From mboxrd@z Thu Jan 1 00:00:00 1970 From: Eric Paris Subject: Re: [PATCH 1/3] SECURITY: Move exec_permission RCU checks into security modules Date: Thu, 21 Apr 2011 20:46:53 -0400 Message-ID: References: <1303431801-10540-1-git-send-email-andi@firstfloor.org> <1303431801-10540-2-git-send-email-andi@firstfloor.org> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: QUOTED-PRINTABLE Cc: linux-fsdevel@vger.kernel.org, akpm@linux-foundation.org, torvalds@linux-foundation.org, linux-kernel@vger.kernel.org, npiggin@kernel.dk, shaohua.li@intel.com, sds@tycho.nsa.gov, jmorris@namei.org, linux-security-module@vger.kernel.org, Andi Kleen To: Andi Kleen Return-path: In-Reply-To: <1303431801-10540-2-git-send-email-andi@firstfloor.org> Sender: linux-security-module-owner@vger.kernel.org List-Id: linux-fsdevel.vger.kernel.org On Thu, Apr 21, 2011 at 8:23 PM, Andi Kleen wrote= :
> From: Andi Kleen
>
> Right now all RCU walks fall back to reference walk when CONFIG_SECUR= ITY
> is enabled, even though just the standard capability module is active= =2E
> This is because security_inode_exec_permission unconditionally fails
> RCU walks.
>
> Move this decision to the low level security module. This requires
> passing the RCU flags down the security hook. This way at least
> the capability module and a few easy cases in selinux/smack work
> with RCU walks with CONFIG_SECURITY=3Dy
>
> Signed-off-by: Andi Kleen Acked-by: Eric Paris
> ---
> =A0include/linux/security.h =A0 | =A0 =A02 +-
> =A0security/capability.c =A0 =A0 =A0| =A0 =A02 +-
> =A0security/security.c =A0 =A0 =A0 =A0| =A0 =A06 ++----
> =A0security/selinux/hooks.c =A0 | =A0 =A06 +++++-
> =A0security/smack/smack_lsm.c | =A0 =A06 +++++-
> =A05 files changed, 14 insertions(+), 8 deletions(-)
>
> diff --git a/include/linux/security.h b/include/linux/security.h
> index ca02f17..8ce59ef 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -1456,7 +1456,7 @@ struct security_operations {
> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 struct inode = *new_dir, struct dentry *new_dentry);
> =A0 =A0 =A0 =A0int (*inode_readlink) (struct dentry *dentry);
> =A0 =A0 =A0 =A0int (*inode_follow_link) (struct dentry *dentry, struc= t nameidata *nd);
> - =A0 =A0 =A0 int (*inode_permission) (struct inode *inode, int mask)= ;
> + =A0 =A0 =A0 int (*inode_permission) (struct inode *inode, int mask,= unsigned flags);
> =A0 =A0 =A0 =A0int (*inode_setattr) =A0 =A0(struct dentry *dentry, st= ruct iattr *attr);
> =A0 =A0 =A0 =A0int (*inode_getattr) (struct vfsmount *mnt, struct den= try *dentry);
> =A0 =A0 =A0 =A0int (*inode_setxattr) (struct dentry *dentry, const ch= ar *name,
> diff --git a/security/capability.c b/security/capability.c
> index 2984ea4..bbb5115 100644
> --- a/security/capability.c
> +++ b/security/capability.c
> @@ -181,7 +181,7 @@ static int cap_inode_follow_link(struct dentry *d= entry,
> =A0 =A0 =A0 =A0return 0;
> =A0}
>
> -static int cap_inode_permission(struct inode *inode, int mask)
> +static int cap_inode_permission(struct inode *inode, int mask, unsig= ned flags)
> =A0{
> =A0 =A0 =A0 =A0return 0;
> =A0}
> diff --git a/security/security.c b/security/security.c
> index 1011423..4ba6d4c 100644
> --- a/security/security.c
> +++ b/security/security.c
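Review bot: The new `flags` argument on the `inode_permission` member of `struct security_operations` is added without any description of what a hook implementation has to do with it. From the SELinux and Smack hunks later in this patch, the intent appears to be that `IPERM_FLAG_RCU` marks a call made during an RCU path walk and that the hook answers `-ECHILD` when it cannot finish without blocking. I would state that next to the declaration, e.g. `/* @flags: IPERM_FLAG_RCU during an RCU path walk; the hook must not sleep then and returns -ECHILD to ask for a ref-walk retry */`, and mirror it in the hook documentation block if this header has one. The struct definition starts and ends outside this hunk.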
> @@ -518,16 +518,14 @@ int security_inode_permission(struct inode *ino= de, int mask)
> =A0{
> =A0 =A0 =A0 =A0if (unlikely(IS_PRIVATE(inode)))
> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0return 0;
> - =A0 =A0 =A0 return security_ops->inode_permission(inode, mask);
> + =A0 =A0 =A0 return security_ops->inode_permission(inode, mask, 0);
> =A0}
>
> =A0int security_inode_exec_permission(struct inode *inode, unsigned i= nt flags)
> =A0{
> =A0 =A0 =A0 =A0if (unlikely(IS_PRIVATE(inode)))
> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0return 0;
> - =A0 =A0 =A0 if (flags)
> - =A0 =A0 =A0 =A0 =A0 =A0 =A0 return -ECHILD;
> - =A0 =A0 =A0 return security_ops->inode_permission(inode, MAY_EXEC);
> + =A0 =A0 =A0 return security_ops->inode_permission(inode, MAY_EXEC, = flags);
> =A0}
>
> =A0int security_inode_setattr(struct dentry *dentry, struct iattr *at= tr)
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index f9c3764..a73f4e4 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -2635,7 +2635,7 @@ static int selinux_inode_follow_link(struct den= try *dentry, struct nameidata *na
> =A0 =A0 =A0 =A0return dentry_has_perm(cred, NULL, dentry, FILE__READ)= ;
> =A0}
>
> -static int selinux_inode_permission(struct inode *inode, int mask)
> +static int selinux_inode_permission(struct inode *inode, int mask, u= nsigned flags)
> =A0{
> =A0 =A0 =A0 =A0const struct cred *cred =3D current_cred();
> =A0 =A0 =A0 =A0struct common_audit_data ad;
> @@ -2649,6 +2649,10 @@ static int selinux_inode_permission(struct ino= de *inode, int mask)
> =A0 =A0 =A0 =A0if (!mask)
> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0return 0;
>
> + =A0 =A0 =A0 /* May be droppable after audit */
> + =A0 =A0 =A0 if (flags & IPERM_FLAG_RCU)
> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 return -ECHILD;
> +
> =A0 =A0 =A0 =A0COMMON_AUDIT_DATA_INIT(&ad, FS);
> =A0 =A0 =A0 =A0ad.u.fs.inode =3D inode;
>
> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> index c6f8fca..400a5d5 100644
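Review bot: Dropping the central `if (flags) return -ECHILD;` from `security_inode_exec_permission()` changes the default from fail-safe to opt-in. Any `inode_permission` implementation that does not test the flag itself will now run its full check inside an RCU walk. This patch converts capability, SELinux and Smack; whether other implementations exist cannot be told from this page, so a comment at the call would help, e.g. `/* hooks see IPERM_FLAG_RCU and must return -ECHILD if they could sleep */`. The old test also bailed on any non-zero `flags`, while the converted modules look only at `IPERM_FLAG_RCU`, so any other bit a caller might set now reaches the modules unchecked. As a smaller point of style, this wrapper takes `unsigned int flags` while the hook is declared with `unsigned flags`.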
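Review bot: The comment `/* May be droppable after audit */` above the new `IPERM_FLAG_RCU` test in `selinux_inode_permission()` does not say why the RCU walk is refused or what would have to change before the test can go. Presumably the audit setup and access check that follow are not yet safe without blocking, and something like `/* The audit path below may sleep: fall back to ref-walk until it is RCU-safe */` would make that explicit. The same comment is added to `smack_inode_permission()` in the `-696,6` hunk of security/smack/smack_lsm.c, where the new block also lacks a blank line before `smk_ad_init()`. Both function bodies extend outside their hunks.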
> --- a/security/smack/smack_lsm.c
> +++ b/security/smack/smack_lsm.c
> @@ -686,7 +686,7 @@ static int smack_inode_rename(struct inode *old_i= node,
> =A0*
> =A0* Returns 0 if access is permitted, -EACCES otherwise
> =A0*/
> -static int smack_inode_permission(struct inode *inode, int mask)
> +static int smack_inode_permission(struct inode *inode, int mask, uns= igned flags)
> =A0{
> =A0 =A0 =A0 =A0struct smk_audit_info ad;
>
> @@ -696,6 +696,10 @@ static int smack_inode_permission(struct inode *= inode, int mask)
> =A0 =A0 =A0 =A0 */
> =A0 =A0 =A0 =A0if (mask =3D=3D 0)
> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0return 0;
> +
> + =A0 =A0 =A0 /* May be droppable after audit */
> + =A0 =A0 =A0 if (flags & IPERM_FLAG_RCU)
> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 return -ECHILD;
> =A0 =A0 =A0 =A0smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);
> =A0 =A0 =A0 =A0smk_ad_setfield_u_fs_inode(&ad, inode);
> =A0 =A0 =A0 =A0return smk_curacc(smk_of_inode(inode), mask, &ad);
> --
> 1.7.4.2
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-secur= ity-module" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at =A0http://vger.kernel.org/majordomo-info.html
> -- To unsubscribe from this list: send the line "unsubscribe linux-securit= y-module" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html