From: Paul Moore
Date: Tue, 2 Apr 2024 16:28:12 -0400
Subject: Re: [GIT PULL] security changes for v6.9-rc3
To: Linus Torvalds
Cc: Roberto Sassu, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-cifs@vger.kernel.org, linux-kernel@vger.kernel.org, Roberto Sassu

On Tue, Apr 2, 2024 at 4:27 PM Paul Moore wrote:
> On Tue, Apr 2, 2024 at 3:39 PM Linus Torvalds
> wrote:
> >
> > ...
>
> > But if we really want to do this ("if mknod creates a positive dentry,
> > I won't see it in lookup, so I want to appraise it now"), then we
> > should just deal with this in the generic layer with some hack like
> > this:
> >
> > --- a/security/security.c
> > +++ b/security/security.c
> > @@ -1801,7 +1801,8 @@ EXPORT_SYMBOL(security_path_mknod);
> > */
> > void security_path_post_mknod(struct mnt_idmap *idmap, struct dentry= *dentry)
> > {
> > - if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
> > + struct inode *inode =3D d_backing_inode(dentry);
> > + if (unlikely(!inode || IS_PRIVATE(inode)))
> > return;
> > call_void_hook(path_post_mknod, idmap, dentry);
> > }
>
> Other than your snippet wrapping both the inode/NULL and
> inode/IS_PRIVATE checks with an unlikely(), that's what Roberto
> submitted (his patch only wrapped the inode/IS_PRIVATE with unlikely).

Nevermind, I missed the obvious OR / AND diff ... sorry for the noise.

-- 
paul-moore.com
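
Review bot: in security_path_post_mknod() the new early return treats a NULL inode and a private inode the same way, and nothing in the hunk says why d_backing_inode(dentry) can be NULL at this point. A one-line comment above the check, matching the rationale quoted with the patch (the dentry may not be positive after mknod, so there is nothing to appraise yet), would keep a later cleanup from dropping the !inode test. That test also has to stay first in the || so that IS_PRIVATE() is never evaluated on a NULL pointer. As a style point, kernel coding style expects a blank line between the `struct inode *inode` declaration and the `if` that follows it.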