I've been looking at your patches when they're all applied, and I suspect
you're missing some security calls.
For instance, in lookup_open(), you call security_path_mknod() prior to
calling vfs_create(), but you don't call it prior to calling atomic_open() or
in, say, nfs_atomic_open(). You do need to, however, though I can see it's
difficult to work out where. Is it possible to call it if O_CREAT is
specified and d_inode is NULL right before calling atomic_open()?
I'm also wondering if you're missing an audit_inode() call in the if (created)
path after the retry_lookup label.
David
I'd also recommend changing the "ok" and "common" labels in do_last() to
something a bit more meaningful, perhaps:
common -> finish_open
ok -> finish_open_may_want_write
Also, does it make sense to combine:
	if (!S_ISREG(nd->inode->i_mode))
		will_truncate = 0;
with:
int will_truncate = open_flag & O_TRUNC;
up at the top of the function.
As the code stands, if ->atomic_open() opens the file but does not create it,
handle_truncate() will be called on it even if it is not a regular file,
whereas by the normal path, it won't.
I would also be tempted to move the body of:
	if (filp == ERR_PTR(-EOPENSTALE) && save_parent.dentry && !retried) {
		BUG_ON(save_parent.dentry != dir);
		path_put(&nd->path);
		nd->path = save_parent;
		nd->inode = dir->d_inode;
		save_parent.mnt = NULL;
		save_parent.dentry = NULL;
		if (want_write) {
			mnt_drop_write(nd->path.mnt);
			want_write = 0;
		}
		retried = true;
		goto retry_lookup;
	}
before the retry_lookup label and then goto around it from the preceding
if-else statement or place it at the bottom to make the "common:" block simpler
to read. Also, you could nest the if (filp == ERR_PTR(-EOPENSTALE)...) inside
if (IS_ERR(filp)).
Can I also suggest being consistent about the use of int v bool? "created"
and "retried" are bool, but "will_truncate", "want_write" and "symlink_ok" are
not. Granted some of this is likely inherited from the previous incarnation.
David
David Howells <[email protected]> writes:
> I've been looking at your patches when they're all applied, and I suspect
> you're missing some security calls.
>
> For instance, in lookup_open(), you call security_path_mknod() prior to
> calling vfs_create(), but you don't call it prior to calling atomic_open() or
> in, say, nfs_atomic_open().
We call security_path_mknod() before ->atomic_open() in may_o_create().
> You do need to, however, though I can see it's
> difficult to work out where. Is it possible to call it if O_CREAT is
> specified and d_inode is NULL right before calling atomic_open()?
>
> I'm also wondering if you're missing an audit_inode() call in the if (created)
> path after the retry_lookup label.
There's no audit_inode() on the created dentry in either the original
code or the modified code.
But that may be a bug regardless, it's just independent of my changes.
At least AFAICS.
Thanks,
Miklos
David Howells <[email protected]> writes:
> I'd also recommend changing the "ok" and "common" labels in do_last() to
> something a bit more meaningful, perhaps:
>
> common -> finish_open
> ok -> finish_open_may_want_write
Okay. I'll do a separate label cleanup patch.
>
> Also, does it make sense to combine:
>
> 	if (!S_ISREG(nd->inode->i_mode))
> 		will_truncate = 0;
>
> with:
>
> int will_truncate = open_flag & O_TRUNC;
>
> up at the top of the function.
We need to check nd->inode->i_mode *after* the lookup. So top of the
function is not a good place.
>
> As the code stands, if ->atomic_open() opens the file but does not create it,
> handle_truncate() will be called on it even if it is not a regular file,
> whereas by the normal path, it won't.
Right, that appears to be a bug. Thanks for spotting.
>
> I would also be tempted to move the body of:
>
> 	if (filp == ERR_PTR(-EOPENSTALE) && save_parent.dentry && !retried) {
> 		BUG_ON(save_parent.dentry != dir);
> 		path_put(&nd->path);
> 		nd->path = save_parent;
> 		nd->inode = dir->d_inode;
> 		save_parent.mnt = NULL;
> 		save_parent.dentry = NULL;
> 		if (want_write) {
> 			mnt_drop_write(nd->path.mnt);
> 			want_write = 0;
> 		}
> 		retried = true;
> 		goto retry_lookup;
> 	}
>
> before the retry_lookup label and then goto around it from the preceding
> if-else statement or place it at the bottom to make the "common:" block simpler
> to read. Also, you could nest the if (filp == ERR_PTR(-EOPENSTALE)...) inside
> if (IS_ERR(filp)).
Yeah, moving to the bottom sounds like a good cleanup.
>
> Can I also suggest being consistent about the use of int v bool? "created"
> and "retried" are bool, but "will_truncate", "want_write" and "symlink_ok" are
> not. Granted some of this is likely inherited from the previous
> incarnation.
Yes, will do a cleanup patch.
Thanks,
Miklos
Miklos Szeredi <[email protected]> wrote:
> > For instance, in lookup_open(), you call security_path_mknod() prior to
> > calling vfs_create(), but you don't call it prior to calling atomic_open()
> > or in, say, nfs_atomic_open().
>
> We call security_path_mknod() before ->atomic_open() in may_o_create().
Okay.
> > I'm also wondering if you're missing an audit_inode() call in the if
> > (created) path after the retry_lookup label.
>
> There's no audit_inode() on the created dentry in either the original
> code or the modified code.
>
> But that may be a bug regardless, it's just independent of my changes.
> At least AFAICS.
Fair enough.
David
Miklos Szeredi <[email protected]> wrote:
> > Also, does it make sense to combine:
> >
> > 	if (!S_ISREG(nd->inode->i_mode))
> > 		will_truncate = 0;
> >
> > with:
> >
> > int will_truncate = open_flag & O_TRUNC;
> >
> > up at the top of the function.
>
> We need to check nd->inode->i_mode *after* the lookup. So top of the
> function is not a good place.
Good point.
David