Re: [PATCH v16 1/3] fs: Add trusted_for(2) syscall implementation and related sysctl - Alejandro Colomar (man-pages)

From: "Alejandro Colomar (man-pages)" <alx.manpages@gmail.com>
To: Geert Uytterhoeven <geert@linux-m68k.org>
Cc: "Mickaël Salaün" <mic@digikod.net>,
	"Al Viro" <viro@zeniv.linux.org.uk>,
	"Andrew Morton" <akpm@linux-foundation.org>,
	"Aleksa Sarai" <cyphar@cyphar.com>,
	"Andy Lutomirski" <luto@kernel.org>,
	"Arnd Bergmann" <arnd@arndb.de>,
	"Casey Schaufler" <casey@schaufler-ca.com>,
	"Christian Brauner" <christian.brauner@ubuntu.com>,
	"Christian Heimes" <christian@python.org>,
	"Deven Bowers" <deven.desai@linux.microsoft.com>,
	"Dmitry Vyukov" <dvyukov@google.com>,
	"Eric Biggers" <ebiggers@kernel.org>,
	"Eric Chiang" <ericchiang@google.com>,
	"Florian Weimer" <fweimer@redhat.com>,
	"James Morris" <jmorris@namei.org>, "Jan Kara" <jack@suse.cz>,
	"Jann Horn" <jannh@google.com>,
	"Jonathan Corbet" <corbet@lwn.net>,
	"Kees Cook" <keescook@chromium.org>,
	"Lakshmi Ramasubramanian" <nramas@linux.microsoft.com>,
	"Madhavan T . Venkataraman" <madvenka@linux.microsoft.com>,
	"Matthew Garrett" <mjg59@google.com>,
	"Matthew Wilcox" <willy@infradead.org>,
	"Miklos Szeredi" <mszeredi@redhat.com>,
	"Mimi Zohar" <zohar@linux.ibm.com>,
	"Paul Moore" <paul@paul-moore.com>,
	"Philippe Trébuchet" <philippe.trebuchet@ssi.gouv.fr>,
	"Scott Shell" <scottsh@microsoft.com>,
	"Shuah Khan" <shuah@kernel.org>,
	"Steve Dower" <steve.dower@python.org>,
	"Steve Grubb" <sgrubb@redhat.com>,
	"Thibaut Sautereau" <thibaut.sautereau@ssi.gouv.fr>,
	"Vincent Strubel" <vincent.strubel@ssi.gouv.fr>,
	"Yin Fengwei" <fengwei.yin@intel.com>,
	kernel-hardening@lists.openwall.com,
	"Linux API" <linux-api@vger.kernel.org>,
	"Linux FS Devel" <linux-fsdevel@vger.kernel.org>,
	linux-integrity <linux-integrity@vger.kernel.org>,
	"Linux Kernel Mailing List" <linux-kernel@vger.kernel.org>,
	linux-security-module <linux-security-module@vger.kernel.org>,
	"Mickaël Salaün" <mic@linux.microsoft.com>
Subject: Re: [PATCH v16 1/3] fs: Add trusted_for(2) syscall implementation and related sysctl
Date: Sun, 14 Nov 2021 16:45:17 +0100	[thread overview]
Message-ID: <03ddd6e6-55ff-fff4-95f3-8c0b008443f8@gmail.com> (raw)
In-Reply-To: <CAMuHMdXj8fHDq-eFd41GJ4oNwGD5sxhPx82izNwKxE_=x8dqEA@mail.gmail.com>

Hi Geert,

On 11/14/21 16:32, Geert Uytterhoeven wrote:
> Hi Alejandro,
> 
> On Sat, Nov 13, 2021 at 8:56 PM Alejandro Colomar (man-pages)
> <alx.manpages@gmail.com> wrote:
>> On 11/13/21 14:02, Mickaël Salaün wrote:
>>>> TL;DR:
>>>>
>>>> ISO C specifies that for the following code:
>>>>
>>>>       enum foo {BAR};
>>>>
>>>>       enum foo foobar;
>>>>
>>>> typeof(foo)    shall be int
>>>> typeof(foobar) is implementation-defined
>>>
>>> I tested with some version of GCC (from 4.9 to 11) and clang (10 and 11)
>>> with different optimizations and the related sizes are at least the same
>>> as for the int type.
>>
>> GCC has -fshort-enums to make enum types be as short as possible.  I
>> expected -Os to turn this on, since it saves space, but it doesn't.
> 
> Changing optimization level must not change the ABI, else debugging
> would become even more of a nightmare.

I agree, but if you invoke implementation-defined,
then it's not (only) the compiler's fault.

Instead of not allowing GCC to enable -fshort-enums ever,
one can write ISO C-complying code in the parts that
will be exposed as an interface,
by just using int.

That allows using -fshort-enums
for whatever reasons it might be good.

Not saying that the kernel wants to enable it,
but it costs nothing to write non-implementation-defined code
that doesn't forbid it.

It's comparable to passing a struct (not a pointer to it)
to a function.
If you change the size of the struct,
you screw the interface.
Better pass pointers, or standard types.

Cheers,
Alex

-- 
Alejandro Colomar
Linux man-pages comaintainer; http://www.kernel.org/doc/man-pages/
http://www.alejandro-colomar.es/