From 2a7dba391e5628ad665ce84ef9a6648da541ebab Mon Sep 17 00:00:00 2001
From: Eric Paris <eparis@redhat.com>
Date: Tue, 1 Feb 2011 11:05:39 -0500
Subject: fs/vfs/security: pass last path component to LSM on inode creation
SELinux would like to implement a new labeling behavior of newly created
inodes. We currently label new inodes based on the parent and the creating
process. This new behavior would also take into account the name of the
new object when deciding the new label. This is not the (supposed) full path,
just the last component of the path.
This is very useful because creating /etc/shadow is different than creating
/etc/passwd but the kernel hooks are unable to differentiate these
operations. We currently require that userspace realize it is doing some
difficult operation like that and than userspace jumps through SELinux hoops
to get things set up correctly. This patch does not implement new
behavior, that is obviously contained in a seperate SELinux patch, but it
does pass the needed name down to the correct LSM hook. If no such name
exists it is fine to pass NULL.
Signed-off-by: Eric Paris <eparis@redhat.com>
---
security/capability.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'security/capability.c')
diff --git a/security/capability.c b/security/capability.c
index 2a5df2b7da83..383d14dc12ef 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -118,7 +118,8 @@ static void cap_inode_free_security(struct inode *inode)
}
static int cap_inode_init_security(struct inode *inode, struct inode *dir,
- char **name, void **value, size_t *len)
+ const struct qstr *qstr, char **name,
+ void **value, size_t *len)
{
return -EOPNOTSUPP;
}
--
cgit v1.2.3
From 4916ca401e3051dad326ddd69765bd0e3f32fb9b Mon Sep 17 00:00:00 2001
From: Lucian Adrian Grijincu <lucian.grijincu@gmail.com>
Date: Tue, 1 Feb 2011 18:44:56 +0200
Subject: security: remove unused security_sysctl hook
The only user for this hook was selinux. sysctl routes every call
through /proc/sys/. Selinux and other security modules use the file
system checks for sysctl too, so no need for this hook any more.
Signed-off-by: Lucian Adrian Grijincu <lucian.grijincu@gmail.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
---
include/linux/security.h | 13 -------------
kernel/sysctl.c | 5 -----
security/capability.c | 6 ------
security/security.c | 5 -----
4 files changed, 29 deletions(-)
(limited to 'security/capability.c')
diff --git a/include/linux/security.h b/include/linux/security.h
index 05dd5a64aa76..14167f2eb35a 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -1259,12 +1259,6 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
* @cap contains the capability <include/linux/capability.h>.
* @audit: Whether to write an audit message or not
* Return 0 if the capability is granted for @tsk.
- * @sysctl:
- * Check permission before accessing the @table sysctl variable in the
- * manner specified by @op.
- * @table contains the ctl_table structure for the sysctl variable.
- * @op contains the operation (001 = search, 002 = write, 004 = read).
- * Return 0 if permission is granted.
* @syslog:
* Check permission before accessing the kernel message ring or changing
* logging to the console.
