[77/97] LSM: Correct handling of ENOSYS in inode_setxattr

Message ID	20190228224356.2608-8-casey@schaufler-ca.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <linux-security-module-owner@kernel.org> From: Casey Schaufler <casey@schaufler-ca.com> To: jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com Subject: [PATCH 77/97] LSM: Correct handling of ENOSYS in inode_setxattr Date: Thu, 28 Feb 2019 14:43:36 -0800 Message-Id: <20190228224356.2608-8-casey@schaufler-ca.com> In-Reply-To: <20190228224356.2608-1-casey@schaufler-ca.com> References: <20190228224356.2608-1-casey@schaufler-ca.com> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk
Series	LSM: Complete module stacking \| expand [00/97] LSM: Complete module stacking [71/97] LSM: Add secmark refcounting to call_one list [72/97] LSM: Add secmark refcounting to call_one list - part 2 [73/97] LSM: refactor security_setprocattr [74/97] Smack: Detect if secmarks can be safely used [75/97] LSM: Support multiple LSMs using inode_init_security [76/97] LSM: Use full security context in security_inode_setsecctx [77/97] LSM: Correct handling of ENOSYS in inode_setxattr [78/97] LSM: Infrastructure security blobs for mount options [79/97] LSM: Fix for security_init_inode_security [80/97] Smack: Advertise the secid to netlabel [81/97] LSM: Change error detection for UDP peer security [82/97] Smack: Fix setting of the CIPSO MLS_CAT flags [83/97] Smack: Set netlabel flags properly on new label import [84/97] Netlabel: Add a secattr comparison API function [85/97] Smack: Let netlabel do the work on the ambient domain [86/97] Smack: Don't set the socket label on each send [87/97] Smack: Let netlabel do the work on connections [88/97] Netlabel: Return the labeling type on socket [89/97] Netlabel: Return the labeling type on socket [90/97] Netlabel: Return the labeling type on socket [91/97] Netlabel: Return the labeling type on socket [92/97] LSM: Remember the NLTYPE of netlabel sockets [93/97] Smack: Use the NLTYPE on output [94/97] LSM: Hook for netlabel reconciliation [95/97] LSM: Avoid network conflicts in SELinux and Smack [96/97] LSM: Apply Netlabel consitancy checks on send and connect [97/97] Smack: Remove the exclusive bit

Message ID

20190228224356.2608-8-casey@schaufler-ca.com (mailing list archive)

State

New, archived

Headers

From: Casey Schaufler <casey@schaufler-ca.com>
To: jmorris@namei.org, linux-security-module@vger.kernel.org,
        selinux@vger.kernel.org
Cc: keescook@chromium.org, john.johansen@canonical.com,
        penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com
Subject: [PATCH 77/97] LSM: Correct handling of ENOSYS in inode_setxattr
Date: Thu, 28 Feb 2019 14:43:36 -0800
Message-Id: <20190228224356.2608-8-casey@schaufler-ca.com>
In-Reply-To: <20190228224356.2608-1-casey@schaufler-ca.com>
References: <20190228224356.2608-1-casey@schaufler-ca.com>
Sender: owner-linux-security-module@vger.kernel.org
Precedence: bulk

Series

LSM: Complete module stacking | expand

Commit Message

Casey Schaufler Feb. 28, 2019, 10:43 p.m. UTC

The usual "bail on fail" behavior of LSM hooks doesn't
work for security_inode_setxattr(). Modules are allowed
to return -ENOSYS if the attribute specifed isn't one
they manage. Fix the code to accomodate this unusal case.
This requires changes to the hooks in SELinux and Smack.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
 security/security.c        | 28 ++++++++++++++--------------
 security/selinux/hooks.c   |  7 ++-----
 security/smack/smack_lsm.c | 10 +++++-----
 3 files changed, 21 insertions(+), 24 deletions(-)

diff --git a/security/security.c b/security/security.c
index bb0eea873a7e..105b5ee22bcf 100644
--- a/security/security.c
+++ b/security/security.c
@@ -1343,24 +1343,24 @@  int security_inode_getattr(const struct path *path)
 int security_inode_setxattr(struct dentry *dentry, const char *name,
 			    const void *value, size_t size, int flags)
 {
-	int ret;
+	struct security_hook_list *hp;
+	int rc = -ENOSYS;
 
 	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
 		return 0;
-	/*
-	 * SELinux and Smack integrate the cap call,
-	 * so assume that all LSMs supplying this call do so.
-	 */
-	ret = call_int_hook(inode_setxattr, 1, dentry, name, value, size,
-				flags);
 
-	if (ret == 1)
-		ret = cap_inode_setxattr(dentry, name, value, size, flags);
-	if (ret)
-		return ret;
-	ret = ima_inode_setxattr(dentry, name, value, size);
-	if (ret)
-		return ret;
+	hlist_for_each_entry(hp, &security_hook_heads.inode_setxattr, list) {
+		rc = hp->hook.inode_setxattr(dentry, name, value, size, flags);
+		if (rc != -ENOSYS)
+			break;
+	}
+	if (rc == -ENOSYS)
+		rc = cap_inode_setxattr(dentry, name, value, size, flags);
+	if (rc)
+		return rc;
+	rc = ima_inode_setxattr(dentry, name, value, size);
+	if (rc)
+		return rc;
 	return evm_inode_setxattr(dentry, name, value, size);
 }
 
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index f58c96e2b6c1..501aed18f100 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2998,13 +2998,10 @@  static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
 	int rc = 0;
 
 	if (strcmp(name, XATTR_NAME_SELINUX)) {
-		rc = cap_inode_setxattr(dentry, name, value, size, flags);
-		if (rc)
-			return rc;
-
 		/* Not an attribute we recognize, so just check the
 		   ordinary setattr permission. */
-		return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
+		rc = dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
+		return rc ? rc : -ENOSYS;
 	}
 
 	sbsec = selinux_superblock(inode->i_sb);
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index c45e2dc3f959..c84c71a31b80 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -1194,7 +1194,7 @@  static int smack_inode_setxattr(struct dentry *dentry, const char *name,
 		    strncmp(value, TRANS_TRUE, TRANS_TRUE_SIZE) != 0)
 			rc = -EINVAL;
 	} else
-		rc = cap_inode_setxattr(dentry, name, value, size, flags);
+		rc = -ENOSYS;
 
 	if (check_priv && !smack_privileged(CAP_MAC_ADMIN))
 		rc = -EPERM;
@@ -1208,11 +1208,11 @@  static int smack_inode_setxattr(struct dentry *dentry, const char *name,
 			rc = -EINVAL;
 	}
 
-	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY);
-	smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
-
 	if (rc == 0) {
-		rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad);
+		smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY);
+		smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
+		rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)),
+				MAY_WRITE, &ad);
 		rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc);
 	}

[77/97] LSM: Correct handling of ENOSYS in inode_setxattr

Commit Message

Patch