Re: [PATCH v1] security: Add a new hook: inode_touch_atime
From: Casey Schaufler
Date: Wed Dec 21 2016 - 18:33:35 EST
On 12/21/2016 3:15 PM, MickaÃl SalaÃn wrote:
> Add a new LSM hook named inode_touch_atime which is needed to deny
> indirect update of extended file attributes (i.e. access time) which are
> not catched by the inode_setattr hook. By creating a new hook instead of
> calling inode_setattr, we avoid to simulate a useless struct iattr.
>
> This hook allows to create read-only environments as with read-only
> mount points. It can also take care of anonymous inodes.
What security module would use this?
>
> Signed-off-by: MickaÃl SalaÃn <mic@xxxxxxxxxxx>
> Cc: Alexander Viro <viro@xxxxxxxxxxxxxxxxxx>
> Cc: Andy Lutomirski <luto@xxxxxxxxxxxxxx>
> Cc: Casey Schaufler <casey@xxxxxxxxxxxxxxxx>
> Cc: Dmitry Kasatkin <dmitry.kasatkin@xxxxxxxxx>
> Cc: Eric Paris <eparis@xxxxxxxxxxxxxx>
> Cc: James Morris <james.l.morris@xxxxxxxxxx>
> Cc: John Johansen <john.johansen@xxxxxxxxxxxxx>
> Cc: Kees Cook <keescook@xxxxxxxxxxxx>
> Cc: Kentaro Takeda <takedakn@xxxxxxxxxxxxx>
> Cc: Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx>
> Cc: Paul Moore <paul@xxxxxxxxxxxxxx>
> Cc: Serge E. Hallyn <serge@xxxxxxxxxx>
> Cc: Stephen Smalley <sds@xxxxxxxxxxxxx>
> Cc: Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx>
> ---
> fs/inode.c | 5 ++++-
> include/linux/lsm_hooks.h | 8 ++++++++
> include/linux/security.h | 8 ++++++++
> security/security.c | 9 +++++++++
> 4 files changed, 29 insertions(+), 1 deletion(-)
>
> diff --git a/fs/inode.c b/fs/inode.c
> index 88110fd0b282..8e7519196942 100644
> --- a/fs/inode.c
> +++ b/fs/inode.c
> @@ -1706,6 +1706,10 @@ void touch_atime(const struct path *path)
> if (!__atime_needs_update(path, inode, false))
> return;
>
> + now = current_time(inode);
> + if (security_inode_touch_atime(path, &now))
> + return;
> +
> if (!sb_start_write_trylock(inode->i_sb))
> return;
>
> @@ -1720,7 +1724,6 @@ void touch_atime(const struct path *path)
> * We may also fail on filesystems that have the ability to make parts
> * of the fs read only, e.g. subvolumes in Btrfs.
> */
> - now = current_time(inode);
> update_time(inode, &now, S_ATIME);
> __mnt_drop_write(mnt);
> skip_update:
> diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
> index 558adfa5c8a8..e77051715e6b 100644
> --- a/include/linux/lsm_hooks.h
> +++ b/include/linux/lsm_hooks.h
> @@ -428,6 +428,11 @@
> * security module does not know about attribute or a negative error code
> * to abort the copy up. Note that the caller is responsible for reading
> * and writing the xattrs as this hook is merely a filter.
> + * @inode_touch_atime:
> + * Check permission before updating access time.
> + * @path contains the path structure for the file.
> + * @ts contains the current time.
> + * Return 0 if permission is granted.
> *
> * Security hooks for file operations
> *
> @@ -1458,6 +1463,8 @@ union security_list_options {
> void (*inode_getsecid)(struct inode *inode, u32 *secid);
> int (*inode_copy_up)(struct dentry *src, struct cred **new);
> int (*inode_copy_up_xattr)(const char *name);
> + int (*inode_touch_atime)(const struct path *path,
> + const struct timespec *ts);
>
> int (*file_permission)(struct file *file, int mask);
> int (*file_alloc_security)(struct file *file);
> @@ -1731,6 +1738,7 @@ struct security_hook_heads {
> struct list_head inode_getsecid;
> struct list_head inode_copy_up;
> struct list_head inode_copy_up_xattr;
> + struct list_head inode_touch_atime;
> struct list_head file_permission;
> struct list_head file_alloc_security;
> struct list_head file_free_security;
> diff --git a/include/linux/security.h b/include/linux/security.h
> index c2125e9093e8..619f44c290a5 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -30,6 +30,7 @@
> #include <linux/string.h>
> #include <linux/mm.h>
> #include <linux/fs.h>
> +#include <linux/time.h>
>
> struct linux_binprm;
> struct cred;
> @@ -288,6 +289,7 @@ int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer
> void security_inode_getsecid(struct inode *inode, u32 *secid);
> int security_inode_copy_up(struct dentry *src, struct cred **new);
> int security_inode_copy_up_xattr(const char *name);
> +int security_inode_touch_atime(const struct path *path, const struct timespec *ts);
> int security_file_permission(struct file *file, int mask);
> int security_file_alloc(struct file *file);
> void security_file_free(struct file *file);
> @@ -781,6 +783,12 @@ static inline int security_inode_copy_up_xattr(const char *name)
> return -EOPNOTSUPP;
> }
>
> +static inline int security_inode_touch_atime(const struct path *path, const
> + struct timespec *ts)
> +{
> + return 0;
> +}
> +
> static inline int security_file_permission(struct file *file, int mask)
> {
> return 0;
> diff --git a/security/security.c b/security/security.c
> index f825304f04a7..cd093c4b4115 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -769,6 +769,13 @@ int security_inode_copy_up_xattr(const char *name)
> }
> EXPORT_SYMBOL(security_inode_copy_up_xattr);
>
> +int security_inode_touch_atime(const struct path *path,
> + const struct timespec *ts)
> +{
> + return call_int_hook(inode_touch_atime, 0, path, ts);
> +}
> +EXPORT_SYMBOL(security_inode_touch_atime);
> +
> int security_file_permission(struct file *file, int mask)
> {
> int ret;
> @@ -1711,6 +1718,8 @@ struct security_hook_heads security_hook_heads = {
> LIST_HEAD_INIT(security_hook_heads.inode_copy_up),
> .inode_copy_up_xattr =
> LIST_HEAD_INIT(security_hook_heads.inode_copy_up_xattr),
> + .inode_touch_atime =
> + LIST_HEAD_INIT(security_hook_heads.inode_touch_atime),
> .file_permission =
> LIST_HEAD_INIT(security_hook_heads.file_permission),
> .file_alloc_security =