Re: [RFC PATCH v2 06/16] fs: split off need_remove_file_privs() do_remove_file_privs()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Mon, May 16, 2022 at 09:47:08AM -0700, Stefan Roesch wrote:
> This splits off the function need_remove_file_privs() from the function
> do_remove_file_privs() from the function file_remove_privs().
> 
> No intended functional changes in this patch.
> 
> Signed-off-by: Stefan Roesch <shr@xxxxxx>
> ---

Just a few nits...

>  fs/inode.c | 57 ++++++++++++++++++++++++++++++++++++------------------
>  1 file changed, 38 insertions(+), 19 deletions(-)
> 
> diff --git a/fs/inode.c b/fs/inode.c
> index 9d9b422504d1..a6d70a1983f8 100644
> --- a/fs/inode.c
> +++ b/fs/inode.c
> @@ -2010,17 +2010,8 @@ static int __remove_privs(struct user_namespace *mnt_userns,
>  	return notify_change(mnt_userns, dentry, &newattrs, NULL);
>  }
>  
> -/*
> - * Remove special file priviledges (suid, capabilities) when file is written
> - * to or truncated.
> - */
> -int file_remove_privs(struct file *file)
> +static int need_file_remove_privs(struct inode *inode, struct dentry *dentry)

I'd rather call this file_needs_remove_privs()?

>  {
> -	struct dentry *dentry = file_dentry(file);
> -	struct inode *inode = file_inode(file);
> -	int kill;
> -	int error = 0;
> -
>  	/*
>  	 * Fast path for nothing security related.
>  	 * As well for non-regular files, e.g. blkdev inodes.
> @@ -2030,16 +2021,37 @@ int file_remove_privs(struct file *file)
>  	if (IS_NOSEC(inode) || !S_ISREG(inode->i_mode))
>  		return 0;
>  
> -	kill = dentry_needs_remove_privs(dentry);
> -	if (kill < 0)
> -		return kill;
> -	if (kill)
> -		error = __remove_privs(file_mnt_user_ns(file), dentry, kill);
> +	return dentry_needs_remove_privs(dentry);
> +}
> +
> +static int do_file_remove_privs(struct file *file, struct inode *inode,
> +				struct dentry *dentry, int kill)

and that __file_remove_privs() which matches the rest of the file since
here we don't have a lot of do_* but rather __* convention afaict.

> +{
> +	int error = 0;
> +
> +	error = __remove_privs(file_mnt_user_ns(file), dentry, kill);
>  	if (!error)
>  		inode_has_no_xattr(inode);
>  
>  	return error;
>  }
> +
> +/*
> + * Remove special file privileges (suid, capabilities) when file is written
> + * to or truncated.
> + */
> +int file_remove_privs(struct file *file)

This is a generic comment, not aimed specifically at your change but we
really need to get better at kernel-doc...

Since you're already touching this code could you at least to the
exported function you're modifying add sm like:

/**
 * file_remove_privs - remove special file privileges (suid, capabilities) 
 * @file: file to remove privileges from
 * 
 * When file is modified by a write or truncation ensure that special
 * file privileges are removed.
 *
 * Return: 0 on success, negative errno on failure.
 */
int file_remove_privs(struct file *file)

This will then render on kernel.org/doc see e.g. lookup_one():
https://www.kernel.org/doc/html/latest/filesystems/api-summary.html?highlight=lookup_one#c.lookup_one

> +{
> +	struct dentry *dentry = file_dentry(file);
> +	struct inode *inode = file_inode(file);
> +	int kill;
> +
> +	kill = need_file_remove_privs(inode, dentry);
> +	if (kill <= 0)
> +		return kill;
> +
> +	return do_file_remove_privs(file, inode, dentry, kill);
> +}
>  EXPORT_SYMBOL(file_remove_privs);
>  
>  /**
> @@ -2093,15 +2105,22 @@ EXPORT_SYMBOL(file_update_time);
>  /* Caller must hold the file's inode lock */
>  int file_modified(struct file *file)

Similar I'd add sm like:

/**
 * file_modified - handle mandated vfs changes when modifying a file
 * @file: file that was was modified
 * 
 * When file has been modified ensure that special
 * file privileges are removed and time settings are updated.
 *
 * Context: Caller must hold the file's inode lock.
 *
 * Return: 0 on success, negative errno on failure.
 */
int file_remove_privs(struct file *file)

>  {
> -	int err;
> +	int ret;
> +	struct dentry *dentry = file_dentry(file);
> +	struct inode *inode = file_inode(file);
>  
>  	/*
>  	 * Clear the security bits if the process is not being run by root.
>  	 * This keeps people from modifying setuid and setgid binaries.
>  	 */
> -	err = file_remove_privs(file);
> -	if (err)
> -		return err;
> +	ret = need_file_remove_privs(inode, dentry);
> +	if (ret < 0) {
> +		return ret;
> +	} else if (ret > 0) {
> +		ret = do_file_remove_privs(file, inode, dentry, ret);
> +		if (ret)
> +			return ret;
> +	}

The else-if branch looks a bit unorthodox to me. I'd probably rather
make this:

	ret = need_file_remove_privs(inode, dentry);
	if (ret < 0)
		return ret;
	
	if (ret > 0) {
		ret = do_file_remove_privs(file, inode, dentry, ret);
		if (ret)
			return ret;
	}
>  
>  	if (unlikely(file->f_mode & FMODE_NOCMTIME))
>  		return 0;
> -- 
> 2.30.2
>
[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [NTFS 3]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [NTFS 3]     [Samba]     [Device Mapper]     [CEPH Development]

  Powered by Linux