@@ -1385,7 +1379,6 @@ struct security_operations {
const kernel_cap_t *permitted);
int (*capable) (struct task_struct *tsk, const struct cred *cred,
int cap, int audit);
- int (*sysctl) (struct ctl_table *table, int op);
int (*quotactl) (int cmds, int type, int id, struct super_block *sb);
int (*quota_on) (struct dentry *dentry);
int (*syslog) (int type);
@@ -1668,7 +1661,6 @@ int security_capset(struct cred *new, const struct cred *old,
int security_capable(int cap);
int security_real_capable(struct task_struct *tsk, int cap);
int security_real_capable_noaudit(struct task_struct *tsk, int cap);
-int security_sysctl(struct ctl_table *table, int op);
int security_quotactl(int cmds, int type, int id, struct super_block *sb);
int security_quota_on(struct dentry *dentry);
int security_syslog(int type);
@@ -1887,11 +1879,6 @@ int security_real_capable_noaudit(struct task_struct *tsk, int cap)
return ret;
}
-static inline int security_sysctl(struct ctl_table *table, int op)
-{
- return 0;
-}
-
static inline int security_quotactl(int cmds, int type, int id,
struct super_block *sb)
{
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index ae5cbb1e3ced..e24254c27eaf 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -1691,13 +1691,8 @@ static int test_perm(int mode, int op)
int sysctl_perm(struct ctl_table_root *root, struct ctl_table *table, int op)
{
- int error;
int mode;
- error = security_sysctl(table, op & (MAY_READ | MAY_WRITE | MAY_EXEC));
- if (error)
- return error;
-
if (root->permissions)
mode = root->permissions(root, current->nsproxy, table);
else
diff --git a/security/capability.c b/security/capability.c
index 383d14dc12ef..85b67c8632df 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -12,11 +12,6 @@
#include <linux/security.h>
-static int cap_sysctl(ctl_table *table, int op)
-{
- return 0;
-}
-
static int cap_syslog(int type)
{
return 0;
@@ -881,7 +876,6 @@ void __init security_fixup_ops(struct security_operations *ops)
set_to_cap_if_null(ops, capable);
set_to_cap_if_null(ops, quotactl);
set_to_cap_if_null(ops, quota_on);
- set_to_cap_if_null(ops, sysctl);
set_to_cap_if_null(ops, syslog);
set_to_cap_if_null(ops, settime);
set_to_cap_if_null(ops, vm_enough_memory);
diff --git a/security/security.c b/security/security.c
index 4830f36e1ab5..8f28685ee0d9 100644
--- a/security/security.c
+++ b/security/security.c
@@ -182,11 +182,6 @@ int security_real_capable_noaudit(struct task_struct *tsk, int cap)
return ret;
}
-int security_sysctl(struct ctl_table *table, int op)
-{
- return security_ops->sysctl(table, op);
-}
-
int security_quotactl(int cmds, int type, int id, struct super_block *sb)
{
return security_ops->quotactl(cmds, type, id, sb);
--
cgit v1.2.3
From ff36fe2c845cab2102e4826c1ffa0a6ebf487c65 Mon Sep 17 00:00:00 2001
From: Eric Paris <eparis@redhat.com>
Date: Thu, 3 Mar 2011 16:09:14 -0500
Subject: LSM: Pass -o remount options to the LSM
The VFS mount code passes the mount options to the LSM. The LSM will remove
options it understands from the data and the VFS will then pass the remaining
options onto the underlying filesystem. This is how options like the
SELinux context= work. The problem comes in that -o remount never calls
into LSM code. So if you include an LSM specific option it will get passed
to the filesystem and will cause the remount to fail. An example of where
this is a problem is the 'seclabel' option. The SELinux LSM hook will
print this word in /proc/mounts if the filesystem is being labeled using
xattrs. If you pass this word on mount it will be silently stripped and
ignored. But if you pass this word on remount the LSM never gets called
and it will be passed to the FS. The FS doesn't know what seclabel means
and thus should fail the mount. For example an ext3 fs mounted over loop
# mount -o loop /tmp/fs /mnt/tmp
# cat /proc/mounts | grep /mnt/tmp
/dev/loop0 /mnt/tmp ext3 rw,seclabel,relatime,errors=continue,barrier=0,data=ordered 0 0
# mount -o remount /mnt/tmp
mount: /mnt/tmp not mounted already, or bad option
# dmesg
EXT3-fs (loop0): error: unrecognized mount option "seclabel" or missing value
This patch passes the remount mount options to an new LSM hook.
