On Mon, Sep 26, 2022 at 11:24 AM Christian Brauner <brauner@xxxxxxxxxx> wrote: > > The current way of setting and getting posix acls through the generic > xattr interface is error prone and type unsafe. The vfs needs to > interpret and fixup posix acls before storing or reporting it to > userspace. Various hacks exist to make this work. The code is hard to > understand and difficult to maintain in it's current form. Instead of > making this work by hacking posix acls through xattr handlers we are > building a dedicated posix acl api around the get and set inode > operations. This removes a lot of hackiness and makes the codepaths > easier to maintain. A lot of background can be found in [1]. > > So far posix acls were passed as a void blob to the security and > integrity modules. Some of them like evm then proceed to interpret the > void pointer and convert it into the kernel internal struct posix acl > representation to perform their integrity checking magic. This is > obviously pretty problematic as that requires knowledge that only the > vfs is guaranteed to have and has lead to various bugs. Add a proper > security hook for setting posix acls and pass down the posix acls in > their appropriate vfs format instead of hacking it through a void > pointer stored in the uapi format. > > I spent considerate time in the security module and integrity > infrastructure and audited all codepaths. EVM is the only part that > really has restrictions based on the actual posix acl values passed > through it. Before this dedicated hook EVM used to translate from the > uapi posix acl format sent to it in the form of a void pointer into the > vfs format. This is not a good thing. Instead of hacking around in the > uapi struct give EVM the posix acls in the appropriate vfs format and > perform sane permissions checks that mirror what it used to to in the > generic xattr hook. > > Link: https://lore.kernel.org/all/20220801145520.1532837-1-brauner@xxxxxxxxxx [1] > Signed-off-by: Christian Brauner (Microsoft) <brauner@xxxxxxxxxx> > --- > > Notes: > /* v2 */ > unchanged > > include/linux/evm.h | 10 +++++ > security/integrity/evm/evm_main.c | 66 ++++++++++++++++++++++++++++++- > security/security.c | 9 ++++- > 3 files changed, 83 insertions(+), 2 deletions(-) Ultimately this is Mimi's call, and it can be done later after this patchset is merged, but it seems to me that some of the code in evm_inode_set_acl() could be pulled out into a helper function(s) shared with evm_protect_xattr(). Reviewed-by: Paul Moore <paul@xxxxxxxxxxxxxx> -- paul-moore.com
