f2fs: support xattr security labels

This patch adds the support of security labels for f2fs, which will be used
by Linus Security Models (LSMs).

Quote from http://en.wikipedia.org/wiki/Linux_Security_Modules:
"Linux Security Modules (LSM) is a framework that allows the Linux kernel to
support a variety of computer security models while avoiding favoritism toward
any single security implementation. The framework is licensed under the terms of
the GNU General Public License and is standard part of the Linux kernel since
Linux 2.6. AppArmor, SELinux, Smack and TOMOYO Linux are the currently accepted
modules in the official kernel.".

Signed-off-by: Jaegeuk Kim <jaegeuk.kim@samsung.com>

diff --git a/fs/f2fs/Kconfig b/fs/f2fs/Kconfig
index fd27e7e6326e61ddecee85c3435099aa12ba2dfd..e06e0995e00fdf619d1bbd7f48ebe0e9df25ebc0 100644 (file)
--- a/fs/f2fs/Kconfig
+++ b/fs/f2fs/Kconfig
@@ -51,3 +51,15 @@ config F2FS_FS_POSIX_ACL
          Linux website <http://acl.bestbits.at/>.
 
          If you don't know what Access Control Lists are, say N
+
+config F2FS_FS_SECURITY
+       bool "F2FS Security Labels"
+       depends on F2FS_FS_XATTR
+       help
+         Security labels provide an access control facility to support Linux
+         Security Models (LSMs) accepted by AppArmor, SELinux, Smack and TOMOYO
+         Linux. This option enables an extended attribute handler for file
+         security labels in the f2fs filesystem, so that it requires enabling
+         the extended attribute support in advance.
+
+         If you are not using a security module, say N.

diff --git a/fs/f2fs/acl.c b/fs/f2fs/acl.c
index 44abc2f286e00ad4ecff03e0293f80ab8d3d19fd..b7826ec1b47062fdb30891192b42a8dbf5e20788 100644 (file)
--- a/fs/f2fs/acl.c
+++ b/fs/f2fs/acl.c
@@ -250,7 +250,7 @@ static int f2fs_set_acl(struct inode *inode, int type, struct posix_acl *acl)
                }
        }
 
-       error = f2fs_setxattr(inode, name_index, "", value, size);
+       error = f2fs_setxattr(inode, name_index, "", value, size, NULL);
 
        kfree(value);
        if (!error)

diff --git a/fs/f2fs/dir.c b/fs/f2fs/dir.c
index 67e2d1361fa296e3c1ec7f1dc54f5fdaa1c9951d..eaea5b50d9c172d5dab8cea5400c91fb26f476c9 100644 (file)
--- a/fs/f2fs/dir.c
+++ b/fs/f2fs/dir.c
@@ -13,6 +13,7 @@
 #include "f2fs.h"
 #include "node.h"
 #include "acl.h"
+#include "xattr.h"
 
 static unsigned long dir_blocks(struct inode *inode)
 {
@@ -334,6 +335,10 @@ static struct page *init_inode_metadata(struct inode *inode,
                if (err)
                        goto error;
 
+               err = f2fs_init_security(inode, dir, name, page);
+               if (err)
+                       goto error;
+
                wait_on_page_writeback(page);
        } else {
                page = get_node_page(F2FS_SB(dir->i_sb), inode->i_ino);

diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
index d6e63da513cfd0647762e13321f0bcb43a7d56d6..4f2c209ae8c1690b514e56fbbd6239abc89cfc62 100644 (file)
--- a/fs/f2fs/f2fs.h
+++ b/fs/f2fs/f2fs.h
@@ -968,7 +968,7 @@ int get_dnode_of_data(struct dnode_of_data *, pgoff_t, int);
 int truncate_inode_blocks(struct inode *, pgoff_t);
 int remove_inode_page(struct inode *);
 struct page *new_inode_page(struct inode *, const struct qstr *);
-struct page *new_node_page(struct dnode_of_data *, unsigned int);
+struct page *new_node_page(struct dnode_of_data *, unsigned int, struct page *);
 void ra_node_page(struct f2fs_sb_info *, nid_t);
 struct page *get_node_page(struct f2fs_sb_info *, pgoff_t);
 struct page *get_node_page_ra(struct page *, int);

diff --git a/fs/f2fs/node.c b/fs/f2fs/node.c
index 5a59780b22d054a8868a0729498f9f6154c9e077..b02440c5b2eb33cba68c39e6a91dccce4a1a4497 100644 (file)
--- a/fs/f2fs/node.c
+++ b/fs/f2fs/node.c
@@ -433,7 +433,7 @@ int get_dnode_of_data(struct dnode_of_data *dn, pgoff_t index, int mode)
                        }
 
                        dn->nid = nids[i];
-                       npage[i] = new_node_page(dn, noffset[i]);
+                       npage[i] = new_node_page(dn, noffset[i], NULL);
                        if (IS_ERR(npage[i])) {
                                alloc_nid_failed(sbi, nids[i]);
                                err = PTR_ERR(npage[i]);
@@ -814,10 +814,11 @@ struct page *new_inode_page(struct inode *inode, const struct qstr *name)
        set_new_dnode(&dn, inode, NULL, NULL, inode->i_ino);
 
        /* caller should f2fs_put_page(page, 1); */
-       return new_node_page(&dn, 0);
+       return new_node_page(&dn, 0, NULL);
 }
 
-struct page *new_node_page(struct dnode_of_data *dn, unsigned int ofs)
+struct page *new_node_page(struct dnode_of_data *dn,
+                               unsigned int ofs, struct page *ipage)
 {
        struct f2fs_sb_info *sbi = F2FS_SB(dn->inode->i_sb);
        struct address_space *mapping = sbi->node_inode->i_mapping;
@@ -850,7 +851,10 @@ struct page *new_node_page(struct dnode_of_data *dn, unsigned int ofs)
        set_cold_node(dn->inode, page);
 
        dn->node_page = page;
-       sync_inode_page(dn);
+       if (ipage)
+               update_inode(dn->inode, ipage);
+       else
+               sync_inode_page(dn);
        set_page_dirty(page);
        if (ofs == 0)
                inc_valid_inode_count(sbi);

diff --git a/fs/f2fs/xattr.c b/fs/f2fs/xattr.c
index ae61f359554fdc90fa621ff7c6035116ce4f999c..3ab07ecd86ca16b5aaaa4e89792e5fe0db22ffca 100644 (file)
--- a/fs/f2fs/xattr.c
+++ b/fs/f2fs/xattr.c
@@ -20,6 +20,7 @@
  */
 #include <linux/rwsem.h>
 #include <linux/f2fs_fs.h>
+#include <linux/security.h>
 #include "f2fs.h"
 #include "xattr.h"
 
@@ -43,6 +44,10 @@ static size_t f2fs_xattr_generic_list(struct dentry *dentry, char *list,
                prefix = XATTR_TRUSTED_PREFIX;
                prefix_len = XATTR_TRUSTED_PREFIX_LEN;
                break;
+       case F2FS_XATTR_INDEX_SECURITY:
+               prefix = XATTR_SECURITY_PREFIX;
+               prefix_len = XATTR_SECURITY_PREFIX_LEN;
+               break;
        default:
                return -EINVAL;
        }
@@ -50,7 +55,7 @@ static size_t f2fs_xattr_generic_list(struct dentry *dentry, char *list,
        total_len = prefix_len + name_len + 1;
        if (list && total_len <= list_size) {
                memcpy(list, prefix, prefix_len);
-               memcpy(list+prefix_len, name, name_len);
+               memcpy(list + prefix_len, name, name_len);
                list[prefix_len + name_len] = '\0';
        }
        return total_len;
@@ -70,13 +75,14 @@ static int f2fs_xattr_generic_get(struct dentry *dentry, const char *name,
                if (!capable(CAP_SYS_ADMIN))
                        return -EPERM;
                break;
+       case F2FS_XATTR_INDEX_SECURITY:
+               break;
        default:
                return -EINVAL;
        }
        if (strcmp(name, "") == 0)
                return -EINVAL;
-       return f2fs_getxattr(dentry->d_inode, type, name,
-                       buffer, size);
+       return f2fs_getxattr(dentry->d_inode, type, name, buffer, size);
 }
 
