Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp6612112ybi; Wed, 29 May 2019 10:15:47 -0700 (PDT) X-Google-Smtp-Source: APXvYqw2yS9ojWcLF6OygzSn4gQ9WQ7hyPPiq92BjWEY/M61P5InhgXEN/iUhW+3rK48Rf7AL8af X-Received: by 2002:aa7:9115:: with SMTP id 21mr122276266pfh.14.1559150147823; Wed, 29 May 2019 10:15:47 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1559150147; cv=none; d=google.com; s=arc-20160816; b=pmC7CSmj0pkRy9nZeF9FGFveuNhher8FWTW5gvF3ae0WTcJYz46ZFPi0dX0Ta4O7S7 YVGCCxBvdzxaJQUQWHL6I035aQSQSQA43sNKi1ou71TSQY56dQNTQ3/b80MIyOiXInRR dizjBK1n5pu7kiZj5AblC8I5CHDwyTTn73Fqaruq1wn3pOMlY6zmSb8pe0ugn87cMNKx rQkr/gOZju0LD3yI7gHHFd01EtBI01qOmKqY1wVps9YLZGURHO8XfAr59C4219NnW54C am4tWIAY+o+Zn9UOmch1MYqv7kuKqzn3Z05UkAWOblNPDGdGCjchP8lIYWiI4OcHHMfT Y1ww== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:to:references:message-id :content-transfer-encoding:cc:date:in-reply-to:from:subject :mime-version:dkim-signature; bh=+4Eck+CFhCFREBdh4WIXuLZ5kettic1ax4lTFdn88wA=; b=FuND+fB0og6cOihyGP/2DLiawl3sOsqn8FE3X8Sgy3aaAFySEf5JLZQepoSwkqPP61 8DyCQcE/qjdVafVcUs/wjmm3++FjyATRIGbcZchYXc9QkCEoSC9EXQPECaMC+HUP1zBn oFVwU3CzBFw9Xrq093D3g1kqO6ppVp+8SpFRRAsg3yp/zVequE8+GXXeNNXs7qjjiAgh vIoeNHdlLuGLEF4Qh/0ETKGaFQiw9oTnrUgWjqS0GoR1nED01p200wCWmj7oUhUdtYbw OIfwg7pFGMQNv8/5yWpTuA5AeI5nRayZjLXdmq5Wys/uIGxL79HODvptgp2FUASUn/hi j99A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@amacapital-net.20150623.gappssmtp.com header.s=20150623 header.b=RJWFuUbm; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 6si143882pfe.21.2019.05.29.10.15.31; Wed, 29 May 2019 10:15:47 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@amacapital-net.20150623.gappssmtp.com header.s=20150623 header.b=RJWFuUbm; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726875AbfE2ROB (ORCPT + 99 others); Wed, 29 May 2019 13:14:01 -0400 Received: from mail-pg1-f195.google.com ([209.85.215.195]:41917 "EHLO mail-pg1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726540AbfE2RN5 (ORCPT ); Wed, 29 May 2019 13:13:57 -0400 Received: by mail-pg1-f195.google.com with SMTP id z3so262396pgp.8 for ; Wed, 29 May 2019 10:13:57 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amacapital-net.20150623.gappssmtp.com; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=+4Eck+CFhCFREBdh4WIXuLZ5kettic1ax4lTFdn88wA=; b=RJWFuUbmbLU9gIBz85ery+5ZrcHRD50gf+QgLi0fsnsFBkSZVVTge0BZRDH214wxlM xR1FFryYZcnL06XkYs3karxylMDI4ZPBxg4hGX0q+kFpGJhWNTcoqbhTjFqwHfWg+0Sh iXq39rEwL79hjOaWNzhZg2UvhqlbHp9V5TGHA46JMpBQT/gKJOQtlUPu6V8LOlAfSTsf TQq70k4ixv5h06DmUpLIrTdS2Xnr//ws3EImfTsBmxGxj7guv7T9fFPcIrWPGl03Byh+ LO4lVCRSICVNoPsP+tTwipnXTg3fYfDIrhTt5EpOw7O+6K9Vafqci5ZdOdTBtWGgCc4t 43Iw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=+4Eck+CFhCFREBdh4WIXuLZ5kettic1ax4lTFdn88wA=; b=YEEN294hD8S5PVujTIf+i8T1nFv9/XBqV55to1ilu/g+4T2uCjgOvn+18LQFrcVhuO