diff mbox series

[RFC] Set SMK_INODE_CHANGED inside smack_dentry_create_files_as

Message ID 20230419231829.881830-1-mengcc@amazon.com (mailing list archive)
State Handled Elsewhere
Headers show
Series [RFC] Set SMK_INODE_CHANGED inside smack_dentry_create_files_as | expand

Commit Message

Mengchi Cheng April 19, 2023, 11:18 p.m. UTC 
On the overlay fs with smack lsm enabled, new subdir did not inherit
transmute xattr form parent dir.

One solution that can solve it is passing inode into
smack_dentry_create_files_as. And Set SMK_INODE_CHANGED to smak_flags
if directory has transmute xattr.

Reported-by: Ryan Yoon <yoonjaeh@amazon.com>
---
 fs/overlayfs/dir.c            | 2 +-
 include/linux/lsm_hook_defs.h | 2 +-
 include/linux/security.h      | 4 ++--
 security/security.c           | 4 ++--
 security/selinux/hooks.c      | 2 +-
 security/smack/smack_lsm.c    | 8 ++++++--
 6 files changed, 13 insertions(+), 9 deletions(-)
diff mbox series

Patch

diff --git a/fs/overlayfs/dir.c b/fs/overlayfs/dir.c
index fc25fb95d5fc..1b3f7f3a5468 100644
--- a/fs/overlayfs/dir.c
+++ b/fs/overlayfs/dir.c
@@ -598,7 +598,7 @@  static int ovl_create_or_link(struct dentry *dentry, struct inode *inode,
 		override_cred->fsgid = inode->i_gid;
 		err = security_dentry_create_files_as(dentry,
 				attr->mode, &dentry->d_name, old_cred,
-				override_cred);
+				override_cred, inode);
 		if (err) {
 			put_cred(override_cred);
 			goto out_revert_creds;
diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
index 094b76dc7164..96f1fdc21cbc 100644
--- a/include/linux/lsm_hook_defs.h
+++ b/include/linux/lsm_hook_defs.h
@@ -84,7 +84,7 @@  LSM_HOOK(int, -EOPNOTSUPP, dentry_init_security, struct dentry *dentry,
 	 int mode, const struct qstr *name, const char **xattr_name,
 	 void **ctx, u32 *ctxlen)
 LSM_HOOK(int, 0, dentry_create_files_as, struct dentry *dentry, int mode,
-	 struct qstr *name, const struct cred *old, struct cred *new)
+	 struct qstr *name, const struct cred *old, struct cred *new, struct inode *inode)
 
 #ifdef CONFIG_SECURITY_PATH
 LSM_HOOK(int, 0, path_unlink, const struct path *dir, struct dentry *dentry)
diff --git a/include/linux/security.h b/include/linux/security.h
index 5984d0d550b4..354d68dc69c5 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -325,7 +325,7 @@  int security_dentry_init_security(struct dentry *dentry, int mode,
 int security_dentry_create_files_as(struct dentry *dentry, int mode,
 					struct qstr *name,
 					const struct cred *old,
-					struct cred *new);
+					struct cred *new, struct inode *inode);
 int security_path_notify(const struct path *path, u64 mask,
 					unsigned int obj_type);
 int security_inode_alloc(struct inode *inode);
@@ -756,7 +756,7 @@  static inline int security_dentry_init_security(struct dentry *dentry,
 static inline int security_dentry_create_files_as(struct dentry *dentry,
 						  int mode, struct qstr *name,
 						  const struct cred *old,
-						  struct cred *new)
+						  struct cred *new, struct inode *inode)
 {
 	return 0;
 }
diff --git a/security/security.c b/security/security.c
index cf6cc576736f..0ffe98cc57fe 100644
--- a/security/security.c
+++ b/security/security.c
@@ -1110,10 +1110,10 @@  EXPORT_SYMBOL(security_dentry_init_security);
 
 int security_dentry_create_files_as(struct dentry *dentry, int mode,
 				    struct qstr *name,
-				    const struct cred *old, struct cred *new)
+				    const struct cred *old, struct cred *new, struct inode *inode)
 {
 	return call_int_hook(dentry_create_files_as, 0, dentry, mode,
-				name, old, new);
+				name, old, new, inode);
 }
 EXPORT_SYMBOL(security_dentry_create_files_as);
 
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 9a5bdfc21314..2addc513bbb0 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2848,7 +2848,7 @@  static int selinux_dentry_init_security(struct dentry *dentry, int mode,
 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
 					  struct qstr *name,
 					  const struct cred *old,
-					  struct cred *new)
+					  struct cred *new, struct inode *inode)
 {
 	u32 newsid;
 	int rc;
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index cfcbb748da25..e929e3e131c2 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -4739,12 +4739,14 @@  static int smack_inode_copy_up_xattr(const char *name)
 static int smack_dentry_create_files_as(struct dentry *dentry, int mode,
 					struct qstr *name,
 					const struct cred *old,
-					struct cred *new)
+					struct cred *new,
+					struct inode *inode)
 {
 	struct task_smack *otsp = smack_cred(old);
 	struct task_smack *ntsp = smack_cred(new);
 	struct inode_smack *isp;
 	int may;
+	struct inode_smack *issp = smack_inode(inode);
 
 	/*
 	 * Use the process credential unless all of
@@ -4769,8 +4771,10 @@  static int smack_dentry_create_files_as(struct dentry *dentry, int mode,
 		 * providing access is transmuting use the containing
 		 * directory label instead of the process label.
 		 */
-		if (may > 0 && (may & MAY_TRANSMUTE))
+		if (may > 0 && (may & MAY_TRANSMUTE)) {
 			ntsp->smk_task = isp->smk_inode;
+			issp->smk_flags |= SMK_INODE_CHANGED;
+		}
 	}
 	return 0;
 }