linux-security-module November 2007 archive
Main Archive Page > Month Archives  > linux-security-module archives
linux-security-module: Re: Missing security_file_permission() ch

Re: Missing security_file_permission() check from sys_splice()

From: Stephen Smalley <sds_at_nospam>
Date: Fri Nov 09 2007 - 14:49:37 GMT
To: Lin Tan <>

On Thu, 2007-11-08 at 23:20 -0600, Lin Tan wrote:
> Seems that an unauthorized user can send file through sockets due to
> the following missing check errors.
> There is not security_file_permission() check from sys_splice(),
> which can invoke sock_sendpage(). The call chain is as follows.
> sys_splice -> do_splice -> do_splice_from -> generic_splice_sendpage
> (via function pointer out->f_op->splice_write, which is set up in net/
> socket.c) -> pipe_to_sendpage -> sock_sendpage ( via file->f_op-
> >sendpage, in net/socket.c)
> I believe sock_sendpage() needs to be protected by
> security_file_permission() for two reasons. First, in the following
> path it is protected.
> sys_sendfile -> do_sendfile -> file_send_actor -> sock_sendpage
> Second, if it is not protected, then unauthorized user can send file
> through sockets. Adding the check in do_splice_from() should solve
> the problem.
> Similar problems exit in do_splice_to() and probably in sys_vmspliace
> () too.

What kernel version are you looking at?

Current kernel has security_file_permission() calls in do_splice_from() and do_splice_to().

BTW, one might argue that for the socket case, these should be mediated by the socket hooks, which does happen if the sendpage operation falls back to sock_no_sendpage() -> kernel_sendmsg() -> sock_sendmsg(). But that doesn't happen when the protocol implementation implements its own sendpage operations, of course. So possibly there should be a socket security hook call in sock_sendpage(). -- Stephen Smalley National Security Agency - To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to More majordomo info at