From: Stephen Smalley <sds@tycho.nsa.gov>
To: James Morris <jmorris@namei.org>
Cc: auke-jan.h.kok@intel.com, e1000-devel@lists.sourceforge.net,
netdev@vger.kernel.org, Alexey Dobriyan <adobriyan@gmail.com>,
Chris Wright <chrisw@sous-sol.org>,
linux-security-module@vger.kernel.org,
"Eric W. Biederman" <ebiederm@xmission.com>,
Al Viro <viro@ftp.linux.org.uk>,
Eric Paris <eparis@parisplace.org>,
Andrew Morton <akpm@linux-foundation.org>,
David Miller <davem@davemloft.net>
Subject: Re: [PATCH 2/3][RFC] security: pass mount flags to security_sb_kern_mount()
Date: Fri, 19 Dec 2008 07:52:35 -0500 [thread overview]
Message-ID: <1229691155.4948.2.camel@localhost.localdomain> (raw)
In-Reply-To: <alpine.LRH.1.10.0812191205530.4137@tundra.namei.org>
On Fri, 2008-12-19 at 12:06 +1100, James Morris wrote:
> Pass mount flags to security_sb_kern_mount(), so security modules
> can determine if a mount operation is being performed by the kernel.
>
> Signed-off-by: James Morris <jmorris@namei.org>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
> ---
> fs/super.c | 2 +-
> include/linux/security.h | 6 +++---
> security/capability.c | 2 +-
> security/security.c | 4 ++--
> security/selinux/hooks.c | 2 +-
> security/smack/smack_lsm.c | 3 ++-
> 6 files changed, 10 insertions(+), 9 deletions(-)
>
> diff --git a/fs/super.c b/fs/super.c
> index 400a760..ddba069 100644
> --- a/fs/super.c
> +++ b/fs/super.c
> @@ -914,7 +914,7 @@ vfs_kern_mount(struct file_system_type *type, int flags, const char *name, void
> goto out_free_secdata;
> BUG_ON(!mnt->mnt_sb);
>
> - error = security_sb_kern_mount(mnt->mnt_sb, secdata);
> + error = security_sb_kern_mount(mnt->mnt_sb, flags, secdata);
> if (error)
> goto out_sb;
>
> diff --git a/include/linux/security.h b/include/linux/security.h
> index c13f1ce..dff563b 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -1327,7 +1327,7 @@ struct security_operations {
> int (*sb_alloc_security) (struct super_block *sb);
> void (*sb_free_security) (struct super_block *sb);
> int (*sb_copy_data) (char *orig, char *copy);
> - int (*sb_kern_mount) (struct super_block *sb, void *data);
> + int (*sb_kern_mount) (struct super_block *sb, int flags, void *data);
> int (*sb_show_options) (struct seq_file *m, struct super_block *sb);
> int (*sb_statfs) (struct dentry *dentry);
> int (*sb_mount) (char *dev_name, struct path *path,
> @@ -1596,7 +1596,7 @@ int security_bprm_secureexec(struct linux_binprm *bprm);
> int security_sb_alloc(struct super_block *sb);
> void security_sb_free(struct super_block *sb);
> int security_sb_copy_data(char *orig, char *copy);
> -int security_sb_kern_mount(struct super_block *sb, void *data);
> +int security_sb_kern_mount(struct super_block *sb, int flags, void *data);
> int security_sb_show_options(struct seq_file *m, struct super_block *sb);
> int security_sb_statfs(struct dentry *dentry);
> int security_sb_mount(char *dev_name, struct path *path,
> @@ -1877,7 +1877,7 @@ static inline int security_sb_copy_data(char *orig, char *copy)
> return 0;
> }
>
> -static inline int security_sb_kern_mount(struct super_block *sb, void *data)
> +static inline int security_sb_kern_mount(struct super_block *sb, int flags, void *data)
> {
> return 0;
> }
> diff --git a/security/capability.c b/security/capability.c
> index 2458748..0f6612d 100644
> --- a/security/capability.c
> +++ b/security/capability.c
> @@ -64,7 +64,7 @@ static int cap_sb_copy_data(char *orig, char *copy)
> return 0;
> }
>
> -static int cap_sb_kern_mount(struct super_block *sb, void *data)
> +static int cap_sb_kern_mount(struct super_block *sb, int flags, void *data)
> {
> return 0;
> }
> diff --git a/security/security.c b/security/security.c
