From: Paul Moore <paul@paul-moore.com>
To: Christian Brauner <brauner@kernel.org>
Cc: linux-fsdevel@vger.kernel.org, Seth Forshee <sforshee@kernel.org>,
Christoph Hellwig <hch@lst.de>, Al Viro <viro@zeniv.linux.org.uk>,
linux-integrity@vger.kernel.org,
Stephen Smalley <stephen.smalley.work@gmail.com>,
Eric Paris <eparis@parisplace.org>,
selinux@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: Re: [PATCH v4 10/30] selinux: implement get, set and remove acl hook
Date: Thu, 29 Sep 2022 15:15:17 -0400 [thread overview]
Message-ID: <CAHC9VhSHSk9MNK+FmydGTZDzDOuwF0b1A3SqYhG+X0NSCwoUEg@mail.gmail.com> (raw)
In-Reply-To: <20220929153041.500115-11-brauner@kernel.org>
On Thu, Sep 29, 2022 at 11:31 AM Christian Brauner <brauner@kernel.org> wrote:
>
> The current way of setting and getting posix acls through the generic
> xattr interface is error prone and type unsafe. The vfs needs to
> interpret and fixup posix acls before storing or reporting it to
> userspace. Various hacks exist to make this work. The code is hard to
> understand and difficult to maintain in it's current form. Instead of
> making this work by hacking posix acls through xattr handlers we are
> building a dedicated posix acl api around the get and set inode
> operations. This removes a lot of hackiness and makes the codepaths
> easier to maintain. A lot of background can be found in [1].
>
> So far posix acls were passed as a void blob to the security and
> integrity modules. Some of them like evm then proceed to interpret the
> void pointer and convert it into the kernel internal struct posix acl
> representation to perform their integrity checking magic. This is
> obviously pretty problematic as that requires knowledge that only the
> vfs is guaranteed to have and has lead to various bugs. Add a proper
> security hook for setting posix acls and pass down the posix acls in
> their appropriate vfs format instead of hacking it through a void
> pointer stored in the uapi format.
>
> I spent considerate time in the security module infrastructure and
> audited all codepaths. SELinux has no restrictions based on the posix
> acl values passed through it. The capability hook doesn't need to be
> called either because it only has restrictions on security.* xattrs. So
> these are all fairly simply hooks for SELinux.
>
> Link: https://lore.kernel.org/all/20220801145520.1532837-1-brauner@kernel.org [1]
> Signed-off-by: Christian Brauner (Microsoft) <brauner@kernel.org>
> ---
>
> Notes:
> /* v2 */
> unchanged
>
> /* v3 */
> Paul Moore <paul@paul-moore.com>:
> - Add get, and remove acl hook
>
> /* v4 */
> unchanged
>
> security/selinux/hooks.c | 24 ++++++++++++++++++++++++
> 1 file changed, 24 insertions(+)
One small nitpick below, but looks good regardless.
Acked-by: Paul Moore <paul@paul-moore.com>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 79573504783b..0e3cd67e5e92 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -3239,6 +3239,27 @@ static int selinux_inode_setxattr(struct user_namespace *mnt_userns,
> &ad);
> }
>
> +static int selinux_inode_set_acl(struct user_namespace *mnt_userns,
> + struct dentry *dentry, const char *acl_name,
> + struct posix_acl *kacl)
> +{
> + return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
> +}
> +
> +static int selinux_inode_get_acl(struct user_namespace *mnt_userns,
> + struct dentry *dentry, const char *acl_name)
> +{
> + const struct cred *cred = current_cred();
> +
> + return dentry_has_perm(cred, dentry, FILE__GETATTR);
> +}
Both the set and remove hooks use current_cred() directly in the call
to dentry_has_perm(), you might as well do the same in the get hook.
