From: Qu Wenruo <quwenruo@cn.fujitsu.com>
To: <linux-btrfs@vger.kernel.org>
Cc: Chris Mason <clm@fb.com>
Subject: Re: [PATCH v2] btrfs: Make btrfs handle security mount options internally to avoid losing security label.
Date: Wed, 8 Oct 2014 10:14:39 +0800 [thread overview]
Message-ID: <54349E0F.80906@cn.fujitsu.com> (raw)
In-Reply-To: <1412734360-16237-1-git-send-email-quwenruo@cn.fujitsu.com>
Cc Chris:
The delta of the v2 patch is only the following lines:
diff --git a/fs/btrfs/super.c b/fs/btrfs/super.c
index 1eb7858..6f64411 100644
--- a/fs/btrfs/super.c
+++ b/fs/btrfs/super.c
@@ -1248,6 +1248,7 @@ static int setup_security_options(struct
btrfs_fs_info *fs_info,
if (ret)
return ret;
+#ifdef CONFIG_SECURITY
if (!fs_info->security_opts.num_mnt_opts) {
/* first time security setup, copy sec_opts to fs_info */
memcpy(&fs_info->security_opts, sec_opts, sizeof(*sec_opts));
@@ -1260,6 +1261,7 @@ static int setup_security_options(struct
btrfs_fs_info *fs_info,
*/
security_free_mnt_opts(sec_opts);
}
+#endif
return ret;
}
There should not be much pain to replace the original patch.
Thanks,
Qu
-------- Original Message --------
Subject: [PATCH v2] btrfs: Make btrfs handle security mount options
internally to avoid losing security label.
From: Qu Wenruo <quwenruo@cn.fujitsu.com>
To: <linux-btrfs@vger.kernel.org>
Date: 2014年10月08日 10:12
> [BUG]
> Originally when mount btrfs with "-o subvol=" mount option, btrfs will
> lose all security lable.
> And if the btrfs fs is mounted somewhere else, due to the lost of
> security lable, SELinux will refuse to mount since the same super block
> is being mounted using different security lable.
>
> [REPRODUCER]
> With SELinux enabled:
> #mkfs -t btrfs /dev/sda5
> #mount -o context=system_u:object_r:nfs_t:s0 /dev/sda5 /mnt/btrfs
> #btrfs subvolume create /mnt/btrfs/subvol
> #mount -o subvol=subvol,context=system_u:object_r:nfs_t:s0 /dev/sda5
> /mnt/test
>
> kernel message:
> SELinux: mount invalid. Same superblock, different security settings
> for (dev sda5, type btrfs)
>
> [REASON]
> This happens because btrfs will call vfs_kern_mount() and then
> mount_subtree() to handle subvolume name lookup.
> First mount will cut off all the security lables and when it comes to
> the second vfs_kern_mount(), it has no security label now.
>
> [FIX]
> This patch will makes btrfs behavior much more like nfs,
> which has the type flag FS_BINARY_MOUNTDATA,
> making btrfs handles the security label internally.
> So security label will be set in the real mount time and won't lose
> label when use with "subvol=" mount option.
>
> Reported-by: Eryu Guan <guaneryu@gmail.com>
> Signed-off-by: Qu Wenruo <quwenruo@cn.fujitsu.com>
> ---
> changelog:
> v2: Fix a compile error when CONFIG_SECURITY is not set.
> ---
> fs/btrfs/ctree.h | 5 +++
> fs/btrfs/super.c | 99 +++++++++++++++++++++++++++++++++++++++++++++++++++++---
> 2 files changed, 99 insertions(+), 5 deletions(-)
>
> diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h
> index 8e29b61..c82dd6d 100644
> --- a/fs/btrfs/ctree.h
> +++ b/fs/btrfs/ctree.h
> @@ -34,6 +34,7 @@
> #include <linux/pagemap.h>
> #include <linux/btrfs.h>
> #include <linux/workqueue.h>
> +#include <linux/security.h>
> #include "extent_io.h"
> #include "extent_map.h"
> #include "async-thread.h"
> @@ -1723,6 +1724,9 @@ struct btrfs_fs_info {
>
> /* Used to reclaim the metadata space in the background. */
> struct work_struct async_reclaim_work;
> +
> + /* For btrfs to record security options */
> + struct security_mnt_opts security_opts;
> };
>
> struct btrfs_subvolume_writers {
> @@ -3604,6 +3608,7 @@ static inline void free_fs_info(struct btrfs_fs_info *fs_info)
> kfree(fs_info->uuid_root);
> kfree(fs_info->super_copy);
> kfree(fs_info->super_for_commit);
> + security_free_mnt_opts(&fs_info->security_opts);
> kfree(fs_info);
> }
>
> diff --git a/fs/btrfs/super.c b/fs/btrfs/super.c
> index c4124de..6f64411 100644
> --- a/fs/btrfs/super.c
> +++ b/fs/btrfs/super.c
> @@ -1215,6 +1215,56 @@ static struct dentry *mount_subvol(const char *subvol_name, int flags,
> return root;
> }
>
> +static int parse_security_options(char *orig_opts,
> + struct security_mnt_opts *sec_opts)
> +{
> + char *secdata = NULL;
> + int ret = 0;
> +
> + secdata = alloc_secdata();
> + if (!secdata)
> + return -ENOMEM;
> + ret = security_sb_copy_data(orig_opts, secdata);
> + if (ret) {
> + free_secdata(secdata);
> + return ret;
> + }
> + ret = security_sb_parse_opts_str(secdata, sec_opts);
> + free_secdata(secdata);
> + return ret;
> +}
> +
> +static int setup_security_options(struct btrfs_fs_info *fs_info,
> + struct super_block *sb,
> + struct security_mnt_opts *sec_opts)
> +{
> + int ret = 0;
> +
> + /*
> + * Call security_sb_set_mnt_opts() to check whether new sec_opts
> + * is valid.
> + */
> + ret = security_sb_set_mnt_opts(sb, sec_opts, 0, NULL);
> + if (ret)
> + return ret;
> +
> +#ifdef CONFIG_SECURITY
> + if (!fs_info->security_opts.num_mnt_opts) {
> + /* first time security setup, copy sec_opts to fs_info */
> + memcpy(&fs_info->security_opts, sec_opts, sizeof(*sec_opts));
> + } else {
> + /*
> + * Since SELinux(the only one supports security_mnt_opts) does
> + * NOT support changing context during remount/mount same sb,
> + * This must be the same or part of the same security options,
> + * just free it.
> + */
> + security_free_mnt_opts(sec_opts);
> + }
> +#endif
> + return ret;
> +}
> +
> /*
> * Find a superblock for the given device / mount point.
> *
> @@ -1229,6 +1279,7 @@ static struct dentry *btrfs_mount(struct file_system_type *fs_type, int flags,
> struct dentry *root;
> struct btrfs_fs_devices *fs_devices = NULL;
> struct btrfs_fs_info *fs_info = NULL;
> + struct security_mnt_opts new_sec_opts;
> fmode_t mode = FMODE_READ;
> char *subvol_name = NULL;
> u64 subvol_objectid = 0;
> @@ -1251,9 +1302,16 @@ static struct dentry *btrfs_mount(struct file_system_type *fs_type, int flags,
> return root;
> }
>
> + security_init_mnt_opts(&new_sec_opts);
> + if (data) {
> + error = parse_security_options(data, &new_sec_opts);
> + if (error)
> + return ERR_PTR(error);
> + }
> +
> error = btrfs_scan_one_device(device_name, mode, fs_type, &fs_devices);
> if (error)
> - return ERR_PTR(error);
> + goto error_sec_opts;
>
> /*
> * Setup a dummy root and fs_info for test/set super. This is because
> @@ -1262,13 +1320,16 @@ static struct dentry *btrfs_mount(struct file_system_type *fs_type, int flags,
> * then open_ctree will properly initialize everything later.
> */
> fs_info = kzalloc(sizeof(struct btrfs_fs_info), GFP_NOFS);
> - if (!fs_info)
> - return ERR_PTR(-ENOMEM);
> + if (!fs_info) {
> + error = -ENOMEM;
> + goto error_sec_opts;
> + }
>
> fs_info->fs_devices = fs_devices;
>
> fs_info->super_copy = kzalloc(BTRFS_SUPER_INFO_SIZE, GFP_NOFS);
> fs_info->super_for_commit = kzalloc(BTRFS_SUPER_INFO_SIZE, GFP_NOFS);
> + security_init_mnt_opts(&fs_info->security_opts);
> if (!fs_info->super_copy || !fs_info->super_for_commit) {
> error = -ENOMEM;
> goto error_fs_info;
> @@ -1306,8 +1367,19 @@ static struct dentry *btrfs_mount(struct file_system_type *fs_type, int flags,
> }
>
> root = !error ? get_default_root(s, subvol_objectid) : ERR_PTR(error);
> - if (IS_ERR(root))
> + if (IS_ERR(root)) {
> deactivate_locked_super(s);
> + error = PTR_ERR(root);
> + goto error_sec_opts;
> + }
> +
> + fs_info = btrfs_sb(s);
> + error = setup_security_options(fs_info, s, &new_sec_opts);
> + if (error) {
> + dput(root);
> + deactivate_locked_super(s);
> + goto error_sec_opts;
> + }
>
> return root;
>
> @@ -1315,6 +1387,8 @@ error_close_devices:
> btrfs_close_devices(fs_devices);
> error_fs_info:
> free_fs_info(fs_info);
> +error_sec_opts:
> + security_free_mnt_opts(&new_sec_opts);
> return ERR_PTR(error);
> }
>
> @@ -1396,6 +1470,21 @@ static int btrfs_remount(struct super_block *sb, int *flags, char *data)
> sync_filesystem(sb);
> btrfs_remount_prepare(fs_info);
>
> + if (data) {
> + struct security_mnt_opts new_sec_opts;
> +
> + security_init_mnt_opts(&new_sec_opts);
> + ret = parse_security_options(data, &new_sec_opts);
> + if (ret)
> + goto restore;
> + ret = setup_security_options(fs_info, sb,
> + &new_sec_opts);
> + if (ret) {
> + security_free_mnt_opts(&new_sec_opts);
> + goto restore;
> + }
> + }
> +
> ret = btrfs_parse_options(root, data);
> if (ret) {
> ret = -EINVAL;
> @@ -1769,7 +1858,7 @@ static struct file_system_type btrfs_fs_type = {
> .name = "btrfs",
> .mount = btrfs_mount,
> .kill_sb = btrfs_kill_super,
> - .fs_flags = FS_REQUIRES_DEV,
> + .fs_flags = FS_REQUIRES_DEV | FS_BINARY_MOUNTDATA,
> };
> MODULE_ALIAS_FS("btrfs");
>
next prev parent reply other threads:[~2014-10-08 2:13 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-10-08 2:12 [PATCH v2] btrfs: Make btrfs handle security mount options internally to avoid losing security label Qu Wenruo
2014-10-08 2:14 ` Qu Wenruo [this message]
2014-10-08 2:16 ` Chris Mason
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=54349E0F.80906@cn.fujitsu.com \
--to=quwenruo@cn.fujitsu.com \
--cc=clm@fb.com \
--cc=linux-btrfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.