From: Paul Moore <paul@paul-moore.com>
To: Ondrej Mosnacek <omosnace@redhat.com>
Cc: Stephen Smalley <stephen.smalley.work@gmail.com>,
linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Subject: Re: [PATCH] security: fix the logic in security_inode_getsecctx()
Date: Fri, 26 Jan 2024 17:18:59 -0500
Message-ID: <b3e1fdd22be4d2abbaccba73f6dc3e38@paul-moore.com>
In-Reply-To: <20240126104403.1040692-1-omosnace@redhat.com>
On Jan 26, 2024 Ondrej Mosnacek <omosnace@redhat.com> wrote:
>
> The inode_getsecctx LSM hook has previously been corrected to have
> -EOPNOTSUPP instead of 0 as the default return value to fix BPF LSM
> behavior. However, the call_int_hook()-generated loop in
> security_inode_getsecctx() was left treating 0 as the neutral value, so
> after an LSM returns 0, the loop continues to try other LSMs, and if one
> of them returns a non-zero value, the function immediately returns with
> said value. So in a situation where SELinux and the BPF LSMs registered
> this hook, -EOPNOTSUPP would be incorrectly returned whenever SELinux
> returned 0.
>
> Fix this by open-coding the call_int_hook() loop and making it use the
> correct LSM_RET_DEFAULT() value as the neutral one, similar to what
> other hooks do.
>
> Reported-by: Stephen Smalley <stephen.smalley.work@gmail.com>
> Link: https://lore.kernel.org/selinux/CAEjxPJ4ev-pasUwGx48fDhnmjBnq_Wh90jYPwRQRAqXxmOKD4Q@mail.gmail.com/
> Fixes: b36995b8609a ("lsm: fix default return value for inode_getsecctx")
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> Reviewed-by: Casey Schaufler <casey@schaufler-ca.com>
> Link: https://bugzilla.redhat.com/show_bug.cgi?id=2257983
> ---
>
> I ran 'tools/nfs.sh' on the patch and even though it fixes the most
> serious issue that Stephen reported, some of the tests are still
> failing under NFS (but I will presume that these are pre-existing issues
> not caused by the patch).
>
> I can also see an opportunity to clean up the hook implementations in
> security/security.c - I plan to have a go at it and send it as a
> separate patch later.
>
> security/security.c | 14 +++++++++++++-
> 1 file changed, 13 insertions(+), 1 deletion(-)
Merged, with the RHBZ link tag, into lsm/stable-6.8. I've also added a
stable tag/Cc so this should get picked up by the stable folks to
fix the breakage in the recent stable kernel releases.
Assuming no problems are uncovered over the weekend and early next week,
I'll send this to Linus next week.
Thanks everyone!
--
paul-moore.com
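The commit message above describes a loop-neutral-value mismatch: call_int_hook() keeps iterating while an LSM returns 0, but after b36995b8609a the inode_getsecctx default is -EOPNOTSUPP, so a BPF LSM returning its default after SELinux returned 0 wins. The following is an added user-space model of that dispatch, written for this page and not taken from the kernel tree or from the patch; the names sel_getsecctx, bpf_getsecctx, call_getsecctx, LSM_RET_DEFAULT_GETSECCTX and the two security_inode_getsecctx_* variants are this model's own, and the SELinux context string is a constructed sample.

```c
/* Added illustration, not kernel code: a user-space model of how stacked
 * inode_getsecctx implementations are iterated, and why the loop's
 * neutral value must equal the hook's default return value.
 * All identifiers below are assumptions made for this model. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stands in for LSM_RET_DEFAULT(inode_getsecctx) after b36995b8609a. */
#define LSM_RET_DEFAULT_GETSECCTX (-EOPNOTSUPP)

typedef int (*getsecctx_fn)(const char *path, char *ctx, size_t len);

/* Model of an SELinux-style implementation: succeeds and fills ctx
 * with a constructed sample label. */
static int sel_getsecctx(const char *path, char *ctx, size_t len)
{
    (void)path;
    snprintf(ctx, len, "system_u:object_r:etc_t:s0");
    return 0;
}

/* Model of a BPF LSM with no program attached for this hook: it just
 * returns the hook's default value, which is now -EOPNOTSUPP, not 0. */
static int bpf_getsecctx(const char *path, char *ctx, size_t len)
{
    (void)path; (void)ctx; (void)len;
    return LSM_RET_DEFAULT_GETSECCTX;
}

/* The call_int_hook() pattern, generalized over the neutral value:
 * call every registered implementation in order and return the first
 * result that differs from `neutral`; if none does, return `neutral`. */
static int call_getsecctx(const getsecctx_fn *hooks, size_t n, int neutral,
                          const char *path, char *ctx, size_t len)
{
    int rc = neutral;
    for (size_t i = 0; i < n; i++) {
        rc = hooks[i](path, ctx, len);
        if (rc != neutral)
            break;
    }
    return rc;
}

/* Pre-patch behaviour: neutral value hard-wired to 0 even though the
 * hook's default is -EOPNOTSUPP. SELinux's 0 is treated as "no answer",
 * the loop continues, and the BPF LSM's default is returned instead. */
int security_inode_getsecctx_buggy(const char *path, char *ctx, size_t len)
{
    const getsecctx_fn hooks[] = { sel_getsecctx, bpf_getsecctx };
    return call_getsecctx(hooks, 2, 0, path, ctx, len);
}

/* Post-patch behaviour: the loop treats LSM_RET_DEFAULT() as neutral,
 * so the first LSM that actually answers (SELinux, rc == 0) wins and a
 * later default return cannot override it, whatever the registration order. */
int security_inode_getsecctx_fixed(const char *path, char *ctx, size_t len)
{
    const getsecctx_fn hooks[] = { sel_getsecctx, bpf_getsecctx };
    return call_getsecctx(hooks, 2, LSM_RET_DEFAULT_GETSECCTX, path, ctx, len);
}

/* Same fixed loop with the BPF LSM registered first: its default is
 * skipped as neutral and SELinux still provides the context. */
int security_inode_getsecctx_fixed_bpf_first(const char *path, char *ctx, size_t len)
{
    const getsecctx_fn hooks[] = { bpf_getsecctx, sel_getsecctx };
    return call_getsecctx(hooks, 2, LSM_RET_DEFAULT_GETSECCTX, path, ctx, len);
}

/* Convenience wrappers returning only the status code, for checking. */
int run_buggy(void)
{
    char ctx[64];
    return security_inode_getsecctx_buggy("/etc/passwd", ctx, sizeof ctx);
}

int run_fixed(void)
{
    char ctx[64];
    int rc = security_inode_getsecctx_fixed("/etc/passwd", ctx, sizeof ctx);
    /* On success the context must also have been filled in. */
    if (rc == 0 && strcmp(ctx, "system_u:object_r:etc_t:s0") != 0)
        return -EINVAL;
    return rc;
}

int run_fixed_bpf_first(void)
{
    char ctx[64];
    return security_inode_getsecctx_fixed_bpf_first("/etc/passwd", ctx, sizeof ctx);
}

int main(void)
{
    printf("buggy loop:        %d\n", run_buggy());           /* -EOPNOTSUPP */
    printf("fixed loop:        %d\n", run_fixed());           /* 0 */
    printf("fixed, BPF first:  %d\n", run_fixed_bpf_first()); /* 0 */
    return 0;
}
```

The point the model makes is that "neutral" is a property of the hook, not of the loop: any hook whose LSM_RET_DEFAULT() is non-zero needs its dispatch loop to compare against that default, which is exactly what open-coding the loop in security_inode_getsecctx() achieves.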
2024-01-26 10:44 [PATCH] security: fix the logic in security_inode_getsecctx() Ondrej Mosnacek
2024-01-26 14:32 ` Ondrej Mosnacek
2024-01-26 15:03 ` Stephen Smalley
2024-01-26 16:04 ` Stephen Smalley
2024-01-26 17:15 ` Ondrej Mosnacek
2024-01-29 19:48 ` Stephen Smalley
2024-01-29 21:55 ` Paul Moore
2024-01-30 15:44 ` Stephen Smalley
2024-01-30 16:31 ` Paul Moore
2024-01-26 16:36 ` Casey Schaufler
2024-01-26 22:18 ` Paul Moore [this message]