All of lore.kernel.org
 help / color / mirror / Atom feed
From: Miklos Szeredi <miklos@szeredi.hu>
To: Andreas Gruenbacher <agruenba@redhat.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>,
	Christoph Hellwig <hch@infradead.org>,
	"Theodore Ts'o" <tytso@mit.edu>,
	Andreas Dilger <adilger.kernel@dilger.ca>,
	"J. Bruce Fields" <bfields@fieldses.org>,
	Jeff Layton <jlayton@poochiereds.net>,
	Trond Myklebust <trond.myklebust@primarydata.com>,
	Anna Schumaker <anna.schumaker@netapp.com>,
	Dave Chinner <david@fromorbit.com>,
	linux-ext4@vger.kernel.org, LKML <linux-kernel@vger.kernel.org>,
	linux-fsdevel <linux-fsdevel@vger.kernel.org>,
	linux-nfs@vger.kernel.org, linux-cifs@vger.kernel.org,
	linux-api@vger.kernel.org
Subject: Re: [PATCH v27 03/21] vfs: Add MAY_DELETE_SELF and MAY_DELETE_CHILD permission flags
Date: Fri, 2 Dec 2016 10:57:42 +0100	[thread overview]
Message-ID: <CAELBmZCgttywPy3EtkFao7SPESaw8VB5K6x7PTRk7gwSk7sXqg@mail.gmail.com> (raw)
In-Reply-To: <1476190256-1677-4-git-send-email-agruenba@redhat.com>

On Tue, Oct 11, 2016 at 2:50 PM, Andreas Gruenbacher
<agruenba@redhat.com> wrote:
> Normally, deleting a file requires MAY_WRITE access to the parent
> directory.  With richacls, a file may be deleted with MAY_DELETE_CHILD access
> to the parent directory or with MAY_DELETE_SELF access to the file.
>
> To support that, pass the MAY_DELETE_CHILD mask flag to inode_permission()
> when checking for delete access inside a directory, and MAY_DELETE_SELF
> when checking for delete access to a file itself.
>
> The MAY_DELETE_SELF permission overrides the sticky directory check.

And MAY_DELETE_SELF seems totally inappropriate to any kind of rename,
since from the point of view of the inode we are not doing anything at
all.  The modifications are all in the parent(s), and that's where the
permission checks need to be.

> @@ -2780,14 +2780,20 @@ static int may_delete_or_replace(struct inode *dir, struct dentry *victim,
>         BUG_ON(victim->d_parent->d_inode != dir);
>         audit_inode_child(dir, victim, AUDIT_TYPE_CHILD_DELETE);
>
> -       error = inode_permission(dir, mask);
> +       error = inode_permission(dir, mask | MAY_WRITE | MAY_DELETE_CHILD);
> +       if (!error && check_sticky(dir, inode))
> +               error = -EPERM;
> +       if (error && IS_RICHACL(inode) &&
> +           inode_permission(inode, MAY_DELETE_SELF) == 0 &&
> +           inode_permission(dir, mask) == 0)
> +               error = 0;

Why is MAY_WRITE missing here?  Everything not aware of
MAY_DELETE_SELF (e.g. LSMs) will still need MAY_WRITE otherwise this
is going to be a loophole.

Thanks,
Miklos

  reply	other threads:[~2016-12-02  9:57 UTC|newest]

