From: Roberto Sassu <roberto.sassu@huawei.com>
With the newly added ability of LSMs to supply multiple xattrs, set
SMACK64TRASMUTE in smack_inode_init_security(), instead of d_instantiate().
Do it by incrementing SMACK_INODE_INIT_XATTRS to 2 and by calling
lsm_get_xattr_slot() a second time, if the transmuting conditions are met.
The LSM infrastructure passes all xattrs provided by LSMs to the
filesystems through the initxattrs() callback, so that filesystems can
store xattrs in the disk.
After the change, the SMK_INODE_TRANSMUTE inode flag is always set by
d_instantiate() after fetching SMACK64TRANSMUTE from the disk. Before it
was done by smack_inode_post_setxattr() as result of the __vfs_setxattr()
call.
Removing __vfs_setxattr() also prevents invalidating the EVM HMAC, by
adding a new xattr without checking and updating the existing HMAC.
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
---
security/smack/smack.h | 2 +-
security/smack/smack_lsm.c | 43 +++++++++++++++++++++++---------------
2 files changed, 27 insertions(+), 18 deletions(-)
diff --git a/security/smack/smack.h b/security/smack/smack.h
index aa15ff56ed6..041688e5a77 100644
--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -128,7 +128,7 @@ struct task_smack {
#define SMK_INODE_INSTANT 0x01 /* inode is instantiated */
#define SMK_INODE_TRANSMUTE 0x02 /* directory is transmuting */
-#define SMK_INODE_CHANGED 0x04 /* smack was transmuted */
+#define SMK_INODE_CHANGED 0x04 /* smack was transmuted (unused) */
#define SMK_INODE_IMPURE 0x08 /* involved in an impure transaction */
/*
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index a1c30275692..b67d901ee74 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -52,7 +52,14 @@
#define SMK_RECEIVING 1
#define SMK_SENDING 2
-#define SMACK_INODE_INIT_XATTRS 1
+/*
+ * Smack uses multiple xattrs.
+ * SMACK64 - for access control,
+ * SMACK64TRANSMUTE - label initialization,
+ * Not saved on files - SMACK64IPIN and SMACK64IPOUT,
+ * Must be set explicitly - SMACK64EXEC and SMACK64MMAP
+ */
+#define SMACK_INODE_INIT_XATTRS 2
#ifdef SMACK_IPV6_PORT_LABELING
static DEFINE_MUTEX(smack_ipv6_lock);
@@ -935,7 +942,6 @@ static int smack_inode_init_security(struct inode *inode, struct inode *dir,
struct xattr *xattrs, int *xattr_count)
{
struct task_smack *tsp = smack_cred(current_cred());
- struct inode_smack *issp = smack_inode(inode);
struct smack_known *skp = smk_of_task(tsp);
struct smack_known *isp = smk_of_inode(inode);
struct smack_known *dsp = smk_of_inode(dir);
@@ -963,6 +969,8 @@ static int smack_inode_init_security(struct inode *inode, struct inode *dir,
if ((tsp->smk_task == tsp->smk_transmuted) ||
(may > 0 && ((may & MAY_TRANSMUTE) != 0) &&
smk_inode_transmutable(dir))) {
+ struct xattr *xattr_transmute;
+
/*
* The caller of smack_dentry_create_files_as()
* should have overridden the current cred, so the
@@ -971,7 +979,16 @@ static int smack_inode_init_security(struct inode *inode, struct inode *dir,
*/
if (tsp->smk_task != tsp->smk_transmuted)
isp = dsp;
- issp->smk_flags |= SMK_INODE_CHANGED;
+ xattr_transmute = lsm_get_xattr_slot(xattrs, xattr_count);
+ if (xattr_transmute) {
+ xattr_transmute->value = kmemdup(TRANS_TRUE,
+ TRANS_TRUE_SIZE, GFP_NOFS);
+ if (xattr_transmute->value == NULL)
+ return -ENOMEM;
+
+ xattr_transmute->value_len = TRANS_TRUE_SIZE;
+ xattr_transmute->name = XATTR_SMACK_TRANSMUTE;
+ }
}
xattr->value = kstrdup(isp->smk_known, GFP_NOFS);
@@ -3518,20 +3535,12 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
* If there is a transmute attribute on the
* directory mark the inode.
