[SELINUX] Handle fuse binary mount data.

[SELINUX] Handle fuse binary mount data.

[James Morris]

This patch ensures that fuse filesystems are able to be mounted with 
SELinux enabled.

Please apply.


diff -urN -X dontdiff linux-2.6.3-mm4.o/security/selinux/hooks.c linux-2.6.3-mm4.w/security/selinux/hooks.c
--- linux-2.6.3-mm4.o/security/selinux/hooks.c	2004-02-25 22:42:16.000000000 -0500
+++ linux-2.6.3-mm4.w/security/selinux/hooks.c	2004-02-28 23:44:04.885656768 -0500
@@ -332,8 +332,8 @@
 	name = sb->s_type->name;
 
 	/* Ignore these fileystems with binary mount option data. */
-	if (!strcmp(name, "coda") ||
-	    !strcmp(name, "afs") || !strcmp(name, "smbfs"))
+	if (!strcmp(name, "coda") || !strcmp(name, "afs") ||
+	    !strcmp(name, "smbfs") || !strcmp(name, "fuse"))
 		goto out;
 
 	/* NFS we understand. */
@@ -1897,7 +1897,8 @@
 
 	/* Binary mount data: just copy */
 	if (!strcmp(fstype, "nfs") || !strcmp(fstype, "coda") ||
-	    !strcmp(fstype, "smbfs") || !strcmp(fstype, "afs")) {
+	    !strcmp(fstype, "smbfs") || !strcmp(fstype, "afs") ||
+	    !strcmp(fstype, "fuse")) {
 		copy_page(sec_curr, in_curr);
 		goto out;
 	}

Re: [SELINUX] Handle fuse binary mount data.

[Christoph Hellwig]

On Sun, Feb 29, 2004 at 04:38:51PM -0500, James Morris wrote:
>  	/* Ignore these fileystems with binary mount option data. */
> -	if (!strcmp(name, "coda") ||
> -	    !strcmp(name, "afs") || !strcmp(name, "smbfs"))
> +	if (!strcmp(name, "coda") || !strcmp(name, "afs") ||
> +	    !strcmp(name, "smbfs") || !strcmp(name, "fuse"))
>  		goto out;

Umm, binary mount data is bad enough, but hardcoding filesystem-depend code
in selinux is just bogus..

Re: [SELINUX] Handle fuse binary mount data.

[Andrew Morton]

Christoph Hellwig <hch@infradead.org> wrote:
>
> On Sun, Feb 29, 2004 at 04:38:51PM -0500, James Morris wrote:
> >  	/* Ignore these fileystems with binary mount option data. */
> > -	if (!strcmp(name, "coda") ||
> > -	    !strcmp(name, "afs") || !strcmp(name, "smbfs"))
> > +	if (!strcmp(name, "coda") || !strcmp(name, "afs") ||
> > +	    !strcmp(name, "smbfs") || !strcmp(name, "fuse"))
> >  		goto out;
> 
> Umm, binary mount data is bad enough, but hardcoding filesystem-depend code
> in selinux is just bogus..

Yes, it's rather awkward.

Could we do something such as passing a new mount flag in from userspace? 
Add a new flag alongside MS_SYNCHRONOUS, MS_REMOUNT and friends?

Re: [SELINUX] Handle fuse binary mount data.

[H. Peter Anvin]

Followup to:  <20040229150213.3ebd7ef9.akpm@osdl.org>
By author:    Andrew Morton <akpm@osdl.org>
In newsgroup: linux.dev.kernel
> 
> Yes, it's rather awkward.
> 
> Could we do something such as passing a new mount flag in from userspace? 
> Add a new flag alongside MS_SYNCHRONOUS, MS_REMOUNT and friends?
> 

IMNSHO it should be a flag exported by any registered filesystem.

	-hpa

Re: [SELINUX] Handle fuse binary mount data.

[James Morris]

On Sun, 29 Feb 2004, Andrew Morton wrote:

> Christoph Hellwig <hch@infradead.org> wrote:
>
> > Umm, binary mount data is bad enough, but hardcoding filesystem-depend code
> > in selinux is just bogus..
> 
> Yes, it's rather awkward.
> 
> Could we do something such as passing a new mount flag in from userspace? 
> Add a new flag alongside MS_SYNCHRONOUS, MS_REMOUNT and friends?

It seems more like a property of the filesystem type: perhaps add 
FS_BINARY_MOUNTDATA to fs_flags for such filesystems, per the patch below.

We also need to change one of the LSM hook arguments.


diff -urN -X dontdiff linux-2.6.3-mm4.o/fs/afs/super.c linux-2.6.3-mm4.w/fs/afs/super.c
--- linux-2.6.3-mm4.o/fs/afs/super.c	2004-02-04 08:39:05.000000000 -0500
+++ linux-2.6.3-mm4.w/fs/afs/super.c	2004-02-29 19:50:28.797502696 -0500
@@ -53,6 +53,7 @@
 	.name		= "afs",
 	.get_sb		= afs_get_sb,
 	.kill_sb	= kill_anon_super,
+	.fs_flags	= FS_BINARY_MOUNTDATA,
 };
 
 static struct super_operations afs_super_ops = {
diff -urN -X dontdiff linux-2.6.3-mm4.o/fs/coda/inode.c linux-2.6.3-mm4.w/fs/coda/inode.c
--- linux-2.6.3-mm4.o/fs/coda/inode.c	2003-09-27 20:50:20.000000000 -0400
+++ linux-2.6.3-mm4.w/fs/coda/inode.c	2004-02-29 19:49:14.272832168 -0500
@@ -306,5 +306,6 @@
 	.name		= "coda",
 	.get_sb		= coda_get_sb,
 	.kill_sb	= kill_anon_super,
+	.fs_flags	= FS_BINARY_MOUNTDATA,
 };
 
diff -urN -X dontdiff linux-2.6.3-mm4.o/fs/nfs/inode.c linux-2.6.3-mm4.w/fs/nfs/inode.c
--- linux-2.6.3-mm4.o/fs/nfs/inode.c	2004-02-25 22:42:12.000000000 -0500
+++ linux-2.6.3-mm4.w/fs/nfs/inode.c	2004-02-29 19:48:24.350421528 -0500
@@ -1406,7 +1406,7 @@
 	.name		= "nfs",
 	.get_sb		= nfs_get_sb,
 	.kill_sb	= nfs_kill_super,
-	.fs_flags	= FS_ODD_RENAME|FS_REVAL_DOT,
+	.fs_flags	= FS_ODD_RENAME|FS_REVAL_DOT|FS_BINARY_MOUNTDATA,
 };
 
 #ifdef CONFIG_NFS_V4
@@ -1720,7 +1720,7 @@
 	.name		= "nfs4",
 	.get_sb		= nfs4_get_sb,
 	.kill_sb	= nfs_kill_super,
-	.fs_flags	= FS_ODD_RENAME|FS_REVAL_DOT,
+	.fs_flags	= FS_ODD_RENAME|FS_REVAL_DOT|FS_BINARY_MOUNTDATA,
 };
 
 #define nfs4_zero_state(nfsi) \
diff -urN -X dontdiff linux-2.6.3-mm4.o/fs/smbfs/inode.c linux-2.6.3-mm4.w/fs/smbfs/inode.c
--- linux-2.6.3-mm4.o/fs/smbfs/inode.c	2003-10-15 08:53:19.000000000 -0400
+++ linux-2.6.3-mm4.w/fs/smbfs/inode.c	2004-02-29 19:50:58.172037088 -0500
@@ -778,6 +778,7 @@
 	.name		= "smbfs",
 	.get_sb		= smb_get_sb,
 	.kill_sb	= kill_anon_super,
+	.fs_flags	= FS_BINARY_MOUNTDATA,
 };
 
 static int __init init_smb_fs(void)
diff -urN -X dontdiff linux-2.6.3-mm4.o/fs/super.c linux-2.6.3-mm4.w/fs/super.c
--- linux-2.6.3-mm4.o/fs/super.c	2004-02-25 22:42:12.000000000 -0500
+++ linux-2.6.3-mm4.w/fs/super.c	2004-02-29 19:56:03.687591664 -0500
@@ -746,7 +746,7 @@
 			goto out_mnt;
 		}
 
