From: Al Viro <viro@ZenIV.linux.org.uk>
To: Seung-Woo Kim <sw0312.kim@samsung.com>
Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
jh80.chung@sungmsung.com, cw00.choi@samsung.com,
casey@schaufler-ca.com,
Linus Torvalds <torvalds@linux-foundation.org>
Subject: Re: [BUG] Panic when systemd boot do mkdir on tmpfs mounted path with smack enabled environment
Date: Fri, 27 May 2016 19:51:51 +0100 [thread overview]
Message-ID: <20160527185150.GP14480@ZenIV.linux.org.uk> (raw)
In-Reply-To: <20160527151141.GO14480@ZenIV.linux.org.uk>
On Fri, May 27, 2016 at 04:11:41PM +0100, Al Viro wrote:
> > After commit, "b968091 security_d_instantiate(): move to the point prior to attaching dentry to inode", booting on system with
> > systemd and security smack, following kernel panic occurs.
>
> /*
> * If this is a new directory and the label was
> * transmuted when the inode was initialized
> * set the transmute attribute on the directory
> * and mark the inode.
> *
> * If there is a transmute attribute on the
> * directory mark the inode.
> */
> if (isp->smk_flags & SMK_INODE_CHANGED) {
> isp->smk_flags &= ~SMK_INODE_CHANGED;
> rc = inode->i_op->setxattr(dp,
> XATTR_NAME_SMACKTRANSMUTE,
> TRANS_TRUE, TRANS_TRUE_SIZE,
> 0);
>
> Damnation ;-/ That change (separating inode and dentry arguments of
> ->getxattr() so that security_d_instantiate() could be called before dentry
> is hashed or attached to inode) had been discussed back in early March and
> reaction of Casey back then had been basically "I believe that smack can
> live with that, will verify that in about a week". With no followup
> objections - neither immediate, nor in a week. As the matter of fact,
> your posting is the first time anyone has reported stepping into that problem.
> And that change had been present in linux-next since the beginning of May ;-/
> Sigh...
>
> > It works fine if reverting the commit, "b968091 security_d_instantiate(): move to the point prior to attaching dentry to inode", for
> > d_instantiate() like following.
>
> Can't be reverted in mainline. Not without shitloads of other stuff.
>
> There is a fairly straightforward way to handle that - do to ->setxattr()
> what we'd already done to ->getxattr(). See vfs.git#smack-fix. Warning:
> it's only build-tested. I'm going to have it go through LTP and xfstests
> shortly; _please_ check if it works on your setup, because I've no idea
> how to put together a testing setup for smack.
FWIW, that couple of commits seems to survive the testing here and is
pretty obvious. I have _NOT_ tested it on smack setups, so I really want
somebody (Casey or someone in Samsung) to check if it fixes the problem.
The change itself isn't tricky, but I fucking _hate_ doing that this late
in the merge window ;-/
next prev parent reply other threads:[~2016-05-27 18:51 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-05-27 11:09 [BUG] Panic when systemd boot do mkdir on tmpfs mounted path with smack enabled environment Seung-Woo Kim
2016-05-27 15:11 ` Al Viro
2016-05-27 18:51 ` Al Viro [this message]
2016-05-27 19:01 ` Linus Torvalds
2016-05-27 19:26 ` Al Viro
2016-05-27 19:34 ` Linus Torvalds
2016-05-27 19:43 ` Al Viro
2016-05-27 19:48 ` Linus Torvalds
2016-05-27 20:24 ` Al Viro
2016-05-27 22:44 ` Casey Schaufler
2016-05-30 1:43 ` Seung-Woo Kim
2016-05-27 19:03 ` Casey Schaufler
2016-05-27 19:37 ` Al Viro
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160527185150.GP14480@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=casey@schaufler-ca.com \
--cc=cw00.choi@samsung.com \
--cc=jh80.chung@sungmsung.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=sw0312.kim@samsung.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).