--- /dev/null
+From 362fa309bfeb5d9906153a3834e1ff3fc36336a3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Sep 2023 18:51:38 -0700
+Subject: smack: Record transmuting in smk_transmuted
+
+From: Roberto Sassu <roberto.sassu@huawei.com>
+
+commit 2c085f3a8f23c9b444e8b99d93c15d7ce870fc4e upstream.
+
+smack_dentry_create_files_as() determines whether transmuting should occur
+based on the label of the parent directory the new inode will be added to,
+and not the label of the directory where it is created.
+
+This helps for example to do transmuting on overlayfs, since the latter
+first creates the inode in the working directory, and then moves it to the
+correct destination.
+
+However, despite smack_dentry_create_files_as() provides the correct label,
+smack_inode_init_security() does not know from passed information whether
+or not transmuting occurred. Without this information,
+smack_inode_init_security() cannot set SMK_INODE_CHANGED in smk_flags,
+which will result in the SMACK64TRANSMUTE xattr not being set in
+smack_d_instantiate().
+
+Thus, add the smk_transmuted field to the task_smack structure, and set it
+in smack_dentry_create_files_as() to smk_task if transmuting occurred. If
+smk_task is equal to smk_transmuted in smack_inode_init_security(), act as
+if transmuting was successful but without taking the label from the parent
+directory (the inode label was already set correctly from the current
+credentials in smack_inode_alloc_security()).
+
+Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
+Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
+[4.19: adjusted for the lack of helper functions]
+Fixes: d6d80cb57be4 ("Smack: Base support for overlayfs")
+Signed-off-by: Munehisa Kamata <kamatam@amazon.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/smack/smack.h | 1 +
+ security/smack/smack_lsm.c | 41 +++++++++++++++++++++++++++-----------
+ 2 files changed, 30 insertions(+), 12 deletions(-)
+
+diff --git a/security/smack/smack.h b/security/smack/smack.h
+index f7db791fb5660..62aa4bc25426c 100644
+--- a/security/smack/smack.h
++++ b/security/smack/smack.h
+@@ -120,6 +120,7 @@ struct inode_smack {
+ struct task_smack {
+ struct smack_known *smk_task; /* label for access control */
+ struct smack_known *smk_forked; /* label when forked */
++ struct smack_known *smk_transmuted;/* label when transmuted */
+ struct list_head smk_rules; /* per task access rules */
+ struct mutex smk_rules_lock; /* lock for the rules */
+ struct list_head smk_relabel; /* transit allowed labels */
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index db729834d8ba9..266eb8ca33818 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -1032,8 +1032,9 @@ static int smack_inode_init_security(struct inode *inode, struct inode *dir,
+ const struct qstr *qstr, const char **name,
+ void **value, size_t *len)
+ {
++ struct task_smack *tsp = current_security();
+ struct inode_smack *issp = inode->i_security;
+- struct smack_known *skp = smk_of_current();
++ struct smack_known *skp = smk_of_task(tsp);
+ struct smack_known *isp = smk_of_inode(inode);
+ struct smack_known *dsp = smk_of_inode(dir);
+ int may;
+@@ -1042,20 +1043,34 @@ static int smack_inode_init_security(struct inode *inode, struct inode *dir,
+ *name = XATTR_SMACK_SUFFIX;
+
+ if (value && len) {
+- rcu_read_lock();
+- may = smk_access_entry(skp->smk_known, dsp->smk_known,
+- &skp->smk_rules);
+- rcu_read_unlock();
++ /*
++ * If equal, transmuting already occurred in
++ * smack_dentry_create_files_as(). No need to check again.
++ */
++ if (tsp->smk_task != tsp->smk_transmuted) {
++ rcu_read_lock();
++ may = smk_access_entry(skp->smk_known, dsp->smk_known,
++ &skp->smk_rules);
++ rcu_read_unlock();
++ }
+
+ /*
+- * If the access rule allows transmutation and
+- * the directory requests transmutation then
+- * by all means transmute.
++ * In addition to having smk_task equal to smk_transmuted,
++ * if the access rule allows transmutation and the directory
++ * requests transmutation then by all means transmute.
+ * Mark the inode as changed.
+ */
+- if (may > 0 && ((may & MAY_TRANSMUTE) != 0) &&
+- smk_inode_transmutable(dir)) {
+- isp = dsp;
++ if ((tsp->smk_task == tsp->smk_transmuted) ||
++ (may > 0 && ((may & MAY_TRANSMUTE) != 0) &&
++ smk_inode_transmutable(dir))) {
++ /*
++ * The caller of smack_dentry_create_files_as()
++ * should have overridden the current cred, so the
++ * inode label was already set correctly in
++ * smack_inode_alloc_security().
++ */
++ if (tsp->smk_task != tsp->smk_transmuted)
++ isp = dsp;
+ issp->smk_flags |= SMK_INODE_CHANGED;
+ }
+
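Review bot: `may` is left unassigned when `tsp->smk_task == tsp->smk_transmuted`, because the `smk_access_entry()` call now sits inside the new `if`. The later test avoids reading it only because the equality check comes first in the `||`. Declaring it as `int may = 0;` (the declaration is in the previous hunk) removes that ordering dependency and any maybe-uninitialized warning. The same pointer comparison is written three times, so a local such as `bool transmuted = tsp->smk_task == tsp->smk_transmuted;` would make the branches easier to audit. The function body continues outside this hunk.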
+@@ -4677,8 +4692,10 @@ static int smack_dentry_create_files_as(struct dentry *dentry, int mode,
+ * providing access is transmuting use the containing
+ * directory label instead of the process label.
+ */
+- if (may > 0 && (may & MAY_TRANSMUTE))
++ if (may > 0 && (may & MAY_TRANSMUTE)) {
+ ntsp->smk_task = isp->smk_inode;
++ ntsp->smk_transmuted = ntsp->smk_task;
++ }
+ }
+ return 0;
+ }
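Review bot: `smk_transmuted` is written only on the transmuting path here, so the equality test in smack_inode_init_security() is sound only if the field is NULL in every cred that did not take this branch. The hunk does not show how `ntsp` was allocated or copied. It is worth confirming that the cred prepare and transfer paths do not carry `smk_transmuted` over, since a stale match would set SMK_INODE_CHANGED without any rule check. A comment on the new assignment would record the contract, e.g. `/* read by smack_inode_init_security(); must stay NULL unless transmuting happened */`. The function starts outside this hunk.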
+--
+2.40.1
+
--- /dev/null
+From 765b103c8d2a7fc0e0188826d760f2436563dff2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Sep 2023 18:51:37 -0700
+Subject: smack: Retrieve transmuting information in smack_inode_getsecurity()
+
+From: Roberto Sassu <roberto.sassu@huawei.com>
+
+commit 3a3d8fce31a49363cc31880dce5e3b0617c9c38b upstream.
+
+Enhance smack_inode_getsecurity() to retrieve the value for
+SMACK64TRANSMUTE from the inode security blob, similarly to SMACK64.
+
+This helps to display accurate values in the situation where the security
+labels come from mount options and not from xattrs.
+
+Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
+Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
+[4.19: adjusted for the lack of helper functions]
+Fixes: d6d80cb57be4 ("Smack: Base support for overlayfs")
+Signed-off-by: Munehisa Kamata <kamatam@amazon.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/smack/smack_lsm.c | 22 ++++++++++++++++++----
+ 1 file changed, 18 insertions(+), 4 deletions(-)
+
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index a09a9c6bbdf63..db729834d8ba9 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -1490,10 +1490,19 @@ static int smack_inode_getsecurity(struct inode *inode,
+ struct super_block *sbp;
+ struct inode *ip = (struct inode *)inode;
+ struct smack_known *isp;
++ struct inode_smack *ispp;
++ size_t label_len;
++ char *label = NULL;
+
+- if (strcmp(name, XATTR_SMACK_SUFFIX) == 0)
++ if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) {
+ isp = smk_of_inode(inode);
+- else {
++ } else if (strcmp(name, XATTR_SMACK_TRANSMUTE) == 0) {
++ ispp = inode->i_security;
++ if (ispp->smk_flags & SMK_INODE_TRANSMUTE)
++ label = TRANS_TRUE;
++ else
++ label = "";
++ } else {
+ /*
+ * The rest of the Smack xattrs are only on sockets.
+ */
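Review bot: In the new SMACK64TRANSMUTE branch `isp` is never assigned, and the `label = isp->smk_known` fallback in the next hunk is skipped only because this branch always sets `label` to a non-NULL string, including `""`. That coupling deserves a comment next to the declaration, e.g. `/* non-NULL label means isp is not used */`. Returning `""` with length 0 for a non-transmuting inode also presumably makes the attribute look present but empty rather than absent. How the result is consumed is not visible here, so it should be confirmed that this is the intended behaviour. The function starts and ends outside this hunk.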
+@@ -1515,13 +1524,18 @@ static int smack_inode_getsecurity(struct inode *inode,
+ return -EOPNOTSUPP;
+ }
+
++ if (!label)
++ label = isp->smk_known;
++
++ label_len = strlen(label);
++
+ if (alloc) {
+- *buffer = kstrdup(isp->smk_known, GFP_KERNEL);
++ *buffer = kstrdup(label, GFP_KERNEL);
+ if (*buffer == NULL)
+ return -ENOMEM;
+ }
+
+- return strlen(isp->smk_known);
++ return label_len;
+ }
+
+
+--
+2.40.1
+
--- /dev/null
+From 0e747ce9666b0ab704b1aee9d3683babc8f468ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Sep 2023 18:51:36 -0700
+Subject: Smack:- Use overlay inode label in smack_inode_copy_up()
+
+From: Vishal Goel <vishal.goel@samsung.com>
+
+commit 387ef964460f14fe1c1ea29aba70e22731ea7cf7 upstream.
+
+Currently in "smack_inode_copy_up()" function, process label is
+changed with the label on parent inode. Due to which,
+process is assigned directory label and whatever file or directory
+created by the process are also getting directory label
+which is wrong label.
+
+Changes has been done to use label of overlay inode instead
+of parent inode.
+
+Signed-off-by: Vishal Goel <vishal.goel@samsung.com>
+Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
+[4.19: adjusted for the lack of helper functions]
+Fixes: d6d80cb57be4 ("Smack: Base support for overlayfs")
+Signed-off-by: Munehisa Kamata <kamatam@amazon.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/smack/smack_lsm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index 4f65d953fe318..a09a9c6bbdf63 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -4612,7 +4612,7 @@ static int smack_inode_copy_up(struct dentry *dentry, struct cred **new)
+ /*
+ * Get label from overlay inode and set it in create_sid
+ */
+- isp = d_inode(dentry->d_parent)->i_security;
++ isp = d_inode(dentry)->i_security;
+ skp = isp->smk_inode;
+ tsp->smk_task = skp;
+ *new = new_creds;
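Review bot: `d_inode(dentry)->i_security` is dereferenced immediately, so the new label source relies on `dentry` being positive at copy-up time, which this hunk does not show. If the overlayfs caller guarantees that, a one-line comment above the assignment stating the assumption would keep a later refactor from introducing a NULL dereference in this credential-setup path. The function starts and ends outside the hunk.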
+--
+2.40.1
+