nfsd: set security label during create operations
When security labeling is enabled, the client can pass a file security
label as part of a create operation for the new file, similar to mode
and other attributes. At present, the security label is received by nfsd
and passed down to nfsd_create_setattr(), but nfsd_setattr() is never
called and therefore the label is never set on the new file. This bug
may have been introduced on or around commit d6a97d3f58
("NFSD:
add security label to struct nfsd_attrs"). Looking at nfsd_setattr()
I am uncertain as to whether the same issue presents for
file ACLs and therefore requires a similar fix for those.
An alternative approach would be to introduce a new LSM hook to set the
"create SID" of the current task prior to the actual file creation, which
would atomically label the new inode at creation time. This would be better
for SELinux and a similar approach has been used previously
(see security_dentry_create_files_as) but perhaps not usable by other LSMs.
Reproducer:
1. Install a Linux distro with SELinux - Fedora is easiest
2. git clone https://github.com/SELinuxProject/selinux-testsuite
3. Install the requisite dependencies per selinux-testsuite/README.md
4. Run something like the following script:
MOUNT=$HOME/selinux-testsuite
sudo systemctl start nfs-server
sudo exportfs -o rw,no_root_squash,security_label localhost:$MOUNT
sudo mkdir -p /mnt/selinux-testsuite
sudo mount -t nfs -o vers=4.2 localhost:$MOUNT /mnt/selinux-testsuite
pushd /mnt/selinux-testsuite/
sudo make -C policy load
pushd tests/filesystem
sudo runcon -t test_filesystem_t ./create_file -f trans_test_file \
-e test_filesystem_filetranscon_t -v
sudo rm -f trans_test_file
popd
sudo make -C policy unload
popd
sudo umount /mnt/selinux-testsuite
sudo exportfs -u localhost:$MOUNT
sudo rmdir /mnt/selinux-testsuite
sudo systemctl stop nfs-server
Expected output:
<eliding noise from commands run prior to or after the test itself>
Process context:
unconfined_u:unconfined_r:test_filesystem_t:s0-s0:c0.c1023
Created file: trans_test_file
File context: unconfined_u:object_r:test_filesystem_filetranscon_t:s0
File context is correct
Actual output:
<eliding noise from commands run prior to or after the test itself>
Process context:
unconfined_u:unconfined_r:test_filesystem_t:s0-s0:c0.c1023
Created file: trans_test_file
File context: system_u:object_r:test_file_t:s0
File context error, expected:
test_filesystem_filetranscon_t
got:
test_file_t
Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Reviewed-by: NeilBrown <neilb@suse.de>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
This commit is contained in:
parent
cc63c21682
commit
442d27ff09
@ -1422,7 +1422,7 @@ nfsd_create_setattr(struct svc_rqst *rqstp, struct svc_fh *fhp,
|
|||||||
* Callers expect new file metadata to be committed even
|
* Callers expect new file metadata to be committed even
|
||||||
* if the attributes have not changed.
|
* if the attributes have not changed.
|
||||||
*/
|
*/
|
||||||
if (iap->ia_valid)
|
if (nfsd_attrs_valid(attrs))
|
||||||
status = nfsd_setattr(rqstp, resfhp, attrs, NULL);
|
status = nfsd_setattr(rqstp, resfhp, attrs, NULL);
|
||||||
else
|
else
|
||||||
status = nfserrno(commit_metadata(resfhp));
|
status = nfserrno(commit_metadata(resfhp));
|
||||||
|
@ -60,6 +60,14 @@ static inline void nfsd_attrs_free(struct nfsd_attrs *attrs)
|
|||||||
posix_acl_release(attrs->na_dpacl);
|
posix_acl_release(attrs->na_dpacl);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static inline bool nfsd_attrs_valid(struct nfsd_attrs *attrs)
|
||||||
|
{
|
||||||
|
struct iattr *iap = attrs->na_iattr;
|
||||||
|
|
||||||
|
return (iap->ia_valid || (attrs->na_seclabel &&
|
||||||
|
attrs->na_seclabel->len));
|
||||||
|
}
|
||||||
|
|
||||||
__be32 nfserrno (int errno);
|
__be32 nfserrno (int errno);
|
||||||
int nfsd_cross_mnt(struct svc_rqst *rqstp, struct dentry **dpp,
|
int nfsd_cross_mnt(struct svc_rqst *rqstp, struct dentry **dpp,
|
||||||
struct svc_export **expp);
|
struct svc_export **expp);
|
||||||
|
Loading…
Reference in New Issue
Block a user