[PATCH kernel-4.19] vfs: move cap_convert_nscap() call into vfs_setxattr() - Kernel

8 Nov 2021

mainline inclusion
category: feature
bugzilla:https://gitee.com/openeuler/kernel/issues/I4GVH3?from=project-issue
CVE: NA
cap_convert_nscap() does permission checking as well as conversion of
the
xattr value conditionally based on fs's user-ns.
This is needed by overlayfs and probably other layered fs (ecryptfs) and
is
what vfs_foo() is supposed to do anyway.
Signed-off-by: Miklos Szeredi mszeredi@redhat.com
Acked-by: James Morris jamorris@linux.microsoft.com
Signed-off-by: zhangyue zhangyue1@kylinos.cn
---
 fs/xattr.c                 | 18 ++++++++++++------
 include/linux/capability.h |  2 +-
 security/commoncap.c       |  3 +--
 3 files changed, 14 insertions(+), 9 deletions(-)

diff --git a/fs/xattr.c b/fs/xattr.c
index adb11cb82be5..653e12d6060f 100644
--- a/fs/xattr.c
+++ b/fs/xattr.c
@@ -263,8 +263,16 @@ vfs_setxattr(struct dentry *dentry, const char *name, const void *value,
 {
    struct inode *inode = dentry->d_inode;
    struct inode *delegated_inode = NULL;
+	const void  *orig_value = value;
    int error;
+	if (size && strcmp(name, XATTR_NAME_CAPS) == 0) {
+		error = cap_convert_nscap(dentry, &value, size);
+		if (error < 0)
+			return error;
+		size = error;
+	}
+
 retry_deleg:
    inode_lock(inode);
    error = __vfs_setxattr_locked(dentry, name, value, size, flags,
@@ -276,6 +284,10 @@ vfs_setxattr(struct dentry *dentry, const char *name, const void *value,
    	if (!error)
    		goto retry_deleg;
    }
+
+	if (value != orig_value)
+		kfree(value);
+
    return error;
 }
 EXPORT_SYMBOL_GPL(vfs_setxattr);
@@ -530,12 +542,6 @@ setxattr(struct dentry *d, const char __user *name, const void __user *value,
    	if ((strcmp(kname, XATTR_NAME_POSIX_ACL_ACCESS) == 0) ||
    	    (strcmp(kname, XATTR_NAME_POSIX_ACL_DEFAULT) == 0))
    		posix_acl_fix_xattr_from_user(kvalue, size);
-		else if (strcmp(kname, XATTR_NAME_CAPS) == 0) {
-			error = cap_convert_nscap(d, &kvalue, size);
-			if (error < 0)
-				goto out;
-			size = error;
-		}
    }
error = vfs_setxattr(d, kname, kvalue, size, flags);
diff --git a/include/linux/capability.h b/include/linux/capability.h
index f640dcbc880c..9fee9a86505c 100644
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -249,6 +249,6 @@ extern bool ptracer_capable(struct task_struct *tsk, struct user_namespace *ns);
 /* audit system wants to get cap info from files as well */
 extern int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps);
-extern int cap_convert_nscap(struct dentry *dentry, void **ivalue, size_t size);
+extern int cap_convert_nscap(struct dentry *dentry, const void **ivalue, size_t size);
#endif /* !_LINUX_CAPABILITY_H */
diff --git a/security/commoncap.c b/security/commoncap.c
index 876cfe01d939..83546a782796 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -498,7 +498,7 @@ static bool validheader(size_t size, const struct vfs_cap_data *cap)
  *
  * If all is ok, we return the new size, on error return < 0.
  */
-int cap_convert_nscap(struct dentry *dentry, void **ivalue, size_t size)
+int cap_convert_nscap(struct dentry *dentry, const void **ivalue, size_t size)
 {
    struct vfs_ns_cap_data *nscap;
    uid_t nsrootid;
@@ -541,7 +541,6 @@ int cap_convert_nscap(struct dentry *dentry, void **ivalue, size_t size)
    nscap->magic_etc = cpu_to_le32(nsmagic);
    memcpy(&nscap->data, &cap->data, sizeof(__le32) * 2 * VFS_CAP_U32);
-	kvfree(*ivalue);
    *ivalue = nscap;
    return newsize;
 }
-- 
2.30.0

    