'seals' is set to 'F_SEAL_SEAL' in shmem_get_inode, which means "prevent
further seals from being set", thus sealing API will be useless and many
code in shmem.c will never be reached. For example:
shmem_setattr
if ((newsize < oldsize && (info->seals & F_SEAL_SHRINK)) ||
(newsize > oldsize && (info->seals & F_SEAL_GROW)))
return -EPERM;
So, initialize 'seals' to zero is more reasonable.
Signed-off-by: yu kuai <[email protected]>
---
mm/shmem.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/mm/shmem.c b/mm/shmem.c
index 165fa6332993..7b032b347bda 100644
--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -2256,7 +2256,6 @@ static struct inode *shmem_get_inode(struct super_block *sb, const struct inode
memset(info, 0, (char *)inode - (char *)info);
spin_lock_init(&info->lock);
atomic_set(&info->stop_eviction, 0);
- info->seals = F_SEAL_SEAL;
info->flags = flags & VM_NORESERVE;
INIT_LIST_HEAD(&info->shrinklist);
INIT_LIST_HEAD(&info->swaplist);
--
2.17.2
On Wed, 27 Nov 2019, yu kuai wrote:
> 'seals' is set to 'F_SEAL_SEAL' in shmem_get_inode, which means "prevent
> further seals from being set", thus sealing API will be useless and many
> code in shmem.c will never be reached. For example:
The sealing API is not useless, and that code can be reached.
>
> shmem_setattr
> if ((newsize < oldsize && (info->seals & F_SEAL_SHRINK)) ||
> (newsize > oldsize && (info->seals & F_SEAL_GROW)))
> return -EPERM;
>
> So, initialize 'seals' to zero is more reasonable.
>
> Signed-off-by: yu kuai <[email protected]>
NAK.
See memfd_create in mm/memfd.c (code which originated in mm/shmem.c,
then was extended to support hugetlbfs also): sealing is for memfds,
not for tmpfs or hugetlbfs files or SHM. Without thinking about it too
hard, I believe that to allow sealing on tmpfs files would introduce
surprising new behaviors on them, which might well raise security issues;
and also be incompatible with the guarantees intended by sealing.
> ---
> mm/shmem.c | 1 -
> 1 file changed, 1 deletion(-)
>
> diff --git a/mm/shmem.c b/mm/shmem.c
> index 165fa6332993..7b032b347bda 100644
> --- a/mm/shmem.c
> +++ b/mm/shmem.c
> @@ -2256,7 +2256,6 @@ static struct inode *shmem_get_inode(struct super_block *sb, const struct inode
> memset(info, 0, (char *)inode - (char *)info);
> spin_lock_init(&info->lock);
> atomic_set(&info->stop_eviction, 0);
> - info->seals = F_SEAL_SEAL;
> info->flags = flags & VM_NORESERVE;
> INIT_LIST_HEAD(&info->shrinklist);
> INIT_LIST_HEAD(&info->swaplist);
> --
> 2.17.2
On 2019/11/27 12:24, Hugh Dickins Wrote:
> On Wed, 27 Nov 2019, yu kuai wrote:
>
>> 'seals' is set to 'F_SEAL_SEAL' in shmem_get_inode, which means "prevent
>> further seals from being set", thus sealing API will be useless and many
>> code in shmem.c will never be reached. For example:
>
> The sealing API is not useless, and that code can be reached.
>
>>
>> shmem_setattr
>> if ((newsize < oldsize && (info->seals & F_SEAL_SHRINK)) ||
>> (newsize > oldsize && (info->seals & F_SEAL_GROW)))
>> return -EPERM;
>>
>> So, initialize 'seals' to zero is more reasonable.
>>
>> Signed-off-by: yu kuai <[email protected]>
>
> NAK.
>
> See memfd_create in mm/memfd.c (code which originated in mm/shmem.c,
> then was extended to support hugetlbfs also): sealing is for memfds,
> not for tmpfs or hugetlbfs files or SHM. Without thinking about it too
> hard, I believe that to allow sealing on tmpfs files would introduce
> surprising new behaviors on them, which might well raise security issues;
> and also be incompatible with the guarantees intended by sealing.
Thank you for your response.
Yu Kuai