Re: [RFC][PATCH] super block [alloc|free]_security

From: Chris Wright (chrisat_private)
Date: Mon Dec 17 2001 - 10:16:52 PST

    * Greg KH (gregat_private) wrote:
    > On Mon, Dec 17, 2001 at 02:31:45AM -0800, Chris Wright wrote:
    > > as i mentioned in the merge mail...here is the beginning of a patch to
    > > move the super block [alloc|free]_security stuff around.  the patch is
    > > against 2.5.1-lsm (which, btw, i'm running right now, and with the
    > > signal patch reverted can even reboot cleanly ;-)
    > > 
    > > comments?
    > 
    > Problem with your patch is that the super_block is empty of any
    > information that the security module previously thought it had access
    > to.  This change is fine with me, but people who have to maintain LSM
    > modules might not like it :)
    
    yes, i'm aware of that.  the pieces that were available are:
     s->s_dev
     s->s_bdev (if appropriate)
     s->s_flags
     s->s_type
    
    i think we need to investigate a method to set the label which is
    separate from allocation.  especially since super blocks can be re-used
    (see deactivate_super and grab_super).  i hadn't added this to the patch,
    yet, just fishing for comments.  i originally considered creating a
    read_super method which would look roughly like:
    	lock_super(s);
    	if (security_ops->sb_ops->read_super(s))
    		goto out_fail;
    	if (!fs_type->read_super(s, data, flags & MS_VERBOSE ? 1 : 0))
    		goto out_fail;
    	s->s_flags |= MS_ACTIVE;
    	unlock_super(s);
    
    however, it's not clear to me that modules need to use this as access
    control or just label coherence.  adding set_security to insert_super()
    is less invasive, but returns void, which may not work for everyone.
    so below, i added set_security to insert_super().  (i did not update
    any other files besides super.c, this is just for discussion).
    
    comments?
    
    cheers,
    -chris
    
    ===== super.c 1.43 vs edited =====
    --- 1.43/fs/super.c	Sun Dec 16 22:08:55 2001
    +++ edited/super.c	Mon Dec 17 10:17:19 2001
    @@ -269,6 +269,11 @@
     	struct super_block *s = kmalloc(sizeof(struct super_block),  GFP_USER);
     	if (s) {
     		memset(s, 0, sizeof(struct super_block));
    +		if (security_ops->sb_ops->alloc_security(s)) {
    +			kfree(s);
    +			s = NULL;
    +			goto out;
    +		}
     		INIT_LIST_HEAD(&s->s_dirty);
     		INIT_LIST_HEAD(&s->s_locked_inodes);
     		INIT_LIST_HEAD(&s->s_files);
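    Review bot: alloc_security(s) is called directly after the memset, before the INIT_LIST_HEAD calls and before any of the fields listed in the mail (s_dev, s_bdev, s_flags, s_type) have been filled in, so the hook sees an all-zero super_block; the hook documentation should say that alloc_security may only allocate and must not read the structure. The `goto out` could also be a plain `return NULL;` after kfree(s), which would make the new `out:` label unnecessary.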
    @@ -284,6 +289,7 @@
     		sema_init(&s->s_dquot.dqoff_sem, 1);
     		s->s_maxbytes = MAX_NON_LFS;
     	}
    +out:
     	return s;
     }
     
    @@ -295,6 +301,7 @@
      */
     static inline void destroy_super(struct super_block *s)
     {
    +	security_ops->sb_ops->free_security(s);
     	kfree(s);
     }
     
    @@ -377,6 +384,7 @@
     	list_add(&s->s_instances, &type->fs_supers);
     	spin_unlock(&sb_lock);
     	get_filesystem(type);
    +	security_ops->sb_ops->set_security(s);
     }
     
     void put_unnamed_dev(kdev_t dev);	/* should become static */
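    Review bot: set_security(s) runs after list_add(&s->s_instances, &type->fs_supers) and spin_unlock(&sb_lock), so the super block is already reachable through the list before it has been labelled. Either label it before the list insertion (the hook then must not sleep, since sb_lock is held) or document that other paths can see an unlabelled super block during this window.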
    @@ -637,13 +645,10 @@
     	s->s_dev = dev;
     	s->s_bdev = bdev;
     	s->s_flags = flags;
    -	s->s_security = NULL;
     	insert_super(s, fs_type);
     
     	error = -EINVAL;
     	lock_super(s);
    -	if (security_ops->sb_ops->alloc_security(s))
    -		goto out_fail;
     	if (!fs_type->read_super(s, data, flags & MS_VERBOSE ? 1 : 0))
     		goto out_fail;
     	s->s_flags |= MS_ACTIVE;
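    Review bot: with the alloc_security check removed from between lock_super(s) and read_super, nothing on this path lets the security module return an error any more, because the set_security call added to insert_super returns void. If any module needs to refuse the mount here, keep an int-returning hook at this spot (the read_super-style hook sketched in the mail) with a `goto out_fail` on failure.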
    @@ -652,8 +657,6 @@
     	return s;
     
     out_fail:
    -	if (s->s_security)
    -		security_ops->sb_ops->free_security(s);
     	unlock_super(s);
     	deactivate_super(s);
     	remove_super(s);
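    Review bot: out_fail no longer frees s_security, so this path now depends on the deactivate_super(s) and remove_super(s) calls below ending in destroy_super(), which these hunks do not show. Please state that in the changelog; if any error path can drop the super block without going through destroy_super(), the security blob leaks.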
    @@ -675,12 +678,9 @@
     		return ERR_PTR(-EMFILE);
     	}
     	s->s_flags = flags;
    -	s->s_security = NULL;
     	spin_lock(&sb_lock);
     	insert_super(s, fs_type);
     	lock_super(s);
    -	if (security_ops->sb_ops->alloc_security(s))
    -		goto out_fail;
     	if (!fs_type->read_super(s, data, flags & MS_VERBOSE ? 1 : 0))
     		goto out_fail;
     	s->s_flags |= MS_ACTIVE;
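    Review bot: in this caller only `s->s_flags = flags;` is visible before insert_super(s, fs_type), while the first caller assigns s_dev and s_bdev as well, so what set_security can read depends on which path reached insert_super. Document the fields that are guaranteed valid at set_security time, or have every caller fill them in before calling insert_super.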
    @@ -688,8 +688,6 @@
     	return s;
     
     out_fail:
    -	if (s->s_security)
    -		security_ops->sb_ops->free_security(s);
     	unlock_super(s);
     	deactivate_super(s);
     	remove_super(s);
    @@ -725,11 +723,8 @@
     			return ERR_PTR(-EMFILE);
     		}
     		s->s_flags = flags;
    -		s->s_security = NULL;
     		insert_super(s, fs_type);
     		lock_super(s);
    -		if (security_ops->sb_ops->alloc_security(s))
    -			goto out_fail;
     		if (!fs_type->read_super(s, data, flags & MS_VERBOSE ? 1 : 0))
     			goto out_fail;
     		s->s_flags |= MS_ACTIVE;
    @@ -737,8 +732,6 @@
     		return s;
     
     	out_fail:
    -		if (s->s_security)
    -			security_ops->sb_ops->free_security(s);
     		unlock_super(s);
     		deactivate_super(s);
     		remove_super(s);
    @@ -780,7 +773,6 @@
     			"Self-destruct in 5 seconds.  Have a nice day...\n");
     	}
     
    -	security_ops->sb_ops->free_security(sb);
     	unlock_kernel();
     	unlock_super(sb);
     	remove_super(sb);
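    Review bot: the removed free_security(sb) ran before unlock_kernel() and unlock_super(sb), that is, with both still held, while the new call in destroy_super() comes with no such guarantee in the lines shown; the hook documentation should describe the new locking context. The move also ties the security blob's lifetime to the struct rather than to the mount, so given the re-use mentioned in the mail, set_security has to overwrite whatever label an earlier use left behind.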
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
    



    This archive was generated by hypermail 2b30 : Mon Dec 17 2001 - 10:18:22 PST