LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
From: Dave Quigley <dpquigl@tycho.nsa.gov>
To: "Josef 'Jeff' Sipek" <jeffpc@josefsipek.net>
Cc: hch@infradead.org, viro@ftp.linux.org.uk,
trond.myklebust@fys.uio.no, bfields@fieldses.org,
linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH 03/11] VFS: Add security label support to *notify
Date: Thu, 28 Feb 2008 15:39:30 -0500 [thread overview]
Message-ID: <1204231170.24345.100.camel@moss-terrapins.epoch.ncsc.mil> (raw)
In-Reply-To: <20080228201004.GC32351@josefsipek.net>
On Thu, 2008-02-28 at 15:10 -0500, Josef 'Jeff' Sipek wrote:
> Ignoring the security parts of it, here are a few comments about the VFS and
> coding style related bits...
>
> Josef 'Jeff' Sipek.
>
> On Wed, Feb 27, 2008 at 03:39:38PM -0500, David P. Quigley wrote:
> > This patch adds two new fields to the iattr structure. The first field holds a
> > security label while the second contains the length of this label. In addition
> > the patch adds a new helper function inode_setsecurity which calls the LSM to
> > set the security label on the inode. Finally the patch modifies the necessary
> > functions such that fsnotify_change can handle notification requests for
> > dnotify and inotify.
> >
> > Signed-off-by: David P. Quigley <dpquigl@tycho.nsa.gov>
> > ---
> > fs/attr.c | 43 +++++++++++++++++++++++++++++++++++++++++++
> > fs/xattr.c | 33 +++++++++++++++++++++++++++------
> > include/linux/fcntl.h | 1 +
> > include/linux/fs.h | 11 +++++++++++
> > include/linux/fsnotify.h | 6 ++++++
> > include/linux/inotify.h | 3 ++-
> > include/linux/xattr.h | 1 +
> > 7 files changed, 91 insertions(+), 7 deletions(-)
> >
> > diff --git a/fs/attr.c b/fs/attr.c
> > index 966b73e..1df6603 100644
> > --- a/fs/attr.c
> > +++ b/fs/attr.c
> > @@ -5,6 +5,7 @@
> > * changes by Thomas Schoebel-Theuer
> > */
> >
> > +#include <linux/fs.h>
> > #include <linux/module.h>
> > #include <linux/time.h>
> > #include <linux/mm.h>
> > @@ -14,9 +15,35 @@
> > #include <linux/fcntl.h>
> > #include <linux/quotaops.h>
> > #include <linux/security.h>
> > +#include <linux/xattr.h>
> >
> > /* Taken over from the old code... */
> >
> > +#ifdef CONFIG_SECURITY
> > +/*
> > + * Update the in core label.
> > + */
> > +int inode_setsecurity(struct inode *inode, struct iattr *attr)
> > +{
> > + const char *suffix = security_maclabel_getname()
> > + + XATTR_SECURITY_PREFIX_LEN;
> > + int error;
> > +
> > + if (!attr->ia_valid & ATTR_SECURITY_LABEL)
> > + return -EINVAL;
>
> You most likely want:
>
> if (!(attr->ia_valid & ATTR_SECURITY_LABEL))
>
> IOW, watch out for operator precedence.
Already raised by James and fixed but thanks for catching it again.
>
> > +
> > + error = security_inode_setsecurity(inode, suffix, attr->ia_label,
> > + attr->ia_label_len, 0);
> > + if (error)
> > + printk(KERN_ERR "%s() %s %d security_inode_setsecurity() %d\n"
> > + , __func__, (char *)attr->ia_label, attr->ia_label_len
> > + , error);
>
> The commas should really be on the previous line.
Fixed.
>
> > +
> > + return error;
> > +}
> > +EXPORT_SYMBOL(inode_setsecurity);
> > +#endif
> > +
> > /* POSIX UID/GID verification for setting inode attributes. */
> > int inode_change_ok(struct inode *inode, struct iattr *attr)
> > {
> > @@ -94,6 +121,10 @@ int inode_setattr(struct inode * inode, struct iattr * attr)
> > mode &= ~S_ISGID;
> > inode->i_mode = mode;
> > }
> > +#ifdef CONFIG_SECURITY
> > + if (ia_valid & ATTR_SECURITY_LABEL)
> > + inode_setsecurity(inode, attr);
> > +#endif
> > mark_inode_dirty(inode);
> >
> > return 0;
> > @@ -157,6 +188,18 @@ int notify_change(struct dentry * dentry, struct iattr * attr)
> > if (ia_valid & ATTR_SIZE)
> > down_write(&dentry->d_inode->i_alloc_sem);
> >
> > +#ifdef CONFIG_SECURITY
> > + if (ia_valid & ATTR_SECURITY_LABEL) {
> > + char *key = (char *)security_maclabel_getname();
> > + vfs_setxattr_locked(dentry, key,
> > + attr->ia_label, attr->ia_label_len, 0);
> > + /* Avoid calling inode_setsecurity()
> > + * via inode_setattr() below
> > + */
> > + attr->ia_valid &= ~ATTR_SECURITY_LABEL;
> > + }
> > +#endif
> > +
> > if (inode->i_op && inode->i_op->setattr) {
> > error = security_inode_setattr(dentry, attr);
> > if (!error)
> > diff --git a/fs/xattr.c b/fs/xattr.c
> > index 3acab16..b5a91e1 100644
> > --- a/fs/xattr.c
> > +++ b/fs/xattr.c
> > @@ -67,9 +67,9 @@ xattr_permission(struct inode *inode, const char *name, int mask)
> > return permission(inode, mask, NULL);
> > }
> >
> > -int
> > -vfs_setxattr(struct dentry *dentry, char *name, void *value,
> > - size_t size, int flags)
> > +static int
> > +_vfs_setxattr(struct dentry *dentry, char *name, void *value,
> > + size_t size, int flags, int lock)
>
> The convention is to use __ or do_ as the prefix.
Fixed (added another _ to the beginning.)
>
> > {
> > struct inode *inode = dentry->d_inode;
> > int error;
> > @@ -78,7 +78,8 @@ vfs_setxattr(struct dentry *dentry, char *name, void *value,
> > if (error)
> > return error;
> >
> > - mutex_lock(&inode->i_mutex);
> > + if (lock)
> > + mutex_lock(&inode->i_mutex);
> > error = security_inode_setxattr(dentry, name, value, size, flags);
> > if (error)
> > goto out;
> > @@ -95,15 +96,35 @@ vfs_setxattr(struct dentry *dentry, char *name, void *value,
> > const char *suffix = name + XATTR_SECURITY_PREFIX_LEN;
> > error = security_inode_setsecurity(inode, suffix, value,
> > size, flags);
> > - if (!error)
> > + if (!error) {
> > +#ifdef CONFIG_SECURITY
> > + fsnotify_change(dentry, ATTR_SECURITY_LABEL);
> > +#endif
> > fsnotify_xattr(dentry);
> > + }
> > }
> > out:
> > - mutex_unlock(&inode->i_mutex);
> > + if (lock)
> > + mutex_unlock(&inode->i_mutex);
> > return error;
> > }
> > +
> > +int
> > +vfs_setxattr(struct dentry *dentry, char *name, void *value,
> > + size_t size, int flags)
> > +{
> > + return _vfs_setxattr(dentry, name, value, size, flags, 1);
> > +}
> > EXPORT_SYMBOL_GPL(vfs_setxattr);
> >
> > +int
> > +vfs_setxattr_locked(struct dentry *dentry, char *name, void *value,
> > + size_t size, int flags)
> > +{
> > + return _vfs_setxattr(dentry, name, value, size, flags, 0);
> > +}
> > +EXPORT_SYMBOL_GPL(vfs_setxattr_locked);
>
> Alright...so, few things...
>
> 1) why do you need the locked/unlocked versions?
>
> 2) instead of passing a flag to a common function, why not have:
>
> vfs_setxattr_locked(....)
> {
> // original code minus the lock/unlock calls
> }
>
> vfs_setxattr(....)
> {
> mutex_lock(...);
> vfs_setxattr_locked(...);
> mutex_unlock(...);
> }
What we do and what you propose aren't logically equivalent. There is a
permission check inside vfs_setxattr before the mutex lock. However
looking at through the xattr_permission function and its call chain it
doesn't seem like we would create a deadlock by locking the inode before
it is called; so it is possible to do what you propose. Since setting of
xattrs (at least from our perspective) is a less common operation I
don't think putting locking around the entire call would make that large
of a difference.
Dave
next prev parent reply other threads:[~2008-02-28 21:04 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-02-27 20:39 RFC Labeled NFS Initial Code Review David P. Quigley
2008-02-27 20:39 ` [PATCH 01/11] Security: Add hook to get full maclabel xattr name David P. Quigley
2008-02-27 20:39 ` [PATCH 02/11] Security: Add hook to calculate context based on a negative dentry David P. Quigley
2008-02-27 20:39 ` [PATCH 03/11] VFS: Add security label support to *notify David P. Quigley
2008-02-28 20:10 ` Josef 'Jeff' Sipek
2008-02-28 20:39 ` Dave Quigley [this message]
2008-02-28 21:15 ` Josef 'Jeff' Sipek
2008-02-28 21:05 ` Dave Quigley
2008-02-28 21:39 ` Josef 'Jeff' Sipek
2008-02-28 21:26 ` Dave Quigley
2008-02-29 6:57 ` Andrew Morton
2008-02-27 20:39 ` [PATCH 04/11] KConfig: Add KConfig entries for SELinux labeled NFS David P. Quigley
2008-02-27 20:39 ` [PATCH 05/11] NFSv4: Add label recommended attribute and NFSv4 flags David P. Quigley
2008-02-27 20:39 ` [PATCH 06/11] SELinux: Add new labeling type native labels David P. Quigley
2008-02-27 20:39 ` [PATCH 07/11] NFS/SELinux: Add security_label text mount option to nfs and add handling code to the security server David P. Quigley
2008-02-27 20:39 ` [PATCH 08/11] NFS: Introduce lifecycle management for label attribute David P. Quigley
2008-02-28 1:04 ` James Morris
2008-02-28 0:47 ` Dave Quigley
2008-02-28 1:22 ` James Morris
2008-02-28 20:07 ` Dave Quigley
2008-02-28 23:00 ` James Morris
2008-02-28 22:43 ` Dave Quigley
2008-02-27 20:39 ` [PATCH 09/11] NFS: Client implementation of Labeled-NFS David P. Quigley
2008-02-27 20:39 ` [PATCH 10/11] NFS: Extend nfs xattr handlers to accept the security namespace David P. Quigley
2008-02-27 20:39 ` [PATCH 11/11] NFSD: Server implementation of MAC Labeling David P. Quigley
2008-02-27 22:11 RFC Labeled NFS Initial Code Review David P. Quigley
2008-02-27 22:11 ` [PATCH 03/11] VFS: Add security label support to *notify David P. Quigley
2008-02-28 1:20 ` James Morris
2008-02-28 16:07 ` Dave Quigley
2008-02-28 23:54 ` Christoph Hellwig
2008-02-28 23:44 ` Dave Quigley
2008-02-29 0:23 ` Christoph Hellwig
2008-02-29 0:06 ` Dave Quigley
2008-02-29 1:52 ` Dave Quigley
2008-02-29 20:19 ` Dave Quigley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1204231170.24345.100.camel@moss-terrapins.epoch.ncsc.mil \
--to=dpquigl@tycho.nsa.gov \
--cc=bfields@fieldses.org \
--cc=hch@infradead.org \
--cc=jeffpc@josefsipek.net \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=trond.myklebust@fys.uio.no \
--cc=viro@ftp.linux.org.uk \
--subject='Re: [PATCH 03/11] VFS: Add security label support to *notify' \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).