[PATCH] add securityfs for all LSMs to use
Greg KH
fs that all LSMs can use instead of creating their own. The fs should
be mounted at /sys/kernel/security, and the fs creates that mount point.
This will make the LSB people happy that we aren't creating a new
/my_lsm_fs directory in the root for every different LSM.
Signed-off-by: Greg Kroah-Hartman <gre...@suse.de>
include/linux/security.h | 5
security/Makefile | 2
security/inode.c | 344 +++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 350 insertions(+), 1 deletion(-)
---
--- gregkh-2.6.orig/security/Makefile 2005-06-17 12:48:29.000000000 -0700
+++ gregkh-2.6/security/Makefile 2005-07-06 01:05:56.000000000 -0700
@@ -11,7 +11,7 @@
endif
# Object file lists
-obj-$(CONFIG_SECURITY) += security.o dummy.o
+obj-$(CONFIG_SECURITY) += security.o dummy.o inode.o
# Must precede capability.o in order to stack properly.
obj-$(CONFIG_SECURITY_SELINUX) += selinux/built-in.o
obj-$(CONFIG_SECURITY_CAPABILITIES) += commoncap.o capability.o
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ gregkh-2.6/security/inode.c 2005-07-06 01:08:12.000000000 -0700
@@ -0,0 +1,344 @@
+/*
+ * inode.c - securityfs
+ *
+ * Copyright (C) 2005 Greg Kroah-Hartman <gre...@suse.de>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License version
+ * 2 as published by the Free Software Foundation.
+ *
+ * Based on fs/debugfs/inode.c which had the following copyright notice:
+ * Copyright (C) 2004 Greg Kroah-Hartman <gr...@kroah.com>
+ * Copyright (C) 2004 IBM Inc.
+ */
+
+/* #define DEBUG */
+#include <linux/config.h>
+#include <linux/module.h>
+#include <linux/fs.h>
+#include <linux/mount.h>
+#include <linux/pagemap.h>
+#include <linux/init.h>
+#include <linux/namei.h>
+#include <linux/security.h>
+
+#define SECURITYFS_MAGIC 0x73636673
+
+static struct vfsmount *mount;
+static int mount_count;
+
+/*
+ * TODO:
+ * I think I can get rid of these default_file_ops, but not quite sure...
+ */
+static ssize_t default_read_file(struct file *file, char __user *buf,
+ size_t count, loff_t *ppos)
+{
+ return 0;
+}
+
+static ssize_t default_write_file(struct file *file, const char __user *buf,
+ size_t count, loff_t *ppos)
+{
+ return count;
+}
+
+static int default_open(struct inode *inode, struct file *file)
+{
+ if (inode->u.generic_ip)
+ file->private_data = inode->u.generic_ip;
+
+ return 0;
+}
+
+static struct file_operations default_file_ops = {
+ .read = default_read_file,
+ .write = default_write_file,
+ .open = default_open,
+};
+
+static struct inode *get_inode(struct super_block *sb, int mode, dev_t dev)
+{
+ struct inode *inode = new_inode(sb);
+
+ if (inode) {
+ inode->i_mode = mode;
+ inode->i_uid = 0;
+ inode->i_gid = 0;
+ inode->i_blksize = PAGE_CACHE_SIZE;
+ inode->i_blocks = 0;
+ inode->i_atime = inode->i_mtime = inode->i_ctime = CURRENT_TIME;
+ switch (mode & S_IFMT) {
+ default:
+ init_special_inode(inode, mode, dev);
+ break;
+ case S_IFREG:
+ inode->i_fop = &default_file_ops;
+ break;
+ case S_IFDIR:
+ inode->i_op = &simple_dir_inode_operations;
+ inode->i_fop = &simple_dir_operations;
+
+ /* directory inodes start off with i_nlink == 2 (for "." entry) */
+ inode->i_nlink++;
+ break;
+ }
+ }
+ return inode;
+}
+
+/* SMP-safe */
+static int mknod(struct inode *dir, struct dentry *dentry,
+ int mode, dev_t dev)
+{
+ struct inode *inode = get_inode(dir->i_sb, mode, dev);
+ int error = -EPERM;
+
+ if (dentry->d_inode)
+ return -EEXIST;
+
+ if (inode) {
+ d_instantiate(dentry, inode);
+ dget(dentry);
+ error = 0;
+ }
+ return error;
+}
+
+static int mkdir(struct inode *dir, struct dentry *dentry, int mode)
+{
+ int res;
+
+ mode = (mode & (S_IRWXUGO | S_ISVTX)) | S_IFDIR;
+ res = mknod(dir, dentry, mode, 0);
+ if (!res)
+ dir->i_nlink++;
+ return res;
+}
+
+static int create(struct inode *dir, struct dentry *dentry, int mode)
+{
+ mode = (mode & S_IALLUGO) | S_IFREG;
+ return mknod(dir, dentry, mode, 0);
+}
+
+static inline int positive(struct dentry *dentry)
+{
+ return dentry->d_inode && !d_unhashed(dentry);
+}
+
+static int fill_super(struct super_block *sb, void *data, int silent)
+{
+ static struct tree_descr files[] = {{""}};
+
+ return simple_fill_super(sb, SECURITYFS_MAGIC, files);
+}
+
+static struct super_block *get_sb(struct file_system_type *fs_type,
+ int flags, const char *dev_name,
+ void *data)
+{
+ return get_sb_single(fs_type, flags, data, fill_super);
+}
+
+static struct file_system_type fs_type = {
+ .owner = THIS_MODULE,
+ .name = "securityfs",
+ .get_sb = get_sb,
+ .kill_sb = kill_litter_super,
+};
+
+static int create_by_name(const char *name, mode_t mode,
+ struct dentry *parent,
+ struct dentry **dentry)
+{
+ int error = 0;
+
+ /* If the parent is not specified, we create it in the root.
+ * We need the root dentry to do this, which is in the super
+ * block. A pointer to that is in the struct vfsmount that we
+ * have around.
+ */
+ if (!parent ) {
+ if (mount && mount->mnt_sb) {
+ parent = mount->mnt_sb->s_root;
+ }
+ }
+ if (!parent) {
+ pr_debug("securityfs: Ah! can not find a parent!\n");
+ return -EFAULT;
+ }
+
+ *dentry = NULL;
+ down(&parent->d_inode->i_sem);
+ *dentry = lookup_one_len(name, parent, strlen(name));
+ if (!IS_ERR(dentry)) {
+ if ((mode & S_IFMT) == S_IFDIR)
+ error = mkdir(parent->d_inode, *dentry, mode);
+ else
+ error = create(parent->d_inode, *dentry, mode);
+ } else
+ error = PTR_ERR(dentry);
+ up(&parent->d_inode->i_sem);
+
+ return error;
+}
+
+/**
+ * securityfs_create_file - create a file in the securityfs filesystem
+ *
+ * @name: a pointer to a string containing the name of the file to create.
+ * @mode: the permission that the file should have
+ * @parent: a pointer to the parent dentry for this file. This should be a
+ * directory dentry if set. If this paramater is NULL, then the
+ * file will be created in the root of the securityfs filesystem.
+ * @data: a pointer to something that the caller will want to get to later
+ * on. The inode.u.generic_ip pointer will point to this value on
+ * the open() call.
+ * @fops: a pointer to a struct file_operations that should be used for
+ * this file.
+ *
+ * This is the basic "create a file" function for securityfs. It allows for a
+ * wide range of flexibility in createing a file, or a directory (if you
+ * want to create a directory, the securityfs_create_dir() function is
+ * recommended to be used instead.)
+ *
+ * This function will return a pointer to a dentry if it succeeds. This
+ * pointer must be passed to the securityfs_remove() function when the file is
+ * to be removed (no automatic cleanup happens if your module is unloaded,
+ * you are responsible here.) If an error occurs, NULL will be returned.
