[PATCH -next 0/2] lsm: Change inode_setattr() to take struct
Mickaël Salaün
mic at digikod.net
Fri May 26 16:33:05 UTC 2023
On 15/05/2023 17:12, Christian Brauner wrote:
> On Fri, May 05, 2023 at 04:11:58PM +0800, Xiu Jianfeng wrote:
>> Hi,
>>
>> I am working on adding xattr/attr support for landlock [1], so we can
>> control fs accesses such as chmod, chown, uptimes, setxattr, etc.. inside
>> landlock sandbox. the LSM hooks as following are invoved:
>> 1.inode_setattr
>> 2.inode_setxattr
>> 3.inode_removexattr
>> 4.inode_set_acl
>> 5.inode_remove_acl
>> which are controlled by LANDLOCK_ACCESS_FS_WRITE_METADATA.
>>
>> and
>> 1.inode_getattr
>> 2.inode_get_acl
>> 3.inode_getxattr
>> 4.inode_listxattr
>> which are controlled by LANDLOCK_ACCESS_FS_READ_METADATA
>
> It would be helpful to get the complete, full picture.
>
> Piecemeal extending vfs helpers with struct path arguments is costly,
> will cause a lot of churn and will require a lot of review time from us.
>
> Please give us the list of all security hooks to which you want to pass
> a struct path (if there are more to come apart from the ones listed
> here). Then please follow all callchains and identify the vfs helpers
> that would need to be updated. Then please figure out where those
> vfs helpers are called from and follow all callchains finding all
> inode_operations that would have to be updated and passed a struct path
> argument. So ultimately we'll end up with a list of vfs helpers and
> inode_operations that would have to be changed.
>
> I'm very reluctant to see anything merged without knowing _exactly_ what
> you're getting us into.
Ultimately we'd like the path-based LSMs to reach parity with the
inode-based LSMs. This proposal's goal is to provide users the ability
to control (in a complete and easy way) file metadata access. For these
we need to extend the inode_*attr hooks and inode_*acl hooks to handle
paths. The chown/chmod hooks are already good.
In the future, I'd also like to be able to control directory traversals
(e.g. chdir), which currently only calls inode_permission().
What would be the best way to reach this goal?
More information about the Linux-security-module-archive
mailing list