From: Christian Brauner Date: Fri, 14 Nov 2025 22:45:22 +0000 (+0100) Subject: ovl: add copy up credential guard X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=81b77b5b0a2984e767674c50a35b71ca218da7e7;p=thirdparty%2Fkernel%2Flinux.git ovl: add copy up credential guard Add a credential guard for copy up. This will allows us to waste struct struct ovl_cu_creds and simplify the code. Link: https://patch.msgid.link/20251114-work-ovl-cred-guard-copyup-v1-1-ea3fb15cf427@kernel.org Reviewed-by: Amir Goldstein Signed-off-by: Christian Brauner
---
diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c
index 859e75daff8e4..a7f70dadf94f5 100644
--- a/fs/overlayfs/copy_up.c
+++ b/fs/overlayfs/copy_up.c
@@ -752,6 +752,33 @@ static void ovl_revert_cu_creds(struct ovl_cu_creds *cc)
 }
 }
 
+static const struct cred *ovl_prepare_copy_up_creds(struct dentry *dentry)
+{
+ struct cred *copy_up_cred = NULL;
+ int err;
+
+ err = security_inode_copy_up(dentry, ©_up_cred);
+ if (err < 0)
+ return ERR_PTR(err);
+
+ if (!copy_up_cred)
+ return NULL;
+
+ return override_creds(copy_up_cred);
+}
+
+static void ovl_revert_copy_up_creds(const struct cred *orig_cred)
+{
+ const struct cred *copy_up_cred;
+
+ copy_up_cred = revert_creds(orig_cred);
+ put_cred(copy_up_cred);
+}
+
+DEFINE_CLASS(copy_up_creds, const struct cred *,
+ if (!IS_ERR_OR_NULL(_T)) ovl_revert_copy_up_creds(_T),
+ ovl_prepare_copy_up_creds(dentry), struct dentry *dentry)
+
 /*
 * Copyup using workdir to prepare temp file. Used when copying up directories,
 * special files or when upper fs doesn't support O_TMPFILE.
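Review bot: `ovl_prepare_copy_up_creds()` has a three-way return that nothing in the hunk documents: an `ERR_PTR` when `security_inode_copy_up()` fails, `NULL` when the hook supplied no credentials, and otherwise the value returned by `override_creds()`. The destructor in `DEFINE_CLASS(copy_up_creds, ...)` skips both the error and the `NULL` case, so a user of the guard that omits the `IS_ERR()` test would continue the copy up under the caller's credentials after the security hook refused it. I would add a comment above the class definition, for example `/* Users must check IS_ERR() on the guard variable: an ERR_PTR means the LSM hook failed and copy up must not proceed; NULL means no override was installed. */`. The users of the guard are outside this hunk, so whether they already perform that check is not visible here.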