From: Chirantan Ekbote <chirantan@chromium.org>
To: Miklos Szeredi <miklos@szeredi.hu>
Cc: Vivek Goyal <vgoyal@redhat.com>,
Stefan Hajnoczi <stefanha@redhat.com>,
linux-fsdevel@vger.kernel.org, virtio-fs@redhat.com,
Dylan Reid <dgreid@chromium.org>,
Suleiman Souhlal <suleiman@chromium.org>,
fuse-devel@lists.sourceforge.net,
Chirantan Ekbote <chirantan@chromium.org>
Subject: [PATCHv4 2/2] fuse: Call security hooks on new inodes
Date: Mon, 13 Jul 2020 18:57:00 +0900 [thread overview]
Message-ID: <20200713095700.350234-2-chirantan@chromium.org> (raw)
In-Reply-To: <20200713095700.350234-1-chirantan@chromium.org>
Add a new `init_security` field to `fuse_conn` that controls whether we
initialize security when a new inode is created. Set this to true when
the `flags` field of the fuse_init_out struct contains
FUSE_SECURITY_CTX.
When set to true, get the security context for a newly created inode via
`security_dentry_init_security` and append it to the create, mkdir,
mknod, and symlink requests.
Signed-off-by: Chirantan Ekbote <chirantan@chromium.org>
---
Changes in v4:
* Added signoff to commit message.
* Fixed style warnings reported by checkpatch.pl.
Changes in v3:
* Moved uapi changes into a separate patch.
* Refactored duplicated common code into create_new_entry.
* Dropped check if security_ctxlen > 0 since kfree can handle NULL.
Changes in v2:
* Added the FUSE_SECURITY_CTX flag for init_out responses.
* Switched to security_dentry_init_security.
* Send security context with create, mknod, mkdir, and symlink
requests instead of applying it after creation.
fs/fuse/dir.c | 60 ++++++++++++++++++++++++++++++++++++++++++++----
fs/fuse/fuse_i.h | 3 +++
fs/fuse/inode.c | 5 +++-
3 files changed, 62 insertions(+), 6 deletions(-)
diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c
index ee190119f45cc..c6791c49afe4d 100644
--- a/fs/fuse/dir.c
+++ b/fs/fuse/dir.c
@@ -16,6 +16,9 @@
#include <linux/xattr.h>
#include <linux/iversion.h>
#include <linux/posix_acl.h>
+#include <linux/security.h>
+#include <linux/types.h>
+#include <linux/kernel.h>
static void fuse_advise_use_readdirplus(struct inode *dir)
{
@@ -442,6 +445,8 @@ static int fuse_create_open(struct inode *dir, struct dentry *entry,
struct fuse_entry_out outentry;
struct fuse_inode *fi;
struct fuse_file *ff;
+ void *security_ctx = NULL;
+ u32 security_ctxlen = 0;
/* Userspace expects S_IFREG in create mode */
BUG_ON((mode & S_IFMT) != S_IFREG);
@@ -477,6 +482,21 @@ static int fuse_create_open(struct inode *dir, struct dentry *entry,
args.out_args[0].value = &outentry;
args.out_args[1].size = sizeof(outopen);
args.out_args[1].value = &outopen;
+
+ if (fc->init_security) {
+ err = security_dentry_init_security(entry, mode, &entry->d_name,
+ &security_ctx,
+ &security_ctxlen);
+ if (err)
+ goto out_put_forget_req;
+
+ if (security_ctxlen > 0) {
+ args.in_numargs = 3;
+ args.in_args[2].size = security_ctxlen;
+ args.in_args[2].value = security_ctx;
+ }
+ }
+
err = fuse_simple_request(fc, &args);
if (err)
goto out_free_ff;
@@ -513,6 +533,7 @@ static int fuse_create_open(struct inode *dir, struct dentry *entry,
return err;
out_free_ff:
+ kfree(security_ctx);
fuse_file_free(ff);
out_put_forget_req:
kfree(forget);
@@ -569,13 +590,15 @@ static int fuse_atomic_open(struct inode *dir, struct dentry *entry,
*/
static int create_new_entry(struct fuse_conn *fc, struct fuse_args *args,
struct inode *dir, struct dentry *entry,
- umode_t mode)
+ umode_t mode, bool init_security)
{
struct fuse_entry_out outarg;
struct inode *inode;
struct dentry *d;
int err;
struct fuse_forget_link *forget;
+ void *security_ctx = NULL;
+ u32 security_ctxlen = 0;
forget = fuse_alloc_forget();
if (!forget)
@@ -586,7 +609,29 @@ static int create_new_entry(struct fuse_conn *fc, struct fuse_args *args,
args->out_numargs = 1;
args->out_args[0].size = sizeof(outarg);
args->out_args[0].value = &outarg;
+
+ if (init_security) {
+ unsigned short idx = args->in_numargs;
+
+ if ((size_t)idx >= ARRAY_SIZE(args->in_args))
+ return -ENOMEM;
+
+ err = security_dentry_init_security(entry, mode, &entry->d_name,
+ &security_ctx,
+ &security_ctxlen);
+ if (err)
+ return err;
+
+ if (security_ctxlen > 0) {
+ args->in_args[idx].size = security_ctxlen;
+ args->in_args[idx].value = security_ctx;
+ args->in_numargs++;
+ }
+ }
+
err = fuse_simple_request(fc, args);
+ kfree(security_ctx);
+
if (err)
goto out_put_forget_req;
@@ -644,7 +689,8 @@ static int fuse_mknod(struct inode *dir, struct dentry *entry, umode_t mode,
args.in_args[0].value = &inarg;
args.in_args[1].size = entry->d_name.len + 1;
args.in_args[1].value = entry->d_name.name;
- return create_new_entry(fc, &args, dir, entry, mode);
+
+ return create_new_entry(fc, &args, dir, entry, mode, fc->init_security);
}
static int fuse_create(struct inode *dir, struct dentry *entry, umode_t mode,
@@ -671,7 +717,9 @@ static int fuse_mkdir(struct inode *dir, struct dentry *entry, umode_t mode)
args.in_args[0].value = &inarg;
args.in_args[1].size = entry->d_name.len + 1;
args.in_args[1].value = entry->d_name.name;
- return create_new_entry(fc, &args, dir, entry, S_IFDIR);
+
+ return create_new_entry(fc, &args, dir, entry, S_IFDIR,
+ fc->init_security);
}
static int fuse_symlink(struct inode *dir, struct dentry *entry,
@@ -687,7 +735,9 @@ static int fuse_symlink(struct inode *dir, struct dentry *entry,
args.in_args[0].value = entry->d_name.name;
args.in_args[1].size = len;
args.in_args[1].value = link;
- return create_new_entry(fc, &args, dir, entry, S_IFLNK);
+
+ return create_new_entry(fc, &args, dir, entry, S_IFLNK,
+ fc->init_security);
}
void fuse_update_ctime(struct inode *inode)
@@ -858,7 +908,7 @@ static int fuse_link(struct dentry *entry, struct inode *newdir,
args.in_args[0].value = &inarg;
args.in_args[1].size = newent->d_name.len + 1;
args.in_args[1].value = newent->d_name.name;
- err = create_new_entry(fc, &args, newdir, newent, inode->i_mode);
+ err = create_new_entry(fc, &args, newdir, newent, inode->i_mode, false);
/* Contrary to "normal" filesystems it can happen that link
makes two "logical" inodes point to the same "physical"
inode. We invalidate the attributes of the old one, so it
diff --git a/fs/fuse/fuse_i.h b/fs/fuse/fuse_i.h
index d7cde216fc871..dd7422d83da3d 100644
--- a/fs/fuse/fuse_i.h
+++ b/fs/fuse/fuse_i.h
@@ -720,6 +720,9 @@ struct fuse_conn {
/* Do not show mount options */
unsigned int no_mount_options:1;
+ /* Initialize security xattrs when creating a new inode */
+ unsigned int init_security : 1;
+
/** The number of requests waiting for completion */
atomic_t num_waiting;
diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c
index 16aec32f7f3d7..1a311771c5555 100644
--- a/fs/fuse/inode.c
+++ b/fs/fuse/inode.c
@@ -951,6 +951,8 @@ static void process_init_reply(struct fuse_conn *fc, struct fuse_args *args,
min_t(unsigned int, FUSE_MAX_MAX_PAGES,
max_t(unsigned int, arg->max_pages, 1));
}
+ if (arg->flags & FUSE_SECURITY_CTX)
+ fc->init_security = 1;
} else {
ra_pages = fc->max_read / PAGE_SIZE;
fc->no_lock = 1;
@@ -988,7 +990,8 @@ void fuse_send_init(struct fuse_conn *fc)
FUSE_WRITEBACK_CACHE | FUSE_NO_OPEN_SUPPORT |
FUSE_PARALLEL_DIROPS | FUSE_HANDLE_KILLPRIV | FUSE_POSIX_ACL |
FUSE_ABORT_ERROR | FUSE_MAX_PAGES | FUSE_CACHE_SYMLINKS |
- FUSE_NO_OPENDIR_SUPPORT | FUSE_EXPLICIT_INVAL_DATA;
+ FUSE_NO_OPENDIR_SUPPORT | FUSE_EXPLICIT_INVAL_DATA |
+ FUSE_SECURITY_CTX;
ia->args.opcode = FUSE_INIT;
ia->args.in_numargs = 1;
ia->args.in_args[0].size = sizeof(ia->in);
--
2.27.0.383.g050319c2ae-goog
WARNING: multiple messages have this Message-ID (diff)
From: Chirantan Ekbote <chirantan@chromium.org>
To: Miklos Szeredi <miklos@szeredi.hu>
Cc: fuse-devel@lists.sourceforge.net,
Suleiman Souhlal <suleiman@chromium.org>,
virtio-fs@redhat.com, linux-fsdevel@vger.kernel.org,
Dylan Reid <dgreid@chromium.org>, Vivek Goyal <vgoyal@redhat.com>
Subject: [Virtio-fs] [PATCHv4 2/2] fuse: Call security hooks on new inodes
Date: Mon, 13 Jul 2020 18:57:00 +0900 [thread overview]
Message-ID: <20200713095700.350234-2-chirantan@chromium.org> (raw)
In-Reply-To: <20200713095700.350234-1-chirantan@chromium.org>
Add a new `init_security` field to `fuse_conn` that controls whether we
initialize security when a new inode is created. Set this to true when
the `flags` field of the fuse_init_out struct contains
FUSE_SECURITY_CTX.
When set to true, get the security context for a newly created inode via
`security_dentry_init_security` and append it to the create, mkdir,
mknod, and symlink requests.
Signed-off-by: Chirantan Ekbote <chirantan@chromium.org>
---
Changes in v4:
* Added signoff to commit message.
* Fixed style warnings reported by checkpatch.pl.
Changes in v3:
* Moved uapi changes into a separate patch.
* Refactored duplicated common code into create_new_entry.
* Dropped check if security_ctxlen > 0 since kfree can handle NULL.
Changes in v2:
* Added the FUSE_SECURITY_CTX flag for init_out responses.
* Switched to security_dentry_init_security.
* Send security context with create, mknod, mkdir, and symlink
requests instead of applying it after creation.
fs/fuse/dir.c | 60 ++++++++++++++++++++++++++++++++++++++++++++----
fs/fuse/fuse_i.h | 3 +++
fs/fuse/inode.c | 5 +++-
3 files changed, 62 insertions(+), 6 deletions(-)
diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c
index ee190119f45cc..c6791c49afe4d 100644
--- a/fs/fuse/dir.c
+++ b/fs/fuse/dir.c
@@ -16,6 +16,9 @@
#include <linux/xattr.h>
#include <linux/iversion.h>
#include <linux/posix_acl.h>
+#include <linux/security.h>
+#include <linux/types.h>
+#include <linux/kernel.h>
static void fuse_advise_use_readdirplus(struct inode *dir)
{
@@ -442,6 +445,8 @@ static int fuse_create_open(struct inode *dir, struct dentry *entry,
struct fuse_entry_out outentry;
struct fuse_inode *fi;
struct fuse_file *ff;
+ void *security_ctx = NULL;
+ u32 security_ctxlen = 0;
/* Userspace expects S_IFREG in create mode */
BUG_ON((mode & S_IFMT) != S_IFREG);
@@ -477,6 +482,21 @@ static int fuse_create_open(struct inode *dir, struct dentry *entry,
args.out_args[0].value = &outentry;
args.out_args[1].size = sizeof(outopen);
args.out_args[1].value = &outopen;
+
+ if (fc->init_security) {
+ err = security_dentry_init_security(entry, mode, &entry->d_name,
+ &security_ctx,
+ &security_ctxlen);
+ if (err)
+ goto out_put_forget_req;
+
+ if (security_ctxlen > 0) {
+ args.in_numargs = 3;
+ args.in_args[2].size = security_ctxlen;
+ args.in_args[2].value = security_ctx;
+ }
+ }
+
err = fuse_simple_request(fc, &args);
if (err)
goto out_free_ff;
@@ -513,6 +533,7 @@ static int fuse_create_open(struct inode *dir, struct dentry *entry,
return err;
out_free_ff:
+ kfree(security_ctx);
fuse_file_free(ff);
out_put_forget_req:
kfree(forget);
@@ -569,13 +590,15 @@ static int fuse_atomic_open(struct inode *dir, struct dentry *entry,
*/
static int create_new_entry(struct fuse_conn *fc, struct fuse_args *args,
struct inode *dir, struct dentry *entry,
- umode_t mode)
+ umode_t mode, bool init_security)
{
struct fuse_entry_out outarg;
struct inode *inode;
struct dentry *d;
int err;
struct fuse_forget_link *forget;
+ void *security_ctx = NULL;
+ u32 security_ctxlen = 0;
forget = fuse_alloc_forget();
if (!forget)
@@ -586,7 +609,29 @@ static int create_new_entry(struct fuse_conn *fc, struct fuse_args *args,
args->out_numargs = 1;
args->out_args[0].size = sizeof(outarg);
args->out_args[0].value = &outarg;
+
+ if (init_security) {
+ unsigned short idx = args->in_numargs;
+
+ if ((size_t)idx >= ARRAY_SIZE(args->in_args))
+ return -ENOMEM;
+
+ err = security_dentry_init_security(entry, mode, &entry->d_name,
+ &security_ctx,
+ &security_ctxlen);
+ if (err)
+ return err;
+
+ if (security_ctxlen > 0) {
+ args->in_args[idx].size = security_ctxlen;
+ args->in_args[idx].value = security_ctx;
+ args->in_numargs++;
+ }
+ }
+
err = fuse_simple_request(fc, args);
+ kfree(security_ctx);
+
if (err)
goto out_put_forget_req;
@@ -644,7 +689,8 @@ static int fuse_mknod(struct inode *dir, struct dentry *entry, umode_t mode,
args.in_args[0].value = &inarg;
args.in_args[1].size = entry->d_name.len + 1;
args.in_args[1].value = entry->d_name.name;
- return create_new_entry(fc, &args, dir, entry, mode);
+
+ return create_new_entry(fc, &args, dir, entry, mode, fc->init_security);
}
static int fuse_create(struct inode *dir, struct dentry *entry, umode_t mode,
@@ -671,7 +717,9 @@ static int fuse_mkdir(struct inode *dir, struct dentry *entry, umode_t mode)
args.in_args[0].value = &inarg;
args.in_args[1].size = entry->d_name.len + 1;
args.in_args[1].value = entry->d_name.name;
- return create_new_entry(fc, &args, dir, entry, S_IFDIR);
+
+ return create_new_entry(fc, &args, dir, entry, S_IFDIR,
+ fc->init_security);
}
static int fuse_symlink(struct inode *dir, struct dentry *entry,
@@ -687,7 +735,9 @@ static int fuse_symlink(struct inode *dir, struct dentry *entry,
args.in_args[0].value = entry->d_name.name;
args.in_args[1].size = len;
args.in_args[1].value = link;
- return create_new_entry(fc, &args, dir, entry, S_IFLNK);
+
+ return create_new_entry(fc, &args, dir, entry, S_IFLNK,
+ fc->init_security);
}
void fuse_update_ctime(struct inode *inode)
@@ -858,7 +908,7 @@ static int fuse_link(struct dentry *entry, struct inode *newdir,
args.in_args[0].value = &inarg;
args.in_args[1].size = newent->d_name.len + 1;
args.in_args[1].value = newent->d_name.name;
- err = create_new_entry(fc, &args, newdir, newent, inode->i_mode);
+ err = create_new_entry(fc, &args, newdir, newent, inode->i_mode, false);
/* Contrary to "normal" filesystems it can happen that link
makes two "logical" inodes point to the same "physical"
inode. We invalidate the attributes of the old one, so it
diff --git a/fs/fuse/fuse_i.h b/fs/fuse/fuse_i.h
index d7cde216fc871..dd7422d83da3d 100644
--- a/fs/fuse/fuse_i.h
+++ b/fs/fuse/fuse_i.h
@@ -720,6 +720,9 @@ struct fuse_conn {
/* Do not show mount options */
unsigned int no_mount_options:1;
+ /* Initialize security xattrs when creating a new inode */
+ unsigned int init_security : 1;
+
/** The number of requests waiting for completion */
atomic_t num_waiting;
diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c
index 16aec32f7f3d7..1a311771c5555 100644
--- a/fs/fuse/inode.c
+++ b/fs/fuse/inode.c
@@ -951,6 +951,8 @@ static void process_init_reply(struct fuse_conn *fc, struct fuse_args *args,
min_t(unsigned int, FUSE_MAX_MAX_PAGES,
max_t(unsigned int, arg->max_pages, 1));
}
+ if (arg->flags & FUSE_SECURITY_CTX)
+ fc->init_security = 1;
} else {
ra_pages = fc->max_read / PAGE_SIZE;
fc->no_lock = 1;
@@ -988,7 +990,8 @@ void fuse_send_init(struct fuse_conn *fc)
FUSE_WRITEBACK_CACHE | FUSE_NO_OPEN_SUPPORT |
FUSE_PARALLEL_DIROPS | FUSE_HANDLE_KILLPRIV | FUSE_POSIX_ACL |
FUSE_ABORT_ERROR | FUSE_MAX_PAGES | FUSE_CACHE_SYMLINKS |
- FUSE_NO_OPENDIR_SUPPORT | FUSE_EXPLICIT_INVAL_DATA;
+ FUSE_NO_OPENDIR_SUPPORT | FUSE_EXPLICIT_INVAL_DATA |
+ FUSE_SECURITY_CTX;
ia->args.opcode = FUSE_INIT;
ia->args.in_numargs = 1;
ia->args.in_args[0].size = sizeof(ia->in);
--
2.27.0.383.g050319c2ae-goog
next prev parent reply other threads:[~2020-07-13 9:57 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-01 5:32 [PATCH] RFC: fuse: virtiofs: Call security hooks on new inodes Chirantan Ekbote
2020-06-01 5:32 ` [Virtio-fs] " Chirantan Ekbote
2020-06-02 18:23 ` Vivek Goyal
2020-06-02 18:23 ` [Virtio-fs] " Vivek Goyal
2020-06-10 9:27 ` [PATCH v2] RFC: fuse: " Chirantan Ekbote
2020-06-10 9:27 ` [Virtio-fs] " Chirantan Ekbote
2020-06-15 7:37 ` Chirantan Ekbote
2020-06-15 7:37 ` [Virtio-fs] " Chirantan Ekbote
2020-06-16 9:29 ` Miklos Szeredi
2020-06-16 9:29 ` [Virtio-fs] " Miklos Szeredi
2020-06-16 9:41 ` Chirantan Ekbote
2020-06-16 9:41 ` [Virtio-fs] " Chirantan Ekbote
2020-06-16 10:27 ` Miklos Szeredi
2020-06-16 10:27 ` [Virtio-fs] " Miklos Szeredi
2020-07-13 9:09 ` [PATCHv3 1/2] uapi: fuse: Add FUSE_SECURITY_CTX Chirantan Ekbote
2020-07-13 9:09 ` [Virtio-fs] " Chirantan Ekbote
2020-07-13 9:09 ` [PATCHv3 2/2] fuse: Call security hooks on new inodes Chirantan Ekbote
2020-07-13 9:09 ` [Virtio-fs] " Chirantan Ekbote
2020-07-13 9:56 ` [PATCHv4 1/2] uapi: fuse: Add FUSE_SECURITY_CTX Chirantan Ekbote
2020-07-13 9:56 ` [Virtio-fs] " Chirantan Ekbote
2020-07-13 9:57 ` Chirantan Ekbote [this message]
2020-07-13 9:57 ` [Virtio-fs] [PATCHv4 2/2] fuse: Call security hooks on new inodes Chirantan Ekbote
2020-07-21 8:07 ` Chirantan Ekbote
2020-07-21 8:07 ` [Virtio-fs] " Chirantan Ekbote
2020-07-21 14:23 ` Miklos Szeredi
2020-07-21 14:23 ` [Virtio-fs] " Miklos Szeredi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200713095700.350234-2-chirantan@chromium.org \
--to=chirantan@chromium.org \
--cc=dgreid@chromium.org \
--cc=fuse-devel@lists.sourceforge.net \
--cc=linux-fsdevel@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=stefanha@redhat.com \
--cc=suleiman@chromium.org \
--cc=vgoyal@redhat.com \
--cc=virtio-fs@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.