On Sat, 17 Jan 2015, Ben Hutchings wrote: > chown() and write() should clear all privilege attributes on > a file - setuid, setgid, setcap and any other extended > privilege attributes. > > However, any attributes beyond setuid and setgid are managed by the > LSM and not directly by the filesystem, so they cannot be set along > with the other attributes. > > Currently we call security_inode_killpriv() in notify_change(), > but in case of a chown() this is too early - we have not called > inode_change_ok() or made any filesystem-specific permission/sanity > checks. > > Add a new function setattr_killpriv() which calls > security_inode_killpriv() if necessary, and change the setattr() > implementation to call this in each filesystem that supports xattrs. > This assumes that extended privilege attributes are always stored in > xattrs. It'd be useful to get some input from LSM module maintainers on this. e.g. doesn't SELinux already handle this via policy directives? -- James Morris <jmorris@xxxxxxxxx> -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
