| 1 |
Tomwij, blueness, as rsbac_sources maintainers, if you want to test |
| 2 |
fixation Patch with the source I have pointed in my initial mail, expect |
| 3 |
some troubles in compilation (conflicting types with k_uidt. I think it's |
| 4 |
not related with fixation Patch, but with rsbac instead, and git in |
| 5 |
particular an something puntual :-S. So when I could make it compile (I |
| 6 |
have asked about this to ao, tested with rsbac 3.10 too...with same result) |
| 7 |
I will tell you, |
| 8 |
|
| 9 |
Rsbac git is now (as I have seen this night) with troubles and I could only |
| 10 |
get rsbac sources from webgit clicking in "snapshot" |
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
2013/7/29 Javier Juan Martínez Cabezón <tazok.id0@×××××.com> |
| 17 |
|
| 18 |
> Hi and thanks for your answer, in rsbac code in namei.c this code: |
| 19 |
> |
| 20 |
> |
| 21 |
> rsbac_name = rsbac_symlink_redirect(dentry- |
| 22 |
> >d_inode, link, buflen); |
| 23 |
> |
| 24 |
> assigns to rsbac_name the result of rsbac_symlink_redirect() |
| 25 |
> |
| 26 |
> the part I have found about rsbac_symlink_redirect definition is this |
| 27 |
> (from adf_main.c, rsbac only code) |
| 28 |
> |
| 29 |
> ( |
| 30 |
> http://git.rsbac.org/cgi-bin/gitweb.cgi?p=linux-3.8.y.git;a=blob;f=rsbac/adf/adf_main.c;h=decb72b3648cf4353deead1b880048bbfa17a035;hb=HEAD: |
| 31 |
> |
| 32 |
> #ifdef CONFIG_RSBAC_SYM_REDIR |
| 33 |
> 2741 EXPORT_SYMBOL(rsbac_symlink_redirect); |
| 34 |
> 2742 |
| 35 |
> 2743 /* This function changes the symlink content by adding a suffix, if |
| 36 |
> 2744 * requested. It returns NULL, if unchanged, or a pointer to a |
| 37 |
> 2745 * kmalloc'd new char * otherwise, which has to be kfree'd after use. |
| 38 |
> 2746 */ |
| 39 |
> 2747 *char * rsbac_symlink_redirect( |
| 40 |
> 2748 struct inode * inode_p, |
| 41 |
> 2749 const char * name, |
| 42 |
> 2750 u_int maxlen)* |
| 43 |
> 2751 { |
| 44 |
> 2752 #if defined(CONFIG_RSBAC_SYM_REDIR_REMOTE_IP) || |
| 45 |
> defined(CONFIG_RSBAC_SYM_REDIR_MAC) || defined(CONFIG_RSBAC_SYM_REDIR_RC) |
| 46 |
> || defined(CONFIG_RSBAC_SYM_REDIR_UID) |
| 47 |
> 2753 * union rsbac_target_id_t * i_tid_p; |
| 48 |
> 2754 int err; |
| 49 |
> 2755 union rsbac_attribute_value_t i_attr_val;* |
| 50 |
> 2756 #endif |
| 51 |
> . |
| 52 |
> . |
| 53 |
> . |
| 54 |
> #if defined(CONFIG_RSBAC_SYM_REDIR_REMOTE_IP) || |
| 55 |
> defined(CONFIG_RSBAC_SYM_REDIR_MAC) || defined(CONFIG_RSBAC_SYM_REDIR_RC) |
| 56 |
> || defined(CONFIG_RSBAC_SYM_REDIR_UID) |
| 57 |
> 2793 * i_tid_p = kmalloc(sizeof(*i_tid_p), GFP_KERNEL);* |
| 58 |
> 2794 if(!i_tid_p) |
| 59 |
> 2795 { |
| 60 |
> 2796 rsbac_printk(KERN_DEBUG |
| 61 |
> 2797 "rsbac_symlink_redirect(): not enough memory for symlink |
| 62 |
> redir remote ip inode %u on dev %02u:%02u!\n", |
| 63 |
> 2798 inode_p->i_ino, |
| 64 |
> 2799 RSBAC_MAJOR(inode_p->i_sb->s_dev), |
| 65 |
> RSBAC_MINOR(inode_p->i_sb->s_dev) ); |
| 66 |
> 2800 return NULL; |
| 67 |
> 2801 } |
