NFSD: Server implementation of MAC Labeling

Implement labeled NFS on the server: encoding and decoding, and writing and reading, of file labels. Enabled with CONFIG_NFSD_V4_SECURITY_LABEL. Signed-off-by: Matthew N. Dodd <Matthew.Dodd@sparta.com> Signed-off-by: Miguel Rodel Felipe <Rodel_FM@dsi.a-star.edu.sg> Signed-off-by: Phua Eu Gene <PHUA_Eu_Gene@dsi.a-star.edu.sg> Signed-off-by: Khin Mi Mi Aung <Mi_Mi_AUNG@dsi.a-star.edu.sg> Signed-off-by: J. Bruce Fields <bfields@redhat.com>
author: David Quigley <dpquigl@davequigley.com> 2013-05-02 13:19:10 -0400
committer: J. Bruce Fields <bfields@redhat.com> 2013-05-15 09:27:02 -0400
commit: 18032ca062e621e15683cb61c066ef3dc5414a7b (patch)
tree: 18b061105452a5d47a85c0f693a151227ff3c02c /fs/nfsd/nfs4proc.c
parent: 4bdc33ed5bd9fbaa243bda6fdccb22674aed6305 (diff)
1 files changed, 41 insertions, 0 deletions
diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
index 27d74a294515..1a1ff247bc59 100644
--- a/fs/nfsd/nfs4proc.c
+++ b/fs/nfsd/nfs4proc.c
@@ -42,6 +42,36 @@
 #include "current_stateid.h"
 #include "netns.h"
+#ifdef CONFIG_NFSD_V4_SECURITY_LABEL
+#include <linux/security.h>
+static inline void
+nfsd4_security_inode_setsecctx(struct svc_fh *resfh, struct xdr_netobj *label, u32 *bmval)
+{
+        struct inode *inode = resfh->fh_dentry->d_inode;
+        int status;
+        mutex_lock(&inode->i_mutex);
+        status = security_inode_setsecctx(resfh->fh_dentry,
+                label->data, label->len);
+        mutex_unlock(&inode->i_mutex);
+        if (status)
+                /*
+                 * XXX: We should really fail the whole open, but we may
+                 * already have created a new file, so it may be too
+                 * late.  For now this seems the least of evils:
+                 */
+                bmval[2] &= ~FATTR4_WORD2_SECURITY_LABEL;
+        return;
+}
+#else
+static inline void
+nfsd4_security_inode_setsecctx(struct svc_fh *resfh, struct xdr_netobj *label, u32 *bmval)
+{ }
+#endif
 #define NFSDDBG_FACILITY                NFSDDBG_PROC
 static u32 nfsd_attrmask[] = {
@@ -239,6 +269,9 @@ do_open_lookup(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate, stru
                                        (u32 *)open->op_verf.data,
                                        &open->op_truncate, &open->op_created);
+                if (!status && open->op_label.len)
+                        nfsd4_security_inode_setsecctx(resfh, &open->op_label, open->op_bmval);
                /*
                 * Following rfc 3530 14.2.16, use the returned bitmask
                 * to indicate which attributes we used to store the
@@ -637,6 +670,9 @@ nfsd4_create(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
        if (status)
                goto out;
+        if (create->cr_label.len)
+                nfsd4_security_inode_setsecctx(&resfh, &create->cr_label, create->cr_bmval);
        if (create->cr_acl != NULL)
                do_set_nfs4_acl(rqstp, &resfh, create->cr_acl,
                                create->cr_bmval);
@@ -916,6 +952,11 @@ nfsd4_setattr(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
                                            setattr->sa_acl);
        if (status)
                goto out;
+        if (setattr->sa_label.len)
+                status = nfsd4_set_nfs4_label(rqstp, &cstate->current_fh,
+                                &setattr->sa_label);
+        if (status)
+                goto out;
        status = nfsd_setattr(rqstp, &cstate->current_fh, &setattr->sa_iattr,
                                0, (time_t)0);
 out:
author	David Quigley <dpquigl@davequigley.com>	2013-05-02 13:19:10 -0400
committer	J. Bruce Fields <bfields@redhat.com>	2013-05-15 09:27:02 -0400
commit	18032ca062e621e15683cb61c066ef3dc5414a7b (patch)
tree	18b061105452a5d47a85c0f693a151227ff3c02c /fs/nfsd/nfs4proc.c
parent	4bdc33ed5bd9fbaa243bda6fdccb22674aed6305 (diff)

diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c index 27d74a294515..1a1ff247bc59 100644 --- a/fs/nfsd/nfs4proc.c +++ b/fs/nfsd/nfs4proc.c
@@ -42,6 +42,36 @@
42	#include "current_stateid.h"	42	#include "current_stateid.h"
43	#include "netns.h"	43	#include "netns.h"
44		44
		45	#ifdef CONFIG_NFSD_V4_SECURITY_LABEL
		46	#include <linux/security.h>
		47
		48	static inline void
		49	nfsd4_security_inode_setsecctx(struct svc_fh resfh, struct xdr_netobj label, u32 *bmval)
		50	{
		51	struct inode *inode = resfh->fh_dentry->d_inode;
		52	int status;
		53
		54	mutex_lock(&inode->i_mutex);
		55	status = security_inode_setsecctx(resfh->fh_dentry,
		56	label->data, label->len);
		57	mutex_unlock(&inode->i_mutex);
		58
		59	if (status)
		60	/*
		61	* XXX: We should really fail the whole open, but we may
		62	* already have created a new file, so it may be too
		63	* late. For now this seems the least of evils:
		64	*/
		65	bmval[2] &= ~FATTR4_WORD2_SECURITY_LABEL;
		66
		67	return;
		68	}
		69	#else
		70	static inline void
		71	nfsd4_security_inode_setsecctx(struct svc_fh resfh, struct xdr_netobj label, u32 *bmval)
		72	{ }
		73	#endif
		74
45	#define NFSDDBG_FACILITY NFSDDBG_PROC	75	#define NFSDDBG_FACILITY NFSDDBG_PROC
46		76
47	static u32 nfsd_attrmask[] = {	77	static u32 nfsd_attrmask[] = {
@@ -239,6 +269,9 @@ do_open_lookup(struct svc_rqst rqstp, struct nfsd4_compound_state cstate, stru
239	(u32 *)open->op_verf.data,	269	(u32 *)open->op_verf.data,
240	&open->op_truncate, &open->op_created);	270	&open->op_truncate, &open->op_created);
241		271
		272	if (!status && open->op_label.len)
		273	nfsd4_security_inode_setsecctx(resfh, &open->op_label, open->op_bmval);
		274
242	/*	275	/*
243	* Following rfc 3530 14.2.16, use the returned bitmask	276	* Following rfc 3530 14.2.16, use the returned bitmask
244	* to indicate which attributes we used to store the	277	* to indicate which attributes we used to store the
@@ -637,6 +670,9 @@ nfsd4_create(struct svc_rqst rqstp, struct nfsd4_compound_state cstate,
637	if (status)	670	if (status)
638	goto out;	671	goto out;
639		672
		673	if (create->cr_label.len)
		674	nfsd4_security_inode_setsecctx(&resfh, &create->cr_label, create->cr_bmval);
		675
640	if (create->cr_acl != NULL)	676	if (create->cr_acl != NULL)
641	do_set_nfs4_acl(rqstp, &resfh, create->cr_acl,	677	do_set_nfs4_acl(rqstp, &resfh, create->cr_acl,
642	create->cr_bmval);	678	create->cr_bmval);
@@ -916,6 +952,11 @@ nfsd4_setattr(struct svc_rqst rqstp, struct nfsd4_compound_state cstate,
916	setattr->sa_acl);	952	setattr->sa_acl);
917	if (status)	953	if (status)
918	goto out;	954	goto out;
		955	if (setattr->sa_label.len)
		956	status = nfsd4_set_nfs4_label(rqstp, &cstate->current_fh,
		957	&setattr->sa_label);
		958	if (status)
		959	goto out;
919	status = nfsd_setattr(rqstp, &cstate->current_fh, &setattr->sa_iattr,	960	status = nfsd_setattr(rqstp, &cstate->current_fh, &setattr->sa_iattr,
920	0, (time_t)0);	961	0, (time_t)0);
921	out:	962	out: