From patchwork Tue Oct 18 11:56:40 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Christian Brauner X-Patchwork-Id: 13010348 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7F5B1C433FE for ; Tue, 18 Oct 2022 11:58:33 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230162AbiJRL6c (ORCPT ); Tue, 18 Oct 2022 07:58:32 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56900 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230314AbiJRL5v (ORCPT ); Tue, 18 Oct 2022 07:57:51 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3F8F7BCB82; Tue, 18 Oct 2022 04:57:47 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 4C7286153E; Tue, 18 Oct 2022 11:57:46 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 22EC7C433C1; Tue, 18 Oct 2022 11:57:42 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1666094265; bh=fSjrzMyq+bpcifIr5JOm4lI4KXzBA9L1pFlvXfjZSmQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=UznQOqEcD8kIVpaiUl17ewp+RBLMClDNxkC1kDImHCLkRUi+WmovI4wiFSznjngmH QE+sMtU5A3+5A1bYMgFCu0ghXCyi3nPEWjKiXlRBnomR9VeKkZvt/8mFZL9Fsp7kdT sKYTGTQ/LCD3JeTf6yJAqT0zMoMhDz3HqqdB5z3uYU0P1vsYEFhk2yPkQhJ8YBXS03 3GHtngY7sH1AFl3S1ytDGNUMksfmYoQwzWzhbtfF6x3aWDhKkY9K3IM+1L8DpVHn1n 2NE2XPH3XDjk+2y6kGo77Itf8VNzUlqbOLbiqhho16B+Xk6TWuq0mShv1mdU/xS31T mvydEJToXo3Ew== From: Christian Brauner To: linux-fsdevel@vger.kernel.org Cc: Christian Brauner , Seth Forshee , Christoph Hellwig , Al Viro , linux-integrity@vger.kernel.org, Paul Moore , Stephen Smalley , Eric Paris , selinux@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH v5 10/30] selinux: implement get, set and remove acl hook Date: Tue, 18 Oct 2022 13:56:40 +0200 Message-Id: <20221018115700.166010-11-brauner@kernel.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20221018115700.166010-1-brauner@kernel.org> References: <20221018115700.166010-1-brauner@kernel.org> MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=3927; i=brauner@kernel.org; h=from:subject; bh=fSjrzMyq+bpcifIr5JOm4lI4KXzBA9L1pFlvXfjZSmQ=; b=owGbwMvMwCU28Zj0gdSKO4sYT6slMST7TVHjeGGv+JeDc+5BP8ufs5at+eR5q/p14MGDf/y0Yjn2 X8jW6yhlYRDjYpAVU2RxaDcJl1vOU7HZKFMDZg4rE8gQBi5OAZjIq+cM/7QYgpnOHhBpm3XFy3bf11 Lmtan3HWcfnvBo3jLRstT90bsY/tlebO5uN166/HvUqRlGMcmLE+tWbku/uPX6J1cHAe7rQlwA X-Developer-Key: i=brauner@kernel.org; a=openpgp; fpr=4880B8C9BD0E5106FC070F4F7B3C391EFEA93624 Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org The current way of setting and getting posix acls through the generic xattr interface is error prone and type unsafe. The vfs needs to interpret and fixup posix acls before storing or reporting it to userspace. Various hacks exist to make this work. The code is hard to understand and difficult to maintain in it's current form. Instead of making this work by hacking posix acls through xattr handlers we are building a dedicated posix acl api around the get and set inode operations. This removes a lot of hackiness and makes the codepaths easier to maintain. A lot of background can be found in [1]. So far posix acls were passed as a void blob to the security and integrity modules. Some of them like evm then proceed to interpret the void pointer and convert it into the kernel internal struct posix acl representation to perform their integrity checking magic. This is obviously pretty problematic as that requires knowledge that only the vfs is guaranteed to have and has lead to various bugs. Add a proper security hook for setting posix acls and pass down the posix acls in their appropriate vfs format instead of hacking it through a void pointer stored in the uapi format. I spent considerate time in the security module infrastructure and audited all codepaths. SELinux has no restrictions based on the posix acl values passed through it. The capability hook doesn't need to be called either because it only has restrictions on security.* xattrs. So these are all fairly simply hooks for SELinux. Link: https://lore.kernel.org/all/20220801145520.1532837-1-brauner@kernel.org [1] Acked-by: Paul Moore Signed-off-by: Christian Brauner (Microsoft) --- Notes: /* v2 */ unchanged /* v3 */ Paul Moore : - Add get, and remove acl hook /* v4 */ unchanged /* v5 */ Acked-by: Paul Moore Paul Moore : - Use current_cred() directly in dentry_has_perm() call in selinux_inode_get_acl(). security/selinux/hooks.c | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index f553c370397e..7c5c8d17695c 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3240,6 +3240,25 @@ static int selinux_inode_setxattr(struct user_namespace *mnt_userns, &ad); } +static int selinux_inode_set_acl(struct user_namespace *mnt_userns, + struct dentry *dentry, const char *acl_name, + struct posix_acl *kacl) +{ + return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); +} + +static int selinux_inode_get_acl(struct user_namespace *mnt_userns, + struct dentry *dentry, const char *acl_name) +{ + return dentry_has_perm(current_cred(), dentry, FILE__GETATTR); +} + +static int selinux_inode_remove_acl(struct user_namespace *mnt_userns, + struct dentry *dentry, const char *acl_name) +{ + return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); +} + static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name, const void *value, size_t size, int flags) @@ -7088,6 +7107,9 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr), LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr), LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr), + LSM_HOOK_INIT(inode_set_acl, selinux_inode_set_acl), + LSM_HOOK_INIT(inode_get_acl, selinux_inode_get_acl), + LSM_HOOK_INIT(inode_remove_acl, selinux_inode_remove_acl), LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity), LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity), LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity), From patchwork Tue Oct 18 11:56:42 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Christian Brauner X-Patchwork-Id: 13010349 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4F2DFC43217 for ; Tue, 18 Oct 2022 11:59:16 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230339AbiJRL7O (ORCPT ); Tue, 18 Oct 2022 07:59:14 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56900 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230083AbiJRL6b (ORCPT ); Tue, 18 Oct 2022 07:58:31 -0400 Received: from sin.source.kernel.org (sin.source.kernel.org [IPv6:2604:1380:40e1:4800::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6E487BCBBB; Tue, 18 Oct 2022 04:57:56 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sin.source.kernel.org (Postfix) with ESMTPS id 6FC8ACE1D2B; Tue, 18 Oct 2022 11:57:52 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id BAB88C433D6; Tue, 18 Oct 2022 11:57:48 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1666094270; bh=zxEBeoNpcJ52F56qGFE68pwFXRvUhT9+M0PGMy9rgEY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=sxpbv8lbxXalhuEPbU400UcefvDj3qrqmgKfI0sy15srU8NPBGcdXpMMI7TVHKF6W PddzcVeq1KBJM29NE0hd1lweWL4EZbOyUkt0qWM1PNWOZ7xNt6SRDcxSyNibI0Xqtf F+v2xoS0XpYurBqo9BxW3uhs/U7eyrH7LEqY63bR2OdYmYfGDLiuQ6WJGrPH3HVVIZ ADJe9o2s42sMMmLEwCPqWjIYCI+hc5scU54QsS5l47U2NQUjI/M8A3tGijev0RF9on YF2gdm/y1cRTBj4maYZf7SVU8kTsi93zHapWkZVBjaT6TZL2Iw/8klpZyCU4n/mOOv bl3ZnctHm2RYQ== From: Christian Brauner To: linux-fsdevel@vger.kernel.org Cc: Christian Brauner , Seth Forshee , Christoph Hellwig , Al Viro , Mimi Zohar , linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH v5 12/30] integrity: implement get and set acl hook Date: Tue, 18 Oct 2022 13:56:42 +0200 Message-Id: <20221018115700.166010-13-brauner@kernel.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20221018115700.166010-1-brauner@kernel.org> References: <20221018115700.166010-1-brauner@kernel.org> MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=11599; i=brauner@kernel.org; h=from:subject; bh=zxEBeoNpcJ52F56qGFE68pwFXRvUhT9+M0PGMy9rgEY=; b=owGbwMvMwCU28Zj0gdSKO4sYT6slMST7TVFn3cfrE1Q8e9qN/IhjMw+uuPF8wpe/23y9fkw/s/fD 4iuMFh2lLAxiXAyyYoosDu0m4XLLeSo2G2VqwMxhZQIZwsDFKQAT2azL8L/4SgyreaBjxCruDWWikp Kmso4xqf6XPq55epG1+OqMuniG/56r1giZZW2zfcll8bZiKzv3/Ua9TOM307ra9l9bafhwCxcA X-Developer-Key: i=brauner@kernel.org; a=openpgp; fpr=4880B8C9BD0E5106FC070F4F7B3C391EFEA93624 Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org The current way of setting and getting posix acls through the generic xattr interface is error prone and type unsafe. The vfs needs to interpret and fixup posix acls before storing or reporting it to userspace. Various hacks exist to make this work. The code is hard to understand and difficult to maintain in it's current form. Instead of making this work by hacking posix acls through xattr handlers we are building a dedicated posix acl api around the get and set inode operations. This removes a lot of hackiness and makes the codepaths easier to maintain. A lot of background can be found in [1]. So far posix acls were passed as a void blob to the security and integrity modules. Some of them like evm then proceed to interpret the void pointer and convert it into the kernel internal struct posix acl representation to perform their integrity checking magic. This is obviously pretty problematic as that requires knowledge that only the vfs is guaranteed to have and has lead to various bugs. Add a proper security hook for setting posix acls and pass down the posix acls in their appropriate vfs format instead of hacking it through a void pointer stored in the uapi format. I spent considerate time in the security