Security Enhanced Linux
SELinux Mailing List: [PATCH][RFC] Security mount data & sb_copy_data hook.
From: James Morris <jmorris_at_redhat.com>
Date: Sat, 24 Jan 2004 13:28:24 -0500 (EST)
An example of use is under SELinux, where a filesystem may need to be mounted with a specific security context because the filesystem does not support extended attributes (e.g. NFS), or where the existing attributes are not trusted (e.g. inserting removable media). A new LSM hook has been added, sb_copy_data, which allows the security module to copy security-specific mount data once the superblock has been set up by the filesystem. The sb_kern_mount hook has been modified to take this security data as a parameter, and would typically be used at that point to configure the security parameters of the filesystem being mounted. Allocation and freeing of the security data has been implemented in the core fs code as it is cleaner than trying to do it purely via LSM hooks, and should make maintenance easier. This code will be compiled away if LSM is not enabled. Any feedback on this will be most appreciated.
Related patches for NFS, userspace and experimental SELinux context mounting are at:
diff -urN -X dontdiff linux-2.6.2-rc1.p/fs/super.c linux-2.6.2-rc1.w/fs/super.c --- linux-2.6.2-rc1.p/fs/super.c 2003-10-15 08:53:19.000000000 -0400 +++ linux-2.6.2-rc1.w/fs/super.c 2004-01-22 14:11:36.000000000 -0500 @@ -708,6 +708,7 @@ struct super_block *sb = ERR_PTR(-ENOMEM); struct vfsmount *mnt; int error; out: diff -urN -X dontdiff linux-2.6.2-rc1.p/include/linux/fs.h linux-2.6.2-rc1.w/include/linux/fs.h --- linux-2.6.2-rc1.p/include/linux/fs.h 2004-01-21 13:39:03.000000000 -0500 +++ linux-2.6.2-rc1.w/include/linux/fs.h 2004-01-22 11:58:50.000000000 -0500@@ -1421,5 +1421,25 @@ /* kernel/fork.c */ extern int unshare_files(void); +#ifdef CONFIG_SECURITY +static inline char *alloc_secdata(void) +{ @@ -1024,7 +1034,8 @@ int (*sb_alloc_security) (struct super_block * sb); void (*sb_free_security) (struct super_block * sb); - int (*sb_kern_mount) (struct super_block *sb); } -static inline int security_sb_kern_mount (struct super_block *sb) +static inline int security_sb_copy_data (const char *fstype, void *orig, void *copy) { - return security_ops->sb_kern_mount (sb);}
static inline int security_sb_statfs (struct super_block *sb)
@@ -1973,7 +1989,12 @@
-static inline int security_sb_kern_mount (struct super_block *sb) +static inline int security_sb_copy_data (const char *fstype, void *orig, void *copy) +{ } diff -urN -X dontdiff linux-2.6.2-rc1.p/security/dummy.c linux-2.6.2-rc1.w/security/dummy.c --- linux-2.6.2-rc1.p/security/dummy.c 2004-01-21 13:39:03.000000000 -0500 +++ linux-2.6.2-rc1.w/security/dummy.c 2004-01-21 17:17:13.000000000 -0500 @@ -194,7 +194,12 @@ return; } -static int dummy_sb_kern_mount (struct super_block *sb) +static int dummy_sb_copy_data (const char *fstype, void *orig, void *copy) +{ } @@ -877,6 +882,7 @@ set_to_dummy_if_null(ops, bprm_secureexec); set_to_dummy_if_null(ops, sb_alloc_security); set_to_dummy_if_null(ops, sb_free_security); -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.Received on Sat 24 Jan 2004 - 13:28:36 EST |
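Review bot: in the include/linux/fs.h hunk at @@ -1421, alloc_secdata() is defined under #ifdef CONFIG_SECURITY but no #else branch is visible; since fs/super.c calls it from the common mount path, the !CONFIG_SECURITY case needs no-op static inline stubs for alloc_secdata() and its matching free routine (returning NULL / doing nothing) or the "compiled away" claim in the cover note will not hold. Also add a comment above alloc_secdata() stating the buffer size and that the fs core, not the security module, owns and frees it, since the cover note says that is the design.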
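Review bot: security_sb_copy_data(const char *fstype, void *orig, void *copy) in the security.h hunk at @@ -1024 carries no length for orig or copy, so the size contract must be spelled out in the hook's kerneldoc in struct security_operations (none is visible in the hunk): state that both point at a mount-data buffer of the size alloc_secdata() returns and that the module must not write past the end of copy, or pass a length explicitly. The !CONFIG_SECURITY inline at @@ -1973 is shown with an empty body; it has to return 0 so that mounts still succeed when no security module is configured.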
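Review bot: dummy_sb_copy_data() in the security/dummy.c hunk at @@ -194 is shown with an empty body and must return 0 like the other dummy sb hooks, otherwise every mount fails under the default ops. In the @@ -877 hunk the context shows set_to_dummy_if_null(ops, sb_alloc_security) and sb_free_security but the corresponding set_to_dummy_if_null(ops, sb_copy_data); line is not visible in the extract; confirm it is there, since a module that does not implement the new hook would otherwise leave a NULL function pointer that do_kern_mount() calls on every mount.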
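As an added illustration of what the sb_copy_data hook described above is for (example code written for this page, not part of James Morris's patch or the kernel), here is a userspace model of the copy step: security-specific "key=value" options are pulled out of the raw mount data into a separate buffer so the filesystem never sees them and the module can apply them at sb_kern_mount time. The option names "context"/"fscontext" and the page-sized buffer are assumptions, not the patch's API.

```c
/* Userspace model of an sb_copy_data hook: copy the security-specific
 * mount options out of the raw mount data (orig) into a separate buffer
 * (copy).  Example code added for this page; not kernel code. */
#include <stdio.h>
#include <string.h>

#define SECDATA_SIZE 4096   /* assumed: mount data is one page */

/* Assumed (hypothetical) option keys the security module owns. */
static const char *const sec_opts[] = { "context", "fscontext", NULL };

static int is_sec_opt(const char *tok, size_t keylen)
{
    for (int i = 0; sec_opts[i]; i++)
        if (strlen(sec_opts[i]) == keylen && !strncmp(tok, sec_opts[i], keylen))
            return 1;
    return 0;
}

/* Copy the comma-separated options whose key is a security option from
 * orig into copy (copylen bytes).  Returns the number of options copied,
 * or -1 if orig is unusable or copy would overflow. */
int copy_sec_data(const char *orig, char *copy, size_t copylen)
{
    char buf[SECDATA_SIZE];     /* strtok() modifies its input */
    size_t used = 0;
    int n = 0;

    copy[0] = '\0';
    if (!orig || strlen(orig) >= sizeof buf)
        return -1;
    strcpy(buf, orig);
    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
        char *eq = strchr(tok, '=');
        size_t keylen = eq ? (size_t)(eq - tok) : strlen(tok);
        size_t len = strlen(tok);

        if (!is_sec_opt(tok, keylen))
            continue;                       /* leave it for the fs */
        if (used + len + (n ? 1 : 0) + 1 > copylen)
            return -1;                      /* never overrun copy */
        if (n)
            copy[used++] = ',';
        memcpy(copy + used, tok, len + 1);  /* includes the NUL */
        used += len;
        n++;
    }
    return n;
}
```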
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009