On Fri, Oct 18, 2024 at 15:42:15 +0000, Eric Snowberg wrote:
> > On Oct 17, 2024, at 11:21 PM, Ben Boeckel <me@xxxxxxxxxxxxxx> wrote:
> > Can this be committed to `Documentation/` and not just the Git history
> > please?
>
> This is documented, but it doesn't come in until the 8th patch in the series.
> Hopefully that is not an issue.
Ah, I'll look there, thanks.
> >> + if (isspace(desc[i]))
> >> + desc[i] = 0;
> >
> > How is setting a space to `0` *removing* it? Surely the `isxdigit` check
> > internally is going to reject this. Perhaps you meant to have two
> > indices into `desc`, one read and one write and to stall the write index
> > as long as we're reading whitespace?
> >
> > Also, that whitespace is stripped is a userspace-relevant detail that
> > should be documented.
>
> This was done incase the end-user has a trailing carriage return at the
> end of their ACL. I have updated the comment as follows:
>
> + /*
> + * Copy the user supplied contents, if uppercase is used, convert it to
> + * lowercase. Also if the end of the ACL contains any whitespace, strip
> + * it out.
> + */
Well, this doesn't check the end for whitespace; any internal whitespace
will terminate the key:
DEAD BEEF
^ becomes NUL
and results in the same thing as `DEAD` being passed.
> >
> >> +static void key_acl_destroy(struct key *key)
> >> +{
> >> + /* It should not be possible to get here */
> >> + pr_info("destroy clavis_key_acl denied\n");
> >> +}
> >> +
> >> +static void key_acl_revoke(struct key *key)
> >> +{
> >> + /* It should not be possible to get here */
> >> + pr_info("revoke clavis_key_acl denied\n");
> >> +}
> >
> > These keys cannot be destroyed or revoked? This seems…novel to me. What
> > if there's a timeout on the key? If such keys are immortal, timeouts
> > should also be refused?
>
> All the system kernel keyrings work this way. But now that you bring this up, neither of
> these functions are really necessary, so I will remove them in the next round.
>
> >> +static int key_acl_vet_description(const char *desc)
> >> +{
> >> + int i, desc_len;
> >> + s16 ktype;
> >> +
> >> + if (!desc)
> >> + goto invalid;
> >> +
> >> + desc_len = sizeof(desc);
> >
> > This should be `strlen`, no?
>
> I will change this to strlen
Actually, this could probably be `strnlen` using `CLAVIS_ASCII_KID_MAX +
1` just to avoid running off into la-la land when we're going to error
anyways. Or even `8` because we only actually care about "is at least 7
bytes". Worth a comment either way.
Looking forward to the next cycle.
Thanks,
--Ben
