From: Amerigo Wang <amwang@redhat.com>
To: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
Cc: akpm@linux-foundation.org, viro@zeniv.linux.org.uk,
linux-fsdevel@vger.kernel.org, eparis@redhat.com,
esandeen@redhat.com, eteo@redhat.com
Subject: Re: [patch 12/12] vfs: allow file truncations when both suid and write permissions set
Date: Mon, 10 Aug 2009 10:00:14 +0800 [thread overview]
Message-ID: <4A7F7F2E.5070807@redhat.com> (raw)
In-Reply-To: <87ab2bsw6n.fsf@devron.myhome.or.jp>
OGAWA Hirofumi wrote:
> OGAWA Hirofumi <hirofumi@mail.parknet.co.jp> writes:
>
>
>> Amerigo Wang <amwang@redhat.com> writes:
>>
>>
>>>> static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
>>>> {
>>>> const struct cred *cred = current_cred();
>>>>
>>>> if (iattr->ia_valid & ATTR_FORCE)
>>>> return 0;
>>>>
>>>> if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
>>>> ATTR_ATIME_SET | ATTR_MTIME_SET))
>>>> return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
>>>>
>>>> return dentry_has_perm(cred, NULL, dentry, FILE__WRITE);
>>>> }
>>>>
>>>> I guess it's assuming the ia_valid doesn't have (ATTR_MODE | ATTR_SIZE),
>>>> but truncate() already does it, I don't know whether it's ok.
>>>>
>>> No, here we should only force ATTR_KILL_SUID and/or ATTR_KILL_SGID.
>>> do_truncate() has ATTR_SIZE and ATTR_FILE.
>>>
>> I guess security module should do,
>>
>> ia_valid = iattr->ia_valid;
>> if (!(ia_valid & ATTR_FORCE) && (ia_valid & ATTR_FORCE_MASK)) {
>> err = dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
>> if (err)
>> return err;
>> ia_valid &= ~ATTR_FORCE_MASK;
>> }
>> if (ia_valid & ATTR_NOT_FORCE_MASK)
>> err = dentry_has_perm(cred, NULL, dentry, FILE__WRITE);
>> return err;
>>
>> or something. Because do_truncate() already do (ATTR_MODE | ATTR_SIZE)
>> without ATTR_FORCE.
>>
>
> BTW, it seems original code doesn't check ATTR_SIZE if (ATTR_MODE |
> ATTR_SIZE), right? So, ATTR_FORCE is just forcing ATTR_MODE, but I
> guess that's problem itself.
>
I am not sure if I understand you correctly... You must be referring
notify_change(), it seems to do what you said.
But clearly ATTR_FORCE is the way to bypass the security module on
purpose. I agree that we perhaps should have some wrapper function to do
this (instead of calling notify_change() twice), but currently this is fine.
next prev parent reply other threads:[~2009-08-10 1:58 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-08-06 23:10 [patch 12/12] vfs: allow file truncations when both suid and write permissions set akpm
2009-08-07 2:32 ` OGAWA Hirofumi
2009-08-07 3:21 ` Amerigo Wang
2009-08-07 4:17 ` OGAWA Hirofumi
2009-08-07 5:49 ` OGAWA Hirofumi
2009-08-07 9:20 ` Amerigo Wang
2009-08-07 11:06 ` OGAWA Hirofumi
2009-08-07 9:27 ` Amerigo Wang
2009-08-07 11:02 ` OGAWA Hirofumi
2009-08-07 11:25 ` OGAWA Hirofumi
2009-08-10 2:00 ` Amerigo Wang [this message]
2009-08-10 4:34 ` OGAWA Hirofumi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4A7F7F2E.5070807@redhat.com \
--to=amwang@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=eparis@redhat.com \
--cc=esandeen@redhat.com \
--cc=eteo@redhat.com \
--cc=hirofumi@mail.parknet.co.jp \
--cc=linux-fsdevel@vger.kernel.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox