06 Nov, 2019
1 commit
-
Add a flag option to get xattr method that could have a bit flag of
XATTR_NOSECURITY passed to it. XATTR_NOSECURITY is generally then
set in the __vfs_getxattr path when called by security
infrastructure.

This handles the case of a union filesystem driver that is being
requested by the security layer to report back the xattr data.

For the use case where access is to be blocked by the security layer.

The path then could be security(dentry) ->
__vfs_getxattr(dentry...XATTR_NOSECURITY) ->
handler->get(dentry...XATTR_NOSECURITY) ->
__vfs_getxattr(lower_dentry...XATTR_NOSECURITY) ->
lower_handler->get(lower_dentry...XATTR_NOSECURITY)
which would report back through the chain data and success as
expected, the logging security layer at the top would have the
data to determine the access permissions and report back the target
context that was blocked.

Without the get handler flag, the path on a union filesystem would be
the errant security(dentry) -> __vfs_getxattr(dentry) ->
handler->get(dentry) -> vfs_getxattr(lower_dentry) -> nested ->
security(lower_dentry, log off) -> lower_handler->get(lower_dentry)
which would report back through the chain no data, and -EACCES.

For selinux for both cases, this would translate to a correctly
determined blocked access. In the first case with this change a correct avc
log would be reported, in the second legacy case an incorrect avc log
would be reported against an uninitialized u:object_r:unlabeled:s0
context making the logs cosmetically useless for audit2allow.

This patch series is inert and is the wide-spread addition of the
flags option for xattr functions, and a replacement of __vfs_getxattr
with __vfs_getxattr(...XATTR_NOSECURITY).

Signed-off-by: Mark Salyzyn
Reviewed-by: Jan Kara
Acked-by: Jan Kara
Acked-by: Jeff Layton
Acked-by: David Sterba
Acked-by: Darrick J. Wong
Acked-by: Mike Marshall
Cc: Stephen Smalley
Cc: linux-kernel@vger.kernel.org
Cc: kernel-team@android.com
Cc: linux-security-module@vger.kernel.org

(cherry picked from (rejected from archive because of too many recipients))
Signed-off-by: Mark Salyzyn
Bug: 133515582
Bug: 136124883
Bug: 129319403
Change-Id: Iabbb8771939d5f66667a26bb23ddf4c562c349a1
24 Oct, 2018
1 commit
-
In the iov_iter struct, separate the iterator type from the iterator
direction and use accessor functions to access them in most places.

Convert a bunch of places to use switch-statements to access them rather
than chains of bitwise-AND statements. This makes it easier to add further
iterator types. Also, this can be more efficient as to implement a switch
of small contiguous integers, the compiler can use ~50% fewer compare
instructions than it has to use bitwise-and instructions.

Further, cease passing the iterator type into the iterator setup function.
The iterator function can set that itself. Only the direction is required.

Signed-off-by: David Howells
13 Aug, 2018
1 commit
-
In my testing, v9fs_fid_xattr_set will return successfully even if the
backend ext4 filesystem has no space to store xattr key-value. That will
cause inconsistent behavior between front end and back end. The reason is
that lsetxattr will be triggered by p9_client_clunk, and unfortunately we
did not catch the error. This patch will catch the error to notify upper
caller.

p9_client_clunk (in 9p)
  p9_client_rpc(clnt, P9_TCLUNK, "d", fid->fid);
    v9fs_clunk (in qemu)
      put_fid
        free_fid
          v9fs_xattr_fid_clunk
            v9fs_co_lsetxattr
              s->ops->lsetxattr
                ext4_xattr_user_set (in host ext4 filesystem)

Link: http://lkml.kernel.org/r/5B57EACC.2060900@huawei.com
Signed-off-by: Jun Piao
Cc: Eric Van Hensbergen
Cc: Ron Minnich
Cc: Latchesar Ionkov
Cc: Andrew Morton
Cc: stable@vger.kernel.org
Signed-off-by: Dominique Martinet
03 Aug, 2016
1 commit
-
in a bunch of places it cleans the things up
Signed-off-by: Al Viro
28 May, 2016
1 commit
-
preparation for similar switch in ->setxattr() (see the next commit for
rationale).

Signed-off-by: Al Viro
11 Apr, 2016
1 commit
-
... and do not assume they are already attached to each other
Signed-off-by: Al Viro
07 Dec, 2015
1 commit
-
Add an additional "name" field to struct xattr_handler. When the name
is set, the handler matches attributes with exactly that name. When the
prefix is set instead, the handler matches attributes with the given
prefix and with a non-empty suffix.

This patch should avoid bugs like the one fixed in commit c361016a in
the future.

Signed-off-by: Andreas Gruenbacher
Reviewed-by: James Morris
Signed-off-by: Al Viro
14 Nov, 2015
1 commit
-
Now that the xattr handler is passed to the xattr handler operations, we
can use the same get and set operations for the user, trusted, and security
xattr namespaces. In those namespaces, we can access the full attribute
name by "reattaching" the name prefix the vfs has skipped for us. Add a
xattr_full_name helper to make this obvious in the code.

For the "system.posix_acl_access" and "system.posix_acl_default"
attributes, handler->prefix is the full attribute name; the suffix is the
empty string.

Signed-off-by: Andreas Gruenbacher
Cc: Eric Van Hensbergen
Cc: Ron Minnich
Cc: Latchesar Ionkov
Cc: v9fs-developer@lists.sourceforge.net
Signed-off-by: Al Viro
12 Apr, 2015
2 commits
-
... and make it loop
Signed-off-by: Al Viro
-
... and make it loop until it's done
Signed-off-by: Al Viro
02 Jun, 2014
1 commit
-
v9fs_fid_xattr_set is supposed to return 0 on success.
This corrects the behaviour introduced in commit
bdd5c28dcb8330b9074404cc92a0b83aae5606a
"9p: fix return value in case in v9fs_fid_xattr_set()"

(The function returns a negative error on error, as expected)

Signed-off-by: Dominique Martinet
Signed-off-by: Eric Van Hensbergen
24 Nov, 2013
1 commit
-
In case of error in the p9_client_write, the function v9fs_fid_xattr_set
should return its negative value, what was never being done.

In case of success it only returned 0. Now it returns the 'offset'
variable (write_count total).

Signed-off-by: Geyslan G. Bem
Signed-off-by: Eric Van Hensbergen
08 Jul, 2013
1 commit
-
Allow requests for security.* and trusted.* xattr name spaces
to pass through to server.

The new files are 99% cut and paste from fs/9p/xattr_user.c with the
namespaces changed. It has the intended effect in superficial testing.
I do not know much detail about how these namespaces are used, but passing
them through to the server, which can decide whether to handle them or not,
seems reasonable.

I want to support a use case where an ext4 file system is mounted via 9P,
then re-exported via samba to windows clients in a cluster. Windows wants
to store xattrs such as security.NTACL. This works when ext4 directly
backs samba, but not when 9P is inserted. This use case is documented here:
http://code.google.com/p/diod/issues/detail?id=95

Signed-off-by: Jim Garlick
Signed-off-by: Eric Van Hensbergen
26 Feb, 2013
1 commit
-
... making v9fs_xattr_set() a wrapper for it.
Signed-off-by: Al Viro
06 Jan, 2012
1 commit
-
Reduce object size by deduplicating formats.
Use vsprintf extension %pV.
Rename P9_DPRINTK uses to p9_debug, align arguments.
Add function for _p9_debug and macro to add __func__.
Add missing "\n"s to p9_debug uses.
Remove embedded function names as p9_debug adds it.
Remove P9_EPRINTK macro and convert use to pr_.
Add and use pr_fmt and pr_.

$ size fs/9p/built-in.o*
   text    data     bss     dec     hex filename
  62133     984   16000   79117   1350d fs/9p/built-in.o.new
  67342     984   16928   85254   14d06 fs/9p/built-in.o.old
$ size net/9p/built-in.o*
   text    data     bss     dec     hex filename
  88792    4148   22024  114964   1c114 net/9p/built-in.o.new
  94072    4148   23232  121452   1da6c net/9p/built-in.o.old

Signed-off-by: Joe Perches
Signed-off-by: Eric Van Hensbergen
11 Jan, 2011
1 commit
-
Signed-off-by: Joe Perches
Signed-off-by: Eric Van Hensbergen
28 Oct, 2010
2 commits
-
This patch implements fetching POSIX ACL from the server
Signed-off-by: Aneesh Kumar K.V
Signed-off-by: Venkateswararao Jujjuri
Signed-off-by: Eric Van Hensbergen
-
The ACL value is fetched as a part of inode initialization
from the server and the permission checking function uses the
cached value of the ACL

Signed-off-by: Aneesh Kumar K.V
Signed-off-by: Venkateswararao Jujjuri
Signed-off-by: Eric Van Hensbergen
03 Aug, 2010
2 commits
-
fixes:
CHECK fs/9p/xattr.c
fs/9p/xattr.c:73:6: warning: Using plain integer as NULL pointer
fs/9p/xattr.c:135:6: warning: Using plain integer as NULL pointer

Signed-off-by: Eric Van Hensbergen
-
Signed-off-by: Aneesh Kumar K.V
Signed-off-by: Venkateswararao Jujjuri
Signed-off-by: Eric Van Hensbergen