Re: [PATCH] selinux: replace strlcat() with seq_buf in selinux_ima_collect_state()

All of lore.kernel.org
 help / color / mirror / Atom feed

From: David Laight <david.laight.linux@gmail.com>
To: Ian Bridges <icb@fastmail.org>
Cc: Paul Moore <paul@paul-moore.com>,
	Stephen Smalley <stephen.smalley.work@gmail.com>,
	Ondrej Mosnacek <omosnace@redhat.com>,
	selinux@vger.kernel.org, linux-kernel@vger.kernel.org,
	linux-hardening@vger.kernel.org
Subject: Re: [PATCH] selinux: replace strlcat() with seq_buf in selinux_ima_collect_state()
Date: Mon, 22 Jun 2026 17:53:01 +0100	[thread overview]
Message-ID: <20260622175301.6a36756b@pumpkin> (raw)
In-Reply-To: <ajlN94VO7BYNUTAy@dev>

On Mon, 22 Jun 2026 10:00:07 -0500
Ian Bridges <icb@fastmail.org> wrote:

> In preparation for removing the deprecated strlcat() API[1], replace the
> strscpy()/strlcat() chain in selinux_ima_collect_state() with a struct
> seq_buf, which tracks the write position and remaining space internally.
> 
> The seven open-coded WARN_ON(rc >= buf_len) truncation checks become a
> single seq_buf_has_overflowed() check after the string is built. The
> kzalloc() and its exact-size computation are unchanged, so the
> measurement string passed to IMA is unchanged.
> 
> Link: https://github.com/KSPP/linux/issues/370 [1]
> Signed-off-by: Ian Bridges <icb@fastmail.org>
> ---
>  security/selinux/ima.c | 35 ++++++++++++++---------------------
>  1 file changed, 14 insertions(+), 21 deletions(-)
> 
> diff --git a/security/selinux/ima.c b/security/selinux/ima.c
> index aa34da9b0aeb..3d81093d16aa 100644
> --- a/security/selinux/ima.c
> +++ b/security/selinux/ima.c
> @@ -9,6 +9,7 @@
>   */
>  #include <linux/vmalloc.h>
>  #include <linux/ima.h>
> +#include <linux/seq_buf.h>
>  #include "security.h"
>  #include "ima.h"
>  
> @@ -21,8 +22,9 @@
>  static char *selinux_ima_collect_state(void)
>  {
>  	const char *on = "=1;", *off = "=0;";
> +	struct seq_buf s;
>  	char *buf;
> -	int buf_len, len, i, rc;
> +	int buf_len, len, i;
>  
>  	buf_len = strlen("initialized=0;enforcing=0;checkreqprot=0;") + 1;
>  
> @@ -34,33 +36,24 @@ static char *selinux_ima_collect_state(void)
>  	if (!buf)
>  		return NULL;
>  
> -	rc = strscpy(buf, "initialized", buf_len);
> -	WARN_ON(rc < 0);
> +	seq_buf_init(&s, buf, buf_len);

That is silly, you need the length of the buffer not the length of a string
that is the expected length of the output.

>  
> -	rc = strlcat(buf, selinux_initialized() ? on : off, buf_len);
> -	WARN_ON(rc >= buf_len);
> +	seq_buf_puts(&s, "initialized");
> +	seq_buf_puts(&s, selinux_initialized() ? on : off);
>  
> -	rc = strlcat(buf, "enforcing", buf_len);
> -	WARN_ON(rc >= buf_len);
> +	seq_buf_puts(&s, "enforcing");
> +	seq_buf_puts(&s, enforcing_enabled() ? on : off);
>  
> -	rc = strlcat(buf, enforcing_enabled() ? on : off, buf_len);
> -	WARN_ON(rc >= buf_len);
> -
> -	rc = strlcat(buf, "checkreqprot", buf_len);
> -	WARN_ON(rc >= buf_len);
> -
> -	rc = strlcat(buf, checkreqprot_get() ? on : off, buf_len);
> -	WARN_ON(rc >= buf_len);
> +	seq_buf_puts(&s, "checkreqprot");
> +	seq_buf_puts(&s, checkreqprot_get() ? on : off);

That lot would be easier to read as a seq_printf() - with %d and
kill 'on' and 'off'.
Why does 'security' code so often look like c**p.

	David

>  
>  	for (i = 0; i < __POLICYDB_CAP_MAX; i++) {
> -		rc = strlcat(buf, selinux_policycap_names[i], buf_len);
> -		WARN_ON(rc >= buf_len);
> -
> -		rc = strlcat(buf, selinux_state.policycap[i] ? on : off,
> -			buf_len);
> -		WARN_ON(rc >= buf_len);
> +		seq_buf_puts(&s, selinux_policycap_names[i]);
> +		seq_buf_puts(&s, selinux_state.policycap[i] ? on : off);
>  	}
>  
> +	WARN_ON(seq_buf_has_overflowed(&s));
> +
>  	return buf;
>  }
>

next prev parent reply	other threads:[~2026-06-22 16:53 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-22 15:00 [PATCH] selinux: replace strlcat() with seq_buf in selinux_ima_collect_state() Ian Bridges
2026-06-22 16:53 ` David Laight [this message]
2026-06-22 17:09   ` Casey Schaufler
2026-06-22 20:04   ` Ian Bridges

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260622175301.6a36756b@pumpkin \
    --to=david.laight.linux@gmail.com \
    --cc=icb@fastmail.org \
    --cc=linux-hardening@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=omosnace@redhat.com \
    --cc=paul@paul-moore.com \
    --cc=selinux@vger.kernel.org \
    --cc=stephen.smalley.work@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.