* [RFC] [PATCH] Stacking support for inode_init_security
@ 2005-08-19 20:47 hallyn
2005-09-06 11:42 ` Christoph Hellwig
0 siblings, 1 reply; 2+ messages in thread
From: hallyn @ 2005-08-19 20:47 UTC (permalink / raw)
To: linux-fsdevel, linux-security-module, Alexander Viro, Ext2-devel,
Andreas Gruenbacher, Andreas Dilger, Christoph Hellwig,
Andrew Morton, Stephen Tweedie, Stephen Smalley, James Morris,
Chris Wright
The following patch changes the (new to -mm) inode_init_security
function to support multiple LSMs. It does this by placing the
three passed arguments (name, value, len) into a structure, and
passing in a list_head, onto which the structure can be appended.
The callers (filesystems) call their <fs>_xattr_set functions
on each returned (name, value, len) set.
This is useful both for the stacker LSM, and for any two (or more)
LSMs which might want to cooperate even without stacker.
I've tested it under a plain selinux-enabled 2.6.13-rc6-mm1 using
Stephen Smalley's sample exploit originally motivating
inode_init_security, as well as with a simple 'touch ab; ls -Z ab'.
I've also tested it with a corresponding stacker patch, with
selinux stacked with two test LSMs which simply define
inode_init_security. Again, this passed the sample exploit, and
manually inspecting the .security xattrs gave the expected results.
thanks,
-serge
--
fs/ext2/xattr_security.c | 22 ++++++++++++++--------
fs/ext3/xattr_security.c | 22 ++++++++++++++--------
include/linux/security.h | 30 +++++++++++++++++++-----------
mm/shmem.c | 6 ++----
security/dummy.c | 2 +-
security/selinux/hooks.c | 42 ++++++++++++++++++++++++++----------------
6 files changed, 76 insertions(+), 48 deletions(-)
Index: linux-2.6.13-rc6-mm1/include/linux/security.h
===================================================================
--- linux-2.6.13-rc6-mm1.orig/include/linux/security.h 2005-08-19 17:39:44.000000000 -0500
+++ linux-2.6.13-rc6-mm1/include/linux/security.h 2005-08-19 19:02:30.000000000 -0500
@@ -89,6 +89,14 @@ struct swap_info_struct;
#ifdef CONFIG_SECURITY
+struct xattr_data {
+ struct list_head list;
+ char *name;
+ void *value;
+ int len;
+};
+
+
/**
* struct security_operations - main security structure
*
@@ -263,9 +271,13 @@ struct swap_info_struct;
* then it should return -EOPNOTSUPP to skip this processing.
* @inode contains the inode structure of the newly created inode.
* @dir contains the inode structure of the parent directory.
- * @name will be set to the allocated name suffix (e.g. selinux).
- * @value will be set to the allocated attribute value.
- * @len will be set to the length of the value.
+ * @head, if not null, points to a listhead to which to append a
+ * newly allocated struct xattr_data with the following data:
+ * @data->name will be set to the allocated name suffix
+ * (e.g. selinux).
+ * @data->value will be set to the allocated attribute value.
+ * @data->len will be set to the length of the value.
+ * @data->list is used to add the data to the list_head
* Returns 0 if @name and @value have been successfully set,
* -EOPNOTSUPP if no security attribute is needed, or
* -ENOMEM on memory allocation failure.
