Minki/linux
1
0
Fork 1
mirror of https://github.com/torvalds/linux.git synced 2024-09-20 23:13:00 +00:00
Code Issues Packages Projects Releases Wiki Activity

evm: Pass user namespace to set/remove xattr hooks

Browse Source 
In preparation for 'evm: Allow setxattr() and setattr() for unmodified
metadata', this patch passes mnt_userns to the inode set/remove xattr hooks
so that the GID of the inode on an idmapped mount is correctly determined
by posix_acl_update_mode().

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Reviewed-by: Christian Brauner <christian.brauner@ubuntu.com>
Cc: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
This commit is contained in:
Roberto Sassu 2021-05-14 17:27:48 +02:00 committed by Mimi Zohar
parent cdef685be5
commit 7e135dc725
3 changed files with 21 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
include/linux/evm.h
View File

@ -23,13 +23,15 @@ extern enum integrity_status evm_verifyxattr(struct dentry *dentry,
struct integrity_iint_cache *iint); struct integrity_iint_cache *iint);
extern int evm_inode_setattr(struct dentry *dentry, struct iattr *attr); extern int evm_inode_setattr(struct dentry *dentry, struct iattr *attr);
extern void evm_inode_post_setattr(struct dentry *dentry, int ia_valid); extern void evm_inode_post_setattr(struct dentry *dentry, int ia_valid);
extern int evm_inode_setxattr(struct dentry *dentry, const char *name, extern int evm_inode_setxattr(struct user_namespace *mnt_userns,
struct dentry *dentry, const char *name,
const void *value, size_t size); const void *value, size_t size);
extern void evm_inode_post_setxattr(struct dentry *dentry, extern void evm_inode_post_setxattr(struct dentry *dentry,
const char *xattr_name, const char *xattr_name,
const void *xattr_value, const void *xattr_value,
size_t xattr_value_len); size_t xattr_value_len);
extern int evm_inode_removexattr(struct dentry *dentry, const char *xattr_name); extern int evm_inode_removexattr(struct user_namespace *mnt_userns,
struct dentry *dentry, const char *xattr_name);
extern void evm_inode_post_removexattr(struct dentry *dentry, extern void evm_inode_post_removexattr(struct dentry *dentry,
const char *xattr_name); const char *xattr_name);
extern int evm_inode_init_security(struct inode *inode, extern int evm_inode_init_security(struct inode *inode,
@ -72,7 +74,8 @@ static inline void evm_inode_post_setattr(struct dentry *dentry, int ia_valid)
return; return;
} }
static inline int evm_inode_setxattr(struct dentry *dentry, const char *name, static inline int evm_inode_setxattr(struct user_namespace *mnt_userns,
struct dentry *dentry, const char *name,
const void *value, size_t size) const void *value, size_t size)
{ {
return 0; return 0;
@ -86,7 +89,8 @@ static inline void evm_inode_post_setxattr(struct dentry *dentry,
return; return;
} }
static inline int evm_inode_removexattr(struct dentry *dentry, static inline int evm_inode_removexattr(struct user_namespace *mnt_userns,
struct dentry *dentry,
const char *xattr_name) const char *xattr_name)
{ {
return 0; return 0;

17
security/integrity/evm/evm_main.c
View File

@ -342,7 +342,8 @@ static enum integrity_status evm_verify_current_integrity(struct dentry *dentry)
* For posix xattr acls only, permit security.evm, even if it currently * For posix xattr acls only, permit security.evm, even if it currently
* doesn't exist, to be updated unless the EVM signature is immutable. * doesn't exist, to be updated unless the EVM signature is immutable.
*/ */
static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name, static int evm_protect_xattr(struct user_namespace *mnt_userns,
struct dentry *dentry, const char *xattr_name,
const void *xattr_value, size_t xattr_value_len) const void *xattr_value, size_t xattr_value_len)
{ {
enum integrity_status evm_status; enum integrity_status evm_status;
@ -406,6 +407,7 @@ out:
/** /**
* evm_inode_setxattr - protect the EVM extended attribute * evm_inode_setxattr - protect the EVM extended attribute
* @mnt_userns: user namespace of the idmapped mount
* @dentry: pointer to the affected dentry * @dentry: pointer to the affected dentry
* @xattr_name: pointer to the affected extended attribute name * @xattr_name: pointer to the affected extended attribute name
* @xattr_value: pointer to the new extended attribute value * @xattr_value: pointer to the new extended attribute value
@ -417,8 +419,9 @@ out:
* userspace from writing HMAC value. Writing 'security.evm' requires * userspace from writing HMAC value. Writing 'security.evm' requires
* requires CAP_SYS_ADMIN privileges. * requires CAP_SYS_ADMIN privileges.
*/ */
int evm_inode_setxattr(struct dentry *dentry, const char *xattr_name, int evm_inode_setxattr(struct user_namespace *mnt_userns, struct dentry *dentry,
const void *xattr_value, size_t xattr_value_len) const char *xattr_name, const void *xattr_value,
size_t xattr_value_len)
{ {
const struct evm_ima_xattr_data *xattr_data = xattr_value; const struct evm_ima_xattr_data *xattr_data = xattr_value;
@ -435,19 +438,21 @@ int evm_inode_setxattr(struct dentry *dentry, const char *xattr_name,
xattr_data->type != EVM_XATTR_PORTABLE_DIGSIG) xattr_data->type != EVM_XATTR_PORTABLE_DIGSIG)
return -EPERM; return -EPERM;
} }
return evm_protect_xattr(dentry, xattr_name, xattr_value, return evm_protect_xattr(mnt_userns, dentry, xattr_name, xattr_value,
xattr_value_len); xattr_value_len);
} }
/** /**
* evm_inode_removexattr - protect the EVM extended attribute * evm_inode_removexattr - protect the EVM extended attribute
* @mnt_userns: user namespace of the idmapped mount
* @dentry: pointer to the affected dentry * @dentry: pointer to the affected dentry
* @xattr_name: pointer to the affected extended attribute name * @xattr_name: pointer to the affected extended attribute name
* *
* Removing 'security.evm' requires CAP_SYS_ADMIN privileges and that * Removing 'security.evm' requires CAP_SYS_ADMIN privileges and that
* the current value is valid. * the current value is valid.
*/ */
int evm_inode_removexattr(struct dentry *dentry, const char *xattr_name) int evm_inode_removexattr(struct user_namespace *mnt_userns,
struct dentry *dentry, const char *xattr_name)
{ {
/* Policy permits modification of the protected xattrs even though /* Policy permits modification of the protected xattrs even though
* there's no HMAC key loaded * there's no HMAC key loaded
@ -455,7 +460,7 @@ int evm_inode_removexattr(struct dentry *dentry, const char *xattr_name)
if (evm_initialized & EVM_ALLOW_METADATA_WRITES) if (evm_initialized & EVM_ALLOW_METADATA_WRITES)
return 0; return 0;
return evm_protect_xattr(dentry, xattr_name, NULL, 0); return evm_protect_xattr(mnt_userns, dentry, xattr_name, NULL, 0);
} }
static void evm_reset_status(struct inode *inode) static void evm_reset_status(struct inode *inode)

4
security/security.c
View File

@ -1354,7 +1354,7 @@ int security_inode_setxattr(struct user_namespace *mnt_userns,
ret = ima_inode_setxattr(dentry, name, value, size); ret = ima_inode_setxattr(dentry, name, value, size);
if (ret) if (ret)
return ret; return ret;
return evm_inode_setxattr(dentry, name, value, size); return evm_inode_setxattr(mnt_userns, dentry, name, value, size);
} }
void security_inode_post_setxattr(struct dentry *dentry, const char *name, void security_inode_post_setxattr(struct dentry *dentry, const char *name,
@ -1399,7 +1399,7 @@ int security_inode_removexattr(struct user_namespace *mnt_userns,
ret = ima_inode_removexattr(dentry, name); ret = ima_inode_removexattr(dentry, name);
if (ret) if (ret)
return ret; return ret;
return evm_inode_removexattr(dentry, name); return evm_inode_removexattr(mnt_userns, dentry, name);
} }
int security_inode_need_killpriv(struct dentry *dentry) int security_inode_need_killpriv(struct dentry *dentry)