summaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorVivek Goyal <vgoyal@redhat.com>2016-07-13 17:13:56 +0200
committerPaul Moore <paul@paul-moore.com>2016-08-09 02:06:53 +0200
commitd8ad8b49618410ddeafd78465b63a6cedd6c9484 (patch)
tree7e03ed05fdfae31da74e34856d2f9c718f896c6e /security
parentselinux: print leading 0x on ioctlcmd audits (diff)
downloadlinux-d8ad8b49618410ddeafd78465b63a6cedd6c9484.tar.xz
linux-d8ad8b49618410ddeafd78465b63a6cedd6c9484.zip
security, overlayfs: provide copy up security hook for unioned files
Provide a security hook to label new file correctly when a file is copied up from lower layer to upper layer of a overlay/union mount. This hook can prepare a new set of creds which are suitable for new file creation during copy up. Caller will use new creds to create file and then revert back to old creds and release new creds. Signed-off-by: Vivek Goyal <vgoyal@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> [PM: whitespace cleanup to appease checkpatch.pl] Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security')
-rw-r--r--security/security.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/security/security.c b/security/security.c
index 4838e7fefa1f..f2a7f27bd3e9 100644
--- a/security/security.c
+++ b/security/security.c
@@ -748,6 +748,12 @@ void security_inode_getsecid(struct inode *inode, u32 *secid)
call_void_hook(inode_getsecid, inode, secid);
}
+int security_inode_copy_up(struct dentry *src, struct cred **new)
+{
+ return call_int_hook(inode_copy_up, 0, src, new);
+}
+EXPORT_SYMBOL(security_inode_copy_up);
+
int security_file_permission(struct file *file, int mask)
{
int ret;
@@ -1684,6 +1690,8 @@ struct security_hook_heads security_hook_heads = {
LIST_HEAD_INIT(security_hook_heads.inode_listsecurity),
.inode_getsecid =
LIST_HEAD_INIT(security_hook_heads.inode_getsecid),
+ .inode_copy_up =
+ LIST_HEAD_INIT(security_hook_heads.inode_copy_up),
.file_permission =
LIST_HEAD_INIT(security_hook_heads.file_permission),
.file_alloc_security =