[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <5582DC0F.7090800@tycho.nsa.gov>
Date: Thu, 18 Jun 2015 10:56:15 -0400
From: Stephen Smalley <sds@...ho.nsa.gov>
To: David Howells <dhowells@...hat.com>, viro@...iv.linux.org.uk,
miklos@...redi.hu
CC: linux-fsdevel@...r.kernel.org,
linux-security-module@...r.kernel.org,
linux-unionfs@...r.kernel.org, linux-kernel@...r.kernel.org,
SELinux <selinux@...ho.nsa.gov>, Paul Moore <paul@...l-moore.com>
Subject: Re: [PATCH 7/8] SELinux: Create a common helper to determine an inode
label
On 06/18/2015 09:33 AM, David Howells wrote:
> Create a common helper function to determine the label for a new inode. This
> is then used by:
>
> - may_create()
> - selinux_dentry_init_security()
> - selinux_inode_init_security()
> - selinux_file_open_union()
>
> This will change the behaviour of the first two functions slightly, bringing
> them into line with the third. The fourth function is newly created in a
> preceding patch and applied only in the case of a filesystem union or overlay.
>
> Suggested-by: Stephen Smalley <sds@...ho.nsa.gov>
> Signed-off-by: David Howells <dhowells@...hat.com>
> ---
>
> security/selinux/hooks.c | 124 ++++++++++++++++++++++------------------------
> 1 file changed, 60 insertions(+), 64 deletions(-)
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index c4495a797eb1..7eef1032c11a 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -1684,6 +1684,42 @@ out:
> return rc;
> }
>
> +/*
> + * Determine the label for an inode that might be unioned.
> + */
> +static int selinux_determine_inode_label(const struct inode *dir,
> + const struct qstr *name,
> + const char *caller,
> + u16 tclass,
> + u32 *_new_isid)
> +{
> + const struct superblock_security_struct *sbsec;
> + const struct inode_security_struct *dsec;
> + const struct task_security_struct *tsec = current_security();
> + int rc;
> +
> + sbsec = dir->i_sb->s_security;
> +
> + if ((sbsec->flags & SE_SBINITIALIZED) &&
> + (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
> + *_new_isid = sbsec->mntpoint_sid;
> + } else if (tsec->create_sid) {
This doesn't quite match the logic in inode_init_security today, see its
checking of SBLABEL_MNT.
> + *_new_isid = tsec->create_sid;
> + } else {
> + dsec = dir->i_security;
> +
> + rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
> + name, _new_isid);
> + if (rc) {
> + pr_warn("%s: security_transition_sid failed, rc=%d (name=%*.*s)\n",
> + caller, -rc, name->len, name->len, name->name);
Let's drop this pr_warn call.
> + return rc;
> + }
> + }
> +
> + return 0;
> +}
> +
> /* Check whether a task can create a file. */
> static int may_create(struct inode *dir,
> struct dentry *dentry,
> @@ -1700,7 +1736,6 @@ static int may_create(struct inode *dir,
> sbsec = dir->i_sb->s_security;
>
> sid = tsec->sid;
> - newsid = tsec->create_sid;
>
> ad.type = LSM_AUDIT_DATA_DENTRY;
> ad.u.dentry = dentry;
> @@ -1711,12 +1746,10 @@ static int may_create(struct inode *dir,
> if (rc)
> return rc;
>
> - if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
> - rc = security_transition_sid(sid, dsec->sid, tclass,
> - &dentry->d_name, &newsid);
> - if (rc)
> - return rc;
> - }
> + rc = selinux_determine_inode_label(dir, &dentry->d_name, __func__,
> + tclass, &newsid);
> + if (rc)
> + return rc;
>
> rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
> if (rc)
> @@ -2723,32 +2756,14 @@ static int selinux_dentry_init_security(struct dentry *dentry, int mode,
> struct qstr *name, void **ctx,
> u32 *ctxlen)
> {
> - const struct cred *cred = current_cred();
> - struct task_security_struct *tsec;
> - struct inode_security_struct *dsec;
> - struct superblock_security_struct *sbsec;
> - struct inode *dir = d_backing_inode(dentry->d_parent);
> u32 newsid;
> int rc;
>
> - tsec = cred->security;
> - dsec = dir->i_security;
> - sbsec = dir->i_sb->s_security;
> -
> - if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
> - newsid = tsec->create_sid;
> - } else {
> - rc = security_transition_sid(tsec->sid, dsec->sid,
> - inode_mode_to_security_class(mode),
> - name,
> - &newsid);
> - if (rc) {
> - printk(KERN_WARNING
> - "%s: security_transition_sid failed, rc=%d\n",
> - __func__, -rc);
> - return rc;
> - }
> - }
> + rc = selinux_determine_inode_label(d_inode(dentry), name, __func__,
> + inode_mode_to_security_class(mode),
> + &newsid);
> + if (rc)
> + return rc;
>
> return security_sid_to_context(newsid, (char **)ctx, ctxlen);
> }
> @@ -2771,22 +2786,12 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
> sid = tsec->sid;
> newsid = tsec->create_sid;
>
> - if ((sbsec->flags & SE_SBINITIALIZED) &&
> - (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
> - newsid = sbsec->mntpoint_sid;
> - else if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
> - rc = security_transition_sid(sid, dsec->sid,
> - inode_mode_to_security_class(inode->i_mode),
> - qstr, &newsid);
> - if (rc) {
> - printk(KERN_WARNING "%s: "
> - "security_transition_sid failed, rc=%d (dev=%s "
> - "ino=%ld)\n",
> - __func__,
> - -rc, inode->i_sb->s_id, inode->i_ino);
> - return rc;
> - }
> - }
> + rc = selinux_determine_inode_label(
> + dir, qstr, __func__,
> + inode_mode_to_security_class(inode->i_mode),
> + &newsid);
> + if (rc)
> + return rc;
>
> /* Possibly defer initialization to selinux_complete_init. */
> if (sbsec->flags & SE_SBINITIALIZED) {
> @@ -3502,9 +3507,7 @@ static int selinux_file_open_union(struct file *file,
> struct file_security_struct *fsec,
> const struct cred *cred)
> {
> - const struct superblock_security_struct *sbsec;
> - const struct inode_security_struct *isec, *dsec, *fisec;
> - const struct task_security_struct *tsec = current_security();
> + const struct inode_security_struct *isec, *fisec;
> struct common_audit_data ad;
> struct dentry *union_dentry = file->f_path.dentry;
> const struct inode *union_inode = d_inode(union_dentry);
> @@ -3512,29 +3515,22 @@ static int selinux_file_open_union(struct file *file,
> struct dentry *dir;
> int rc;
>
> - sbsec = union_dentry->d_sb->s_security;
> -
> if (union_inode) {
> + /* If we're opening an overlay inode, use the label from that
> + * in preference to the label on a lower inode which we might
> + * actually be opening.
> + */
> isec = union_inode->i_security;
> fsec->union_isid = isec->sid;
> - } else if ((sbsec->flags & SE_SBINITIALIZED) &&
> - (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
> - fsec->union_isid = sbsec->mntpoint_sid;
> } else {
> dir = dget_parent(union_dentry);
> - dsec = d_inode(dir)->i_security;
> -
> - rc = security_transition_sid(
> - tsec->sid, dsec->sid,
> - inode_mode_to_security_class(lower_inode->i_mode),
> + rc = selinux_determine_inode_label(
> + d_inode(dir),
> &union_dentry->d_name,
> + __func__,
> + inode_mode_to_security_class(lower_inode->i_mode),
> &fsec->union_isid);
> dput(dir);
> - if (rc) {
> - pr_warn("%s: security_transition_sid failed, rc=%d (name=%pD)\n",
> - __func__, -rc, file);
> - return rc;
> - }
> }
>
> /* We need to check that the union file is allowed to be opened as well
>
>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists