From 4a3fbc84058597093f1e08ce749aa364cbf32096 Mon Sep 17 00:00:00 2001
From: Andrew Morton
Date: Sun, 25 May 2003 01:12:47 -0700
Subject: [PATCH] devpts xattr handler for security labels

From: Stephen Smalley

This patch against 2.5.69-bk adds an xattr handler for security labels to devpts and corresponding hooks to the LSM API to support conversion between xattr values and the security labels stored in the inode security field by the security module. This allows userspace to get and set the security labels on devpts nodes, e.g. so that sshd can set the security label for the pty using setxattr, just as sshd already sets the ownership using chown. SELinux uses this support to protect the pty in accordance with the user process' security label. The changes to the LSM API are general and should be re-useable by xattr handlers in other pseudo filesystems to support similar security labeling. The xattr handler for devpts includes the same generic framework as in ext[23], so handlers for other kinds of attributes can be added easily in the future.
---
 include/linux/security.h | 52 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)
 (limited to 'include')

diff --git a/include/linux/security.h b/include/linux/security.h
index 5c041e89a505..c1d1480d2f49 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -376,6 +376,25 @@ struct swap_info_struct;
  * Check permission before removing the extended attribute
  * identified by @name for @dentry.
  * Return 0 if permission is granted.
+ * @inode_getsecurity:
+ * Copy the extended attribute representation of the security label
+ * associated with @name for @dentry into @buffer. @buffer may be
+ * NULL to request the size of the buffer required. @size indicates
+ * the size of @buffer in bytes. Note that @name is the remainder
+ * of the attribute name after the security. prefix has been removed.
+ * Return number of bytes used/required on success.
+ * @inode_setsecurity:
+ * Set the security label associated with @name for @dentry from the
+ * extended attribute value @value. @size indicates the size of the
+ * @value in bytes. @flags may be XATTR_CREATE, XATTR_REPLACE, or 0.
+ * Note that @name is the remainder of the attribute name after the
+ * security. prefix has been removed.
+ * Return 0 on success.
+ * @inode_listsecurity:
+ * Copy the extended attribute names for the security labels
+ * associated with @dentry into @buffer. @buffer may be NULL to
+ * request the size of the buffer required.
+ * Returns number of bytes used/required on success.
  *
  * Security hooks for file operations
  *
@@ -1049,6 +1068,9 @@ struct security_operations {
 int (*inode_getxattr) (struct dentry *dentry, char *name);
 int (*inode_listxattr) (struct dentry *dentry);
 int (*inode_removexattr) (struct dentry *dentry, char *name);
+ int (*inode_getsecurity)(struct dentry *dentry, const char *name, void *buffer, size_t size);
+ int (*inode_setsecurity)(struct dentry *dentry, const char *name, const void *value, size_t size, int flags);
+ int (*inode_listsecurity)(struct dentry *dentry, char *buffer);
 int (*file_permission) (struct file * file, int mask);
 int (*file_alloc_security) (struct file * file);
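Review bot: The @inode_getsecurity description leaves the short-buffer case unspecified: it says @buffer may be NULL to query the required size, but not what the hook returns when @buffer is non-NULL and @size is smaller than the label. A filesystem getxattr handler built on this hook (the devpts one this commit describes) needs to know whether to expect -ERANGE, as getxattr(2) promises to userspace, or a truncated copy. I would add after the "@size indicates" sentence ` *	Return -ERANGE if @buffer is non-NULL but @size is too small.`, once the SELinux implementation is confirmed to behave that way. The same gap applies to @inode_listsecurity, which also allows a NULL @buffer but does not say what a non-NULL, too-short buffer yields.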
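Review bot: The three new function-pointer members in struct security_operations do not follow the formatting of their neighbours: entries such as `int (*inode_getxattr) (struct dentry *dentry, char *name);` put a space between the `(*name)` and the parameter list, the new ones omit it, and the two longer declarations run well past 80 columns. Wrapping them, e.g. `int (*inode_setsecurity) (struct dentry *dentry, const char *name,` / `                         const void *value, size_t size, int flags);`, keeps the table readable. The `const char *name` on the new hooks also differs from the non-const `char *name` on inode_getxattr and inode_removexattr two lines above; the const form is the better one, so the older hooks may be worth aligning in a follow-up rather than weakening these. struct security_operations begins and ends outside the hunk.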
@@ -1499,6 +1521,21 @@ static inline int security_inode_removexattr (struct dentry *dentry, char *name)
 return security_ops->inode_removexattr (dentry, name);
 }
 
+static inline int security_inode_getsecurity(struct dentry *dentry, const char *name, void *buffer, size_t size)
+{
+ return security_ops->inode_getsecurity(dentry, name, buffer, size);
+}
+
+static inline int security_inode_setsecurity(struct dentry *dentry, const char *name, const void *value, size_t size, int flags)
+{
+ return security_ops->inode_setsecurity(dentry, name, value, size, flags);
+}
+
+static inline int security_inode_listsecurity(struct dentry *dentry, char *buffer)
+{
+ return security_ops->inode_listsecurity(dentry, buffer);
+}
+
 static inline int security_file_permission (struct file *file, int mask)
 {
 return security_ops->file_permission (file, mask);
@@ -2117,6 +2154,21 @@ static inline int security_inode_removexattr (struct dentry *dentry, char *name)
 return 0;
 }
 
+static inline int security_inode_getsecurity(struct dentry *dentry, const char *name, void *buffer, size_t size)
+{
+ return -EOPNOTSUPP;
+}
+
+static inline int security_inode_setsecurity(struct dentry *dentry, const char *name, const void *value, size_t size, int flags)
+{
+ return -EOPNOTSUPP;
+}
+
+static inline int security_inode_listsecurity(struct dentry *dentry, char *buffer)
+{
+ return 0;
+}
+
 static inline int security_file_permission (struct file *file, int mask)
 {
 return 0;
-- 
cgit v1.2.3
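Review bot: The three new wrappers call through security_ops->inode_getsecurity, ->inode_setsecurity and ->inode_listsecurity unconditionally, so every registered security module, and the default dummy module, must supply these pointers or a getxattr/setxattr/listxattr on a "security." name becomes a call through a NULL function pointer in kernel context. The diffstat shows this commit touches only include/linux/security.h, so the matching defaults in security/dummy.c and their inclusion in the NULL-to-dummy fixup in security/security.c are presumably in a companion patch; that is worth confirming before this lands, since any out-of-tree LSM that predates the hooks is otherwise left with NULL entries. A one-line comment above the first wrapper, such as `/* Every LSM, including dummy.c, must provide these three hooks. */`, would make the obligation visible to the next person adding a module. The enclosing #ifdef CONFIG_SECURITY region starts and ends outside the hunk.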
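Review bot: The CONFIG_SECURITY=n stubs encode an asymmetric outcome without saying why: security_inode_getsecurity and security_inode_setsecurity fail with -EOPNOTSUPP, while security_inode_listsecurity reports 0 bytes, so a "security." attribute is absent from listxattr yet getxattr/setxattr on it return "Operation not supported" rather than ENODATA. That split is reasonable (there is no label to list and no module to accept one), but a reader of the stubs has to reconstruct it. A comment above the first stub, e.g. `/* No security module: nothing to list, and get/set of security.* is unsupported. */`, records the intent. These stubs sit in the #else branch of the CONFIG_SECURITY conditional, which begins outside the hunk.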