From: Vivek Goyal <vgoyal@redhat.com>
To: miklos@szeredi.hu, sds@tycho.nsa.gov, pmoore@redhat.com,
casey@schaufler-ca.com, linux-kernel@vger.kernel.org,
linux-unionfs@vger.kernel.org,
linux-security-module@vger.kernel.org
Cc: dwalsh@redhat.com, dhowells@redhat.com, viro@ZenIV.linux.org.uk,
vgoyal@redhat.com, linux-fsdevel@vger.kernel.org
Subject: [PATCH 7/9] selinux: Implement dentry_create_files_as() hook
Date: Wed, 13 Jul 2016 10:44:53 -0400 [thread overview]
Message-ID: <1468421095-22322-8-git-send-email-vgoyal@redhat.com> (raw)
In-Reply-To: <1468421095-22322-1-git-send-email-vgoyal@redhat.com>
Calculate what would be the label of newly created file and set that secid
in the passed creds.
Context of the task which is actually creating file is retrieved from
set of creds passed in. (old->security).
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
---
security/selinux/hooks.c | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index ae11fd9..77eb5a8 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2825,6 +2825,27 @@ static int selinux_dentry_init_security(struct dentry *dentry, int mode,
return security_sid_to_context(newsid, (char **)ctx, ctxlen);
}
+static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
+ struct qstr *name,
+ const struct cred *old,
+ struct cred *new)
+{
+ u32 newsid;
+ int rc;
+ struct task_security_struct *tsec;
+
+ rc = selinux_determine_inode_label(old->security,
+ d_inode(dentry->d_parent), name,
+ inode_mode_to_security_class(mode),
+ &newsid);
+ if (rc)
+ return rc;
+
+ tsec = new->security;
+ tsec->create_sid = newsid;
+ return 0;
+}
+
static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
const struct qstr *qstr,
const char **name,
@@ -6066,6 +6087,7 @@ static struct security_hook_list selinux_hooks[] = {
LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
+ LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
--
2.7.4
next prev parent reply other threads:[~2016-07-13 14:44 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-07-13 14:44 [RFC PATCH 0/9][V3] Overlayfs SELinux Support Vivek Goyal
2016-07-13 14:44 ` [PATCH 1/9] security, overlayfs: provide copy up security hook for unioned files Vivek Goyal
2016-07-13 14:52 ` Stephen Smalley
2016-07-13 14:56 ` Vivek Goyal
2016-07-13 15:13 ` Vivek Goyal
2016-07-14 14:32 ` Stephen Smalley
2016-07-13 14:44 ` [PATCH 2/9] selinux: Implementation for inode_copy_up() hook Vivek Goyal
2016-07-13 14:53 ` Stephen Smalley
2016-07-13 14:44 ` [PATCH 3/9] security,overlayfs: Provide security hook for copy up of xattrs for overlay file Vivek Goyal
2016-07-14 14:20 ` Stephen Smalley
2016-07-13 14:44 ` [PATCH 4/9] selinux: Implementation for inode_copy_up_xattr() hook Vivek Goyal
2016-07-13 14:54 ` Stephen Smalley
2016-07-13 14:44 ` [PATCH 5/9] selinux: Pass security pointer to determine_inode_label() Vivek Goyal
2016-07-13 14:56 ` Stephen Smalley
2016-07-13 14:44 ` [PATCH 6/9] security, overlayfs: Provide hook to correctly label newly created files Vivek Goyal
2016-07-13 14:57 ` Stephen Smalley
2016-07-13 14:59 ` Stephen Smalley
2016-07-14 14:29 ` Stephen Smalley
2016-07-13 14:44 ` Vivek Goyal [this message]
2016-07-13 14:59 ` [PATCH 7/9] selinux: Implement dentry_create_files_as() hook Stephen Smalley
2016-07-13 14:44 ` [PATCH 8/9] overlayfs: Dilute permission checks on lower only if not special file Vivek Goyal
2016-07-14 6:51 ` Miklos Szeredi
2016-07-13 14:44 ` [PATCH 9/9] overlayfs: Append MAY_READ when diluting write checks Vivek Goyal
2016-07-14 6:49 ` Miklos Szeredi
2016-07-21 21:16 ` [RFC PATCH 0/9][V3] Overlayfs SELinux Support Paul Moore
2016-07-21 23:09 ` James Morris
2016-07-22 7:05 ` Miklos Szeredi
2016-07-22 15:33 ` Paul Moore
2016-08-08 12:46 ` Miklos Szeredi
2016-08-08 13:18 ` Paul Moore
2016-08-09 1:19 ` Paul Moore
2016-08-10 9:11 ` Miklos Szeredi
2016-08-10 12:32 ` Paul Moore
2016-08-10 12:52 ` Daniel J Walsh
2016-08-11 12:36 ` Paul Moore
2016-08-11 12:39 ` Daniel J Walsh
2016-08-11 14:06 ` Daniel J Walsh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1468421095-22322-8-git-send-email-vgoyal@redhat.com \
--to=vgoyal@redhat.com \
--cc=casey@schaufler-ca.com \
--cc=dhowells@redhat.com \
--cc=dwalsh@redhat.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linux-unionfs@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=pmoore@redhat.com \
--cc=sds@tycho.nsa.gov \
--cc=viro@ZenIV.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).