linux-integrity.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Paul Moore <paul@paul-moore.com>
To: Christian Brauner <brauner@kernel.org>
Cc: linux-fsdevel@vger.kernel.org, Seth Forshee <sforshee@kernel.org>,
	Christoph Hellwig <hch@lst.de>, Al Viro <viro@zeniv.linux.org.uk>,
	Mimi Zohar <zohar@linux.ibm.com>,
	linux-integrity@vger.kernel.org,
	linux-security-module@vger.kernel.org
Subject: Re: [PATCH v2 13/30] evm: implement set acl hook
Date: Tue, 27 Sep 2022 18:56:14 -0400	[thread overview]
Message-ID: <CAHC9VhTKDm-c2JGPv5JBx2EFCRLeAWXcQPS3T_JhyoMJD0-03Q@mail.gmail.com> (raw)
In-Reply-To: <20220926140827.142806-14-brauner@kernel.org>

On Mon, Sep 26, 2022 at 11:24 AM Christian Brauner <brauner@kernel.org> wrote:
>
> The current way of setting and getting posix acls through the generic
> xattr interface is error prone and type unsafe. The vfs needs to
> interpret and fixup posix acls before storing or reporting it to
> userspace. Various hacks exist to make this work. The code is hard to
> understand and difficult to maintain in it's current form. Instead of
> making this work by hacking posix acls through xattr handlers we are
> building a dedicated posix acl api around the get and set inode
> operations. This removes a lot of hackiness and makes the codepaths
> easier to maintain. A lot of background can be found in [1].
>
> So far posix acls were passed as a void blob to the security and
> integrity modules. Some of them like evm then proceed to interpret the
> void pointer and convert it into the kernel internal struct posix acl
> representation to perform their integrity checking magic. This is
> obviously pretty problematic as that requires knowledge that only the
> vfs is guaranteed to have and has lead to various bugs. Add a proper
> security hook for setting posix acls and pass down the posix acls in
> their appropriate vfs format instead of hacking it through a void
> pointer stored in the uapi format.
>
> I spent considerate time in the security module and integrity
> infrastructure and audited all codepaths. EVM is the only part that
> really has restrictions based on the actual posix acl values passed
> through it. Before this dedicated hook EVM used to translate from the
> uapi posix acl format sent to it in the form of a void pointer into the
> vfs format. This is not a good thing. Instead of hacking around in the
> uapi struct give EVM the posix acls in the appropriate vfs format and
> perform sane permissions checks that mirror what it used to to in the
> generic xattr hook.
>
> Link: https://lore.kernel.org/all/20220801145520.1532837-1-brauner@kernel.org [1]
> Signed-off-by: Christian Brauner (Microsoft) <brauner@kernel.org>
> ---
>
> Notes:
>     /* v2 */
>     unchanged
>
>  include/linux/evm.h               | 10 +++++
>  security/integrity/evm/evm_main.c | 66 ++++++++++++++++++++++++++++++-
>  security/security.c               |  9 ++++-
>  3 files changed, 83 insertions(+), 2 deletions(-)

Ultimately this is Mimi's call, and it can be done later after this
patchset is merged, but it seems to me that some of the code in
evm_inode_set_acl() could be pulled out into a helper function(s)
shared with evm_protect_xattr().

Reviewed-by: Paul Moore <paul@paul-moore.com>

--
paul-moore.com

  reply	other threads:[~2022-09-27 22:56 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-09-26 14:07 [PATCH v2 00/30] acl: add vfs posix acl api Christian Brauner
2022-09-26 14:08 ` [PATCH v2 11/30] selinux: implement set acl hook Christian Brauner
2022-09-27 22:55   ` Paul Moore
2022-09-26 14:08 ` [PATCH v2 13/30] evm: " Christian Brauner
2022-09-27 22:56   ` Paul Moore [this message]
2022-09-26 14:08 ` [PATCH v2 15/30] evm: add post " Christian Brauner
2022-09-27 22:56   ` Paul Moore
2022-09-26 14:08 ` [PATCH v2 18/30] evm: simplify evm_xattr_acl_change() Christian Brauner
2022-09-27 22:56   ` Paul Moore
2022-09-28 13:31     ` Christian Brauner
2022-09-27  0:22 ` [PATCH v2 00/30] acl: add vfs posix acl api Casey Schaufler
2022-09-27  7:41   ` Christoph Hellwig
2022-09-27  7:59     ` Christian Brauner
2022-09-27 14:11     ` Casey Schaufler
2022-09-27 15:16       ` Seth Forshee
2022-09-27 15:55         ` Casey Schaufler
2022-09-27 23:24       ` Paul Moore
2022-09-27 23:37         ` Casey Schaufler

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CAHC9VhTKDm-c2JGPv5JBx2EFCRLeAWXcQPS3T_JhyoMJD0-03Q@mail.gmail.com \
    --to=paul@paul-moore.com \
    --cc=brauner@kernel.org \
    --cc=hch@lst.de \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=sforshee@kernel.org \
    --cc=viro@zeniv.linux.org.uk \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).