From: Paul Moore
Date: Wed, 4 Oct 2023 15:22:54 -0400
Subject: Re: [RFC PATCH 3/3] add listmnt(2) syscall
To: Miklos Szeredi
Cc: Christian Brauner, Miklos Szeredi, Matthew House, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, linux-man@vger.kernel.org, linux-security-module@vger.kernel.org, Karel Zak, Ian Kent, David Howells, Linus Torvalds, Al Viro, Christian Brauner, Amir Goldstein
References: <20230913152238.905247-1-mszeredi@redhat.com> <20230913152238.905247-4-mszeredi@redhat.com> <20230917005419.397938-1-mattlloydhouse@gmail.com> <20230918-einblick-klaut-0a010e0abc70@brauner>

On Thu, Sep 28, 2023 at 6:07 AM Miklos Szeredi wrote:
> On Tue, 19 Sept 2023 at 18:48, Paul Moore wrote:
>
> > > Ideally we avoid multiple capable(CAP_SYS_ADMIN) calls by only doing it
> > > once and saving the return value. capable() calls aren't that cheap.
> >
> > Agreed. The capability check doesn't do any subject/object
> > comparisons so calling it for each mount is overkill. However, I
> > would think we would want the LSM hook called from inside the loop as
> > that could involve a subject (@current) and object (individual mount
> > point) comparison.

My apologies, I was traveling and while I was quickly checking my
email each day this message was lost. I'm very sorry for the delay in
responding.

> The security_sb_statfs() one?

Yes.

> Should a single failure result in a complete failure?

My opinion is that it should only result in the failure of that
listing/stat'ing that particular mount; if other mounts are allowed to
be queried then the operation should be allowed to continue.

> Why is it not enough to check permission on the parent?

Each mount has the potential to have a unique security identity in the
context of the LSM, and since the LSM access controls are generally
intended to support a subject-verb-object access control policy we
need to examine the subject and object together (the subject here is
@current, the object is the individual mount, and the verb is the
stat/list operation).

Does that make sense?

I'm looking at the v3 patchset right now, I've got some small nits,
but I'll add those to that thread.

-- 
paul-moore.com
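
Added example, not part of the original message and not code from the listmnt patch: a userspace C model of the structure discussed above, with the subject-only capability check done once and saved, and the per-object LSM check done inside the loop so that a denial hides only that mount. All names are hypothetical; the `restricted` flag stands for whatever the capability gates, which the message does not spell out, and the label bitmask is a constructed stand-in for an LSM policy.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed userspace model; every name below is hypothetical. */
struct subject { bool cap_sys_admin; unsigned allowed_labels; };
struct mount_obj { unsigned long id; unsigned label; bool restricted; };
static int capable_calls;            /* how often the subject-only check ran */

/* Stand-in for capable(CAP_SYS_ADMIN): looks at the subject only. */
static bool model_capable(const struct subject *s)
{
    capable_calls++;
    return s->cap_sys_admin;
}

/* Stand-in for an LSM hook such as security_sb_statfs(): compares the
 * subject with one object (a bitmask of labels the subject may stat). */
static int model_lsm_stat(const struct subject *s, const struct mount_obj *m)
{
    return ((s->allowed_labels >> m->label) & 1u) ? 0 : -13; /* -EACCES */
}

/* Writes the IDs of the mounts the subject may list; returns the count. */
static size_t model_list(const struct subject *s, const struct mount_obj *tbl,
                         size_t n, unsigned long *out, size_t out_len)
{
    bool admin = model_capable(s);   /* once, result saved */
    size_t written = 0;

    for (size_t i = 0; i < n && written < out_len; i++) {
        if (tbl[i].restricted && !admin)
            continue;                /* assumed capability-gated mount */
        if (model_lsm_stat(s, &tbl[i]) != 0)
            continue;                /* denial hides this mount only */
        out[written++] = tbl[i].id;
    }
    return written;
}

/* Constructed sample: four mounts, labels 0..2, the last one gated. */
static const struct mount_obj sample[] = {
    { 21, 0, false }, { 22, 1, false }, { 23, 2, false }, { 24, 0, true },
};
static unsigned long listed[4];
static size_t list_sample(bool admin, unsigned allowed)
{
    struct subject s = { admin, allowed };
    return model_list(&s, sample, 4, listed, 4);
}
```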