[PATCH] Introduce v3 namespaced file capabilities
Eric W. Biederman
ebiederm at xmission.com
Sun Apr 23 01:14:11 UTC 2017
"Serge E. Hallyn" <serge at hallyn.com> writes:
> Quoting Eric W. Biederman (ebiederm at xmission.com):
>>
>> "Serge E. Hallyn" <serge at hallyn.com> writes:
>>
>> Overall this looks quite reasonable.
>>
>> My only big concern was the lack of verifying of magic_etc. As without
>
> Yes, I was relying too much on the size check.
>
>> that the code might not be future compatible with new versions of the
>> capability xattrs. It it tends to be nice to be able to boot old
>> kernels when regression testing etc. Even if they can't make use of
>> all of the features of a new filesystem.
>
> That certainly was my intent.
>
>> > diff --git a/fs/xattr.c b/fs/xattr.c
>> > index 7e3317c..75cc65a 100644
>> > --- a/fs/xattr.c
>> > +++ b/fs/xattr.c
>> > @@ -170,12 +170,29 @@ int __vfs_setxattr_noperm(struct dentry *dentry, const char *name,
>> > const void *value, size_t size, int flags)
>> > {
>> > struct inode *inode = dentry->d_inode;
>> > - int error = -EAGAIN;
>> > + int error;
>> > + void *wvalue = NULL;
>> > + size_t wsize = 0;
>> > int issec = !strncmp(name, XATTR_SECURITY_PREFIX,
>> > XATTR_SECURITY_PREFIX_LEN);
>> >
>> > - if (issec)
>> > + if (issec) {
>> > inode->i_flags &= ~S_NOSEC;
>> > +
>> > + if (!strcmp(name, "security.capability")) {
>> > + error = cap_setxattr_convert_nscap(dentry, value, size,
>> > + &wvalue, &wsize);
>> > + if (error < 0)
>> > + return error;
>> > + if (wvalue) {
>> > + value = wvalue;
>> > + size = wsize;
>> > + }
>> > + }
>> > + }
>> > +
>> > + error = -EAGAIN;
>> > +
>>
>> Why is the conversion in __vfs_setxattr_noperm and not in setattr as
>> was done for posix_acl_fix_xattr_from_user?
>
> I think I was thinking I wanted to catch all the vfs_setxattr operations,
> but I don't think that's right. Moving to setxattr seems right. I'll
> look around a bit more.
Thanks. This is one of these little details that we want a good answer
to why there. If you can document that in your patch description when
you resend I would appreciate it.
>> Missing version checks on the magic_etc field.
>> And the wrong error code when the code deliberately refuses to return a
>> capability.
>
> Thanks, all looks good. Did you want to just squash these yourself and
> move on, keep them as separate patches, or have me incorporate into mine
> and resend?
Given that there is an outstanding question I would appreciate a resend
with an updated patch description, the changes squashed and possibly a
change in where cap_setxattr_convert_nscap is called.
I have the untested version on my for-testing branch and except for
a small increase in the binary size of the kernel all seems well.
Eric
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
More information about the Linux-security-module-archive
mailing list