From: Vivek Goyal <vgoyal@redhat.com>
Date: Wed, 13 Jul 2016 14:44:48 +0000 (-0400)
Subject: selinux: Implementation for inode_copy_up() hook
X-Git-Tag: v4.1.12-117.0_27200813_3~147
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=12576c41441b5aa69eb9a1b432f865e3a9c517d1;p=users%2Fjedix%2Flinux-maple.git

selinux: Implementation for inode_copy_up() hook

A file is being copied up for overlay file system. Prepare a new set of
creds and set create_sid appropriately so that new file is created with
appropriate label.

Overlay inode has right label for both context and non-context mount
cases. In case of non-context mount, overlay inode will have the label
of lower file and in case of context mount, overlay inode will have
the label from context= mount option.

Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>

Orabug: 25684456

(backport upstream commit 56909eb3f559103196ecbf2c08c923e0804980fb)

Signed-off-by: Anand Jain <anand.jain@oracle.com>
Acked-by: James Morris <james.l.morris@oracle.com>
Reviewed-by: James Morris <james.l.morris@oracle.com>
---

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 8b851f76a377..08384b887bb0 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3204,6 +3204,26 @@ static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
 	*secid = isec->sid;
 }
 
+static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
+{
+	u32 sid;
+	struct task_security_struct *tsec;
+	struct cred *new_creds = *new;
+
+	if (new_creds == NULL) {
+		new_creds = prepare_creds();
+		if (!new_creds)
+			return -ENOMEM;
+	}
+
+	tsec = new_creds->security;
+	/* Get label from overlay inode and set it in create_sid */
+	selinux_inode_getsecid(d_inode(src), &sid);
+	tsec->create_sid = sid;
+	*new = new_creds;
+	return 0;
+}
+
 /* file security operations */
 
 static int selinux_revalidate_file_permission(struct file *file, int mask)
@@ -5922,6 +5942,7 @@ static struct security_operations selinux_ops = {
 	.inode_setsecurity =		selinux_inode_setsecurity,
 	.inode_listsecurity =		selinux_inode_listsecurity,
 	.inode_getsecid =		selinux_inode_getsecid,
+	.inode_copy_up =		selinux_inode_copy_up,
 
 	.file_permission =		selinux_file_permission,
 	.file_alloc_security =		selinux_file_alloc_security,