CONFIG_USB_NET_QMI_WWAN=m
CONFIG_USB_HSO=m
CONFIG_USB_NET_INT51X1=m
CONFIG_USB_IPHETH=m
CONFIG_USB_SIERRA_NET=m
CONFIG_USB_VL600=m
CONFIG_WLAN=y
# CONFIG_PCMCIA_RAYCS is not set
# CONFIG_LIBERTAS_THINFIRM is not set
# CONFIG_AIRO is not set
# CONFIG_ATMEL is not set
CONFIG_AT76C50X_USB=m
# CONFIG_AIRO_CS is not set
# CONFIG_PCMCIA_WL3501 is not set
# CONFIG_PRISM54 is not set
# CONFIG_USB_ZD1201 is not set
CONFIG_USB_NET_RNDIS_WLAN=m
CONFIG_RTL8180=m
CONFIG_RTL8187=m
CONFIG_RTL8187_LEDS=y
# CONFIG_ADM8211 is not set
CONFIG_MAC80211_HWSIM=m
CONFIG_MWL8K=m
CONFIG_ATH_COMMON=m
# CONFIG_ATH_DEBUG is not set
CONFIG_ATH5K=m
CONFIG_ATH5K_DEBUG=y
# CONFIG_ATH5K_TRACER is not set
CONFIG_ATH5K_PCI=y
CONFIG_ATH9K_HW=m
CONFIG_ATH9K_COMMON=m
CONFIG_ATH9K_BTCOEX_SUPPORT=y
CONFIG_ATH9K=m
CONFIG_ATH9K_PCI=y
CONFIG_ATH9K_AHB=y
CONFIG_ATH9K_DEBUGFS=y
# CONFIG_ATH9K_MAC_DEBUG is not set
CONFIG_ATH9K_RATE_CONTROL=y
CONFIG_ATH9K_HTC=m
# CONFIG_ATH9K_HTC_DEBUGFS is not set
CONFIG_CARL9170=m
CONFIG_CARL9170_LEDS=y
# CONFIG_CARL9170_DEBUGFS is not set
CONFIG_CARL9170_WPC=y
# CONFIG_CARL9170_HWRNG is not set
CONFIG_ATH6KL=m
CONFIG_ATH6KL_SDIO=m
CONFIG_ATH6KL_USB=m
CONFIG_ATH6KL_DEBUG=y
CONFIG_B43=m
CONFIG_B43_BCMA=y
# CONFIG_B43_BCMA_EXTRA is not set
CONFIG_B43_SSB=y
CONFIG_B43_PCI_AUTOSELECT=y
CONFIG_B43_PCICORE_AUTOSELECT=y
CONFIG_B43_PCMCIA=y
CONFIG_B43_SDIO=y
CONFIG_B43_BCMA_PIO=y
CONFIG_B43_PIO=y
CONFIG_B43_PHY_N=y
CONFIG_B43_PHY_LP=y
CONFIG_B43_PHY_HT=y
CONFIG_B43_LEDS=y
CONFIG_B43_HWRNG=y
# CONFIG_B43_DEBUG is not set
CONFIG_B43LEGACY=m
CONFIG_B43LEGACY_PCI_AUTOSELECT=y
CONFIG_B43LEGACY_PCICORE_AUTOSELECT=y
CONFIG_B43LEGACY_LEDS=y
CONFIG_B43LEGACY_HWRNG=y
# CONFIG_B43LEGACY_DEBUG is not set
CONFIG_B43LEGACY_DMA=y
CONFIG_B43LEGACY_PIO=y
CONFIG_B43LEGACY_DMA_AND_PIO_MODE=y
# CONFIG_B43LEGACY_DMA_MODE is not set
# CONFIG_B43LEGACY_PIO_MODE is not set
CONFIG_BRCMUTIL=m
CONFIG_BRCMSMAC=m
CONFIG_BRCMFMAC=m
CONFIG_BRCMFMAC_SDIO=y
CONFIG_BRCMFMAC_SDIO_OOB=y
CONFIG_BRCMFMAC_USB=y
# CONFIG_BRCMISCAN is not set
# CONFIG_BRCMDBG is not set
# CONFIG_HOSTAP is not set
CONFIG_IPW2100=m
CONFIG_IPW2100_MONITOR=y
# CONFIG_IPW2100_DEBUG is not set
CONFIG_IPW2200=m
CONFIG_IPW2200_MONITOR=y
CONFIG_IPW2200_RADIOTAP=y
CONFIG_IPW2200_PROMISCUOUS=y
CONFIG_IPW2200_QOS=y
# CONFIG_IPW2200_DEBUG is not set
CONFIG_LIBIPW=m
# CONFIG_LIBIPW_DEBUG is not set
CONFIG_IWLWIFI=m
CONFIG_IWLDVM=m

#
# Debugging Options
#
CONFIG_IWLWIFI_DEBUG=y
CONFIG_IWLWIFI_DEBUGFS=y
# CONFIG_IWLWIFI_DEBUG_EXPERIMENTAL_UCODE is not set
# CONFIG_IWLWIFI_DEVICE_TRACING is not set
# CONFIG_IWLWIFI_P2P is not set
# CONFIG_IWLWIFI_EXPERIMENTAL_MFP is not set
CONFIG_IWLEGACY=m
CONFIG_IWL4965=m
CONFIG_IWL3945=m

#
# iwl3945 / iwl4965 Debugging Options
#
CONFIG_IWLEGACY_DEBUG=y
CONFIG_IWLEGACY_DEBUGFS=y
CONFIG_LIBERTAS=m
CONFIG_LIBERTAS_USB=m
CONFIG_LIBERTAS_CS=m
CONFIG_LIBERTAS_SDIO=m
# CONFIG_LIBERTAS_DEBUG is not set
CONFIG_LIBERTAS_MESH=y
# CONFIG_HERMES is not set
CONFIG_P54_COMMON=m
CONFIG_P54_USB=m
CONFIG_P54_PCI=m
CONFIG_P54_LEDS=y
CONFIG_RT2X00=m
CONFIG_RT2400PCI=m
CONFIG_RT2500PCI=m
CONFIG_RT61PCI=m
CONFIG_RT2800PCI=m
CONFIG_RT2800PCI_RT33XX=y
CONFIG_RT2800PCI_RT35XX=y
CONFIG_RT2800PCI_RT53XX=y
CONFIG_RT2800PCI_RT3290=y
CONFIG_RT2500USB=m
CONFIG_RT73USB=m
CONFIG_RT2800USB=m
CONFIG_RT2800USB_RT33XX=y
CONFIG_RT2800USB_RT35XX=y
CONFIG_RT2800USB_RT53XX=y
CONFIG_RT2800USB_UNKNOWN=y
CONFIG_RT2800_LIB=m
CONFIG_RT2X00_LIB_PCI=m
CONFIG_RT2X00_LIB_USB=m
CONFIG_RT2X00_LIB=m
CONFIG_RT2X00_LIB_FIRMWARE=y
CONFIG_RT2X00_LIB_CRYPTO=y
CONFIG_RT2X00_LIB_LEDS=y
CONFIG_RT2X00_LIB_DEBUGFS=y
# CONFIG_RT2X00_DEBUG is not set
CONFIG_RTL8192CE=m
CONFIG_RTL8192SE=m
CONFIG_RTL8192DE=m
CONFIG_RTL8192CU=m
CONFIG_RTLWIFI=m
# CONFIG_RTLWIFI_DEBUG is not set
CONFIG_RTL8192C_COMMON=m
# CONFIG_WL_TI is not set
CONFIG_ZD1211RW=m
# CONFIG_ZD1211RW_DEBUG is not set
CONFIG_MWIFIEX=m
CONFIG_MWIFIEX_SDIO=m
CONFIG_MWIFIEX_PCIE=m
CONFIG_MWIFIEX_USB=m

#
# WiMAX Wireless Broadband devices
#
CONFIG_WIMAX_I2400M=m
CONFIG_WIMAX_I2400M_USB=m
CONFIG_WIMAX_I2400M_DEBUG_LEVEL=8
# CONFIG_WAN is not set
CONFIG_IEEE802154_DRIVERS=m
CONFIG_IEEE802154_FAKEHARD=m
CONFIG_IEEE802154_FAKELB=m
CONFIG_XEN_NETDEV_FRONTEND=m
CONFIG_XEN_NETDEV_BACKEND=m
CONFIG_VMXNET3=m
CONFIG_HYPERV_NET=m
CONFIG_ISDN=y
CONFIG_ISDN_I4L=m
CONFIG_ISDN_PPP=y
CONFIG_ISDN_PPP_VJ=y
CONFIG_ISDN_MPP=y
CONFIG_IPPP_FILTER=y
# CONFIG_ISDN_PPP_BSDCOMP is not set
CONFIG_ISDN_AUDIO=y
CONFIG_ISDN_TTY_FAX=y

#
# ISDN feature submodules
#
CONFIG_ISDN_DIVERSION=m

#
# ISDN4Linux hardware drivers
#

#
# Passive cards
#
CONFIG_ISDN_DRV_HISAX=m

#
# D-channel protocol features
#
CONFIG_HISAX_EURO=y
CONFIG_DE_AOC=y
CONFIG_HISAX_NO_SENDCOMPLETE=y
CONFIG_HISAX_NO_LLC=y
CONFIG_HISAX_NO_KEYPAD=y
CONFIG_HISAX_1TR6=y
CONFIG_HISAX_NI1=y
CONFIG_HISAX_MAX_CARDS=8

#
# HiSax supported cards
#
CONFIG_HISAX_16_3=y
CONFIG_HISAX_TELESPCI=y
CONFIG_HISAX_S0BOX=y
CONFIG_HISAX_FRITZPCI=y
CONFIG_HISAX_AVM_A1_PCMCIA=y
CONFIG_HISAX_ELSA=y
CONFIG_HISAX_DIEHLDIVA=y
CONFIG_HISAX_SEDLBAUER=y
CONFIG_HISAX_NETJET=y
CONFIG_HISAX_NETJET_U=y
CONFIG_HISAX_NICCY=y
CONFIG_HISAX_BKM_A4T=y
CONFIG_HISAX_SCT_QUADRO=y
CONFIG_HISAX_GAZEL=y
CONFIG_HISAX_HFC_PCI=y
CONFIG_HISAX_W6692=y
CONFIG_HISAX_HFC_SX=y
CONFIG_HISAX_ENTERNOW_PCI=y
# CONFIG_HISAX_DEBUG is not set

#
# HiSax PCMCIA card service modules
#
CONFIG_HISAX_SEDLBAUER_CS=m
CONFIG_HISAX_ELSA_CS=m
CONFIG_HISAX_AVM_A1_CS=m
CONFIG_HISAX_TELES_CS=m

#
# HiSax sub driver modules
#
CONFIG_HISAX_ST5481=m
# CONFIG_HISAX_HFCUSB is not set
CONFIG_HISAX_HFC4S8S=m
CONFIG_HISAX_FRITZ_PCIPNP=m

#
# Active cards
#
CONFIG_ISDN_CAPI=m
CONFIG_ISDN_DRV_AVMB1_VERBOSE_REASON=y
# CONFIG_CAPI_TRACE is not set
CONFIG_ISDN_CAPI_MIDDLEWARE=y
CONFIG_ISDN_CAPI_CAPI20=m
CONFIG_ISDN_CAPI_CAPIDRV=m

#
# CAPI hardware drivers
#
CONFIG_CAPI_AVM=y
CONFIG_ISDN_DRV_AVMB1_B1PCI=m
CONFIG_ISDN_DRV_AVMB1_B1PCIV4=y
CONFIG_ISDN_DRV_AVMB1_B1PCMCIA=m
CONFIG_ISDN_DRV_AVMB1_AVM_CS=m
CONFIG_ISDN_DRV_AVMB1_T1PCI=m
CONFIG_ISDN_DRV_AVMB1_C4=m
CONFIG_CAPI_EICON=y
CONFIG_ISDN_DIVAS=m
CONFIG_ISDN_DIVAS_BRIPCI=y
CONFIG_ISDN_DIVAS_PRIPCI=y
CONFIG_ISDN_DIVAS_DIVACAPI=m
CONFIG_ISDN_DIVAS_USERIDI=m
CONFIG_ISDN_DIVAS_MAINT=m
CONFIG_ISDN_DRV_GIGASET=m
CONFIG_GIGASET_CAPI=y
# CONFIG_GIGASET_I4L is not set
# CONFIG_GIGASET_DUMMYLL is not set
CONFIG_GIGASET_BASE=m
CONFIG_GIGASET_M105=m
CONFIG_GIGASET_M101=m
# CONFIG_GIGASET_DEBUG is not set
CONFIG_HYSDN=m
CONFIG_HYSDN_CAPI=y
CONFIG_MISDN=m
CONFIG_MISDN_DSP=m
CONFIG_MISDN_L1OIP=m

#
# mISDN hardware drivers
#
CONFIG_MISDN_HFCPCI=m
CONFIG_MISDN_HFCMULTI=m
CONFIG_MISDN_HFCUSB=m
CONFIG_MISDN_AVMFRITZ=m
CONFIG_MISDN_SPEEDFAX=m
CONFIG_MISDN_INFINEON=m
CONFIG_MISDN_W6692=m
CONFIG_MISDN_NETJET=m
CONFIG_MISDN_IPAC=m
CONFIG_MISDN_ISAR=m
CONFIG_ISDN_HDLC=m

#
# Input device support
#
CONFIG_INPUT=y
CONFIG_INPUT_FF_MEMLESS=y
CONFIG_INPUT_POLLDEV=m
CONFIG_INPUT_SPARSEKMAP=m
# CONFIG_INPUT_MATRIXKMAP is not set

#
# Userland interfaces
#
CONFIG_INPUT_MOUSEDEV=y
# CONFIG_INPUT_MOUSEDEV_PSAUX is not set
CONFIG_INPUT_MOUSEDEV_SCREEN_X=1024
CONFIG_INPUT_MOUSEDEV_SCREEN_Y=768
CONFIG_INPUT_JOYDEV=m
CONFIG_INPUT_EVDEV=y
# CONFIG_INPUT_EVBUG is not set

#
# Input Device Drivers
#
CONFIG_INPUT_KEYBOARD=y
# CONFIG_KEYBOARD_ADP5588 is not set
# CONFIG_KEYBOARD_ADP5589 is not set
CONFIG_KEYBOARD_ATKBD=y
# CONFIG_KEYBOARD_QT1070 is not set
# CONFIG_KEYBOARD_QT2160 is not set
# CONFIG_KEYBOARD_LKKBD is not set
# CONFIG_KEYBOARD_TCA6416 is not set
# CONFIG_KEYBOARD_TCA8418 is not set
# CONFIG_KEYBOARD_LM8323 is not set
# CONFIG_KEYBOARD_LM8333 is not set
# CONFIG_KEYBOARD_MAX7359 is not set
# CONFIG_KEYBOARD_MCS is not set
# CONFIG_KEYBOARD_MPR121 is not set
# CONFIG_KEYBOARD_NEWTON is not set
# CONFIG_KEYBOARD_OPENCORES is not set
# CONFIG_KEYBOARD_STOWAWAY is not set
# CONFIG_KEYBOARD_SUNKBD is not set
# CONFIG_KEYBOARD_OMAP4 is not set
# CONFIG_KEYBOARD_XTKBD is not set
CONFIG_INPUT_MOUSE=y
CONFIG_MOUSE_PS2=y
CONFIG_MOUSE_PS2_ALPS=y
CONFIG_MOUSE_PS2_LOGIPS2PP=y
CONFIG_MOUSE_PS2_SYNAPTICS=y
CONFIG_MOUSE_PS2_LIFEBOOK=y
CONFIG_MOUSE_PS2_TRACKPOINT=y
CONFIG_MOUSE_PS2_ELANTECH=y
CONFIG_MOUSE_PS2_SENTELIC=y
# CONFIG_MOUSE_PS2_TOUCHKIT is not set
CONFIG_MOUSE_SERIAL=m
CONFIG_MOUSE_APPLETOUCH=m
CONFIG_MOUSE_BCM5974=m
CONFIG_MOUSE_VSXXXAA=m
CONFIG_MOUSE_SYNAPTICS_I2C=m
CONFIG_MOUSE_SYNAPTICS_USB=m
CONFIG_INPUT_JOYSTICK=y
CONFIG_JOYSTICK_ANALOG=m
CONFIG_JOYSTICK_A3D=m
CONFIG_JOYSTICK_ADI=m
CONFIG_JOYSTICK_COBRA=m
CONFIG_JOYSTICK_GF2K=m
CONFIG_JOYSTICK_GRIP=m
CONFIG_JOYSTICK_GRIP_MP=m
CONFIG_JOYSTICK_GUILLEMOT=m
CONFIG_JOYSTICK_INTERACT=m
CONFIG_JOYSTICK_SIDEWINDER=m
CONFIG_JOYSTICK_TMDC=m
CONFIG_JOYSTICK_IFORCE=m
CONFIG_JOYSTICK_IFORCE_USB=y
CONFIG_JOYSTICK_IFORCE_232=y
CONFIG_JOYSTICK_WARRIOR=m
CONFIG_JOYSTICK_MAGELLAN=m
CONFIG_JOYSTICK_SPACEORB=m
CONFIG_JOYSTICK_SPACEBALL=m
CONFIG_JOYSTICK_STINGER=m
CONFIG_JOYSTICK_TWIDJOY=m
CONFIG_JOYSTICK_ZHENHUA=m
CONFIG_JOYSTICK_DB9=m
CONFIG_JOYSTICK_GAMECON=m
CONFIG_JOYSTICK_TURBOGRAFX=m
# CONFIG_JOYSTICK_AS5011 is not set
CONFIG_JOYSTICK_JOYDUMP=m
CONFIG_JOYSTICK_XPAD=m
CONFIG_JOYSTICK_XPAD_FF=y
CONFIG_JOYSTICK_XPAD_LEDS=y
CONFIG_JOYSTICK_WALKERA0701=m
CONFIG_INPUT_TABLET=y
CONFIG_TABLET_USB_ACECAD=m
CONFIG_TABLET_USB_AIPTEK=m
CONFIG_TABLET_USB_GTCO=m
CONFIG_TABLET_USB_HANWANG=m
CONFIG_TABLET_USB_KBTAB=m
CONFIG_TABLET_USB_WACOM=m
CONFIG_INPUT_TOUCHSCREEN=y
# CONFIG_TOUCHSCREEN_AD7879 is not set
CONFIG_TOUCHSCREEN_ATMEL_MXT=m
# CONFIG_TOUCHSCREEN_BU21013 is not set
# CONFIG_TOUCHSCREEN_CYTTSP_CORE is not set
CONFIG_TOUCHSCREEN_DYNAPRO=m
# CONFIG_TOUCHSCREEN_HAMPSHIRE is not set
CONFIG_TOUCHSCREEN_EETI=m
CONFIG_TOUCHSCREEN_FUJITSU=m
CONFIG_TOUCHSCREEN_ILI210X=m
CONFIG_TOUCHSCREEN_GUNZE=m
CONFIG_TOUCHSCREEN_ELO=m
CONFIG_TOUCHSCREEN_WACOM_W8001=m
CONFIG_TOUCHSCREEN_WACOM_I2C=m
# CONFIG_TOUCHSCREEN_MAX11801 is not set
CONFIG_TOUCHSCREEN_MCS5000=m
CONFIG_TOUCHSCREEN_MMS114=m
CONFIG_TOUCHSCREEN_MTOUCH=m
CONFIG_TOUCHSCREEN_INEXIO=m
CONFIG_TOUCHSCREEN_MK712=m
CONFIG_TOUCHSCREEN_PENMOUNT=m
CONFIG_TOUCHSCREEN_EDT_FT5X06=m
CONFIG_TOUCHSCREEN_TOUCHRIGHT=m
CONFIG_TOUCHSCREEN_TOUCHWIN=m
CONFIG_TOUCHSCREEN_PIXCIR=m
# CONFIG_TOUCHSCREEN_WM97XX is not set
CONFIG_TOUCHSCREEN_USB_COMPOSITE=m
CONFIG_TOUCHSCREEN_USB_EGALAX=y
CONFIG_TOUCHSCREEN_USB_PANJIT=y
CONFIG_TOUCHSCREEN_USB_3M=y
CONFIG_TOUCHSCREEN_USB_ITM=y
CONFIG_TOUCHSCREEN_USB_ETURBO=y
CONFIG_TOUCHSCREEN_USB_GUNZE=y
CONFIG_TOUCHSCREEN_USB_DMC_TSC10=y
CONFIG_TOUCHSCREEN_USB_IRTOUCH=y
CONFIG_TOUCHSCREEN_USB_IDEALTEK=y
CONFIG_TOUCHSCREEN_USB_GENERAL_TOUCH=y
CONFIG_TOUCHSCREEN_USB_GOTOP=y
CONFIG_TOUCHSCREEN_USB_JASTEC=y
CONFIG_TOUCHSCREEN_USB_ELO=y
CONFIG_TOUCHSCREEN_USB_E2I=y
CONFIG_TOUCHSCREEN_USB_ZYTRONIC=y
CONFIG_TOUCHSCREEN_USB_ETT_TC45USB=y
CONFIG_TOUCHSCREEN_USB_NEXIO=y
CONFIG_TOUCHSCREEN_USB_EASYTOUCH=y
CONFIG_TOUCHSCREEN_TOUCHIT213=m
CONFIG_TOUCHSCREEN_TSC_SERIO=m
CONFIG_TOUCHSCREEN_TSC2007=m
CONFIG_TOUCHSCREEN_ST1232=m
# CONFIG_TOUCHSCREEN_TPS6507X is not set
CONFIG_INPUT_MISC=y
# CONFIG_INPUT_AD714X is not set
# CONFIG_INPUT_BMA150 is not set
CONFIG_INPUT_PCSPKR=m
CONFIG_INPUT_MMA8450=m
CONFIG_INPUT_MPU3050=m
CONFIG_INPUT_APANEL=m
CONFIG_INPUT_ATLAS_BTNS=m
CONFIG_INPUT_ATI_REMOTE2=m
CONFIG_INPUT_KEYSPAN_REMOTE=m
CONFIG_INPUT_KXTJ9=m
# CONFIG_INPUT_KXTJ9_POLLED_MODE is not set
CONFIG_INPUT_POWERMATE=m
CONFIG_INPUT_YEALINK=m
CONFIG_INPUT_CM109=m
CONFIG_INPUT_UINPUT=m
# CONFIG_INPUT_PCF8574 is not set
# CONFIG_INPUT_ADXL34X is not set
CONFIG_INPUT_CMA3000=m
CONFIG_INPUT_CMA3000_I2C=m
CONFIG_INPUT_XEN_KBDDEV_FRONTEND=y

#
# Hardware I/O ports
#
CONFIG_SERIO=y
CONFIG_SERIO_I8042=y
CONFIG_SERIO_SERPORT=y
# CONFIG_SERIO_CT82C710 is not set
# CONFIG_SERIO_PARKBD is not set
# CONFIG_SERIO_PCIPS2 is not set
CONFIG_SERIO_LIBPS2=y
CONFIG_SERIO_RAW=m
CONFIG_SERIO_ALTERA_PS2=m
# CONFIG_SERIO_PS2MULT is not set
CONFIG_GAMEPORT=m
CONFIG_GAMEPORT_NS558=m
CONFIG_GAMEPORT_L4=m
CONFIG_GAMEPORT_EMU10K1=m
CONFIG_GAMEPORT_FM801=m

#
# Character devices
#
CONFIG_VT=y
CONFIG_CONSOLE_TRANSLATIONS=y
CONFIG_VT_CONSOLE=y
CONFIG_VT_CONSOLE_SLEEP=y
CONFIG_HW_CONSOLE=y
CONFIG_VT_HW_CONSOLE_BINDING=y
CONFIG_UNIX98_PTYS=y
CONFIG_DEVPTS_MULTIPLE_INSTANCES=y
# CONFIG_LEGACY_PTYS is not set
CONFIG_SERIAL_NONSTANDARD=y
CONFIG_ROCKETPORT=m
CONFIG_CYCLADES=m
# CONFIG_CYZ_INTR is not set
# CONFIG_MOXA_INTELLIO is not set
# CONFIG_MOXA_SMARTIO is not set
CONFIG_SYNCLINK=m
CONFIG_SYNCLINKMP=m
CONFIG_SYNCLINK_GT=m
CONFIG_NOZOMI=m
# CONFIG_ISI is not set
CONFIG_N_HDLC=m
CONFIG_N_GSM=m
# CONFIG_TRACE_SINK is not set
# CONFIG_DEVKMEM is not set
# CONFIG_STALDRV is not set

#
# Serial drivers
#
CONFIG_SERIAL_8250=y
CONFIG_SERIAL_8250_PNP=y
CONFIG_SERIAL_8250_CONSOLE=y
CONFIG_FIX_EARLYCON_MEM=y
CONFIG_SERIAL_8250_PCI=y
CONFIG_SERIAL_8250_CS=m
CONFIG_SERIAL_8250_NR_UARTS=32
CONFIG_SERIAL_8250_RUNTIME_UARTS=4
CONFIG_SERIAL_8250_EXTENDED=y
CONFIG_SERIAL_8250_MANY_PORTS=y
CONFIG_SERIAL_8250_SHARE_IRQ=y
# CONFIG_SERIAL_8250_DETECT_IRQ is not set
CONFIG_SERIAL_8250_RSA=y

#
# Non-8250 serial port support
#
# CONFIG_SERIAL_KGDB_NMI is not set
# CONFIG_SERIAL_MFD_HSU is not set
CONFIG_SERIAL_CORE=y
CONFIG_SERIAL_CORE_CONSOLE=y
CONFIG_CONSOLE_POLL=y
CONFIG_SERIAL_JSM=m
# CONFIG_SERIAL_SCCNXP is not set
# CONFIG_SERIAL_TIMBERDALE is not set
# CONFIG_SERIAL_ALTERA_JTAGUART is not set
# CONFIG_SERIAL_ALTERA_UART is not set
# CONFIG_SERIAL_PCH_UART is not set
# CONFIG_SERIAL_XILINX_PS_UART is not set
CONFIG_PRINTER=m
CONFIG_LP_CONSOLE=y
CONFIG_PPDEV=m
CONFIG_HVC_DRIVER=y
CONFIG_HVC_IRQ=y
CONFIG_HVC_XEN=y
CONFIG_HVC_XEN_FRONTEND=y
CONFIG_VIRTIO_CONSOLE=y
CONFIG_IPMI_HANDLER=m
# CONFIG_IPMI_PANIC_EVENT is not set
CONFIG_IPMI_DEVICE_INTERFACE=m
CONFIG_IPMI_SI=m
CONFIG_IPMI_WATCHDOG=m
CONFIG_IPMI_POWEROFF=m
CONFIG_HW_RANDOM=y
CONFIG_HW_RANDOM_TIMERIOMEM=m
CONFIG_HW_RANDOM_INTEL=m
CONFIG_HW_RANDOM_AMD=m
CONFIG_HW_RANDOM_VIA=m
CONFIG_HW_RANDOM_VIRTIO=m
CONFIG_HW_RANDOM_TPM=m
CONFIG_NVRAM=y
CONFIG_R3964=m
# CONFIG_APPLICOM is not set

#
# PCMCIA character devices
#
# CONFIG_SYNCLINK_CS is not set
CONFIG_CARDMAN_4000=m
CONFIG_CARDMAN_4040=m
CONFIG_IPWIRELESS=m
CONFIG_MWAVE=m
CONFIG_RAW_DRIVER=y
CONFIG_MAX_RAW_DEVS=8192
CONFIG_HPET=y
# CONFIG_HPET_MMAP is not set
CONFIG_HANGCHECK_TIMER=m
CONFIG_TCG_TPM=m
CONFIG_TCG_TIS=m
# CONFIG_TCG_TIS_I2C_INFINEON is not set
CONFIG_TCG_NSC=m
CONFIG_TCG_ATMEL=m
CONFIG_TCG_INFINEON=m
CONFIG_TELCLOCK=m
CONFIG_DEVPORT=y
CONFIG_I2C=m
CONFIG_I2C_BOARDINFO=y
CONFIG_I2C_COMPAT=y
CONFIG_I2C_CHARDEV=m
# CONFIG_I2C_MUX is not set
CONFIG_I2C_HELPER_AUTO=y
CONFIG_I2C_SMBUS=m
CONFIG_I2C_ALGOBIT=m
CONFIG_I2C_ALGOPCA=m

#
# I2C Hardware Bus support
#

#
# PC SMBus host controller drivers
#
# CONFIG_I2C_ALI1535 is not set
# CONFIG_I2C_ALI1563 is not set
# CONFIG_I2C_ALI15X3 is not set
CONFIG_I2C_AMD756=m
CONFIG_I2C_AMD756_S4882=m
CONFIG_I2C_AMD8111=m
CONFIG_I2C_I801=m
CONFIG_I2C_ISCH=m
CONFIG_I2C_PIIX4=m
CONFIG_I2C_NFORCE2=m
CONFIG_I2C_NFORCE2_S4985=m
# CONFIG_I2C_SIS5595 is not set
# CONFIG_I2C_SIS630 is not set
CONFIG_I2C_SIS96X=m
CONFIG_I2C_VIA=m
CONFIG_I2C_VIAPRO=m

#
# ACPI drivers
#
CONFIG_I2C_SCMI=m

#
# I2C system bus drivers (mostly embedded / system-on-chip)
#
# CONFIG_I2C_DESIGNWARE_PCI is not set
# CONFIG_I2C_EG20T is not set
# CONFIG_I2C_INTEL_MID is not set
# CONFIG_I2C_OCORES is not set
CONFIG_I2C_PCA_PLATFORM=m
# CONFIG_I2C_PXA_PCI is not set
CONFIG_I2C_SIMTEC=m
# CONFIG_I2C_XILINX is not set

#
# External I2C/SMBus adapter drivers
#
CONFIG_I2C_DIOLAN_U2C=m
CONFIG_I2C_PARPORT=m
CONFIG_I2C_PARPORT_LIGHT=m
# CONFIG_I2C_TAOS_EVM is not set
CONFIG_I2C_TINY_USB=m

#
# Other I2C/SMBus bus drivers
#
CONFIG_I2C_STUB=m
# CONFIG_I2C_DEBUG_CORE is not set
# CONFIG_I2C_DEBUG_ALGO is not set
# CONFIG_I2C_DEBUG_BUS is not set
# CONFIG_SPI is not set
# CONFIG_HSI is not set

#
# PPS support
#
CONFIG_PPS=m
# CONFIG_PPS_DEBUG is not set

#
# PPS clients support
#
# CONFIG_PPS_CLIENT_KTIMER is not set
CONFIG_PPS_CLIENT_LDISC=m
CONFIG_PPS_CLIENT_PARPORT=m
CONFIG_PPS_CLIENT_GPIO=m

#
# PPS generators support
#

#
# PTP clock support
#
CONFIG_PTP_1588_CLOCK=m
CONFIG_DP83640_PHY=m
CONFIG_PTP_1588_CLOCK_PCH=m
CONFIG_ARCH_WANT_OPTIONAL_GPIOLIB=y
# CONFIG_GPIOLIB is not set
CONFIG_W1=m
CONFIG_W1_CON=y

#
# 1-wire Bus Masters
#
# CONFIG_W1_MASTER_MATROX is not set
CONFIG_W1_MASTER_DS2490=m
CONFIG_W1_MASTER_DS2482=m
CONFIG_W1_MASTER_DS1WM=m
# CONFIG_HDQ_MASTER_OMAP is not set

#
# 1-wire Slaves
#
CONFIG_W1_SLAVE_THERM=m
CONFIG_W1_SLAVE_SMEM=m
CONFIG_W1_SLAVE_DS2408=m
CONFIG_W1_SLAVE_DS2423=m
CONFIG_W1_SLAVE_DS2431=m
CONFIG_W1_SLAVE_DS2433=m
CONFIG_W1_SLAVE_DS2433_CRC=y
CONFIG_W1_SLAVE_DS2760=m
CONFIG_W1_SLAVE_DS2780=m
CONFIG_W1_SLAVE_DS2781=m
CONFIG_W1_SLAVE_DS28E04=m
CONFIG_W1_SLAVE_BQ27000=m
CONFIG_POWER_SUPPLY=y
# CONFIG_POWER_SUPPLY_DEBUG is not set
# CONFIG_PDA_POWER is not set
# CONFIG_TEST_POWER is not set
# CONFIG_BATTERY_DS2760 is not set
# CONFIG_BATTERY_DS2780 is not set
# CONFIG_BATTERY_DS2781 is not set
# CONFIG_BATTERY_DS2782 is not set
# CONFIG_BATTERY_SBS is not set
# CONFIG_BATTERY_BQ27x00 is not set
# CONFIG_BATTERY_MAX17040 is not set
# CONFIG_BATTERY_MAX17042 is not set
# CONFIG_CHARGER_ISP1704 is not set
# CONFIG_CHARGER_MAX8903 is not set
# CONFIG_CHARGER_LP8727 is not set
CONFIG_CHARGER_SMB347=m
# CONFIG_POWER_AVS is not set
CONFIG_HWMON=y
CONFIG_HWMON_VID=m
# CONFIG_HWMON_DEBUG_CHIP is not set

#
# Native drivers
#
CONFIG_SENSORS_ABITUGURU=m
CONFIG_SENSORS_ABITUGURU3=m
CONFIG_SENSORS_AD7414=m
CONFIG_SENSORS_AD7418=m
CONFIG_SENSORS_ADM1021=m
CONFIG_SENSORS_ADM1025=m
CONFIG_SENSORS_ADM1026=m
CONFIG_SENSORS_ADM1029=m
CONFIG_SENSORS_ADM1031=m
CONFIG_SENSORS_ADM9240=m
# CONFIG_SENSORS_ADT7410 is not set
CONFIG_SENSORS_ADT7411=m
CONFIG_SENSORS_ADT7462=m
CONFIG_SENSORS_ADT7470=m
CONFIG_SENSORS_ADT7475=m
CONFIG_SENSORS_ASC7621=m
CONFIG_SENSORS_K8TEMP=m
CONFIG_SENSORS_K10TEMP=m
CONFIG_SENSORS_FAM15H_POWER=m
CONFIG_SENSORS_ASB100=m
CONFIG_SENSORS_ATXP1=m
CONFIG_SENSORS_DS620=m
CONFIG_SENSORS_DS1621=m
CONFIG_SENSORS_I5K_AMB=m
CONFIG_SENSORS_F71805F=m
CONFIG_SENSORS_F71882FG=m
CONFIG_SENSORS_F75375S=m
CONFIG_SENSORS_FSCHMD=m
CONFIG_SENSORS_G760A=m
CONFIG_SENSORS_GL518SM=m
CONFIG_SENSORS_GL520SM=m
# CONFIG_SENSORS_HIH6130 is not set
CONFIG_SENSORS_CORETEMP=m
CONFIG_SENSORS_IBMAEM=m
CONFIG_SENSORS_IBMPEX=m
CONFIG_SENSORS_IT87=m
# CONFIG_SENSORS_JC42 is not set
CONFIG_SENSORS_LINEAGE=m
CONFIG_SENSORS_LM63=m
CONFIG_SENSORS_LM73=m
CONFIG_SENSORS_LM75=m
CONFIG_SENSORS_LM77=m
CONFIG_SENSORS_LM78=m
CONFIG_SENSORS_LM80=m
CONFIG_SENSORS_LM83=m
CONFIG_SENSORS_LM85=m
CONFIG_SENSORS_LM87=m
CONFIG_SENSORS_LM90=m
CONFIG_SENSORS_LM92=m
CONFIG_SENSORS_LM93=m
CONFIG_SENSORS_LTC4151=m
CONFIG_SENSORS_LTC4215=m
CONFIG_SENSORS_LTC4245=m
CONFIG_SENSORS_LTC4261=m
CONFIG_SENSORS_LM95241=m
CONFIG_SENSORS_LM95245=m
CONFIG_SENSORS_MAX16065=m
CONFIG_SENSORS_MAX1619=m
CONFIG_SENSORS_MAX1668=m
# CONFIG_SENSORS_MAX197 is not set
CONFIG_SENSORS_MAX6639=m
CONFIG_SENSORS_MAX6642=m
CONFIG_SENSORS_MAX6650=m
CONFIG_SENSORS_MCP3021=m
CONFIG_SENSORS_NTC_THERMISTOR=m
CONFIG_SENSORS_PC87360=m
CONFIG_SENSORS_PC87427=m
CONFIG_SENSORS_PCF8591=m
CONFIG_PMBUS=m
CONFIG_SENSORS_PMBUS=m
CONFIG_SENSORS_ADM1275=m
CONFIG_SENSORS_LM25066=m
CONFIG_SENSORS_LTC2978=m
CONFIG_SENSORS_MAX16064=m
CONFIG_SENSORS_MAX34440=m
CONFIG_SENSORS_MAX8688=m
CONFIG_SENSORS_UCD9000=m
CONFIG_SENSORS_UCD9200=m
CONFIG_SENSORS_ZL6100=m
CONFIG_SENSORS_SHT21=m
CONFIG_SENSORS_SIS5595=m
# CONFIG_SENSORS_SMM665 is not set
CONFIG_SENSORS_DME1737=m
CONFIG_SENSORS_EMC1403=m
# CONFIG_SENSORS_EMC2103 is not set
CONFIG_SENSORS_EMC6W201=m
CONFIG_SENSORS_SMSC47M1=m
CONFIG_SENSORS_SMSC47M192=m
CONFIG_SENSORS_SMSC47B397=m
CONFIG_SENSORS_SCH56XX_COMMON=m
CONFIG_SENSORS_SCH5627=m
CONFIG_SENSORS_SCH5636=m
CONFIG_SENSORS_ADS1015=m
CONFIG_SENSORS_ADS7828=m
CONFIG_SENSORS_AMC6821=m
CONFIG_SENSORS_INA2XX=m
CONFIG_SENSORS_THMC50=m
CONFIG_SENSORS_TMP102=m
CONFIG_SENSORS_TMP401=m
CONFIG_SENSORS_TMP421=m
CONFIG_SENSORS_VIA_CPUTEMP=m
CONFIG_SENSORS_VIA686A=m
CONFIG_SENSORS_VT1211=m
CONFIG_SENSORS_VT8231=m
CONFIG_SENSORS_W83781D=m
CONFIG_SENSORS_W83791D=m
CONFIG_SENSORS_W83792D=m
CONFIG_SENSORS_W83793=m
CONFIG_SENSORS_W83795=m
# CONFIG_SENSORS_W83795_FANCTRL is not set
CONFIG_SENSORS_W83L785TS=m
CONFIG_SENSORS_W83L786NG=m
CONFIG_SENSORS_W83627HF=m
CONFIG_SENSORS_W83627EHF=m
CONFIG_SENSORS_APPLESMC=m

#
# ACPI drivers
#
CONFIG_SENSORS_ACPI_POWER=m
CONFIG_SENSORS_ATK0110=m
CONFIG_THERMAL=y
CONFIG_THERMAL_HWMON=y
# CONFIG_CPU_THERMAL is not set
CONFIG_WATCHDOG=y
CONFIG_WATCHDOG_CORE=y
# CONFIG_WATCHDOG_NOWAYOUT is not set

#
# Watchdog Device Drivers
#
CONFIG_SOFT_WATCHDOG=m
# CONFIG_ACQUIRE_WDT is not set
# CONFIG_ADVANTECH_WDT is not set
CONFIG_ALIM1535_WDT=m
CONFIG_ALIM7101_WDT=m
CONFIG_F71808E_WDT=m
CONFIG_SP5100_TCO=m
# CONFIG_SC520_WDT is not set
CONFIG_SBC_FITPC2_WATCHDOG=m
# CONFIG_EUROTECH_WDT is not set
CONFIG_IB700_WDT=m
CONFIG_IBMASR=m
# CONFIG_WAFER_WDT is not set
CONFIG_I6300ESB_WDT=m
CONFIG_IE6XX_WDT=m
CONFIG_ITCO_WDT=m
CONFIG_ITCO_VENDOR_SUPPORT=y
CONFIG_IT8712F_WDT=m
CONFIG_IT87_WDT=m
CONFIG_HP_WATCHDOG=m
CONFIG_HPWDT_NMI_DECODING=y
# CONFIG_SC1200_WDT is not set
# CONFIG_PC87413_WDT is not set
CONFIG_NV_TCO=m
# CONFIG_60XX_WDT is not set
# CONFIG_SBC8360_WDT is not set
# CONFIG_CPU5_WDT is not set
CONFIG_SMSC_SCH311X_WDT=m
# CONFIG_SMSC37B787_WDT is not set
CONFIG_VIA_WDT=m
CONFIG_W83627HF_WDT=m
CONFIG_W83697HF_WDT=m
CONFIG_W83697UG_WDT=m
CONFIG_W83877F_WDT=m
CONFIG_W83977F_WDT=m
CONFIG_MACHZ_WDT=m
# CONFIG_SBC_EPX_C3_WATCHDOG is not set
CONFIG_XEN_WDT=m

#
# PCI-based Watchdog Cards
#
CONFIG_PCIPCWATCHDOG=m
CONFIG_WDTPCI=m

#
# USB-based Watchdog Cards
#
CONFIG_USBPCWATCHDOG=m
CONFIG_SSB_POSSIBLE=y

#
# Sonics Silicon Backplane
#
CONFIG_SSB=m
CONFIG_SSB_SPROM=y
CONFIG_SSB_BLOCKIO=y
CONFIG_SSB_PCIHOST_POSSIBLE=y
CONFIG_SSB_PCIHOST=y
CONFIG_SSB_B43_PCI_BRIDGE=y
CONFIG_SSB_PCMCIAHOST_POSSIBLE=y
CONFIG_SSB_PCMCIAHOST=y
CONFIG_SSB_SDIOHOST_POSSIBLE=y
CONFIG_SSB_SDIOHOST=y
# CONFIG_SSB_DEBUG is not set
CONFIG_SSB_DRIVER_PCICORE_POSSIBLE=y
CONFIG_SSB_DRIVER_PCICORE=y
CONFIG_BCMA_POSSIBLE=y

#
# Broadcom specific AMBA
#
CONFIG_BCMA=m
CONFIG_BCMA_BLOCKIO=y
CONFIG_BCMA_HOST_PCI_POSSIBLE=y
CONFIG_BCMA_HOST_PCI=y
CONFIG_BCMA_DRIVER_GMAC_CMN=y
# CONFIG_BCMA_DEBUG is not set

#
# Multifunction device drivers
#
CONFIG_MFD_CORE=m
CONFIG_MFD_SM501=m
# CONFIG_HTC_PASIC3 is not set
# CONFIG_MFD_LM3533 is not set
# CONFIG_TPS6105X is not set
# CONFIG_TPS6507X is not set
# CONFIG_MFD_TPS65217 is not set
# CONFIG_MFD_TMIO is not set
# CONFIG_MFD_ARIZONA_I2C is not set
# CONFIG_MFD_PCF50633 is not set
# CONFIG_MFD_MC13XXX_I2C is not set
# CONFIG_ABX500_CORE is not set
# CONFIG_MFD_CS5535 is not set
CONFIG_LPC_SCH=m
CONFIG_LPC_ICH=m
# CONFIG_MFD_RDC321X is not set
# CONFIG_MFD_JANZ_CMODIO is not set
CONFIG_MFD_VX855=m
CONFIG_MFD_WL1273_CORE=m
# CONFIG_REGULATOR is not set
CONFIG_MEDIA_SUPPORT=m

#
# Multimedia core support
#
CONFIG_MEDIA_CAMERA_SUPPORT=y
CONFIG_MEDIA_ANALOG_TV_SUPPORT=y
CONFIG_MEDIA_DIGITAL_TV_SUPPORT=y
CONFIG_MEDIA_RADIO_SUPPORT=y
CONFIG_MEDIA_RC_SUPPORT=y
CONFIG_MEDIA_CONTROLLER=y
CONFIG_VIDEO_DEV=m
CONFIG_VIDEO_V4L2_SUBDEV_API=y
CONFIG_VIDEO_V4L2=m
# CONFIG_VIDEO_ADV_DEBUG is not set
# CONFIG_VIDEO_FIXED_MINOR_RANGES is not set
CONFIG_DVB_CORE=m
CONFIG_DVB_NET=y
CONFIG_DVB_MAX_ADAPTERS=8
CONFIG_DVB_DYNAMIC_MINORS=y

#
# Media drivers
#
CONFIG_RC_CORE=m
CONFIG_RC_MAP=m
CONFIG_RC_DECODERS=y
CONFIG_LIRC=m
CONFIG_IR_LIRC_CODEC=m
CONFIG_IR_NEC_DECODER=m
CONFIG_IR_RC5_DECODER=m
CONFIG_IR_RC6_DECODER=m
CONFIG_IR_JVC_DECODER=m
CONFIG_IR_SONY_DECODER=m
CONFIG_IR_RC5_SZ_DECODER=m
CONFIG_IR_SANYO_DECODER=m
CONFIG_IR_MCE_KBD_DECODER=m
CONFIG_RC_DEVICES=y
CONFIG_RC_ATI_REMOTE=m
CONFIG_IR_ENE=m
CONFIG_IR_IMON=m
CONFIG_IR_MCEUSB=m
CONFIG_IR_ITE_CIR=m
CONFIG_IR_FINTEK=m
CONFIG_IR_NUVOTON=m
CONFIG_IR_REDRAT3=m
CONFIG_IR_STREAMZAP=m
CONFIG_IR_WINBOND_CIR=m
CONFIG_IR_IGUANA=m
# CONFIG_IR_TTUSBIR is not set
CONFIG_RC_LOOPBACK=m
CONFIG_IR_GPIO_CIR=m
# CONFIG_MEDIA_USB_SUPPORT is not set
# CONFIG_MEDIA_PCI_SUPPORT is not set
# CONFIG_V4L_PLATFORM_DRIVERS is not set
CONFIG_V4L_MEM2MEM_DRIVERS=y
# CONFIG_VIDEO_MEM2MEM_DEINTERLACE is not set
# CONFIG_V4L_TEST_DRIVERS is not set

#
# Supported MMC/SDIO adapters
#
CONFIG_SMS_SDIO_DRV=m
# CONFIG_MEDIA_PARPORT_SUPPORT is not set
CONFIG_RADIO_ADAPTERS=y
CONFIG_RADIO_SI470X=y
CONFIG_USB_SI470X=m
CONFIG_I2C_SI470X=m
CONFIG_USB_MR800=m
CONFIG_USB_DSBR=m
CONFIG_RADIO_MAXIRADIO=m
CONFIG_RADIO_SHARK=m
CONFIG_RADIO_SHARK2=m
CONFIG_I2C_SI4713=m
CONFIG_RADIO_SI4713=m
CONFIG_USB_KEENE=m
CONFIG_RADIO_TEA5764=m
CONFIG_RADIO_SAA7706H=m
# CONFIG_RADIO_TEF6862 is not set
CONFIG_RADIO_WL1273=m

#
# Texas Instruments WL128x FM driver (ST based)
#

#
# Supported FireWire (IEEE 1394) Adapters
#
CONFIG_DVB_FIREDTV=m
CONFIG_DVB_FIREDTV_INPUT=y
CONFIG_SMS_SIANO_MDTV=m
CONFIG_MEDIA_SUBDRV_AUTOSELECT=y

#
# Media ancillary drivers (tuners, sensors, i2c, frontends)
#
CONFIG_VIDEO_IR_I2C=m

#
# Audio decoders, processors and mixers
#

#
# RDS decoders
#

#
# Video decoders
#

#
# Video and audio decoders
#

#
# MPEG video encoders
#

#
# Video encoders
#

#
# Camera sensor devices
#

#
# Flash devices
#

#
# Video improvement chips
#

#
# Miscelaneous helper chips
#

#
# Sensors used on soc_camera driver
#
CONFIG_MEDIA_ATTACH=y
CONFIG_MEDIA_TUNER=m
CONFIG_MEDIA_TUNER_SIMPLE=m
CONFIG_MEDIA_TUNER_TDA8290=m
CONFIG_MEDIA_TUNER_TDA827X=m
CONFIG_MEDIA_TUNER_TDA18271=m
CONFIG_MEDIA_TUNER_TDA9887=m
CONFIG_MEDIA_TUNER_TEA5761=m
CONFIG_MEDIA_TUNER_TEA5767=m
CONFIG_MEDIA_TUNER_MT20XX=m
CONFIG_MEDIA_TUNER_XC2028=m
CONFIG_MEDIA_TUNER_XC5000=m
CONFIG_MEDIA_TUNER_XC4000=m
CONFIG_MEDIA_TUNER_MC44S803=m

#
# Multistandard (satellite) frontends
#

#
# Multistandard (cable + terrestrial) frontends
#

#
# DVB-S (satellite) frontends
#

#
# DVB-T (terrestrial) frontends
#

#
# DVB-C (cable) frontends
#

#
# ATSC (North American/Korean Terrestrial/Cable DTV) frontends
#

#
# ISDB-T (terrestrial) frontends
#

#
# Digital terrestrial only tuners/PLL
#

#
# SEC control devices for DVB-S
#

#
# Tools to develop new frontends
#
# CONFIG_DVB_DUMMY_FE is not set

#
# Graphics support
#
CONFIG_AGP=y
CONFIG_AGP_AMD64=y
CONFIG_AGP_INTEL=y
CONFIG_AGP_SIS=y
CONFIG_AGP_VIA=y
CONFIG_VGA_ARB=y
CONFIG_VGA_ARB_MAX_GPUS=16
CONFIG_VGA_SWITCHEROO=y
CONFIG_DRM=m
CONFIG_DRM_KMS_HELPER=m
CONFIG_DRM_LOAD_EDID_FIRMWARE=y
CONFIG_DRM_TTM=m
# CONFIG_DRM_TDFX is not set
# CONFIG_DRM_R128 is not set
CONFIG_DRM_RADEON=m
CONFIG_DRM_RADEON_KMS=y
CONFIG_DRM_NOUVEAU=m
CONFIG_NOUVEAU_DEBUG=5
CONFIG_NOUVEAU_DEBUG_DEFAULT=3
CONFIG_DRM_NOUVEAU_BACKLIGHT=y

#
# I2C encoder or helper chips
#
CONFIG_DRM_I2C_CH7006=m
CONFIG_DRM_I2C_SIL164=m
# CONFIG_DRM_I810 is not set
CONFIG_DRM_I915=m
CONFIG_DRM_I915_KMS=y
# CONFIG_DRM_MGA is not set
# CONFIG_DRM_SIS is not set
CONFIG_DRM_VIA=m
# CONFIG_DRM_SAVAGE is not set
CONFIG_DRM_VMWGFX=m
# CONFIG_DRM_VMWGFX_FBCON is not set
CONFIG_DRM_GMA500=m
# CONFIG_DRM_GMA600 is not set
CONFIG_DRM_GMA3600=y
# CONFIG_DRM_UDL is not set
# CONFIG_DRM_AST is not set
# CONFIG_DRM_MGAG200 is not set
# CONFIG_DRM_CIRRUS_QEMU is not set
# CONFIG_STUB_POULSBO is not set
CONFIG_VGASTATE=m
CONFIG_VIDEO_OUTPUT_CONTROL=m
CONFIG_FB=y
# CONFIG_FIRMWARE_EDID is not set
# CONFIG_FB_DDC is not set
CONFIG_FB_BOOT_VESA_SUPPORT=y
CONFIG_FB_CFB_FILLRECT=y
CONFIG_FB_CFB_COPYAREA=y
CONFIG_FB_CFB_IMAGEBLIT=y
# CONFIG_FB_CFB_REV_PIXELS_IN_BYTE is not set
CONFIG_FB_SYS_FILLRECT=y
CONFIG_FB_SYS_COPYAREA=y
CONFIG_FB_SYS_IMAGEBLIT=y
# CONFIG_FB_FOREIGN_ENDIAN is not set
CONFIG_FB_SYS_FOPS=y
# CONFIG_FB_WMT_GE_ROPS is not set
CONFIG_FB_DEFERRED_IO=y
# CONFIG_FB_SVGALIB is not set
# CONFIG_FB_MACMODES is not set
CONFIG_FB_BACKLIGHT=y
CONFIG_FB_MODE_HELPERS=y
CONFIG_FB_TILEBLITTING=y

#
# Frame buffer hardware drivers
#
# CONFIG_FB_CIRRUS is not set
# CONFIG_FB_PM2 is not set
# CONFIG_FB_CYBER2000 is not set
# CONFIG_FB_ARC is not set
# CONFIG_FB_ASILIANT is not set
# CONFIG_FB_IMSTT is not set
CONFIG_FB_VGA16=m
# CONFIG_FB_UVESA is not set
CONFIG_FB_VESA=y
CONFIG_FB_EFI=y
# CONFIG_FB_N411 is not set
# CONFIG_FB_HGA is not set
# CONFIG_FB_S1D13XXX is not set
# CONFIG_FB_NVIDIA is not set
# CONFIG_FB_RIVA is not set
# CONFIG_FB_I740 is not set
# CONFIG_FB_LE80578 is not set
# CONFIG_FB_MATROX is not set
# CONFIG_FB_RADEON is not set
# CONFIG_FB_ATY128 is not set
# CONFIG_FB_ATY is not set
# CONFIG_FB_S3 is not set
# CONFIG_FB_SAVAGE is not set
# CONFIG_FB_SIS is not set
# CONFIG_FB_VIA is not set
# CONFIG_FB_NEOMAGIC is not set
# CONFIG_FB_KYRO is not set
# CONFIG_FB_3DFX is not set
CONFIG_FB_VOODOO1=m
# CONFIG_FB_VT8623 is not set
# CONFIG_FB_TRIDENT is not set
# CONFIG_FB_ARK is not set
# CONFIG_FB_PM3 is not set
# CONFIG_FB_CARMINE is not set
# CONFIG_FB_GEODE is not set
# CONFIG_FB_TMIO is not set
# CONFIG_FB_SM501 is not set
# CONFIG_FB_SMSCUFX is not set
CONFIG_FB_UDL=m
CONFIG_FB_VIRTUAL=m
CONFIG_XEN_FBDEV_FRONTEND=y
# CONFIG_FB_METRONOME is not set
# CONFIG_FB_MB862XX is not set
# CONFIG_FB_BROADSHEET is not set
# CONFIG_FB_AUO_K190X is not set
# CONFIG_EXYNOS_VIDEO is not set
CONFIG_BACKLIGHT_LCD_SUPPORT=y
CONFIG_LCD_CLASS_DEVICE=m
CONFIG_LCD_PLATFORM=m
CONFIG_BACKLIGHT_CLASS_DEVICE=y
# CONFIG_BACKLIGHT_GENERIC is not set
CONFIG_BACKLIGHT_APPLE=m
# CONFIG_BACKLIGHT_SAHARA is not set
# CONFIG_BACKLIGHT_ADP8860 is not set
# CONFIG_BACKLIGHT_ADP8870 is not set
# CONFIG_BACKLIGHT_LM3630 is not set
# CONFIG_BACKLIGHT_LM3639 is not set
CONFIG_BACKLIGHT_LP855X=m

#
# Console display driver support
#
CONFIG_VGA_CONSOLE=y
CONFIG_VGACON_SOFT_SCROLLBACK=y
CONFIG_VGACON_SOFT_SCROLLBACK_SIZE=64
CONFIG_DUMMY_CONSOLE=y
CONFIG_FRAMEBUFFER_CONSOLE=y
CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y
CONFIG_FRAMEBUFFER_CONSOLE_ROTATION=y
# CONFIG_FONTS is not set
CONFIG_FONT_8x8=y
CONFIG_FONT_8x16=y
CONFIG_LOGO=y
# CONFIG_LOGO_LINUX_MONO is not set
# CONFIG_LOGO_LINUX_VGA16 is not set
CONFIG_LOGO_LINUX_CLUT224=y
CONFIG_SOUND=m
CONFIG_SOUND_OSS_CORE=y
CONFIG_SOUND_OSS_CORE_PRECLAIM=y
CONFIG_SND=m
CONFIG_SND_TIMER=m
CONFIG_SND_PCM=m
CONFIG_SND_HWDEP=m
CONFIG_SND_RAWMIDI=m
CONFIG_SND_JACK=y
CONFIG_SND_SEQUENCER=m
CONFIG_SND_SEQ_DUMMY=m
CONFIG_SND_OSSEMUL=y
CONFIG_SND_MIXER_OSS=m
CONFIG_SND_PCM_OSS=m
CONFIG_SND_PCM_OSS_PLUGINS=y
CONFIG_SND_SEQUENCER_OSS=y
CONFIG_SND_HRTIMER=m
CONFIG_SND_SEQ_HRTIMER_DEFAULT=y
CONFIG_SND_DYNAMIC_MINORS=y
# CONFIG_SND_SUPPORT_OLD_API is not set
CONFIG_SND_VERBOSE_PROCFS=y
CONFIG_SND_VERBOSE_PRINTK=y
CONFIG_SND_DEBUG=y
# CONFIG_SND_DEBUG_VERBOSE is not set
CONFIG_SND_PCM_XRUN_DEBUG=y
CONFIG_SND_VMASTER=y
CONFIG_SND_KCTL_JACK=y
CONFIG_SND_DMA_SGBUF=y
CONFIG_SND_RAWMIDI_SEQ=m
CONFIG_SND_OPL3_LIB_SEQ=m
# CONFIG_SND_OPL4_LIB_SEQ is not set
# CONFIG_SND_SBAWE_SEQ is not set
CONFIG_SND_EMU10K1_SEQ=m
CONFIG_SND_MPU401_UART=m
CONFIG_SND_OPL3_LIB=m
CONFIG_SND_VX_LIB=m
CONFIG_SND_AC97_CODEC=m
CONFIG_SND_DRIVERS=y
CONFIG_SND_PCSP=m
CONFIG_SND_DUMMY=m
CONFIG_SND_ALOOP=m
CONFIG_SND_VIRMIDI=m
CONFIG_SND_MTPAV=m
CONFIG_SND_MTS64=m
CONFIG_SND_SERIAL_U16550=m
CONFIG_SND_MPU401=m
CONFIG_SND_PORTMAN2X4=m
CONFIG_SND_AC97_POWER_SAVE=y
CONFIG_SND_AC97_POWER_SAVE_DEFAULT=0
CONFIG_SND_SB_COMMON=m
CONFIG_SND_SB16_DSP=m
CONFIG_SND_TEA575X=m
CONFIG_SND_PCI=y
CONFIG_SND_AD1889=m
CONFIG_SND_ALS300=m
CONFIG_SND_ALS4000=m
CONFIG_SND_ALI5451=m
CONFIG_SND_ASIHPI=m
CONFIG_SND_ATIIXP=m
CONFIG_SND_ATIIXP_MODEM=m
CONFIG_SND_AU8810=m
CONFIG_SND_AU8820=m
CONFIG_SND_AU8830=m
# CONFIG_SND_AW2 is not set
CONFIG_SND_AZT3328=m
CONFIG_SND_BT87X=m
# CONFIG_SND_BT87X_OVERCLOCK is not set
CONFIG_SND_CA0106=m
CONFIG_SND_CMIPCI=m
CONFIG_SND_OXYGEN_LIB=m
CONFIG_SND_OXYGEN=m
CONFIG_SND_CS4281=m
CONFIG_SND_CS46XX=m
CONFIG_SND_CS46XX_NEW_DSP=y
CONFIG_SND_CS5530=m
CONFIG_SND_CS5535AUDIO=m
CONFIG_SND_CTXFI=m
CONFIG_SND_DARLA20=m
CONFIG_SND_GINA20=m
CONFIG_SND_LAYLA20=m
CONFIG_SND_DARLA24=m
CONFIG_SND_GINA24=m
CONFIG_SND_LAYLA24=m
CONFIG_SND_MONA=m
CONFIG_SND_MIA=m
CONFIG_SND_ECHO3G=m
CONFIG_SND_INDIGO=m
CONFIG_SND_INDIGOIO=m
CONFIG_SND_INDIGODJ=m
CONFIG_SND_INDIGOIOX=m
CONFIG_SND_INDIGODJX=m
CONFIG_SND_EMU10K1=m
CONFIG_SND_EMU10K1X=m
CONFIG_SND_ENS1370=m
CONFIG_SND_ENS1371=m
CONFIG_SND_ES1938=m
CONFIG_SND_ES1968=m
CONFIG_SND_ES1968_INPUT=y
CONFIG_SND_ES1968_RADIO=y
CONFIG_SND_FM801=m
CONFIG_SND_FM801_TEA575X_BOOL=y
CONFIG_SND_HDA_INTEL=m
CONFIG_SND_HDA_PREALLOC_SIZE=4096
CONFIG_SND_HDA_HWDEP=y
CONFIG_SND_HDA_RECONFIG=y
CONFIG_SND_HDA_INPUT_BEEP=y
CONFIG_SND_HDA_INPUT_BEEP_MODE=0
CONFIG_SND_HDA_INPUT_JACK=y
CONFIG_SND_HDA_PATCH_LOADER=y
CONFIG_SND_HDA_CODEC_REALTEK=y
CONFIG_SND_HDA_CODEC_ANALOG=y
CONFIG_SND_HDA_CODEC_SIGMATEL=y
CONFIG_SND_HDA_CODEC_VIA=y
CONFIG_SND_HDA_CODEC_HDMI=y
CONFIG_SND_HDA_CODEC_CIRRUS=y
CONFIG_SND_HDA_CODEC_CONEXANT=y
CONFIG_SND_HDA_CODEC_CA0110=y
CONFIG_SND_HDA_CODEC_CA0132=y
CONFIG_SND_HDA_CODEC_CMEDIA=y
CONFIG_SND_HDA_CODEC_SI3054=y
CONFIG_SND_HDA_GENERIC=y
CONFIG_SND_HDA_POWER_SAVE_DEFAULT=0
CONFIG_SND_HDSP=m
CONFIG_SND_HDSPM=m
CONFIG_SND_ICE1712=m
CONFIG_SND_ICE1724=m
CONFIG_SND_INTEL8X0=m
CONFIG_SND_INTEL8X0M=m
CONFIG_SND_KORG1212=m
CONFIG_SND_LOLA=m
CONFIG_SND_LX6464ES=m
CONFIG_SND_MAESTRO3=m
CONFIG_SND_MAESTRO3_INPUT=y
CONFIG_SND_MIXART=m
CONFIG_SND_NM256=m
CONFIG_SND_PCXHR=m
CONFIG_SND_RIPTIDE=m
CONFIG_SND_RME32=m
CONFIG_SND_RME96=m
CONFIG_SND_RME9652=m
CONFIG_SND_SONICVIBES=m
CONFIG_SND_TRIDENT=m
CONFIG_SND_VIA82XX=m
CONFIG_SND_VIA82XX_MODEM=m
CONFIG_SND_VIRTUOSO=m
CONFIG_SND_VX222=m
CONFIG_SND_YMFPCI=m
CONFIG_SND_USB=y
CONFIG_SND_USB_AUDIO=m
CONFIG_SND_USB_UA101=m
CONFIG_SND_USB_USX2Y=m
CONFIG_SND_USB_CAIAQ=m
CONFIG_SND_USB_CAIAQ_INPUT=y
CONFIG_SND_USB_US122L=m
CONFIG_SND_USB_6FIRE=m
CONFIG_SND_FIREWIRE=y
CONFIG_SND_FIREWIRE_LIB=m
CONFIG_SND_FIREWIRE_SPEAKERS=m
CONFIG_SND_ISIGHT=m
# CONFIG_SND_PCMCIA is not set
# CONFIG_SND_SOC is not set
# CONFIG_SOUND_PRIME is not set
CONFIG_AC97_BUS=m

#
# HID support
#
CONFIG_HID=y
CONFIG_HID_BATTERY_STRENGTH=y
CONFIG_HIDRAW=y
CONFIG_UHID=m
CONFIG_HID_GENERIC=y

#
# Special HID drivers
#
CONFIG_HID_A4TECH=y
CONFIG_HID_ACRUX=m
CONFIG_HID_ACRUX_FF=y
CONFIG_HID_APPLE=y
CONFIG_HID_AUREAL=m
CONFIG_HID_BELKIN=y
CONFIG_HID_CHERRY=y
CONFIG_HID_CHICONY=y
CONFIG_HID_PRODIKEYS=m
CONFIG_HID_CYPRESS=y
CONFIG_HID_DRAGONRISE=m
CONFIG_DRAGONRISE_FF=y
CONFIG_HID_EMS_FF=m
CONFIG_HID_ELECOM=m
CONFIG_HID_EZKEY=y
CONFIG_HID_HOLTEK=m
CONFIG_HOLTEK_FF=y
CONFIG_HID_KEYTOUCH=m
CONFIG_HID_KYE=m
CONFIG_HID_UCLOGIC=m
CONFIG_HID_WALTOP=m
CONFIG_HID_GYRATION=m
CONFIG_HID_TWINHAN=m
CONFIG_HID_KENSINGTON=y
CONFIG_HID_LCPOWER=m
CONFIG_HID_LENOVO_TPKBD=m
CONFIG_HID_LOGITECH=y
CONFIG_HID_LOGITECH_DJ=m
CONFIG_LOGITECH_FF=y
CONFIG_LOGIRUMBLEPAD2_FF=y
CONFIG_LOGIG940_FF=y
CONFIG_LOGIWHEELS_FF=y
CONFIG_HID_MAGICMOUSE=m
CONFIG_HID_MICROSOFT=y
CONFIG_HID_MONTEREY=y
CONFIG_HID_MULTITOUCH=m
CONFIG_HID_NTRIG=y
CONFIG_HID_ORTEK=m
CONFIG_HID_PANTHERLORD=m
CONFIG_PANTHERLORD_FF=y
CONFIG_HID_PETALYNX=m
CONFIG_HID_PICOLCD=m
CONFIG_HID_PICOLCD_FB=y
CONFIG_HID_PICOLCD_BACKLIGHT=y
CONFIG_HID_PICOLCD_LCD=y
CONFIG_HID_PICOLCD_LEDS=y
CONFIG_HID_PICOLCD_CIR=y
CONFIG_HID_PRIMAX=m
# CONFIG_HID_PS3REMOTE is not set
CONFIG_HID_ROCCAT=m
CONFIG_HID_SAITEK=m
CONFIG_HID_SAMSUNG=m
CONFIG_HID_SONY=m
CONFIG_HID_SPEEDLINK=m
CONFIG_HID_SUNPLUS=m
CONFIG_HID_GREENASIA=m
CONFIG_GREENASIA_FF=y
CONFIG_HID_HYPERV_MOUSE=m
CONFIG_HID_SMARTJOYPLUS=m
CONFIG_SMARTJOYPLUS_FF=y
CONFIG_HID_TIVO=m
CONFIG_HID_TOPSEED=m
CONFIG_HID_THRUSTMASTER=m
CONFIG_THRUSTMASTER_FF=y
CONFIG_HID_WACOM=m
CONFIG_HID_WIIMOTE=m
CONFIG_HID_WIIMOTE_EXT=y
CONFIG_HID_ZEROPLUS=m
CONFIG_ZEROPLUS_FF=y
CONFIG_HID_ZYDACRON=m
# CONFIG_HID_SENSOR_HUB is not set

#
# USB HID support
#
CONFIG_USB_HID=y
CONFIG_HID_PID=y
CONFIG_USB_HIDDEV=y
CONFIG_USB_ARCH_HAS_OHCI=y
CONFIG_USB_ARCH_HAS_EHCI=y
CONFIG_USB_ARCH_HAS_XHCI=y
CONFIG_USB_SUPPORT=y
CONFIG_USB_COMMON=y
CONFIG_USB_ARCH_HAS_HCD=y
CONFIG_USB=y
# CONFIG_USB_DEBUG is not set
CONFIG_USB_ANNOUNCE_NEW_DEVICES=y

#
# Miscellaneous USB options
#
# CONFIG_USB_DYNAMIC_MINORS is not set
CONFIG_USB_SUSPEND=y
# CONFIG_USB_OTG is not set
CONFIG_USB_MON=y
CONFIG_USB_WUSB=m
CONFIG_USB_WUSB_CBAF=m
# CONFIG_USB_WUSB_CBAF_DEBUG is not set

#
# USB Host Controller Drivers
#
# CONFIG_USB_C67X00_HCD is not set
CONFIG_USB_XHCI_HCD=y
# CONFIG_USB_XHCI_HCD_DEBUGGING is not set
CONFIG_USB_EHCI_HCD=y
CONFIG_USB_EHCI_ROOT_HUB_TT=y
CONFIG_USB_EHCI_TT_NEWSCHED=y
# CONFIG_USB_OXU210HP_HCD is not set
# CONFIG_USB_ISP116X_HCD is not set
# CONFIG_USB_ISP1760_HCD is not set
CONFIG_USB_ISP1362_HCD=m
CONFIG_USB_OHCI_HCD=y
# CONFIG_USB_OHCI_HCD_PLATFORM is not set
# CONFIG_USB_EHCI_HCD_PLATFORM is not set
# CONFIG_USB_OHCI_BIG_ENDIAN_DESC is not set
# CONFIG_USB_OHCI_BIG_ENDIAN_MMIO is not set
CONFIG_USB_OHCI_LITTLE_ENDIAN=y
CONFIG_USB_UHCI_HCD=y
CONFIG_USB_U132_HCD=m
CONFIG_USB_SL811_HCD=m
CONFIG_USB_SL811_HCD_ISO=y
# CONFIG_USB_SL811_CS is not set
# CONFIG_USB_R8A66597_HCD is not set
CONFIG_USB_WHCI_HCD=m
CONFIG_USB_HWA_HCD=m
# CONFIG_USB_HCD_BCMA is not set
# CONFIG_USB_HCD_SSB is not set
# CONFIG_USB_CHIPIDEA is not set

#
# USB Device Class drivers
#
CONFIG_USB_ACM=m
CONFIG_USB_PRINTER=m
CONFIG_USB_WDM=m
CONFIG_USB_TMC=m

#
# NOTE: USB_STORAGE depends on SCSI but BLK_DEV_SD may
#

#
# also be needed; see USB_STORAGE Help for more info
#
CONFIG_USB_STORAGE=m
# CONFIG_USB_STORAGE_DEBUG is not set
CONFIG_USB_STORAGE_REALTEK=m
CONFIG_REALTEK_AUTOPM=y
CONFIG_USB_STORAGE_DATAFAB=m
CONFIG_USB_STORAGE_FREECOM=m
CONFIG_USB_STORAGE_ISD200=m
CONFIG_USB_STORAGE_USBAT=m
CONFIG_USB_STORAGE_SDDR09=m
CONFIG_USB_STORAGE_SDDR55=m
CONFIG_USB_STORAGE_JUMPSHOT=m
CONFIG_USB_STORAGE_ALAUDA=m
CONFIG_USB_STORAGE_ONETOUCH=m
CONFIG_USB_STORAGE_KARMA=m
CONFIG_USB_STORAGE_CYPRESS_ATACB=m
CONFIG_USB_STORAGE_ENE_UB6250=m
# CONFIG_USB_UAS is not set

#
# USB Imaging devices
#
CONFIG_USB_MDC800=m
CONFIG_USB_MICROTEK=m

#
# USB port drivers
#
CONFIG_USB_USS720=m
CONFIG_USB_SERIAL=y
CONFIG_USB_SERIAL_CONSOLE=y
CONFIG_USB_SERIAL_GENERIC=y
CONFIG_USB_SERIAL_AIRCABLE=m
CONFIG_USB_SERIAL_ARK3116=m
CONFIG_USB_SERIAL_BELKIN=m
CONFIG_USB_SERIAL_CH341=m
CONFIG_USB_SERIAL_WHITEHEAT=m
CONFIG_USB_SERIAL_DIGI_ACCELEPORT=m
CONFIG_USB_SERIAL_CP210X=m
CONFIG_USB_SERIAL_CYPRESS_M8=m
CONFIG_USB_SERIAL_EMPEG=m
CONFIG_USB_SERIAL_FTDI_SIO=m
CONFIG_USB_SERIAL_FUNSOFT=m
CONFIG_USB_SERIAL_VISOR=m
CONFIG_USB_SERIAL_IPAQ=m
CONFIG_USB_SERIAL_IR=m
CONFIG_USB_SERIAL_EDGEPORT=m
CONFIG_USB_SERIAL_EDGEPORT_TI=m
# CONFIG_USB_SERIAL_F81232 is not set
CONFIG_USB_SERIAL_GARMIN=m
CONFIG_USB_SERIAL_IPW=m
CONFIG_USB_SERIAL_IUU=m
CONFIG_USB_SERIAL_KEYSPAN_PDA=m
CONFIG_USB_SERIAL_KEYSPAN=m
CONFIG_USB_SERIAL_KLSI=m
CONFIG_USB_SERIAL_KOBIL_SCT=m
CONFIG_USB_SERIAL_MCT_U232=m
# CONFIG_USB_SERIAL_METRO is not set
CONFIG_USB_SERIAL_MOS7720=m
CONFIG_USB_SERIAL_MOS7715_PARPORT=y
CONFIG_USB_SERIAL_MOS7840=m
CONFIG_USB_SERIAL_MOTOROLA=m
CONFIG_USB_SERIAL_NAVMAN=m
CONFIG_USB_SERIAL_PL2303=m
CONFIG_USB_SERIAL_OTI6858=m
CONFIG_USB_SERIAL_QCAUX=m
CONFIG_USB_SERIAL_QUALCOMM=m
CONFIG_USB_SERIAL_SPCP8X5=m
CONFIG_USB_SERIAL_HP4X=m
CONFIG_USB_SERIAL_SAFE=m
CONFIG_USB_SERIAL_SAFE_PADDED=y
CONFIG_USB_SERIAL_SIEMENS_MPI=m
CONFIG_USB_SERIAL_SIERRAWIRELESS=m
CONFIG_USB_SERIAL_SYMBOL=m
CONFIG_USB_SERIAL_TI=m
CONFIG_USB_SERIAL_CYBERJACK=m
CONFIG_USB_SERIAL_XIRCOM=m
CONFIG_USB_SERIAL_WWAN=m
CONFIG_USB_SERIAL_OPTION=m
CONFIG_USB_SERIAL_OMNINET=m
CONFIG_USB_SERIAL_OPTICON=m
CONFIG_USB_SERIAL_VIVOPAY_SERIAL=m
# CONFIG_USB_SERIAL_ZIO is not set
# CONFIG_USB_SERIAL_ZTE is not set
CONFIG_USB_SERIAL_SSU100=m
CONFIG_USB_SERIAL_QT2=m
CONFIG_USB_SERIAL_DEBUG=m

#
# USB Miscellaneous drivers
#
CONFIG_USB_EMI62=m
CONFIG_USB_EMI26=m
CONFIG_USB_ADUTUX=m
CONFIG_USB_SEVSEG=m
# CONFIG_USB_RIO500 is not set
CONFIG_USB_LEGOTOWER=m
CONFIG_USB_LCD=m
CONFIG_USB_LED=m
# CONFIG_USB_CYPRESS_CY7C63 is not set
# CONFIG_USB_CYTHERM is not set
CONFIG_USB_IDMOUSE=m
CONFIG_USB_FTDI_ELAN=m
CONFIG_USB_APPLEDISPLAY=m
CONFIG_USB_SISUSBVGA=m
CONFIG_USB_SISUSBVGA_CON=y
CONFIG_USB_LD=m
CONFIG_USB_TRANCEVIBRATOR=m
CONFIG_USB_IOWARRIOR=m
# CONFIG_USB_TEST is not set
CONFIG_USB_ISIGHTFW=m
CONFIG_USB_YUREX=m
CONFIG_USB_EZUSB_FX2=m

#
# USB Physical Layer drivers
#
# CONFIG_OMAP_USB2 is not set
# CONFIG_USB_ISP1301 is not set
CONFIG_USB_ATM=m
CONFIG_USB_SPEEDTOUCH=m
CONFIG_USB_CXACRU=m
CONFIG_USB_UEAGLEATM=m
CONFIG_USB_XUSBATM=m
# CONFIG_USB_GADGET is not set

#
# OTG and related infrastructure
#
CONFIG_USB_OTG_UTILS=y
CONFIG_NOP_USB_XCEIV=m
CONFIG_UWB=m
CONFIG_UWB_HWA=m
CONFIG_UWB_WHCI=m
CONFIG_UWB_I1480U=m
CONFIG_MMC=m
# CONFIG_MMC_DEBUG is not set
# CONFIG_MMC_UNSAFE_RESUME is not set
# CONFIG_MMC_CLKGATE is not set

#
# MMC/SD/SDIO Card Drivers
#
CONFIG_MMC_BLOCK=m
CONFIG_MMC_BLOCK_MINORS=8
CONFIG_MMC_BLOCK_BOUNCE=y
CONFIG_SDIO_UART=m
# CONFIG_MMC_TEST is not set

#
# MMC/SD/SDIO Host Controller Drivers
#
CONFIG_MMC_SDHCI=m
CONFIG_MMC_SDHCI_PCI=m
CONFIG_MMC_RICOH_MMC=y
CONFIG_MMC_SDHCI_PLTFM=m
CONFIG_MMC_WBSD=m
CONFIG_MMC_TIFM_SD=m
CONFIG_MMC_SDRICOH_CS=m
CONFIG_MMC_CB710=m
CONFIG_MMC_VIA_SDMMC=m
CONFIG_MMC_VUB300=m
CONFIG_MMC_USHC=m
CONFIG_MEMSTICK=m
# CONFIG_MEMSTICK_DEBUG is not set

#
# MemoryStick drivers
#
# CONFIG_MEMSTICK_UNSAFE_RESUME is not set
CONFIG_MSPRO_BLOCK=m

#
# MemoryStick Host Controller Drivers
#
CONFIG_MEMSTICK_TIFM_MS=m
CONFIG_MEMSTICK_JMICRON_38X=m
CONFIG_MEMSTICK_R592=m
CONFIG_NEW_LEDS=y
CONFIG_LEDS_CLASS=y

#
# LED drivers
#
CONFIG_LEDS_LM3530=m
# CONFIG_LEDS_LM3642 is not set
# CONFIG_LEDS_PCA9532 is not set
CONFIG_LEDS_LP3944=m
CONFIG_LEDS_LP5521=m
CONFIG_LEDS_LP5523=m
CONFIG_LEDS_CLEVO_MAIL=m
# CONFIG_LEDS_PCA955X is not set
# CONFIG_LEDS_PCA9633 is not set
# CONFIG_LEDS_BD2802 is not set
CONFIG_LEDS_INTEL_SS4200=m
CONFIG_LEDS_DELL_NETBOOKS=m
# CONFIG_LEDS_TCA6507 is not set
# CONFIG_LEDS_LM355x is not set
# CONFIG_LEDS_OT200 is not set
CONFIG_LEDS_BLINKM=m
CONFIG_LEDS_TRIGGERS=y

#
# LED Triggers
#
CONFIG_LEDS_TRIGGER_TIMER=m
CONFIG_LEDS_TRIGGER_ONESHOT=m
CONFIG_LEDS_TRIGGER_HEARTBEAT=m
CONFIG_LEDS_TRIGGER_BACKLIGHT=m
# CONFIG_LEDS_TRIGGER_CPU is not set
CONFIG_LEDS_TRIGGER_DEFAULT_ON=m

#
# iptables trigger is under Netfilter config (LED target)
#
CONFIG_LEDS_TRIGGER_TRANSIENT=m
CONFIG_ACCESSIBILITY=y
CONFIG_A11Y_BRAILLE_CONSOLE=y
CONFIG_INFINIBAND=m
CONFIG_INFINIBAND_USER_MAD=m
CONFIG_INFINIBAND_USER_ACCESS=m
CONFIG_INFINIBAND_USER_MEM=y
CONFIG_INFINIBAND_ADDR_TRANS=y
CONFIG_INFINIBAND_MTHCA=m
CONFIG_INFINIBAND_MTHCA_DEBUG=y
CONFIG_INFINIBAND_IPATH=m
CONFIG_INFINIBAND_QIB=m
CONFIG_INFINIBAND_AMSO1100=m
# CONFIG_INFINIBAND_AMSO1100_DEBUG is not set
CONFIG_INFINIBAND_CXGB3=m
# CONFIG_INFINIBAND_CXGB3_DEBUG is not set
CONFIG_INFINIBAND_CXGB4=m
CONFIG_MLX4_INFINIBAND=m
CONFIG_INFINIBAND_NES=m
# CONFIG_INFINIBAND_NES_DEBUG is not set
# CONFIG_INFINIBAND_OCRDMA is not set
CONFIG_INFINIBAND_IPOIB=m
CONFIG_INFINIBAND_IPOIB_CM=y
CONFIG_INFINIBAND_IPOIB_DEBUG=y
CONFIG_INFINIBAND_IPOIB_DEBUG_DATA=y
CONFIG_INFINIBAND_SRP=m
CONFIG_INFINIBAND_SRPT=m
CONFIG_INFINIBAND_ISER=m
CONFIG_EDAC=y

#
# Reporting subsystems
#
CONFIG_EDAC_LEGACY_SYSFS=y
# CONFIG_EDAC_DEBUG is not set
CONFIG_EDAC_DECODE_MCE=m
CONFIG_EDAC_MCE_INJ=m
CONFIG_EDAC_MM_EDAC=m
CONFIG_EDAC_AMD64=m
# CONFIG_EDAC_AMD64_ERROR_INJECTION is not set
CONFIG_EDAC_E752X=m
CONFIG_EDAC_I82975X=m
CONFIG_EDAC_I3000=m
CONFIG_EDAC_I3200=m
CONFIG_EDAC_X38=m
CONFIG_EDAC_I5400=m
CONFIG_EDAC_I7CORE=m
CONFIG_EDAC_I5000=m
CONFIG_EDAC_I5100=m
CONFIG_EDAC_I7300=m
CONFIG_EDAC_SBRIDGE=m
CONFIG_RTC_LIB=y
CONFIG_RTC_CLASS=y
CONFIG_RTC_HCTOSYS=y
CONFIG_RTC_HCTOSYS_DEVICE="rtc0"
# CONFIG_RTC_DEBUG is not set

#
# RTC interfaces
#
CONFIG_RTC_INTF_SYSFS=y
CONFIG_RTC_INTF_PROC=y
CONFIG_RTC_INTF_DEV=y
# CONFIG_RTC_INTF_DEV_UIE_EMUL is not set
# CONFIG_RTC_DRV_TEST is not set

#
# I2C RTC drivers
#
CONFIG_RTC_DRV_DS1307=m
CONFIG_RTC_DRV_DS1374=m
CONFIG_RTC_DRV_DS1672=m
CONFIG_RTC_DRV_DS3232=m
CONFIG_RTC_DRV_MAX6900=m
CONFIG_RTC_DRV_RS5C372=m
CONFIG_RTC_DRV_ISL1208=m
CONFIG_RTC_DRV_ISL12022=m
CONFIG_RTC_DRV_X1205=m
CONFIG_RTC_DRV_PCF8563=m
CONFIG_RTC_DRV_PCF8583=m
CONFIG_RTC_DRV_M41T80=m
CONFIG_RTC_DRV_M41T80_WDT=y
CONFIG_RTC_DRV_BQ32K=m
# CONFIG_RTC_DRV_S35390A is not set
CONFIG_RTC_DRV_FM3130=m
CONFIG_RTC_DRV_RX8581=m
CONFIG_RTC_DRV_RX8025=m
CONFIG_RTC_DRV_EM3027=m
CONFIG_RTC_DRV_RV3029C2=m

#
# SPI RTC drivers
#

#
# Platform RTC drivers
#
CONFIG_RTC_DRV_CMOS=y
CONFIG_RTC_DRV_DS1286=m
CONFIG_RTC_DRV_DS1511=m
CONFIG_RTC_DRV_DS1553=m
CONFIG_RTC_DRV_DS1742=m
CONFIG_RTC_DRV_STK17TA8=m
# CONFIG_RTC_DRV_M48T86 is not set
CONFIG_RTC_DRV_M48T35=m
CONFIG_RTC_DRV_M48T59=m
CONFIG_RTC_DRV_MSM6242=m
CONFIG_RTC_DRV_BQ4802=m
CONFIG_RTC_DRV_RP5C01=m
CONFIG_RTC_DRV_V3020=m
# CONFIG_RTC_DRV_DS2404 is not set

#
# on-CPU RTC drivers
#
CONFIG_DMADEVICES=y
# CONFIG_DMADEVICES_DEBUG is not set

#
# DMA Devices
#
# CONFIG_INTEL_MID_DMAC is not set
CONFIG_INTEL_IOATDMA=m
# CONFIG_TIMB_DMA is not set
CONFIG_PCH_DMA=m
CONFIG_DMA_ENGINE=y

#
# DMA Clients
#
CONFIG_NET_DMA=y
CONFIG_ASYNC_TX_DMA=y
# CONFIG_DMATEST is not set
CONFIG_DCA=m
CONFIG_AUXDISPLAY=y
CONFIG_KS0108=m
CONFIG_KS0108_PORT=0x378
CONFIG_KS0108_DELAY=2
CONFIG_CFAG12864B=m
CONFIG_CFAG12864B_RATE=20
CONFIG_UIO=m
CONFIG_UIO_CIF=m
# CONFIG_UIO_PDRV is not set
# CONFIG_UIO_PDRV_GENIRQ is not set
CONFIG_UIO_AEC=m
CONFIG_UIO_SERCOS3=m
CONFIG_UIO_PCI_GENERIC=m
# CONFIG_UIO_NETX is not set
CONFIG_VFIO_IOMMU_TYPE1=m
CONFIG_VFIO=m
CONFIG_VFIO_PCI=m
CONFIG_VIRTIO=y

#
# Virtio drivers
#
CONFIG_VIRTIO_PCI=y
CONFIG_VIRTIO_BALLOON=m
CONFIG_VIRTIO_MMIO=m
# CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES is not set

#
# Microsoft Hyper-V guest support
#
CONFIG_HYPERV=m
CONFIG_HYPERV_UTILS=m

#
# Xen driver support
#
CONFIG_XEN_BALLOON=y
CONFIG_XEN_SELFBALLOONING=y
CONFIG_XEN_SCRUB_PAGES=y
CONFIG_XEN_DEV_EVTCHN=m
CONFIG_XEN_BACKEND=y
CONFIG_XENFS=m
CONFIG_XEN_COMPAT_XENFS=y
CONFIG_XEN_SYS_HYPERVISOR=y
CONFIG_XEN_XENBUS_FRONTEND=y
CONFIG_XEN_GNTDEV=m
CONFIG_XEN_GRANT_DEV_ALLOC=m
CONFIG_SWIOTLB_XEN=y
CONFIG_XEN_TMEM=y
CONFIG_XEN_PCIDEV_BACKEND=m
CONFIG_XEN_PRIVCMD=m
CONFIG_XEN_ACPI_PROCESSOR=m
# CONFIG_XEN_MCE_LOG is not set
CONFIG_STAGING=y
# CONFIG_ET131X is not set
# CONFIG_SLICOSS is not set
# CONFIG_USBIP_CORE is not set
# CONFIG_W35UND is not set
# CONFIG_PRISM2_USB is not set
# CONFIG_ECHO is not set
# CONFIG_COMEDI is not set
# CONFIG_ASUS_OLED is not set
# CONFIG_PANEL is not set
# CONFIG_R8187SE is not set
# CONFIG_RTL8192U is not set
# CONFIG_RTLLIB is not set
CONFIG_R8712U=m
# CONFIG_RTS_PSTOR is not set
# CONFIG_RTS5139 is not set
# CONFIG_TRANZPORT is not set
# CONFIG_IDE_PHISON is not set
# CONFIG_LINE6_USB is not set
# CONFIG_USB_SERIAL_QUATECH2 is not set
# CONFIG_VT6655 is not set
# CONFIG_VT6656 is not set
# CONFIG_DX_SEP is not set
# CONFIG_ZSMALLOC is not set
# CONFIG_WLAGS49_H2 is not set
# CONFIG_WLAGS49_H25 is not set
# CONFIG_FB_SM7XX is not set
CONFIG_CRYSTALHD=m
# CONFIG_FB_XGI is not set
# CONFIG_ACPI_QUICKSTART is not set
# CONFIG_USB_ENESTORAGE is not set
# CONFIG_BCM_WIMAX is not set
# CONFIG_FT1000 is not set

#
# Speakup console speech
#
# CONFIG_SPEAKUP is not set
# CONFIG_TOUCHSCREEN_SYNAPTICS_I2C_RMI4 is not set
CONFIG_STAGING_MEDIA=y
# CONFIG_DVB_AS102 is not set
# CONFIG_DVB_CXD2099 is not set
# CONFIG_VIDEO_DT3155 is not set
# CONFIG_VIDEO_GO7007 is not set
# CONFIG_SOLO6X10 is not set
CONFIG_LIRC_STAGING=y
CONFIG_LIRC_BT829=m
CONFIG_LIRC_IGORPLUGUSB=m
CONFIG_LIRC_IMON=m
CONFIG_LIRC_PARALLEL=m
CONFIG_LIRC_SASEM=m
CONFIG_LIRC_SERIAL=m
CONFIG_LIRC_SERIAL_TRANSMITTER=y
CONFIG_LIRC_SIR=m
CONFIG_LIRC_ZILOG=m

#
# Android
#
# CONFIG_ANDROID is not set
# CONFIG_PHONE is not set
# CONFIG_USB_WPAN_HCD is not set
# CONFIG_IPACK_BUS is not set
# CONFIG_WIMAX_GDM72XX is not set
# CONFIG_CSR_WIFI is not set
# CONFIG_ZCACHE2 is not set
CONFIG_NET_VENDOR_SILICOM=y
# CONFIG_SBYPASS is not set
# CONFIG_BPCTL is not set
# CONFIG_CED1401 is not set
# CONFIG_DGRP is not set
CONFIG_X86_PLATFORM_DEVICES=y
CONFIG_ACER_WMI=m
CONFIG_ACERHDF=m
CONFIG_ASUS_LAPTOP=m
CONFIG_DELL_LAPTOP=m
CONFIG_DELL_WMI=m
CONFIG_DELL_WMI_AIO=m
CONFIG_FUJITSU_LAPTOP=m
# CONFIG_FUJITSU_LAPTOP_DEBUG is not set
CONFIG_FUJITSU_TABLET=m
CONFIG_AMILO_RFKILL=m
CONFIG_HP_ACCEL=m
CONFIG_HP_WMI=m
CONFIG_MSI_LAPTOP=m
CONFIG_PANASONIC_LAPTOP=m
CONFIG_COMPAL_LAPTOP=m
CONFIG_SONY_LAPTOP=m
CONFIG_SONYPI_COMPAT=y
CONFIG_IDEAPAD_LAPTOP=m
CONFIG_THINKPAD_ACPI=m
CONFIG_THINKPAD_ACPI_ALSA_SUPPORT=y
# CONFIG_THINKPAD_ACPI_DEBUGFACILITIES is not set
# CONFIG_THINKPAD_ACPI_DEBUG is not set
# CONFIG_THINKPAD_ACPI_UNSAFE_LEDS is not set
CONFIG_THINKPAD_ACPI_VIDEO=y
CONFIG_THINKPAD_ACPI_HOTKEY_POLL=y
CONFIG_SENSORS_HDAPS=m
# CONFIG_INTEL_MENLOW is not set
CONFIG_EEEPC_LAPTOP=m
CONFIG_ASUS_WMI=m
CONFIG_ASUS_NB_WMI=m
CONFIG_EEEPC_WMI=m
CONFIG_ACPI_WMI=m
CONFIG_MSI_WMI=m
CONFIG_TOPSTAR_LAPTOP=m
CONFIG_ACPI_TOSHIBA=m
CONFIG_TOSHIBA_BT_RFKILL=m
CONFIG_ACPI_CMPC=m
CONFIG_INTEL_IPS=m
# CONFIG_IBM_RTL is not set
# CONFIG_XO15_EBOOK is not set
CONFIG_SAMSUNG_LAPTOP=m
CONFIG_MXM_WMI=m
CONFIG_INTEL_OAKTRAIL=m
CONFIG_SAMSUNG_Q10=m
CONFIG_APPLE_GMUX=m

#
# Hardware Spinlock drivers
#
CONFIG_CLKEVT_I8253=y
CONFIG_I8253_LOCK=y
CONFIG_CLKBLD_I8253=y
CONFIG_IOMMU_API=y
CONFIG_IOMMU_SUPPORT=y
CONFIG_AMD_IOMMU=y
CONFIG_AMD_IOMMU_STATS=y
CONFIG_AMD_IOMMU_V2=m
CONFIG_DMAR_TABLE=y
CONFIG_INTEL_IOMMU=y
# CONFIG_INTEL_IOMMU_DEFAULT_ON is not set
CONFIG_INTEL_IOMMU_FLOPPY_WA=y
CONFIG_IRQ_REMAP=y

#
# Remoteproc drivers (EXPERIMENTAL)
#
# CONFIG_STE_MODEM_RPROC is not set

#
# Rpmsg drivers (EXPERIMENTAL)
#
# CONFIG_VIRT_DRIVERS is not set
# CONFIG_PM_DEVFREQ is not set
# CONFIG_EXTCON is not set
# CONFIG_MEMORY is not set
# CONFIG_IIO is not set
# CONFIG_VME_BUS is not set
# CONFIG_PWM is not set

#
# Firmware Drivers
#
CONFIG_EDD=m
# CONFIG_EDD_OFF is not set
CONFIG_FIRMWARE_MEMMAP=y
CONFIG_EFI_VARS=y
CONFIG_DELL_RBU=m
CONFIG_DCDBAS=m
CONFIG_DMIID=y
CONFIG_DMI_SYSFS=y
CONFIG_ISCSI_IBFT_FIND=y
CONFIG_ISCSI_IBFT=m
# CONFIG_GOOGLE_FIRMWARE is not set

#
# File systems
#
CONFIG_DCACHE_WORD_ACCESS=y
# CONFIG_EXT2_FS is not set
CONFIG_EXT3_FS=y
CONFIG_EXT3_DEFAULTS_TO_ORDERED=y
CONFIG_EXT3_FS_XATTR=y
CONFIG_EXT3_FS_POSIX_ACL=y
CONFIG_EXT3_FS_SECURITY=y
CONFIG_EXT4_FS=y
CONFIG_EXT4_USE_FOR_EXT23=y
CONFIG_EXT4_FS_XATTR=y
CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_EXT4_FS_SECURITY=y
# CONFIG_EXT4_DEBUG is not set
CONFIG_JBD=y
# CONFIG_JBD_DEBUG is not set
CONFIG_JBD2=y
# CONFIG_JBD2_DEBUG is not set
CONFIG_FS_MBCACHE=y
CONFIG_REISERFS_FS=m
# CONFIG_REISERFS_CHECK is not set
CONFIG_REISERFS_PROC_INFO=y
CONFIG_REISERFS_FS_XATTR=y
CONFIG_REISERFS_FS_POSIX_ACL=y
CONFIG_REISERFS_FS_SECURITY=y
CONFIG_JFS_FS=m
CONFIG_JFS_POSIX_ACL=y
CONFIG_JFS_SECURITY=y
# CONFIG_JFS_DEBUG is not set
# CONFIG_JFS_STATISTICS is not set
CONFIG_XFS_FS=m
CONFIG_XFS_QUOTA=y
CONFIG_XFS_POSIX_ACL=y
# CONFIG_XFS_RT is not set
# CONFIG_XFS_DEBUG is not set
CONFIG_GFS2_FS=m
CONFIG_GFS2_FS_LOCKING_DLM=y
CONFIG_OCFS2_FS=m
CONFIG_OCFS2_FS_O2CB=m
CONFIG_OCFS2_FS_USERSPACE_CLUSTER=m
# CONFIG_OCFS2_FS_STATS is not set
# CONFIG_OCFS2_DEBUG_MASKLOG is not set
# CONFIG_OCFS2_DEBUG_FS is not set
CONFIG_BTRFS_FS=m
CONFIG_BTRFS_FS_POSIX_ACL=y
# CONFIG_BTRFS_FS_CHECK_INTEGRITY is not set
CONFIG_NILFS2_FS=m
CONFIG_FS_POSIX_ACL=y
CONFIG_EXPORTFS=y
CONFIG_FILE_LOCKING=y
CONFIG_FSNOTIFY=y
CONFIG_DNOTIFY=y
CONFIG_INOTIFY_USER=y
CONFIG_FANOTIFY=y
CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y
CONFIG_QUOTA=y
CONFIG_QUOTA_NETLINK_INTERFACE=y
# CONFIG_PRINT_QUOTA_WARNING is not set
# CONFIG_QUOTA_DEBUG is not set
CONFIG_QUOTA_TREE=y
# CONFIG_QFMT_V1 is not set
CONFIG_QFMT_V2=y
CONFIG_QUOTACTL=y
CONFIG_QUOTACTL_COMPAT=y
CONFIG_AUTOFS4_FS=y
CONFIG_FUSE_FS=m
CONFIG_CUSE=m
CONFIG_GENERIC_ACL=y

#
# Caches
#
CONFIG_FSCACHE=m
CONFIG_FSCACHE_STATS=y
# CONFIG_FSCACHE_HISTOGRAM is not set
# CONFIG_FSCACHE_DEBUG is not set
CONFIG_FSCACHE_OBJECT_LIST=y
CONFIG_CACHEFILES=m
# CONFIG_CACHEFILES_DEBUG is not set
# CONFIG_CACHEFILES_HISTOGRAM is not set

#
# CD-ROM/DVD Filesystems
#
CONFIG_ISO9660_FS=y
CONFIG_JOLIET=y
CONFIG_ZISOFS=y
CONFIG_UDF_FS=m
CONFIG_UDF_NLS=y

#
# DOS/FAT/NT Filesystems
#
CONFIG_FAT_FS=m
CONFIG_MSDOS_FS=m
CONFIG_VFAT_FS=m
CONFIG_FAT_DEFAULT_CODEPAGE=437
CONFIG_FAT_DEFAULT_IOCHARSET="ascii"
# CONFIG_NTFS_FS is not set

#
# Pseudo filesystems
#
CONFIG_PROC_FS=y
CONFIG_PROC_KCORE=y
CONFIG_PROC_VMCORE=y
CONFIG_PROC_SYSCTL=y
CONFIG_PROC_PAGE_MONITOR=y
CONFIG_SYSFS=y
CONFIG_TMPFS=y
CONFIG_TMPFS_POSIX_ACL=y
CONFIG_TMPFS_XATTR=y
CONFIG_HUGETLBFS=y
CONFIG_HUGETLB_PAGE=y
CONFIG_CONFIGFS_FS=y
CONFIG_MISC_FILESYSTEMS=y
# CONFIG_ADFS_FS is not set
CONFIG_AFFS_FS=m
CONFIG_ECRYPT_FS=m
CONFIG_HFS_FS=m
CONFIG_HFSPLUS_FS=m
CONFIG_BEFS_FS=m
# CONFIG_BEFS_DEBUG is not set
# CONFIG_BFS_FS is not set
# CONFIG_EFS_FS is not set
# CONFIG_JFFS2_FS is not set
CONFIG_UBIFS_FS=m
# CONFIG_UBIFS_FS_ADVANCED_COMPR is not set
CONFIG_UBIFS_FS_LZO=y
CONFIG_UBIFS_FS_ZLIB=y
# CONFIG_LOGFS is not set
CONFIG_CRAMFS=m
CONFIG_SQUASHFS=m
CONFIG_SQUASHFS_XATTR=y
CONFIG_SQUASHFS_ZLIB=y
CONFIG_SQUASHFS_LZO=y
CONFIG_SQUASHFS_XZ=y
# CONFIG_SQUASHFS_4K_DEVBLK_SIZE is not set
# CONFIG_SQUASHFS_EMBEDDED is not set
CONFIG_SQUASHFS_FRAGMENT_CACHE_SIZE=3
# CONFIG_VXFS_FS is not set
CONFIG_MINIX_FS=m
# CONFIG_OMFS_FS is not set
# CONFIG_HPFS_FS is not set
# CONFIG_QNX4FS_FS is not set
# CONFIG_QNX6FS_FS is not set
CONFIG_ROMFS_FS=m
CONFIG_ROMFS_BACKED_BY_BLOCK=y
# CONFIG_ROMFS_BACKED_BY_MTD is not set
# CONFIG_ROMFS_BACKED_BY_BOTH is not set
CONFIG_ROMFS_ON_BLOCK=y
CONFIG_PSTORE=y
# CONFIG_PSTORE_CONSOLE is not set
# CONFIG_PSTORE_FTRACE is not set
CONFIG_PSTORE_RAM=m
CONFIG_SYSV_FS=m
CONFIG_UFS_FS=m
# CONFIG_UFS_FS_WRITE is not set
# CONFIG_UFS_DEBUG is not set
# CONFIG_EXOFS_FS is not set
CONFIG_ORE=m
CONFIG_NETWORK_FILESYSTEMS=y
CONFIG_NFS_FS=y
CONFIG_NFS_V2=m
CONFIG_NFS_V3=m
CONFIG_NFS_V3_ACL=y
CONFIG_NFS_V4=y
# CONFIG_NFS_SWAP is not set
CONFIG_NFS_V4_1=y
CONFIG_PNFS_FILE_LAYOUT=m
CONFIG_PNFS_BLOCK=m
CONFIG_PNFS_OBJLAYOUT=m
CONFIG_NFS_V4_1_IMPLEMENTATION_ID_DOMAIN="kernel.org"
CONFIG_NFS_V4_SECURITY_LABEL=y
# CONFIG_NFS_USE_LEGACY_DNS is not set
CONFIG_NFS_USE_KERNEL_DNS=y
CONFIG_NFS_DEBUG=y
CONFIG_NFSD=y
CONFIG_NFSD_V2_ACL=y
CONFIG_NFSD_V3=y
CONFIG_NFSD_V3_ACL=y
CONFIG_NFSD_V4=y
CONFIG_NFSD_V4_SECURITY_LABEL=y
# CONFIG_NFSD_FAULT_INJECTION is not set
CONFIG_LOCKD=y
CONFIG_LOCKD_V4=y
CONFIG_NFS_ACL_SUPPORT=y
CONFIG_NFS_COMMON=y
CONFIG_SUNRPC=y
CONFIG_SUNRPC_GSS=y
CONFIG_SUNRPC_BACKCHANNEL=y
CONFIG_SUNRPC_XPRT_RDMA=m
CONFIG_RPCSEC_GSS_KRB5=m
CONFIG_SUNRPC_DEBUG=y
CONFIG_CEPH_FS=m
CONFIG_CIFS=m
CONFIG_CIFS_STATS=y
# CONFIG_CIFS_STATS2 is not set
CONFIG_CIFS_WEAK_PW_HASH=y
CONFIG_CIFS_UPCALL=y
CONFIG_CIFS_XATTR=y
CONFIG_CIFS_POSIX=y
CONFIG_CIFS_ACL=y
# CONFIG_CIFS_DEBUG2 is not set
CONFIG_CIFS_DFS_UPCALL=y
# CONFIG_CIFS_SMB2 is not set
CONFIG_CIFS_FSCACHE=y
CONFIG_NCP_FS=m
CONFIG_NCPFS_PACKET_SIGNING=y
CONFIG_NCPFS_IOCTL_LOCKING=y
CONFIG_NCPFS_STRONG=y
CONFIG_NCPFS_NFS_NS=y
CONFIG_NCPFS_OS2_NS=y
CONFIG_NCPFS_SMALLDOS=y
CONFIG_NCPFS_NLS=y
CONFIG_NCPFS_EXTRAS=y
CONFIG_CODA_FS=m
# CONFIG_AFS_FS is not set
CONFIG_9P_FS=m
CONFIG_9P_FSCACHE=y
CONFIG_9P_FS_POSIX_ACL=y
CONFIG_NLS=y
CONFIG_NLS_DEFAULT="utf8"
CONFIG_NLS_CODEPAGE_437=y
CONFIG_NLS_CODEPAGE_737=m
CONFIG_NLS_CODEPAGE_775=m
CONFIG_NLS_CODEPAGE_850=m
CONFIG_NLS_CODEPAGE_852=m
CONFIG_NLS_CODEPAGE_855=m
CONFIG_NLS_CODEPAGE_857=m
CONFIG_NLS_CODEPAGE_860=m
CONFIG_NLS_CODEPAGE_861=m
CONFIG_NLS_CODEPAGE_862=m
CONFIG_NLS_CODEPAGE_863=m
CONFIG_NLS_CODEPAGE_864=m
CONFIG_NLS_CODEPAGE_865=m
CONFIG_NLS_CODEPAGE_866=m
CONFIG_NLS_CODEPAGE_869=m
CONFIG_NLS_CODEPAGE_936=m
CONFIG_NLS_CODEPAGE_950=m
CONFIG_NLS_CODEPAGE_932=m
CONFIG_NLS_CODEPAGE_949=m
CONFIG_NLS_CODEPAGE_874=m
CONFIG_NLS_ISO8859_8=m
CONFIG_NLS_CODEPAGE_1250=m
CONFIG_NLS_CODEPAGE_1251=m
CONFIG_NLS_ASCII=y
CONFIG_NLS_ISO8859_1=m
CONFIG_NLS_ISO8859_2=m
CONFIG_NLS_ISO8859_3=m
CONFIG_NLS_ISO8859_4=m
CONFIG_NLS_ISO8859_5=m
CONFIG_NLS_ISO8859_6=m
CONFIG_NLS_ISO8859_7=m
CONFIG_NLS_ISO8859_9=m
CONFIG_NLS_ISO8859_13=m
CONFIG_NLS_ISO8859_14=m
CONFIG_NLS_ISO8859_15=m
CONFIG_NLS_KOI8_R=m
CONFIG_NLS_KOI8_U=m
CONFIG_NLS_MAC_ROMAN=m
CONFIG_NLS_MAC_CELTIC=m
CONFIG_NLS_MAC_CENTEURO=m
CONFIG_NLS_MAC_CROATIAN=m
CONFIG_NLS_MAC_CYRILLIC=m
CONFIG_NLS_MAC_GAELIC=m
CONFIG_NLS_MAC_GREEK=m
CONFIG_NLS_MAC_ICELAND=m
CONFIG_NLS_MAC_INUIT=m
CONFIG_NLS_MAC_ROMANIAN=m
CONFIG_NLS_MAC_TURKISH=m
CONFIG_NLS_UTF8=m
CONFIG_DLM=m
CONFIG_DLM_DEBUG=y

#
# Kernel hacking
#
CONFIG_TRACE_IRQFLAGS_SUPPORT=y
CONFIG_PRINTK_TIME=y
CONFIG_DEFAULT_MESSAGE_LOGLEVEL=4
# CONFIG_ENABLE_WARN_DEPRECATED is not set
CONFIG_ENABLE_MUST_CHECK=y
CONFIG_FRAME_WARN=2048
CONFIG_MAGIC_SYSRQ=y
CONFIG_STRIP_ASM_SYMS=y
# CONFIG_READABLE_ASM is not set
CONFIG_UNUSED_SYMBOLS=y
CONFIG_DEBUG_FS=y
CONFIG_HEADERS_CHECK=y
# CONFIG_DEBUG_SECTION_MISMATCH is not set
CONFIG_DEBUG_KERNEL=y
CONFIG_DEBUG_SHIRQ=y
CONFIG_LOCKUP_DETECTOR=y
CONFIG_HARDLOCKUP_DETECTOR=y
# CONFIG_BOOTPARAM_HARDLOCKUP_PANIC is not set
CONFIG_BOOTPARAM_HARDLOCKUP_PANIC_VALUE=0
# CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC is not set
CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC_VALUE=0
# CONFIG_PANIC_ON_OOPS is not set
CONFIG_PANIC_ON_OOPS_VALUE=0
# CONFIG_DETECT_HUNG_TASK is not set
CONFIG_SCHED_DEBUG=y
CONFIG_SCHEDSTATS=y
CONFIG_TIMER_STATS=y
# CONFIG_DEBUG_OBJECTS is not set
# CONFIG_SLUB_DEBUG_ON is not set
# CONFIG_SLUB_STATS is not set
CONFIG_HAVE_DEBUG_KMEMLEAK=y
# CONFIG_DEBUG_KMEMLEAK is not set
# CONFIG_DEBUG_RT_MUTEXES is not set
# CONFIG_RT_MUTEX_TESTER is not set
# CONFIG_DEBUG_SPINLOCK is not set
# CONFIG_DEBUG_MUTEXES is not set
# CONFIG_DEBUG_LOCK_ALLOC is not set
# CONFIG_PROVE_LOCKING is not set
CONFIG_SPARSE_RCU_POINTER=y
# CONFIG_LOCK_STAT is not set
# CONFIG_DEBUG_ATOMIC_SLEEP is not set
# CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set
CONFIG_STACKTRACE=y
# CONFIG_DEBUG_STACK_USAGE is not set
# CONFIG_DEBUG_KOBJECT is not set
CONFIG_DEBUG_BUGVERBOSE=y
CONFIG_DEBUG_INFO=y
# CONFIG_DEBUG_INFO_REDUCED is not set
CONFIG_DEBUG_VM=y
# CONFIG_DEBUG_VM_RB is not set
# CONFIG_DEBUG_VIRTUAL is not set
# CONFIG_DEBUG_WRITECOUNT is not set
CONFIG_DEBUG_MEMORY_INIT=y
CONFIG_DEBUG_LIST=y
# CONFIG_TEST_LIST_SORT is not set
# CONFIG_DEBUG_SG is not set
# CONFIG_DEBUG_NOTIFIERS is not set
# CONFIG_DEBUG_CREDENTIALS is not set
CONFIG_ARCH_WANT_FRAME_POINTERS=y
CONFIG_FRAME_POINTER=y
CONFIG_BOOT_PRINTK_DELAY=y
# CONFIG_RCU_TORTURE_TEST is not set
CONFIG_RCU_CPU_STALL_TIMEOUT=60
# CONFIG_RCU_CPU_STALL_INFO is not set
# CONFIG_RCU_TRACE is not set
# CONFIG_KPROBES_SANITY_TEST is not set
# CONFIG_BACKTRACE_SELF_TEST is not set
# CONFIG_DEBUG_BLOCK_EXT_DEVT is not set
# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set
# CONFIG_DEBUG_PER_CPU_MAPS is not set
# CONFIG_LKDTM is not set
# CONFIG_NOTIFIER_ERROR_INJECTION is not set
# CONFIG_FAULT_INJECTION is not set
CONFIG_LATENCYTOP=y
# CONFIG_DEBUG_PAGEALLOC is not set
CONFIG_USER_STACKTRACE_SUPPORT=y
CONFIG_NOP_TRACER=y
CONFIG_HAVE_FUNCTION_TRACER=y
CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y
CONFIG_HAVE_FUNCTION_GRAPH_FP_TEST=y
CONFIG_HAVE_FUNCTION_TRACE_MCOUNT_TEST=y
CONFIG_HAVE_DYNAMIC_FTRACE=y
CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y
CONFIG_HAVE_SYSCALL_TRACEPOINTS=y
CONFIG_HAVE_FENTRY=y
CONFIG_HAVE_C_RECORDMCOUNT=y
CONFIG_TRACER_MAX_TRACE=y
CONFIG_TRACE_CLOCK=y
CONFIG_RING_BUFFER=y
CONFIG_EVENT_TRACING=y
CONFIG_EVENT_POWER_TRACING_DEPRECATED=y
CONFIG_CONTEXT_SWITCH_TRACER=y
CONFIG_RING_BUFFER_ALLOW_SWAP=y
CONFIG_TRACING=y
CONFIG_GENERIC_TRACER=y
CONFIG_TRACING_SUPPORT=y
CONFIG_FTRACE=y
CONFIG_FUNCTION_TRACER=y
CONFIG_FUNCTION_GRAPH_TRACER=y
# CONFIG_IRQSOFF_TRACER is not set
CONFIG_SCHED_TRACER=y
CONFIG_FTRACE_SYSCALLS=y
CONFIG_BRANCH_PROFILE_NONE=y
# CONFIG_PROFILE_ANNOTATED_BRANCHES is not set
# CONFIG_PROFILE_ALL_BRANCHES is not set
CONFIG_STACK_TRACER=y
CONFIG_BLK_DEV_IO_TRACE=y
CONFIG_KPROBE_EVENT=y
CONFIG_UPROBE_EVENT=y
CONFIG_PROBE_EVENTS=y
CONFIG_DYNAMIC_FTRACE=y
CONFIG_FUNCTION_PROFILER=y
CONFIG_FTRACE_MCOUNT_RECORD=y
# CONFIG_FTRACE_STARTUP_TEST is not set
# CONFIG_MMIOTRACE is not set
CONFIG_RING_BUFFER_BENCHMARK=m
# CONFIG_RBTREE_TEST is not set
# CONFIG_INTERVAL_TREE_TEST is not set
CONFIG_PROVIDE_OHCI1394_DMA_INIT=y
# CONFIG_FIREWIRE_OHCI_REMOTE_DMA is not set
CONFIG_BUILD_DOCSRC=y
CONFIG_DYNAMIC_DEBUG=y
# CONFIG_DMA_API_DEBUG is not set
CONFIG_ATOMIC64_SELFTEST=y
CONFIG_ASYNC_RAID6_TEST=m
# CONFIG_SAMPLES is not set
CONFIG_HAVE_ARCH_KGDB=y
CONFIG_KGDB=y
CONFIG_KGDB_SERIAL_CONSOLE=y
CONFIG_KGDB_TESTS=y
# CONFIG_KGDB_TESTS_ON_BOOT is not set
CONFIG_KGDB_LOW_LEVEL_TRAP=y
CONFIG_KGDB_KDB=y
CONFIG_KDB_KEYBOARD=y
CONFIG_HAVE_ARCH_KMEMCHECK=y
CONFIG_TEST_KSTRTOX=y
CONFIG_STRICT_DEVMEM=y
# CONFIG_X86_VERBOSE_BOOTUP is not set
CONFIG_EARLY_PRINTK=y
CONFIG_EARLY_PRINTK_DBGP=y
CONFIG_DEBUG_STACKOVERFLOW=y
# CONFIG_X86_PTDUMP is not set
CONFIG_DEBUG_RODATA=y
CONFIG_DEBUG_RODATA_TEST=y
CONFIG_DEBUG_SET_MODULE_RONX=y
CONFIG_DEBUG_NX_TEST=m
# CONFIG_DEBUG_TLBFLUSH is not set
# CONFIG_IOMMU_DEBUG is not set
# CONFIG_IOMMU_STRESS is not set
CONFIG_HAVE_MMIOTRACE_SUPPORT=y
CONFIG_X86_DECODER_SELFTEST=y
CONFIG_IO_DELAY_TYPE_0X80=0
CONFIG_IO_DELAY_TYPE_0XED=1
CONFIG_IO_DELAY_TYPE_UDELAY=2
CONFIG_IO_DELAY_TYPE_NONE=3
CONFIG_IO_DELAY_0X80=y
# CONFIG_IO_DELAY_0XED is not set
# CONFIG_IO_DELAY_UDELAY is not set
# CONFIG_IO_DELAY_NONE is not set
CONFIG_DEFAULT_IO_DELAY_TYPE=0
CONFIG_DEBUG_BOOT_PARAMS=y
# CONFIG_CPA_DEBUG is not set
CONFIG_OPTIMIZE_INLINING=y
# CONFIG_DEBUG_STRICT_USER_COPY_CHECKS is not set
# CONFIG_DEBUG_NMI_SELFTEST is not set

