[PATCH 1/5] security: allow finer granularity in permitting copy-up of security xattrs
Christian Brauner
brauner at kernel.org
Wed Jan 31 14:25:32 UTC 2024
On Wed, Jan 31, 2024 at 03:25:29PM +0200, Amir Goldstein wrote:
> On Tue, Jan 30, 2024 at 11:46 PM Stefan Berger <stefanb at linux.ibm.com> wrote:
> >
> > Copying up xattrs is solely based on the security xattr name. For finer
> > granularity add a dentry parameter to the security_inode_copy_up_xattr
> > hook definition, allowing decisions to be based on the xattr content as
> > well.
> >
> > Signed-off-by: Stefan Berger <stefanb at linux.ibm.com>
> > ---
> > fs/overlayfs/copy_up.c | 2 +-
> > include/linux/evm.h | 2 +-
> > include/linux/lsm_hook_defs.h | 3 ++-
> > include/linux/security.h | 4 ++--
> > security/integrity/evm/evm_main.c | 2 +-
> > security/security.c | 7 ++++---
> > security/selinux/hooks.c | 2 +-
> > security/smack/smack_lsm.c | 2 +-
> > 8 files changed, 13 insertions(+), 11 deletions(-)
> >
> > diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c
> > index b8e25ca51016..bd9ddcefb7a7 100644
> > --- a/fs/overlayfs/copy_up.c
> > +++ b/fs/overlayfs/copy_up.c
> > @@ -114,7 +114,7 @@ int ovl_copy_xattr(struct super_block *sb, const struct path *oldpath, struct de
> > if (ovl_is_private_xattr(sb, name))
> > continue;
> >
> > - error = security_inode_copy_up_xattr(name);
> > + error = security_inode_copy_up_xattr(old, name);
>
> What do you think about:
>
> error = security_inode_copy_up_xattr(name, NULL, 0);
>
> and then later...
>
> error = security_inode_copy_up_xattr(name, value, size);
>
> I am asking because overlayfs uses mnt_idmap(path->mnt) and you
> have used nop_mnt_idmap inside evm hook.
> this does not look right to me?
So it's relevant if they interact with xattrs that care about the
idmapping and that's POSIX ACLs and fscaps. And only if they perform
permission checks such as posix_acl_update_mode() or something. IOW, it
depends on what exactly EVM is doing.
IIRC, I already added custom security_*() hooks specifically for POSIX
ACLs as they can't be retrieved through vfs_xattr*() helpers anymore.
More information about the Linux-security-module-archive
mailing list