Re: [PATCH v4 11/30] smack: implement get, set and remove acl hook

[Christian Brauner <brauner@kernel.org>]

On Thu, Sep 29, 2022 at 03:15:09PM -0400, Paul Moore wrote:
> On Thu, Sep 29, 2022 at 11:31 AM Christian Brauner <brauner@kernel.org> wrote:
> >
> > The current way of setting and getting posix acls through the generic
> > xattr interface is error prone and type unsafe. The vfs needs to
> > interpret and fixup posix acls before storing or reporting it to
> > userspace. Various hacks exist to make this work. The code is hard to
> > understand and difficult to maintain in it's current form. Instead of
> > making this work by hacking posix acls through xattr handlers we are
> > building a dedicated posix acl api around the get and set inode
> > operations. This removes a lot of hackiness and makes the codepaths
> > easier to maintain. A lot of background can be found in [1].
> >
> > So far posix acls were passed as a void blob to the security and
> > integrity modules. Some of them like evm then proceed to interpret the
> > void pointer and convert it into the kernel internal struct posix acl
> > representation to perform their integrity checking magic. This is
> > obviously pretty problematic as that requires knowledge that only the
> > vfs is guaranteed to have and has lead to various bugs. Add a proper
> > security hook for setting posix acls and pass down the posix acls in
> > their appropriate vfs format instead of hacking it through a void
> > pointer stored in the uapi format.
> >
> > I spent considerate time in the security module infrastructure and
> > audited all codepaths. Smack has no restrictions based on the posix
> > acl values passed through it. The capability hook doesn't need to be
> > called either because it only has restrictions on security.* xattrs. So
> > these all becomes very simple hooks for smack.
> >
> > Link: https://lore.kernel.org/all/20220801145520.1532837-1-brauner@kernel.org [1]
> > Reviewed-by: Casey Schaufler <casey@schaufler-ca.com>
> > Signed-off-by: Christian Brauner (Microsoft) <brauner@kernel.org>
> > ---
> >
> > Notes:
> >     /* v2 */
> >     unchanged
> >
> >     /* v3 */
> >     Paul Moore <paul@paul-moore.com>:
> >     - Add get, and remove acl hook
> >
> >     /* v4 */
> >     Reviewed-by: Casey Schaufler <casey@schaufler-ca.com>
> >
> >  security/smack/smack_lsm.c | 69 ++++++++++++++++++++++++++++++++++++++
> >  1 file changed, 69 insertions(+)
> 
> Two nit-picky comments below, only worth considering if you are
> respinning for other reasons.
> 
> Reviewed-by: Paul Moore <paul@paul-moore.com>
> 
> > diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> > index 001831458fa2..8247e8fd43d0 100644
> > --- a/security/smack/smack_lsm.c
> > +++ b/security/smack/smack_lsm.c
> > @@ -1393,6 +1393,72 @@ static int smack_inode_removexattr(struct user_namespace *mnt_userns,
> >         return 0;
> >  }
> >
> > +/**
> > + * smack_inode_set_acl - Smack check for setting posix acls
> > + * @mnt_userns: the userns attached to the mnt this request came from
> > + * @dentry: the object
> > + * @acl_name: name of the posix acl
> > + * @kacl: the posix acls
> > + *
> > + * Returns 0 if access is permitted, an error code otherwise
> > + */
> > +static int smack_inode_set_acl(struct user_namespace *mnt_userns,
> > +                              struct dentry *dentry, const char *acl_name,
> > +                              struct posix_acl *kacl)
> > +{
> > +       struct smk_audit_info ad;
> > +       int rc;
> > +
> > +       smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY);
> > +       smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
> > +       rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad);
> > +       rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc);
> > +       return rc;
> > +}
> 
> Smack tends to add a line of vertical whitespace between the
> smk_ad_setfield_...(...) call and the smk_curacc(...) call in the
> xattr functions, consistency here might be nice.
> 
> > +/**
> > + * smack_inode_remove_acl - Smack check for getting posix acls
> > + * @mnt_userns: the userns attached to the mnt this request came from
> > + * @dentry: the object
> > + * @acl_name: name of the posix acl
> > + *
> > + * Returns 0 if access is permitted, an error code otherwise
> > + */
> > +static int smack_inode_remove_acl(struct user_namespace *mnt_userns,
> > +                                 struct dentry *dentry, const char *acl_name)
> > +{
> > +       struct smk_audit_info ad;
> > +       int rc;
> > +
> > +       smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY);
> > +       smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
> > +       rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad);
> > +       rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc);
> > +       return rc;
> > +}
> 
> Same comment about the vertical whitespace applies here.

Ok.