#
# Security options
#
CONFIG_KEYS=y
CONFIG_TRUSTED_KEYS=m
CONFIG_ENCRYPTED_KEYS=m
CONFIG_KEYS_DEBUG_PROC_KEYS=y
# CONFIG_SECURITY_DMESG_RESTRICT is not set
CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_NETWORK_XFRM=y
# CONFIG_SECURITY_PATH is not set
CONFIG_INTEL_TXT=y
# CONFIG_SECURITY_SELINUX is not set
CONFIG_SECURITY_SMACK=y
# CONFIG_SECURITY_TOMOYO is not set
# CONFIG_SECURITY_APPARMOR is not set
# CONFIG_SECURITY_YAMA is not set
# CONFIG_IMA is not set
CONFIG_DEFAULT_SECURITY_SMACK=y
# CONFIG_DEFAULT_SECURITY_DAC is not set
CONFIG_DEFAULT_SECURITY="smack"
CONFIG_XOR_BLOCKS=m
CONFIG_ASYNC_CORE=m
CONFIG_ASYNC_MEMCPY=m
CONFIG_ASYNC_XOR=m
CONFIG_ASYNC_PQ=m
CONFIG_ASYNC_RAID6_RECOV=m
CONFIG_ASYNC_TX_DISABLE_PQ_VAL_DMA=y
CONFIG_ASYNC_TX_DISABLE_XOR_VAL_DMA=y
CONFIG_CRYPTO=y

#
# Crypto core or helper
#
CONFIG_CRYPTO_FIPS=y
CONFIG_CRYPTO_ALGAPI=y
CONFIG_CRYPTO_ALGAPI2=y
CONFIG_CRYPTO_AEAD=y
CONFIG_CRYPTO_AEAD2=y
CONFIG_CRYPTO_BLKCIPHER=y
CONFIG_CRYPTO_BLKCIPHER2=y
CONFIG_CRYPTO_HASH=y
CONFIG_CRYPTO_HASH2=y
CONFIG_CRYPTO_RNG=y
CONFIG_CRYPTO_RNG2=y
CONFIG_CRYPTO_PCOMP=m
CONFIG_CRYPTO_PCOMP2=y
CONFIG_CRYPTO_MANAGER=y
CONFIG_CRYPTO_MANAGER2=y
CONFIG_CRYPTO_USER=m
# CONFIG_CRYPTO_MANAGER_DISABLE_TESTS is not set
CONFIG_CRYPTO_GF128MUL=y
CONFIG_CRYPTO_NULL=m
CONFIG_CRYPTO_PCRYPT=m
CONFIG_CRYPTO_WORKQUEUE=y
CONFIG_CRYPTO_CRYPTD=y
CONFIG_CRYPTO_AUTHENC=m
CONFIG_CRYPTO_TEST=m
CONFIG_CRYPTO_ABLK_HELPER_X86=y
CONFIG_CRYPTO_GLUE_HELPER_X86=m

#
# Authenticated Encryption with Associated Data
#
CONFIG_CRYPTO_CCM=m
CONFIG_CRYPTO_GCM=m
CONFIG_CRYPTO_SEQIV=y

#
# Block modes
#
CONFIG_CRYPTO_CBC=y
CONFIG_CRYPTO_CTR=y
CONFIG_CRYPTO_CTS=m
CONFIG_CRYPTO_ECB=y
CONFIG_CRYPTO_LRW=y
CONFIG_CRYPTO_PCBC=m
CONFIG_CRYPTO_XTS=y

#
# Hash modes
#
CONFIG_CRYPTO_HMAC=y
CONFIG_CRYPTO_XCBC=m
CONFIG_CRYPTO_VMAC=m

#
# Digest
#
CONFIG_CRYPTO_CRC32C=y
CONFIG_CRYPTO_CRC32C_INTEL=m
CONFIG_CRYPTO_GHASH=m
CONFIG_CRYPTO_MD4=m
CONFIG_CRYPTO_MD5=y
CONFIG_CRYPTO_MICHAEL_MIC=m
CONFIG_CRYPTO_RMD128=m
CONFIG_CRYPTO_RMD160=m
CONFIG_CRYPTO_RMD256=m
CONFIG_CRYPTO_RMD320=m
CONFIG_CRYPTO_SHA1=y
CONFIG_CRYPTO_SHA1_SSSE3=m
CONFIG_CRYPTO_SHA256=y
CONFIG_CRYPTO_SHA512=m
CONFIG_CRYPTO_TGR192=m
CONFIG_CRYPTO_WP512=m
CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL=m

#
# Ciphers
#
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_AES_X86_64=y
CONFIG_CRYPTO_AES_NI_INTEL=y
CONFIG_CRYPTO_ANUBIS=m
CONFIG_CRYPTO_ARC4=m
CONFIG_CRYPTO_BLOWFISH=m
CONFIG_CRYPTO_BLOWFISH_COMMON=m
CONFIG_CRYPTO_BLOWFISH_X86_64=m
CONFIG_CRYPTO_CAMELLIA=m
CONFIG_CRYPTO_CAMELLIA_X86_64=m
CONFIG_CRYPTO_CAST5=m
# CONFIG_CRYPTO_CAST5_AVX_X86_64 is not set
CONFIG_CRYPTO_CAST6=m
# CONFIG_CRYPTO_CAST6_AVX_X86_64 is not set
CONFIG_CRYPTO_DES=m
CONFIG_CRYPTO_FCRYPT=m
CONFIG_CRYPTO_KHAZAD=m
CONFIG_CRYPTO_SALSA20=m
CONFIG_CRYPTO_SALSA20_X86_64=m
CONFIG_CRYPTO_SEED=m
CONFIG_CRYPTO_SERPENT=m
CONFIG_CRYPTO_SERPENT_SSE2_X86_64=m
CONFIG_CRYPTO_SERPENT_AVX_X86_64=m
CONFIG_CRYPTO_TEA=m
CONFIG_CRYPTO_TWOFISH=m
CONFIG_CRYPTO_TWOFISH_COMMON=m
CONFIG_CRYPTO_TWOFISH_X86_64=m
CONFIG_CRYPTO_TWOFISH_X86_64_3WAY=m
CONFIG_CRYPTO_TWOFISH_AVX_X86_64=m

#
# Compression
#
CONFIG_CRYPTO_DEFLATE=m
CONFIG_CRYPTO_ZLIB=m
CONFIG_CRYPTO_LZO=m

#
# Random Number Generation
#
CONFIG_CRYPTO_ANSI_CPRNG=m
CONFIG_CRYPTO_USER_API=y
CONFIG_CRYPTO_USER_API_HASH=y
CONFIG_CRYPTO_USER_API_SKCIPHER=y
CONFIG_CRYPTO_HW=y
CONFIG_CRYPTO_DEV_PADLOCK=m
CONFIG_CRYPTO_DEV_PADLOCK_AES=m
CONFIG_CRYPTO_DEV_PADLOCK_SHA=m
# CONFIG_ASYMMETRIC_KEY_TYPE is not set
CONFIG_HAVE_KVM=y
CONFIG_HAVE_KVM_IRQCHIP=y
CONFIG_HAVE_KVM_EVENTFD=y
CONFIG_KVM_APIC_ARCHITECTURE=y
CONFIG_KVM_MMIO=y
CONFIG_KVM_ASYNC_PF=y
CONFIG_HAVE_KVM_MSI=y
CONFIG_HAVE_KVM_CPU_RELAX_INTERCEPT=y
CONFIG_VIRTUALIZATION=y
CONFIG_KVM=m
CONFIG_KVM_INTEL=m
CONFIG_KVM_AMD=m
CONFIG_KVM_MMU_AUDIT=y
CONFIG_VHOST_NET=m
CONFIG_TCM_VHOST=m
CONFIG_BINARY_PRINTF=y

#
# Library routines
#
CONFIG_RAID6_PQ=m
CONFIG_BITREVERSE=y
CONFIG_GENERIC_STRNCPY_FROM_USER=y
CONFIG_GENERIC_STRNLEN_USER=y
CONFIG_GENERIC_FIND_FIRST_BIT=y
CONFIG_GENERIC_PCI_IOMAP=y
CONFIG_GENERIC_IOMAP=y
CONFIG_GENERIC_IO=y
CONFIG_CRC_CCITT=m
CONFIG_CRC16=y
CONFIG_CRC_T10DIF=y
CONFIG_CRC_ITU_T=m
CONFIG_CRC32=y
# CONFIG_CRC32_SELFTEST is not set
CONFIG_CRC32_SLICEBY8=y
# CONFIG_CRC32_SLICEBY4 is not set
# CONFIG_CRC32_SARWATE is not set
# CONFIG_CRC32_BIT is not set
# CONFIG_CRC7 is not set
CONFIG_LIBCRC32C=m
CONFIG_CRC8=m
CONFIG_ZLIB_INFLATE=y
CONFIG_ZLIB_DEFLATE=m
CONFIG_LZO_COMPRESS=y
CONFIG_LZO_DECOMPRESS=y
CONFIG_XZ_DEC=y
CONFIG_XZ_DEC_X86=y
CONFIG_XZ_DEC_POWERPC=y
CONFIG_XZ_DEC_IA64=y
CONFIG_XZ_DEC_ARM=y
CONFIG_XZ_DEC_ARMTHUMB=y
CONFIG_XZ_DEC_SPARC=y
CONFIG_XZ_DEC_BCJ=y
# CONFIG_XZ_DEC_TEST is not set
CONFIG_DECOMPRESS_GZIP=y
CONFIG_DECOMPRESS_BZIP2=y
CONFIG_DECOMPRESS_LZMA=y
CONFIG_DECOMPRESS_XZ=y
CONFIG_DECOMPRESS_LZO=y
CONFIG_GENERIC_ALLOCATOR=y
CONFIG_REED_SOLOMON=m
CONFIG_REED_SOLOMON_ENC8=y
CONFIG_REED_SOLOMON_DEC8=y
CONFIG_TEXTSEARCH=y
CONFIG_TEXTSEARCH_KMP=m
CONFIG_TEXTSEARCH_BM=m
CONFIG_TEXTSEARCH_FSM=m
CONFIG_BTREE=y
CONFIG_HAS_IOMEM=y
CONFIG_HAS_IOPORT=y
CONFIG_HAS_DMA=y
CONFIG_CHECK_SIGNATURE=y
CONFIG_CPU_RMAP=y
CONFIG_DQL=y
CONFIG_NLATTR=y
CONFIG_ARCH_HAS_ATOMIC64_DEC_IF_POSITIVE=y
CONFIG_LRU_CACHE=m
CONFIG_AVERAGE=y
CONFIG_CORDIC=m
# CONFIG_DDR is not set

Re: Labeled NFS [v5]

[Casey Schaufler]

On 11/28/2012 6:08 PM, Casey Schaufler wrote:
> On 11/28/2012 5:14 PM, Dave Quigley wrote:
>> On 11/28/2012 1:57 PM, Casey Schaufler wrote:
>>> On 11/20/2012 7:28 PM, Dave Quigley wrote:
>>>> On 11/20/2012 9:52 PM, Casey Schaufler wrote:
>>>>> On 11/20/2012 4:37 PM, Dave Quigley wrote:
>>>>>> ...
>>>>>>
>>>>>>
>>>>>> Or I could just give you this link and you should be good to go ;)
>>>>>>
>>>>>> http://www.selinuxproject.org/~dpquigl/nfs-utils-rpms/
>>>>>>
>>>>>> I haven't tried it but it should work. If it doesn't let me know and
>>>>>> i'll try to fix it on my end. I'd imagine you might need to yum
>>>>>> remove
>>>>>> nfs-utils first before adding this new one or you could also try an
>>>>>> rpm with the upgrade flag for this instead. Good luck.
>>> ...
>>>
>>>
>>> I've tried on Fedora17 and Ubuntu12.04, and I'm getting the
>>> attached stack trace on mount. After mounting I'm getting
>>> denials when I should, but also when I shouldn't.
>>>
>>> I've tried tracking down the issue, but there's a lot going on
>>> that I don't find obvious. I added a dentry_init hook just for
>>> grins, but it's not getting called.
>>>
>>> .
>>>
>>>
>> Any chance of you throwing a kickstart file my way that's configured
>> with SMACK so I can use it for a test box (both server and client)? I
>> can have the guys working with me test for SMACK as well if you
>> provide an appropriate test harness and image for testing.
> I've attached the .config from my Fedora17 machine. Who knows, maybe
> I got something wrong there. I get the error doing the test on the
> loopback interface (mount -t nfs4 localhist:/ /mnt).

I've done some instrumentation and security_ismaclabel() is getting
called with "selinux", but never "SMACK64". I would guess that somewhere
in the tools you're telling the kernel to expect "selinux". Where is
that, so that I can tell it to try "SMACK64" instead?

Re: Labeled NFS [v5]

[Casey Schaufler]

On 11/28/2012 6:08 PM, Casey Schaufler wrote:
> On 11/28/2012 5:14 PM, Dave Quigley wrote:
>> On 11/28/2012 1:57 PM, Casey Schaufler wrote:
>>> On 11/20/2012 7:28 PM, Dave Quigley wrote:
>>>> On 11/20/2012 9:52 PM, Casey Schaufler wrote:
>>>>> On 11/20/2012 4:37 PM, Dave Quigley wrote:
>>>>>> ...
>>>>>>
>>>>>>
>>>>>> Or I could just give you this link and you should be good to go ;)
>>>>>>
>>>>>> http://www.selinuxproject.org/~dpquigl/nfs-utils-rpms/
>>>>>>
>>>>>> I haven't tried it but it should work. If it doesn't let me know and
>>>>>> i'll try to fix it on my end. I'd imagine you might need to yum
>>>>>> remove
>>>>>> nfs-utils first before adding this new one or you could also try an
>>>>>> rpm with the upgrade flag for this instead. Good luck.
>>> ...
>>>
>>>
>>> I've tried on Fedora17 and Ubuntu12.04, and I'm getting the
>>> attached stack trace on mount. After mounting I'm getting
>>> denials when I should, but also when I shouldn't.
>>>
>>> I've tried tracking down the issue, but there's a lot going on
>>> that I don't find obvious. I added a dentry_init hook just for
>>> grins, but it's not getting called.
>>>
>>> .
>>>
>>>
>> Any chance of you throwing a kickstart file my way that's configured
>> with SMACK so I can use it for a test box (both server and client)? I
>> can have the guys working with me test for SMACK as well if you
>> provide an appropriate test harness and image for testing.
> I've attached the .config from my Fedora17 machine. Who knows, maybe
> I got something wrong there. I get the error doing the test on the
> loopback interface (mount -t nfs4 localhist:/ /mnt).

I've done some instrumentation and security_ismaclabel() is getting
called with "selinux", but never "SMACK64". I would guess that somewhere
in the tools you're telling the kernel to expect "selinux". Where is
that, so that I can tell it to try "SMACK64" instead?



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Labeled NFS [v5]

[David Quigley]

I have an idea of what it is then. I'm cloning the tree so I can take a 
look really quick but I have a feeling that I didn't convey something 
properly and it got messed up in the implementation. If that's the case 
I'll make sure to be clearer next time to avoid confusion.

Re: Labeled NFS [v5]

[David Quigley]

I have an idea of what it is then. I'm cloning the tree so I can take a 
look really quick but I have a feeling that I didn't convey something 
properly and it got messed up in the implementation. If that's the case 
I'll make sure to be clearer next time to avoid confusion.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Labeled NFS [v5]

[David Quigley]

On 11/29/2012 17:49, David Quigley wrote:
> I have an idea of what it is then. I'm cloning the tree so I can take
> a look really quick but I have a feeling that I didn't convey
> something properly and it got messed up in the implementation. If
> that's the case I'll make sure to be clearer next time to avoid
> confusion.
>
> --
> This message was distributed to subscribers of the selinux mailing 
> list.
> If you no longer wish to subscribe, send mail to 
> majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.


So the problem isn't clear to me. If we look in fs/nfs/nfs4proc.c we'll 
see the xattr handlers for the security namespace. This will strip off 
the security and should pass the second part to the security_ismaclabel 
call on the key.

The code in question is below.


static int nfs4_xattr_get_nfs4_label(struct dentry *dentry, const char 
*key,
                                    void *buf, size_t buflen, int type)
{
         if (security_ismaclabel(key))
                 return nfs4_get_security_label(dentry->d_inode, buf, 
buflen);
         return -EOPNOTSUPP;
}

This means whatever is making the getxattr call from userspace is 
requesting security.selinux instead of security.smack. Is there a 
different command to ls that will give you security.smack (or whatever 
it is)? what happens if you install getfattr and do getfattr -n 
security.whatever -m security.* /mnt/file

Re: Labeled NFS [v5]

[David Quigley]

On 11/29/2012 17:49, David Quigley wrote:
> I have an idea of what it is then. I'm cloning the tree so I can take
> a look really quick but I have a feeling that I didn't convey
> something properly and it got messed up in the implementation. If
> that's the case I'll make sure to be clearer next time to avoid
> confusion.
>
> --
> This message was distributed to subscribers of the selinux mailing 
> list.
> If you no longer wish to subscribe, send mail to 
> majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.


So the problem isn't clear to me. If we look in fs/nfs/nfs4proc.c we'll 
see the xattr handlers for the security namespace. This will strip off 
the security and should pass the second part to the security_ismaclabel 
call on the key.

The code in question is below.


static int nfs4_xattr_get_nfs4_label(struct dentry *dentry, const char 
*key,
                                    void *buf, size_t buflen, int type)
{
         if (security_ismaclabel(key))
                 return nfs4_get_security_label(dentry->d_inode, buf, 
buflen);
         return -EOPNOTSUPP;
}

This means whatever is making the getxattr call from userspace is 
requesting security.selinux instead of security.smack. Is there a 
different command to ls that will give you security.smack (or whatever 
it is)? what happens if you install getfattr and do getfattr -n 
security.whatever -m security.* /mnt/file


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Labeled NFS [v5]

[David Quigley]

On 11/29/2012 17:28, Casey Schaufler wrote:
> On 11/28/2012 6:08 PM, Casey Schaufler wrote:
>> On 11/28/2012 5:14 PM, Dave Quigley wrote:
>>> On 11/28/2012 1:57 PM, Casey Schaufler wrote:
>>>> On 11/20/2012 7:28 PM, Dave Quigley wrote:
>>>>> On 11/20/2012 9:52 PM, Casey Schaufler wrote:
>>>>>> On 11/20/2012 4:37 PM, Dave Quigley wrote:
>>>>>>> ...
>>>>>>>
>>>>>>>
>>>>>>> Or I could just give you this link and you should be good to go 
>>>>>>> ;)
>>>>>>>
>>>>>>> http://www.selinuxproject.org/~dpquigl/nfs-utils-rpms/
>>>>>>>
>>>>>>> I haven't tried it but it should work. If it doesn't let me 
>>>>>>> know and
>>>>>>> i'll try to fix it on my end. I'd imagine you might need to yum
>>>>>>> remove
>>>>>>> nfs-utils first before adding this new one or you could also 
>>>>>>> try an
>>>>>>> rpm with the upgrade flag for this instead. Good luck.
>>>> ...
>>>>
>>>>
>>>> I've tried on Fedora17 and Ubuntu12.04, and I'm getting the
>>>> attached stack trace on mount. After mounting I'm getting
>>>> denials when I should, but also when I shouldn't.
>>>>
>>>> I've tried tracking down the issue, but there's a lot going on
>>>> that I don't find obvious. I added a dentry_init hook just for
>>>> grins, but it's not getting called.
>>>>
>>>> .
>>>>
>>>>
>>> Any chance of you throwing a kickstart file my way that's 
>>> configured
>>> with SMACK so I can use it for a test box (both server and client)? 
>>> I
>>> can have the guys working with me test for SMACK as well if you
>>> provide an appropriate test harness and image for testing.
>> I've attached the .config from my Fedora17 machine. Who knows, maybe
>> I got something wrong there. I get the error doing the test on the
>> loopback interface (mount -t nfs4 localhist:/ /mnt).
>
> I've done some instrumentation and security_ismaclabel() is getting
> called with "selinux", but never "SMACK64". I would guess that 
> somewhere
> in the tools you're telling the kernel to expect "selinux". Where is
> that, so that I can tell it to try "SMACK64" instead?
>
>
>
> --
> This message was distributed to subscribers of the selinux mailing 
> list.
> If you no longer wish to subscribe, send mail to 
> majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.


What tools do you use in SMACK to see the labels? Do you just use 
getxattr? If so can you try calling that and seeing what happens? I'm 
concerned that you aren't getting any attribute information on that 
file. Do you have a disto that I can use that has full smack integration 
and is easy to setup?

Dave

Re: Labeled NFS [v5]

[David Quigley]

On 11/29/2012 17:28, Casey Schaufler wrote:
> On 11/28/2012 6:08 PM, Casey Schaufler wrote:
>> On 11/28/2012 5:14 PM, Dave Quigley wrote:
>>> On 11/28/2012 1:57 PM, Casey Schaufler wrote:
>>>> On 11/20/2012 7:28 PM, Dave Quigley wrote:
>>>>> On 11/20/2012 9:52 PM, Casey Schaufler wrote:
>>>>>> On 11/20/2012 4:37 PM, Dave Quigley wrote:
>>>>>>> ...
>>>>>>>
>>>>>>>
>>>>>>> Or I could just give you this link and you should be good to go 
>>>>>>> ;)
>>>>>>>
>>>>>>> http://www.selinuxproject.org/~dpquigl/nfs-utils-rpms/
>>>>>>>
>>>>>>> I haven't tried it but it should work. If it doesn't let me 
>>>>>>> know and
>>>>>>> i'll try to fix it on my end. I'd imagine you might need to yum
>>>>>>> remove
>>>>>>> nfs-utils first before adding this new one or you could also 
>>>>>>> try an
>>>>>>> rpm with the upgrade flag for this instead. Good luck.
>>>> ...
>>>>
>>>>
>>>> I've tried on Fedora17 and Ubuntu12.04, and I'm getting the
>>>> attached stack trace on mount. After mounting I'm getting
>>>> denials when I should, but also when I shouldn't.
>>>>
>>>> I've tried tracking down the issue, but there's a lot going on
>>>> that I don't find obvious. I added a dentry_init hook just for
>>>> grins, but it's not getting called.
>>>>
>>>> .
>>>>
>>>>
>>> Any chance of you throwing a kickstart file my way that's 
>>> configured
>>> with SMACK so I can use it for a test box (both server and client)? 
>>> I
>>> can have the guys working with me test for SMACK as well if you
>>> provide an appropriate test harness and image for testing.
>> I've attached the .config from my Fedora17 machine. Who knows, maybe
>> I got something wrong there. I get the error doing the test on the
>> loopback interface (mount -t nfs4 localhist:/ /mnt).
>
> I've done some instrumentation and security_ismaclabel() is getting
> called with "selinux", but never "SMACK64". I would guess that 
> somewhere
> in the tools you're telling the kernel to expect "selinux". Where is
> that, so that I can tell it to try "SMACK64" instead?
>
>
>
> --
> This message was distributed to subscribers of the selinux mailing 
> list.
> If you no longer wish to subscribe, send mail to 
> majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.


What tools do you use in SMACK to see the labels? Do you just use 
getxattr? If so can you try calling that and seeing what happens? I'm 
concerned that you aren't getting any attribute information on that 
file. Do you have a disto that I can use that has full smack integration 
and is easy to setup?

Dave

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Labeled NFS [v5]

[Casey Schaufler]

On 11/29/2012 4:07 PM, David Quigley wrote:
> On 11/29/2012 17:28, Casey Schaufler wrote:
>> On 11/28/2012 6:08 PM, Casey Schaufler wrote:
>>> On 11/28/2012 5:14 PM, Dave Quigley wrote:
>>>> On 11/28/2012 1:57 PM, Casey Schaufler wrote:
>>>>> On 11/20/2012 7:28 PM, Dave Quigley wrote:
>>>>>> On 11/20/2012 9:52 PM, Casey Schaufler wrote:
>>>>>>> On 11/20/2012 4:37 PM, Dave Quigley wrote:
>>>>>>>> ...
>>>>>>>>
>>>>>>>>
>>>>>>>> Or I could just give you this link and you should be good to go ;)
>>>>>>>>
>>>>>>>> http://www.selinuxproject.org/~dpquigl/nfs-utils-rpms/
>>>>>>>>
>>>>>>>> I haven't tried it but it should work. If it doesn't let me
>>>>>>>> know and
>>>>>>>> i'll try to fix it on my end. I'd imagine you might need to yum
>>>>>>>> remove
>>>>>>>> nfs-utils first before adding this new one or you could also
>>>>>>>> try an
>>>>>>>> rpm with the upgrade flag for this instead. Good luck.
>>>>> ...
>>>>>
>>>>>
>>>>> I've tried on Fedora17 and Ubuntu12.04, and I'm getting the
>>>>> attached stack trace on mount. After mounting I'm getting
>>>>> denials when I should, but also when I shouldn't.
>>>>>
>>>>> I've tried tracking down the issue, but there's a lot going on
>>>>> that I don't find obvious. I added a dentry_init hook just for
>>>>> grins, but it's not getting called.
>>>>>
>>>>> .
>>>>>
>>>>>
>>>> Any chance of you throwing a kickstart file my way that's configured
>>>> with SMACK so I can use it for a test box (both server and client)? I
>>>> can have the guys working with me test for SMACK as well if you
>>>> provide an appropriate test harness and image for testing.
>>> I've attached the .config from my Fedora17 machine. Who knows, maybe
>>> I got something wrong there. I get the error doing the test on the
>>> loopback interface (mount -t nfs4 localhist:/ /mnt).
>>
>> I've done some instrumentation and security_ismaclabel() is getting
>> called with "selinux", but never "SMACK64". I would guess that somewhere
>> in the tools you're telling the kernel to expect "selinux". Where is
>> that, so that I can tell it to try "SMACK64" instead?
>>
>>
>>
>> -- 
>> This message was distributed to subscribers of the selinux mailing list.
>> If you no longer wish to subscribe, send mail to
>> majordomo@tycho.nsa.gov with
>> the words "unsubscribe selinux" without quotes as the message.
>
>
> What tools do you use in SMACK to see the labels?

attr -S -g SMACK64 <path>

> Do you just use getxattr? If so can you try calling that and seeing
> what happens? I'm concerned that you aren't getting any attribute
> information on that file.

I would think that were it not for the case that access is denied
and I get an audit record for nfsd that reports a subject label of "_"
(which is correct for nfsd but not the process attempting access) and
an object label of "WhooHoo", which is correct. The server side
looks like it might be working right, given the information that it
has.

> Do you have a disto that I can use that has full smack integration and
> is easy to setup?

There's no full integration, but Ubuntu is easy to set up because they
compile in all the LSMs.
Set "security=smack" on the boot line in grub.cfg and reboot.

All processes and files will get the floor ("_") label unless you change
one. You can change
a file label with:
     # attr -S -s SMACK64 WhooHoo path
or execute at a different label with:
    # (echo WhooHoo > /proc/self/attr/current ; command)


>
> Dave
> -- 
> To unsubscribe from this list: send the line "unsubscribe
> linux-security-module" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

Re: Labeled NFS [v5]

[Casey Schaufler]

On 11/29/2012 4:07 PM, David Quigley wrote:
> On 11/29/2012 17:28, Casey Schaufler wrote:
>> On 11/28/2012 6:08 PM, Casey Schaufler wrote:
>>> On 11/28/2012 5:14 PM, Dave Quigley wrote:
>>>> On 11/28/2012 1:57 PM, Casey Schaufler wrote:
>>>>> On 11/20/2012 7:28 PM, Dave Quigley wrote:
>>>>>> On 11/20/2012 9:52 PM, Casey Schaufler wrote:
>>>>>>> On 11/20/2012 4:37 PM, Dave Quigley wrote:
>>>>>>>> ...
>>>>>>>>
>>>>>>>>
>>>>>>>> Or I could just give you this link and you should be good to go ;)
>>>>>>>>
>>>>>>>> http://www.selinuxproject.org/~dpquigl/nfs-utils-rpms/
>>>>>>>>
>>>>>>>> I haven't tried it but it should work. If it doesn't let me
>>>>>>>> know and
>>>>>>>> i'll try to fix it on my end. I'd imagine you might need to yum
>>>>>>>> remove
>>>>>>>> nfs-utils first before adding this new one or you could also
>>>>>>>> try an
>>>>>>>> rpm with the upgrade flag for this instead. Good luck.
>>>>> ...
>>>>>
>>>>>
>>>>> I've tried on Fedora17 and Ubuntu12.04, and I'm getting the
>>>>> attached stack trace on mount. After mounting I'm getting
>>>>> denials when I should, but also when I shouldn't.
>>>>>
>>>>> I've tried tracking down the issue, but there's a lot going on
>>>>> that I don't find obvious. I added a dentry_init hook just for
>>>>> grins, but it's not getting called.
>>>>>
>>>>> .
>>>>>
>>>>>
>>>> Any chance of you throwing a kickstart file my way that's configured
>>>> with SMACK so I can use it for a test box (both server and client)? I
>>>> can have the guys working with me test for SMACK as well if you
>>>> provide an appropriate test harness and image for testing.
>>> I've attached the .config from my Fedora17 machine. Who knows, maybe
>>> I got something wrong there. I get the error doing the test on the
>>> loopback interface (mount -t nfs4 localhist:/ /mnt).
>>
>> I've done some instrumentation and security_ismaclabel() is getting
>> called with "selinux", but never "SMACK64". I would guess that somewhere
>> in the tools you're telling the kernel to expect "selinux". Where is
>> that, so that I can tell it to try "SMACK64" instead?
>>
>>
>>
>> -- 
>> This message was distributed to subscribers of the selinux mailing list.
>> If you no longer wish to subscribe, send mail to
>> majordomo@tycho.nsa.gov with
>> the words "unsubscribe selinux" without quotes as the message.
>
>
> What tools do you use in SMACK to see the labels?

attr -S -g SMACK64 <path>

> Do you just use getxattr? If so can you try calling that and seeing
> what happens? I'm concerned that you aren't getting any attribute
> information on that file.

I would think that were it not for the case that access is denied
and I get an audit record for nfsd that reports a subject label of "_"
(which is correct for nfsd but not the process attempting access) and
an object label of "WhooHoo", which is correct. The server side
looks like it might be working right, given the information that it
has.

> Do you have a disto that I can use that has full smack integration and
> is easy to setup?

There's no full integration, but Ubuntu is easy to set up because they
compile in all the LSMs.
Set "security=smack" on the boot line in grub.cfg and reboot.

All processes and files will get the floor ("_") label unless you change
one. You can change
a file label with:
     # attr -S -s SMACK64 WhooHoo path
or execute at a different label with:
    # (echo WhooHoo > /proc/self/attr/current ; command)


>
> Dave
> -- 
> To unsubscribe from this list: send the line "unsubscribe
> linux-security-module" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Labeled NFS [v5]

[David Quigley]

On 11/29/2012 19:34, Casey Schaufler wrote:
> On 11/29/2012 4:07 PM, David Quigley wrote:
>> On 11/29/2012 17:28, Casey Schaufler wrote:
>>> On 11/28/2012 6:08 PM, Casey Schaufler wrote:
>>>> On 11/28/2012 5:14 PM, Dave Quigley wrote:
>>>>> On 11/28/2012 1:57 PM, Casey Schaufler wrote:
>>>>>> On 11/20/2012 7:28 PM, Dave Quigley wrote:
>>>>>>> On 11/20/2012 9:52 PM, Casey Schaufler wrote:
>>>>>>>> On 11/20/2012 4:37 PM, Dave Quigley wrote:
>>>>>>>>> ...
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Or I could just give you this link and you should be good to 
>>>>>>>>> go ;)
>>>>>>>>>
>>>>>>>>> http://www.selinuxproject.org/~dpquigl/nfs-utils-rpms/
>>>>>>>>>
>>>>>>>>> I haven't tried it but it should work. If it doesn't let me
>>>>>>>>> know and
>>>>>>>>> i'll try to fix it on my end. I'd imagine you might need to 
>>>>>>>>> yum
>>>>>>>>> remove
>>>>>>>>> nfs-utils first before adding this new one or you could also
>>>>>>>>> try an
>>>>>>>>> rpm with the upgrade flag for this instead. Good luck.
>>>>>> ...
>>>>>>
>>>>>>
>>>>>> I've tried on Fedora17 and Ubuntu12.04, and I'm getting the
>>>>>> attached stack trace on mount. After mounting I'm getting
>>>>>> denials when I should, but also when I shouldn't.
>>>>>>
>>>>>> I've tried tracking down the issue, but there's a lot going on
>>>>>> that I don't find obvious. I added a dentry_init hook just for
>>>>>> grins, but it's not getting called.
>>>>>>
>>>>>> .
>>>>>>
>>>>>>
>>>>> Any chance of you throwing a kickstart file my way that's 
>>>>> configured
>>>>> with SMACK so I can use it for a test box (both server and 
>>>>> client)? I
>>>>> can have the guys working with me test for SMACK as well if you
>>>>> provide an appropriate test harness and image for testing.
>>>> I've attached the .config from my Fedora17 machine. Who knows, 
>>>> maybe
>>>> I got something wrong there. I get the error doing the test on the
>>>> loopback interface (mount -t nfs4 localhist:/ /mnt).
>>>
>>> I've done some instrumentation and security_ismaclabel() is getting
>>> called with "selinux", but never "SMACK64". I would guess that 
>>> somewhere
>>> in the tools you're telling the kernel to expect "selinux". Where 
>>> is
>>> that, so that I can tell it to try "SMACK64" instead?
>>>
>>>
>>>
>>> --
>>> This message was distributed to subscribers of the selinux mailing 
>>> list.
>>> If you no longer wish to subscribe, send mail to
>>> majordomo@tycho.nsa.gov with
>>> the words "unsubscribe selinux" without quotes as the message.
>>
>>
>> What tools do you use in SMACK to see the labels?
>
> attr -S -g SMACK64 <path>

ok so that seems to work for SELinux as well. Never knew about that. 
I'd always just rip the xattr out of the inode with getfattr.


>
>> Do you just use getxattr? If so can you try calling that and seeing
>> what happens? I'm concerned that you aren't getting any attribute
>> information on that file.
>
> I would think that were it not for the case that access is denied
> and I get an audit record for nfsd that reports a subject label of 
> "_"
> (which is correct for nfsd but not the process attempting access) and
> an object label of "WhooHoo", which is correct. The server side
> looks like it might be working right, given the information that it
> has.
>

Ok so this is the problem. nfsd is a kernel thread I believe. In 
SELinux land it has the type kernel_t which is all powerful. We don't 
have client label transport yet (That requires RPCSECGSSv3). Is there a 
way you can have that kernel thread running as a type that has access to 
everything? I think that is the current problem. Which makes perfect 
sense. If your kernel threads don't get started with max privilege then 
the server would be denied access on all of the file attributes and 
wouldn't be able to ship it over the wire properly. I'm not sure what 
you need to do but you'll probably have to work this out. We have a 
usage mode in the IETF spec which has a non-mac enforcing server which 
still support object labeling. In the SELinux case it works for us since 
kernel_t can access anything. Ideally when RPCSECGSSv3 is finished and 
merged we'll be able to choose whether to use the label of the process 
on the client side or kernel_t for the server if its not available.

>> Do you have a disto that I can use that has full smack integration 
>> and
>> is easy to setup?
>
> There's no full integration, but Ubuntu is easy to set up because 
> they
> compile in all the LSMs.
> Set "security=smack" on the boot line in grub.cfg and reboot.
>
> All processes and files will get the floor ("_") label unless you 
> change
> one. You can change
> a file label with:
>      # attr -S -s SMACK64 WhooHoo path
> or execute at a different label with:
>     # (echo WhooHoo > /proc/self/attr/current ; command)
>

I'm not out of here until really late tonight so getting an Ubuntu VM 
setup probably won't happen until sometime next week when everything 
calms down. However I think we isolated the problem above. If I'm 
correct this is strictly a smack labeling problem. I don't know if you 
need to put some code into smack to init kernel threads with a more 
powerful label or not so I'll leave it up to you on how to address this.


Dave

Re: Labeled NFS [v5]

[David Quigley]

On 11/29/2012 19:34, Casey Schaufler wrote:
> On 11/29/2012 4:07 PM, David Quigley wrote:
>> On 11/29/2012 17:28, Casey Schaufler wrote:
>>> On 11/28/2012 6:08 PM, Casey Schaufler wrote:
>>>> On 11/28/2012 5:14 PM, Dave Quigley wrote:
>>>>> On 11/28/2012 1:57 PM, Casey Schaufler wrote:
>>>>>> On 11/20/2012 7:28 PM, Dave Quigley wrote:
>>>>>>> On 11/20/2012 9:52 PM, Casey Schaufler wrote:
>>>>>>>> On 11/20/2012 4:37 PM, Dave Quigley wrote:
>>>>>>>>> ...
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Or I could just give you this link and you should be good to 
>>>>>>>>> go ;)
>>>>>>>>>
>>>>>>>>> http://www.selinuxproject.org/~dpquigl/nfs-utils-rpms/
>>>>>>>>>
>>>>>>>>> I haven't tried it but it should work. If it doesn't let me
>>>>>>>>> know and
>>>>>>>>> i'll try to fix it on my end. I'd imagine you might need to 
>>>>>>>>> yum
>>>>>>>>> remove
>>>>>>>>> nfs-utils first before adding this new one or you could also
>>>>>>>>> try an
>>>>>>>>> rpm with the upgrade flag for this instead. Good luck.
>>>>>> ...
>>>>>>
>>>>>>
>>>>>> I've tried on Fedora17 and Ubuntu12.04, and I'm getting the
>>>>>> attached stack trace on mount. After mounting I'm getting
>>>>>> denials when I should, but also when I shouldn't.
>>>>>>
>>>>>> I've tried tracking down the issue, but there's a lot going on
>>>>>> that I don't find obvious. I added a dentry_init hook just for
>>>>>> grins, but it's not getting called.
>>>>>>
>>>>>> .
>>>>>>
>>>>>>
>>>>> Any chance of you throwing a kickstart file my way that's 
>>>>> configured
>>>>> with SMACK so I can use it for a test box (both server and 
>>>>> client)? I
>>>>> can have the guys working with me test for SMACK as well if you
>>>>> provide an appropriate test harness and image for testing.
>>>> I've attached the .config from my Fedora17 machine. Who knows, 
>>>> maybe
>>>> I got something wrong there. I get the error doing the test on the
>>>> loopback interface (mount -t nfs4 localhist:/ /mnt).
>>>
>>> I've done some instrumentation and security_ismaclabel() is getting
>>> called with "selinux", but never "SMACK64". I would guess that 
>>> somewhere
>>> in the tools you're telling the kernel to expect "selinux". Where 
>>> is
>>> that, so that I can tell it to try "SMACK64" instead?
>>>
>>>
>>>
>>> --
>>> This message was distributed to subscribers of the selinux mailing 
>>> list.
>>> If you no longer wish to subscribe, send mail to
>>> majordomo@tycho.nsa.gov with
>>> the words "unsubscribe selinux" without quotes as the message.
>>
>>
>> What tools do you use in SMACK to see the labels?
>
> attr -S -g SMACK64 <path>

ok so that seems to work for SELinux as well. Never knew about that. 
I'd always just rip the xattr out of the inode with getfattr.


>
>> Do you just use getxattr? If so can you try calling that and seeing
>> what happens? I'm concerned that you aren't getting any attribute
>> information on that file.
>
> I would think that were it not for the case that access is denied
> and I get an audit record for nfsd that reports a subject label of 
> "_"
> (which is correct for nfsd but not the process attempting access) and
> an object label of "WhooHoo", which is correct. The server side
> looks like it might be working right, given the information that it
> has.
>

Ok so this is the problem. nfsd is a kernel thread I believe. In 
SELinux land it has the type kernel_t which is all powerful. We don't 
have client label transport yet (That requires RPCSECGSSv3). Is there a 
way you can have that kernel thread running as a type that has access to 
everything? I think that is the current problem. Which makes perfect 
sense. If your kernel threads don't get started with max privilege then 
the server would be denied access on all of the file attributes and 
wouldn't be able to ship it over the wire properly. I'm not sure what 
you need to do but you'll probably have to work this out. We have a 
usage mode in the IETF spec which has a non-mac enforcing server which 
still support object labeling. In the SELinux case it works for us since 
kernel_t can access anything. Ideally when RPCSECGSSv3 is finished and 
merged we'll be able to choose whether to use the label of the process 
on the client side or kernel_t for the server if its not available.

>> Do you have a disto that I can use that has full smack integration 
>> and
>> is easy to setup?
>
> There's no full integration, but Ubuntu is easy to set up because 
> they
> compile in all the LSMs.
> Set "security=smack" on the boot line in grub.cfg and reboot.
>
> All processes and files will get the floor ("_") label unless you 
> change
> one. You can change
> a file label with:
>      # attr -S -s SMACK64 WhooHoo path
> or execute at a different label with:
>     # (echo WhooHoo > /proc/self/attr/current ; command)
>

I'm not out of here until really late tonight so getting an Ubuntu VM 
setup probably won't happen until sometime next week when everything 
calms down. However I think we isolated the problem above. If I'm 
correct this is strictly a smack labeling problem. I don't know if you 
need to put some code into smack to init kernel threads with a more 
powerful label or not so I'll leave it up to you on how to address this.


Dave

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Labeled NFS [v5]

[Casey Schaufler]

On 11/29/2012 4:46 PM, David Quigley wrote:
> On 11/29/2012 19:34, Casey Schaufler wrote:
>> On 11/29/2012 4:07 PM, David Quigley wrote:
>>> On 11/29/2012 17:28, Casey Schaufler wrote:
>>>> On 11/28/2012 6:08 PM, Casey Schaufler wrote:
>>>>> On 11/28/2012 5:14 PM, Dave Quigley wrote:
>>>>>> On 11/28/2012 1:57 PM, Casey Schaufler wrote:
>>>>>>> On 11/20/2012 7:28 PM, Dave Quigley wrote:
>>>>>>>> On 11/20/2012 9:52 PM, Casey Schaufler wrote:
>>>>>>>>> On 11/20/2012 4:37 PM, Dave Quigley wrote:
>>>>>>>>>> ...
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Or I could just give you this link and you should be good to
>>>>>>>>>> go ;)
>>>>>>>>>>
>>>>>>>>>> http://www.selinuxproject.org/~dpquigl/nfs-utils-rpms/
>>>>>>>>>>
>>>>>>>>>> I haven't tried it but it should work. If it doesn't let me
>>>>>>>>>> know and
>>>>>>>>>> i'll try to fix it on my end. I'd imagine you might need to yum
>>>>>>>>>> remove
>>>>>>>>>> nfs-utils first before adding this new one or you could also
>>>>>>>>>> try an
>>>>>>>>>> rpm with the upgrade flag for this instead. Good luck.
>>>>>>> ...
>>>>>>>
>>>>>>>
>>>>>>> I've tried on Fedora17 and Ubuntu12.04, and I'm getting the
>>>>>>> attached stack trace on mount. After mounting I'm getting
>>>>>>> denials when I should, but also when I shouldn't.
>>>>>>>
>>>>>>> I've tried tracking down the issue, but there's a lot going on
>>>>>>> that I don't find obvious. I added a dentry_init hook just for
>>>>>>> grins, but it's not getting called.
>>>>>>>
>>>>>>> .
>>>>>>>
>>>>>>>
>>>>>> Any chance of you throwing a kickstart file my way that's configured
>>>>>> with SMACK so I can use it for a test box (both server and
>>>>>> client)? I
>>>>>> can have the guys working with me test for SMACK as well if you
>>>>>> provide an appropriate test harness and image for testing.
>>>>> I've attached the .config from my Fedora17 machine. Who knows, maybe
>>>>> I got something wrong there. I get the error doing the test on the
>>>>> loopback interface (mount -t nfs4 localhist:/ /mnt).
>>>>
>>>> I've done some instrumentation and security_ismaclabel() is getting
>>>> called with "selinux", but never "SMACK64". I would guess that
>>>> somewhere
>>>> in the tools you're telling the kernel to expect "selinux". Where is
>>>> that, so that I can tell it to try "SMACK64" instead?
>>>>
>>>>
>>>>
>>>> -- 
>>>> This message was distributed to subscribers of the selinux mailing
>>>> list.
>>>> If you no longer wish to subscribe, send mail to
>>>> majordomo@tycho.nsa.gov with
>>>> the words "unsubscribe selinux" without quotes as the message.
>>>
>>>
>>> What tools do you use in SMACK to see the labels?
>>
>> attr -S -g SMACK64 <path>
>
> ok so that seems to work for SELinux as well. Never knew about that.
> I'd always just rip the xattr out of the inode with getfattr.
>
>
>>
>>> Do you just use getxattr? If so can you try calling that and seeing
>>> what happens? I'm concerned that you aren't getting any attribute
>>> information on that file.
>>
>> I would think that were it not for the case that access is denied
>> and I get an audit record for nfsd that reports a subject label of "_"
>> (which is correct for nfsd but not the process attempting access) and
>> an object label of "WhooHoo", which is correct. The server side
>> looks like it might be working right, given the information that it
>> has.
>>
>
> Ok so this is the problem. nfsd is a kernel thread I believe. In
> SELinux land it has the type kernel_t which is all powerful. We don't
> have client label transport yet (That requires RPCSECGSSv3). Is there
> a way you can have that kernel thread running as a type that has
> access to everything?

That would be having CAP_MAC_ADMIN and CAP_MAC_OVERRIDE in Smackese.
Looking at /proc/<pid-of-nfsd>/status we see CapEff of fff...fff which
is to say, all capabilities.
 

> I think that is the current problem. Which makes perfect sense. If
> your kernel threads don't get started with max privilege then the
> server would be denied access on all of the file attributes and
> wouldn't be able to ship it over the wire properly.

OK. I haven't had to do anything with kernel threads so far.
Where is NFS setting these up? Poking around fs/nfsd looks like
the place, but I haven't seen anything there that makes it look
like they would be running without capabilities. Clearly, that's
what I'm seeing. It looks as if the credential of nfsd does not
match what /proc reports. Bother.


> I'm not sure what you need to do but you'll probably have to work this
> out. We have a usage mode in the IETF spec which has a non-mac
> enforcing server which still support object labeling. In the SELinux
> case it works for us since kernel_t can access anything. Ideally when
> RPCSECGSSv3 is finished and merged we'll be able to choose whether to
> use the label of the process on the client side or kernel_t for the
> server if its not available.
>
>>> Do you have a disto that I can use that has full smack integration and
>>> is easy to setup?
>>
>> There's no full integration, but Ubuntu is easy to set up because they
>> compile in all the LSMs.
>> Set "security=smack" on the boot line in grub.cfg and reboot.
>>
>> All processes and files will get the floor ("_") label unless you change
>> one. You can change
>> a file label with:
>>      # attr -S -s SMACK64 WhooHoo path
>> or execute at a different label with:
>>     # (echo WhooHoo > /proc/self/attr/current ; command)
>>
>
> I'm not out of here until really late tonight so getting an Ubuntu VM
> setup probably won't happen until sometime next week when everything
> calms down. However I think we isolated the problem above. If I'm
> correct this is strictly a smack labeling problem. I don't know if you
> need to put some code into smack to init kernel threads with a more
> powerful label or not so I'll leave it up to you on how to address this.
>
>
> Dave
>

Re: Labeled NFS [v5]

[Casey Schaufler]

On 11/29/2012 4:46 PM, David Quigley wrote:
> On 11/29/2012 19:34, Casey Schaufler wrote:
>> On 11/29/2012 4:07 PM, David Quigley wrote:
>>> On 11/29/2012 17:28, Casey Schaufler wrote:
>>>> On 11/28/2012 6:08 PM, Casey Schaufler wrote:
>>>>> On 11/28/2012 5:14 PM, Dave Quigley wrote:
>>>>>> On 11/28/2012 1:57 PM, Casey Schaufler wrote:
>>>>>>> On 11/20/2012 7:28 PM, Dave Quigley wrote:
>>>>>>>> On 11/20/2012 9:52 PM, Casey Schaufler wrote:
>>>>>>>>> On 11/20/2012 4:37 PM, Dave Quigley wrote:
>>>>>>>>>> ...
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Or I could just give you this link and you should be good to
>>>>>>>>>> go ;)
>>>>>>>>>>
>>>>>>>>>> http://www.selinuxproject.org/~dpquigl/nfs-utils-rpms/
>>>>>>>>>>
>>>>>>>>>> I haven't tried it but it should work. If it doesn't let me
>>>>>>>>>> know and
>>>>>>>>>> i'll try to fix it on my end. I'd imagine you might need to yum
>>>>>>>>>> remove
>>>>>>>>>> nfs-utils first before adding this new one or you could also
>>>>>>>>>> try an
>>>>>>>>>> rpm with the upgrade flag for this instead. Good luck.
>>>>>>> ...
>>>>>>>
>>>>>>>
>>>>>>> I've tried on Fedora17 and Ubuntu12.04, and I'm getting the
>>>>>>> attached stack trace on mount. After mounting I'm getting
>>>>>>> denials when I should, but also when I shouldn't.
>>>>>>>
>>>>>>> I've tried tracking down the issue, but there's a lot going on
>>>>>>> that I don't find obvious. I added a dentry_init hook just for
>>>>>>> grins, but it's not getting called.
>>>>>>>
>>>>>>> .
>>>>>>>
>>>>>>>
>>>>>> Any chance of you throwing a kickstart file my way that's configured
>>>>>> with SMACK so I can use it for a test box (both server and
>>>>>> client)? I
>>>>>> can have the guys working with me test for SMACK as well if you
>>>>>> provide an appropriate test harness and image for testing.
>>>>> I've attached the .config from my Fedora17 machine. Who knows, maybe
>>>>> I got something wrong there. I get the error doing the test on the
>>>>> loopback interface (mount -t nfs4 localhist:/ /mnt).
>>>>
>>>> I've done some instrumentation and security_ismaclabel() is getting
>>>> called with "selinux", but never "SMACK64". I would guess that
>>>> somewhere
>>>> in the tools you're telling the kernel to expect "selinux". Where is
>>>> that, so that I can tell it to try "SMACK64" instead?
>>>>
>>>>
>>>>
>>>> -- 
>>>> This message was distributed to subscribers of the selinux mailing
>>>> list.
>>>> If you no longer wish to subscribe, send mail to
>>>> majordomo@tycho.nsa.gov with
>>>> the words "unsubscribe selinux" without quotes as the message.
>>>
>>>
>>> What tools do you use in SMACK to see the labels?
>>
>> attr -S -g SMACK64 <path>
>
> ok so that seems to work for SELinux as well. Never knew about that.
> I'd always just rip the xattr out of the inode with getfattr.
>
>
>>
>>> Do you just use getxattr? If so can you try calling that and seeing
>>> what happens? I'm concerned that you aren't getting any attribute
>>> information on that file.
>>
>> I would think that were it not for the case that access is denied
>> and I get an audit record for nfsd that reports a subject label of "_"
>> (which is correct for nfsd but not the process attempting access) and
>> an object label of "WhooHoo", which is correct. The server side
>> looks like it might be working right, given the information that it
>> has.
>>
>
> Ok so this is the problem. nfsd is a kernel thread I believe. In
> SELinux land it has the type kernel_t which is all powerful. We don't
> have client label transport yet (That requires RPCSECGSSv3). Is there
> a way you can have that kernel thread running as a type that has
> access to everything?

That would be having CAP_MAC_ADMIN and CAP_MAC_OVERRIDE in Smackese.
Looking at /proc/<pid-of-nfsd>/status we see CapEff of fff...fff which
is to say, all capabilities.
 

> I think that is the current problem. Which makes perfect sense. If
> your kernel threads don't get started with max privilege then the
> server would be denied access on all of the file attributes and
> wouldn't be able to ship it over the wire properly.

OK. I haven't had to do anything with kernel threads so far.
Where is NFS setting these up? Poking around fs/nfsd looks like
the place, but I haven't seen anything there that makes it look
like they would be running without capabilities. Clearly, that's
what I'm seeing. It looks as if the credential of nfsd does not
match what /proc reports. Bother.


> I'm not sure what you need to do but you'll probably have to work this
> out. We have a usage mode in the IETF spec which has a non-mac
> enforcing server which still support object labeling. In the SELinux
> case it works for us since kernel_t can access anything. Ideally when
> RPCSECGSSv3 is finished and merged we'll be able to choose whether to
> use the label of the process on the client side or kernel_t for the
> server if its not available.
>
>>> Do you have a disto that I can use that has full smack integration and
>>> is easy to setup?
>>
>> There's no full integration, but Ubuntu is easy to set up because they
>> compile in all the LSMs.
>> Set "security=smack" on the boot line in grub.cfg and reboot.
>>
>> All processes and files will get the floor ("_") label unless you change
>> one. You can change
>> a file label with:
>>      # attr -S -s SMACK64 WhooHoo path
>> or execute at a different label with:
>>     # (echo WhooHoo > /proc/self/attr/current ; command)
>>
>
> I'm not out of here until really late tonight so getting an Ubuntu VM
> setup probably won't happen until sometime next week when everything
> calms down. However I think we isolated the problem above. If I'm
> correct this is strictly a smack labeling problem. I don't know if you
> need to put some code into smack to init kernel threads with a more
> powerful label or not so I'll leave it up to you on how to address this.
>
>
> Dave
>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Labeled NFS [v5]

[David Quigley]

On 11/29/2012 20:50, Casey Schaufler wrote:
> On 11/29/2012 4:46 PM, David Quigley wrote:
>> On 11/29/2012 19:34, Casey Schaufler wrote:
>>> On 11/29/2012 4:07 PM, David Quigley wrote:
>>>> On 11/29/2012 17:28, Casey Schaufler wrote:
>>>>> On 11/28/2012 6:08 PM, Casey Schaufler wrote:
>>>>>> On 11/28/2012 5:14 PM, Dave Quigley wrote:
>>>>>>> On 11/28/2012 1:57 PM, Casey Schaufler wrote:
>>>>>>>> On 11/20/2012 7:28 PM, Dave Quigley wrote:
>>>>>>>>> On 11/20/2012 9:52 PM, Casey Schaufler wrote:
>>>>>>>>>> On 11/20/2012 4:37 PM, Dave Quigley wrote:
>>>>>>>>>>> ...
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Or I could just give you this link and you should be good 
>>>>>>>>>>> to
>>>>>>>>>>> go ;)
>>>>>>>>>>>
>>>>>>>>>>> http://www.selinuxproject.org/~dpquigl/nfs-utils-rpms/
>>>>>>>>>>>
>>>>>>>>>>> I haven't tried it but it should work. If it doesn't let me
>>>>>>>>>>> know and
>>>>>>>>>>> i'll try to fix it on my end. I'd imagine you might need to 
>>>>>>>>>>> yum
>>>>>>>>>>> remove
>>>>>>>>>>> nfs-utils first before adding this new one or you could 
>>>>>>>>>>> also
>>>>>>>>>>> try an
>>>>>>>>>>> rpm with the upgrade flag for this instead. Good luck.
>>>>>>>> ...
>>>>>>>>
>>>>>>>>
>>>>>>>> I've tried on Fedora17 and Ubuntu12.04, and I'm getting the
>>>>>>>> attached stack trace on mount. After mounting I'm getting
>>>>>>>> denials when I should, but also when I shouldn't.
>>>>>>>>
>>>>>>>> I've tried tracking down the issue, but there's a lot going on
>>>>>>>> that I don't find obvious. I added a dentry_init hook just for
>>>>>>>> grins, but it's not getting called.
>>>>>>>>
>>>>>>>> .
>>>>>>>>
>>>>>>>>
>>>>>>> Any chance of you throwing a kickstart file my way that's 
>>>>>>> configured
>>>>>>> with SMACK so I can use it for a test box (both server and
>>>>>>> client)? I
>>>>>>> can have the guys working with me test for SMACK as well if you
>>>>>>> provide an appropriate test harness and image for testing.
>>>>>> I've attached the .config from my Fedora17 machine. Who knows, 
>>>>>> maybe
>>>>>> I got something wrong there. I get the error doing the test on 
>>>>>> the
>>>>>> loopback interface (mount -t nfs4 localhist:/ /mnt).
>>>>>
>>>>> I've done some instrumentation and security_ismaclabel() is 
>>>>> getting
>>>>> called with "selinux", but never "SMACK64". I would guess that
>>>>> somewhere
>>>>> in the tools you're telling the kernel to expect "selinux". Where 
>>>>> is
>>>>> that, so that I can tell it to try "SMACK64" instead?
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> This message was distributed to subscribers of the selinux 
>>>>> mailing
>>>>> list.
>>>>> If you no longer wish to subscribe, send mail to
>>>>> majordomo@tycho.nsa.gov with
>>>>> the words "unsubscribe selinux" without quotes as the message.
>>>>
>>>>
>>>> What tools do you use in SMACK to see the labels?
>>>
>>> attr -S -g SMACK64 <path>
>>
>> ok so that seems to work for SELinux as well. Never knew about that.
>> I'd always just rip the xattr out of the inode with getfattr.
>>
>>
>>>
>>>> Do you just use getxattr? If so can you try calling that and 
>>>> seeing
>>>> what happens? I'm concerned that you aren't getting any attribute
>>>> information on that file.
>>>
>>> I would think that were it not for the case that access is denied
>>> and I get an audit record for nfsd that reports a subject label of 
>>> "_"
>>> (which is correct for nfsd but not the process attempting access) 
>>> and
>>> an object label of "WhooHoo", which is correct. The server side
>>> looks like it might be working right, given the information that it
>>> has.
>>>
>>
>> Ok so this is the problem. nfsd is a kernel thread I believe. In
>> SELinux land it has the type kernel_t which is all powerful. We 
>> don't
>> have client label transport yet (That requires RPCSECGSSv3). Is 
>> there
>> a way you can have that kernel thread running as a type that has
>> access to everything?
>
> That would be having CAP_MAC_ADMIN and CAP_MAC_OVERRIDE in Smackese.
> Looking at /proc/<pid-of-nfsd>/status we see CapEff of fff...fff 
> which
> is to say, all capabilities.
>

Hmm thats interesting then. You could try using rpcdebug -m nfsd to 
turn on some of the debugging to look around the internals and figure 
out whats going on. If you pass -v it will give you all of the potential 
flags.

>
>> I think that is the current problem. Which makes perfect sense. If
>> your kernel threads don't get started with max privilege then the
>> server would be denied access on all of the file attributes and
>> wouldn't be able to ship it over the wire properly.
>
> OK. I haven't had to do anything with kernel threads so far.
> Where is NFS setting these up? Poking around fs/nfsd looks like
> the place, but I haven't seen anything there that makes it look
> like they would be running without capabilities. Clearly, that's
> what I'm seeing. It looks as if the credential of nfsd does not
> match what /proc reports. Bother.
>

I'm not entirely sure whats up either. If you want to look for the NFSd 
threads they are in fs/nfsd/nfssvc.c. The main function starts on line 
487.

>
>> I'm not sure what you need to do but you'll probably have to work 
>> this
>> out. We have a usage mode in the IETF spec which has a non-mac
>> enforcing server which still support object labeling. In the SELinux
>> case it works for us since kernel_t can access anything. Ideally 
>> when
>> RPCSECGSSv3 is finished and merged we'll be able to choose whether 
>> to
>> use the label of the process on the client side or kernel_t for the
>> server if its not available.
>>
>>>> Do you have a disto that I can use that has full smack integration 
>>>> and
>>>> is easy to setup?
>>>
>>> There's no full integration, but Ubuntu is easy to set up because 
>>> they
>>> compile in all the LSMs.
>>> Set "security=smack" on the boot line in grub.cfg and reboot.
>>>
>>> All processes and files will get the floor ("_") label unless you 
>>> change
>>> one. You can change
>>> a file label with:
>>>      # attr -S -s SMACK64 WhooHoo path
>>> or execute at a different label with:
>>>     # (echo WhooHoo > /proc/self/attr/current ; command)
>>>
>>
>> I'm not out of here until really late tonight so getting an Ubuntu 
>> VM
>> setup probably won't happen until sometime next week when everything
>> calms down. However I think we isolated the problem above. If I'm
>> correct this is strictly a smack labeling problem. I don't know if 
>> you
>> need to put some code into smack to init kernel threads with a more
>> powerful label or not so I'll leave it up to you on how to address 
>> this.
>>
>>
>> Dave
>>

Re: Labeled NFS [v5]

[David Quigley]

On 11/29/2012 20:50, Casey Schaufler wrote:
> On 11/29/2012 4:46 PM, David Quigley wrote:
>> On 11/29/2012 19:34, Casey Schaufler wrote:
>>> On 11/29/2012 4:07 PM, David Quigley wrote:
>>>> On 11/29/2012 17:28, Casey Schaufler wrote:
>>>>> On 11/28/2012 6:08 PM, Casey Schaufler wrote:
>>>>>> On 11/28/2012 5:14 PM, Dave Quigley wrote:
>>>>>>> On 11/28/2012 1:57 PM, Casey Schaufler wrote:
>>>>>>>> On 11/20/2012 7:28 PM, Dave Quigley wrote:
>>>>>>>>> On 11/20/2012 9:52 PM, Casey Schaufler wrote:
>>>>>>>>>> On 11/20/2012 4:37 PM, Dave Quigley wrote:
>>>>>>>>>>> ...
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Or I could just give you this link and you should be good 
>>>>>>>>>>> to
>>>>>>>>>>> go ;)
>>>>>>>>>>>
>>>>>>>>>>> http://www.selinuxproject.org/~dpquigl/nfs-utils-rpms/
>>>>>>>>>>>
>>>>>>>>>>> I haven't tried it but it should work. If it doesn't let me
>>>>>>>>>>> know and
>>>>>>>>>>> i'll try to fix it on my end. I'd imagine you might need to 
>>>>>>>>>>> yum
>>>>>>>>>>> remove
>>>>>>>>>>> nfs-utils first before adding this new one or you could 
>>>>>>>>>>> also
>>>>>>>>>>> try an
>>>>>>>>>>> rpm with the upgrade flag for this instead. Good luck.
>>>>>>>> ...
>>>>>>>>
>>>>>>>>
>>>>>>>> I've tried on Fedora17 and Ubuntu12.04, and I'm getting the
>>>>>>>> attached stack trace on mount. After mounting I'm getting
>>>>>>>> denials when I should, but also when I shouldn't.
>>>>>>>>
>>>>>>>> I've tried tracking down the issue, but there's a lot going on
>>>>>>>> that I don't find obvious. I added a dentry_init hook just for
>>>>>>>> grins, but it's not getting called.
>>>>>>>>
>>>>>>>> .
>>>>>>>>
>>>>>>>>
>>>>>>> Any chance of you throwing a kickstart file my way that's 
>>>>>>> configured
>>>>>>> with SMACK so I can use it for a test box (both server and
>>>>>>> client)? I
>>>>>>> can have the guys working with me test for SMACK as well if you
>>>>>>> provide an appropriate test harness and image for testing.
>>>>>> I've attached the .config from my Fedora17 machine. Who knows, 
>>>>>> maybe
>>>>>> I got something wrong there. I get the error doing the test on 
>>>>>> the
>>>>>> loopback interface (mount -t nfs4 localhist:/ /mnt).
>>>>>
>>>>> I've done some instrumentation and security_ismaclabel() is 
>>>>> getting
>>>>> called with "selinux", but never "SMACK64". I would guess that
>>>>> somewhere
>>>>> in the tools you're telling the kernel to expect "selinux". Where 
>>>>> is
>>>>> that, so that I can tell it to try "SMACK64" instead?
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> This message was distributed to subscribers of the selinux 
>>>>> mailing
>>>>> list.
>>>>> If you no longer wish to subscribe, send mail to
>>>>> majordomo@tycho.nsa.gov with
>>>>> the words "unsubscribe selinux" without quotes as the message.
>>>>
>>>>
>>>> What tools do you use in SMACK to see the labels?
>>>
>>> attr -S -g SMACK64 <path>
>>
>> ok so that seems to work for SELinux as well. Never knew about that.
>> I'd always just rip the xattr out of the inode with getfattr.
>>
>>
>>>
>>>> Do you just use getxattr? If so can you try calling that and 
>>>> seeing
>>>> what happens? I'm concerned that you aren't getting any attribute
>>>> information on that file.
>>>
>>> I would think that were it not for the case that access is denied
>>> and I get an audit record for nfsd that reports a subject label of 
>>> "_"
>>> (which is correct for nfsd but not the process attempting access) 
>>> and
>>> an object label of "WhooHoo", which is correct. The server side
>>> looks like it might be working right, given the information that it
>>> has.
>>>
>>
>> Ok so this is the problem. nfsd is a kernel thread I believe. In
>> SELinux land it has the type kernel_t which is all powerful. We 
>> don't
>> have client label transport yet (That requires RPCSECGSSv3). Is 
>> there
>> a way you can have that kernel thread running as a type that has
>> access to everything?
>
> That would be having CAP_MAC_ADMIN and CAP_MAC_OVERRIDE in Smackese.
> Looking at /proc/<pid-of-nfsd>/status we see CapEff of fff...fff 
> which
> is to say, all capabilities.
>

Hmm thats interesting then. You could try using rpcdebug -m nfsd to 
turn on some of the debugging to look around the internals and figure 
out whats going on. If you pass -v it will give you all of the potential 
flags.

>
>> I think that is the current problem. Which makes perfect sense. If
>> your kernel threads don't get started with max privilege then the
>> server would be denied access on all of the file attributes and
>> wouldn't be able to ship it over the wire properly.
>
> OK. I haven't had to do anything with kernel threads so far.
> Where is NFS setting these up? Poking around fs/nfsd looks like
> the place, but I haven't seen anything there that makes it look
> like they would be running without capabilities. Clearly, that's
> what I'm seeing. It looks as if the credential of nfsd does not
> match what /proc reports. Bother.
>

I'm not entirely sure whats up either. If you want to look for the NFSd 
threads they are in fs/nfsd/nfssvc.c. The main function starts on line 
487.

>
>> I'm not sure what you need to do but you'll probably have to work 
>> this
>> out. We have a usage mode in the IETF spec which has a non-mac
>> enforcing server which still support object labeling. In the SELinux
>> case it works for us since kernel_t can access anything. Ideally 
>> when
>> RPCSECGSSv3 is finished and merged we'll be able to choose whether 
>> to
>> use the label of the process on the client side or kernel_t for the
>> server if its not available.
>>
>>>> Do you have a disto that I can use that has full smack integration 
>>>> and
>>>> is easy to setup?
>>>
>>> There's no full integration, but Ubuntu is easy to set up because 
>>> they
>>> compile in all the LSMs.
>>> Set "security=smack" on the boot line in grub.cfg and reboot.
>>>
>>> All processes and files will get the floor ("_") label unless you 
>>> change
>>> one. You can change
>>> a file label with:
>>>      # attr -S -s SMACK64 WhooHoo path
>>> or execute at a different label with:
>>>     # (echo WhooHoo > /proc/self/attr/current ; command)
>>>
>>
>> I'm not out of here until really late tonight so getting an Ubuntu 
>> VM
>> setup probably won't happen until sometime next week when everything
>> calms down. However I think we isolated the problem above. If I'm
>> correct this is strictly a smack labeling problem. I don't know if 
>> you
>> need to put some code into smack to init kernel threads with a more
>> powerful label or not so I'll leave it up to you on how to address 
>> this.
>>
>>
>> Dave
>>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Labeled NFS [v5]

[J. Bruce Fields]

On Thu, Nov 29, 2012 at 09:02:49PM -0500, David Quigley wrote:
> On 11/29/2012 20:50, Casey Schaufler wrote:
> >On 11/29/2012 4:46 PM, David Quigley wrote:
> >>On 11/29/2012 19:34, Casey Schaufler wrote:
> >>>I would think that were it not for the case that access is denied
> >>>and I get an audit record for nfsd that reports a subject
> >>>label of "_"
> >>>(which is correct for nfsd but not the process attempting
> >>>access) and
> >>>an object label of "WhooHoo", which is correct. The server side
> >>>looks like it might be working right, given the information that it
> >>>has.
> >>>
> >>
> >>Ok so this is the problem. nfsd is a kernel thread I believe. In
> >>SELinux land it has the type kernel_t which is all powerful. We
> >>don't
> >>have client label transport yet (That requires RPCSECGSSv3). Is
> >>there
> >>a way you can have that kernel thread running as a type that has
> >>access to everything?
> >
> >That would be having CAP_MAC_ADMIN and CAP_MAC_OVERRIDE in Smackese.
> >Looking at /proc/<pid-of-nfsd>/status we see CapEff of fff...fff
> >which
> >is to say, all capabilities.
> >
> 
> Hmm thats interesting then. You could try using rpcdebug -m nfsd to
> turn on some of the debugging to look around the internals and
> figure out whats going on. If you pass -v it will give you all of
> the potential flags.
> 
> >
> >>I think that is the current problem. Which makes perfect sense. If
> >>your kernel threads don't get started with max privilege then the
> >>server would be denied access on all of the file attributes and
> >>wouldn't be able to ship it over the wire properly.
> >
> >OK. I haven't had to do anything with kernel threads so far.
> >Where is NFS setting these up? Poking around fs/nfsd looks like
> >the place, but I haven't seen anything there that makes it look
> >like they would be running without capabilities. Clearly, that's
> >what I'm seeing. It looks as if the credential of nfsd does not
> >match what /proc reports. Bother.
> >
> 
> I'm not entirely sure whats up either. If you want to look for the
> NFSd threads they are in fs/nfsd/nfssvc.c. The main function starts
> on line 487.

I'm not following the discussion, but: maybe you want to look at
fs/nfsd/auth.c:nfsd_setuser() ?  In particular, the
cap_{drop/raise}_nfsd_set() calls at the end.

--b.

Re: Labeled NFS [v5]

[David Quigley]

On 11/30/2012 07:14, J. Bruce Fields wrote:
> On Thu, Nov 29, 2012 at 09:02:49PM -0500, David Quigley wrote:
>> On 11/29/2012 20:50, Casey Schaufler wrote:
>> >On 11/29/2012 4:46 PM, David Quigley wrote:
>> >>On 11/29/2012 19:34, Casey Schaufler wrote:
>> >>>I would think that were it not for the case that access is denied
>> >>>and I get an audit record for nfsd that reports a subject
>> >>>label of "_"
>> >>>(which is correct for nfsd but not the process attempting
>> >>>access) and
>> >>>an object label of "WhooHoo", which is correct. The server side
>> >>>looks like it might be working right, given the information that 
>> it
>> >>>has.
>> >>>
>> >>
>> >>Ok so this is the problem. nfsd is a kernel thread I believe. In
>> >>SELinux land it has the type kernel_t which is all powerful. We
>> >>don't
>> >>have client label transport yet (That requires RPCSECGSSv3). Is
>> >>there
>> >>a way you can have that kernel thread running as a type that has
>> >>access to everything?
>> >
>> >That would be having CAP_MAC_ADMIN and CAP_MAC_OVERRIDE in 
>> Smackese.
>> >Looking at /proc/<pid-of-nfsd>/status we see CapEff of fff...fff
>> >which
>> >is to say, all capabilities.
>> >
>>
>> Hmm thats interesting then. You could try using rpcdebug -m nfsd to
>> turn on some of the debugging to look around the internals and
>> figure out whats going on. If you pass -v it will give you all of
>> the potential flags.
>>
>> >
>> >>I think that is the current problem. Which makes perfect sense. If
>> >>your kernel threads don't get started with max privilege then the
>> >>server would be denied access on all of the file attributes and
>> >>wouldn't be able to ship it over the wire properly.
>> >
>> >OK. I haven't had to do anything with kernel threads so far.
>> >Where is NFS setting these up? Poking around fs/nfsd looks like
>> >the place, but I haven't seen anything there that makes it look
>> >like they would be running without capabilities. Clearly, that's
>> >what I'm seeing. It looks as if the credential of nfsd does not
>> >match what /proc reports. Bother.
>> >
>>
>> I'm not entirely sure whats up either. If you want to look for the
>> NFSd threads they are in fs/nfsd/nfssvc.c. The main function starts
>> on line 487.
>
> I'm not following the discussion, but: maybe you want to look at
> fs/nfsd/auth.c:nfsd_setuser() ?  In particular, the
> cap_{drop/raise}_nfsd_set() calls at the end.
>
> --b.