| 68 |
> 2802 i_tid_p->symlink.device = inode_p->i_sb->s_dev; |
| 69 |
> 2803 i_tid_p->symlink.inode = inode_p->i_ino; |
| 70 |
> 2804 i_tid_p->symlink.dentry_p = NULL; |
| 71 |
> 2805 #endif |
| 72 |
> |
| 73 |
> |
| 74 |
> So, Would be safe maintain the namei.c related part from fixation patch |
| 75 |
> as is isn't it? |
| 76 |
> |
| 77 |
> This in particular: |
| 78 |
> |
| 79 |
> |
| 80 |
> #ifdef CONFIG_RSBAC_SYM_REDIR |
| 81 |
> rsbac_name = rsbac_symlink_redirect(dentry->d_inode, link, buflen); |
| 82 |
> if (rsbac_name) { |
| 83 |
> len = strlen(rsbac_name); |
| 84 |
> if (copy_to_user(buffer, rsbac_name, len)) |
| 85 |
> len = -EFAULT; |
| 86 |
> kfree(rsbac_name); |
| 87 |
> } |
| 88 |
> else |
| 89 |
> #endif |
| 90 |
> if (len < sizeof(tmpbuf)) { |
| 91 |
> memcpy(tmpbuf, link, len); |
| 92 |
> newlink = tmpbuf; |
| 93 |
> } else |
| 94 |
> newlink = link; |
| 95 |
> |
| 96 |
> if (copy_to_user(buffer, newlink, len)) |
| 97 |
> len = -EFAULT; |
| 98 |
> out: |
| 99 |
> return len; |
| 100 |
> } |
| 101 |
> |
| 102 |
> This piece of code doesn't change usually change in rsbac as I would had |
| 103 |
> seen, so fixation patch should stay equal towards (if switched correct PaX |
| 104 |
> patch and rsbac patch it only rejects in this four positions and always the |
| 105 |
> same ones, so fixation patch should work for another versions too.. |
| 106 |
> |
| 107 |
> Thanks a lot pageexec. |
| 108 |
> |
| 109 |
> |
| 110 |
> |
| 111 |
> 2013/7/29 PaX Team <pageexec@×××××.com> |
| 112 |
> |
| 113 |
>> On 29 Jul 2013 at 6:23, Javier Juan Martínez Cabezón wrote: |
| 114 |
>> |
| 115 |
>> > PaX tries to do this modification to rsbac git code: |
| 116 |
>> > |
| 117 |
>> > --- fs/namei.c 2013-03-19 01:53:21.091281869 +0100 |
| 118 |
>> > +++ fs/namei.c 2013-03-19 01:53:31.251281326 +0100 |
| 119 |
>> > @@ -3954,7 +3956,14 @@ |
| 120 |
>> > len = strlen(link); |
| 121 |
>> > if (len > (unsigned) buflen) |
| 122 |
>> > len = buflen; |
| 123 |
>> > - if (copy_to_user(buffer, link, len)) |
| 124 |
>> > + |
| 125 |
>> > + if (len < sizeof(tmpbuf)) { |
| 126 |
>> > + memcpy(tmpbuf, link, len); |
| 127 |
>> > + newlink = tmpbuf; |
| 128 |
>> > + } else |
| 129 |
>> > + newlink = link; |
| 130 |
>> > + |
| 131 |
>> > + if (copy_to_user(buffer, newlink, len)) |
| 132 |
>> > len = -EFAULT; |
| 133 |
>> > out: |
| 134 |
>> > return len; |
| 135 |
>> |
| 136 |
>> this change is done for USERCOPY to prevent false positive reports when |
| 137 |
>> the |
| 138 |
>> name comes from a dentry field (vs. a normal kmalloc slab) or something |
| 139 |
>> like that. if you want to enable USERCOPY under RSBAC as well then you'll |
| 140 |
>> have to ensure that either rsbac_name is allocated by a normal kmalloc |
| 141 |
>> (this |
| 142 |
>> seems to be the case already from a quick look) or you'll have to do the |
| 143 |
>> temporary stack copy as done in the above snippet. |
| 144 |
>> |
| 145 |
>> |
| 146 |
>> |
| 147 |
>> |
| 148 |
> |
Archives