sVc3M9yJP9j8WxAkTbIPJk7+SfcMvxOqaOrX/DxZze5e+qHZex7WA4wTkk87tX6W3QiB 3vwu7LcYxElq/XB1j+7QpBTi0ca+U5f/tyZi3qCW8RURcidDr2apD02lcc9NGRruuKj+ d8Vsx7pxIo5FN316SGSyldxJFCbAqigMSUbp9KCTclZaVSo2w60gtO2TIEdEE5eKaiCK xfcn64vjpmqQtXqfkZwarqVt5ZwTfcILrO61roAfL0NPmV2NOG1qoM2n/A7PzacKcVpP gKSw== X-Gm-Message-State: APjAAAUJteAu0Vthg8oahXf4tUtx8uLUZTvCsZded3porJWtyPZSmQjr FY8n0IIwoPHZ+cJje+dRZs+Mlg== X-Received: by 2002:a62:ab10:: with SMTP id p16mr117966777pff.222.1559150037283; Wed, 29 May 2019 10:13:57 -0700 (PDT) Received: from ?IPv6:2600:100f:b10c:ace6:b862:4204:5f4a:fe22? ([2600:100f:b10c:ace6:b862:4204:5f4a:fe22]) by smtp.gmail.com with ESMTPSA id y10sm204418pfm.68.2019.05.29.10.13.56 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 29 May 2019 10:13:56 -0700 (PDT) Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (1.0) Subject: Re: [PATCH 3/7] vfs: Add a mount-notification facility From: Andy Lutomirski X-Mailer: iPhone Mail (16E227) In-Reply-To: <312a138c-e5b2-4bfb-b50b-40c82c55773f@schaufler-ca.com> Date: Wed, 29 May 2019 10:13:54 -0700 Cc: David Howells , Jann Horn , Al Viro , raven@themaw.net, linux-fsdevel , Linux API , linux-block@vger.kernel.org, keyrings@vger.kernel.org, linux-security-module , kernel list Content-Transfer-Encoding: quoted-printable Message-Id: <4552118F-BE9B-4905-BF0F-A53DC13D5A82@amacapital.net> References: <155905930702.7587.7100265859075976147.stgit@warthog.procyon.org.uk> <155905933492.7587.6968545866041839538.stgit@warthog.procyon.org.uk> <14347.1559127657@warthog.procyon.org.uk> <312a138c-e5b2-4bfb-b50b-40c82c55773f@schaufler-ca.com> To: Casey Schaufler Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > On May 29, 2019, at 8:53 AM, Casey Schaufler wrot= e: >=20 >> On 5/29/2019 4:00 AM, David Howells wrote: >> Jann Horn wrote: >>=20 >>>> +void post_mount_notification(struct mount *changed, >>>> + struct mount_notification *notify) >>>> +{ >>>> + const struct cred *cred =3D current_cred(); >>> This current_cred() looks bogus to me. Can't mount topology changes >>> come from all sorts of places? For example, umount_mnt() from >>> umount_tree() from dissolve_on_fput() from __fput(), which could >>> happen pretty much anywhere depending on where the last reference gets >>> dropped? >> IIRC, that's what Casey argued is the right thing to do from a security P= oV. >> Casey? >=20 > You need to identify the credential of the subject that triggered > the event. If it isn't current_cred(), the cred needs to be passed > in to post_mount_notification(), or derived by some other means. Taking a step back, why do we care who triggered the event? It seems to me t= hat we should care whether the event happened and whether the *receiver* is p= ermitted to know that. (And receiver means whoever subscribed, presumably, not whoever called read(= ) or mmap().)