The function dentry_open() requires the credentials of the acting process to be passed as a parameter. These credentials are actually used, for example in SELinux, to verify if the process is allowed to access the inode bound to the dentry by calling the function inode_has_perm(). Despite the fact that the verification is done using the passed credentials, the 'file' object created by calling dentry_open() is labeled with the credentials of the 'current' process, which may differ from the former.

An example of such behavior comes from the ecryptfs filesystem, which calls dentry_open() in order to obtain a unique file descriptor of the inode in the lower filesystem to serve concurrent requests made on the related ecryptfs inode. Recently, I made a patch, not yet merged in the mainline, in order to provide to the dentry_open() function the credentials of the kernel kthread service instead of those related to the current process. This allows assigning to the ecryptfs filesystem a privileged role in that it can perform all privileged operations with its own assigned label, letting the access control operate only on objects exposed by ecryptfs.

This patch set is a proposal to modify the labeling behavior of the file descriptor structure by, first, passing the supplied credentials to the get_empty_filp() function, then initializing the 'f_cred' field with the former, and finally, telling LSM security modules which implement the security_file_alloc() hook (SELinux and SMACK) to use such information to append the correct label to the file descriptor.

Last note, it seems that AppArmor does not need to be modified because in the mentioned hook it only allocates its specific structure without assignments.

The patch set applies to the latest released kernel v2.6.37-rc3.

Reference of the released ecryptfs patch:
http://git.kernel.org/?p=linux/kernel/git/ecryptfs/ecryptfs-2.6.git;a=commit;h=0903acc555955ff7bbe1b8324028fe44e5c16a91

Roberto Sassu (4):
  fs: passing task credentials to get_empty_filp()
  fs: move file->f_cred initialization before security_file_alloc()
  selinux: use file->f_cred to determine task's SID
  smack: modified file->f_security assignment in smack_file_alloc_security()

 fs/file_table.c            |    8 ++++----
 fs/internal.h              |    2 +-
 fs/namei.c                 |    2 +-
 fs/open.c                  |    2 +-
 security/selinux/hooks.c   |    2 +-
 security/smack/smack_lsm.c |    2 +-
 6 files changed, 9 insertions(+), 9 deletions(-)

-- 
1.7.2.3
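
The labeling mismatch described in the cover letter, as an added user-space model (not code from the patch set or from the kernel): the structs, the SID values and the helper names other than get_empty_filp are simplified stand-ins, assumed here only to show why moving the f_cred initialization before the hook changes the resulting label.

```c
#include <stdio.h>

/* Simplified user-space stand-ins for kernel objects; not kernel code. */
struct cred { unsigned int sid; };
struct file { const struct cred *f_cred; unsigned int label_sid; };

/* Constructed SIDs: 100 = calling user process, 1 = privileged kthread. */
static const struct cred user_cred = { 100 }, kthread_cred = { 1 };
static const struct cred *current_cred = &user_cred;   /* models 'current' */

/* Models the hook before the series: label comes from 'current'. */
static void hook_label_from_current(struct file *f) { f->label_sid = current_cred->sid; }
/* Models the hook after the series: label comes from file->f_cred. */
static void hook_label_from_f_cred(struct file *f) { f->label_sid = f->f_cred->sid; }

/* Before: the hook runs while f_cred is still unset. */
static struct file get_empty_filp_old(const struct cred *cred)
{
    struct file f = { 0, 0 };
    hook_label_from_current(&f);
    f.f_cred = cred;
    return f;
}

/* After: f_cred is initialized first so the hook can read it. */
static struct file get_empty_filp_new(const struct cred *cred)
{
    struct file f = { 0, 0 };
    f.f_cred = cred;
    hook_label_from_f_cred(&f);
    return f;
}

/* SID the file ends up labeled with when it is opened using 'cred'. */
static unsigned int labeled_sid(const struct cred *cred, int patched)
{
    struct file f = patched ? get_empty_filp_new(cred) : get_empty_filp_old(cred);
    return f.label_sid;
}

int main(void)
{
    /* Lower file opened with the kthread's credentials while a user task is 'current'. */
    printf("checked against SID %u\n", kthread_cred.sid);
    printf("old label SID: %u\n", labeled_sid(&kthread_cred, 0));
    printf("new label SID: %u\n", labeled_sid(&kthread_cred, 1));
    return 0;
}
```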