From: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
To: Eric Paris <eparis@redhat.com>
Cc: Amerigo Wang <amwang@redhat.com>,
linux-kernel@vger.kernel.org, esandeen@redhat.com,
eteo@redhat.com, linux-fsdevel@vger.kernel.org,
akpm@linux-foundation.org, viro@zeniv.linux.org.uk,
sds@tycho.nsa.gov, linux-security-module@vger.kernel.org
Subject: Re: [Patch v3] vfs: allow file truncations when both suid and write permissions set
Date: Sat, 08 Aug 2009 05:53:04 +0900 [thread overview]
Message-ID: <87eirnqrbj.fsf@devron.myhome.or.jp> (raw)
In-Reply-To: <1249677481.2694.22.camel@dhcp231-106.rdu.redhat.com> (Eric Paris's message of "Fri, 07 Aug 2009 16:38:01 -0400")
Eric Paris <eparis@redhat.com> writes:
>> > I was thinking about this and kept telling myself I was going to test v2
>> > before I ack/nak. Clearly we shouldn't for the dropping of SUID if the
>> > process didn't have permission to change the ATTR_SIZE.
>> >
>> > Acked-by: Eric Paris <eparis@redhat.com>
>>
>> BTW, Do you know why doesn't security modules fix the handling of
>> do_truncate() (i.e. ATTR_MODE | ATTR_SIZE). And why doesn't it allow to
>> pass ATTR_FORCE for it?
>
> I'm not sure what you mean. I understood ATTR_FORCE to mean 'I am magic
> and get to override all security checks." Which is why nothing should
> ever be using ATTR_FORCE with things other than SUID.
>
> I guess we could somehow force logic into the LSM to make it only apply
> to SUID and friends but I'm not sure it buys us anything.
Yes, I think it's good way. Don't we want to do the following?
if (permission check of job)
return error;
if (do job at once)
return error;
But currently way is,
if (permission check of first part)
return error
if (do first part of job)
return error
if (permission check of second part)
return error
if (do second part of job)
return error
So, if second part was error, we may want to undo the job of first part
in theory. But, to undo is just hard and strange.
This is why I think ATTR_FORCE is good way. What do you think?
Thanks.
--
OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
next prev parent reply other threads:[~2009-08-07 20:53 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-08-07 10:05 [Patch v3] vfs: allow file truncations when both suid and write permissions set Amerigo Wang
2009-08-07 19:57 ` Eric Paris
2009-08-07 20:23 ` OGAWA Hirofumi
2009-08-07 20:38 ` Eric Paris
2009-08-07 20:53 ` OGAWA Hirofumi [this message]
2009-08-10 2:30 ` Amerigo Wang
2009-08-10 4:59 ` OGAWA Hirofumi
2009-08-10 11:49 ` Stephen Smalley
2009-08-10 12:43 ` OGAWA Hirofumi
2009-08-10 12:57 ` Stephen Smalley
2009-08-10 13:10 ` OGAWA Hirofumi
2009-08-12 9:03 ` Amerigo Wang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87eirnqrbj.fsf@devron.myhome.or.jp \
--to=hirofumi@mail.parknet.co.jp \
--cc=akpm@linux-foundation.org \
--cc=amwang@redhat.com \
--cc=eparis@redhat.com \
--cc=esandeen@redhat.com \
--cc=eteo@redhat.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=sds@tycho.nsa.gov \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox