[PATCH 1/1] LSM/SELinux: {get,set}context hooks to access LSM security context information.

[PATCH 1/1] LSM/SELinux: {get,set}context hooks to access LSM security context information.

[David P. Quigley]

This patch introduces two new hooks. One to get all relavent information from
an LSM about an inode an the second given that context to set it on the
inode. The setcontext call takes a flag to indicate if it should set the incore
representation, the ondisk representation or both.

Signed-off-by: David P. Quigley <dpquigl@tycho.nsa.gov>
---
 include/linux/security.h |   18 ++++++++++++++++++
 security/dummy.c         |   12 ++++++++++++
 security/security.c      |   12 ++++++++++++
 security/selinux/hooks.c |   45 ++++++++++++++++++++++++++++++++++++++++++++-
 4 files changed, 86 insertions(+), 1 deletions(-)

diff --git a/include/linux/security.h b/include/linux/security.h
index fe52cde..9b1cc6f 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -112,6 +112,10 @@ struct request_sock;
 #define LSM_UNSAFE_PTRACE	2
 #define LSM_UNSAFE_PTRACE_CAP	4
 
+/* Flags for setcontext */
+#define LSM_SETCORE	1
+#define LSM_SETDISK	2
+
 #ifdef CONFIG_SECURITY
 
 /**
@@ -1395,6 +1399,9 @@ struct security_operations {
 	int (*secctx_to_secid)(char *secdata, u32 seclen, u32 *secid);
 	void (*release_secctx)(char *secdata, u32 seclen);
 
+	int (*setcontext)(struct dentry *dentry, void *ctx, u32 ctxlen, int flags);
+	int (*getcontext)(struct dentry *dentry, void **ctx, u32 *ctxlen);
+
 #ifdef CONFIG_SECURITY_NETWORK
 	int (*unix_stream_connect) (struct socket * sock,
 				    struct socket * other, struct sock * newsk);
@@ -1634,6 +1641,8 @@ int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
 int security_secctx_to_secid(char *secdata, u32 seclen, u32 *secid);
 void security_release_secctx(char *secdata, u32 seclen);
 
+int security_setcontext(struct dentry *dentry, void *ctx, u32 ctxlen, int flags);
+int security_getcontext(struct dentry *dentry, void **ctx, u32 *ctxlen);
 #else /* CONFIG_SECURITY */
 
 /*
@@ -2316,6 +2325,15 @@ static inline int security_secctx_to_secid(char *secdata,
 static inline void security_release_secctx(char *secdata, u32 seclen)
 {
 }
+
+static inline int security_setcontext(struct dentry *dentry, void *ctx, u32 ctxlen, int flags)
+{
+	return -EOPNOTSUPP;
+}
+static inline int security_getcontext(struct dentry *dentry, void **ctx, u32 *ctxlen)
+{
+	return -EOPNOTSUPP;
+}
 #endif	/* CONFIG_SECURITY */
 
 #ifdef CONFIG_SECURITY_NETWORK
diff --git a/security/dummy.c b/security/dummy.c
index 649326b..576f9db 100644
--- a/security/dummy.c
+++ b/security/dummy.c
@@ -960,6 +960,16 @@ static void dummy_release_secctx(char *secdata, u32 seclen)
 {
 }
 
+static int dummy_setcontext(struct dentry *dentry, void *ctx, u32 ctxlen, int flags)
+{
+	return -EOPNOTSUPP;
+}
+
+static int dummy_getcontext(struct dentry *dentry, void **ctx, u32 *ctxlen)
+{
+	return -EOPNOTSUPP;
+}
+
 #ifdef CONFIG_KEYS
 static inline int dummy_key_alloc(struct key *key, struct task_struct *ctx,
 				  unsigned long flags)
@@ -1118,6 +1128,8 @@ void security_fixup_ops (struct security_operations *ops)
  	set_to_dummy_if_null(ops, secid_to_secctx);
 	set_to_dummy_if_null(ops, secctx_to_secid);
  	set_to_dummy_if_null(ops, release_secctx);
+	set_to_dummy_if_null(ops, setcontext);
+	set_to_dummy_if_null(ops, getcontext);
 #ifdef CONFIG_SECURITY_NETWORK
 	set_to_dummy_if_null(ops, unix_stream_connect);
 	set_to_dummy_if_null(ops, unix_may_send);
diff --git a/security/security.c b/security/security.c
index d15e56c..11871ae 100644
--- a/security/security.c
+++ b/security/security.c
@@ -845,6 +845,18 @@ void security_release_secctx(char *secdata, u32 seclen)
 }
 EXPORT_SYMBOL(security_release_secctx);
 
+int security_setcontext(struct dentry *dentry, void *ctx, u32 ctxlen, int flags)
+{
+	return security_ops->setcontext(dentry, ctx, ctxlen, flags);
+}
+EXPORT_SYMBOL(security_setcontext);
+
+int security_getcontext(struct dentry *dentry, void **ctx, u32 *ctxlen)
+{
+	return security_ops->getcontext(dentry, ctx, ctxlen);
+}
+EXPORT_SYMBOL(security_getcontext);
+
 #ifdef CONFIG_SECURITY_NETWORK
 
 int security_unix_stream_connect(struct socket *sock, struct socket *other,
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 75c2e99..d28c0ed 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -75,6 +75,7 @@
 #include <linux/string.h>
 #include <linux/selinux.h>
 #include <linux/mutex.h>
+#include <linux/fsnotify.h>
 
 #include "avc.h"
 #include "objsec.h"
@@ -5163,6 +5164,47 @@ static void selinux_release_secctx(char *secdata, u32 seclen)
 	kfree(secdata);
 }
 
