Linux kernel -stable discussions
From: Christian Brauner <brauner@kernel.org>
To: Kentaro Takeda <takedakn@nttdata.co.jp>,
	Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc: Christian Brauner <brauner@kernel.org>,
	tomoyo-dev-en@lists.osdn.me, stable@vger.kernel.org
Subject: [PATCH] tomoyo: fix handling of path{1,2}.parent.* conditions
Date: Tue,  7 Jun 2022 14:27:16 +0200
Message-ID: <20220607122716.1704591-1-brauner@kernel.org>

When path conditions are specified tomoyo tries to retrieve information about
the parent dentry. It currently assumes that the parent dentry is always
reachable from the child dentry's mount. This assumption is wrong when
bind-mounts are in play:

mkdir /foo
touch /foo/file1

mkdir /bar
touch /bar/file2

mount --bind /bar/file2 /foo/file1

file read /foo/file1 path1.parent.uid=12

Tomoyo will now call dget_parent(file1). This will yield "bar". But "bar" isn't
reachable from the bind-mount of "file1". Handle this case by ensuring that the
parent dentry is actually reachable from the child dentry's mount and if not
skip it.

Fixes: 8761afd49ebf ("TOMOYO: Allow using owner/group etc. of file objects as conditions.")
Cc: stable@vger.kernel.org # 4.9+
Cc: Kentaro Takeda <takedakn@nttdata.co.jp>
Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc: tomoyo-dev-en@lists.osdn.me
Signed-off-by: Christian Brauner (Microsoft) <brauner@kernel.org>
---
Hey everyone,

Spotted this while working on some other fixes.
Just an fyi, I'm not subscribed on the mailing list.

Thanks!
Christian
---
 security/tomoyo/condition.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/security/tomoyo/condition.c b/security/tomoyo/condition.c
index f8bcc083bb0d..7e14f8fadbeb 100644
--- a/security/tomoyo/condition.c
+++ b/security/tomoyo/condition.c
@@ -714,25 +714,35 @@ void tomoyo_get_attributes(struct tomoyo_obj_info *obj)
 {
 	u8 i;
 	struct dentry *dentry = NULL;
+	struct vfsmount *mnt = NULL;
 
 	for (i = 0; i < TOMOYO_MAX_PATH_STAT; i++) {
 		struct inode *inode;
+		struct dentry *parent;
 
 		switch (i) {
 		case TOMOYO_PATH1:
 			dentry = obj->path1.dentry;
 			if (!dentry)
 				continue;
+			mnt = obj->path1.mnt;
 			break;
 		case TOMOYO_PATH2:
 			dentry = obj->path2.dentry;
 			if (!dentry)
 				continue;
+			mnt = obj->path2.mnt;
 			break;
 		default:
 			if (!dentry)
 				continue;
-			dentry = dget_parent(dentry);
+			parent = dget_parent(dentry);
+
+			/* Ensure that parent dentry is reachable. */
+			if (mnt->mnt_root != dentry->d_sb->s_root &&
+			    !is_subdir(dentry, mnt->mnt_root))
+				continue;
+			dentry = parent;
 			break;
 		}
 		inode = d_backing_inode(dentry);
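
Review bot: In the `default:` case, the new `continue` is taken before `dentry = parent;`, so the reference obtained by `parent = dget_parent(dentry);` is never dropped on the unreachable path; add `dput(parent);` ahead of that `continue`. The reachability test also passes `dentry`, not `parent`, to `is_subdir()`, and `is_subdir()` returns true when both arguments are the same dentry, so when `dentry` is itself `mnt->mnt_root` (the bind-mounted file case from the commit message) the condition is false and the parent is still used. Testing `is_subdir(parent, mnt->mnt_root)` would match what the comment says is being checked.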

base-commit: f2906aa863381afb0015a9eb7fefad885d4e5a56
-- 
2.34.1

