To allow the security policy on an NFS client to control access to file systems mounted from ordinary (unlabeled) NFS servers, each NFS file is labeled based on the identity of the NFS server that exports it. A file system security context and a file security context can be specified for each NFS server in the policy configuration. These contexts are applied to all file systems and all files mounted from that NFS server; the server itself stores no labels.
An initial SID is defined as the default SID for NFS file systems and their files. If security contexts are not defined for the NFS server in the policy configuration, then the security_nfs_sid function returns this initial SID. Otherwise, the security_nfs_sid function returns the SIDs that correspond to the security contexts in the configuration.
The fs/nfs/inode.c:nfs_read_super function obtains the SIDs for the file system and its root directory from the security server using the security_nfs_sid function at mount time. The nfs_statfs function returns the file system SID. The nfs_fill_inode function copies the inode SID from the SID of the root directory, so every inode from a given server carries the same label. Because NFS labels are derived from the client's policy configuration rather than stored per file, the nfs_notify_change function returns EACCES if an attempt is made to change an inode's SID; otherwise it checks setattr permission on the inode.
Separate labels could be supported for different file systems mounted from the same NFS server, but this would require the nfs_read_super function to pass an additional parameter to security_nfs_sid to identify the particular file system. Since the mount call is only provided with the NFS file handle for the root directory (as opposed to the pathname on the server), this is currently not implemented. If the mount program were modified to also pass the pathname, then the configuration could specify security contexts based on both the server identity and the pathname on the server for the root directory.
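As an added illustration (not code from the original report or from the Linux NFS client), the following user-space model shows the labeling flow described above: a per-server policy table consulted by a security_nfs_sid stand-in that falls back to the initial SID, a mount step that labels the superblock and root directory, inode labels inherited from the root directory, and a notify_change step that refuses relabeling with EACCES. The hostnames, SID values, and the struct and function names fake_super, fake_inode, nfs_policy, SID_INITIAL_NFS and check_setattr_permission are assumptions chosen for the example; the real code keys on the server's network identity and consults the access vector cache for the setattr check.

```c
/* Added example modelling the NFS labeling scheme; not the kernel's code.
 * All names and SID values below are assumptions for illustration. */
#include <assert.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t security_id_t;

/* Initial SID used when the policy names no contexts for a server (assumed value). */
#define SID_INITIAL_NFS 7u

/* Constructed policy configuration: one entry per NFS server identity. */
struct nfs_server_entry {
    const char   *server;   /* server identity (hostname here, as an assumption) */
    security_id_t fs_sid;   /* SID of the file system security context */
    security_id_t file_sid; /* SID of the file security context */
};

static const struct nfs_server_entry nfs_policy[] = {
    { "fileserver.example.org", 100, 101 },
    { "backup.example.org",     200, 201 },
};

/* Stand-in for security_nfs_sid(): look up both SIDs for a server, falling
 * back to the initial SID for both when the server is not configured.
 * Returns 1 if the server was found in the configuration, 0 if defaulted. */
int security_nfs_sid(const char *server, security_id_t *fs_sid, security_id_t *file_sid)
{
    size_t i;
    for (i = 0; i < sizeof(nfs_policy) / sizeof(nfs_policy[0]); i++) {
        if (strcmp(nfs_policy[i].server, server) == 0) {
            *fs_sid = nfs_policy[i].fs_sid;
            *file_sid = nfs_policy[i].file_sid;
            return 1;
        }
    }
    *fs_sid = SID_INITIAL_NFS;
    *file_sid = SID_INITIAL_NFS;
    return 0;
}

struct fake_super { security_id_t sid; security_id_t root_sid; };
struct fake_inode { security_id_t sid; };

/* Stand-in for nfs_read_super(): label the superblock and root directory at mount. */
void nfs_read_super(struct fake_super *sb, const char *server)
{
    security_nfs_sid(server, &sb->sid, &sb->root_sid);
}

/* Stand-in for nfs_statfs(): reports the file system SID. */
security_id_t nfs_statfs(const struct fake_super *sb) { return sb->sid; }

/* Stand-in for nfs_fill_inode(): every inode inherits the root directory's SID. */
void nfs_fill_inode(struct fake_inode *inode, const struct fake_super *sb)
{
    inode->sid = sb->root_sid;
}

/* Placeholder for the setattr permission check (the real one consults the AVC). */
static int check_setattr_permission(security_id_t subject_sid, security_id_t inode_sid)
{
    (void)subject_sid; (void)inode_sid;
    return 0; /* permitted in this model */
}

/* Stand-in for nfs_notify_change(): a request to change the SID is refused
 * with EACCES; any other attribute change is subject to setattr permission. */
int nfs_notify_change(struct fake_inode *inode, security_id_t subject_sid,
                      int change_sid, security_id_t new_sid)
{
    if (change_sid && new_sid != inode->sid)
        return -EACCES;
    return check_setattr_permission(subject_sid, inode->sid);
}

int main(void)
{
    struct fake_super sb;
    struct fake_inode ino;
    nfs_read_super(&sb, "fileserver.example.org");
    nfs_fill_inode(&ino, &sb);
    printf("fs sid %u, inode sid %u, relabel -> %d\n",
           nfs_statfs(&sb), ino.sid, nfs_notify_change(&ino, 1, 1, 999));
    nfs_read_super(&sb, "unknown.example.org");
    printf("unconfigured server: fs sid %u, root sid %u\n", sb.sid, sb.root_sid);
    return 0;
}
```

The model makes the consequence of the design visible: every inode from one server shares the root directory's SID, and a relabel attempt fails before any permission check, since there is nowhere on the server to persist a per-file label.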