From: Casey Schaufler <casey@schaufler-ca.com>
To: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>,
linux-security-module@vger.kernel.org
Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
miklos@szeredi.hu
Subject: Re: [PATCH (for 3.15) 1/5] LSM: Pass the rename flags to each LSM module.
Date: Fri, 25 Apr 2014 13:49:58 -0700 [thread overview]
Message-ID: <535ACA76.4030106@schaufler-ca.com> (raw)
In-Reply-To: <201404242022.DDG90163.VFSFLOJOOMFQHt@I-love.SAKURA.ne.jp>
On 4/24/2014 4:22 AM, Tetsuo Handa wrote:
> >From 207346b4153e2b441e0c45d933043e6ba7abb419 Mon Sep 17 00:00:00 2001
> From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> Date: Thu, 24 Apr 2014 20:04:57 +0900
> Subject: [PATCH (for 3.15) 1/5] LSM: Pass the rename flags to each LSM module.
>
> Commit da1ce067 "vfs: add cross-rename" changed security_inode_rename() and
> security_path_rename() to call LSM module with reversed arguments if the rename
> flags contain RENAME_EXCHANGE. But that commit introduced a race window for
> TOMOYO and AppArmor (users of security_path_rename) because the pathnames may
> have been changed between the first call and the second call.
>
> To fix this race condition, the rename flags should be passed to LSM module
> in order to allow LSM module to avoid re-calculation of pathnames.
> Passing the rename flags allows SMACK (one of users of security_inode_rename)
> to avoid needlessly checking the same permission twice.
>
> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
At least for the Smack changes.
> ---
> include/linux/security.h | 8 ++++++--
> security/apparmor/lsm.c | 3 ++-
> security/capability.c | 6 ++++--
> security/security.c | 10 ++++++----
> security/selinux/hooks.c | 3 ++-
> security/smack/smack_lsm.c | 4 +++-
> security/tomoyo/tomoyo.c | 4 +++-
> 7 files changed, 26 insertions(+), 12 deletions(-)
>
> diff --git a/include/linux/security.h b/include/linux/security.h
> index 9c6b972..12770bb 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -446,6 +446,7 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
> * @old_dentry contains the dentry structure of the old link.
> * @new_dir contains the inode structure for parent of the new link.
> * @new_dentry contains the dentry structure of the new link.
> + * @flags contains rename flags.
> * Return 0 if permission is granted.
> * @path_rename:
> * Check for permission to rename a file or directory.
> @@ -453,6 +454,7 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
> * @old_dentry contains the dentry structure of the old link.
> * @new_dir contains the path structure for parent of the new link.
> * @new_dentry contains the dentry structure of the new link.
> + * @flags contains rename flags.
> * Return 0 if permission is granted.
> * @path_chmod:
> * Check for permission to change DAC's permission of a file or directory.
> @@ -1492,7 +1494,8 @@ struct security_operations {
> int (*path_link) (struct dentry *old_dentry, struct path *new_dir,
> struct dentry *new_dentry);
> int (*path_rename) (struct path *old_dir, struct dentry *old_dentry,
> - struct path *new_dir, struct dentry *new_dentry);
> + struct path *new_dir, struct dentry *new_dentry,
> + unsigned int flags);
> int (*path_chmod) (struct path *path, umode_t mode);
> int (*path_chown) (struct path *path, kuid_t uid, kgid_t gid);
> int (*path_chroot) (struct path *path);
> @@ -1515,7 +1518,8 @@ struct security_operations {
> int (*inode_mknod) (struct inode *dir, struct dentry *dentry,
> umode_t mode, dev_t dev);
> int (*inode_rename) (struct inode *old_dir, struct dentry *old_dentry,
> - struct inode *new_dir, struct dentry *new_dentry);
> + struct inode *new_dir, struct dentry *new_dentry,
> + unsigned int flags);
> int (*inode_readlink) (struct dentry *dentry);
> int (*inode_follow_link) (struct dentry *dentry, struct nameidata *nd);
> int (*inode_permission) (struct inode *inode, int mask);
> diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
> index 9981000..c0b4366 100644
> --- a/security/apparmor/lsm.c
> +++ b/security/apparmor/lsm.c
> @@ -315,7 +315,8 @@ static int apparmor_path_link(struct dentry *old_dentry, struct path *new_dir,
> }
>
> static int apparmor_path_rename(struct path *old_dir, struct dentry *old_dentry,
> - struct path *new_dir, struct dentry *new_dentry)
> + struct path *new_dir, struct dentry *new_dentry,
> + unsigned int flags)
> {
> struct aa_profile *profile;
> int error = 0;
> diff --git a/security/capability.c b/security/capability.c
> index e76373d..b3690cc 100644
> --- a/security/capability.c
> +++ b/security/capability.c
> @@ -176,7 +176,8 @@ static int cap_inode_mknod(struct inode *inode, struct dentry *dentry,
> }
>
> static int cap_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
> - struct inode *new_inode, struct dentry *new_dentry)
> + struct inode *new_inode, struct dentry *new_dentry,
> + unsigned int flags)
> {
> return 0;
> }
> @@ -280,7 +281,8 @@ static int cap_path_link(struct dentry *old_dentry, struct path *new_dir,
> }
>
> static int cap_path_rename(struct path *old_path, struct dentry *old_dentry,
> - struct path *new_path, struct dentry *new_dentry)
> + struct path *new_path, struct dentry *new_dentry,
> + unsigned int flags)
> {
> return 0;
> }
> diff --git a/security/security.c b/security/security.c
> index 31614e9..65ceef3 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -442,13 +442,14 @@ int security_path_rename(struct path *old_dir, struct dentry *old_dentry,
>
> if (flags & RENAME_EXCHANGE) {
> int err = security_ops->path_rename(new_dir, new_dentry,
> - old_dir, old_dentry);
> + old_dir, old_dentry,
> + flags);
> if (err)
> return err;
> }
>
> return security_ops->path_rename(old_dir, old_dentry, new_dir,
> - new_dentry);
> + new_dentry, flags);
> }
> EXPORT_SYMBOL(security_path_rename);
>
> @@ -542,13 +543,14 @@ int security_inode_rename(struct inode *old_dir, struct dentry *old_dentry,
>
> if (flags & RENAME_EXCHANGE) {
> int err = security_ops->inode_rename(new_dir, new_dentry,
> - old_dir, old_dentry);
> + old_dir, old_dentry,
> + flags);
> if (err)
> return err;
> }
>
> return security_ops->inode_rename(old_dir, old_dentry,
> - new_dir, new_dentry);
> + new_dir, new_dentry, flags);
> }
>
> int security_inode_readlink(struct dentry *dentry)
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 6befc92..d4913d1 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -2749,7 +2749,8 @@ static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t
> }
>
> static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
> - struct inode *new_inode, struct dentry *new_dentry)
> + struct inode *new_inode, struct dentry *new_dentry,
> + unsigned int flags)
> {
> return may_rename(old_inode, old_dentry, new_inode, new_dentry);
> }
> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> index 8177e7d..41bd059 100644
> --- a/security/smack/smack_lsm.c
> +++ b/security/smack/smack_lsm.c
> @@ -697,6 +697,7 @@ static int smack_inode_rmdir(struct inode *dir, struct dentry *dentry)
> * @old_dentry: unused
> * @new_inode: the new directory
> * @new_dentry: unused
> + * @flags: unused
> *
> * Read and write access is required on both the old and
> * new directories.
> @@ -706,7 +707,8 @@ static int smack_inode_rmdir(struct inode *dir, struct dentry *dentry)
> static int smack_inode_rename(struct inode *old_inode,
> struct dentry *old_dentry,
> struct inode *new_inode,
> - struct dentry *new_dentry)
> + struct dentry *new_dentry,
> + unsigned int flags)
> {
> int rc;
> char *isp;
> diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c
> index f0b756e..ac7dd97 100644
> --- a/security/tomoyo/tomoyo.c
> +++ b/security/tomoyo/tomoyo.c
> @@ -287,13 +287,15 @@ static int tomoyo_path_link(struct dentry *old_dentry, struct path *new_dir,
> * @old_dentry: Pointer to "struct dentry".
> * @new_parent: Pointer to "struct path".
> * @new_dentry: Pointer to "struct dentry".
> + * @flags: Rename flags.
> *
> * Returns 0 on success, negative value otherwise.
> */
> static int tomoyo_path_rename(struct path *old_parent,
> struct dentry *old_dentry,
> struct path *new_parent,
> - struct dentry *new_dentry)
> + struct dentry *new_dentry,
> + unsigned int flags)
> {
> struct path path1 = { old_parent->mnt, old_dentry };
> struct path path2 = { new_parent->mnt, new_dentry };
next prev parent reply other threads:[~2014-04-25 20:49 UTC|newest]
Thread overview: 85+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-01-08 22:10 [PATCH 00/11] cross rename v3 Miklos Szeredi
2014-01-08 22:10 ` [PATCH 01/11] vfs: add d_is_dir() Miklos Szeredi
2014-01-08 22:10 ` [PATCH 02/11] vfs: rename: move d_move() up Miklos Szeredi
2014-01-08 22:10 ` [PATCH 03/11] vfs: rename: use common code for dir and non-dir Miklos Szeredi
2014-01-08 22:10 ` [PATCH 04/11] vfs: add renameat2 syscall Miklos Szeredi
2014-01-14 22:11 ` Tetsuo Handa
2014-01-15 10:30 ` Miklos Szeredi
2014-01-15 13:50 ` Miklos Szeredi
2014-01-18 10:40 ` Tetsuo Handa
2014-01-08 22:10 ` [PATCH 05/11] vfs: add RENAME_NOREPLACE flag Miklos Szeredi
2014-01-15 18:19 ` J. Bruce Fields
2014-01-15 18:26 ` Andy Lutomirski
2014-01-15 23:33 ` J. Bruce Fields
2014-01-16 10:45 ` Miklos Szeredi
2014-01-15 18:35 ` Miklos Szeredi
2014-01-15 23:31 ` J. Bruce Fields
2014-01-08 22:10 ` [PATCH 06/11] security: add flags to rename hooks Miklos Szeredi
2014-01-08 22:10 ` [PATCH 07/11] vfs: add cross-rename Miklos Szeredi
2014-01-13 7:52 ` Jan Kara
2014-01-14 10:31 ` Miklos Szeredi
2014-01-14 12:47 ` Jan Kara
2014-01-08 22:10 ` [PATCH 08/11] ext4: rename: create ext4_renament structure for local vars Miklos Szeredi
2014-01-08 22:10 ` [PATCH 09/11] ext4: rename: move EMLINK check up Miklos Szeredi
2014-01-08 22:10 ` [PATCH 10/11] ext4: rename: split out helper functions Miklos Szeredi
2014-01-08 22:10 ` [PATCH 11/11] ext4: add cross rename support Miklos Szeredi
2014-01-13 12:25 ` Jan Kara
2014-01-14 10:35 ` Miklos Szeredi
2014-01-15 18:23 ` J. Bruce Fields
2014-01-15 18:31 ` Miklos Szeredi
2014-01-16 10:54 ` Miklos Szeredi
2014-01-16 14:48 ` J. Bruce Fields
2014-01-17 10:53 ` Michael Kerrisk (man-pages)
2014-01-17 14:41 ` Miklos Szeredi
[not found] ` <20140117144126.GG24171-nYI/l+Q8b4r16c5iV7KQqR1Qg9XOENNVk/YoNI2nt5o@public.gmane.org>
2014-04-19 9:08 ` Michael Kerrisk (man-pages)
2014-04-19 9:08 ` Michael Kerrisk (man-pages)
2014-04-19 12:08 ` Tetsuo Handa
2014-04-23 14:24 ` Miklos Szeredi
2014-04-24 11:20 ` [PATCH (for 3.15) 0/5] Fix cross rename race window for LSM Tetsuo Handa
