From: Christian Brauner <brauner@kernel.org>
To: Jann Horn <jannh@google.com>
Cc: "Mickaël Salaün" <mic@digikod.net>,
"Al Viro" <viro@zeniv.linux.org.uk>,
"Paul Moore" <paul@paul-moore.com>,
"Casey Schaufler" <casey@schaufler-ca.com>,
"Tahera Fahimi" <fahimitahera@gmail.com>,
gnoack@google.com, jmorris@namei.org, serge@hallyn.com,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org
Subject: Re: f_modown and LSM inconsistency (was [PATCH v2 1/4] Landlock: Add signal control)
Date: Fri, 9 Aug 2024 16:44:57 +0200 [thread overview]
Message-ID: <20240809-explosionsartig-ablesen-b039dbc6ce82@brauner> (raw)
In-Reply-To: <CAG48ez3HSE3WcvA6Yn9vZp_GzutLwAih-gyYM0QF5udRvefwxg@mail.gmail.com>
On Fri, Aug 09, 2024 at 04:00:41PM GMT, Jann Horn wrote:
> On Fri, Aug 9, 2024 at 3:18 PM Mickaël Salaün <mic@digikod.net> wrote:
> > Talking about f_modown() and security_file_set_fowner(), it looks like
> > there are some issues:
> >
> > On Fri, Aug 09, 2024 at 02:44:06PM +0200, Jann Horn wrote:
> > > On Fri, Aug 9, 2024 at 12:59 PM Mickaël Salaün <mic@digikod.net> wrote:
> >
> > [...]
> >
> > > > BTW, I don't understand why neither SELinux nor Smack use (explicit)
> > > > atomic operations nor lock.
> > >
> > > Yeah, I think they're sloppy and kinda wrong - but it sorta works in
> > > practice mostly because they don't have to do any refcounting around
> > > this?
> > >
> > > > And it looks weird that
> > > > security_file_set_fowner() isn't called by f_modown() with the same
> > > > locking to avoid races.
> > >
> > > True. I imagine maybe the thought behind this design could have been
> > > that LSMs should have their own locking, and that calling an LSM hook
> > > with IRQs off is a little weird? But the way the LSMs actually use the
> > > hook now, it might make sense to call the LSM with the lock held and
> > > IRQs off...
> > >
> >
> > Would it be OK (for VFS, SELinux, and Smack maintainers) to move the
> > security_file_set_fowner() call into f_modown(), especially where
> > UID/EUID are populated. That would only call security_file_set_fowner()
> > when the fown is actually set, which I think could also fix a bug for
> > SELinux and Smack.
> >
> > Could we replace the uid and euid fields with a pointer to the current
> > credentials? This would enables LSMs to not copy the same kind of
> > credential informations and save some memory, simplify credential
> > management, and improve consistency.
>
> To clarify: These two paragraphs are supposed to be two alternative
> options, right? One option is to call security_file_set_fowner() with
> the lock held, the other option is to completely rip out the
> security_file_set_fowner() hook and instead let the VFS provide LSMs
> with the creds they need for the file_send_sigiotask hook?
I think it would be fine to stash the credentials in struct fown_struct
same as we do for struct file itself. Calling security_file_set_fowner()
with the irq lock held seems suboptimal to me. Plus, this also means one
less LSM hook and that seems like a win too.
next prev parent reply other threads:[~2024-08-09 14:45 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-08-06 18:10 [PATCH v2 0/4] Landlock: Signal Scoping Support Tahera Fahimi
2024-08-06 18:10 ` [PATCH v2 1/4] Landlock: Add signal control Tahera Fahimi
2024-08-06 18:56 ` Jann Horn
2024-08-06 21:55 ` Jann Horn
2024-08-07 18:16 ` Mickaël Salaün
2024-08-07 23:36 ` Tahera Fahimi
2024-08-08 1:10 ` Jann Horn
2024-08-08 14:09 ` Mickaël Salaün
2024-08-08 14:42 ` Jann Horn
2024-08-09 10:59 ` Mickaël Salaün
2024-08-09 12:40 ` Mickaël Salaün
2024-08-09 12:45 ` Mickaël Salaün
2024-08-09 12:44 ` Jann Horn
2024-08-09 13:17 ` f_modown and LSM inconsistency (was [PATCH v2 1/4] Landlock: Add signal control) Mickaël Salaün
2024-08-09 14:00 ` Jann Horn
2024-08-09 14:44 ` Christian Brauner [this message]
2024-08-11 22:04 ` Paul Moore
2024-08-12 13:09 ` Jann Horn
2024-08-12 14:55 ` Mickaël Salaün
2024-08-12 14:57 ` Paul Moore
2024-08-12 15:06 ` Jann Horn
2024-08-12 16:30 ` Paul Moore
2024-08-12 17:27 ` Mickaël Salaün
2024-08-12 18:17 ` Paul Moore
2024-08-12 14:49 ` [PATCH] fs,security: Fix file_set_fowner LSM hook inconsistencies Mickaël Salaün
2024-08-12 15:00 ` Paul Moore
2024-08-13 1:32 ` kernel test robot
2024-08-13 1:42 ` kernel test robot
2024-08-13 1:42 ` kernel test robot
2024-08-13 11:44 ` kernel test robot
2024-08-09 13:37 ` [PATCH v2 1/4] Landlock: Add signal control Mickaël Salaün
2024-08-09 13:57 ` Jann Horn
2024-08-06 22:00 ` Tahera Fahimi
2024-08-06 22:55 ` Jann Horn
2024-08-06 18:10 ` [PATCH v2 2/4] selftest/Landlock: Signal restriction tests Tahera Fahimi
2024-08-06 18:10 ` [PATCH v2 3/4] sample/Landlock: Support signal scoping restriction Tahera Fahimi
2024-08-06 18:10 ` [PATCH v2 4/4] Landlock: Document LANDLOCK_SCOPED_SIGNAL Tahera Fahimi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240809-explosionsartig-ablesen-b039dbc6ce82@brauner \
--to=brauner@kernel.org \
--cc=casey@schaufler-ca.com \
--cc=fahimitahera@gmail.com \
--cc=gnoack@google.com \
--cc=jannh@google.com \
--cc=jmorris@namei.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mic@digikod.net \
--cc=paul@paul-moore.com \
--cc=serge@hallyn.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).