Re: [TOMOYO #8 (2.6.25-mm1) 1/7] Introduce new LSM hooks.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, 2008-05-02 at 00:07 +0900, Tetsuo Handa wrote:
> Hello.
> 
> Chris Wright wrote:
> > * Toshiharu Harada (haradats@xxxxxxxxxxxxx) wrote:
> > > This patch allows LSM to check permission using "struct vfsmount"
> > > without passing "struct vfsmount" to VFS helper functions.
> > 
> > This is simply duplicating many of the existing checks.
> > I don't see how this is an improvement.
> > 
> > > --- mm.orig/fs/namei.c
> > > +++ mm/fs/namei.c
> > > @@ -1595,6 +1595,9 @@ int vfs_create(struct inode *dir, struct
> > >  	error = security_inode_create(dir, dentry, mode);
> > >  	if (error)
> > >  		return error;
> > > +	error = security_path_create(dir, dentry, mode, nd);
> > > +	if (error)
> > > +		return error;
> > 
> > Pure duplication (of course adding nameidata, although I think you just
> > want path).
> 
> Stephen Smalley advised me to add parameter to existing hook rather than
> introducing a new hook if the location of existing hook is appropriate.
> OK. I'd like to add "struct nameidata" to security_inode_create()
> rather than introducing security_path_create() in the next patch.

I had thought you were going to add new hooks in the callers, not try to
use the nameidata here.  And I wouldn't pass the nameidata there, just
what you actually need (e.g. the vfsmount).

> > 
> > >  	DQUOT_INIT(dir);
> > >  	error = dir->i_op->create(dir, dentry, mode, nd);
> > >  	if (!error)
> > > @@ -1650,6 +1653,17 @@ int may_open(struct nameidata *nd, int a
> > 	...
> > 	error = vfs_permission(nd, acc_mode);
> > 	if (error)
> > 		return error;
> > 	...
> > >  			return -EPERM;
> > >  
> > >  	/*
> > > +	 * security_inode_permission() called from vfs_permission()
> > > +	 * can't know that the file is going to be truncated when
> > > +	 * open(filename, O_WRONLY | O_TRUNC | O_APPEND) is used.
> > > +	 * So, this hook checks O_APPEND and O_TRUNC flags as well
> > > +	 * as MAY_READ and MAY_WRITE flags.
> > > +	 */
> > > +	error = security_path_open(nd->path.dentry, nd->path.mnt, flag);
> > > +	if (error)
> > > +		return error;
> > 
> > Also duplication.  And why the unique flag handling, you don't seem to
> > ever check?
> 
> The MAY_WRITE flag is not passed to security_inode_permission()
> if security_inode_permission() is called from __open_namei_create().
> Since TOMOYO Linux doesn't check MAY_READ/MAY_WRITE permissions for individual
> read()/write() requests, the permission checks at open() time (i.e. may_open())
> is the only chance to check MAY_WRITE flag. If I can't check MAY_WRITE flag
> here, TOMOYO Linux can't control open(O_WRONLY | O_CREATE | O_EXCL).

You can apply whatever checks you want from your hook in the create
path, right?

> > > @@ -2021,7 +2035,12 @@ fail:
> > >  }
> > >  EXPORT_SYMBOL_GPL(lookup_create);
> > >  
> > > -int vfs_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
> > > +/*
> > > + * These pre_vfs_*() functions are separated from vfs_*() functions so that
> > > + * LSM's security_path_*() functions can do DAC checks before MAC checks
> > > + * without duplicating may_create()/may_delete() functions.
> > > + */
> > > +int pre_vfs_mknod(struct inode *dir, struct dentry *dentry, int mode)
> > >  {
> > >  	int error = may_create(dir, dentry, NULL);
> > >  
> > > @@ -2033,6 +2052,14 @@ int vfs_mknod(struct inode *dir, struct 
> > >  
> > >  	if (!dir->i_op || !dir->i_op->mknod)
> > >  		return -EPERM;
> > > +	return 0;
> > > +}
> > > +
> > > +int vfs_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
> > > +{
> > > +	int error = pre_vfs_mknod(dir, dentry, mode);
> > > +	if (error)
> > > +		return error;
> > 
> > More duplication, you'll get a call chain like:
> > 
> > sys_mknod
> >   security_path_mknod
> >     pre_vfs_mknod
> >   vfs_mknod
> >    pre_vfs_mknod
> >    security_inode_mknod
> > 
> This is an inevitable duplication since I want to do conventional checks
> (DAC checks and inode operation existence checks) before TOMOYO Linux's check.
> 
> By the way, Stephen Smalley thinks it is better to copy codes which is needed by
> pre_vfs_*() (i.e. may_create()/may_delete()/check_sticky()) into
> security/tomoyo/ directory and leave vfs_*() untouched rather than
> extract pre_vfs_*() from vfs_*() and call pre_vfs_*() from vfs_*().
> Question to Al Viro: Do you prefer "copying may_create()/may_delete()/
> check_sticky() functions into security/tomoyo/ directory and leaving vfs_*()
> untouched" to "extracting pre_vfs_*() and making them accessible from
> security/tomoyo/ directory"? If you prefer copying, I'd like to copy them and
> remove pre_vfs_*() in the next patch.

I don't see how splitting out the parts that you are putting in the pre_
functions is especially useful.  Making the may_create()/may_delete()
helpers non-static might make sense.

-- 
Stephen Smalley
National Security Agency

--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [Samba]     [Device Mapper]     [CEPH Development]
  Powered by Linux