* [PATCH] Smack: Restore the smackfsdef mount option and add missing prefixes
@ 2019-05-28 20:47 David Howells
  2019-05-28 21:39 ` Casey Schaufler
  0 siblings, 1 reply; 9+ messages in thread
From: David Howells @ 2019-05-28 20:47 UTC
  To: casey; +Cc: dhowells, viro, jmorris, linux-security-module, linux-kernel

From: Casey Schaufler <casey@schaufler-ca.com>

The 5.1 mount system rework changed the smackfsdef mount option
to smackfsdefault. This fixes the regression by making smackfsdef
treated the same way as smackfsdefault.

Also fix the smack_param_specs[] to have "smack" prefixes on all the names.
This isn't visible to a user unless they either:

 (a) Try to mount a filesystem that's converted to the internal mount API
     and that implements the ->parse_monolithic() context operation - and
     only then if they call security_fs_context_parse_param() rather than
     security_sb_eat_lsm_opts().

     There are no examples of this upstream yet, but nfs will probably want
     to do this for nfs2 or nfs3.

 (b) Use fsconfig() to configure the filesystem - in which case
     security_fs_context_parse_param() will be called.

This issue is that smack_sb_eat_lsm_opts() checks for the "smack" prefix on
the options, but smack_fs_context_parse_param() does not.

Fixes: c3300aaf95fb ("smack: get rid of match_token()")
Fixes: 2febd254adc4 ("smack: Implement filesystem context security hooks")
Cc: stable@vger.kernel.org
Reported-by: Jose Bollo <jose.bollo@iot.bzh>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: David Howells <dhowells@redhat.com>
---

 security/smack/smack_lsm.c |   12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 0de725f88bed..d99450b4f511 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -68,6 +68,7 @@ static struct {
 	int len;
 	int opt;
 } smk_mount_opts[] = {
+	{"smackfsdef", sizeof("smackfsdef") - 1, Opt_fsdefault},
 	A(fsdefault), A(fsfloor), A(fshat), A(fsroot), A(fstransmute)
 };
 #undef A
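Review bot: "smackfsdef" is a strict prefix of the existing "smackfsdefault", and the new entry is placed ahead of A(fsdefault) in smk_mount_opts[], so the outcome depends on how the table lookup compares names. The lookup code is not part of this diff; please confirm it requires the stored len to be followed by '=' or the end of the option, rather than accepting any option that merely starts with the name. Both entries resolve to Opt_fsdefault, so the token would be the same either way, but the point at which the value is split off would not be.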
@@ -682,11 +683,12 @@ static int smack_fs_context_dup(struct fs_context *fc,
 }
 
 static const struct fs_parameter_spec smack_param_specs[] = {
-	fsparam_string("fsdefault",	Opt_fsdefault),
-	fsparam_string("fsfloor",	Opt_fsfloor),
-	fsparam_string("fshat",		Opt_fshat),
-	fsparam_string("fsroot",	Opt_fsroot),
-	fsparam_string("fstransmute",	Opt_fstransmute),
+	fsparam_string("smackfsdef",		Opt_fsdefault),
+	fsparam_string("smackfsdefault",	Opt_fsdefault),
+	fsparam_string("smackfsfloor",		Opt_fsfloor),
+	fsparam_string("smackfshat",		Opt_fshat),
+	fsparam_string("smackfsroot",		Opt_fsroot),
+	fsparam_string("smackfstransmute",	Opt_fstransmute),
 	{}
 };
 
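Review bot: the five unprefixed names ("fsdefault", "fsfloor", "fshat", "fsroot", "fstransmute") are dropped from smack_param_specs[] rather than kept alongside the prefixed ones, so a caller that reached this table through fsconfig() with the unprefixed spelling stops being recognised after this change. The changelog treats the missing prefix as the bug; since the patch is marked Cc: stable, it would help to state there explicitly that rejecting the unprefixed names is intended.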



* Re: [PATCH] Smack: Restore the smackfsdef mount option and add missing prefixes
  2019-05-28 20:47 [PATCH] Smack: Restore the smackfsdef mount option and add missing prefixes David Howells
@ 2019-05-28 21:39 ` Casey Schaufler
  0 siblings, 0 replies; 9+ messages in thread
From: Casey Schaufler @ 2019-05-28 21:39 UTC
  To: David Howells; +Cc: viro, jmorris, linux-security-module, linux-kernel, casey

On 5/28/2019 1:47 PM, David Howells wrote:
> From: Casey Schaufler <casey@schaufler-ca.com>
>
> The 5.1 mount system rework changed the smackfsdef mount option
> to smackfsdefault. This fixes the regression by making smackfsdef
> treated the same way as smackfsdefault.
>
> Also fix the smack_param_specs[] to have "smack" prefixes on all the names.
> This isn't visible to a user unless they either:
>
>  (a) Try to mount a filesystem that's converted to the internal mount API
>      and that implements the ->parse_monolithic() context operation - and
>      only then if they call security_fs_context_parse_param() rather than
>      security_sb_eat_lsm_opts().
>
>      There are no examples of this upstream yet, but nfs will probably want
>      to do this for nfs2 or nfs3.
>
>  (b) Use fsconfig() to configure the filesystem - in which case
>      security_fs_context_parse_param() will be called.
>
> This issue is that smack_sb_eat_lsm_opts() checks for the "smack" prefix on
> the options, but smack_fs_context_parse_param() does not.
>
> Fixes: c3300aaf95fb ("smack: get rid of match_token()")
> Fixes: 2febd254adc4 ("smack: Implement filesystem context security hooks")
> Cc: stable@vger.kernel.org
> Reported-by: Jose Bollo <jose.bollo@iot.bzh>
> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
> Signed-off-by: David Howells <dhowells@redhat.com>

Tested-by: Casey Schaufler <casey@schaufler-ca.com>

Looks good. Can you send this in for 5.1 and 5.2?

> ---
>
>  security/smack/smack_lsm.c |   12 +++++++-----
>  1 file changed, 7 insertions(+), 5 deletions(-)
>
> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> index 0de725f88bed..d99450b4f511 100644
> --- a/security/smack/smack_lsm.c
> +++ b/security/smack/smack_lsm.c
> @@ -68,6 +68,7 @@ static struct {
>  	int len;
>  	int opt;
>  } smk_mount_opts[] = {
> +	{"smackfsdef", sizeof("smackfsdef") - 1, Opt_fsdefault},
>  	A(fsdefault), A(fsfloor), A(fshat), A(fsroot), A(fstransmute)
>  };
>  #undef A
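Review bot: the added "smackfsdef" entry in smk_mount_opts[] is written out by hand while every other entry goes through A(), and nothing in the table says why. A one-line comment above it, for example that it is the pre-5.1 spelling kept for compatibility, would stop a later cleanup from folding it into the macro form and reintroducing the regression.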
> @@ -682,11 +683,12 @@ static int smack_fs_context_dup(struct fs_context *fc,
>  }
>  
>  static const struct fs_parameter_spec smack_param_specs[] = {
> -	fsparam_string("fsdefault",	Opt_fsdefault),
> -	fsparam_string("fsfloor",	Opt_fsfloor),
> -	fsparam_string("fshat",		Opt_fshat),
> -	fsparam_string("fsroot",	Opt_fsroot),
> -	fsparam_string("fstransmute",	Opt_fstransmute),
> +	fsparam_string("smackfsdef",		Opt_fsdefault),
> +	fsparam_string("smackfsdefault",	Opt_fsdefault),
> +	fsparam_string("smackfsfloor",		Opt_fsfloor),
> +	fsparam_string("smackfshat",		Opt_fshat),
> +	fsparam_string("smackfsroot",		Opt_fsroot),
> +	fsparam_string("smackfstransmute",	Opt_fstransmute),
>  	{}
>  };
>  
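Review bot: smack_param_specs[] now has two names, "smackfsdef" and "smackfsdefault", that both map to Opt_fsdefault, so a single mount request can carry the same token twice under different spellings. The handler for Opt_fsdefault is outside this diff; please check that a second occurrence is either rejected or overrides the first in a defined way.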
>


* Re: [PATCH] Smack: Restore the smackfsdef mount option and add missing prefixes
  2019-06-15  0:24         ` Linus Torvalds
@ 2019-06-18  1:59           ` Al Viro
  0 siblings, 0 replies; 9+ messages in thread
From: Al Viro @ 2019-06-18  1:59 UTC
  To: Linus Torvalds
  Cc: Casey Schaufler, James Morris, David Howells, stable, Jose Bollo,
	LSM List, Linux List Kernel Mailing

On Fri, Jun 14, 2019 at 02:24:09PM -1000, Linus Torvalds wrote:
> On Fri, Jun 14, 2019 at 1:08 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
> >
> > Al, are you going to take this, or should I find another way
> > to get it in for 5.2?
> 
> I guess I can take it directly.
> 
> I was assuming it would come through either Al (which is how I got the
> commit it fixes) or Casey (as smack maintainer), so I ignored the
> patch.

FWIW, (belated) ACK...


* Re: [PATCH] Smack: Restore the smackfsdef mount option and add missing prefixes
  2019-06-14 23:08       ` Casey Schaufler
@ 2019-06-15  0:24         ` Linus Torvalds
  2019-06-18  1:59           ` Al Viro
  0 siblings, 1 reply; 9+ messages in thread
From: Linus Torvalds @ 2019-06-15  0:24 UTC
  To: Casey Schaufler
  Cc: James Morris, David Howells, Al Viro, stable, Jose Bollo,
	LSM List, Linux List Kernel Mailing

On Fri, Jun 14, 2019 at 1:08 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
>
> Al, are you going to take this, or should I find another way
> to get it in for 5.2?

I guess I can take it directly.

I was assuming it would come through either Al (which is how I got the
commit it fixes) or Casey (as smack maintainer), so I ignored the
patch.

                 Linus


* Re: [PATCH] Smack: Restore the smackfsdef mount option and add missing prefixes
  2019-06-03 23:07     ` Casey Schaufler
@ 2019-06-14 23:08       ` Casey Schaufler
  2019-06-15  0:24         ` Linus Torvalds
  0 siblings, 1 reply; 9+ messages in thread
From: Casey Schaufler @ 2019-06-14 23:08 UTC
  To: James Morris, David Howells, viro
  Cc: stable, Jose Bollo, torvalds, linux-security-module, linux-kernel, casey

On 6/3/2019 4:07 PM, Casey Schaufler wrote:
> On 6/3/2019 3:42 PM, James Morris wrote:
>> On Fri, 31 May 2019, David Howells wrote:
>>
>>> Should this go via Al's tree, James's tree, Casey's tree or directly to Linus?
>> If it's specific to one LSM (as this is), via Casey, who can decide to 
>> forward to Al or Linus.
> I would very much appreciate it if Al could send this fix along.
> I am not fully set up for sending directly to Linus.

Al, are you going to take this, or should I find another way
to get it in for 5.2?



* Re: [PATCH] Smack: Restore the smackfsdef mount option and add missing prefixes
  2019-06-03 22:42   ` James Morris
@ 2019-06-03 23:07     ` Casey Schaufler
  2019-06-14 23:08       ` Casey Schaufler
  0 siblings, 1 reply; 9+ messages in thread
From: Casey Schaufler @ 2019-06-03 23:07 UTC
  To: James Morris, David Howells
  Cc: viro, stable, Jose Bollo, torvalds, linux-security-module,
	linux-kernel, casey

On 6/3/2019 3:42 PM, James Morris wrote:
> On Fri, 31 May 2019, David Howells wrote:
>
>> Should this go via Al's tree, James's tree, Casey's tree or directly to Linus?
> If it's specific to one LSM (as this is), via Casey, who can decide to 
> forward to Al or Linus.

I would very much appreciate it if Al could send this fix along.
I am not fully set up for sending directly to Linus.



* Re: [PATCH] Smack: Restore the smackfsdef mount option and add missing prefixes
  2019-05-31 10:56 ` David Howells
@ 2019-06-03 22:42   ` James Morris
  2019-06-03 23:07     ` Casey Schaufler
  0 siblings, 1 reply; 9+ messages in thread
From: James Morris @ 2019-06-03 22:42 UTC
  To: David Howells
  Cc: viro, stable, Jose Bollo, Casey Schaufler, torvalds,
	linux-security-module, linux-kernel

On Fri, 31 May 2019, David Howells wrote:

> Should this go via Al's tree, James's tree, Casey's tree or directly to Linus?

If it's specific to one LSM (as this is), via Casey, who can decide to 
forward to Al or Linus.


-- 
James Morris
<jmorris@namei.org>



* Re: [PATCH] Smack: Restore the smackfsdef mount option and add missing prefixes
  2019-05-31 10:53 David Howells
@ 2019-05-31 10:56 ` David Howells
  2019-06-03 22:42   ` James Morris
  0 siblings, 1 reply; 9+ messages in thread
From: David Howells @ 2019-05-31 10:56 UTC
  To: viro
  Cc: dhowells, stable, Jose Bollo, Casey Schaufler, jmorris, torvalds,
	linux-security-module, linux-kernel

Should this go via Al's tree, James's tree, Casey's tree or directly to Linus?

David


* [PATCH] Smack: Restore the smackfsdef mount option and add missing prefixes
@ 2019-05-31 10:53 David Howells
  2019-05-31 10:56 ` David Howells
  0 siblings, 1 reply; 9+ messages in thread
From: David Howells @ 2019-05-31 10:53 UTC
  To: viro
  Cc: stable, Jose Bollo, Casey Schaufler, Casey Schaufler, jmorris,
	dhowells, torvalds, linux-security-module, linux-kernel

From: Casey Schaufler <casey@schaufler-ca.com>

The 5.1 mount system rework changed the smackfsdef mount option
to smackfsdefault. This fixes the regression by making smackfsdef
treated the same way as smackfsdefault.

Also fix the smack_param_specs[] to have "smack" prefixes on all the names.
This isn't visible to a user unless they either:

 (a) Try to mount a filesystem that's converted to the internal mount API
     and that implements the ->parse_monolithic() context operation - and
     only then if they call security_fs_context_parse_param() rather than
     security_sb_eat_lsm_opts().

     There are no examples of this upstream yet, but nfs will probably want
     to do this for nfs2 or nfs3.

 (b) Use fsconfig() to configure the filesystem - in which case
     security_fs_context_parse_param() will be called.

This issue is that smack_sb_eat_lsm_opts() checks for the "smack" prefix on
the options, but smack_fs_context_parse_param() does not.

Fixes: c3300aaf95fb ("smack: get rid of match_token()")
Fixes: 2febd254adc4 ("smack: Implement filesystem context security hooks")
Cc: stable@vger.kernel.org
Reported-by: Jose Bollo <jose.bollo@iot.bzh>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: Casey Schaufler <casey@schaufler-ca.com>
---

 security/smack/smack_lsm.c |   12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 0de725f88bed..d99450b4f511 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -68,6 +68,7 @@ static struct {
 	int len;
 	int opt;
 } smk_mount_opts[] = {
+	{"smackfsdef", sizeof("smackfsdef") - 1, Opt_fsdefault},
 	A(fsdefault), A(fsfloor), A(fshat), A(fsroot), A(fstransmute)
 };
 #undef A
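Review bot: in the new smk_mount_opts[] entry the literal "smackfsdef" is spelled twice, once as the name and once inside sizeof(), and nothing ties the two together. If one is ever edited without the other, the stored len silently stops matching the name; a small two-argument variant of A() that takes the full name and the option would keep them in step.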
@@ -682,11 +683,12 @@ static int smack_fs_context_dup(struct fs_context *fc,
 }
 
 static const struct fs_parameter_spec smack_param_specs[] = {
-	fsparam_string("fsdefault",	Opt_fsdefault),
-	fsparam_string("fsfloor",	Opt_fsfloor),
-	fsparam_string("fshat",		Opt_fshat),
-	fsparam_string("fsroot",	Opt_fsroot),
-	fsparam_string("fstransmute",	Opt_fstransmute),
+	fsparam_string("smackfsdef",		Opt_fsdefault),
+	fsparam_string("smackfsdefault",	Opt_fsdefault),
+	fsparam_string("smackfsfloor",		Opt_fsfloor),
+	fsparam_string("smackfshat",		Opt_fshat),
+	fsparam_string("smackfsroot",		Opt_fsroot),
+	fsparam_string("smackfstransmute",	Opt_fstransmute),
 	{}
 };
 
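Review bot: the accepted option names are kept in two hand-maintained lists, smk_mount_opts[] and smack_param_specs[], and the changelog describes the bug as the two parsing paths disagreeing about the "smack" prefix. A comment on each table pointing at the other, or generating both from one list of names, would make the next addition harder to get wrong.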


