Message ID | 20240711111908.3817636-6-xukuohai@huaweicloud.com (mailing list archive) |
---|---|
State | Changes Requested |
Delegated to: | Paul Moore |
Headers | show |
Series | Add return value range check for BPF LSM | expand |
On Jul 11, 2024 Xu Kuohai <xukuohai@huaweicloud.com> wrote: > > To be consistent with most LSM hooks, convert the return value of > hook inode_copy_up_xattr to 0 or a negative error code. > > Before: > - Hook inode_copy_up_xattr returns 0 when accepting xattr, 1 when > discarding xattr, -EOPNOTSUPP if it does not know xattr, or any > other negative error code otherwise. > > After: > - Hook inode_copy_up_xattr returns 0 when accepting xattr, *-ECANCELED* > when discarding xattr, -EOPNOTSUPP if it does not know xattr, or > any other negative error code otherwise. > > Signed-off-by: Xu Kuohai <xukuohai@huawei.com> > --- > fs/overlayfs/copy_up.c | 6 +++--- > security/integrity/evm/evm_main.c | 2 +- > security/security.c | 12 ++++++------ > security/selinux/hooks.c | 4 ++-- > security/smack/smack_lsm.c | 6 +++--- > 5 files changed, 15 insertions(+), 15 deletions(-) ... > diff --git a/security/security.c b/security/security.c > index 26eea8f4cd74..12215ca286af 100644 > --- a/security/security.c > +++ b/security/security.c > @@ -2675,18 +2675,18 @@ EXPORT_SYMBOL(security_inode_copy_up); > * lower layer to the union/overlay layer. The caller is responsible for > * reading and writing the xattrs, this hook is merely a filter. > * > - * Return: Returns 0 to accept the xattr, 1 to discard the xattr, -EOPNOTSUPP > - * if the security module does not know about attribute, or a negative > - * error code to abort the copy up. > + * Return: Returns 0 to accept the xattr, -ECANCELED to discard the xattr, > + * -EOPNOTSUPP if the security module does not know about attribute, > + * or a negative error code to abort the copy up. > */ > int security_inode_copy_up_xattr(struct dentry *src, const char *name) > { > int rc; > > /* > - * The implementation can return 0 (accept the xattr), 1 (discard the > - * xattr), -EOPNOTSUPP if it does not know anything about the xattr or > - * any other error code in case of an error. > + * The implementation can return 0 (accept the xattr), -ECANCELED > + * (discard the xattr), -EOPNOTSUPP if it does not know anything > + * about the xattr or any other error code in case of an error. > */ Updating the comment here is good, but considering that we also discuss the return value in the function header comment, I think it might be better to just remove this comment entirely and leave the function header comment as the single source. Duplicated comments/docs tend to fall out of sync and create confusion. > rc = call_int_hook(inode_copy_up_xattr, src, name); > if (rc != LSM_RET_DEFAULT(inode_copy_up_xattr)) -- paul-moore.com
On 7/19/2024 10:08 AM, Paul Moore wrote: > On Jul 11, 2024 Xu Kuohai <xukuohai@huaweicloud.com> wrote: >> >> To be consistent with most LSM hooks, convert the return value of >> hook inode_copy_up_xattr to 0 or a negative error code. >> >> Before: >> - Hook inode_copy_up_xattr returns 0 when accepting xattr, 1 when >> discarding xattr, -EOPNOTSUPP if it does not know xattr, or any >> other negative error code otherwise. >> >> After: >> - Hook inode_copy_up_xattr returns 0 when accepting xattr, *-ECANCELED* >> when discarding xattr, -EOPNOTSUPP if it does not know xattr, or >> any other negative error code otherwise. >> >> Signed-off-by: Xu Kuohai <xukuohai@huawei.com> >> --- >> fs/overlayfs/copy_up.c | 6 +++--- >> security/integrity/evm/evm_main.c | 2 +- >> security/security.c | 12 ++++++------ >> security/selinux/hooks.c | 4 ++-- >> security/smack/smack_lsm.c | 6 +++--- >> 5 files changed, 15 insertions(+), 15 deletions(-) > > ... > >> diff --git a/security/security.c b/security/security.c >> index 26eea8f4cd74..12215ca286af 100644 >> --- a/security/security.c >> +++ b/security/security.c >> @@ -2675,18 +2675,18 @@ EXPORT_SYMBOL(security_inode_copy_up); >> * lower layer to the union/overlay layer. The caller is responsible for >> * reading and writing the xattrs, this hook is merely a filter. >> * >> - * Return: Returns 0 to accept the xattr, 1 to discard the xattr, -EOPNOTSUPP >> - * if the security module does not know about attribute, or a negative >> - * error code to abort the copy up. >> + * Return: Returns 0 to accept the xattr, -ECANCELED to discard the xattr, >> + * -EOPNOTSUPP if the security module does not know about attribute, >> + * or a negative error code to abort the copy up. >> */ >> int security_inode_copy_up_xattr(struct dentry *src, const char *name) >> { >> int rc; >> >> /* >> - * The implementation can return 0 (accept the xattr), 1 (discard the >> - * xattr), -EOPNOTSUPP if it does not know anything about the xattr or >> - * any other error code in case of an error. >> + * The implementation can return 0 (accept the xattr), -ECANCELED >> + * (discard the xattr), -EOPNOTSUPP if it does not know anything >> + * about the xattr or any other error code in case of an error. >> */ > > Updating the comment here is good, but considering that we also discuss > the return value in the function header comment, I think it might be > better to just remove this comment entirely and leave the function header > comment as the single source. Duplicated comments/docs tend to fall out > of sync and create confusion. > OK, will do >> rc = call_int_hook(inode_copy_up_xattr, src, name); >> if (rc != LSM_RET_DEFAULT(inode_copy_up_xattr)) > > > -- > paul-moore.com >
diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c index a5ef2005a2cc..337a5be99ac9 100644 --- a/fs/overlayfs/copy_up.c +++ b/fs/overlayfs/copy_up.c @@ -115,12 +115,12 @@ int ovl_copy_xattr(struct super_block *sb, const struct path *oldpath, struct de continue; error = security_inode_copy_up_xattr(old, name); - if (error < 0 && error != -EOPNOTSUPP) - break; - if (error == 1) { + if (error == -ECANCELED) { error = 0; continue; /* Discard */ } + if (error < 0 && error != -EOPNOTSUPP) + break; if (is_posix_acl_xattr(name)) { error = ovl_copy_acl(OVL_FS(sb), oldpath, new, name); diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c index 62fe66dd53ce..6924ed508ebd 100644 --- a/security/integrity/evm/evm_main.c +++ b/security/integrity/evm/evm_main.c @@ -1000,7 +1000,7 @@ static int evm_inode_copy_up_xattr(struct dentry *src, const char *name) case EVM_XATTR_HMAC: case EVM_IMA_XATTR_DIGSIG: default: - rc = 1; /* discard */ + rc = -ECANCELED; /* discard */ } kfree(xattr_data); diff --git a/security/security.c b/security/security.c index 26eea8f4cd74..12215ca286af 100644 --- a/security/security.c +++ b/security/security.c @@ -2675,18 +2675,18 @@ EXPORT_SYMBOL(security_inode_copy_up); * lower layer to the union/overlay layer. The caller is responsible for * reading and writing the xattrs, this hook is merely a filter. * - * Return: Returns 0 to accept the xattr, 1 to discard the xattr, -EOPNOTSUPP - * if the security module does not know about attribute, or a negative - * error code to abort the copy up. + * Return: Returns 0 to accept the xattr, -ECANCELED to discard the xattr, + * -EOPNOTSUPP if the security module does not know about attribute, + * or a negative error code to abort the copy up. */ int security_inode_copy_up_xattr(struct dentry *src, const char *name) { int rc; /* - * The implementation can return 0 (accept the xattr), 1 (discard the - * xattr), -EOPNOTSUPP if it does not know anything about the xattr or - * any other error code in case of an error. + * The implementation can return 0 (accept the xattr), -ECANCELED + * (discard the xattr), -EOPNOTSUPP if it does not know anything + * about the xattr or any other error code in case of an error. */ rc = call_int_hook(inode_copy_up_xattr, src, name); if (rc != LSM_RET_DEFAULT(inode_copy_up_xattr)) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 5dedd3917d57..f9a6637dfd78 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3528,8 +3528,8 @@ static int selinux_inode_copy_up_xattr(struct dentry *dentry, const char *name) * xattrs up. Instead, filter out SELinux-related xattrs following * policy load. */ - if (selinux_initialized() && strcmp(name, XATTR_NAME_SELINUX) == 0) - return 1; /* Discard */ + if (selinux_initialized() && !strcmp(name, XATTR_NAME_SELINUX)) + return -ECANCELED; /* Discard */ /* * Any other attribute apart from SELINUX is not claimed, supported * by selinux. diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 6f73906bf7ea..ae8f1c2d0ca6 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -4893,10 +4893,10 @@ static int smack_inode_copy_up(struct dentry *dentry, struct cred **new) static int smack_inode_copy_up_xattr(struct dentry *src, const char *name) { /* - * Return 1 if this is the smack access Smack attribute. + * Return -ECANCELED if this is the smack access Smack attribute. */ - if (strcmp(name, XATTR_NAME_SMACK) == 0) - return 1; + if (!strcmp(name, XATTR_NAME_SMACK)) + return -ECANCELED; return -EOPNOTSUPP; }