From mboxrd@z Thu Jan 1 00:00:00 1970
From: "David P. Quigley"
Subject: [PATCH] Introduce generalized hooks for getting and setting inode secctx.
Date: Wed, 23 Apr 2008 12:57:14 -0400
Message-ID: <1208969836-8129-1-git-send-email-dpquigl@tycho.nsa.gov>
Cc: selinux-+05T5uksL2qpZYMLLGbcSA@public.gmane.org, linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, nfsv4-6DNke4IJHB0gsBAKwltoeQ@public.gmane.org
To: casey-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org, chrisw-69jw2NvuJkxg9hUCZPvPmw@public.gmane.org, sds-+05T5uksL2qpZYMLLGbcSA@public.gmane.org, jmorris-gx6/JNMH7DfYtjvyW6yDsg@public.gmane.org, hch-jcswGhMUV9g@public.gmane.org, viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn@public.gmane.org
Return-path:
Sender: owner-selinux-+05T5uksL2qpZYMLLGbcSA@public.gmane.org
List-Id: linux-fsdevel.vger.kernel.org

This patch set does two things. First, it factors the section of vfs_setxattr that does the real work into a helper function. This gives LSMs the ability to set the xattrs they need without hitting the permission check inside vfs_setxattr each time. Second, it introduces three new hooks: inode_{get,set}secctx and inode_notifysecctx. The first hook retrieves all security information the LSM feels is relevant in the form of a security context. The second hook, given this context, can set both the in-core and on-disk store for the particular inode. The third hook is used to notify the in-core inode of a change to its security state.

This is the fourth revision of this patch set, which takes into account concerns by Casey Schaufler and Christoph Hellwig.

 fs/xattr.c               |   57 ++++++++++++++++++++++++++++++++++-----------
 include/linux/security.h |   50 ++++++++++++++++++++++++++++++++++++++++
 include/linux/xattr.h    |    1 +
 security/dummy.c         |   17 +++++++++++++
 security/security.c      |   18 ++++++++++++++
 security/selinux/hooks.c |   28 ++++++++++++++++++++++
 6 files changed, 157 insertions(+), 14 deletions(-)
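The following is a constructed userspace model added by the editor to illustrate the design the cover letter describes; it is not code from this patch, from SELinux or from the kernel. It models a permission-checked vfs_setxattr whose real work is factored into an unchecked helper, plus the three hooks (getsecctx, setsecctx, notifysecctx) acting on a mock inode with an in-core label and a one-slot on-disk xattr store. The names model_inode, struct cred, xattr_permission, __vfs_setxattr_noperm, the lsm_* functions and the "security.model" xattr key are assumptions for illustration, as are the labels used in the scenario. The security-relevant point it shows is that the unchecked helper must be reachable only from LSM code paths, while ordinary callers still go through the permission check.

```c
/* Constructed userspace model of the factored vfs_setxattr helper and the
 * three inode secctx hooks.  Not kernel code; all names are illustrative. */
#include <stdio.h>
#include <string.h>
#include <errno.h>

#define CTX_MAX 64
#define XATTR_MODEL_NAME "security.model"   /* assumed xattr key */

/* Mock inode: in-core security label plus a one-slot on-disk xattr store. */
struct model_inode {
    char in_core_ctx[CTX_MAX];      /* what the LSM consults for decisions */
    char disk_xattr_name[CTX_MAX];
    char disk_xattr_value[CTX_MAX];
    int  owner_uid;
};

/* Mock task credentials consulted by the permission check. */
struct cred { int uid; };

static int __vfs_setxattr_noperm(struct model_inode *ino, const char *name,
                                 const char *value, size_t size);

/* Permission check applied to ordinary callers (setxattr(2) path). */
static int xattr_permission(const struct model_inode *ino, const struct cred *c)
{
    /* In this model only root or the owner may set security.* attributes. */
    return (c->uid == 0 || c->uid == ino->owner_uid) ? 0 : -EPERM;
}

/* inode_getsecctx: return the in-core context as an opaque buffer. */
static int lsm_inode_getsecctx(struct model_inode *ino, char *ctx, size_t *ctxlen)
{
    size_t n = strlen(ino->in_core_ctx);
    if (n + 1 > *ctxlen) return -ERANGE;
    memcpy(ctx, ino->in_core_ctx, n + 1);
    *ctxlen = n + 1;
    return 0;
}

/* inode_notifysecctx: update only the in-core state after the filesystem
 * learned the label (from disk or from a server). */
static int lsm_inode_notifysecctx(struct model_inode *ino, const char *ctx, size_t ctxlen)
{
    if (ctxlen == 0 || ctxlen > CTX_MAX || ctx[ctxlen - 1] != '\0') return -EINVAL;
    memcpy(ino->in_core_ctx, ctx, ctxlen);
    return 0;
}

/* inode_setsecctx: persist the context on disk through the unchecked helper;
 * the helper's notify call then brings the in-core copy in line. */
static int lsm_inode_setsecctx(struct model_inode *ino, const char *ctx, size_t ctxlen)
{
    return __vfs_setxattr_noperm(ino, XATTR_MODEL_NAME, ctx, ctxlen);
}

/* The helper factored out of vfs_setxattr: does the real work with NO
 * permission check, so it must only be called from trusted (LSM) paths. */
static int __vfs_setxattr_noperm(struct model_inode *ino, const char *name,
                                 const char *value, size_t size)
{
    if (size == 0 || size > CTX_MAX || strlen(name) >= CTX_MAX) return -EINVAL;
    strcpy(ino->disk_xattr_name, name);
    memcpy(ino->disk_xattr_value, value, size);
    /* A security xattr changed on disk: tell the LSM so in-core state follows. */
    if (strcmp(name, XATTR_MODEL_NAME) == 0)
        return lsm_inode_notifysecctx(ino, value, size);
    return 0;
}

/* vfs_setxattr: the only entry point unprivileged callers can reach. */
static int vfs_setxattr(struct model_inode *ino, const struct cred *c,
                        const char *name, const char *value, size_t size)
{
    int err = xattr_permission(ino, c);
    if (err) return err;
    return __vfs_setxattr_noperm(ino, name, value, size);
}

/* Scenario: a non-owner is refused, the LSM's own setsecctx succeeds, and the
 * on-disk and in-core stores end up consistent.  Returns 0 on the expected
 * outcome, otherwise the number of the failing check. */
static int run_scenario(void)
{
    struct model_inode ino = { "unlabeled_t", "", "", 1000 };   /* constructed */
    struct cred other = { 1001 };
    char buf[CTX_MAX]; size_t len = sizeof buf;

    if (vfs_setxattr(&ino, &other, XATTR_MODEL_NAME, "other_t", 8) != -EPERM) return 1;
    if (strcmp(ino.in_core_ctx, "unlabeled_t") != 0) return 2;
    if (lsm_inode_setsecctx(&ino, "nfs_t", 6) != 0) return 3;
    if (strcmp(ino.disk_xattr_value, "nfs_t") != 0) return 4;
    if (strcmp(ino.in_core_ctx, "nfs_t") != 0) return 5;
    if (lsm_inode_getsecctx(&ino, buf, &len) != 0 || len != 6) return 6;
    if (strcmp(buf, "nfs_t") != 0) return 7;
    return 0;
}

int main(void)
{
    int r = run_scenario();
    printf("scenario: %s (%d)\n", r == 0 ? "ok" : "FAILED", r);
    return r;
}
```

The ordering of the checks in run_scenario mirrors the reason for the factoring: the denied setxattr leaves both stores untouched, while the LSM path writes the on-disk value and relies on the notify hook, rather than a second permission check, to update the in-core label.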