    lsm,audit,selinux: Introduce a new audit data type LSM_AUDIT_DATA_FILE · 43af5de7
    Vivek Goyal authored
    Right now the LSM_AUDIT_DATA_PATH type contains "struct path" in union "u"
    of common_audit_data. This information is used to print the path of the file;
    at the same time it is also used to get to the dentry and inode. And this
    inode information is used to get to the superblock and device and print
    device information.
    
    This does not work well for layered filesystems like overlay, where the dentry
    contained in the path is the overlay dentry and not the real dentry of the
    underlying file system. That means the inode retrieved from the dentry is also
    the overlay inode and not the real inode.
    
    SELinux helpers like file_path_has_perm() are doing checks on the inode
    retrieved from file_inode(). This returns the real inode and not the
    overlay inode. That means we are doing the check on the real inode, but for
    audit purposes we are printing details of the overlay inode, and that can be
    confusing while debugging.
    
    Hence, introduce a new type LSM_AUDIT_DATA_FILE which carries file
    information, and the inode retrieved is the real inode, using file_inode().
    That way the right avc denied information is given to the user.
    
    For example, the following is one avc before the patch.
    
      type=AVC msg=audit(1473360868.399:214): avc:  denied  { read open } for
        pid=1765 comm="cat"
        path="/root/.../overlay/container1/merged/readfile"
        dev="overlay" ino=21443
        scontext=unconfined_u:unconfined_r:test_overlay_client_t:s0:c10,c20
        tcontext=unconfined_u:object_r:test_overlay_files_ro_t:s0
        tclass=file permissive=0
    
    It looks as follows after the patch.
    
      type=AVC msg=audit(1473360017.388:282): avc:  denied  { read open } for
        pid=2530 comm="cat"
        path="/root/.../overlay/container1/merged/readfile"
        dev="dm-0" ino=2377915
        scontext=unconfined_u:unconfined_r:test_overlay_client_t:s0:c10,c20
        tcontext=unconfined_u:object_r:test_overlay_files_ro_t:s0
        tclass=file permissive=0
    
    Notice that now the dev information points to the "dm-0" device instead of
    the "overlay" device. This makes it clear that the check failed on the
    underlying inode and not on the overlay inode.
    Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
    [PM: slight tweaks to the description to make checkpatch.pl happy]
    Signed-off-by: Paul Moore <paul@paul-moore.com>
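The commit message describes the only visible difference between the old and new audit records: whether `dev=` names the "overlay" pseudo-device or the real block device the denied inode lives on. The following added example (not part of the commit or the kernel tree) is a small user-space parser for AVC records that extracts a `key=` field and flags records that still report the overlay inode, which is what an analyst reviewing denials from pre-patch kernels would want to check; the two sample records are constructed from the ones quoted above, with the path field dropped.

```c
#include <string.h>

/* Copy the value of "key=..." (quoted or bare) out of one AVC record into out.
 * Returns 0 on success, -1 if the key is absent or the value does not fit. */
int avc_get_field(const char *rec, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key), n;
    const char *p = rec, *v, *end;

    while ((p = strstr(p, key)) != NULL) {
        /* whole-key match only, so "dev=" never matches inside another token */
        if ((p == rec || p[-1] == ' ') && p[klen] == '=') {
            v = p + klen + 1;
            if (*v == '"') {                    /* quoted, e.g. dev="overlay" */
                if (!(end = strchr(++v, '"'))) return -1;
                n = (size_t)(end - v);
            } else {                            /* bare, e.g. ino=21443 */
                n = strcspn(v, " \n");
            }
            if (n >= outlen) return -1;
            memcpy(out, v, n);
            out[n] = '\0';
            return 0;
        }
        p += klen;
    }
    return -1;
}

/* 1 if dev= names the overlay pseudo-device, i.e. the record describes the
 * overlay inode rather than the underlying inode the permission check used
 * (pre-patch LSM_AUDIT_DATA_PATH behaviour); 0 if it names a real device such
 * as dm-0 (LSM_AUDIT_DATA_FILE behaviour); -1 if dev= is missing. */
int avc_reports_overlay_inode(const char *rec)
{
    char dev[32];
    if (avc_get_field(rec, "dev", dev, sizeof dev) < 0) return -1;
    return strcmp(dev, "overlay") == 0;
}

/* Constructed samples, condensed from the two records in the commit message. */
static const char *avc_before_patch =
    "type=AVC msg=audit(1473360868.399:214): avc:  denied  { read open } for "
    "pid=1765 comm=\"cat\" dev=\"overlay\" ino=21443 tclass=file permissive=0";
static const char *avc_after_patch =
    "type=AVC msg=audit(1473360017.388:282): avc:  denied  { read open } for "
    "pid=2530 comm=\"cat\" dev=\"dm-0\" ino=2377915 tclass=file permissive=0";
```

Running `avc_reports_overlay_inode` over a stream of `type=AVC` lines separates denials whose `dev=`/`ino=` can be looked up directly on the backing filesystem from those that only identify the overlay inode.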