From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
To: Peter Maydell <peter.maydell@linaro.org>
Cc: qemu-devel@nongnu.org, vgoyal@redhat.com, groug@kaod.org,
sebastian.hasler@stuvus.uni-stuttgart.de, virtio-fs@redhat.com,
stefanha@redhat.com, slp@redhat.com
Subject: Re: [Virtio-fs] [PULL 09/12] virtiofsd: Create new file with security context
Date: Thu, 7 Apr 2022 13:44:35 +0100 [thread overview]
Message-ID: <Yk7cs6xSImIyDqpZ@work-vm> (raw)
In-Reply-To: <CAFEAcA9m2U2fcUYXpRJwt09UgGqDA2K3BDt1xgXZL63jc1EWEQ@mail.gmail.com>
* Peter Maydell (peter.maydell@linaro.org) wrote:
> On Thu, 17 Feb 2022 at 17:40, Dr. David Alan Gilbert (git)
> <dgilbert@redhat.com> wrote:
> >
> > From: Vivek Goyal <vgoyal@redhat.com>
> >
> > This patch adds support for creating new file with security context
> > as sent by client. It basically takes three paths.
> >
> > - If no security context enabled, then it continues to create files without
> > security context.
> >
> > - If security context is enabled and but security.selinux has not been
> > remapped, then it uses /proc/thread-self/attr/fscreate knob to set
> > security context and then create the file. This will make sure that
> > newly created file gets the security context as set in "fscreate" and
> > this is atomic w.r.t file creation.
> >
> > This is useful and host and guest SELinux policies don't conflict and
> > can work with each other. In that case, guest security.selinux xattr
> > is not remapped and it is passthrough as "security.selinux" xattr
> > on host.
> >
> > - If security context is enabled but security.selinux xattr has been
> > remapped to something else, then it first creates the file and then
> > uses setxattr() to set the remapped xattr with the security context.
> > This is a non-atomic operation w.r.t file creation.
> >
> > This mode will be most versatile and allow host and guest to have their
> > own separate SELinux xattrs and have their own separate SELinux policies.
> >
> > Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
> > Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
> > Message-Id: <20220208204813.682906-9-vgoyal@redhat.com>
> > Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
>
> Hi; Coverity reports some issues (CID 1487142, 1487195), because
> it is not a fan of the error-handling pattern used in this code:
>
> > +static int do_mknod_symlink_secctx(fuse_req_t req, struct lo_inode *dir,
> > + const char *name, const char *secctx_name)
> > +{
> > + int path_fd, err;
> > + char procname[64];
> > + struct lo_data *lo = lo_data(req);
> > +
> > + if (!req->secctx.ctxlen) {
> > + return 0;
> > + }
> > +
> > + /* Open newly created element with O_PATH */
> > + path_fd = openat(dir->fd, name, O_PATH | O_NOFOLLOW);
> > + err = path_fd == -1 ? errno : 0;
> > + if (err) {
> > + return err;
> > + }
>
> We set err based on whether path_fd is -1 or not, but we decide
> whether to early-return based on the value of err. Coverity
> doesn't know that openat() will always set errno to something
> non-zero if it returns -1, so it complains because it thinks
> there's a code path where openat() returns -1, but errno is 0,
> and so we don't take the early-return and instead continue
> through all the code below to the "close(path_fd)", which
> should not be being passed a negative value for the filedescriptor.
>
> I could just mark these as false-positives, but it does seem a bit
> odd that we are using two different conditions here. Perhaps it would
> be better to rephrase? For instance, for the openat() we could write:
>
> path_fd = openat(dir->fd, name, O_PATH | O_NOFOLLOW);
> if (path_fd == -1) {
> return errno;
> }
That looks OK to me; please send a patch.
Some of the cases look like they need to just be a little careful that
'err' always gets set to 0 if there are later cases that might set err.
Dave
> and similarly for the openat() in open_set_proc_fscreate().
>
> > + sprintf(procname, "%i", path_fd);
> > + FCHDIR_NOFAIL(lo->proc_self_fd);
> > + /* Set security context. This is not atomic w.r.t file creation */
> > + err = setxattr(procname, secctx_name, req->secctx.ctx, req->secctx.ctxlen,
> > + 0);
> > + if (err) {
> > + err = errno;
> > + }
>
> > + FCHDIR_NOFAIL(lo->root.fd);
> > + close(path_fd);
> > + return err;
> > +}
>
> thanks
> -- PMM
>
--
Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK
WARNING: multiple messages have this Message-ID (diff)
From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
To: Peter Maydell <peter.maydell@linaro.org>
Cc: slp@redhat.com, sebastian.hasler@stuvus.uni-stuttgart.de,
qemu-devel@nongnu.org, groug@kaod.org, virtio-fs@redhat.com,
stefanha@redhat.com, vgoyal@redhat.com
Subject: Re: [PULL 09/12] virtiofsd: Create new file with security context
Date: Thu, 7 Apr 2022 13:44:35 +0100 [thread overview]
Message-ID: <Yk7cs6xSImIyDqpZ@work-vm> (raw)
In-Reply-To: <CAFEAcA9m2U2fcUYXpRJwt09UgGqDA2K3BDt1xgXZL63jc1EWEQ@mail.gmail.com>
* Peter Maydell (peter.maydell@linaro.org) wrote:
> On Thu, 17 Feb 2022 at 17:40, Dr. David Alan Gilbert (git)
> <dgilbert@redhat.com> wrote:
> >
> > From: Vivek Goyal <vgoyal@redhat.com>
> >
> > This patch adds support for creating new file with security context
> > as sent by client. It basically takes three paths.
> >
> > - If no security context enabled, then it continues to create files without
> > security context.
> >
> > - If security context is enabled and but security.selinux has not been
> > remapped, then it uses /proc/thread-self/attr/fscreate knob to set
> > security context and then create the file. This will make sure that
> > newly created file gets the security context as set in "fscreate" and
> > this is atomic w.r.t file creation.
> >
> > This is useful and host and guest SELinux policies don't conflict and
> > can work with each other. In that case, guest security.selinux xattr
> > is not remapped and it is passthrough as "security.selinux" xattr
> > on host.
> >
> > - If security context is enabled but security.selinux xattr has been
> > remapped to something else, then it first creates the file and then
> > uses setxattr() to set the remapped xattr with the security context.
> > This is a non-atomic operation w.r.t file creation.
> >
> > This mode will be most versatile and allow host and guest to have their
> > own separate SELinux xattrs and have their own separate SELinux policies.
> >
> > Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
> > Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
> > Message-Id: <20220208204813.682906-9-vgoyal@redhat.com>
> > Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
>
> Hi; Coverity reports some issues (CID 1487142, 1487195), because
> it is not a fan of the error-handling pattern used in this code:
>
> > +static int do_mknod_symlink_secctx(fuse_req_t req, struct lo_inode *dir,
> > + const char *name, const char *secctx_name)
> > +{
> > + int path_fd, err;
> > + char procname[64];
> > + struct lo_data *lo = lo_data(req);
> > +
> > + if (!req->secctx.ctxlen) {
> > + return 0;
> > + }
> > +
> > + /* Open newly created element with O_PATH */
> > + path_fd = openat(dir->fd, name, O_PATH | O_NOFOLLOW);
> > + err = path_fd == -1 ? errno : 0;
> > + if (err) {
> > + return err;
> > + }
>
> We set err based on whether path_fd is -1 or not, but we decide
> whether to early-return based on the value of err. Coverity
> doesn't know that openat() will always set errno to something
> non-zero if it returns -1, so it complains because it thinks
> there's a code path where openat() returns -1, but errno is 0,
> and so we don't take the early-return and instead continue
> through all the code below to the "close(path_fd)", which
> should not be being passed a negative value for the filedescriptor.
>
> I could just mark these as false-positives, but it does seem a bit
> odd that we are using two different conditions here. Perhaps it would
> be better to rephrase? For instance, for the openat() we could write:
>
> path_fd = openat(dir->fd, name, O_PATH | O_NOFOLLOW);
> if (path_fd == -1) {
> return errno;
> }
That looks OK to me; please send a patch.
Some of the cases look like they need to just be a little careful that
'err' always gets set to 0 if there are later cases that might set err.
Dave
> and similarly for the openat() in open_set_proc_fscreate().
>
> > + sprintf(procname, "%i", path_fd);
> > + FCHDIR_NOFAIL(lo->proc_self_fd);
> > + /* Set security context. This is not atomic w.r.t file creation */
> > + err = setxattr(procname, secctx_name, req->secctx.ctx, req->secctx.ctxlen,
> > + 0);
> > + if (err) {
> > + err = errno;
> > + }
>
> > + FCHDIR_NOFAIL(lo->root.fd);
> > + close(path_fd);
> > + return err;
> > +}
>
> thanks
> -- PMM
>
--
Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK
next prev parent reply other threads:[~2022-04-07 12:44 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-02-17 17:24 [Virtio-fs] [PULL 00/12] virtiofs queue Dr. David Alan Gilbert (git)
2022-02-17 17:24 ` Dr. David Alan Gilbert (git)
2022-02-17 17:24 ` [Virtio-fs] [PULL 01/12] virtiofsd: Do not support blocking flock Dr. David Alan Gilbert (git)
2022-02-17 17:24 ` Dr. David Alan Gilbert (git)
2022-02-17 17:24 ` [Virtio-fs] [PULL 02/12] virtiofsd: Fix breakage due to fuse_init_in size change Dr. David Alan Gilbert (git)
2022-02-17 17:24 ` Dr. David Alan Gilbert (git)
2022-02-17 17:24 ` [Virtio-fs] [PULL 03/12] linux-headers: Update headers to v5.17-rc1 Dr. David Alan Gilbert (git)
2022-02-17 17:24 ` Dr. David Alan Gilbert (git)
2022-02-17 17:24 ` [Virtio-fs] [PULL 04/12] virtiofsd: Parse extended "struct fuse_init_in" Dr. David Alan Gilbert (git)
2022-02-17 17:24 ` Dr. David Alan Gilbert (git)
2022-02-17 17:24 ` [Virtio-fs] [PULL 05/12] virtiofsd: Extend size of fuse_conn_info->capable and ->want fields Dr. David Alan Gilbert (git)
2022-02-17 17:24 ` Dr. David Alan Gilbert (git)
2022-02-17 17:24 ` [Virtio-fs] [PULL 06/12] virtiofsd, fuse_lowlevel.c: Add capability to parse security context Dr. David Alan Gilbert (git)
2022-02-17 17:24 ` Dr. David Alan Gilbert (git)
2022-02-17 17:24 ` [Virtio-fs] [PULL 07/12] virtiofsd: Move core file creation code in separate function Dr. David Alan Gilbert (git)
2022-02-17 17:24 ` Dr. David Alan Gilbert (git)
2022-02-17 17:24 ` [Virtio-fs] [PULL 08/12] virtiofsd: Add helpers to work with /proc/self/task/tid/attr/fscreate Dr. David Alan Gilbert (git)
2022-02-17 17:24 ` Dr. David Alan Gilbert (git)
2022-02-17 17:24 ` [Virtio-fs] [PULL 09/12] virtiofsd: Create new file with security context Dr. David Alan Gilbert (git)
2022-02-17 17:24 ` Dr. David Alan Gilbert (git)
2022-04-07 10:20 ` [Virtio-fs] " Peter Maydell
2022-04-07 10:20 ` Peter Maydell
2022-04-07 12:44 ` Dr. David Alan Gilbert [this message]
2022-04-07 12:44 ` Dr. David Alan Gilbert
2022-04-07 13:09 ` [Virtio-fs] " Vivek Goyal
2022-04-07 13:09 ` Vivek Goyal
2022-02-17 17:24 ` [Virtio-fs] [PULL 10/12] virtiofsd: Create new file using O_TMPFILE and set " Dr. David Alan Gilbert (git)
2022-02-17 17:24 ` Dr. David Alan Gilbert (git)
2022-02-17 17:24 ` [Virtio-fs] [PULL 11/12] virtiofsd: Add an option to enable/disable security label Dr. David Alan Gilbert (git)
2022-02-17 17:24 ` Dr. David Alan Gilbert (git)
2022-02-17 17:25 ` [Virtio-fs] [PULL 12/12] virtiofsd: Add basic support for FUSE_SYNCFS request Dr. David Alan Gilbert (git)
2022-02-17 17:25 ` Dr. David Alan Gilbert (git)
2022-02-20 15:05 ` [Virtio-fs] [PULL 00/12] virtiofs queue Peter Maydell
2022-02-20 15:05 ` Peter Maydell
-- strict thread matches above, loose matches on Subject: below --
2022-02-17 14:23 [Virtio-fs] " Dr. David Alan Gilbert (git)
2022-02-17 14:23 ` [Virtio-fs] [PULL 09/12] virtiofsd: Create new file with security context Dr. David Alan Gilbert (git)
2022-02-16 17:36 [Virtio-fs] [PULL 00/12] virtiofs queue Dr. David Alan Gilbert (git)
2022-02-16 17:36 ` [Virtio-fs] [PULL 09/12] virtiofsd: Create new file with security context Dr. David Alan Gilbert (git)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Yk7cs6xSImIyDqpZ@work-vm \
--to=dgilbert@redhat.com \
--cc=groug@kaod.org \
--cc=peter.maydell@linaro.org \
--cc=qemu-devel@nongnu.org \
--cc=sebastian.hasler@stuvus.uni-stuttgart.de \
--cc=slp@redhat.com \
--cc=stefanha@redhat.com \
--cc=vgoyal@redhat.com \
--cc=virtio-fs@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.