Re: [git pull] apparmor fix for __d_path() misuse

On Wed, Dec 07, 2011 at 12:26:25PM +0900, Tetsuo Handa wrote:
> >         char *pos = ERR_PTR(-ENOMEM);
> >         if (buflen >= 256) {
> > -               struct path ns_root = { };
> >                 /* go to whatever namespace root we are under */
> > -               pos = __d_path(path, &ns_root, buffer, buflen - 1);
> > +               pos = d_absolute_path(path, buffer, buflen - 1);
> >                 if (!IS_ERR(pos) && *pos == '/' && pos[1]) {
> >                         struct inode *inode = path->dentry->d_inode;
> >                         if (inode && S_ISDIR(inode->i_mode)) {
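Review bot: the `if (!IS_ERR(pos) && ...)` check after the new d_absolute_path() call still treats every error pointer alike, but as the thread notes the call can now fail with -EINVAL (mount chain being dissolved by a racing umount -l) as well as -ENAMETOOLONG, and a caller that assumes -ENAMETOOLONG is the only error and retries with a larger buffer will either loop uselessly or deny outright. Suggest testing `PTR_ERR(pos) == -EINVAL` explicitly, falling back to the fs-root-relative name that dentry_path() would give (the only part still trustworthy at that point), and keeping the grow-and-retry path for -ENAMETOOLONG only.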
> 
> Currently, TOMOYO assumes that -ENAMETOOLONG is the only error which __d_path()
> might return (and retries with larger buffer size unless kmalloc() fails).
> If d_absolute_path() starts returning -EINVAL, TOMOYO will deny requests even
> if "partial (I mean the result would have been different if reachable)"
> pathname is granted by the policy.
> 
> How commonly can conditions that make d_absolute_path() return -EINVAL happen?

Race with umount -l, basically.  In that case the pathname is completely
unreliable - if I do umount -l /mnt, pathnames that would be under mnt
may get truncated on *ANY* mountpoint.  Not "always cut on /mnt"; not "always
cut on the last mountpoint"; it's "everything from root to arbitrary mountpoint
on that path is not noticed".  If your policy really has to deal with such
situations (unexpected umount -l racing with operations in the subtree that
gets dissolved), you do have a problem.  Right now, in the mainline kernel.
Because the pathname you are currently getting is unreliable as hell and
making any decisions based on it is, er, not particularly wise.

If you want to add handling of that -EINVAL in some form, feel free.  But
keep in mind that the *ONLY* part of pathname you can really recover at
that point is what dentry_path() would give you - i.e. from fs root to
object in question.  Everything prior to that is absolutely unreliable
and is bound to go away in a very short while - ->mnt_parent on the entire
chain is in process of being dissolved when we hit that race.
--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