*/
- if (isp->smk_flags & SMK_INODE_CHANGED) {
- isp->smk_flags &= ~SMK_INODE_CHANGED;
- rc = __vfs_setxattr(&nop_mnt_idmap, dp, inode,
- XATTR_NAME_SMACKTRANSMUTE,
- TRANS_TRUE, TRANS_TRUE_SIZE,
- 0);
- } else {
- rc = __vfs_getxattr(dp, inode,
- XATTR_NAME_SMACKTRANSMUTE, trattr,
- TRANS_TRUE_SIZE);
- if (rc >= 0 && strncmp(trattr, TRANS_TRUE,
- TRANS_TRUE_SIZE) != 0)
- rc = -EINVAL;
- }
+ rc = __vfs_getxattr(dp, inode,
+ XATTR_NAME_SMACKTRANSMUTE, trattr,
+ TRANS_TRUE_SIZE);
+ if (rc >= 0 && strncmp(trattr, TRANS_TRUE,
+ TRANS_TRUE_SIZE) != 0)
+ rc = -EINVAL;
if (rc >= 0)
transflag = SMK_INODE_TRANSMUTE;
}
--
2.25.1Hi Roberto,
On Sat, 2023-06-03 at 21:15 +0200, Roberto Sassu wrote:
> From: Roberto Sassu <roberto.sassu@huawei.com>
>
> With the newly added ability of LSMs to supply multiple xattrs, set
> SMACK64TRASMUTE in smack_inode_init_security(), instead of d_instantiate().
> Do it by incrementing SMACK_INODE_INIT_XATTRS to 2 and by calling
> lsm_get_xattr_slot() a second time, if the transmuting conditions are met.
>
> The LSM infrastructure passes all xattrs provided by LSMs to the
> filesystems through the initxattrs() callback, so that filesystems can
> store xattrs in the disk.
>
> After the change, the SMK_INODE_TRANSMUTE inode flag is always set by
> d_instantiate() after fetching SMACK64TRANSMUTE from the disk. Before it
> was done by smack_inode_post_setxattr() as result of the __vfs_setxattr()
> call.
>
> Removing __vfs_setxattr() also prevents invalidating the EVM HMAC, by
> adding a new xattr without checking and updating the existing HMAC.
>
> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Just a few comments/nits inline.
> ---
> security/smack/smack.h | 2 +-
> security/smack/smack_lsm.c | 43 +++++++++++++++++++++++---------------
> 2 files changed, 27 insertions(+), 18 deletions(-)
>
> diff --git a/security/smack/smack.h b/security/smack/smack.h
> index aa15ff56ed6..041688e5a77 100644
> --- a/security/smack/smack.h
> +++ b/security/smack/smack.h
> @@ -128,7 +128,7 @@ struct task_smack {
>
> #define SMK_INODE_INSTANT 0x01 /* inode is instantiated */
> #define SMK_INODE_TRANSMUTE 0x02 /* directory is transmuting */
> -#define SMK_INODE_CHANGED 0x04 /* smack was transmuted */
> +#define SMK_INODE_CHANGED 0x04 /* smack was transmuted (unused) */
> #define SMK_INODE_IMPURE 0x08 /* involved in an impure transaction */
>
> /*
> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> index a1c30275692..b67d901ee74 100644
> --- a/security/smack/smack_lsm.c
> +++ b/security/smack/smack_lsm.c
> @@ -52,7 +52,14 @@
> #define SMK_RECEIVING 1
> #define SMK_SENDING 2
>
> -#define SMACK_INODE_INIT_XATTRS 1
> +/*
> + * Smack uses multiple xattrs.
> + * SMACK64 - for access control,
> + * SMACK64TRANSMUTE - label initialization,
> + * Not saved on files - SMACK64IPIN and SMACK64IPOUT,
> + * Must be set explicitly - SMACK64EXEC and SMACK64MMAP
> + */
> +#define SMACK_INODE_INIT_XATTRS 2
>
> #ifdef SMACK_IPV6_PORT_LABELING
> static DEFINE_MUTEX(smack_ipv6_lock);
> @@ -935,7 +942,6 @@ static int smack_inode_init_security(struct inode *inode, struct inode *dir,
> struct xattr *xattrs, int *xattr_count)
> {
> struct task_smack *tsp = smack_cred(current_cred());
> - struct inode_smack *issp = smack_inode(inode);
> struct smack_known *skp = smk_of_task(tsp);
> struct smack_known *isp = smk_of_inode(inode);
> struct smack_known *dsp = smk_of_inode(dir);
> @@ -963,6 +969,8 @@ static int smack_inode_init_security(struct inode *inode, struct inode *dir,
> if ((tsp->smk_task == tsp->smk_transmuted) ||
> (may > 0 && ((may & MAY_TRANSMUTE) != 0) &&
> smk_inode_transmutable(dir))) {
> + struct xattr *xattr_transmute;
> +
Variables should be defined at the beginning of the function.
Is there a reason for beginning the function with "if (xattr) {"
instead "if (!xattr) return 0;". This causes unnecessary indenting.
> /*
> * The caller of smack_dentry_create_files_as()
> * should have overridden the current cred, so the
> @@ -971,7 +979,16 @@ static int smack_inode_init_security(struct inode *inode, struct inode *dir,
> */
> if (tsp->smk_task != tsp->smk_transmuted)
> isp = dsp;
> - issp->smk_flags |= SMK_INODE_CHANGED;
> + xattr_transmute = lsm_get_xattr_slot(xattrs, xattr_count);
> + if (xattr_transmute) {
> + xattr_transmute->value = kmemdup(TRANS_TRUE,
> + TRANS_TRUE_SIZE, GFP_NOFS);
script/checkpatch --strict complains here.
> + if (xattr_transmute->value == NULL)
> + return -ENOMEM;
> +
> + xattr_transmute->value_len = TRANS_TRUE_SIZE;
> + xattr_transmute->name = XATTR_SMACK_TRANSMUTE;
> + }
> }
>
> xattr->value = kstrdup(isp->smk_known, GFP_NOFS);
> @@ -3518,20 +3535,12 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
> * If there is a transmute attribute on the
> * directory mark the inode.
> */
> - if (isp->smk_flags & SMK_INODE_CHANGED) {
> - isp->smk_flags &= ~SMK_INODE_CHANGED;
> - rc = __vfs_setxattr(&nop_mnt_idmap, dp, inode,
> - XATTR_NAME_SMACKTRANSMUTE,
> - TRANS_TRUE, TRANS_TRUE_SIZE,
> - 0);
> - } else {
> - rc = __vfs_getxattr(dp, inode,
> - XATTR_NAME_SMACKTRANSMUTE, trattr,
> - TRANS_TRUE_SIZE);
> - if (rc >= 0 && strncmp(trattr, TRANS_TRUE,
> - TRANS_TRUE_SIZE) != 0)
> - rc = -EINVAL;
> - }
> + rc = __vfs_getxattr(dp, inode,
> + XATTR_NAME_SMACKTRANSMUTE, trattr,
> + TRANS_TRUE_SIZE);
> + if (rc >= 0 && strncmp(trattr, TRANS_TRUE,
> + TRANS_TRUE_SIZE) != 0)
> + rc = -EINVAL;
> if (rc >= 0)
> transflag = SMK_INODE_TRANSMUTE;
> }
On 6/9/2023 9:35 PM, Mimi Zohar wrote:
> Hi Roberto,
>
> On Sat, 2023-06-03 at 21:15 +0200, Roberto Sassu wrote:
>> From: Roberto Sassu <roberto.sassu@huawei.com>
>>
>> With the newly added ability of LSMs to supply multiple xattrs, set
>> SMACK64TRASMUTE in smack_inode_init_security(), instead of d_instantiate().
>> Do it by incrementing SMACK_INODE_INIT_XATTRS to 2 and by calling
>> lsm_get_xattr_slot() a second time, if the transmuting conditions are met.
>>
>> The LSM infrastructure passes all xattrs provided by LSMs to the
>> filesystems through the initxattrs() callback, so that filesystems can
>> store xattrs in the disk.
>>
>> After the change, the SMK_INODE_TRANSMUTE inode flag is always set by
>> d_instantiate() after fetching SMACK64TRANSMUTE from the disk. Before it
>> was done by smack_inode_post_setxattr() as result of the __vfs_setxattr()
>> call.
>>
>> Removing __vfs_setxattr() also prevents invalidating the EVM HMAC, by
>> adding a new xattr without checking and updating the existing HMAC.
>>
>> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
>
> Just a few comments/nits inline.
>
>> ---
>> security/smack/smack.h | 2 +-
>> security/smack/smack_lsm.c | 43 +++++++++++++++++++++++---------------
>> 2 files changed, 27 insertions(+), 18 deletions(-)
>>
>> diff --git a/security/smack/smack.h b/security/smack/smack.h
>> index aa15ff56ed6..041688e5a77 100644
>> --- a/security/smack/smack.h
>> +++ b/security/smack/smack.h
>> @@ -128,7 +128,7 @@ struct task_smack {
>>
>> #define SMK_INODE_INSTANT 0x01 /* inode is instantiated */
>> #define SMK_INODE_TRANSMUTE 0x02 /* directory is transmuting */
>> -#define SMK_INODE_CHANGED 0x04 /* smack was transmuted */
>> +#define SMK_INODE_CHANGED 0x04 /* smack was transmuted (unused) */
>> #define SMK_INODE_IMPURE 0x08 /* involved in an impure transaction */
>>
>> /*
>> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
>> index a1c30275692..b67d901ee74 100644
>> --- a/security/smack/smack_lsm.c
>> +++ b/security/smack/smack_lsm.c
>> @@ -52,7 +52,14 @@
>> #define SMK_RECEIVING 1
>> #define SMK_SENDING 2
>>
>> -#define SMACK_INODE_INIT_XATTRS 1
>> +/*
>> + * Smack uses multiple xattrs.
>> + * SMACK64 - for access control,
>> + * SMACK64TRANSMUTE - label initialization,
>> + * Not saved on files - SMACK64IPIN and SMACK64IPOUT,
>> + * Must be set explicitly - SMACK64EXEC and SMACK64MMAP
>> + */
>> +#define SMACK_INODE_INIT_XATTRS 2
>>
>> #ifdef SMACK_IPV6_PORT_LABELING
>> static DEFINE_MUTEX(smack_ipv6_lock);
>> @@ -935,7 +942,6 @@ static int smack_inode_init_security(struct inode *inode, struct inode *dir,
>> struct xattr *xattrs, int *xattr_count)
>> {
>> struct task_smack *tsp = smack_cred(current_cred());
>> - struct inode_smack *issp = smack_inode(inode);
>> struct smack_known *skp = smk_of_task(tsp);
>> struct smack_known *isp = smk_of_inode(inode);
>> struct smack_known *dsp = smk_of_inode(dir);
>> @@ -963,6 +969,8 @@ static int smack_inode_init_security(struct inode *inode, struct inode *dir,
>> if ((tsp->smk_task == tsp->smk_transmuted) ||
>> (may > 0 && ((may & MAY_TRANSMUTE) != 0) &&
>> smk_inode_transmutable(dir))) {
>> + struct xattr *xattr_transmute;
>> +
>
> Variables should be defined at the beginning of the function.
Casey asked to declare the variable in this block.
> Is there a reason for beginning the function with "if (xattr) {"
> instead "if (!xattr) return 0;". This causes unnecessary indenting.
I revisited this part and made few fixes:
https://lore.kernel.org/linux-security-module/20230607123612.2791303-1-roberto.sassu@huaweicloud.com/
Patch 3 should address your concern.
>> /*
>> * The caller of smack_dentry_create_files_as()
>> * should have overridden the current cred, so the
>> @@ -971,7 +979,16 @@ static int smack_inode_init_security(struct inode *inode, struct inode *dir,
>> */
>> if (tsp->smk_task != tsp->smk_transmuted)
>> isp = dsp;
>> - issp->smk_flags |= SMK_INODE_CHANGED;
>> + xattr_transmute = lsm_get_xattr_slot(xattrs, xattr_count);
>> + if (xattr_transmute) {
>> + xattr_transmute->value = kmemdup(TRANS_TRUE,
>> + TRANS_TRUE_SIZE, GFP_NOFS);
>
> script/checkpatch --strict complains here.
Thanks, I didn't know about it.
It seems that they are more stylistic things. Probably, not worth to
respin the patch set just for those (unless you prefer I do it).
Thanks
Roberto
>> + if (xattr_transmute->value == NULL)
>> + return -ENOMEM;
>> +
>> + xattr_transmute->value_len = TRANS_TRUE_SIZE;
>> + xattr_transmute->name = XATTR_SMACK_TRANSMUTE;
>> + }
>> }
>>
>> xattr->value = kstrdup(isp->smk_known, GFP_NOFS);
>> @@ -3518,20 +3535,12 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
>> * If there is a transmute attribute on the
>> * directory mark the inode.
>> */
>> - if (isp->smk_flags & SMK_INODE_CHANGED) {
>> - isp->smk_flags &= ~SMK_INODE_CHANGED;
>> - rc = __vfs_setxattr(&nop_mnt_idmap, dp, inode,
>> - XATTR_NAME_SMACKTRANSMUTE,
>> - TRANS_TRUE, TRANS_TRUE_SIZE,
>> - 0);
>> - } else {
>> - rc = __vfs_getxattr(dp, inode,
>> - XATTR_NAME_SMACKTRANSMUTE, trattr,
>> - TRANS_TRUE_SIZE);
>> - if (rc >= 0 && strncmp(trattr, TRANS_TRUE,
>> - TRANS_TRUE_SIZE) != 0)
>> - rc = -EINVAL;
>> - }
>> + rc = __vfs_getxattr(dp, inode,
>> + XATTR_NAME_SMACKTRANSMUTE, trattr,
>> + TRANS_TRUE_SIZE);
>> + if (rc >= 0 && strncmp(trattr, TRANS_TRUE,
>> + TRANS_TRUE_SIZE) != 0)
>> + rc = -EINVAL;
>> if (rc >= 0)
>> transflag = SMK_INODE_TRANSMUTE;
>> }
>
>
On Sat, 2023-06-03 at 21:15 +0200, Roberto Sassu wrote:
> From: Roberto Sassu <roberto.sassu@huawei.com>
>
> With the newly added ability of LSMs to supply multiple xattrs, set
> SMACK64TRASMUTE in smack_inode_init_security(), instead of d_instantiate().
> Do it by incrementing SMACK_INODE_INIT_XATTRS to 2 and by calling
> lsm_get_xattr_slot() a second time, if the transmuting conditions are met.
>
> The LSM infrastructure passes all xattrs provided by LSMs to the
> filesystems through the initxattrs() callback, so that filesystems can
> store xattrs in the disk.
>
> After the change, the SMK_INODE_TRANSMUTE inode flag is always set by
> d_instantiate() after fetching SMACK64TRANSMUTE from the disk. Before it
> was done by smack_inode_post_setxattr() as result of the __vfs_setxattr()
> call.
>
> Removing __vfs_setxattr() also prevents invalidating the EVM HMAC, by
> adding a new xattr without checking and updating the existing HMAC.
Hi Mengchi
could you please redo your tests with this patch set applied?
https://lore.kernel.org/linux-integrity/20230603191518.1397490-1-roberto.sassu@huaweicloud.com/
You need:
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm.git/log/?h=next
https://github.com/cschaufler/smack-next/commits/next
Thanks
Roberto
> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> ---
> security/smack/smack.h | 2 +-
> security/smack/smack_lsm.c | 43 +++++++++++++++++++++++---------------
> 2 files changed, 27 insertions(+), 18 deletions(-)
>
> diff --git a/security/smack/smack.h b/security/smack/smack.h
> index aa15ff56ed6..041688e5a77 100644
> --- a/security/smack/smack.h
> +++ b/security/smack/smack.h
> @@ -128,7 +128,7 @@ struct task_smack {
>
> #define SMK_INODE_INSTANT 0x01 /* inode is instantiated */
> #define SMK_INODE_TRANSMUTE 0x02 /* directory is transmuting */
> -#define SMK_INODE_CHANGED 0x04 /* smack was transmuted */
> +#define SMK_INODE_CHANGED 0x04 /* smack was transmuted (unused) */
> #define SMK_INODE_IMPURE 0x08 /* involved in an impure transaction */
>
> /*
> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> index a1c30275692..b67d901ee74 100644
> --- a/security/smack/smack_lsm.c
> +++ b/security/smack/smack_lsm.c
> @@ -52,7 +52,14 @@
> #define SMK_RECEIVING 1
> #define SMK_SENDING 2
>
> -#define SMACK_INODE_INIT_XATTRS 1
> +/*
> + * Smack uses multiple xattrs.
> + * SMACK64 - for access control,
> + * SMACK64TRANSMUTE - label initialization,
> + * Not saved on files - SMACK64IPIN and SMACK64IPOUT,
> + * Must be set explicitly - SMACK64EXEC and SMACK64MMAP
> + */
> +#define SMACK_INODE_INIT_XATTRS 2
>
> #ifdef SMACK_IPV6_PORT_LABELING
> static DEFINE_MUTEX(smack_ipv6_lock);
> @@ -935,7 +942,6 @@ static int smack_inode_init_security(struct inode *inode, struct inode *dir,
> struct xattr *xattrs, int *xattr_count)
> {
> struct task_smack *tsp = smack_cred(current_cred());
> - struct inode_smack *issp = smack_inode(inode);
> struct smack_known *skp = smk_of_task(tsp);
> struct smack_known *isp = smk_of_inode(inode);
> struct smack_known *dsp = smk_of_inode(dir);
> @@ -963,6 +969,8 @@ static int smack_inode_init_security(struct inode *inode, struct inode *dir,
> if ((tsp->smk_task == tsp->smk_transmuted) ||
> (may > 0 && ((may & MAY_TRANSMUTE) != 0) &&
> smk_inode_transmutable(dir))) {
> + struct xattr *xattr_transmute;
> +
> /*
> * The caller of smack_dentry_create_files_as()
> * should have overridden the current cred, so the
> @@ -971,7 +979,16 @@ static int smack_inode_init_security(struct inode *inode, struct inode *dir,
> */
> if (tsp->smk_task != tsp->smk_transmuted)
> isp = dsp;
> - issp->smk_flags |= SMK_INODE_CHANGED;
> + xattr_transmute = lsm_get_xattr_slot(xattrs, xattr_count);
> + if (xattr_transmute) {
> + xattr_transmute->value = kmemdup(TRANS_TRUE,
> + TRANS_TRUE_SIZE, GFP_NOFS);
> + if (xattr_transmute->value == NULL)
> + return -ENOMEM;
> +
> + xattr_transmute->value_len = TRANS_TRUE_SIZE;
> + xattr_transmute->name = XATTR_SMACK_TRANSMUTE;
> + }
> }
>
> xattr->value = kstrdup(isp->smk_known, GFP_NOFS);
> @@ -3518,20 +3535,12 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
> * If there is a transmute attribute on the
> * directory mark the inode.
> */
> - if (isp->smk_flags & SMK_INODE_CHANGED) {
> - isp->smk_flags &= ~SMK_INODE_CHANGED;
> - rc = __vfs_setxattr(&nop_mnt_idmap, dp, inode,
> - XATTR_NAME_SMACKTRANSMUTE,
> - TRANS_TRUE, TRANS_TRUE_SIZE,
> - 0);
> - } else {
> - rc = __vfs_getxattr(dp, inode,
> - XATTR_NAME_SMACKTRANSMUTE, trattr,
> - TRANS_TRUE_SIZE);
> - if (rc >= 0 && strncmp(trattr, TRANS_TRUE,
> - TRANS_TRUE_SIZE) != 0)
> - rc = -EINVAL;
> - }
> + rc = __vfs_getxattr(dp, inode,
> + XATTR_NAME_SMACKTRANSMUTE, trattr,
> + TRANS_TRUE_SIZE);
> + if (rc >= 0 && strncmp(trattr, TRANS_TRUE,
> + TRANS_TRUE_SIZE) != 0)
> + rc = -EINVAL;
> if (rc >= 0)
> transflag = SMK_INODE_TRANSMUTE;
> }
On Mon, 2023-06-05 08:38:29 +0000, Roberto Sassu wrote:
>
> On Sat, 2023-06-03 at 21:15 +0200, Roberto Sassu wrote:
> > From: Roberto Sassu <roberto.sassu@huawei.com>
> >
> > With the newly added ability of LSMs to supply multiple xattrs, set
> > SMACK64TRASMUTE in smack_inode_init_security(), instead of d_instantiate().
