Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932843AbdCJRLW (ORCPT ); Fri, 10 Mar 2017 12:11:22 -0500
Received: from smtp.nsa.gov ([8.44.101.9]:54727 "EHLO emsm-gh1-uea11.nsa.gov" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755049AbdCJRLK (ORCPT ); Fri, 10 Mar 2017 12:11:10 -0500
From: Stephen Smalley
To: viro@zeniv.linux.org.uk, james.l.morris@oracle.com, serge@hallyn.com, paul@paul-moore.com, john.johansen@canonical.com
Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov, Stephen Smalley
Subject: [PATCH] fs: switch order of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks
Date: Fri, 10 Mar 2017 12:14:18 -0500
Message-Id: <1489166058-11789-1-git-send-email-sds@tycho.nsa.gov>
X-Mailer: git-send-email 2.7.4
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1789
Lines: 58

generic_permission() presently checks CAP_DAC_OVERRIDE prior to CAP_DAC_READ_SEARCH. This can cause misleading audit messages when using a LSM such as SELinux or AppArmor, since CAP_DAC_OVERRIDE may not be required for the operation. Flip the order of the tests so that CAP_DAC_OVERRIDE is only checked when required for the operation.

Signed-off-by: Stephen Smalley --- fs/namei.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/fs/namei.c b/fs/namei.c index d41fab7..482414a 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -340,22 +340,14 @@ int generic_permission(struct inode *inode, int mask) if (S_ISDIR(inode->i_mode)) { /* DACs are overridable for directories */ - if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE)) - return 0; if (!(mask & MAY_WRITE)) if (capable_wrt_inode_uidgid(inode, CAP_DAC_READ_SEARCH)) return 0; - return -EACCES; - } - /* - * Read/write DACs are always overridable. - * Executable DACs are overridable when there is - * at least one exec bit set. - */ - if (!(mask & MAY_EXEC) || (inode->i_mode & S_IXUGO)) if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE)) return 0; + return -EACCES; + } /* * Searching includes executable on directories, else just read. @@ -364,6 +356,14 @@ int generic_permission(struct inode *inode, int mask) if (mask == MAY_READ) if (capable_wrt_inode_uidgid(inode, CAP_DAC_READ_SEARCH)) return 0; + /* + * Read/write DACs are always overridable. + * Executable DACs are overridable when there is + * at least one exec bit set. + */ + if (!(mask & MAY_EXEC) || (inode->i_mode & S_IXUGO)) + if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE)) + return 0; return -EACCES; } -- 2.7.4
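
Review bot: In the first hunk (the S_ISDIR branch of generic_permission()), the comment `/* DACs are overridable for directories */` now sits directly above the CAP_DAC_READ_SEARCH test rather than the CAP_DAC_OVERRIDE test it was written for. Suggest rewording it to cover both checks and to say that the narrower capability is tried first. Also note that when `mask` lacks MAY_WRITE and the CAP_DAC_READ_SEARCH test fails, control falls through to the CAP_DAC_OVERRIDE test, so a task that is only permitted CAP_DAC_OVERRIDE now goes through a CAP_DAC_READ_SEARCH check first. The commit message should state whether that extra check can itself produce an audit message under SELinux or AppArmor.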
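
Review bot: In the second hunk, the relocated comment ("Read/write DACs are always overridable. ...") does not say why the CAP_DAC_OVERRIDE test has to follow the `if (mask == MAY_READ)` CAP_DAC_READ_SEARCH test, so a later cleanup could swap them back without noticing the audit impact. Suggest adding a sentence to that comment saying the order is deliberate, so that CAP_DAC_OVERRIDE is only checked when CAP_DAC_READ_SEARCH does not already cover the request. Going by the hunk line counts, the added comment block also follows the preceding `return 0;` with no blank line between them; a blank line there would match the spacing before `return -EACCES;`.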