From: Amir Goldstein
Date: Tue, 23 Jul 2019 21:49:32 +0300
Subject: Re: [Non-DoD Source] Re: [RFC PATCH v2] fanotify, inotify, dnotify, security: add security hook for fs notifications
To: Aaron Goidel
Cc: Paul Moore, selinux@vger.kernel.org, LSM List, linux-fsdevel, David Howells, Jan Kara, James Morris, Stephen Smalley, linux-kernel
References: <20190718143042.11059-1-acgoide@tycho.nsa.gov>
List-ID: linux-kernel@vger.kernel.org

On Tue, Jul 23, 2019 at 7:17 PM Aaron Goidel wrote:
>
> On 7/18/19 12:16 PM, Amir Goldstein wrote:
> > On Thu, Jul 18, 2019 at 5:31 PM Aaron Goidel wrote:
> >>
> >> diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c > >> index a90bb19dcfa2..9e3137badb6b 100644 > >> --- a/fs/notify/fanotify/fanotify_user.c > >> +++ b/fs/notify/fanotify/fanotify_user.c > >> @@ -528,9 +528,10 @@ static const struct file_operations fanotify_fops = { > >> }; > >> > >> static int fanotify_find_path(int dfd, const char __user *filename, > >> - struct path *path, unsigned int flags) > >> + struct path *path, unsigned int flags, __u64 mask) > >> { > >> int ret; > >> + unsigned int mark_type; > >> > >> pr_debug("%s: dfd=%d filename=%p flags=%x\n", __func__, > >> dfd, filename, flags);
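Review bot: the new `mask` parameter is not reflected in the `pr_debug()` call that follows the declarations, which still prints only `dfd`, `filename` and `flags`; since `mask` now feeds a security decision inside this function, it is worth adding it to the trace, e.g. `pr_debug("%s: dfd=%d filename=%p flags=%x mask=%llx\n", __func__, dfd, filename, flags, mask);`. The added `mark_type` local is only assigned later in the function, so this hunk is otherwise fine.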
> >> @@ -567,8 +568,30 @@ static int fanotify_find_path(int dfd, const char __user *filename, > >> > >> /* you can only watch an inode if you have read permissions on it */ > >> ret = inode_permission(path->dentry->d_inode, MAY_READ); > >> + if (ret) { > >> + path_put(path); > >> + goto out; > >> + } > >> + > >> + switch (flags & FANOTIFY_MARK_TYPE_BITS) { > >> + case FAN_MARK_MOUNT: > >> + mark_type = FSNOTIFY_OBJ_TYPE_VFSMOUNT; > >> + break; > >> + case FAN_MARK_FILESYSTEM: > >> + mark_type = FSNOTIFY_OBJ_TYPE_SB; > >> + break; > >> + case FAN_MARK_INODE: > >> + mark_type = FSNOTIFY_OBJ_TYPE_INODE; > >> + break; > >> + default: > >> + ret = -EINVAL; > >> + goto out; > >> + } > >> + > >> + ret = security_inode_notify(path->dentry->d_inode, mask, mark_type);
> >
> > If you prefer 3 hooks security_{inode,mount,sb}_notify()
> > please place them in fanotify_add_{inode,mount,sb}_mark().
> >
> > If you prefer single hook with path argument, please pass path
> > down to fanotify_add_mark() and call security_path_notify() from there,
> > where you already have the object type argument.
> >
> I'm not clear on why you want me to move the hook call down to
> fanotify_add_mark(). I'd prefer to keep it adjacent to the existing
> inode_permission() call so that all the security checking occurs from
> one place.

Fine.

> Moving it down requires adding a path arg to that entire call
> chain, even though it wouldn't otherwise be needed.

That doesn't matter.

> And that raises the
> question of whether to continue passing the mnt_sb, mnt, or inode
> separately or just extract all those from the path inside of
> fanotify_add_*_mark().

You lost me.
The major issue I have is with passing @inode argument to hook
for adding a mount watch. Makes no sense to me as @inode may be accessed
from any mount and without passing @path to hook this information is lost.

>
> It also seems to destroy the parallelism with fanotify_remove_*_mark().

I don't know what that means.
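Review bot: the `default:` arm of the new switch sets `ret = -EINVAL;` and jumps to `out` without calling `path_put(path)`, while the `inode_permission()` failure branch added just above it does drop the reference before the same `goto out;`; as written, an unrecognised mark type leaks the path reference this function obtained earlier. Either add `path_put(path);` before the `goto out;` in the default arm, or collapse the error handling so that every failure after the lookup (permission check, invalid mark type, and a non-zero return from `security_inode_notify()`) goes through one `path_put(path)` before reaching `out`. It would also be cheaper to reject an invalid mark type before the `inode_permission()` call rather than after it, since the permission check is wasted work for a request that is about to fail anyway.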
> I also don't see any real benefit in splitting into three separate
> hooks, especially as some security modules will want the path or inode
> even for the mount or superblock cases, since they may have no relevant
> security information for vfsmounts or superblocks.

OK, that is an argument for single hook with @path argument.
That is fine by me.

Thanks,
Amir.