lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20100924152342.502728c0@tlielax.poochiereds.net>
Date:	Fri, 24 Sep 2010 15:23:42 -0400
From:	Jeff Layton <jlayton@...hat.com>
To:	"Aneesh Kumar K. V" <aneesh.kumar@...ux.vnet.ibm.com>
Cc:	sfrench@...ibm.com, ffilz@...ibm.com, agruen@...e.de,
	adilger@....com, sandeen@...hat.com, tytso@....edu,
	bfields@...i.umich.edu, linux-fsdevel@...r.kernel.org,
	nfsv4@...ux-nfs.org, linux-ext4@...r.kernel.org,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH -V4 08/11] vfs: Add new file and directory create
 permission flags

On Sat, 25 Sep 2010 00:46:03 +0530
"Aneesh Kumar K. V" <aneesh.kumar@...ux.vnet.ibm.com> wrote:

> On Fri, 24 Sep 2010 11:54:23 -0400, Jeff Layton <jlayton@...hat.com> wrote:
> > On Fri, 24 Sep 2010 18:18:11 +0530
> > "Aneesh Kumar K.V" <aneesh.kumar@...ux.vnet.ibm.com> wrote:
> > 
> > > From: Andreas Gruenbacher <agruen@...e.de>
> > > 
> > > Some permission models distinguish between the permission to create a
> > > non-directory and a directory.  Pass this information down to
> > > inode_permission() as mask flags
> > > 
> > > Signed-off-by: Andreas Gruenbacher <agruen@...e.de>
> > > Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@...ux.vnet.ibm.com>
> > > ---
> > >  fs/namei.c         |   21 ++++++++++++---------
> > >  include/linux/fs.h |    2 ++
> > >  2 files changed, 14 insertions(+), 9 deletions(-)
> > > 
> > > diff --git a/fs/namei.c b/fs/namei.c
> > > index b0b8a71..ed786b2 100644
> > > --- a/fs/namei.c
> > > +++ b/fs/namei.c
> > > @@ -253,7 +253,8 @@ int generic_permission(struct inode *inode, int mask,
> > >   * for filesystem access without changing the "normal" uids which
> > >   * are used for other things.
> > >   *
> > > - * When checking for MAY_APPEND, MAY_WRITE must also be set in @mask.
> > > + * When checking for MAY_APPEND, MAY_CREATE_FILE, MAY_CREATE_DIR,
> > > + * MAY_WRITE must also be set in @mask.
> > >   */
> > >  int inode_permission(struct inode *inode, int mask)
> > >  {
> > > @@ -1337,13 +1338,15 @@ static int may_delete(struct inode *dir,struct dentry *victim,int isdir)
> > >   *  3. We should have write and exec permissions on dir
> > >   *  4. We can't do it if dir is immutable (done in permission())
> > >   */
> > > -static inline int may_create(struct inode *dir, struct dentry *child)
> > > +static inline int may_create(struct inode *dir, struct dentry *child, int isdir)
> > 									^^^^^
> > 								nit: maybe saner as a bool?
> > >  {
> > > +	int mask = isdir ? MAY_CREATE_DIR : MAY_CREATE_FILE;
> > > +
> > >  	if (child->d_inode)
> > >  		return -EEXIST;
> > >  	if (IS_DEADDIR(dir))
> > >  		return -ENOENT;
> > > -	return inode_permission(dir, MAY_WRITE | MAY_EXEC);
> > > +	return inode_permission(dir, MAY_WRITE | MAY_EXEC | mask);
> > >  }
> > >  
> > >  /*
> > > @@ -1391,7 +1394,7 @@ void unlock_rename(struct dentry *p1, struct dentry *p2)
> > >  int vfs_create(struct inode *dir, struct dentry *dentry, int mode,
> > >  		struct nameidata *nd)
> > >  {
> > > -	int error = may_create(dir, dentry);
> > > +	int error = may_create(dir, dentry, 0);
> > >  
> > >  	if (error)
> > >  		return error;
> > > @@ -1953,7 +1956,7 @@ EXPORT_SYMBOL_GPL(lookup_create);
> > >  
> > >  int vfs_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
> > >  {
> > > -	int error = may_create(dir, dentry);
> > > +	int error = may_create(dir, dentry, 0);
> > >  
> > >  	if (error)
> > >  		return error;
> > > @@ -2057,7 +2060,7 @@ SYSCALL_DEFINE3(mknod, const char __user *, filename, int, mode, unsigned, dev)
> > >  
> > >  int vfs_mkdir(struct inode *dir, struct dentry *dentry, int mode)
> > >  {
> > > -	int error = may_create(dir, dentry);
> > > +	int error = may_create(dir, dentry, 1);
> > >  
> > >  	if (error)
> > >  		return error;
> > > @@ -2342,7 +2345,7 @@ SYSCALL_DEFINE1(unlink, const char __user *, pathname)
> > >  
> > >  int vfs_symlink(struct inode *dir, struct dentry *dentry, const char *oldname)
> > >  {
> > > -	int error = may_create(dir, dentry);
> > > +	int error = may_create(dir, dentry, 0);
> > >  
> > >  	if (error)
> > >  		return error;
> > > @@ -2415,7 +2418,7 @@ int vfs_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_de
> > >  	if (!inode)
> > >  		return -ENOENT;
> > >  
> > > -	error = may_create(dir, new_dentry);
> > > +	error = may_create(dir, new_dentry, S_ISDIR(inode->i_mode));
> > 
> > 						^^^^ this is a little
> > 						scary, but even if it's
> > 						a directory, it'll get
> > 						kicked out in a later
> > 						check. Would it be
> > 						clearer to move up the
> > 						S_ISDIR() check in this
> > 						function and then pass
> > 						this in as false?
> 
> Can you elaborate on this ? 
> 
> -aneesh
> 

Hardlinked directories are a no-no, of course. So when I first saw this
patch, it gave me pause. There's a later check in vfs_link though that
explicitly rejects hardlinking directories, so the above is harmless.
It may be more efficient to go ahead and return error if the target
is a directory however and bypass the permission check.

OTOH, maybe there's good reason to do it this way or I'm just being
excessively nitpicky.

-- 
Jeff Layton <jlayton@...hat.com>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