From: David Howells <dhowells@redhat.com>
To: viro@zeniv.linux.org.uk
Cc: dhowells@redhat.com, raven@themaw.net, mszeredi@redhat.com,
linux-api@vger.kernel.org, linux-fsdevel@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: [PATCH 15/25] fsinfo: Support SELinux superblock parameter retrieval [ver #14]
Date: Mon, 24 Jun 2019 15:11:04 +0100 [thread overview]
Message-ID: <156138546489.25627.8348943895696087628.stgit@warthog.procyon.org.uk> (raw)
In-Reply-To: <156138532485.25627.7459410522109581052.stgit@warthog.procyon.org.uk>
Add support to SELinux for retrieval of the superblock parameters by
fsinfo(FSINFO_ATTR_LSM_PARAMETERS).
Signed-off-by: David Howells <dhowells@redhat.com>
---
security/selinux/hooks.c | 41 +++++++++++++++++++++++++++++
security/selinux/include/security.h | 2 +
security/selinux/ss/services.c | 49 +++++++++++++++++++++++++++++++++++
3 files changed, 92 insertions(+)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index c61787b15f27..9b5dbdcde9e6 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -91,6 +91,7 @@
#include <linux/bpf.h>
#include <linux/kernfs.h>
#include <linux/stringhash.h> /* for hashlen_string() */
+#include <linux/fsinfo.h>
#include <uapi/linux/mount.h>
#include "avc.h"
@@ -2735,6 +2736,43 @@ static int selinux_sb_statfs(struct dentry *dentry)
return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
}
+#ifdef CONFIG_FSINFO
+/*
+ * Retrieve the SELinux filesystem information, including mount parameters.
+ */
+static int selinux_sb_fsinfo(struct path *path, struct fsinfo_kparams *params)
+{
+ struct superblock_security_struct *sbsec = path->dentry->d_sb->s_security;
+
+ switch (params->request) {
+ case FSINFO_ATTR_LSM_PARAMETERS:
+ if (!(sbsec->flags & SE_SBINITIALIZED) ||
+ !selinux_state.initialized)
+ return params->usage;
+
+ if (sbsec->flags & FSCONTEXT_MNT)
+ fsinfo_note_sid(params, FSCONTEXT_STR, sbsec->sid);
+ if (sbsec->flags & CONTEXT_MNT)
+ fsinfo_note_sid(params, CONTEXT_STR, sbsec->mntpoint_sid);
+ if (sbsec->flags & DEFCONTEXT_MNT)
+ fsinfo_note_sid(params, DEFCONTEXT_STR, sbsec->def_sid);
+ if (sbsec->flags & ROOTCONTEXT_MNT) {
+ struct dentry *root = sbsec->sb->s_root;
+ struct inode_security_struct *isec = backing_inode_security(root);
+ fsinfo_note_sid(params, ROOTCONTEXT_STR, isec->sid);
+ }
+ if (sbsec->flags & SBLABEL_MNT)
+ fsinfo_note_param(params, SECLABEL_STR, NULL);
+
+ return params->usage;
+
+ default:
+ return -ENODATA;
+ }
+ return 0;
+}
+#endif
+
static int selinux_mount(const char *dev_name,
const struct path *path,
const char *type,
@@ -6761,6 +6799,9 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
+#ifdef CONFIG_FSINFO
+ LSM_HOOK_INIT(sb_fsinfo, selinux_sb_fsinfo),
+#endif
LSM_HOOK_INIT(sb_mount, selinux_mount),
LSM_HOOK_INIT(sb_umount, selinux_umount),
LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index 111121281c47..e9617bfcc6ee 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -67,6 +67,7 @@
#define SECLABEL_STR "seclabel"
struct netlbl_lsm_secattr;
+struct fsinfo_kparams;
extern int selinux_enabled;
@@ -258,6 +259,7 @@ int security_sid_to_context_force(struct selinux_state *state,
int security_sid_to_context_inval(struct selinux_state *state,
u32 sid, char **scontext, u32 *scontext_len);
+void fsinfo_note_sid(struct fsinfo_kparams *params, const char *key, u32 sid);
int security_context_to_sid(struct selinux_state *state,
const char *scontext, u32 scontext_len,
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index cc043bc8fd4c..1111b02a999b 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -50,6 +50,7 @@
#include <linux/audit.h>
#include <linux/mutex.h>
#include <linux/vmalloc.h>
+#include <linux/fsinfo.h>
#include <net/netlabel.h>
#include "flask.h"
@@ -1374,6 +1375,54 @@ int security_sid_to_context_inval(struct selinux_state *state, u32 sid,
scontext_len, 1, 1);
}
+#ifdef CONFIG_FSINFO
+void fsinfo_note_sid(struct fsinfo_kparams *params, const char *key, u32 sid)
+{
+ struct selinux_state *state = &selinux_state;
+ struct policydb *policydb;
+ struct context *context;
+ const char *val = "<<<INVALID>>>";
+ char *p;
+ int n;
+
+ if (!state->initialized) {
+ if (sid <= SECINITSID_NUM) {
+ val = initial_sid_to_string[sid];
+ goto out;
+ }
+
+ pr_err("SELinux: %s: called before initial "
+ "load_policy on unknown SID %d\n", __func__, sid);
+ goto out;
+ }
+
+ read_lock(&state->ss->policy_rwlock);
+
+ policydb = &state->ss->policydb;
+ context = sidtab_search(state->ss->sidtab, sid);
+ if (!context) {
+ pr_err("SELinux: %s: unrecognized SID %d\n", __func__, sid);
+ } else {
+ /* Copy the user name, role name and type name into the scratch
+ * buffer and then tack on the MLS.
