Commit 46c8ac74 authored May 02, 2008 by Eric Paris Committed by Trond Myklebust May 16, 2008

nfs/lsm: make NFSv4 set LSM mount options



NFSv3 get_sb operations call into the LSM layer to set security options passed
from userspace.  NFSv4 hooks were not originally added since it was reasonably
late in the merge window and NFSv3 was the only thing that had regressed (v4
has never supported any LSM options)

This patch makes NFSv4 call into the LSM to set security options rather than
just blindly dropping them with no notice to the user as happens today.  This
patch was tested in a simple NFSv4 environment with the context= option and
appeared to work as expected.

Signed-off-by: Eric Paris <eparis@redhat.com>
Cc: Trond Myklebust <trond.myklebust@fys.uio.no>
Cc: "J. Bruce Fields" <bfields@fieldses.org>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: James Morris <jmorris@namei.org>
Cc: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>

parent 3a6258e1

fs/nfs/super.c

+10 −0

Original line number	Diff line number	Diff line
		@@ -2015,6 +2015,10 @@ static int nfs4_get_sb(struct file_system_type *fs_type,
		goto error_splat_super;
		}

		error = security_sb_set_mnt_opts(s, &data.lsm_opts);
		if (error)
		goto error_splat_root;

		s->s_flags \|= MS_ACTIVE;
		mnt->mnt_sb = s;
		mnt->mnt_root = mntroot;
		@@ -2031,6 +2035,8 @@ out_free:
		nfs_free_server(server);
		goto out;

		error_splat_root:
		dput(mntroot);
		error_splat_super:
		up_write(&s->s_umount);
		deactivate_super(s);
		@@ -2114,6 +2120,8 @@ static int nfs4_xdev_get_sb(struct file_system_type *fs_type, int flags,
		mnt->mnt_sb = s;
		mnt->mnt_root = mntroot;

		security_sb_clone_mnt_opts(data->sb, s);

		dprintk("<-- nfs4_xdev_get_sb() = 0\n");
		return 0;

		@@ -2197,6 +2205,8 @@ static int nfs4_referral_get_sb(struct file_system_type *fs_type, int flags,
		mnt->mnt_sb = s;
		mnt->mnt_root = mntroot;

		security_sb_clone_mnt_opts(data->sb, s);

		dprintk("<-- nfs4_referral_get_sb() = 0\n");
		return 0;

Admin message