Re: [PATCH] security.h documentation

From: Stephen Smalley (sdsat_private)
Date: Mon Sep 10 2001 - 12:50:44 PDT

  • Next message: Greg KH: "Re: [PATCH] security.h documentation"

    I've attached a patch that adds documentation for the struct
    super_block_security_ops hooks and the mount-related hooks
    in the security_operations structure.
    
    In reviewing these hooks, I noticed that post_addmount is called
    even if the graft_tree call fails.  Should this be changed to only
    call if successful?
    
    --
    Stephen D. Smalley, NAI Labs
    ssmalleyat_private
    
    
    
    
    --- lsm-wirex/include/linux/security.h	Mon Sep 10 12:54:25 2001
    +++ lsm/include/linux/security.h	Mon Sep 10 15:43:44 2001
    @@ -59,8 +59,47 @@
     };
     
     struct super_block_security_ops {
    +	/**
    +	 * alloc_security - allocate security structure for this filesystem
    +	 * @sb: super_block structure to be modified
    +	 *
    +	 * called: read_super <fs/super.c>
    +	 *
    +	 * locks:  lock_super() has been called, so the per-filesystem
    +	 *         semaphore is taken.  The big kernel lock is held
    +	 *         by sys_mount.
    +	 *
    +	 * Allocate and attach a security structure to the
    +	 * sb->s_security field. The s_security field is initialized to
    +	 * NULL when the structure is allocated.  Return 0 if
    +	 * operation was successful.
    +	 */
     	int (* alloc_security)		(struct super_block *sb);
    +
    +	/**
    +	 * free_security - deallocate security structure for this filesystem
    +	 * @sb: super_block structure to be modified
    +	 *
    +	 * called: read_super <fs/super.c>
    +	 * called: kill_super <fs/super.c>
    +	 *
    +	 * locks:  lock_super() has been called, so the per-filesystem
    +	 *         semaphore is taken.  The big kernel lock is held
    +	 *         by sys_mount across the read_super call or by kill_super.
    +	 *
    +	 * Deallocate and clear the sb->s_security field.
    +	 */
     	void (* free_security)		(struct super_block *sb);
    +
    +	/**
    +	 * statfs - check permission when obtaining filesystem statistics
    +	 * @sb: super_block structure for filesystem
    +	 *
    +	 * called: vfs_statfs <fs/open.c>
    +	 *
    +	 * Check permission before obtaining filesystem statistics 
    +	 * for the @sb filesystem.  Return 0 if permission is granted.  
    +	 */
     	int (* statfs)		        (struct super_block *sb);
     };
     
