security: allow finer granularity in permitting copy-up of security xattrs

stefanberger · mimizohar · commit 3253804773c0 · 2024-04-09T17:14:57.000-04:00
Copying up xattrs is solely based on the security xattr name. For finer
granularity add a dentry parameter to the security_inode_copy_up_xattr
hook definition, allowing decisions to be based on the xattr content as
well.

Co-developed-by: Mimi Zohar &lt;zohar@linux.ibm.com&gt;
Signed-off-by: Stefan Berger &lt;stefanb@linux.ibm.com&gt;
Acked-by: Amir Goldstein &lt;amir73il@gmail.com&gt;
Acked-by: Paul Moore &lt;paul@paul-moore.com&gt; (LSM,SELinux)
Signed-off-by: Mimi Zohar &lt;zohar@linux.ibm.com&gt;
diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c
@@ -114,7 +114,7 @@ int ovl_copy_xattr(struct super_block *sb, const struct path *oldpath, struct de
 		if (ovl_is_private_xattr(sb, name))
 			continue;
 
-		error = security_inode_copy_up_xattr(name);
+		error = security_inode_copy_up_xattr(old, name);
 		if (error < 0 && error != -EOPNOTSUPP)
 			break;
 		if (error == 1) {
diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
@@ -176,7 +176,8 @@ LSM_HOOK(int, 0, inode_listsecurity, struct inode *inode, char *buffer,
 	 size_t buffer_size)
 LSM_HOOK(void, LSM_RET_VOID, inode_getsecid, struct inode *inode, u32 *secid)
 LSM_HOOK(int, 0, inode_copy_up, struct dentry *src, struct cred **new)
-LSM_HOOK(int, -EOPNOTSUPP, inode_copy_up_xattr, const char *name)
+LSM_HOOK(int, -EOPNOTSUPP, inode_copy_up_xattr, struct dentry *src,
+	 const char *name)
 LSM_HOOK(int, 0, kernfs_init_security, struct kernfs_node *kn_dir,
 	 struct kernfs_node *kn)
 LSM_HOOK(int, 0, file_permission, struct file *file, int mask)
diff --git a/include/linux/security.h b/include/linux/security.h
@@ -398,7 +398,7 @@ int security_inode_setsecurity(struct inode *inode, const char *name, const void
 int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size);
 void security_inode_getsecid(struct inode *inode, u32 *secid);
 int security_inode_copy_up(struct dentry *src, struct cred **new);
-int security_inode_copy_up_xattr(const char *name);
+int security_inode_copy_up_xattr(struct dentry *src, const char *name);
 int security_kernfs_init_security(struct kernfs_node *kn_dir,
 				  struct kernfs_node *kn);
 int security_file_permission(struct file *file, int mask);
@@ -1016,7 +1016,7 @@ static inline int security_kernfs_init_security(struct kernfs_node *kn_dir,
 	return 0;
 }
 
-static inline int security_inode_copy_up_xattr(const char *name)
+static inline int security_inode_copy_up_xattr(struct dentry *src, const char *name)
 {
 	return -EOPNOTSUPP;
 }
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
@@ -946,7 +946,7 @@ static void evm_inode_post_setattr(struct mnt_idmap *idmap,
 		evm_update_evmxattr(dentry, NULL, NULL, 0);
 }
 
-static int evm_inode_copy_up_xattr(const char *name)
+static int evm_inode_copy_up_xattr(struct dentry *src, const char *name)
 {
 	if (strcmp(name, XATTR_NAME_EVM) == 0)
 		return 1; /* Discard */
diff --git a/security/security.c b/security/security.c
@@ -2628,6 +2628,7 @@ EXPORT_SYMBOL(security_inode_copy_up);
 
 /**
  * security_inode_copy_up_xattr() - Filter xattrs in an overlayfs copy-up op
+ * @src: union dentry of copy-up file
  * @name: xattr name
  *
  * Filter the xattrs being copied up when a unioned file is copied up from a
@@ -2638,7 +2639,7 @@ EXPORT_SYMBOL(security_inode_copy_up);
  *         if the security module does not know about attribute, or a negative
  *         error code to abort the copy up.
  */
-int security_inode_copy_up_xattr(const char *name)
+int security_inode_copy_up_xattr(struct dentry *src, const char *name)
 {
 	int rc;
 
@@ -2647,7 +2648,7 @@ int security_inode_copy_up_xattr(const char *name)
 	 * xattr), -EOPNOTSUPP if it does not know anything about the xattr or
 	 * any other error code in case of an error.
 	 */
-	rc = call_int_hook(inode_copy_up_xattr, name);
+	rc = call_int_hook(inode_copy_up_xattr, src, name);
 	if (rc != LSM_RET_DEFAULT(inode_copy_up_xattr))
 		return rc;
 
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
@@ -3530,7 +3530,7 @@ static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
 	return 0;
 }
 
-static int selinux_inode_copy_up_xattr(const char *name)
+static int selinux_inode_copy_up_xattr(struct dentry *dentry, const char *name)
 {
 	/* The copy_up hook above sets the initial context on an inode, but we
 	 * don't then want to overwrite it by blindly copying all the lower
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
@@ -4885,7 +4885,7 @@ static int smack_inode_copy_up(struct dentry *dentry, struct cred **new)
 	return 0;
 }
 
-static int smack_inode_copy_up_xattr(const char *name)
+static int smack_inode_copy_up_xattr(struct dentry *src, const char *name)
 {
 	/*
 	 * Return 1 if this is the smack access Smack attribute.

Original file line number	Diff line number	Diff line change
`@@ -398,7 +398,7 @@ int security_inode_setsecurity(struct inode inode, const char name, const void`
`398`	`398`	`int security_inode_listsecurity(struct inode inode, char buffer, size_t buffer_size);`
`399`	`399`	`void security_inode_getsecid(struct inode inode, u32 secid);`
`400`	`400`	`int security_inode_copy_up(struct dentry src, struct cred *new);`
`401`		`-int security_inode_copy_up_xattr(const char *name);`
	`401`	`+int security_inode_copy_up_xattr(struct dentry src, const char name);`
`402`	`402`	`int security_kernfs_init_security(struct kernfs_node *kn_dir,`
`403`	`403`	`struct kernfs_node *kn);`
`404`	`404`	`int security_file_permission(struct file *file, int mask);`
`@@ -1016,7 +1016,7 @@ static inline int security_kernfs_init_security(struct kernfs_node *kn_dir,`
`1016`	`1016`	`return 0;`
`1017`	`1017`	`}`
`1018`	`1018`
`1019`		`-static inline int security_inode_copy_up_xattr(const char *name)`
	`1019`	`+static inline int security_inode_copy_up_xattr(struct dentry src, const char name)`
`1020`	`1020`	`{`
`1021`	`1021`	`return -EOPNOTSUPP;`
`1022`	`1022`	`}`
Original file line number	Diff line number	Diff line change
`@@ -946,7 +946,7 @@ static void evm_inode_post_setattr(struct mnt_idmap *idmap,`
`946`	`946`	`evm_update_evmxattr(dentry, NULL, NULL, 0);`
`947`	`947`	`}`
`948`	`948`
`949`		`-static int evm_inode_copy_up_xattr(const char *name)`
	`949`	`+static int evm_inode_copy_up_xattr(struct dentry src, const char name)`
`950`	`950`	`{`
`951`	`951`	`if (strcmp(name, XATTR_NAME_EVM) == 0)`
`952`	`952`	`return 1; /* Discard */`
Original file line number	Diff line number	Diff line change
`@@ -3530,7 +3530,7 @@ static int selinux_inode_copy_up(struct dentry src, struct cred *new)`
`3530`	`3530`	`return 0;`
`3531`	`3531`	`}`
`3532`	`3532`
`3533`		`-static int selinux_inode_copy_up_xattr(const char *name)`
	`3533`	`+static int selinux_inode_copy_up_xattr(struct dentry dentry, const char name)`
`3534`	`3534`	`{`
`3535`	`3535`	`/* The copy_up hook above sets the initial context on an inode, but we`
`3536`	`3536`	`* don't then want to overwrite it by blindly copying all the lower`
Original file line number	Diff line number	Diff line change
`@@ -4885,7 +4885,7 @@ static int smack_inode_copy_up(struct dentry dentry, struct cred *new)`
`4885`	`4885`	`return 0;`
`4886`	`4886`	`}`
`4887`	`4887`
`4888`		`-static int smack_inode_copy_up_xattr(const char *name)`
	`4888`	`+static int smack_inode_copy_up_xattr(struct dentry src, const char name)`
`4889`	`4889`	`{`
`4890`	`4890`	`/*`
`4891`	`4891`	`* Return 1 if this is the smack access Smack attribute.`