From: Linus Torvalds <torvalds@linux-foundation.org>
To: Mimi Zohar <zohar@us.ibm.com>
Cc: linux-security-module@vger.kernel.org,
Mimi Zohar <zohar@linux.vnet.ibm.com>,
linux-kernel@vger.kernel.org, Al Viro <viro@zeniv.linux.org.uk>
Subject: Re: [PATCH] vfs: fix IMA lockdep circular locking dependency
Date: Tue, 15 May 2012 10:19:46 -0700 [thread overview]
Message-ID: <CA+55aFzrJNd5J7i3Rp7-ctc=bDn5GTWu=H1xyCgGZ-rzu74Gbw@mail.gmail.com> (raw)
In-Reply-To: <1336963631-3541-1-git-send-email-zohar@us.ibm.com>
On Sun, May 13, 2012 at 7:47 PM, Mimi Zohar <zohar@us.ibm.com> wrote:
> From: Mimi Zohar <zohar@linux.vnet.ibm.com>
>
> This patch has been updated to move the ima_file_mmap() call from
> security_file_mmap() to the new vm_mmap() function.
Ugh. I really have to admit to hating this.
Quite frankly, I'd much rather apply a patch that moved the call to
security_file_mmap() entirely outside the mmap_sem instead.
You did basically that, but you only moved the ima_file_mmap()
portion. Why not move it *all*?
Sure, that changes semantics. But does the "security_ops->file_mmap()"
function really need mmap_sem protection?
As far as I can tell, the *only* thing that the security layer tends
to care about is that address (ie the whole "dac_mmap_min_addr"
thing), or the file.
And the *file* doesn't need or want any mmap_sem protection.
The actual final address does "need" the mmap_sem, but in fact none of
the security models really care, except for the obvious NULL mapping
thing. And that can only happen with MAP_FIXED *or* when a person
gives an explicit suggested address.
So I would suggest:
- never test the default mmap address case (ie the case of a NULL
'addr' without PROT_FIXED set).
- move the whole call to security_file_mmap() to outside the
mmap_sem, and test the *suggested* address (which is not the same as
the final address)
Yes, this makes the assumption that arch_get_unmapped_area() will not
return a bad address. We'd have to think about that. I already found
one possible worry, where the default arch_get_unmapped_area() does
this:
if (addr) {
addr = PAGE_ALIGN(addr);
and maybe we need to make sure that that PAGE_ALIGN() does not
overflow into 0. Things like that (probably right thing to do: make
sure that 'addr' is already aligned when checking security), but the
point being that it looks like a *really* bad idea to require us
holding the mmap_sem() for this silly security check, when we could
just do it up-front because nobody really cares.
Ok?
I would also actually suggest that we move the "cap_file_mmap()" call
from the security model ->file_mmap() function into
"security_file_mmap()", so that all the security models don't even
have to remember to do that. Because a security model that *doesn't*
do the dac_mmap_min_addr comparison really is broken (we used to have
that bug in SELinux).
What do you think?
Linus
next prev parent reply other threads:[~2012-05-15 17:20 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-05-14 2:47 [PATCH] vfs: fix IMA lockdep circular locking dependency Mimi Zohar
2012-05-15 0:29 ` James Morris
2012-05-15 0:51 ` Mimi Zohar
2012-05-15 15:14 ` James Morris
2012-05-15 16:06 ` Mimi Zohar
2012-05-15 17:19 ` Linus Torvalds [this message]
2012-05-15 18:36 ` Mimi Zohar
2012-05-15 18:41 ` Linus Torvalds
2012-05-15 19:42 ` Eric Paris
2012-05-15 20:07 ` Mimi Zohar
2012-05-15 21:43 ` Linus Torvalds
2012-05-16 0:37 ` Linus Torvalds
2012-05-16 0:42 ` Al Viro
2012-05-16 0:45 ` Linus Torvalds
2012-05-16 1:53 ` Linus Torvalds
2012-05-16 11:37 ` James Morris
2012-05-16 11:38 ` James Morris
2012-05-16 13:27 ` Mimi Zohar
2012-05-16 13:42 ` Eric Paris
2012-05-16 13:52 ` Mimi Zohar
2012-05-16 14:06 ` Eric Paris
2012-05-16 15:23 ` Linus Torvalds
2012-05-16 15:47 ` Mimi Zohar
2012-05-16 16:09 ` Linus Torvalds
2012-05-16 2:18 ` Al Viro
2012-05-23 21:18 ` Mimi Zohar
2012-05-30 4:34 ` Al Viro
2012-05-30 16:36 ` Al Viro
2012-05-30 19:42 ` Eric Paris
2012-05-30 20:24 ` Al Viro
2012-05-30 20:28 ` Linus Torvalds
2012-05-30 20:56 ` Al Viro
2012-05-30 21:04 ` Linus Torvalds
2012-05-30 21:36 ` Al Viro
2012-05-30 22:51 ` Linus Torvalds
2012-05-31 0:28 ` Al Viro
2012-05-31 0:40 ` Linus Torvalds
2012-05-31 0:56 ` Al Viro
2012-05-31 3:55 ` Mimi Zohar
2012-05-31 4:20 ` James Morris
2012-05-30 20:33 ` Mimi Zohar
2012-05-30 20:53 ` Al Viro
2012-05-16 14:13 ` Eric Paris
2012-05-16 15:13 ` Linus Torvalds
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CA+55aFzrJNd5J7i3Rp7-ctc=bDn5GTWu=H1xyCgGZ-rzu74Gbw@mail.gmail.com' \
--to=torvalds@linux-foundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=viro@zeniv.linux.org.uk \
--cc=zohar@linux.vnet.ibm.com \
--cc=zohar@us.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.