I'm not as familiar with the capabilities code as Casey is so I'll 
leave this ball in his court. I think you are correct though and the 
problem is that NFSd is dropping and raising caps and we need to make 
sure that MAC_ADMIN and MAC_OVERRIDE is in there in the SMACK case.

Re: Labeled NFS [v5]

[David Quigley]

On 11/30/2012 07:14, J. Bruce Fields wrote:
> On Thu, Nov 29, 2012 at 09:02:49PM -0500, David Quigley wrote:
>> On 11/29/2012 20:50, Casey Schaufler wrote:
>> >On 11/29/2012 4:46 PM, David Quigley wrote:
>> >>On 11/29/2012 19:34, Casey Schaufler wrote:
>> >>>I would think that were it not for the case that access is denied
>> >>>and I get an audit record for nfsd that reports a subject
>> >>>label of "_"
>> >>>(which is correct for nfsd but not the process attempting
>> >>>access) and
>> >>>an object label of "WhooHoo", which is correct. The server side
>> >>>looks like it might be working right, given the information that 
>> it
>> >>>has.
>> >>>
>> >>
>> >>Ok so this is the problem. nfsd is a kernel thread I believe. In
>> >>SELinux land it has the type kernel_t which is all powerful. We
>> >>don't
>> >>have client label transport yet (That requires RPCSECGSSv3). Is
>> >>there
>> >>a way you can have that kernel thread running as a type that has
>> >>access to everything?
>> >
>> >That would be having CAP_MAC_ADMIN and CAP_MAC_OVERRIDE in 
>> Smackese.
>> >Looking at /proc/<pid-of-nfsd>/status we see CapEff of fff...fff
>> >which
>> >is to say, all capabilities.
>> >
>>
>> Hmm thats interesting then. You could try using rpcdebug -m nfsd to
>> turn on some of the debugging to look around the internals and
>> figure out whats going on. If you pass -v it will give you all of
>> the potential flags.
>>
>> >
>> >>I think that is the current problem. Which makes perfect sense. If
>> >>your kernel threads don't get started with max privilege then the
>> >>server would be denied access on all of the file attributes and
>> >>wouldn't be able to ship it over the wire properly.
>> >
>> >OK. I haven't had to do anything with kernel threads so far.
>> >Where is NFS setting these up? Poking around fs/nfsd looks like
>> >the place, but I haven't seen anything there that makes it look
>> >like they would be running without capabilities. Clearly, that's
>> >what I'm seeing. It looks as if the credential of nfsd does not
>> >match what /proc reports. Bother.
>> >
>>
>> I'm not entirely sure whats up either. If you want to look for the
>> NFSd threads they are in fs/nfsd/nfssvc.c. The main function starts
>> on line 487.
>
> I'm not following the discussion, but: maybe you want to look at
> fs/nfsd/auth.c:nfsd_setuser() ?  In particular, the
> cap_{drop/raise}_nfsd_set() calls at the end.
>
> --b.


I'm not as familiar with the capabilities code as Casey is so I'll 
leave this ball in his court. I think you are correct though and the 
problem is that NFSd is dropping and raising caps and we need to make 
sure that MAC_ADMIN and MAC_OVERRIDE is in there in the SMACK case.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Labeled NFS [v5]

[David Quigley]

On 11/30/2012 07:57, David Quigley wrote:
> On 11/30/2012 07:14, J. Bruce Fields wrote:
>> On Thu, Nov 29, 2012 at 09:02:49PM -0500, David Quigley wrote:
>>> On 11/29/2012 20:50, Casey Schaufler wrote:
>>> >On 11/29/2012 4:46 PM, David Quigley wrote:
>>> >>On 11/29/2012 19:34, Casey Schaufler wrote:
>>> >>>I would think that were it not for the case that access is 
>>> denied
>>> >>>and I get an audit record for nfsd that reports a subject
>>> >>>label of "_"
>>> >>>(which is correct for nfsd but not the process attempting
>>> >>>access) and
>>> >>>an object label of "WhooHoo", which is correct. The server side
>>> >>>looks like it might be working right, given the information that 
>>> it
>>> >>>has.
>>> >>>
>>> >>
>>> >>Ok so this is the problem. nfsd is a kernel thread I believe. In
>>> >>SELinux land it has the type kernel_t which is all powerful. We
>>> >>don't
>>> >>have client label transport yet (That requires RPCSECGSSv3). Is
>>> >>there
>>> >>a way you can have that kernel thread running as a type that has
>>> >>access to everything?
>>> >
>>> >That would be having CAP_MAC_ADMIN and CAP_MAC_OVERRIDE in 
>>> Smackese.
>>> >Looking at /proc/<pid-of-nfsd>/status we see CapEff of fff...fff
>>> >which
>>> >is to say, all capabilities.
>>> >
>>>
>>> Hmm thats interesting then. You could try using rpcdebug -m nfsd to
>>> turn on some of the debugging to look around the internals and
>>> figure out whats going on. If you pass -v it will give you all of
>>> the potential flags.
>>>
>>> >
>>> >>I think that is the current problem. Which makes perfect sense. 
>>> If
>>> >>your kernel threads don't get started with max privilege then the
>>> >>server would be denied access on all of the file attributes and
>>> >>wouldn't be able to ship it over the wire properly.
>>> >
>>> >OK. I haven't had to do anything with kernel threads so far.
>>> >Where is NFS setting these up? Poking around fs/nfsd looks like
>>> >the place, but I haven't seen anything there that makes it look
>>> >like they would be running without capabilities. Clearly, that's
>>> >what I'm seeing. It looks as if the credential of nfsd does not
>>> >match what /proc reports. Bother.
>>> >
>>>
>>> I'm not entirely sure whats up either. If you want to look for the
>>> NFSd threads they are in fs/nfsd/nfssvc.c. The main function starts
>>> on line 487.
>>
>> I'm not following the discussion, but: maybe you want to look at
>> fs/nfsd/auth.c:nfsd_setuser() ?  In particular, the
>> cap_{drop/raise}_nfsd_set() calls at the end.
>>
>> --b.
>
>
> I'm not as familiar with the capabilities code as Casey is so I'll
> leave this ball in his court. I think you are correct though and the
> problem is that NFSd is dropping and raising caps and we need to make
> sure that MAC_ADMIN and MAC_OVERRIDE is in there in the SMACK case.
>
> --
> This message was distributed to subscribers of the selinux mailing 
> list.
> If you no longer wish to subscribe, send mail to 
> majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.


I think I found the offending code. I can't test it for a while so 
hopefully Casey can.

In include/linux/capability.h we have the following defines


# define CAP_FS_MASK_B0     (CAP_TO_MASK(CAP_CHOWN)             \
                             | CAP_TO_MASK(CAP_MKNOD)            \
                             | CAP_TO_MASK(CAP_DAC_OVERRIDE)     \
                             | CAP_TO_MASK(CAP_DAC_READ_SEARCH)  \
                             | CAP_TO_MASK(CAP_FOWNER)           \
                             | CAP_TO_MASK(CAP_FSETID))

# define CAP_FS_MASK_B1     (CAP_TO_MASK(CAP_MAC_OVERRIDE))

#if _KERNEL_CAPABILITY_U32S != 2
# error Fix up hand-coded capability macro initializers
#else /* HAND-CODED capability initializers */

# define CAP_EMPTY_SET    ((kernel_cap_t){{ 0, 0 }})
# define CAP_FULL_SET     ((kernel_cap_t){{ ~0, ~0 }})
# define CAP_FS_SET       ((kernel_cap_t){{ CAP_FS_MASK_B0 \
                                     | CAP_TO_MASK(CAP_LINUX_IMMUTABLE), 
\
                                     CAP_FS_MASK_B1 } })
# define CAP_NFSD_SET     ((kernel_cap_t){{ CAP_FS_MASK_B0 \
                                     | CAP_TO_MASK(CAP_SYS_RESOURCE), \
                                     CAP_FS_MASK_B1 } })

So raise and drop nfsd caps uses CAP_NFSD_SET. In CAP_NFSD_SET we have 
CAP_MAC_OVERRIDE but we don't have CAP_MAC_ADMIN. I think maybe if we 
had both then Casey should be able to use the code with SMACK. However 
I'm not sure what implications this has for every other LSM. Honestly 
I'm not sure if we use either of those caps for SELinux at all (I think 
we ignore them completely).


Maybe if CAP_FS_MASK_B1 was like this it would work.

# define CAP_FS_MASK_B1     (CAP_TO_MASK(CAP_MAC_OVERRIDE)    \
)

Re: Labeled NFS [v5]

[David Quigley]

On 11/30/2012 07:57, David Quigley wrote:
> On 11/30/2012 07:14, J. Bruce Fields wrote:
>> On Thu, Nov 29, 2012 at 09:02:49PM -0500, David Quigley wrote:
>>> On 11/29/2012 20:50, Casey Schaufler wrote:
>>> >On 11/29/2012 4:46 PM, David Quigley wrote:
>>> >>On 11/29/2012 19:34, Casey Schaufler wrote:
>>> >>>I would think that were it not for the case that access is 
>>> denied
>>> >>>and I get an audit record for nfsd that reports a subject
>>> >>>label of "_"
>>> >>>(which is correct for nfsd but not the process attempting
>>> >>>access) and
>>> >>>an object label of "WhooHoo", which is correct. The server side
>>> >>>looks like it might be working right, given the information that 
>>> it
>>> >>>has.
>>> >>>
>>> >>
>>> >>Ok so this is the problem. nfsd is a kernel thread I believe. In
>>> >>SELinux land it has the type kernel_t which is all powerful. We
>>> >>don't
>>> >>have client label transport yet (That requires RPCSECGSSv3). Is
>>> >>there
>>> >>a way you can have that kernel thread running as a type that has
>>> >>access to everything?
>>> >
>>> >That would be having CAP_MAC_ADMIN and CAP_MAC_OVERRIDE in 
>>> Smackese.
>>> >Looking at /proc/<pid-of-nfsd>/status we see CapEff of fff...fff
>>> >which
>>> >is to say, all capabilities.
>>> >
>>>
>>> Hmm thats interesting then. You could try using rpcdebug -m nfsd to
>>> turn on some of the debugging to look around the internals and
>>> figure out whats going on. If you pass -v it will give you all of
>>> the potential flags.
>>>
>>> >
>>> >>I think that is the current problem. Which makes perfect sense. 
>>> If
>>> >>your kernel threads don't get started with max privilege then the
>>> >>server would be denied access on all of the file attributes and
>>> >>wouldn't be able to ship it over the wire properly.
>>> >
>>> >OK. I haven't had to do anything with kernel threads so far.
>>> >Where is NFS setting these up? Poking around fs/nfsd looks like
>>> >the place, but I haven't seen anything there that makes it look
>>> >like they would be running without capabilities. Clearly, that's
>>> >what I'm seeing. It looks as if the credential of nfsd does not
>>> >match what /proc reports. Bother.
>>> >
>>>
>>> I'm not entirely sure whats up either. If you want to look for the
>>> NFSd threads they are in fs/nfsd/nfssvc.c. The main function starts
>>> on line 487.
>>
>> I'm not following the discussion, but: maybe you want to look at
>> fs/nfsd/auth.c:nfsd_setuser() ?  In particular, the
>> cap_{drop/raise}_nfsd_set() calls at the end.
>>
>> --b.
>
>
> I'm not as familiar with the capabilities code as Casey is so I'll
> leave this ball in his court. I think you are correct though and the
> problem is that NFSd is dropping and raising caps and we need to make
> sure that MAC_ADMIN and MAC_OVERRIDE is in there in the SMACK case.
>
> --
> This message was distributed to subscribers of the selinux mailing 
> list.
> If you no longer wish to subscribe, send mail to 
> majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.


I think I found the offending code. I can't test it for a while so 
hopefully Casey can.

In include/linux/capability.h we have the following defines


# define CAP_FS_MASK_B0     (CAP_TO_MASK(CAP_CHOWN)             \
                             | CAP_TO_MASK(CAP_MKNOD)            \
                             | CAP_TO_MASK(CAP_DAC_OVERRIDE)     \
                             | CAP_TO_MASK(CAP_DAC_READ_SEARCH)  \
                             | CAP_TO_MASK(CAP_FOWNER)           \
                             | CAP_TO_MASK(CAP_FSETID))

# define CAP_FS_MASK_B1     (CAP_TO_MASK(CAP_MAC_OVERRIDE))

#if _KERNEL_CAPABILITY_U32S != 2
# error Fix up hand-coded capability macro initializers
#else /* HAND-CODED capability initializers */

# define CAP_EMPTY_SET    ((kernel_cap_t){{ 0, 0 }})
# define CAP_FULL_SET     ((kernel_cap_t){{ ~0, ~0 }})
# define CAP_FS_SET       ((kernel_cap_t){{ CAP_FS_MASK_B0 \
                                     | CAP_TO_MASK(CAP_LINUX_IMMUTABLE), 
\
                                     CAP_FS_MASK_B1 } })
# define CAP_NFSD_SET     ((kernel_cap_t){{ CAP_FS_MASK_B0 \
                                     | CAP_TO_MASK(CAP_SYS_RESOURCE), \
                                     CAP_FS_MASK_B1 } })

So raise and drop nfsd caps uses CAP_NFSD_SET. In CAP_NFSD_SET we have 
CAP_MAC_OVERRIDE but we don't have CAP_MAC_ADMIN. I think maybe if we 
had both then Casey should be able to use the code with SMACK. However 
I'm not sure what implications this has for every other LSM. Honestly 
I'm not sure if we use either of those caps for SELinux at all (I think 
we ignore them completely).


Maybe if CAP_FS_MASK_B1 was like this it would work.

# define CAP_FS_MASK_B1     (CAP_TO_MASK(CAP_MAC_OVERRIDE)    \
)




--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Labeled NFS [v5]

[Stephen Smalley]

On 11/30/2012 08:17 AM, David Quigley wrote:
> On 11/30/2012 07:57, David Quigley wrote:
>> On 11/30/2012 07:14, J. Bruce Fields wrote:
>>> On Thu, Nov 29, 2012 at 09:02:49PM -0500, David Quigley wrote:
>>>> On 11/29/2012 20:50, Casey Schaufler wrote:
>>>> >On 11/29/2012 4:46 PM, David Quigley wrote:
>>>> >>On 11/29/2012 19:34, Casey Schaufler wrote:
>>>> >>>I would think that were it not for the case that access is denied
>>>> >>>and I get an audit record for nfsd that reports a subject
>>>> >>>label of "_"
>>>> >>>(which is correct for nfsd but not the process attempting
>>>> >>>access) and
>>>> >>>an object label of "WhooHoo", which is correct. The server side
>>>> >>>looks like it might be working right, given the information that it
>>>> >>>has.
>>>> >>>
>>>> >>
>>>> >>Ok so this is the problem. nfsd is a kernel thread I believe. In
>>>> >>SELinux land it has the type kernel_t which is all powerful. We
>>>> >>don't
>>>> >>have client label transport yet (That requires RPCSECGSSv3). Is
>>>> >>there
>>>> >>a way you can have that kernel thread running as a type that has
>>>> >>access to everything?
>>>> >
>>>> >That would be having CAP_MAC_ADMIN and CAP_MAC_OVERRIDE in Smackese.
>>>> >Looking at /proc/<pid-of-nfsd>/status we see CapEff of fff...fff
>>>> >which
>>>> >is to say, all capabilities.
>>>> >
>>>>
>>>> Hmm thats interesting then. You could try using rpcdebug -m nfsd to
>>>> turn on some of the debugging to look around the internals and
>>>> figure out whats going on. If you pass -v it will give you all of
>>>> the potential flags.
>>>>
>>>> >
>>>> >>I think that is the current problem. Which makes perfect sense. If
>>>> >>your kernel threads don't get started with max privilege then the
>>>> >>server would be denied access on all of the file attributes and
>>>> >>wouldn't be able to ship it over the wire properly.
>>>> >
>>>> >OK. I haven't had to do anything with kernel threads so far.
>>>> >Where is NFS setting these up? Poking around fs/nfsd looks like
>>>> >the place, but I haven't seen anything there that makes it look
>>>> >like they would be running without capabilities. Clearly, that's
>>>> >what I'm seeing. It looks as if the credential of nfsd does not
>>>> >match what /proc reports. Bother.
>>>> >
>>>>
>>>> I'm not entirely sure whats up either. If you want to look for the
>>>> NFSd threads they are in fs/nfsd/nfssvc.c. The main function starts
>>>> on line 487.
>>>
>>> I'm not following the discussion, but: maybe you want to look at
>>> fs/nfsd/auth.c:nfsd_setuser() ?  In particular, the
>>> cap_{drop/raise}_nfsd_set() calls at the end.
>>>
>>> --b.
>>
>>
>> I'm not as familiar with the capabilities code as Casey is so I'll
>> leave this ball in his court. I think you are correct though and the
>> problem is that NFSd is dropping and raising caps and we need to make
>> sure that MAC_ADMIN and MAC_OVERRIDE is in there in the SMACK case.
>>
>> --
>> This message was distributed to subscribers of the selinux mailing list.
>> If you no longer wish to subscribe, send mail to
>> majordomo@tycho.nsa.gov with
>> the words "unsubscribe selinux" without quotes as the message.
>
>
> I think I found the offending code. I can't test it for a while so
> hopefully Casey can.
>
> In include/linux/capability.h we have the following defines
>
>
> # define CAP_FS_MASK_B0     (CAP_TO_MASK(CAP_CHOWN)             \
>                              | CAP_TO_MASK(CAP_MKNOD)            \
>                              | CAP_TO_MASK(CAP_DAC_OVERRIDE)     \
>                              | CAP_TO_MASK(CAP_DAC_READ_SEARCH)  \
>                              | CAP_TO_MASK(CAP_FOWNER)           \
>                              | CAP_TO_MASK(CAP_FSETID))
>
> # define CAP_FS_MASK_B1     (CAP_TO_MASK(CAP_MAC_OVERRIDE))
>
> #if _KERNEL_CAPABILITY_U32S != 2
> # error Fix up hand-coded capability macro initializers
> #else /* HAND-CODED capability initializers */
>
> # define CAP_EMPTY_SET    ((kernel_cap_t){{ 0, 0 }})
> # define CAP_FULL_SET     ((kernel_cap_t){{ ~0, ~0 }})
> # define CAP_FS_SET       ((kernel_cap_t){{ CAP_FS_MASK_B0 \
>                                      | CAP_TO_MASK(CAP_LINUX_IMMUTABLE), \
>                                      CAP_FS_MASK_B1 } })
> # define CAP_NFSD_SET     ((kernel_cap_t){{ CAP_FS_MASK_B0 \
>                                      | CAP_TO_MASK(CAP_SYS_RESOURCE), \
>                                      CAP_FS_MASK_B1 } })
>
> So raise and drop nfsd caps uses CAP_NFSD_SET. In CAP_NFSD_SET we have
> CAP_MAC_OVERRIDE but we don't have CAP_MAC_ADMIN. I think maybe if we
> had both then Casey should be able to use the code with SMACK. However
> I'm not sure what implications this has for every other LSM. Honestly
> I'm not sure if we use either of those caps for SELinux at all (I think
> we ignore them completely).

CAP_MAC_ADMIN is used by SELinux these days, but only to control the 
ability to get or set security contexts that are not yet defined in the 
policy (for package managers that lay down the security contexts before 
reloading policy and for installing a distro within a chroot on a build 
host running a different policy).

Re: Labeled NFS [v5]

[Stephen Smalley]

On 11/30/2012 08:17 AM, David Quigley wrote:
> On 11/30/2012 07:57, David Quigley wrote:
>> On 11/30/2012 07:14, J. Bruce Fields wrote:
>>> On Thu, Nov 29, 2012 at 09:02:49PM -0500, David Quigley wrote:
>>>> On 11/29/2012 20:50, Casey Schaufler wrote:
>>>> >On 11/29/2012 4:46 PM, David Quigley wrote:
>>>> >>On 11/29/2012 19:34, Casey Schaufler wrote:
>>>> >>>I would think that were it not for the case that access is denied
>>>> >>>and I get an audit record for nfsd that reports a subject
>>>> >>>label of "_"
>>>> >>>(which is correct for nfsd but not the process attempting
>>>> >>>access) and
>>>> >>>an object label of "WhooHoo", which is correct. The server side
>>>> >>>looks like it might be working right, given the information that it
>>>> >>>has.
>>>> >>>
>>>> >>
>>>> >>Ok so this is the problem. nfsd is a kernel thread I believe. In
>>>> >>SELinux land it has the type kernel_t which is all powerful. We
>>>> >>don't
>>>> >>have client label transport yet (That requires RPCSECGSSv3). Is
>>>> >>there
>>>> >>a way you can have that kernel thread running as a type that has
>>>> >>access to everything?
>>>> >
>>>> >That would be having CAP_MAC_ADMIN and CAP_MAC_OVERRIDE in Smackese.
>>>> >Looking at /proc/<pid-of-nfsd>/status we see CapEff of fff...fff
>>>> >which
>>>> >is to say, all capabilities.
>>>> >
>>>>
>>>> Hmm thats interesting then. You could try using rpcdebug -m nfsd to
>>>> turn on some of the debugging to look around the internals and
>>>> figure out whats going on. If you pass -v it will give you all of
>>>> the potential flags.
>>>>
>>>> >
>>>> >>I think that is the current problem. Which makes perfect sense. If
>>>> >>your kernel threads don't get started with max privilege then the
>>>> >>server would be denied access on all of the file attributes and
>>>> >>wouldn't be able to ship it over the wire properly.
>>>> >
>>>> >OK. I haven't had to do anything with kernel threads so far.
>>>> >Where is NFS setting these up? Poking around fs/nfsd looks like
>>>> >the place, but I haven't seen anything there that makes it look
>>>> >like they would be running without capabilities. Clearly, that's
>>>> >what I'm seeing. It looks as if the credential of nfsd does not
>>>> >match what /proc reports. Bother.
>>>> >
>>>>
>>>> I'm not entirely sure whats up either. If you want to look for the
>>>> NFSd threads they are in fs/nfsd/nfssvc.c. The main function starts
>>>> on line 487.
>>>
>>> I'm not following the discussion, but: maybe you want to look at
>>> fs/nfsd/auth.c:nfsd_setuser() ?  In particular, the
>>> cap_{drop/raise}_nfsd_set() calls at the end.
>>>
>>> --b.
>>
>>
>> I'm not as familiar with the capabilities code as Casey is so I'll
>> leave this ball in his court. I think you are correct though and the
>> problem is that NFSd is dropping and raising caps and we need to make
>> sure that MAC_ADMIN and MAC_OVERRIDE is in there in the SMACK case.
>>
>> --
>> This message was distributed to subscribers of the selinux mailing list.
>> If you no longer wish to subscribe, send mail to
>> majordomo@tycho.nsa.gov with
>> the words "unsubscribe selinux" without quotes as the message.
>
>
> I think I found the offending code. I can't test it for a while so
> hopefully Casey can.
>
> In include/linux/capability.h we have the following defines
>
>
> # define CAP_FS_MASK_B0     (CAP_TO_MASK(CAP_CHOWN)             \
>                              | CAP_TO_MASK(CAP_MKNOD)            \
>                              | CAP_TO_MASK(CAP_DAC_OVERRIDE)     \
>                              | CAP_TO_MASK(CAP_DAC_READ_SEARCH)  \
>                              | CAP_TO_MASK(CAP_FOWNER)           \
>                              | CAP_TO_MASK(CAP_FSETID))
>
> # define CAP_FS_MASK_B1     (CAP_TO_MASK(CAP_MAC_OVERRIDE))
>
> #if _KERNEL_CAPABILITY_U32S != 2
> # error Fix up hand-coded capability macro initializers
> #else /* HAND-CODED capability initializers */
>
> # define CAP_EMPTY_SET    ((kernel_cap_t){{ 0, 0 }})
> # define CAP_FULL_SET     ((kernel_cap_t){{ ~0, ~0 }})
> # define CAP_FS_SET       ((kernel_cap_t){{ CAP_FS_MASK_B0 \
>                                      | CAP_TO_MASK(CAP_LINUX_IMMUTABLE), \
>                                      CAP_FS_MASK_B1 } })
> # define CAP_NFSD_SET     ((kernel_cap_t){{ CAP_FS_MASK_B0 \
>                                      | CAP_TO_MASK(CAP_SYS_RESOURCE), \
>                                      CAP_FS_MASK_B1 } })
>
> So raise and drop nfsd caps uses CAP_NFSD_SET. In CAP_NFSD_SET we have
> CAP_MAC_OVERRIDE but we don't have CAP_MAC_ADMIN. I think maybe if we
> had both then Casey should be able to use the code with SMACK. However
> I'm not sure what implications this has for every other LSM. Honestly
> I'm not sure if we use either of those caps for SELinux at all (I think
> we ignore them completely).

CAP_MAC_ADMIN is used by SELinux these days, but only to control the 
ability to get or set security contexts that are not yet defined in the 
policy (for package managers that lay down the security contexts before 
reloading policy and for installing a distro within a chroot on a build 
host running a different policy).


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Labeled NFS [v5]

[David Quigley]

On 11/30/2012 08:28, Stephen Smalley wrote:
> On 11/30/2012 08:17 AM, David Quigley wrote:
>> On 11/30/2012 07:57, David Quigley wrote:
>>> On 11/30/2012 07:14, J. Bruce Fields wrote:
>>>> On Thu, Nov 29, 2012 at 09:02:49PM -0500, David Quigley wrote:
>>>>> On 11/29/2012 20:50, Casey Schaufler wrote:
>>>>> >On 11/29/2012 4:46 PM, David Quigley wrote:
>>>>> >>On 11/29/2012 19:34, Casey Schaufler wrote:
>>>>> >>>I would think that were it not for the case that access is 
>>>>> denied
>>>>> >>>and I get an audit record for nfsd that reports a subject
>>>>> >>>label of "_"
>>>>> >>>(which is correct for nfsd but not the process attempting
>>>>> >>>access) and
>>>>> >>>an object label of "WhooHoo", which is correct. The server 
>>>>> side
>>>>> >>>looks like it might be working right, given the information 
>>>>> that it
>>>>> >>>has.
>>>>> >>>
>>>>> >>
>>>>> >>Ok so this is the problem. nfsd is a kernel thread I believe. 
>>>>> In
>>>>> >>SELinux land it has the type kernel_t which is all powerful. We
>>>>> >>don't
>>>>> >>have client label transport yet (That requires RPCSECGSSv3). Is
>>>>> >>there
>>>>> >>a way you can have that kernel thread running as a type that 
>>>>> has
>>>>> >>access to everything?
>>>>> >
>>>>> >That would be having CAP_MAC_ADMIN and CAP_MAC_OVERRIDE in 
>>>>> Smackese.
>>>>> >Looking at /proc/<pid-of-nfsd>/status we see CapEff of fff...fff
>>>>> >which
>>>>> >is to say, all capabilities.
>>>>> >
>>>>>
>>>>> Hmm thats interesting then. You could try using rpcdebug -m nfsd 
>>>>> to
>>>>> turn on some of the debugging to look around the internals and
>>>>> figure out whats going on. If you pass -v it will give you all of
>>>>> the potential flags.
>>>>>
>>>>> >
>>>>> >>I think that is the current problem. Which makes perfect sense. 
>>>>> If
>>>>> >>your kernel threads don't get started with max privilege then 
>>>>> the
>>>>> >>server would be denied access on all of the file attributes and
>>>>> >>wouldn't be able to ship it over the wire properly.
>>>>> >
>>>>> >OK. I haven't had to do anything with kernel threads so far.
>>>>> >Where is NFS setting these up? Poking around fs/nfsd looks like
>>>>> >the place, but I haven't seen anything there that makes it look
>>>>> >like they would be running without capabilities. Clearly, that's
>>>>> >what I'm seeing. It looks as if the credential of nfsd does not
>>>>> >match what /proc reports. Bother.
>>>>> >
>>>>>
>>>>> I'm not entirely sure whats up either. If you want to look for 
>>>>> the
>>>>> NFSd threads they are in fs/nfsd/nfssvc.c. The main function 
>>>>> starts
>>>>> on line 487.
>>>>
>>>> I'm not following the discussion, but: maybe you want to look at
>>>> fs/nfsd/auth.c:nfsd_setuser() ?  In particular, the
>>>> cap_{drop/raise}_nfsd_set() calls at the end.
>>>>
>>>> --b.
>>>
>>>
>>> I'm not as familiar with the capabilities code as Casey is so I'll
>>> leave this ball in his court. I think you are correct though and 
>>> the
>>> problem is that NFSd is dropping and raising caps and we need to 
>>> make
>>> sure that MAC_ADMIN and MAC_OVERRIDE is in there in the SMACK case.
>>>
>>> --
>>> This message was distributed to subscribers of the selinux mailing 
>>> list.
>>> If you no longer wish to subscribe, send mail to
>>> majordomo@tycho.nsa.gov with
>>> the words "unsubscribe selinux" without quotes as the message.
>>
>>
>> I think I found the offending code. I can't test it for a while so
>> hopefully Casey can.
>>
>> In include/linux/capability.h we have the following defines
>>
>>
>> # define CAP_FS_MASK_B0     (CAP_TO_MASK(CAP_CHOWN)             \
>>                              | CAP_TO_MASK(CAP_MKNOD)            \
>>                              | CAP_TO_MASK(CAP_DAC_OVERRIDE)     \
>>                              | CAP_TO_MASK(CAP_DAC_READ_SEARCH)  \
>>                              | CAP_TO_MASK(CAP_FOWNER)           \
>>                              | CAP_TO_MASK(CAP_FSETID))
>>
>> # define CAP_FS_MASK_B1     (CAP_TO_MASK(CAP_MAC_OVERRIDE))
>>
>> #if _KERNEL_CAPABILITY_U32S != 2
>> # error Fix up hand-coded capability macro initializers
>> #else /* HAND-CODED capability initializers */
>>
>> # define CAP_EMPTY_SET    ((kernel_cap_t){{ 0, 0 }})
>> # define CAP_FULL_SET     ((kernel_cap_t){{ ~0, ~0 }})
>> # define CAP_FS_SET       ((kernel_cap_t){{ CAP_FS_MASK_B0 \
>>                                      | 
>> CAP_TO_MASK(CAP_LINUX_IMMUTABLE), \
>>                                      CAP_FS_MASK_B1 } })
>> # define CAP_NFSD_SET     ((kernel_cap_t){{ CAP_FS_MASK_B0 \
>>                                      | 
>> CAP_TO_MASK(CAP_SYS_RESOURCE), \
>>                                      CAP_FS_MASK_B1 } })
>>
>> So raise and drop nfsd caps uses CAP_NFSD_SET. In CAP_NFSD_SET we 
>> have
>> CAP_MAC_OVERRIDE but we don't have CAP_MAC_ADMIN. I think maybe if 
>> we
>> had both then Casey should be able to use the code with SMACK. 
>> However
>> I'm not sure what implications this has for every other LSM. 
>> Honestly
>> I'm not sure if we use either of those caps for SELinux at all (I 
>> think
>> we ignore them completely).
>
> CAP_MAC_ADMIN is used by SELinux these days, but only to control the
> ability to get or set security contexts that are not yet defined in
> the policy (for package managers that lay down the security contexts
> before reloading policy and for installing a distro within a chroot 
> on
> a build host running a different policy).


Do you think its reasonable to add that cap into the NFSd thread then? 
I'm not sure what other solution there would be. Casey needs it just so 
SMACK can work with it at all (assuming what I think is happening is 
actually happening).

Re: Labeled NFS [v5]

[David Quigley]

On 11/30/2012 08:28, Stephen Smalley wrote:
> On 11/30/2012 08:17 AM, David Quigley wrote:
>> On 11/30/2012 07:57, David Quigley wrote:
>>> On 11/30/2012 07:14, J. Bruce Fields wrote:
>>>> On Thu, Nov 29, 2012 at 09:02:49PM -0500, David Quigley wrote:
>>>>> On 11/29/2012 20:50, Casey Schaufler wrote:
>>>>> >On 11/29/2012 4:46 PM, David Quigley wrote:
>>>>> >>On 11/29/2012 19:34, Casey Schaufler wrote:
>>>>> >>>I would think that were it not for the case that access is 
>>>>> denied
>>>>> >>>and I get an audit record for nfsd that reports a subject
>>>>> >>>label of "_"
>>>>> >>>(which is correct for nfsd but not the process attempting
>>>>> >>>access) and
>>>>> >>>an object label of "WhooHoo", which is correct. The server 
>>>>> side
>>>>> >>>looks like it might be working right, given the information 
>>>>> that it
>>>>> >>>has.
>>>>> >>>
>>>>> >>
>>>>> >>Ok so this is the problem. nfsd is a kernel thread I believe. 
>>>>> In
>>>>> >>SELinux land it has the type kernel_t which is all powerful. We
>>>>> >>don't
>>>>> >>have client label transport yet (That requires RPCSECGSSv3). Is
>>>>> >>there
>>>>> >>a way you can have that kernel thread running as a type that 
>>>>> has
>>>>> >>access to everything?
>>>>> >
>>>>> >That would be having CAP_MAC_ADMIN and CAP_MAC_OVERRIDE in 
>>>>> Smackese.
>>>>> >Looking at /proc/<pid-of-nfsd>/status we see CapEff of fff...fff
>>>>> >which
>>>>> >is to say, all capabilities.
>>>>> >
>>>>>
>>>>> Hmm thats interesting then. You could try using rpcdebug -m nfsd 
>>>>> to
>>>>> turn on some of the debugging to look around the internals and
>>>>> figure out whats going on. If you pass -v it will give you all of
>>>>> the potential flags.
>>>>>
>>>>> >
>>>>> >>I think that is the current problem. Which makes perfect sense. 
>>>>> If
>>>>> >>your kernel threads don't get started with max privilege then 
>>>>> the
>>>>> >>server would be denied access on all of the file attributes and
>>>>> >>wouldn't be able to ship it over the wire properly.
>>>>> >
>>>>> >OK. I haven't had to do anything with kernel threads so far.
>>>>> >Where is NFS setting these up? Poking around fs/nfsd looks like
>>>>> >the place, but I haven't seen anything there that makes it look
>>>>> >like they would be running without capabilities. Clearly, that's
>>>>> >what I'm seeing. It looks as if the credential of nfsd does not
>>>>> >match what /proc reports. Bother.
>>>>> >
>>>>>
>>>>> I'm not entirely sure whats up either. If you want to look for 
>>>>> the
>>>>> NFSd threads they are in fs/nfsd/nfssvc.c. The main function 
>>>>> starts
>>>>> on line 487.
>>>>
>>>> I'm not following the discussion, but: maybe you want to look at
>>>> fs/nfsd/auth.c:nfsd_setuser() ?  In particular, the
>>>> cap_{drop/raise}_nfsd_set() calls at the end.
>>>>
>>>> --b.
>>>
>>>
>>> I'm not as familiar with the capabilities code as Casey is so I'll
>>> leave this ball in his court. I think you are correct though and 
>>> the
>>> problem is that NFSd is dropping and raising caps and we need to 
>>> make
>>> sure that MAC_ADMIN and MAC_OVERRIDE is in there in the SMACK case.
>>>
>>> --
>>> This message was distributed to subscribers of the selinux mailing 
>>> list.
>>> If you no longer wish to subscribe, send mail to
>>> majordomo@tycho.nsa.gov with
>>> the words "unsubscribe selinux" without quotes as the message.
>>
>>
>> I think I found the offending code. I can't test it for a while so
>> hopefully Casey can.
>>
>> In include/linux/capability.h we have the following defines
>>
>>
>> # define CAP_FS_MASK_B0     (CAP_TO_MASK(CAP_CHOWN)             \
>>                              | CAP_TO_MASK(CAP_MKNOD)            \
>>                              | CAP_TO_MASK(CAP_DAC_OVERRIDE)     \
>>                              | CAP_TO_MASK(CAP_DAC_READ_SEARCH)  \
>>                              | CAP_TO_MASK(CAP_FOWNER)           \
>>                              | CAP_TO_MASK(CAP_FSETID))
>>
>> # define CAP_FS_MASK_B1     (CAP_TO_MASK(CAP_MAC_OVERRIDE))
>>
>> #if _KERNEL_CAPABILITY_U32S != 2
>> # error Fix up hand-coded capability macro initializers
>> #else /* HAND-CODED capability initializers */
>>
>> # define CAP_EMPTY_SET    ((kernel_cap_t){{ 0, 0 }})
>> # define CAP_FULL_SET     ((kernel_cap_t){{ ~0, ~0 }})
>> # define CAP_FS_SET       ((kernel_cap_t){{ CAP_FS_MASK_B0 \
>>                                      | 
>> CAP_TO_MASK(CAP_LINUX_IMMUTABLE), \
>>                                      CAP_FS_MASK_B1 } })
>> # define CAP_NFSD_SET     ((kernel_cap_t){{ CAP_FS_MASK_B0 \
>>                                      | 
>> CAP_TO_MASK(CAP_SYS_RESOURCE), \
>>                                      CAP_FS_MASK_B1 } })
>>
>> So raise and drop nfsd caps uses CAP_NFSD_SET. In CAP_NFSD_SET we 
>> have
>> CAP_MAC_OVERRIDE but we don't have CAP_MAC_ADMIN. I think maybe if 
>> we
>> had both then Casey should be able to use the code with SMACK. 
>> However
>> I'm not sure what implications this has for every other LSM. 
>> Honestly
>> I'm not sure if we use either of those caps for SELinux at all (I 
>> think
>> we ignore them completely).
>
> CAP_MAC_ADMIN is used by SELinux these days, but only to control the
> ability to get or set security contexts that are not yet defined in
> the policy (for package managers that lay down the security contexts
> before reloading policy and for installing a distro within a chroot 
> on
> a build host running a different policy).


