Smack: Base support for overlayfs

Supply the Smack module hooks in support of overlayfs. Ensure that the Smack label of new files gets the correct value when a directory is transmuting. Original implementation by Romanini Daniele, with a few tweaks added. Signed-off-by: Romanini Daniele <daniele.romanini@aalto.fi> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: James Morris <james.l.morris@oracle.com>
author: Casey Schaufler <casey@schaufler-ca.com> 2017-09-28 17:54:50 -0400
committer: James Morris <james.l.morris@oracle.com> 2017-11-01 20:26:57 -0400
commit: d6d80cb57be45fc1a7d08c30526ab81ae9e7bc3d (patch)
tree: f39219dec9fe53e8684de04e4e2cea552f54d4bc /security/smack
parent: e28aa8aeab433b62e85a2da8d9bff2ba81c2ea4e (diff)
1 files changed, 79 insertions, 0 deletions
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 319add31b4a4..569f28034116 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -4605,6 +4605,82 @@ static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
        return 0;
 }
+static int smack_inode_copy_up(struct dentry *dentry, struct cred **new)
+{
+        struct task_smack *tsp;
+        struct smack_known *skp;
+        struct inode_smack *isp;
+        struct cred *new_creds = *new;
+        if (new_creds == NULL) {
+                new_creds = prepare_creds();
+                if (new_creds == NULL)
+                        return -ENOMEM;
+        }
+        tsp = new_creds->security;
+        /*
+         * Get label from overlay inode and set it in create_sid
+         */
+        isp = d_inode(dentry->d_parent)->i_security;
+        skp = isp->smk_inode;
+        tsp->smk_task = skp;
+        *new = new_creds;
+        return 0;
+}
+static int smack_inode_copy_up_xattr(const char *name)
+{
+        /*
+         * Return 1 if this is the smack access Smack attribute.
+         */
+        if (strcmp(name, XATTR_NAME_SMACK) == 0)
+                return 1;
+        return -EOPNOTSUPP;
+}
+static int smack_dentry_create_files_as(struct dentry *dentry, int mode,
+                                        struct qstr *name,
+                                        const struct cred *old,
+                                        struct cred *new)
+{
+        struct task_smack *otsp = old->security;
+        struct task_smack *ntsp = new->security;
+        struct inode_smack *isp;
+        int may;
+        /*
+         * Use the process credential unless all of
+         * the transmuting criteria are met
+         */
+        ntsp->smk_task = otsp->smk_task;
+        /*
+         * the attribute of the containing directory
+         */
+        isp = d_inode(dentry->d_parent)->i_security;
+        if (isp->smk_flags & SMK_INODE_TRANSMUTE) {
+                rcu_read_lock();
+                may = smk_access_entry(otsp->smk_task->smk_known,
+                                       isp->smk_inode->smk_known,
+                                       &otsp->smk_task->smk_rules);
+                rcu_read_unlock();
+                /*
+                 * If the directory is transmuting and the rule
+                 * providing access is transmuting use the containing
+                 * directory label instead of the process label.
+                 */
+                if (may > 0 && (may & MAY_TRANSMUTE))
+                        ntsp->smk_task = isp->smk_inode;
+        }
+        return 0;
+}
 static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
        LSM_HOOK_INIT(ptrace_access_check, smack_ptrace_access_check),
        LSM_HOOK_INIT(ptrace_traceme, smack_ptrace_traceme),
@@ -4740,6 +4816,9 @@ static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
        LSM_HOOK_INIT(inode_notifysecctx, smack_inode_notifysecctx),
        LSM_HOOK_INIT(inode_setsecctx, smack_inode_setsecctx),
        LSM_HOOK_INIT(inode_getsecctx, smack_inode_getsecctx),
+        LSM_HOOK_INIT(inode_copy_up, smack_inode_copy_up),
+        LSM_HOOK_INIT(inode_copy_up_xattr, smack_inode_copy_up_xattr),
+        LSM_HOOK_INIT(dentry_create_files_as, smack_dentry_create_files_as),
 };
author	Casey Schaufler <casey@schaufler-ca.com>	2017-09-28 17:54:50 -0400
committer	James Morris <james.l.morris@oracle.com>	2017-11-01 20:26:57 -0400
commit	d6d80cb57be45fc1a7d08c30526ab81ae9e7bc3d (patch)
tree	f39219dec9fe53e8684de04e4e2cea552f54d4bc /security/smack
parent	e28aa8aeab433b62e85a2da8d9bff2ba81c2ea4e (diff)

diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 319add31b4a4..569f28034116 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c
@@ -4605,6 +4605,82 @@ static int smack_inode_getsecctx(struct inode inode, void ctx, u32 ctxlen)
4605	return 0;	4605	return 0;
4606	}	4606	}
4607		4607
		4608	static int smack_inode_copy_up(struct dentry dentry, struct cred *new)
		4609	{
		4610
		4611	struct task_smack *tsp;
		4612	struct smack_known *skp;
		4613	struct inode_smack *isp;
		4614	struct cred new_creds = new;
		4615
		4616	if (new_creds == NULL) {
		4617	new_creds = prepare_creds();
		4618	if (new_creds == NULL)
		4619	return -ENOMEM;
		4620	}
		4621
		4622	tsp = new_creds->security;
		4623
		4624	/*
		4625	* Get label from overlay inode and set it in create_sid
		4626	*/
		4627	isp = d_inode(dentry->d_parent)->i_security;
		4628	skp = isp->smk_inode;
		4629	tsp->smk_task = skp;
		4630	*new = new_creds;
		4631	return 0;
		4632	}
		4633
		4634	static int smack_inode_copy_up_xattr(const char *name)
		4635	{
		4636	/*
		4637	* Return 1 if this is the smack access Smack attribute.
		4638	*/
		4639	if (strcmp(name, XATTR_NAME_SMACK) == 0)
		4640	return 1;
		4641
		4642	return -EOPNOTSUPP;
		4643	}
		4644
		4645	static int smack_dentry_create_files_as(struct dentry *dentry, int mode,
		4646	struct qstr *name,
		4647	const struct cred *old,
		4648	struct cred *new)
		4649	{
		4650	struct task_smack *otsp = old->security;
		4651	struct task_smack *ntsp = new->security;
		4652	struct inode_smack *isp;
		4653	int may;
		4654
		4655	/*
		4656	* Use the process credential unless all of
		4657	* the transmuting criteria are met
		4658	*/
		4659	ntsp->smk_task = otsp->smk_task;
		4660
		4661	/*
		4662	* the attribute of the containing directory
		4663	*/
		4664	isp = d_inode(dentry->d_parent)->i_security;
		4665
		4666	if (isp->smk_flags & SMK_INODE_TRANSMUTE) {
		4667	rcu_read_lock();
		4668	may = smk_access_entry(otsp->smk_task->smk_known,
		4669	isp->smk_inode->smk_known,
		4670	&otsp->smk_task->smk_rules);
		4671	rcu_read_unlock();
		4672
		4673	/*
		4674	* If the directory is transmuting and the rule
		4675	* providing access is transmuting use the containing
		4676	* directory label instead of the process label.
		4677	*/
		4678	if (may > 0 && (may & MAY_TRANSMUTE))
		4679	ntsp->smk_task = isp->smk_inode;
		4680	}
		4681	return 0;
		4682	}
		4683
4608	static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {	4684	static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
4609	LSM_HOOK_INIT(ptrace_access_check, smack_ptrace_access_check),	4685	LSM_HOOK_INIT(ptrace_access_check, smack_ptrace_access_check),
4610	LSM_HOOK_INIT(ptrace_traceme, smack_ptrace_traceme),	4686	LSM_HOOK_INIT(ptrace_traceme, smack_ptrace_traceme),
@@ -4740,6 +4816,9 @@ static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
4740	LSM_HOOK_INIT(inode_notifysecctx, smack_inode_notifysecctx),	4816	LSM_HOOK_INIT(inode_notifysecctx, smack_inode_notifysecctx),
4741	LSM_HOOK_INIT(inode_setsecctx, smack_inode_setsecctx),	4817	LSM_HOOK_INIT(inode_setsecctx, smack_inode_setsecctx),
4742	LSM_HOOK_INIT(inode_getsecctx, smack_inode_getsecctx),	4818	LSM_HOOK_INIT(inode_getsecctx, smack_inode_getsecctx),
		4819	LSM_HOOK_INIT(inode_copy_up, smack_inode_copy_up),
		4820	LSM_HOOK_INIT(inode_copy_up_xattr, smack_inode_copy_up_xattr),
		4821	LSM_HOOK_INIT(dentry_create_files_as, smack_dentry_create_files_as),
4743	};	4822	};
4744		4823
4745		4824