From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1763363AbcLUXdc (ORCPT ); Wed, 21 Dec 2016 18:33:32 -0500 Received: from nm19-vm1.bullet.mail.ne1.yahoo.com ([98.138.91.56]:37854 "EHLO nm19-vm1.bullet.mail.ne1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1761658AbcLUXda (ORCPT ); Wed, 21 Dec 2016 18:33:30 -0500 X-Yahoo-Newman-Id: 207702.26459.bm@smtp224.mail.ne1.yahoo.com X-Yahoo-Newman-Property: ymail-3 X-YMail-OSG: IzAuAu4VM1mgKXbH8ZCIx6UuvPEuZrLAq0nfhcEc52CVCsp QK0j_L_Ky0MkH14uYsZf_GHDEgdZLyY2lyY6xVFVK9BTKmFDCIHihit0Zqqr QcYzhLaVVcLCMvnJ8RNxdzw9jNhUnGn5OXIX4EDKdAV2kfnjsZMVpUyQ2Kdl ZzeDQnAnI9CpQBezlJCUahy6Q5k1hVPw2GjXOTEn1A_o5nYxBxRyz_kAPXYy I1mZAIgZu9HzB0OG3wkHtC3RyXX0zYija7ApMjFr6t_BDI.ELdMs0lWW.xvw dypFaYmvlBdfHH3PjjbXwsz66nNsIPf63Kr_rmkY.dJH4mC5gqWfVJt_gdjC N8MLFrMc0RP19FFiET1rocKyGDRyZ2vnzTmzj2R9sR55SMo.LyT0wqOLO0PL OH.KnRzshmnTqb3pKwIlM0EF4kvJaovcTfYerci7a8c_vT6xYXqA68rXiCHg D2NvO9vMUuoA0EFx.grLq9xcE7.7mfmNMG9Le_ird_sr1ad5tF98OLWuS5FW yzcyBKalDMDN08jmxlRKieMIslYnb0L9cJiWqM5OTa2T_BRrA2g-- X-Yahoo-SMTP: OIJXglSswBDfgLtXluJ6wiAYv6_cnw-- Subject: Re: [PATCH v1] security: Add a new hook: inode_touch_atime To: =?UTF-8?Q?Micka=c3=abl_Sala=c3=bcn?= , linux-kernel@vger.kernel.org References: <20161221231506.19800-1-mic@digikod.net> Cc: Alexander Viro , Andreas Gruenbacher , Andy Lutomirski , Dmitry Kasatkin , Eric Paris , James Morris , John Johansen , Kees Cook , Kentaro Takeda , Mimi Zohar , Paul Moore , "Serge E . Hallyn" , Stephen Smalley , Tetsuo Handa , Vivek Goyal , linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org From: Casey Schaufler Message-ID: Date: Wed, 21 Dec 2016 15:33:22 -0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.5.1 MIME-Version: 1.0 In-Reply-To: <20161221231506.19800-1-mic@digikod.net> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 12/21/2016 3:15 PM, Mickaël Salaün wrote: > Add a new LSM hook named inode_touch_atime which is needed to deny > indirect update of extended file attributes (i.e. access time) which are > not catched by the inode_setattr hook. By creating a new hook instead of > calling inode_setattr, we avoid to simulate a useless struct iattr. > > This hook allows to create read-only environments as with read-only > mount points. It can also take care of anonymous inodes. What security module would use this? > > Signed-off-by: Mickaël Salaün > Cc: Alexander Viro > Cc: Andy Lutomirski > Cc: Casey Schaufler > Cc: Dmitry Kasatkin > Cc: Eric Paris > Cc: James Morris > Cc: John Johansen > Cc: Kees Cook > Cc: Kentaro Takeda > Cc: Mimi Zohar > Cc: Paul Moore > Cc: Serge E. Hallyn > Cc: Stephen Smalley > Cc: Tetsuo Handa > --- > fs/inode.c | 5 ++++- > include/linux/lsm_hooks.h | 8 ++++++++ > include/linux/security.h | 8 ++++++++ > security/security.c | 9 +++++++++ > 4 files changed, 29 insertions(+), 1 deletion(-) > > diff --git a/fs/inode.c b/fs/inode.c > index 88110fd0b282..8e7519196942 100644 > --- a/fs/inode.c > +++ b/fs/inode.c > @@ -1706,6 +1706,10 @@ void touch_atime(const struct path *path) > if (!__atime_needs_update(path, inode, false)) > return; > > + now = current_time(inode); > + if (security_inode_touch_atime(path, &now)) > + return; > + > if (!sb_start_write_trylock(inode->i_sb)) > return; > > @@ -1720,7 +1724,6 @@ void touch_atime(const struct path *path) > * We may also fail on filesystems that have the ability to make parts > * of the fs read only, e.g. subvolumes in Btrfs. > */ > - now = current_time(inode); > update_time(inode, &now, S_ATIME); > __mnt_drop_write(mnt); > skip_update: > diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h > index 558adfa5c8a8..e77051715e6b 100644 > --- a/include/linux/lsm_hooks.h > +++ b/include/linux/lsm_hooks.h > @@ -428,6 +428,11 @@ > * security module does not know about attribute or a negative error code > * to abort the copy up. Note that the caller is responsible for reading > * and writing the xattrs as this hook is merely a filter. > + * @inode_touch_atime: > + * Check permission before updating access time. > + * @path contains the path structure for the file. > + * @ts contains the current time. > + * Return 0 if permission is granted. > * > * Security hooks for file operations > * > @@ -1458,6 +1463,8 @@ union security_list_options { > void (*inode_getsecid)(struct inode *inode, u32 *secid); > int (*inode_copy_up)(struct dentry *src, struct cred **new); > int (*inode_copy_up_xattr)(const char *name); > + int (*inode_touch_atime)(const struct path *path, > + const struct timespec *ts); > > int (*file_permission)(struct file *file, int mask); > int (*file_alloc_security)(struct file *file); > @@ -1731,6 +1738,7 @@ struct security_hook_heads { > struct list_head inode_getsecid; > struct list_head inode_copy_up; > struct list_head inode_copy_up_xattr; > + struct list_head inode_touch_atime; > struct list_head file_permission; > struct list_head file_alloc_security; > struct list_head file_free_security; > diff --git a/include/linux/security.h b/include/linux/security.h > index c2125e9093e8..619f44c290a5 100644 > --- a/include/linux/security.h > +++ b/include/linux/security.h > @@ -30,6 +30,7 @@ > #include > #include > #include > +#include > > struct linux_binprm; > struct cred; > @@ -288,6 +289,7 @@ int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer > void security_inode_getsecid(struct inode *inode, u32 *secid); > int security_inode_copy_up(struct dentry *src, struct cred **new); > int security_inode_copy_up_xattr(const char *name); > +int security_inode_touch_atime(const struct path *path, const struct timespec *ts); > int security_file_permission(struct file *file, int mask); > int security_file_alloc(struct file *file); > void security_file_free(struct file *file); > @@ -781,6 +783,12 @@ static inline int security_inode_copy_up_xattr(const char *name) > return -EOPNOTSUPP; > } > > +static inline int security_inode_touch_atime(const struct path *path, const > + struct timespec *ts) > +{ > + return 0; > +} > + > static inline int security_file_permission(struct file *file, int mask) > { > return 0; > diff --git a/security/security.c b/security/security.c > index f825304f04a7..cd093c4b4115 100644 > --- a/security/security.c > +++ b/security/security.c > @@ -769,6 +769,13 @@ int security_inode_copy_up_xattr(const char *name) > } > EXPORT_SYMBOL(security_inode_copy_up_xattr); > > +int security_inode_touch_atime(const struct path *path, > + const struct timespec *ts) > +{ > + return call_int_hook(inode_touch_atime, 0, path, ts); > +} > +EXPORT_SYMBOL(security_inode_touch_atime); > + > int security_file_permission(struct file *file, int mask) > { > int ret; > @@ -1711,6 +1718,8 @@ struct security_hook_heads security_hook_heads = { > LIST_HEAD_INIT(security_hook_heads.inode_copy_up), > .inode_copy_up_xattr = > LIST_HEAD_INIT(security_hook_heads.inode_copy_up_xattr), > + .inode_touch_atime = > + LIST_HEAD_INIT(security_hook_heads.inode_touch_atime), > .file_permission = > LIST_HEAD_INIT(security_hook_heads.file_permission), > .file_alloc_security =