* [PATCH] ovl: filter of trusted xattr results in audit
@ 2019-10-07 16:09 Mark Salyzyn
2019-10-07 16:16 ` Greg Kroah-Hartman
0 siblings, 1 reply; 7+ messages in thread
From: Mark Salyzyn @ 2019-10-07 16:09 UTC (permalink / raw)
To: linux-kernel
Cc: kernel-team, Mark Salyzyn, linux-security-module,
Greg Kroah-Hartman, stable, Miklos Szeredi, linux-unionfs
When filtering xattr list for reading, presence of trusted xattr
results in a security audit log. However, if there is other content
no errno will be set, and if there isn't, the errno will be -ENODATA
and not -EPERM as is usually associated with a lack of capability.
The check does not block the request to list the xattrs present.
Switch to has_capability_noaudit to reflect a more appropriate check.
Signed-off-by: Mark Salyzyn <salyzyn@android.com>
Cc: linux-security-module@vger.kernel.org
Cc: kernel-team@android.com
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: stable@vger.kernel.org # v3.18
Fixes: upstream a082c6f680da ("ovl: filter trusted xattr for non-admin")
Fixes: 3.18 4bcc9b4b3a0a ("ovl: filter trusted xattr for non-admin")
---
Replaced ns_capable_noaudit with 3.18.y tree specific
has_capability_noaudit present in original submission to kernel.org
commit 5c2e9f346b815841f9bed6029ebcb06415caf640
("ovl: filter of trusted xattr results in audit")
fs/overlayfs/inode.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c
index a01ec1836a72..1175efa5e956 100644
--- a/fs/overlayfs/inode.c
+++ b/fs/overlayfs/inode.c
@@ -265,7 +265,8 @@ static bool ovl_can_list(const char *s)
return true;
/* Never list trusted.overlay, list other trusted for superuser only */
- return !ovl_is_private_xattr(s) && capable(CAP_SYS_ADMIN);
+ return !ovl_is_private_xattr(s) &&
+ has_capability_noaudit(current, CAP_SYS_ADMIN);
}
ssize_t ovl_listxattr(struct dentry *dentry, char *list, size_t size)
--
2.23.0.581.g78d2f28ef7-goog
^ permalink raw reply related [flat|nested] 7+ messages in thread* Re: [PATCH] ovl: filter of trusted xattr results in audit 2019-10-07 16:09 [PATCH] ovl: filter of trusted xattr results in audit Mark Salyzyn @ 2019-10-07 16:16 ` Greg Kroah-Hartman 2019-10-07 16:17 ` Greg Kroah-Hartman 0 siblings, 1 reply; 7+ messages in thread From: Greg Kroah-Hartman @ 2019-10-07 16:16 UTC (permalink / raw) To: Mark Salyzyn Cc: linux-kernel, kernel-team, linux-security-module, stable, Miklos Szeredi, linux-unionfs On Mon, Oct 07, 2019 at 09:09:16AM -0700, Mark Salyzyn wrote: > When filtering xattr list for reading, presence of trusted xattr > results in a security audit log. However, if there is other content > no errno will be set, and if there isn't, the errno will be -ENODATA > and not -EPERM as is usually associated with a lack of capability. > The check does not block the request to list the xattrs present. > > Switch to has_capability_noaudit to reflect a more appropriate check. > > Signed-off-by: Mark Salyzyn <salyzyn@android.com> > Cc: linux-security-module@vger.kernel.org > Cc: kernel-team@android.com > Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> > Cc: stable@vger.kernel.org # v3.18 > Fixes: upstream a082c6f680da ("ovl: filter trusted xattr for non-admin") > Fixes: 3.18 4bcc9b4b3a0a ("ovl: filter trusted xattr for non-admin") > --- > Replaced ns_capable_noaudit with 3.18.y tree specific > has_capability_noaudit present in original submission to kernel.org > commit 5c2e9f346b815841f9bed6029ebcb06415caf640 > ("ovl: filter of trusted xattr results in audit") > > fs/overlayfs/inode.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c > index a01ec1836a72..1175efa5e956 100644 > --- a/fs/overlayfs/inode.c > +++ b/fs/overlayfs/inode.c > @@ -265,7 +265,8 @@ static bool ovl_can_list(const char *s) > return true; > > /* Never list trusted.overlay, list other trusted for superuser only */ > - return !ovl_is_private_xattr(s) && capable(CAP_SYS_ADMIN); > + return !ovl_is_private_xattr(s) && > + has_capability_noaudit(current, CAP_SYS_ADMIN); > } > > ssize_t ovl_listxattr(struct dentry *dentry, char *list, size_t size) > -- > 2.23.0.581.g78d2f28ef7-goog > Thanks for the backport, this one worked! greg k-h ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] ovl: filter of trusted xattr results in audit 2019-10-07 16:16 ` Greg Kroah-Hartman @ 2019-10-07 16:17 ` Greg Kroah-Hartman 2019-10-07 16:40 ` Greg Kroah-Hartman 2019-10-07 16:42 ` Mark Salyzyn 0 siblings, 2 replies; 7+ messages in thread From: Greg Kroah-Hartman @ 2019-10-07 16:17 UTC (permalink / raw) To: Mark Salyzyn Cc: linux-kernel, kernel-team, linux-security-module, stable, Miklos Szeredi, linux-unionfs On Mon, Oct 07, 2019 at 06:16:16PM +0200, Greg Kroah-Hartman wrote: > On Mon, Oct 07, 2019 at 09:09:16AM -0700, Mark Salyzyn wrote: > > When filtering xattr list for reading, presence of trusted xattr > > results in a security audit log. However, if there is other content > > no errno will be set, and if there isn't, the errno will be -ENODATA > > and not -EPERM as is usually associated with a lack of capability. > > The check does not block the request to list the xattrs present. > > > > Switch to has_capability_noaudit to reflect a more appropriate check. > > > > Signed-off-by: Mark Salyzyn <salyzyn@android.com> > > Cc: linux-security-module@vger.kernel.org > > Cc: kernel-team@android.com > > Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> > > Cc: stable@vger.kernel.org # v3.18 > > Fixes: upstream a082c6f680da ("ovl: filter trusted xattr for non-admin") > > Fixes: 3.18 4bcc9b4b3a0a ("ovl: filter trusted xattr for non-admin") > > --- > > Replaced ns_capable_noaudit with 3.18.y tree specific > > has_capability_noaudit present in original submission to kernel.org > > commit 5c2e9f346b815841f9bed6029ebcb06415caf640 > > ("ovl: filter of trusted xattr results in audit") > > > > fs/overlayfs/inode.c | 3 ++- > > 1 file changed, 2 insertions(+), 1 deletion(-) > > > > diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c > > index a01ec1836a72..1175efa5e956 100644 > > --- a/fs/overlayfs/inode.c > > +++ b/fs/overlayfs/inode.c > > @@ -265,7 +265,8 @@ static bool ovl_can_list(const char *s) > > return true; > > > > /* Never list trusted.overlay, list other trusted for superuser only */ > > - return !ovl_is_private_xattr(s) && capable(CAP_SYS_ADMIN); > > + return !ovl_is_private_xattr(s) && > > + has_capability_noaudit(current, CAP_SYS_ADMIN); > > } > > > > ssize_t ovl_listxattr(struct dentry *dentry, char *list, size_t size) > > -- > > 2.23.0.581.g78d2f28ef7-goog > > > > Thanks for the backport, this one worked! I spoke too soon: ERROR: "has_capability_noaudit" [fs/overlayfs/overlay.ko] undefined! That function isn't exported for modules :( greg k-h ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] ovl: filter of trusted xattr results in audit 2019-10-07 16:17 ` Greg Kroah-Hartman @ 2019-10-07 16:40 ` Greg Kroah-Hartman 2019-10-07 16:43 ` Mark Salyzyn 2019-10-07 16:42 ` Mark Salyzyn 1 sibling, 1 reply; 7+ messages in thread From: Greg Kroah-Hartman @ 2019-10-07 16:40 UTC (permalink / raw) To: Mark Salyzyn Cc: linux-kernel, kernel-team, linux-security-module, stable, Miklos Szeredi, linux-unionfs On Mon, Oct 07, 2019 at 06:17:25PM +0200, Greg Kroah-Hartman wrote: > On Mon, Oct 07, 2019 at 06:16:16PM +0200, Greg Kroah-Hartman wrote: > > On Mon, Oct 07, 2019 at 09:09:16AM -0700, Mark Salyzyn wrote: > > > When filtering xattr list for reading, presence of trusted xattr > > > results in a security audit log. However, if there is other content > > > no errno will be set, and if there isn't, the errno will be -ENODATA > > > and not -EPERM as is usually associated with a lack of capability. > > > The check does not block the request to list the xattrs present. > > > > > > Switch to has_capability_noaudit to reflect a more appropriate check. > > > > > > Signed-off-by: Mark Salyzyn <salyzyn@android.com> > > > Cc: linux-security-module@vger.kernel.org > > > Cc: kernel-team@android.com > > > Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> > > > Cc: stable@vger.kernel.org # v3.18 > > > Fixes: upstream a082c6f680da ("ovl: filter trusted xattr for non-admin") > > > Fixes: 3.18 4bcc9b4b3a0a ("ovl: filter trusted xattr for non-admin") > > > --- > > > Replaced ns_capable_noaudit with 3.18.y tree specific > > > has_capability_noaudit present in original submission to kernel.org > > > commit 5c2e9f346b815841f9bed6029ebcb06415caf640 > > > ("ovl: filter of trusted xattr results in audit") > > > > > > fs/overlayfs/inode.c | 3 ++- > > > 1 file changed, 2 insertions(+), 1 deletion(-) > > > > > > diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c > > > index a01ec1836a72..1175efa5e956 100644 > > > --- a/fs/overlayfs/inode.c > > > +++ b/fs/overlayfs/inode.c > > > @@ -265,7 +265,8 @@ static bool ovl_can_list(const char *s) > > > return true; > > > > > > /* Never list trusted.overlay, list other trusted for superuser only */ > > > - return !ovl_is_private_xattr(s) && capable(CAP_SYS_ADMIN); > > > + return !ovl_is_private_xattr(s) && > > > + has_capability_noaudit(current, CAP_SYS_ADMIN); > > > } > > > > > > ssize_t ovl_listxattr(struct dentry *dentry, char *list, size_t size) > > > -- > > > 2.23.0.581.g78d2f28ef7-goog > > > > > > > Thanks for the backport, this one worked! > > I spoke too soon: > > ERROR: "has_capability_noaudit" [fs/overlayfs/overlay.ko] undefined! > > That function isn't exported for modules :( But, if this really is needed, and it fixes the issue, I'll go export that symbol with EXPORT_SYMBOL_GPL() to fix the problem. Any objections? thanks, greg k-h ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] ovl: filter of trusted xattr results in audit 2019-10-07 16:40 ` Greg Kroah-Hartman @ 2019-10-07 16:43 ` Mark Salyzyn 0 siblings, 0 replies; 7+ messages in thread From: Mark Salyzyn @ 2019-10-07 16:43 UTC (permalink / raw) To: Greg Kroah-Hartman Cc: linux-kernel, kernel-team, linux-security-module, stable, Miklos Szeredi, linux-unionfs On 10/7/19 9:40 AM, Greg Kroah-Hartman wrote: > On Mon, Oct 07, 2019 at 06:17:25PM +0200, Greg Kroah-Hartman wrote: >> On Mon, Oct 07, 2019 at 06:16:16PM +0200, Greg Kroah-Hartman wrote: >>> On Mon, Oct 07, 2019 at 09:09:16AM -0700, Mark Salyzyn wrote: >>>> When filtering xattr list for reading, presence of trusted xattr >>>> results in a security audit log. However, if there is other content >>>> no errno will be set, and if there isn't, the errno will be -ENODATA >>>> and not -EPERM as is usually associated with a lack of capability. >>>> The check does not block the request to list the xattrs present. >>>> >>>> Switch to has_capability_noaudit to reflect a more appropriate check. >>>> >>>> Signed-off-by: Mark Salyzyn <salyzyn@android.com> >>>> Cc: linux-security-module@vger.kernel.org >>>> Cc: kernel-team@android.com >>>> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> >>>> Cc: stable@vger.kernel.org # v3.18 >>>> Fixes: upstream a082c6f680da ("ovl: filter trusted xattr for non-admin") >>>> Fixes: 3.18 4bcc9b4b3a0a ("ovl: filter trusted xattr for non-admin") >>>> --- >>>> Replaced ns_capable_noaudit with 3.18.y tree specific >>>> has_capability_noaudit present in original submission to kernel.org >>>> commit 5c2e9f346b815841f9bed6029ebcb06415caf640 >>>> ("ovl: filter of trusted xattr results in audit") >>>> >>>> fs/overlayfs/inode.c | 3 ++- >>>> 1 file changed, 2 insertions(+), 1 deletion(-) >>>> >>>> diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c >>>> index a01ec1836a72..1175efa5e956 100644 >>>> --- a/fs/overlayfs/inode.c >>>> +++ b/fs/overlayfs/inode.c >>>> @@ -265,7 +265,8 @@ static bool ovl_can_list(const char *s) >>>> return true; >>>> >>>> /* Never list trusted.overlay, list other trusted for superuser only */ >>>> - return !ovl_is_private_xattr(s) && capable(CAP_SYS_ADMIN); >>>> + return !ovl_is_private_xattr(s) && >>>> + has_capability_noaudit(current, CAP_SYS_ADMIN); >>>> } >>>> >>>> ssize_t ovl_listxattr(struct dentry *dentry, char *list, size_t size) >>>> -- >>>> 2.23.0.581.g78d2f28ef7-goog >>>> >>> Thanks for the backport, this one worked! >> I spoke too soon: >> >> ERROR: "has_capability_noaudit" [fs/overlayfs/overlay.ko] undefined! >> >> That function isn't exported for modules :( > But, if this really is needed, and it fixes the issue, I'll go export > that symbol with EXPORT_SYMBOL_GPL() to fix the problem. Any > objections? > > thanks, > > greg k-h Ok, you just answered my question in cross-emails. Yes, EXPORT_SYMBOL_GPL() (my option 2). Thanks -- Mark Salyzyn ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] ovl: filter of trusted xattr results in audit 2019-10-07 16:17 ` Greg Kroah-Hartman 2019-10-07 16:40 ` Greg Kroah-Hartman @ 2019-10-07 16:42 ` Mark Salyzyn 2019-10-07 16:48 ` Greg Kroah-Hartman 1 sibling, 1 reply; 7+ messages in thread From: Mark Salyzyn @ 2019-10-07 16:42 UTC (permalink / raw) To: Greg Kroah-Hartman Cc: linux-kernel, kernel-team, linux-security-module, stable, Miklos Szeredi, linux-unionfs On 10/7/19 9:17 AM, Greg Kroah-Hartman wrote: > On Mon, Oct 07, 2019 at 06:16:16PM +0200, Greg Kroah-Hartman wrote: >> On Mon, Oct 07, 2019 at 09:09:16AM -0700, Mark Salyzyn wrote: >>> When filtering xattr list for reading, presence of trusted xattr >>> results in a security audit log. However, if there is other content >>> no errno will be set, and if there isn't, the errno will be -ENODATA >>> and not -EPERM as is usually associated with a lack of capability. >>> The check does not block the request to list the xattrs present. >>> >>> Switch to has_capability_noaudit to reflect a more appropriate check. >>> >>> Signed-off-by: Mark Salyzyn <salyzyn@android.com> >>> Cc: linux-security-module@vger.kernel.org >>> Cc: kernel-team@android.com >>> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> >>> Cc: stable@vger.kernel.org # v3.18 >>> Fixes: upstream a082c6f680da ("ovl: filter trusted xattr for non-admin") >>> Fixes: 3.18 4bcc9b4b3a0a ("ovl: filter trusted xattr for non-admin") >>> --- >>> Replaced ns_capable_noaudit with 3.18.y tree specific >>> has_capability_noaudit present in original submission to kernel.org >>> commit 5c2e9f346b815841f9bed6029ebcb06415caf640 >>> ("ovl: filter of trusted xattr results in audit") >>> >>> fs/overlayfs/inode.c | 3 ++- >>> 1 file changed, 2 insertions(+), 1 deletion(-) >>> >>> diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c >>> index a01ec1836a72..1175efa5e956 