Re: [RFC][PATCH] super block [alloc|free]_security

• Previous message: Greg KH: "Re: [Linux-security-module-commit] lsm 2.5 tree change 1.2.1.19 1.2.1.20 1.2.1.21 1.2.1.22 1.2.1.23 1.2.1.24 1.2.1.25 1.2.1.26 1.2.1.27 1.2.1.28 1.2.1.29 1.2.1.30 1.294 1.295 1.296 1.297 1.298 1.299 1.300 1.2.1.31 1.301 1.302"
• In reply to: Greg KH: "Re: [RFC][PATCH] super block [alloc|free]_security"
• Next in thread: Stephen Smalley: "Re: [RFC][PATCH] super block [alloc|free]_security"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

* Greg KH (gregat_private) wrote:
> On Mon, Dec 17, 2001 at 02:31:45AM -0800, Chris Wright wrote:
> > as i mentioned in the merge mail...here is the beginning of a patch to
> > move the super block [alloc|free]_security stuff around.  the patch is
> > against 2.5.1-lsm (which, btw, i'm running right now, and with the
> > signal patch reverted can even reboot cleanly ;-)
> > 
> > comments?
> 
> Problem with your patch is that the super_block is empty of any
> information that the security module previously thought it had access
> to.  This change is fine with me, but people who have to maintain LSM
> modules might not like it :)

yes, i'm aware of that.  the pieces that were available are:
 s->s_dev
 s->s_bdev (if appropriate)
 s->s_flags
 s->s_type

i think we need to investigate a method to set the label which is
separate from allocation.  especially since super blocks can be re-used
(see deactivate_super and grab_super).  i hadn't added this to the patch,
yet, just fishing for comments.  i originally considered creating a
read_super method which would look roughly like:
	lock_super(s);
	if (security_ops->sb_ops->read_super(s))
		goto out_fail;
	if (!fs_type->read_super(s, data, flags & MS_VERBOSE ? 1 : 0))
		goto out_fail;
	s->s_flags |= MS_ACTIVE;
	unlock_super(s);

however, it's not clear to me that modules need to use this as access
control or just label coherence.  adding set_security to insert_super()
is less invasive, but returns void, which may not work for everyone.
so below, i added set_security to insert_super().  (i did not update
any other files besides super.c, this is just for discussion).

comments?

cheers,
-chris

===== super.c 1.43 vs edited =====
--- 1.43/fs/super.c	Sun Dec 16 22:08:55 2001
+++ edited/super.c	Mon Dec 17 10:17:19 2001
@@ -269,6 +269,11 @@
 	struct super_block *s = kmalloc(sizeof(struct super_block),  GFP_USER);
 	if (s) {
 		memset(s, 0, sizeof(struct super_block));
+		if (security_ops->sb_ops->alloc_security(s)) {
+			kfree(s);
+			s = NULL;
+			goto out;
+		}
 		INIT_LIST_HEAD(&s->s_dirty);
 		INIT_LIST_HEAD(&s->s_locked_inodes);
 		INIT_LIST_HEAD(&s->s_files);
@@ -284,6 +289,7 @@
 		sema_init(&s->s_dquot.dqoff_sem, 1);
 		s->s_maxbytes = MAX_NON_LFS;
 	}
+out:
 	return s;
 }
 
@@ -295,6 +301,7 @@
  */
 static inline void destroy_super(struct super_block *s)
 {
+	security_ops->sb_ops->free_security(s);
 	kfree(s);
 }
 
@@ -377,6 +384,7 @@
 	list_add(&s->s_instances, &type->fs_supers);
 	spin_unlock(&sb_lock);
 	get_filesystem(type);
+	security_ops->sb_ops->set_security(s);
 }
 
 void put_unnamed_dev(kdev_t dev);	/* should become static */
@@ -637,13 +645,10 @@
 	s->s_dev = dev;
 	s->s_bdev = bdev;
 	s->s_flags = flags;
-	s->s_security = NULL;
 	insert_super(s, fs_type);
 
 	error = -EINVAL;
 	lock_super(s);
-	if (security_ops->sb_ops->alloc_security(s))
-		goto out_fail;
 	if (!fs_type->read_super(s, data, flags & MS_VERBOSE ? 1 : 0))
 		goto out_fail;
 	s->s_flags |= MS_ACTIVE;
@@ -652,8 +657,6 @@
 	return s;
 
 out_fail:
-	if (s->s_security)
-		security_ops->sb_ops->free_security(s);
 	unlock_super(s);
 	deactivate_super(s);
 	remove_super(s);
@@ -675,12 +678,9 @@
 		return ERR_PTR(-EMFILE);
 	}
 	s->s_flags = flags;
-	s->s_security = NULL;
 	spin_lock(&sb_lock);
 	insert_super(s, fs_type);
 	lock_super(s);
-	if (security_ops->sb_ops->alloc_security(s))
-		goto out_fail;
 	if (!fs_type->read_super(s, data, flags & MS_VERBOSE ? 1 : 0))
 		goto out_fail;
 	s->s_flags |= MS_ACTIVE;
@@ -688,8 +688,6 @@
 	return s;
 
 out_fail:
-	if (s->s_security)
-		security_ops->sb_ops->free_security(s);
 	unlock_super(s);
 	deactivate_super(s);
 	remove_super(s);
@@ -725,11 +723,8 @@
 			return ERR_PTR(-EMFILE);
 		}
 		s->s_flags = flags;
-		s->s_security = NULL;
 		insert_super(s, fs_type);
 		lock_super(s);
-		if (security_ops->sb_ops->alloc_security(s))
-			goto out_fail;
 		if (!fs_type->read_super(s, data, flags & MS_VERBOSE ? 1 : 0))
 			goto out_fail;
 		s->s_flags |= MS_ACTIVE;
@@ -737,8 +732,6 @@
 		return s;
 
 	out_fail:
-		if (s->s_security)
-			security_ops->sb_ops->free_security(s);
 		unlock_super(s);
 		deactivate_super(s);
 		remove_super(s);
@@ -780,7 +773,6 @@
 			"Self-destruct in 5 seconds.  Have a nice day...\n");
 	}
 
-	security_ops->sb_ops->free_security(sb);
 	unlock_kernel();
 	unlock_super(sb);
 	remove_super(sb);

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module

• Next message: Stephen Smalley: "Re: [RFC][PATCH] super block [alloc|free]_security"
• Previous message: Greg KH: "Re: [Linux-security-module-commit] lsm 2.5 tree change 1.2.1.19 1.2.1.20 1.2.1.21 1.2.1.22 1.2.1.23 1.2.1.24 1.2.1.25 1.2.1.26 1.2.1.27 1.2.1.28 1.2.1.29 1.2.1.30 1.294 1.295 1.296 1.297 1.298 1.299 1.300 1.2.1.31 1.301 1.302"
• In reply to: Greg KH: "Re: [RFC][PATCH] super block [alloc|free]_security"
• Next in thread: Stephen Smalley: "Re: [RFC][PATCH] super block [alloc|free]_security"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Dec 17 2001 - 10:18:22 PST