Re: [f2fs-dev] [PATCH v15 1/4] Add flags option to get xattr method paired to __vfs_getxattr
On 11/5/19 1:48 AM, Jan Kara wrote: @@ -228,11 +228,11 @@ static int afs_xattr_get_yfs(const struct xattr_handler *handler, break; case 1: data = buf; - dsize = snprintf(buf, sizeof(buf), "%u", yacl->inherit_flag); + dsize = scnprintf(buf, sizeof(buf), "%u", yacl->inherit_flag); break; case 2: data = buf; - dsize = snprintf(buf, sizeof(buf), "%u", yacl->num_cleaned); + dsize = scnprintf(buf, sizeof(buf), "%u", yacl->num_cleaned); break; case 3: These scnprintf() changes (and there are more in the patch) probably shouldn't be here... Otherwise the patch still looks good to me :). Honza Good catch, they were done in locality, I forgot about them, this patch series has been living for almost a year now and time has become its enemy ... will spin this as a separate patch. They strike as a security issue with the possibility of fragile UAF when the code is maintained by future selves. -- Mark ___ Linux-f2fs-devel mailing list Linux-f2fs-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
[f2fs-dev] [PATCH v15 1/4] Add flags option to get xattr method paired to __vfs_getxattr
From: Mark Salyzyn Add a flag option to get xattr method that could have a bit flag of XATTR_NOSECURITY passed to it. XATTR_NOSECURITY is generally then set in the __vfs_getxattr path when called by security infrastructure. This handles the case of a union filesystem driver that is being requested by the security layer to report back the xattr data. For the use case where access is to be blocked by the security layer. The path then could be security(dentry) -> __vfs_getxattr(dentry...XATTR_NOSECURITY) -> handler->get(dentry...XATTR_NOSECURITY) -> __vfs_getxattr(lower_dentry...XATTR_NOSECURITY) -> lower_handler->get(lower_dentry...XATTR_NOSECURITY) which would report back through the chain data and success as expected, the logging security layer at the top would have the data to determine the access permissions and report back the target context that was blocked. Without the get handler flag, the path on a union filesystem would be the errant security(dentry) -> __vfs_getxattr(dentry) -> handler->get(dentry) -> vfs_getxattr(lower_dentry) -> nested -> security(lower_dentry, log off) -> lower_handler->get(lower_dentry) which would report back through the chain no data, and -EACCES. For selinux for both cases, this would translate to a correctly determined blocked access. In the first case with this change a correct avc log would be reported, in the second legacy case an incorrect avc log would be reported against an uninitialized u:object_r:unlabeled:s0 context making the logs cosmetically useless for audit2allow. This patch series is inert and is the wide-spread addition of the flags option for xattr functions, and a replacement of __vfs_getxattr with __vfs_getxattr(...XATTR_NOSECURITY). Signed-off-by: Mark Salyzyn Reviewed-by: Jan Kara Acked-by: Jan Kara Acked-by: Jeff Layton Acked-by: David Sterba Acked-by: Darrick J. Wong Acked-by: Mike Marshall Cc: Stephen Smalley Cc: linux-ker...@vger.kernel.org Cc: kernel-t...@android.com Cc: linux-security-mod...@vger.kernel.org v15 - revert back to v4 as struct xattr_gs_args was not acceptable by the wider audience. Incorporate any relevant fixes on the way. v14 (new series): - Reincorporate back into the bugfix series for overlayfs v8: - Documentation reported 'struct xattr_gs_flags' rather than 'struct xattr_gs_flags *args' as argument to get and set methods. v7: - missed spots in fs/9p/acl.c, fs/afs/xattr.c, fs/ecryptfs/crypto.c, fs/ubifs/xattr.c, fs/xfs/libxfs/xfs_attr.c, security/integrity/evm/evm_main.c and security/smack/smack_lsm.c. v6: - kernfs missed a spot v5: - introduce struct xattr_gs_args for get and set methods, __vfs_getxattr and __vfs_setxattr functions. - cover a missing spot in ext2. - switch from snprintf to scnprintf for correctness. v4: - ifdef __KERNEL__ around XATTR_NOSECURITY to keep it colocated in uapi headers. v3: - poor aim on ubifs not ubifs_xattr_get, but static xattr_get v2: - Missed a spot: ubifs, erofs and afs. v1: - Removed from an overlayfs patch set, and made independent. Expect this to be the basis of some security improvements. --- Documentation/filesystems/locking.rst | 2 +- fs/9p/acl.c | 3 ++- fs/9p/xattr.c | 3 ++- fs/afs/xattr.c| 26 ++- fs/btrfs/xattr.c | 3 ++- fs/ceph/xattr.c | 3 ++- fs/cifs/xattr.c | 2 +- fs/ecryptfs/inode.c | 6 +++-- fs/ecryptfs/mmap.c| 2 +- fs/erofs/xattr.c | 3 ++- fs/ext2/xattr_security.c | 2 +- fs/ext2/xattr_trusted.c | 2 +- fs/ext2/xattr_user.c | 2 +- fs/ext4/xattr_security.c | 2 +- fs/ext4/xattr_trusted.c | 2 +- fs/ext4/xattr_user.c | 2 +- fs/f2fs/xattr.c | 4 +-- fs/fuse/xattr.c | 4 +-- fs/gfs2/xattr.c | 3 ++- fs/hfs/attr.c | 2 +- fs/hfsplus/xattr.c| 3 ++- fs/hfsplus/xattr_security.c | 3 ++- fs/hfsplus/xattr_trusted.c| 3 ++- fs/hfsplus/xattr_user.c | 3 ++- fs/jffs2/security.c | 3 ++- fs/jffs2/xattr_trusted.c | 3 ++- fs/jffs2/xattr_user.c | 3 ++- fs/jfs/xattr.c| 5 ++-- fs/kernfs/inode.c | 3 ++- fs/nfs/nfs4proc.c | 6 +++-- fs/ocfs2/xattr.c | 9 --- fs/orangefs/xattr.c | 3 ++- fs/overlayfs/super.c | 8 +++--- fs/posix_acl.c| 2 +- fs/reiserfs/xattr_security.c | 3 ++- fs/reiserfs/xattr_trusted.c | 3 ++- fs/reiserfs/xattr_user.c | 3 ++- fs/squashfs/xattr.c | 2 +- fs/ubifs/xattr.c | 3 ++- fs/xattr.c
[f2fs-dev] [PATCH v14 1/5] Add flags option to get xattr method paired to __vfs_getxattr
Replace arguments for get and set xattr methods, and __vfs_getxattr and __vfs_setaxtr functions with a reference to the following now common argument structure: struct xattr_gs_args { struct dentry *dentry; struct inode *inode; const char *name; union { void *buffer; const void *value; }; size_t size; int flags; }; Which in effect adds a flags option to the get method and __vfs_getxattr function. Add a flag option to get xattr method that has bit flag of XATTR_NOSECURITY passed to it. XATTR_NOSECURITY is generally then set in the __vfs_getxattr path when called by security infrastructure. This handles the case of a union filesystem driver that is being requested by the security layer to report back the xattr data. For the use case where access is to be blocked by the security layer. The path then could be security(dentry) -> __vfs_getxattr({dentry...XATTR_NOSECURITY}) -> handler->get({dentry...XATTR_NOSECURITY}) -> __vfs_getxattr({lower_dentry...XATTR_NOSECURITY}) -> lower_handler->get({lower_dentry...XATTR_NOSECURITY}) which would report back through the chain data and success as expected, the logging security layer at the top would have the data to determine the access permissions and report back the target context that was blocked. Without the get handler flag, the path on a union filesystem would be the errant security(dentry) -> __vfs_getxattr(dentry) -> handler->get(dentry) -> vfs_getxattr(lower_dentry) -> nested -> security(lower_dentry, log off) -> lower_handler->get(lower_dentry) which would report back through the chain no data, and -EACCES. For selinux for both cases, this would translate to a correctly determined blocked access. In the first case with this change a correct avc log would be reported, in the second legacy case an incorrect avc log would be reported against an uninitialized u:object_r:unlabeled:s0 context making the logs cosmetically useless for audit2allow. This patch series is inert and is the wide-spread addition of the flags option for xattr functions, and a replacement of __vfs_getxattr with __vfs_getxattr({...XATTR_NOSECURITY}). Signed-off-by: Mark Salyzyn Reviewed-by: Jan Kara Acked-by: Jan Kara Acked-by: Jeff Layton Acked-by: David Sterba Acked-by: Darrick J. Wong Acked-by: Mike Marshall Cc: Stephen Smalley Cc: linux-ker...@vger.kernel.org Cc: kernel-t...@android.com Cc: linux-security-mod...@vger.kernel.org --- v14 (new series): - Reincorporate back into the bugfix series for overlayfs v8: - Documentation reported 'struct xattr_gs_flags' rather than 'struct xattr_gs_flags *args' as argument to get and set methods. v7: - missed spots in fs/9p/acl.c, fs/afs/xattr.c, fs/ecryptfs/crypto.c, fs/ubifs/xattr.c, fs/xfs/libxfs/xfs_attr.c, security/integrity/evm/evm_main.c and security/smack/smack_lsm.c. v6: - kernfs missed a spot v5: - introduce struct xattr_gs_args for get and set methods, __vfs_getxattr and __vfs_setxattr functions. - cover a missing spot in ext2. - switch from snprintf to scnprintf for correctness. v4: - ifdef __KERNEL__ around XATTR_NOSECURITY to keep it colocated in uapi headers. v3: - poor aim on ubifs not ubifs_xattr_get, but static xattr_get v2: - Missed a spot: ubifs, erofs and afs. v1: - Removed from an overlayfs patch set, and made independent. Expect this to be the basis of some security improvements. --- Documentation/filesystems/locking.rst | 10 +-- fs/9p/acl.c | 51 ++-- fs/9p/xattr.c | 19 ++--- fs/afs/xattr.c| 112 -- fs/btrfs/xattr.c | 36 - fs/ceph/xattr.c | 17 ++-- fs/cifs/xattr.c | 72 + fs/ecryptfs/crypto.c | 20 +++-- fs/ecryptfs/inode.c | 36 + fs/ecryptfs/mmap.c| 39 - fs/erofs/xattr.c | 8 +- fs/ext2/xattr_security.c | 16 ++-- fs/ext2/xattr_trusted.c | 15 ++-- fs/ext2/xattr_user.c | 19 ++--- fs/ext4/xattr_security.c | 15 ++-- fs/ext4/xattr_trusted.c | 15 ++-- fs/ext4/xattr_user.c | 19 ++--- fs/f2fs/xattr.c | 42 +- fs/fuse/xattr.c | 23 +++--- fs/gfs2/xattr.c | 18 ++--- fs/hfs/attr.c | 15 ++-- fs/hfsplus/xattr.c| 17 ++-- fs/hfsplus/xattr_security.c | 13 ++- fs/hfsplus/xattr_trusted.c| 13 ++- fs/hfsplus/xattr_user.c | 13 ++- fs/jffs2/security.c | 16 ++-- fs/jffs2/xattr_trusted.c | 16 ++-- fs/jffs2/xattr_user.c | 16 ++-- fs/jfs/xattr.c| 33 fs/kernfs/inode.c
Re: [f2fs-dev] [PATCH v8] Add flags option to get xattr method paired to __vfs_getxattr
On 8/28/19 7:24 AM, Christoph Hellwig wrote: On Tue, Aug 27, 2019 at 08:05:15AM -0700, Mark Salyzyn wrote: Replace arguments for get and set xattr methods, and __vfs_getxattr and __vfs_setaxtr functions with a reference to the following now common argument structure: Yikes. That looks like a mess. Why can't we pass a kernel-only flag in the existing flags field for ₋>set and add a flags field to ->get? Passing methods by structure always tends to be a mess. This was a response to GregKH@ criticism, an earlier patch set just added a flag as you stated to get method, until complaints of an excessively long argument list and fragility to add or change more arguments. So many ways have been tried to skin this cat ... the risk was taken to please some, and we now have hundreds of stakeholders, when the first patch set was less than a dozen. A recipe for failure? -- Mark ___ Linux-f2fs-devel mailing list Linux-f2fs-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
