Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp23639imm; Wed, 3 Oct 2018 11:14:03 -0700 (PDT) X-Google-Smtp-Source: ACcGV61jjL6eLOrfPMVmyu7hxz+h4KZoie6WsTHv4K/j7be6wpPlTG5PI/weJ24oIzfbU0v1ydvW X-Received: by 2002:a65:52c1:: with SMTP id z1-v6mr2412700pgp.65.1538590443769; Wed, 03 Oct 2018 11:14:03 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1538590443; cv=none; d=google.com; s=arc-20160816; b=KGA3zfXF4cd9WkhuG7Ms0ipLwJzv/BkXa10Ym5TvqZuLBVASleGoJ/7ve3CglpYKU/ caadypAWsVSWQ2imXrXEQhDOcBPB4inLPVUw96hE4u2GSD0BBYFZ0pS2/hQAD4/qOQHG bobeuWMjP323ClkuqNN6nIi+Fb0AdG3s1o6+9KlSpLurQFNypKoPnuOUDw7lwt7TWQhi oYLtzLEh4+I5a9eBnUo/9JUasHq1HfVoqv4hDlYvjMRg84qiOKABW/rGEbdFgH3GBJ5z A77M7JTC+tNqonmeVVn0TvjAmC5AAfpiSbri8dC3GH3/AYQQFejTNTY+eYAQwDSgXUjV n5jA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :message-id:in-reply-to:subject:cc:to:from:date; bh=SV2RyGYa6oYBGh+UKzsmdEkD8DK5wEmqHdz77inAHas=; b=iPA3PwFR/bWjCOMZHhsiETFKFWxuxGbbZ6VK5qa7Kh0GJpkVwiC66YB4ERZ5F04KyY qeafL80aaspJwAPWlV/cyzm8jbAsv8qKz+poocy/7a/WPrPz8EBXFwhaRY5Yxvont7G6 7l4u2TW+zeQQbh+SfEcVwJXEfxsg1YqyXTT5lmSf5OBPfxRKHuiK8WFwrWYMocKjciVD KguRPqUoAUNkuke9E5ee9QtNxxqQUy7scUQymaD1HrXILH9+3DYjNlj63fKbfTsZjr+J /E5ubug8NeajAFrGRP9s71TN1X4Yz9yTMjqgjK9JVFRQqWj0BfLTsQw4xMQCsf5VmfMb KJQA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id h21-v6si2539590plr.98.2018.10.03.11.13.44; Wed, 03 Oct 2018 11:14:03 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727336AbeJDBC5 (ORCPT + 99 others); Wed, 3 Oct 2018 21:02:57 -0400 Received: from namei.org ([65.99.196.166]:35396 "EHLO namei.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726851AbeJDBC5 (ORCPT ); Wed, 3 Oct 2018 21:02:57 -0400 Received: from localhost (localhost [127.0.0.1]) by namei.org (8.14.4/8.14.4) with ESMTP id w93ID8Ag015144; Wed, 3 Oct 2018 18:13:08 GMT Date: Thu, 4 Oct 2018 04:13:08 +1000 (AEST) From: James Morris To: Kees Cook cc: Casey Schaufler , LSM , SE Linux , LKLM , John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley , "linux-fsdevel@vger.kernel.org" , Alexey Dobriyan , =?ISO-8859-15?Q?Micka=EBl_Sala=FCn?= , Salvatore Mesoraca Subject: Re: [PATCH v4 14/19] LSM: Infrastructure management of the inode security In-Reply-To: Message-ID: References: User-Agent: Alpine 2.21 (LRH 202 2017-01-01) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, 21 Sep 2018, Kees Cook wrote: > On Fri, Sep 21, 2018 at 5:19 PM, Casey Schaufler wrote: > > + * lsm_early_inode - during initialization allocate a composite inode blob > > + * @inode: the inode that needs a blob > > + * > > + * Allocate the inode blob for all the modules if it's not already there > > + */ > > +void lsm_early_inode(struct inode *inode) > > +{ > > + int rc; > > + > > + if (inode == NULL) > > + panic("%s: NULL inode.\n", __func__); > > + if (inode->i_security != NULL) > > + return; > > + rc = lsm_inode_alloc(inode); > > + if (rc) > > + panic("%s: Early inode alloc failed.\n", __func__); > > +} > > I'm still advising against using panic(), but I'll leave it up to James. > Calling panic() is not appropriate here. Perhaps if it was during boot-time initialization of LSM infrastructure, but not on the fly. Use a WARN_ONCE then propagate the error back and fail the operation. -- James Morris