Message ID | 20220929153041.500115-12-brauner@kernel.org (mailing list archive) |
---|---|
State | Handled Elsewhere |
Delegated to: | Paul Moore |
Headers | show |
Series | acl: add vfs posix acl api | expand |
On Thu, Sep 29, 2022 at 11:31 AM Christian Brauner <brauner@kernel.org> wrote: > > The current way of setting and getting posix acls through the generic > xattr interface is error prone and type unsafe. The vfs needs to > interpret and fixup posix acls before storing or reporting it to > userspace. Various hacks exist to make this work. The code is hard to > understand and difficult to maintain in it's current form. Instead of > making this work by hacking posix acls through xattr handlers we are > building a dedicated posix acl api around the get and set inode > operations. This removes a lot of hackiness and makes the codepaths > easier to maintain. A lot of background can be found in [1]. > > So far posix acls were passed as a void blob to the security and > integrity modules. Some of them like evm then proceed to interpret the > void pointer and convert it into the kernel internal struct posix acl > representation to perform their integrity checking magic. This is > obviously pretty problematic as that requires knowledge that only the > vfs is guaranteed to have and has lead to various bugs. Add a proper > security hook for setting posix acls and pass down the posix acls in > their appropriate vfs format instead of hacking it through a void > pointer stored in the uapi format. > > I spent considerate time in the security module infrastructure and > audited all codepaths. Smack has no restrictions based on the posix > acl values passed through it. The capability hook doesn't need to be > called either because it only has restrictions on security.* xattrs. So > these all becomes very simple hooks for smack. > > Link: https://lore.kernel.org/all/20220801145520.1532837-1-brauner@kernel.org [1] > Reviewed-by: Casey Schaufler <casey@schaufler-ca.com> > Signed-off-by: Christian Brauner (Microsoft) <brauner@kernel.org> > --- > > Notes: > /* v2 */ > unchanged > > /* v3 */ > Paul Moore <paul@paul-moore.com>: > - Add get, and remove acl hook > > /* v4 */ > Reviewed-by: Casey Schaufler <casey@schaufler-ca.com> > > security/smack/smack_lsm.c | 69 ++++++++++++++++++++++++++++++++++++++ > 1 file changed, 69 insertions(+) Two nit-picky comments below, only worth considering if you are respinning for other reasons. Reviewed-by: Paul Moore <paul@paul-moore.com> > diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c > index 001831458fa2..8247e8fd43d0 100644 > --- a/security/smack/smack_lsm.c > +++ b/security/smack/smack_lsm.c > @@ -1393,6 +1393,72 @@ static int smack_inode_removexattr(struct user_namespace *mnt_userns, > return 0; > } > > +/** > + * smack_inode_set_acl - Smack check for setting posix acls > + * @mnt_userns: the userns attached to the mnt this request came from > + * @dentry: the object > + * @acl_name: name of the posix acl > + * @kacl: the posix acls > + * > + * Returns 0 if access is permitted, an error code otherwise > + */ > +static int smack_inode_set_acl(struct user_namespace *mnt_userns, > + struct dentry *dentry, const char *acl_name, > + struct posix_acl *kacl) > +{ > + struct smk_audit_info ad; > + int rc; > + > + smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); > + smk_ad_setfield_u_fs_path_dentry(&ad, dentry); > + rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); > + rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); > + return rc; > +} Smack tends to add a line of vertical whitespace between the smk_ad_setfield_...(...) call and the smk_curacc(...) call in the xattr functions, consistency here might be nice. > +/** > + * smack_inode_remove_acl - Smack check for getting posix acls > + * @mnt_userns: the userns attached to the mnt this request came from > + * @dentry: the object > + * @acl_name: name of the posix acl > + * > + * Returns 0 if access is permitted, an error code otherwise > + */ > +static int smack_inode_remove_acl(struct user_namespace *mnt_userns, > + struct dentry *dentry, const char *acl_name) > +{ > + struct smk_audit_info ad; > + int rc; > + > + smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); > + smk_ad_setfield_u_fs_path_dentry(&ad, dentry); > + rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); > + rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); > + return rc; > +} Same comment about the vertical whitespace applies here. -- paul-moore.com
On Thu, Sep 29, 2022 at 03:15:09PM -0400, Paul Moore wrote: > On Thu, Sep 29, 2022 at 11:31 AM Christian Brauner <brauner@kernel.org> wrote: > > > > The current way of setting and getting posix acls through the generic > > xattr interface is error prone and type unsafe. The vfs needs to > > interpret and fixup posix acls before storing or reporting it to > > userspace. Various hacks exist to make this work. The code is hard to > > understand and difficult to maintain in it's current form. Instead of > > making this work by hacking posix acls through xattr handlers we are > > building a dedicated posix acl api around the get and set inode > > operations. This removes a lot of hackiness and makes the codepaths > > easier to maintain. A lot of background can be found in [1]. > > > > So far posix acls were passed as a void blob to the security and > > integrity modules. Some of them like evm then proceed to interpret the > > void pointer and convert it into the kernel internal struct posix acl > > representation to perform their integrity checking magic. This is > > obviously pretty problematic as that requires knowledge that only the > > vfs is guaranteed to have and has lead to various bugs. Add a proper > > security hook for setting posix acls and pass down the posix acls in > > their appropriate vfs format instead of hacking it through a void > > pointer stored in the uapi format. > > > > I spent considerate time in the security module infrastructure and > > audited all codepaths. Smack has no restrictions based on the posix > > acl values passed through it. The capability hook doesn't need to be > > called either because it only has restrictions on security.* xattrs. So > > these all becomes very simple hooks for smack. > > > > Link: https://lore.kernel.org/all/20220801145520.1532837-1-brauner@kernel.org [1] > > Reviewed-by: Casey Schaufler <casey@schaufler-ca.com> > > Signed-off-by: Christian Brauner (Microsoft) <brauner@kernel.org> > > --- > > > > Notes: > > /* v2 */ > > unchanged > > > > /* v3 */ > > Paul Moore <paul@paul-moore.com>: > > - Add get, and remove acl hook > > > > /* v4 */ > > Reviewed-by: Casey Schaufler <casey@schaufler-ca.com> > > > > security/smack/smack_lsm.c | 69 ++++++++++++++++++++++++++++++++++++++ > > 1 file changed, 69 insertions(+) > > Two nit-picky comments below, only worth considering if you are > respinning for other reasons. > > Reviewed-by: Paul Moore <paul@paul-moore.com> > > > diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c > > index 001831458fa2..8247e8fd43d0 100644 > > --- a/security/smack/smack_lsm.c > > +++ b/security/smack/smack_lsm.c > > @@ -1393,6 +1393,72 @@ static int smack_inode_removexattr(struct user_namespace *mnt_userns, > > return 0; > > } > > > > +/** > > + * smack_inode_set_acl - Smack check for setting posix acls > > + * @mnt_userns: the userns attached to the mnt this request came from > > + * @dentry: the object > > + * @acl_name: name of the posix acl > > + * @kacl: the posix acls > > + * > > + * Returns 0 if access is permitted, an error code otherwise > > + */ > > +static int smack_inode_set_acl(struct user_namespace *mnt_userns, > > + struct dentry *dentry, const char *acl_name, > > + struct posix_acl *kacl) > > +{ > > + struct smk_audit_info ad; > > + int rc; > > + > > + smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); > > + smk_ad_setfield_u_fs_path_dentry(&ad, dentry); > > + rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); > > + rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); > > + return rc; > > +} > > Smack tends to add a line of vertical whitespace between the > smk_ad_setfield_...(...) call and the smk_curacc(...) call in the > xattr functions, consistency here might be nice. > > > +/** > > + * smack_inode_remove_acl - Smack check for getting posix acls > > + * @mnt_userns: the userns attached to the mnt this request came from > > + * @dentry: the object > > + * @acl_name: name of the posix acl > > + * > > + * Returns 0 if access is permitted, an error code otherwise > > + */ > > +static int smack_inode_remove_acl(struct user_namespace *mnt_userns, > > + struct dentry *dentry, const char *acl_name) > > +{ > > + struct smk_audit_info ad; > > + int rc; > > + > > + smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); > > + smk_ad_setfield_u_fs_path_dentry(&ad, dentry); > > + rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); > > + rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); > > + return rc; > > +} > > Same comment about the vertical whitespace applies here. Ok.
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 001831458fa2..8247e8fd43d0 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -1393,6 +1393,72 @@ static int smack_inode_removexattr(struct user_namespace *mnt_userns, return 0; } +/** + * smack_inode_set_acl - Smack check for setting posix acls + * @mnt_userns: the userns attached to the mnt this request came from + * @dentry: the object + * @acl_name: name of the posix acl + * @kacl: the posix acls + * + * Returns 0 if access is permitted, an error code otherwise + */ +static int smack_inode_set_acl(struct user_namespace *mnt_userns, + struct dentry *dentry, const char *acl_name, + struct posix_acl *kacl) +{ + struct smk_audit_info ad; + int rc; + + smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); + smk_ad_setfield_u_fs_path_dentry(&ad, dentry); + rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); + rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); + return rc; +} + +/** + * smack_inode_get_acl - Smack check for getting posix acls + * @mnt_userns: the userns attached to the mnt this request came from + * @dentry: the object + * @acl_name: name of the posix acl + * + * Returns 0 if access is permitted, an error code otherwise + */ +static int smack_inode_get_acl(struct user_namespace *mnt_userns, + struct dentry *dentry, const char *acl_name) +{ + struct smk_audit_info ad; + int rc; + + smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); + smk_ad_setfield_u_fs_path_dentry(&ad, dentry); + + rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_READ, &ad); + rc = smk_bu_inode(d_backing_inode(dentry), MAY_READ, rc); + return rc; +} + +/** + * smack_inode_remove_acl - Smack check for getting posix acls + * @mnt_userns: the userns attached to the mnt this request came from + * @dentry: the object + * @acl_name: name of the posix acl + * + * Returns 0 if access is permitted, an error code otherwise + */ +static int smack_inode_remove_acl(struct user_namespace *mnt_userns, + struct dentry *dentry, const char *acl_name) +{ + struct smk_audit_info ad; + int rc; + + smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); + smk_ad_setfield_u_fs_path_dentry(&ad, dentry); + rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); + rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); + return rc; +} + /** * smack_inode_getsecurity - get smack xattrs * @mnt_userns: active user namespace @@ -4772,6 +4838,9 @@ static struct security_hook_list smack_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(inode_post_setxattr, smack_inode_post_setxattr), LSM_HOOK_INIT(inode_getxattr, smack_inode_getxattr), LSM_HOOK_INIT(inode_removexattr, smack_inode_removexattr), + LSM_HOOK_INIT(inode_set_acl, smack_inode_set_acl), + LSM_HOOK_INIT(inode_get_acl, smack_inode_get_acl), + LSM_HOOK_INIT(inode_remove_acl, smack_inode_remove_acl), LSM_HOOK_INIT(inode_getsecurity, smack_inode_getsecurity), LSM_HOOK_INIT(inode_setsecurity, smack_inode_setsecurity), LSM_HOOK_INIT(inode_listsecurity, smack_inode_listsecurity),