Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755357AbYGVK7Z (ORCPT ); Tue, 22 Jul 2008 06:59:25 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1753382AbYGVK7O (ORCPT ); Tue, 22 Jul 2008 06:59:14 -0400 Received: from wine.ocn.ne.jp ([122.1.235.145]:54793 "EHLO smtp.wine.ocn.ne.jp" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751998AbYGVK7L (ORCPT ); Tue, 22 Jul 2008 06:59:11 -0400 To: linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [RFC] Add a counter in task_struct for skipping permission check. (Was: Should LSM hooks be called by filesystem's requests?) From: Tetsuo Handa References: <200807142020.BCC17654.SMtQFVFOFOHOJL@I-love.SAKURA.ne.jp> <487C22A2.9090402@schaufler-ca.com> In-Reply-To: <487C22A2.9090402@schaufler-ca.com> Message-Id: <200807221959.HDJ90154.FFLMOtVOOQJFSH@I-love.SAKURA.ne.jp> X-Mailer: Winbiff [Version 2.50 PL2] X-Accept-Language: ja,en Date: Tue, 22 Jul 2008 19:59:04 +0900 Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 18870 Lines: 567 Hello. I have a problem with unionfs and LSM. The unionfs causes NULL pointer dereference if copyup_dentry() failed by LSM's decision, so I'm searching for a solution. http://marc.info/?l=linux-security-module&m=121609490418118&w=2 It seems that the unionfs is not handling error paths correctly. But since the unionfs's operation is not always atomic, there is no guarantee that unionfs can rollback unionfs's internal operations properly. For example, unionfs is trying to create a rw copy of a ro file. Request by unionfs Decision by LSM "I want to create a rw file." "OK. You can create the file." "I want to copy the ro file's attribute" "No. You must not." "I have to delete the rw file." "No. You must not." Then, it might be better to completely disable LSM for unionfs's internal operations. At least, I think we need to disable LSM for rollback operation so that the rw file in the above example is properly deleted. I think this patch can disable LSM checks if vfs_*() and notify_change() is called by unionfs's internal operations. This patch is just an idea, not tested at all. Does somebody have a solution? Signed-off-by: Tetsuo Handa --- fs/unionfs/commonfops.c | 2 ++ fs/unionfs/copyup.c | 14 ++++++++++++++ fs/unionfs/dirfops.c | 6 ++++++ fs/unionfs/dirhelper.c | 4 ++++ fs/unionfs/file.c | 8 ++++++++ fs/unionfs/inode.c | 18 ++++++++++++++++++ fs/unionfs/rename.c | 8 ++++++++ fs/unionfs/sioq.c | 10 ++++++++++ fs/unionfs/subr.c | 4 ++++ fs/unionfs/super.c | 2 ++ fs/unionfs/unlink.c | 4 ++++ fs/unionfs/xattr.c | 8 ++++++++ include/linux/fs.h | 3 ++- include/linux/sched.h | 1 + 14 files changed, 91 insertions(+), 1 deletion(-) --- linux-2.6.26-rc8-mm1.orig/fs/unionfs/commonfops.c +++ linux-2.6.26-rc8-mm1/fs/unionfs/commonfops.c @@ -88,7 +88,9 @@ retry: lower_dentry->d_inode); } lower_dir_dentry = lock_parent(lower_dentry); + current->no_perm_check++; err = vfs_unlink(lower_dir_dentry->d_inode, lower_dentry); + current->no_perm_check--; unlock_dir(lower_dir_dentry); out: --- linux-2.6.26-rc8-mm1.orig/fs/unionfs/copyup.c +++ linux-2.6.26-rc8-mm1/fs/unionfs/copyup.c @@ -35,7 +35,9 @@ static int copyup_xattrs(struct dentry * char *name_list_buf = NULL; /* query the actual size of the xattr list */ + current->no_perm_check++; list_size = vfs_listxattr(old_lower_dentry, NULL, 0); + current->no_perm_check--; if (list_size <= 0) { err = list_size; goto out; @@ -51,7 +53,9 @@ static int copyup_xattrs(struct dentry * name_list_buf = name_list; /* save for kfree at end */ /* now get the actual xattr list of the source file */ + current->no_perm_check++; list_size = vfs_listxattr(old_lower_dentry, name_list, list_size); + current->no_perm_check--; if (list_size <= 0) { err = list_size; goto out; @@ -70,8 +74,10 @@ static int copyup_xattrs(struct dentry * /* Lock here since vfs_getxattr doesn't lock for us */ mutex_lock(&old_lower_dentry->d_inode->i_mutex); + current->no_perm_check++; size = vfs_getxattr(old_lower_dentry, name_list, attr_value, XATTR_SIZE_MAX); + current->no_perm_check--; mutex_unlock(&old_lower_dentry->d_inode->i_mutex); if (size < 0) { err = size; @@ -82,8 +88,10 @@ static int copyup_xattrs(struct dentry * goto out; } /* Don't lock here since vfs_setxattr does it for us. */ + current->no_perm_check++; err = vfs_setxattr(new_lower_dentry, name_list, attr_value, size, 0); + current->no_perm_check--; /* * Selinux depends on "security.*" xattrs, so to maintain * the security of copied-up files, if Selinux is active, @@ -93,8 +101,10 @@ static int copyup_xattrs(struct dentry * */ if (err == -EPERM && !capable(CAP_FOWNER)) { cap_raise(current->cap_effective, CAP_FOWNER); + current->no_perm_check++; err = vfs_setxattr(new_lower_dentry, name_list, attr_value, size, 0); + current->no_perm_check--; cap_lower(current->cap_effective, CAP_FOWNER); } if (err < 0) @@ -136,6 +146,7 @@ static int copyup_permissions(struct sup ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_FORCE | ATTR_GID | ATTR_UID; mutex_lock(&new_lower_dentry->d_inode->i_mutex); + current->no_perm_check++; err = notify_change(new_lower_dentry, &newattrs); if (err) goto out; @@ -153,6 +164,7 @@ static int copyup_permissions(struct sup } out: + current->no_perm_check--; mutex_unlock(&new_lower_dentry->d_inode->i_mutex); return err; } @@ -488,7 +500,9 @@ out_unlink: * quota, or something else happened so let's unlink; we don't * really care about the return value of vfs_unlink */ + current->no_perm_check++; vfs_unlink(new_lower_parent_dentry->d_inode, new_lower_dentry); + current->no_perm_check--; if (copyup_file) { /* need to close the file */ --- linux-2.6.26-rc8-mm1.orig/fs/unionfs/dirfops.c +++ linux-2.6.26-rc8-mm1/fs/unionfs/dirfops.c @@ -149,15 +149,21 @@ static int unionfs_readdir(struct file * buf.sb = inode->i_sb; /* Read starting from where we last left off. */ + current->no_perm_check++; offset = vfs_llseek(lower_file, uds->dirpos, SEEK_SET); + current->no_perm_check--; if (offset < 0) { err = offset; goto out; } + current->no_perm_check++; err = vfs_readdir(lower_file, unionfs_filldir, &buf); + current->no_perm_check--; /* Save the position for when we continue. */ + current->no_perm_check++; offset = vfs_llseek(lower_file, 0, SEEK_CUR); + current->no_perm_check--; if (offset < 0) { err = offset; goto out; --- linux-2.6.26-rc8-mm1.orig/fs/unionfs/dirhelper.c +++ linux-2.6.26-rc8-mm1/fs/unionfs/dirhelper.c @@ -69,8 +69,10 @@ int do_delete_whiteouts(struct dentry *d err = PTR_ERR(lower_dentry); break; } + current->no_perm_check++; if (lower_dentry->d_inode) err = vfs_unlink(lower_dir, lower_dentry); + current->no_perm_check--; dput(lower_dentry); if (err) break; @@ -239,8 +241,10 @@ int check_empty(struct dentry *dentry, s do { buf->filldir_called = 0; buf->rdstate->bindex = bindex; + current->no_perm_check++; err = vfs_readdir(lower_file, readdir_util_callback, buf); + current->no_perm_check--; if (buf->err) err = buf->err; } while ((err >= 0) && buf->filldir_called); --- linux-2.6.26-rc8-mm1.orig/fs/unionfs/file.c +++ linux-2.6.26-rc8-mm1/fs/unionfs/file.c @@ -32,7 +32,9 @@ static ssize_t unionfs_read(struct file goto out; lower_file = unionfs_lower_file(file); + current->no_perm_check++; err = vfs_read(lower_file, buf, count, ppos); + current->no_perm_check--; /* update our inode atime upon a successful lower read */ if (err >= 0) { fsstack_copy_attr_atime(dentry->d_inode, @@ -62,7 +64,9 @@ static ssize_t unionfs_write(struct file goto out; lower_file = unionfs_lower_file(file); + current->no_perm_check++; err = vfs_write(lower_file, buf, count, ppos); + current->no_perm_check--; /* update our inode times+sizes upon a successful lower write */ if (err >= 0) { fsstack_copy_inode_size(dentry->d_inode, @@ -279,7 +283,9 @@ static ssize_t unionfs_splice_read(struc goto out; lower_file = unionfs_lower_file(file); + current->no_perm_check++; err = vfs_splice_to(lower_file, ppos, pipe, len, flags); + current->no_perm_check--; /* update our inode atime upon a successful lower splice-read */ if (err >= 0) { fsstack_copy_attr_atime(dentry->d_inode, @@ -308,7 +314,9 @@ static ssize_t unionfs_splice_write(stru goto out; lower_file = unionfs_lower_file(file); + current->no_perm_check++; err = vfs_splice_from(pipe, lower_file, ppos, len, flags); + current->no_perm_check--; /* update our inode times+sizes upon a successful lower write */ if (err >= 0) { fsstack_copy_inode_size(dentry->d_inode, --- linux-2.6.26-rc8-mm1.orig/fs/unionfs/inode.c +++ linux-2.6.26-rc8-mm1/fs/unionfs/inode.c @@ -62,7 +62,9 @@ static int check_for_whiteout(struct den lower_dir_dentry = lock_parent_wh(wh_dentry); /* see Documentation/filesystems/unionfs/issues.txt */ lockdep_off(); + current->no_perm_check++; err = vfs_unlink(lower_dir_dentry->d_inode, wh_dentry); + current->no_perm_check--; lockdep_on(); unlock_dir(lower_dir_dentry); @@ -208,8 +210,10 @@ static int unionfs_create(struct inode * err = init_lower_nd(&lower_nd, LOOKUP_CREATE); if (unlikely(err < 0)) goto out; + current->no_perm_check++; err = vfs_create(lower_parent_dentry->d_inode, lower_dentry, mode, &lower_nd); + current->no_perm_check--; release_lower_nd(&lower_nd, err); if (!err) { @@ -348,8 +352,10 @@ static int unionfs_link(struct dentry *o if (!err) { /* see Documentation/filesystems/unionfs/issues.txt */ lockdep_off(); + current->no_perm_check++; err = vfs_unlink(lower_dir_dentry->d_inode, whiteout_dentry); + current->no_perm_check--; lockdep_on(); } @@ -381,8 +387,10 @@ static int unionfs_link(struct dentry *o if (!err) { /* see Documentation/filesystems/unionfs/issues.txt */ lockdep_off(); + current->no_perm_check++; err = vfs_link(lower_old_dentry, lower_dir_dentry->d_inode, lower_new_dentry); + current->no_perm_check--; lockdep_on(); } unlock_dir(lower_dir_dentry); @@ -409,9 +417,11 @@ docopyup: /* see Documentation/filesystems/unionfs/issues.txt */ lockdep_off(); /* do vfs_link */ + current->no_perm_check++; err = vfs_link(lower_old_dentry, lower_dir_dentry->d_inode, lower_new_dentry); + current->no_perm_check--; lockdep_on(); unlock_dir(lower_dir_dentry); goto check_link; @@ -498,8 +508,10 @@ static int unionfs_symlink(struct inode } mode = S_IALLUGO; + current->no_perm_check++; err = vfs_symlink(lower_parent_dentry->d_inode, lower_dentry, symname, mode); + current->no_perm_check--; if (!err) { err = PTR_ERR(unionfs_interpose(dentry, parent->i_sb, 0)); if (!err) { @@ -629,8 +641,10 @@ static int unionfs_mkdir(struct inode *p goto out; } + current->no_perm_check++; err = vfs_mkdir(lower_parent_dentry->d_inode, lower_dentry, mode); + current->no_perm_check--; unlock_dir(lower_parent_dentry); @@ -733,7 +747,9 @@ static int unionfs_mknod(struct inode *p goto out; } + current->no_perm_check++; err = vfs_mknod(lower_parent_dentry->d_inode, lower_dentry, mode, dev); + current->no_perm_check--; if (!err) { err = PTR_ERR(unionfs_interpose(dentry, parent->i_sb, 0)); if (!err) { @@ -1043,7 +1059,9 @@ static int unionfs_setattr(struct dentry /* notify the (possibly copied-up) lower inode */ mutex_lock(&lower_dentry->d_inode->i_mutex); + current->no_perm_check++; err = notify_change(lower_dentry, ia); + current->no_perm_check--; mutex_unlock(&lower_dentry->d_inode->i_mutex); if (err) goto out; --- linux-2.6.26-rc8-mm1.orig/fs/unionfs/rename.c +++ linux-2.6.26-rc8-mm1/fs/unionfs/rename.c @@ -79,9 +79,11 @@ static int __unionfs_rename(struct inode lower_wh_dir_dentry = lock_parent_wh(lower_wh_dentry); err = is_robranch_super(old_dentry->d_sb, bindex); + current->no_perm_check++; if (!err) err = vfs_unlink(lower_wh_dir_dentry->d_inode, lower_wh_dentry); + current->no_perm_check--; dput(lower_wh_dentry); unlock_dir(lower_wh_dir_dentry); @@ -135,8 +137,10 @@ static int __unionfs_rename(struct inode err = -ENOTEMPTY; goto out_err_unlock; } + current->no_perm_check++; err = vfs_rename(lower_old_dir_dentry->d_inode, lower_old_dentry, lower_new_dir_dentry->d_inode, lower_new_dentry); + current->no_perm_check--; out_err_unlock: if (!err) { /* update parent dir times */ @@ -220,9 +224,11 @@ static int do_unionfs_rename(struct inod unlink_dir_dentry = lock_parent(unlink_dentry); err = is_robranch_super(old_dir->i_sb, bindex); + current->no_perm_check++; if (!err) err = vfs_unlink(unlink_dir_dentry->d_inode, unlink_dentry); + current->no_perm_check--; fsstack_copy_attr_times(new_dentry->d_parent->d_inode, unlink_dir_dentry->d_inode); @@ -294,8 +300,10 @@ static int do_unionfs_rename(struct inod if (unlikely(err < 0)) goto out; lower_parent = lock_parent_wh(wh_old); + current->no_perm_check++; local_err = vfs_create(lower_parent->d_inode, wh_old, S_IRUGO, &nd); + current->no_perm_check--; unlock_dir(lower_parent); if (!local_err) { set_dbopaque(old_dentry, bwh_old); --- linux-2.6.26-rc8-mm1.orig/fs/unionfs/sioq.c +++ linux-2.6.26-rc8-mm1/fs/unionfs/sioq.c @@ -60,7 +60,9 @@ void __unionfs_create(struct work_struct struct sioq_args *args = container_of(work, struct sioq_args, work); struct create_args *c = &args->create; + current->no_perm_check++; args->err = vfs_create(c->parent, c->dentry, c->mode, c->nd); + current->no_perm_check--; complete(&args->comp); } @@ -69,7 +71,9 @@ void __unionfs_mkdir(struct work_struct struct sioq_args *args = container_of(work, struct sioq_args, work); struct mkdir_args *m = &args->mkdir; + current->no_perm_check++; args->err = vfs_mkdir(m->parent, m->dentry, m->mode); + current->no_perm_check--; complete(&args->comp); } @@ -78,7 +82,9 @@ void __unionfs_mknod(struct work_struct struct sioq_args *args = container_of(work, struct sioq_args, work); struct mknod_args *m = &args->mknod; + current->no_perm_check++; args->err = vfs_mknod(m->parent, m->dentry, m->mode, m->dev); + current->no_perm_check--; complete(&args->comp); } @@ -87,7 +93,9 @@ void __unionfs_symlink(struct work_struc struct sioq_args *args = container_of(work, struct sioq_args, work); struct symlink_args *s = &args->symlink; + current->no_perm_check++; args->err = vfs_symlink(s->parent, s->dentry, s->symbuf, s->mode); + current->no_perm_check--; complete(&args->comp); } @@ -96,7 +104,9 @@ void __unionfs_unlink(struct work_struct struct sioq_args *args = container_of(work, struct sioq_args, work); struct unlink_args *u = &args->unlink; + current->no_perm_check++; args->err = vfs_unlink(u->parent, u->dentry); + current->no_perm_check--; complete(&args->comp); } --- linux-2.6.26-rc8-mm1.orig/fs/unionfs/subr.c +++ linux-2.6.26-rc8-mm1/fs/unionfs/subr.c @@ -92,11 +92,13 @@ int create_whiteout(struct dentry *dentr goto out; lower_dir_dentry = lock_parent_wh(lower_wh_dentry); err = is_robranch_super(dentry->d_sb, bindex); + current->no_perm_check++; if (!err) err = vfs_create(lower_dir_dentry->d_inode, lower_wh_dentry, ~current->fs->umask & S_IRWXUGO, &nd); + current->no_perm_check--; unlock_dir(lower_dir_dentry); dput(lower_wh_dentry); release_lower_nd(&nd, err); @@ -192,8 +194,10 @@ int make_dir_opaque(struct dentry *dentr err = init_lower_nd(&nd, LOOKUP_CREATE); if (unlikely(err < 0)) goto out; + current->no_perm_check++; if (!diropq->d_inode) err = vfs_create(lower_dir, diropq, S_IRUGO, &nd); + current->no_perm_check--; if (!err) set_dbopaque(dentry, bindex); release_lower_nd(&nd, err); --- linux-2.6.26-rc8-mm1.orig/fs/unionfs/super.c +++ linux-2.6.26-rc8-mm1/fs/unionfs/super.c @@ -163,7 +163,9 @@ static int unionfs_statfs(struct dentry unionfs_check_dentry(dentry); lower_dentry = unionfs_lower_dentry(sb->s_root); + current->no_perm_check++; err = vfs_statfs(lower_dentry, buf); + current->no_perm_check--; /* set return buf to our f/s to avoid confusing user-level utils */ buf->f_type = UNIONFS_SUPER_MAGIC; --- linux-2.6.26-rc8-mm1.orig/fs/unionfs/unlink.c +++ linux-2.6.26-rc8-mm1/fs/unionfs/unlink.c @@ -69,12 +69,14 @@ static int unionfs_unlink_whiteout(struc if (!err) { /* see Documentation/filesystems/unionfs/issues.txt */ lockdep_off(); + current->no_perm_check++; if (!S_ISDIR(lower_dentry->d_inode->i_mode)) err = vfs_unlink(lower_dir_dentry->d_inode, lower_dentry); else err = vfs_rmdir(lower_dir_dentry->d_inode, lower_dentry); + current->no_perm_check--; lockdep_on(); } @@ -193,7 +195,9 @@ static int unionfs_rmdir_first(struct in if (!err) { /* see Documentation/filesystems/unionfs/issues.txt */ lockdep_off(); + current->no_perm_check++; err = vfs_rmdir(lower_dir_dentry->d_inode, lower_dentry); + current->no_perm_check--; lockdep_on(); } dput(lower_dentry); --- linux-2.6.26-rc8-mm1.orig/fs/unionfs/xattr.c +++ linux-2.6.26-rc8-mm1/fs/unionfs/xattr.c @@ -55,7 +55,9 @@ ssize_t unionfs_getxattr(struct dentry * lower_dentry = unionfs_lower_dentry(dentry); + current->no_perm_check++; err = vfs_getxattr(lower_dentry, (char *) name, value, size); + current->no_perm_check--; out: unionfs_check_dentry(dentry); @@ -84,8 +86,10 @@ int unionfs_setxattr(struct dentry *dent lower_dentry = unionfs_lower_dentry(dentry); + current->no_perm_check++; err = vfs_setxattr(lower_dentry, (char *) name, (void *) value, size, flags); + current->no_perm_check--; out: unionfs_check_dentry(dentry); @@ -113,7 +117,9 @@ int unionfs_removexattr(struct dentry *d lower_dentry = unionfs_lower_dentry(dentry); + current->no_perm_check++; err = vfs_removexattr(lower_dentry, (char *) name); + current->no_perm_check--; out: unionfs_check_dentry(dentry); @@ -143,7 +149,9 @@ ssize_t unionfs_listxattr(struct dentry lower_dentry = unionfs_lower_dentry(dentry); encoded_list = list; + current->no_perm_check++; err = vfs_listxattr(lower_dentry, encoded_list, size); + current->no_perm_check--; out: unionfs_check_dentry(dentry); --- linux-2.6.26-rc8-mm1.orig/include/linux/fs.h +++ linux-2.6.26-rc8-mm1/include/linux/fs.h @@ -190,7 +190,8 @@ extern int dir_notify_enable; #define IS_DEADDIR(inode) ((inode)->i_flags & S_DEAD) #define IS_NOCMTIME(inode) ((inode)->i_flags & S_NOCMTIME) #define IS_SWAPFILE(inode) ((inode)->i_flags & S_SWAPFILE) -#define IS_PRIVATE(inode) ((inode)->i_flags & S_PRIVATE) +#define IS_PRIVATE(inode) (((inode)->i_flags & S_PRIVATE) || \ + current->no_perm_check) /* the read-only stuff doesn't really belong here, but any other place is probably as bad and I don't want to create yet another include file. */ --- linux-2.6.26-rc8-mm1.orig/include/linux/sched.h +++ linux-2.6.26-rc8-mm1/include/linux/sched.h @@ -1296,6 +1296,7 @@ struct task_struct { int latency_record_count; struct latency_record latency_record[LT_SAVECOUNT]; #endif + u8 no_perm_check; /* Skip permission check. */ }; /* -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/