[PATCH v4 11/30] smack: implement get, set and remove acl hook

Paul Moore paul at paul-moore.com
Thu Sep 29 19:15:09 UTC 2022 

On Thu, Sep 29, 2022 at 11:31 AM Christian Brauner <brauner at kernel.org> wrote:
>
> The current way of setting and getting posix acls through the generic
> xattr interface is error prone and type unsafe. The vfs needs to
> interpret and fixup posix acls before storing or reporting it to
> userspace. Various hacks exist to make this work. The code is hard to
> understand and difficult to maintain in it's current form. Instead of
> making this work by hacking posix acls through xattr handlers we are
> building a dedicated posix acl api around the get and set inode
> operations. This removes a lot of hackiness and makes the codepaths
> easier to maintain. A lot of background can be found in [1].
>
> So far posix acls were passed as a void blob to the security and
> integrity modules. Some of them like evm then proceed to interpret the
> void pointer and convert it into the kernel internal struct posix acl
> representation to perform their integrity checking magic. This is
> obviously pretty problematic as that requires knowledge that only the
> vfs is guaranteed to have and has lead to various bugs. Add a proper
> security hook for setting posix acls and pass down the posix acls in
> their appropriate vfs format instead of hacking it through a void
> pointer stored in the uapi format.
>
> I spent considerate time in the security module infrastructure and
> audited all codepaths. Smack has no restrictions based on the posix
> acl values passed through it. The capability hook doesn't need to be
> called either because it only has restrictions on security.* xattrs. So
> these all becomes very simple hooks for smack.
>
> Link: https://lore.kernel.org/all/20220801145520.1532837-1-brauner@kernel.org [1]
> Reviewed-by: Casey Schaufler <casey at schaufler-ca.com>
> Signed-off-by: Christian Brauner (Microsoft) <brauner at kernel.org>
> ---
>
> Notes:
>     /* v2 */
>     unchanged
>
>     /* v3 */
>     Paul Moore <paul at paul-moore.com>:
>     - Add get, and remove acl hook
>
>     /* v4 */
>     Reviewed-by: Casey Schaufler <casey at schaufler-ca.com>
>
>  security/smack/smack_lsm.c | 69 ++++++++++++++++++++++++++++++++++++++
>  1 file changed, 69 insertions(+)

Two nit-picky comments below, only worth considering if you are
respinning for other reasons.

Reviewed-by: Paul Moore <paul at paul-moore.com>

> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> index 001831458fa2..8247e8fd43d0 100644
> --- a/security/smack/smack_lsm.c
> +++ b/security/smack/smack_lsm.c
> @@ -1393,6 +1393,72 @@ static int smack_inode_removexattr(struct user_namespace *mnt_userns,
>         return 0;
>  }
>
> +/**
> + * smack_inode_set_acl - Smack check for setting posix acls
> + * @mnt_userns: the userns attached to the mnt this request came from
> + * @dentry: the object
> + * @acl_name: name of the posix acl
> + * @kacl: the posix acls
> + *
> + * Returns 0 if access is permitted, an error code otherwise
> + */
> +static int smack_inode_set_acl(struct user_namespace *mnt_userns,
> +                              struct dentry *dentry, const char *acl_name,
> +                              struct posix_acl *kacl)
> +{
> +       struct smk_audit_info ad;
> +       int rc;
> +
> +       smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY);
> +       smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
> +       rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad);
> +       rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc);
> +       return rc;
> +}

Smack tends to add a line of vertical whitespace between the
smk_ad_setfield_...(...) call and the smk_curacc(...) call in the
xattr functions, consistency here might be nice.

> +/**
> + * smack_inode_remove_acl - Smack check for getting posix acls
> + * @mnt_userns: the userns attached to the mnt this request came from
> + * @dentry: the object
> + * @acl_name: name of the posix acl
> + *
> + * Returns 0 if access is permitted, an error code otherwise
> + */
> +static int smack_inode_remove_acl(struct user_namespace *mnt_userns,
> +                                 struct dentry *dentry, const char *acl_name)
> +{
> +       struct smk_audit_info ad;
> +       int rc;
> +
> +       smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY);
> +       smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
> +       rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad);
> +       rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc);
> +       return rc;
> +}

Same comment about the vertical whitespace applies here.


--
paul-moore.com

More information about the Linux-security-module-archive mailing list