On Thu, Jul 21, 2016 at 5:16 PM, Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> On Wed, Jul 13, 2016 at 10:44 AM, Vivek Goyal <vgoyal@xxxxxxxxxx> wrote:
>> Hi All,
>>
>> Please find attached the V3 of patches. Changes since V2 are as follows.
>>
>> - Fixed the build issue with CONFIG_SECURITY=n.
>>
>> - Dan Walsh was writing more tests for selinux-testsuite and noted a couple
>> of issues. I have fixed those issues and added two more patches to the series.
>>
>> 1. We are resetting the MAY_WRITE check for the lower inode, assuming the file will
>> be copied up. But this is not true for special_file(), as these files
>> are not copied up. So checks should not be reset in the case of a special
>> file.
>>
>> 2. We are resetting the MAY_WRITE check for the lower inode, assuming the file will
>> be copied up. But this also should mean that the mounter has permission
>> to MAY_READ the lower file for copy up to succeed. So add a MAY_READ
>> check while resetting MAY_WRITE.
>>
>> The original description of the patches follows.
>>
>> Following are RFC patches to support SELinux with overlayfs. I started
>> with David Howells's latest posting on this topic and started modifying
>> the patches. These patches apply on top of the overlayfs-next branch of Miklos's
>> vfs git tree.
>>
>> git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs.git overlayfs-next
>>
>> These patches can be pulled from my branch too.
>>
>> https://github.com/rhvgoyal/linux/commits/overlayfs-selinux-mounter-next
>>
>> Thanks to Dan Walsh, Stephen Smalley and Miklos Szeredi for numerous
>> conversations and ideas that helped in figuring out what one reasonable
>> implementation might look like.
>>
>> Dan Walsh has been writing tests for SELinux overlayfs in selinux-testsuite.
>> These patches pass those tests now.
>>
>> https://github.com/rhatdan/selinux-testsuite/commits/master
>>
>> Posting these patches for review and comments.
>>
>> These patches introduce 3 new security hooks.
>>
>> - security_inode_copy_up(), is called when a file is copied up. This hook
>> prepares a new set of creds which is used for the copy up operation. A
>> new set of creds is prepared so that ->create_sid can be set appropriately
>> and the newly created file is labeled properly.
>>
>> When a file is copied up, the label of the lower file is retained, except for the
>> case of a context= mount, where the new file gets the label from the context= option.
>>
>> - security_inode_copy_up_xattr(), is called when the xattrs of a file are
>> being copied up. Before this we already called security_inode_copy_up()
>> and created the new file and copied up the data. That means the file already got
>> labeled properly and there is no need to take the SELinux xattr of the lower
>> file and overwrite the upper file xattr. So this hook is used to avoid
>> copying up the SELinux xattr.
>>
>> - dentry_create_files_as(), is called when a new file is about to be created.
>> This hook determines what the label of the file should be if the task had
>> created that file in upper/ and sets create_sid accordingly in the passed
>> in creds.
>>
>> Normal transition rules don't work for the case of context mounts, as the
>> underlying file system is not aware of the context option, which only the overlay
>> layer is aware of. For non-context mounts, creation can happen in the work/
>> dir first and then the file might be renamed into upper/, and it might get
>> its label based on the work/ dir. So this hook helps avoid all these issues.
>>
>> When a new file is created in upper/, it gets its label based on transition
>> rules. For the case of a context mount, it gets the label from the context=
>> option.
>>
>> Any feedback is welcome.
>
> Hi Vivek,
>
> These patches look fine to me, thanks for all your hard work and to
> everyone who helped review and provide feedback. I have tagged these
> patches for merging into the SELinux next branch after this merge
> window.

Okay, I just merged these patches into selinux#next. With the exception of
some changes to restore the mode argument to ovl_create_or_link() and to
fix some whitespace damage, the patches were merged cleanly.

-- 
paul moore
www.paul-moore.com