Do you think its reasonable to add that cap into the NFSd thread then? 
I'm not sure what other solution there would be. Casey needs it just so 
SMACK can work with it at all (assuming what I think is happening is 
actually happening).

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Labeled NFS [v5]

[Stephen Smalley]

On 11/30/2012 08:35 AM, David Quigley wrote:
> On 11/30/2012 08:28, Stephen Smalley wrote:
>> On 11/30/2012 08:17 AM, David Quigley wrote:
>>> On 11/30/2012 07:57, David Quigley wrote:
>>>> On 11/30/2012 07:14, J. Bruce Fields wrote:
>>>>> On Thu, Nov 29, 2012 at 09:02:49PM -0500, David Quigley wrote:
>>>>>> On 11/29/2012 20:50, Casey Schaufler wrote:
>>>>>> >On 11/29/2012 4:46 PM, David Quigley wrote:
>>>>>> >>On 11/29/2012 19:34, Casey Schaufler wrote:
>>>>>> >>>I would think that were it not for the case that access is denied
>>>>>> >>>and I get an audit record for nfsd that reports a subject
>>>>>> >>>label of "_"
>>>>>> >>>(which is correct for nfsd but not the process attempting
>>>>>> >>>access) and
>>>>>> >>>an object label of "WhooHoo", which is correct. The server side
>>>>>> >>>looks like it might be working right, given the information
>>>>>> that it
>>>>>> >>>has.
>>>>>> >>>
>>>>>> >>
>>>>>> >>Ok so this is the problem. nfsd is a kernel thread I believe. In
>>>>>> >>SELinux land it has the type kernel_t which is all powerful. We
>>>>>> >>don't
>>>>>> >>have client label transport yet (That requires RPCSECGSSv3). Is
>>>>>> >>there
>>>>>> >>a way you can have that kernel thread running as a type that has
>>>>>> >>access to everything?
>>>>>> >
>>>>>> >That would be having CAP_MAC_ADMIN and CAP_MAC_OVERRIDE in Smackese.
>>>>>> >Looking at /proc/<pid-of-nfsd>/status we see CapEff of fff...fff
>>>>>> >which
>>>>>> >is to say, all capabilities.
>>>>>> >
>>>>>>
>>>>>> Hmm thats interesting then. You could try using rpcdebug -m nfsd to
>>>>>> turn on some of the debugging to look around the internals and
>>>>>> figure out whats going on. If you pass -v it will give you all of
>>>>>> the potential flags.
>>>>>>
>>>>>> >
>>>>>> >>I think that is the current problem. Which makes perfect sense. If
>>>>>> >>your kernel threads don't get started with max privilege then the
>>>>>> >>server would be denied access on all of the file attributes and
>>>>>> >>wouldn't be able to ship it over the wire properly.
>>>>>> >
>>>>>> >OK. I haven't had to do anything with kernel threads so far.
>>>>>> >Where is NFS setting these up? Poking around fs/nfsd looks like
>>>>>> >the place, but I haven't seen anything there that makes it look
>>>>>> >like they would be running without capabilities. Clearly, that's
>>>>>> >what I'm seeing. It looks as if the credential of nfsd does not
>>>>>> >match what /proc reports. Bother.
>>>>>> >
>>>>>>
>>>>>> I'm not entirely sure whats up either. If you want to look for the
>>>>>> NFSd threads they are in fs/nfsd/nfssvc.c. The main function starts
>>>>>> on line 487.
>>>>>
>>>>> I'm not following the discussion, but: maybe you want to look at
>>>>> fs/nfsd/auth.c:nfsd_setuser() ?  In particular, the
>>>>> cap_{drop/raise}_nfsd_set() calls at the end.
>>>>>
>>>>> --b.
>>>>
>>>>
>>>> I'm not as familiar with the capabilities code as Casey is so I'll
>>>> leave this ball in his court. I think you are correct though and the
>>>> problem is that NFSd is dropping and raising caps and we need to make
>>>> sure that MAC_ADMIN and MAC_OVERRIDE is in there in the SMACK case.
>>>>
>>>> --
>>>> This message was distributed to subscribers of the selinux mailing
>>>> list.
>>>> If you no longer wish to subscribe, send mail to
>>>> majordomo@tycho.nsa.gov with
>>>> the words "unsubscribe selinux" without quotes as the message.
>>>
>>>
>>> I think I found the offending code. I can't test it for a while so
>>> hopefully Casey can.
>>>
>>> In include/linux/capability.h we have the following defines
>>>
>>>
>>> # define CAP_FS_MASK_B0     (CAP_TO_MASK(CAP_CHOWN)             \
>>>                              | CAP_TO_MASK(CAP_MKNOD)            \
>>>                              | CAP_TO_MASK(CAP_DAC_OVERRIDE)     \
>>>                              | CAP_TO_MASK(CAP_DAC_READ_SEARCH)  \
>>>                              | CAP_TO_MASK(CAP_FOWNER)           \
>>>                              | CAP_TO_MASK(CAP_FSETID))
>>>
>>> # define CAP_FS_MASK_B1     (CAP_TO_MASK(CAP_MAC_OVERRIDE))
>>>
>>> #if _KERNEL_CAPABILITY_U32S != 2
>>> # error Fix up hand-coded capability macro initializers
>>> #else /* HAND-CODED capability initializers */
>>>
>>> # define CAP_EMPTY_SET    ((kernel_cap_t){{ 0, 0 }})
>>> # define CAP_FULL_SET     ((kernel_cap_t){{ ~0, ~0 }})
>>> # define CAP_FS_SET       ((kernel_cap_t){{ CAP_FS_MASK_B0 \
>>>                                      |
>>> CAP_TO_MASK(CAP_LINUX_IMMUTABLE), \
>>>                                      CAP_FS_MASK_B1 } })
>>> # define CAP_NFSD_SET     ((kernel_cap_t){{ CAP_FS_MASK_B0 \
>>>                                      | CAP_TO_MASK(CAP_SYS_RESOURCE), \
>>>                                      CAP_FS_MASK_B1 } })
>>>
>>> So raise and drop nfsd caps uses CAP_NFSD_SET. In CAP_NFSD_SET we have
>>> CAP_MAC_OVERRIDE but we don't have CAP_MAC_ADMIN. I think maybe if we
>>> had both then Casey should be able to use the code with SMACK. However
>>> I'm not sure what implications this has for every other LSM. Honestly
>>> I'm not sure if we use either of those caps for SELinux at all (I think
>>> we ignore them completely).
>>
>> CAP_MAC_ADMIN is used by SELinux these days, but only to control the
>> ability to get or set security contexts that are not yet defined in
>> the policy (for package managers that lay down the security contexts
>> before reloading policy and for installing a distro within a chroot on
>> a build host running a different policy).
>
>
> Do you think its reasonable to add that cap into the NFSd thread then?
> I'm not sure what other solution there would be. Casey needs it just so
> SMACK can work with it at all (assuming what I think is happening is
> actually happening).

Looks like Smack requires CAP_MAC_ADMIN in order to set Smack attributes 
on a file at all.  So nfsd would require that capability for Smack.  I 
think this means however that setting Smack labels on NFS files won't 
work in any case where root is squashed, which seems unfortunate.

On the SELinux side, we don't require CAP_MAC_ADMIN to set the SELinux 
attribute on a file in the normal case, only when the SELinux attribute 
is not known to the security policy yet.  So granting CAP_MAC_ADMIN 
there means that a client will be able to set security contexts on files 
that are unknown to the server.  I guess that might even be desirable in 
some instances where client and server policy are different.  We do have 
the option of denying mac_admin permission in policy for nfsd 
(kernel_t?), in which case we would block such attempts to set unknown 
contexts but would still support setting of known security contexts.

So I think it is workable, albeit a bit confusing.

Re: Labeled NFS [v5]

[Stephen Smalley]

On 11/30/2012 08:35 AM, David Quigley wrote:
> On 11/30/2012 08:28, Stephen Smalley wrote:
>> On 11/30/2012 08:17 AM, David Quigley wrote:
>>> On 11/30/2012 07:57, David Quigley wrote:
>>>> On 11/30/2012 07:14, J. Bruce Fields wrote:
>>>>> On Thu, Nov 29, 2012 at 09:02:49PM -0500, David Quigley wrote:
>>>>>> On 11/29/2012 20:50, Casey Schaufler wrote:
>>>>>> >On 11/29/2012 4:46 PM, David Quigley wrote:
>>>>>> >>On 11/29/2012 19:34, Casey Schaufler wrote:
>>>>>> >>>I would think that were it not for the case that access is denied
>>>>>> >>>and I get an audit record for nfsd that reports a subject
>>>>>> >>>label of "_"
>>>>>> >>>(which is correct for nfsd but not the process attempting
>>>>>> >>>access) and
>>>>>> >>>an object label of "WhooHoo", which is correct. The server side
>>>>>> >>>looks like it might be working right, given the information
>>>>>> that it
>>>>>> >>>has.
>>>>>> >>>
>>>>>> >>
>>>>>> >>Ok so this is the problem. nfsd is a kernel thread I believe. In
>>>>>> >>SELinux land it has the type kernel_t which is all powerful. We
>>>>>> >>don't
>>>>>> >>have client label transport yet (That requires RPCSECGSSv3). Is
>>>>>> >>there
>>>>>> >>a way you can have that kernel thread running as a type that has
>>>>>> >>access to everything?
>>>>>> >
>>>>>> >That would be having CAP_MAC_ADMIN and CAP_MAC_OVERRIDE in Smackese.
>>>>>> >Looking at /proc/<pid-of-nfsd>/status we see CapEff of fff...fff
>>>>>> >which
>>>>>> >is to say, all capabilities.
>>>>>> >
>>>>>>
>>>>>> Hmm thats interesting then. You could try using rpcdebug -m nfsd to
>>>>>> turn on some of the debugging to look around the internals and
>>>>>> figure out whats going on. If you pass -v it will give you all of
>>>>>> the potential flags.
>>>>>>
>>>>>> >
>>>>>> >>I think that is the current problem. Which makes perfect sense. If
>>>>>> >>your kernel threads don't get started with max privilege then the
>>>>>> >>server would be denied access on all of the file attributes and
>>>>>> >>wouldn't be able to ship it over the wire properly.
>>>>>> >
>>>>>> >OK. I haven't had to do anything with kernel threads so far.
>>>>>> >Where is NFS setting these up? Poking around fs/nfsd looks like
>>>>>> >the place, but I haven't seen anything there that makes it look
>>>>>> >like they would be running without capabilities. Clearly, that's
>>>>>> >what I'm seeing. It looks as if the credential of nfsd does not
>>>>>> >match what /proc reports. Bother.
>>>>>> >
>>>>>>
>>>>>> I'm not entirely sure whats up either. If you want to look for the
>>>>>> NFSd threads they are in fs/nfsd/nfssvc.c. The main function starts
>>>>>> on line 487.
>>>>>
>>>>> I'm not following the discussion, but: maybe you want to look at
>>>>> fs/nfsd/auth.c:nfsd_setuser() ?  In particular, the
>>>>> cap_{drop/raise}_nfsd_set() calls at the end.
>>>>>
>>>>> --b.
>>>>
>>>>
>>>> I'm not as familiar with the capabilities code as Casey is so I'll
>>>> leave this ball in his court. I think you are correct though and the
>>>> problem is that NFSd is dropping and raising caps and we need to make
>>>> sure that MAC_ADMIN and MAC_OVERRIDE is in there in the SMACK case.
>>>>
>>>> --
>>>> This message was distributed to subscribers of the selinux mailing
>>>> list.
>>>> If you no longer wish to subscribe, send mail to
>>>> majordomo@tycho.nsa.gov with
>>>> the words "unsubscribe selinux" without quotes as the message.
>>>
>>>
>>> I think I found the offending code. I can't test it for a while so
>>> hopefully Casey can.
>>>
>>> In include/linux/capability.h we have the following defines
>>>
>>>
>>> # define CAP_FS_MASK_B0     (CAP_TO_MASK(CAP_CHOWN)             \
>>>                              | CAP_TO_MASK(CAP_MKNOD)            \
>>>                              | CAP_TO_MASK(CAP_DAC_OVERRIDE)     \
>>>                              | CAP_TO_MASK(CAP_DAC_READ_SEARCH)  \
>>>                              | CAP_TO_MASK(CAP_FOWNER)           \
>>>                              | CAP_TO_MASK(CAP_FSETID))
>>>
>>> # define CAP_FS_MASK_B1     (CAP_TO_MASK(CAP_MAC_OVERRIDE))
>>>
>>> #if _KERNEL_CAPABILITY_U32S != 2
>>> # error Fix up hand-coded capability macro initializers
>>> #else /* HAND-CODED capability initializers */
>>>
>>> # define CAP_EMPTY_SET    ((kernel_cap_t){{ 0, 0 }})
>>> # define CAP_FULL_SET     ((kernel_cap_t){{ ~0, ~0 }})
>>> # define CAP_FS_SET       ((kernel_cap_t){{ CAP_FS_MASK_B0 \
>>>                                      |
>>> CAP_TO_MASK(CAP_LINUX_IMMUTABLE), \
>>>                                      CAP_FS_MASK_B1 } })
>>> # define CAP_NFSD_SET     ((kernel_cap_t){{ CAP_FS_MASK_B0 \
>>>                                      | CAP_TO_MASK(CAP_SYS_RESOURCE), \
>>>                                      CAP_FS_MASK_B1 } })
>>>
>>> So raise and drop nfsd caps uses CAP_NFSD_SET. In CAP_NFSD_SET we have
>>> CAP_MAC_OVERRIDE but we don't have CAP_MAC_ADMIN. I think maybe if we
>>> had both then Casey should be able to use the code with SMACK. However
>>> I'm not sure what implications this has for every other LSM. Honestly
>>> I'm not sure if we use either of those caps for SELinux at all (I think
>>> we ignore them completely).
>>
>> CAP_MAC_ADMIN is used by SELinux these days, but only to control the
>> ability to get or set security contexts that are not yet defined in
>> the policy (for package managers that lay down the security contexts
>> before reloading policy and for installing a distro within a chroot on
>> a build host running a different policy).
>
>
> Do you think its reasonable to add that cap into the NFSd thread then?
> I'm not sure what other solution there would be. Casey needs it just so
> SMACK can work with it at all (assuming what I think is happening is
> actually happening).

Looks like Smack requires CAP_MAC_ADMIN in order to set Smack attributes 
on a file at all.  So nfsd would require that capability for Smack.  I 
think this means however that setting Smack labels on NFS files won't 
work in any case where root is squashed, which seems unfortunate.

On the SELinux side, we don't require CAP_MAC_ADMIN to set the SELinux 
attribute on a file in the normal case, only when the SELinux attribute 
is not known to the security policy yet.  So granting CAP_MAC_ADMIN 
there means that a client will be able to set security contexts on files 
that are unknown to the server.  I guess that might even be desirable in 
some instances where client and server policy are different.  We do have 
the option of denying mac_admin permission in policy for nfsd 
(kernel_t?), in which case we would block such attempts to set unknown 
contexts but would still support setting of known security contexts.

So I think it is workable, albeit a bit confusing.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Labeled NFS [v5]

[David Quigley]

On 11/30/2012 08:50, Stephen Smalley wrote:
> On 11/30/2012 08:35 AM, David Quigley wrote:
>> On 11/30/2012 08:28, Stephen Smalley wrote:
>>> On 11/30/2012 08:17 AM, David Quigley wrote:
>>>> On 11/30/2012 07:57, David Quigley wrote:
>>>>> On 11/30/2012 07:14, J. Bruce Fields wrote:
>>>>>> On Thu, Nov 29, 2012 at 09:02:49PM -0500, David Quigley wrote:
>>>>>>> On 11/29/2012 20:50, Casey Schaufler wrote:
>>>>>>> >On 11/29/2012 4:46 PM, David Quigley wrote:
>>>>>>> >>On 11/29/2012 19:34, Casey Schaufler wrote:
>>>>>>> >>>I would think that were it not for the case that access is 
>>>>>>> denied
>>>>>>> >>>and I get an audit record for nfsd that reports a subject
>>>>>>> >>>label of "_"
>>>>>>> >>>(which is correct for nfsd but not the process attempting
>>>>>>> >>>access) and
>>>>>>> >>>an object label of "WhooHoo", which is correct. The server 
>>>>>>> side
>>>>>>> >>>looks like it might be working right, given the information
>>>>>>> that it
>>>>>>> >>>has.
>>>>>>> >>>
>>>>>>> >>
>>>>>>> >>Ok so this is the problem. nfsd is a kernel thread I believe. 
>>>>>>> In
>>>>>>> >>SELinux land it has the type kernel_t which is all powerful. 
>>>>>>> We
>>>>>>> >>don't
>>>>>>> >>have client label transport yet (That requires RPCSECGSSv3). 
>>>>>>> Is
>>>>>>> >>there
>>>>>>> >>a way you can have that kernel thread running as a type that 
>>>>>>> has
>>>>>>> >>access to everything?
>>>>>>> >
>>>>>>> >That would be having CAP_MAC_ADMIN and CAP_MAC_OVERRIDE in 
>>>>>>> Smackese.
>>>>>>> >Looking at /proc/<pid-of-nfsd>/status we see CapEff of 
>>>>>>> fff...fff
>>>>>>> >which
>>>>>>> >is to say, all capabilities.
>>>>>>> >
>>>>>>>
>>>>>>> Hmm thats interesting then. You could try using rpcdebug -m 
>>>>>>> nfsd to
>>>>>>> turn on some of the debugging to look around the internals and
>>>>>>> figure out whats going on. If you pass -v it will give you all 
>>>>>>> of
>>>>>>> the potential flags.
>>>>>>>
>>>>>>> >
>>>>>>> >>I think that is the current problem. Which makes perfect 
>>>>>>> sense. If
>>>>>>> >>your kernel threads don't get started with max privilege then 
>>>>>>> the
>>>>>>> >>server would be denied access on all of the file attributes 
>>>>>>> and
>>>>>>> >>wouldn't be able to ship it over the wire properly.
>>>>>>> >
>>>>>>> >OK. I haven't had to do anything with kernel threads so far.
>>>>>>> >Where is NFS setting these up? Poking around fs/nfsd looks 
>>>>>>> like
>>>>>>> >the place, but I haven't seen anything there that makes it 
>>>>>>> look
>>>>>>> >like they would be running without capabilities. Clearly, 
>>>>>>> that's
>>>>>>> >what I'm seeing. It looks as if the credential of nfsd does 
>>>>>>> not
>>>>>>> >match what /proc reports. Bother.
>>>>>>> >
>>>>>>>
>>>>>>> I'm not entirely sure whats up either. If you want to look for 
>>>>>>> the
>>>>>>> NFSd threads they are in fs/nfsd/nfssvc.c. The main function 
>>>>>>> starts
>>>>>>> on line 487.
>>>>>>
>>>>>> I'm not following the discussion, but: maybe you want to look at
>>>>>> fs/nfsd/auth.c:nfsd_setuser() ?  In particular, the
>>>>>> cap_{drop/raise}_nfsd_set() calls at the end.
>>>>>>
>>>>>> --b.
>>>>>
>>>>>
>>>>> I'm not as familiar with the capabilities code as Casey is so 
>>>>> I'll
>>>>> leave this ball in his court. I think you are correct though and 
>>>>> the
>>>>> problem is that NFSd is dropping and raising caps and we need to 
>>>>> make
>>>>> sure that MAC_ADMIN and MAC_OVERRIDE is in there in the SMACK 
>>>>> case.
>>>>>
>>>>> --
>>>>> This message was distributed to subscribers of the selinux 
>>>>> mailing
>>>>> list.
>>>>> If you no longer wish to subscribe, send mail to
>>>>> majordomo@tycho.nsa.gov with
>>>>> the words "unsubscribe selinux" without quotes as the message.
>>>>
>>>>
>>>> I think I found the offending code. I can't test it for a while so
>>>> hopefully Casey can.
>>>>
>>>> In include/linux/capability.h we have the following defines
>>>>
>>>>
>>>> # define CAP_FS_MASK_B0     (CAP_TO_MASK(CAP_CHOWN)             \
>>>>                              | CAP_TO_MASK(CAP_MKNOD)            \
>>>>                              | CAP_TO_MASK(CAP_DAC_OVERRIDE)     \
>>>>                              | CAP_TO_MASK(CAP_DAC_READ_SEARCH)  \
>>>>                              | CAP_TO_MASK(CAP_FOWNER)           \
>>>>                              | CAP_TO_MASK(CAP_FSETID))
>>>>
>>>> # define CAP_FS_MASK_B1     (CAP_TO_MASK(CAP_MAC_OVERRIDE))
>>>>
>>>> #if _KERNEL_CAPABILITY_U32S != 2
>>>> # error Fix up hand-coded capability macro initializers
>>>> #else /* HAND-CODED capability initializers */
>>>>
>>>> # define CAP_EMPTY_SET    ((kernel_cap_t){{ 0, 0 }})
>>>> # define CAP_FULL_SET     ((kernel_cap_t){{ ~0, ~0 }})
>>>> # define CAP_FS_SET       ((kernel_cap_t){{ CAP_FS_MASK_B0 \
>>>>                                      |
>>>> CAP_TO_MASK(CAP_LINUX_IMMUTABLE), \
>>>>                                      CAP_FS_MASK_B1 } })
>>>> # define CAP_NFSD_SET     ((kernel_cap_t){{ CAP_FS_MASK_B0 \
>>>>                                      | 
>>>> CAP_TO_MASK(CAP_SYS_RESOURCE), \
>>>>                                      CAP_FS_MASK_B1 } })
>>>>
>>>> So raise and drop nfsd caps uses CAP_NFSD_SET. In CAP_NFSD_SET we 
>>>> have
>>>> CAP_MAC_OVERRIDE but we don't have CAP_MAC_ADMIN. I think maybe if 
>>>> we
>>>> had both then Casey should be able to use the code with SMACK. 
>>>> However
>>>> I'm not sure what implications this has for every other LSM. 
>>>> Honestly
>>>> I'm not sure if we use either of those caps for SELinux at all (I 
>>>> think
>>>> we ignore them completely).
>>>
>>> CAP_MAC_ADMIN is used by SELinux these days, but only to control 
>>> the
>>> ability to get or set security contexts that are not yet defined in
>>> the policy (for package managers that lay down the security 
>>> contexts
>>> before reloading policy and for installing a distro within a chroot 
>>> on
>>> a build host running a different policy).
>>
>>
>> Do you think its reasonable to add that cap into the NFSd thread 
>> then?
>> I'm not sure what other solution there would be. Casey needs it just 
>> so
>> SMACK can work with it at all (assuming what I think is happening is
>> actually happening).
>
> Looks like Smack requires CAP_MAC_ADMIN in order to set Smack
> attributes on a file at all.  So nfsd would require that capability
> for Smack.  I think this means however that setting Smack labels on
> NFS files won't work in any case where root is squashed, which seems
> unfortunate.

I'll leave that problem to Casey to figure out. However it seems to me 
that regardless of Labeled NFS Casey should have problems with the NFS 
server not being able to serve up files that are dominated by floor. I 
wonder if he has every tried NFSv4 on a SMACK enabled server before. It 
may have just worked because all files implicitly get labeled floor.

>
> On the SELinux side, we don't require CAP_MAC_ADMIN to set the
> SELinux attribute on a file in the normal case, only when the SELinux
> attribute is not known to the security policy yet.  So granting
> CAP_MAC_ADMIN there means that a client will be able to set security
> contexts on files that are unknown to the server.  I guess that might
> even be desirable in some instances where client and server policy 
> are
> different.  We do have the option of denying mac_admin permission in
> policy for nfsd (kernel_t?), in which case we would block such
> attempts to set unknown contexts but would still support setting of
> known security contexts.
>
> So I think it is workable, albeit a bit confusing.

Yea it is unfortunate that we have to go mucking around in capability 
land but it seems that adding CAP_MAC_ADMIN should be fine and we can 
deal with it in policy if we like.

Re: Labeled NFS [v5]

[David Quigley]

On 11/30/2012 08:50, Stephen Smalley wrote:
> On 11/30/2012 08:35 AM, David Quigley wrote:
>> On 11/30/2012 08:28, Stephen Smalley wrote:
>>> On 11/30/2012 08:17 AM, David Quigley wrote:
>>>> On 11/30/2012 07:57, David Quigley wrote:
>>>>> On 11/30/2012 07:14, J. Bruce Fields wrote:
>>>>>> On Thu, Nov 29, 2012 at 09:02:49PM -0500, David Quigley wrote:
>>>>>>> On 11/29/2012 20:50, Casey Schaufler wrote:
>>>>>>> >On 11/29/2012 4:46 PM, David Quigley wrote:
>>>>>>> >>On 11/29/2012 19:34, Casey Schaufler wrote:
>>>>>>> >>>I would think that were it not for the case that access is 
>>>>>>> denied
>>>>>>> >>>and I get an audit record for nfsd that reports a subject
>>>>>>> >>>label of "_"
>>>>>>> >>>(which is correct for nfsd but not the process attempting
>>>>>>> >>>access) and
>>>>>>> >>>an object label of "WhooHoo", which is correct. The server 
>>>>>>> side
>>>>>>> >>>looks like it might be working right, given the information
>>>>>>> that it
>>>>>>> >>>has.
>>>>>>> >>>
>>>>>>> >>
>>>>>>> >>Ok so this is the problem. nfsd is a kernel thread I believe. 
>>>>>>> In
>>>>>>> >>SELinux land it has the type kernel_t which is all powerful. 
>>>>>>> We
>>>>>>> >>don't
>>>>>>> >>have client label transport yet (That requires RPCSECGSSv3). 
>>>>>>> Is
>>>>>>> >>there
>>>>>>> >>a way you can have that kernel thread running as a type that 
>>>>>>> has
>>>>>>> >>access to everything?
>>>>>>> >
>>>>>>> >That would be having CAP_MAC_ADMIN and CAP_MAC_OVERRIDE in 
>>>>>>> Smackese.
>>>>>>> >Looking at /proc/<pid-of-nfsd>/status we see CapEff of 
>>>>>>> fff...fff
>>>>>>> >which
>>>>>>> >is to say, all capabilities.
>>>>>>> >
>>>>>>>
>>>>>>> Hmm thats interesting then. You could try using rpcdebug -m 
>>>>>>> nfsd to
>>>>>>> turn on some of the debugging to look around the internals and
>>>>>>> figure out whats going on. If you pass -v it will give you all 
>>>>>>> of
>>>>>>> the potential flags.
>>>>>>>
>>>>>>> >
>>>>>>> >>I think that is the current problem. Which makes perfect 
>>>>>>> sense. If
>>>>>>> >>your kernel threads don't get started with max privilege then 
>>>>>>> the
>>>>>>> >>server would be denied access on all of the file attributes 
>>>>>>> and
>>>>>>> >>wouldn't be able to ship it over the wire properly.
>>>>>>> >
>>>>>>> >OK. I haven't had to do anything with kernel threads so far.
>>>>>>> >Where is NFS setting these up? Poking around fs/nfsd looks 
>>>>>>> like
>>>>>>> >the place, but I haven't seen anything there that makes it 
>>>>>>> look
>>>>>>> >like they would be running without capabilities. Clearly, 
>>>>>>> that's
>>>>>>> >what I'm seeing. It looks as if the credential of nfsd does 
>>>>>>> not
>>>>>>> >match what /proc reports. Bother.
>>>>>>> >
>>>>>>>
>>>>>>> I'm not entirely sure whats up either. If you want to look for 
>>>>>>> the
>>>>>>> NFSd threads they are in fs/nfsd/nfssvc.c. The main function 
>>>>>>> starts
>>>>>>> on line 487.
>>>>>>
>>>>>> I'm not following the discussion, but: maybe you want to look at
>>>>>> fs/nfsd/auth.c:nfsd_setuser() ?  In particular, the
>>>>>> cap_{drop/raise}_nfsd_set() calls at the end.
>>>>>>
>>>>>> --b.
>>>>>
>>>>>
>>>>> I'm not as familiar with the capabilities code as Casey is so 
>>>>> I'll
>>>>> leave this ball in his court. I think you are correct though and 
>>>>> the
>>>>> problem is that NFSd is dropping and raising caps and we need to 
>>>>> make
>>>>> sure that MAC_ADMIN and MAC_OVERRIDE is in there in the SMACK 
>>>>> case.
>>>>>
>>>>> --
>>>>> This message was distributed to subscribers of the selinux 
>>>>> mailing
>>>>> list.
>>>>> If you no longer wish to subscribe, send mail to
>>>>> majordomo@tycho.nsa.gov with
>>>>> the words "unsubscribe selinux" without quotes as the message.
>>>>
>>>>
>>>> I think I found the offending code. I can't test it for a while so
>>>> hopefully Casey can.
>>>>
>>>> In include/linux/capability.h we have the following defines
>>>>
>>>>
>>>> # define CAP_FS_MASK_B0     (CAP_TO_MASK(CAP_CHOWN)             \
>>>>                              | CAP_TO_MASK(CAP_MKNOD)            \
>>>>                              | CAP_TO_MASK(CAP_DAC_OVERRIDE)     \
>>>>                              | CAP_TO_MASK(CAP_DAC_READ_SEARCH)  \
>>>>                              | CAP_TO_MASK(CAP_FOWNER)           \
>>>>                              | CAP_TO_MASK(CAP_FSETID))
>>>>
>>>> # define CAP_FS_MASK_B1     (CAP_TO_MASK(CAP_MAC_OVERRIDE))
>>>>
>>>> #if _KERNEL_CAPABILITY_U32S != 2
>>>> # error Fix up hand-coded capability macro initializers
>>>> #else /* HAND-CODED capability initializers */
>>>>
>>>> # define CAP_EMPTY_SET    ((kernel_cap_t){{ 0, 0 }})
>>>> # define CAP_FULL_SET     ((kernel_cap_t){{ ~0, ~0 }})
>>>> # define CAP_FS_SET       ((kernel_cap_t){{ CAP_FS_MASK_B0 \
>>>>                                      |
>>>> CAP_TO_MASK(CAP_LINUX_IMMUTABLE), \
>>>>                                      CAP_FS_MASK_B1 } })
>>>> # define CAP_NFSD_SET     ((kernel_cap_t){{ CAP_FS_MASK_B0 \
>>>>                                      | 
>>>> CAP_TO_MASK(CAP_SYS_RESOURCE), \
>>>>                                      CAP_FS_MASK_B1 } })
>>>>
>>>> So raise and drop nfsd caps uses CAP_NFSD_SET. In CAP_NFSD_SET we 
>>>> have
>>>> CAP_MAC_OVERRIDE but we don't have CAP_MAC_ADMIN. I think maybe if 
>>>> we
>>>> had both then Casey should be able to use the code with SMACK. 
>>>> However
>>>> I'm not sure what implications this has for every other LSM. 
>>>> Honestly
>>>> I'm not sure if we use either of those caps for SELinux at all (I 
>>>> think
>>>> we ignore them completely).
>>>
>>> CAP_MAC_ADMIN is used by SELinux these days, but only to control 
>>> the
>>> ability to get or set security contexts that are not yet defined in
>>> the policy (for package managers that lay down the security 
>>> contexts
>>> before reloading policy and for installing a distro within a chroot 
>>> on
>>> a build host running a different policy).
>>
>>
>> Do you think its reasonable to add that cap into the NFSd thread 
>> then?
>> I'm not sure what other solution there would be. Casey needs it just 
>> so
>> SMACK can work with it at all (assuming what I think is happening is
>> actually happening).
>
> Looks like Smack requires CAP_MAC_ADMIN in order to set Smack
> attributes on a file at all.  So nfsd would require that capability
> for Smack.  I think this means however that setting Smack labels on
> NFS files won't work in any case where root is squashed, which seems
> unfortunate.

I'll leave that problem to Casey to figure out. However it seems to me 
that regardless of Labeled NFS Casey should have problems with the NFS 
server not being able to serve up files that are dominated by floor. I 
wonder if he has every tried NFSv4 on a SMACK enabled server before. It 
may have just worked because all files implicitly get labeled floor.

>
> On the SELinux side, we don't require CAP_MAC_ADMIN to set the
> SELinux attribute on a file in the normal case, only when the SELinux
> attribute is not known to the security policy yet.  So granting
> CAP_MAC_ADMIN there means that a client will be able to set security
> contexts on files that are unknown to the server.  I guess that might
> even be desirable in some instances where client and server policy 
> are
> different.  We do have the option of denying mac_admin permission in
> policy for nfsd (kernel_t?), in which case we would block such
> attempts to set unknown contexts but would still support setting of
> known security contexts.
>
> So I think it is workable, albeit a bit confusing.

Yea it is unfortunate that we have to go mucking around in capability 
land but it seems that adding CAP_MAC_ADMIN should be fine and we can 
deal with it in policy if we like.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Labeled NFS [v5]

[Casey Schaufler]

On 11/30/2012 6:02 AM, David Quigley wrote:

There are times when living by the correct ocean makes
life so much easier. Thanks all for the early morning
brain work.

> On 11/30/2012 08:50, Stephen Smalley wrote:
>> On 11/30/2012 08:35 AM, David Quigley wrote:
>>> On 11/30/2012 08:28, Stephen Smalley wrote:
>>>> On 11/30/2012 08:17 AM, David Quigley wrote:
>>>>> On 11/30/2012 07:57, David Quigley wrote:
>>>>>> On 11/30/2012 07:14, J. Bruce Fields wrote:
>>>>>>> On Thu, Nov 29, 2012 at 09:02:49PM -0500, David Quigley wrote:
>>>>>>>> On 11/29/2012 20:50, Casey Schaufler wrote:
>>>>>>>> >On 11/29/2012 4:46 PM, David Quigley wrote:
>>>>>>>> >>On 11/29/2012 19:34, Casey Schaufler wrote:
>>>>>>>> >... Whole bunch snipped ...
>>
>> Looks like Smack requires CAP_MAC_ADMIN in order to set Smack
>> attributes on a file at all.  So nfsd would require that capability
>> for Smack.  I think this means however that setting Smack labels on
>> NFS files won't work in any case where root is squashed, which seems
>> unfortunate.

I'm building a kernel with CAP_MAC_ADMIN set for nfsd.
I am reasonably sure that this will get me past the current
issue. As far as a squashed root goes, well, doing things
that the security policy doesn't allow requires privilege.

>
> I'll leave that problem to Casey to figure out. However it seems to me
> that regardless of Labeled NFS Casey should have problems with the NFS
> server not being able to serve up files that are dominated by floor. I
> wonder if he has every tried NFSv4 on a SMACK enabled server before.
> It may have just worked because all files implicitly get labeled floor.

CAP_MAC_OVERRIDE, which nfsd does have, is sufficient for
reading and writing files. A Smack enabled server is able
to serve to Smack and Smackless clients, but of course all
label enforcement is lost. Thus it will "work", but it will
be bad. I haven't used NFS much lately, in part because of
the lack of labeling and the security issues inherent in
serving labeled files to clueless clients. 


>
>>
>> On the SELinux side, we don't require CAP_MAC_ADMIN to set the
>> SELinux attribute on a file in the normal case, only when the SELinux
>> attribute is not known to the security policy yet.  So granting
>> CAP_MAC_ADMIN there means that a client will be able to set security
>> contexts on files that are unknown to the server.  I guess that might
>> even be desirable in some instances where client and server policy are
>> different.  We do have the option of denying mac_admin permission in
>> policy for nfsd (kernel_t?), in which case we would block such
>> attempts to set unknown contexts but would still support setting of
>> known security contexts.
>>
>> So I think it is workable, albeit a bit confusing.
>
> Yea it is unfortunate that we have to go mucking around in capability
> land but it seems that adding CAP_MAC_ADMIN should be fine and we can
> deal with it in policy if we like.

Worst case we could add a security_set_nfsd_capabilities hook.
Maybe make the capability set an export option?

>
>
> -- 
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to
> majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
>

Re: Labeled NFS [v5]

[Casey Schaufler]

On 11/30/2012 6:02 AM, David Quigley wrote:

There are times when living by the correct ocean makes
life so much easier. Thanks all for the early morning
brain work.

> On 11/30/2012 08:50, Stephen Smalley wrote:
>> On 11/30/2012 08:35 AM, David Quigley wrote:
>>> On 11/30/2012 08:28, Stephen Smalley wrote:
>>>> On 11/30/2012 08:17 AM, David Quigley wrote:
>>>>> On 11/30/2012 07:57, David Quigley wrote:
>>>>>> On 11/30/2012 07:14, J. Bruce Fields wrote:
>>>>>>> On Thu, Nov 29, 2012 at 09:02:49PM -0500, David Quigley wrote:
>>>>>>>> On 11/29/2012 20:50, Casey Schaufler wrote:
>>>>>>>> >On 11/29/2012 4:46 PM, David Quigley wrote:
>>>>>>>> >>On 11/29/2012 19:34, Casey Schaufler wrote:
>>>>>>>> >... Whole bunch snipped ...
>>
>> Looks like Smack requires CAP_MAC_ADMIN in order to set Smack
>> attributes on a file at all.  So nfsd would require that capability
>> for Smack.  I think this means however that setting Smack labels on
>> NFS files won't work in any case where root is squashed, which seems
>> unfortunate.

I'm building a kernel with CAP_MAC_ADMIN set for nfsd.
I am reasonably sure that this will get me past the current
issue. As far as a squashed root goes, well, doing things
that the security policy doesn't allow requires privilege.

>
> I'll leave that problem to Casey to figure out. However it seems to me
> that regardless of Labeled NFS Casey should have problems with the NFS
> server not being able to serve up files that are dominated by floor. I
> wonder if he has every tried NFSv4 on a SMACK enabled server before.
> It may have just worked because all files implicitly get labeled floor.

