Add support to yaffs to set the security attribute of new inodes when
they are created. This parallels similar support in other filesystems,
and is a requirement for SELinux and other MAC systems. This support
is used by SE Android,
http://selinuxproject.org/page/SEAndroid
Signed-off-by: Stephen Smalley <
sds@tycho.nsa.gov>
---
yaffs_vfs_multi.c | 43 +++++++++++++++++++++++++++++++++++++++++++
yaffs_vfs_single.c | 39 +++++++++++++++++++++++++++++++++++++++
2 files changed, 82 insertions(+)
diff --git a/yaffs_vfs_multi.c b/yaffs_vfs_multi.c
index ce41d6c..462ebdb 100644
--- a/yaffs_vfs_multi.c
+++ b/yaffs_vfs_multi.c
@@ -71,6 +71,7 @@
#include <linux/slab.h>
#include <linux/init.h>
#include <linux/fs.h>
+#include <linux/security.h>
#include <linux/proc_fs.h>
#if (LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 39))
#include <linux/smp_lock.h>
@@ -1618,6 +1619,46 @@ out:
#define YCRED(x) (x->cred)
#endif
+static int yaffs_init_security(struct inode *dir, struct dentry *dentry,
+ struct inode *inode)
+{
+ int err;
+ size_t size;
+ void *value;
+ char *suffix;
+ char name[XATTR_NAME_MAX];
+ struct yaffs_dev *dev;
+ struct yaffs_obj *obj = yaffs_inode_to_obj(inode);
+ int result;
+
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 39))
+ err = security_inode_init_security(inode, dir, &dentry->d_name,
+ &suffix, &value, &size);
+#else
+ err = security_inode_init_security(inode, dir, &suffix, &value, &size);
+#endif
+ if (err) {
+ if (err == -EOPNOTSUPP)
+ return 0;
+ return err;
+ }
+ snprintf(name, sizeof name, "%s%s", XATTR_SECURITY_PREFIX, suffix);
+
+ /* inlined yaffs_setxattr: no instantiated dentry yet */
+ dev = obj->my_dev;
+ yaffs_gross_lock(dev);
+ result = yaffs_set_xattrib(obj, name, value, size, 0);
+ if (result == YAFFS_OK)
+ err = 0;
+ else if (result < 0)
+ err = result;
+ yaffs_gross_unlock(dev);
+
+ kfree(value);
+ kfree(suffix);
+ return err;
+}
+
#if (LINUX_VERSION_CODE > KERNEL_VERSION(2, 5, 0))
static int yaffs_mknod(struct inode *dir, struct dentry *dentry, int mode,
dev_t rdev)
@@ -1694,6 +1735,7 @@ static int yaffs_mknod(struct inode *dir, struct dentry *dentry, int mode,
if (obj) {
inode = yaffs_get_inode(dir->i_sb, mode, rdev, obj);
+ yaffs_init_security(dir, dentry, inode);
d_instantiate(dentry, inode);
update_dir_time(dir);
yaffs_trace(YAFFS_TRACE_OS,
@@ -1827,6 +1869,7 @@ static int yaffs_symlink(struct inode *dir, struct dentry *dentry,
struct inode *inode;
inode = yaffs_get_inode(dir->i_sb, obj->yst_mode, 0, obj);
+ yaffs_init_security(dir, dentry, inode);
d_instantiate(dentry, inode);
update_dir_time(dir);
yaffs_trace(YAFFS_TRACE_OS, "symlink created OK");
diff --git a/yaffs_vfs_single.c b/yaffs_vfs_single.c
index 8d41f69..5ce7a55 100644
--- a/yaffs_vfs_single.c
+++ b/yaffs_vfs_single.c
@@ -41,6 +41,7 @@
#include <linux/slab.h>
#include <linux/init.h>
#include <linux/fs.h>
+#include <linux/security.h>
#include <linux/proc_fs.h>
#include <linux/pagemap.h>
#include <linux/mtd/mtd.h>
@@ -187,6 +188,42 @@ struct inode *yaffs_get_inode(struct super_block *sb, int mode, int dev,
return inode;
}
+static int yaffs_init_security(struct inode *dir, struct dentry *dentry,
+ struct inode *inode)
+{
+ int err;
+ size_t size;
+ void *value;
+ char *suffix;
+ char name[XATTR_NAME_MAX];
+ struct yaffs_dev *dev;
+ struct yaffs_obj *obj = yaffs_inode_to_obj(inode);
+ int result;
+
+ err = security_inode_init_security(inode, dir, &dentry->d_name,
+ &suffix, &value, &size);
+ if (err) {
+ if (err == -EOPNOTSUPP)
+ return 0;
+ return err;
+ }
+ snprintf(name, sizeof name, "%s%s", XATTR_SECURITY_PREFIX, suffix);
+
+ /* inlined yaffs_setxattr: no instantiated dentry yet */
+ dev = obj->my_dev;
+ yaffs_gross_lock(dev);
+ result = yaffs_set_xattrib(obj, name, value, size, 0);
+ if (result == YAFFS_OK)
+ err = 0;
+ else if (result < 0)
+ err = result;
+ yaffs_gross_unlock(dev);
+
+ kfree(value);
+ kfree(suffix);
+ return err;
+}
+
static int yaffs_mknod(struct inode *dir, struct dentry *dentry, int mode,
dev_t rdev)
{
@@ -259,6 +296,7 @@ static int yaffs_mknod(struct inode *dir, struct dentry *dentry, int mode,
inode = yaffs_get_inode(dir->i_sb, mode, rdev, obj);
+ yaffs_init_security(dir, dentry, inode);
d_instantiate(dentry, inode);
update_dir_time(dir);
yaffs_trace(YAFFS_TRACE_OS,
@@ -357,6 +395,7 @@ static int yaffs_symlink(struct inode *dir, struct dentry *dentry,
}
inode = yaffs_get_inode(dir->i_sb, obj->yst_mode, 0, obj);
+ yaffs_init_security(dir, dentry, inode);
d_instantiate(dentry, inode);
update_dir_time(dir);
yaffs_trace(YAFFS_TRACE_OS, "symlink created OK");
--
1.7.11.2
--
Stephen Smalley
National Security Agency