linux-next: manual merge of the integrity tree with the vfs tree

linux-next: manual merge of the integrity tree with the vfs tree

[Stephen Rothwell]

Hi all,

Today's linux-next merge of the integrity tree got a conflict in:

  security/integrity/ima/ima_fs.c

between commit:

  3bc8f29b149e ("new helper: memdup_user_nul()")

from the vfs tree and commit:

  6427e6c71c8b ("ima: ima_write_policy() limit locking")

from the integrity tree.

I fixed it up (see below) and can carry the fix as necessary (no action
is required).

-- 
Cheers,
Stephen Rothwell                    sfr@canb.auug.org.au

diff --cc security/integrity/ima/ima_fs.c
index a185b6f2f390,f355231997b4..000000000000
--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@@ -277,13 -272,25 +272,20 @@@ static ssize_t ima_write_policy(struct 
  	if (*ppos != 0)
  		goto out;
  
 -	result = -ENOMEM;
 -	data = kmalloc(datalen + 1, GFP_KERNEL);
 -	if (!data)
 +	data = memdup_user_nul(buf, datalen);
 +	if (IS_ERR(data)) {
 +		result = PTR_ERR(data);
  		goto out;
 -
 -	*(data + datalen) = '\0';
 -
 -	result = -EFAULT;
 -	if (copy_from_user(data, buf, datalen))
 -		goto out_free;
 +	}
  
+ 	result = mutex_lock_interruptible(&ima_write_mutex);
+ 	if (result < 0)
+ 		goto out_free;
  	result = ima_parse_add_rule(data);
+ 	mutex_unlock(&ima_write_mutex);
+ 
+ out_free:
+ 	kfree(data);
  out:
  	if (result < 0)
  		valid_policy = 0;

Re: linux-next: manual merge of the integrity tree with the vfs tree

[Stephen Rothwell]

[Just cc'ing the security tree maintainer, since this will soon be in
his tree and is related to a conflict between that tree and the vfs
tree.]

On Mon, 4 Jan 2016 13:52:21 +1100 Stephen Rothwell <sfr@canb.auug.org.au> wrote:
>
> Hi all,
> 
> Today's linux-next merge of the integrity tree got a conflict in:
> 
>   security/integrity/ima/ima_fs.c
> 
> between commit:
> 
>   3bc8f29b149e ("new helper: memdup_user_nul()")
> 
> from the vfs tree and commit:
> 
>   6427e6c71c8b ("ima: ima_write_policy() limit locking")
> 
> from the integrity tree.
> 
> I fixed it up (see below) and can carry the fix as necessary (no action
> is required).
> 
> -- 
> Cheers,
> Stephen Rothwell                    sfr@canb.auug.org.au
> 
> diff --cc security/integrity/ima/ima_fs.c
> index a185b6f2f390,f355231997b4..000000000000
> --- a/security/integrity/ima/ima_fs.c
> +++ b/security/integrity/ima/ima_fs.c
> @@@ -277,13 -272,25 +272,20 @@@ static ssize_t ima_write_policy(struct 
>   	if (*ppos != 0)
>   		goto out;
>   
>  -	result = -ENOMEM;
>  -	data = kmalloc(datalen + 1, GFP_KERNEL);
>  -	if (!data)
>  +	data = memdup_user_nul(buf, datalen);
>  +	if (IS_ERR(data)) {
>  +		result = PTR_ERR(data);
>   		goto out;
>  -
>  -	*(data + datalen) = '\0';
>  -
>  -	result = -EFAULT;
>  -	if (copy_from_user(data, buf, datalen))
>  -		goto out_free;
>  +	}
>   
> + 	result = mutex_lock_interruptible(&ima_write_mutex);
> + 	if (result < 0)
> + 		goto out_free;
>   	result = ima_parse_add_rule(data);
> + 	mutex_unlock(&ima_write_mutex);
> + 
> + out_free:
> + 	kfree(data);
>   out:
>   	if (result < 0)
>   		valid_policy = 0;

Re: linux-next: manual merge of the integrity tree with the vfs tree

[Al Viro]

On Mon, Jan 04, 2016 at 01:52:21PM +1100, Stephen Rothwell wrote:
> Hi all,
> 
> Today's linux-next merge of the integrity tree got a conflict in:
> 
>   security/integrity/ima/ima_fs.c
> 
> between commit:
> 
>   3bc8f29b149e ("new helper: memdup_user_nul()")
> 
> from the vfs tree and commit:
> 
>   6427e6c71c8b ("ima: ima_write_policy() limit locking")
> 
> from the integrity tree.
> 
> I fixed it up (see below) and can carry the fix as necessary (no action
> is required).

FWIW, I'm going to pull the part that introduces memdup_user_nul() into
a never-rebased branch and if security.git is willing to pull it and handle
that conversion in ima_write_policy() themselves, I'll be only glad to drop
the corresponding chunk in vfs.git#for-next

Re: linux-next: manual merge of the integrity tree with the vfs tree

[Mimi Zohar]

On Mon, 2016-01-04 at 03:16 +0000, Al Viro wrote:
> On Mon, Jan 04, 2016 at 01:52:21PM +1100, Stephen Rothwell wrote:
> > Hi all,
> > 
> > Today's linux-next merge of the integrity tree got a conflict in:
> > 
> >   security/integrity/ima/ima_fs.c
> > 
> > between commit:
> > 
> >   3bc8f29b149e ("new helper: memdup_user_nul()")
> > 
> > from the vfs tree and commit:
> > 
> >   6427e6c71c8b ("ima: ima_write_policy() limit locking")
> > 
> > from the integrity tree.
> > 
> > I fixed it up (see below) and can carry the fix as necessary (no action
> > is required).

Thanks!

> FWIW, I'm going to pull the part that introduces memdup_user_nul() into
> a never-rebased branch and if security.git is willing to pull it and handle
> that conversion in ima_write_policy() themselves, I'll be only glad to drop
> the corresponding chunk in vfs.git#for-next

Al,

As memdup_user_nul() is not in the security tree, it would break the
security tree builds.  Having the patch in the linux-integrity/next
branch wouldn't help matters.

Mimi

Re: linux-next: manual merge of the integrity tree with the vfs tree

[Stephen Rothwell]

Hi Mimi,

On Mon, 04 Jan 2016 00:06:37 -0500 Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
>
> On Mon, 2016-01-04 at 03:16 +0000, Al Viro wrote:
> >
> > FWIW, I'm going to pull the part that introduces memdup_user_nul() into
> > a never-rebased branch and if security.git is willing to pull it and handle
> > that conversion in ima_write_policy() themselves, I'll be only glad to drop
> > the corresponding chunk in vfs.git#for-next  
> 
> As memdup_user_nul() is not in the security tree, it would break the
> security tree builds.  Having the patch in the linux-integrity/next
> branch wouldn't help matters.

I think Al intends for you to merge his "never-rebased branch" that
contains the memdup_user_nul patch into the integrity tree (or James to
merge it into the security tree).  He will also merge the same branch
into his vfs tree and remove the patch that updates ima_write_policy()
to use memdup_user_nul() and you (or James) could apply that patch in
the integrity (or security) tree.

This way we end up with the same commit creating memdup_user_nul() in
both trees and no left over conflicts.

-- 
Cheers,
Stephen Rothwell                    sfr@canb.auug.org.au

Re: linux-next: manual merge of the integrity tree with the vfs tree

[Mimi Zohar]

On Mon, 2016-01-04 at 16:23 +1100, Stephen Rothwell wrote:
> Hi Mimi,
> 
> On Mon, 04 Jan 2016 00:06:37 -0500 Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
> >
> > On Mon, 2016-01-04 at 03:16 +0000, Al Viro wrote:
> > >
> > > FWIW, I'm going to pull the part that introduces memdup_user_nul() into
> > > a never-rebased branch and if security.git is willing to pull it and handle
> > > that conversion in ima_write_policy() themselves, I'll be only glad to drop
> > > the corresponding chunk in vfs.git#for-next  
> > 
> > As memdup_user_nul() is not in the security tree, it would break the
> > security tree builds.  Having the patch in the linux-integrity/next
> > branch wouldn't help matters.
> 
> I think Al intends for you to merge his "never-rebased branch" that
> contains the memdup_user_nul patch into the integrity tree (or James to
> merge it into the security tree).  He will also merge the same branch
> into his vfs tree and remove the patch that updates ima_write_policy()
> to use memdup_user_nul() and you (or James) could apply that patch in
> the integrity (or security) tree.
> 
> This way we end up with the same commit creating memdup_user_nul() in
> both trees and no left over conflicts.

Thank you for the explanation.  It sounds like a plan.  James, are you
ok with this?

Mimi