From: Eric Paris <eparis@redhat.com> Subject: [PATCH RHEL5] selinux: allow quoted commas for non-continguous catagories or sensitivity in context mounts Date: Wed, 01 Nov 2006 12:15:56 -0500 Bugzilla: 211857 Message-Id: <1162401356.9655.22.camel@localhost.localdomain> Changelog: selinux: allow quoted commas for certain catagories in context mounts BZ 211857 There are a few kernel operations where the user can tell the kernel what context to use. An example would be when mounting a filesystem one can use a context= option to set the selinux context for the new filesystem and for all files in that filesystem. With the introduction of MLS and MCS a user may want to set the categories or sensitivity levels of the mount point. As a simple example lets say we want to set the categories to be c1 and c3 and not include c2. To do this we would mount with something like context=system_u:object_r:myfs_t:s0:c1,c3 But now the mount operation is going to see a comma and will think that c3 is a separate mount option. So userspace is implementing the ability to quote a context string. Thus giving context="system_u:object_r:myfs_t:s0:c1,c3" The routine selinux_sb_copy_data() was modified to mark a flag value when it runs across a '"'. This flag value is consulted each time a comma is encountered during the processing of the mount options. If the flag indicates that the current option contains a quote it will move on to the next character. If the flag indicates that there is either a matched set of quotes or no quotes at all then the option is taken. If the option happens to be an selinux option then the new routine take_selinux_option() is called. take_selinux_option() will copy the option to the previously allocated selinux data page. While it is doing the copying it will skip any quotes present in the option so the data page contains only the raw unquoted context. The previously used comma separator between options in the selinux data page was replaced with a '|' character to allow try_context_mount() to properly extract whole context option strings as well. This (along with the userspace fix) has been tested by IBM and shown to allow non-consecutive sensitivities and categories. It is needed for real MLS support to meet LSPP certification. It is userspace compatible with older userspace. -Eric hooks.c | 33 ++++++++++++++++++++++++++++++--- 1 file changed, 30 insertions(+), 3 deletions(-) --- linux-2.6.18.i686/security/selinux/hooks.c.comma.category 2006-10-25 16:00:10.000000000 -0400 +++ linux-2.6.18.i686/security/selinux/hooks.c 2006-10-25 16:03:02.000000000 -0400 @@ -398,7 +398,7 @@ static int try_context_mount(struct supe /* Standard string-based options. */ char *p, *options = data; - while ((p = strsep(&options, ",")) != NULL) { + while ((p = strsep(&options, "|")) != NULL) { int token; substring_t args[MAX_OPT_ARGS]; @@ -1958,11 +1958,34 @@ static inline void take_option(char **to *to += len; } +static inline void take_selinux_option(char **to, char *from, int *first, + int len) +{ + int current_size = 0; + + if (!*first) { + **to = '|'; + *to += 1; + } + else + *first = 0; + + while (current_size < len) { + if (*from != '"') { + **to = *from; + *to += 1; + } + from += 1; + current_size += 1; + } +} + static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy) { int fnosec, fsec, rc = 0; char *in_save, *in_curr, *in_end; char *sec_curr, *nosec_save, *nosec; + int open_quote = 0; in_curr = orig; sec_curr = copy; @@ -1984,11 +2007,15 @@ static int selinux_sb_copy_data(struct f in_save = in_end = orig; do { - if (*in_end == ',' || *in_end == '\0') { + if (*in_end == '"') { + open_quote = !open_quote; + } + if ((*in_end == ',' && open_quote == 0) || + *in_end == '\0') { int len = in_end - in_curr; if (selinux_option(in_curr, len)) - take_option(&sec_curr, in_curr, &fsec, len); + take_selinux_option(&sec_curr, in_curr, &fsec, len); else take_option(&nosec, in_curr, &fnosec, len);