[tomoyo-users-en 634] Re: Greetings; gokigen yo

Tetsuo Handa from-****@I-lov*****
Mon Feb 8 20:18:23 JST 2016


Hello.

Kyle Sallee wrote:
> 
> 
> #2016/02/07 20:15:09# profile=3 mode=enforcing granted=no (global-pid=6458)
> task={ pid=23261 ppid=26622 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0
> fsgid=0 } path1={ uid=0 gid=0 ino=131127 major=8 minor=19 perm=0755
> type=directory } path1.parent={ uid=0 gid=0 ino=131126 perm=0755 }
> <kernel> //free
> file unlink /tmp/anything/p/
> 
> /tmp/anything/p/ is a directory.
> /tmp/anything/p/ ga directory desu.
> 
> By the Tomoyo domain removal should be allowed.
> Tomoyo domain ni yoru to dekiru hazu desu.
> 
> From the remove function; the request was not granted.
> Remove function kara nozomu tokoro wo narimasen.
> 
> While from the rmdir function; the request was granted.
> Keredomo rmdir function kara; Tomoyo ha itashimasu.
> 
It seems that the remove() function unconditionally tries to delete it
using unlink(), and retries using rmdir() when unlink() fails with EISDIR.

---------- sample program ----------
#include <stdio.h>

int main(int argc, char *argv[]) {
        remove("/tmp/anything/p");
        return 0;
}
---------- sample program ----------

---------- strace output (without TOMOYO) ----------
unlink("/tmp/anything/p")               = -1 EISDIR (Is a directory)
rmdir("/tmp/anything/p")                = 0
---------- strace output (without TOMOYO) ----------

> How unexpected?
> Okashii to omoimasu.
> 
> Might a bug exist?
> Mushi ga aru kamo shiremasen?
> 

Indeed, it is an unexpected error code for userspace.

Technically, the security_path_unlink() hook (used by TOMOYO and AppArmor)
is called before may_delete(), which performs the EISDIR check, is called.
On the other hand, the security_inode_unlink() hook (used by SELinux
and Smack) is called after may_delete() is called.

Calling security_path_unlink() before may_delete() is a limitation (a tolerable
approach for VFS maintainers) of using the security_path_unlink() hook. Thus,
if we want to avoid this error, TOMOYO needs to return EISDIR if the file
passed to security_path_unlink() is a directory.

Since /tmp/anything/p/ is a directory, rmdir() needs to be used for
removing it. I think this denial log will be gone if you add

  acl_group $N file unlink /
  acl_group $N file unlink /\{\*\}/
  acl_group $N file unlink \*:/
  acl_group $N file unlink \*:/\{\*\}/

to the exception policy, for TOMOYO will grant removing directories using
unlink() and may_delete() will reject such requests with EISDIR.

> # uname -r
> 4.1.15
> 
> For the help thanks.
> osewani narimasu.
> 
> Tomoyo ga suki deshou deshou!
> Tomoyo is great, right!
> 
> Arigatou goazaimasu.
> Thanks.

Thank you for your report.
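
The unlink()-then-rmdir() fallback described in the reply above, next to a type-first variant that never issues unlink() on a directory, as an added example that is not part of the original message and not glibc's or TOMOYO's code. The function names, the call mask and the /tmp/remove-demo-XXXXXX fixture are assumptions made for illustration, and the EISDIR result assumes Linux.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example: unlink() first, rmdir() only on EISDIR, as in the strace above.
 * *calls records what was attempted: bit 0 = unlink(), bit 1 = rmdir(). */
int remove_unlink_first(const char *path, int *calls)
{
    *calls = 1;
    if (unlink(path) == 0)
        return 0;
    if (errno != EISDIR)    /* any other errno, such as an LSM denial, ends here */
        return -1;
    *calls |= 2;
    return rmdir(path);
}

/* Hypothetical alternative: choose the syscall from lstat(); a hint, not a check. */
int remove_by_type(const char *path, int *calls)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return -1;
    *calls = S_ISDIR(st.st_mode) ? 2 : 1;
    return S_ISDIR(st.st_mode) ? rmdir(path) : unlink(path);
}

/* Constructed fixture: removes an empty dir "p" with fn; returns mask or -1. */
int demo(int (*fn)(const char *, int *))
{
    char base[] = "/tmp/remove-demo-XXXXXX", dir[64];
    int calls = 0, rc;
    if (mkdtemp(base) == NULL)
        return -1;
    snprintf(dir, sizeof dir, "%s/p", base);
    rc = mkdir(dir, 0755) == 0 ? fn(dir, &calls) : -1;
    rmdir(dir);             /* cleanup; fails harmlessly if fn already removed it */
    rmdir(base);
    return rc == 0 ? calls : -1;
}

int main(void)
{
    printf("masks: %d %d\n", demo(remove_unlink_first), demo(remove_by_type));
    return 0;
}
```

A mask of 3 means both unlink() and rmdir() were attempted; a mask of 2 means only rmdir() was, so a path-based policy sees no unlink request for the directory.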



