From 1a93a6eac32a2853177f10e274b9b761b42356eb Mon Sep 17 00:00:00 2001

From: Javier Martinez Canillas <javier@osg.samsung.com>

Date: Mon, 8 Aug 2016 13:08:25 -0400

Subject: [PATCH 01/10] security: Use IS_ENABLED() instead of checking for

 built-in or module

The IS_ENABLED() macro checks if a Kconfig symbol has been enabled

either built-in or as a module, use that macro instead of open coding

the same.

Signed-off-by: Javier Martinez Canillas <javier@osg.samsung.com>

Acked-by: Casey Schaufler <casey@schaufler-ca.com>

Signed-off-by: Paul Moore <paul@paul-moore.com>

---

 security/lsm_audit.c             |  2 +-

 security/selinux/hooks.c         | 12 ++++++------

 security/smack/smack_netfilter.c |  4 ++--

 3 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/security/lsm_audit.c b/security/lsm_audit.c

index cccbf30..5369036 100644

--- a/security/lsm_audit.c

+++ b/security/lsm_audit.c

@@ -99,7 +99,7 @@ int ipv4_skb_to_auditdata(struct sk_buff *skb,

 	}

 	return ret;

 }

-#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)

+#if IS_ENABLED(CONFIG_IPV6)

 /**

  * ipv6_skb_to_auditdata : fill auditdata from skb

  * @skb : the skb

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c

index 13185a6..880f953 100644

--- a/security/selinux/hooks.c

+++ b/security/selinux/hooks.c

@@ -3984,7 +3984,7 @@ out:

 	return ret;

 }

-#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)

+#if IS_ENABLED(CONFIG_IPV6)

 /* Returns error only if unable to parse addresses */

 static int selinux_parse_skb_ipv6(struct sk_buff *skb,

@@ -4075,7 +4075,7 @@ static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,

 				       &ad->u.net->v4info.daddr);

 		goto okay;

-#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)

+#if IS_ENABLED(CONFIG_IPV6)

 	case PF_INET6:

 		ret = selinux_parse_skb_ipv6(skb, ad, proto);

 		if (ret)

@@ -5029,7 +5029,7 @@ static unsigned int selinux_ipv4_forward(void *priv,

 	return selinux_ip_forward(skb, state->in, PF_INET);

 }

-#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)

+#if IS_ENABLED(CONFIG_IPV6)

 static unsigned int selinux_ipv6_forward(void *priv,

 					 struct sk_buff *skb,

 					 const struct nf_hook_state *state)

@@ -5087,7 +5087,7 @@ static unsigned int selinux_ipv4_output(void *priv,

 	return selinux_ip_output(skb, PF_INET);

 }

-#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)

+#if IS_ENABLED(CONFIG_IPV6)

 static unsigned int selinux_ipv6_output(void *priv,

 					struct sk_buff *skb,

 					const struct nf_hook_state *state)

@@ -5273,7 +5273,7 @@ static unsigned int selinux_ipv4_postroute(void *priv,

 	return selinux_ip_postroute(skb, state->out, PF_INET);

 }

-#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)

+#if IS_ENABLED(CONFIG_IPV6)

 static unsigned int selinux_ipv6_postroute(void *priv,

 					   struct sk_buff *skb,

 					   const struct nf_hook_state *state)

@@ -6317,7 +6317,7 @@ static struct nf_hook_ops selinux_nf_ops[] = {

 		.hooknum =	NF_INET_LOCAL_OUT,

 		.priority =	NF_IP_PRI_SELINUX_FIRST,

 	},

-#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)

+#if IS_ENABLED(CONFIG_IPV6)

 	{

 		.hook =		selinux_ipv6_postroute,

 		.pf =		NFPROTO_IPV6,

diff --git a/security/smack/smack_netfilter.c b/security/smack/smack_netfilter.c

index aa6bf1b..205b785 100644

--- a/security/smack/smack_netfilter.c

+++ b/security/smack/smack_netfilter.c

@@ -20,7 +20,7 @@

 #include <net/inet_sock.h>

 #include "smack.h"

-#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)

