From: "Mickaël Salaün" <mic@digikod.net>
To: Christian Brauner <brauner@kernel.org>,
Al Viro <viro@zeniv.linux.org.uk>,
Paul Moore <paul@paul-moore.com>,
Casey Schaufler <casey@schaufler-ca.com>
Cc: Jann Horn <jannh@google.com>,
Tahera Fahimi <fahimitahera@gmail.com>,
gnoack@google.com, jmorris@namei.org, serge@hallyn.com,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org
Subject: f_modown and LSM inconsistency (was [PATCH v2 1/4] Landlock: Add signal control)
Date: Fri, 9 Aug 2024 15:17:59 +0200 [thread overview]
Message-ID: <20240809.se0ha8tiuJai@digikod.net> (raw)
In-Reply-To: <CAG48ez2Cd3sjzv5rKT1YcMi1AzBxwN8r-jTbWy0Lv89iik-Y4Q@mail.gmail.com>
Talking about f_modown() and security_file_set_fowner(), it looks like
there are some issues:
On Fri, Aug 09, 2024 at 02:44:06PM +0200, Jann Horn wrote:
> On Fri, Aug 9, 2024 at 12:59 PM Mickaël Salaün <mic@digikod.net> wrote:
[...]
> > BTW, I don't understand why neither SELinux nor Smack use (explicit)
> > atomic operations nor lock.
>
> Yeah, I think they're sloppy and kinda wrong - but it sorta works in
> practice mostly because they don't have to do any refcounting around
> this?
>
> > And it looks weird that
> > security_file_set_fowner() isn't called by f_modown() with the same
> > locking to avoid races.
>
> True. I imagine maybe the thought behind this design could have been
> that LSMs should have their own locking, and that calling an LSM hook
> with IRQs off is a little weird? But the way the LSMs actually use the
> hook now, it might make sense to call the LSM with the lock held and
> IRQs off...
>
Would it be OK (for VFS, SELinux, and Smack maintainers) to move the
security_file_set_fowner() call into f_modown(), especially where
UID/EUID are populated. That would only call security_file_set_fowner()
when the fown is actually set, which I think could also fix a bug for
SELinux and Smack.
Could we replace the uid and euid fields with a pointer to the current
credentials? This would enables LSMs to not copy the same kind of
credential informations and save some memory, simplify credential
management, and improve consistency.
next prev parent reply other threads:[~2024-08-09 13:25 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-08-06 18:10 [PATCH v2 0/4] Landlock: Signal Scoping Support Tahera Fahimi
2024-08-06 18:10 ` [PATCH v2 1/4] Landlock: Add signal control Tahera Fahimi
2024-08-06 18:56 ` Jann Horn
2024-08-06 21:55 ` Jann Horn
2024-08-07 18:16 ` Mickaël Salaün
2024-08-07 23:36 ` Tahera Fahimi
2024-08-08 1:10 ` Jann Horn
2024-08-08 14:09 ` Mickaël Salaün
2024-08-08 14:42 ` Jann Horn
2024-08-09 10:59 ` Mickaël Salaün
2024-08-09 12:40 ` Mickaël Salaün
2024-08-09 12:45 ` Mickaël Salaün
2024-08-09 12:44 ` Jann Horn
2024-08-09 13:17 ` Mickaël Salaün [this message]
2024-08-09 14:00 ` f_modown and LSM inconsistency (was [PATCH v2 1/4] Landlock: Add signal control) Jann Horn
2024-08-09 14:44 ` Christian Brauner
2024-08-11 22:04 ` Paul Moore
2024-08-12 13:09 ` Jann Horn
2024-08-12 14:55 ` Mickaël Salaün
2024-08-12 14:57 ` Paul Moore
2024-08-12 15:06 ` Jann Horn
2024-08-12 16:30 ` Paul Moore
2024-08-12 17:27 ` Mickaël Salaün
2024-08-12 18:17 ` Paul Moore
2024-08-12 14:49 ` [PATCH] fs,security: Fix file_set_fowner LSM hook inconsistencies Mickaël Salaün
2024-08-12 15:00 ` Paul Moore
2024-08-13 1:32 ` kernel test robot
2024-08-13 1:42 ` kernel test robot
2024-08-13 1:42 ` kernel test robot
2024-08-13 11:44 ` kernel test robot
2024-08-09 13:37 ` [PATCH v2 1/4] Landlock: Add signal control Mickaël Salaün
2024-08-09 13:57 ` Jann Horn
2024-08-06 22:00 ` Tahera Fahimi
2024-08-06 22:55 ` Jann Horn
2024-08-06 18:10 ` [PATCH v2 2/4] selftest/Landlock: Signal restriction tests Tahera Fahimi
2024-08-06 18:10 ` [PATCH v2 3/4] sample/Landlock: Support signal scoping restriction Tahera Fahimi
2024-08-06 18:10 ` [PATCH v2 4/4] Landlock: Document LANDLOCK_SCOPED_SIGNAL Tahera Fahimi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240809.se0ha8tiuJai@digikod.net \
--to=mic@digikod.net \
--cc=brauner@kernel.org \
--cc=casey@schaufler-ca.com \
--cc=fahimitahera@gmail.com \
--cc=gnoack@google.com \
--cc=jannh@google.com \
--cc=jmorris@namei.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=serge@hallyn.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).