Message-ID: <17b17f3ba8ce7af3bccda15bf81535950fa78a48.camel@linux.ibm.com>
Subject: Re: [PATCH v3 02/10] security: allow finer granularity in permitting copy-up of security xattrs
From: Mimi Zohar
To: Stefan Berger, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-unionfs@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, roberto.sassu@huawei.com, amir73il@gmail.com, brauner@kernel.org, miklos@szeredi.hu
Date: Tue, 19 Mar 2024 18:51:51 -0400
In-Reply-To: <20240223172513.4049959-3-stefanb@linux.ibm.com>
References: <20240223172513.4049959-1-stefanb@linux.ibm.com> <20240223172513.4049959-3-stefanb@linux.ibm.com>

On Fri, 2024-02-23 at 12:25 -0500, Stefan Berger wrote:
> Copying up xattrs is solely based on the security xattr name. For finer
> granularity add a dentry parameter to the security_inode_copy_up_xattr
> hook definition, allowing decisions to be based on the xattr content as
> well.
>
> Co-developed-by: Mimi Zohar
> Signed-off-by: Stefan Berger
> Acked-by: Amir Goldstein

Signed-off-by: Mimi Zohar