Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3842BC433F5 for ; Sat, 13 Nov 2021 13:02:24 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 1CFC660ED7 for ; Sat, 13 Nov 2021 13:02:24 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235795AbhKMNFO (ORCPT ); Sat, 13 Nov 2021 08:05:14 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57580 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235306AbhKMNFK (ORCPT ); Sat, 13 Nov 2021 08:05:10 -0500 Received: from smtp-42a8.mail.infomaniak.ch (smtp-42a8.mail.infomaniak.ch [IPv6:2001:1600:4:17::42a8]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0ACADC061767 for ; Sat, 13 Nov 2021 05:02:13 -0800 (PST) Received: from smtp-3-0001.mail.infomaniak.ch (unknown [10.4.36.108]) by smtp-3-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4Hrwb60SPVzMpqmc; Sat, 13 Nov 2021 14:02:10 +0100 (CET) Received: from ns3096276.ip-94-23-54.eu (unknown [23.97.221.149]) by smtp-3-0001.mail.infomaniak.ch (Postfix) with ESMTPA id 4HrwZv5yQNzlh8T4; Sat, 13 Nov 2021 14:01:59 +0100 (CET) Subject: Re: [PATCH v16 1/3] fs: Add trusted_for(2) syscall implementation and related sysctl To: "Alejandro Colomar (man-pages)" , Al Viro , Andrew Morton Cc: Aleksa Sarai , Andy Lutomirski , Arnd Bergmann , Casey Schaufler , Christian Brauner , Christian Heimes , Deven Bowers , Dmitry Vyukov , Eric Biggers , Eric Chiang , Florian Weimer , Geert Uytterhoeven , James Morris , Jan Kara , Jann Horn , Jonathan Corbet , Kees Cook , Lakshmi Ramasubramanian , "Madhavan T . Venkataraman" , Matthew Garrett , Matthew Wilcox , Miklos Szeredi , Mimi Zohar , Paul Moore , =?UTF-8?Q?Philippe_Tr=c3=a9buchet?= , Scott Shell , Shuah Khan , Steve Dower , Steve Grubb , Thibaut Sautereau , Vincent Strubel , Yin Fengwei , kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, =?UTF-8?Q?Micka=c3=abl_Sala=c3=bcn?= References: <20211110190626.257017-1-mic@digikod.net> <20211110190626.257017-2-mic@digikod.net> <8a22a3c2-468c-e96c-6516-22a0f029aa34@gmail.com> From: =?UTF-8?Q?Micka=c3=abl_Sala=c3=bcn?= Message-ID: <5312f022-96ea-5555-8d17-4e60a33cf8f8@digikod.net> Date: Sat, 13 Nov 2021 14:02:02 +0100 User-Agent: MIME-Version: 1.0 In-Reply-To: <8a22a3c2-468c-e96c-6516-22a0f029aa34@gmail.com> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 12/11/2021 20:16, Alejandro Colomar (man-pages) wrote: > Hi Mickaël, Hi Alejandro, > > On 11/10/21 20:06, Mickaël Salaün wrote: >> diff --git a/fs/open.c b/fs/open.c >> index f732fb94600c..96a80abec41b 100644 >> --- a/fs/open.c >> +++ b/fs/open.c >> @@ -480,6 +482,114 @@ SYSCALL_DEFINE2(access, const char __user *, >> filename, int, mode) >>       return do_faccessat(AT_FDCWD, filename, mode, 0); >>   } >>   +#define TRUST_POLICY_EXEC_MOUNT            BIT(0) >> +#define TRUST_POLICY_EXEC_FILE            BIT(1) >> + >> +int sysctl_trusted_for_policy __read_mostly; >> + >> +/** > ... >> + */ >> +SYSCALL_DEFINE3(trusted_for, const int, fd, const enum >> trusted_for_usage, usage, > > Please, don't use enums for interfaces.  They are implementation defined > types, and vary between compilers and within the same compiler also > depending on optimization flags. > > C17::6.7.2.2.4: > [ > Each enumerated type shall be compatible with char, > a signed integer type, or an unsigned integer type. > The choice of type is implementation-defined,130) > but shall be capable of representing the values of > all the members of the enumeration. > ] > > See also: > > > > So, please use only standard integer types for interfaces. > > And in the case of enums, since the language specifies that enumeration > constants (the macro-like identifiers) are of type int, it makes sense > for functions to use int. > > C17::6.7.2.2.3: > [ > The identifiers in an enumerator list are declared as constants > that have type int and may appear wherever such are permitted. > ] > > I'd use an int for the API/ABI, even if it's expected to be assigned > values of 'enum trusted_for_usage' (that should be specified in the > manual page in DESCRIPTION, but not in SYNOPSIS, which should specify int). > > > > TL;DR: > > ISO C specifies that for the following code: > >     enum foo {BAR}; > >     enum foo foobar; > > typeof(foo)    shall be int > typeof(foobar) is implementation-defined I tested with some version of GCC (from 4.9 to 11) and clang (10 and 11) with different optimizations and the related sizes are at least the same as for the int type. > > Since foobar = BAR; assigns an int, the best thing to do to avoid > implementation-defined behavior, is to declare foobar as int too. OK, so it should be enough to change the syscall argument type from enum trusted_for_usage to int, but we can keep the UAPI with the enum (i.e. we don't need to change the value to #define TRUSTED_FOR_EXECUTION 1) right? > > >> diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h >> index 528a478dbda8..c535e0e43cc8 100644 >> --- a/include/linux/syscalls.h >> +++ b/include/linux/syscalls.h >> @@ -462,6 +463,7 @@ asmlinkage long sys_fallocate(int fd, int mode, >> loff_t offset, loff_t len); >>   asmlinkage long sys_faccessat(int dfd, const char __user *filename, >> int mode); >>   asmlinkage long sys_faccessat2(int dfd, const char __user *filename, >> int mode, >>                      int flags); >> +asmlinkage long sys_trusted_for(int fd, enum trusted_for_usage usage, >> u32 flags); > > Same here. > >>   asmlinkage long sys_chdir(const char __user *filename); >>   asmlinkage long sys_fchdir(unsigned int fd); >>   asmlinkage long sys_chroot(const char __user *filename); > > Thanks, > Alex > >