smack: Implement filesystem context security hooks
authorDavid Howells <dhowells@redhat.com>
Thu, 1 Nov 2018 23:07:24 +0000 (23:07 +0000)
committerAl Viro <viro@zeniv.linux.org.uk>
Thu, 28 Feb 2019 08:29:25 +0000 (03:29 -0500)
Implement filesystem context security hooks for the smack LSM.

Signed-off-by: David Howells <dhowells@redhat.com>
cc: Casey Schaufler <casey@schaufler-ca.com>
cc: linux-security-module@vger.kernel.org
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
security/smack/smack.h
security/smack/smack_lsm.c

index f7db791..0380a9c 100644 (file)
@@ -195,22 +195,13 @@ struct smack_known_list_elem {
 
 enum {
        Opt_error = -1,
-       Opt_fsdefault = 1,
-       Opt_fsfloor = 2,
-       Opt_fshat = 3,
-       Opt_fsroot = 4,
-       Opt_fstransmute = 5,
+       Opt_fsdefault = 0,
+       Opt_fsfloor = 1,
+       Opt_fshat = 2,
+       Opt_fsroot = 3,
+       Opt_fstransmute = 4,
 };
 
-/*
- * Mount options
- */
-#define SMK_FSDEFAULT  "smackfsdef="
-#define SMK_FSFLOOR    "smackfsfloor="
-#define SMK_FSHAT      "smackfshat="
-#define SMK_FSROOT     "smackfsroot="
-#define SMK_FSTRANS    "smackfstransmute="
-
 #define SMACK_DELETE_OPTION    "-DELETE"
 #define SMACK_CIPSO_OPTION     "-CIPSO"
 
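Review bot: Opt_fsdefault drops from 1 to 0 here, so a successfully parsed option can now be 0; if anything in smack_lsm.c (outside this hunk) tests the returned opt for truthiness or uses 0 as an "option not set" marker, that check now misfires for the default-label option. The reason for the renumbering is not stated; if it is because fs_parse() expects zero-based fs_parameter_spec values, say so on the enum, e.g. `/* Zero-based: used as fs_parameter_spec values; Opt_error is the match_token sentinel. */`. Whatever still maps the legacy `smackfs…=` strings (the SMK_FS* macros removed below were the only record of those spellings in this header) to these constants is outside the hunk and must use the new values too.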
index 430d4f3..5f93c4f 100644 (file)
@@ -43,6 +43,8 @@
 #include <linux/shm.h>
 #include <linux/binfmts.h>
 #include <linux/parser.h>
+#include <linux/fs_context.h>
+#include <linux/fs_parser.h>
 #include "smack.h"
 
 #define TRANS_TRUE     "TRUE"
@@ -541,7 +543,6 @@ static int smack_syslog(int typefrom_file)
        return rc;
 }
 
-
 /*
  * Superblock Hooks.
  */
@@ -646,6 +647,44 @@ out_opt_err:
        return -EINVAL;
 }
 
+static const struct fs_parameter_spec smack_param_specs[] = {
+       fsparam_string("fsdefault",     Opt_fsdefault),
+       fsparam_string("fsfloor",       Opt_fsfloor),
+       fsparam_string("fshat",         Opt_fshat),
+       fsparam_string("fsroot",        Opt_fsroot),
+       fsparam_string("fstransmute",   Opt_fstransmute),
+       {}
+};
+
+static const struct fs_parameter_description smack_fs_parameters = {
+       .name           = "smack",
+       .specs          = smack_param_specs,
+};
+
+/**
+ * smack_fs_context_parse_param - Parse a single mount parameter
+ * @fc: The new filesystem context being constructed.
+ * @param: The parameter.
+ *
+ * Returns 0 on success, -ENOPARAM to pass the parameter on or anything else on
+ * error.
+ */
+static int smack_fs_context_parse_param(struct fs_context *fc,
+                                       struct fs_parameter *param)
+{
+       struct fs_parse_result result;
+       int opt, rc;
+
+       opt = fs_parse(fc, &smack_fs_parameters, param, &result);
+       if (opt < 0)
+               return opt;
+
+       rc = smack_add_opt(opt, param->string, &fc->security);
+       if (!rc)
+               param->string = NULL;
+       return rc;
+}
+
 static int smack_sb_eat_lsm_opts(char *options, void **mnt_opts)
 {
        char *from = options, *to = options;
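Review bot: The names in smack_param_specs ("fsdefault", "fsfloor", "fshat", "fsroot", "fstransmute") drop the `smackfs` prefix carried by the SMK_FS* strings removed from smack.h ("smackfsdef=", "smackfsfloor=", "smackfshat=", "smackfsroot=", "smackfstransmute="), so an option spelled the old way on the new fsconfig path falls through as -ENOPARAM, and the short unprefixed names risk being taken from a filesystem that has a parameter of the same name, since as far as I recall vfs_parse_fs_param consults the LSM hook before the filesystem's own parser. Keeping the prefixed spellings the header documented avoids both; the table below does that and changes nothing else. Ownership in smack_fs_context_parse_param looks right — param->string is handed to smack_add_opt and cleared only on success, so the caller still frees it on failure — but it deserves a comment, e.g. `/* smack_add_opt() took ownership of the string; stop fs_context freeing it. */` above `param->string = NULL;`. smack_sb_eat_lsm_opts starts on the hunk's last lines and continues outside it.
```c
static const struct fs_parameter_spec smack_param_specs[] = {
	fsparam_string("smackfsdef",		Opt_fsdefault),
	fsparam_string("smackfsfloor",		Opt_fsfloor),
	fsparam_string("smackfshat",		Opt_fshat),
	fsparam_string("smackfsroot",		Opt_fsroot),
	fsparam_string("smackfstransmute",	Opt_fstransmute),
	{}
};
/* … unchanged: smack_fs_parameters, smack_fs_context_parse_param … */
```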
@@ -4587,6 +4626,8 @@ static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
        LSM_HOOK_INIT(ptrace_traceme, smack_ptrace_traceme),
        LSM_HOOK_INIT(syslog, smack_syslog),
 
+       LSM_HOOK_INIT(fs_context_parse_param, smack_fs_context_parse_param),
+
        LSM_HOOK_INIT(sb_alloc_security, smack_sb_alloc_security),
        LSM_HOOK_INIT(sb_free_security, smack_sb_free_security),
        LSM_HOOK_INIT(sb_free_mnt_opts, smack_free_mnt_opts),
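Review bot: Only fs_context_parse_param is registered although the title and description promise filesystem context hooks in the plural; with no fs_context_dup hook, a duplicated context (as far as I can tell vfs_dup_fs_context starts the copy with a NULL security pointer and relies on the LSM to fill it) silently loses the smack options parsed into the original, so either add the dup hook or state in the commit message that duplication is intentionally unsupported for now. Freeing looks covered: the existing sb_free_mnt_opts hook on the last line is what the VFS uses for fc->security at put_fs_context time, assuming that is still how the context is torn down.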