Return-Path: linux-nfs-owner@vger.kernel.org
Received: from tundra.namei.org ([65.99.196.166]:39919 "EHLO tundra.namei.org"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1758841Ab3EBXdm (ORCPT <rfc822;linux-nfs@vger.kernel.org>);
	Thu, 2 May 2013 19:33:42 -0400
Date: Fri, 3 May 2013 09:37:14 +1000 (EST)
From: James Morris <jmorris@namei.org>
To: Steve Dickson <SteveD@redhat.com>
cc: Trond Myklebust <Trond.Myklebust@netapp.com>,
        "J. Bruce Fields" <bfields@redhat.com>,
        "David P. Quigley" <dpquigl@tycho.nsa.gov>,
        Linux NFS list <linux-nfs@vger.kernel.org>,
        Linux FS devel list <linux-fsdevel@vger.kernel.org>,
        Linux Security List <linux-security-module@vger.kernel.org>,
        SELinux List <selinux@tycho.nsa.gov>
Subject: Re: [PATCH 07/17] SELinux: Add new labeling type native labels
In-Reply-To: <1367515151-31015-8-git-send-email-SteveD@redhat.com>
Message-ID: <alpine.LRH.2.02.1305030937070.1113@tundra.namei.org>
References: <1367515151-31015-1-git-send-email-SteveD@redhat.com> <1367515151-31015-8-git-send-email-SteveD@redhat.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: linux-nfs-owner@vger.kernel.org
List-ID: <linux-nfs.vger.kernel.org>

On Thu, 2 May 2013, Steve Dickson wrote:

> From: David Quigley <dpquigl@davequigley.com>
> 
> There currently doesn't exist a labeling type that is adequate for use with
> labeled NFS. Since NFS doesn't really support xattrs we can't use the use xattr
> labeling behavior. For this we developed a new labeling type. The native
> labeling type is used solely by NFS to ensure NFS inodes are labeled at runtime
> by the NFS code instead of relying on the SELinux security server on the client
> end.
> 
> Signed-off-by: Matthew N. Dodd <Matthew.Dodd@sparta.com>
> Signed-off-by: Miguel Rodel Felipe <Rodel_FM@dsi.a-star.edu.sg>
> Signed-off-by: Phua Eu Gene <PHUA_Eu_Gene@dsi.a-star.edu.sg>
> Signed-off-by: Khin Mi Mi Aung <Mi_Mi_AUNG@dsi.a-star.edu.sg>


Acked-by: James Morris <james.l.morris@oracle.com>

> ---
>  include/linux/security.h            |  3 +++
>  security/selinux/hooks.c            | 35 ++++++++++++++++++++++++++---------
>  security/selinux/include/security.h |  2 ++
>  security/selinux/ss/policydb.c      |  5 ++++-
>  4 files changed, 35 insertions(+), 10 deletions(-)
> 
> diff --git a/include/linux/security.h b/include/linux/security.h
> index 4ab51e2..bc924d7 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -61,6 +61,9 @@ struct mm_struct;
>  #define SECURITY_CAP_NOAUDIT 0
>  #define SECURITY_CAP_AUDIT 1
>  
> +/* LSM Agnostic defines for sb_set_mnt_opts */
> +#define SECURITY_LSM_NATIVE_LABELS	1
> +
>  struct ctl_table;
>  struct audit_krule;
>  struct user_namespace;
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 6cb24ec..d7ff806 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -81,6 +81,7 @@
>  #include <linux/syslog.h>
>  #include <linux/user_namespace.h>
>  #include <linux/export.h>
> +#include <linux/security.h>
>  #include <linux/msg.h>
>  #include <linux/shm.h>
>  
> @@ -284,13 +285,14 @@ static void superblock_free_security(struct super_block *sb)
>  
>  /* The file system's label must be initialized prior to use. */
>  
> -static const char *labeling_behaviors[6] = {
> +static const char *labeling_behaviors[7] = {
>  	"uses xattr",
>  	"uses transition SIDs",
>  	"uses task SIDs",
>  	"uses genfs_contexts",
>  	"not configured for labeling",
>  	"uses mountpoint labeling",
> +	"uses native labeling",
>  };
>  
>  static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
> @@ -678,14 +680,21 @@ static int selinux_set_mnt_opts(struct super_block *sb,
>  	if (strcmp(sb->s_type->name, "proc") == 0)
>  		sbsec->flags |= SE_SBPROC;
>  
> -	/* Determine the labeling behavior to use for this filesystem type. */
> -	rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
> -	if (rc) {
> -		printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
> -		       __func__, sb->s_type->name, rc);
> -		goto out;
> +	if (!sbsec->behavior) {
> +		/*
> +		 * Determine the labeling behavior to use for this
> +		 * filesystem type.
> +		 */
> +		rc = security_fs_use((sbsec->flags & SE_SBPROC) ?
> +					"proc" : sb->s_type->name,
> +					&sbsec->behavior, &sbsec->sid);
> +		if (rc) {
> +			printk(KERN_WARNING
> +				"%s: security_fs_use(%s) returned %d\n",
> +					__func__, sb->s_type->name, rc);
> +			goto out;
> +		}
>  	}
> -
>  	/* sets the context of the superblock for the fs being mounted. */
>  	if (fscontext_sid) {
>  		rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
> @@ -700,6 +709,11 @@ static int selinux_set_mnt_opts(struct super_block *sb,
>  	 * sets the label used on all file below the mountpoint, and will set
>  	 * the superblock context if not already set.
>  	 */
> +	if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
> +		sbsec->behavior = SECURITY_FS_USE_NATIVE;
> +		*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
> +	}
> +
>  	if (context_sid) {
>  		if (!fscontext_sid) {
>  			rc = may_context_mount_sb_relabel(context_sid, sbsec,
> @@ -731,7 +745,8 @@ static int selinux_set_mnt_opts(struct super_block *sb,
>  	}
>  
>  	if (defcontext_sid) {
> -		if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
> +		if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
> +			sbsec->behavior != SECURITY_FS_USE_NATIVE) {
>  			rc = -EINVAL;
>  			printk(KERN_WARNING "SELinux: defcontext option is "
>  			       "invalid for this filesystem type\n");
> @@ -1199,6 +1214,8 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
>  	}
>  
>  	switch (sbsec->behavior) {
> +	case SECURITY_FS_USE_NATIVE:
> +		break;
>  	case SECURITY_FS_USE_XATTR:
>  		if (!inode->i_op->getxattr) {
>  			isec->sid = sbsec->def_sid;
> diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
> index 6d38851..8fd8e18 100644
> --- a/security/selinux/include/security.h
> +++ b/security/selinux/include/security.h
> @@ -169,6 +169,8 @@ int security_get_allow_unknown(void);
>  #define SECURITY_FS_USE_GENFS		4 /* use the genfs support */
>  #define SECURITY_FS_USE_NONE		5 /* no labeling support */
>  #define SECURITY_FS_USE_MNTPOINT	6 /* use mountpoint labeling */
> +#define SECURITY_FS_USE_NATIVE		7 /* use native label support */
> +#define SECURITY_FS_USE_MAX		7 /* Highest SECURITY_FS_USE_XXX */
>  
>  int security_fs_use(const char *fstype, unsigned int *behavior,
>  	u32 *sid);
> diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
> index 9cd9b7c..c8adde3 100644
> --- a/security/selinux/ss/policydb.c
> +++ b/security/selinux/ss/policydb.c
> @@ -2168,7 +2168,10 @@ static int ocontext_read(struct policydb *p, struct policydb_compat_info *info,
>  
>  				rc = -EINVAL;
>  				c->v.behavior = le32_to_cpu(buf[0]);
> -				if (c->v.behavior > SECURITY_FS_USE_NONE)
> +				/* Determined at runtime, not in policy DB. */
> +				if (c->v.behavior == SECURITY_FS_USE_MNTPOINT)
> +					goto out;
> +				if (c->v.behavior > SECURITY_FS_USE_MAX)
>  					goto out;
>  
>  				rc = -ENOMEM;
> -- 
> 1.8.1.4
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 

-- 
James Morris
<jmorris@namei.org>