lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4901FE29.3090600@redhat.com>
Date:	Fri, 24 Oct 2008 11:56:09 -0500
From:	Eric Sandeen <sandeen@...hat.com>
To:	Eric Paris <eparis@...hat.com>
CC:	linux-ext4@...r.kernel.org, selinux@...ho.nsa.gov,
	sds@...ho.nsa.gov, esandeen@...hat.com, tytso@....edu,
	dwalsh@...hat.com, linux-security-module@...r.kernel.org
Subject: Re: ext4_has_free_blocks always checks cap_sys_resource and makes
 SELinux unhappy

Eric Paris wrote:
> I'm running an ext4 root filesystem and regularly get SELinux denials
> like:
> 
> Oct 16 08:32:55 localhost kernel: type=1400 audit(1224160369.076:5):
> avc: denied  { sys_resource } for  pid=1624 comm="dbus-daemon"
> capability=24 scontext=system_u:system_r:system_dbusd_t:s0
> tcontext=system_u:system_r:system_dbusd_t:s0 tclass=capability
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=467216
> 
> Since this doesn't happen with people who have ext3 filesystems but
> everything else the same it lead me to look at ext4.  I see that
> ext?_has_free_blocks() has changed since ext3 and now we always check
> for capable(CAP_SYS_RESOUCE).  If a process actually has the capability
> in pE (as many root processes would) but doesn't have the capability in
> SELinux policy we will get a denial.
> 
> I can think of a couple ways to fix this:
> 
> the first (and one I like) is to change ext4 to stop checking
> CAP_SYS_RESOURCE all the time.  It's not really 'pretty' but I think you
> would actually get a better performing function.  Just always calculate
> root_blocks and if we don't have enough room then then do the whole
> check to see if are root and recalculate without root_blocks.  I'd guess
> that a great majority of the time operations will succeed even with a
> non-zero root_blocks and I would guess that most process aren't going to
> be root processes and so we would be calculating root_blocks anyway.
> This would (like ext3) only cause these denials when it was filled up.
> We've been living with that forever, so I don't see a problem there...

Thanks Eric, I'll look into this.  It seems that ext4_has_free_blocks is
now overly complex; it used to return how many blocks are available, if
that number is < nblocks, but the single caller now only checks
success/failure for having nblocks free.  I'll see if I can simplify it
and delay the cap check as you suggest.

-Eric
--
To unsubscribe from this list: send the line "unsubscribe linux-ext4" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