diff mbox series

[v14,05/12] KEYS: Move KEY_LOOKUP_ to include/linux/key.h and set KEY_LOOKUP_FLAGS_ALL

Message ID 20220830161716.754078-6-roberto.sassu@huaweicloud.com (mailing list archive)
State Handled Elsewhere
Headers show
Series bpf: Add kfuncs for PKCS#7 signature verification | expand

Commit Message

Roberto Sassu Aug. 30, 2022, 4:17 p.m. UTC
From: Roberto Sassu <roberto.sassu@huawei.com>

In preparation for the patch that introduces the bpf_lookup_user_key() eBPF
kfunc, move KEY_LOOKUP_ definitions to include/linux/key.h, to be able to
validate the kfunc parameters.

Also, define the new constant KEY_LOOKUP_FLAGS_ALL, to facilitate checking
whether a variable contains only defined flags.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Reviewed-by: KP Singh <kpsingh@kernel.org>
---
 include/linux/key.h      | 4 ++++
 security/keys/internal.h | 2 --
 2 files changed, 4 insertions(+), 2 deletions(-)

Comments

Jarkko Sakkinen Aug. 31, 2022, 2:53 a.m. UTC | #1
On Tue, Aug 30, 2022 at 06:17:09PM +0200, Roberto Sassu wrote:
> From: Roberto Sassu <roberto.sassu@huawei.com>
> 
> In preparation for the patch that introduces the bpf_lookup_user_key() eBPF
> kfunc, move KEY_LOOKUP_ definitions to include/linux/key.h, to be able to
> validate the kfunc parameters.
> 
> Also, define the new constant KEY_LOOKUP_FLAGS_ALL, to facilitate checking
> whether a variable contains only defined flags.
> 
> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> Reviewed-by: KP Singh <kpsingh@kernel.org>
> ---
>  include/linux/key.h      | 4 ++++
>  security/keys/internal.h | 2 --
>  2 files changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/include/linux/key.h b/include/linux/key.h
> index 7febc4881363..e2a70e0fa89f 100644
> --- a/include/linux/key.h
> +++ b/include/linux/key.h
> @@ -88,6 +88,10 @@ enum key_need_perm {
>  	KEY_DEFER_PERM_CHECK,	/* Special: permission check is deferred */
>  };
>  
> +#define KEY_LOOKUP_CREATE	0x01
> +#define KEY_LOOKUP_PARTIAL	0x02
> +#define KEY_LOOKUP_FLAGS_ALL	(KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL)

IMHO this could be just KEY_LOOKUP_ALL.

> +
>  struct seq_file;
>  struct user_struct;
>  struct signal_struct;
> diff --git a/security/keys/internal.h b/security/keys/internal.h
> index 9b9cf3b6fcbb..3c1e7122076b 100644
> --- a/security/keys/internal.h
> +++ b/security/keys/internal.h
> @@ -165,8 +165,6 @@ extern struct key *request_key_and_link(struct key_type *type,
>  
>  extern bool lookup_user_key_possessed(const struct key *key,
>  				      const struct key_match_data *match_data);
> -#define KEY_LOOKUP_CREATE	0x01
> -#define KEY_LOOKUP_PARTIAL	0x02
>  
>  extern long join_session_keyring(const char *name);
>  extern void key_change_session_keyring(struct callback_head *twork);
> -- 
> 2.25.1
> 

Other than that wfm.

