* [PATCH] fs: hardlink creation restriction cleanup
@ 2012-02-22 1:21 Kees Cook
2012-02-22 10:23 ` Ingo Molnar
0 siblings, 1 reply; 3+ messages in thread
From: Kees Cook @ 2012-02-22 1:21 UTC (permalink / raw)
To: Andrew Morton
Cc: Ingo Molnar, Marcin Slusarz, linux-kernel, Randy Dunlap,
Alexander Viro, linux-doc, linux-fsdevel, kernel-hardening
Clean-up of hardlink restriction logic, as suggested by Andrew Morton.
Signed-off-by: Kees Cook <keescook@chromium.org>
---
fs/namei.c | 59 +++++++++++++++++++++++++++++++++++++++++------------------
1 files changed, 41 insertions(+), 18 deletions(-)
diff --git a/fs/namei.c b/fs/namei.c
index 8ed4e00..a4a21a5 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -693,46 +693,69 @@ static inline int may_follow_link(struct path *link)
}
/**
+ * safe_hardlink_source - Check for safe hardlink conditions
+ * @inode: the source inode to hardlink from
+ *
+ * Return false if at least one of the following conditions:
+ * - inode is not a regular file
+ * - inode is setuid
+ * - inode is setgid and group-exec
+ * - access failure for read and write
+ *
+ * Otherwise returns true.
+ */
+static bool safe_hardlink_source(struct inode *inode)
+{
+ mode_t mode = inode->i_mode;
+
+ /* Special files should not get pinned to the filesystem. */
+ if (!S_ISREG(mode))
+ return false;
+ /* Setuid files should not get pinned to the filesystem. */
+ if (mode & S_ISUID)
+ return false;
+ /* Executable setgid files should not get pinned to the filesystem. */
+ if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))
+ return false;
+ /* Hardlinking to unreadable or unwritable sources is dangerous. */
+ if (inode_permission(inode, MAY_READ | MAY_WRITE))
+ return false;
+
+ return true;
+}
+
+/**
* may_linkat - Check permissions for creating a hardlink
* @link: the source to hardlink from
*
* Block hardlink when all of:
* - sysctl_protected_hardlinks enabled
* - fsuid does not match inode
- * - at least one of:
- * - inode is not a regular file
- * - inode is setuid
- * - inode is setgid and group-exec
- * - access failure for read and write
+ * - hardlink source is unsafe (see safe_hardlink_source() above)
* - not CAP_FOWNER
*
* Returns 0 if successful, -ve on error.
*/
static int may_linkat(struct path *link)
{
- int error = 0;
const struct cred *cred;
struct inode *inode;
- int mode;
if (!sysctl_protected_hardlinks)
return 0;
cred = current_cred();
inode = link->dentry->d_inode;
- mode = inode->i_mode;
- if (cred->fsuid != inode->i_uid &&
- (!S_ISREG(mode) || (mode & S_ISUID) ||
- ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) ||
- (inode_permission(inode, MAY_READ | MAY_WRITE))) &&
- !capable(CAP_FOWNER))
- error = -EPERM;
-
- if (error)
- audit_log_link_denied("linkat", link);
+ /* Source inode owner (or CAP_FOWNER) can hardlink all they like,
+ * otherwise, it must be a safe source.
+ */
+ if (cred->fsuid == inode->i_uid || safe_hardlink_source(inode) ||
+ capable(CAP_FOWNER))
+ return 0;
- return error;
+ audit_log_link_denied("linkat", link);
+ return -EPERM;
}
#else
static inline int may_follow_link(struct path *link)
--
1.7.0.4
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] fs: hardlink creation restriction cleanup
2012-02-22 1:21 [PATCH] fs: hardlink creation restriction cleanup Kees Cook
@ 2012-02-22 10:23 ` Ingo Molnar
2012-02-22 19:10 ` Kees Cook
0 siblings, 1 reply; 3+ messages in thread
From: Ingo Molnar @ 2012-02-22 10:23 UTC (permalink / raw)
To: Kees Cook
Cc: Andrew Morton, Marcin Slusarz, linux-kernel, Randy Dunlap,
Alexander Viro, linux-doc, linux-fsdevel, kernel-hardening
* Kees Cook <keescook@chromium.org> wrote:
> Clean-up of hardlink restriction logic, as suggested by Andrew Morton.
>
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
> fs/namei.c | 59 +++++++++++++++++++++++++++++++++++++++++------------------
> 1 files changed, 41 insertions(+), 18 deletions(-)
>
> diff --git a/fs/namei.c b/fs/namei.c
> index 8ed4e00..a4a21a5 100644
> --- a/fs/namei.c
> +++ b/fs/namei.c
> @@ -693,46 +693,69 @@ static inline int may_follow_link(struct path *link)
> }
>
> /**
> + * safe_hardlink_source - Check for safe hardlink conditions
> + * @inode: the source inode to hardlink from
> + *
> + * Return false if at least one of the following conditions:
> + * - inode is not a regular file
> + * - inode is setuid
> + * - inode is setgid and group-exec
> + * - access failure for read and write
> + *
> + * Otherwise returns true.
