diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2009-04-03 13:07:43 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2009-04-03 13:07:43 -0400 |
| commit | 3cc50ac0dbda5100684e570247782330155d35e0 (patch) | |
| tree | f4b8f22d1725ebe65d2fe658d292dabacd7ed564 /fs/cachefiles/security.c | |
| parent | d9b9be024a6628a01d8730d1fd0b5f25658a2794 (diff) | |
| parent | b797cac7487dee6bfddeb161631c1bbc54fa3cdb (diff) | |
Merge git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-2.6-fscache
* git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-2.6-fscache: (41 commits)
NFS: Add mount options to enable local caching on NFS
NFS: Display local caching state
NFS: Store pages from an NFS inode into a local cache
NFS: Read pages from FS-Cache into an NFS inode
NFS: nfs_readpage_async() needs to be accessible as a fallback for local caching
NFS: Add read context retention for FS-Cache to call back with
NFS: FS-Cache page management
NFS: Add some new I/O counters for FS-Cache doing things for NFS
NFS: Invalidate FsCache page flags when cache removed
NFS: Use local disk inode cache
NFS: Define and create inode-level cache objects
NFS: Define and create superblock-level objects
NFS: Define and create server-level objects
NFS: Register NFS for caching and retrieve the top-level index
NFS: Permit local filesystem caching to be enabled for NFS
NFS: Add FS-Cache option bit and debug bit
NFS: Add comment banners to some NFS functions
FS-Cache: Make kAFS use FS-Cache
CacheFiles: A cache that backs onto a mounted filesystem
CacheFiles: Export things for CacheFiles
...
Diffstat (limited to 'fs/cachefiles/security.c')
| -rw-r--r-- | fs/cachefiles/security.c | 116 |
1 files changed, 116 insertions, 0 deletions
diff --git a/fs/cachefiles/security.c b/fs/cachefiles/security.c new file mode 100644 index 000000000000..b5808cdb2232 --- /dev/null +++ b/fs/cachefiles/security.c | |||
| @@ -0,0 +1,116 @@ | |||
| 1 | /* CacheFiles security management | ||
| 2 | * | ||
| 3 | * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved. | ||
| 4 | * Written by David Howells (dhowells@redhat.com) | ||
| 5 | * | ||
| 6 | * This program is free software; you can redistribute it and/or | ||
| 7 | * modify it under the terms of the GNU General Public Licence | ||
| 8 | * as published by the Free Software Foundation; either version | ||
| 9 | * 2 of the Licence, or (at your option) any later version. | ||
| 10 | */ | ||
| 11 | |||
| 12 | #include <linux/fs.h> | ||
| 13 | #include <linux/cred.h> | ||
| 14 | #include "internal.h" | ||
| 15 | |||
| 16 | /* | ||
| 17 | * determine the security context within which we access the cache from within | ||
| 18 | * the kernel | ||
| 19 | */ | ||
| 20 | int cachefiles_get_security_ID(struct cachefiles_cache *cache) | ||
| 21 | { | ||
| 22 | struct cred *new; | ||
| 23 | int ret; | ||
| 24 | |||
| 25 | _enter("{%s}", cache->secctx); | ||
| 26 | |||
| 27 | new = prepare_kernel_cred(current); | ||
| 28 | if (!new) { | ||
| 29 | ret = -ENOMEM; | ||
| 30 | goto error; | ||
| 31 | } | ||
| 32 | |||
| 33 | if (cache->secctx) { | ||
| 34 | ret = set_security_override_from_ctx(new, cache->secctx); | ||
| 35 | if (ret < 0) { | ||
| 36 | put_cred(new); | ||
| 37 | printk(KERN_ERR "CacheFiles:" | ||
| 38 | " Security denies permission to nominate" | ||
| 39 | " security context: error %d\n", | ||
| 40 | ret); | ||
| 41 | goto error; | ||
| 42 | } | ||
| 43 | } | ||
| 44 | |||
| 45 | cache->cache_cred = new; | ||
| 46 | ret = 0; | ||
| 47 | error: | ||
| 48 | _leave(" = %d", ret); | ||
| 49 | return ret; | ||
| 50 | } | ||
| 51 | |||
| 52 | /* | ||
| 53 | * see if mkdir and create can be performed in the root directory | ||
| 54 | */ | ||
| 55 | static int cachefiles_check_cache_dir(struct cachefiles_cache *cache, | ||
| 56 | struct dentry *root) | ||
| 57 | { | ||
| 58 | int ret; | ||
| 59 | |||
| 60 | ret = security_inode_mkdir(root->d_inode, root, 0); | ||
| 61 | if (ret < 0) { | ||
| 62 | printk(KERN_ERR "CacheFiles:" | ||
| 63 | " Security denies permission to make dirs: error %d", | ||
| 64 | ret); | ||
| 65 | return ret; | ||
| 66 | } | ||
| 67 | |||
| 68 | ret = security_inode_create(root->d_inode, root, 0); | ||
| 69 | if (ret < 0) | ||
| 70 | printk(KERN_ERR "CacheFiles:" | ||
| 71 | " Security denies permission to create files: error %d", | ||
| 72 | ret); | ||
| 73 | |||
| 74 | return ret; | ||
| 75 | } | ||
| 76 | |||
| 77 | /* | ||
| 78 | * check the security details of the on-disk cache | ||
| 79 | * - must be called with security override in force | ||
| 80 | */ | ||
| 81 | int cachefiles_determine_cache_security(struct cachefiles_cache *cache, | ||
| 82 | struct dentry *root, | ||
| 83 | const struct cred **_saved_cred) | ||
| 84 | { | ||
| 85 | struct cred *new; | ||
| 86 | int ret; | ||
| 87 | |||
| 88 | _enter(""); | ||
| 89 | |||
| 90 | /* duplicate the cache creds for COW (the override is currently in | ||
| 91 | * force, so we can use prepare_creds() to do this) */ | ||
| 92 | new = prepare_creds(); | ||
| 93 | if (!new) | ||
| 94 | return -ENOMEM; | ||
| 95 | |||
| 96 | cachefiles_end_secure(cache, *_saved_cred); | ||
| 97 | |||
| 98 | /* use the cache root dir's security context as the basis with | ||
| 99 | * which create files */ | ||
| 100 | ret = set_create_files_as(new, root->d_inode); | ||
| 101 | if (ret < 0) { | ||
| 102 | _leave(" = %d [cfa]", ret); | ||
| 103 | return ret; | ||
| 104 | } | ||
| 105 | |||
| 106 | put_cred(cache->cache_cred); | ||
| 107 | cache->cache_cred = new; | ||
| 108 | |||
| 109 | cachefiles_begin_secure(cache, _saved_cred); | ||
| 110 | ret = cachefiles_check_cache_dir(cache, root); | ||
| 111 | |||
| 112 | if (ret == -EOPNOTSUPP) | ||
| 113 | ret = 0; | ||
| 114 | _leave(" = %d", ret); | ||
| 115 | return ret; | ||
| 116 | } | ||