From: Vivek Goyal <vgoyal@redhat.com>
To: Paul Moore <paul@paul-moore.com>
Cc: James Morris <jmorris@namei.org>,
linux-security-module@vger.kernel.org, selinux@vger.kernel.org,
Serge Hallyn <serge@hallyn.com>,
linux-fsdevel@vger.kernel.org, virtio-fs@redhat.com,
Miklos Szeredi <miklos@szeredi.hu>, Dan Walsh <dwalsh@redhat.com>,
jlayton@kernel.org, idryomov@gmail.com,
ceph-devel@vger.kernel.org, linux-nfs@vger.kernel.org,
bfields@fieldses.org, chuck.lever@oracle.com,
anna.schumaker@netapp.com, trond.myklebust@hammerspace.com,
Stephen Smalley <stephen.smalley.work@gmail.com>,
casey@schaufler-ca.com, Ondrej Mosnacek <omosnace@redhat.com>
Subject: Re: [PATCH v2] security: Return xattr name from security_dentry_init_security()
Date: Wed, 20 Oct 2021 08:31:27 -0400 [thread overview]
Message-ID: <YXAMH1nyfM+IA4Ce@redhat.com> (raw)
In-Reply-To: <CAHC9VhRv8xOoPtfpSYSvUrcHUjhqQWw5LiDSfwR2f4VJ=9Qr8Q@mail.gmail.com>
On Wed, Oct 20, 2021 at 08:24:44AM -0400, Paul Moore wrote:
> On Tue, Oct 12, 2021 at 9:23 AM Vivek Goyal <vgoyal@redhat.com> wrote:
> >
> > Right now security_dentry_init_security() only supports single security
> > label and is used by SELinux only. There are two users of of this hook,
> > namely ceph and nfs.
> >
> > NFS does not care about xattr name. Ceph hardcodes the xattr name to
> > security.selinux (XATTR_NAME_SELINUX).
> >
> > I am making changes to fuse/virtiofs to send security label to virtiofsd
> > and I need to send xattr name as well. I also hardcoded the name of
> > xattr to security.selinux.
> >
> > Stephen Smalley suggested that it probably is a good idea to modify
> > security_dentry_init_security() to also return name of xattr so that
> > we can avoid this hardcoding in the callers.
> >
> > This patch adds a new parameter "const char **xattr_name" to
> > security_dentry_init_security() and LSM puts the name of xattr
> > too if caller asked for it (xattr_name != NULL).
> >
> > Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
> > Reviewed-by: Jeff Layton <jlayton@kernel.org>
> > ---
> >
> > Changes since v1:
> > - Updated comment to make it clear caller does not have to free the
> > xattr_name. (Jeff Layton).
> > - Captured Jeff's Reviewed-by ack.
> >
> > I have tested this patch with virtiofs and compile tested for ceph and nfs.
> >
> > NFS changes are trivial. Looking for an ack from NFS maintainers.
> >
> > ---
> > fs/ceph/xattr.c | 3 +--
> > fs/nfs/nfs4proc.c | 3 ++-
> > include/linux/lsm_hook_defs.h | 3 ++-
> > include/linux/lsm_hooks.h | 3 +++
> > include/linux/security.h | 6 ++++--
> > security/security.c | 7 ++++---
> > security/selinux/hooks.c | 6 +++++-
> > 7 files changed, 21 insertions(+), 10 deletions(-)
>
> This looks fine to me and considering the trivial nature of the NFS
> changes I'm okay with merging this without an explicit ACK from the
> NFS folks. Similarly, I generally dislike merging new functionality
> once we hit -rc6, but this is trivial enough that I think it's okay;
> I'm merging this into selinux/next now, thanks everyone.
Thanks Paul. I agree that this a trivial fix with no functionality
change and probability of this breaking something is very very low.
Vivek
prev parent reply other threads:[~2021-10-20 12:31 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-12 13:23 [PATCH v2] security: Return xattr name from security_dentry_init_security() Vivek Goyal
2021-10-15 9:07 ` Christian Brauner
2021-10-18 12:35 ` Vivek Goyal
2021-10-19 20:52 ` James Morris
2021-10-19 23:49 ` Paul Moore
2021-10-20 12:24 ` Paul Moore
2021-10-20 12:31 ` Vivek Goyal [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YXAMH1nyfM+IA4Ce@redhat.com \
--to=vgoyal@redhat.com \
--cc=anna.schumaker@netapp.com \
--cc=bfields@fieldses.org \
--cc=casey@schaufler-ca.com \
--cc=ceph-devel@vger.kernel.org \
--cc=chuck.lever@oracle.com \
--cc=dwalsh@redhat.com \
--cc=idryomov@gmail.com \
--cc=jlayton@kernel.org \
--cc=jmorris@namei.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=omosnace@redhat.com \
--cc=paul@paul-moore.com \
--cc=selinux@vger.kernel.org \
--cc=serge@hallyn.com \
--cc=stephen.smalley.work@gmail.com \
--cc=trond.myklebust@hammerspace.com \
--cc=virtio-fs@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).