[PATCH 0/2] fuse: Send file/inode security context during creation
Vivek Goyal
vgoyal at redhat.com
Fri Sep 24 19:24:40 UTC 2021
Hi,
When a file is created (create, mknod, mkdir, symlink), typically file
systems call ecurity_inode_init_security() to initialize security
context of an inode. But this does not very well with remote filesystems
as inode is not there yet. Client will send a creation request to
server and once server has created the file, client will instantiate
the inode.
So filesystems like nfs and ceph use security_dentry_init_security()
instead. This takes in a dentry and returns the security context of
file if any.
These patches call security_dentry_init_security() and send security
label of file along with creation request (FUSE_CREATE, FUSE_MKDIR,
FUSE_MKNOD, FUSE_SYMLINK). This will give server an opportunity
to create new file and also set security label (possibly atomically
where possible).
These patches are based on the work Chirantan Ekbote did some time
back but it never got upstreamed. So I have taken his patches,
made some modifications and posting again.
https://listman.redhat.com/archives/virtio-fs/2020-July/msg00014.html
https://listman.redhat.com/archives/virtio-fs/2020-July/msg00015.html
These patches will allow us to support SELinux on virtiofs.
Vivek Goyal (2):
fuse: Add a flag FUSE_SECURITY_CTX
fuse: Send security context of inode on file creation
fs/fuse/dir.c | 114 ++++++++++++++++++++++++++++++++++++--
fs/fuse/fuse_i.h | 3 +
fs/fuse/inode.c | 4 +-
include/uapi/linux/fuse.h | 20 ++++++-
4 files changed, 134 insertions(+), 7 deletions(-)
--
2.31.1
More information about the Linux-security-module-archive
mailing list