* [PATCH] fs: switch order of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks
@ 2017-03-10 17:14 Stephen Smalley
2017-03-10 19:54 ` Paul Moore
` (2 more replies)
0 siblings, 3 replies; 7+ messages in thread
From: Stephen Smalley @ 2017-03-10 17:14 UTC (permalink / raw)
To: viro, james.l.morris, serge, paul, john.johansen
Cc: linux-fsdevel, linux-kernel, linux-security-module, selinux,
Stephen Smalley
generic_permission() presently checks CAP_DAC_OVERRIDE prior to
CAP_DAC_READ_SEARCH. This can cause misleading audit messages when
using a LSM such as SELinux or AppArmor, since CAP_DAC_OVERRIDE
may not be required for the operation. Flip the order of the
tests so that CAP_DAC_OVERRIDE is only checked when required for
the operation.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
fs/namei.c | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/fs/namei.c b/fs/namei.c
index d41fab7..482414a 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -340,22 +340,14 @@ int generic_permission(struct inode *inode, int mask)
if (S_ISDIR(inode->i_mode)) {
/* DACs are overridable for directories */
- if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
- return 0;
if (!(mask & MAY_WRITE))
if (capable_wrt_inode_uidgid(inode,
CAP_DAC_READ_SEARCH))
return 0;
- return -EACCES;
- }
- /*
- * Read/write DACs are always overridable.
- * Executable DACs are overridable when there is
- * at least one exec bit set.
- */
- if (!(mask & MAY_EXEC) || (inode->i_mode & S_IXUGO))
if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
return 0;
+ return -EACCES;
+ }
/*
* Searching includes executable on directories, else just read.
@@ -364,6 +356,14 @@ int generic_permission(struct inode *inode, int mask)
if (mask == MAY_READ)
if (capable_wrt_inode_uidgid(inode, CAP_DAC_READ_SEARCH))
return 0;
+ /*
+ * Read/write DACs are always overridable.
+ * Executable DACs are overridable when there is
+ * at least one exec bit set.
+ */
+ if (!(mask & MAY_EXEC) || (inode->i_mode & S_IXUGO))
+ if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
+ return 0;
return -EACCES;
}
--
2.7.4
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH] fs: switch order of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks
2017-03-10 17:14 [PATCH] fs: switch order of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks Stephen Smalley
@ 2017-03-10 19:54 ` Paul Moore
2017-03-10 21:12 ` John Johansen
2017-03-29 21:36 ` Paul Moore
2017-03-10 21:47 ` Serge E. Hallyn
2017-03-11 1:05 ` James Morris
2 siblings, 2 replies; 7+ messages in thread
From: Paul Moore @ 2017-03-10 19:54 UTC (permalink / raw)
To: Stephen Smalley, viro, linux-fsdevel
Cc: James Morris, serge, john.johansen, linux-kernel,
linux-security-module, selinux
On Fri, Mar 10, 2017 at 12:14 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> generic_permission() presently checks CAP_DAC_OVERRIDE prior to
> CAP_DAC_READ_SEARCH. This can cause misleading audit messages when
> using a LSM such as SELinux or AppArmor, since CAP_DAC_OVERRIDE
> may not be required for the operation. Flip the order of the
> tests so that CAP_DAC_OVERRIDE is only checked when required for
> the operation.
>
> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
> ---
> fs/namei.c | 20 ++++++++++----------
> 1 file changed, 10 insertions(+), 10 deletions(-)
This is the second posting of this patch and so far no comment ... if
I don't see any negative responses by next week I'll go ahead and
merge this into the selinux/next tree.
> diff --git a/fs/namei.c b/fs/namei.c
> index d41fab7..482414a 100644
> --- a/fs/namei.c
> +++ b/fs/namei.c
> @@ -340,22 +340,14 @@ int generic_permission(struct inode *inode, int mask)
>
> if (S_ISDIR(inode->i_mode)) {
> /* DACs are overridable for directories */
> - if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
> - return 0;
> if (!(mask & MAY_WRITE))
> if (capable_wrt_inode_uidgid(inode,
> CAP_DAC_READ_SEARCH))
> return 0;
> - return -EACCES;
> - }
> - /*
> - * Read/write DACs are always overridable.
> - * Executable DACs are overridable when there is
> - * at least one exec bit set.
> - */
> - if (!(mask & MAY_EXEC) || (inode->i_mode & S_IXUGO))
> if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
> return 0;
> + return -EACCES;
> + }
>
> /*
> * Searching includes executable on directories, else just read.
> @@ -364,6 +356,14 @@ int generic_permission(struct inode *inode, int mask)
> if (mask == MAY_READ)
> if (capable_wrt_inode_uidgid(inode, CAP_DAC_READ_SEARCH))
> return 0;
> + /*
> + * Read/write DACs are always overridable.
> + * Executable DACs are overridable when there is
> + * at least one exec bit set.
> + */
> + if (!(mask & MAY_EXEC) || (inode->i_mode & S_IXUGO))
> + if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
> + return 0;
>
> return -EACCES;
> }
> --
> 2.7.4
>
--
paul moore
www.paul-moore.com
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] fs: switch order of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks
2017-03-10 19:54 ` Paul Moore
@ 2017-03-10 21:12 ` John Johansen
2017-03-29 21:36 ` Paul Moore
1 sibling, 0 replies; 7+ messages in thread
From: John Johansen @ 2017-03-10 21:12 UTC (permalink / raw)
To: Paul Moore, Stephen Smalley, viro, linux-fsdevel
Cc: James Morris, serge, linux-kernel, linux-security-module, selinux
On 03/10/2017 11:54 AM, Paul Moore wrote:
> On Fri, Mar 10, 2017 at 12:14 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>> generic_permission() presently checks CAP_DAC_OVERRIDE prior to
>> CAP_DAC_READ_SEARCH. This can cause misleading audit messages when
>> using a LSM such as SELinux or AppArmor, since CAP_DAC_OVERRIDE
>> may not be required for the operation. Flip the order of the
>> tests so that CAP_DAC_OVERRIDE is only checked when required for
>> the operation.
>>
>> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
>> ---
>> fs/namei.c | 20 ++++++++++----------
>> 1 file changed, 10 insertions(+), 10 deletions(-)
>
> This is the second posting of this patch and so far no comment ... if
> I don't see any negative responses by next week I'll go ahead and
> merge this into the selinux/next tree.
>
sounds good to me, the patch looks good you can have my acked-by for how
this affects apparmor, or hrmm should that be a reviewed-by for the vfs
end
Acked-by: John Johansen <john.johansen@canonical.com>
>> diff --git a/fs/namei.c b/fs/namei.c
>> index d41fab7..482414a 100644
>> --- a/fs/namei.c
>> +++ b/fs/namei.c
>> @@ -340,22 +340,14 @@ int generic_permission(struct inode *inode, int mask)
>>
>> if (S_ISDIR(inode->i_mode)) {
>> /* DACs are overridable for directories */
>> - if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
>> - return 0;
>> if (!(mask & MAY_WRITE))
>> if (capable_wrt_inode_uidgid(inode,
>> CAP_DAC_READ_SEARCH))
>> return 0;
>> - return -EACCES;
>> - }
>> - /*
>> - * Read/write DACs are always overridable.
>> - * Executable DACs are overridable when there is
>> - * at least one exec bit set.
>> - */
>> - if (!(mask & MAY_EXEC) || (inode->i_mode & S_IXUGO))
>> if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
>> return 0;
>> + return -EACCES;
>> + }
>>
>> /*
>> * Searching includes executable on directories, else just read.
>> @@ -364,6 +356,14 @@ int generic_permission(struct inode *inode, int mask)
>> if (mask == MAY_READ)
>> if (capable_wrt_inode_uidgid(inode, CAP_DAC_READ_SEARCH))
>> return 0;
>> + /*
>> + * Read/write DACs are always overridable.
>> + * Executable DACs are overridable when there is
>> + * at least one exec bit set.
>> + */
>> + if (!(mask & MAY_EXEC) || (inode->i_mode & S_IXUGO))
>> + if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
>> + return 0;
>>
>> return -EACCES;
>> }
>> --
>> 2.7.4
>>
>
>
>
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] fs: switch order of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks
2017-03-10 17:14 [PATCH] fs: switch order of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks Stephen Smalley
2017-03-10 19:54 ` Paul Moore
@ 2017-03-10 21:47 ` Serge E. Hallyn
2017-03-11 1:05 ` James Morris
2 siblings, 0 replies; 7+ messages in thread
From: Serge E. Hallyn @ 2017-03-10 21:47 UTC (permalink / raw)
To: Stephen Smalley
Cc: viro, james.l.morris, serge, paul, john.johansen, linux-fsdevel,
linux-kernel, linux-security-module, selinux
Quoting Stephen Smalley (sds@tycho.nsa.gov):
> generic_permission() presently checks CAP_DAC_OVERRIDE prior to
> CAP_DAC_READ_SEARCH. This can cause misleading audit messages when
> using a LSM such as SELinux or AppArmor, since CAP_DAC_OVERRIDE
> may not be required for the operation. Flip the order of the
> tests so that CAP_DAC_OVERRIDE is only checked when required for
> the operation.
>
> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Lol, not sure if that patch has arranged itself to be as confusing
as possible (for a simple end result) or if it's in my head :), but
I had to read it like 3 times, despite it appearing trivial in the
end.
Reviewed-by: Serge Hallyn <serge@hallyn.com>
> ---
> fs/namei.c | 20 ++++++++++----------
> 1 file changed, 10 insertions(+), 10 deletions(-)
>
> diff --git a/fs/namei.c b/fs/namei.c
> index d41fab7..482414a 100644
> --- a/fs/namei.c
> +++ b/fs/namei.c
> @@ -340,22 +340,14 @@ int generic_permission(struct inode *inode, int mask)
>
> if (S_ISDIR(inode->i_mode)) {
> /* DACs are overridable for directories */
> - if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
> - return 0;
> if (!(mask & MAY_WRITE))
> if (capable_wrt_inode_uidgid(inode,
> CAP_DAC_READ_SEARCH))
> return 0;
> - return -EACCES;
> - }
> - /*
> - * Read/write DACs are always overridable.
> - * Executable DACs are overridable when there is
> - * at least one exec bit set.
> - */
> - if (!(mask & MAY_EXEC) || (inode->i_mode & S_IXUGO))
> if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
> return 0;
> + return -EACCES;
> + }
>
> /*
> * Searching includes executable on directories, else just read.
> @@ -364,6 +356,14 @@ int generic_permission(struct inode *inode, int mask)
> if (mask == MAY_READ)
> if (capable_wrt_inode_uidgid(inode, CAP_DAC_READ_SEARCH))
> return 0;
> + /*
> + * Read/write DACs are always overridable.
> + * Executable DACs are overridable when there is
> + * at least one exec bit set.
> + */
> + if (!(mask & MAY_EXEC) || (inode->i_mode & S_IXUGO))
> + if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
> + return 0;
>
> return -EACCES;
> }
> --
> 2.7.4
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] fs: switch order of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks
2017-03-10 17:14 [PATCH] fs: switch order of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks Stephen Smalley
2017-03-10 19:54 ` Paul Moore
2017-03-10 21:47 ` Serge E. Hallyn
@ 2017-03-11 1:05 ` James Morris
2 siblings, 0 replies; 7+ messages in thread
From: James Morris @ 2017-03-11 1:05 UTC (permalink / raw)
To: Stephen Smalley
Cc: viro, james.l.morris, serge, paul, john.johansen, linux-fsdevel,
linux-kernel, linux-security-module, selinux
On Fri, 10 Mar 2017, Stephen Smalley wrote:
> generic_permission() presently checks CAP_DAC_OVERRIDE prior to
> CAP_DAC_READ_SEARCH. This can cause misleading audit messages when
> using a LSM such as SELinux or AppArmor, since CAP_DAC_OVERRIDE
> may not be required for the operation. Flip the order of the
> tests so that CAP_DAC_OVERRIDE is only checked when required for
> the operation.
>
> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: James Morris <james.l.morris@oracle.com>
--
James Morris
<jmorris@namei.org>
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] fs: switch order of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks
2017-03-10 19:54 ` Paul Moore
2017-03-10 21:12 ` John Johansen
@ 2017-03-29 21:36 ` Paul Moore
1 sibling, 0 replies; 7+ messages in thread
From: Paul Moore @ 2017-03-29 21:36 UTC (permalink / raw)
To: Stephen Smalley, viro, linux-fsdevel
Cc: James Morris, serge, john.johansen, linux-kernel,
linux-security-module, selinux
On Fri, Mar 10, 2017 at 2:54 PM, Paul Moore <paul@paul-moore.com> wrote:
> On Fri, Mar 10, 2017 at 12:14 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>> generic_permission() presently checks CAP_DAC_OVERRIDE prior to
>> CAP_DAC_READ_SEARCH. This can cause misleading audit messages when
>> using a LSM such as SELinux or AppArmor, since CAP_DAC_OVERRIDE
>> may not be required for the operation. Flip the order of the
>> tests so that CAP_DAC_OVERRIDE is only checked when required for
>> the operation.
>>
>> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
>> ---
>> fs/namei.c | 20 ++++++++++----------
>> 1 file changed, 10 insertions(+), 10 deletions(-)
>
> This is the second posting of this patch and so far no comment ... if
> I don't see any negative responses by next week I'll go ahead and
> merge this into the selinux/next tree.
No objections, but plenty of ACKs and Reviewed-bys so I just merged
this into the selinux/next tree.
Thanks all.
>> diff --git a/fs/namei.c b/fs/namei.c
>> index d41fab7..482414a 100644
>> --- a/fs/namei.c
>> +++ b/fs/namei.c
>> @@ -340,22 +340,14 @@ int generic_permission(struct inode *inode, int mask)
>>
>> if (S_ISDIR(inode->i_mode)) {
>> /* DACs are overridable for directories */
>> - if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
>> - return 0;
>> if (!(mask & MAY_WRITE))
>> if (capable_wrt_inode_uidgid(inode,
>> CAP_DAC_READ_SEARCH))
>> return 0;
>> - return -EACCES;
>> - }
>> - /*
>> - * Read/write DACs are always overridable.
>> - * Executable DACs are overridable when there is
>> - * at least one exec bit set.
>> - */
>> - if (!(mask & MAY_EXEC) || (inode->i_mode & S_IXUGO))
>> if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
>> return 0;
>> + return -EACCES;
>> + }
>>
>> /*
>> * Searching includes executable on directories, else just read.
>> @@ -364,6 +356,14 @@ int generic_permission(struct inode *inode, int mask)
>> if (mask == MAY_READ)
>> if (capable_wrt_inode_uidgid(inode, CAP_DAC_READ_SEARCH))
>> return 0;
>> + /*
>> + * Read/write DACs are always overridable.
>> + * Executable DACs are overridable when there is
>> + * at least one exec bit set.
>> + */
>> + if (!(mask & MAY_EXEC) || (inode->i_mode & S_IXUGO))
>> + if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
>> + return 0;
>>
>> return -EACCES;
>> }
>> --
>> 2.7.4
>>
>
>
>
> --
> paul moore
> www.paul-moore.com
--
paul moore
www.paul-moore.com
^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH] fs: switch order of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks
@ 2017-02-17 18:24 Stephen Smalley
0 siblings, 0 replies; 7+ messages in thread
From: Stephen Smalley @ 2017-02-17 18:24 UTC (permalink / raw)
To: viro
Cc: linux-fsdevel, linux-kernel, linux-security-module, selinux,
Stephen Smalley
generic_permission() presently checks CAP_DAC_OVERRIDE prior to
CAP_DAC_READ_SEARCH. This can cause misleading audit messages when
using a LSM such as SELinux or AppArmor, since CAP_DAC_OVERRIDE
may not be required for the operation. Flip the order of the
tests so that CAP_DAC_OVERRIDE is only checked when required for
the operation.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
fs/namei.c | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/fs/namei.c b/fs/namei.c
index ad74877..8736e4a 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -340,22 +340,14 @@ int generic_permission(struct inode *inode, int mask)
if (S_ISDIR(inode->i_mode)) {
/* DACs are overridable for directories */
- if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
- return 0;
if (!(mask & MAY_WRITE))
if (capable_wrt_inode_uidgid(inode,
CAP_DAC_READ_SEARCH))
return 0;
- return -EACCES;
- }
- /*
- * Read/write DACs are always overridable.
- * Executable DACs are overridable when there is
- * at least one exec bit set.
- */
- if (!(mask & MAY_EXEC) || (inode->i_mode & S_IXUGO))
if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
return 0;
+ return -EACCES;
+ }
/*
* Searching includes executable on directories, else just read.
@@ -364,6 +356,14 @@ int generic_permission(struct inode *inode, int mask)
if (mask == MAY_READ)
if (capable_wrt_inode_uidgid(inode, CAP_DAC_READ_SEARCH))
return 0;
+ /*
+ * Read/write DACs are always overridable.
+ * Executable DACs are overridable when there is
+ * at least one exec bit set.
+ */
+ if (!(mask & MAY_EXEC) || (inode->i_mode & S_IXUGO))
+ if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
+ return 0;
return -EACCES;
}
--
2.7.4
^ permalink raw reply related [flat|nested] 7+ messages in thread
end of thread, other threads:[~2017-03-29 21:36 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-03-10 17:14 [PATCH] fs: switch order of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks Stephen Smalley
2017-03-10 19:54 ` Paul Moore
2017-03-10 21:12 ` John Johansen
2017-03-29 21:36 ` Paul Moore
2017-03-10 21:47 ` Serge E. Hallyn
2017-03-11 1:05 ` James Morris
-- strict thread matches above, loose matches on Subject: below --
2017-02-17 18:24 Stephen Smalley
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).