Commit 3528a953 authored by Cory Olmo's avatar Cory Olmo Committed by Linus Torvalds

[PATCH] SELinux: support mls categories for context mounts

Allows commas to be embedded into context mount options (i.e.  "-o
context=some_selinux_context_t"), to better support multiple categories,
which are separated by commas and confuse mount.

For example, with the current code:

  mount -t iso9660 /dev/cdrom /media/cdrom -o \
  ro,context=system_u:object_r:iso9660_t:s0:c1,c3,c4,exec

The context option that will be interpreted by SELinux is
context=system_u:object_r:iso9660_t:s0:c1

instead of
context=system_u:object_r:iso9660_t:s0:c1,c3,c4

The options that will be passed on to the file system will be
ro,c3,c4,exec.

The proposed solution is to allow/require the SELinux context option
specified to mount to use quotes when the context contains a comma.

This patch modifies the option parsing in parse_opts(), contained in
mount.c, to take options after finding a comma only if it hasn't seen a
quote or if the quotes are matched.  It also introduces a new function that
will strip the quotes from the context option prior to translation.  The
quotes are replaced after the translation is completed to insure that in
the event the raw context contains commas the kernel will be able to
interpret the correct context.
Signed-off-by: default avatarCory Olmo <colmo@TrustedCS.com>
Signed-off-by: default avatarJames Morris <jmorris@namei.org>
Acked-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
parent 79f5acf5
...@@ -398,7 +398,7 @@ static int try_context_mount(struct super_block *sb, void *data) ...@@ -398,7 +398,7 @@ static int try_context_mount(struct super_block *sb, void *data)
/* Standard string-based options. */ /* Standard string-based options. */
char *p, *options = data; char *p, *options = data;
while ((p = strsep(&options, ",")) != NULL) { while ((p = strsep(&options, "|")) != NULL) {
int token; int token;
substring_t args[MAX_OPT_ARGS]; substring_t args[MAX_OPT_ARGS];
...@@ -1923,18 +1923,40 @@ static inline void take_option(char **to, char *from, int *first, int len) ...@@ -1923,18 +1923,40 @@ static inline void take_option(char **to, char *from, int *first, int len)
if (!*first) { if (!*first) {
**to = ','; **to = ',';
*to += 1; *to += 1;
} } else
else
*first = 0; *first = 0;
memcpy(*to, from, len); memcpy(*to, from, len);
*to += len; *to += len;
} }
static inline void take_selinux_option(char **to, char *from, int *first,
int len)
{
int current_size = 0;
if (!*first) {
**to = '|';
*to += 1;
}
else
*first = 0;
while (current_size < len) {
if (*from != '"') {
**to = *from;
*to += 1;
}
from += 1;
current_size += 1;
}
}
static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy) static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
{ {
int fnosec, fsec, rc = 0; int fnosec, fsec, rc = 0;
char *in_save, *in_curr, *in_end; char *in_save, *in_curr, *in_end;
char *sec_curr, *nosec_save, *nosec; char *sec_curr, *nosec_save, *nosec;
int open_quote = 0;
in_curr = orig; in_curr = orig;
sec_curr = copy; sec_curr = copy;
...@@ -1956,11 +1978,14 @@ static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void ...@@ -1956,11 +1978,14 @@ static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void
in_save = in_end = orig; in_save = in_end = orig;
do { do {
if (*in_end == ',' || *in_end == '\0') { if (*in_end == '"')
open_quote = !open_quote;
if ((*in_end == ',' && open_quote == 0) ||
*in_end == '\0') {
int len = in_end - in_curr; int len = in_end - in_curr;
if (selinux_option(in_curr, len)) if (selinux_option(in_curr, len))
take_option(&sec_curr, in_curr, &fsec, len); take_selinux_option(&sec_curr, in_curr, &fsec, len);
else else
take_option(&nosec, in_curr, &fnosec, len); take_option(&nosec, in_curr, &fnosec, len);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment