Merge tag 'nfs-for-3.11-1' of git://git.linux-nfs.org/projects/trondmy/linux-nfs

Pull NFS client updates from Trond Myklebust: "Feature highlights include: - Add basic client support for NFSv4.2 - Add basic client support for Labeled NFS (selinux for NFSv4.2) - Fix the use of credentials in NFSv4.1 stateful operations, and add support for NFSv4.1 state protection. Bugfix highlights: - Fix another NFSv4 open state recovery race - Fix an NFSv4.1 back channel session regression - Various rpc_pipefs races - Fix another issue with NFSv3 auth negotiation Please note that Labeled NFS does require some additional support from the security subsystem. The relevant changesets have all been reviewed and acked by James Morris." * tag 'nfs-for-3.11-1' of git://git.linux-nfs.org/projects/trondmy/linux-nfs: (54 commits) NFS: Set NFS_CS_MIGRATION for NFSv4 mounts NFSv4.1 Refactor nfs4_init_session and nfs4_init_channel_attrs nfs: have NFSv3 try server-specified auth flavors in turn nfs: have nfs_mount fake up a auth_flavs list when the server didn't provide it nfs: move server_authlist into nfs_try_mount_request nfs: refactor "need_mount" code out of nfs_try_mount SUNRPC: PipeFS MOUNT notification optimization for dying clients SUNRPC: split client creation routine into setup and registration SUNRPC: fix races on PipeFS UMOUNT notifications SUNRPC: fix races on PipeFS MOUNT notifications NFSv4.1 use pnfs_device maxcount for the objectlayout gdia_maxcount NFSv4.1 use pnfs_device maxcount for the blocklayout gdia_maxcount NFSv4.1 Fix gdia_maxcount calculation to fit in ca_maxresponsesize NFS: Improve legacy idmapping fallback NFSv4.1 end back channel session draining NFS: Apply v4.1 capabilities to v4.2 NFSv4.1: Clean up layout segment comparison helper names NFSv4.1: layout segment comparison helpers should take 'const' parameters NFSv4: Move the DNS resolver into the NFSv4 module rpc_pipefs: only set rpc_dentry_ops if d_op isn't already set ...
author: Linus Torvalds <torvalds@linux-foundation.org> 2013-07-09 15:09:43 -0400
committer: Linus Torvalds <torvalds@linux-foundation.org> 2013-07-09 15:09:43 -0400
commit: be0c5d8c0bb0023e11f5c6d38e90f7b0f24edb64 (patch)
tree: 6d7a6e290f8ed2f2ca250965a8debdd9f02a9cc9 /include/linux/security.h
parent: 1f792dd1765e6f047ecd2d5f6a81f025b50d471a (diff)
parent: 959d921f5eb8878ea16049a7f6e9bcbb6dfbcb88 (diff)
1 files changed, 54 insertions, 3 deletions
diff --git a/include/linux/security.h b/include/linux/security.h
index 40560f41e3d5..7ce53ae1266b 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -26,6 +26,7 @@
 #include <linux/capability.h>
 #include <linux/slab.h>
 #include <linux/err.h>
+#include <linux/string.h>
 struct linux_binprm;
 struct cred;
@@ -60,6 +61,9 @@ struct mm_struct;
 #define SECURITY_CAP_NOAUDIT 0
 #define SECURITY_CAP_AUDIT 1
+/* LSM Agnostic defines for sb_set_mnt_opts */
+#define SECURITY_LSM_NATIVE_LABELS      1
 struct ctl_table;
 struct audit_krule;
 struct user_namespace;
@@ -306,6 +310,15 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 *      Parse a string of security data filling in the opts structure
 *      @options string containing all mount options known by the LSM
 *      @opts binary data structure usable by the LSM
+ * @dentry_init_security:
+ *      Compute a context for a dentry as the inode is not yet available
+ *      since NFSv4 has no label backed by an EA anyway.
+ *      @dentry dentry to use in calculating the context.
+ *      @mode mode used to determine resource type.
+ *      @name name of the last path component used to create file
+ *      @ctx pointer to place the pointer to the resulting context in.
+ *      @ctxlen point to place the length of the resulting context.
+ *
 *
 * Security hooks for inode operations.
 *
@@ -1313,6 +1326,13 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 *      @pages contains the number of pages.
 *      Return 0 if permission is granted.
 *
+ * @ismaclabel:
+ *      Check if the extended attribute specified by @name
+ *      represents a MAC label. Returns 1 if name is a MAC
+ *      attribute otherwise returns 0.
+ *      @name full extended attribute name to check against
+ *      LSM as a MAC label.
+ *
 * @secid_to_secctx:
 *      Convert secid to security context.  If secdata is NULL the length of
 *      the result will be returned in seclen, but no secdata will be returned.
