rpms/kernel/devel linux-2.6-selinux-ecryptfs-support.patch, NONE, 1.1 kernel.spec, 1.697, 1.698
Eric Paris (eparis)
fedora-extras-commits at redhat.com
Wed Jun 18 15:14:27 UTC 2008
Author: eparis
Update of /cvs/pkgs/rpms/kernel/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv8957
Modified Files:
kernel.spec
Added Files:
linux-2.6-selinux-ecryptfs-support.patch
Log Message:
* Wed Jun 18 2008 Eric Paris <eparis at redhat.com>
- Better selinux support for ecryptfs overlays (BZ 450867)
linux-2.6-selinux-ecryptfs-support.patch:
--- NEW FILE linux-2.6-selinux-ecryptfs-support.patch ---
security/selinux/hooks.c | 22 +++++++++++++++++-----
security/selinux/include/security.h | 2 +-
security/selinux/ss/services.c | 27 +++++++++++++++++++--------
3 files changed, 37 insertions(+), 14 deletions(-)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 1c864c0..e4e5c3e 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -554,13 +554,15 @@ static int selinux_set_mnt_opts(struct super_block *sb,
struct task_security_struct *tsec = current->security;
struct superblock_security_struct *sbsec = sb->s_security;
const char *name = sb->s_type->name;
- struct inode *inode = sbsec->sb->s_root->d_inode;
- struct inode_security_struct *root_isec = inode->i_security;
+ struct dentry *root = sb->s_root;
+ struct inode *root_inode = root->d_inode;
+ struct inode_security_struct *root_isec = root_inode->i_security;
u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
u32 defcontext_sid = 0;
char **mount_options = opts->mnt_opts;
int *flags = opts->mnt_opts_flags;
int num_opts = opts->num_mnt_opts;
+ bool can_xattr = false;
mutex_lock(&sbsec->lock);
@@ -664,14 +666,24 @@ static int selinux_set_mnt_opts(struct super_block *sb,
goto out;
}
- if (strcmp(sb->s_type->name, "proc") == 0)
+ if (strcmp(name, "proc") == 0)
sbsec->proc = 1;
+ /*
+ * test if the fs supports xattrs, fs_use might make use of this if the
+ * fs has no definition in policy.
+ */
+ if (root_inode->i_op->getxattr) {
+ rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
+ if (rc >= 0 || rc == -ENODATA)
+ can_xattr = true;
+ }
+
/* Determine the labeling behavior to use for this filesystem type. */
- rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
+ rc = security_fs_use(name, &sbsec->behavior, &sbsec->sid, can_xattr);
if (rc) {
printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
- __func__, sb->s_type->name, rc);
+ __func__, name, rc);
goto out;
}
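Review bot: The xattr probe added in this hunk discards every getxattr error other than -ENODATA without a trace, so a filesystem whose probe fails for an unrelated reason silently gets the genfs/none fallback instead of xattr labeling. Logging the unexpected cases would make that labeling downgrade visible, e.g. `else if (rc != -EOPNOTSUPP) printk(KERN_WARNING "%s: getxattr probe on %s returned %d\n", __func__, name, rc);` after the `can_xattr = true;` branch. A one-line comment saying that -ENODATA means "xattrs are supported, the root simply has no SELinux label yet" would also help the next reader. The probe appears to run with `sbsec->lock` held (the `mutex_lock` is at the end of the previous hunk) and calls into the filesystem. selinux_set_mnt_opts continues outside both hunks, so this should be checked against the rest of the function.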
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index ad30ac4..cc5f791 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -131,7 +131,7 @@ int security_get_allow_unknown(void);
#define SECURITY_FS_USE_MNTPOINT 6 /* use mountpoint labeling */
int security_fs_use(const char *fstype, unsigned int *behavior,
- u32 *sid);
+ u32 *sid, bool can_xattr);
int security_genfs_sid(const char *fstype, char *name, u16 sclass,
u32 *sid);
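Review bot: The new `can_xattr` argument has no documented contract at the prototype, although it changes which labeling behavior a filesystem type missing from policy receives. I would add above the declaration: `/* can_xattr: caller probed the fs root and it answers security.selinux getxattr; consulted only when policy has no fs_use entry for fstype */`. Only the selinux_set_mnt_opts call site is updated in this patch, so any other caller of security_fs_use would need the extra argument as well.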
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index dcc2e1c..f54c661 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1825,7 +1825,8 @@ out:
int security_fs_use(
const char *fstype,
unsigned int *behavior,
- u32 *sid)
+ u32 *sid,
+ bool can_xattr)
{
int rc = 0;
struct ocontext *c;
@@ -1839,6 +1840,7 @@ int security_fs_use(
c = c->next;
}
+ /* look for labeling behavior defined in policy */
if (c) {
*behavior = c->v.behavior;
if (!c->sid[0]) {
@@ -1849,14 +1851,23 @@ int security_fs_use(
goto out;
}
*sid = c->sid[0];
+ goto out;
+ }
+
+ /* labeling behavior not in policy, use xattrs if possible */
+ if (can_xattr) {
+ *behavior = SECURITY_FS_USE_XATTR;
+ *sid = SECINITSID_FS;
+ goto out;
+ }
+
+ /* no behavior in policy and can't use xattrs, try GENFS */
+ rc = security_genfs_sid(fstype, "/", SECCLASS_DIR, sid);
+ if (rc) {
+ *behavior = SECURITY_FS_USE_NONE;
+ rc = 0;
} else {
- rc = security_genfs_sid(fstype, "/", SECCLASS_DIR, sid);
- if (rc) {
- *behavior = SECURITY_FS_USE_NONE;
- rc = 0;
- } else {
- *behavior = SECURITY_FS_USE_GENFS;
- }
+ *behavior = SECURITY_FS_USE_GENFS;
}
out:
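Review bot: The `if (can_xattr)` branch runs before `security_genfs_sid()`, so for any filesystem type without an fs_use entry an explicit genfscon rule in policy is now bypassed whenever the root answers the xattr probe, and on-disk `security.selinux` values become authoritative for a type the policy author never marked as xattr-capable. That moves a trust decision from policy to a kernel heuristic, and it applies to every such filesystem, not only the ecryptfs case named in the log message. If the override is intended, state it at the branch, e.g. `/* NOTE: takes precedence over genfscon; on-disk labels are trusted for fs types with no fs_use entry */`. Otherwise consider trying `security_genfs_sid()` first and using the xattr default only when it finds no entry. security_fs_use starts and ends outside this hunk, so the `out:` path is not visible here.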
Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/devel/kernel.spec,v
retrieving revision 1.697
retrieving revision 1.698
diff -u -r1.697 -r1.698
--- kernel.spec 17 Jun 2008 13:11:11 -0000 1.697
+++ kernel.spec 18 Jun 2008 15:13:39 -0000 1.698
@@ -622,6 +622,7 @@
Patch802: linux-2.6-selinux-generic-ioctl.patch
Patch803: linux-2.6-selinux-new-proc-checks.patch
Patch804: linux-2.6-selinux-get-invalid-xattrs.patch
+Patch805: linux-2.6-selinux-ecryptfs-support.patch
#
Patch1101: linux-2.6-default-mmf_dump_elf_headers.patch
@@ -1133,6 +1134,7 @@
ApplyPatch linux-2.6-selinux-generic-ioctl.patch
ApplyPatch linux-2.6-selinux-new-proc-checks.patch
ApplyPatch linux-2.6-selinux-get-invalid-xattrs.patch
+ApplyPatch linux-2.6-selinux-ecryptfs-support.patch
# wireless patches headed for 2.6.26
ApplyPatch linux-2.6-wireless.patch
@@ -1780,6 +1782,9 @@
%kernel_variant_files -a /%{image_install_path}/xen*-%{KVERREL}.xen -e /etc/ld.so.conf.d/kernelcap-%{KVERREL}.xen.conf %{with_xen} xen
%changelog
+* Wed Jun 18 2008 Eric Paris <eparis at redhat.com>
+- Better selinux support for ecryptfs overlays (BZ 450867)
+
* Tue Jun 17 2008 Dave Jones <davej at redhat.com>
- 2.6.26-rc6-git4