Received: by 2002:a05:6358:111d:b0:dc:6189:e246 with SMTP id f29csp1727009rwi; Thu, 3 Nov 2022 08:25:28 -0700 (PDT) X-Google-Smtp-Source: AMsMyM5Y3CBNPzoRBKtnpy0yPYnXbkAU8v6kR3MyxQhO1foVTaoCplK11j/isYLrMWBze+FEzETR X-Received: by 2002:a05:6402:42c7:b0:461:bea2:8a70 with SMTP id i7-20020a05640242c700b00461bea28a70mr31827246edc.261.1667489127844; Thu, 03 Nov 2022 08:25:27 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1667489127; cv=none; d=google.com; s=arc-20160816; b=TsAQQbExfNGEBD+ptz7TapjZaaTePfIlDl1wPkWb0V59XMFWVQbemq1RCR6uNSN5QT Xuntu+7mU4QThFPoqXIcgCup7GbtRm0wz8uPliy+ZcHRKEzpFgygdNUQJWTupYh5nI4S r5ZxRqPM9Wj7AG+fEBB1s3tLrTAKFZ0uPfJNzPN968a1aBg7rlV+alyXF0Di9xZczw5c YSLCGutzqrYA6KJt0JS4ADN1SD6kutQA4Pfd3dt/PuyzHxLDUAcWuQTOHjmchid6PZe2 J4hKAzWH4H/H4WZHnTOGMg6h215MTT2mofIuCi6tfgN44s/HFtbOsqvhlgAYhzG4RuRa Lk7w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature; bh=LWgxR1F68mKVnmdpW8+jJqPrx2L99twB8sOEHi9u21s=; b=GD2zwN7qN0w0kbWUbtF4WfKAKGlFv6U5C3mfORU5oi2EJXhu3+TmCtA/KLBrkP/O8p dky8Og56HnozRN0mQJzKoa47z6lsluMKTVPowUgljP3x8E9U2rrMs+X7TkpUUKzwMFe5 v8H2CNvC3yAj0D857DV/CwCc9reBwQ6irJv6c/N2uhq6tx1DoOYs9VFfjhMgbLxfPQlJ dcUYPRxynRLU5xcZk+IY4tTWncTeM0CD828FDSer8EUy7HjroU4iyQWDNehdY6tUygzo IV114eYu1cqWc9AbTbV5aWTCuHOKyF4mi70VuNepiE9k2CcArQu/yajj8GBmV2xKQ8zn R1zA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=Qg5VK+kJ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id o21-20020a170906975500b0073d9ea386d4si1651487ejy.983.2022.11.03.08.25.03; Thu, 03 Nov 2022 08:25:27 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=Qg5VK+kJ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231978AbiKCPNl (ORCPT + 97 others); Thu, 3 Nov 2022 11:13:41 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49516 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231906AbiKCPNj (ORCPT ); Thu, 3 Nov 2022 11:13:39 -0400 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 31E081ADA3 for ; Thu, 3 Nov 2022 08:12:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1667488345; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=LWgxR1F68mKVnmdpW8+jJqPrx2L99twB8sOEHi9u21s=; b=Qg5VK+kJDV1AvuF4vpvSlthMjyXT6t8cYda16ca+QhjIegqF4P1JXO8oqbjL6o9YZu9K9z r3lcs2x2BsV9OA7XMfZUzKLJ/A8QdG4Bjnnzp0j1RFEX4qGijU7Dhn80yzuuxhooEggNql va55PwRHbcSwecxNgfOEqcjC/NzJ6kE= Received: from mail-wm1-f71.google.com (mail-wm1-f71.google.com [209.85.128.71]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_128_GCM_SHA256) id us-mta-581-N5Bxsbx3Pdm9R1QKpj6-Gw-1; Thu, 03 Nov 2022 11:12:24 -0400 X-MC-Unique: N5Bxsbx3Pdm9R1QKpj6-Gw-1 Received: by mail-wm1-f71.google.com with SMTP id v191-20020a1cacc8000000b003bdf7b78dccso992368wme.3 for ; Thu, 03 Nov 2022 08:12:23 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=LWgxR1F68mKVnmdpW8+jJqPrx2L99twB8sOEHi9u21s=; b=ITyx+C+OltTtzSicDX7itflxPXhhzAylaCyT0eMk8FhSgH4tF7SnkqiLqC+XbMBytb wQWl7tkoNLqauerGbAYPYqoxhkpDELTFYPvgGyzef19DYbyunKDppdcbaCDKHmP0YjXi 5UXuWSP9lMDp8uCv05Wq0LpzkCQ7l3Fr4OvECJoIEi1X8bWQ4AzZweZVcZeO8nGNpmjO khnAOJkogdVEwszaBk69sn+3tirq2I0+nc8oC1aonxBjMrBOulIKFUfKnD63FoVLjVPL vlrZy699W5T0Ue883bGZ9SkQ1hDtD1PQ/uZ+MEylBhEND8fYAYJLWuT63Y15l2qlirrP 7y+g== X-Gm-Message-State: ACrzQf3tjOKMtHw3IQSC8iXCoJI1HF72gdmgZ5n9NapqdGRaJArbJ6FI lxD4c2FDMdUDvouR5AXTmIYVGfLwdvi90LvczTP4S20//w574OtonWp2jLvl4UzaKYkWjgX3aoa LBGubD3izbb1eQjBLJAtkrbpM X-Received: by 2002:a05:600c:3655:b0:3cf:7082:dc18 with SMTP id y21-20020a05600c365500b003cf7082dc18mr15530762wmq.36.1667488327463; Thu, 03 Nov 2022 08:12:07 -0700 (PDT) X-Received: by 2002:a05:600c:3655:b0:3cf:7082:dc18 with SMTP id y21-20020a05600c365500b003cf7082dc18mr15530746wmq.36.1667488327247; Thu, 03 Nov 2022 08:12:07 -0700 (PDT) Received: from localhost.localdomain (nat-pool-brq-t.redhat.com. [213.175.37.10]) by smtp.gmail.com with ESMTPSA id v4-20020a5d6784000000b00235da296623sm1104080wru.31.2022.11.03.08.12.06 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 03 Nov 2022 08:12:06 -0700 (PDT) From: Ondrej Mosnacek To: Alexander Viro Cc: linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org, linux-kernel@vger.kernel.org, Martin Pitt , Christian Brauner Subject: [PATCH v2] fs: don't audit the capability check in simple_xattr_list() Date: Thu, 3 Nov 2022 16:12:05 +0100 Message-Id: <20221103151205.702826-1-omosnace@redhat.com> X-Mailer: git-send-email 2.38.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-3.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_NONE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The check being unconditional may lead to unwanted denials reported by LSMs when a process has the capability granted by DAC, but denied by an LSM. In the case of SELinux such denials are a problem, since they can't be effectively filtered out via the policy and when not silenced, they produce noise that may hide a true problem or an attack. Checking for the capability only if any trusted xattr is actually present wouldn't really address the issue, since calling listxattr(2) on such node on its own doesn't indicate an explicit attempt to see the trusted xattrs. Additionally, it could potentially leak the presence of trusted xattrs to an unprivileged user if they can check for the denials (e.g. through dmesg). Therefore, it's best (and simplest) to keep the check unconditional and instead use ns_capable_noaudit() that will silence any associated LSM denials. Fixes: 38f38657444d ("xattr: extract simple_xattr code from tmpfs") Reported-by: Martin Pitt Suggested-by: Christian Brauner (Microsoft) Signed-off-by: Ondrej Mosnacek --- v1 -> v2: switch to simpler and better solution as suggested by Christian v1: https://lore.kernel.org/selinux/CAFqZXNuC7c0Ukx_okYZ7rsKycQY5P1zpMPmmq_T5Qyzbg-x7yQ@mail.gmail.com/T/ fs/xattr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/xattr.c b/fs/xattr.c index 61107b6bbed2..427b8cea1f96 100644 --- a/fs/xattr.c +++ b/fs/xattr.c @@ -1140,7 +1140,7 @@ static int xattr_list_one(char **buffer, ssize_t *remaining_size, ssize_t simple_xattr_list(struct inode *inode, struct simple_xattrs *xattrs, char *buffer, size_t size) { - bool trusted = capable(CAP_SYS_ADMIN); + bool trusted = ns_capable_noaudit(&init_user_ns, CAP_SYS_ADMIN); struct simple_xattr *xattr; ssize_t remaining_size = size; int err = 0; -- 2.38.1