Date: Wed, 21 Feb 2024 18:28:35 -0600
From: "Seth Forshee (DigitalOcean)"
To: Paul Moore
Cc: Christian Brauner, Serge Hallyn, Eric Paris, James Morris, Alexander Viro, Jan Kara, Stephen Smalley, Ondrej Mosnacek, Casey Schaufler, Mimi Zohar, Roberto Sassu, Dmitry Kasatkin, Eric Snowberg, "Matthew Wilcox (Oracle)", Jonathan Corbet, Miklos Szeredi, Amir Goldstein, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, audit@vger.kernel.org, selinux@vger.kernel.org, linux-integrity@vger.kernel.org, linux-doc@vger.kernel.org, linux-unionfs@vger.kernel.org
Subject: Re: [PATCH v2 12/25] selinux: add hooks for fscaps operations
References: <20240221-idmap-fscap-refactor-v2-0-3039364623bd@kernel.org> <20240221-idmap-fscap-refactor-v2-12-3039364623bd@kernel.org>

On Wed, Feb 21, 2024 at 07:19:07PM -0500, Paul Moore wrote:
> On Wed, Feb 21, 2024 at 7:10 PM Seth Forshee (DigitalOcean)
> wrote:
> > On Wed, Feb 21, 2024 at 06:38:33PM -0500, Paul Moore wrote:
> > > On Wed, Feb 21, 2024 at 4:25 PM Seth Forshee (DigitalOcean)
> > > wrote:
> > > >
> > > > Add hooks for set/get/remove fscaps operations which perform the same
> > > > checks as the xattr hooks would have done for XATTR_NAME_CAPS.
> > > >
> > > > Signed-off-by: Seth Forshee (DigitalOcean)
> > > > ---
> > > > security/selinux/hooks.c | 26 ++++++++++++++++++++++++++
> > > > 1 file changed, 26 insertions(+)
> > > >
> > > > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> > > > index a6bf90ace84c..da129a387b34 100644
> > > > --- a/security/selinux/hooks.c
> > > > +++ b/security/selinux/hooks.c
> > > > @@ -3367,6 +3367,29 @@ static int selinux_inode_removexattr(struct mnt_idmap *idmap,
> > > > return -EACCES;
> > > > }
> > > >
> > > > +static int selinux_inode_set_fscaps(struct mnt_idmap *idmap,
> > > > + struct dentry *dentry,
> > > > + const struct vfs_caps *caps, int flags)
> > > > +{
> > > > + return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
> > > > +}
> > >
> > > The selinux_inode_setxattr() code also has a cap_inode_setxattr()
> > > check which is missing here. Unless you are handling this somewhere
> > > else, I would expect the function above to look similar to
> > > selinux_inode_remove_fscaps(), but obviously tweaked for setting the
> > > fscaps and not removing them.
> >
> > Right, but cap_inode_setxattr() doesn't do anything for fscaps, so I
> > omitted the call. Unless you think the call should be included in case
> > cap_inode_setxattr() changes in the future, which is a reasonable
> > position.
>
> Fair enough, but I'd be a lot happier if you included the call in case
> something changes in the future. I worry that omitting the call would
> make it easier for us to forget about this if/when things change and
> suddenly we have a security issue. If you are morally opposed to
> that, at the very least put a comment in selinux_inode_set_fscaps()
> about this so we know who to yell at in the future ;)

Makes sense, no objection from me. I'll add it in for v3.
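
Review bot: selinux_inode_set_fscaps() in the quoted hunk returns dentry_has_perm(current_cred(), dentry, FILE__SETATTR) directly, so the SELinux FILE__SETATTR permission is the only check on this path and the idmap, caps and flags arguments are unused. The thread states that selinux_inode_setxattr() also carries a cap_inode_setxattr() check; include the corresponding capability-layer check ahead of the dentry_has_perm() call, or at minimum add a comment in the function recording that it was omitted because it currently does nothing for fscaps, so that a later change to cap_inode_setxattr() is not silently skipped by this hook.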