[PATCH 1/3] selinux: make dentry_init_security() return security module name

linux-security-module.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: jlayton@kernel.org (Jeff Layton)
To: linux-security-module@vger.kernel.org
Subject: [PATCH 1/3] selinux: make dentry_init_security() return security module name
Date: Thu, 06 Sep 2018 11:08:39 -0400	[thread overview]
Message-ID: <356ec32809a222f457b4e04333bb695c32d49680.camel@kernel.org> (raw)
In-Reply-To: <20180626084306.27511-1-zyan@redhat.com>

On Tue, 2018-06-26 at 16:43 +0800, Yan, Zheng wrote:
> This is preparation for CephFS security label. CephFS's implementation uses
> dentry_init_security() to get security context before inode is created,
> then sends open/mkdir/mknod request to MDS, together with security xattr
> "security.<security module name>"
> 
> Signed-off-by: "Yan, Zheng" <zyan@redhat.com>
> ---
>  fs/nfs/nfs4proc.c         | 3 ++-
>  include/linux/lsm_hooks.h | 4 ++--
>  include/linux/security.h  | 9 +++++----
>  security/security.c       | 7 ++++---
>  security/selinux/hooks.c  | 8 ++++++--
>  5 files changed, 19 insertions(+), 12 deletions(-)
> 
> diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
> index 6dd146885da9..d18a5fb7aec3 100644
> --- a/fs/nfs/nfs4proc.c
> +++ b/fs/nfs/nfs4proc.c
> @@ -122,7 +122,8 @@ nfs4_label_init_security(struct inode *dir, struct dentry *dentry,
>  		return NULL;
>  
>  	err = security_dentry_init_security(dentry, sattr->ia_mode,
> -				&dentry->d_name, (void **)&label->label, &label->len);
> +				&dentry->d_name,  NULL,
> +				(void **)&label->label, &label->len);
>  	if (err == 0)
>  		return label;
>  
> diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
> index 8f1131c8dd54..e176c2032bdc 100644
> --- a/include/linux/lsm_hooks.h
> +++ b/include/linux/lsm_hooks.h
> @@ -1476,8 +1476,8 @@ union security_list_options {
>  					unsigned long *set_kern_flags);
>  	int (*sb_parse_opts_str)(char *options, struct security_mnt_opts *opts);
>  	int (*dentry_init_security)(struct dentry *dentry, int mode,
> -					const struct qstr *name, void **ctx,
> -					u32 *ctxlen);
> +					const struct qstr *name, const char **label,
> +					void **ctx, u32 *ctxlen);
>  	int (*dentry_create_files_as)(struct dentry *dentry, int mode,
>  					struct qstr *name,
>  					const struct cred *old,
> diff --git a/include/linux/security.h b/include/linux/security.h
> index 63030c85ee19..df2d73998c64 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -246,8 +246,9 @@ int security_sb_clone_mnt_opts(const struct super_block *oldsb,
>  				unsigned long *set_kern_flags);
>  int security_sb_parse_opts_str(char *options, struct security_mnt_opts *opts);
>  int security_dentry_init_security(struct dentry *dentry, int mode,
> -					const struct qstr *name, void **ctx,
> -					u32 *ctxlen);
> +					const struct qstr *name,
> +					const char **label,
> +					void **ctx, u32 *ctxlen);
>  int security_dentry_create_files_as(struct dentry *dentry, int mode,
>  					struct qstr *name,
>  					const struct cred *old,
> @@ -609,8 +610,8 @@ static inline void security_inode_free(struct inode *inode)
>  static inline int security_dentry_init_security(struct dentry *dentry,
>  						 int mode,
>  						 const struct qstr *name,
> -						 void **ctx,
> -						 u32 *ctxlen)
> +						 const char **label,
> +						 void **ctx, u32 *ctxlen)
>  {
>  	return -EOPNOTSUPP;
>  }
> diff --git a/security/security.c b/security/security.c
> index 68f46d849abe..69818d46aa28 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -450,11 +450,12 @@ void security_inode_free(struct inode *inode)
>  }
>  
>  int security_dentry_init_security(struct dentry *dentry, int mode,
> -					const struct qstr *name, void **ctx,
> -					u32 *ctxlen)
> +					const struct qstr *name,
> +					const char **label,
> +					void **ctx, u32 *ctxlen)
>  {
>  	return call_int_hook(dentry_init_security, -EOPNOTSUPP, dentry, mode,
> -				name, ctx, ctxlen);
> +				name, label, ctx, ctxlen);
>  }
>  EXPORT_SYMBOL(security_dentry_init_security);
>  
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 2b5ee5fbd652..eca3879d9357 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -2985,8 +2985,9 @@ static void selinux_inode_free_security(struct inode *inode)
>  }
>  
>  static int selinux_dentry_init_security(struct dentry *dentry, int mode,
> -					const struct qstr *name, void **ctx,
> -					u32 *ctxlen)
> +					const struct qstr *name,
> +					const char **label,
> +					void **ctx, u32 *ctxlen)
>  {
>  	u32 newsid;
>  	int rc;
> @@ -2998,6 +2999,9 @@ static int selinux_dentry_init_security(struct dentry *dentry, int mode,
>  	if (rc)
>  		return rc;
>  
> +	if (label)
> +		*label = XATTR_SELINUX_SUFFIX;
> +

nit: I'd probably call this "name" since that's what it's called in
selinux_inode_init_security. "label" has a different connotation in this
context.

>  	return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
>  				       ctxlen);
>  }

Patch looks reasonable to me though.

Acked-by: Jeff Layton <jlayton@kernel.org>

next prev parent reply	other threads:[~2018-09-06 15:08 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-06-26  8:43 [PATCH 1/3] selinux: make dentry_init_security() return security module name Yan, Zheng
2018-06-26  8:43 ` [PATCH 2/3] ceph: rename struct ceph_acls_info to ceph_acl_sec_ctx Yan, Zheng
2018-09-06 15:14   ` Jeff Layton
2018-06-26  8:43 ` [PATCH 3/3] ceph: xattr security label support Yan, Zheng
2018-09-06 15:50   ` Jeff Layton
2018-09-06 16:05     ` Jeff Layton
2018-06-26 13:28 ` [PATCH 1/3] selinux: make dentry_init_security() return security module name Stephen Smalley
2018-06-26 15:32   ` Yan, Zheng
2018-06-26 16:21 ` Casey Schaufler
2018-06-27  1:46   ` Yan, Zheng
2018-09-06 15:08 ` Jeff Layton [this message]
2018-09-06 15:39   ` Casey Schaufler
2018-09-07  8:31     ` Yan, Zheng
2018-09-07 20:31       ` Casey Schaufler
2018-09-10  3:06         ` Yan, Zheng
2018-09-11 17:23           ` Casey Schaufler
2018-09-12  1:14             ` Yan, Zheng
  -- strict thread matches above, loose matches on Subject: below --
2018-06-26  8:04 Yan, Zheng

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=356ec32809a222f457b4e04333bb695c32d49680.camel@kernel.org \
    --to=jlayton@kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).