security: new security_inode_init_security API adds function callback
This patch changes the security_inode_init_security API by adding a filesystem specific callback to write security extended attributes. This change is in preparation for supporting the initialization of multiple LSM xattrs and the EVM xattr. Initially the callback function walks an array of xattrs, writing each xattr separately, but could be optimized to write multiple xattrs at once. For existing security_inode_init_security() calls, which have not yet been converted to use the new callback function, such as those in reiserfs and ocfs2, this patch defines security_old_inode_init_security(). Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
This commit is contained in:
		
					parent
					
						
							
								0f2a55d5bb
							
						
					
				
			
			
				commit
				
					
						9d8f13ba3f
					
				
			
		
					 14 changed files with 255 additions and 188 deletions
				
			
		|  | @ -360,36 +360,36 @@ int btrfs_removexattr(struct dentry *dentry, const char *name) | ||||||
| 				XATTR_REPLACE); | 				XATTR_REPLACE); | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
|  | int btrfs_initxattrs(struct inode *inode, const struct xattr *xattr_array, | ||||||
|  | 		     void *fs_info) | ||||||
|  | { | ||||||
|  | 	const struct xattr *xattr; | ||||||
|  | 	struct btrfs_trans_handle *trans = fs_info; | ||||||
|  | 	char *name; | ||||||
|  | 	int err = 0; | ||||||
|  | 
 | ||||||
|  | 	for (xattr = xattr_array; xattr->name != NULL; xattr++) { | ||||||
|  | 		name = kmalloc(XATTR_SECURITY_PREFIX_LEN + | ||||||
|  | 			       strlen(xattr->name) + 1, GFP_NOFS); | ||||||
|  | 		if (!name) { | ||||||
|  | 			err = -ENOMEM; | ||||||
|  | 			break; | ||||||
|  | 		} | ||||||
|  | 		strcpy(name, XATTR_SECURITY_PREFIX); | ||||||
|  | 		strcpy(name + XATTR_SECURITY_PREFIX_LEN, xattr->name); | ||||||
|  | 		err = __btrfs_setxattr(trans, inode, name, | ||||||
|  | 				       xattr->value, xattr->value_len, 0); | ||||||
|  | 		kfree(name); | ||||||
|  | 		if (err < 0) | ||||||
|  | 			break; | ||||||
|  | 	} | ||||||
|  | 	return err; | ||||||
|  | } | ||||||
|  | 
 | ||||||
| int btrfs_xattr_security_init(struct btrfs_trans_handle *trans, | int btrfs_xattr_security_init(struct btrfs_trans_handle *trans, | ||||||
| 			      struct inode *inode, struct inode *dir, | 			      struct inode *inode, struct inode *dir, | ||||||
| 			      const struct qstr *qstr) | 			      const struct qstr *qstr) | ||||||
| { | { | ||||||
| 	int err; | 	return security_inode_init_security(inode, dir, qstr, | ||||||
| 	size_t len; | 					    &btrfs_initxattrs, trans); | ||||||
| 	void *value; |  | ||||||
| 	char *suffix; |  | ||||||
| 	char *name; |  | ||||||
| 
 |  | ||||||
| 	err = security_inode_init_security(inode, dir, qstr, &suffix, &value, |  | ||||||
| 					   &len); |  | ||||||
| 	if (err) { |  | ||||||
| 		if (err == -EOPNOTSUPP) |  | ||||||
| 			return 0; |  | ||||||
| 		return err; |  | ||||||
| 	} |  | ||||||
| 
 |  | ||||||
| 	name = kmalloc(XATTR_SECURITY_PREFIX_LEN + strlen(suffix) + 1, |  | ||||||
| 		       GFP_NOFS); |  | ||||||
| 	if (!name) { |  | ||||||
| 		err = -ENOMEM; |  | ||||||
| 	} else { |  | ||||||
| 		strcpy(name, XATTR_SECURITY_PREFIX); |  | ||||||
| 		strcpy(name + XATTR_SECURITY_PREFIX_LEN, suffix); |  | ||||||
| 		err = __btrfs_setxattr(trans, inode, name, value, len, 0); |  | ||||||
| 		kfree(name); |  | ||||||
| 	} |  | ||||||
| 
 |  | ||||||
| 	kfree(suffix); |  | ||||||
| 	kfree(value); |  | ||||||
| 	return err; |  | ||||||
| } | } | ||||||
|  |  | ||||||
|  | @ -46,26 +46,28 @@ ext2_xattr_security_set(struct dentry *dentry, const char *name, | ||||||
| 			      value, size, flags); | 			      value, size, flags); | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
|  | int ext2_initxattrs(struct inode *inode, const struct xattr *xattr_array, | ||||||
|  | 		    void *fs_info) | ||||||
|  | { | ||||||
|  | 	const struct xattr *xattr; | ||||||
|  | 	int err = 0; | ||||||
|  | 
 | ||||||
|  | 	for (xattr = xattr_array; xattr->name != NULL; xattr++) { | ||||||
|  | 		err = ext2_xattr_set(inode, EXT2_XATTR_INDEX_SECURITY, | ||||||
|  | 				     xattr->name, xattr->value, | ||||||
|  | 				     xattr->value_len, 0); | ||||||
|  | 		if (err < 0) | ||||||
|  | 			break; | ||||||
|  | 	} | ||||||
|  | 	return err; | ||||||
|  | } | ||||||
|  | 
 | ||||||
| int | int | ||||||
| ext2_init_security(struct inode *inode, struct inode *dir, | ext2_init_security(struct inode *inode, struct inode *dir, | ||||||
| 		   const struct qstr *qstr) | 		   const struct qstr *qstr) | ||||||
| { | { | ||||||
| 	int err; | 	return security_inode_init_security(inode, dir, qstr, | ||||||
| 	size_t len; | 					    &ext2_initxattrs, NULL); | ||||||
| 	void *value; |  | ||||||
| 	char *name; |  | ||||||
| 
 |  | ||||||
| 	err = security_inode_init_security(inode, dir, qstr, &name, &value, &len); |  | ||||||
| 	if (err) { |  | ||||||
| 		if (err == -EOPNOTSUPP) |  | ||||||
| 			return 0; |  | ||||||
| 		return err; |  | ||||||
| 	} |  | ||||||
| 	err = ext2_xattr_set(inode, EXT2_XATTR_INDEX_SECURITY, |  | ||||||
| 			     name, value, len, 0); |  | ||||||
| 	kfree(name); |  | ||||||
| 	kfree(value); |  | ||||||
| 	return err; |  | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
| const struct xattr_handler ext2_xattr_security_handler = { | const struct xattr_handler ext2_xattr_security_handler = { | ||||||
|  |  | ||||||
|  | @ -48,26 +48,30 @@ ext3_xattr_security_set(struct dentry *dentry, const char *name, | ||||||
| 			      name, value, size, flags); | 			      name, value, size, flags); | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
|  | int ext3_initxattrs(struct inode *inode, const struct xattr *xattr_array, | ||||||
|  | 		    void *fs_info) | ||||||
|  | { | ||||||
|  | 	const struct xattr *xattr; | ||||||
|  | 	handle_t *handle = fs_info; | ||||||
|  | 	int err = 0; | ||||||
|  | 
 | ||||||
|  | 	for (xattr = xattr_array; xattr->name != NULL; xattr++) { | ||||||
|  | 		err = ext3_xattr_set_handle(handle, inode, | ||||||
|  | 					    EXT3_XATTR_INDEX_SECURITY, | ||||||
|  | 					    xattr->name, xattr->value, | ||||||
|  | 					    xattr->value_len, 0); | ||||||
|  | 		if (err < 0) | ||||||
|  | 			break; | ||||||
|  | 	} | ||||||
|  | 	return err; | ||||||
|  | } | ||||||
|  | 
 | ||||||
| int | int | ||||||
| ext3_init_security(handle_t *handle, struct inode *inode, struct inode *dir, | ext3_init_security(handle_t *handle, struct inode *inode, struct inode *dir, | ||||||
| 		   const struct qstr *qstr) | 		   const struct qstr *qstr) | ||||||
| { | { | ||||||
| 	int err; | 	return security_inode_init_security(inode, dir, qstr, | ||||||
| 	size_t len; | 					    &ext3_initxattrs, handle); | ||||||
| 	void *value; |  | ||||||
| 	char *name; |  | ||||||
| 
 |  | ||||||
| 	err = security_inode_init_security(inode, dir, qstr, &name, &value, &len); |  | ||||||
| 	if (err) { |  | ||||||
| 		if (err == -EOPNOTSUPP) |  | ||||||
| 			return 0; |  | ||||||
| 		return err; |  | ||||||
| 	} |  | ||||||
| 	err = ext3_xattr_set_handle(handle, inode, EXT3_XATTR_INDEX_SECURITY, |  | ||||||
| 				    name, value, len, 0); |  | ||||||
| 	kfree(name); |  | ||||||
| 	kfree(value); |  | ||||||
| 	return err; |  | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
| const struct xattr_handler ext3_xattr_security_handler = { | const struct xattr_handler ext3_xattr_security_handler = { | ||||||
|  |  | ||||||
|  | @ -48,26 +48,30 @@ ext4_xattr_security_set(struct dentry *dentry, const char *name, | ||||||
| 			      name, value, size, flags); | 			      name, value, size, flags); | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
|  | int ext4_initxattrs(struct inode *inode, const struct xattr *xattr_array, | ||||||
|  | 		    void *fs_info) | ||||||
|  | { | ||||||
|  | 	const struct xattr *xattr; | ||||||
|  | 	handle_t *handle = fs_info; | ||||||
|  | 	int err = 0; | ||||||
|  | 
 | ||||||
|  | 	for (xattr = xattr_array; xattr->name != NULL; xattr++) { | ||||||
|  | 		err = ext4_xattr_set_handle(handle, inode, | ||||||
|  | 					    EXT4_XATTR_INDEX_SECURITY, | ||||||
|  | 					    xattr->name, xattr->value, | ||||||
|  | 					    xattr->value_len, 0); | ||||||
|  | 		if (err < 0) | ||||||
|  | 			break; | ||||||
|  | 	} | ||||||
|  | 	return err; | ||||||
|  | } | ||||||
|  | 
 | ||||||
| int | int | ||||||
| ext4_init_security(handle_t *handle, struct inode *inode, struct inode *dir, | ext4_init_security(handle_t *handle, struct inode *inode, struct inode *dir, | ||||||
| 		   const struct qstr *qstr) | 		   const struct qstr *qstr) | ||||||
| { | { | ||||||
| 	int err; | 	return security_inode_init_security(inode, dir, qstr, | ||||||
| 	size_t len; | 					    &ext4_initxattrs, handle); | ||||||
| 	void *value; |  | ||||||
| 	char *name; |  | ||||||
| 
 |  | ||||||
| 	err = security_inode_init_security(inode, dir, qstr, &name, &value, &len); |  | ||||||
| 	if (err) { |  | ||||||
| 		if (err == -EOPNOTSUPP) |  | ||||||
| 			return 0; |  | ||||||
| 		return err; |  | ||||||
| 	} |  | ||||||
| 	err = ext4_xattr_set_handle(handle, inode, EXT4_XATTR_INDEX_SECURITY, |  | ||||||
| 				    name, value, len, 0); |  | ||||||
| 	kfree(name); |  | ||||||
| 	kfree(value); |  | ||||||
| 	return err; |  | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
| const struct xattr_handler ext4_xattr_security_handler = { | const struct xattr_handler ext4_xattr_security_handler = { | ||||||
|  |  | ||||||
|  | @ -624,29 +624,27 @@ fail: | ||||||
| 	return error; | 	return error; | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
|  | int gfs2_initxattrs(struct inode *inode, const struct xattr *xattr_array, | ||||||
|  | 		    void *fs_info) | ||||||
|  | { | ||||||
|  | 	const struct xattr *xattr; | ||||||
|  | 	int err = 0; | ||||||
|  | 
 | ||||||
|  | 	for (xattr = xattr_array; xattr->name != NULL; xattr++) { | ||||||
|  | 		err = __gfs2_xattr_set(inode, xattr->name, xattr->value, | ||||||
|  | 				       xattr->value_len, 0, | ||||||
|  | 				       GFS2_EATYPE_SECURITY); | ||||||
|  | 		if (err < 0) | ||||||
|  | 			break; | ||||||
|  | 	} | ||||||
|  | 	return err; | ||||||
|  | } | ||||||
|  | 
 | ||||||
| static int gfs2_security_init(struct gfs2_inode *dip, struct gfs2_inode *ip, | static int gfs2_security_init(struct gfs2_inode *dip, struct gfs2_inode *ip, | ||||||
| 			      const struct qstr *qstr) | 			      const struct qstr *qstr) | ||||||
| { | { | ||||||
| 	int err; | 	return security_inode_init_security(&ip->i_inode, &dip->i_inode, qstr, | ||||||
| 	size_t len; | 					    &gfs2_initxattrs, NULL); | ||||||
| 	void *value; |  | ||||||
| 	char *name; |  | ||||||
| 
 |  | ||||||
| 	err = security_inode_init_security(&ip->i_inode, &dip->i_inode, qstr, |  | ||||||
| 					   &name, &value, &len); |  | ||||||
| 
 |  | ||||||
| 	if (err) { |  | ||||||
| 		if (err == -EOPNOTSUPP) |  | ||||||
| 			return 0; |  | ||||||
| 		return err; |  | ||||||
| 	} |  | ||||||
| 
 |  | ||||||
| 	err = __gfs2_xattr_set(&ip->i_inode, name, value, len, 0, |  | ||||||
| 			       GFS2_EATYPE_SECURITY); |  | ||||||
| 	kfree(value); |  | ||||||
| 	kfree(name); |  | ||||||
| 
 |  | ||||||
| 	return err; |  | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
| /**
 | /**
 | ||||||
|  |  | ||||||
