On 7/9/2019 9:23 AM, Mark Salyzyn wrote:
> For an EACCES return from getxattr, sid appears to be expected to be updated in the parent
> node. For some accesses this is purely cosmetic, for correct avc logging, and
> for others, depending on kernel vintage (older than 4.4), the lack of the
> corrected sid in the parent overlay inode poisons the security cache and
> results in false denials.
>
> The avc denials would contain (incorrect) unlabelled target references; we
> could fix this by copying up the sid to the parent inode. However the test
> (below) needs to be refactored to the pleasure of the security, selinux and
> overlayfs maintainers. The security_socket_accept function is _close_: it
> will copy sid and class from the old socket to the new. Along those lines, we
> probably need to add a new security_copy_to_upper handler that takes the
> upper and lower dentries and ensures that the upper contains all the security
> information associated with the lower.
Please include the LSM (CCed) list on all LSM impacting discussions.
Your mailer mangled the patch. Please resend in plain text.
Thank you.
>
> Prototype adjustment (tested in 3.18 to ToT)
>
> int ovl_xattr_get(struct dentry *dentry, struct inode *inode, const char
> *name, { ssize_t res; const struct cred *old_cred; struct dentry *realdentry
> = ovl_i_dentry_upper(inode) ?: ovl_dentry_lower(dentry); old_cred =
> ovl_override_creds(dentry->d_sb); res = vfs_getxattr(realdentry, name, value,
> size); ovl_revert_creds(old_cred); + if (res == -EACCES) { +
> selinux_copy_sid(dentry, realdentry); return res; }
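Review bot: fs/overlayfs should not call selinux_copy_sid() directly in the EACCES path; overlayfs is LSM-agnostic, so this needs to go through a security_* hook (the security_copy_to_upper idea in the text above) rather than a symbol exported from one LSM, otherwise non-SELinux and stacked configurations are silently skipped. As pasted the block also looks unbalanced: `+ if (res == -EACCES) { + selinux_copy_sid(dentry, realdentry); return res; }` either lost the closing brace of the if or pulled the existing `return res;` inside it, which is worth checking when the patch is resent in plain text. The copy is also performed on every EACCES regardless of whether realdentry came from ovl_i_dentry_upper() or ovl_dentry_lower(); if the intent is specifically to propagate the lower label, the call should be limited to the lower-dentry case.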
>
> . . .
>
> + void selinux_copy_sid(struct dentry *parent, struct dentry *child) + { +
> struct inode *pinode, *cinode; + struct inode_security_struct *pisec, *cisec;
> + + if (!parent || !child) + return; + pinode = parent->d_inode; + cinode =
> child->d_inode; + if (!pinode || !cinode) + return; + pisec =
> pinode->i_security; + cisec = cinode->i_security; + if (!pisec || !cisec) +
> return; + pisec->sid = cisec->sid; + } + EXPORT_SYMBOL_GPL(selinux_copy_sid);
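Review bot: selinux_copy_sid() copies only sid, while the justification above points at security_socket_accept, which copies both sid and class; consider whether sclass (and the isec initialized state) also has to be carried over, since an avc check on the overlay inode that pairs the copied sid with the old class would still produce a wrong decision or log line. The parent/child parameter names do not match the call site, which passes (overlay dentry, real upper-or-lower dentry); ovl/real would read correctly. Dereferencing pinode->i_security directly as struct inode_security_struct * assumes the pre-blob-sharing layout; on current kernels with LSM blob management the SELinux data is reached through selinux_inode(inode), so a version that is claimed tested "to ToT" should use that accessor. Finally, EXPORT_SYMBOL_GPL of an LSM-internal helper for a filesystem caller is the layering issue that argues for a security_ hook instead of this export.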
>
> Sincerely -- Mark Salyzyn