LSM/SELinux: show LSM mount options in /proc/mounts

This patch causes SELinux mount options to show up in /proc/mounts. As with other code in the area seq_put errors are ignored. Other LSM's will not have their mount options displayed until they fill in their own security_sb_show_options() function. Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: Miklos Szeredi <mszeredi@suse.cz> Signed-off-by: James Morris <jmorris@namei.org>
author: Eric Paris <eparis@redhat.com> 2008-07-03 19:47:13 -0400
committer: James Morris <jmorris@namei.org> 2008-07-14 01:02:05 -0400
commit: 2069f457848f846cb31149c9aa29b330a6b66d1b (patch)
tree: 199e7bb15e7d7b5cf008cd6fdb6cefc0d6af7f13 /security
parent: 811f3799279e567aa354c649ce22688d949ac7a9 (diff)
3 files changed, 65 insertions, 1 deletions
diff --git a/security/dummy.c b/security/dummy.c
index 1db712d99dc7..c155f08e9dd8 100644
--- a/security/dummy.c
+++ b/security/dummy.c
@@ -194,6 +194,11 @@ static int dummy_sb_kern_mount (struct super_block *sb, void *data)
        return 0;
 }
+static int dummy_sb_show_options(struct seq_file *m, struct super_block *sb)
+{
+        return 0;
+}
 static int dummy_sb_statfs (struct dentry *dentry)
 {
        return 0;
@@ -1088,6 +1093,7 @@ void security_fixup_ops (struct security_operations *ops)
        set_to_dummy_if_null(ops, sb_free_security);
        set_to_dummy_if_null(ops, sb_copy_data);
        set_to_dummy_if_null(ops, sb_kern_mount);
+        set_to_dummy_if_null(ops, sb_show_options);
        set_to_dummy_if_null(ops, sb_statfs);
        set_to_dummy_if_null(ops, sb_mount);
        set_to_dummy_if_null(ops, sb_check_sb);
diff --git a/security/security.c b/security/security.c
index 2c0a5876b939..de74fdccde26 100644
--- a/security/security.c
+++ b/security/security.c
@@ -292,6 +292,11 @@ int security_sb_kern_mount(struct super_block *sb, void *data)
        return security_ops->sb_kern_mount(sb, data);
 }
+int security_sb_show_options(struct seq_file *m, struct super_block *sb)
+{
+        return security_ops->sb_show_options(m, sb);
+}
 int security_sb_statfs(struct dentry *dentry)
 {
        return security_ops->sb_statfs(dentry);
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 85f74f665765..33dee83fdd2f 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -9,7 +9,8 @@
 *            James Morris <jmorris@redhat.com>
 *
 *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
- *  Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
+ *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
+ *                                         Eric Paris <eparis@redhat.com>
 *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
 *                          <dgoeddel@trustedcs.com>
 *  Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
@@ -970,6 +971,57 @@ out_err:
        return rc;
 }
+void selinux_write_opts(struct seq_file *m, struct security_mnt_opts *opts)
+{
+        int i;
+        char *prefix;
+        for (i = 0; i < opts->num_mnt_opts; i++) {
+                char *has_comma = strchr(opts->mnt_opts[i], ',');
+                switch (opts->mnt_opts_flags[i]) {
+                case CONTEXT_MNT:
+                        prefix = CONTEXT_STR;
+                        break;
+                case FSCONTEXT_MNT:
+                        prefix = FSCONTEXT_STR;
+                        break;
+                case ROOTCONTEXT_MNT:
+                        prefix = ROOTCONTEXT_STR;
+                        break;
+                case DEFCONTEXT_MNT:
+                        prefix = DEFCONTEXT_STR;
+                        break;
+                default:
+                        BUG();
+                };
+                /* we need a comma before each option */
+                seq_putc(m, ',');
+                seq_puts(m, prefix);
+                if (has_comma)
+                        seq_putc(m, '\"');
+                seq_puts(m, opts->mnt_opts[i]);
+                if (has_comma)
+                        seq_putc(m, '\"');
+        }
+}
+static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
+{
+        struct security_mnt_opts opts;
+        int rc;
+        rc = selinux_get_mnt_opts(sb, &opts);
+        if (rc)
+                return rc;
+        selinux_write_opts(m, &opts);
+        security_free_mnt_opts(&opts);
+        return rc;
+}
 static inline u16 inode_mode_to_security_class(umode_t mode)
 {
        switch (mode & S_IFMT) {
@@ -5365,6 +5417,7 @@ static struct security_operations selinux_ops = {
        .sb_free_security =             selinux_sb_free_security,
        .sb_copy_data =                 selinux_sb_copy_data,
        .sb_kern_mount =                selinux_sb_kern_mount,
+        .sb_show_options =              selinux_sb_show_options,
        .sb_statfs =                    selinux_sb_statfs,
        .sb_mount =                     selinux_mount,
        .sb_umount =                    selinux_umount,
author	Eric Paris <eparis@redhat.com>	2008-07-03 19:47:13 -0400
committer	James Morris <jmorris@namei.org>	2008-07-14 01:02:05 -0400
commit	2069f457848f846cb31149c9aa29b330a6b66d1b (patch)
tree	199e7bb15e7d7b5cf008cd6fdb6cefc0d6af7f13 /security
parent	811f3799279e567aa354c649ce22688d949ac7a9 (diff)

