From: Amerigo Wang <amwang@redhat.com>
To: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
Cc: Stephen Smalley <sds@tycho.nsa.gov>,
linux-kernel@vger.kernel.org, esandeen@redhat.com,
eteo@redhat.com, eparis@redhat.com,
linux-fsdevel@vger.kernel.org, akpm@linux-foundation.org,
viro@zeniv.linux.org.uk
Subject: Re: [Patch 1/2] selinux: ajust rules for ATTR_FORCE
Date: Tue, 18 Aug 2009 14:56:45 +0800 [thread overview]
Message-ID: <4A8A50AD.7030004@redhat.com> (raw)
In-Reply-To: <87my5yxidt.fsf@devron.myhome.or.jp>
OGAWA Hirofumi wrote:
> Could you review this? I've added ATTR_TIMES_SET to check explicit
> utimes(), and tried it with minimum change.
>
> [I'm not sure this handles notify_change() usage of nfsd (and perhaps
> other network fs too) correctly, and whether selinux may want to check
> it. I guess network fs _may_ try to change the multiple attributes at a
> time. Well, even if it's true, it would be another topic...]
>
>
Ah, according to the discussion here, I know I misunderstood
ATTR_FORCE... sorry.
> OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
>
>
> From: Amerigo Wang <amwang@redhat.com>
>
> As suggested by OGAWA Hirofumi in thread: http://lkml.org/lkml/2009/8/7/132,
> we should let selinux_inode_setattr() to match our ATTR_* rules.
> ATTR_FORCE should not force things like ATTR_SIZE.
>
> Cc: Stephen Smalley <sds@tycho.nsa.gov>
> Cc: Eric Paris <eparis@redhat.com>
> Signed-off-by: WANG Cong <amwang@redhat.com>
> [tweaks]
> Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
>
Great!
Some comments below.
> ---
>
> security/selinux/hooks.c | 13 +++++++++----
> 1 file changed, 9 insertions(+), 4 deletions(-)
>
> diff -puN security/selinux/hooks.c~selinux-truncate-fix security/selinux/hooks.c
> --- linux-2.6/security/selinux/hooks.c~selinux-truncate-fix 2009-08-18 03:50:09.000000000 +0900
> +++ linux-2.6-hirofumi/security/selinux/hooks.c 2009-08-18 05:35:11.000000000 +0900
> @@ -2711,12 +2711,17 @@ static int selinux_inode_permission(stru
> static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
> {
> const struct cred *cred = current_cred();
> + unsigned int ia_valid = iattr->ia_valid;
>
> - if (iattr->ia_valid & ATTR_FORCE)
> - return 0;
> + /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
> + if (ia_valid & ATTR_FORCE) {
> + ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE);
> + if (!ia_valid)
> + return 0;
>
So if I read this correctly, (ATTR_FORCE| ATTR_KILL_SUID|ATTR_MODE) will
not return here, since 'ia_valid' will be ATTR_FORCE finally.
I think you forgot to clear ATTR_FORCE here...
> + }
>
> - if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
> - ATTR_ATIME_SET | ATTR_MTIME_SET))
> + if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
> + ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
> return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
>
> return dentry_has_perm(cred, NULL, dentry, FILE__WRITE);
> _
>
>
I am not sure about ATTR_TIMES_SET here, but looks fine. :-/
next prev parent reply other threads:[~2009-08-18 6:54 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-08-17 7:07 [V4 Patch 0/2] fix file truncations when both suid and write permissions set Amerigo Wang
2009-08-17 7:07 ` [Patch 1/2] selinux: ajust rules for ATTR_FORCE Amerigo Wang
2009-08-17 8:46 ` Amerigo Wang
2009-08-17 12:15 ` Stephen Smalley
2009-08-17 18:46 ` OGAWA Hirofumi
2009-08-17 19:07 ` Stephen Smalley
2009-08-17 19:46 ` OGAWA Hirofumi
2009-08-17 19:56 ` Stephen Smalley
2009-08-17 20:11 ` OGAWA Hirofumi
2009-08-17 21:03 ` OGAWA Hirofumi
2009-08-18 6:56 ` Amerigo Wang [this message]
2009-08-18 7:39 ` OGAWA Hirofumi
2009-08-18 8:46 ` Amerigo Wang
2009-08-18 12:15 ` Stephen Smalley
2009-08-18 17:26 ` OGAWA Hirofumi
2009-08-19 2:34 ` Amerigo Wang
2009-08-17 7:07 ` [Patch 2/2] vfs: allow file truncations when both suid and write permissions set Amerigo Wang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4A8A50AD.7030004@redhat.com \
--to=amwang@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=eparis@redhat.com \
--cc=esandeen@redhat.com \
--cc=eteo@redhat.com \
--cc=hirofumi@mail.parknet.co.jp \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=sds@tycho.nsa.gov \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.