Add SELinux OverlayFS support

1 files changed, 931 insertions, 0 deletions

diff --git a/security-selinux-overlayfs-support.patch b/security-selinux-overlayfs-support.patch
new file mode 100644
index 000000000..7149e4566
--- /dev/null
+++ b/security-selinux-overlayfs-support.patch
@@ -0,0 +1,931 @@
+From 1a93a6eac32a2853177f10e274b9b761b42356eb Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javier@osg.samsung.com>
+Date: Mon, 8 Aug 2016 13:08:25 -0400
+Subject: [PATCH 01/10] security: Use IS_ENABLED() instead of checking for
+ built-in or module
+
+The IS_ENABLED() macro checks if a Kconfig symbol has been enabled
+either built-in or as a module, use that macro instead of open coding
+the same.
+
+Signed-off-by: Javier Martinez Canillas <javier@osg.samsung.com>
+Acked-by: Casey Schaufler <casey@schaufler-ca.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+---
+ security/lsm_audit.c             |  2 +-
+ security/selinux/hooks.c         | 12 ++++++------
+ security/smack/smack_netfilter.c |  4 ++--
+ 3 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/security/lsm_audit.c b/security/lsm_audit.c
+index cccbf30..5369036 100644
+--- a/security/lsm_audit.c
++++ b/security/lsm_audit.c
+@@ -99,7 +99,7 @@ int ipv4_skb_to_auditdata(struct sk_buff *skb,
+ 	}
+ 	return ret;
+ }
+-#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
++#if IS_ENABLED(CONFIG_IPV6)
+ /**
+  * ipv6_skb_to_auditdata : fill auditdata from skb
+  * @skb : the skb
+diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
+index 13185a6..880f953 100644
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -3984,7 +3984,7 @@ out:
+ 	return ret;
+ }
+
+-#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
++#if IS_ENABLED(CONFIG_IPV6)
+
+ /* Returns error only if unable to parse addresses */
+ static int selinux_parse_skb_ipv6(struct sk_buff *skb,
+@@ -4075,7 +4075,7 @@ static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
+ 				       &ad->u.net->v4info.daddr);
+ 		goto okay;
+
+-#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
++#if IS_ENABLED(CONFIG_IPV6)
+ 	case PF_INET6:
+ 		ret = selinux_parse_skb_ipv6(skb, ad, proto);
+ 		if (ret)
+@@ -5029,7 +5029,7 @@ static unsigned int selinux_ipv4_forward(void *priv,
+ 	return selinux_ip_forward(skb, state->in, PF_INET);
+ }
+
+-#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
++#if IS_ENABLED(CONFIG_IPV6)
+ static unsigned int selinux_ipv6_forward(void *priv,
+ 					 struct sk_buff *skb,
+ 					 const struct nf_hook_state *state)
+@@ -5087,7 +5087,7 @@ static unsigned int selinux_ipv4_output(void *priv,
+ 	return selinux_ip_output(skb, PF_INET);
+ }
+
+-#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
++#if IS_ENABLED(CONFIG_IPV6)
+ static unsigned int selinux_ipv6_output(void *priv,
+ 					struct sk_buff *skb,
+ 					const struct nf_hook_state *state)
+@@ -5273,7 +5273,7 @@ static unsigned int selinux_ipv4_postroute(void *priv,
+ 	return selinux_ip_postroute(skb, state->out, PF_INET);
+ }
+
+-#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
++#if IS_ENABLED(CONFIG_IPV6)
+ static unsigned int selinux_ipv6_postroute(void *priv,
+ 					   struct sk_buff *skb,
+ 					   const struct nf_hook_state *state)
+@@ -6317,7 +6317,7 @@ static struct nf_hook_ops selinux_nf_ops[] = {
+ 		.hooknum =	NF_INET_LOCAL_OUT,
+ 		.priority =	NF_IP_PRI_SELINUX_FIRST,
+ 	},
+-#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
++#if IS_ENABLED(CONFIG_IPV6)
+ 	{
+ 		.hook =		selinux_ipv6_postroute,
+ 		.pf =		NFPROTO_IPV6,
+diff --git a/security/smack/smack_netfilter.c b/security/smack/smack_netfilter.c
+index aa6bf1b..205b785 100644
+--- a/security/smack/smack_netfilter.c
++++ b/security/smack/smack_netfilter.c
+@@ -20,7 +20,7 @@
+ #include <net/inet_sock.h>
+ #include "smack.h"
+
+-#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
++#if IS_ENABLED(CONFIG_IPV6)
+
+ static unsigned int smack_ipv6_output(void *priv,
+ 					struct sk_buff *skb,
+@@ -64,7 +64,7 @@ static struct nf_hook_ops smack_nf_ops[] = {
+ 		.hooknum =	NF_INET_LOCAL_OUT,
+ 		.priority =	NF_IP_PRI_SELINUX_FIRST,
+ 	},
+-#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
++#if IS_ENABLED(CONFIG_IPV6)
+ 	{
+ 		.hook =		smack_ipv6_output,
+ 		.pf =		NFPROTO_IPV6,
+-- 
+2.7.4
+
+From 8b31f456c72e53ee97474a538bcd91bfb1b93fb7 Mon Sep 17 00:00:00 2001
+From: William Roberts <william.c.roberts@intel.com>
+Date: Mon, 8 Aug 2016 13:08:34 -0400
+Subject: [PATCH 02/10] selinux: print leading 0x on ioctlcmd audits
+
+ioctlcmd is currently printing hex numbers, but their is no leading
+0x. Thus things like ioctlcmd=1234 are misleading, as the base is
+not evident.
+
+Correct this by adding 0x as a prefix, so ioctlcmd=1234 becomes
+ioctlcmd=0x1234.
+
+Signed-off-by: William Roberts <william.c.roberts@intel.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+---
+ security/lsm_audit.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/lsm_audit.c b/security/lsm_audit.c
+index 5369036..9bf8518 100644
+--- a/security/lsm_audit.c
++++ b/security/lsm_audit.c
+@@ -257,7 +257,7 @@ static void dump_common_audit_data(struct audit_buffer *ab,
+ 			audit_log_format(ab, " ino=%lu", inode->i_ino);
+ 		}
+
+-		audit_log_format(ab, " ioctlcmd=%hx", a->u.op->cmd);
++		audit_log_format(ab, " ioctlcmd=0x%hx", a->u.op->cmd);
+ 		break;
+ 	}
+ 	case LSM_AUDIT_DATA_DENTRY: {
+-- 
+2.7.4
+
+From d8ad8b49618410ddeafd78465b63a6cedd6c9484 Mon Sep 17 00:00:00 2001
+From: Vivek Goyal <vgoyal@redhat.com>
+Date: Wed, 13 Jul 2016 11:13:56 -0400
+Subject: [PATCH 03/10] security, overlayfs: provide copy up security hook for
+ unioned files
+
+Provide a security hook to label new file correctly when a file is copied
+up from lower layer to upper layer of a overlay/union mount.
+
+This hook can prepare a new set of creds which are suitable for new file
+creation during copy up. Caller will use new creds to create file and then
+revert back to old creds and release new creds.
+
+Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
+Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
+[PM: whitespace cleanup to appease checkpatch.pl]
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+---
+ fs/overlayfs/copy_up.c    | 15 +++++++++++++++
+ include/linux/lsm_hooks.h | 11 +++++++++++
+ include/linux/security.h  |  6 ++++++
+ security/security.c       |  8 ++++++++
+ 4 files changed, 40 insertions(+)
+
+diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c
+index 54e5d66..c297b1f 100644
+--- a/fs/overlayfs/copy_up.c
++++ b/fs/overlayfs/copy_up.c
+@@ -246,6 +246,8 @@ static int ovl_copy_up_locked(struct dentry *workdir, struct dentry *upperdir,
+ 	struct dentry *upper = NULL;
+ 	umode_t mode = stat->mode;
+ 	int err;
++	const struct cred *old_creds = NULL;
++	struct cred *new_creds = NULL;
+
+ 	newdentry = ovl_lookup_temp(workdir, dentry);
+ 	err = PTR_ERR(newdentry);
+@@ -258,10 +260,23 @@ static int ovl_copy_up_locked(struct dentry *workdir, struct dentry *upperdir,
+ 	if (IS_ERR(upper))
+ 		goto out1;
+
++	err = security_inode_copy_up(dentry, &new_creds);
++	if (err < 0)
++		goto out2;
++
++	if (new_creds)
++		old_creds = override_creds(new_creds);
++
+ 	/* Can't properly set mode on creation because of the umask */
+ 	stat->mode &= S_IFMT;
+ 	err = ovl_create_real(wdir, newdentry, stat, link, NULL, true);
+ 	stat->mode = mode;
++
++	if (new_creds) {
++		revert_creds(old_creds);
++		put_cred(new_creds);
++	}
++
+ 	if (err)
+ 		goto out2;
+
+diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
+index 101bf19..cb69fc8 100644
+--- a/include/linux/lsm_hooks.h
++++ b/include/linux/lsm_hooks.h
+@@ -401,6 +401,15 @@
+  *	@inode contains a pointer to the inode.
+  *	@secid contains a pointer to the location where result will be saved.
+  *	In case of failure, @secid will be set to zero.
++ * @inode_copy_up:
++ *	A file is about to be copied up from lower layer to upper layer of
++ *	overlay filesystem. Security module can prepare a set of new creds
++ *	and modify as need be and return new creds. Caller will switch to
++ *	new creds temporarily to create new file and release newly allocated
++ *	creds.
++ *	@src indicates the union dentry of file that is being copied up.
++ *	@new pointer to pointer to return newly allocated creds.
++ *	Returns 0 on success or a negative error code on error.
+  *
+  * Security hooks for file operations
+  *
+@@ -1425,6 +1434,7 @@ union security_list_options {
+ 	int (*inode_listsecurity)(struct inode *inode, char *buffer,
+ 					size_t buffer_size);
+ 	void (*inode_getsecid)(struct inode *inode, u32 *secid);
++	int (*inode_copy_up)(struct dentry *src, struct cred **new);
+
+ 	int (*file_permission)(struct file *file, int mask);
+ 	int (*file_alloc_security)(struct file *file);
+@@ -1696,6 +1706,7 @@ struct security_hook_heads {
+ 	struct list_head inode_setsecurity;
+ 	struct list_head inode_listsecurity;
+ 	struct list_head inode_getsecid;
++	struct list_head inode_copy_up;
+ 	struct list_head file_permission;
+ 	struct list_head file_alloc_security;
+ 	struct list_head file_free_security;
+diff --git a/include/linux/security.h b/include/linux/security.h
+index 7831cd5..c5b0ccd 100644
+--- a/include/linux/security.h
++++ b/include/linux/security.h
+@@ -282,6 +282,7 @@ int security_inode_getsecurity(struct inode *inode, const char *name, void **buf
+ int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags);
+ int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size);
+ void security_inode_getsecid(struct inode *inode, u32 *secid);
++int security_inode_copy_up(struct dentry *src, struct cred **new);
+ int security_file_permission(struct file *file, int mask);
+ int security_file_alloc(struct file *file);
+ void security_file_free(struct file *file);
+@@ -758,6 +759,11 @@ static inline void security_inode_getsecid(struct inode *inode, u32 *secid)
+ 	*secid = 0;
+ }
+
++static inline int security_inode_copy_up(struct dentry *src, struct cred **new)
++{
++	return 0;
++}
++
+ static inline int security_file_permission(struct file *file, int mask)
+ {
+ 	return 0;
+diff --git a/security/security.c b/security/security.c
+index 4838e7f..f2a7f27 100644
+--- a/security/security.c
++++ b/security/security.c
+@@ -748,6 +748,12 @@ void security_inode_getsecid(struct inode *inode, u32 *secid)
+ 	call_void_hook(inode_getsecid, inode, secid);
+ }
+
++int security_inode_copy_up(struct dentry *src, struct cred **new)
++{
++	return call_int_hook(inode_copy_up, 0, src, new);
++}
++EXPORT_SYMBOL(security_inode_copy_up);
++
+ int security_file_permission(struct file *file, int mask)
+ {
+ 	int ret;
+@@ -1684,6 +1690,8 @@ struct security_hook_heads security_hook_heads = {
+ 		LIST_HEAD_INIT(security_hook_heads.inode_listsecurity),
+ 	.inode_getsecid =
+ 		LIST_HEAD_INIT(security_hook_heads.inode_getsecid),
++	.inode_copy_up =
++		LIST_HEAD_INIT(security_hook_heads.inode_copy_up),
+ 	.file_permission =
+ 		LIST_HEAD_INIT(security_hook_heads.file_permission),
+ 	.file_alloc_security =
+-- 
+2.7.4
+
+From 56909eb3f559103196ecbf2c08c923e0804980fb Mon Sep 17 00:00:00 2001
+From: Vivek Goyal <vgoyal@redhat.com>
+Date: Wed, 13 Jul 2016 10:44:48 -0400
+Subject: [PATCH 04/10] selinux: Implementation for inode_copy_up() hook
+
+A file is being copied up for overlay file system. Prepare a new set of
+creds and set create_sid appropriately so that new file is created with
+appropriate label.
+
+Overlay inode has right label for both context and non-context mount
+cases. In case of non-context mount, overlay inode will have the label
+of lower file and in case of context mount, overlay inode will have
+the label from context= mount option.
