Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S932843AbdCJRLW (ORCPT <rfc822;w@1wt.eu>);
        Fri, 10 Mar 2017 12:11:22 -0500
Received: from smtp.nsa.gov ([8.44.101.9]:54727 "EHLO emsm-gh1-uea11.nsa.gov"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1755049AbdCJRLK (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 10 Mar 2017 12:11:10 -0500
X-IronPort-AV: E=Sophos;i="5.36,141,1486425600"; 
   d="scan'208";a="3873537"
IronPort-PHdr: =?us-ascii?q?9a23=3ACQ5AEh+yZTQ3hP9uRHKM819IXTAuvvDOBiVQ1KB+?=
 =?us-ascii?q?0OsXIJqq85mqBkHD//Il1AaPBtSGra4UwLuI+4nbGkU4qa6bt34DdJEeHzQksu?=
 =?us-ascii?q?4x2zIaPcieFEfgJ+TrZSFpVO5LVVti4m3peRMNQJW2aFLduGC94iAPERvjKwV1?=
 =?us-ascii?q?Ov71GonPhMiryuy+4ZPebgFIiTanbr5/Lxq6oAHQu8ILnYZsN6E9xwfTrHBVYe?=
 =?us-ascii?q?pW32RoJVySnxb4+Mi9+YNo/jpTtfw86cNOSL32cKskQ7NWCjQmKH0169bwtRbf?=
 =?us-ascii?q?VwuP52ATXXsQnxFVHgXK9hD6XpP2sivnqupw3TSRMMPqQbwoXzmp8qlkSAXsiC?=
 =?us-ascii?q?waKTA39m/ZgdF0gK5Cvh6tuxlzzojJa4+XKfV+ZLvQc9MES2RcUMhfVCtPD5ig?=
 =?us-ascii?q?Y4cTFecNIfxVo5Xhq1YIsBCwBROsBOTqyjJQm3H2wbM10/whEQ7Y2gwrAs8AsH?=
 =?us-ascii?q?HOo9XxMKcdT+C0x7TPwDXYcvxWwizw6JTIcx89ofGMWqh8cczKyUY1DQ/FgVKQ?=
 =?us-ascii?q?qZL8Mj6Ty+8DsHCb4vJ9We+ghGMrsQF8riW1yssyhYTFmJgZxk3C+C5k2og6P8?=
 =?us-ascii?q?e4R1R+YdO8FZtQsDyVOJVuT8M5RmFopD46yrobuZ6nZCQKyIooxxrYa/Gfb4iH?=
 =?us-ascii?q?+AjjVOeMITdjnn5lZLK+iAqy8Uin0OH8UNW70E1WoSZfl9nMt3QN2wTS6siBVP?=
 =?us-ascii?q?R94l+s1SuA2g3c8O1JIV04mbDFJ5Mu3LI8jIcfvVzGHiDsmUX2iKGWdl8j+uit?=
 =?us-ascii?q?8+nneajppoSHOo9oigDxLqQumsulDeQ+KQgBRXKX+eu71L395UH5WqlFjuUqkq?=
 =?us-ascii?q?nFt5DXPcAbpq+/Aw9I3Ycv8g2/ACm639QFh3kHLU5FeRKeg4jsPFHBPe34DfOh?=
 =?us-ascii?q?jFm3jjdryO7JPqf7DpXOMHfDirHhcqh560JGzwoz199f7YpOCr4dOPLzRlPxtN?=
 =?us-ascii?q?vAAx89Mgy0xfvnCdpk2oMdR22PGKmZP73WsVKT+OIvLPeDZJUPtDb+Nfcl/fju?=
 =?us-ascii?q?gmE9mVMHeqmpx5QXYmiiHvt6O0WZfWbsgtAZHGcOvwo+SvHqiVKbXT5dfHa9Qr?=
 =?us-ascii?q?wz5i8lB4KiForDWI+tj6Kb3CuhHZ1ZeHpGClaSHnfsbYmEXO0MaC2KKM97jjME?=
 =?us-ascii?q?TaShS5Mm1Ry2tg/6zLpnLuzO9i0aspLj1MJ65+vIlR4s8zx5FNiS3HuLT2FzmG?=
 =?us-ascii?q?MIRiM507p7oUBn1liD1q14ieRCFdNP//NJThs6NZnEwuxiEd/yRwbBc8yRSFm8?=
 =?us-ascii?q?X9WmBSg9Ttc2w98JeUZyBc+ugQzE3yqvG7UVjaCEBIQo8qLA2Hj8P919xGjc1K?=
 =?us-ascii?q?kukVYrWctPOneihq579wnTAZTFnFmel6avba4cxjLC9H+fzWqSu0FVSAxwXr/A?=
 =?us-ascii?q?XX8BfUvat9D56lnHT7+pE7QnKApBydWZJ6tNcN3ml0lJRPP9N9jEf22xnGKwDw?=
 =?us-ascii?q?6SxryQdIrqZ3kd3CLFBUgakgAT53GGOBM/Byi/pWLeDSJuGUjrY0Pt9+l+tXy6?=
 =?us-ascii?q?QlUzzwGQYE1tzae1+h1GzcCbHu0SxLUsqionqisyGFe7wsKQDMCP4RdiOO1eaN?=
 =?us-ascii?q?Yw+xFDk2ferRZ8JbSnNalpglNYeANy+wv12g94B61AmMwuvXVsxw13beqA2U5F?=
 =?us-ascii?q?XyuRwJS1P7rQMGS09xeqL+bU3VHYltSR+q4J8/k+g17qugavF0Er9zNs1NwG/W?=
 =?us-ascii?q?Gb48DxEAcKUZ/3Gn0y/hx+qqCSNjIx/KvIxHZsNu+yqTaE1NU3Urh2gi28dstS?=
 =?us-ascii?q?ZfvXXDT5FNcXUo30cOE=3D?=
X-IPAS-Result: =?us-ascii?q?A2HOBwDT3MJY/wHyM5BdHAEBBAEBCgEBFgEBAQMBAQEJAQE?=
 =?us-ascii?q?BgyaBa54PAQEBAQEBBpIHgkWEHRqEXYErgkNXAQEBAQEBAQECAQJoKIIzIoJuU?=
 =?us-ascii?q?iiBFxKJcw2zXzomAopCATGGCYxUDIMNBYkahz6LZIoeiBoCgXmIbQyGLgJIgxu?=
 =?us-ascii?q?PXViBAxkJAhQIHQ+HMiI1ihoBAQE?=
From: Stephen Smalley <sds@tycho.nsa.gov>
To: viro@zeniv.linux.org.uk, james.l.morris@oracle.com, serge@hallyn.com,
        paul@paul-moore.com, john.johansen@canonical.com
Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
        linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov,
        Stephen Smalley <sds@tycho.nsa.gov>
Subject: [PATCH] fs: switch order of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks
Date: Fri, 10 Mar 2017 12:14:18 -0500
Message-Id: <1489166058-11789-1-git-send-email-sds@tycho.nsa.gov>
X-Mailer: git-send-email 2.7.4
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1789
Lines: 58

