diff options
author | David Quigley <dpquigl@davequigley.com> | 2013-05-22 12:50:35 -0400 |
---|---|---|
committer | Trond Myklebust <Trond.Myklebust@netapp.com> | 2013-06-08 16:20:11 -0400 |
commit | 746df9b59c8a5f162c907796c7295d3c4c0d8995 (patch) | |
tree | 6c0e7ae018bfb33f482afdc74d0c77d6b9edd152 /security/capability.c | |
parent | d47be3dfecaf20255af89a57460285c82d5271ad (diff) | |
download | op-kernel-dev-746df9b59c8a5f162c907796c7295d3c4c0d8995.zip op-kernel-dev-746df9b59c8a5f162c907796c7295d3c4c0d8995.tar.gz |
Security: Add Hook to test if the particular xattr is part of a MAC model.
The interface to request security labels from user space is the xattr
interface. When requesting the security label from an NFS server it is
important to make sure the requested xattr actually is a MAC label. This allows
us to make sure that we get the desired semantics from the attribute instead of
something else such as capabilities or a time based LSM.
Acked-by: Eric Paris <eparis@redhat.com>
Acked-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Matthew N. Dodd <Matthew.Dodd@sparta.com>
Signed-off-by: Miguel Rodel Felipe <Rodel_FM@dsi.a-star.edu.sg>
Signed-off-by: Phua Eu Gene <PHUA_Eu_Gene@dsi.a-star.edu.sg>
Signed-off-by: Khin Mi Mi Aung <Mi_Mi_AUNG@dsi.a-star.edu.sg>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Diffstat (limited to 'security/capability.c')
-rw-r--r-- | security/capability.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/security/capability.c b/security/capability.c index 58578b4..71f9682 100644 --- a/security/capability.c +++ b/security/capability.c @@ -823,6 +823,11 @@ static int cap_setprocattr(struct task_struct *p, char *name, void *value, return -EINVAL; } +static int cap_ismaclabel(const char *name) +{ + return 0; +} + static int cap_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) { return -EOPNOTSUPP; @@ -1042,6 +1047,7 @@ void __init security_fixup_ops(struct security_operations *ops) set_to_cap_if_null(ops, d_instantiate); set_to_cap_if_null(ops, getprocattr); set_to_cap_if_null(ops, setprocattr); + set_to_cap_if_null(ops, ismaclabel); set_to_cap_if_null(ops, secid_to_secctx); set_to_cap_if_null(ops, secctx_to_secid); set_to_cap_if_null(ops, release_secctx); |