Re: [PATCH] selinux: replace strlcat() with seq_buf in selinux_ima_collect_state()

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Ian Bridges <icb@fastmail.org>
To: David Laight <david.laight.linux@gmail.com>
Cc: Paul Moore <paul@paul-moore.com>,
	Stephen Smalley <stephen.smalley.work@gmail.com>,
	Ondrej Mosnacek <omosnace@redhat.com>,
	selinux@vger.kernel.org, linux-kernel@vger.kernel.org,
	linux-hardening@vger.kernel.org
Subject: Re: [PATCH] selinux: replace strlcat() with seq_buf in selinux_ima_collect_state()
Date: Mon, 22 Jun 2026 15:04:34 -0500	[thread overview]
Message-ID: <ajmVUvURpXKLjYLo@dev> (raw)
In-Reply-To: <20260622175301.6a36756b@pumpkin>

On Mon, Jun 22, 2026 at 05:53:01PM +0100, David Laight wrote:
> On Mon, 22 Jun 2026 10:00:07 -0500
> Ian Bridges <icb@fastmail.org> wrote:
> 
> > In preparation for removing the deprecated strlcat() API[1], replace the
> > strscpy()/strlcat() chain in selinux_ima_collect_state() with a struct
> > seq_buf, which tracks the write position and remaining space internally.
> > 
> > The seven open-coded WARN_ON(rc >= buf_len) truncation checks become a
> > single seq_buf_has_overflowed() check after the string is built. The
> > kzalloc() and its exact-size computation are unchanged, so the
> > measurement string passed to IMA is unchanged.
> > 
> > Link: https://github.com/KSPP/linux/issues/370 [1]
> > Signed-off-by: Ian Bridges <icb@fastmail.org>
> > ---
> >  security/selinux/ima.c | 35 ++++++++++++++---------------------
> >  1 file changed, 14 insertions(+), 21 deletions(-)
> > 
> > diff --git a/security/selinux/ima.c b/security/selinux/ima.c
> > index aa34da9b0aeb..3d81093d16aa 100644
> > --- a/security/selinux/ima.c
> > +++ b/security/selinux/ima.c
> > @@ -9,6 +9,7 @@
> >   */
> >  #include <linux/vmalloc.h>
> >  #include <linux/ima.h>
> > +#include <linux/seq_buf.h>
> >  #include "security.h"
> >  #include "ima.h"
> >  
> > @@ -21,8 +22,9 @@
> >  static char *selinux_ima_collect_state(void)
> >  {
> >  	const char *on = "=1;", *off = "=0;";
> > +	struct seq_buf s;
> >  	char *buf;
> > -	int buf_len, len, i, rc;
> > +	int buf_len, len, i;
> >  
> >  	buf_len = strlen("initialized=0;enforcing=0;checkreqprot=0;") + 1;
> >  
> > @@ -34,33 +36,24 @@ static char *selinux_ima_collect_state(void)
> >  	if (!buf)
> >  		return NULL;
> >  
> > -	rc = strscpy(buf, "initialized", buf_len);
> > -	WARN_ON(rc < 0);
> > +	seq_buf_init(&s, buf, buf_len);
> 
> That is silly, you need the length of the buffer not the length of a string
> that is the expected length of the output.
>

Is buf_len not the correct value to use here? buf_len is passed as the size
argument to the earlier kzalloc() call (not shown in the patch diff) that
allocates buf.

> >  
> > -	rc = strlcat(buf, selinux_initialized() ? on : off, buf_len);
> > -	WARN_ON(rc >= buf_len);
> > +	seq_buf_puts(&s, "initialized");
> > +	seq_buf_puts(&s, selinux_initialized() ? on : off);
> >  
> > -	rc = strlcat(buf, "enforcing", buf_len);
> > -	WARN_ON(rc >= buf_len);
> > +	seq_buf_puts(&s, "enforcing");
> > +	seq_buf_puts(&s, enforcing_enabled() ? on : off);
> >  
> > -	rc = strlcat(buf, enforcing_enabled() ? on : off, buf_len);
> > -	WARN_ON(rc >= buf_len);
> > -
> > -	rc = strlcat(buf, "checkreqprot", buf_len);
> > -	WARN_ON(rc >= buf_len);
> > -
> > -	rc = strlcat(buf, checkreqprot_get() ? on : off, buf_len);
> > -	WARN_ON(rc >= buf_len);
> > +	seq_buf_puts(&s, "checkreqprot");
> > +	seq_buf_puts(&s, checkreqprot_get() ? on : off);
> 
> That lot would be easier to read as a seq_printf() - with %d and
> kill 'on' and 'off'.

This is a good suggestion, I'll use this approach in the v2.

> Why does 'security' code so often look like c**p.
> 
> 	David
> 
> >  
> >  	for (i = 0; i < __POLICYDB_CAP_MAX; i++) {
> > -		rc = strlcat(buf, selinux_policycap_names[i], buf_len);
> > -		WARN_ON(rc >= buf_len);
> > -
> > -		rc = strlcat(buf, selinux_state.policycap[i] ? on : off,
> > -			buf_len);
> > -		WARN_ON(rc >= buf_len);
> > +		seq_buf_puts(&s, selinux_policycap_names[i]);
> > +		seq_buf_puts(&s, selinux_state.policycap[i] ? on : off);
> >  	}
> >  
> > +	WARN_ON(seq_buf_has_overflowed(&s));
> > +
> >  	return buf;
> >  }
> >  
>

     prev parent reply	other threads:[~2026-06-22 20:04 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-22 15:00 [PATCH] selinux: replace strlcat() with seq_buf in selinux_ima_collect_state() Ian Bridges
2026-06-22 16:53 ` David Laight
2026-06-22 17:09   ` Casey Schaufler
2026-06-22 20:04   ` Ian Bridges [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ajmVUvURpXKLjYLo@dev \
    --to=icb@fastmail.org \
    --cc=david.laight.linux@gmail.com \
    --cc=linux-hardening@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=omosnace@redhat.com \
    --cc=paul@paul-moore.com \
    --cc=selinux@vger.kernel.org \
    --cc=stephen.smalley.work@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.