| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20170310214756.GA17896@mail.hallyn.com>
Date: Fri, 10 Mar 2017 15:47:56 -0600
From: "Serge E. Hallyn" <serge@...lyn.com>
To: Stephen Smalley <sds@...ho.nsa.gov>
Cc: viro@...iv.linux.org.uk, james.l.morris@...cle.com,
serge@...lyn.com, paul@...l-moore.com, john.johansen@...onical.com,
linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-security-module@...r.kernel.org, selinux@...ho.nsa.gov
Subject: Re: [PATCH] fs: switch order of CAP_DAC_OVERRIDE and
CAP_DAC_READ_SEARCH checks
Quoting Stephen Smalley (sds@...ho.nsa.gov):
> generic_permission() presently checks CAP_DAC_OVERRIDE prior to
> CAP_DAC_READ_SEARCH. This can cause misleading audit messages when
> using a LSM such as SELinux or AppArmor, since CAP_DAC_OVERRIDE
> may not be required for the operation. Flip the order of the
> tests so that CAP_DAC_OVERRIDE is only checked when required for
> the operation.
>
> Signed-off-by: Stephen Smalley <sds@...ho.nsa.gov>
Lol, not sure if that patch has arranged itself to be as confusing
as possible (for a simple end result) or if it's in my head :), but
I had to read it like 3 times, despite it appearing trivial in the
end.
Reviewed-by: Serge Hallyn <serge@...lyn.com>
> ---
> fs/namei.c | 20 ++++++++++----------
> 1 file changed, 10 insertions(+), 10 deletions(-)
>
> diff --git a/fs/namei.c b/fs/namei.c
> index d41fab7..482414a 100644
> --- a/fs/namei.c
> +++ b/fs/namei.c
> @@ -340,22 +340,14 @@ int generic_permission(struct inode *inode, int mask)
>
> if (S_ISDIR(inode->i_mode)) {
> /* DACs are overridable for directories */
> - if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
> - return 0;
> if (!(mask & MAY_WRITE))
> if (capable_wrt_inode_uidgid(inode,
> CAP_DAC_READ_SEARCH))
> return 0;
> - return -EACCES;
> - }
> - /*
> - * Read/write DACs are always overridable.
> - * Executable DACs are overridable when there is
> - * at least one exec bit set.
> - */
> - if (!(mask & MAY_EXEC) || (inode->i_mode & S_IXUGO))
> if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
> return 0;
> + return -EACCES;
> + }
>
> /*
> * Searching includes executable on directories, else just read.
> @@ -364,6 +356,14 @@ int generic_permission(struct inode *inode, int mask)
> if (mask == MAY_READ)
> if (capable_wrt_inode_uidgid(inode, CAP_DAC_READ_SEARCH))
> return 0;
> + /*
> + * Read/write DACs are always overridable.
> + * Executable DACs are overridable when there is
> + * at least one exec bit set.
> + */
> + if (!(mask & MAY_EXEC) || (inode->i_mode & S_IXUGO))
> + if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
> + return 0;
>
> return -EACCES;
> }
> --
> 2.7.4
Powered by blists - more mailing lists