lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20110326161130.GA2233@localhost.localdomain>
Date:	Sat, 26 Mar 2011 12:11:31 -0400
From:	Josef Bacik <josef@...hat.com>
To:	Casey Schaufler <casey@...aufler-ca.com>
Cc:	Greg KH <gregkh@...e.de>, linux-kernel@...r.kernel.org,
	stable@...nel.org, stable-review@...nel.org,
	torvalds@...ux-foundation.org, akpm@...ux-foundation.org,
	alan@...rguk.ukuu.org.uk, Josef Bacik <josef@...hat.com>,
	Al Viro <viro@...iv.linux.org.uk>,
	Chuck Ebbert <cebbert@...hat.com>
Subject: Re: [34/35] fs: call security_d_instantiate in d_obtain_alias V2

On Fri, Mar 25, 2011 at 05:24:56PM -0700, Casey Schaufler wrote:
> On 3/25/2011 5:04 PM, Greg KH wrote:
> > 2.6.33-longterm review patch.  If anyone has any objections, please let us know.
> >
> > ------------------
> >
> > From: Josef Bacik <josef@...hat.com>
> >
> > commit 24ff6663ccfdaf088dfa7acae489cb11ed4f43c4 upstream.
> >
> > While trying to track down some NFS problems with BTRFS, I kept noticing I was
> > getting -EACCESS for no apparent reason.  Eric Paris and printk() helped me
> > figure out that it was SELinux that was giving me grief, with the following
> > denial
> >
> > type=AVC msg=audit(1290013638.413:95): avc:  denied  { 0x800000 } for  pid=1772
> > comm="nfsd" name="" dev=sda1 ino=256 scontext=system_u:system_r:kernel_t:s0
> > tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
> >
> > Turns out this is because in d_obtain_alias if we can't find an alias we create
> > one and do all the normal instantiation stuff, but we don't do the
> > security_d_instantiate.
> >
> > Usually we are protected from getting a hashed dentry that hasn't yet run
> > security_d_instantiate() by the parent's i_mutex, but obviously this isn't an
> > option there, so in order to deal with the case that a second thread comes in
> > and finds our new dentry before we get to run security_d_instantiate(), we go
> > ahead and call it if we find a dentry already.  Eric assures me that this is ok
> > as the code checks to see if the dentry has been initialized already so calling
> > security_d_instantiate() against the same dentry multiple times is ok.  With
> > this patch I'm no longer getting errant -EACCESS values.
> 
> Not to be a bother, but did you try this with Smack as well as SELinux?
> Smack should be fine with the change, but if you're not going to try
> Smack I need to know.
> 

I only tested SELinux since it's on by default in fedora.  Thanks,

Josef
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