Re: [PATCH] LSM: Move security_path_chmod()/security_path_chown() to after mutex_lock().

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: John Johansen <john.johansen@canonical.com>
To: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc: linux-security-module@vger.kernel.org,
	linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] LSM: Move security_path_chmod()/security_path_chown() to after mutex_lock().
Date: Mon, 23 Nov 2009 02:09:50 -0800	[thread overview]
Message-ID: <4B0A5F6E.2080400@canonical.com> (raw)
In-Reply-To: <200911221149.HCF73996.FSLtOOHVJFQOFM@I-love.SAKURA.ne.jp>

Tetsuo Handa wrote:
> [PATCH] LSM: Move security_path_chmod()/security_path_chown() to after mutex_lock().
> 
> We should call security_path_chmod()/security_path_chown() after mutex_lock()
> in order to avoid races.
> 
> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>

Acked-by: John Johansen <john.johansen@canonical.com>

> ---
>  fs/open.c |   36 +++++++++++++++---------------------
>  1 file changed, 15 insertions(+), 21 deletions(-)
> 
> --- security-testing-2.6.orig/fs/open.c
> +++ security-testing-2.6/fs/open.c
> @@ -619,17 +619,17 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd
>  	err = mnt_want_write_file(file);
>  	if (err)
>  		goto out_putf;
> +	mutex_lock(&inode->i_mutex);
>  	err = security_path_chmod(dentry, file->f_vfsmnt, mode);
>  	if (err)
> -		goto out_drop_write;
> -	mutex_lock(&inode->i_mutex);
> +		goto out_unlock;
>  	if (mode == (mode_t) -1)
>  		mode = inode->i_mode;
>  	newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
>  	newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
>  	err = notify_change(dentry, &newattrs);
> +out_unlock:
>  	mutex_unlock(&inode->i_mutex);
> -out_drop_write:
>  	mnt_drop_write(file->f_path.mnt);
>  out_putf:
>  	fput(file);
> @@ -652,17 +652,17 @@ SYSCALL_DEFINE3(fchmodat, int, dfd, cons
>  	error = mnt_want_write(path.mnt);
>  	if (error)
>  		goto dput_and_out;
> +	mutex_lock(&inode->i_mutex);
>  	error = security_path_chmod(path.dentry, path.mnt, mode);
>  	if (error)
> -		goto out_drop_write;
> -	mutex_lock(&inode->i_mutex);
> +		goto out_unlock;
>  	if (mode == (mode_t) -1)
>  		mode = inode->i_mode;
>  	newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
>  	newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
>  	error = notify_change(path.dentry, &newattrs);
> +out_unlock:
>  	mutex_unlock(&inode->i_mutex);
> -out_drop_write:
>  	mnt_drop_write(path.mnt);
>  dput_and_out:
>  	path_put(&path);
> @@ -675,9 +675,9 @@ SYSCALL_DEFINE2(chmod, const char __user
>  	return sys_fchmodat(AT_FDCWD, filename, mode);
>  }
>  
> -static int chown_common(struct dentry * dentry, uid_t user, gid_t group)
> +static int chown_common(struct path *path, uid_t user, gid_t group)
>  {
> -	struct inode *inode = dentry->d_inode;
> +	struct inode *inode = path->dentry->d_inode;
>  	int error;
>  	struct iattr newattrs;
>  
> @@ -694,7 +694,9 @@ static int chown_common(struct dentry * 
>  		newattrs.ia_valid |=
>  			ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_KILL_PRIV;
>  	mutex_lock(&inode->i_mutex);
> -	error = notify_change(dentry, &newattrs);
> +	error = security_path_chown(path, user, group);
> +	if (!error)
> +		error = notify_change(path->dentry, &newattrs);
>  	mutex_unlock(&inode->i_mutex);
>  
>  	return error;
> @@ -711,9 +713,7 @@ SYSCALL_DEFINE3(chown, const char __user
>  	error = mnt_want_write(path.mnt);
>  	if (error)
>  		goto out_release;
> -	error = security_path_chown(&path, user, group);
> -	if (!error)
> -		error = chown_common(path.dentry, user, group);
> +	error = chown_common(&path, user, group);
>  	mnt_drop_write(path.mnt);
>  out_release:
>  	path_put(&path);
> @@ -738,9 +738,7 @@ SYSCALL_DEFINE5(fchownat, int, dfd, cons
>  	error = mnt_want_write(path.mnt);
>  	if (error)
>  		goto out_release;
> -	error = security_path_chown(&path, user, group);
> -	if (!error)
> -		error = chown_common(path.dentry, user, group);
> +	error = chown_common(&path, user, group);
>  	mnt_drop_write(path.mnt);
>  out_release:
>  	path_put(&path);
> @@ -759,9 +757,7 @@ SYSCALL_DEFINE3(lchown, const char __use
>  	error = mnt_want_write(path.mnt);
>  	if (error)
>  		goto out_release;
> -	error = security_path_chown(&path, user, group);
> -	if (!error)
> -		error = chown_common(path.dentry, user, group);
> +	error = chown_common(&path, user, group);
>  	mnt_drop_write(path.mnt);
>  out_release:
>  	path_put(&path);
> @@ -784,9 +780,7 @@ SYSCALL_DEFINE3(fchown, unsigned int, fd
>  		goto out_fput;
>  	dentry = file->f_path.dentry;
>  	audit_inode(NULL, dentry);
> -	error = security_path_chown(&file->f_path, user, group);
> -	if (!error)
> -		error = chown_common(dentry, user, group);
> +	error = chown_common(&file->f_path, user, group);
>  	mnt_drop_write(file->f_path.mnt);
>  out_fput:
>  	fput(file);
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

next prev parent reply	other threads:[~2009-11-23 10:09 UTC|newest]

Thread overview: 47+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2009-10-04 12:49 [TOMOYO #16 00/25] Starting TOMOYO 2.3 Tetsuo Handa
2009-10-04 12:49 ` [TOMOYO #16 01/25] LSM: Add security_path_chmod() and security_path_chown() Tetsuo Handa
2009-10-08 17:10   ` John Johansen
2009-10-12  1:04     ` James Morris
2009-10-13 11:34       ` [TOMOYO #16 01/25] LSM: Add security_path_chmod() andsecurity_path_chown() Tetsuo Handa
2009-10-13 11:37         ` [PATCH] TOMOYO: Add recursive directory matching operator support Tetsuo Handa
2009-10-13 11:39           ` [PATCH] TOMOYO: Use RCU primitives for list operation Tetsuo Handa
2009-10-13 11:41             ` [PATCH] TOMOYO: Bring memory allocation to outside semaphore Tetsuo Handa
2009-10-29  5:40             ` [PATCH] TOMOYO: Use RCU primitives for list operation Serge E. Hallyn
2009-12-04 12:34               ` Tetsuo Handa
2009-10-29  5:12   ` [TOMOYO #16 01/25] LSM: Add security_path_chmod() and security_path_chown() Serge E. Hallyn
2009-10-29 15:56     ` [TOMOYO #16 01/25] LSM: Add security_path_chmod() andsecurity_path_chown() Tetsuo Handa
2009-11-22  2:49       ` [PATCH] LSM: Move security_path_chmod()/security_path_chown() to after mutex_lock() Tetsuo Handa
2009-11-23 10:09         ` John Johansen [this message]
2009-11-23 21:50           ` James Morris
2009-10-04 12:49 ` [TOMOYO #16 02/25] LSM: Add security_path_chroot() Tetsuo Handa
2009-10-08 17:12   ` John Johansen
2009-10-29  5:32   ` Serge E. Hallyn
2009-10-04 12:49 ` [TOMOYO #16 03/25] LSM: Pass original mount flags to security_sb_mount() Tetsuo Handa
2009-10-08 17:22   ` John Johansen
2009-10-04 12:49 ` [TOMOYO #16 04/25] TOMOYO: Add header file Tetsuo Handa
2009-10-04 12:49 ` [TOMOYO #16 05/25] TOMOYO: Add per task_struct variables Tetsuo Handa
2009-10-04 12:49 ` [TOMOYO #16 06/25] TOMOYO: Add LSM adaptor Tetsuo Handa
2009-10-04 12:49 ` [TOMOYO #16 07/25] TOMOYO: Add path_group keyword support Tetsuo Handa
2009-10-04 12:49 ` [TOMOYO #16 08/25] TOMOYO: Add number_group " Tetsuo Handa
2009-10-04 12:49 ` [TOMOYO #16 09/25] TOMOYO: Add address_group " Tetsuo Handa
2009-10-04 12:49 ` [TOMOYO #16 10/25] TOMOYO: Add conditional ACL support Tetsuo Handa
2009-10-04 12:49 ` [TOMOYO #16 11/25] TOMOYO: Add auditing support Tetsuo Handa
2009-10-04 12:49 ` [TOMOYO #16 12/25] TOMOYO: Memory management support Tetsuo Handa
2009-10-04 12:49 ` [TOMOYO #16 13/25] TOMOYO: Add garbage collector support Tetsuo Handa
2009-10-04 12:50 ` [TOMOYO #16 14/25] TOMOYO: Add network restriction Tetsuo Handa
2009-10-04 12:50 ` [TOMOYO #16 15/25] TOMOYO: Add mount restriction Tetsuo Handa
2009-10-04 12:50 ` [TOMOYO #16 16/25] TOMOYO: Add environment variables restriction Tetsuo Handa
2009-10-04 12:50 ` [TOMOYO #16 17/25] TOMOYO: Add capability support Tetsuo Handa
2009-10-29  5:23   ` Serge E. Hallyn
2009-10-04 12:50 ` [TOMOYO #16 18/25] TOMOYO: Add utility functions Tetsuo Handa
2009-10-04 12:50 ` [TOMOYO #16 19/25] TOMOYO: Add policy I/O handler Tetsuo Handa
2009-10-04 12:50 ` [TOMOYO #16 20/25] TOMOYO: Add policy loader launcher Tetsuo Handa
2009-10-04 12:50 ` [TOMOYO #16 21/25] TOMOYO: Add securityfs interface Tetsuo Handa
2009-10-04 12:50 ` [TOMOYO #16 22/25] TOMOYO: Add pathname calculation functions Tetsuo Handa
2009-10-04 12:50 ` [TOMOYO #16 23/25] TOMOYO: Add file access restriction Tetsuo Handa
2009-10-04 12:50 ` [TOMOYO #16 24/25] TOMOYO: Add domain transition handler Tetsuo Handa
2009-10-04 12:50 ` [TOMOYO #16 25/25] TOMOYO: Update Kconfig and Makefile Tetsuo Handa
2009-10-06  9:39 ` [TOMOYO #16 00/25] Starting TOMOYO 2.3 Pavel Machek
2009-10-07  4:09   ` Tetsuo Handa
2009-10-07  7:38     ` Pavel Machek
2009-10-07 13:30       ` Tetsuo Handa

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4B0A5F6E.2080400@canonical.com \
    --to=john.johansen@canonical.com \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=penguin-kernel@I-love.SAKURA.ne.jp \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox