author | Eric Paris <eparis@redhat.com> | 2008-03-05 10:31:54 -0500 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2008-03-05 16:40:53 -0500 |
commit | e0007529893c1c064be90bd21422ca0da4a0198e (patch) | |
tree | c2334ba940e682183a18d18972cf95bd3a3da46a /security/security.c | |
parent | 29e8c3c304b62f31b799565c9ee85d42bd163f80 (diff) |
LSM/SELinux: Interfaces to allow FS to control mount options
Introduce new LSM interfaces to allow an FS to deal with its own mount
options. This includes a new string parsing function exported from the
LSM that an FS can use to get a security data blob and a new security
data blob. This is particularly useful for an FS which uses binary
mount data, like NFS, which does not pass strings into the vfs to be
handled by the loaded LSM. Also fix a BUG() in both SELinux and SMACK
when dealing with binary mount data. If the binary mount data is less
than one page the copy_page() in security_sb_copy_data() can cause an
illegal page fault and boom. Remove all NFSisms from the SELinux code
since they were broken by past NFS changes.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/security.c')
-rw-r--r-- | security/security.c | 23 |
1 files changed, 15 insertions, 8 deletions
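--- a/security/security.c
+++ b/security/security.c
@@ -244,10 +244,11 @@ void security_sb_free(struct super_block *sb)
 security_ops->sb_free_security(sb);
 }
 
-int security_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
+int security_sb_copy_data(char *orig, char *copy)
 {
-return security_ops->sb_copy_data(type, orig, copy);
+return security_ops->sb_copy_data(orig, copy);
 }
+EXPORT_SYMBOL(security_sb_copy_data);
 
 int security_sb_kern_mount(struct super_block *sb, void *data)
 {
@@ -306,24 +307,30 @@ void security_sb_post_pivotroot(struct nameidata *old_nd, struct nameidata *new_
 }
 
 int security_sb_get_mnt_opts(const struct super_block *sb,
-char ***mount_options,
-int **flags, int *num_opts)
+struct security_mnt_opts *opts)
 {
-return security_ops->sb_get_mnt_opts(sb, mount_options, flags, num_opts);
+return security_ops->sb_get_mnt_opts(sb, opts);
 }
 
 int security_sb_set_mnt_opts(struct super_block *sb,
-char **mount_options,
-int *flags, int num_opts)
+struct security_mnt_opts *opts)
 {
-return security_ops->sb_set_mnt_opts(sb, mount_options, flags, num_opts);
+return security_ops->sb_set_mnt_opts(sb, opts);
 }
+EXPORT_SYMBOL(security_sb_set_mnt_opts);
 
 void security_sb_clone_mnt_opts(const struct super_block *oldsb,
 struct super_block *newsb)
 {
 security_ops->sb_clone_mnt_opts(oldsb, newsb);
 }
+EXPORT_SYMBOL(security_sb_clone_mnt_opts);
+
+int security_sb_parse_opts_str(char *options, struct security_mnt_opts *opts)
+{
+return security_ops->sb_parse_opts_str(options, opts);
+}
+EXPORT_SYMBOL(security_sb_parse_opts_str);
 
 int security_inode_alloc(struct inode *inode)
 {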
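Review bot: The wrappers newly exported in the second hunk — `security_sb_set_mnt_opts`, `security_sb_clone_mnt_opts` and `security_sb_parse_opts_str` — become callable from filesystem modules but carry no kernel-doc, so a caller cannot tell from this file who owns the storage referenced through `struct security_mnt_opts` after a successful call, or whether `options` is modified in place by the parser. A short `/** ... */` block on each exported wrapper stating the ownership and in-place-modification contract of the underlying hook (the hook implementations are outside this file, so I am inferring the need from the export rather than from visible code) would keep module authors from guessing. The same gap applies to `security_sb_copy_data` in the first hunk, whose `char *` parameters replace `void *` without stating how many bytes of `orig` the hook may read or that `copy` must be a full page — exactly the assumption the commit message says produced the fault for sub-page binary mount data — so a one-line comment such as `/* orig and copy are page-sized buffers; the hook must not assume orig is a NUL-terminated string */` would pin the contract callers now depend on, subject to confirming that against the callers.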