www.infradead.org Git - users/jedix/linux-maple.git/commit
security, overlayfs: Provide hook to correctly label newly created files
author Vivek Goyal <vgoyal@redhat.com>
Wed, 13 Jul 2016 14:44:52 +0000 (10:44 -0400)
committer Anand Jain <anand.jain@oracle.com>
Thu, 26 Oct 2017 08:15:29 +0000 (16:15 +0800)
commit f4c45071a0602044d813dd8d49da97e7c94dac21
tree e6853db676307b31c5e191a416fe6cf97b34a907
parent 4eee847875b1f98e8b7349e82f92f72b00af0f6c

During a new file creation we need to make sure new file is created with the
right label. New file is created in upper/ so effectively file should get
label as if task had created file in upper/.

We switched to mounter's creds for actual file creation. Also if there is a
whiteout present, then file will be created in work/ dir first and then
renamed in upper. In none of the cases file will be labeled as we want it to
be.

This patch introduces a new hook dentry_create_files_as(), which determines
the label/context dentry will get if it had been created by task in upper
and modify passed set of creds appropriately. Caller makes use of these new
creds for file creation.

Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
[PM: fix whitespace issues found with checkpatch.pl]
[PM: changes to use stat->mode in ovl_create_or_link()]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Orabug: 25684456

(backport upstream commit 2602625b7e46576b00db619ac788c508ba3bcb2c)

Signed-off-by: Anand Jain <anand.jain@oracle.com>
Acked-by: James Morris <james.l.morris@oracle.com>
Reviewed-by: James Morris <james.l.morris@oracle.com>
conflict fix:
include/linux/security.h
security/capability.c
fs/overlayfs/dir.c
include/linux/security.h
security/capability.c
security/security.c