module and integrity infrastructure and audited all codepaths. EVM is the only part that really has restrictions based on the actual posix acl values passed through it (e.g., i_mode). Before this dedicated hook EVM used to translate from the uapi posix acl format sent to it in the form of a void pointer into the vfs format. This is not a good thing. Instead of hacking around in the uapi struct give EVM the posix acls in the appropriate vfs format and perform sane permissions checks that mirror what it used to to in the generic xattr hook. IMA doesn't have any restrictions on posix acls. When posix acls are changed it just wants to update its appraisal status to trigger an EVM revalidation. The removal of posix acls is equivalent to passing NULL to the posix set acl hooks. This is the same as before through the generic xattr api. Link: https://lore.kernel.org/all/20220801145520.1532837-1-brauner@kernel.org [1] Signed-off-by: Christian Brauner (Microsoft) Acked-by: Paul Moore (LSM) --- Notes: /* v2 */ unchanged /* v3 */ Paul Moore : - Add get, and remove acl hook /* v4 */ unchanged /* v5 */ Paul Moore : - Move ifdef out of function body. Mimi Zohar : - Fix details in commit message. - Add more details to kernel-doc for evm_inode_set_acl(). include/linux/evm.h | 23 ++++++++ include/linux/ima.h | 24 ++++++++ security/integrity/evm/evm_main.c | 83 ++++++++++++++++++++++++++- security/integrity/ima/ima_appraise.c | 9 +++ security/security.c | 21 ++++++- 5 files changed, 157 insertions(+), 3 deletions(-) diff --git a/include/linux/evm.h b/include/linux/evm.h index aa63e0b3c0a2..86139be48992 100644 --- a/include/linux/evm.h +++ b/include/linux/evm.h @@ -35,6 +35,15 @@ extern int evm_inode_removexattr(struct user_namespace *mnt_userns, struct dentry *dentry, const char *xattr_name); extern void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name); +extern int evm_inode_set_acl(struct user_namespace *mnt_userns, + struct dentry *dentry, const char *acl_name, + struct posix_acl *kacl); +static inline int evm_inode_remove_acl(struct user_namespace *mnt_userns, + struct dentry *dentry, + const char *acl_name) +{ + return evm_inode_set_acl(mnt_userns, dentry, acl_name, NULL); +} extern int evm_inode_init_security(struct inode *inode, const struct xattr *xattr_array, struct xattr *evm); @@ -108,6 +117,20 @@ static inline void evm_inode_post_removexattr(struct dentry *dentry, return; } +static inline int evm_inode_set_acl(struct user_namespace *mnt_userns, + struct dentry *dentry, const char *acl_name, + struct posix_acl *kacl) +{ + return 0; +} + +static inline int evm_inode_remove_acl(struct user_namespace *mnt_userns, + struct dentry *dentry, + const char *acl_name) +{ + return 0; +} + static inline int evm_inode_init_security(struct inode *inode, const struct xattr *xattr_array, struct xattr *evm) diff --git a/include/linux/ima.h b/include/linux/ima.h index 81708ca0ebc7..5a0b2a285a18 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h @@ -187,6 +187,15 @@ extern void ima_inode_post_setattr(struct user_namespace *mnt_userns, struct dentry *dentry); extern int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name, const void *xattr_value, size_t xattr_value_len); +extern int ima_inode_set_acl(struct user_namespace *mnt_userns, + struct dentry *dentry, const char *acl_name, + struct posix_acl *kacl); +static inline int ima_inode_remove_acl(struct user_namespace *mnt_userns, + struct dentry *dentry, + const char *acl_name) +{ + return ima_inode_set_acl(mnt_userns, dentry, acl_name, NULL); +} extern int ima_inode_removexattr(struct dentry *dentry, const char *xattr_name); #else static inline bool is_ima_appraise_enabled(void) @@ -208,11 +217,26 @@ static inline int ima_inode_setxattr(struct dentry *dentry, return 0; } +static inline int ima_inode_set_acl(struct user_namespace *mnt_userns, + struct dentry *dentry, const char *acl_name, + struct posix_acl *kacl) +{ + + return 0; +} + static inline int ima_inode_removexattr(struct dentry *dentry, const char *xattr_name) { return 0; } + +static inline int ima_inode_remove_acl(struct user_namespace *mnt_userns, + struct dentry *dentry, + const char *acl_name) +{ + return 0; +} #endif /* CONFIG_IMA_APPRAISE */ #if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING) diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c index 23d484e05e6f..dcc5e704ef70 100644 --- a/security/integrity/evm/evm_main.c +++ b/security/integrity/evm/evm_main.c @@ -8,7 +8,7 @@ * * File: evm_main.c * implements evm_inode_setxattr, evm_inode_post_setxattr, - * evm_inode_removexattr, and evm_verifyxattr + * evm_inode_removexattr, evm_verifyxattr, and evm_inode_set_acl. */ #define pr_fmt(fmt) "EVM: "fmt @@ -670,6 +670,87 @@ int evm_inode_removexattr(struct user_namespace *mnt_userns, return evm_protect_xattr(mnt_userns, dentry, xattr_name, NULL, 0); } +#ifdef CONFIG_FS_POSIX_ACL +static int evm_inode_set_acl_change(struct user_namespace *mnt_userns, + struct dentry *dentry, const char *name, + struct posix_acl *kacl) +{ + int rc; + + umode_t mode; + struct inode *inode = d_backing_inode(dentry); + + if (!kacl) + return 1; + + rc = posix_acl_update_mode(mnt_userns, inode, &mode, &kacl); + if (rc || (inode->i_mode != mode)) + return 1; + + return 0; +} +#else +static inline int evm_inode_set_acl_change(struct user_namespace *mnt_userns, + struct dentry *dentry, + const char *name, + struct posix_acl *kacl) +{ + return 0; +} +#endif + +/** + * evm_inode_set_acl - protect the EVM extended attribute from posix acls + * @mnt_userns: user namespace of the idmapped mount + * @dentry: pointer to the affected dentry + * @acl_name: name of the posix acl + * @kacl: pointer to the posix acls + * + * Prevent modifying posix acls causing the EVM HMAC to be re-calculated + * and 'security.evm' xattr updated, unless the existing 'security.evm' is + * valid. + */ +int evm_inode_set_acl(struct user_namespace *mnt_userns, struct dentry *dentry, + const char *acl_name, struct posix_acl *kacl) +{ + enum integrity_status evm_status; + + /* Policy permits modification of the protected xattrs even though + * there's no HMAC key loaded + */ + if (evm_initialized & EVM_ALLOW_METADATA_WRITES) + return 0; + + evm_status = evm_verify_current_integrity(dentry); + if ((evm_status == INTEGRITY_PASS) || + (evm_status == INTEGRITY_NOXATTRS)) + return 0; + + /* Exception if the HMAC is not going to be calculated. */ + if (evm_hmac_disabled() && (evm_status == INTEGRITY_NOLABEL || + evm_status == INTEGRITY_UNKNOWN)) + return 0; + + /* + * Writing other xattrs is safe for portable signatures, as portable + * signatures are immutable and can never be updated. + */ + if (evm_status == INTEGRITY_FAIL_IMMUTABLE) + return 0; + + if (evm_status == INTEGRITY_PASS_IMMUTABLE && + !evm_inode_set_acl_change(mnt_userns, dentry, acl_name, kacl)) + return 0; + + if (evm_status != INTEGRITY_PASS && + evm_status != INTEGRITY_PASS_IMMUTABLE) + integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry), + dentry->d_name.name, "appraise_metadata", + integrity_status_msg[evm_status], + -EPERM, 0); + return evm_status == INTEGRITY_PASS ? 0 : -EPERM; +} + static void evm_reset_status(struct inode *inode) { struct integrity_iint_cache *iint; diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index 3e0fbbd99534..3c9af3dc0713 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -774,6 +774,15 @@ int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name, return result; } +int ima_inode_set_acl(struct user_namespace *mnt_userns, struct dentry *dentry, + const char *acl_name, struct posix_acl *kacl) +{ + if (evm_revalidate_status(acl_name)) + ima_reset_appraise_flags(d_backing_inode(dentry), 0); + + return 0; +} + int ima_inode_removexattr(struct dentry *dentry, const char *xattr_name) { int result; diff --git a/security/security.c b/security/security.c index f972ee1f10eb..bdc295ad5fba 100644 --- a/security/security.c +++ b/security/security.c @@ -1376,9 +1376,18 @@ int security_inode_set_acl(struct user_namespace *mnt_userns, struct dentry *dentry, const char *acl_name, struct posix_acl *kacl) { + int ret; + if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) return 0; - return call_int_hook(inode_set_acl, 0, mnt_userns, dentry, acl_name, kacl); + ret = call_int_hook(inode_set_acl, 0, mnt_userns, dentry, acl_name, + kacl); + if (ret) + return ret; + ret = ima_inode_set_acl(mnt_userns, dentry, acl_name, kacl); + if (ret) + return ret; + return evm_inode_set_acl(mnt_userns, dentry, acl_name, kacl); } int security_inode_get_acl(struct user_namespace *mnt_userns, @@ -1392,9 +1401,17 @@ int security_inode_get_acl(struct user_namespace *mnt_userns, int security_inode_remove_acl(struct user_namespace *mnt_userns, struct dentry *dentry, const char *acl_name) { + int ret; + if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) return 0; - return call_int_hook(inode_remove_acl, 0, mnt_userns, dentry, acl_name); + ret = call_int_hook(inode_remove_acl, 0, mnt_userns, dentry, acl_name); + if (ret) + return ret; + ret = ima_inode_remove_acl(mnt_userns, dentry, acl_name); + if (ret) + return ret; + return evm_inode_remove_acl(mnt_userns, dentry, acl_name); } void security_inode_post_setxattr(struct dentry *dentry, const char *name, From patchwork Tue Oct 18 11:56:43 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Christian Brauner X-Patchwork-Id: 13010350 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 737D1C4321E