> +static int selinux_inode_remove_acl(struct user_namespace *mnt_userns,
> + struct dentry *dentry, const char *acl_name)
> +{
> + return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
> +}
--
paul-moore.com
next prev parent reply other threads:[~2022-09-29 19:15 UTC|newest]
Thread overview: 60+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-29 15:30 [PATCH v4 00/30] acl: add vfs posix acl api Christian Brauner
2022-09-29 15:30 ` [PATCH v4 01/30] orangefs: rework posix acl handling when creating new filesystem objects Christian Brauner
2022-09-29 15:30 ` [PATCH v4 02/30] fs: pass dentry to set acl method Christian Brauner
2022-09-29 15:30 ` [PATCH v4 03/30] fs: rename current get " Christian Brauner
2022-09-29 15:30 ` [PATCH v4 04/30] fs: add new " Christian Brauner
2022-09-30 8:53 ` Miklos Szeredi
2022-09-30 9:09 ` Christian Brauner
2022-09-30 9:43 ` Miklos Szeredi
2022-09-30 10:05 ` Christian Brauner
2022-09-30 12:24 ` Miklos Szeredi
2022-09-30 12:49 ` Christian Brauner
2022-09-30 13:01 ` Miklos Szeredi
2022-09-30 13:51 ` Christian Brauner
2022-10-04 19:53 ` Steve French
2022-10-05 7:15 ` Christian Brauner
2022-10-06 6:31 ` Miklos Szeredi
2022-10-06 7:40 ` Christian Brauner
2022-10-06 9:07 ` Miklos Szeredi
2022-09-29 15:30 ` [PATCH v4 05/30] cifs: implement " Christian Brauner
2022-09-29 15:30 ` [PATCH v4 06/30] cifs: implement set " Christian Brauner
2022-09-29 15:30 ` [PATCH v4 07/30] 9p: implement get " Christian Brauner
2022-09-29 15:30 ` [PATCH v4 08/30] 9p: implement set " Christian Brauner
2022-09-29 15:30 ` [PATCH v4 09/30] security: add get, remove and set acl hook Christian Brauner
2022-09-29 19:15 ` Paul Moore
2022-09-29 15:30 ` [PATCH v4 10/30] selinux: implement get, set and remove " Christian Brauner
2022-09-29 19:15 ` Paul Moore [this message]
2022-09-30 8:38 ` Christian Brauner
2022-09-29 15:30 ` [PATCH v4 11/30] smack: " Christian Brauner
2022-09-29 19:15 ` Paul Moore
2022-09-30 8:40 ` Christian Brauner
2022-09-29 15:30 ` [PATCH v4 12/30] integrity: implement get and set " Christian Brauner
2022-09-29 19:14 ` Paul Moore
2022-09-30 3:19 ` Mimi Zohar
2022-09-30 14:11 ` Paul Moore
2022-09-30 8:11 ` Christian Brauner
2022-09-29 15:30 ` [PATCH v4 13/30] evm: add post " Christian Brauner
2022-09-30 1:44 ` Mimi Zohar
2022-09-30 2:51 ` Mimi Zohar
2022-09-30 8:44 ` Christian Brauner
2022-09-30 11:48 ` Mimi Zohar
2022-10-04 7:04 ` Christian Brauner
2022-09-29 15:30 ` [PATCH v4 14/30] internal: add may_write_xattr() Christian Brauner
2022-09-29 15:30 ` [PATCH v4 15/30] acl: add vfs_set_acl() Christian Brauner
2022-09-29 15:30 ` [PATCH v4 16/30] acl: add vfs_get_acl() Christian Brauner
2022-09-29 15:30 ` [PATCH v4 17/30] acl: add vfs_remove_acl() Christian Brauner
2022-09-29 15:30 ` [PATCH v4 18/30] ksmbd: use vfs_remove_acl() Christian Brauner
2022-09-29 15:30 ` [PATCH v4 19/30] ecryptfs: implement get acl method Christian Brauner
2022-09-29 15:30 ` [PATCH v4 20/30] ecryptfs: implement set " Christian Brauner
2022-09-29 15:30 ` [PATCH v4 21/30] ovl: implement get " Christian Brauner
2022-09-29 15:30 ` [PATCH v4 22/30] ovl: implement set " Christian Brauner
2022-10-06 12:39 ` Miklos Szeredi
2022-09-29 15:30 ` [PATCH v4 23/30] ovl: use posix acl api Christian Brauner
2022-10-06 12:50 ` Miklos Szeredi
2022-09-29 15:30 ` [PATCH v4 24/30] xattr: " Christian Brauner
2022-09-29 15:30 ` [PATCH v4 25/30] evm: remove evm_xattr_acl_change() Christian Brauner
2022-09-29 15:30 ` [PATCH v4 26/30] ecryptfs: use stub posix acl handlers Christian Brauner
2022-09-29 15:30 ` [PATCH v4 27/30] ovl: " Christian Brauner
2022-09-29 15:30 ` [PATCH v4 28/30] cifs: " Christian Brauner
2022-09-29 15:30 ` [PATCH v4 29/30] 9p: " Christian Brauner
2022-09-29 15:30 ` [PATCH v4 30/30] acl: remove a slew of now unused helpers Christian Brauner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAHC9VhSHSk9MNK+FmydGTZDzDOuwF0b1A3SqYhG+X0NSCwoUEg@mail.gmail.com \
--to=paul@paul-moore.com \
--cc=brauner@kernel.org \
--cc=eparis@parisplace.org \
--cc=hch@lst.de \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=selinux@vger.kernel.org \
--cc=sforshee@kernel.org \
--cc=stephen.smalley.work@gmail.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).