From patchwork Wed Jun 21 16:53:06 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 9802315 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 4A31B6038C for ; Wed, 21 Jun 2017 16:53:24 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 3B83D1FE5F for ; Wed, 21 Jun 2017 16:53:24 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 2EC4C1FFB9; Wed, 21 Jun 2017 16:53:24 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id BA7DE1FE5F for ; Wed, 21 Jun 2017 16:53:23 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752750AbdFUQxK (ORCPT ); Wed, 21 Jun 2017 12:53:10 -0400 Received: from mail-pg0-f44.google.com ([74.125.83.44]:35800 "EHLO mail-pg0-f44.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752081AbdFUQxJ (ORCPT ); Wed, 21 Jun 2017 12:53:09 -0400 Received: by mail-pg0-f44.google.com with SMTP id 132so45769194pgb.2 for ; Wed, 21 Jun 2017 09:53:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=date:from:to:cc:subject:message-id:mime-version:content-disposition; bh=y0HmeTY33Geei1qvn6cSH0DWT4q6V5MfdSwQv61kA2I=; b=dkUx6caEC/CZsuyjTXvEwLeuWF0Kea2h6BBlK7CBd2YPkX1Gj7U+AxTFwsNtPy8Dae LPtOcaqrfJSsHS65OPZQ6WAsjUhLcd0pJ+ujdGmAcxIx6zH4N/HfMts4JJO13OkLD5po Hfg0QK0XrfILFq6onyY8K6Zvt93Tz3BCjKXJ0= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:mime-version :content-disposition; bh=y0HmeTY33Geei1qvn6cSH0DWT4q6V5MfdSwQv61kA2I=; b=J4JprVauPawhiEpB/wqop44OEbLYsHCtg8a1ffYxRSgS78mIsrcc6Eb0xtKfjBj8un /7H4GZpX1SVAIQoiSixZLQVyCvkcqwxClC0nQhDRIa5ZfFprG6T0P+Yv4PjrX+V2NLKn 45UWWEttEA6fXXZeL0L/fYCUbR/HV5hLHpQEPNxGoeCP+U5+VIqrI1pIctoY+ZZkAU/k NIDjquZvkM3PPmxde1wJNG3Hzz5dVONsVpi3oLtAX1CcxsGRO9xM/ERqWsU1KylrSv6a cn8aDOxO8LnIOOUHgoUzAXWbTuKy/XPC7tAGAM19kC+x0nREjEULlopN1E383mVMadxT pddQ== X-Gm-Message-State: AKS2vOwjb/QJI7NKG8iFAvM8v54WO6JkIKtBvF6NsDnuiySuKuTqILTS 7NVK1aHT9HWRgrKl X-Received: by 10.84.141.36 with SMTP id 33mr41520544plu.99.1498063988615; Wed, 21 Jun 2017 09:53:08 -0700 (PDT) Received: from www.outflux.net (173-164-112-133-Oregon.hfc.comcastbusiness.net. [173.164.112.133]) by smtp.gmail.com with ESMTPSA id l72sm16847998pfg.97.2017.06.21.09.53.07 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 21 Jun 2017 09:53:07 -0700 (PDT) Date: Wed, 21 Jun 2017 09:53:06 -0700 From: Kees Cook To: Andrew Morton Cc: Alexander Viro , linux-fsdevel@vger.kernel.org, Solar Designer , Serge Hallyn , Andy Lutomirski , linux-kernel@vger.kernel.org Subject: [PATCH v2] fs: Reorder inode_owner_or_capable() to avoid needless Message-ID: <20170621165306.GA48013@beast> MIME-Version: 1.0 Content-Disposition: inline Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Checking for capabilities should be the last operation when performing access control tests so that PF_SUPERPRIV is set only when it was required for success (implying that the capability was needed for the operation). Reported-by: Solar Designer Signed-off-by: Kees Cook Acked-by: Serge Hallyn Reviewed-by: Andy Lutomirski --- v2: add acks/reviews, actually include akpm in "To" :) --- fs/inode.c | 2 +- fs/namei.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/fs/inode.c b/fs/inode.c index db5914783a71..7092debe90cc 100644 --- a/fs/inode.c +++ b/fs/inode.c @@ -2023,7 +2023,7 @@ bool inode_owner_or_capable(const struct inode *inode) return true; ns = current_user_ns(); - if (ns_capable(ns, CAP_FOWNER) && kuid_has_mapping(ns, inode->i_uid)) + if (kuid_has_mapping(ns, inode->i_uid) && ns_capable(ns, CAP_FOWNER)) return true; return false; } diff --git a/fs/namei.c b/fs/namei.c index 6571a5f5112e..efe53a5d0737 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -1008,7 +1008,7 @@ static int may_linkat(struct path *link) /* Source inode owner (or CAP_FOWNER) can hardlink all they like, * otherwise, it must be a safe source. */ - if (inode_owner_or_capable(inode) || safe_hardlink_source(inode)) + if (safe_hardlink_source(inode) || inode_owner_or_capable(inode)) return 0; audit_log_link_denied("linkat", link);