time_attrs argument for security_path_truncate

time_attrs argument for security_path_truncate

[Nick Piggin]

It appears like the time_attrs parameter of security_path_truncate is
unused by any security module, so I wonder if we can remove it?

We cannot really get it right for truncate(2) calls anyway without
holding i_mutex over the call (because ATTR_MTIME|ATTR_CTIME is
effectively set iff size changes). So the meaning of this parameter
today is misleading anyway.

Thanks,
Nick

Re: [Security] time_attrs argument for security_path_truncate

[Linus Torvalds]

On Wed, 2 Jun 2010, Nick Piggin wrote:
>
> It appears like the time_attrs parameter of security_path_truncate is
> unused by any security module, so I wonder if we can remove it?

I think we should aggressively remove interfaces that aren't used. The VFS 
side has been complicated several times because of the security hooks, and 
if they ended up not getting used and just complicates logic, we should 
remove it.

> We cannot really get it right for truncate(2) calls anyway without
> holding i_mutex over the call (because ATTR_MTIME|ATTR_CTIME is
> effectively set iff size changes). So the meaning of this parameter
> today is misleading anyway.

Why do we pass it in to do_truncate() at all, btw? Especially as we seem 
to be a bit confused about it. A regular 'truncate()' passes in a 
time_attrs of '0', while a 'ftruncate()' passes ATTR_MTIME|ATTR_CTIME.

That doesn't sound right. And if it is (because I can well imagine some 
strange and subtle POSIX rule wrt ftruncate() and mtime/ctime), I think we 
should add a comment on it, since I've clearly forgotten the reason.

Btw, right now we pass in ATTR_OPEN too to the security_path_truncate() 
call. Which again doesn't seem to be _used_ by any security thing, and 
which also violates the naming of that argument. So there's some 
additional strangeness going on there.

(That ATTR_OPEN case was introduced in commit be6d3e56a6 ("introduce new 
LSM hooks where vfsmount is available"), for what its worth. The ATTR_OPEN 
bit seems to have been copied from the do_truncate() call below it, I 
think it's just a copy-paste error).

		Linus

Re: [Security] time_attrs argument for security_path_truncate

[Nick Piggin]

On Tue, Jun 01, 2010 at 10:04:13AM -0700, Linus Torvalds wrote:
> 
> 
> On Wed, 2 Jun 2010, Nick Piggin wrote:
> >
> > It appears like the time_attrs parameter of security_path_truncate is
> > unused by any security module, so I wonder if we can remove it?
> 
> I think we should aggressively remove interfaces that aren't used. The VFS 
> side has been complicated several times because of the security hooks, and 
> if they ended up not getting used and just complicates logic, we should 
> remove it.

OK, good. I'll put a patch at the head of my queue.

> > We cannot really get it right for truncate(2) calls anyway without
> > holding i_mutex over the call (because ATTR_MTIME|ATTR_CTIME is
> > effectively set iff size changes). So the meaning of this parameter
> > today is misleading anyway.
> 
> Why do we pass it in to do_truncate() at all, btw? Especially as we seem 
> to be a bit confused about it. A regular 'truncate()' passes in a 
> time_attrs of '0', while a 'ftruncate()' passes ATTR_MTIME|ATTR_CTIME.

Yes, and then it relies on the filesystems to update MTIME and CTIME
if size has changed. Many get it wrong (and in my confusion I also
just broke a couple more). So I'm working on fixing it for everyone.

http://marc.info/?l=linux-fsdevel&m=127539956932537&w=2

 
> That doesn't sound right. And if it is (because I can well imagine some 
> strange and subtle POSIX rule wrt ftruncate() and mtime/ctime), I think we 
> should add a comment on it, since I've clearly forgotten the reason.

Yeah a comment would have really helped, since it seems stupid it
must be a typo in the standards document.

6e656be899993f450a765056cdc8d87e58906508

 
> Btw, right now we pass in ATTR_OPEN too to the security_path_truncate() 
> call. Which again doesn't seem to be _used_ by any security thing, and 
> which also violates the naming of that argument. So there's some 
> additional strangeness going on there.
> 
> (That ATTR_OPEN case was introduced in commit be6d3e56a6 ("introduce new 
> LSM hooks where vfsmount is available"), for what its worth. The ATTR_OPEN 
> bit seems to have been copied from the do_truncate() call below it, I 
> think it's just a copy-paste error).

Good point. That'll get nuked when we remove the parameter.

Re: [Security] time_attrs argument for security_path_truncate

[Linus Torvalds]

On Wed, 2 Jun 2010, Nick Piggin wrote:
> 
> Yeah a comment would have really helped, since it seems stupid it
> must be a typo in the standards document.
> 
> 6e656be899993f450a765056cdc8d87e58906508

Ahh. Yes, it's stupid. That sadly does _not_ mean that it's necessarily a 
typo, though. It might easily be intentional, due to some random original 
Unix implementation detail.

But yeah, that commit message is wonderful, but a single-line comment 
about crazy POSIX rules in the actual code itself would probably have been 
a good idea too.

		Linus

[PATCH] LSM: Remove unused time_attrs argument.

[Tetsuo Handa]

When commit be6d3e56a6b9b3a4ee44a0685e39e595073c6f0d "introduce new LSM hooks
where vfsmount is available." was proposed, regarding security_path_truncate(),
only "struct file *" argument (which AppArmor wanted to use) was removed.
But length and time_attrs arguments are not used by TOMOYO nor AppArmor.
Thus, let's remove time_attrs argument.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
---
 fs/namei.c               |    3 +--
 fs/open.c                |    5 ++---
 include/linux/security.h |   10 +++-------
 security/capability.c    |    3 +--
 security/security.c      |    5 ++---
 security/tomoyo/tomoyo.c |    3 +--
 6 files changed, 10 insertions(+), 19 deletions(-)

--- security-testing-2.6.orig/fs/namei.c
+++ security-testing-2.6/fs/namei.c
@@ -1484,8 +1484,7 @@ static int handle_truncate(struct path *
 	 */
 	error = locks_verify_locked(inode);
 	if (!error)
-		error = security_path_truncate(path, 0,
-				       ATTR_MTIME|ATTR_CTIME|ATTR_OPEN);
+		error = security_path_truncate(path, 0);
 	if (!error) {
 		error = do_truncate(path->dentry, 0,
 				    ATTR_MTIME|ATTR_CTIME|ATTR_OPEN,
--- security-testing-2.6.orig/fs/open.c
+++ security-testing-2.6/fs/open.c
@@ -110,7 +110,7 @@ static long do_sys_truncate(const char _
 
 	error = locks_verify_truncate(inode, NULL, length);
 	if (!error)
-		error = security_path_truncate(&path, length, 0);
+		error = security_path_truncate(&path, length);
 	if (!error)
 		error = do_truncate(path.dentry, length, 0, NULL);
 
@@ -165,8 +165,7 @@ static long do_sys_ftruncate(unsigned in
 
 	error = locks_verify_truncate(inode, file, length);
 	if (!error)
-		error = security_path_truncate(&file->f_path, length,
-					       ATTR_MTIME|ATTR_CTIME);
+		error = security_path_truncate(&file->f_path, length);
 	if (!error)
 		error = do_truncate(dentry, length, ATTR_MTIME|ATTR_CTIME, file);
 out_putf:
--- security-testing-2.6.orig/include/linux/security.h
+++ security-testing-2.6/include/linux/security.h
@@ -471,7 +471,6 @@ static inline void security_free_mnt_opt
  *	Check permission before truncating a file.
  *	@path contains the path structure for the file.
  *	@length is the new length of the file.
- *	@time_attrs is the flags passed to do_truncate().
  *	Return 0 if permission is granted.
  * @inode_getattr:
  *	Check permission before obtaining file attributes.
@@ -1412,8 +1411,7 @@ struct security_operations {
 	int (*path_rmdir) (struct path *dir, struct dentry *dentry);
 	int (*path_mknod) (struct path *dir, struct dentry *dentry, int mode,
 			   unsigned int dev);
-	int (*path_truncate) (struct path *path, loff_t length,
-			      unsigned int time_attrs);
+	int (*path_truncate) (struct path *path, loff_t length);
 	int (*path_symlink) (struct path *dir, struct dentry *dentry,
 			     const char *old_name);
 	int (*path_link) (struct dentry *old_dentry, struct path *new_dir,
@@ -2806,8 +2804,7 @@ int security_path_mkdir(struct path *dir
 int security_path_rmdir(struct path *dir, struct dentry *dentry);
 int security_path_mknod(struct path *dir, struct dentry *dentry, int mode,
 			unsigned int dev);
-int security_path_truncate(struct path *path, loff_t length,
-			   unsigned int time_attrs);
+int security_path_truncate(struct path *path, loff_t length);
 int security_path_symlink(struct path *dir, struct dentry *dentry,
 			  const char *old_name);
 int security_path_link(struct dentry *old_dentry, struct path *new_dir,
@@ -2841,8 +2838,7 @@ static inline int security_path_mknod(st
 	return 0;
 }
 
-static inline int security_path_truncate(struct path *path, loff_t length,
-					 unsigned int time_attrs)
+static inline int security_path_truncate(struct path *path, loff_t length)
 {
 	return 0;
 }
--- security-testing-2.6.orig/security/capability.c
+++ security-testing-2.6/security/capability.c
@@ -268,8 +268,7 @@ static int cap_path_rename(struct path *
 	return 0;
 }
 
-static int cap_path_truncate(struct path *path, loff_t length,
-			     unsigned int time_attrs)
+static int cap_path_truncate(struct path *path, loff_t length)
 {
 	return 0;
 }
--- security-testing-2.6.orig/security/security.c
+++ security-testing-2.6/security/security.c
@@ -417,12 +417,11 @@ int security_path_rename(struct path *ol
 					 new_dentry);
 }
 
-int security_path_truncate(struct path *path, loff_t length,
-			   unsigned int time_attrs)
+int security_path_truncate(struct path *path, loff_t length)
 {
 	if (unlikely(IS_PRIVATE(path->dentry->d_inode)))
 		return 0;
-	return security_ops->path_truncate(path, length, time_attrs);
+	return security_ops->path_truncate(path, length);
 }
 
 int security_path_chmod(struct dentry *dentry, struct vfsmount *mnt,
--- security-testing-2.6.orig/security/tomoyo/tomoyo.c
+++ security-testing-2.6/security/tomoyo/tomoyo.c
@@ -93,8 +93,7 @@ static int tomoyo_bprm_check_security(st
 	return tomoyo_check_open_permission(domain, &bprm->file->f_path, O_RDONLY);
 }
 
-static int tomoyo_path_truncate(struct path *path, loff_t length,
-				unsigned int time_attrs)
+static int tomoyo_path_truncate(struct path *path, loff_t length)
 {
 	return tomoyo_path_perm(TOMOYO_TYPE_TRUNCATE, path);
 }

Re: [PATCH] LSM: Remove unused time_attrs argument.

[Nick Piggin]

On Wed, Jun 02, 2010 at 12:28:24PM +0900, Tetsuo Handa wrote:
> When commit be6d3e56a6b9b3a4ee44a0685e39e595073c6f0d "introduce new LSM hooks
> where vfsmount is available." was proposed, regarding security_path_truncate(),
> only "struct file *" argument (which AppArmor wanted to use) was removed.
> But length and time_attrs arguments are not used by TOMOYO nor AppArmor.

Well if length is not used either, can we remove that too seeing as
we're changing the API anyway.

Length would also be an iffy thing to use here because we're not
holding the i_mutex, so it may change between being checked and
truncate checking it.


> Thus, let's remove time_attrs argument.
> 
> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> ---
>  fs/namei.c               |    3 +--
>  fs/open.c                |    5 ++---
>  include/linux/security.h |   10 +++-------
>  security/capability.c    |    3 +--
>  security/security.c      |    5 ++---
>  security/tomoyo/tomoyo.c |    3 +--
>  6 files changed, 10 insertions(+), 19 deletions(-)

Re: [PATCH] LSM: Remove unused time_attrs argument.

[Nick Piggin]

On Wed, Jun 02, 2010 at 01:50:12PM +1000, Nick Piggin wrote:
> On Wed, Jun 02, 2010 at 12:28:24PM +0900, Tetsuo Handa wrote:
> > When commit be6d3e56a6b9b3a4ee44a0685e39e595073c6f0d "introduce new LSM hooks
> > where vfsmount is available." was proposed, regarding security_path_truncate(),
> > only "struct file *" argument (which AppArmor wanted to use) was removed.
> > But length and time_attrs arguments are not used by TOMOYO nor AppArmor.
> 
> Well if length is not used either, can we remove that too seeing as
> we're changing the API anyway.
> 
> Length would also be an iffy thing to use here because we're not
> holding the i_mutex, so it may change between being checked and
> truncate checking it.