> index c0acfa7..5a37d79 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -266,9 +266,9 @@ int security_sb_copy_data(char *orig, char *copy)
> }
> EXPORT_SYMBOL(security_sb_copy_data);
>
> -int security_sb_kern_mount(struct super_block *sb, void *data)
> +int security_sb_kern_mount(struct super_block *sb, int flags, void *data)
> {
> - return security_ops->sb_kern_mount(sb, data);
> + return security_ops->sb_kern_mount(sb, flags, data);
> }
>
> int security_sb_show_options(struct seq_file *m, struct super_block *sb)
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 470763a..3897758 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -2452,7 +2452,7 @@ out:
> return rc;
> }
>
> -static int selinux_sb_kern_mount(struct super_block *sb, void *data)
> +static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
> {
> struct avc_audit_data ad;
> int rc;
> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> index 6e2dc0b..f23e927 100644
> --- a/security/smack/smack_lsm.c
> +++ b/security/smack/smack_lsm.c
> @@ -248,11 +248,12 @@ static int smack_sb_copy_data(char *orig, char *smackopts)
> /**
> * smack_sb_kern_mount - Smack specific mount processing
> * @sb: the file system superblock
> + * @flags: the mount flags
> * @data: the smack mount options
> *
> * Returns 0 on success, an error code on failure
> */
> -static int smack_sb_kern_mount(struct super_block *sb, void *data)
> +static int smack_sb_kern_mount(struct super_block *sb, int flags, void *data)
> {
> struct dentry *root = sb->s_root;
> struct inode *inode = root->d_inode;
--
Stephen Smalley
National Security Agency
------------------------------------------------------------------------------
next prev parent reply other threads:[~2008-12-19 12:52 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-12-04 1:18 networking probs in next-20081203 Andrew Morton
2008-12-04 15:14 ` Alexey Dobriyan
2008-12-04 17:41 ` Kok, Auke
2008-12-04 17:52 ` Alexey Dobriyan
2008-12-04 18:11 ` [E1000-devel] " Stephen Smalley
2008-12-04 18:21 ` David Miller
2008-12-04 19:32 ` Stephen Smalley
2008-12-04 20:06 ` Stephen Smalley
2008-12-04 21:00 ` [E1000-devel] " Eric W. Biederman
2008-12-05 2:03 ` James Morris
2008-12-05 7:49 ` Eric W. Biederman
2008-12-05 14:12 ` Stephen Smalley
2008-12-11 10:41 ` James Morris
2008-12-12 5:24 ` Alexey Dobriyan
2008-12-12 9:26 ` James Morris
2008-12-12 9:29 ` James Morris
2008-12-12 10:51 ` Eric W. Biederman
2008-12-12 21:40 ` [E1000-devel] " James Morris
2008-12-12 21:24 ` Stephen Smalley
2008-12-15 13:28 ` James Morris
2008-12-19 1:04 ` [PATCH 0/3][RFC] Fix security and SELinux handling of proc/* filesystems James Morris
2008-12-19 1:05 ` [PATCH 1/3][RFC] SELinux: correctly detect proc filesystems of the form "proc/foo" James Morris
2008-12-19 12:29 ` David P. Quigley
2008-12-19 1:06 ` [PATCH 2/3][RFC] security: pass mount flags to security_sb_kern_mount() James Morris
2008-12-19 12:52 ` Stephen Smalley [this message]
2008-12-19 1:07 ` [PATCH 3/3][RFC] SELinux: don't check permissions for kernel mounts James Morris
2008-12-19 12:52 ` Stephen Smalley
2008-12-19 6:40 ` [PATCH 0/3][RFC] Fix security and SELinux handling of proc/* filesystems David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1229691155.4948.2.camel@localhost.localdomain \
--to=sds@tycho.nsa.gov \
--cc=adobriyan@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=auke-jan.h.kok@intel.com \
--cc=chrisw@sous-sol.org \
--cc=davem@davemloft.net \
--cc=e1000-devel@lists.sourceforge.net \
--cc=ebiederm@xmission.com \
--cc=eparis@parisplace.org \
--cc=jmorris@namei.org \
--cc=linux-security-module@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=viro@ftp.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).