Re: [PATCH][RFC] Security mount data & sb_copy_data hook.

From: Chris Wright (chrisw@private)
Date: Fri Jan 30 2004 - 10:02:08 PST


    (sorry for such a long delay)
    
    * James Morris (jmorris@private) wrote:
    > The patch below allows security-specific mount data to be managed via LSM.
    > 
    > An example of use is under SELinux, where a filesystem may need to be 
    > mounted with a specific security context because the filesystem does not 
    > support extended attributes (e.g. NFS), or where the existing attributes 
    > are not trusted (e.g. inserting removable media).
    > 
    > A new LSM hook has been added, sb_copy_data, which allows the security
    > module to copy security-specific mount data once the superblock has been
    > set up by the filesystem.
    > 
    > The sb_kern_mount hook has been modified to take this security data as a
    > parameter, and would typically be used at that point to configure the
    > security parameters of the filesystem being mounted.
    > 
    > Allocation and freeing of the security data has been implemented in the
    > core fs code as it is cleaner than trying to do it purely via LSM hooks,
    > and should make maintenance easier.  This code will be compiled away if 
    > LSM is not enabled.
    > 
    > Any feedback on this will be most appreciated.
    
    Hrm, I'm not really fond of the extra page, and extra hook.
    Unfortunately, it doesn't seem like doing something generic in
    lib/parser.c is feasible since not each fs uses it, and touching each
    fs to find this is even uglier.  Would it be possible to handle it all
    in the module with something like:
    
    mount -tselinux -oreal_type=$fstype,context=foo,the_fs_opts dev mntpnt
    
    thanks,
    -chris
    -- 
    Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
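
Added example, not part of the original message or of the patch under discussion: a userspace C illustration of the option split that the suggested `mount -tselinux -oreal_type=...,context=...,the_fs_opts` line implies, separating the security-specific options from the ones handed to the real filesystem. The names `split_opts`, `set_once` and `split_mount_opts`, the buffer sizes, and the policy of rejecting repeated or empty security options are assumptions made for the illustration.

```c
#include <string.h>

/* Hypothetical holder for the pieces of one mount option string. */
struct split_opts {
    char real_type[32];  /* value of real_type=, empty if absent */
    char context[128];   /* value of context=, empty if absent */
    char fs_opts[256];   /* remaining options for the real filesystem */
};

/* Store a security option once; empty, oversized or repeated values fail (assumed policy). */
static int set_once(char *dst, size_t dstlen, const char *val)
{
    if (dst[0] || !val[0] || strlen(val) >= dstlen)
        return -1;
    strcpy(dst, val);
    return 0;
}

/* Returns 0 on success, -1 on malformed or oversized input. */
int split_mount_opts(const char *opts, struct split_opts *out)
{
    char tok[sizeof(out->fs_opts)];

    memset(out, 0, sizeof(*out));
    if (strlen(opts) >= sizeof(tok))
        return -1;
    while (*opts) {
        size_t n = strcspn(opts, ",");
        memcpy(tok, opts, n);
        tok[n] = '\0';
        opts += n + (opts[n] == ',');
        if (n == 0)
            continue;
        if (strncmp(tok, "real_type=", 10) == 0) {
            if (set_once(out->real_type, sizeof(out->real_type), tok + 10))
                return -1;
        } else if (strncmp(tok, "context=", 8) == 0) {
            if (set_once(out->context, sizeof(out->context), tok + 8))
                return -1;
        } else {  /* not a security option: pass through unchanged */
            if (out->fs_opts[0])
                strcat(out->fs_opts, ",");
            strcat(out->fs_opts, tok);
        }
    }
    return 0;
}

/* Constructed sample in the shape of the mount line above. */
int main(void) { struct split_opts o; return split_mount_opts("real_type=nfs,context=foo,ro", &o); }
```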
    


