Re: [PATCH v3] security: Place security_path_post_mknod() where the original IMA call was
From: Paul Moore
Date: Wed Apr 03 2024 - 10:59:16 EST
On Wed, Apr 3, 2024 at 3:57 AM Roberto Sassu
<roberto.sassu@xxxxxxxxxxxxxxx> wrote:
>
> From: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
>
> Commit 08abce60d63f ("security: Introduce path_post_mknod hook")
> introduced security_path_post_mknod(), to replace the IMA-specific call to
> ima_post_path_mknod().
>
> For symmetry with security_path_mknod(), security_path_post_mknod() was
> called after a successful mknod operation, for any file type, rather than
> only for regular files at the time there was the IMA call.
>
> However, as reported by VFS maintainers, successful mknod operation does
> not mean that the dentry always has an inode attached to it (for example,
> not for FIFOs on a SAMBA mount).
>
> If that condition happens, the kernel crashes when
> security_path_post_mknod() attempts to verify if the inode associated to
> the dentry is private.
>
> Move security_path_post_mknod() where the ima_post_path_mknod() call was,
> which is obviously correct from IMA/EVM perspective. IMA/EVM are the only
> in-kernel users, and only need to inspect regular files.
>
> Reported-by: Steve French <smfrench@xxxxxxxxx>
> Closes: https://lore.kernel.org/linux-kernel/CAH2r5msAVzxCUHHG8VKrMPUKQHmBpE6K9_vjhgDa1uAvwx4ppw@xxxxxxxxxxxxxx/
> Suggested-by: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
> Fixes: 08abce60d63f ("security: Introduce path_post_mknod hook")
> Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
> ---
> fs/namei.c | 7 ++-----
> security/security.c | 4 ++--
> 2 files changed, 4 insertions(+), 7 deletions(-)
Acked-by: Paul Moore <paul@xxxxxxxxxxxxxx>
--
paul-moore.com