Re: [f2fs-dev] [PATCH v15 1/4] Add flags option to get xattr method paired to __vfs_getxattr

[Mark Salyzyn via Linux-f2fs-devel]

On 11/5/19 1:48 AM, Jan Kara wrote:

@@ -228,11 +228,11 @@ static int afs_xattr_get_yfs(const struct xattr_handler 
*handler,
break;
case 1:
data = buf;
-   dsize = snprintf(buf, sizeof(buf), "%u", yacl->inherit_flag);
+   dsize = scnprintf(buf, sizeof(buf), "%u", yacl->inherit_flag);
break;
case 2:
data = buf;
-   dsize = snprintf(buf, sizeof(buf), "%u", yacl->num_cleaned);
+   dsize = scnprintf(buf, sizeof(buf), "%u", yacl->num_cleaned);
break;
case 3:

These scnprintf() changes (and there are more in the patch) probably
shouldn't be here... Otherwise the patch still looks good to me :).

Honza

Good catch, they were done in locality, I forgot about them, this patch 
series has been living for almost a year now and time has become its 
enemy ... will spin this as a separate patch. They strike as a security 
issue with the possibility of fragile UAF when the code is maintained by 
future selves.


-- Mark



___
Linux-f2fs-devel mailing list
Linux-f2fs-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel

[f2fs-dev] [PATCH v15 1/4] Add flags option to get xattr method paired to __vfs_getxattr

[Mark Salyzyn via Linux-f2fs-devel]

From: Mark Salyzyn 

Add a flag option to get xattr method that could have a bit flag of
XATTR_NOSECURITY passed to it.  XATTR_NOSECURITY is generally then
set in the __vfs_getxattr path when called by security
infrastructure.

This handles the case of a union filesystem driver that is being
requested by the security layer to report back the xattr data.

For the use case where access is to be blocked by the security layer.

The path then could be security(dentry) ->
__vfs_getxattr(dentry...XATTR_NOSECURITY) ->
handler->get(dentry...XATTR_NOSECURITY) ->
__vfs_getxattr(lower_dentry...XATTR_NOSECURITY) ->
lower_handler->get(lower_dentry...XATTR_NOSECURITY)
which would report back through the chain data and success as
expected, the logging security layer at the top would have the
data to determine the access permissions and report back the target
context that was blocked.

Without the get handler flag, the path on a union filesystem would be
the errant security(dentry) -> __vfs_getxattr(dentry) ->
handler->get(dentry) -> vfs_getxattr(lower_dentry) -> nested ->
security(lower_dentry, log off) -> lower_handler->get(lower_dentry)
which would report back through the chain no data, and -EACCES.

For selinux for both cases, this would translate to a correctly
determined blocked access. In the first case with this change a correct avc
log would be reported, in the second legacy case an incorrect avc log
would be reported against an uninitialized u:object_r:unlabeled:s0
context making the logs cosmetically useless for audit2allow.

This patch series is inert and is the wide-spread addition of the
flags option for xattr functions, and a replacement of __vfs_getxattr
with __vfs_getxattr(...XATTR_NOSECURITY).

Signed-off-by: Mark Salyzyn 
Reviewed-by: Jan Kara 
Acked-by: Jan Kara 
Acked-by: Jeff Layton 
Acked-by: David Sterba 
Acked-by: Darrick J. Wong 
Acked-by: Mike Marshall 
Cc: Stephen Smalley 
Cc: linux-ker...@vger.kernel.org
Cc: kernel-t...@android.com
Cc: linux-security-mod...@vger.kernel.org

v15
- revert back to v4 as struct xattr_gs_args was not acceptable by the
  wider audience. Incorporate any relevant fixes on the way.

v14 (new series):
- Reincorporate back into the bugfix series for overlayfs

v8:
- Documentation reported 'struct xattr_gs_flags' rather than
'struct xattr_gs_flags *args' as argument to get and set methods.

v7:
- missed spots in fs/9p/acl.c, fs/afs/xattr.c, fs/ecryptfs/crypto.c,
fs/ubifs/xattr.c, fs/xfs/libxfs/xfs_attr.c,
security/integrity/evm/evm_main.c and security/smack/smack_lsm.c.

v6:
- kernfs missed a spot

v5:
- introduce struct xattr_gs_args for get and set methods,
__vfs_getxattr and __vfs_setxattr functions.
- cover a missing spot in ext2.
- switch from snprintf to scnprintf for correctness.

v4:
- ifdef __KERNEL__ around XATTR_NOSECURITY to
keep it colocated in uapi headers.

v3:
- poor aim on ubifs not ubifs_xattr_get, but static xattr_get

v2:
- Missed a spot: ubifs, erofs and afs.

v1:
- Removed from an overlayfs patch set, and made independent.
  Expect this to be the basis of some security improvements.
---
 Documentation/filesystems/locking.rst |  2 +-
 fs/9p/acl.c   |  3 ++-
 fs/9p/xattr.c |  3 ++-
 fs/afs/xattr.c| 26 ++-
 fs/btrfs/xattr.c  |  3 ++-
 fs/ceph/xattr.c   |  3 ++-
 fs/cifs/xattr.c   |  2 +-
 fs/ecryptfs/inode.c   |  6 +++--
 fs/ecryptfs/mmap.c|  2 +-
 fs/erofs/xattr.c  |  3 ++-
 fs/ext2/xattr_security.c  |  2 +-
 fs/ext2/xattr_trusted.c   |  2 +-
 fs/ext2/xattr_user.c  |  2 +-
 fs/ext4/xattr_security.c  |  2 +-
 fs/ext4/xattr_trusted.c   |  2 +-
 fs/ext4/xattr_user.c  |  2 +-
 fs/f2fs/xattr.c   |  4 +--
 fs/fuse/xattr.c   |  4 +--
 fs/gfs2/xattr.c   |  3 ++-
 fs/hfs/attr.c |  2 +-
 fs/hfsplus/xattr.c|  3 ++-
 fs/hfsplus/xattr_security.c   |  3 ++-
 fs/hfsplus/xattr_trusted.c|  3 ++-
 fs/hfsplus/xattr_user.c   |  3 ++-
 fs/jffs2/security.c   |  3 ++-
 fs/jffs2/xattr_trusted.c  |  3 ++-
 fs/jffs2/xattr_user.c |  3 ++-
 fs/jfs/xattr.c|  5 ++--
 fs/kernfs/inode.c |  3 ++-
 fs/nfs/nfs4proc.c |  6 +++--
 fs/ocfs2/xattr.c  |  9 ---
 fs/orangefs/xattr.c   |  3 ++-
 fs/overlayfs/super.c  |  8 +++---
 fs/posix_acl.c|  2 +-
 fs/reiserfs/xattr_security.c  |  3 ++-
 fs/reiserfs/xattr_trusted.c   |  3 ++-
 fs/reiserfs/xattr_user.c  |  3 ++-
 fs/squashfs/xattr.c   |  2 +-
 fs/ubifs/xattr.c  |  3 ++-
 fs/xattr.c  

[f2fs-dev] [PATCH v14 1/5] Add flags option to get xattr method paired to __vfs_getxattr

[Mark Salyzyn via Linux-f2fs-devel]

Replace arguments for get and set xattr methods, and __vfs_getxattr
and __vfs_setaxtr functions with a reference to the following now
common argument structure:

struct xattr_gs_args {
struct dentry *dentry;
struct inode *inode;
const char *name;
union {
void *buffer;
const void *value;
};
size_t size;
int flags;
};

Which in effect adds a flags option to the get method and
__vfs_getxattr function.

Add a flag option to get xattr method that has bit flag of
XATTR_NOSECURITY passed to it.  XATTR_NOSECURITY is generally then
set in the __vfs_getxattr path when called by security
infrastructure.

This handles the case of a union filesystem driver that is being
requested by the security layer to report back the xattr data.

For the use case where access is to be blocked by the security layer.

The path then could be security(dentry) ->
__vfs_getxattr({dentry...XATTR_NOSECURITY}) ->
handler->get({dentry...XATTR_NOSECURITY}) ->
__vfs_getxattr({lower_dentry...XATTR_NOSECURITY}) ->
lower_handler->get({lower_dentry...XATTR_NOSECURITY})
which would report back through the chain data and success as
expected, the logging security layer at the top would have the
data to determine the access permissions and report back the target
context that was blocked.

Without the get handler flag, the path on a union filesystem would be
the errant security(dentry) -> __vfs_getxattr(dentry) ->
handler->get(dentry) -> vfs_getxattr(lower_dentry) -> nested ->
security(lower_dentry, log off) -> lower_handler->get(lower_dentry)
which would report back through the chain no data, and -EACCES.

For selinux for both cases, this would translate to a correctly
determined blocked access. In the first case with this change a correct avc
log would be reported, in the second legacy case an incorrect avc log
would be reported against an uninitialized u:object_r:unlabeled:s0
context making the logs cosmetically useless for audit2allow.

This patch series is inert and is the wide-spread addition of the
flags option for xattr functions, and a replacement of __vfs_getxattr
with __vfs_getxattr({...XATTR_NOSECURITY}).

Signed-off-by: Mark Salyzyn 
Reviewed-by: Jan Kara 
Acked-by: Jan Kara 
Acked-by: Jeff Layton 
Acked-by: David Sterba 
Acked-by: Darrick J. Wong 
Acked-by: Mike Marshall 
Cc: Stephen Smalley 
Cc: linux-ker...@vger.kernel.org
Cc: kernel-t...@android.com
Cc: linux-security-mod...@vger.kernel.org

---
v14 (new series):
- Reincorporate back into the bugfix series for overlayfs

v8:
- Documentation reported 'struct xattr_gs_flags' rather than
  'struct xattr_gs_flags *args' as argument to get and set methods.

v7:
- missed spots in fs/9p/acl.c, fs/afs/xattr.c, fs/ecryptfs/crypto.c,
  fs/ubifs/xattr.c, fs/xfs/libxfs/xfs_attr.c,
  security/integrity/evm/evm_main.c and security/smack/smack_lsm.c.

v6:
- kernfs missed a spot

v5:
- introduce struct xattr_gs_args for get and set methods,
  __vfs_getxattr and __vfs_setxattr functions.
- cover a missing spot in ext2.
- switch from snprintf to scnprintf for correctness.

v4:
- ifdef __KERNEL__ around XATTR_NOSECURITY to
  keep it colocated in uapi headers.

v3:
- poor aim on ubifs not ubifs_xattr_get, but static xattr_get

v2:
- Missed a spot: ubifs, erofs and afs.

v1:
- Removed from an overlayfs patch set, and made independent.
  Expect this to be the basis of some security improvements.

---
 Documentation/filesystems/locking.rst |  10 +--
 fs/9p/acl.c   |  51 ++--
 fs/9p/xattr.c |  19 ++---
 fs/afs/xattr.c| 112 --
 fs/btrfs/xattr.c  |  36 -
 fs/ceph/xattr.c   |  17 ++--
 fs/cifs/xattr.c   |  72 +
 fs/ecryptfs/crypto.c  |  20 +++--
 fs/ecryptfs/inode.c   |  36 +
 fs/ecryptfs/mmap.c|  39 -
 fs/erofs/xattr.c  |   8 +-
 fs/ext2/xattr_security.c  |  16 ++--
 fs/ext2/xattr_trusted.c   |  15 ++--
 fs/ext2/xattr_user.c  |  19 ++---
 fs/ext4/xattr_security.c  |  15 ++--
 fs/ext4/xattr_trusted.c   |  15 ++--
 fs/ext4/xattr_user.c  |  19 ++---
 fs/f2fs/xattr.c   |  42 +-
 fs/fuse/xattr.c   |  23 +++---
 fs/gfs2/xattr.c   |  18 ++---
 fs/hfs/attr.c |  15 ++--
 fs/hfsplus/xattr.c|  17 ++--
 fs/hfsplus/xattr_security.c   |  13 ++-
 fs/hfsplus/xattr_trusted.c|  13 ++-
 fs/hfsplus/xattr_user.c   |  13 ++-
 fs/jffs2/security.c   |  16 ++--
 fs/jffs2/xattr_trusted.c  |  16 ++--
 fs/jffs2/xattr_user.c |  16 ++--
 fs/jfs/xattr.c|  33 
 fs/kernfs/inode.c  

Re: [f2fs-dev] [PATCH v8] Add flags option to get xattr method paired to __vfs_getxattr

[Mark Salyzyn via Linux-f2fs-devel]

On 8/28/19 7:24 AM, Christoph Hellwig wrote:

On Tue, Aug 27, 2019 at 08:05:15AM -0700, Mark Salyzyn wrote:

Replace arguments for get and set xattr methods, and __vfs_getxattr
and __vfs_setaxtr functions with a reference to the following now
common argument structure:

Yikes.  That looks like a mess.  Why can't we pass a kernel-only
flag in the existing flags field for ₋>set and add a flags field
to ->get?  Passing methods by structure always tends to be a mess.


This was a response to GregKH@ criticism, an earlier patch set just 
added a flag as you stated to get method, until complaints of an 
excessively long argument list and fragility to add or change more 
arguments.


So many ways have been tried to skin this cat ... the risk was taken to 
please some, and we now have hundreds of stakeholders, when the first 
patch set was less than a dozen. A recipe for failure?


-- Mark



___
Linux-f2fs-devel mailing list
Linux-f2fs-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel

[f2fs-dev] [PATCH v8] Add flags option to get xattr method paired to __vfs_getxattr

[Mark Salyzyn via Linux-f2fs-devel]

Replace arguments for get and set xattr methods, and __vfs_getxattr
and __vfs_setaxtr functions with a reference to the following now
common argument structure:

struct xattr_gs_args {
struct dentry *dentry;
struct inode *inode;
const char *name;
union {
void *buffer;
const void *value;
};
size_t size;
int flags;
};

Which in effect adds a flags option to the get method and
__vfs_getxattr function.

Add a flag option to get xattr method that has bit flag of
XATTR_NOSECURITY passed to it.  XATTR_NOSECURITY is generally then
set in the __vfs_getxattr path when called by security
infrastructure.

This handles the case of a union filesystem driver that is being
requested by the security layer to report back the xattr data.

For the use case where access is to be blocked by the security layer.

The path then could be security(dentry) ->
__vfs_getxattr({dentry...XATTR_NOSECURITY}) ->
handler->get({dentry...XATTR_NOSECURITY}) ->
__vfs_getxattr({lower_dentry...XATTR_NOSECURITY}) ->
lower_handler->get({lower_dentry...XATTR_NOSECURITY})
which would report back through the chain data and success as
expected, the logging security layer at the top would have the
data to determine the access permissions and report back the target
context that was blocked.

Without the get handler flag, the path on a union filesystem would be
the errant security(dentry) -> __vfs_getxattr(dentry) ->
handler->get(dentry) -> vfs_getxattr(lower_dentry) -> nested ->
security(lower_dentry, log off) -> lower_handler->get(lower_dentry)
which would report back through the chain no data, and -EACCES.

For selinux for both cases, this would translate to a correctly
determined blocked access. In the first case with this change a correct avc
log would be reported, in the second legacy case an incorrect avc log
would be reported against an uninitialized u:object_r:unlabeled:s0
context making the logs cosmetically useless for audit2allow.

This patch series is inert and is the wide-spread addition of the
flags option for xattr functions, and a replacement of __vfs_getxattr
with __vfs_getxattr({...XATTR_NOSECURITY}).

Signed-off-by: Mark Salyzyn 
Reviewed-by: Jan Kara 
Cc: Stephen Smalley 
Cc: linux-ker...@vger.kernel.org
Cc: kernel-t...@android.com
Cc: linux-security-mod...@vger.kernel.org
Cc: sta...@vger.kernel.org # 4.4, 4.9, 4.14 & 4.19
---
v8:
- Documentation reported 'struct xattr_gs_flags' rather than
  'struct xattr_gs_flags *args' as argument to get and set methods.

v7:
- missed spots in fs/9p/acl.c, fs/afs/xattr.c, fs/ecryptfs/crypto.c,
  fs/ubifs/xattr.c, fs/xfs/libxfs/xfs_attr.c,
  security/integrity/evm/evm_main.c and security/smack/smack_lsm.c.

v6:
- kernfs missed a spot

v5:
- introduce struct xattr_gs_args for get and set methods,
  __vfs_getxattr and __vfs_setxattr functions.
- cover a missing spot in ext2.
- switch from snprintf to scnprintf for correctness.

v4:
- ifdef __KERNEL__ around XATTR_NOSECURITY to
  keep it colocated in uapi headers.

v3:
- poor aim on ubifs not ubifs_xattr_get, but static xattr_get

v2:
- Missed a spot: ubifs, erofs and afs.

v1:
- Removed from an overlayfs patch set, and made independent.
  Expect this to be the basis of some security improvements.
---
 Documentation/filesystems/Locking |  10 ++-
 drivers/staging/erofs/xattr.c |   8 +--
 fs/9p/acl.c   |  51 +++---
 fs/9p/xattr.c |  19 +++--
 fs/afs/xattr.c| 112 +-
 fs/btrfs/xattr.c  |  36 +-
 fs/ceph/xattr.c   |  40 +--
 fs/cifs/xattr.c   |  72 +--
 fs/ecryptfs/crypto.c  |  20 +++---
 fs/ecryptfs/inode.c   |  36 ++
 fs/ecryptfs/mmap.c|  39 ++-
 fs/ext2/xattr_security.c  |  16 ++---
 fs/ext2/xattr_trusted.c   |  15 ++--
 fs/ext2/xattr_user.c  |  19 +++--
 fs/ext4/xattr_security.c  |  15 ++--
 fs/ext4/xattr_trusted.c   |  15 ++--
 fs/ext4/xattr_user.c  |  19 +++--
 fs/f2fs/xattr.c   |  42 +--
 fs/fuse/xattr.c   |  23 +++---
 fs/gfs2/xattr.c   |  18 ++---
 fs/hfs/attr.c |  15 ++--
 fs/hfsplus/xattr.c|  17 +++--
 fs/hfsplus/xattr_security.c   |  13 ++--
 fs/hfsplus/xattr_trusted.c|  13 ++--
 fs/hfsplus/xattr_user.c   |  13 ++--
 fs/jffs2/security.c   |  16 ++---
 fs/jffs2/xattr_trusted.c  |  16 ++---
 fs/jffs2/xattr_user.c |  16 ++---
 fs/jfs/xattr.c|  33 -
 fs/kernfs/inode.c |  23 +++---
 fs/nfs/nfs4proc.c |  28 
 fs/ocfs2/xattr.c  |  52 ++
 fs/orangefs/xattr.c   |  19 ++---
 fs/overlayfs/inode.c  |  43 ++--
 

Re: [f2fs-dev] [PATCH v7] Add flags option to get xattr method paired to __vfs_getxattr

[Mark Salyzyn via Linux-f2fs-devel]

On 8/27/19 7:19 AM, Jan Kara wrote:

On Tue 20-08-19 11:06:48, Mark Salyzyn wrote:

diff --git a/Documentation/filesystems/Locking 
b/Documentation/filesystems/Locking
index 204dd3ea36bb..e2687f21c7d6 100644
--- a/Documentation/filesystems/Locking
+++ b/Documentation/filesystems/Locking
@@ -101,12 +101,10 @@ of the locking scheme for directory operations.
  --- xattr_handler operations ---
  prototypes:
bool (*list)(struct dentry *dentry);
-   int (*get)(const struct xattr_handler *handler, struct dentry *dentry,
-  struct inode *inode, const char *name, void *buffer,
-  size_t size);
-   int (*set)(const struct xattr_handler *handler, struct dentry *dentry,
-  struct inode *inode, const char *name, const void *buffer,
-  size_t size, int flags);
+   int (*get)(const struct xattr_handler *handler,
+  struct xattr_gs_flags);
+   int (*set)(const struct xattr_handler *handler,
+  struct xattr_gs_flags);

The prototype here is really "struct xattr_gs_flags *args", isn't it?
Otherwise feel free to add:

Reviewed-by: Jan Kara 

for the ext2, ext4, ocfs2, reiserfs, and the generic fs/* bits.

Honza


 Thanks and good catch, will respin with a fix to the 
documentation shortly.


-- Mark



___
Linux-f2fs-devel mailing list
Linux-f2fs-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel

[f2fs-dev] [PATCH v7] Add flags option to get xattr method paired to __vfs_getxattr

[Mark Salyzyn via Linux-f2fs-devel]

Replace arguments for get and set xattr methods, and __vfs_getxattr
and __vfs_setaxtr functions with a reference to the following now
common argument structure:

struct xattr_gs_args {
struct dentry *dentry;
struct inode *inode;
const char *name;
union {
void *buffer;
const void *value;
};
size_t size;
int flags;
};

Which in effect adds a flags option to the get method and
__vfs_getxattr function.

Add a flag option to get xattr method that has bit flag of
XATTR_NOSECURITY passed to it.  XATTR_NOSECURITY is generally then
set in the __vfs_getxattr path when called by security
infrastructure.

This handles the case of a union filesystem driver that is being
requested by the security layer to report back the xattr data.

For the use case where access is to be blocked by the security layer.

The path then could be security(dentry) ->
__vfs_getxattr({dentry...XATTR_NOSECURITY}) ->
handler->get({dentry...XATTR_NOSECURITY}) ->
__vfs_getxattr({lower_dentry...XATTR_NOSECURITY}) ->
lower_handler->get({lower_dentry...XATTR_NOSECURITY})
which would report back through the chain data and success as
expected, the logging security layer at the top would have the
data to determine the access permissions and report back the target
context that was blocked.

Without the get handler flag, the path on a union filesystem would be
the errant security(dentry) -> __vfs_getxattr(dentry) ->
handler->get(dentry) -> vfs_getxattr(lower_dentry) -> nested ->
security(lower_dentry, log off) -> lower_handler->get(lower_dentry)
which would report back through the chain no data, and -EACCES.

For selinux for both cases, this would translate to a correctly
determined blocked access. In the first case with this change a correct avc
log would be reported, in the second legacy case an incorrect avc log
would be reported against an uninitialized u:object_r:unlabeled:s0
context making the logs cosmetically useless for audit2allow.

This patch series is inert and is the wide-spread addition of the
flags option for xattr functions, and a replacement of __vfs_getxattr
with __vfs_getxattr({...XATTR_NOSECURITY}).

Signed-off-by: Mark Salyzyn 
Cc: Stephen Smalley 
Cc: linux-ker...@vger.kernel.org
Cc: kernel-t...@android.com
Cc: linux-security-mod...@vger.kernel.org
Cc: sta...@vger.kernel.org # 4.4, 4.9, 4.14 & 4.19
---
v7:
- missed spots in fs/9p/acl.c, fs/afs/xattr.c, fs/ecryptfs/crypto.c,
  fs/ubifs/xattr.c, fs/xfs/libxfs/xfs_attr.c,
  security/integrity/evm/evm_main.c and security/smack/smack_lsm.c.

v6:
- kernfs missed a spot

v5:
- introduce struct xattr_gs_args for get and set methods,
  __vfs_getxattr and __vfs_setxattr functions.
- cover a missing spot in ext2.
- switch from snprintf to scnprintf for correctness.

v4:
- ifdef __KERNEL__ around XATTR_NOSECURITY to
  keep it colocated in uapi headers.

v3:
- poor aim on ubifs not ubifs_xattr_get, but static xattr_get

v2:
- Missed a spot: ubifs, erofs and afs.

v1:
- Removed from an overlayfs patch set, and made independent.
  Expect this to be the basis of some security improvements.

a

a
---
 Documentation/filesystems/Locking |  10 ++-
 drivers/staging/erofs/xattr.c |   8 +--
 fs/9p/acl.c   |  51 +++---
 fs/9p/xattr.c |  19 +++--
 fs/afs/xattr.c| 112 +-
 fs/btrfs/xattr.c  |  36 +-
 fs/ceph/xattr.c   |  40 +--
 fs/cifs/xattr.c   |  72 +--
 fs/ecryptfs/crypto.c  |  20 +++---
 fs/ecryptfs/inode.c   |  36 ++
 fs/ecryptfs/mmap.c|  39 ++-
 fs/ext2/xattr_security.c  |  16 ++---
 fs/ext2/xattr_trusted.c   |  15 ++--
 fs/ext2/xattr_user.c  |  19 +++--
 fs/ext4/xattr_security.c  |  15 ++--
 fs/ext4/xattr_trusted.c   |  15 ++--
 fs/ext4/xattr_user.c  |  19 +++--
 fs/f2fs/xattr.c   |  42 +--
 fs/fuse/xattr.c   |  23 +++---
 fs/gfs2/xattr.c   |  18 ++---
 fs/hfs/attr.c |  15 ++--
 fs/hfsplus/xattr.c|  17 +++--
 fs/hfsplus/xattr_security.c   |  13 ++--
 fs/hfsplus/xattr_trusted.c|  13 ++--
 fs/hfsplus/xattr_user.c   |  13 ++--
 fs/jffs2/security.c   |  16 ++---
 fs/jffs2/xattr_trusted.c  |  16 ++---
 fs/jffs2/xattr_user.c |  16 ++---
 fs/jfs/xattr.c|  33 -
 fs/kernfs/inode.c |  23 +++---
 fs/nfs/nfs4proc.c |  28 
 fs/ocfs2/xattr.c  |  52 ++
 fs/orangefs/xattr.c   |  19 ++---
 fs/overlayfs/inode.c  |  43 ++--
 fs/overlayfs/overlayfs.h  |   6 +-
 fs/overlayfs/super.c  |  53 ++
 fs/posix_acl.c|  23 +++---
 

[f2fs-dev] [PATCH v6] Add flags option to get xattr method paired to __vfs_getxattr

[Mark Salyzyn via Linux-f2fs-devel]

Replace arguments for get and set xattr methods, and __vfs_getxattr
and __vfs_setaxtr functions with a reference to the following now
common argument structure:

struct xattr_gs_args {
struct dentry *dentry;
struct inode *inode;
const char *name;
union {
void *buffer;
const void *value;
};
size_t size;
int flags;
};

Which in effect adds a flags option to the get method and
__vfs_getxattr function.

Add a flag option to get xattr method that has bit flag of
XATTR_NOSECURITY passed to it.  XATTR_NOSECURITY is generally then
set in the __vfs_getxattr path when called by security
infrastructure.

This handles the case of a union filesystem driver that is being
requested by the security layer to report back the xattr data.

For the use case where access is to be blocked by the security layer.

The path then could be security(dentry) ->
__vfs_getxattr({dentry...XATTR_NOSECURITY}) ->
handler->get({dentry...XATTR_NOSECURITY}) ->
__vfs_getxattr({lower_dentry...XATTR_NOSECURITY}) ->
lower_handler->get({lower_dentry...XATTR_NOSECURITY})
which would report back through the chain data and success as
expected, the logging security layer at the top would have the
data to determine the access permissions and report back the target
context that was blocked.

Without the get handler flag, the path on a union filesystem would be
the errant security(dentry) -> __vfs_getxattr(dentry) ->
handler->get(dentry) -> vfs_getxattr(lower_dentry) -> nested ->
security(lower_dentry, log off) -> lower_handler->get(lower_dentry)
which would report back through the chain no data, and -EACCES.

