Message ID | 20221128144240.210110-2-roberto.sassu@huaweicloud.com |
---|---|
State | New |
Headers |
From: Roberto Sassu <roberto.sassu@huaweicloud.com> To: paul@paul-moore.com, casey@schaufler-ca.com, omosnace@redhat.com, john.johansen@canonical.com, kpsingh@kernel.org Cc: bpf@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, Roberto Sassu <roberto.sassu@huawei.com> Subject: [PATCH v2 1/2] lsm: Clarify documentation of vm_enough_memory hook Date: Mon, 28 Nov 2022 15:42:39 +0100 Message-Id: <20221128144240.210110-2-roberto.sassu@huaweicloud.com> In-Reply-To: <20221128144240.210110-1-roberto.sassu@huaweicloud.com> |
Series | lsm: Improve LSM hooks documentation |
Commit Message
Roberto Sassu
Nov. 28, 2022, 2:42 p.m. UTC
From: Roberto Sassu <roberto.sassu@huawei.com>

include/linux/lsm_hooks.h reports the result of the LSM infrastructure to
the callers, not what LSMs should return to the LSM infrastructure.

Clarify that and add that if all LSMs return a positive value
__vm_enough_memory() will be called with cap_sys_admin set. If at least one
LSM returns 0 or negative, it will be called with cap_sys_admin cleared.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
---
 include/linux/lsm_hooks.h | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
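The aggregation rule this commit message describes, as an added user-space model (not kernel code and not part of the patch): every `model_*` and `lsm_*` name is hypothetical, and the stand-in for `__vm_enough_memory()` uses constructed page counts only to make the effect of `cap_sys_admin` visible.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical per-LSM hook: > 0 keeps cap_sys_admin set, <= 0 clears it. */
typedef int (*vm_hook_t)(long pages);

static int last_cap_sys_admin = -1; /* what the model passed down, for inspection */

/* Toy stand-in for __vm_enough_memory(); page counts are constructed values. */
static int model_vm_enough_memory(long pages, int cap_sys_admin)
{
	const long free_pages = 1000, admin_reserve = 100;
	long usable = cap_sys_admin ? free_pages : free_pages - admin_reserve;

	last_cap_sys_admin = cap_sys_admin;
	return pages <= usable ? 0 : -ENOMEM;
}

/* Aggregation as the commit message describes it. */
int model_security_vm_enough_memory(const vm_hook_t *hooks, size_t n, long pages)
{
	int cap_sys_admin = 1;

	for (size_t i = 0; i < n; i++) {
		if (hooks[i](pages) <= 0) { /* one 0 or negative is enough */
			cap_sys_admin = 0;
			break;
		}
	}
	/* The caller sees only this result, never a hook's own value. */
	return model_vm_enough_memory(pages, cap_sys_admin);
}

static int lsm_positive(long pages) { (void)pages; return 1; }
static int lsm_zero(long pages)     { (void)pages; return 0; }
static int lsm_negative(long pages) { (void)pages; return -EPERM; }

int main(void)
{
	const vm_hook_t a[] = { lsm_positive, lsm_positive };
	const vm_hook_t b[] = { lsm_positive, lsm_zero };
	const vm_hook_t c[] = { lsm_negative, lsm_positive };

	printf("all positive, 950 pages: %d\n", model_security_vm_enough_memory(a, 2, 950));
	printf("one zero, 950 pages:     %d\n", model_security_vm_enough_memory(b, 2, 950));
	printf("one negative, 500 pages: %d\n", model_security_vm_enough_memory(c, 2, 500));
	return 0;
}
```

In the third case the model returns 0 even though one hook returned a negative value, which is the distinction the patch documents: a hook's value only selects the `cap_sys_admin` argument.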
Comments
On Mon, Nov 28, 2022 at 9:43 AM Roberto Sassu <roberto.sassu@huaweicloud.com> wrote:
>
> From: Roberto Sassu <roberto.sassu@huawei.com>
>
> include/linux/lsm_hooks.h reports the result of the LSM infrastructure to
> the callers, not what LSMs should return to the LSM infrastructure.
>
> Clarify that and add that if all LSMs return a positive value
> __vm_enough_memory() will be called with cap_sys_admin set. If at least one
> LSM returns 0 or negative, it will be called with cap_sys_admin cleared.
>
> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> ---
> include/linux/lsm_hooks.h | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)

Thanks Roberto. Normally I don't like merging patches this close to the merge window, but as this is a comment-only fix that makes an important clarification I'm going to make an exception here and merge it into lsm/next.

> diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h > index 2831efebde69..c35e260efd8c 100644 > --- a/include/linux/lsm_hooks.h > +++ b/include/linux/lsm_hooks.h > @@ -1398,7 +1398,11 @@ > * Check permissions for allocating a new virtual mapping. > * @mm contains the mm struct it is being added to. > * @pages contains the number of pages. > - * Return 0 if permission is granted. > + * Return 0 if permission is granted by the LSM infrastructure to the > + * caller. If all LSMs return a positive value, __vm_enough_memory() will > + * be called with cap_sys_admin set. If at least one LSM returns 0 or > + * negative, __vm_enough_memory() will be called with cap_sys_admin > + * cleared. > * > * @ismaclabel: > * Check if the extended attribute specified by @name > -- > 2.25.1
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 2831efebde69..c35e260efd8c 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -1398,7 +1398,11 @@ * Check permissions for allocating a new virtual mapping. * @mm contains the mm struct it is being added to. * @pages contains the number of pages. - * Return 0 if permission is granted. + * Return 0 if permission is granted by the LSM infrastructure to the + * caller. If all LSMs return a positive value, __vm_enough_memory() will + * be called with cap_sys_admin set. If at least one LSM returns 0 or + * negative, __vm_enough_memory() will be called with cap_sys_admin + * cleared. * * @ismaclabel: * Check if the extended attribute specified by @name
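Review bot: the added comment for vm_enough_memory mixes two return conventions without labelling them. "Return 0 if permission is granted by the LSM infrastructure to the caller" is the value the caller sees, while the positive / "0 or negative" values in the next two sentences are what each LSM returns to the infrastructure, and an LSM author reading the hook documentation could still take "Return 0" as the value to return for success, which according to the following sentence clears cap_sys_admin. Consider stating the per-LSM convention first and explicitly (for example "LSMs return a positive value to ..., 0 or a negative value to ...") and then, separately, what the caller receives, including the value on denial, which the text does not give. Minor wording: "returns 0 or negative" reads better as "returns 0 or a negative value".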