+ */
+ val = p = params->scratch_buffer;
+ n = sprintf(p, "%s:%s:%s",
+ sym_name(policydb, SYM_USERS, context->user - 1),
+ sym_name(policydb, SYM_ROLES, context->role - 1),
+ sym_name(policydb, SYM_TYPES, context->type - 1));
+
+ p += n;
+ mls_sid_to_context(policydb, context, &p);
+ *p = 0;
+ }
+
+ read_unlock(&state->ss->policy_rwlock);
+out:
+ fsinfo_note_param(params, key, val);
+}
+#endif
+
/*
* Caveat: Mutates scontext.
*/
next prev parent reply other threads:[~2019-06-24 14:11 UTC|newest]
Thread overview: 45+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-06-24 14:08 [PATCH 00/25] VFS: Introduce filesystem information query syscall [ver #14] David Howells
2019-06-24 14:08 ` [PATCH 01/25] vfs: syscall: Add fsinfo() to query filesystem information " David Howells
2019-06-25 8:28 ` Christian Brauner
2019-06-26 9:49 ` David Howells
2019-06-26 9:58 ` Christian Brauner
2019-06-24 14:09 ` [PATCH 02/25] fsinfo: Add syscalls to other arches " David Howells
2019-06-25 9:31 ` Christian Brauner
2019-06-24 14:09 ` [PATCH 03/25] vfs: Allow fsinfo() to query what's in an fs_context " David Howells
2019-06-25 9:27 ` Christian Brauner
2019-06-26 10:02 ` David Howells
2019-06-26 10:06 ` Christian Brauner
2019-06-24 14:09 ` [PATCH 04/25] vfs: Allow fsinfo() to be used to query an fs parameter description " David Howells
2019-06-25 9:40 ` Christian Brauner
2019-06-24 14:09 ` [PATCH 05/25] vfs: Implement parameter value retrieval with fsinfo() " David Howells
2019-06-25 9:44 ` Christian Brauner
2019-06-24 14:09 ` [PATCH 06/25] fsinfo: Implement retrieval of LSM parameters " David Howells
2019-06-24 14:09 ` [PATCH 07/25] vfs: Introduce a non-repeating system-unique superblock ID " David Howells
2019-06-24 14:09 ` [PATCH 08/25] vfs: Allow fsinfo() to look up a mount object by " David Howells
2019-06-26 9:49 ` Christian Brauner
2019-06-24 14:10 ` [PATCH 09/25] vfs: Add mount notification count " David Howells
2019-06-26 9:52 ` Christian Brauner
2019-06-24 14:10 ` [PATCH 10/25] vfs: Allow mount information to be queried by fsinfo() " David Howells
2019-06-26 9:53 ` Christian Brauner
2019-06-24 14:10 ` [PATCH 11/25] vfs: fsinfo sample: Mount listing program " David Howells
2019-06-24 14:10 ` [PATCH 12/25] fsinfo: Add API documentation " David Howells
2019-06-24 14:10 ` [PATCH 13/25] hugetlbfs: Add support for fsinfo() " David Howells
2019-06-24 14:10 ` [PATCH 14/25] kernfs, cgroup: Add fsinfo support " David Howells
2019-06-24 14:11 ` David Howells [this message]
2019-06-24 14:11 ` [PATCH 16/25] fsinfo: Support Smack superblock parameter retrieval " David Howells
2019-06-24 14:11 ` [PATCH 17/25] afs: Support fsinfo() " David Howells
2019-06-24 14:11 ` [PATCH 18/25] fsinfo: proc - add sb operation " David Howells
2019-06-24 14:11 ` [PATCH 19/25] fsinfo: autofs " David Howells
2019-06-24 14:11 ` [PATCH 20/25] fsinfo: shmem - add tmpfs " David Howells
2019-06-24 14:11 ` [PATCH 21/25] fsinfo: devpts - add " David Howells
2019-06-24 14:12 ` [PATCH 22/25] fsinfo: pstore " David Howells
2019-06-24 14:12 ` [PATCH 23/25] fsinfo: debugfs " David Howells
2019-06-24 14:12 ` [PATCH 24/25] fsinfo: bpf " David Howells
2019-06-24 14:12 ` [PATCH 25/25] fsinfo: ufs " David Howells
2019-06-26 10:05 ` [PATCH 00/25] VFS: Introduce filesystem information query syscall " Christian Brauner
2019-06-26 10:42 ` Ian Kent
2019-06-26 10:47 ` Christian Brauner
2019-06-27 0:38 ` Ian Kent
2019-06-26 13:19 ` Christian Brauner
2019-06-26 14:31 ` David Howells
2019-06-26 14:50 ` Christian Brauner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=156138546489.25627.8348943895696087628.stgit@warthog.procyon.org.uk \
--to=dhowells@redhat.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mszeredi@redhat.com \
--cc=raven@themaw.net \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).