    sysfs: Add labeling support for sysfs · ddd29ec6
    David P. Quigley authored
    This patch adds a setxattr handler to the file, directory, and symlink
    inode_operations structures for sysfs. The patch uses hooks introduced in the
    previous patch to handle the getting and setting of security information for
    the sysfs inodes. As was suggested by Eric Biederman the struct iattr in the
    sysfs_dirent structure has been replaced by a structure which contains the
    iattr, secdata and secdata length to allow the changes to persist in the event
    that the inode representing the sysfs_dirent is evicted. Because sysfs only
    stores this information when a change is made all the optional data is moved
    into one dynamically allocated field.
    
    This patch addresses an issue where SELinux was denying virtd access to the PCI
    configuration entries in sysfs. The lack of setxattr handlers for sysfs
    required that a single label be assigned to all entries in sysfs. Granting virtd
    access to every entry in sysfs is not an acceptable solution so fine grained
    labeling of sysfs is required such that individual entries can be labeled
    appropriately.
    
    [sds: Fixed compile-time warnings, coding style, and setting of inode security init flags.]
    Signed-off-by: David P. Quigley <dpquigl@tycho.nsa.gov>
    Signed-off-by: Stephen D. Smalley <sds@tycho.nsa.gov>
    Signed-off-by: James Morris <jmorris@namei.org>