* [PATCH] ubifs: add CONFIG_UBIFS_FS_SECURITY to disable/enable security labels
@ 2017-03-03 7:44 Hyunchul Lee
2017-03-03 7:56 ` Richard Weinberger
0 siblings, 1 reply; 3+ messages in thread
From: Hyunchul Lee @ 2017-03-03 7:44 UTC (permalink / raw)
To: Richard Weinberger
Cc: kernel-team, Artem Bityutskiy, adrian.hunter, linux-kernel,
linux-fsdevel, linux-mtd, Hyunchul Lee
From: Hyunchul Lee <cheol.lee@lge.com>
When write syscall is called, every time security label is searched to
determine that file's privileges should be changed.
If LSM(Linux Security Model) is not used, this is useless.
So introduce CONFIG_UBIFS_SECURITY to disable security labels. it's default
value is "y".
Signed-off-by: Hyunchul Lee <cheol.lee@lge.com>
---
fs/ubifs/Kconfig | 13 +++++++++++++
fs/ubifs/ubifs.h | 14 ++++++++++++--
fs/ubifs/xattr.c | 6 ++++++
3 files changed, 31 insertions(+), 2 deletions(-)
diff --git a/fs/ubifs/Kconfig b/fs/ubifs/Kconfig
index b0d0623..83a961b 100644
--- a/fs/ubifs/Kconfig
+++ b/fs/ubifs/Kconfig
@@ -61,3 +61,16 @@ config UBIFS_FS_ENCRYPTION
feature is similar to ecryptfs, but it is more memory
efficient since it avoids caching the encrypted and
decrypted pages in the page cache.
+
+config UBIFS_FS_SECURITY
+ bool "UBIFS Security Labels"
+ depends on UBIFS_FS
+ default y
+ help
+ Security labels provide an access control facility to support Linux
+ Security Models (LSMs) accepted by AppArmor, SELinux, Smack and TOMOYO
+ Linux. This option enables an extended attribute handler for file
+ security labels in the ubifs filesystem, so that it requires enabling
+ the extended attribute support in advance.
+
+ If you are not using a security module, say N.
diff --git a/fs/ubifs/ubifs.h b/fs/ubifs/ubifs.h
index ca72382..e960734 100644
--- a/fs/ubifs/ubifs.h
+++ b/fs/ubifs/ubifs.h
@@ -1752,13 +1752,23 @@ int ubifs_getattr(struct vfsmount *mnt, struct dentry *dentry,
/* xattr.c */
extern const struct xattr_handler *ubifs_xattr_handlers[];
ssize_t ubifs_listxattr(struct dentry *dentry, char *buffer, size_t size);
-int ubifs_init_security(struct inode *dentry, struct inode *inode,
- const struct qstr *qstr);
int ubifs_xattr_set(struct inode *host, const char *name, const void *value,
size_t size, int flags);
ssize_t ubifs_xattr_get(struct inode *host, const char *name, void *buf,
size_t size);
+#ifdef CONFIG_UBIFS_FS_SECURITY
+extern int ubifs_init_security(struct inode *dentry, struct inode *inode,
+ const struct qstr *qstr);
+#else
+static inline int ubifs_init_security(struct inode *dentry,
+ struct inode *inode, const struct qstr *qstr)
+{
+ return 0;
+}
+#endif
+
+
/* super.c */
struct inode *ubifs_iget(struct super_block *sb, unsigned long inum);
diff --git a/fs/ubifs/xattr.c b/fs/ubifs/xattr.c
index efe00fc..de88732 100644
--- a/fs/ubifs/xattr.c
+++ b/fs/ubifs/xattr.c
@@ -559,6 +559,7 @@ static int ubifs_xattr_remove(struct inode *host, const char *name)
return err;
}
+#ifdef CONFIG_UBIFS_FS_SECURITY
static int init_xattrs(struct inode *inode, const struct xattr *xattr_array,
void *fs_info)
{
@@ -599,6 +600,7 @@ int ubifs_init_security(struct inode *dentry, struct inode *inode,
}
return err;
}
+#endif
static int xattr_get(const struct xattr_handler *handler,
struct dentry *dentry, struct inode *inode,
@@ -639,15 +641,19 @@ static int xattr_set(const struct xattr_handler *handler,
.set = xattr_set,
};
+#ifdef CONFIG_UBIFS_FS_SECURITY
static const struct xattr_handler ubifs_security_xattr_handler = {
