authorAndrew Morton <akpm@digeo.com>2003-05-25 01:12:47 -0700
committerLinus Torvalds <torvalds@home.transmeta.com>2003-05-25 01:12:47 -0700
commit4a3fbc84058597093f1e08ce749aa364cbf32096 (patch)
tree040cb69b9e5789a70d3fe53e70eecd0762b963d3 /include
parentfb39f360f4dc671e1f7843c64fa4624aa945841d (diff)
[PATCH] devpts xattr handler for security labels
From: Stephen Smalley <sds@epoch.ncsc.mil> This patch against 2.5.69-bk adds an xattr handler for security labels to devpts and corresponding hooks to the LSM API to support conversion between xattr values and the security labels stored in the inode security field by the security module. This allows userspace to get and set the security labels on devpts nodes, e.g. so that sshd can set the security label for the pty using setxattr, just as sshd already sets the ownership using chown. SELinux uses this support to protect the pty in accordance with the user process' security label. The changes to the LSM API are general and should be reusable by xattr handlers in other pseudo filesystems to support similar security labeling. The xattr handler for devpts includes the same generic framework as in ext[23], so handlers for other kinds of attributes can be added easily in the future.
Diffstat (limited to 'include')
-rw-r--r--include/linux/security.h52
1 files changed, 52 insertions, 0 deletions
diff --git a/include/linux/security.h b/include/linux/security.h
index 5c041e89a505..c1d1480d2f49 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -376,6 +376,25 @@ struct swap_info_struct;
* Check permission before removing the extended attribute
* identified by @name for @dentry.
* Return 0 if permission is granted.
+ * @inode_getsecurity:
+ * Copy the extended attribute representation of the security label
+ * associated with @name for @dentry into @buffer. @buffer may be
+ * NULL to request the size of the buffer required. @size indicates
+ * the size of @buffer in bytes. Note that @name is the remainder
+ * of the attribute name after the security. prefix has been removed.
+ * Return number of bytes used/required on success.
+ * @inode_setsecurity:
+ * Set the security label associated with @name for @dentry from the
+ * extended attribute value @value. @size indicates the size of the
+ * @value in bytes. @flags may be XATTR_CREATE, XATTR_REPLACE, or 0.
+ * Note that @name is the remainder of the attribute name after the
+ * security. prefix has been removed.
+ * Return 0 on success.
+ * @inode_listsecurity:
+ * Copy the extended attribute names for the security labels
+ * associated with @dentry into @buffer. @buffer may be NULL to
+ * request the size of the buffer required.
+ * Returns number of bytes used/required on success.
*
* Security hooks for file operations
*
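Review bot: The three new hook entries never say whether they are permission checks or pure label conversions, while the neighbouring @inode_removexattr entry is explicit that it checks permission; a pseudo-filesystem handler that calls @inode_setsecurity directly instead of through the generic path that first invokes @inode_setxattr would presumably bypass the module's access decision. I would add to the @inode_setsecurity entry `No permission check is performed here; the caller must already have passed @inode_setxattr for this @dentry and name.` and the matching sentence for @inode_getsecurity with @inode_getxattr. The @inode_getsecurity return line also leaves the failure cases open: state what is returned when @buffer is non-NULL but smaller than the label (the xattr convention is -ERANGE) and when the module does not know the name (the stub later in this patch returns -EOPNOTSUPP). The comment block these entries belong to starts before this hunk.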
@@ -1049,6 +1068,9 @@ struct security_operations {
int (*inode_getxattr) (struct dentry *dentry, char *name);
int (*inode_listxattr) (struct dentry *dentry);
int (*inode_removexattr) (struct dentry *dentry, char *name);
+ int (*inode_getsecurity)(struct dentry *dentry, const char *name, void *buffer, size_t size);
+ int (*inode_setsecurity)(struct dentry *dentry, const char *name, const void *value, size_t size, int flags);
+ int (*inode_listsecurity)(struct dentry *dentry, char *buffer);
int (*file_permission) (struct file * file, int mask);
int (*file_alloc_security) (struct file * file);
@@ -1499,6 +1521,21 @@ static inline int security_inode_removexattr (struct dentry *dentry, char *name)
return security_ops->inode_removexattr (dentry, name);
}
+static inline int security_inode_getsecurity(struct dentry *dentry, const char *name, void *buffer, size_t size)
+{
+ return security_ops->inode_getsecurity(dentry, name, buffer, size);
+}
+
+static inline int security_inode_setsecurity(struct dentry *dentry, const char *name, const void *value, size_t size, int flags)
+{
+ return security_ops->inode_setsecurity(dentry, name, value, size, flags);
+}
+
+static inline int security_inode_listsecurity(struct dentry *dentry, char *buffer)
+{
+ return security_ops->inode_listsecurity(dentry, buffer);
+}
+
static inline int security_file_permission (struct file *file, int mask)
{
return security_ops->file_permission (file, mask);
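Review bot: security_inode_listsecurity forwards only @buffer to the module with no length, so when @buffer is non-NULL the hook cannot bound its write and must trust that the caller sized it from an earlier NULL-buffer call; a module whose set of names can change between the two calls, or a caller that skips the size query, would overrun the buffer. The get wrapper takes a `size_t size` for exactly this reason, and the list wrapper should too: `static inline int security_inode_listsecurity(struct dentry *dentry, char *buffer, size_t buffer_size)` forwarding `buffer_size` to a hook with the same added parameter. That touches the struct member, this wrapper, the stub and every module implementing the hook, so it is best settled before modules start depending on the size-less form. Each wrapper is complete within the hunk, but the conditional section they live in begins and ends outside it.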
@@ -2117,6 +2154,21 @@ static inline int security_inode_removexattr (struct dentry *dentry, char *name)
return 0;
}
+static inline int security_inode_getsecurity(struct dentry *dentry, const char *name, void *buffer, size_t size)
+{
+ return -EOPNOTSUPP;
+}
+
+static inline int security_inode_setsecurity(struct dentry *dentry, const char *name, const void *value, size_t size, int flags)
+{
+ return -EOPNOTSUPP;
+}
+
+static inline int security_inode_listsecurity(struct dentry *dentry, char *buffer)
+{
+ return 0;
+}
+
static inline int security_file_permission (struct file *file, int mask)
{
return 0;
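Review bot: The stub security_inode_listsecurity returns 0 while its two siblings return -EOPNOTSUPP, and nothing says why; since the get/set stubs' -EOPNOTSUPP tells the caller the security.* name is unsupported, a zero-byte (empty) name list is the consistent answer from list, but a reader comparing the three will take the mismatch for an oversight. I would add above the `return 0;` the comment `/* No security module: no security.* names to list, so zero bytes. */`. The conditional block holding these stubs begins and ends outside the hunk.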