* [PATCH] vfs: new FROM_ACCESS flag
@ 2009-09-21  1:30 Eric Paris
  2009-09-21  8:20 ` Jamie Lokier
  2009-09-22 13:56 ` Christoph Hellwig
  0 siblings, 2 replies; 6+ messages in thread
From: Eric Paris @ 2009-09-21  1:30 UTC (permalink / raw)
  To: linux-kernel, linux-fsdevel; +Cc: viro, hch

This new acc_mode flag is just to tell the security system this inode
permission check is from the access system call.  The security system can
use this information as it finds appropriate.  In particular SELinux plans to
use this flag to alter what we choose to audit and what we do not choose to
audit.

Signed-off-by: Eric Paris <eparis@redhat.com>
---

 fs/open.c          |    2 +-
 include/linux/fs.h |    5 +++++
 2 files changed, 6 insertions(+), 1 deletions(-)

diff --git a/fs/open.c b/fs/open.c
index 1940498..ad9e17f 100644
--- a/fs/open.c
+++ b/fs/open.c
@@ -495,7 +495,7 @@ SYSCALL_DEFINE3(faccessat, int, dfd, const char __user *, filename, int, mode)
 			goto out_path_release;
 	}
 
-	res = inode_permission(inode, mode | MAY_ACCESS);
+	res = inode_permission(inode, mode | MAY_ACCESS | FROM_ACCESS);
 	/* SuS v2 requires we report a read only fs too */
 	if (res || !(mode & S_IWOTH) || special_file(inode->i_mode))
 		goto out_path_release;
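
Review bot: at the inode_permission() call in faccessat the mask now carries both MAY_ACCESS and FROM_ACCESS, and nothing in this patch reads the new bit. The mask is seen by every consumer of the permission check, not only the security hook, so please confirm that existing handlers ignore the extra bit (none should compare the mask for equality) and post the SELinux user in the same series so the flag has an in-tree reader. A short comment at this call site on why two access-related flags are needed would also help, because "mode | MAY_ACCESS | FROM_ACCESS" reads as redundant.
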
diff --git a/include/linux/fs.h b/include/linux/fs.h
index 5df69f0..7ff00dc 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -60,6 +60,11 @@ struct inodes_stat_t {
  */
 #define MAY_ACCESS 16
 #define MAY_OPEN 32
+/*
+ * This flag is only set in the access() and accessat() syscalls and can
+ * be used by the security system as it deems reasonable.
+ */
+#define FROM_ACCESS 64
 
 /*
  * flags in file.f_mode.  Note that FMODE_READ and FMODE_WRITE must correspond
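
Review bot: the new comment above "#define FROM_ACCESS 64" names "access() and accessat()", but the call site changed in fs/open.c is SYSCALL_DEFINE3(faccessat, ...), so it should read access() and faccessat(). The comment should also state how FROM_ACCESS differs from MAY_ACCESS, defined two lines above it; both visible neighbours use the MAY_ prefix and the new name gives no hint of the distinction.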



* Re: [PATCH] vfs: new FROM_ACCESS flag
  2009-09-21  1:30 [PATCH] vfs: new FROM_ACCESS flag Eric Paris
@ 2009-09-21  8:20 ` Jamie Lokier
  2009-09-22 13:56 ` Christoph Hellwig
  1 sibling, 0 replies; 6+ messages in thread
From: Jamie Lokier @ 2009-09-21  8:20 UTC (permalink / raw)
  To: Eric Paris; +Cc: linux-kernel, linux-fsdevel, viro, hch

Eric Paris wrote:
> This new acc_mode flag is just to tell the security system this
> inode permission check is from the access system call.  The security
> system can use this information as it finds appropriate.  In
> particular SELinux plans to use this flag to alter what we choose to
> audit and what we do not choose to audit.

Does "as it finds appropriate" mean robust applications should try an
operation anyway even if access() says no from now on?

Btw, since you're looking at access(), the kernel could do with
euidaccess() or a flag ACCESS_EUID.  (Either would be trivial to implement).

Glibc provides eaccess/euidaccess functions, but they work by calling
stat() and checking the mode bits when euid != ruid || egid != rgid,
which is clearly not very nice with ACLs, and perhaps not ideal for
SELinux's auditing of access calls either.

-- Jamie


* Re: [PATCH] vfs: new FROM_ACCESS flag
  2009-09-21  1:30 [PATCH] vfs: new FROM_ACCESS flag Eric Paris
  2009-09-21  8:20 ` Jamie Lokier
@ 2009-09-22 13:56 ` Christoph Hellwig
  2009-09-22 17:28   ` Eric Paris
  1 sibling, 1 reply; 6+ messages in thread
From: Christoph Hellwig @ 2009-09-22 13:56 UTC (permalink / raw)
  To: Eric Paris; +Cc: linux-kernel, linux-fsdevel, viro, hch

On Sun, Sep 20, 2009 at 09:30:48PM -0400, Eric Paris wrote:
> This new acc_mode flag is just to tell the security system this inode
> permission check is from the access system call.  The security system can
> use this information as it finds appropriate.  In particular SELinux plans to
> use this flag to alter what we choose to audit and what we do not choose to
> audit.

I think you're better off splitting the existing MAY_ACCESS flag and
only using MAY_ACCESS for calls from access() instead of introducing
a FROM_ACCESS flag and causing lots of naming confusion.



* Re: [PATCH] vfs: new FROM_ACCESS flag
  2009-09-22 13:56 ` Christoph Hellwig
@ 2009-09-22 17:28   ` Eric Paris
  2009-09-22 20:06     ` Christoph Hellwig
  0 siblings, 1 reply; 6+ messages in thread
From: Eric Paris @ 2009-09-22 17:28 UTC (permalink / raw)
  To: Christoph Hellwig; +Cc: linux-kernel, linux-fsdevel, viro

On Tue, 2009-09-22 at 09:56 -0400, Christoph Hellwig wrote:
> On Sun, Sep 20, 2009 at 09:30:48PM -0400, Eric Paris wrote:
> > This new acc_mode flag is just to tell the security system this inode
> > permission check is from the access system call.  The security system can
> > use this information as it finds appropriate.  In particular SELinux plans to
> > use this flag to alter what we choose to audit and what we do not choose to
> > audit.
> 
> I think you're better off splitting the existing MAY_ACCESS flag and
> only using MAY_ACCESS for calls from access() instead of introducing
> a FROM_ACCESS flag and causing lots of naming confusion.

What would you think of a new, MUST_REVALIDATE_PERMS which will do what
MAY_ACCESS does today.  MAY_ACCESS would be just for access(2) and would
be the flag that I use for SELinux?

-Eric



* Re: [PATCH] vfs: new FROM_ACCESS flag
  2009-09-22 17:28   ` Eric Paris
@ 2009-09-22 20:06     ` Christoph Hellwig
  2009-09-23  8:48       ` Jamie Lokier
  0 siblings, 1 reply; 6+ messages in thread
From: Christoph Hellwig @ 2009-09-22 20:06 UTC (permalink / raw)
  To: Eric Paris; +Cc: Christoph Hellwig, linux-kernel, linux-fsdevel, viro

On Tue, Sep 22, 2009 at 01:28:46PM -0400, Eric Paris wrote:
> > only using MAY_ACCESS for calls from access() instead of introducing
> > a FROM_ACCESS flag and causing lots of naming confusion.
> 
> What would you think of a new, MUST_REVALIDATE_PERMS which will do what
> MAY_ACCESS does today.  MAY_ACCESS would be just for access(2) and would
> be the flag that I use for SELinux?

Yeah, something like this.  I don't like the MUST_REVALIDATE_PERMS name
too much, but unless someone comes up with a better one I can live with
it.



* Re: [PATCH] vfs: new FROM_ACCESS flag
  2009-09-22 20:06     ` Christoph Hellwig
@ 2009-09-23  8:48       ` Jamie Lokier
  0 siblings, 0 replies; 6+ messages in thread
From: Jamie Lokier @ 2009-09-23  8:48 UTC (permalink / raw)
  To: Christoph Hellwig; +Cc: Eric Paris, linux-kernel, linux-fsdevel, viro

Christoph Hellwig wrote:
> On Tue, Sep 22, 2009 at 01:28:46PM -0400, Eric Paris wrote:
> > > only using MAY_ACCESS for calls from access() instead of introducing
> > > a FROM_ACCESS flag and causing lots of naming confusion.
> > 
> > What would you think of a new, MUST_REVALIDATE_PERMS which will do what
> > MAY_ACCESS does today.  MAY_ACCESS would be just for access(2) and would
> > be the flag that I use for SELinux?
> 
> Yeah, something like this.  I don't like the MUST_REVALIDATE_PERMS name
> too much, but unless someone comes up with a better one I can live with
> it.

MAY_ACCESS is used in only these places:

    - access/faccessat
    - chdir/fchdir
    - chroot

And it is checked in only two easy to change places: nfs/dir.c and
fuse/dir.c.

Therefore how about MAY_CHDIR.

-- Jamie
