[PATCH] fs: switch order of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks

Serge E. Hallyn serge at hallyn.com
Fri Mar 10 21:47:56 UTC 2017 

Quoting Stephen Smalley (sds at tycho.nsa.gov):
> generic_permission() presently checks CAP_DAC_OVERRIDE prior to
> CAP_DAC_READ_SEARCH.  This can cause misleading audit messages when
> using a LSM such as SELinux or AppArmor, since CAP_DAC_OVERRIDE
> may not be required for the operation.  Flip the order of the
> tests so that CAP_DAC_OVERRIDE is only checked when required for
> the operation.
> 
> Signed-off-by: Stephen Smalley <sds at tycho.nsa.gov>

Lol, not sure if that patch has arranged itself to be as confusing
as possible (for a simple end result) or if it's in my head :), but
I had to read it like 3 times, despite it appearing trivial in the
end.

Reviewed-by: Serge Hallyn <serge at hallyn.com>

> ---
>  fs/namei.c | 20 ++++++++++----------
>  1 file changed, 10 insertions(+), 10 deletions(-)
> 
> diff --git a/fs/namei.c b/fs/namei.c
> index d41fab7..482414a 100644
> --- a/fs/namei.c
> +++ b/fs/namei.c
> @@ -340,22 +340,14 @@ int generic_permission(struct inode *inode, int mask)
>  
>  	if (S_ISDIR(inode->i_mode)) {
>  		/* DACs are overridable for directories */
> -		if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
> -			return 0;
>  		if (!(mask & MAY_WRITE))
>  			if (capable_wrt_inode_uidgid(inode,
>  						     CAP_DAC_READ_SEARCH))
>  				return 0;
> -		return -EACCES;
> -	}
> -	/*
> -	 * Read/write DACs are always overridable.
> -	 * Executable DACs are overridable when there is
> -	 * at least one exec bit set.
> -	 */
> -	if (!(mask & MAY_EXEC) || (inode->i_mode & S_IXUGO))
>  		if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
>  			return 0;
> +		return -EACCES;
> +	}
>  
>  	/*
>  	 * Searching includes executable on directories, else just read.
> @@ -364,6 +356,14 @@ int generic_permission(struct inode *inode, int mask)
>  	if (mask == MAY_READ)
>  		if (capable_wrt_inode_uidgid(inode, CAP_DAC_READ_SEARCH))
>  			return 0;
> +	/*
> +	 * Read/write DACs are always overridable.
> +	 * Executable DACs are overridable when there is
> +	 * at least one exec bit set.
> +	 */
> +	if (!(mask & MAY_EXEC) || (inode->i_mode & S_IXUGO))
> +		if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
> +			return 0;
>  
>  	return -EACCES;
>  }
> -- 
> 2.7.4
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

More information about the Linux-security-module-archive mailing list