Re: [PATCH] security: Fix hook iteration and default value for inode_copy_up_xattr

From: James Morris <jmorris@namei.org>
To: KP Singh <kpsingh@chromium.org>
Cc: bpf@vger.kernel.org, linux-security-module@vger.kernel.org,
	Alexei Starovoitov <ast@kernel.org>,
	Daniel Borkmann <daniel@iogearbox.net>,
	Jann Horn <jannh@google.com>,
	Casey Schaufler <casey@schaufler-ca.com>,
	Kees Cook <keescook@chromium.org>
Subject: Re: [PATCH] security: Fix hook iteration and default value for inode_copy_up_xattr
Date: Wed, 24 Jun 2020 09:40:40 +1000 (AEST)	[thread overview]
Message-ID: <alpine.LRH.2.21.2006240940080.8534@namei.org> (raw)
In-Reply-To: <20200621222135.9136-1-kpsingh@chromium.org>

On Mon, 22 Jun 2020, KP Singh wrote:

> From: KP Singh <kpsingh@google.com>
> 
> inode_copy_up_xattr returns 0 to indicate the acceptance of the xattr
> and 1 to reject it. If the LSM does not know about the xattr, it's
> expected to return -EOPNOTSUPP, which is the correct default value for
> this hook. BPF LSM, currently, uses 0 as the default value and thereby
> falsely allows all overlay fs xattributes to be copied up.
> 
> The iteration logic is also updated from the "bail-on-fail"
> call_int_hook to continue on the non-decisive -EOPNOTSUPP and bail out
> on other values.
> 
> Fixes: 98e828a0650f ("security: Refactor declaration of LSM hooks")
> Signed-off-by: KP Singh <kpsingh@google.com>

Applied to
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git fixes-v5.8

> ---
>  include/linux/lsm_hook_defs.h |  2 +-
>  security/security.c           | 17 ++++++++++++++++-
>  2 files changed, 17 insertions(+), 2 deletions(-)
> 
> diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
> index 6791813cd439..f4b2e54162ae 100644
> --- a/include/linux/lsm_hook_defs.h
> +++ b/include/linux/lsm_hook_defs.h
> @@ -150,7 +150,7 @@ LSM_HOOK(int, 0, inode_listsecurity, struct inode *inode, char *buffer,
>  	 size_t buffer_size)
>  LSM_HOOK(void, LSM_RET_VOID, inode_getsecid, struct inode *inode, u32 *secid)
>  LSM_HOOK(int, 0, inode_copy_up, struct dentry *src, struct cred **new)
> -LSM_HOOK(int, 0, inode_copy_up_xattr, const char *name)
> +LSM_HOOK(int, -EOPNOTSUPP, inode_copy_up_xattr, const char *name)
>  LSM_HOOK(int, 0, kernfs_init_security, struct kernfs_node *kn_dir,
>  	 struct kernfs_node *kn)
>  LSM_HOOK(int, 0, file_permission, struct file *file, int mask)
> diff --git a/security/security.c b/security/security.c
> index 0ce3e73edd42..70a7ad357bc6 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -1414,7 +1414,22 @@ EXPORT_SYMBOL(security_inode_copy_up);
>  
>  int security_inode_copy_up_xattr(const char *name)
>  {
> -	return call_int_hook(inode_copy_up_xattr, -EOPNOTSUPP, name);
> +	struct security_hook_list *hp;
> +	int rc;
> +
> +	/*
> +	 * The implementation can return 0 (accept the xattr), 1 (discard the
> +	 * xattr), -EOPNOTSUPP if it does not know anything about the xattr or
> +	 * any other error code incase of an error.
> +	 */
> +	hlist_for_each_entry(hp,
> +		&security_hook_heads.inode_copy_up_xattr, list) {
> +		rc = hp->hook.inode_copy_up_xattr(name);
> +		if (rc != LSM_RET_DEFAULT(inode_copy_up_xattr))
> +			return rc;
> +	}
> +
> +	return LSM_RET_DEFAULT(inode_copy_up_xattr);
>  }
>  EXPORT_SYMBOL(security_inode_copy_up_xattr);
>  
> 

-- 
James Morris
<jmorris@namei.org>