From: "Serge E. Hallyn" <serue@us.ibm.com>
To: "David P. Quigley" <dpquigl@tycho.nsa.gov>
Cc: hch@infradead.org, viro@zeniv.linux.org.uk,
casey@schaufler-ca.com, sds@tycho.nsa.gov,
matthew.dodd@sparta.com, trond.myklebust@fys.uio.no,
bfields@fieldses.org, linux-kernel@vger.kernel.org,
linux-fsdevel@vger.kernel.org,
linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov,
labeled-nfs@linux-nfs.org
Subject: Re: [PATCH 02/14] LSM/SELinux: inode_{get,set,notify}secctx hooks to access LSM security context information.
Date: Tue, 30 Sep 2008 15:22:11 -0500 [thread overview]
Message-ID: <20080930202211.GD21039@us.ibm.com> (raw)
In-Reply-To: <1222707986-26606-3-git-send-email-dpquigl@tycho.nsa.gov>
Quoting David P. Quigley (dpquigl@tycho.nsa.gov):
> This patch introduces three new hooks. The inode_getsecctx hook is used to get
> all relevant information from an LSM about an inode. The inode_setsecctx is
> used to set both the in-core and on-disk state for the inode based on a context
> derived from inode_getsecctx.The final hook inode_notifysecctx will notify the
> LSM of a change for the in-core state of the inode in question. These hooks are
> for use in the labeled NFS code and addresses concerns of how to set security
> on an inode in a multi-xattr LSM. For historical reasons Stephen Smalley's
> explanation of the reason for these hooks is pasted below.
>
> Quote Stephen Smalley
>
> inode_setsecctx: Change the security context of an inode. Updates the
> in core security context managed by the security module and invokes the
> fs code as needed (via __vfs_setxattr_noperm) to update any backing
> xattrs that represent the context. Example usage: NFS server invokes
> this hook to change the security context in its incore inode and on the
> backing file system to a value provided by the client on a SETATTR
> operation.
>
> inode_notifysecctx: Notify the security module of what the security
> context of an inode should be. Initializes the incore security context
> managed by the security module for this inode. Example usage: NFS
> client invokes this hook to initialize the security context in its
> incore inode to the value provided by the server for the file when the
> server returned the file's attributes to the client.
>
> Signed-off-by: Matthew N. Dodd <Matthew.Dodd@sparta.com>
> Signed-off-by: David P. Quigley <dpquigl@tycho.nsa.gov>
Hmm, sorry, for all of these new hooks which you introduce, you do not
define empty cap_* versions and assign them when need in
security_fixup_ops(). But you unconditionally call them if
CONFIG_SECURITY=y. So if you compile a kernel with CONFIG_SECURITY=y
but CONFIG_SECURITY_SELINUX=n, don't you hose your box?
> ---
> include/linux/security.h | 50 ++++++++++++++++++++++++++++++++++++++++++++++
> security/security.c | 18 ++++++++++++++++
> security/selinux/hooks.c | 25 +++++++++++++++++++++++
> 3 files changed, 93 insertions(+), 0 deletions(-)
>
> diff --git a/include/linux/security.h b/include/linux/security.h
> index 80c4d00..8b5b041 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -1289,6 +1289,36 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
> * audit_rule_init.
> * @rule contains the allocated rule
> *
> + * @inode_notifysecctx:
> + * Notify the security module of what the security context of an inode
> + * should be. Initializes the incore security context managed by the
> + * security module for this inode. Example usage: NFS client invokes
> + * this hook to initialize the security context in its incore inode to the
> + * value provided by the server for the file when the server returned the
> + * file's attributes to the client.
> + *
> + * @inode we wish to set the security context of.
> + * @ctx contains the string which we wish to set in the inode.
> + * @ctxlen contains the length of @ctx.
> + *
> + * @inode_setsecctx:
> + * Change the security context of an inode. Updates the
> + * incore security context managed by the security module and invokes the
> + * fs code as needed (via __vfs_setxattr_noperm) to update any backing
> + * xattrs that represent the context. Example usage: NFS server invokes
> + * this hook to change the security context in its incore inode and on the
> + * backing filesystem to a value provided by the client on a SETATTR
> + * operation.
> + *
> + * @dentry contains the inode we wish to set the security context of.
> + * @ctx contains the string which we wish to set in the inode.
> + * @ctxlen contains the length of @ctx.
> + *
> + * @inode_getsecctx:
> + * Returns a string containing all relavent security context information
> + * @inode we wish to set the security context of.
> + * @ctx is a pointer to place the allocated security context should be placed.
> + * @ctxlen points to the place to put the length of @ctx.
> * This is the main security structure.
> */
> struct security_operations {
> @@ -1479,6 +1509,10 @@ struct security_operations {
> int (*secctx_to_secid) (const char *secdata, u32 seclen, u32 *secid);
> void (*release_secctx) (char *secdata, u32 seclen);
>
> + int (*inode_notifysecctx)(struct inode *inode, void *ctx, u32 ctxlen);
> + int (*inode_setsecctx)(struct dentry *dentry, void *ctx, u32 ctxlen);
> + int (*inode_getsecctx)(struct inode *inode, void **ctx, u32 *ctxlen);
> +
> #ifdef CONFIG_SECURITY_NETWORK
> int (*unix_stream_connect) (struct socket *sock,
> struct socket *other, struct sock *newsk);
> @@ -1727,6 +1761,9 @@ int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
> int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid);
> void security_release_secctx(char *secdata, u32 seclen);
>
> +int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen);
> +int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
> +int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen);
> #else /* CONFIG_SECURITY */
> struct security_mnt_opts {
> };
> @@ -2458,6 +2495,19 @@ static inline int security_secctx_to_secid(const char *secdata,
> static inline void security_release_secctx(char *secdata, u32 seclen)
> {
> }
> +
> +static inline int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
> +{
> + return -EOPNOTSUPP;
> +}
> +static inline int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
> +{
> + return -EOPNOTSUPP;
> +}
> +static inline int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
> +{
> + return -EOPNOTSUPP;
> +}
> #endif /* CONFIG_SECURITY */
>
> #ifdef CONFIG_SECURITY_NETWORK
> diff --git a/security/security.c b/security/security.c
> index 3a4b4f5..d0fd42a 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -869,6 +869,24 @@ void security_release_secctx(char *secdata, u32 seclen)
> }
> EXPORT_SYMBOL(security_release_secctx);
>
> +int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
> +{
> + return security_ops->inode_notifysecctx(inode, ctx, ctxlen);
> +}
> +EXPORT_SYMBOL(security_inode_notifysecctx);
> +
> +int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
> +{
> + return security_ops->inode_setsecctx(dentry, ctx, ctxlen);
> +}
> +EXPORT_SYMBOL(security_inode_setsecctx);
> +
> +int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
> +{
> + return security_ops->inode_getsecctx(inode, ctx, ctxlen);
> +}
> +EXPORT_SYMBOL(security_inode_getsecctx);
> +
> #ifdef CONFIG_SECURITY_NETWORK
>
> int security_unix_stream_connect(struct socket *sock, struct socket *other,
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 03fc6a8..b07871b 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -5285,6 +5285,28 @@ static void selinux_release_secctx(char *secdata, u32 seclen)
> kfree(secdata);
> }
>
> +/*
> + * This hook requires that the inode i_mutex be locked
> + */
> +static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
> +{
> + return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
> +}
> +
> +/*
> + * This hook requires that the inode i_mutex be locked
> + */
> +static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
> +{
> + return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
> +}
> +
> +static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
> +{
> + *ctxlen = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
> + ctx, true);
> + return *ctxlen;
> +}
> #ifdef CONFIG_KEYS
>
> static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
> @@ -5491,6 +5513,9 @@ static struct security_operations selinux_ops = {
> .secid_to_secctx = selinux_secid_to_secctx,
> .secctx_to_secid = selinux_secctx_to_secid,
> .release_secctx = selinux_release_secctx,
> + .inode_notifysecctx = selinux_inode_notifysecctx,
> + .inode_setsecctx = selinux_inode_setsecctx,
> + .inode_getsecctx = selinux_inode_getsecctx,
>
> .unix_stream_connect = selinux_socket_unix_stream_connect,
> .unix_may_send = selinux_socket_unix_may_send,
> --
> 1.5.5.1
>
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2008-09-30 20:22 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-09-29 17:06 [RFC v3] Security Label Support for NFSv4 David P. Quigley
2008-09-29 17:06 ` [PATCH 01/14] VFS: Factor out part of vfs_setxattr so it can be called from the SELinux hook for inode_setsecctx David P. Quigley
2008-09-30 19:51 ` Serge E. Hallyn
[not found] ` <1222707986-26606-1-git-send-email-dpquigl-+05T5uksL2qpZYMLLGbcSA@public.gmane.org>
2008-09-29 17:06 ` [PATCH 02/14] LSM/SELinux: inode_{get,set,notify}secctx hooks to access LSM security context information David P. Quigley
2008-09-30 20:01 ` Serge E. Hallyn
2008-10-06 20:52 ` David P. Quigley
2008-09-30 20:22 ` Serge E. Hallyn [this message]
2008-10-06 20:52 ` David P. Quigley
2008-09-29 17:06 ` [PATCH 03/14] Security: Add hook to calculate context based on a negative dentry David P. Quigley
2008-09-30 20:15 ` Serge E. Hallyn
[not found] ` <20080930201524.GC21039-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2008-10-10 17:54 ` David P. Quigley
2008-10-10 18:26 ` Serge E. Hallyn
2008-09-29 17:06 ` [PATCH 04/14] Security: Add Hook to test if the particular xattr is part of a MAC model David P. Quigley
2008-09-29 17:06 ` [PATCH 07/14] NFSv4: Add label recommended attribute and NFSv4 flags David P. Quigley
2008-09-29 17:06 ` [PATCH 08/14] NFS: Add security_label text mount option and handling code to NFS David P. Quigley
2008-09-29 17:06 ` [PATCH 09/14] NFS: Introduce lifecycle management for label attribute David P. Quigley
2008-09-29 17:06 ` [PATCH 12/14] NFS: Client implementation of Labeled-NFS David P. Quigley
2008-09-29 17:06 ` [PATCH 13/14] NFS: Extend NFS xattr handlers to accept the security namespace David P. Quigley
2008-09-29 17:06 ` [PATCH 14/14] NFSD: Server implementation of MAC Labeling David P. Quigley
2008-09-29 17:06 ` [PATCH 05/14] SELinux: Add new labeling type native labels David P. Quigley
2008-09-29 17:06 ` [PATCH 06/14] KConfig: Add KConfig entries for Labeled NFS David P. Quigley
2008-09-30 20:40 ` Serge E. Hallyn
2008-09-29 17:06 ` [PATCH 10/14] NFSv4: Introduce new label structure David P. Quigley
2008-09-29 17:06 ` [PATCH 11/14] NFS/RPC: Add the auth_seclabel security flavor to allow the process label to be sent to the server David P. Quigley
2008-10-03 14:23 ` Andy Whitcroft
2008-10-03 15:44 ` Matthew N. Dodd
2008-10-13 23:31 ` [RFC v3] Security Label Support for NFSv4 James Morris
2008-10-14 2:15 ` [Labeled-nfs] " Matthew N. Dodd
2008-10-14 13:20 ` Trond Myklebust
2008-10-14 14:28 ` David P. Quigley
-- strict thread matches above, loose matches on Subject: below --
2008-09-15 20:41 [RFC] Labeled NFS Take 2 David P. Quigley
2008-09-15 20:41 ` [PATCH 02/14] LSM/SELinux: inode_{get,set,notify}secctx hooks to access LSM security context information David P. Quigley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20080930202211.GD21039@us.ibm.com \
--to=serue@us.ibm.com \
--cc=bfields@fieldses.org \
--cc=casey@schaufler-ca.com \
--cc=dpquigl@tycho.nsa.gov \
--cc=hch@infradead.org \
--cc=labeled-nfs@linux-nfs.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=matthew.dodd@sparta.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
--cc=trond.myklebust@fys.uio.no \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).