From: Dave Quigley <dpquigl@tycho.nsa.gov>
To: hch@infradead.org
Cc: viro@ftp.linux.org.uk, trond.myklebust@fys.uio.no,
bfields@fieldses.org, linux-kernel@vger.kernel.org,
linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH 01/11] Security: Add hook to get full maclabel xattr name
Date: Fri, 29 Feb 2008 16:50:45 -0500
Message-ID: <1204321845.2715.125.camel@moss-terrapins.epoch.ncsc.mil>
In-Reply-To: <1204150294-4678-2-git-send-email-dpquigl@tycho.nsa.gov>

I am adding a new hook to provide the functionality that Casey
suggested. It takes an inode, context, and contextlen and sets it in the
LSM. The question is: since there is a need to be able to set
in-core, on-disk, or both, should these be two separate hooks, or should
we make the hook take a flag that has in-core and on-disk, which can be
masked together for both?

Dave

On Wed, 2008-02-27 at 17:11 -0500, David P. Quigley wrote:
> Before the inode_xattr_getsecurity call was removed the caller would
> concatenate the security namespace prefix and the suffix provided by the LSM to
> obtain the security xattr. This hook provides the functionality to obtain the full
> LSM xattr name. The patch also provides implementations for the dummy security
> module and SELinux. This method is used instead of restoring the old method
> since it only requires an offset into the returned pointer to obtain the
> suffix. This approach is more efficient than concatenating the security xattr
> namespace string with the suffix to get a usable string.
>
> Signed-off-by: David P. Quigley <dpquigl@tycho.nsa.gov>
> ---
> include/linux/security.h | 8 ++++++++
> security/dummy.c | 6 ++++++
> security/security.c | 6 ++++++
> security/selinux/hooks.c | 10 ++++++++--
> 4 files changed, 28 insertions(+), 2 deletions(-)
>
> diff --git a/include/linux/security.h b/include/linux/security.h
> index fe52cde..c80bee4 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -1394,6 +1394,7 @@ struct security_operations {
> int (*secid_to_secctx)(u32 secid, char **secdata, u32 *seclen);
> int (*secctx_to_secid)(char *secdata, u32 seclen, u32 *secid);
> void (*release_secctx)(char *secdata, u32 seclen);
> + const char *(*maclabel_getname) (void);
>
> #ifdef CONFIG_SECURITY_NETWORK
> int (*unix_stream_connect) (struct socket * sock,
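Review bot: The new maclabel_getname member of struct security_operations is added without any description of its contract. The diffstat shows 8 insertions in include/linux/security.h, and the three code hunks account for all of them, so no hook documentation comes with the patch. Please add an entry that states what the returned string is (the full xattr name including the security namespace prefix), that the pointer refers to storage owned by the LSM and must not be freed or modified by the caller, and that NULL is a valid return value meaning no MAC label xattr is available.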
> @@ -1633,6 +1634,7 @@ int security_netlink_recv(struct sk_buff *skb, int cap);
> int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
> int security_secctx_to_secid(char *secdata, u32 seclen, u32 *secid);
> void security_release_secctx(char *secdata, u32 seclen);
> +const char *security_maclabel_getname(void);
>
> #else /* CONFIG_SECURITY */
>
> @@ -2316,6 +2318,12 @@ static inline int security_secctx_to_secid(char *secdata,
> static inline void security_release_secctx(char *secdata, u32 seclen)
> {
> }
> +
> +static inline const char *security_maclabel_getname(void)
> +{
> + return NULL;
> +}
> +
> #endif /* CONFIG_SECURITY */
>
> #ifdef CONFIG_SECURITY_NETWORK
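Review bot: The !CONFIG_SECURITY stub of security_maclabel_getname() returns NULL, and the dummy module does the same, while the commit message says callers obtain the suffix by taking an offset into the returned pointer. A caller that adds the prefix length to the result without testing it first ends up with an invalid pointer that is no longer NULL, so a later NULL check will not catch it. Either require the NULL test at every call site and say so next to the declaration, or provide a small helper that returns the suffix and handles NULL in one place.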
> diff --git a/security/dummy.c b/security/dummy.c
> index 649326b..928ef41 100644
> --- a/security/dummy.c
> +++ b/security/dummy.c
> @@ -960,6 +960,11 @@ static void dummy_release_secctx(char *secdata, u32 seclen)
> {
> }
>
> +static const char *dummy_maclabel_getname(void)
> +{
> + return NULL;
> +}
> +
> #ifdef CONFIG_KEYS
> static inline int dummy_key_alloc(struct key *key, struct task_struct *ctx,
> unsigned long flags)
> @@ -1118,6 +1123,7 @@ void security_fixup_ops (struct security_operations *ops)
> set_to_dummy_if_null(ops, secid_to_secctx);
> set_to_dummy_if_null(ops, secctx_to_secid);
> set_to_dummy_if_null(ops, release_secctx);
> + set_to_dummy_if_null(ops, maclabel_getname);
> #ifdef CONFIG_SECURITY_NETWORK
> set_to_dummy_if_null(ops, unix_stream_connect);
> set_to_dummy_if_null(ops, unix_may_send);
> diff --git a/security/security.c b/security/security.c
> index d15e56c..1a84eb1 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -845,6 +845,12 @@ void security_release_secctx(char *secdata, u32 seclen)
> }
> EXPORT_SYMBOL(security_release_secctx);
>
> +const char *security_maclabel_getname(void)
> +{
> + return security_ops->maclabel_getname();
> +}
> +EXPORT_SYMBOL(security_maclabel_getname);
> +
> #ifdef CONFIG_SECURITY_NETWORK
>
> int security_unix_stream_connect(struct socket *sock, struct socket *other,
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 75c2e99..e7fc9c9 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -5163,6 +5163,11 @@ static void selinux_release_secctx(char *secdata, u32 seclen)
> kfree(secdata);
> }
>
> +static const char *selinux_maclabel_getname(void)
> +{
> + return XATTR_NAME_SELINUX;
> +}
> +
> #ifdef CONFIG_KEYS
>
> static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
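Review bot: selinux_maclabel_getname() returns XATTR_NAME_SELINUX, which is correct only under the unstated assumption that every LSM returns a name beginning with the security namespace prefix, since the commit message has callers skip a fixed offset to reach the suffix. Nothing in the patch enforces or documents that assumption for other modules. Consider documenting the requirement with the hook, or checking the prefix once in security_maclabel_getname() so that a module returning a name in another namespace is caught instead of yielding a wrong suffix.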
> @@ -5351,8 +5356,9 @@ static struct security_operations selinux_ops = {
> .secid_to_secctx = selinux_secid_to_secctx,
> .secctx_to_secid = selinux_secctx_to_secid,
> .release_secctx = selinux_release_secctx,
> -
> - .unix_stream_connect = selinux_socket_unix_stream_connect,
> + .maclabel_getname = selinux_maclabel_getname,
> +
> + .unix_stream_connect = selinux_socket_unix_stream_connect,
> .unix_may_send = selinux_socket_unix_may_send,
>
> .socket_create = selinux_socket_create,
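Review bot: The removed and re-added blank line and .unix_stream_connect initializer at the end of this hunk look identical apart from whitespace, which makes this an unrelated whitespace change riding along with the functional one. Please drop it so the hunk contains only the added .maclabel_getname line; that keeps the patch at a single inserted line here and avoids needless conflicts with other changes to selinux_ops.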