> Please don't introduce a special case for just nfs. All filesystems
> should control their mount options, so please provide some library
> helpers for context= handling and move it into all filesystems that
> can support selinux.
Hmm, looks like selinux is not showing its mount options in
/proc/mounts. Well, actually there's no infrastructure for it either.
Here's a template patch (completely untested).
Selinux guys, please fill in the details and submit, thanks.
Signed-off-by: Miklos Szeredi <[EMAIL PROTECTED]>
Index: linux/fs/namespace.c
===================================================================
--- linux.orig/fs/namespace.c 2008-02-20 10:51:11.000000000 +0100
+++ linux/fs/namespace.c 2008-02-20 10:51:25.000000000 +0100
@@ -385,6 +385,7 @@ static int show_vfsmnt(struct seq_file *
if (mnt->mnt_flags & fs_infop->flag)
seq_puts(m, fs_infop->str);
}
+ security_sb_show_options(m, mnt->mnt_sb);
if (mnt->mnt_sb->s_op->show_options)
err = mnt->mnt_sb->s_op->show_options(m, mnt);
seq_puts(m, " 0 0\n");
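Review bot: The return value of `security_sb_show_options(m, mnt->mnt_sb)` is discarded, so a failure in the security hook never reaches the caller. Where the filesystem provides `s_op->show_options`, `err` is assigned on the next lines only from that call. Capture the hook's result first, e.g. `err = security_sb_show_options(m, mnt->mnt_sb);`, and check it before calling the filesystem's own `show_options`. show_vfsmnt starts and ends outside this hunk, so whether to return early or still emit the trailing `" 0 0\n"` needs confirming against the full function.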
Index: linux/include/linux/security.h
===================================================================
--- linux.orig/include/linux/security.h 2008-02-18 21:20:03.000000000 +0100
+++ linux/include/linux/security.h 2008-02-20 11:02:04.000000000 +0100
@@ -80,6 +80,7 @@ struct xfrm_selector;
struct xfrm_policy;
struct xfrm_state;
struct xfrm_user_sec_ctx;
+struct seq_file;
extern int cap_netlink_send(struct sock *sk, struct sk_buff *skb);
extern int cap_netlink_recv(struct sk_buff *skb, int cap);
@@ -1226,6 +1227,7 @@ struct security_operations {
int (*sb_copy_data)(struct file_system_type *type,
void *orig, void *copy);
int (*sb_kern_mount) (struct super_block *sb, void *data);
+ int (*sb_show_options) (struct seq_file *, struct super_block *sb);
int (*sb_statfs) (struct dentry *dentry);
int (*sb_mount) (char *dev_name, struct nameidata * nd,
char *type, unsigned long flags, void *data);
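Review bot: The new `sb_show_options` member leaves its first parameter unnamed, while the neighbouring members name theirs. `int (*sb_show_options) (struct seq_file *m, struct super_block *sb);` is easier to read, and the same applies to the `security_sb_show_options` prototype added in the next hunk of this file. The hook also has no description of its contract; a comment such as `/* sb_show_options: write the security mount options of @sb to @m; return 0 on success or a negative error */` would help. Whether each option must carry its own leading comma is not visible here and should be stated once decided. struct security_operations starts and ends outside this hunk.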
@@ -1487,6 +1489,7 @@ int security_sb_alloc(struct super_block
void security_sb_free(struct super_block *sb);
int security_sb_copy_data(struct file_system_type *type, void *orig, void
*copy);
int security_sb_kern_mount(struct super_block *sb, void *data);
+int security_sb_show_options(struct seq_file *, struct super_block *sb);
int security_sb_statfs(struct dentry *dentry);
int security_sb_mount(char *dev_name, struct nameidata *nd,
char *type, unsigned long flags, void *data);
@@ -1744,6 +1747,12 @@ static inline int security_sb_kern_mount
return 0;
}
+static inline int security_sb_show_options (struct seq_file *m,
+ struct super_block *sb)
+{
+ return 0;
+}
+
static inline int security_sb_statfs (struct dentry *dentry)
{
return 0;
Index: linux/security/security.c
===================================================================
--- linux.orig/security/security.c 2008-02-18 21:20:06.000000000 +0100
+++ linux/security/security.c 2008-02-20 10:56:16.000000000 +0100
@@ -252,6 +252,14 @@ int security_sb_kern_mount(struct super_
return security_ops->sb_kern_mount(sb, data);
}
+int security_sb_show_options (struct seq_file *m, struct super_block *sb)
+{
+ if (security_ops->sb_show_options)
+ return security_ops->sb_show_options(m, sb);
+ else
+ return 0;
+}
+
int security_sb_statfs(struct dentry *dentry)
{
return security_ops->sb_statfs(dentry);
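Review bot: `security_sb_show_options` tests `security_ops->sb_show_options` for NULL, while the wrappers on either side (`security_sb_kern_mount`, `security_sb_statfs`) call their hooks unconditionally. If the ops table is guaranteed to be fully populated at registration, as the neighbours appear to assume, the patch should supply a default no-op for the new hook and reduce the body to `return security_ops->sb_show_options(m, sb);`. If that guarantee does not hold, keep the check and say why, e.g. `/* optional hook: modules registered without it show nothing */`. The space in `security_sb_show_options (` also differs from the other definitions visible in this hunk.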
Index: linux/security/selinux/hooks.c
===================================================================
--- linux.orig/security/selinux/hooks.c 2008-02-18 21:20:06.000000000 +0100
+++ linux/security/selinux/hooks.c 2008-02-20 10:58:57.000000000 +0100
@@ -590,6 +590,12 @@ out:
return rc;
}
+static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
+{
+ /* ... */
+ return 0;
+}
+
static int superblock_doinit(struct super_block *sb, void *data)
{
struct superblock_security_struct *sbsec = sb->s_security;
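Review bot: `selinux_sb_show_options` is a stub whose body is `/* ... */`, so the placeholder gives the implementer nothing about what the finished hook must guarantee. Whatever context strings it emits land in /proc/mounts, a whitespace-delimited file that userspace parses. They should go through `seq_escape()` rather than `seq_puts()`, so that a space, tab or newline inside a label cannot be read as an extra field or line. I would replace the placeholder with a comment along the lines of `/* TODO: emit the context= family of options for sb; escape label text with seq_escape(); decide what to print for a superblock whose security state is not initialised */`.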
@@ -4797,6 +4803,7 @@ static struct security_operations selinu
.sb_free_security = selinux_sb_free_security,
.sb_copy_data = selinux_sb_copy_data,
.sb_kern_mount = selinux_sb_kern_mount,
+ .sb_show_options = selinux_sb_show_options,
.sb_statfs = selinux_sb_statfs,
.sb_mount = selinux_mount,
.sb_umount = selinux_umount,