+/*
+ *	This hook requires that the inode i_mutex be locked
+ */
+static int selinux_setcontext(struct dentry *dentry, void *ctx, u32 ctxlen, int flags)
+{
+	struct inode *inode = dentry->d_inode;
+	int rc = 0;
+
+	if (flags & LSM_SETCORE) {
+		rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX,
+						ctx, ctxlen, 0);
+		if(rc)
+			return rc;
+	}
+	if (flags & LSM_SETDISK) {
+		rc = -EOPNOTSUPP;
+		if (inode->i_op->setxattr) {
+			rc = inode->i_op->setxattr(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
+			if (!rc) {
+				fsnotify_xattr(dentry);
+				security_inode_post_setxattr(dentry, XATTR_NAME_SELINUX, ctx,
+						ctxlen, 0);
+			}
+		} else {
+			rc = security_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx,
+					ctxlen, 0);
+			if (!rc)
+				fsnotify_xattr(dentry);
+		}
+	}
+	
+	return rc;
+}
+static int selinux_getcontext(struct dentry *dentry, void **ctx, u32 *ctxlen)
+{
+	struct inode *inode = dentry->d_inode;
+	
+	*ctxlen = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
+						ctx, true);
+	return *ctxlen;
+}
 #ifdef CONFIG_KEYS
 
 static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
@@ -5351,7 +5393,8 @@ static struct security_operations selinux_ops = {
 	.secid_to_secctx =		selinux_secid_to_secctx,
 	.secctx_to_secid =		selinux_secctx_to_secid,
 	.release_secctx =		selinux_release_secctx,
-
+	.setcontext =			selinux_setcontext,
+	.getcontext =			selinux_getcontext,
         .unix_stream_connect =		selinux_socket_unix_stream_connect,
 	.unix_may_send =		selinux_socket_unix_may_send,
 
-- 
1.5.4.1


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH 1/1] LSM/SELinux: {get,set}context hooks to access LSM security context information.

[Dave Quigley]

Guilt didn't ask me for a patch prefix so unfortunately this doesn't
have RFC in front of the patch name. This patch is to be treated as an
RFC. I want feedback on it before I start using it in the labeled NFS
patch set.

Dave


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH 1/1] LSM/SELinux: {get,set}context hooks to access LSM security context information.

[Chris Wright]

* David P. Quigley (dpquigl@tycho.nsa.gov) wrote:
> +/* Flags for setcontext */
> +#define LSM_SETCORE	1
> +#define LSM_SETDISK	2
> +
>  #ifdef CONFIG_SECURITY
>  
>  /**
> @@ -1395,6 +1399,9 @@ struct security_operations {
>  	int (*secctx_to_secid)(char *secdata, u32 seclen, u32 *secid);
>  	void (*release_secctx)(char *secdata, u32 seclen);
>  
> +	int (*setcontext)(struct dentry *dentry, void *ctx, u32 ctxlen, int flags);
> +	int (*getcontext)(struct dentry *dentry, void **ctx, u32 *ctxlen);

Is this meant to address Casey's argument about the mac label hook name?
Also, why have you made the distinction of in-core vs. on disk in the
interface?  As I mentioned, I think just needs a little better
description of why.

thanks,
-chris

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH 1/1] LSM/SELinux: {get,set}context hooks to access LSM security context information.

[Dave Quigley]

On Tue, 2008-03-04 at 15:26 -0800, Chris Wright wrote:
> * David P. Quigley (dpquigl@tycho.nsa.gov) wrote:
> > +/* Flags for setcontext */
> > +#define LSM_SETCORE	1
> > +#define LSM_SETDISK	2
> > +
> >  #ifdef CONFIG_SECURITY
> >  
> >  /**
> > @@ -1395,6 +1399,9 @@ struct security_operations {
> >  	int (*secctx_to_secid)(char *secdata, u32 seclen, u32 *secid);
> >  	void (*release_secctx)(char *secdata, u32 seclen);
> >  
> > +	int (*setcontext)(struct dentry *dentry, void *ctx, u32 ctxlen, int flags);
> > +	int (*getcontext)(struct dentry *dentry, void **ctx, u32 *ctxlen);
> 
> Is this meant to address Casey's argument about the mac label hook name?
> Also, why have you made the distinction of in-core vs. on disk in the
> interface?  As I mentioned, I think just needs a little better
> description of why.
> 
> thanks,
> -chris

The reason for the differentiation is that NFS inodes don't need their
on-disk representation set. Normally this would be taken care of with an
inode_getsecurity call but as you noted Casey objected to a hook to get
the suffix name. Also he did have a point in that the context may have
several components to it that could have multiple suffixes. So I need a
hook that allows us to set possibly multiple internal security values
based on a security context and without using an xattr name.

Dave


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH 1/1] LSM/SELinux: {get,set}context hooks to access LSM security context information.

[Chris Wright]

* Dave Quigley (dpquigl@tycho.nsa.gov) wrote:
> The reason for the differentiation is that NFS inodes don't need their
> on-disk representation set. Normally this would be taken care of with an
> inode_getsecurity call but as you noted Casey objected to a hook to get
> the suffix name. Also he did have a point in that the context may have
> several components to it that could have multiple suffixes. So I need a
> hook that allows us to set possibly multiple internal security values
> based on a security context and without using an xattr name.

Can you work on a couple things..first the fn name is not particularly
helpful ({get,set}context are just vague), and second, the SELinux
implementation is far too close to VFS code (you should not be manually
calling fsnotify, for example).  IOW, it looks more like a higher
level helper.

thanks,
-chris

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH 1/1] LSM/SELinux: {get,set}context hooks to access LSM security context information.

[Dave Quigley]

On Tue, 2008-03-04 at 15:52 -0800, Chris Wright wrote:
> * Dave Quigley (dpquigl@tycho.nsa.gov) wrote:
> > The reason for the differentiation is that NFS inodes don't need their
> > on-disk representation set. Normally this would be taken care of with an
> > inode_getsecurity call but as you noted Casey objected to a hook to get
> > the suffix name. Also he did have a point in that the context may have
> > several components to it that could have multiple suffixes. So I need a
> > hook that allows us to set possibly multiple internal security values
> > based on a security context and without using an xattr name.
> 
> Can you work on a couple things..first the fn name is not particularly
> helpful ({get,set}context are just vague), and second, the SELinux
> implementation is far too close to VFS code (you should not be manually
> calling fsnotify, for example).  IOW, it looks more like a higher
> level helper.

