Two patches that improve inode attribute initialization.
-----BEGIN PGP SIGNATURE----- iQJLBAABCAA1FiEEC+9tH1YyUwIQzUIeOKUVfIxDyBEFAmSa9X8XHGNhc2V5QHNj aGF1Zmxlci1jYS5jb20ACgkQOKUVfIxDyBFVXRAAuxSLzbFmkWwm89tOK5YJRgnC xbnfqsG8/z2YRRbpg2pjcod4wvcBUjwLwg/Y727iWHqxD8/dXaZRyoIcxnWJsVCX tCq6puL3XF8NQKSyggMYGvNPYsWgOcHoypGbCmLDcS135GFy2redd6pEAgIokg5r XJbRBpmcEiQUUOqwB/gSU29EiVFMYxEmLTPnzxGz6UwU4WTq0oUicpNBIc3znozv hQjx7VFxMNDEv3bQupR/gI09MiYWOZGChluyyegyuW5FGTn7OfCcfXsqpP0/eqLg OA9JCO9scnsfss8mhO30qQmPFfh1HTbm/dN96TsRPzz9IzTCTALDx1PzbgwQeqZb vCeA9eucsxiUWCyNWs+Q1QM0RR7mBsSoyZc4IxJ61R9ee4uYuliBX0ipiX8gHwBK 6HNaSDwR/gvwbQBTqXic0OV7c1IlZIQLRSbMUNi/6a3AZNkIZvLRkvo+1taKW+2Z VYZekvSJl0NU4a/AfYCQUFXAgga93QlegZ0AgKg5YNX9hyWblyau8Owg6DkimM6E grbqQ706BoEuFC3xrxHMs2rMQM7G4i9NPjmUyAMCMOJFqeUqdemPCmoGMXG9G6Yk F6/YC76Y+y/plLnDdqyLpTyLVmwtXYz8aWFtYHVddCOW2Um3mU1tG7sA8q8C3hxg 0mUQKznynvk92kOFT7w= =KtxS -----END PGP SIGNATURE----- Merge tag 'Smack-for-6.5' of https://github.com/cschaufler/smack-next Pull smack updates from Casey Schaufler: "There are two patches, both of which change how Smack initializes the SMACK64TRANSMUTE extended attribute. The first corrects the behavior of overlayfs, which creates inodes differently from other filesystems. The second ensures that transmute attributes specified by mount options are correctly assigned" * tag 'Smack-for-6.5' of https://github.com/cschaufler/smack-next: smack: Record transmuting in smk_transmuted smack: Retrieve transmuting information in smack_inode_getsecurity()
@ -120,6 +120,7 @@ struct inode_smack {
|
||||
struct task_smack {
|
||||
struct smack_known *smk_task; /* label for access control */
|
||||
struct smack_known *smk_forked; /* label when forked */
|
||||
struct smack_known *smk_transmuted;/* label when transmuted */
|
||||
struct list_head smk_rules; /* per task access rules */
|
||||
struct mutex smk_rules_lock; /* lock for the rules */
|
||||
struct list_head smk_relabel; /* transit allowed labels */
|
||||
|
@ -933,8 +933,9 @@ static int smack_inode_init_security(struct inode *inode, struct inode *dir,
|
||||
const struct qstr *qstr, const char **name,
|
||||
void **value, size_t *len)
|
||||
{
|
||||
struct task_smack *tsp = smack_cred(current_cred());
|
||||
struct inode_smack *issp = smack_inode(inode);
|
||||
struct smack_known *skp = smk_of_current();
|
||||
struct smack_known *skp = smk_of_task(tsp);
|
||||
struct smack_known *isp = smk_of_inode(inode);
|
||||
struct smack_known *dsp = smk_of_inode(dir);
|
||||
int may;
|
||||
@ -943,20 +944,34 @@ static int smack_inode_init_security(struct inode *inode, struct inode *dir,
|
||||
*name = XATTR_SMACK_SUFFIX;
|
||||
|
||||
if (value && len) {
|
||||
rcu_read_lock();
|
||||
may = smk_access_entry(skp->smk_known, dsp->smk_known,
|
||||
&skp->smk_rules);
|
||||
rcu_read_unlock();
|
||||
/*
|
||||
* If equal, transmuting already occurred in
|
||||
* smack_dentry_create_files_as(). No need to check again.
|
||||
*/
|
||||
if (tsp->smk_task != tsp->smk_transmuted) {
|
||||
rcu_read_lock();
|
||||
may = smk_access_entry(skp->smk_known, dsp->smk_known,
|
||||
&skp->smk_rules);
|
||||
rcu_read_unlock();
|
||||
}
|
||||
|
||||
/*
|
||||
* If the access rule allows transmutation and
|
||||
* the directory requests transmutation then
|
||||
* by all means transmute.
|
||||
* In addition to having smk_task equal to smk_transmuted,
|
||||
* if the access rule allows transmutation and the directory
|
||||
* requests transmutation then by all means transmute.
|
||||
* Mark the inode as changed.
|
||||
*/
|
||||
if (may > 0 && ((may & MAY_TRANSMUTE) != 0) &&
|
||||
smk_inode_transmutable(dir)) {
|
||||
isp = dsp;
|
||||
if ((tsp->smk_task == tsp->smk_transmuted) ||
|
||||
(may > 0 && ((may & MAY_TRANSMUTE) != 0) &&
|
||||
smk_inode_transmutable(dir))) {
|
||||
/*
|
||||
* The caller of smack_dentry_create_files_as()
|
||||
* should have overridden the current cred, so the
|
||||
* inode label was already set correctly in
|
||||
* smack_inode_alloc_security().
|
||||
*/
|
||||
if (tsp->smk_task != tsp->smk_transmuted)
|
||||
isp = dsp;
|
||||
issp->smk_flags |= SMK_INODE_CHANGED;
|
||||
}
|
||||
|
||||
@ -1463,10 +1478,19 @@ static int smack_inode_getsecurity(struct mnt_idmap *idmap,
|
||||
struct super_block *sbp;
|
||||
struct inode *ip = inode;
|
||||
struct smack_known *isp;
|
||||
struct inode_smack *ispp;
|
||||
size_t label_len;
|
||||
char *label = NULL;
|
||||
|
||||
if (strcmp(name, XATTR_SMACK_SUFFIX) == 0)
|
||||
if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) {
|
||||
isp = smk_of_inode(inode);
|
||||
else {
|
||||
} else if (strcmp(name, XATTR_SMACK_TRANSMUTE) == 0) {
|
||||
ispp = smack_inode(inode);
|
||||
if (ispp->smk_flags & SMK_INODE_TRANSMUTE)
|
||||
label = TRANS_TRUE;
|
||||
else
|
||||
label = "";
|
||||
} else {
|
||||
/*
|
||||
* The rest of the Smack xattrs are only on sockets.
|
||||
*/
|
||||
@ -1488,13 +1512,18 @@ static int smack_inode_getsecurity(struct mnt_idmap *idmap,
|
||||
return -EOPNOTSUPP;
|
||||
}
|
||||
|
||||
if (!label)
|
||||
label = isp->smk_known;
|
||||
|
||||
label_len = strlen(label);
|
||||
|
||||
if (alloc) {
|
||||
*buffer = kstrdup(isp->smk_known, GFP_KERNEL);
|
||||
*buffer = kstrdup(label, GFP_KERNEL);
|
||||
if (*buffer == NULL)
|
||||
return -ENOMEM;
|
||||
}
|
||||
|
||||
return strlen(isp->smk_known);
|
||||
return label_len;
|
||||
}
|
||||
|
||||
|
||||
@ -4753,8 +4782,10 @@ static int smack_dentry_create_files_as(struct dentry *dentry, int mode,
|
||||
* providing access is transmuting use the containing
|
||||
* directory label instead of the process label.
|
||||
*/
|
||||
if (may > 0 && (may & MAY_TRANSMUTE))
|
||||
if (may > 0 && (may & MAY_TRANSMUTE)) {
|
||||
ntsp->smk_task = isp->smk_inode;
|
||||
ntsp->smk_transmuted = ntsp->smk_task;
|
||||
}
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
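Review bot: In smack_inode_init_security the new condition `if ((tsp->smk_task == tsp->smk_transmuted) || (may > 0 && ((may & MAY_TRANSMUTE) != 0) && smk_inode_transmutable(dir)))` reads `may` only when its first operand is false, which is exactly the case in which the preceding `if (tsp->smk_task != tsp->smk_transmuted)` block assigns it, and `may` is declared without an initializer (`int may;` in the first smack_lsm.c hunk), so correctness now hinges on `||` short-circuiting and on the two predicates staying identical. A future reorder of either condition would read an indeterminate value, and some compiler versions may already flag this with -Wmaybe-uninitialized; initializing it as `int may = 0;` makes the no-access default explicit at no cost, since `may > 0` then fails cleanly. Separately, in smack_inode_getsecurity the non-transmuting directory case now reports a present, zero-length SMACK64TRANSMUTE value (`label = ""`, returning a `label_len` of 0) instead of an error such as -ENODATA, so the attribute appears to exist on every inode; worth confirming that overlayfs copy-up and userspace xattr tools tolerate an empty value there. The bodies of both functions extend beyond their hunks.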