From: Christoph Hellwig <hch@lst.de>
To: Ondrej Mosnacek <omosnace@redhat.com>
Cc: Christoph Hellwig <hch@lst.de>, Ian Kent <raven@themaw.net>,
autofs@vger.kernel.org,
Linux Security Module list
<linux-security-module@vger.kernel.org>,
SElinux list <selinux@vger.kernel.org>,
Zdenek Pytela <zpytela@redhat.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Al Viro <viro@zeniv.linux.org.uk>
Subject: Re: Commit 13c164b1a186 - regression for LSMs/SELinux?
Date: Mon, 21 Sep 2020 18:09:22 +0200
Message-ID: <20200921160922.GA23870@lst.de>
In-Reply-To: <CAFqZXNsoXr1eA4C8==Nvujs5ONpRnuSqaOQQ0n78R=Dbm-EFGA@mail.gmail.com>

[adding Linus and Al]

On Mon, Sep 21, 2020 at 04:51:35PM +0200, Ondrej Mosnacek wrote:
> Hi folks,
>
> It seems that after commit 13c164b1a186 ("autofs: switch to
> kernel_write") there is now an extra LSM permission required (for the
> current task to write to the automount pipe) for processes accessing
> some yet-to-be mounted directory on which an autofs mount is set
> up. The call chain is:
> [...]
> autofs_wait() ->
> autofs_notify_daemon() ->
> autofs_write() ->
> kernel_write() ->
> rw_verify_area() ->
> security_file_permission()
>
> The bug report that led me to this commit is at [1].
>
> Technically, this is a regression for LSM users, since this is a
> kernel-internal operation and an LSM permission for the current task
> shouldn't be required. Can this patch be reverted? Perhaps
> __kernel_{read|write}() could instead be renamed to kernel_*_nocheck()
> so that the name is more descriptive?

So we obviously should not break existing user space and need to fix
this ASAP. The trivial "fix" would be to export __kernel_write again
and switch autofs to use it. The other option would be a FMODE flag
to bypass security checks, only to be set if the caller ensures
they've been validated (i.e. in autofs_prepare_pipe).

Any opinions?
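
Added example, not part of the original message and not kernel source: a user-space C model of the call chain quoted above, showing why the task that triggers the automount is denied and how the two options raised in the reply differ. All model_* names, MODEL_FMODE_NOSEC and the domain labels are assumptions made for illustration.

```c
/* User-space model only: none of this is kernel code. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MODEL_FMODE_NOSEC 0x1u /* hypothetical flag; no FMODE_* name is given on the page */

struct task { const char *domain; };    /* constructed SELinux-style label */
struct file { unsigned int f_mode; };
static const struct task *current_task; /* stands in for the kernel's "current" */

/* Mock policy (constructed): only the automount daemon may write the pipe. */
static int model_security_file_permission(const struct file *f)
{
    (void)f;
    return strcmp(current_task->domain, "automount_t") == 0 ? 0 : -EACCES;
}

static int model_rw_verify_area(const struct file *f)
{
    if (f->f_mode & MODEL_FMODE_NOSEC)  /* flag option: skip the hook */
        return 0;
    return model_security_file_permission(f);
}

/* Stands in for __kernel_write(): no LSM hook on the path. */
static int model_unchecked_write(const struct file *f, size_t len)
{
    (void)f;
    return (int)len;
}

/* Stands in for kernel_write(): the hook runs against current_task. */
static int model_kernel_write(const struct file *f, size_t len)
{
    int err = model_rw_verify_area(f);
    return err ? err : model_unchecked_write(f, len);
}

int main(void)
{
    struct task user = { "user_t" };    /* task that touched the autofs directory */
    struct file pipe_file = { 0 };
    current_task = &user;
    printf("kernel_write model:   %d\n", model_kernel_write(&pipe_file, 8));
    printf("__kernel_write model: %d\n", model_unchecked_write(&pipe_file, 8));
    pipe_file.f_mode |= MODEL_FMODE_NOSEC;
    printf("flagged pipe:         %d\n", model_kernel_write(&pipe_file, 8));
    return 0;
}
```

In the model the flag is a property of the pipe file, so the bypass is scoped to the one file that was flagged, while the unchecked helper skips the hook for any file passed to it.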