Security: Add Hook to test if the particular xattr is part of a MAC model.

The interface to request security labels from user space is the xattr interface. When requesting the security label from an NFS server it is important to make sure the requested xattr actually is a MAC label. This allows us to make sure that we get the desired semantics from the attribute instead of something else such as capabilities or a time based LSM. Acked-by: Eric Paris <eparis@redhat.com> Acked-by: James Morris <james.l.morris@oracle.com> Signed-off-by: Matthew N. Dodd <Matthew.Dodd@sparta.com> Signed-off-by: Miguel Rodel Felipe <Rodel_FM@dsi.a-star.edu.sg> Signed-off-by: Phua Eu Gene <PHUA_Eu_Gene@dsi.a-star.edu.sg> Signed-off-by: Khin Mi Mi Aung <Mi_Mi_AUNG@dsi.a-star.edu.sg> Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
author: David Quigley <dpquigl@davequigley.com> 2013-05-22 12:50:35 -0400
committer: Trond Myklebust <Trond.Myklebust@netapp.com> 2013-06-08 16:20:11 -0400
commit: 746df9b59c8a5f162c907796c7295d3c4c0d8995 (patch)
tree: 6c0e7ae018bfb33f482afdc74d0c77d6b9edd152 /include/linux/security.h
parent: d47be3dfecaf20255af89a57460285c82d5271ad (diff)
1 files changed, 14 insertions, 0 deletions
diff --git a/include/linux/security.h b/include/linux/security.h
index c2af46264ae0..cff3e4fc4281 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -1323,6 +1323,13 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 *      @pages contains the number of pages.
 *      Return 0 if permission is granted.
 *
+ * @ismaclabel:
+ *      Check if the extended attribute specified by @name
+ *      represents a MAC label. Returns 1 if name is a MAC
+ *      attribute otherwise returns 0.
+ *      @name full extended attribute name to check against
+ *      LSM as a MAC label.
+ *
 * @secid_to_secctx:
 *      Convert secid to security context.  If secdata is NULL the length of
 *      the result will be returned in seclen, but no secdata will be returned.
@@ -1604,6 +1611,7 @@ struct security_operations {
        int (*getprocattr) (struct task_struct *p, char *name, char **value);
        int (*setprocattr) (struct task_struct *p, char *name, void *value, size_t size);
+        int (*ismaclabel) (const char *name);
        int (*secid_to_secctx) (u32 secid, char **secdata, u32 *seclen);
        int (*secctx_to_secid) (const char *secdata, u32 seclen, u32 *secid);
        void (*release_secctx) (char *secdata, u32 seclen);
@@ -1857,6 +1865,7 @@ void security_d_instantiate(struct dentry *dentry, struct inode *inode);
 int security_getprocattr(struct task_struct *p, char *name, char **value);
 int security_setprocattr(struct task_struct *p, char *name, void *value, size_t size);
 int security_netlink_send(struct sock *sk, struct sk_buff *skb);
+int security_ismaclabel(const char *name);
 int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
 int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid);
 void security_release_secctx(char *secdata, u32 seclen);
@@ -2547,6 +2556,11 @@ static inline int security_netlink_send(struct sock *sk, struct sk_buff *skb)
        return cap_netlink_send(sk, skb);
 }
+static inline int security_ismaclabel(const char *name)
+{
+        return 0;
+}
 static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
 {
        return -EOPNOTSUPP;
author	David Quigley <dpquigl@davequigley.com>	2013-05-22 12:50:35 -0400
committer	Trond Myklebust <Trond.Myklebust@netapp.com>	2013-06-08 16:20:11 -0400
commit	746df9b59c8a5f162c907796c7295d3c4c0d8995 (patch)
tree	6c0e7ae018bfb33f482afdc74d0c77d6b9edd152 /include/linux/security.h
parent	d47be3dfecaf20255af89a57460285c82d5271ad (diff)