Is James' suggestion of getsecctx and setsecctx better or would you
prefer another name? The code for the selinux hook is taken from
vfs_setxattr. The issue is that we are going to be doing some VFSish
things in there. We are going to take a string and break it into zero or
more xattr calls (in SELinux's case it is only one). I guess we could
just set the xattr and then rely on the caller of this function to call
fsnotify.




--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH 1/1] LSM/SELinux: {get,set}context hooks to access LSM security context information.

[Chris Wright]

* Dave Quigley (dpquigl@tycho.nsa.gov) wrote:
> 
> On Tue, 2008-03-04 at 15:52 -0800, Chris Wright wrote:
> > * Dave Quigley (dpquigl@tycho.nsa.gov) wrote:
> > > The reason for the differentiation is that NFS inodes don't need their
> > > on-disk representation set. Normally this would be taken care of with an
> > > inode_getsecurity call but as you noted Casey objected to a hook to get
> > > the suffix name. Also he did have a point in that the context may have
> > > several components to it that could have multiple suffixes. So I need a
> > > hook that allows us to set possibly multiple internal security values
> > > based on a security context and without using an xattr name.
> > 
> > Can you work on a couple things..first the fn name is not particularly
> > helpful ({get,set}context are just vague), and second, the SELinux
> > implementation is far too close to VFS code (you should not be manually
> > calling fsnotify, for example).  IOW, it looks more like a higher
> > level helper.
> 
> Is James' suggestion of getsecctx and setsecctx better or would you
> prefer another name?

Mainly capturing that it's doing this to a file not another object.

> The code for the selinux hook is taken from
> vfs_setxattr. The issue is that we are going to be doing some VFSish
> things in there. We are going to take a string and break it into zero or
> more xattr calls (in SELinux's case it is only one). I guess we could
> just set the xattr and then rely on the caller of this function to call
> fsnotify.

Yes, can we formalize this?  the xattr_security code could be cleaned
up if you need better helpers in VFS.

BTW, this is unnecessary after cut 'n paste:

+		rc = -EOPNOTSUPP;  <-- superfluous (and err works better for "if (!err)")
+		if (inode->i_op->setxattr) {
+			rc = inode->i_op->setxattr(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
...
+		} else {
+			rc = security_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx,


thanks,
-chris

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH 1/1] LSM/SELinux: {get,set}context hooks to access LSM security context information.

[Dave Quigley]

On Tue, 2008-03-04 at 16:10 -0800, Chris Wright wrote:
> * Dave Quigley (dpquigl@tycho.nsa.gov) wrote:
> > 
> > On Tue, 2008-03-04 at 15:52 -0800, Chris Wright wrote:
> > > * Dave Quigley (dpquigl@tycho.nsa.gov) wrote:
> > > > The reason for the differentiation is that NFS inodes don't need their
> > > > on-disk representation set. Normally this would be taken care of with an
> > > > inode_getsecurity call but as you noted Casey objected to a hook to get
> > > > the suffix name. Also he did have a point in that the context may have
> > > > several components to it that could have multiple suffixes. So I need a
> > > > hook that allows us to set possibly multiple internal security values
> > > > based on a security context and without using an xattr name.
> > > 
> > > Can you work on a couple things..first the fn name is not particularly
> > > helpful ({get,set}context are just vague), and second, the SELinux
> > > implementation is far too close to VFS code (you should not be manually
> > > calling fsnotify, for example).  IOW, it looks more like a higher
> > > level helper.
> > 
> > Is James' suggestion of getsecctx and setsecctx better or would you
> > prefer another name?
> 
> Mainly capturing that it's doing this to a file not another object.

I can prefix it with inode so it would be inode_setsecctx and
inode_getsecctx.

> 
> > The code for the selinux hook is taken from
> > vfs_setxattr. The issue is that we are going to be doing some VFSish
> > things in there. We are going to take a string and break it into zero or
> > more xattr calls (in SELinux's case it is only one). I guess we could
> > just set the xattr and then rely on the caller of this function to call
> > fsnotify.
> 
> Yes, can we formalize this?  the xattr_security code could be cleaned
> up if you need better helpers in VFS.

I'm not sure if its a question of better helpers. The code is pretty
simple. I think the question is who should be calling fsnotify. 

> 
> BTW, this is unnecessary after cut 'n paste:
> 
Good point I'll remove it.

> +		rc = -EOPNOTSUPP;  <-- superfluous (and err works better for "if (!err)")
> +		if (inode->i_op->setxattr) {
> +			rc = inode->i_op->setxattr(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
> ...
> +		} else {
> +			rc = security_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx,
> 
> 
> thanks,
> -chris


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH 1/1] LSM/SELinux: {get,set}context hooks to access LSM security context information.

[James Morris]

On Tue, 4 Mar 2008, Dave Quigley wrote:

> > Mainly capturing that it's doing this to a file not another object.
> 
> I can prefix it with inode so it would be inode_setsecctx and
> inode_getsecctx.

'file' might be better, as we may want similar APIs soon for sockets and 
possibly other objects which may or may not have inodes, but different 
semantics.



- James
-- 
James Morris
<jmorris@namei.org>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH 1/1] LSM/SELinux: {get,set}context hooks to access LSM security context information.

[Chris Wright]

* Dave Quigley (dpquigl@tycho.nsa.gov) wrote:
> I'm not sure if its a question of better helpers. The code is pretty
> simple.

Yeah, not complextiy issue, just proper layering.

> I think the question is who should be calling fsnotify. 

The VFS ;-)  Shouldn't be too tough to make a simple helper that's used
from SELinux as well as VFS during setxattr.  This keeps things like
locking rules and fsnotify calls in one place.

thanks,
-chris

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH 1/1] LSM/SELinux: {get,set}context hooks to access LSM security context information.

[James Morris]

On Tue, 4 Mar 2008, David P. Quigley wrote:

>  	void (*release_secctx)(char *secdata, u32 seclen);
>  
> +	int (*setcontext)(struct dentry *dentry, void *ctx, u32 ctxlen, int flags);
> +	int (*getcontext)(struct dentry *dentry, void **ctx, u32 *ctxlen);

To remain consistent with the rest of the API, how about getsecctx and 
setsecctx ?


- James
-- 
James Morris
<jmorris@namei.org>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH 1/1] LSM/SELinux: {get,set}context hooks to access LSM security context information.

[Dave Quigley]

That sounds like a reasonable request.

Dave

On Wed, 2008-03-05 at 10:48 +1100, James Morris wrote:
> On Tue, 4 Mar 2008, David P. Quigley wrote:
> 
> >  	void (*release_secctx)(char *secdata, u32 seclen);
> >  
> > +	int (*setcontext)(struct dentry *dentry, void *ctx, u32 ctxlen, int flags);
> > +	int (*getcontext)(struct dentry *dentry, void **ctx, u32 *ctxlen);
> 
> To remain consistent with the rest of the API, how about getsecctx and 
> setsecctx ?
> 
> 
> - James


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH 1/1] LSM/SELinux: {get,set}context hooks to access LSM security context information.

[Casey Schaufler]

----- Original Message ----
> From: David P. Quigley <dpquigl@tycho.nsa.gov>
> To: sds@tycho.nsa.gov; jmorris@namei.org; chrisw@sous-sol.org; casey@schaufler-ca.com
> Cc: linux-security-module@vger.kernel.org; selinux@tycho.nsa.gov; David P. Quigley <dpquigl@tycho.nsa.gov>
> Sent: Tuesday, March 4, 2008 1:53:43 PM
> Subject: [PATCH 1/1] LSM/SELinux: {get,set}context hooks to access LSM security context information.
> 
> This patch introduces two new hooks. One to get all relavent information from
> an LSM about an inode an the second given that context to set it on the
> inode. The setcontext call takes a flag to indicate if it should set the incore
> representation, the ondisk representation or both.

Please coordinate with David Powell and Ahmed Darwish on these.
File system cacheing and audit both require similar functionality
and have proposed it in slightly different manners and with
slightly different names.


> Signed-off-by: David P. Quigley 
> ---
> include/linux/security.h | 18 ++++++++++++++++++
> security/dummy.c | 12 ++++++++++++
> security/security.c | 12 ++++++++++++
> security/selinux/hooks.c | 45 ++++++++++++++++++++++++++++++++++++++++++++-
> 4 files changed, 86 insertions(+), 1 deletions(-)
> 
> diff --git a/include/linux/security.h b/include/linux/security.h
> index fe52cde..9b1cc6f 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -112,6 +112,10 @@ struct request_sock;
> #define LSM_UNSAFE_PTRACE 2
> #define LSM_UNSAFE_PTRACE_CAP 4
> 
> +/* Flags for setcontext */
> +#define LSM_SETCORE 1
> +#define LSM_SETDISK 2
> +
> #ifdef CONFIG_SECURITY
> 
> /**
> @@ -1395,6 +1399,9 @@ struct security_operations {
> int (*secctx_to_secid)(char *secdata, u32 seclen, u32 *secid);
> void (*release_secctx)(char *secdata, u32 seclen);
> 
> + int (*setcontext)(struct dentry *dentry, void *ctx, u32 ctxlen, int flags);
> + int (*getcontext)(struct dentry *dentry, void **ctx, u32 *ctxlen);
> +
> #ifdef CONFIG_SECURITY_NETWORK
> int (*unix_stream_connect) (struct socket * sock,
> struct socket * other, struct sock * newsk);
> @@ -1634,6 +1641,8 @@ int security_secid_to_secctx(u32 secid, char **secdata, 
> u32 *seclen);
> int security_secctx_to_secid(char *secdata, u32 seclen, u32 *secid);
> void security_release_secctx(char *secdata, u32 seclen);
> 
> +int security_setcontext(struct dentry *dentry, void *ctx, u32 ctxlen, int 
> flags);
> +int security_getcontext(struct dentry *dentry, void **ctx, u32 *ctxlen);
> #else /* CONFIG_SECURITY */
> 
> /*
> @@ -2316,6 +2325,15 @@ static inline int security_secctx_to_secid(char *secdata,
> static inline void security_release_secctx(char *secdata, u32 seclen)
> {
> }
> +
> +static inline int security_setcontext(struct dentry *dentry, void *ctx, u32 
> ctxlen, int flags)
> +{
> + return -EOPNOTSUPP;
> +}
> +static inline int security_getcontext(struct dentry *dentry, void **ctx, u32 
> *ctxlen)
> +{
> + return -EOPNOTSUPP;
> +}
> #endif /* CONFIG_SECURITY */
> 
> #ifdef CONFIG_SECURITY_NETWORK
> diff --git a/security/dummy.c b/security/dummy.c
> index 649326b..576f9db 100644
> --- a/security/dummy.c
> +++ b/security/dummy.c
> @@ -960,6 +960,16 @@ static void dummy_release_secctx(char *secdata, u32 seclen)
> {
> }
> 
> +static int dummy_setcontext(struct dentry *dentry, void *ctx, u32 ctxlen, int 
> flags)
> +{
> + return -EOPNOTSUPP;
> +}
> +
> +static int dummy_getcontext(struct dentry *dentry, void **ctx, u32 *ctxlen)
> +{
> + return -EOPNOTSUPP;
> +}
> +
> #ifdef CONFIG_KEYS
> static inline int dummy_key_alloc(struct key *key, struct task_struct *ctx,
> unsigned long flags)
> @@ -1118,6 +1128,8 @@ void security_fixup_ops (struct security_operations *ops)
> set_to_dummy_if_null(ops, secid_to_secctx);
> set_to_dummy_if_null(ops, secctx_to_secid);
> set_to_dummy_if_null(ops, release_secctx);
> + set_to_dummy_if_null(ops, setcontext);
> + set_to_dummy_if_null(ops, getcontext);
> #ifdef CONFIG_SECURITY_NETWORK
> set_to_dummy_if_null(ops, unix_stream_connect);
> set_to_dummy_if_null(ops, unix_may_send);
> diff --git a/security/security.c b/security/security.c
> index d15e56c..11871ae 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -845,6 +845,18 @@ void security_release_secctx(char *secdata, u32 seclen)
> }
> EXPORT_SYMBOL(security_release_secctx);
> 
> +int security_setcontext(struct dentry *dentry, void *ctx, u32 ctxlen, int 
> flags)
> +{
> + return security_ops->setcontext(dentry, ctx, ctxlen, flags);
> +}
> +EXPORT_SYMBOL(security_setcontext);
> +
> +int security_getcontext(struct dentry *dentry, void **ctx, u32 *ctxlen)
> +{
> + return security_ops->getcontext(dentry, ctx, ctxlen);
> +}
> +EXPORT_SYMBOL(security_getcontext);
> +
> #ifdef CONFIG_SECURITY_NETWORK
> 
> int security_unix_stream_connect(struct socket *sock, struct socket *other,
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 75c2e99..d28c0ed 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -75,6 +75,7 @@
> #include 
> #include 
> #include 
> +#include 
> 
> #include "avc.h"
> #include "objsec.h"
> @@ -5163,6 +5164,47 @@ static void selinux_release_secctx(char *secdata, u32 
> seclen)
> kfree(secdata);
> }
> 
> +/*
> + * This hook requires that the inode i_mutex be locked
> + */
> +static int selinux_setcontext(struct dentry *dentry, void *ctx, u32 ctxlen, int 
> flags)
> +{
> + struct inode *inode = dentry->d_inode;
> + int rc = 0;
> +
> + if (flags & LSM_SETCORE) {
> + rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX,
> + ctx, ctxlen, 0);
> + if(rc)
> + return rc;
> + }
> + if (flags & LSM_SETDISK) {
> + rc = -EOPNOTSUPP;
> + if (inode->i_op->setxattr) {
> + rc = inode->i_op->setxattr(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 
> 0);
> + if (!rc) {
> + fsnotify_xattr(dentry);
> + security_inode_post_setxattr(dentry, XATTR_NAME_SELINUX, ctx,
> + ctxlen, 0);
> + }
> + } else {
> + rc = security_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx,
> + ctxlen, 0);
> + if (!rc)
> + fsnotify_xattr(dentry);
> + }
> + }
> + 
> + return rc;
> +}
> +static int selinux_getcontext(struct dentry *dentry, void **ctx, u32 *ctxlen)
> +{
> + struct inode *inode = dentry->d_inode;
> + 
> + *ctxlen = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
> + ctx, true);
> + return *ctxlen;
> +}
> #ifdef CONFIG_KEYS
> 
> static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
> @@ -5351,7 +5393,8 @@ static struct security_operations selinux_ops = {
> .secid_to_secctx = selinux_secid_to_secctx,
> .secctx_to_secid = selinux_secctx_to_secid,
> .release_secctx = selinux_release_secctx,
> -
> + .setcontext = selinux_setcontext,
> + .getcontext = selinux_getcontext,
> .unix_stream_connect = selinux_socket_unix_stream_connect,
> .unix_may_send = selinux_socket_unix_may_send,
> 
> -- 
> 1.5.4.1
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" 
> in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at 
> http://vger.kernel.org/majordomo-info.html