> + */
> +static bool safe_hardlink_source(struct inode *inode)
> +{
> + mode_t mode = inode->i_mode;
> +
> + /* Special files should not get pinned to the filesystem. */
> + if (!S_ISREG(mode))
> + return false;
> + /* Setuid files should not get pinned to the filesystem. */
> + if (mode & S_ISUID)
> + return false;
> + /* Executable setgid files should not get pinned to the filesystem. */
> + if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))
> + return false;
> + /* Hardlinking to unreadable or unwritable sources is dangerous. */
> + if (inode_permission(inode, MAY_READ | MAY_WRITE))
> + return false;
> +
> + return true;
A really minor nitpick, could we use this form please:
static bool safe_hardlink_source(struct inode *inode)
{
mode_t mode = inode->i_mode;
/* Special files should not get pinned to the filesystem. */
if (!S_ISREG(mode))
return false;
/* Setuid files should not get pinned to the filesystem. */
if (mode & S_ISUID)
return false;
/* Executable setgid files should not get pinned to the filesystem. */
if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))
return false;
/* Hardlinking to unreadable or unwritable sources is dangerous. */
if (inode_permission(inode, MAY_READ | MAY_WRITE))
return false;
return true;
}
Those separate blocks of comments and conditions stand out much
nicer this way, making it way easier on the eyes - to my eyes at
least ;-)
Thanks,
Ingo
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] fs: hardlink creation restriction cleanup
2012-02-22 10:23 ` Ingo Molnar
@ 2012-02-22 19:10 ` Kees Cook
0 siblings, 0 replies; 3+ messages in thread
From: Kees Cook @ 2012-02-22 19:10 UTC (permalink / raw)
To: Ingo Molnar
Cc: Andrew Morton, Marcin Slusarz, linux-kernel, Randy Dunlap,
Alexander Viro, linux-doc, linux-fsdevel, kernel-hardening
On Wed, Feb 22, 2012 at 2:23 AM, Ingo Molnar <mingo@elte.hu> wrote:
>
> * Kees Cook <keescook@chromium.org> wrote:
>
>> Clean-up of hardlink restriction logic, as suggested by Andrew Morton.
>>
>> Signed-off-by: Kees Cook <keescook@chromium.org>
>> ---
>> fs/namei.c | 59 +++++++++++++++++++++++++++++++++++++++++------------------
>> 1 files changed, 41 insertions(+), 18 deletions(-)
>>
>> diff --git a/fs/namei.c b/fs/namei.c
>> index 8ed4e00..a4a21a5 100644
>> --- a/fs/namei.c
>> +++ b/fs/namei.c
>> @@ -693,46 +693,69 @@ static inline int may_follow_link(struct path *link)
>> }
>>
>> /**
>> + * safe_hardlink_source - Check for safe hardlink conditions
>> + * @inode: the source inode to hardlink from
>> + *
>> + * Return false if at least one of the following conditions:
>> + * - inode is not a regular file
>> + * - inode is setuid
>> + * - inode is setgid and group-exec
>> + * - access failure for read and write
>> + *
>> + * Otherwise returns true.
>> + */
>> +static bool safe_hardlink_source(struct inode *inode)
>> +{
>> + mode_t mode = inode->i_mode;
>> +
>> + /* Special files should not get pinned to the filesystem. */
>> + if (!S_ISREG(mode))
>> + return false;
>> + /* Setuid files should not get pinned to the filesystem. */
>> + if (mode & S_ISUID)
>> + return false;
>> + /* Executable setgid files should not get pinned to the filesystem. */
>> + if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))
>> + return false;
>> + /* Hardlinking to unreadable or unwritable sources is dangerous. */
>> + if (inode_permission(inode, MAY_READ | MAY_WRITE))
>> + return false;
>> +
>> + return true;
>
> A really minor nitpick, could we use this form please:
>
> static bool safe_hardlink_source(struct inode *inode)
> {
> mode_t mode = inode->i_mode;
>
> /* Special files should not get pinned to the filesystem. */
> if (!S_ISREG(mode))
> return false;
>
> /* Setuid files should not get pinned to the filesystem. */
> if (mode & S_ISUID)
> return false;
>
> /* Executable setgid files should not get pinned to the filesystem. */
> if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))
> return false;
>
> /* Hardlinking to unreadable or unwritable sources is dangerous. */
> if (inode_permission(inode, MAY_READ | MAY_WRITE))
> return false;
>
> return true;
> }
>
> Those separate blocks of comments and conditions stand out much
> nicer this way, making it way easier on the eyes - to my eyes at
> least ;-)
Heh, sure. I've sent v2 now. :)
-Kees
--
Kees Cook
ChromeOS Security
--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2012-02-22 19:10 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2012-02-22 1:21 [PATCH] fs: hardlink creation restriction cleanup Kees Cook
2012-02-22 10:23 ` Ingo Molnar
2012-02-22 19:10 ` Kees Cook
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).