About security_path_mknod() in aufs.
Tim Gardner
tim.gardner at canonical.com
Mon Nov 15 14:10:29 UTC 2010
On 11/09/2010 04:58 AM, Tetsuo Handa wrote:
> Hello.
>
> TOMOYO has started to check 'dev' argument of security_path_mknod() since
> 2.6.36. The argument 'dev' is passed without new_decode_dev() conversion.
>
> This is because I thought we should avoid useless new_decode_dev() call if
> LSM modules (i.e. SELinux/Smack/AppArmor) don't check that argument.
> I expected that security_path_mknod() is called from places outside vfs_mknod().
>
> 2016 error = security_path_mknod(&nd.path, dentry, mode, dev);
> 2017 if (error)
> 2018 goto out_drop_write;
> 2019 switch (mode& S_IFMT) {
> 2020 case 0: case S_IFREG:
> 2021 error = vfs_create(nd.path.dentry->d_inode,dentry,mode,&nd);
> 2022 break;
> 2023 case S_IFCHR: case S_IFBLK:
> 2024 error = vfs_mknod(nd.path.dentry->d_inode,dentry,mode,
> 2025 new_decode_dev(dev));
>
> But aufs's vfsub_mknod() (called from add_simple() from aufs_mknod() from
> vfs_mknod()) is calling security_path_mknod().
>
> 266 int vfsub_mknod(struct inode *dir, struct path *path, int mode, dev_t dev)
> 267 {
> 268 int err;
> 269 struct dentry *d;
> 270
> 271 IMustLock(dir);
> 272
> 273 d = path->dentry;
> 274 path->dentry = d->d_parent;
> 275 err = security_path_mknod(path, d, mode, dev);
> 276 path->dentry = d;
> 277 if (unlikely(err))
> 278 goto out;
> 279
> 280 err = vfs_mknod(dir, path->dentry, mode, dev);
>
> In vfsub_mknod(), 'dev' was already converted by 'new_decode_dev(dev)'
> but TOMOYO is expecting 'dev' rather than 'new_decode_dev(dev)'.
>
> With Natty kernel, TOMOYO will check new_decode_dev(new_decode_dev(dev))
> (which is wrong) when security_path_mknod() is called from vfsub_mknod().
>
> How should we fix this?
>
> Regards.
>
John - any comments?
--
Tim Gardner tim.gardner at canonical.com
More information about the kernel-team
mailing list