 
Casey Schaufler
casey@schaufler-ca.com 

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH 1/1] LSM/SELinux: {get,set}context hooks to access LSM security context information.

[Dave Quigley]

I don't see anything in Ahmed's patch set that has this kind of
functionality. Also a quick glance over the patch names in the FSCache
set doesn't seem to yield a hook like this either. David Howell's
patches are mainly to deal with process contexts not file contexts which
this patch addresses.

Dave


On Tue, 2008-03-04 at 14:53 -0800, Casey Schaufler wrote:
> ----- Original Message ----
> > From: David P. Quigley <dpquigl@tycho.nsa.gov>
> > To: sds@tycho.nsa.gov; jmorris@namei.org; chrisw@sous-sol.org; casey@schaufler-ca.com
> > Cc: linux-security-module@vger.kernel.org; selinux@tycho.nsa.gov; David P. Quigley <dpquigl@tycho.nsa.gov>
> > Sent: Tuesday, March 4, 2008 1:53:43 PM
> > Subject: [PATCH 1/1] LSM/SELinux: {get,set}context hooks to access LSM security context information.
> > 
> > This patch introduces two new hooks. One to get all relavent information from
> > an LSM about an inode an the second given that context to set it on the
> > inode. The setcontext call takes a flag to indicate if it should set the incore
> > representation, the ondisk representation or both.
> 
> Please coordinate with David Powell and Ahmed Darwish on these.
> File system cacheing and audit both require similar functionality
> and have proposed it in slightly different manners and with
> slightly different names.
> 
> 
> > Signed-off-by: David P. Quigley 
> > ---
> > include/linux/security.h | 18 ++++++++++++++++++
> > security/dummy.c | 12 ++++++++++++
> > security/security.c | 12 ++++++++++++
> > security/selinux/hooks.c | 45 ++++++++++++++++++++++++++++++++++++++++++++-
> > 4 files changed, 86 insertions(+), 1 deletions(-)
> > 
> > diff --git a/include/linux/security.h b/include/linux/security.h
> > index fe52cde..9b1cc6f 100644
> > --- a/include/linux/security.h
> > +++ b/include/linux/security.h
> > @@ -112,6 +112,10 @@ struct request_sock;
> > #define LSM_UNSAFE_PTRACE 2
> > #define LSM_UNSAFE_PTRACE_CAP 4
> > 
> > +/* Flags for setcontext */
> > +#define LSM_SETCORE 1
> > +#define LSM_SETDISK 2
> > +
> > #ifdef CONFIG_SECURITY
> > 
> > /**
> > @@ -1395,6 +1399,9 @@ struct security_operations {
> > int (*secctx_to_secid)(char *secdata, u32 seclen, u32 *secid);
> > void (*release_secctx)(char *secdata, u32 seclen);
> > 
> > + int (*setcontext)(struct dentry *dentry, void *ctx, u32 ctxlen, int flags);
> > + int (*getcontext)(struct dentry *dentry, void **ctx, u32 *ctxlen);
> > +
> > #ifdef CONFIG_SECURITY_NETWORK
> > int (*unix_stream_connect) (struct socket * sock,
> > struct socket * other, struct sock * newsk);
> > @@ -1634,6 +1641,8 @@ int security_secid_to_secctx(u32 secid, char **secdata, 
> > u32 *seclen);
> > int security_secctx_to_secid(char *secdata, u32 seclen, u32 *secid);
> > void security_release_secctx(char *secdata, u32 seclen);
> > 
> > +int security_setcontext(struct dentry *dentry, void *ctx, u32 ctxlen, int 
> > flags);
> > +int security_getcontext(struct dentry *dentry, void **ctx, u32 *ctxlen);
> > #else /* CONFIG_SECURITY */
> > 
> > /*
> > @@ -2316,6 +2325,15 @@ static inline int security_secctx_to_secid(char *secdata,
> > static inline void security_release_secctx(char *secdata, u32 seclen)
> > {
> > }
> > +
> > +static inline int security_setcontext(struct dentry *dentry, void *ctx, u32 
> > ctxlen, int flags)
> > +{
> > + return -EOPNOTSUPP;
> > +}
> > +static inline int security_getcontext(struct dentry *dentry, void **ctx, u32 
> > *ctxlen)
> > +{
> > + return -EOPNOTSUPP;
> > +}
> > #endif /* CONFIG_SECURITY */
> > 
> > #ifdef CONFIG_SECURITY_NETWORK
> > diff --git a/security/dummy.c b/security/dummy.c
> > index 649326b..576f9db 100644
> > --- a/security/dummy.c
> > +++ b/security/dummy.c
> > @@ -960,6 +960,16 @@ static void dummy_release_secctx(char *secdata, u32 seclen)
> > {
> > }
> > 
> > +static int dummy_setcontext(struct dentry *dentry, void *ctx, u32 ctxlen, int 
> > flags)
> > +{
> > + return -EOPNOTSUPP;
> > +}
