Received: by 2002:a05:7208:3003:b0:81:def:69cd with SMTP id f3csp4295705rba; Tue, 2 Apr 2024 12:40:50 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCVNDznatqPXfY7AVimrgJU/ItziqeJX/nT+BAbZBbeVrFjXrdPc9eMqVwxJfmFWSv6ApOmm4Yg/JfFBBfaX9+uYdPQ9RXEkeUMeTszMZQ== X-Google-Smtp-Source: AGHT+IEJDF1MJZIklxOvDnCwWoa74j/VmdCFu33HefgbaS/LQ0VWRpELeArmSXfvXsImgoHzKN6J X-Received: by 2002:a17:90b:3104:b0:2a2:80e5:334b with SMTP id gc4-20020a17090b310400b002a280e5334bmr1308902pjb.18.1712086850189; Tue, 02 Apr 2024 12:40:50 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1712086850; cv=pass; d=google.com; s=arc-20160816; b=QUYMnsqtB1uqzFgqdHcrI+PWbzkS+SB1ccDK/yIWoxSH8FsvXluEXKXKGVDXsitoDO abjRoroep9DMhFZC/E9YFIlHz23UDnEspa3HCluwjIZq1CYBBXYrsLhscsfJG3o3zALE 0P94SBfn9kdSA0KDznIpVE3HVmNaB9wJvhqS0672GUvd46UfGR7zAaFJ3Lp1vCvwWLt4 Ae9an1nIRPrKo+u7OaRP6nDRiiHkao2lH3msEpXt8Am5PzYxuh9fadJImAOW/juvyZhR fMbKEiNZY6iLPP+NudczQ1ZjF8rM9Va+QlvG0Ag1nrkVamqJjCHPf/LNjOv68bB2ljY+ JzFQ== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:list-unsubscribe:list-subscribe:list-id:precedence :dkim-signature; bh=0mQeGyOEkrbKK1USpW42EOtHV5nHSHeR2mY3J6ZfsUg=; fh=XHqQ2ZKrQOBRDCB9SkuPa579jyiyWzSo3jO8va56EVk=; b=L08fDUPXZUqIN8q5Lu1/PTIu77ZNWNrhtKign1rv3mowvwCIGX6wzEHRnqVx51peJ+ ZPd2vvl9OvqjgDaUTjOXJzl3Js6iFbksRYaal8MZHypcGhIXp54IDM6n8pW1shhbkO0f 0JkcpLbVaVpLlD6vdoRozz7tOciuee3y6/d+StCHnBte3uvMGlh/flpk42QeiIp8dJDP Pvs9IaIxbOutG6wEAziDQSOABmCuvamwNmx69AKf3peniJtKQ0WGr4oc8rXSGL2JdbkX NUjv4ajLjIDlNEAqQMTug5O6SQP/VSrfvq4OMun7sMy0DX6iyS5s5A6crPbcq1ZAiZVM KJ/Q==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@linux-foundation.org header.s=google header.b=P7FTA2jL; arc=pass (i=1 spf=pass spfdomain=linuxfoundation.org dkim=pass dkdomain=linux-foundation.org); spf=pass (google.com: domain of linux-kernel+bounces-128593-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-kernel+bounces-128593-linux.lists.archive=gmail.com@vger.kernel.org" Return-Path: Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [147.75.48.161]) by mx.google.com with ESMTPS id lb14-20020a17090b4a4e00b002a26d9ef56esi1094565pjb.66.2024.04.02.12.40.49 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 02 Apr 2024 12:40:50 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-128593-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) client-ip=147.75.48.161; Authentication-Results: mx.google.com; dkim=pass header.i=@linux-foundation.org header.s=google header.b=P7FTA2jL; arc=pass (i=1 spf=pass spfdomain=linuxfoundation.org dkim=pass dkdomain=linux-foundation.org); spf=pass (google.com: domain of linux-kernel+bounces-128593-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-kernel+bounces-128593-linux.lists.archive=gmail.com@vger.kernel.org" Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sy.mirrors.kernel.org (Postfix) with ESMTPS id C21ABB21598 for ; Tue, 2 Apr 2024 19:39:58 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 73DB115B99E; Tue, 2 Apr 2024 19:39:49 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linux-foundation.org header.i=@linux-foundation.org header.b="P7FTA2jL" Received: from mail-ej1-f42.google.com (mail-ej1-f42.google.com [209.85.218.