Commit d58fda90 authored by Dave Kleikamp's avatar Dave Kleikamp

Merge bk://linux.bkbits.net/linux-2.5

into bkbits.net:/repos/j/jfs/linux-2.5
parents 48b28cc7 d6828b19
...@@ -266,6 +266,18 @@ config JFS_POSIX_ACL ...@@ -266,6 +266,18 @@ config JFS_POSIX_ACL
If you don't know what Access Control Lists are, say N If you don't know what Access Control Lists are, say N
config JFS_SECURITY
bool "JFS Security Labels"
depends on JFS_FS
help
Security labels support alternative access control models
implemented by security modules like SELinux. This option
enables an extended attribute handler for file security
labels in the jfs filesystem.
If you are not using a security module that requires using
extended attributes for file security labels, say N.
config JFS_DEBUG config JFS_DEBUG
bool "JFS debugging" bool "JFS debugging"
depends on JFS_FS depends on JFS_FS
......
...@@ -81,8 +81,7 @@ int jfs_commit_inode(struct inode *inode, int wait) ...@@ -81,8 +81,7 @@ int jfs_commit_inode(struct inode *inode, int wait)
* Don't commit if inode has been committed since last being * Don't commit if inode has been committed since last being
* marked dirty, or if it has been deleted. * marked dirty, or if it has been deleted.
*/ */
if (test_cflag(COMMIT_Nolink, inode) || if (inode->i_nlink == 0 || !test_cflag(COMMIT_Dirty, inode))
!test_cflag(COMMIT_Dirty, inode))
return 0; return 0;
if (isReadOnly(inode)) { if (isReadOnly(inode)) {
...@@ -100,7 +99,13 @@ int jfs_commit_inode(struct inode *inode, int wait) ...@@ -100,7 +99,13 @@ int jfs_commit_inode(struct inode *inode, int wait)
tid = txBegin(inode->i_sb, COMMIT_INODE); tid = txBegin(inode->i_sb, COMMIT_INODE);
down(&JFS_IP(inode)->commit_sem); down(&JFS_IP(inode)->commit_sem);
/*
* Retest inode state after taking commit_sem
*/
if (inode->i_nlink && test_cflag(COMMIT_Dirty, inode))
rc = txCommit(tid, 1, &inode, wait ? COMMIT_SYNC : 0); rc = txCommit(tid, 1, &inode, wait ? COMMIT_SYNC : 0);
txEnd(tid); txEnd(tid);
up(&JFS_IP(inode)->commit_sem); up(&JFS_IP(inode)->commit_sem);
return rc; return rc;
......
...@@ -91,6 +91,12 @@ struct ea_buffer { ...@@ -91,6 +91,12 @@ struct ea_buffer {
#define XATTR_OS2_PREFIX "os2." #define XATTR_OS2_PREFIX "os2."
#define XATTR_OS2_PREFIX_LEN (sizeof (XATTR_OS2_PREFIX) - 1) #define XATTR_OS2_PREFIX_LEN (sizeof (XATTR_OS2_PREFIX) - 1)
/* XATTR_SECURITY_PREFIX is defined in include/linux/xattr.h */
#define XATTR_SECURITY_PREFIX_LEN (sizeof (XATTR_SECURITY_PREFIX) - 1)
#define XATTR_TRUSTED_PREFIX "trusted."
#define XATTR_TRUSTED_PREFIX_LEN (sizeof (XATTR_TRUSTED_PREFIX) - 1)
/* /*
* These three routines are used to recognize on-disk extended attributes * These three routines are used to recognize on-disk extended attributes
* that are in a recognized namespace. If the attribute is not recognized, * that are in a recognized namespace. If the attribute is not recognized,
...@@ -110,6 +116,19 @@ static inline int is_os2_xattr(struct jfs_ea *ea) ...@@ -110,6 +116,19 @@ static inline int is_os2_xattr(struct jfs_ea *ea)
if ((ea->namelen >= XATTR_USER_PREFIX_LEN) && if ((ea->namelen >= XATTR_USER_PREFIX_LEN) &&
!strncmp(ea->name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN)) !strncmp(ea->name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN))
return FALSE; return FALSE;
/*
* Check for "security."
*/
if ((ea->namelen >= XATTR_SECURITY_PREFIX_LEN) &&
!strncmp(ea->name, XATTR_SECURITY_PREFIX,
XATTR_SECURITY_PREFIX_LEN))
return FALSE;
/*
* Check for "trusted."