> > +
> > +static int dummy_getcontext(struct dentry *dentry, void **ctx, u32 *ctxlen)
> > +{
> > + return -EOPNOTSUPP;
> > +}
> > +
> > #ifdef CONFIG_KEYS
> > static inline int dummy_key_alloc(struct key *key, struct task_struct *ctx,
> > unsigned long flags)
> > @@ -1118,6 +1128,8 @@ void security_fixup_ops (struct security_operations *ops)
> > set_to_dummy_if_null(ops, secid_to_secctx);
> > set_to_dummy_if_null(ops, secctx_to_secid);
> > set_to_dummy_if_null(ops, release_secctx);
> > + set_to_dummy_if_null(ops, setcontext);
> > + set_to_dummy_if_null(ops, getcontext);
> > #ifdef CONFIG_SECURITY_NETWORK
> > set_to_dummy_if_null(ops, unix_stream_connect);
> > set_to_dummy_if_null(ops, unix_may_send);
> > diff --git a/security/security.c b/security/security.c
> > index d15e56c..11871ae 100644
> > --- a/security/security.c
> > +++ b/security/security.c
> > @@ -845,6 +845,18 @@ void security_release_secctx(char *secdata, u32 seclen)
> > }
> > EXPORT_SYMBOL(security_release_secctx);
> > 
> > +int security_setcontext(struct dentry *dentry, void *ctx, u32 ctxlen, int 
> > flags)
> > +{
> > + return security_ops->setcontext(dentry, ctx, ctxlen, flags);
> > +}
> > +EXPORT_SYMBOL(security_setcontext);
> > +
> > +int security_getcontext(struct dentry *dentry, void **ctx, u32 *ctxlen)
> > +{
> > + return security_ops->getcontext(dentry, ctx, ctxlen);
> > +}
> > +EXPORT_SYMBOL(security_getcontext);
> > +
> > #ifdef CONFIG_SECURITY_NETWORK
> > 
> > int security_unix_stream_connect(struct socket *sock, struct socket *other,
> > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> > index 75c2e99..d28c0ed 100644
> > --- a/security/selinux/hooks.c
> > +++ b/security/selinux/hooks.c
> > @@ -75,6 +75,7 @@
> > #include 
> > #include 
> > #include 
> > +#include 
> > 
> > #include "avc.h"
> > #include "objsec.h"
> > @@ -5163,6 +5164,47 @@ static void selinux_release_secctx(char *secdata, u32 
> > seclen)
> > kfree(secdata);
> > }
> > 
> > +/*
> > + * This hook requires that the inode i_mutex be locked
> > + */
> > +static int selinux_setcontext(struct dentry *dentry, void *ctx, u32 ctxlen, int 
> > flags)
> > +{
> > + struct inode *inode = dentry->d_inode;
> > + int rc = 0;
> > +
> > + if (flags & LSM_SETCORE) {
> > + rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX,
> > + ctx, ctxlen, 0);
> > + if(rc)
> > + return rc;
> > + }
> > + if (flags & LSM_SETDISK) {
> > + rc = -EOPNOTSUPP;
> > + if (inode->i_op->setxattr) {
> > + rc = inode->i_op->setxattr(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 
> > 0);
> > + if (!rc) {
> > + fsnotify_xattr(dentry);
> > + security_inode_post_setxattr(dentry, XATTR_NAME_SELINUX, ctx,
> > + ctxlen, 0);
> > + }
> > + } else {
> > + rc = security_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx,
> > + ctxlen, 0);
> > + if (!rc)
> > + fsnotify_xattr(dentry);
> > + }
> > + }
> > + 
> > + return rc;
> > +}
> > +static int selinux_getcontext(struct dentry *dentry, void **ctx, u32 *ctxlen)
> > +{
> > + struct inode *inode = dentry->d_inode;
> > + 
> > + *ctxlen = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
> > + ctx, true);
> > + return *ctxlen;
> > +}
> > #ifdef CONFIG_KEYS
> > 
> > static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
> > @@ -5351,7 +5393,8 @@ static struct security_operations selinux_ops = {
> > .secid_to_secctx = selinux_secid_to_secctx,
> > .secctx_to_secid = selinux_secctx_to_secid,
> > .release_secctx = selinux_release_secctx,
> > -
> > + .setcontext = selinux_setcontext,
> > + .getcontext = selinux_getcontext,
> > .unix_stream_connect = selinux_socket_unix_stream_connect,
> > .unix_may_send = selinux_socket_unix_may_send,
> > 
> > -- 
> > 1.5.4.1
> > 
> > --
> > To unsubscribe from this list: send the line "unsubscribe linux-security-module" 
> > in
> > the body of a message to majordomo@vger.kernel.org
> > More majordomo info at 
> > http://vger.kernel.org/majordomo-info.html
> 
> 
>  
> Casey Schaufler
> casey@schaufler-ca.com 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH 1/1] LSM/SELinux: {get,set}context hooks to access LSM security context information.

[Chris Wright]

* Dave Quigley (dpquigl@tycho.nsa.gov) wrote:
> I don't see anything in Ahmed's patch set that has this kind of
> functionality.

I suspect Casey's referring to the inode_getsec.  I think you just need
to be more clear about the requirements.

thanks,
-chris

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH 1/1] LSM/SELinux: {get,set}context hooks to access LSM security context information.

[Dave Quigley]

The hook is inode_getsecid though. This hook is used to get a context
which is the string representation of the security information which is
different functionality.

Dave

On Tue, 2008-03-04 at 15:14 -0800, Chris Wright wrote:
> * Dave Quigley (dpquigl@tycho.nsa.gov) wrote:
> > I don't see anything in Ahmed's patch set that has this kind of
> > functionality.
> 
> I suspect Casey's referring to the inode_getsec.  I think you just need
> to be more clear about the requirements.
> 
> thanks,
> -chris


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH 1/1] LSM/SELinux: {get,set}context hooks to access LSM security context information.

[Dave Quigley]

On Tue, 2008-03-04 at 17:51 -0500, Dave Quigley wrote:
> The hook is inode_getsecid though. This hook is used to get a context
> which is the string representation of the security information which is
> different functionality.

The reason why this is needed instead of using inode_getsecurity is
because Casey objected to a hook that allowed you to get the security
suffix for inode_getsecurity. Because of this we added a hook that will
allow a LSM to conglomerate all the security information it wants into
one string and return it. The corresponding hook is used to take this
information and then set it in the inode and on disk.

Dave

> 
> Dave
> 
> On Tue, 2008-03-04 at 15:14 -0800, Chris Wright wrote:
> > * Dave Quigley (dpquigl@tycho.nsa.gov) wrote:
> > > I don't see anything in Ahmed's patch set that has this kind of
> > > functionality.
> > 
> > I suspect Casey's referring to the inode_getsec.  I think you just need
> > to be more clear about the requirements.
> > 
> > thanks,
> > -chris
> 
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH 1/1] LSM/SELinux: {get,set}context hooks to access LSM security context information.

[Casey Schaufler]

----- Original Message ----
> From: Dave Quigley <dpquigl@tycho.nsa.gov>
> To: Chris Wright <chrisw@sous-sol.org>
> Cc: sds@tycho.nsa.gov; jmorris@namei.org; casey@schaufler-ca.com; linux-security-module@vger.kernel.org; selinux@tycho.nsa.gov
> Sent: Tuesday, March 4, 2008 3:07:06 PM
> Subject: Re: [PATCH 1/1] LSM/SELinux: {get,set}context hooks to access LSM security context information.
> 
> 
> On Tue, 2008-03-04 at 15:26 -0800, Chris Wright wrote:
> > * David P. Quigley (dpquigl@tycho.nsa.gov) wrote:
> > > +/* Flags for setcontext */
> > > +#define LSM_SETCORE 1
> > > +#define LSM_SETDISK 2
> > > +
> > > #ifdef CONFIG_SECURITY
> > > 
> > > /**
> > > @@ -1395,6 +1399,9 @@ struct security_operations {
> > > int (*secctx_to_secid)(char *secdata, u32 seclen, u32 *secid);
> > > void (*release_secctx)(char *secdata, u32 seclen);
> > > 
> > > + int (*setcontext)(struct dentry *dentry, void *ctx, u32 ctxlen, int 
> flags);
> > > + int (*getcontext)(struct dentry *dentry, void **ctx, u32 *ctxlen);
> > 
> > Is this meant to address Casey's argument about the mac label hook name?
> > Also, why have you made the distinction of in-core vs. on disk in the
> > interface? As I mentioned, I think just needs a little better
> > description of why.
> > 
> > thanks,
> > -chris
> 
> The reason for the differentiation is that NFS inodes don't need their
> on-disk representation set. Normally this would be taken care of with an
> inode_getsecurity call but as you noted Casey objected to a hook to get
> the suffix name.

No, I objected to a hook that is specific to MAC LSMs that
store a single label as an xattr. I objected to it because it
was being used to support one file system on one LSM and
suggested that for that reason it should be an interface
private to either the specific LSM or the specific filesystem.

> Also he did have a point in that the context may have
> several components to it that could have multiple suffixes. So I need a
> hook that allows us to set possibly multiple internal security values
> based on a security context and without using an xattr name.

You could use Ahmed's hook to get the secid of a file and then
use secid_to_secctx to get the context. That's what audit has to
do.


Casey Schaufler
casey@schaufler-ca.com 

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH 1/1] LSM/SELinux: {get,set}context hooks to access LSM security context information.

[Dave Quigley]