For selinux for both cases, this would translate to a correctly
determined blocked access. In the first case with this change a correct avc
log would be reported, in the second legacy case an incorrect avc log
would be reported against an uninitialized u:object_r:unlabeled:s0
context making the logs cosmetically useless for audit2allow.

This patch series is inert and is the wide-spread addition of the
flags option for xattr functions, and a replacement of __vfs_getxattr
with __vfs_getxattr({...XATTR_NOSECURITY}).

Signed-off-by: Mark Salyzyn 
Cc: Stephen Smalley 
Cc: linux-ker...@vger.kernel.org
Cc: kernel-t...@android.com
Cc: linux-security-mod...@vger.kernel.org
Cc: sta...@vger.kernel.org # 4.4, 4.9, 4.14 & 4.19
---
v6:
- kernfs missed a spot

v5:
- introduce struct xattr_gs_args for get and set methods,
  __vfs_getxattr and __vfs_setxattr functions.
- cover a missing spot in ext2.
- switch from snprintf to scnprintf for correctness.

v4:
- ifdef __KERNEL__ around XATTR_NOSECURITY to
  keep it colocated in uapi headers.

v3:
- poor aim on ubifs not ubifs_xattr_get, but static xattr_get

v2:
- Missed a spot: ubifs, erofs and afs.

v1:
- Removed from an overlayfs patch set, and made independent.
  Expect this to be the basis of some security improvements.

a
---
 Documentation/filesystems/Locking |  10 ++-
 drivers/staging/erofs/xattr.c |   8 +--
 fs/9p/acl.c   |  37 +-
 fs/9p/xattr.c |  19 +++--
 fs/afs/xattr.c| 110 +
 fs/btrfs/xattr.c  |  36 +-
 fs/ceph/xattr.c   |  40 +--
 fs/cifs/xattr.c   |  72 +--
 fs/ecryptfs/crypto.c  |  20 +++---
 fs/ecryptfs/inode.c   |  36 ++
 fs/ecryptfs/mmap.c|  39 ++-
 fs/ext2/xattr_security.c  |  16 ++---
 fs/ext2/xattr_trusted.c   |  15 ++--
 fs/ext2/xattr_user.c  |  19 +++--
 fs/ext4/xattr_security.c  |  15 ++--
 fs/ext4/xattr_trusted.c   |  15 ++--
 fs/ext4/xattr_user.c  |  19 +++--
 fs/f2fs/xattr.c   |  42 +--
 fs/fuse/xattr.c   |  23 +++---
 fs/gfs2/xattr.c   |  18 ++---
 fs/hfs/attr.c |  15 ++--
 fs/hfsplus/xattr.c|  17 +++--
 fs/hfsplus/xattr_security.c   |  13 ++--
 fs/hfsplus/xattr_trusted.c|  13 ++--
 fs/hfsplus/xattr_user.c   |  13 ++--
 fs/jffs2/security.c   |  16 ++---
 fs/jffs2/xattr_trusted.c  |  16 ++---
 fs/jffs2/xattr_user.c |  16 ++---
 fs/jfs/xattr.c|  33 -
 fs/kernfs/inode.c |  23 +++---
 fs/nfs/nfs4proc.c |  28 
 fs/ocfs2/xattr.c  |  52 ++
 fs/orangefs/xattr.c   |  19 ++---
 fs/overlayfs/inode.c  |  43 ++--
 fs/overlayfs/overlayfs.h  |   6 +-
 fs/overlayfs/super.c  |  53 ++
 fs/posix_acl.c|  23 +++---
 fs/reiserfs/xattr.c   |   2 +-
 fs/reiserfs/xattr_security.c  |  22 +++---
 fs/reiserfs/xattr_trusted.c   |  22 +++---
 fs/reiserfs/xattr_user.c  |  22 +++---
 

[f2fs-dev] [PATCH v5] Add flags option to get xattr method paired to __vfs_getxattr

[Mark Salyzyn via Linux-f2fs-devel]

Replace arguments for get and set xattr methods, and __vfs_getxattr
and __vfs_setaxtr functions with a reference to the following
argument structure:

struct xattr_gs_args {
struct dentry *dentry;
struct inode *inode;
const char *name;
union {
void *buffer;
const void *value;
};
size_t size;
int flags;
};

Which in effect adds a flags option to the get method and
__vfs_getxattr function.

Add a flag option to get xattr method that has bit flag of
XATTR_NOSECURITY passed to it.  XATTR_NOSECURITY is generally then
set in the __vfs_getxattr path when called by security
infrastructure.

This handles the case of a union filesystem driver that is being
requested by the security layer to report back the xattr data.

For the use case where access is to be blocked by the security layer.

The path then could be security(dentry) ->
__vfs_getxattr({dentry...XATTR_NOSECURITY}) ->
handler->get({dentry...XATTR_NOSECURITY}) ->
__vfs_getxattr({lower_dentry...XATTR_NOSECURITY}) ->
lower_handler->get({lower_dentry...XATTR_NOSECURITY})
which would report back through the chain data and success as
expected, the logging security layer at the top would have the
data to determine the access permissions and report back the target
context that was blocked.

Without the get handler flag, the path on a union filesystem would be
the errant security(dentry) -> __vfs_getxattr(dentry) ->
handler->get(dentry) -> vfs_getxattr(lower_dentry) -> nested ->
security(lower_dentry, log off) -> lower_handler->get(lower_dentry)
which would report back through the chain no data, and -EACCES.

For selinux for both cases, this would translate to a correctly
determined blocked access. In the first case with this change a correct avc
log would be reported, in the second legacy case an incorrect avc log
would be reported against an uninitialized u:object_r:unlabeled:s0
context making the logs cosmetically useless for audit2allow.

This patch series is inert and is the wide-spread addition of the
flags option for xattr functions, and a replacement of __vfs_getxattr
with __vfs_getxattr({...XATTR_NOSECURITY}).

Signed-off-by: Mark Salyzyn 
Cc: Stephen Smalley 
Cc: linux-ker...@vger.kernel.org
Cc: kernel-t...@android.com
Cc: linux-security-mod...@vger.kernel.org
Cc: sta...@vger.kernel.org # 4.4, 4.9, 4.14 & 4.19
---
v5:
- introduce struct xattr_gs_args for get and set methods,
  __vfs_getxattr and __vfs_setxattr functions.
- cover a missing spot in ext2.
- switch from snprintf to scnprintf for correctness.

v4:
- ifdef __KERNEL__ around XATTR_NOSECURITY to
  keep it colocated in uapi headers.

v3:
- poor aim on ubifs not ubifs_xattr_get, but static xattr_get

v2:
- Missed a spot: ubifs, erofs and afs.

v1:
- Removed from an overlayfs patch set, and made independent.
  Expect this to be the basis of some security improvements.
---
 Documentation/filesystems/Locking |  10 ++-
 drivers/staging/erofs/xattr.c |   8 +--
 fs/9p/acl.c   |  37 +-
 fs/9p/xattr.c |  19 +++--
 fs/afs/xattr.c| 110 +
 fs/btrfs/xattr.c  |  36 +-
 fs/ceph/xattr.c   |  40 +--
 fs/cifs/xattr.c   |  72 +--
 fs/ecryptfs/crypto.c  |  20 +++---
 fs/ecryptfs/inode.c   |  36 ++
 fs/ecryptfs/mmap.c|  39 ++-
 fs/ext2/xattr_security.c  |  16 ++---
 fs/ext2/xattr_trusted.c   |  15 ++--
 fs/ext2/xattr_user.c  |  19 +++--
 fs/ext4/xattr_security.c  |  15 ++--
 fs/ext4/xattr_trusted.c   |  15 ++--
 fs/ext4/xattr_user.c  |  19 +++--
 fs/f2fs/xattr.c   |  42 +--
 fs/fuse/xattr.c   |  23 +++---
 fs/gfs2/xattr.c   |  18 ++---
 fs/hfs/attr.c |  15 ++--
 fs/hfsplus/xattr.c|  17 +++--
 fs/hfsplus/xattr_security.c   |  13 ++--
 fs/hfsplus/xattr_trusted.c|  13 ++--
 fs/hfsplus/xattr_user.c   |  13 ++--
 fs/jffs2/security.c   |  16 ++---
 fs/jffs2/xattr_trusted.c  |  16 ++---
 fs/jffs2/xattr_user.c |  16 ++---
 fs/jfs/xattr.c|  33 -
 fs/kernfs/inode.c |  21 +++---
 fs/nfs/nfs4proc.c |  28 
 fs/ocfs2/xattr.c  |  52 ++
 fs/orangefs/xattr.c   |  19 ++---
 fs/overlayfs/inode.c  |  43 ++--
 fs/overlayfs/overlayfs.h  |   6 +-
 fs/overlayfs/super.c  |  53 ++
 fs/posix_acl.c|  23 +++---
 fs/reiserfs/xattr.c   |   2 +-
 fs/reiserfs/xattr_security.c  |  22 +++---
 fs/reiserfs/xattr_trusted.c   |  22 +++---
 fs/reiserfs/xattr_user.c  |  22 +++---
 fs/squashfs/xattr.c   |  10 +--
 

Re: [f2fs-dev] [PATCH] Add flags option to get xattr method paired to __vfs_getxattr

[Mark Salyzyn via Linux-f2fs-devel]

On 8/15/19 3:27 PM, James Morris wrote:

On Thu, 15 Aug 2019, Mark Salyzyn wrote:


Good Idea, but using the same argument structure for set and get I would be
concerned about the loss of compiler protection for the buffer argument;

Agreed, I missed that.


Sadly, the pattern of

struct getxattr_args args;

memset(, 0, sizeof(args));

args. = ...

__vfs_getxattr(};

...

__vfs_setxattr();

would be nice, so maybe we need to cool our jets and instead:

struct xattr_gs_args {
struct dentry *dentry;
struct inode *inode;
const char *name;
union {
void *buffer;
const void *value;
};
size_t size;
int flags;
};

value _must_ be referenced for all setxattr operations, buffer for getxattr 
operations (how can we enforce that?).


struct getxattr_args {
struct dentry *dentry;
struct inode *inode;
const char *name;
void *buffer;
size_t size;
int flags;

Does 'get' need flags?

:-) That was the _whole_ point of the patch, flags is how we pass in the 
recursion so that a security/internal getxattr call has the rights to 
acquire the data in the lower layer(s).


-- Mark



___
Linux-f2fs-devel mailing list
Linux-f2fs-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel

[f2fs-dev] [PATCH v4] Add flags option to get xattr method paired to __vfs_getxattr

[Mark Salyzyn via Linux-f2fs-devel]

Add a flag option to get xattr method that could have a bit flag of
XATTR_NOSECURITY passed to it.  XATTR_NOSECURITY is generally then
set in the __vfs_getxattr path.

This handles the case of a union filesystem driver that is being
requested by the security layer to report back the xattr data.

For the use case where access is to be blocked by the security layer.

The path then could be security(dentry) ->
__vfs_getxattr(dentry...XATTR_NOSECUIRTY) ->
handler->get(dentry...XATTR_NOSECURITY) ->
__vfs_getxattr(lower_dentry...XATTR_NOSECUIRTY) ->
lower_handler->get(lower_dentry...XATTR_NOSECUIRTY)
which would report back through the chain data and success as
expected, the logging security layer at the top would have the
data to determine the access permissions and report back the target
context that was blocked.

Without the get handler flag, the path on a union filesystem would be
the errant security(dentry) -> __vfs_getxattr(dentry) ->
handler->get(dentry) -> vfs_getxattr(lower_dentry) -> nested ->
security(lower_dentry, log off) -> lower_handler->get(lower_dentry)
which would report back through the chain no data, and -EACCES.

For selinux for both cases, this would translate to a correctly
determined blocked access. In the first case with this change a correct avc
log would be reported, in the second legacy case an incorrect avc log
would be reported against an uninitialized u:object_r:unlabeled:s0
context making the logs cosmetically useless for audit2allow.

This patch series is inert and is the wide-spread addition of the
flags option for xattr functions, and a replacement of _vfs_getxattr
with __vfs_getxattr(...XATTR_NOSECURITY).

Signed-off-by: Mark Salyzyn 
Cc: Stephen Smalley 
Cc: linux-ker...@vger.kernel.org
Cc: kernel-t...@android.com
Cc: linux-security-mod...@vger.kernel.org
Cc: Jan Kara 
Cc: sta...@vger.kernel.org # 4.4, 4.9, 4.14 & 4.19
---
v4:
- ifdef __KERNEL__ around XATTR_NOSECURITY to
  keep it colocated in uapi headers.

v3:
- poor aim on ubifs not ubifs_xattr_get, but static xattr_get

v2:
- Missed a spot: ubifs, erofs and afs.

v1:
- Removed from an overlayfs patch set, and made independent.
  Expect this to be the basis of some security improvements.
---
 drivers/staging/erofs/xattr.c |  3 ++-
 fs/9p/acl.c   |  3 ++-
 fs/9p/xattr.c |  3 ++-
 fs/afs/xattr.c|  8 +++
 fs/btrfs/xattr.c  |  3 ++-
 fs/ceph/xattr.c   |  3 ++-
 fs/cifs/xattr.c   |  2 +-
 fs/ecryptfs/inode.c   |  6 --
 fs/ecryptfs/mmap.c|  2 +-
 fs/ext2/xattr_trusted.c   |  2 +-
 fs/ext2/xattr_user.c  |  2 +-
 fs/ext4/xattr_security.c  |  2 +-
 fs/ext4/xattr_trusted.c   |  2 +-
 fs/ext4/xattr_user.c  |  2 +-
 fs/f2fs/xattr.c   |  4 ++--
 fs/fuse/xattr.c   |  4 ++--
 fs/gfs2/xattr.c   |  3 ++-
 fs/hfs/attr.c |  2 +-
 fs/hfsplus/xattr.c|  3 ++-
 fs/hfsplus/xattr_trusted.c|  3 ++-
 fs/hfsplus/xattr_user.c   |  3 ++-
 fs/jffs2/security.c   |  3 ++-
 fs/jffs2/xattr_trusted.c  |  3 ++-
 fs/jffs2/xattr_user.c |  3 ++-
 fs/jfs/xattr.c|  5 +++--
 fs/kernfs/inode.c |  3 ++-
 fs/nfs/nfs4proc.c |  6 --
 fs/ocfs2/xattr.c  |  9 +---
 fs/orangefs/xattr.c   |  3 ++-
 fs/overlayfs/super.c  |  8 ---
 fs/posix_acl.c|  2 +-
 fs/reiserfs/xattr_security.c  |  3 ++-
 fs/reiserfs/xattr_trusted.c   |  3 ++-
 fs/reiserfs/xattr_user.c  |  3 ++-
 fs/squashfs/xattr.c   |  2 +-
 fs/ubifs/xattr.c  |  3 ++-
 fs/xattr.c| 36 +++
 fs/xfs/xfs_xattr.c|  3 ++-
 include/linux/xattr.h |  9 
 include/uapi/linux/xattr.h|  7 --
 mm/shmem.c|  3 ++-
 net/socket.c  |  3 ++-
 security/commoncap.c  |  6 --
 security/integrity/evm/evm_main.c |  3 ++-
 security/selinux/hooks.c  | 11 ++
 security/smack/smack_lsm.c|  5 +++--
 46 files changed, 126 insertions(+), 84 deletions(-)

diff --git a/drivers/staging/erofs/xattr.c b/drivers/staging/erofs/xattr.c
index df40654b9fbb..69440065432c 100644
--- a/drivers/staging/erofs/xattr.c
+++ b/drivers/staging/erofs/xattr.c
@@ -463,7 +463,8 @@ int erofs_getxattr(struct inode *inode, int index,
 
 static int erofs_xattr_generic_get(const struct xattr_handler *handler,
   struct dentry *unused, struct inode *inode,
-  const char *name, void *buffer, size_t size)
+  const char *name, void *buffer, size_t size,
+  int flags)
 {
struct 

[f2fs-dev] [PATCH v3] Add flags option to get xattr method paired to __vfs_getxattr

[Mark Salyzyn via Linux-f2fs-devel]

Add a flag option to get xattr method that could have a bit flag of
XATTR_NOSECURITY passed to it.  XATTR_NOSECURITY is generally then
set in the __vfs_getxattr path.

This handles the case of a union filesystem driver that is being
requested by the security layer to report back the xattr data.

For the use case where access is to be blocked by the security layer.

The path then could be security(dentry) ->
__vfs_getxattr(dentry...XATTR_NOSECUIRTY) ->
handler->get(dentry...XATTR_NOSECURITY) ->
__vfs_getxattr(lower_dentry...XATTR_NOSECUIRTY) ->
lower_handler->get(lower_dentry...XATTR_NOSECUIRTY)
which would report back through the chain data and success as
expected, the logging security layer at the top would have the
data to determine the access permissions and report back the target
context that was blocked.

Without the get handler flag, the path on a union filesystem would be
the errant security(dentry) -> __vfs_getxattr(dentry) ->
handler->get(dentry) -> vfs_getxattr(lower_dentry) -> nested ->
security(lower_dentry, log off) -> lower_handler->get(lower_dentry)
which would report back through the chain no data, and -EACCES.

For selinux for both cases, this would translate to a correctly
determined blocked access. In the first case with this change a correct avc
log would be reported, in the second legacy case an incorrect avc log
would be reported against an uninitialized u:object_r:unlabeled:s0
context making the logs cosmetically useless for audit2allow.

This patch series is inert and is the wide-spread addition of the
flags option for xattr functions, and a replacement of _vfs_getxattr
with __vfs_getxattr(...XATTR_NOSECURITY).

Signed-off-by: Mark Salyzyn 
Cc: Stephen Smalley 
Cc: linux-ker...@vger.kernel.org
Cc: kernel-t...@android.com
Cc: linux-security-mod...@vger.kernel.org
Cc: sta...@vger.kernel.org # 4.4, 4.9, 4.14 & 4.19
---
v3:
poor aim on ubifs not ubifs_xattr_get, but static xattr_get

v2:
Missed a spot: ubifs, erofs and afs.

v1:
Removed from an overlayfs patch set, and made independent.
Expect this to be the basis of some security improvements.
---
 drivers/staging/erofs/xattr.c |  3 ++-
 fs/9p/acl.c   |  3 ++-
 fs/9p/xattr.c |  3 ++-
 fs/afs/xattr.c|  8 +++
 fs/btrfs/xattr.c  |  3 ++-
 fs/ceph/xattr.c   |  3 ++-
 fs/cifs/xattr.c   |  2 +-
 fs/ecryptfs/inode.c   |  6 --
 fs/ecryptfs/mmap.c|  2 +-
 fs/ext2/xattr_trusted.c   |  2 +-
 fs/ext2/xattr_user.c  |  2 +-
 fs/ext4/xattr_security.c  |  2 +-
 fs/ext4/xattr_trusted.c   |  2 +-
 fs/ext4/xattr_user.c  |  2 +-
 fs/f2fs/xattr.c   |  4 ++--
 fs/fuse/xattr.c   |  4 ++--
 fs/gfs2/xattr.c   |  3 ++-
 fs/hfs/attr.c |  2 +-
 fs/hfsplus/xattr.c|  3 ++-
 fs/hfsplus/xattr_trusted.c|  3 ++-
 fs/hfsplus/xattr_user.c   |  3 ++-
 fs/jffs2/security.c   |  3 ++-
 fs/jffs2/xattr_trusted.c  |  3 ++-
 fs/jffs2/xattr_user.c |  3 ++-
 fs/jfs/xattr.c|  5 +++--
 fs/kernfs/inode.c |  3 ++-
 fs/nfs/nfs4proc.c |  6 --
 fs/ocfs2/xattr.c  |  9 +---
 fs/orangefs/xattr.c   |  3 ++-
 fs/overlayfs/super.c  |  8 ---
 fs/posix_acl.c|  2 +-
 fs/reiserfs/xattr_security.c  |  3 ++-
 fs/reiserfs/xattr_trusted.c   |  3 ++-
 fs/reiserfs/xattr_user.c  |  3 ++-
 fs/squashfs/xattr.c   |  2 +-
 fs/ubifs/xattr.c  |  3 ++-
 fs/xattr.c| 36 +++
 fs/xfs/xfs_xattr.c|  3 ++-
 include/linux/xattr.h |  9 
 include/uapi/linux/xattr.h|  5 +++--
 mm/shmem.c|  3 ++-
 net/socket.c  |  3 ++-
 security/commoncap.c  |  6 --
 security/integrity/evm/evm_main.c |  3 ++-
 security/selinux/hooks.c  | 11 ++
 security/smack/smack_lsm.c|  5 +++--
 46 files changed, 124 insertions(+), 84 deletions(-)

diff --git a/drivers/staging/erofs/xattr.c b/drivers/staging/erofs/xattr.c
index df40654b9fbb..69440065432c 100644
--- a/drivers/staging/erofs/xattr.c
+++ b/drivers/staging/erofs/xattr.c
@@ -463,7 +463,8 @@ int erofs_getxattr(struct inode *inode, int index,
 
 static int erofs_xattr_generic_get(const struct xattr_handler *handler,
   struct dentry *unused, struct inode *inode,
-  const char *name, void *buffer, size_t size)
+  const char *name, void *buffer, size_t size,
+  int flags)
 {
struct erofs_sb_info *const sbi = EROFS_I_SB(inode);
 
diff --git a/fs/9p/acl.c b/fs/9p/acl.c
index 

[f2fs-dev] [PATCH v2] Add flags option to get xattr method paired to __vfs_getxattr

[Mark Salyzyn via Linux-f2fs-devel]

Add a flag option to get xattr method that could have a bit flag of
XATTR_NOSECURITY passed to it.  XATTR_NOSECURITY is generally then
set in the __vfs_getxattr path.

This handles the case of a union filesystem driver that is being
requested by the security layer to report back the xattr data from a
lower layer.

For the use case where access is to be blocked by the security layer.

The path then could be security(dentry) ->
__vfs_getxattr(dentry...XATTR_NOSECUIRTY) ->
handler->get(dentry...XATTR_NOSECURITY) ->
__vfs_getxattr(lower_dentry...XATTR_NOSECUIRTY) ->
lower_handler->get(lower_dentry...XATTR_NOSECUIRTY)
which would report back through the chain data and success as
expected, the logging security layer at the top would have the
data to determine the access permissions and report back the target
context that was blocked.

Without the get handler flag, the path on a union filesystem would be
the errant security(dentry) -> __vfs_getxattr(dentry) ->
handler->get(dentry) -> vfs_getxattr(lower_dentry) -> nested ->
security(lower_dentry, log off) -> lower_handler->get(lower_dentry)
which would report back through the chain no data, and -EACCES.

For selinux for both cases, this would translate to a correctly
determined blocked access. In the first case with this change a correct avc
log would be reported, in the second legacy case an incorrect avc log
would be reported against an uninitialized u:object_r:unlabeled:s0
context making the logs cosmetically useless for audit2allow.

This patch series is inert and is the wide-spread addition of the
flags option for xattr functions, and a replacement of _vfs_getxattr
with __vfs_getxattr(...XATTR_NOSECURITY).

Signed-off-by: Mark Salyzyn 
Cc: Stephen Smalley 
Cc: linux-ker...@vger.kernel.org
Cc: kernel-t...@android.com
Cc: linux-security-mod...@vger.kernel.org
Cc: sta...@vger.kernel.org # 4.4, 4.9, 4.14 & 4.19
---
v2:
Missed a spot: ubifs, erofs and afs.

v1:
Removed from an overlayfs patch set, and made independent.
Expect this to be the basis of some security improvements.
---
 drivers/staging/erofs/xattr.c |  3 ++-
 fs/9p/acl.c   |  3 ++-
 fs/9p/xattr.c |  3 ++-
 fs/afs/xattr.c|  8 +++
 fs/btrfs/xattr.c  |  3 ++-
 fs/ceph/xattr.c   |  3 ++-
 fs/cifs/xattr.c   |  2 +-
 fs/ecryptfs/inode.c   |  6 --
 fs/ecryptfs/mmap.c|  2 +-
 fs/ext2/xattr_trusted.c   |  2 +-
 fs/ext2/xattr_user.c  |  2 +-
 fs/ext4/xattr_security.c  |  2 +-
 fs/ext4/xattr_trusted.c   |  2 +-
 fs/ext4/xattr_user.c  |  2 +-
 fs/f2fs/xattr.c   |  4 ++--
 fs/fuse/xattr.c   |  4 ++--
 fs/gfs2/xattr.c   |  3 ++-
 fs/hfs/attr.c |  2 +-
 fs/hfsplus/xattr.c|  3 ++-
 fs/hfsplus/xattr_trusted.c|  3 ++-
 fs/hfsplus/xattr_user.c   |  3 ++-
 fs/jffs2/security.c   |  3 ++-
 fs/jffs2/xattr_trusted.c  |  3 ++-
 fs/jffs2/xattr_user.c |  3 ++-
 fs/jfs/xattr.c|  5 +++--
 fs/kernfs/inode.c |  3 ++-
 fs/nfs/nfs4proc.c |  6 --
 fs/ocfs2/xattr.c  |  9 +---
 fs/orangefs/xattr.c   |  3 ++-
 fs/overlayfs/super.c  |  8 ---
 fs/posix_acl.c|  2 +-
 fs/reiserfs/xattr_security.c  |  3 ++-
 fs/reiserfs/xattr_trusted.c   |  3 ++-
 fs/reiserfs/xattr_user.c  |  3 ++-
 fs/squashfs/xattr.c   |  2 +-
 fs/ubifs/xattr.c  |  2 +-
 fs/xattr.c| 36 +++
 fs/xfs/xfs_xattr.c|  3 ++-
 include/linux/xattr.h |  9 
 include/uapi/linux/xattr.h|  5 +++--
 mm/shmem.c|  3 ++-
 net/socket.c  |  3 ++-
 security/commoncap.c  |  6 --
 security/integrity/evm/evm_main.c |  3 ++-
 security/selinux/hooks.c  | 11 ++
 security/smack/smack_lsm.c|  5 +++--
 46 files changed, 123 insertions(+), 84 deletions(-)

diff --git a/drivers/staging/erofs/xattr.c b/drivers/staging/erofs/xattr.c
index df40654b9fbb..69440065432c 100644
--- a/drivers/staging/erofs/xattr.c
+++ b/drivers/staging/erofs/xattr.c
@@ -463,7 +463,8 @@ int erofs_getxattr(struct inode *inode, int index,
 
 static int erofs_xattr_generic_get(const struct xattr_handler *handler,
   struct dentry *unused, struct inode *inode,
-  const char *name, void *buffer, size_t size)
+  const char *name, void *buffer, size_t size,
+  int flags)
 {
struct erofs_sb_info *const sbi = EROFS_I_SB(inode);
 
diff --git a/fs/9p/acl.c b/fs/9p/acl.c
index 6261719f6f2a..cb14e8b312bc 100644
--- a/fs/9p/acl.c
+++ b/fs/9p/acl.c
@@ 

Re: [f2fs-dev] [PATCH] Add flags option to get xattr method paired to __vfs_getxattr

[Mark Salyzyn via Linux-f2fs-devel]

On 8/13/19 1:48 AM, Greg Kroah-Hartman wrote:

On Mon, Aug 12, 2019 at 12:32:49PM -0700, Mark Salyzyn wrote:

--- a/include/linux/xattr.h
+++ b/include/linux/xattr.h
@@ -30,10 +30,10 @@ struct xattr_handler {
const char *prefix;
int flags;  /* fs private flags */
bool (*list)(struct dentry *dentry);
-   int (*get)(const struct xattr_handler *, struct dentry *dentry,
+   int (*get)(const struct xattr_handler *handler, struct dentry *dentry,
   struct inode *inode, const char *name, void *buffer,
-  size_t size);
-   int (*set)(const struct xattr_handler *, struct dentry *dentry,
+  size_t size, int flags);
+   int (*set)(const struct xattr_handler *handler, struct dentry *dentry,
   struct inode *inode, const char *name, const void *buffer,
   size_t size, int flags);

Wow, 7 arguments.  Isn't there some nice rule of thumb that says once
you get more then 5, a function becomes impossible to understand?


This is a method with a pot-pourri of somewhat intuitive useful, but not 
always necessary, arguments, the additional argument does not complicate 
the function(s) AFAIK, but maybe its usage. Most functions do not even 
reference handler, the inode is typically a derivative of dentry, The 
arguments most used are the name of the attribute and the buffer/size 
the results are to be placed into.


The addition of flags is actually a pattern borrowed from the [.]set 
method, which provides at least 32 bits of 'control' (of which we added 
only one). Before, it was an anti-pattern.



Surely this could be a structure passed in here somehow, that way when
you add the 8th argument in the future, you don't have to change
everything yet again?  :)
Just be happy I provided int flags, instead of bool no_security ;-> 
there are a few bits there that can be used in the future.

I don't have anything concrete to offer as a replacement fix for this,
but to me this just feels really wrong...


I went through 6 different alternatives (in the overlayfs security fix 
patch set) until I found this one that resonated with the security and 
filesystem stakeholders. The one was a direct result of trying to reduce 
the security attack surface. This code was created by threading a 
needle, and evolution. I am game for a 7th alternative to solve the 
unionfs set of recursive calls into acquiring the extended attributes.


-- Mark


___
Linux-f2fs-devel mailing list
Linux-f2fs-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel

[f2fs-dev] [PATCH] Add flags option to get xattr method paired to __vfs_getxattr

[Mark Salyzyn via Linux-f2fs-devel]

Add a flag option to get xattr method that could have a bit flag of
XATTR_NOSECURITY passed to it.  XATTR_NOSECURITY is generally then
set in the __vfs_getxattr path.

This handles the case of a union filesystem driver that is being
requested by the security layer to report back the xattr data.

For the use case where access is to be blocked by the security layer.

The path then could be security(dentry) ->
__vfs_getxattr(dentry...XATTR_NOSECUIRTY) ->
handler->get(dentry...XATTR_NOSECURITY) ->
__vfs_getxattr(lower_dentry...XATTR_NOSECUIRTY) ->
lower_handler->get(lower_dentry...XATTR_NOSECUIRTY)
which would report back through the chain data and success as
expected, the logging security layer at the top would have the
data to determine the access permissions and report back the target
context that was blocked.

Without the get handler flag, the path on a union filesystem would be
the errant security(dentry) -> __vfs_getxattr(dentry) ->
handler->get(dentry) -> vfs_getxattr(lower_dentry) -> nested ->
security(lower_dentry, log off) -> lower_handler->get(lower_dentry)
which would report back through the chain no data, and -EACCES.

For selinux for both cases, this would translate to a correctly
determined blocked access. In the first case with this change a correct avc
log would be reported, in the second legacy case an incorrect avc log
would be reported against an uninitialized u:object_r:unlabeled:s0
context making the logs cosmetically useless for audit2allow.

This patch series is inert and is the wide-spread addition of the
flags option for xattr functions, and a replacement of _vfs_getxattr
with __vfs_getxattr(...XATTR_NOSECURITY).

Signed-off-by: Mark Salyzyn 
Cc: Stephen Smalley 
Cc: linux-ker...@vger.kernel.org
Cc: kernel-t...@android.com
Cc: linux-security-mod...@vger.kernel.org
Cc: sta...@vger.kernel.org # 4.4, 4.9, 4.14 & 4.19
---
Removed from an overlayfs patch set, and made independent.
Expect this to be the basis of some security improvements.
---
 fs/9p/acl.c   |  3 ++-
 fs/9p/xattr.c |  3 ++-
 fs/afs/xattr.c|  6 +++---
 fs/btrfs/xattr.c  |  3 ++-
 fs/ceph/xattr.c   |  3 ++-
 fs/cifs/xattr.c   |  2 +-
 fs/ecryptfs/inode.c   |  6 --
 fs/ecryptfs/mmap.c|  2 +-
 fs/ext2/xattr_trusted.c   |  2 +-
 fs/ext2/xattr_user.c  |  2 +-
 fs/ext4/xattr_security.c  |  2 +-
 fs/ext4/xattr_trusted.c   |  2 +-
 fs/ext4/xattr_user.c  |  2 +-
 fs/f2fs/xattr.c   |  4 ++--
 fs/fuse/xattr.c   |  4 ++--
 fs/gfs2/xattr.c   |  3 ++-
 fs/hfs/attr.c |  2 +-
 fs/hfsplus/xattr.c|  3 ++-
 fs/hfsplus/xattr_trusted.c|  3 ++-
 fs/hfsplus/xattr_user.c   |  3 ++-
 fs/jffs2/security.c   |  3 ++-
 fs/jffs2/xattr_trusted.c  |  3 ++-
 fs/jffs2/xattr_user.c |  3 ++-
 fs/jfs/xattr.c|  5 +++--
 fs/kernfs/inode.c |  3 ++-
 fs/nfs/nfs4proc.c |  6 --
 fs/ocfs2/xattr.c  |  9 +---
 fs/orangefs/xattr.c   |  3 ++-
 fs/overlayfs/super.c  |  8 ---
 fs/posix_acl.c|  2 +-
 fs/reiserfs/xattr_security.c  |  3 ++-
 fs/reiserfs/xattr_trusted.c   |  3 ++-
 fs/reiserfs/xattr_user.c  |  3 ++-
 fs/squashfs/xattr.c   |  2 +-
 fs/xattr.c| 36 +++
 fs/xfs/xfs_xattr.c|  3 ++-
 include/linux/xattr.h |  9 
 include/uapi/linux/xattr.h|  5 +++--
 mm/shmem.c|  3 ++-
 net/socket.c  |  3 ++-
 security/commoncap.c  |  6 --
 security/integrity/evm/evm_main.c |  3 ++-
 security/selinux/hooks.c  | 11 ++
 security/smack/smack_lsm.c|  5 +++--
 44 files changed, 119 insertions(+), 81 deletions(-)

diff --git a/fs/9p/acl.c b/fs/9p/acl.c
index 6261719f6f2a..cb14e8b312bc 100644
--- a/fs/9p/acl.c
+++ b/fs/9p/acl.c
@@ -214,7 +214,8 @@ int v9fs_acl_mode(struct inode *dir, umode_t *modep,
 
 static int v9fs_xattr_get_acl(const struct xattr_handler *handler,
  struct dentry *dentry, struct inode *inode,
- const char *name, void *buffer, size_t size)
+ const char *name, void *buffer, size_t size,
+ int flags)
 {
struct v9fs_session_info *v9ses;
struct posix_acl *acl;
diff --git a/fs/9p/xattr.c b/fs/9p/xattr.c
index ac8ff8ca4c11..5cfa772452fd 100644
--- a/fs/9p/xattr.c
+++ b/fs/9p/xattr.c
@@ -139,7 +139,8 @@ ssize_t v9fs_listxattr(struct dentry *dentry, char *buffer, 
size_t buffer_size)
 
 static int v9fs_xattr_handler_get(const struct xattr_handler *handler,
  struct dentry *dentry, 

[f2fs-dev] [PATCH v13 3/5] overlayfs: handle XATTR_NOSECURITY flag for get xattr method

[Mark Salyzyn via Linux-f2fs-devel]

Because of the overlayfs getxattr recursion, the incoming inode fails
to update the selinux sid resulting in avc denials being reported
against a target context of u:object_r:unlabeled:s0.

Solution is to respond to the XATTR_NOSECURITY flag in get xattr
method that calls the __vfs_getxattr handler instead so that the
context can be read in, rather than being denied with an -EACCES
when vfs_getxattr handler is called.

For the use case where access is to be blocked by the security layer.

The path then would be security(dentry) ->
__vfs_getxattr(dentry...XATTR_NOSECURITY) ->
handler->get(dentry...XATTR_NOSECURITY) ->
__vfs_getxattr(realdentry...XATTR_NOSECURITY) ->
lower_handler->get(realdentry...XATTR_NOSECURITY) which
would report back through the chain data and success as expected,
the logging security layer at the top would have the data to
determine the access permissions and report back to the logs and
the caller that the target context was blocked.

For selinux this would solve the cosmetic issue of the selinux log
and allow audit2allow to correctly report the rule needed to address
the access problem.

Signed-off-by: Mark Salyzyn 
Cc: Miklos Szeredi 
Cc: Jonathan Corbet 
Cc: Vivek Goyal 
Cc: Eric W. Biederman 
Cc: Amir Goldstein 
Cc: Randy Dunlap 
Cc: Stephen Smalley 
Cc: linux-unio...@vger.kernel.org
Cc: linux-...@vger.kernel.org
Cc: linux-ker...@vger.kernel.org
Cc: kernel-t...@android.com
Cc: Eric Van Hensbergen 
Cc: Latchesar Ionkov 
Cc: Dominique Martinet 
Cc: David Howells 
Cc: Chris Mason 
Cc: Josef Bacik 
Cc: David Sterba 
Cc: Jeff Layton 
Cc: Sage Weil 
Cc: Ilya Dryomov 
Cc: Steve French 
Cc: Tyler Hicks 
Cc: Jan Kara 
Cc: Theodore Ts'o 
Cc: Andreas Dilger 
Cc: Jaegeuk Kim 
Cc: Chao Yu 
Cc: Bob Peterson 
Cc: Andreas Gruenbacher 
Cc: David Woodhouse 
Cc: Richard Weinberger 
Cc: Dave Kleikamp 
Cc: Greg Kroah-Hartman 
Cc: Tejun Heo 
Cc: Trond Myklebust 
Cc: Anna Schumaker 
Cc: Mark Fasheh 
Cc: Joel Becker 
Cc: Joseph Qi 
Cc: Mike Marshall 
Cc: Martin Brandenburg 
Cc: Alexander Viro 
Cc: Phillip Lougher 
Cc: Darrick J. Wong 
Cc: linux-...@vger.kernel.org
Cc: Hugh Dickins 
Cc: David S. Miller 
Cc: Andrew Morton 
Cc: Mathieu Malaterre 
Cc: Ernesto A. Fernández 
Cc: Vyacheslav Dubeyko 
Cc: v9fs-develo...@lists.sourceforge.net
Cc: linux-...@lists.infradead.org
Cc: linux-bt...@vger.kernel.org
Cc: ceph-de...@vger.kernel.org
Cc: linux-c...@vger.kernel.org
Cc: samba-techni...@lists.samba.org
Cc: ecryp...@vger.kernel.org
Cc: linux-e...@vger.kernel.org
Cc: linux-f2fs-devel@lists.sourceforge.net
Cc: linux-fsde...@vger.kernel.org
Cc: cluster-de...@redhat.com
Cc: linux-...@lists.infradead.org
Cc: jfs-discuss...@lists.sourceforge.net
Cc: linux-...@vger.kernel.org
Cc: ocfs2-de...@oss.oracle.com
Cc: de...@lists.orangefs.org
Cc: reiserfs-de...@vger.kernel.org
Cc: linux...@kvack.org
Cc: net...@vger.kernel.org
Cc: linux-security-mod...@vger.kernel.org
Cc: sta...@vger.kernel.org # 4.4, 4.9, 4.14 & 4.19
---
v13 - rebase to use __vfs_getxattr flags option.

v12 - Added back to patch series as get xattr with flag option.

v11 - Squashed out of patch series and replaced with per-thread flag
  solution.

v10 - Added to patch series as __get xattr method.
---
 fs/overlayfs/inode.c | 5 +++--
 fs/overlayfs/overlayfs.h | 2 +-
 fs/overlayfs/super.c | 4 ++--
 3 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c
index 7663aeb85fa3..1bf11ae44313 100644
--- a/fs/overlayfs/inode.c
+++ b/fs/overlayfs/inode.c
@@ -363,7 +363,7 @@ int ovl_xattr_set(struct dentry *dentry, struct inode 
*inode, const char *name,
 }
 
 int ovl_xattr_get(struct dentry *dentry, struct inode *inode, const char *name,
- void *value, size_t size)
+ void *value, size_t size, int flags)
 {
ssize_t res;
const struct cred *old_cred;
@@ -371,7 +371,8 @@ int ovl_xattr_get(struct dentry *dentry, struct inode 
*inode, const char *name,
ovl_i_dentry_upper(inode) ?: ovl_dentry_lower(dentry);
 
old_cred = ovl_override_creds(dentry->d_sb);
-   res = vfs_getxattr(realdentry, name, value, size);
+   res = __vfs_getxattr(realdentry, d_inode(realdentry), name,
+value, size, flags);
revert_creds(old_cred);
return res;
 }
diff --git a/fs/overlayfs/overlayfs.h b/fs/overlayfs/overlayfs.h
index 6934bcf030f0..ab3d031c422b 100644
--- a/fs/overlayfs/overlayfs.h
+++ b/fs/overlayfs/overlayfs.h
@@ -356,7 +356,7 @@ int ovl_permission(struct inode *inode, int mask);
 int ovl_xattr_set(struct dentry *dentry, struct inode *inode, const char *name,
  const void *value, size_t size, int flags);
 int ovl_xattr_get(struct dentry *dentry, struct inode *inode, const char *name,
- void *value, size_t size);
+ void *value, size_t size, int flags);
 ssize_t ovl_listxattr(struct dentry *dentry, char *list, size_t size);
 struct posix_acl *ovl_get_acl(struct inode 

[f2fs-dev] [PATCH v13 2/5] Add flags option to get xattr method paired to __vfs_getxattr

[Mark Salyzyn via Linux-f2fs-devel]

Add a flag option to get xattr method that could have a bit flag of
XATTR_NOSECURITY passed to it.  XATTR_NOSECURITY is generally then
set in the __vfs_getxattr path.

This handles the case of a union filesystem driver that is being
requested by the security layer to report back the data that is the
target label or context embedded into wrapped filesystem's xattr.

For the use case where access is to be blocked by the security layer.

The path then could be security(dentry) ->
__vfs_getxattr(dentry...XATTR_NOSECUIRTY) ->
handler->get(dentry...XATTR_NOSECURITY) ->
__vfs_getxattr(lower_dentry...XATTR_NOSECUIRTY) ->
lower_handler->get(lower_dentry...XATTR_NOSECUIRTY)
which would report back through the chain data and success as
expected, but the logging security layer at the top would have the
data to determine the access permissions and report back the target
context that was blocked.

Without the get handler flag, the path on a union filesystem would be
the errant security(dentry) -> __vfs_getxattr(dentry) ->
handler->get(dentry) -> vfs_getxattr(lower_dentry) -> nested ->
security(lower_dentry, log off) -> lower_handler->get(lower_dentry)
which would report back through the chain no data, and -EACCES.

For selinux for both cases, this would translate to a correctly
determined blocked access. In the first corrected case a correct avc
log would be reported, in the second legacy case an incorrect avc log
would be reported against an uninitialized u:object_r:unlabeled:s0
context making the logs cosmetically useless for audit2allow.

This patch series is inert and is the wide-spread addition of the
flags option for xattr functions, and a replacement of _vfs_getxattr
with __vfs_getxattr(...XATTR_NOSECURITY).

Signed-off-by: Mark Salyzyn 
Cc: Miklos Szeredi 
Cc: Jonathan Corbet 
Cc: Vivek Goyal 
Cc: Eric W. Biederman 
Cc: Amir Goldstein 
Cc: Randy Dunlap 
Cc: Stephen Smalley 
Cc: linux-unio...@vger.kernel.org
Cc: linux-...@vger.kernel.org
Cc: linux-ker...@vger.kernel.org
Cc: kernel-t...@android.com
Cc: Eric Van Hensbergen 
Cc: Latchesar Ionkov 
Cc: Dominique Martinet 
Cc: David Howells 
Cc: Chris Mason 
Cc: Josef Bacik 
Cc: David Sterba 
Cc: Jeff Layton 
Cc: Sage Weil 
Cc: Ilya Dryomov 
Cc: Steve French 
Cc: Tyler Hicks 
Cc: Jan Kara 
Cc: Theodore Ts'o 
Cc: Andreas Dilger 
Cc: Jaegeuk Kim 
Cc: Chao Yu 
Cc: Bob Peterson 
Cc: Andreas Gruenbacher 
Cc: David Woodhouse 
Cc: Richard Weinberger 
Cc: Dave Kleikamp 
Cc: Greg Kroah-Hartman 
Cc: Tejun Heo 
Cc: Trond Myklebust 
Cc: Anna Schumaker 
Cc: Mark Fasheh 
Cc: Joel Becker 
Cc: Joseph Qi 
Cc: Mike Marshall 
Cc: Martin Brandenburg 
Cc: Alexander Viro 
Cc: Phillip Lougher 
Cc: Darrick J. Wong 
Cc: linux-...@vger.kernel.org
Cc: Hugh Dickins 
Cc: David S. Miller 
Cc: Andrew Morton 
Cc: Mathieu Malaterre 
Cc: Ernesto A. Fernández 
Cc: Vyacheslav Dubeyko 
Cc: v9fs-develo...@lists.sourceforge.net
Cc: linux-...@lists.infradead.org
Cc: linux-bt...@vger.kernel.org
Cc: ceph-de...@vger.kernel.org
Cc: linux-c...@vger.kernel.org
Cc: samba-techni...@lists.samba.org
Cc: ecryp...@vger.kernel.org
Cc: linux-e...@vger.kernel.org
Cc: linux-f2fs-devel@lists.sourceforge.net
Cc: linux-fsde...@vger.kernel.org
Cc: cluster-de...@redhat.com
Cc: linux-...@lists.infradead.org
Cc: jfs-discuss...@lists.sourceforge.net
Cc: linux-...@vger.kernel.org
Cc: ocfs2-de...@oss.oracle.com
Cc: de...@lists.orangefs.org
Cc: reiserfs-de...@vger.kernel.org
Cc: linux...@kvack.org
Cc: net...@vger.kernel.org
Cc: linux-security-mod...@vger.kernel.org
Cc: sta...@vger.kernel.org # 4.4, 4.9, 4.14 & 4.19
---
v13 - added flags to __vfs_getxattr call, and moved all the security
  code from vfs_getxattr into it.

v12 - Added back to patch series as get xattr with flag option.

v11 - Squashed out of patch series and replaced with per-thread flag
  solution.

v10 - Added to patch series as __get xattr method.
---
 fs/9p/acl.c   |  3 ++-
 fs/9p/xattr.c |  3 ++-
 fs/afs/xattr.c|  6 +++---
 fs/btrfs/xattr.c  |  3 ++-
 fs/ceph/xattr.c   |  3 ++-
 fs/cifs/xattr.c   |  2 +-
 fs/ecryptfs/inode.c   |  6 --
 fs/ecryptfs/mmap.c|  2 +-
 fs/ext2/xattr_trusted.c   |  2 +-
 fs/ext2/xattr_user.c  |  2 +-
 fs/ext4/xattr_security.c  |  2 +-
 fs/ext4/xattr_trusted.c   |  2 +-
 fs/ext4/xattr_user.c  |  2 +-
 fs/f2fs/xattr.c   |  4 ++--
 fs/fuse/xattr.c   |  4 ++--
 fs/gfs2/xattr.c   |  3 ++-
 fs/hfs/attr.c |  2 +-
 fs/hfsplus/xattr.c|  3 ++-
 fs/hfsplus/xattr_trusted.c|  3 ++-
 fs/hfsplus/xattr_user.c   |  3 ++-
 fs/jffs2/security.c   |  3 ++-
 fs/jffs2/xattr_trusted.c  |  3 ++-
 fs/jffs2/xattr_user.c |  3 ++-
 fs/jfs/xattr.c|  5 +++--
 fs/kernfs/inode.c |  3 ++-
 fs/nfs/nfs4proc.c 

[f2fs-dev] [PATCH v13 5/5] overlayfs: override_creds=off option bypass creator_cred

[Mark Salyzyn via Linux-f2fs-devel]

By default, all access to the upper, lower and work directories is the
recorded mounter's MAC and DAC credentials.  The incoming accesses are
checked against the caller's credentials.

If the principles of least privilege are applied, the mounter's
credentials might not overlap the credentials of the caller's when
accessing the overlayfs filesystem.  For example, a file that a lower
DAC privileged caller can execute, is MAC denied to the generally
higher DAC privileged mounter, to prevent an attack vector.

We add the option to turn off override_creds in the mount options; all
subsequent operations after mount on the filesystem will be only the
caller's credentials.  The module boolean parameter and mount option
override_creds is also added as a presence check for this "feature",
existence of /sys/module/overlay/parameters/override_creds.

It was not always this way.  Circa 4.6 there was no recorded mounter's
credentials, instead privileged access to upper or work directories
were temporarily increased to perform the operations.  The MAC
(selinux) policies were caller's in all cases.  override_creds=off
partially returns us to this older access model minus the insecure
temporary credential increases.  This is to permit use in a system
with non-overlapping security models for each executable including
the agent that mounts the overlayfs filesystem.  In Android
this is the case since init, which performs the mount operations,
has a minimal MAC set of privileges to reduce any attack surface,
and services that use the content have a different set of MAC
privileges (eg: read, for vendor labelled configuration, execute for
vendor libraries and modules).  The caveats are not a problem in
the Android usage model, however they should be fixed for
completeness and for general use in time.

Signed-off-by: Mark Salyzyn 
Cc: Miklos Szeredi 
Cc: Jonathan Corbet 
Cc: Vivek Goyal 
Cc: Eric W. Biederman 
Cc: Amir Goldstein 
Cc: Randy Dunlap 
Cc: Stephen Smalley 
Cc: linux-unio...@vger.kernel.org
Cc: linux-...@vger.kernel.org
Cc: linux-ker...@vger.kernel.org
Cc: kernel-t...@android.com
Cc: Eric Van Hensbergen 
Cc: Latchesar Ionkov 
Cc: Dominique Martinet 
Cc: David Howells 
Cc: Chris Mason 
Cc: Josef Bacik 
Cc: David Sterba 
Cc: Jeff Layton 
Cc: Sage Weil 
Cc: Ilya Dryomov 
Cc: Steve French 
Cc: Tyler Hicks 
Cc: Jan Kara 
Cc: Theodore Ts'o 
Cc: Andreas Dilger 
Cc: Jaegeuk Kim 
Cc: Chao Yu 
Cc: Bob Peterson 
Cc: Andreas Gruenbacher 
Cc: David Woodhouse 
Cc: Richard Weinberger 
Cc: Dave Kleikamp 
Cc: Greg Kroah-Hartman 
Cc: Tejun Heo 
Cc: Trond Myklebust 
Cc: Anna Schumaker 
Cc: Mark Fasheh 
Cc: Joel Becker 
Cc: Joseph Qi 
Cc: Mike Marshall 
Cc: Martin Brandenburg 
Cc: Alexander Viro 
Cc: Phillip Lougher 
Cc: Darrick J. Wong 
Cc: linux-...@vger.kernel.org
Cc: Hugh Dickins 
Cc: David S. Miller 
Cc: Andrew Morton 
Cc: Mathieu Malaterre 
Cc: Ernesto A. Fernández 
Cc: Vyacheslav Dubeyko 
Cc: v9fs-develo...@lists.sourceforge.net
Cc: linux-...@lists.infradead.org
Cc: linux-bt...@vger.kernel.org
Cc: ceph-de...@vger.kernel.org
Cc: linux-c...@vger.kernel.org
Cc: samba-techni...@lists.samba.org
Cc: ecryp...@vger.kernel.org
Cc: linux-e...@vger.kernel.org
Cc: linux-f2fs-devel@lists.sourceforge.net
Cc: linux-fsde...@vger.kernel.org
Cc: cluster-de...@redhat.com
Cc: linux-...@lists.infradead.org
Cc: jfs-discuss...@lists.sourceforge.net
Cc: linux-...@vger.kernel.org
Cc: ocfs2-de...@oss.oracle.com
Cc: de...@lists.orangefs.org
Cc: reiserfs-de...@vger.kernel.org
Cc: linux...@kvack.org
Cc: net...@vger.kernel.org
Cc: linux-security-mod...@vger.kernel.org
Cc: sta...@vger.kernel.org # 4.4, 4.9, 4.14 & 4.19 NB: this is a desired feature
---
v12 + v13:
- Rebase

v11:
- add sb argument to ovl_revert_creds to match future work

v10:
- Rebase (and expand because of increased revert_cred usage)

v9:
- Add to the caveats

v8:
- drop pr_warn message after straw poll to remove it.
- added a use case in the commit message

v7:
- change name of internal parameter to ovl_override_creds_def
- report override_creds only if different than default

v6:
- Drop CONFIG_OVERLAY_FS_OVERRIDE_CREDS.
- Do better with the documentation.
- pr_warn message adjusted to report consequences.

v5:
- beefed up the caveats in the Documentation
- Is dependent on
  "overlayfs: check CAP_DAC_READ_SEARCH before issuing exportfs_decode_fh"
  "overlayfs: check CAP_MKNOD before issuing vfs_whiteout"
- Added prwarn when override_creds=off

v4:
- spelling and grammar errors in text

v3:
- Change name from caller_credentials / creator_credentials to the
  boolean override_creds.
- Changed from creator to mounter credentials.
- Updated and fortified the documentation.
- Added CONFIG_OVERLAY_FS_OVERRIDE_CREDS

v2:
- Forward port changed attr to stat, resulting in a build error.
- altered commit message.
---
 Documentation/filesystems/overlayfs.txt | 23 +++
 fs/overlayfs/copy_up.c  |  2 +-
 fs/overlayfs/dir.c  | 11 ++-
 

[f2fs-dev] [PATCH v13 0/5] overlayfs override_creds=off

[Mark Salyzyn via Linux-f2fs-devel]

Patch series:

overlayfs: check CAP_DAC_READ_SEARCH before issuing exportfs_decode_fh
Add flags option to get xattr method paired to __vfs_getxattr
overlayfs: handle XATTR_NOSECURITY flag for get xattr method
overlayfs: internal getxattr operations without sepolicy checking
overlayfs: override_creds=off option bypass creator_cred

The first four patches address fundamental security issues that should
be solved regardless of the override_creds=off feature.
on them).

The fifth adds the feature depends on these other fixes.

By default, all access to the upper, lower and work directories is the
recorded mounter's MAC and DAC credentials.  The incoming accesses are
checked against the caller's credentials.

If the principles of least privilege are applied for sepolicy, the
mounter's credentials might not overlap the credentials of the caller's
when accessing the overlayfs filesystem.  For example, a file that a
lower DAC privileged caller can execute, is MAC denied to the
generally higher DAC privileged mounter, to prevent an attack vector.

We add the option to turn off override_creds in the mount options; all
subsequent operations after mount on the filesystem will be only the
caller's credentials.  The module boolean parameter and mount option
override_creds is also added as a presence check for this "feature",
existence of /sys/module/overlay/parameters/overlay_creds

Signed-off-by: Mark Salyzyn 
Cc: Miklos Szeredi 
Cc: Jonathan Corbet 
Cc: Vivek Goyal 
Cc: Eric W. Biederman 
Cc: Amir Goldstein 
Cc: Randy Dunlap 
Cc: Stephen Smalley 
Cc: linux-unio...@vger.kernel.org
Cc: linux-...@vger.kernel.org
Cc: linux-ker...@vger.kernel.org
Cc: Eric Van Hensbergen 
Cc: Latchesar Ionkov 
Cc: Dominique Martinet 
Cc: David Howells 
Cc: Chris Mason 
Cc: Josef Bacik 
Cc: David Sterba 
Cc: Jeff Layton 
Cc: Sage Weil 
Cc: Ilya Dryomov 
Cc: Steve French 
Cc: Tyler Hicks 
Cc: Jan Kara 
Cc: Theodore Ts'o 
Cc: Andreas Dilger 
Cc: Jaegeuk Kim 
Cc: Chao Yu 
Cc: Bob Peterson 
Cc: Andreas Gruenbacher 
Cc: David Woodhouse 
Cc: Richard Weinberger 
Cc: Dave Kleikamp 
Cc: Greg Kroah-Hartman 
Cc: Tejun Heo 
Cc: Trond Myklebust 
Cc: Anna Schumaker 
Cc: Mark Fasheh 
Cc: Joel Becker 
Cc: Joseph Qi 
Cc: Mike Marshall 
Cc: Martin Brandenburg 
Cc: Alexander Viro 
Cc: Phillip Lougher 
Cc: Darrick J. Wong 
Cc: linux-...@vger.kernel.org
Cc: Hugh Dickins 
Cc: David S. Miller 
Cc: Andrew Morton 
Cc: Mathieu Malaterre 
Cc: Ernesto A. Fernandez 
Cc: Vyacheslav Dubeyko 
Cc: v9fs-develo...@lists.sourceforge.net
Cc: linux-...@lists.infradead.org
Cc: linux-bt...@vger.kernel.org
Cc: ceph-de...@vger.kernel.org
Cc: linux-c...@vger.kernel.org
Cc: samba-techni...@lists.samba.org
Cc: ecryp...@vger.kernel.org
Cc: linux-e...@vger.kernel.org
Cc: linux-f2fs-devel@lists.sourceforge.net
Cc: linux-fsde...@vger.kernel.org
Cc: cluster-de...@redhat.com
Cc: linux-...@lists.infradead.org
Cc: jfs-discuss...@lists.sourceforge.net
Cc: linux-...@vger.kernel.org
Cc: ocfs2-de...@oss.oracle.com
Cc: de...@lists.orangefs.org
Cc: reiserfs-de...@vger.kernel.org
Cc: linux...@kvack.org
Cc: net...@vger.kernel.org
Cc: linux-security-mod...@vger.kernel.org
Cc: sta...@vger.kernel.org # 4.4, 4.9, 4.14 & 4.19
---
v13:
- add flags argument to __vfs_getxattr
- drop GFP_NOFS side-effect

v12:
- Restore squished out patch 2 and 3 in the series,
  then change algorithm to add flags argument.
  Per-thread flag is a large security surface.

v11:
- Squish out v10 introduced patch 2 and 3 in the series,
  then and use per-thread flag instead for nesting.
- Switch name to ovl_do_vds_getxattr for __vds_getxattr wrapper.
- Add sb argument to ovl_revert_creds to match future work.

v10:
- Return NULL on CAP_DAC_READ_SEARCH
- Add __get xattr method to solve sepolicy logging issue
- Drop unnecessary sys_admin sepolicy checking for administrative
  driver internal xattr functions.

v6:
- Drop CONFIG_OVERLAY_FS_OVERRIDE_CREDS.
- Do better with the documentation, drop rationalizations.
- pr_warn message adjusted to report consequences.

v5:
- beefed up the caveats in the Documentation
- Is dependent on
  "overlayfs: check CAP_DAC_READ_SEARCH before issuing exportfs_decode_fh"
  "overlayfs: check CAP_MKNOD before issuing vfs_whiteout"
- Added prwarn when override_creds=off

v4:
- spelling and grammar errors in text

v3:
- Change name from caller_credentials / creator_credentials to the
  boolean override_creds.
- Changed from creator to mounter credentials.
- Updated and fortified the documentation.
- Added CONFIG_OVERLAY_FS_OVERRIDE_CREDS

v2:
- Forward port changed attr to stat, resulting in a build error.
- altered commit message.


___
Linux-f2fs-devel mailing list
Linux-f2fs-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel

[f2fs-dev] [PATCH v13 4/5] overlayfs: internal getxattr operations without sepolicy checking

[Mark Salyzyn via Linux-f2fs-devel]

Check impure, opaque, origin & meta xattr with no sepolicy audit
(using __vfs_getxattr) since these operations are internal to
overlayfs operations and do not disclose any data.  This became
an issue for credential override off since sys_admin would have
been required by the caller; whereas would have been inherently
present for the creator since it performed the mount.

This is a change in operations since we do not check in the new
ovl_do_vfs_getxattr function if the credential override is off or
not.  Reasoning is that the sepolicy check is unnecessary overhead,
especially since the check can be expensive.

Because for override credentials off, this affects _everyone_ that
underneath performs private xattr calls without the appropriate
sepolicy permissions and sys_admin capability.  Providing blanket
support for sys_admin would be bad for all possible callers.

For the override credentials on, this will affect only the mounter,
should it lack sepolicy permissions. Not considered a security
problem since mounting by definition has sys_admin capabilities,
but sepolicy contexts would still need to be crafted.

It should be noted that there is precedence, __vfs_getxattr is used
in other filesystems for their own internal trusted xattr management.

Signed-off-by: Mark Salyzyn 
Cc: Miklos Szeredi 
Cc: Jonathan Corbet 
Cc: Vivek Goyal 
Cc: Eric W. Biederman 
Cc: Amir Goldstein 
Cc: Randy Dunlap 
Cc: Stephen Smalley 
Cc: linux-unio...@vger.kernel.org
Cc: linux-...@vger.kernel.org
Cc: linux-ker...@vger.kernel.org
Cc: kernel-t...@android.com
Cc: Eric Van Hensbergen 
Cc: Latchesar Ionkov 
Cc: Dominique Martinet 
Cc: David Howells 
Cc: Chris Mason 
Cc: Josef Bacik 
Cc: David Sterba 
Cc: Jeff Layton 
Cc: Sage Weil 
Cc: Ilya Dryomov 
Cc: Steve French 
Cc: Tyler Hicks 
Cc: Jan Kara 
Cc: Theodore Ts'o 
Cc: Andreas Dilger 
Cc: Jaegeuk Kim 
Cc: Chao Yu 
Cc: Bob Peterson 
Cc: Andreas Gruenbacher 
Cc: David Woodhouse 
Cc: Richard Weinberger 
Cc: Dave Kleikamp 
Cc: Greg Kroah-Hartman 
Cc: Tejun Heo 
Cc: Trond Myklebust 
Cc: Anna Schumaker 
Cc: Mark Fasheh 
Cc: Joel Becker 
Cc: Joseph Qi 
Cc: Mike Marshall 
Cc: Martin Brandenburg 
Cc: Alexander Viro 
Cc: Phillip Lougher 
Cc: Darrick J. Wong 
Cc: linux-...@vger.kernel.org
Cc: Hugh Dickins 
Cc: David S. Miller 
Cc: Andrew Morton 
Cc: Mathieu Malaterre 
Cc: Ernesto A. Fernández 
Cc: Vyacheslav Dubeyko 
Cc: v9fs-develo...@lists.sourceforge.net
Cc: linux-...@lists.infradead.org
Cc: linux-bt...@vger.kernel.org
Cc: ceph-de...@vger.kernel.org
Cc: linux-c...@vger.kernel.org
Cc: samba-techni...@lists.samba.org
Cc: ecryp...@vger.kernel.org
Cc: linux-e...@vger.kernel.org
Cc: linux-f2fs-devel@lists.sourceforge.net
Cc: linux-fsde...@vger.kernel.org
Cc: cluster-de...@redhat.com
Cc: linux-...@lists.infradead.org
Cc: jfs-discuss...@lists.sourceforge.net
Cc: linux-...@vger.kernel.org
Cc: ocfs2-de...@oss.oracle.com
Cc: de...@lists.orangefs.org
Cc: reiserfs-de...@vger.kernel.org
Cc: linux...@kvack.org
Cc: net...@vger.kernel.org
Cc: linux-security-mod...@vger.kernel.org
Cc: sta...@vger.kernel.org # 4.4, 4.9, 4.14 & 4.19
---
v13 - rebase to use __vfs_getxattr flags option

v12 - rebase

v11 - switch name to ovl_do_vfs_getxattr, fortify comment

v10 - added to patch series
---
 fs/overlayfs/namei.c | 12 +++-
 fs/overlayfs/overlayfs.h |  2 ++
 fs/overlayfs/util.c  | 25 -
 3 files changed, 25 insertions(+), 14 deletions(-)

diff --git a/fs/overlayfs/namei.c b/fs/overlayfs/namei.c
index 9702f0d5309d..a4a452c489fa 100644
--- a/fs/overlayfs/namei.c
+++ b/fs/overlayfs/namei.c
@@ -106,10 +106,11 @@ int ovl_check_fh_len(struct ovl_fh *fh, int fh_len)
 
 static struct ovl_fh *ovl_get_fh(struct dentry *dentry, const char *name)
 {
-   int res, err;
+   ssize_t res;
+   int err;
struct ovl_fh *fh = NULL;
 
-   res = vfs_getxattr(dentry, name, NULL, 0);
+   res = ovl_do_vfs_getxattr(dentry, name, NULL, 0);
if (res < 0) {
if (res == -ENODATA || res == -EOPNOTSUPP)
return NULL;
@@ -123,7 +124,7 @@ static struct ovl_fh *ovl_get_fh(struct dentry *dentry, 
const char *name)
if (!fh)
return ERR_PTR(-ENOMEM);
 
-   res = vfs_getxattr(dentry, name, fh, res);
+   res = ovl_do_vfs_getxattr(dentry, name, fh, res);
if (res < 0)
goto fail;
 
@@ -141,10 +142,11 @@ static struct ovl_fh *ovl_get_fh(struct dentry *dentry, 
const char *name)
return NULL;
 
 fail:
-   pr_warn_ratelimited("overlayfs: failed to get origin (%i)\n", res);
+   pr_warn_ratelimited("overlayfs: failed to get origin (%zi)\n", res);
goto out;
 invalid:
-   pr_warn_ratelimited("overlayfs: invalid origin (%*phN)\n", res, fh);
+   pr_warn_ratelimited("overlayfs: invalid origin (%*phN)\n",
+   (int)res, fh);
goto out;
 }
 
diff --git a/fs/overlayfs/overlayfs.h b/fs/overlayfs/overlayfs.h
index ab3d031c422b..9d26d8758513 100644

[f2fs-dev] [PATCH v13 0/5] overlayfs override_creds=off

[Mark Salyzyn via Linux-f2fs-devel]

Patch series:

overlayfs: check CAP_DAC_READ_SEARCH before issuing exportfs_decode_fh
Add flags option to get xattr method paired to __vfs_getxattr
overlayfs: handle XATTR_NOSECURITY flag for get xattr method
overlayfs: internal getxattr operations without sepolicy checking
overlayfs: override_creds=off option bypass creator_cred

The first four patches address fundamental security issues that should
be solved regardless of the override_creds=off feature.
on them).

The fifth adds the feature depends on these other fixes.

By default, all access to the upper, lower and work directories is the
recorded mounter's MAC and DAC credentials.  The incoming accesses are
checked against the caller's credentials.

If the principles of least privilege are applied for sepolicy, the
mounter's credentials might not overlap the credentials of the caller's
when accessing the overlayfs filesystem.  For example, a file that a
lower DAC privileged caller can execute, is MAC denied to the
generally higher DAC privileged mounter, to prevent an attack vector.

We add the option to turn off override_creds in the mount options; all
subsequent operations after mount on the filesystem will be only the
caller's credentials.  The module boolean parameter and mount option
override_creds is also added as a presence check for this "feature",
existence of /sys/module/overlay/parameters/overlay_creds

Signed-off-by: Mark Salyzyn 
Cc: Miklos Szeredi 
Cc: Jonathan Corbet 
Cc: Vivek Goyal 
Cc: Eric W. Biederman 
Cc: Amir Goldstein 
Cc: Randy Dunlap 
Cc: Stephen Smalley 
Cc: linux-unio...@vger.kernel.org
Cc: linux-...@vger.kernel.org
Cc: linux-ker...@vger.kernel.org
Cc: Eric Van Hensbergen 
Cc: Latchesar Ionkov 
Cc: Dominique Martinet 
Cc: David Howells 
Cc: Chris Mason 
Cc: Josef Bacik 
Cc: David Sterba 
Cc: Jeff Layton 
Cc: Sage Weil 
Cc: Ilya Dryomov 
Cc: Steve French 
Cc: Tyler Hicks 
Cc: Jan Kara 
Cc: Theodore Ts'o 
Cc: Andreas Dilger 
Cc: Jaegeuk Kim 
Cc: Chao Yu 
Cc: Bob Peterson 
Cc: Andreas Gruenbacher 
Cc: David Woodhouse 
Cc: Richard Weinberger 
Cc: Dave Kleikamp 
Cc: Greg Kroah-Hartman 
Cc: Tejun Heo 
Cc: Trond Myklebust 
Cc: Anna Schumaker 
Cc: Mark Fasheh 
Cc: Joel Becker 
Cc: Joseph Qi 
Cc: Mike Marshall 
Cc: Martin Brandenburg 
Cc: Alexander Viro 
Cc: Phillip Lougher 
Cc: Darrick J. Wong 
Cc: linux-...@vger.kernel.org
Cc: Hugh Dickins 
Cc: David S. Miller 
Cc: Andrew Morton 
Cc: Mathieu Malaterre 
Cc: Ernesto A. Fernández 
Cc: Vyacheslav Dubeyko 
Cc: v9fs-develo...@lists.sourceforge.net
Cc: linux-...@lists.infradead.org
Cc: linux-bt...@vger.kernel.org
Cc: ceph-de...@vger.kernel.org
Cc: linux-c...@vger.kernel.org
Cc: samba-techni...@lists.samba.org
Cc: ecryp...@vger.kernel.org
Cc: linux-e...@vger.kernel.org
Cc: linux-f2fs-devel@lists.sourceforge.net
Cc: linux-fsde...@vger.kernel.org
Cc: cluster-de...@redhat.com
Cc: linux-...@lists.infradead.org
Cc: jfs-discuss...@lists.sourceforge.net
Cc: linux-...@vger.kernel.org
Cc: ocfs2-de...@oss.oracle.com
Cc: de...@lists.orangefs.org
Cc: reiserfs-de...@vger.kernel.org
Cc: linux...@kvack.org
Cc: net...@vger.kernel.org
Cc: linux-security-mod...@vger.kernel.org
Cc: sta...@vger.kernel.org # 4.4, 4.9, 4.14 & 4.19
---
v13:
- add flags argument to __vfs_getxattr
- drop GFP_NOFS side-effect

v12:
- Restore squished out patch 2 and 3 in the series,
  then change algorithm to add flags argument.
  Per-thread flag is a large security surface.

v11:
- Squish out v10 introduced patch 2 and 3 in the series,
  then and use per-thread flag instead for nesting.
- Switch name to ovl_do_vds_getxattr for __vds_getxattr wrapper.
- Add sb argument to ovl_revert_creds to match future work.

v10:
- Return NULL on CAP_DAC_READ_SEARCH
- Add __get xattr method to solve sepolicy logging issue
- Drop unnecessary sys_admin sepolicy checking for administrative
  driver internal xattr functions.

v6:
- Drop CONFIG_OVERLAY_FS_OVERRIDE_CREDS.
- Do better with the documentation, drop rationalizations.
- pr_warn message adjusted to report consequences.

v5:
- beefed up the caveats in the Documentation
- Is dependent on
  "overlayfs: check CAP_DAC_READ_SEARCH before issuing exportfs_decode_fh"
  "overlayfs: check CAP_MKNOD before issuing vfs_whiteout"
- Added prwarn when override_creds=off

v4:
- spelling and grammar errors in text

v3:
- Change name from caller_credentials / creator_credentials to the
  boolean override_creds.
- Changed from creator to mounter credentials.
- Updated and fortified the documentation.
- Added CONFIG_OVERLAY_FS_OVERRIDE_CREDS

v2:
- Forward port changed attr to stat, resulting in a build error.
- altered commit message.


___
Linux-f2fs-devel mailing list
Linux-f2fs-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel

[f2fs-dev] [PATCH v13 1/5] overlayfs: check CAP_DAC_READ_SEARCH before issuing exportfs_decode_fh

[Mark Salyzyn via Linux-f2fs-devel]

Assumption never checked, should fail if the mounter creds are not
sufficient.

Signed-off-by: Mark Salyzyn 
Cc: Miklos Szeredi 
Cc: Jonathan Corbet 
Cc: Vivek Goyal 
Cc: Eric W. Biederman 
Cc: Amir Goldstein 
Cc: Randy Dunlap 
Cc: Stephen Smalley 
Cc: linux-unio...@vger.kernel.org
Cc: linux-...@vger.kernel.org
Cc: linux-ker...@vger.kernel.org
Cc: kernel-t...@android.com
Cc: Eric Van Hensbergen 
Cc: Latchesar Ionkov 
Cc: Dominique Martinet 
Cc: David Howells 
Cc: Chris Mason 
Cc: Josef Bacik 
Cc: David Sterba 
Cc: Jeff Layton 
Cc: Sage Weil 
Cc: Ilya Dryomov 
Cc: Steve French 
Cc: Tyler Hicks 
Cc: Jan Kara 
Cc: Theodore Ts'o 
Cc: Andreas Dilger 
Cc: Jaegeuk Kim 
Cc: Chao Yu 
Cc: Bob Peterson 
Cc: Andreas Gruenbacher 
Cc: David Woodhouse 
Cc: Richard Weinberger 
Cc: Dave Kleikamp 
Cc: Greg Kroah-Hartman 
Cc: Tejun Heo 
Cc: Trond Myklebust 
Cc: Anna Schumaker 
Cc: Mark Fasheh 
Cc: Joel Becker 
Cc: Joseph Qi 
Cc: Mike Marshall 
Cc: Martin Brandenburg 
Cc: Alexander Viro 
Cc: Phillip Lougher 
Cc: Darrick J. Wong 
Cc: linux-...@vger.kernel.org
Cc: Hugh Dickins 
Cc: David S. Miller 
Cc: Andrew Morton 
Cc: Mathieu Malaterre 
Cc: Ernesto A. Fernández 
Cc: Vyacheslav Dubeyko 
Cc: v9fs-develo...@lists.sourceforge.net
Cc: linux-...@lists.infradead.org
Cc: linux-bt...@vger.kernel.org
Cc: ceph-de...@vger.kernel.org
Cc: linux-c...@vger.kernel.org
Cc: samba-techni...@lists.samba.org
Cc: ecryp...@vger.kernel.org
Cc: linux-e...@vger.kernel.org
Cc: linux-f2fs-devel@lists.sourceforge.net
Cc: linux-fsde...@vger.kernel.org
Cc: cluster-de...@redhat.com
Cc: linux-...@lists.infradead.org
Cc: jfs-discuss...@lists.sourceforge.net
Cc: linux-...@vger.kernel.org
Cc: ocfs2-de...@oss.oracle.com
Cc: de...@lists.orangefs.org
Cc: reiserfs-de...@vger.kernel.org
Cc: linux...@kvack.org
Cc: net...@vger.kernel.org
Cc: linux-security-mod...@vger.kernel.org
Cc: sta...@vger.kernel.org # 4.4, 4.9, 4.14 & 4.19
---
v11 + v12 + v13 - rebase

v10:
- return NULL rather than ERR_PTR(-EPERM)
- did _not_ add it ovl_can_decode_fh() because of changes since last
  review, suspect needs to be added to ovl_lower_uuid_ok()?

v8 + v9:
- rebase

v7:
- This time for realz

v6:
- rebase

v5:
- dependency of "overlayfs: override_creds=off option bypass creator_cred"
---
 fs/overlayfs/namei.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/fs/overlayfs/namei.c b/fs/overlayfs/namei.c
index e9717c2f7d45..9702f0d5309d 100644
--- a/fs/overlayfs/namei.c
+++ b/fs/overlayfs/namei.c
@@ -161,6 +161,9 @@ struct dentry *ovl_decode_real_fh(struct ovl_fh *fh, struct 
vfsmount *mnt,
if (!uuid_equal(>uuid, >mnt_sb->s_uuid))
return NULL;
 
+   if (!capable(CAP_DAC_READ_SEARCH))
+   return NULL;
+
bytes = (fh->len - offsetof(struct ovl_fh, fid));
real = exportfs_decode_fh(mnt, (struct fid *)fh->fid,
  bytes >> 2, (int)fh->type,
-- 
2.22.0.770.g0f2c4a37fd-goog



___
Linux-f2fs-devel mailing list
Linux-f2fs-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel

[f2fs-dev] [PATCH v12 2/5] Add flags option to get xattr method paired to __vfs_getxattr

[Mark Salyzyn via Linux-f2fs-devel]

Add a flag option to get xattr method that could have a bit flag of
XATTR_NOSECURITY passed to it.  XATTR_NOSECURITY is set in the
__vfs_getxattr path.

This handles the case of a union filesystem driver that is being
requested by the security layer to report back the data that is the
target label or context embedded into wrapped filesystem's xattr.

For the use case where access is to be blocked by the security layer.

The path then could be security(dentry) -> __vfs_getxattr(dentry) ->
handler->get(dentry...XATTR_NOSECURITY) ->
__vfs_getxattr(lower_dentry) -> lower_handler->get(lower_dentry)
which would report back through the chain data and success as
expected, but the logging security layer at the top would have the
data to determine the access permissions and report back the target
context that was blocked.

Without the get handler flag, the path on a union filesystem would be
the errant security(dentry) -> __vfs_getxattr(dentry) ->
handler->get(dentry) -> vfs_getxattr(lower_dentry) -> nested ->
security(lower_dentry, log off) -> lower_handler->get(lower_dentry)
which would report back through the chain no data, and -EACCES.

For selinux for both cases, this would translate to a correctly
determined blocked access. In the first corrected case a correct avc
log would be reported, in the second legacy case an incorrect avc log
would be reported against an uninitialized u:object_r:unlabeled:s0
context making the logs cosmetically useless for audit2allow.

Signed-off-by: Mark Salyzyn 
Cc: Miklos Szeredi 
Cc: Jonathan Corbet 
Cc: Vivek Goyal 
Cc: Eric W. Biederman 
Cc: Amir Goldstein 
Cc: Randy Dunlap 
Cc: Stephen Smalley 
Cc: linux-unio...@vger.kernel.org
Cc: linux-...@vger.kernel.org
Cc: linux-ker...@vger.kernel.org
Cc: kernel-t...@android.com
---
v12 - Added back to patch series as get xattr with flag option.

v11 - Squashed out of patch series and replaced with per-thread flag
  solution.

v10 - Added to patch series as __get xattr method.
---
 fs/9p/acl.c  |  3 ++-
 fs/9p/xattr.c|  3 ++-
 fs/afs/xattr.c   |  6 +++---
 fs/btrfs/xattr.c |  3 ++-
 fs/ceph/xattr.c  |  3 ++-
 fs/cifs/xattr.c  |  2 +-
 fs/ecryptfs/inode.c  |  3 ++-
 fs/ext2/xattr_trusted.c  |  2 +-
 fs/ext2/xattr_user.c |  2 +-
 fs/ext4/xattr_security.c |  2 +-
 fs/ext4/xattr_trusted.c  |  2 +-
 fs/ext4/xattr_user.c |  2 +-
 fs/f2fs/xattr.c  |  4 ++--
 fs/fuse/xattr.c  |  4 ++--
 fs/gfs2/xattr.c  |  3 ++-
 fs/hfs/attr.c|  2 +-
 fs/hfsplus/xattr.c   |  3 ++-
 fs/hfsplus/xattr_trusted.c   |  3 ++-
 fs/hfsplus/xattr_user.c  |  3 ++-
 fs/jffs2/security.c  |  3 ++-
 fs/jffs2/xattr_trusted.c |  3 ++-
 fs/jffs2/xattr_user.c|  3 ++-
 fs/jfs/xattr.c   |  5 +++--
 fs/kernfs/inode.c|  1 +
 fs/nfs/nfs4proc.c|  6 --
 fs/ocfs2/xattr.c |  9 ++---
 fs/orangefs/xattr.c  |  3 ++-
 fs/overlayfs/super.c |  5 +++--
 fs/posix_acl.c   |  2 +-
 fs/reiserfs/xattr_security.c |  3 ++-
 fs/reiserfs/xattr_trusted.c  |  3 ++-
 fs/reiserfs/xattr_user.c |  3 ++-
 fs/squashfs/xattr.c  |  2 +-
 fs/xattr.c   | 19 ++-
 fs/xfs/xfs_xattr.c   |  3 ++-
 include/linux/xattr.h|  6 +++---
 include/uapi/linux/xattr.h   |  5 +++--
 mm/shmem.c   |  3 ++-
 net/socket.c |  3 ++-
 39 files changed, 91 insertions(+), 54 deletions(-)

diff --git a/fs/9p/acl.c b/fs/9p/acl.c
index 6261719f6f2a..cb14e8b312bc 100644
--- a/fs/9p/acl.c
+++ b/fs/9p/acl.c
@@ -214,7 +214,8 @@ int v9fs_acl_mode(struct inode *dir, umode_t *modep,
 
 static int v9fs_xattr_get_acl(const struct xattr_handler *handler,
  struct dentry *dentry, struct inode *inode,
- const char *name, void *buffer, size_t size)
+ const char *name, void *buffer, size_t size,
+ int flags)
 {
struct v9fs_session_info *v9ses;
struct posix_acl *acl;
diff --git a/fs/9p/xattr.c b/fs/9p/xattr.c
index ac8ff8ca4c11..5cfa772452fd 100644
--- a/fs/9p/xattr.c
+++ b/fs/9p/xattr.c
@@ -139,7 +139,8 @@ ssize_t v9fs_listxattr(struct dentry *dentry, char *buffer, 
size_t buffer_size)
 
 static int v9fs_xattr_handler_get(const struct xattr_handler *handler,
  struct dentry *dentry, struct inode *inode,
- const char *name, void *buffer, size_t size)
+ const char *name, void *buffer, size_t size,
+ int flags)
 {
const char *full_name = xattr_full_name(handler, name);
 
diff --git a/fs/afs/xattr.c b/fs/afs/xattr.c
index 5552d034090a..e6509c21f08a 100644
--- a/fs/afs/xattr.c
+++ b/fs/afs/xattr.c
@@ -334,7 +334,7 @@ static const