+
+Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
+Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+---
+ security/selinux/hooks.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
+index 880f953..40597ed 100644
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -3293,6 +3293,26 @@ static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
+ 	*secid = isec->sid;
+ }
+
++static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
++{
++	u32 sid;
++	struct task_security_struct *tsec;
++	struct cred *new_creds = *new;
++
++	if (new_creds == NULL) {
++		new_creds = prepare_creds();
++		if (!new_creds)
++			return -ENOMEM;
++	}
++
++	tsec = new_creds->security;
++	/* Get label from overlay inode and set it in create_sid */
++	selinux_inode_getsecid(d_inode(src), &sid);
++	tsec->create_sid = sid;
++	*new = new_creds;
++	return 0;
++}
++
+ /* file security operations */
+
+ static int selinux_revalidate_file_permission(struct file *file, int mask)
+@@ -6088,6 +6108,7 @@ static struct security_hook_list selinux_hooks[] = {
+ 	LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
+ 	LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
+ 	LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
++	LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
+
+ 	LSM_HOOK_INIT(file_permission, selinux_file_permission),
+ 	LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
+-- 
+2.7.4
+
+From 121ab822ef21914adac2fa3730efeeb8fd762473 Mon Sep 17 00:00:00 2001
+From: Vivek Goyal <vgoyal@redhat.com>
+Date: Wed, 13 Jul 2016 10:44:49 -0400
+Subject: [PATCH 05/10] security,overlayfs: Provide security hook for copy up
+ of xattrs for overlay file
+
+Provide a security hook which is called when xattrs of a file are being
+copied up. This hook is called once for each xattr and LSM can return
+0 if the security module wants the xattr to be copied up, 1 if the
+security module wants the xattr to be discarded on the copy, -EOPNOTSUPP
+if the security module does not handle/manage the xattr, or a -errno
+upon an error.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
+Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
+[PM: whitespace cleanup for checkpatch.pl]
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+---
+ fs/overlayfs/copy_up.c    |  7 +++++++
+ include/linux/lsm_hooks.h | 10 ++++++++++
+ include/linux/security.h  |  6 ++++++
+ security/security.c       |  8 ++++++++
+ 4 files changed, 31 insertions(+)
+
+diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c
+index c297b1f..cd65f12 100644
+--- a/fs/overlayfs/copy_up.c
++++ b/fs/overlayfs/copy_up.c
+@@ -103,6 +103,13 @@ retry:
+ 			goto retry;
+ 		}
+
++		error = security_inode_copy_up_xattr(name);
++		if (error < 0 && error != -EOPNOTSUPP)
++			break;
++		if (error == 1) {
++			error = 0;
++			continue; /* Discard */
++		}
+ 		error = vfs_setxattr(new, name, value, size, 0);
+ 		if (error)
+ 			break;
+diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
+index cb69fc8..5797122 100644
+--- a/include/linux/lsm_hooks.h
++++ b/include/linux/lsm_hooks.h
+@@ -410,6 +410,14 @@
+  *	@src indicates the union dentry of file that is being copied up.
+  *	@new pointer to pointer to return newly allocated creds.
+  *	Returns 0 on success or a negative error code on error.
++ * @inode_copy_up_xattr:
++ *	Filter the xattrs being copied up when a unioned file is copied
++ *	up from a lower layer to the union/overlay layer.
++ *	@name indicates the name of the xattr.
++ *	Returns 0 to accept the xattr, 1 to discard the xattr, -EOPNOTSUPP if
++ *	security module does not know about attribute or a negative error code
++ *	to abort the copy up. Note that the caller is responsible for reading
++ *	and writing the xattrs as this hook is merely a filter.
