Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S933720AbdCJTy0 (ORCPT ); Fri, 10 Mar 2017 14:54:26 -0500 Received: from mail-ua0-f193.google.com ([209.85.217.193]:34115 "EHLO mail-ua0-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755485AbdCJTyS (ORCPT ); Fri, 10 Mar 2017 14:54:18 -0500 MIME-Version: 1.0 X-Originating-IP: [108.49.102.27] In-Reply-To: <1489166058-11789-1-git-send-email-sds@tycho.nsa.gov> References: <1489166058-11789-1-git-send-email-sds@tycho.nsa.gov> From: Paul Moore Date: Fri, 10 Mar 2017 14:54:09 -0500 Message-ID: Subject: Re: [PATCH] fs: switch order of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks To: Stephen Smalley , viro@zeniv.linux.org.uk, linux-fsdevel@vger.kernel.org Cc: James Morris , serge@hallyn.com, john.johansen@canonical.com, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2573 Lines: 70 On Fri, Mar 10, 2017 at 12:14 PM, Stephen Smalley wrote: > generic_permission() presently checks CAP_DAC_OVERRIDE prior to > CAP_DAC_READ_SEARCH. This can cause misleading audit messages when > using a LSM such as SELinux or AppArmor, since CAP_DAC_OVERRIDE > may not be required for the operation. Flip the order of the > tests so that CAP_DAC_OVERRIDE is only checked when required for > the operation. > > Signed-off-by: Stephen Smalley > --- > fs/namei.c | 20 ++++++++++---------- > 1 file changed, 10 insertions(+), 10 deletions(-) This is the second posting of this patch and so far no comment ... if I don't see any negative responses by next week I'll go ahead and merge this into the selinux/next tree. > diff --git a/fs/namei.c b/fs/namei.c > index d41fab7..482414a 100644 > --- a/fs/namei.c > +++ b/fs/namei.c > @@ -340,22 +340,14 @@ int generic_permission(struct inode *inode, int mask) > > if (S_ISDIR(inode->i_mode)) { > /* DACs are overridable for directories */ > - if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE)) > - return 0; > if (!(mask & MAY_WRITE)) > if (capable_wrt_inode_uidgid(inode, > CAP_DAC_READ_SEARCH)) > return 0; > - return -EACCES; > - } > - /* > - * Read/write DACs are always overridable. > - * Executable DACs are overridable when there is > - * at least one exec bit set. > - */ > - if (!(mask & MAY_EXEC) || (inode->i_mode & S_IXUGO)) > if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE)) > return 0; > + return -EACCES; > + } > > /* > * Searching includes executable on directories, else just read. > @@ -364,6 +356,14 @@ int generic_permission(struct inode *inode, int mask) > if (mask == MAY_READ) > if (capable_wrt_inode_uidgid(inode, CAP_DAC_READ_SEARCH)) > return 0; > + /* > + * Read/write DACs are always overridable. > + * Executable DACs are overridable when there is > + * at least one exec bit set. > + */ > + if (!(mask & MAY_EXEC) || (inode->i_mode & S_IXUGO)) > + if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE)) > + return 0; > > return -EACCES; > } > -- > 2.7.4 > -- paul moore www.paul-moore.com