Signed-off-by: Eric Paris <eparis@redhat.com>
Reviewed-by: James Morris <jmorris@namei.org>
---
fs/namespace.c | 4 ++++
include/linux/security.h | 13 +++++++++++++
security/capability.c | 6 ++++++
security/security.c | 5 +++++
4 files changed, 28 insertions(+)
(limited to 'security/capability.c')
diff --git a/fs/namespace.c b/fs/namespace.c
index 3ddfd9046c44..1b3f2ac59c5e 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -1800,6 +1800,10 @@ static int do_remount(struct path *path, int flags, int mnt_flags,
if (path->dentry != path->mnt->mnt_root)
return -EINVAL;
+ err = security_sb_remount(sb, data);
+ if (err)
+ return err;
+
down_write(&sb->s_umount);
if (flags & MS_BIND)
err = change_mount_flags(path->mnt, flags);
diff --git a/include/linux/security.h b/include/linux/security.h
index 14167f2eb35a..d11ac43ecc49 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -268,6 +268,12 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
* @orig the original mount data copied from userspace.
* @copy copied data which will be passed to the security module.
* Returns 0 if the copy was successful.
+ * @sb_remount:
+ * Extracts security system specifc mount options and verifys no changes
+ * are being made to those options.
+ * @sb superblock being remounted
+ * @data contains the filesystem-specific data.
+ * Return 0 if permission is granted.
* @sb_umount:
* Check permission before the @mnt file system is unmounted.
* @mnt contains the mounted file system.
@@ -1394,6 +1400,7 @@ struct security_operations {
int (*sb_alloc_security) (struct super_block *sb);
void (*sb_free_security) (struct super_block *sb);
int (*sb_copy_data) (char *orig, char *copy);
+ int (*sb_remount) (struct super_block *sb, void *data);
int (*sb_kern_mount) (struct super_block *sb, int flags, void *data);
int (*sb_show_options) (struct seq_file *m, struct super_block *sb);
int (*sb_statfs) (struct dentry *dentry);
@@ -1676,6 +1683,7 @@ int security_bprm_secureexec(struct linux_binprm *bprm);
int security_sb_alloc(struct super_block *sb);
void security_sb_free(struct super_block *sb);
int security_sb_copy_data(char *orig, char *copy);
+int security_sb_remount(struct super_block *sb, void *data);
int security_sb_kern_mount(struct super_block *sb, int flags, void *data);
int security_sb_show_options(struct seq_file *m, struct super_block *sb);
int security_sb_statfs(struct dentry *dentry);
@@ -1955,6 +1963,11 @@ static inline int security_sb_copy_data(char *orig, char *copy)
return 0;
}
+static inline int security_sb_remount(struct super_block *sb, void *data)
+{
+ return 0;
+}
+
static inline int security_sb_kern_mount(struct super_block *sb, int flags, void *data)
{
return 0;
diff --git a/security/capability.c b/security/capability.c
index 85b67c8632df..ab3d807accc3 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -54,6 +54,11 @@ static int cap_sb_copy_data(char *orig, char *copy)
return 0;
}
+static int cap_sb_remount(struct super_block *sb, void *data)
+{
+ return 0;
+}
+
static int cap_sb_kern_mount(struct super_block *sb, int flags, void *data)
{
return 0;
@@ -887,6 +892,7 @@ void __init security_fixup_ops(struct security_operations *ops)
set_to_cap_if_null(ops, sb_alloc_security);
set_to_cap_if_null(ops, sb_free_security);
set_to_cap_if_null(ops, sb_copy_data);
+ set_to_cap_if_null(ops, sb_remount);
set_to_cap_if_null(ops, sb_kern_mount);
set_to_cap_if_null(ops, sb_show_options);
set_to_cap_if_null(ops, sb_statfs);
diff --git a/security/security.c b/security/security.c
index 8f28685ee0d9..b1d6134548bc 100644
--- a/security/security.c
+++ b/security/security.c
@@ -267,6 +267,11 @@ int security_sb_copy_data(char *orig, char *copy)
}
EXPORT_SYMBOL(security_sb_copy_data);
+int security_sb_remount(struct super_block *sb, void *data)
+{
+ return security_ops->sb_remount(sb, data);
+}
+
int security_sb_kern_mount(struct super_block *sb, int flags, void *data)
{
return security_ops->sb_kern_mount(sb, flags, data);
--
cgit v1.2.3