+  *
+  * Security hooks for file operations
+  *
+@@ -1435,6 +1443,7 @@ union security_list_options {
+ 					size_t buffer_size);
+ 	void (*inode_getsecid)(struct inode *inode, u32 *secid);
+ 	int (*inode_copy_up)(struct dentry *src, struct cred **new);
++	int (*inode_copy_up_xattr)(const char *name);
+
+ 	int (*file_permission)(struct file *file, int mask);
+ 	int (*file_alloc_security)(struct file *file);
+@@ -1707,6 +1716,7 @@ struct security_hook_heads {
+ 	struct list_head inode_listsecurity;
+ 	struct list_head inode_getsecid;
+ 	struct list_head inode_copy_up;
++	struct list_head inode_copy_up_xattr;
+ 	struct list_head file_permission;
+ 	struct list_head file_alloc_security;
+ 	struct list_head file_free_security;
+diff --git a/include/linux/security.h b/include/linux/security.h
+index c5b0ccd..536fafd 100644
+--- a/include/linux/security.h
++++ b/include/linux/security.h
+@@ -283,6 +283,7 @@ int security_inode_setsecurity(struct inode *inode, const char *name, const void
+ int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size);
+ void security_inode_getsecid(struct inode *inode, u32 *secid);
+ int security_inode_copy_up(struct dentry *src, struct cred **new);
++int security_inode_copy_up_xattr(const char *name);
+ int security_file_permission(struct file *file, int mask);
+ int security_file_alloc(struct file *file);
+ void security_file_free(struct file *file);
+@@ -764,6 +765,11 @@ static inline int security_inode_copy_up(struct dentry *src, struct cred **new)
+ 	return 0;
+ }
+
++static inline int security_inode_copy_up_xattr(const char *name)
++{
++	return -EOPNOTSUPP;
++}
++
+ static inline int security_file_permission(struct file *file, int mask)
+ {
+ 	return 0;
+diff --git a/security/security.c b/security/security.c
+index f2a7f27..a9e2bb9 100644
+--- a/security/security.c
++++ b/security/security.c
+@@ -754,6 +754,12 @@ int security_inode_copy_up(struct dentry *src, struct cred **new)
+ }
+ EXPORT_SYMBOL(security_inode_copy_up);
+
++int security_inode_copy_up_xattr(const char *name)
++{
++	return call_int_hook(inode_copy_up_xattr, -EOPNOTSUPP, name);
++}
++EXPORT_SYMBOL(security_inode_copy_up_xattr);
++
+ int security_file_permission(struct file *file, int mask)
+ {
+ 	int ret;
+@@ -1692,6 +1698,8 @@ struct security_hook_heads security_hook_heads = {
+ 		LIST_HEAD_INIT(security_hook_heads.inode_getsecid),
+ 	.inode_copy_up =
+ 		LIST_HEAD_INIT(security_hook_heads.inode_copy_up),
++	.inode_copy_up_xattr =
++		LIST_HEAD_INIT(security_hook_heads.inode_copy_up_xattr),
+ 	.file_permission =
+ 		LIST_HEAD_INIT(security_hook_heads.file_permission),
+ 	.file_alloc_security =
+-- 
+2.7.4
+
+From 19472b69d639d58415866bf127d5f9005038c105 Mon Sep 17 00:00:00 2001
+From: Vivek Goyal <vgoyal@redhat.com>
+Date: Wed, 13 Jul 2016 10:44:50 -0400
+Subject: [PATCH 06/10] selinux: Implementation for inode_copy_up_xattr() hook
+
+When a file is copied up in overlay, we have already created file on
+upper/ with right label and there is no need to copy up selinux
+label/xattr from lower file to upper file. In fact in case of context
+mount, we don't want to copy up label as newly created file got its label
+from context= option.
+
+Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
+Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+---
+ security/selinux/hooks.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
+index 40597ed..a2d5108 100644
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -3313,6 +3313,21 @@ static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
+ 	return 0;
+ }
+
++static int selinux_inode_copy_up_xattr(const char *name)
++{
++	/* The copy_up hook above sets the initial context on an inode, but we
++	 * don't then want to overwrite it by blindly copying all the lower
++	 * xattrs up.  Instead, we have to filter out SELinux-related xattrs.
++	 */
++	if (strcmp(name, XATTR_NAME_SELINUX) == 0)
++		return 1; /* Discard */
++	/*
++	 * Any other attribute apart from SELINUX is not claimed, supported
++	 * by selinux.
++	 */
++	return -EOPNOTSUPP;
++}
++
+ /* file security operations */
+
+ static int selinux_revalidate_file_permission(struct file *file, int mask)
+@@ -6109,6 +6124,7 @@ static struct security_hook_list selinux_hooks[] = {
+ 	LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
+ 	LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
+ 	LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
++	LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
+
+ 	LSM_HOOK_INIT(file_permission, selinux_file_permission),
+ 	LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
+-- 
+2.7.4
+
+From c957f6df52c509ccfbb96659fd1a0f7812de333f Mon Sep 17 00:00:00 2001
+From: Vivek Goyal <vgoyal@redhat.com>
+Date: Wed, 13 Jul 2016 10:44:51 -0400
+Subject: [PATCH 07/10] selinux: Pass security pointer to
+ determine_inode_label()
+
+Right now selinux_determine_inode_label() works on security pointer of
+current task. Soon I need this to work on a security pointer retrieved
+from a set of creds. So start passing in a pointer and caller can
+decide where to fetch security pointer from.
+
+Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
+Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+---
+ security/selinux/hooks.c | 19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
+index a2d5108..f9d398b 100644
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -1808,13 +1808,13 @@ out:
+ /*
+  * Determine the label for an inode that might be unioned.
+  */
+-static int selinux_determine_inode_label(struct inode *dir,
+-					 const struct qstr *name,
+-					 u16 tclass,
+-					 u32 *_new_isid)
++static int
++selinux_determine_inode_label(const struct task_security_struct *tsec,
++				 struct inode *dir,
++				 const struct qstr *name, u16 tclass,
++				 u32 *_new_isid)
+ {
+ 	const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
+-	const struct task_security_struct *tsec = current_security();
+
+ 	if ((sbsec->flags & SE_SBINITIALIZED) &&
+ 	    (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
+@@ -1857,8 +1857,8 @@ static int may_create(struct inode *dir,
+ 	if (rc)
+ 		return rc;
+
+-	rc = selinux_determine_inode_label(dir, &dentry->d_name, tclass,
+-					   &newsid);
++	rc = selinux_determine_inode_label(current_security(), dir,
++					   &dentry->d_name, tclass, &newsid);
+ 	if (rc)
+ 		return rc;
+
+@@ -2838,7 +2838,8 @@ static int selinux_dentry_init_security(struct dentry *dentry, int mode,
+ 	u32 newsid;
+ 	int rc;
+
+-	rc = selinux_determine_inode_label(d_inode(dentry->d_parent), name,
++	rc = selinux_determine_inode_label(current_security(),
++					   d_inode(dentry->d_parent), name,
+ 					   inode_mode_to_security_class(mode),
+ 					   &newsid);
+ 	if (rc)
+@@ -2863,7 +2864,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
+ 	sid = tsec->sid;
+ 	newsid = tsec->create_sid;
+
+-	rc = selinux_determine_inode_label(
++	rc = selinux_determine_inode_label(current_security(),
+ 		dir, qstr,
+ 		inode_mode_to_security_class(inode->i_mode),
+ 		&newsid);
+-- 
+2.7.4
+
+From 2602625b7e46576b00db619ac788c508ba3bcb2c Mon Sep 17 00:00:00 2001
+From: Vivek Goyal <vgoyal@redhat.com>
+Date: Wed, 13 Jul 2016 10:44:52 -0400
+Subject: [PATCH 08/10] security, overlayfs: Provide hook to correctly label
+ newly created files
+
+During a new file creation we need to make sure new file is created with the
+right label. New file is created in upper/ so effectively file should get
+label as if task had created file in upper/.
+
+We switched to mounter's creds for actual file creation. Also if there is a
+whiteout present, then file will be created in work/ dir first and then
+renamed in upper. In none of the cases file will be labeled as we want it to
+be.
+
+This patch introduces a new hook dentry_create_files_as(), which determines
+the label/context dentry will get if it had been created by task in upper
+and modify passed set of creds appropriately. Caller makes use of these new
+creds for file creation.
+
+Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
+Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
+[PM: fix whitespace issues found with checkpatch.pl]
+[PM: changes to use stat->mode in ovl_create_or_link()]
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+---
+ fs/overlayfs/dir.c        | 10 ++++++++++
+ include/linux/lsm_hooks.h | 15 +++++++++++++++
+ include/linux/security.h  | 12 ++++++++++++
+ security/security.c       | 11 +++++++++++
+ 4 files changed, 48 insertions(+)
+
+diff --git a/fs/overlayfs/dir.c b/fs/overlayfs/dir.c
+index 12bcd07..a155e52 100644
+--- a/fs/overlayfs/dir.c
++++ b/fs/overlayfs/dir.c
+@@ -435,6 +435,15 @@ static int ovl_create_or_link(struct dentry *dentry, struct inode *inode,
+ 	if (override_cred) {
+ 		override_cred->fsuid = inode->i_uid;
+ 		override_cred->fsgid = inode->i_gid;
++		if (!hardlink) {
++			err = security_dentry_create_files_as(dentry,
++					stat->mode, &dentry->d_name, old_cred,
++					override_cred);
++			if (err) {
++				put_cred(override_cred);
++				goto out_revert_creds;
++			}
++		}
+ 		put_cred(override_creds(override_cred));
+ 		put_cred(override_cred);
+
+@@ -445,6 +454,7 @@ static int ovl_create_or_link(struct dentry *dentry, struct inode *inode,
+ 			err = ovl_create_over_whiteout(dentry, inode, stat,
+ 							link, hardlink);
+ 	}
++out_revert_creds:
+ 	revert_creds(old_cred);
+ 	if (!err) {
+ 		struct inode *realinode = d_inode(ovl_dentry_upper(dentry));
+diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
+index 5797122..f2af2af 100644
+--- a/include/linux/lsm_hooks.h
++++ b/include/linux/lsm_hooks.h
+@@ -151,6 +151,16 @@
+  *	@name name of the last path component used to create file
+  *	@ctx pointer to place the pointer to the resulting context in.
+  *	@ctxlen point to place the length of the resulting context.
++ * @dentry_create_files_as:
++ *	Compute a context for a dentry as the inode is not yet available
++ *	and set that context in passed in creds so that new files are
++ *	created using that context. Context is calculated using the
++ *	passed in creds and not the creds of the caller.
++ *	@dentry dentry to use in calculating the context.
++ *	@mode mode used to determine resource type.
++ *	@name name of the last path component used to create file
++ *	@old creds which should be used for context calculation
++ *	@new creds to modify
+  *
+  *
+  * Security hooks for inode operations.
+@@ -1375,6 +1385,10 @@ union security_list_options {
+ 	int (*dentry_init_security)(struct dentry *dentry, int mode,
+ 					const struct qstr *name, void **ctx,
+ 					u32 *ctxlen);
++	int (*dentry_create_files_as)(struct dentry *dentry, int mode,
++					struct qstr *name,
++					const struct cred *old,
++					struct cred *new);
+
+
+ #ifdef CONFIG_SECURITY_PATH
+@@ -1675,6 +1689,7 @@ struct security_hook_heads {
+ 	struct list_head sb_clone_mnt_opts;
+ 	struct list_head sb_parse_opts_str;
+ 	struct list_head dentry_init_security;
++	struct list_head dentry_create_files_as;
+ #ifdef CONFIG_SECURITY_PATH
+ 	struct list_head path_unlink;
+ 	struct list_head path_mkdir;
+diff --git a/include/linux/security.h b/include/linux/security.h
+index 536fafd..a6c6d5d 100644
+--- a/include/linux/security.h
++++ b/include/linux/security.h
+@@ -242,6 +242,10 @@ int security_sb_parse_opts_str(char *options, struct security_mnt_opts *opts);
+ int security_dentry_init_security(struct dentry *dentry, int mode,
+ 					const struct qstr *name, void **ctx,
+ 					u32 *ctxlen);
++int security_dentry_create_files_as(struct dentry *dentry, int mode,
++					struct qstr *name,
++					const struct cred *old,
++					struct cred *new);
+
+ int security_inode_alloc(struct inode *inode);
+ void security_inode_free(struct inode *inode);
+@@ -600,6 +604,14 @@ static inline int security_dentry_init_security(struct dentry *dentry,
+ 	return -EOPNOTSUPP;
+ }
+
++static inline int security_dentry_create_files_as(struct dentry *dentry,
++						  int mode, struct qstr *name,
++						  const struct cred *old,
++						  struct cred *new)
++{
++	return 0;
++}
++
+
+ static inline int security_inode_init_security(struct inode *inode,
+ 						struct inode *dir,
+diff --git a/security/security.c b/security/security.c
+index a9e2bb9..f825304 100644
+--- a/security/security.c
++++ b/security/security.c
+@@ -364,6 +364,15 @@ int security_dentry_init_security(struct dentry *dentry, int mode,
+ }
+ EXPORT_SYMBOL(security_dentry_init_security);
+
++int security_dentry_create_files_as(struct dentry *dentry, int mode,
++				    struct qstr *name,
++				    const struct cred *old, struct cred *new)
++{
++	return call_int_hook(dentry_create_files_as, 0, dentry, mode,
++				name, old, new);
++}
++EXPORT_SYMBOL(security_dentry_create_files_as);
++
+ int security_inode_init_security(struct inode *inode, struct inode *dir,
+ 				 const struct qstr *qstr,
+ 				 const initxattrs initxattrs, void *fs_data)
+@@ -1635,6 +1644,8 @@ struct security_hook_heads security_hook_heads = {
+ 		LIST_HEAD_INIT(security_hook_heads.sb_parse_opts_str),
+ 	.dentry_init_security =
+ 		LIST_HEAD_INIT(security_hook_heads.dentry_init_security),
++	.dentry_create_files_as =
++		LIST_HEAD_INIT(security_hook_heads.dentry_create_files_as),
+ #ifdef CONFIG_SECURITY_PATH
+ 	.path_unlink =	LIST_HEAD_INIT(security_hook_heads.path_unlink),
+ 	.path_mkdir =	LIST_HEAD_INIT(security_hook_heads.path_mkdir),
+-- 
+2.7.4
+
+From a518b0a5b0d7f3397e065acb956bca9635aa892d Mon Sep 17 00:00:00 2001
+From: Vivek Goyal <vgoyal@redhat.com>
+Date: Wed, 13 Jul 2016 10:44:53 -0400
+Subject: [PATCH 09/10] selinux: Implement dentry_create_files_as() hook
+
+Calculate what would be the label of newly created file and set that
+secid in the passed creds.
+
+Context of the task which is actually creating file is retrieved from
+set of creds passed in. (old->security).
+
+Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
+Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+---
+ security/selinux/hooks.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
+index f9d398b..e15e560 100644
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -2848,6 +2848,27 @@ static int selinux_dentry_init_security(struct dentry *dentry, int mode,
+ 	return security_sid_to_context(newsid, (char **)ctx, ctxlen);
+ }
+
++static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
++					  struct qstr *name,
++					  const struct cred *old,
++					  struct cred *new)
++{
++	u32 newsid;
++	int rc;
++	struct task_security_struct *tsec;
++
++	rc = selinux_determine_inode_label(old->security,
++					   d_inode(dentry->d_parent), name,
++					   inode_mode_to_security_class(mode),
++					   &newsid);
++	if (rc)
++		return rc;
++
++	tsec = new->security;
++	tsec->create_sid = newsid;
++	return 0;
++}
++
+ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
+ 				       const struct qstr *qstr,
+ 				       const char **name,
+@@ -6098,6 +6119,7 @@ static struct security_hook_list selinux_hooks[] = {
+ 	LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
+
+ 	LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
++	LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
+
+ 	LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
+ 	LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
+-- 
+2.7.4
+
+From 348a0db9e69e4c214bf5d7677f17cb99cdc47db0 Mon Sep 17 00:00:00 2001
+From: William Roberts <william.c.roberts@intel.com>
+Date: Mon, 15 Aug 2016 12:42:12 -0700
+Subject: [PATCH 10/10] selinux: drop SECURITY_SELINUX_POLICYDB_VERSION_MAX
+
+Remove the SECURITY_SELINUX_POLICYDB_VERSION_MAX Kconfig option
+
+Per: https://github.com/SELinuxProject/selinux/wiki/Kernel-Todo
+
+This was only needed on Fedora 3 and 4 and just causes issues now,
+so drop it.
+
+The MAX and MIN should just be whatever the kernel can support.
+
+Signed-off-by: William Roberts <william.c.roberts@intel.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+---
+ security/selinux/Kconfig            | 38 -------------------------------------
+ security/selinux/include/security.h |  4 ----
+ 2 files changed, 42 deletions(-)
+
+diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
+index 8691e92..ea7e3ef 100644
+--- a/security/selinux/Kconfig
++++ b/security/selinux/Kconfig
+@@ -93,41 +93,3 @@ config SECURITY_SELINUX_CHECKREQPROT_VALUE
+ 	  via /selinux/checkreqprot if authorized by policy.
+
+ 	  If you are unsure how to answer this question, answer 0.
+-
+-config SECURITY_SELINUX_POLICYDB_VERSION_MAX
+-	bool "NSA SELinux maximum supported policy format version"
+-	depends on SECURITY_SELINUX
+-	default n
+-	help
+-	  This option enables the maximum policy format version supported
+-	  by SELinux to be set to a particular value.  This value is reported
+-	  to userspace via /selinux/policyvers and used at policy load time.
+-	  It can be adjusted downward to support legacy userland (init) that
+-	  does not correctly handle kernels that support newer policy versions.
+-
+-	  Examples:
+-	  For the Fedora Core 3 or 4 Linux distributions, enable this option
+-	  and set the value via the next option. For Fedora Core 5 and later,
+-	  do not enable this option.
+-
+-	  If you are unsure how to answer this question, answer N.
+-
+-config SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE
+-	int "NSA SELinux maximum supported policy format version value"
+-	depends on SECURITY_SELINUX_POLICYDB_VERSION_MAX
+-	range 15 23
+-	default 19
+-	help
+-	  This option sets the value for the maximum policy format version
+-	  supported by SELinux.
+-
+-	  Examples:
+-	  For Fedora Core 3, use 18.
+-	  For Fedora Core 4, use 19.
+-
+-	  If you are unsure how to answer this question, look for the
+-	  policy format version supported by your policy toolchain, by
+-	  running 'checkpolicy -V'. Or look at what policy you have
+-	  installed under /etc/selinux/$SELINUXTYPE/policy, where
+-	  SELINUXTYPE is defined in your /etc/selinux/config.
+-
+diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
+index 38feb55..308a286 100644
+--- a/security/selinux/include/security.h
++++ b/security/selinux/include/security.h
+@@ -39,11 +39,7 @@
+
+ /* Range of policy versions we understand*/
+ #define POLICYDB_VERSION_MIN   POLICYDB_VERSION_BASE
+-#ifdef CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX
+-#define POLICYDB_VERSION_MAX	CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE
+-#else
+ #define POLICYDB_VERSION_MAX	POLICYDB_VERSION_XPERMS_IOCTL
+-#endif
+
+ /* Mask for just the mount related flags */
+ #define SE_MNTMASK	0x0f
+-- 
+2.7.4
+