aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDavid Quigley <dpquigl@davequigley.com>2013-05-22 12:50:36 -0400
committerTrond Myklebust <Trond.Myklebust@netapp.com>2013-06-08 16:20:12 -0400
commit649f6e7718891fe7691e5084ce3fa623acba3129 (patch)
tree3e3cd7cd832749b88082825dfdf797f1695fed1d
parent746df9b59c8a5f162c907796c7295d3c4c0d8995 (diff)
LSM: Add flags field to security_sb_set_mnt_opts for in kernel mount data.
There is no way to differentiate if a text mount option is passed from user space or the kernel. A flags field is being added to the security_sb_set_mnt_opts hook to allow for in kernel security flags to be sent to the LSM for processing in addition to the text options received from mount. This patch also updated existing code to fix compilation errors. Acked-by: Eric Paris <eparis@redhat.com> Acked-by: James Morris <james.l.morris@oracle.com> Signed-off-by: David P. Quigley <dpquigl@tycho.nsa.gov> Signed-off-by: Miguel Rodel Felipe <Rodel_FM@dsi.a-star.edu.sg> Signed-off-by: Phua Eu Gene <PHUA_Eu_Gene@dsi.a-star.edu.sg> Signed-off-by: Khin Mi Mi Aung <Mi_Mi_AUNG@dsi.a-star.edu.sg> Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Diffstat
-rw-r--r--fs/nfs/super.c3
-rw-r--r--include/linux/security.h13
-rw-r--r--security/capability.c5
-rw-r--r--security/security.c7
-rw-r--r--security/selinux/hooks.c12
5 files changed, 31 insertions, 9 deletions
diff --git a/fs/nfs/super.c b/fs/nfs/super.c
index a366107a7331..c1bbb53d444a 100644
--- a/fs/nfs/super.c
+++ b/fs/nfs/super.c
@@ -2411,7 +2411,8 @@ static int nfs_bdi_register(struct nfs_server *server)
2411int nfs_set_sb_security(struct super_block *s, struct dentry *mntroot, 2411int nfs_set_sb_security(struct super_block *s, struct dentry *mntroot,
2412 struct nfs_mount_info *mount_info) 2412 struct nfs_mount_info *mount_info)
2413{ 2413{
2414 return security_sb_set_mnt_opts(s, &mount_info->parsed->lsm_opts); 2414 return security_sb_set_mnt_opts(s, &mount_info->parsed->lsm_opts,
2415 0, NULL);
2415} 2416}
2416EXPORT_SYMBOL_GPL(nfs_set_sb_security); 2417EXPORT_SYMBOL_GPL(nfs_set_sb_security);
2417 2418
diff --git a/include/linux/security.h b/include/linux/security.h
index cff3e4fc4281..aa656fbc4308 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -1456,7 +1456,9 @@ struct security_operations {
1456 int (*sb_pivotroot) (struct path *old_path, 1456 int (*sb_pivotroot) (struct path *old_path,
1457 struct path *new_path); 1457 struct path *new_path);
1458 int (*sb_set_mnt_opts) (struct super_block *sb, 1458 int (*sb_set_mnt_opts) (struct super_block *sb,
1459 struct security_mnt_opts *opts); 1459 struct security_mnt_opts *opts,
1460 unsigned long kern_flags,
1461 unsigned long *set_kern_flags);
1460 int (*sb_clone_mnt_opts) (const struct super_block *oldsb, 1462 int (*sb_clone_mnt_opts) (const struct super_block *oldsb,
1461 struct super_block *newsb); 1463 struct super_block *newsb);
1462 int (*sb_parse_opts_str) (char *options, struct security_mnt_opts *opts); 1464 int (*sb_parse_opts_str) (char *options, struct security_mnt_opts *opts);
@@ -1747,7 +1749,10 @@ int security_sb_mount(const char *dev_name, struct path *path,
1747 const char *type, unsigned long flags, void *data); 1749 const char *type, unsigned long flags, void *data);
1748int security_sb_umount(struct vfsmount *mnt, int flags); 1750int security_sb_umount(struct vfsmount *mnt, int flags);
1749int security_sb_pivotroot(struct path *old_path, struct path *new_path); 1751int security_sb_pivotroot(struct path *old_path, struct path *new_path);
1750int security_sb_set_mnt_opts(struct super_block *sb, struct security_mnt_opts *opts); 1752int security_sb_set_mnt_opts(struct super_block *sb,
1753 struct security_mnt_opts *opts,
1754 unsigned long kern_flags,
1755 unsigned long *set_kern_flags);
1751int security_sb_clone_mnt_opts(const struct super_block *oldsb, 1756int security_sb_clone_mnt_opts(const struct super_block *oldsb,
1752 struct super_block *newsb); 1757 struct super_block *newsb);
1753int security_sb_parse_opts_str(char *options, struct security_mnt_opts *opts); 1758int security_sb_parse_opts_str(char *options, struct security_mnt_opts *opts);
@@ -2037,7 +2042,9 @@ static inline int security_sb_pivotroot(struct path *old_path,
2037} 2042}
2038 2043
2039static inline int security_sb_set_mnt_opts(struct super_block *sb, 2044static inline int security_sb_set_mnt_opts(struct super_block *sb,
2040 struct security_mnt_opts *opts) 2045 struct security_mnt_opts *opts,
2046 unsigned long kern_flags,
2047 unsigned long *set_kern_flags)
2041{ 2048{
2042 return 0; 2049 return 0;
2043} 2050}
diff --git a/security/capability.c b/security/capability.c
index 71f9682bfb54..d32e16e3c6ae 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -91,7 +91,10 @@ static int cap_sb_pivotroot(struct path *old_path, struct path *new_path)
91} 91}
92 92
93static int cap_sb_set_mnt_opts(struct super_block *sb, 93static int cap_sb_set_mnt_opts(struct super_block *sb,
94 struct security_mnt_opts *opts) 94 struct security_mnt_opts *opts,
95 unsigned long kern_flags,
96 unsigned long *set_kern_flags)
97
95{ 98{
96 if (unlikely(opts->num_mnt_opts)) 99 if (unlikely(opts->num_mnt_opts))
97 return -EOPNOTSUPP; 100 return -EOPNOTSUPP;
diff --git a/security/security.c b/security/security.c
index c3ceb754e705..8d0b9a79611a 100644
--- a/security/security.c
+++ b/security/security.c
@@ -294,9 +294,12 @@ int security_sb_pivotroot(struct path *old_path, struct path *new_path)
294} 294}
295 295
296int security_sb_set_mnt_opts(struct super_block *sb, 296int security_sb_set_mnt_opts(struct super_block *sb,
297 struct security_mnt_opts *opts) 297 struct security_mnt_opts *opts,
298 unsigned long kern_flags,
299 unsigned long *set_kern_flags)
298{ 300{
299 return security_ops->sb_set_mnt_opts(sb, opts); 301 return security_ops->sb_set_mnt_opts(sb, opts, kern_flags,
302 set_kern_flags);
300} 303}
301EXPORT_SYMBOL(security_sb_set_mnt_opts); 304EXPORT_SYMBOL(security_sb_set_mnt_opts);
302 305
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index bbf219a494d0..f3b54466a037 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -552,7 +552,9 @@ static int bad_option(struct superblock_security_struct *sbsec, char flag,
552 * labeling information. 552 * labeling information.
553 */ 553 */
554static int selinux_set_mnt_opts(struct super_block *sb, 554static int selinux_set_mnt_opts(struct super_block *sb,
555 struct security_mnt_opts *opts) 555 struct security_mnt_opts *opts,
556 unsigned long kern_flags,
557 unsigned long *set_kern_flags)
556{ 558{
557 const struct cred *cred = current_cred(); 559 const struct cred *cred = current_cred();
558 int rc = 0, i; 560 int rc = 0, i;
@@ -580,6 +582,12 @@ static int selinux_set_mnt_opts(struct super_block *sb,
580 "before the security server is initialized\n"); 582 "before the security server is initialized\n");
581 goto out; 583 goto out;
582 } 584 }
585 if (kern_flags && !set_kern_flags) {
586 /* Specifying internal flags without providing a place to
587 * place the results is not allowed */
588 rc = -EINVAL;
589 goto out;
590 }
583 591
584 /* 592 /*
585 * Binary mount data FS will come through this function twice. Once 593 * Binary mount data FS will come through this function twice. Once
@@ -980,7 +988,7 @@ static int superblock_doinit(struct super_block *sb, void *data)
980 goto out_err; 988 goto out_err;
981 989
982out: 990out:
983 rc = selinux_set_mnt_opts(sb, &opts); 991 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
984 992
985out_err: 993out_err:
986 security_free_mnt_opts(&opts); 994 security_free_mnt_opts(&opts);
generated by cgit v1.2.2 (git 2.25.0) at 2025-03-03 20:23:45 -0500