Ocfs2 devel - Oct 2015 - [PATCH v3 3/7] selinux: Get rid of file_path_has_perm

On 10/28/2015 07:48 AM, Andreas Gruenbacher wrote:
> On Tue, Oct 27, 2015 at 5:40 PM, Stephen Smalley <sds at
tycho.nsa.gov> wrote:
>> On 10/26/2015 05:15 PM, Andreas Gruenbacher wrote:
>>>
>>> Use path_has_perm directly instead.
>>
>>
>> This reverts:
>>
>> commit 13f8e9810bff12d01807b6f92329111f45218235
>> Author: David Howells <dhowells at redhat.com>
>> Date:   Thu Jun 13 23:37:55 2013 +0100
>>
>>     SELinux: Institute file_path_has_perm()
>>
>>     Create a file_path_has_perm() function that is like path_has_perm()
but
>>     instead takes a file struct that is the source of both the path and
the
>>     inode (rather than getting the inode from the dentry in the path). 
This
>>     is then used where appropriate.
>>
>>     This will be useful for situations like unionmount where it will be
>>     possible to have an apparently-negative dentry (eg. a fallthrough)
that
>> is
>>     open with the file struct pointing to an inode on the lower fs.
>>
>>     Signed-off-by: David Howells <dhowells at redhat.com>
>>     Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
>>
>> which I think David was intending to use as part of his
SELinux/overlayfs
>> support.
> 
> Okay. As long as overlayfs support in SELinux is in half-finished
> state, let's leave this alone.
Also, the caller is holding a spinlock (tty_files_lock), so you can't call
inode_doinit from
here.

Try stress testing your patch series by just always setting isec->initialized
to LABEL_INVALID.
Previously the *has_perm functions could be called under essentially any
condition, with the exception
of when in a RCU walk and needing to audit the dname (but they did not
previously block/sleep).

On 10/28/2015 01:31 PM, Stephen Smalley wrote:
> On 10/28/2015 07:48 AM, Andreas Gruenbacher wrote:
>> On Tue, Oct 27, 2015 at 5:40 PM, Stephen Smalley <sds at
tycho.nsa.gov> wrote:
>>> On 10/26/2015 05:15 PM, Andreas Gruenbacher wrote:
>>>>
>>>> Use path_has_perm directly instead.
>>>
>>>
>>> This reverts:
>>>
>>> commit 13f8e9810bff12d01807b6f92329111f45218235
>>> Author: David Howells <dhowells at redhat.com>
>>> Date:   Thu Jun 13 23:37:55 2013 +0100
>>>
>>>      SELinux: Institute file_path_has_perm()
>>>
>>>      Create a file_path_has_perm() function that is like
path_has_perm() but
>>>      instead takes a file struct that is the source of both the
path and the
>>>      inode (rather than getting the inode from the dentry in the
path).  This
>>>      is then used where appropriate.
>>>
>>>      This will be useful for situations like unionmount where it
will be
>>>      possible to have an apparently-negative dentry (eg. a
fallthrough) that
>>> is
>>>      open with the file struct pointing to an inode on the lower
fs.
>>>
>>>      Signed-off-by: David Howells <dhowells at redhat.com>
>>>      Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
>>>
>>> which I think David was intending to use as part of his
SELinux/overlayfs
>>> support.
>>
>> Okay. As long as overlayfs support in SELinux is in half-finished
>> state, let's leave this alone.
>
> Also, the caller is holding a spinlock (tty_files_lock), so you can't
call inode_doinit from
> here.
>
> Try stress testing your patch series by just always setting
isec->initialized to LABEL_INVALID.
> Previously the *has_perm functions could be called under essentially any
condition, with the exception
> of when in a RCU walk and needing to audit the dname (but they did not
previously block/sleep).
file_has_perm() also gets called from match_file() callback to 
iterate_fd(), which holds files->file_lock.