On Tue, 2008-03-04 at 17:08 -0800, Casey Schaufler wrote:
> ----- Original Message ----
> > From: Dave Quigley <dpquigl@tycho.nsa.gov>
> > To: Chris Wright <chrisw@sous-sol.org>
> > Cc: sds@tycho.nsa.gov; jmorris@namei.org; casey@schaufler-ca.com; linux-security-module@vger.kernel.org; selinux@tycho.nsa.gov
> > Sent: Tuesday, March 4, 2008 3:07:06 PM
> > Subject: Re: [PATCH 1/1] LSM/SELinux: {get,set}context hooks to access LSM security context information.
> > 
> > 
> > On Tue, 2008-03-04 at 15:26 -0800, Chris Wright wrote:
> > > * David P. Quigley (dpquigl@tycho.nsa.gov) wrote:
> > > > +/* Flags for setcontext */
> > > > +#define LSM_SETCORE 1
> > > > +#define LSM_SETDISK 2
> > > > +
> > > > #ifdef CONFIG_SECURITY
> > > > 
> > > > /**
> > > > @@ -1395,6 +1399,9 @@ struct security_operations {
> > > > int (*secctx_to_secid)(char *secdata, u32 seclen, u32 *secid);
> > > > void (*release_secctx)(char *secdata, u32 seclen);
> > > > 
> > > > + int (*setcontext)(struct dentry *dentry, void *ctx, u32 ctxlen, int 
> > flags);
> > > > + int (*getcontext)(struct dentry *dentry, void **ctx, u32 *ctxlen);
> > > 
> > > Is this meant to address Casey's argument about the mac label hook name?
> > > Also, why have you made the distinction of in-core vs. on disk in the
> > > interface? As I mentioned, I think just needs a little better
> > > description of why.
> > > 
> > > thanks,
> > > -chris
> > 
> > The reason for the differentiation is that NFS inodes don't need their
> > on-disk representation set. Normally this would be taken care of with an
> > inode_getsecurity call but as you noted Casey objected to a hook to get
> > the suffix name.
> 
> No, I objected to a hook that is specific to MAC LSMs that
> store a single label as an xattr. I objected to it because it
> was being used to support one file system on one LSM and
> suggested that for that reason it should be an interface
> private to either the specific LSM or the specific filesystem.
> 
> > Also he did have a point in that the context may have
> > several components to it that could have multiple suffixes. So I need a
> > hook that allows us to set possibly multiple internal security values
> > based on a security context and without using an xattr name.
> 
> You could use Ahmed's hook to get the secid of a file and then
> use secid_to_secctx to get the context. That's what audit has to
> do.
> 

Historically though audit was using inode_getsecurity with the suffix.
The reason for the switch to secids was that they didn't want to
overhead of retrieving and storing the context unless they needed it.
With the NFS case we always want to context so we are going to be going
through double calls here all the time which is silly. A robust set of
interfaces should have the ability to get/set contexts get/set secids
and convert between them. As of right now the context half of that is
missing.

Dave



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH 1/1] LSM/SELinux: {get,set}context hooks to access LSM security context information.

[Stephen Smalley]

On Tue, 2008-03-04 at 17:08 -0800, Casey Schaufler wrote:
> ----- Original Message ----
> > From: Dave Quigley <dpquigl@tycho.nsa.gov>
> > To: Chris Wright <chrisw@sous-sol.org>
> > Cc: sds@tycho.nsa.gov; jmorris@namei.org; casey@schaufler-ca.com; linux-security-module@vger.kernel.org; selinux@tycho.nsa.gov
> > Sent: Tuesday, March 4, 2008 3:07:06 PM
> > Subject: Re: [PATCH 1/1] LSM/SELinux: {get,set}context hooks to access LSM security context information.
> > 
> > 
> > On Tue, 2008-03-04 at 15:26 -0800, Chris Wright wrote:
> > > * David P. Quigley (dpquigl@tycho.nsa.gov) wrote:
> > > > +/* Flags for setcontext */
> > > > +#define LSM_SETCORE 1
> > > > +#define LSM_SETDISK 2
> > > > +
> > > > #ifdef CONFIG_SECURITY
> > > > 
> > > > /**
> > > > @@ -1395,6 +1399,9 @@ struct security_operations {
> > > > int (*secctx_to_secid)(char *secdata, u32 seclen, u32 *secid);
> > > > void (*release_secctx)(char *secdata, u32 seclen);
> > > > 
> > > > + int (*setcontext)(struct dentry *dentry, void *ctx, u32 ctxlen, int 
> > flags);
> > > > + int (*getcontext)(struct dentry *dentry, void **ctx, u32 *ctxlen);
> > > 
> > > Is this meant to address Casey's argument about the mac label hook name?
> > > Also, why have you made the distinction of in-core vs. on disk in the
> > > interface? As I mentioned, I think just needs a little better
> > > description of why.
> > > 
> > > thanks,
> > > -chris
> > 
> > The reason for the differentiation is that NFS inodes don't need their
> > on-disk representation set. Normally this would be taken care of with an
> > inode_getsecurity call but as you noted Casey objected to a hook to get
> > the suffix name.
> 
> No, I objected to a hook that is specific to MAC LSMs that
> store a single label as an xattr. I objected to it because it
> was being used to support one file system on one LSM and
> suggested that for that reason it should be an interface
> private to either the specific LSM or the specific filesystem.
> 
> > Also he did have a point in that the context may have
> > several components to it that could have multiple suffixes. So I need a
> > hook that allows us to set possibly multiple internal security values
> > based on a security context and without using an xattr name.
> 
> You could use Ahmed's hook to get the secid of a file and then
> use secid_to_secctx to get the context. That's what audit has to
> do.

IIRC, originally audit directly called inode_getsecurity() to get the
string label, and there was a (since removed) LSM hook to get the name
suffix that it needed to pass in as input.  That was then replaced by
use of interfaces to get the secid at audit collection time and convert
that into a context only upon audit record generation to avoid the
overhead associated with collecting a context always.

Whereas I think NFS just wants the context always, and it doesn't serve
any purpose to first get a secid and then later turn it into a context.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH 1/1] LSM/SELinux: {get,set}context hooks to access LSM security context information.

[Casey Schaufler]

--- Stephen Smalley <sds@tycho.nsa.gov> wrote:

> ...
> IIRC, originally audit directly called inode_getsecurity() to get the
> string label, and there was a (since removed) LSM hook to get the name
> suffix that it needed to pass in as input.  That was then replaced by
> use of interfaces to get the secid at audit collection time and convert
> that into a context only upon audit record generation to avoid the
> overhead associated with collecting a context always.
> 
> Whereas I think NFS just wants the context always, and it doesn't serve
> any purpose to first get a secid and then later turn it into a context.

It turns out that I agree that hooks to get the secctx of things
would be good to have, in fact I much prefer them to the secid
interfaces. I would personally prefer to see audit use them instead
of the secid interfaces, but I acknowlege the performance implications
that would have on SELinux.


Casey Schaufler
casey@schaufler-ca.com

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.