To clarify, not the length of course, but the i_size. That could
be a problem if a security module thought it could allow only expanding
truncates by checking i_size, for example.

Re: [PATCH] LSM: Remove unused time_attrs argument.

[Tetsuo Handa]

Nick Piggin wrote:
> On Wed, Jun 02, 2010 at 12:28:24PM +0900, Tetsuo Handa wrote:
> > When commit be6d3e56a6b9b3a4ee44a0685e39e595073c6f0d "introduce new LSM hooks
> > where vfsmount is available." was proposed, regarding security_path_truncate(),
> > only "struct file *" argument (which AppArmor wanted to use) was removed.
> > But length and time_attrs arguments are not used by TOMOYO nor AppArmor.
> 
> Well if length is not used either, can we remove that too seeing as
> we're changing the API anyway.
Yes. Here is the updated patch.
----------
[PATCH] LSM: Remove unused arguments from security_path_truncate().

When commit be6d3e56a6b9b3a4ee44a0685e39e595073c6f0d "introduce new LSM hooks
where vfsmount is available." was proposed, regarding security_path_truncate(),
only "struct file *" argument (which AppArmor wanted to use) was removed.
But length and time_attrs arguments are not used by TOMOYO nor AppArmor.
Thus, let's remove these arguments.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
---
 fs/namei.c               |    3 +--
 fs/open.c                |    5 ++---
 include/linux/security.h |   11 +++--------
 security/capability.c    |    3 +--
 security/security.c      |    5 ++---
 security/tomoyo/tomoyo.c |    3 +--
 6 files changed, 10 insertions(+), 20 deletions(-)

--- security-testing-2.6.orig/fs/namei.c
+++ security-testing-2.6/fs/namei.c
@@ -1484,8 +1484,7 @@ static int handle_truncate(struct path *
 	 */
 	error = locks_verify_locked(inode);
 	if (!error)
-		error = security_path_truncate(path, 0,
-				       ATTR_MTIME|ATTR_CTIME|ATTR_OPEN);
+		error = security_path_truncate(path);
 	if (!error) {
 		error = do_truncate(path->dentry, 0,
 				    ATTR_MTIME|ATTR_CTIME|ATTR_OPEN,
--- security-testing-2.6.orig/fs/open.c
+++ security-testing-2.6/fs/open.c
@@ -110,7 +110,7 @@ static long do_sys_truncate(const char _
 
 	error = locks_verify_truncate(inode, NULL, length);
 	if (!error)
-		error = security_path_truncate(&path, length, 0);
+		error = security_path_truncate(&path);
 	if (!error)
 		error = do_truncate(path.dentry, length, 0, NULL);
 
@@ -165,8 +165,7 @@ static long do_sys_ftruncate(unsigned in
 
 	error = locks_verify_truncate(inode, file, length);
 	if (!error)
-		error = security_path_truncate(&file->f_path, length,
-					       ATTR_MTIME|ATTR_CTIME);
+		error = security_path_truncate(&file->f_path);
 	if (!error)
 		error = do_truncate(dentry, length, ATTR_MTIME|ATTR_CTIME, file);
 out_putf:
--- security-testing-2.6.orig/include/linux/security.h
+++ security-testing-2.6/include/linux/security.h
@@ -470,8 +470,6 @@ static inline void security_free_mnt_opt
  * @path_truncate:
  *	Check permission before truncating a file.
  *	@path contains the path structure for the file.
- *	@length is the new length of the file.
- *	@time_attrs is the flags passed to do_truncate().
  *	Return 0 if permission is granted.
  * @inode_getattr:
  *	Check permission before obtaining file attributes.
@@ -1412,8 +1410,7 @@ struct security_operations {
 	int (*path_rmdir) (struct path *dir, struct dentry *dentry);
 	int (*path_mknod) (struct path *dir, struct dentry *dentry, int mode,
 			   unsigned int dev);
-	int (*path_truncate) (struct path *path, loff_t length,
-			      unsigned int time_attrs);
+	int (*path_truncate) (struct path *path);
 	int (*path_symlink) (struct path *dir, struct dentry *dentry,
 			     const char *old_name);
 	int (*path_link) (struct dentry *old_dentry, struct path *new_dir,
@@ -2806,8 +2803,7 @@ int security_path_mkdir(struct path *dir
 int security_path_rmdir(struct path *dir, struct dentry *dentry);
 int security_path_mknod(struct path *dir, struct dentry *dentry, int mode,
 			unsigned int dev);
-int security_path_truncate(struct path *path, loff_t length,
-			   unsigned int time_attrs);
+int security_path_truncate(struct path *path);
 int security_path_symlink(struct path *dir, struct dentry *dentry,
 			  const char *old_name);
 int security_path_link(struct dentry *old_dentry, struct path *new_dir,
@@ -2841,8 +2837,7 @@ static inline int security_path_mknod(st
 	return 0;
 }
 
-static inline int security_path_truncate(struct path *path, loff_t length,
-					 unsigned int time_attrs)
+static inline int security_path_truncate(struct path *path)
 {
 	return 0;
 }
--- security-testing-2.6.orig/security/capability.c
+++ security-testing-2.6/security/capability.c
@@ -268,8 +268,7 @@ static int cap_path_rename(struct path *
 	return 0;
 }
 
-static int cap_path_truncate(struct path *path, loff_t length,
-			     unsigned int time_attrs)
+static int cap_path_truncate(struct path *path)
 {
 	return 0;
 }
--- security-testing-2.6.orig/security/security.c
+++ security-testing-2.6/security/security.c
@@ -417,12 +417,11 @@ int security_path_rename(struct path *ol
 					 new_dentry);
 }
 
-int security_path_truncate(struct path *path, loff_t length,
-			   unsigned int time_attrs)
+int security_path_truncate(struct path *path)
 {
 	if (unlikely(IS_PRIVATE(path->dentry->d_inode)))
 		return 0;
-	return security_ops->path_truncate(path, length, time_attrs);
+	return security_ops->path_truncate(path);
 }
 
 int security_path_chmod(struct dentry *dentry, struct vfsmount *mnt,
--- security-testing-2.6.orig/security/tomoyo/tomoyo.c
+++ security-testing-2.6/security/tomoyo/tomoyo.c
@@ -93,8 +93,7 @@ static int tomoyo_bprm_check_security(st
 	return tomoyo_check_open_permission(domain, &bprm->file->f_path, O_RDONLY);
 }
 
-static int tomoyo_path_truncate(struct path *path, loff_t length,
-				unsigned int time_attrs)
+static int tomoyo_path_truncate(struct path *path)
 {
 	return tomoyo_path_perm(TOMOYO_TYPE_TRUNCATE, path);
 }

Re: [PATCH] LSM: Remove unused time_attrs argument.

[Nick Piggin]

On Wed, Jun 02, 2010 at 01:24:43PM +0900, Tetsuo Handa wrote:
> Nick Piggin wrote:
> > On Wed, Jun 02, 2010 at 12:28:24PM +0900, Tetsuo Handa wrote:
> > > When commit be6d3e56a6b9b3a4ee44a0685e39e595073c6f0d "introduce new LSM hooks
> > > where vfsmount is available." was proposed, regarding security_path_truncate(),
> > > only "struct file *" argument (which AppArmor wanted to use) was removed.
> > > But length and time_attrs arguments are not used by TOMOYO nor AppArmor.
> > 
> > Well if length is not used either, can we remove that too seeing as
> > we're changing the API anyway.
> Yes. Here is the updated patch.

Great, thanks. Ack.

> ----------
> [PATCH] LSM: Remove unused arguments from security_path_truncate().

Re: [PATCH] LSM: Remove unused time_attrs argument.

[James Morris]

On Wed, 2 Jun 2010, Tetsuo Handa wrote:

> ----------
> [PATCH] LSM: Remove unused arguments from security_path_truncate().
> 
> When commit be6d3e56a6b9b3a4ee44a0685e39e595073c6f0d "introduce new LSM hooks
> where vfsmount is available." was proposed, regarding security_path_truncate(),
> only "struct file *" argument (which AppArmor wanted to use) was removed.
> But length and time_attrs arguments are not used by TOMOYO nor AppArmor.
> Thus, let's remove these arguments.
> 
> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>


Applied to
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6#next

-- 
James Morris
<jmorris@namei.org>