2017-03-10 17:11:22

by Stephen Smalley

[permalink] [raw]
Subject: [PATCH] fs: switch order of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks

generic_permission() presently checks CAP_DAC_OVERRIDE prior to
CAP_DAC_READ_SEARCH. This can cause misleading audit messages when
using a LSM such as SELinux or AppArmor, since CAP_DAC_OVERRIDE
may not be required for the operation. Flip the order of the
tests so that CAP_DAC_OVERRIDE is only checked when required for
the operation.

Signed-off-by: Stephen Smalley <[email protected]>
---
fs/namei.c | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/fs/namei.c b/fs/namei.c
index d41fab7..482414a 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -340,22 +340,14 @@ int generic_permission(struct inode *inode, int mask)

if (S_ISDIR(inode->i_mode)) {
/* DACs are overridable for directories */
- if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
- return 0;
if (!(mask & MAY_WRITE))
if (capable_wrt_inode_uidgid(inode,
CAP_DAC_READ_SEARCH))
return 0;
- return -EACCES;
- }
- /*
- * Read/write DACs are always overridable.
- * Executable DACs are overridable when there is
- * at least one exec bit set.
- */
- if (!(mask & MAY_EXEC) || (inode->i_mode & S_IXUGO))
if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
return 0;
+ return -EACCES;
+ }

/*
* Searching includes executable on directories, else just read.
@@ -364,6 +356,14 @@ int generic_permission(struct inode *inode, int mask)
if (mask == MAY_READ)
if (capable_wrt_inode_uidgid(inode, CAP_DAC_READ_SEARCH))
return 0;
+ /*
+ * Read/write DACs are always overridable.
+ * Executable DACs are overridable when there is
+ * at least one exec bit set.
+ */
+ if (!(mask & MAY_EXEC) || (inode->i_mode & S_IXUGO))
+ if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
+ return 0;

return -EACCES;
}
--
2.7.4


2017-03-10 19:54:26

by Paul Moore

[permalink] [raw]
Subject: Re: [PATCH] fs: switch order of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks

On Fri, Mar 10, 2017 at 12:14 PM, Stephen Smalley <[email protected]> wrote:
> generic_permission() presently checks CAP_DAC_OVERRIDE prior to
> CAP_DAC_READ_SEARCH. This can cause misleading audit messages when
> using a LSM such as SELinux or AppArmor, since CAP_DAC_OVERRIDE
> may not be required for the operation. Flip the order of the
> tests so that CAP_DAC_OVERRIDE is only checked when required for
> the operation.
>
> Signed-off-by: Stephen Smalley <[email protected]>
> ---
> fs/namei.c | 20 ++++++++++----------
> 1 file changed, 10 insertions(+), 10 deletions(-)

This is the second posting of this patch and so far no comment ... if
I don't see any negative responses by next week I'll go ahead and
merge this into the selinux/next tree.

> diff --git a/fs/namei.c b/fs/namei.c
> index d41fab7..482414a 100644
> --- a/fs/namei.c
> +++ b/fs/namei.c
> @@ -340,22 +340,14 @@ int generic_permission(struct inode *inode, int mask)
>
> if (S_ISDIR(inode->i_mode)) {
> /* DACs are overridable for directories */
> - if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
> - return 0;
> if (!(mask & MAY_WRITE))
> if (capable_wrt_inode_uidgid(inode,
> CAP_DAC_READ_SEARCH))
> return 0;
> - return -EACCES;
> - }
> - /*
> - * Read/write DACs are always overridable.
> - * Executable DACs are overridable when there is
> - * at least one exec bit set.
> - */
> - if (!(mask & MAY_EXEC) || (inode->i_mode & S_IXUGO))
> if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
> return 0;
> + return -EACCES;
> + }
>
> /*
> * Searching includes executable on directories, else just read.
> @@ -364,6 +356,14 @@ int generic_permission(struct inode *inode, int mask)
> if (mask == MAY_READ)
> if (capable_wrt_inode_uidgid(inode, CAP_DAC_READ_SEARCH))
> return 0;
> + /*
> + * Read/write DACs are always overridable.
> + * Executable DACs are overridable when there is
> + * at least one exec bit set.
> + */
> + if (!(mask & MAY_EXEC) || (inode->i_mode & S_IXUGO))
> + if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
> + return 0;
>
> return -EACCES;
> }
> --
> 2.7.4
>



--
paul moore
http://www.paul-moore.com

2017-03-10 21:12:32

by John Johansen

[permalink] [raw]
Subject: Re: [PATCH] fs: switch order of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks

On 03/10/2017 11:54 AM, Paul Moore wrote:
> On Fri, Mar 10, 2017 at 12:14 PM, Stephen Smalley <[email protected]> wrote:
>> generic_permission() presently checks CAP_DAC_OVERRIDE prior to
>> CAP_DAC_READ_SEARCH. This can cause misleading audit messages when
>> using a LSM such as SELinux or AppArmor, since CAP_DAC_OVERRIDE
>> may not be required for the operation. Flip the order of the
>> tests so that CAP_DAC_OVERRIDE is only checked when required for
>> the operation.
>>
>> Signed-off-by: Stephen Smalley <[email protected]>
>> ---
>> fs/namei.c | 20 ++++++++++----------
>> 1 file changed, 10 insertions(+), 10 deletions(-)
>
> This is the second posting of this patch and so far no comment ... if
> I don't see any negative responses by next week I'll go ahead and
> merge this into the selinux/next tree.
>
sounds good to me, the patch looks good you can have my acked-by for how
this affects apparmor, or hrmm should that be a reviewed-by for the vfs
end

Acked-by: John Johansen <[email protected]>

>> diff --git a/fs/namei.c b/fs/namei.c
>> index d41fab7..482414a 100644
>> --- a/fs/namei.c
>> +++ b/fs/namei.c
>> @@ -340,22 +340,14 @@ int generic_permission(struct inode *inode, int mask)
>>
>> if (S_ISDIR(inode->i_mode)) {
>> /* DACs are overridable for directories */
>> - if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
>> - return 0;
>> if (!(mask & MAY_WRITE))
>> if (capable_wrt_inode_uidgid(inode,
>> CAP_DAC_READ_SEARCH))
>> return 0;
>> - return -EACCES;
>> - }
>> - /*
>> - * Read/write DACs are always overridable.
>> - * Executable DACs are overridable when there is
>> - * at least one exec bit set.
>> - */
>> - if (!(mask & MAY_EXEC) || (inode->i_mode & S_IXUGO))
>> if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
>> return 0;
>> + return -EACCES;
>> + }
>>
>> /*
>> * Searching includes executable on directories, else just read.
>> @@ -364,6 +356,14 @@ int generic_permission(struct inode *inode, int mask)
>> if (mask == MAY_READ)
>> if (capable_wrt_inode_uidgid(inode, CAP_DAC_READ_SEARCH))
>> return 0;
>> + /*
>> + * Read/write DACs are always overridable.
>> + * Executable DACs are overridable when there is
>> + * at least one exec bit set.
>> + */
>> + if (!(mask & MAY_EXEC) || (inode->i_mode & S_IXUGO))
>> + if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
>> + return 0;
>>
>> return -EACCES;
>> }
>> --
>> 2.7.4
>>
>
>
>

2017-03-10 21:55:27

by Serge E. Hallyn

[permalink] [raw]
Subject: Re: [PATCH] fs: switch order of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks

Quoting Stephen Smalley ([email protected]):
> generic_permission() presently checks CAP_DAC_OVERRIDE prior to
> CAP_DAC_READ_SEARCH. This can cause misleading audit messages when
> using a LSM such as SELinux or AppArmor, since CAP_DAC_OVERRIDE
> may not be required for the operation. Flip the order of the
> tests so that CAP_DAC_OVERRIDE is only checked when required for
> the operation.
>
> Signed-off-by: Stephen Smalley <[email protected]>

Lol, not sure if that patch has arranged itself to be as confusing
as possible (for a simple end result) or if it's in my head :), but
I had to read it like 3 times, despite it appearing trivial in the
end.

Reviewed-by: Serge Hallyn <[email protected]>

> ---
> fs/namei.c | 20 ++++++++++----------
> 1 file changed, 10 insertions(+), 10 deletions(-)
>
> diff --git a/fs/namei.c b/fs/namei.c
> index d41fab7..482414a 100644
> --- a/fs/namei.c
> +++ b/fs/namei.c
> @@ -340,22 +340,14 @@ int generic_permission(struct inode *inode, int mask)
>
> if (S_ISDIR(inode->i_mode)) {
> /* DACs are overridable for directories */
> - if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
> - return 0;
> if (!(mask & MAY_WRITE))
> if (capable_wrt_inode_uidgid(inode,
> CAP_DAC_READ_SEARCH))
> return 0;
> - return -EACCES;
> - }
> - /*
> - * Read/write DACs are always overridable.
> - * Executable DACs are overridable when there is
> - * at least one exec bit set.
> - */
> - if (!(mask & MAY_EXEC) || (inode->i_mode & S_IXUGO))
> if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
> return 0;
> + return -EACCES;
> + }
>
> /*
> * Searching includes executable on directories, else just read.
> @@ -364,6 +356,14 @@ int generic_permission(struct inode *inode, int mask)
> if (mask == MAY_READ)
> if (capable_wrt_inode_uidgid(inode, CAP_DAC_READ_SEARCH))
> return 0;
> + /*
> + * Read/write DACs are always overridable.
> + * Executable DACs are overridable when there is
> + * at least one exec bit set.
> + */
> + if (!(mask & MAY_EXEC) || (inode->i_mode & S_IXUGO))
> + if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
> + return 0;
>
> return -EACCES;
> }
> --
> 2.7.4

