From: Stephen Smalley <sds@tycho.nsa.gov>
To: Andreas Gruenbacher <agruenba@redhat.com>
Cc: LSM <linux-security-module@vger.kernel.org>,
selinux@tycho.nsa.gov, ocfs2-devel@oss.oracle.com,
David Howells <dhowells@redhat.com>
Subject: [Ocfs2-devel] [PATCH v3 3/7] selinux: Get rid of file_path_has_perm
Date: Wed, 28 Oct 2015 13:31:55 -0400
Message-ID: <5631068B.3060803@tycho.nsa.gov>
In-Reply-To: <CAHc6FU5w6Znxs=xa6TPgG0QJkAsx3=AwUn4KXNAiHMDQ1PsV2A@mail.gmail.com>
On 10/28/2015 07:48 AM, Andreas Gruenbacher wrote:
> On Tue, Oct 27, 2015 at 5:40 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>> On 10/26/2015 05:15 PM, Andreas Gruenbacher wrote:
>>>
>>> Use path_has_perm directly instead.
>>
>>
>> This reverts:
>>
>> commit 13f8e9810bff12d01807b6f92329111f45218235
>> Author: David Howells <dhowells@redhat.com>
>> Date: Thu Jun 13 23:37:55 2013 +0100
>>
>> SELinux: Institute file_path_has_perm()
>>
>> Create a file_path_has_perm() function that is like path_has_perm() but
>> instead takes a file struct that is the source of both the path and the
>> inode (rather than getting the inode from the dentry in the path). This
>> is then used where appropriate.
>>
>> This will be useful for situations like unionmount where it will be
>> possible to have an apparently-negative dentry (eg. a fallthrough) that
>> is open with the file struct pointing to an inode on the lower fs.
>>
>> Signed-off-by: David Howells <dhowells@redhat.com>
>> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
>>
>> which I think David was intending to use as part of his SELinux/overlayfs
>> support.
>
> Okay. As long as overlayfs support in SELinux is in half-finished
> state, let's leave this alone.

Also, the caller is holding a spinlock (tty_files_lock), so you can't call
inode_doinit from here.

Try stress testing your patch series by just always setting
isec->initialized to LABEL_INVALID.

Previously the *has_perm functions could be called under essentially any
condition, with the exception of when in an RCU walk and needing to audit
the dname (but they did not previously block/sleep).
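
Added example, not part of the message above and not kernel code: a userspace C model of why forcing every label to LABEL_INVALID exposes a permission check made under a spinlock, while a run with valid labels never reaches the blocking reload. Every model_* name, LABEL_VALID, run_case and the sid value 42 are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdio.h>
/* Userspace model only: every model_* name and LABEL_VALID are hypothetical. */
enum label_state { LABEL_INVALID, LABEL_VALID };
struct model_isec { enum label_state initialized; unsigned int sid; };

static int atomic_depth;         /* > 0 while a modelled spinlock is held */
static int sleep_in_atomic_hits; /* blocking calls reached in atomic context */
static bool force_invalid;       /* stress knob: treat every label as invalid */

static void model_spin_lock(void)   { atomic_depth++; }
static void model_spin_unlock(void) { atomic_depth--; }

/* Stand-in for a label reload that may block. */
static void model_doinit(struct model_isec *isec)
{
    if (atomic_depth > 0)
        sleep_in_atomic_hits++;
    isec->sid = 42;              /* constructed value */
    isec->initialized = LABEL_VALID;
}

/* Permission check that revalidates an invalid label before using it. */
static int model_has_perm(struct model_isec *isec, unsigned int wanted)
{
    if (force_invalid)
        isec->initialized = LABEL_INVALID;
    if (isec->initialized == LABEL_INVALID)
        model_doinit(isec);
    return isec->sid == wanted ? 0 : -1;
}

/* One permission check made while holding the modelled spinlock. */
int run_case(bool stress)
{
    struct model_isec isec = { LABEL_VALID, 42 };
    sleep_in_atomic_hits = 0;
    force_invalid = stress;
    model_spin_lock();
    model_has_perm(&isec, 42);
    model_spin_unlock();
    return sleep_in_atomic_hits;
}

int main(void)
{
    printf("normal: %d, stress: %d\n", run_case(false), run_case(true));
    return 0;
}
```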