From patchwork Mon Jul 24 15:13:37 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Roberto Sassu X-Patchwork-Id: 125071 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a59:9010:0:b0:3e4:2afc:c1 with SMTP id l16csp1881862vqg; Mon, 24 Jul 2023 08:40:15 -0700 (PDT) X-Google-Smtp-Source: APBJJlGTvi++loiec3iU63tuLOQ69eis3w1QUmhGm2PCdJE7K0Zf4Q/y2a/ApWfaCgfOLR/vcv7n X-Received: by 2002:a05:6a20:88:b0:131:dc49:13eb with SMTP id 8-20020a056a20008800b00131dc4913ebmr11049030pzg.35.1690213215112; Mon, 24 Jul 2023 08:40:15 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1690213215; cv=none; d=google.com; s=arc-20160816; b=tb+ytTiD1AWxFntinALUixidVNlI+cvM8buY5hWp77phyT0xBlanMA1vMVcl47S2LH nRDTjIGIDh6zR4rQzYsXyzS6YRE5GEcE4Sxpv2MKpugkhpychQPN8id68aK9BxnnIhJg FPVg/gt0Nl9BU0Sjzp+VdJP1K1ysYWrOzi1pG/EG+O11Ta9x47bVvCa8PBgdWTqhiMSE KiYk1EXeREp3njgcZ0Lm9tpztxyrCKh6F7WH/vxpm7szmjbJCldAw6IKacMtECIkIgVf g3AcwjWyBWqZ1u/68wyS7gSnPZAccH9ZAMuHKL/RIP18cenShR643o3Y2PDcFw2JtEQ7 eDYg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from; bh=s9ET0lG7gwYTYGmXFA0OxoH2hzuuWG+wdn/BJW8zUPg=; fh=ZKWcyA0kesGCMzuKNl8fCcnARFCiY872iRD37qc+xr4=; b=fDFdIaZWPxiskqOylL5yaxLOIOeEN4QZ9VBFCM3mLrcX3I7wu3/bYwDJetz0Rpq1fU uxTh0q2b36MOQ8gGhYx6terXW5j6KlnBV/9cizsXQg6HiTV1dOkxe2cuzPQRs6z5lNN5 EMsPD2Ps7vjsxM7dCtiRW8KtrQ0rd5chImK5/HHMyt/pBSYPuQN1tFa+UW+K8LZIpixY q7xPBq1OVC01mLRib8SR8rxDi7EIm8WoZclS47WGeHjMV9UBroLybuCeNQYR8jQpq9vq TPmTdrYVlre1bm3xSTykDF+Oj/sw1qJscIUI7Q9m06cFstD/kM13cDH7qsSxzYsV4LLo 2MyQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id a123-20020a636681000000b0055bbc6e2c6csi8829742pgc.491.2023.07.24.08.40.02; Mon, 24 Jul 2023 08:40:15 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230408AbjGXPTA (ORCPT + 99 others); Mon, 24 Jul 2023 11:19:00 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42488 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230309AbjGXPSs (ORCPT ); Mon, 24 Jul 2023 11:18:48 -0400 Received: from frasgout13.his.huawei.com (unknown [14.137.139.46]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id AFA0E1B3; Mon, 24 Jul 2023 08:18:46 -0700 (PDT) Received: from mail02.huawei.com (unknown [172.18.147.228]) by frasgout13.his.huawei.com (SkyGuard) with ESMTP id 4R8k6R1vxDzB0hnC; Mon, 24 Jul 2023 23:07:27 +0800 (CST) Received: from huaweicloud.com (unknown [10.204.63.22]) by APP2 (Coremail) with SMTP id GxC2BwCHTlU3lr5kJcTzBA--.28220S3; Mon, 24 Jul 2023 16:18:33 +0100 (CET) From: Roberto Sassu To: casey@schaufler-ca.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com Cc: linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, Roberto Sassu , stable@vger.kernel.org Subject: [PATCH v2 1/5] smack: Set SMACK64TRANSMUTE only for dirs in smack_inode_setxattr() Date: Mon, 24 Jul 2023 17:13:37 +0200 Message-Id: <20230724151341.538889-2-roberto.sassu@huaweicloud.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20230724151341.538889-1-roberto.sassu@huaweicloud.com> References: <20230724151341.538889-1-roberto.sassu@huaweicloud.com> MIME-Version: 1.0 X-CM-TRANSID: GxC2BwCHTlU3lr5kJcTzBA--.28220S3 X-Coremail-Antispam: 1UD129KBjvdXoWrtw1UKryUCFW8Gry7Jw4Utwb_yoWDCrb_Ka 40yas5JrZ8Aa17Zw4xCwnYqrn2g348Xr1rG3Waya9Iya4rXr1rZa15GFyfAFZ8ur17Ga95 uFn8Ga4Yy347XjkaLaAFLSUrUUUUUb8apTn2vfkv8UJUUUU8Yxn0WfASr-VFAUDa7-sFnT 9fnUUIcSsGvfJTRUUUbsAYFVCjjxCrM7AC8VAFwI0_Xr0_Wr1l1xkIjI8I6I8E6xAIw20E Y4v20xvaj40_Wr0E3s1l1IIY67AEw4v_Jr0_Jr4l82xGYIkIc2x26280x7IE14v26r18M2 8IrcIa0xkI8VCY1x0267AKxVWUCVW8JwA2ocxC64kIII0Yj41l84x0c7CEw4AK67xGY2AK 021l84ACjcxK6xIIjxv20xvE14v26r1j6r1xM28EF7xvwVC0I7IYx2IY6xkF7I0E14v26r 4j6F4UM28EF7xvwVC2z280aVAFwI0_Gr0_Cr1l84ACjcxK6I8E87Iv6xkF7I0E14v26F4U JVW0owAS0I0E0xvYzxvE52x082IY62kv0487Mc02F40EFcxC0VAKzVAqx4xG6I80ewAv7V C0I7IYx2IY67AKxVWUJVWUGwAv7VC2z280aVAFwI0_Jr0_Gr1lOx8S6xCaFVCjc4AY6r1j 6r4UM4x0Y48IcxkI7VAKI48JMxAIw28IcxkI7VAKI48JMxC20s026xCaFVCjc4AY6r1j6r 4UMI8I3I0E5I8CrVAFwI0_Jr0_Jr4lx2IqxVCjr7xvwVAFwI0_JrI_JrWlx4CE17CEb7AF 67AKxVWUtVW8ZwCIc40Y0x0EwIxGrwCI42IY6xIIjxv20xvE14v26r1j6r1xMIIF0xvE2I x0cI8IcVCY1x0267AKxVW8JVWxJwCI42IY6xAIw20EY4v20xvaj40_Jr0_JF4lIxAIcVC2 z280aVAFwI0_Jr0_Gr1lIxAIcVC2z280aVCY1x0267AKxVW8JVW8JrUvcSsGvfC2KfnxnU UI43ZEXa7IU1M7K7UUUUU== X-CM-SenderInfo: purev21wro2thvvxqx5xdzvxpfor3voofrz/1tbiAgAIBF1jj4zfVAAEs8 X-CFilter-Loop: Reflected X-Spam-Status: No, score=-0.9 required=5.0 tests=BAYES_00,KHOP_HELO_FCRDNS, MAY_BE_FORGED,RDNS_DYNAMIC,SPF_HELO_NONE,SPF_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1772317012218547135 X-GMAIL-MSGID: 1772317012218547135 From: Roberto Sassu Since the SMACK64TRANSMUTE xattr makes sense only for directories, enforce this restriction in smack_inode_setxattr(). Cc: stable@vger.kernel.org Fixes: 5c6d1125f8db ("Smack: Transmute labels on specified directories") # v2.6.38.x Signed-off-by: Roberto Sassu --- security/smack/smack_lsm.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 679156601a1..e599ce9453c 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -1262,7 +1262,8 @@ static int smack_inode_setxattr(struct mnt_idmap *idmap, check_star = 1; } else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { check_priv = 1; - if (size != TRANS_TRUE_SIZE || + if (!S_ISDIR(d_backing_inode(dentry)->i_mode) || + size != TRANS_TRUE_SIZE || strncmp(value, TRANS_TRUE, TRANS_TRUE_SIZE) != 0) rc = -EINVAL; } else From patchwork Mon Jul 24 15:13:38 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Roberto Sassu X-Patchwork-Id: 125068 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a59:9010:0:b0:3e4:2afc:c1 with SMTP id l16csp1881467vqg; Mon, 24 Jul 2023 08:39:32 -0700 (PDT) X-Google-Smtp-Source: APBJJlF5HdA7BC1zq11H7NvobjEic5THLKgmfpGjv+5w37wBa87T/d3vGL/nyTzIkDOdDT3je458 X-Received: by 2002:a05:6a21:99a5:b0:13a:43e8:3fa6 with SMTP id ve37-20020a056a2199a500b0013a43e83fa6mr5319478pzb.23.1690213172156; Mon, 24 Jul 2023 08:39:32 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1690213172; cv=none; d=google.com; s=arc-20160816; b=P/Fg8CtUTkx5HkzIhZVHXYrIDMVi6gwSmLHtR36hRUPWMZETSnDfdJZiwVXxLt8lEc 6JEWlyPArleYy5OXmFur+/yStIHvqpDLdc6cFK8jSalxpgI0ar5bwtkuh6a3twwkuao3 y/zctGTmtZLRapzPl8mNGmO/dSN+2seKJkXSHFWk6FnrMjDW0hE32ZycVuNZUXtC1Bk6 7aQeDq7mCbuIYUqJMQjpuS2INkmO2pb1VcgYiRy9mrkK7N6ZPiMBFzzEteWijvqrR1RC olOD/flS0+0V/1z0taohpV2EVSEj0Qbt/LrKQ5YQVnu8CA046/gviC5mftYjKOk1UuPV 4tzg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from; bh=Db25gBuWGl7dYsXhriAf38OhpNNBwS/d3RS2RRiH6S0=; fh=ZKWcyA0kesGCMzuKNl8fCcnARFCiY872iRD37qc+xr4=; b=rSes9f1tmzrnHC+Rg5x6YXTTVTvUWJ0u7NfrbpGF/jSQGvRI1FH8QbTQapcIQWhyiD R8LJFYDVsHWexpito0wDEIIQneGYl3sv79IqZ4pcmV/501vWcQTyU80ExAvAT2qgJM31 /P4NFRAvy5QGPSLp/7todidohy3IyfUtTEWcgo3BOGi+o5kEDMsSPnLW5v1DSagpcOTU wOPg+qlZrLvF2xSsCTawPEOE58bmaKhDdB5yW/OsUxqCNPcsgIwxZVALnzwHR0dSqZgx qS18GhH8H8NudGlL/DHTnQH5OCpKd3MK1LLcnIUgoNr/CorVSUx3L5cr879xjxcOEzzj 0rZA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id x12-20020aa793ac000000b00666e4a4656asi8710976pff.335.2023.07.24.08.39.18; Mon, 24 Jul 2023 08:39:32 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231140AbjGXPTD (ORCPT + 99 others); Mon, 24 Jul 2023 11:19:03 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42638 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231131AbjGXPS5 (ORCPT ); Mon, 24 Jul 2023 11:18:57 -0400 Received: from frasgout11.his.huawei.com (unknown [14.137.139.23]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9C2DA10EC; Mon, 24 Jul 2023 08:18:51 -0700 (PDT) Received: from mail02.huawei.com (unknown [172.18.147.229]) by frasgout11.his.huawei.com (SkyGuard) with ESMTP id 4R8k6V1swTz9yGhH; Mon, 24 Jul 2023 23:07:30 +0800 (CST) Received: from huaweicloud.com (unknown [10.204.63.22]) by APP2 (Coremail) with SMTP id GxC2BwCHTlU3lr5kJcTzBA--.28220S4; Mon, 24 Jul 2023 16:18:38 +0100 (CET) From: Roberto Sassu To: casey@schaufler-ca.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com Cc: linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, Roberto Sassu , stable@vger.kernel.org Subject: [PATCH v2 2/5] smack: Handle SMACK64TRANSMUTE in smack_inode_setsecurity() Date: Mon, 24 Jul 2023 17:13:38 +0200 Message-Id: <20230724151341.538889-3-roberto.sassu@huaweicloud.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20230724151341.538889-1-roberto.sassu@huaweicloud.com> References: <20230724151341.538889-1-roberto.sassu@huaweicloud.com> MIME-Version: 1.0 X-CM-TRANSID: GxC2BwCHTlU3lr5kJcTzBA--.28220S4 X-Coremail-Antispam: 1UD129KBjvdXoW7Wr15tF17uw4xtrWfZFyxXwb_yoWkZFg_Wr 1jya4kXrs8A3W3Wa97Ar1Fvr92g3y8Xr1rW3Wft343Za4rXr1kta15Jry5WFW5Zw1xJ397 CFn8WFyfJw12qjkaLaAFLSUrUUUUUb8apTn2vfkv8UJUUUU8Yxn0WfASr-VFAUDa7-sFnT 9fnUUIcSsGvfJTRUUUbsAYFVCjjxCrM7AC8VAFwI0_Wr0E3s1l1xkIjI8I6I8E6xAIw20E Y4v20xvaj40_Wr0E3s1l1IIY67AEw4v_Jr0_Jr4l82xGYIkIc2x26280x7IE14v26r15M2 8IrcIa0xkI8VCY1x0267AKxVW8JVW5JwA2ocxC64kIII0Yj41l84x0c7CEw4AK67xGY2AK 021l84ACjcxK6xIIjxv20xvE14v26r1j6r1xM28EF7xvwVC0I7IYx2IY6xkF7I0E14v26r 4j6F4UM28EF7xvwVC2z280aVAFwI0_Gr0_Cr1l84ACjcxK6I8E87Iv6xkF7I0E14v26F4U JVW0owAS0I0E0xvYzxvE52x082IY62kv0487Mc02F40EFcxC0VAKzVAqx4xG6I80ewAv7V C0I7IYx2IY67AKxVWUJVWUGwAv7VC2z280aVAFwI0_Jr0_Gr1lOx8S6xCaFVCjc4AY6r1j 6r4UM4x0Y48IcxkI7VAKI48JMxAIw28IcxkI7VAKI48JMxC20s026xCaFVCjc4AY6r1j6r 4UMI8I3I0E5I8CrVAFwI0_Jr0_Jr4lx2IqxVCjr7xvwVAFwI0_JrI_JrWlx4CE17CEb7AF 67AKxVWUtVW8ZwCIc40Y0x0EwIxGrwCI42IY6xIIjxv20xvE14v26r1j6r1xMIIF0xvE2I x0cI8IcVCY1x0267AKxVW8JVWxJwCI42IY6xAIw20EY4v20xvaj40_Jr0_JF4lIxAIcVC2 z280aVAFwI0_Jr0_Gr1lIxAIcVC2z280aVCY1x0267AKxVW8JVW8JrUvcSsGvfC2KfnxnU UI43ZEXa7IU8fcTPUUUUU== X-CM-SenderInfo: purev21wro2thvvxqx5xdzvxpfor3voofrz/1tbiAQAIBF1jj5DcNQAAsF X-CFilter-Loop: Reflected X-Spam-Status: No, score=-0.9 required=5.0 tests=BAYES_00,KHOP_HELO_FCRDNS, MAY_BE_FORGED,RCVD_IN_MSPIKE_BL,RCVD_IN_MSPIKE_L3,RDNS_DYNAMIC, SPF_HELO_NONE,SPF_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1772316966752421578 X-GMAIL-MSGID: 1772316966752421578 From: Roberto Sassu If the SMACK64TRANSMUTE xattr is provided, and the inode is a directory, update the in-memory inode flags by setting SMK_INODE_TRANSMUTE. Cc: stable@vger.kernel.org Fixes: 5c6d1125f8db ("Smack: Transmute labels on specified directories") # v2.6.38.x Signed-off-by: Roberto Sassu --- security/smack/smack_lsm.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index e599ce9453c..9eae830527d 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -2804,6 +2804,15 @@ static int smack_inode_setsecurity(struct inode *inode, const char *name, if (value == NULL || size > SMK_LONGLABEL || size == 0) return -EINVAL; + if (strcmp(name, XATTR_SMACK_TRANSMUTE) == 0) { + if (!S_ISDIR(inode->i_mode) || size != TRANS_TRUE_SIZE || + strncmp(value, TRANS_TRUE, TRANS_TRUE_SIZE) != 0) + return -EINVAL; + + nsp->smk_flags |= SMK_INODE_TRANSMUTE; + return 0; + } + skp = smk_import_entry(value, size); if (IS_ERR(skp)) return PTR_ERR(skp); From patchwork Mon Jul 24 15:13:39 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Roberto Sassu X-Patchwork-Id: 125072 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a59:9010:0:b0:3e4:2afc:c1 with SMTP id l16csp1882315vqg; Mon, 24 Jul 2023 08:41:01 -0700 (PDT) X-Google-Smtp-Source: APBJJlHssIqYlkQtPwE0uH699Y+bZBPZQ+21NdfLY/bJHoz9YU+QkCLUehcySfGdwEJWm13Q9hmm X-Received: by 2002:a05:6a20:4908:b0:134:14b1:9e0b with SMTP id ft8-20020a056a20490800b0013414b19e0bmr12948155pzb.36.1690213261031; Mon, 24 Jul 2023 08:41:01 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1690213261; cv=none; d=google.com; s=arc-20160816; b=Vl274Pf9ivJTxYc1+1NX1Af2HyJX1VaYwST1nuQibVC3Y0zAMPdxPOqgfpcQUFNQ3Z UAsk/EGa0gigvK0a/ObvTqTQHV4L0781yM+EV7N6Vk4aHc0WDe1laNVWBYg/jTf9r5HA Gjkh85/3xDBxS/yAzaZh8SPt57IdNCkY+31V1Kea5RLOF15n+cBFImRpUja6yGavnMmw Rk74qJxoBaeC/X9KClQBdp7dgAdLH4AFTcZS36/TtjO7KU7EwH1RfeV51YUqD04hfNqm mepo14EcjqTXC+CfjICv2QKuNO6TOGqM/BqJqMcx0/K5srv/vnaTNoB9XBQxxjNkN6Cd 3siQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from; bh=FLiv6LObhm0kzNMpF/n8nmHt/zmfUrbfmVmhVVsrnfg=; fh=z7vPyysRJOxh1U4ufKlXD98Auu6H+pYIEt5RTGBgBtQ=; b=ZR8rUUXm1YJf+S1hY9XC0cVxVzeqREyBvTZhyTQDCuuqbJ8pKAoo9cIUITbLvmrej7 ctivnV4yCXij+XM/hmcGPKC/NbjlQ4mjHyhRFFFQKO+wm+sUJ15zHz+PXBnmCwk28PBu 302pidhZojIoAiEwYkPVW4Apg5LRmyMNWh1XxkPy8REVUC+fqlYimmq7YB5RXqkXbZ4p tmouYkqc6r3N/A6+BbTmS6uVemoEAqIfa59Bod39KGfsyBXqiD/wnuszSKR+/xDdl/OS fqw5zmECryr6Tw1pBQUKV+ugPbG6d7m7az4oViBqQdcsga9vfA10MLYWAU9hQgt+a29A qhzQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id x12-20020aa793ac000000b00666e4a4656asi8710976pff.335.2023.07.24.08.40.47; Mon, 24 Jul 2023 08:41:01 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231387AbjGXPTM (ORCPT + 99 others); Mon, 24 Jul 2023 11:19:12 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42670 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230008AbjGXPTG (ORCPT ); Mon, 24 Jul 2023 11:19:06 -0400 Received: from frasgout12.his.huawei.com (unknown [14.137.139.154]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7F2C51729; Mon, 24 Jul 2023 08:18:56 -0700 (PDT) Received: from mail02.huawei.com (unknown [172.18.147.227]) by frasgout12.his.huawei.com (SkyGuard) with ESMTP id 4R8k4N5s47z9ycNT; Mon, 24 Jul 2023 23:05:40 +0800 (CST) Received: from huaweicloud.com (unknown [10.204.63.22]) by APP2 (Coremail) with SMTP id GxC2BwCHTlU3lr5kJcTzBA--.28220S5; Mon, 24 Jul 2023 16:18:42 +0100 (CET) From: Roberto Sassu To: casey@schaufler-ca.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com Cc: linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, Roberto Sassu Subject: [PATCH v2 3/5] smack: Always determine inode labels in smack_inode_init_security() Date: Mon, 24 Jul 2023 17:13:39 +0200 Message-Id: <20230724151341.538889-4-roberto.sassu@huaweicloud.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20230724151341.538889-1-roberto.sassu@huaweicloud.com> References: <20230724151341.538889-1-roberto.sassu@huaweicloud.com> MIME-Version: 1.0 X-CM-TRANSID: GxC2BwCHTlU3lr5kJcTzBA--.28220S5 X-Coremail-Antispam: 1UD129KBjvJXoWxJFWkWr1rKry7tr1xGF1rJFb_yoWrGr17pa yUWa9xCF1DtFnxu3y0yF47Ww4a9as5Cr4UWr9Fqr9avFsrtryIgFW0qryYgFyxXr97Zrn0 qr4avryrZ3WY9wUanT9S1TB71UUUUUUqnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2 9KBjDU0xBIdaVrnRJUUUvlb4IE77IF4wAFF20E14v26rWj6s0DM7CY07I20VC2zVCF04k2 6cxKx2IYs7xG6rWj6s0DM7CIcVAFz4kK6r1j6r18M28IrcIa0xkI8VA2jI8067AKxVWUWw A2048vs2IY020Ec7CjxVAFwI0_Xr0E3s1l8cAvFVAK0II2c7xJM28CjxkF64kEwVA0rcxS w2x7M28EF7xvwVC0I7IYx2IY67AKxVWUJVWUCwA2z4x0Y4vE2Ix0cI8IcVCY1x0267AKxV W8JVWxJwA2z4x0Y4vEx4A2jsIE14v26r4j6F4UM28EF7xvwVC2z280aVCY1x0267AKxVWx Jr0_GcWle2I262IYc4CY6c8Ij28IcVAaY2xG8wAqx4xG64xvF2IEw4CE5I8CrVC2j2WlYx 0E2Ix0cI8IcVAFwI0_Jr0_Jr4lYx0Ex4A2jsIE14v26r1j6r4UMcvjeVCFs4IE7xkEbVWU JVW8JwACjcxG0xvY0x0EwIxGrwCF04k20xvY0x0EwIxGrwCFx2IqxVCFs4IE7xkEbVWUJV W8JwC20s026c02F40E14v26r1j6r18MI8I3I0E7480Y4vE14v26r106r1rMI8E67AF67kF 1VAFwI0_JF0_Jw1lIxkGc2Ij64vIr41lIxAIcVC0I7IYx2IY67AKxVWUJVWUCwCI42IY6x IIjxv20xvEc7CjxVAFwI0_Gr0_Cr1lIxAIcVCF04k26cxKx2IYs7xG6r1j6r1xMIIF0xvE x4A2jsIE14v26r1j6r4UMIIF0xvEx4A2jsIEc7CjxVAFwI0_Gr0_Gr1UYxBIdaVFxhVjvj DU0xZFpf9x07UAkuxUUUUU= X-CM-SenderInfo: purev21wro2thvvxqx5xdzvxpfor3voofrz/1tbiAgAIBF1jj4zfjQAAsh X-CFilter-Loop: Reflected X-Spam-Status: No, score=-0.9 required=5.0 tests=BAYES_00,KHOP_HELO_FCRDNS, MAY_BE_FORGED,RCVD_IN_MSPIKE_BL,RCVD_IN_MSPIKE_L3,RDNS_DYNAMIC, SPF_HELO_NONE,SPF_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1772317060160704193 X-GMAIL-MSGID: 1772317060160704193 From: Roberto Sassu The inode_init_security hook is already a good place to initialize the in-memory inode. And that is also what SELinux does. In preparation for this, move the existing smack_inode_init_security() code outside the 'if (xattr)' condition, and set the xattr, if provided. This change does not have any impact on the current code, since every time security_inode_init_security() is called, the initxattr() callback is passed and, thus, xattr is non-NULL. Signed-off-by: Roberto Sassu --- security/smack/smack_lsm.c | 80 +++++++++++++++++++------------------- 1 file changed, 40 insertions(+), 40 deletions(-) diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 9eae830527d..5a31d005c6d 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -948,51 +948,51 @@ static int smack_inode_init_security(struct inode *inode, struct inode *dir, struct xattr *xattr = lsm_get_xattr_slot(xattrs, xattr_count); int may; - if (xattr) { - /* - * If equal, transmuting already occurred in - * smack_dentry_create_files_as(). No need to check again. - */ - if (tsp->smk_task != tsp->smk_transmuted) { - rcu_read_lock(); - may = smk_access_entry(skp->smk_known, dsp->smk_known, - &skp->smk_rules); - rcu_read_unlock(); - } + /* + * If equal, transmuting already occurred in + * smack_dentry_create_files_as(). No need to check again. + */ + if (tsp->smk_task != tsp->smk_transmuted) { + rcu_read_lock(); + may = smk_access_entry(skp->smk_known, dsp->smk_known, + &skp->smk_rules); + rcu_read_unlock(); + } + + /* + * In addition to having smk_task equal to smk_transmuted, + * if the access rule allows transmutation and the directory + * requests transmutation then by all means transmute. + * Mark the inode as changed. + */ + if ((tsp->smk_task == tsp->smk_transmuted) || + (may > 0 && ((may & MAY_TRANSMUTE) != 0) && + smk_inode_transmutable(dir))) { + struct xattr *xattr_transmute; /* - * In addition to having smk_task equal to smk_transmuted, - * if the access rule allows transmutation and the directory - * requests transmutation then by all means transmute. - * Mark the inode as changed. + * The caller of smack_dentry_create_files_as() + * should have overridden the current cred, so the + * inode label was already set correctly in + * smack_inode_alloc_security(). */ - if ((tsp->smk_task == tsp->smk_transmuted) || - (may > 0 && ((may & MAY_TRANSMUTE) != 0) && - smk_inode_transmutable(dir))) { - struct xattr *xattr_transmute; - - /* - * The caller of smack_dentry_create_files_as() - * should have overridden the current cred, so the - * inode label was already set correctly in - * smack_inode_alloc_security(). - */ - if (tsp->smk_task != tsp->smk_transmuted) - isp = dsp; - xattr_transmute = lsm_get_xattr_slot(xattrs, - xattr_count); - if (xattr_transmute) { - xattr_transmute->value = kmemdup(TRANS_TRUE, - TRANS_TRUE_SIZE, - GFP_NOFS); - if (!xattr_transmute->value) - return -ENOMEM; - - xattr_transmute->value_len = TRANS_TRUE_SIZE; - xattr_transmute->name = XATTR_SMACK_TRANSMUTE; - } + if (tsp->smk_task != tsp->smk_transmuted) + isp = dsp; + xattr_transmute = lsm_get_xattr_slot(xattrs, + xattr_count); + if (xattr_transmute) { + xattr_transmute->value = kmemdup(TRANS_TRUE, + TRANS_TRUE_SIZE, + GFP_NOFS); + if (!xattr_transmute->value) + return -ENOMEM; + + xattr_transmute->value_len = TRANS_TRUE_SIZE; + xattr_transmute->name = XATTR_SMACK_TRANSMUTE; } + } + if (xattr) { xattr->value = kstrdup(isp->smk_known, GFP_NOFS); if (!xattr->value) return -ENOMEM; From patchwork Mon Jul 24 15:13:40 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Roberto Sassu X-Patchwork-Id: 125065 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a59:9010:0:b0:3e4:2afc:c1 with SMTP id l16csp1874283vqg; Mon, 24 Jul 2023 08:27:41 -0700 (PDT) X-Google-Smtp-Source: APBJJlFdbWeRGt0Jop4ssvTkA6PVHi3F2fTEjHQqAbFxGOmbzWMpJ05LYIYnelp6J7BvFAmExOrh X-Received: by 2002:a05:6a20:12c9:b0:133:c9d0:75ff with SMTP id v9-20020a056a2012c900b00133c9d075ffmr8603589pzg.42.1690212461328; Mon, 24 Jul 2023 08:27:41 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1690212461; cv=none; d=google.com; s=arc-20160816; b=UGMgjF8g5Bk8xM8awnIIynFViVDttcPse13mWU8CyNGBF7jiPvqG8/pHXnPnhaLTSZ OwQoO9B8Ak0HSaR0XVtso+W05+tCD5McxTnHMwh6debT4OyeZGycUunr2hn+Yw43yRKU lupBdgsLtlVwfXAyuN5XO9PXBeBi0F5lCl283WfMbHmMdbTAyOYYCjSVkPOKYQDIPHhR YepAtOBkIG9hVFJ4/QxA9AyLTN82uS5jJrqCHYC7YIP5/DYpHKHW1o9ETfA2DXTf9icS 74Lbro751gFV+UMWMDyAWjZsKNqQ/pLuSeP0VxqP6pCi4geyMFABf+2epidstfBKbi/j VXmg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from; bh=dEX9C+O3A7zp6w4uV/lnzOUVvtTIX4GjrhvlDBBokFA=; fh=z7vPyysRJOxh1U4ufKlXD98Auu6H+pYIEt5RTGBgBtQ=; b=YduQI3Aj+vJ4LcC81N1zAO+pbzDa8nwpTb6WRDiHy36bSVOGqauLcETgLhYOB51dbi uCt0e+oYgri6JP+24MPppHWkRPVatpw2d26stRJ36l8ZrsainkN03eb34oIjW+QSlmHq 2lCfmV49nO2HQbafJT4EahwtjUPIMu6hWb3bl9G+rMI/GCUOjzwsVe8sJ2sdwcSAYIAo WkmQeky/YqSj+MvdIP4jIdADFyZ5xXUOR/FDl/rmsBNRYFj3grI/M2OU1VIvujE1exsE 4dJhX0lylLJt/VI5nSy7GGPjJLvX1ZTykPRI270DzNh6yYtsM44DrmyTzlp/tlwxYVXz i6KA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id m1-20020a656a01000000b00548e140a1a4si9953760pgu.644.2023.07.24.08.27.21; Mon, 24 Jul 2023 08:27:41 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230286AbjGXPTQ (ORCPT + 99 others); Mon, 24 Jul 2023 11:19:16 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42910 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231180AbjGXPTI (ORCPT ); Mon, 24 Jul 2023 11:19:08 -0400 Received: from frasgout11.his.huawei.com (unknown [14.137.139.23]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 649FC10E7; Mon, 24 Jul 2023 08:19:00 -0700 (PDT) Received: from mail02.huawei.com (unknown [172.18.147.229]) by frasgout11.his.huawei.com (SkyGuard) with ESMTP id 4R8k6f6xTgz9yM9x; Mon, 24 Jul 2023 23:07:38 +0800 (CST) Received: from huaweicloud.com (unknown [10.204.63.22]) by APP2 (Coremail) with SMTP id GxC2BwCHTlU3lr5kJcTzBA--.28220S6; Mon, 24 Jul 2023 16:18:47 +0100 (CET) From: Roberto Sassu To: casey@schaufler-ca.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com Cc: linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, Roberto Sassu Subject: [PATCH v2 4/5] smack: Initialize the in-memory inode in smack_inode_init_security() Date: Mon, 24 Jul 2023 17:13:40 +0200 Message-Id: <20230724151341.538889-5-roberto.sassu@huaweicloud.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20230724151341.538889-1-roberto.sassu@huaweicloud.com> References: <20230724151341.538889-1-roberto.sassu@huaweicloud.com> MIME-Version: 1.0 X-CM-TRANSID: GxC2BwCHTlU3lr5kJcTzBA--.28220S6 X-Coremail-Antispam: 1UD129KBjvJXoWxCry8WFWfGF4kAw18GFW5Awb_yoW5Zw1UpF Zxt3W7KwnYyF97urW0yF47Ww1SkayrKr4UGrZ8Jw17A3ZFqwn7KF18Zr45ZF15Wr4kZa1Y vF4j9ry3WFn0y3DanT9S1TB71UUUUUUqnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2 9KBjDU0xBIdaVrnRJUUUvKb4IE77IF4wAFF20E14v26rWj6s0DM7CY07I20VC2zVCF04k2 6cxKx2IYs7xG6rWj6s0DM7CIcVAFz4kK6r1j6r18M28IrcIa0xkI8VA2jI8067AKxVWUAV Cq3wA2048vs2IY020Ec7CjxVAFwI0_Xr0E3s1l8cAvFVAK0II2c7xJM28CjxkF64kEwVA0 rcxSw2x7M28EF7xvwVC0I7IYx2IY67AKxVWUJVWUCwA2z4x0Y4vE2Ix0cI8IcVCY1x0267 AKxVW8JVWxJwA2z4x0Y4vEx4A2jsIE14v26r4j6F4UM28EF7xvwVC2z280aVCY1x0267AK xVWxJr0_GcWle2I262IYc4CY6c8Ij28IcVAaY2xG8wAqx4xG64xvF2IEw4CE5I8CrVC2j2 WlYx0E2Ix0cI8IcVAFwI0_Jr0_Jr4lYx0Ex4A2jsIE14v26r1j6r4UMcvjeVCFs4IE7xkE bVWUJVW8JwACjcxG0xvY0x0EwIxGrwCF04k20xvY0x0EwIxGrwCFx2IqxVCFs4IE7xkEbV WUJVW8JwC20s026c02F40E14v26r1j6r18MI8I3I0E7480Y4vE14v26r106r1rMI8E67AF 67kF1VAFwI0_JF0_Jw1lIxkGc2Ij64vIr41lIxAIcVC0I7IYx2IY67AKxVWUJVWUCwCI42 IY6xIIjxv20xvEc7CjxVAFwI0_Gr0_Cr1lIxAIcVCF04k26cxKx2IYs7xG6r1j6r1xMIIF 0xvEx4A2jsIE14v26r1j6r4UMIIF0xvEx4A2jsIEc7CjxVAFwI0_Gr0_Gr1UYxBIdaVFxh VjvjDU0xZFpf9x07UZo7tUUUUU= X-CM-SenderInfo: purev21wro2thvvxqx5xdzvxpfor3voofrz/1tbiAgAIBF1jj4zfjQABsg X-CFilter-Loop: Reflected X-Spam-Status: No, score=-0.9 required=5.0 tests=BAYES_00,KHOP_HELO_FCRDNS, MAY_BE_FORGED,RCVD_IN_MSPIKE_BL,RCVD_IN_MSPIKE_L3,RDNS_DYNAMIC, SPF_HELO_NONE,SPF_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1772316221923151326 X-GMAIL-MSGID: 1772316221923151326 From: Roberto Sassu Currently, Smack initializes in-memory new inodes in three steps. It first sets the xattrs in smack_inode_init_security(), fetches them in smack_d_instantiate() and finally, in the same function, sets the in-memory inodes depending on xattr values, unless they are in specially-handled filesystems. Other than being inefficient, this also prevents filesystems not supporting xattrs from working properly since, without xattrs, there is no way to pass the label determined in smack_inode_init_security() to smack_d_instantiate(). Since the LSM infrastructure allows setting and getting the security field without xattrs through the inode_setsecurity and inode_getsecurity hooks, make the inode creation work too, by initializing the in-memory inode earlier in smack_inode_init_security(). Also mark the inode as instantiated, to prevent smack_d_instantiate() from overwriting the security field. As mentioned above, this potentially has impact for inodes in specially-handled filesystems in smack_d_instantiate(), if they are not handled in the same way in smack_inode_init_security(). Filesystems other than tmpfs don't call security_inode_init_security(), so they would be always initialized in smack_d_instantiate(), as before. For tmpfs, the current behavior is to assign to inodes the label '*', but actually that label is overwritten with the one fetched from the SMACK64 xattr, set in smack_inode_init_security() (default: '_'). Initializing the in-memory inode is straightforward: if not transmuting, nothing more needs to be done; if transmuting, overwrite the current inode label with the one from the parent directory, and set SMK_INODE_TRANSMUTE. Finally, set SMK_INODE_INSTANT for all cases, to mark the inode as instantiated. Signed-off-by: Roberto Sassu --- security/smack/smack_lsm.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 5a31d005c6d..f3946778192 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -942,6 +942,7 @@ static int smack_inode_init_security(struct inode *inode, struct inode *dir, struct xattr *xattrs, int *xattr_count) { struct task_smack *tsp = smack_cred(current_cred()); + struct inode_smack *issp = smack_inode(inode); struct smack_known *skp = smk_of_task(tsp); struct smack_known *isp = smk_of_inode(inode); struct smack_known *dsp = smk_of_inode(dir); @@ -977,7 +978,9 @@ static int smack_inode_init_security(struct inode *inode, struct inode *dir, * smack_inode_alloc_security(). */ if (tsp->smk_task != tsp->smk_transmuted) - isp = dsp; + isp = issp->smk_inode = dsp; + + issp->smk_flags |= SMK_INODE_TRANSMUTE; xattr_transmute = lsm_get_xattr_slot(xattrs, xattr_count); if (xattr_transmute) { @@ -992,6 +995,8 @@ static int smack_inode_init_security(struct inode *inode, struct inode *dir, } } + issp->smk_flags |= SMK_INODE_INSTANT; + if (xattr) { xattr->value = kstrdup(isp->smk_known, GFP_NOFS); if (!xattr->value) From patchwork Mon Jul 24 15:13:41 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Roberto Sassu X-Patchwork-Id: 125067 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a59:9010:0:b0:3e4:2afc:c1 with SMTP id l16csp1881231vqg; Mon, 24 Jul 2023 08:39:03 -0700 (PDT) X-Google-Smtp-Source: APBJJlFSpcBV/t6VXAj9kXe3H4YdSY3Davle0Bcoy7plhVlrcQsn7N/VB8JGtgfYHhBEmrBJiYpr X-Received: by 2002:a17:906:1c5:b0:988:fb2f:274e with SMTP id 5-20020a17090601c500b00988fb2f274emr9543734ejj.27.1690213143343; Mon, 24 Jul 2023 08:39:03 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1690213143; cv=none; d=google.com; s=arc-20160816; b=kc4acB0CtYXdkkwl+IPZMiV409FRMYHrY1iwWlQun1TQtg4+oL9Uu6U/Dwhr+G/vvH nsaeZtje05cjHvqkvkB05nGFNw+FWFrLpX1dPsUm/F0mBsofhGG6M/0RTbViqEMD3BLP 5qajHqRachsImRHS5zDD3O5hFcexkaURedvAtPzAHUVuJpiDTXFEj/l8qUXZDbnFXasn V1d4UYNfa3JN9iWhLaVEs5wU7IyYcW5p/rmvDjdW9/3AU1/Vcyo1G1yrnU0Khx2PRS5P Re4pAjNChwzm8PSTUDnF0Og1AkOHI4Tmd8Q776sgOn+9FKKTabjkIkrkqfEJxbGyWPun 27QA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from; bh=p1t8kNyoaLvZI8oyJeRqI9PLO4T6nlwE4JyeuwRTnv4=; fh=z7vPyysRJOxh1U4ufKlXD98Auu6H+pYIEt5RTGBgBtQ=; b=EV9LNKyYiYxbV28XjjfHvuxlPR/WrD0Ta4WFKkSMsZArQtwaCdamSxw3pQ1BT9K/RE OrxgUpO0iiwHfYN4uBzZD5CaxvhTIHVSlpm+YEkiRJY4KZwxVGFYceT0F1HrBbBY25B5 3LO5Y3TAli/IVU5tD/bZ+ZkFhstjQyyBoHLBJxxjLMZBeRCLX3o+4jDF2R8VSZXrL60z JitiVVaAKxOnzKstVrZzVuLOt1F9RzKJmwScXAxUquM12G0VBLiW9/zTrHzTtN3r6cVc 9QdF4sdJyihfUtiz/09Mdzsc5jP9rFlPZ7W3BGs87NBCLAHncDTKkXljKRzb8F0nD3Ed hdWQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id qo12-20020a170907212c00b00977e4a1fe32si6486999ejb.539.2023.07.24.08.38.38; Mon, 24 Jul 2023 08:39:03 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231299AbjGXPT1 (ORCPT + 99 others); Mon, 24 Jul 2023 11:19:27 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42638 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230161AbjGXPTL (ORCPT ); Mon, 24 Jul 2023 11:19:11 -0400 Received: from frasgout11.his.huawei.com (unknown [14.137.139.23]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1793A19B7; Mon, 24 Jul 2023 08:19:04 -0700 (PDT) Received: from mail02.huawei.com (unknown [172.18.147.229]) by frasgout11.his.huawei.com (SkyGuard) with ESMTP id 4R8k6l34txz9yGhK; Mon, 24 Jul 2023 23:07:43 +0800 (CST) Received: from huaweicloud.com (unknown [10.204.63.22]) by APP2 (Coremail) with SMTP id GxC2BwCHTlU3lr5kJcTzBA--.28220S7; Mon, 24 Jul 2023 16:18:51 +0100 (CET) From: Roberto Sassu To: casey@schaufler-ca.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com Cc: linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, Roberto Sassu Subject: [PATCH v2 5/5] ramfs: Initialize security of in-memory inodes Date: Mon, 24 Jul 2023 17:13:41 +0200 Message-Id: <20230724151341.538889-6-roberto.sassu@huaweicloud.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20230724151341.538889-1-roberto.sassu@huaweicloud.com> References: <20230724151341.538889-1-roberto.sassu@huaweicloud.com> MIME-Version: 1.0 X-CM-TRANSID: GxC2BwCHTlU3lr5kJcTzBA--.28220S7 X-Coremail-Antispam: 1UD129KBjvJXoW7WrWUKFWkXw13Jry5AF13Jwb_yoW8uw15pF 42qasxGwn5WFZ7Wr1ftF4Uuw1ftayfKr4DJws7Zw17A3Z7Jw1Utr4Syr13CFyfGrW8Gw1S qF45ur45C3W7A3DanT9S1TB71UUUUUUqnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2 9KBjDU0xBIdaVrnRJUUUvKb4IE77IF4wAFF20E14v26rWj6s0DM7CY07I20VC2zVCF04k2 6cxKx2IYs7xG6rWj6s0DM7CIcVAFz4kK6r1j6r18M28IrcIa0xkI8VA2jI8067AKxVWUAV Cq3wA2048vs2IY020Ec7CjxVAFwI0_Xr0E3s1l8cAvFVAK0II2c7xJM28CjxkF64kEwVA0 rcxSw2x7M28EF7xvwVC0I7IYx2IY67AKxVWUCVW8JwA2z4x0Y4vE2Ix0cI8IcVCY1x0267 AKxVW8JVWxJwA2z4x0Y4vEx4A2jsIE14v26r4j6F4UM28EF7xvwVC2z280aVCY1x0267AK xVWxJr0_GcWle2I262IYc4CY6c8Ij28IcVAaY2xG8wAqx4xG64xvF2IEw4CE5I8CrVC2j2 WlYx0E2Ix0cI8IcVAFwI0_Jr0_Jr4lYx0Ex4A2jsIE14v26r1j6r4UMcvjeVCFs4IE7xkE bVWUJVW8JwACjcxG0xvY0x0EwIxGrwCF04k20xvY0x0EwIxGrwCFx2IqxVCFs4IE7xkEbV WUJVW8JwC20s026c02F40E14v26r1j6r18MI8I3I0E7480Y4vE14v26r106r1rMI8E67AF 67kF1VAFwI0_JF0_Jw1lIxkGc2Ij64vIr41lIxAIcVC0I7IYx2IY67AKxVWUCVW8JwCI42 IY6xIIjxv20xvEc7CjxVAFwI0_Gr0_Cr1lIxAIcVCF04k26cxKx2IYs7xG6r1j6r1xMIIF 0xvEx4A2jsIE14v26r1j6r4UMIIF0xvEx4A2jsIEc7CjxVAFwI0_Gr0_Gr1UYxBIdaVFxh VjvjDU0xZFpf9x07UZo7tUUUUU= X-CM-SenderInfo: purev21wro2thvvxqx5xdzvxpfor3voofrz/1tbiAQAIBF1jj5DcNgAAsG X-CFilter-Loop: Reflected X-Spam-Status: No, score=-0.9 required=5.0 tests=BAYES_00,KHOP_HELO_FCRDNS, MAY_BE_FORGED,RCVD_IN_MSPIKE_BL,RCVD_IN_MSPIKE_L3,RDNS_DYNAMIC, SPF_HELO_NONE,SPF_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1772316937031687345 X-GMAIL-MSGID: 1772316937031687345 From: Roberto Sassu Add a call security_inode_init_security() after ramfs_get_inode(), to let LSMs initialize the inode security field. Skip ramfs_fill_super(), as the initialization is done through the sb_set_mnt_opts hook. Calling security_inode_init_security() call inside ramfs_get_inode() is not possible since, for CONFIG_SHMEM=n, tmpfs also calls the former after the latter. Pass NULL as initxattrs() callback to security_inode_init_security(), since the purpose of the call is only to initialize the in-memory inodes. Signed-off-by: Roberto Sassu --- fs/ramfs/inode.c | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/fs/ramfs/inode.c b/fs/ramfs/inode.c index fef477c7810..ac90ebd9dbd 100644 --- a/fs/ramfs/inode.c +++ b/fs/ramfs/inode.c @@ -102,6 +102,14 @@ ramfs_mknod(struct mnt_idmap *idmap, struct inode *dir, int error = -ENOSPC; if (inode) { + error = security_inode_init_security(inode, dir, + &dentry->d_name, NULL, + NULL); + if (error) { + iput(inode); + return error; + } + d_instantiate(dentry, inode); dget(dentry); /* Extra count - pin the dentry in core */ error = 0; @@ -134,6 +142,15 @@ static int ramfs_symlink(struct mnt_idmap *idmap, struct inode *dir, inode = ramfs_get_inode(dir->i_sb, dir, S_IFLNK|S_IRWXUGO, 0); if (inode) { int l = strlen(symname)+1; + + error = security_inode_init_security(inode, dir, + &dentry->d_name, NULL, + NULL); + if (error) { + iput(inode); + return error; + } + error = page_symlink(inode, symname, l); if (!error) { d_instantiate(dentry, inode); @@ -149,10 +166,20 @@ static int ramfs_tmpfile(struct mnt_idmap *idmap, struct inode *dir, struct file *file, umode_t mode) { struct inode *inode; + int error; inode = ramfs_get_inode(dir->i_sb, dir, mode, 0); if (!inode) return -ENOSPC; + + error = security_inode_init_security(inode, dir, + &file_dentry(file)->d_name, NULL, + NULL); + if (error) { + iput(inode); + return error; + } + d_tmpfile(file, inode); return finish_open_simple(file, 0); }