Date: Wed, 21 Jan 2015 10:17:29 +1100 (AEDT) From: James Morris <jmorris@...ei.org> To: Ben Hutchings <ben@...adent.org.uk> cc: Alexander Viro <viro@...iv.linux.org.uk>, linux-fsdevel@...r.kernel.org, linux-security-module@...r.kernel.org, LKML <linux-kernel@...r.kernel.org>, 770492@...s.debian.org, Ben Harris <bjh21@....ac.uk>, oss-security@...ts.openwall.com, John Johansen <john.johansen@...onical.com>, Paul Moore <paul@...l-moore.com>, Stephen Smalley <sds@...ho.nsa.gov>, Casey Schaufler <casey@...aufler-ca.com> Subject: Re: [RFC PATCH RESEND] vfs: Move security_inode_killpriv() after permission checks On Sat, 17 Jan 2015, Ben Hutchings wrote: > chown() and write() should clear all privilege attributes on > a file - setuid, setgid, setcap and any other extended > privilege attributes. > > However, any attributes beyond setuid and setgid are managed by the > LSM and not directly by the filesystem, so they cannot be set along > with the other attributes. > > Currently we call security_inode_killpriv() in notify_change(), > but in case of a chown() this is too early - we have not called > inode_change_ok() or made any filesystem-specific permission/sanity > checks. > > Add a new function setattr_killpriv() which calls > security_inode_killpriv() if necessary, and change the setattr() > implementation to call this in each filesystem that supports xattrs. > This assumes that extended privilege attributes are always stored in > xattrs. It'd be useful to get some input from LSM module maintainers on this. e.g. doesn't SELinux already handle this via policy directives? -- James Morris <jmorris@...ei.org>
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