Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp1694606imm;
        Tue, 2 Oct 2018 12:21:06 -0700 (PDT)
X-Google-Smtp-Source: ACcGV62dRYHm6hE7nvhBtTItAc86CeKjkt5WBkPO1SgNj1OPMoYpIB7eNMu6m3RxuoLlfoiIj4ey
X-Received: by 2002:a17:902:7d8b:: with SMTP id a11-v6mr6660847plm.171.1538508066307;
        Tue, 02 Oct 2018 12:21:06 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1538508066; cv=none;
        d=google.com; s=arc-20160816;
        b=TECmlQN99mm7cA7t49UTFFkl3EXGPm9WLNM64DuD4llXY8s0fAA4H895dzBanbyov7
         Axlh50zsspGu2ymW0ulSKjzfXPcvTnA20riNTFoJGDUM0ekeWiH4zLhVQ56rVFyd+PIt
         52xOQQbkKzkzoRLSwHNd8d3GZHykZZUOee9X65HF0BEaAkFQE8ETXjbKUimIYEl4JAqR
         dgJFr8QmKq5xyH462EHu1UY/eWkCv4XBf96bokM0Qdmi1MxZLmdGE32CxUGv0TQzdn9I
         czyACXhLE8ZspmUd3lLFi08mcZo8yYcR7Ea2IWBfMqm5e0vMmtYQqQOxG1inWN5kF8TJ
         ixHA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :message-id:in-reply-to:subject:cc:to:from:date;
        bh=+885VhqDsjQE7bNx2j75FJyibVzQm/kjMM9L+E7YQwg=;
        b=JTEWOizV8KLL+ZfzP/qzN6d8r3wghVSRMwt/Y+BxkHyYKq62wqHcC+aFABv7k05LbD
         LTh3augZkXbMygwK1MlJuQwbZh64LJL36g7fjidb5I+VdI0dFY0DYOOT2AkUucSh0y+c
         5JDcxmRQSc9VbmbH64flcSOR++q5yEsRMQZW6dEseoalN3j4SfY3py3GPuZ61hm1t3UB
         gGodyCVWIvlvhb58KKpNFLC0snziyw261ADg4/z5Hgsml4vIcpZpCYgRa3+XtxXnlnnC
         S3x507+9BBMwEId2Dv5mY1Amk0rsHTIJ315IsSbElymJrF+/ZTwcyWQWTdAeqxpQBHQE
         GkRQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id i124-v6si16798995pfc.110.2018.10.02.12.20.50;
        Tue, 02 Oct 2018 12:21:06 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727974AbeJCCFe (ORCPT <rfc822;huangweiredhat@gmail.com>
        + 99 others); Tue, 2 Oct 2018 22:05:34 -0400
Received: from namei.org ([65.99.196.166]:35070 "EHLO namei.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1726946AbeJCCFd (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 2 Oct 2018 22:05:33 -0400
Received: from localhost (localhost [127.0.0.1])
        by namei.org (8.14.4/8.14.4) with ESMTP id w92JKVAN019036;
        Tue, 2 Oct 2018 19:20:31 GMT
Date:   Wed, 3 Oct 2018 05:20:31 +1000 (AEST)
From:   James Morris <jmorris@namei.org>
To:     Dave Chinner <david@fromorbit.com>
cc:     "Darrick J. Wong" <darrick.wong@oracle.com>,
        Alan Cox <gnomes@lxorguk.ukuu.org.uk>,
        TongZhang <ztong@vt.edu>, linux-xfs@vger.kernel.org,
        LKML <linux-kernel@vger.kernel.org>,
        linux-security-module@vger.kernel.org,
        Wenbo Shen <shenwenbosmile@gmail.com>,
        Stephen Smalley <sds@tycho.nsa.gov>,
        Paul Moore <paul@paul-moore.com>
Subject: Re: Leaking Path in XFS's ioctl interface(missing LSM check)
In-Reply-To: <20181001224528.GI18567@dastard>
Message-ID: <alpine.LRH.2.21.1810030518240.17817@namei.org>
References: <5EF0D46A-C098-4B51-AD13-225FFCA35D4C@vt.edu> <20180926013329.GD31060@dastard> <20180926192426.472360ea@alans-desktop> <20180927013812.GF31060@dastard> <20180930151652.6975610c@alans-desktop> <20181001002521.GM31060@dastard>
 <20181001160442.47c798bc@alans-desktop> <20181001154459.GB5872@magnolia> <alpine.LRH.2.21.1810020608090.14406@namei.org> <20181001224528.GI18567@dastard>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, 2 Oct 2018, Dave Chinner wrote:

> On Tue, Oct 02, 2018 at 06:08:16AM +1000, James Morris wrote:
> > On Mon, 1 Oct 2018, Darrick J. Wong wrote:
> > 
> > > If we /did/ replace CAP_SYS_ADMIN checking with a pile of LSM hooks,
> > 
> > Not sure we'd need a pile of hooks, what about just "read" and "write" 
> > storage admin?
> > 
> > Or even two new capabilities along these lines, which we convert existing 
> > CAP_SYS_ADMIN etc. to?
> 
> So instead of having hundreds of management ioctls under
> CAP_SYS_ADMIN, we'd now have hundreds of non-storage ioctls under
> CAP_SYS_ADMIN and hundreds of storage ioctls under
> CAP_SYS_STORAGE_ADMIN?
> 
> Maybe I'm missing something, but I don't see how that improves the
> situation w.r.t. locked down LSM configurations?

I'm not sure about capabilities, but having two specific LSM hooks for 
storage admin would allow SELinux et al to explicitly control privileged 
access to these interfaces.  Storage admin seems to be a special case of 
its own which we want to be able to mediate as such.



-- 
James Morris
<jmorris@namei.org>