On Tue, Aug 27, 2019 at 08:05:15AM -0700, Mark Salyzyn wrote:
> Replace arguments for get and set xattr methods, and __vfs_getxattr
> and __vfs_setaxtr functions with a reference to the following now
> common argument structure:
>
> struct xattr_gs_args {
> struct dentry *dentry;
> struct inode *inode;
> const char *name;
> union {
> void *buffer;
> const void *value;
> };
> size_t size;
> int flags;
> };
>
> Which in effect adds a flags option to the get method and
> __vfs_getxattr function.
>
> Add a flag option to get xattr method that has bit flag of
> XATTR_NOSECURITY passed to it. XATTR_NOSECURITY is generally then
> set in the __vfs_getxattr path when called by security
> infrastructure.
>
> This handles the case of a union filesystem driver that is being
> requested by the security layer to report back the xattr data.
>
> For the use case where access is to be blocked by the security layer.
>
> The path then could be security(dentry) ->
> __vfs_getxattr({dentry...XATTR_NOSECURITY}) ->
> handler->get({dentry...XATTR_NOSECURITY}) ->
> __vfs_getxattr({lower_dentry...XATTR_NOSECURITY}) ->
> lower_handler->get({lower_dentry...XATTR_NOSECURITY})
> which would report back through the chain data and success as
> expected, the logging security layer at the top would have the
> data to determine the access permissions and report back the target
> context that was blocked.
>
> Without the get handler flag, the path on a union filesystem would be
> the errant security(dentry) -> __vfs_getxattr(dentry) ->
> handler->get(dentry) -> vfs_getxattr(lower_dentry) -> nested ->
> security(lower_dentry, log off) -> lower_handler->get(lower_dentry)
> which would report back through the chain no data, and -EACCES.
>
> For selinux for both cases, this would translate to a correctly
> determined blocked access. In the first case with this change a correct avc
> log would be reported, in the second legacy case an incorrect avc log
> would be reported against an uninitialized u:object_r:unlabeled:s0
> context making the logs cosmetically useless for audit2allow.
>
> This patch series is inert and is the wide-spread addition of the
> flags option for xattr functions, and a replacement of __vfs_getxattr
> with __vfs_getxattr({...XATTR_NOSECURITY}).
>
> Signed-off-by: Mark Salyzyn <saly...@android.com>
> Reviewed-by: Jan Kara <j...@suse.cz>
> Cc: Stephen Smalley <s...@tycho.nsa.gov>
> Cc: linux-ker...@vger.kernel.org
> Cc: kernel-t...@android.com
> Cc: linux-security-mod...@vger.kernel.org
> Cc: sta...@vger.kernel.org # 4.4, 4.9, 4.14 & 4.19
> ---
> v8:
> - Documentation reported 'struct xattr_gs_flags' rather than
> 'struct xattr_gs_flags *args' as argument to get and set methods.
For btrfs
> fs/btrfs/xattr.c | 36 +++++-----
Acked-by: David Sterba <dste...@suse.com>
_______________________________________________
Linux-f2fs-devel mailing list
Linux-f2fs-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