@@ -1064,7 +1076,7 @@ struct security_operations {
int (*inode_alloc_security) (struct inode *inode);
void (*inode_free_security) (struct inode *inode);
int (*inode_init_security) (struct inode *inode, struct inode *dir,
- char **name, void **value, size_t *len);
+ struct list_head *head);
int (*inode_create) (struct inode *dir,
struct dentry *dentry, int mode);
int (*inode_link) (struct dentry *old_dentry,
@@ -1415,13 +1427,11 @@ static inline void security_inode_free (
static inline int security_inode_init_security (struct inode *inode,
struct inode *dir,
- char **name,
- void **value,
- size_t *len)
+ struct list_head *head)
{
if (unlikely (IS_PRIVATE (inode)))
return -EOPNOTSUPP;
- return security_ops->inode_init_security (inode, dir, name, value, len);
+ return security_ops->inode_init_security (inode, dir, head);
}
static inline int security_inode_create (struct inode *dir,
@@ -2103,9 +2113,7 @@ static inline void security_inode_free (
static inline int security_inode_init_security (struct inode *inode,
struct inode *dir,
- char **name,
- void **value,
- size_t *len)
+ struct list_head *head)
{
return -EOPNOTSUPP;
}
Index: linux-2.6.13-rc6-mm1/mm/shmem.c
===================================================================
--- linux-2.6.13-rc6-mm1.orig/mm/shmem.c 2005-08-19 17:39:44.000000000 -0500
+++ linux-2.6.13-rc6-mm1/mm/shmem.c 2005-08-19 19:00:05.000000000 -0500
@@ -1611,8 +1611,7 @@ shmem_mknod(struct inode *dir, struct de
int error = -ENOSPC;
if (inode) {
- error = security_inode_init_security(inode, dir, NULL, NULL,
- NULL);
+ error = security_inode_init_security(inode, dir, NULL);
if (error) {
if (error != -EOPNOTSUPP) {
iput(inode);
@@ -1758,8 +1757,7 @@ static int shmem_symlink(struct inode *d
if (!inode)
return -ENOSPC;
- error = security_inode_init_security(inode, dir, NULL, NULL,
- NULL);
+ error = security_inode_init_security(inode, dir, NULL);
if (error) {
if (error != -EOPNOTSUPP) {
iput(inode);
Index: linux-2.6.13-rc6-mm1/security/dummy.c
===================================================================
--- linux-2.6.13-rc6-mm1.orig/security/dummy.c 2005-08-19 17:39:45.000000000 -0500
+++ linux-2.6.13-rc6-mm1/security/dummy.c 2005-08-19 19:00:05.000000000 -0500
@@ -259,7 +259,7 @@ static void dummy_inode_free_security (s
}
static int dummy_inode_init_security (struct inode *inode, struct inode *dir,
- char **name, void **value, size_t *len)
+ struct list_head *head)
{
return -EOPNOTSUPP;
}
Index: linux-2.6.13-rc6-mm1/security/selinux/hooks.c
===================================================================
--- linux-2.6.13-rc6-mm1.orig/security/selinux/hooks.c 2005-08-19 17:39:45.000000000 -0500
+++ linux-2.6.13-rc6-mm1/security/selinux/hooks.c 2005-08-19 19:00:05.000000000 -0500
@@ -1942,13 +1942,13 @@ static void selinux_inode_free_security(
}
static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
- char **name, void **value,
- size_t *len)
+ struct list_head *head)
{
struct task_security_struct *tsec;
struct inode_security_struct *dsec;
struct superblock_security_struct *sbsec;
struct inode_security_struct *isec;
+ struct xattr_data *datap;
u32 newsid, clen;
int rc;
char *namep = NULL, *context;
@@ -1976,24 +1976,34 @@ static int selinux_inode_init_security(s
inode_security_set_sid(inode, newsid);
- if (name) {
- namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
- if (!namep)
- return -ENOMEM;
- *name = namep;
- }
+ if (!head)
+ return 0;
- if (value && len) {
- rc = security_sid_to_context(newsid, &context, &clen);
- if (rc) {
- kfree(namep);
- return rc;
- }
- *value = context;
- *len = clen;
+ datap = kmalloc(sizeof(struct xattr_data), GFP_KERNEL);
+ if (!datap)
+ return -ENOMEM;
+
+ namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
+ if (!namep) {
+ rc = -ENOMEM;
+ goto err;
}
+ rc = security_sid_to_context(newsid, &context, &clen);
+ if (rc)
+ goto err;
+ datap->value = context;
+ datap->len = clen;
+ datap->name = namep;
+ INIT_LIST_HEAD(&datap->list);
+
+ list_add_tail(&datap->list, head);
return 0;
+
+err:
+ kfree(namep);
+ kfree(datap);
+ return rc;
}
static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
Index: linux-2.6.13-rc6-mm1/fs/ext2/xattr_security.c
===================================================================
--- linux-2.6.13-rc6-mm1.orig/fs/ext2/xattr_security.c 2005-08-19 17:39:40.000000000 -0500
+++ linux-2.6.13-rc6-mm1/fs/ext2/xattr_security.c 2005-08-19 19:00:06.000000000 -0500
@@ -50,20 +50,26 @@ int
ext2_init_security(struct inode *inode, struct inode *dir)
{
int err;
- size_t len;
- void *value;
- char *name;
+ struct xattr_data *p, *n;
+ LIST_HEAD(head);
- err = security_inode_init_security(inode, dir, &name, &value, &len);
+ err = security_inode_init_security(inode, dir, &head);
if (err) {
if (err == -EOPNOTSUPP)
return 0;
return err;
}
- err = ext2_xattr_set(inode, EXT2_XATTR_INDEX_SECURITY,
- name, value, len, 0);
- kfree(name);
- kfree(value);
+
+ list_for_each_entry_safe(p, n, &head, list) {
+ if (!err)
+ err = ext2_xattr_set(inode,
+ EXT2_XATTR_INDEX_SECURITY,
+ p->name, p->value, p->len, 0);
+ list_del(&p->list);
+ kfree(p->name);
+ kfree(p->value);
+ kfree(p);
+ }
return err;
}
Index: linux-2.6.13-rc6-mm1/fs/ext3/xattr_security.c
===================================================================
--- linux-2.6.13-rc6-mm1.orig/fs/ext3/xattr_security.c 2005-08-19 17:39:40.000000000 -0500
+++ linux-2.6.13-rc6-mm1/fs/ext3/xattr_security.c 2005-08-19 19:00:06.000000000 -0500
@@ -52,20 +52,26 @@ int
ext3_init_security(handle_t *handle, struct inode *inode, struct inode *dir)
{
int err;
- size_t len;
- void *value;
- char *name;
+ struct xattr_data *p, *n;
+ LIST_HEAD(head);
- err = security_inode_init_security(inode, dir, &name, &value, &len);
+ err = security_inode_init_security(inode, dir, &head);
if (err) {
if (err == -EOPNOTSUPP)
return 0;
return err;
}
- err = ext3_xattr_set_handle(handle, inode, EXT3_XATTR_INDEX_SECURITY,
- name, value, len, 0);
- kfree(name);
- kfree(value);
+
+ list_for_each_entry_safe(p, n, &head, list) {
+ if (!err)
+ err = ext3_xattr_set_handle(handle, inode,
+ EXT3_XATTR_INDEX_SECURITY,
+ p->name, p->value, p->len, 0);
+ list_del(&p->list);
+ kfree(p->name);
+ kfree(p->value);
+ kfree(p);
+ }
return err;
}
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: [RFC] [PATCH] Stacking support for inode_init_security
2005-08-19 20:47 [RFC] [PATCH] Stacking support for inode_init_security hallyn
@ 2005-09-06 11:42 ` Christoph Hellwig
0 siblings, 0 replies; 2+ messages in thread
From: Christoph Hellwig @ 2005-09-06 11:42 UTC (permalink / raw)
To: hallyn
Cc: linux-fsdevel, linux-security-module, Alexander Viro, Ext2-devel,
Andreas Gruenbacher, Andreas Dilger, Christoph Hellwig,
Andrew Morton, Stephen Tweedie, Stephen Smalley, James Morris,
Chris Wright
On Fri, Aug 19, 2005 at 03:47:12PM -0500, hallyn@serge.ibm.com wrote:
> The following patch changes the (new to -mm) inode_init_security
> function to support multiple LSMs. It does this by placing the
> three passed arguments (name, value, len) into a structure, and
> passing in a list_head, onto which the structure can be appended.
> The callers (filesystems) call their <fs>_xattr_set functions
> on each returned (name, value, len) set.
>
> This is useful both for the stacker LSM, and for any two (or more)
> LSMs which might want to cooperate even without stacker.
>
> I've tested it under a plain selinux-enabled 2.6.13-rc6-mm1 using
> Stephen Smalley's sample exploit originally motivating
> inode_init_security, as well as with a simple 'touch ab; ls -Z ab'.
>
> I've also tested it with a corresponding stacker patch, with
> selinux stacked with two test LSMs which simply define
> inode_init_security. Again, this passed the sample exploit, and
> manually inspecting the .security xattrs gave the expected results.
I'm personally against supporting stacking LSMs, but if the relevant
maintainers decided we really want to have them this patch is nessecary
to support it and thus okay.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2005-09-06 11:42 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2005-08-19 20:47 [RFC] [PATCH] Stacking support for inode_init_security hallyn
2005-09-06 11:42 ` Christoph Hellwig
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).