eCryptfs: Copy lower inode attrs before dentry instantiation
authorTyler Hicks <tyhicks@linux.vnet.ibm.com>
Thu, 12 Mar 2009 05:19:46 +0000 (00:19 -0500)
committerTyler Hicks <tyhicks@linux.vnet.ibm.com>
Wed, 22 Apr 2009 08:54:12 +0000 (03:54 -0500)
Copies the lower inode attributes to the upper inode before passing the
upper inode to d_instantiate().  This is important for
security_d_instantiate().

The problem was discovered by a user seeing SELinux denials like so:

type=AVC msg=audit(1236812817.898:47): avc:  denied  { 0x100000 } for
pid=3584 comm="httpd" name="testdir" dev=ecryptfs ino=943872
scontext=root:system_r:httpd_t:s0
tcontext=root:object_r:httpd_sys_content_t:s0 tclass=file

Notice target class is file while testdir is really a directory,
confusing the permission translation (0x100000) due to the wrong i_mode.

Signed-off-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com>
fs/ecryptfs/main.c

index aed56c25539bcdede1c4f6056f44c575baceb87a..7638b0a02c8d98003b4bead8d15ec9529dfabb9b 100644 (file)
@@ -190,14 +190,14 @@ int ecryptfs_interpose(struct dentry *lower_dentry, struct dentry *dentry,
                init_special_inode(inode, lower_inode->i_mode,
                                   lower_inode->i_rdev);
        dentry->d_op = &ecryptfs_dops;
-       if (flags & ECRYPTFS_INTERPOSE_FLAG_D_ADD)
-               d_add(dentry, inode);
-       else
-               d_instantiate(dentry, inode);
        fsstack_copy_attr_all(inode, lower_inode, NULL);
        /* This size will be overwritten for real files w/ headers and
         * other metadata */
        fsstack_copy_inode_size(inode, lower_inode);
+       if (flags & ECRYPTFS_INTERPOSE_FLAG_D_ADD)
+               d_add(dentry, inode);
+       else
+               d_instantiate(dentry, inode);
 out:
        return rc;
 }