> > Do it by incrementing SMACK_INODE_INIT_XATTRS to 2 and by calling
> > lsm_get_xattr_slot() a second time, if the transmuting conditions are met.
> >
> > The LSM infrastructure passes all xattrs provided by LSMs to the
> > filesystems through the initxattrs() callback, so that filesystems can
> > store xattrs in the disk.
> >
> > After the change, the SMK_INODE_TRANSMUTE inode flag is always set by
> > d_instantiate() after fetching SMACK64TRANSMUTE from the disk. Before it
> > was done by smack_inode_post_setxattr() as result of the __vfs_setxattr()
> > call.
> >
> > Removing __vfs_setxattr() also prevents invalidating the EVM HMAC, by
> > adding a new xattr without checking and updating the existing HMAC.
>
> Hi Mengchi
>
> could you please redo your tests with this patch set applied?
>
> https://lore.kernel.org/linux-integrity/20230603191518.1397490-1-roberto.sassu@huaweicloud.com/
>
> You need:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm.git/log/?h=next
>
> https://github.com/cschaufler/smack-next/commits/next
>
> Thanks
>
> Roberto
Sorry for the later reply. It turned out lsm.git repo needs your previous
two overlay fs fixes before applying these four patches.
With v12 I did not see the issue I reported anymore.
Best,
Mengchi
>
> > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> > ---
> > security/smack/smack.h | 2 +-
> > security/smack/smack_lsm.c | 43 +++++++++++++++++++++++---------------
> > 2 files changed, 27 insertions(+), 18 deletions(-)
> >
> > diff --git a/security/smack/smack.h b/security/smack/smack.h
> > index aa15ff56ed6..041688e5a77 100644
> > --- a/security/smack/smack.h
> > +++ b/security/smack/smack.h
> > @@ -128,7 +128,7 @@ struct task_smack {
> >
> > #define SMK_INODE_INSTANT 0x01 /* inode is instantiated */
> > #define SMK_INODE_TRANSMUTE 0x02 /* directory is transmuting */
> > -#define SMK_INODE_CHANGED 0x04 /* smack was transmuted */
> > +#define SMK_INODE_CHANGED 0x04 /* smack was transmuted (unused) */
> > #define SMK_INODE_IMPURE 0x08 /* involved in an impure transaction */
> >
> > /*
> > diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> > index a1c30275692..b67d901ee74 100644
> > --- a/security/smack/smack_lsm.c
> > +++ b/security/smack/smack_lsm.c
> > @@ -52,7 +52,14 @@
> > #define SMK_RECEIVING 1
> > #define SMK_SENDING 2
> >
> > -#define SMACK_INODE_INIT_XATTRS 1
> > +/*
> > + * Smack uses multiple xattrs.
> > + * SMACK64 - for access control,
> > + * SMACK64TRANSMUTE - label initialization,
> > + * Not saved on files - SMACK64IPIN and SMACK64IPOUT,
> > + * Must be set explicitly - SMACK64EXEC and SMACK64MMAP
> > + */
> > +#define SMACK_INODE_INIT_XATTRS 2
> >
> > #ifdef SMACK_IPV6_PORT_LABELING
> > static DEFINE_MUTEX(smack_ipv6_lock);
> > @@ -935,7 +942,6 @@ static int smack_inode_init_security(struct inode *inode, struct inode *dir,
> > struct xattr *xattrs, int *xattr_count)
> > {
> > struct task_smack *tsp = smack_cred(current_cred());
> > - struct inode_smack *issp = smack_inode(inode);
> > struct smack_known *skp = smk_of_task(tsp);
> > struct smack_known *isp = smk_of_inode(inode);
> > struct smack_known *dsp = smk_of_inode(dir);
> > @@ -963,6 +969,8 @@ static int smack_inode_init_security(struct inode *inode, struct inode *dir,
> > if ((tsp->smk_task == tsp->smk_transmuted) ||
> > (may > 0 && ((may & MAY_TRANSMUTE) != 0) &&
> > smk_inode_transmutable(dir))) {
> > + struct xattr *xattr_transmute;
> > +
> > /*
> > * The caller of smack_dentry_create_files_as()
> > * should have overridden the current cred, so the
> > @@ -971,7 +979,16 @@ static int smack_inode_init_security(struct inode *inode, struct inode *dir,
> > */
> > if (tsp->smk_task != tsp->smk_transmuted)
> > isp = dsp;
> > - issp->smk_flags |= SMK_INODE_CHANGED;
> > + xattr_transmute = lsm_get_xattr_slot(xattrs, xattr_count);
> > + if (xattr_transmute) {
> > + xattr_transmute->value = kmemdup(TRANS_TRUE,
> > + TRANS_TRUE_SIZE, GFP_NOFS);
> > + if (xattr_transmute->value == NULL)
> > + return -ENOMEM;
> > +
> > + xattr_transmute->value_len = TRANS_TRUE_SIZE;
> > + xattr_transmute->name = XATTR_SMACK_TRANSMUTE;
> > + }
> > }
> >
> > xattr->value = kstrdup(isp->smk_known, GFP_NOFS);
> > @@ -3518,20 +3535,12 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
> > * If there is a transmute attribute on the
> > * directory mark the inode.
> > */
> > - if (isp->smk_flags & SMK_INODE_CHANGED) {
> > - isp->smk_flags &= ~SMK_INODE_CHANGED;
> > - rc = __vfs_setxattr(&nop_mnt_idmap, dp, inode,
> > - XATTR_NAME_SMACKTRANSMUTE,
> > - TRANS_TRUE, TRANS_TRUE_SIZE,
> > - 0);
> > - } else {
> > - rc = __vfs_getxattr(dp, inode,
> > - XATTR_NAME_SMACKTRANSMUTE, trattr,
> > - TRANS_TRUE_SIZE);
> > - if (rc >= 0 && strncmp(trattr, TRANS_TRUE,
> > - TRANS_TRUE_SIZE) != 0)
> > - rc = -EINVAL;
> > - }
> > + rc = __vfs_getxattr(dp, inode,
> > + XATTR_NAME_SMACKTRANSMUTE, trattr,
> > + TRANS_TRUE_SIZE);
> > + if (rc >= 0 && strncmp(trattr, TRANS_TRUE,
> > + TRANS_TRUE_SIZE) != 0)
> > + rc = -EINVAL;
> > if (rc >= 0)
> > transflag = SMK_INODE_TRANSMUTE;
> > }
>
>
On Mon Jun 5, 2023 at 11:38 AM EEST, Roberto Sassu wrote: > On Sat, 2023-06-03 at 21:15 +0200, Roberto Sassu wrote: > > From: Roberto Sassu <roberto.sassu@huawei.com> > > > > With the newly added ability of LSMs to supply multiple xattrs, set > > SMACK64TRASMUTE in smack_inode_init_security(), instead of d_instantiate(). nit: TRANSMUTE Sorry, just hit into my eye. I skimmed it because I implemented original feature :-) BR, Jarkko
On 6/9/2023 9:26 AM, Jarkko Sakkinen wrote: > On Mon Jun 5, 2023 at 11:38 AM EEST, Roberto Sassu wrote: >> On Sat, 2023-06-03 at 21:15 +0200, Roberto Sassu wrote: >>> From: Roberto Sassu <roberto.sassu@huawei.com> >>> >>> With the newly added ability of LSMs to supply multiple xattrs, set >>> SMACK64TRASMUTE in smack_inode_init_security(), instead of d_instantiate(). > > nit: TRANSMUTE > > Sorry, just hit into my eye. I skimmed it because I implemented original > feature :-) Cool! Currently the transmute xattr is defined as: #define XATTR_SMACK_TRANSMUTE "SMACK64TRANSMUTE" so, should be good to say the full xattr name, right? Thanks Roberto
© 2016 - 2026 Red Hat, Inc.