From 5e41ff9e0650f327a6c819841fa412da95d57319 Mon Sep 17 00:00:00 2001 From: Stephen Smalley Date: Fri, 9 Sep 2005 13:01:35 -0700 Subject: [PATCH] security: enable atomic inode security labeling The following patch set enables atomic security labeling of newly created inodes by altering the fs code to invoke a new LSM hook to obtain the security attribute to apply to a newly created inode and to set up the incore inode security state during the inode creation transaction. This parallels the existing processing for setting ACLs on newly created inodes. Otherwise, it is possible for new inodes to be accessed by another thread via the dcache prior to complete security setup (presently handled by the post_create/mkdir/... LSM hooks in the VFS) and a newly created inode may be left unlabeled on the disk in the event of a crash. SELinux presently works around the issue by ensuring that the incore inode security label is initialized to a special SID that is inaccessible to unprivileged processes (in accordance with policy), thereby preventing inappropriate access but potentially causing false denials on legitimate accesses. A simple test program demonstrates such false denials on SELinux, and the patch solves the problem. Similar such false denials have been encountered in real applications. This patch defines a new inode_init_security LSM hook to obtain the security attribute to apply to a newly created inode and to set up the incore inode security state for it, and adds a corresponding hook function implementation to SELinux. Signed-off-by: Stephen Smalley Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- include/linux/security.h | 41 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) (limited to 'include/linux/security.h') diff --git a/include/linux/security.h b/include/linux/security.h index 7aab6ab7c57f..d4f3b7a94ea6 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -250,6 +250,25 @@ struct swap_info_struct; * @inode contains the inode structure. * Deallocate the inode security structure and set @inode->i_security to * NULL. + * @inode_init_security: + * Obtain the security attribute name suffix and value to set on a newly + * created inode and set up the incore security field for the new inode. + * This hook is called by the fs code as part of the inode creation + * transaction and provides for atomic labeling of the inode, unlike + * the post_create/mkdir/... hooks called by the VFS. The hook function + * is expected to allocate the name and value via kmalloc, with the caller + * being responsible for calling kfree after using them. + * If the security module does not use security attributes or does + * not wish to put a security attribute on this particular inode, + * then it should return -EOPNOTSUPP to skip this processing. + * @inode contains the inode structure of the newly created inode. + * @dir contains the inode structure of the parent directory. + * @name will be set to the allocated name suffix (e.g. selinux). + * @value will be set to the allocated attribute value. + * @len will be set to the length of the value. + * Returns 0 if @name and @value have been successfully set, + * -EOPNOTSUPP if no security attribute is needed, or + * -ENOMEM on memory allocation failure. * @inode_create: * Check permission to create a regular file. * @dir contains inode structure of the parent of the new file. @@ -1080,6 +1099,8 @@ struct security_operations { int (*inode_alloc_security) (struct inode *inode); void (*inode_free_security) (struct inode *inode); + int (*inode_init_security) (struct inode *inode, struct inode *dir, + char **name, void **value, size_t *len); int (*inode_create) (struct inode *dir, struct dentry *dentry, int mode); void (*inode_post_create) (struct inode *dir, @@ -1442,6 +1463,17 @@ static inline void security_inode_free (struct inode *inode) return; security_ops->inode_free_security (inode); } + +static inline int security_inode_init_security (struct inode *inode, + struct inode *dir, + char **name, + void **value, + size_t *len) +{ + if (unlikely (IS_PRIVATE (inode))) + return -EOPNOTSUPP; + return security_ops->inode_init_security (inode, dir, name, value, len); +} static inline int security_inode_create (struct inode *dir, struct dentry *dentry, @@ -2171,6 +2203,15 @@ static inline int security_inode_alloc (struct inode *inode) static inline void security_inode_free (struct inode *inode) { } + +static inline int security_inode_init_security (struct inode *inode, + struct inode *dir, + char **name, + void **value, + size_t *len) +{ + return -EOPNOTSUPP; +} static inline int security_inode_create (struct inode *dir, struct dentry *dentry, -- cgit v1.2.2 From a74574aafea3a63add3251047601611111f44562 Mon Sep 17 00:00:00 2001 From: Stephen Smalley Date: Fri, 9 Sep 2005 13:01:44 -0700 Subject: [PATCH] Remove security_inode_post_create/mkdir/symlink/mknod hooks This patch removes the inode_post_create/mkdir/mknod/symlink LSM hooks as they are obsoleted by the new inode_init_security hook that enables atomic inode security labeling. If anyone sees any reason to retain these hooks, please speak now. Also, is anyone using the post_rename/link hooks; if not, those could also be removed. Signed-off-by: Stephen Smalley Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- include/linux/security.h | 90 ------------------------------------------------ 1 file changed, 90 deletions(-) (limited to 'include/linux/security.h') diff --git a/include/linux/security.h b/include/linux/security.h index d4f3b7a94ea6..875225bf8986 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -275,12 +275,6 @@ struct swap_info_struct; * @dentry contains the dentry structure for the file to be created. * @mode contains the file mode of the file to be created. * Return 0 if permission is granted. - * @inode_post_create: - * Set the security attributes on a newly created regular file. This hook - * is called after a file has been successfully created. - * @dir contains the inode structure of the parent directory of the new file. - * @dentry contains the the dentry structure for the newly created file. - * @mode contains the file mode. * @inode_link: * Check permission before creating a new hard link to a file. * @old_dentry contains the dentry structure for an existing link to the file. @@ -303,13 +297,6 @@ struct swap_info_struct; * @dentry contains the dentry structure of the symbolic link. * @old_name contains the pathname of file. * Return 0 if permission is granted. - * @inode_post_symlink: - * @dir contains the inode structure of the parent directory of the new link. - * @dentry contains the dentry structure of new symbolic link. - * @old_name contains the pathname of file. - * Set security attributes for a newly created symbolic link. Note that - * @dentry->d_inode may be NULL, since the filesystem might not - * instantiate the dentry (e.g. NFS). * @inode_mkdir: * Check permissions to create a new directory in the existing directory * associated with inode strcture @dir. @@ -317,11 +304,6 @@ struct swap_info_struct; * @dentry contains the dentry structure of new directory. * @mode contains the mode of new directory. * Return 0 if permission is granted. - * @inode_post_mkdir: - * Set security attributes on a newly created directory. - * @dir contains the inode structure of parent of the directory to be created. - * @dentry contains the dentry structure of new directory. - * @mode contains the mode of new directory. * @inode_rmdir: * Check the permission to remove a directory. * @dir contains the inode structure of parent of the directory to be removed. @@ -337,13 +319,6 @@ struct swap_info_struct; * @mode contains the mode of the new file. * @dev contains the the device number. * Return 0 if permission is granted. - * @inode_post_mknod: - * Set security attributes on a newly created special file (or socket or - * fifo file created via the mknod system call). - * @dir contains the inode structure of parent of the new node. - * @dentry contains the dentry structure of the new node. - * @mode contains the mode of the new node. - * @dev contains the the device number. * @inode_rename: * Check for permission to rename a file or directory. * @old_dir contains the inode structure for parent of the old link. @@ -1103,8 +1078,6 @@ struct security_operations { char **name, void **value, size_t *len); int (*inode_create) (struct inode *dir, struct dentry *dentry, int mode); - void (*inode_post_create) (struct inode *dir, - struct dentry *dentry, int mode); int (*inode_link) (struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry); void (*inode_post_link) (struct dentry *old_dentry, @@ -1112,17 +1085,10 @@ struct security_operations { int (*inode_unlink) (struct inode *dir, struct dentry *dentry); int (*inode_symlink) (struct inode *dir, struct dentry *dentry, const char *old_name); - void (*inode_post_symlink) (struct inode *dir, - struct dentry *dentry, - const char *old_name); int (*inode_mkdir) (struct inode *dir, struct dentry *dentry, int mode); - void (*inode_post_mkdir) (struct inode *dir, struct dentry *dentry, - int mode); int (*inode_rmdir) (struct inode *dir, struct dentry *dentry); int (*inode_mknod) (struct inode *dir, struct dentry *dentry, int mode, dev_t dev); - void (*inode_post_mknod) (struct inode *dir, struct dentry *dentry, - int mode, dev_t dev); int (*inode_rename) (struct inode *old_dir, struct dentry *old_dentry, struct inode *new_dir, struct dentry *new_dentry); void (*inode_post_rename) (struct inode *old_dir, @@ -1484,15 +1450,6 @@ static inline int security_inode_create (struct inode *dir, return security_ops->inode_create (dir, dentry, mode); } -static inline void security_inode_post_create (struct inode *dir, - struct dentry *dentry, - int mode) -{ - if (dentry->d_inode && unlikely (IS_PRIVATE (dentry->d_inode))) - return; - security_ops->inode_post_create (dir, dentry, mode); -} - static inline int security_inode_link (struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) @@ -1528,15 +1485,6 @@ static inline int security_inode_symlink (struct inode *dir, return security_ops->inode_symlink (dir, dentry, old_name); } -static inline void security_inode_post_symlink (struct inode *dir, - struct dentry *dentry, - const char *old_name) -{ - if (dentry->d_inode && unlikely (IS_PRIVATE (dentry->d_inode))) - return; - security_ops->inode_post_symlink (dir, dentry, old_name); -} - static inline int security_inode_mkdir (struct inode *dir, struct dentry *dentry, int mode) @@ -1546,15 +1494,6 @@ static inline int security_inode_mkdir (struct inode *dir, return security_ops->inode_mkdir (dir, dentry, mode); } -static inline void security_inode_post_mkdir (struct inode *dir, - struct dentry *dentry, - int mode) -{ - if (dentry->d_inode && unlikely (IS_PRIVATE (dentry->d_inode))) - return; - security_ops->inode_post_mkdir (dir, dentry, mode); -} - static inline int security_inode_rmdir (struct inode *dir, struct dentry *dentry) { @@ -1572,15 +1511,6 @@ static inline int security_inode_mknod (struct inode *dir, return security_ops->inode_mknod (dir, dentry, mode, dev); } -static inline void security_inode_post_mknod (struct inode *dir, - struct dentry *dentry, - int mode, dev_t dev) -{ - if (dentry->d_inode && unlikely (IS_PRIVATE (dentry->d_inode))) - return; - security_ops->inode_post_mknod (dir, dentry, mode, dev); -} - static inline int security_inode_rename (struct inode *old_dir, struct dentry *old_dentry, struct inode *new_dir, @@ -2220,11 +2150,6 @@ static inline int security_inode_create (struct inode *dir, return 0; } -static inline void security_inode_post_create (struct inode *dir, - struct dentry *dentry, - int mode) -{ } - static inline int security_inode_link (struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) @@ -2250,11 +2175,6 @@ static inline int security_inode_symlink (struct inode *dir, return 0; } -static inline void security_inode_post_symlink (struct inode *dir, - struct dentry *dentry, - const char *old_name) -{ } - static inline int security_inode_mkdir (struct inode *dir, struct dentry *dentry, int mode) @@ -2262,11 +2182,6 @@ static inline int security_inode_mkdir (struct inode *dir, return 0; } -static inline void security_inode_post_mkdir (struct inode *dir, - struct dentry *dentry, - int mode) -{ } - static inline int security_inode_rmdir (struct inode *dir, struct dentry *dentry) { @@ -2280,11 +2195,6 @@ static inline int security_inode_mknod (struct inode *dir, return 0; } -static inline void security_inode_post_mknod (struct inode *dir, - struct dentry *dentry, - int mode, dev_t dev) -{ } - static inline int security_inode_rename (struct inode *old_dir, struct dentry *old_dentry, struct inode *new_dir, -- cgit v1.2.2 From e31e14ec356f36b131576be5bc31d8fef7e95483 Mon Sep 17 00:00:00 2001 From: Stephen Smalley Date: Fri, 9 Sep 2005 13:01:45 -0700 Subject: [PATCH] remove the inode_post_link and inode_post_rename LSM hooks This patch removes the inode_post_link and inode_post_rename LSM hooks as they are unused (and likely useless). Signed-off-by: Stephen Smalley Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- include/linux/security.h | 49 ------------------------------------------------ 1 file changed, 49 deletions(-) (limited to 'include/linux/security.h') diff --git a/include/linux/security.h b/include/linux/security.h index 875225bf8986..55b02e1c73f4 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -281,11 +281,6 @@ struct swap_info_struct; * @dir contains the inode structure of the parent directory of the new link. * @new_dentry contains the dentry structure for the new link. * Return 0 if permission is granted. - * @inode_post_link: - * Set security attributes for a new hard link to a file. - * @old_dentry contains the dentry structure for the existing link. - * @dir contains the inode structure of the parent directory of the new file. - * @new_dentry contains the dentry structure for the new file link. * @inode_unlink: * Check the permission to remove a hard link to a file. * @dir contains the inode structure of parent directory of the file. @@ -326,12 +321,6 @@ struct swap_info_struct; * @new_dir contains the inode structure for parent of the new link. * @new_dentry contains the dentry structure of the new link. * Return 0 if permission is granted. - * @inode_post_rename: - * Set security attributes on a renamed file or directory. - * @old_dir contains the inode structure for parent of the old link. - * @old_dentry contains the dentry structure of the old link. - * @new_dir contains the inode structure for parent of the new link. - * @new_dentry contains the dentry structure of the new link. * @inode_readlink: * Check the permission to read the symbolic link. * @dentry contains the dentry structure for the file link. @@ -1080,8 +1069,6 @@ struct security_operations { struct dentry *dentry, int mode); int (*inode_link) (struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry); - void (*inode_post_link) (struct dentry *old_dentry, - struct inode *dir, struct dentry *new_dentry); int (*inode_unlink) (struct inode *dir, struct dentry *dentry); int (*inode_symlink) (struct inode *dir, struct dentry *dentry, const char *old_name); @@ -1091,10 +1078,6 @@ struct security_operations { int mode, dev_t dev); int (*inode_rename) (struct inode *old_dir, struct dentry *old_dentry, struct inode *new_dir, struct dentry *new_dentry); - void (*inode_post_rename) (struct inode *old_dir, - struct dentry *old_dentry, - struct inode *new_dir, - struct dentry *new_dentry); int (*inode_readlink) (struct dentry *dentry); int (*inode_follow_link) (struct dentry *dentry, struct nameidata *nd); int (*inode_permission) (struct inode *inode, int mask, struct nameidata *nd); @@ -1459,15 +1442,6 @@ static inline int security_inode_link (struct dentry *old_dentry, return security_ops->inode_link (old_dentry, dir, new_dentry); } -static inline void security_inode_post_link (struct dentry *old_dentry, - struct inode *dir, - struct dentry *new_dentry) -{ - if (new_dentry->d_inode && unlikely (IS_PRIVATE (new_dentry->d_inode))) - return; - security_ops->inode_post_link (old_dentry, dir, new_dentry); -} - static inline int security_inode_unlink (struct inode *dir, struct dentry *dentry) { @@ -1523,18 +1497,6 @@ static inline int security_inode_rename (struct inode *old_dir, new_dir, new_dentry); } -static inline void security_inode_post_rename (struct inode *old_dir, - struct dentry *old_dentry, - struct inode *new_dir, - struct dentry *new_dentry) -{ - if (unlikely (IS_PRIVATE (old_dentry->d_inode) || - (new_dentry->d_inode && IS_PRIVATE (new_dentry->d_inode)))) - return; - security_ops->inode_post_rename (old_dir, old_dentry, - new_dir, new_dentry); -} - static inline int security_inode_readlink (struct dentry *dentry) { if (unlikely (IS_PRIVATE (dentry->d_inode))) @@ -2157,11 +2119,6 @@ static inline int security_inode_link (struct dentry *old_dentry, return 0; } -static inline void security_inode_post_link (struct dentry *old_dentry, - struct inode *dir, - struct dentry *new_dentry) -{ } - static inline int security_inode_unlink (struct inode *dir, struct dentry *dentry) { @@ -2203,12 +2160,6 @@ static inline int security_inode_rename (struct inode *old_dir, return 0; } -static inline void security_inode_post_rename (struct inode *old_dir, - struct dentry *old_dentry, - struct inode *new_dir, - struct dentry *new_dentry) -{ } - static inline int security_inode_readlink (struct dentry *dentry) { return 0; -- cgit v1.2.2