From patchwork Wed Nov 23 09:51:58 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Roberto Sassu X-Patchwork-Id: 24838 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:adf:f944:0:0:0:0:0 with SMTP id q4csp2698420wrr; Wed, 23 Nov 2022 02:08:20 -0800 (PST) X-Google-Smtp-Source: AA0mqf48Is7Ofhlh2ijxtE3HN7qEyFu6p97jHj66NOZomSYmtl8jEZZWtmFdrxlJXuL2oHLckpGf X-Received: by 2002:a17:906:e0d7:b0:7b9:a74b:f16a with SMTP id gl23-20020a170906e0d700b007b9a74bf16amr2432446ejb.192.1669198099988; Wed, 23 Nov 2022 02:08:19 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1669198099; cv=none; d=google.com; s=arc-20160816; b=aT+QOAc8PDvCTUYufQ/fMi2FMa5EGhodx0dxxVCACrrsUasZUE7kV2Jg184l3aniXt cBLjusa28Fqk9/cC/mC5EI4Xe0i4FVLnR3TchIIS9NFjLSPM/Ah4lKhCRpGgI+gCpgX/ UC430T9sR3Z3JbXgf2RYdCFHIo59Ux/iR5fEcDn/FAGQMYqmSBWN0PmX5eUQRrE993Kp wdhUpsxABfI8LkokuN9e/tELQ8rPCiXC2xvdtjUXLGk4sPnVASWY9md7Mm8jMUbemHTv 5WZh/H6oenypr/bQE4qgW7eJC9CTGNYgDSiqEMtZG3cjPKDvRnJFj4gLkUyx2UYu4Tsa eb6Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from; bh=lO1mFu3EycTFouUt7DwoeKPjF9aCJcmA5WD/n34ftd8=; b=iW2PZheR7LuoLLa4CM54/DhY1SLYAz8r0Mbjjkbo33EHOhUFlJNxRG+YLhkAFD+9It WnC/A4Az1/2/p6uDeu7ObpJNxBzXKf7AFNgBLuZbauP5rI0R6Vn4Kbi7+T2loehqfgzr Q2Dws1ypQfgFCvntH1FhTY8a/AaDWyMASlWHQCik3k0p69Bm3ZCwQikjbAasAD80b/hd /qNvsrpwR4k5ZYlcLt136GoRcb2Nk8ISwgui+Y6QkPuGEeIeSBoeHgwQ3ejeJrTuFVPh xkhUfckYQ0B5Iuzk5Deids03pcriTlGlu3nic5TyJYJLPz2/ayygmQRD0hQxqKsI7ReB 3ugw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id oz35-20020a1709077da300b007b5ce4a4360si8716551ejc.151.2022.11.23.02.07.51; Wed, 23 Nov 2022 02:08:19 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236860AbiKWKCX (ORCPT + 99 others); Wed, 23 Nov 2022 05:02:23 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57270 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236901AbiKWKBD (ORCPT ); Wed, 23 Nov 2022 05:01:03 -0500 Received: from frasgout12.his.huawei.com (frasgout12.his.huawei.com [14.137.139.154]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3AE4F11A704; Wed, 23 Nov 2022 01:53:09 -0800 (PST) Received: from mail02.huawei.com (unknown [172.18.147.228]) by frasgout12.his.huawei.com (SkyGuard) with ESMTP id 4NHGVd4fZRz9xFXk; Wed, 23 Nov 2022 17:46:49 +0800 (CST) Received: from huaweicloud.com (unknown [10.204.63.22]) by APP1 (Coremail) with SMTP id LxC2BwAH829J7X1jzDqKAA--.13162S4; Wed, 23 Nov 2022 10:52:40 +0100 (CET) From: Roberto Sassu To: mark@fasheh.com, jlbec@evilplan.org, joseph.qi@linux.alibaba.com, zohar@linux.ibm.com, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, stephen.smalley.work@gmail.com, eparis@parisplace.org, casey@schaufler-ca.com Cc: ocfs2-devel@oss.oracle.com, reiserfs-devel@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org, linux-kernel@vger.kernel.org, keescook@chromium.org, nicolas.bouchinet@clip-os.org, Roberto Sassu Subject: [PATCH v5 2/6] ocfs2: Switch to security_inode_init_security() Date: Wed, 23 Nov 2022 10:51:58 +0100 Message-Id: <20221123095202.599252-3-roberto.sassu@huaweicloud.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20221123095202.599252-1-roberto.sassu@huaweicloud.com> References: <20221123095202.599252-1-roberto.sassu@huaweicloud.com> MIME-Version: 1.0 X-CM-TRANSID: LxC2BwAH829J7X1jzDqKAA--.13162S4 X-Coremail-Antispam: 1UD129KBjvJXoWxCw4rKFyxCF1xJw4fAr4xZwb_yoWrKryrpa 1rtFnxtr4fJFy8Wryftr4a9a1S9rWrGrZrGrs3G34DZFn8Cr1ftry0yr1Y9Fy5XrWDJFyk tr4Fkrsxuws8JwUanT9S1TB71UUUUUUqnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2 9KBjDU0xBIdaVrnRJUUUBab4IE77IF4wAFF20E14v26rWj6s0DM7CY07I20VC2zVCF04k2 6cxKx2IYs7xG6rWj6s0DM7CIcVAFz4kK6r1j6r18M28IrcIa0xkI8VA2jI8067AKxVWUXw A2048vs2IY020Ec7CjxVAFwI0_Xr0E3s1l8cAvFVAK0II2c7xJM28CjxkF64kEwVA0rcxS w2x7M28EF7xvwVC0I7IYx2IY67AKxVWUCVW8JwA2z4x0Y4vE2Ix0cI8IcVCY1x0267AKxV W8Jr0_Cr1UM28EF7xvwVC2z280aVAFwI0_Gr0_Cr1l84ACjcxK6I8E87Iv6xkF7I0E14v2 6r4UJVWxJr1le2I262IYc4CY6c8Ij28IcVAaY2xG8wAqx4xG64xvF2IEw4CE5I8CrVC2j2 WlYx0E2Ix0cI8IcVAFwI0_Jr0_Jr4lYx0Ex4A2jsIE14v26r1j6r4UMcvjeVCFs4IE7xkE bVWUJVW8JwACjcxG0xvY0x0EwIxGrwACI402YVCY1x02628vn2kIc2xKxwCF04k20xvY0x 0EwIxGrwCFx2IqxVCFs4IE7xkEbVWUJVW8JwC20s026c02F40E14v26r1j6r18MI8I3I0E 7480Y4vE14v26r106r1rMI8E67AF67kF1VAFwI0_GFv_WrylIxkGc2Ij64vIr41lIxAIcV C0I7IYx2IY67AKxVWUCVW8JwCI42IY6xIIjxv20xvEc7CjxVAFwI0_Gr1j6F4UJwCI42IY 6xAIw20EY4v20xvaj40_Jr0_JF4lIxAIcVC2z280aVAFwI0_Jr0_Gr1lIxAIcVC2z280aV CY1x0267AKxVW8Jr0_Cr1UYxBIdaVFxhVjvjDU0xZFpf9x07UC9aPUUUUU= X-CM-SenderInfo: purev21wro2thvvxqx5xdzvxpfor3voofrz/1tbiAgAFBF1jj4HGZgAAsT X-CFilter-Loop: Reflected X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_NONE, SPF_NONE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1750281067284945051?= X-GMAIL-MSGID: =?utf-8?q?1750281067284945051?= From: Roberto Sassu In preparation for removing security_old_inode_init_security(), switch to security_inode_init_security(). Extend the existing ocfs2_initxattrs() to take the ocfs2_security_xattr_info structure from fs_info, and populate the name/value/len triple with the first xattr provided by LSMs. Supporting multiple xattrs is not currently supported, as it requires non-trivial changes that can be done at a later time. As fs_info was not used before, ocfs2_initxattrs() can now handle the case of replicating the behavior of security_old_inode_init_security(), i.e. just obtaining the xattr, in addition to setting all xattrs provided by LSMs. Finally, modify the handling of the return value from ocfs2_init_security_get(). As security_inode_init_security() does not return -EOPNOTSUPP, remove this case and directly handle the error if the return value is not zero. However, the previous case of receiving -EOPNOTSUPP should be still taken into account, as security_inode_init_security() could return zero without setting xattrs and ocfs2 would consider it as if the xattr was set. Instead, if security_inode_init_security() returned zero, look at the xattr if it was set, and behave accordingly, i.e. set si->enable to zero to notify to the functions following ocfs2_init_security_get() that the xattr is not available (same as if security_old_inode_init_security() returned -EOPNOTSUPP). Signed-off-by: Roberto Sassu --- fs/ocfs2/namei.c | 18 ++++++------------ fs/ocfs2/xattr.c | 30 ++++++++++++++++++++++++++---- 2 files changed, 32 insertions(+), 16 deletions(-) diff --git a/fs/ocfs2/namei.c b/fs/ocfs2/namei.c index 05f32989bad6..55fba81cd2d1 100644 --- a/fs/ocfs2/namei.c +++ b/fs/ocfs2/namei.c @@ -242,6 +242,7 @@ static int ocfs2_mknod(struct user_namespace *mnt_userns, int want_meta = 0; int xattr_credits = 0; struct ocfs2_security_xattr_info si = { + .name = NULL, .enable = 1, }; int did_quota_inode = 0; @@ -315,12 +316,8 @@ static int ocfs2_mknod(struct user_namespace *mnt_userns, /* get security xattr */ status = ocfs2_init_security_get(inode, dir, &dentry->d_name, &si); if (status) { - if (status == -EOPNOTSUPP) - si.enable = 0; - else { - mlog_errno(status); - goto leave; - } + mlog_errno(status); + goto leave; } /* calculate meta data/clusters for setting security and acl xattr */ @@ -1805,6 +1802,7 @@ static int ocfs2_symlink(struct user_namespace *mnt_userns, int want_clusters = 0; int xattr_credits = 0; struct ocfs2_security_xattr_info si = { + .name = NULL, .enable = 1, }; int did_quota = 0, did_quota_inode = 0; @@ -1875,12 +1873,8 @@ static int ocfs2_symlink(struct user_namespace *mnt_userns, /* get security xattr */ status = ocfs2_init_security_get(inode, dir, &dentry->d_name, &si); if (status) { - if (status == -EOPNOTSUPP) - si.enable = 0; - else { - mlog_errno(status); - goto bail; - } + mlog_errno(status); + goto bail; } /* calculate meta data/clusters for setting security xattr */ diff --git a/fs/ocfs2/xattr.c b/fs/ocfs2/xattr.c index 95d0611c5fc7..55699c573541 100644 --- a/fs/ocfs2/xattr.c +++ b/fs/ocfs2/xattr.c @@ -7259,9 +7259,21 @@ static int ocfs2_xattr_security_set(const struct xattr_handler *handler, static int ocfs2_initxattrs(struct inode *inode, const struct xattr *xattr_array, void *fs_info) { + struct ocfs2_security_xattr_info *si = fs_info; const struct xattr *xattr; int err = 0; + if (si) { + si->value = kmemdup(xattr_array->value, xattr_array->value_len, + GFP_KERNEL); + if (!si->value) + return -ENOMEM; + + si->name = xattr_array->name; + si->value_len = xattr_array->value_len; + return 0; + } + for (xattr = xattr_array; xattr->name != NULL; xattr++) { err = ocfs2_xattr_set(inode, OCFS2_XATTR_INDEX_SECURITY, xattr->name, xattr->value, @@ -7277,13 +7289,23 @@ int ocfs2_init_security_get(struct inode *inode, const struct qstr *qstr, struct ocfs2_security_xattr_info *si) { + int ret; + /* check whether ocfs2 support feature xattr */ if (!ocfs2_supports_xattr(OCFS2_SB(dir->i_sb))) return -EOPNOTSUPP; - if (si) - return security_old_inode_init_security(inode, dir, qstr, - &si->name, &si->value, - &si->value_len); + if (si) { + ret = security_inode_init_security(inode, dir, qstr, + &ocfs2_initxattrs, si); + /* + * security_inode_init_security() does not return -EOPNOTSUPP, + * we have to check the xattr ourselves. + */ + if (!ret && !si->name) + si->enable = 0; + + return ret; + } return security_inode_init_security(inode, dir, qstr, &ocfs2_initxattrs, NULL);