[f2fs-dev] [PATCH v8] Add flags option to get xattr method paired to __vfs_getxattr
Replace arguments for get and set xattr methods, and __vfs_getxattr and __vfs_setaxtr functions with a reference to the following now common argument structure: struct xattr_gs_args { struct dentry *dentry; struct inode *inode; const char *name; union { void *buffer; const void *value; }; size_t size; int flags; }; Which in effect adds a flags option to the get method and __vfs_getxattr function. Add a flag option to get xattr method that has bit flag of XATTR_NOSECURITY passed to it. XATTR_NOSECURITY is generally then set in the __vfs_getxattr path when called by security infrastructure. This handles the case of a union filesystem driver that is being requested by the security layer to report back the xattr data. For the use case where access is to be blocked by the security layer. The path then could be security(dentry) -> __vfs_getxattr({dentry...XATTR_NOSECURITY}) -> handler->get({dentry...XATTR_NOSECURITY}) -> __vfs_getxattr({lower_dentry...XATTR_NOSECURITY}) -> lower_handler->get({lower_dentry...XATTR_NOSECURITY}) which would report back through the chain data and success as expected, the logging security layer at the top would have the data to determine the access permissions and report back the target context that was blocked. Without the get handler flag, the path on a union filesystem would be the errant security(dentry) -> __vfs_getxattr(dentry) -> handler->get(dentry) -> vfs_getxattr(lower_dentry) -> nested -> security(lower_dentry, log off) -> lower_handler->get(lower_dentry) which would report back through the chain no data, and -EACCES. For selinux for both cases, this would translate to a correctly determined blocked access. In the first case with this change a correct avc log would be reported, in the second legacy case an incorrect avc log would be reported against an uninitialized u:object_r:unlabeled:s0 context making the logs cosmetically useless for audit2allow. This patch series is inert and is the wide-spread addition of the flags option for xattr functions, and a replacement of __vfs_getxattr with __vfs_getxattr({...XATTR_NOSECURITY}). Signed-off-by: Mark Salyzyn Reviewed-by: Jan Kara Cc: Stephen Smalley Cc: linux-ker...@vger.kernel.org Cc: kernel-t...@android.com Cc: linux-security-mod...@vger.kernel.org Cc: sta...@vger.kernel.org # 4.4, 4.9, 4.14 & 4.19 --- v8: - Documentation reported 'struct xattr_gs_flags' rather than 'struct xattr_gs_flags *args' as argument to get and set methods. v7: - missed spots in fs/9p/acl.c, fs/afs/xattr.c, fs/ecryptfs/crypto.c, fs/ubifs/xattr.c, fs/xfs/libxfs/xfs_attr.c, security/integrity/evm/evm_main.c and security/smack/smack_lsm.c. v6: - kernfs missed a spot v5: - introduce struct xattr_gs_args for get and set methods, __vfs_getxattr and __vfs_setxattr functions. - cover a missing spot in ext2. - switch from snprintf to scnprintf for correctness. v4: - ifdef __KERNEL__ around XATTR_NOSECURITY to keep it colocated in uapi headers. v3: - poor aim on ubifs not ubifs_xattr_get, but static xattr_get v2: - Missed a spot: ubifs, erofs and afs. v1: - Removed from an overlayfs patch set, and made independent. Expect this to be the basis of some security improvements. --- Documentation/filesystems/Locking | 10 ++- drivers/staging/erofs/xattr.c | 8 +-- fs/9p/acl.c | 51 +++--- fs/9p/xattr.c | 19 +++-- fs/afs/xattr.c| 112 +- fs/btrfs/xattr.c | 36 +- fs/ceph/xattr.c | 40 +-- fs/cifs/xattr.c | 72 +-- fs/ecryptfs/crypto.c | 20 +++--- fs/ecryptfs/inode.c | 36 ++ fs/ecryptfs/mmap.c| 39 ++- fs/ext2/xattr_security.c | 16 ++--- fs/ext2/xattr_trusted.c | 15 ++-- fs/ext2/xattr_user.c | 19 +++-- fs/ext4/xattr_security.c | 15 ++-- fs/ext4/xattr_trusted.c | 15 ++-- fs/ext4/xattr_user.c | 19 +++-- fs/f2fs/xattr.c | 42 +-- fs/fuse/xattr.c | 23 +++--- fs/gfs2/xattr.c | 18 ++--- fs/hfs/attr.c | 15 ++-- fs/hfsplus/xattr.c| 17 +++-- fs/hfsplus/xattr_security.c | 13 ++-- fs/hfsplus/xattr_trusted.c| 13 ++-- fs/hfsplus/xattr_user.c | 13 ++-- fs/jffs2/security.c | 16 ++--- fs/jffs2/xattr_trusted.c | 16 ++--- fs/jffs2/xattr_user.c | 16 ++--- fs/jfs/xattr.c| 33 - fs/kernfs/inode.c | 23 +++--- fs/nfs/nfs4proc.c | 28 fs/ocfs2/xattr.c | 52 ++ fs/orangefs/xattr.c | 19 ++--- fs/overlayfs/inode.c | 43 ++--
Re: [f2fs-dev] [PATCH v7] Add flags option to get xattr method paired to __vfs_getxattr
On 8/27/19 7:19 AM, Jan Kara wrote: On Tue 20-08-19 11:06:48, Mark Salyzyn wrote: diff --git a/Documentation/filesystems/Locking b/Documentation/filesystems/Locking index 204dd3ea36bb..e2687f21c7d6 100644 --- a/Documentation/filesystems/Locking +++ b/Documentation/filesystems/Locking @@ -101,12 +101,10 @@ of the locking scheme for directory operations. --- xattr_handler operations --- prototypes: bool (*list)(struct dentry *dentry); - int (*get)(const struct xattr_handler *handler, struct dentry *dentry, - struct inode *inode, const char *name, void *buffer, - size_t size); - int (*set)(const struct xattr_handler *handler, struct dentry *dentry, - struct inode *inode, const char *name, const void *buffer, - size_t size, int flags); + int (*get)(const struct xattr_handler *handler, + struct xattr_gs_flags); + int (*set)(const struct xattr_handler *handler, + struct xattr_gs_flags); The prototype here is really "struct xattr_gs_flags *args", isn't it? Otherwise feel free to add: Reviewed-by: Jan Kara for the ext2, ext4, ocfs2, reiserfs, and the generic fs/* bits. Honza Thanks and good catch, will respin with a fix to the documentation shortly. -- Mark ___ Linux-f2fs-devel mailing list Linux-f2fs-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
[f2fs-dev] [PATCH v7] Add flags option to get xattr method paired to __vfs_getxattr
Replace arguments for get and set xattr methods, and __vfs_getxattr and __vfs_setaxtr functions with a reference to the following now common argument structure: struct xattr_gs_args { struct dentry *dentry; struct inode *inode; const char *name; union { void *buffer; const void *value; }; size_t size; int flags; }; Which in effect adds a flags option to the get method and __vfs_getxattr function. Add a flag option to get xattr method that has bit flag of XATTR_NOSECURITY passed to it. XATTR_NOSECURITY is generally then set in the __vfs_getxattr path when called by security infrastructure. This handles the case of a union filesystem driver that is being requested by the security layer to report back the xattr data. For the use case where access is to be blocked by the security layer. The path then could be security(dentry) -> __vfs_getxattr({dentry...XATTR_NOSECURITY}) -> handler->get({dentry...XATTR_NOSECURITY}) -> __vfs_getxattr({lower_dentry...XATTR_NOSECURITY}) -> lower_handler->get({lower_dentry...XATTR_NOSECURITY}) which would report back through the chain data and success as expected, the logging security layer at the top would have the data to determine the access permissions and report back the target context that was blocked. Without the get handler flag, the path on a union filesystem would be the errant security(dentry) -> __vfs_getxattr(dentry) -> handler->get(dentry) -> vfs_getxattr(lower_dentry) -> nested -> security(lower_dentry, log off) -> lower_handler->get(lower_dentry) which would report back through the chain no data, and -EACCES. For selinux for both cases, this would translate to a correctly determined blocked access. In the first case with this change a correct avc log would be reported, in the second legacy case an incorrect avc log would be reported against an uninitialized u:object_r:unlabeled:s0 context making the logs cosmetically useless for audit2allow. This patch series is inert and is the wide-spread addition of the flags option for xattr functions, and a replacement of __vfs_getxattr with __vfs_getxattr({...XATTR_NOSECURITY}). Signed-off-by: Mark Salyzyn Cc: Stephen Smalley Cc: linux-ker...@vger.kernel.org Cc: kernel-t...@android.com Cc: linux-security-mod...@vger.kernel.org Cc: sta...@vger.kernel.org # 4.4, 4.9, 4.14 & 4.19 --- v7: - missed spots in fs/9p/acl.c, fs/afs/xattr.c, fs/ecryptfs/crypto.c, fs/ubifs/xattr.c, fs/xfs/libxfs/xfs_attr.c, security/integrity/evm/evm_main.c and security/smack/smack_lsm.c. v6: - kernfs missed a spot v5: - introduce struct xattr_gs_args for get and set methods, __vfs_getxattr and __vfs_setxattr functions. - cover a missing spot in ext2. - switch from snprintf to scnprintf for correctness. v4: - ifdef __KERNEL__ around XATTR_NOSECURITY to keep it colocated in uapi headers. v3: - poor aim on ubifs not ubifs_xattr_get, but static xattr_get v2: - Missed a spot: ubifs, erofs and afs. v1: - Removed from an overlayfs patch set, and made independent. Expect this to be the basis of some security improvements. a a --- Documentation/filesystems/Locking | 10 ++- drivers/staging/erofs/xattr.c | 8 +-- fs/9p/acl.c | 51 +++--- fs/9p/xattr.c | 19 +++-- fs/afs/xattr.c| 112 +- fs/btrfs/xattr.c | 36 +- fs/ceph/xattr.c | 40 +-- fs/cifs/xattr.c | 72 +-- fs/ecryptfs/crypto.c | 20 +++--- fs/ecryptfs/inode.c | 36 ++ fs/ecryptfs/mmap.c| 39 ++- fs/ext2/xattr_security.c | 16 ++--- fs/ext2/xattr_trusted.c | 15 ++-- fs/ext2/xattr_user.c | 19 +++-- fs/ext4/xattr_security.c | 15 ++-- fs/ext4/xattr_trusted.c | 15 ++-- fs/ext4/xattr_user.c | 19 +++-- fs/f2fs/xattr.c | 42 +-- fs/fuse/xattr.c | 23 +++--- fs/gfs2/xattr.c | 18 ++--- fs/hfs/attr.c | 15 ++-- fs/hfsplus/xattr.c| 17 +++-- fs/hfsplus/xattr_security.c | 13 ++-- fs/hfsplus/xattr_trusted.c| 13 ++-- fs/hfsplus/xattr_user.c | 13 ++-- fs/jffs2/security.c | 16 ++--- fs/jffs2/xattr_trusted.c | 16 ++--- fs/jffs2/xattr_user.c | 16 ++--- fs/jfs/xattr.c| 33 - fs/kernfs/inode.c | 23 +++--- fs/nfs/nfs4proc.c | 28 fs/ocfs2/xattr.c | 52 ++ fs/orangefs/xattr.c | 19 ++--- fs/overlayfs/inode.c | 43 ++-- fs/overlayfs/overlayfs.h | 6 +- fs/overlayfs/super.c | 53 ++ fs/posix_acl.c| 23 +++---
[f2fs-dev] [PATCH v6] Add flags option to get xattr method paired to __vfs_getxattr
