From: Amerigo Wang <amwang@redhat.com>
To: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
Cc: akpm@linux-foundation.org, viro@zeniv.linux.org.uk,
linux-fsdevel@vger.kernel.org, eparis@redhat.com,
esandeen@redhat.com, eteo@redhat.com
Subject: Re: [patch 12/12] vfs: allow file truncations when both suid and write permissions set
Date: Mon, 10 Aug 2009 10:00:14 +0800 [thread overview]
Message-ID: <4A7F7F2E.5070807@redhat.com> (raw)
In-Reply-To: <87ab2bsw6n.fsf@devron.myhome.or.jp>
OGAWA Hirofumi wrote:
> OGAWA Hirofumi <hirofumi@mail.parknet.co.jp> writes:
>
>
>> Amerigo Wang <amwang@redhat.com> writes:
>>
>>
>>>> static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
>>>> {
>>>> const struct cred *cred = current_cred();
>>>>
>>>> if (iattr->ia_valid & ATTR_FORCE)
>>>> return 0;
>>>>
>>>> if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
>>>> ATTR_ATIME_SET | ATTR_MTIME_SET))
>>>> return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
>>>>
>>>> return dentry_has_perm(cred, NULL, dentry, FILE__WRITE);
>>>> }
>>>>
>>>> I guess it's assuming the ia_valid doesn't have (ATTR_MODE | ATTR_SIZE),
>>>> but truncate() already does it, I don't know whether it's ok.
>>>>
>>> No, here we should only force ATTR_KILL_SUID and/or ATTR_KILL_SGID.
>>> do_truncate() has ATTR_SIZE and ATTR_FILE.
>>>
>> I guess security module should do,
>>
>> ia_valid = iattr->ia_valid;
>> if (!(ia_valid & ATTR_FORCE) && (ia_valid & ATTR_FORCE_MASK)) {
>> err = dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
>> if (err)
>> return err;
>> ia_valid &= ~ATTR_FORCE_MASK;
>> }
>> if (ia_valid & ATTR_NOT_FORCE_MASK)
>> err = dentry_has_perm(cred, NULL, dentry, FILE__WRITE);
>> return err;
>>
>> or something. Because do_truncate() already do (ATTR_MODE | ATTR_SIZE)
>> without ATTR_FORCE.
>>
>
> BTW, it seems original code doesn't check ATTR_SIZE if (ATTR_MODE |
> ATTR_SIZE), right? So, ATTR_FORCE is just forcing ATTR_MODE, but I
> guess that's problem itself.
>
I am not sure if I understand you correctly... You must be referring
notify_change(), it seems to do what you said.
But clearly ATTR_FORCE is the way to bypass the security module on
purpose. I agree that we perhaps should have some wrapper function to do
this (instead of calling notify_change() twice), but currently this is fine.
next prev parent reply other threads:[~2009-08-10 1:58 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-08-06 23:10 [patch 12/12] vfs: allow file truncations when both suid and write permissions set akpm
2009-08-07 2:32 ` OGAWA Hirofumi
2009-08-07 3:21 ` Amerigo Wang
2009-08-07 4:17 ` OGAWA Hirofumi
2009-08-07 5:49 ` OGAWA Hirofumi
2009-08-07 9:20 ` Amerigo Wang
2009-08-07 11:06 ` OGAWA Hirofumi
2009-08-07 9:27 ` Amerigo Wang
2009-08-07 11:02 ` OGAWA Hirofumi
2009-08-07 11:25 ` OGAWA Hirofumi
2009-08-10 2:00 ` Amerigo Wang [this message]
2009-08-10 4:34 ` OGAWA Hirofumi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4A7F7F2E.5070807@redhat.com \
--to=amwang@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=eparis@redhat.com \
--cc=esandeen@redhat.com \
--cc=eteo@redhat.com \
--cc=hirofumi@mail.parknet.co.jp \
--cc=linux-fsdevel@vger.kernel.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.