1. 31 Oct, 2022 1 commit
    • Christian Brauner's avatar
      fs: introduce dedicated idmap type for mounts · 256c8aed
      Christian Brauner authored
      Last cycle we've already made the interaction with idmapped mounts more
      robust and type safe by introducing the vfs{g,u}id_t type. This cycle we
      concluded the conversion and removed the legacy helpers.
      
      Currently we still pass around the plain namespace that was attached to
      a mount. This is in general pretty convenient but it makes it easy to
      conflate filesystem and mount namespaces and what different roles they
      have to play. Especially for filesystem developers without much
      experience in this area this is an easy source for bugs.
      
      Instead of passing the plain namespace we introduce a dedicated type
      struct mnt_idmap and replace the pointer with a pointer to a struct
      mnt_idmap. There are no semantic or size changes for the mount struct
      caused by this.
      
      We then start converting all places aware of idmapped mounts to rely on
      struct mnt_idmap. Once the conversion is done all helpers down to the
      really low-level make_vfs{g,u}id() and from_vfs{g,u}id() will take a
      struct mnt_idmap argument instead of two namespace arguments. This way
      it becomes impossible to conflate the two, removing and thus eliminating
      the possibility of any bugs. Fwiw, I fixed some issues in that area a
      while ago in ntfs3 and ksmbd in the past. Afterwards, only low-level
      code can ultimately use the associated namespace for any permission
      checks. Even most of the vfs can be ultimately completely oblivious
      about this and filesystems will never interact with it directly in any
      form in the future.
      
      A struct mnt_idmap currently encompasses a simple refcount and a pointer
      to the relevant namespace the mount is idmapped to. If a mount isn't
      idmapped then it will point to a static nop_mnt_idmap. If it is an
      idmapped mount it will point to a new struct mnt_idmap. As usual there
      are no allocations or anything happening for non-idmapped mounts.
      Everthing is carefully written to be a nop for non-idmapped mounts as
      has always been the case.
      
      If an idmapped mount or mount tree is created a new struct mnt_idmap is
      allocated and a reference taken on the relevant namespace. For each
      mount in a mount tree that gets idmapped or a mount that inherits the
      idmap when it is cloned the reference count on the associated struct
      mnt_idmap is bumped. Just a reminder that we only allow a mount to
      change it's idmapping a single time and only if it hasn't already been
      attached to the filesystems and has no active writers.
      
      The actual changes are fairly straightforward. This will have huge
      benefits for maintenance and security in the long run even if it causes
      some churn. I'm aware that there's some cost for all of you. And I'll
      commit to doing this work and make this as painless as I can.
      
      Note that this also makes it possible to extend struct mount_idmap in
      the future. For example, it would be possible to place the namespace
      pointer in an anonymous union together with an idmapping struct. This
      would allow us to expose an api to userspace that would let it specify
      idmappings directly instead of having to go through the detour of
      setting up namespaces at all.
      
      This just adds the infrastructure and doesn't do any conversions.
      Reviewed-by: default avatarSeth Forshee (DigitalOcean) <sforshee@kernel.org>
      Signed-off-by: default avatarChristian Brauner (Microsoft) <brauner@kernel.org>
      256c8aed
  2. 28 Oct, 2022 4 commits
  3. 26 Oct, 2022 9 commits
  4. 24 Oct, 2022 1 commit
  5. 20 Oct, 2022 25 commits
    • Christian Brauner's avatar
      acl: remove a slew of now unused helpers · 0a26bde2
      Christian Brauner authored
      Now that the posix acl api is active we can remove all the hacky helpers
      we had to keep around for all these years and also remove the set and
      get posix acl xattr handler methods as they aren't needed anymore.
      Signed-off-by: default avatarChristian Brauner (Microsoft) <brauner@kernel.org>
      0a26bde2
    • Christian Brauner's avatar
      9p: use stub posix acl handlers · 39a6497a
      Christian Brauner authored
      Now that 9p supports the get and set acl inode operations and the vfs
      has been switched to the new posi api, 9p can simply rely on the stub
      posix acl handlers. The custom xattr handlers and associated unused
      helpers can be removed.
      Signed-off-by: default avatarChristian Brauner (Microsoft) <brauner@kernel.org>
      39a6497a
    • Christian Brauner's avatar
      cifs: use stub posix acl handlers · c39c07fc
      Christian Brauner authored
      Now that cifs supports the get and set acl inode operations and the vfs
      has been switched to the new posi api, cifs can simply rely on the stub
      posix acl handlers. The custom xattr handlers and associated unused
      helpers can be removed.
      Signed-off-by: default avatarChristian Brauner (Microsoft) <brauner@kernel.org>
      c39c07fc
    • Christian Brauner's avatar
      ovl: use stub posix acl handlers · 200afb77
      Christian Brauner authored
      Now that ovl supports the get and set acl inode operations and the vfs
      has been switched to the new posi api, ovl can simply rely on the stub
      posix acl handlers. The custom xattr handlers and associated unused
      helpers can be removed.
      Signed-off-by: default avatarChristian Brauner (Microsoft) <brauner@kernel.org>
      200afb77
    • Christian Brauner's avatar
      ecryptfs: use stub posix acl handlers · 04af28fa
      Christian Brauner authored
      Now that ecryptfs supports the get and set acl inode operations and the
      vfs has been switched to the new posi api, ecryptfs can simply rely on
      the stub posix acl handlers.
      Signed-off-by: default avatarChristian Brauner (Microsoft) <brauner@kernel.org>
      04af28fa
    • Christian Brauner's avatar
      evm: remove evm_xattr_acl_change() · e10796b8
      Christian Brauner authored
      The security and integrity infrastructure has dedicated hooks now so
      evm_xattr_acl_change() is dead code. Before this commit the callchain was:
      
      evm_protect_xattr()
      -> evm_xattr_change()
         -> evm_xattr_acl_change()
      
      where evm_protect_xattr() was hit from evm_inode_setxattr() and
      evm_inode_removexattr(). But now we have evm_inode_set_acl() and
      evm_inode_remove_acl() and have switched over the vfs to rely on the posix
      acl api so the code isn't hit anymore.
      Suggested-by: default avatarPaul Moore <paul@paul-moore.com>
      Signed-off-by: default avatarChristian Brauner (Microsoft) <brauner@kernel.org>
      e10796b8
    • Christian Brauner's avatar
      xattr: use posix acl api · 318e6685
      Christian Brauner authored
      In previous patches we built a new posix api solely around get and set
      inode operations. Now that we have all the pieces in place we can switch
      the system calls and the vfs over to only rely on this api when
      interacting with posix acls. This finally removes all type unsafety and
      type conversion issues explained in detail in [1] that we aim to get rid
      of.
      
      With the new posix acl api we immediately translate into an appropriate
      kernel internal struct posix_acl format both when getting and setting
      posix acls. This is a stark contrast to before were we hacked unsafe raw
      values into the uapi struct that was stored in a void pointer relying
      and having filesystems and security modules hack around in the uapi
      struct as well.
      
      Link: https://lore.kernel.org/all/20220801145520.1532837-1-brauner@kernel.org [1]
      Signed-off-by: default avatarChristian Brauner (Microsoft) <brauner@kernel.org>
      318e6685
    • Christian Brauner's avatar
      ovl: use posix acl api · 31acceb9
      Christian Brauner authored
      Now that posix acls have a proper api us it to copy them.
      
      All filesystems that can serve as lower or upper layers for overlayfs
      have gained support for the new posix acl api in previous patches.
      So switch all internal overlayfs codepaths for copying posix acls to the
      new posix acl api.
      Acked-by: default avatarMiklos Szeredi <miklos@szeredi.hu>
      Signed-off-by: default avatarChristian Brauner (Microsoft) <brauner@kernel.org>
      31acceb9
    • Christian Brauner's avatar
      ovl: implement set acl method · 0e641857
      Christian Brauner authored
      The current way of setting and getting posix acls through the generic
      xattr interface is error prone and type unsafe. The vfs needs to
      interpret and fixup posix acls before storing or reporting it to
      userspace. Various hacks exist to make this work. The code is hard to
      understand and difficult to maintain in it's current form. Instead of
      making this work by hacking posix acls through xattr handlers we are
      building a dedicated posix acl api around the get and set inode
      operations. This removes a lot of hackiness and makes the codepaths
      easier to maintain. A lot of background can be found in [1].
      
      In order to build a type safe posix api around get and set acl we need
      all filesystem to implement get and set acl.
      
      Now that we have added get and set acl inode operations that allow easy
      access to the dentry we give overlayfs it's own get and set acl inode
      operations.
      
      The set acl inode operation is duplicates most of the ovl posix acl
      xattr handler. The main difference being that the set acl inode
      operation relies on the new posix acl api. Once the vfs has been
      switched over the custom posix acl xattr handler will be removed
      completely.
      
      Note, until the vfs has been switched to the new posix acl api this
      patch is a non-functional change.
      
      Link: https://lore.kernel.org/all/20220801145520.1532837-1-brauner@kernel.org [1]
      Acked-by: default avatarMiklos Szeredi <miklos@szeredi.hu>
      Signed-off-by: default avatarChristian Brauner (Microsoft) <brauner@kernel.org>
      0e641857
    • Christian Brauner's avatar
      ovl: implement get acl method · 6c0a8bfb
      Christian Brauner authored
      The current way of setting and getting posix acls through the generic
      xattr interface is error prone and type unsafe. The vfs needs to
      interpret and fixup posix acls before storing or reporting it to
      userspace. Various hacks exist to make this work. The code is hard to
      understand and difficult to maintain in it's current form. Instead of
      making this work by hacking posix acls through xattr handlers we are
      building a dedicated posix acl api around the get and set inode
      operations. This removes a lot of hackiness and makes the codepaths
      easier to maintain. A lot of background can be found in [1].
      
      In order to build a type safe posix api around get and set acl we need
      all filesystem to implement get and set acl.
      
      Now that we have added get and set acl inode operations that allow easy
      access to the dentry we give overlayfs it's own get and set acl inode
      operations.
      
      Since overlayfs is a stacking filesystem it will use the newly added
      posix acl api when retrieving posix acls from the relevant layer.
      
      Since overlayfs can also be mounted on top of idmapped layers. If
      idmapped layers are used overlayfs must take the layer's idmapping into
      account after it retrieved the posix acls from the relevant layer.
      
      Note, until the vfs has been switched to the new posix acl api this
      patch is a non-functional change.
      
      Link: https://lore.kernel.org/all/20220801145520.1532837-1-brauner@kernel.org [1]
      Signed-off-by: default avatarChristian Brauner (Microsoft) <brauner@kernel.org>
      6c0a8bfb
    • Christian Brauner's avatar
      ecryptfs: implement set acl method · 86c261b9
      Christian Brauner authored
      The current way of setting and getting posix acls through the generic
      xattr interface is error prone and type unsafe. The vfs needs to
      interpret and fixup posix acls before storing or reporting it to
      userspace. Various hacks exist to make this work. The code is hard to
      understand and difficult to maintain in it's current form. Instead of
      making this work by hacking posix acls through xattr handlers we are
      building a dedicated posix acl api around the get and set inode
      operations. This removes a lot of hackiness and makes the codepaths
      easier to maintain. A lot of background can be found in [1].
      
      In order to build a type safe posix api around get and set acl we need
      all filesystem to implement get and set acl.
      
      So far ecryptfs didn't implement get and set acl inode operations
      because it wanted easy access to the dentry. Now that we extended the
      set acl inode operation to take a dentry argument and added a new get
      acl inode operation that takes a dentry argument we can let ecryptfs
      implement get and set acl inode operations.
      
      Note, until the vfs has been switched to the new posix acl api this
      patch is a non-functional change.
      
      Link: https://lore.kernel.org/all/20220801145520.1532837-1-brauner@kernel.org [1]
      Signed-off-by: default avatarChristian Brauner (Microsoft) <brauner@kernel.org>
      86c261b9
    • Christian Brauner's avatar
      ecryptfs: implement get acl method · af84016f
      Christian Brauner authored
      The current way of setting and getting posix acls through the generic
      xattr interface is error prone and type unsafe. The vfs needs to
      interpret and fixup posix acls before storing or reporting it to
      userspace. Various hacks exist to make this work. The code is hard to
      understand and difficult to maintain in it's current form. Instead of
      making this work by hacking posix acls through xattr handlers we are
      building a dedicated posix acl api around the get and set inode
      operations. This removes a lot of hackiness and makes the codepaths
      easier to maintain. A lot of background can be found in [1].
      
      In order to build a type safe posix api around get and set acl we need
      all filesystem to implement get and set acl.
      
      So far ecryptfs didn't implement get and set acl inode operations
      because it wanted easy access to the dentry. Now that we extended the
      set acl inode operation to take a dentry argument and added a new get
      acl inode operation that takes a dentry argument we can let ecryptfs
      implement get and set acl inode operations.
      
      Note, until the vfs has been switched to the new posix acl api this
      patch is a non-functional change.
      
      Link: https://lore.kernel.org/all/20220801145520.1532837-1-brauner@kernel.org [1]
      Signed-off-by: default avatarChristian Brauner (Microsoft) <brauner@kernel.org>
      af84016f
    • Christian Brauner's avatar
      ksmbd: use vfs_remove_acl() · b82784a2
      Christian Brauner authored
      The current way of setting and getting posix acls through the generic
      xattr interface is error prone and type unsafe. The vfs needs to
      interpret and fixup posix acls before storing or reporting it to
      userspace. Various hacks exist to make this work. The code is hard to
      understand and difficult to maintain in it's current form. Instead of
      making this work by hacking posix acls through xattr handlers we are
      building a dedicated posix acl api around the get and set inode
      operations. This removes a lot of hackiness and makes the codepaths
      easier to maintain. A lot of background can be found in [1].
      
      Now that we've switched all filesystems that can serve as the lower
      filesystem for ksmbd we can switch ksmbd over to rely on
      the posix acl api. Note that this is orthogonal to switching the vfs
      itself over.
      
      Link: https://lore.kernel.org/all/20220801145520.1532837-1-brauner@kernel.org [1]
      Signed-off-by: default avatarChristian Brauner (Microsoft) <brauner@kernel.org>
      b82784a2
    • Christian Brauner's avatar
      acl: add vfs_remove_acl() · aeb7f005
      Christian Brauner authored
      In previous patches we implemented get and set inode operations for all
      non-stacking filesystems that support posix acls but didn't yet
      implement get and/or set acl inode operations. This specifically
      affected cifs and 9p.
      
      Now we can build a posix acl api based solely on get and set inode
      operations. We add a new vfs_remove_acl() api that can be used to set
      posix acls. This finally removes all type unsafety and type conversion
      issues explained in detail in [1] that we aim to get rid of.
      
      After we finished building the vfs api we can switch stacking
      filesystems to rely on the new posix api and then finally switch the
      xattr system calls themselves to rely on the posix acl api.
      
      Link: https://lore.kernel.org/all/20220801145520.1532837-1-brauner@kernel.org [1]
      Signed-off-by: default avatarChristian Brauner (Microsoft) <brauner@kernel.org>
      aeb7f005
    • Christian Brauner's avatar
      acl: add vfs_get_acl() · 4f353ba4
      Christian Brauner authored
      In previous patches we implemented get and set inode operations for all
      non-stacking filesystems that support posix acls but didn't yet
      implement get and/or set acl inode operations. This specifically
      affected cifs and 9p.
      
      Now we can build a posix acl api based solely on get and set inode
      operations. We add a new vfs_get_acl() api that can be used to get posix
      acls. This finally removes all type unsafety and type conversion issues
      explained in detail in [1] that we aim to get rid of.
      
      After we finished building the vfs api we can switch stacking
      filesystems to rely on the new posix api and then finally switch the
      xattr system calls themselves to rely on the posix acl api.
      
      Link: https://lore.kernel.org/all/20220801145520.1532837-1-brauner@kernel.org [1]
      Signed-off-by: default avatarChristian Brauner (Microsoft) <brauner@kernel.org>
      4f353ba4
    • Christian Brauner's avatar
      acl: add vfs_set_acl() · e4cc9163
      Christian Brauner authored
      In previous patches we implemented get and set inode operations for all
      non-stacking filesystems that support posix acls but didn't yet
      implement get and/or set acl inode operations. This specifically
      affected cifs and 9p.
      
      Now we can build a posix acl api based solely on get and set inode
      operations. We add a new vfs_set_acl() api that can be used to set posix
      acls. This finally removes all type unsafety and type conversion issues
      explained in detail in [1] that we aim to get rid of.
      
      After we finished building the vfs api we can switch stacking
      filesystems to rely on the new posix api and then finally switch the
      xattr system calls themselves to rely on the posix acl api.
      
      Link: https://lore.kernel.org/all/20220801145520.1532837-1-brauner@kernel.org [1]
      Signed-off-by: default avatarChristian Brauner (Microsoft) <brauner@kernel.org>
      e4cc9163
    • Christian Brauner's avatar
      internal: add may_write_xattr() · 56851bc9
      Christian Brauner authored
      Split out the generic checks whether an inode allows writing xattrs. Since
      security.* and system.* xattrs don't have any restrictions and we're going
      to split out posix acls into a dedicated api we will use this helper to
      check whether we can write posix acls.
      Signed-off-by: default avatarChristian Brauner (Microsoft) <brauner@kernel.org>
      56851bc9
    • Christian Brauner's avatar
      evm: add post set acl hook · a56df5d5
      Christian Brauner authored
      The security_inode_post_setxattr() hook is used by security modules to
      update their own security.* xattrs. Consequently none of the security
      modules operate on posix acls. So we don't need an additional security
      hook when post setting posix acls.
      
      However, the integrity subsystem wants to be informed about posix acl
      changes in order to reset the EVM status flag.
      
      -> evm_inode_post_setxattr()
         -> evm_update_evmxattr()
            -> evm_calc_hmac()
               -> evm_calc_hmac_or_hash()
      
      and evm_cacl_hmac_or_hash() walks the global list of protected xattr
      names evm_config_xattrnames. This global list can be modified via
      /sys/security/integrity/evm/evm_xattrs. The write to "evm_xattrs" is
      restricted to security.* xattrs and the default xattrs in
      evm_config_xattrnames only contains security.* xattrs as well.
      
      So the actual value for posix acls is currently completely irrelevant
      for evm during evm_inode_post_setxattr() and frankly it should stay that
      way in the future to not cause the vfs any more headaches. But if the
      actual posix acl values matter then evm shouldn't operate on the binary
      void blob and try to hack around in the uapi struct anyway. Instead it
      should then in the future add a dedicated hook which takes a struct
      posix_acl argument passing the posix acls in the proper vfs format.
      
      For now it is sufficient to make evm_inode_post_set_acl() a wrapper
      around evm_inode_post_setxattr() not passing any actual values down.
      This will cause the hashes to be updated as before.
      Reviewed-by: default avatarPaul Moore <paul@paul-moore.com>
      Signed-off-by: default avatarChristian Brauner (Microsoft) <brauner@kernel.org>
      a56df5d5
    • Christian Brauner's avatar
      integrity: implement get and set acl hook · e61b135f
      Christian Brauner authored
      The current way of setting and getting posix acls through the generic
      xattr interface is error prone and type unsafe. The vfs needs to
      interpret and fixup posix acls before storing or reporting it to
      userspace. Various hacks exist to make this work. The code is hard to
      understand and difficult to maintain in it's current form. Instead of
      making this work by hacking posix acls through xattr handlers we are
      building a dedicated posix acl api around the get and set inode
      operations. This removes a lot of hackiness and makes the codepaths
      easier to maintain. A lot of background can be found in [1].
      
      So far posix acls were passed as a void blob to the security and
      integrity modules. Some of them like evm then proceed to interpret the
      void pointer and convert it into the kernel internal struct posix acl
      representation to perform their integrity checking magic. This is
      obviously pretty problematic as that requires knowledge that only the
      vfs is guaranteed to have and has lead to various bugs. Add a proper
      security hook for setting posix acls and pass down the posix acls in
      their appropriate vfs format instead of hacking it through a void
      pointer stored in the uapi format.
      
      I spent considerate time in the security module and integrity
      infrastructure and audited all codepaths. EVM is the only part that
      really has restrictions based on the actual posix acl values passed
      through it (e.g., i_mode). Before this dedicated hook EVM used to translate
      from the uapi posix acl format sent to it in the form of a void pointer
      into the vfs format. This is not a good thing. Instead of hacking around in
      the uapi struct give EVM the posix acls in the appropriate vfs format and
      perform sane permissions checks that mirror what it used to to in the
      generic xattr hook.
      
      IMA doesn't have any restrictions on posix acls. When posix acls are
      changed it just wants to update its appraisal status to trigger an EVM
      revalidation.
      
      The removal of posix acls is equivalent to passing NULL to the posix set
      acl hooks. This is the same as before through the generic xattr api.
      
      Link: https://lore.kernel.org/all/20220801145520.1532837-1-brauner@kernel.org [1]
      Acked-by: Paul Moore <paul@paul-moore.com> (LSM)
      Signed-off-by: default avatarChristian Brauner (Microsoft) <brauner@kernel.org>
      e61b135f
    • Christian Brauner's avatar
      smack: implement get, set and remove acl hook · 44faac01
      Christian Brauner authored
      The current way of setting and getting posix acls through the generic
      xattr interface is error prone and type unsafe. The vfs needs to
      interpret and fixup posix acls before storing or reporting it to
      userspace. Various hacks exist to make this work. The code is hard to
      understand and difficult to maintain in it's current form. Instead of
      making this work by hacking posix acls through xattr handlers we are
      building a dedicated posix acl api around the get and set inode
      operations. This removes a lot of hackiness and makes the codepaths
      easier to maintain. A lot of background can be found in [1].
      
      So far posix acls were passed as a void blob to the security and
      integrity modules. Some of them like evm then proceed to interpret the
      void pointer and convert it into the kernel internal struct posix acl
      representation to perform their integrity checking magic. This is
      obviously pretty problematic as that requires knowledge that only the
      vfs is guaranteed to have and has lead to various bugs. Add a proper
      security hook for setting posix acls and pass down the posix acls in
      their appropriate vfs format instead of hacking it through a void
      pointer stored in the uapi format.
      
      I spent considerate time in the security module infrastructure and
      audited all codepaths. Smack has no restrictions based on the posix
      acl values passed through it. The capability hook doesn't need to be
      called either because it only has restrictions on security.* xattrs. So
      these all becomes very simple hooks for smack.
      
      Link: https://lore.kernel.org/all/20220801145520.1532837-1-brauner@kernel.org [1]
      Reviewed-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
      Reviewed-by: default avatarPaul Moore <paul@paul-moore.com>
      Signed-off-by: default avatarChristian Brauner (Microsoft) <brauner@kernel.org>
      44faac01
    • Christian Brauner's avatar
      selinux: implement get, set and remove acl hook · 1bdeb218
      Christian Brauner authored
      The current way of setting and getting posix acls through the generic
      xattr interface is error prone and type unsafe. The vfs needs to
      interpret and fixup posix acls before storing or reporting it to
      userspace. Various hacks exist to make this work. The code is hard to
      understand and difficult to maintain in it's current form. Instead of
      making this work by hacking posix acls through xattr handlers we are
      building a dedicated posix acl api around the get and set inode
      operations. This removes a lot of hackiness and makes the codepaths
      easier to maintain. A lot of background can be found in [1].
      
      So far posix acls were passed as a void blob to the security and
      integrity modules. Some of them like evm then proceed to interpret the
      void pointer and convert it into the kernel internal struct posix acl
      representation to perform their integrity checking magic. This is
      obviously pretty problematic as that requires knowledge that only the
      vfs is guaranteed to have and has lead to various bugs. Add a proper
      security hook for setting posix acls and pass down the posix acls in
      their appropriate vfs format instead of hacking it through a void
      pointer stored in the uapi format.
      
      I spent considerate time in the security module infrastructure and
      audited all codepaths. SELinux has no restrictions based on the posix
      acl values passed through it. The capability hook doesn't need to be
      called either because it only has restrictions on security.* xattrs. So
      these are all fairly simply hooks for SELinux.
      
      Link: https://lore.kernel.org/all/20220801145520.1532837-1-brauner@kernel.org [1]
      Acked-by: default avatarPaul Moore <paul@paul-moore.com>
      Signed-off-by: default avatarChristian Brauner (Microsoft) <brauner@kernel.org>
      1bdeb218
    • Christian Brauner's avatar
      security: add get, remove and set acl hook · 72b3897e
      Christian Brauner authored
      The current way of setting and getting posix acls through the generic
      xattr interface is error prone and type unsafe. The vfs needs to
      interpret and fixup posix acls before storing or reporting it to
      userspace. Various hacks exist to make this work. The code is hard to
      understand and difficult to maintain in it's current form. Instead of
      making this work by hacking posix acls through xattr handlers we are
      building a dedicated posix acl api around the get and set inode
      operations. This removes a lot of hackiness and makes the codepaths
      easier to maintain. A lot of background can be found in [1].
      
      So far posix acls were passed as a void blob to the security and
      integrity modules. Some of them like evm then proceed to interpret the
      void pointer and convert it into the kernel internal struct posix acl
      representation to perform their integrity checking magic. This is
      obviously pretty problematic as that requires knowledge that only the
      vfs is guaranteed to have and has lead to various bugs. Add a proper
      security hook for setting posix acls and pass down the posix acls in
      their appropriate vfs format instead of hacking it through a void
      pointer stored in the uapi format.
      
      In the next patches we implement the hooks for the few security modules
      that do actually have restrictions on posix acls.
      
      Link: https://lore.kernel.org/all/20220801145520.1532837-1-brauner@kernel.org [1]
      Acked-by: default avatarPaul Moore <paul@paul-moore.com>
      Signed-off-by: default avatarChristian Brauner (Microsoft) <brauner@kernel.org>
      72b3897e
    • Christian Brauner's avatar
      9p: implement set acl method · 079da629
      Christian Brauner authored
      The current way of setting and getting posix acls through the generic
      xattr interface is error prone and type unsafe. The vfs needs to
      interpret and fixup posix acls before storing or reporting it to
      userspace. Various hacks exist to make this work. The code is hard to
      understand and difficult to maintain in it's current form. Instead of
      making this work by hacking posix acls through xattr handlers we are
      building a dedicated posix acl api around the get and set inode
      operations. This removes a lot of hackiness and makes the codepaths
      easier to maintain. A lot of background can be found in [1].
      
      In order to build a type safe posix api around get and set acl we need
      all filesystem to implement get and set acl.
      
      So far 9p implemented a ->get_inode_acl() operation that didn't require
      access to the dentry in order to allow (limited) permission checking via
      posix acls in the vfs. Now that we have get and set acl inode operations
      that take a dentry argument we can give 9p get and set acl inode
      operations.
      
      This is mostly a light refactoring of the codepaths currently used in 9p
      posix acl xattr handler. After we have fully implemented the posix acl
      api and switched the vfs over to it, the 9p specific posix acl xattr
      handler and associated code will be removed.
      
      Note, until the vfs has been switched to the new posix acl api this
      patch is a non-functional change.
      
      Link: https://lore.kernel.org/all/20220801145520.1532837-1-brauner@kernel.org [1]
      Signed-off-by: default avatarChristian Brauner (Microsoft) <brauner@kernel.org>
      079da629
    • Christian Brauner's avatar
      9p: implement get acl method · 6cd4d4e8
      Christian Brauner authored
      The current way of setting and getting posix acls through the generic
      xattr interface is error prone and type unsafe. The vfs needs to
      interpret and fixup posix acls before storing or reporting it to
      userspace. Various hacks exist to make this work. The code is hard to
      understand and difficult to maintain in it's current form. Instead of
      making this work by hacking posix acls through xattr handlers we are
      building a dedicated posix acl api around the get and set inode
      operations. This removes a lot of hackiness and makes the codepaths
      easier to maintain. A lot of background can be found in [1].
      
      In order to build a type safe posix api around get and set acl we need
      all filesystem to implement get and set acl.
      
      So far 9p implemented a ->get_inode_acl() operation that didn't require
      access to the dentry in order to allow (limited) permission checking via
      posix acls in the vfs. Now that we have get and set acl inode operations
      that take a dentry argument we can give 9p get and set acl inode
      operations.
      
      This is mostly a refactoring of the codepaths currently used in 9p posix
      acl xattr handler. After we have fully implemented the posix acl api and
      switched the vfs over to it, the 9p specific posix acl xattr handler and
      associated code will be removed.
      
      Note, until the vfs has been switched to the new posix acl api this
      patch is a non-functional change.
      
      Link: https://lore.kernel.org/all/20220801145520.1532837-1-brauner@kernel.org [1]
      Signed-off-by: default avatarChristian Brauner (Microsoft) <brauner@kernel.org>
      6cd4d4e8
    • Christian Brauner's avatar
      cifs: implement set acl method · dc1af4c4
      Christian Brauner authored
      The current way of setting and getting posix acls through the generic
      xattr interface is error prone and type unsafe. The vfs needs to
      interpret and fixup posix acls before storing or reporting it to
      userspace. Various hacks exist to make this work. The code is hard to
      understand and difficult to maintain in it's current form. Instead of
      making this work by hacking posix acls through xattr handlers we are
      building a dedicated posix acl api around the get and set inode
      operations. This removes a lot of hackiness and makes the codepaths
      easier to maintain. A lot of background can be found in [1].
      
      In order to build a type safe posix api around get and set acl we need
      all filesystem to implement get and set acl.
      
      So far cifs wasn't able to implement get and set acl inode operations
      because it needs access to the dentry. Now that we extended the set acl
      inode operation to take a dentry argument and added a new get acl inode
      operation that takes a dentry argument we can let cifs implement get and
      set acl inode operations.
      
      This is mostly a copy and paste of the codepaths currently used in cifs'
      posix acl xattr handler. After we have fully implemented the posix acl
      api and switched the vfs over to it, the cifs specific posix acl xattr
      handler and associated code will be removed and the code duplication
      will go away.
      
      Note, until the vfs has been switched to the new posix acl api this
      patch is a non-functional change.
      
      Link: https://lore.kernel.org/all/20220801145520.1532837-1-brauner@kernel.org [1]
      Signed-off-by: default avatarChristian Brauner (Microsoft) <brauner@kernel.org>
      dc1af4c4