From: James Morris <jmorris@namei.org>
To: David Howells <dhowells@redhat.com>
Cc: sds@tycho.nsa.gov, casey@schaufler-ca.com,
Trond.Myklebust@netapp.com, npiggin@suse.de,
linux-kernel@vger.kernel.org, selinux@tycho.nsa.gov,
linux-security-module@vger.kernel.org
Subject: Re: [PATCH 08/26] Add a secctx_to_secid() LSM hook to go along with the existing
Date: Wed, 16 Jan 2008 12:05:27 +1100 (EST) [thread overview]
Message-ID: <Xine.LNX.4.64.0801161204470.24959@us.intercode.com.au> (raw)
In-Reply-To: <20080115234735.22183.36356.stgit@warthog.procyon.org.uk>
On Tue, 15 Jan 2008, David Howells wrote:
> secid_to_secctx() LSM hook. This patch also includes the SELinux
> implementation for this hook.
>
> Signed-off-by: Paul Moore <paul.moore@hp.com>
> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
This is useful in its own right, and I would like to push it upstream for
2.6.24 unless there are any objections.
> ---
>
> include/linux/security.h | 13 +++++++++++++
> security/dummy.c | 6 ++++++
> security/security.c | 6 ++++++
> security/selinux/hooks.c | 6 ++++++
> 4 files changed, 31 insertions(+), 0 deletions(-)
>
>
> diff --git a/include/linux/security.h b/include/linux/security.h
> index b7ba073..e8f2f2d 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -1200,6 +1200,10 @@ struct request_sock;
> * Convert secid to security context.
> * @secid contains the security ID.
> * @secdata contains the pointer that stores the converted security context.
> + * @secctx_to_secid:
> + * Convert security context to secid.
> + * @secid contains the pointer to the generated security ID.
> + * @secdata contains the security context.
> *
> * @release_secctx:
> * Release the security context.
> @@ -1389,6 +1393,7 @@ struct security_operations {
> int (*getprocattr)(struct task_struct *p, char *name, char **value);
> int (*setprocattr)(struct task_struct *p, char *name, void *value, size_t size);
> int (*secid_to_secctx)(u32 secid, char **secdata, u32 *seclen);
> + int (*secctx_to_secid)(char *secdata, u32 seclen, u32 *secid);
> void (*release_secctx)(char *secdata, u32 seclen);
>
> #ifdef CONFIG_SECURITY_NETWORK
> @@ -1623,6 +1628,7 @@ int security_setprocattr(struct task_struct *p, char *name, void *value, size_t
> int security_netlink_send(struct sock *sk, struct sk_buff *skb);
> int security_netlink_recv(struct sk_buff *skb, int cap);
> int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
> +int security_secctx_to_secid(char *secdata, u32 seclen, u32 *secid);
> void security_release_secctx(char *secdata, u32 seclen);
>
> #else /* CONFIG_SECURITY */
> @@ -2305,6 +2311,13 @@ static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *secle
> return -EOPNOTSUPP;
> }
>
> +static inline int security_secctx_to_secid(char *secdata,
> + u32 seclen,
> + u32 *secid)
> +{
> + return -EOPNOTSUPP;
> +}
> +
> static inline void security_release_secctx(char *secdata, u32 seclen)
> {
> }
> diff --git a/security/dummy.c b/security/dummy.c
> index 6f97089..72f1666 100644
> --- a/security/dummy.c
> +++ b/security/dummy.c
> @@ -943,6 +943,11 @@ static int dummy_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
> return -EOPNOTSUPP;
> }
>
> +static int dummy_secctx_to_secid(char *secdata, u32 seclen, u32 *secid)
> +{
> + return -EOPNOTSUPP;
> +}
> +
> static void dummy_release_secctx(char *secdata, u32 seclen)
> {
> }
> @@ -1109,6 +1114,7 @@ void security_fixup_ops (struct security_operations *ops)
> set_to_dummy_if_null(ops, getprocattr);
> set_to_dummy_if_null(ops, setprocattr);
> set_to_dummy_if_null(ops, secid_to_secctx);
> + set_to_dummy_if_null(ops, secctx_to_secid);
> set_to_dummy_if_null(ops, release_secctx);
> #ifdef CONFIG_SECURITY_NETWORK
> set_to_dummy_if_null(ops, unix_stream_connect);
> diff --git a/security/security.c b/security/security.c
> index 92d66d6..1ef4908 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -821,6 +821,12 @@ int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
> }
> EXPORT_SYMBOL(security_secid_to_secctx);
>
> +int security_secctx_to_secid(char *secdata, u32 seclen, u32 *secid)
> +{
> + return security_ops->secctx_to_secid(secdata, seclen, secid);
> +}
> +EXPORT_SYMBOL(security_secctx_to_secid);
> +
> void security_release_secctx(char *secdata, u32 seclen)
> {
> return security_ops->release_secctx(secdata, seclen);
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 20a6b55..1d3eab7 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -4734,6 +4734,11 @@ static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
> return security_sid_to_context(secid, secdata, seclen);
> }
>
> +static int selinux_secctx_to_secid(char *secdata, u32 seclen, u32 *secid)
> +{
> + return security_context_to_sid(secdata, seclen, secid);
> +}
> +
> static void selinux_release_secctx(char *secdata, u32 seclen)
> {
> kfree(secdata);
> @@ -4937,6 +4942,7 @@ static struct security_operations selinux_ops = {
> .setprocattr = selinux_setprocattr,
>
> .secid_to_secctx = selinux_secid_to_secctx,
> + .secctx_to_secid = selinux_secctx_to_secid,
> .release_secctx = selinux_release_secctx,
>
> .unix_stream_connect = selinux_socket_unix_stream_connect,
>
> -
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
--
James Morris
<jmorris@namei.org>
next prev parent reply other threads:[~2008-01-16 1:06 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-01-15 23:46 [PATCH 00/26] Permit filesystem local caching David Howells
2008-01-15 23:46 ` [PATCH 01/26] KEYS: Increase the payload size when instantiating a key David Howells
2008-01-15 23:47 ` [PATCH 02/26] KEYS: Check starting keyring as part of search David Howells
2008-01-15 23:47 ` [PATCH 03/26] KEYS: Allow the callout data to be passed as a blob rather than a string David Howells
2008-01-15 23:47 ` [PATCH 04/26] KEYS: Add keyctl function to get a security label David Howells
2008-01-16 15:47 ` Stephen Smalley
2008-01-15 23:47 ` [PATCH 05/26] Security: Change current->fs[ug]id to current_fs[ug]id() David Howells
2008-01-15 23:47 ` [PATCH 06/26] Security: Separate task security context from task_struct David Howells
2008-01-17 17:14 ` [PATCH 06a/26] Extra task_struct -> task_security separation David Howells
2008-01-17 17:17 ` [PATCH 06b/26] Security: Make NFSD work with detached security David Howells
2008-01-17 20:48 ` J. Bruce Fields
2008-01-17 22:48 ` David Howells
2008-01-17 23:02 ` David Howells
2008-01-15 23:47 ` [PATCH 07/26] Security: De-embed task security record from task and use refcounting David Howells
2008-01-15 23:47 ` [PATCH 08/26] Add a secctx_to_secid() LSM hook to go along with the existing David Howells
2008-01-16 1:05 ` James Morris [this message]
2008-01-16 13:41 ` Paul Moore
2008-01-16 17:08 ` Casey Schaufler
2008-01-16 22:13 ` James Morris
2008-01-16 22:19 ` Paul Moore
2008-01-15 23:47 ` [PATCH 09/26] Security: Pre-add additional non-caching classes David Howells
2008-01-15 23:47 ` [PATCH 10/26] Security: Add a kernel_service object class to SELinux David Howells
2008-01-15 23:47 ` [PATCH 11/26] Security: Allow kernel services to override LSM settings for task actions David Howells
2008-01-15 23:47 ` [PATCH 12/26] FS-Cache: Release page->private after failed readahead David Howells
2008-01-15 23:48 ` [PATCH 13/26] FS-Cache: Recruit a couple of page flags for cache management David Howells
2008-01-15 23:48 ` [PATCH 14/26] FS-Cache: Provide an add_wait_queue_tail() function David Howells
2008-01-15 23:48 ` [PATCH 15/26] FS-Cache: Generic filesystem caching facility David Howells
2008-01-15 23:48 ` [PATCH 16/26] CacheFiles: Add missing copy_page export for ia64 David Howells
2008-01-15 23:48 ` [PATCH 17/26] CacheFiles: Be consistent about the use of mapping vs file->f_mapping in Ext3 David Howells
2008-01-15 23:48 ` [PATCH 18/26] CacheFiles: Add a hook to write a single page of data to an inode David Howells
2008-01-15 23:48 ` [PATCH 19/26] CacheFiles: Permit the page lock state to be monitored David Howells
2008-01-15 23:48 ` [PATCH 20/26] CacheFiles: Export things for CacheFiles David Howells
2008-01-15 23:48 ` [PATCH 21/26] CacheFiles: A cache that backs onto a mounted filesystem David Howells
2008-01-15 23:48 ` [PATCH 22/26] NFS: Fix memory leak David Howells
2008-01-15 23:48 ` [PATCH 23/26] NFS: Use local caching David Howells
2008-01-15 23:49 ` [PATCH 24/26] NFS: Configuration and mount option changes to enable local caching on NFS David Howells
2008-01-15 23:49 ` [PATCH 25/26] NFS: Display local caching state David Howells
2008-01-15 23:49 ` [PATCH 26/26] NFS: Separate caching by superblock, explicitly if necessary David Howells
2008-01-16 0:58 ` [PATCH 00/26] Permit filesystem local caching James Morris
2008-01-16 16:48 ` David Howells
2008-01-16 1:52 ` James Morris
2008-01-16 2:24 ` Kyle Moffett
2008-01-16 16:55 ` David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Xine.LNX.4.64.0801161204470.24959@us.intercode.com.au \
--to=jmorris@namei.org \
--cc=Trond.Myklebust@netapp.com \
--cc=casey@schaufler-ca.com \
--cc=dhowells@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=npiggin@suse.de \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox