aboutsummaryrefslogtreecommitdiffstats
path: root/security/selinux
diff options
context:
space:
mode:
authorJames Morris <jmorris@namei.org>2008-07-15 04:32:49 -0400
committerJames Morris <jmorris@namei.org>2008-07-15 04:32:49 -0400
commit089be43e403a78cd6889cde2fba164fefe9dfd89 (patch)
treede401b27c91c528dbf64c712e6b64d185ded0c54 /security/selinux
parent50515af207d410c9f228380e529c56f43c3de0bd (diff)
Revert "SELinux: allow fstype unknown to policy to use xattrs if present"
This reverts commit 811f3799279e567aa354c649ce22688d949ac7a9. From Eric Paris: "Please drop this patch for now. It deadlocks on ntfs-3g. I need to rework it to handle fuse filesystems better. (casey was right)"
Diffstat (limited to 'security/selinux')
-rw-r--r--security/selinux/hooks.c22
-rw-r--r--security/selinux/include/security.h2
-rw-r--r--security/selinux/ss/services.c27
3 files changed, 14 insertions, 37 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 91200feb3f9c..63f131fc42e4 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -555,15 +555,13 @@ static int selinux_set_mnt_opts(struct super_block *sb,
555 struct task_security_struct *tsec = current->security; 555 struct task_security_struct *tsec = current->security;
556 struct superblock_security_struct *sbsec = sb->s_security; 556 struct superblock_security_struct *sbsec = sb->s_security;
557 const char *name = sb->s_type->name; 557 const char *name = sb->s_type->name;
558 struct dentry *root = sb->s_root; 558 struct inode *inode = sbsec->sb->s_root->d_inode;
559 struct inode *root_inode = root->d_inode; 559 struct inode_security_struct *root_isec = inode->i_security;
560 struct inode_security_struct *root_isec = root_inode->i_security;
561 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0; 560 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
562 u32 defcontext_sid = 0; 561 u32 defcontext_sid = 0;
563 char **mount_options = opts->mnt_opts; 562 char **mount_options = opts->mnt_opts;
564 int *flags = opts->mnt_opts_flags; 563 int *flags = opts->mnt_opts_flags;
565 int num_opts = opts->num_mnt_opts; 564 int num_opts = opts->num_mnt_opts;
566 bool can_xattr = false;
567 565
568 mutex_lock(&sbsec->lock); 566 mutex_lock(&sbsec->lock);
569 567
@@ -667,24 +665,14 @@ static int selinux_set_mnt_opts(struct super_block *sb,
667 goto out; 665 goto out;
668 } 666 }
669 667
670 if (strcmp(name, "proc") == 0) 668 if (strcmp(sb->s_type->name, "proc") == 0)
671 sbsec->proc = 1; 669 sbsec->proc = 1;
672 670
673 /*
674 * test if the fs supports xattrs, fs_use might make use of this if the
675 * fs has no definition in policy.
676 */
677 if (root_inode->i_op->getxattr) {
678 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
679 if (rc >= 0 || rc == -ENODATA)
680 can_xattr = true;
681 }
682
683 /* Determine the labeling behavior to use for this filesystem type. */ 671 /* Determine the labeling behavior to use for this filesystem type. */
684 rc = security_fs_use(name, &sbsec->behavior, &sbsec->sid, can_xattr); 672 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
685 if (rc) { 673 if (rc) {
686 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n", 674 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
687 __func__, name, rc); 675 __func__, sb->s_type->name, rc);
688 goto out; 676 goto out;
689 } 677 }
690 678
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index 44cba2e21dcf..7c543003d653 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -136,7 +136,7 @@ int security_get_allow_unknown(void);
136#define SECURITY_FS_USE_MNTPOINT 6 /* use mountpoint labeling */ 136#define SECURITY_FS_USE_MNTPOINT 6 /* use mountpoint labeling */
137 137
138int security_fs_use(const char *fstype, unsigned int *behavior, 138int security_fs_use(const char *fstype, unsigned int *behavior,
139 u32 *sid, bool can_xattr); 139 u32 *sid);
140 140
141int security_genfs_sid(const char *fstype, char *name, u16 sclass, 141int security_genfs_sid(const char *fstype, char *name, u16 sclass,
142 u32 *sid); 142 u32 *sid);
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 8e42da120101..b52f923ce680 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1934,8 +1934,7 @@ out:
1934int security_fs_use( 1934int security_fs_use(
1935 const char *fstype, 1935 const char *fstype,
1936 unsigned int *behavior, 1936 unsigned int *behavior,
1937 u32 *sid, 1937 u32 *sid)
1938 bool can_xattr)
1939{ 1938{
1940 int rc = 0; 1939 int rc = 0;
1941 struct ocontext *c; 1940 struct ocontext *c;
@@ -1949,7 +1948,6 @@ int security_fs_use(
1949 c = c->next; 1948 c = c->next;
1950 } 1949 }
1951 1950
1952 /* look for labeling behavior defined in policy */
1953 if (c) { 1951 if (c) {
1954 *behavior = c->v.behavior; 1952 *behavior = c->v.behavior;
1955 if (!c->sid[0]) { 1953 if (!c->sid[0]) {
@@ -1960,23 +1958,14 @@ int security_fs_use(
1960 goto out; 1958 goto out;
1961 } 1959 }
1962 *sid = c->sid[0]; 1960 *sid = c->sid[0];
1963 goto out;
1964 }
1965
1966 /* labeling behavior not in policy, use xattrs if possible */
1967 if (can_xattr) {
1968 *behavior = SECURITY_FS_USE_XATTR;
1969 *sid = SECINITSID_FS;
1970 goto out;
1971 }
1972
1973 /* no behavior in policy and can't use xattrs, try GENFS */
1974 rc = security_genfs_sid(fstype, "/", SECCLASS_DIR, sid);
1975 if (rc) {
1976 *behavior = SECURITY_FS_USE_NONE;
1977 rc = 0;
1978 } else { 1961 } else {
1979 *behavior = SECURITY_FS_USE_GENFS; 1962 rc = security_genfs_sid(fstype, "/", SECCLASS_DIR, sid);
1963 if (rc) {
1964 *behavior = SECURITY_FS_USE_NONE;
1965 rc = 0;
1966 } else {
1967 *behavior = SECURITY_FS_USE_GENFS;
1968 }
1980 } 1969 }
1981 1970
1982out: 1971out: