[PATCH v1 0/2] Refactor return value of two lsm hooks

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



From: Xu Kuohai <xukuohai@xxxxxxxxxx>

The BPF LSM program may cause a kernel panic if it returns an
unexpected value, such as a positive value on the hook
file_alloc_security.

To fix it, series [1] refactored the LSM hook return values and
added BPF return value checks.

[1] used two methods to refactor hook return values:

- converting positive return value to negative error code

- adding additional output parameter to store odd return values

Based on discussion in [1], only two hooks refactored with the
second method may be acceptable. Since the second method requires
extra work on BPF side to ensure that the output parameter is
set properly, the extra work does not seem worthwhile for just
two hooks. So this series includes only the two patches refactored
with the first method.

Changes to [1]:
- Drop unnecessary patches
- Rebase
- Remove redundant comments in the inode_copy_up_xattr patch

[1] https://lore.kernel.org/bpf/20240711111908.3817636-1-xukuohai@xxxxxxxxxxxxxxx
    https://lore.kernel.org/bpf/20240711113828.3818398-1-xukuohai@xxxxxxxxxxxxxxx

Xu Kuohai (2):
  lsm: Refactor return value of LSM hook vm_enough_memory
  lsm: Refactor return value of LSM hook inode_copy_up_xattr

 fs/overlayfs/copy_up.c            |  6 +++---
 include/linux/lsm_hook_defs.h     |  2 +-
 include/linux/security.h          |  2 +-
 security/commoncap.c              | 11 +++--------
 security/integrity/evm/evm_main.c |  2 +-
 security/security.c               | 22 ++++++++--------------
 security/selinux/hooks.c          | 19 ++++++-------------
 security/smack/smack_lsm.c        |  6 +++---
 8 files changed, 26 insertions(+), 44 deletions(-)

-- 
2.39.2





[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux