mirrors/linux
1
0
Fork 1
mirror of https://github.com/torvalds/linux.git synced 2025-11-04 10:40:15 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

vfs: move cap_convert_nscap() call into vfs_setxattr()

Browse source 
cap_convert_nscap() does permission checking as well as conversion of the
xattr value conditionally based on fs's user-ns.

This is needed by overlayfs and probably other layered fs (ecryptfs) and is
what vfs_foo() is supposed to do anyway.

Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Acked-by: James Morris <jamorris@linux.microsoft.com>
This commit is contained in:
Miklos Szeredi 2020-12-14 15:26:13 +01:00
parent c11faf3259
commit 7c03e2cda4
3 changed files with 13 additions and 9 deletions
repo.diff.show_diff_stats Download patch file Download diff file Expand all files Collapse all files

17
fs/xattr.c
View file

@ -276,8 +276,16 @@ vfs_setxattr(struct dentry *dentry, const char *name, const void *value,
{ {
struct inode *inode = dentry->d_inode; struct inode *inode = dentry->d_inode;
struct inode *delegated_inode = NULL; struct inode *delegated_inode = NULL;
const void *orig_value = value;
int error; int error;
if (size && strcmp(name, XATTR_NAME_CAPS) == 0) {
error = cap_convert_nscap(dentry, &value, size);
if (error < 0)
return error;
size = error;
}
retry_deleg: retry_deleg:
inode_lock(inode); inode_lock(inode);
error = __vfs_setxattr_locked(dentry, name, value, size, flags, error = __vfs_setxattr_locked(dentry, name, value, size, flags,
@ -289,6 +297,9 @@ vfs_setxattr(struct dentry *dentry, const char *name, const void *value,
if (!error) if (!error)
goto retry_deleg; goto retry_deleg;
} }
if (value != orig_value)
kfree(value);
return error; return error;
} }
EXPORT_SYMBOL_GPL(vfs_setxattr); EXPORT_SYMBOL_GPL(vfs_setxattr);
@ -537,12 +548,6 @@ setxattr(struct dentry *d, const char __user *name, const void __user *value,
if ((strcmp(kname, XATTR_NAME_POSIX_ACL_ACCESS) == 0) || if ((strcmp(kname, XATTR_NAME_POSIX_ACL_ACCESS) == 0) ||
(strcmp(kname, XATTR_NAME_POSIX_ACL_DEFAULT) == 0)) (strcmp(kname, XATTR_NAME_POSIX_ACL_DEFAULT) == 0))
posix_acl_fix_xattr_from_user(kvalue, size); posix_acl_fix_xattr_from_user(kvalue, size);
else if (strcmp(kname, XATTR_NAME_CAPS) == 0) {
error = cap_convert_nscap(d, &kvalue, size);
if (error < 0)
goto out;
size = error;
}
} }
error = vfs_setxattr(d, kname, kvalue, size, flags); error = vfs_setxattr(d, kname, kvalue, size, flags);

2
include/linux/capability.h
View file

@ -270,6 +270,6 @@ static inline bool checkpoint_restore_ns_capable(struct user_namespace *ns)
/* audit system wants to get cap info from files as well */ /* audit system wants to get cap info from files as well */
extern int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps); extern int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps);
extern int cap_convert_nscap(struct dentry *dentry, void **ivalue, size_t size); extern int cap_convert_nscap(struct dentry *dentry, const void **ivalue, size_t size);
#endif /* !_LINUX_CAPABILITY_H */ #endif /* !_LINUX_CAPABILITY_H */

3
security/commoncap.c
View file

@ -473,7 +473,7 @@ static bool validheader(size_t size, const struct vfs_cap_data *cap)
* *
* If all is ok, we return the new size, on error return < 0. * If all is ok, we return the new size, on error return < 0.
*/ */
int cap_convert_nscap(struct dentry *dentry, void **ivalue, size_t size) int cap_convert_nscap(struct dentry *dentry, const void **ivalue, size_t size)
{ {
struct vfs_ns_cap_data *nscap; struct vfs_ns_cap_data *nscap;
uid_t nsrootid; uid_t nsrootid;
@ -516,7 +516,6 @@ int cap_convert_nscap(struct dentry *dentry, void **ivalue, size_t size)
nscap->magic_etc = cpu_to_le32(nsmagic); nscap->magic_etc = cpu_to_le32(nsmagic);
memcpy(&nscap->data, &cap->data, sizeof(__le32) * 2 * VFS_CAP_U32); memcpy(&nscap->data, &cap->data, sizeof(__le32) * 2 * VFS_CAP_U32);
kvfree(*ivalue);
*ivalue = nscap; *ivalue = nscap;
return newsize; return newsize;
} }