From: Casey Schaufler <casey@schaufler-ca.com>
To: Anna Schumaker <anna.schumaker@netapp.com>,
Olga Kornievskaia <olga.kornievskaia@gmail.com>
Cc: Trond Myklebust <trond.myklebust@hammerspace.com>,
Linux NFS Mailing List <linux-nfs@vger.kernel.org>,
linux-security-module@vger.kernel.org, selinux@vger.kernel.org,
Casey Schaufler <casey@schaufler-ca.com>
Subject: Re: [PATCH v4 1/3] [security] Add new hook to compare new mount to an existing mount
Date: Tue, 2 Mar 2021 10:51:33 -0800 [thread overview]
Message-ID: <f8f5323c-cdfd-92e8-b359-43caaf9d7490@schaufler-ca.com> (raw)
In-Reply-To: <CAFX2Jfk--KwkAss1gqTPnQt-bKvUUapNdHbuicu=m+jOtjrMyQ@mail.gmail.com>
On 3/2/2021 10:20 AM, Anna Schumaker wrote:
> Hi Casey,
>
> On Fri, Feb 26, 2021 at 10:40 PM Olga Kornievskaia
> <olga.kornievskaia@gmail.com> wrote:
>> From: Olga Kornievskaia <kolga@netapp.com>
>>
>> Add a new hook that takes an existing super block and a new mount
>> with new options and determines if new options confict with an
>> existing mount or not.
>>
>> A filesystem can use this new hook to determine if it can share
>> the an existing superblock with a new superblock for the new mount.
>>
>> Signed-off-by: Olga Kornievskaia <kolga@netapp.com>
> Do you have any other thoughts on this patch? I'm also wondering how
> you want to handle sending it upstream.
James Morris is the maintainer for the security sub-system,
so you'll want to send this through him. He will want you to
have an ACK from Paul Moore, who is the SELinux maintainer.
> I'm happy to take it through
> the NFS tree (with an acked-by) for a 5.12-rc with Olga's bugfix
> patches, but if you have other thoughts or plans then let me know!
>
> Thanks,
> Anna
>
>> ---
>> include/linux/lsm_hook_defs.h | 1 +
>> include/linux/lsm_hooks.h | 6 ++++
>> include/linux/security.h | 8 +++++
>> security/security.c | 7 +++++
>> security/selinux/hooks.c | 56 +++++++++++++++++++++++++++++++++++
>> 5 files changed, 78 insertions(+)
>>
>> diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
>> index 7aaa753b8608..1b12a5266a51 100644
>> --- a/include/linux/lsm_hook_defs.h
>> +++ b/include/linux/lsm_hook_defs.h
>> @@ -62,6 +62,7 @@ LSM_HOOK(int, 0, sb_alloc_security, struct super_block *sb)
>> LSM_HOOK(void, LSM_RET_VOID, sb_free_security, struct super_block *sb)
>> LSM_HOOK(void, LSM_RET_VOID, sb_free_mnt_opts, void *mnt_opts)
>> LSM_HOOK(int, 0, sb_eat_lsm_opts, char *orig, void **mnt_opts)
>> +LSM_HOOK(int, 0, sb_mnt_opts_compat, struct super_block *sb, void *mnt_opts)
>> LSM_HOOK(int, 0, sb_remount, struct super_block *sb, void *mnt_opts)
>> LSM_HOOK(int, 0, sb_kern_mount, struct super_block *sb)
>> LSM_HOOK(int, 0, sb_show_options, struct seq_file *m, struct super_block *sb)
>> diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
>> index a19adef1f088..0de8eb2ea547 100644
>> --- a/include/linux/lsm_hooks.h
>> +++ b/include/linux/lsm_hooks.h
>> @@ -142,6 +142,12 @@
>> * @orig the original mount data copied from userspace.
>> * @copy copied data which will be passed to the security module.
>> * Returns 0 if the copy was successful.
>> + * @sb_mnt_opts_compat:
>> + * Determine if the new mount options in @mnt_opts are allowed given
>> + * the existing mounted filesystem at @sb.
>> + * @sb superblock being compared
>> + * @mnt_opts new mount options
>> + * Return 0 if options are compatible.
>> * @sb_remount:
>> * Extracts security system specific mount options and verifies no changes
>> * are being made to those options.
>> diff --git a/include/linux/security.h b/include/linux/security.h
>> index c35ea0ffccd9..50db3d5d1608 100644
>> --- a/include/linux/security.h
>> +++ b/include/linux/security.h
>> @@ -291,6 +291,7 @@ int security_sb_alloc(struct super_block *sb);
>> void security_sb_free(struct super_block *sb);
>> void security_free_mnt_opts(void **mnt_opts);
>> int security_sb_eat_lsm_opts(char *options, void **mnt_opts);
>> +int security_sb_mnt_opts_compat(struct super_block *sb, void *mnt_opts);
>> int security_sb_remount(struct super_block *sb, void *mnt_opts);
>> int security_sb_kern_mount(struct super_block *sb);
>> int security_sb_show_options(struct seq_file *m, struct super_block *sb);
>> @@ -635,6 +636,13 @@ static inline int security_sb_remount(struct super_block *sb,
>> return 0;
>> }
>>
>> +static inline int security_sb_mnt_opts_compat(struct super_block *sb,
>> + void *mnt_opts)
>> +{
>> + return 0;
>> +}
>> +
>> +
>> static inline int security_sb_kern_mount(struct super_block *sb)
>> {
>> return 0;
>> diff --git a/security/security.c b/security/security.c
>> index 7b09cfbae94f..56cf5563efde 100644
>> --- a/security/security.c
>> +++ b/security/security.c
>> @@ -890,6 +890,13 @@ int security_sb_eat_lsm_opts(char *options, void **mnt_opts)
>> }
>> EXPORT_SYMBOL(security_sb_eat_lsm_opts);
>>
>> +int security_sb_mnt_opts_compat(struct super_block *sb,
>> + void *mnt_opts)
>> +{
>> + return call_int_hook(sb_mnt_opts_compat, 0, sb, mnt_opts);
>> +}
>> +EXPORT_SYMBOL(security_sb_mnt_opts_compat);
>> +
>> int security_sb_remount(struct super_block *sb,
>> void *mnt_opts)
>> {
>> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
>> index 644b17ec9e63..afee3a222a0e 100644
>> --- a/security/selinux/hooks.c
>> +++ b/security/selinux/hooks.c
>> @@ -2656,6 +2656,61 @@ static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts)
>> return rc;
>> }
>>
>> +static int selinux_sb_mnt_opts_compat(struct super_block *sb, void *mnt_opts)
>> +{
>> + struct selinux_mnt_opts *opts = mnt_opts;
>> + struct superblock_security_struct *sbsec = sb->s_security;
>> + u32 sid;
>> + int rc;
>> +
>> + /*
>> + * Superblock not initialized (i.e. no options) - reject if any
>> + * options specified, otherwise accept.
>> + */
>> + if (!(sbsec->flags & SE_SBINITIALIZED))
>> + return opts ? 1 : 0;
>> +
>> + /*
>> + * Superblock initialized and no options specified - reject if
>> + * superblock has any options set, otherwise accept.
>> + */
>> + if (!opts)
>> + return (sbsec->flags & SE_MNTMASK) ? 1 : 0;
>> +
>> + if (opts->fscontext) {
>> + rc = parse_sid(sb, opts->fscontext, &sid);
>> + if (rc)
>> + return 1;
>> + if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
>> + return 1;
>> + }
>> + if (opts->context) {
>> + rc = parse_sid(sb, opts->context, &sid);
>> + if (rc)
>> + return 1;
>> + if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
>> + return 1;
>> + }
>> + if (opts->rootcontext) {
>> + struct inode_security_struct *root_isec;
>> +
>> + root_isec = backing_inode_security(sb->s_root);
>> + rc = parse_sid(sb, opts->rootcontext, &sid);
>> + if (rc)
>> + return 1;
>> + if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
>> + return 1;
>> + }
>> + if (opts->defcontext) {
>> + rc = parse_sid(sb, opts->defcontext, &sid);
>> + if (rc)
>> + return 1;
>> + if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
>> + return 1;
>> + }
>> + return 0;
>> +}
>> +
>> static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
>> {
>> struct selinux_mnt_opts *opts = mnt_opts;
>> @@ -6984,6 +7039,7 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
>>
>> LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
>> LSM_HOOK_INIT(sb_free_mnt_opts, selinux_free_mnt_opts),
>> + LSM_HOOK_INIT(sb_mnt_opts_compat, selinux_sb_mnt_opts_compat),
>> LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
>> LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
>> LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
>> --
>> 2.27.0
>>
next prev parent reply other threads:[~2021-03-03 3:01 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-02-19 22:22 [PATCH v3 1/3] [security] Add new hook to compare new mount to an existing mount Olga Kornievskaia
2021-02-19 22:22 ` [PATCH v3 2/3] [NFS] cleanup: remove unneeded null check in nfs_fill_super() Olga Kornievskaia
2021-03-22 19:00 ` Paul Moore
2021-02-19 22:22 ` [PATCH v3 3/3] NFSv4 account for selinux security context when deciding to share superblock Olga Kornievskaia
2021-03-22 19:04 ` Paul Moore
2021-02-25 17:53 ` [PATCH v3 1/3] [security] Add new hook to compare new mount to an existing mount Paul Moore
2021-02-25 18:03 ` Olga Kornievskaia
2021-02-25 18:22 ` Casey Schaufler
2021-02-25 19:30 ` Paul Moore
2021-02-27 3:37 ` [PATCH v4 " Olga Kornievskaia
2021-03-02 18:20 ` Anna Schumaker
2021-03-02 18:51 ` Casey Schaufler [this message]
2021-03-05 1:32 ` Paul Moore
2021-03-12 15:45 ` Anna Schumaker
2021-03-12 21:54 ` Paul Moore
2021-03-12 22:34 ` Olga Kornievskaia
2021-03-15 1:43 ` Paul Moore
2021-03-15 15:30 ` Olga Kornievskaia
2021-03-15 16:15 ` Paul Moore
2021-03-18 19:12 ` Paul Moore
2021-03-18 19:21 ` Casey Schaufler
2021-03-18 22:49 ` James Morris
2021-03-18 22:59 ` Olga Kornievskaia
2021-03-22 18:56 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f8f5323c-cdfd-92e8-b359-43caaf9d7490@schaufler-ca.com \
--to=casey@schaufler-ca.com \
--cc=anna.schumaker@netapp.com \
--cc=linux-nfs@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=olga.kornievskaia@gmail.com \
--cc=selinux@vger.kernel.org \
--cc=trond.myklebust@hammerspace.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).