linux-security-module.vger.kernel.org archive mirror
From: serge@hallyn.com (Serge E. Hallyn)
To: linux-security-module@vger.kernel.org
Subject: [PATCH] cap_inode_getsecurity: use d_find_any_alias() instead of d_find_alias()
Date: Thu, 28 Jun 2018 13:28:50 -0500
Message-ID: <20180628182850.GA12845@mail.hallyn.com>
In-Reply-To: <CAOQ4uxjOSTvEt5MBmZY7UqrsjuwGF9jKqK-v6YBFQwLt5wZuRg@mail.gmail.com>

Quoting Amir Goldstein (amir73il at gmail.com):
...
> >> Without arguing what the expected behavior should be (I believe
> >
> > Yes, I avoided mentioning that in my first email because I kept
> > waffling.  It seems like requiring a package manager that cares
> > to clear the fscaps (maybe just chowning to clear all suid/etc)
> > is the right thing.  On the other hand demanding extra work from
> > pre-existing users for a new feature is wrong.
> >
> > Acked-by: Serge Hallyn <serge@hallyn.com>
> >
> >> execveat is meant to prevent the exact opposite attack), the change
> >> in this patch does NOT change behavior for ext4 and probably
> >> other local file systems. It *only* changes behavior for overlayfs
> >
> > Hm, I'll have to take your word for it - following the code in
> > vfs_unlink() seems to suggest it's immediately unhashed, and the
> > ext4 orphan list only holds the inode without any hashed dentries.
> > But I'm probably mis-reading.
> >
> 
> Hmm, don't take my word for it, but this is what Eddie reported.
> Reproducer works with overlayfs and not with ext4.
> I see that d_delete() prefers to keep the dentry hashed but turn it
> into a negative dentry if "we are the only user",
> which is the case in this reproducer.
> But I don't expect that d_find_alias() will find a negative dentry!,
> so I can't explain why ext4 passes the reproducer.
> Overlayfs OTOH, does explicit d_drop() in file system code,
> so it is positive that d_find_any_alias() is needed for overlayfs
> as the reproducer shows.

Ah - I just tried his reproducer, and in fact got:

0 ? serge at sl ~/test $ getcap execveat
execveat = cap_sys_admin+ep
0 ? serge at sl ~/test $ ./execveat
execveat: Bad file descriptor

on ext4, with 4.15.0-22-generic #24~16.04.1-Ubuntu

Without the filecap, it works.

-serge
