Sophie

kernel-2.6.18-238.el5.src.rpm

From: Eric Sandeen <sandeen@redhat.com>
Date: Thu, 19 Nov 2009 22:29:09 -0500
Subject: [fs] ecryptfs: copy lower attrs before dentry instantiate
Message-id: <4B05C6B5.6060800@redhat.com>
Patchwork-id: 21445
O-Subject: [PATCH RHEL5.5] eCryptfs: Copy lower inode attrs before dentry
	instantiation
Bugzilla: 489774
RH-Acked-by: Rik van Riel <riel@redhat.com>
RH-Acked-by: Jarod Wilson <jarod@redhat.com>

This is for
https://bugzilla.redhat.com/show_bug.cgi?id=489774
Bug 489774 - AVC denied 0x100000 for a directory with eCryptFS and Apache

It's a straightforward upstream commit backport.

Thanks,
-Eric

From: Tyler Hicks <tyhicks@linux.vnet.ibm.com>
Date: Thu, 12 Mar 2009 05:19:46 +0000 (-0500)
Subject: eCryptfs: Copy lower inode attrs before dentry instantiation
X-Git-Tag: v2.6.30-rc4~55^2~6
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=ae6e84596e7b321d9a08e81679c6a3f799634636

eCryptfs: Copy lower inode attrs before dentry instantiation

Copies the lower inode attributes to the upper inode before passing the
upper inode to d_instantiate().  This is important for
security_d_instantiate().

The problem was discovered by a user seeing SELinux denials like so:

type=AVC msg=audit(1236812817.898:47): avc:  denied  { 0x100000 } for
pid=3584 comm="httpd" name="testdir" dev=ecryptfs ino=943872
scontext=root:system_r:httpd_t:s0
tcontext=root:object_r:httpd_sys_content_t:s0 tclass=file

Notice target class is file while testdir is really a directory,
confusing the permission translation (0x100000) due to the wrong i_mode.

Signed-off-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com>

diff --git a/fs/ecryptfs/main.c b/fs/ecryptfs/main.c
index ff49fe1..c8af6cc 100644
--- a/fs/ecryptfs/main.c
+++ b/fs/ecryptfs/main.c
@@ -193,14 +193,14 @@ int ecryptfs_interpose(struct dentry *lower_dentry, struct dentry *dentry,
 		init_special_inode(inode, lower_inode->i_mode,
 				   lower_inode->i_rdev);
 	dentry->d_op = &ecryptfs_dops;
-	if (flags & ECRYPTFS_INTERPOSE_FLAG_D_ADD)
-		d_add(dentry, inode);
-	else
-		d_instantiate(dentry, inode);
 	fsstack_copy_attr_all(inode, lower_inode, NULL);
 	/* This size will be overwritten for real files w/ headers and
 	 * other metadata */
 	fsstack_copy_inode_size(inode, lower_inode);
+	if (flags & ECRYPTFS_INTERPOSE_FLAG_D_ADD)
+		d_add(dentry, inode);
+	else
+		d_instantiate(dentry, inode);
 out:
 	return rc;
 }
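
Review bot: the relocated d_add()/d_instantiate() block at the end of ecryptfs_interpose() now has an ordering dependency on fsstack_copy_attr_all() and fsstack_copy_inode_size() that nothing in the code documents. Suggest a short comment directly above `if (flags & ECRYPTFS_INTERPOSE_FLAG_D_ADD)` stating that the lower inode attributes, i_mode in particular, must already be copied to the upper inode because security_d_instantiate() relies on them, so a later cleanup does not move the instantiate calls back above the copy. The existing size comment ("This size will be overwritten for real files w/ headers and other metadata") now sits between the copy and the instantiate, so it is worth confirming in the description that instantiating before that later size fix-up is intended.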
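
The symptom in the commit message is an AVC record whose permission set is a raw bit mask (`{ 0x100000 }`) instead of a permission name, which is what the audit output shows when the bit has no name in the reported `tclass`. As an added triage example (not part of the patch or of the authors' work), this Python sketch re-joins wrapped audit records and lists such untranslated denials; the function names are hypothetical and the second log record is constructed for contrast.

```python
import re

# Constructed sample: the wrapped record quoted in the commit message, plus a
# made-up ordinary denial with a named permission for contrast.
SAMPLE_LOG = """\
type=AVC msg=audit(1236812817.898:47): avc:  denied  { 0x100000 } for
pid=3584 comm="httpd" name="testdir" dev=ecryptfs ino=943872
scontext=root:system_r:httpd_t:s0
tcontext=root:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1236812900.101:52): avc:  denied  { read } for pid=3590 comm="httpd" name="index.html" dev=sda1 ino=1201 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
"""

PERMS_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r"0x[0-9a-fA-F]+")


def join_records(text):
    """Re-join records that mail or terminal wrapping split across lines."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("type=") or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_avc(record):
    """Return decision, permission list and key=value fields, or None."""
    m = PERMS_RE.search(record)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(record[m.end():])}
    return {"decision": m.group(1), "perms": m.group(2).split(), **fields}


def untranslated_denials(text):
    """AVC records whose permission set holds a raw bit mask, not a name."""
    hits = []
    for record in join_records(text):
        avc = parse_avc(record)
        if avc and any(HEX_RE.fullmatch(p) for p in avc["perms"]):
            hits.append(avc)
    return hits


if __name__ == "__main__":
    for avc in untranslated_denials(SAMPLE_LOG):
        print(avc["perms"], avc["tclass"], avc["dev"], avc["name"], avc["comm"])
```

A hit with `dev=ecryptfs` and `tclass=file` on a path that is really a directory matches the case this patch addresses.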