From patchwork Wed Sep 28 16:08:24 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Christian Brauner X-Patchwork-Id: 12992501 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id A193AC04A95 for ; Wed, 28 Sep 2022 16:13:36 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234534AbiI1QNe (ORCPT ); Wed, 28 Sep 2022 12:13:34 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57746 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234457AbiI1QNU (ORCPT ); Wed, 28 Sep 2022 12:13:20 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 191668683A; Wed, 28 Sep 2022 09:13:18 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id AA147B8214D; Wed, 28 Sep 2022 16:13:17 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 00496C433D7; Wed, 28 Sep 2022 16:13:13 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1664381596; bh=n55Uy3v4zGJJiKbXY2RW8eOQMf7e2bWtM0CE5ysw6BM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=jPgGeoFt2AZsjM0qb8W4plVawIbkdiMVFRX/SXji47JENYdbepA5+i5vj6U39mk06 5nW9OycDEva5rNCoHZ5EGtnuo95Aqwc3CTji/9WokQ9927N9NNpRgAw/tppxSH8iAk 1JszKWq4nnTJWrUM6aPQSKUQBmn0EwE+IC3qkBqTWBb/pyVJAiq3zHKqAUBK+nCs7N trZDXvIeefX53Ae/b05iN73qnqUECR2V2CDTxdkDwVEbaeRRzkoWmEh8POHE8yn0xq pGYqc6OijtHnnCV/v4DU59iAn+XndKNzAdGi0fplDRPLZ2v7vqNv549gClhXOHQYH1 Z/nEDrt9EI9Rw== From: Christian Brauner To: linux-fsdevel@vger.kernel.org Cc: Christian Brauner , Seth Forshee , Christoph Hellwig , Al Viro , linux-integrity@vger.kernel.org, Paul Moore , Stephen Smalley , Eric Paris , selinux@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH v3 10/29] selinux: implement get, set and remove acl hook Date: Wed, 28 Sep 2022 18:08:24 +0200 Message-Id: <20220928160843.382601-11-brauner@kernel.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20220928160843.382601-1-brauner@kernel.org> References: <20220928160843.382601-1-brauner@kernel.org> MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=3679; i=brauner@kernel.org; h=from:subject; bh=n55Uy3v4zGJJiKbXY2RW8eOQMf7e2bWtM0CE5ysw6BM=; b=owGbwMvMwCU28Zj0gdSKO4sYT6slMSSbFFYfvfBMvEWfv1s7NblE8QdrffjDE1IJLb4S2+xkn6e3 PcjtKGVhEONikBVTZHFoNwmXW85TsdkoUwNmDisTyBAGLk4BmEhDMcM/dVE934Z1Dcar7hw8OuUYk2 d5UvOT7vSvos0eM9TatgkvY/ifxG6qkN8Yk+HlsOR5/W9ly7M2e+cL3FCQNlqVsFqKPZARAA== X-Developer-Key: i=brauner@kernel.org; a=openpgp; fpr=4880B8C9BD0E5106FC070F4F7B3C391EFEA93624 Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org The current way of setting and getting posix acls through the generic xattr interface is error prone and type unsafe. The vfs needs to interpret and fixup posix acls before storing or reporting it to userspace. Various hacks exist to make this work. The code is hard to understand and difficult to maintain in it's current form. Instead of making this work by hacking posix acls through xattr handlers we are building a dedicated posix acl api around the get and set inode operations. This removes a lot of hackiness and makes the codepaths easier to maintain. A lot of background can be found in [1]. So far posix acls were passed as a void blob to the security and integrity modules. Some of them like evm then proceed to interpret the void pointer and convert it into the kernel internal struct posix acl representation to perform their integrity checking magic. This is obviously pretty problematic as that requires knowledge that only the vfs is guaranteed to have and has lead to various bugs. Add a proper security hook for setting posix acls and pass down the posix acls in their appropriate vfs format instead of hacking it through a void pointer stored in the uapi format. I spent considerate time in the security module infrastructure and audited all codepaths. SELinux has no restrictions based on the posix acl values passed through it. The capability hook doesn't need to be called either because it only has restrictions on security.* xattrs. So these are all fairly simply hooks for SELinux. Link: https://lore.kernel.org/all/20220801145520.1532837-1-brauner@kernel.org [1] Signed-off-by: Christian Brauner (Microsoft) --- Notes: /* v2 */ unchanged /* v3 */ Paul Moore : - Add get, and remove acl hook security/selinux/hooks.c | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 79573504783b..0e3cd67e5e92 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3239,6 +3239,27 @@ static int selinux_inode_setxattr(struct user_namespace *mnt_userns, &ad); } +static int selinux_inode_set_acl(struct user_namespace *mnt_userns, + struct dentry *dentry, const char *acl_name, + struct posix_acl *kacl) +{ + return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); +} + +static int selinux_inode_get_acl(struct user_namespace *mnt_userns, + struct dentry *dentry, const char *acl_name) +{ + const struct cred *cred = current_cred(); + + return dentry_has_perm(cred, dentry, FILE__GETATTR); +} + +static int selinux_inode_remove_acl(struct user_namespace *mnt_userns, + struct dentry *dentry, const char *acl_name) +{ + return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); +} + static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name, const void *value, size_t size, int flags) @@ -7063,6 +7084,9 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr), LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr), LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr), + LSM_HOOK_INIT(inode_set_acl, selinux_inode_set_acl), + LSM_HOOK_INIT(inode_get_acl, selinux_inode_get_acl), + LSM_HOOK_INIT(inode_remove_acl, selinux_inode_remove_acl), LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity), LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity), LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity), From patchwork Wed Sep 28 16:08:26 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Christian Brauner X-Patchwork-Id: 12992503 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 20373C6FA90 for ; Wed, 28 Sep 2022 16:13:39 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234580AbiI1QNh (ORCPT ); Wed, 28 Sep 2022 12:13:37 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57860 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234481AbiI1QNY (ORCPT ); Wed, 28 Sep 2022 12:13:24 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 77C6396FF1; Wed, 28 Sep 2022 09:13:22 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id B0D3461F29; Wed, 28 Sep 2022 16:13:21 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 3E7DDC433D7; Wed, 28 Sep 2022 16:13:19 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1664381601; bh=4rZdwFtSQG2QKwWsuW858MHTw3Eht5G7s1fQQA7XZVM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=bG5xkaMQ/r/nt/Hms/V2iduapj/W6chicOPo+Wd1UCJdGRwMSq0k2NLsqgUfAGCW0 /jkefnbjQE/JUooycXcqaQAxVw0nA8GAHXwOUrIvCCPZb7Mtir0I9RUKYGUk8p0zlc 5XD7H1LJi1UUXvKua5Wc7Oa+bz8SuvkA6LHoKgFF4W8BwkQiHONOjGsqQ0Q/YA1kxV rJ+wb1DCPuvx6qnspOancPPiRVh1pl/Xi5aj26QjpOKRlkh2LXuuiMgsgRaEio8mgK ymkd3o4L6UKSWlaNjY7ANA2/4pQzB08tZJSm11LAgWRLbBFBBs+60Dv9U0gLXGOeCh 42mvdT0b6H8ZQ== From: Christian Brauner To: linux-fsdevel@vger.kernel.org Cc: Christian Brauner , Seth Forshee , Christoph Hellwig , Al Viro , Mimi Zohar , linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH v3 12/29] integrity: implement get and set acl hook Date: Wed, 28 Sep 2022 18:08:26 +0200 Message-Id: <20220928160843.382601-13-brauner@kernel.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20220928160843.382601-1-brauner@kernel.org> References: <20220928160843.382601-1-brauner@kernel.org> MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=10861; i=brauner@kernel.org; h=from:subject; bh=4rZdwFtSQG2QKwWsuW858MHTw3Eht5G7s1fQQA7XZVM=; b=owGbwMvMwCU28Zj0gdSKO4sYT6slMSSbFNZsVGSakyl/6LyNcd2RKbObahy1r3Aeexx8667axH31 Sls0OkpZGMS4GGTFFFkc2k3C5ZbzVGw2ytSAmcPKBDKEgYtTACay+iQjw3wGIZ3aDkd5w7SF7WZJXN 0+RTo1PpZhLi9s/tsdZQ7QZ2T4xLDfxc6TYctDo0spt6wOrvze+7np6b7JxzadX2XU/caNHQA= X-Developer-Key: i=brauner@kernel.org; a=openpgp; fpr=4880B8C9BD0E5106FC070F4F7B3C391EFEA93624 Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org The current way of setting and getting posix acls through the generic xattr interface is error prone and type unsafe. The vfs needs to interpret and fixup posix acls before storing or reporting it to userspace. Various hacks exist to make this work. The code is hard to understand and difficult to maintain in it's current form. Instead of making this work by hacking posix acls through xattr handlers we are building a dedicated posix acl api around the get and set inode operations. This removes a lot of hackiness and makes the codepaths easier to maintain. A lot of background can be found in [1]. So far posix acls were passed as a void blob to the security and integrity modules. Some of them like evm then proceed to interpret the void pointer and convert it into the kernel internal struct posix acl representation to perform their integrity checking magic. This is obviously pretty problematic as that requires knowledge that only the vfs is guaranteed to have and has lead to various bugs. Add a proper security hook for setting posix acls and pass down the posix acls in their appropriate vfs format instead of hacking it through a void pointer stored in the uapi format. I spent considerate time in the security module and integrity infrastructure and audited all codepaths. EVM is the only part that really has restrictions based on the actual posix acl values passed through it. Before this dedicated hook EVM used to translate from the uapi posix acl format sent to it in the form of a void pointer into the vfs format. This is not a good thing. Instead of hacking around in the uapi struct give EVM the posix acls in the appropriate vfs format and perform sane permissions checks that mirror what it used to to in the generic xattr hook. IMA doesn't have any restrictions on posix acls. When posix acls are changed it just wants to update its appraisal status. The removal of posix acls is equivalent to passing NULL to the posix set acl hooks. This is the same as before through the generic xattr api. Link: https://lore.kernel.org/all/20220801145520.1532837-1-brauner@kernel.org [1] Signed-off-by: Christian Brauner (Microsoft) --- Notes: /* v2 */ unchanged /* v3 */ Paul Moore : - Add get, and remove acl hook include/linux/evm.h | 23 +++++++++ include/linux/ima.h | 21 ++++++++ security/integrity/evm/evm_main.c | 70 ++++++++++++++++++++++++++- security/integrity/ima/ima_appraise.c | 9 ++++ security/security.c | 21 +++++++- 5 files changed, 141 insertions(+), 3 deletions(-) diff --git a/include/linux/evm.h b/include/linux/evm.h index aa63e0b3c0a2..86139be48992 100644 --- a/include/linux/evm.h +++ b/include/linux/evm.h @@ -35,6 +35,15 @@ extern int evm_inode_removexattr(struct user_namespace *mnt_userns, struct dentry *dentry, const char *xattr_name); extern void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name); +extern int evm_inode_set_acl(struct user_namespace *mnt_userns, + struct dentry *dentry, const char *acl_name, + struct posix_acl *kacl); +static inline int evm_inode_remove_acl(struct user_namespace *mnt_userns, + struct dentry *dentry, + const char *acl_name) +{ + return evm_inode_set_acl(mnt_userns, dentry, acl_name, NULL); +} extern int evm_inode_init_security(struct inode *inode, const struct xattr *xattr_array, struct xattr *evm); @@ -108,6 +117,20 @@ static inline void evm_inode_post_removexattr(struct dentry *dentry, return; } +static inline int evm_inode_set_acl(struct user_namespace *mnt_userns, + struct dentry *dentry, const char *acl_name, + struct posix_acl *kacl) +{ + return 0; +} + +static inline int evm_inode_remove_acl(struct user_namespace *mnt_userns, + struct dentry *dentry, + const char *acl_name) +{ + return 0; +} + static inline int evm_inode_init_security(struct inode *inode, const struct xattr *xattr_array, struct xattr *evm) diff --git a/include/linux/ima.h b/include/linux/ima.h index 81708ca0ebc7..ad4353947cdf 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h @@ -187,6 +187,15 @@ extern void ima_inode_post_setattr(struct user_namespace *mnt_userns, struct dentry *dentry); extern int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name, const void *xattr_value, size_t xattr_value_len); +extern int ima_inode_set_acl(struct user_namespace *mnt_userns, + struct dentry *dentry, const char *acl_name, + struct posix_acl *kacl); +static inline int ima_inode_remove_acl(struct user_namespace *mnt_userns, + struct dentry *dentry, + const char *acl_name) +{ + return ima_inode_set_acl(mnt_userns, dentry, acl_name, NULL); +} extern int ima_inode_removexattr(struct dentry *dentry, const char *xattr_name); #else static inline bool is_ima_appraise_enabled(void) @@ -208,11 +217,23 @@ static inline int ima_inode_setxattr(struct dentry *dentry, return 0; } +static inline int ima_inode_set_acl(struct user_namespace *mnt_userns, + struct dentry *dentry, const char *acl_name, + struct posix_acl *kacl) +{ +} + static inline int ima_inode_removexattr(struct dentry *dentry, const char *xattr_name) { return 0; } + +static inline ima_inode_remove_acl(struct user_namespace *mnt_userns, + struct dentry *dentry, const char *acl_name) +{ + return 0; +} #endif /* CONFIG_IMA_APPRAISE */ #if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING) diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c index 23d484e05e6f..7904786b610f 100644 --- a/security/integrity/evm/evm_main.c +++ b/security/integrity/evm/evm_main.c @@ -8,7 +8,7 @@ * * File: evm_main.c * implements evm_inode_setxattr, evm_inode_post_setxattr, - * evm_inode_removexattr, and evm_verifyxattr + * evm_inode_removexattr, evm_verifyxattr, and evm_inode_set_acl. */ #define pr_fmt(fmt) "EVM: "fmt @@ -670,6 +670,74 @@ int evm_inode_removexattr(struct user_namespace *mnt_userns, return evm_protect_xattr(mnt_userns, dentry, xattr_name, NULL, 0); } +static int evm_inode_set_acl_change(struct user_namespace *mnt_userns, + struct dentry *dentry, const char *name, + struct posix_acl *kacl) +{ +#ifdef CONFIG_FS_POSIX_ACL + int rc; + + umode_t mode; + struct inode *inode = d_backing_inode(dentry); + + if (!kacl) + return 1; + + rc = posix_acl_update_mode(mnt_userns, inode, &mode, &kacl); + if (rc || (inode->i_mode != mode)) + return 1; +#endif + return 0; +} + +/** + * evm_inode_set_acl - protect the EVM extended attribute for posix acls + * @mnt_userns: user namespace of the idmapped mount + * @dentry: pointer to the affected dentry + * @acl_name: name of the posix acl + * @kacl: pointer to the posix acls + */ +int evm_inode_set_acl(struct user_namespace *mnt_userns, struct dentry *dentry, + const char *acl_name, struct posix_acl *kacl) +{ + enum integrity_status evm_status; + + /* Policy permits modification of the protected xattrs even though + * there's no HMAC key loaded + */ + if (evm_initialized & EVM_ALLOW_METADATA_WRITES) + return 0; + + evm_status = evm_verify_current_integrity(dentry); + if ((evm_status == INTEGRITY_PASS) || + (evm_status == INTEGRITY_NOXATTRS)) + return 0; + + /* Exception if the HMAC is not going to be calculated. */ + if (evm_hmac_disabled() && (evm_status == INTEGRITY_NOLABEL || + evm_status == INTEGRITY_UNKNOWN)) + return 0; + + /* + * Writing other xattrs is safe for portable signatures, as portable + * signatures are immutable and can never be updated. + */ + if (evm_status == INTEGRITY_FAIL_IMMUTABLE) + return 0; + + if (evm_status == INTEGRITY_PASS_IMMUTABLE && + !evm_inode_set_acl_change(mnt_userns, dentry, acl_name, kacl)) + return 0; + + if (evm_status != INTEGRITY_PASS && + evm_status != INTEGRITY_PASS_IMMUTABLE) + integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry), + dentry->d_name.name, "appraise_metadata", + integrity_status_msg[evm_status], + -EPERM, 0); + return evm_status == INTEGRITY_PASS ? 0 : -EPERM; +} + static void evm_reset_status(struct inode *inode) { struct integrity_iint_cache *iint; diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index bde74fcecee3..698a8ae2fe3e 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -770,6 +770,15 @@ int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name, return result; } +int ima_inode_set_acl(struct user_namespace *mnt_userns, struct dentry *dentry, + const char *acl_name, struct posix_acl *kacl) +{ + if (evm_revalidate_status(acl_name)) + ima_reset_appraise_flags(d_backing_inode(dentry), 0); + + return 0; +} + int ima_inode_removexattr(struct dentry *dentry, const char *xattr_name) { int result; diff --git a/security/security.c b/security/security.c index 0fc9aff39f63..f28725a06f94 100644 --- a/security/security.c +++ b/security/security.c @@ -1374,9 +1374,18 @@ int security_inode_set_acl(struct user_namespace *mnt_userns, struct dentry *dentry, const char *acl_name, struct posix_acl *kacl) { + int ret; + if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) return 0; - return call_int_hook(inode_set_acl, 0, mnt_userns, dentry, acl_name, kacl); + ret = call_int_hook(inode_set_acl, 0, mnt_userns, dentry, acl_name, + kacl); + if (ret) + return ret; + ret = ima_inode_set_acl(mnt_userns, dentry, acl_name, kacl); + if (ret) + return ret; + return evm_inode_set_acl(mnt_userns, dentry, acl_name, kacl); } int security_inode_get_acl(struct user_namespace *mnt_userns, @@ -1390,9 +1399,17 @@ int security_inode_get_acl(struct user_namespace *mnt_userns, int security_inode_remove_acl(struct user_namespace *mnt_userns, struct dentry *dentry, const char *acl_name) { + int ret; + if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) return 0; - return call_int_hook(inode_remove_acl, 0, mnt_userns, dentry, acl_name); + ret = call_int_hook(inode_remove_acl, 0, mnt_userns, dentry, acl_name); + if (ret) + return ret; + ret = ima_inode_remove_acl(mnt_userns, dentry, acl_name); + if (ret) + return ret; + return evm_inode_remove_acl(mnt_userns, dentry, acl_name); } void security_inode_post_setxattr(struct dentry *dentry, const char *name, From patchwork Wed Sep 28 16:08:27 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Christian Brauner X-Patchwork-Id: 12992502 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id F0C16C6FA92 for ; Wed, 28 Sep 2022 16:13:37 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234299AbiI1QNg (ORCPT ); Wed, 28 Sep 2022 12:13:36 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57746 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234550AbiI1QNb (ORCPT ); Wed, 28 Sep 2022 12:13:31 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7145B97528; Wed, 28 Sep 2022 09:13:27 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 198CDB820FA; Wed, 28 Sep 2022 16:13:25 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 96668C43470; Wed, 28 Sep 2022 16:13:21 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1664381603; bh=b3gB2/tZ/ar0HvnCiBSOOYD4rc846nc+lFia47BkhEo=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Makb5PoEjneSPYFcsETWp9IkEg+vtGVQ2l3yZxa3KvEWvLNMymPvmSwQhcmlPnStX /86Gx9Swas++rKJmQOL+etYFAvxfIHZI0+xoZ4rLC5Ayw14CVk5HlDvQ89bqu4qGCZ /bHB60s0J1itFOGhVpixveecw9TrVLnMY//2aGN8vMRK4T3rsPy8jziR8cXidAFlKH NWd5/8dz//BKg0xWCGDdnnaFPgUp+cDm/XypqoPB6T95Nbt/ZltIBhDTrHQnQB+nVX SDuo4GadGhmn1+UsjL2JH/SGaD3gEWfXTexo2FfSBLUuXfcEuCZwzaqWkKQPDup1+f a2J8pXOjflyWQ== From: Christian Brauner To: linux-fsdevel@vger.kernel.org Cc: Christian Brauner , Seth Forshee , Christoph Hellwig , Al Viro , Mimi Zohar , linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, Paul Moore Subject: [PATCH v3 13/29] evm: add post set acl hook Date: Wed, 28 Sep 2022 18:08:27 +0200 Message-Id: <20220928160843.382601-14-brauner@kernel.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20220928160843.382601-1-brauner@kernel.org> References: <20220928160843.382601-1-brauner@kernel.org> MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=2983; i=brauner@kernel.org; h=from:subject; bh=b3gB2/tZ/ar0HvnCiBSOOYD4rc846nc+lFia47BkhEo=; b=owGbwMvMwCU28Zj0gdSKO4sYT6slMSSbFNas1+0w1k0xnHCIj8NU51PuVeZE1hs3bmmlTaxaJdqz m+lKRykLgxgXg6yYIotDu0m43HKeis1GmRowc1iZQIYwcHEKwERYpBkZfvxWO+biPyWZY+/OVRw8zJ O2T0xdF9TxzSr7XLCsvXYCHyPDtDyZtCXyLHOsLj06z6T2ftbpe8v+Jyc/fH6+ZJPAsvmt3AA= X-Developer-Key: i=brauner@kernel.org; a=openpgp; fpr=4880B8C9BD0E5106FC070F4F7B3C391EFEA93624 Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org The security_inode_post_setxattr() hook is used by security modules to update their own security.* xattrs. Consequently none of the security modules operate on posix acls. So we don't need an additional security hook when post setting posix acls. However, the integrity subsystem wants to be informed about posix acl changes and specifically evm to update their hashes when the xattrs change. The callchain for evm_inode_post_setxattr() is: -> evm_inode_post_setxattr() -> evm_update_evmxattr() -> evm_calc_hmac() -> evm_calc_hmac_or_hash() and evm_cacl_hmac_or_hash() walks the global list of protected xattr names evm_config_xattrnames. This global list can be modified via /sys/security/integrity/evm/evm_xattrs. The write to "evm_xattrs" is restricted to security.* xattrs and the default xattrs in evm_config_xattrnames only contains security.* xattrs as well. So the actual value for posix acls is currently completely irrelevant for evm during evm_inode_post_setxattr() and frankly it should stay that way in the future to not cause the vfs any more headaches. But if the actual posix acl values matter then evm shouldn't operate on the binary void blob and try to hack around in the uapi struct anyway. Instead it should then in the future add a dedicated hook which takes a struct posix_acl argument passing the posix acls in the proper vfs format. For now it is sufficient to make evm_inode_post_set_acl() a wrapper around evm_inode_post_setxattr() not passing any actual values down. This will still cause the hashes to be updated as before. Reviewed-by: Paul Moore Signed-off-by: Christian Brauner (Microsoft) --- Notes: /* v2 */ unchanged /* v3 */ Reviewed-by: Paul Moore include/linux/evm.h | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/include/linux/evm.h b/include/linux/evm.h index 86139be48992..117ac01b2432 100644 --- a/include/linux/evm.h +++ b/include/linux/evm.h @@ -44,6 +44,12 @@ static inline int evm_inode_remove_acl(struct user_namespace *mnt_userns, { return evm_inode_set_acl(mnt_userns, dentry, acl_name, NULL); } +static inline void evm_inode_post_set_acl(struct dentry *dentry, + const char *acl_name, + struct posix_acl *kacl) +{ + return evm_inode_post_setxattr(dentry, acl_name, NULL, 0); +} extern int evm_inode_init_security(struct inode *inode, const struct xattr *xattr_array, struct xattr *evm); @@ -131,6 +137,13 @@ static inline int evm_inode_remove_acl(struct user_namespace *mnt_userns, return 0; } +static inline void evm_inode_post_set_acl(struct dentry *dentry, + const char *acl_name, + struct posix_acl *kacl) +{ + return; +} + static inline int evm_inode_init_security(struct inode *inode, const struct xattr *xattr_array, struct xattr *evm) From patchwork Wed Sep 28 16:08:28 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Christian Brauner X-Patchwork-Id: 12992504 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4CEE2C54EE9 for ; Wed, 28 Sep 2022 16:13:41 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234589AbiI1QNi (ORCPT ); Wed, 28 Sep 2022 12:13:38 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57806 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234408AbiI1QNe (ORCPT ); Wed, 28 Sep 2022 12:13:34 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 86B57DF38D; Wed, 28 Sep 2022 09:13:29 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 8A6B6B82154; Wed, 28 Sep 2022 16:13:27 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 49858C433B5; Wed, 28 Sep 2022 16:13:24 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1664381606; bh=EZHlpkz9u6zm0ensyEccWVlo+Xoh2vyGyYeA47Bs7c4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=I3SDk29eZMBPbHdenD6Wu1Fzc4P3J1EVoFEZuLoQAidonQzY8QuF/6bVP00C2XqFy dM/+mNIOI+KSpz5YIELEFkSpXxVQORI93FMIlAbtlzNZFsax32mPObVvM6wDG9Y3e0 edrreK887cPvXgK82ytuB2QgMXZUx5AMgJgEunEtRJn/vGV7dOxOztlU1VySttc6wK h2X6tPgfWSAJCorVxDrT7jbe1z+5/TOEGryRGUETpErsdtPOkkQ8Pw82xoHIcyVt67 +o2d5ENCa+yZ/zUbSNjbOAQbadpaLs3YVgd++4h6wbXx9yshodpMF/A2rF2vycLqho cX9LfhBr5/JbQ== From: Christian Brauner To: linux-fsdevel@vger.kernel.org Cc: Christian Brauner , Seth Forshee , Christoph Hellwig , Al Viro , Mimi Zohar , linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH v3 14/29] acl: add vfs_set_acl() Date: Wed, 28 Sep 2022 18:08:28 +0200 Message-Id: <20220928160843.382601-15-brauner@kernel.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20220928160843.382601-1-brauner@kernel.org> References: <20220928160843.382601-1-brauner@kernel.org> MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=7018; i=brauner@kernel.org; h=from:subject; bh=EZHlpkz9u6zm0ensyEccWVlo+Xoh2vyGyYeA47Bs7c4=; b=owGbwMvMwCU28Zj0gdSKO4sYT6slMSSbFNaw7zq34eXqnQ8+zWJ9O2+Xx9zsN2+OuPw2z+lZLGp0 5H7LvI5SFgYxLgZZMUUWh3aTcLnlPBWbjTI1YOawMoEMYeDiFICJLFvC8D/I//muonq54D3rvl/9tu UF89Rcx6fvhC81c9725fB4s9iSkaH3ojE/j3KjYLL/xtQ37xbd2/H0poH7wf9bup7dzDswexYrAA== X-Developer-Key: i=brauner@kernel.org; a=openpgp; fpr=4880B8C9BD0E5106FC070F4F7B3C391EFEA93624 Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org In previous patches we implemented get and set inode operations for all non-stacking filesystems that support posix acls but didn't yet implement get and/or set acl inode operations. This specifically affected cifs and 9p. Now we can build a posix acl api based solely on get and set inode operations. We add a new vfs_set_acl() api that can be used to set posix acls. This finally removes all type unsafety and type conversion issues explained in detail in [1] that we aim to get rid of. After we finished building the vfs api we can switch stacking filesystems to rely on the new posix api and then finally switch the xattr system calls themselves to rely on the posix acl api. Link: https://lore.kernel.org/all/20220801145520.1532837-1-brauner@kernel.org [1] Signed-off-by: Christian Brauner (Microsoft) --- Notes: /* v2 */ unchanged /* v3 */ unchanged fs/posix_acl.c | 115 ++++++++++++++++++++++++++++++++++++++ fs/xattr.c | 5 +- include/linux/posix_acl.h | 10 ++++ include/linux/xattr.h | 2 + 4 files changed, 129 insertions(+), 3 deletions(-) diff --git a/fs/posix_acl.c b/fs/posix_acl.c index 5b857f59535b..ef0908a4bc46 100644 --- a/fs/posix_acl.c +++ b/fs/posix_acl.c @@ -24,6 +24,9 @@ #include #include #include +#include +#include +#include static struct posix_acl **acl_by_type(struct inode *inode, int type) { @@ -1254,3 +1257,115 @@ int simple_acl_create(struct inode *dir, struct inode *inode) posix_acl_release(acl); return 0; } + +static inline int posix_acl_type(const char *name) +{ + if (strcmp(name, XATTR_NAME_POSIX_ACL_ACCESS) == 0) + return ACL_TYPE_ACCESS; + else if (strcmp(name, XATTR_NAME_POSIX_ACL_DEFAULT) == 0) + return ACL_TYPE_DEFAULT; + + return -1; +} + +static int vfs_set_acl_idmapped_mnt(struct user_namespace *mnt_userns, + struct user_namespace *fs_userns, + struct posix_acl *acl) +{ + for (int n = 0; n < acl->a_count; n++) { + struct posix_acl_entry *acl_e = &acl->a_entries[n]; + + switch (acl_e->e_tag) { + case ACL_USER: + acl_e->e_uid = from_vfsuid(mnt_userns, fs_userns, + VFSUIDT_INIT(acl_e->e_uid)); + break; + case ACL_GROUP: + acl_e->e_gid = from_vfsgid(mnt_userns, fs_userns, + VFSGIDT_INIT(acl_e->e_gid)); + break; + } + } + + return 0; +} + +/** + * vfs_set_acl - set posix acls + * @mnt_userns: user namespace of the mount + * @dentry: the dentry based on which to set the posix acls + * @acl_name: the name of the posix acl + * @kacl: the posix acls in the appropriate VFS format + * + * This function sets @kacl. The caller must all posix_acl_release() on @kacl + * afterwards. + * + * Return: On success 0, on error negative errno. + */ +int vfs_set_acl(struct user_namespace *mnt_userns, struct dentry *dentry, + const char *acl_name, struct posix_acl *kacl) +{ + int acl_type; + int error; + struct inode *inode = d_inode(dentry); + struct inode *delegated_inode = NULL; + + acl_type = posix_acl_type(acl_name); + if (acl_type < 0) + return -EINVAL; + + if (kacl) { + /* + * If we're on an idmapped mount translate from mount specific + * vfs{g,u}id_t into global filesystem k{g,u}id_t. + * Afterwards we can cache the POSIX ACLs filesystem wide and - + * if this is a filesystem with a backing store - ultimately + * translate them to backing store values. + */ + error = vfs_set_acl_idmapped_mnt(mnt_userns, i_user_ns(inode), kacl); + if (error) + return error; + } + +retry_deleg: + inode_lock(inode); + + /* + * We only care about restrictions the inode struct itself places upon + * us otherwise POSIX ACLs aren't subject to any VFS restrictions. + */ + error = xattr_permission(mnt_userns, inode, acl_name, MAY_WRITE); + if (error) + goto out_inode_unlock; + + error = security_inode_set_acl(mnt_userns, dentry, acl_name, kacl); + if (error) + goto out_inode_unlock; + + error = try_break_deleg(inode, &delegated_inode); + if (error) + goto out_inode_unlock; + + if (inode->i_opflags & IOP_XATTR) + error = set_posix_acl(mnt_userns, dentry, acl_type, kacl); + else if (unlikely(is_bad_inode(inode))) + error = -EIO; + else + error = -EOPNOTSUPP; + if (!error) { + fsnotify_xattr(dentry); + evm_inode_post_set_acl(dentry, acl_name, kacl); + } + +out_inode_unlock: + inode_unlock(inode); + + if (delegated_inode) { + error = break_deleg_wait(&delegated_inode); + if (!error) + goto retry_deleg; + } + + return error; +} +EXPORT_SYMBOL(vfs_set_acl); diff --git a/fs/xattr.c b/fs/xattr.c index 61107b6bbed2..e16d7bde4935 100644 --- a/fs/xattr.c +++ b/fs/xattr.c @@ -84,9 +84,8 @@ xattr_resolve_name(struct inode *inode, const char **name) * Check permissions for extended attribute access. This is a bit complicated * because different namespaces have very different rules. */ -static int -xattr_permission(struct user_namespace *mnt_userns, struct inode *inode, - const char *name, int mask) +int xattr_permission(struct user_namespace *mnt_userns, struct inode *inode, + const char *name, int mask) { /* * We can never set or remove an extended attribute on a read-only diff --git a/include/linux/posix_acl.h b/include/linux/posix_acl.h index cd16a756cd1e..85a5671204c4 100644 --- a/include/linux/posix_acl.h +++ b/include/linux/posix_acl.h @@ -99,6 +99,9 @@ static inline void cache_no_acl(struct inode *inode) inode->i_acl = NULL; inode->i_default_acl = NULL; } + +int vfs_set_acl(struct user_namespace *mnt_userns, struct dentry *dentry, + const char *acl_name, struct posix_acl *kacl); #else static inline int posix_acl_chmod(struct user_namespace *mnt_userns, struct dentry *dentry, umode_t mode) @@ -126,6 +129,13 @@ static inline int posix_acl_create(struct inode *inode, umode_t *mode, static inline void forget_all_cached_acls(struct inode *inode) { } + +static inline int vfs_set_acl(struct user_namespace *mnt_userns, + struct dentry *dentry, const char *name, + struct posix_acl *acl) +{ + return 0; +} #endif /* CONFIG_FS_POSIX_ACL */ struct posix_acl *get_acl(struct inode *inode, int type); diff --git a/include/linux/xattr.h b/include/linux/xattr.h index 4c379d23ec6e..8267e547e631 100644 --- a/include/linux/xattr.h +++ b/include/linux/xattr.h @@ -73,6 +73,8 @@ ssize_t vfs_getxattr_alloc(struct user_namespace *mnt_userns, char **xattr_value, size_t size, gfp_t flags); int xattr_supported_namespace(struct inode *inode, const char *prefix); +int xattr_permission(struct user_namespace *mnt_userns, struct inode *inode, + const char *name, int mask); static inline const char *xattr_prefix(const struct xattr_handler *handler) { From patchwork Wed Sep 28 16:08:38 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Christian Brauner X-Patchwork-Id: 12992505 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 72EE0C32771 for ; Wed, 28 Sep 2022 16:16:01 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234125AbiI1QQA (ORCPT ); Wed, 28 Sep 2022 12:16:00 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58574 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234161AbiI1QOg (ORCPT ); Wed, 28 Sep 2022 12:14:36 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A27B1DF393; Wed, 28 Sep 2022 09:13:52 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id D264561ED7; Wed, 28 Sep 2022 16:13:51 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 352BCC433D7; Wed, 28 Sep 2022 16:13:49 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1664381631; bh=tSWSc0RzHXYJdQPae3JpE6xvY1f+QZmrBPNCIoz96UI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=tbf98rHwWzLZgiVzkAExTN+sch+GFxxoomo1Z7WSTfWt5Q6leEpWQvei1Msl2H4Cz jsWAiM47OJTVMAp6/UTSlElDbvlB6NSFGihtbFOEZw9eBm2P9wa5u80hDPTZfeWp70 2KNP/A7g194DiJ25PiNCtm7nh9rXVglImNBoSRiBx4MzeSJnIDnsd5qWx0p0C/ZnI1 VRekXv20WfqNKxDGAzcqsOU8n8fDqbsJg5Ln+Gf7cTEOIgAjeg0W2N9aeN0NgETb+D MV06/OYHNLKj78Wz0kBn5xczCDwXoE+H/XVpKdlzXJH2+kMyqa7woeA+X8X9iuf1PY 018SWZ6BN3/dg== From: Christian Brauner To: linux-fsdevel@vger.kernel.org Cc: Christian Brauner , Seth Forshee , Christoph Hellwig , Al Viro , Mimi Zohar , linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, Paul Moore Subject: [PATCH v3 24/29] evm: remove evm_xattr_acl_change() Date: Wed, 28 Sep 2022 18:08:38 +0200 Message-Id: <20220928160843.382601-25-brauner@kernel.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20220928160843.382601-1-brauner@kernel.org> References: <20220928160843.382601-1-brauner@kernel.org> MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=3856; i=brauner@kernel.org; h=from:subject; bh=tSWSc0RzHXYJdQPae3JpE6xvY1f+QZmrBPNCIoz96UI=; b=owGbwMvMwCU28Zj0gdSKO4sYT6slMSSbFNat4Gm6wWOsoKh6oo5rh5vDh2leS72PR7o1h2t+OZtQ mvemo5SFQYyLQVZMkcWh3SRcbjlPxWajTA2YOaxMIEMYuDgFYCJnLjEynFm92G1qN6fo0gxbhsNxmR 1s339N5HpdfLUnc3XrZq0KDUaG+bzvlxz54DR31SHvdS+U+SdP2mFgzZbQ/CjvaOLF0jv/mAA= X-Developer-Key: i=brauner@kernel.org; a=openpgp; fpr=4880B8C9BD0E5106FC070F4F7B3C391EFEA93624 Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org The security and integrity infrastructure has dedicated hooks now so evm_xattr_acl_change() is dead code. Before this commit the callchain was: evm_protect_xattr() -> evm_xattr_change() -> evm_xattr_acl_change() where evm_protect_xattr() was hit from evm_inode_setxattr() and evm_inode_removexattr(). But now we have evm_inode_set_acl() and evm_inode_remove_acl() and have switched over the vfs to rely on the posix acl api so the code isn't hit anymore. Suggested-by: Paul Moore Signed-off-by: Christian Brauner (Microsoft) --- Notes: /* v2 */ unchanged /* v3 */ Paul Moore : - Remove evm_xattr_acl_change() completely. security/integrity/evm/evm_main.c | 64 ------------------------------- 1 file changed, 64 deletions(-) diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c index 7904786b610f..e0d120383870 100644 --- a/security/integrity/evm/evm_main.c +++ b/security/integrity/evm/evm_main.c @@ -434,66 +434,6 @@ static enum integrity_status evm_verify_current_integrity(struct dentry *dentry) return evm_verify_hmac(dentry, NULL, NULL, 0, NULL); } -/* - * evm_xattr_acl_change - check if passed ACL changes the inode mode - * @mnt_userns: user namespace of the idmapped mount - * @dentry: pointer to the affected dentry - * @xattr_name: requested xattr - * @xattr_value: requested xattr value - * @xattr_value_len: requested xattr value length - * - * Check if passed ACL changes the inode mode, which is protected by EVM. - * - * Returns 1 if passed ACL causes inode mode change, 0 otherwise. - */ -static int evm_xattr_acl_change(struct user_namespace *mnt_userns, - struct dentry *dentry, const char *xattr_name, - const void *xattr_value, size_t xattr_value_len) -{ -#ifdef CONFIG_FS_POSIX_ACL - umode_t mode; - struct posix_acl *acl = NULL, *acl_res; - struct inode *inode = d_backing_inode(dentry); - int rc; - - /* - * An earlier comment here mentioned that the idmappings for - * ACL_{GROUP,USER} don't matter since EVM is only interested in the - * mode stored as part of POSIX ACLs. Nonetheless, if it must translate - * from the uapi POSIX ACL representation to the VFS internal POSIX ACL - * representation it should do so correctly. There's no guarantee that - * we won't change POSIX ACLs in a way that ACL_{GROUP,USER} matters - * for the mode at some point and it's difficult to keep track of all - * the LSM and integrity modules and what they do to POSIX ACLs. - * - * Frankly, EVM shouldn't try to interpret the uapi struct for POSIX - * ACLs it received. It requires knowledge that only the VFS is - * guaranteed to have. - */ - acl = vfs_set_acl_prepare(mnt_userns, i_user_ns(inode), - xattr_value, xattr_value_len); - if (IS_ERR_OR_NULL(acl)) - return 1; - - acl_res = acl; - /* - * Passing mnt_userns is necessary to correctly determine the GID in - * an idmapped mount, as the GID is used to clear the setgid bit in - * the inode mode. - */ - rc = posix_acl_update_mode(mnt_userns, inode, &mode, &acl_res); - - posix_acl_release(acl); - - if (rc) - return 1; - - if (inode->i_mode != mode) - return 1; -#endif - return 0; -} - /* * evm_xattr_change - check if passed xattr value differs from current value * @mnt_userns: user namespace of the idmapped mount @@ -513,10 +453,6 @@ static int evm_xattr_change(struct user_namespace *mnt_userns, char *xattr_data = NULL; int rc = 0; - if (posix_xattr_acl(xattr_name)) - return evm_xattr_acl_change(mnt_userns, dentry, xattr_name, - xattr_value, xattr_value_len); - rc = vfs_getxattr_alloc(&init_user_ns, dentry, xattr_name, &xattr_data, 0, GFP_NOFS); if (rc < 0)