Replace arguments for get and set xattr methods, and __vfs_getxattr and __vfs_setaxtr functions with a reference to the following now common argument structure: struct xattr_gs_args { struct dentry *dentry; struct inode *inode; const char *name; union { void *buffer; const void *value; }; size_t size; int flags; }; Which in effect adds a flags option to the get method and __vfs_getxattr function. Add a flag option to get xattr method that has bit flag of XATTR_NOSECURITY passed to it. XATTR_NOSECURITY is generally then set in the __vfs_getxattr path when called by security infrastructure. This handles the case of a union filesystem driver that is being requested by the security layer to report back the xattr data. For the use case where access is to be blocked by the security layer. The path then could be security(dentry) -> __vfs_getxattr({dentry...XATTR_NOSECURITY}) -> handler->get({dentry...XATTR_NOSECURITY}) -> __vfs_getxattr({lower_dentry...XATTR_NOSECURITY}) -> lower_handler->get({lower_dentry...XATTR_NOSECURITY}) which would report back through the chain data and success as expected, the logging security layer at the top would have the data to determine the access permissions and report back the target context that was blocked. Without the get handler flag, the path on a union filesystem would be the errant security(dentry) -> __vfs_getxattr(dentry) -> handler->get(dentry) -> vfs_getxattr(lower_dentry) -> nested -> security(lower_dentry, log off) -> lower_handler->get(lower_dentry) which would report back through the chain no data, and -EACCES. For selinux for both cases, this would translate to a correctly determined blocked access. In the first case with this change a correct avc log would be reported, in the second legacy case an incorrect avc log would be reported against an uninitialized u:object_r:unlabeled:s0 context making the logs cosmetically useless for audit2allow. This patch series is inert and is the wide-spread addition of the flags option for xattr functions, and a replacement of __vfs_getxattr with __vfs_getxattr({...XATTR_NOSECURITY}). Signed-off-by: Mark Salyzyn Cc: Stephen Smalley Cc: linux-ker...@vger.kernel.org Cc: kernel-t...@android.com Cc: linux-security-mod...@vger.kernel.org Cc: sta...@vger.kernel.org # 4.4, 4.9, 4.14 & 4.19 --- v6: - kernfs missed a spot v5: - introduce struct xattr_gs_args for get and set methods, __vfs_getxattr and __vfs_setxattr functions. - cover a missing spot in ext2. - switch from snprintf to scnprintf for correctness. v4: - ifdef __KERNEL__ around XATTR_NOSECURITY to keep it colocated in uapi headers. v3: - poor aim on ubifs not ubifs_xattr_get, but static xattr_get v2: - Missed a spot: ubifs, erofs and afs. v1: - Removed from an overlayfs patch set, and made independent. Expect this to be the basis of some security improvements. a --- Documentation/filesystems/Locking | 10 ++- drivers/staging/erofs/xattr.c | 8 +-- fs/9p/acl.c | 37 +- fs/9p/xattr.c | 19 +++-- fs/afs/xattr.c| 110 + fs/btrfs/xattr.c | 36 +- fs/ceph/xattr.c | 40 +-- fs/cifs/xattr.c | 72 +-- fs/ecryptfs/crypto.c | 20 +++--- fs/ecryptfs/inode.c | 36 ++ fs/ecryptfs/mmap.c| 39 ++- fs/ext2/xattr_security.c | 16 ++--- fs/ext2/xattr_trusted.c | 15 ++-- fs/ext2/xattr_user.c | 19 +++-- fs/ext4/xattr_security.c | 15 ++-- fs/ext4/xattr_trusted.c | 15 ++-- fs/ext4/xattr_user.c | 19 +++-- fs/f2fs/xattr.c | 42 +-- fs/fuse/xattr.c | 23 +++--- fs/gfs2/xattr.c | 18 ++--- fs/hfs/attr.c | 15 ++-- fs/hfsplus/xattr.c| 17 +++-- fs/hfsplus/xattr_security.c | 13 ++-- fs/hfsplus/xattr_trusted.c| 13 ++-- fs/hfsplus/xattr_user.c | 13 ++-- fs/jffs2/security.c | 16 ++--- fs/jffs2/xattr_trusted.c | 16 ++--- fs/jffs2/xattr_user.c | 16 ++--- fs/jfs/xattr.c| 33 - fs/kernfs/inode.c | 23 +++--- fs/nfs/nfs4proc.c | 28 fs/ocfs2/xattr.c | 52 ++ fs/orangefs/xattr.c | 19 ++--- fs/overlayfs/inode.c | 43 ++-- fs/overlayfs/overlayfs.h | 6 +- fs/overlayfs/super.c | 53 ++ fs/posix_acl.c| 23 +++--- fs/reiserfs/xattr.c | 2 +- fs/reiserfs/xattr_security.c | 22 +++--- fs/reiserfs/xattr_trusted.c | 22 +++--- fs/reiserfs/xattr_user.c | 22 +++---
[f2fs-dev] [PATCH v5] Add flags option to get xattr method paired to __vfs_getxattr
Replace arguments for get and set xattr methods, and __vfs_getxattr and __vfs_setaxtr functions with a reference to the following argument structure: struct xattr_gs_args { struct dentry *dentry; struct inode *inode; const char *name; union { void *buffer; const void *value; }; size_t size; int flags; }; Which in effect adds a flags option to the get method and __vfs_getxattr function. Add a flag option to get xattr method that has bit flag of XATTR_NOSECURITY passed to it. XATTR_NOSECURITY is generally then set in the __vfs_getxattr path when called by security infrastructure. This handles the case of a union filesystem driver that is being requested by the security layer to report back the xattr data. For the use case where access is to be blocked by the security layer. The path then could be security(dentry) -> __vfs_getxattr({dentry...XATTR_NOSECURITY}) -> handler->get({dentry...XATTR_NOSECURITY}) -> __vfs_getxattr({lower_dentry...XATTR_NOSECURITY}) -> lower_handler->get({lower_dentry...XATTR_NOSECURITY}) which would report back through the chain data and success as expected, the logging security layer at the top would have the data to determine the access permissions and report back the target context that was blocked. Without the get handler flag, the path on a union filesystem would be the errant security(dentry) -> __vfs_getxattr(dentry) -> handler->get(dentry) -> vfs_getxattr(lower_dentry) -> nested -> security(lower_dentry, log off) -> lower_handler->get(lower_dentry) which would report back through the chain no data, and -EACCES. For selinux for both cases, this would translate to a correctly determined blocked access. In the first case with this change a correct avc log would be reported, in the second legacy case an incorrect avc log would be reported against an uninitialized u:object_r:unlabeled:s0 context making the logs cosmetically useless for audit2allow. This patch series is inert and is the wide-spread addition of the flags option for xattr functions, and a replacement of __vfs_getxattr with __vfs_getxattr({...XATTR_NOSECURITY}). Signed-off-by: Mark Salyzyn Cc: Stephen Smalley Cc: linux-ker...@vger.kernel.org Cc: kernel-t...@android.com Cc: linux-security-mod...@vger.kernel.org Cc: sta...@vger.kernel.org # 4.4, 4.9, 4.14 & 4.19 --- v5: - introduce struct xattr_gs_args for get and set methods, __vfs_getxattr and __vfs_setxattr functions. - cover a missing spot in ext2. - switch from snprintf to scnprintf for correctness. v4: - ifdef __KERNEL__ around XATTR_NOSECURITY to keep it colocated in uapi headers. v3: - poor aim on ubifs not ubifs_xattr_get, but static xattr_get v2: - Missed a spot: ubifs, erofs and afs. v1: - Removed from an overlayfs patch set, and made independent. Expect this to be the basis of some security improvements. --- Documentation/filesystems/Locking | 10 ++- drivers/staging/erofs/xattr.c | 8 +-- fs/9p/acl.c | 37 +- fs/9p/xattr.c | 19 +++-- fs/afs/xattr.c| 110 + fs/btrfs/xattr.c | 36 +- fs/ceph/xattr.c | 40 +-- fs/cifs/xattr.c | 72 +-- fs/ecryptfs/crypto.c | 20 +++--- fs/ecryptfs/inode.c | 36 ++ fs/ecryptfs/mmap.c| 39 ++- fs/ext2/xattr_security.c | 16 ++--- fs/ext2/xattr_trusted.c | 15 ++-- fs/ext2/xattr_user.c | 19 +++-- fs/ext4/xattr_security.c | 15 ++-- fs/ext4/xattr_trusted.c | 15 ++-- fs/ext4/xattr_user.c | 19 +++-- fs/f2fs/xattr.c | 42 +-- fs/fuse/xattr.c | 23 +++--- fs/gfs2/xattr.c | 18 ++--- fs/hfs/attr.c | 15 ++-- fs/hfsplus/xattr.c| 17 +++-- fs/hfsplus/xattr_security.c | 13 ++-- fs/hfsplus/xattr_trusted.c| 13 ++-- fs/hfsplus/xattr_user.c | 13 ++-- fs/jffs2/security.c | 16 ++--- fs/jffs2/xattr_trusted.c | 16 ++--- fs/jffs2/xattr_user.c | 16 ++--- fs/jfs/xattr.c| 33 - fs/kernfs/inode.c | 21 +++--- fs/nfs/nfs4proc.c | 28 fs/ocfs2/xattr.c | 52 ++ fs/orangefs/xattr.c | 19 ++--- fs/overlayfs/inode.c | 43 ++-- fs/overlayfs/overlayfs.h | 6 +- fs/overlayfs/super.c | 53 ++ fs/posix_acl.c| 23 +++--- fs/reiserfs/xattr.c | 2 +- fs/reiserfs/xattr_security.c | 22 +++--- fs/reiserfs/xattr_trusted.c | 22 +++--- fs/reiserfs/xattr_user.c | 22 +++--- fs/squashfs/xattr.c | 10 +--
Re: [f2fs-dev] [PATCH] Add flags option to get xattr method paired to __vfs_getxattr
On 8/15/19 3:27 PM, James Morris wrote: On Thu, 15 Aug 2019, Mark Salyzyn wrote: Good Idea, but using the same argument structure for set and get I would be concerned about the loss of compiler protection for the buffer argument; Agreed, I missed that. Sadly, the pattern of struct getxattr_args args; memset(, 0, sizeof(args)); args. = ... __vfs_getxattr(}; ... __vfs_setxattr(); would be nice, so maybe we need to cool our jets and instead: struct xattr_gs_args { struct dentry *dentry; struct inode *inode; const char *name; union { void *buffer; const void *value; }; size_t size; int flags; }; value _must_ be referenced for all setxattr operations, buffer for getxattr operations (how can we enforce that?). struct getxattr_args { struct dentry *dentry; struct inode *inode; const char *name; void *buffer; size_t size; int flags; Does 'get' need flags? :-) That was the _whole_ point of the patch, flags is how we pass in the recursion so that a security/internal getxattr call has the rights to acquire the data in the lower layer(s). -- Mark ___ Linux-f2fs-devel mailing list Linux-f2fs-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
[f2fs-dev] [PATCH v4] Add flags option to get xattr method paired to __vfs_getxattr
