xfs
[Top] [All Lists]

Re: [PATCH v3 2/4] xfs: initialize inode security on tmpfile creation

To: Christoph Hellwig <hch@xxxxxxxxxxxxx>, Brian Foster <bfoster@xxxxxxxxxx>
Subject: Re: [PATCH v3 2/4] xfs: initialize inode security on tmpfile creation
From: Stephen Smalley <sds@xxxxxxxxxxxxx>
Date: Tue, 15 Apr 2014 16:16:25 -0400
Cc: xfs@xxxxxxxxxxx, linux-security-module@xxxxxxxxxxxxxxx, linux-fsdevel@xxxxxxxxxxxxxxx, Eric Paris <eparis@xxxxxxxxxx>, Paul Moore <paul@xxxxxxxxxxxxxx>
Delivered-to: xfs@xxxxxxxxxxx
In-reply-to: <534D90D0.9090805@xxxxxxxxxxxxx>
Organization: National Security Agency
References: <1397578706-5385-1-git-send-email-bfoster@xxxxxxxxxx> <1397578706-5385-3-git-send-email-bfoster@xxxxxxxxxx> <20140415175033.GB26404@xxxxxxxxxxxxx> <534D90D0.9090805@xxxxxxxxxxxxx>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
On 04/15/2014 04:04 PM, Stephen Smalley wrote:
> On 04/15/2014 01:50 PM, Christoph Hellwig wrote:
>> On Tue, Apr 15, 2014 at 12:18:24PM -0400, Brian Foster wrote:
>>> +   error = xfs_init_security(inode, dir, &dentry->d_name);
>>> +   if (unlikely(error)) {
>>> +           iput(inode);
>>> +           return -error;
>>> +   }
>>> +
>>>     d_tmpfile(dentry, inode);
>>>  
>>
>> I'd really love to hear from the LSM people who they plan to deal with
>> O_TMPFILE inodes.    But given that this seems to fix a real life bug
>> let's go with it for now.
> 
> Is there a reason that xfs_init_security() isn't called from the inode
> allocation function (e.g. xfs_ialloc), as in ext4 (__ext4_new_inode
> calls ext4_init_security and also calls ext4_init_acl)?  That would have
> ensured that tmpfile inodes would have been labeled without requiring a
> separate change and more generally ensures complete coverage for all inodes.
> 
> For SELinux, we need the tmpfile inodes to be labeled at creation time,
> not just if linked into the namespace, since they may be shared via
> local socket IPC or inherited across a label-changing exec and since we
> revalidate access on transfer or use.
> 
> Labeling based on the provided directory could be a bit random, although
> it will work out with current policy if the provided directory
> corresponds to existing tmpfile locations (e.g. /tmp, /var/tmp) and
> therefore already has a label associated with temporary files.
> Otherwise we might want some indication that it is a tmpfile passed into
> security_inode_init_security() so that we can always select a stable
> label irrespective of the directory.

Hmm...wondering if we can use the qstr as a distinguisher; pass NULL for
tmpfile and not for others as in ext4?

<Prev in Thread] Current Thread [Next in Thread>