Commit 15bf3239 authored by Vivek Goyal's avatar Vivek Goyal Committed by Paul Moore

security: Return xattr name from security_dentry_init_security()

Right now security_dentry_init_security() only supports single security
label and is used by SELinux only. There are two users of this hook,
namely ceph and nfs.

NFS does not care about xattr name. Ceph hardcodes the xattr name to
security.selinux (XATTR_NAME_SELINUX).

I am making changes to fuse/virtiofs to send security label to virtiofsd
and I need to send xattr name as well. I also hardcoded the name of
xattr to security.selinux.

Stephen Smalley suggested that it probably is a good idea to modify
security_dentry_init_security() to also return name of xattr so that
we can avoid this hardcoding in the callers.

This patch adds a new parameter "const char **xattr_name" to
security_dentry_init_security() and LSM puts the name of xattr
too if caller asked for it (xattr_name != NULL).
Signed-off-by: default avatarVivek Goyal <vgoyal@redhat.com>
Reviewed-by: default avatarJeff Layton <jlayton@kernel.org>
Reviewed-by: default avatarChristian Brauner <christian.brauner@ubuntu.com>
Acked-by: default avatarJames Morris <jamorris@linux.microsoft.com>
[PM: fixed typos in the commit description]
Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
parent 1c73213b
...@@ -1311,7 +1311,7 @@ int ceph_security_init_secctx(struct dentry *dentry, umode_t mode, ...@@ -1311,7 +1311,7 @@ int ceph_security_init_secctx(struct dentry *dentry, umode_t mode,
int err; int err;
err = security_dentry_init_security(dentry, mode, &dentry->d_name, err = security_dentry_init_security(dentry, mode, &dentry->d_name,
&as_ctx->sec_ctx, &name, &as_ctx->sec_ctx,
&as_ctx->sec_ctxlen); &as_ctx->sec_ctxlen);
if (err < 0) { if (err < 0) {
WARN_ON_ONCE(err != -EOPNOTSUPP); WARN_ON_ONCE(err != -EOPNOTSUPP);
...@@ -1335,7 +1335,6 @@ int ceph_security_init_secctx(struct dentry *dentry, umode_t mode, ...@@ -1335,7 +1335,6 @@ int ceph_security_init_secctx(struct dentry *dentry, umode_t mode,
* It only supports single security module and only selinux has * It only supports single security module and only selinux has
* dentry_init_security hook. * dentry_init_security hook.
*/ */
name = XATTR_NAME_SELINUX;
name_len = strlen(name); name_len = strlen(name);
err = ceph_pagelist_reserve(pagelist, err = ceph_pagelist_reserve(pagelist,
4 * 2 + name_len + as_ctx->sec_ctxlen); 4 * 2 + name_len + as_ctx->sec_ctxlen);
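Review bot: `name_len = strlen(name);` in the second hunk now relies on the hook having written `name`, because the `name = XATTR_NAME_SELINUX;` fallback is removed and the declaration of `name` lies outside the hunk, so its initial value is not visible here. With the current tree this holds (the only implementation sets it on its success path and the default hook result is -EOPNOTSUPP, which the `err < 0` branch handles), but nothing in the hook contract obliges an LSM that implements dentry_init_security to fill `xattr_name`. A cheap guard keeps an unset pointer from reaching strlen(): declare it as `const char *name = NULL;` and, before the length computation, `if (WARN_ON_ONCE(!name)) return -EOPNOTSUPP;` (or whatever error the surrounding code uses). The comment kept at the top of the second hunk ("only supports single security module ... only selinux has dentry_init_security hook") read as the justification for the hardcoding just removed; it likely wants rewording now that the name comes from the LSM. ceph_security_init_secctx() starts and ends outside these hunks.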
......
...@@ -127,7 +127,8 @@ nfs4_label_init_security(struct inode *dir, struct dentry *dentry, ...@@ -127,7 +127,8 @@ nfs4_label_init_security(struct inode *dir, struct dentry *dentry,
return NULL; return NULL;
err = security_dentry_init_security(dentry, sattr->ia_mode, err = security_dentry_init_security(dentry, sattr->ia_mode,
&dentry->d_name, (void **)&label->label, &label->len); &dentry->d_name, NULL,
(void **)&label->label, &label->len);
if (err == 0) if (err == 0)
return label; return label;
......
...@@ -83,7 +83,8 @@ LSM_HOOK(int, 0, sb_add_mnt_opt, const char *option, const char *val, ...@@ -83,7 +83,8 @@ LSM_HOOK(int, 0, sb_add_mnt_opt, const char *option, const char *val,
LSM_HOOK(int, 0, move_mount, const struct path *from_path, LSM_HOOK(int, 0, move_mount, const struct path *from_path,
const struct path *to_path) const struct path *to_path)
LSM_HOOK(int, 0, dentry_init_security, struct dentry *dentry, LSM_HOOK(int, 0, dentry_init_security, struct dentry *dentry,
int mode, const struct qstr *name, void **ctx, u32 *ctxlen) int mode, const struct qstr *name, const char **xattr_name,
void **ctx, u32 *ctxlen)
LSM_HOOK(int, 0, dentry_create_files_as, struct dentry *dentry, int mode, LSM_HOOK(int, 0, dentry_create_files_as, struct dentry *dentry, int mode,
struct qstr *name, const struct cred *old, struct cred *new) struct qstr *name, const struct cred *old, struct cred *new)
......
...@@ -196,6 +196,9 @@ ...@@ -196,6 +196,9 @@
* @dentry dentry to use in calculating the context. * @dentry dentry to use in calculating the context.
* @mode mode used to determine resource type. * @mode mode used to determine resource type.
* @name name of the last path component used to create file * @name name of the last path component used to create file
* @xattr_name pointer to place the pointer to security xattr name.
* Caller does not have to free the resulting pointer. Its
* a pointer to static string.
* @ctx pointer to place the pointer to the resulting context in. * @ctx pointer to place the pointer to the resulting context in.
* @ctxlen point to place the length of the resulting context. * @ctxlen point to place the length of the resulting context.
* @dentry_create_files_as: * @dentry_create_files_as:
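Review bot: The new @xattr_name text leaves out the two things an implementer and a caller need: that the pointer may be NULL (the NFS caller passes NULL, so the hook must not write through it) and that the value is only meaningful when the hook returns 0. "Its a pointer to static string" should also read "It is a pointer to a static string". Suggested wording: `@xattr_name pointer to place the pointer to the security xattr name in; may be NULL if the caller does not need it. Only valid on success; the string is static and must not be freed.`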
......
...@@ -317,8 +317,9 @@ int security_add_mnt_opt(const char *option, const char *val, ...@@ -317,8 +317,9 @@ int security_add_mnt_opt(const char *option, const char *val,
int len, void **mnt_opts); int len, void **mnt_opts);
int security_move_mount(const struct path *from_path, const struct path *to_path); int security_move_mount(const struct path *from_path, const struct path *to_path);
int security_dentry_init_security(struct dentry *dentry, int mode, int security_dentry_init_security(struct dentry *dentry, int mode,
const struct qstr *name, void **ctx, const struct qstr *name,
u32 *ctxlen); const char **xattr_name, void **ctx,
u32 *ctxlen);
int security_dentry_create_files_as(struct dentry *dentry, int mode, int security_dentry_create_files_as(struct dentry *dentry, int mode,
struct qstr *name, struct qstr *name,
const struct cred *old, const struct cred *old,
...@@ -739,6 +740,7 @@ static inline void security_inode_free(struct inode *inode) ...@@ -739,6 +740,7 @@ static inline void security_inode_free(struct inode *inode)
static inline int security_dentry_init_security(struct dentry *dentry, static inline int security_dentry_init_security(struct dentry *dentry,
int mode, int mode,
const struct qstr *name, const struct qstr *name,
const char **xattr_name,
void **ctx, void **ctx,
u32 *ctxlen) u32 *ctxlen)
{ {
......
...@@ -1052,11 +1052,12 @@ void security_inode_free(struct inode *inode) ...@@ -1052,11 +1052,12 @@ void security_inode_free(struct inode *inode)
} }
int security_dentry_init_security(struct dentry *dentry, int mode, int security_dentry_init_security(struct dentry *dentry, int mode,
const struct qstr *name, void **ctx, const struct qstr *name,
u32 *ctxlen) const char **xattr_name, void **ctx,
u32 *ctxlen)
{ {
return call_int_hook(dentry_init_security, -EOPNOTSUPP, dentry, mode, return call_int_hook(dentry_init_security, -EOPNOTSUPP, dentry, mode,
name, ctx, ctxlen); name, xattr_name, ctx, ctxlen);
} }
EXPORT_SYMBOL(security_dentry_init_security); EXPORT_SYMBOL(security_dentry_init_security);
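Review bot: security_dentry_init_security() now passes two outputs, `xattr_name` and `ctx`, through `call_int_hook`, and the exported symbol carries no kerneldoc stating their lifetime or validity. If `call_int_hook` (defined elsewhere in this file, not visible here) runs every registered LSM's hook and stops only at a non-zero return, a second LSM implementing dentry_init_security would overwrite the first's results — the single-LSM limitation the ceph caller's comment mentions, which belongs at the definition. Suggest a kerneldoc block above the function stating that a single LSM is expected to provide this hook, that `xattr_name` may be NULL, and that `*xattr_name` and `*ctx` are only valid when 0 is returned, with `*xattr_name` pointing at a static string the caller must not free.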
......
...@@ -2927,7 +2927,8 @@ static void selinux_inode_free_security(struct inode *inode) ...@@ -2927,7 +2927,8 @@ static void selinux_inode_free_security(struct inode *inode)
} }
static int selinux_dentry_init_security(struct dentry *dentry, int mode, static int selinux_dentry_init_security(struct dentry *dentry, int mode,
const struct qstr *name, void **ctx, const struct qstr *name,
const char **xattr_name, void **ctx,
u32 *ctxlen) u32 *ctxlen)
{ {
u32 newsid; u32 newsid;
...@@ -2940,6 +2941,9 @@ static int selinux_dentry_init_security(struct dentry *dentry, int mode, ...@@ -2940,6 +2941,9 @@ static int selinux_dentry_init_security(struct dentry *dentry, int mode,
if (rc) if (rc)
return rc; return rc;
if (xattr_name)
*xattr_name = XATTR_NAME_SELINUX;
return security_sid_to_context(&selinux_state, newsid, (char **)ctx, return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
ctxlen); ctxlen);
} }
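Review bot: `*xattr_name` is assigned before `security_sid_to_context()` runs, so when that call fails the caller's name pointer has been updated while `ctx` and `ctxlen` have not. Callers check the return code first, so this is harmless today, but publishing both outputs together avoids the half-written state: `rc = security_sid_to_context(&selinux_state, newsid, (char **)ctx, ctxlen);` then `if (!rc && xattr_name) *xattr_name = XATTR_NAME_SELINUX;` and `return rc;`. selinux_dentry_init_security() opens in the first hunk and the body between the two hunks is not shown.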
......