* [PATCH] integrity: silence warning when CONFIG_SECURITYFS is not enabled
@ 2018-06-04 14:05 Sudeep Holla
  2018-06-04 17:44 ` Matthew Garrett
  2018-06-05 10:25 ` [PATCH v2] " Sudeep Holla
  0 siblings, 2 replies; 9+ messages in thread
From: Sudeep Holla @ 2018-06-04 14:05 UTC (permalink / raw)
  To: linux-security-module

When CONFIG_SECURITYFS is not enabled, securityfs_create_dir returns
-ENODEV which throws the following error:
	"Unable to create integrity sysfs dir: -19"

However, if the feature is disabled, it can't be warning and hence
we need to silence the error.

Cc: James Morris <jmorris@namei.org>
Cc: "Serge E. Hallyn" <serge@hallyn.com>
Cc: Matthew Garrett <mjg59@google.com>
Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
---
 security/integrity/iint.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/integrity/iint.c b/security/integrity/iint.c
index 149faa81f6f0..8082491876f9 100644
--- a/security/integrity/iint.c
+++ b/security/integrity/iint.c
@@ -218,7 +218,7 @@ void __init integrity_load_keys(void)
 static int __init integrity_fs_init(void)
 {
 	integrity_dir = securityfs_create_dir("integrity", NULL);
-	if (IS_ERR(integrity_dir)) {
+	if (IS_ENABLED(CONFIG_SECURITYFS) && IS_ERR(integrity_dir)) {
 		pr_err("Unable to create integrity sysfs dir: %ld\n",
 		       PTR_ERR(integrity_dir));
 		integrity_dir = NULL;
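
Review bot: In the changed condition of integrity_fs_init(), gating the whole branch on IS_ENABLED(CONFIG_SECURITYFS) also skips the `integrity_dir = NULL;` reset inside it, so with securityfs disabled integrity_dir keeps the error pointer returned by securityfs_create_dir(). Keep the IS_ERR() check as it was and make only the pr_err() conditional, for example on PTR_ERR(integrity_dir) != -ENODEV, so the pointer is always reset.
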
-- 
2.7.4

--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


* [PATCH] integrity: silence warning when CONFIG_SECURITYFS is not enabled
  2018-06-04 14:05 [PATCH] integrity: silence warning when CONFIG_SECURITYFS is not enabled Sudeep Holla
@ 2018-06-04 17:44 ` Matthew Garrett
  2018-06-05 10:25 ` [PATCH v2] " Sudeep Holla
  1 sibling, 0 replies; 9+ messages in thread
From: Matthew Garrett @ 2018-06-04 17:44 UTC (permalink / raw)
  To: linux-security-module

On Mon, Jun 4, 2018 at 7:05 AM Sudeep Holla <sudeep.holla@arm.com> wrote:
> When CONFIG_SECURITYFS is not enabled, securityfs_create_dir returns
> -ENODEV which throws the following error:
>         "Unable to create integrity sysfs dir: -19"
>
> However, if the feature is disabled, it can't be warning and hence
> we need to silence the error.

I think it'd be preferable to check whether it's ENODEV rather than
doing IS_ENABLED. We should also reset integrity_dir to NULL rather
than leaving it as an error - it gets passed into various other
functions, and while those should all also just be returning errors
it'd be unfortunate if one attempted to dereference it.
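
A userspace model of the point raised in this reply, added here as an example and not code from the thread or the kernel tree: it contrasts a v1-shaped init, which leaves the error pointer in place, with one that checks for -ENODEV and always resets the pointer. The names `create_dir_stub`, `init_v1`, `init_enodev`, `parent_looks_usable` and `logged` are assumptions made for the illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
/* Userspace model of the kernel's ERR_PTR convention (include/linux/err.h). */
#define MAX_ERRNO 4095
static void *ERR_PTR(long err) { return (void *)(intptr_t)err; }
static long PTR_ERR(const void *p) { return (long)(intptr_t)p; }
static int IS_ERR(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }

static int securityfs_enabled, real_dir; /* CONFIG_SECURITYFS stand-in; fake dentry */
static void *integrity_dir;
static int logged;                       /* counts pr_err-style messages */

/* Stub: returns ERR_PTR(-ENODEV) when securityfs is compiled out. */
static void *create_dir_stub(void) {
    return securityfs_enabled ? (void *)&real_dir : ERR_PTR(-ENODEV);
}

/* v1 shape: the whole error branch, including the reset, is skipped. */
static int init_v1(void) {
    integrity_dir = create_dir_stub();
    if (securityfs_enabled && IS_ERR(integrity_dir)) {
        logged++;
        integrity_dir = NULL;
    }
    return 0;
}

/* Suggested shape: only the message depends on the error value. */
static int init_enodev(void) {
    integrity_dir = create_dir_stub();
    if (IS_ERR(integrity_dir)) {
        int ret = (int)PTR_ERR(integrity_dir);
        if (ret != -ENODEV)
            logged++;
        integrity_dir = NULL;   /* reset on every error, logged or not */
        return ret;
    }
    return 0;
}

static int parent_looks_usable(const void *p) { return p != NULL; } /* hypothetical NULL-only guard */

int main(void) {
    init_v1();
    printf("v1: usable=%d\n", parent_looks_usable(integrity_dir));
    int ret = init_enodev();
    printf("ENODEV check: ret=%d usable=%d\n", ret, parent_looks_usable(integrity_dir));
}
```

With securityfs modelled as disabled, the v1 shape leaves a non-NULL error pointer that a NULL-only guard accepts, while the second shape stays silent and hands later code a NULL.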

* [PATCH v2] integrity: silence warning when CONFIG_SECURITYFS is not enabled
  2018-06-04 14:05 [PATCH] integrity: silence warning when CONFIG_SECURITYFS is not enabled Sudeep Holla
  2018-06-04 17:44 ` Matthew Garrett
@ 2018-06-05 10:25 ` Sudeep Holla
  2018-06-05 14:49   ` Mimi Zohar
                     ` (3 more replies)
  1 sibling, 4 replies; 9+ messages in thread
From: Sudeep Holla @ 2018-06-05 10:25 UTC (permalink / raw)
  To: linux-security-module

When CONFIG_SECURITYFS is not enabled, securityfs_create_dir returns
-ENODEV which throws the following error:
	"Unable to create integrity sysfs dir: -19"

However, if the feature is disabled, it can't be warning and hence
we need to silence the error. This patch checks for the error -ENODEV
which is returned when CONFIG_SECURITYFS is disabled to stop the error
being thrown.

Cc: James Morris <jmorris@namei.org>
Cc: "Serge E. Hallyn" <serge@hallyn.com>
Cc: Matthew Garrett <mjg59@google.com>
Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
---
 security/integrity/iint.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

v1->v2:
	- Check for -ENODEV rather than IS_ENABLED(..) as suggested by
	  Matthew Garrett

diff --git a/security/integrity/iint.c b/security/integrity/iint.c
index 149faa81f6f0..7051ea4a8161 100644
--- a/security/integrity/iint.c
+++ b/security/integrity/iint.c
@@ -219,10 +219,13 @@ static int __init integrity_fs_init(void)
 {
 	integrity_dir = securityfs_create_dir("integrity", NULL);
 	if (IS_ERR(integrity_dir)) {
-		pr_err("Unable to create integrity sysfs dir: %ld\n",
-		       PTR_ERR(integrity_dir));
+		int ret = PTR_ERR(integrity_dir);
+
+		if (ret != -ENODEV)
+			pr_err("Unable to create integrity sysfs dir: %ld\n",
+			       ret;
 		integrity_dir = NULL;
-		return PTR_ERR(integrity_dir);
+		return ret;
 	}

 	return 0;
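
Review bot: The added pr_err() call does not compile as posted: its last argument line reads `ret;` with no closing parenthesis, and the format is still `%ld` although ret is now an int. Use `%d` and close the call with `ret);`. Saving PTR_ERR() into ret before `integrity_dir = NULL;` is the right order, since the removed `return PTR_ERR(integrity_dir);` ran after the reset.
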
--
2.7.4


* [PATCH v2] integrity: silence warning when CONFIG_SECURITYFS is not enabled
  2018-06-05 10:25 ` [PATCH v2] " Sudeep Holla
@ 2018-06-05 14:49   ` Mimi Zohar
  2018-06-06  9:23     ` Sudeep Holla
  2018-06-06 13:24   ` Mimi Zohar
                     ` (2 subsequent siblings)
  3 siblings, 1 reply; 9+ messages in thread
From: Mimi Zohar @ 2018-06-05 14:49 UTC (permalink / raw)
  To: linux-security-module

On Tue, 2018-06-05 at 11:25 +0100, Sudeep Holla wrote:
> When CONFIG_SECURITYFS is not enabled, securityfs_create_dir returns
> -ENODEV which throws the following error:
> 	"Unable to create integrity sysfs dir: -19"
> 
> However, if the feature is disabled, it can't be warning and hence
> we need to silence the error. This patch checks for the error -ENODEV
> which is returned when CONFIG_SECURITYFS is disabled to stop the error
> being thrown.

Both IMA and EVM require securityfs, at least for the time being.
Under what circumstances would integrity and not securityfs be
enabled?  Is this a Kconfig issue?

Mimi

> 
> Cc: James Morris <jmorris@namei.org>
> Cc: "Serge E. Hallyn" <serge@hallyn.com>
> Cc: Matthew Garrett <mjg59@google.com>
> Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
> ---
>  security/integrity/iint.c | 9 ++++++---
>  1 file changed, 6 insertions(+), 3 deletions(-)
> 
> v1->v2:
> 	- Check for -ENODEV rather than IS_ENABLED(..) as suggested by
> 	  Matthew Garrett
> 
> diff --git a/security/integrity/iint.c b/security/integrity/iint.c
> index 149faa81f6f0..7051ea4a8161 100644
> --- a/security/integrity/iint.c
> +++ b/security/integrity/iint.c
> @@ -219,10 +219,13 @@ static int __init integrity_fs_init(void)
>  {
>  	integrity_dir = securityfs_create_dir("integrity", NULL);
>  	if (IS_ERR(integrity_dir)) {
> -		pr_err("Unable to create integrity sysfs dir: %ld\n",
> -		       PTR_ERR(integrity_dir));
> +		int ret = PTR_ERR(integrity_dir);
> +
> +		if (ret != -ENODEV)
> +			pr_err("Unable to create integrity sysfs dir: %ld\n",
> +			       ret;
>  		integrity_dir = NULL;
> -		return PTR_ERR(integrity_dir);
> +		return ret;
>  	}
> 
>  	return 0;
> --
> 2.7.4
> 

* [PATCH v2] integrity: silence warning when CONFIG_SECURITYFS is not enabled
  2018-06-05 14:49   ` Mimi Zohar
@ 2018-06-06  9:23     ` Sudeep Holla
  0 siblings, 0 replies; 9+ messages in thread
From: Sudeep Holla @ 2018-06-06  9:23 UTC (permalink / raw)
  To: linux-security-module



On 05/06/18 15:49, Mimi Zohar wrote:
> On Tue, 2018-06-05 at 11:25 +0100, Sudeep Holla wrote:
>> When CONFIG_SECURITYFS is not enabled, securityfs_create_dir returns
>> -ENODEV which throws the following error:
>> 	"Unable to create integrity sysfs dir: -19"
>>
>> However, if the feature is disabled, it can't be warning and hence
>> we need to silence the error. This patch checks for the error -ENODEV
>> which is returned when CONFIG_SECURITYFS is disabled to stop the error
>> being thrown.
> 
> Both IMA and EVM require securityfs, at least for the time being.
> Under what circumstances would integrity and not securityfs be
> enabled?  Is this a Kconfig issue?
> 

Could be, looks like it's not enforced and hence I have ended up with
a config that has CONFIG_SECURITYFS disabled. I have both IMA and EVM
disabled too. However CONFIG_INTEGRITY is enabled.

-- 
Regards,
Sudeep

* [PATCH v2] integrity: silence warning when CONFIG_SECURITYFS is not enabled
  2018-06-05 10:25 ` [PATCH v2] " Sudeep Holla
  2018-06-05 14:49   ` Mimi Zohar
@ 2018-06-06 13:24   ` Mimi Zohar
  2018-06-06 21:07   ` Matthew Garrett
  2018-06-13 15:00   ` [PATCH v3] " Sudeep Holla
  3 siblings, 0 replies; 9+ messages in thread
From: Mimi Zohar @ 2018-06-06 13:24 UTC (permalink / raw)
  To: linux-security-module

On Tue, 2018-06-05 at 11:25 +0100, Sudeep Holla wrote:
> When CONFIG_SECURITYFS is not enabled, securityfs_create_dir returns
> -ENODEV which throws the following error:
> 	"Unable to create integrity sysfs dir: -19"
> 
> However, if the feature is disabled, it can't be warning and hence
> we need to silence the error. This patch checks for the error -ENODEV
> which is returned when CONFIG_SECURITYFS is disabled to stop the error
> being thrown.
> 
> Cc: James Morris <jmorris@namei.org>
> Cc: "Serge E. Hallyn" <serge@hallyn.com>
> Cc: Matthew Garrett <mjg59@google.com>
> Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
> ---
>  security/integrity/iint.c | 9 ++++++---
>  1 file changed, 6 insertions(+), 3 deletions(-)
> 
> v1->v2:
> 	- Check for -ENODEV rather than IS_ENABLED(..) as suggested by
> 	  Matthew Garrett
> 
> diff --git a/security/integrity/iint.c b/security/integrity/iint.c
> index 149faa81f6f0..7051ea4a8161 100644
> --- a/security/integrity/iint.c
> +++ b/security/integrity/iint.c
> @@ -219,10 +219,13 @@ static int __init integrity_fs_init(void)
>  {
>  	integrity_dir = securityfs_create_dir("integrity", NULL);
>  	if (IS_ERR(integrity_dir)) {
> -		pr_err("Unable to create integrity sysfs dir: %ld\n",
> -		       PTR_ERR(integrity_dir));
> +		int ret = PTR_ERR(integrity_dir);
> +
> +		if (ret != -ENODEV)
> +			pr_err("Unable to create integrity sysfs dir: %ld\n",
> +			       ret;

Can we replace "sysfs" with "securityfs" at the same time?

>  		integrity_dir = NULL;
> -		return PTR_ERR(integrity_dir);
> +		return ret;
>  	}
> 
>  	return 0;
> --
> 2.7.4
> 

* [PATCH v2] integrity: silence warning when CONFIG_SECURITYFS is not enabled
  2018-06-05 10:25 ` [PATCH v2] " Sudeep Holla
  2018-06-05 14:49   ` Mimi Zohar
  2018-06-06 13:24   ` Mimi Zohar
@ 2018-06-06 21:07   ` Matthew Garrett
  2018-06-13 15:00   ` [PATCH v3] " Sudeep Holla
  3 siblings, 0 replies; 9+ messages in thread
From: Matthew Garrett @ 2018-06-06 21:07 UTC (permalink / raw)
  To: linux-security-module

On Tue, Jun 5, 2018 at 3:26 AM Sudeep Holla <sudeep.holla@arm.com> wrote:
>
> When CONFIG_SECURITYFS is not enabled, securityfs_create_dir returns
> -ENODEV which throws the following error:
>         "Unable to create integrity sysfs dir: -19"
>
> However, if the feature is disabled, it can't be warning and hence
> we need to silence the error. This patch checks for the error -ENODEV
> which is returned when CONFIG_SECURITYFS is disabled to stop the error
> being thrown.
>
> Cc: James Morris <jmorris@namei.org>
> Cc: "Serge E. Hallyn" <serge@hallyn.com>
> Cc: Matthew Garrett <mjg59@google.com>
> Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
ACKed-by: Matthew Garrett <mjg59@google.com>

* [PATCH v3] integrity: silence warning when CONFIG_SECURITYFS is not enabled
  2018-06-05 10:25 ` [PATCH v2] " Sudeep Holla
                     ` (2 preceding siblings ...)
  2018-06-06 21:07   ` Matthew Garrett
@ 2018-06-13 15:00   ` Sudeep Holla
  2018-06-13 22:13     ` Mimi Zohar
  3 siblings, 1 reply; 9+ messages in thread
From: Sudeep Holla @ 2018-06-13 15:00 UTC (permalink / raw)
  To: linux-security-module

When CONFIG_SECURITYFS is not enabled, securityfs_create_dir returns
-ENODEV which throws the following error:
	"Unable to create integrity sysfs dir: -19"

However, if the feature is disabled, it can't be warning and hence
we need to silence the error. This patch checks for the error -ENODEV
which is returned when CONFIG_SECURITYFS is disabled to stop the error
being thrown.

Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: James Morris <jmorris@namei.org>
Cc: "Serge E. Hallyn" <serge@hallyn.com>
Cc: Matthew Garrett <mjg59@google.com>
Acked-by: Matthew Garrett <mjg59@google.com>
Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
---
 security/integrity/iint.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

Hi Mimi Zohar,

Extremely sorry for the silly mistake. Somehow my aarch64 toolchain
doesn't complain about this and I failed to notice though it's so
obvious.

Regards,
Sudeep

v2->v3:
	- Fix the format specifier for pr_err(%d instead of %ld)
	- Replace "sysfs" with "securityfs" in the dmesg as suggested by
	  Mimi Zohar
v1->v2:
	- Check for -ENODEV rather than IS_ENABLED(..) as suggested by
	  Matthew Garrett

diff --git a/security/integrity/iint.c b/security/integrity/iint.c
index 149faa81f6f0..ba605714aac4 100644
--- a/security/integrity/iint.c
+++ b/security/integrity/iint.c
@@ -219,10 +219,13 @@ static int __init integrity_fs_init(void)
 {
 	integrity_dir = securityfs_create_dir("integrity", NULL);
 	if (IS_ERR(integrity_dir)) {
-		pr_err("Unable to create integrity sysfs dir: %ld\n",
-		       PTR_ERR(integrity_dir));
+		int ret = PTR_ERR(integrity_dir);
+
+		if (ret != -ENODEV)
+			pr_err("Unable to create integrity securityfs dir: %d\n",
+			       ret);
 		integrity_dir = NULL;
-		return PTR_ERR(integrity_dir);
+		return ret;
 	}
 
 	return 0;
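
Review bot: The `ret != -ENODEV` test has no comment saying why that one value is silent; a one-line comment noting that securityfs_create_dir() returns -ENODEV when CONFIG_SECURITYFS is disabled would keep the reason next to the check instead of only in the commit message. Note also that the function still returns -ENODEV in the silenced case, so it is worth confirming that a failing return is what is wanted for a configuration that is now treated as expected.
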
-- 
2.7.4


* [PATCH v3] integrity: silence warning when CONFIG_SECURITYFS is not enabled
  2018-06-13 15:00   ` [PATCH v3] " Sudeep Holla
@ 2018-06-13 22:13     ` Mimi Zohar
  0 siblings, 0 replies; 9+ messages in thread
From: Mimi Zohar @ 2018-06-13 22:13 UTC (permalink / raw)
  To: linux-security-module

On Wed, 2018-06-13 at 16:00 +0100, Sudeep Holla wrote:

> Hi Mimi Zohar,
> 
> Extremely sorry for the silly mistake. Somehow my aarch64 toolchain
> doesn't complain about this and I failed to notice though it's so
> obvious.

Thanks for the updated patch.  It's now in next-integrity-queued branch.

Mimi
