From: Paul Moore <paul@paul-moore.com>
To: Ondrej Mosnacek <omosnace@redhat.com>
Cc: Stephen Smalley <stephen.smalley.work@gmail.com>,
linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Subject: Re: [PATCH] security: fix no-op hook logic in security_inode_{set,remove}xattr()
Date: Thu, 1 Feb 2024 18:52:38 -0500 [thread overview]
Message-ID: <CAHC9VhSyNPd4rK+oZE6cDwZTCb3Km_eu-+K8s+X73BJwt8ynuA@mail.gmail.com> (raw)
In-Reply-To: <CAHC9VhRa5q3fvWUD-Dh-d5Udq18XqFwR4AGUzSow6Ur+_TmFrQ@mail.gmail.com>
On Tue, Jan 30, 2024 at 9:19 PM Paul Moore <paul@paul-moore.com> wrote:
>
> I'll come back to this tomorrow with some fresh eyes.
My apologies, "tomorrow" turned into "the day after tomorrow" (as it
often does) ...
I've been struggling with the idea that there are individual LSMs
still calling into the capability hooks instead of leveraging the LSM
stacking infrastructure, and the "magic" involved to make it all work.
While your patch looks like it should restore proper behavior - that's
good! - I keep thinking that we can, and should, do better.
The only thing that I coming up with is to create two new LSM hooks,
in addition to the existing 'inode_setxattr' hook. The new LSM hooks
would be 'inode_setxattr_owned' and 'inode_setxattr_cap'. The _owned
hook would simply check the xattr name and return a positive value if
the LSM "owned" the xattr, e.g. XATTR_NAME_SELINUX for SELinux, and
zero otherwise. The _cap hook would only be used by the capabilities
code (or something similar), and would match up with
cap_inode_setxattr(). With these two new hooks I think we could do
something like this:
int security_inode_setxattr(...)
{
owned = false
hook_loop(inode_setxattr_owned) {
trc = hook->inode_setxattr_owned(name);
if (trc > 0) {
owned = true;
break;
}
}
if (owned) {
hook_loop(inode_setxattr) {
/* run the existing inode_setxattr hooks, e.g. SELinux and Smack */
}
} else {
hook_loop(inode_setxattr_cap) {
/* run the capability setxattr hooks, e.g. commoncap.c */
}
}
}
... with security_inode_removexattr() following a similar pattern.
I will admit that there is some duplication in having to check the
xattr twice (once in _owned, again in inode_setxattr), and the
multiple hook approach is less than ideal, but this seems much less
fragile to me.
Thoughts?
--
paul-moore.com
next prev parent reply other threads:[~2024-02-01 23:52 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-29 13:30 [PATCH] security: fix no-op hook logic in security_inode_{set,remove}xattr() Ondrej Mosnacek
2024-01-31 0:09 ` Paul Moore
2024-01-31 0:33 ` Paul Moore
2024-01-31 2:19 ` Paul Moore
2024-02-01 23:52 ` Paul Moore [this message]
2024-02-02 0:10 ` Casey Schaufler
2024-02-02 2:50 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAHC9VhSyNPd4rK+oZE6cDwZTCb3Km_eu-+K8s+X73BJwt8ynuA@mail.gmail.com \
--to=paul@paul-moore.com \
--cc=linux-security-module@vger.kernel.org \
--cc=omosnace@redhat.com \
--cc=selinux@vger.kernel.org \
--cc=stephen.smalley.work@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.