From: Eric Biggers <ebiggers@kernel.org>
To: Lokesh Gidra <lokeshgidra@google.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>,
James Morris <jmorris@namei.org>,
Stephen Smalley <stephen.smalley.work@gmail.com>,
Casey Schaufler <casey@schaufler-ca.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
Paul Moore <paul@paul-moore.com>,
Eric Paris <eparis@parisplace.org>,
Daniel Colascione <dancol@dancol.org>,
Kees Cook <keescook@chromium.org>,
"Eric W. Biederman" <ebiederm@xmission.com>,
KP Singh <kpsingh@google.com>,
David Howells <dhowells@redhat.com>,
Thomas Cedeno <thomascedeno@google.com>,
Anders Roxell <anders.roxell@linaro.org>,
Sami Tolvanen <samitolvanen@google.com>,
Matthew Garrett <matthewgarrett@google.com>,
Aaron Goidel <acgoide@tycho.nsa.gov>,
Randy Dunlap <rdunlap@infradead.org>,
"Joel Fernandes (Google)" <joel@joelfernandes.org>,
YueHaibing <yuehaibing@huawei.com>,
Christian Brauner <christian.brauner@ubuntu.com>,
Alexei Starovoitov <ast@kernel.org>,
Alexey Budankov <alexey.budankov@linux.intel.com>,
Adrian Reber <areber@redhat.com>,
Aleksa Sarai <cyphar@cyphar.com>,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org, selinux@vger.kernel.org,
kaleshsingh@google.com, calin@google.com, surenb@google.com,
nnk@google.com, jeffv@google.com, kernel-team@android.com,
Daniel Colascione <dancol@google.com>
Subject: Re: [PATCH v10 1/3] Add a new LSM-supporting anonymous inode interface
Date: Wed, 4 Nov 2020 12:27:21 -0800 [thread overview]
Message-ID: <20201104202721.GB1796392@gmail.com> (raw)
In-Reply-To: <20201011082936.4131726-2-lokeshgidra@google.com>
At a high level this patch looks fine to me, but a few nits below. Also as I
mentioned on the cover letter, it seems this should be split into two patches --
one for the fs changes and one for the security changes.
On Sun, Oct 11, 2020 at 01:29:34AM -0700, Lokesh Gidra wrote:
> +static struct inode *anon_inode_make_secure_inode(
> + const char *name,
> + const struct inode *context_inode)
> {
> - struct file *file;
> + struct inode *inode;
> + const struct qstr qname = QSTR_INIT(name, strlen(name));
> + int error;
> +
> + inode = alloc_anon_inode(anon_inode_mnt->mnt_sb);
> + if (IS_ERR(inode))
> + return inode;
> + inode->i_flags &= ~S_PRIVATE;
The comment for alloc_anon_inode() still claims that it uses a single inode.
It would be helpful to fix that comment.
> +/**
> + * Like anon_inode_getfd() creates a new file, but by hooking it to a new anon
> + * inode, rather than to the same singleton inode. Also adds the @context_inode
> + * argument to allow security modules to control creation of the new file. Once
> + * the security module makes the decision, the context_inode is no longer needed
> + * and hence reference to it is not held.
> + */
The first sentence seems a bit off, gramatically. Also, it seems there should
be a hint here as to why anyone would care whether the inode is singleton or
not. Remember, people will be reading this code years down the line, and people
may not understand the exact problem you are trying to solve.
Would the following be accurate, or am I misunderstanding something?
/**
* Like anon_inode_getfd(), but create a new !S_PRIVATE anon inode rather than
* reuse the singleton anon inode, and call the init_security_anon() LSM hook.
* This allows the inode to have its own security context and for a LSM to
* reject creation of the inode. An optional @context_inode argument is also
* added to provide the logical "parent" of the new inode. The LSM may use
* @context_inode in init_security_anon(), but a reference to it is not held.
*/
> diff --git a/include/linux/anon_inodes.h b/include/linux/anon_inodes.h
> index d0d7d96261ad..6ab840ee93bc 100644
> --- a/include/linux/anon_inodes.h
> +++ b/include/linux/anon_inodes.h
> @@ -10,12 +10,20 @@
> #define _LINUX_ANON_INODES_H
>
> struct file_operations;
> +struct inode;
>
> struct file *anon_inode_getfile(const char *name,
> const struct file_operations *fops,
> void *priv, int flags);
> +
> +int anon_inode_getfd_secure(const char *name,
> + const struct file_operations *fops,
> + void *priv, int flags,
> + const struct inode *context_inode);
> +
> int anon_inode_getfd(const char *name, const struct file_operations *fops,
> void *priv, int flags);
>
> +
Unwanted whitespace change here.
> diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
> index 9e2e3e63719d..586186f1184b 100644
> --- a/include/linux/lsm_hooks.h
> +++ b/include/linux/lsm_hooks.h
> @@ -233,6 +233,15 @@
> * Returns 0 if @name and @value have been successfully set,
> * -EOPNOTSUPP if no security attribute is needed, or
> * -ENOMEM on memory allocation failure.
> + * @inode_init_security_anon:
> + * Set up the incore security field for the new anonymous inode
> + * and return whether the inode creation is permitted by the security
> + * module or not.
> + * @inode contains the inode structure
> + * @name name of the anonymous inode class
> + * @context_inode optional related inode
> + * Returns 0 on success, -EACCESS if the security module denies the
> + * creation of this inode, or another -errno upon other errors.
EACCES, not EACCESS. The spelling mistakes of decades past are still with us...
- Eric
next prev parent reply other threads:[~2020-11-04 20:27 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-11 8:29 [PATCH v10 0/3] SELinux support for anonymous inodes and UFFD Lokesh Gidra
2020-10-11 8:29 ` [PATCH v10 1/3] Add a new LSM-supporting anonymous inode interface Lokesh Gidra
2020-11-04 20:27 ` Eric Biggers [this message]
2020-10-11 8:29 ` [PATCH v10 2/3] Teach SELinux about anonymous inodes Lokesh Gidra
2020-10-11 8:29 ` [PATCH v10 3/3] Use secure anon inodes for userfaultfd Lokesh Gidra
2020-11-04 20:36 ` Eric Biggers
2020-10-26 16:57 ` [PATCH v10 0/3] SELinux support for anonymous inodes and UFFD Lokesh Gidra
2020-11-04 20:07 ` Eric Biggers
2020-11-04 20:29 ` Eric Biggers
2020-11-03 22:00 Lokesh Gidra
2020-11-03 22:00 ` [PATCH v10 1/3] Add a new LSM-supporting anonymous inode interface Lokesh Gidra
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201104202721.GB1796392@gmail.com \
--to=ebiggers@kernel.org \
--cc=acgoide@tycho.nsa.gov \
--cc=alexey.budankov@linux.intel.com \
--cc=anders.roxell@linaro.org \
--cc=areber@redhat.com \
--cc=ast@kernel.org \
--cc=calin@google.com \
--cc=casey@schaufler-ca.com \
--cc=christian.brauner@ubuntu.com \
--cc=cyphar@cyphar.com \
--cc=dancol@dancol.org \
--cc=dancol@google.com \
--cc=dhowells@redhat.com \
--cc=ebiederm@xmission.com \
--cc=eparis@parisplace.org \
--cc=jeffv@google.com \
--cc=jmorris@namei.org \
--cc=joel@joelfernandes.org \
--cc=kaleshsingh@google.com \
--cc=keescook@chromium.org \
--cc=kernel-team@android.com \
--cc=kpsingh@google.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=lokeshgidra@google.com \
--cc=matthewgarrett@google.com \
--cc=nnk@google.com \
--cc=paul@paul-moore.com \
--cc=rdunlap@infradead.org \
--cc=samitolvanen@google.com \
--cc=selinux@vger.kernel.org \
--cc=serge@hallyn.com \
--cc=stephen.smalley.work@gmail.com \
--cc=surenb@google.com \
--cc=thomascedeno@google.com \
--cc=viro@zeniv.linux.org.uk \
--cc=yuehaibing@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).