Re: [PATCH] selinux: fix a type cast problem in cred_init_security()

Ondrej Mosnacek <omosnace@xxxxxxxxxx> · Thu, 27 Jan 2022 19:17:01 +0100

On Thu, Jan 27, 2022 at 6:27 PM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> On Thu, Jan 27, 2022 at 12:14 PM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
> > On Thu, Jan 27, 2022 at 4:57 PM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> > > In the process of removing an explicit type cast to preserve a cred
> > > const qualifier in cred_init_security() we ran into a problem where
> > > the task_struct::real_cred field is defined with the "__rcu"
> > > attribute but the selinux_cred() function parameter is not, leading
> > > to a sparse warning:
> > >
> > >   security/selinux/hooks.c:216:36: sparse: sparse:
> > >     incorrect type in argument 1 (different address spaces)
> > >     @@     expected struct cred const *cred
> > >     @@     got struct cred const [noderef] __rcu *real_cred
> > >
> > > As we don't want to add the "__rcu" attribute to the selinux_cred()
> > > parameter, we're going to add an explicit cast back to
> > > cred_init_security().
> > >
> > > Fixes: b084e189b01a ("selinux: simplify cred_init_security")
> > > Reported-by: kernel test robot <lkp@xxxxxxxxx>
> > > Signed-off-by: Paul Moore <paul@xxxxxxxxxxxxxx>
> > > ---
> > >  security/selinux/hooks.c |    2 +-
> > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > >
> > > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> > > index eae7dbd62df1..c057896e7dcd 100644
> > > --- a/security/selinux/hooks.c
> > > +++ b/security/selinux/hooks.c
> > > @@ -213,7 +213,7 @@ static void cred_init_security(void)
> > >  {
> > >         struct task_security_struct *tsec;
> > >
> > > -       tsec = selinux_cred(current->real_cred);
> > > +       tsec = selinux_cred((__force const struct cred *)current->real_cred);
> > >         tsec->osid = tsec->sid = SECINITSID_KERNEL;
> > >  }
> >
> > How about using unrcu_pointer() instead of the cast? It seems to do
> > effectively the same while looking less ugly :)
>
> Ah ha!  I didn't know that function/macro existed :)

Full disclosure: I also discovered it today :) First I thought of
rcu_dereference_raw(), but I decided to skim through
<linux/rcupdate.h> looking for a better fit (rcu_dereference_raw()
also does READ_ONCE(), which is not really necessary in this case) and
found this one.

-- 
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.