X-Mailing-List: linux-kernel@vger.kernel.org
In-Reply-To: <20240403075729.2888084-1-roberto.sassu@huaweicloud.com>
From: Paul Moore
Date: Wed, 3 Apr 2024 10:58:47 -0400
Subject: Re: [PATCH v3] security: Place security_path_post_mknod() where the original IMA call was
To: Roberto Sassu
Cc: viro@zeniv.linux.org.uk, brauner@kernel.org, jack@suse.cz, jmorris@namei.org, serge@hallyn.com, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, linux-cifs@vger.kernel.org, pc@manguebit.com, christian@brauner.io, torvalds@linux-foundation.org, Roberto Sassu, Steve French

On Wed, Apr 3, 2024 at 3:57 AM Roberto Sassu wrote:
>
> From: Roberto Sassu
>
> Commit 08abce60d63f ("security: Introduce path_post_mknod hook")
> introduced security_path_post_mknod(), to replace the IMA-specific call to
> ima_post_path_mknod().
>
> For symmetry with security_path_mknod(), security_path_post_mknod() was
> called after a successful mknod operation, for any file type, rather than
> only for regular files at the time there was the IMA call.
>
> However, as reported by VFS maintainers, successful mknod operation does
> not mean that the dentry always has an inode attached to it (for example,
> not for FIFOs on a SAMBA mount).
>
> If that condition happens, the kernel crashes when
> security_path_post_mknod() attempts to verify if the inode associated to
> the dentry is private.
>
> Move security_path_post_mknod() where the ima_post_path_mknod() call was,
> which is obviously correct from IMA/EVM perspective. IMA/EVM are the only
> in-kernel users, and only need to inspect regular files.
>
> Reported-by: Steve French
> Closes: https://lore.kernel.org/linux-kernel/CAH2r5msAVzxCUHHG8VKrMPUKQHmBpE6K9_vjhgDa1uAvwx4ppw@mail.gmail.com/
> Suggested-by: Al Viro
> Fixes: 08abce60d63f ("security: Introduce path_post_mknod hook")
> Signed-off-by: Roberto Sassu
> ---
>  fs/namei.c          | 7 ++-----
>  security/security.c | 4 ++--
>  2 files changed, 4 insertions(+), 7 deletions(-)

Acked-by: Paul Moore

-- 
paul-moore.com