+#if IS_ENABLED(CONFIG_IPV6)

 static unsigned int smack_ipv6_output(void *priv,

 					struct sk_buff *skb,

@@ -64,7 +64,7 @@ static struct nf_hook_ops smack_nf_ops[] = {

 		.hooknum =	NF_INET_LOCAL_OUT,

 		.priority =	NF_IP_PRI_SELINUX_FIRST,

 	},

-#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)

+#if IS_ENABLED(CONFIG_IPV6)

 	{

 		.hook =		smack_ipv6_output,

 		.pf =		NFPROTO_IPV6,

-- 

2.7.4

From 8b31f456c72e53ee97474a538bcd91bfb1b93fb7 Mon Sep 17 00:00:00 2001

From: William Roberts <william.c.roberts@intel.com>

Date: Mon, 8 Aug 2016 13:08:34 -0400

Subject: [PATCH 02/10] selinux: print leading 0x on ioctlcmd audits

ioctlcmd is currently printing hex numbers, but their is no leading

0x. Thus things like ioctlcmd=1234 are misleading, as the base is

not evident.

Correct this by adding 0x as a prefix, so ioctlcmd=1234 becomes

ioctlcmd=0x1234.

Signed-off-by: William Roberts <william.c.roberts@intel.com>

Signed-off-by: Paul Moore <paul@paul-moore.com>

---

 security/lsm_audit.c | 2 +-

 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/lsm_audit.c b/security/lsm_audit.c

index 5369036..9bf8518 100644

--- a/security/lsm_audit.c

+++ b/security/lsm_audit.c

@@ -257,7 +257,7 @@ static void dump_common_audit_data(struct audit_buffer *ab,

 			audit_log_format(ab, " ino=%lu", inode->i_ino);

 		}

-		audit_log_format(ab, " ioctlcmd=%hx", a->u.op->cmd);

+		audit_log_format(ab, " ioctlcmd=0x%hx", a->u.op->cmd);

 		break;

 	}

 	case LSM_AUDIT_DATA_DENTRY: {

-- 

2.7.4

From d8ad8b49618410ddeafd78465b63a6cedd6c9484 Mon Sep 17 00:00:00 2001

From: Vivek Goyal <vgoyal@redhat.com>

Date: Wed, 13 Jul 2016 11:13:56 -0400

Subject: [PATCH 03/10] security, overlayfs: provide copy up security hook for

 unioned files

Provide a security hook to label new file correctly when a file is copied

up from lower layer to upper layer of a overlay/union mount.

This hook can prepare a new set of creds which are suitable for new file

creation during copy up. Caller will use new creds to create file and then

revert back to old creds and release new creds.

Signed-off-by: Vivek Goyal <vgoyal@redhat.com>

Acked-by: Stephen Smalley <sds@tycho.nsa.gov>

[PM: whitespace cleanup to appease checkpatch.pl]

Signed-off-by: Paul Moore <paul@paul-moore.com>

---

 fs/overlayfs/copy_up.c    | 15 +++++++++++++++

 include/linux/lsm_hooks.h | 11 +++++++++++

 include/linux/security.h  |  6 ++++++

 security/security.c       |  8 ++++++++

 4 files changed, 40 insertions(+)

diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c

index 54e5d66..c297b1f 100644

--- a/fs/overlayfs/copy_up.c

+++ b/fs/overlayfs/copy_up.c

@@ -246,6 +246,8 @@ static int ovl_copy_up_locked(struct dentry *workdir, struct dentry *upperdir,

 	struct dentry *upper = NULL;

 	umode_t mode = stat->mode;

 	int err;

+	const struct cred *old_creds = NULL;

+	struct cred *new_creds = NULL;

 	newdentry = ovl_lookup_temp(workdir, dentry);

 	err = PTR_ERR(newdentry);

@@ -258,10 +260,23 @@ static int ovl_copy_up_locked(struct dentry *workdir, struct dentry *upperdir,

 	if (IS_ERR(upper))

 		goto out1;

+	err = security_inode_copy_up(dentry, &new_creds);

+	if (err < 0)

+		goto out2;

+

+	if (new_creds)

+		old_creds = override_creds(new_creds);

+

 	/* Can't properly set mode on creation because of the umask */

 	stat->mode &= S_IFMT;

 	err = ovl_create_real(wdir, newdentry, stat, link, NULL, true);

 	stat->mode = mode;

+

+	if (new_creds) {

+		revert_creds(old_creds);

+		put_cred(new_creds);

+	}

+

 	if (err)

 		goto out2;

diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h

index 101bf19..cb69fc8 100644

--- a/include/linux/lsm_hooks.h

+++ b/include/linux/lsm_hooks.h

@@ -401,6 +401,15 @@

  *	@inode contains a pointer to the inode.

  *	@secid contains a pointer to the location where result will be saved.

  *	In case of failure, @secid will be set to zero.

+ * @inode_copy_up:

+ *	A file is about to be copied up from lower layer to upper layer of

+ *	overlay filesystem. Security module can prepare a set of new creds

+ *	and modify as need be and return new creds. Caller will switch to

+ *	new creds temporarily to create new file and release newly allocated

+ *	creds.

+ *	@src indicates the union dentry of file that is being copied up.

+ *	@new pointer to pointer to return newly allocated creds.

+ *	Returns 0 on success or a negative error code on error.

  *

  * Security hooks for file operations

  *

@@ -1425,6 +1434,7 @@ union security_list_options {

 	int (*inode_listsecurity)(struct inode *inode, char *buffer,

 					size_t buffer_size);

 	void (*inode_getsecid)(struct inode *inode, u32 *secid);

+	int (*inode_copy_up)(struct dentry *src, struct cred **new);

 	int (*file_permission)(struct file *file, int mask);

 	int (*file_alloc_security)(struct file *file);

@@ -1696,6 +1706,7 @@ struct security_hook_heads {

 	struct list_head inode_setsecurity;

 	struct list_head inode_listsecurity;

 	struct list_head inode_getsecid;

+	struct list_head inode_copy_up;

 	struct list_head file_permission;

 	struct list_head file_alloc_security;

 	struct list_head file_free_security;

diff --git a/include/linux/security.h b/include/linux/security.h

index 7831cd5..c5b0ccd 100644

--- a/include/linux/security.h

+++ b/include/linux/security.h

@@ -282,6 +282,7 @@ int security_inode_getsecurity(struct inode *inode, const char *name, void **buf

 int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags);

 int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size);

 void security_inode_getsecid(struct inode *inode, u32 *secid);

+int security_inode_copy_up(struct dentry *src, struct cred **new);

 int security_file_permission(struct file *file, int mask);

 int security_file_alloc(struct file *file);

 void security_file_free(struct file *file);

@@ -758,6 +759,11 @@ static inline void security_inode_getsecid(struct inode *inode, u32 *secid)

 	*secid = 0;

 }

+static inline int security_inode_copy_up(struct dentry *src, struct cred **new)

+{

+	return 0;

+}

+

 static inline int security_file_permission(struct file *file, int mask)

 {

 	return 0;

diff --git a/security/security.c b/security/security.c

index 4838e7f..f2a7f27 100644

--- a/security/security.c

+++ b/security/security.c

@@ -748,6 +748,12 @@ void security_inode_getsecid(struct inode *inode, u32 *secid)

 	call_void_hook(inode_getsecid, inode, secid);

 }

+int security_inode_copy_up(struct dentry *src, struct cred **new)

+{

+	return call_int_hook(inode_copy_up, 0, src, new);

+}

+EXPORT_SYMBOL(security_inode_copy_up);

+

 int security_file_permission(struct file *file, int mask)

 {

 	int ret;

@@ -1684,6 +1690,8 @@ struct security_hook_heads security_hook_heads = {

 		LIST_HEAD_INIT(security_hook_heads.inode_listsecurity),

 	.inode_getsecid =

 		LIST_HEAD_INIT(security_hook_heads.inode_getsecid),

+	.inode_copy_up =

+		LIST_HEAD_INIT(security_hook_heads.inode_copy_up),

 	.file_permission =

 		LIST_HEAD_INIT(security_hook_heads.file_permission),

 	.file_alloc_security =

-- 

2.7.4

From 56909eb3f559103196ecbf2c08c923e0804980fb Mon Sep 17 00:00:00 2001

From: Vivek Goyal <vgoyal@redhat.com>

Date: Wed, 13 Jul 2016 10:44:48 -0400

Subject: [PATCH 04/10] selinux: Implementation for inode_copy_up() hook

A file is being copied up for overlay file system. Prepare a new set of

creds and set create_sid appropriately so that new file is created with

appropriate label.

Overlay inode has right label for both context and non-context mount

cases. In case of non-context mount, overlay inode will have the label

of lower file and in case of context mount, overlay inode will have

the label from context= mount option.

Signed-off-by: Vivek Goyal <vgoyal@redhat.com>

Acked-by: Stephen Smalley <sds@tycho.nsa.gov>

Signed-off-by: Paul Moore <paul@paul-moore.com>

---

 security/selinux/hooks.c | 21 +++++++++++++++++++++

 1 file changed, 21 insertions(+)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c

index 880f953..40597ed 100644

--- a/security/selinux/hooks.c

+++ b/security/selinux/hooks.c

@@ -3293,6 +3293,26 @@ static void selinux_inode_getsecid(struct inode *inode, u32 *secid)

 	*secid = isec->sid;

 }

+static int selinux_inode_copy_up(struct dentry *src, struct cred **new)

+{

+	u32 sid;

+	struct task_security_struct *tsec;

+	struct cred *new_creds = *new;

+

+	if (new_creds == NULL) {

+		new_creds = prepare_creds();

+		if (!new_creds)

+			return -ENOMEM;

+	}

+

+	tsec = new_creds->security;

+	/* Get label from overlay inode and set it in create_sid */

+	selinux_inode_getsecid(d_inode(src), &sid;;

+	tsec->create_sid = sid;

+	*new = new_creds;

+	return 0;

+}

+

 /* file security operations */

 static int selinux_revalidate_file_permission(struct file *file, int mask)

@@ -6088,6 +6108,7 @@ static struct security_hook_list selinux_hooks[] = {

 	LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),

 	LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),

 	LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),

+	LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),

 	LSM_HOOK_INIT(file_permission, selinux_file_permission),

 	LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),

-- 

2.7.4

From 121ab822ef21914adac2fa3730efeeb8fd762473 Mon Sep 17 00:00:00 2001

From: Vivek Goyal <vgoyal@redhat.com>

Date: Wed, 13 Jul 2016 10:44:49 -0400

Subject: [PATCH 05/10] security,overlayfs: Provide security hook for copy up

 of xattrs for overlay file

Provide a security hook which is called when xattrs of a file are being

copied up. This hook is called once for each xattr and LSM can return

0 if the security module wants the xattr to be copied up, 1 if the

security module wants the xattr to be discarded on the copy, -EOPNOTSUPP

if the security module does not handle/manage the xattr, or a -errno

upon an error.

Signed-off-by: David Howells <dhowells@redhat.com>

Signed-off-by: Vivek Goyal <vgoyal@redhat.com>

Acked-by: Stephen Smalley <sds@tycho.nsa.gov>

[PM: whitespace cleanup for checkpatch.pl]

Signed-off-by: Paul Moore <paul@paul-moore.com>

---

 fs/overlayfs/copy_up.c    |  7 +++++++

 include/linux/lsm_hooks.h | 10 ++++++++++

 include/linux/security.h  |  6 ++++++

 security/security.c       |  8 ++++++++

 4 files changed, 31 insertions(+)

diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c

index c297b1f..cd65f12 100644

--- a/fs/overlayfs/copy_up.c

+++ b/fs/overlayfs/copy_up.c

@@ -103,6 +103,13 @@ retry:

 			goto retry;

 		}

+		error = security_inode_copy_up_xattr(name);

+		if (error < 0 && error != -EOPNOTSUPP)

+			break;

+		if (error == 1) {

+			error = 0;

+			continue; /* Discard */

+		}

 		error = vfs_setxattr(new, name, value, size, 0);

 		if (error)

 			break;

diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h

index cb69fc8..5797122 100644

--- a/include/linux/lsm_hooks.h

+++ b/include/linux/lsm_hooks.h

@@ -410,6 +410,14 @@

  *	@src indicates the union dentry of file that is being copied up.

  *	@new pointer to pointer to return newly allocated creds.

  *	Returns 0 on success or a negative error code on error.

+ * @inode_copy_up_xattr:

+ *	Filter the xattrs being copied up when a unioned file is copied

+ *	up from a lower layer to the union/overlay layer.

+ *	@name indicates the name of the xattr.

+ *	Returns 0 to accept the xattr, 1 to discard the xattr, -EOPNOTSUPP if

+ *	security module does not know about attribute or a negative error code

+ *	to abort the copy up. Note that the caller is responsible for reading

+ *	and writing the xattrs as this hook is merely a filter.

  *

  * Security hooks for file operations

  *

@@ -1435,6 +1443,7 @@ union security_list_options {

 					size_t buffer_size);

 	void (*inode_getsecid)(struct inode *inode, u32 *secid);

 	int (*inode_copy_up)(struct dentry *src, struct cred **new);

+	int (*inode_copy_up_xattr)(const char *name);

 	int (*file_permission)(struct file *file, int mask);

 	int (*file_alloc_security)(struct file *file);

@@ -1707,6 +1716,7 @@ struct security_hook_heads {

 	struct list_head inode_listsecurity;

 	struct list_head inode_getsecid;

 	struct list_head inode_copy_up;

+	struct list_head inode_copy_up_xattr;

 	struct list_head file_permission;

 	struct list_head file_alloc_security;

 	struct list_head file_free_security;

diff --git a/include/linux/security.h b/include/linux/security.h

index c5b0ccd..536fafd 100644

--- a/include/linux/security.h

+++ b/include/linux/security.h

@@ -283,6 +283,7 @@ int security_inode_setsecurity(struct inode *inode, const char *name, const void

 int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size);

 void security_inode_getsecid(struct inode *inode, u32 *secid);

 int security_inode_copy_up(struct dentry *src, struct cred **new);

+int security_inode_copy_up_xattr(const char *name);

 int security_file_permission(struct file *file, int mask);

 int security_file_alloc(struct file *file);

 void security_file_free(struct file *file);

@@ -764,6 +765,11 @@ static inline int security_inode_copy_up(struct dentry *src, struct cred **new)

 	return 0;

 }

+static inline int security_inode_copy_up_xattr(const char *name)

+{

+	return -EOPNOTSUPP;

+}

+

 static inline int security_file_permission(struct file *file, int mask)

 {

 	return 0;

diff --git a/security/security.c b/security/security.c

index f2a7f27..a9e2bb9 100644

--- a/security/security.c

+++ b/security/security.c

@@ -754,6 +754,12 @@ int security_inode_copy_up(struct dentry *src, struct cred **new)

 }

 EXPORT_SYMBOL(security_inode_copy_up);

+int security_inode_copy_up_xattr(const char *name)

+{

+	return call_int_hook(inode_copy_up_xattr, -EOPNOTSUPP, name);

+}

+EXPORT_SYMBOL(security_inode_copy_up_xattr);

+

 int security_file_permission(struct file *file, int mask)

 {

 	int ret;

@@ -1692,6 +1698,8 @@ struct security_hook_heads security_hook_heads = {

 		LIST_HEAD_INIT(security_hook_heads.inode_getsecid),

 	.inode_copy_up =

 		LIST_HEAD_INIT(security_hook_heads.inode_copy_up),

+	.inode_copy_up_xattr =

+		LIST_HEAD_INIT(security_hook_heads.inode_copy_up_xattr),

 	.file_permission =

 		LIST_HEAD_INIT(security_hook_heads.file_permission),

 	.file_alloc_security =

-- 

2.7.4

From 19472b69d639d58415866bf127d5f9005038c105 Mon Sep 17 00:00:00 2001

From: Vivek Goyal <vgoyal@redhat.com>

Date: Wed, 13 Jul 2016 10:44:50 -0400

Subject: [PATCH 06/10] selinux: Implementation for inode_copy_up_xattr() hook

When a file is copied up in overlay, we have already created file on

upper/ with right label and there is no need to copy up selinux

label/xattr from lower file to upper file. In fact in case of context

mount, we don't want to copy up label as newly created file got its label

from context= option.

Signed-off-by: Vivek Goyal <vgoyal@redhat.com>

Acked-by: Stephen Smalley <sds@tycho.nsa.gov>

Signed-off-by: Paul Moore <paul@paul-moore.com>

---

 security/selinux/hooks.c | 16 ++++++++++++++++

 1 file changed, 16 insertions(+)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c

index 40597ed..a2d5108 100644

--- a/security/selinux/hooks.c

+++ b/security/selinux/hooks.c

@@ -3313,6 +3313,21 @@ static int selinux_inode_copy_up(struct dentry *src, struct cred **new)

 	return 0;

 }

+static int selinux_inode_copy_up_xattr(const char *name)

+{

+	/* The copy_up hook above sets the initial context on an inode, but we

+	 * don't then want to overwrite it by blindly copying all the lower

+	 * xattrs up.  Instead, we have to filter out SELinux-related xattrs.

+	 */

+	if (strcmp(name, XATTR_NAME_SELINUX) == 0)

+		return 1; /* Discard */

+	/*

+	 * Any other attribute apart from SELINUX is not claimed, supported

+	 * by selinux.

+	 */

+	return -EOPNOTSUPP;

+}

+

 /* file security operations */

 static int selinux_revalidate_file_permission(struct file *file, int mask)

@@ -6109,6 +6124,7 @@ static struct security_hook_list selinux_hooks[] = {

 	LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),

 	LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),

 	LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),

+	LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),

 	LSM_HOOK_INIT(file_permission, selinux_file_permission),

 	LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),

-- 

2.7.4

From c957f6df52c509ccfbb96659fd1a0f7812de333f Mon Sep 17 00:00:00 2001

From: Vivek Goyal <vgoyal@redhat.com>

Date: Wed, 13 Jul 2016 10:44:51 -0400

Subject: [PATCH 07/10] selinux: Pass security pointer to

 determine_inode_label()

Right now selinux_determine_inode_label() works on security pointer of

current task. Soon I need this to work on a security pointer retrieved

from a set of creds. So start passing in a pointer and caller can

decide where to fetch security pointer from.

Signed-off-by: Vivek Goyal <vgoyal@redhat.com>

Acked-by: Stephen Smalley <sds@tycho.nsa.gov>

Signed-off-by: Paul Moore <paul@paul-moore.com>

---

 security/selinux/hooks.c | 19 ++++++++++---------

 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c

index a2d5108..f9d398b 100644

--- a/security/selinux/hooks.c

+++ b/security/selinux/hooks.c

@@ -1808,13 +1808,13 @@ out:

 /*

  * Determine the label for an inode that might be unioned.

  */

-static int selinux_determine_inode_label(struct inode *dir,

-					 const struct qstr *name,

-					 u16 tclass,

-					 u32 *_new_isid)

+static int

+selinux_determine_inode_label(const struct task_security_struct *tsec,

+				 struct inode *dir,

+				 const struct qstr *name, u16 tclass,

+				 u32 *_new_isid)

 {

 	const struct superblock_security_struct *sbsec = dir->i_sb->s_security;

-	const struct task_security_struct *tsec = current_security();

 	if ((sbsec->flags & SE_SBINITIALIZED) &&

 	    (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {

@@ -1857,8 +1857,8 @@ static int may_create(struct inode *dir,

 	if (rc)

 		return rc;

-	rc = selinux_determine_inode_label(dir, &dentry->d_name, tclass,

-					   &newsid);

+	rc = selinux_determine_inode_label(current_security(), dir,

+					   &dentry->d_name, tclass, &newsid);

 	if (rc)

 		return rc;

@@ -2838,7 +2838,8 @@ static int selinux_dentry_init_security(struct dentry *dentry, int mode,

 	u32 newsid;

 	int rc;

-	rc = selinux_determine_inode_label(d_inode(dentry->d_parent), name,

+	rc = selinux_determine_inode_label(current_security(),

+					   d_inode(dentry->d_parent), name,

 					   inode_mode_to_security_class(mode),

 					   &newsid);

 	if (rc)

@@ -2863,7 +2864,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,

 	sid = tsec->sid;

 	newsid = tsec->create_sid;

-	rc = selinux_determine_inode_label(

+	rc = selinux_determine_inode_label(current_security(),

 		dir, qstr,

 		inode_mode_to_security_class(inode->i_mode),

 		&newsid);

-- 

2.7.4

From 2602625b7e46576b00db619ac788c508ba3bcb2c Mon Sep 17 00:00:00 2001

From: Vivek Goyal <vgoyal@redhat.com>

Date: Wed, 13 Jul 2016 10:44:52 -0400

Subject: [PATCH 08/10] security, overlayfs: Provide hook to correctly label

 newly created files

During a new file creation we need to make sure new file is created with the

right label. New file is created in upper/ so effectively file should get

label as if task had created file in upper/.

We switched to mounter's creds for actual file creation. Also if there is a

whiteout present, then file will be created in work/ dir first and then

renamed in upper. In none of the cases file will be labeled as we want it to

be.

This patch introduces a new hook dentry_create_files_as(), which determines

the label/context dentry will get if it had been created by task in upper

and modify passed set of creds appropriately. Caller makes use of these new

creds for file creation.

Signed-off-by: Vivek Goyal <vgoyal@redhat.com>

Acked-by: Stephen Smalley <sds@tycho.nsa.gov>

[PM: fix whitespace issues found with checkpatch.pl]

[PM: changes to use stat->mode in ovl_create_or_link()]

Signed-off-by: Paul Moore <paul@paul-moore.com>

---

 fs/overlayfs/dir.c        | 10 ++++++++++

 include/linux/lsm_hooks.h | 15 +++++++++++++++

 include/linux/security.h  | 12 ++++++++++++

 security/security.c       | 11 +++++++++++

 4 files changed, 48 insertions(+)

diff --git a/fs/overlayfs/dir.c b/fs/overlayfs/dir.c

index 12bcd07..a155e52 100644

--- a/fs/overlayfs/dir.c

+++ b/fs/overlayfs/dir.c

@@ -435,6 +435,15 @@ static int ovl_create_or_link(struct dentry *dentry, struct inode *inode,

 	if (override_cred) {

 		override_cred->fsuid = inode->i_uid;

 		override_cred->fsgid = inode->i_gid;

+		if (!hardlink) {

+			err = security_dentry_create_files_as(dentry,

+					stat->mode, &dentry->d_name, old_cred,

+					override_cred);

+			if (err) {

+				put_cred(override_cred);

+				goto out_revert_creds;

+			}

+		}

 		put_cred(override_creds(override_cred));

 		put_cred(override_cred);

@@ -445,6 +454,7 @@ static int ovl_create_or_link(struct dentry *dentry, struct inode *inode,

 			err = ovl_create_over_whiteout(dentry, inode, stat,

 							link, hardlink);

 	}

+out_revert_creds:

 	revert_creds(old_cred);

 	if (!err) {

 		struct inode *realinode = d_inode(ovl_dentry_upper(dentry));

diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h

index 5797122..f2af2af 100644

--- a/include/linux/lsm_hooks.h

+++ b/include/linux/lsm_hooks.h

@@ -151,6 +151,16 @@

  *	@name name of the last path component used to create file

  *	@ctx pointer to place the pointer to the resulting context in.

  *	@ctxlen point to place the length of the resulting context.

+ * @dentry_create_files_as:

+ *	Compute a context for a dentry as the inode is not yet available

+ *	and set that context in passed in creds so that new files are

+ *	created using that context. Context is calculated using the

+ *	passed in creds and not the creds of the caller.

+ *	@dentry dentry to use in calculating the context.

+ *	@mode mode used to determine resource type.

+ *	@name name of the last path component used to create file

+ *	@old creds which should be used for context calculation

+ *	@new creds to modify

  *

  *

  * Security hooks for inode operations.

@@ -1375,6 +1385,10 @@ union security_list_options {

 	int (*dentry_init_security)(struct dentry *dentry, int mode,

 					const struct qstr *name, void **ctx,

 					u32 *ctxlen);

+	int (*dentry_create_files_as)(struct dentry *dentry, int mode,

+					struct qstr *name,

+					const struct cred *old,

+					struct cred *new);

 #ifdef CONFIG_SECURITY_PATH

@@ -1675,6 +1689,7 @@ struct security_hook_heads {