2014-04-24 11:22 ` [PATCH (for 3.15) 1/5] LSM: Pass the rename flags to each LSM module Tetsuo Handa
2014-04-25 20:49 ` Casey Schaufler [this message]
2014-04-24 11:23 ` [PATCH (for 3.15) 2/5] SELinux: Handle the rename flags Tetsuo Handa
2014-04-24 11:24 ` [PATCH (for 3.15) 3/5] AppArmor: " Tetsuo Handa
2014-04-24 11:25 ` [PATCH (for 3.15) 4/5] TOMOYO: " Tetsuo Handa
2014-04-24 11:26 ` [PATCH (for 3.15) 5/5] LSM: Remove duplicated rename handling Tetsuo Handa
2014-05-01 11:58 ` [PATCH (for 3.15) 0/5] Fix cross rename race window for LSM Tetsuo Handa
2014-05-05 5:49 ` Tetsuo Handa
2014-05-05 5:49 ` Tetsuo Handa
2014-05-11 15:53 ` Tetsuo Handa
2014-05-11 15:53 ` Tetsuo Handa
2014-05-12 13:21 ` [PATCH (for 3.15) 0/5] Fix cross rename regressions " Tetsuo Handa
2014-05-12 13:21 ` Tetsuo Handa
2014-05-12 13:22 ` [PATCH (for 3.15) 1/5] LSM: Pass the rename flags to each LSM module Tetsuo Handa
2014-05-12 13:22 ` Tetsuo Handa
2014-05-19 12:19 ` John Johansen
2014-05-19 12:19 ` John Johansen
2014-05-12 13:23 ` [PATCH (for 3.15) 2/5] SELinux: Handle the rename flags Tetsuo Handa
2014-05-12 13:23 ` Tetsuo Handa
2014-05-12 13:24 ` [PATCH (for 3.15) 3/5] AppArmor: " Tetsuo Handa
2014-05-12 13:24 ` Tetsuo Handa
2014-05-19 12:28 ` John Johansen
2014-05-19 12:28 ` John Johansen
2014-05-12 13:25 ` [PATCH (for 3.15) 4/5] TOMOYO: " Tetsuo Handa
2014-05-12 13:25 ` Tetsuo Handa
2014-05-12 13:25 ` [PATCH (for 3.15) 5/5] LSM: Remove duplicated rename handling Tetsuo Handa
2014-05-12 13:25 ` Tetsuo Handa
2014-05-19 12:34 ` John Johansen
2014-05-19 12:34 ` John Johansen
2014-04-23 14:21 ` [PATCH 11/11] ext4: add cross rename support Miklos Szeredi
[not found] ` <CAJfpegsdUwxHOGxhiLtkMHzB==UGzbj+rAVOJGX4nb6z1Urzpw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-04-23 19:01 ` Michael Kerrisk (man-pages)
2014-04-23 19:01 ` Michael Kerrisk (man-pages)
2014-01-17 22:08 ` J. Bruce Fields
2014-01-18 6:49 ` Miklos Szeredi
2014-01-18 16:27 ` J. Bruce Fields
2014-01-20 11:39 ` Miklos Szeredi
2014-01-20 11:50 ` Michael Kerrisk (man-pages)
2014-01-13 12:46 ` [PATCH 00/11] cross rename v3 Tetsuo Handa
2014-01-13 17:08 ` Miklos Szeredi
2014-01-13 22:03 ` Tetsuo Handa
2014-01-13 22:03 ` Tetsuo Handa
2014-01-14 9:58 ` Miklos Szeredi
2014-01-14 9:58 ` Miklos Szeredi
2014-01-14 13:03 ` Tetsuo Handa
2014-01-14 20:10 ` John Johansen
2014-01-14 20:53 ` Tetsuo Handa
2014-01-15 10:10 ` Miklos Szeredi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=535ACA76.4030106@schaufler-ca.com \
--to=casey@schaufler-ca.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=penguin-kernel@I-love.SAKURA.ne.jp \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.