From: John Johansen <john.johansen@canonical.com>
To: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>,
miklos@szeredi.hu, jmorris@namei.org, selinux@tycho.nsa.gov
Cc: linux-fsdevel@vger.kernel.org,
linux-security-module@vger.kernel.org,
torvalds@linux-foundation.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH (for 3.15) 3/5] AppArmor: Handle the rename flags.
Date: Mon, 19 May 2014 05:28:21 -0700 [thread overview]
Message-ID: <5379F8E5.2070802@canonical.com> (raw)
In-Reply-To: <201405122224.BJB51546.VJOtMSQOLOFFHF@I-love.SAKURA.ne.jp>
On 05/12/2014 06:24 AM, Tetsuo Handa wrote:
>>From 819e94ae3a6d9235196d137a39afa4e0bbd79770 Mon Sep 17 00:00:00 2001
> From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> Date: Mon, 12 May 2014 21:54:05 +0900
> Subject: [PATCH (for 3.15) 3/5] AppArmor: Handle the rename flags.
>
> For AppArmor, the RENAME_EXCHANGE flag means "check permissions with
> reversed arguments" and "distinguish condition of source and target".
> Future patches will stop re-calculating pathnames.
>
> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
This isn't quite right. For apparmor at this point these paths need to
be still treated like they are separate. The second aa_path_perm, is
checking the permission to move old_inode to new_path.
see below
I've added an updated patch below
> ---
> security/apparmor/lsm.c | 22 ++++++++++++++++++++--
> 1 files changed, 20 insertions(+), 2 deletions(-)
>
> diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
> index c0b4366..9f21296 100644
> --- a/security/apparmor/lsm.c
> +++ b/security/apparmor/lsm.c
> @@ -331,7 +331,14 @@ static int apparmor_path_rename(struct path *old_dir, struct dentry *old_dentry,
> struct path_cond cond = { old_dentry->d_inode->i_uid,
> old_dentry->d_inode->i_mode
> };
> + struct path_cond new_cond = cond;
>
> + if (flags & RENAME_EXCHANGE) {
> + /* Cross rename requires both inodes to exist. */
> + new_cond.uid = new_dentry->d_inode->i_uid;
> + new_cond.mode = new_dentry->d_inode->i_mode;
> + }
> +retry:
> error = aa_path_perm(OP_RENAME_SRC, profile, &old_path, 0,
> MAY_READ | AA_MAY_META_READ | MAY_WRITE |
> AA_MAY_META_WRITE | AA_MAY_DELETE,
> @@ -339,7 +346,18 @@ static int apparmor_path_rename(struct path *old_dir, struct dentry *old_dentry,
> if (!error)
> error = aa_path_perm(OP_RENAME_DEST, profile, &new_path,
> 0, MAY_WRITE | AA_MAY_META_WRITE |
> - AA_MAY_CREATE, &cond);
> + AA_MAY_CREATE, &new_cond);
This isn't new_cond because its the permission to move old_inode to new_path
> + if (!error && (flags & RENAME_EXCHANGE)) {
> + struct path tmp_path = new_path;
> + struct path_cond tmp_cond = new_cond;
> +
> + new_path = old_path;
> + old_path = tmp_path;
> + new_cond = cond;
> + cond = tmp_cond;
> + flags = 0;
> + goto retry;
> + }
>
> }
> return error;
>
>From c07677ce007bbb5689b82bce0fab15a159f59874 Mon Sep 17 00:00:00 2001
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Date: Mon, 12 May 2014 21:54:05 +0900
Subject: [PATCH] AppArmor: Handle the rename flags.
For AppArmor, the RENAME_EXCHANGE flag means "check permissions with
reversed arguments" and "distinguish condition of source and target".
Future patches will stop re-calculating pathnames.
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: John Johansen <john.johansen@canonical.com>
---
security/apparmor/lsm.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index c0b4366..d7d92ad 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -332,6 +332,7 @@ static int apparmor_path_rename(struct path *old_dir, struct dentry *old_dentry,
old_dentry->d_inode->i_mode
};
+retry:
error = aa_path_perm(OP_RENAME_SRC, profile, &old_path, 0,
MAY_READ | AA_MAY_META_READ | MAY_WRITE |
AA_MAY_META_WRITE | AA_MAY_DELETE,
@@ -340,6 +341,16 @@ static int apparmor_path_rename(struct path *old_dir, struct dentry *old_dentry,
error = aa_path_perm(OP_RENAME_DEST, profile, &new_path,
0, MAY_WRITE | AA_MAY_META_WRITE |
AA_MAY_CREATE, &cond);
+ if (!error && (flags & RENAME_EXCHANGE)) {
+ struct path tmp_path = new_path;
+ new_path = old_path;
+ old_path = tmp_path;
+ /* Cross rename requires both inodes to exist. */
+ cond.uid = new_dentry->d_inode->i_uid;
+ cond.mode = new_dentry->d_inode->i_mode;
+ flags = 0;
+ goto retry;
+ }
}
return error;
--
2.0.0.rc0
WARNING: multiple messages have this Message-ID (diff)
From: John Johansen <john.johansen@canonical.com>
To: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>,
miklos@szeredi.hu, jmorris@namei.org, selinux@tycho.nsa.gov
Cc: linux-security-module@vger.kernel.org,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
torvalds@linux-foundation.org
Subject: Re: [PATCH (for 3.15) 3/5] AppArmor: Handle the rename flags.
Date: Mon, 19 May 2014 05:28:21 -0700 [thread overview]
Message-ID: <5379F8E5.2070802@canonical.com> (raw)
In-Reply-To: <201405122224.BJB51546.VJOtMSQOLOFFHF@I-love.SAKURA.ne.jp>
On 05/12/2014 06:24 AM, Tetsuo Handa wrote:
>>From 819e94ae3a6d9235196d137a39afa4e0bbd79770 Mon Sep 17 00:00:00 2001
> From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> Date: Mon, 12 May 2014 21:54:05 +0900
> Subject: [PATCH (for 3.15) 3/5] AppArmor: Handle the rename flags.
>
> For AppArmor, the RENAME_EXCHANGE flag means "check permissions with
> reversed arguments" and "distinguish condition of source and target".
> Future patches will stop re-calculating pathnames.
>
> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
This isn't quite right. For apparmor at this point these paths need to
be still treated like they are separate. The second aa_path_perm, is
checking the permission to move old_inode to new_path.
see below
I've added an updated patch below
> ---
> security/apparmor/lsm.c | 22 ++++++++++++++++++++--
> 1 files changed, 20 insertions(+), 2 deletions(-)
>
> diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
> index c0b4366..9f21296 100644
> --- a/security/apparmor/lsm.c
> +++ b/security/apparmor/lsm.c
> @@ -331,7 +331,14 @@ static int apparmor_path_rename(struct path *old_dir, struct dentry *old_dentry,
> struct path_cond cond = { old_dentry->d_inode->i_uid,
> old_dentry->d_inode->i_mode
> };
> + struct path_cond new_cond = cond;
>
> + if (flags & RENAME_EXCHANGE) {
> + /* Cross rename requires both inodes to exist. */
> + new_cond.uid = new_dentry->d_inode->i_uid;
> + new_cond.mode = new_dentry->d_inode->i_mode;
> + }
> +retry:
> error = aa_path_perm(OP_RENAME_SRC, profile, &old_path, 0,
> MAY_READ | AA_MAY_META_READ | MAY_WRITE |
> AA_MAY_META_WRITE | AA_MAY_DELETE,
> @@ -339,7 +346,18 @@ static int apparmor_path_rename(struct path *old_dir, struct dentry *old_dentry,
> if (!error)
> error = aa_path_perm(OP_RENAME_DEST, profile, &new_path,
> 0, MAY_WRITE | AA_MAY_META_WRITE |
> - AA_MAY_CREATE, &cond);
> + AA_MAY_CREATE, &new_cond);
This isn't new_cond because its the permission to move old_inode to new_path
> + if (!error && (flags & RENAME_EXCHANGE)) {
> + struct path tmp_path = new_path;
> + struct path_cond tmp_cond = new_cond;
> +
> + new_path = old_path;
> + old_path = tmp_path;
> + new_cond = cond;
> + cond = tmp_cond;
> + flags = 0;
> + goto retry;
> + }
>
> }
> return error;
>
>From c07677ce007bbb5689b82bce0fab15a159f59874 Mon Sep 17 00:00:00 2001
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Date: Mon, 12 May 2014 21:54:05 +0900
Subject: [PATCH] AppArmor: Handle the rename flags.
