| Field | Value | Date |
|---|---|---|
| author | Vivek Goyal <vgoyal@redhat.com> | 2016-07-13 11:13:56 -0400 |
| committer | Paul Moore <paul@paul-moore.com> | 2016-08-08 20:06:53 -0400 |
| commit | d8ad8b49618410ddeafd78465b63a6cedd6c9484 (patch) | |
| tree | 7e03ed05fdfae31da74e34856d2f9c718f896c6e /security | |
| parent | 8b31f456c72e53ee97474a538bcd91bfb1b93fb7 (diff) | |
security, overlayfs: provide copy up security hook for unioned files
Provide a security hook to label a new file correctly when a file is copied
up from the lower layer to the upper layer of an overlay/union mount.
This hook can prepare a new set of creds which are suitable for new file
creation during copy up. The caller will use the new creds to create the file,
then revert to the old creds and release the new creds.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
[PM: whitespace cleanup to appease checkpatch.pl]
Signed-off-by: Paul Moore <paul@paul-moore.com>
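The cred lifecycle the commit message describes (hook prepares new creds, caller creates the file under them, reverts, releases) is easy to get subtly wrong on the error path. The following is an added userspace model written for this page; it is not code from the commit, from overlayfs or from the kernel. It mimics the semantics of the real prepare_creds()/override_creds()/revert_creds()/put_cred() with a toy refcounted struct, models the LSM hook list with the call_int_hook() rule that the first non-zero return wins, and shows a hypothetical labelling module, a hypothetical failing module, and a caller that stays leak-free in all three cases (module labels the file, no module implements the hook, a later module fails after an earlier one allocated). The labels, the hook list, `label_from_lower`, `hook_fails`, `ovl_copy_up_create` and the caller's `put_cred()` on the error path are all assumptions of this example, not something the patch specifies.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Userspace model (not kernel code) of the copy-up cred lifecycle.
 * Labels, the hook list and the error-path put_cred() are assumed. */
#define LABEL_LEN 64

struct cred {
    int usage;              /* reference count, like cred->usage */
    char label[LABEL_LEN];  /* stand-in for the LSM security blob */
};

struct dentry {             /* the lower-layer file being copied up */
    char label[LABEL_LEN];
};

static struct cred init_cred = { 1, "system_u:system_r:init_t" };
static struct cred *current_cred = &init_cred;
static int live_creds;      /* heap creds not yet freed; must return to 0 */

static struct cred *get_cred(struct cred *c) { c->usage++; return c; }

static void put_cred(struct cred *c)
{
    if (--c->usage == 0 && c != &init_cred) {
        free(c);
        live_creds--;
    }
}

/* Copy of the current creds holding one reference, like prepare_creds(). */
static struct cred *prepare_creds(void)
{
    struct cred *c = malloc(sizeof(*c));
    if (!c)
        return NULL;
    *c = *current_cred;
    c->usage = 1;
    live_creds++;
    return c;
}

/* override_creds() takes a reference on new and returns the displaced creds;
 * revert_creds() drops that reference and reinstalls the old ones. */
static struct cred *override_creds(struct cred *new)
{
    struct cred *old = current_cred;
    current_cred = get_cred(new);
    return old;
}

static void revert_creds(struct cred *old)
{
    struct cred *over = current_cred;
    current_cred = old;
    put_cred(over);
}

/* Hook list with call_int_hook() semantics: first non-zero return wins. */
typedef int (*copy_up_hook)(struct dentry *src, struct cred **new);
static copy_up_hook hooks[4];
static int nhooks;

static void reset_hooks(void) { nhooks = 0; }
static void register_hook(copy_up_hook h) { hooks[nhooks++] = h; }

static int security_inode_copy_up(struct dentry *src, struct cred **new)
{
    for (int i = 0; i < nhooks; i++) {
        int rc = hooks[i](src, new);
        if (rc)
            return rc;
    }
    return 0;   /* default when no module implements the hook */
}

/* Hypothetical module: create the upper file with the lower file's label. */
static int label_from_lower(struct dentry *src, struct cred **new)
{
    struct cred *c = prepare_creds();
    if (!c)
        return -ENOMEM;
    snprintf(c->label, LABEL_LEN, "%s", src->label);
    *new = c;
    return 0;
}

/* Hypothetical second module that fails after the first one allocated. */
static int hook_fails(struct dentry *src, struct cred **new)
{
    (void)src; (void)new;
    return -ENOMEM;
}

/* The copy-up caller: run the hook, create under new creds, revert, release.
 * out_label receives the label the "created" file inherits from its creator. */
static int ovl_copy_up_create(struct dentry *src, char *out_label)
{
    struct cred *new = NULL, *old = NULL;
    int err = security_inode_copy_up(src, &new);

    if (err) {
        if (new)            /* assumed: caller frees what an earlier module built */
            put_cred(new);
        return err;
    }
    if (new)
        old = override_creds(new);
    snprintf(out_label, LABEL_LEN, "%s", current_cred->label); /* "create" */
    if (new) {
        revert_creds(old);
        put_cred(new);      /* drop the prepare_creds() reference */
    }
    return 0;
}

int main(void)
{
    struct dentry lower = { "system_u:object_r:etc_t" };
    char label[LABEL_LEN];

    register_hook(label_from_lower);
    ovl_copy_up_create(&lower, label);
    printf("upper label: %s, current: %s, leaked creds: %d\n",
           label, current_cred->label, live_creds);
    return 0;
}
```

The invariant to check after every path is that `current_cred` is back to what it was and `live_creds` is zero; the third scenario in the test is the one a stacked-LSM configuration would hit, where the first module has already stored a cred in `*new` before the second returns an error.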
Diffstat (limited to 'security')

| Mode | File | Lines |
|---|---|---|
| -rw-r--r-- | security/security.c | 8 |

1 file changed, 8 insertions, 0 deletions
diff --git a/security/security.c b/security/security.c index 4838e7f..f2a7f27 100644 --- a/security/security.c +++ b/security/security.c @@ -748,6 +748,12 @@ void security_inode_getsecid(struct inode *inode, u32 *secid) call_void_hook(inode_getsecid, inode, secid); } +int security_inode_copy_up(struct dentry *src, struct cred **new) +{ + return call_int_hook(inode_copy_up, 0, src, new); +} +EXPORT_SYMBOL(security_inode_copy_up); + int security_file_permission(struct file *file, int mask) { int ret; @@ -1684,6 +1690,8 @@ struct security_hook_heads security_hook_heads = { LIST_HEAD_INIT(security_hook_heads.inode_listsecurity), .inode_getsecid = LIST_HEAD_INIT(security_hook_heads.inode_getsecid), + .inode_copy_up = + LIST_HEAD_INIT(security_hook_heads.inode_copy_up), .file_permission = LIST_HEAD_INIT(security_hook_heads.file_permission), .file_alloc_security = |
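Review bot: in the security_inode_copy_up() hunk, call_int_hook() returns at the first non-zero rc, so with stacked modules a cred that an earlier module has already stored in *new is left for the caller to release on the error path, and the hunk does not document who owns *new when the hook fails, nor that *new is left untouched (default return 0) when no module implements the hook. Suggest stating the contract next to the definition, for example that callers initialise *new to NULL and put_cred() it on any error, or that a module must not leave an allocated cred behind when returning non-zero. EXPORT_SYMBOL() matches the neighbouring exports in security.c, so no objection there.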
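Review bot: the security_hook_heads hunk only initialises the new list head; the matching inode_copy_up member of struct security_hook_heads and of the security_list_options union in include/linux/lsm_hooks.h, together with its kernel-doc entry, are not in this diff, and the diffstat is limited to 'security', so confirm the header change is part of the same commit or security.c will not build against it. Placing .inode_copy_up after .inode_getsecid is consistent with where security_inode_copy_up() was inserted in the first hunk.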