Re: [PATCH 04/13] SELinux: Add new labeling type native labels

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, May 16, 2013 at 11:56 AM, Steve Dickson <SteveD@xxxxxxxxxx> wrote:
> From: David Quigley <dpquigl@xxxxxxxxxxxxxxx>
>
> There currently doesn't exist a labeling type that is adequate for use with
> labeled NFS. Since NFS doesn't really support xattrs we can't use the use xattr
> labeling behavior. For this we developed a new labeling type. The native
> labeling type is used solely by NFS to ensure NFS inodes are labeled at runtime
> by the NFS code instead of relying on the SELinux security server on the client
> end.
>
> Acked-by: James Morris <james.l.morris@xxxxxxxxxx>
> Signed-off-by: Matthew N. Dodd <Matthew.Dodd@xxxxxxxxxx>
> Signed-off-by: Miguel Rodel Felipe <Rodel_FM@xxxxxxxxxxxxxxxxx>
> Signed-off-by: Phua Eu Gene <PHUA_Eu_Gene@xxxxxxxxxxxxxxxxx>
> Signed-off-by: Khin Mi Mi Aung <Mi_Mi_AUNG@xxxxxxxxxxxxxxxxx>

Acked-by: Eric Paris <eparis@xxxxxxxxxx>

> ---
>  include/linux/security.h            |  3 +++
>  security/selinux/hooks.c            | 35 ++++++++++++++++++++++++++---------
>  security/selinux/include/security.h |  2 ++
>  security/selinux/ss/policydb.c      |  5 ++++-
>  4 files changed, 35 insertions(+), 10 deletions(-)
>
> diff --git a/include/linux/security.h b/include/linux/security.h
> index aa656fb..a585a90 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -61,6 +61,9 @@ struct mm_struct;
>  #define SECURITY_CAP_NOAUDIT 0
>  #define SECURITY_CAP_AUDIT 1
>
> +/* LSM Agnostic defines for sb_set_mnt_opts */
> +#define SECURITY_LSM_NATIVE_LABELS     1
> +
>  struct ctl_table;
>  struct audit_krule;
>  struct user_namespace;
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index f3b5446..6149633 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -81,6 +81,7 @@
>  #include <linux/syslog.h>
>  #include <linux/user_namespace.h>
>  #include <linux/export.h>
> +#include <linux/security.h>
>  #include <linux/msg.h>
>  #include <linux/shm.h>
>
> @@ -284,13 +285,14 @@ static void superblock_free_security(struct super_block *sb)
>
>  /* The file system's label must be initialized prior to use. */
>
> -static const char *labeling_behaviors[6] = {
> +static const char *labeling_behaviors[7] = {
>         "uses xattr",
>         "uses transition SIDs",
>         "uses task SIDs",
>         "uses genfs_contexts",
>         "not configured for labeling",
>         "uses mountpoint labeling",
> +       "uses native labeling",
>  };
>
>  static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
> @@ -678,14 +680,21 @@ static int selinux_set_mnt_opts(struct super_block *sb,
>         if (strcmp(sb->s_type->name, "proc") == 0)
>                 sbsec->flags |= SE_SBPROC;
>
> -       /* Determine the labeling behavior to use for this filesystem type. */
> -       rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
> -       if (rc) {
> -               printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
> -                      __func__, sb->s_type->name, rc);
> -               goto out;
> +       if (!sbsec->behavior) {
> +               /*
> +                * Determine the labeling behavior to use for this
> +                * filesystem type.
> +                */
> +               rc = security_fs_use((sbsec->flags & SE_SBPROC) ?
> +                                       "proc" : sb->s_type->name,
> +                                       &sbsec->behavior, &sbsec->sid);
> +               if (rc) {
> +                       printk(KERN_WARNING
> +                               "%s: security_fs_use(%s) returned %d\n",
> +                                       __func__, sb->s_type->name, rc);
> +                       goto out;
> +               }
>         }
> -
>         /* sets the context of the superblock for the fs being mounted. */
>         if (fscontext_sid) {
>                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
> @@ -700,6 +709,11 @@ static int selinux_set_mnt_opts(struct super_block *sb,
>          * sets the label used on all file below the mountpoint, and will set
>          * the superblock context if not already set.
>          */
> +       if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
> +               sbsec->behavior = SECURITY_FS_USE_NATIVE;
> +               *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
> +       }
> +
>         if (context_sid) {
>                 if (!fscontext_sid) {
>                         rc = may_context_mount_sb_relabel(context_sid, sbsec,
> @@ -731,7 +745,8 @@ static int selinux_set_mnt_opts(struct super_block *sb,
>         }
>
>         if (defcontext_sid) {
> -               if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
> +               if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
> +                       sbsec->behavior != SECURITY_FS_USE_NATIVE) {
>                         rc = -EINVAL;
>                         printk(KERN_WARNING "SELinux: defcontext option is "
>                                "invalid for this filesystem type\n");
> @@ -1230,6 +1245,8 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
>         }
>
>         switch (sbsec->behavior) {
> +       case SECURITY_FS_USE_NATIVE:
> +               break;
>         case SECURITY_FS_USE_XATTR:
>                 if (!inode->i_op->getxattr) {
>                         isec->sid = sbsec->def_sid;
> diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
> index 6d38851..8fd8e18 100644
> --- a/security/selinux/include/security.h
> +++ b/security/selinux/include/security.h
> @@ -169,6 +169,8 @@ int security_get_allow_unknown(void);
>  #define SECURITY_FS_USE_GENFS          4 /* use the genfs support */
>  #define SECURITY_FS_USE_NONE           5 /* no labeling support */
>  #define SECURITY_FS_USE_MNTPOINT       6 /* use mountpoint labeling */
> +#define SECURITY_FS_USE_NATIVE         7 /* use native label support */
> +#define SECURITY_FS_USE_MAX            7 /* Highest SECURITY_FS_USE_XXX */
>
>  int security_fs_use(const char *fstype, unsigned int *behavior,
>         u32 *sid);
> diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
> index 9cd9b7c..c8adde3 100644
> --- a/security/selinux/ss/policydb.c
> +++ b/security/selinux/ss/policydb.c
> @@ -2168,7 +2168,10 @@ static int ocontext_read(struct policydb *p, struct policydb_compat_info *info,
>
>                                 rc = -EINVAL;
>                                 c->v.behavior = le32_to_cpu(buf[0]);
> -                               if (c->v.behavior > SECURITY_FS_USE_NONE)
> +                               /* Determined at runtime, not in policy DB. */
> +                               if (c->v.behavior == SECURITY_FS_USE_MNTPOINT)
> +                                       goto out;
> +                               if (c->v.behavior > SECURITY_FS_USE_MAX)
>                                         goto out;
>
>                                 rc = -ENOMEM;
> --
> 1.8.1.4
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [Samba]     [Device Mapper]     [CEPH Development]
  Powered by Linux