Subject: Re: [PATCH 2/9] selinux: Implementation for inode_copy_up() hook
To: Vivek Goyal, miklos@szeredi.hu, pmoore@redhat.com, casey@schaufler-ca.com, linux-kernel@vger.kernel.org, linux-unionfs@vger.kernel.org, linux-security-module@vger.kernel.org
References: <1468421095-22322-1-git-send-email-vgoyal@redhat.com> <1468421095-22322-3-git-send-email-vgoyal@redhat.com>
Cc: dwalsh@redhat.com, dhowells@redhat.com, viro@ZenIV.linux.org.uk, linux-fsdevel@vger.kernel.org
From: Stephen Smalley
Organization: National Security Agency
Message-ID: <96e3a1f0-eb87-72c4-5d69-482973a8088f@tycho.nsa.gov>
Date: Wed, 13 Jul 2016 10:53:40 -0400
In-Reply-To: <1468421095-22322-3-git-send-email-vgoyal@redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 07/13/2016 10:44 AM, Vivek Goyal wrote:
> A file is being copied up for overlay file system. Prepare a new set of
> creds and set create_sid appropriately so that new file is created with
> appropriate label.
>
> Overlay inode has right label for both context and non-context mount
> cases. In case of non-context mount, overlay inode will have the label
> of lower file and in case of context mount, overlay inode will have
> the label from context= mount option.
>
> Signed-off-by: Vivek Goyal

Acked-by: Stephen Smalley

> ---
> security/selinux/hooks.c | 21 +++++++++++++++++++++
> 1 file changed, 21 insertions(+)
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index a86d537..c82ee54 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -3270,6 +3270,26 @@ static void selinux_inode_getsecid(struct inode *inode, u32 *secid) > *secid = isec->sid; > } > > +static int selinux_inode_copy_up(struct dentry *src, struct cred **new) > +{ > + u32 sid; > + struct task_security_struct *tsec; > + struct cred *new_creds = *new; > + > + if (new_creds == NULL) { > + new_creds = prepare_creds(); > + if (!new_creds) > + return -ENOMEM; > + } > + > + tsec = new_creds->security; > + /* Get label from overlay inode and set it in create_sid */ > + selinux_inode_getsecid(d_inode(src), &sid); > + tsec->create_sid = sid; > + *new = new_creds; > + return 0; > +} > + > /* file security operations */ > > static int selinux_revalidate_file_permission(struct file *file, int mask) > @@ -6056,6 +6076,7 @@ static struct security_hook_list selinux_hooks[] = { > LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity), > LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity), > LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid), > + LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up), > > LSM_HOOK_INIT(file_permission, selinux_file_permission), > LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security), >
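Review bot: the new selinux_inode_copy_up() copies the overlay inode's SID straight into tsec->create_sid via selinux_inode_getsecid() (which, as the context lines show, just returns isec->sid) with no permission check in between, so the label of the copied-up file rests entirely on the overlay inode already carrying the right SID, i.e. the lower file's label or the context= label as the commit message states. A short comment above the function recording that assumption, and noting that when *new is already non-NULL the hook reuses creds prepared by an earlier caller and only overwrites create_sid, would save the next reader from reconstructing it from the call sites. The failure path is clean: *new is only assigned after prepare_creds() succeeds, so -ENOMEM leaves nothing to free.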