| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <75b4746d-d41e-7c9f-4bb0-42a46bda7f17@digikod.net>
Date: Fri, 26 May 2023 18:33:05 +0200
From: Mickaël Salaün <mic@...ikod.net>
To: Christian Brauner <brauner@...nel.org>,
Xiu Jianfeng <xiujianfeng@...wei.com>
Cc: gregkh@...uxfoundation.org, rafael@...nel.org,
viro@...iv.linux.org.uk, dhowells@...hat.com, code@...icks.com,
hirofumi@...l.parknet.co.jp, linkinjeon@...nel.org,
sfrench@...ba.org, senozhatsky@...omium.org, tom@...pey.com,
chuck.lever@...cle.com, jlayton@...nel.org, miklos@...redi.hu,
paul@...l-moore.com, jmorris@...ei.org, serge@...lyn.com,
stephen.smalley.work@...il.com, eparis@...isplace.org,
casey@...aufler-ca.com, dchinner@...hat.com,
john.johansen@...onical.com, mcgrof@...nel.org,
mortonm@...omium.org, fred@...udflare.com, mpe@...erman.id.au,
nathanl@...ux.ibm.com, gnoack3000@...il.com,
roberto.sassu@...wei.com, linux-kernel@...r.kernel.org,
linux-fsdevel@...r.kernel.org, linux-cachefs@...hat.com,
ecryptfs@...r.kernel.org, linux-cifs@...r.kernel.org,
linux-nfs@...r.kernel.org, linux-unionfs@...r.kernel.org,
linux-security-module@...r.kernel.org, selinux@...r.kernel.org,
wangweiyang2@...wei.com
Subject: Re: [PATCH -next 0/2] lsm: Change inode_setattr() to take struct
On 15/05/2023 17:12, Christian Brauner wrote:
> On Fri, May 05, 2023 at 04:11:58PM +0800, Xiu Jianfeng wrote:
>> Hi,
>>
>> I am working on adding xattr/attr support for landlock [1], so we can
>> control fs accesses such as chmod, chown, uptimes, setxattr, etc.. inside
>> landlock sandbox. the LSM hooks as following are invoved:
>> 1.inode_setattr
>> 2.inode_setxattr
>> 3.inode_removexattr
>> 4.inode_set_acl
>> 5.inode_remove_acl
>> which are controlled by LANDLOCK_ACCESS_FS_WRITE_METADATA.
>>
>> and
>> 1.inode_getattr
>> 2.inode_get_acl
>> 3.inode_getxattr
>> 4.inode_listxattr
>> which are controlled by LANDLOCK_ACCESS_FS_READ_METADATA
>
> It would be helpful to get the complete, full picture.
>
> Piecemeal extending vfs helpers with struct path arguments is costly,
> will cause a lot of churn and will require a lot of review time from us.
>
> Please give us the list of all security hooks to which you want to pass
> a struct path (if there are more to come apart from the ones listed
> here). Then please follow all callchains and identify the vfs helpers
> that would need to be updated. Then please figure out where those
> vfs helpers are called from and follow all callchains finding all
> inode_operations that would have to be updated and passed a struct path
> argument. So ultimately we'll end up with a list of vfs helpers and
> inode_operations that would have to be changed.
>
> I'm very reluctant to see anything merged without knowing _exactly_ what
> you're getting us into.
Ultimately we'd like the path-based LSMs to reach parity with the
inode-based LSMs. This proposal's goal is to provide users the ability
to control (in a complete and easy way) file metadata access. For these
we need to extend the inode_*attr hooks and inode_*acl hooks to handle
paths. The chown/chmod hooks are already good.
In the future, I'd also like to be able to control directory traversals
(e.g. chdir), which currently only calls inode_permission().
What would be the best way to reach this goal?
Powered by blists - more mailing lists