generic_permission() presently checks CAP_DAC_OVERRIDE prior to
CAP_DAC_READ_SEARCH.  This can cause misleading audit messages when
using a LSM such as SELinux or AppArmor, since CAP_DAC_OVERRIDE
may not be required for the operation.  Flip the order of the
tests so that CAP_DAC_OVERRIDE is only checked when required for
the operation.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 fs/namei.c | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/fs/namei.c b/fs/namei.c
index d41fab7..482414a 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -340,22 +340,14 @@ int generic_permission(struct inode *inode, int mask)
 
 	if (S_ISDIR(inode->i_mode)) {
 		/* DACs are overridable for directories */
-		if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
-			return 0;
 		if (!(mask & MAY_WRITE))
 			if (capable_wrt_inode_uidgid(inode,
 						     CAP_DAC_READ_SEARCH))
 				return 0;
-		return -EACCES;
-	}
-	/*
-	 * Read/write DACs are always overridable.
-	 * Executable DACs are overridable when there is
-	 * at least one exec bit set.
-	 */
-	if (!(mask & MAY_EXEC) || (inode->i_mode & S_IXUGO))
 		if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
 			return 0;
+		return -EACCES;
+	}
 
 	/*
 	 * Searching includes executable on directories, else just read.
@@ -364,6 +356,14 @@ int generic_permission(struct inode *inode, int mask)
 	if (mask == MAY_READ)
 		if (capable_wrt_inode_uidgid(inode, CAP_DAC_READ_SEARCH))
 			return 0;
+	/*
+	 * Read/write DACs are always overridable.
+	 * Executable DACs are overridable when there is
+	 * at least one exec bit set.
+	 */
+	if (!(mask & MAY_EXEC) || (inode->i_mode & S_IXUGO))
+		if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
+			return 0;
 
 	return -EACCES;
 }
-- 
2.7.4