security, overlayfs: provide copy up security hook for unioned files

Provide a security hook to label new file correctly when a file is copied
up from lower layer to upper layer of a overlay/union mount.

This hook can prepare a new set of creds which are suitable for new file
creation during copy up. Caller will use new creds to create file and then
revert back to old creds and release new creds.

Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
[PM: whitespace cleanup to appease checkpatch.pl]
Signed-off-by: Paul Moore <paul@paul-moore.com>

1 files changed, 8 insertions, 0 deletions

diff --git a/security/security.c b/security/security.c
index 4838e7fefa1f..f2a7f27bd3e9 100644
--- a/security/security.c
+++ b/security/security.c
@@ -748,6 +748,12 @@ void security_inode_getsecid(struct inode *inode, u32 *secid)
         call_void_hook(inode_getsecid, inode, secid);
 }
 
+int security_inode_copy_up(struct dentry *src, struct cred **new)
+{
+        return call_int_hook(inode_copy_up, 0, src, new);
+}
+EXPORT_SYMBOL(security_inode_copy_up);
+
 int security_file_permission(struct file *file, int mask)
 {
         int ret;
@@ -1684,6 +1690,8 @@ struct security_hook_heads security_hook_heads = {
                 LIST_HEAD_INIT(security_hook_heads.inode_listsecurity),
         .inode_getsecid =
                 LIST_HEAD_INIT(security_hook_heads.inode_getsecid),
+        .inode_copy_up =
+                LIST_HEAD_INIT(security_hook_heads.inode_copy_up),
         .file_permission =
                 LIST_HEAD_INIT(security_hook_heads.file_permission),
         .file_alloc_security =