From: Vivek Goyal <vgoyal@redhat.com> To: miklos@szeredi.hu Cc: virtio-fs@redhat.com, chirantan@chromium.org, stephen.smalley.work@gmail.com, dwalsh@redhat.com, casey@schaufler-ca.com, omosnace@redhat.com, linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org, selinux@vger.kernel.org Subject: Re: [PATCH v2 0/2] fuse: Send file/inode security context during creation Date: Mon, 25 Oct 2021 11:55:37 -0400 [thread overview] Message-ID: <YXbTeb3G810yo216@redhat.com> (raw) In-Reply-To: <20211012180624.447474-1-vgoyal@redhat.com> On Tue, Oct 12, 2021 at 02:06:22PM -0400, Vivek Goyal wrote: > Hi, > > This is V2 of patches. Posted V1 here. Hi Miklos, Wondering how do these patches look to you. Can you please consider these for inclusion. These patches are dependent on following patch which Paul Moore is now carrying in this tree. https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git/commit/?h=next&id=15bf32398ad488c0df1cbaf16431422c87e4feea Thanks Vivek > > https://lore.kernel.org/linux-fsdevel/20210924192442.916927-1-vgoyal@redhat.com/ > > Changes since v1: > > - Added capability to send multiple security contexts in fuse protocol. > Miklos suggestd this. So now protocol can easily carry multiple > security labels. Just that right now we only send one. When a security > hook becomes available which can handle multiple security labels, > it should be easy to send those. > > This patch series is dependent on following patch I have posted to > change signature of security_dentry_init_security(). > > https://lore.kernel.org/linux-fsdevel/YWWMO%2FZDrvDZ5X4c@redhat.com/ > > Description > ----------- > When a file is created (create, mknod, mkdir, symlink), typically file > systems call security_inode_init_security() to initialize security > context of an inode. But this does not very well with remote filesystems > as inode is not there yet. Client will send a creation request to > server and once server has created the file, client will instantiate > the inode. > > So filesystems like nfs and ceph use security_dentry_init_security() > instead. This takes in a dentry and returns the security context of > file if any. > > These patches call security_dentry_init_security() and send security > label of file along with creation request (FUSE_CREATE, FUSE_MKDIR, > FUSE_MKNOD, FUSE_SYMLINK). This will give server an opportunity > to create new file and also set security label (possibly atomically > where possible). > > These patches are based on the work Chirantan Ekbote did some time > back but it never got upstreamed. So I have taken his patches, > and made modifications on top. > > https://listman.redhat.com/archives/virtio-fs/2020-July/msg00014.html > https://listman.redhat.com/archives/virtio-fs/2020-July/msg00015.html > > These patches will allow us to support SELinux on virtiofs. > > Vivek Goyal (2): > fuse: Add a flag FUSE_SECURITY_CTX > fuse: Send security context of inode on file creation > > fs/fuse/dir.c | 115 ++++++++++++++++++++++++++++++++++++-- > fs/fuse/fuse_i.h | 3 + > fs/fuse/inode.c | 4 +- > include/uapi/linux/fuse.h | 29 +++++++++- > 4 files changed, 144 insertions(+), 7 deletions(-) > > -- > 2.31.1 >
WARNING: multiple messages have this Message-ID (diff)
From: Vivek Goyal <vgoyal@redhat.com> To: miklos@szeredi.hu Cc: stephen.smalley.work@gmail.com, omosnace@redhat.com, virtio-fs@redhat.com, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, casey@schaufler-ca.com, selinux@vger.kernel.org Subject: Re: [Virtio-fs] [PATCH v2 0/2] fuse: Send file/inode security context during creation Date: Mon, 25 Oct 2021 11:55:37 -0400 [thread overview] Message-ID: <YXbTeb3G810yo216@redhat.com> (raw) In-Reply-To: <20211012180624.447474-1-vgoyal@redhat.com> On Tue, Oct 12, 2021 at 02:06:22PM -0400, Vivek Goyal wrote: > Hi, > > This is V2 of patches. Posted V1 here. Hi Miklos, Wondering how do these patches look to you. Can you please consider these for inclusion. These patches are dependent on following patch which Paul Moore is now carrying in this tree. https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git/commit/?h=next&id=15bf32398ad488c0df1cbaf16431422c87e4feea Thanks Vivek > > https://lore.kernel.org/linux-fsdevel/20210924192442.916927-1-vgoyal@redhat.com/ > > Changes since v1: > > - Added capability to send multiple security contexts in fuse protocol. > Miklos suggestd this. So now protocol can easily carry multiple > security labels. Just that right now we only send one. When a security > hook becomes available which can handle multiple security labels, > it should be easy to send those. > > This patch series is dependent on following patch I have posted to > change signature of security_dentry_init_security(). > > https://lore.kernel.org/linux-fsdevel/YWWMO%2FZDrvDZ5X4c@redhat.com/ > > Description > ----------- > When a file is created (create, mknod, mkdir, symlink), typically file > systems call security_inode_init_security() to initialize security > context of an inode. But this does not very well with remote filesystems > as inode is not there yet. Client will send a creation request to > server and once server has created the file, client will instantiate > the inode. > > So filesystems like nfs and ceph use security_dentry_init_security() > instead. This takes in a dentry and returns the security context of > file if any. > > These patches call security_dentry_init_security() and send security > label of file along with creation request (FUSE_CREATE, FUSE_MKDIR, > FUSE_MKNOD, FUSE_SYMLINK). This will give server an opportunity > to create new file and also set security label (possibly atomically > where possible). > > These patches are based on the work Chirantan Ekbote did some time > back but it never got upstreamed. So I have taken his patches, > and made modifications on top. > > https://listman.redhat.com/archives/virtio-fs/2020-July/msg00014.html > https://listman.redhat.com/archives/virtio-fs/2020-July/msg00015.html > > These patches will allow us to support SELinux on virtiofs. > > Vivek Goyal (2): > fuse: Add a flag FUSE_SECURITY_CTX > fuse: Send security context of inode on file creation > > fs/fuse/dir.c | 115 ++++++++++++++++++++++++++++++++++++-- > fs/fuse/fuse_i.h | 3 + > fs/fuse/inode.c | 4 +- > include/uapi/linux/fuse.h | 29 +++++++++- > 4 files changed, 144 insertions(+), 7 deletions(-) > > -- > 2.31.1 >
next prev parent reply other threads:[~2021-10-25 15:56 UTC|newest] Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top 2021-10-12 18:06 [PATCH v2 0/2] fuse: Send file/inode security context during creation Vivek Goyal 2021-10-12 18:06 ` [Virtio-fs] " Vivek Goyal 2021-10-12 18:06 ` [PATCH v2 1/2] fuse: Add a flag FUSE_SECURITY_CTX Vivek Goyal 2021-10-12 18:06 ` [Virtio-fs] " Vivek Goyal 2021-10-12 19:09 ` Casey Schaufler 2021-10-12 19:09 ` [Virtio-fs] " Casey Schaufler 2021-10-12 20:38 ` Vivek Goyal 2021-10-12 20:38 ` [Virtio-fs] " Vivek Goyal 2021-10-12 18:06 ` [PATCH v2 2/2] fuse: Send security context of inode on file creation Vivek Goyal 2021-10-12 18:06 ` [Virtio-fs] " Vivek Goyal 2021-10-12 18:24 ` Casey Schaufler 2021-10-12 18:24 ` [Virtio-fs] " Casey Schaufler 2021-10-12 18:34 ` Vivek Goyal 2021-10-12 18:34 ` [Virtio-fs] " Vivek Goyal 2021-10-12 18:41 ` Casey Schaufler 2021-10-12 18:41 ` [Virtio-fs] " Casey Schaufler 2021-10-13 4:04 ` kernel test robot 2021-10-13 12:50 ` Vivek Goyal 2021-10-15 0:39 ` Chen, Rong A 2021-11-02 14:00 ` Miklos Szeredi 2021-11-02 14:00 ` [Virtio-fs] " Miklos Szeredi 2021-11-02 15:30 ` Vivek Goyal 2021-11-02 15:30 ` [Virtio-fs] " Vivek Goyal 2021-11-02 15:38 ` Miklos Szeredi 2021-11-02 15:38 ` [Virtio-fs] " Miklos Szeredi 2021-11-02 19:09 ` Vivek Goyal 2021-11-02 19:09 ` [Virtio-fs] " Vivek Goyal 2021-10-25 15:55 ` Vivek Goyal [this message] 2021-10-25 15:55 ` [Virtio-fs] [PATCH v2 0/2] fuse: Send file/inode security context during creation Vivek Goyal
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=YXbTeb3G810yo216@redhat.com \ --to=vgoyal@redhat.com \ --cc=casey@schaufler-ca.com \ --cc=chirantan@chromium.org \ --cc=dwalsh@redhat.com \ --cc=linux-fsdevel@vger.kernel.org \ --cc=linux-security-module@vger.kernel.org \ --cc=miklos@szeredi.hu \ --cc=omosnace@redhat.com \ --cc=selinux@vger.kernel.org \ --cc=stephen.smalley.work@gmail.com \ --cc=virtio-fs@redhat.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.