for ; Tue, 18 Oct 2022 11:59:17 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229868AbiJRL7O (ORCPT ); Tue, 18 Oct 2022 07:59:14 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57882 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230084AbiJRL6c (ORCPT ); Tue, 18 Oct 2022 07:58:32 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0B14FBD045; Tue, 18 Oct 2022 04:57:56 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id CFC97B81EBA; Tue, 18 Oct 2022 11:57:54 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 63840C433C1; Tue, 18 Oct 2022 11:57:51 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1666094273; bh=3O+gPnGHG8TPnDVhxwIEQLRX/A3IPzI7T52+FI1TLFQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Jp3IfAWjPn8To25BbWy8FOoVWO8v//uOUhBmZE5YWCoFhEgbk6xiivs8kgasELzs5 12wjTus7RnnUOCIA3r2rzrrp1EjNfYxE/hykS54fGP6Tbh+cK0Moj6juzr3f47ChcR ezjHHTSsLnmv7fI7UX+Pd9iykokL3R/A6DaUDLnavOSh7I6FKTC+cX918JemUO7Ax6 pESZnBfW1YQ9Z/czPBEVshHWd1QflwU7IMu3gCEqBKP1cgiWdy9MSUBOpGS4nxYqUu WSQUOWNBX5xHEQaGU/FOoMOzYYCXId941/7pA03KyqegN6jgkPYBwtKplVO9g3tKiC RrlbIG4bxK2jw== From: Christian Brauner To: linux-fsdevel@vger.kernel.org Cc: Christian Brauner , Seth Forshee , Christoph Hellwig , Al Viro , Mimi Zohar , linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, Paul Moore Subject: [PATCH v5 13/30] evm: add post set acl hook Date: Tue, 18 Oct 2022 13:56:43 +0200 Message-Id: <20221018115700.166010-14-brauner@kernel.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20221018115700.166010-1-brauner@kernel.org> References: <20221018115700.166010-1-brauner@kernel.org> MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=3022; i=brauner@kernel.org; h=from:subject; bh=3O+gPnGHG8TPnDVhxwIEQLRX/A3IPzI7T52+FI1TLFQ=; b=owGbwMvMwCU28Zj0gdSKO4sYT6slMST7TVHvu7Tz4YONu9UWGMfGpM+arlh/TWrd1Dec1Q2pT39M yNq0oaOUhUGMi0FWTJHFod0kXG45T8Vmo0wNmDmsTCBDGLg4BWAiOnaMDFsdXELnbNU9aPHS7fwdtw 0XinmNWbY63WFs91ncIuPuEMfIMHFNwdKX+7oi/vtVT2JsyWY793r6qmuqd5f7n2k0fjznAAcA X-Developer-Key: i=brauner@kernel.org; a=openpgp; fpr=4880B8C9BD0E5106FC070F4F7B3C391EFEA93624 Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org The security_inode_post_setxattr() hook is used by security modules to update their own security.* xattrs. Consequently none of the security modules operate on posix acls. So we don't need an additional security hook when post setting posix acls. However, the integrity subsystem wants to be informed about posix acl changes in order to reset the EVM status flag. -> evm_inode_post_setxattr() -> evm_update_evmxattr() -> evm_calc_hmac() -> evm_calc_hmac_or_hash() and evm_cacl_hmac_or_hash() walks the global list of protected xattr names evm_config_xattrnames. This global list can be modified via /sys/security/integrity/evm/evm_xattrs. The write to "evm_xattrs" is restricted to security.* xattrs and the default xattrs in evm_config_xattrnames only contains security.* xattrs as well. So the actual value for posix acls is currently completely irrelevant for evm during evm_inode_post_setxattr() and frankly it should stay that way in the future to not cause the vfs any more headaches. But if the actual posix acl values matter then evm shouldn't operate on the binary void blob and try to hack around in the uapi struct anyway. Instead it should then in the future add a dedicated hook which takes a struct posix_acl argument passing the posix acls in the proper vfs format. For now it is sufficient to make evm_inode_post_set_acl() a wrapper around evm_inode_post_setxattr() not passing any actual values down. This will cause the hashes to be updated as before. Reviewed-by: Paul Moore Signed-off-by: Christian Brauner (Microsoft) --- Notes: /* v2 */ unchanged /* v3 */ Reviewed-by: Paul Moore /* v4 */ unchanged /* v5 */ Mimi Zohar : - Tweak commit message. include/linux/evm.h | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/include/linux/evm.h b/include/linux/evm.h index 86139be48992..117ac01b2432 100644 --- a/include/linux/evm.h +++ b/include/linux/evm.h @@ -44,6 +44,12 @@ static inline int evm_inode_remove_acl(struct user_namespace *mnt_userns, { return evm_inode_set_acl(mnt_userns, dentry, acl_name, NULL); } +static inline void evm_inode_post_set_acl(struct dentry *dentry, + const char *acl_name, + struct posix_acl *kacl) +{ + return evm_inode_post_setxattr(dentry, acl_name, NULL, 0); +} extern int evm_inode_init_security(struct inode *inode, const struct xattr *xattr_array, struct xattr *evm); @@ -131,6 +137,13 @@ static inline int evm_inode_remove_acl(struct user_namespace *mnt_userns, return 0; } +static inline void evm_inode_post_set_acl(struct dentry *dentry, + const char *acl_name, + struct posix_acl *kacl) +{ + return; +} + static inline int evm_inode_init_security(struct inode *inode, const struct xattr *xattr_array, struct xattr *evm) From patchwork Tue Oct 18 11:56:45 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Christian Brauner X-Patchwork-Id: 13010351 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id EB88EC43219 for ; Tue, 18 Oct 2022 11:59:55 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229718AbiJRL7x (ORCPT ); Tue, 18 Oct 2022 07:59:53 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57056 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230037AbiJRL7L (ORCPT ); Tue, 18 Oct 2022 07:59:11 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C3737BCBA4; Tue, 18 Oct 2022 04:58:01 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 8D70FB81EBB; Tue, 18 Oct 2022 11:57:59 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 3A46AC433D6; Tue, 18 Oct 2022 11:57:55 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1666094278; bh=hH35kXVXfsR30Xj7RhQBnMeUbGKABO87HrpwHsFmp60=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=B3WJKvUdZ1n0KXeD/YypHD4ZJgIFZ6h9kIxOi/k/Xrgvra+AEEBINCf8AR+G50oES xOyaFg4uqFxHIOMJ18OUb/5aKNmuDSvt03ZvXygwNWBzC5UF9Ll1L8/M2oDZJ5VgXP veg8/TiHi42k7Dcov5wl9ZwgI7FGGsMBx7zZyZMwlXkhI4YiFOUydeygvlBvoHXAaP 23vNGXpdSdiG1i31Q9DQLOAtJIHTyA3FR8cWxpoAfGt9DuvNje9V6oqcA21/VHiJfd CIhxz6lx4QSPyqFOhGuQGYqeUGDgStCMNoUs4OZZAQp+gXJxE/9Q12/qAbB3y/mHwG /6yDVgon4iOZg== From: Christian Brauner To: linux-fsdevel@vger.kernel.org Cc: Christian Brauner , Seth Forshee , Christoph Hellwig , Al Viro , Mimi Zohar , linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH v5 15/30] acl: add vfs_set_acl() Date: Tue, 18 Oct 2022 13:56:45 +0200 Message-Id: <20221018115700.166010-16-brauner@kernel.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20221018115700.166010-1-brauner@kernel.org> References: <20221018115700.166010-1-brauner@kernel.org> MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=6522; i=brauner@kernel.org; h=from:subject; bh=hH35kXVXfsR30Xj7RhQBnMeUbGKABO87HrpwHsFmp60=; b=owGbwMvMwCU28Zj0gdSKO4sYT6slMST7TVG3efBHpnZFm3fHtH/OOu9YKktVShpVfG+GykjuOut4 aM+CjlIWBjEuBlkxRRaHdpNwueU8FZuNMjVg5rAygQxh4OIUgInMsGH4n2ykOHV/4Lmvjy0deBcuvd 37o9P5YnrPnKCLO6w85pRv4GRk2PDQ91WhV+LGjoBZPefYL9v1r93+O90jax3n5KDuSutwZgA= X-Developer-Key: i=brauner@kernel.org; a=openpgp; fpr=4880B8C9BD0E5106FC070F4F7B3C391EFEA93624 Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org In previous patches we implemented get and set inode operations for all non-stacking filesystems that support posix acls but didn't yet implement get and/or set acl inode operations. This specifically affected cifs and 9p. Now we can build a posix acl api based solely on get and set inode operations. We add a new vfs_set_acl() api that can be used to set posix acls. This finally removes all type unsafety and type conversion issues explained in detail in [1] that we aim to get rid of. After we finished building the vfs api we can switch stacking filesystems to rely on the new posix api and then finally switch the xattr system calls themselves to rely on the posix acl api. Link: https://lore.kernel.org/all/20220801145520.1532837-1-brauner@kernel.org [1] Signed-off-by: Christian Brauner (Microsoft) --- Notes: /* v2 */ unchanged /* v3 */ unchanged /* v4 */ Christoph Hellwig : - s/EXPORT_SYMBOL/EXPORT_SYMBOL_GPL/ - return -EOPNOTSUPP from vfs_set_acl() if !CONFIG_FS_POSIX_ACL Christian Brauner (Microsoft) : - use newly introduced may_write_xattr() helper /* v5 */ unchanged fs/posix_acl.c | 107 ++++++++++++++++++++++++++++++++ include/linux/posix_acl.h | 10 +++ include/linux/posix_acl_xattr.h | 10 +++ 3 files changed, 127 insertions(+) diff --git a/fs/posix_acl.c b/fs/posix_acl.c index 912faf932781..6a97eec981fe 100644 --- a/fs/posix_acl.c +++ b/fs/posix_acl.c @@ -25,6 +25,11 @@ #include #include #include +#include +#include +#include + +#include "internal.h" static struct posix_acl **acl_by_type(struct inode *inode, int type) { @@ -1257,3 +1262,105 @@ int simple_acl_create(struct inode *dir, struct inode *inode) posix_acl_release(acl); return 0; } + +static int vfs_set_acl_idmapped_mnt(struct user_namespace *mnt_userns, + struct user_namespace *fs_userns, + struct posix_acl *acl) +{ + for (int n = 0; n < acl->a_count; n++) { + struct posix_acl_entry *acl_e = &acl->a_entries[n]; + + switch (acl_e->e_tag) { + case ACL_USER: + acl_e->e_uid = from_vfsuid(mnt_userns, fs_userns, + VFSUIDT_INIT(acl_e->e_uid)); + break; + case ACL_GROUP: + acl_e->e_gid = from_vfsgid(mnt_userns, fs_userns, + VFSGIDT_INIT(acl_e->e_gid)); + break; + } + } + + return 0; +} + +/** + * vfs_set_acl - set posix acls + * @mnt_userns: user namespace of the mount + * @dentry: the dentry based on which to set the posix acls + * @acl_name: the name of the posix acl + * @kacl: the posix acls in the appropriate VFS format + * + * This function sets @kacl. The caller must all posix_acl_release() on @kacl + * afterwards. + * + * Return: On success 0, on error negative errno. + */ +int vfs_set_acl(struct user_namespace *mnt_userns, struct dentry *dentry, + const char *acl_name, struct posix_acl *kacl) +{ + int acl_type; + int error; + struct inode *inode = d_inode(dentry); + struct inode *delegated_inode = NULL; + + acl_type = posix_acl_type(acl_name); + if (acl_type < 0) + return -EINVAL; + + if (kacl) { + /* + * If we're on an idmapped mount translate from mount specific + * vfs{g,u}id_t into global filesystem k{g,u}id_t. + * Afterwards we can cache the POSIX ACLs filesystem wide and - + * if this is a filesystem with a backing store - ultimately + * translate them to backing store values. + */ + error = vfs_set_acl_idmapped_mnt(mnt_userns, i_user_ns(inode), kacl); + if (error) + return error; + } + +retry_deleg: + inode_lock(inode); + + /* + * We only care about restrictions the inode struct itself places upon + * us otherwise POSIX ACLs aren't subject to any VFS restrictions. + */ + error = may_write_xattr(mnt_userns, inode); + if (error) + goto out_inode_unlock; + + error = security_inode_set_acl(mnt_userns, dentry, acl_name, kacl); + if (error) + goto out_inode_unlock; + + error = try_break_deleg(inode, &delegated_inode); + if (error) + goto out_inode_unlock; + + if (inode->i_opflags & IOP_XATTR) + error = set_posix_acl(mnt_userns, dentry, acl_type, kacl); + else if (unlikely(is_bad_inode(inode))) + error = -EIO; + else + error = -EOPNOTSUPP; + if (!error) { + fsnotify_xattr(dentry); + evm_inode_post_set_acl(dentry, acl_name, kacl); + } + +out_inode_unlock: + inode_unlock(inode); + + if (delegated_inode) { + error = break_deleg_wait(&delegated_inode); + if (!error) + goto retry_deleg; + } + + return error; +} +EXPORT_SYMBOL_GPL(vfs_set_acl); diff --git a/include/linux/posix_acl.h b/include/linux/posix_acl.h index 07e171b4428a..316b05c1dc97 100644 --- a/include/linux/posix_acl.h +++ b/include/linux/posix_acl.h @@ -99,6 +99,9 @@ static inline void cache_no_acl(struct inode *inode) inode->i_acl = NULL; inode->i_default_acl = NULL; } + +int vfs_set_acl(struct user_namespace *mnt_userns, struct dentry *dentry, + const char *acl_name, struct posix_acl *kacl); #else static inline int posix_acl_chmod(struct user_namespace *mnt_userns, struct dentry *dentry, umode_t mode) @@ -126,6 +129,13 @@ static inline int posix_acl_create(struct inode *inode, umode_t *mode, static inline void forget_all_cached_acls(struct inode *inode) { } + +static inline int vfs_set_acl(struct user_namespace *mnt_userns, + struct dentry *dentry, const char *name, + struct posix_acl *acl) +{ + return -EOPNOTSUPP; +} #endif /* CONFIG_FS_POSIX_ACL */ struct posix_acl *get_inode_acl(struct inode *inode, int type); diff --git a/include/linux/posix_acl_xattr.h b/include/linux/posix_acl_xattr.h index ebfa11ac7046..b86b7f170d43 100644 --- a/include/linux/posix_acl_xattr.h +++ b/include/linux/posix_acl_xattr.h @@ -72,6 +72,16 @@ static inline const char *posix_acl_xattr_name(int type) return ""; } +static inline int posix_acl_type(const char *name) +{ + if (strcmp(name, XATTR_NAME_POSIX_ACL_ACCESS) == 0) + return ACL_TYPE_ACCESS; + else if (strcmp(name, XATTR_NAME_POSIX_ACL_DEFAULT) == 0) + return ACL_TYPE_DEFAULT; + + return -1; +} + extern const struct xattr_handler posix_acl_access_xattr_handler; extern const struct xattr_handler posix_acl_default_xattr_handler; From patchwork Tue Oct 18 11:56:55 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Christian Brauner X-Patchwork-Id: 13010394 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 664F3C4332F for ; Tue, 18 Oct 2022 12:00:57 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230398AbiJRMAb (ORCPT ); Tue, 18 Oct 2022 08:00:31 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59132 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229800AbiJRL7f (ORCPT ); Tue, 18 Oct 2022 07:59:35 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 327B2BE2C7; Tue, 18 Oct 2022 04:58:25 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id C22E16153B; Tue, 18 Oct 2022 11:58:24 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 0A997C43470; Tue, 18 Oct 2022 11:58:21 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1666094304; bh=tqHKzPSoL5JMUl6N68cUoyGo4DHsJCIMSdlUIGLtj+w=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=qRmOReillSpWDrbLxV1jjCT53Gf5VI+oKaSX6DDumLpLrFoGrCw1dmsZXB261t2NA F3c5aSZ/2bEYQ5NYbs/YqhdafYHrBHUyMA6SXd5M+8F1ALrC5Pfi0aYcpjawubzsPO O3BW3hZZZoPzlbgIjoOsY/qekMSxtKTLdfQzaxMJEOcqFD3tJc4lFNsOy5n5TRWkBy JpIN2twn1C899EsgQFgTjzGPiwfEM390L3r3+RLRVK9NbVL4iS8gqkaud7c1YIhdwF NTMLbtHB7Df9Sw5mHdbSJ2bIr4+DrpQB/uS+gcy+rcpPKyY1kwIWhE6I21iXNUT+0Y jZCShftqMoJhQ== From: Christian Brauner To: linux-fsdevel@vger.kernel.org Cc: Christian Brauner , Seth Forshee , Christoph Hellwig , Al Viro , Mimi Zohar , linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, Paul Moore Subject: [PATCH v5 25/30] evm: remove evm_xattr_acl_change() Date: Tue, 18 Oct 2022 13:56:55 +0200 Message-Id: <20221018115700.166010-26-brauner@kernel.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20221018115700.166010-1-brauner@kernel.org> References: <20221018115700.166010-1-brauner@kernel.org> MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=3926; i=brauner@kernel.org; h=from:subject; bh=tqHKzPSoL5JMUl6N68cUoyGo4DHsJCIMSdlUIGLtj+w=; b=owGbwMvMwCU28Zj0gdSKO4sYT6slMST7TdFsEJxabXfi3MuKCc8dfn/VNVk5v/enhllSVcjBGs8t rTckOkpZGMS4GGTFFFkc2k3C5ZbzVGw2ytSAmcPKBDKEgYtTACZiaMjwT62WR/WfRZaNdeD6gF2HD0 +KKazNDA1X8paffSc/QMHVg+Gf7dys448nOqtdPRZYy/Cpemlk1a2TF4yj376eVNxu/D2EEwA= X-Developer-Key: i=brauner@kernel.org; a=openpgp; fpr=4880B8C9BD0E5106FC070F4F7B3C391EFEA93624 Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org The security and integrity infrastructure has dedicated hooks now so evm_xattr_acl_change() is dead code. Before this commit the callchain was: evm_protect_xattr() -> evm_xattr_change() -> evm_xattr_acl_change() where evm_protect_xattr() was hit from evm_inode_setxattr() and evm_inode_removexattr(). But now we have evm_inode_set_acl() and evm_inode_remove_acl() and have switched over the vfs to rely on the posix acl api so the code isn't hit anymore. Suggested-by: Paul Moore Signed-off-by: Christian Brauner (Microsoft) --- Notes: /* v2 */ unchanged /* v3 */ Paul Moore : - Remove evm_xattr_acl_change() completely. /* v4 */ unchanged /* v5 */ unchanged security/integrity/evm/evm_main.c | 64 ------------------------------- 1 file changed, 64 deletions(-) diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c index dcc5e704ef70..e074c2b4d499 100644 --- a/security/integrity/evm/evm_main.c +++ b/security/integrity/evm/evm_main.c @@ -434,66 +434,6 @@ static enum integrity_status evm_verify_current_integrity(struct dentry *dentry) return evm_verify_hmac(dentry, NULL, NULL, 0, NULL); } -/* - * evm_xattr_acl_change - check if passed ACL changes the inode mode - * @mnt_userns: user namespace of the idmapped mount - * @dentry: pointer to the affected dentry - * @xattr_name: requested xattr - * @xattr_value: requested xattr value - * @xattr_value_len: requested xattr value length - * - * Check if passed ACL changes the inode mode, which is protected by EVM. - * - * Returns 1 if passed ACL causes inode mode change, 0 otherwise. - */ -static int evm_xattr_acl_change(struct user_namespace *mnt_userns, - struct dentry *dentry, const char *xattr_name, - const void *xattr_value, size_t xattr_value_len) -{ -#ifdef CONFIG_FS_POSIX_ACL - umode_t mode; - struct posix_acl *acl = NULL, *acl_res; - struct inode *inode = d_backing_inode(dentry); - int rc; - - /* - * An earlier comment here mentioned that the idmappings for - * ACL_{GROUP,USER} don't matter since EVM is only interested in the - * mode stored as part of POSIX ACLs. Nonetheless, if it must translate - * from the uapi POSIX ACL representation to the VFS internal POSIX ACL - * representation it should do so correctly. There's no guarantee that - * we won't change POSIX ACLs in a way that ACL_{GROUP,USER} matters - * for the mode at some point and it's difficult to keep track of all - * the LSM and integrity modules and what they do to POSIX ACLs. - * - * Frankly, EVM shouldn't try to interpret the uapi struct for POSIX - * ACLs it received. It requires knowledge that only the VFS is - * guaranteed to have. - */ - acl = vfs_set_acl_prepare(mnt_userns, i_user_ns(inode), - xattr_value, xattr_value_len); - if (IS_ERR_OR_NULL(acl)) - return 1; - - acl_res = acl; - /* - * Passing mnt_userns is necessary to correctly determine the GID in - * an idmapped mount, as the GID is used to clear the setgid bit in - * the inode mode. - */ - rc = posix_acl_update_mode(mnt_userns, inode, &mode, &acl_res); - - posix_acl_release(acl); - - if (rc) - return 1; - - if (inode->i_mode != mode) - return 1; -#endif - return 0; -} - /* * evm_xattr_change - check if passed xattr value differs from current value * @mnt_userns: user namespace of the idmapped mount @@ -513,10 +453,6 @@ static int evm_xattr_change(struct user_namespace *mnt_userns, char *xattr_data = NULL; int rc = 0; - if (posix_xattr_acl(xattr_name)) - return evm_xattr_acl_change(mnt_userns, dentry, xattr_name, - xattr_value, xattr_value_len); - rc = vfs_getxattr_alloc(&init_user_ns, dentry, xattr_name, &xattr_data, 0, GFP_NOFS); if (rc < 0)