security,overlayfs: Provide security hook for copy up of xattrs for overlay file (121ab822) · Commits · 戴 / test

fs/overlayfs/copy_up.c

+7 −0

Original line number	Diff line number	Diff line
		@@ -103,6 +103,13 @@ retry:
		goto retry;
		}

		error = security_inode_copy_up_xattr(name);
		if (error < 0 && error != -EOPNOTSUPP)
		break;
		if (error == 1) {
		error = 0;
		continue; /* Discard */
		}
		error = vfs_setxattr(new, name, value, size, 0);
		if (error)
		break;

+10 −0

Original line number	Diff line number	Diff line
		@@ -410,6 +410,14 @@
		* @src indicates the union dentry of file that is being copied up.
		* @new pointer to pointer to return newly allocated creds.
		* Returns 0 on success or a negative error code on error.
		* @inode_copy_up_xattr:
		* Filter the xattrs being copied up when a unioned file is copied
		* up from a lower layer to the union/overlay layer.
		* @name indicates the name of the xattr.
		* Returns 0 to accept the xattr, 1 to discard the xattr, -EOPNOTSUPP if
		* security module does not know about attribute or a negative error code
		* to abort the copy up. Note that the caller is responsible for reading
		* and writing the xattrs as this hook is merely a filter.
		*
		* Security hooks for file operations
		*
		@@ -1435,6 +1443,7 @@ union security_list_options {
		size_t buffer_size);
		void (inode_getsecid)(struct inode inode, u32 *secid);
		int (inode_copy_up)(struct dentry src, struct cred **new);
		int (inode_copy_up_xattr)(const char name);

		int (file_permission)(struct file file, int mask);
		int (file_alloc_security)(struct file file);
		@@ -1707,6 +1716,7 @@ struct security_hook_heads {
		struct list_head inode_listsecurity;
		struct list_head inode_getsecid;
		struct list_head inode_copy_up;
		struct list_head inode_copy_up_xattr;
		struct list_head file_permission;
		struct list_head file_alloc_security;
		struct list_head file_free_security;

+6 −0

Original line number	Diff line number	Diff line
		@@ -283,6 +283,7 @@ int security_inode_setsecurity(struct inode inode, const char name, const void
		int security_inode_listsecurity(struct inode inode, char buffer, size_t buffer_size);
		void security_inode_getsecid(struct inode inode, u32 secid);
		int security_inode_copy_up(struct dentry src, struct cred *new);
		int security_inode_copy_up_xattr(const char *name);
		int security_file_permission(struct file *file, int mask);
		int security_file_alloc(struct file *file);
		void security_file_free(struct file *file);
		@@ -764,6 +765,11 @@ static inline int security_inode_copy_up(struct dentry src, struct cred *new)
		return 0;
		}

		static inline int security_inode_copy_up_xattr(const char *name)
		{
		return -EOPNOTSUPP;
		}

		static inline int security_file_permission(struct file *file, int mask)
		{
		return 0;

+8 −0

Original line number	Diff line number	Diff line
		@@ -754,6 +754,12 @@ int security_inode_copy_up(struct dentry src, struct cred *new)
		}
		EXPORT_SYMBOL(security_inode_copy_up);

		int security_inode_copy_up_xattr(const char *name)
		{
		return call_int_hook(inode_copy_up_xattr, -EOPNOTSUPP, name);
		}
		EXPORT_SYMBOL(security_inode_copy_up_xattr);

		int security_file_permission(struct file *file, int mask)
		{
		int ret;
		@@ -1692,6 +1698,8 @@ struct security_hook_heads security_hook_heads = {
		LIST_HEAD_INIT(security_hook_heads.inode_getsecid),
		.inode_copy_up =
		LIST_HEAD_INIT(security_hook_heads.inode_copy_up),
		.inode_copy_up_xattr =
		LIST_HEAD_INIT(security_hook_heads.inode_copy_up_xattr),
		.file_permission =
		LIST_HEAD_INIT(security_hook_heads.file_permission),
		.file_alloc_security =