lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20140416111402.GA32350@infradead.org>
Date:	Wed, 16 Apr 2014 04:14:02 -0700
From:	Christoph Hellwig <hch@...radead.org>
To:	Andreas Gruenbacher <andreas.gruenbacher@...bit.com>
Cc:	Brian Foster <bfoster@...hat.com>, linux-man@...r.kernel.org,
	xfs@....sgi.com, linux-security-module@...r.kernel.org,
	Al Viro <viro@...iv.linux.org.uk>,
	linux-fsdevel@...r.kernel.org, linux-ext4@...r.kernel.org
Subject: Re: [PATCH v2 1/2] xfs: fix tmpfile/selinux deadlock and initialize
 security/acl

On Tue, Apr 15, 2014 at 09:31:02PM +0200, Andreas Gruenbacher wrote:
> from how O_TMPFILE is documented right now [*], creating such a file and
> then linking it into the namespace is one of the obvious use cases.

Btw, I think the man page is wrong - given that the tmpfile is not
visible in the namespace it is obviously not created in the directory.
The directory passed in is just a handle for the filesystem it should be
created in.

Michael, should I send you an update for this, or do you want to do it
yourself as you can probably come up with better language anyway?

> The
> intent seems to be to make it seem like the file was created and populated
> atomically, possibly with inherited permissions and all.
> I think this
> behavior require that the O_TMPFILE file inherits from the directory it
> was "created" in.
> 
> Adding code to achieve the effect of create-time inheritance at link
> time, only for O_TMPFILE files or files without any links, doesn't seem 
> reasonable to me: it would duplicate create code in the link code path,
> and it would make it harder to override inherited permissions or labels.

Inheriting any ACL on creating an anonymous file seems utterly wrong.
Inheriting on link seems somewhat more sensible and not too bad in terms
of code, but very confusing in terms of semantics.  I think the best
method is to make sure it simply does not inherit any ACL and document
that clearly.

> (Trying to fake inheritance by reimplementing it in user space seems like
> a much worse idea still.)

We don't fake inheritance when linking any other file either.  And
creating a file in a /tmp without any ACL and then linking it into the
filesystem already is very common today.

--
To unsubscribe from this list: send the line "unsubscribe linux-ext4" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