tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

commoncap: handle idmapped mounts

When interacting with user namespace and non-user namespace aware
filesystem capabilities the vfs will perform various security checks to
determine whether or not the filesystem capabilities can be used by the
caller, whether they need to be removed and so on. The main
infrastructure for this resides in the capability codepaths but they are
called through the LSM security infrastructure even though they are not
technically an LSM or optional. This extends the existing security hooks
security_inode_removexattr(), security_inode_killpriv(),
security_inode_getsecurity() to pass down the mount's user namespace and
makes them aware of idmapped mounts.

In order to actually get filesystem capabilities from disk the
capability infrastructure exposes the get_vfs_caps_from_disk() helper.
For user namespace aware filesystem capabilities a root uid is stored
alongside the capabilities.

In order to determine whether the caller can make use of the filesystem
capability or whether it needs to be ignored it is translated according
to the superblock's user namespace. If it can be translated to uid 0
according to that id mapping the caller can use the filesystem
capabilities stored on disk. If we are accessing the inode that holds
the filesystem capabilities through an idmapped mount we map the root
uid according to the mount's user namespace. Afterwards the checks are
identical to non-idmapped mounts: reading filesystem caps from disk
enforces that the root uid associated with the filesystem capability
must have a mapping in the superblock's user namespace and that the
caller is either in the same user namespace or is a descendant of the
superblock's user namespace. For filesystems that are mountable inside
user namespace the caller can just mount the filesystem and won't
usually need to idmap it. If they do want to idmap it they can create an
idmapped mount and mark it with a user namespace they created and which
is thus a descendant of s_user_ns. For filesystems that are not
mountable inside user namespaces the descendant rule is trivially true
because the s_user_ns will be the initial user namespace.

If the initial user namespace is passed nothing changes so non-idmapped
mounts will see identical behavior as before.

Link: https://lore.kernel.org/r/20210121131959.646623-11-christian.brauner@ubuntu.com
Cc: Christoph Hellwig <hch@lst.de>
Cc: David Howells <dhowells@redhat.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: linux-fsdevel@vger.kernel.org
Reviewed-by: Christoph Hellwig <hch@lst.de>
Acked-by: James Morris <jamorris@linux.microsoft.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Christian Brauner 71bc356f c7c7a1a1

+146 -74
+1 -1
fs/attr.c
··· 143 143 if (ia_valid & ATTR_KILL_PRIV) { 144 144 int error; 145 145 146 - error = security_inode_killpriv(dentry); 146 + error = security_inode_killpriv(mnt_userns, dentry); 147 147 if (error) 148 148 return error; 149 149 }
+11 -7
fs/xattr.c
··· 262 262 if (error) 263 263 return error; 264 264 265 - error = security_inode_setxattr(dentry, name, value, size, flags); 265 + error = security_inode_setxattr(mnt_userns, dentry, name, value, size, 266 + flags); 266 267 if (error) 267 268 goto out; 268 269 ··· 314 313 EXPORT_SYMBOL_GPL(vfs_setxattr); 315 314 316 315 static ssize_t 317 - xattr_getsecurity(struct inode *inode, const char *name, void *value, 318 - size_t size) 316 + xattr_getsecurity(struct user_namespace *mnt_userns, struct inode *inode, 317 + const char *name, void *value, size_t size) 319 318 { 320 319 void *buffer = NULL; 321 320 ssize_t len; 322 321 323 322 if (!value || !size) { 324 - len = security_inode_getsecurity(inode, name, &buffer, false); 323 + len = security_inode_getsecurity(mnt_userns, inode, name, 324 + &buffer, false); 325 325 goto out_noalloc; 326 326 } 327 327 328 - len = security_inode_getsecurity(inode, name, &buffer, true); 328 + len = security_inode_getsecurity(mnt_userns, inode, name, &buffer, 329 + true); 329 330 if (len < 0) 330 331 return len; 331 332 if (size < len) { ··· 417 414 if (!strncmp(name, XATTR_SECURITY_PREFIX, 418 415 XATTR_SECURITY_PREFIX_LEN)) { 419 416 const char *suffix = name + XATTR_SECURITY_PREFIX_LEN; 420 - int ret = xattr_getsecurity(inode, suffix, value, size); 417 + int ret = xattr_getsecurity(mnt_userns, inode, suffix, value, 418 + size); 421 419 /* 422 420 * Only overwrite the return value if a security module 423 421 * is actually active. ··· 490 486 if (error) 491 487 return error; 492 488 493 - error = security_inode_removexattr(dentry, name); 489 + error = security_inode_removexattr(mnt_userns, dentry, name); 494 490 if (error) 495 491 goto out; 496 492
+3 -1
include/linux/capability.h
··· 271 271 } 272 272 273 273 /* audit system wants to get cap info from files as well */ 274 - extern int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps); 274 + int get_vfs_caps_from_disk(struct user_namespace *mnt_userns, 275 + const struct dentry *dentry, 276 + struct cpu_vfs_cap_data *cpu_caps); 275 277 276 278 int cap_convert_nscap(struct user_namespace *mnt_userns, struct dentry *dentry, 277 279 const void **ivalue, size_t size);
+9 -6
include/linux/lsm_hook_defs.h
··· 133 133 LSM_HOOK(int, 0, inode_permission, struct inode *inode, int mask) 134 134 LSM_HOOK(int, 0, inode_setattr, struct dentry *dentry, struct iattr *attr) 135 135 LSM_HOOK(int, 0, inode_getattr, const struct path *path) 136 - LSM_HOOK(int, 0, inode_setxattr, struct dentry *dentry, const char *name, 137 - const void *value, size_t size, int flags) 136 + LSM_HOOK(int, 0, inode_setxattr, struct user_namespace *mnt_userns, 137 + struct dentry *dentry, const char *name, const void *value, 138 + size_t size, int flags) 138 139 LSM_HOOK(void, LSM_RET_VOID, inode_post_setxattr, struct dentry *dentry, 139 140 const char *name, const void *value, size_t size, int flags) 140 141 LSM_HOOK(int, 0, inode_getxattr, struct dentry *dentry, const char *name) 141 142 LSM_HOOK(int, 0, inode_listxattr, struct dentry *dentry) 142 - LSM_HOOK(int, 0, inode_removexattr, struct dentry *dentry, const char *name) 143 + LSM_HOOK(int, 0, inode_removexattr, struct user_namespace *mnt_userns, 144 + struct dentry *dentry, const char *name) 143 145 LSM_HOOK(int, 0, inode_need_killpriv, struct dentry *dentry) 144 - LSM_HOOK(int, 0, inode_killpriv, struct dentry *dentry) 145 - LSM_HOOK(int, -EOPNOTSUPP, inode_getsecurity, struct inode *inode, 146 - const char *name, void **buffer, bool alloc) 146 + LSM_HOOK(int, 0, inode_killpriv, struct user_namespace *mnt_userns, 147 + struct dentry *dentry) 148 + LSM_HOOK(int, -EOPNOTSUPP, inode_getsecurity, struct user_namespace *mnt_userns, 149 + struct inode *inode, const char *name, void **buffer, bool alloc) 147 150 LSM_HOOK(int, -EOPNOTSUPP, inode_setsecurity, struct inode *inode, 148 151 const char *name, const void *value, size_t size, int flags) 149 152 LSM_HOOK(int, 0, inode_listsecurity, struct inode *inode, char *buffer,
+1
include/linux/lsm_hooks.h
··· 444 444 * @inode_killpriv: 445 445 * The setuid bit is being removed. Remove similar security labels. 446 446 * Called with the dentry->d_inode->i_mutex held. 447 + * @mnt_userns: user namespace of the mount 447 448 * @dentry is the dentry being changed. 448 449 * Return 0 on success. If error is returned, then the operation 449 450 * causing setuid bit removal is failed.
+34 -20
include/linux/security.h
··· 145 145 const kernel_cap_t *inheritable, 146 146 const kernel_cap_t *permitted); 147 147 extern int cap_bprm_creds_from_file(struct linux_binprm *bprm, struct file *file); 148 - extern int cap_inode_setxattr(struct dentry *dentry, const char *name, 149 - const void *value, size_t size, int flags); 150 - extern int cap_inode_removexattr(struct dentry *dentry, const char *name); 151 - extern int cap_inode_need_killpriv(struct dentry *dentry); 152 - extern int cap_inode_killpriv(struct dentry *dentry); 153 - extern int cap_inode_getsecurity(struct inode *inode, const char *name, 154 - void **buffer, bool alloc); 148 + int cap_inode_setxattr(struct dentry *dentry, const char *name, 149 + const void *value, size_t size, int flags); 150 + int cap_inode_removexattr(struct user_namespace *mnt_userns, 151 + struct dentry *dentry, const char *name); 152 + int cap_inode_need_killpriv(struct dentry *dentry); 153 + int cap_inode_killpriv(struct user_namespace *mnt_userns, 154 + struct dentry *dentry); 155 + int cap_inode_getsecurity(struct user_namespace *mnt_userns, 156 + struct inode *inode, const char *name, void **buffer, 157 + bool alloc); 155 158 extern int cap_mmap_addr(unsigned long addr); 156 159 extern int cap_mmap_file(struct file *file, unsigned long reqprot, 157 160 unsigned long prot, unsigned long flags); ··· 348 345 int security_inode_permission(struct inode *inode, int mask); 349 346 int security_inode_setattr(struct dentry *dentry, struct iattr *attr); 350 347 int security_inode_getattr(const struct path *path); 351 - int security_inode_setxattr(struct dentry *dentry, const char *name, 348 + int security_inode_setxattr(struct user_namespace *mnt_userns, 349 + struct dentry *dentry, const char *name, 352 350 const void *value, size_t size, int flags); 353 351 void security_inode_post_setxattr(struct dentry *dentry, const char *name, 354 352 const void *value, size_t size, int flags); 355 353 int security_inode_getxattr(struct dentry *dentry, const char *name); 356 354 int security_inode_listxattr(struct dentry *dentry); 357 - int security_inode_removexattr(struct dentry *dentry, const char *name); 355 + int security_inode_removexattr(struct user_namespace *mnt_userns, 356 + struct dentry *dentry, const char *name); 358 357 int security_inode_need_killpriv(struct dentry *dentry); 359 - int security_inode_killpriv(struct dentry *dentry); 360 - int security_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc); 358 + int security_inode_killpriv(struct user_namespace *mnt_userns, 359 + struct dentry *dentry); 360 + int security_inode_getsecurity(struct user_namespace *mnt_userns, 361 + struct inode *inode, const char *name, 362 + void **buffer, bool alloc); 361 363 int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags); 362 364 int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size); 363 365 void security_inode_getsecid(struct inode *inode, u32 *secid); ··· 839 831 return 0; 840 832 } 841 833 842 - static inline int security_inode_setxattr(struct dentry *dentry, 843 - const char *name, const void *value, size_t size, int flags) 834 + static inline int security_inode_setxattr(struct user_namespace *mnt_userns, 835 + struct dentry *dentry, const char *name, const void *value, 836 + size_t size, int flags) 844 837 { 845 838 return cap_inode_setxattr(dentry, name, value, size, flags); 846 839 } ··· 861 852 return 0; 862 853 } 863 854 864 - static inline int security_inode_removexattr(struct dentry *dentry, 