On Mon, Jan 13, 2014 at 11:03 PM, Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx> wrote: > Miklos Szeredi wrote: >> Cross rename (A, B) is equivalent to plain rename(A, B) + plain rename >> (B, A) done as a single atomic operation. If security module allows >> both then cross rename is allowed. If at least one is denied then the >> cross rename is denied. > > Yes, the functionality itself is fine. The problem is how LSM users check > their permissions for the functionality. > >> >> This is prepared for in "[PATCH 06/11] security: add flags to rename >> hooks" and actually done in "[PATCH 07/11] vfs: add cross-rename". >> >> Security people are free to implement a explicit security check for >> cross rename, but I don't think that is in the scope of this patchset. >> > I don't know how their permissions are checked, but I think that > swapping /A/B and /C/D should check not only > > Remove a name from directory A > Add a name to directory C > > but also > > Add a name to directory A > Remove a name from directory C > > using their security labels. > > Without making changes to security/*/ directory, SELinux/SMACK/TOMOYO/AppArmor > might fail to check the latter permissions. Those permissions will be checked. Please see security/security.c in patch 07/11 of the series. Of course, review is appreciated. Thanks, Miklos _______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
