From: David Howells <dhowells@redhat.com>
To: Trond.Myklebust@netapp.com
Cc: nfsv4@linux-nfs.org, linux-kernel@vger.kernel.org,
dhowells@redhat.com, linux-security-module@vger.kernel.org,
selinux@tycho.nsa.gov, linux-fsdevel@vger.kernel.org
Subject: [PATCH 08/27] Add a secctx_to_secid() LSM hook to go along with the existing [try #2]
Date: Wed, 23 Jan 2008 17:21:22 +0000 [thread overview]
Message-ID: <20080123172121.11107.96242.stgit@warthog.procyon.org.uk> (raw)
In-Reply-To: <20080123172038.11107.86025.stgit@warthog.procyon.org.uk>
secid_to_secctx() LSM hook. This patch also includes the SELinux
implementation for this hook.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
---
include/linux/security.h | 13 +++++++++++++
security/dummy.c | 6 ++++++
security/security.c | 6 ++++++
security/selinux/hooks.c | 6 ++++++
4 files changed, 31 insertions(+), 0 deletions(-)
diff --git a/include/linux/security.h b/include/linux/security.h
index b7ba073..e8f2f2d 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -1200,6 +1200,10 @@ struct request_sock;
* Convert secid to security context.
* @secid contains the security ID.
* @secdata contains the pointer that stores the converted security context.
+ * @secctx_to_secid:
+ * Convert security context to secid.
+ * @secid contains the pointer to the generated security ID.
+ * @secdata contains the security context.
*
* @release_secctx:
* Release the security context.
@@ -1389,6 +1393,7 @@ struct security_operations {
int (*getprocattr)(struct task_struct *p, char *name, char **value);
int (*setprocattr)(struct task_struct *p, char *name, void *value, size_t size);
int (*secid_to_secctx)(u32 secid, char **secdata, u32 *seclen);
+ int (*secctx_to_secid)(char *secdata, u32 seclen, u32 *secid);
void (*release_secctx)(char *secdata, u32 seclen);
#ifdef CONFIG_SECURITY_NETWORK
@@ -1623,6 +1628,7 @@ int security_setprocattr(struct task_struct *p, char *name, void *value, size_t
int security_netlink_send(struct sock *sk, struct sk_buff *skb);
int security_netlink_recv(struct sk_buff *skb, int cap);
int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
+int security_secctx_to_secid(char *secdata, u32 seclen, u32 *secid);
void security_release_secctx(char *secdata, u32 seclen);
#else /* CONFIG_SECURITY */
@@ -2305,6 +2311,13 @@ static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *secle
return -EOPNOTSUPP;
}
+static inline int security_secctx_to_secid(char *secdata,
+ u32 seclen,
+ u32 *secid)
+{
+ return -EOPNOTSUPP;
+}
+
static inline void security_release_secctx(char *secdata, u32 seclen)
{
}
diff --git a/security/dummy.c b/security/dummy.c
index 6f97089..72f1666 100644
--- a/security/dummy.c
+++ b/security/dummy.c
@@ -943,6 +943,11 @@ static int dummy_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
return -EOPNOTSUPP;
}
+static int dummy_secctx_to_secid(char *secdata, u32 seclen, u32 *secid)
+{
+ return -EOPNOTSUPP;
+}
+
static void dummy_release_secctx(char *secdata, u32 seclen)
{
}
@@ -1109,6 +1114,7 @@ void security_fixup_ops (struct security_operations *ops)
set_to_dummy_if_null(ops, getprocattr);
set_to_dummy_if_null(ops, setprocattr);
set_to_dummy_if_null(ops, secid_to_secctx);
+ set_to_dummy_if_null(ops, secctx_to_secid);
set_to_dummy_if_null(ops, release_secctx);
#ifdef CONFIG_SECURITY_NETWORK
set_to_dummy_if_null(ops, unix_stream_connect);
diff --git a/security/security.c b/security/security.c
index 92d66d6..1ef4908 100644
--- a/security/security.c
+++ b/security/security.c
@@ -821,6 +821,12 @@ int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
}
EXPORT_SYMBOL(security_secid_to_secctx);
+int security_secctx_to_secid(char *secdata, u32 seclen, u32 *secid)
+{
+ return security_ops->secctx_to_secid(secdata, seclen, secid);
+}
+EXPORT_SYMBOL(security_secctx_to_secid);
+
void security_release_secctx(char *secdata, u32 seclen)
{
return security_ops->release_secctx(secdata, seclen);
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 20a6b55..1d3eab7 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4734,6 +4734,11 @@ static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
return security_sid_to_context(secid, secdata, seclen);
}
+static int selinux_secctx_to_secid(char *secdata, u32 seclen, u32 *secid)
+{
+ return security_context_to_sid(secdata, seclen, secid);
+}
+
static void selinux_release_secctx(char *secdata, u32 seclen)
{
kfree(secdata);
@@ -4937,6 +4942,7 @@ static struct security_operations selinux_ops = {
.setprocattr = selinux_setprocattr,
.secid_to_secctx = selinux_secid_to_secctx,
+ .secctx_to_secid = selinux_secctx_to_secid,
.release_secctx = selinux_release_secctx,
.unix_stream_connect = selinux_socket_unix_stream_connect,
next prev parent reply other threads:[~2008-01-23 17:21 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-01-23 17:20 [PATCH 00/27] Permit filesystem local caching [try #2] David Howells
2008-01-23 17:20 ` [PATCH 01/27] KEYS: Increase the payload size when instantiating a key " David Howells
2008-01-23 17:20 ` [PATCH 02/27] KEYS: Check starting keyring as part of search " David Howells
2008-01-23 17:20 ` [PATCH 03/27] KEYS: Allow the callout data to be passed as a blob rather than a string " David Howells
2008-01-23 17:21 ` [PATCH 04/27] KEYS: Add keyctl function to get a security label " David Howells
2008-01-23 17:21 ` [PATCH 05/27] Security: Change current->fs[ug]id to current_fs[ug]id() " David Howells
2008-01-23 17:21 ` [PATCH 06/27] Security: Separate task security context from task_struct " David Howells
2008-01-23 17:21 ` [PATCH 07/27] Security: De-embed task security record from task and use refcounting " David Howells
2008-01-23 17:21 ` David Howells [this message]
2008-01-23 17:21 ` [PATCH 09/27] Security: Pre-add additional non-caching classes " David Howells
2008-01-23 17:21 ` [PATCH 10/27] Security: Add a kernel_service object class to SELinux " David Howells
2008-01-23 17:21 ` [PATCH 11/27] Security: Allow kernel services to override LSM settings for task actions " David Howells
2008-01-23 17:21 ` [PATCH 12/27] Security: Make NFSD work with detached security " David Howells
2008-01-23 17:21 ` [PATCH 13/27] FS-Cache: Release page->private after failed readahead " David Howells
2008-01-23 17:21 ` [PATCH 14/27] FS-Cache: Recruit a couple of page flags for cache management " David Howells
2008-01-23 17:21 ` [PATCH 15/27] FS-Cache: Provide an add_wait_queue_tail() function " David Howells
2008-01-23 17:22 ` [PATCH 16/27] FS-Cache: Generic filesystem caching facility " David Howells
2008-01-23 17:22 ` [PATCH 17/27] CacheFiles: Add missing copy_page export for ia64 " David Howells
2008-01-23 17:22 ` [PATCH 18/27] CacheFiles: Be consistent about the use of mapping vs file->f_mapping in Ext3 " David Howells
2008-01-23 17:22 ` [PATCH 19/27] CacheFiles: Add a hook to write a single page of data to an inode " David Howells
2008-01-23 17:22 ` [PATCH 20/27] CacheFiles: Permit the page lock state to be monitored " David Howells
2008-01-23 17:22 ` [PATCH 21/27] CacheFiles: Export things for CacheFiles " David Howells
2008-01-23 17:22 ` [PATCH 22/27] CacheFiles: A cache that backs onto a mounted filesystem " David Howells
2008-01-23 17:22 ` [PATCH 23/27] NFS: Fix memory leak " David Howells
2008-01-24 21:15 ` Trond Myklebust
2008-01-23 17:22 ` [PATCH 24/27] NFS: Use local caching " David Howells
2008-01-24 21:08 ` Trond Myklebust
2008-01-24 21:22 ` Chuck Lever
2008-01-30 3:25 ` David Howells
2008-01-30 6:46 ` Trond Myklebust
2008-01-30 22:36 ` Chuck Lever
2008-01-31 23:29 ` David Howells
2008-02-07 10:57 ` David Howells
2008-01-23 17:22 ` [PATCH 25/27] NFS: Configuration and mount option changes to enable local caching on NFS " David Howells
2008-01-24 21:14 ` Trond Myklebust
2008-01-23 17:22 ` [PATCH 26/27] NFS: Display local caching state " David Howells
2008-01-23 17:23 ` [PATCH 27/27] NFS: Separate caching by superblock, explicitly if necessary " David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20080123172121.11107.96242.stgit@warthog.procyon.org.uk \
--to=dhowells@redhat.com \
--cc=Trond.Myklebust@netapp.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=nfsv4@linux-nfs.org \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).