aboutsummaryrefslogtreecommitdiffstats
path: root/include/linux/security.h
diff options
context:
space:
mode:
authorDavid P. Quigley <dpquigl@tycho.nsa.gov>2008-02-05 01:29:39 -0500
committerLinus Torvalds <torvalds@woody.linux-foundation.org>2008-02-05 12:44:20 -0500
commit42492594043d621a7910ff5877c3eb9202870b45 (patch)
tree9188d112c019a189606847dc1d90ccc63c1bacf2 /include/linux/security.h
parent3729145821e3088a0c3c4183037fde356204bf97 (diff)
VFS/Security: Rework inode_getsecurity and callers to return resulting buffer
This patch modifies the interface to inode_getsecurity to have the function return a buffer containing the security blob and its length via parameters instead of relying on the calling function to give it an appropriately sized buffer. Security blobs obtained with this function should be freed using the release_secctx LSM hook. This alleviates the problem of the caller having to guess a length and preallocate a buffer for this function allowing it to be used elsewhere for Labeled NFS. The patch also removed the unused err parameter. The conversion is similar to the one performed by Al Viro for the security_getprocattr hook. Signed-off-by: David P. Quigley <dpquigl@tycho.nsa.gov> Cc: Stephen Smalley <sds@tycho.nsa.gov> Cc: Chris Wright <chrisw@sous-sol.org> Acked-by: James Morris <jmorris@namei.org> Acked-by: Serge Hallyn <serue@us.ibm.com> Cc: Casey Schaufler <casey@schaufler-ca.com> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Christoph Hellwig <hch@lst.de> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'include/linux/security.h')
-rw-r--r--include/linux/security.h21
1 files changed, 9 insertions, 12 deletions
diff --git a/include/linux/security.h b/include/linux/security.h
index d24974262dc6..9d289e726fd8 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -423,15 +423,12 @@ struct request_sock;
423 * identified by @name for @dentry. 423 * identified by @name for @dentry.
424 * Return 0 if permission is granted. 424 * Return 0 if permission is granted.
425 * @inode_getsecurity: 425 * @inode_getsecurity:
426 * Copy the extended attribute representation of the security label 426 * Retrieve a copy of the extended attribute representation of the
427 * associated with @name for @inode into @buffer. @buffer may be 427 * security label associated with @name for @inode via @buffer. Note that
428 * NULL to request the size of the buffer required. @size indicates 428 * @name is the remainder of the attribute name after the security prefix
429 * the size of @buffer in bytes. Note that @name is the remainder 429 * has been removed. @alloc is used to specify of the call should return a
430 * of the attribute name after the security. prefix has been removed. 430 * value via the buffer or just the value length Return size of buffer on
431 * @err is the return value from the preceding fs getxattr call, 431 * success.
432 * and can be used by the security module to determine whether it
433 * should try and canonicalize the attribute value.
434 * Return number of bytes used/required on success.
435 * @inode_setsecurity: 432 * @inode_setsecurity:
436 * Set the security label associated with @name for @inode from the 433 * Set the security label associated with @name for @inode from the
437 * extended attribute value @value. @size indicates the size of the 434 * extended attribute value @value. @size indicates the size of the
@@ -1304,7 +1301,7 @@ struct security_operations {
1304 int (*inode_removexattr) (struct dentry *dentry, char *name); 1301 int (*inode_removexattr) (struct dentry *dentry, char *name);
1305 int (*inode_need_killpriv) (struct dentry *dentry); 1302 int (*inode_need_killpriv) (struct dentry *dentry);
1306 int (*inode_killpriv) (struct dentry *dentry); 1303 int (*inode_killpriv) (struct dentry *dentry);
1307 int (*inode_getsecurity)(const struct inode *inode, const char *name, void *buffer, size_t size, int err); 1304 int (*inode_getsecurity)(const struct inode *inode, const char *name, void **buffer, bool alloc);
1308 int (*inode_setsecurity)(struct inode *inode, const char *name, const void *value, size_t size, int flags); 1305 int (*inode_setsecurity)(struct inode *inode, const char *name, const void *value, size_t size, int flags);
1309 int (*inode_listsecurity)(struct inode *inode, char *buffer, size_t buffer_size); 1306 int (*inode_listsecurity)(struct inode *inode, char *buffer, size_t buffer_size);
1310 1307
@@ -1565,7 +1562,7 @@ int security_inode_listxattr(struct dentry *dentry);
1565int security_inode_removexattr(struct dentry *dentry, char *name); 1562int security_inode_removexattr(struct dentry *dentry, char *name);
1566int security_inode_need_killpriv(struct dentry *dentry); 1563int security_inode_need_killpriv(struct dentry *dentry);
1567int security_inode_killpriv(struct dentry *dentry); 1564int security_inode_killpriv(struct dentry *dentry);
1568int security_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err); 1565int security_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc);
1569int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags); 1566int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags);
1570int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size); 1567int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size);
1571int security_file_permission(struct file *file, int mask); 1568int security_file_permission(struct file *file, int mask);
@@ -1967,7 +1964,7 @@ static inline int security_inode_killpriv(struct dentry *dentry)
1967 return cap_inode_killpriv(dentry); 1964 return cap_inode_killpriv(dentry);
1968} 1965}
1969 1966
1970static inline int security_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err) 1967static inline int security_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
1971{ 1968{
1972 return -EOPNOTSUPP; 1969 return -EOPNOTSUPP;
1973} 1970}