From: Lukasz Pawelczyk <l.pawelczyk@samsung.com>
To: "Serge E. Hallyn" <serge@hallyn.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>,
Al Viro <viro@zeniv.linux.org.uk>,
Alexey Dobriyan <adobriyan@gmail.com>,
Andrew Morton <akpm@linux-foundation.org>,
Andy Lutomirski <luto@amacapital.net>,
Arnd Bergmann <arnd@arndb.de>,
Casey Schaufler <casey@schaufler-ca.com>,
David Howells <dhowells@redhat.com>,
Eric Dumazet <edumazet@google.com>,
Eric Paris <eparis@parisplace.org>,
Fabian Frederick <fabf@skynet.be>,
Greg KH <gregkh@linuxfoundation.org>,
James Morris <james.l.morris@oracle.com>,
Jiri Slaby <jslaby@suse.com>, Joe Perches <joe@perches.com>,
John Johansen <john.johansen@canonical.com>,
Jonathan Corbet <corbet@lwn.net>,
Kees Cook <keescook@chromium.org>,
Mauro Carvalho Chehab <mchehab@osg.samsung.com>,
NeilBrown <neilb@suse.de>, Oleg Nesterov <oleg@redhat.com>,
Paul Moore <paul@paul-moore.com>,
Stephen Smalley <sds@tycho.nsa.gov>,
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>,
Zefan Li <lizefan@huawei.com>,
linux-doc@vger.kernel.org, linux-fsdevel@vger.kernel.org,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov,
havner@gmail.com
Subject: Re: [PATCH v3 04/11] lsm: inode_pre_setxattr hook
Date: Fri, 31 Jul 2015 11:43:25 +0200 [thread overview]
Message-ID: <1438335805.2081.11.camel@samsung.com> (raw)
In-Reply-To: <20150730215648.GD13589@mail.hallyn.com>
On czw, 2015-07-30 at 16:56 -0500, Serge E. Hallyn wrote:
> On Fri, Jul 24, 2015 at 12:04:38PM +0200, Lukasz Pawelczyk wrote:
> > Add a new LSM hook called before inode's setxattr. It is required
> > for
> > LSM to be able to reliably replace the xattr's value to be set to
> > filesystem in __vfs_setxattr_noperm(). Useful for mapped values,
> > like in
> > the upcoming Smack namespace patches.
> >
> > Signed-off-by: Lukasz Pawelczyk <l.pawelczyk@samsung.com>
>
> Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
>
> Could get confusing if userspace passes in 1 char and gets ENOSPC
> because
> the unmapped label is too long :)
I would consider such a case a bug in LSM module. If there exists a
mapping "very_very_long_label" -> "l" the module needs to know that the
very long label is possible to get written. After all it would be
written on the host directly.
Smack has a limit for max label name and importing longer label (which
also means creating a mapping with a longer label) will get refused.
At least that's my understanding, but thanks, that's an interesting
remark :-)
>
> > ---
> > fs/xattr.c | 10 ++++++++++
> > include/linux/lsm_hooks.h | 9 +++++++++
> > include/linux/security.h | 10 ++++++++++
> > security/security.c | 12 ++++++++++++
> > 4 files changed, 41 insertions(+)
> >
> > diff --git a/fs/xattr.c b/fs/xattr.c
> > index 072fee1..cbc8d19 100644
> > --- a/fs/xattr.c
> > +++ b/fs/xattr.c
> > @@ -100,12 +100,22 @@ int __vfs_setxattr_noperm(struct dentry
> > *dentry, const char *name,
> > if (issec)
> > inode->i_flags &= ~S_NOSEC;
> > if (inode->i_op->setxattr) {
> > + bool alloc = false;
> > +
> > + error = security_inode_pre_setxattr(dentry, name,
> > &value,
> > + &size, flags,
> > &alloc);
> > + if (error)
> > + return error;
> > +
> > error = inode->i_op->setxattr(dentry, name, value,
> > size, flags);
> > if (!error) {
> > fsnotify_xattr(dentry);
> > security_inode_post_setxattr(dentry, name,
> > value,
> > size, flags);
> > }
> > +
> > + if (alloc)
> > + kfree(value);
> > } else if (issec) {
> > const char *suffix = name +
> > XATTR_SECURITY_PREFIX_LEN;
> > error = security_inode_setsecurity(inode, suffix,
> > value,
> > diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
> > index 1751864..0aeed91 100644
> > --- a/include/linux/lsm_hooks.h
> > +++ b/include/linux/lsm_hooks.h
> > @@ -349,6 +349,11 @@
> > * Check permission before setting the extended attributes
> > * @value identified by @name for @dentry.
> > * Return 0 if permission is granted.
> > + * @inode_pre_setxattr:
> > + * Be able to do some operation before setting the @value
> > identified
> > + * by @name on the filesystem. Replacing the @value and its
> > @size is
> > + * possible. Useful for mapped values. Set @alloc to true
> > if @value
> > + * needs to be kfreed afterwards.
> > * @inode_post_setxattr:
> > * Update inode security field after successful setxattr
> > operation.
> > * @value identified by @name for @dentry.
> > @@ -1448,6 +1453,9 @@ union security_list_options {
> > int (*inode_getattr)(const struct path *path);
> > int (*inode_setxattr)(struct dentry *dentry, const char
> > *name,
> > const void *value, size_t size,
> > int flags);
> > + int (*inode_pre_setxattr)(struct dentry *dentry, const
> > char *name,
> > + const void **value, size_t
> > *size,
> > + int flags, bool *alloc);
> > void (*inode_post_setxattr)(struct dentry *dentry, const
> > char *name,
> > const void *value, size_t
> > size,
> > int flags);
> > @@ -1730,6 +1738,7 @@ struct security_hook_heads {
> > struct list_head inode_setattr;
> > struct list_head inode_getattr;
> > struct list_head inode_setxattr;
> > + struct list_head inode_pre_setxattr;
> > struct list_head inode_post_setxattr;
> > struct list_head inode_getxattr;
> > struct list_head inode_listxattr;
> > diff --git a/include/linux/security.h b/include/linux/security.h
> > index f0d2914..24f91e0 100644
> > --- a/include/linux/security.h
> > +++ b/include/linux/security.h
> > @@ -263,6 +263,9 @@ int security_inode_setattr(struct dentry
> > *dentry, struct iattr *attr);
> > int security_inode_getattr(const struct path *path);
> > int security_inode_setxattr(struct dentry *dentry, const char
> > *name,
> > const void *value, size_t size, int
> > flags);
> > +int security_inode_pre_setxattr(struct dentry *dentry, const char
> > *name,
> > + const void **value, size_t *size,
> > int flags,
> > + bool *alloc);
> > void security_inode_post_setxattr(struct dentry *dentry, const
> > char *name,
> > const void *value, size_t size,
> > int flags);
> > int security_inode_getxattr(struct dentry *dentry, const char
> > *name);
> > @@ -691,6 +694,13 @@ static inline int
> > security_inode_setxattr(struct dentry *dentry,
> > return cap_inode_setxattr(dentry, name, value, size,
> > flags);
> > }
> >
> > +static inline int security_inode_pre_setxattr(struct dentry
> > *dentry,
> > + const char *name, const void
> > **value,
> > + size_t *size, int flags, bool
> > *alloc)
> > +{
> > + return 0;
> > +}
> > +
> > static inline void security_inode_post_setxattr(struct dentry
> > *dentry,
> > const char *name, const void *value, size_t size,
> > int flags)
> > { }
> > diff --git a/security/security.c b/security/security.c
> > index 88a3b78..e1d2c6f 100644
> > --- a/security/security.c
> > +++ b/security/security.c
> > @@ -649,6 +649,16 @@ int security_inode_setxattr(struct dentry
> > *dentry, const char *name,
> > return evm_inode_setxattr(dentry, name, value, size);
> > }
> >
> > +int security_inode_pre_setxattr(struct dentry *dentry, const char
> > *name,
> > + const void **value, size_t *size,
> > int flags,
> > + bool *alloc)
> > +{
> > + if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
> > + return 0;
> > + return call_int_hook(inode_pre_setxattr, 0, dentry, name,
> > value, size,
> > + flags, alloc);
> > +}
> > +
> > void security_inode_post_setxattr(struct dentry *dentry, const
> > char *name,
> > const void *value, size_t size,
