On Wed 14-08-19 07:54:16, Mark Salyzyn wrote:
> On 8/14/19 4:00 AM, Jan Kara wrote:
> > On Tue 13-08-19 07:55:06, Mark Salyzyn wrote:
> > ...
> > > diff --git a/fs/xattr.c b/fs/xattr.c
> > > index 90dd78f0eb27..71f887518d6f 100644
> > > --- a/fs/xattr.c
> > > +++ b/fs/xattr.c
> > ...
> > > ssize_t
> > > __vfs_getxattr(struct dentry *dentry, struct inode *inode, const char *name,
> > > - void *value, size_t size)
> > > + void *value, size_t size, int flags)
> > > {
> > > const struct xattr_handler *handler;
> > > -
> > > - handler = xattr_resolve_name(inode, &name);
> > > - if (IS_ERR(handler))
> > > - return PTR_ERR(handler);
> > > - if (!handler->get)
> > > - return -EOPNOTSUPP;
> > > - return handler->get(handler, dentry, inode, name, value, size);
> > > -}
> > > -EXPORT_SYMBOL(__vfs_getxattr);
> > > -
> > > -ssize_t
> > > -vfs_getxattr(struct dentry *dentry, const char *name, void *value, size_t size)
> > > -{
> > > - struct inode *inode = dentry->d_inode;
> > > int error;
> > > + if (flags & XATTR_NOSECURITY)
> > > + goto nolsm;
> > Hum, is it OK for XATTR_NOSECURITY to skip even the xattr_permission()
> > check? I understand that for reads of security xattrs it actually does not
> > matter in practice but conceptually that seems wrong to me as
> > XATTR_NOSECURITY is supposed to skip just security-module checks to avoid
> > recursion AFAIU.
>
> Good catch I think.
>
> I was attempting to make this change purely inert, no change in
> functionality, only a change in API. Adding a call to xattr_permission would
> incur a change in overall functionality, as it would introduce into the
> current and original __vfs_getxattr a call to xattr_permission that was not
> there before.
>
> (I will have to defer the real answer and requirements to the security
> folks)
>
> AFAIK you are correct, and to make the call would reduce the attack surface,
> trading a very small amount of CPU utilization, for a much larger amount of
> trust.
>
> Given the long history of this patch set (for overlayfs) and the large
> amount of stakeholders, I would _prefer_ to submit a followup independent
> functionality/security change to _vfs_get_xattr _after_ this makes it in.
You're right. The problem was there before. So ack to changing this later.
> > > diff --git a/include/uapi/linux/xattr.h b/include/uapi/linux/xattr.h
> > > index c1395b5bd432..1216d777d210 100644
> > > --- a/include/uapi/linux/xattr.h
> > > +++ b/include/uapi/linux/xattr.h
> > > @@ -17,8 +17,9 @@
> > > #if __UAPI_DEF_XATTR
> > > #define __USE_KERNEL_XATTR_DEFS
> > > -#define XATTR_CREATE 0x1 /* set value, fail if attr already exists */
> > > -#define XATTR_REPLACE 0x2 /* set value, fail if attr does not exist */
> > > +#define XATTR_CREATE 0x1 /* set value, fail if attr already exists */
> > > +#define XATTR_REPLACE 0x2 /* set value, fail if attr does not exist */
> > > +#define XATTR_NOSECURITY 0x4 /* get value, do not involve security check */
> > > #endif
> > It seems confusing to export XATTR_NOSECURITY definition to userspace when
> > that is kernel-internal flag. I'd just define it in include/linux/xattr.h
> > somewhere from the top of flags space (like 0x40000000).
> >
> > Otherwise the patch looks OK to me (cannot really comment on the security
> > module aspect of this whole thing though).
>
> Good point. However, we do need to keep these flags together to reduce
> maintenance risk, I personally abhor two locations for flags bits even if
> one comes from the opposite bit-side; collisions are undetectable at build
> time. Although I have not gone through the entire thought experiment, I am
> expecting that fuse could possibly benefit from this flag (if exposed) since
> it also has a security recursion. That said, fuse is probably the example of
> a gaping wide attack surface if user space had access to it ... your
> xattr_permissions call addition requested above would be realistically, not
> just pedantically, required!
Yeah, flags bits in two places are bad as well. So maybe at least
#ifdef __KERNEL__ bit around the definitiona and a comment that it is
kernel internal flag?
Honza
--
Jan Kara <jack@xxxxxxxx>
SUSE Labs, CR
______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/
Re: [PATCH v2] Add flags option to get xattr method paired to __vfs_getxattr
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
- Subject: Re: [PATCH v2] Add flags option to get xattr method paired to __vfs_getxattr
- From: Jan Kara <jack@xxxxxxx>
- Date: Thu, 15 Aug 2019 17:30:24 +0200
- Cc: Latchesar Ionkov <lucho@xxxxxxxxxx>, Dave Kleikamp <shaggy@xxxxxxxxxx>, jfs-discussion@xxxxxxxxxxxxxxxxxxxxx, Phillip Lougher <phillip@xxxxxxxxxxxxxxx>, Jan Kara <jack@xxxxxxx>, linux-integrity@xxxxxxxxxxxxxxx, Martin Brandenburg <martin@xxxxxxxxxxxx>, samba-technical@xxxxxxxxxxxxxxx, Dominique Martinet <asmadeus@xxxxxxxxxxxxx>, Chao Yu <yuchao0@xxxxxxxxxx>, Mimi Zohar <zohar@xxxxxxxxxxxxx>, Adrian Hunter <adrian.hunter@xxxxxxxxx>, linux-mm@xxxxxxxxx, Chris Mason <clm@xxxxxx>, netdev@xxxxxxxxxxxxxxx, Andreas Dilger <adilger.kernel@xxxxxxxxx>, linux-xfs@xxxxxxxxxxxxxxx, Eric Paris <eparis@xxxxxxxxxxxxxx>, linux-f2fs-devel@xxxxxxxxxxxxxxxxxxxxx, linux-afs@xxxxxxxxxxxxxxxxxxx, Stephen Smalley <sds@xxxxxxxxxxxxx>, Mike Marshall <hubcap@xxxxxxxxxxxx>, devel@xxxxxxxxxxxxxxxxxxxx, linux-cifs@xxxxxxxxxxxxxxx, Paul Moore <paul@xxxxxxxxxxxxxx>, Sage Weil <sage@xxxxxxxxxx>, "Darrick J. Wong" <darrick.wong@xxxxxxxxxx>, Richard Weinberger <richard@xxxxxx>, Mark Fasheh <mark@xxxxxxxxxx>, linux-unionfs@xxxxxxxxxxxxxxx, Hugh Dickins <hughd@xxxxxxxxxx>, James Morris <jmorris@xxxxxxxxx>, cluster-devel@xxxxxxxxxx, Joseph Qi <joseph.qi@xxxxxxxxxxxxxxxxx>, Vyacheslav Dubeyko <slava@xxxxxxxxxxx>, Casey Schaufler <casey@xxxxxxxxxxxxxxxx>, v9fs-developer@xxxxxxxxxxxxxxxxxxxxx, Ilya Dryomov <idryomov@xxxxxxxxx>, linux-ext4@xxxxxxxxxxxxxxx, kernel-team@xxxxxxxxxxx, devel@xxxxxxxxxxxxxxxxxx, Serge Hallyn <serge@xxxxxxxxxx>, Gao Xiang <gaoxiang25@xxxxxxxxxx>, Eric Van Hensbergen <ericvh@xxxxxxxxx>, ecryptfs@xxxxxxxxxxxxxxx, linux-erofs@xxxxxxxxxxxxxxxx, Josef Bacik <josef@xxxxxxxxxxxxxx>, reiserfs-devel@xxxxxxxxxxxxxxx, Bob Peterson <rpeterso@xxxxxxxxxx>, Joel Becker <jlbec@xxxxxxxxxxxx>, Anna Schumaker <anna.schumaker@xxxxxxxxxx>, David Sterba <dsterba@xxxxxxxx>, Jaegeuk Kim <jaegeuk@xxxxxxxxxx>, ceph-devel@xxxxxxxxxxxxxxx, selinux@xxxxxxxxxxxxxxx, Trond Myklebust <trond.myklebust@xxxxxxxxxxxxxxx>, Andreas Gruenbacher <agruenba@xxxxxxxxxx>, David Howells <dhowells@xxxxxxxxxx>, linux-nfs@xxxxxxxxxxxxxxx, "Theodore Ts'o" <tytso@xxxxxxx>, linux-fsdevel@xxxxxxxxxxxxxxx, Artem Bityutskiy <dedekind1@xxxxxxxxx>, Mathieu Malaterre <malat@xxxxxxxxxx>, Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>, Miklos Szeredi <miklos@xxxxxxxxxx>, Jeff Layton <jlayton@xxxxxxxxxx>, linux-kernel@xxxxxxxxxxxxxxx, stable@xxxxxxxxxxxxxxx, Tyler Hicks <tyhicks@xxxxxxxxxxxxx>, Steve French <sfrench@xxxxxxxxx>, Ernesto A. Fernández <ernesto.mnd.fernandez@xxxxxxxxx>, linux-btrfs@xxxxxxxxxxxxxxx, linux-security-module@xxxxxxxxxxxxxxx, Jan Kara <jack@xxxxxxxx>, Tejun Heo <tj@xxxxxxxxxx>, linux-mtd@xxxxxxxxxxxxxxxxxxx, Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>, David Woodhouse <dwmw2@xxxxxxxxxxxxx>, "David S. Miller" <davem@xxxxxxxxxxxxx>, ocfs2-devel@xxxxxxxxxxxxxx, Alexander Viro <viro@xxxxxxxxxxxxxxxxxx>
- In-reply-to: <71d66fd1-cc94-fd0c-dfa7-115ba8a6b95a@android.com>
- References: <20190813145527.26289-1-salyzyn@android.com> <20190814110022.GB26273@quack2.suse.cz> <71d66fd1-cc94-fd0c-dfa7-115ba8a6b95a@android.com>
- User-agent: Mutt/1.10.1 (2018-07-13)
- References:
- Prev by Date: Re: [PATCH] mtd: spi-nor: Fix an error code in spi_nor_read_raw()
- Next by Date: [PATCH v4] Add flags option to get xattr method paired to __vfs_getxattr
- Previous by thread: Re: [PATCH v2] Add flags option to get xattr method paired to __vfs_getxattr
- Next by thread: Re: [PATCH v2] Add flags option to get xattr method paired to __vfs_getxattr
- Index(es):
 |