On Thu, Aug 22, 2019 at 04:42:26PM +0900, Tetsuo Handa wrote:
> Eric Biggers wrote:
> > On Thu, Aug 22, 2019 at 03:55:31PM +0900, Tetsuo Handa wrote:
> > > > Also, isn't the same bug in other places too?:
> > > >
> > > > - tomoyo_path_chmod()
> > > > - tomoyo_path_chown()
> > > > - smack_inode_getsecurity()
> > > > - smack_inode_setsecurity()
> > >
> > > What's the bug? The file descriptor returned by open(O_PATH) cannot be
> > > passed to read(2), write(2), fchmod(2), fchown(2), fgetxattr(2), mmap(2) etc.
> > >
> >
> > chmod(2), chown(2), getxattr(2), and setxattr(2) take a path, not a fd.
> >
>
> OK. Then, is the correct fix
>
> inode_lock(inode);
> if (SOCKET_I(inode)->sk) {
> // Can access SOCKET_I(sock)->sk->*
> } else {
> // Already close()d. Don't touch.
> }
> inode_unlock(inode);
>
> thanks to
>
> commit 6d8c50dcb029872b ("socket: close race condition between sock_close() and sockfs_setattr()")
> commit ff7b11aa481f682e ("net: socket: set sock->sk to NULL after calling proto_ops::release()")
>
> changes?
inode_lock() is already held during security_path_chmod(),
security_path_chown(), and security_inode_setxattr().
So you can't just take it again.
- Eric
