Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp480381imm;
        Mon, 1 Oct 2018 13:08:42 -0700 (PDT)
X-Google-Smtp-Source: ACcGV63eZzB9gfRSXPbThWvgWec493uT936zV7qTBV5tU+W4bM+naj7gysiyQU+cnbKPBuyTTPtO
X-Received: by 2002:a17:902:b03:: with SMTP id 3-v6mr13647876plq.156.1538424522444;
        Mon, 01 Oct 2018 13:08:42 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1538424522; cv=none;
        d=google.com; s=arc-20160816;
        b=Shy4LQZTPT9xdCFDT6y9KulcC5akgYPYxn6WhSKvaCFQZn9nFz0BX8lpfxPpjjBzn1
         dHalsMSpwHz6IZeF+5su5yl/bZpAbKNA+kRSIyvVxiQa7QNgeG/z1LaAa2caXLRwSxKH
         HwHRR1jbL3rlCEBicFCtROoEonlx314+lninUbKEAb++IaR4htyWYo/Emv2bFauy4PE/
         7ZGRWwHMTfgwenrpzEEU9BCaPzOGqKIGKb3JdItzagNfi7RI3+BOIOf3yofwQRuuYUmU
         dSJHrq8nMEF4Y9v3Sr7D/gfCmLZPdGJAL8n9qovK6vp3+Z1URwJ7xRBppGPCeaRahXKg
         fIKA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :message-id:in-reply-to:subject:cc:to:from:date;
        bh=GpbtIZPpmVEVfeAmbQGsdRZ9h5IDiX8GkPwGoWpL2e8=;
        b=nA7SGZzlJaERmmAaxCYSdhSZGm64S2jHwz2RNUqPM9vFokWDIIMtSN/wn9cu0dow22
         l1O4vbt7AldT87Rd2L9DrBcT31bpsG6BBXzm/OFX1Kq0v88Oh49RWlhtk25rrxUUL5+J
         jjfcd9jSVlpmMVL437rjn5csXLOsGAczVIOyyeVMYKQutBLDjkXYQdr5xkieSFLSP0iG
         BGwaXSiEdrZ/PBWkABs68WlBNs/dARFG7WzFG0zo03rAJKP0tcTnYONJHYX/iQak2UJY
         ops2It/r1w8VoXUFS85/VGKWbNBPD+rwSoTfAR1BEbeiDgNLs0Wq31GLuB73T9L/nCnU
         B+dg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 97-v6si14985163plb.495.2018.10.01.13.08.26;
        Mon, 01 Oct 2018 13:08:42 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726313AbeJBCrt (ORCPT <rfc822;tnerolf.eriarrach@gmail.com>
        + 99 others); Mon, 1 Oct 2018 22:47:49 -0400
Received: from namei.org ([65.99.196.166]:34604 "EHLO namei.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1726149AbeJBCrt (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 1 Oct 2018 22:47:49 -0400
Received: from localhost (localhost [127.0.0.1])
        by namei.org (8.14.4/8.14.4) with ESMTP id w91K8GDP015566;
        Mon, 1 Oct 2018 20:08:16 GMT
Date:   Tue, 2 Oct 2018 06:08:16 +1000 (AEST)
From:   James Morris <jmorris@namei.org>
To:     "Darrick J. Wong" <darrick.wong@oracle.com>
cc:     Alan Cox <gnomes@lxorguk.ukuu.org.uk>,
        Dave Chinner <david@fromorbit.com>, TongZhang <ztong@vt.edu>,
        linux-xfs@vger.kernel.org, LKML <linux-kernel@vger.kernel.org>,
        linux-security-module@vger.kernel.org,
        Wenbo Shen <shenwenbosmile@gmail.com>
Subject: Re: Leaking Path in XFS's ioctl interface(missing LSM check)
In-Reply-To: <20181001154459.GB5872@magnolia>
Message-ID: <alpine.LRH.2.21.1810020608090.14406@namei.org>
References: <5EF0D46A-C098-4B51-AD13-225FFCA35D4C@vt.edu> <20180926013329.GD31060@dastard> <20180926192426.472360ea@alans-desktop> <20180927013812.GF31060@dastard> <20180930151652.6975610c@alans-desktop> <20181001002521.GM31060@dastard>
 <20181001160442.47c798bc@alans-desktop> <20181001154459.GB5872@magnolia>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, 1 Oct 2018, Darrick J. Wong wrote:

> If we /did/ replace CAP_SYS_ADMIN checking with a pile of LSM hooks,

Not sure we'd need a pile of hooks, what about just "read" and "write" 
storage admin?

Or even two new capabilities along these lines, which we convert existing 
CAP_SYS_ADMIN etc. to?

> how do we make sure that we (XFS) avoid breaking existing XFS tools?  I 
> guess the default compatibility handler for all of those new hooks would 
> be "return capable(CAP_SYS_ADMIN) ? 0 : -EPERM;" and then other LSMs 
> could restrict that further if so configured.
> 
> Seriously, I don't know that much about how LSMs actually perform
> security checks -- it looks like a number of them can be active
> simultaneously, and we just call each of them in a chain until one of
> them denies permission or we run out of LSMs and allow it?
> 

Correct.

> FWIW I didn't have a particular security or threat model in mind when I
> made the above list; all I did was break up the existing CAP_SYS_ADMIN
> into rough functional areas.  Maybe it makes sense, but maybe I'm
> rambling. :)
> 
> --D
> 
> > You can build that model where for example only an administrative
> > login from a trusted console may launch processes to do that
> > management.
> > 
> > Or you could - if things were not going around the LSM hooks.
> > 
> > Alan
> 

-- 
James Morris
<jmorris@namei.org>