Re: [PATCH] LSM: Move security_path_chmod()/security_path_chown() to after mutex_lock().

All of lore.kernel.org
 help / color / mirror / Atom feed

From: John Johansen <john.johansen@canonical.com>
To: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc: linux-security-module@vger.kernel.org,
	linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] LSM: Move security_path_chmod()/security_path_chown() to after mutex_lock().
Date: Mon, 23 Nov 2009 02:09:50 -0800	[thread overview]
Message-ID: <4B0A5F6E.2080400@canonical.com> (raw)
In-Reply-To: <200911221149.HCF73996.FSLtOOHVJFQOFM@I-love.SAKURA.ne.jp>

Tetsuo Handa wrote:
> [PATCH] LSM: Move security_path_chmod()/security_path_chown() to after mutex_lock().
> 
> We should call security_path_chmod()/security_path_chown() after mutex_lock()
> in order to avoid races.
> 
> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>

Acked-by: John Johansen <john.johansen@canonical.com>

> ---
>  fs/open.c |   36 +++++++++++++++---------------------
>  1 file changed, 15 insertions(+), 21 deletions(-)
> 
> --- security-testing-2.6.orig/fs/open.c
> +++ security-testing-2.6/fs/open.c
> @@ -619,17 +619,17 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd
>  	err = mnt_want_write_file(file);
>  	if (err)
>  		goto out_putf;
> +	mutex_lock(&inode->i_mutex);
>  	err = security_path_chmod(dentry, file->f_vfsmnt, mode);
>  	if (err)
> -		goto out_drop_write;
> -	mutex_lock(&inode->i_mutex);
> +		goto out_unlock;
>  	if (mode == (mode_t) -1)
>  		mode = inode->i_mode;
>  	newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
>  	newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
>  	err = notify_change(dentry, &newattrs);
> +out_unlock:
>  	mutex_unlock(&inode->i_mutex);
> -out_drop_write:
>  	mnt_drop_write(file->f_path.mnt);
>  out_putf:
>  	fput(file);
> @@ -652,17 +652,17 @@ SYSCALL_DEFINE3(fchmodat, int, dfd, cons
>  	error = mnt_want_write(path.mnt);
>  	if (error)
>  		goto dput_and_out;
> +	mutex_lock(&inode->i_mutex);
>  	error = security_path_chmod(path.dentry, path.mnt, mode);
>  	if (error)
> -		goto out_drop_write;
> -	mutex_lock(&inode->i_mutex);
> +		goto out_unlock;
>  	if (mode == (mode_t) -1)
>  		mode = inode->i_mode;
>  	newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
>  	newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
>  	error = notify_change(path.dentry, &newattrs);
> +out_unlock:
>  	mutex_unlock(&inode->i_mutex);
> -out_drop_write:
>  	mnt_drop_write(path.mnt);
>  dput_and_out:
>  	path_put(&path);
> @@ -675,9 +675,9 @@ SYSCALL_DEFINE2(chmod, const char __user
>  	return sys_fchmodat(AT_FDCWD, filename, mode);
>  }
>  
> -static int chown_common(struct dentry * dentry, uid_t user, gid_t group)
> +static int chown_common(struct path *path, uid_t user, gid_t group)
>  {
> -	struct inode *inode = dentry->d_inode;
> +	struct inode *inode = path->dentry->d_inode;
>  	int error;
>  	struct iattr newattrs;
>  
> @@ -694,7 +694,9 @@ static int chown_common(struct dentry * 
>  		newattrs.ia_valid |=
>  			ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_KILL_PRIV;
>  	mutex_lock(&inode->i_mutex);
> -	error = notify_change(dentry, &newattrs);
> +	error = security_path_chown(path, user, group);
> +	if (!error)
> +		error = notify_change(path->dentry, &newattrs);
>  	mutex_unlock(&inode->i_mutex);
>  
>  	return error;
> @@ -711,9 +713,7 @@ SYSCALL_DEFINE3(chown, const char __user
>  	error = mnt_want_write(path.mnt);
>  	if (error)
>  		goto out_release;
> -	error = security_path_chown(&path, user, group);
> -	if (!error)
> -		error = chown_common(path.dentry, user, group);
> +	error = chown_common(&path, user, group);
>  	mnt_drop_write(path.mnt);
>  out_release:
>  	path_put(&path);
> @@ -738,9 +738,7 @@ SYSCALL_DEFINE5(fchownat, int, dfd, cons
>  	error = mnt_want_write(path.mnt);
>  	if (error)
>  		goto out_release;
> -	error = security_path_chown(&path, user, group);
> -	if (!error)
> -		error = chown_common(path.dentry, user, group);
> +	error = chown_common(&path, user, group);
>  	mnt_drop_write(path.mnt);
>  out_release:
>  	path_put(&path);
> @@ -759,9 +757,7 @@ SYSCALL_DEFINE3(lchown, const char __use
>  	error = mnt_want_write(path.mnt);
>  	if (error)
>  		goto out_release;
> -	error = security_path_chown(&path, user, group);
> -	if (!error)
> -		error = chown_common(path.dentry, user, group);
> +	error = chown_common(&path, user, group);
>  	mnt_drop_write(path.mnt);
>  out_release:
>  	path_put(&path);
> @@ -784,9 +780,7 @@ SYSCALL_DEFINE3(fchown, unsigned int, fd
>  		goto out_fput;
>  	dentry = file->f_path.dentry;
>  	audit_inode(NULL, dentry);
> -	error = security_path_chown(&file->f_path, user, group);
> -	if (!error)
> -		error = chown_common(dentry, user, group);
> +	error = chown_common(&file->f_path, user, group);
>  	mnt_drop_write(file->f_path.mnt);
>  out_fput:
>  	fput(file);
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

next prev parent reply	other threads:[~2009-11-23 10:09 UTC|newest]

