lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <51B25B17.3010807@schaufler-ca.com>
Date:	Fri, 07 Jun 2013 15:13:43 -0700
From:	Casey Schaufler <casey@...aufler-ca.com>
To:	Jaegeuk Kim <jaegeuk.kim@...sung.com>
CC:	Casey Schaufler <casey@...aufler-ca.com>,
	linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
	linux-f2fs-devel@...ts.sourceforge.net
Subject: Re: [PATCH 2/2] f2fs: support xattr security labels

On 6/6/2013 10:55 PM, Jaegeuk Kim wrote:
> This patch adds the support of security labels for f2fs, which will be used
> by SElinux.

Please be inclusive. Security xattrs are used by LSMs other than SELinux.

> Signed-off-by: Jaegeuk Kim <jaegeuk.kim@...sung.com>
> ---
>  fs/f2fs/Kconfig |  9 +++++++++
>  fs/f2fs/dir.c   |  5 +++++
>  fs/f2fs/xattr.c | 59 +++++++++++++++++++++++++++++++++++++++++++++++++++++++--
>  fs/f2fs/xattr.h | 12 +++++++++++-
>  4 files changed, 82 insertions(+), 3 deletions(-)
>
> diff --git a/fs/f2fs/Kconfig b/fs/f2fs/Kconfig
> index fd27e7e..2214cc9 100644
> --- a/fs/f2fs/Kconfig
> +++ b/fs/f2fs/Kconfig
> @@ -51,3 +51,12 @@ config F2FS_FS_POSIX_ACL
>  	  Linux website <http://acl.bestbits.at/>.
>  
>  	  If you don't know what Access Control Lists are, say N
> +
> +config F2FS_FS_SECURITY
> +	bool "F2FS Security Labels"
> +	depends on F2FS_FS_XATTR
> +	help
> +	  Security labels provide acls used by the security modules
> +	  like SELinux. This option should be used with the xattr mode.

This description missuses the term "acl". Security labels are not
Access Control Lists (ACLs). What is the "xattr mode"? If this option
depends on xattr support "should" is not correct.

> +
> +	  If you are not using a security module, say N.
> diff --git a/fs/f2fs/dir.c b/fs/f2fs/dir.c
> index 67e2d13..81a1d6f 100644
> --- a/fs/f2fs/dir.c
> +++ b/fs/f2fs/dir.c
> @@ -13,6 +13,7 @@
>  #include "f2fs.h"
>  #include "node.h"
>  #include "acl.h"
> +#include "xattr.h"
>  
>  static unsigned long dir_blocks(struct inode *inode)
>  {
> @@ -334,6 +335,10 @@ static struct page *init_inode_metadata(struct inode *inode,
>  		if (err)
>  			goto error;
>  
> +		err = f2fs_init_security(inode, dir, name);
> +		if (err)
> +			goto error;
> +
>  		wait_on_page_writeback(page);
>  	} else {
>  		page = get_node_page(F2FS_SB(dir->i_sb), inode->i_ino);
> diff --git a/fs/f2fs/xattr.c b/fs/f2fs/xattr.c
> index ae61f35..b5292fa 100644
> --- a/fs/f2fs/xattr.c
> +++ b/fs/f2fs/xattr.c
> @@ -20,6 +20,7 @@
>   */
>  #include <linux/rwsem.h>
>  #include <linux/f2fs_fs.h>
> +#include <linux/security.h>
>  #include "f2fs.h"
>  #include "xattr.h"
>  
> @@ -43,6 +44,10 @@ static size_t f2fs_xattr_generic_list(struct dentry *dentry, char *list,
>  		prefix = XATTR_TRUSTED_PREFIX;
>  		prefix_len = XATTR_TRUSTED_PREFIX_LEN;
>  		break;
> +	case F2FS_XATTR_INDEX_SECURITY:
> +		prefix = XATTR_SECURITY_PREFIX;
> +		prefix_len = XATTR_SECURITY_PREFIX_LEN;
> +		break;
>  	default:
>  		return -EINVAL;
>  	}
> @@ -70,13 +75,14 @@ static int f2fs_xattr_generic_get(struct dentry *dentry, const char *name,
>  		if (!capable(CAP_SYS_ADMIN))
>  			return -EPERM;
>  		break;
> +	case F2FS_XATTR_INDEX_SECURITY:
> +		break;
>  	default:
>  		return -EINVAL;
>  	}
>  	if (strcmp(name, "") == 0)
>  		return -EINVAL;
> -	return f2fs_getxattr(dentry->d_inode, type, name,
> -			buffer, size);
> +	return f2fs_getxattr(dentry->d_inode, type, name, buffer, size);
>  }
>  
>  static int f2fs_xattr_generic_set(struct dentry *dentry, const char *name,
> @@ -93,6 +99,8 @@ static int f2fs_xattr_generic_set(struct dentry *dentry, const char *name,
>  		if (!capable(CAP_SYS_ADMIN))
>  			return -EPERM;
>  		break;
> +	case F2FS_XATTR_INDEX_SECURITY:
> +		break;
>  	default:
>  		return -EINVAL;
>  	}
> @@ -145,6 +153,40 @@ static int f2fs_xattr_advise_set(struct dentry *dentry, const char *name,
>  	return 0;
>  }
>  
> +#ifdef CONFIG_F2FS_FS_SECURITY
> +static int f2fs_initxattrs(struct inode *inode, const struct xattr *xattr_array,
> +		void *fs_info)
> +{
> +	const struct xattr *xattr;
> +	char *name;
> +	int err = 0;
> +
> +	for (xattr = xattr_array; xattr->name != NULL; xattr++) {
> +		name = kmalloc(XATTR_SECURITY_PREFIX_LEN +
> +			       strlen(xattr->name) + 1, GFP_NOFS);
> +		if (!name) {
> +			err = -ENOMEM;
> +			break;
> +		}
> +		strcpy(name, XATTR_SECURITY_PREFIX);
> +		strcpy(name + XATTR_SECURITY_PREFIX_LEN, xattr->name);

		sprintf(name, XATTR_SECURITY_PREFIX "%s", xattr->name);

might look simpler.

> +		err = f2fs_setxattr(inode, F2FS_XATTR_INDEX_SECURITY, name,
> +					xattr->value, xattr->value_len);
> +		kfree(name);
> +		if (err < 0)
> +			break;
> +	}
> +	return err;
> +}
> +
> +int f2fs_init_security(struct inode *inode, struct inode *dir,
> +				const struct qstr *qstr)
> +{
> +	return security_inode_init_security(inode, dir, qstr,
> +				&f2fs_initxattrs, NULL);
> +}
> +#endif
> +
>  const struct xattr_handler f2fs_xattr_user_handler = {
>  	.prefix	= XATTR_USER_PREFIX,
>  	.flags	= F2FS_XATTR_INDEX_USER,
> @@ -169,6 +211,13 @@ const struct xattr_handler f2fs_xattr_advise_handler = {
>  	.set    = f2fs_xattr_advise_set,
>  };
>  
> +const struct xattr_handler f2fs_xattr_security_handler = {
> +	.prefix	= XATTR_SECURITY_PREFIX,
> +	.list	= f2fs_xattr_generic_list,
> +	.get	= f2fs_xattr_generic_get,
> +	.set	= f2fs_xattr_generic_set,
> +};
> +
>  static const struct xattr_handler *f2fs_xattr_handler_map[] = {
>  	[F2FS_XATTR_INDEX_USER] = &f2fs_xattr_user_handler,
>  #ifdef CONFIG_F2FS_FS_POSIX_ACL
> @@ -177,6 +226,9 @@ static const struct xattr_handler *f2fs_xattr_handler_map[] = {
>  #endif
>  	[F2FS_XATTR_INDEX_TRUSTED] = &f2fs_xattr_trusted_handler,
>  	[F2FS_XATTR_INDEX_ADVISE] = &f2fs_xattr_advise_handler,
> +#ifdef CONFIG_F2FS_FS_SECURITY
> +	[F2FS_XATTR_INDEX_SECURITY] = &f2fs_xattr_security_handler,
> +#endif
>  };
>  
>  const struct xattr_handler *f2fs_xattr_handlers[] = {
> @@ -187,6 +239,9 @@ const struct xattr_handler *f2fs_xattr_handlers[] = {
>  #endif
>  	&f2fs_xattr_trusted_handler,
>  	&f2fs_xattr_advise_handler,
> +#ifdef CONFIG_F2FS_FS_SECURITY
> +	&f2fs_xattr_security_handler,
> +#endif
>  	NULL,
>  };
>  
> diff --git a/fs/f2fs/xattr.h b/fs/f2fs/xattr.h
> index 49c9558..14e1329 100644
> --- a/fs/f2fs/xattr.h
> +++ b/fs/f2fs/xattr.h
> @@ -112,6 +112,7 @@ extern const struct xattr_handler f2fs_xattr_trusted_handler;
>  extern const struct xattr_handler f2fs_xattr_acl_access_handler;
>  extern const struct xattr_handler f2fs_xattr_acl_default_handler;
>  extern const struct xattr_handler f2fs_xattr_advise_handler;
> +extern const struct xattr_handler f2fs_xattr_security_handler;
>  
>  extern const struct xattr_handler *f2fs_xattr_handlers[];
>  
> @@ -121,7 +122,6 @@ extern int f2fs_getxattr(struct inode *inode, int name_index, const char *name,
>  		void *buffer, size_t buffer_size);
>  extern ssize_t f2fs_listxattr(struct dentry *dentry, char *buffer,
>  		size_t buffer_size);
> -
>  #else
>  
>  #define f2fs_xattr_handlers	NULL
> @@ -142,4 +142,14 @@ static inline ssize_t f2fs_listxattr(struct dentry *dentry, char *buffer,
>  }
>  #endif
>  
> +#ifdef CONFIG_F2FS_FS_SECURITY
> +extern int f2fs_init_security(struct inode *inode, struct inode *dir,
> +				const struct qstr *qstr);
> +#else
> +static inline int f2fs_init_security(struct inode *inode, struct inode *dir,
> +				const struct qstr *qstr)
> +{
> +	return 0;
> +}
> +#endif
>  #endif /* __F2FS_XATTR_H__ */

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