On Fri, Mar 29, 2013 at 07:43:00AM -0400, Mimi Zohar wrote: > On Thu, 2013-03-28 at 09:53 -0400, Steve Dickson wrote: > > From: David Quigley <dpquigl@xxxxxxxxxxxxxxx> > > > > The interface to request security labels from user space is the xattr > > interface. When requesting the security label from an NFS server it is > > important to make sure the requested xattr actually is a MAC label. This allows > > us to make sure that we get the desired semantics from the attribute instead of > > something else such as capabilities or a time based LSM. > > > > Signed-off-by: Matthew N. Dodd <Matthew.Dodd@xxxxxxxxxx> > > Signed-off-by: Miguel Rodel Felipe <Rodel_FM@xxxxxxxxxxxxxxxxx> > > Signed-off-by: Phua Eu Gene <PHUA_Eu_Gene@xxxxxxxxxxxxxxxxx> > > Signed-off-by: Khin Mi Mi Aung <Mi_Mi_AUNG@xxxxxxxxxxxxxxxxx> > > --- > > include/linux/security.h | 14 ++++++++++++++ > > security/capability.c | 6 ++++++ > > security/security.c | 6 ++++++ > > security/selinux/hooks.c | 6 ++++++ > > security/smack/smack_lsm.c | 11 +++++++++++ > > 5 files changed, 43 insertions(+) > > > > diff --git a/include/linux/security.h b/include/linux/security.h > > index a957e7a..8a6faff 100644 > > --- a/include/linux/security.h > > +++ b/include/linux/security.h 
> > @@ -1319,6 +1319,13 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts) > > * @pages contains the number of pages. > > * Return 0 if permission is granted. > > * > > + * @ismaclabel: > > + * Check if the extended attribute specified by @name > > + * represents a MAC label. Returns 0 if name is a MAC > > + * attribute otherwise returns non-zero. > > Sorry, the comment doesn't match the code. Yeah, that looks backwards. Confirmed by looking at an implementation: > > +static int selinux_ismaclabel(const char *name) > > +{ > > + return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0); > > +} > > + Could we also make the return value bool to make it even less ambiguous? --b.
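Review bot: The @ismaclabel kernel-doc added in include/linux/security.h states the return convention the wrong way round for the code shown: it says "Returns 0 if name is a MAC attribute otherwise returns non-zero", while selinux_ismaclabel() returns (strcmp(name, XATTR_SELINUX_SUFFIX) == 0), which is 1 on a match and 0 otherwise. Suggest rewording the comment to "Returns 1 if name is a MAC attribute otherwise returns 0", or changing the hook to return bool as proposed above, so that a caller written against the documentation does not treat non-label xattrs as MAC labels.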