@@ -122,7 +122,8 @@ nfs4_label_init_security(struct inode *dir, struct dentry *dentry,
return NULL;
err = security_dentry_init_security(dentry, sattr->ia_mode,
- &dentry->d_name, (void **)&label->label, &label->len);
+ &dentry->d_name, NULL,
+ (void **)&label->label, &label->len);
if (err == 0)
return label;
@@ -1476,8 +1476,8 @@ union security_list_options {
unsigned long *set_kern_flags);
int (*sb_parse_opts_str)(char *options, struct security_mnt_opts *opts);
int (*dentry_init_security)(struct dentry *dentry, int mode,
- const struct qstr *name, void **ctx,
- u32 *ctxlen);
+ const struct qstr *name, const char **label,
+ void **ctx, u32 *ctxlen);
int (*dentry_create_files_as)(struct dentry *dentry, int mode,
struct qstr *name,
const struct cred *old,
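Review bot: The kernel-doc block in include/linux/lsm_hooks.h that documents the dentry_init_security hook is not touched by this change (the diffstat for that file covers only the two signature lines), so if that comment still lists @ctx and @ctxlen it now omits the new parameter. Add a line such as `@label pointer to place the security module's xattr name suffix in, or NULL if the caller does not need it.` next to the existing @ctx description, and note that it is an output that is only meaningful when the hook returns 0. The same wording would suit the prototype in include/linux/security.h. The union continues outside this hunk.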
@@ -246,8 +246,9 @@ int security_sb_clone_mnt_opts(const struct super_block *oldsb,
unsigned long *set_kern_flags);
int security_sb_parse_opts_str(char *options, struct security_mnt_opts *opts);
int security_dentry_init_security(struct dentry *dentry, int mode,
- const struct qstr *name, void **ctx,
- u32 *ctxlen);
+ const struct qstr *name,
+ const char **label,
+ void **ctx, u32 *ctxlen);
int security_dentry_create_files_as(struct dentry *dentry, int mode,
struct qstr *name,
const struct cred *old,
@@ -609,8 +610,8 @@ static inline void security_inode_free(struct inode *inode)
static inline int security_dentry_init_security(struct dentry *dentry,
int mode,
const struct qstr *name,
- void **ctx,
- u32 *ctxlen)
+ const char **label,
+ void **ctx, u32 *ctxlen)
{
return -EOPNOTSUPP;
}
@@ -450,11 +450,12 @@ void security_inode_free(struct inode *inode)
}
int security_dentry_init_security(struct dentry *dentry, int mode,
- const struct qstr *name, void **ctx,
- u32 *ctxlen)
+ const struct qstr *name,
+ const char **label,
+ void **ctx, u32 *ctxlen)
{
return call_int_hook(dentry_init_security, -EOPNOTSUPP, dentry, mode,
- name, ctx, ctxlen);
+ name, label, ctx, ctxlen);
}
EXPORT_SYMBOL(security_dentry_init_security);
@@ -2985,8 +2985,9 @@ static void selinux_inode_free_security(struct inode *inode)
}
static int selinux_dentry_init_security(struct dentry *dentry, int mode,
- const struct qstr *name, void **ctx,
- u32 *ctxlen)
+ const struct qstr *name,
+ const char **label,
+ void **ctx, u32 *ctxlen)
{
u32 newsid;
int rc;
@@ -2998,6 +2999,9 @@ static int selinux_dentry_init_security(struct dentry *dentry, int mode,
if (rc)
return rc;
+ if (label)
+ *label = XATTR_SELINUX_SUFFIX;
+
return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
ctxlen);
}
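Review bot: `*label` is written before `security_sid_to_context()` runs, so when that call fails the caller receives a non-zero return with `*label` already set and `*ctx` untouched, an inconsistent pair of outputs. Because the value is a constant string this is harmless today, but assigning the label only after the context conversion succeeds keeps both outputs in step and matches how `ctx` is handled. The function's opening lines are in the previous hunk.
```c
	rc = security_sid_to_context(&selinux_state, newsid, (char **)ctx,
				     ctxlen);
	if (rc)
		return rc;

	/* Both outputs are valid only on success, so set label last. */
	if (label)
		*label = XATTR_SELINUX_SUFFIX;

	return 0;
```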
This is preparation for the CephFS security label. CephFS's implementation uses dentry_init_security() to get the security context before the inode is created, then sends the open/mkdir/mknod request to the MDS together with the security xattr "security.<security module name>". Signed-off-by: "Yan, Zheng" <zyan@redhat.com> --- fs/nfs/nfs4proc.c | 3 ++- include/linux/lsm_hooks.h | 4 ++-- include/linux/security.h | 9 +++++---- security/security.c | 7 ++++--- security/selinux/hooks.c | 8 ++++++-- 5 files changed, 19 insertions(+), 12 deletions(-)