From patchwork Thu Sep 28 21:54:50 2017
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 9976791
From: Casey Schaufler
To: LSM, "SMACK-discuss@lists.01.org"
Cc: daniele.romanini@aalto.fi, Elena Reshetova
Subject: [PATCH] Smack: Base support for overlayfs
Message-ID: <408f9331-c780-9a35-f2fe-b803a38aa84f@schaufler-ca.com>
Date: Thu, 28 Sep 2017 14:54:50 -0700

Supply the Smack module hooks in support of overlayfs. Ensure that the Smack label of new files gets the correct value when a directory is transmuting.

Original implementation by Romanini Daniele, with a few tweaks added.

Signed-off-by: Romanini Daniele
Signed-off-by: Casey Schaufler
---
 security/smack/smack_lsm.c | 79 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 79 insertions(+)

diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 319add3..569f280 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -4605,6 +4605,82 @@ static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) return 0; } +static int smack_inode_copy_up(struct dentry *dentry, struct cred **new) +{ + + struct task_smack *tsp; + struct smack_known *skp; + struct inode_smack *isp; + struct cred *new_creds = *new; + + if (new_creds == NULL) { + new_creds = prepare_creds(); + if (new_creds == NULL) + return -ENOMEM; + } + + tsp = new_creds->security; + + /* + * Get label from overlay inode and set it in create_sid + */ + isp = d_inode(dentry->d_parent)->i_security; + skp = isp->smk_inode; + tsp->smk_task = skp; + *new = new_creds; + return 0; +} + +static int smack_inode_copy_up_xattr(const char *name) +{ + /* + * Return 1 if this is the smack access Smack attribute. + */ + if (strcmp(name, XATTR_NAME_SMACK) == 0) + return 1; + + return -EOPNOTSUPP; +} + +static int smack_dentry_create_files_as(struct dentry *dentry, int mode, + struct qstr *name, + const struct cred *old, + struct cred *new) +{ + struct task_smack *otsp = old->security; + struct task_smack *ntsp = new->security; + struct inode_smack *isp; + int may; + + /* + * Use the process credential unless all of + * the transmuting criteria are met + */ + ntsp->smk_task = otsp->smk_task; + + /* + * the attribute of the containing directory + */ + isp = d_inode(dentry->d_parent)->i_security; + + if (isp->smk_flags & SMK_INODE_TRANSMUTE) { + rcu_read_lock(); + may = smk_access_entry(otsp->smk_task->smk_known, + isp->smk_inode->smk_known, + &otsp->smk_task->smk_rules); + rcu_read_unlock(); + + /* + * If the directory is transmuting and the rule + * providing access is transmuting use the containing + * directory label instead of the process label. 
+ */ + if (may > 0 && (may & MAY_TRANSMUTE)) + ntsp->smk_task = isp->smk_inode; + } + return 0; +} + static struct security_hook_list smack_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(ptrace_access_check, smack_ptrace_access_check), LSM_HOOK_INIT(ptrace_traceme, smack_ptrace_traceme), @@ -4740,6 +4816,9 @@ static struct security_hook_list smack_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(inode_notifysecctx, smack_inode_notifysecctx), LSM_HOOK_INIT(inode_setsecctx, smack_inode_setsecctx), LSM_HOOK_INIT(inode_getsecctx, smack_inode_getsecctx), + LSM_HOOK_INIT(inode_copy_up, smack_inode_copy_up), + LSM_HOOK_INIT(inode_copy_up_xattr, smack_inode_copy_up_xattr), + LSM_HOOK_INIT(dentry_create_files_as, smack_dentry_create_files_as), };
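Review bot: in smack_inode_copy_up the comment and the code disagree. The comment says the label is taken from the overlay inode and set in create_sid, but the code reads `d_inode(dentry->d_parent)->i_security`, that is the parent directory's label, and stores it in `tsp->smk_task` (create_sid is the SELinux field name; Smack has no such thing). If the copied-up file is meant to keep the label of the file being copied up, this should read the inode of `dentry` itself; if the parent directory label is what is intended, the comment should say so, because as written a copy-up relabels the upper copy to the directory's label rather than the lower file's, which is a visible change in what the file's label means. Two smaller points: the stray empty `+` line right after `+{` in smack_inode_copy_up should go, and in smack_inode_copy_up_xattr the comment "Return 1 if this is the smack access Smack attribute" reads oddly; "Return 1 if this is the Smack access label attribute (XATTR_NAME_SMACK)" would be clearer.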