-		error = security_sb_copy_data(fstype, data, secdata);
+		error = security_sb_copy_data(type, data, secdata);
 		if (error) {
 			sb = ERR_PTR(error);
 			goto out_free_secdata;
diff -urN -X dontdiff linux-2.6.3-mm4.o/include/linux/fs.h linux-2.6.3-mm4.w/include/linux/fs.h
--- linux-2.6.3-mm4.o/include/linux/fs.h	2004-02-25 22:42:14.000000000 -0500
+++ linux-2.6.3-mm4.w/include/linux/fs.h	2004-02-29 19:43:33.922573272 -0500
@@ -89,6 +89,7 @@
 
 /* public flags for file_system_type */
 #define FS_REQUIRES_DEV 1 
+#define FS_BINARY_MOUNTDATA 2
 #define FS_REVAL_DOT	16384	/* Check the paths ".", ".." for staleness */
 #define FS_ODD_RENAME	32768	/* Temporary stuff; will go away as soon
 				  * as nfs_rename() will be cleaned up
diff -urN -X dontdiff linux-2.6.3-mm4.o/include/linux/security.h linux-2.6.3-mm4.w/include/linux/security.h
--- linux-2.6.3-mm4.o/include/linux/security.h	2004-02-25 22:42:14.000000000 -0500
+++ linux-2.6.3-mm4.w/include/linux/security.h	2004-02-29 19:57:58.125194504 -0500
@@ -177,7 +177,7 @@
  *	options cleanly (a filesystem may modify the data e.g. with strsep()).
  *	This also allows the original mount data to be stripped of security-
  *	specific options to avoid having to make filesystems aware of them.
- *	@fstype the type of filesystem being mounted.
+ *	@type the type of filesystem being mounted.
  *	@orig the original mount data copied from userspace.
  *	@copy copied data which will be passed to the security module.
  *	Returns 0 if the copy was successful.
@@ -1033,7 +1033,8 @@
 
 	int (*sb_alloc_security) (struct super_block * sb);
 	void (*sb_free_security) (struct super_block * sb);
-	int (*sb_copy_data)(const char *fstype, void *orig, void *copy);
+	int (*sb_copy_data)(struct file_system_type *type,
+			    void *orig, void *copy);
 	int (*sb_kern_mount) (struct super_block *sb, void *data);
 	int (*sb_statfs) (struct super_block * sb);
 	int (*sb_mount) (char *dev_name, struct nameidata * nd,
@@ -1318,9 +1319,10 @@
 	security_ops->sb_free_security (sb);
 }
 
-static inline int security_sb_copy_data (const char *fstype, void *orig, void *copy)
+static inline int security_sb_copy_data (struct file_system_type *type,
+					 void *orig, void *copy)
 {
-	return security_ops->sb_copy_data (fstype, orig, copy);
+	return security_ops->sb_copy_data (type, orig, copy);
 }
 
 static inline int security_sb_kern_mount (struct super_block *sb, void *data)
@@ -1988,7 +1990,8 @@
 static inline void security_sb_free (struct super_block *sb)
 { }
 
-static inline int security_sb_copy_data (const char *fstype, void *orig, void *copy)
+static inline int security_sb_copy_data (struct file_system_type *type,
+					 void *orig, void *copy)
 {
 	return 0;
 }
diff -urN -X dontdiff linux-2.6.3-mm4.o/security/dummy.c linux-2.6.3-mm4.w/security/dummy.c
--- linux-2.6.3-mm4.o/security/dummy.c	2004-02-25 22:42:16.000000000 -0500
+++ linux-2.6.3-mm4.w/security/dummy.c	2004-02-29 19:58:29.999348896 -0500
@@ -194,7 +194,8 @@
 	return;
 }
 
-static int dummy_sb_copy_data (const char *fstype, void *orig, void *copy)
+static int dummy_sb_copy_data (struct file_system_type *type,
+			       void *orig, void *copy)
 {
 	return 0;
 }
diff -urN -X dontdiff linux-2.6.3-mm4.o/security/selinux/hooks.c linux-2.6.3-mm4.w/security/selinux/hooks.c
--- linux-2.6.3-mm4.o/security/selinux/hooks.c	2004-02-25 22:42:16.000000000 -0500
+++ linux-2.6.3-mm4.w/security/selinux/hooks.c	2004-02-29 20:15:19.841829504 -0500
@@ -331,25 +331,24 @@
 
 	name = sb->s_type->name;
 
-	/* Ignore these fileystems with binary mount option data. */
-	if (!strcmp(name, "coda") ||
-	    !strcmp(name, "afs") || !strcmp(name, "smbfs"))
-		goto out;
-
-	/* NFS we understand. */
-	if (!strcmp(name, "nfs")) {
-		struct nfs_mount_data *d = data;
+	if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
 
-		if (d->version <  NFS_MOUNT_VERSION)
+		/* NFS we understand. */
+		if (!strcmp(name, "nfs")) {
+			struct nfs_mount_data *d = data;
+			
+			if (d->version <  NFS_MOUNT_VERSION)
+				goto out;
+				
+			if (d->context[0]) {
+				context = d->context;
+				seen |= Opt_context;
+			}
+		} else
 			goto out;
 
-		if (d->context[0]) {
-			context = d->context;
-			seen |= Opt_context;
-		}
-
-	/* Standard string-based options. */
 	} else {
+		/* Standard string-based options. */
 		char *p, *options = data;
 
 		while ((p = strsep(&options, ",")) != NULL) {
@@ -1886,7 +1885,7 @@
 	*to += len;
 }
 
-static int selinux_sb_copy_data(const char *fstype, void *orig, void *copy)
+static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
 {
 	int fnosec, fsec, rc = 0;
 	char *in_save, *in_curr, *in_end;
@@ -1896,8 +1895,7 @@
 	sec_curr = copy;
 
 	/* Binary mount data: just copy */
-	if (!strcmp(fstype, "nfs") || !strcmp(fstype, "coda") ||
-	    !strcmp(fstype, "smbfs") || !strcmp(fstype, "afs")) {
+	if (type->fs_flags & FS_BINARY_MOUNTDATA) {
 		copy_page(sec_curr, in_curr);
 		goto out;
 	}

Re: [SELINUX] Handle fuse binary mount data.

[H. Peter Anvin]

Followup to:  <Xine.LNX.4.44.0402291938140.22392-100000@thoron.boston.redhat.com>
By author:    James Morris <jmorris@redhat.com>
In newsgroup: linux.dev.kernel
> 
> It seems more like a property of the filesystem type: perhaps add 
> FS_BINARY_MOUNTDATA to fs_flags for such filesystems, per the patch below.
> 

That's the only sane way to do this.  I concur :)

	-hpa

Re: [SELINUX] Handle fuse binary mount data.

[Urban Widmark]

On Sun, 29 Feb 2004, James Morris wrote:

> It seems more like a property of the filesystem type: perhaps add 
> FS_BINARY_MOUNTDATA to fs_flags for such filesystems, per the patch below.
...
> diff -urN -X dontdiff linux-2.6.3-mm4.o/fs/smbfs/inode.c linux-2.6.3-mm4.w/fs/smbfs/inode.c
> --- linux-2.6.3-mm4.o/fs/smbfs/inode.c	2003-10-15 08:53:19.000000000 -0400
> +++ linux-2.6.3-mm4.w/fs/smbfs/inode.c	2004-02-29 19:50:58.172037088 -0500
> @@ -778,6 +778,7 @@
>  	.name		= "smbfs",
>  	.get_sb		= smb_get_sb,
>  	.kill_sb	= kill_anon_super,
> +	.fs_flags	= FS_BINARY_MOUNTDATA,
>  };
>  
>  static int __init init_smb_fs(void)

smbfs does not have a binary mountdata, unless the smbmount used is really
old (samba 2.0). If that means that it should get a FS_BINARY_MOUNTDATA
flag or not, I don't know.

/Urban

Re: [SELINUX] Handle fuse binary mount data.

[James Morris]

On Mon, 1 Mar 2004, Urban Widmark wrote:

> On Sun, 29 Feb 2004, James Morris wrote:
> 
> > It seems more like a property of the filesystem type: perhaps add 
> > FS_BINARY_MOUNTDATA to fs_flags for such filesystems, per the patch below.
> ...
> > diff -urN -X dontdiff linux-2.6.3-mm4.o/fs/smbfs/inode.c linux-2.6.3-mm4.w/fs/smbfs/inode.c
> > --- linux-2.6.3-mm4.o/fs/smbfs/inode.c	2003-10-15 08:53:19.000000000 -0400
> > +++ linux-2.6.3-mm4.w/fs/smbfs/inode.c	2004-02-29 19:50:58.172037088 -0500
> > @@ -778,6 +778,7 @@
> >  	.name		= "smbfs",
> >  	.get_sb		= smb_get_sb,
> >  	.kill_sb	= kill_anon_super,
> > +	.fs_flags	= FS_BINARY_MOUNTDATA,
> >  };
> >  
> >  static int __init init_smb_fs(void)
> 
> smbfs does not have a binary mountdata, unless the smbmount used is really
> old (samba 2.0). If that means that it should get a FS_BINARY_MOUNTDATA
> flag or not, I don't know.

Well, smb_fill_super() looks like it is dealing with binary mount data 
initially, and we need to treat it as such.  This should be fixed properly 
so that different versions of smbfs have different filesystem types, like 
NFS.


- James
-- 
James Morris
<jmorris@redhat.com>

Re: [SELINUX] Handle fuse binary mount data.

[Urban Widmark]

On Mon, 1 Mar 2004, James Morris wrote:

> Well, smb_fill_super() looks like it is dealing with binary mount data 
> initially, and we need to treat it as such.  This should be fixed properly 
> so that different versions of smbfs have different filesystem types, like 
> NFS.

There are no different versions of smbfs, and nfs does not have different
filesystem types for v2 and v3.

The thing smbfs does first is to check if it is binary or ascii^Wutf-8 by
looking at the first 4 bytes which is guaranteed by smbmount to be
(int)6 or the beginning of a string "vers".

I'm not seriously suggesting it, but if the selinux code always passed the
full page of mount data unchanged if it didn't find any of its flags then
it should be ok (in this case) to not mark smbfs as using a binary mount
data. And couldn't that work with all the binary filesystems without
adding any flags?

If smb_get_sb could map to a different "struct file_system_type" from what
it gets from the VFS that should work. Code below is not to be applied to
anything by anyone (yes, that means you Andrew :)

Seems easier to just disable the old smbmounts from working.

/Urban


diff -urN -X exclude linux-2.6.3-rc1-orig/fs/smbfs/inode.c linux-2.6.3-rc1-smbfs/fs/smbfs/inode.c
--- linux-2.6.3-rc1-orig/fs/smbfs/inode.c	Mon Feb  9 19:25:13 2004
+++ linux-2.6.3-rc1-smbfs/fs/smbfs/inode.c	Mon Mar  1 19:58:23 2004
@@ -770,6 +770,19 @@
 static struct super_block *smb_get_sb(struct file_system_type *fs_type,
 	int flags, const char *dev_name, void *data)
 {
+	struct super_block *sb;
+	struct smb_mount_data *oldmnt;
+	int ver;
+
+	oldmnt = (struct smb_mount_data *) data;
+	ver = oldmnt->version;
+	if (ver == SMB_MOUNT_OLDVERSION) {
+		struct file_system_type *type = get_fs_type("smbfs_binary");
+		sb = get_sb_nodev(type, flags, data, smb_fill_super);
+		put_filesystem(type);
+		return sb;
+	}
+
 	return get_sb_nodev(fs_type, flags, data, smb_fill_super);
 }
 
@@ -780,6 +793,14 @@
 	.kill_sb	= kill_anon_super,
 };
 
+static struct file_system_type smb_fs_type_binary = {
+	.owner		= THIS_MODULE,
+	.name		= "smbfs_binary",
+	.get_sb		= smb_get_sb,
+	.kill_sb	= kill_anon_super,
+	.fs_flags	= FS_BINARY_MOUNTDATA,
+};
+
 static int __init init_smb_fs(void)
 {
 	int err;
@@ -799,9 +820,14 @@
 		goto out_request;
 	err = register_filesystem(&smb_fs_type);
 	if (err)
+		goto out_register;
+	err = register_filesystem(&smb_fs_type_binary);
+	if (err)
 		goto out;
 	return 0;
 out:
+	unregister_filesystem(&smb_fs_type);
+out_register:
 	smb_destroy_request_cache();
 out_request:
 	destroy_inodecache();
@@ -813,6 +839,7 @@
 {
 	DEBUG1("unregistering ...\n");
 	unregister_filesystem(&smb_fs_type);
+	unregister_filesystem(&smb_fs_type_binary);
 	smb_destroy_request_cache();
 	destroy_inodecache();
 #ifdef DEBUG_SMB_MALLOC