[tomoyo-dev-en 444] Re: [PATCH] tomoyo: fix handling of path{1, 2}.parent.* conditions

Back to archive index
Christian Brauner braun****@kerne*****
Wed Jun 8 03:06:18 JST 2022


On Tue, Jun 07, 2022 at 11:22:49PM +0900, Tetsuo Handa wrote:
> On 2022/06/07 21:27, Christian Brauner wrote:
> > When path conditions are specified tomoyo tries to retrieve information about
> > the parent dentry. It currently assumes that the parent dentry is always
> > reachable from the child dentry's mount. This assumption is wrong when
> > bind-mounts are in play:
> 
> Thank you for a patch, but I consider that current behavior is correct.
> 
> > file read /foo/file1 path1.parent.uid=12
> 
> The path{1,2}.* and path{1,2}.parent.* conditions use inode's attributes.
> That is, these conditions are independent with pathname reachability.
> 
> ---------- Initialization ----------
> # mkdir -p /foo /bar
> # touch /foo/file1 /bar/file2
> # chown 100 /foo
> # chown 200 /foo/file1
> # chown 300 /bar
> # chown 400 /bar/file2
> 
> ---------- before doing bind mount ----------
> # cat /foo/file1 /bar/file2
> 
> ---------- access log of before doing bind mount ----------
> #2022/06/07 13:47:14# profile=2 mode=permissive granted=no (global-pid=2757) task={ pid=2757 ppid=2690 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0 } path1={ uid=200 gid=0 ino=2501389 major=8 minor=1 perm=0644 type=file } path1.parent={ uid=100 gid=0 ino=2501384 perm=0755 }
> <kernel> /usr/sbin/sshd /usr/bin/bash /usr/bin/cat
> file read /foo/file1
> #2022/06/07 13:47:14# profile=2 mode=permissive granted=no (global-pid=2757) task={ pid=2757 ppid=2690 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0 } path1={ uid=400 gid=0 ino=273557228 major=8 minor=1 perm=0644 type=file } path1.parent={ uid=300 gid=0 ino=273557227 perm=0755 }
> <kernel> /usr/sbin/sshd /usr/bin/bash /usr/bin/cat
> file read /bar/file2
> 
> ---------- after doing bind mount ----------
> # mount --bind /bar/file2 /foo/file1
> # cat /foo/file1 /bar/file2
> 
> ---------- access log of after doing bind mount ----------
> #2022/06/07 13:48:46# profile=2 mode=permissive granted=no (global-pid=2773) task={ pid=2773 ppid=2690 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0 } path1={ uid=400 gid=0 ino=273557228 major=8 minor=1 perm=0644 type=file } path1.parent={ uid=300 gid=0 ino=273557227 perm=0755 }
> <kernel> /usr/sbin/sshd /usr/bin/bash /usr/bin/cat
> file read /foo/file1
> #2022/06/07 13:48:46# profile=2 mode=permissive granted=no (global-pid=2773) task={ pid=2773 ppid=2690 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0 } path1={ uid=400 gid=0 ino=273557228 major=8 minor=1 perm=0644 type=file } path1.parent={ uid=300 gid=0 ino=273557227 perm=0755 }
> <kernel> /usr/sbin/sshd /usr/bin/bash /usr/bin/cat
> file read /bar/file2
> 

After having chatted about this a bit, I think I and misstated the
issue or at least didn't explain this clearly enough. What I was worried
about is that since Tomoyo is path-based and a user specifies /foo/file1
and set's a path rule like:

file read /foo/file1 path1.parent.*

then they want the path1.parent.* condition to be applied to "foo".
That is after all literally the parent in the path that's specified in
the rule.

But what will actually happen is that instead the path1.parent.*
condition will be applied to "bar" because "file2" has been bind-mounted
over "file1" and the vfs will resolve the bind-mount and pass down:
path1->dentry = file2
to Tomoyo.

I think that might be very confusing to users but if you state that this
is intended behavior then this is fine with me and I can send out the
other patches that don't deal with this.



More information about the tomoyo-dev-en mailing list
Back to archive index