[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <1249909031.2422.37.camel@moss-pluto.epoch.ncsc.mil>
Date: Mon, 10 Aug 2009 08:57:11 -0400
From: Stephen Smalley <sds@...ho.nsa.gov>
To: OGAWA Hirofumi <hirofumi@...l.parknet.co.jp>
Cc: Eric Paris <eparis@...hat.com>, Amerigo Wang <amwang@...hat.com>,
linux-kernel@...r.kernel.org, esandeen@...hat.com, eteo@...hat.com,
linux-fsdevel@...r.kernel.org, akpm@...ux-foundation.org,
viro@...iv.linux.org.uk, linux-security-module@...r.kernel.org
Subject: Re: [Patch v3] vfs: allow file truncations when both suid and
write permissions set
On Mon, 2009-08-10 at 21:43 +0900, OGAWA Hirofumi wrote:
> Stephen Smalley <sds@...ho.nsa.gov> writes:
>
> >> > > I was thinking about this and kept telling myself I was going to test v2
> >> > > before I ack/nak. Clearly we shouldn't for the dropping of SUID if the
> >> > > process didn't have permission to change the ATTR_SIZE.
> >> > >
> >> > > Acked-by: Eric Paris <eparis@...hat.com>
> >> >
> >> > BTW, Do you know why doesn't security modules fix the handling of
> >> > do_truncate() (i.e. ATTR_MODE | ATTR_SIZE). And why doesn't it allow to
> >> > pass ATTR_FORCE for it?
> >>
> >> I'm not sure what you mean. I understood ATTR_FORCE to mean 'I am magic
> >> and get to override all security checks." Which is why nothing should
> >> ever be using ATTR_FORCE with things other than SUID.
> >>
> >> I guess we could somehow force logic into the LSM to make it only apply
> >> to SUID and friends but I'm not sure it buys us anything.
> >
> > SELinux shouldn't apply a permission check for the clearing of the suid
> > bit on write or truncate. It should only apply a permission check for
> > the actual truncate or write operation, and then the clearing of the
> > suid bit should always be forced if that check passed.
>
> Ok. Yes. So, to do it efficiently without problem, I'm suggesting the
> following or something (I don't know whether LSM should do this or not).
>
> selinux_inode_setattr(),
>
> ia_valid = iattr->ia_valid;
> if (!(ia_valid & ATTR_FORCE) && (ia_valid & ATTR_FORCE_MASK)) {
> err = dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
> if (err)
> return err;
> ia_valid &= ~ATTR_FORCE_MASK;
> }
> if (ia_valid & ATTR_NOT_FORCE_MASK)
> err = dentry_has_perm(cred, NULL, dentry, FILE__WRITE);
> return err;
>
> I guess ATTR_FORCE_MASK would be (ATTR_MODE | ATTR_UID | ATTR_GID |
> ATTR_ATIME_SET | ATTR_MTIME_SET) or something,
> and ATTR_NOT_FORCE_MASK would be ATTR_SIZE or something.
>
> I'm not sure this is the right code what selinux want to do though, but,
> I hope it is clear what I want to say. (I'm assuming FILE__WRITE is for
> check of ATTR_SIZE)
The logic is supposed to map certain attribute changes (mode, owner,
group, explicit setting of atime or mtime to a specific value rather
than the current time) to the SELinux setattr permission, while mapping
other attribute changes that occur naturally on a write (size, setting
of mtime to current time) to the SELinux write permission. That doesn't
seem clear from using ATTR_FORCE_MASK vs ATTR_NOT_FORCE_MASK above - I'd
use different naming conventions for clarity.
>
> With this change, the caller can pass "(ATTR_SIZE | ATTR_MODE)" or
> "(ATTR_SIZE | ATTR_MODE | ATTR_FORCE)" etc. for truncate().
>
> [btw, "(ATTR_SIZE | ATTR_MODE)" is what do_truncate() does currently].
That was a change in do_truncate(), commit
7b82dc0e64e93f430182f36b46b79fcee87d3532.
It makes sense, but no one ever updated selinux_inode_setattr() to match
that change.
--
Stephen Smalley
National Security Agency
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists