• David P. Quigley's avatar
    LSM/SELinux: inode_{get,set,notify}secctx hooks to access LSM security context information. · 1ee65e37
    David P. Quigley authored
    This patch introduces three new hooks. The inode_getsecctx hook is used to get
    all relevant information from an LSM about an inode. The inode_setsecctx is
    used to set both the in-core and on-disk state for the inode based on a context
    derived from inode_getsecctx.The final hook inode_notifysecctx will notify the
    LSM of a change for the in-core state of the inode in question. These hooks are
    for use in the labeled NFS code and addresses concerns of how to set security
    on an inode in a multi-xattr LSM. For historical reasons Stephen Smalley's
    explanation of the reason for these hooks is pasted below.
    Quote Stephen Smalley
    inode_setsecctx:  Change the security context of an inode.  Updates the
    in core security context managed by the security module and invokes the
    fs code as needed (via __vfs_setxattr_noperm) to update any backing
    xattrs that represent the context.  Example usage:  NFS server invokes
    this hook to change the security context in its incore inode and on the
    backing file system to a value provided by the client on a SETATTR
    inode_notifysecctx:  Notify the security module of what the security
    context of an inode should be.  Initializes the incore security context
    managed by the security module for this inode.  Example usage:  NFS
    client invokes this hook to initialize the security context in its
    incore inode to the value provided by the server for the file when the
    server returned the file's attributes to the client.
    Signed-off-by: default avatarDavid P. Quigley <dpquigl@tycho.nsa.gov>
    Acked-by: default avatarSerge Hallyn <serue@us.ibm.com>
    Signed-off-by: default avatarJames Morris <jmorris@namei.org>
security.c 32.5 KB