Message ID | 20221115175652.3836811-2-roberto.sassu@huaweicloud.com (mailing list archive) |
---|---|
State | RFC |
Headers | show |
Series | security: Ensure LSMs return expected values | expand |
Context | Check | Description |
---|---|---|
netdev/tree_selection | success | Not a local patch |
bpf/vmtest-bpf-next-PR | pending | PR summary |
bpf/vmtest-bpf-next-VM_Test-1 | success | Logs for ShellCheck |
bpf/vmtest-bpf-next-VM_Test-4 | pending | Logs for build for s390x with gcc |
bpf/vmtest-bpf-next-VM_Test-7 | success | Logs for llvm-toolchain |
bpf/vmtest-bpf-next-VM_Test-8 | success | Logs for set-matrix |
bpf/vmtest-bpf-next-VM_Test-5 | success | Logs for build for x86_64 with gcc |
bpf/vmtest-bpf-next-VM_Test-6 | success | Logs for build for x86_64 with llvm-16 |
bpf/vmtest-bpf-next-VM_Test-2 | success | Logs for build for aarch64 with gcc |
bpf/vmtest-bpf-next-VM_Test-3 | success | Logs for build for aarch64 with llvm-16 |
On Tue, Nov 15, 2022 at 12:57 PM Roberto Sassu <roberto.sassu@huaweicloud.com> wrote: > > From: Roberto Sassu <roberto.sassu@huawei.com> > > include/linux/lsm_hooks.h reports the result of the LSM infrastructure to > the callers, not what LSMs should return to the LSM infrastructure. > > Clarify that and add that returning 1 from the LSMs means calling > __vm_enough_memory() with cap_sys_admin set, 0 without. > > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> > Reviewed-by: KP Singh <kpsingh@kernel.org> > --- > include/linux/lsm_hooks.h | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h > index 4ec80b96c22e..f40b82ca91e7 100644 > --- a/include/linux/lsm_hooks.h > +++ b/include/linux/lsm_hooks.h > @@ -1411,7 +1411,9 @@ > * Check permissions for allocating a new virtual mapping. > * @mm contains the mm struct it is being added to. > * @pages contains the number of pages. > - * Return 0 if permission is granted. > + * Return 0 if permission is granted by LSMs to the caller. LSMs should > + * return 1 if __vm_enough_memory() should be called with > + * cap_sys_admin set, 0 if not. I think this is a nice addition, but according to the code, any value greater than zero will trigger the caller-should-have-CAP_SYS_ADMIN behavior, not just 1. I suggest updating the comment.
On Tue, 2022-11-15 at 21:11 -0500, Paul Moore wrote: > On Tue, Nov 15, 2022 at 12:57 PM Roberto Sassu > <roberto.sassu@huaweicloud.com> wrote: > > From: Roberto Sassu <roberto.sassu@huawei.com> > > > > include/linux/lsm_hooks.h reports the result of the LSM infrastructure to > > the callers, not what LSMs should return to the LSM infrastructure. > > > > Clarify that and add that returning 1 from the LSMs means calling > > __vm_enough_memory() with cap_sys_admin set, 0 without. > > > > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> > > Reviewed-by: KP Singh <kpsingh@kernel.org> > > --- > > include/linux/lsm_hooks.h | 4 +++- > > 1 file changed, 3 insertions(+), 1 deletion(-) > > > > diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h > > index 4ec80b96c22e..f40b82ca91e7 100644 > > --- a/include/linux/lsm_hooks.h > > +++ b/include/linux/lsm_hooks.h > > @@ -1411,7 +1411,9 @@ > > * Check permissions for allocating a new virtual mapping. > > * @mm contains the mm struct it is being added to. > > * @pages contains the number of pages. > > - * Return 0 if permission is granted. > > + * Return 0 if permission is granted by LSMs to the caller. LSMs should > > + * return 1 if __vm_enough_memory() should be called with > > + * cap_sys_admin set, 0 if not. > > I think this is a nice addition, but according to the code, any value > greater than zero will trigger the caller-should-have-CAP_SYS_ADMIN > behavior, not just 1. I suggest updating the comment. Ok, yes. Thanks. Roberto
On Wed, Nov 16, 2022 at 9:06 AM Roberto Sassu <roberto.sassu@huaweicloud.com> wrote: > > On Tue, 2022-11-15 at 21:11 -0500, Paul Moore wrote: > > On Tue, Nov 15, 2022 at 12:57 PM Roberto Sassu > > <roberto.sassu@huaweicloud.com> wrote: > > > From: Roberto Sassu <roberto.sassu@huawei.com> > > > > > > include/linux/lsm_hooks.h reports the result of the LSM infrastructure to > > > the callers, not what LSMs should return to the LSM infrastructure. > > > > > > Clarify that and add that returning 1 from the LSMs means calling > > > __vm_enough_memory() with cap_sys_admin set, 0 without. > > > > > > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> > > > Reviewed-by: KP Singh <kpsingh@kernel.org> > > > --- > > > include/linux/lsm_hooks.h | 4 +++- > > > 1 file changed, 3 insertions(+), 1 deletion(-) > > > > > > diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h > > > index 4ec80b96c22e..f40b82ca91e7 100644 > > > --- a/include/linux/lsm_hooks.h > > > +++ b/include/linux/lsm_hooks.h > > > @@ -1411,7 +1411,9 @@ > > > * Check permissions for allocating a new virtual mapping. > > > * @mm contains the mm struct it is being added to. > > > * @pages contains the number of pages. > > > - * Return 0 if permission is granted. > > > + * Return 0 if permission is granted by LSMs to the caller. LSMs should > > > + * return 1 if __vm_enough_memory() should be called with > > > + * cap_sys_admin set, 0 if not. > > > > I think this is a nice addition, but according to the code, any value > > greater than zero will trigger the caller-should-have-CAP_SYS_ADMIN > > behavior, not just 1. I suggest updating the comment. > > Ok, yes. Thanks. Also, this is an unrelated patch and you can probably send it independently, especially since the other changes will now land mostly via BPF. > > Roberto >
On Wed, Nov 16, 2022 at 2:18 PM KP Singh <kpsingh@kernel.org> wrote: > On Wed, Nov 16, 2022 at 9:06 AM Roberto Sassu > <roberto.sassu@huaweicloud.com> wrote: > > > > On Tue, 2022-11-15 at 21:11 -0500, Paul Moore wrote: > > > On Tue, Nov 15, 2022 at 12:57 PM Roberto Sassu > > > <roberto.sassu@huaweicloud.com> wrote: > > > > From: Roberto Sassu <roberto.sassu@huawei.com> > > > > > > > > include/linux/lsm_hooks.h reports the result of the LSM infrastructure to > > > > the callers, not what LSMs should return to the LSM infrastructure. > > > > > > > > Clarify that and add that returning 1 from the LSMs means calling > > > > __vm_enough_memory() with cap_sys_admin set, 0 without. > > > > > > > > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> > > > > Reviewed-by: KP Singh <kpsingh@kernel.org> > > > > --- > > > > include/linux/lsm_hooks.h | 4 +++- > > > > 1 file changed, 3 insertions(+), 1 deletion(-) > > > > > > > > diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h > > > > index 4ec80b96c22e..f40b82ca91e7 100644 > > > > --- a/include/linux/lsm_hooks.h > > > > +++ b/include/linux/lsm_hooks.h > > > > @@ -1411,7 +1411,9 @@ > > > > * Check permissions for allocating a new virtual mapping. > > > > * @mm contains the mm struct it is being added to. > > > > * @pages contains the number of pages. > > > > - * Return 0 if permission is granted. > > > > + * Return 0 if permission is granted by LSMs to the caller. LSMs should > > > > + * return 1 if __vm_enough_memory() should be called with > > > > + * cap_sys_admin set, 0 if not. > > > > > > I think this is a nice addition, but according to the code, any value > > > greater than zero will trigger the caller-should-have-CAP_SYS_ADMIN > > > behavior, not just 1. I suggest updating the comment. > > > > Ok, yes. Thanks. > > Also, this is an unrelated patch and you can probably send it > independently, especially > since the other changes will now land mostly via BPF. Yes, the doc/comment changes really have nothing to do with the other stuff we are discussing in this patchset.
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 4ec80b96c22e..f40b82ca91e7 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -1411,7 +1411,9 @@ * Check permissions for allocating a new virtual mapping. * @mm contains the mm struct it is being added to. * @pages contains the number of pages. - * Return 0 if permission is granted. + * Return 0 if permission is granted by LSMs to the caller. LSMs should + * return 1 if __vm_enough_memory() should be called with + * cap_sys_admin set, 0 if not. * * @ismaclabel: * Check if the extended attribute specified by @name