*/
if ((ea->namelen >= XATTR_TRUSTED_PREFIX_LEN) &&
!strncmp(ea->name, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN))
return FALSE;
/* /*
* Add any other valid namespace prefixes here * Add any other valid namespace prefixes here
*/ */
...@@ -770,6 +789,15 @@ static int can_set_xattr(struct inode *inode, const char *name, ...@@ -770,6 +789,15 @@ static int can_set_xattr(struct inode *inode, const char *name,
*/ */
return can_set_system_xattr(inode, name, value, value_len); return can_set_system_xattr(inode, name, value, value_len);
if(strncmp(name, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN) != 0)
return (capable(CAP_SYS_ADMIN) ? 0 : -EPERM);
#ifdef CONFIG_JFS_SECURITY
if (strncmp(name, XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN)
!= 0)
return 0; /* Leave it to the security module */
#endif
if((strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN) != 0) && if((strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN) != 0) &&
(strncmp(name, XATTR_OS2_PREFIX, XATTR_OS2_PREFIX_LEN) != 0)) (strncmp(name, XATTR_OS2_PREFIX, XATTR_OS2_PREFIX_LEN) != 0))
return -EOPNOTSUPP; return -EOPNOTSUPP;
...@@ -937,8 +965,17 @@ int jfs_setxattr(struct dentry *dentry, const char *name, const void *value, ...@@ -937,8 +965,17 @@ int jfs_setxattr(struct dentry *dentry, const char *name, const void *value,
static int can_get_xattr(struct inode *inode, const char *name) static int can_get_xattr(struct inode *inode, const char *name)
{ {
#ifdef CONFIG_JFS_SECURITY
if(strncmp(name, XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN) == 0)
return 0;
#endif
if(strncmp(name, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN) == 0)
return (capable(CAP_SYS_ADMIN) ? 0 : -EPERM);
if(strncmp(name, XATTR_SYSTEM_PREFIX, XATTR_SYSTEM_PREFIX_LEN) == 0) if(strncmp(name, XATTR_SYSTEM_PREFIX, XATTR_SYSTEM_PREFIX_LEN) == 0)
return 0; return 0;
return permission(inode, MAY_READ, NULL); return permission(inode, MAY_READ, NULL);
} }
...@@ -1021,6 +1058,16 @@ ssize_t jfs_getxattr(struct dentry *dentry, const char *name, void *data, ...@@ -1021,6 +1058,16 @@ ssize_t jfs_getxattr(struct dentry *dentry, const char *name, void *data,
return err; return err;
} }
/*
* No special permissions are needed to list attributes except for trusted.*
*/
static inline int can_list(struct jfs_ea *ea)
{
return (strncmp(ea->name, XATTR_TRUSTED_PREFIX,
XATTR_TRUSTED_PREFIX_LEN) ||
capable(CAP_SYS_ADMIN));
}
ssize_t jfs_listxattr(struct dentry * dentry, char *data, size_t buf_size) ssize_t jfs_listxattr(struct dentry * dentry, char *data, size_t buf_size)
{ {
struct inode *inode = dentry->d_inode; struct inode *inode = dentry->d_inode;
...@@ -1045,8 +1092,10 @@ ssize_t jfs_listxattr(struct dentry * dentry, char *data, size_t buf_size) ...@@ -1045,8 +1092,10 @@ ssize_t jfs_listxattr(struct dentry * dentry, char *data, size_t buf_size)
ealist = (struct jfs_ea_list *) ea_buf.xattr; ealist = (struct jfs_ea_list *) ea_buf.xattr;
/* compute required size of list */ /* compute required size of list */
for (ea = FIRST_EA(ealist); ea < END_EALIST(ealist); ea = NEXT_EA(ea)) for (ea = FIRST_EA(ealist); ea < END_EALIST(ealist); ea = NEXT_EA(ea)) {
if (can_list(ea))
size += name_size(ea) + 1; size += name_size(ea) + 1;
}
if (!data) if (!data)
goto release; goto release;
...@@ -1059,9 +1108,11 @@ ssize_t jfs_listxattr(struct dentry * dentry, char *data, size_t buf_size) ...@@ -1059,9 +1108,11 @@ ssize_t jfs_listxattr(struct dentry * dentry, char *data, size_t buf_size)
/* Copy attribute names to buffer */ /* Copy attribute names to buffer */
buffer = data; buffer = data;
for (ea = FIRST_EA(ealist); ea < END_EALIST(ealist); ea = NEXT_EA(ea)) { for (ea = FIRST_EA(ealist); ea < END_EALIST(ealist); ea = NEXT_EA(ea)) {
if (can_list(ea)) {
int namelen = copy_name(buffer, ea); int namelen = copy_name(buffer, ea);
buffer += namelen + 1; buffer += namelen + 1;
} }
}
release: release:
ea_release(inode, &ea_buf); ea_release(inode, &ea_buf);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment