From patchwork Mon May 30 13:59:02 2016
X-Patchwork-Submitter: Andreas Gruenbacher
X-Patchwork-Id: 9144745
From: Andreas Gruenbacher
To: Alexander Viro, Paul Moore, Stephen Smalley, Eric Paris
Cc: linux-fsdevel@vger.kernel.org, Andreas Gruenbacher, selinux@tycho.nsa.gov
Subject: [RFC 2/2] overlayfs: Make getxattr work with inode only
Date: Mon, 30 May 2016 15:59:02 +0200
Message-Id: <1464616742-29271-3-git-send-email-agruenba@redhat.com>
In-Reply-To: <1464616742-29271-1-git-send-email-agruenba@redhat.com>
References: <1464616742-29271-1-git-send-email-agruenba@redhat.com>
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"

Change the getxattr inode operation to only use its inode argument, and ignore the dentry. This is possible because on overlayfs, each dentry has a separate inode and inodes are not shared among dentries. Allows SELinux to work on top of overlayfs.

Signed-off-by: Andreas Gruenbacher
---
fs/overlayfs/inode.c | 26 +++++++++++++++----------- fs/overlayfs/overlayfs.h | 1 + fs/overlayfs/super.c | 10 +++++++--- 3 files changed, 23 insertions(+), 14 deletions(-) diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c index 8c3f985..7acc145 100644 --- a/fs/overlayfs/inode.c +++ b/fs/overlayfs/inode.c 
@@ -238,29 +238,32 @@ out: return err; } -static bool ovl_need_xattr_filter(struct dentry *dentry, +static bool ovl_need_xattr_filter(struct inode *inode, enum ovl_path_type type) { if ((type & (__OVL_PATH_PURE | __OVL_PATH_UPPER)) == __OVL_PATH_UPPER) - return S_ISDIR(dentry->d_inode->i_mode); + return S_ISDIR(inode->i_mode); else return false; } -ssize_t ovl_getxattr(struct dentry *dentry, struct inode *inode, +ssize_t ovl_getxattr(struct dentry *unused, struct inode *inode, const char *name, void *value, size_t size) { - struct path realpath; + struct ovl_entry *oe = inode->i_private; enum ovl_path_type type; + struct dentry *realdentry; + bool is_upper; - if (!dentry) - return -ECHILD; + realdentry = ovl_entry_real(oe, &is_upper); + if (!realdentry->d_inode) + return -ENOENT; - type = ovl_path_real(dentry, &realpath); - if (ovl_need_xattr_filter(dentry, type) && ovl_is_private_xattr(name)) + type = __ovl_path_type(oe, inode->i_mode); + if (ovl_need_xattr_filter(inode, type) && ovl_is_private_xattr(name)) return -ENODATA; - return vfs_getxattr(realpath.dentry, name, value, size); + return vfs_getxattr(realdentry, name, value, size); } ssize_t ovl_listxattr(struct dentry *dentry, char *list, size_t size) @@ -274,7 +277,7 @@ ssize_t ovl_listxattr(struct dentry *dentry, char *list, size_t size) if (res <= 0 || size == 0) return res; - if (!ovl_need_xattr_filter(dentry, type)) + if (!ovl_need_xattr_filter(dentry->d_inode, type)) return res; /* filter out private xattrs */ @@ -306,7 +309,8 @@ int ovl_removexattr(struct dentry *dentry, const char *name) goto out; err = -ENODATA; - if (ovl_need_xattr_filter(dentry, type) && ovl_is_private_xattr(name)) + if (ovl_need_xattr_filter(dentry->d_inode, type) && + ovl_is_private_xattr(name)) goto out_drop_write; if (!OVL_TYPE_UPPER(type)) { diff --git a/fs/overlayfs/overlayfs.h b/fs/overlayfs/overlayfs.h index 4bd9b5b..0d1430f 100644 --- a/fs/overlayfs/overlayfs.h +++ b/fs/overlayfs/overlayfs.h 
@@ -131,6 +131,7 @@ static inline int ovl_do_whiteout(struct inode *dir, struct dentry *dentry) return err; } +enum ovl_path_type __ovl_path_type(struct ovl_entry *oe, umode_t mode); enum ovl_path_type ovl_path_type(struct dentry *dentry); u64 ovl_dentry_version_get(struct dentry *dentry); void ovl_dentry_version_inc(struct dentry *dentry); diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c index ce02f46..d04546e 100644 --- a/fs/overlayfs/super.c +++ b/fs/overlayfs/super.c @@ -70,9 +70,8 @@ static struct dentry *__ovl_dentry_lower(struct ovl_entry *oe) return oe->numlower ? oe->lowerstack[0].dentry : NULL; } -enum ovl_path_type ovl_path_type(struct dentry *dentry) +enum ovl_path_type __ovl_path_type(struct ovl_entry *oe, umode_t mode) { - struct ovl_entry *oe = dentry->d_fsdata; enum ovl_path_type type = 0; if (oe->__upperdentry) { @@ -82,7 +81,7 @@ enum ovl_path_type ovl_path_type(struct dentry *dentry) * Non-dir dentry can hold lower dentry from previous * location. Its purity depends only on opaque flag. */ - if (oe->numlower && S_ISDIR(dentry->d_inode->i_mode)) + if (oe->numlower && S_ISDIR(mode)) type |= __OVL_PATH_MERGE; else if (!oe->opaque) type |= __OVL_PATH_PURE; @@ -93,6 +92,11 @@ enum ovl_path_type ovl_path_type(struct dentry *dentry) return type; } +enum ovl_path_type ovl_path_type(struct dentry *dentry) +{ + return __ovl_path_type(dentry->d_fsdata, dentry->d_inode->i_mode); +} + static struct dentry *ovl_upperdentry_dereference(struct ovl_entry *oe) { return lockless_dereference(oe->__upperdentry);
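
Review bot: In the ovl_getxattr() hunk of fs/overlayfs/inode.c, the result of ovl_entry_real() is dereferenced as realdentry->d_inode with no NULL check, and oe is taken from inode->i_private unchecked, so the function relies on every overlayfs inode carrying an ovl_entry that has a real dentry. The commit message gives the invariant (each dentry has its own inode); a comment at the top of the function stating it, or a WARN_ON(!oe) style guard, would make that dependency explicit. is_upper is filled in but never read in the visible lines, and both the new -ENOENT return for a negative real dentry and the removal of the -ECHILD return for a NULL dentry are behaviour changes that deserve a line in the changelog.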
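
Review bot: The prototype added in the fs/overlayfs/overlayfs.h hunk exports __ovl_path_type() without documenting which mode the caller has to pass. ovl_getxattr() passes the overlay inode's i_mode and the ovl_path_type() wrapper passes dentry->d_inode->i_mode, so a one-line comment above the declaration saying that mode is the overlay inode's mode (not that of the real upper or lower inode) would keep later callers from passing the wrong one. A double-underscore name in a shared header also reads as internal; consider a name that describes the inode-based variant.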
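
Review bot: The new ovl_path_type() wrapper at the end of the fs/overlayfs/super.c changes reads dentry->d_inode->i_mode unconditionally, while the old body evaluated that expression only inside the oe->__upperdentry branch and after the oe->numlower test. Any caller that can pass a dentry without an inode and previously never reached that expression would now dereference NULL. Either confirm that no such caller exists and say so in the changelog, or check d_inode in the wrapper before reading i_mode.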