From: "Günther Noack" <gnoack3000@gmail.com>
To: "Mickaël Salaün" <mic@digikod.net>
Cc: linux-security-module@vger.kernel.org,
James Morris <jmorris@namei.org>,
Paul Moore <paul@paul-moore.com>,
"Serge E . Hallyn" <serge@hallyn.com>,
linux-fsdevel@vger.kernel.org,
Konstantin Meskhidze <konstantin.meskhidze@huawei.com>,
Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>,
John Johansen <john.johansen@canonical.com>
Subject: Re: [PATCH v8 1/9] security: Create file_truncate hook from path_truncate hook
Date: Sat, 8 Oct 2022 09:45:15 +0200 [thread overview]
Message-ID: <Y0Eqi8WSKtgTvOz+@nuc> (raw)
In-Reply-To: <f1f25fa2-565f-635c-1477-4036f64588e1@digikod.net>
On Wed, Oct 05, 2022 at 08:53:35PM +0200, Mickaël Salaün wrote:
> Thanks for the doc.
>
> On 01/10/2022 17:49, Günther Noack wrote:
> > Like path_truncate, the file_truncate hook also restricts file
> > truncation, but is called in the cases where truncation is attempted
> > on an already-opened file.
> >
> > This is required in a subsequent commit to handle ftruncate()
> > operations differently to truncate() operations.
> >
> > Acked-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> > Acked-by: John Johansen <john.johansen@canonical.com>
> > Signed-off-by: Günther Noack <gnoack3000@gmail.com>
> > ---
> > fs/namei.c | 2 +-
> > fs/open.c | 2 +-
> > include/linux/lsm_hook_defs.h | 1 +
> > include/linux/lsm_hooks.h | 10 +++++++++-
> > include/linux/security.h | 6 ++++++
> > security/apparmor/lsm.c | 6 ++++++
> > security/security.c | 5 +++++
> > security/tomoyo/tomoyo.c | 13 +++++++++++++
> > 8 files changed, 42 insertions(+), 3 deletions(-)
> >
> > diff --git a/fs/namei.c b/fs/namei.c
> > index 53b4bc094db2..0e419bd30f8e 100644
> > --- a/fs/namei.c
> > +++ b/fs/namei.c
> > @@ -3211,7 +3211,7 @@ static int handle_truncate(struct user_namespace *mnt_userns, struct file *filp)
> > if (error)
> > return error;
> > - error = security_path_truncate(path);
> > + error = security_file_truncate(filp);
> > if (!error) {
> > error = do_truncate(mnt_userns, path->dentry, 0,
> > ATTR_MTIME|ATTR_CTIME|ATTR_OPEN,
> > diff --git a/fs/open.c b/fs/open.c
> > index cf7e5c350a54..0fa861873245 100644
> > --- a/fs/open.c
> > +++ b/fs/open.c
> > @@ -188,7 +188,7 @@ long do_sys_ftruncate(unsigned int fd, loff_t length, int small)
> > if (IS_APPEND(file_inode(f.file)))
> > goto out_putf;
> > sb_start_write(inode->i_sb);
> > - error = security_path_truncate(&f.file->f_path);
> > + error = security_file_truncate(f.file);
> > if (!error)
> > error = do_truncate(file_mnt_user_ns(f.file), dentry, length,
> > ATTR_MTIME | ATTR_CTIME, f.file);
> > diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
> > index 60fff133c0b1..dee35ab253ba 100644
> > --- a/include/linux/lsm_hook_defs.h
> > +++ b/include/linux/lsm_hook_defs.h
> > @@ -177,6 +177,7 @@ LSM_HOOK(int, 0, file_send_sigiotask, struct task_struct *tsk,
> > struct fown_struct *fown, int sig)
> > LSM_HOOK(int, 0, file_receive, struct file *file)
> > LSM_HOOK(int, 0, file_open, struct file *file)
> > +LSM_HOOK(int, 0, file_truncate, struct file *file)
> > LSM_HOOK(int, 0, task_alloc, struct task_struct *task,
> > unsigned long clone_flags)
> > LSM_HOOK(void, LSM_RET_VOID, task_free, struct task_struct *task)
> > diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
> > index 3aa6030302f5..4acc975f28d9 100644
> > --- a/include/linux/lsm_hooks.h
> > +++ b/include/linux/lsm_hooks.h
> > @@ -409,7 +409,9 @@
> > * @attr is the iattr structure containing the new file attributes.
> > * Return 0 if permission is granted.
> > * @path_truncate:
> > - * Check permission before truncating a file.
> > + * Check permission before truncating the file indicated by path.
> > + * Note that truncation permissions may also be checked based on
> > + * already opened files, using the @file_truncate hook.
>
> The documentation comments (mostly) use tabs, not spaces.
Oops, well spotted. Done.
> > * @path contains the path structure for the file.
> > * Return 0 if permission is granted.
> > * @inode_getattr:
> > @@ -598,6 +600,12 @@
> > * to receive an open file descriptor via socket IPC.
> > * @file contains the file structure being received.
> > * Return 0 if permission is granted.
> > + * @file_truncate:
> > + * Check permission before truncating a file, i.e. using ftruncate.
> > + * Note that truncation permission may also be checked based on the path,
> > + * using the @path_truncate hook.
>
> Same here.
Done.
> > + * @file contains the file structure for the file.
> > + * Return 0 if permission is granted.
> > * @file_open:
> > * Save open-time permission checking state for later use upon
> > * file_permission, and recheck access if anything has changed
> > diff --git a/include/linux/security.h b/include/linux/security.h
> > index 7bd0c490703d..f80b23382dd9 100644
> > --- a/include/linux/security.h
> > +++ b/include/linux/security.h
> > @@ -394,6 +394,7 @@ int security_file_send_sigiotask(struct task_struct *tsk,
> > struct fown_struct *fown, int sig);
> > int security_file_receive(struct file *file);
> > int security_file_open(struct file *file);
> > +int security_file_truncate(struct file *file);
> > int security_task_alloc(struct task_struct *task, unsigned long clone_flags);
> > void security_task_free(struct task_struct *task);
> > int security_cred_alloc_blank(struct cred *cred, gfp_t gfp);
> > @@ -1011,6 +1012,11 @@ static inline int security_file_open(struct file *file)
> > return 0;
> > }
> > +static inline int security_file_truncate(struct file *file)
> > +{
> > + return 0;
> > +}
> > +
> > static inline int security_task_alloc(struct task_struct *task,
> > unsigned long clone_flags)
> > {
> > diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
> > index e29cade7b662..98ecb7f221b8 100644
> > --- a/security/apparmor/lsm.c
> > +++ b/security/apparmor/lsm.c
> > @@ -329,6 +329,11 @@ static int apparmor_path_truncate(const struct path *path)
> > return common_perm_cond(OP_TRUNC, path, MAY_WRITE | AA_MAY_SETATTR);
> > }
> > +static int apparmor_file_truncate(struct file *file)
> > +{
> > + return apparmor_path_truncate(&file->f_path);
> > +}
> > +
> > static int apparmor_path_symlink(const struct path *dir, struct dentry *dentry,
> > const char *old_name)
> > {
> > @@ -1232,6 +1237,7 @@ static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
> > LSM_HOOK_INIT(mmap_file, apparmor_mmap_file),
> > LSM_HOOK_INIT(file_mprotect, apparmor_file_mprotect),
> > LSM_HOOK_INIT(file_lock, apparmor_file_lock),
> > + LSM_HOOK_INIT(file_truncate, apparmor_file_truncate),
> > LSM_HOOK_INIT(getprocattr, apparmor_getprocattr),
> > LSM_HOOK_INIT(setprocattr, apparmor_setprocattr),
> > diff --git a/security/security.c b/security/security.c
> > index 4b95de24bc8d..d73e423005c3 100644
> > --- a/security/security.c
> > +++ b/security/security.c
> > @@ -1650,6 +1650,11 @@ int security_file_open(struct file *file)
> > return fsnotify_perm(file, MAY_OPEN);
> > }
> > +int security_file_truncate(struct file *file)
> > +{
> > + return call_int_hook(file_truncate, 0, file);
> > +}
> > +
> > int security_task_alloc(struct task_struct *task, unsigned long clone_flags)
> > {
> > int rc = lsm_task_alloc(task);
> > diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c
> > index 71e82d855ebf..af04a7b7eb28 100644
> > --- a/security/tomoyo/tomoyo.c
> > +++ b/security/tomoyo/tomoyo.c
> > @@ -134,6 +134,18 @@ static int tomoyo_path_truncate(const struct path *path)
> > return tomoyo_path_perm(TOMOYO_TYPE_TRUNCATE, path, NULL);
> > }
> > +/**
> > + * tomoyo_file_truncate - Target for security_file_truncate().