+ *
+ * If securityfs is not enabled in the kernel, the value -ENODEV will be
+ * returned. It is not wise to check for this value, but rather, check for
+ * NULL or !NULL instead as to eliminate the need for #ifdef in the calling
+ * code.
+ */
+struct dentry *securityfs_create_file(const char *name, mode_t mode,
+ struct dentry *parent, void *data,
+ struct file_operations *fops)
+{
+ struct dentry *dentry = NULL;
+ int error;
+
+ pr_debug("securityfs: creating file '%s'\n",name);
+
+ error = simple_pin_fs("securityfs", &mount, &mount_count);
+ if (error) {
+ dentry = ERR_PTR(error);
+ goto exit;
+ }
+
+ error = create_by_name(name, mode, parent, &dentry);
+ if (error) {
+ dentry = ERR_PTR(error);
+ goto exit;
+ }
+
+ if (dentry->d_inode) {
+ if (fops)
+ dentry->d_inode->i_fop = fops;
+ if (data)
+ dentry->d_inode->u.generic_ip = data;
+ }
+exit:
+ return dentry;
+}
+EXPORT_SYMBOL_GPL(securityfs_create_file);
+
+/**
+ * securityfs_create_dir - create a directory in the securityfs filesystem
+ *
+ * @name: a pointer to a string containing the name of the directory to
+ * create.
+ * @parent: a pointer to the parent dentry for this file. This should be a
+ * directory dentry if set. If this paramater is NULL, then the
+ * directory will be created in the root of the securityfs filesystem.
+ *
+ * This function creates a directory in securityfs with the given name.
+ *
+ * This function will return a pointer to a dentry if it succeeds. This
+ * pointer must be passed to the securityfs_remove() function when the file is
+ * to be removed (no automatic cleanup happens if your module is unloaded,
+ * you are responsible here.) If an error occurs, NULL will be returned.
+ *
+ * If securityfs is not enabled in the kernel, the value -ENODEV will be
+ * returned. It is not wise to check for this value, but rather, check for
+ * NULL or !NULL instead as to eliminate the need for #ifdef in the calling
+ * code.
+ */
+struct dentry *securityfs_create_dir(const char *name, struct dentry *parent)
+{
+ return securityfs_create_file(name,
+ S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO,
+ parent, NULL, NULL);
+}
+EXPORT_SYMBOL_GPL(securityfs_create_dir);
+
+/**
+ * securityfs_remove - removes a file or directory from the securityfs filesystem
+ *
+ * @dentry: a pointer to a the dentry of the file or directory to be
+ * removed.
+ *
+ * This function removes a file or directory in securityfs that was previously
+ * created with a call to another securityfs function (like
+ * securityfs_create_file() or variants thereof.)
+ *
+ * This function is required to be called in order for the file to be
+ * removed, no automatic cleanup of files will happen when a module is
+ * removed, you are responsible here.
+ */
+void securityfs_remove(struct dentry *dentry)
+{
+ struct dentry *parent;
+
+ if (!dentry)
+ return;
+
+ parent = dentry->d_parent;
+ if (!parent || !parent->d_inode)
+ return;
+
+ down(&parent->d_inode->i_sem);
+ if (positive(dentry)) {
+ if (dentry->d_inode) {
+ if (S_ISDIR(dentry->d_inode->i_mode))
+ simple_rmdir(parent->d_inode, dentry);
+ else
+ simple_unlink(parent->d_inode, dentry);
+ dput(dentry);
+ }
+ }
+ up(&parent->d_inode->i_sem);
+ simple_release_fs(&mount, &mount_count);
+}
+EXPORT_SYMBOL_GPL(securityfs_remove);
+
+static decl_subsys(security, NULL, NULL);
+
+static int __init securityfs_init(void)
+{
+ int retval;
+
+ kset_set_kset_s(&security_subsys, kernel_subsys);
+ retval = subsystem_register(&security_subsys);
+ if (retval)
+ return retval;
+
+ retval = register_filesystem(&fs_type);
+ if (retval)
+ subsystem_unregister(&security_subsys);
+ return retval;
+}
+
+static void __exit securityfs_exit(void)
+{
+ simple_release_fs(&mount, &mount_count);
+ unregister_filesystem(&fs_type);
+ subsystem_unregister(&security_subsys);
+}
+
+core_initcall(securityfs_init);
+module_exit(securityfs_exit);
+MODULE_LICENSE("GPL");
+
--- gregkh-2.6.orig/include/linux/security.h 2005-06-17 12:48:29.000000000 -0700
+++ gregkh-2.6/include/linux/security.h 2005-07-06 01:05:56.000000000 -0700
@@ -1983,6 +1983,11 @@
extern int unregister_security (struct security_operations *ops);
extern int mod_reg_security (const char *name, struct security_operations *ops);
extern int mod_unreg_security (const char *name, struct security_operations *ops);
+extern struct dentry *securityfs_create_file(const char *name, mode_t mode,
+ struct dentry *parent, void *data,
+ struct file_operations *fops);
+extern struct dentry *securityfs_create_dir(const char *name, struct dentry *parent);
+extern void securityfs_remove(struct dentry *dentry);
#else /* CONFIG_SECURITY */
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majo...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Ingo Oeser
On Wednesday 06 July 2005 10:17, Greg KH wrote:
> + * TODO:
> + * I think I can get rid of these default_file_ops, but not quite sure...
> + */
> +static ssize_t default_read_file(struct file *file, char __user *buf,
> + size_t count, loff_t *ppos)
> +{
> + return 0;
> +}
> +
> +static ssize_t default_write_file(struct file *file, const char __user *buf,
> + size_t count, loff_t *ppos)
> +{
> + return count;
> +}
Yes, you can get rid of both, if you move read_null and write_null from
drivers/char/mem.c to fs/libfs.c and export them.
But for what do you need a successful dummy read/write?
Regards
Ingo Oeser
Greg KH
> Hi Greg,
>
> On Wednesday 06 July 2005 10:17, Greg KH wrote:
> > + * TODO:
> > + * I think I can get rid of these default_file_ops, but not quite sure...
> > + */
> > +static ssize_t default_read_file(struct file *file, char __user *buf,
> > + size_t count, loff_t *ppos)
> > +{
> > + return 0;
> > +}
> > +
> > +static ssize_t default_write_file(struct file *file, const char __user *buf,
> > + size_t count, loff_t *ppos)
> > +{
> > + return count;
> > +}
>
> Yes, you can get rid of both, if you move read_null and write_null from
> drivers/char/mem.c to fs/libfs.c and export them.
That's not really necessary.
> But for what do you need a successful dummy read/write?
I don't. I need a file_ops structure to give to my newly created dentry
before I assign the one passed in by the caller to it. That's all. I
could probably just pass it up the function stack to do it properly,
haven't really looked into it...
thanks,
greg k-h
Mike Waychison
> Here's a small patch against 2.6.13-rc2 that adds securityfs, a virtual
> fs that all LSMs can use instead of creating their own. The fs should
> be mounted at /sys/kernel/security, and the fs creates that mount point.
> This will make the LSB people happy that we aren't creating a new
> /my_lsm_fs directory in the root for every different LSM.
How are LSM modules supposed to use these files? or is that forthcoming?
Comments inline:
You leak an inode here.
You should be guaranteed by here that mount is valid due to the
simple_pin_fs().
> + if (!parent) {
> + pr_debug("securityfs: Ah! can not find a parent!\n");
> + return -EFAULT;
> + }
> +
> + *dentry = NULL;
Not needed?
} else {
> + error = PTR_ERR(dentry);
}
simple_release_fs
Is this true? It would appear that this module can't be unloaded until
all files are _remove'd, no? (due to mount pinning).
> +void securityfs_remove(struct dentry *dentry)
> +{
> + struct dentry *parent;
> +
> + if (!dentry)
> + return;
> +
> + parent = dentry->d_parent;
> + if (!parent || !parent->d_inode)
> + return;
> +
> + down(&parent->d_inode->i_sem);
> + if (positive(dentry)) {
> + if (dentry->d_inode) {
> + if (S_ISDIR(dentry->d_inode->i_mode))
> + simple_rmdir(parent->d_inode, dentry);
> + else
> + simple_unlink(parent->d_inode, dentry);
> + dput(dentry);
Indentation?
> + }
> + }
> + up(&parent->d_inode->i_sem);
> + simple_release_fs(&mount, &mount_count);
> +}
> +EXPORT_SYMBOL_GPL(securityfs_remove);
Does EXPORT_SYMBOL(_GPL) even work from a module? I must be behind the
times.
Greg KH
> Greg KH wrote:
> > Here's a small patch against 2.6.13-rc2 that adds securityfs, a virtual
> > fs that all LSMs can use instead of creating their own. The fs should
> > be mounted at /sys/kernel/security, and the fs creates that mount point.
> > This will make the LSB people happy that we aren't creating a new
> > /my_lsm_fs directory in the root for every different LSM.
>
> How are LSM modules supposed to use these files? or is that forthcoming?
It's up to them to use it. See the patches from Serge that convert
seclvl to use it instead of sysfs.
> > +/* SMP-safe */
> > +static int mknod(struct inode *dir, struct dentry *dentry,
> > + int mode, dev_t dev)
> > +{
> > + struct inode *inode = get_inode(dir->i_sb, mode, dev);
> > + int error = -EPERM;
> > +
> > + if (dentry->d_inode)
>
> You leak an inode here.
Thankfully, the code path never actually has a d_inode assigned to the
dentry at this point, so we really don't :)
But I've fixed up the code now so this doesn't come up again (it was
mentioned on kernelnewbies the other day too...)
> > +static int create_by_name(const char *name, mode_t mode,
> > + struct dentry *parent,
> > + struct dentry **dentry)
> > +{
> > + int error = 0;
> > +
> > + /* If the parent is not specified, we create it in the root.
> > + * We need the root dentry to do this, which is in the super
> > + * block. A pointer to that is in the struct vfsmount that we
> > + * have around.
> > + */
> > + if (!parent ) {
> > + if (mount && mount->mnt_sb) {
> > + parent = mount->mnt_sb->s_root;
> > + }
> > + }
>
> You should be guaranteed by here that mount is valid due to the
> simple_pin_fs().
It's still good to verify :)
> > + if (!parent) {
> > + pr_debug("securityfs: Ah! can not find a parent!\n");
> > + return -EFAULT;
> > + }
> > +
> > + *dentry = NULL;
>
> Not needed?
I've moved it above this if() to be safe.
> > + down(&parent->d_inode->i_sem);
> > + *dentry = lookup_one_len(name, parent, strlen(name));
> > + if (!IS_ERR(dentry)) {
> > + if ((mode & S_IFMT) == S_IFDIR)
> > + error = mkdir(parent->d_inode, *dentry, mode);
> > + else
> > + error = create(parent->d_inode, *dentry, mode);
> > + } else
>
> } else {
>
> > + error = PTR_ERR(dentry);
>
> }
No, not needed.
> > +struct dentry *securityfs_create_file(const char *name, mode_t mode,
> > + struct dentry *parent, void *data,
> > + struct file_operations *fops)
> > +{
> > + struct dentry *dentry = NULL;
> > + int error;
> > +
> > + pr_debug("securityfs: creating file '%s'\n",name);
> > +
> > + error = simple_pin_fs("securityfs", &mount, &mount_count);
> > + if (error) {
> > + dentry = ERR_PTR(error);
> > + goto exit;
> > + }
> > +
> > + error = create_by_name(name, mode, parent, &dentry);
> > + if (error) {
> > + dentry = ERR_PTR(error);
>
> simple_release_fs
Good catch, fixed now, thanks.
> > +/**
> > + * securityfs_remove - removes a file or directory from the securityfs filesystem
> > + *
> > + * @dentry: a pointer to a the dentry of the file or directory to be
> > + * removed.
> > + *
> > + * This function removes a file or directory in securityfs that was previously
> > + * created with a call to another securityfs function (like
> > + * securityfs_create_file() or variants thereof.)
> > + *
> > + * This function is required to be called in order for the file to be
> > + * removed, no automatic cleanup of files will happen when a module is
> > + * removed, you are responsible here.
> > + */
>
> Is this true? It would appear that this module can't be unloaded until
> all files are _remove'd, no? (due to mount pinning).
No, the files are created by a separate module, so you are correct in
that the security core could not be unloaded (if it could be made a
module.) The issue is that the modules themselves could be unloaded.
Make sense?
> > +void securityfs_remove(struct dentry *dentry)
> > +{
> > + struct dentry *parent;
> > +
> > + if (!dentry)
> > + return;
> > +
> > + parent = dentry->d_parent;
> > + if (!parent || !parent->d_inode)
> > + return;
> > +
> > + down(&parent->d_inode->i_sem);
> > + if (positive(dentry)) {
> > + if (dentry->d_inode) {
> > + if (S_ISDIR(dentry->d_inode->i_mode))
> > + simple_rmdir(parent->d_inode, dentry);
> > + else
> > + simple_unlink(parent->d_inode, dentry);
> > + dput(dentry);
>
> Indentation?
Yup, fixed now.
> > + }
> > + }
> > + up(&parent->d_inode->i_sem);
> > + simple_release_fs(&mount, &mount_count);
> > +}
> > +EXPORT_SYMBOL_GPL(securityfs_remove);
>
> Does EXPORT_SYMBOL(_GPL) even work from a module? I must be behind the
> times.
Of course it does. Anyway, this code isn't built as a module, so it's
not really an issue here :)
Thanks for the review and finding those bugs, I really appreciate it.
I'll send out a new version based on your comments in a few minutes.
thanks again,
greg k-h
Greg KH
fs that all LSMs can use instead of creating their own. The fs should
be mounted at /sys/kernel/security, and the fs creates that mount point.
This will make the LSB people happy that we aren't creating a new
/my_lsm_fs directory in the root for every different LSM.
It has changed a bit since the last version, thanks to comments from
Mike Waychison.
Signed-off-by: Greg Kroah-Hartman <gre...@suse.de>
---
include/linux/security.h | 5
security/Makefile | 2
security/inode.c | 347 +++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 353 insertions(+), 1 deletion(-)
--- gregkh-2.6.orig/security/Makefile 2005-07-07 14:24:41.000000000 -0700
+++ gregkh-2.6/security/Makefile 2005-07-07 14:24:46.000000000 -0700
@@ -11,7 +11,7 @@
endif
# Object file lists
-obj-$(CONFIG_SECURITY) += security.o dummy.o
+obj-$(CONFIG_SECURITY) += security.o dummy.o inode.o
# Must precede capability.o in order to stack properly.
obj-$(CONFIG_SECURITY_SELINUX) += selinux/built-in.o
obj-$(CONFIG_SECURITY_CAPABILITIES) += commoncap.o capability.o
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ gregkh-2.6/security/inode.c 2005-07-07 14:31:55.000000000 -0700
@@ -0,0 +1,347 @@
+ struct inode *inode;
+ int error = -EPERM;
+
+ if (dentry->d_inode)
+ return -EEXIST;
+
+ inode = get_inode(dir->i_sb, mode, dev);
+ *dentry = NULL;
+
+ /* If the parent is not specified, we create it in the root.
+ * We need the root dentry to do this, which is in the super
+ * block. A pointer to that is in the struct vfsmount that we
+ * have around.
+ */
+ if (!parent ) {
+ if (mount && mount->mnt_sb) {
+ parent = mount->mnt_sb->s_root;
+ }
+ }
+ if (!parent) {
+ pr_debug("securityfs: Ah! can not find a parent!\n");
+ return -EFAULT;
+ }
+
+ simple_release_fs(&mount, &mount_count);
--- gregkh-2.6.orig/include/linux/security.h 2005-07-07 14:24:41.000000000 -0700
+++ gregkh-2.6/include/linux/security.h 2005-07-07 14:24:46.000000000 -0700