From: Steve Dickson <SteveD@redhat.com>
To: Trond Myklebust <Trond.Myklebust@netapp.com>,
"J. Bruce Fields" <bfields@redhat.com>,
"David P. Quigley" <dpquigl@tycho.nsa.gov>
Cc: Linux NFS list <linux-nfs@vger.kernel.org>,
Linux FS devel list <linux-fsdevel@vger.kernel.org>,
Linux Security List <linux-security-module@vger.kernel.org>,
SELinux List <selinux@tycho.nsa.gov>
Subject: [PATCH 05/17] Security: Add Hook to test if the particular xattr is part of a MAC model.
Date: Mon, 29 Apr 2013 08:57:07 -0400 [thread overview]
Message-ID: <1367240239-19326-6-git-send-email-SteveD@redhat.com> (raw)
In-Reply-To: <1367240239-19326-1-git-send-email-SteveD@redhat.com>
From: David Quigley <dpquigl@davequigley.com>
The interface to request security labels from user space is the xattr
interface. When requesting the security label from an NFS server it is
important to make sure the requested xattr actually is a MAC label. This allows
us to make sure that we get the desired semantics from the attribute instead of
something else such as capabilities or a time based LSM.
Signed-off-by: Matthew N. Dodd <Matthew.Dodd@sparta.com>
Signed-off-by: Miguel Rodel Felipe <Rodel_FM@dsi.a-star.edu.sg>
Signed-off-by: Phua Eu Gene <PHUA_Eu_Gene@dsi.a-star.edu.sg>
Signed-off-by: Khin Mi Mi Aung <Mi_Mi_AUNG@dsi.a-star.edu.sg>
---
include/linux/security.h | 14 ++++++++++++++
security/capability.c | 6 ++++++
security/security.c | 6 ++++++
security/selinux/hooks.c | 6 ++++++
security/smack/smack_lsm.c | 11 +++++++++++
5 files changed, 43 insertions(+)
diff --git a/include/linux/security.h b/include/linux/security.h
index f3d7956..934f96f 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -1323,6 +1323,13 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
* @pages contains the number of pages.
* Return 0 if permission is granted.
*
+ * @ismaclabel:
+ * Check if the extended attribute specified by @name
+ * represents a MAC label. Returns 1 if name is a MAC
+ * attribute otherwise returns 0.
+ * @name full extended attribute name to check against
+ * LSM as a MAC label.
+ *
* @secid_to_secctx:
* Convert secid to security context. If secdata is NULL the length of
* the result will be returned in seclen, but no secdata will be returned.
@@ -1604,6 +1611,7 @@ struct security_operations {
int (*getprocattr) (struct task_struct *p, char *name, char **value);
int (*setprocattr) (struct task_struct *p, char *name, void *value, size_t size);
+ int (*ismaclabel) (const char *name);
int (*secid_to_secctx) (u32 secid, char **secdata, u32 *seclen);
int (*secctx_to_secid) (const char *secdata, u32 seclen, u32 *secid);
void (*release_secctx) (char *secdata, u32 seclen);
@@ -1857,6 +1865,7 @@ void security_d_instantiate(struct dentry *dentry, struct inode *inode);
int security_getprocattr(struct task_struct *p, char *name, char **value);
int security_setprocattr(struct task_struct *p, char *name, void *value, size_t size);
int security_netlink_send(struct sock *sk, struct sk_buff *skb);
+int security_ismaclabel(const char *name);
int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid);
void security_release_secctx(char *secdata, u32 seclen);
@@ -2545,6 +2554,11 @@ static inline int security_netlink_send(struct sock *sk, struct sk_buff *skb)
return cap_netlink_send(sk, skb);
}
+static inline int security_ismaclabel(const char *name)
+{
+ return 0;
+}
+
static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
{
return -EOPNOTSUPP;
diff --git a/security/capability.c b/security/capability.c
index 782045e..71e5052 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -822,6 +822,11 @@ static int cap_setprocattr(struct task_struct *p, char *name, void *value,
return -EINVAL;
}
+static int cap_ismaclabel(const char *name)
+{
+ return 0;
+}
+
static int cap_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
{
return -EOPNOTSUPP;
@@ -1041,6 +1046,7 @@ void __init security_fixup_ops(struct security_operations *ops)
set_to_cap_if_null(ops, d_instantiate);
set_to_cap_if_null(ops, getprocattr);
set_to_cap_if_null(ops, setprocattr);
+ set_to_cap_if_null(ops, ismaclabel);
set_to_cap_if_null(ops, secid_to_secctx);
set_to_cap_if_null(ops, secctx_to_secid);
set_to_cap_if_null(ops, release_secctx);
diff --git a/security/security.c b/security/security.c
index 7c18e3c..07391f3 100644
--- a/security/security.c
+++ b/security/security.c
@@ -1057,6 +1057,12 @@ int security_netlink_send(struct sock *sk, struct sk_buff *skb)
return security_ops->netlink_send(sk, skb);
}
+int security_ismaclabel(const char *name)
+{
+ return security_ops->ismaclabel(name);
+}
+EXPORT_SYMBOL(security_ismaclabel);
+
int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
{
return security_ops->secid_to_secctx(secid, secdata, seclen);
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 622b205..273e28b 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -5423,6 +5423,11 @@ abort_change:
return error;
}
+static int selinux_ismaclabel(const char *name)
+{
+ return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
+}
+
static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
{
return security_sid_to_context(secid, secdata, seclen);
@@ -5661,6 +5666,7 @@ static struct security_operations selinux_ops = {
.getprocattr = selinux_getprocattr,
.setprocattr = selinux_setprocattr,
+ .ismaclabel = selinux_ismaclabel,
.secid_to_secctx = selinux_secid_to_secctx,
.secctx_to_secid = selinux_secctx_to_secid,
.release_secctx = selinux_release_secctx,
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index fa64740..ca01d71 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -3329,6 +3329,16 @@ static void smack_audit_rule_free(void *vrule)
#endif /* CONFIG_AUDIT */
/**
+ * smack_ismaclabel - check if xattr @name references a smack MAC label
+ * @name: Full xattr name to check.
+ */
+static int smack_ismaclabel(const char *name)
+{
+ return (strcmp(name, XATTR_SMACK_SUFFIX) == 0);
+}
+
+
+/**
* smack_secid_to_secctx - return the smack label for a secid
* @secid: incoming integer
* @secdata: destination
@@ -3524,6 +3534,7 @@ struct security_operations smack_ops = {
.audit_rule_free = smack_audit_rule_free,
#endif /* CONFIG_AUDIT */
+ .ismaclabel = smack_ismaclabel,
.secid_to_secctx = smack_secid_to_secctx,
.secctx_to_secid = smack_secctx_to_secid,
.release_secctx = smack_release_secctx,
--
1.8.1.4
next prev parent reply other threads:[~2013-04-29 12:59 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-04-29 12:57 [PATCH 00/17] lnfs: 3.9-rc8 release (take 2) Steve Dickson
2013-04-29 12:57 ` [PATCH 01/17] NFSv4.2: Added v4.2 error codes Steve Dickson
2013-04-29 12:57 ` [PATCH 02/17] NFSv4.2: Added NFS v4.2 support to the NFS client Steve Dickson
2013-04-29 12:57 ` [PATCH 03/17] NFSDv4.2: Added NFS v4.2 support to the NFS server Steve Dickson
2013-05-07 20:44 ` J. Bruce Fields
2013-05-07 20:46 ` J. Bruce Fields
2013-04-29 12:57 ` [PATCH 04/17] Security: Add hook to calculate context based on a negative dentry Steve Dickson
2013-04-29 12:57 ` Steve Dickson [this message]
2013-04-29 12:57 ` [PATCH 06/17] LSM: Add flags field to security_sb_set_mnt_opts for in kernel mount data Steve Dickson
2013-04-29 12:57 ` [PATCH 07/17] SELinux: Add new labeling type native labels Steve Dickson
2013-04-29 12:57 ` [PATCH 08/17] NFSv4: Add label recommended attribute and NFSv4 flags Steve Dickson
2013-04-29 12:57 ` [PATCH 09/17] NFSv4: Introduce new label structure Steve Dickson
2013-05-01 18:59 ` Myklebust, Trond
2013-05-02 18:31 ` Steve Dickson
[not found] ` <5182B100.2080900-AfCzQyP5zfLQT0dZR+AlfA@public.gmane.org>
2013-05-02 18:39 ` Myklebust, Trond
[not found] ` <1367434764.4189.33.camel-5lNtUQgoD8Pfa3cDbr2K10B+6BGkLq7r@public.gmane.org>
2013-05-08 13:43 ` Steve Dickson
[not found] ` <518A567F.5060405-AfCzQyP5zfLQT0dZR+AlfA@public.gmane.org>
2013-05-08 15:16 ` Casey Schaufler
2013-05-08 17:32 ` Steve Dickson
[not found] ` <518A8C3D.9000407-AfCzQyP5zfLQT0dZR+AlfA@public.gmane.org>
2013-05-08 18:06 ` Myklebust, Trond
2013-05-08 18:56 ` J. Bruce Fields
[not found] ` <20130508185635.GB11497-spRCxval1Z7TsXDwO4sDpg@public.gmane.org>
2013-05-08 19:06 ` Steve Dickson
2013-04-29 12:57 ` [PATCH 12/17] NFS: Add label lifecycle management Steve Dickson
2013-04-29 12:57 ` [PATCH 13/17] NFS: Client implementation of Labeled-NFS Steve Dickson
2013-05-01 19:03 ` Myklebust, Trond
2013-05-08 16:39 ` Steve Dickson
2013-05-08 16:43 ` Myklebust, Trond
2013-05-08 17:39 ` Steve Dickson
2013-05-08 18:07 ` Myklebust, Trond
2013-05-08 18:27 ` Steve Dickson
2013-05-08 18:31 ` Myklebust, Trond
[not found] ` <1368037873.5978.34.camel-5lNtUQgoD8Pfa3cDbr2K10B+6BGkLq7r@public.gmane.org>
2013-05-08 18:41 ` Steve Dickson
2013-05-08 18:47 ` Myklebust, Trond
2013-04-29 12:57 ` [PATCH 14/17] NFS: Extend NFS xattr handlers to accept the security namespace Steve Dickson
2013-04-29 12:57 ` [PATCH 16/17] NFSD: Server implementation of MAC Labeling Steve Dickson
2013-04-30 15:49 ` J. Bruce Fields
2013-05-06 20:26 ` J. Bruce Fields
[not found] ` <1367240239-19326-1-git-send-email-SteveD-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2013-04-29 12:57 ` [PATCH 10/17] NFSv4: Extend fattr bitmaps to support all 3 words Steve Dickson
2013-04-29 12:57 ` [PATCH 11/17] NFS:Add labels to client function prototypes Steve Dickson
2013-04-29 12:57 ` [PATCH 15/17] Kconfig: Add Kconfig entry for Labeled NFS V4 client Steve Dickson
2013-04-29 12:57 ` [PATCH 17/17] Kconfig: Add Kconfig entry for Labeled NFS V4 server Steve Dickson
2013-04-30 15:57 ` [PATCH 00/17] lnfs: 3.9-rc8 release (take 2) J. Bruce Fields
2013-04-30 16:11 ` Myklebust, Trond
2013-04-30 16:13 ` J. Bruce Fields
[not found] ` <1367338308.4260.18.camel-5lNtUQgoD8Pfa3cDbr2K10B+6BGkLq7r@public.gmane.org>
2013-04-30 17:32 ` Steve Dickson
-- strict thread matches above, loose matches on Subject: below --
2013-05-02 17:18 [PATCH 00/17] lnfs: linux-3.9 release Steve Dickson
2013-05-02 17:18 ` [PATCH 05/17] Security: Add Hook to test if the particular xattr is part of a MAC model Steve Dickson
2013-05-02 23:36 ` James Morris
2013-04-24 20:17 [PATCH 00/17] lnfs: 3.9-rc8 release Steve Dickson
[not found] ` <1366834683-29075-1-git-send-email-SteveD-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2013-04-24 20:17 ` [PATCH 05/17] Security: Add Hook to test if the particular xattr is part of a MAC model Steve Dickson
2013-04-24 22:03 ` J. Bruce Fields
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1367240239-19326-6-git-send-email-SteveD@redhat.com \
--to=steved@redhat.com \
--cc=Trond.Myklebust@netapp.com \
--cc=bfields@redhat.com \
--cc=dpquigl@tycho.nsa.gov \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).