 static int f2fs_xattr_generic_set(struct dentry *dentry, const char *name,
@@ -93,13 +99,15 @@ static int f2fs_xattr_generic_set(struct dentry *dentry, const char *name,
                if (!capable(CAP_SYS_ADMIN))
                        return -EPERM;
                break;
+       case F2FS_XATTR_INDEX_SECURITY:
+               break;
        default:
                return -EINVAL;
        }
        if (strcmp(name, "") == 0)
                return -EINVAL;
 
-       return f2fs_setxattr(dentry->d_inode, type, name, value, size);
+       return f2fs_setxattr(dentry->d_inode, type, name, value, size, NULL);
 }
 
 static size_t f2fs_xattr_advise_list(struct dentry *dentry, char *list,
@@ -145,6 +153,31 @@ static int f2fs_xattr_advise_set(struct dentry *dentry, const char *name,
        return 0;
 }
 
+#ifdef CONFIG_F2FS_FS_SECURITY
+static int f2fs_initxattrs(struct inode *inode, const struct xattr *xattr_array,
+               void *page)
+{
+       const struct xattr *xattr;
+       int err = 0;
+
+       for (xattr = xattr_array; xattr->name != NULL; xattr++) {
+               err = f2fs_setxattr(inode, F2FS_XATTR_INDEX_SECURITY,
+                               xattr->name, xattr->value,
+                               xattr->value_len, (struct page *)page);
+               if (err < 0)
+                       break;
+       }
+       return err;
+}
+
+int f2fs_init_security(struct inode *inode, struct inode *dir,
+                               const struct qstr *qstr, struct page *ipage)
+{
+       return security_inode_init_security(inode, dir, qstr,
+                               &f2fs_initxattrs, ipage);
+}
+#endif
+
 const struct xattr_handler f2fs_xattr_user_handler = {
        .prefix = XATTR_USER_PREFIX,
        .flags  = F2FS_XATTR_INDEX_USER,
@@ -169,6 +202,14 @@ const struct xattr_handler f2fs_xattr_advise_handler = {
        .set    = f2fs_xattr_advise_set,
 };
 
+const struct xattr_handler f2fs_xattr_security_handler = {
+       .prefix = XATTR_SECURITY_PREFIX,
+       .flags  = F2FS_XATTR_INDEX_SECURITY,
+       .list   = f2fs_xattr_generic_list,
+       .get    = f2fs_xattr_generic_get,
+       .set    = f2fs_xattr_generic_set,
+};
+
 static const struct xattr_handler *f2fs_xattr_handler_map[] = {
        [F2FS_XATTR_INDEX_USER] = &f2fs_xattr_user_handler,
 #ifdef CONFIG_F2FS_FS_POSIX_ACL
@@ -176,6 +217,9 @@ static const struct xattr_handler *f2fs_xattr_handler_map[] = {
        [F2FS_XATTR_INDEX_POSIX_ACL_DEFAULT] = &f2fs_xattr_acl_default_handler,
 #endif
        [F2FS_XATTR_INDEX_TRUSTED] = &f2fs_xattr_trusted_handler,
+#ifdef CONFIG_F2FS_FS_SECURITY
+       [F2FS_XATTR_INDEX_SECURITY] = &f2fs_xattr_security_handler,
+#endif
        [F2FS_XATTR_INDEX_ADVISE] = &f2fs_xattr_advise_handler,
 };
 
@@ -186,6 +230,9 @@ const struct xattr_handler *f2fs_xattr_handlers[] = {
        &f2fs_xattr_acl_default_handler,
 #endif
        &f2fs_xattr_trusted_handler,
+#ifdef CONFIG_F2FS_FS_SECURITY
+       &f2fs_xattr_security_handler,
+#endif
        &f2fs_xattr_advise_handler,
        NULL,
 };
@@ -300,7 +347,7 @@ cleanup:
 }
 
 int f2fs_setxattr(struct inode *inode, int name_index, const char *name,
-                                       const void *value, size_t value_len)
+                       const void *value, size_t value_len, struct page *ipage)
 {
        struct f2fs_sb_info *sbi = F2FS_SB(inode->i_sb);
        struct f2fs_inode_info *fi = F2FS_I(inode);
@@ -339,7 +386,7 @@ int f2fs_setxattr(struct inode *inode, int name_index, const char *name,
                set_new_dnode(&dn, inode, NULL, NULL, fi->i_xattr_nid);
                mark_inode_dirty(inode);
 
-               page = new_node_page(&dn, XATTR_NODE_OFFSET);
+               page = new_node_page(&dn, XATTR_NODE_OFFSET, ipage);
                if (IS_ERR(page)) {
                        alloc_nid_failed(sbi, fi->i_xattr_nid);
                        fi->i_xattr_nid = 0;
@@ -439,7 +486,10 @@ int f2fs_setxattr(struct inode *inode, int name_index, const char *name,
                inode->i_ctime = CURRENT_TIME;
                clear_inode_flag(fi, FI_ACL_MODE);
        }
-       update_inode_page(inode);
+       if (ipage)
+               update_inode(inode, ipage);
+       else
+               update_inode_page(inode);
        mutex_unlock_op(sbi, ilock);
 
        return 0;

diff --git a/fs/f2fs/xattr.h b/fs/f2fs/xattr.h
index 49c9558305e3b4dae06e16733f150af76dbfe954..3c0817bef25d5fdbab3279cb446a5e2c20ba5f38 100644 (file)
--- a/fs/f2fs/xattr.h
+++ b/fs/f2fs/xattr.h
@@ -112,21 +112,19 @@ extern const struct xattr_handler f2fs_xattr_trusted_handler;
 extern const struct xattr_handler f2fs_xattr_acl_access_handler;
 extern const struct xattr_handler f2fs_xattr_acl_default_handler;
 extern const struct xattr_handler f2fs_xattr_advise_handler;
+extern const struct xattr_handler f2fs_xattr_security_handler;
 
 extern const struct xattr_handler *f2fs_xattr_handlers[];
 
-extern int f2fs_setxattr(struct inode *inode, int name_index, const char *name,
-               const void *value, size_t value_len);
-extern int f2fs_getxattr(struct inode *inode, int name_index, const char *name,
-               void *buffer, size_t buffer_size);
-extern ssize_t f2fs_listxattr(struct dentry *dentry, char *buffer,
-               size_t buffer_size);
-
+extern int f2fs_setxattr(struct inode *, int, const char *,
+                               const void *, size_t, struct page *);
+extern int f2fs_getxattr(struct inode *, int, const char *, void *, size_t);
+extern ssize_t f2fs_listxattr(struct dentry *, char *, size_t);
 #else
 
 #define f2fs_xattr_handlers    NULL
 static inline int f2fs_setxattr(struct inode *inode, int name_index,
-       const char *name, const void *value, size_t value_len)
+               const char *name, const void *value, size_t value_len)
 {
        return -EOPNOTSUPP;
 }
@@ -142,4 +140,14 @@ static inline ssize_t f2fs_listxattr(struct dentry *dentry, char *buffer,
 }
 #endif
 
+#ifdef CONFIG_F2FS_FS_SECURITY
+extern int f2fs_init_security(struct inode *, struct inode *,
+                               const struct qstr *, struct page *);
+#else
+static inline int f2fs_init_security(struct inode *inode, struct inode *dir,
+                               const struct qstr *qstr, struct page *ipage)
+{
+       return 0;
+}
+#endif
 #endif /* __F2FS_XATTR_H__ */