This patch causes SELinux mount options to show up in /proc/mounts.  As
with other code in the area seq_put errors are ignored.  Other LSM's
will not have their mount options displayed until they fill in their own
security_sb_show_options() function.

Signed-off-by: Eric Paris <eparis@redhat.com>

---

fs/namespace.c           |    4 +++
 include/linux/security.h |    9 ++++++++
 security/dummy.c         |    6 +++++
 security/security.c      |    5 ++++
 security/selinux/hooks.c |   52 ++++++++++++++++++++++++++++++++++++++++++++-
 5 files changed, 74 insertions(+), 2 deletions(-)

diff --git a/fs/namespace.c b/fs/namespace.c
index 94f026e..a9748d3 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -426,8 +426,12 @@ static int show_vfsmnt(struct seq_file *m, void *v)
 		if (mnt->mnt_flags & fs_infop->flag)
 			seq_puts(m, fs_infop->str);
 	}
+	err = security_sb_show_options(m, mnt->mnt_sb);
+	if (err)
+		goto out;
 	if (mnt->mnt_sb->s_op->show_options)
 		err = mnt->mnt_sb->s_op->show_options(m, mnt);
+out:
 	seq_puts(m, " 0 0\n");
 	return err;
 }
diff --git a/include/linux/security.h b/include/linux/security.h
index c673dfd..bb3c7eb 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -74,6 +74,7 @@ struct xfrm_selector;
 struct xfrm_policy;
 struct xfrm_state;
 struct xfrm_user_sec_ctx;
+struct seq_file;
 
 extern int cap_netlink_send(struct sock *sk, struct sk_buff *skb);
 extern int cap_netlink_recv(struct sk_buff *skb, int cap);
@@ -1259,6 +1260,7 @@ struct security_operations {
 	void (*sb_free_security) (struct super_block * sb);
 	int (*sb_copy_data)(char *orig, char *copy);
 	int (*sb_kern_mount) (struct super_block *sb, void *data);
+	int (*sb_show_options) (struct seq_file *m, struct super_block *sb);
 	int (*sb_statfs) (struct dentry *dentry);
 	int (*sb_mount) (char *dev_name, struct nameidata * nd,
 			 char *type, unsigned long flags, void *data);
@@ -1527,6 +1529,7 @@ int security_sb_...
[ message continues ]

Where's 1/2?  I've ported this to the tip of the vfs-2.6 tree, but
can't compile it without the other half.

Miklos

----
From: Eric Paris <eparis@redhat.com>

This patch causes SELinux mount options to show up in /proc/mounts.  As
with other code in the area seq_put errors are ignored.  Other LSM's
will not have their mount options displayed until they fill in their own
security_sb_show_options() function.

Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
---
 fs/namespace.c           |   12 ++++++----
 include/linux/security.h |    9 ++++++++
 security/dummy.c         |    6 +++++
 security/security.c      |    5 ++++
 security/selinux/hooks.c |   52 +++++++++++++++++++++++++++++++++++++++++++++--
 5 files changed, 77 insertions(+), 7 deletions(-)

Index: vfs-2.6/include/linux/security.h
===================================================================
--- vfs-2.6.orig/include/linux/security.h	2008-03-31 14:16:24.000000000 +0200
+++ vfs-2.6/include/linux/security.h	2008-04-02 10:59:10.000000000 +0200
@@ -74,6 +74,7 @@ struct xfrm_selector;
 struct xfrm_policy;
 struct xfrm_state;
 struct xfrm_user_sec_ctx;
+struct seq_file;
 
 extern int cap_netlink_send(struct sock *sk, struct sk_buff *skb);
 extern int cap_netlink_recv(struct sk_buff *skb, int cap);
@@ -1259,6 +1260,7 @@ struct security_operations {
 	void (*sb_free_security) (struct super_block * sb);
 	int (*sb_copy_data)(char *orig, char *copy);
 	int (*sb_kern_mount) (struct super_block *sb, void *data);
+	int (*sb_show_options) (struct seq_file *m, struct super_block *sb);
 	int (*sb_statfs) (struct dentry *dentry);
 	int (*sb_mount) (char *dev_name, struct path *path,
 			 char *type, unsigned long flags, void *data);
@@ -1527,6 +1529,7 @@ int security_sb_alloc(struct super_block
 void security_sb_free(struct super_block *sb);
 int security_sb_copy_data(char *orig, char *copy);
 int security_sb_kern_mount(struct super_block *sb, void *data);
...
[ message continues ]

This patch causes SELinux mount options to show up in /proc/mounts.  As
with other code in the area seq_put errors are ignored.  Other LSM's
will not have their mount options displayed until they fill in their own
security_sb_show_options() function.

Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>

---

This patch is against a merged vfs-2.6:vfs-2.6.25 and selinux:for-akpm
repo.  It requires the a6307a583a073f85c38399c1e2c21dfe2d6a3da0
changeset in jame's repo to compile.  I'll let you and James decide if
we should push it through the VFS tree or the SELinux tree....

Only change from the last patch is the addition of " around mount
options which contain a comma example:
server:/export/ /import nfs rw,context="system_u:object_r:httpd_sys_content_t:s0:c1,c3",vers=3,rsize=32768,wsize=32768,hard,proto=tcp,timeo=600,retrans=2,sec=sys,addr=X.X.X.X 0 0

 fs/namespace.c           |   12 +++++----
 include/linux/security.h |    9 +++++++
 security/dummy.c         |    6 +++++
 security/security.c      |    5 ++++
 security/selinux/hooks.c |   57 ++++++++++++++++++++++++++++++++++++++++++++-
 5 files changed, 82 insertions(+), 7 deletions(-)

diff --git a/fs/namespace.c b/fs/namespace.c
index 5df0ab2..496cfa3 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -748,7 +748,7 @@ struct proc_fs_info {
 	const char *str;
 };
 
-static void show_sb_opts(struct seq_file *m, struct super_block *sb)
+static int show_sb_opts(struct seq_file *m, struct super_block *sb)
 {
 	static const struct proc_fs_info fs_info[] = {
 		{ MS_SYNCHRONOUS, ",sync" },
@@ -762,6 +762,8 @@ static void show_sb_opts(struct seq_file *m, struct super_block *sb)
 		if (sb->s_flags & fs_infop->flag)
 			seq_puts(m, fs_infop->str);
 	}
+
+	return security_sb_show_options(m, sb);
 }
 
 static void show_mnt_opts(struct seq_file *m, struct vfsmount *mnt)
@@ -804,9 +806,9 @@ static int show_vfsmnt(struct seq_file *m, void *v)
 	seq_putc(m, '...
[ message continues ]

It doesn't apply to my for-akpm branch.

fs/namespace.c.rej:

***************
*** 748,754 ****
  	const char *str;
  };
  
- static void show_sb_opts(struct seq_file *m, struct super_block *sb)
  {
  	static const struct proc_fs_info fs_info[] = {
  		{ MS_SYNCHRONOUS, ",sync" },
--- 748,754 ----
  	const char *str;
  };
  
+ static int show_sb_opts(struct seq_file *m, struct super_block *sb)
  {
  	static const struct proc_fs_info fs_info[] = {
  		{ MS_SYNCHRONOUS, ",sync" },
***************
*** 786,794 ****
  	seq_putc(m, ' ');
  	show_type(m, mnt->mnt_sb);
  	seq_puts(m, __mnt_is_readonly(mnt) ? " ro" : " rw");
- 	show_sb_opts(m, mnt->mnt_sb);
  	show_mnt_opts(m, mnt);
- 	if (mnt->mnt_sb->s_op->show_options)
  		err = mnt->mnt_sb->s_op->show_options(m, mnt);
  	seq_puts(m, " 0 0\n");
  	return err;
--- 788,796 ----
  	seq_putc(m, ' ');
  	show_type(m, mnt->mnt_sb);
  	seq_puts(m, __mnt_is_readonly(mnt) ? " ro" : " rw");
+ 	err = show_sb_opts(m, mnt->mnt_sb);
  	show_mnt_opts(m, mnt);
+ 	if (!err && mnt->mnt_sb->s_op->show_options)
  		err = mnt->mnt_sb->s_op->show_options(m, mnt);
  	seq_puts(m, " 0 0\n");
  	return err;
***************
*** 845,852 ****
  	seq_putc(m, ' ');
  	mangle(m, mnt->mnt_devname ? mnt->mnt_devname : "none");
  	seq_puts(m, sb->s_flags & MS_RDONLY ? " ro" : " rw");
- 	show_sb_opts(m, sb);
- 	if (sb->s_op->show_options)
  		err = sb->s_op->show_options(m, mnt);
  	seq_putc(m, '\n');
  	return err;
--- 847,854 ----
  	seq_putc(m, ' ');
  	mangle(m, mnt->mnt_devname ? mnt->mnt_devname : "none");
  	seq_puts(m, sb->s_flags & MS_RDONLY ? " ro" : " rw");
+ 	err = show_sb_opts(m, sb);
+ 	if (!err && sb->s_op->show_options)
  		err = sb->s_op->show_options(m, mnt);
  	seq_putc(m, '\n');
  	return err;


-- 
James Morris
<jmorris@namei.org>
--

I said it was against multiple devel trees and I didn't know how it was
going to go in.  It needs:

http://git.kernel.org/?p=linux/kernel/git/viro/vfs-2.6.git;a=commitdiff;h=a0d807802dfe...

which is in the VFS tree.....

suggestions anyone on the best way to get this merged?

-Eric

--

Either, as James said, wait for the vfs dependency to be merged, or go
through -mm, which pulls from both trees, letting Andrew deal with the
merging order (which isn't all that complicated in this case).

Miklos
--

Wait until the VFS stuff is merged upstream and then I'll push it via the 
SELinux tree.

-- 
James Morris
<jmorris@namei.org>
--

Looks good.

Since the patch is dependent on stuff in the selinux repo, it should
go via that tree.

Even better would be if the non-selinux part was split off into a
separate patch and gone through -mm, to let the interface changes get
extra review.

Thanks,
Miklos
--

I concur. Sorry that I have not been more active on reviewing this.


Casey Schaufler
casey@schaufler-ca.com
--

I have a question for everyone though.  How are these options used?
SELinux mount options can contain commas.  When sending such options
from userspace they are inside quotes.  Should I go ahead and quote
selinux options so they can be directly used back into mount commands?
Should I just leave them in there without quotes and let anyone who
tries to feel them back into mount figure it out?

I'm ignoring seq_* failures.  Which kinda scares me since it means i
could get half of one option and half of another and the user would not
realize it.  Maybe I should build a single string for each selinux
option and do a single seq_puts() so seq_* failure only means missing

--

I don't think they can "figure it out" as they can't unambiguously parse
the option string at that point.  So wrapping the SELinux option value

And is it even adequate to return an incomplete set of options with no
indication of truncation to userspace?  How do we expect userland to use
-- 
Stephen Smalley
National Security Agency

--

seq_file deals with all that: retries with bigger buffer, or if
allocation fails return ENOMEM.  So userspace will never see a
truncated output and callers only need to bother with their own
errors.

It's quite clever, really :)

Miklos
--

Ideally copying the options out of /proc/mounts, then doing a mount

Errors from seq_* can be safely ignored, seq_file remembers that there
was an error.

Miklos
--

Pardon my ignorance, but can you point to where in the code this is
done?  Offhand, it seems like seq_putc and seq_puts overflow will be
ignored if the caller (in this case, Eric's code - selinux_write_opts)
doesn't propagate the error status back up the call chain, and we'll
just end up with a truncated list of options.

-- 
Stephen Smalley
National Security Agency

--

Ah, I see it now - in seq_read().

-- 
Stephen Smalley
National Security Agency

--

Sorry, I forgot to put everyone on cc line of the first patch

http://git.kernel.org/?p=linux/kernel/git/jmorris/selinux-2.6.git;a=commitdiff;h=e99cf...


--