ovl: call secutiry hook in ovl_real_ioctl()
authorMiklos Szeredi <mszeredi@redhat.com>
Tue, 2 Jun 2020 20:20:26 +0000 (22:20 +0200)
committerThadeu Lima de Souza Cascardo <cascardo@canonical.com>
Wed, 30 Sep 2020 12:44:10 +0000 (09:44 -0300)
BugLink: https://bugs.launchpad.net/bugs/1894980
Verify LSM permissions for underlying file, since vfs_ioctl() doesn't do
it.

[Stephen Rothwell] export security_file_ioctl

Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
(backported from commit 292f902a40c11f043a5ca1305a114da0e523eaa3)
[ saf: trivial conflict resolution ]
CVE-2020-16120
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Acked-by: Marcelo Cerri <marcelo.cerri@canonical.com>
Acked-by: Juerg Haefliger <juerg.haefliger@canonical.com>
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
fs/overlayfs/file.c
security/security.c

index 0c738f194c57adbf1c0f1d58adaaae9bf48537b6..830741ad5477c8827d89ebb5674340afead91244 100644 (file)
@@ -9,6 +9,7 @@
 #include <linux/xattr.h>
 #include <linux/uio.h>
 #include <linux/uaccess.h>
+#include <linux/security.h>
 #include "overlayfs.h"
 
 static char ovl_whatisit(struct inode *inode, struct inode *realinode)
@@ -406,7 +407,9 @@ static long ovl_real_ioctl(struct file *file, unsigned int cmd,
                return ret;
 
        old_cred = ovl_override_creds(file_inode(file)->i_sb);
-       ret = vfs_ioctl(real.file, cmd, arg);
+       ret = security_file_ioctl(real.file, cmd, arg);
+       if (!ret)
+               ret = vfs_ioctl(real.file, cmd, arg);
        revert_creds(old_cred);
 
        fdput(real);
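Review bot: The new `security_file_ioctl(real.file, cmd, arg)` call sits between `ovl_override_creds()` and `revert_creds()`, so the LSM decision on the real file is evaluated under the overridden credentials (presumably the mounter's) rather than the caller's, and nothing in the hunk records that this is intended. A short comment above the call would make the permission model explicit, for example `/* LSM check on the real file runs under the overridden creds; vfs_ioctl() performs no LSM check itself */`. Whether the caller's own credentials are checked against the overlay file earlier in the ioctl path cannot be seen here, because ovl_real_ioctl() starts and ends outside the hunk. It is worth confirming, so that the two checks are understood as complementary rather than one replacing the other.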
index b1b440e8414e4f366c7d9bfeed6485ce23e3eb96..cad87c8800189023bd54b8504abf9a26181579eb 100644 (file)
@@ -1494,6 +1494,7 @@ int security_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
 {
        return call_int_hook(file_ioctl, 0, file, cmd, arg);
 }
+EXPORT_SYMBOL_GPL(security_file_ioctl);
 
 static inline unsigned long mmap_prot(struct file *file, unsigned long prot)
 {