Re: [PATCH 7/8] SELinux: Create a common helper to determine an inode label

[Stephen Smalley <sds@tycho.nsa.gov>]

On 06/18/2015 11:32 AM, David Howells wrote:
> Stephen Smalley <sds@tycho.nsa.gov> wrote:
> 
>>> Fair point.  What does SBLABEL_MNT mean precisely?  It seems to indicate one
>>> of an odd mix of behaviours.  I presume it means that we *have* to calculate a
>>> label and can't get one from the underlying fs if it is not set.
>>
>> It means the filesystem supports per-file labeling and you can use
>> setxattr(..."security.selinux") and setfscreatecon() for files on it.
>> You can see whether it is set on a filesystem by looking for the
>> seclabel option in cat /proc/mounts.  If it is not set, then we ignore
>> tsec->create_sid.  It is arguable as to whether it is correct to always
>> call security_transition_sid() there either, but that's another topic.
> 
> Okay, so how about the attached?
> 
> David
> ---
> static int selinux_determine_inode_label(const struct inode *dir,
> 					 const struct qstr *name,
> 					 const char *caller,
> 					 u16 tclass,
> 					 u32 *_new_isid)
> {
> 	const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
> 	const struct inode_security_struct *dsec = dir->i_security;
> 	const struct task_security_struct *tsec = current_security();
> 
> 	if ((sbsec->flags & SE_SBINITIALIZED) &&
> 	    (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
> 		*_new_isid = sbsec->mntpoint_sid;
> 	} else if ((sbsec->flags & SBLABEL_MNT) &&
> 		   tsec->create_sid) {
> 		*_new_isid = tsec->create_sid;
> 	} else {
> 		return security_transition_sid(tsec->sid, dsec->sid, tclass,
> 					       name, _new_isid);
> 	}
> 
> 	return 0;
> }

Except you can drop the caller argument now.