Re: [PATCH][RFC] Security mount data & sb_copy_data hook.

From: Chris Wright (chrisw@private)
Date: Fri Jan 30 2004 - 10:02:08 PST

  • Next message: James Morris: "Re: [PATCH][RFC] Security mount data & sb_copy_data hook."

    (sorry for such long delay)
    * James Morris (jmorris@private) wrote:
    > The patch below allows security-specific mount data to be managed via LSM.
    > An example of use is under SELinux, where a filesystem may need to be 
    > mounted with a specific security context because the filesystem does not 
    > support extended attributes (e.g. NFS), or where the existing attributes 
    > are not trusted (e.g. inserting removable media).
    > A new LSM hook has been added, sb_copy_data, which allows the security
    > module to copy security-specific mount data once the superblock has been
    > setup by the filesystem.
    > The sb_kern_mount hook has been modified to take this security data as a
    > parameter, and would typically be used at that point to configure the
    > security parameters of the filesystem being mounted.
    > Allocation and freeing of the security data has been implemented in the
    > core fs code as it is cleaner than trying to do it purely via LSM hooks,
    > and should make maintenance easier.  This code will be compiled away if 
    > LSM is not enabled.
    > Any feedback on this will be most appreciated.
    Hrm, I'm not really fond of the extra page, and extra hook.
    Unfortunately, it doesn't seem like doing something generic in
    lib/parser.c is feasible since not each fs uses it, and touching each
    fs to find this is even uglier.  Would it be possible to handle it all
    in the module with something like:
    mount -tselinux -oreal_type=$fstype,context=foo,the_fs_opts dev mntpnt
    Linux Security Modules

    This archive was generated by hypermail 2b30 : Fri Jan 30 2004 - 10:03:35 PST