Commit 7e135dc7 authored by Roberto Sassu's avatar Roberto Sassu Committed by Mimi Zohar
Browse files

evm: Pass user namespace to set/remove xattr hooks 



In preparation for 'evm: Allow setxattr() and setattr() for unmodified
metadata', this patch passes mnt_userns to the inode set/remove xattr hooks
so that the GID of the inode on an idmapped mount is correctly determined
by posix_acl_update_mode().

Signed-off-by: default avatarRoberto Sassu <roberto.sassu@huawei.com>
Reviewed-by: default avatarChristian Brauner <christian.brauner@ubuntu.com>
Cc: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: default avatarMimi Zohar <zohar@linux.ibm.com>
parent cdef685b

include/linux/evm.h

+8 −4
Original line number Diff line number Diff line
@@ -23,13 +23,15 @@ extern enum integrity_status evm_verifyxattr(struct dentry *dentry, 
					     struct integrity_iint_cache *iint);

extern int evm_inode_setattr(struct dentry *dentry, struct iattr *attr);

extern void evm_inode_post_setattr(struct dentry *dentry, int ia_valid);

extern int evm_inode_setxattr(struct dentry *dentry, const char *name,

extern int evm_inode_setxattr(struct user_namespace *mnt_userns,

			      struct dentry *dentry, const char *name,

			      const void *value, size_t size);

extern void evm_inode_post_setxattr(struct dentry *dentry,

				    const char *xattr_name,

				    const void *xattr_value,

				    size_t xattr_value_len);

extern int evm_inode_removexattr(struct dentry *dentry, const char *xattr_name);

extern int evm_inode_removexattr(struct user_namespace *mnt_userns,

				 struct dentry *dentry, const char *xattr_name);

extern void evm_inode_post_removexattr(struct dentry *dentry,

				       const char *xattr_name);

extern int evm_inode_init_security(struct inode *inode,
@@ -72,7 +74,8 @@ static inline void evm_inode_post_setattr(struct dentry *dentry, int ia_valid) 
	return;

}



static inline int evm_inode_setxattr(struct dentry *dentry, const char *name,

static inline int evm_inode_setxattr(struct user_namespace *mnt_userns,

				     struct dentry *dentry, const char *name,

				     const void *value, size_t size)

{

	return 0;
@@ -86,7 +89,8 @@ static inline void evm_inode_post_setxattr(struct dentry *dentry, 
	return;

}



static inline int evm_inode_removexattr(struct dentry *dentry,

static inline int evm_inode_removexattr(struct user_namespace *mnt_userns,

					struct dentry *dentry,

					const char *xattr_name)

{

	return 0;

security/integrity/evm/evm_main.c

+11 −6
Original line number Diff line number Diff line
@@ -342,7 +342,8 @@ static enum integrity_status evm_verify_current_integrity(struct dentry *dentry) 
 * For posix xattr acls only, permit security.evm, even if it currently

 * doesn't exist, to be updated unless the EVM signature is immutable.

 */

static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name,

static int evm_protect_xattr(struct user_namespace *mnt_userns,

			     struct dentry *dentry, const char *xattr_name,

			     const void *xattr_value, size_t xattr_value_len)

{

	enum integrity_status evm_status;
@@ -406,6 +407,7 @@ static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name, 


/**

 * evm_inode_setxattr - protect the EVM extended attribute

 * @mnt_userns: user namespace of the idmapped mount

 * @dentry: pointer to the affected dentry

 * @xattr_name: pointer to the affected extended attribute name

 * @xattr_value: pointer to the new extended attribute value
@@ -417,8 +419,9 @@ static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name, 
 * userspace from writing HMAC value.  Writing 'security.evm' requires

 * requires CAP_SYS_ADMIN privileges.

 */

int evm_inode_setxattr(struct dentry *dentry, const char *xattr_name,

		       const void *xattr_value, size_t xattr_value_len)

int evm_inode_setxattr(struct user_namespace *mnt_userns, struct dentry *dentry,

		       const char *xattr_name, const void *xattr_value,

		       size_t xattr_value_len)

{

	const struct evm_ima_xattr_data *xattr_data = xattr_value;
@@ -435,19 +438,21 @@ int evm_inode_setxattr(struct dentry *dentry, const char *xattr_name, 
		    xattr_data->type != EVM_XATTR_PORTABLE_DIGSIG)

			return -EPERM;

	}

	return evm_protect_xattr(dentry, xattr_name, xattr_value,

	return evm_protect_xattr(mnt_userns, dentry, xattr_name, xattr_value,

				 xattr_value_len);

}



/**

 * evm_inode_removexattr - protect the EVM extended attribute

 * @mnt_userns: user namespace of the idmapped mount

 * @dentry: pointer to the affected dentry

 * @xattr_name: pointer to the affected extended attribute name

 *

 * Removing 'security.evm' requires CAP_SYS_ADMIN privileges and that

 * the current value is valid.

 */

int evm_inode_removexattr(struct dentry *dentry, const char *xattr_name)

int evm_inode_removexattr(struct user_namespace *mnt_userns,

			  struct dentry *dentry, const char *xattr_name)

{

	/* Policy permits modification of the protected xattrs even though

	 * there's no HMAC key loaded
@@ -455,7 +460,7 @@ int evm_inode_removexattr(struct dentry *dentry, const char *xattr_name) 
	if (evm_initialized & EVM_ALLOW_METADATA_WRITES)

		return 0;



	return evm_protect_xattr(dentry, xattr_name, NULL, 0);

	return evm_protect_xattr(mnt_userns, dentry, xattr_name, NULL, 0);

}



static void evm_reset_status(struct inode *inode)

security/security.c

+2 −2
Original line number Diff line number Diff line
@@ -1354,7 +1354,7 @@ int security_inode_setxattr(struct user_namespace *mnt_userns, 
	ret = ima_inode_setxattr(dentry, name, value, size);

	if (ret)

		return ret;

	return evm_inode_setxattr(dentry, name, value, size);

	return evm_inode_setxattr(mnt_userns, dentry, name, value, size);

}



void security_inode_post_setxattr(struct dentry *dentry, const char *name,
@@ -1399,7 +1399,7 @@ int security_inode_removexattr(struct user_namespace *mnt_userns, 
	ret = ima_inode_removexattr(dentry, name);

	if (ret)

		return ret;

	return evm_inode_removexattr(dentry, name);

	return evm_inode_removexattr(mnt_userns, dentry, name);

}



int security_inode_need_killpriv(struct dentry *dentry)