I've attached a patch that adds documentation for the struct super_block_security_ops hooks and the mount-related hooks in the security_operations structure. In reviewing these hooks, I noticed that post_addmount is called even if the graft_tree call fails. Should this be changed to only call if successful? -- Stephen D. Smalley, NAI Labs ssmalleyat_private --- lsm-wirex/include/linux/security.h Mon Sep 10 12:54:25 2001 +++ lsm/include/linux/security.h Mon Sep 10 15:43:44 2001 @@ -59,8 +59,47 @@ }; struct super_block_security_ops { + /** + * alloc_security - allocate security structure for this filesystem + * @sb: super_block structure to be modified + * + * called: read_super <fs/super.c> + * + * locks: lock_super() has been called, so the per-filesystem + * semaphore is taken. The big kernel lock is held + * by sys_mount. + * + * Allocate and attach a security structure to the + * sb->s_security field. The s_security field is initialized to + * NULL when the structure is allocated. Return 0 if + * operation was successful. + */ int (* alloc_security) (struct super_block *sb); + + /** + * free_security - deallocate security structure for this filesystem + * @sb: super_block structure to be modified + * + * called: read_super <fs/super.c> + * called: kill_super <fs/super.c> + * + * locks: lock_super() has been called, so the per-filesystem + * semaphore is taken. The big kernel lock is held + * by sys_mount across the read_super call or by kill_super. + * + * Deallocate and clear the sb->s_security field. + */ void (* free_security) (struct super_block *sb); + + /** + * statfs - check permission when obtaining filesystem statistics + * @sb: super_block structure for filesystem + * + * called: vfs_statfs <fs/open.c> + * + * Check permission before obtaining filesystem statistics + * for the @sb filesystem. Return 0 if permission is granted. + */ int (* statfs) (struct super_block *sb); }; @@ -393,13 +432,93 @@ int (* sethostname) (char *hostname); int (* setdomainname) (char *domainname); int (* reboot) (unsigned int cmd); + + /** + * mount - check permission when mounting or remounting + * @dev_name: name for object being mounted + * @nd: nameidata structure for mount point object + * @type: filesystem type + * @flags: mount flags + * @data: filesystem-specific data + * + * called: do_mount <fs/super.c> + * + * lock: The big kernel lock is held by sys_mount. + * + * Check permission before an object specified by @dev_name + * is mounted on the mount point named by @nd. For an ordinary + * mount, @dev_name identifies a device if the file system type + * requires a device. For a remount (@flags & MS_REMOUNT), @dev_name + * is irrelevant. For a loopback/bind mount (@flags & MS_BIND), + * @dev_name identifies the pathname of the object being mounted. + * Return 0 if permission is granted. + */ int (* mount) (char * dev_name, struct nameidata *nd, char * type, unsigned long flags, void * data); + + /** + * umount - check permission when unmounting a file system + * @mnt: the mounted file system + * @flags: unmount flags, e.g. MNT_FORCE + * + * called: do_umount <fs/super.c> + * + * lock: The mount semaphore and the big kernel lock are + * held by sys_umount. + * + * Check permission before the @mnt file system is + * unmounted. Return 0 if permission is granted. + */ int (* umount) (struct vfsmount *mnt, int flags); + + /** + * umount_close - close any files in a mounted filesystem held open by the security module + * @mnt: the mounted filesystem + * + * called: do_umount <fs/super.c> + * + * locks: The mount semaphore and the big kernel lock are held + * by sys_umount. + * + * Close any files in the @mnt mounted filesystem that are + * held open by the security module. This hook is called during + * an umount operation prior to checking whether the filesystem is + * still busy. + */ void (* umount_close) (struct vfsmount *mnt); + + /** + * umount_busy - handle a failed umount of a filesystem + * @mnt: the mounted filesystem + * + * called: do_umount <fs/super.c> + * + * locks: The mount semaphore and the big kernel lock are held + * by sys_umount. + * + * Handle a failed umount of the @mnt mounted filesystem, e.g. + * re-opening any files that were closed by umount_close. + * This hook is called during an umount operation if the umount + * fails after a call to the umount_close hook. + */ void (* umount_busy) (struct vfsmount *mnt); + + /** + * post_remount - Update module state when a filesystem is remounted + * @mnt: the mounted file system + * @flags: new filesystem flags + * @data: filesystem-specific data + * + * called: do_remount <fs/super.c> + * + * lock: The big kernel lock is held by sys_mount. + * + * Update the security module's state when a filesystem is remounted. + * This hook is only called if the remount was successful. + */ void (* post_remount) (struct vfsmount *mnt, unsigned long flags, void *data); + int (* ioperm) (unsigned long from, unsigned long num, int turn_on); int (* iopl) (unsigned int old, unsigned int level); int (* ptrace) (struct task_struct *parent, struct task_struct *child); @@ -409,7 +528,30 @@ int (* acct) (struct file *file); int (* sysctl) (ctl_table * table, int op); int (* capable) (struct task_struct *tsk, int cap); + + /** + * post_mountroot - Update module state when the root filesystem is mounted + * @sb: the super_block structure for the root filesystem + * + * called: mount_root <fs/super.c> + * + * Update the security module's state when the root filesystem + * is mounted. This hook is only called if the mount was successful. + */ void (* post_mountroot) (struct super_block *sb); + + /** + * post_addmount - Update module state when a non-root filesystem is mounted + * @mnt: the mounted filesystem + * @nd: the nameidata structure for the mount point + * + * called: do_add_mount <fs/super.c> + * + * lock: The big kernel lock is held by sys_mount. + * + * Update the security module's state when a non-root filesystem is mounted. + * This hook is not called after a loopback/bind mount. + */ void (* post_addmount) (struct vfsmount *mnt, struct nameidata *mountpoint_nd); /* security syscall multiplexor. app can use id to identify module */ _______________________________________________ linux-security-module mailing list linux-security-moduleat_private http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Mon Sep 10 2001 - 12:53:35 PDT