selinux_set_mnt

Name:Allow filesystems with binary mount data to explicitly set mount point* labeling information.

Proto:static int selinux_set_mnt_opts(struct super_block *sb, void *mnt_opts, unsigned long kern_flags, unsigned long *set_kern_flags)

Type:int

Parameter:

Type	Parameter	Name
struct super_block *	sb
void *	mnt_opts
unsigned long	kern_flags
unsigned long *	set_kern_flags

651

cred = current_cred - Access the current task's subjective credentials* Access the subjective credentials of the current task. RCU-safe,* since nobody else can modify it.()

652

sbsec = s_security

653

root = s_root

654

opts = mnt_opts

656

fscontext_sid = 0 , context_sid = 0 , rootcontext_sid = 0

657

defcontext_sid = 0

658

rc = 0

660

mutex_lock( & lock)

662

If Not initialized Then

663

If Not opts Then

667

Go to out

669

rc = -EINVAL

670

pr_warn("SELinux: Unable to set superblock options before the security server is initialized\n")

672

Go to out

674

If kern_flags && Not set_kern_flags Then

677

rc = -EINVAL

678

Go to out

692

If which mount options were specified & Non-mount related flags && fs_flags & FS_BINARY_MOUNTDATA && Not opts Then Go to out

696

root_isec = backing_inode_security_novalidate(root)

703

If opts Then

704

If fscontext Then

705

rc = parse_sid(sb, fscontext, & fscontext_sid)

706

If rc Then Go to out

708

If bad_option(sbsec, FSCONTEXT_MNT, SID of file system superblock , fscontext_sid) Then Go to out_double_mount

711

which mount options were specified |= FSCONTEXT_MNT

713

If context Then

714

rc = parse_sid(sb, context, & context_sid)

715

If rc Then Go to out

717

If bad_option(sbsec, BE CAREFUL, these need to be the low order bits for selinux_get_mnt_opts , SECURITY_FS_USE_MNTPOINT context for files , context_sid) Then Go to out_double_mount

720

which mount options were specified |= BE CAREFUL, these need to be the low order bits for selinux_get_mnt_opts

722

If rootcontext Then

723

rc = parse_sid(sb, rootcontext, & rootcontext_sid)

724

If rc Then Go to out

726

If bad_option(sbsec, ROOTCONTEXT_MNT, SID of this object , rootcontext_sid) Then Go to out_double_mount

729

which mount options were specified |= ROOTCONTEXT_MNT

731

If defcontext Then

732

rc = parse_sid(sb, defcontext, & defcontext_sid)

733

If rc Then Go to out

735

If bad_option(sbsec, DEFCONTEXT_MNT, default SID for labeling , defcontext_sid) Then Go to out_double_mount

738

which mount options were specified |= DEFCONTEXT_MNT

742

If which mount options were specified & Non-mount related flags Then

744

If which mount options were specified & Mask for just the mount related flags && Not opts Then Go to out_double_mount

746

rc = 0

747

Go to out

750

If strcmp(name, "proc") == 0 Then which mount options were specified |= SE_SBPROC | SE_SBGENFS

753

If Not strcmp(name, "debugfs") || Not strcmp(name, "tracefs") || Not strcmp(name, "pstore") Then which mount options were specified |= SE_SBGENFS

758

If Not strcmp(name, "sysfs") || Not strcmp(name, "cgroup") || Not strcmp(name, "cgroup2") Then which mount options were specified |= SE_SBGENFS | SE_SBGENFS_XATTR

763

If Not labeling behavior Then

768

rc = security_fs_use( & selinux_state, sb)

769

If rc Then

770

pr_warn("%s: security_fs_use(%s) returned %d\n", __func__, name, rc)

772

Go to out

781

If * Owning user namespace and default context in which to * interpret filesystem uids, gids, quotas, device nodes, * xattrs and security labels. != userns count is 1 for root user, 1 for init_uts_ns,* and 1 for... ? && strcmp(name, "tmpfs") && strcmp(name, "ramfs") && strcmp(name, "devpts") Then

785

If context_sid || fscontext_sid || rootcontext_sid || defcontext_sid Then

787

rc = -EACCES

788

Go to out

790

If labeling behavior == use xattr Then

791

labeling behavior = use mountpoint labeling

792

rc = security_transition_sid( & selinux_state, get the subjective security ID of the current task, get the subjective security ID of the current task, SECCLASS_FILE, NULL, & SECURITY_FS_USE_MNTPOINT context for files )

797

If rc Then Go to out

800

Go to out_set_opts

804

If fscontext_sid Then

805

rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred)

806

If rc Then Go to out

809

SID of file system superblock = fscontext_sid

817

If kern_flags & LSM Agnostic defines for fs_context::lsm_flags && Not context_sid Then

818

labeling behavior = use native label support

819

set_kern_flags |= LSM Agnostic defines for fs_context::lsm_flags

822

If context_sid Then

823

If Not fscontext_sid Then

824

rc = may_context_mount_sb_relabel(context_sid, sbsec, cred)

826

If rc Then Go to out

828

SID of file system superblock = context_sid

829

Else

830

rc = may_context_mount_inode_relabel(context_sid, sbsec, cred)

832

If rc Then Go to out

835

If Not rootcontext_sid Then rootcontext_sid = context_sid

838

SECURITY_FS_USE_MNTPOINT context for files = context_sid

839

labeling behavior = use mountpoint labeling

842

If rootcontext_sid Then

843

rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, cred)

845

If rc Then Go to out

848

SID of this object = rootcontext_sid

849

initialization flag = initialized

852

If defcontext_sid Then

853

If labeling behavior != use xattr && labeling behavior != use native label support Then

855

rc = -EINVAL

856

pr_warn("SELinux: defcontext option is invalid for this filesystem type\n")

858

Go to out

861

If defcontext_sid != default SID for labeling Then

862

rc = may_context_mount_inode_relabel(defcontext_sid, sbsec, cred)

864

If rc Then Go to out

868

default SID for labeling = defcontext_sid

871

out_set_opts :

872

rc = sb_finish_set_opts(sb)

873

out :

874

mutex_unlock - release the mutex*@lock: the mutex to be released* Unlock a mutex that has been locked by this task previously.* This function must not be used in interrupt context. Unlocking* of a not locked mutex is not allowed.

875

Return rc

876

out_double_mount :

877

rc = -EINVAL

878

pr_warn("SELinux: mount invalid. Same superblock, different security settings for (dev %s, type %s)\n", Informational name , name)

881

Go to out

**Caller**
Name	Describe
delayed_superblock_init

Source code conversion tool public plug-in interface	X
Support c/c++/esqlc/java Oracle/Informix/Mysql Plug-in can realize: logical Report Code generation and batch code conversion

Function report