Received: by 2002:ab2:b82:0:b0:1f3:401:3cfb with SMTP id 2csp355361lqh; Thu, 28 Mar 2024 04:25:10 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCXtnaChgxxAzBMwuyD0NcfbEWgDMnzuyZpP6FsdWWn+JmOuBgJnOMY32ujw7/AzF7ccizHusw/YPDwPufmedN7TRnsnvHzHeQgn7Z9ziQ== X-Google-Smtp-Source: AGHT+IGuksg07E5LcKrpRxZOb4sf2QjFYAB0oBKQwqNmBL+3Jfxx02t+tWWwOP31fHvfrZdWMqcj X-Received: by 2002:a05:6122:36a2:b0:4d3:4aad:22d4 with SMTP id ec34-20020a05612236a200b004d34aad22d4mr3435660vkb.0.1711625109961; Thu, 28 Mar 2024 04:25:09 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1711625109; cv=pass; d=google.com; s=arc-20160816; b=Rm2gSsBjyjC9GZQy3wfrkHwHEjiDZkH/17dny5F9D2yN8QlKaHjxIV2ZZfW6MdlcHW ScIHQMvecdUGyRkXDvAKdXyw685o7PUElSL6OXbt7cnDrTKBoiKGuzyB1UDQ2oQch0yx zr2b45uM6tIdXV5+z57444qP/BsVowGiOnGAeMUjgAOolkN6kJppTIbVaMcIvYh4mAEz jobKGNnvZtd6bu1tIPhIAQAhlWZkAjlxVGN+wUVC3q5yI4K+M5MlqJdCK1ktD/+5a/5v H1R95v0bZT81i9RKbTdyZKG6QWwYE91zx/mcheSEBW9iOSbKRoT26qswblGbHtcO4ad6 MY3g== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:date:message-id; bh=gwvzXMh/iYiqbDuPWhEpzC/H8r553pENd2GTgAGLLhE=; fh=f1kzYb6aO0YZuff/4kH//KB6e2Mau4bxhMGVgJYHSYI=; b=fELu6Z96vOnRGTVArpT45qiXFCYJfisGYiO6zYVZ/pCx1mVATUcyb9qtM28L+TY6XL lEvUu+P0jbe6tjnbhQuc8rOS4oUWjDmM+qmnKlbQS06XIoY5keqU9hqUPOiFIf55Jjn/ eSQHZMwxBLL2xKFzUG6jT1klTaSjry1vE5dbTbdusPMjnGU7ZCKwbFrFSy5UGrL7++Nk 5M0lDlmVO/cA9O8YDd9tXEA1eHGy+ZzVK2dbUjceTmy6AauAbn2iJ/k22+G2xup6mAtM 9rzuND6RE1Z/a/ThQj+Rp/Qq6d0ncbolHhzuYxml5aP7rZfcN7P3kEm7IDEuIMwzKDGc PnEg==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; arc=pass (i=1 spf=pass spfdomain=huaweicloud.com); spf=pass (google.com: domain of linux-kernel+bounces-122827-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-122827-linux.lists.archive=gmail.com@vger.kernel.org" Return-Path: Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [2604:1380:45d1:ec00::1]) by mx.google.com with ESMTPS id c10-20020a0cf2ca000000b0069696dcf7c0si1218442qvm.134.2024.03.28.04.25.09 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 28 Mar 2024 04:25:09 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-122827-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) client-ip=2604:1380:45d1:ec00::1; Authentication-Results: mx.google.com; arc=pass (i=1 spf=pass spfdomain=huaweicloud.com); spf=pass (google.com: domain of linux-kernel+bounces-122827-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-122827-linux.lists.archive=gmail.com@vger.kernel.org" Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id 9E0D01C2729E for ; Thu, 28 Mar 2024 11:25:09 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 81D5A7E777; Thu, 28 Mar 2024 11:24:56 +0000 (UTC) Received: from frasgout11.his.huawei.com (frasgout11.his.huawei.com [14.137.139.23]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 404C07E574; Thu, 28 Mar 2024 11:24:52 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=14.137.139.23 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711625095; cv=none; b=KwuMoV2fgvtuRSennm6okgK17DSH/SDJqjnKjZnLu5+mal8eUEe5Yd7MtlpeUI7M7oLR1XzJh1Z8j1sj22EaJFsHRLig24r1pwnvZlYniN+lCcLWiJOzRY7m+ruXOY9JBI65eJZOx1tEEuPI9DkzPmddbvQ4HwvARPyRAkIpNUE= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711625095; c=relaxed/simple; bh=IVWuMXHvJ24EzomPmVm//u7gaDNCPlrLrRC0bENfsmo=; h=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From: In-Reply-To:Content-Type; b=OaKL0UbU2k6VE8oi5JhvOLhrMznqM7YU5hY0h2FwSgYPJ2FL7iTy8v6vci8dFuYs4sikzEVx+IQDYh1M3TVdTjPzuf7QulxOEiTGkAZd/yMVBLkIheaeWkhkJeW8rYotPgwhsPrUznK3z8cB3nkCiUrcVSv2oQ9lDbmYhLXbBg8= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=huaweicloud.com; spf=pass smtp.mailfrom=huaweicloud.com; arc=none smtp.client-ip=14.137.139.23 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=huaweicloud.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=huaweicloud.com Received: from mail.maildlp.com (unknown [172.18.186.29]) by frasgout11.his.huawei.com (SkyGuard) with ESMTP id 4V514V66wjz9xqx0; Thu, 28 Mar 2024 19:08:42 +0800 (CST) Received: from mail02.huawei.com (unknown [7.182.16.47]) by mail.maildlp.com (Postfix) with ESMTP id 4A515140801; Thu, 28 Mar 2024 19:24:43 +0800 (CST) Received: from [10.81.200.225] (unknown [10.81.200.225]) by APP1 (Coremail) with SMTP id LxC2BwAXCxRwUwVmbnglBQ--.8766S2; Thu, 28 Mar 2024 12:24:42 +0100 (CET) Message-ID: <4ad908dc-ddc5-492e-8ed4-d304156b5810@huaweicloud.com> Date: Thu, 28 Mar 2024 13:24:25 +0200 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: kernel crash in mknod Content-Language: en-US To: Christian Brauner Cc: Roberto Sassu , Al Viro , Steve French , LKML , linux-fsdevel , CIFS , Paulo Alcantara , Christian Brauner , Mimi Zohar , Paul Moore , "linux-integrity@vger.kernel.org" , "linux-security-module@vger.kernel.org" References: <20240324054636.GT538574@ZenIV> <3441a4a1140944f5b418b70f557bca72@huawei.com> <20240325-beugen-kraftvoll-1390fd52d59c@brauner> <20240326-halbkreis-wegstecken-8d5886e54d28@brauner> <4a0b28ba-be57-4443-b91e-1a744a0feabf@huaweicloud.com> <20240328-raushalten-krass-cb040068bde9@brauner> From: Roberto Sassu In-Reply-To: <20240328-raushalten-krass-cb040068bde9@brauner> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-CM-TRANSID:LxC2BwAXCxRwUwVmbnglBQ--.8766S2 X-Coremail-Antispam: 1UD129KBjvJXoWxGrWrXrW7uryfJFykZFWDJwb_yoWrCr1kpF 4rt3WDGws5JFW3Wr1IyF17ua1Sva4rWFW5AF4Fgw15ArnxKr1jqF1SvFyY9FW5Kr4xW34I qa17trsxWw4DAa7anT9S1TB71UUUUUUqnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2 9KBjDU0xBIdaVrnRJUUUk0b4IE77IF4wAFF20E14v26r4j6ryUM7CY07I20VC2zVCF04k2 6cxKx2IYs7xG6rWj6s0DM7CIcVAFz4kK6r1j6r18M28lY4IEw2IIxxk0rwA2F7IY1VAKz4 vEj48ve4kI8wA2z4x0Y4vE2Ix0cI8IcVAFwI0_Jr0_JF4l84ACjcxK6xIIjxv20xvEc7Cj xVAFwI0_Gr0_Cr1l84ACjcxK6I8E87Iv67AKxVW8JVWxJwA2z4x0Y4vEx4A2jsIEc7CjxV AFwI0_Gr0_Gr1UM2AIxVAIcxkEcVAq07x20xvEncxIr21l5I8CrVACY4xI64kE6c02F40E x7xfMcIj6xIIjxv20xvE14v26r1j6r18McIj6I8E87Iv67AKxVWUJVW8JwAm72CE4IkC6x 0Yz7v_Jr0_Gr1lF7xvr2IY64vIr41lFIxGxcIEc7CjxVA2Y2ka0xkIwI1l42xK82IYc2Ij 64vIr41l4I8I3I0E4IkC6x0Yz7v_Jr0_Gr1lx2IqxVAqx4xG67AKxVWUJVWUGwC20s026x 8GjcxK67AKxVWUGVWUWwC2zVAF1VAY17CE14v26r1q6r43MIIYrxkI7VAKI48JMIIF0xvE 2Ix0cI8IcVAFwI0_Jr0_JF4lIxAIcVC0I7IYx2IY6xkF7I0E14v26r4j6F4UMIIF0xvE42 xK8VAvwI8IcIk0rVWrJr0_WFyUJwCI42IY6I8E87Iv67AKxVWUJVW8JwCI42IY6I8E87Iv 6xkF7I0E14v26r4j6r4UJbIYCTnIWIevJa73UjIFyTuYvjxUrR6zUUUUU X-CM-SenderInfo: purev21wro2thvvxqx5xdzvxpfor3voofrz/1tbiAgAQBF1jj5fjZQABs3 On 3/28/2024 12:08 PM, Christian Brauner wrote: > On Thu, Mar 28, 2024 at 12:53:40PM +0200, Roberto Sassu wrote: >> On 3/26/2024 12:40 PM, Christian Brauner wrote: >>>> we can change the parameter of security_path_post_mknod() from >>>> dentry to inode? >>> >>> If all current callers only operate on the inode then it seems the best >>> to only pass the inode. If there's some reason someone later needs a >>> dentry the hook can always be changed. >> >> Ok, so the crash is likely caused by: >> >> void security_path_post_mknod(struct mnt_idmap *idmap, struct dentry >> *dentry) >> { >> if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) >> >> I guess we can