2010-11-22 15:59:32

by Roberto Sassu

Subject: [RFC][PATCH 0/4] security label of the file descriptor structure

The function dentry_open() requires the credentials of the acting process to be passed as a parameter. These credentials are actually used, for example in SELinux, to verify whether the process is allowed to access the inode bound to the dentry, by calling the function inode_has_perm(). Despite the fact that the verification is done using the passed credentials, the 'file' object created by calling dentry_open() is labeled with the credentials of the 'current' process, which may differ from the former.

An example of such behavior comes from the ecryptfs filesystem, which calls dentry_open() in order to obtain a unique file descriptor of the inode in the lower filesystem to serve concurrent requests made on the related ecryptfs inode. Recently, I made a patch, not yet merged in the mainline, in order to provide to the dentry_open() function the credentials of the kernel kthread service instead of those related to the current process. This allows assigning to the ecryptfs filesystem a privileged role, in that it can perform all privileged operations with its own assigned label, letting access control operate only on objects exposed by ecryptfs.

This patch set is a proposal to modify the labeling behavior of the file descriptor structure by, first, passing the supplied credentials to the get_empty_filp() function, then initializing the 'f_cred' field with them, and finally telling the LSM security modules which implement the security_file_alloc() hook (SELinux and SMACK) to use this information to attach the correct label to the file descriptor. A last note: it seems that AppArmor does not need to be modified, because in the mentioned hook it only allocates its specific structure without assignments.

The patch set applies to the latest released kernel, v2.6.37-rc3.
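The mismatch the cover letter describes, as an added illustration that is not kernel code and not part of the patch set: a hypothetical, simplified model in which a toy dentry_open() checks access with the supplied cred but labels the file with 'current' (the behavior before the patch), beside a version that initializes f_cred from the supplied cred (the behavior after the patch); the cred labels, the "/lower/" path rule and the helper names are constructed for the example.

```c
#include <string.h>

/* Hypothetical, simplified model: a cred carries one security label and a
 * file object records the cred it was opened with in f_cred. */
struct cred { const char *label; };
struct file { const char *path; const struct cred *f_cred; };

/* Stand-ins for 'current' and for the ecryptfs kthread credentials. */
static const struct cred current_cred = { "user_t" };
static const struct cred kthread_cred = { "ecryptfs_t" };

/* Toy access check: only ecryptfs_t may open the lower (encrypted) inode. */
static int inode_has_perm(const struct cred *cred, const char *path)
{
    if (strncmp(path, "/lower/", 7) == 0)
        return strcmp(cred->label, "ecryptfs_t") == 0;
    return 1;
}

/* Before the patch: checks with the supplied cred, labels with current. */
static int dentry_open_before(struct file *f, const char *path,
                              const struct cred *cred)
{
    if (!inode_has_perm(cred, path))
        return -1;
    f->path = path;
    f->f_cred = &current_cred;  /* label of 'current', not of 'cred' */
    return 0;
}

/* After the patch: f_cred is initialized from the supplied credentials. */
static int dentry_open_after(struct file *f, const char *path,
                             const struct cred *cred)
{
    if (!inode_has_perm(cred, path))
        return -1;
    f->path = path;
    f->f_cred = cred;
    return 0;
}

/* Later check consulting the file's own label, as an LSM would do via
 * file->f_cred, rather than the credentials of the opener. */
static int file_has_perm(const struct file *f)
{
    return inode_has_perm(f->f_cred, f->path);
}
```

With the old labeling the open succeeds for the kthread cred, but any later check driven by the file's own label runs as 'current' and is denied; with the new labeling the file carries the label it was actually opened with.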

Reference of the released ecryptfs patch:
http://git.kernel.org/?p=linux/kernel/git/ecryptfs/ecryptfs-2.6.git;a=commit;h=0903acc555955ff7bbe1b8324028fe44e5c16a91

Roberto Sassu (4):
fs: passing task credentials to get_empty_filp()
fs: move file->f_cred initialization before security_file_alloc()
selinux: use file->f_cred to determine task's SID
smack: modified file->f_security assignment in smack_file_alloc_security()

fs/file_table.c | 8 ++++----
fs/internal.h | 2 +-
fs/namei.c | 2 +-
fs/open.c | 2 +-
security/selinux/hooks.c | 2 +-
security/smack/smack_lsm.c | 2 +-
6 files changed, 9 insertions(+), 9 deletions(-)

--
1.7.2.3
