From: Vivek Goyal <vgoyal@redhat.com> To: linux-fsdevel@vger.kernel.org, virtio-fs@redhat.com, selinux@vger.kernel.org, linux-security-module@vger.kernel.org Cc: chirantan@chromium.org, vgoyal@redhat.com, miklos@szeredi.hu, stephen.smalley.work@gmail.com, dwalsh@redhat.com Subject: [PATCH 0/2] fuse: Send file/inode security context during creation Date: Fri, 24 Sep 2021 15:24:40 -0400 [thread overview] Message-ID: <20210924192442.916927-1-vgoyal@redhat.com> (raw) Hi, When a file is created (create, mknod, mkdir, symlink), typically file systems call ecurity_inode_init_security() to initialize security context of an inode. But this does not very well with remote filesystems as inode is not there yet. Client will send a creation request to server and once server has created the file, client will instantiate the inode. So filesystems like nfs and ceph use security_dentry_init_security() instead. This takes in a dentry and returns the security context of file if any. These patches call security_dentry_init_security() and send security label of file along with creation request (FUSE_CREATE, FUSE_MKDIR, FUSE_MKNOD, FUSE_SYMLINK). This will give server an opportunity to create new file and also set security label (possibly atomically where possible). These patches are based on the work Chirantan Ekbote did some time back but it never got upstreamed. So I have taken his patches, made some modifications and posting again. https://listman.redhat.com/archives/virtio-fs/2020-July/msg00014.html https://listman.redhat.com/archives/virtio-fs/2020-July/msg00015.html These patches will allow us to support SELinux on virtiofs. Vivek Goyal (2): fuse: Add a flag FUSE_SECURITY_CTX fuse: Send security context of inode on file creation fs/fuse/dir.c | 114 ++++++++++++++++++++++++++++++++++++-- fs/fuse/fuse_i.h | 3 + fs/fuse/inode.c | 4 +- include/uapi/linux/fuse.h | 20 ++++++- 4 files changed, 134 insertions(+), 7 deletions(-) -- 2.31.1
WARNING: multiple messages have this Message-ID (diff)
From: Vivek Goyal <vgoyal@redhat.com> To: linux-fsdevel@vger.kernel.org, virtio-fs@redhat.com, selinux@vger.kernel.org, linux-security-module@vger.kernel.org Cc: stephen.smalley.work@gmail.com, vgoyal@redhat.com, miklos@szeredi.hu Subject: [Virtio-fs] [PATCH 0/2] fuse: Send file/inode security context during creation Date: Fri, 24 Sep 2021 15:24:40 -0400 [thread overview] Message-ID: <20210924192442.916927-1-vgoyal@redhat.com> (raw) Hi, When a file is created (create, mknod, mkdir, symlink), typically file systems call ecurity_inode_init_security() to initialize security context of an inode. But this does not very well with remote filesystems as inode is not there yet. Client will send a creation request to server and once server has created the file, client will instantiate the inode. So filesystems like nfs and ceph use security_dentry_init_security() instead. This takes in a dentry and returns the security context of file if any. These patches call security_dentry_init_security() and send security label of file along with creation request (FUSE_CREATE, FUSE_MKDIR, FUSE_MKNOD, FUSE_SYMLINK). This will give server an opportunity to create new file and also set security label (possibly atomically where possible). These patches are based on the work Chirantan Ekbote did some time back but it never got upstreamed. So I have taken his patches, made some modifications and posting again. https://listman.redhat.com/archives/virtio-fs/2020-July/msg00014.html https://listman.redhat.com/archives/virtio-fs/2020-July/msg00015.html These patches will allow us to support SELinux on virtiofs. Vivek Goyal (2): fuse: Add a flag FUSE_SECURITY_CTX fuse: Send security context of inode on file creation fs/fuse/dir.c | 114 ++++++++++++++++++++++++++++++++++++-- fs/fuse/fuse_i.h | 3 + fs/fuse/inode.c | 4 +- include/uapi/linux/fuse.h | 20 ++++++- 4 files changed, 134 insertions(+), 7 deletions(-) -- 2.31.1
next reply other threads:[~2021-09-24 19:25 UTC|newest] Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top 2021-09-24 19:24 Vivek Goyal [this message] 2021-09-24 19:24 ` [Virtio-fs] [PATCH 0/2] fuse: Send file/inode security context during creation Vivek Goyal 2021-09-24 19:24 ` [PATCH 1/2] fuse: Add a flag FUSE_SECURITY_CTX Vivek Goyal 2021-09-24 19:24 ` [Virtio-fs] " Vivek Goyal 2021-09-24 19:24 ` [PATCH 2/2] fuse: Send security context of inode on file creation Vivek Goyal 2021-09-24 19:24 ` [Virtio-fs] " Vivek Goyal 2021-09-24 19:58 ` Casey Schaufler 2021-09-24 19:58 ` [Virtio-fs] " Casey Schaufler 2021-09-24 20:18 ` Vivek Goyal 2021-09-24 20:18 ` [Virtio-fs] " Vivek Goyal 2021-09-24 20:54 ` Casey Schaufler 2021-09-24 20:54 ` [Virtio-fs] " Casey Schaufler 2021-09-24 21:16 ` Vivek Goyal 2021-09-24 21:16 ` [Virtio-fs] " Vivek Goyal 2021-09-24 21:55 ` Casey Schaufler 2021-09-24 21:55 ` [Virtio-fs] " Casey Schaufler 2021-09-24 22:00 ` Colin Walters 2021-09-24 22:00 ` [Virtio-fs] " Colin Walters 2021-09-24 23:32 ` Vivek Goyal 2021-09-24 23:32 ` [Virtio-fs] " Vivek Goyal 2021-09-27 0:53 ` Casey Schaufler 2021-09-27 0:53 ` [Virtio-fs] " Casey Schaufler 2021-09-27 14:05 ` Vivek Goyal 2021-09-27 14:05 ` [Virtio-fs] " Vivek Goyal 2021-09-27 15:22 ` Casey Schaufler 2021-09-27 15:22 ` [Virtio-fs] " Casey Schaufler 2021-09-27 15:56 ` Vivek Goyal 2021-09-27 15:56 ` [Virtio-fs] " Vivek Goyal 2021-09-27 17:56 ` Casey Schaufler 2021-09-27 17:56 ` [Virtio-fs] " Casey Schaufler 2021-09-27 19:20 ` Vivek Goyal 2021-09-27 19:20 ` [Virtio-fs] " Vivek Goyal 2021-09-27 20:19 ` Casey Schaufler 2021-09-27 20:19 ` [Virtio-fs] " Casey Schaufler 2021-09-27 20:45 ` Vivek Goyal 2021-09-27 20:45 ` [Virtio-fs] " Vivek Goyal 2021-09-27 21:45 ` Casey Schaufler 2021-09-27 21:45 ` [Virtio-fs] " Casey Schaufler 2021-09-28 12:49 ` Vivek Goyal 2021-09-28 12:49 ` [Virtio-fs] " Vivek Goyal 2021-09-28 14:25 ` Casey Schaufler 2021-09-28 14:25 ` [Virtio-fs] " Casey Schaufler
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20210924192442.916927-1-vgoyal@redhat.com \ --to=vgoyal@redhat.com \ --cc=chirantan@chromium.org \ --cc=dwalsh@redhat.com \ --cc=linux-fsdevel@vger.kernel.org \ --cc=linux-security-module@vger.kernel.org \ --cc=miklos@szeredi.hu \ --cc=selinux@vger.kernel.org \ --cc=stephen.smalley.work@gmail.com \ --cc=virtio-fs@redhat.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.