Calls to vfs_setlease() from NFSD code cause unnecessary CAP_LEASE security checks
Ondrej Mosnacek
omosnace at redhat.com
Fri Feb 2 15:31:51 UTC 2024
Hello,
In [1] a user reports seeing SELinux denials from NFSD when it writes
into /proc/fs/nfsd/threads with the following kernel backtrace:
=> trace_event_raw_event_selinux_audited
=> avc_audit_post_callback
=> common_lsm_audit
=> slow_avc_audit
=> cred_has_capability.isra.0
=> security_capable
=> capable
=> generic_setlease
=> destroy_unhashed_deleg
=> __destroy_client
=> nfs4_state_shutdown_net
=> nfsd_shutdown_net
=> nfsd_last_thread
=> nfsd_svc
=> write_threads
=> nfsctl_transaction_write
=> vfs_write
=> ksys_write
=> do_syscall_64
=> entry_SYSCALL_64_after_hwframe
It seems to me that the security checks in generic_setlease() should
be skipped (at least) when called through this codepath, since the
userspace process merely writes into /proc/fs/nfsd/threads and it's
just the kernel's internal code that releases the lease as a side
effect. For example, for vfs_write() there is kernel_write(), which
provides a no-security-check equivalent. Should there be something
similar for vfs_setlease() that could be utilized for this purpose?
[1] https://bugzilla.redhat.com/show_bug.cgi?id=2248830
--
Ondrej Mosnacek
Senior Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
More information about the Linux-security-module-archive
mailing list