| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 24 Jan 2007 15:08:08 -0500
From: Stephen Smalley <sds@...ho.nsa.gov>
To: Trond Myklebust <Trond.Myklebust@...app.com>
Cc: torvalds@...l.org, akpm@...l.org, linux-kernel@...r.kernel.org,
nfs@...ts.sourceforge.net, James Morris <jmorris@...ei.org>,
Eric Paris <eparis@...hat.com>,
Jim Meyering <meyering@...hat.com>
Subject: Re: [PATCH 3/3] NFS: Ensure we support selinux xattrs
On Wed, 2007-01-24 at 11:54 -0800, Trond Myklebust wrote:
> From: Trond Myklebust <Trond.Myklebust@...app.com>
>
> Some programs (e.g. GNU "cp") are currently crashing because NFS
> allows you to inquire about SELinux security attributes (vfs_getxattr()
> automatically handles this), but returns -EOPNOTSUPP when they later
> attempt to set the SELinux security attributes.
>
> The following patch just ensures that we pass the request to set security
> attributes on to the default SELinux handler.
That seems like a bug in cp, and it can happen under other circumstances
as well (mount with context= option).
I don't think you want to just set the incore inode security state on
the client side, as that won't be preserved.
> Signed-off-by: Trond Myklebust <Trond.Myklebust@...app.com>
> ---
>
> fs/nfs/nfs3acl.c | 13 +++++++++++++
> fs/nfs/nfs4proc.c | 14 ++++++++++++++
> 2 files changed, 27 insertions(+), 0 deletions(-)
>
> diff --git a/fs/nfs/nfs3acl.c b/fs/nfs/nfs3acl.c
> index 7322da4..5970e7b 100644
> --- a/fs/nfs/nfs3acl.c
> +++ b/fs/nfs/nfs3acl.c
> @@ -4,6 +4,9 @@ #include <linux/nfs3.h>
> #include <linux/nfs_fs.h>
> #include <linux/posix_acl_xattr.h>
> #include <linux/nfsacl.h>
> +#include <linux/security.h>
> +#include <linux/xattr.h>
> +#include <linux/fsnotify.h>
>
> #define NFSDBG_FACILITY NFSDBG_PROC
>
> @@ -82,6 +85,16 @@ int nfs3_setxattr(struct dentry *dentry,
> struct posix_acl *acl;
> int type, error;
>
> + /* Selinux support */
> + if (!strncmp(name, XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN)) {
> + const char *suffix = name + XATTR_SECURITY_PREFIX_LEN;
> + error = security_inode_setsecurity(inode, suffix, value,
> + size, flags);
> + if (!error)
> + fsnotify_xattr(dentry);
> + return error;
> + }
> +
> if (strcmp(name, POSIX_ACL_XATTR_ACCESS) == 0)
> type = ACL_TYPE_ACCESS;
> else if (strcmp(name, POSIX_ACL_XATTR_DEFAULT) == 0)
> diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
> index b3fd29b..ac1082b 100644
> --- a/fs/nfs/nfs4proc.c
> +++ b/fs/nfs/nfs4proc.c
> @@ -48,6 +48,9 @@ #include <linux/nfs_page.h>
> #include <linux/smp_lock.h>
> #include <linux/namei.h>
> #include <linux/mount.h>
> +#include <linux/security.h>
> +#include <linux/xattr.h>
> +#include <linux/fsnotify.h>
>
> #include "nfs4_fs.h"
> #include "delegation.h"
> @@ -3547,6 +3550,17 @@ int nfs4_setxattr(struct dentry *dentry,
> {
> struct inode *inode = dentry->d_inode;
>
> + /* Selinux support */
> + if (!strncmp(key, XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN)) {
> + const char *suffix = key + XATTR_SECURITY_PREFIX_LEN;
> + int error;
> + error = security_inode_setsecurity(inode, suffix, buf,
> + buflen, flags);
> + if (!error)
> + fsnotify_xattr(dentry);
> + return error;
> + }
> +
> if (strcmp(key, XATTR_NAME_NFSV4_ACL) != 0)
> return -EOPNOTSUPP;
>
--
Stephen Smalley
National Security Agency
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists