commoncap: handle idmapped mounts
When interacting with user namespace and non-user namespace aware filesystem capabilities the vfs will perform various security checks to determine whether or not the filesystem capabilities can be used by the caller, whether they need to be removed and so on. The main infrastructure for this resides in the capability codepaths but they are called through the LSM security infrastructure even though they are not technically an LSM or optional. This extends the existing security hooks security_inode_removexattr(), security_inode_killpriv(), security_inode_getsecurity() to pass down the mount's user namespace and makes them aware of idmapped mounts. In order to actually get filesystem capabilities from disk the capability infrastructure exposes the get_vfs_caps_from_disk() helper. For user namespace aware filesystem capabilities a root uid is stored alongside the capabilities. In order to determine whether the caller can make use of the filesystem capability or whether it needs to be ignored it is translated according to the superblock's user namespace. If it can be translated to uid 0 according to that id mapping the caller can use the filesystem capabilities stored on disk. If we are accessing the inode that holds the filesystem capabilities through an idmapped mount we map the root uid according to the mount's user namespace. Afterwards the checks are identical to non-idmapped mounts: reading filesystem caps from disk enforces that the root uid associated with the filesystem capability must have a mapping in the superblock's user namespace and that the caller is either in the same user namespace or is a descendant of the superblock's user namespace. For filesystems that are mountable inside user namespace the caller can just mount the filesystem and won't usually need to idmap it. If they do want to idmap it they can create an idmapped mount and mark it with a user namespace they created and which is thus a descendant of s_user_ns. For filesystems that are not mountable inside user namespaces the descendant rule is trivially true because the s_user_ns will be the initial user namespace. If the initial user namespace is passed nothing changes so non-idmapped mounts will see identical behavior as before. Link: https://lore.kernel.org/r/20210121131959.646623-11-christian.brauner@ubuntu.com Cc: Christoph Hellwig <hch@lst.de> Cc: David Howells <dhowells@redhat.com> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: linux-fsdevel@vger.kernel.org Reviewed-by: Christoph Hellwig <hch@lst.de> Acked-by: James Morris <jamorris@linux.microsoft.com> Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
This commit is contained in:
parent
c7c7a1a18a
commit
71bc356f93
|
@ -143,7 +143,7 @@ kill_priv:
|
||||||
if (ia_valid & ATTR_KILL_PRIV) {
|
if (ia_valid & ATTR_KILL_PRIV) {
|
||||||
int error;
|
int error;
|
||||||
|
|
||||||
error = security_inode_killpriv(dentry);
|
error = security_inode_killpriv(mnt_userns, dentry);
|
||||||
if (error)
|
if (error)
|
||||||
return error;
|
return error;
|
||||||
}
|
}
|
||||||
|
|
18
fs/xattr.c
18
fs/xattr.c
|
@ -262,7 +262,8 @@ __vfs_setxattr_locked(struct user_namespace *mnt_userns, struct dentry *dentry,
|
||||||
if (error)
|
if (error)
|
||||||
return error;
|
return error;
|
||||||
|
|
||||||
error = security_inode_setxattr(dentry, name, value, size, flags);
|
error = security_inode_setxattr(mnt_userns, dentry, name, value, size,
|
||||||
|
flags);
|
||||||
if (error)
|
if (error)
|
||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
|
@ -313,18 +314,20 @@ retry_deleg:
|
||||||
EXPORT_SYMBOL_GPL(vfs_setxattr);
|
EXPORT_SYMBOL_GPL(vfs_setxattr);
|
||||||
|
|
||||||
static ssize_t
|
static ssize_t
|
||||||
xattr_getsecurity(struct inode *inode, const char *name, void *value,
|
xattr_getsecurity(struct user_namespace *mnt_userns, struct inode *inode,
|
||||||
size_t size)
|
const char *name, void *value, size_t size)
|
||||||
{
|
{
|
||||||
void *buffer = NULL;
|
void *buffer = NULL;
|
||||||
ssize_t len;
|
ssize_t len;
|
||||||
|
|
||||||
if (!value || !size) {
|
if (!value || !size) {
|
||||||
len = security_inode_getsecurity(inode, name, &buffer, false);
|
len = security_inode_getsecurity(mnt_userns, inode, name,
|
||||||
|
&buffer, false);
|
||||||
goto out_noalloc;
|
goto out_noalloc;
|
||||||
}
|
}
|
||||||
|
|
||||||
len = security_inode_getsecurity(inode, name, &buffer, true);
|
len = security_inode_getsecurity(mnt_userns, inode, name, &buffer,
|
||||||
|
true);
|
||||||
if (len < 0)
|
if (len < 0)
|
||||||
return len;
|
return len;
|
||||||
if (size < len) {
|
if (size < len) {
|
||||||
|
@ -414,7 +417,8 @@ vfs_getxattr(struct user_namespace *mnt_userns, struct dentry *dentry,
|
||||||
if (!strncmp(name, XATTR_SECURITY_PREFIX,
|
if (!strncmp(name, XATTR_SECURITY_PREFIX,
|
||||||
XATTR_SECURITY_PREFIX_LEN)) {
|
XATTR_SECURITY_PREFIX_LEN)) {
|
||||||
const char *suffix = name + XATTR_SECURITY_PREFIX_LEN;
|
const char *suffix = name + XATTR_SECURITY_PREFIX_LEN;
|
||||||
int ret = xattr_getsecurity(inode, suffix, value, size);
|
int ret = xattr_getsecurity(mnt_userns, inode, suffix, value,
|
||||||
|
size);
|
||||||
/*
|
/*
|
||||||
* Only overwrite the return value if a security module
|
* Only overwrite the return value if a security module
|
||||||
* is actually active.
|
* is actually active.
|
||||||
|
@ -486,7 +490,7 @@ __vfs_removexattr_locked(struct user_namespace *mnt_userns,
|
||||||
if (error)
|
if (error)
|
||||||
return error;
|
return error;
|
||||||
|
|
||||||
error = security_inode_removexattr(dentry, name);
|
error = security_inode_removexattr(mnt_userns, dentry, name);
|
||||||
if (error)
|
if (error)
|
||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
|
|
|
@ -271,7 +271,9 @@ static inline bool checkpoint_restore_ns_capable(struct user_namespace *ns)
|
||||||
}
|
}
|
||||||
|
|
||||||
/* audit system wants to get cap info from files as well */
|
/* audit system wants to get cap info from files as well */
|
||||||
extern int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps);
|
int get_vfs_caps_from_disk(struct user_namespace *mnt_userns,
|
||||||
|
const struct dentry *dentry,
|
||||||
|
struct cpu_vfs_cap_data *cpu_caps);
|
||||||
|
|
||||||
int cap_convert_nscap(struct user_namespace *mnt_userns, struct dentry *dentry,
|
int cap_convert_nscap(struct user_namespace *mnt_userns, struct dentry *dentry,
|
||||||
const void **ivalue, size_t size);
|
const void **ivalue, size_t size);
|
||||||
|
|
|
@ -133,17 +133,20 @@ LSM_HOOK(int, 0, inode_follow_link, struct dentry *dentry, struct inode *inode,
|
||||||
LSM_HOOK(int, 0, inode_permission, struct inode *inode, int mask)
|
LSM_HOOK(int, 0, inode_permission, struct inode *inode, int mask)
|
||||||
LSM_HOOK(int, 0, inode_setattr, struct dentry *dentry, struct iattr *attr)
|
LSM_HOOK(int, 0, inode_setattr, struct dentry *dentry, struct iattr *attr)
|
||||||
LSM_HOOK(int, 0, inode_getattr, const struct path *path)
|
LSM_HOOK(int, 0, inode_getattr, const struct path *path)
|
||||||
LSM_HOOK(int, 0, inode_setxattr, struct dentry *dentry, const char *name,
|
LSM_HOOK(int, 0, inode_setxattr, struct user_namespace *mnt_userns,
|
||||||
const void *value, size_t size, int flags)
|
struct dentry *dentry, const char *name, const void *value,
|
||||||
|
size_t size, int flags)
|
||||||
LSM_HOOK(void, LSM_RET_VOID, inode_post_setxattr, struct dentry *dentry,
|
LSM_HOOK(void, LSM_RET_VOID, inode_post_setxattr, struct dentry *dentry,
|
||||||
const char *name, const void *value, size_t size, int flags)
|
const char *name, const void *value, size_t size, int flags)
|
||||||
LSM_HOOK(int, 0, inode_getxattr, struct dentry *dentry, const char *name)
|
LSM_HOOK(int, 0, inode_getxattr, struct dentry *dentry, const char *name)
|
||||||
LSM_HOOK(int, 0, inode_listxattr, struct dentry *dentry)
|
LSM_HOOK(int, 0, inode_listxattr, struct dentry *dentry)
|
||||||
LSM_HOOK(int, 0, inode_removexattr, struct dentry *dentry, const char *name)
|
LSM_HOOK(int, 0, inode_removexattr, struct user_namespace *mnt_userns,
|
||||||
|
struct dentry *dentry, const char *name)
|
||||||
LSM_HOOK(int, 0, inode_need_killpriv, struct dentry *dentry)
|
LSM_HOOK(int, 0, inode_need_killpriv, struct dentry *dentry)
|
||||||
LSM_HOOK(int, 0, inode_killpriv, struct dentry *dentry)
|
LSM_HOOK(int, 0, inode_killpriv, struct user_namespace *mnt_userns,
|
||||||
LSM_HOOK(int, -EOPNOTSUPP, inode_getsecurity, struct inode *inode,
|
struct dentry *dentry)
|
||||||
const char *name, void **buffer, bool alloc)
|
LSM_HOOK(int, -EOPNOTSUPP, inode_getsecurity, struct user_namespace *mnt_userns,
|
||||||
|
struct inode *inode, const char *name, void **buffer, bool alloc)
|
||||||
LSM_HOOK(int, -EOPNOTSUPP, inode_setsecurity, struct inode *inode,
|
LSM_HOOK(int, -EOPNOTSUPP, inode_setsecurity, struct inode *inode,
|
||||||
const char *name, const void *value, size_t size, int flags)
|
const char *name, const void *value, size_t size, int flags)
|
||||||
LSM_HOOK(int, 0, inode_listsecurity, struct inode *inode, char *buffer,
|
LSM_HOOK(int, 0, inode_listsecurity, struct inode *inode, char *buffer,
|
||||||
|
|
|
@ -444,6 +444,7 @@
|
||||||
* @inode_killpriv:
|
* @inode_killpriv:
|
||||||
* The setuid bit is being removed. Remove similar security labels.
|
* The setuid bit is being removed. Remove similar security labels.
|
||||||
* Called with the dentry->d_inode->i_mutex held.
|
* Called with the dentry->d_inode->i_mutex held.
|
||||||
|
* @mnt_userns: user namespace of the mount
|
||||||
* @dentry is the dentry being changed.
|
* @dentry is the dentry being changed.
|
||||||
* Return 0 on success. If error is returned, then the operation
|
* Return 0 on success. If error is returned, then the operation
|
||||||
* causing setuid bit removal is failed.
|
* causing setuid bit removal is failed.
|
||||||
|
|
|
@ -145,13 +145,16 @@ extern int cap_capset(struct cred *new, const struct cred *old,
|
||||||
const kernel_cap_t *inheritable,
|
const kernel_cap_t *inheritable,
|
||||||
const kernel_cap_t *permitted);
|
const kernel_cap_t *permitted);
|
||||||
extern int cap_bprm_creds_from_file(struct linux_binprm *bprm, struct file *file);
|
extern int cap_bprm_creds_from_file(struct linux_binprm *bprm, struct file *file);
|
||||||
extern int cap_inode_setxattr(struct dentry *dentry, const char *name,
|
int cap_inode_setxattr(struct dentry *dentry, const char *name,
|
||||||
const void *value, size_t size, int flags);
|
const void *value, size_t size, int flags);
|
||||||
extern int cap_inode_removexattr(struct dentry *dentry, const char *name);
|
int cap_inode_removexattr(struct user_namespace *mnt_userns,
|
||||||
extern int cap_inode_need_killpriv(struct dentry *dentry);
|
struct dentry *dentry, const char *name);
|
||||||
extern int cap_inode_killpriv(struct dentry *dentry);
|
int cap_inode_need_killpriv(struct dentry *dentry);
|
||||||
extern int cap_inode_getsecurity(struct inode *inode, const char *name,
|
int cap_inode_killpriv(struct user_namespace *mnt_userns,
|
||||||
void **buffer, bool alloc);
|
struct dentry *dentry);
|
||||||
|
int cap_inode_getsecurity(struct user_namespace *mnt_userns,
|
||||||
|
struct inode *inode, const char *name, void **buffer,
|
||||||
|
bool alloc);
|
||||||
extern int cap_mmap_addr(unsigned long addr);
|
extern int cap_mmap_addr(unsigned long addr);
|
||||||
extern int cap_mmap_file(struct file *file, unsigned long reqprot,
|
extern int cap_mmap_file(struct file *file, unsigned long reqprot,
|
||||||
unsigned long prot, unsigned long flags);
|
unsigned long prot, unsigned long flags);
|
||||||
|
@ -345,16 +348,21 @@ int security_inode_follow_link(struct dentry *dentry, struct inode *inode,
|
||||||
int security_inode_permission(struct inode *inode, int mask);
|
int security_inode_permission(struct inode *inode, int mask);
|
||||||
int security_inode_setattr(struct dentry *dentry, struct iattr *attr);
|
int security_inode_setattr(struct dentry *dentry, struct iattr *attr);
|
||||||
int security_inode_getattr(const struct path *path);
|
int security_inode_getattr(const struct path *path);
|
||||||
int security_inode_setxattr(struct dentry *dentry, const char *name,
|
int security_inode_setxattr(struct user_namespace *mnt_userns,
|
||||||
|
struct dentry *dentry, const char *name,
|
||||||
const void *value, size_t size, int flags);
|
const void *value, size_t size, int flags);
|
||||||
void security_inode_post_setxattr(struct dentry *dentry, const char *name,
|
void security_inode_post_setxattr(struct dentry *dentry, const char *name,
|
||||||
const void *value, size_t size, int flags);
|
const void *value, size_t size, int flags);
|
||||||
int security_inode_getxattr(struct dentry *dentry, const char *name);
|
int security_inode_getxattr(struct dentry *dentry, const char *name);
|
||||||
int security_inode_listxattr(struct dentry *dentry);
|
int security_inode_listxattr(struct dentry *dentry);
|
||||||
int security_inode_removexattr(struct dentry *dentry, const char *name);
|
int security_inode_removexattr(struct user_namespace *mnt_userns,
|
||||||
|
struct dentry *dentry, const char *name);
|
||||||
int security_inode_need_killpriv(struct dentry *dentry);
|
int security_inode_need_killpriv(struct dentry *dentry);
|
||||||
int security_inode_killpriv(struct dentry *dentry);
|
int security_inode_killpriv(struct user_namespace *mnt_userns,
|
||||||
int security_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc);
|
struct dentry *dentry);
|
||||||
|
int security_inode_getsecurity(struct user_namespace *mnt_userns,
|
||||||
|
struct inode *inode, const char *name,
|
||||||
|
void **buffer, bool alloc);
|
||||||
int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags);
|
int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags);
|
||||||
int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size);
|
int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size);
|
||||||
void security_inode_getsecid(struct inode *inode, u32 *secid);
|
void security_inode_getsecid(struct inode *inode, u32 *secid);
|
||||||
|
@ -831,8 +839,9 @@ static inline int security_inode_getattr(const struct path *path)
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
static inline int security_inode_setxattr(struct dentry *dentry,
|
static inline int security_inode_setxattr(struct user_namespace *mnt_userns,
|
||||||
const char *name, const void *value, size_t size, int flags)
|
struct dentry *dentry, const char *name, const void *value,
|
||||||
|
size_t size, int flags)
|
||||||
{
|
{
|
||||||
return cap_inode_setxattr(dentry, name, value, size, flags);
|
return cap_inode_setxattr(dentry, name, value, size, flags);
|
||||||
}
|
}
|
||||||
|
@ -852,10 +861,11 @@ static inline int security_inode_listxattr(struct dentry *dentry)
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
static inline int security_inode_removexattr(struct dentry *dentry,
|
static inline int security_inode_removexattr(struct user_namespace *mnt_userns,
|
||||||
const char *name)
|
struct dentry *dentry,
|
||||||
|
const char *name)
|
||||||
{
|
{
|
||||||
return cap_inode_removexattr(dentry, name);
|
return cap_inode_removexattr(mnt_userns, dentry, name);
|
||||||
}
|
}
|
||||||
|
|
||||||
static inline int security_inode_need_killpriv(struct dentry *dentry)
|
static inline int security_inode_need_killpriv(struct dentry *dentry)
|
||||||
|
@ -863,14 +873,18 @@ static inline int security_inode_need_killpriv(struct dentry *dentry)
|
||||||
return cap_inode_need_killpriv(dentry);
|
return cap_inode_need_killpriv(dentry);
|
||||||
}
|
}
|
||||||
|
|
||||||
static inline int security_inode_killpriv(struct dentry *dentry)
|
static inline int security_inode_killpriv(struct user_namespace *mnt_userns,
|
||||||
|
struct dentry *dentry)
|
||||||
{
|
{
|
||||||
return cap_inode_killpriv(dentry);
|
return cap_inode_killpriv(mnt_userns, dentry);
|
||||||
}
|
}
|
||||||
|
|
||||||
static inline int security_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
|
static inline int security_inode_getsecurity(struct user_namespace *mnt_userns,
|
||||||
|
struct inode *inode,
|
||||||
|
const char *name, void **buffer,
|
||||||
|
bool alloc)
|
||||||
{
|
{
|
||||||
return cap_inode_getsecurity(inode, name, buffer, alloc);
|
return cap_inode_getsecurity(mnt_userns, inode, name, buffer, alloc);
|
||||||
}
|
}
|
||||||
|
|
||||||
static inline int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags)
|
static inline int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags)
|
||||||
|
|
|
@ -1930,7 +1930,7 @@ static inline int audit_copy_fcaps(struct audit_names *name,
|
||||||
if (!dentry)
|
if (!dentry)
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
rc = get_vfs_caps_from_disk(dentry, &caps);
|
rc = get_vfs_caps_from_disk(&init_user_ns, dentry, &caps);
|
||||||
if (rc)
|
if (rc)
|
||||||
return rc;
|
return rc;
|
||||||
|
|
||||||
|
@ -2481,7 +2481,8 @@ int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
|
||||||
ax->d.next = context->aux;
|
ax->d.next = context->aux;
|
||||||
context->aux = (void *)ax;
|
context->aux = (void *)ax;
|
||||||
|
|
||||||
get_vfs_caps_from_disk(bprm->file->f_path.dentry, &vcaps);
|
get_vfs_caps_from_disk(&init_user_ns,
|
||||||
|
bprm->file->f_path.dentry, &vcaps);
|
||||||
|
|
||||||
ax->fcap.permitted = vcaps.permitted;
|
ax->fcap.permitted = vcaps.permitted;
|
||||||
ax->fcap.inheritable = vcaps.inheritable;
|
ax->fcap.inheritable = vcaps.inheritable;
|
||||||
|
|
|
@ -303,17 +303,25 @@ int cap_inode_need_killpriv(struct dentry *dentry)
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* cap_inode_killpriv - Erase the security markings on an inode
|
* cap_inode_killpriv - Erase the security markings on an inode
|
||||||
* @dentry: The inode/dentry to alter
|
*
|
||||||
|
* @mnt_userns: user namespace of the mount the inode was found from
|
||||||
|
* @dentry: The inode/dentry to alter
|
||||||
*
|
*
|
||||||
* Erase the privilege-enhancing security markings on an inode.
|
* Erase the privilege-enhancing security markings on an inode.
|
||||||
*
|
*
|
||||||
|
* If the inode has been found through an idmapped mount the user namespace of
|
||||||
|
* the vfsmount must be passed through @mnt_userns. This function will then
|
||||||
|
* take care to map the inode according to @mnt_userns before checking
|
||||||
|
* permissions. On non-idmapped mounts or if permission checking is to be
|
||||||
|
* performed on the raw inode simply passs init_user_ns.
|
||||||
|
*
|
||||||
* Returns 0 if successful, -ve on error.
|
* Returns 0 if successful, -ve on error.
|
||||||
*/
|
*/
|
||||||
int cap_inode_killpriv(struct dentry *dentry)
|
int cap_inode_killpriv(struct user_namespace *mnt_userns, struct dentry *dentry)
|
||||||
{
|
{
|
||||||
int error;
|
int error;
|
||||||
|
|
||||||
error = __vfs_removexattr(&init_user_ns, dentry, XATTR_NAME_CAPS);
|
error = __vfs_removexattr(mnt_userns, dentry, XATTR_NAME_CAPS);
|
||||||
if (error == -EOPNOTSUPP)
|
if (error == -EOPNOTSUPP)
|
||||||
error = 0;
|
error = 0;
|
||||||
return error;
|
return error;
|
||||||
|
@ -366,7 +374,8 @@ static bool is_v3header(size_t size, const struct vfs_cap_data *cap)
|
||||||
* by the integrity subsystem, which really wants the unconverted values -
|
* by the integrity subsystem, which really wants the unconverted values -
|
||||||
* so that's good.
|
* so that's good.
|
||||||
*/
|
*/
|
||||||
int cap_inode_getsecurity(struct inode *inode, const char *name, void **buffer,
|
int cap_inode_getsecurity(struct user_namespace *mnt_userns,
|
||||||
|
struct inode *inode, const char *name, void **buffer,
|
||||||
bool alloc)
|
bool alloc)
|
||||||
{
|
{
|
||||||
int size, ret;
|
int size, ret;
|
||||||
|
@ -386,7 +395,7 @@ int cap_inode_getsecurity(struct inode *inode, const char *name, void **buffer,
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
|
|
||||||
size = sizeof(struct vfs_ns_cap_data);
|
size = sizeof(struct vfs_ns_cap_data);
|
||||||
ret = (int)vfs_getxattr_alloc(&init_user_ns, dentry, XATTR_NAME_CAPS,
|
ret = (int)vfs_getxattr_alloc(mnt_userns, dentry, XATTR_NAME_CAPS,
|
||||||
&tmpbuf, size, GFP_NOFS);
|
&tmpbuf, size, GFP_NOFS);
|
||||||
dput(dentry);
|
dput(dentry);
|
||||||
|
|
||||||
|
@ -412,6 +421,9 @@ int cap_inode_getsecurity(struct inode *inode, const char *name, void **buffer,
|
||||||
root = le32_to_cpu(nscap->rootid);
|
root = le32_to_cpu(nscap->rootid);
|
||||||
kroot = make_kuid(fs_ns, root);
|
kroot = make_kuid(fs_ns, root);
|
||||||
|
|
||||||
|
/* If this is an idmapped mount shift the kuid. */
|
||||||
|
kroot = kuid_into_mnt(mnt_userns, kroot);
|
||||||
|
|
||||||
/* If the root kuid maps to a valid uid in current ns, then return
|
/* If the root kuid maps to a valid uid in current ns, then return
|
||||||
* this as a nscap. */
|
* this as a nscap. */
|
||||||
mappedroot = from_kuid(current_user_ns(), kroot);
|
mappedroot = from_kuid(current_user_ns(), kroot);
|
||||||
|
@ -595,10 +607,24 @@ static inline int bprm_caps_from_vfs_caps(struct cpu_vfs_cap_data *caps,
|
||||||
return *effective ? ret : 0;
|
return *effective ? ret : 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/**
|
||||||
|
* get_vfs_caps_from_disk - retrieve vfs caps from disk
|
||||||
|
*
|
||||||
|
* @mnt_userns: user namespace of the mount the inode was found from
|
||||||
|
* @dentry: dentry from which @inode is retrieved
|
||||||
|
* @cpu_caps: vfs capabilities
|
||||||
|
*
|
||||||
* Extract the on-exec-apply capability sets for an executable file.
|
* Extract the on-exec-apply capability sets for an executable file.
|
||||||
|
*
|
||||||
|
* If the inode has been found through an idmapped mount the user namespace of
|
||||||
|
* the vfsmount must be passed through @mnt_userns. This function will then
|
||||||
|
* take care to map the inode according to @mnt_userns before checking
|
||||||
|
* permissions. On non-idmapped mounts or if permission checking is to be
|
||||||
|
* performed on the raw inode simply passs init_user_ns.
|
||||||
*/
|
*/
|
||||||
int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps)
|
int get_vfs_caps_from_disk(struct user_namespace *mnt_userns,
|
||||||
|
const struct dentry *dentry,
|
||||||
|
struct cpu_vfs_cap_data *cpu_caps)
|
||||||
{
|
{
|
||||||
struct inode *inode = d_backing_inode(dentry);
|
struct inode *inode = d_backing_inode(dentry);
|
||||||
__u32 magic_etc;
|
__u32 magic_etc;
|
||||||
|
@ -654,6 +680,7 @@ int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data
|
||||||
/* Limit the caps to the mounter of the filesystem
|
/* Limit the caps to the mounter of the filesystem
|
||||||
* or the more limited uid specified in the xattr.
|
* or the more limited uid specified in the xattr.
|
||||||
*/
|
*/
|
||||||
|
rootkuid = kuid_into_mnt(mnt_userns, rootkuid);
|
||||||
if (!rootid_owns_currentns(rootkuid))
|
if (!rootid_owns_currentns(rootkuid))
|
||||||
return -ENODATA;
|
return -ENODATA;
|
||||||
|
|
||||||
|
@ -699,7 +726,8 @@ static int get_file_caps(struct linux_binprm *bprm, struct file *file,
|
||||||
if (!current_in_userns(file->f_path.mnt->mnt_sb->s_user_ns))
|
if (!current_in_userns(file->f_path.mnt->mnt_sb->s_user_ns))
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
rc = get_vfs_caps_from_disk(file->f_path.dentry, &vcaps);
|
rc = get_vfs_caps_from_disk(file_mnt_user_ns(file),
|
||||||
|
file->f_path.dentry, &vcaps);
|
||||||
if (rc < 0) {
|
if (rc < 0) {
|
||||||
if (rc == -EINVAL)
|
if (rc == -EINVAL)
|
||||||
printk(KERN_NOTICE "Invalid argument reading file caps for %s\n",
|
printk(KERN_NOTICE "Invalid argument reading file caps for %s\n",
|
||||||
|
@ -964,16 +992,25 @@ int cap_inode_setxattr(struct dentry *dentry, const char *name,
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* cap_inode_removexattr - Determine whether an xattr may be removed
|
* cap_inode_removexattr - Determine whether an xattr may be removed
|
||||||
* @dentry: The inode/dentry being altered
|
*
|
||||||
* @name: The name of the xattr to be changed
|
* @mnt_userns: User namespace of the mount the inode was found from
|
||||||
|
* @dentry: The inode/dentry being altered
|
||||||
|
* @name: The name of the xattr to be changed
|
||||||
*
|
*
|
||||||
* Determine whether an xattr may be removed from an inode, returning 0 if
|
* Determine whether an xattr may be removed from an inode, returning 0 if
|
||||||
* permission is granted, -ve if denied.
|
* permission is granted, -ve if denied.
|
||||||
*
|
*
|
||||||
|
* If the inode has been found through an idmapped mount the user namespace of
|
||||||
|
* the vfsmount must be passed through @mnt_userns. This function will then
|
||||||
|
* take care to map the inode according to @mnt_userns before checking
|
||||||
|
* permissions. On non-idmapped mounts or if permission checking is to be
|
||||||
|
* performed on the raw inode simply passs init_user_ns.
|
||||||
|
*
|
||||||
* This is used to make sure security xattrs don't get removed by those who
|
* This is used to make sure security xattrs don't get removed by those who
|
||||||
* aren't privileged to remove them.
|
* aren't privileged to remove them.
|
||||||
*/
|
*/
|
||||||
int cap_inode_removexattr(struct dentry *dentry, const char *name)
|
int cap_inode_removexattr(struct user_namespace *mnt_userns,
|
||||||
|
struct dentry *dentry, const char *name)
|
||||||
{
|
{
|
||||||
struct user_namespace *user_ns = dentry->d_sb->s_user_ns;
|
struct user_namespace *user_ns = dentry->d_sb->s_user_ns;
|
||||||
|
|
||||||
|
@ -987,8 +1024,7 @@ int cap_inode_removexattr(struct dentry *dentry, const char *name)
|
||||||
struct inode *inode = d_backing_inode(dentry);
|
struct inode *inode = d_backing_inode(dentry);
|
||||||
if (!inode)
|
if (!inode)
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
if (!capable_wrt_inode_uidgid(&init_user_ns, inode,
|
if (!capable_wrt_inode_uidgid(mnt_userns, inode, CAP_SETFCAP))
|
||||||
CAP_SETFCAP))
|
|
||||||
return -EPERM;
|
return -EPERM;
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
|
@ -1280,7 +1280,8 @@ int security_inode_getattr(const struct path *path)
|
||||||
return call_int_hook(inode_getattr, 0, path);
|
return call_int_hook(inode_getattr, 0, path);
|
||||||
}
|
}
|
||||||
|
|
||||||
int security_inode_setxattr(struct dentry *dentry, const char *name,
|
int security_inode_setxattr(struct user_namespace *mnt_userns,
|
||||||
|
struct dentry *dentry, const char *name,
|
||||||
const void *value, size_t size, int flags)
|
const void *value, size_t size, int flags)
|
||||||
{
|
{
|
||||||
int ret;
|
int ret;
|
||||||
|
@ -1291,8 +1292,8 @@ int security_inode_setxattr(struct dentry *dentry, const char *name,
|
||||||
* SELinux and Smack integrate the cap call,
|
* SELinux and Smack integrate the cap call,
|
||||||
* so assume that all LSMs supplying this call do so.
|
* so assume that all LSMs supplying this call do so.
|
||||||
*/
|
*/
|
||||||
ret = call_int_hook(inode_setxattr, 1, dentry, name, value, size,
|
ret = call_int_hook(inode_setxattr, 1, mnt_userns, dentry, name, value,
|
||||||
flags);
|
size, flags);
|
||||||
|
|
||||||
if (ret == 1)
|
if (ret == 1)
|
||||||
ret = cap_inode_setxattr(dentry, name, value, size, flags);
|
ret = cap_inode_setxattr(dentry, name, value, size, flags);
|
||||||
|
@ -1327,7 +1328,8 @@ int security_inode_listxattr(struct dentry *dentry)
|
||||||
return call_int_hook(inode_listxattr, 0, dentry);
|
return call_int_hook(inode_listxattr, 0, dentry);
|
||||||
}
|
}
|
||||||
|
|
||||||
int security_inode_removexattr(struct dentry *dentry, const char *name)
|
int security_inode_removexattr(struct user_namespace *mnt_userns,
|
||||||
|
struct dentry *dentry, const char *name)
|
||||||
{
|
{
|
||||||
int ret;
|
int ret;
|
||||||
|
|
||||||
|
@ -1337,9 +1339,9 @@ int security_inode_removexattr(struct dentry *dentry, const char *name)
|
||||||
* SELinux and Smack integrate the cap call,
|
* SELinux and Smack integrate the cap call,
|
||||||
* so assume that all LSMs supplying this call do so.
|
* so assume that all LSMs supplying this call do so.
|
||||||
*/
|
*/
|
||||||
ret = call_int_hook(inode_removexattr, 1, dentry, name);
|
ret = call_int_hook(inode_removexattr, 1, mnt_userns, dentry, name);
|
||||||
if (ret == 1)
|
if (ret == 1)
|
||||||
ret = cap_inode_removexattr(dentry, name);
|
ret = cap_inode_removexattr(mnt_userns, dentry, name);
|
||||||
if (ret)
|
if (ret)
|
||||||
return ret;
|
return ret;
|
||||||
ret = ima_inode_removexattr(dentry, name);
|
ret = ima_inode_removexattr(dentry, name);
|
||||||
|
@ -1353,12 +1355,15 @@ int security_inode_need_killpriv(struct dentry *dentry)
|
||||||
return call_int_hook(inode_need_killpriv, 0, dentry);
|
return call_int_hook(inode_need_killpriv, 0, dentry);
|
||||||
}
|
}
|
||||||
|
|
||||||
int security_inode_killpriv(struct dentry *dentry)
|
int security_inode_killpriv(struct user_namespace *mnt_userns,
|
||||||
|
struct dentry *dentry)
|
||||||
{
|
{
|
||||||
return call_int_hook(inode_killpriv, 0, dentry);
|
return call_int_hook(inode_killpriv, 0, mnt_userns, dentry);
|
||||||
}
|
}
|
||||||
|
|
||||||
int security_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
|
int security_inode_getsecurity(struct user_namespace *mnt_userns,
|
||||||
|
struct inode *inode, const char *name,
|
||||||
|
void **buffer, bool alloc)
|
||||||
{
|
{
|
||||||
struct security_hook_list *hp;
|
struct security_hook_list *hp;
|
||||||
int rc;
|
int rc;
|
||||||
|
@ -1369,7 +1374,7 @@ int security_inode_getsecurity(struct inode *inode, const char *name, void **buf
|
||||||
* Only one module will provide an attribute with a given name.
|
* Only one module will provide an attribute with a given name.
|
||||||
*/
|
*/
|
||||||
hlist_for_each_entry(hp, &security_hook_heads.inode_getsecurity, list) {
|
hlist_for_each_entry(hp, &security_hook_heads.inode_getsecurity, list) {
|
||||||
rc = hp->hook.inode_getsecurity(inode, name, buffer, alloc);
|
rc = hp->hook.inode_getsecurity(mnt_userns, inode, name, buffer, alloc);
|
||||||
if (rc != LSM_RET_DEFAULT(inode_getsecurity))
|
if (rc != LSM_RET_DEFAULT(inode_getsecurity))
|
||||||
return rc;
|
return rc;
|
||||||
}
|
}
|
||||||
|
|
|
@ -3119,7 +3119,8 @@ static bool has_cap_mac_admin(bool audit)
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
|
static int selinux_inode_setxattr(struct user_namespace *mnt_userns,
|
||||||
|
struct dentry *dentry, const char *name,
|
||||||
const void *value, size_t size, int flags)
|
const void *value, size_t size, int flags)
|
||||||
{
|
{
|
||||||
struct inode *inode = d_backing_inode(dentry);
|
struct inode *inode = d_backing_inode(dentry);
|
||||||
|
@ -3140,13 +3141,13 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!selinux_initialized(&selinux_state))
|
if (!selinux_initialized(&selinux_state))
|
||||||
return (inode_owner_or_capable(&init_user_ns, inode) ? 0 : -EPERM);
|
return (inode_owner_or_capable(mnt_userns, inode) ? 0 : -EPERM);
|
||||||
|
|
||||||
sbsec = inode->i_sb->s_security;
|
sbsec = inode->i_sb->s_security;
|
||||||
if (!(sbsec->flags & SBLABEL_MNT))
|
if (!(sbsec->flags & SBLABEL_MNT))
|
||||||
return -EOPNOTSUPP;
|
return -EOPNOTSUPP;
|
||||||
|
|
||||||
if (!inode_owner_or_capable(&init_user_ns, inode))
|
if (!inode_owner_or_capable(mnt_userns, inode))
|
||||||
return -EPERM;
|
return -EPERM;
|
||||||
|
|
||||||
ad.type = LSM_AUDIT_DATA_DENTRY;
|
ad.type = LSM_AUDIT_DATA_DENTRY;
|
||||||
|
@ -3267,10 +3268,11 @@ static int selinux_inode_listxattr(struct dentry *dentry)
|
||||||
return dentry_has_perm(cred, dentry, FILE__GETATTR);
|
return dentry_has_perm(cred, dentry, FILE__GETATTR);
|
||||||
}
|
}
|
||||||
|
|
||||||
static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
|
static int selinux_inode_removexattr(struct user_namespace *mnt_userns,
|
||||||
|
struct dentry *dentry, const char *name)
|
||||||
{
|
{
|
||||||
if (strcmp(name, XATTR_NAME_SELINUX)) {
|
if (strcmp(name, XATTR_NAME_SELINUX)) {
|
||||||
int rc = cap_inode_removexattr(dentry, name);
|
int rc = cap_inode_removexattr(mnt_userns, dentry, name);
|
||||||
if (rc)
|
if (rc)
|
||||||
return rc;
|
return rc;
|
||||||
|
|
||||||
|
@ -3336,7 +3338,9 @@ static int selinux_path_notify(const struct path *path, u64 mask,
|
||||||
*
|
*
|
||||||
* Permission check is handled by selinux_inode_getxattr hook.
|
* Permission check is handled by selinux_inode_getxattr hook.
|
||||||
*/
|
*/
|
||||||
static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
|
static int selinux_inode_getsecurity(struct user_namespace *mnt_userns,
|
||||||
|
struct inode *inode, const char *name,
|
||||||
|
void **buffer, bool alloc)
|
||||||
{
|
{
|
||||||
u32 size;
|
u32 size;
|
||||||
int error;
|
int error;
|
||||||
|
@ -6533,8 +6537,8 @@ static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
|
||||||
static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
|
static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
|
||||||
{
|
{
|
||||||
int len = 0;
|
int len = 0;
|
||||||
len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
|
len = selinux_inode_getsecurity(&init_user_ns, inode,
|
||||||
ctx, true);
|
XATTR_SELINUX_SUFFIX, ctx, true);
|
||||||
if (len < 0)
|
if (len < 0)
|
||||||
return len;
|
return len;
|
||||||
*ctxlen = len;
|
*ctxlen = len;
|
||||||
|
|
|
@ -1240,7 +1240,8 @@ static int smack_inode_getattr(const struct path *path)
|
||||||
*
|
*
|
||||||
* Returns 0 if access is permitted, an error code otherwise
|
* Returns 0 if access is permitted, an error code otherwise
|
||||||
*/
|
*/
|
||||||
static int smack_inode_setxattr(struct dentry *dentry, const char *name,
|
static int smack_inode_setxattr(struct user_namespace *mnt_userns,
|
||||||
|
struct dentry *dentry, const char *name,
|
||||||
const void *value, size_t size, int flags)
|
const void *value, size_t size, int flags)
|
||||||
{
|
{
|
||||||
struct smk_audit_info ad;
|
struct smk_audit_info ad;
|
||||||
|
@ -1362,7 +1363,8 @@ static int smack_inode_getxattr(struct dentry *dentry, const char *name)
|
||||||
*
|
*
|
||||||
* Returns 0 if access is permitted, an error code otherwise
|
* Returns 0 if access is permitted, an error code otherwise
|
||||||
*/
|
*/
|
||||||
static int smack_inode_removexattr(struct dentry *dentry, const char *name)
|
static int smack_inode_removexattr(struct user_namespace *mnt_userns,
|
||||||
|
struct dentry *dentry, const char *name)
|
||||||
{
|
{
|
||||||
struct inode_smack *isp;
|
struct inode_smack *isp;
|
||||||
struct smk_audit_info ad;
|
struct smk_audit_info ad;
|
||||||
|
@ -1377,7 +1379,7 @@ static int smack_inode_removexattr(struct dentry *dentry, const char *name)
|
||||||
if (!smack_privileged(CAP_MAC_ADMIN))
|
if (!smack_privileged(CAP_MAC_ADMIN))
|
||||||
rc = -EPERM;
|
rc = -EPERM;
|
||||||
} else
|
} else
|
||||||
rc = cap_inode_removexattr(dentry, name);
|
rc = cap_inode_removexattr(mnt_userns, dentry, name);
|
||||||
|
|
||||||
if (rc != 0)
|
if (rc != 0)
|
||||||
return rc;
|
return rc;
|
||||||
|
@ -1420,9 +1422,9 @@ static int smack_inode_removexattr(struct dentry *dentry, const char *name)
|
||||||
*
|
*
|
||||||
* Returns the size of the attribute or an error code
|
* Returns the size of the attribute or an error code
|
||||||
*/
|
*/
|
||||||
static int smack_inode_getsecurity(struct inode *inode,
|
static int smack_inode_getsecurity(struct user_namespace *mnt_userns,
|
||||||
const char *name, void **buffer,
|
struct inode *inode, const char *name,
|
||||||
bool alloc)
|
void **buffer, bool alloc)
|
||||||
{
|
{
|
||||||
struct socket_smack *ssp;
|
struct socket_smack *ssp;
|
||||||
struct socket *sock;
|
struct socket *sock;
|
||||||
|
|
Loading…
Reference in New Issue