For AppArmor, the RENAME_EXCHANGE flag means "check permissions with
reversed arguments" and "distinguish condition of source and target".
Future patches will stop re-calculating pathnames.
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: John Johansen <john.johansen@canonical.com>
---
security/apparmor/lsm.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index c0b4366..d7d92ad 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -332,6 +332,7 @@ static int apparmor_path_rename(struct path *old_dir, struct dentry *old_dentry,
old_dentry->d_inode->i_mode
};
+retry:
error = aa_path_perm(OP_RENAME_SRC, profile, &old_path, 0,
MAY_READ | AA_MAY_META_READ | MAY_WRITE |
AA_MAY_META_WRITE | AA_MAY_DELETE,
@@ -340,6 +341,16 @@ static int apparmor_path_rename(struct path *old_dir, struct dentry *old_dentry,
error = aa_path_perm(OP_RENAME_DEST, profile, &new_path,
0, MAY_WRITE | AA_MAY_META_WRITE |
AA_MAY_CREATE, &cond);
+ if (!error && (flags & RENAME_EXCHANGE)) {
+ struct path tmp_path = new_path;
+ new_path = old_path;
+ old_path = tmp_path;
+ /* Cross rename requires both inodes to exist. */
+ cond.uid = new_dentry->d_inode->i_uid;
+ cond.mode = new_dentry->d_inode->i_mode;
+ flags = 0;
+ goto retry;
+ }
}
return error;
--
2.0.0.rc0
next prev parent reply other threads:[~2014-05-19 12:28 UTC|newest]
Thread overview: 85+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-01-08 22:10 [PATCH 00/11] cross rename v3 Miklos Szeredi
2014-01-08 22:10 ` [PATCH 01/11] vfs: add d_is_dir() Miklos Szeredi
2014-01-08 22:10 ` [PATCH 02/11] vfs: rename: move d_move() up Miklos Szeredi
2014-01-08 22:10 ` [PATCH 03/11] vfs: rename: use common code for dir and non-dir Miklos Szeredi
2014-01-08 22:10 ` [PATCH 04/11] vfs: add renameat2 syscall Miklos Szeredi
2014-01-14 22:11 ` Tetsuo Handa
2014-01-15 10:30 ` Miklos Szeredi
2014-01-15 13:50 ` Miklos Szeredi
2014-01-18 10:40 ` Tetsuo Handa
2014-01-08 22:10 ` [PATCH 05/11] vfs: add RENAME_NOREPLACE flag Miklos Szeredi
2014-01-15 18:19 ` J. Bruce Fields
2014-01-15 18:26 ` Andy Lutomirski
2014-01-15 23:33 ` J. Bruce Fields
2014-01-16 10:45 ` Miklos Szeredi
2014-01-15 18:35 ` Miklos Szeredi
2014-01-15 23:31 ` J. Bruce Fields
2014-01-08 22:10 ` [PATCH 06/11] security: add flags to rename hooks Miklos Szeredi
2014-01-08 22:10 ` [PATCH 07/11] vfs: add cross-rename Miklos Szeredi
2014-01-13 7:52 ` Jan Kara
2014-01-14 10:31 ` Miklos Szeredi
2014-01-14 12:47 ` Jan Kara
2014-01-08 22:10 ` [PATCH 08/11] ext4: rename: create ext4_renament structure for local vars Miklos Szeredi
2014-01-08 22:10 ` [PATCH 09/11] ext4: rename: move EMLINK check up Miklos Szeredi
2014-01-08 22:10 ` [PATCH 10/11] ext4: rename: split out helper functions Miklos Szeredi
2014-01-08 22:10 ` [PATCH 11/11] ext4: add cross rename support Miklos Szeredi
2014-01-13 12:25 ` Jan Kara
2014-01-14 10:35 ` Miklos Szeredi
2014-01-15 18:23 ` J. Bruce Fields
2014-01-15 18:31 ` Miklos Szeredi
2014-01-16 10:54 ` Miklos Szeredi
2014-01-16 14:48 ` J. Bruce Fields
2014-01-17 10:53 ` Michael Kerrisk (man-pages)
2014-01-17 14:41 ` Miklos Szeredi
[not found] ` <20140117144126.GG24171-nYI/l+Q8b4r16c5iV7KQqR1Qg9XOENNVk/YoNI2nt5o@public.gmane.org>
2014-04-19 9:08 ` Michael Kerrisk (man-pages)
2014-04-19 9:08 ` Michael Kerrisk (man-pages)
2014-04-19 12:08 ` Tetsuo Handa
2014-04-23 14:24 ` Miklos Szeredi
2014-04-24 11:20 ` [PATCH (for 3.15) 0/5] Fix cross rename race window for LSM Tetsuo Handa
2014-04-24 11:22 ` [PATCH (for 3.15) 1/5] LSM: Pass the rename flags to each LSM module Tetsuo Handa
2014-04-25 20:49 ` Casey Schaufler
2014-04-24 11:23 ` [PATCH (for 3.15) 2/5] SELinux: Handle the rename flags Tetsuo Handa
2014-04-24 11:24 ` [PATCH (for 3.15) 3/5] AppArmor: " Tetsuo Handa
2014-04-24 11:25 ` [PATCH (for 3.15) 4/5] TOMOYO: " Tetsuo Handa
2014-04-24 11:26 ` [PATCH (for 3.15) 5/5] LSM: Remove duplicated rename handling Tetsuo Handa
2014-05-01 11:58 ` [PATCH (for 3.15) 0/5] Fix cross rename race window for LSM Tetsuo Handa
2014-05-05 5:49 ` Tetsuo Handa
2014-05-05 5:49 ` Tetsuo Handa
2014-05-11 15:53 ` Tetsuo Handa
2014-05-11 15:53 ` Tetsuo Handa
2014-05-12 13:21 ` [PATCH (for 3.15) 0/5] Fix cross rename regressions " Tetsuo Handa
2014-05-12 13:21 ` Tetsuo Handa
2014-05-12 13:22 ` [PATCH (for 3.15) 1/5] LSM: Pass the rename flags to each LSM module Tetsuo Handa
2014-05-12 13:22 ` Tetsuo Handa
2014-05-19 12:19 ` John Johansen
2014-05-19 12:19 ` John Johansen
2014-05-12 13:23 ` [PATCH (for 3.15) 2/5] SELinux: Handle the rename flags Tetsuo Handa
2014-05-12 13:23 ` Tetsuo Handa
2014-05-12 13:24 ` [PATCH (for 3.15) 3/5] AppArmor: " Tetsuo Handa
2014-05-12 13:24 ` Tetsuo Handa
2014-05-19 12:28 ` John Johansen [this message]
2014-05-19 12:28 ` John Johansen
2014-05-12 13:25 ` [PATCH (for 3.15) 4/5] TOMOYO: " Tetsuo Handa
2014-05-12 13:25 ` Tetsuo Handa
2014-05-12 13:25 ` [PATCH (for 3.15) 5/5] LSM: Remove duplicated rename handling Tetsuo Handa
2014-05-12 13:25 ` Tetsuo Handa
2014-05-19 12:34 ` John Johansen
2014-05-19 12:34 ` John Johansen
2014-04-23 14:21 ` [PATCH 11/11] ext4: add cross rename support Miklos Szeredi
[not found] ` <CAJfpegsdUwxHOGxhiLtkMHzB==UGzbj+rAVOJGX4nb6z1Urzpw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-04-23 19:01 ` Michael Kerrisk (man-pages)
2014-04-23 19:01 ` Michael Kerrisk (man-pages)
2014-01-17 22:08 ` J. Bruce Fields
2014-01-18 6:49 ` Miklos Szeredi
2014-01-18 16:27 ` J. Bruce Fields
2014-01-20 11:39 ` Miklos Szeredi
2014-01-20 11:50 ` Michael Kerrisk (man-pages)
2014-01-13 12:46 ` [PATCH 00/11] cross rename v3 Tetsuo Handa
2014-01-13 17:08 ` Miklos Szeredi
2014-01-13 22:03 ` Tetsuo Handa
2014-01-13 22:03 ` Tetsuo Handa
2014-01-14 9:58 ` Miklos Szeredi
2014-01-14 9:58 ` Miklos Szeredi
2014-01-14 13:03 ` Tetsuo Handa
2014-01-14 20:10 ` John Johansen
2014-01-14 20:53 ` Tetsuo Handa
2014-01-15 10:10 ` Miklos Szeredi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5379F8E5.2070802@canonical.com \
--to=john.johansen@canonical.com \
--cc=jmorris@namei.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=penguin-kernel@I-love.SAKURA.ne.jp \
--cc=selinux@tycho.nsa.gov \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.