> > + *
> > + * @file: Pointer to "struct file".
> > + *
> > + * Returns 0 on success, negative value otherwise.
> > + */
> > +static int tomoyo_file_truncate(struct file *file)
> > +{
> > + return tomoyo_path_truncate(&file->f_path);
> > +}
> > +
> > /**
> > * tomoyo_path_unlink - Target for security_path_unlink().
> > *
> > @@ -545,6 +557,7 @@ static struct security_hook_list tomoyo_hooks[] __lsm_ro_after_init = {
> > LSM_HOOK_INIT(bprm_check_security, tomoyo_bprm_check_security),
> > LSM_HOOK_INIT(file_fcntl, tomoyo_file_fcntl),
> > LSM_HOOK_INIT(file_open, tomoyo_file_open),
> > + LSM_HOOK_INIT(file_truncate, tomoyo_file_truncate),
> > LSM_HOOK_INIT(path_truncate, tomoyo_path_truncate),
> > LSM_HOOK_INIT(path_unlink, tomoyo_path_unlink),
> > LSM_HOOK_INIT(path_mkdir, tomoyo_path_mkdir),
--
next prev parent reply other threads:[~2022-10-08 7:45 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-01 15:48 [PATCH v8 0/9] landlock: truncate support Günther Noack
2022-10-01 15:49 ` [PATCH v8 1/9] security: Create file_truncate hook from path_truncate hook Günther Noack
2022-10-05 18:53 ` Mickaël Salaün
2022-10-08 7:45 ` Günther Noack [this message]
2022-10-06 1:10 ` Paul Moore
2022-10-01 15:49 ` [PATCH v8 2/9] selftests/landlock: Locally define __maybe_unused Günther Noack
2022-10-05 18:53 ` Mickaël Salaün
2022-10-08 7:47 ` Günther Noack
2022-10-01 15:49 ` [PATCH v8 3/9] landlock: Refactor check_access_path_dual() into is_access_to_paths_allowed() Günther Noack
2022-10-05 18:54 ` Mickaël Salaün
2022-10-08 7:54 ` Günther Noack
2022-10-01 15:49 ` [PATCH v8 4/9] landlock: Support file truncation Günther Noack
2022-10-04 19:56 ` Nathan Chancellor
2022-10-05 18:52 ` Mickaël Salaün
2022-10-06 20:19 ` Günther Noack
2022-10-05 18:55 ` Mickaël Salaün
2022-10-08 8:08 ` Günther Noack
2022-10-01 15:49 ` [PATCH v8 5/9] selftests/landlock: Selftests for file truncation support Günther Noack
2022-10-01 15:49 ` [PATCH v8 6/9] selftests/landlock: Test open() and ftruncate() in multiple scenarios Günther Noack
2022-10-05 18:56 ` Mickaël Salaün
2022-10-01 15:49 ` [PATCH v8 7/9] selftests/landlock: Test FD passing from a Landlock-restricted to an unrestricted process Günther Noack
2022-10-05 18:57 ` Mickaël Salaün
2022-10-08 8:25 ` Günther Noack
2022-10-01 15:49 ` [PATCH v8 8/9] samples/landlock: Extend sample tool to support LANDLOCK_ACCESS_FS_TRUNCATE Günther Noack
2022-10-05 18:57 ` Mickaël Salaün
2022-10-08 8:47 ` Günther Noack
2022-10-01 15:49 ` [PATCH v8 9/9] landlock: Document Landlock's file truncation support Günther Noack
2022-10-05 18:57 ` Mickaël Salaün
2022-10-08 8:49 ` Günther Noack
2022-10-05 19:18 ` [PATCH v8 0/9] landlock: truncate support Mickaël Salaün
2022-10-08 10:20 ` Günther Noack
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Y0Eqi8WSKtgTvOz+@nuc \
--to=gnoack3000@gmail.com \
--cc=jmorris@namei.org \
--cc=john.johansen@canonical.com \
--cc=konstantin.meskhidze@huawei.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mic@digikod.net \
--cc=paul@paul-moore.com \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=serge@hallyn.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).