| Message ID | 20191127040051.39169-1-yukuai3@huawei.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | mm/shmem.c: don't set 'seals' to 'F_SEAL_SEAL' in shmem_get_inode | expand |
On Wed, 27 Nov 2019, yu kuai wrote: > 'seals' is set to 'F_SEAL_SEAL' in shmem_get_inode, which means "prevent > further seals from being set", thus sealing API will be useless and many > code in shmem.c will never be reached. For example: The sealing API is not useless, and that code can be reached. > > shmem_setattr > if ((newsize < oldsize && (info->seals & F_SEAL_SHRINK)) || > (newsize > oldsize && (info->seals & F_SEAL_GROW))) > return -EPERM; > > So, initialize 'seals' to zero is more reasonable. > > Signed-off-by: yu kuai <yukuai3@huawei.com> NAK. See memfd_create in mm/memfd.c (code which originated in mm/shmem.c, then was extended to support hugetlbfs also): sealing is for memfds, not for tmpfs or hugetlbfs files or SHM. Without thinking about it too hard, I believe that to allow sealing on tmpfs files would introduce surprising new behaviors on them, which might well raise security issues; and also be incompatible with the guarantees intended by sealing. > --- > mm/shmem.c | 1 - > 1 file changed, 1 deletion(-) > > diff --git a/mm/shmem.c b/mm/shmem.c > index 165fa6332993..7b032b347bda 100644 > --- a/mm/shmem.c > +++ b/mm/shmem.c > @@ -2256,7 +2256,6 @@ static struct inode *shmem_get_inode(struct super_block *sb, const struct inode > memset(info, 0, (char *)inode - (char *)info); > spin_lock_init(&info->lock); > atomic_set(&info->stop_eviction, 0); > - info->seals = F_SEAL_SEAL; > info->flags = flags & VM_NORESERVE; > INIT_LIST_HEAD(&info->shrinklist); > INIT_LIST_HEAD(&info->swaplist); > -- > 2.17.2
On 2019/11/27 12:24, Hugh Dickins Wrote: > On Wed, 27 Nov 2019, yu kuai wrote: > >> 'seals' is set to 'F_SEAL_SEAL' in shmem_get_inode, which means "prevent >> further seals from being set", thus sealing API will be useless and many >> code in shmem.c will never be reached. For example: > > The sealing API is not useless, and that code can be reached. > >> >> shmem_setattr >> if ((newsize < oldsize && (info->seals & F_SEAL_SHRINK)) || >> (newsize > oldsize && (info->seals & F_SEAL_GROW))) >> return -EPERM; >> >> So, initialize 'seals' to zero is more reasonable. >> >> Signed-off-by: yu kuai <yukuai3@huawei.com> > > NAK. > > See memfd_create in mm/memfd.c (code which originated in mm/shmem.c, > then was extended to support hugetlbfs also): sealing is for memfds, > not for tmpfs or hugetlbfs files or SHM. Without thinking about it too > hard, I believe that to allow sealing on tmpfs files would introduce > surprising new behaviors on them, which might well raise security issues; > and also be incompatible with the guarantees intended by sealing. Thank you for your response. Yu Kuai
diff --git a/mm/shmem.c b/mm/shmem.c index 165fa6332993..7b032b347bda 100644 --- a/mm/shmem.c +++ b/mm/shmem.c @@ -2256,7 +2256,6 @@ static struct inode *shmem_get_inode(struct super_block *sb, const struct inode memset(info, 0, (char *)inode - (char *)info); spin_lock_init(&info->lock); atomic_set(&info->stop_eviction, 0); - info->seals = F_SEAL_SEAL; info->flags = flags & VM_NORESERVE; INIT_LIST_HEAD(&info->shrinklist); INIT_LIST_HEAD(&info->swaplist);
'seals' is set to 'F_SEAL_SEAL' in shmem_get_inode, which means "prevent further seals from being set", thus sealing API will be useless and many code in shmem.c will never be reached. For example: shmem_setattr if ((newsize < oldsize && (info->seals & F_SEAL_SHRINK)) || (newsize > oldsize && (info->seals & F_SEAL_GROW))) return -EPERM; So, initialize 'seals' to zero is more reasonable. Signed-off-by: yu kuai <yukuai3@huawei.com> --- mm/shmem.c | 1 - 1 file changed, 1 deletion(-)