[PATCH] security: fix no-op hook logic in security_inode_{set,remove}xattr()

Casey Schaufler casey at schaufler-ca.com
Fri Feb 2 00:10:59 UTC 2024


On 2/1/2024 3:52 PM, Paul Moore wrote:
> On Tue, Jan 30, 2024 at 9:19 PM Paul Moore <paul at paul-moore.com> wrote:
>> I'll come back to this tomorrow with some fresh eyes.
> My apologies, "tomorrow" turned into "the day after tomorrow" (as it
> often does) ...
>
> I've been struggling with the idea that there are individual LSMs
> still calling into the capability hooks instead of leveraging the LSM
> stacking infrastructure, and the "magic" involved to make it all work.
> While your patch looks like it should restore proper behavior - that's
> good! - I keep thinking that we can, and should, do better.

Apology for attaching a patch rather than inlining it.
I've attached patch #38 from the current stacking set.
It addresses the issue.

>
> The only thing that I coming up with is to create two new LSM hooks,
> in addition to the existing 'inode_setxattr' hook.  The new LSM hooks
> would be 'inode_setxattr_owned' and 'inode_setxattr_cap'.  The _owned
> hook would simply check the xattr name and return a positive value if
> the LSM "owned" the xattr, e.g. XATTR_NAME_SELINUX for SELinux, and
> zero otherwise.  The _cap hook would only be used by the capabilities
> code (or something similar), and would match up with
> cap_inode_setxattr().  With these two new hooks I think we could do
> something like this:
>
> int security_inode_setxattr(...)
> {
>   owned = false
>   hook_loop(inode_setxattr_owned) {
>     trc = hook->inode_setxattr_owned(name);
>     if (trc > 0) {
>       owned = true;
>       break;
>     }
>   }
>   if (owned) {
>     hook_loop(inode_setxattr) {
>       /* run the existing inode_setxattr hooks, e.g. SELinux and Smack */
>     }
>   } else {
>     hook_loop(inode_setxattr_cap) {
>       /* run the capability setxattr hooks, e.g. commoncap.c */
>     }
>   }
> }
>
> .. with security_inode_removexattr() following a similar pattern.
>
> I will admit that there is some duplication in having to check the
> xattr twice (once in _owned, again in inode_setxattr), and the
> multiple hook approach is less than ideal, but this seems much less
> fragile to me.
>
> Thoughts?
>
-------------- next part --------------
From 644ac239cbbdee3d4fc3ba0173c85b34382670c6 Mon Sep 17 00:00:00 2001
From: Casey Schaufler <casey at schaufler-ca.com>
Date: Thu, 26 Oct 2023 12:52:55 -0700
Subject: [PATCH v39 38/42] LSM: Correct handling of ENOSYS in inode_setxattr

The usual "bail on fail" behavior of LSM hooks doesn't
work for security_inode_setxattr(). Modules are allowed
to return -ENOSYS if the attribute specified isn't one
they manage. Fix the code to accommodate this unusal case.
This requires changes to the hooks in SELinux and Smack.

Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
---
 security/security.c        | 29 +++++++++++++++--------------
 security/selinux/hooks.c   |  7 ++-----
 security/smack/smack_lsm.c | 10 +++++-----
 3 files changed, 22 insertions(+), 24 deletions(-)

diff --git a/security/security.c b/security/security.c
index 64cdf0e09832..b1a849e8589c 100644
--- a/security/security.c
+++ b/security/security.c
@@ -2346,24 +2346,25 @@ int security_inode_setxattr(struct mnt_idmap *idmap,
 			    struct dentry *dentry, const char *name,
 			    const void *value, size_t size, int flags)
 {
-	int ret;
+	struct security_hook_list *hp;
+	int rc = -ENOSYS;
 
 	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
 		return 0;
-	/*
-	 * SELinux and Smack integrate the cap call,
-	 * so assume that all LSMs supplying this call do so.
-	 */
-	ret = call_int_hook(inode_setxattr, 1, idmap, dentry, name, value,
-			    size, flags);
 
-	if (ret == 1)
-		ret = cap_inode_setxattr(dentry, name, value, size, flags);
-	if (ret)
-		return ret;
-	ret = ima_inode_setxattr(dentry, name, value, size);
-	if (ret)
-		return ret;
+	hlist_for_each_entry(hp, &security_hook_heads.inode_setxattr, list) {
+		rc = hp->hook.inode_setxattr(idmap, dentry, name, value, size,
+					     flags);
+		if (rc != -ENOSYS)
+			break;
+	}
+	if (rc == -ENOSYS)
+		rc = cap_inode_setxattr(dentry, name, value, size, flags);
+	if (rc)
+		return rc;
+	rc = ima_inode_setxattr(dentry, name, value, size);
+	if (rc)
+		return rc;
 	return evm_inode_setxattr(idmap, dentry, name, value, size);
 }
 
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 46dee63eec12..4ac4b536c568 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3207,13 +3207,10 @@ static int selinux_inode_setxattr(struct mnt_idmap *idmap,
 	int rc = 0;
 
 	if (strcmp(name, XATTR_NAME_SELINUX)) {
-		rc = cap_inode_setxattr(dentry, name, value, size, flags);
-		if (rc)
-			return rc;
-
 		/* Not an attribute we recognize, so just check the
 		   ordinary setattr permission. */
-		return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
+		rc = dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
+		return rc ? rc : -ENOSYS;
 	}
 
 	if (!selinux_initialized())
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 61bd3f626e7d..02b9aa200ad4 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -1340,7 +1340,7 @@ static int smack_inode_setxattr(struct mnt_idmap *idmap,
 		    strncmp(value, TRANS_TRUE, TRANS_TRUE_SIZE) != 0)
 			rc = -EINVAL;
 	} else
-		rc = cap_inode_setxattr(dentry, name, value, size, flags);
+		rc = -ENOSYS;
 
 	if (check_priv && !smack_privileged(CAP_MAC_ADMIN))
 		rc = -EPERM;
@@ -1354,11 +1354,11 @@ static int smack_inode_setxattr(struct mnt_idmap *idmap,
 			rc = -EINVAL;
 	}
 
-	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY);
-	smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
-
 	if (rc == 0) {
-		rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad);
+		smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY);
+		smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
+		rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)),
+				MAY_WRITE, &ad);
 		rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc);
 	}
 
-- 
2.41.0



More information about the Linux-security-module-archive mailing list