Re: [PATCH 1/5] security: allow finer granularity in permitting copy-up of security xattrs

From: Stefan Berger
Date: Thu Feb 01 2024 - 10:41:57 EST

Next message: Huang, Kai: "Re: [PATCH v2 2/2] x86/cpu/intel: Detect TME keyid bits before setting MTRR mask registers"
Previous message: Greg KH: "Re: [PATCH] dma-coherent: add support for multi coherent rmems per dev"
In reply to: Christian Brauner: "Re: [PATCH 1/5] security: allow finer granularity in permitting copy-up of security xattrs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 1/31/24 08:25, Amir Goldstein wrote:

On Tue, Jan 30, 2024 at 11:46 PM Stefan Berger <stefanb@xxxxxxxxxxxxx> wrote:

Copying up xattrs is solely based on the security xattr name. For finer
granularity add a dentry parameter to the security_inode_copy_up_xattr
hook definition, allowing decisions to be based on the xattr content as
well.

Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxx>
---
fs/overlayfs/copy_up.c | 2 +-
include/linux/evm.h | 2 +-
include/linux/lsm_hook_defs.h | 3 ++-
include/linux/security.h | 4 ++--
security/integrity/evm/evm_main.c | 2 +-
security/security.c | 7 ++++---
security/selinux/hooks.c | 2 +-
security/smack/smack_lsm.c | 2 +-
8 files changed, 13 insertions(+), 11 deletions(-)

diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c
index b8e25ca51016..bd9ddcefb7a7 100644
--- a/fs/overlayfs/copy_up.c
+++ b/fs/overlayfs/copy_up.c
@@ -114,7 +114,7 @@ int ovl_copy_xattr(struct super_block *sb, const struct path *oldpath, struct de
if (ovl_is_private_xattr(sb, name))
continue;

- error = security_inode_copy_up_xattr(name);
+ error = security_inode_copy_up_xattr(old, name);

What do you think about:

error = security_inode_copy_up_xattr(name, NULL, 0);

We need 'old'.

and then later...

error = security_inode_copy_up_xattr(name, value, size);

Are these parameter used to first query for the necessary size of the buffer and then provide the buffer to fill it? Or should the function rather take an existing buffer and realloc it if necessary and place the value of the xattr into it? Unfortunately this function currently returns '1' for 'discard', so returning the size of the xattr value from it maybe not ideal but it would require maybe yet another parameter that indicates what the size of the xattr value is.

Stefan

I am asking because overlayfs uses mnt_idmap(path->mnt) and you
have used nop_mnt_idmap inside evm hook.
this does not look right to me?

Thanks,
Amir.

Next message: Huang, Kai: "Re: [PATCH v2 2/2] x86/cpu/intel: Detect TME keyid bits before setting MTRR mask registers"
Previous message: Greg KH: "Re: [PATCH] dma-coherent: add support for multi coherent rmems per dev"
In reply to: Christian Brauner: "Re: [PATCH 1/5] security: allow finer granularity in permitting copy-up of security xattrs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]