Thread overview: 47+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2009-10-04 12:49 [TOMOYO #16 00/25] Starting TOMOYO 2.3 Tetsuo Handa
2009-10-04 12:49 ` [TOMOYO #16 01/25] LSM: Add security_path_chmod() and security_path_chown() Tetsuo Handa
2009-10-08 17:10   ` John Johansen
2009-10-12  1:04     ` James Morris
2009-10-13 11:34       ` [TOMOYO #16 01/25] LSM: Add security_path_chmod() andsecurity_path_chown() Tetsuo Handa
2009-10-13 11:37         ` [PATCH] TOMOYO: Add recursive directory matching operator support Tetsuo Handa
2009-10-13 11:39           ` [PATCH] TOMOYO: Use RCU primitives for list operation Tetsuo Handa
2009-10-13 11:41             ` [PATCH] TOMOYO: Bring memory allocation to outside semaphore Tetsuo Handa
2009-10-29  5:40             ` [PATCH] TOMOYO: Use RCU primitives for list operation Serge E. Hallyn
2009-12-04 12:34               ` Tetsuo Handa
2009-10-29  5:12   ` [TOMOYO #16 01/25] LSM: Add security_path_chmod() and security_path_chown() Serge E. Hallyn
2009-10-29 15:56     ` [TOMOYO #16 01/25] LSM: Add security_path_chmod() andsecurity_path_chown() Tetsuo Handa
2009-11-22  2:49       ` [PATCH] LSM: Move security_path_chmod()/security_path_chown() to after mutex_lock() Tetsuo Handa
2009-11-23 10:09         ` John Johansen [this message]
2009-11-23 21:50           ` James Morris
2009-10-04 12:49 ` [TOMOYO #16 02/25] LSM: Add security_path_chroot() Tetsuo Handa
2009-10-08 17:12   ` John Johansen
2009-10-29  5:32   ` Serge E. Hallyn
2009-10-04 12:49 ` [TOMOYO #16 03/25] LSM: Pass original mount flags to security_sb_mount() Tetsuo Handa
2009-10-08 17:22   ` John Johansen
2009-10-04 12:49 ` [TOMOYO #16 04/25] TOMOYO: Add header file Tetsuo Handa
2009-10-04 12:49 ` [TOMOYO #16 05/25] TOMOYO: Add per task_struct variables Tetsuo Handa
2009-10-04 12:49 ` [TOMOYO #16 06/25] TOMOYO: Add LSM adaptor Tetsuo Handa
2009-10-04 12:49 ` [TOMOYO #16 07/25] TOMOYO: Add path_group keyword support Tetsuo Handa
2009-10-04 12:49 ` [TOMOYO #16 08/25] TOMOYO: Add number_group " Tetsuo Handa
2009-10-04 12:49 ` [TOMOYO #16 09/25] TOMOYO: Add address_group " Tetsuo Handa
2009-10-04 12:49 ` [TOMOYO #16 10/25] TOMOYO: Add conditional ACL support Tetsuo Handa
2009-10-04 12:49 ` [TOMOYO #16 11/25] TOMOYO: Add auditing support Tetsuo Handa
2009-10-04 12:49 ` [TOMOYO #16 12/25] TOMOYO: Memory management support Tetsuo Handa
2009-10-04 12:49 ` [TOMOYO #16 13/25] TOMOYO: Add garbage collector support Tetsuo Handa
2009-10-04 12:50 ` [TOMOYO #16 14/25] TOMOYO: Add network restriction Tetsuo Handa
2009-10-04 12:50 ` [TOMOYO #16 15/25] TOMOYO: Add mount restriction Tetsuo Handa
2009-10-04 12:50 ` [TOMOYO #16 16/25] TOMOYO: Add environment variables restriction Tetsuo Handa
2009-10-04 12:50 ` [TOMOYO #16 17/25] TOMOYO: Add capability support Tetsuo Handa
2009-10-29  5:23   ` Serge E. Hallyn
2009-10-04 12:50 ` [TOMOYO #16 18/25] TOMOYO: Add utility functions Tetsuo Handa
2009-10-04 12:50 ` [TOMOYO #16 19/25] TOMOYO: Add policy I/O handler Tetsuo Handa
2009-10-04 12:50 ` [TOMOYO #16 20/25] TOMOYO: Add policy loader launcher Tetsuo Handa
2009-10-04 12:50 ` [TOMOYO #16 21/25] TOMOYO: Add securityfs interface Tetsuo Handa
2009-10-04 12:50 ` [TOMOYO #16 22/25] TOMOYO: Add pathname calculation functions Tetsuo Handa
2009-10-04 12:50 ` [TOMOYO #16 23/25] TOMOYO: Add file access restriction Tetsuo Handa
2009-10-04 12:50 ` [TOMOYO #16 24/25] TOMOYO: Add domain transition handler Tetsuo Handa
2009-10-04 12:50 ` [TOMOYO #16 25/25] TOMOYO: Update Kconfig and Makefile Tetsuo Handa
2009-10-06  9:39 ` [TOMOYO #16 00/25] Starting TOMOYO 2.3 Pavel Machek
2009-10-07  4:09   ` Tetsuo Handa
2009-10-07  7:38     ` Pavel Machek
2009-10-07 13:30       ` Tetsuo Handa

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4B0A5F6E.2080400@canonical.com \
    --to=john.johansen@canonical.com \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=penguin-kernel@I-love.SAKURA.ne.jp \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.