Re: [Patch 1/2] selinux: adjust rules for ATTR_FORCE

From: Stephen Smalley
Date: Mon Aug 17 2009 - 15:05:09 EST


On Tue, 2009-08-18 at 03:46 +0900, OGAWA Hirofumi wrote:
> Stephen Smalley <sds@xxxxxxxxxxxxx> writes:
>
> > On Mon, 2009-08-17 at 03:07 -0400, Amerigo Wang wrote:
> >> As suggested by OGAWA Hirofumi in thread: http://lkml.org/lkml/2009/8/7/132,
> >> we should let selinux_inode_setattr() match our ATTR_* rules.
> >> ATTR_FORCE should not force things like ATTR_SIZE.
>
> [...]
>
> >
> > This will only apply the setattr check if ATTR_FORCE was specified,
> > which is not the current behavior nor what we want.
> >
> > NAK.
>
> How about this? I tweaked Amerigo's patch, and it is based on what the
> original code is doing. This is only compile-tested though.
>
> [I'm still not sure what selinux wants to do. Normally inode_permission()
> should check truncate() permission, and this FILE__SIZE checks something
> again...? And we want to check FILE__WRITE for ATTR_[AMC]TIME?]

Explicit setting of mode, owner, group, or timestamps is to be checked
by the setattr permission, while implicit setting of timestamps or size
is mediated by the write permission. Permission needs to be revalidated
on use to address potential file relabeling or policy change.
ATTR_FORCE is supposed to suppress permission checking altogether, and
shouldn't be mixed with multiple attribute changes if some should be
subject to permission checks while others should not.

--
Stephen Smalley
National Security Agency
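
The rules stated in the reply above, as an added userspace model that is not part of the original message and is not the kernel's code. The ATTR_* values are redefined here to mirror include/linux/fs.h; the enum, the EXPLICIT mask and both function names are hypothetical, and treating any explicit bit alongside ATTR_FORCE as a combination to review is an assumption of this example.

```c
#include <stdio.h>

/* Redefined for a userspace model; values mirror ATTR_* in include/linux/fs.h. */
#define ATTR_MODE      (1 << 0)
#define ATTR_UID       (1 << 1)
#define ATTR_GID       (1 << 2)
#define ATTR_SIZE      (1 << 3)
#define ATTR_ATIME     (1 << 4)
#define ATTR_MTIME     (1 << 5)
#define ATTR_CTIME     (1 << 6)
#define ATTR_ATIME_SET (1 << 7)
#define ATTR_MTIME_SET (1 << 8)
#define ATTR_FORCE     (1 << 9)

/* Hypothetical names for this model, not kernel identifiers. */
enum check { CHECK_NONE, CHECK_SETATTR, CHECK_WRITE };

/* Explicit setting of mode, owner, group, or timestamps. */
#define EXPLICIT (ATTR_MODE | ATTR_UID | ATTR_GID | ATTR_ATIME_SET | ATTR_MTIME_SET)

/* Which permission mediates a setattr request carrying these ia_valid bits. */
enum check required_check(unsigned int ia_valid)
{
    if (ia_valid & ATTR_FORCE)
        return CHECK_NONE;      /* ATTR_FORCE suppresses checking altogether */
    if (ia_valid & EXPLICIT)
        return CHECK_SETATTR;   /* explicit change: setattr permission */
    return CHECK_WRITE;         /* implicit timestamps or size: write permission */
}

/* Nonzero when ATTR_FORCE is combined with an explicit change, which would
 * then pass unchecked (assumption: such a request deserves review). */
int force_mixed_with_explicit(unsigned int ia_valid)
{
    return (ia_valid & ATTR_FORCE) && (ia_valid & EXPLICIT);
}

int main(void)
{
    /* Constructed sample requests. */
    unsigned int chmod_req    = ATTR_MODE | ATTR_CTIME;
    unsigned int truncate_req = ATTR_SIZE | ATTR_MTIME | ATTR_CTIME;
    unsigned int forced_mode  = ATTR_FORCE | ATTR_MODE;

    printf("chmod: %d truncate: %d forced: %d mixed: %d\n",
           required_check(chmod_req), required_check(truncate_req),
           required_check(forced_mode), force_mixed_with_explicit(forced_mode));
    return 0;
}
```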
