From: "David P. Quigley" <dpquigl@tycho.nsa.gov>
To: hch@infradead.org, viro@zeniv.linux.org.uk,
casey@schaufler-ca.com, sds@tycho.nsa.gov,
matthew.dodd@sparta.com, trond.myklebust@fys.uio.no,
bfields@fieldses.org
Cc: linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org,
linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov,
linux-nfs@vger.kernel.org,
"David P. Quigley" <dpquigl@tycho.nsa.gov>,
"Matthew N. Dodd" <Matthew.Dodd@sparta.com>
Subject: [PATCH 09/10] NFS: Extend NFS xattr handlers to accept the security namespace
Date: Wed, 7 Jul 2010 10:31:25 -0400 [thread overview]
Message-ID: <1278513086-23964-10-git-send-email-dpquigl@tycho.nsa.gov> (raw)
In-Reply-To: <1278513086-23964-1-git-send-email-dpquigl@tycho.nsa.gov>
The existing NFSv4 xattr handlers do not accept xattr calls to the security
namespace. This patch extends these handlers to accept xattrs from the security
namespace in addition to the default NFSv4 ACL namespace.
Signed-off-by: Matthew N. Dodd <Matthew.Dodd@sparta.com>
Signed-off-by: David P. Quigley <dpquigl@tycho.nsa.gov>
---
fs/nfs/nfs4proc.c | 48 +++++++++++++++++++++++++++++++++++++-----------
security/security.c | 1 +
2 files changed, 38 insertions(+), 11 deletions(-)
diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
index e2b9010..7eac20b 100644
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -4870,10 +4870,13 @@ int nfs4_setxattr(struct dentry *dentry, const char *key, const void *buf,
{
struct inode *inode = dentry->d_inode;
- if (strcmp(key, XATTR_NAME_NFSV4_ACL) != 0)
- return -EOPNOTSUPP;
-
- return nfs4_proc_set_acl(inode, buf, buflen);
+ if (strcmp(key, XATTR_NAME_NFSV4_ACL) == 0)
+ return nfs4_proc_set_acl(inode, buf, buflen);
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+ if (security_ismaclabel(key))
+ return nfs4_set_security_label(dentry, buf, buflen);
+#endif
+ return -EOPNOTSUPP;
}
/* The getxattr man page suggests returning -ENODATA for unknown attributes,
@@ -4885,22 +4888,45 @@ ssize_t nfs4_getxattr(struct dentry *dentry, const char *key, void *buf,
{
struct inode *inode = dentry->d_inode;
- if (strcmp(key, XATTR_NAME_NFSV4_ACL) != 0)
- return -EOPNOTSUPP;
+ if (strcmp(key, XATTR_NAME_NFSV4_ACL) == 0)
+ return nfs4_proc_get_acl(inode, buf, buflen);
- return nfs4_proc_get_acl(inode, buf, buflen);
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+ if (security_ismaclabel(key))
+ return nfs4_get_security_label(inode, buf, buflen);
+#endif
+ return -EOPNOTSUPP;
}
ssize_t nfs4_listxattr(struct dentry *dentry, char *buf, size_t buflen)
{
- size_t len = strlen(XATTR_NAME_NFSV4_ACL) + 1;
+ size_t len = 0, l;
+ char *p;
- if (!nfs4_server_supports_acls(NFS_SERVER(dentry->d_inode)))
+ if (nfs4_server_supports_acls(NFS_SERVER(dentry->d_inode)))
+ len += strlen(XATTR_NAME_NFSV4_ACL) + 1;
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+ if (nfs_server_capable(dentry->d_inode, NFS_CAP_SECURITY_LABEL))
+ len += security_inode_listsecurity(dentry->d_inode, NULL, 0);
+#endif
+ if (!len)
return 0;
if (buf && buflen < len)
return -ERANGE;
- if (buf)
- memcpy(buf, XATTR_NAME_NFSV4_ACL, len);
+ if (!buf)
+ return len;
+
+ p = buf;
+ if (nfs4_server_supports_acls(NFS_SERVER(dentry->d_inode))) {
+ l = strlen(XATTR_NAME_NFSV4_ACL) + 1;
+ memcpy(p, XATTR_NAME_NFSV4_ACL, l);
+ p += l;
+ }
+#ifdef CONFIG_NFS_V4_SECURITY_LABEL
+ if (nfs_server_capable(dentry->d_inode, NFS_CAP_SECURITY_LABEL))
+ p += security_inode_listsecurity(dentry->d_inode, p,
+ buflen - (p - buf));
+#endif
return len;
}
diff --git a/security/security.c b/security/security.c
index 2246b5a..1f88c4a 100644
--- a/security/security.c
+++ b/security/security.c
@@ -663,6 +663,7 @@ int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer
return 0;
return security_ops->inode_listsecurity(inode, buffer, buffer_size);
}
+EXPORT_SYMBOL(security_inode_listsecurity);
void security_inode_getsecid(const struct inode *inode, u32 *secid)
{
--
1.6.2.5
next prev parent reply other threads:[~2010-07-07 14:31 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-07-07 14:31 Labeled-NFS: Security Label support in NFSv4 David P. Quigley
2010-07-07 14:31 ` [PATCH 01/10] Security: Add hook to calculate context based on a negative dentry David P. Quigley
2010-07-08 12:51 ` Stephen Smalley
2010-07-07 14:31 ` [PATCH 02/10] Security: Add Hook to test if the particular xattr is part of a MAC model David P. Quigley
[not found] ` <1278513086-23964-3-git-send-email-dpquigl-+05T5uksL2qpZYMLLGbcSA@public.gmane.org>
2010-07-07 16:49 ` J. Bruce Fields
2010-07-07 14:31 ` [PATCH 03/10] LSM: Add flags field to security_sb_set_mnt_opts for in kernel mount data David P. Quigley
2010-07-07 14:31 ` [PATCH 04/10] SELinux: Add new labeling type native labels David P. Quigley
2010-07-07 23:23 ` James Morris
2010-07-08 13:31 ` David P. Quigley
2010-07-08 22:33 ` James Morris
2010-07-09 14:09 ` David P. Quigley
2010-07-07 14:31 ` [PATCH 05/10] KConfig: Add KConfig entries for Labeled NFS David P. Quigley
[not found] ` <1278513086-23964-6-git-send-email-dpquigl-+05T5uksL2qpZYMLLGbcSA@public.gmane.org>
2010-07-07 16:56 ` J. Bruce Fields
[not found] ` <20100707165602.GC28815-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org>
2010-07-07 17:05 ` David P. Quigley
2010-07-07 17:53 ` Chuck Lever
2010-07-07 14:31 ` [PATCH 06/10] NFSv4: Add label recommended attribute and NFSv4 flags David P. Quigley
2010-07-07 17:00 ` J. Bruce Fields
2010-07-07 23:30 ` James Morris
[not found] ` <alpine.LRH.2.00.1007080928180.14102-CK9fWmtY32x9JUWOpEiw7w@public.gmane.org>
2010-07-08 13:39 ` David P. Quigley
2010-07-08 22:48 ` James Morris
[not found] ` <alpine.LRH.2.00.1007090834190.23354-CK9fWmtY32x9JUWOpEiw7w@public.gmane.org>
2010-07-09 13:47 ` Stephen Smalley
2010-07-09 14:05 ` David P. Quigley
[not found] ` <1278684348.2494.223.camel-88+Bj4OksMGWPftkNcioYDMZycKHmlmlfvIqQ387n9k@public.gmane.org>
2010-07-11 5:02 ` Kyle Moffett
[not found] ` <AANLkTinUO-xqvQQINTzKLcXnljq-RaN5X6ulEAqvuf0d-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2010-07-11 5:12 ` Casey Schaufler
2010-07-12 14:36 ` Stephen Smalley
[not found] ` <1278945396.5221.14.camel-i1KelmKhlFUEBZ0NE5PZeDSSxhlBfLG+Zkel5v8DVj8@public.gmane.org>
2010-07-17 0:09 ` Kyle Moffett
2010-07-07 14:31 ` [PATCH 07/10] NFSv4: Introduce new label structure David P. Quigley
2010-07-07 16:01 ` Chuck Lever
[not found] ` <4C34A4F1.3060708-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org>
2010-07-07 16:21 ` Casey Schaufler
[not found] ` <4C34A9A2.4080308-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org>
2010-07-07 16:24 ` David P. Quigley
2010-07-07 17:42 ` Chuck Lever
2010-07-07 16:22 ` David P. Quigley
2010-07-07 17:49 ` Chuck Lever
2010-07-07 18:11 ` David P. Quigley
2010-07-07 14:31 ` [PATCH 08/10] NFS: Client implementation of Labeled-NFS David P. Quigley
2010-07-07 14:31 ` David P. Quigley [this message]
2010-07-07 14:31 ` [PATCH 10/10] NFSD: Server implementation of MAC Labeling David P. Quigley
2010-07-07 17:21 ` J. Bruce Fields
[not found] ` <20100707172100.GE28815-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org>
2010-07-07 18:03 ` David P. Quigley
2010-07-07 19:24 ` J. Bruce Fields
2010-07-08 13:27 ` David P. Quigley
-- strict thread matches above, loose matches on Subject: below --
2010-06-08 16:22 Labeled-NFS: Security Label support in NFSv4 David P. Quigley
[not found] ` <1276014176-20315-1-git-send-email-dpquigl-+05T5uksL2qpZYMLLGbcSA@public.gmane.org>
2010-06-08 16:22 ` [PATCH 09/10] NFS: Extend NFS xattr handlers to accept the security namespace David P. Quigley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1278513086-23964-10-git-send-email-dpquigl@tycho.nsa.gov \
--to=dpquigl@tycho.nsa.gov \
--cc=bfields@fieldses.org \
--cc=casey@schaufler-ca.com \
--cc=hch@infradead.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=matthew.dodd@sparta.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
--cc=trond.myklebust@fys.uio.no \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).