.prefix = XATTR_SECURITY_PREFIX,
.get = xattr_get,
.set = xattr_set,
};
+#endif
const struct xattr_handler *ubifs_xattr_handlers[] = {
&ubifs_user_xattr_handler,
&ubifs_trusted_xattr_handler,
+#ifdef CONFIG_UBIFS_FS_SECURITY
&ubifs_security_xattr_handler,
+#endif
NULL
};
--
1.9.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] ubifs: add CONFIG_UBIFS_FS_SECURITY to disable/enable security labels
2017-03-03 7:44 [PATCH] ubifs: add CONFIG_UBIFS_FS_SECURITY to disable/enable security labels Hyunchul Lee
@ 2017-03-03 7:56 ` Richard Weinberger
2017-03-03 10:38 ` Hyunchul Lee
0 siblings, 1 reply; 3+ messages in thread
From: Richard Weinberger @ 2017-03-03 7:56 UTC (permalink / raw)
To: Hyunchul Lee
Cc: kernel-team, Artem Bityutskiy, adrian.hunter, linux-kernel,
linux-fsdevel, linux-mtd, Hyunchul Lee
Hyunchul Lee,
Am 03.03.2017 um 08:44 schrieb Hyunchul Lee:
> From: Hyunchul Lee <cheol.lee@lge.com>
>
> When write syscall is called, every time security label is searched to
> determine that file's privileges should be changed.
> If LSM(Linux Security Model) is not used, this is useless.
>
> So introduce CONFIG_UBIFS_SECURITY to disable security labels. it's default
> value is "y".
Can you please explain what the benefit is and why UBIFS needs this (and why not
all other filesystems)?
I guess some performance issue, do you have numbers?
Thanks,
//richard
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] ubifs: add CONFIG_UBIFS_FS_SECURITY to disable/enable security labels
2017-03-03 7:56 ` Richard Weinberger
@ 2017-03-03 10:38 ` Hyunchul Lee
0 siblings, 0 replies; 3+ messages in thread
From: Hyunchul Lee @ 2017-03-03 10:38 UTC (permalink / raw)
To: Richard Weinberger
Cc: kernel-team, Artem Bityutskiy, adrian.hunter, linux-kernel,
linux-fsdevel, linux-mtd, Hyunchul Lee
Hi, Richard
On 03/03/2017 04:56 PM, Richard Weinberger wrote:
> Hyunchul Lee,
>
> Am 03.03.2017 um 08:44 schrieb Hyunchul Lee:
>> From: Hyunchul Lee <cheol.lee@lge.com>
>>
>> When write syscall is called, every time security label is searched to
>> determine that file's privileges should be changed.
>> If LSM(Linux Security Model) is not used, this is useless.
>>
>> So introduce CONFIG_UBIFS_SECURITY to disable security labels. it's default
>> value is "y".
>
> Can you please explain what the benefit is and why UBIFS needs this (and why not
> all other filesystems)?
> I guess some performance issue, do you have numbers?
no, i don't have issues and profile result. but, every time when i write
4KB blocks, ubifs_xattr_get is called with "security.capabilties" for
each 4KB write. so i think that it is useless if LSM isn't used.
<7>[92028.334484] xattr_get:610: UBIFS DBG gen (pid 25746): xattr 'capability', ino 70 ('rand_5'), buf size 0
<7>[92028.334485] ubifs_lookup_level0:1183: UBIFS DBG tnc (pid 25746): search key (70, xentry, 0x10888ae6)
<7>[92028.334486] ubifs_lookup_level0:1221: UBIFS DBG tnc (pid 25746): found 0, lvl 0, n 6
and some file system such as ext4 and f2fs have a kernel config to
disable security labels. (EXT4_FS_SECURITY, F2FS_FS_SECURITY)
>
> Thanks,
> //richard
>
Thanks,
Hyunchul
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2017-03-03 11:09 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-03-03 7:44 [PATCH] ubifs: add CONFIG_UBIFS_FS_SECURITY to disable/enable security labels Hyunchul Lee
2017-03-03 7:56 ` Richard Weinberger
2017-03-03 10:38 ` Hyunchul Lee
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).