also simply check if there is an inode attached to the >> dentry, to minimize the changes. I can do both. >> >> More technical question, do I need to do extra checks on the dentry before >> calling security_path_post_mknod()? > > Why do you need the dentry? The two users I see are ima in [1] and evm in [2]. > Both of them don't care about the dentry. They only care about the > inode. So why is that hook not just: Sure, I can definitely do that. Seems an easier fix to do an extra check in security_path_post_mknod(), rather than changing the parameter everywhere. Next time, when we introduce new LSM hooks we can try to introduce more specific parameters. Also, consider that the pre hook security_path_mknod() has the dentry as parameter. For symmetry, we could keep it in the post hook. What I was also asking is if I can still call d_backing_inode() on the dentry without extra checks, and avoiding the IS_PRIVATE() check if the former returns NULL. > diff --git a/security/security.c b/security/security.c > index 7e118858b545..025689a7e912 100644 > --- a/security/security.c > +++ b/security/security.c > @@ -1799,11 +1799,11 @@ EXPORT_SYMBOL(security_path_mknod); > * > * Update inode security field after a file has been created. > */ > -void security_path_post_mknod(struct mnt_idmap *idmap, struct dentry *dentry) > +void security_inode_post_mknod(struct mnt_idmap *idmap, struct inode *inode) > { > - if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) > + if (unlikely(IS_PRIVATE(inode))) > return; > - call_void_hook(path_post_mknod, idmap, dentry); > + call_void_hook(path_post_mknod, idmap, inode); > } > > /** > > And one another thing I'd like to point out is that the security hook is > called "security_path_post_mknod()" while the evm and ima hooks are > called evm_post_path_mknod() and ima_post_path_mknod() respectively. In > other words: > > git grep _path_post_mknod() doesn't show the implementers of that hook > which is rather unfortunate. It would be better if the pattern were: > > _$some_$ordered_$words() I know, yes. Didn't want to change just yet since people familiar with the IMA code know the current function name. I don't see any problem to rename the functions. Thanks Roberto > [1]: > static void evm_post_path_mknod(struct mnt_idmap *idmap, struct dentry *dentry) > { > struct inode *inode = d_backing_inode(dentry); > struct evm_iint_cache *iint = evm_iint_inode(inode); > > if (!S_ISREG(inode->i_mode)) > return; > > if (iint) > iint->flags |= EVM_NEW_FILE; > } > > [2]: > static void ima_post_path_mknod(struct mnt_idmap *idmap, struct dentry *dentry) > { > struct ima_iint_cache *iint; > struct inode *inode = dentry->d_inode; > int must_appraise; > > if (!ima_policy_flag || !S_ISREG(inode->i_mode)) > return; > > must_appraise = ima_must_appraise(idmap, inode, MAY_ACCESS, > FILE_CHECK); > if (!must_appraise) > return; > > /* Nothing to do if we can't allocate memory */ > iint = ima_inode_get(inode); > if (!iint) > return; > > /* needed for re-opening empty files */ > iint->flags |= IMA_NEW_FILE; > } > > > >> >> Thanks >> >> Roberto >> >>> For bigger changes it's also worthwhile if the object that's passed down >>> into the hook-based LSM layer is as specific as possible. If someone >>> does a change that affects lifetime rules of mounts then any hook that >>> takes a struct path argument that's unused means going through each LSM >>> that implements the hook only to find out it's not actually used. >>> Similar for dentry vs inode imho. >>