The patch titled
SELinux: support mls categories for context mounts
has been added to the -mm tree. Its filename is
selinux-support-mls-categories-for-context-mounts.patch
See http://www.zip.com.au/~akpm/linux/patches/stuff/added-to-mm.txt to find
out what to do about this
------------------------------------------------------
Subject: SELinux: support mls categories for context mounts
From: Cory Olmo <colmo@xxxxxxxxxxxxx>
Allows commas to be embedded into context mount options (i.e. "-o
context=some_selinux_context_t"), to better support multiple categories,
which are separated by commas and confuse mount.
For example, with the current code:
mount -t iso9660 /dev/cdrom /media/cdrom -o \
ro,context=system_u:object_r:iso9660_t:s0:c1,c3,c4,exec
The context option that will be interpreted by SELinux is
context=system_u:object_r:iso9660_t:s0:c1
instead of
context=system_u:object_r:iso9660_t:s0:c1,c3,c4
The options that will be passed on to the file system will be
ro,c3,c4,exec.
The proposed solution is to allow/require the SELinux context option
specified to mount to use quotes when the context contains a comma.
This patch modifies the option parsing in parse_opts(), contained in
mount.c, to take options after finding a comma only if it hasn't seen a
quote or if the quotes are matched. It also introduces a new function that
will strip the quotes from the context option prior to translation. The
quotes are replaced after the translation is completed to insure that in
the event the raw context contains commas the kernel will be able to
interpret the correct context.
Signed-off-by: Cory Olmo <colmo@xxxxxxxxxxxxx>
Signed-off-by: James Morris <jmorris@xxxxxxxxx>
Acked-by: Stephen Smalley <sds@xxxxxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxx>
---
security/selinux/hooks.c | 32 +++++++++++++++++++++++++++++---
1 files changed, 29 insertions(+), 3 deletions(-)
diff -puN security/selinux/hooks.c~selinux-support-mls-categories-for-context-mounts security/selinux/hooks.c
--- a/security/selinux/hooks.c~selinux-support-mls-categories-for-context-mounts
+++ a/security/selinux/hooks.c
@@ -398,7 +398,7 @@ static int try_context_mount(struct supe
/* Standard string-based options. */
char *p, *options = data;
- while ((p = strsep(&options, ",")) != NULL) {
+ while ((p = strsep(&options, "|")) != NULL) {
int token;
substring_t args[MAX_OPT_ARGS];
@@ -1930,11 +1930,34 @@ static inline void take_option(char **to
*to += len;
}
+static inline void take_selinux_option(char **to, char *from, int *first,
+ int len)
+{
+ int current_size = 0;
+
+ if (!*first) {
+ **to = '|';
+ *to += 1;
+ }
+ else
+ *first = 0;
+
+ while (current_size < len) {
+ if (*from != '"') {
+ **to = *from;
+ *to += 1;
+ }
+ from += 1;
+ current_size += 1;
+ }
+}
+
static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
{
int fnosec, fsec, rc = 0;
char *in_save, *in_curr, *in_end;
char *sec_curr, *nosec_save, *nosec;
+ int open_quote = 0;
in_curr = orig;
sec_curr = copy;
@@ -1956,11 +1979,14 @@ static int selinux_sb_copy_data(struct f
in_save = in_end = orig;
do {
- if (*in_end == ',' || *in_end == '\0') {
+ if (*in_end == '"')
+ open_quote = !open_quote;
+ if ((*in_end == ',' && open_quote == 0) ||
+ *in_end == '\0') {
int len = in_end - in_curr;
if (selinux_option(in_curr, len))
- take_option(&sec_curr, in_curr, &fsec, len);
+ take_selinux_option(&sec_curr, in_curr, &fsec, len);
else
take_option(&nosec, in_curr, &fnosec, len);
_
Patches currently in -mm which might be from colmo@xxxxxxxxxxxxx are
selinux-support-mls-categories-for-context-mounts.patch
selinux-support-mls-categories-for-context-mounts-tidy.patch
-
To unsubscribe from this list: send the line "unsubscribe mm-commits" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