BR, Jarkko
Jarkko Sakkinen Aug. 31, 2022, 4:51 a.m. UTC | #2
On Wed, Aug 31, 2022 at 05:53:28AM +0300, Jarkko Sakkinen wrote:
> On Tue, Aug 30, 2022 at 06:17:09PM +0200, Roberto Sassu wrote:
> > From: Roberto Sassu <roberto.sassu@huawei.com>
> > 
> > In preparation for the patch that introduces the bpf_lookup_user_key() eBPF
> > kfunc, move KEY_LOOKUP_ definitions to include/linux/key.h, to be able to
> > validate the kfunc parameters.
> > 
> > Also, define the new constant KEY_LOOKUP_FLAGS_ALL, to facilitate checking
> > whether a variable contains only defined flags.
> > 
> > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> > Reviewed-by: KP Singh <kpsingh@kernel.org>
> > ---
> >  include/linux/key.h      | 4 ++++
> >  security/keys/internal.h | 2 --
> >  2 files changed, 4 insertions(+), 2 deletions(-)
> > 
> > diff --git a/include/linux/key.h b/include/linux/key.h
> > index 7febc4881363..e2a70e0fa89f 100644
> > --- a/include/linux/key.h
> > +++ b/include/linux/key.h
> > @@ -88,6 +88,10 @@ enum key_need_perm {
> >  	KEY_DEFER_PERM_CHECK,	/* Special: permission check is deferred */
> >  };
> >  
> > +#define KEY_LOOKUP_CREATE	0x01
> > +#define KEY_LOOKUP_PARTIAL	0x02
> > +#define KEY_LOOKUP_FLAGS_ALL	(KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL)
> 
> IMHO this could be just KEY_LOOKUP_ALL.
> 
> > +
> >  struct seq_file;
> >  struct user_struct;
> >  struct signal_struct;
> > diff --git a/security/keys/internal.h b/security/keys/internal.h
> > index 9b9cf3b6fcbb..3c1e7122076b 100644
> > --- a/security/keys/internal.h
> > +++ b/security/keys/internal.h
> > @@ -165,8 +165,6 @@ extern struct key *request_key_and_link(struct key_type *type,
> >  
> >  extern bool lookup_user_key_possessed(const struct key *key,
> >  				      const struct key_match_data *match_data);
> > -#define KEY_LOOKUP_CREATE	0x01
> > -#define KEY_LOOKUP_PARTIAL	0x02
> >  
> >  extern long join_session_keyring(const char *name);
> >  extern void key_change_session_keyring(struct callback_head *twork);
> > -- 
> > 2.25.1
> > 
> 
> Other than that wfm.

Roberto, with the change done above, just add my ack
to the next version:

Acked-by: Jarkko Sakkinen <jarkko@kernel.org>

BR, Jarkko
Jarkko Sakkinen Aug. 31, 2022, 6:29 a.m. UTC | #3
On Wed, Aug 31, 2022 at 07:51:47AM +0300, Jarkko Sakkinen wrote:
> On Wed, Aug 31, 2022 at 05:53:28AM +0300, Jarkko Sakkinen wrote:
> > On Tue, Aug 30, 2022 at 06:17:09PM +0200, Roberto Sassu wrote:
> > > From: Roberto Sassu <roberto.sassu@huawei.com>
> > > 
> > > In preparation for the patch that introduces the bpf_lookup_user_key() eBPF
> > > kfunc, move KEY_LOOKUP_ definitions to include/linux/key.h, to be able to
> > > validate the kfunc parameters.
> > > 
> > > Also, define the new constant KEY_LOOKUP_FLAGS_ALL, to facilitate checking
> > > whether a variable contains only defined flags.
> > > 
> > > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> > > Reviewed-by: KP Singh <kpsingh@kernel.org>
> > > ---
> > >  include/linux/key.h      | 4 ++++
> > >  security/keys/internal.h | 2 --
> > >  2 files changed, 4 insertions(+), 2 deletions(-)
> > > 
> > > diff --git a/include/linux/key.h b/include/linux/key.h
> > > index 7febc4881363..e2a70e0fa89f 100644
> > > --- a/include/linux/key.h
> > > +++ b/include/linux/key.h
> > > @@ -88,6 +88,10 @@ enum key_need_perm {
> > >  	KEY_DEFER_PERM_CHECK,	/* Special: permission check is deferred */
> > >  };
> > >  
> > > +#define KEY_LOOKUP_CREATE	0x01
> > > +#define KEY_LOOKUP_PARTIAL	0x02
> > > +#define KEY_LOOKUP_FLAGS_ALL	(KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL)
> > 
> > IMHO this could be just KEY_LOOKUP_ALL.
> > 
> > > +
> > >  struct seq_file;
> > >  struct user_struct;
> > >  struct signal_struct;
> > > diff --git a/security/keys/internal.h b/security/keys/internal.h
> > > index 9b9cf3b6fcbb..3c1e7122076b 100644
> > > --- a/security/keys/internal.h
> > > +++ b/security/keys/internal.h
> > > @@ -165,8 +165,6 @@ extern struct key *request_key_and_link(struct key_type *type,
> > >  
> > >  extern bool lookup_user_key_possessed(const struct key *key,
> > >  				      const struct key_match_data *match_data);
> > > -#define KEY_LOOKUP_CREATE	0x01
> > > -#define KEY_LOOKUP_PARTIAL	0x02
> > >  
> > >  extern long join_session_keyring(const char *name);
> > >  extern void key_change_session_keyring(struct callback_head *twork);
> > > -- 
> > > 2.25.1
> > > 
> > 
> > Other than that wfm.
> 
> Roberto, with the change done above, just add my ack
> to the next version:
> 
> Acked-by: Jarkko Sakkinen <jarkko@kernel.org>

And it is fine also to pick this to the bpf tree with
rest of the patch set (in the end).

BR, Jarkko
Roberto Sassu Aug. 31, 2022, 9:23 a.m. UTC | #4
On Wed, 2022-08-31 at 07:51 +0300, Jarkko Sakkinen wrote:
> On Wed, Aug 31, 2022 at 05:53:28AM +0300, Jarkko Sakkinen wrote:
> > On Tue, Aug 30, 2022 at 06:17:09PM +0200, Roberto Sassu wrote:
> > > From: Roberto Sassu <roberto.sassu@huawei.com>
> > > 
> > > In preparation for the patch that introduces the
> > > bpf_lookup_user_key() eBPF
> > > kfunc, move KEY_LOOKUP_ definitions to include/linux/key.h, to be
> > > able to
> > > validate the kfunc parameters.
> > > 
> > > Also, define the new constant KEY_LOOKUP_FLAGS_ALL, to facilitate
> > > checking
> > > whether a variable contains only defined flags.
> > > 
> > > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> > > Reviewed-by: KP Singh <kpsingh@kernel.org>
> > > ---
> > >  include/linux/key.h      | 4 ++++
> > >  security/keys/internal.h | 2 --
> > >  2 files changed, 4 insertions(+), 2 deletions(-)
> > > 
> > > diff --git a/include/linux/key.h b/include/linux/key.h
> > > index 7febc4881363..e2a70e0fa89f 100644
> > > --- a/include/linux/key.h
> > > +++ b/include/linux/key.h
> > > @@ -88,6 +88,10 @@ enum key_need_perm {
> > >  	KEY_DEFER_PERM_CHECK,	/* Special: permission check is deferred
> > > */
> > >  };
> > >  
> > > +#define KEY_LOOKUP_CREATE	0x01
> > > +#define KEY_LOOKUP_PARTIAL	0x02
> > > +#define KEY_LOOKUP_FLAGS_ALL	(KEY_LOOKUP_CREATE |
> > > KEY_LOOKUP_PARTIAL)
> > 
> > IMHO this could be just KEY_LOOKUP_ALL.
> > 
> > > +
> > >  struct seq_file;
> > >  struct user_struct;
> > >  struct signal_struct;
> > > diff --git a/security/keys/internal.h b/security/keys/internal.h
> > > index 9b9cf3b6fcbb..3c1e7122076b 100644
> > > --- a/security/keys/internal.h
> > > +++ b/security/keys/internal.h
> > > @@ -165,8 +165,6 @@ extern struct key
> > > *request_key_and_link(struct key_type *type,
> > >  
> > >  extern bool lookup_user_key_possessed(const struct key *key,
> > >  				      const struct key_match_data
> > > *match_data);
> > > -#define KEY_LOOKUP_CREATE	0x01
> > > -#define KEY_LOOKUP_PARTIAL	0x02
> > >  
> > >  extern long join_session_keyring(const char *name);
> > >  extern void key_change_session_keyring(struct callback_head
> > > *twork);
> > > -- 
> > > 2.25.1
> > > 
> > 
> > Other than that wfm.
> 
> Roberto, with the change done above, just add my ack
> to the next version:
> 
> Acked-by: Jarkko Sakkinen <jarkko@kernel.org>
> 

Perfect, thanks.

