On 3/28/2013 3:19 PM, J. Bruce Fields wrote:
Dave, I think these are both questions for you?
--b.
On Thu, Mar 28, 2013 at 02:58:45PM -0400, bfields wrote:
On Thu, Mar 28, 2013 at 09:54:04AM -0400, Steve Dickson wrote:
@@ -1988,6 +2044,50 @@ nfsd4_encode_aclname(struct svc_rqst *rqstp, struct nfs4_ace *ace,
FATTR4_WORD0_RDATTR_ERROR)
#define WORD1_ABSENT_FS_ATTRS FATTR4_WORD1_MOUNTED_ON_FILEID
+#ifdef CONFIG_NFSD_V4_SECURITY_LABEL
+static inline __be32
+nfsd4_encode_security_label(struct svc_rqst *rqstp, struct dentry *dentry, __be32 **pp, int *buflen)
+{
+ void *context;
+ int err;
+ int len;
+ uint32_t pi = 0;
+ uint32_t lfs = 0;
+ __be32 *p = *pp;
+
+ err = 0;
+ (void)security_inode_getsecctx(dentry->d_inode, &context, &len);
+ if (len < 0)
+ return nfserrno(len);
+
+ if (*buflen < ((XDR_QUADLEN(len) << 2) + 4 + 4 + 4)) {
+ err = nfserr_resource;
+ goto out;
+ }
+
+ /* XXX: A call to the translation code should be placed here
+ * for now send 0 until we have that to indicate the null
+ * translation */
Could we better a better comment here?
We could remove this comment all together if you want. We're trying to
indicate that at some point in the future there will be a label
translation facility like idmapd but for labels instead. This is where
the call would go if we had it. I had a basic version of the code a long
time ago and that is where I had the call but there was way too much
work to make it usable for now. Instead I just pass the null translation
indicator on the wire and we wave our hands and say don't look at the
man behind the curtain.
...
+#ifdef CONFIG_NFSD_V4_SECURITY_LABEL
+__be32 nfsd4_set_nfs4_label(struct svc_rqst *rqstp, struct svc_fh *fhp,
+ struct nfs4_label *label)
+{
+ __be32 error;
+ int host_error;
+ struct dentry *dentry;
+
+ /* XXX: should we have a MAY_SSECCTX? */
Again: could we get an answer to this question?
I'm pretty sure we can just remove that comment. It was a question from
about 5 years ago now and I never found a compelling reason to say yes
to it.
--b.
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