@@ -1440,10 +1460,16 @@ struct security_operations {
        int (*sb_pivotroot) (struct path *old_path,
                             struct path *new_path);
        int (*sb_set_mnt_opts) (struct super_block *sb,
-                                struct security_mnt_opts *opts);
+                                struct security_mnt_opts *opts,
+                                unsigned long kern_flags,
+                                unsigned long *set_kern_flags);
        int (*sb_clone_mnt_opts) (const struct super_block *oldsb,
                                   struct super_block *newsb);
        int (*sb_parse_opts_str) (char *options, struct security_mnt_opts *opts);
+        int (*dentry_init_security) (struct dentry *dentry, int mode,
+                                        struct qstr *name, void **ctx,
+                                        u32 *ctxlen);
 #ifdef CONFIG_SECURITY_PATH
        int (*path_unlink) (struct path *dir, struct dentry *dentry);
@@ -1591,6 +1617,7 @@ struct security_operations {
        int (*getprocattr) (struct task_struct *p, char *name, char **value);
        int (*setprocattr) (struct task_struct *p, char *name, void *value, size_t size);
+        int (*ismaclabel) (const char *name);
        int (*secid_to_secctx) (u32 secid, char **secdata, u32 *seclen);
        int (*secctx_to_secid) (const char *secdata, u32 seclen, u32 *secid);
        void (*release_secctx) (char *secdata, u32 seclen);
@@ -1726,10 +1753,16 @@ int security_sb_mount(const char *dev_name, struct path *path,
                      const char *type, unsigned long flags, void *data);
 int security_sb_umount(struct vfsmount *mnt, int flags);
 int security_sb_pivotroot(struct path *old_path, struct path *new_path);
-int security_sb_set_mnt_opts(struct super_block *sb, struct security_mnt_opts *opts);
+int security_sb_set_mnt_opts(struct super_block *sb,
+                                struct security_mnt_opts *opts,
+                                unsigned long kern_flags,
+                                unsigned long *set_kern_flags);
 int security_sb_clone_mnt_opts(const struct super_block *oldsb,
                                struct super_block *newsb);
 int security_sb_parse_opts_str(char *options, struct security_mnt_opts *opts);
+int security_dentry_init_security(struct dentry *dentry, int mode,
+                                        struct qstr *name, void **ctx,
+                                        u32 *ctxlen);
 int security_inode_alloc(struct inode *inode);
 void security_inode_free(struct inode *inode);
@@ -1841,6 +1874,7 @@ void security_d_instantiate(struct dentry *dentry, struct inode *inode);
 int security_getprocattr(struct task_struct *p, char *name, char **value);
 int security_setprocattr(struct task_struct *p, char *name, void *value, size_t size);
 int security_netlink_send(struct sock *sk, struct sk_buff *skb);
+int security_ismaclabel(const char *name);
 int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
 int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid);
 void security_release_secctx(char *secdata, u32 seclen);
@@ -2012,7 +2046,9 @@ static inline int security_sb_pivotroot(struct path *old_path,
 }
 static inline int security_sb_set_mnt_opts(struct super_block *sb,
-                                           struct security_mnt_opts *opts)
+                                           struct security_mnt_opts *opts,
+                                           unsigned long kern_flags,
+                                           unsigned long *set_kern_flags)
 {
        return 0;
 }
@@ -2036,6 +2072,16 @@ static inline int security_inode_alloc(struct inode *inode)
 static inline void security_inode_free(struct inode *inode)
 { }
+static inline int security_dentry_init_security(struct dentry *dentry,
+                                                 int mode,
+                                                 struct qstr *name,
+                                                 void **ctx,
+                                                 u32 *ctxlen)
+{
+        return -EOPNOTSUPP;
+}
 static inline int security_inode_init_security(struct inode *inode,
                                                struct inode *dir,
                                                const struct qstr *qstr,
@@ -2521,6 +2567,11 @@ static inline int security_netlink_send(struct sock *sk, struct sk_buff *skb)
        return cap_netlink_send(sk, skb);
 }
+static inline int security_ismaclabel(const char *name)
+{
+        return 0;
+}
 static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
 {
        return -EOPNOTSUPP;
author	Linus Torvalds <torvalds@linux-foundation.org>	2013-07-09 15:09:43 -0400
committer	Linus Torvalds <torvalds@linux-foundation.org>	2013-07-09 15:09:43 -0400
commit	be0c5d8c0bb0023e11f5c6d38e90f7b0f24edb64 (patch)
tree	6d7a6e290f8ed2f2ca250965a8debdd9f02a9cc9 /include/linux/security.h
parent	1f792dd1765e6f047ecd2d5f6a81f025b50d471a (diff)
parent	959d921f5eb8878ea16049a7f6e9bcbb6dfbcb88 (diff)