security,overlayfs: Provide security hook for copy up of xattrs for overlay file

Provide a security hook which is called when xattrs of a file are being
copied up. This hook is called once for each xattr and LSM can return
0 if the security module wants the xattr to be copied up, 1 if the
security module wants the xattr to be discarded on the copy, -EOPNOTSUPP
if the security module does not handle/manage the xattr, or a -errno
upon an error.

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
[PM: whitespace cleanup for checkpatch.pl]
Signed-off-by: Paul Moore <paul@paul-moore.com>

1 files changed, 8 insertions, 0 deletions

diff --git a/security/security.c b/security/security.c
index f2a7f27bd3e9..a9e2bb9fb9d3 100644
--- a/security/security.c
+++ b/security/security.c
@@ -754,6 +754,12 @@ int security_inode_copy_up(struct dentry *src, struct cred **new)
 }
 EXPORT_SYMBOL(security_inode_copy_up);
 
+int security_inode_copy_up_xattr(const char *name)
+{
+        return call_int_hook(inode_copy_up_xattr, -EOPNOTSUPP, name);
+}
+EXPORT_SYMBOL(security_inode_copy_up_xattr);
+
 int security_file_permission(struct file *file, int mask)
 {
         int ret;
@@ -1692,6 +1698,8 @@ struct security_hook_heads security_hook_heads = {
                 LIST_HEAD_INIT(security_hook_heads.inode_getsecid),
         .inode_copy_up =
                 LIST_HEAD_INIT(security_hook_heads.inode_copy_up),
+        .inode_copy_up_xattr =
+                LIST_HEAD_INIT(security_hook_heads.inode_copy_up_xattr),
         .file_permission =
                 LIST_HEAD_INIT(security_hook_heads.file_permission),
         .file_alloc_security =