CAP_MAC_OVERRIDE, which nfsd does have, is sufficient for
reading and writing files. A Smack enabled server is able
to serve to Smack and Smackless clients, but of course all
label enforcement is lost. Thus it will "work", but it will
be bad. I haven't used NFS much lately, in part because of
the lack of labeling and the security issues inherent in
serving labeled files to clueless clients. 


>
>>
>> On the SELinux side, we don't require CAP_MAC_ADMIN to set the
>> SELinux attribute on a file in the normal case, only when the SELinux
>> attribute is not known to the security policy yet.  So granting
>> CAP_MAC_ADMIN there means that a client will be able to set security
>> contexts on files that are unknown to the server.  I guess that might
>> even be desirable in some instances where client and server policy are
>> different.  We do have the option of denying mac_admin permission in
>> policy for nfsd (kernel_t?), in which case we would block such
>> attempts to set unknown contexts but would still support setting of
>> known security contexts.
>>
>> So I think it is workable, albeit a bit confusing.
>
> Yea it is unfortunate that we have to go mucking around in capability
> land but it seems that adding CAP_MAC_ADMIN should be fine and we can
> deal with it in policy if we like.

Worst case we could add a security_set_nfsd_capabilities hook.
Maybe make the capability set an export option?

>
>
> -- 
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to
> majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Labeled NFS [v5]

[David Quigley]

On 11/30/2012 11:21, Casey Schaufler wrote:
> On 11/30/2012 6:02 AM, David Quigley wrote:
>
> There are times when living by the correct ocean makes
> life so much easier. Thanks all for the early morning
> brain work.
>
>> On 11/30/2012 08:50, Stephen Smalley wrote:
>>> On 11/30/2012 08:35 AM, David Quigley wrote:
>>>> On 11/30/2012 08:28, Stephen Smalley wrote:
>>>>> On 11/30/2012 08:17 AM, David Quigley wrote:
>>>>>> On 11/30/2012 07:57, David Quigley wrote:
>>>>>>> On 11/30/2012 07:14, J. Bruce Fields wrote:
>>>>>>>> On Thu, Nov 29, 2012 at 09:02:49PM -0500, David Quigley wrote:
>>>>>>>>> On 11/29/2012 20:50, Casey Schaufler wrote:
>>>>>>>>> >On 11/29/2012 4:46 PM, David Quigley wrote:
>>>>>>>>> >>On 11/29/2012 19:34, Casey Schaufler wrote:
>>>>>>>>> >... Whole bunch snipped ...
>>>
>>> Looks like Smack requires CAP_MAC_ADMIN in order to set Smack
>>> attributes on a file at all.  So nfsd would require that capability
>>> for Smack.  I think this means however that setting Smack labels on
>>> NFS files won't work in any case where root is squashed, which 
>>> seems
>>> unfortunate.
>
> I'm building a kernel with CAP_MAC_ADMIN set for nfsd.
> I am reasonably sure that this will get me past the current
> issue. As far as a squashed root goes, well, doing things
> that the security policy doesn't allow requires privilege.
>
>>
>> I'll leave that problem to Casey to figure out. However it seems to 
>> me
>> that regardless of Labeled NFS Casey should have problems with the 
>> NFS
>> server not being able to serve up files that are dominated by floor. 
>> I
>> wonder if he has every tried NFSv4 on a SMACK enabled server before.
>> It may have just worked because all files implicitly get labeled 
>> floor.
>
> CAP_MAC_OVERRIDE, which nfsd does have, is sufficient for
> reading and writing files. A Smack enabled server is able
> to serve to Smack and Smackless clients, but of course all
> label enforcement is lost. Thus it will "work", but it will
> be bad. I haven't used NFS much lately, in part because of
> the lack of labeling and the security issues inherent in
> serving labeled files to clueless clients.

Can we confirm that this problem doesn't manifest itself without a 
Labeled NFS kernel? Set the labels on the exported files properly and 
then just mount over NFSv4 and see what happens?


>
>
>>
>>>
>>> On the SELinux side, we don't require CAP_MAC_ADMIN to set the
>>> SELinux attribute on a file in the normal case, only when the 
>>> SELinux
>>> attribute is not known to the security policy yet.  So granting
>>> CAP_MAC_ADMIN there means that a client will be able to set 
>>> security
>>> contexts on files that are unknown to the server.  I guess that 
>>> might
>>> even be desirable in some instances where client and server policy 
>>> are
>>> different.  We do have the option of denying mac_admin permission 
>>> in
>>> policy for nfsd (kernel_t?), in which case we would block such
>>> attempts to set unknown contexts but would still support setting of
>>> known security contexts.
>>>
>>> So I think it is workable, albeit a bit confusing.
>>
>> Yea it is unfortunate that we have to go mucking around in 
>> capability
>> land but it seems that adding CAP_MAC_ADMIN should be fine and we 
>> can
>> deal with it in policy if we like.
>
> Worst case we could add a security_set_nfsd_capabilities hook.
> Maybe make the capability set an export option?
>
>>
>>
>> --
>> This message was distributed to subscribers of the selinux mailing 
>> list.
>> If you no longer wish to subscribe, send mail to
>> majordomo@tycho.nsa.gov with
>> the words "unsubscribe selinux" without quotes as the message.
>>

Re: Labeled NFS [v5]

[David Quigley]

On 11/30/2012 11:21, Casey Schaufler wrote:
> On 11/30/2012 6:02 AM, David Quigley wrote:
>
> There are times when living by the correct ocean makes
> life so much easier. Thanks all for the early morning
> brain work.
>
>> On 11/30/2012 08:50, Stephen Smalley wrote:
>>> On 11/30/2012 08:35 AM, David Quigley wrote:
>>>> On 11/30/2012 08:28, Stephen Smalley wrote:
>>>>> On 11/30/2012 08:17 AM, David Quigley wrote:
>>>>>> On 11/30/2012 07:57, David Quigley wrote:
>>>>>>> On 11/30/2012 07:14, J. Bruce Fields wrote:
>>>>>>>> On Thu, Nov 29, 2012 at 09:02:49PM -0500, David Quigley wrote:
>>>>>>>>> On 11/29/2012 20:50, Casey Schaufler wrote:
>>>>>>>>> >On 11/29/2012 4:46 PM, David Quigley wrote:
>>>>>>>>> >>On 11/29/2012 19:34, Casey Schaufler wrote:
>>>>>>>>> >... Whole bunch snipped ...
>>>
>>> Looks like Smack requires CAP_MAC_ADMIN in order to set Smack
>>> attributes on a file at all.  So nfsd would require that capability
>>> for Smack.  I think this means however that setting Smack labels on
>>> NFS files won't work in any case where root is squashed, which 
>>> seems
>>> unfortunate.
>
> I'm building a kernel with CAP_MAC_ADMIN set for nfsd.
> I am reasonably sure that this will get me past the current
> issue. As far as a squashed root goes, well, doing things
> that the security policy doesn't allow requires privilege.
>
>>
>> I'll leave that problem to Casey to figure out. However it seems to 
>> me
>> that regardless of Labeled NFS Casey should have problems with the 
>> NFS
>> server not being able to serve up files that are dominated by floor. 
>> I
>> wonder if he has every tried NFSv4 on a SMACK enabled server before.
>> It may have just worked because all files implicitly get labeled 
>> floor.
>
> CAP_MAC_OVERRIDE, which nfsd does have, is sufficient for
> reading and writing files. A Smack enabled server is able
> to serve to Smack and Smackless clients, but of course all
> label enforcement is lost. Thus it will "work", but it will
> be bad. I haven't used NFS much lately, in part because of
> the lack of labeling and the security issues inherent in
> serving labeled files to clueless clients.

Can we confirm that this problem doesn't manifest itself without a 
Labeled NFS kernel? Set the labels on the exported files properly and 
then just mount over NFSv4 and see what happens?


>
>
>>
>>>
>>> On the SELinux side, we don't require CAP_MAC_ADMIN to set the
>>> SELinux attribute on a file in the normal case, only when the 
>>> SELinux
>>> attribute is not known to the security policy yet.  So granting
>>> CAP_MAC_ADMIN there means that a client will be able to set 
>>> security
>>> contexts on files that are unknown to the server.  I guess that 
>>> might
>>> even be desirable in some instances where client and server policy 
>>> are
>>> different.  We do have the option of denying mac_admin permission 
>>> in
>>> policy for nfsd (kernel_t?), in which case we would block such
>>> attempts to set unknown contexts but would still support setting of
>>> known security contexts.
>>>
>>> So I think it is workable, albeit a bit confusing.
>>
>> Yea it is unfortunate that we have to go mucking around in 
>> capability
>> land but it seems that adding CAP_MAC_ADMIN should be fine and we 
>> can
>> deal with it in policy if we like.
>
> Worst case we could add a security_set_nfsd_capabilities hook.
> Maybe make the capability set an export option?
>
>>
>>
>> --
>> This message was distributed to subscribers of the selinux mailing 
>> list.
>> If you no longer wish to subscribe, send mail to
>> majordomo@tycho.nsa.gov with
>> the words "unsubscribe selinux" without quotes as the message.
>>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Labeled NFS [v5]

[Casey Schaufler]

On 11/30/2012 6:02 AM, David Quigley wrote:
> On 11/30/2012 08:50, Stephen Smalley wrote:
>> On 11/30/2012 08:35 AM, David Quigley wrote:
>>> On 11/30/2012 08:28, Stephen Smalley wrote:
>>>> On 11/30/2012 08:17 AM, David Quigley wrote:
>>>>> On 11/30/2012 07:57, David Quigley wrote:
>>>>>> On 11/30/2012 07:14, J. Bruce Fields wrote:
>>>>>>> On Thu, Nov 29, 2012 at 09:02:49PM -0500, David Quigley wrote:
>>>>>>>> On 11/29/2012 20:50, Casey Schaufler wrote:
>>>>>>>> >On 11/29/2012 4:46 PM, David Quigley wrote:
>>>>>>>> >>On 11/29/2012 19:34, Casey Schaufler wrote:
>>>>>>>> >>>I would think that were it not for the case that access is
>>>>>>>> denied
>>>>>>>> >>>and I get an audit record for nfsd that reports a subject
>>>>>>>> >>>label of "_"
>>>>>>>> >>>(which is correct for nfsd but not the process attempting
>>>>>>>> >>>access) and
>>>>>>>> >>>an object label of "WhooHoo", which is correct. The server side
>>>>>>>> >>>looks like it might be working right, given the information
>>>>>>>> that it
>>>>>>>> >>>has.
>>>>>>>> >>>
>>>>>>>> >>
>>>>>>>> >>Ok so this is the problem. nfsd is a kernel thread I believe. In
>>>>>>>> >>SELinux land it has the type kernel_t which is all powerful. We
>>>>>>>> >>don't
>>>>>>>> >>have client label transport yet (That requires RPCSECGSSv3). Is
>>>>>>>> >>there
>>>>>>>> >>a way you can have that kernel thread running as a type that has
>>>>>>>> >>access to everything?
>>>>>>>> >
>>>>>>>> >That would be having CAP_MAC_ADMIN and CAP_MAC_OVERRIDE in
>>>>>>>> Smackese.
>>>>>>>> >Looking at /proc/<pid-of-nfsd>/status we see CapEff of fff...fff
>>>>>>>> >which
>>>>>>>> >is to say, all capabilities.
>>>>>>>> >
>>>>>>>>
>>>>>>>> Hmm thats interesting then. You could try using rpcdebug -m
>>>>>>>> nfsd to
>>>>>>>> turn on some of the debugging to look around the internals and
>>>>>>>> figure out whats going on. If you pass -v it will give you all of
>>>>>>>> the potential flags.
>>>>>>>>
>>>>>>>> >
>>>>>>>> >>I think that is the current problem. Which makes perfect
>>>>>>>> sense. If
>>>>>>>> >>your kernel threads don't get started with max privilege then
>>>>>>>> the
>>>>>>>> >>server would be denied access on all of the file attributes and
>>>>>>>> >>wouldn't be able to ship it over the wire properly.
>>>>>>>> >
>>>>>>>> >OK. I haven't had to do anything with kernel threads so far.
>>>>>>>> >Where is NFS setting these up? Poking around fs/nfsd looks like
>>>>>>>> >the place, but I haven't seen anything there that makes it look
>>>>>>>> >like they would be running without capabilities. Clearly, that's
>>>>>>>> >what I'm seeing. It looks as if the credential of nfsd does not
>>>>>>>> >match what /proc reports. Bother.
>>>>>>>> >
>>>>>>>>
>>>>>>>> I'm not entirely sure whats up either. If you want to look for the
>>>>>>>> NFSd threads they are in fs/nfsd/nfssvc.c. The main function
>>>>>>>> starts
>>>>>>>> on line 487.
>>>>>>>
>>>>>>> I'm not following the discussion, but: maybe you want to look at
>>>>>>> fs/nfsd/auth.c:nfsd_setuser() ?  In particular, the
>>>>>>> cap_{drop/raise}_nfsd_set() calls at the end.
>>>>>>>
>>>>>>> --b.
>>>>>>
>>>>>>
>>>>>> I'm not as familiar with the capabilities code as Casey is so I'll
>>>>>> leave this ball in his court. I think you are correct though and the
>>>>>> problem is that NFSd is dropping and raising caps and we need to
>>>>>> make
>>>>>> sure that MAC_ADMIN and MAC_OVERRIDE is in there in the SMACK case.
>>>>>>
>>>>>> -- 
>>>>>> This message was distributed to subscribers of the selinux mailing
>>>>>> list.
>>>>>> If you no longer wish to subscribe, send mail to
>>>>>> majordomo@tycho.nsa.gov with
>>>>>> the words "unsubscribe selinux" without quotes as the message.
>>>>>
>>>>>
>>>>> I think I found the offending code. I can't test it for a while so
>>>>> hopefully Casey can.
>>>>>
>>>>> In include/linux/capability.h we have the following defines
>>>>>
>>>>>
>>>>> # define CAP_FS_MASK_B0     (CAP_TO_MASK(CAP_CHOWN)             \
>>>>>                              | CAP_TO_MASK(CAP_MKNOD)            \
>>>>>                              | CAP_TO_MASK(CAP_DAC_OVERRIDE)     \
>>>>>                              | CAP_TO_MASK(CAP_DAC_READ_SEARCH)  \
>>>>>                              | CAP_TO_MASK(CAP_FOWNER)           \
>>>>>                              | CAP_TO_MASK(CAP_FSETID))
>>>>>
>>>>> # define CAP_FS_MASK_B1     (CAP_TO_MASK(CAP_MAC_OVERRIDE))
>>>>>
>>>>> #if _KERNEL_CAPABILITY_U32S != 2
>>>>> # error Fix up hand-coded capability macro initializers
>>>>> #else /* HAND-CODED capability initializers */
>>>>>
>>>>> # define CAP_EMPTY_SET    ((kernel_cap_t){{ 0, 0 }})
>>>>> # define CAP_FULL_SET     ((kernel_cap_t){{ ~0, ~0 }})
>>>>> # define CAP_FS_SET       ((kernel_cap_t){{ CAP_FS_MASK_B0 \
>>>>>                                      |
>>>>> CAP_TO_MASK(CAP_LINUX_IMMUTABLE), \
>>>>>                                      CAP_FS_MASK_B1 } })
>>>>> # define CAP_NFSD_SET     ((kernel_cap_t){{ CAP_FS_MASK_B0 \
>>>>>                                      |
>>>>> CAP_TO_MASK(CAP_SYS_RESOURCE), \
>>>>>                                      CAP_FS_MASK_B1 } })
>>>>>
>>>>> So raise and drop nfsd caps uses CAP_NFSD_SET. In CAP_NFSD_SET we
>>>>> have
>>>>> CAP_MAC_OVERRIDE but we don't have CAP_MAC_ADMIN. I think maybe if we
>>>>> had both then Casey should be able to use the code with SMACK.
>>>>> However
>>>>> I'm not sure what implications this has for every other LSM. Honestly
>>>>> I'm not sure if we use either of those caps for SELinux at all (I
>>>>> think
>>>>> we ignore them completely).
>>>>
>>>> CAP_MAC_ADMIN is used by SELinux these days, but only to control the
>>>> ability to get or set security contexts that are not yet defined in
>>>> the policy (for package managers that lay down the security contexts
>>>> before reloading policy and for installing a distro within a chroot on
>>>> a build host running a different policy).
>>>
>>>
>>> Do you think its reasonable to add that cap into the NFSd thread then?
>>> I'm not sure what other solution there would be. Casey needs it just so
>>> SMACK can work with it at all (assuming what I think is happening is
>>> actually happening).
>>
>> Looks like Smack requires CAP_MAC_ADMIN in order to set Smack
>> attributes on a file at all.  So nfsd would require that capability
>> for Smack.  I think this means however that setting Smack labels on
>> NFS files won't work in any case where root is squashed, which seems
>> unfortunate.

Adding CAP_MAC_ADMIN has no effect whatsoever. Further,
the audit record from the nfsd access failure is in
smack_get_inode, which would require CAP_MAC_OVERRIDE.
That capability is already supposed to be in the NFSD set.
Humbum and bother. I am doing additional instrumentation
to see if I can track down where it's going awry.


>
> I'll leave that problem to Casey to figure out. However it seems to me
> that regardless of Labeled NFS Casey should have problems with the NFS
> server not being able to serve up files that are dominated by floor. I
> wonder if he has every tried NFSv4 on a SMACK enabled server before.
> It may have just worked because all files implicitly get labeled floor.
>
>>
>> On the SELinux side, we don't require CAP_MAC_ADMIN to set the
>> SELinux attribute on a file in the normal case, only when the SELinux
>> attribute is not known to the security policy yet.  So granting
>> CAP_MAC_ADMIN there means that a client will be able to set security
>> contexts on files that are unknown to the server.  I guess that might
>> even be desirable in some instances where client and server policy are
>> different.  We do have the option of denying mac_admin permission in
>> policy for nfsd (kernel_t?), in which case we would block such
>> attempts to set unknown contexts but would still support setting of
>> known security contexts.
>>
>> So I think it is workable, albeit a bit confusing.
>
> Yea it is unfortunate that we have to go mucking around in capability
> land but it seems that adding CAP_MAC_ADMIN should be fine and we can
> deal with it in policy if we like.
>
>

Re: Labeled NFS [v5]

[Casey Schaufler]

On 11/30/2012 6:02 AM, David Quigley wrote:
> On 11/30/2012 08:50, Stephen Smalley wrote:
>> On 11/30/2012 08:35 AM, David Quigley wrote:
>>> On 11/30/2012 08:28, Stephen Smalley wrote:
>>>> On 11/30/2012 08:17 AM, David Quigley wrote:
>>>>> On 11/30/2012 07:57, David Quigley wrote:
>>>>>> On 11/30/2012 07:14, J. Bruce Fields wrote:
>>>>>>> On Thu, Nov 29, 2012 at 09:02:49PM -0500, David Quigley wrote:
>>>>>>>> On 11/29/2012 20:50, Casey Schaufler wrote:
>>>>>>>> >On 11/29/2012 4:46 PM, David Quigley wrote:
>>>>>>>> >>On 11/29/2012 19:34, Casey Schaufler wrote:
>>>>>>>> >>>I would think that were it not for the case that access is
>>>>>>>> denied
>>>>>>>> >>>and I get an audit record for nfsd that reports a subject
>>>>>>>> >>>label of "_"
>>>>>>>> >>>(which is correct for nfsd but not the process attempting
>>>>>>>> >>>access) and
>>>>>>>> >>>an object label of "WhooHoo", which is correct. The server side
>>>>>>>> >>>looks like it might be working right, given the information
>>>>>>>> that it
>>>>>>>> >>>has.
>>>>>>>> >>>
>>>>>>>> >>
>>>>>>>> >>Ok so this is the problem. nfsd is a kernel thread I believe. In
>>>>>>>> >>SELinux land it has the type kernel_t which is all powerful. We
>>>>>>>> >>don't
>>>>>>>> >>have client label transport yet (That requires RPCSECGSSv3). Is
>>>>>>>> >>there
>>>>>>>> >>a way you can have that kernel thread running as a type that has
>>>>>>>> >>access to everything?
>>>>>>>> >
>>>>>>>> >That would be having CAP_MAC_ADMIN and CAP_MAC_OVERRIDE in
>>>>>>>> Smackese.
>>>>>>>> >Looking at /proc/<pid-of-nfsd>/status we see CapEff of fff...fff
>>>>>>>> >which
>>>>>>>> >is to say, all capabilities.
>>>>>>>> >
>>>>>>>>
>>>>>>>> Hmm thats interesting then. You could try using rpcdebug -m
>>>>>>>> nfsd to
>>>>>>>> turn on some of the debugging to look around the internals and
>>>>>>>> figure out whats going on. If you pass -v it will give you all of
>>>>>>>> the potential flags.
>>>>>>>>
>>>>>>>> >
>>>>>>>> >>I think that is the current problem. Which makes perfect
>>>>>>>> sense. If
>>>>>>>> >>your kernel threads don't get started with max privilege then
>>>>>>>> the
>>>>>>>> >>server would be denied access on all of the file attributes and
>>>>>>>> >>wouldn't be able to ship it over the wire properly.
>>>>>>>> >
>>>>>>>> >OK. I haven't had to do anything with kernel threads so far.
>>>>>>>> >Where is NFS setting these up? Poking around fs/nfsd looks like
>>>>>>>> >the place, but I haven't seen anything there that makes it look
>>>>>>>> >like they would be running without capabilities. Clearly, that's
>>>>>>>> >what I'm seeing. It looks as if the credential of nfsd does not
>>>>>>>> >match what /proc reports. Bother.
>>>>>>>> >
>>>>>>>>
>>>>>>>> I'm not entirely sure whats up either. If you want to look for the
>>>>>>>> NFSd threads they are in fs/nfsd/nfssvc.c. The main function
>>>>>>>> starts
>>>>>>>> on line 487.
>>>>>>>
>>>>>>> I'm not following the discussion, but: maybe you want to look at
>>>>>>> fs/nfsd/auth.c:nfsd_setuser() ?  In particular, the
>>>>>>> cap_{drop/raise}_nfsd_set() calls at the end.
>>>>>>>
>>>>>>> --b.
>>>>>>
>>>>>>
>>>>>> I'm not as familiar with the capabilities code as Casey is so I'll
>>>>>> leave this ball in his court. I think you are correct though and the
>>>>>> problem is that NFSd is dropping and raising caps and we need to
>>>>>> make
>>>>>> sure that MAC_ADMIN and MAC_OVERRIDE is in there in the SMACK case.
>>>>>>
>>>>>> -- 
>>>>>> This message was distributed to subscribers of the selinux mailing
>>>>>> list.
>>>>>> If you no longer wish to subscribe, send mail to
>>>>>> majordomo@tycho.nsa.gov with
>>>>>> the words "unsubscribe selinux" without quotes as the message.
>>>>>
>>>>>
>>>>> I think I found the offending code. I can't test it for a while so
>>>>> hopefully Casey can.
>>>>>
>>>>> In include/linux/capability.h we have the following defines
>>>>>
>>>>>
>>>>> # define CAP_FS_MASK_B0     (CAP_TO_MASK(CAP_CHOWN)             \
>>>>>                              | CAP_TO_MASK(CAP_MKNOD)            \
>>>>>                              | CAP_TO_MASK(CAP_DAC_OVERRIDE)     \
>>>>>                              | CAP_TO_MASK(CAP_DAC_READ_SEARCH)  \
>>>>>                              | CAP_TO_MASK(CAP_FOWNER)           \
>>>>>                              | CAP_TO_MASK(CAP_FSETID))
>>>>>
>>>>> # define CAP_FS_MASK_B1     (CAP_TO_MASK(CAP_MAC_OVERRIDE))
>>>>>
>>>>> #if _KERNEL_CAPABILITY_U32S != 2
>>>>> # error Fix up hand-coded capability macro initializers
>>>>> #else /* HAND-CODED capability initializers */
>>>>>
>>>>> # define CAP_EMPTY_SET    ((kernel_cap_t){{ 0, 0 }})
>>>>> # define CAP_FULL_SET     ((kernel_cap_t){{ ~0, ~0 }})
>>>>> # define CAP_FS_SET       ((kernel_cap_t){{ CAP_FS_MASK_B0 \
>>>>>                                      |
>>>>> CAP_TO_MASK(CAP_LINUX_IMMUTABLE), \
>>>>>                                      CAP_FS_MASK_B1 } })
>>>>> # define CAP_NFSD_SET     ((kernel_cap_t){{ CAP_FS_MASK_B0 \
>>>>>                                      |
>>>>> CAP_TO_MASK(CAP_SYS_RESOURCE), \
>>>>>                                      CAP_FS_MASK_B1 } })
>>>>>
>>>>> So raise and drop nfsd caps uses CAP_NFSD_SET. In CAP_NFSD_SET we
>>>>> have
>>>>> CAP_MAC_OVERRIDE but we don't have CAP_MAC_ADMIN. I think maybe if we
>>>>> had both then Casey should be able to use the code with SMACK.
>>>>> However
>>>>> I'm not sure what implications this has for every other LSM. Honestly
>>>>> I'm not sure if we use either of those caps for SELinux at all (I
>>>>> think
>>>>> we ignore them completely).
>>>>
>>>> CAP_MAC_ADMIN is used by SELinux these days, but only to control the
>>>> ability to get or set security contexts that are not yet defined in
>>>> the policy (for package managers that lay down the security contexts
>>>> before reloading policy and for installing a distro within a chroot on
>>>> a build host running a different policy).
>>>
>>>
>>> Do you think its reasonable to add that cap into the NFSd thread then?
>>> I'm not sure what other solution there would be. Casey needs it just so
>>> SMACK can work with it at all (assuming what I think is happening is
>>> actually happening).
>>
>> Looks like Smack requires CAP_MAC_ADMIN in order to set Smack
>> attributes on a file at all.  So nfsd would require that capability
>> for Smack.  I think this means however that setting Smack labels on
>> NFS files won't work in any case where root is squashed, which seems
>> unfortunate.

Adding CAP_MAC_ADMIN has no effect whatsoever. Further,
the audit record from the nfsd access failure is in
smack_get_inode, which would require CAP_MAC_OVERRIDE.
That capability is already supposed to be in the NFSD set.
Humbum and bother. I am doing additional instrumentation
to see if I can track down where it's going awry.


>
> I'll leave that problem to Casey to figure out. However it seems to me
> that regardless of Labeled NFS Casey should have problems with the NFS
> server not being able to serve up files that are dominated by floor. I
> wonder if he has every tried NFSv4 on a SMACK enabled server before.
> It may have just worked because all files implicitly get labeled floor.
>
>>
>> On the SELinux side, we don't require CAP_MAC_ADMIN to set the
>> SELinux attribute on a file in the normal case, only when the SELinux
>> attribute is not known to the security policy yet.  So granting
>> CAP_MAC_ADMIN there means that a client will be able to set security
>> contexts on files that are unknown to the server.  I guess that might
>> even be desirable in some instances where client and server policy are
>> different.  We do have the option of denying mac_admin permission in
>> policy for nfsd (kernel_t?), in which case we would block such
>> attempts to set unknown contexts but would still support setting of
>> known security contexts.
>>
>> So I think it is workable, albeit a bit confusing.
>
> Yea it is unfortunate that we have to go mucking around in capability
> land but it seems that adding CAP_MAC_ADMIN should be fine and we can
> deal with it in policy if we like.
>
>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Labeled NFS [v5]

[J. Bruce Fields]

On Fri, Nov 30, 2012 at 08:50:55AM -0500, Stephen Smalley wrote:
> On the SELinux side, we don't require CAP_MAC_ADMIN to set the
> SELinux attribute on a file in the normal case, only when the
> SELinux attribute is not known to the security policy yet.  So
> granting CAP_MAC_ADMIN there means that a client will be able to set
> security contexts on files that are unknown to the server.  I guess
> that might even be desirable in some instances where client and
> server policy are different.

Note (as you probably know) this first pass at labeled NFS only lets us
label files, not rpc calls--if we want the server to know who's doing
something (beyond the information the rpc headers already carry), we'll
need to implement rpcsec_gss v3, and that's a project for another day.

I've been assuming that makes server-side enforcement less useful for
now.

--b.

Re: Labeled NFS [v5]

[David Quigley]

On 11/30/2012 11:55, J. Bruce Fields wrote:
> On Fri, Nov 30, 2012 at 08:50:55AM -0500, Stephen Smalley wrote:
>> On the SELinux side, we don't require CAP_MAC_ADMIN to set the
>> SELinux attribute on a file in the normal case, only when the
>> SELinux attribute is not known to the security policy yet.  So
>> granting CAP_MAC_ADMIN there means that a client will be able to set
>> security contexts on files that are unknown to the server.  I guess
>> that might even be desirable in some instances where client and
>> server policy are different.
>
> Note (as you probably know) this first pass at labeled NFS only lets 
> us
> label files, not rpc calls--if we want the server to know who's doing
> something (beyond the information the rpc headers already carry), 
> we'll
> need to implement rpcsec_gss v3, and that's a project for another 
> day.
>
> I've been assuming that makes server-side enforcement less useful for
> now.
>
> --b.

Ideally what will happen is that when we get RPCSECGSSv3 in we'll set 
the security context in the same place that we set uid and gid for the 
process in the auth code. Until then you're right server side 
enforcement really isn't possible because we have whatever context the 
kernel gives to the thread being our security context. In the SELinux 
case this is the all powerful kernel_t in the smack case its the floor 
context.

Dave

Re: Labeled NFS [v5]

[David Quigley]

On 11/30/2012 11:55, J. Bruce Fields wrote:
> On Fri, Nov 30, 2012 at 08:50:55AM -0500, Stephen Smalley wrote:
>> On the SELinux side, we don't require CAP_MAC_ADMIN to set the
>> SELinux attribute on a file in the normal case, only when the
>> SELinux attribute is not known to the security policy yet.  So
>> granting CAP_MAC_ADMIN there means that a client will be able to set
>> security contexts on files that are unknown to the server.  I guess
>> that might even be desirable in some instances where client and
>> server policy are different.
>
> Note (as you probably know) this first pass at labeled NFS only lets 
> us
> label files, not rpc calls--if we want the server to know who's doing
> something (beyond the information the rpc headers already carry), 
> we'll
> need to implement rpcsec_gss v3, and that's a project for another 
> day.
>
> I've been assuming that makes server-side enforcement less useful for
> now.
>
> --b.

Ideally what will happen is that when we get RPCSECGSSv3 in we'll set 
the security context in the same place that we set uid and gid for the 
process in the auth code. Until then you're right server side 
enforcement really isn't possible because we have whatever context the 
kernel gives to the thread being our security context. In the SELinux 
case this is the all powerful kernel_t in the smack case its the floor 
context.

Dave

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Labeled NFS [v5]

[David Quigley]

That last part should have read


Maybe if CAP_FS_MASK_B1 was like this it would work.

# define CAP_FS_MASK_B1     (CAP_TO_MASK(CAP_MAC_OVERRIDE)    \
                              | CAP_TO_MASK(CAP_MAC_ADMIN))

Re: Labeled NFS [v5]

[David Quigley]

That last part should have read


Maybe if CAP_FS_MASK_B1 was like this it would work.

# define CAP_FS_MASK_B1     (CAP_TO_MASK(CAP_MAC_OVERRIDE)    \
                              | CAP_TO_MASK(CAP_MAC_ADMIN))

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[PATCH 00/13] NFSv4: Label NFS Patches

[Steve Dickson]

Here are the current version of Dave Quigley's Label NFS patches
which have been ported to the 3.7-rc2 kernel. Both client and 
patches are included in this posting.

I'm posting these patches to help the reviewing process proceed.

The Dave's Git tree is at:
    git://www.selinuxproject.org/~dpquigl/lnfs/

The label NFS wiki is at:
    http://www.selinuxproject.org/page/Labeled_NFS

Dave Quigley (2):
  NFS:Add labels to client function prototypes
  NFS: Add label lifecycle management

David Quigley (11):
  Security: Add hook to calculate context based on a negative dentry.
  Security: Add Hook to test if the particular xattr is part of a MAC
    model.
  LSM: Add flags field to security_sb_set_mnt_opts for in kernel mount
    data.
  SELinux: Add new labeling type native labels
  KConfig: Add KConfig entries for Labeled NFS
  NFSv4: Add label recommended attribute and NFSv4 flags
  NFSv4: Introduce new label structure
  NFSv4: Extend fattr bitmaps to support all 3 words
  NFS: Client implementation of Labeled-NFS
  NFS: Extend NFS xattr handlers to accept the security namespace
  NFSD: Server implementation of MAC Labeling

 fs/nfs/Kconfig                      |  16 +
 fs/nfs/client.c                     |   2 +-
 fs/nfs/dir.c                        |  53 +++-
 fs/nfs/getroot.c                    |   2 +-
 fs/nfs/inode.c                      | 138 ++++++--
 fs/nfs/namespace.c                  |   2 +-
 fs/nfs/nfs3acl.c                    |   4 +-
 fs/nfs/nfs3proc.c                   |  41 +--
 fs/nfs/nfs4_fs.h                    |   8 +-
 fs/nfs/nfs4namespace.c              |   2 +-
 fs/nfs/nfs4proc.c                   | 612 ++++++++++++++++++++++++++++++++----
 fs/nfs/nfs4xdr.c                    | 202 +++++++++---
 fs/nfs/proc.c                       |  15 +-
 fs/nfs/super.c                      |  19 +-
 fs/nfsd/Kconfig                     |  13 +
 fs/nfsd/export.c                    |   3 +
 fs/nfsd/nfs4proc.c                  |  33 ++
 fs/nfsd/nfs4xdr.c                   | 121 ++++++-
 fs/nfsd/nfsd.h                      |   8 +-
 fs/nfsd/vfs.c                       |  31 ++
 fs/nfsd/vfs.h                       |   2 +
 fs/nfsd/xdr4.h                      |   3 +
 include/linux/nfs4.h                |   9 +
 include/linux/nfs_fs.h              |  26 +-
 include/linux/nfs_fs_sb.h           |  10 +-
 include/linux/nfs_xdr.h             |  30 +-
 include/linux/security.h            |  57 +++-
 include/uapi/linux/nfs4.h           |   1 +
 include/uapi/linux/nfsd/export.h    |   5 +-
 security/capability.c               |  19 +-
 security/security.c                 |  24 +-
 security/selinux/hooks.c            |  92 +++++-
 security/selinux/include/security.h |   2 +
 security/selinux/ss/policydb.c      |   5 +-
 security/smack/smack_lsm.c          |  11 +
 35 files changed, 1416 insertions(+), 205 deletions(-)

-- 
1.7.11.7

[PATCH 05/13] KConfig: Add KConfig entries for Labeled NFS

[Steve Dickson]

From: David Quigley <dpquigl@davequigley.com>

This patch adds two entries into the fs/KConfig file. The first entry
NFS_V4_SECURITY_LABEL enables security label support for the NFSv4 client while
the second entry NFSD_V4_SECURITY_LABEL enables security labeling support on
the server side.

Signed-off-by: Matthew N. Dodd <Matthew.Dodd@sparta.com>
Signed-off-by: Miguel Rodel Felipe <Rodel_FM@dsi.a-star.edu.sg>
Signed-off-by: Phua Eu Gene <PHUA_Eu_Gene@dsi.a-star.edu.sg>
Signed-off-by: Khin Mi Mi Aung <Mi_Mi_AUNG@dsi.a-star.edu.sg>
---
 fs/nfs/Kconfig  | 16 ++++++++++++++++
 fs/nfsd/Kconfig | 13 +++++++++++++
 2 files changed, 29 insertions(+)

diff --git a/fs/nfs/Kconfig b/fs/nfs/Kconfig
index 13ca196..0077197 100644
--- a/fs/nfs/Kconfig
+++ b/fs/nfs/Kconfig
@@ -131,6 +131,22 @@ config NFS_V4_1_IMPLEMENTATION_ID_DOMAIN
 	  If the NFS client is unchanged from the upstream kernel, this
 	  option should be set to the default "kernel.org".
 
+config NFS_V4_SECURITY_LABEL
+	bool "Provide Security Label support for NFSv4 client"
+	depends on NFS_V4 && SECURITY
+	help
+
+	Say Y here if you want enable fine-grained security label attribute
+	support for NFS version 4.  Security labels allow security modules like
+	SELinux and Smack to label files to facilitate enforcement of their policies.
+	Without this an NFSv4 mount will have the same label on each file.
+
+	If you do not wish to enable fine-grained security labels SELinux or
+	Smack policies on NFSv4 files, say N.
+
+
+	  If unsure, say N.
+
 config ROOT_NFS
 	bool "Root file system on NFS"
 	depends on NFS_FS=y && IP_PNP
diff --git a/fs/nfsd/Kconfig b/fs/nfsd/Kconfig
index 8df1ea4..75ba894 100644
--- a/fs/nfsd/Kconfig
+++ b/fs/nfsd/Kconfig
@@ -81,6 +81,19 @@ config NFSD_V4
 
 	  If unsure, say N.
 
+config NFSD_V4_SECURITY_LABEL
+	bool "Provide Security Label support for NFSv4 server"
+	depends on NFSD_V4 && SECURITY
+	help
+
+	Say Y here if you want enable fine-grained security label attribute
+	support for NFS version 4.  Security labels allow security modules like
+	SELinux and Smack to label files to facilitate enforcement of their policies.
+	Without this an NFSv4 mount will have the same label on each file.
+
+	If you do not wish to enable fine-grained security labels SELinux or
+	Smack policies on NFSv4 files, say N.
+
 config NFSD_FAULT_INJECTION
 	bool "NFS server manual fault injection"
 	depends on NFSD_V4 && DEBUG_KERNEL
-- 
1.7.11.7