subject:"\[PATCH v5 08\/12\] evm\: Pass user namespace to set\/remove xattr hooks"

Re: [PATCH v5 08/12] evm: Pass user namespace to set/remove xattr hooks

2021-04-07 Thread Christian Brauner

On Wed, Apr 07, 2021 at 12:52:48PM +0200, Roberto Sassu wrote:
> In preparation for 'evm: Allow setxattr() and setattr() for unmodified
> metadata', this patch passes mnt_userns to the inode set/remove xattr hooks
> so that the GID of the inode on an idmapped mount is correctly determined
> by posix_acl_update_mode().
> 
> Cc: Christian Brauner 
> Cc: Andreas Gruenbacher 
> Signed-off-by: Roberto Sassu 
> ---

Looks good,
Reviewed-by: Christian Brauner

[PATCH v5 08/12] evm: Pass user namespace to set/remove xattr hooks

2021-04-07 Thread Roberto Sassu

In preparation for 'evm: Allow setxattr() and setattr() for unmodified
metadata', this patch passes mnt_userns to the inode set/remove xattr hooks
so that the GID of the inode on an idmapped mount is correctly determined
by posix_acl_update_mode().

Cc: Christian Brauner 
Cc: Andreas Gruenbacher 
Signed-off-by: Roberto Sassu 
---
 include/linux/evm.h   | 12 
 security/integrity/evm/evm_main.c | 17 +++--
 security/security.c   |  4 ++--
 3 files changed, 21 insertions(+), 12 deletions(-)

diff --git a/include/linux/evm.h b/include/linux/evm.h
index e5b7bcb152b9..8cad46bcec9d 100644
--- a/include/linux/evm.h
+++ b/include/linux/evm.h
@@ -23,13 +23,15 @@ extern enum integrity_status evm_verifyxattr(struct dentry 
*dentry,
 struct integrity_iint_cache *iint);
 extern int evm_inode_setattr(struct dentry *dentry, struct iattr *attr);
 extern void evm_inode_post_setattr(struct dentry *dentry, int ia_valid);
-extern int evm_inode_setxattr(struct dentry *dentry, const char *name,
+extern int evm_inode_setxattr(struct user_namespace *mnt_userns,
+ struct dentry *dentry, const char *name,
  const void *value, size_t size);
 extern void evm_inode_post_setxattr(struct dentry *dentry,
const char *xattr_name,
const void *xattr_value,
size_t xattr_value_len);
-extern int evm_inode_removexattr(struct dentry *dentry, const char 
*xattr_name);
+extern int evm_inode_removexattr(struct user_namespace *mnt_userns,
+struct dentry *dentry, const char *xattr_name);
 extern void evm_inode_post_removexattr(struct dentry *dentry,
   const char *xattr_name);
 extern int evm_inode_init_security(struct inode *inode,
@@ -72,7 +74,8 @@ static inline void evm_inode_post_setattr(struct dentry 
*dentry, int ia_valid)
return;
 }
 
-static inline int evm_inode_setxattr(struct dentry *dentry, const char *name,
+static inline int evm_inode_setxattr(struct user_namespace *mnt_userns,
+struct dentry *dentry, const char *name,
 const void *value, size_t size)
 {
return 0;
@@ -86,7 +89,8 @@ static inline void evm_inode_post_setxattr(struct dentry 
*dentry,
return;
 }
 
-static inline int evm_inode_removexattr(struct dentry *dentry,
+static inline int evm_inode_removexattr(struct user_namespace *mnt_userns,
+   struct dentry *dentry,
const char *xattr_name)
 {
return 0;
diff --git a/security/integrity/evm/evm_main.c 
b/security/integrity/evm/evm_main.c
index eab536fa260f..74f9f3a2ae53 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -340,7 +340,8 @@ static enum integrity_status 
evm_verify_current_integrity(struct dentry *dentry)
  * For posix xattr acls only, permit security.evm, even if it currently
  * doesn't exist, to be updated unless the EVM signature is immutable.
  */
-static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name,
+static int evm_protect_xattr(struct user_namespace *mnt_userns,
+struct dentry *dentry, const char *xattr_name,
 const void *xattr_value, size_t xattr_value_len)
 {
enum integrity_status evm_status;
@@ -398,6 +399,7 @@ static int evm_protect_xattr(struct dentry *dentry, const 
char *xattr_name,
 
 /**
  * evm_inode_setxattr - protect the EVM extended attribute
+ * @mnt_userns: user namespace of the idmapped mount
  * @dentry: pointer to the affected dentry
  * @xattr_name: pointer to the affected extended attribute name
  * @xattr_value: pointer to the new extended attribute value
@@ -409,8 +411,9 @@ static int evm_protect_xattr(struct dentry *dentry, const 
char *xattr_name,
  * userspace from writing HMAC value.  Writing 'security.evm' requires
  * requires CAP_SYS_ADMIN privileges.
  */
-int evm_inode_setxattr(struct dentry *dentry, const char *xattr_name,
-  const void *xattr_value, size_t xattr_value_len)
+int evm_inode_setxattr(struct user_namespace *mnt_userns, struct dentry 
*dentry,
+  const char *xattr_name, const void *xattr_value,
+  size_t xattr_value_len)
 {
const struct evm_ima_xattr_data *xattr_data = xattr_value;
 
@@ -427,19 +430,21 @@ int evm_inode_setxattr(struct dentry *dentry, const char 
*xattr_name,
xattr_data->type != EVM_XATTR_PORTABLE_DIGSIG)
return -EPERM;
}
-   return evm_protect_xattr(dentry, xattr_name, xattr_value,
+   return evm_protect_xattr(mnt_userns, dentry, xattr_name, xattr_value,
 xattr_value_len);
 }

Re: [PATCH v5 08/12] evm: Pass user namespace to set/remove xattr hooks

[PATCH v5 08/12] evm: Pass user namespace to set/remove xattr hooks

2 matches

Site Navigation

Mail list logo

Footer information