xfs
[Top] [All Lists]

Re: [PATCH v3 2/4] xfs: initialize inode security on tmpfile creation

To: Christoph Hellwig <hch@xxxxxxxxxxxxx>
Subject: Re: [PATCH v3 2/4] xfs: initialize inode security on tmpfile creation
From: Stephen Smalley <sds@xxxxxxxxxxxxx>
Date: Tue, 15 Apr 2014 16:21:56 -0400
Cc: Brian Foster <bfoster@xxxxxxxxxx>, linux-fsdevel@xxxxxxxxxxxxxxx, linux-security-module@xxxxxxxxxxxxxxx, xfs@xxxxxxxxxxx
Delivered-to: xfs@xxxxxxxxxxx
In-reply-to: <20140415202222.GA10928@xxxxxxxxxxxxx>
Organization: National Security Agency
References: <1397578706-5385-1-git-send-email-bfoster@xxxxxxxxxx> <1397578706-5385-3-git-send-email-bfoster@xxxxxxxxxx> <20140415175033.GB26404@xxxxxxxxxxxxx> <534D90D0.9090805@xxxxxxxxxxxxx> <20140415202222.GA10928@xxxxxxxxxxxxx>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
On 04/15/2014 04:22 PM, Christoph Hellwig wrote:
> On Tue, Apr 15, 2014 at 04:04:32PM -0400, Stephen Smalley wrote:
>> Is there a reason that xfs_init_security() isn't called from the inode
>> allocation function (e.g. xfs_ialloc), as in ext4 (__ext4_new_inode
>> calls ext4_init_security and also calls ext4_init_acl)?  That would have
>> ensured that tmpfile inodes would have been labeled without requiring a
>> separate change and more generally ensures complete coverage for all inodes.
> 
> Really just code structuring - we don't like callouts to high level VFS
> functions from deep down in the guts of the filesystem.
> 
>> For SELinux, we need the tmpfile inodes to be labeled at creation time,
>> not just if linked into the namespace, since they may be shared via
>> local socket IPC or inherited across a label-changing exec and since we
>> revalidate access on transfer or use.
>>
>> Labeling based on the provided directory could be a bit random, although
>> it will work out with current policy if the provided directory
>> corresponds to existing tmpfile locations (e.g. /tmp, /var/tmp) and
>> therefore already has a label associated with temporary files.
>> Otherwise we might want some indication that it is a tmpfile passed into
>> security_inode_init_security() so that we can always select a stable
>> label irrespective of the directory.
> 
> Just check for I_LINKABLE in i_flags.

Thanks, that should allow us to handle it cleanly in the security modules!


<Prev in Thread] Current Thread [Next in Thread>