Roberto
Alexei Starovoitov Aug. 31, 2022, 3:33 p.m. UTC | #5
On Wed, Aug 31, 2022 at 2:24 AM Roberto Sassu
<roberto.sassu@huaweicloud.com> wrote:
> > > >
> > > > +#define KEY_LOOKUP_CREATE        0x01
> > > > +#define KEY_LOOKUP_PARTIAL       0x02
> > > > +#define KEY_LOOKUP_FLAGS_ALL     (KEY_LOOKUP_CREATE |
> > > > KEY_LOOKUP_PARTIAL)
> > >
> > > IMHO this could be just KEY_LOOKUP_ALL.

Since this is supposed to be kernel internal flags
please make them enum, so that bpf progs can auto-adjust
(with the help of CORE) to changes in this enum.
With #define there is no way for bpf prog to know
when #define changed in the future kernels.
Roberto Sassu Aug. 31, 2022, 3:55 p.m. UTC | #6
On Wed, 2022-08-31 at 08:33 -0700, Alexei Starovoitov wrote:
> On Wed, Aug 31, 2022 at 2:24 AM Roberto Sassu
> <roberto.sassu@huaweicloud.com> wrote:
> > > > > +#define KEY_LOOKUP_CREATE        0x01
> > > > > +#define KEY_LOOKUP_PARTIAL       0x02
> > > > > +#define KEY_LOOKUP_FLAGS_ALL     (KEY_LOOKUP_CREATE |
> > > > > KEY_LOOKUP_PARTIAL)
> > > > 
> > > > IMHO this could be just KEY_LOOKUP_ALL.
> 
> Since this is supposed to be kernel internal flags
> please make them enum, so that bpf progs can auto-adjust
> (with the help of CORE) to changes in this enum.
> With #define there is no way for bpf prog to know
> when #define changed in the future kernels.

Ok, will add in the next version.

Thanks

Roberto
Jarkko Sakkinen Sept. 2, 2022, 3:27 a.m. UTC | #7
On Wed, Aug 31, 2022 at 08:33:38AM -0700, Alexei Starovoitov wrote:
> On Wed, Aug 31, 2022 at 2:24 AM Roberto Sassu
> <roberto.sassu@huaweicloud.com> wrote:
> > > > >
> > > > > +#define KEY_LOOKUP_CREATE        0x01
> > > > > +#define KEY_LOOKUP_PARTIAL       0x02
> > > > > +#define KEY_LOOKUP_FLAGS_ALL     (KEY_LOOKUP_CREATE |
> > > > > KEY_LOOKUP_PARTIAL)
> > > >
> > > > IMHO this could be just KEY_LOOKUP_ALL.
> 
> Since this is supposed to be kernel internal flags
> please make them enum, so that bpf progs can auto-adjust
> (with the help of CORE) to changes in this enum.
> With #define there is no way for bpf prog to know
> when #define changed in the future kernels.

Isn't enum also Rust compatibility requirement, or do I remember
incorrectly? Anyway, good suggestion.

BR, Jarkko
diff mbox series

Patch

diff --git a/include/linux/key.h b/include/linux/key.h
index 7febc4881363..e2a70e0fa89f 100644
--- a/include/linux/key.h
+++ b/include/linux/key.h
@@ -88,6 +88,10 @@  enum key_need_perm {
 	KEY_DEFER_PERM_CHECK,	/* Special: permission check is deferred */
 };
 
+#define KEY_LOOKUP_CREATE	0x01
+#define KEY_LOOKUP_PARTIAL	0x02
+#define KEY_LOOKUP_FLAGS_ALL	(KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL)
+
 struct seq_file;
 struct user_struct;
 struct signal_struct;
diff --git a/security/keys/internal.h b/security/keys/internal.h
index 9b9cf3b6fcbb..3c1e7122076b 100644
--- a/security/keys/internal.h
+++ b/security/keys/internal.h
@@ -165,8 +165,6 @@  extern struct key *request_key_and_link(struct key_type *type,
 
 extern bool lookup_user_key_possessed(const struct key *key,
 				      const struct key_match_data *match_data);
-#define KEY_LOOKUP_CREATE	0x01
-#define KEY_LOOKUP_PARTIAL	0x02
 
 extern long join_session_keyring(const char *name);
 extern void key_change_session_keyring(struct callback_head *twork);