From mboxrd@z Thu Jan 1 00:00:00 1970 From: Jeff Layton Subject: Re: [PATCH v8] Add flags option to get xattr method paired to __vfs_getxattr Date: Tue, 27 Aug 2019 11:49:41 -0400 Message-ID: References: <20190827150544.151031-1-salyzyn@android.com> Mime-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <20190827150544.151031-1-salyzyn@android.com> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: cluster-devel-bounces@redhat.com Errors-To: cluster-devel-bounces@redhat.com To: Mark Salyzyn , linux-kernel@vger.kernel.org Cc: Latchesar Ionkov , Hugh Dickins , Marshall , James Morris , devel@lists.orangefs.org, Eric Van Hensbergen , Anna Schumaker , Trond Myklebust , Mathieu Malaterre , Greg Kroah-Hartman , Jan Kara , Casey Schaufler , Andrew Morton , Kleikamp , linux-doc@vger.kernel.org, Chao Yu , Mimi Zohar , linux-cifs@vger.kernel.org, Paul Moore , "Darrick J. Wong" , Eric Sandeen , kernel-team@android.com, selinux@vger.kernel.org, Brian Foster , reiserfs-devel@vger.kernel.org, Tejun List-Id: ceph-devel.vger.kernel.org On Tue, 2019-08-27 at 08:05 -0700, Mark Salyzyn wrote: > Replace arguments for get and set xattr methods, and __vfs_getxattr > and __vfs_setaxtr functions with a reference to the following now > common argument structure: > > struct xattr_gs_args { > struct dentry *dentry; > struct inode *inode; > const char *name; > union { > void *buffer; > const void *value; > }; > size_t size; > int flags; > }; > > Which in effect adds a flags option to the get method and > __vfs_getxattr function. > > Add a flag option to get xattr method that has bit flag of > XATTR_NOSECURITY passed to it. XATTR_NOSECURITY is generally then > set in the __vfs_getxattr path when called by security > infrastructure. > > This handles the case of a union filesystem driver that is being > requested by the security layer to report back the xattr data. > > For the use case where access is to be blocked by the security layer. > > The path then could be security(dentry) -> > __vfs_getxattr({dentry...XATTR_NOSECURITY}) -> > handler->get({dentry...XATTR_NOSECURITY}) -> > __vfs_getxattr({lower_dentry...XATTR_NOSECURITY}) -> > lower_handler->get({lower_dentry...XATTR_NOSECURITY}) > which would report back through the chain data and success as > expected, the logging security layer at the top would have the > data to determine the access permissions and report back the target > context that was blocked. > > Without the get handler flag, the path on a union filesystem would be > the errant security(dentry) -> __vfs_getxattr(dentry) -> > handler->get(dentry) -> vfs_getxattr(lower_dentry) -> nested -> > security(lower_dentry, log off) -> lower_handler->get(lower_dentry) > which would report back through the chain no data, and -EACCES. > > For selinux for both cases, this would translate to a correctly > determined blocked access. In the first case with this change a correct avc > log would be reported, in the second legacy case an incorrect avc log > would be reported against an uninitialized u:object_r:unlabeled:s0 > context making the logs cosmetically useless for audit2allow. > > This patch series is inert and is the wide-spread addition of the > flags option for xattr functions, and a replacement of __vfs_getxattr > with __vfs_getxattr({...XATTR_NOSECURITY}). > > Signed-off-by: Mark Salyzyn > Reviewed-by: Jan Kara > Cc: Stephen Smalley > Cc: linux-kernel@vger.kernel.org > Cc: kernel-team@android.com > Cc: linux-security-module@vger.kernel.org > Cc: stable@vger.kernel.org # 4.4, 4.9, 4.14 & 4.19 > --- > v8: > - Documentation reported 'struct xattr_gs_flags' rather than > 'struct xattr_gs_flags *args' as argument to get and set methods. > > v7: > - missed spots in fs/9p/acl.c, fs/afs/xattr.c, fs/ecryptfs/crypto.c, > fs/ubifs/xattr.c, fs/xfs/libxfs/xfs_attr.c, > security/integrity/evm/evm_main.c and security/smack/smack_lsm.c. > > v6: > - kernfs missed a spot > > v5: > - introduce struct xattr_gs_args for get and set methods, > __vfs_getxattr and __vfs_setxattr functions. > - cover a missing spot in ext2. > - switch from snprintf to scnprintf for correctness. > > v4: > - ifdef __KERNEL__ around XATTR_NOSECURITY to > keep it colocated in uapi headers. > > v3: > - poor aim on ubifs not ubifs_xattr_get, but static xattr_get > > v2: > - Missed a spot: ubifs, erofs and afs. > > v1: > - Removed from an overlayfs patch set, and made independent. > Expect this to be the basis of some security improvements. > --- > Documentation/filesystems/Locking | 10 ++- > drivers/staging/erofs/xattr.c | 8 +-- > fs/9p/acl.c | 51 +++++++------- > fs/9p/xattr.c | 19 +++-- > fs/afs/xattr.c | 112 +++++++++++++----------------- > fs/btrfs/xattr.c | 36 +++++----- > fs/ceph/xattr.c | 40 +++++------ > fs/cifs/xattr.c | 72 +++++++++---------- > fs/ecryptfs/crypto.c | 20 +++--- > fs/ecryptfs/inode.c | 36 ++++++---- > fs/ecryptfs/mmap.c | 39 ++++++----- > fs/ext2/xattr_security.c | 16 ++--- > fs/ext2/xattr_trusted.c | 15 ++-- > fs/ext2/xattr_user.c | 19 +++-- > fs/ext4/xattr_security.c | 15 ++-- > fs/ext4/xattr_trusted.c | 15 ++-- > fs/ext4/xattr_user.c | 19 +++-- > fs/f2fs/xattr.c | 42 +++++------ > fs/fuse/xattr.c | 23 +++--- > fs/gfs2/xattr.c | 18 ++--- > fs/hfs/attr.c | 15 ++-- > fs/hfsplus/xattr.c | 17 +++-- > fs/hfsplus/xattr_security.c | 13 ++-- > fs/hfsplus/xattr_trusted.c | 13 ++-- > fs/hfsplus/xattr_user.c | 13 ++-- > fs/jffs2/security.c | 16 ++--- > fs/jffs2/xattr_trusted.c | 16 ++--- > fs/jffs2/xattr_user.c | 16 ++--- > fs/jfs/xattr.c | 33 ++++----- > fs/kernfs/inode.c | 23 +++--- > fs/nfs/nfs4proc.c | 28 ++++---- > fs/ocfs2/xattr.c | 52 ++++++-------- > fs/orangefs/xattr.c | 19 ++--- > fs/overlayfs/inode.c | 43 ++++++------ > fs/overlayfs/overlayfs.h | 6 +- > fs/overlayfs/super.c | 53 ++++++-------- > fs/posix_acl.c | 23 +++--- > fs/reiserfs/xattr.c | 2 +- > fs/reiserfs/xattr_security.c | 22 +++--- > fs/reiserfs/xattr_trusted.c | 22 +++--- > fs/reiserfs/xattr_user.c | 22 +++--- > fs/squashfs/xattr.c | 10 +-- > fs/ubifs/xattr.c | 33 +++++---- > fs/xattr.c | 112 ++++++++++++++++++------------ > fs/xfs/libxfs/xfs_attr.c | 4 +- > fs/xfs/libxfs/xfs_attr.h | 2 +- > fs/xfs/xfs_xattr.c | 35 +++++----- > include/linux/xattr.h | 26 ++++--- > include/uapi/linux/xattr.h | 7 +- > mm/shmem.c | 21 +++--- > net/socket.c | 16 ++--- > security/commoncap.c | 29 +++++--- > security/integrity/evm/evm_main.c | 13 +++- > security/selinux/hooks.c | 28 ++++++-- > security/smack/smack_lsm.c | 38 ++++++---- > 55 files changed, 732 insertions(+), 734 deletions(-) > > [...] > > diff --git a/fs/ceph/xattr.c b/fs/ceph/xattr.c > index 939eab7aa219..c4fee624291b 100644 > --- a/fs/ceph/xattr.c > +++ b/fs/ceph/xattr.c > @@ -1179,22 +1179,21 @@ int __ceph_setxattr(struct inode *inode, const char *name, > } > > static int ceph_get_xattr_handler(const struct xattr_handler *handler, > - struct dentry *dentry, struct inode *inode, > - const char *name, void *value, size_t size) > + struct xattr_gs_args *args) > { > - if (!ceph_is_valid_xattr(name)) > + if (!ceph_is_valid_xattr(args->name)) > return -EOPNOTSUPP; > - return __ceph_getxattr(inode, name, value, size); > + return __ceph_getxattr(args->inode, args->name, > + args->buffer, args->size); > } > > static int ceph_set_xattr_handler(const struct xattr_handler *handler, > - struct dentry *unused, struct inode *inode, > - const char *name, const void *value, > - size_t size, int flags) > + struct xattr_gs_args *args) > { > - if (!ceph_is_valid_xattr(name)) > + if (!ceph_is_valid_xattr(args->name)) > return -EOPNOTSUPP; > - return __ceph_setxattr(inode, name, value, size, flags); > + return __ceph_setxattr(args->inode, args->name, > + args->value, args->size, args->flags); > } > > static const struct xattr_handler ceph_other_xattr_handler = { > @@ -1300,25 +1299,22 @@ void ceph_security_invalidate_secctx(struct inode *inode) > } > > static int ceph_xattr_set_security_label(const struct xattr_handler *handler, > - struct dentry *unused, struct inode *inode, > - const char *key, const void *buf, > - size_t buflen, int flags) > + struct xattr_gs_args *args) > { > - if (security_ismaclabel(key)) { > - const char *name = xattr_full_name(handler, key); > - return __ceph_setxattr(inode, name, buf, buflen, flags); > - } > + if (security_ismaclabel(args->name)) > + return __ceph_setxattr(args->inode, > + xattr_full_name(handler, args->name), > + args->value, args->size, args->flags); > return -EOPNOTSUPP; > } > > static int ceph_xattr_get_security_label(const struct xattr_handler *handler, > - struct dentry *unused, struct inode *inode, > - const char *key, void *buf, size_t buflen) > + struct xattr_gs_args *args) > { > - if (security_ismaclabel(key)) { > - const char *name = xattr_full_name(handler, key); > - return __ceph_getxattr(inode, name, buf, buflen); > - } > + if (security_ismaclabel(args->name)) > + return __ceph_getxattr(args->inode, > + xattr_full_name(handler, args->name), > + args->buffer, args->size); > return -EOPNOTSUPP; > } > The ceph bits look fine to me. Note that we do have some patches queued up for v5.4 that might have some merge conflicts here. Shouldn't be too hard to fix it up though. Acked-by: Jeff Layton From mboxrd@z Thu Jan 1 00:00:00 1970 From: Jeff Layton Date: Tue, 27 Aug 2019 11:49:41 -0400 Subject: [Cluster-devel] [PATCH v8] Add flags option to get xattr method paired to __vfs_getxattr In-Reply-To: <20190827150544.151031-1-salyzyn@android.com> References: <20190827150544.151031-1-salyzyn@android.com> Message-ID: List-Id: To: cluster-devel.redhat.com MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit On Tue, 2019-08-27 at 08:05 -0700, Mark Salyzyn wrote: > Replace arguments for get and set xattr methods, and __vfs_getxattr > and __vfs_setaxtr functions with a reference to the following now > common argument structure: > > struct xattr_gs_args { > struct dentry *dentry; > struct inode *inode; > const char *name; > union { > void *buffer; > const void *value; > }; > size_t size; > int flags; > }; > > Which in effect adds a flags option to the get method and > __vfs_getxattr function. > > Add a flag option to get xattr method that has bit flag of > XATTR_NOSECURITY passed to it. XATTR_NOSECURITY is generally then > set in the __vfs_getxattr path when called by security > infrastructure. > > This handles the case of a union filesystem driver that is being > requested by the security layer to report back the xattr data. > > For the use case where access is to be blocked by the security layer. > > The path then could be security(dentry) -> > __vfs_getxattr({dentry...XATTR_NOSECURITY}) -> > handler->get({dentry...XATTR_NOSECURITY}) -> > __vfs_getxattr({lower_dentry...XATTR_NOSECURITY}) -> > lower_handler->get({lower_dentry...XATTR_NOSECURITY}) > which would report back through the chain data and success as > expected, the logging security layer at the top would have the > data to determine the access permissions and report back the target > context that was blocked. > > Without the get handler flag, the path on a union filesystem would be > the errant security(dentry) -> __vfs_getxattr(dentry) -> > handler->get(dentry) -> vfs_getxattr(lower_dentry) -> nested -> > security(lower_dentry, log off) -> lower_handler->get(lower_dentry) > which would report back through the chain no data, and -EACCES. > > For selinux for both cases, this would translate to a correctly > determined blocked access. In the first case with this change a correct avc > log would be reported, in the second legacy case an incorrect avc log > would be reported against an uninitialized u:object_r:unlabeled:s0 > context making the logs cosmetically useless for audit2allow. > > This patch series is inert and is the wide-spread addition of the > flags option for xattr functions, and a replacement of __vfs_getxattr > with __vfs_getxattr({...XATTR_NOSECURITY}). > > Signed-off-by: Mark Salyzyn > Reviewed-by: Jan Kara > Cc: Stephen Smalley > Cc: linux-kernel at vger.kernel.org > Cc: kernel-team at android.com > Cc: linux-security-module at vger.kernel.org > Cc: stable at vger.kernel.org # 4.4, 4.9, 4.14 & 4.19 > --- > v8: > - Documentation reported 'struct xattr_gs_flags' rather than > 'struct xattr_gs_flags *args' as argument to get and set methods. > > v7: > - missed spots in fs/9p/acl.c, fs/afs/xattr.c, fs/ecryptfs/crypto.c, > fs/ubifs/xattr.c, fs/xfs/libxfs/xfs_attr.c, > security/integrity/evm/evm_main.c and security/smack/smack_lsm.c. > > v6: > - kernfs missed a spot > > v5: > - introduce struct xattr_gs_args for get and set methods, > __vfs_getxattr and __vfs_setxattr functions. > - cover a missing spot in ext2. > - switch from snprintf to scnprintf for correctness. > > v4: > - ifdef __KERNEL__ around XATTR_NOSECURITY to > keep it colocated in uapi headers. > > v3: > - poor aim on ubifs not ubifs_xattr_get, but static xattr_get > > v2: > - Missed a spot: ubifs, erofs and afs. > > v1: > - Removed from an overlayfs patch set, and made independent. > Expect this to be the basis of some security improvements. > --- > Documentation/filesystems/Locking | 10 ++- > drivers/staging/erofs/xattr.c | 8 +-- > fs/9p/acl.c | 51 +++++++------- > fs/9p/xattr.c | 19 +++-- > fs/afs/xattr.c | 112 +++++++++++++----------------- > fs/btrfs/xattr.c | 36 +++++----- > fs/ceph/xattr.c | 40 +++++------ > fs/cifs/xattr.c | 72 +++++++++---------- > fs/ecryptfs/crypto.c | 20 +++--- > fs/ecryptfs/inode.c | 36 ++++++---- > fs/ecryptfs/mmap.c | 39 ++++++----- > fs/ext2/xattr_security.c | 16 ++--- > fs/ext2/xattr_trusted.c | 15 ++-- > fs/ext2/xattr_user.c | 19 +++-- > fs/ext4/xattr_security.c | 15 ++-- > fs/ext4/xattr_trusted.c | 15 ++-- > fs/ext4/xattr_user.c | 19 +++-- > fs/f2fs/xattr.c | 42 +++++------ > fs/fuse/xattr.c | 23 +++--- > fs/gfs2/xattr.c | 18 ++--- > fs/hfs/attr.c | 15 ++-- > fs/hfsplus/xattr.c | 17 +++-- > fs/hfsplus/xattr_security.c | 13 ++-- > fs/hfsplus/xattr_trusted.c | 13 ++-- > fs/hfsplus/xattr_user.c | 13 ++-- > fs/jffs2/security.c | 16 ++--- > fs/jffs2/xattr_trusted.c | 16 ++--- > fs/jffs2/xattr_user.c | 16 ++--- > fs/jfs/xattr.c | 33 ++++----- > fs/kernfs/inode.c | 23 +++--- > fs/nfs/nfs4proc.c | 28 ++++---- > fs/ocfs2/xattr.c | 52 ++++++-------- > fs/orangefs/xattr.c | 19 ++--- > fs/overlayfs/inode.c | 43 ++++++------ > fs/overlayfs/overlayfs.h | 6 +- > fs/overlayfs/super.c | 53 ++++++-------- > fs/posix_acl.c | 23 +++--- > fs/reiserfs/xattr.c | 2 +- > fs/reiserfs/xattr_security.c | 22 +++--- > fs/reiserfs/xattr_trusted.c | 22 +++--- > fs/reiserfs/xattr_user.c | 22 +++--- > fs/squashfs/xattr.c | 10 +-- > fs/ubifs/xattr.c | 33 +++++---- > fs/xattr.c | 112 ++++++++++++++++++------------ > fs/xfs/libxfs/xfs_attr.c | 4 +- > fs/xfs/libxfs/xfs_attr.h | 2 +- > fs/xfs/xfs_xattr.c | 35 +++++----- > include/linux/xattr.h | 26 ++++--- > include/uapi/linux/xattr.h | 7 +- > mm/shmem.c | 21 +++--- > net/socket.c | 16 ++--- > security/commoncap.c | 29 +++++--- > security/integrity/evm/evm_main.c | 13 +++- > security/selinux/hooks.c | 28 ++++++-- > security/smack/smack_lsm.c | 38 ++++++---- > 55 files changed, 732 insertions(+), 734 deletions(-) > > [...] > > diff --git a/fs/ceph/xattr.c b/fs/ceph/xattr.c > index 939eab7aa219..c4fee624291b 100644 > --- a/fs/ceph/xattr.c > +++ b/fs/ceph/xattr.c > @@ -1179,22 +1179,21 @@ int __ceph_setxattr(struct inode *inode, const char *name, > } > > static int ceph_get_xattr_handler(const struct xattr_handler *handler, > - struct dentry *dentry, struct inode *inode, > - const char *name, void *value, size_t size) > + struct xattr_gs_args *args) > { > - if (!ceph_is_valid_xattr(name)) > + if (!ceph_is_valid_xattr(args->name)) > return -EOPNOTSUPP; > - return __ceph_getxattr(inode, name, value, size); > + return __ceph_getxattr(args->inode, args->name, > + args->buffer, args->size); > } > > static int ceph_set_xattr_handler(const struct xattr_handler *handler, > - struct dentry *unused, struct inode *inode, > - const char *name, const void *value, > - size_t size, int flags) > + struct xattr_gs_args *args) > { > - if (!ceph_is_valid_xattr(name)) > + if (!ceph_is_valid_xattr(args->name)) > return -EOPNOTSUPP; > - return __ceph_setxattr(inode, name, value, size, flags); > + return __ceph_setxattr(args->inode, args->name, > + args->value, args->size, args->flags); > } > > static const struct xattr_handler ceph_other_xattr_handler = { > @@ -1300,25 +1299,22 @@ void ceph_security_invalidate_secctx(struct inode *inode) > } > > static int ceph_xattr_set_security_label(const struct xattr_handler *handler, > - struct dentry *unused, struct inode *inode, > - const char *key, const void *buf, > - size_t buflen, int flags) > + struct xattr_gs_args *args) > { > - if (security_ismaclabel(key)) { > - const char *name = xattr_full_name(handler, key); > - return __ceph_setxattr(inode, name, buf, buflen, flags); > - } > + if (security_ismaclabel(args->name)) > + return __ceph_setxattr(args->inode, > + xattr_full_name(handler, args->name), > + args->value, args->size, args->flags); > return -EOPNOTSUPP; > } > > static int ceph_xattr_get_security_label(const struct xattr_handler *handler, > - struct dentry *unused, struct inode *inode, > - const char *key, void *buf, size_t buflen) > + struct xattr_gs_args *args) > { > - if (security_ismaclabel(key)) { > - const char *name = xattr_full_name(handler, key); > - return __ceph_getxattr(inode, name, buf, buflen); > - } > + if (security_ismaclabel(args->name)) > + return __ceph_getxattr(args->inode, > + xattr_full_name(handler, args->name), > + args->buffer, args->size); > return -EOPNOTSUPP; > } > The ceph bits look fine to me. Note that we do have some patches queued up for v5.4 that might have some merge conflicts here. Shouldn't be too hard to fix it up though. Acked-by: Jeff Layton From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.8 required=3.0 tests=DKIM_INVALID,DKIM_SIGNED, INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS, URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id B0413C3A5A3 for ; Tue, 27 Aug 2019 15:50:05 +0000 (UTC) Received: from lists.ozlabs.org (lists.ozlabs.org [203.11.71.2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 347E4214DA for ; Tue, 27 Aug 2019 15:50:05 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=fail reason="signature verification failed" (1024-bit key) header.d=kernel.org header.i=@kernel.org header.b="L2rOWfFT" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 347E4214DA Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=kernel.org Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=linux-erofs-bounces+linux-erofs=archiver.kernel.org@lists.ozlabs.org Received: from bilbo.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 46Htc85L5FzDqw6 for ; Wed, 28 Aug 2019 01:50:00 +1000 (AEST) Authentication-Results: lists.ozlabs.org; spf=pass (mailfrom) smtp.mailfrom=kernel.org (client-ip=198.145.29.99; helo=mail.kernel.org; envelope-from=jlayton@kernel.org; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=pass (p=none dis=none) header.from=kernel.org Authentication-Results: lists.ozlabs.org; dkim=pass (1024-bit key; unprotected) header.d=kernel.org header.i=@kernel.org header.b="L2rOWfFT"; dkim-atps=neutral Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 46Htc01Jj6zDqsv for ; Wed, 28 Aug 2019 01:49:51 +1000 (AEST) Received: from tleilax.poochiereds.net (68-20-15-154.lightspeed.rlghnc.sbcglobal.net [68.20.15.154]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 833FF2184D; Tue, 27 Aug 2019 15:49:42 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1566920989; bh=bbgW62YNwOw6nr0OoLy9qjvU2nnCXSu3OBPYD+Bupp4=; h=Subject:From:To:Cc:Date:In-Reply-To:References:From; b=L2rOWfFTV9ZENo9sY6rTomCTkAVi6eVgtVnTG5LG9plQ1qzOy8kmqkEIkcKlJccsb 6oQCfNdLugesaJKgynlWsJQg7kb5LVkyYTK4cR8c58Kwfjmh9eQhwGZ7v/8NIZG3RI XOEmwVN1iC+LyMlqc3dSWBw7KJ+TXshlVw7j4UqM= Message-ID: Subject: Re: [PATCH v8] Add flags option to get xattr method paired to __vfs_getxattr From: Jeff Layton To: Mark Salyzyn , linux-kernel@vger.kernel.org Date: Tue, 27 Aug 2019 11:49:41 -0400 In-Reply-To: <20190827150544.151031-1-salyzyn@android.com> References: <20190827150544.151031-1-salyzyn@android.com> Content-Type: text/plain; charset="UTF-8" User-Agent: Evolution 3.32.4 (3.32.4-1.fc30) MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-BeenThere: linux-erofs@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Development of Linux EROFS file system List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Latchesar Ionkov , Hugh Dickins , Mike Marshall , James Morris , devel@lists.orangefs.org, Eric Van Hensbergen , Joel Becker , Anna Schumaker , Trond Myklebust , Mathieu Malaterre , Greg Kroah-Hartman , Jan Kara , Casey Schaufler , Andrew Morton , Dave Kleikamp , linux-doc@vger.kernel.org, Mimi Zohar , linux-cifs@vger.kernel.org, Paul Moore , "Darrick J. Wong" , Eric Sandeen , kernel-team@android.com, selinux@vger.kernel.org, Brian Foster , reiserfs-devel@vger.kernel.org, Tejun Heo , Jaegeuk Kim , Theodore Ts'o , Miklos Szeredi , linux-f2fs-devel@lists.sourceforge.net, Benjamin Coddington , linux-integrity@vger.kernel.org, Martin Brandenburg , Chris Mason , linux-mtd@lists.infradead.org, linux-afs@lists.infradead.org, Jonathan Corbet , Vyacheslav Dubeyko , Allison Henderson , Ilya Dryomov , linux-ext4@vger.kernel.org, Stephen Smalley , Serge Hallyn , Eric Paris , ceph-devel@vger.kernel.org, linux-nfs@vger.kernel.org, Joseph Qi , samba-technical@lists.samba.org, linux-xfs@vger.kernel.org, Bob Peterson , linux-fsdevel@vger.kernel.org, linux-erofs@lists.ozlabs.org, "David S. Miller" , ocfs2-devel@oss.oracle.com, jfs-discussion@lists.sourceforge.net, Jan Kara , Eric Biggers , Dominique Martinet , Adrian Hunter , David Howells , linux-mm@kvack.org, Andreas Dilger , devel@driverdev.osuosl.org, "J. Bruce Fields" , Andreas Gruenbacher , Sage Weil , Richard Weinberger , Mark Fasheh , cluster-devel@redhat.com, Steve French , v9fs-developer@lists.sourceforge.net, Bharath Vedartham , Jann Horn , ecryptfs@vger.kernel.org, Josef Bacik , Dave Chinner , David Sterba , Artem Bityutskiy , netdev@vger.kernel.org, linux-unionfs@vger.kernel.org, stable@vger.kernel.org, Tyler Hicks , linux-security-module@vger.kernel.org, Phillip Lougher , David Woodhouse , linux-btrfs@vger.kernel.org, Alexander Viro Errors-To: linux-erofs-bounces+linux-erofs=archiver.kernel.org@lists.ozlabs.org Sender: "Linux-erofs" On Tue, 2019-08-27 at 08:05 -0700, Mark Salyzyn wrote: > Replace arguments for get and set xattr methods, and __vfs_getxattr > and __vfs_setaxtr functions with a reference to the following now > common argument structure: > > struct xattr_gs_args { > struct dentry *dentry; > struct inode *inode; > const char *name; > union { > void *buffer; > const void *value; > }; > size_t size; > int flags; > }; > > Which in effect adds a flags option to the get method and > __vfs_getxattr function. > > Add a flag option to get xattr method that has bit flag of > XATTR_NOSECURITY passed to it. XATTR_NOSECURITY is generally then > set in the __vfs_getxattr path when called by security > infrastructure. > > This handles the case of a union filesystem driver that is being > requested by the security layer to report back the xattr data. > > For the use case where access is to be blocked by the security layer. > > The path then could be security(dentry) -> > __vfs_getxattr({dentry...XATTR_NOSECURITY}) -> > handler->get({dentry...XATTR_NOSECURITY}) -> > __vfs_getxattr({lower_dentry...XATTR_NOSECURITY}) -> > lower_handler->get({lower_dentry...XATTR_NOSECURITY}) > which would report back through the chain data and success as > expected, the logging security layer at the top would have the > data to determine the access permissions and report back the target > context that was blocked. > > Without the get handler flag, the path on a union filesystem would be > the errant security(dentry) -> __vfs_getxattr(dentry) -> > handler->get(dentry) -> vfs_getxattr(lower_dentry) -> nested -> > security(lower_dentry, log off) -> lower_handler->get(lower_dentry) > which would report back through the chain no data, and -EACCES. > > For selinux for both cases, this would translate to a correctly > determined blocked access. In the first case with this change a correct avc > log would be reported, in the second legacy case an incorrect avc log > would be reported against an uninitialized u:object_r:unlabeled:s0 > context making the logs cosmetically useless for audit2allow. > > This patch series is inert and is the wide-spread addition of the > flags option for xattr functions, and a replacement of __vfs_getxattr > with __vfs_getxattr({...XATTR_NOSECURITY}). > > Signed-off-by: Mark Salyzyn > Reviewed-by: Jan Kara > Cc: Stephen Smalley > Cc: linux-kernel@vger.kernel.org > Cc: kernel-team@android.com > Cc: linux-security-module@vger.kernel.org > Cc: stable@vger.kernel.org # 4.4, 4.9, 4.14 & 4.19 > --- > v8: > - Documentation reported 'struct xattr_gs_flags' rather than > 'struct xattr_gs_flags *args' as argument to get and set methods. > > v7: > - missed spots in fs/9p/acl.c, fs/afs/xattr.c, fs/ecryptfs/crypto.c, > fs/ubifs/xattr.c, fs/xfs/libxfs/xfs_attr.c, > security/integrity/evm/evm_main.c and security/smack/smack_lsm.c. > > v6: > - kernfs missed a spot > > v5: > - introduce struct xattr_gs_args for get and set methods, > __vfs_getxattr and __vfs_setxattr functions. > - cover a missing spot in ext2. > - switch from snprintf to scnprintf for correctness. > > v4: > - ifdef __KERNEL__ around XATTR_NOSECURITY to > keep it colocated in uapi headers. > > v3: > - poor aim on ubifs not ubifs_xattr_get, but static xattr_get > > v2: > - Missed a spot: ubifs, erofs and afs. > > v1: > - Removed from an overlayfs patch set, and made independent. > Expect this to be the basis of some security improvements. > --- > Documentation/filesystems/Locking | 10 ++- > drivers/staging/erofs/xattr.c | 8 +-- > fs/9p/acl.c | 51 +++++++------- > fs/9p/xattr.c | 19 +++-- > fs/afs/xattr.c | 112 +++++++++++++----------------- > fs/btrfs/xattr.c | 36 +++++----- > fs/ceph/xattr.c | 40 +++++------ > fs/cifs/xattr.c | 72 +++++++++---------- > fs/ecryptfs/crypto.c | 20 +++--- > fs/ecryptfs/inode.c | 36 ++++++---- > fs/ecryptfs/mmap.c | 39 ++++++----- > fs/ext2/xattr_security.c | 16 ++--- > fs/ext2/xattr_trusted.c | 15 ++-- > fs/ext2/xattr_user.c | 19 +++-- > fs/ext4/xattr_security.c | 15 ++-- > fs/ext4/xattr_trusted.c | 15 ++-- > fs/ext4/xattr_user.c | 19 +++-- > fs/f2fs/xattr.c | 42 +++++------ > fs/fuse/xattr.c | 23 +++--- > fs/gfs2/xattr.c | 18 ++--- > fs/hfs/attr.c | 15 ++-- > fs/hfsplus/xattr.c | 17 +++-- > fs/hfsplus/xattr_security.c | 13 ++-- > fs/hfsplus/xattr_trusted.c | 13 ++-- > fs/hfsplus/xattr_user.c | 13 ++-- > fs/jffs2/security.c | 16 ++--- > fs/jffs2/xattr_trusted.c | 16 ++--- > fs/jffs2/xattr_user.c | 16 ++--- > fs/jfs/xattr.c | 33 ++++----- > fs/kernfs/inode.c | 23 +++--- > fs/nfs/nfs4proc.c | 28 ++++---- > fs/ocfs2/xattr.c | 52 ++++++-------- > fs/orangefs/xattr.c | 19 ++--- > fs/overlayfs/inode.c | 43 ++++++------ > fs/overlayfs/overlayfs.h | 6 +- > fs/overlayfs/super.c | 53 ++++++-------- > fs/posix_acl.c | 23 +++--- > fs/reiserfs/xattr.c | 2 +- > fs/reiserfs/xattr_security.c | 22 +++--- > fs/reiserfs/xattr_trusted.c | 22 +++--- > fs/reiserfs/xattr_user.c | 22 +++--- > fs/squashfs/xattr.c | 10 +-- > fs/ubifs/xattr.c | 33 +++++---- > fs/xattr.c | 112 ++++++++++++++++++------------ > fs/xfs/libxfs/xfs_attr.c | 4 +- > fs/xfs/libxfs/xfs_attr.h | 2 +- > fs/xfs/xfs_xattr.c | 35 +++++----- > include/linux/xattr.h | 26 ++++--- > include/uapi/linux/xattr.h | 7 +- > mm/shmem.c | 21 +++--- > net/socket.c | 16 ++--- > security/commoncap.c | 29 +++++--- > security/integrity/evm/evm_main.c | 13 +++- > security/selinux/hooks.c | 28 ++++++-- > security/smack/smack_lsm.c | 38 ++++++---- > 55 files changed, 732 insertions(+), 734 deletions(-) > > [...] > > diff --git a/fs/ceph/xattr.c b/fs/ceph/xattr.c > index 939eab7aa219..c4fee624291b 100644 > --- a/fs/ceph/xattr.c > +++ b/fs/ceph/xattr.c > @@ -1179,22 +1179,21 @@ int __ceph_setxattr(struct inode *inode, const char *name, > } > > static int ceph_get_xattr_handler(const struct xattr_handler *handler, > - struct dentry *dentry, struct inode *inode, > - const char *name, void *value, size_t size) > + struct xattr_gs_args *args) > { > - if (!ceph_is_valid_xattr(name)) > + if (!ceph_is_valid_xattr(args->name)) > return -EOPNOTSUPP; > - return __ceph_getxattr(inode, name, value, size); > + return __ceph_getxattr(args->inode, args->name, > + args->buffer, args->size); > } > > static int ceph_set_xattr_handler(const struct xattr_handler *handler, > - struct dentry *unused, struct inode *inode, > - const char *name, const void *value, > - size_t size, int flags) > + struct xattr_gs_args *args) > { > - if (!ceph_is_valid_xattr(name)) > + if (!ceph_is_valid_xattr(args->name)) > return -EOPNOTSUPP; > - return __ceph_setxattr(inode, name, value, size, flags); > + return __ceph_setxattr(args->inode, args->name, > + args->value, args->size, args->flags); > } > > static const struct xattr_handler ceph_other_xattr_handler = { > @@ -1300,25 +1299,22 @@ void ceph_security_invalidate_secctx(struct inode *inode) > } > > static int ceph_xattr_set_security_label(const struct xattr_handler *handler, > - struct dentry *unused, struct inode *inode, > - const char *key, const void *buf, > - size_t buflen, int flags) > + struct xattr_gs_args *args) > { > - if (security_ismaclabel(key)) { > - const char *name = xattr_full_name(handler, key); > - return __ceph_setxattr(inode, name, buf, buflen, flags); > - } > + if (security_ismaclabel(args->name)) > + return __ceph_setxattr(args->inode, > + xattr_full_name(handler, args->name), > + args->value, args->size, args->flags); > return -EOPNOTSUPP; > } > > static int ceph_xattr_get_security_label(const struct xattr_handler *handler, > - struct dentry *unused, struct inode *inode, > - const char *key, void *buf, size_t buflen) > + struct xattr_gs_args *args) > { > - if (security_ismaclabel(key)) { > - const char *name = xattr_full_name(handler, key); > - return __ceph_getxattr(inode, name, buf, buflen); > - } > + if (security_ismaclabel(args->name)) > + return __ceph_getxattr(args->inode, > + xattr_full_name(handler, args->name), > + args->buffer, args->size); > return -EOPNOTSUPP; > } > The ceph bits look fine to me. Note that we do have some patches queued up for v5.4 that might have some merge conflicts here. Shouldn't be too hard to fix it up though. Acked-by: Jeff Layton From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.8 required=3.0 tests=DKIM_INVALID,DKIM_SIGNED, INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS, URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7E43EC3A5A3 for ; Tue, 27 Aug 2019 15:50:01 +0000 (UTC) Received: from lists.sourceforge.net (lists.sourceforge.net [216.105.38.7]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 46197214DA; Tue, 27 Aug 2019 15:50:01 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=fail reason="signature verification failed" (1024-bit key) header.d=sourceforge.net header.i=@sourceforge.net header.b="kfii6Bto"; dkim=fail reason="signature verification failed" (1024-bit key) header.d=sf.net header.i=@sf.net header.b="mfvpok+q"; dkim=fail reason="signature verification failed" (1024-bit key) header.d=kernel.org header.i=@kernel.org header.b="L2rOWfFT" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 46197214DA Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=kernel.org Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=linux-f2fs-devel-bounces@lists.sourceforge.net Received: from [127.0.0.1] (helo=sfs-ml-4.v29.lw.sourceforge.com) by sfs-ml-4.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1i2djM-0002O6-Ka; Tue, 27 Aug 2019 15:50:00 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-4.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1i2djL-0002Nt-Lg; Tue, 27 Aug 2019 15:49:59 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:Content-Type :References:In-Reply-To:Date:Cc:To:From:Subject:Message-ID:Sender:Reply-To: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=jMLcBSO0LFyDi/jJAIJFfbTSqNnqrbR5Cc7lwlSQoT4=; b=kfii6BtoGhbBP/kpK5wYGgmK9T hw9zuWhniGRE52Zad1Se2oE7cF/wedwvyqsPxnwczxmigu9vrBO+agb8MHMX48xEfE/7ReoRuQkE7 ryaVgGE3W+qHRnT1FpxIh1ur0p9oqB0h0eNiMcSMskjeQLX7z0tBC4LU5zaBRLsEeZPA=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:Content-Type:References: In-Reply-To:Date:Cc:To:From:Subject:Message-ID:Sender:Reply-To:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=jMLcBSO0LFyDi/jJAIJFfbTSqNnqrbR5Cc7lwlSQoT4=; b=mfvpok+qMsztoAO99lts1BuKhz 3BklRtUnC7h5BfxY5cMkhu4f8VprNowOHNUjlXWavSaGZo1wBCX3bvu+hPiLVsKna8TF33Gh4VhzI zMK5tL5QPHJF4h3XJgTiLvw/IkSwYd+7zRbu1KXN7ypkSyaYMrq7CKBd8JLc5TSEloL8=; Received: from mail.kernel.org ([198.145.29.99]) by sfi-mx-1.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) id 1i2djH-0051tN-6l; Tue, 27 Aug 2019 15:49:59 +0000 Received: from tleilax.poochiereds.net (68-20-15-154.lightspeed.rlghnc.sbcglobal.net [68.20.15.154]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 833FF2184D; Tue, 27 Aug 2019 15:49:42 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1566920989; bh=bbgW62YNwOw6nr0OoLy9qjvU2nnCXSu3OBPYD+Bupp4=; h=Subject:From:To:Cc:Date:In-Reply-To:References:From; b=L2rOWfFTV9ZENo9sY6rTomCTkAVi6eVgtVnTG5LG9plQ1qzOy8kmqkEIkcKlJccsb 6oQCfNdLugesaJKgynlWsJQg7kb5LVkyYTK4cR8c58Kwfjmh9eQhwGZ7v/8NIZG3RI XOEmwVN1iC+LyMlqc3dSWBw7KJ+TXshlVw7j4UqM= Message-ID: From: Jeff Layton To: Mark Salyzyn , linux-kernel@vger.kernel.org Date: Tue, 27 Aug 2019 11:49:41 -0400 In-Reply-To: <20190827150544.151031-1-salyzyn@android.com> References: <20190827150544.151031-1-salyzyn@android.com> User-Agent: Evolution 3.32.4 (3.32.4-1.fc30) MIME-Version: 1.0 X-Headers-End: 1i2djH-0051tN-6l Subject: Re: [f2fs-dev] [PATCH v8] Add flags option to get xattr method paired to __vfs_getxattr X-BeenThere: linux-f2fs-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Latchesar Ionkov , Hugh Dickins , Mike Marshall , James Morris , devel@lists.orangefs.org, Eric Van Hensbergen , Joel Becker , Anna Schumaker , Trond Myklebust , Mathieu Malaterre , Greg Kroah-Hartman , Jan Kara , Casey Schaufler , Andrew Morton , Dave Kleikamp , linux-doc@vger.kernel.org, Mimi Zohar , linux-cifs@vger.kernel.org, Paul Moore , "Darrick J. Wong" , Eric Sandeen , kernel-team@android.com, selinux@vger.kernel.org, Brian Foster , reiserfs-devel@vger.kernel.org, Tejun Heo , Jaegeuk Kim , Theodore Ts'o , Miklos Szeredi , linux-f2fs-devel@lists.sourceforge.net, Benjamin Coddington , linux-integrity@vger.kernel.org, Martin Brandenburg , Chris Mason , linux-mtd@lists.infradead.org, linux-afs@lists.infradead.org, Jonathan Corbet , Vyacheslav Dubeyko , Allison Henderson , Ilya Dryomov , linux-ext4@vger.kernel.org, Stephen Smalley , Serge Hallyn , Eric Paris , ceph-devel@vger.kernel.org, linux-nfs@vger.kernel.org, Joseph Qi , samba-technical@lists.samba.org, linux-xfs@vger.kernel.org, Bob Peterson , linux-fsdevel@vger.kernel.org, linux-erofs@lists.ozlabs.org, "David S. Miller" , ocfs2-devel@oss.oracle.com, jfs-discussion@lists.sourceforge.net, Jan Kara , Eric Biggers , Dominique Martinet , Adrian Hunter , David Howells , linux-mm@kvack.org, Andreas Dilger , devel@driverdev.osuosl.org, "J. Bruce Fields" , Andreas Gruenbacher , Sage Weil , Richard Weinberger , Mark Fasheh , cluster-devel@redhat.com, Steve French , v9fs-developer@lists.sourceforge.net, Bharath Vedartham , Jann Horn , ecryptfs@vger.kernel.org, Josef Bacik , Dave Chinner , David Sterba , Artem Bityutskiy , netdev@vger.kernel.org, linux-unionfs@vger.kernel.org, stable@vger.kernel.org, Tyler Hicks , linux-security-module@vger.kernel.org, Phillip Lougher , David Woodhouse , linux-btrfs@vger.kernel.org, Alexander Viro Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: linux-f2fs-devel-bounces@lists.sourceforge.net On Tue, 2019-08-27 at 08:05 -0700, Mark Salyzyn wrote: > Replace arguments for get and set xattr methods, and __vfs_getxattr > and __vfs_setaxtr functions with a reference to the following now > common argument structure: > > struct xattr_gs_args { > struct dentry *dentry; > struct inode *inode; > const char *name; > union { > void *buffer; > const void *value; > }; > size_t size; > int flags; > }; > > Which in effect adds a flags option to the get method and > __vfs_getxattr function. > > Add a flag option to get xattr method that has bit flag of > XATTR_NOSECURITY passed to it. XATTR_NOSECURITY is generally then > set in the __vfs_getxattr path when called by security > infrastructure. > > This handles the case of a union filesystem driver that is being > requested by the security layer to report back the xattr data. > > For the use case where access is to be blocked by the security layer. > > The path then could be security(dentry) -> > __vfs_getxattr({dentry...XATTR_NOSECURITY}) -> > handler->get({dentry...XATTR_NOSECURITY}) -> > __vfs_getxattr({lower_dentry...XATTR_NOSECURITY}) -> > lower_handler->get({lower_dentry...XATTR_NOSECURITY}) > which would report back through the chain data and success as > expected, the logging security layer at the top would have the > data to determine the access permissions and report back the target > context that was blocked. > > Without the get handler flag, the path on a union filesystem would be > the errant security(dentry) -> __vfs_getxattr(dentry) -> > handler->get(dentry) -> vfs_getxattr(lower_dentry) -> nested -> > security(lower_dentry, log off) -> lower_handler->get(lower_dentry) > which would report back through the chain no data, and -EACCES. > > For selinux for both cases, this would translate to a correctly > determined blocked access. In the first case with this change a correct avc > log would be reported, in the second legacy case an incorrect avc log > would be reported against an uninitialized u:object_r:unlabeled:s0 > context making the logs cosmetically useless for audit2allow. > > This patch series is inert and is the wide-spread addition of the > flags option for xattr functions, and a replacement of __vfs_getxattr > with __vfs_getxattr({...XATTR_NOSECURITY}). > > Signed-off-by: Mark Salyzyn > Reviewed-by: Jan Kara > Cc: Stephen Smalley > Cc: linux-kernel@vger.kernel.org > Cc: kernel-team@android.com > Cc: linux-security-module@vger.kernel.org > Cc: stable@vger.kernel.org # 4.4, 4.9, 4.14 & 4.19 > --- > v8: > - Documentation reported 'struct xattr_gs_flags' rather than > 'struct xattr_gs_flags *args' as argument to get and set methods. > > v7: > - missed spots in fs/9p/acl.c, fs/afs/xattr.c, fs/ecryptfs/crypto.c, > fs/ubifs/xattr.c, fs/xfs/libxfs/xfs_attr.c, > security/integrity/evm/evm_main.c and security/smack/smack_lsm.c. > > v6: > - kernfs missed a spot > > v5: > - introduce struct xattr_gs_args for get and set methods, > __vfs_getxattr and __vfs_setxattr functions. > - cover a missing spot in ext2. > - switch from snprintf to scnprintf for correctness. > > v4: > - ifdef __KERNEL__ around XATTR_NOSECURITY to > keep it colocated in uapi headers. > > v3: > - poor aim on ubifs not ubifs_xattr_get, but static xattr_get > > v2: > - Missed a spot: ubifs, erofs and afs. > > v1: > - Removed from an overlayfs patch set, and made independent. > Expect this to be the basis of some security improvements. > --- > Documentation/filesystems/Locking | 10 ++- > drivers/staging/erofs/xattr.c | 8 +-- > fs/9p/acl.c | 51 +++++++------- > fs/9p/xattr.c | 19 +++-- > fs/afs/xattr.c | 112 +++++++++++++----------------- > fs/btrfs/xattr.c | 36 +++++----- > fs/ceph/xattr.c | 40 +++++------ > fs/cifs/xattr.c | 72 +++++++++---------- > fs/ecryptfs/crypto.c | 20 +++--- > fs/ecryptfs/inode.c | 36 ++++++---- > fs/ecryptfs/mmap.c | 39 ++++++----- > fs/ext2/xattr_security.c | 16 ++--- > fs/ext2/xattr_trusted.c | 15 ++-- > fs/ext2/xattr_user.c | 19 +++-- > fs/ext4/xattr_security.c | 15 ++-- > fs/ext4/xattr_trusted.c | 15 ++-- > fs/ext4/xattr_user.c | 19 +++-- > fs/f2fs/xattr.c | 42 +++++------ > fs/fuse/xattr.c | 23 +++--- > fs/gfs2/xattr.c | 18 ++--- > fs/hfs/attr.c | 15 ++-- > fs/hfsplus/xattr.c | 17 +++-- > fs/hfsplus/xattr_security.c | 13 ++-- > fs/hfsplus/xattr_trusted.c | 13 ++-- > fs/hfsplus/xattr_user.c | 13 ++-- > fs/jffs2/security.c | 16 ++--- > fs/jffs2/xattr_trusted.c | 16 ++--- > fs/jffs2/xattr_user.c | 16 ++--- > fs/jfs/xattr.c | 33 ++++----- > fs/kernfs/inode.c | 23 +++--- > fs/nfs/nfs4proc.c | 28 ++++---- > fs/ocfs2/xattr.c | 52 ++++++-------- > fs/orangefs/xattr.c | 19 ++--- > fs/overlayfs/inode.c | 43 ++++++------ > fs/overlayfs/overlayfs.h | 6 +- > fs/overlayfs/super.c | 53 ++++++-------- > fs/posix_acl.c | 23 +++--- > fs/reiserfs/xattr.c | 2 +- > fs/reiserfs/xattr_security.c | 22 +++--- > fs/reiserfs/xattr_trusted.c | 22 +++--- > fs/reiserfs/xattr_user.c | 22 +++--- > fs/squashfs/xattr.c | 10 +-- > fs/ubifs/xattr.c | 33 +++++---- > fs/xattr.c | 112 ++++++++++++++++++------------ > fs/xfs/libxfs/xfs_attr.c | 4 +- > fs/xfs/libxfs/xfs_attr.h | 2 +- > fs/xfs/xfs_xattr.c | 35 +++++----- > include/linux/xattr.h | 26 ++++--- > include/uapi/linux/xattr.h | 7 +- > mm/shmem.c | 21 +++--- > net/socket.c | 16 ++--- > security/commoncap.c | 29 +++++--- > security/integrity/evm/evm_main.c | 13 +++- > security/selinux/hooks.c | 28 ++++++-- > security/smack/smack_lsm.c | 38 ++++++---- > 55 files changed, 732 insertions(+), 734 deletions(-) > > [...] > > diff --git a/fs/ceph/xattr.c b/fs/ceph/xattr.c > index 939eab7aa219..c4fee624291b 100644 > --- a/fs/ceph/xattr.c > +++ b/fs/ceph/xattr.c > @@ -1179,22 +1179,21 @@ int __ceph_setxattr(struct inode *inode, const char *name, > } > > static int ceph_get_xattr_handler(const struct xattr_handler *handler, > - struct dentry *dentry, struct inode *inode, > - const char *name, void *value, size_t size) > + struct xattr_gs_args *args) > { > - if (!ceph_is_valid_xattr(name)) > + if (!ceph_is_valid_xattr(args->name)) > return -EOPNOTSUPP; > - return __ceph_getxattr(inode, name, value, size); > + return __ceph_getxattr(args->inode, args->name, > + args->buffer, args->size); > } > > static int ceph_set_xattr_handler(const struct xattr_handler *handler, > - struct dentry *unused, struct inode *inode, > - const char *name, const void *value, > - size_t size, int flags) > + struct xattr_gs_args *args) > { > - if (!ceph_is_valid_xattr(name)) > + if (!ceph_is_valid_xattr(args->name)) > return -EOPNOTSUPP; > - return __ceph_setxattr(inode, name, value, size, flags); > + return __ceph_setxattr(args->inode, args->name, > + args->value, args->size, args->flags); > } > > static const struct xattr_handler ceph_other_xattr_handler = { > @@ -1300,25 +1299,22 @@ void ceph_security_invalidate_secctx(struct inode *inode) > } > > static int ceph_xattr_set_security_label(const struct xattr_handler *handler, > - struct dentry *unused, struct inode *inode, > - const char *key, const void *buf, > - size_t buflen, int flags) > + struct xattr_gs_args *args) > { > - if (security_ismaclabel(key)) { > - const char *name = xattr_full_name(handler, key); > - return __ceph_setxattr(inode, name, buf, buflen, flags); > - } > + if (security_ismaclabel(args->name)) > + return __ceph_setxattr(args->inode, > + xattr_full_name(handler, args->name), > + args->value, args->size, args->flags); > return -EOPNOTSUPP; > } > > static int ceph_xattr_get_security_label(const struct xattr_handler *handler, > - struct dentry *unused, struct inode *inode, > - const char *key, void *buf, size_t buflen) > + struct xattr_gs_args *args) > { > - if (security_ismaclabel(key)) { > - const char *name = xattr_full_name(handler, key); > - return __ceph_getxattr(inode, name, buf, buflen); > - } > + if (security_ismaclabel(args->name)) > + return __ceph_getxattr(args->inode, > + xattr_full_name(handler, args->name), > + args->buffer, args->size); > return -EOPNOTSUPP; > } > The ceph bits look fine to me. Note that we do have some patches queued up for v5.4 that might have some merge conflicts here. Shouldn't be too hard to fix it up though. Acked-by: Jeff Layton _______________________________________________ Linux-f2fs-devel mailing list Linux-f2fs-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_HELO_NONE, SPF_PASS,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 74515C3A5A3 for ; Tue, 27 Aug 2019 15:50:11 +0000 (UTC) Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 4999B214DA for ; Tue, 27 Aug 2019 15:50:11 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=lists.infradead.org header.i=@lists.infradead.org header.b="TGvfqFQB"; dkim=fail reason="signature verification failed" (1024-bit key) header.d=kernel.org header.i=@kernel.org header.b="L2rOWfFT" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 4999B214DA Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=kernel.org Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-mtd-bounces+linux-mtd=archiver.kernel.org@lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20170209; h=Sender: Content-Transfer-Encoding:Content-Type:Cc:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To: Date:To:From:Subject:Message-ID:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=zXIkeNBGW07MuObnrYNYlfB2uLqoPoHOksdfpBs+bNs=; b=TGvfqFQBjtn7AK BT011LmYq/pJViWv/srdKqtGJSUGyzCWp1Rnoh4v+Y7seBBUTiIjIFy1G8v7YPkemfvv2UEeM0BB5 mrmARNneFfzVckJybydH9ZOroOme7eXmz8sEGvnz8sPXK93RRZ3yfGQ5ujf+8PAQazTFSNB2+1xSn LAI2s4cpSqBK9ph/vZt1Rk81oE/cILPHm2T/i2Y62WB4ZXN+nopeIIlcXEWXAbpJzu/AokFN+hbWA TY9LzutIBJzgA6ZdZtbsoVgbE8CO+Hc7yldgsqE6/f5rscXws73jRyeME5PjJJXqQiarQPfuLMqId 4n0VLkdHdWhK8BLK9CAA==; Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.92 #3 (Red Hat Linux)) id 1i2djG-0002j9-Af; Tue, 27 Aug 2019 15:49:54 +0000 Received: from mail.kernel.org ([198.145.29.99]) by bombadil.infradead.org with esmtps (Exim 4.92 #3 (Red Hat Linux)) id 1i2djC-0002hv-Au; Tue, 27 Aug 2019 15:49:52 +0000 Received: from tleilax.poochiereds.net (68-20-15-154.lightspeed.rlghnc.sbcglobal.net [68.20.15.154]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 833FF2184D; Tue, 27 Aug 2019 15:49:42 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1566920989; bh=bbgW62YNwOw6nr0OoLy9qjvU2nnCXSu3OBPYD+Bupp4=; h=Subject:From:To:Cc:Date:In-Reply-To:References:From; b=L2rOWfFTV9ZENo9sY6rTomCTkAVi6eVgtVnTG5LG9plQ1qzOy8kmqkEIkcKlJccsb 6oQCfNdLugesaJKgynlWsJQg7kb5LVkyYTK4cR8c58Kwfjmh9eQhwGZ7v/8NIZG3RI XOEmwVN1iC+LyMlqc3dSWBw7KJ+TXshlVw7j4UqM= Message-ID: Subject: Re: [PATCH v8] Add flags option to get xattr method paired to __vfs_getxattr From: Jeff Layton To: Mark Salyzyn , linux-kernel@vger.kernel.org Date: Tue, 27 Aug 2019 11:49:41 -0400 In-Reply-To: <20190827150544.151031-1-salyzyn@android.com> References: <20190827150544.151031-1-salyzyn@android.com> User-Agent: Evolution 3.32.4 (3.32.4-1.fc30) MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20190827_084950_562036_78FB68D5 X-CRM114-Status: GOOD ( 32.82 ) X-BeenThere: linux-mtd@lists.infradead.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Linux MTD discussion mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Latchesar Ionkov , Hugh Dickins , Mike Marshall , James Morris , devel@lists.orangefs.org, Eric Van Hensbergen , Joel Becker , Anna Schumaker , Trond Myklebust , Mathieu Malaterre , Greg Kroah-Hartman , Jan Kara , Casey Schaufler , Andrew Morton , Dave Kleikamp , linux-doc@vger.kernel.org, Chao Yu , Mimi Zohar , linux-cifs@vger.kernel.org, Paul Moore , "Darrick J. Wong" , Eric Sandeen , kernel-team@android.com, selinux@vger.kernel.org, Brian Foster , reiserfs-devel@vger.kernel.org, Tejun Heo , Jaegeuk Kim , Theodore Ts'o , Miklos Szeredi , linux-f2fs-devel@lists.sourceforge.net, Benjamin Coddington , linux-integrity@vger.kernel.org, Martin Brandenburg , Chris Mason , linux-mtd@lists.infradead.org, linux-afs@lists.infradead.org, Jonathan Corbet , Vyacheslav Dubeyko , Allison Henderson , Ilya Dryomov , linux-ext4@vger.kernel.org, Stephen Smalley , Serge Hallyn , Gao Xiang , Eric Paris , ceph-devel@vger.kernel.org, linux-nfs@vger.kernel.org, Joseph Qi , samba-technical@lists.samba.org, linux-xfs@vger.kernel.org, Bob Peterson , linux-fsdevel@vger.kernel.org, linux-erofs@lists.ozlabs.org, "David S. Miller" , ocfs2-devel@oss.oracle.com, jfs-discussion@lists.sourceforge.net, Jan Kara , Eric Biggers , Dominique Martinet , Adrian Hunter , David Howells , linux-mm@kvack.org, Andreas Dilger , devel@driverdev.osuosl.org, "J. Bruce Fields" , Andreas Gruenbacher , Sage Weil , Richard Weinberger , Mark Fasheh , cluster-devel@redhat.com, Steve French , v9fs-developer@lists.sourceforge.net, Bharath Vedartham , Jann Horn , ecryptfs@vger.kernel.org, Josef Bacik , Dave Chinner , David Sterba , Artem Bityutskiy , netdev@vger.kernel.org, linux-unionfs@vger.kernel.org, stable@vger.kernel.org, Tyler Hicks , linux-security-module@vger.kernel.org, Phillip Lougher , David Woodhouse , linux-btrfs@vger.kernel.org, Alexander Viro Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "linux-mtd" Errors-To: linux-mtd-bounces+linux-mtd=archiver.kernel.org@lists.infradead.org On Tue, 2019-08-27 at 08:05 -0700, Mark Salyzyn wrote: > Replace arguments for get and set xattr methods, and __vfs_getxattr > and __vfs_setaxtr functions with a reference to the following now > common argument structure: > > struct xattr_gs_args { > struct dentry *dentry; > struct inode *inode; > const char *name; > union { > void *buffer; > const void *value; > }; > size_t size; > int flags; > }; > > Which in effect adds a flags option to the get method and > __vfs_getxattr function. > > Add a flag option to get xattr method that has bit flag of > XATTR_NOSECURITY passed to it. XATTR_NOSECURITY is generally then > set in the __vfs_getxattr path when called by security > infrastructure. > > This handles the case of a union filesystem driver that is being > requested by the security layer to report back the xattr data. > > For the use case where access is to be blocked by the security layer. > > The path then could be security(dentry) -> > __vfs_getxattr({dentry...XATTR_NOSECURITY}) -> > handler->get({dentry...XATTR_NOSECURITY}) -> > __vfs_getxattr({lower_dentry...XATTR_NOSECURITY}) -> > lower_handler->get({lower_dentry...XATTR_NOSECURITY}) > which would report back through the chain data and success as > expected, the logging security layer at the top would have the > data to determine the access permissions and report back the target > context that was blocked. > > Without the get handler flag, the path on a union filesystem would be > the errant security(dentry) -> __vfs_getxattr(dentry) -> > handler->get(dentry) -> vfs_getxattr(lower_dentry) -> nested -> > security(lower_dentry, log off) -> lower_handler->get(lower_dentry) > which would report back through the chain no data, and -EACCES. > > For selinux for both cases, this would translate to a correctly > determined blocked access. In the first case with this change a correct avc > log would be reported, in the second legacy case an incorrect avc log > would be reported against an uninitialized u:object_r:unlabeled:s0 > context making the logs cosmetically useless for audit2allow. > > This patch series is inert and is the wide-spread addition of the > flags option for xattr functions, and a replacement of __vfs_getxattr > with __vfs_getxattr({...XATTR_NOSECURITY}). > > Signed-off-by: Mark Salyzyn > Reviewed-by: Jan Kara > Cc: Stephen Smalley > Cc: linux-kernel@vger.kernel.org > Cc: kernel-team@android.com > Cc: linux-security-module@vger.kernel.org > Cc: stable@vger.kernel.org # 4.4, 4.9, 4.14 & 4.19 > --- > v8: > - Documentation reported 'struct xattr_gs_flags' rather than > 'struct xattr_gs_flags *args' as argument to get and set methods. > > v7: > - missed spots in fs/9p/acl.c, fs/afs/xattr.c, fs/ecryptfs/crypto.c, > fs/ubifs/xattr.c, fs/xfs/libxfs/xfs_attr.c, > security/integrity/evm/evm_main.c and security/smack/smack_lsm.c. > > v6: > - kernfs missed a spot > > v5: > - introduce struct xattr_gs_args for get and set methods, > __vfs_getxattr and __vfs_setxattr functions. > - cover a missing spot in ext2. > - switch from snprintf to scnprintf for correctness. > > v4: > - ifdef __KERNEL__ around XATTR_NOSECURITY to > keep it colocated in uapi headers. > > v3: > - poor aim on ubifs not ubifs_xattr_get, but static xattr_get > > v2: > - Missed a spot: ubifs, erofs and afs. > > v1: > - Removed from an overlayfs patch set, and made independent. > Expect this to be the basis of some security improvements. > --- > Documentation/filesystems/Locking | 10 ++- > drivers/staging/erofs/xattr.c | 8 +-- > fs/9p/acl.c | 51 +++++++------- > fs/9p/xattr.c | 19 +++-- > fs/afs/xattr.c | 112 +++++++++++++----------------- > fs/btrfs/xattr.c | 36 +++++----- > fs/ceph/xattr.c | 40 +++++------ > fs/cifs/xattr.c | 72 +++++++++---------- > fs/ecryptfs/crypto.c | 20 +++--- > fs/ecryptfs/inode.c | 36 ++++++---- > fs/ecryptfs/mmap.c | 39 ++++++----- > fs/ext2/xattr_security.c | 16 ++--- > fs/ext2/xattr_trusted.c | 15 ++-- > fs/ext2/xattr_user.c | 19 +++-- > fs/ext4/xattr_security.c | 15 ++-- > fs/ext4/xattr_trusted.c | 15 ++-- > fs/ext4/xattr_user.c | 19 +++-- > fs/f2fs/xattr.c | 42 +++++------ > fs/fuse/xattr.c | 23 +++--- > fs/gfs2/xattr.c | 18 ++--- > fs/hfs/attr.c | 15 ++-- > fs/hfsplus/xattr.c | 17 +++-- > fs/hfsplus/xattr_security.c | 13 ++-- > fs/hfsplus/xattr_trusted.c | 13 ++-- > fs/hfsplus/xattr_user.c | 13 ++-- > fs/jffs2/security.c | 16 ++--- > fs/jffs2/xattr_trusted.c | 16 ++--- > fs/jffs2/xattr_user.c | 16 ++--- > fs/jfs/xattr.c | 33 ++++----- > fs/kernfs/inode.c | 23 +++--- > fs/nfs/nfs4proc.c | 28 ++++---- > fs/ocfs2/xattr.c | 52 ++++++-------- > fs/orangefs/xattr.c | 19 ++--- > fs/overlayfs/inode.c | 43 ++++++------ > fs/overlayfs/overlayfs.h | 6 +- > fs/overlayfs/super.c | 53 ++++++-------- > fs/posix_acl.c | 23 +++--- > fs/reiserfs/xattr.c | 2 +- > fs/reiserfs/xattr_security.c | 22 +++--- > fs/reiserfs/xattr_trusted.c | 22 +++--- > fs/reiserfs/xattr_user.c | 22 +++--- > fs/squashfs/xattr.c | 10 +-- > fs/ubifs/xattr.c | 33 +++++---- > fs/xattr.c | 112 ++++++++++++++++++------------ > fs/xfs/libxfs/xfs_attr.c | 4 +- > fs/xfs/libxfs/xfs_attr.h | 2 +- > fs/xfs/xfs_xattr.c | 35 +++++----- > include/linux/xattr.h | 26 ++++--- > include/uapi/linux/xattr.h | 7 +- > mm/shmem.c | 21 +++--- > net/socket.c | 16 ++--- > security/commoncap.c | 29 +++++--- > security/integrity/evm/evm_main.c | 13 +++- > security/selinux/hooks.c | 28 ++++++-- > security/smack/smack_lsm.c | 38 ++++++---- > 55 files changed, 732 insertions(+), 734 deletions(-) > > [...] > > diff --git a/fs/ceph/xattr.c b/fs/ceph/xattr.c > index 939eab7aa219..c4fee624291b 100644 > --- a/fs/ceph/xattr.c > +++ b/fs/ceph/xattr.c > @@ -1179,22 +1179,21 @@ int __ceph_setxattr(struct inode *inode, const char *name, > } > > static int ceph_get_xattr_handler(const struct xattr_handler *handler, > - struct dentry *dentry, struct inode *inode, > - const char *name, void *value, size_t size) > + struct xattr_gs_args *args) > { > - if (!ceph_is_valid_xattr(name)) > + if (!ceph_is_valid_xattr(args->name)) > return -EOPNOTSUPP; > - return __ceph_getxattr(inode, name, value, size); > + return __ceph_getxattr(args->inode, args->name, > + args->buffer, args->size); > } > > static int ceph_set_xattr_handler(const struct xattr_handler *handler, > - struct dentry *unused, struct inode *inode, > - const char *name, const void *value, > - size_t size, int flags) > + struct xattr_gs_args *args) > { > - if (!ceph_is_valid_xattr(name)) > + if (!ceph_is_valid_xattr(args->name)) > return -EOPNOTSUPP; > - return __ceph_setxattr(inode, name, value, size, flags); > + return __ceph_setxattr(args->inode, args->name, > + args->value, args->size, args->flags); > } > > static const struct xattr_handler ceph_other_xattr_handler = { > @@ -1300,25 +1299,22 @@ void ceph_security_invalidate_secctx(struct inode *inode) > } > > static int ceph_xattr_set_security_label(const struct xattr_handler *handler, > - struct dentry *unused, struct inode *inode, > - const char *key, const void *buf, > - size_t buflen, int flags) > + struct xattr_gs_args *args) > { > - if (security_ismaclabel(key)) { > - const char *name = xattr_full_name(handler, key); > - return __ceph_setxattr(inode, name, buf, buflen, flags); > - } > + if (security_ismaclabel(args->name)) > + return __ceph_setxattr(args->inode, > + xattr_full_name(handler, args->name), > + args->value, args->size, args->flags); > return -EOPNOTSUPP; > } > > static int ceph_xattr_get_security_label(const struct xattr_handler *handler, > - struct dentry *unused, struct inode *inode, > - const char *key, void *buf, size_t buflen) > + struct xattr_gs_args *args) > { > - if (security_ismaclabel(key)) { > - const char *name = xattr_full_name(handler, key); > - return __ceph_getxattr(inode, name, buf, buflen); > - } > + if (security_ismaclabel(args->name)) > + return __ceph_getxattr(args->inode, > + xattr_full_name(handler, args->name), > + args->buffer, args->size); > return -EOPNOTSUPP; > } > The ceph bits look fine to me. Note that we do have some patches queued up for v5.4 that might have some merge conflicts here. Shouldn't be too hard to fix it up though. Acked-by: Jeff Layton ______________________________________________________ Linux MTD discussion mailing list http://lists.infradead.org/mailman/listinfo/linux-mtd/ From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.1 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY, SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id BDDF5C3A5A3 for ; Tue, 27 Aug 2019 15:51:16 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id 5CF47214DA for ; Tue, 27 Aug 2019 15:51:16 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=kernel.org header.i=@kernel.org header.b="L2rOWfFT" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 5CF47214DA Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=kernel.org Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix) id ED9046B0008; Tue, 27 Aug 2019 11:51:15 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id EAE856B000A; Tue, 27 Aug 2019 11:51:15 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id D9CE16B000C; Tue, 27 Aug 2019 11:51:15 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0126.hostedemail.com [216.40.44.126]) by kanga.kvack.org (Postfix) with ESMTP id AEF1F6B0008 for ; Tue, 27 Aug 2019 11:51:15 -0400 (EDT) Received: from smtpin19.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay04.hostedemail.com (Postfix) with SMTP id 0BB4D758E for ; Tue, 27 Aug 2019 15:51:03 +0000 (UTC) X-FDA: 75868646406.19.shock40_90671a5a7c24 X-HE-Tag: shock40_90671a5a7c24 X-Filterd-Recvd-Size: 15157 Received: from smtprelay.test.hostedemail.com (mail.test.hostedemail.com [216.40.41.5]) by imf15.hostedemail.com (Postfix) with ESMTP for ; Tue, 27 Aug 2019 15:51:01 +0000 (UTC) Received: from forelay.test.hostedemail.com (10.5.29.251.rfc1918.com [10.5.29.251]) by smtprelay01.test.hostedemail.com (Postfix) with ESMTP id A3C9211D54 for ; Tue, 27 Aug 2019 15:51:01 +0000 (UTC) Received: from forelay.prod.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by fograve01.test.hostedemail.com (Postfix) with ESMTP id 7D27023810 for ; Tue, 27 Aug 2019 15:51:01 +0000 (UTC) Received: from smtpin23.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay05.hostedemail.com (Postfix) with SMTP id 72B43181AC9C6 for ; Tue, 27 Aug 2019 15:49:51 +0000 (UTC) X-FDA: 75868643382.23.crate26_902a07b520846 X-HE-Tag: crate26_902a07b520846 X-Filterd-Recvd-Size: 14164 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by imf40.hostedemail.com (Postfix) with ESMTP for ; Tue, 27 Aug 2019 15:49:50 +0000 (UTC) Received: from tleilax.poochiereds.net (68-20-15-154.lightspeed.rlghnc.sbcglobal.net [68.20.15.154]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 833FF2184D; Tue, 27 Aug 2019 15:49:42 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1566920989; bh=bbgW62YNwOw6nr0OoLy9qjvU2nnCXSu3OBPYD+Bupp4=; h=Subject:From:To:Cc:Date:In-Reply-To:References:From; b=L2rOWfFTV9ZENo9sY6rTomCTkAVi6eVgtVnTG5LG9plQ1qzOy8kmqkEIkcKlJccsb 6oQCfNdLugesaJKgynlWsJQg7kb5LVkyYTK4cR8c58Kwfjmh9eQhwGZ7v/8NIZG3RI XOEmwVN1iC+LyMlqc3dSWBw7KJ+TXshlVw7j4UqM= Message-ID: Subject: Re: [PATCH v8] Add flags option to get xattr method paired to __vfs_getxattr From: Jeff Layton To: Mark Salyzyn , linux-kernel@vger.kernel.org Cc: kernel-team@android.com, Jan Kara , Stephen Smalley , linux-security-module@vger.kernel.org, stable@vger.kernel.org, Jonathan Corbet , Gao Xiang , Chao Yu , Greg Kroah-Hartman , Eric Van Hensbergen , Latchesar Ionkov , Dominique Martinet , David Howells , Chris Mason , Josef Bacik , David Sterba , Sage Weil , Ilya Dryomov , Steve French , Tyler Hicks , Jan Kara , Theodore Ts'o , Andreas Dilger , Jaegeuk Kim , Miklos Szeredi , Bob Peterson , Andreas Gruenbacher , David Woodhouse , Richard Weinberger , Dave Kleikamp , Tejun Heo , Trond Myklebust , Anna Schumaker , Mark Fasheh , Joel Becker , Joseph Qi , Mike Marshall , Martin Brandenburg , Alexander Viro , Phillip Lougher , Artem Bityutskiy , Adrian Hunter , "Darrick J. Wong" , linux-xfs@vger.kernel.org, Hugh Dickins , "David S. Miller" , Serge Hallyn , James Morris , Mimi Zohar , Paul Moore , Eric Paris , Casey Schaufler , "J. Bruce Fields" , Eric Biggers , Benjamin Coddington , Andrew Morton , Mathieu Malaterre , Vyacheslav Dubeyko , Bharath Vedartham , Jann Horn , Dave Chinner , Allison Henderson , Brian Foster , Eric Sandeen , linux-doc@vger.kernel.org, linux-erofs@lists.ozlabs.org, devel@driverdev.osuosl.org, v9fs-developer@lists.sourceforge.net, linux-afs@lists.infradead.org, linux-btrfs@vger.kernel.org, ceph-devel@vger.kernel.org, linux-cifs@vger.kernel.org, samba-technical@lists.samba.org, ecryptfs@vger.kernel.org, linux-ext4@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net, linux-fsdevel@vger.kernel.org, cluster-devel@redhat.com, linux-mtd@lists.infradead.org, jfs-discussion@lists.sourceforge.net, linux-nfs@vger.kernel.org, ocfs2-devel@oss.oracle.com, devel@lists.orangefs.org, linux-unionfs@vger.kernel.org, reiserfs-devel@vger.kernel.org, linux-mm@kvack.org, netdev@vger.kernel.org, linux-integrity@vger.kernel.org, selinux@vger.kernel.org Date: Tue, 27 Aug 2019 11:49:41 -0400 In-Reply-To: <20190827150544.151031-1-salyzyn@android.com> References: <20190827150544.151031-1-salyzyn@android.com> Content-Type: text/plain; charset="UTF-8" User-Agent: Evolution 3.32.4 (3.32.4-1.fc30) MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Tue, 2019-08-27 at 08:05 -0700, Mark Salyzyn wrote: > Replace arguments for get and set xattr methods, and __vfs_getxattr > and __vfs_setaxtr functions with a reference to the following now > common argument structure: > > struct xattr_gs_args { > struct dentry *dentry; > struct inode *inode; > const char *name; > union { > void *buffer; > const void *value; > }; > size_t size; > int flags; > }; > > Which in effect adds a flags option to the get method and > __vfs_getxattr function. > > Add a flag option to get xattr method that has bit flag of > XATTR_NOSECURITY passed to it. XATTR_NOSECURITY is generally then > set in the __vfs_getxattr path when called by security > infrastructure. > > This handles the case of a union filesystem driver that is being > requested by the security layer to report back the xattr data. > > For the use case where access is to be blocked by the security layer. > > The path then could be security(dentry) -> > __vfs_getxattr({dentry...XATTR_NOSECURITY}) -> > handler->get({dentry...XATTR_NOSECURITY}) -> > __vfs_getxattr({lower_dentry...XATTR_NOSECURITY}) -> > lower_handler->get({lower_dentry...XATTR_NOSECURITY}) > which would report back through the chain data and success as > expected, the logging security layer at the top would have the > data to determine the access permissions and report back the target > context that was blocked. > > Without the get handler flag, the path on a union filesystem would be > the errant security(dentry) -> __vfs_getxattr(dentry) -> > handler->get(dentry) -> vfs_getxattr(lower_dentry) -> nested -> > security(lower_dentry, log off) -> lower_handler->get(lower_dentry) > which would report back through the chain no data, and -EACCES. > > For selinux for both cases, this would translate to a correctly > determined blocked access. In the first case with this change a correct avc > log would be reported, in the second legacy case an incorrect avc log > would be reported against an uninitialized u:object_r:unlabeled:s0 > context making the logs cosmetically useless for audit2allow. > > This patch series is inert and is the wide-spread addition of the > flags option for xattr functions, and a replacement of __vfs_getxattr > with __vfs_getxattr({...XATTR_NOSECURITY}). > > Signed-off-by: Mark Salyzyn > Reviewed-by: Jan Kara > Cc: Stephen Smalley > Cc: linux-kernel@vger.kernel.org > Cc: kernel-team@android.com > Cc: linux-security-module@vger.kernel.org > Cc: stable@vger.kernel.org # 4.4, 4.9, 4.14 & 4.19 > --- > v8: > - Documentation reported 'struct xattr_gs_flags' rather than > 'struct xattr_gs_flags *args' as argument to get and set methods. > > v7: > - missed spots in fs/9p/acl.c, fs/afs/xattr.c, fs/ecryptfs/crypto.c, > fs/ubifs/xattr.c, fs/xfs/libxfs/xfs_attr.c, > security/integrity/evm/evm_main.c and security/smack/smack_lsm.c. > > v6: > - kernfs missed a spot > > v5: > - introduce struct xattr_gs_args for get and set methods, > __vfs_getxattr and __vfs_setxattr functions. > - cover a missing spot in ext2. > - switch from snprintf to scnprintf for correctness. > > v4: > - ifdef __KERNEL__ around XATTR_NOSECURITY to > keep it colocated in uapi headers. > > v3: > - poor aim on ubifs not ubifs_xattr_get, but static xattr_get > > v2: > - Missed a spot: ubifs, erofs and afs. > > v1: > - Removed from an overlayfs patch set, and made independent. > Expect this to be the basis of some security improvements. > --- > Documentation/filesystems/Locking | 10 ++- > drivers/staging/erofs/xattr.c | 8 +-- > fs/9p/acl.c | 51 +++++++------- > fs/9p/xattr.c | 19 +++-- > fs/afs/xattr.c | 112 +++++++++++++----------------- > fs/btrfs/xattr.c | 36 +++++----- > fs/ceph/xattr.c | 40 +++++------ > fs/cifs/xattr.c | 72 +++++++++---------- > fs/ecryptfs/crypto.c | 20 +++--- > fs/ecryptfs/inode.c | 36 ++++++---- > fs/ecryptfs/mmap.c | 39 ++++++----- > fs/ext2/xattr_security.c | 16 ++--- > fs/ext2/xattr_trusted.c | 15 ++-- > fs/ext2/xattr_user.c | 19 +++-- > fs/ext4/xattr_security.c | 15 ++-- > fs/ext4/xattr_trusted.c | 15 ++-- > fs/ext4/xattr_user.c | 19 +++-- > fs/f2fs/xattr.c | 42 +++++------ > fs/fuse/xattr.c | 23 +++--- > fs/gfs2/xattr.c | 18 ++--- > fs/hfs/attr.c | 15 ++-- > fs/hfsplus/xattr.c | 17 +++-- > fs/hfsplus/xattr_security.c | 13 ++-- > fs/hfsplus/xattr_trusted.c | 13 ++-- > fs/hfsplus/xattr_user.c | 13 ++-- > fs/jffs2/security.c | 16 ++--- > fs/jffs2/xattr_trusted.c | 16 ++--- > fs/jffs2/xattr_user.c | 16 ++--- > fs/jfs/xattr.c | 33 ++++----- > fs/kernfs/inode.c | 23 +++--- > fs/nfs/nfs4proc.c | 28 ++++---- > fs/ocfs2/xattr.c | 52 ++++++-------- > fs/orangefs/xattr.c | 19 ++--- > fs/overlayfs/inode.c | 43 ++++++------ > fs/overlayfs/overlayfs.h | 6 +- > fs/overlayfs/super.c | 53 ++++++-------- > fs/posix_acl.c | 23 +++--- > fs/reiserfs/xattr.c | 2 +- > fs/reiserfs/xattr_security.c | 22 +++--- > fs/reiserfs/xattr_trusted.c | 22 +++--- > fs/reiserfs/xattr_user.c | 22 +++--- > fs/squashfs/xattr.c | 10 +-- > fs/ubifs/xattr.c | 33 +++++---- > fs/xattr.c | 112 ++++++++++++++++++------------ > fs/xfs/libxfs/xfs_attr.c | 4 +- > fs/xfs/libxfs/xfs_attr.h | 2 +- > fs/xfs/xfs_xattr.c | 35 +++++----- > include/linux/xattr.h | 26 ++++--- > include/uapi/linux/xattr.h | 7 +- > mm/shmem.c | 21 +++--- > net/socket.c | 16 ++--- > security/commoncap.c | 29 +++++--- > security/integrity/evm/evm_main.c | 13 +++- > security/selinux/hooks.c | 28 ++++++-- > security/smack/smack_lsm.c | 38 ++++++---- > 55 files changed, 732 insertions(+), 734 deletions(-) > > [...] > > diff --git a/fs/ceph/xattr.c b/fs/ceph/xattr.c > index 939eab7aa219..c4fee624291b 100644 > --- a/fs/ceph/xattr.c > +++ b/fs/ceph/xattr.c > @@ -1179,22 +1179,21 @@ int __ceph_setxattr(struct inode *inode, const char *name, > } > > static int ceph_get_xattr_handler(const struct xattr_handler *handler, > - struct dentry *dentry, struct inode *inode, > - const char *name, void *value, size_t size) > + struct xattr_gs_args *args) > { > - if (!ceph_is_valid_xattr(name)) > + if (!ceph_is_valid_xattr(args->name)) > return -EOPNOTSUPP; > - return __ceph_getxattr(inode, name, value, size); > + return __ceph_getxattr(args->inode, args->name, > + args->buffer, args->size); > } > > static int ceph_set_xattr_handler(const struct xattr_handler *handler, > - struct dentry *unused, struct inode *inode, > - const char *name, const void *value, > - size_t size, int flags) > + struct xattr_gs_args *args) > { > - if (!ceph_is_valid_xattr(name)) > + if (!ceph_is_valid_xattr(args->name)) > return -EOPNOTSUPP; > - return __ceph_setxattr(inode, name, value, size, flags); > + return __ceph_setxattr(args->inode, args->name, > + args->value, args->size, args->flags); > } > > static const struct xattr_handler ceph_other_xattr_handler = { > @@ -1300,25 +1299,22 @@ void ceph_security_invalidate_secctx(struct inode *inode) > } > > static int ceph_xattr_set_security_label(const struct xattr_handler *handler, > - struct dentry *unused, struct inode *inode, > - const char *key, const void *buf, > - size_t buflen, int flags) > + struct xattr_gs_args *args) > { > - if (security_ismaclabel(key)) { > - const char *name = xattr_full_name(handler, key); > - return __ceph_setxattr(inode, name, buf, buflen, flags); > - } > + if (security_ismaclabel(args->name)) > + return __ceph_setxattr(args->inode, > + xattr_full_name(handler, args->name), > + args->value, args->size, args->flags); > return -EOPNOTSUPP; > } > > static int ceph_xattr_get_security_label(const struct xattr_handler *handler, > - struct dentry *unused, struct inode *inode, > - const char *key, void *buf, size_t buflen) > + struct xattr_gs_args *args) > { > - if (security_ismaclabel(key)) { > - const char *name = xattr_full_name(handler, key); > - return __ceph_getxattr(inode, name, buf, buflen); > - } > + if (security_ismaclabel(args->name)) > + return __ceph_getxattr(args->inode, > + xattr_full_name(handler, args->name), > + args->buffer, args->size); > return -EOPNOTSUPP; > } > The ceph bits look fine to me. Note that we do have some patches queued up for v5.4 that might have some merge conflicts here. Shouldn't be too hard to fix it up though. Acked-by: Jeff Layton