    @@ -393,13 +432,93 @@
     	int  (* sethostname)		(char *hostname);		
     	int  (* setdomainname)		(char *domainname);
     	int  (* reboot)			(unsigned int cmd);	
    +
    +	/**
    +	 * mount - check permission when mounting or remounting 
    +	 * @dev_name: name for object being mounted
    +	 * @nd: nameidata structure for mount point object 
    +	 * @type: filesystem type
    +	 * @flags: mount flags
    +	 * @data: filesystem-specific data
    +	 *
    +	 * called: do_mount <fs/super.c>
    +	 *
    +	 * lock:  The big kernel lock is held by sys_mount.
    +	 *
    +	 * Check permission before an object specified by @dev_name 
    +	 * is mounted on the mount point named by @nd.  For an ordinary 
    +	 * mount, @dev_name identifies a device if the file system type 
    +	 * requires a device.  For a remount (@flags & MS_REMOUNT), @dev_name 
    +	 * is irrelevant.  For a loopback/bind mount (@flags & MS_BIND), 
    +	 * @dev_name identifies the pathname of the object being mounted.
    +	 * Return 0 if permission is granted.
    +	 */
     	int  (* mount)			(char * dev_name, struct nameidata *nd,
     					 char * type, unsigned long flags, 
     					 void * data);			
    +
    +	/**
    +	 * umount - check permission when unmounting a file system
    +	 * @mnt:  the mounted file system
    +	 * @flags: unmount flags, e.g. MNT_FORCE
    +	 *
    +	 * called: do_umount <fs/super.c>
    +	 *
    +	 * lock:  The mount semaphore and the big kernel lock are 
    +	 *        held by sys_umount.
    +	 *
    +	 * Check permission before the @mnt file system is
    +	 * unmounted.  Return 0 if permission is granted.
    +	 */
     	int  (* umount)			(struct vfsmount *mnt, int flags);	
    +
    +	/**
    +	 * umount_close - close any files in a mounted filesystem held open by the security module
    +	 * @mnt: the mounted filesystem
    +	 *
    +	 * called: do_umount <fs/super.c>
    +	 *
    +	 * locks:  The mount semaphore and the big kernel lock are held 
    +	 *         by sys_umount.
    +	 *
    +	 * Close any files in the @mnt mounted filesystem that are
    +	 * held open by the security module.  This hook is called during 
    +	 * an umount operation prior to checking whether the filesystem is 
    +	 * still busy.
    +	 */
     	void (* umount_close)		(struct vfsmount *mnt);    
    +
    +	/**
    +	 * umount_busy - handle a failed umount of a filesystem
    +	 * @mnt: the mounted filesystem
    +	 *
    +	 * called: do_umount <fs/super.c>
    +	 *
    +	 * locks:  The mount semaphore and the big kernel lock are held 
    +	 *         by sys_umount.
    +	 *
    +	 * Handle a failed umount of the @mnt mounted filesystem, e.g. 
    +	 * re-opening any files that were closed by umount_close.  
    +	 * This hook is called during an umount operation if the umount
    +	 * fails after a call to the umount_close hook.
    +	 */
     	void (* umount_busy)		(struct vfsmount *mnt);    
    +
    +	/**
    +	 * post_remount - Update module state when a filesystem is remounted
    +	 * @mnt:  the mounted file system
    +	 * @flags: new filesystem flags
    +	 * @data:  filesystem-specific data
    +	 *
    +	 * called: do_remount <fs/super.c>
    +	 *
    +	 * lock:  The big kernel lock is held by sys_mount.
    +	 *
    +	 * Update the security module's state when a filesystem is remounted.
    +	 * This hook is only called if the remount was successful.
    +	 */
     	void (* post_remount)		(struct vfsmount *mnt, unsigned long flags, void *data);    
    +
     	int  (* ioperm)			(unsigned long from, unsigned long num, int turn_on);
     	int  (* iopl)			(unsigned int old, unsigned int level);		
     	int  (* ptrace)			(struct task_struct *parent, struct task_struct *child);		
    @@ -409,7 +528,30 @@
     	int  (* acct)			(struct file *file);
     	int  (* sysctl)			(ctl_table * table, int op);
     	int  (* capable)		(struct task_struct *tsk, int cap); 
    +
    +	/**
    +	 * post_mountroot - Update module state when the root filesystem is mounted
    +	 * @sb:  the super_block structure for the root filesystem
    +	 *
    +	 * called: mount_root <fs/super.c>
    +	 *
    +	 * Update the security module's state when the root filesystem
    +	 * is mounted.  This hook is only called if the mount was successful.
    +	 */
     	void (* post_mountroot)		(struct super_block *sb);
    +
    +	/**
    +	 * post_addmount - Update module state when a non-root filesystem is mounted
    +	 * @mnt:  the mounted filesystem
    +	 * @nd:  the nameidata structure for the mount point
    +	 *
    +	 * called: do_add_mount <fs/super.c>
    +	 *
    +	 * lock:  The big kernel lock is held by sys_mount.
    +	 *
    +	 * Update the security module's state when a non-root filesystem is mounted.
    +	 * This hook is not called after a loopback/bind mount.
    +	 */
     	void (* post_addmount)		(struct vfsmount *mnt, struct nameidata *mountpoint_nd);
     
     	/* security syscall multiplexor. app can use id to identify module */
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
    



    This archive was generated by hypermail 2b30 : Mon Sep 10 2001 - 12:53:35 PDT