Displaying 17 results from an estimated 17 matches for "security_inode_init_security".
2023 Mar 14
1
[PATCH v8 1/6] reiserfs: Switch to security_inode_init_security()
From: Roberto Sassu <roberto.sassu at huawei.com>
In preparation for removing security_old_inode_init_security(), switch to
security_inode_init_security(). Commit 572302af1258 ("reiserfs: Add missing
calls to reiserfs_security_free()") fixed possible memory leaks and another
issue related to adding an xattr at inode creation time.
Define the initxattrs callback reiserfs_initxattrs(), to populate the
name/value/len triple in the reiserfs_...
2023 Jan 10
3
[PATCH v7 2/6] ocfs2: Switch to security_inode_init_security()
On Thu, 2022-12-01 at 11:41 +0100, Roberto Sassu wrote:
> From: Roberto Sassu <roberto.sassu at huawei.com>
>
> In preparation for removing security_old_inode_init_security(), switch to
> security_inode_init_security().
>
> Extend the existing ocfs2_initxattrs() to take the
> ocfs2_security_xattr_info structure from fs_info, and populate the
> name/value/len triple with the first xattr provided by LSMs.
Hi Mark, Joel, Joseph
some time ago I sent this patch set to switch to the newer
function secu...
2023 Feb 21
0
[PATCH v7 2/6] ocfs2: Switch to security_inode_init_security()
...; On 1/10/23 4:55 PM, Roberto Sassu wrote:
> > On Thu, 2022-12-01 at 11:41 +0100, Roberto Sassu wrote:
> > > From: Roberto Sassu <roberto.sassu at huawei.com>
> > >
> > > In preparation for removing security_old_inode_init_security(), switch to
> > > security_inode_init_security().
> > >
> > > Extend the existing ocfs2_initxattrs() to take the
> > > ocfs2_security_xattr_info structure from fs_info, and populate the
> > > name/value/len triple with the first xattr provided by LSMs.
> >
> > Hi Mark, Joel, Joseph
> >
>...
2023 Mar 14
2
[PATCH v8 2/6] ocfs2: Switch to security_inode_init_security()
From: Roberto Sassu <roberto.sassu at huawei.com>
In preparation for removing security_old_inode_init_security(), switch to
security_inode_init_security().
Extend the existing ocfs2_initxattrs() to take the
ocfs2_security_xattr_info structure from fs_info, and populate the
name/value/len triple with the first xattr provided by LSMs.
As fs_info was not used before, ocfs2_initxattrs() can now handle the case
of replicating the behavior of security_...
2023 Mar 14
7
[PATCH v8 0/6] evm: Do HMAC of multiple per LSM xattrs for new inodes
...place in the inode_init_security definition the
name/value/len parameters with the beginning of the array containing all
xattrs set by LSMs. Due to security_old_inode_init_security() API
limitation of setting only one xattr, it has been dropped and the remaining
users, ocfs2 and reiserfs, switch to security_inode_init_security().
However, due to the complexity of the changes required to fully exploit the
ability of security_inode_init_security() to set multiple xattrs, those
users can still set only one xattr (the first set in the xattr array) where
previously they called security_old_inode_init_security().
Furthermore,...
2022 Dec 01
8
[PATCH v7 0/6] evm: Do HMAC of multiple per LSM xattrs for new inodes
...place in the inode_init_security definition the
name/value/len parameters with the beginning of the array containing all
xattrs set by LSMs. Due to security_old_inode_init_security() API
limitation of setting only one xattr, it has been dropped and the remaining
users, ocfs2 and reiserfs, switch to security_inode_init_security().
However, due to the complexity of the changes required to fully exploit the
ability of security_inode_init_security() to set multiple xattrs, those
users can still set only one xattr (the first set in the xattr array) where
previously they called security_old_inode_init_security().
Furthermore,...
2022 Dec 01
1
[PATCH v7 3/6] security: Remove security_old_inode_init_security()
From: Roberto Sassu <roberto.sassu at huawei.com>
As the remaining two users reiserfs and ocfs2 switched to
security_inode_init_security(), security_old_inode_init_security() can be
now removed.
Out-of-tree kernel modules should switch to security_inode_init_security()
too.
Signed-off-by: Roberto Sassu <roberto.sassu at huawei.com>
Reviewed-by: Casey Schaufler <casey at schaufler-ca.com>
---
include/linux/security.h |...
2023 Mar 14
1
[PATCH v8 3/6] security: Remove security_old_inode_init_security()
From: Roberto Sassu <roberto.sassu at huawei.com>
As the remaining two users reiserfs and ocfs2 switched to
security_inode_init_security(), security_old_inode_init_security() can be
now removed.
Out-of-tree kernel modules should switch to security_inode_init_security()
too.
Signed-off-by: Roberto Sassu <roberto.sassu at huawei.com>
Reviewed-by: Casey Schaufler <casey at schaufler-ca.com>
Reviewed-by: Mimi Zohar <zoh...
2023 Mar 24
1
[PATCH v8 4/6] security: Allow all LSMs to provide xattrs for inode_init_security hook
...hu, 2023-03-23 at 20:09 -0400, Paul Moore wrote:
> > > On Tue, Mar 14, 2023 at 4:19 AM Roberto Sassu
> > > <roberto.sassu at huaweicloud.com> wrote:
> > > > From: Roberto Sassu <roberto.sassu at huawei.com>
> > > >
> > > > Currently, security_inode_init_security() supports only one LSM providing
> > > > an xattr and EVM calculating the HMAC on that xattr, plus other inode
> > > > metadata.
> > > >
> > > > Allow all LSMs to provide one or multiple xattrs, by extending the security
> > > > blob rese...
2023 Mar 27
1
[PATCH v8 4/6] security: Allow all LSMs to provide xattrs for inode_init_security hook
...400, Paul Moore wrote:
> > > > On Tue, Mar 14, 2023 at 4:19 AM Roberto Sassu
> > > > <roberto.sassu at huaweicloud.com> wrote:
> > > > > From: Roberto Sassu <roberto.sassu at huawei.com>
> > > > >
> > > > > Currently, security_inode_init_security() supports only one LSM providing
> > > > > an xattr and EVM calculating the HMAC on that xattr, plus other inode
> > > > > metadata.
> > > > >
> > > > > Allow all LSMs to provide one or multiple xattrs, by extending the security
> >...
2023 Feb 19
1
[PATCH v7 6/6] evm: Support multiple LSMs providing an xattr
On Thu, 2022-12-01 at 11:41 +0100, Roberto Sassu wrote:
> From: Roberto Sassu <roberto.sassu at huawei.com>
>
> Currently, evm_inode_init_security() processes a single LSM xattr from
> the array passed by security_inode_init_security(), and calculates the
> HMAC on it and other inode metadata.
>
> Given that initxattrs() callbacks, called by
> security_inode_init_security(), expect that this array is terminated when
> the xattr name is set to NULL, reuse the same assumption to scan all xattrs
> and to calcula...
2023 Mar 24
1
[PATCH v8 4/6] security: Allow all LSMs to provide xattrs for inode_init_security hook
....com> wrote:
> On Thu, 2023-03-23 at 20:09 -0400, Paul Moore wrote:
> > On Tue, Mar 14, 2023 at 4:19 AM Roberto Sassu
> > <roberto.sassu at huaweicloud.com> wrote:
> > > From: Roberto Sassu <roberto.sassu at huawei.com>
> > >
> > > Currently, security_inode_init_security() supports only one LSM providing
> > > an xattr and EVM calculating the HMAC on that xattr, plus other inode
> > > metadata.
> > >
> > > Allow all LSMs to provide one or multiple xattrs, by extending the security
> > > blob reservation mechanism. Introd...
2009 Feb 08
1
[PATCH] ocfs2/security: Check xattr support in security_init.
...3..8a7db21 100644
--- a/fs/ocfs2/xattr.c
+++ b/fs/ocfs2/xattr.c
@@ -5289,6 +5289,9 @@ int ocfs2_init_security_get(struct inode *inode,
struct inode *dir,
struct ocfs2_security_xattr_info *si)
{
+ if (!ocfs2_supports_xattr(OCFS2_SB(inode->i_sb)))
+ return -EOPNOTSUPP;
+
return security_inode_init_security(inode, dir, &si->name, &si->value,
&si->value_len);
}
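Review bot: In ocfs2_init_security_get(), the new early `return -EOPNOTSUPP` exits before `si->name`, `si->value` and `si->value_len` are written, so a caller that inspects or frees `si` after a non-zero return would be working on whatever those fields held before the call. Either document that `si` is left untouched on this error or clear the three fields before the check. Callers also cannot tell this -EOPNOTSUPP from one propagated by security_inode_init_security(), so a short comment stating that both cases are meant to be handled the same way would help.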
--
1.5.4.4
2011 May 16
0
[PATCH v5 12/21] evm: add evm_inode_post_init call in btrfs
...h"
#include "transaction.h"
@@ -367,31 +368,49 @@ int btrfs_xattr_security_init(struct btrfs_trans_handle *trans,
const struct qstr *qstr)
{
int err;
- size_t len;
- void *value;
- char *suffix;
+ struct xattr lsm_xattr;
+ struct xattr evm_xattr;
char *name;
- err = security_inode_init_security(inode, dir, qstr, &suffix, &value,
- &len);
+ err = security_inode_init_security(inode, dir, qstr, &lsm_xattr.name,
+ &lsm_xattr.value,
+ &lsm_xattr.value_len);
if (err) {
if (err == -EOPNOTSUPP)
return 0;
return err;
}
- name = kmalloc(X...
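Review bot: In btrfs_xattr_security_init(), `lsm_xattr` and `evm_xattr` are declared on the stack without an initializer, and only the three `lsm_xattr` fields are handed to security_inode_init_security(). If any later cleanup path frees `lsm_xattr.value` or `evm_xattr.value`, a failure before they are set would free an indeterminate pointer, so zero-initialize both structs at declaration. The rest of the hunk is cut off in this excerpt, so check this against the full patch.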
2011 Jun 02
0
[PATCH v6 11/20] evm: add evm_inode_post_init call in btrfs
...h"
#include "transaction.h"
@@ -367,31 +368,49 @@ int btrfs_xattr_security_init(struct btrfs_trans_handle *trans,
const struct qstr *qstr)
{
int err;
- size_t len;
- void *value;
- char *suffix;
+ struct xattr lsm_xattr;
+ struct xattr evm_xattr;
char *name;
- err = security_inode_init_security(inode, dir, qstr, &suffix, &value,
- &len);
+ err = security_inode_init_security(inode, dir, qstr, &lsm_xattr.name,
+ &lsm_xattr.value,
+ &lsm_xattr.value_len);
if (err) {
if (err == -EOPNOTSUPP)
return 0;
return err;
}
- name = kmalloc(X...
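Review bot: The `if (err == -EOPNOTSUPP) return 0;` path kept as context returns before anything in the visible lines touches `evm_xattr`, so an inode for which no LSM supplies an xattr appears to get no EVM xattr at creation. If that is intended, say so in the commit message or in a comment above the check; if not, the EVM step needs to run on that path as well.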
2009 May 03
6
[RFC] The reflink(2) system call.
Hi everyone,
I described the reflink operation at the Linux Storage &
Filesystems Workshop last month. Originally implemented as an
ocfs2-specific ioctl, the consensus was that it should be a syscall from
the get-go. Here's some first-cut patches.
For people who have not seen reflink, either at LSF or on the
ocfs2 wiki, the first patch contains
Documentation/filesystems/reflink.txt to
2008 Oct 17
3
[PATCH 0/3] ocfs2: add security EA and ACL support v3
Hi,
These three patches fix the problems in version two.
And they are based on Tao's patches:
ocfs2/xattr: xattr improvement
The first patch fixes some problems in the xattr code.
The second patch adds security EA support.
The third patch adds ACL support.
Best regards,
tiger