Re: [PATCH v2] Add flags option to get xattr method paired to __vfs_getxattr

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 8/14/19 4:00 AM, Jan Kara wrote:
On Tue 13-08-19 07:55:06, Mark Salyzyn wrote:
...
diff --git a/fs/xattr.c b/fs/xattr.c
index 90dd78f0eb27..71f887518d6f 100644
--- a/fs/xattr.c
+++ b/fs/xattr.c
...
  ssize_t
  __vfs_getxattr(struct dentry *dentry, struct inode *inode, const char *name,
-	       void *value, size_t size)
+	       void *value, size_t size, int flags)
  {
  	const struct xattr_handler *handler;
-
-	handler = xattr_resolve_name(inode, &name);
-	if (IS_ERR(handler))
-		return PTR_ERR(handler);
-	if (!handler->get)
-		return -EOPNOTSUPP;
-	return handler->get(handler, dentry, inode, name, value, size);
-}
-EXPORT_SYMBOL(__vfs_getxattr);
-
-ssize_t
-vfs_getxattr(struct dentry *dentry, const char *name, void *value, size_t size)
-{
-	struct inode *inode = dentry->d_inode;
  	int error;
+ if (flags & XATTR_NOSECURITY)
+		goto nolsm;
Hum, is it OK for XATTR_NOSECURITY to skip even the xattr_permission()
check? I understand that for reads of security xattrs it actually does not
matter in practice but conceptually that seems wrong to me as
XATTR_NOSECURITY is supposed to skip just security-module checks to avoid
recursion AFAIU.

Good catch I think.

I was attempting to make this change purely inert, no change in functionality, only a change in API. Adding a call to xattr_permission would incur a change in overall functionality, as it would introduce into the current and original __vfs_getxattr a call to xattr_permission that was not there before.

(I will have to defer the real answer and requirements to the security folks)

AFAIK you are correct, and to make the call would reduce the attack surface, trading a very small amount of CPU utilization, for a much larger amount of trust.

Given the long history of this patch set (for overlayfs) and the large amount of stakeholders, I would _prefer_ to submit a followup independent functionality/security change to _vfs_get_xattr _after_ this makes it in.


diff --git a/include/uapi/linux/xattr.h b/include/uapi/linux/xattr.h
index c1395b5bd432..1216d777d210 100644
--- a/include/uapi/linux/xattr.h
+++ b/include/uapi/linux/xattr.h
@@ -17,8 +17,9 @@
  #if __UAPI_DEF_XATTR
  #define __USE_KERNEL_XATTR_DEFS
-#define XATTR_CREATE 0x1 /* set value, fail if attr already exists */
-#define XATTR_REPLACE	0x2	/* set value, fail if attr does not exist */
+#define XATTR_CREATE	 0x1	/* set value, fail if attr already exists */
+#define XATTR_REPLACE	 0x2	/* set value, fail if attr does not exist */
+#define XATTR_NOSECURITY 0x4	/* get value, do not involve security check */
  #endif
It seems confusing to export XATTR_NOSECURITY definition to userspace when
that is kernel-internal flag. I'd just define it in include/linux/xattr.h
somewhere from the top of flags space (like 0x40000000).

Otherwise the patch looks OK to me (cannot really comment on the security
module aspect of this whole thing though).

Good point. However, we do need to keep these flags together to reduce maintenance risk, I personally abhor two locations for flags bits even if one comes from the opposite bit-side; collisions are undetectable at build time. Although I have not gone through the entire thought experiment, I am expecting that fuse could possibly benefit from this flag (if exposed) since it also has a security recursion. That said, fuse is probably the example of a gaping wide attack surface if user space had access to it ... your xattr_permissions call addition requested above would be realistically, not just pedantically, required!

I have to respin the patch because of yet another hole in filesystem coverage (I blew the mechanical ubifs adjustment, adjusted the wrong function), so please do tell if my rationalizations above hit a note, or if I _need_ to make the changes in this patch (change it to a series?).

Thanks -- Mark Salyzyn






[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Bugtraq]     [Linux OMAP]     [Linux MIPS]     [eCos]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux