Thanks to visit codestin.com
Credit goes to github.com

Skip to content
This repository was archived by the owner on Sep 24, 2020. It is now read-only.

Rebase changes from the v4.8.11 branch #34

Merged
merged 21 commits into from
Jan 5, 2017
Merged

Rebase changes from the v4.8.11 branch #34

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
21 commits
Select commit Hold shift + click to select a range
d11e6b1
security, overlayfs: provide copy up security hook for unioned files
rhvgoyal Jul 19, 2016
1636c35
selinux: Implementation for inode_copy_up() hook
rhvgoyal Jul 19, 2016
5997ba3
security,overlayfs: Provide security hook for copy up of xattrs for o…
rhvgoyal Jul 19, 2016
b56d9cf
selinux: Implementation for inode_copy_up_xattr() hook
rhvgoyal Jul 19, 2016
ac403de
selinux: Pass security pointer to determine_inode_label()
rhvgoyal Jul 19, 2016
1c6d33c
security, overlayfs: Provide hook to correctly label newly created files
rhvgoyal Jul 19, 2016
0dc3b47
selinux: Implement dentry_create_files_as() hook
rhvgoyal Jul 19, 2016
4d5d28f
Add secure_modules() call
Aug 9, 2013
386785a
PCI: Lock down BAR access when module security is enabled
Mar 8, 2012
fcf2ade
x86: Lock down IO port access when module security is enabled
Mar 8, 2012
8ea1fcb
ACPI: Limit access to custom_method
Mar 9, 2012
30a3b4d
asus-wmi: Restrict debugfs interface when module loading is restricted
Mar 9, 2012
efef5e7
Restrict /dev/mem and /dev/kmem when module loading is restricted
Mar 9, 2012
177ac26
acpi: Ignore acpi_rsdp kernel parameter when module loading is restri…
jwboyer Jun 25, 2012
48b5a95
kexec: Disable at runtime if the kernel enforces module loading restr…
Nov 20, 2015
a301f23
x86: Restrict MSR access when module loading is restricted
Feb 8, 2013
03115eb
Add option to automatically enforce module signatures when in Secure …
Aug 9, 2013
3e2d384
efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
Aug 27, 2013
1c1054b
efi: Add EFI_SECURE_BOOT bit
Aug 27, 2013
5b4d167
hibernate: Disable in a signed modules environment
Jun 20, 2014
624e36c
kbuild: derive relative path for KBUILD_SRC from CURDIR
Nov 25, 2015
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Next Next commit
security, overlayfs: provide copy up security hook for unioned files 
Provide a security hook to label new file correctly when a file is copied
up from lower layer to upper layer of a overlay/union mount.

This hook can prepare a new set of creds which are suitable for new file
creation during copy up. Caller will use new creds to create file and then
revert back to old creds and release new creds.

Signed-off-by: Vivek Goyal <[email protected]>
Acked-by: Stephen Smalley <[email protected]>
  • Loading branch information
@rhvgoyal @crawford
rhvgoyal authored and crawford committed Jan 5, 2017
commit d11e6b12ab72ee6e20a68c57fc9bc15e43488157
15 changes: 15 additions & 0 deletions fs/overlayfs/copy_up.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -260,6 +260,8 @@ static int ovl_copy_up_locked(struct dentry *workdir, struct dentry *upperdir,
struct dentry *upper = NULL;
umode_t mode = stat->mode;
int err;
const struct cred *old_creds = NULL;
struct cred *new_creds = NULL;

newdentry = ovl_lookup_temp(workdir, dentry);
err = PTR_ERR(newdentry);
Expand All @@ -272,10 +274,23 @@ static int ovl_copy_up_locked(struct dentry *workdir, struct dentry *upperdir,
if (IS_ERR(upper))
goto out1;

err = security_inode_copy_up(dentry, &new_creds);
if (err < 0)
goto out2;

if (new_creds)
old_creds = override_creds(new_creds);

/* Can't properly set mode on creation because of the umask */
stat->mode &= S_IFMT;
err = ovl_create_real(wdir, newdentry, stat, link, NULL, true);
stat->mode = mode;

if (new_creds) {
revert_creds(old_creds);
put_cred(new_creds);
}

if (err)
goto out2;

Expand Down
11 changes: 11 additions & 0 deletions include/linux/lsm_hooks.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -401,6 +401,15 @@
* @inode contains a pointer to the inode.
* @secid contains a pointer to the location where result will be saved.
* In case of failure, @secid will be set to zero.
* @inode_copy_up:
* A file is about to be copied up from lower layer to upper layer of
* overlay filesystem. Security module can prepare a set of new creds
* and modify as need be and return new creds. Caller will switch to
* new creds temporarily to create new file and release newly allocated
* creds.
* @src indicates the union dentry of file that is being copied up.
* @new pointer to pointer to return newly allocated creds.
* Returns 0 on success or a negative error code on error.
*
* Security hooks for file operations
*
Expand Down Expand Up @@ -1425,6 +1434,7 @@ union security_list_options {
int (*inode_listsecurity)(struct inode *inode, char *buffer,
size_t buffer_size);
void (*inode_getsecid)(struct inode *inode, u32 *secid);
int (*inode_copy_up) (struct dentry *src, struct cred **new);

int (*file_permission)(struct file *file, int mask);
int (*file_alloc_security)(struct file *file);
Expand Down Expand Up @@ -1696,6 +1706,7 @@ struct security_hook_heads {
struct list_head inode_setsecurity;
struct list_head inode_listsecurity;
struct list_head inode_getsecid;
struct list_head inode_copy_up;
struct list_head file_permission;
struct list_head file_alloc_security;
struct list_head file_free_security;
Expand Down
6 changes: 6 additions & 0 deletions include/linux/security.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -282,6 +282,7 @@ int security_inode_getsecurity(struct inode *inode, const char *name, void **buf
int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags);
int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size);
void security_inode_getsecid(struct inode *inode, u32 *secid);
int security_inode_copy_up(struct dentry *src, struct cred **new);
int security_file_permission(struct file *file, int mask);
int security_file_alloc(struct file *file);
void security_file_free(struct file *file);
Expand Down Expand Up @@ -758,6 +759,11 @@ static inline void security_inode_getsecid(struct inode *inode, u32 *secid)
*secid = 0;
}

static inline int security_inode_copy_up(struct dentry *src, struct cred **new)
{
return 0;
}

static inline int security_file_permission(struct file *file, int mask)
{
return 0;
Expand Down
8 changes: 8 additions & 0 deletions security/security.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -748,6 +748,12 @@ void security_inode_getsecid(struct inode *inode, u32 *secid)
call_void_hook(inode_getsecid, inode, secid);
}

int security_inode_copy_up(struct dentry *src, struct cred **new)
{
return call_int_hook(inode_copy_up, 0, src, new);
}
EXPORT_SYMBOL(security_inode_copy_up);

int security_file_permission(struct file *file, int mask)
{
int ret;
Expand Down Expand Up @@ -1684,6 +1690,8 @@ struct security_hook_heads security_hook_heads = {
LIST_HEAD_INIT(security_hook_heads.inode_listsecurity),
.inode_getsecid =
LIST_HEAD_INIT(security_hook_heads.inode_getsecid),
.inode_copy_up =
LIST_HEAD_INIT(security_hook_heads.inode_copy_up),
.file_permission =
LIST_HEAD_INIT(security_hook_heads.file_permission),
.file_alloc_security =
Expand Down