Received: by 2002:a05:6a10:f3d0:0:0:0:0 with SMTP id a16csp3498205pxv; Mon, 12 Jul 2021 19:35:47 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwsbgYBFIH8QdYjYY16sXXsR8SOc4lD4oAcxWLuokq+pF51cS0ZhFABPQkgaDRDw/sCc+MA X-Received: by 2002:a92:cf05:: with SMTP id c5mr1222474ilo.196.1626143746914; Mon, 12 Jul 2021 19:35:46 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1626143746; cv=none; d=google.com; s=arc-20160816; b=G5+fWrccJO+V4UY7C4BzrEt4YlQOALAmJRdAEhtSvuz2DwcSDf5TXHH+lFMaOfnSes sE4tKqaghL9fUTOPBwIu26OMWJhjUHEvqXPNB7xNB+NrOY7zgESxJPlGTamGc5U3T9cH ePXrFCYAy4QzJt+WexvaOAox2MPg3rP6OLL2LZ9Y0vYJbEmG7SK4aaNcXDsU1b1ryC35 HJH+uoqVY93rwaviBJAg0D6zXOR848Xt6FkHNFH+KN9Kyeo5o8oCY01dIzSrO+OnnIVP RCtqwDv08g/Pbs7MtUswh3VkII9xaA18Vkca8NqdLy+HwHv1ejcOnXLitOQW6YiOZ6re VR4Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=RBPu6xYIBS0viB5UZS492p6zHqYEhcALtpbidr1sCrU=; b=0ygwSSlaW4O6RSMDsQh0OHIqkySoaAefuRBhxuPQ1+cnzX7agSvBXOFoyNBxDrALMk PVeps448G1ZT7UXm4ksrTith5hQBUiwaqPilx94mV5P2/XxLA1L9rkufoKJWpJtjIKec yOfBzhqjZg+MFjAeB6N8MuS6euAzKTO/PJ9QGuGK+2LgDvlkF4M5446U08kHShiB1ePd q3X1iZjhgUS0Bcv5bIczb1uTV5nT4Pqp+qNVHkSg1feAdioCI270yi2Mft5wt6gOAoZf SXMB1Ho3WB4LLXxbhRdClLn43FraV6e8AkcLIfs8TZXMVdP+hrGITUfTgexuYWMkY8sL olag== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=hAqQVpiv; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id u26si7694796jam.87.2021.07.12.19.35.34; Mon, 12 Jul 2021 19:35:46 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=hAqQVpiv; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233397AbhGMChs (ORCPT + 99 others); Mon, 12 Jul 2021 22:37:48 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51940 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231418AbhGMChr (ORCPT ); Mon, 12 Jul 2021 22:37:47 -0400 Received: from mail-ej1-x632.google.com (mail-ej1-x632.google.com [IPv6:2a00:1450:4864:20::632]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E94F8C061794 for ; Mon, 12 Jul 2021 19:34:57 -0700 (PDT) Received: by mail-ej1-x632.google.com with SMTP id nd37so38585250ejc.3 for ; Mon, 12 Jul 2021 19:34:57 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=RBPu6xYIBS0viB5UZS492p6zHqYEhcALtpbidr1sCrU=; b=hAqQVpiv52aQMiILfGaILA7UZ3Vb7hpAEZl5MSyT4Y9giLdF8ZWBqgareVlSQUHWpR ZUrim0on5dre3bqN5EGAiRzVWG6nVeaiF+s6JaGu2Q+54HjtAgU1AvqcqlU5GALyqPc8 J59ZdfyvvWc0CNOaKSGrAuHZon7DtT9jG9x1ueo2PbGCXBvXV9LCEYmPz0NJvuwLKCb4 e5swfb54jlYSJ49YcMdOKdIhN3CYIP2f7H6ObIehgsT00rpoEugEWTcwjWsk6Ijx/OB+ sziXashjbhIgbQwAsqKXq8JHPkE9kbOMVO58+jj4MNa7U/Fp8vQxUrXCiR8DuABY3fmZ DToA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=RBPu6xYIBS0viB5UZS492p6zHqYEhcALtpbidr1sCrU=; b=euRtXqF5WwqRLcJAxMW8xGf89pnCaysOb5JuJS4Jb/fQanlNn/N4CrWkvZIlFmZPaU 8uwjkaBIHPoX5yGeDLJmBI29D67WPAnS8FUUINbb6OYTOWOgKABVgGlfUaF3//QiYfEY E+GnOVsF+ajjiPtkVDJVK9vMgRp0/rcPG4UZoMem4fOHiuVEwV+cl0b3NlY6j0yEy8+y nGIg4bqnkmCBfcVPsIQcLWcq3EXukT8C/VTgJSjRV3x/x1sYFEW2n1HRHQKCJogQ+aZB DaOK3JyON8OS6cNyRoN6vxQgTaWipng75i00AUeRN5gvl0UsKYyBcHuPnG5HWDbHFjiM AqWg== X-Gm-Message-State: AOAM532ftYghA/LNSUWrVYnBGbnFjtJkvqR6irLPmW6tZs+xuS4J1srY UK/FKJ0RVnrtwpbtcb7nxp2/qQJKA1gBzVHLpUQ+ X-Received: by 2002:a17:907:10d8:: with SMTP id rv24mr2673354ejb.542.1626143695922; Mon, 12 Jul 2021 19:34:55 -0700 (PDT) MIME-Version: 1.0 References: <20210616085118.1141101-1-omosnace@redhat.com> <8735tdiyc1.ffs@nanos.tec.linutronix.de> In-Reply-To: <8735tdiyc1.ffs@nanos.tec.linutronix.de> From: Paul Moore Date: Mon, 12 Jul 2021 22:34:45 -0400 Message-ID: Subject: Re: [PATCH v3] lockdown,selinux: fix wrong subject in some SELinux lockdown checks To: Thomas Gleixner Cc: Ondrej Mosnacek , linux-security-module@vger.kernel.org, James Morris , Steven Rostedt , Ingo Molnar , Steffen Klassert , Herbert Xu , "David S . Miller" , Stephen Smalley , selinux@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, x86@kernel.org, linux-acpi@vger.kernel.org, linux-cxl@vger.kernel.org, linux-efi@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-pci@vger.kernel.org, linux-pm@vger.kernel.org, linux-serial@vger.kernel.org, bpf@vger.kernel.org, netdev@vger.kernel.org, kexec@lists.infradead.org, linux-kernel@vger.kernel.org, Casey Schaufler Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, Jun 19, 2021 at 1:00 PM Thomas Gleixner wrote: > On Wed, Jun 16 2021 at 10:51, Ondrej Mosnacek wrote: > > diff --git a/arch/x86/mm/testmmiotrace.c b/arch/x86/mm/testmmiotrace.c > > index bda73cb7a044..c43a13241ae8 100644 > > --- a/arch/x86/mm/testmmiotrace.c > > +++ b/arch/x86/mm/testmmiotrace.c > > @@ -116,7 +116,7 @@ static void do_test_bulk_ioremapping(void) > > static int __init init(void) > > { > > unsigned long size = (read_far) ? (8 << 20) : (16 << 10); > > - int ret = security_locked_down(LOCKDOWN_MMIOTRACE); > > + int ret = security_locked_down(current_cred(), LOCKDOWN_MMIOTRACE); > > I have no real objection to those patches, but it strikes me odd that > out of the 62 changed places 58 have 'current_cred()' and 4 have NULL as > argument. > > I can't see why this would ever end up with anything else than > current_cred() or NULL and NULL being the 'special' case. So why not > having security_locked_down_no_cred() and make current_cred() implicit > for security_locked_down() which avoids most of the churn and just makes > the special cases special. I might be missing something though. Unfortunately it is not uncommon for kernel subsystems to add, move, or otherwise play around with LSM hooks without checking with the LSM folks; generally this is okay, but there have been a few problems in the past and I try to keep that in mind when we are introducing new hooks or modifying existing ones. If we have two LSM hooks for roughly the same control point it has the potential to cause confusion, e.g. do I use the "normal" or the "no_cred" version? What if I don't want to pass a credential, can I just use "no_cred"? My thinking with the single, always-pass-a-cred function is that callers don't have to worry about choosing from multiple, similar hooks and they know they need to pass a cred which hopefully gets them thinking about what cred is appropriate. It's not foolproof, but I believe the single hook approach will be less prone to accidents ... or so I hope :) -- paul moore www.paul-moore.com