* Question about inode security blob
@ 2021-01-12  0:56 Fan Wu
  2021-01-12  1:28 ` Casey Schaufler
  0 siblings, 1 reply; 5+ messages in thread
From: Fan Wu @ 2021-01-12  0:56 UTC (permalink / raw)
  To: linux-security-module

Hi,

I'm trying to learn the security blob infrastructure for my future LSM 
development.

Unlike other blobs, I found inode security blob has a special pattern. I 
couldn’t find useful information on the web so I think this mail list is 
the most appropriate place to ask this question.

The BPF and SELinux will check whether the inode->i_security is NULL 
before use
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/include/linux/bpf_lsm.h#n35
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/security/selinux/include/objsec.h#n164

But for smack, it doesn't do such a check
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/security/smack/smack.h#n347
Is this because smack_set_mnt_opts() already does the NULL check at
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/security/smack/smack_lsm.c#n784 
?

Also, I wonder in which situation will the inode->i_security be NULL?

Thanks, and I hope I could make my contributions to LSM soon.

Best,
Fan


* Re: Question about inode security blob
  2021-01-12  0:56 Question about inode security blob Fan Wu
@ 2021-01-12  1:28 ` Casey Schaufler
  2021-01-12  2:11   ` Fan Wu
  0 siblings, 1 reply; 5+ messages in thread
From: Casey Schaufler @ 2021-01-12  1:28 UTC (permalink / raw)
  To: Fan Wu, linux-security-module; +Cc: Casey Schaufler

On 1/11/2021 4:56 PM, Fan Wu wrote:
> Hi,
>
> I'm trying to learn the security blob infrastructure for my future LSM development.
>
> Unlike other blobs, I found inode security blob has a special pattern. I couldn’t find useful information on the web so I think this mail list is the most appropriate place to ask this question.
>
> The BPF and SELinux will check whether the inode->i_security is NULL before use
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/include/linux/bpf_lsm.h#n35
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/security/selinux/include/objsec.h#n164

The inode security blob should never be NULL in a situation where
any of the LSM hooks depend on it. The only ways that could possibly
happen are if an inode is allocated before the LSM infrastructure is
initialized or if the system is out of memory when an inode is allocated
and there are no entries in the cache. As the code says, "unlikely" and
probably in a system failure state already.

>
> But for smack, it doesn't do such a check
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/security/smack/smack.h#n347
> Is this because smack_set_mnt_opts() already does the NULL check at
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/security/smack/smack_lsm.c#n784 ?

Smack tries to be pedantic about having data set up properly. So is the
LSM infrastructure management of inode blobs. I have not identified a case
where you should be able to get to an LSM hook requiring the security blob
if the blob is NULL. If initializing the inode fails it should be impossible
to use the inode thereafter.

>
> Also, I wonder in which situation will the inode->i_security be NULL?

The inode->i_security should never be NULL if the inode has been
initialized. Any LSM hook that finds this to be NULL has probably
identified a bug elsewhere in the system.

>
> Thanks, and I hope I could make my contributions to LSM soon.

Excellent. Please, tell us more about what you're proposing.

>
> Best,
> Fan



* Re: Question about inode security blob
  2021-01-12  1:28 ` Casey Schaufler
@ 2021-01-12  2:11   ` Fan Wu
  2021-01-12  4:38     ` James Morris
  0 siblings, 1 reply; 5+ messages in thread
From: Fan Wu @ 2021-01-12  2:11 UTC (permalink / raw)
  To: Casey Schaufler, linux-security-module



On 2021/1/11 17:28, Casey Schaufler wrote:
> On 1/11/2021 4:56 PM, Fan Wu wrote:
>> Hi,
>>
>> I'm trying to learn the security blob infrastructure for my future LSM development.
>>
>> Unlike other blobs, I found inode security blob has a special pattern. I couldn’t find useful information on the web so I think this mail list is the most appropriate place to ask this question.
>>
>> The BPF and SELinux will check whether the inode->i_security is NULL before use
>> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/include/linux/bpf_lsm.h#n35
>> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/security/selinux/include/objsec.h#n164
> 
> The inode security blob should never be NULL in a situation where
> any of the LSM hooks depend on it. The only ways that could possibly
> happen are if an inode is allocated before the LSM infrastructure is
> initialized or if the system is out of memory when an inode is allocated
> and there are no entries in the cache. As the code says, "unlikely" and
> probably in a system failure state already.
> 
>>
>> But for smack, it doesn't do such a check
>> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/security/smack/smack.h#n347
>> Is this because smack_set_mnt_opts() already does the NULL check at
>> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/security/smack/smack_lsm.c#n784 ?
> 
> Smack tries to be pedantic about having data set up properly. So is the
> LSM infrastructure management of inode blobs. I have not identified a case
> where you should be able to get to an LSM hook requiring the security blob
> if the blob is NULL. If initializing the inode fails it should be impossible
> to use the inode thereafter.
> 
>>
>> Also, I wonder in which situation will the inode->i_security be NULL?
> 
> The inode->i_security should never be NULL if the inode has been
> initialized. Any LSM hook that finds this to be NULL has probably
> identified a bug elsewhere in the system.
> 

Thanks for the quick reply. If I understand correctly, I should follow
the first pattern if I want to use the inode blob.

>>
>> Thanks, and I hope I could make my contributions to LSM soon.
> 
> Excellent. Please, tell us more about what you're proposing.
> 

My work will be related to the IPE LSM we proposed before. For the inode
blob, we want to use it to save some file data like FSVerity signature
so that the LSM can define policy based on that data.

>>
>> Best,
>> Fan


* Re: Question about inode security blob
  2021-01-12  2:11   ` Fan Wu
@ 2021-01-12  4:38     ` James Morris
  2021-01-12  8:10       ` KP Singh
  0 siblings, 1 reply; 5+ messages in thread
From: James Morris @ 2021-01-12  4:38 UTC (permalink / raw)
  To: Fan Wu; +Cc: Casey Schaufler, linux-security-module

On Mon, 11 Jan 2021, Fan Wu wrote:

> > The inode->i_security should never be NULL if the inode has been
> > initialized. Any LSM hook that finds this to be NULL has probably
> > identified a bug elsewhere in the system.
> > 
> 
> Thanks for the quick reply. If I understand correctly, I should follow the
> first pattern if I want to use the inode blob.

I don't think it's necessary, and if there's a race somewhere causing 
this, we shouldn't just paper it over.

Btw, none of the existing cases are even using WARN_ON or similar to let 
the user know there's a problem.


-- 
James Morris
<jmorris@namei.org>



* Re: Question about inode security blob
  2021-01-12  4:38     ` James Morris
@ 2021-01-12  8:10       ` KP Singh
  0 siblings, 0 replies; 5+ messages in thread
From: KP Singh @ 2021-01-12  8:10 UTC (permalink / raw)
  To: James Morris; +Cc: Fan Wu, Casey Schaufler, Linux Security Module list

On Tue, Jan 12, 2021 at 5:39 AM James Morris <jmorris@namei.org> wrote:
>
> On Mon, 11 Jan 2021, Fan Wu wrote:
>
> > > The inode->i_security should never be NULL if the inode has been
> > > initialized. Any LSM hook that finds this to be NULL has probably
> > > identified a bug elsewhere in the system.
> > >
> >
> > Thanks for the quick reply. If I understand correctly, I should follow the
> > first pattern if I want to use the inode blob.
>
> I don't think it's necessary, and if there's a race somewhere causing
> this, we shouldn't just paper it over.
>
> Btw, none of the existing cases are even using WARN_ON or similar to let
> the user know there's a problem.

I agree, for BPF, I will send a patch to switch to using WARN_ON_ONCE or just
get rid of the check altogether.

>
>
> --
> James Morris
> <jmorris@namei.org>
>
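
The three accessor patterns discussed in this thread (no check, silent NULL check, and a check that reports once in the spirit of WARN_ON_ONCE), as a user-space C model added here for illustration; it is not kernel code and not code from any participant. All names (`model_inode`, `model_blob`, `blob_checked`, and so on) and the offset value are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>

/* User-space model only; every name here is hypothetical, not a kernel symbol. */
struct model_inode { void *i_security; };   /* one blob shared by all LSMs */
struct model_blob { int has_signature; };   /* this LSM's slice of the blob */

static const size_t model_offset = 16;      /* constructed per-LSM offset */
static int model_warnings;                  /* stands in for the kernel log */

/* Infrastructure side: on failure the caller must discard the inode. */
static int model_inode_alloc(struct model_inode *inode)
{
    inode->i_security = calloc(1, model_offset + sizeof(struct model_blob));
    return inode->i_security ? 0 : -1;
}

/* No check: valid only under the invariant that every initialized inode has a blob. */
static struct model_blob *blob_unchecked(const struct model_inode *inode)
{
    return (struct model_blob *)((char *)inode->i_security + model_offset);
}

/* Silent check: a broken invariant turns into a quiet NULL return. */
static struct model_blob *blob_checked(const struct model_inode *inode)
{
    return inode->i_security ? blob_unchecked(inode) : NULL;
}

/* Check that reports the first violation, then behaves like blob_checked(). */
static struct model_blob *blob_warn_once(const struct model_inode *inode)
{
    static int warned;
    if (!inode->i_security && !warned) {
        warned = 1;
        model_warnings++;
        fprintf(stderr, "model: inode has no security blob\n");
    }
    return blob_checked(inode);
}

int main(void)
{
    struct model_inode good = { 0 }, bad = { 0 };   /* bad: blob never set */
    if (model_inode_alloc(&good))
        return 1;
    blob_unchecked(&good)->has_signature = 1;
    struct model_blob *missing = blob_warn_once(&bad);
    printf("good=%d missing=%p warnings=%d\n",
           blob_checked(&good)->has_signature, (void *)missing, model_warnings);
    free(good.i_security);
    return 0;
}
```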

