Subject: Re: [PATCH] fs: switch order of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks
From: John Johansen
Organization: Canonical
Date: Fri, 10 Mar 2017 13:12:14 -0800
To: Paul Moore, Stephen Smalley, viro@zeniv.linux.org.uk, linux-fsdevel@vger.kernel.org
Cc: James Morris, serge@hallyn.com, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov
References: <1489166058-11789-1-git-send-email-sds@tycho.nsa.gov>

On 03/10/2017 11:54 AM, Paul Moore wrote:
> On Fri, Mar 10, 2017 at 12:14 PM, Stephen Smalley wrote:
>> generic_permission() presently checks CAP_DAC_OVERRIDE prior to
>> CAP_DAC_READ_SEARCH. This can cause misleading audit messages when
>> using a LSM such as SELinux or AppArmor, since CAP_DAC_OVERRIDE
>> may not be required for the operation. Flip the order of the
>> tests so that CAP_DAC_OVERRIDE is only checked when required for
>> the operation.
>> >> Signed-off-by: Stephen Smalley >> --- >> fs/namei.c | 20 ++++++++++---------- >> 1 file changed, 10 insertions(+), 10 deletions(-) > > This is the second posting of this patch and so far no comment ... if > I don't see any negative responses by next week I'll go ahead and > merge this into the selinux/next tree. > sounds good to me, the patch looks good you can have my acked-by for how this affects apparmor, or hrmm should that be a reviewed-by for the vfs end Acked-by: John Johansen >> diff --git a/fs/namei.c b/fs/namei.c >> index d41fab7..482414a 100644 >> --- a/fs/namei.c >> +++ b/fs/namei.c >> @@ -340,22 +340,14 @@ int generic_permission(struct inode *inode, int mask) >> >> if (S_ISDIR(inode->i_mode)) { >> /* DACs are overridable for directories */ >> - if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE)) >> - return 0; >> if (!(mask & MAY_WRITE)) >> if (capable_wrt_inode_uidgid(inode, >> CAP_DAC_READ_SEARCH)) >> return 0; >> - return -EACCES; >> - } >> - /* >> - * Read/write DACs are always overridable. >> - * Executable DACs are overridable when there is >> - * at least one exec bit set. >> - */ >> - if (!(mask & MAY_EXEC) || (inode->i_mode & S_IXUGO)) >> if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE)) >> return 0; >> + return -EACCES; >> + } >> >> /* >> * Searching includes executable on directories, else just read. >> @@ -364,6 +356,14 @@ int generic_permission(struct inode *inode, int mask) >> if (mask == MAY_READ) >> if (capable_wrt_inode_uidgid(inode, CAP_DAC_READ_SEARCH)) >> return 0; >> + /* >> + * Read/write DACs are always overridable. >> + * Executable DACs are overridable when there is >> + * at least one exec bit set. >> + */ >> + if (!(mask & MAY_EXEC) || (inode->i_mode & S_IXUGO)) >> + if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE)) >> + return 0; >> >> return -EACCES; >> } >> -- >> 2.7.4 >> > > >
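Review bot: the reorder in both hunks removes the spurious CAP_DAC_OVERRIDE denials the changelog describes, but it can produce the mirror case: a task that LSM policy allows CAP_DAC_OVERRIDE but not CAP_DAC_READ_SEARCH now reaches `capable_wrt_inode_uidgid(inode, CAP_DAC_READ_SEARCH)` first (directory reads/searches in the first hunk, `mask == MAY_READ` on regular files in the second), takes an audited denial there, and only then succeeds on the CAP_DAC_OVERRIDE check that follows. A sentence in the changelog noting that policies granting dac_override should also grant dac_read_search would help policy writers who see the new denial after this lands. The access result itself is unchanged: every path that returned 0 or -EACCES before the patch still does, since the directory branch still ends in `return -EACCES;` and the relocated "Read/write DACs are always overridable" block keeps its `!(mask & MAY_EXEC) || (inode->i_mode & S_IXUGO)` condition; only the order in which the two capabilities are consulted differs.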