Add a flag option to get xattr method that could have a bit flag of XATTR_NOSECURITY passed to it. XATTR_NOSECURITY is generally then set in the __vfs_getxattr path. This handles the case of a union filesystem driver that is being requested by the security layer to report back the xattr data. For the use case where access is to be blocked by the security layer. The path then could be security(dentry) -> __vfs_getxattr(dentry...XATTR_NOSECUIRTY) -> handler->get(dentry...XATTR_NOSECURITY) -> __vfs_getxattr(lower_dentry...XATTR_NOSECUIRTY) -> lower_handler->get(lower_dentry...XATTR_NOSECUIRTY) which would report back through the chain data and success as expected, the logging security layer at the top would have the data to determine the access permissions and report back the target context that was blocked. Without the get handler flag, the path on a union filesystem would be the errant security(dentry) -> __vfs_getxattr(dentry) -> handler->get(dentry) -> vfs_getxattr(lower_dentry) -> nested -> security(lower_dentry, log off) -> lower_handler->get(lower_dentry) which would report back through the chain no data, and -EACCES. For selinux for both cases, this would translate to a correctly determined blocked access. In the first case with this change a correct avc log would be reported, in the second legacy case an incorrect avc log would be reported against an uninitialized u:object_r:unlabeled:s0 context making the logs cosmetically useless for audit2allow. This patch series is inert and is the wide-spread addition of the flags option for xattr functions, and a replacement of _vfs_getxattr with __vfs_getxattr(...XATTR_NOSECURITY). Signed-off-by: Mark Salyzyn Cc: Stephen Smalley Cc: linux-ker...@vger.kernel.org Cc: kernel-t...@android.com Cc: linux-security-mod...@vger.kernel.org Cc: Jan Kara Cc: sta...@vger.kernel.org # 4.4, 4.9, 4.14 & 4.19 --- v4: - ifdef __KERNEL__ around XATTR_NOSECURITY to keep it colocated in uapi headers. v3: - poor aim on ubifs not ubifs_xattr_get, but static xattr_get v2: - Missed a spot: ubifs, erofs and afs. v1: - Removed from an overlayfs patch set, and made independent. Expect this to be the basis of some security improvements. --- drivers/staging/erofs/xattr.c | 3 ++- fs/9p/acl.c | 3 ++- fs/9p/xattr.c | 3 ++- fs/afs/xattr.c| 8 +++ fs/btrfs/xattr.c | 3 ++- fs/ceph/xattr.c | 3 ++- fs/cifs/xattr.c | 2 +- fs/ecryptfs/inode.c | 6 -- fs/ecryptfs/mmap.c| 2 +- fs/ext2/xattr_trusted.c | 2 +- fs/ext2/xattr_user.c | 2 +- fs/ext4/xattr_security.c | 2 +- fs/ext4/xattr_trusted.c | 2 +- fs/ext4/xattr_user.c | 2 +- fs/f2fs/xattr.c | 4 ++-- fs/fuse/xattr.c | 4 ++-- fs/gfs2/xattr.c | 3 ++- fs/hfs/attr.c | 2 +- fs/hfsplus/xattr.c| 3 ++- fs/hfsplus/xattr_trusted.c| 3 ++- fs/hfsplus/xattr_user.c | 3 ++- fs/jffs2/security.c | 3 ++- fs/jffs2/xattr_trusted.c | 3 ++- fs/jffs2/xattr_user.c | 3 ++- fs/jfs/xattr.c| 5 +++-- fs/kernfs/inode.c | 3 ++- fs/nfs/nfs4proc.c | 6 -- fs/ocfs2/xattr.c | 9 +--- fs/orangefs/xattr.c | 3 ++- fs/overlayfs/super.c | 8 --- fs/posix_acl.c| 2 +- fs/reiserfs/xattr_security.c | 3 ++- fs/reiserfs/xattr_trusted.c | 3 ++- fs/reiserfs/xattr_user.c | 3 ++- fs/squashfs/xattr.c | 2 +- fs/ubifs/xattr.c | 3 ++- fs/xattr.c| 36 +++ fs/xfs/xfs_xattr.c| 3 ++- include/linux/xattr.h | 9 include/uapi/linux/xattr.h| 7 -- mm/shmem.c| 3 ++- net/socket.c | 3 ++- security/commoncap.c | 6 -- security/integrity/evm/evm_main.c | 3 ++- security/selinux/hooks.c | 11 ++ security/smack/smack_lsm.c| 5 +++-- 46 files changed, 126 insertions(+), 84 deletions(-) diff --git a/drivers/staging/erofs/xattr.c b/drivers/staging/erofs/xattr.c index df40654b9fbb..69440065432c 100644 --- a/drivers/staging/erofs/xattr.c +++ b/drivers/staging/erofs/xattr.c @@ -463,7 +463,8 @@ int erofs_getxattr(struct inode *inode, int index, static int erofs_xattr_generic_get(const struct xattr_handler *handler, struct dentry *unused, struct inode *inode, - const char *name, void *buffer, size_t size) + const char *name, void *buffer, size_t size, + int flags) { struct
[f2fs-dev] [PATCH v3] Add flags option to get xattr method paired to __vfs_getxattr
Add a flag option to get xattr method that could have a bit flag of XATTR_NOSECURITY passed to it. XATTR_NOSECURITY is generally then set in the __vfs_getxattr path. This handles the case of a union filesystem driver that is being requested by the security layer to report back the xattr data. For the use case where access is to be blocked by the security layer. The path then could be security(dentry) -> __vfs_getxattr(dentry...XATTR_NOSECUIRTY) -> handler->get(dentry...XATTR_NOSECURITY) -> __vfs_getxattr(lower_dentry...XATTR_NOSECUIRTY) -> lower_handler->get(lower_dentry...XATTR_NOSECUIRTY) which would report back through the chain data and success as expected, the logging security layer at the top would have the data to determine the access permissions and report back the target context that was blocked. Without the get handler flag, the path on a union filesystem would be the errant security(dentry) -> __vfs_getxattr(dentry) -> handler->get(dentry) -> vfs_getxattr(lower_dentry) -> nested -> security(lower_dentry, log off) -> lower_handler->get(lower_dentry) which would report back through the chain no data, and -EACCES. For selinux for both cases, this would translate to a correctly determined blocked access. In the first case with this change a correct avc log would be reported, in the second legacy case an incorrect avc log would be reported against an uninitialized u:object_r:unlabeled:s0 context making the logs cosmetically useless for audit2allow. This patch series is inert and is the wide-spread addition of the flags option for xattr functions, and a replacement of _vfs_getxattr with __vfs_getxattr(...XATTR_NOSECURITY). Signed-off-by: Mark Salyzyn Cc: Stephen Smalley Cc: linux-ker...@vger.kernel.org Cc: kernel-t...@android.com Cc: linux-security-mod...@vger.kernel.org Cc: sta...@vger.kernel.org # 4.4, 4.9, 4.14 & 4.19 --- v3: poor aim on ubifs not ubifs_xattr_get, but static xattr_get v2: Missed a spot: ubifs, erofs and afs. v1: Removed from an overlayfs patch set, and made independent. Expect this to be the basis of some security improvements. --- drivers/staging/erofs/xattr.c | 3 ++- fs/9p/acl.c | 3 ++- fs/9p/xattr.c | 3 ++- fs/afs/xattr.c| 8 +++ fs/btrfs/xattr.c | 3 ++- fs/ceph/xattr.c | 3 ++- fs/cifs/xattr.c | 2 +- fs/ecryptfs/inode.c | 6 -- fs/ecryptfs/mmap.c| 2 +- fs/ext2/xattr_trusted.c | 2 +- fs/ext2/xattr_user.c | 2 +- fs/ext4/xattr_security.c | 2 +- fs/ext4/xattr_trusted.c | 2 +- fs/ext4/xattr_user.c | 2 +- fs/f2fs/xattr.c | 4 ++-- fs/fuse/xattr.c | 4 ++-- fs/gfs2/xattr.c | 3 ++- fs/hfs/attr.c | 2 +- fs/hfsplus/xattr.c| 3 ++- fs/hfsplus/xattr_trusted.c| 3 ++- fs/hfsplus/xattr_user.c | 3 ++- fs/jffs2/security.c | 3 ++- fs/jffs2/xattr_trusted.c | 3 ++- fs/jffs2/xattr_user.c | 3 ++- fs/jfs/xattr.c| 5 +++-- fs/kernfs/inode.c | 3 ++- fs/nfs/nfs4proc.c | 6 -- fs/ocfs2/xattr.c | 9 +--- fs/orangefs/xattr.c | 3 ++- fs/overlayfs/super.c | 8 --- fs/posix_acl.c| 2 +- fs/reiserfs/xattr_security.c | 3 ++- fs/reiserfs/xattr_trusted.c | 3 ++- fs/reiserfs/xattr_user.c | 3 ++- fs/squashfs/xattr.c | 2 +- fs/ubifs/xattr.c | 3 ++- fs/xattr.c| 36 +++ fs/xfs/xfs_xattr.c| 3 ++- include/linux/xattr.h | 9 include/uapi/linux/xattr.h| 5 +++-- mm/shmem.c| 3 ++- net/socket.c | 3 ++- security/commoncap.c | 6 -- security/integrity/evm/evm_main.c | 3 ++- security/selinux/hooks.c | 11 ++ security/smack/smack_lsm.c| 5 +++-- 46 files changed, 124 insertions(+), 84 deletions(-) diff --git a/drivers/staging/erofs/xattr.c b/drivers/staging/erofs/xattr.c index df40654b9fbb..69440065432c 100644 --- a/drivers/staging/erofs/xattr.c +++ b/drivers/staging/erofs/xattr.c @@ -463,7 +463,8 @@ int erofs_getxattr(struct inode *inode, int index, static int erofs_xattr_generic_get(const struct xattr_handler *handler, struct dentry *unused, struct inode *inode, - const char *name, void *buffer, size_t size) + const char *name, void *buffer, size_t size, + int flags) { struct erofs_sb_info *const sbi = EROFS_I_SB(inode); diff --git a/fs/9p/acl.c b/fs/9p/acl.c index
[f2fs-dev] [PATCH v2] Add flags option to get xattr method paired to __vfs_getxattr
Add a flag option to get xattr method that could have a bit flag of XATTR_NOSECURITY passed to it. XATTR_NOSECURITY is generally then set in the __vfs_getxattr path. This handles the case of a union filesystem driver that is being requested by the security layer to report back the xattr data from a lower layer. For the use case where access is to be blocked by the security layer. The path then could be security(dentry) -> __vfs_getxattr(dentry...XATTR_NOSECUIRTY) -> handler->get(dentry...XATTR_NOSECURITY) -> __vfs_getxattr(lower_dentry...XATTR_NOSECUIRTY) -> lower_handler->get(lower_dentry...XATTR_NOSECUIRTY) which would report back through the chain data and success as expected, the logging security layer at the top would have the data to determine the access permissions and report back the target context that was blocked. Without the get handler flag, the path on a union filesystem would be the errant security(dentry) -> __vfs_getxattr(dentry) -> handler->get(dentry) -> vfs_getxattr(lower_dentry) -> nested -> security(lower_dentry, log off) -> lower_handler->get(lower_dentry) which would report back through the chain no data, and -EACCES. For selinux for both cases, this would translate to a correctly determined blocked access. In the first case with this change a correct avc log would be reported, in the second legacy case an incorrect avc log would be reported against an uninitialized u:object_r:unlabeled:s0 context making the logs cosmetically useless for audit2allow. This patch series is inert and is the wide-spread addition of the flags option for xattr functions, and a replacement of _vfs_getxattr with __vfs_getxattr(...XATTR_NOSECURITY). Signed-off-by: Mark Salyzyn Cc: Stephen Smalley Cc: linux-ker...@vger.kernel.org Cc: kernel-t...@android.com Cc: linux-security-mod...@vger.kernel.org Cc: sta...@vger.kernel.org # 4.4, 4.9, 4.14 & 4.19 --- v2: Missed a spot: ubifs, erofs and afs. v1: Removed from an overlayfs patch set, and made independent. Expect this to be the basis of some security improvements. --- drivers/staging/erofs/xattr.c | 3 ++- fs/9p/acl.c | 3 ++- fs/9p/xattr.c | 3 ++- fs/afs/xattr.c| 8 +++ fs/btrfs/xattr.c | 3 ++- fs/ceph/xattr.c | 3 ++- fs/cifs/xattr.c | 2 +- fs/ecryptfs/inode.c | 6 -- fs/ecryptfs/mmap.c| 2 +- fs/ext2/xattr_trusted.c | 2 +- fs/ext2/xattr_user.c | 2 +- fs/ext4/xattr_security.c | 2 +- fs/ext4/xattr_trusted.c | 2 +- fs/ext4/xattr_user.c | 2 +- fs/f2fs/xattr.c | 4 ++-- fs/fuse/xattr.c | 4 ++-- fs/gfs2/xattr.c | 3 ++- fs/hfs/attr.c | 2 +- fs/hfsplus/xattr.c| 3 ++- fs/hfsplus/xattr_trusted.c| 3 ++- fs/hfsplus/xattr_user.c | 3 ++- fs/jffs2/security.c | 3 ++- fs/jffs2/xattr_trusted.c | 3 ++- fs/jffs2/xattr_user.c | 3 ++- fs/jfs/xattr.c| 5 +++-- fs/kernfs/inode.c | 3 ++- fs/nfs/nfs4proc.c | 6 -- fs/ocfs2/xattr.c | 9 +--- fs/orangefs/xattr.c | 3 ++- fs/overlayfs/super.c | 8 --- fs/posix_acl.c| 2 +- fs/reiserfs/xattr_security.c | 3 ++- fs/reiserfs/xattr_trusted.c | 3 ++- fs/reiserfs/xattr_user.c | 3 ++- fs/squashfs/xattr.c | 2 +- fs/ubifs/xattr.c | 2 +- fs/xattr.c| 36 +++ fs/xfs/xfs_xattr.c| 3 ++- include/linux/xattr.h | 9 include/uapi/linux/xattr.h| 5 +++-- mm/shmem.c| 3 ++- net/socket.c | 3 ++- security/commoncap.c | 6 -- security/integrity/evm/evm_main.c | 3 ++- security/selinux/hooks.c | 11 ++ security/smack/smack_lsm.c| 5 +++-- 46 files changed, 123 insertions(+), 84 deletions(-) diff --git a/drivers/staging/erofs/xattr.c b/drivers/staging/erofs/xattr.c index df40654b9fbb..69440065432c 100644 --- a/drivers/staging/erofs/xattr.c +++ b/drivers/staging/erofs/xattr.c @@ -463,7 +463,8 @@ int erofs_getxattr(struct inode *inode, int index, static int erofs_xattr_generic_get(const struct xattr_handler *handler, struct dentry *unused, struct inode *inode, - const char *name, void *buffer, size_t size) + const char *name, void *buffer, size_t size, + int flags) { struct erofs_sb_info *const sbi = EROFS_I_SB(inode); diff --git a/fs/9p/acl.c b/fs/9p/acl.c index 6261719f6f2a..cb14e8b312bc 100644 --- a/fs/9p/acl.c +++ b/fs/9p/acl.c @@
