From dd6ed20027b8e3c33bbc8206aea456f68c7fd58c Mon Sep 17 00:00:00 2001 From: Vivek Goyal Date: Thu, 3 Aug 2017 09:10:07 +0800 Subject: [PATCH] security, overlayfs: provide copy up security hook for unioned files Provide a security hook to label new file correctly when a file is copied up from lower layer to upper layer of a overlay/union mount. This hook can prepare a new set of creds which are suitable for new file creation during copy up. Caller will use new creds to create file and then revert back to old creds and release new creds. Signed-off-by: Vivek Goyal Acked-by: Stephen Smalley [PM: whitespace cleanup to appease checkpatch.pl] Signed-off-by: Paul Moore Orabug: 25684456 (backport upstream commit d8ad8b49618410ddeafd78465b63a6cedd6c9484) Signed-off-by: Anand Jain Reviewed-by: James Morris Acked-by: James Morris Conflict fix: include/linux/security.h security/security.c security/capability.c --- fs/overlayfs/copy_up.c | 15 +++++++++++++++ include/linux/security.h | 16 ++++++++++++++++ security/capability.c | 6 ++++++ security/security.c | 6 ++++++ 4 files changed, 43 insertions(+) diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c index 779be609abce..2f149dc68e01 100644 --- a/fs/overlayfs/copy_up.c +++ b/fs/overlayfs/copy_up.c @@ -215,6 +215,8 @@ static int ovl_copy_up_locked(struct dentry *workdir, struct dentry *upperdir, struct dentry *upper = NULL; umode_t mode = stat->mode; int err; + const struct cred *old_creds = NULL; + struct cred *new_creds = NULL; newdentry = ovl_lookup_temp(workdir, dentry); err = PTR_ERR(newdentry); @@ -227,10 +229,23 @@ static int ovl_copy_up_locked(struct dentry *workdir, struct dentry *upperdir, if (IS_ERR(upper)) goto out1; + err = security_inode_copy_up(dentry, &new_creds); + if (err < 0) + goto out2; + + if (new_creds) + old_creds = override_creds(new_creds); + /* Can't properly set mode on creation because of the umask */ stat->mode &= S_IFMT; err = ovl_create_real(wdir, newdentry, stat, link, NULL, true); stat->mode = mode; + + if (new_creds) { + revert_creds(old_creds); + put_cred(new_creds); + } + if (err) goto out2; diff --git a/include/linux/security.h b/include/linux/security.h index 00b7bbf2311e..3a32ec884ba2 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -562,6 +562,15 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts) * @inode contains a pointer to the inode. * @secid contains a pointer to the location where result will be saved. * In case of failure, @secid will be set to zero. + * @inode_copy_up: + * A file is about to be copied up from lower layer to upper layer of + * overlay filesystem. Security module can prepare a set of new creds + * and modify as need be and return new creds. Caller will switch to + * new creds temporarily to create new file and release newly allocated + * creds. + * @src indicates the union dentry of file that is being copied up. + * @new pointer to pointer to return newly allocated creds. + * Returns 0 on success or a negative error code on error. * * Security hooks for file operations * @@ -1570,6 +1579,7 @@ struct security_operations { int (*inode_setsecurity) (struct inode *inode, const char *name, const void *value, size_t size, int flags); int (*inode_listsecurity) (struct inode *inode, char *buffer, size_t buffer_size); void (*inode_getsecid) (const struct inode *inode, u32 *secid); + int (*inode_copy_up)(struct dentry *src, struct cred **new); int (*file_permission) (struct file *file, int mask); int (*file_alloc_security) (struct file *file); @@ -1856,6 +1866,7 @@ int security_inode_getsecurity(const struct inode *inode, const char *name, void int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags); int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size); void security_inode_getsecid(const struct inode *inode, u32 *secid); +int security_inode_copy_up(struct dentry *src, struct cred **new); int security_file_permission(struct file *file, int mask); int security_file_alloc(struct file *file); void security_file_free(struct file *file); @@ -2320,6 +2331,11 @@ static inline void security_inode_getsecid(const struct inode *inode, u32 *secid *secid = 0; } +static inline int security_inode_copy_up(struct dentry *src, struct cred **new) +{ + return 0; +} + static inline int security_file_permission(struct file *file, int mask) { return 0; diff --git a/security/capability.c b/security/capability.c index 0d03fcc489a4..359fd2f30130 100644 --- a/security/capability.c +++ b/security/capability.c @@ -268,6 +268,11 @@ static void cap_inode_getsecid(const struct inode *inode, u32 *secid) *secid = 0; } +static int cap_inode_copy_up(struct dentry *src, struct cred **new) +{ + return 0; +} + #ifdef CONFIG_SECURITY_PATH static int cap_path_mknod(struct path *dir, struct dentry *dentry, umode_t mode, unsigned int dev) @@ -1008,6 +1013,7 @@ void __init security_fixup_ops(struct security_operations *ops) set_to_cap_if_null(ops, inode_setsecurity); set_to_cap_if_null(ops, inode_listsecurity); set_to_cap_if_null(ops, inode_getsecid); + set_to_cap_if_null(ops, inode_copy_up); #ifdef CONFIG_SECURITY_PATH set_to_cap_if_null(ops, path_mknod); set_to_cap_if_null(ops, path_mkdir); diff --git a/security/security.c b/security/security.c index 391496b0c877..85bf122235dc 100644 --- a/security/security.c +++ b/security/security.c @@ -706,6 +706,12 @@ void security_inode_getsecid(const struct inode *inode, u32 *secid) security_ops->inode_getsecid(inode, secid); } +int security_inode_copy_up(struct dentry *src, struct cred **new) +{ + security_ops->inode_copy_up(src, new); +} +EXPORT_SYMBOL(security_inode_copy_up); + int security_file_permission(struct file *file, int mask) { int ret; -- 2.50.1