Message ID | 20240307122240.3560688-1-roberto.sassu@huaweicloud.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | evm: Change vfs_getxattr() with __vfs_getxattr() in evm_calc_hmac_or_hash() | expand |
On Thu, Mar 07, 2024 at 01:22:39PM +0100, Roberto Sassu wrote: > From: Roberto Sassu <roberto.sassu@huawei.com> > > Use __vfs_getxattr() instead of vfs_getxattr(), in preparation for > deprecating using the vfs_ interfaces for retrieving fscaps. > > __vfs_getxattr() is only used for debugging purposes, to check if kernel > space and user space see the same xattr value. __vfs_getxattr() won't give you the value as seen by userspace though. Userspace goes through vfs_getxattr() -> xattr_getsecurity() -> cap_inode_getsecurity(), which does the conversion to the value userspace sees. __vfs_getxattr() just gives the raw disk data. I'm also currently working on changes to my fscaps series that will make it so that __vfs_getxattr() also cannot be used to read fscaps xattrs. I'll fix this and other code in EVM which will be broken by that change as part of the next version too. > > Cc: stable@vger.kernel.org # 5.14.x > Cc: linux-fsdevel@vger.kernel.org > Cc: Christian Brauner <brauner@kernel.org> > Cc: Seth Forshee (DigitalOcean) <sforshee@kernel.org> > Fixes: 907a399de7b0 ("evm: Check xattr size discrepancy between kernel and user") > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> > --- > security/integrity/evm/evm_crypto.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c > index b1ffd4cc0b44..168d98c63513 100644 > --- a/security/integrity/evm/evm_crypto.c > +++ b/security/integrity/evm/evm_crypto.c > @@ -278,8 +278,8 @@ static int evm_calc_hmac_or_hash(struct dentry *dentry, > if (size < 0) > continue; > > - user_space_size = vfs_getxattr(&nop_mnt_idmap, dentry, > - xattr->name, NULL, 0); > + user_space_size = __vfs_getxattr(dentry, inode, xattr->name, > + NULL, 0); > if (user_space_size != size) > pr_debug("file %s: xattr %s size mismatch (kernel: %d, user: %d)\n", > dentry->d_name.name, xattr->name, size, > -- > 2.34.1 >
On Thu, 2024-03-07 at 08:31 -0600, Seth Forshee wrote: > On Thu, Mar 07, 2024 at 01:22:39PM +0100, Roberto Sassu wrote: > > From: Roberto Sassu <roberto.sassu@huawei.com> > > > > Use __vfs_getxattr() instead of vfs_getxattr(), in preparation for > > deprecating using the vfs_ interfaces for retrieving fscaps. > > > > __vfs_getxattr() is only used for debugging purposes, to check if kernel > > space and user space see the same xattr value. > > __vfs_getxattr() won't give you the value as seen by userspace though. > Userspace goes through vfs_getxattr() -> xattr_getsecurity() -> > cap_inode_getsecurity(), which does the conversion to the value > userspace sees. __vfs_getxattr() just gives the raw disk data. > > I'm also currently working on changes to my fscaps series that will make > it so that __vfs_getxattr() also cannot be used to read fscaps xattrs. > I'll fix this and other code in EVM which will be broken by that change > as part of the next version too. You are right, thank you! Roberto > > > > Cc: stable@vger.kernel.org # 5.14.x > > Cc: linux-fsdevel@vger.kernel.org > > Cc: Christian Brauner <brauner@kernel.org> > > Cc: Seth Forshee (DigitalOcean) <sforshee@kernel.org> > > Fixes: 907a399de7b0 ("evm: Check xattr size discrepancy between kernel and user") > > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> > > --- > > security/integrity/evm/evm_crypto.c | 4 ++-- > > 1 file changed, 2 insertions(+), 2 