Calls to vfs_setlease() from NFSD code cause unnecessary CAP_LEASE security checks

Jeff Layton jlayton at kernel.org
Fri Feb 2 16:05:06 UTC 2024


On Fri, 2024-02-02 at 16:31 +0100, Ondrej Mosnacek wrote:
> Hello,
> 
> In [1] a user reports seeing SELinux denials from NFSD when it writes
> into /proc/fs/nfsd/threads with the following kernel backtrace:
>  => trace_event_raw_event_selinux_audited
>  => avc_audit_post_callback
>  => common_lsm_audit
>  => slow_avc_audit
>  => cred_has_capability.isra.0
>  => security_capable
>  => capable
>  => generic_setlease
>  => destroy_unhashed_deleg
>  => __destroy_client
>  => nfs4_state_shutdown_net
>  => nfsd_shutdown_net
>  => nfsd_last_thread
>  => nfsd_svc
>  => write_threads
>  => nfsctl_transaction_write
>  => vfs_write
>  => ksys_write
>  => do_syscall_64
>  => entry_SYSCALL_64_after_hwframe
> 
> It seems to me that the security checks in generic_setlease() should
> be skipped (at least) when called through this codepath, since the
> userspace process merely writes into /proc/fs/nfsd/threads and it's
> just the kernel's internal code that releases the lease as a side
> effect. For example, for vfs_write() there is kernel_write(), which
> provides a no-security-check equivalent. Should there be something
> similar for vfs_setlease() that could be utilized for this purpose?
> 
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=2248830
> 

Thanks for the bug report!

Am I correct that we only want to do this check when someone from
userland tries to set a lease via fcntl? The rest of the callers are all
in-kernel callers and I don't think we need to check for any of them. It
may be simpler to just push this check into the appropriate callers of
generic_setlease instead.

Hmm now that I look too...it looks like we aren't checking CAP_LEASE on
filesystems that have their own ->setlease operation. I'll have a look
at that soon too.

Thanks,
-- 
Jeff Layton <jlayton at kernel.org>



More information about the Linux-security-module-archive mailing list