diff options
| -rw-r--r-- | fs/nfs/super.c | 3 | ||||
| -rw-r--r-- | include/linux/security.h | 13 | ||||
| -rw-r--r-- | security/capability.c | 5 | ||||
| -rw-r--r-- | security/security.c | 7 | ||||
| -rw-r--r-- | security/selinux/hooks.c | 12 |
5 files changed, 31 insertions, 9 deletions
diff --git a/fs/nfs/super.c b/fs/nfs/super.c index a366107a7331..c1bbb53d444a 100644 --- a/fs/nfs/super.c +++ b/fs/nfs/super.c | |||
| @@ -2411,7 +2411,8 @@ static int nfs_bdi_register(struct nfs_server *server) | |||
| 2411 | int nfs_set_sb_security(struct super_block *s, struct dentry *mntroot, | 2411 | int nfs_set_sb_security(struct super_block *s, struct dentry *mntroot, |
| 2412 | struct nfs_mount_info *mount_info) | 2412 | struct nfs_mount_info *mount_info) |
| 2413 | { | 2413 | { |
| 2414 | return security_sb_set_mnt_opts(s, &mount_info->parsed->lsm_opts); | 2414 | return security_sb_set_mnt_opts(s, &mount_info->parsed->lsm_opts, |
| 2415 | 0, NULL); | ||
| 2415 | } | 2416 | } |
| 2416 | EXPORT_SYMBOL_GPL(nfs_set_sb_security); | 2417 | EXPORT_SYMBOL_GPL(nfs_set_sb_security); |
| 2417 | 2418 | ||
diff --git a/include/linux/security.h b/include/linux/security.h index cff3e4fc4281..aa656fbc4308 100644 --- a/include/linux/security.h +++ b/include/linux/security.h | |||
| @@ -1456,7 +1456,9 @@ struct security_operations { | |||
| 1456 | int (*sb_pivotroot) (struct path *old_path, | 1456 | int (*sb_pivotroot) (struct path *old_path, |
| 1457 | struct path *new_path); | 1457 | struct path *new_path); |
| 1458 | int (*sb_set_mnt_opts) (struct super_block *sb, | 1458 | int (*sb_set_mnt_opts) (struct super_block *sb, |
| 1459 | struct security_mnt_opts *opts); | 1459 | struct security_mnt_opts *opts, |
| 1460 | unsigned long kern_flags, | ||
| 1461 | unsigned long *set_kern_flags); | ||
| 1460 | int (*sb_clone_mnt_opts) (const struct super_block *oldsb, | 1462 | int (*sb_clone_mnt_opts) (const struct super_block *oldsb, |
| 1461 | struct super_block *newsb); | 1463 | struct super_block *newsb); |
| 1462 | int (*sb_parse_opts_str) (char *options, struct security_mnt_opts *opts); | 1464 | int (*sb_parse_opts_str) (char *options, struct security_mnt_opts *opts); |
| @@ -1747,7 +1749,10 @@ int security_sb_mount(const char *dev_name, struct path *path, | |||
| 1747 | const char *type, unsigned long flags, void *data); | 1749 | const char *type, unsigned long flags, void *data); |
| 1748 | int security_sb_umount(struct vfsmount *mnt, int flags); | 1750 | int security_sb_umount(struct vfsmount *mnt, int flags); |
| 1749 | int security_sb_pivotroot(struct path *old_path, struct path *new_path); | 1751 | int security_sb_pivotroot(struct path *old_path, struct path *new_path); |
| 1750 | int security_sb_set_mnt_opts(struct super_block *sb, struct security_mnt_opts *opts); | 1752 | int security_sb_set_mnt_opts(struct super_block *sb, |
| 1753 | struct security_mnt_opts *opts, | ||
| 1754 | unsigned long kern_flags, | ||
| 1755 | unsigned long *set_kern_flags); | ||
| 1751 | int security_sb_clone_mnt_opts(const struct super_block *oldsb, | 1756 | int security_sb_clone_mnt_opts(const struct super_block *oldsb, |
| 1752 | struct super_block *newsb); | 1757 | struct super_block *newsb); |
| 1753 | int security_sb_parse_opts_str(char *options, struct security_mnt_opts *opts); | 1758 | int security_sb_parse_opts_str(char *options, struct security_mnt_opts *opts); |
| @@ -2037,7 +2042,9 @@ static inline int security_sb_pivotroot(struct path *old_path, | |||
| 2037 | } | 2042 | } |
| 2038 | 2043 | ||
| 2039 | static inline int security_sb_set_mnt_opts(struct super_block *sb, | 2044 | static inline int security_sb_set_mnt_opts(struct super_block *sb, |
| 2040 | struct security_mnt_opts *opts) | 2045 | struct security_mnt_opts *opts, |
| 2046 | unsigned long kern_flags, | ||
| 2047 | unsigned long *set_kern_flags) | ||
| 2041 | { | 2048 | { |
| 2042 | return 0; | 2049 | return 0; |
| 2043 | } | 2050 | } |
diff --git a/security/capability.c b/security/capability.c index 71f9682bfb54..d32e16e3c6ae 100644 --- a/security/capability.c +++ b/security/capability.c | |||
| @@ -91,7 +91,10 @@ static int cap_sb_pivotroot(struct path *old_path, struct path *new_path) | |||
| 91 | } | 91 | } |
| 92 | 92 | ||
| 93 | static int cap_sb_set_mnt_opts(struct super_block *sb, | 93 | static int cap_sb_set_mnt_opts(struct super_block *sb, |
| 94 | struct security_mnt_opts *opts) | 94 | struct security_mnt_opts *opts, |
| 95 | unsigned long kern_flags, | ||
| 96 | unsigned long *set_kern_flags) | ||
| 97 | |||
| 95 | { | 98 | { |
| 96 | if (unlikely(opts->num_mnt_opts)) | 99 | if (unlikely(opts->num_mnt_opts)) |
| 97 | return -EOPNOTSUPP; | 100 | return -EOPNOTSUPP; |
diff --git a/security/security.c b/security/security.c index c3ceb754e705..8d0b9a79611a 100644 --- a/security/security.c +++ b/security/security.c | |||
| @@ -294,9 +294,12 @@ int security_sb_pivotroot(struct path *old_path, struct path *new_path) | |||
| 294 | } | 294 | } |
| 295 | 295 | ||
| 296 | int security_sb_set_mnt_opts(struct super_block *sb, | 296 | int security_sb_set_mnt_opts(struct super_block *sb, |
| 297 | struct security_mnt_opts *opts) | 297 | struct security_mnt_opts *opts, |
| 298 | unsigned long kern_flags, | ||
| 299 | unsigned long *set_kern_flags) | ||
| 298 | { | 300 | { |
| 299 | return security_ops->sb_set_mnt_opts(sb, opts); | 301 | return security_ops->sb_set_mnt_opts(sb, opts, kern_flags, |
| 302 | set_kern_flags); | ||
| 300 | } | 303 | } |
| 301 | EXPORT_SYMBOL(security_sb_set_mnt_opts); | 304 | EXPORT_SYMBOL(security_sb_set_mnt_opts); |
| 302 | 305 | ||
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index bbf219a494d0..f3b54466a037 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
| @@ -552,7 +552,9 @@ static int bad_option(struct superblock_security_struct *sbsec, char flag, | |||
| 552 | * labeling information. | 552 | * labeling information. |
| 553 | */ | 553 | */ |
| 554 | static int selinux_set_mnt_opts(struct super_block *sb, | 554 | static int selinux_set_mnt_opts(struct super_block *sb, |
| 555 | struct security_mnt_opts *opts) | 555 | struct security_mnt_opts *opts, |
| 556 | unsigned long kern_flags, | ||
| 557 | unsigned long *set_kern_flags) | ||
| 556 | { | 558 | { |
| 557 | const struct cred *cred = current_cred(); | 559 | const struct cred *cred = current_cred(); |
| 558 | int rc = 0, i; | 560 | int rc = 0, i; |
| @@ -580,6 +582,12 @@ static int selinux_set_mnt_opts(struct super_block *sb, | |||
| 580 | "before the security server is initialized\n"); | 582 | "before the security server is initialized\n"); |
| 581 | goto out; | 583 | goto out; |
| 582 | } | 584 | } |
| 585 | if (kern_flags && !set_kern_flags) { | ||
| 586 | /* Specifying internal flags without providing a place to | ||
| 587 | * place the results is not allowed */ | ||
| 588 | rc = -EINVAL; | ||
| 589 | goto out; | ||
| 590 | } | ||
| 583 | 591 | ||
| 584 | /* | 592 | /* |
| 585 | * Binary mount data FS will come through this function twice. Once | 593 | * Binary mount data FS will come through this function twice. Once |
| @@ -980,7 +988,7 @@ static int superblock_doinit(struct super_block *sb, void *data) | |||
| 980 | goto out_err; | 988 | goto out_err; |
| 981 | 989 | ||
| 982 | out: | 990 | out: |
| 983 | rc = selinux_set_mnt_opts(sb, &opts); | 991 | rc = selinux_set_mnt_opts(sb, &opts, 0, NULL); |
| 984 | 992 | ||
| 985 | out_err: | 993 | out_err: |
| 986 | security_free_mnt_opts(&opts); | 994 | security_free_mnt_opts(&opts); |