From: Andreas Gruenbacher <agruen@suse.de>
To: Christoph Hellwig <hch@infradead.org>
Cc: jjohansen@suse.de, linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-fsdevel@vger.kernel.org, chrisw@sous-sol.org,
Tony Jones <tonyj@suse.de>
Subject: Re: [nameidata 1/2] Don't pass NULL nameidata to vfs_create
Date: Fri, 11 May 2007 17:59:34 +0200 [thread overview]
Message-ID: <200705111759.36069.agruen@suse.de> (raw)
In-Reply-To: <20070416162146.GA8029@infradead.org>
On Monday 16 April 2007 18:21, Christoph Hellwig wrote:
> On Mon, Apr 16, 2007 at 06:11:30PM +0200, Andreas Gruenbacher wrote:
> > On Thursday 12 April 2007 12:06, Christoph Hellwig wrote:
> > > Once again very strong NACK. Every conditional passing of vfsmounts get
> > > my veto. As mentioned last time if you really want this send a patch
> > > series first that passed the vfsmount consistantly.
> >
> > I don't consider it fair to NACK this patch just because some other part
> > of the kernel uses vfs_create() in the wrong way -- those are really
> > independent issues. The bug is not that hard to fix though; here is a
> > proposed patch on top of the other AppArmor patches.
>
> Note that it's not just this particular hunk, all these kinds of conditional
> passing are wrong.
Yes, the vfs uses or passes through a NULL nameidata or vfsmount pointer and
no intent information in several places:
(1) vfs_create() is called with a NULL nameidata in two places,
(2) lookup_one_len() and lookup_one_len_kern() pass a NULL nameidata to
permission(), d_op->d_revalidate(), and i_op->lookup(),
(3) file_permission() passes a NULL nameidata to permission().
(4) permission() is directly called with NULL nameidata in some places, and
In general it is incorrect to use NULL nameidata or vfsmounts because then the
vfsmount->mnt_flags cannot be checked, and no intent information is available.
Intents are an optional optimization for remote filesystems; we can simply
ignore them for local filesystems. There are some cases where we are passing
NULL which are real bugs, but there are also other cases in which the
operations are not mount related: for example, filesystems like pipefs have
the MS_NOUSER flag set which indicates that they cannot be mounted at all. On
filesystems like sysfs, files are created and removed whether or not that
filesystem is mounted.
The places where we should pass a proper nameidata / vfsmount but don't should
be fixed. Those are long-standing issues in the vfs though, and at least some
are not easy to correct. AppArmor is affected by some of the NULL vfsmount
passing, and we found a few more problems when looking into this more
closely, but most of that NULL passing doesn't affect AppArmor:
* In some places, vfs functions are called without nameidata / vfsmount,
followed by calling lsm hooks with a vfsmount. In those cases, the vfs
functions cannot check the vfsmount flags, but the lsm hooks will still
do the appropriate checks.
* In the AppArmor security model, directory searching is always allowed, and
the access check are done once the leaf dentry + vfsmount has been looked
up. For example, granting write access to /var/tmp/foo in a profile is
sufficient to allow that access; search access to /var and /var/tmp does
not need to be specified. (The regular inode permission checks are of
course still performed.)
* For filesystems like nfsd, the concept of pathname based access control
doesn't make sense because of properties of the protocol: there is no
reliable mapping from an nfs file handle to a particular file; aliases
to the same file cannot be distinguished. (The AppArmor techdoc [1]
describes this in more detail.)
Not allowing to confine nfsd by AppArmor doesn't hurt much: nfsd provides
its own export access control mechanisms. Also, nfsd cannot really be
confined in a secure way because of how it is implemented in the kernel.
Gfs2 may have similar properties; I didn't actually look into the protocol.
So I propose to separate the vfs NULL nameidata / vfsmount passing discussion
from the AppArmor discussion. I have no problem working on the vfs fixes --
we could some nice cleanups there -- but that really is independent of
AppArmor.
We almost have the revised AppArmor patches ready. We'll include all the fixes
that are truly necessary, and everything beyond that will be posted
separately.
> But anyway, creating fake nameidata structures is not really helpful.
> If there is a nameidata passed people expect it to be complete, and
> if you pass them to an LSM people will e.g. try to look into lookup
> intents.
Splitting up nameidata helps somewhat here. In cases where we don't have
intent information available we can zero out the intent flags, and so in the
worst case, we won't get the intent optimizations.
Thanks,
Andreas
next prev parent reply other threads:[~2007-05-11 16:00 UTC|newest]
Thread overview: 187+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-04-12 9:08 [AppArmor 00/41] AppArmor security module overview jjohansen
2007-04-12 9:08 ` [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook jjohansen
2007-04-12 10:06 ` Christoph Hellwig
2007-04-16 16:11 ` [nameidata 1/2] Don't pass NULL nameidata to vfs_create Andreas Gruenbacher
2007-04-16 16:21 ` Christoph Hellwig
2007-04-16 16:40 ` Andreas Gruenbacher
2007-04-16 16:45 ` Christoph Hellwig
2007-04-17 12:09 ` Andreas Gruenbacher
2007-05-11 15:59 ` Andreas Gruenbacher [this message]
2007-04-16 16:25 ` Matthew Wilcox
2007-04-16 16:29 ` [nameidata 2/2] Pass no useless nameidata to the create, lookup, and permission IOPs Andreas Gruenbacher
2007-04-16 16:39 ` Christoph Hellwig
2007-04-16 16:42 ` Randy Dunlap
2007-04-16 16:44 ` Andreas Gruenbacher
2007-04-16 16:50 ` Randy Dunlap
2007-04-12 10:12 ` [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook Al Viro
2007-05-23 19:06 ` Andreas Gruenbacher
2007-05-24 1:28 ` James Morris
2007-05-24 9:16 ` Andreas Gruenbacher
2007-05-24 12:51 ` [AppArmor 01/41] Pass struct vfsmount to the inode_create LSMhook Tetsuo Handa
[not found] ` <200705241112.41101.agruen@suse.de>
2007-05-24 13:19 ` [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook James Morris
2007-05-24 18:10 ` Andreas Gruenbacher
2007-05-24 18:40 ` Al Viro
2007-05-24 21:56 ` Andreas Gruenbacher
2007-05-24 18:58 ` Casey Schaufler
2007-05-25 4:14 ` Andreas Gruenbacher
2007-05-25 5:17 ` Jeremy Maitin-Shepard
2007-05-25 17:43 ` Casey Schaufler
2007-05-25 18:10 ` Jeremy Maitin-Shepard
2007-05-25 18:13 ` Jeremy Maitin-Shepard
2007-05-25 19:06 ` Casey Schaufler
2007-05-26 1:40 ` Tetsuo Handa
2007-05-26 12:10 ` Andreas Gruenbacher
2007-05-26 22:58 ` Casey Schaufler
2007-05-27 1:33 ` Valdis.Kletnieks
2007-05-25 20:00 ` Andreas Gruenbacher
2007-05-25 20:27 ` Casey Schaufler
2007-05-26 5:27 ` Crispin Cowan
2007-05-26 13:34 ` Alan Cox
2007-05-26 14:05 ` Andreas Gruenbacher
2007-05-26 18:41 ` James Morris
2007-05-26 5:20 ` Kyle Moffett
2007-05-26 11:46 ` Andreas Gruenbacher
2007-05-26 12:09 ` Tetsuo Handa
2007-05-26 13:41 ` Andreas Gruenbacher
2007-05-26 14:44 ` Tetsuo Handa
2007-05-26 16:52 ` Andreas Gruenbacher
2007-05-26 18:16 ` Kyle Moffett
2007-05-26 18:45 ` [AppArmor 01/41] " James Morris
2007-05-26 23:08 ` Toshiharu Harada
2007-05-27 2:10 ` Kyle Moffett
2007-05-27 2:37 ` Valdis.Kletnieks
2007-05-27 5:32 ` Kyle Moffett
2007-05-28 20:38 ` Pavel Machek
2007-05-29 2:00 ` Kyle Moffett
2007-05-27 7:25 ` Toshiharu Harada
2007-05-27 13:35 ` Kyle Moffett
2007-05-28 10:41 ` Toshiharu Harada
2007-05-29 1:54 ` Kyle Moffett
2007-05-29 21:17 ` Valdis.Kletnieks
2007-05-30 5:52 ` Crispin Cowan
2007-05-24 14:40 ` Pavel Machek
2007-05-30 10:06 ` Alan Cox
2007-05-30 2:38 ` Toshiharu Harada
2007-05-27 8:34 ` Cliffe
2007-05-27 13:07 ` Kyle Moffett
2007-05-27 16:12 ` Casey Schaufler
[not found] ` <465AE46B.4090109@iinet.net.au>
2007-05-28 22:29 ` Crispin Cowan
2007-05-29 10:46 ` [AppArmor 01/41] Pass struct vfsmount to the inode_create LSMhook Tetsuo Handa
2007-05-29 15:52 ` Casey Schaufler
2007-05-29 19:58 ` James Morris
2007-05-29 17:07 ` Andreas Gruenbacher
2007-05-29 20:47 ` Tetsuo Handa
2007-05-29 22:10 ` Andreas Gruenbacher
2007-05-30 11:38 ` Tetsuo Handa
2007-05-29 14:45 ` [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook Pavel Machek
2007-05-29 23:25 ` david
2007-05-29 23:30 ` Pavel Machek
2007-05-30 1:46 ` David Wagner
2007-05-24 14:47 ` Pavel Machek
2007-06-01 17:44 ` Valdis.Kletnieks
2007-06-01 18:00 ` david
2007-06-04 11:07 ` Pavel Machek
2007-06-02 4:30 ` David Wagner
2007-06-02 7:40 ` Valdis.Kletnieks
2007-06-02 14:27 ` david
2007-06-02 19:14 ` Valdis.Kletnieks
2007-06-02 19:51 ` david
2007-06-03 4:52 ` Valdis.Kletnieks
2007-06-08 20:24 ` Pavel Machek
2007-06-08 21:54 ` Casey Schaufler
2007-05-30 5:42 ` Crispin Cowan
2007-05-25 8:01 ` Toshiharu Harada
2007-04-12 9:08 ` [AppArmor 02/41] Remove redundant check from proc_setattr() jjohansen
2007-04-12 9:08 ` [AppArmor 03/41] Remove redundant check from proc_sys_setattr() jjohansen
2007-04-12 10:10 ` Alan Cox
2007-04-12 9:08 ` [AppArmor 04/41] Pass struct file down to remove_suid and children jjohansen
2007-04-12 9:08 ` [AppArmor 05/41] Add a vfsmount parameter to notify_change() jjohansen
2007-04-12 9:08 ` [AppArmor 06/41] Pass struct vfsmount to the inode_setattr LSM hook jjohansen
2007-04-12 9:08 ` [AppArmor 07/41] Add struct vfsmount parameter to vfs_mkdir() jjohansen
2007-04-12 9:08 ` [AppArmor 08/41] Pass struct vfsmount to the inode_mkdir LSM hook jjohansen
2007-04-12 9:08 ` [AppArmor 09/41] Add a struct vfsmount parameter to vfs_mknod() jjohansen
2007-04-12 9:08 ` [AppArmor 10/41] Pass struct vfsmount to the inode_mknod LSM hook jjohansen
2007-04-12 9:08 ` [AppArmor 11/41] Add a struct vfsmount parameter to vfs_symlink() jjohansen
2007-04-12 9:08 ` [AppArmor 12/41] Pass struct vfsmount to the inode_symlink LSM hook jjohansen
2007-04-12 9:08 ` [AppArmor 13/41] Pass struct vfsmount to the inode_readlink " jjohansen
2007-04-12 9:08 ` [AppArmor 14/41] Add struct vfsmount parameters to vfs_link() jjohansen
2007-04-12 9:08 ` [AppArmor 15/41] Pass the struct vfsmounts to the inode_link LSM hook jjohansen
2007-04-12 9:08 ` [AppArmor 16/41] Add a struct vfsmount parameter to vfs_rmdir() jjohansen
2007-04-12 9:08 ` [AppArmor 17/41] Pass struct vfsmount to the inode_rmdir LSM hook jjohansen
2007-04-12 9:08 ` [AppArmor 18/41] call lsm hook before unhashing dentry in vfs_rmdir() jjohansen
2007-04-12 9:08 ` [AppArmor 19/41] Add a struct vfsmount parameter to vfs_unlink() jjohansen
2007-04-12 9:08 ` [AppArmor 20/41] Pass struct vfsmount to the inode_unlink LSM hook jjohansen
2007-04-12 9:08 ` [AppArmor 21/41] Add struct vfsmount parameters to vfs_rename() jjohansen
2007-04-12 9:08 ` [AppArmor 22/41] Pass struct vfsmount to the inode_rename LSM hook jjohansen
2007-04-12 9:08 ` [AppArmor 23/41] Add a struct vfsmount parameter to vfs_setxattr() jjohansen
2007-04-12 9:08 ` [AppArmor 24/41] Pass struct vfsmount to the inode_setxattr LSM hook jjohansen
2007-04-12 9:08 ` [AppArmor 25/41] Add a struct vfsmount parameter to vfs_getxattr() jjohansen
2007-04-12 9:08 ` [AppArmor 26/41] Pass struct vfsmount to the inode_getxattr LSM hook jjohansen
2007-04-12 9:08 ` [AppArmor 27/41] Add a struct vfsmount parameter to vfs_listxattr() jjohansen
2007-04-12 9:08 ` [AppArmor 28/41] Pass struct vfsmount to the inode_listxattr LSM hook jjohansen
2007-04-12 9:08 ` [AppArmor 29/41] Add a struct vfsmount parameter to vfs_removexattr() jjohansen
2007-04-12 9:08 ` [AppArmor 30/41] Pass struct vfsmount to the inode_removexattr LSM hook jjohansen
2007-04-12 9:08 ` [AppArmor 31/41] Fix __d_path() for lazy unmounts and make it unambiguous; exclude unreachable mount points from /proc/mounts jjohansen
2007-04-12 9:58 ` Alan Cox
2007-04-15 17:40 ` Andreas Gruenbacher
2007-04-16 21:57 ` Alan Cox
2007-04-17 1:35 ` Andreas Gruenbacher
2007-04-17 17:21 ` Alan Cox
2007-04-19 23:23 ` [d_path 0/7] Fixes to d_path: Respin Andreas Gruenbacher
2007-04-20 9:30 ` Alan Cox
2007-04-20 11:45 ` Andreas Gruenbacher
2007-04-20 15:15 ` Ulrich Drepper
2007-04-20 15:21 ` Andreas Gruenbacher
2007-04-20 15:24 ` Ulrich Drepper
2007-04-20 16:40 ` Andreas Gruenbacher
2007-04-20 19:17 ` Ulrich Drepper
2007-04-20 20:44 ` Miklos Szeredi
2007-04-21 19:04 ` Andreas Gruenbacher
2007-04-21 19:46 ` Ulrich Drepper
2007-04-22 9:10 ` Christoph Hellwig
2007-04-22 15:48 ` Andreas Gruenbacher
2007-04-19 23:23 ` [d_path 1/7] Fix __d_path() for lazy unmounts and make it unambiguous Andreas Gruenbacher
2007-04-20 9:32 ` Alan Cox
2007-04-19 23:23 ` [d_path 2/7] Make d_path() consistent across mount operations Andreas Gruenbacher
2007-04-19 23:23 ` [d_path 3/7] Add d_namespace_path() to compute namespace relative pathnames Andreas Gruenbacher
2007-04-21 12:57 ` Tetsuo Handa
2007-04-21 16:16 ` Andreas Gruenbacher
2007-04-19 23:23 ` [d_path 4/7] Make getcwd() only return valid paths Andreas Gruenbacher
2007-04-19 23:23 ` [d_path 5/7] Remove duplicate proc code Andreas Gruenbacher
2007-04-19 23:23 ` [d_path 6/7] Filter out disconnected paths from /proc/mounts Andreas Gruenbacher
2007-04-20 9:34 ` Alan Cox
2007-04-19 23:23 ` [d_path 7/7] Distinguish between connected and disconnected paths in d_path() Andreas Gruenbacher
2007-04-17 6:30 ` [AppArmor 31/41] Fix __d_path() for lazy unmounts and make it unambiguous; exclude unreachable mount points from /proc/mounts Rob Meijer
2007-04-12 9:08 ` [AppArmor 32/41] Make d_path() consistent across mount operations jjohansen
2007-04-12 9:08 ` [AppArmor 33/41] Add d_namespace_path() to obtain namespace relative pathnames jjohansen
2007-04-12 10:49 ` Al Viro
2007-04-12 9:08 ` [AppArmor 34/41] Enable LSM hooks to distinguish operations on file descriptors from operations on pathnames jjohansen
2007-04-12 9:08 ` [AppArmor 35/41] Pass struct file down the inode_*xattr security LSM hooks jjohansen
2007-04-12 9:08 ` [AppArmor 36/41] Export audit subsystem for use by modules jjohansen
2007-04-12 9:08 ` [AppArmor 37/41] AppArmor: Main Part jjohansen
2007-04-12 10:37 ` Alan Cox
2007-04-13 8:17 ` Andreas Gruenbacher
2007-04-13 8:48 ` Andreas Gruenbacher
2007-04-13 8:52 ` Nick Piggin
2007-04-12 9:08 ` [AppArmor 38/41] AppArmor: Module and LSM hooks jjohansen
2007-04-12 10:21 ` Alan Cox
2007-04-16 21:37 ` John Johansen
2007-04-12 9:08 ` [AppArmor 39/41] AppArmor: Profile loading and manipulation, pathname matching jjohansen
2007-04-12 10:28 ` Alan Cox
2007-04-12 13:46 ` Andi Kleen
2007-04-15 14:21 ` Andreas Gruenbacher
2007-04-16 6:27 ` Andi Kleen
2007-04-16 20:56 ` John Johansen
2007-04-16 7:39 ` Pavel Machek
2007-04-16 22:00 ` Alan Cox
2007-04-16 22:11 ` John Johansen
2007-04-12 9:08 ` [AppArmor 40/41] AppArmor: all the rest jjohansen
2007-04-12 10:32 ` Al Viro
2007-04-12 11:32 ` Al Viro
2007-04-12 9:08 ` [AppArmor 41/41] Add AppArmor LSM to security/Makefile jjohansen
2007-04-12 10:33 ` [AppArmor 00/41] AppArmor security module overview Shaya Potter
2007-04-12 13:50 ` Pavel Machek
2007-04-12 21:13 ` David Wagner
2007-04-16 7:46 ` Pavel Machek
2007-04-16 18:24 ` David Wagner
2007-04-13 8:04 ` Rob Meijer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200705111759.36069.agruen@suse.de \
--to=agruen@suse.de \
--cc=chrisw@sous-sol.org \
--cc=hch@infradead.org \
--cc=jjohansen@suse.de \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=tonyj@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox