The inode_follow_link LSM hook is called in bind mount situations as
well as for symlink situations, so we must explicitly check for the
inode being a symlink to not reject bind mounts in 1777 directories,
which seems to be a common NFSv4 configuration.
Signed-off-by: Kees Cook <[email protected]>
---
security/yama/yama_lsm.c | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c
index 3b76386..c70eb10 100644
--- a/security/yama/yama_lsm.c
+++ b/security/yama/yama_lsm.c
@@ -116,6 +116,10 @@ static int yama_inode_follow_link(struct dentry *dentry,
if (!protected_sticky_symlinks)
return 0;
+ /* if inode isn't a symlink, don't try to evaluate blocking it */
+ if (!S_ISLNK(inode->i_mode))
+ return 0;
+
/* owner and follower match? */
cred = current_cred();
inode = dentry->d_inode;
--
1.7.1
--
Kees Cook
Ubuntu Security Team
Quoting Kees Cook ([email protected]):
> The inode_follow_link LSM hook is called in bind mount situations as
> well as for symlink situations, so we must explicitly check for the
> inode being a symlink to not reject bind mounts in 1777 directories,
Are you sure about that??
If that's true, you might also expand the comment in
include/linux/security.h.
> which seems to be a common NFSv4 configuration.
>
> Signed-off-by: Kees Cook <[email protected]>
> ---
> security/yama/yama_lsm.c | 4 ++++
> 1 files changed, 4 insertions(+), 0 deletions(-)
>
> diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c
> index 3b76386..c70eb10 100644
> --- a/security/yama/yama_lsm.c
> +++ b/security/yama/yama_lsm.c
> @@ -116,6 +116,10 @@ static int yama_inode_follow_link(struct dentry *dentry,
> if (!protected_sticky_symlinks)
> return 0;
>
> + /* if inode isn't a symlink, don't try to evaluate blocking it */
> + if (!S_ISLNK(inode->i_mode))
> + return 0;
> +
> /* owner and follower match? */
> cred = current_cred();
> inode = dentry->d_inode;
> --
> 1.7.1
>
>
> --
> Kees Cook
> Ubuntu Security Team
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to [email protected]
> More majordomo info at http://vger.kernel.org/majordomo-info.html
On Tue, Jul 13, 2010 at 03:30:21PM -0700, Kees Cook wrote:
> The inode_follow_link LSM hook is called in bind mount situations as
> well as for symlink situations, so we must explicitly check for the
> inode being a symlink to not reject bind mounts in 1777 directories,
> which seems to be a common NFSv4 configuration.
>
> Signed-off-by: Kees Cook <[email protected]>
> ---
> security/yama/yama_lsm.c | 4 ++++
> 1 files changed, 4 insertions(+), 0 deletions(-)
>
> diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c
> index 3b76386..c70eb10 100644
> --- a/security/yama/yama_lsm.c
> +++ b/security/yama/yama_lsm.c
> @@ -116,6 +116,10 @@ static int yama_inode_follow_link(struct dentry *dentry,
> if (!protected_sticky_symlinks)
> return 0;
>
> + /* if inode isn't a symlink, don't try to evaluate blocking it */
> + if (!S_ISLNK(inode->i_mode))
> + return 0;
> +
> /* owner and follower match? */
> cred = current_cred();
> inode = dentry->d_inode;
Erg, please ignore this -- I tested a slightly different version of this
patch. This version doesn't have inode set yet. I will follow up with the
correct one in a moment...
-Kees
--
Kees Cook
Ubuntu Security Team
On Tue, Jul 13, 2010 at 09:30:48PM -0500, Serge E. Hallyn wrote:
> Quoting Kees Cook ([email protected]):
> > The inode_follow_link LSM hook is called in bind mount situations as
> > well as for symlink situations, so we must explicitly check for the
> > inode being a symlink to not reject bind mounts in 1777 directories,
>
> Are you sure about that??
>
> If that's true, you might also expand the comment in
> include/linux/security.h.
>
> > which seems to be a common NFSv4 configuration.
Well, the issue is how the NFSv4 client deals with it. It seems to treat
the mounts from the NFSv4 root as a symlink when the server is using bind
mounts. It's kind of weird:
https://launchpad.net/bugs/604407
--
Kees Cook
Ubuntu Security Team