2017-03-11 01:05:55

by James Morris

[permalink] [raw]
Subject: Re: [PATCH] fs: switch order of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks

On Fri, 10 Mar 2017, Stephen Smalley wrote:

> generic_permission() presently checks CAP_DAC_OVERRIDE prior to
> CAP_DAC_READ_SEARCH. This can cause misleading audit messages when
> using a LSM such as SELinux or AppArmor, since CAP_DAC_OVERRIDE
> may not be required for the operation. Flip the order of the
> tests so that CAP_DAC_OVERRIDE is only checked when required for
> the operation.
>
> Signed-off-by: Stephen Smalley <[email protected]>


Acked-by: James Morris <[email protected]>


--
James Morris
<[email protected]>

2017-03-29 21:36:47

by Paul Moore

[permalink] [raw]
Subject: Re: [PATCH] fs: switch order of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks

On Fri, Mar 10, 2017 at 2:54 PM, Paul Moore <[email protected]> wrote:
> On Fri, Mar 10, 2017 at 12:14 PM, Stephen Smalley <[email protected]> wrote:
>> generic_permission() presently checks CAP_DAC_OVERRIDE prior to
>> CAP_DAC_READ_SEARCH. This can cause misleading audit messages when
>> using a LSM such as SELinux or AppArmor, since CAP_DAC_OVERRIDE
>> may not be required for the operation. Flip the order of the
>> tests so that CAP_DAC_OVERRIDE is only checked when required for
>> the operation.
>>
>> Signed-off-by: Stephen Smalley <[email protected]>
>> ---
>> fs/namei.c | 20 ++++++++++----------
>> 1 file changed, 10 insertions(+), 10 deletions(-)
>
> This is the second posting of this patch and so far no comment ... if
> I don't see any negative responses by next week I'll go ahead and
> merge this into the selinux/next tree.

No objections, but plenty of ACKs and Reviewed-bys so I just merged
this into the selinux/next tree.

Thanks all.

>> diff --git a/fs/namei.c b/fs/namei.c
>> index d41fab7..482414a 100644
>> --- a/fs/namei.c
>> +++ b/fs/namei.c
>> @@ -340,22 +340,14 @@ int generic_permission(struct inode *inode, int mask)
>>
>> if (S_ISDIR(inode->i_mode)) {
>> /* DACs are overridable for directories */
>> - if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
>> - return 0;
>> if (!(mask & MAY_WRITE))
>> if (capable_wrt_inode_uidgid(inode,
>> CAP_DAC_READ_SEARCH))
>> return 0;
>> - return -EACCES;
>> - }
>> - /*
>> - * Read/write DACs are always overridable.
>> - * Executable DACs are overridable when there is
>> - * at least one exec bit set.
>> - */
>> - if (!(mask & MAY_EXEC) || (inode->i_mode & S_IXUGO))
>> if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
>> return 0;
>> + return -EACCES;
>> + }
>>
>> /*
>> * Searching includes executable on directories, else just read.
>> @@ -364,6 +356,14 @@ int generic_permission(struct inode *inode, int mask)
>> if (mask == MAY_READ)
>> if (capable_wrt_inode_uidgid(inode, CAP_DAC_READ_SEARCH))
>> return 0;
>> + /*
>> + * Read/write DACs are always overridable.
>> + * Executable DACs are overridable when there is
>> + * at least one exec bit set.
>> + */
>> + if (!(mask & MAY_EXEC) || (inode->i_mode & S_IXUGO))
>> + if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
>> + return 0;
>>
>> return -EACCES;
>> }
>> --
>> 2.7.4
>>
>
>
>
> --
> paul moore
> http://www.paul-moore.com



--
paul moore
http://www.paul-moore.com