From: Christian Brauner <brauner@kernel.org>
To: linux-fsdevel@vger.kernel.org
Cc: Christian Brauner <brauner@kernel.org>,
Seth Forshee <sforshee@kernel.org>,
Christoph Hellwig <hch@lst.de>, Al Viro <viro@zeniv.linux.org.uk>,
Mimi Zohar <zohar@linux.ibm.com>,
linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org,
Paul Moore <paul@paul-moore.com>
Subject: [PATCH v5 13/30] evm: add post set acl hook
Date: Tue, 18 Oct 2022 13:56:43 +0200 [thread overview]
Message-ID: <20221018115700.166010-14-brauner@kernel.org> (raw)
In-Reply-To: <20221018115700.166010-1-brauner@kernel.org>
The security_inode_post_setxattr() hook is used by security modules to
update their own security.* xattrs. Consequently none of the security
modules operate on posix acls. So we don't need an additional security
hook when post setting posix acls.
However, the integrity subsystem wants to be informed about posix acl
changes in order to reset the EVM status flag.
-> evm_inode_post_setxattr()
-> evm_update_evmxattr()
-> evm_calc_hmac()
-> evm_calc_hmac_or_hash()
and evm_cacl_hmac_or_hash() walks the global list of protected xattr
names evm_config_xattrnames. This global list can be modified via
/sys/security/integrity/evm/evm_xattrs. The write to "evm_xattrs" is
restricted to security.* xattrs and the default xattrs in
evm_config_xattrnames only contains security.* xattrs as well.
So the actual value for posix acls is currently completely irrelevant
for evm during evm_inode_post_setxattr() and frankly it should stay that
way in the future to not cause the vfs any more headaches. But if the
actual posix acl values matter then evm shouldn't operate on the binary
void blob and try to hack around in the uapi struct anyway. Instead it
should then in the future add a dedicated hook which takes a struct
posix_acl argument passing the posix acls in the proper vfs format.
For now it is sufficient to make evm_inode_post_set_acl() a wrapper
around evm_inode_post_setxattr() not passing any actual values down.
This will cause the hashes to be updated as before.
Reviewed-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Christian Brauner (Microsoft) <brauner@kernel.org>
---
Notes:
/* v2 */
unchanged
/* v3 */
Reviewed-by: Paul Moore <paul@paul-moore.com>
/* v4 */
unchanged
/* v5 */
Mimi Zohar <zohar@linux.ibm.com>:
- Tweak commit message.
include/linux/evm.h | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/include/linux/evm.h b/include/linux/evm.h
index 86139be48992..117ac01b2432 100644
--- a/include/linux/evm.h
+++ b/include/linux/evm.h
@@ -44,6 +44,12 @@ static inline int evm_inode_remove_acl(struct user_namespace *mnt_userns,
{
return evm_inode_set_acl(mnt_userns, dentry, acl_name, NULL);
}
+static inline void evm_inode_post_set_acl(struct dentry *dentry,
+ const char *acl_name,
+ struct posix_acl *kacl)
+{
+ return evm_inode_post_setxattr(dentry, acl_name, NULL, 0);
+}
extern int evm_inode_init_security(struct inode *inode,
const struct xattr *xattr_array,
struct xattr *evm);
@@ -131,6 +137,13 @@ static inline int evm_inode_remove_acl(struct user_namespace *mnt_userns,
return 0;
}
+static inline void evm_inode_post_set_acl(struct dentry *dentry,
+ const char *acl_name,
+ struct posix_acl *kacl)
+{
+ return;
+}
+
static inline int evm_inode_init_security(struct inode *inode,
const struct xattr *xattr_array,
struct xattr *evm)
--
2.34.1
next prev parent reply other threads:[~2022-10-18 11:59 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-18 11:56 [PATCH v5 00/30] acl: add vfs posix acl api Christian Brauner
2022-10-18 11:56 ` [PATCH v5 01/30] orangefs: rework posix acl handling when creating new filesystem objects Christian Brauner
2022-10-18 11:56 ` [PATCH v5 02/30] fs: pass dentry to set acl method Christian Brauner
2022-11-18 10:09 ` Mickaël Salaün
2022-11-18 10:33 ` Christian Brauner
2022-11-18 12:32 ` Mickaël Salaün
2022-10-18 11:56 ` [PATCH v5 03/30] fs: rename current get " Christian Brauner
2022-10-18 11:56 ` [PATCH v5 04/30] fs: add new " Christian Brauner
2022-10-18 11:56 ` [PATCH v5 05/30] cifs: implement " Christian Brauner
2022-10-18 11:56 ` [PATCH v5 06/30] cifs: implement set " Christian Brauner
2022-10-18 11:56 ` [PATCH v5 07/30] 9p: implement get " Christian Brauner
2022-10-18 11:56 ` [PATCH v5 08/30] 9p: implement set " Christian Brauner
2022-10-18 11:56 ` [PATCH v5 09/30] security: add get, remove and set acl hook Christian Brauner
2022-10-18 11:56 ` [PATCH v5 10/30] selinux: implement get, set and remove " Christian Brauner
2022-10-18 11:56 ` [PATCH v5 11/30] smack: " Christian Brauner
2022-10-18 11:56 ` [PATCH v5 12/30] integrity: implement get and set " Christian Brauner
2022-10-18 19:17 ` Paul Moore
2022-10-18 11:56 ` Christian Brauner [this message]
2022-10-18 11:56 ` [PATCH v5 14/30] internal: add may_write_xattr() Christian Brauner
2022-10-18 11:56 ` [PATCH v5 15/30] acl: add vfs_set_acl() Christian Brauner
2022-10-18 11:56 ` [PATCH v5 16/30] acl: add vfs_get_acl() Christian Brauner
2022-10-18 11:56 ` [PATCH v5 17/30] acl: add vfs_remove_acl() Christian Brauner
2022-10-18 11:56 ` [PATCH v5 18/30] ksmbd: use vfs_remove_acl() Christian Brauner
2022-10-18 11:56 ` [PATCH v5 19/30] ecryptfs: implement get acl method Christian Brauner
2022-10-18 11:56 ` [PATCH v5 20/30] ecryptfs: implement set " Christian Brauner
2022-10-18 11:56 ` [PATCH v5 21/30] ovl: implement get " Christian Brauner
2022-10-18 11:56 ` [PATCH v5 22/30] ovl: implement set " Christian Brauner
2022-10-18 11:56 ` [PATCH v5 23/30] ovl: use posix acl api Christian Brauner
2022-10-18 11:56 ` [PATCH v5 24/30] xattr: " Christian Brauner
2022-10-18 11:56 ` [PATCH v5 25/30] evm: remove evm_xattr_acl_change() Christian Brauner
2022-10-18 11:56 ` [PATCH v5 26/30] ecryptfs: use stub posix acl handlers Christian Brauner
2022-10-18 11:56 ` [PATCH v5 27/30] ovl: " Christian Brauner
2022-10-18 11:56 ` [PATCH v5 28/30] cifs: " Christian Brauner
2022-10-18 11:56 ` [PATCH v5 29/30] 9p: " Christian Brauner
2022-10-18 11:57 ` [PATCH v5 30/30] acl: remove a slew of now unused helpers Christian Brauner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221018115700.166010-14-brauner@kernel.org \
--to=brauner@kernel.org \
--cc=hch@lst.de \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=sforshee@kernel.org \
--cc=viro@zeniv.linux.org.uk \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).