From patchwork Fri Mar 10 17:14:18 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stephen Smalley X-Patchwork-Id: 9617767 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 2DA7360414 for ; Fri, 10 Mar 2017 17:11:13 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 1DEB428742 for ; Fri, 10 Mar 2017 17:11:13 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 125AD28746; Fri, 10 Mar 2017 17:11:13 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 655C228742 for ; Fri, 10 Mar 2017 17:11:12 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932672AbdCJRLL (ORCPT ); Fri, 10 Mar 2017 12:11:11 -0500 Received: from smtp.nsa.gov ([8.44.101.9]:54727 "EHLO emsm-gh1-uea11.nsa.gov" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755049AbdCJRLK (ORCPT ); Fri, 10 Mar 2017 12:11:10 -0500 X-IronPort-AV: E=Sophos;i="5.36,141,1486425600"; d="scan'208";a="3873537" IronPort-PHdr: =?us-ascii?q?9a23=3ACQ5AEh+yZTQ3hP9uRHKM819IXTAuvvDOBiVQ1KB+?= =?us-ascii?q?0OsXIJqq85mqBkHD//Il1AaPBtSGra4UwLuI+4nbGkU4qa6bt34DdJEeHzQksu?= =?us-ascii?q?4x2zIaPcieFEfgJ+TrZSFpVO5LVVti4m3peRMNQJW2aFLduGC94iAPERvjKwV1?= =?us-ascii?q?Ov71GonPhMiryuy+4ZPebgFIiTanbr5/Lxq6oAHQu8ILnYZsN6E9xwfTrHBVYe?= =?us-ascii?q?pW32RoJVySnxb4+Mi9+YNo/jpTtfw86cNOSL32cKskQ7NWCjQmKH0169bwtRbf?= =?us-ascii?q?VwuP52ATXXsQnxFVHgXK9hD6XpP2sivnqupw3TSRMMPqQbwoXzmp8qlkSAXsiC?= =?us-ascii?q?waKTA39m/ZgdF0gK5Cvh6tuxlzzojJa4+XKfV+ZLvQc9MES2RcUMhfVCtPD5ig?= =?us-ascii?q?Y4cTFecNIfxVo5Xhq1YIsBCwBROsBOTqyjJQm3H2wbM10/whEQ7Y2gwrAs8AsH?= =?us-ascii?q?HOo9XxMKcdT+C0x7TPwDXYcvxWwizw6JTIcx89ofGMWqh8cczKyUY1DQ/FgVKQ?= =?us-ascii?q?qZL8Mj6Ty+8DsHCb4vJ9We+ghGMrsQF8riW1yssyhYTFmJgZxk3C+C5k2og6P8?= =?us-ascii?q?e4R1R+YdO8FZtQsDyVOJVuT8M5RmFopD46yrobuZ6nZCQKyIooxxrYa/Gfb4iH?= =?us-ascii?q?+AjjVOeMITdjnn5lZLK+iAqy8Uin0OH8UNW70E1WoSZfl9nMt3QN2wTS6siBVP?= =?us-ascii?q?R94l+s1SuA2g3c8O1JIV04mbDFJ5Mu3LI8jIcfvVzGHiDsmUX2iKGWdl8j+uit?= =?us-ascii?q?8+nneajppoSHOo9oigDxLqQumsulDeQ+KQgBRXKX+eu71L395UH5WqlFjuUqkq?= =?us-ascii?q?nFt5DXPcAbpq+/Aw9I3Ycv8g2/ACm639QFh3kHLU5FeRKeg4jsPFHBPe34DfOh?= =?us-ascii?q?jFm3jjdryO7JPqf7DpXOMHfDirHhcqh560JGzwoz199f7YpOCr4dOPLzRlPxtN?= =?us-ascii?q?vAAx89Mgy0xfvnCdpk2oMdR22PGKmZP73WsVKT+OIvLPeDZJUPtDb+Nfcl/fju?= =?us-ascii?q?gmE9mVMHeqmpx5QXYmiiHvt6O0WZfWbsgtAZHGcOvwo+SvHqiVKbXT5dfHa9Qr?= =?us-ascii?q?wz5i8lB4KiForDWI+tj6Kb3CuhHZ1ZeHpGClaSHnfsbYmEXO0MaC2KKM97jjME?= =?us-ascii?q?TaShS5Mm1Ry2tg/6zLpnLuzO9i0aspLj1MJ65+vIlR4s8zx5FNiS3HuLT2FzmG?= =?us-ascii?q?MIRiM507p7oUBn1liD1q14ieRCFdNP//NJThs6NZnEwuxiEd/yRwbBc8yRSFm8?= =?us-ascii?q?X9WmBSg9Ttc2w98JeUZyBc+ugQzE3yqvG7UVjaCEBIQo8qLA2Hj8P919xGjc1K?= =?us-ascii?q?kukVYrWctPOneihq579wnTAZTFnFmel6avba4cxjLC9H+fzWqSu0FVSAxwXr/A?= =?us-ascii?q?XX8BfUvat9D56lnHT7+pE7QnKApBydWZJ6tNcN3ml0lJRPP9N9jEf22xnGKwDw?= =?us-ascii?q?6SxryQdIrqZ3kd3CLFBUgakgAT53GGOBM/Byi/pWLeDSJuGUjrY0Pt9+l+tXy6?= =?us-ascii?q?QlUzzwGQYE1tzae1+h1GzcCbHu0SxLUsqionqisyGFe7wsKQDMCP4RdiOO1eaN?= =?us-ascii?q?Yw+xFDk2ferRZ8JbSnNalpglNYeANy+wv12g94B61AmMwuvXVsxw13beqA2U5F?= =?us-ascii?q?XyuRwJS1P7rQMGS09xeqL+bU3VHYltSR+q4J8/k+g17qugavF0Er9zNs1NwG/W?= =?us-ascii?q?Gb48DxEAcKUZ/3Gn0y/hx+qqCSNjIx/KvIxHZsNu+yqTaE1NU3Urh2gi28dstS?= =?us-ascii?q?ZfvXXDT5FNcXUo30cOE=3D?= X-IPAS-Result: =?us-ascii?q?A2HOBwDT3MJY/wHyM5BdHAEBBAEBCgEBFgEBAQMBAQEJAQE?= =?us-ascii?q?BgyaBa54PAQEBAQEBBpIHgkWEHRqEXYErgkNXAQEBAQEBAQECAQJoKIIzIoJuU?= =?us-ascii?q?iiBFxKJcw2zXzomAopCATGGCYxUDIMNBYkahz6LZIoeiBoCgXmIbQyGLgJIgxu?= =?us-ascii?q?PXViBAxkJAhQIHQ+HMiI1ihoBAQE?= Received: from unknown (HELO tarius.tycho.ncsc.mil) ([144.51.242.1]) by emsm-gh1-uea11.nsa.gov with ESMTP; 10 Mar 2017 17:11:04 +0000 Received: from moss-pluto.infosec.tycho.ncsc.mil (moss-pluto [192.168.25.131]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id v2AHAxf7008654; Fri, 10 Mar 2017 12:11:00 -0500 From: Stephen Smalley To: viro@zeniv.linux.org.uk, james.l.morris@oracle.com, serge@hallyn.com, paul@paul-moore.com, john.johansen@canonical.com Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov, Stephen Smalley Subject: [PATCH] fs: switch order of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks Date: Fri, 10 Mar 2017 12:14:18 -0500 Message-Id: <1489166058-11789-1-git-send-email-sds@tycho.nsa.gov> X-Mailer: git-send-email 2.7.4 Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP generic_permission() presently checks CAP_DAC_OVERRIDE prior to CAP_DAC_READ_SEARCH. This can cause misleading audit messages when using a LSM such as SELinux or AppArmor, since CAP_DAC_OVERRIDE may not be required for the operation. Flip the order of the tests so that CAP_DAC_OVERRIDE is only checked when required for the operation. Signed-off-by: Stephen Smalley Acked-by: John Johansen Reviewed-by: Serge Hallyn Acked-by: James Morris --- fs/namei.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/fs/namei.c b/fs/namei.c index d41fab7..482414a 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -340,22 +340,14 @@ int generic_permission(struct inode *inode, int mask) if (S_ISDIR(inode->i_mode)) { /* DACs are overridable for directories */ - if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE)) - return 0; if (!(mask & MAY_WRITE)) if (capable_wrt_inode_uidgid(inode, CAP_DAC_READ_SEARCH)) return 0; - return -EACCES; - } - /* - * Read/write DACs are always overridable. - * Executable DACs are overridable when there is - * at least one exec bit set. - */ - if (!(mask & MAY_EXEC) || (inode->i_mode & S_IXUGO)) if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE)) return 0; + return -EACCES; + } /* * Searching includes executable on directories, else just read. @@ -364,6 +356,14 @@ int generic_permission(struct inode *inode, int mask) if (mask == MAY_READ) if (capable_wrt_inode_uidgid(inode, CAP_DAC_READ_SEARCH)) return 0; + /* + * Read/write DACs are always overridable. + * Executable DACs are overridable when there is + * at least one exec bit set. + */ + if (!(mask & MAY_EXEC) || (inode->i_mode & S_IXUGO)) + if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE)) + return 0; return -EACCES; }