From 9d8f13ba3f4833219e50767b022b82cd0da930eb Mon Sep 17 00:00:00 2001
From: Mimi Zohar
Date: Mon, 6 Jun 2011 15:29:25 -0400
Subject: security: new security_inode_init_security API adds function callback
This patch changes the security_inode_init_security API by adding a filesystem specific callback to write security extended attributes. This change is in preparation for supporting the initialization of multiple LSM xattrs and the EVM xattr. Initially the callback function walks an array of xattrs, writing each xattr separately, but could be optimized to write multiple xattrs at once.
For existing security_inode_init_security() calls, which have not yet been converted to use the new callback function, such as those in reiserfs and ocfs2, this patch defines security_old_inode_init_security().
Signed-off-by: Mimi Zohar
---
 include/linux/security.h | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)
(limited to 'include/linux/security.h')
diff --git a/include/linux/security.h b/include/linux/security.h
index 8ce59ef3e5a..6a20c702549 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -36,6 +36,7 @@
 #include
 #include
 #include
+#include
 #include
 /* Maximum number of letters for an LSM name string */
@@ -147,6 +148,10 @@ extern int mmap_min_addr_handler(struct ctl_table *table, int write,
 void __user *buffer, size_t *lenp, loff_t *ppos);
 #endif
+/* security_inode_init_security callback function to write xattrs */
+typedef int (*initxattrs) (struct inode *inode,
+ const struct xattr *xattr_array, void *fs_data);
+
 #ifdef CONFIG_SECURITY
 struct security_mnt_opts {
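Review bot: The new `initxattrs` typedef in the second hunk is described only as a "callback function to write xattrs", which leaves the contract a filesystem must implement unstated: how the callback knows where `xattr_array` ends (a count or a terminating entry), who owns the name and value buffers once it returns, and what a non-zero return means to the caller. The comment on the typedef is the natural place for those three points, e.g. `/* security_inode_init_security() callback: write each entry of xattr_array to inode; fs_data is passed through from the caller untouched; return 0 or -errno */`, with the array-termination and ownership rules filled in from the hook implementation in security/security.c, which is not on this page. Without that, a reader of the header has to consult the implementation before the API can be used safely.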
@@ -1704,8 +1709,11 @@ int security_sb_parse_opts_str(char *options, struct security_mnt_opts *opts);
 int security_inode_alloc(struct inode *inode);
 void security_inode_free(struct inode *inode);
 int security_inode_init_security(struct inode *inode, struct inode *dir,
- const struct qstr *qstr, char **name,
- void **value, size_t *len);
+ const struct qstr *qstr,
+ initxattrs initxattrs, void *fs_data);
+int security_old_inode_init_security(struct inode *inode, struct inode *dir,
+ const struct qstr *qstr, char **name,
+ void **value, size_t *len);
 int security_inode_create(struct inode *dir, struct dentry *dentry, int mode);
 int security_inode_link(struct dentry *old_dentry, struct inode *dir,
 struct dentry *new_dentry);
@@ -2035,9 +2043,8 @@ static inline void security_inode_free(struct inode *inode)
 static inline int security_inode_init_security(struct inode *inode,
 struct inode *dir,
 const struct qstr *qstr,
- char **name,
- void **value,
- size_t *len)
+ initxattrs initxattrs,
+ void *fs_data)
 {
 return -EOPNOTSUPP;
 }
-- 
cgit v1.2.3-70-g09d2
From e1c9b23adbe86c725738402857397d7a29f9d6ef Mon Sep 17 00:00:00 2001
From: Mimi Zohar
Date: Thu, 11 Aug 2011 00:22:51 -0400
Subject: evm: building without EVM enabled fixes
- Missing 'inline' on evm_inode_setattr() definition. Introduced by commit 817b54aa45db ("evm: add evm_inode_setattr to prevent updating an invalid security.evm").
- Missing security_old_inode_init_security() stub function definition. Caused by commit 9d8f13ba3f48 ("security: new security_inode_init_security API adds function callback").
Reported-by: Stephen Rothwell
Signed-off-by: Mimi Zohar
Signed-off-by: James Morris
---
 include/linux/evm.h | 2 +-
 include/linux/security.h | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)
(limited to 'include/linux/security.h')
diff --git a/include/linux/evm.h b/include/linux/evm.h
index db5556dcdd2..62deb6557d3 100644
--- a/include/linux/evm.h
+++ b/include/linux/evm.h
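Review bot: In the new `security_inode_init_security` prototype the callback parameter is spelled exactly like its type, `initxattrs initxattrs, void *fs_data);`, which reads like a typo and shadows the typedef for the rest of the parameter list; a distinct parameter name such as `initxattrs init_xattrs` (or a `_t`-suffixed type name) keeps the two apart. The same `initxattrs initxattrs` spelling appears in the !CONFIG_SECURITY stub in the second hunk of this commit. The newly declared `security_old_inode_init_security()` also carries no comment saying it is the transitional interface for callers not yet converted, which the commit message states; a one-line `/* legacy single-xattr interface; new callers use security_inode_init_security() */` above the declaration would carry that into the header.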
@@ -45,7 +45,7 @@ static inline enum integrity_status evm_verifyxattr(struct dentry *dentry,
 }
 #endif
-static int evm_inode_setattr(struct dentry *dentry, struct iattr *attr)
+static inline int evm_inode_setattr(struct dentry *dentry, struct iattr *attr)
 {
 return 0;
 }
diff --git a/include/linux/security.h b/include/linux/security.h
index 1c528b19a32..f399cf10e2a 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -2048,6 +2048,13 @@ static inline int security_inode_init_security(struct inode *inode,
 return -EOPNOTSUPP;
 }
+int security_old_inode_init_security(struct inode *inode, struct inode *dir,
+ const struct qstr *qstr, char **name,
+ void **value, size_t *len)
+{
+ return -EOPNOTSUPP;
+}
+
 static inline int security_inode_create(struct inode *dir,
 struct dentry *dentry,
 int mode)
-- 
cgit v1.2.3-70-g09d2
From 1e39f384bb01b0395b69cb70c2cacae65012f203 Mon Sep 17 00:00:00 2001
From: Mimi Zohar
Date: Mon, 15 Aug 2011 09:09:16 -0400
Subject: evm: fix build problems
- Make the previously missing security_old_inode_init_security() stub function definition static inline.
- The stub security_inode_init_security() function previously returned -EOPNOTSUPP and relied on the callers to change it to 0. The stub security/security_old_inode_init_security() functions now return 0.
Reported-by: Stephen Rothwell
Signed-off-by: Mimi Zohar
Signed-off-by: James Morris
---
 include/linux/security.h | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
(limited to 'include/linux/security.h')
diff --git a/include/linux/security.h b/include/linux/security.h
index f399cf10e2a..d9f7ec41ba5 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -2045,14 +2045,16 @@ static inline int security_inode_init_security(struct inode *inode,
 initxattrs initxattrs,
 void *fs_data)
 {
- return -EOPNOTSUPP;
+ return 0;
 }
-int security_old_inode_init_security(struct inode *inode, struct inode *dir,
- const struct qstr *qstr, char **name,
- void **value, size_t *len)
+static inline int security_old_inode_init_security(struct inode *inode,
+ struct inode *dir,
+ const struct qstr *qstr,
+ char **name, void **value,
+ size_t *len)
 {
- return -EOPNOTSUPP;
+ return 0;
 }
 static inline int security_inode_create(struct inode *dir,
-- 
cgit v1.2.3-70-g09d2
From fc9ff9b7e3eaff3f49bc0fbbddfc1416212e888a Mon Sep 17 00:00:00 2001
From: "rongqing.li@windriver.com"
Date: Tue, 6 Sep 2011 11:35:36 +0800
Subject: security: Fix a typo
Fix a typo.
Signed-off-by: Roy.Li
Signed-off-by: James Morris
---
 include/linux/security.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'include/linux/security.h')
diff --git a/include/linux/security.h b/include/linux/security.h
index d9f7ec41ba5..a14c2d4b22c 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -1372,7 +1372,7 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 * @inode_getsecctx:
 * Returns a string containing all relavent security context information
 *
- * @inode we wish to set the security context of.
+ * @inode we wish to get the security context of.
 * @ctx is a pointer in which to place the allocated security context.
 * @ctxlen points to the place to put the length of @ctx.
 * This is the main security structure.
-- 
cgit v1.2.3-70-g09d2
From 5dbe3040c74eef18e66951347eda05b153e69328 Mon Sep 17 00:00:00 2001
From: James Morris
Date: Tue, 30 Aug 2011 13:48:53 +1000
Subject: security: sparse fix: Move security_fixup_op to security.h
Fix sparse warning by moving declaraion to global header.
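Review bot: The `security_old_inode_init_security` stub in the first hunk now returns 0 but never writes `*name`, `*value` or `*len`, so a caller that takes 0 to mean "an xattr was produced" goes on to use whatever those variables held before the call; the commit message says the old-API callers used to convert -EOPNOTSUPP to 0 themselves, so they presumably branch on the return code rather than on the outputs. Returning 0 from the callback-based `security_inode_init_security` stub is harmless because the callback is simply never invoked, but the out-parameter form has no such safety. Either keep `-EOPNOTSUPP` for the old-API stub, or make it define its outputs explicitly with `*name = NULL; *value = NULL; *len = 0;` before `return 0;`, and confirm that reiserfs and ocfs2 (named as the remaining old-API users in the first commit on this page) check `*value`/`*len` rather than only the return value.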
Signed-off-by: James Morris
---
 include/linux/security.h | 2 ++
 security/security.c | 3 ---
 2 files changed, 2 insertions(+), 3 deletions(-)
(limited to 'include/linux/security.h')
diff --git a/include/linux/security.h b/include/linux/security.h
index a14c2d4b22c..19d8e04e168 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -1660,6 +1660,8 @@ struct security_operations {
 extern int security_init(void);
 extern int security_module_enable(struct security_operations *ops);
 extern int register_security(struct security_operations *ops);
+extern void __init security_fixup_ops(struct security_operations *ops);
+
 /* Security operations */
 int security_ptrace_access_check(struct task_struct *child, unsigned int mode);
diff --git a/security/security.c b/security/security.c
index a6328421a05..9ebda054a33 100644
--- a/security/security.c
+++ b/security/security.c
@@ -26,9 +26,6 @@
 static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] =
 CONFIG_DEFAULT_SECURITY;
-/* things that live in capability.c */
-extern void __init security_fixup_ops(struct security_operations *ops);
-
 static struct security_operations *security_ops;
 static struct security_operations default_security_ops = {
 .name = "default",
-- 
cgit v1.2.3-70-g09d2
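Review bot: The declaration moved into security.h drops the `/* things that live in capability.c */` comment that accompanied it in security.c, so the header now gives no hint that `security_fixup_ops` is defined in a different file from the `security_init`/`register_security` externs beside it; keeping a short `/* defined in security/capability.c */` above the new line preserves that. The `__init` on an extern declaration in a public header also deserves a word in the same comment, since a non-`__init` caller picking it up from the header would presumably trigger a section-mismatch warning rather than a compile error.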