linux-security-module.vger.kernel.org archive mirror
* [PATCH 1/1] Smack:- Use overlay inode label in smack_inode_copy_up()
       [not found] <CGME20210917073827epcas5p11a811c82ba4c748de3923a62f51250ed@epcas5p1.samsung.com>
@ 2021-09-17  7:38 ` Vishal Goel
  2021-09-17 16:32   ` Casey Schaufler
       [not found]   ` <CGME20210917073827epcas5p11a811c82ba4c748de3923a62f51250ed@epcms5p7>
  0 siblings, 2 replies; 3+ messages in thread
From: Vishal Goel @ 2021-09-17  7:38 UTC (permalink / raw)
  To: casey, linux-security-module, linux-kernel
  Cc: a.sahrawat, v.narang, Vishal Goel

Currently, in the "smack_inode_copy_up()" function, the process label is
replaced with the label on the parent inode. Due to this, the
process is assigned the directory label, and whatever files or directories
are created by the process also get the directory label,
which is the wrong label.

Changes have been made to use the label of the overlay inode instead
of the parent inode.

Signed-off-by: Vishal Goel <vishal.goel@samsung.com>
---
 security/smack/smack_lsm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index cacbe7518..91e50e5cb 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -4634,7 +4634,7 @@ static int smack_inode_copy_up(struct dentry *dentry, struct cred **new)
 	/*
 	 * Get label from overlay inode and set it in create_sid
 	 */
-	isp = smack_inode(d_inode(dentry->d_parent));
+	isp = smack_inode(d_inode(dentry));
 	skp = isp->smk_inode;
 	tsp->smk_task = skp;
 	*new = new_creds;
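
Review bot: the context comment above the changed line still says the label is set "in create_sid", but the code that follows assigns it to `tsp->smk_task`, and nothing named create_sid appears in the visible lines of this function. Since the patch corrects which inode the label is taken from, the comment should be updated in the same change, for example to "Get label from overlay inode and set it as the task label of the new creds", so that it matches both `isp = smack_inode(d_inode(dentry));` and the assignment two lines below it.
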
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH 1/1] Smack:- Use overlay inode label in smack_inode_copy_up()
  2021-09-17  7:38 ` [PATCH 1/1] Smack:- Use overlay inode label in smack_inode_copy_up() Vishal Goel
@ 2021-09-17 16:32   ` Casey Schaufler
       [not found]   ` <CGME20210917073827epcas5p11a811c82ba4c748de3923a62f51250ed@epcms5p7>
  1 sibling, 0 replies; 3+ messages in thread
From: Casey Schaufler @ 2021-09-17 16:32 UTC (permalink / raw)
  To: Vishal Goel, linux-security-module, linux-kernel
  Cc: a.sahrawat, v.narang, Casey Schaufler

On 9/17/2021 12:38 AM, Vishal Goel wrote:
> Currently, in the "smack_inode_copy_up()" function, the process label is
> replaced with the label on the parent inode. Due to this, the
> process is assigned the directory label, and whatever files or directories
> are created by the process also get the directory label,
> which is the wrong label.
>
> Changes have been made to use the label of the overlay inode instead
> of the parent inode.

Do you have a test case for this change?

>
> Signed-off-by: Vishal Goel <vishal.goel@samsung.com>
> ---
>  security/smack/smack_lsm.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> index cacbe7518..91e50e5cb 100644
> --- a/security/smack/smack_lsm.c
> +++ b/security/smack/smack_lsm.c
> @@ -4634,7 +4634,7 @@ static int smack_inode_copy_up(struct dentry *dentry, struct cred **new)
>  	/*
>  	 * Get label from overlay inode and set it in create_sid
>  	 */
> -	isp = smack_inode(d_inode(dentry->d_parent));
> +	isp = smack_inode(d_inode(dentry));
>  	skp = isp->smk_inode;
>  	tsp->smk_task = skp;
>  	*new = new_creds;
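
Review bot: the switch from `d_inode(dentry->d_parent)` to `d_inode(dentry)` is justified in the changelog only by its symptom, with no reproduction and no before/after labels. The changelog should record how the wrong label was observed (the paths involved and the label seen on them before and after copy-up), and a Fixes: tag naming the commit that introduced the `d_parent` lookup would make the change easier to assess for backporting.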

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH 1/1] Smack:- Use overlay inode label in smack_inode_copy_up()
       [not found]     ` <20210920080838epcms5p7c2fb342f36db245b350ebda639e4542a@epcms5p7>
@ 2021-09-20 14:55       ` Casey Schaufler
  0 siblings, 0 replies; 3+ messages in thread
From: Casey Schaufler @ 2021-09-20 14:55 UTC (permalink / raw)
  To: vishal.goel, linux-security-module, linux-kernel
  Cc: AMIT SAHRAWAT, Vaneet Narang, Casey Schaufler


On 9/20/2021 1:08 AM, Vishal Goel wrote:
>
> Hi,
>
>  
>
> Please find below the test binary code and steps to reproduce:-
>
Excellent. I'll verify the correction, and if all seems sane, include it
for 5.16. Thank you.

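> #include <fcntl.h>
> #include <stdio.h>
> #include <stdlib.h>
> #include <sys/stat.h>
> #include <unistd.h>
>
> int main(void)
> {
>         int fd, pid;
>         char cmd[50];
>
>         /* Print the Smack label of this process */
>         pid = getpid();
>         snprintf(cmd, sizeof(cmd), "cat /proc/%d/attr/current", pid);
>         system(cmd);
>         /* Create a file on the overlay mount; this triggers the copy-up */
>         fd = open("/test_dir/smack_test/tmp/test_file", O_CREAT | O_RDWR, S_IWUSR | S_IRUSR);
>
>         if (fd != -1) {
>                 close(fd);
>         }
>         return 0;
> }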
>
> *Steps:-*
>
> ####### Check default smack labels on files/directories present in the image
> ~$ chsmack /test_dir/smack_test/                                                                                                                                                         
> /test_dir/smack_test/ access="!"
>
> ~$ chsmack /test_dir/smack_test/tmp/                                                                                                                                                  
> /test_dir/smack_test/tmp/ access="_"
>
>  
>
>
> ####### Flash the image on target/board and reboot
>
> sh-3.2# mount | grep overlay                                                                                                                                                              
> overlay on / type overlay (rw,relatime,lowerdir=/,upperdir=/opt/overlay/upperdir,workdir=/opt/overlay/workdir)
>
>  
>
> ####### Check the smack labels
>
> sh-3.2# chsmack /test_dir/smack_test/
> /test_dir/smack_test/ access="!"
> sh-3.2# chsmack /test_dir/smack_test/tmp
> /test_dir/smack_test/tmp access="_"                      ====> Same label is present
>
>  
>
> ####### Run test binary to create a new file under "/test_dir/smack_test/tmp" directory
>
> During inode creation, the smack_inode_copy_up() function is called for each of the directories present in the path.
> After that, "smack_inode_init_security()" is called to initialize the corresponding overlay inode entry.
> During initialization of "tmp", the parent inode label is used, which is "!" in this case.
>
>  
>
> sh-3.2# ./test_bin
> Test_Label                                                        ===> Process label
>  
>
> ####### Reboot the target/board
>
> sh-3.2# chsmack /test_dir/smack_test/                                                                                                                                                         
> /test_dir/smack_test/ access="!"
>
> sh-3.2# chsmack /test_dir/smack_test/tmp/                                                                                                                                                  
> /test_dir/smack_test/tmp/ access="!"                    ====> Label has been changed from "!" to "_"
>
>  
>
> Thanks & Regards
>
> Vishal Goel
>
> --------- *Original Message* ---------
>
> *Sender* : Casey Schaufler <casey@schaufler-ca.com>
>
> *Date* : 2021-09-18 01:32 (GMT+9)
>
> *Title* : Re: [PATCH 1/1] Smack:- Use overlay inode label in smack_inode_copy_up()
>
>  
>
> On 9/17/2021 12:38 AM, Vishal Goel wrote:
> > Currently, in the "smack_inode_copy_up()" function, the process label is
> > replaced with the label on the parent inode. Due to this, the
> > process is assigned the directory label, and whatever files or directories
> > are created by the process also get the directory label,
> > which is the wrong label.
> >
> > Changes have been made to use the label of the overlay inode instead
> > of the parent inode.
>
> Do you have a test case for this change?
>
> >
> > Signed-off-by: Vishal Goel <vishal.goel@samsung.com>
> > ---
> >  security/smack/smack_lsm.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> > index cacbe7518..91e50e5cb 100644
> > --- a/security/smack/smack_lsm.c
> > +++ b/security/smack/smack_lsm.c
> > @@ -4634,7 +4634,7 @@ static int smack_inode_copy_up(struct dentry *dentry, struct cred **new)
> >  	/*
> >  	 * Get label from overlay inode and set it in create_sid
> >  	 */
> > -	isp = smack_inode(d_inode(dentry->d_parent));
> > +	isp = smack_inode(d_inode(dentry));
> >  	skp = isp->smk_inode;
> >  	tsp->smk_task = skp;
> >  	*new = new_creds;
>

^ permalink raw reply	[flat|nested] 3+ messages in thread
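
The reproduction steps in the message above compare `chsmack` output by eye before and after the copy-up. As an added example (not part of the thread or of the Smack sources), the same comparison can be scripted as a regression check; the function names `label_of` and `label_drift` are hypothetical, and the two snapshots are constructed from the `chsmack` output quoted in the thread.

```shell
#!/bin/sh
# Added example: detect Smack label drift between two saved chsmack snapshots.

# label_of SNAPSHOT PATH: print the access label recorded for PATH.
label_of() {
    awk -v want="${2%/}" '
        { path = $1; sub(/\/$/, "", path) }   # ignore a trailing slash
        path == want && match($0, /access="[^"]*"/) {
            print substr($0, RSTART + 8, RLENGTH - 9)   # text between the quotes
            exit
        }' "$1"
}

# label_drift BEFORE AFTER PATH...: list paths whose label differs.
# Returns 1 if any label changed, 0 otherwise.
label_drift() {
    before=$1; after=$2; shift 2
    rc=0
    for p in "$@"; do
        b=$(label_of "$before" "$p")
        a=$(label_of "$after" "$p")
        if [ "$b" != "$a" ]; then
            printf '%s: "%s" -> "%s"\n' "$p" "$b" "$a"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed snapshots: label lines as quoted in the thread, before running
# the test binary and after the subsequent reboot on an unpatched kernel.
SNAP_DIR=$(mktemp -d)
cat > "$SNAP_DIR/before" <<'EOF'
/test_dir/smack_test/ access="!"
/test_dir/smack_test/tmp access="_"
EOF
cat > "$SNAP_DIR/after" <<'EOF'
/test_dir/smack_test/ access="!"
/test_dir/smack_test/tmp/ access="!"
EOF

label_drift "$SNAP_DIR/before" "$SNAP_DIR/after" \
    /test_dir/smack_test /test_dir/smack_test/tmp || echo "label drift detected"
```

With the fix applied, the second snapshot should show no drift and `label_drift` returns 0.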

end of thread, other threads:[~2021-09-20 14:55 UTC | newest]
