Re: Some feedback on the hooks

From: Stephen Smalley (sdsat_private)
Date: Fri May 18 2001 - 12:39:25 PDT


    On Wed, 9 May 2001, Chris Wright wrote:
    
    > a time ;-)  The super_block blob is in there, but I didn't update the
    > security interface much (just added a super_block_security_ops struct with
    > (alloc_|free_)security.  What did you have in mind for the security checks?
    > Just the super_operations stuff?  The dquot_operations also?
    
    I've attached a small patch that inserts calls to the super_block
    alloc_security and free_security hooks in fs/super.c and that
    inserts a newly defined statfs hook call into fs/open.c,
    with the updated definition in include/linux/security.h.  As
    far as other file system security checks go, I'm not sure what else 
    might be needed.  A number of the filesystem-related checks are
    being handled by hooks defined in the top-level security_operations
    structure, e.g. mount, add_vfsmnt, umount*, remount, post_remount.
    
    --
    Stephen D. Smalley, NAI Labs
    ssmalleyat_private
    
    
    
    
    
    Index: fs/open.c
    ===================================================================
    RCS file: /cvs/lsm/lsm/fs/open.c,v
    retrieving revision 1.3
    retrieving revision 1.4
    diff -u -r1.3 -r1.4
    --- fs/open.c	2001/05/11 14:17:11	1.3
    +++ fs/open.c	2001/05/18 19:23:21	1.4
    @@ -28,6 +28,9 @@
     		retval = -ENOSYS;
     		if (sb->s_op && sb->s_op->statfs) {
     			memset(buf, 0, sizeof(struct statfs));
    +			retval = security_ops->sb_ops->statfs(sb);
    +			if (retval)
    +				return retval;
     			lock_kernel();
     			retval = sb->s_op->statfs(sb, buf);
     			unlock_kernel();
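Review bot: The `return retval` on hook denial leaves the enclosing function before `lock_kernel()`, and that function starts and ends outside the hunk; from the visible `retval = -ENOSYS` / `sb->s_op->statfs` lines it looks like a plain helper that holds no reference of its own, in which case the early exit is safe, but if a dentry or module reference is taken earlier in the function it would be leaked on this path, so worth confirming against the full body. The hook also runs after `memset(buf, 0, ...)`, so a denied caller gets a zeroed buffer together with the error, which is harmless but deserves a line above the call: `/* policy check before the fs-specific statfs; buf is already cleared */`.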
    Index: fs/super.c
    ===================================================================
    RCS file: /cvs/lsm/lsm/fs/super.c,v
    retrieving revision 1.2
    retrieving revision 1.3
    diff -u -r1.2 -r1.3
    --- fs/super.c	2001/05/09 20:19:19	1.2
    +++ fs/super.c	2001/05/18 19:23:21	1.3
    @@ -701,8 +701,11 @@
     	     s  = sb_entry(s->s_list.next)) {
     		if (s->s_dev)
     			continue;
    -		if (!s->s_lock)
    +		if (!s->s_lock) {
    +			if (security_ops->sb_ops->alloc_security(s))
    +				return NULL;
     			return s;
    +		}
     		printk("VFS: empty superblock %p locked!\n", s);
     	}
     	/* Need a new one... */
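Review bot: The `alloc_security(s)` call on the reuse branch runs on a superblock that is not re-`memset` when it is recycled, so whatever per-superblock state the module attached on its previous use is still present unless the module's `free_security` (invoked in the later hunks of this file) reset it; the hook contract should state this, e.g. a comment on `free_security` in security.h: `/* must leave sb ready for alloc_security to be called again when the empty superblock is reused */`. On failure the function returns NULL while `s` stays on the list as an empty, unlocked superblock, which lets a later caller retry — fine, but a short comment saying the superblock is intentionally left in the pool would help. The loop's enclosing function begins before the hunk.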
    @@ -712,6 +715,10 @@
     	if (s) {
     		nr_super_blocks++;
     		memset(s, 0, sizeof(struct super_block));
    +		if (security_ops->sb_ops->alloc_security(s)) {
    +			kfree(s);
    +			return NULL;
    +		}
     		INIT_LIST_HEAD(&s->s_dirty);
     		INIT_LIST_HEAD(&s->s_locked_inodes);
     		list_add (&s->s_list, super_blocks.prev);
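Review bot: `nr_super_blocks++` on the line above the new check is not undone when `alloc_security(s)` fails, so every failed allocation permanently consumes one slot against the `max_super_blocks` limit even though the superblock itself is freed. Either decrement before freeing, `nr_super_blocks--; kfree(s); return NULL;`, or move the hook call and its failure path ahead of the increment so the counter only ever reflects superblocks that survived. The `kmalloc` and the final `return s` of this function are outside the hunk.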
    @@ -756,6 +763,7 @@
     	s->s_dev = 0;
     	s->s_bdev = 0;
     	s->s_type = NULL;
    +	security_ops->sb_ops->free_security(s);
     	unlock_super(s);
     	return NULL;
     }
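Review bot: `free_security(s)` is placed after `s->s_dev`, `s->s_bdev` and `s->s_type` have already been cleared, so the module's hook sees a superblock stripped of the fields that identify it, which may matter for a module that keys its state on the filesystem type; calling it as the first statement of the failure path would give the hook the same view `alloc_security` had. The same ordering applies to the kill_super hunk below, where `sb->s_bdev` and `sb->s_type` are cleared before the call. The failure path's label and the function header are outside the hunk.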
    @@ -926,6 +934,7 @@
     	sb->s_bdev = NULL;
     	put_filesystem(fs);
     	sb->s_type = NULL;
    +	security_ops->sb_ops->free_security(sb);
     	unlock_super(sb);
     	up_write(&sb->s_umount);
     	if (umount_root) {
    Index: include/linux/security.h
    ===================================================================
    RCS file: /cvs/lsm/lsm/include/linux/security.h,v
    retrieving revision 1.2
    retrieving revision 1.3
    diff -u -r1.2 -r1.3
    --- include/linux/security.h	2001/05/11 14:17:11	1.2
    +++ include/linux/security.h	2001/05/18 19:23:21	1.3
    @@ -38,6 +38,7 @@
     struct super_block_security_ops {
     	int (* alloc_security)		(struct super_block *sb);
     	void (* free_security)		(struct super_block *sb);
    +	int (* statfs)		        (struct super_block *sb);
     };
     
     struct inode_security_ops {
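Review bot: The new `statfs` member has no comment saying when it is invoked or what its return value means, unlike a reader would expect for a hook that callers check with `if (retval) return retval;`; a one-line comment above it, `/* statfs: called before the fs-specific statfs; return 0 to permit or -errno to deny */`, would fix that. The added line also aligns its parameter list with a run of spaces after tabs, whereas the two existing members use tabs only, so the declaration should be retabbed to match its siblings.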
    
    


