From: Vivek Goyal <vgoyal@redhat.com>
To: linux-fsdevel@vger.kernel.org, virtio-fs@redhat.com,
selinux@vger.kernel.org, linux-security-module@vger.kernel.org
Cc: chirantan@chromium.org, vgoyal@redhat.com, miklos@szeredi.hu,
stephen.smalley.work@gmail.com, dwalsh@redhat.com
Subject: [PATCH 0/2] fuse: Send file/inode security context during creation
Date: Fri, 24 Sep 2021 15:24:40 -0400 [thread overview]
Message-ID: <20210924192442.916927-1-vgoyal@redhat.com> (raw)
Hi,
When a file is created (create, mknod, mkdir, symlink), typically file
systems call ecurity_inode_init_security() to initialize security
context of an inode. But this does not very well with remote filesystems
as inode is not there yet. Client will send a creation request to
server and once server has created the file, client will instantiate
the inode.
So filesystems like nfs and ceph use security_dentry_init_security()
instead. This takes in a dentry and returns the security context of
file if any.
These patches call security_dentry_init_security() and send security
label of file along with creation request (FUSE_CREATE, FUSE_MKDIR,
FUSE_MKNOD, FUSE_SYMLINK). This will give server an opportunity
to create new file and also set security label (possibly atomically
where possible).
These patches are based on the work Chirantan Ekbote did some time
back but it never got upstreamed. So I have taken his patches,
made some modifications and posting again.
https://listman.redhat.com/archives/virtio-fs/2020-July/msg00014.html
https://listman.redhat.com/archives/virtio-fs/2020-July/msg00015.html
These patches will allow us to support SELinux on virtiofs.
Vivek Goyal (2):
fuse: Add a flag FUSE_SECURITY_CTX
fuse: Send security context of inode on file creation
fs/fuse/dir.c | 114 ++++++++++++++++++++++++++++++++++++--
fs/fuse/fuse_i.h | 3 +
fs/fuse/inode.c | 4 +-
include/uapi/linux/fuse.h | 20 ++++++-
4 files changed, 134 insertions(+), 7 deletions(-)
--
2.31.1
next reply other threads:[~2021-09-24 19:25 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-24 19:24 Vivek Goyal [this message]
2021-09-24 19:24 ` [PATCH 1/2] fuse: Add a flag FUSE_SECURITY_CTX Vivek Goyal
2021-09-24 19:24 ` [PATCH 2/2] fuse: Send security context of inode on file creation Vivek Goyal
2021-09-24 19:58 ` Casey Schaufler
2021-09-24 20:18 ` Vivek Goyal
2021-09-24 20:54 ` Casey Schaufler
2021-09-24 21:16 ` Vivek Goyal
2021-09-24 21:55 ` Casey Schaufler
2021-09-24 22:00 ` Colin Walters
2021-09-24 23:32 ` Vivek Goyal
2021-09-27 0:53 ` Casey Schaufler
2021-09-27 14:05 ` Vivek Goyal
2021-09-27 15:22 ` Casey Schaufler
2021-09-27 15:56 ` Vivek Goyal
2021-09-27 17:56 ` Casey Schaufler
2021-09-27 19:20 ` Vivek Goyal
2021-09-27 20:19 ` Casey Schaufler
2021-09-27 20:45 ` Vivek Goyal
2021-09-27 21:45 ` Casey Schaufler
2021-09-28 12:49 ` Vivek Goyal
2021-09-28 14:25 ` Casey Schaufler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210924192442.916927-1-vgoyal@redhat.com \
--to=vgoyal@redhat.com \
--cc=chirantan@chromium.org \
--cc=dwalsh@redhat.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=selinux@vger.kernel.org \
--cc=stephen.smalley.work@gmail.com \
--cc=virtio-fs@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).