> > int flags)
> > {
> > @@ -1666,6 +1676,8 @@ struct security_hook_heads
> > security_hook_heads = {
> > LIST_HEAD_INIT(security_hook_heads.inode_getattr),
> > .inode_setxattr =
> > LIST_HEAD_INIT(security_hook_heads.inode_setxattr)
> > ,
> > + .inode_pre_setxattr =
> > + LIST_HEAD_INIT(security_hook_heads.inode_pre_setxa
> > ttr),
> > .inode_post_setxattr =
> > LIST_HEAD_INIT(security_hook_heads.inode_post_setx
> > attr),
> > .inode_getxattr =
--
Lukasz Pawelczyk
Samsung R&D Institute Poland
Samsung Electronics
next prev parent reply other threads:[~2015-07-31 9:43 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-07-24 10:04 [PATCH v3 00/11] Smack namespace Lukasz Pawelczyk
2015-07-24 10:04 ` [PATCH v3 01/11] user_ns: 3 new LSM hooks for user namespace operations Lukasz Pawelczyk
2015-07-30 21:30 ` Serge E. Hallyn
2015-07-31 9:28 ` Lukasz Pawelczyk
2015-08-01 3:48 ` Serge E. Hallyn
2015-08-03 11:34 ` Lukasz Pawelczyk
2015-08-04 1:38 ` Kees Cook
2015-08-21 5:04 ` Paul Moore
2015-08-21 15:56 ` Paul Moore
2015-07-24 10:04 ` [PATCH v3 02/11] lsm: /proc/$PID/attr/label_map file and getprocattr_seq hook Lukasz Pawelczyk
2015-07-30 21:49 ` Serge E. Hallyn
2015-08-21 5:14 ` Paul Moore
2015-08-21 9:30 ` Lukasz Pawelczyk
2015-07-24 10:04 ` [PATCH v3 03/11] lsm: add file opener's cred to a setprocattr arguments Lukasz Pawelczyk
2015-07-30 21:50 ` Serge E. Hallyn
2015-07-24 10:04 ` [PATCH v3 04/11] lsm: inode_pre_setxattr hook Lukasz Pawelczyk
2015-07-30 21:56 ` Serge E. Hallyn
2015-07-31 9:43 ` Lukasz Pawelczyk [this message]
2015-07-24 10:04 ` [PATCH v3 05/11] smack: extend capability functions and fix 2 checks Lukasz Pawelczyk
2015-07-30 22:10 ` Serge E. Hallyn
2015-07-24 10:04 ` [PATCH v3 06/11] smack: don't use implicit star to display smackfs/syslog Lukasz Pawelczyk
2015-07-30 22:42 ` Serge E. Hallyn
2015-07-24 10:04 ` [PATCH v3 07/11] smack: abstraction layer for 2 common Smack operations Lukasz Pawelczyk
2015-07-24 10:04 ` [PATCH v3 08/11] smack: misc cleanups in preparation for a namespace patch Lukasz Pawelczyk
2015-07-24 10:04 ` [PATCH v3 09/11] smack: namespace groundwork Lukasz Pawelczyk
2015-07-24 10:04 ` [PATCH v3 10/11] smack: namespace implementation Lukasz Pawelczyk
2015-07-24 10:04 ` [PATCH v3 11/11] smack: documentation for the Smack namespace Lukasz Pawelczyk
2015-07-29 15:25 ` Serge E. Hallyn
2015-07-29 16:13 ` Lukasz Pawelczyk
2015-07-29 16:24 ` Lukasz Pawelczyk
2015-07-29 16:37 ` Serge E. Hallyn
2015-07-29 17:05 ` Lukasz Pawelczyk
2015-07-30 19:11 ` Serge E. Hallyn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1438335805.2081.11.camel@samsung.com \
--to=l.pawelczyk@samsung.com \
--cc=adobriyan@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=arnd@arndb.de \
--cc=casey@schaufler-ca.com \
--cc=corbet@lwn.net \
--cc=dhowells@redhat.com \
--cc=ebiederm@xmission.com \
--cc=edumazet@google.com \
--cc=eparis@parisplace.org \
--cc=fabf@skynet.be \
--cc=gregkh@linuxfoundation.org \
--cc=havner@gmail.com \
--cc=james.l.morris@oracle.com \
--cc=joe@perches.com \
--cc=john.johansen@canonical.com \
--cc=jslaby@suse.com \
--cc=keescook@chromium.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=lizefan@huawei.com \
--cc=luto@amacapital.net \
--cc=mchehab@osg.samsung.com \
--cc=neilb@suse.de \
--cc=oleg@redhat.com \
--cc=paul@paul-moore.com \
--cc=penguin-kernel@I-love.SAKURA.ne.jp \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
--cc=serge@hallyn.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox