lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 21 Dec 2016 15:33:22 -0800
From:   Casey Schaufler <casey@...aufler-ca.com>
To:     Mickaël Salaün <mic@...ikod.net>,
        linux-kernel@...r.kernel.org
Cc:     Alexander Viro <viro@...iv.linux.org.uk>,
        Andreas Gruenbacher <agruenba@...hat.com>,
        Andy Lutomirski <luto@...capital.net>,
        Dmitry Kasatkin <dmitry.kasatkin@...il.com>,
        Eric Paris <eparis@...isplace.org>,
        James Morris <james.l.morris@...cle.com>,
        John Johansen <john.johansen@...onical.com>,
        Kees Cook <keescook@...omium.org>,
        Kentaro Takeda <takedakn@...data.co.jp>,
        Mimi Zohar <zohar@...ux.vnet.ibm.com>,
        Paul Moore <paul@...l-moore.com>,
        "Serge E . Hallyn" <serge@...lyn.com>,
        Stephen Smalley <sds@...ho.nsa.gov>,
        Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>,
        Vivek Goyal <vgoyal@...hat.com>, linux-fsdevel@...r.kernel.org,
        linux-security-module@...r.kernel.org
Subject: Re: [PATCH v1] security: Add a new hook: inode_touch_atime

On 12/21/2016 3:15 PM, Mickaël Salaün wrote:
> Add a new LSM hook named inode_touch_atime which is needed to deny
> indirect update of extended file attributes (i.e. access time) which are
> not catched by the inode_setattr hook. By creating a new hook instead of
> calling inode_setattr, we avoid to simulate a useless struct iattr.
>
> This hook allows to create read-only environments as with read-only
> mount points. It can also take care of anonymous inodes.

What security module would use this?

>
> Signed-off-by: Mickaël Salaün <mic@...ikod.net>
> Cc: Alexander Viro <viro@...iv.linux.org.uk>
> Cc: Andy Lutomirski <luto@...capital.net>
> Cc: Casey Schaufler <casey@...aufler-ca.com>
> Cc: Dmitry Kasatkin <dmitry.kasatkin@...il.com>
> Cc: Eric Paris <eparis@...isplace.org>
> Cc: James Morris <james.l.morris@...cle.com>
> Cc: John Johansen <john.johansen@...onical.com>
> Cc: Kees Cook <keescook@...omium.org>
> Cc: Kentaro Takeda <takedakn@...data.co.jp>
> Cc: Mimi Zohar <zohar@...ux.vnet.ibm.com>
> Cc: Paul Moore <paul@...l-moore.com>
> Cc: Serge E. Hallyn <serge@...lyn.com>
> Cc: Stephen Smalley <sds@...ho.nsa.gov>
> Cc: Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>
> ---
>  fs/inode.c                | 5 ++++-
>  include/linux/lsm_hooks.h | 8 ++++++++
>  include/linux/security.h  | 8 ++++++++
>  security/security.c       | 9 +++++++++
>  4 files changed, 29 insertions(+), 1 deletion(-)
>
> diff --git a/fs/inode.c b/fs/inode.c
> index 88110fd0b282..8e7519196942 100644
> --- a/fs/inode.c
> +++ b/fs/inode.c
> @@ -1706,6 +1706,10 @@ void touch_atime(const struct path *path)
>  	if (!__atime_needs_update(path, inode, false))
>  		return;
>  
> +	now = current_time(inode);
> +	if (security_inode_touch_atime(path, &now))
> +		return;
> +
>  	if (!sb_start_write_trylock(inode->i_sb))
>  		return;
>  
> @@ -1720,7 +1724,6 @@ void touch_atime(const struct path *path)
>  	 * We may also fail on filesystems that have the ability to make parts
>  	 * of the fs read only, e.g. subvolumes in Btrfs.
>  	 */
> -	now = current_time(inode);
>  	update_time(inode, &now, S_ATIME);
>  	__mnt_drop_write(mnt);
>  skip_update:
> diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
> index 558adfa5c8a8..e77051715e6b 100644
> --- a/include/linux/lsm_hooks.h
> +++ b/include/linux/lsm_hooks.h
> @@ -428,6 +428,11 @@
>   *	security module does not know about attribute or a negative error code
>   *	to abort the copy up. Note that the caller is responsible for reading
>   *	and writing the xattrs as this hook is merely a filter.
> + * @inode_touch_atime:
> + *	Check permission before updating access time.
> + *	@path contains the path structure for the file.
> + *	@ts contains the current time.
> + *	Return 0 if permission is granted.
>   *
>   * Security hooks for file operations
>   *
> @@ -1458,6 +1463,8 @@ union security_list_options {
>  	void (*inode_getsecid)(struct inode *inode, u32 *secid);
>  	int (*inode_copy_up)(struct dentry *src, struct cred **new);
>  	int (*inode_copy_up_xattr)(const char *name);
> +	int (*inode_touch_atime)(const struct path *path,
> +					const struct timespec *ts);
>  
>  	int (*file_permission)(struct file *file, int mask);
>  	int (*file_alloc_security)(struct file *file);
> @@ -1731,6 +1738,7 @@ struct security_hook_heads {
>  	struct list_head inode_getsecid;
>  	struct list_head inode_copy_up;
>  	struct list_head inode_copy_up_xattr;
> +	struct list_head inode_touch_atime;
>  	struct list_head file_permission;
>  	struct list_head file_alloc_security;
>  	struct list_head file_free_security;
> diff --git a/include/linux/security.h b/include/linux/security.h
> index c2125e9093e8..619f44c290a5 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -30,6 +30,7 @@
>  #include <linux/string.h>
>  #include <linux/mm.h>
>  #include <linux/fs.h>
> +#include <linux/time.h>
>  
>  struct linux_binprm;
>  struct cred;
> @@ -288,6 +289,7 @@ int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer
>  void security_inode_getsecid(struct inode *inode, u32 *secid);
>  int security_inode_copy_up(struct dentry *src, struct cred **new);
>  int security_inode_copy_up_xattr(const char *name);
> +int security_inode_touch_atime(const struct path *path, const struct timespec *ts);
>  int security_file_permission(struct file *file, int mask);
>  int security_file_alloc(struct file *file);
>  void security_file_free(struct file *file);
> @@ -781,6 +783,12 @@ static inline int security_inode_copy_up_xattr(const char *name)
>  	return -EOPNOTSUPP;
>  }
>  
> +static inline int security_inode_touch_atime(const struct path *path, const
> +					     struct timespec *ts)
> +{
> +	return 0;
> +}
> +
>  static inline int security_file_permission(struct file *file, int mask)
>  {
>  	return 0;
> diff --git a/security/security.c b/security/security.c
> index f825304f04a7..cd093c4b4115 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -769,6 +769,13 @@ int security_inode_copy_up_xattr(const char *name)
>  }
>  EXPORT_SYMBOL(security_inode_copy_up_xattr);
>  
> +int security_inode_touch_atime(const struct path *path,
> +				const struct timespec *ts)
> +{
> +	return call_int_hook(inode_touch_atime, 0, path, ts);
> +}
> +EXPORT_SYMBOL(security_inode_touch_atime);
> +
>  int security_file_permission(struct file *file, int mask)
>  {
>  	int ret;
> @@ -1711,6 +1718,8 @@ struct security_hook_heads security_hook_heads = {
>  		LIST_HEAD_INIT(security_hook_heads.inode_copy_up),
>  	.inode_copy_up_xattr =
>  		LIST_HEAD_INIT(security_hook_heads.inode_copy_up_xattr),
> +	.inode_touch_atime =
> +		LIST_HEAD_INIT(security_hook_heads.inode_touch_atime),
>  	.file_permission =
>  		LIST_HEAD_INIT(security_hook_heads.file_permission),
>  	.file_alloc_security =

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