On Wed, 9 May 2001, Chris Wright wrote:
> a time ;-) The super_block blob is in there, but I didn't update the
> security interface much (just added a super_block_security_ops struct with
> (alloc_|free_)security. What did you have in mind for the security checks?
> Just the super_operations stuff? The dquot_operations also?
I've attached a small patch that inserts calls to the super_block alloc_security and free_security hooks in fs/super.c and that inserts a newly defined statfs hook call into fs/open.c, with the updated definition in include/linux/security.h. As far as other file system security checks go, I'm not sure what else might be needed. A number of the filesystem-related checks are being handled by hooks defined in the top-level security_operations structure, e.g. mount, add_vfsmnt, umount*, remount, post_remount.
--
Stephen D. Smalley, NAI Labs ssmalleyat_private
Index: fs/open.c
===================================================================
RCS file: /cvs/lsm/lsm/fs/open.c,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- fs/open.c 2001/05/11 14:17:11 1.3
+++ fs/open.c 2001/05/18 19:23:21 1.4
@@ -28,6 +28,9 @@
 retval = -ENOSYS;
 if (sb->s_op && sb->s_op->statfs) {
 memset(buf, 0, sizeof(struct statfs));
+ retval = security_ops->sb_ops->statfs(sb);
+ if (retval)
+ return retval;
 lock_kernel();
 retval = sb->s_op->statfs(sb, buf);
 unlock_kernel();
Index: fs/super.c
===================================================================
RCS file: /cvs/lsm/lsm/fs/super.c,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- fs/super.c 2001/05/09 20:19:19 1.2
+++ fs/super.c 2001/05/18 19:23:21 1.3
@@ -701,8 +701,11 @@
 s = sb_entry(s->s_list.next)) {
 if (s->s_dev)
 continue;
- if (!s->s_lock)
+ if (!s->s_lock) {
+ if (security_ops->sb_ops->alloc_security(s))
+ return NULL;
 return s;
+ }
 printk("VFS: empty superblock %p locked!\n", s);
 }
 /* Need a new one... */
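Review bot: On the reuse branch the new alloc_security call runs on a super_block that still holds whatever its previous user left in it, because only the freshly kmalloc'd block in the @@ -712 hunk is memset to zero before the hook runs. Unless the free_security calls added at @@ -756 and @@ -926 reset the per-superblock security state the module owns, a module cannot tell a recycled block from a new one and a stale security pointer could be picked up by the next mount; the header should say which side is responsible, e.g. `/* free_security: release per-superblock state; the super_block object is recycled rather than freed, so leave it in a state alloc_security can be called on again */`. The lock held while walking super_blocks is outside the hunk; if it forbids sleeping, an allocating alloc_security would have to be non-blocking here. The enclosing function (presumably get_empty_super, its header is not shown) starts before the hunk.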
@@ -712,6 +715,10 @@
 if (s) {
 nr_super_blocks++;
 memset(s, 0, sizeof(struct super_block));
+ if (security_ops->sb_ops->alloc_security(s)) {
+ kfree(s);
+ return NULL;
+ }
 INIT_LIST_HEAD(&s->s_dirty);
 INIT_LIST_HEAD(&s->s_locked_inodes);
 list_add (&s->s_list, super_blocks.prev);
@@ -756,6 +763,7 @@
 s->s_dev = 0;
 s->s_bdev = 0;
 s->s_type = NULL;
+ security_ops->sb_ops->free_security(s);
 unlock_super(s);
 return NULL;
 }
@@ -926,6 +934,7 @@
 sb->s_bdev = NULL;
 put_filesystem(fs);
 sb->s_type = NULL;
+ security_ops->sb_ops->free_security(sb);
 unlock_super(sb);
 up_write(&sb->s_umount);
 if (umount_root) {
Index: include/linux/security.h
===================================================================
RCS file: /cvs/lsm/lsm/include/linux/security.h,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- include/linux/security.h 2001/05/11 14:17:11 1.2
+++ include/linux/security.h 2001/05/18 19:23:21 1.3
@@ -38,6 +38,7 @@
 struct super_block_security_ops {
 int (* alloc_security) (struct super_block *sb);
 void (* free_security) (struct super_block *sb);
+ int (* statfs) (struct super_block *sb);
 };
 struct inode_security_ops {
_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
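Review bot: `nr_super_blocks++` on the line before the memset is not undone when the new alloc_security check fails, so every rejected allocation leaves the counter one too high even though the block itself is kfree'd. Either decrement before freeing, `nr_super_blocks--;` ahead of `kfree(s);`, or move the increment below the new check so only blocks that are actually linked into super_blocks are counted. Whatever reads nr_super_blocks is outside the hunk, so the visible consequence is a drifting counter; if it feeds a limit check, repeated hook failures would also exhaust it.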
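Review bot: The new statfs member carries no comment on its return contract, while fs/open.c in this same patch hands its value straight back to the caller as retval and aborts on anything non-zero. Add beside it: `/* statfs: called before the filesystem's own statfs on sb; return 0 to allow, a negative errno to deny (the value is returned to the caller) */`. A one-line note of the same shape on alloc_security would help too, since fs/super.c now treats any non-zero return as an allocation failure.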