865 - const char *name) 855 + static inline int security_inode_removexattr(struct user_namespace *mnt_userns, 856 + struct dentry *dentry, 857 + const char *name) 866 858 { 867 - return cap_inode_removexattr(dentry, name); 859 + return cap_inode_removexattr(mnt_userns, dentry, name); 868 860 } 869 861 870 862 static inline int security_inode_need_killpriv(struct dentry *dentry) ··· 873 863 return cap_inode_need_killpriv(dentry); 874 864 } 875 865 876 - static inline int security_inode_killpriv(struct dentry *dentry) 866 + static inline int security_inode_killpriv(struct user_namespace *mnt_userns, 867 + struct dentry *dentry) 877 868 { 878 - return cap_inode_killpriv(dentry); 869 + return cap_inode_killpriv(mnt_userns, dentry); 879 870 } 880 871 881 - static inline int security_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc) 872 + static inline int security_inode_getsecurity(struct user_namespace *mnt_userns, 873 + struct inode *inode, 874 + const char *name, void **buffer, 875 + bool alloc) 882 876 { 883 - return cap_inode_getsecurity(inode, name, buffer, alloc); 877 + return cap_inode_getsecurity(mnt_userns, inode, name, buffer, alloc); 884 878 } 885 879 886 880 static inline int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags)
+3 -2
kernel/auditsc.c
··· 1930 1930 if (!dentry) 1931 1931 return 0; 1932 1932 1933 - rc = get_vfs_caps_from_disk(dentry, &caps); 1933 + rc = get_vfs_caps_from_disk(&init_user_ns, dentry, &caps); 1934 1934 if (rc) 1935 1935 return rc; 1936 1936 ··· 2481 2481 ax->d.next = context->aux; 2482 2482 context->aux = (void *)ax; 2483 2483 2484 - get_vfs_caps_from_disk(bprm->file->f_path.dentry, &vcaps); 2484 + get_vfs_caps_from_disk(&init_user_ns, 2485 + bprm->file->f_path.dentry, &vcaps); 2485 2486 2486 2487 ax->fcap.permitted = vcaps.permitted; 2487 2488 ax->fcap.inheritable = vcaps.inheritable;
+49 -13
security/commoncap.c
··· 303 303 304 304 /** 305 305 * cap_inode_killpriv - Erase the security markings on an inode 306 - * @dentry: The inode/dentry to alter 306 + * 307 + * @mnt_userns: user namespace of the mount the inode was found from 308 + * @dentry: The inode/dentry to alter 307 309 * 308 310 * Erase the privilege-enhancing security markings on an inode. 309 311 * 312 + * If the inode has been found through an idmapped mount the user namespace of 313 + * the vfsmount must be passed through @mnt_userns. This function will then 314 + * take care to map the inode according to @mnt_userns before checking 315 + * permissions. On non-idmapped mounts or if permission checking is to be 316 + * performed on the raw inode simply passs init_user_ns. 317 + * 310 318 * Returns 0 if successful, -ve on error. 311 319 */ 312 - int cap_inode_killpriv(struct dentry *dentry) 320 + int cap_inode_killpriv(struct user_namespace *mnt_userns, struct dentry *dentry) 313 321 { 314 322 int error; 315 323 316 - error = __vfs_removexattr(&init_user_ns, dentry, XATTR_NAME_CAPS); 324 + error = __vfs_removexattr(mnt_userns, dentry, XATTR_NAME_CAPS); 317 325 if (error == -EOPNOTSUPP) 318 326 error = 0; 319 327 return error; ··· 374 366 * by the integrity subsystem, which really wants the unconverted values - 375 367 * so that's good. 376 368 */ 377 - int cap_inode_getsecurity(struct inode *inode, const char *name, void **buffer, 369 + int cap_inode_getsecurity(struct user_namespace *mnt_userns, 370 + struct inode *inode, const char *name, void **buffer, 378 371 bool alloc) 379 372 { 380 373 int size, ret; ··· 395 386 return -EINVAL; 396 387 397 388 size = sizeof(struct vfs_ns_cap_data); 398 - ret = (int)vfs_getxattr_alloc(&init_user_ns, dentry, XATTR_NAME_CAPS, 389 + ret = (int)vfs_getxattr_alloc(mnt_userns, dentry, XATTR_NAME_CAPS, 399 390 &tmpbuf, size, GFP_NOFS); 400 391 dput(dentry); 401 392 ··· 420 411 nscap = (struct vfs_ns_cap_data *) tmpbuf; 421 412 root = le32_to_cpu(nscap->rootid); 422 413 kroot = make_kuid(fs_ns, root); 414 + 415 + /* If this is an idmapped mount shift the kuid. */ 416 + kroot = kuid_into_mnt(mnt_userns, kroot); 423 417 424 418 /* If the root kuid maps to a valid uid in current ns, then return 425 419 * this as a nscap. */ ··· 607 595 return *effective ? ret : 0; 608 596 } 609 597 610 - /* 598 + /** 599 + * get_vfs_caps_from_disk - retrieve vfs caps from disk 600 + * 601 + * @mnt_userns: user namespace of the mount the inode was found from 602 + * @dentry: dentry from which @inode is retrieved 603 + * @cpu_caps: vfs capabilities 604 + * 611 605 * Extract the on-exec-apply capability sets for an executable file. 606 + * 607 + * If the inode has been found through an idmapped mount the user namespace of 608 + * the vfsmount must be passed through @mnt_userns. This function will then 609 + * take care to map the inode according to @mnt_userns before checking 610 + * permissions. On non-idmapped mounts or if permission checking is to be 611 + * performed on the raw inode simply passs init_user_ns. 612 612 */ 613 - int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps) 613 + int get_vfs_caps_from_disk(struct user_namespace *mnt_userns, 614 + const struct dentry *dentry, 615 + struct cpu_vfs_cap_data *cpu_caps) 614 616 { 615 617 struct inode *inode = d_backing_inode(dentry); 616 618 __u32 magic_etc; ··· 680 654 /* Limit the caps to the mounter of the filesystem 681 655 * or the more limited uid specified in the xattr. 682 656 */ 657 + rootkuid = kuid_into_mnt(mnt_userns, rootkuid); 683 658 if (!rootid_owns_currentns(rootkuid)) 684 659 return -ENODATA; 685 660 ··· 726 699 if (!current_in_userns(file->f_path.mnt->mnt_sb->s_user_ns)) 727 700 return 0; 728 701 729 - rc = get_vfs_caps_from_disk(file->f_path.dentry, &vcaps); 702 + rc = get_vfs_caps_from_disk(file_mnt_user_ns(file), 703 + file->f_path.dentry, &vcaps); 730 704 if (rc < 0) { 731 705 if (rc == -EINVAL) 732 706 printk(KERN_NOTICE "Invalid argument reading file caps for %s\n", ··· 992 964 993 965 /** 994 966 * cap_inode_removexattr - Determine whether an xattr may be removed 995 - * @dentry: The inode/dentry being altered 996 - * @name: The name of the xattr to be changed 967 + * 968 + * @mnt_userns: User namespace of the mount the inode was found from 969 + * @dentry: The inode/dentry being altered 970 + * @name: The name of the xattr to be changed 997 971 * 998 972 * Determine whether an xattr may be removed from an inode, returning 0 if 999 973 * permission is granted, -ve if denied. 1000 974 * 975 + * If the inode has been found through an idmapped mount the user namespace of 976 + * the vfsmount must be passed through @mnt_userns. This function will then 977 + * take care to map the inode according to @mnt_userns before checking 978 + * permissions. On non-idmapped mounts or if permission checking is to be 979 + * performed on the raw inode simply passs init_user_ns. 980 + * 1001 981 * This is used to make sure security xattrs don't get removed by those who 1002 982 * aren't privileged to remove them. 1003 983 */ 1004 - int cap_inode_removexattr(struct dentry *dentry, const char *name) 984 + int cap_inode_removexattr(struct user_namespace *mnt_userns, 985 + struct dentry *dentry, const char *name) 1005 986 { 1006 987 struct user_namespace *user_ns = dentry->d_sb->s_user_ns; 1007 988 ··· 1024 987 struct inode *inode = d_backing_inode(dentry); 1025 988 if (!inode) 1026 989 return -EINVAL; 1027 - if (!capable_wrt_inode_uidgid(&init_user_ns, inode, 1028 - CAP_SETFCAP)) 990 + if (!capable_wrt_inode_uidgid(mnt_userns, inode, CAP_SETFCAP)) 1029 991 return -EPERM; 1030 992 return 0; 1031 993 }
+15 -10
security/security.c
··· 1280 1280 return call_int_hook(inode_getattr, 0, path); 1281 1281 } 1282 1282 1283 - int security_inode_setxattr(struct dentry *dentry, const char *name, 1283 + int security_inode_setxattr(struct user_namespace *mnt_userns, 1284 + struct dentry *dentry, const char *name, 1284 1285 const void *value, size_t size, int flags) 1285 1286 { 1286 1287 int ret; ··· 1292 1291 * SELinux and Smack integrate the cap call, 1293 1292 * so assume that all LSMs supplying this call do so. 1294 1293 */ 1295 - ret = call_int_hook(inode_setxattr, 1, dentry, name, value, size, 1296 - flags); 1294 + ret = call_int_hook(inode_setxattr, 1, mnt_userns, dentry, name, value, 1295 + size, flags); 1297 1296 1298 1297 if (ret == 1) 1299 1298 ret = cap_inode_setxattr(dentry, name, value, size, flags); ··· 1328 1327 return call_int_hook(inode_listxattr, 0, dentry); 1329 1328 } 1330 1329 1331 - int security_inode_removexattr(struct dentry *dentry, const char *name) 1330 + int security_inode_removexattr(struct user_namespace *mnt_userns, 1331 + struct dentry *dentry, const char *name) 1332 1332 { 1333 1333 int ret; 1334 1334 ··· 1339 1337 * SELinux and Smack integrate the cap call, 1340 1338 * so assume that all LSMs supplying this call do so. 1341 1339 */ 1342 - ret = call_int_hook(inode_removexattr, 1, dentry, name); 1340 + ret = call_int_hook(inode_removexattr, 1, mnt_userns, dentry, name); 1343 1341 if (ret == 1) 1344 - ret = cap_inode_removexattr(dentry, name); 1342 + ret = cap_inode_removexattr(mnt_userns, dentry, name); 1345 1343 if (ret) 1346 1344 return ret; 1347 1345 ret = ima_inode_removexattr(dentry, name); ··· 1355 1353 return call_int_hook(inode_need_killpriv, 0, dentry); 1356 1354 } 1357 1355 1358 - int security_inode_killpriv(struct dentry *dentry) 1356 + int security_inode_killpriv(struct user_namespace *mnt_userns, 1357 + struct dentry *dentry) 1359 1358 { 1360 - return call_int_hook(inode_killpriv, 0, dentry); 1359 + return call_int_hook(inode_killpriv, 0, mnt_userns, dentry); 1361 1360 } 1362 1361 1363 - int security_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc) 1362 + int security_inode_getsecurity(struct user_namespace *mnt_userns, 1363 + struct inode *inode, const char *name, 1364 + void **buffer, bool alloc) 1364 1365 { 1365 1366 struct security_hook_list *hp; 1366 1367 int rc; ··· 1374 1369 * Only one module will provide an attribute with a given name. 1375 1370 */ 1376 1371 hlist_for_each_entry(hp, &security_hook_heads.inode_getsecurity, list) { 1377 - rc = hp->hook.inode_getsecurity(inode, name, buffer, alloc); 1372 + rc = hp->hook.inode_getsecurity(mnt_userns, inode, name, buffer, alloc); 1378 1373 if (rc != LSM_RET_DEFAULT(inode_getsecurity)) 1379 1374 return rc; 1380 1375 }
+12 -8
security/selinux/hooks.c
··· 3119 3119 return true; 3120 3120 } 3121 3121 3122 - static int selinux_inode_setxattr(struct dentry *dentry, const char *name, 3122 + static int selinux_inode_setxattr(struct user_namespace *mnt_userns, 3123 + struct dentry *dentry, const char *name, 3123 3124 const void *value, size_t size, int flags) 3124 3125 { 3125 3126 struct inode *inode = d_backing_inode(dentry); ··· 3141 3140 } 3142 3141 3143 3142 if (!selinux_initialized(&selinux_state)) 3144 - return (inode_owner_or_capable(&init_user_ns, inode) ? 0 : -EPERM); 3143 + return (inode_owner_or_capable(mnt_userns, inode) ? 0 : -EPERM); 3145 3144 3146 3145 sbsec = inode->i_sb->s_security; 3147 3146 if (!(sbsec->flags & SBLABEL_MNT)) 3148 3147 return -EOPNOTSUPP; 3149 3148 3150 - if (!inode_owner_or_capable(&init_user_ns, inode)) 3149 + if (!inode_owner_or_capable(mnt_userns, inode)) 3151 3150 return -EPERM; 3152 3151 3153 3152 ad.type = LSM_AUDIT_DATA_DENTRY; ··· 3268 3267 return dentry_has_perm(cred, dentry, FILE__GETATTR); 3269 3268 } 3270 3269 3271 - static int selinux_inode_removexattr(struct dentry *dentry, const char *name) 3270 + static int selinux_inode_removexattr(struct user_namespace *mnt_userns, 3271 + struct dentry *dentry, const char *name) 3272 3272 { 3273 3273 if (strcmp(name, XATTR_NAME_SELINUX)) { 3274 - int rc = cap_inode_removexattr(dentry, name); 3274 + int rc = cap_inode_removexattr(mnt_userns, dentry, name); 3275 3275 if (rc) 3276 3276 return rc; 3277 3277 ··· 3338 3336 * 3339 3337 * Permission check is handled by selinux_inode_getxattr hook. 3340 3338 */ 3341 - static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc) 3339 + static int selinux_inode_getsecurity(struct user_namespace *mnt_userns, 3340 + struct inode *inode, const char *name, 3341 + void **buffer, bool alloc) 3342 3342 { 3343 3343 u32 size; 3344 3344 int error; ··· 6537 6533 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) 6538 6534 { 6539 6535 int len = 0; 6540 - len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX, 6541 - ctx, true); 6536 + len = selinux_inode_getsecurity(&init_user_ns, inode, 6537 + XATTR_SELINUX_SUFFIX, ctx, true); 6542 6538 if (len < 0) 6543 6539 return len; 6544 6540 *ctxlen = len;
+8 -6
security/smack/smack_lsm.c
··· 1240 1240 * 1241 1241 * Returns 0 if access is permitted, an error code otherwise 1242 1242 */ 1243 - static int smack_inode_setxattr(struct dentry *dentry, const char *name, 1243 + static int smack_inode_setxattr(struct user_namespace *mnt_userns, 1244 + struct dentry *dentry, const char *name, 1244 1245 const void *value, size_t size, int flags) 1245 1246 { 1246 1247 struct smk_audit_info ad; ··· 1363 1362 * 1364 1363 * Returns 0 if access is permitted, an error code otherwise 1365 1364 */ 1366 - static int smack_inode_removexattr(struct dentry *dentry, const char *name) 1365 + static int smack_inode_removexattr(struct user_namespace *mnt_userns, 1366 + struct dentry *dentry, const char *name) 1367 1367 { 1368 1368 struct inode_smack *isp; 1369 1369 struct smk_audit_info ad; ··· 1379 1377 if (!smack_privileged(CAP_MAC_ADMIN)) 1380 1378 rc = -EPERM; 1381 1379 } else 1382 - rc = cap_inode_removexattr(dentry, name); 1380 + rc = cap_inode_removexattr(mnt_userns, dentry, name); 1383 1381 1384 1382 if (rc != 0) 1385 1383 return rc; ··· 1422 1420 * 1423 1421 * Returns the size of the attribute or an error code 1424 1422 */ 1425 - static int smack_inode_getsecurity(struct inode *inode, 1426 - const char *name, void **buffer, 1427 - bool alloc) 1423 + static int smack_inode_getsecurity(struct user_namespace *mnt_userns, 1424 + struct inode *inode, const char *name, 1425 + void **buffer, bool alloc) 1428 1426 { 1429 1427 struct socket_smack *ssp; 1430 1428 struct socket *sock;