diff --git a/security/dummy.c b/security/dummy.c index 1db712d99dc7..c155f08e9dd8 100644 --- a/security/dummy.c +++ b/security/dummy.c
@@ -194,6 +194,11 @@ static int dummy_sb_kern_mount (struct super_block sb, void data)
194	return 0;	194	return 0;
195	}	195	}
196		196
		197	static int dummy_sb_show_options(struct seq_file m, struct super_block sb)
		198	{
		199	return 0;
		200	}
		201
197	static int dummy_sb_statfs (struct dentry *dentry)	202	static int dummy_sb_statfs (struct dentry *dentry)
198	{	203	{
199	return 0;	204	return 0;
@@ -1088,6 +1093,7 @@ void security_fixup_ops (struct security_operations *ops)
1088	set_to_dummy_if_null(ops, sb_free_security);	1093	set_to_dummy_if_null(ops, sb_free_security);
1089	set_to_dummy_if_null(ops, sb_copy_data);	1094	set_to_dummy_if_null(ops, sb_copy_data);
1090	set_to_dummy_if_null(ops, sb_kern_mount);	1095	set_to_dummy_if_null(ops, sb_kern_mount);
		1096	set_to_dummy_if_null(ops, sb_show_options);
1091	set_to_dummy_if_null(ops, sb_statfs);	1097	set_to_dummy_if_null(ops, sb_statfs);
1092	set_to_dummy_if_null(ops, sb_mount);	1098	set_to_dummy_if_null(ops, sb_mount);
1093	set_to_dummy_if_null(ops, sb_check_sb);	1099	set_to_dummy_if_null(ops, sb_check_sb);


diff --git a/security/security.c b/security/security.c index 2c0a5876b939..de74fdccde26 100644 --- a/security/security.c +++ b/security/security.c
@@ -292,6 +292,11 @@ int security_sb_kern_mount(struct super_block sb, void data)
292	return security_ops->sb_kern_mount(sb, data);	292	return security_ops->sb_kern_mount(sb, data);
293	}	293	}
294		294
		295	int security_sb_show_options(struct seq_file m, struct super_block sb)
		296	{
		297	return security_ops->sb_show_options(m, sb);
		298	}
		299
295	int security_sb_statfs(struct dentry *dentry)	300	int security_sb_statfs(struct dentry *dentry)
296	{	301	{
297	return security_ops->sb_statfs(dentry);	302	return security_ops->sb_statfs(dentry);


diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 85f74f665765..33dee83fdd2f 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c
@@ -9,7 +9,8 @@
9	* James Morris <jmorris@redhat.com>	9	* James Morris <jmorris@redhat.com>
10	*	10	*
11	* Copyright (C) 2001,2002 Networks Associates Technology, Inc.	11	* Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12	* Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>	12	* Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
		13	* Eric Paris <eparis@redhat.com>
13	* Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.	14	* Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14	* <dgoeddel@trustedcs.com>	15	* <dgoeddel@trustedcs.com>
15	* Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.	16	* Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
@@ -970,6 +971,57 @@ out_err:
970	return rc;	971	return rc;
971	}	972	}
972		973
		974	void selinux_write_opts(struct seq_file m, struct security_mnt_opts opts)
		975	{
		976	int i;
		977	char *prefix;
		978
		979	for (i = 0; i < opts->num_mnt_opts; i++) {
		980	char *has_comma = strchr(opts->mnt_opts[i], ',');
		981
		982	switch (opts->mnt_opts_flags[i]) {
		983	case CONTEXT_MNT:
		984	prefix = CONTEXT_STR;
		985	break;
		986	case FSCONTEXT_MNT:
		987	prefix = FSCONTEXT_STR;
		988	break;
		989	case ROOTCONTEXT_MNT:
		990	prefix = ROOTCONTEXT_STR;
		991	break;
		992	case DEFCONTEXT_MNT:
		993	prefix = DEFCONTEXT_STR;
		994	break;
		995	default:
		996	BUG();
		997	};
		998	/* we need a comma before each option */
		999	seq_putc(m, ',');
		1000	seq_puts(m, prefix);
		1001	if (has_comma)
		1002	seq_putc(m, '\"');
		1003	seq_puts(m, opts->mnt_opts[i]);
		1004	if (has_comma)
		1005	seq_putc(m, '\"');
		1006	}
		1007	}
		1008
		1009	static int selinux_sb_show_options(struct seq_file m, struct super_block sb)
		1010	{
		1011	struct security_mnt_opts opts;
		1012	int rc;
		1013
		1014	rc = selinux_get_mnt_opts(sb, &opts);
		1015	if (rc)
		1016	return rc;
		1017
		1018	selinux_write_opts(m, &opts);
		1019
		1020	security_free_mnt_opts(&opts);
		1021
		1022	return rc;
		1023	}
		1024
973	static inline u16 inode_mode_to_security_class(umode_t mode)	1025	static inline u16 inode_mode_to_security_class(umode_t mode)
974	{	1026	{
975	switch (mode & S_IFMT) {	1027	switch (mode & S_IFMT) {
@@ -5365,6 +5417,7 @@ static struct security_operations selinux_ops = {
5365	.sb_free_security = selinux_sb_free_security,	5417	.sb_free_security = selinux_sb_free_security,
5366	.sb_copy_data = selinux_sb_copy_data,	5418	.sb_copy_data = selinux_sb_copy_data,
5367	.sb_kern_mount = selinux_sb_kern_mount,	5419	.sb_kern_mount = selinux_sb_kern_mount,
		5420	.sb_show_options = selinux_sb_show_options,
5368	.sb_statfs = selinux_sb_statfs,	5421	.sb_statfs = selinux_sb_statfs,
5369	.sb_mount = selinux_mount,	5422	.sb_mount = selinux_mount,
5370	.sb_umount = selinux_umount,	5423	.sb_umount = selinux_umount,