Thread overview: 44+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-10-11 12:50 [PATCH v27 00/21] Richacls (Core and Ext4) Andreas Gruenbacher
2016-10-11 12:50 ` [PATCH v27 01/21] vfs: Add IS_ACL() and IS_RICHACL() tests Andreas Gruenbacher
     [not found] ` <1476190256-1677-1-git-send-email-agruenba-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2016-10-11 12:50   ` [PATCH v27 02/21] vfs: Add MAY_CREATE_FILE and MAY_CREATE_DIR permission flags Andreas Gruenbacher
2016-10-11 12:50     ` Andreas Gruenbacher
2016-12-02  9:22     ` Miklos Szeredi
2017-02-13 15:34       ` Andreas Gruenbacher
2016-10-11 12:50   ` [PATCH v27 03/21] vfs: Add MAY_DELETE_SELF and MAY_DELETE_CHILD " Andreas Gruenbacher
2016-10-11 12:50     ` Andreas Gruenbacher
2016-12-02  9:57     ` Miklos Szeredi [this message]
2016-12-06 20:15       ` J. Bruce Fields
     [not found]         ` <20161206201529.GA1203-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org>
2016-12-06 21:13           ` Jeremy Allison
2016-12-06 21:13             ` Jeremy Allison
2016-12-06 21:25             ` Miklos Szeredi
     [not found]               ` <CAJfpegsvoZfzUXyCJrxXAG6dxk8HMCGMEKA0E-6FzWNGkM17Tw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-12-06 21:36                 ` Jeremy Allison
2016-12-06 21:36                   ` Jeremy Allison
2017-02-13 15:40                 ` Andreas Gruenbacher
2017-02-13 15:40                   ` Andreas Gruenbacher
     [not found]       ` <CAELBmZCgttywPy3EtkFao7SPESaw8VB5K6x7PTRk7gwSk7sXqg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-02-13 15:42         ` Andreas Gruenbacher
2017-02-13 15:42           ` Andreas Gruenbacher
2016-10-11 12:50   ` [PATCH v27 04/21] vfs: Add permission flags for setting file attributes Andreas Gruenbacher
2016-10-11 12:50     ` Andreas Gruenbacher
2016-10-11 12:50   ` [PATCH v27 05/21] richacl: In-memory representation and helper functions Andreas Gruenbacher
2016-10-11 12:50     ` Andreas Gruenbacher
2016-10-11 12:50   ` [PATCH v27 06/21] richacl: Permission mapping functions Andreas Gruenbacher
2016-10-11 12:50     ` Andreas Gruenbacher
2016-10-11 12:50   ` [PATCH v27 13/21] richacl: Check if an acl is equivalent to a file mode Andreas Gruenbacher
2016-10-11 12:50     ` Andreas Gruenbacher
2016-10-11 12:50   ` [PATCH v27 14/21] richacl: Create-time inheritance Andreas Gruenbacher
2016-10-11 12:50     ` Andreas Gruenbacher
2016-10-11 12:50   ` [PATCH v27 16/21] richacl: xattr mapping functions Andreas Gruenbacher
2016-10-11 12:50     ` Andreas Gruenbacher
2016-10-11 12:50   ` [PATCH v27 21/21] ext4: Add richacl feature flag Andreas Gruenbacher
2016-10-11 12:50     ` Andreas Gruenbacher
2016-10-11 12:50 ` [PATCH v27 07/21] richacl: Permission check algorithm Andreas Gruenbacher
2016-10-11 12:50 ` [PATCH v27 08/21] richacl: Compute maximum file masks from an acl Andreas Gruenbacher
2016-10-11 12:50 ` [PATCH v27 09/21] vfs: Cache base_acl objects in inodes Andreas Gruenbacher
2016-10-11 12:50 ` [PATCH v27 10/21] vfs: Add get_richacl and set_richacl inode operations Andreas Gruenbacher
2016-10-11 12:50 ` [PATCH v27 11/21] vfs: Cache richacl in struct inode Andreas Gruenbacher
2016-10-11 12:50 ` [PATCH v27 12/21] richacl: Update the file masks in chmod() Andreas Gruenbacher
2016-10-11 12:50 ` [PATCH v27 15/21] richacl: Automatic Inheritance Andreas Gruenbacher
2016-10-11 12:50 ` [PATCH v27 17/21] richacl: Add richacl xattr handler Andreas Gruenbacher
2016-10-11 12:50 ` [PATCH v27 18/21] vfs: Add richacl permission checking Andreas Gruenbacher
2016-10-11 12:50 ` [PATCH v27 19/21] vfs: Move check_posix_acl and check_richacl out of fs/namei.c Andreas Gruenbacher
2016-10-11 12:50 ` [PATCH v27 20/21] ext4: Add richacl support Andreas Gruenbacher

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CAELBmZCgttywPy3EtkFao7SPESaw8VB5K6x7PTRk7gwSk7sXqg@mail.gmail.com \
    --to=miklos@szeredi.hu \
    --cc=adilger.kernel@dilger.ca \
    --cc=agruenba@redhat.com \
    --cc=anna.schumaker@netapp.com \
    --cc=bfields@fieldses.org \
    --cc=david@fromorbit.com \
    --cc=hch@infradead.org \
    --cc=jlayton@poochiereds.net \
    --cc=linux-api@vger.kernel.org \
    --cc=linux-cifs@vger.kernel.org \
    --cc=linux-ext4@vger.kernel.org \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-nfs@vger.kernel.org \
    --cc=trond.myklebust@primarydata.com \
    --cc=tytso@mit.edu \
    --cc=viro@zeniv.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.