1 files changed, 79 insertions, 0 deletions
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 286171a16ed2..14cc7940b36d 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -4600,6 +4600,82 @@ static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
        return 0;
 }
+static int smack_inode_copy_up(struct dentry *dentry, struct cred **new)
+{
+        struct task_smack *tsp;
+        struct smack_known *skp;
+        struct inode_smack *isp;
+        struct cred *new_creds = *new;
+        if (new_creds == NULL) {
+                new_creds = prepare_creds();
+                if (new_creds == NULL)
+                        return -ENOMEM;
+        }
+        tsp = new_creds->security;
+        /*
+         * Get label from overlay inode and set it in create_sid
+         */
+        isp = d_inode(dentry->d_parent)->i_security;
+        skp = isp->smk_inode;
+        tsp->smk_task = skp;
+        *new = new_creds;
+        return 0;
+}
+static int smack_inode_copy_up_xattr(const char *name)
+{
+        /*
+         * Return 1 if this is the smack access Smack attribute.
+         */
+        if (strcmp(name, XATTR_NAME_SMACK) == 0)
+                return 1;
+        return -EOPNOTSUPP;
+}
+static int smack_dentry_create_files_as(struct dentry *dentry, int mode,
+                                        struct qstr *name,
+                                        const struct cred *old,
+                                        struct cred *new)
+{
+        struct task_smack *otsp = old->security;
+        struct task_smack *ntsp = new->security;
+        struct inode_smack *isp;
+        int may;
+        /*
+         * Use the process credential unless all of
+         * the transmuting criteria are met
+         */
+        ntsp->smk_task = otsp->smk_task;
+        /*
+         * the attribute of the containing directory
+         */
+        isp = d_inode(dentry->d_parent)->i_security;
+        if (isp->smk_flags & SMK_INODE_TRANSMUTE) {
+                rcu_read_lock();
+                may = smk_access_entry(otsp->smk_task->smk_known,
+                                       isp->smk_inode->smk_known,
+                                       &otsp->smk_task->smk_rules);
+                rcu_read_unlock();
+                /*
+                 * If the directory is transmuting and the rule
+                 * providing access is transmuting use the containing
+                 * directory label instead of the process label.
+                 */
+                if (may > 0 && (may & MAY_TRANSMUTE))
+                        ntsp->smk_task = isp->smk_inode;
+        }
+        return 0;
+}
 static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
        LSM_HOOK_INIT(ptrace_access_check, smack_ptrace_access_check),
        LSM_HOOK_INIT(ptrace_traceme, smack_ptrace_traceme),
@@ -4735,6 +4811,9 @@ static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
        LSM_HOOK_INIT(inode_notifysecctx, smack_inode_notifysecctx),
        LSM_HOOK_INIT(inode_setsecctx, smack_inode_setsecctx),
        LSM_HOOK_INIT(inode_getsecctx, smack_inode_getsecctx),
+        LSM_HOOK_INIT(inode_copy_up, smack_inode_copy_up),
+        LSM_HOOK_INIT(inode_copy_up_xattr, smack_inode_copy_up_xattr),
+        LSM_HOOK_INIT(dentry_create_files_as, smack_dentry_create_files_as),
 };

diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 286171a16ed2..14cc7940b36d 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c
@@ -4600,6 +4600,82 @@ static int smack_inode_getsecctx(struct inode inode, void ctx, u32 ctxlen)
4600	return 0;	4600	return 0;
4601	}	4601	}
4602		4602
		4603	static int smack_inode_copy_up(struct dentry dentry, struct cred *new)
		4604	{
		4605
		4606	struct task_smack *tsp;
		4607	struct smack_known *skp;
		4608	struct inode_smack *isp;
		4609	struct cred new_creds = new;
		4610
		4611	if (new_creds == NULL) {
		4612	new_creds = prepare_creds();
		4613	if (new_creds == NULL)
		4614	return -ENOMEM;
		4615	}
		4616
		4617	tsp = new_creds->security;
		4618
		4619	/*
		4620	* Get label from overlay inode and set it in create_sid
		4621	*/
		4622	isp = d_inode(dentry->d_parent)->i_security;
		4623	skp = isp->smk_inode;
		4624	tsp->smk_task = skp;
		4625	*new = new_creds;
		4626	return 0;
		4627	}
		4628
		4629	static int smack_inode_copy_up_xattr(const char *name)
		4630	{
		4631	/*
		4632	* Return 1 if this is the smack access Smack attribute.
		4633	*/
		4634	if (strcmp(name, XATTR_NAME_SMACK) == 0)
		4635	return 1;
		4636
		4637	return -EOPNOTSUPP;
		4638	}
		4639
		4640	static int smack_dentry_create_files_as(struct dentry *dentry, int mode,
		4641	struct qstr *name,
		4642	const struct cred *old,
		4643	struct cred *new)
		4644	{
		4645	struct task_smack *otsp = old->security;
		4646	struct task_smack *ntsp = new->security;
		4647	struct inode_smack *isp;
		4648	int may;
		4649
		4650	/*
		4651	* Use the process credential unless all of
		4652	* the transmuting criteria are met
		4653	*/
		4654	ntsp->smk_task = otsp->smk_task;
		4655
		4656	/*
		4657	* the attribute of the containing directory
		4658	*/
		4659	isp = d_inode(dentry->d_parent)->i_security;
		4660
		4661	if (isp->smk_flags & SMK_INODE_TRANSMUTE) {
		4662	rcu_read_lock();
		4663	may = smk_access_entry(otsp->smk_task->smk_known,
		4664	isp->smk_inode->smk_known,
		4665	&otsp->smk_task->smk_rules);
		4666	rcu_read_unlock();
		4667
		4668	/*
		4669	* If the directory is transmuting and the rule
		4670	* providing access is transmuting use the containing
		4671	* directory label instead of the process label.
		4672	*/
		4673	if (may > 0 && (may & MAY_TRANSMUTE))
		4674	ntsp->smk_task = isp->smk_inode;
		4675	}
		4676	return 0;
		4677	}
		4678
4603	static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {	4679	static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
4604	LSM_HOOK_INIT(ptrace_access_check, smack_ptrace_access_check),	4680	LSM_HOOK_INIT(ptrace_access_check, smack_ptrace_access_check),
4605	LSM_HOOK_INIT(ptrace_traceme, smack_ptrace_traceme),	4681	LSM_HOOK_INIT(ptrace_traceme, smack_ptrace_traceme),
@@ -4735,6 +4811,9 @@ static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
4735	LSM_HOOK_INIT(inode_notifysecctx, smack_inode_notifysecctx),	4811	LSM_HOOK_INIT(inode_notifysecctx, smack_inode_notifysecctx),
4736	LSM_HOOK_INIT(inode_setsecctx, smack_inode_setsecctx),	4812	LSM_HOOK_INIT(inode_setsecctx, smack_inode_setsecctx),
4737	LSM_HOOK_INIT(inode_getsecctx, smack_inode_getsecctx),	4813	LSM_HOOK_INIT(inode_getsecctx, smack_inode_getsecctx),
		4814	LSM_HOOK_INIT(inode_copy_up, smack_inode_copy_up),
		4815	LSM_HOOK_INIT(inode_copy_up_xattr, smack_inode_copy_up_xattr),
		4816	LSM_HOOK_INIT(dentry_create_files_as, smack_dentry_create_files_as),
4738	};	4817	};
4739		4818
4740		4819