From: Paul Moore <paul@paul-moore.com>
To: "Serge E. Hallyn" <serge@hallyn.com>
Cc: linux-security-module@vger.kernel.org
Subject: Re: [PATCH] lsm: handle the NULL buffer case in lsm_fill_user_ctx()
Date: Fri, 15 Mar 2024 12:00:36 -0400 [thread overview]
Message-ID: <CAHC9VhT3OuEgViyUD+HJ7S1JfO3qDorWsLR0mYm+RFYDMht-Og@mail.gmail.com> (raw)
In-Reply-To: <20240315155503.GA308713@mail.hallyn.com>
On Fri, Mar 15, 2024 at 11:55 AM Serge E. Hallyn <serge@hallyn.com> wrote:
> On Fri, Mar 15, 2024 at 11:18:38AM -0400, Paul Moore wrote:
> > On Fri, Mar 15, 2024 at 11:02 AM Serge E. Hallyn <serge@hallyn.com> wrote:
> > > On Wed, Mar 13, 2024 at 10:22:03PM -0400, Paul Moore wrote:
> > > > Passing a NULL buffer into the lsm_get_self_attr() syscall is a valid
> > > > way to quickly determine the minimum size of the buffer needed to for
> > > > the syscall to return all of the LSM attributes to the caller.
> > > > Unfortunately we/I broke that behavior in commit d7cf3412a9f6
> > > > ("lsm: consolidate buffer size handling into lsm_fill_user_ctx()")
> > > > such that it returned an error to the caller; this patch restores the
> > > > original desired behavior of using the NULL buffer as a quick way to
> > > > correctly size the attribute buffer.
> > > >
> > > > Cc: stable@vger.kernel.org
> > > > Fixes: d7cf3412a9f6 ("lsm: consolidate buffer size handling into lsm_fill_user_ctx()")
> > > > Signed-off-by: Paul Moore <paul@paul-moore.com>
> > > > ---
> > > > security/security.c | 8 +++++++-
> > > > 1 file changed, 7 insertions(+), 1 deletion(-)
> > > >
> > > > diff --git a/security/security.c b/security/security.c
> > > > index 5b2e0a15377d..7e118858b545 100644
> > > > --- a/security/security.c
> > > > +++ b/security/security.c
> > > > @@ -780,7 +780,9 @@ static int lsm_superblock_alloc(struct super_block *sb)
> > > > * @id: LSM id
> > > > * @flags: LSM defined flags
> > > > *
> > > > - * Fill all of the fields in a userspace lsm_ctx structure.
> > > > + * Fill all of the fields in a userspace lsm_ctx structure. If @uctx is NULL
> > > > + * simply calculate the required size to output via @utc_len and return
> > > > + * success.
> > > > *
> > > > * Returns 0 on success, -E2BIG if userspace buffer is not large enough,
> > > > * -EFAULT on a copyout error, -ENOMEM if memory can't be allocated.
> > > > @@ -799,6 +801,10 @@ int lsm_fill_user_ctx(struct lsm_ctx __user *uctx, u32 *uctx_len,
> > > > goto out;
> > > > }
> > > >
> > > > + /* no buffer - return success/0 and set @uctx_len to the req size */
> > > > + if (!uctx)
> > > > + goto out;
> > >
> > > If the user just passes in *uctx_len=0, then they will get -E2BIG
> > > but still will get the length in *uctx_len.
> >
> > Right, which is the desired behavior, this patch allows userspace to
> > not have to worry about supplying a buffer if they just want to check
> > the required size, regardless of the value passed in @uctx_len.
>
> To be clear - I was saying that is the behavior before your patch.
>
> (If I'm not wrong)
>
> This patch changes behavior as follows:
>
> Before this patch, there was one way for the user to query the required
> size: send in a length of 0, get back E2BIG and check the *uctx_len you
> had passed in for the required value.
>
> After this patch, there are two ways - one resulting in -E2BIG as before,
> and one requiring uctx_len to be set to a large value *and* uctx to be
> NULL, getting rc=0 and taking that to mean look at the new uctx_len value.
Yes, agreed, no notes.
> > > To use it this new way, they have to first set *uctx_len to a
> > > value larger than nctx_len could possibly be, else they'll...
> > > still get -E2BIG.
> >
> > True.
> >
> > > So I'm not sure this patch has value.
> >
> > Oh, but it resolves a kselftest failure in a released kernel, that's
> > worth a *lot* in my mind.
>
> Sorry, you didn't mention the test in the commit message. Which testcase?
See the tools/testing/selftests/lsm/lsm_get_self_attr_test.c tests.
--
paul-moore.com
next prev parent reply other threads:[~2024-03-15 16:00 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-14 2:22 [PATCH] lsm: handle the NULL buffer case in lsm_fill_user_ctx() Paul Moore
2024-03-14 15:49 ` Paul Moore
2024-03-15 15:02 ` Serge E. Hallyn
2024-03-15 15:18 ` Paul Moore
2024-03-15 15:55 ` Serge E. Hallyn
2024-03-15 16:00 ` Paul Moore [this message]
2024-03-15 16:18 ` Casey Schaufler
2024-03-15 16:08 ` Casey Schaufler
2024-03-15 16:13 ` Serge E. Hallyn
2024-03-15 16:19 ` Paul Moore
2024-03-15 16:28 ` Serge E. Hallyn
2024-03-15 16:42 ` Paul Moore
2024-03-15 17:00 ` Serge E. Hallyn
2024-03-15 19:32 ` Paul Moore
2024-03-15 19:40 ` Serge E. Hallyn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAHC9VhT3OuEgViyUD+HJ7S1JfO3qDorWsLR0mYm+RFYDMht-Og@mail.gmail.com \
--to=paul@paul-moore.com \
--cc=linux-security-module@vger.kernel.org \
--cc=serge@hallyn.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).