|  | @ -22,26 +22,29 @@ | ||||||
| #include <linux/security.h> | #include <linux/security.h> | ||||||
| #include "nodelist.h" | #include "nodelist.h" | ||||||
| 
 | 
 | ||||||
| /* ---- Initial Security Label Attachment -------------- */ | /* ---- Initial Security Label(s) Attachment callback --- */ | ||||||
|  | int jffs2_initxattrs(struct inode *inode, const struct xattr *xattr_array, | ||||||
|  | 		     void *fs_info) | ||||||
|  | { | ||||||
|  | 	const struct xattr *xattr; | ||||||
|  | 	int err = 0; | ||||||
|  | 
 | ||||||
|  | 	for (xattr = xattr_array; xattr->name != NULL; xattr++) { | ||||||
|  | 		err = do_jffs2_setxattr(inode, JFFS2_XPREFIX_SECURITY, | ||||||
|  | 					xattr->name, xattr->value, | ||||||
|  | 					xattr->value_len, 0); | ||||||
|  | 		if (err < 0) | ||||||
|  | 			break; | ||||||
|  | 	} | ||||||
|  | 	return err; | ||||||
|  | } | ||||||
|  | 
 | ||||||
|  | /* ---- Initial Security Label(s) Attachment ----------- */ | ||||||
| int jffs2_init_security(struct inode *inode, struct inode *dir, | int jffs2_init_security(struct inode *inode, struct inode *dir, | ||||||
| 			const struct qstr *qstr) | 			const struct qstr *qstr) | ||||||
| { | { | ||||||
| 	int rc; | 	return security_inode_init_security(inode, dir, qstr, | ||||||
| 	size_t len; | 					    &jffs2_initxattrs, NULL); | ||||||
| 	void *value; |  | ||||||
| 	char *name; |  | ||||||
| 
 |  | ||||||
| 	rc = security_inode_init_security(inode, dir, qstr, &name, &value, &len); |  | ||||||
| 	if (rc) { |  | ||||||
| 		if (rc == -EOPNOTSUPP) |  | ||||||
| 			return 0; |  | ||||||
| 		return rc; |  | ||||||
| 	} |  | ||||||
| 	rc = do_jffs2_setxattr(inode, JFFS2_XPREFIX_SECURITY, name, value, len, 0); |  | ||||||
| 
 |  | ||||||
| 	kfree(name); |  | ||||||
| 	kfree(value); |  | ||||||
| 	return rc; |  | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
| /* ---- XATTR Handler for "security.*" ----------------- */ | /* ---- XATTR Handler for "security.*" ----------------- */ | ||||||
|  |  | ||||||
|  | @ -1091,38 +1091,37 @@ int jfs_removexattr(struct dentry *dentry, const char *name) | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
| #ifdef CONFIG_JFS_SECURITY | #ifdef CONFIG_JFS_SECURITY | ||||||
|  | int jfs_initxattrs(struct inode *inode, const struct xattr *xattr_array, | ||||||
|  | 		   void *fs_info) | ||||||
|  | { | ||||||
|  | 	const struct xattr *xattr; | ||||||
|  | 	tid_t *tid = fs_info; | ||||||
|  | 	char *name; | ||||||
|  | 	int err = 0; | ||||||
|  | 
 | ||||||
|  | 	for (xattr = xattr_array; xattr->name != NULL; xattr++) { | ||||||
|  | 		name = kmalloc(XATTR_SECURITY_PREFIX_LEN + | ||||||
|  | 			       strlen(xattr->name) + 1, GFP_NOFS); | ||||||
|  | 		if (!name) { | ||||||
|  | 			err = -ENOMEM; | ||||||
|  | 			break; | ||||||
|  | 		} | ||||||
|  | 		strcpy(name, XATTR_SECURITY_PREFIX); | ||||||
|  | 		strcpy(name + XATTR_SECURITY_PREFIX_LEN, xattr->name); | ||||||
|  | 
 | ||||||
|  | 		err = __jfs_setxattr(*tid, inode, name, | ||||||
|  | 				     xattr->value, xattr->value_len, 0); | ||||||
|  | 		kfree(name); | ||||||
|  | 		if (err < 0) | ||||||
|  | 			break; | ||||||
|  | 	} | ||||||
|  | 	return err; | ||||||
|  | } | ||||||
|  | 
 | ||||||
| int jfs_init_security(tid_t tid, struct inode *inode, struct inode *dir, | int jfs_init_security(tid_t tid, struct inode *inode, struct inode *dir, | ||||||
| 		      const struct qstr *qstr) | 		      const struct qstr *qstr) | ||||||
| { | { | ||||||
| 	int rc; | 	return security_inode_init_security(inode, dir, qstr, | ||||||
| 	size_t len; | 					    &jfs_initxattrs, &tid); | ||||||
| 	void *value; |  | ||||||
| 	char *suffix; |  | ||||||
| 	char *name; |  | ||||||
| 
 |  | ||||||
| 	rc = security_inode_init_security(inode, dir, qstr, &suffix, &value, |  | ||||||
| 					  &len); |  | ||||||
| 	if (rc) { |  | ||||||
| 		if (rc == -EOPNOTSUPP) |  | ||||||
| 			return 0; |  | ||||||
| 		return rc; |  | ||||||
| 	} |  | ||||||
| 	name = kmalloc(XATTR_SECURITY_PREFIX_LEN + 1 + strlen(suffix), |  | ||||||
| 		       GFP_NOFS); |  | ||||||
| 	if (!name) { |  | ||||||
| 		rc = -ENOMEM; |  | ||||||
| 		goto kmalloc_failed; |  | ||||||
| 	} |  | ||||||
| 	strcpy(name, XATTR_SECURITY_PREFIX); |  | ||||||
| 	strcpy(name + XATTR_SECURITY_PREFIX_LEN, suffix); |  | ||||||
| 
 |  | ||||||
| 	rc = __jfs_setxattr(tid, inode, name, value, len, 0); |  | ||||||
| 
 |  | ||||||
| 	kfree(name); |  | ||||||
| kmalloc_failed: |  | ||||||
| 	kfree(suffix); |  | ||||||
| 	kfree(value); |  | ||||||
| 
 |  | ||||||
| 	return rc; |  | ||||||
| } | } | ||||||
| #endif | #endif | ||||||
|  |  | ||||||
|  | @ -7185,20 +7185,9 @@ int ocfs2_init_security_and_acl(struct inode *dir, | ||||||
| { | { | ||||||
| 	int ret = 0; | 	int ret = 0; | ||||||
| 	struct buffer_head *dir_bh = NULL; | 	struct buffer_head *dir_bh = NULL; | ||||||
| 	struct ocfs2_security_xattr_info si = { |  | ||||||
| 		.enable = 1, |  | ||||||
| 	}; |  | ||||||
| 
 | 
 | ||||||
| 	ret = ocfs2_init_security_get(inode, dir, qstr, &si); | 	ret = ocfs2_init_security_get(inode, dir, qstr, NULL); | ||||||
| 	if (!ret) { | 	if (!ret) { | ||||||
| 		ret = ocfs2_xattr_set(inode, OCFS2_XATTR_INDEX_SECURITY, |  | ||||||
| 				      si.name, si.value, si.value_len, |  | ||||||
| 				      XATTR_CREATE); |  | ||||||
| 		if (ret) { |  | ||||||
| 			mlog_errno(ret); |  | ||||||
| 			goto leave; |  | ||||||
| 		} |  | ||||||
| 	} else if (ret != -EOPNOTSUPP) { |  | ||||||
| 		mlog_errno(ret); | 		mlog_errno(ret); | ||||||
| 		goto leave; | 		goto leave; | ||||||
| 	} | 	} | ||||||
|  | @ -7255,6 +7244,22 @@ static int ocfs2_xattr_security_set(struct dentry *dentry, const char *name, | ||||||
| 			       name, value, size, flags); | 			       name, value, size, flags); | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
|  | int ocfs2_initxattrs(struct inode *inode, const struct xattr *xattr_array, | ||||||
|  | 		     void *fs_info) | ||||||
|  | { | ||||||
|  | 	const struct xattr *xattr; | ||||||
|  | 	int err = 0; | ||||||
|  | 
 | ||||||
|  | 	for (xattr = xattr_array; xattr->name != NULL; xattr++) { | ||||||
|  | 		err = ocfs2_xattr_set(inode, OCFS2_XATTR_INDEX_SECURITY, | ||||||
|  | 				      xattr->name, xattr->value, | ||||||
|  | 				      xattr->value_len, XATTR_CREATE); | ||||||
|  | 		if (err) | ||||||
|  | 			break; | ||||||
|  | 	} | ||||||
|  | 	return err; | ||||||
|  | } | ||||||
|  | 
 | ||||||
| int ocfs2_init_security_get(struct inode *inode, | int ocfs2_init_security_get(struct inode *inode, | ||||||
| 			    struct inode *dir, | 			    struct inode *dir, | ||||||
| 			    const struct qstr *qstr, | 			    const struct qstr *qstr, | ||||||
|  | @ -7263,8 +7268,13 @@ int ocfs2_init_security_get(struct inode *inode, | ||||||
| 	/* check whether ocfs2 support feature xattr */ | 	/* check whether ocfs2 support feature xattr */ | ||||||
| 	if (!ocfs2_supports_xattr(OCFS2_SB(dir->i_sb))) | 	if (!ocfs2_supports_xattr(OCFS2_SB(dir->i_sb))) | ||||||
| 		return -EOPNOTSUPP; | 		return -EOPNOTSUPP; | ||||||
| 	return security_inode_init_security(inode, dir, qstr, &si->name, | 	if (si) | ||||||
| 					    &si->value, &si->value_len); | 		return security_old_inode_init_security(inode, dir, qstr, | ||||||
|  | 							&si->name, &si->value, | ||||||
|  | 							&si->value_len); | ||||||
|  | 
 | ||||||
|  | 	return security_inode_init_security(inode, dir, qstr, | ||||||
|  | 					    &ocfs2_initxattrs, NULL); | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
| int ocfs2_init_security_set(handle_t *handle, | int ocfs2_init_security_set(handle_t *handle, | ||||||
|  |  | ||||||
|  | @ -66,8 +66,8 @@ int reiserfs_security_init(struct inode *dir, struct inode *inode, | ||||||
| 	if (IS_PRIVATE(dir)) | 	if (IS_PRIVATE(dir)) | ||||||
| 		return 0; | 		return 0; | ||||||
| 
 | 
 | ||||||
| 	error = security_inode_init_security(inode, dir, qstr, &sec->name, | 	error = security_old_inode_init_security(inode, dir, qstr, &sec->name, | ||||||
| 					     &sec->value, &sec->length); | 						 &sec->value, &sec->length); | ||||||
| 	if (error) { | 	if (error) { | ||||||
| 		if (error == -EOPNOTSUPP) | 		if (error == -EOPNOTSUPP) | ||||||
| 			error = 0; | 			error = 0; | ||||||
|  |  | ||||||
|  | @ -93,37 +93,38 @@ xfs_mark_inode_dirty( | ||||||
| 		mark_inode_dirty(inode); | 		mark_inode_dirty(inode); | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
|  | 
 | ||||||
|  | int xfs_initxattrs(struct inode *inode, const struct xattr *xattr_array, | ||||||
|  | 		   void *fs_info) | ||||||
|  | { | ||||||
|  | 	const struct xattr *xattr; | ||||||
|  | 	struct xfs_inode *ip = XFS_I(inode); | ||||||
|  | 	int error = 0; | ||||||
|  | 
 | ||||||
|  | 	for (xattr = xattr_array; xattr->name != NULL; xattr++) { | ||||||
|  | 		error = xfs_attr_set(ip, xattr->name, xattr->value, | ||||||
|  | 				     xattr->value_len, ATTR_SECURE); | ||||||
|  | 		if (error < 0) | ||||||
|  | 			break; | ||||||
|  | 	} | ||||||
|  | 	return error; | ||||||
|  | } | ||||||
|  | 
 | ||||||
| /*
 | /*
 | ||||||
|  * Hook in SELinux.  This is not quite correct yet, what we really need |  * Hook in SELinux.  This is not quite correct yet, what we really need | ||||||
|  * here (as we do for default ACLs) is a mechanism by which creation of |  * here (as we do for default ACLs) is a mechanism by which creation of | ||||||
|  * these attrs can be journalled at inode creation time (along with the |  * these attrs can be journalled at inode creation time (along with the | ||||||
|  * inode, of course, such that log replay can't cause these to be lost). |  * inode, of course, such that log replay can't cause these to be lost). | ||||||
|  */ |  */ | ||||||
|  | 
 | ||||||
| STATIC int | STATIC int | ||||||
| xfs_init_security( | xfs_init_security( | ||||||
| 	struct inode	*inode, | 	struct inode	*inode, | ||||||
| 	struct inode	*dir, | 	struct inode	*dir, | ||||||
| 	const struct qstr *qstr) | 	const struct qstr *qstr) | ||||||
| { | { | ||||||
| 	struct xfs_inode *ip = XFS_I(inode); | 	return security_inode_init_security(inode, dir, qstr, | ||||||
| 	size_t		length; | 					    &xfs_initxattrs, NULL); | ||||||
| 	void		*value; |  | ||||||
| 	unsigned char	*name; |  | ||||||
| 	int		error; |  | ||||||
| 
 |  | ||||||
| 	error = security_inode_init_security(inode, dir, qstr, (char **)&name, |  | ||||||
| 					     &value, &length); |  | ||||||
| 	if (error) { |  | ||||||
| 		if (error == -EOPNOTSUPP) |  | ||||||
| 			return 0; |  | ||||||
| 		return -error; |  | ||||||
| 	} |  | ||||||
| 
 |  | ||||||
| 	error = xfs_attr_set(ip, name, value, length, ATTR_SECURE); |  | ||||||
| 
 |  | ||||||
| 	kfree(name); |  | ||||||
| 	kfree(value); |  | ||||||
| 	return error; |  | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
| static void | static void | ||||||
|  |  | ||||||
|  | @ -36,6 +36,7 @@ | ||||||
| #include <linux/key.h> | #include <linux/key.h> | ||||||
| #include <linux/xfrm.h> | #include <linux/xfrm.h> | ||||||
| #include <linux/slab.h> | #include <linux/slab.h> | ||||||
|  | #include <linux/xattr.h> | ||||||
| #include <net/flow.h> | #include <net/flow.h> | ||||||
| 
 | 
 | ||||||
| /* Maximum number of letters for an LSM name string */ | /* Maximum number of letters for an LSM name string */ | ||||||
|  | @ -147,6 +148,10 @@ extern int mmap_min_addr_handler(struct ctl_table *table, int write, | ||||||
| 				 void __user *buffer, size_t *lenp, loff_t *ppos); | 				 void __user *buffer, size_t *lenp, loff_t *ppos); | ||||||
| #endif | #endif | ||||||
| 
 | 
 | ||||||
|  | /* security_inode_init_security callback function to write xattrs */ | ||||||
|  | typedef int (*initxattrs) (struct inode *inode, | ||||||
|  | 			   const struct xattr *xattr_array, void *fs_data); | ||||||
|  | 
 | ||||||
| #ifdef CONFIG_SECURITY | #ifdef CONFIG_SECURITY | ||||||
| 
 | 
 | ||||||
| struct security_mnt_opts { | struct security_mnt_opts { | ||||||
|  | @ -1704,8 +1709,11 @@ int security_sb_parse_opts_str(char *options, struct security_mnt_opts *opts); | ||||||
| int security_inode_alloc(struct inode *inode); | int security_inode_alloc(struct inode *inode); | ||||||
| void security_inode_free(struct inode *inode); | void security_inode_free(struct inode *inode); | ||||||
| int security_inode_init_security(struct inode *inode, struct inode *dir, | int security_inode_init_security(struct inode *inode, struct inode *dir, | ||||||
| 				 const struct qstr *qstr, char **name, | 				 const struct qstr *qstr, | ||||||
| 				 void **value, size_t *len); | 				 initxattrs initxattrs, void *fs_data); | ||||||
|  | int security_old_inode_init_security(struct inode *inode, struct inode *dir, | ||||||
|  | 				     const struct qstr *qstr, char **name, | ||||||
|  | 				     void **value, size_t *len); | ||||||
| int security_inode_create(struct inode *dir, struct dentry *dentry, int mode); | int security_inode_create(struct inode *dir, struct dentry *dentry, int mode); | ||||||
| int security_inode_link(struct dentry *old_dentry, struct inode *dir, | int security_inode_link(struct dentry *old_dentry, struct inode *dir, | ||||||
| 			 struct dentry *new_dentry); | 			 struct dentry *new_dentry); | ||||||
|  | @ -2035,9 +2043,8 @@ static inline void security_inode_free(struct inode *inode) | ||||||
| static inline int security_inode_init_security(struct inode *inode, | static inline int security_inode_init_security(struct inode *inode, | ||||||
| 						struct inode *dir, | 						struct inode *dir, | ||||||
| 						const struct qstr *qstr, | 						const struct qstr *qstr, | ||||||
| 						char **name, | 						initxattrs initxattrs, | ||||||
| 						void **value, | 						void *fs_data) | ||||||
| 						size_t *len) |  | ||||||
| { | { | ||||||
| 	return -EOPNOTSUPP; | 	return -EOPNOTSUPP; | ||||||
| } | } | ||||||
|  |  | ||||||
|  | @ -67,6 +67,12 @@ struct xattr_handler { | ||||||
| 		   size_t size, int flags, int handler_flags); | 		   size_t size, int flags, int handler_flags); | ||||||
| }; | }; | ||||||
| 
 | 
 | ||||||
|  | struct xattr { | ||||||
|  | 	char *name; | ||||||
|  | 	void *value; | ||||||
|  | 	size_t value_len; | ||||||
|  | }; | ||||||
|  | 
 | ||||||
| ssize_t xattr_getsecurity(struct inode *, const char *, void *, size_t); | ssize_t xattr_getsecurity(struct inode *, const char *, void *, size_t); | ||||||
| ssize_t vfs_getxattr(struct dentry *, const char *, void *, size_t); | ssize_t vfs_getxattr(struct dentry *, const char *, void *, size_t); | ||||||
| ssize_t vfs_listxattr(struct dentry *d, char *list, size_t size); | ssize_t vfs_listxattr(struct dentry *d, char *list, size_t size); | ||||||
|  |  | ||||||
|  | @ -1878,7 +1878,7 @@ shmem_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev) | ||||||
| 	inode = shmem_get_inode(dir->i_sb, dir, mode, dev, VM_NORESERVE); | 	inode = shmem_get_inode(dir->i_sb, dir, mode, dev, VM_NORESERVE); | ||||||
| 	if (inode) { | 	if (inode) { | ||||||
| 		error = security_inode_init_security(inode, dir, | 		error = security_inode_init_security(inode, dir, | ||||||
| 						     &dentry->d_name, NULL, | 						     &dentry->d_name, | ||||||
| 						     NULL, NULL); | 						     NULL, NULL); | ||||||
| 		if (error) { | 		if (error) { | ||||||
| 			if (error != -EOPNOTSUPP) { | 			if (error != -EOPNOTSUPP) { | ||||||
|  | @ -2018,7 +2018,7 @@ static int shmem_symlink(struct inode *dir, struct dentry *dentry, const char *s | ||||||
| 	if (!inode) | 	if (!inode) | ||||||
| 		return -ENOSPC; | 		return -ENOSPC; | ||||||
| 
 | 
 | ||||||
| 	error = security_inode_init_security(inode, dir, &dentry->d_name, NULL, | 	error = security_inode_init_security(inode, dir, &dentry->d_name, | ||||||
| 					     NULL, NULL); | 					     NULL, NULL); | ||||||
| 	if (error) { | 	if (error) { | ||||||
| 		if (error != -EOPNOTSUPP) { | 		if (error != -EOPNOTSUPP) { | ||||||
|  |  | ||||||
|  | @ -18,6 +18,8 @@ | ||||||
| #include <linux/security.h> | #include <linux/security.h> | ||||||
| #include <linux/ima.h> | #include <linux/ima.h> | ||||||
| 
 | 
 | ||||||
|  | #define MAX_LSM_XATTR	1 | ||||||
|  | 
 | ||||||
| /* Boot-time LSM user choice */ | /* Boot-time LSM user choice */ | ||||||
| static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] = | static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] = | ||||||
| 	CONFIG_DEFAULT_SECURITY; | 	CONFIG_DEFAULT_SECURITY; | ||||||
|  | @ -339,15 +341,46 @@ void security_inode_free(struct inode *inode) | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
| int security_inode_init_security(struct inode *inode, struct inode *dir, | int security_inode_init_security(struct inode *inode, struct inode *dir, | ||||||
| 				 const struct qstr *qstr, char **name, | 				 const struct qstr *qstr, | ||||||
| 				 void **value, size_t *len) | 				 const initxattrs initxattrs, void *fs_data) | ||||||
|  | { | ||||||
|  | 	struct xattr new_xattrs[MAX_LSM_XATTR + 1]; | ||||||
|  | 	struct xattr *lsm_xattr; | ||||||
|  | 	int ret; | ||||||
|  | 
 | ||||||
|  | 	if (unlikely(IS_PRIVATE(inode))) | ||||||
|  | 		return -EOPNOTSUPP; | ||||||
|  | 
 | ||||||
|  | 	memset(new_xattrs, 0, sizeof new_xattrs); | ||||||
|  | 	if (!initxattrs) | ||||||
|  | 		return security_ops->inode_init_security(inode, dir, qstr, | ||||||
|  | 							 NULL, NULL, NULL); | ||||||
|  | 	lsm_xattr = new_xattrs; | ||||||
|  | 	ret = security_ops->inode_init_security(inode, dir, qstr, | ||||||
|  | 						&lsm_xattr->name, | ||||||
|  | 						&lsm_xattr->value, | ||||||
|  | 						&lsm_xattr->value_len); | ||||||
|  | 	if (ret) | ||||||
|  | 		goto out; | ||||||
|  | 	ret = initxattrs(inode, new_xattrs, fs_data); | ||||||
|  | out: | ||||||
|  | 	kfree(lsm_xattr->name); | ||||||
|  | 	kfree(lsm_xattr->value); | ||||||
|  | 
 | ||||||
|  | 	return (ret == -EOPNOTSUPP) ? 0 : ret; | ||||||
|  | } | ||||||
|  | EXPORT_SYMBOL(security_inode_init_security); | ||||||
|  | 
 | ||||||
|  | int security_old_inode_init_security(struct inode *inode, struct inode *dir, | ||||||
|  | 				     const struct qstr *qstr, char **name, | ||||||
|  | 				     void **value, size_t *len) | ||||||
| { | { | ||||||
| 	if (unlikely(IS_PRIVATE(inode))) | 	if (unlikely(IS_PRIVATE(inode))) | ||||||
| 		return -EOPNOTSUPP; | 		return -EOPNOTSUPP; | ||||||
| 	return security_ops->inode_init_security(inode, dir, qstr, name, value, | 	return security_ops->inode_init_security(inode, dir, qstr, name, value, | ||||||
| 						 len); | 						 len); | ||||||
| } | } | ||||||
| EXPORT_SYMBOL(security_inode_init_security); | EXPORT_SYMBOL(security_old_inode_init_security); | ||||||
| 
 | 
 | ||||||
| #ifdef CONFIG_SECURITY_PATH | #ifdef CONFIG_SECURITY_PATH | ||||||
| int security_path_mknod(struct path *dir, struct dentry *dentry, int mode, | int security_path_mknod(struct path *dir, struct dentry *dentry, int mode, | ||||||
|  |  | ||||||
		Loading…
	
	Add table
		Add a link
		
	
		Reference in a new issue
	
	 Mimi Zohar
				Mimi Zohar