From patchwork Fri Mar 3 07:44:03 2017
X-Patchwork-Submitter: Hyunchul Lee
X-Patchwork-Id: 734970
X-Patchwork-Delegate: richard@nod.at
From: Hyunchul Lee
To: Richard Weinberger
Cc: Artem Bityutskiy, adrian.hunter@intel.com, linux-kernel@vger.kernel.org, kernel-team@lge.com, linux-mtd@lists.infradead.org, linux-fsdevel@vger.kernel.org, Hyunchul Lee
Subject: [PATCH] ubifs: add CONFIG_UBIFS_FS_SECURITY to disable/enable security labels
Date: Fri, 3 Mar 2017 16:44:03 +0900
Message-ID: <1488527043-7195-1-git-send-email-hyc.lee@gmail.com>
List-Id: Linux MTD discussion mailing list

From: Hyunchul Lee

When the write syscall is called, the security label is searched every time to determine whether the file's privileges should be changed. If LSM (Linux Security Model) is not used, this is useless. So introduce CONFIG_UBIFS_SECURITY to disable security labels. Its default value is "y".

Signed-off-by: Hyunchul Lee
--- fs/ubifs/Kconfig | 13 +++++++++++++ fs/ubifs/ubifs.h | 14 ++++++++++++-- fs/ubifs/xattr.c | 6 ++++++ 3 files changed, 31 insertions(+), 2 deletions(-) diff --git a/fs/ubifs/Kconfig b/fs/ubifs/Kconfig index b0d0623..83a961b 100644 --- a/fs/ubifs/Kconfig +++ b/fs/ubifs/Kconfig @@ -61,3 +61,16 @@ config UBIFS_FS_ENCRYPTION feature is similar to ecryptfs, but it is more memory efficient since it avoids caching the encrypted and decrypted pages in the page cache. + +config UBIFS_FS_SECURITY + bool "UBIFS Security Labels" + depends on UBIFS_FS + default y + help + Security labels provide an access control facility to support Linux + Security Models (LSMs) accepted by AppArmor, SELinux, Smack and TOMOYO + Linux. This option enables an extended attribute handler for file + security labels in the ubifs filesystem, so that it requires enabling + the extended attribute support in advance. + + If you are not using a security module, say N. diff --git a/fs/ubifs/ubifs.h b/fs/ubifs/ubifs.h index ca72382..e960734 100644 --- a/fs/ubifs/ubifs.h +++ b/fs/ubifs/ubifs.h 
@@ -1752,13 +1752,23 @@ int ubifs_getattr(struct vfsmount *mnt, struct dentry *dentry, /* xattr.c */ extern const struct xattr_handler *ubifs_xattr_handlers[]; ssize_t ubifs_listxattr(struct dentry *dentry, char *buffer, size_t size); -int ubifs_init_security(struct inode *dentry, struct inode *inode, - const struct qstr *qstr); int ubifs_xattr_set(struct inode *host, const char *name, const void *value, size_t size, int flags); ssize_t ubifs_xattr_get(struct inode *host, const char *name, void *buf, size_t size); +#ifdef CONFIG_UBIFS_FS_SECURITY +extern int ubifs_init_security(struct inode *dentry, struct inode *inode, + const struct qstr *qstr); +#else +static inline int ubifs_init_security(struct inode *dentry, + struct inode *inode, const struct qstr *qstr) +{ + return 0; +} +#endif + + /* super.c */ struct inode *ubifs_iget(struct super_block *sb, unsigned long inum); diff --git a/fs/ubifs/xattr.c b/fs/ubifs/xattr.c index efe00fc..de88732 100644 --- a/fs/ubifs/xattr.c +++ b/fs/ubifs/xattr.c @@ -559,6 +559,7 @@ static int ubifs_xattr_remove(struct inode *host, const char *name) return err; } +#ifdef CONFIG_UBIFS_FS_SECURITY static int init_xattrs(struct inode *inode, const struct xattr *xattr_array, void *fs_info) { @@ -599,6 +600,7 @@ int ubifs_init_security(struct inode *dentry, struct inode *inode, } return err; } +#endif static int xattr_get(const struct xattr_handler *handler, struct dentry *dentry, struct inode *inode, @@ -639,15 +641,19 @@ static int xattr_set(const struct xattr_handler *handler, .set = xattr_set, }; +#ifdef CONFIG_UBIFS_FS_SECURITY static const struct xattr_handler ubifs_security_xattr_handler = { .prefix = XATTR_SECURITY_PREFIX, .get = xattr_get, .set = xattr_set, }; +#endif const struct xattr_handler *ubifs_xattr_handlers[] = { &ubifs_user_xattr_handler, &ubifs_trusted_xattr_handler, +#ifdef CONFIG_UBIFS_FS_SECURITY &ubifs_security_xattr_handler, +#endif NULL };
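
Review bot: In the fs/ubifs/Kconfig hunk, the help text says the option "requires enabling the extended attribute support in advance", but the entry only has `depends on UBIFS_FS`; if a separate xattr switch exists, express it as a `depends on` line, otherwise drop that sentence. The help text should also say that with N the whole namespace under XATTR_SECURITY_PREFIX loses its handler, so "say N" is only safe when nothing on the system stores data under that prefix and no existing volume already carries labels. Wording: LSM expands to Linux Security Modules, "accepted by" reads better as "such as", and the commit message names CONFIG_UBIFS_SECURITY while the symbol added here is UBIFS_FS_SECURITY.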
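
Review bot: In the fs/ubifs/ubifs.h hunk, the `#else` stub of ubifs_init_security() returns 0, so with the option off every caller sees success while the new inode gets no label; that is intended, but it needs a one-line comment above the stub so it is not later read as an error being swallowed. Style: the neighbouring prototypes (ubifs_xattr_set, ubifs_xattr_get) carry no `extern`, so drop it from the moved declaration, remove one of the two blank lines added after `#endif`, and consider renaming the first parameter, which is a `struct inode *` called `dentry`.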
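
Review bot: In the last fs/ubifs/xattr.c hunk, compiling `&ubifs_security_xattr_handler` out of ubifs_xattr_handlers[] changes what userspace sees, not only the write path the commit message describes: get and set on names under XATTR_SECURITY_PREFIX no longer reach xattr_get() and xattr_set(). Please state in the commit message what happens to such requests and to security xattrs already stored on a volume, and confirm that ubifs_listxattr() (declared in ubifs.h, not touched by this patch) does not keep listing names that can no longer be read. A measurement of the write-path cost being removed would also help justify a new config option.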