This series of patches adds support for SELinux 'context mounts', which
allows filesystems to be assigned security context information at mount time.
For example, some filesystems do not support extended attributes (e.g. NFS,
vfat), and this feature allows security contexts to be assigned to them on a
per-mountpoint basis. It is also useful when the existing labeling on a
filesystem is untrusted or unwanted for some reason (e.g. removable media),
and needs to be overridden with a safe default.
The first patch below consists of infrastructure changes to the kernel:
- A new LSM hook has been added, sb_copy_data, which allows the security
module to copy security-specific mount data once the superblock has been
setup by the filesystem.
- The sb_kern_mount hook has been modified to take this security data as a
parameter, and would typically be used at that point to configure the
security parameters of the filesystem being mounted.
- Allocation and freeing of the security data has been implemented in the
core fs code as it is cleaner than trying to do it purely via LSM hooks,
and should make maintenance easier. This code will be compiled away if LSM
is not enabled.
projects / history.git / commit