From: Scott Mayhew <smayhew@redhat.com>
To: selinux@tycho.nsa.gov, linux-nfs@vger.kernel.org
Cc: Paul Moore <paul@paul-moore.com>,
Stephen Smalley <sds@tycho.nsa.gov>,
Eric Paris <eparis@parisplace.org>,
Trond Myklebust <trondmy@primarydata.com>,
"J . Bruce Fields" <bfields@fieldses.org>
Subject: [PATCH RFC 2/2] nfs: update labeling behavior on a superblock when submounting
Date: Thu, 25 May 2017 17:07:54 -0400 [thread overview]
Message-ID: <20170525210754.24265-3-smayhew@redhat.com> (raw)
In-Reply-To: <20170525210754.24265-1-smayhew@redhat.com>
When the client traverses from filesystem exported without the
"security_label" option to one exported with the "security_label"
option, it needs to pass SECURITY_LSM_NATIVE_LABELS to
security_sb_set_mnt_opts() so that the new superblock has SBLABEL_MNT
set in its security mount options. Otherwise, attempts to set security
labels via setxattr over NFSv4.2 will fail.
Signed-off-by: Scott Mayhew <smayhew@redhat.com>
---
fs/nfs/super.c | 23 ++++++++++++++++++++++-
1 file changed, 22 insertions(+), 1 deletion(-)
diff --git a/fs/nfs/super.c b/fs/nfs/super.c
index 2f3822a..d7a3b89 100644
--- a/fs/nfs/super.c
+++ b/fs/nfs/super.c
@@ -2544,10 +2544,31 @@ EXPORT_SYMBOL_GPL(nfs_set_sb_security);
int nfs_clone_sb_security(struct super_block *s, struct dentry *mntroot,
struct nfs_mount_info *mount_info)
{
+ int error;
+ unsigned long kflags = 0, kflags_out = 0;
+ struct security_mnt_opts opts;
+
/* clone any lsm security options from the parent to the new sb */
if (d_inode(mntroot)->i_op != NFS_SB(s)->nfs_client->rpc_ops->dir_inode_ops)
return -ESTALE;
- return security_sb_clone_mnt_opts(mount_info->cloned->sb, s);
+ error = security_sb_clone_mnt_opts(mount_info->cloned->sb, s);
+ if (error)
+ goto err;
+
+ if (NFS_SB(s)->caps & NFS_CAP_SECURITY_LABEL &&
+ !(NFS_SB(mount_info->cloned->sb)->caps & NFS_CAP_SECURITY_LABEL)) {
+ memset(&opts, 0, sizeof(opts));
+ kflags |= SECURITY_LSM_NATIVE_LABELS;
+
+ error = security_sb_set_mnt_opts(s, &opts, kflags, &kflags_out);
+ if (error)
+ goto err;
+
+ if (!(kflags_out & SECURITY_LSM_NATIVE_LABELS))
+ NFS_SB(s)->caps &= ~NFS_CAP_SECURITY_LABEL;
+ }
+err:
+ return error;
}
EXPORT_SYMBOL_GPL(nfs_clone_sb_security);
--
2.9.3
next prev parent reply other threads:[~2017-05-25 21:07 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-03-29 15:27 [PATCH] selinux: Fix SBLABEL_MNT for NFS mounts Tomeu Vizoso
2017-03-29 15:27 ` Tomeu Vizoso
2017-03-29 21:34 ` J. Bruce Fields
2017-03-29 21:34 ` J. Bruce Fields
2017-03-30 7:49 ` Tomeu Vizoso
2017-03-30 7:49 ` Tomeu Vizoso
2017-03-30 17:27 ` Stephen Smalley
2017-03-30 17:27 ` Stephen Smalley
2017-03-30 17:41 ` J. Bruce Fields
2017-03-30 17:41 ` J. Bruce Fields
2017-03-30 17:52 ` Stephen Smalley
2017-03-30 17:52 ` Stephen Smalley
2017-04-04 23:26 ` J. Bruce Fields
2017-04-04 23:26 ` J. Bruce Fields
2017-05-25 21:07 ` [PATCH RFC 0/2] Fix setting of security labels over NFSv4.2 Scott Mayhew
2017-05-25 21:07 ` [PATCH RFC 1/2] selinux: allow SECURITY_LSM_NATIVE_LABELS to be set on an already initialized superblock Scott Mayhew
2017-05-25 21:07 ` Scott Mayhew [this message]
2017-05-26 14:24 ` [PATCH RFC 2/2] nfs: update labeling behavior on a superblock when submounting Stephen Smalley
2017-05-26 15:28 ` Scott Mayhew
2017-05-26 15:42 ` Stephen Smalley
2017-06-01 14:46 ` [PATCH] security/selinux: allow security_sb_clone_mnt_opts to enable/disable native labeling behavior Scott Mayhew
2017-06-01 14:55 ` Scott Mayhew
2017-06-01 18:08 ` Stephen Smalley
2017-06-01 18:48 ` Stephen Smalley
2017-06-01 19:40 ` Scott Mayhew
2017-06-01 18:30 ` Stephen Smalley
2017-06-01 19:42 ` Scott Mayhew
2017-06-01 20:59 ` [PATCH v2] " Scott Mayhew
2017-06-02 12:55 ` Stephen Smalley
2017-06-02 13:09 ` Scott Mayhew
2017-06-05 15:45 ` [PATCH v3] " Scott Mayhew
2017-06-05 15:55 ` Scott Mayhew
2017-06-05 19:53 ` Stephen Smalley
2017-06-05 21:21 ` Paul Moore
2017-06-06 0:46 ` J . Bruce Fields
2017-06-09 20:24 ` Paul Moore
2017-05-30 14:38 ` [PATCH RFC 2/2] nfs: update labeling behavior on a superblock when submounting Stephen Smalley
2017-05-30 19:40 ` J . Bruce Fields
2017-05-30 19:52 ` Stephen Smalley
2017-05-26 14:48 ` [PATCH RFC 0/2] Fix setting of security labels over NFSv4.2 Stephen Smalley
2017-05-26 15:17 ` J . Bruce Fields
2017-05-26 15:18 ` J . Bruce Fields
2017-05-26 15:30 ` Scott Mayhew
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170525210754.24265-3-smayhew@redhat.com \
--to=smayhew@redhat.com \
--cc=bfields@fieldses.org \
--cc=eparis@parisplace.org \
--cc=linux-nfs@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
--cc=trondmy@primarydata.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.