deletions(-) > > > > diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c > > index b1ffd4cc0b44..168d98c63513 100644 > > --- a/security/integrity/evm/evm_crypto.c > > +++ b/security/integrity/evm/evm_crypto.c > > @@ -278,8 +278,8 @@ static int evm_calc_hmac_or_hash(struct dentry *dentry, > > if (size < 0) > > continue; > > > > - user_space_size = vfs_getxattr(&nop_mnt_idmap, dentry, > > - xattr->name, NULL, 0); > > + user_space_size = __vfs_getxattr(dentry, inode, xattr->name, > > + NULL, 0); > > if (user_space_size != size) > > pr_debug("file %s: xattr %s size mismatch (kernel: %d, user: %d)\n", > > dentry->d_name.name, xattr->name, size, > > -- > > 2.34.1 > >
On Thu, 2024-03-07 at 15:36 +0100, Roberto Sassu wrote: > On Thu, 2024-03-07 at 08:31 -0600, Seth Forshee wrote: > > On Thu, Mar 07, 2024 at 01:22:39PM +0100, Roberto Sassu wrote: > > > From: Roberto Sassu <roberto.sassu@huawei.com> > > > > > > Use __vfs_getxattr() instead of vfs_getxattr(), in preparation for > > > deprecating using the vfs_ interfaces for retrieving fscaps. > > > > > > __vfs_getxattr() is only used for debugging purposes, to check if kernel > > > space and user space see the same xattr value. > > > > __vfs_getxattr() won't give you the value as seen by userspace though. > > Userspace goes through vfs_getxattr() -> xattr_getsecurity() -> > > cap_inode_getsecurity(), which does the conversion to the value > > userspace sees. __vfs_getxattr() just gives the raw disk data. > > > > I'm also currently working on changes to my fscaps series that will make > > it so that __vfs_getxattr() also cannot be used to read fscaps xattrs. > > I'll fix this and other code in EVM which will be broken by that change > > as part of the next version too. > > You are right, thank you! (Apologies, I should have been more careful). Roberto > Roberto > > > > > > > Cc: stable@vger.kernel.org # 5.14.x > > > Cc: linux-fsdevel@vger.kernel.org > > > Cc: Christian Brauner <brauner@kernel.org> > > > Cc: Seth Forshee (DigitalOcean) <sforshee@kernel.org> > > > Fixes: 907a399de7b0 ("evm: Check xattr size discrepancy between kernel and user") > > > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> > > > --- > > > security/integrity/evm/evm_crypto.c | 4 ++-- > > > 1 file changed, 2 insertions(+), 2 deletions(-) > > > > > > diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c > > > index b1ffd4cc0b44..168d98c63513 100644 > > > --- a/security/integrity/evm/evm_crypto.c > > > +++ b/security/integrity/evm/evm_crypto.c > > > @@ -278,8 +278,8 @@ static int evm_calc_hmac_or_hash(struct dentry *dentry, > > > if (size < 0) > > > continue; > > > > > > - user_space_size = vfs_getxattr(&nop_mnt_idmap, dentry, > > > - xattr->name, NULL, 0); > > > + user_space_size = __vfs_getxattr(dentry, inode, xattr->name, > > > + NULL, 0); > > > if (user_space_size != size) > > > pr_debug("file %s: xattr %s size mismatch (kernel: %d, user: %d)\n", > > > dentry->d_name.name, xattr->name, size, > > > -- > > > 2.34.1 > > >
diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c index b1ffd4cc0b44..168d98c63513 100644 --- a/security/integrity/evm/evm_crypto.c +++ b/security/integrity/evm/evm_crypto.c @@ -278,8 +278,8 @@ static int evm_calc_hmac_or_hash(struct dentry *dentry, if (size < 0) continue; - user_space_size = vfs_getxattr(&nop_mnt_idmap, dentry, - xattr->name, NULL, 0); + user_space_size = __vfs_getxattr(dentry, inode, xattr->name, + NULL, 0); if (user_space_size != size) pr_debug("file %s: xattr %s size mismatch (kernel: %d, user: %d)\n", dentry->d_name.name, xattr->name, size,