public inbox for linux-kernel@vger.kernel.org
From: Al Viro <viro@ZenIV.linux.org.uk>
To: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc: john.johansen@canonical.com, linux-kernel@vger.kernel.org,
	linux-fsdevel@vger.kernel.org, torvalds@linux-foundation.org
Subject: Re: [git pull] apparmor fix for __d_path() misuse
Date: Wed, 7 Dec 2011 03:42:38 +0000
Message-ID: <20111207034238.GX2203@ZenIV.linux.org.uk>
In-Reply-To: <201112070326.pB73QPZo042162@www262.sakura.ne.jp>

On Wed, Dec 07, 2011 at 12:26:25PM +0900, Tetsuo Handa wrote:
> >         char *pos = ERR_PTR(-ENOMEM);
> >         if (buflen >= 256) {
> > -               struct path ns_root = { };
> >                 /* go to whatever namespace root we are under */
> > -               pos = __d_path(path, &ns_root, buffer, buflen - 1);
> > +               pos = d_absolute_path(path, buffer, buflen - 1);
> >                 if (!IS_ERR(pos) && *pos == '/' && pos[1]) {
> >                         struct inode *inode = path->dentry->d_inode;
> >                         if (inode && S_ISDIR(inode->i_mode)) {
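Review bot: the `if (!IS_ERR(pos) && *pos == '/' && pos[1])` line keeps a single error path that was sized for __d_path() returning only -ENAMETOOLONG, but d_absolute_path() can also hand back -EINVAL when the object is no longer reachable, and a caller that grows the buffer and retries on any error will loop until allocation fails for a condition a bigger buffer cannot fix; consider testing `PTR_ERR(pos) == -EINVAL` explicitly so that case is denied (or given a dentry_path()-style fallback) rather than retried. Dropping `struct path ns_root = { };` is consistent with the new call taking no root argument.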
> 
> Currently, TOMOYO assumes that -ENAMETOOLONG is the only error which __d_path()
> might return (and retries with larger buffer size unless kmalloc() fails).
> If d_absolute_path() starts returning -EINVAL, TOMOYO will deny requests even
> if "partial (I mean the result would have been different if reachable)"
> pathname is granted by the policy.
> 
> How commonly can conditions that make d_absolute_path() return -EINVAL happen?

Race with umount -l, basically.  In that case the pathname is completely
unreliable - if I do umount -l /mnt, pathnames that would be under mnt
may get truncated on *ANY* mountpoint.  Not "always cut on /mnt"; not "always
cut on the last mountpoint"; it's "everything from root to arbitrary mountpoint
on that path is not noticed".  If your policy really has to deal with such
situations (unexpected umount -l racing with operations in the subtree that
gets dissolved), you do have a problem.  Right now, in the mainline kernel.
Because the pathname you are currently getting is unreliable as hell and
making any decisions based on it is, er, not particularly wise.

If you want to add handling of that -EINVAL in some form, feel free.  But
keep in mind that the *ONLY* part of pathname you can really recover at
that point is what dentry_path() would give you - i.e. from fs root to
object in question.  Everything prior to that is absolutely unreliable
and is bound to go away in a very short while - ->mnt_parent on the entire
chain is in process of being dissolved when we hit that race.
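A userspace model of the retry loop the reply above implies, added here as an example rather than code from the thread or from TOMOYO: it retries only on -ENAMETOOLONG and fails closed on the -EINVAL that a racing umount -l produces. ERR_PTR/IS_ERR/PTR_ERR are local copies of the kernel helpers, resolve_fn is an assumed stand-in for d_absolute_path(), and the two resolvers are constructed outcomes.

```c
/* Added example (not from the thread): userspace model of the TOMOYO-style
 * lookup loop; resolve_fn is a hypothetical stand-in for d_absolute_path(). */
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#define MAX_ERRNO 4095
static inline void *ERR_PTR(long e) { return (void *)e; }
static inline int IS_ERR(const void *p) { return (unsigned long)p >= (unsigned long)-MAX_ERRNO; }
static inline long PTR_ERR(const void *p) { return (long)p; }
typedef char *(*resolve_fn)(char *buf, int buflen);  /* d_absolute_path() minus struct path */
/* Returns a malloc'd absolute pathname, or NULL when the policy must deny.
 * -ENAMETOOLONG: grow the buffer and retry, as TOMOYO already does.
 * -EINVAL: object detached by a racing umount -l; a bigger buffer cannot help,
 * so give up at once instead of retrying until kmalloc() fails. */
static char *get_absolute_path(resolve_fn resolve, int *attempts)
{
    int buflen = 256, tries = 0;
    char *ret = NULL;
    while (buflen <= 4096) {                   /* bound keeps the loop finite */
        char *buf = malloc(buflen);
        if (!buf) break;
        tries++;
        char *pos = resolve(buf, buflen - 1);  /* same call shape as the hunk */
        long err = IS_ERR(pos) ? PTR_ERR(pos) : 0;
        if (!err && (ret = malloc(strlen(pos) + 1)))
            strcpy(ret, pos);
        free(buf);
        if (err != -ENAMETOOLONG)              /* done: success, -EINVAL, or other */
            break;
        buflen *= 2;
    }
    if (attempts) *attempts = tries;
    return ret;
}
static int lookup_attempts(resolve_fn r) { int n; free(get_absolute_path(r, &n)); return n; }
/* Constructed resolvers standing in for two d_absolute_path() outcomes. */
static char *resolve_long(char *buf, int buflen)
{
    int len = 299;                             /* constructed 299-byte "/aaaa..." path */
    if (buflen < len + 1)
        return ERR_PTR(-ENAMETOOLONG);
    char *pos = buf + buflen - len - 1;        /* __d_path fills from the buffer's end */
    memset(pos, 'a', len);
    pos[0] = '/'; pos[len] = '\0';
    return pos;
}
static char *resolve_unreachable(char *buf, int buflen)
{ (void)buf; (void)buflen; return ERR_PTR(-EINVAL); }  /* pathname lost to umount -l */
```

Where a policy can work with the fs-root-relative name the reply mentions, the -EINVAL branch is where a dentry_path() fallback would go instead of the deny.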
