From: Jarkko Sakkinen <jarkko.sakkinen@intel.com>
To: Hugh Dickins <hughd@google.com>
Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org,
Jarkko Sakkinen <jarkko.sakkinen@intel.com>
Subject: [PATCH] tmpfs: security xattr setting on inode creation
Date: Thu, 23 Feb 2012 11:46:05 +0200 [thread overview]
Message-ID: <1329990365-23779-1-git-send-email-jarkko.sakkinen@intel.com> (raw)
Adds to generic xattr support introduced in Linux 3.0 by
implementing initxattrs callback. This enables consulting
of security attributes from LSM and EVM when inode is
created.
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@intel.com>
---
mm/shmem.c | 82 ++++++++++++++++++++++++++++++++++++++++++++++++-----------
1 files changed, 66 insertions(+), 16 deletions(-)
diff --git a/mm/shmem.c b/mm/shmem.c
index 7a45ad0..cd367b1 100644
--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -1478,6 +1478,64 @@ static int shmem_statfs(struct dentry *dentry, struct kstatfs *buf)
}
/*
+ * Allocate new xattr.
+ */
+static int shmem_xattr_alloc(size_t size, struct shmem_xattr **new_xattr)
+{
+ /* wrap around? */
+ size_t len = sizeof(**new_xattr) + size;
+ if (len <= sizeof(**new_xattr))
+ return -ENOMEM;
+
+ *new_xattr = kmalloc(len, GFP_KERNEL);
+ if (*new_xattr == NULL)
+ return -ENOMEM;
+
+ (*new_xattr)->size = size;
+ return 0;
+}
+
+/*
+ * Callback for security_inode_init_security() for acquiring xattrs.
+ */
+static int shmem_initxattrs(struct inode *inode,
+ const struct xattr *xattr_array,
+ void *fs_info)
+{
+ const struct xattr *xattr;
+ struct shmem_inode_info *info = SHMEM_I(inode);
+ struct shmem_xattr *new_xattr = NULL;
+ size_t len;
+ int err = 0;
+
+ for (xattr = xattr_array; xattr->name != NULL; xattr++) {
+ err = shmem_xattr_alloc(xattr->value_len, &new_xattr);
+ if (err < 0)
+ return err;
+
+ len = strlen(xattr->name) + 1;
+ new_xattr->name = kmalloc(XATTR_SECURITY_PREFIX_LEN + len,
+ GFP_KERNEL);
+ if (new_xattr->name == NULL) {
+ kfree(new_xattr);
+ return -ENOMEM;
+ }
+
+ memcpy(new_xattr->name, XATTR_SECURITY_PREFIX,
+ XATTR_SECURITY_PREFIX_LEN);
+ memcpy(new_xattr->name + XATTR_SECURITY_PREFIX_LEN,
+ xattr->name, len);
+ memcpy(new_xattr->value, xattr->value, xattr->value_len);
+
+ spin_lock(&info->lock);
+ list_add(&new_xattr->list, &info->xattr_list);
+ spin_unlock(&info->lock);
+ }
+
+ return 0;
+}
+
+/*
* File creation. Allocate an inode, and we're done..
*/
static int
@@ -1490,7 +1548,7 @@ shmem_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
if (inode) {
error = security_inode_init_security(inode, dir,
&dentry->d_name,
- NULL, NULL);
+ &shmem_initxattrs, NULL);
if (error) {
if (error != -EOPNOTSUPP) {
iput(inode);
@@ -1630,7 +1688,7 @@ static int shmem_symlink(struct inode *dir, struct dentry *dentry, const char *s
return -ENOSPC;
error = security_inode_init_security(inode, dir, &dentry->d_name,
- NULL, NULL);
+ &shmem_initxattrs, NULL);
if (error) {
if (error != -EOPNOTSUPP) {
iput(inode);
@@ -1731,26 +1789,19 @@ static int shmem_xattr_get(struct dentry *dentry, const char *name,
return ret;
}
-static int shmem_xattr_set(struct dentry *dentry, const char *name,
+static int shmem_xattr_set(struct inode *inode, const char *name,
const void *value, size_t size, int flags)
{
- struct inode *inode = dentry->d_inode;
struct shmem_inode_info *info = SHMEM_I(inode);
struct shmem_xattr *xattr;
struct shmem_xattr *new_xattr = NULL;
- size_t len;
int err = 0;
/* value == NULL means remove */
if (value) {
- /* wrap around? */
- len = sizeof(*new_xattr) + size;
- if (len <= sizeof(*new_xattr))
- return -ENOMEM;
-
- new_xattr = kmalloc(len, GFP_KERNEL);
- if (!new_xattr)
- return -ENOMEM;
+ err = shmem_xattr_alloc(size, &new_xattr);
+ if (err < 0)
+ return err;
new_xattr->name = kstrdup(name, GFP_KERNEL);
if (!new_xattr->name) {
@@ -1758,7 +1809,6 @@ static int shmem_xattr_set(struct dentry *dentry, const char *name,
return -ENOMEM;
}
- new_xattr->size = size;
memcpy(new_xattr->value, value, size);
}
@@ -1858,7 +1908,7 @@ static int shmem_setxattr(struct dentry *dentry, const char *name,
if (size == 0)
value = ""; /* empty EA, do not remove */
- return shmem_xattr_set(dentry, name, value, size, flags);
+ return shmem_xattr_set(dentry->d_inode, name, value, size, flags);
}
@@ -1878,7 +1928,7 @@ static int shmem_removexattr(struct dentry *dentry, const char *name)
if (err)
return err;
- return shmem_xattr_set(dentry, name, NULL, 0, XATTR_REPLACE);
+ return shmem_xattr_set(dentry->d_inode, name, NULL, 0, XATTR_REPLACE);
}
static bool xattr_is_trusted(const char *name)
--
1.7.5.4
next reply other threads:[~2012-02-23 9:46 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-02-23 9:46 Jarkko Sakkinen [this message]
2012-02-24 8:13 ` [PATCH] tmpfs: security xattr setting on inode creation James Morris
2012-02-25 3:19 ` Hugh Dickins
2012-02-25 7:03 ` Sakkinen, Jarkko
2012-02-27 22:46 ` Andrew Morton
2012-02-28 3:46 ` Ware, Ryan R
[not found] ` <CAGGTEhPQ6OLgqZbbAwE=3Xj8qE2iNhLOk5LdkGU13WxbY=qb2w@mail.gmail.com>
2012-02-28 4:10 ` Hugh Dickins
2012-02-28 5:51 ` Sakkinen, Jarkko
-- strict thread matches above, loose matches on Subject: below --
2012-02-22 7:48 Jarkko Sakkinen
2012-02-22 17:46 ` Sakkinen, Jarkko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1329990365-23779-1-git-send-email-jarkko.sakkinen@intel.com \
--to=jarkko.sakkinen@intel.com \
--cc=hughd@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).