From 2e61b3d0613ff94cfed2c5dea2ce936696794a7c Mon Sep 17 00:00:00 2001
From: Sasha Levin
Date: Wed, 4 Oct 2023 06:27:52 -0400
Subject: [PATCH] Fixes for 4.19

Signed-off-by: Sasha Levin
---
 queue-4.19/series | 3 +
 ...record-transmuting-in-smk_transmuted.patch | 129 ++++++++++++++++++
 ...ransmuting-information-in-smack_inod.patch | 75 ++++++++++
 ...y-inode-label-in-smack_inode_copy_up.patch | 44 ++++++
 4 files changed, 251 insertions(+)
 create mode 100644 queue-4.19/smack-record-transmuting-in-smk_transmuted.patch
 create mode 100644 queue-4.19/smack-retrieve-transmuting-information-in-smack_inod.patch
 create mode 100644 queue-4.19/smack-use-overlay-inode-label-in-smack_inode_copy_up.patch

diff --git a/queue-4.19/series b/queue-4.19/series
index ec4ea684891..e62527673e0 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -49,3 +49,6 @@ net-fix-unwanted-sign-extension-in-netdev_stats_to_s.patch
 usb-typec-wcove-use-le-to-cpu-conversion-when-access.patch
 usb-typec-tcpm-usb-typec-tcpm-fix-a-signedness-bug-i.patch
 scsi-megaraid_sas-enable-msix_load_balance-for-invad.patch
+smack-use-overlay-inode-label-in-smack_inode_copy_up.patch
+smack-retrieve-transmuting-information-in-smack_inod.patch
+smack-record-transmuting-in-smk_transmuted.patch
diff --git a/queue-4.19/smack-record-transmuting-in-smk_transmuted.patch b/queue-4.19/smack-record-transmuting-in-smk_transmuted.patch
new file mode 100644
index 00000000000..edadb6a76f9
--- /dev/null
+++ b/queue-4.19/smack-record-transmuting-in-smk_transmuted.patch
@@ -0,0 +1,129 @@
+From 362fa309bfeb5d9906153a3834e1ff3fc36336a3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 28 Sep 2023 18:51:38 -0700
+Subject: smack: Record transmuting in smk_transmuted
+
+From: Roberto Sassu
+
+commit 2c085f3a8f23c9b444e8b99d93c15d7ce870fc4e upstream.
+
+smack_dentry_create_files_as() determines whether transmuting should occur
+based on the label of the parent directory the new inode will be added to,
+and not the label of the directory where it is created.
+
+This helps for example to do transmuting on overlayfs, since the latter
+first creates the inode in the working directory, and then moves it to the
+correct destination.
+
+However, despite smack_dentry_create_files_as() provides the correct label,
+smack_inode_init_security() does not know from passed information whether
+or not transmuting occurred. Without this information,
+smack_inode_init_security() cannot set SMK_INODE_CHANGED in smk_flags,
+which will result in the SMACK64TRANSMUTE xattr not being set in
+smack_d_instantiate().
+
+Thus, add the smk_transmuted field to the task_smack structure, and set it
+in smack_dentry_create_files_as() to smk_task if transmuting occurred. If
+smk_task is equal to smk_transmuted in smack_inode_init_security(), act as
+if transmuting was successful but without taking the label from the parent
+directory (the inode label was already set correctly from the current
+credentials in smack_inode_alloc_security()).
+
+Signed-off-by: Roberto Sassu
+Signed-off-by: Casey Schaufler
+[4.19: adjusted for the lack of helper functions]
+Fixes: d6d80cb57be4 ("Smack: Base support for overlayfs")
+Signed-off-by: Munehisa Kamata
+Signed-off-by: Sasha Levin
+---
+ security/smack/smack.h | 1 +
+ security/smack/smack_lsm.c | 41 +++++++++++++++++++++++++++-----------
+ 2 files changed, 30 insertions(+), 12 deletions(-)
+
+diff --git a/security/smack/smack.h b/security/smack/smack.h
+index f7db791fb5660..62aa4bc25426c 100644
+--- a/security/smack/smack.h
++++ b/security/smack/smack.h
+@@ -120,6 +120,7 @@ struct inode_smack {
+ struct task_smack {
+ struct smack_known *smk_task; /* label for access control */
+ struct smack_known *smk_forked; /* label when forked */
++ struct smack_known *smk_transmuted;/* label when transmuted */
+ struct list_head smk_rules; /* per task access rules */
+ struct mutex smk_rules_lock; /* lock for the rules */
+ struct list_head smk_relabel; /* transit allowed labels */
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index db729834d8ba9..266eb8ca33818 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -1032,8 +1032,9 @@ static int smack_inode_init_security(struct inode *inode, struct inode *dir,
+ const struct qstr *qstr, const char **name,
+ void **value, size_t *len)
+ {
++ struct task_smack *tsp = current_security();
+ struct inode_smack *issp = inode->i_security;
+- struct smack_known *skp = smk_of_current();
++ struct smack_known *skp = smk_of_task(tsp);
+ struct smack_known *isp = smk_of_inode(inode);
+ struct smack_known *dsp = smk_of_inode(dir);
+ int may;
+@@ -1042,20 +1043,34 @@ static int smack_inode_init_security(struct inode *inode, struct inode *dir,
+ *name = XATTR_SMACK_SUFFIX;
+ 
+ if (value && len) {
+- rcu_read_lock();
+- may = smk_access_entry(skp->smk_known, dsp->smk_known,
+- &skp->smk_rules);
+- rcu_read_unlock();
++ /*
++ * If equal, transmuting already occurred in
++ * smack_dentry_create_files_as(). No need to check again.
++ */
++ if (tsp->smk_task != tsp->smk_transmuted) {
++ rcu_read_lock();
++ may = smk_access_entry(skp->smk_known, dsp->smk_known,
++ &skp->smk_rules);
++ rcu_read_unlock();
++ }
+ 
+ /*
+- * If the access rule allows transmutation and
+- * the directory requests transmutation then
+- * by all means transmute.
++ * In addition to having smk_task equal to smk_transmuted,
++ * if the access rule allows transmutation and the directory
++ * requests transmutation then by all means transmute.
+ * Mark the inode as changed.
+ */
+- if (may > 0 && ((may & MAY_TRANSMUTE) != 0) &&
+- smk_inode_transmutable(dir)) {
+- isp = dsp;
++ if ((tsp->smk_task == tsp->smk_transmuted) ||
++ (may > 0 && ((may & MAY_TRANSMUTE) != 0) &&
++ smk_inode_transmutable(dir))) {
++ /*
++ * The caller of smack_dentry_create_files_as()
++ * should have overridden the current cred, so the
++ * inode label was already set correctly in
++ * smack_inode_alloc_security().
++ */
++ if (tsp->smk_task != tsp->smk_transmuted)
++ isp = dsp;
+ issp->smk_flags |= SMK_INODE_CHANGED;
+ }
+ 
+@@ -4677,8 +4692,10 @@ static int smack_dentry_create_files_as(struct dentry *dentry, int mode,
+ * providing access is transmuting use the containing
+ * directory label instead of the process label.
+ */
+- if (may > 0 && (may & MAY_TRANSMUTE))
++ if (may > 0 && (may & MAY_TRANSMUTE)) {
+ ntsp->smk_task = isp->smk_inode;
++ ntsp->smk_transmuted = ntsp->smk_task;
++ }
+ }
+ return 0;
+ }
+-- 
+2.40.1
+
diff --git a/queue-4.19/smack-retrieve-transmuting-information-in-smack_inod.patch b/queue-4.19/smack-retrieve-transmuting-information-in-smack_inod.patch
new file mode 100644
index 00000000000..8213d56301c
--- /dev/null
+++ b/queue-4.19/smack-retrieve-transmuting-information-in-smack_inod.patch
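Review bot: `may` stays uninitialised on the path where `tsp->smk_task == tsp->smk_transmuted` in the second smack_lsm.c hunk, because the declaration `int may;` has no initialiser and the assignment now sits inside the `if (tsp->smk_task != tsp->smk_transmuted)` block; the later `if ((tsp->smk_task == tsp->smk_transmuted) || (may > 0 && …))` avoids reading it only through short-circuit order, which is correct but fragile and a likely -Wmaybe-uninitialized hit. Initialising the declaration, `int may = 0;`, keeps the no-transmute path a denial by construction even if the conditions are reordered later. The same equality is what skips the rule lookup entirely, so it is worth confirming that every allocation of struct task_smack (new_task_smack and the cred prepare/transfer paths, none of which are in this patch) zeroes smk_transmuted and that smack_dentry_create_files_as() leaves it cleared on its non-transmuting path, which lies before the third hunk; a stale or unzeroed value that happens to equal smk_task would mark the inode transmuted without consulting a rule. All three smack_lsm.c hunks are excerpts: smack_inode_init_security() and smack_dentry_create_files_as() both begin and end outside the shown lines.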
@@ -0,0 +1,75 @@
+From 765b103c8d2a7fc0e0188826d760f2436563dff2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 28 Sep 2023 18:51:37 -0700
+Subject: smack: Retrieve transmuting information in smack_inode_getsecurity()
+
+From: Roberto Sassu
+
+commit 3a3d8fce31a49363cc31880dce5e3b0617c9c38b upstream.
+
+Enhance smack_inode_getsecurity() to retrieve the value for
+SMACK64TRANSMUTE from the inode security blob, similarly to SMACK64.
+
+This helps to display accurate values in the situation where the security
+labels come from mount options and not from xattrs.
+
+Signed-off-by: Roberto Sassu
+Signed-off-by: Casey Schaufler
+[4.19: adjusted for the lack of helper functions]
+Fixes: d6d80cb57be4 ("Smack: Base support for overlayfs")
+Signed-off-by: Munehisa Kamata
+Signed-off-by: Sasha Levin
+---
+ security/smack/smack_lsm.c | 22 ++++++++++++++++++----
+ 1 file changed, 18 insertions(+), 4 deletions(-)
+
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index a09a9c6bbdf63..db729834d8ba9 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -1490,10 +1490,19 @@ static int smack_inode_getsecurity(struct inode *inode,
+ struct super_block *sbp;
+ struct inode *ip = (struct inode *)inode;
+ struct smack_known *isp;
++ struct inode_smack *ispp;
++ size_t label_len;
++ char *label = NULL;
+ 
+- if (strcmp(name, XATTR_SMACK_SUFFIX) == 0)
++ if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) {
+ isp = smk_of_inode(inode);
+- else {
++ } else if (strcmp(name, XATTR_SMACK_TRANSMUTE) == 0) {
++ ispp = inode->i_security;
++ if (ispp->smk_flags & SMK_INODE_TRANSMUTE)
++ label = TRANS_TRUE;
++ else
++ label = "";
++ } else {
+ /*
+ * The rest of the Smack xattrs are only on sockets.
+ */
+@@ -1515,13 +1524,18 @@ static int smack_inode_getsecurity(struct inode *inode,
+ return -EOPNOTSUPP;
+ }
+ 
++ if (!label)
++ label = isp->smk_known;
++
++ label_len = strlen(label);
++
+ if (alloc) {
+- *buffer = kstrdup(isp->smk_known, GFP_KERNEL);
++ *buffer = kstrdup(label, GFP_KERNEL);
+ if (*buffer == NULL)
+ return -ENOMEM;
+ }
+ 
+- return strlen(isp->smk_known);
++ return label_len;
+ }
+ 
+ 
+-- 
+2.40.1
+
diff --git a/queue-4.19/smack-use-overlay-inode-label-in-smack_inode_copy_up.patch b/queue-4.19/smack-use-overlay-inode-label-in-smack_inode_copy_up.patch
new file mode 100644
index 00000000000..1cfcf0e6e05
--- /dev/null
+++ b/queue-4.19/smack-use-overlay-inode-label-in-smack_inode_copy_up.patch
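Review bot: The new `else if (strcmp(name, XATTR_SMACK_TRANSMUTE) == 0)` branch in the first smack_lsm.c hunk reads the flag straight from the inode blob rather than from any stored xattr, which is the whole point of the change but is not visible at the call site; a comment such as `/* Report the transmute bit from the inode blob so labels that came from mount options are visible too */` would carry the commit message's rationale into the code. `return label_len;` in the second hunk hands a `size_t` back through smack_inode_getsecurity()'s `int` return, the same silent narrowing the old `return strlen(isp->smk_known);` had; it is harmless only because Smack labels are length-limited, which deserves a note on the declaration, e.g. `size_t label_len; /* bounded by the Smack label limit, fits the int return */`. The `if (!label) label = isp->smk_known;` fallback depends on the transmute branch always setting `label`, so the `label = "";` else-arm is load-bearing and should not be dropped in a later cleanup. smack_inode_getsecurity() begins before the first hunk, and the socket handling between the two hunks is not shown.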
@@ -0,0 +1,44 @@
+From 0e747ce9666b0ab704b1aee9d3683babc8f468ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 28 Sep 2023 18:51:36 -0700
+Subject: Smack:- Use overlay inode label in smack_inode_copy_up()
+
+From: Vishal Goel
+
+commit 387ef964460f14fe1c1ea29aba70e22731ea7cf7 upstream.
+
+Currently in "smack_inode_copy_up()" function, process label is
+changed with the label on parent inode. Due to which,
+process is assigned directory label and whatever file or directory
+created by the process are also getting directory label
+which is wrong label.
+
+Changes has been done to use label of overlay inode instead
+of parent inode.
+
+Signed-off-by: Vishal Goel
+Signed-off-by: Casey Schaufler
+[4.19: adjusted for the lack of helper functions]
+Fixes: d6d80cb57be4 ("Smack: Base support for overlayfs")
+Signed-off-by: Munehisa Kamata
+Signed-off-by: Sasha Levin
+---
+ security/smack/smack_lsm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index 4f65d953fe318..a09a9c6bbdf63 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -4612,7 +4612,7 @@ static int smack_inode_copy_up(struct dentry *dentry, struct cred **new)
+ /*
+ * Get label from overlay inode and set it in create_sid
+ */
+- isp = d_inode(dentry->d_parent)->i_security;
++ isp = d_inode(dentry)->i_security;
+ skp = isp->smk_inode;
+ tsp->smk_task = skp;
+ *new = new_creds;
+-- 
+2.40.1
+
-- 
2.47.3
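Review bot: The fixed line still walks the inode_smack blob by hand, `isp = d_inode(dentry)->i_security;` followed by `skp = isp->smk_inode;`, although the file already has smk_of_inode() for exactly this (the neighbouring retrieve-transmuting patch calls `isp = smk_of_inode(inode)` in smack_inode_getsecurity()); `skp = smk_of_inode(d_inode(dentry));` reads the same label in one line and, if `isp` has no other use in the part of smack_inode_copy_up() before this hunk, lets that local go. The new expression dereferences `d_inode(dentry)` without a check; a copy-up presumably only runs on a positive overlay dentry, so this is a point to confirm rather than a bug, and the old `d_inode(dentry->d_parent)` had the same shape. Since `tsp->smk_task` of the new creds now takes the label of the copied-up object itself, a one-line comment on why the parent's label was wrong (objects created under the overridden cred inherited the directory label, per the commit message) would stop the next reader from "fixing" it back. smack_inode_copy_up() starts before the hunk; its declarations and the new_creds setup are not shown.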