Re: [PATCH] fs: Add flags to __d_path for suppressing suffix andmapping /proc/self

From: Tetsuo Handa
Date: Tue Feb 16 2010 - 07:11:54 EST

Next message: Nikita V. Youshchenko: "Extended error reporting to user space?"
Previous message: Mrs Claire page: "[no subject]"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Al Viro wrote:
> > Also, procfs is usually mounted on /proc , but it can be mounted on /proc2 ,
> > /mnt/proc3 or /p . Thus, the caller of __d_path() can't convert /proc/PID to
> > /proc/self from string returned by __d_path() because the caller can't find
> > the mount point of procfs from the returned string. If the caller traverses
> > dentry/vfsmount tree in order to find the mount point of procfs, it results in
> > duplicating __d_path() because the the caller does not use __d_path().
>
> No. If you don't care which instance it is, you can bloody well check that
> superblock is that of a procfs and track the path to its root *in* *caller*.

I couldn't catch. Are you suggesting that TOMOYO should not call __d_path() for
dentry if dentry->d_sb->s_magic == PROC_SUPER_MAGIC ?

> Instead of calling d_path and looking at vfsmount tree at all. And you'd
> better do that without assumptions that no name in procfs could be a number
> unrelated to PIDs (i.e. you'd need to check that parent of your candidate
> is root).

I'm doing IS_ROOT(parent) to check that parent of dentry is root.

> BTW, *any* filesystem may be mounted at several places at once. Moreover,
> different subtrees of the same fs may be found at different mountpoints.

Yes. I know.

> IIRC,
> back when "pathname-based" checks had been discussed, their proponents said
> that they don't care if rules for different instances were inconsistent and
> that it's OK to have them covered sepately, as long as you default to giving
> lower permissions to unrecognized ones. Why is procfs an exception?

Because procfs redirects /proc/self to /proc/PID using symlink when the
userspace accesses information of current process. This redirection makes it
impossible for name based checks to grant only accessing information of
current process.

What I want to do is to undo this redirection done by procfs. Undoing this
redirection makes it possible for name based checks to grant only accessing
information of current process.

Granting /proc/self/ is more secure than granting /proc/*/ if userspace needs
to access only information of current process.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Nikita V. Youshchenko: "Extended error reporting to user space?"
Previous message: Mrs Claire page: "[no subject]"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]