LSM/SELinux: Interfaces to allow FS to control mount options

Introduce new LSM interfaces to allow an FS to deal with their own mount options. This includes a new string parsing function exported from the LSM that an FS can use to get a security data blob and a new security data blob. This is particularly useful for an FS which uses binary mount data, like NFS, which does not pass strings into the vfs to be handled by the loaded LSM. Also fix a BUG() in both SELinux and SMACK when dealing with binary mount data. If the binary mount data is less than one page the copy_page() in security_sb_copy_data() can cause an illegal page fault and boom. Remove all NFSisms from the SELinux code since they were broken by past NFS changes. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: James Morris <jmorris@namei.org>
author: Eric Paris <eparis@redhat.com> 2008-03-05 10:31:54 -0500
committer: James Morris <jmorris@namei.org> 2008-03-05 16:40:53 -0500
commit: e0007529893c1c064be90bd21422ca0da4a0198e (patch)
tree: c2334ba940e682183a18d18972cf95bd3a3da46a /security/security.c
parent: 29e8c3c304b62f31b799565c9ee85d42bd163f80 (diff)
1 files changed, 15 insertions, 8 deletions
diff --git a/security/security.c b/security/security.c
index d15e56cbaade..b1387a6b416d 100644
--- a/security/security.c
+++ b/security/security.c
@@ -244,10 +244,11 @@ void security_sb_free(struct super_block *sb)
        security_ops->sb_free_security(sb);
 }
-int security_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
+int security_sb_copy_data(char *orig, char *copy)
 {
-        return security_ops->sb_copy_data(type, orig, copy);
+        return security_ops->sb_copy_data(orig, copy);
 }
+EXPORT_SYMBOL(security_sb_copy_data);
 int security_sb_kern_mount(struct super_block *sb, void *data)
 {
@@ -306,24 +307,30 @@ void security_sb_post_pivotroot(struct nameidata *old_nd, struct nameidata *new_
 }
 int security_sb_get_mnt_opts(const struct super_block *sb,
-                              char ***mount_options,
+                                struct security_mnt_opts *opts)
-                              int **flags, int *num_opts)
 {
-        return security_ops->sb_get_mnt_opts(sb, mount_options, flags, num_opts);
+        return security_ops->sb_get_mnt_opts(sb, opts);
 }
 int security_sb_set_mnt_opts(struct super_block *sb,
-                              char **mount_options,
+                                struct security_mnt_opts *opts)
-                              int *flags, int num_opts)
 {
-        return security_ops->sb_set_mnt_opts(sb, mount_options, flags, num_opts);
+        return security_ops->sb_set_mnt_opts(sb, opts);
 }
+EXPORT_SYMBOL(security_sb_set_mnt_opts);
 void security_sb_clone_mnt_opts(const struct super_block *oldsb,
                                struct super_block *newsb)
 {
        security_ops->sb_clone_mnt_opts(oldsb, newsb);
 }
+EXPORT_SYMBOL(security_sb_clone_mnt_opts);
+int security_sb_parse_opts_str(char *options, struct security_mnt_opts *opts)
+{
+        return security_ops->sb_parse_opts_str(options, opts);
+}
+EXPORT_SYMBOL(security_sb_parse_opts_str);
 int security_inode_alloc(struct inode *inode)
 {
author	Eric Paris <eparis@redhat.com>	2008-03-05 10:31:54 -0500
committer	James Morris <jmorris@namei.org>	2008-03-05 16:40:53 -0500
commit	e0007529893c1c064be90bd21422ca0da4a0198e (patch)
tree	c2334ba940e682183a18d18972cf95bd3a3da46a /security/security.c
parent	29e8c3c304b62f31b799565c9ee85d42bd163f80 (diff)