From: David Howells <dhowells@redhat.com>
To: torvalds@osdl.org, akpm@osdl.org, steved@redhat.com,
trond.myklebust@fys.uio.no
Cc: linux-fsdevel@vger.kernel.org, linux-cachefs@redhat.com,
nfsv4@linux-nfs.org, linux-kernel@vger.kernel.org,
selinux@tycho.nsa.gov
Subject: [PATCH 12/16] CacheFiles: Get the SID under which the CacheFiles module should operate [try #3]
Date: Fri, 10 Aug 2007 17:05:58 +0100 [thread overview]
Message-ID: <20070810160558.24698.11275.stgit@warthog.cambridge.redhat.com> (raw)
In-Reply-To: <20070810160455.24698.30983.stgit@warthog.cambridge.redhat.com>
Get the SID under which the CacheFiles module should operate so that the
SELinux security system can control the accesses it makes.
Signed-Off-By: David Howells <dhowells@redhat.com>
---
include/linux/security.h | 20 ++++++++++++++++++++
security/dummy.c | 7 +++++++
security/selinux/hooks.c | 7 +++++++
3 files changed, 34 insertions(+), 0 deletions(-)
diff --git a/include/linux/security.h b/include/linux/security.h
index a54958a..593a4d0 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -1173,6 +1173,14 @@ struct request_sock;
* previously acting.
* @oldsecid points the location in which to return the displaced security ID.
*
+ * @cachefiles_get_secid:
+ * Determine the security ID for the CacheFiles module to use when
+ * accessing the filesystem containing the cache.
+ * @secid contains the security ID under which cachefiles daemon is
+ * running.
+ * @modsecid contains the pointer to where the security ID for the module
+ * is to be stored.
+ *
* This is the main security structure.
*/
struct security_operations {
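Review bot: The new kerneldoc for @cachefiles_get_secid omits the return convention and does not say whether `*modsecid` is meaningful when the hook fails. The two stubs added by this patch (the !CONFIG_SECURITY inline and dummy_cachefiles_get_secid) store 0 and return 0, while the SELinux implementation returns whatever security_transition_sid() returns and may not write `*modsecid` on error. I would add a line such as `Return 0 on success, in which case @modsecid is valid; on error @modsecid must not be used.` and state what a stored value of 0 means to the caller (presumably "no override"). It is also worth documenting that @secid is taken on trust from the caller, since the hook does not read it from the current task. The comment block begins before this hunk.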
@@ -1361,6 +1369,7 @@ struct security_operations {
int (*set_fscreate_secid)(u32 secid, u32 *oldsecid);
int (*act_as_secid)(u32 secid, u32 *oldsecid);
int (*act_as_self)(u32 *oldsecid);
+ int (*cachefiles_get_secid)(u32 secid, u32 *modsecid);
#ifdef CONFIG_SECURITY_NETWORK
int (*unix_stream_connect) (struct socket * sock,
@@ -2185,6 +2194,11 @@ static inline int security_act_as_self(u32 *oldsecid)
return security_ops->act_as_self(oldsecid);
}
+static inline int security_cachefiles_get_secid(u32 secid, u32 *modsecid)
+{
+ return security_ops->cachefiles_get_secid(secid, modsecid);
+}
+
/* prototypes */
extern int security_init (void);
extern int register_security (struct security_operations *ops);
@@ -2897,6 +2911,12 @@ static inline u32 security_act_as_self(u32 *oldsecid)
return 0;
}
+static inline int security_cachefiles_get_secid(u32 secid, u32 *modsecid)
+{
+ *modsecid = 0;
+ return 0;
+}
+
#endif /* CONFIG_SECURITY */
#ifdef CONFIG_SECURITY_NETWORK
diff --git a/security/dummy.c b/security/dummy.c
index 6be18fe..6e79dd4 100644
--- a/security/dummy.c
+++ b/security/dummy.c
@@ -960,6 +960,12 @@ static int dummy_act_as_self(u32 *oldsecid)
return 0;
}
+static int dummy_cachefiles_get_secid(u32 secid, u32 *modsecid)
+{
+ *modsecid = 0;
+ return 0;
+}
+
#ifdef CONFIG_KEYS
static inline int dummy_key_alloc(struct key *key, struct task_struct *ctx,
unsigned long flags)
@@ -1119,6 +1125,7 @@ void security_fixup_ops (struct security_operations *ops)
set_to_dummy_if_null(ops, set_fscreate_secid);
set_to_dummy_if_null(ops, act_as_secid);
set_to_dummy_if_null(ops, act_as_self);
+ set_to_dummy_if_null(ops, cachefiles_get_secid);
#ifdef CONFIG_SECURITY_NETWORK
set_to_dummy_if_null(ops, unix_stream_connect);
set_to_dummy_if_null(ops, unix_may_send);
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 34646f8..54542b4 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4723,6 +4723,12 @@ static int selinux_act_as_self(u32 *oldsecid)
return 0;
}
+static int selinux_cachefiles_get_secid(u32 secid, u32 *modsecid)
+{
+ return security_transition_sid(secid, SECINITSID_KERNEL,
+ SECCLASS_PROCESS, modsecid);
+}
+
#ifdef CONFIG_KEYS
static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
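Review bot: selinux_cachefiles_get_secid() computes the module SID from whatever `secid` the caller passes and makes no permission check of its own, so it relies on the caller supplying the SID of the task that is really configuring the cache. The result is also entirely policy-dependent: `security_transition_sid()` is asked for a `SECCLASS_PROCESS` transition against `SECINITSID_KERNEL`, and if the loaded policy has no matching transition rule the computed SID presumably falls back to a default derived from the inputs, which may not be the confined label intended for kernel-side cache access. A comment above the function such as `/* @secid must be the cachefiles daemon's SID; policy must define the transition against the kernel initial SID */` would make both assumptions visible. The consumer of this hook is outside this patch and should be checked for an explicit access check before the derived SID is used to override a task's label.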
@@ -4910,6 +4916,7 @@ static struct security_operations selinux_ops = {
.set_fscreate_secid = selinux_set_fscreate_secid,
.act_as_secid = selinux_act_as_secid,
.act_as_self = selinux_act_as_self,
+ .cachefiles_get_secid = selinux_cachefiles_get_secid,
.unix_stream_connect = selinux_socket_unix_stream_connect,
.unix_may_send = selinux_socket_unix_may_send,