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A229F15B962 for ; Tue, 2 Apr 2024 19:39:46 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.218.42 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712086788; cv=none; b=cstULrYXpuwiA8+xqn9NzpqrqxjLuDREOoDmlSVQR3L3npN098GxAvhqvN4XFOKx6sucx65wgckjPpvGumEY9qLZJEJfHCJjtHzjwqeXsDiCctdsB0onMxM3jPRgtBLR2RzCS6BAmP9sfqZw7wK2thqt4RT1COZRf44yIr4khdI= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712086788; c=relaxed/simple; bh=FUitx7MgiMoEaaLuPTTMRh2BBePYzO9uMUChIAgHet4=; h=MIME-Version:References:In-Reply-To:From:Date:Message-ID:Subject: To:Cc:Content-Type; b=qSI/kl8w9FsQyS4sOYVzpJlJkRrVXrzVRe6IBSKjlBKr0dQXt6zow5XMC5oRzBzJw1M3Qh61Z++52q4p1AWJzRQnFE3YBlQJtvaXgY8vMLbJ2fREl+bB0L2sPdsZKMZKMxyAZYupa+/n+CscOFGFiwiEDaFG5bIUG1B7aVMN6Xg= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=linux-foundation.org; spf=pass smtp.mailfrom=linuxfoundation.org; dkim=pass (1024-bit key) header.d=linux-foundation.org header.i=@linux-foundation.org header.b=P7FTA2jL; arc=none smtp.client-ip=209.85.218.42 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=linux-foundation.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linuxfoundation.org Received: by mail-ej1-f42.google.com with SMTP id a640c23a62f3a-a4e8904bd71so142809566b.1 for ; Tue, 02 Apr 2024 12:39:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux-foundation.org; s=google; t=1712086785; x=1712691585; darn=vger.kernel.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=0mQeGyOEkrbKK1USpW42EOtHV5nHSHeR2mY3J6ZfsUg=; b=P7FTA2jLoXfsCEtkxUDirRllSwd19LRpNYr/iGBO5t318EPrbrZ39u1tsh47t8Ulo2 jLLSfOpozJBe/dazhfqMaB1G8OpvLowTauwQQ2YFZKFfUiPvepG3XlWsqEcWAfzsx8nu FSOKiZGXPGjOb0JnVv0dIIWsYk5w+O1Y38Uic= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712086785; x=1712691585; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=0mQeGyOEkrbKK1USpW42EOtHV5nHSHeR2mY3J6ZfsUg=; b=OZumzTLLAWHeRfeMvB87Ef5rdX+JjgO5xScBnU8183bvpuc0cY2ylQr7LtZNIzjJyB Sjl18NcLcorvzdJCisA3MxT8ej/MfMLIq5AQck0OPIGlNP8QsMjWc8CO9KzAj604QQ+a gVCVY4KBV8b+gLlSDIuT2KMYJkyYSRkThKfW9TkMgR28uutDDU9c0wqEM0iYLiLVR64H J6y4MQoVnErS8Hl0FdqaSVLGbMUZw41q9QSyNCQTstDPZ9V6RDmLPXli8aAhj5rQ5KRk ORlyZG+dx1tPLG3EFnXM4O1aEFFD3K0ecVqWhfzKQ7EDEleTBFQOzOl4b9CBFnfSFuzn 5M7Q== X-Forwarded-Encrypted: i=1; AJvYcCUjtq9ZwiarDf8+X4BGNCzpJR3LJR9XkByC7tcjcjctBGORzz4VRcTs06O3+WorihIzXH6Y1Uf9at4foPaRaHmlt2VLmIwy08Gtr7Gv X-Gm-Message-State: AOJu0YwGDAZmt4szHs2gPuJPvxc9NXsraGAD+ejl7pQR9tUP7ZhE9oDk B7zc4M23x3PxEXYJrdYvqp7KdnRitiuIVh/obR2Cgk3GedBVjyl065mKMY+67mZXTeqO22wJ6mX x8MI= X-Received: by 2002:a17:906:bb08:b0:a47:3651:a302 with SMTP id jz8-20020a170906bb0800b00a473651a302mr8473774ejb.42.1712086784719; Tue, 02 Apr 2024 12:39:44 -0700 (PDT) Received: from mail-ed1-f41.google.com (mail-ed1-f41.google.com. [209.85.208.41]) by smtp.gmail.com with ESMTPSA id qk3-20020a170906d9c300b00a473abcb9fdsm6962122ejb.90.2024.04.02.12.39.43 for (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 02 Apr 2024 12:39:43 -0700 (PDT) Received: by mail-ed1-f41.google.com with SMTP id 4fb4d7f45d1cf-56845954ffeso8176334a12.2 for ; Tue, 02 Apr 2024 12:39:43 -0700 (PDT) X-Forwarded-Encrypted: i=1; AJvYcCXvVctNH7ypGFHtXkAm2T6levq45NF/TKNqwb9NWpnCFSvbvNqUDtdQUV7nWjyrktiVZCykMsoLuZhfB03fX/aghcSAyXHb4xR7v8mF X-Received: by 2002:a17:906:2698:b0:a47:4d61:de44 with SMTP id t24-20020a170906269800b00a474d61de44mr8673776ejc.55.1712086783205; Tue, 02 Apr 2024 12:39:43 -0700 (PDT) Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 References: <20240402141145.2685631-1-roberto.sassu@huaweicloud.com> In-Reply-To: <20240402141145.2685631-1-roberto.sassu@huaweicloud.com> From: Linus Torvalds Date: Tue, 2 Apr 2024 12:39:27 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [GIT PULL] security changes for v6.9-rc3 To: Roberto Sassu Cc: linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-cifs@vger.kernel.org, linux-kernel@vger.kernel.org, Roberto Sassu Content-Type: text/plain; charset="UTF-8" On Tue, 2 Apr 2024 at 07:12, Roberto Sassu wrote: > A single bug fix to address a kernel panic in the newly introduced function > security_path_post_mknod. So I've pulled from you before, but I still don't have a signature chain for your key (not that I can even find the key itself, much less a signature chain). Last time I pulled, it was after having everybody else just verify the actual commit. This time, the commit looks like a valid "avoid NULL", but I have to say that I also think the security layer code in question is ENTIRELY WRONG. IOW, as far as I can tell, the mknod() system call may indeed leave the dentry unhashed, and rely on anybody who then wants to use the new special file to just do a "lookup()" to actually use it. HOWEVER. That also means that the whole notion of "post_path_mknod() is complete and utter hoghwash. There is not anything that the security layer can possibly validly do. End result: instead of checking the 'inode' for NULL, I think the right fix is to remove that meaningless security hook. It cannot do anything sane, since one option is always 'the inode hasn't been initialized yet". Put another way: any security hook that checks inode in security_path_post_mknod() seems simply buggy. But if we really want to do this ("if mknod creates a positive dentry, I won't see it in lookup, so I want to appraise it now"), then we should just deal with this in the generic layer with some hack like this: --- a/security/security.c +++ b/security/security.c @@ -1801,7 +1801,8 @@ EXPORT_SYMBOL(security_path_mknod); */ void security_path_post_mknod(struct mnt_idmap *idmap, struct dentry *dentry) { - if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) + struct inode *inode = d_backing_inode(dentry); + if (unlikely(!inode || IS_PRIVATE(inode))) return; call_void_hook(path_post_mknod, idmap, dentry); } and IMA and EVM would have to do any validation at lookup() time for the cases where the dentry wasn't hashed by ->mknod. Anyway, all of this is to say that I don't feel like I can pull this without (a) more acks by people and (b) explanations for why the simpler fix to just security_path_post_mknod() isn't the right fix. Linus