Pull LSM updates from Paul Moore:
"We only have five patches in the LSM tree, but three of the five are
for an important bugfix relating to overlayfs and the mmap() and
mprotect() access controls for LSMs. Highlights below:
- Fix problems with the mmap() and mprotect() LSM hooks on overlayfs
As we are dealing with problems both in mmap() and mprotect() there
are essentially two components to this fix, spread across three
patches with all marked for stable.
The simplest portion of the fix is the creation of a new LSM hook,
security_mmap_backing_file(), that is used to enforce LSM mmap()
access controls on backing files in the stacked/overlayfs case. The
existing security_mmap_file() does not have visibility past the
user file. You can see from the associated SELinux hook callback
the code is fairly straightforward.
The mprotect() fix is a bit more complicated as there is no way in
the mprotect() code path to inspect both the user and backing
files, and bolting on a second file reference to vm_area_struct
wasn't really an option.
The solution taken here adds a LSM security blob and associated
hooks to the backing_file struct that LSMs can use to capture and
store relevant information from the user file. While the necessary
SELinux information is relatively small, a single u32, I expect
other LSMs to require more than that, and a dedicated backing_file
LSM blob provides a storage mechanism without negatively impacting
other filesystems.
I want to note that other LSMs beyond SELinux have been involved in
the discussion of the fixes presented here and they are working on
their own related changes using these new hooks, but due to other
issues those patches will be coming at a later date.
- Use kstrdup_const()/kfree_const() for securityfs symlink targets
- Resolve a handful of kernel-doc warnings in cred.h"
* tag 'lsm-pr-
20260410' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm:
selinux: fix overlayfs mmap() and mprotect() access checks
lsm: add backing_file LSM hooks
fs: prepare for adding LSM blob to backing_file
securityfs: use kstrdup_const() to manage symlink targets
cred: fix kernel-doc warnings in cred.h
}
EXPORT_SYMBOL_GPL(backing_file_set_user_path);
- kmem_cache_free(bfilp_cachep, ff);
+ #ifdef CONFIG_SECURITY
+ void *backing_file_security(const struct file *f)
+ {
+ return backing_file(f)->security;
+ }
+
+ void backing_file_set_security(struct file *f, void *security)
+ {
+ backing_file(f)->security = security;
+ }
+ #endif /* CONFIG_SECURITY */
+
+ static inline void backing_file_free(struct backing_file *ff)
+ {
+ security_backing_file_free(&ff->file);
+ path_put(&ff->user_path);
++ kmem_cache_free(bfilp_cache, ff);
+ }
+
static inline void file_free(struct file *f)
{
security_file_free(f);
percpu_counter_dec(&nr_files);
put_cred(f->f_cred);
if (unlikely(f->f_mode & FMODE_BACKING)) {
- path_put(backing_file_user_path(f));
- kmem_cache_free(bfilp_cache, backing_file(f));
+ backing_file_free(backing_file(f));
} else {
- kmem_cache_free(filp_cachep, f);
+ kmem_cache_free(filp_cache, f);
}
}
projects / thirdparty / kernel / linux.git / commitdiff
