On Thu, Sep 22, 2022 at 11:18 AM Christian Brauner <brauner@xxxxxxxxxx> wrote: > > The current way of setting and getting posix acls through the generic > xattr interface is error prone and type unsafe. The vfs needs to > interpret and fixup posix acls before storing or reporting it to > userspace. Various hacks exist to make this work. The code is hard to > understand and difficult to maintain in it's current form. Instead of > making this work by hacking posix acls through xattr handlers we are > building a dedicated posix acl api around the get and set inode > operations. This removes a lot of hackiness and makes the codepaths > easier to maintain. A lot of background can be found in [1]. > > So far posix acls were passed as a void blob to the security and > integrity modules. Some of them like evm then proceed to interpret the > void pointer and convert it into the kernel internal struct posix acl > representation to perform their integrity checking magic. This is > obviously pretty problematic as that requires knowledge that only the > vfs is guaranteed to have and has lead to various bugs. Add a proper > security hook for setting posix acls and pass down the posix acls in > their appropriate vfs format instead of hacking it through a void > pointer stored in the uapi format. > > I spent considerate time in the security module infrastructure and > audited all codepaths. SELinux has no restrictions based on the posix > acl values passed through it. The capability hook doesn't need to be > called either because it only has restrictions on security.* xattrs. So > this all becomes a very simple hook for SELinux. > > Link: https://lore.kernel.org/all/20220801145520.1532837-1-brauner@xxxxxxxxxx [1] > Signed-off-by: Christian Brauner (Microsoft) <brauner@xxxxxxxxxx> > --- > security/selinux/hooks.c | 8 ++++++++ > 1 file changed, 8 insertions(+) > > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index 79573504783b..bbc0ce3bde35 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -3239,6 +3239,13 @@ static int selinux_inode_setxattr(struct user_namespace *mnt_userns, > &ad); > } > > +static int selinux_inode_set_acl(struct user_namespace *mnt_userns, > + struct dentry *dentry, const char *acl_name, > + struct posix_acl *kacl) > +{ > + return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); > +} > + > static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name, > const void *value, size_t size, > int flags) > @@ -7063,6 +7070,7 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { > LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr), > LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr), > LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr), > + LSM_HOOK_INIT(inode_set_acl, selinux_inode_set_acl), See my other reply about needing to see the full patchset in order to properly review the changes, but one thing immediately jumped out at me when looking at this: why is the LSM hook "security_inode_set_acl()" when we are passing a dentry instead of an inode? We don't have a lot of them, but there are `security_dentry_*()` LSM hooks in the existing kernel code. -- paul-moore.com
