Commit 254947d4 authored by David Howells's avatar David Howells
Browse files

cachefiles: Add security derivation 



Implement code to derive a new set of creds for the cachefiles to use when
making VFS or I/O calls and to change the auditing info since the
application interacting with the network filesystem is not accessing the
cache directly.  Cachefiles uses override_creds() to change the effective
creds temporarily.

set_security_override_from_ctx() is called to derive the LSM 'label' that
the cachefiles driver will act with.  set_create_files_as() is called to
determine the LSM 'label' that will be applied to files and directories
created in the cache.  These functions alter the new creds.

Also implement a couple of functions to wrap the calls to begin/end cred
overriding.

Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
Reviewed-by: default avatarJeff Layton <jlayton@kernel.org>
cc: linux-cachefs@redhat.com
Link: https://lore.kernel.org/r/163819627469.215744.3603633690679962985.stgit@warthog.procyon.org.uk/ # v1
Link: https://lore.kernel.org/r/163906928172.143852.15886637013364286786.stgit@warthog.procyon.org.uk/ # v2
Link: https://lore.kernel.org/r/163967138138.1823006.7620933448261939504.stgit@warthog.procyon.org.uk/ # v3
Link: https://lore.kernel.org/r/164021537001.640689.4081334436031700558.stgit@warthog.procyon.org.uk/ # v4
parent 1493bf74

fs/cachefiles/Makefile

+2 −1
Original line number Diff line number Diff line
@@ -4,7 +4,8 @@ 
#



cachefiles-y := \

	main.o

	main.o \

	security.o



cachefiles-$(CONFIG_CACHEFILES_ERROR_INJECTION) += error_inject.o

fs/cachefiles/internal.h

+20 −0
Original line number Diff line number Diff line
@@ -104,6 +104,26 @@ static inline int cachefiles_inject_remove_error(void) 
	return cachefiles_error_injection_state & 2 ? -EIO : 0;

}



/*

 * security.c

 */

extern int cachefiles_get_security_ID(struct cachefiles_cache *cache);

extern int cachefiles_determine_cache_security(struct cachefiles_cache *cache,

					       struct dentry *root,

					       const struct cred **_saved_cred);



static inline void cachefiles_begin_secure(struct cachefiles_cache *cache,

					   const struct cred **_saved_cred)

{

	*_saved_cred = override_creds(cache->cache_cred);

}



static inline void cachefiles_end_secure(struct cachefiles_cache *cache,

					 const struct cred *saved_cred)

{

	revert_creds(saved_cred);

}



/*

 * Error handling

 */

fs/cachefiles/security.c

0 → 100644
+112 −0
Original line number Diff line number Diff line 
// SPDX-License-Identifier: GPL-2.0-or-later

/* CacheFiles security management

 *

 * Copyright (C) 2007, 2021 Red Hat, Inc. All Rights Reserved.

 * Written by David Howells (dhowells@redhat.com)

 */



#include <linux/fs.h>

#include <linux/cred.h>

#include "internal.h"



/*

 * determine the security context within which we access the cache from within

 * the kernel

 */

int cachefiles_get_security_ID(struct cachefiles_cache *cache)

{

	struct cred *new;

	int ret;



	_enter("{%s}", cache->secctx);



	new = prepare_kernel_cred(current);

	if (!new) {

		ret = -ENOMEM;

		goto error;

	}



	if (cache->secctx) {

		ret = set_security_override_from_ctx(new, cache->secctx);

		if (ret < 0) {

			put_cred(new);

			pr_err("Security denies permission to nominate security context: error %d\n",

			       ret);

			goto error;

		}

	}



	cache->cache_cred = new;

	ret = 0;

error:

	_leave(" = %d", ret);

	return ret;

}



/*

 * see if mkdir and create can be performed in the root directory

 */

static int cachefiles_check_cache_dir(struct cachefiles_cache *cache,

				      struct dentry *root)

{

	int ret;



	ret = security_inode_mkdir(d_backing_inode(root), root, 0);

	if (ret < 0) {

		pr_err("Security denies permission to make dirs: error %d",

		       ret);

		return ret;

	}



	ret = security_inode_create(d_backing_inode(root), root, 0);

	if (ret < 0)

		pr_err("Security denies permission to create files: error %d",

		       ret);



	return ret;

}



/*

 * check the security details of the on-disk cache

 * - must be called with security override in force

 * - must return with a security override in force - even in the case of an

 *   error

 */

int cachefiles_determine_cache_security(struct cachefiles_cache *cache,

					struct dentry *root,

					const struct cred **_saved_cred)

{

	struct cred *new;

	int ret;



	_enter("");



	/* duplicate the cache creds for COW (the override is currently in

	 * force, so we can use prepare_creds() to do this) */

	new = prepare_creds();

	if (!new)

		return -ENOMEM;



	cachefiles_end_secure(cache, *_saved_cred);



	/* use the cache root dir's security context as the basis with

	 * which create files */

	ret = set_create_files_as(new, d_backing_inode(root));

	if (ret < 0) {

		abort_creds(new);

		cachefiles_begin_secure(cache, _saved_cred);

		_leave(" = %d [cfa]", ret);

		return ret;

	}



	put_cred(cache->cache_cred);

	cache->cache_cred = new;



	cachefiles_begin_secure(cache, _saved_cred);

	ret = cachefiles_check_cache_dir(cache, root);



	if (ret == -EOPNOTSUPP)

		ret = 0;

	_leave(" = %d", ret);

	return ret;

}