| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20090904153135.GA15342@us.ibm.com>
Date: Fri, 4 Sep 2009 10:31:35 -0500
From: "Serge E. Hallyn" <serue@...ibm.com>
To: "David P. Quigley" <dpquigl@...ho.nsa.gov>
Cc: sds@...ho.nsa.gov, jmorris@...ei.org, casey@...aufler-ca.com,
gregkh@...e.de, ebiederm@...ssion.com,
linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org
Subject: Re: [PATCH 1/3] VFS: Factor out part of vfs_setxattr so it can be
called from the SELinux hook for inode_setsecctx.
Quoting David P. Quigley (dpquigl@...ho.nsa.gov):
> This factors out the part of the vfs_setxattr function that performs the
> setting of the xattr and its notification. This is needed so the SELinux
> implementation of inode_setsecctx can handle the setting of the xattr while
> maintaining the proper separation of layers.
>
> Signed-off-by: David P. Quigley <dpquigl@...ho.nsa.gov>
Acked-by: Serge Hallyn <serue@...ibm.com>
> ---
> fs/xattr.c | 55 +++++++++++++++++++++++++++++++++++++-----------
> include/linux/xattr.h | 1 +
> 2 files changed, 43 insertions(+), 13 deletions(-)
>
> diff --git a/fs/xattr.c b/fs/xattr.c
> index 1c3d0af..6d4f6d3 100644
> --- a/fs/xattr.c
> +++ b/fs/xattr.c
> @@ -66,22 +66,28 @@ xattr_permission(struct inode *inode, const char *name, int mask)
> return inode_permission(inode, mask);
> }
>
> -int
> -vfs_setxattr(struct dentry *dentry, const char *name, const void *value,
> - size_t size, int flags)
> +/**
> + * __vfs_setxattr_noperm - perform setxattr operation without performing
> + * permission checks.
> + *
> + * @dentry - object to perform setxattr on
> + * @name - xattr name to set
> + * @value - value to set @name to
> + * @size - size of @value
> + * @flags - flags to pass into filesystem operations
> + *
> + * returns the result of the internal setxattr or setsecurity operations.
> + *
> + * This function requires the caller to lock the inode's i_mutex before it
> + * is executed. It also assumes that the caller will make the appropriate
> + * permission checks.
> + */
> +int __vfs_setxattr_noperm(struct dentry *dentry, const char *name,
> + const void *value, size_t size, int flags)
> {
> struct inode *inode = dentry->d_inode;
> - int error;
> -
> - error = xattr_permission(inode, name, MAY_WRITE);
> - if (error)
> - return error;
> + int error = -EOPNOTSUPP;
>
> - mutex_lock(&inode->i_mutex);
> - error = security_inode_setxattr(dentry, name, value, size, flags);
> - if (error)
> - goto out;
> - error = -EOPNOTSUPP;
> if (inode->i_op->setxattr) {
> error = inode->i_op->setxattr(dentry, name, value, size, flags);
> if (!error) {
> @@ -97,6 +103,29 @@ vfs_setxattr(struct dentry *dentry, const char *name, const void *value,
> if (!error)
> fsnotify_xattr(dentry);
> }
> +
> + return error;
> +}
> +
> +
> +int
> +vfs_setxattr(struct dentry *dentry, const char *name, const void *value,
> + size_t size, int flags)
> +{
> + struct inode *inode = dentry->d_inode;
> + int error;
> +
> + error = xattr_permission(inode, name, MAY_WRITE);
> + if (error)
> + return error;
> +
> + mutex_lock(&inode->i_mutex);
> + error = security_inode_setxattr(dentry, name, value, size, flags);
> + if (error)
> + goto out;
> +
> + error = __vfs_setxattr_noperm(dentry, name, value, size, flags);
> +
> out:
> mutex_unlock(&inode->i_mutex);
> return error;
> diff --git a/include/linux/xattr.h b/include/linux/xattr.h
> index d131e35..5c84af8 100644
> --- a/include/linux/xattr.h
> +++ b/include/linux/xattr.h
> @@ -49,6 +49,7 @@ struct xattr_handler {
> ssize_t xattr_getsecurity(struct inode *, const char *, void *, size_t);
> ssize_t vfs_getxattr(struct dentry *, const char *, void *, size_t);
> ssize_t vfs_listxattr(struct dentry *d, char *list, size_t size);
> +int __vfs_setxattr_noperm(struct dentry *, const char *, const void *, size_t, int);
> int vfs_setxattr(struct dentry *, const char *, const void *, size_t, int);
> int vfs_removexattr(struct dentry *, const char *);
>
> --
> 1.5.6.6
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo@...r.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists