summaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorVivek Goyal <vgoyal@redhat.com>2016-07-13 11:13:56 -0400
committerPaul Moore <paul@paul-moore.com>2016-08-08 20:06:53 -0400
commitd8ad8b49618410ddeafd78465b63a6cedd6c9484 (patch)
tree7e03ed05fdfae31da74e34856d2f9c718f896c6e /security
parent8b31f456c72e53ee97474a538bcd91bfb1b93fb7 (diff)
downloadop-kernel-dev-d8ad8b49618410ddeafd78465b63a6cedd6c9484.zip
op-kernel-dev-d8ad8b49618410ddeafd78465b63a6cedd6c9484.tar.gz
security, overlayfs: provide copy up security hook for unioned files
Provide a security hook to label new file correctly when a file is copied up from lower layer to upper layer of a overlay/union mount. This hook can prepare a new set of creds which are suitable for new file creation during copy up. Caller will use new creds to create file and then revert back to old creds and release new creds. Signed-off-by: Vivek Goyal <vgoyal@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> [PM: whitespace cleanup to appease checkpatch.pl] Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security')
-rw-r--r--security/security.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/security/security.c b/security/security.c
index 4838e7f..f2a7f27 100644
--- a/security/security.c
+++ b/security/security.c
@@ -748,6 +748,12 @@ void security_inode_getsecid(struct inode *inode, u32 *secid)
call_void_hook(inode_getsecid, inode, secid);
}
+int security_inode_copy_up(struct dentry *src, struct cred **new)
+{
+ return call_int_hook(inode_copy_up, 0, src, new);
+}
+EXPORT_SYMBOL(security_inode_copy_up);
+
int security_file_permission(struct file *file, int mask)
{
int ret;
@@ -1684,6 +1690,8 @@ struct security_hook_heads security_hook_heads = {
LIST_HEAD_INIT(security_hook_heads.inode_listsecurity),
.inode_getsecid =
LIST_HEAD_INIT(security_hook_heads.inode_getsecid),
+ .inode_copy_up =
+ LIST_HEAD_INIT(security_hook_heads.inode_copy_up),
.file_permission =
LIST_HEAD_INIT(security_hook_heads.file_permission),
.file_alloc_security =
OpenPOWER on IntegriCloud