Re: [f2fs-dev] [PATCH] Add flags option to get xattr method paired to __vfs_getxattr
On 8/13/19 1:48 AM, Greg Kroah-Hartman wrote: On Mon, Aug 12, 2019 at 12:32:49PM -0700, Mark Salyzyn wrote: --- a/include/linux/xattr.h +++ b/include/linux/xattr.h @@ -30,10 +30,10 @@ struct xattr_handler { const char *prefix; int flags; /* fs private flags */ bool (*list)(struct dentry *dentry); - int (*get)(const struct xattr_handler *, struct dentry *dentry, + int (*get)(const struct xattr_handler *handler, struct dentry *dentry, struct inode *inode, const char *name, void *buffer, - size_t size); - int (*set)(const struct xattr_handler *, struct dentry *dentry, + size_t size, int flags); + int (*set)(const struct xattr_handler *handler, struct dentry *dentry, struct inode *inode, const char *name, const void *buffer, size_t size, int flags); Wow, 7 arguments. Isn't there some nice rule of thumb that says once you get more then 5, a function becomes impossible to understand? This is a method with a pot-pourri of somewhat intuitive useful, but not always necessary, arguments, the additional argument does not complicate the function(s) AFAIK, but maybe its usage. Most functions do not even reference handler, the inode is typically a derivative of dentry, The arguments most used are the name of the attribute and the buffer/size the results are to be placed into. The addition of flags is actually a pattern borrowed from the [.]set method, which provides at least 32 bits of 'control' (of which we added only one). Before, it was an anti-pattern. Surely this could be a structure passed in here somehow, that way when you add the 8th argument in the future, you don't have to change everything yet again? :) Just be happy I provided int flags, instead of bool no_security ;-> there are a few bits there that can be used in the future. I don't have anything concrete to offer as a replacement fix for this, but to me this just feels really wrong... I went through 6 different alternatives (in the overlayfs security fix patch set) until I found this one that resonated with the security and filesystem stakeholders. The one was a direct result of trying to reduce the security attack surface. This code was created by threading a needle, and evolution. I am game for a 7th alternative to solve the unionfs set of recursive calls into acquiring the extended attributes. -- Mark ___ Linux-f2fs-devel mailing list Linux-f2fs-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
[f2fs-dev] [PATCH] Add flags option to get xattr method paired to __vfs_getxattr
Add a flag option to get xattr method that could have a bit flag of XATTR_NOSECURITY passed to it. XATTR_NOSECURITY is generally then set in the __vfs_getxattr path. This handles the case of a union filesystem driver that is being requested by the security layer to report back the xattr data. For the use case where access is to be blocked by the security layer. The path then could be security(dentry) -> __vfs_getxattr(dentry...XATTR_NOSECUIRTY) -> handler->get(dentry...XATTR_NOSECURITY) -> __vfs_getxattr(lower_dentry...XATTR_NOSECUIRTY) -> lower_handler->get(lower_dentry...XATTR_NOSECUIRTY) which would report back through the chain data and success as expected, the logging security layer at the top would have the data to determine the access permissions and report back the target context that was blocked. Without the get handler flag, the path on a union filesystem would be the errant security(dentry) -> __vfs_getxattr(dentry) -> handler->get(dentry) -> vfs_getxattr(lower_dentry) -> nested -> security(lower_dentry, log off) -> lower_handler->get(lower_dentry) which would report back through the chain no data, and -EACCES. For selinux for both cases, this would translate to a correctly determined blocked access. In the first case with this change a correct avc log would be reported, in the second legacy case an incorrect avc log would be reported against an uninitialized u:object_r:unlabeled:s0 context making the logs cosmetically useless for audit2allow. This patch series is inert and is the wide-spread addition of the flags option for xattr functions, and a replacement of _vfs_getxattr with __vfs_getxattr(...XATTR_NOSECURITY). Signed-off-by: Mark Salyzyn Cc: Stephen Smalley Cc: linux-ker...@vger.kernel.org Cc: kernel-t...@android.com Cc: linux-security-mod...@vger.kernel.org Cc: sta...@vger.kernel.org # 4.4, 4.9, 4.14 & 4.19 --- Removed from an overlayfs patch set, and made independent. Expect this to be the basis of some security improvements. --- fs/9p/acl.c | 3 ++- fs/9p/xattr.c | 3 ++- fs/afs/xattr.c| 6 +++--- fs/btrfs/xattr.c | 3 ++- fs/ceph/xattr.c | 3 ++- fs/cifs/xattr.c | 2 +- fs/ecryptfs/inode.c | 6 -- fs/ecryptfs/mmap.c| 2 +- fs/ext2/xattr_trusted.c | 2 +- fs/ext2/xattr_user.c | 2 +- fs/ext4/xattr_security.c | 2 +- fs/ext4/xattr_trusted.c | 2 +- fs/ext4/xattr_user.c | 2 +- fs/f2fs/xattr.c | 4 ++-- fs/fuse/xattr.c | 4 ++-- fs/gfs2/xattr.c | 3 ++- fs/hfs/attr.c | 2 +- fs/hfsplus/xattr.c| 3 ++- fs/hfsplus/xattr_trusted.c| 3 ++- fs/hfsplus/xattr_user.c | 3 ++- fs/jffs2/security.c | 3 ++- fs/jffs2/xattr_trusted.c | 3 ++- fs/jffs2/xattr_user.c | 3 ++- fs/jfs/xattr.c| 5 +++-- fs/kernfs/inode.c | 3 ++- fs/nfs/nfs4proc.c | 6 -- fs/ocfs2/xattr.c | 9 +--- fs/orangefs/xattr.c | 3 ++- fs/overlayfs/super.c | 8 --- fs/posix_acl.c| 2 +- fs/reiserfs/xattr_security.c | 3 ++- fs/reiserfs/xattr_trusted.c | 3 ++- fs/reiserfs/xattr_user.c | 3 ++- fs/squashfs/xattr.c | 2 +- fs/xattr.c| 36 +++ fs/xfs/xfs_xattr.c| 3 ++- include/linux/xattr.h | 9 include/uapi/linux/xattr.h| 5 +++-- mm/shmem.c| 3 ++- net/socket.c | 3 ++- security/commoncap.c | 6 -- security/integrity/evm/evm_main.c | 3 ++- security/selinux/hooks.c | 11 ++ security/smack/smack_lsm.c| 5 +++-- 44 files changed, 119 insertions(+), 81 deletions(-) diff --git a/fs/9p/acl.c b/fs/9p/acl.c index 6261719f6f2a..cb14e8b312bc 100644 --- a/fs/9p/acl.c +++ b/fs/9p/acl.c @@ -214,7 +214,8 @@ int v9fs_acl_mode(struct inode *dir, umode_t *modep, static int v9fs_xattr_get_acl(const struct xattr_handler *handler, struct dentry *dentry, struct inode *inode, - const char *name, void *buffer, size_t size) + const char *name, void *buffer, size_t size, + int flags) { struct v9fs_session_info *v9ses; struct posix_acl *acl; diff --git a/fs/9p/xattr.c b/fs/9p/xattr.c index ac8ff8ca4c11..5cfa772452fd 100644 --- a/fs/9p/xattr.c +++ b/fs/9p/xattr.c @@ -139,7 +139,8 @@ ssize_t v9fs_listxattr(struct dentry *dentry, char *buffer, size_t buffer_size) static int v9fs_xattr_handler_get(const struct xattr_handler *handler, struct dentry *dentry,
[f2fs-dev] [PATCH v13 3/5] overlayfs: handle XATTR_NOSECURITY flag for get xattr method
Because of the overlayfs getxattr recursion, the incoming inode fails to update the selinux sid resulting in avc denials being reported against a target context of u:object_r:unlabeled:s0. Solution is to respond to the XATTR_NOSECURITY flag in get xattr method that calls the __vfs_getxattr handler instead so that the context can be read in, rather than being denied with an -EACCES when vfs_getxattr handler is called. For the use case where access is to be blocked by the security layer. The path then would be security(dentry) -> __vfs_getxattr(dentry...XATTR_NOSECURITY) -> handler->get(dentry...XATTR_NOSECURITY) -> __vfs_getxattr(realdentry...XATTR_NOSECURITY) -> lower_handler->get(realdentry...XATTR_NOSECURITY) which would report back through the chain data and success as expected, the logging security layer at the top would have the data to determine the access permissions and report back to the logs and the caller that the target context was blocked. For selinux this would solve the cosmetic issue of the selinux log and allow audit2allow to correctly report the rule needed to address the access problem. Signed-off-by: Mark Salyzyn Cc: Miklos Szeredi Cc: Jonathan Corbet Cc: Vivek Goyal Cc: Eric W. Biederman Cc: Amir Goldstein Cc: Randy Dunlap Cc: Stephen Smalley Cc: linux-unio...@vger.kernel.org Cc: linux-...@vger.kernel.org Cc: linux-ker...@vger.kernel.org Cc: kernel-t...@android.com Cc: Eric Van Hensbergen Cc: Latchesar Ionkov Cc: Dominique Martinet Cc: David Howells Cc: Chris Mason Cc: Josef Bacik Cc: David Sterba Cc: Jeff Layton Cc: Sage Weil Cc: Ilya Dryomov Cc: Steve French Cc: Tyler Hicks Cc: Jan Kara Cc: Theodore Ts'o Cc: Andreas Dilger Cc: Jaegeuk Kim Cc: Chao Yu Cc: Bob Peterson Cc: Andreas Gruenbacher Cc: David Woodhouse Cc: Richard Weinberger Cc: Dave Kleikamp Cc: Greg Kroah-Hartman Cc: Tejun Heo Cc: Trond Myklebust Cc: Anna Schumaker Cc: Mark Fasheh Cc: Joel Becker Cc: Joseph Qi Cc: Mike Marshall Cc: Martin Brandenburg Cc: Alexander Viro Cc: Phillip Lougher Cc: Darrick J. Wong Cc: linux-...@vger.kernel.org Cc: Hugh Dickins Cc: David S. Miller Cc: Andrew Morton Cc: Mathieu Malaterre Cc: Ernesto A. Fernández Cc: Vyacheslav Dubeyko Cc: v9fs-develo...@lists.sourceforge.net Cc: linux-...@lists.infradead.org Cc: linux-bt...@vger.kernel.org Cc: ceph-de...@vger.kernel.org Cc: linux-c...@vger.kernel.org Cc: samba-techni...@lists.samba.org Cc: ecryp...@vger.kernel.org Cc: linux-e...@vger.kernel.org Cc: linux-f2fs-devel@lists.sourceforge.net Cc: linux-fsde...@vger.kernel.org Cc: cluster-de...@redhat.com Cc: linux-...@lists.infradead.org Cc: jfs-discuss...@lists.sourceforge.net Cc: linux-...@vger.kernel.org Cc: ocfs2-de...@oss.oracle.com Cc: de...@lists.orangefs.org Cc: reiserfs-de...@vger.kernel.org Cc: linux...@kvack.org Cc: net...@vger.kernel.org Cc: linux-security-mod...@vger.kernel.org Cc: sta...@vger.kernel.org # 4.4, 4.9, 4.14 & 4.19 --- v13 - rebase to use __vfs_getxattr flags option. v12 - Added back to patch series as get xattr with flag option. v11 - Squashed out of patch series and replaced with per-thread flag solution. v10 - Added to patch series as __get xattr method. --- fs/overlayfs/inode.c | 5 +++-- fs/overlayfs/overlayfs.h | 2 +- fs/overlayfs/super.c | 4 ++-- 3 files changed, 6 insertions(+), 5 deletions(-) diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c index 7663aeb85fa3..1bf11ae44313 100644 --- a/fs/overlayfs/inode.c +++ b/fs/overlayfs/inode.c @@ -363,7 +363,7 @@ int ovl_xattr_set(struct dentry *dentry, struct inode *inode, const char *name, } int ovl_xattr_get(struct dentry *dentry, struct inode *inode, const char *name, - void *value, size_t size) + void *value, size_t size, int flags) { ssize_t res; const struct cred *old_cred; @@ -371,7 +371,8 @@ int ovl_xattr_get(struct dentry *dentry, struct inode *inode, const char *name, ovl_i_dentry_upper(inode) ?: ovl_dentry_lower(dentry); old_cred = ovl_override_creds(dentry->d_sb); - res = vfs_getxattr(realdentry, name, value, size); + res = __vfs_getxattr(realdentry, d_inode(realdentry), name, +value, size, flags); revert_creds(old_cred); return res; } diff --git a/fs/overlayfs/overlayfs.h b/fs/overlayfs/overlayfs.h index 6934bcf030f0..ab3d031c422b 100644 --- a/fs/overlayfs/overlayfs.h +++ b/fs/overlayfs/overlayfs.h @@ -356,7 +356,7 @@ int ovl_permission(struct inode *inode, int mask); int ovl_xattr_set(struct dentry *dentry, struct inode *inode, const char *name, const void *value, size_t size, int flags); int ovl_xattr_get(struct dentry *dentry, struct inode *inode, const char *name, - void *value, size_t size); + void *value, size_t size, int flags); ssize_t ovl_listxattr(struct dentry *dentry, char *list, size_t size); struct posix_acl *ovl_get_acl(struct inode
[f2fs-dev] [PATCH v13 2/5] Add flags option to get xattr method paired to __vfs_getxattr
Add a flag option to get xattr method that could have a bit flag of XATTR_NOSECURITY passed to it. XATTR_NOSECURITY is generally then set in the __vfs_getxattr path. This handles the case of a union filesystem driver that is being requested by the security layer to report back the data that is the target label or context embedded into wrapped filesystem's xattr. For the use case where access is to be blocked by the security layer. The path then could be security(dentry) -> __vfs_getxattr(dentry...XATTR_NOSECUIRTY) -> handler->get(dentry...XATTR_NOSECURITY) -> __vfs_getxattr(lower_dentry...XATTR_NOSECUIRTY) -> lower_handler->get(lower_dentry...XATTR_NOSECUIRTY) which would report back through the chain data and success as expected, but the logging security layer at the top would have the data to determine the access permissions and report back the target context that was blocked. Without the get handler flag, the path on a union filesystem would be the errant security(dentry) -> __vfs_getxattr(dentry) -> handler->get(dentry) -> vfs_getxattr(lower_dentry) -> nested -> security(lower_dentry, log off) -> lower_handler->get(lower_dentry) which would report back through the chain no data, and -EACCES. For selinux for both cases, this would translate to a correctly determined blocked access. In the first corrected case a correct avc log would be reported, in the second legacy case an incorrect avc log would be reported against an uninitialized u:object_r:unlabeled:s0 context making the logs cosmetically useless for audit2allow. This patch series is inert and is the wide-spread addition of the flags option for xattr functions, and a replacement of _vfs_getxattr with __vfs_getxattr(...XATTR_NOSECURITY). Signed-off-by: Mark Salyzyn Cc: Miklos Szeredi Cc: Jonathan Corbet Cc: Vivek Goyal Cc: Eric W. Biederman Cc: Amir Goldstein Cc: Randy Dunlap Cc: Stephen Smalley Cc: linux-unio...@vger.kernel.org Cc: linux-...@vger.kernel.org Cc: linux-ker...@vger.kernel.org Cc: kernel-t...@android.com Cc: Eric Van Hensbergen Cc: Latchesar Ionkov Cc: Dominique Martinet Cc: David Howells Cc: Chris Mason Cc: Josef Bacik Cc: David Sterba Cc: Jeff Layton Cc: Sage Weil Cc: Ilya Dryomov Cc: Steve French Cc: Tyler Hicks Cc: Jan Kara Cc: Theodore Ts'o Cc: Andreas Dilger Cc: Jaegeuk Kim Cc: Chao Yu Cc: Bob Peterson Cc: Andreas Gruenbacher Cc: David Woodhouse Cc: Richard Weinberger Cc: Dave Kleikamp Cc: Greg Kroah-Hartman Cc: Tejun Heo Cc: Trond Myklebust Cc: Anna Schumaker Cc: Mark Fasheh Cc: Joel Becker Cc: Joseph Qi Cc: Mike Marshall Cc: Martin Brandenburg Cc: Alexander Viro Cc: Phillip Lougher Cc: Darrick J. Wong Cc: linux-...@vger.kernel.org Cc: Hugh Dickins Cc: David S. Miller Cc: Andrew Morton Cc: Mathieu Malaterre Cc: Ernesto A. Fernández Cc: Vyacheslav Dubeyko Cc: v9fs-develo...@lists.sourceforge.net Cc: linux-...@lists.infradead.org Cc: linux-bt...@vger.kernel.org Cc: ceph-de...@vger.kernel.org Cc: linux-c...@vger.kernel.org Cc: samba-techni...@lists.samba.org Cc: ecryp...@vger.kernel.org Cc: linux-e...@vger.kernel.org Cc: linux-f2fs-devel@lists.sourceforge.net Cc: linux-fsde...@vger.kernel.org Cc: cluster-de...@redhat.com Cc: linux-...@lists.infradead.org Cc: jfs-discuss...@lists.sourceforge.net Cc: linux-...@vger.kernel.org Cc: ocfs2-de...@oss.oracle.com Cc: de...@lists.orangefs.org Cc: reiserfs-de...@vger.kernel.org Cc: linux...@kvack.org Cc: net...@vger.kernel.org Cc: linux-security-mod...@vger.kernel.org Cc: sta...@vger.kernel.org # 4.4, 4.9, 4.14 & 4.19 --- v13 - added flags to __vfs_getxattr call, and moved all the security code from vfs_getxattr into it. v12 - Added back to patch series as get xattr with flag option. v11 - Squashed out of patch series and replaced with per-thread flag solution. v10 - Added to patch series as __get xattr method. --- fs/9p/acl.c | 3 ++- fs/9p/xattr.c | 3 ++- fs/afs/xattr.c| 6 +++--- fs/btrfs/xattr.c | 3 ++- fs/ceph/xattr.c | 3 ++- fs/cifs/xattr.c | 2 +- fs/ecryptfs/inode.c | 6 -- fs/ecryptfs/mmap.c| 2 +- fs/ext2/xattr_trusted.c | 2 +- fs/ext2/xattr_user.c | 2 +- fs/ext4/xattr_security.c | 2 +- fs/ext4/xattr_trusted.c | 2 +- fs/ext4/xattr_user.c | 2 +- fs/f2fs/xattr.c | 4 ++-- fs/fuse/xattr.c | 4 ++-- fs/gfs2/xattr.c | 3 ++- fs/hfs/attr.c | 2 +- fs/hfsplus/xattr.c| 3 ++- fs/hfsplus/xattr_trusted.c| 3 ++- fs/hfsplus/xattr_user.c | 3 ++- fs/jffs2/security.c | 3 ++- fs/jffs2/xattr_trusted.c | 3 ++- fs/jffs2/xattr_user.c | 3 ++- fs/jfs/xattr.c| 5 +++-- fs/kernfs/inode.c | 3 ++- fs/nfs/nfs4proc.c
[f2fs-dev] [PATCH v13 5/5] overlayfs: override_creds=off option bypass creator_cred
By default, all access to the upper, lower and work directories is the recorded mounter's MAC and DAC credentials. The incoming accesses are checked against the caller's credentials. If the principles of least privilege are applied, the mounter's credentials might not overlap the credentials of the caller's when accessing the overlayfs filesystem. For example, a file that a lower DAC privileged caller can execute, is MAC denied to the generally higher DAC privileged mounter, to prevent an attack vector. We add the option to turn off override_creds in the mount options; all subsequent operations after mount on the filesystem will be only the caller's credentials. The module boolean parameter and mount option override_creds is also added as a presence check for this "feature", existence of /sys/module/overlay/parameters/override_creds. It was not always this way. Circa 4.6 there was no recorded mounter's credentials, instead privileged access to upper or work directories were temporarily increased to perform the operations. The MAC (selinux) policies were caller's in all cases. override_creds=off partially returns us to this older access model minus the insecure temporary credential increases. This is to permit use in a system with non-overlapping security models for each executable including the agent that mounts the overlayfs filesystem. In Android this is the case since init, which performs the mount operations, has a minimal MAC set of privileges to reduce any attack surface, and services that use the content have a different set of MAC privileges (eg: read, for vendor labelled configuration, execute for vendor libraries and modules). The caveats are not a problem in the Android usage model, however they should be fixed for completeness and for general use in time. Signed-off-by: Mark Salyzyn Cc: Miklos Szeredi Cc: Jonathan Corbet Cc: Vivek Goyal Cc: Eric W. Biederman Cc: Amir Goldstein Cc: Randy Dunlap Cc: Stephen Smalley Cc: linux-unio...@vger.kernel.org Cc: linux-...@vger.kernel.org Cc: linux-ker...@vger.kernel.org Cc: kernel-t...@android.com Cc: Eric Van Hensbergen Cc: Latchesar Ionkov Cc: Dominique Martinet Cc: David Howells Cc: Chris Mason Cc: Josef Bacik Cc: David Sterba Cc: Jeff Layton Cc: Sage Weil Cc: Ilya Dryomov Cc: Steve French Cc: Tyler Hicks Cc: Jan Kara Cc: Theodore Ts'o Cc: Andreas Dilger Cc: Jaegeuk Kim Cc: Chao Yu Cc: Bob Peterson Cc: Andreas Gruenbacher Cc: David Woodhouse Cc: Richard Weinberger Cc: Dave Kleikamp Cc: Greg Kroah-Hartman Cc: Tejun Heo Cc: Trond Myklebust Cc: Anna Schumaker Cc: Mark Fasheh Cc: Joel Becker Cc: Joseph Qi Cc: Mike Marshall Cc: Martin Brandenburg Cc: Alexander Viro Cc: Phillip Lougher Cc: Darrick J. Wong Cc: linux-...@vger.kernel.org Cc: Hugh Dickins Cc: David S. Miller Cc: Andrew Morton Cc: Mathieu Malaterre Cc: Ernesto A. Fernández Cc: Vyacheslav Dubeyko Cc: v9fs-develo...@lists.sourceforge.net Cc: linux-...@lists.infradead.org Cc: linux-bt...@vger.kernel.org Cc: ceph-de...@vger.kernel.org Cc: linux-c...@vger.kernel.org Cc: samba-techni...@lists.samba.org Cc: ecryp...@vger.kernel.org Cc: linux-e...@vger.kernel.org Cc: linux-f2fs-devel@lists.sourceforge.net Cc: linux-fsde...@vger.kernel.org Cc: cluster-de...@redhat.com Cc: linux-...@lists.infradead.org Cc: jfs-discuss...@lists.sourceforge.net Cc: linux-...@vger.kernel.org Cc: ocfs2-de...@oss.oracle.com Cc: de...@lists.orangefs.org Cc: reiserfs-de...@vger.kernel.org Cc: linux...@kvack.org Cc: net...@vger.kernel.org Cc: linux-security-mod...@vger.kernel.org Cc: sta...@vger.kernel.org # 4.4, 4.9, 4.14 & 4.19 NB: this is a desired feature --- v12 + v13: - Rebase v11: - add sb argument to ovl_revert_creds to match future work v10: - Rebase (and expand because of increased revert_cred usage) v9: - Add to the caveats v8: - drop pr_warn message after straw poll to remove it. - added a use case in the commit message v7: - change name of internal parameter to ovl_override_creds_def - report override_creds only if different than default v6: - Drop CONFIG_OVERLAY_FS_OVERRIDE_CREDS. - Do better with the documentation. - pr_warn message adjusted to report consequences. v5: - beefed up the caveats in the Documentation - Is dependent on "overlayfs: check CAP_DAC_READ_SEARCH before issuing exportfs_decode_fh" "overlayfs: check CAP_MKNOD before issuing vfs_whiteout" - Added prwarn when override_creds=off v4: - spelling and grammar errors in text v3: - Change name from caller_credentials / creator_credentials to the boolean override_creds. - Changed from creator to mounter credentials. - Updated and fortified the documentation. - Added CONFIG_OVERLAY_FS_OVERRIDE_CREDS v2: - Forward port changed attr to stat, resulting in a build error. - altered commit message. --- Documentation/filesystems/overlayfs.txt | 23 +++ fs/overlayfs/copy_up.c | 2 +- fs/overlayfs/dir.c | 11 ++-
[f2fs-dev] [PATCH v13 0/5] overlayfs override_creds=off
Patch series: overlayfs: check CAP_DAC_READ_SEARCH before issuing exportfs_decode_fh Add flags option to get xattr method paired to __vfs_getxattr overlayfs: handle XATTR_NOSECURITY flag for get xattr method overlayfs: internal getxattr operations without sepolicy checking overlayfs: override_creds=off option bypass creator_cred The first four patches address fundamental security issues that should be solved regardless of the override_creds=off feature. on them). The fifth adds the feature depends on these other fixes. By default, all access to the upper, lower and work directories is the recorded mounter's MAC and DAC credentials. The incoming accesses are checked against the caller's credentials. If the principles of least privilege are applied for sepolicy, the mounter's credentials might not overlap the credentials of the caller's when accessing the overlayfs filesystem. For example, a file that a lower DAC privileged caller can execute, is MAC denied to the generally higher DAC privileged mounter, to prevent an attack vector. We add the option to turn off override_creds in the mount options; all subsequent operations after mount on the filesystem will be only the caller's credentials. The module boolean parameter and mount option override_creds is also added as a presence check for this "feature", existence of /sys/module/overlay/parameters/overlay_creds Signed-off-by: Mark Salyzyn Cc: Miklos Szeredi Cc: Jonathan Corbet Cc: Vivek Goyal Cc: Eric W. Biederman Cc: Amir Goldstein Cc: Randy Dunlap Cc: Stephen Smalley Cc: linux-unio...@vger.kernel.org Cc: linux-...@vger.kernel.org Cc: linux-ker...@vger.kernel.org Cc: Eric Van Hensbergen Cc: Latchesar Ionkov Cc: Dominique Martinet Cc: David Howells Cc: Chris Mason Cc: Josef Bacik Cc: David Sterba Cc: Jeff Layton Cc: Sage Weil Cc: Ilya Dryomov Cc: Steve French Cc: Tyler Hicks Cc: Jan Kara Cc: Theodore Ts'o Cc: Andreas Dilger Cc: Jaegeuk Kim Cc: Chao Yu Cc: Bob Peterson Cc: Andreas Gruenbacher Cc: David Woodhouse Cc: Richard Weinberger Cc: Dave Kleikamp Cc: Greg Kroah-Hartman Cc: Tejun Heo Cc: Trond Myklebust Cc: Anna Schumaker Cc: Mark Fasheh Cc: Joel Becker Cc: Joseph Qi Cc: Mike Marshall Cc: Martin Brandenburg Cc: Alexander Viro Cc: Phillip Lougher Cc: Darrick J. Wong Cc: linux-...@vger.kernel.org Cc: Hugh Dickins Cc: David S. Miller Cc: Andrew Morton Cc: Mathieu Malaterre Cc: Ernesto A. Fernandez Cc: Vyacheslav Dubeyko Cc: v9fs-develo...@lists.sourceforge.net Cc: linux-...@lists.infradead.org Cc: linux-bt...@vger.kernel.org Cc: ceph-de...@vger.kernel.org Cc: linux-c...@vger.kernel.org Cc: samba-techni...@lists.samba.org Cc: ecryp...@vger.kernel.org Cc: linux-e...@vger.kernel.org Cc: linux-f2fs-devel@lists.sourceforge.net Cc: linux-fsde...@vger.kernel.org Cc: cluster-de...@redhat.com Cc: linux-...@lists.infradead.org Cc: jfs-discuss...@lists.sourceforge.net Cc: linux-...@vger.kernel.org Cc: ocfs2-de...@oss.oracle.com Cc: de...@lists.orangefs.org Cc: reiserfs-de...@vger.kernel.org Cc: linux...@kvack.org Cc: net...@vger.kernel.org Cc: linux-security-mod...@vger.kernel.org Cc: sta...@vger.kernel.org # 4.4, 4.9, 4.14 & 4.19 --- v13: - add flags argument to __vfs_getxattr - drop GFP_NOFS side-effect v12: - Restore squished out patch 2 and 3 in the series, then change algorithm to add flags argument. Per-thread flag is a large security surface. v11: - Squish out v10 introduced patch 2 and 3 in the series, then and use per-thread flag instead for nesting. - Switch name to ovl_do_vds_getxattr for __vds_getxattr wrapper. - Add sb argument to ovl_revert_creds to match future work. v10: - Return NULL on CAP_DAC_READ_SEARCH - Add __get xattr method to solve sepolicy logging issue - Drop unnecessary sys_admin sepolicy checking for administrative driver internal xattr functions. v6: - Drop CONFIG_OVERLAY_FS_OVERRIDE_CREDS. - Do better with the documentation, drop rationalizations. - pr_warn message adjusted to report consequences. v5: - beefed up the caveats in the Documentation - Is dependent on "overlayfs: check CAP_DAC_READ_SEARCH before issuing exportfs_decode_fh" "overlayfs: check CAP_MKNOD before issuing vfs_whiteout" - Added prwarn when override_creds=off v4: - spelling and grammar errors in text v3: - Change name from caller_credentials / creator_credentials to the boolean override_creds. - Changed from creator to mounter credentials. - Updated and fortified the documentation. - Added CONFIG_OVERLAY_FS_OVERRIDE_CREDS v2: - Forward port changed attr to stat, resulting in a build error. - altered commit message. ___ Linux-f2fs-devel mailing list Linux-f2fs-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
[f2fs-dev] [PATCH v13 4/5] overlayfs: internal getxattr operations without sepolicy checking
Check impure, opaque, origin & meta xattr with no sepolicy audit (using __vfs_getxattr) since these operations are internal to overlayfs operations and do not disclose any data. This became an issue for credential override off since sys_admin would have been required by the caller; whereas would have been inherently present for the creator since it performed the mount. This is a change in operations since we do not check in the new ovl_do_vfs_getxattr function if the credential override is off or not. Reasoning is that the sepolicy check is unnecessary overhead, especially since the check can be expensive. Because for override credentials off, this affects _everyone_ that underneath performs private xattr calls without the appropriate sepolicy permissions and sys_admin capability. Providing blanket support for sys_admin would be bad for all possible callers. For the override credentials on, this will affect only the mounter, should it lack sepolicy permissions. Not considered a security problem since mounting by definition has sys_admin capabilities, but sepolicy contexts would still need to be crafted. It should be noted that there is precedence, __vfs_getxattr is used in other filesystems for their own internal trusted xattr management. Signed-off-by: Mark Salyzyn Cc: Miklos Szeredi Cc: Jonathan Corbet Cc: Vivek Goyal Cc: Eric W. Biederman Cc: Amir Goldstein Cc: Randy Dunlap Cc: Stephen Smalley Cc: linux-unio...@vger.kernel.org Cc: linux-...@vger.kernel.org Cc: linux-ker...@vger.kernel.org Cc: kernel-t...@android.com Cc: Eric Van Hensbergen Cc: Latchesar Ionkov Cc: Dominique Martinet Cc: David Howells Cc: Chris Mason Cc: Josef Bacik Cc: David Sterba Cc: Jeff Layton Cc: Sage Weil Cc: Ilya Dryomov Cc: Steve French Cc: Tyler Hicks Cc: Jan Kara Cc: Theodore Ts'o Cc: Andreas Dilger Cc: Jaegeuk Kim Cc: Chao Yu Cc: Bob Peterson Cc: Andreas Gruenbacher Cc: David Woodhouse Cc: Richard Weinberger Cc: Dave Kleikamp Cc: Greg Kroah-Hartman Cc: Tejun Heo Cc: Trond Myklebust Cc: Anna Schumaker Cc: Mark Fasheh Cc: Joel Becker Cc: Joseph Qi Cc: Mike Marshall Cc: Martin Brandenburg Cc: Alexander Viro Cc: Phillip Lougher Cc: Darrick J. Wong Cc: linux-...@vger.kernel.org Cc: Hugh Dickins Cc: David S. Miller Cc: Andrew Morton Cc: Mathieu Malaterre Cc: Ernesto A. Fernández Cc: Vyacheslav Dubeyko Cc: v9fs-develo...@lists.sourceforge.net Cc: linux-...@lists.infradead.org Cc: linux-bt...@vger.kernel.org Cc: ceph-de...@vger.kernel.org Cc: linux-c...@vger.kernel.org Cc: samba-techni...@lists.samba.org Cc: ecryp...@vger.kernel.org Cc: linux-e...@vger.kernel.org Cc: linux-f2fs-devel@lists.sourceforge.net Cc: linux-fsde...@vger.kernel.org Cc: cluster-de...@redhat.com Cc: linux-...@lists.infradead.org Cc: jfs-discuss...@lists.sourceforge.net Cc: linux-...@vger.kernel.org Cc: ocfs2-de...@oss.oracle.com Cc: de...@lists.orangefs.org Cc: reiserfs-de...@vger.kernel.org Cc: linux...@kvack.org Cc: net...@vger.kernel.org Cc: linux-security-mod...@vger.kernel.org Cc: sta...@vger.kernel.org # 4.4, 4.9, 4.14 & 4.19 --- v13 - rebase to use __vfs_getxattr flags option v12 - rebase v11 - switch name to ovl_do_vfs_getxattr, fortify comment v10 - added to patch series --- fs/overlayfs/namei.c | 12 +++- fs/overlayfs/overlayfs.h | 2 ++ fs/overlayfs/util.c | 25 - 3 files changed, 25 insertions(+), 14 deletions(-) diff --git a/fs/overlayfs/namei.c b/fs/overlayfs/namei.c index 9702f0d5309d..a4a452c489fa 100644 --- a/fs/overlayfs/namei.c +++ b/fs/overlayfs/namei.c @@ -106,10 +106,11 @@ int ovl_check_fh_len(struct ovl_fh *fh, int fh_len) static struct ovl_fh *ovl_get_fh(struct dentry *dentry, const char *name) { - int res, err; + ssize_t res; + int err; struct ovl_fh *fh = NULL; - res = vfs_getxattr(dentry, name, NULL, 0); + res = ovl_do_vfs_getxattr(dentry, name, NULL, 0); if (res < 0) { if (res == -ENODATA || res == -EOPNOTSUPP) return NULL; @@ -123,7 +124,7 @@ static struct ovl_fh *ovl_get_fh(struct dentry *dentry, const char *name) if (!fh) return ERR_PTR(-ENOMEM); - res = vfs_getxattr(dentry, name, fh, res); + res = ovl_do_vfs_getxattr(dentry, name, fh, res); if (res < 0) goto fail; @@ -141,10 +142,11 @@ static struct ovl_fh *ovl_get_fh(struct dentry *dentry, const char *name) return NULL; fail: - pr_warn_ratelimited("overlayfs: failed to get origin (%i)\n", res); + pr_warn_ratelimited("overlayfs: failed to get origin (%zi)\n", res); goto out; invalid: - pr_warn_ratelimited("overlayfs: invalid origin (%*phN)\n", res, fh); + pr_warn_ratelimited("overlayfs: invalid origin (%*phN)\n", + (int)res, fh); goto out; } diff --git a/fs/overlayfs/overlayfs.h b/fs/overlayfs/overlayfs.h index ab3d031c422b..9d26d8758513 100644
[f2fs-dev] [PATCH v13 0/5] overlayfs override_creds=off
Patch series: overlayfs: check CAP_DAC_READ_SEARCH before issuing exportfs_decode_fh Add flags option to get xattr method paired to __vfs_getxattr overlayfs: handle XATTR_NOSECURITY flag for get xattr method overlayfs: internal getxattr operations without sepolicy checking overlayfs: override_creds=off option bypass creator_cred The first four patches address fundamental security issues that should be solved regardless of the override_creds=off feature. on them). The fifth adds the feature depends on these other fixes. By default, all access to the upper, lower and work directories is the recorded mounter's MAC and DAC credentials. The incoming accesses are checked against the caller's credentials. If the principles of least privilege are applied for sepolicy, the mounter's credentials might not overlap the credentials of the caller's when accessing the overlayfs filesystem. For example, a file that a lower DAC privileged caller can execute, is MAC denied to the generally higher DAC privileged mounter, to prevent an attack vector. We add the option to turn off override_creds in the mount options; all subsequent operations after mount on the filesystem will be only the caller's credentials. The module boolean parameter and mount option override_creds is also added as a presence check for this "feature", existence of /sys/module/overlay/parameters/overlay_creds Signed-off-by: Mark Salyzyn Cc: Miklos Szeredi Cc: Jonathan Corbet Cc: Vivek Goyal Cc: Eric W. Biederman Cc: Amir Goldstein Cc: Randy Dunlap Cc: Stephen Smalley Cc: linux-unio...@vger.kernel.org Cc: linux-...@vger.kernel.org Cc: linux-ker...@vger.kernel.org Cc: Eric Van Hensbergen Cc: Latchesar Ionkov Cc: Dominique Martinet Cc: David Howells Cc: Chris Mason Cc: Josef Bacik Cc: David Sterba Cc: Jeff Layton Cc: Sage Weil Cc: Ilya Dryomov Cc: Steve French Cc: Tyler Hicks Cc: Jan Kara Cc: Theodore Ts'o Cc: Andreas Dilger Cc: Jaegeuk Kim Cc: Chao Yu Cc: Bob Peterson Cc: Andreas Gruenbacher Cc: David Woodhouse Cc: Richard Weinberger Cc: Dave Kleikamp Cc: Greg Kroah-Hartman Cc: Tejun Heo Cc: Trond Myklebust Cc: Anna Schumaker Cc: Mark Fasheh Cc: Joel Becker Cc: Joseph Qi Cc: Mike Marshall Cc: Martin Brandenburg Cc: Alexander Viro Cc: Phillip Lougher Cc: Darrick J. Wong Cc: linux-...@vger.kernel.org Cc: Hugh Dickins Cc: David S. Miller Cc: Andrew Morton Cc: Mathieu Malaterre Cc: Ernesto A. Fernández Cc: Vyacheslav Dubeyko Cc: v9fs-develo...@lists.sourceforge.net Cc: linux-...@lists.infradead.org Cc: linux-bt...@vger.kernel.org Cc: ceph-de...@vger.kernel.org Cc: linux-c...@vger.kernel.org Cc: samba-techni...@lists.samba.org Cc: ecryp...@vger.kernel.org Cc: linux-e...@vger.kernel.org Cc: linux-f2fs-devel@lists.sourceforge.net Cc: linux-fsde...@vger.kernel.org Cc: cluster-de...@redhat.com Cc: linux-...@lists.infradead.org Cc: jfs-discuss...@lists.sourceforge.net Cc: linux-...@vger.kernel.org Cc: ocfs2-de...@oss.oracle.com Cc: de...@lists.orangefs.org Cc: reiserfs-de...@vger.kernel.org Cc: linux...@kvack.org Cc: net...@vger.kernel.org Cc: linux-security-mod...@vger.kernel.org Cc: sta...@vger.kernel.org # 4.4, 4.9, 4.14 & 4.19 --- v13: - add flags argument to __vfs_getxattr - drop GFP_NOFS side-effect v12: - Restore squished out patch 2 and 3 in the series, then change algorithm to add flags argument. Per-thread flag is a large security surface. v11: - Squish out v10 introduced patch 2 and 3 in the series, then and use per-thread flag instead for nesting. - Switch name to ovl_do_vds_getxattr for __vds_getxattr wrapper. - Add sb argument to ovl_revert_creds to match future work. v10: - Return NULL on CAP_DAC_READ_SEARCH - Add __get xattr method to solve sepolicy logging issue - Drop unnecessary sys_admin sepolicy checking for administrative driver internal xattr functions. v6: - Drop CONFIG_OVERLAY_FS_OVERRIDE_CREDS. - Do better with the documentation, drop rationalizations. - pr_warn message adjusted to report consequences. v5: - beefed up the caveats in the Documentation - Is dependent on "overlayfs: check CAP_DAC_READ_SEARCH before issuing exportfs_decode_fh" "overlayfs: check CAP_MKNOD before issuing vfs_whiteout" - Added prwarn when override_creds=off v4: - spelling and grammar errors in text v3: - Change name from caller_credentials / creator_credentials to the boolean override_creds. - Changed from creator to mounter credentials. - Updated and fortified the documentation. - Added CONFIG_OVERLAY_FS_OVERRIDE_CREDS v2: - Forward port changed attr to stat, resulting in a build error. - altered commit message. ___ Linux-f2fs-devel mailing list Linux-f2fs-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
[f2fs-dev] [PATCH v13 1/5] overlayfs: check CAP_DAC_READ_SEARCH before issuing exportfs_decode_fh
Assumption never checked, should fail if the mounter creds are not sufficient. Signed-off-by: Mark Salyzyn Cc: Miklos Szeredi Cc: Jonathan Corbet Cc: Vivek Goyal Cc: Eric W. Biederman Cc: Amir Goldstein Cc: Randy Dunlap Cc: Stephen Smalley Cc: linux-unio...@vger.kernel.org Cc: linux-...@vger.kernel.org Cc: linux-ker...@vger.kernel.org Cc: kernel-t...@android.com Cc: Eric Van Hensbergen Cc: Latchesar Ionkov Cc: Dominique Martinet Cc: David Howells Cc: Chris Mason Cc: Josef Bacik Cc: David Sterba Cc: Jeff Layton Cc: Sage Weil Cc: Ilya Dryomov Cc: Steve French Cc: Tyler Hicks Cc: Jan Kara Cc: Theodore Ts'o Cc: Andreas Dilger Cc: Jaegeuk Kim Cc: Chao Yu Cc: Bob Peterson Cc: Andreas Gruenbacher Cc: David Woodhouse Cc: Richard Weinberger Cc: Dave Kleikamp Cc: Greg Kroah-Hartman Cc: Tejun Heo Cc: Trond Myklebust Cc: Anna Schumaker Cc: Mark Fasheh Cc: Joel Becker Cc: Joseph Qi Cc: Mike Marshall Cc: Martin Brandenburg Cc: Alexander Viro Cc: Phillip Lougher Cc: Darrick J. Wong Cc: linux-...@vger.kernel.org Cc: Hugh Dickins Cc: David S. Miller Cc: Andrew Morton Cc: Mathieu Malaterre Cc: Ernesto A. Fernández Cc: Vyacheslav Dubeyko Cc: v9fs-develo...@lists.sourceforge.net Cc: linux-...@lists.infradead.org Cc: linux-bt...@vger.kernel.org Cc: ceph-de...@vger.kernel.org Cc: linux-c...@vger.kernel.org Cc: samba-techni...@lists.samba.org Cc: ecryp...@vger.kernel.org Cc: linux-e...@vger.kernel.org Cc: linux-f2fs-devel@lists.sourceforge.net Cc: linux-fsde...@vger.kernel.org Cc: cluster-de...@redhat.com Cc: linux-...@lists.infradead.org Cc: jfs-discuss...@lists.sourceforge.net Cc: linux-...@vger.kernel.org Cc: ocfs2-de...@oss.oracle.com Cc: de...@lists.orangefs.org Cc: reiserfs-de...@vger.kernel.org Cc: linux...@kvack.org Cc: net...@vger.kernel.org Cc: linux-security-mod...@vger.kernel.org Cc: sta...@vger.kernel.org # 4.4, 4.9, 4.14 & 4.19 --- v11 + v12 + v13 - rebase v10: - return NULL rather than ERR_PTR(-EPERM) - did _not_ add it ovl_can_decode_fh() because of changes since last review, suspect needs to be added to ovl_lower_uuid_ok()? v8 + v9: - rebase v7: - This time for realz v6: - rebase v5: - dependency of "overlayfs: override_creds=off option bypass creator_cred" --- fs/overlayfs/namei.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/overlayfs/namei.c b/fs/overlayfs/namei.c index e9717c2f7d45..9702f0d5309d 100644 --- a/fs/overlayfs/namei.c +++ b/fs/overlayfs/namei.c @@ -161,6 +161,9 @@ struct dentry *ovl_decode_real_fh(struct ovl_fh *fh, struct vfsmount *mnt, if (!uuid_equal(>uuid, >mnt_sb->s_uuid)) return NULL; + if (!capable(CAP_DAC_READ_SEARCH)) + return NULL; + bytes = (fh->len - offsetof(struct ovl_fh, fid)); real = exportfs_decode_fh(mnt, (struct fid *)fh->fid, bytes >> 2, (int)fh->type, -- 2.22.0.770.g0f2c4a37fd-goog ___ Linux-f2fs-devel mailing list Linux-f2fs-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
[f2fs-dev] [PATCH v12 2/5] Add flags option to get xattr method paired to __vfs_getxattr
Add a flag option to get xattr method that could have a bit flag of XATTR_NOSECURITY passed to it. XATTR_NOSECURITY is set in the __vfs_getxattr path. This handles the case of a union filesystem driver that is being requested by the security layer to report back the data that is the target label or context embedded into wrapped filesystem's xattr. For the use case where access is to be blocked by the security layer. The path then could be security(dentry) -> __vfs_getxattr(dentry) -> handler->get(dentry...XATTR_NOSECURITY) -> __vfs_getxattr(lower_dentry) -> lower_handler->get(lower_dentry) which would report back through the chain data and success as expected, but the logging security layer at the top would have the data to determine the access permissions and report back the target context that was blocked. Without the get handler flag, the path on a union filesystem would be the errant security(dentry) -> __vfs_getxattr(dentry) -> handler->get(dentry) -> vfs_getxattr(lower_dentry) -> nested -> security(lower_dentry, log off) -> lower_handler->get(lower_dentry) which would report back through the chain no data, and -EACCES. For selinux for both cases, this would translate to a correctly determined blocked access. In the first corrected case a correct avc log would be reported, in the second legacy case an incorrect avc log would be reported against an uninitialized u:object_r:unlabeled:s0 context making the logs cosmetically useless for audit2allow. Signed-off-by: Mark Salyzyn Cc: Miklos Szeredi Cc: Jonathan Corbet Cc: Vivek Goyal Cc: Eric W. Biederman Cc: Amir Goldstein Cc: Randy Dunlap Cc: Stephen Smalley Cc: linux-unio...@vger.kernel.org Cc: linux-...@vger.kernel.org Cc: linux-ker...@vger.kernel.org Cc: kernel-t...@android.com --- v12 - Added back to patch series as get xattr with flag option. v11 - Squashed out of patch series and replaced with per-thread flag solution. v10 - Added to patch series as __get xattr method. --- fs/9p/acl.c | 3 ++- fs/9p/xattr.c| 3 ++- fs/afs/xattr.c | 6 +++--- fs/btrfs/xattr.c | 3 ++- fs/ceph/xattr.c | 3 ++- fs/cifs/xattr.c | 2 +- fs/ecryptfs/inode.c | 3 ++- fs/ext2/xattr_trusted.c | 2 +- fs/ext2/xattr_user.c | 2 +- fs/ext4/xattr_security.c | 2 +- fs/ext4/xattr_trusted.c | 2 +- fs/ext4/xattr_user.c | 2 +- fs/f2fs/xattr.c | 4 ++-- fs/fuse/xattr.c | 4 ++-- fs/gfs2/xattr.c | 3 ++- fs/hfs/attr.c| 2 +- fs/hfsplus/xattr.c | 3 ++- fs/hfsplus/xattr_trusted.c | 3 ++- fs/hfsplus/xattr_user.c | 3 ++- fs/jffs2/security.c | 3 ++- fs/jffs2/xattr_trusted.c | 3 ++- fs/jffs2/xattr_user.c| 3 ++- fs/jfs/xattr.c | 5 +++-- fs/kernfs/inode.c| 1 + fs/nfs/nfs4proc.c| 6 -- fs/ocfs2/xattr.c | 9 ++--- fs/orangefs/xattr.c | 3 ++- fs/overlayfs/super.c | 5 +++-- fs/posix_acl.c | 2 +- fs/reiserfs/xattr_security.c | 3 ++- fs/reiserfs/xattr_trusted.c | 3 ++- fs/reiserfs/xattr_user.c | 3 ++- fs/squashfs/xattr.c | 2 +- fs/xattr.c | 19 ++- fs/xfs/xfs_xattr.c | 3 ++- include/linux/xattr.h| 6 +++--- include/uapi/linux/xattr.h | 5 +++-- mm/shmem.c | 3 ++- net/socket.c | 3 ++- 39 files changed, 91 insertions(+), 54 deletions(-) diff --git a/fs/9p/acl.c b/fs/9p/acl.c index 6261719f6f2a..cb14e8b312bc 100644 --- a/fs/9p/acl.c +++ b/fs/9p/acl.c @@ -214,7 +214,8 @@ int v9fs_acl_mode(struct inode *dir, umode_t *modep, static int v9fs_xattr_get_acl(const struct xattr_handler *handler, struct dentry *dentry, struct inode *inode, - const char *name, void *buffer, size_t size) + const char *name, void *buffer, size_t size, + int flags) { struct v9fs_session_info *v9ses; struct posix_acl *acl; diff --git a/fs/9p/xattr.c b/fs/9p/xattr.c index ac8ff8ca4c11..5cfa772452fd 100644 --- a/fs/9p/xattr.c +++ b/fs/9p/xattr.c @@ -139,7 +139,8 @@ ssize_t v9fs_listxattr(struct dentry *dentry, char *buffer, size_t buffer_size) static int v9fs_xattr_handler_get(const struct xattr_handler *handler, struct dentry *dentry, struct inode *inode, - const char *name, void *buffer, size_t size) + const char *name, void *buffer, size_t size, + int flags) { const char *full_name = xattr_full_name(handler, name); diff --git a/fs/afs/xattr.c b/fs/afs/xattr.c index 5552d034090a..e6509c21f08a 100644 --- a/fs/afs/xattr.c +++ b/fs/afs/xattr.c @@ -334,7 +334,7 @@ static const