From: Sasha Levin Date: Wed, 4 Oct 2023 10:27:50 +0000 (-0400) Subject: Fixes for 5.10 X-Git-Tag: v6.5.6~33 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f5b52a2882d509f9a6f7aa77a119a9abaeb2217c;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.10 Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/series b/queue-5.10/series index 17db4329e66..b7e158ab6be 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -143,3 +143,6 @@ perf-metric-return-early-if-no-cpu-pmu-table-exists.patch netfilter-nft_exthdr-search-chunks-in-sctp-packets-o.patch netfilter-nft_exthdr-fix-for-unsafe-packet-data-read.patch nvme-pci-always-return-an-err_ptr-from-nvme_pci_allo.patch +smack-record-transmuting-in-smk_transmuted.patch +smack-retrieve-transmuting-information-in-smack_inod.patch +smack-use-overlay-inode-label-in-smack_inode_copy_up.patch diff --git a/queue-5.10/smack-record-transmuting-in-smk_transmuted.patch b/queue-5.10/smack-record-transmuting-in-smk_transmuted.patch new file mode 100644 index 00000000000..afbd906669d --- /dev/null +++ b/queue-5.10/smack-record-transmuting-in-smk_transmuted.patch @@ -0,0 +1,126 @@ +From 5e0d2f1b34213d8a086d78bcba3c7b1a6c6e2b3c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 May 2023 19:02:34 +0200 +Subject: smack: Record transmuting in smk_transmuted + +From: Roberto Sassu + +[ Upstream commit 2c085f3a8f23c9b444e8b99d93c15d7ce870fc4e ] + +smack_dentry_create_files_as() determines whether transmuting should occur +based on the label of the parent directory the new inode will be added to, +and not the label of the directory where it is created. + +This helps for example to do transmuting on overlayfs, since the latter +first creates the inode in the working directory, and then moves it to the +correct destination. + +However, despite smack_dentry_create_files_as() provides the correct label, +smack_inode_init_security() does not know from passed information whether +or not transmuting occurred. Without this information, +smack_inode_init_security() cannot set SMK_INODE_CHANGED in smk_flags, +which will result in the SMACK64TRANSMUTE xattr not being set in +smack_d_instantiate(). + +Thus, add the smk_transmuted field to the task_smack structure, and set it +in smack_dentry_create_files_as() to smk_task if transmuting occurred. If +smk_task is equal to smk_transmuted in smack_inode_init_security(), act as +if transmuting was successful but without taking the label from the parent +directory (the inode label was already set correctly from the current +credentials in smack_inode_alloc_security()). + +Signed-off-by: Roberto Sassu +Signed-off-by: Casey Schaufler +Signed-off-by: Sasha Levin +--- + security/smack/smack.h | 1 + + security/smack/smack_lsm.c | 41 +++++++++++++++++++++++++++----------- + 2 files changed, 30 insertions(+), 12 deletions(-) + +diff --git a/security/smack/smack.h b/security/smack/smack.h +index a9768b12716bf..b5187915e074e 100644 +--- a/security/smack/smack.h ++++ b/security/smack/smack.h +@@ -120,6 +120,7 @@ struct inode_smack { + struct task_smack { + struct smack_known *smk_task; /* label for access control */ + struct smack_known *smk_forked; /* label when forked */ ++ struct smack_known *smk_transmuted;/* label when transmuted */ + struct list_head smk_rules; /* per task access rules */ + struct mutex smk_rules_lock; /* lock for the rules */ + struct list_head smk_relabel; /* transit allowed labels */ +diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c +index b36b8668f1f4a..e7f6f55bbae24 100644 +--- a/security/smack/smack_lsm.c ++++ b/security/smack/smack_lsm.c +@@ -972,8 +972,9 @@ static int smack_inode_init_security(struct inode *inode, struct inode *dir, + const struct qstr *qstr, const char **name, + void **value, size_t *len) + { ++ struct task_smack *tsp = smack_cred(current_cred()); + struct inode_smack *issp = smack_inode(inode); +- struct smack_known *skp = smk_of_current(); ++ struct smack_known *skp = smk_of_task(tsp); + struct smack_known *isp = smk_of_inode(inode); + struct smack_known *dsp = smk_of_inode(dir); + int may; +@@ -982,20 +983,34 @@ static int smack_inode_init_security(struct inode *inode, struct inode *dir, + *name = XATTR_SMACK_SUFFIX; + + if (value && len) { +- rcu_read_lock(); +- may = smk_access_entry(skp->smk_known, dsp->smk_known, +- &skp->smk_rules); +- rcu_read_unlock(); ++ /* ++ * If equal, transmuting already occurred in ++ * smack_dentry_create_files_as(). No need to check again. ++ */ ++ if (tsp->smk_task != tsp->smk_transmuted) { ++ rcu_read_lock(); ++ may = smk_access_entry(skp->smk_known, dsp->smk_known, ++ &skp->smk_rules); ++ rcu_read_unlock(); ++ } + + /* +- * If the access rule allows transmutation and +- * the directory requests transmutation then +- * by all means transmute. ++ * In addition to having smk_task equal to smk_transmuted, ++ * if the access rule allows transmutation and the directory ++ * requests transmutation then by all means transmute. + * Mark the inode as changed. + */ +- if (may > 0 && ((may & MAY_TRANSMUTE) != 0) && +- smk_inode_transmutable(dir)) { +- isp = dsp; ++ if ((tsp->smk_task == tsp->smk_transmuted) || ++ (may > 0 && ((may & MAY_TRANSMUTE) != 0) && ++ smk_inode_transmutable(dir))) { ++ /* ++ * The caller of smack_dentry_create_files_as() ++ * should have overridden the current cred, so the ++ * inode label was already set correctly in ++ * smack_inode_alloc_security(). ++ */ ++ if (tsp->smk_task != tsp->smk_transmuted) ++ isp = dsp; + issp->smk_flags |= SMK_INODE_CHANGED; + } + +@@ -4685,8 +4700,10 @@ static int smack_dentry_create_files_as(struct dentry *dentry, int mode, + * providing access is transmuting use the containing + * directory label instead of the process label. + */ +- if (may > 0 && (may & MAY_TRANSMUTE)) ++ if (may > 0 && (may & MAY_TRANSMUTE)) { + ntsp->smk_task = isp->smk_inode; ++ ntsp->smk_transmuted = ntsp->smk_task; ++ } + } + return 0; + } +-- +2.40.1 + diff --git a/queue-5.10/smack-retrieve-transmuting-information-in-smack_inod.patch b/queue-5.10/smack-retrieve-transmuting-information-in-smack_inod.patch new file mode 100644 index 00000000000..e0501594e22 --- /dev/null +++ b/queue-5.10/smack-retrieve-transmuting-information-in-smack_inod.patch @@ -0,0 +1,72 @@ +From 843f28c63f978888ee9f63c2092f610c1267068e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 May 2023 19:02:33 +0200 +Subject: smack: Retrieve transmuting information in smack_inode_getsecurity() + +From: Roberto Sassu + +[ Upstream commit 3a3d8fce31a49363cc31880dce5e3b0617c9c38b ] + +Enhance smack_inode_getsecurity() to retrieve the value for +SMACK64TRANSMUTE from the inode security blob, similarly to SMACK64. + +This helps to display accurate values in the situation where the security +labels come from mount options and not from xattrs. + +Signed-off-by: Roberto Sassu +Signed-off-by: Casey Schaufler +Signed-off-by: Sasha Levin +--- + security/smack/smack_lsm.c | 22 ++++++++++++++++++---- + 1 file changed, 18 insertions(+), 4 deletions(-) + +diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c +index e7f6f55bbae24..6bfc3c8d93102 100644 +--- a/security/smack/smack_lsm.c ++++ b/security/smack/smack_lsm.c +@@ -1444,10 +1444,19 @@ static int smack_inode_getsecurity(struct inode *inode, + struct super_block *sbp; + struct inode *ip = (struct inode *)inode; + struct smack_known *isp; ++ struct inode_smack *ispp; ++ size_t label_len; ++ char *label = NULL; + +- if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) ++ if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { + isp = smk_of_inode(inode); +- else { ++ } else if (strcmp(name, XATTR_SMACK_TRANSMUTE) == 0) { ++ ispp = smack_inode(inode); ++ if (ispp->smk_flags & SMK_INODE_TRANSMUTE) ++ label = TRANS_TRUE; ++ else ++ label = ""; ++ } else { + /* + * The rest of the Smack xattrs are only on sockets. + */ +@@ -1469,13 +1478,18 @@ static int smack_inode_getsecurity(struct inode *inode, + return -EOPNOTSUPP; + } + ++ if (!label) ++ label = isp->smk_known; ++ ++ label_len = strlen(label); ++ + if (alloc) { +- *buffer = kstrdup(isp->smk_known, GFP_KERNEL); ++ *buffer = kstrdup(label, GFP_KERNEL); + if (*buffer == NULL) + return -ENOMEM; + } + +- return strlen(isp->smk_known); ++ return label_len; + } + + +-- +2.40.1 + diff --git a/queue-5.10/smack-use-overlay-inode-label-in-smack_inode_copy_up.patch b/queue-5.10/smack-use-overlay-inode-label-in-smack_inode_copy_up.patch new file mode 100644 index 00000000000..e5d87be17f6 --- /dev/null +++ b/queue-5.10/smack-use-overlay-inode-label-in-smack_inode_copy_up.patch @@ -0,0 +1,41 @@ +From 53637dc837a91ce88e98eca01f8f76a5ea0cb42e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Sep 2021 13:08:14 +0530 +Subject: Smack:- Use overlay inode label in smack_inode_copy_up() + +From: Vishal Goel + +[ Upstream commit 387ef964460f14fe1c1ea29aba70e22731ea7cf7 ] + +Currently in "smack_inode_copy_up()" function, process label is +changed with the label on parent inode. Due to which, +process is assigned directory label and whatever file or directory +created by the process are also getting directory label +which is wrong label. + +Changes has been done to use label of overlay inode instead +of parent inode. + +Signed-off-by: Vishal Goel +Signed-off-by: Casey Schaufler +Signed-off-by: Sasha Levin +--- + security/smack/smack_lsm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c +index 6bfc3c8d93102..814518ad4402b 100644 +--- a/security/smack/smack_lsm.c ++++ b/security/smack/smack_lsm.c +@@ -4663,7 +4663,7 @@ static int smack_inode_copy_up(struct dentry *dentry, struct cred **new) + /* + * Get label from overlay inode and set it in create_sid + */ +- isp = smack_inode(d_inode(dentry->d_parent)); ++ isp = smack_inode(d_inode(dentry)); + skp = isp->smk_inode; + tsp->smk_task = skp; + *new = new_creds; +-- +2.40.1 +