100644 >>> --- a/fs/overlayfs/inode.c >>> +++ b/fs/overlayfs/inode.c >>> @@ -265,7 +265,8 @@ static bool ovl_can_list(const char *s) >>> return true; >>> >>> /* Never list trusted.overlay, list other trusted for superuser only */ >>> - return !ovl_is_private_xattr(s) && capable(CAP_SYS_ADMIN); >>> + return !ovl_is_private_xattr(s) && >>> + has_capability_noaudit(current, CAP_SYS_ADMIN); >>> } >>> >>> ssize_t ovl_listxattr(struct dentry *dentry, char *list, size_t size) >>> -- >>> 2.23.0.581.g78d2f28ef7-goog >>> >> Thanks for the backport, this one worked! > I spoke too soon: > > ERROR: "has_capability_noaudit" [fs/overlayfs/overlay.ko] undefined! > > That function isn't exported for modules :( > > greg k-h <sigh> Now what is the playbook, we have three options in order of preference: 1) #ifdef MODULE use capable() to preserve API, add a short comment about the side effects if overlayfs is used as a module. 2) export has_capability_nodaudit (proc and oom_kill use it, and are both built-in only), but affect the 3.18 API at near EOL. AFAIK no one wants that? 3) Do nothing more. Make this a distro concern only. Leave this posted as a back-port for the record, but never merged, for those that are _interested_ and declare 3.18 stable as noisy for sepolicy and overlayfs under some usage patterns with few user space mitigation unless they explicitly take this back-port into their tree (eg: android common kernel) if used built-in. This way, in 3.18.y at least the module and built-in version behave the _same_ in stable. Looking for feedback. Sincerely -- Mark Salyzyn ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] ovl: filter of trusted xattr results in audit 2019-10-07 16:42 ` Mark Salyzyn @ 2019-10-07 16:48 ` Greg Kroah-Hartman 0 siblings, 0 replies; 7+ messages in thread From: Greg Kroah-Hartman @ 2019-10-07 16:48 UTC (permalink / raw) To: Mark Salyzyn Cc: linux-kernel, kernel-team, linux-security-module, stable, Miklos Szeredi, linux-unionfs On Mon, Oct 07, 2019 at 09:42:08AM -0700, Mark Salyzyn wrote: > > <sigh> > > Now what is the playbook, we have three options in order of preference: > > 1) #ifdef MODULE use capable() to preserve API, add a short comment about > the side effects if overlayfs is used as a module. > > 2) export has_capability_nodaudit (proc and oom_kill use it, and are both > built-in only), but affect the 3.18 API at near EOL. AFAIK no one wants > that? I'll just do this. 3.18 is EOL, this is only being done for a distro-specific tree (i.e. AOSP). > 3) Do nothing more. Make this a distro concern only. Leave this posted as a > back-port for the record, but never merged, for those that are _interested_ > and declare 3.18 stable as noisy for sepolicy and overlayfs under some usage > patterns with few user space mitigation unless they explicitly take this > back-port into their tree (eg: android common kernel) if used built-in. This > way, in 3.18.y at least the module and built-in version behave the _same_ in > stable. I'll just add the export to the patch and check this into AOSP, thanks! greg k-h ^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2019-10-07 16:48 UTC | newest] Thread overview: 7+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2019-10-07 16:09 [PATCH] ovl: filter of trusted xattr results in audit Mark Salyzyn 2019-10-07 16:16 ` Greg Kroah-Hartman 2019-10-07 16:17 ` Greg Kroah-Hartman 2019-10-07 16:40 ` Greg Kroah-Hartman 2019-10-07 16:43 ` Mark Salyzyn 2019-10-07 16:42 ` Mark Salyzyn 2019-10-07 16:48 ` Greg Kroah-Hartman
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).