* Re: [PATCH v4 1/2] landlock: Serialize TSYNC thread restriction
From: Günther Noack @ 2026-03-04 19:05 UTC (permalink / raw)
To: Yihan Ding
Cc: jannh, linux-kernel, linux-security-module, m, mic, paul,
syzbot+7ea2f5e9dfd468201817, utilityemal77
In-Reply-To: <20260304095418.465594-2-dingyihan@uniontech.com>
Hello!
Thank you for the revised patch. I tested this and it passes the
selftests now.
I noticed that the comment is unfortunately wrongly indented, which is
also caught by clang-format (see below); we should fix that before
submit; I remarked on another two less important nits in the commit
message as well.
On Wed, Mar 04, 2026 at 05:54:17PM +0800, Yihan Ding wrote:
> syzbot found a deadlock in landlock_restrict_sibling_threads().
> When multiple threads concurrently call landlock_restrict_self() with
> sibling thread restriction enabled, they can deadlock by mutually
> queueing task_works on each other and then blocking in kernel space
> (waiting for the other to finish).
>
> Fix this by serializing the TSYNC operations within the same process
> using the exec_update_lock. This prevents concurrent invocations
> from deadlocking.
>
> We use down_write_trylock() and return -ERESTARTNOINTR if the lock
^^^^^^^^^^^^^^^^^^^^^^
Nit: Maybe it would be better to write "restart the syscall" now,
as we are not just returning -ERESTARTNOINTR here any more.
> cannot be acquired immediately. This ensures that if a thread fails
> to get the lock, it will return to userspace, allowing it to process
> any pending TSYNC task_works from the lock holder, and then
> transparently restart the syscall.
>
> Fixes: 42fc7e6543f6 ("landlock: Multithreading support for landlock_restrict_self()")
> Reported-by: syzbot+7ea2f5e9dfd468201817@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=7ea2f5e9dfd468201817
> Suggested-by: Günther Noack <gnoack3000@gmail.com>
> Signed-off-by: Yihan Ding <dingyihan@uniontech.com>
FYI This would be a good place to add a Reported-by: Justin and
Suggested-by: Tingmao as well.
> ---
> Changes in v4:
> - Use restart_syscall() instead of returning -ERESTARTNOINTR.
> This ensures the syscall is properly restarted without leaking the
> internal error code to userspace, fixing a test failure in
> tsync_test.competing_enablement. (Caught by Justin Suess, suggested
> by Tingmao Wang).
>
> Changes in v3:
> - Replaced down_write_killable() with down_write_trylock() and
> returned -ERESTARTNOINTR to avoid a secondary deadlock caused by
> blocking the execution of task_works. (Caught by Günther Noack).
>
> ---
> security/landlock/tsync.c | 11 ++++++++++-
> 1 file changed, 10 insertions(+), 1 deletion(-)
>
> diff --git a/security/landlock/tsync.c b/security/landlock/tsync.c
> index de01aa899751..1f460b9ec833 100644
> --- a/security/landlock/tsync.c
> +++ b/security/landlock/tsync.c
> @@ -446,6 +446,15 @@ int landlock_restrict_sibling_threads(const struct cred *old_cred,
> shared_ctx.old_cred = old_cred;
> shared_ctx.new_cred = new_cred;
> shared_ctx.set_no_new_privs = task_no_new_privs(current);
> + /*
> + * Serialize concurrent TSYNC operations to prevent deadlocks when
> + * multiple threads call landlock_restrict_self() simultaneously.
> + * If the lock is already held, we gracefully yield by restarting the
> + * syscall. This allows the current thread to process pending
> + * task_works before retrying.
> + */
^^^^^^^^^^^^^^^^
This comment should be indented with one tab, not with two, the same
as the code that follows it.
The comment text is good.
Remark on the side, the Landlock code is formatted with clang-format;
I have a small tool that runs it for me on these files:
clang-format -i \
security/landlock/*.[ch] \
include/uapi/linux/landlock.h \
tools/testing/selftests/landlock/*.[ch]
clang-format does not fix the indentation perfectly here either, but
it discovers the issue and reindents at least the first line.
> + if (!down_write_trylock(¤t->signal->exec_update_lock))
> + return restart_syscall();
>
> /*
> * We schedule a pseudo-signal task_work for each of the calling task's
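Review bot: The new comment above down_write_trylock() does not say why exec_update_lock is the lock used here, and it describes the failure case only as a concurrent TSYNC call, although the trylock fails for any holder of that lock, not only a sibling calling landlock_restrict_self(). Suggest one sentence naming the lock and stating that any contention on it leads to restart_syscall(), so a reader does not assume the retry is limited to competing TSYNC callers.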
> @@ -556,6 +565,6 @@ int landlock_restrict_sibling_threads(const struct cred *old_cred,
> wait_for_completion(&shared_ctx.all_finished);
>
> tsync_works_release(&works);
> -
> + up_write(¤t->signal->exec_update_lock);
> return atomic_read(&shared_ctx.preparation_error);
> }
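Review bot: up_write() is added only on this final return path, so any earlier return between the down_write_trylock() in the first hunk and this line would leave exec_update_lock held; the lines in between are not part of the diff, so please confirm there is no such path or route all exits through one unlock label. The hunk also removes the blank line that separated the cleanup from `return`; keeping a blank line after up_write() would match the surrounding style.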
> --
> 2.20.1
>
These remarks are all in comments and documentation though; the code
looks good to me and the selftests work! Thank you for looking into it!
–Günther
* [PATCH v1 net-next 06/15] smack: Remove IPPROTO_UDPLITE support in security_sock_rcv_skb().
From: Kuniyuki Iwashima @ 2026-03-04 19:28 UTC (permalink / raw)
To: Willem de Bruijn, David Ahern, David S . Miller, Eric Dumazet,
Jakub Kicinski, Paolo Abeni
Cc: Simon Horman, Kuniyuki Iwashima, Kuniyuki Iwashima, netdev,
Casey Schaufler, Paul Moore, James Morris, Serge E. Hallyn,
linux-security-module
In-Reply-To: <20260304193034.1870586-1-kuniyu@google.com>
smack_socket_sock_rcv_skb() is registered as socket_sock_rcv_skb,
which is called as security_sock_rcv_skb() in sk_filter_trim_cap().
Now that UDP-Lite is gone, let's remove the IPPROTO_UDPLITE support
in smack_socket_sock_rcv_skb().
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
---
Cc: Casey Schaufler <casey@schaufler-ca.com>
Cc: Paul Moore <paul@paul-moore.com>
Cc: James Morris <jmorris@namei.org>
Cc: "Serge E. Hallyn" <serge@hallyn.com>
Cc: linux-security-module@vger.kernel.org
---
security/smack/smack_lsm.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 98af9d7b9434..e581d6465946 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -4176,7 +4176,6 @@ static int smk_skb_to_addr_ipv6(struct sk_buff *skb, struct sockaddr_in6 *sip)
sip->sin6_port = th->source;
break;
case IPPROTO_UDP:
- case IPPROTO_UDPLITE:
uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
if (uh != NULL)
sip->sin6_port = uh->source;
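Review bot: The commit message names only smack_socket_sock_rcv_skb(), but this hunk changes the helper smk_skb_to_addr_ipv6(), dropping `case IPPROTO_UDPLITE:` from the switch that fills sip->sin6_port. Please mention the helper in the commit message (or the subject), so the change to source-port extraction is not hidden behind a description of the hook alone.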
@@ -4301,8 +4300,7 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
#if IS_ENABLED(CONFIG_IPV6)
case PF_INET6:
proto = smk_skb_to_addr_ipv6(skb, &sadd);
- if (proto != IPPROTO_UDP && proto != IPPROTO_UDPLITE &&
- proto != IPPROTO_TCP)
+ if (proto != IPPROTO_UDP && proto != IPPROTO_TCP)
break;
#ifdef SMACK_IPV6_SECMARK_LABELING
skp = smack_from_skb(skb);
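Review bot: With `proto != IPPROTO_UDPLITE` removed from the test in the PF_INET6 branch, a packet for which smk_skb_to_addr_ipv6() still reports that protocol now takes the `break` and skips the labeling code that follows. "Now that UDP-Lite is gone" in the commit message is the only justification given; it would help to state explicitly that no socket can reach this hook with such a packet any more, or that treating it like every other non-TCP/UDP protocol is intended.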
--
2.53.0.473.g4a7958ca14-goog
* [PATCH v1 2/4] landlock: Add missing kernel-doc "Return:" sections
From: Mickaël Salaün @ 2026-03-04 19:31 UTC (permalink / raw)
To: Günther Noack; +Cc: Mickaël Salaün, linux-security-module
In-Reply-To: <20260304193134.250495-1-mic@digikod.net>
The kernel-doc -Wreturn check warns about functions with documentation
comments that lack a "Return:" section. Add "Return:" documentation to
all functions missing it so that kernel-doc -Wreturn passes cleanly.
Convert existing function descriptions into a formal "Return:" section.
Also fix the inaccurate return documentation for
landlock_merge_ruleset() which claimed to return @parent directly, and
document the previously missing ERR_PTR() error return path. Document
the ABI version and errata return paths for landlock_create_ruleset()
which were previously only implied by the prose.
Cc: Günther Noack <gnoack@google.com>
Signed-off-by: Mickaël Salaün <mic@digikod.net>
---
security/landlock/domain.c | 2 ++
security/landlock/fs.c | 2 +-
security/landlock/ruleset.c | 8 +++++---
security/landlock/syscalls.c | 17 +++++++++++------
security/landlock/task.c | 9 +++++----
5 files changed, 24 insertions(+), 14 deletions(-)
diff --git a/security/landlock/domain.c b/security/landlock/domain.c
index 79cb3bbdf4c5..343a1aabaac6 100644
--- a/security/landlock/domain.c
+++ b/security/landlock/domain.c
@@ -115,6 +115,8 @@ static struct landlock_details *get_current_details(void)
* restriction. The subjective credentials must not be in an overridden state.
*
* @hierarchy->parent and @hierarchy->usage should already be set.
+ *
+ * Return: 0 on success, -errno on failure.
*/
int landlock_init_hierarchy_log(struct landlock_hierarchy *const hierarchy)
{
diff --git a/security/landlock/fs.c b/security/landlock/fs.c
index e764470f588c..cfe69075bf4e 100644
--- a/security/landlock/fs.c
+++ b/security/landlock/fs.c
@@ -1568,7 +1568,7 @@ static int hook_path_truncate(const struct path *const path)
*
* @file: File being opened.
*
- * Returns the access rights that are required for opening the given file,
+ * Return: The access rights that are required for opening the given file,
* depending on the file type and open mode.
*/
static access_mask_t
diff --git a/security/landlock/ruleset.c b/security/landlock/ruleset.c
index a61ced492f41..de8386af2f30 100644
--- a/security/landlock/ruleset.c
+++ b/security/landlock/ruleset.c
@@ -202,6 +202,8 @@ static void build_check_ruleset(void)
* When merging a ruleset in a domain, or copying a domain, @layers will be
* added to @ruleset as new constraints, similarly to a boolean AND between
* access rights.
+ *
+ * Return: 0 on success, -errno on failure.
*/
static int insert_rule(struct landlock_ruleset *const ruleset,
const struct landlock_id id,
@@ -531,8 +533,8 @@ void landlock_put_ruleset_deferred(struct landlock_ruleset *const ruleset)
* The current task is requesting to be restricted. The subjective credentials
* must not be in an overridden state. cf. landlock_init_hierarchy_log().
*
- * Returns the intersection of @parent and @ruleset, or returns @parent if
- * @ruleset is empty, or returns a duplicate of @ruleset if @parent is empty.
+ * Return: A new domain merging @parent and @ruleset on success, or ERR_PTR()
+ * on failure. If @parent is NULL, the new domain duplicates @ruleset.
*/
struct landlock_ruleset *
landlock_merge_ruleset(struct landlock_ruleset *const parent,
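Review bot: The new Return: text for landlock_merge_ruleset() covers @parent being NULL but no longer says anything about an empty @ruleset, a case the removed lines did mention. If that case is now one of the ERR_PTR() outcomes, name it in the Return: section so the documented cases stay complete.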
@@ -623,7 +625,7 @@ landlock_find_rule(const struct landlock_ruleset *const ruleset,
* @rule: A rule that grants a set of access rights for each layer
* @masks: A matrix of unfulfilled access rights for each layer
*
- * Returns true if the request is allowed (i.e. the access rights granted all
+ * Return: True if the request is allowed (i.e. the access rights granted all
* remaining unfulfilled access rights and masks has no leftover set bits).
*/
bool landlock_unmask_layers(const struct landlock_rule *const rule,
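Review bot: The converted Return: line for landlock_unmask_layers() states only the true case. The domain_scope_le() hunk in this same patch ends its description with "false otherwise"; adding the same here would keep the bool return descriptions balanced.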
diff --git a/security/landlock/syscalls.c b/security/landlock/syscalls.c
index 0d66a68677b7..3b33839b80c7 100644
--- a/security/landlock/syscalls.c
+++ b/security/landlock/syscalls.c
@@ -60,6 +60,8 @@ static bool is_initialized(void)
* @ksize_min: Minimal required size to be copied.
* @src: User space pointer or NULL.
* @usize: (Alleged) size of the data pointed to by @src.
+ *
+ * Return: 0 on success, -errno on failure.
*/
static __always_inline int
copy_min_struct_from_user(void *const dst, const size_t ksize,
@@ -178,16 +180,19 @@ const int landlock_abi_version = 8;
* - %LANDLOCK_CREATE_RULESET_VERSION
* - %LANDLOCK_CREATE_RULESET_ERRATA
*
- * This system call enables to create a new Landlock ruleset, and returns the
- * related file descriptor on success.
+ * This system call enables to create a new Landlock ruleset.
*
* If %LANDLOCK_CREATE_RULESET_VERSION or %LANDLOCK_CREATE_RULESET_ERRATA is
* set, then @attr must be NULL and @size must be 0.
*
- * Possible returned errors are:
+ * Return: The ruleset file descriptor on success, the Landlock ABI version if
+ * %LANDLOCK_CREATE_RULESET_VERSION is set, the errata value if
+ * %LANDLOCK_CREATE_RULESET_ERRATA is set, or -errno on failure. Possible
+ * returned errors are:
*
* - %EOPNOTSUPP: Landlock is supported by the kernel but disabled at boot time;
- * - %EINVAL: unknown @flags, or unknown access, or unknown scope, or too small @size;
+ * - %EINVAL: unknown @flags, or unknown access, or unknown scope, or too small
+ * @size;
* - %E2BIG: @attr or @size inconsistencies;
* - %EFAULT: @attr or @size inconsistencies;
* - %ENOMSG: empty &landlock_ruleset_attr.handled_access_fs.
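Review bot: The rewritten description line still reads "This system call enables to create a new Landlock ruleset", which is ungrammatical; since the line is being touched anyway, "This system call creates a new Landlock ruleset." would read better. The re-wrap of the %EINVAL bullet is unrelated to adding Return: sections and would sit better in a separate formatting change.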
@@ -398,7 +403,7 @@ static int add_rule_net_port(struct landlock_ruleset *ruleset,
* This system call enables to define a new rule and add it to an existing
* ruleset.
*
- * Possible returned errors are:
+ * Return: 0 on success, or -errno on failure. Possible returned errors are:
*
* - %EOPNOTSUPP: Landlock is supported by the kernel but disabled at boot time;
* - %EAFNOSUPPORT: @rule_type is %LANDLOCK_RULE_NET_PORT but TCP/IP is not
@@ -464,7 +469,7 @@ SYSCALL_DEFINE4(landlock_add_rule, const int, ruleset_fd,
* namespace or is running with no_new_privs. This avoids scenarios where
* unprivileged tasks can affect the behavior of privileged children.
*
- * Possible returned errors are:
+ * Return: 0 on success, or -errno on failure. Possible returned errors are:
*
* - %EOPNOTSUPP: Landlock is supported by the kernel but disabled at boot time;
* - %EINVAL: @flags contains an unknown bit.
diff --git a/security/landlock/task.c b/security/landlock/task.c
index 833bc0cfe5c9..bf7c3db7ce46 100644
--- a/security/landlock/task.c
+++ b/security/landlock/task.c
@@ -37,6 +37,9 @@
*
* Checks if the @parent domain is less or equal to (i.e. an ancestor, which
* means a subset of) the @child domain.
+ *
+ * Return: True if @parent is an ancestor of or equal to @child, false
+ * otherwise.
*/
static bool domain_scope_le(const struct landlock_ruleset *const parent,
const struct landlock_ruleset *const child)
@@ -79,8 +82,7 @@ static int domain_ptrace(const struct landlock_ruleset *const parent,
* If the current task has Landlock rules, then the child must have at least
* the same rules. Else denied.
*
- * Determines whether a process may access another, returning 0 if permission
- * granted, -errno if denied.
+ * Return: 0 if permission is granted, -errno if denied.
*/
static int hook_ptrace_access_check(struct task_struct *const child,
const unsigned int mode)
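Review bot: Replacing the whole sentence with the Return: line drops the clause "Determines whether a process may access another", which was the comment's one-line statement of what hook_ptrace_access_check() decides. Suggest keeping that clause as a description line above Return:, and doing the same for the matching sentence removed from hook_ptrace_traceme() in the next hunk.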
@@ -129,8 +131,7 @@ static int hook_ptrace_access_check(struct task_struct *const child,
* If the parent has Landlock rules, then the current task must have the same
* or more rules. Else denied.
*
- * Determines whether the nominated task is permitted to trace the current
- * process, returning 0 if permission is granted, -errno if denied.
+ * Return: 0 if permission is granted, -errno if denied.
*/
static int hook_ptrace_traceme(struct task_struct *const parent)
{
--
2.53.0
* [PATCH v1 3/4] landlock: Improve kernel-doc "Return:" section consistency
From: Mickaël Salaün @ 2026-03-04 19:31 UTC (permalink / raw)
To: Günther Noack; +Cc: Mickaël Salaün, linux-security-module
In-Reply-To: <20260304193134.250495-1-mic@digikod.net>
The canonical kernel-doc form is "Return:" (singular, without trailing
"s"). Normalize all existing "Returns:" occurrences across the Landlock
source tree to the canonical form.
Also fix capitalization for consistency. Balance descriptions to
describe all possible returned values.
Consolidate bullet-point return descriptions into inline text for
functions with simple two-value or three-value returns for consistency.
Cc: Günther Noack <gnoack@google.com>
Signed-off-by: Mickaël Salaün <mic@digikod.net>
---
security/landlock/cred.h | 2 +-
security/landlock/domain.c | 4 ++--
security/landlock/fs.c | 26 +++++++++++---------------
security/landlock/id.c | 2 +-
security/landlock/ruleset.c | 2 +-
security/landlock/ruleset.h | 2 +-
security/landlock/task.c | 4 ++--
security/landlock/tsync.c | 17 ++++++-----------
8 files changed, 25 insertions(+), 34 deletions(-)
diff --git a/security/landlock/cred.h b/security/landlock/cred.h
index c10a06727eb1..f287c56b5fd4 100644
--- a/security/landlock/cred.h
+++ b/security/landlock/cred.h
@@ -115,7 +115,7 @@ static inline bool landlocked(const struct task_struct *const task)
* @handle_layer: returned youngest layer handling a subset of @masks. Not set
* if the function returns NULL.
*
- * Returns: landlock_cred(@cred) if any access rights specified in @masks is
+ * Return: landlock_cred(@cred) if any access rights specified in @masks is
* handled, or NULL otherwise.
*/
static inline const struct landlock_cred_security *
diff --git a/security/landlock/domain.c b/security/landlock/domain.c
index 343a1aabaac6..8b9939005aa8 100644
--- a/security/landlock/domain.c
+++ b/security/landlock/domain.c
@@ -34,7 +34,7 @@
* @exe_size: Returned size of @exe_str (including the trailing null
* character), if any.
*
- * Returns: A pointer to an allocated buffer where @exe_str point to, %NULL if
+ * Return: A pointer to an allocated buffer where @exe_str point to, %NULL if
* there is no executable path, or an error otherwise.
*/
static const void *get_current_exe(const char **const exe_str,
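Review bot: The line being changed in the get_current_exe() comment keeps the grammar slip "where @exe_str point to"; as it is touched anyway, "points to" can be fixed in the same edit. With a `const void *` return type, "or an error otherwise" would also be clearer if it said how the error is encoded.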
@@ -73,7 +73,7 @@ static const void *get_current_exe(const char **const exe_str,
}
/*
- * Returns: A newly allocated object describing a domain, or an error
+ * Return: A newly allocated object describing a domain, or an error
* otherwise.
*/
static struct landlock_details *get_current_details(void)
diff --git a/security/landlock/fs.c b/security/landlock/fs.c
index cfe69075bf4e..a03ec664c78e 100644
--- a/security/landlock/fs.c
+++ b/security/landlock/fs.c
@@ -119,8 +119,8 @@ static const struct landlock_object_underops landlock_fs_underops = {
* Any new IOCTL commands that are implemented in fs/ioctl.c's do_vfs_ioctl()
* should be considered for inclusion here.
*
- * Returns: true if the IOCTL @cmd can not be restricted with Landlock for
- * device files.
+ * Return: True if the IOCTL @cmd can not be restricted with Landlock for
+ * device files, false otherwise.
*/
static __attribute_const__ bool is_masked_device_ioctl(const unsigned int cmd)
{
@@ -428,10 +428,10 @@ static bool may_refer(const struct layer_access_masks *const src_parent,
* Check that a destination file hierarchy has more restrictions than a source
* file hierarchy. This is only used for link and rename actions.
*
- * Returns: true if child1 may be moved from parent1 to parent2 without
- * increasing its access rights. If child2 is set, an additional condition is
+ * Return: True if child1 may be moved from parent1 to parent2 without
+ * increasing its access rights (if child2 is set, an additional condition is
* that child2 may be used from parent2 to parent1 without increasing its access
- * rights.
+ * rights), false otherwise.
*/
static bool no_more_access(const struct layer_access_masks *const parent1,
const struct layer_access_masks *const child1,
@@ -734,9 +734,7 @@ static void test_is_eacces_with_write(struct kunit *const test)
* checks that the collected accesses and the remaining ones are enough to
* allow the request.
*
- * Returns:
- * - true if the access request is granted;
- * - false otherwise.
+ * Return: True if the access request is granted, false otherwise.
*/
static bool
is_access_to_paths_allowed(const struct landlock_ruleset *const domain,
@@ -1022,9 +1020,8 @@ static access_mask_t maybe_remove(const struct dentry *const dentry)
* only handles walking on the same mount point and only checks one set of
* accesses.
*
- * Returns:
- * - true if all the domain access rights are allowed for @dir;
- * - false if the walk reached @mnt_root.
+ * Return: True if all the domain access rights are allowed for @dir, false if
+ * the walk reached @mnt_root.
*/
static bool collect_domain_accesses(const struct landlock_ruleset *const domain,
const struct dentry *const mnt_root,
@@ -1120,10 +1117,9 @@ static bool collect_domain_accesses(const struct landlock_ruleset *const domain,
* ephemeral matrices take some space on the stack, which limits the number of
* layers to a deemed reasonable number: 16.
*
- * Returns:
- * - 0 if access is allowed;
- * - -EXDEV if @old_dentry would inherit new access rights from @new_dir;
- * - -EACCES if file removal or creation is denied.
+ * Return: 0 if access is allowed, -EXDEV if @old_dentry would inherit new
+ * access rights from @new_dir, or -EACCES if file removal or creation is
+ * denied.
*/
static int current_check_refer_path(struct dentry *const old_dentry,
const struct path *const new_dir,
diff --git a/security/landlock/id.c b/security/landlock/id.c
index 838c3ed7bb82..6c8769777fdc 100644
--- a/security/landlock/id.c
+++ b/security/landlock/id.c
@@ -258,7 +258,7 @@ static void test_range2_rand16(struct kunit *const test)
*
* @number_of_ids: Number of IDs to hold. Must be greater than one.
*
- * Returns: The first ID in the range.
+ * Return: The first ID in the range.
*/
u64 landlock_get_id_range(size_t number_of_ids)
{
diff --git a/security/landlock/ruleset.c b/security/landlock/ruleset.c
index de8386af2f30..52e48ffcc3aa 100644
--- a/security/landlock/ruleset.c
+++ b/security/landlock/ruleset.c
@@ -675,7 +675,7 @@ get_access_mask_t(const struct landlock_ruleset *const ruleset,
* @masks: Layer access masks to populate.
* @key_type: The key type to switch between access masks of different types.
*
- * Returns: An access mask where each access right bit is set which is handled
+ * Return: An access mask where each access right bit is set which is handled
* in any of the active layers in @domain.
*/
access_mask_t
diff --git a/security/landlock/ruleset.h b/security/landlock/ruleset.h
index 87d52031fb5a..5e63f78f7e1a 100644
--- a/security/landlock/ruleset.h
+++ b/security/landlock/ruleset.h
@@ -232,7 +232,7 @@ static inline void landlock_get_ruleset(struct landlock_ruleset *const ruleset)
*
* @domain: Landlock ruleset (used as a domain)
*
- * Returns: an access_masks result of the OR of all the domain's access masks.
+ * Return: An access_masks result of the OR of all the domain's access masks.
*/
static inline struct access_masks
landlock_union_access_masks(const struct landlock_ruleset *const domain)
diff --git a/security/landlock/task.c b/security/landlock/task.c
index bf7c3db7ce46..f2dbdebf2770 100644
--- a/security/landlock/task.c
+++ b/security/landlock/task.c
@@ -174,8 +174,8 @@ static int hook_ptrace_traceme(struct task_struct *const parent)
* @server: IPC receiver domain.
* @scope: The scope restriction criteria.
*
- * Returns: True if @server is in a different domain from @client, and @client
- * is scoped to access @server (i.e. access should be denied).
+ * Return: True if @server is in a different domain from @client and @client
+ * is scoped to access @server (i.e. access should be denied), false otherwise.
*/
static bool domain_is_scoped(const struct landlock_ruleset *const client,
const struct landlock_ruleset *const server,
diff --git a/security/landlock/tsync.c b/security/landlock/tsync.c
index b06a0fa4cedb..359aecbb1e4b 100644
--- a/security/landlock/tsync.c
+++ b/security/landlock/tsync.c
@@ -183,10 +183,8 @@ struct tsync_works {
* capacity. This can legitimately happen if new threads get started after we
* grew the capacity.
*
- * Returns:
- * A pointer to the preallocated context struct, with task filled in.
- *
- * NULL, if we ran out of preallocated context structs.
+ * Return: A pointer to the preallocated context struct with task filled in, or
+ * NULL if preallocated context structs ran out.
*/
static struct tsync_work *tsync_works_provide(struct tsync_works *s,
struct task_struct *task)
@@ -243,11 +241,8 @@ static void tsync_works_trim(struct tsync_works *s)
* On a successful return, the subsequent n calls to tsync_works_provide() are
* guaranteed to succeed. (size + n <= capacity)
*
- * Returns:
- * -ENOMEM if the (re)allocation fails
-
- * 0 if the allocation succeeds, partially succeeds, or no reallocation
- * was needed
+ * Return: 0 on success or partial success, -ENOMEM if the (re)allocation
+ * fails.
*/
static int tsync_works_grow_by(struct tsync_works *s, size_t n, gfp_t flags)
{
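Review bot: The consolidated Return: line for tsync_works_grow_by() drops the "no reallocation was needed" case that the removed lines listed as returning 0, so the description no longer covers all returned values as the commit message intends. Suggest "0 if the allocation succeeds, partially succeeds, or no reallocation was needed, -ENOMEM if the (re)allocation fails", or a short note on what "partial success" means next to the guarantee in the context lines above.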
@@ -363,8 +358,8 @@ static size_t count_additional_threads(const struct tsync_works *works)
* For each added task_work, atomically increments shared_ctx->num_preparing and
* shared_ctx->num_unfinished.
*
- * Returns:
- * true, if at least one eligible sibling thread was found
+ * Return: True if at least one eligible sibling thread was found, false
+ * otherwise.
*/
static bool schedule_task_work(struct tsync_works *works,
struct tsync_shared_context *shared_ctx)
--
2.53.0
* [PATCH v1 4/4] landlock: Fix formatting in tsync.c
From: Mickaël Salaün @ 2026-03-04 19:31 UTC (permalink / raw)
To: Günther Noack; +Cc: Mickaël Salaün, linux-security-module
In-Reply-To: <20260304193134.250495-1-mic@digikod.net>
Fix comment formatting in tsync.c to fit in 80 columns.
Cc: Günther Noack <gnoack@google.com>
Signed-off-by: Mickaël Salaün <mic@digikod.net>
---
My previous squashed fix was wrong.
---
security/landlock/tsync.c | 121 +++++++++++++++++++++-----------------
1 file changed, 66 insertions(+), 55 deletions(-)
diff --git a/security/landlock/tsync.c b/security/landlock/tsync.c
index 359aecbb1e4b..50445ae167dd 100644
--- a/security/landlock/tsync.c
+++ b/security/landlock/tsync.c
@@ -85,12 +85,14 @@ static void restrict_one_thread(struct tsync_shared_context *ctx)
/*
* Switch out old_cred with new_cred, if possible.
*
- * In the common case, where all threads initially point to the same
- * struct cred, this optimization avoids creating separate redundant
- * credentials objects for each, which would all have the same contents.
+ * In the common case, where all threads initially point to the
+ * same struct cred, this optimization avoids creating separate
+ * redundant credentials objects for each, which would all have
+ * the same contents.
*
- * Note: We are intentionally dropping the const qualifier here, because
- * it is required by commit_creds() and abort_creds().
+ * Note: We are intentionally dropping the const qualifier
+ * here, because it is required by commit_creds() and
+ * abort_creds().
*/
cred = (struct cred *)get_cred(ctx->new_cred);
} else {
@@ -101,8 +103,8 @@ static void restrict_one_thread(struct tsync_shared_context *ctx)
atomic_set(&ctx->preparation_error, -ENOMEM);
/*
- * Even on error, we need to adhere to the protocol and coordinate
- * with concurrently running invocations.
+ * Even on error, we need to adhere to the protocol and
+ * coordinate with concurrently running invocations.
*/
if (atomic_dec_return(&ctx->num_preparing) == 0)
complete_all(&ctx->all_prepared);
@@ -135,9 +137,9 @@ static void restrict_one_thread(struct tsync_shared_context *ctx)
}
/*
- * Make sure that all sibling tasks fulfill the no_new_privs prerequisite.
- * (This is in line with Seccomp's SECCOMP_FILTER_FLAG_TSYNC logic in
- * kernel/seccomp.c)
+ * Make sure that all sibling tasks fulfill the no_new_privs
+ * prerequisite. (This is in line with Seccomp's
+ * SECCOMP_FILTER_FLAG_TSYNC logic in kernel/seccomp.c)
*/
if (ctx->set_no_new_privs)
task_set_no_new_privs(current);
@@ -221,16 +223,17 @@ static void tsync_works_trim(struct tsync_works *s)
ctx = s->works[s->size - 1];
/*
- * For consistency, remove the task from ctx so that it does not look like
- * we handed it a task_work.
+ * For consistency, remove the task from ctx so that it does not look
+ * like we handed it a task_work.
*/
put_task_struct(ctx->task);
*ctx = (typeof(*ctx)){};
/*
- * Cancel the tsync_works_provide() change to recycle the reserved memory
- * for the next thread, if any. This also ensures that cancel_tsync_works()
- * and tsync_works_release() do not see any NULL task pointers.
+ * Cancel the tsync_works_provide() change to recycle the reserved
+ * memory for the next thread, if any. This also ensures that
+ * cancel_tsync_works() and tsync_works_release() do not see any NULL
+ * task pointers.
*/
s->size--;
}
@@ -388,17 +391,17 @@ static bool schedule_task_work(struct tsync_works *works,
continue;
/*
- * We found a sibling thread that is not doing its task_work yet, and
- * which might spawn new threads before our task work runs, so we need
- * at least one more round in the outer loop.
+ * We found a sibling thread that is not doing its task_work
+ * yet, and which might spawn new threads before our task work
+ * runs, so we need at least one more round in the outer loop.
*/
found_more_threads = true;
ctx = tsync_works_provide(works, thread);
if (!ctx) {
/*
- * We ran out of preallocated contexts -- we need to try again with
- * this thread at a later time!
+ * We ran out of preallocated contexts -- we need to
+ * try again with this thread at a later time!
* found_more_threads is already true at this point.
*/
break;
@@ -413,10 +416,10 @@ static bool schedule_task_work(struct tsync_works *works,
err = task_work_add(thread, &ctx->work, TWA_SIGNAL);
if (unlikely(err)) {
/*
- * task_work_add() only fails if the task is about to exit. We
- * checked that earlier, but it can happen as a race. Resume
- * without setting an error, as the task is probably gone in the
- * next loop iteration.
+ * task_work_add() only fails if the task is about to
+ * exit. We checked that earlier, but it can happen as
+ * a race. Resume without setting an error, as the
+ * task is probably gone in the next loop iteration.
*/
tsync_works_trim(works);
@@ -497,24 +500,25 @@ int landlock_restrict_sibling_threads(const struct cred *old_cred,
* After this barrier is reached, it's safe to read
* shared_ctx.preparation_error.
*
- * 4) reads shared_ctx.preparation_error and then either does commit_creds()
- * or abort_creds().
+ * 4) reads shared_ctx.preparation_error and then either does
+ * commit_creds() or abort_creds().
*
* 5) signals that it's done altogether (barrier synchronization
* "all_finished")
*
- * Unlike seccomp, which modifies sibling tasks directly, we do not need to
- * acquire the cred_guard_mutex and sighand->siglock:
+ * Unlike seccomp, which modifies sibling tasks directly, we do not
+ * need to acquire the cred_guard_mutex and sighand->siglock:
*
- * - As in our case, all threads are themselves exchanging their own struct
- * cred through the credentials API, no locks are needed for that.
+ * - As in our case, all threads are themselves exchanging their own
+ * struct cred through the credentials API, no locks are needed for
+ * that.
* - Our for_each_thread() loops are protected by RCU.
- * - We do not acquire a lock to keep the list of sibling threads stable
- * between our for_each_thread loops. If the list of available sibling
- * threads changes between these for_each_thread loops, we make up for
- * that by continuing to look for threads until they are all discovered
- * and have entered their task_work, where they are unable to spawn new
- * threads.
+ * - We do not acquire a lock to keep the list of sibling threads
+ * stable between our for_each_thread loops. If the list of
+ * available sibling threads changes between these for_each_thread
+ * loops, we make up for that by continuing to look for threads until
+ * they are all discovered and have entered their task_work, where
+ * they are unable to spawn new threads.
*/
do {
/* In RCU read-lock, count the threads we need. */
@@ -531,43 +535,50 @@ int landlock_restrict_sibling_threads(const struct cred *old_cred,
}
/*
- * The "all_prepared" barrier is used locally to the loop body, this use
- * of for_each_thread(). We can reset it on each loop iteration because
- * all previous loop iterations are done with it already.
+ * The "all_prepared" barrier is used locally to the loop body,
+ * this use of for_each_thread(). We can reset it on each loop
+ * iteration because all previous loop iterations are done with
+ * it already.
*
- * num_preparing is initialized to 1 so that the counter can not go to 0
- * and mark the completion as done before all task works are registered.
- * We decrement it at the end of the loop body.
+ * num_preparing is initialized to 1 so that the counter can
+ * not go to 0 and mark the completion as done before all task
+ * works are registered. We decrement it at the end of the
+ * loop body.
*/
atomic_set(&shared_ctx.num_preparing, 1);
reinit_completion(&shared_ctx.all_prepared);
/*
- * In RCU read-lock, schedule task work on newly discovered sibling
- * tasks.
+ * In RCU read-lock, schedule task work on newly discovered
+ * sibling tasks.
*/
found_more_threads = schedule_task_work(&works, &shared_ctx);
/*
- * Decrement num_preparing for current, to undo that we initialized it
- * to 1 a few lines above.
+ * Decrement num_preparing for current, to undo that we
+ * initialized it to 1 a few lines above.
*/
if (atomic_dec_return(&shared_ctx.num_preparing) > 0) {
if (wait_for_completion_interruptible(
&shared_ctx.all_prepared)) {
- /* In case of interruption, we need to retry the system call. */
+ /*
+ * In case of interruption, we need to retry
+ * the system call.
+ */
atomic_set(&shared_ctx.preparation_error,
-ERESTARTNOINTR);
/*
- * Cancel task works for tasks that did not start running yet,
- * and decrement all_prepared and num_unfinished accordingly.
+ * Cancel task works for tasks that did not
+ * start running yet, and decrement
+ * all_prepared and num_unfinished accordingly.
*/
cancel_tsync_works(&works, &shared_ctx);
/*
- * The remaining task works have started running, so waiting for
- * their completion will finish.
+ * The remaining task works have started
+ * running, so waiting for their completion
+ * will finish.
*/
wait_for_completion(&shared_ctx.all_prepared);
}
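Review bot: In the re-wrapped comment above cancel_tsync_works(), "decrement all_prepared and num_unfinished accordingly" names a completion as if it were a counter: earlier in this hunk all_prepared is passed to reinit_completion(), and the counter set beside it is num_preparing. If these lines are touched for wrapping, correct the wording to num_preparing in the same change, or say in the commit message that the change is whitespace-only and leave the wording for a follow-up.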
@@ -576,14 +587,14 @@ int landlock_restrict_sibling_threads(const struct cred *old_cred,
!atomic_read(&shared_ctx.preparation_error));
/*
- * We now have all sibling threads blocking and in "prepared" state in the
- * task work. Ask all threads to commit.
+ * We now have all sibling threads blocking and in "prepared" state in
+ * the task work. Ask all threads to commit.
*/
complete_all(&shared_ctx.ready_to_commit);
/*
- * Decrement num_unfinished for current, to undo that we initialized it to 1
- * at the beginning.
+ * Decrement num_unfinished for current, to undo that we initialized it
+ * to 1 at the beginning.
*/
if (atomic_dec_return(&shared_ctx.num_unfinished) > 0)
wait_for_completion(&shared_ctx.all_finished);
--
2.53.0
* [PATCH v1 1/4] landlock: Fix kernel-doc warning for pointer-to-array parameters
From: Mickaël Salaün @ 2026-03-04 19:31 UTC (permalink / raw)
To: Günther Noack; +Cc: Mickaël Salaün, linux-security-module
The insert_rule() and create_rule() functions take a
pointer-to-flexible-array parameter declared as:
const struct landlock_layer (*const layers)[]
The kernel-doc parser cannot handle a qualifier between * and the
parameter name in this syntax, producing spurious "Invalid param" and
"not described" warnings.
Introduce landlock_layer_array_t as a typedef for the flexible array
type so the parameter can be written as:
const landlock_layer_array_t *const layers
This is the same type but kernel-doc parses it correctly, while
preserving the pointer-to-array type safety that prevents callers from
accidentally passing a pointer to a single element.
Cc: Günther Noack <gnoack@google.com>
Signed-off-by: Mickaël Salaün <mic@digikod.net>
---
security/landlock/ruleset.c | 4 ++--
security/landlock/ruleset.h | 8 ++++++++
2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/security/landlock/ruleset.c b/security/landlock/ruleset.c
index 419b237de635..a61ced492f41 100644
--- a/security/landlock/ruleset.c
+++ b/security/landlock/ruleset.c
@@ -108,7 +108,7 @@ static bool is_object_pointer(const enum landlock_key_type key_type)
static struct landlock_rule *
create_rule(const struct landlock_id id,
- const struct landlock_layer (*const layers)[], const u32 num_layers,
+ const landlock_layer_array_t *const layers, const u32 num_layers,
const struct landlock_layer *const new_layer)
{
struct landlock_rule *new_rule;
@@ -205,7 +205,7 @@ static void build_check_ruleset(void)
*/
static int insert_rule(struct landlock_ruleset *const ruleset,
const struct landlock_id id,
- const struct landlock_layer (*const layers)[],
+ const landlock_layer_array_t *const layers,
const size_t num_layers)
{
struct rb_node **walker_node;
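Review bot: With both signatures touched, the length parameter that accompanies `layers` is `const u32 num_layers` in create_rule() but `const size_t num_layers` in insert_rule(). Nothing in the pointer-to-array type bounds the array, so that count is the only limit on indexing; consider using one type for it in both functions, or note in the commit message why they differ.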
diff --git a/security/landlock/ruleset.h b/security/landlock/ruleset.h
index 9d6dc632684c..87d52031fb5a 100644
--- a/security/landlock/ruleset.h
+++ b/security/landlock/ruleset.h
@@ -37,6 +37,14 @@ struct landlock_layer {
access_mask_t access;
};
+/*
+ * Flexible array of Landlock layers, used for pointer-to-array function
+ * parameters that reference either a stack-allocated layer array or a rule's
+ * flexible array member (struct landlock_rule.layers). This typedef avoids
+ * the complex (*const name)[] syntax that the kernel-doc parser cannot handle.
+ */
+typedef struct landlock_layer landlock_layer_array_t[];
+
/**
* union landlock_key - Key of a ruleset's red-black tree
*/
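Review bot: The comment added above the typedef explains why it exists but not how to use it. landlock_layer_array_t is an incomplete array type, so sizeof cannot be applied to it and a `const landlock_layer_array_t *` parameter must be dereferenced before indexing, with the element count supplied separately. A sentence saying so, and naming the count that travels with it (num_layers in create_rule() and insert_rule()), would keep the `_t` name from reading like a scalar or struct type.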
--
2.53.0
* Re: [PATCH v3 12/12] treewide: change inode->i_ino from unsigned long to u64
From: Damien Le Moal @ 2026-03-04 21:41 UTC (permalink / raw)
To: Jeff Layton, Alexander Viro, Christian Brauner, Jan Kara,
Steven Rostedt, Masami Hiramatsu, Mathieu Desnoyers, Dan Williams,
Eric Biggers, Theodore Y. Ts'o, Muchun Song, Oscar Salvador,
David Hildenbrand, David Howells, Paulo Alcantara, Andreas Dilger,
Jan Kara, Jaegeuk Kim, Chao Yu, Trond Myklebust, Anna Schumaker,
Chuck Lever, NeilBrown, Olga Kornievskaia, Dai Ngo, Tom Talpey,
Steve French, Ronnie Sahlberg, Shyam Prasad N, Bharath SM,
Alexander Aring, Ryusuke Konishi, Viacheslav Dubeyko,
Eric Van Hensbergen, Latchesar Ionkov, Dominique Martinet,
Christian Schoenebeck, David Sterba, Marc Dionne, Ian Kent,
Luis de Bethencourt, Salah Triki, Tigran A. Aivazian,
Ilya Dryomov, Alex Markuze, Jan Harkes, coda, Nicolas Pitre,
Tyler Hicks, Amir Goldstein, Christoph Hellwig,
John Paul Adrian Glaubitz, Yangtao Li, Mikulas Patocka,
David Woodhouse, Richard Weinberger, Dave Kleikamp,
Konstantin Komarov, Mark Fasheh, Joel Becker, Joseph Qi,
Mike Marshall, Martin Brandenburg, Miklos Szeredi, Anders Larsen,
Zhihao Cheng, Naohiro Aota, Johannes Thumshirn, John Johansen,
Paul Moore, James Morris, Serge E. Hallyn, Mimi Zohar,
Roberto Sassu, Dmitry Kasatkin, Eric Snowberg, Fan Wu,
Stephen Smalley, Ondrej Mosnacek, Casey Schaufler, Alex Deucher,
Christian König, David Airlie, Simona Vetter, Sumit Semwal,
Eric Dumazet, Kuniyuki Iwashima, Paolo Abeni, Willem de Bruijn,
David S. Miller, Jakub Kicinski, Simon Horman, Oleg Nesterov,
Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo,
Namhyung Kim, Mark Rutland, Alexander Shishkin, Jiri Olsa,
Ian Rogers, Adrian Hunter, James Clark, Darrick J. Wong,
Martin Schiller, Eric Paris, Joerg Reuter, Marcel Holtmann,
Johan Hedberg, Luiz Augusto von Dentz, Oliver Hartkopp,
Marc Kleine-Budde, David Ahern, Neal Cardwell, Steffen Klassert,
Herbert Xu, Remi Denis-Courmont, Marcelo Ricardo Leitner,
Xin Long, Magnus Karlsson, Maciej Fijalkowski, Stanislav Fomichev,
Alexei Starovoitov, Daniel Borkmann, Jesper Dangaard Brouer,
John Fastabend
Cc: linux-fsdevel, linux-kernel, linux-trace-kernel, nvdimm, fsverity,
linux-mm, netfs, linux-ext4, linux-f2fs-devel, linux-nfs,
linux-cifs, samba-technical, linux-nilfs, v9fs, linux-afs, autofs,
ceph-devel, codalist, ecryptfs, linux-mtd, jfs-discussion, ntfs3,
ocfs2-devel, devel, linux-unionfs, apparmor,
linux-security-module, linux-integrity, selinux, amd-gfx,
dri-devel, linux-media, linaro-mm-sig, netdev, linux-perf-users,
linux-fscrypt, linux-xfs, linux-hams, linux-x25, audit,
linux-bluetooth, linux-can, linux-sctp, bpf
In-Reply-To: <20260304-iino-u64-v3-12-2257ad83d372@kernel.org>
On 3/5/26 00:32, Jeff Layton wrote:
> On 32-bit architectures, unsigned long is only 32 bits wide, which
> causes 64-bit inode numbers to be silently truncated. Several
> filesystems (NFS, XFS, BTRFS, etc.) can generate inode numbers that
> exceed 32 bits, and this truncation can lead to inode number collisions
> and other subtle bugs on 32-bit systems.
>
> Change the type of inode->i_ino from unsigned long to u64 to ensure that
> inode numbers are always represented as 64-bit values regardless of
> architecture. Update all format specifiers treewide from %lu/%lx to
> %llu/%llx to match the new type, along with corresponding local variable
> types.
>
> This is the bulk treewide conversion. Earlier patches in this series
> handled trace events separately to allow trace field reordering for
> better struct packing on 32-bit.
>
> Signed-off-by: Jeff Layton <jlayton@kernel.org>
For the zonefs bits:
Acked-by: Damien Le Moal <dlemoal@kernel.org>
--
Damien Le Moal
Western Digital Research
* Re: [PATCH v3 08/12] zonefs: widen trace event i_ino fields to u64
From: Damien Le Moal @ 2026-03-04 21:41 UTC (permalink / raw)
To: Jeff Layton, Alexander Viro, Christian Brauner, Jan Kara,
Steven Rostedt, Masami Hiramatsu, Mathieu Desnoyers, Dan Williams,
Eric Biggers, Theodore Y. Ts'o, Muchun Song, Oscar Salvador,
David Hildenbrand, David Howells, Paulo Alcantara, Andreas Dilger,
Jan Kara, Jaegeuk Kim, Chao Yu, Trond Myklebust, Anna Schumaker,
Chuck Lever, NeilBrown, Olga Kornievskaia, Dai Ngo, Tom Talpey,
Steve French, Ronnie Sahlberg, Shyam Prasad N, Bharath SM,
Alexander Aring, Ryusuke Konishi, Viacheslav Dubeyko,
Eric Van Hensbergen, Latchesar Ionkov, Dominique Martinet,
Christian Schoenebeck, David Sterba, Marc Dionne, Ian Kent,
Luis de Bethencourt, Salah Triki, Tigran A. Aivazian,
Ilya Dryomov, Alex Markuze, Jan Harkes, coda, Nicolas Pitre,
Tyler Hicks, Amir Goldstein, Christoph Hellwig,
John Paul Adrian Glaubitz, Yangtao Li, Mikulas Patocka,
David Woodhouse, Richard Weinberger, Dave Kleikamp,
Konstantin Komarov, Mark Fasheh, Joel Becker, Joseph Qi,
Mike Marshall, Martin Brandenburg, Miklos Szeredi, Anders Larsen,
Zhihao Cheng, Naohiro Aota, Johannes Thumshirn, John Johansen,
Paul Moore, James Morris, Serge E. Hallyn, Mimi Zohar,
Roberto Sassu, Dmitry Kasatkin, Eric Snowberg, Fan Wu,
Stephen Smalley, Ondrej Mosnacek, Casey Schaufler, Alex Deucher,
Christian König, David Airlie, Simona Vetter, Sumit Semwal,
Eric Dumazet, Kuniyuki Iwashima, Paolo Abeni, Willem de Bruijn,
David S. Miller, Jakub Kicinski, Simon Horman, Oleg Nesterov,
Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo,
Namhyung Kim, Mark Rutland, Alexander Shishkin, Jiri Olsa,
Ian Rogers, Adrian Hunter, James Clark, Darrick J. Wong,
Martin Schiller, Eric Paris, Joerg Reuter, Marcel Holtmann,
Johan Hedberg, Luiz Augusto von Dentz, Oliver Hartkopp,
Marc Kleine-Budde, David Ahern, Neal Cardwell, Steffen Klassert,
Herbert Xu, Remi Denis-Courmont, Marcelo Ricardo Leitner,
Xin Long, Magnus Karlsson, Maciej Fijalkowski, Stanislav Fomichev,
Alexei Starovoitov, Daniel Borkmann, Jesper Dangaard Brouer,
John Fastabend
Cc: linux-fsdevel, linux-kernel, linux-trace-kernel, nvdimm, fsverity,
linux-mm, netfs, linux-ext4, linux-f2fs-devel, linux-nfs,
linux-cifs, samba-technical, linux-nilfs, v9fs, linux-afs, autofs,
ceph-devel, codalist, ecryptfs, linux-mtd, jfs-discussion, ntfs3,
ocfs2-devel, devel, linux-unionfs, apparmor,
linux-security-module, linux-integrity, selinux, amd-gfx,
dri-devel, linux-media, linaro-mm-sig, netdev, linux-perf-users,
linux-fscrypt, linux-xfs, linux-hams, linux-x25, audit,
linux-bluetooth, linux-can, linux-sctp, bpf
In-Reply-To: <20260304-iino-u64-v3-8-2257ad83d372@kernel.org>
On 3/5/26 00:32, Jeff Layton wrote:
> Update zonefs trace event definitions to use u64 instead of
> ino_t/unsigned long for inode number fields.
>
> Signed-off-by: Jeff Layton <jlayton@kernel.org>
Acked-by: Damien Le Moal <dlemoal@kernel.org>
--
Damien Le Moal
Western Digital Research
* Re: [PATCH v3 00/15] Further centralising of directory locking for name ops.
From: NeilBrown @ 2026-03-05 1:24 UTC (permalink / raw)
To: Christian Brauner, Alexander Viro, David Howells, Jan Kara,
Chuck Lever, Jeff Layton, Miklos Szeredi, Amir Goldstein,
John Johansen, Paul Moore, James Morris, Serge E. Hallyn,
Stephen Smalley, Darrick J. Wong
Cc: linux-kernel, netfs, linux-fsdevel, linux-nfs, linux-unionfs,
apparmor, linux-security-module, selinux
In-Reply-To: <20260224222542.3458677-1-neilb@ownmail.net>
Hi Christian,
do you have thoughts about this series? Any idea when you might have
time to review and (hopefully) apply them?
Thanks,
NeilBrown
On Wed, 25 Feb 2026, NeilBrown wrote:
> Following Chris Mason's tool-based review, here is v3 with some fixes.
> Particularly 06/15 mistakenly tested the result of start_creating for NULL
> and 09/15 had some really messed up flow in error handling.
> Also human-language typos fixed.
>
> This code is in
> github.com:neilbrown/linux.git
> branch pdirops
>
> For anyone interested, my next batch is in branch pdirops-next
>
> Original patch description below.
>
> Thanks,
> NeilBrown
>
> I am working towards changing the locking rules for name-operations: locking
> the name rather than the whole directory.
>
> The current part of this process is centralising all the locking so that
> it can be changed in one place.
>
> Recently "start_creating", "start_removing", "start_renaming" and related
> interfaces were added which combine the locking and the lookup. At that time
> many callers were changed to use the new interfaces. However there are still
> an assortment of places outside of fs/namei.c where the directory is locked
> explicitly, whether with inode_lock() or lock_rename() or similar. These were
> missed in the first pass for an assortment of uninteresting reasons.
>
> This series addresses the remaining places where explicit locking is
> used, and changes them to use the new interfaces, or otherwise removes
> the explicit locking.
>
> The biggest changes are in overlayfs. The other changes are quite
> simple, though maybe the cachefiles change is the least simple of those.
>
> I'm running the --overlay tests in xfstests and nothing has popped yet.
> I'll continue with this and run some NFS tests too.
>
> Thanks for your review of these patches!
>
> NeilBrown
>
> [PATCH v3 01/15] VFS: note error returns in documentation for various
> [PATCH v3 02/15] fs/proc: Don't lock root inode when creating "self"
> [PATCH v3 03/15] VFS: move the start_dirop() kerndoc comment to
> [PATCH v3 04/15] libfs: change simple_done_creating() to use
> [PATCH v3 05/15] Apparmor: Use simple_start_creating() /
> [PATCH v3 06/15] selinux: Use simple_start_creating() /
> [PATCH v3 07/15] nfsd: switch purge_old() to use
> [PATCH v3 08/15] VFS: make lookup_one_qstr_excl() static.
> [PATCH v3 09/15] ovl: Simplify ovl_lookup_real_one()
> [PATCH v3 10/15] cachefiles: change cachefiles_bury_object to use
> [PATCH v3 11/15] ovl: pass name buffer to ovl_start_creating_temp()
> [PATCH v3 12/15] ovl: change ovl_create_real() to get a new lock when
> [PATCH v3 13/15] ovl: use is_subdir() for testing if one thing is a
> [PATCH v3 14/15] ovl: remove ovl_lock_rename_workdir()
> [PATCH v3 15/15] VFS: unexport lock_rename(), lock_rename_child(),
>
>
* [PATCH v2 0/8] module: Move 'struct module_signature' to UAPI
From: Thomas Weißschuh @ 2026-03-05 7:11 UTC (permalink / raw)
To: David Howells, David Woodhouse, Luis Chamberlain, Petr Pavlu,
Daniel Gomez, Sami Tolvanen, Aaron Tomlin, Heiko Carstens,
Vasily Gorbik, Alexander Gordeev, Christian Borntraeger,
Sven Schnelle, Mimi Zohar, Roberto Sassu, Dmitry Kasatkin,
Eric Snowberg, Paul Moore, James Morris, Serge E. Hallyn,
Nathan Chancellor, Nicolas Schier, Alexei Starovoitov,
Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau,
Eduard Zingerman, Song Liu, Yonghong Song, John Fastabend,
KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, Shuah Khan
Cc: keyrings, linux-kernel, linux-modules, linux-s390,
linux-integrity, linux-security-module, linux-kbuild, bpf,
linux-kselftest, Thomas Weißschuh
This structure definition is used outside the kernel proper.
For example in kmod and the kernel build environment.
To allow reuse, move it to a new UAPI header.
While it is not a true UAPI, it is a common practice to have
non-UAPI interface definitions in the kernel's UAPI headers.
This came up as part of my CONFIG_MODULE_HASHES series [0].
But it is useful on its own and so we get it out of the way.
[0] https://lore.kernel.org/lkml/aZ3OfJJSJgfOb0rJ@levanger/
Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
---
Changes in v2:
- Drop spurious definition of MODULE_SIGNATURE_TYPE_MERKLE.
- s/modules/module/ in two patch subjects.
- Pick up review tags.
- Link to v1: https://lore.kernel.org/r/20260302-module-signature-uapi-v1-0-207d955e0d69@linutronix.de
---
Thomas Weißschuh (8):
extract-cert: drop unused definition of PKEY_ID_PKCS7
module: Drop unused signature types
module: Give 'enum pkey_id_type' a more specific name
module: Give MODULE_SIG_STRING a more descriptive name
module: Move 'struct module_signature' to UAPI
tools uapi headers: add linux/module_signature.h
sign-file: use 'struct module_signature' from the UAPI headers
selftests/bpf: verify_pkcs7_sig: Use 'struct module_signature' from the UAPI headers
arch/s390/kernel/machine_kexec_file.c | 6 ++--
certs/extract-cert.c | 2 --
include/linux/module_signature.h | 30 +---------------
include/uapi/linux/module_signature.h | 41 ++++++++++++++++++++++
kernel/module/signing.c | 4 +--
kernel/module_signature.c | 2 +-
scripts/Makefile | 1 +
scripts/sign-file.c | 19 +++-------
security/integrity/ima/ima_modsig.c | 6 ++--
tools/include/uapi/linux/module_signature.h | 41 ++++++++++++++++++++++
.../selftests/bpf/prog_tests/verify_pkcs7_sig.c | 28 ++-------------
11 files changed, 100 insertions(+), 80 deletions(-)
---
base-commit: 6de23f81a5e08be8fbf5e8d7e9febc72a5b5f27f
change-id: 20260302-module-signature-uapi-61fa80b1e2bb
Best regards,
--
Thomas Weißschuh <thomas.weissschuh@linutronix.de>
* [PATCH v2 1/8] extract-cert: drop unused definition of PKEY_ID_PKCS7
From: Thomas Weißschuh @ 2026-03-05 7:11 UTC (permalink / raw)
To: David Howells, David Woodhouse, Luis Chamberlain, Petr Pavlu,
Daniel Gomez, Sami Tolvanen, Aaron Tomlin, Heiko Carstens,
Vasily Gorbik, Alexander Gordeev, Christian Borntraeger,
Sven Schnelle, Mimi Zohar, Roberto Sassu, Dmitry Kasatkin,
Eric Snowberg, Paul Moore, James Morris, Serge E. Hallyn,
Nathan Chancellor, Nicolas Schier, Alexei Starovoitov,
Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau,
Eduard Zingerman, Song Liu, Yonghong Song, John Fastabend,
KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, Shuah Khan
Cc: keyrings, linux-kernel, linux-modules, linux-s390,
linux-integrity, linux-security-module, linux-kbuild, bpf,
linux-kselftest, Thomas Weißschuh
In-Reply-To: <20260305-module-signature-uapi-v2-0-dc4d81129dee@linutronix.de>
This definition duplicates a definition from an internal kernel header
which is going to be renamed.
To get rid of an instance of the old name, drop the definition.
Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
Reviewed-by: Petr Pavlu <petr.pavlu@suse.com>
---
certs/extract-cert.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/certs/extract-cert.c b/certs/extract-cert.c
index 7d6d468ed612..8c762f908443 100644
--- a/certs/extract-cert.c
+++ b/certs/extract-cert.c
@@ -33,8 +33,6 @@
#endif
#include "ssl-common.h"
-#define PKEY_ID_PKCS7 2
-
static __attribute__((noreturn))
void format(void)
{
--
2.53.0
* [PATCH v2 2/8] module: Drop unused signature types
From: Thomas Weißschuh @ 2026-03-05 7:11 UTC (permalink / raw)
To: David Howells, David Woodhouse, Luis Chamberlain, Petr Pavlu,
Daniel Gomez, Sami Tolvanen, Aaron Tomlin, Heiko Carstens,
Vasily Gorbik, Alexander Gordeev, Christian Borntraeger,
Sven Schnelle, Mimi Zohar, Roberto Sassu, Dmitry Kasatkin,
Eric Snowberg, Paul Moore, James Morris, Serge E. Hallyn,
Nathan Chancellor, Nicolas Schier, Alexei Starovoitov,
Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau,
Eduard Zingerman, Song Liu, Yonghong Song, John Fastabend,
KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, Shuah Khan
Cc: keyrings, linux-kernel, linux-modules, linux-s390,
linux-integrity, linux-security-module, linux-kbuild, bpf,
linux-kselftest, Thomas Weißschuh
In-Reply-To: <20260305-module-signature-uapi-v2-0-dc4d81129dee@linutronix.de>
Only PKCS#7 signatures are used today.
Remove the unused enum values. As this enum is used in on-disk data,
preserve the numeric value.
Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
Reviewed-by: Petr Pavlu <petr.pavlu@suse.com>
---
include/linux/module_signature.h | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/include/linux/module_signature.h b/include/linux/module_signature.h
index 7eb4b00381ac..820cc1473383 100644
--- a/include/linux/module_signature.h
+++ b/include/linux/module_signature.h
@@ -15,9 +15,7 @@
#define MODULE_SIG_STRING "~Module signature appended~\n"
enum pkey_id_type {
- PKEY_ID_PGP, /* OpenPGP generated key ID */
- PKEY_ID_X509, /* X.509 arbitrary subjectKeyIdentifier */
- PKEY_ID_PKCS7, /* Signature in PKCS#7 message */
+ PKEY_ID_PKCS7 = 2, /* Signature in PKCS#7 message */
};
/*
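Review bot: After this hunk the enum starts at `PKEY_ID_PKCS7 = 2` with nothing in the code recording why 0 and 1 are skipped. The commit message says the value is preserved because the enum is used in on-disk data; put that in a comment next to the enumerator, and say that 0 and 1 were PKEY_ID_PGP and PKEY_ID_X509 and must not be reused, so a later addition does not reassign them.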
--
2.53.0
* [PATCH v2 3/8] module: Give 'enum pkey_id_type' a more specific name
From: Thomas Weißschuh @ 2026-03-05 7:11 UTC (permalink / raw)
To: David Howells, David Woodhouse, Luis Chamberlain, Petr Pavlu,
Daniel Gomez, Sami Tolvanen, Aaron Tomlin, Heiko Carstens,
Vasily Gorbik, Alexander Gordeev, Christian Borntraeger,
Sven Schnelle, Mimi Zohar, Roberto Sassu, Dmitry Kasatkin,
Eric Snowberg, Paul Moore, James Morris, Serge E. Hallyn,
Nathan Chancellor, Nicolas Schier, Alexei Starovoitov,
Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau,
Eduard Zingerman, Song Liu, Yonghong Song, John Fastabend,
KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, Shuah Khan
Cc: keyrings, linux-kernel, linux-modules, linux-s390,
linux-integrity, linux-security-module, linux-kbuild, bpf,
linux-kselftest, Thomas Weißschuh
In-Reply-To: <20260305-module-signature-uapi-v2-0-dc4d81129dee@linutronix.de>
This enum originates in generic cryptographic code and has a very
generic name. Nowadays it is only used for module signatures.
As this enum is going to be exposed in a UAPI header, give it a more
specific name for clarity and consistency.
Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
Reviewed-by: Petr Pavlu <petr.pavlu@suse.com>
---
arch/s390/kernel/machine_kexec_file.c | 2 +-
include/linux/module_signature.h | 6 +++---
kernel/module_signature.c | 2 +-
3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/arch/s390/kernel/machine_kexec_file.c b/arch/s390/kernel/machine_kexec_file.c
index 1bf59c3f0e2b..667ee9279e23 100644
--- a/arch/s390/kernel/machine_kexec_file.c
+++ b/arch/s390/kernel/machine_kexec_file.c
@@ -53,7 +53,7 @@ int s390_verify_sig(const char *kernel, unsigned long kernel_len)
return -EKEYREJECTED;
kernel_len -= sig_len;
- if (ms->id_type != PKEY_ID_PKCS7)
+ if (ms->id_type != MODULE_SIGNATURE_TYPE_PKCS7)
return -EKEYREJECTED;
if (ms->algo != 0 ||
diff --git a/include/linux/module_signature.h b/include/linux/module_signature.h
index 820cc1473383..c3a05d4cfe67 100644
--- a/include/linux/module_signature.h
+++ b/include/linux/module_signature.h
@@ -14,8 +14,8 @@
/* In stripped ARM and x86-64 modules, ~ is surprisingly rare. */
#define MODULE_SIG_STRING "~Module signature appended~\n"
-enum pkey_id_type {
- PKEY_ID_PKCS7 = 2, /* Signature in PKCS#7 message */
+enum module_signature_type {
+ MODULE_SIGNATURE_TYPE_PKCS7 = 2, /* Signature in PKCS#7 message */
};
/*
@@ -31,7 +31,7 @@ enum pkey_id_type {
struct module_signature {
u8 algo; /* Public-key crypto algorithm [0] */
u8 hash; /* Digest algorithm [0] */
- u8 id_type; /* Key identifier type [PKEY_ID_PKCS7] */
+ u8 id_type; /* Key identifier type [enum module_signature_type] */
u8 signer_len; /* Length of signer's name [0] */
u8 key_id_len; /* Length of key identifier [0] */
u8 __pad[3];
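Review bot: The new comment on id_type, `[enum module_signature_type]`, names a type, while the brackets on the neighbouring fields give the value the field must hold (`[0]`), as the old `[PKEY_ID_PKCS7]` did. Writing `[MODULE_SIGNATURE_TYPE_PKCS7]` would keep that convention and tell a reader of the struct which value the checks in s390_verify_sig() and mod_check_sig() accept.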
diff --git a/kernel/module_signature.c b/kernel/module_signature.c
index 00132d12487c..a0eee2fe4368 100644
--- a/kernel/module_signature.c
+++ b/kernel/module_signature.c
@@ -24,7 +24,7 @@ int mod_check_sig(const struct module_signature *ms, size_t file_len,
if (be32_to_cpu(ms->sig_len) >= file_len - sizeof(*ms))
return -EBADMSG;
- if (ms->id_type != PKEY_ID_PKCS7) {
+ if (ms->id_type != MODULE_SIGNATURE_TYPE_PKCS7) {
pr_err("%s: not signed with expected PKCS#7 message\n",
name);
return -ENOPKG;
--
2.53.0
* [PATCH v2 4/8] module: Give MODULE_SIG_STRING a more descriptive name
From: Thomas Weißschuh @ 2026-03-05 7:11 UTC (permalink / raw)
To: David Howells, David Woodhouse, Luis Chamberlain, Petr Pavlu,
Daniel Gomez, Sami Tolvanen, Aaron Tomlin, Heiko Carstens,
Vasily Gorbik, Alexander Gordeev, Christian Borntraeger,
Sven Schnelle, Mimi Zohar, Roberto Sassu, Dmitry Kasatkin,
Eric Snowberg, Paul Moore, James Morris, Serge E. Hallyn,
Nathan Chancellor, Nicolas Schier, Alexei Starovoitov,
Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau,
Eduard Zingerman, Song Liu, Yonghong Song, John Fastabend,
KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, Shuah Khan
Cc: keyrings, linux-kernel, linux-modules, linux-s390,
linux-integrity, linux-security-module, linux-kbuild, bpf,
linux-kselftest, Thomas Weißschuh
In-Reply-To: <20260305-module-signature-uapi-v2-0-dc4d81129dee@linutronix.de>
The purpose of the constant is not entirely clear from its name.
As this constant is going to be exposed in a UAPI header, give it a more
specific name for clarity. As all its users call it 'marker', use that
wording in the constant itself.
Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
Reviewed-by: Petr Pavlu <petr.pavlu@suse.com>
---
arch/s390/kernel/machine_kexec_file.c | 4 ++--
include/linux/module_signature.h | 2 +-
kernel/module/signing.c | 4 ++--
security/integrity/ima/ima_modsig.c | 6 +++---
4 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/arch/s390/kernel/machine_kexec_file.c b/arch/s390/kernel/machine_kexec_file.c
index 667ee9279e23..6f0852d5a3a9 100644
--- a/arch/s390/kernel/machine_kexec_file.c
+++ b/arch/s390/kernel/machine_kexec_file.c
@@ -28,7 +28,7 @@ const struct kexec_file_ops * const kexec_file_loaders[] = {
#ifdef CONFIG_KEXEC_SIG
int s390_verify_sig(const char *kernel, unsigned long kernel_len)
{
- const unsigned long marker_len = sizeof(MODULE_SIG_STRING) - 1;
+ const unsigned long marker_len = sizeof(MODULE_SIGNATURE_MARKER) - 1;
struct module_signature *ms;
unsigned long sig_len;
int ret;
@@ -40,7 +40,7 @@ int s390_verify_sig(const char *kernel, unsigned long kernel_len)
if (marker_len > kernel_len)
return -EKEYREJECTED;
- if (memcmp(kernel + kernel_len - marker_len, MODULE_SIG_STRING,
+ if (memcmp(kernel + kernel_len - marker_len, MODULE_SIGNATURE_MARKER,
marker_len))
return -EKEYREJECTED;
kernel_len -= marker_len;
diff --git a/include/linux/module_signature.h b/include/linux/module_signature.h
index c3a05d4cfe67..915549c779dc 100644
--- a/include/linux/module_signature.h
+++ b/include/linux/module_signature.h
@@ -12,7 +12,7 @@
#include <linux/types.h>
/* In stripped ARM and x86-64 modules, ~ is surprisingly rare. */
-#define MODULE_SIG_STRING "~Module signature appended~\n"
+#define MODULE_SIGNATURE_MARKER "~Module signature appended~\n"
enum module_signature_type {
MODULE_SIGNATURE_TYPE_PKCS7 = 2, /* Signature in PKCS#7 message */
diff --git a/kernel/module/signing.c b/kernel/module/signing.c
index a2ff4242e623..590ba29c85ab 100644
--- a/kernel/module/signing.c
+++ b/kernel/module/signing.c
@@ -70,7 +70,7 @@ int mod_verify_sig(const void *mod, struct load_info *info)
int module_sig_check(struct load_info *info, int flags)
{
int err = -ENODATA;
- const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1;
+ const unsigned long markerlen = sizeof(MODULE_SIGNATURE_MARKER) - 1;
const char *reason;
const void *mod = info->hdr;
bool mangled_module = flags & (MODULE_INIT_IGNORE_MODVERSIONS |
@@ -81,7 +81,7 @@ int module_sig_check(struct load_info *info, int flags)
*/
if (!mangled_module &&
info->len > markerlen &&
- memcmp(mod + info->len - markerlen, MODULE_SIG_STRING, markerlen) == 0) {
+ memcmp(mod + info->len - markerlen, MODULE_SIGNATURE_MARKER, markerlen) == 0) {
/* We truncate the module to discard the signature */
info->len -= markerlen;
err = mod_verify_sig(mod, info);
diff --git a/security/integrity/ima/ima_modsig.c b/security/integrity/ima/ima_modsig.c
index 9aa92fd35a03..632c746fd81e 100644
--- a/security/integrity/ima/ima_modsig.c
+++ b/security/integrity/ima/ima_modsig.c
@@ -40,7 +40,7 @@ struct modsig {
int ima_read_modsig(enum ima_hooks func, const void *buf, loff_t buf_len,
struct modsig **modsig)
{
- const size_t marker_len = strlen(MODULE_SIG_STRING);
+ const size_t marker_len = strlen(MODULE_SIGNATURE_MARKER);
const struct module_signature *sig;
struct modsig *hdr;
size_t sig_len;
@@ -51,7 +51,7 @@ int ima_read_modsig(enum ima_hooks func, const void *buf, loff_t buf_len,
return -ENOENT;
p = buf + buf_len - marker_len;
- if (memcmp(p, MODULE_SIG_STRING, marker_len))
+ if (memcmp(p, MODULE_SIGNATURE_MARKER, marker_len))
return -ENOENT;
buf_len -= marker_len;
@@ -105,7 +105,7 @@ void ima_collect_modsig(struct modsig *modsig, const void *buf, loff_t size)
* Provide the file contents (minus the appended sig) so that the PKCS7
* code can calculate the file hash.
*/
- size -= modsig->raw_pkcs7_len + strlen(MODULE_SIG_STRING) +
+ size -= modsig->raw_pkcs7_len + strlen(MODULE_SIGNATURE_MARKER) +
sizeof(struct module_signature);
rc = pkcs7_supply_detached_data(modsig->pkcs7_msg, buf, size);
if (rc)
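Review bot: The marker length is still computed two different ways after the rename: `sizeof(MODULE_SIGNATURE_MARKER) - 1` in s390_verify_sig() and module_sig_check(), and `strlen(MODULE_SIGNATURE_MARKER)` in ima_read_modsig() and again in this hunk in ima_collect_modsig(). As every user is being edited here, consider defining the length once beside the marker so the subtraction in this hunk and the memcmp() lengths elsewhere cannot drift apart.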
--
2.53.0
* [PATCH v2 6/8] tools uapi headers: add linux/module_signature.h
From: Thomas Weißschuh @ 2026-03-05 7:11 UTC (permalink / raw)
To: David Howells, David Woodhouse, Luis Chamberlain, Petr Pavlu,
Daniel Gomez, Sami Tolvanen, Aaron Tomlin, Heiko Carstens,
Vasily Gorbik, Alexander Gordeev, Christian Borntraeger,
Sven Schnelle, Mimi Zohar, Roberto Sassu, Dmitry Kasatkin,
Eric Snowberg, Paul Moore, James Morris, Serge E. Hallyn,
Nathan Chancellor, Nicolas Schier, Alexei Starovoitov,
Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau,
Eduard Zingerman, Song Liu, Yonghong Song, John Fastabend,
KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, Shuah Khan
Cc: keyrings, linux-kernel, linux-modules, linux-s390,
linux-integrity, linux-security-module, linux-kbuild, bpf,
linux-kselftest, Thomas Weißschuh
In-Reply-To: <20260305-module-signature-uapi-v2-0-dc4d81129dee@linutronix.de>
This header is going to be used from scripts/sign-file.
Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
Reviewed-by: Petr Pavlu <petr.pavlu@suse.com>
---
tools/include/uapi/linux/module_signature.h | 41 +++++++++++++++++++++++++++++
1 file changed, 41 insertions(+)
diff --git a/tools/include/uapi/linux/module_signature.h b/tools/include/uapi/linux/module_signature.h
new file mode 100644
index 000000000000..634c9f1c8fc2
--- /dev/null
+++ b/tools/include/uapi/linux/module_signature.h
@@ -0,0 +1,41 @@
+/* SPDX-License-Identifier: GPL-2.0+ WITH Linux-syscall-note */
+/*
+ * Module signature handling.
+ *
+ * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowells@redhat.com)
+ */
+
+#ifndef _UAPI_LINUX_MODULE_SIGNATURE_H
+#define _UAPI_LINUX_MODULE_SIGNATURE_H
+
+#include <linux/types.h>
+
+/* In stripped ARM and x86-64 modules, ~ is surprisingly rare. */
+#define MODULE_SIGNATURE_MARKER "~Module signature appended~\n"
+
+enum module_signature_type {
+ MODULE_SIGNATURE_TYPE_PKCS7 = 2, /* Signature in PKCS#7 message */
+};
+
+/*
+ * Module signature information block.
+ *
+ * The constituents of the signature section are, in order:
+ *
+ * - Signer's name
+ * - Key identifier
+ * - Signature data
+ * - Information block
+ */
+struct module_signature {
+ __u8 algo; /* Public-key crypto algorithm [0] */
+ __u8 hash; /* Digest algorithm [0] */
+ __u8 id_type; /* Key identifier type [enum module_signature_type] */
+ __u8 signer_len; /* Length of signer's name [0] */
+ __u8 key_id_len; /* Length of key identifier [0] */
+ __u8 __pad[3];
+ __be32 sig_len; /* Length of signature data */
+};
+
+#endif /* _UAPI_LINUX_MODULE_SIGNATURE_H */
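Review bot: The layout comment above struct module_signature ends its list at "Information block", but the header also defines MODULE_SIGNATURE_MARKER, and every user touched in this series looks for that marker at the very end of the file, after the information block. For a header aimed at consumers outside the kernel, add the marker as the last item of the list and state that sig_len is big-endian (`__be32`), since those are the two details a userspace parser has to get right.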
--
2.53.0
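The trailer layout that the module_signature.h header in this series describes (signature data, then the information block, then the marker at the very end of the file), as an added userspace example that is not code from the series, kmod or sign-file. The names modsig_locate, modsig_view, modsig_status and modsig_build_sample are hypothetical, the sample bytes are constructed, and rejecting a zero sig_len or non-zero padding is this example's own choice.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values copied from the header in the patch above. */
#define MODULE_SIGNATURE_MARKER "~Module signature appended~\n"
#define MODULE_SIGNATURE_TYPE_PKCS7 2
#define MARKER_LEN (sizeof(MODULE_SIGNATURE_MARKER) - 1)

/* Userspace mirror of struct module_signature; sig_len (__be32 in the
 * header) is kept as four bytes so no endian helper is needed. */
struct module_signature {
	uint8_t algo, hash, id_type, signer_len, key_id_len;
	uint8_t pad[3];
	uint8_t sig_len[4];
};
_Static_assert(sizeof(struct module_signature) == 12, "info block is 12 bytes");

/* Hypothetical result codes for this example. */
enum modsig_status {
	MODSIG_OK = 0,
	MODSIG_UNSIGNED,	/* no trailing marker */
	MODSIG_TRUNCATED,	/* marker present, no room for the info block */
	MODSIG_BAD_LENGTH,	/* sig_len is zero or leaves no payload */
	MODSIG_BAD_TYPE,	/* id_type is not PKCS#7 */
	MODSIG_BAD_FIELDS,	/* a field documented as [0] is not zero */
};

struct modsig_view {
	size_t payload_len;	/* bytes the signature covers */
	size_t sig_off;		/* offset of the signature data */
	size_t sig_len;
};

/* Walk the file backwards: marker, information block, signature data. */
enum modsig_status modsig_locate(const uint8_t *buf, size_t len,
				 struct modsig_view *out)
{
	struct module_signature ms;
	size_t rest = len, sig_len;

	if (rest < MARKER_LEN ||
	    memcmp(buf + rest - MARKER_LEN, MODULE_SIGNATURE_MARKER, MARKER_LEN))
		return MODSIG_UNSIGNED;
	rest -= MARKER_LEN;

	if (rest < sizeof(ms))
		return MODSIG_TRUNCATED;
	rest -= sizeof(ms);
	memcpy(&ms, buf + rest, sizeof(ms));

	/* Big-endian length, checked against what is left before any use. */
	sig_len = ((size_t)ms.sig_len[0] << 24) | ((size_t)ms.sig_len[1] << 16) |
		  ((size_t)ms.sig_len[2] << 8) | ms.sig_len[3];
	if (sig_len == 0 || sig_len >= rest)
		return MODSIG_BAD_LENGTH;

	if (ms.id_type != MODULE_SIGNATURE_TYPE_PKCS7)
		return MODSIG_BAD_TYPE;
	if (ms.algo || ms.hash || ms.signer_len || ms.key_id_len ||
	    ms.pad[0] || ms.pad[1] || ms.pad[2])
		return MODSIG_BAD_FIELDS;

	out->sig_len = sig_len;
	out->sig_off = rest - sig_len;
	out->payload_len = out->sig_off; /* signer name and key id are empty */
	return MODSIG_OK;
}

/* Constructed sample: 11 payload bytes, 6 placeholder signature bytes (not
 * a real PKCS#7 message), the info block, the marker. Needs 57 bytes. */
size_t modsig_build_sample(uint8_t *out, uint8_t id_type, uint32_t sig_len_field)
{
	static const char payload[] = "ELF-PAYLOAD";
	static const uint8_t sig[] = { 0x30, 0x04, 0xde, 0xad, 0xbe, 0xef };
	struct module_signature ms = { .id_type = id_type };
	size_t off = 0;

	ms.sig_len[0] = (uint8_t)(sig_len_field >> 24);
	ms.sig_len[1] = (uint8_t)(sig_len_field >> 16);
	ms.sig_len[2] = (uint8_t)(sig_len_field >> 8);
	ms.sig_len[3] = (uint8_t)sig_len_field;

	memcpy(out + off, payload, sizeof(payload) - 1); off += sizeof(payload) - 1;
	memcpy(out + off, sig, sizeof(sig));             off += sizeof(sig);
	memcpy(out + off, &ms, sizeof(ms));              off += sizeof(ms);
	memcpy(out + off, MODULE_SIGNATURE_MARKER, MARKER_LEN);
	return off + MARKER_LEN;
}

int main(void)
{
	uint8_t buf[128];
	struct modsig_view v = { 0 };
	size_t n = modsig_build_sample(buf, MODULE_SIGNATURE_TYPE_PKCS7, 6);
	enum modsig_status st = modsig_locate(buf, n, &v);

	printf("status=%d payload=%zu sig_off=%zu sig_len=%zu\n",
	       st, v.payload_len, v.sig_off, v.sig_len);
	return st != MODSIG_OK;
}
```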
* [PATCH v2 5/8] module: Move 'struct module_signature' to UAPI
From: Thomas Weißschuh @ 2026-03-05 7:11 UTC (permalink / raw)
To: David Howells, David Woodhouse, Luis Chamberlain, Petr Pavlu,
Daniel Gomez, Sami Tolvanen, Aaron Tomlin, Heiko Carstens,
Vasily Gorbik, Alexander Gordeev, Christian Borntraeger,
Sven Schnelle, Mimi Zohar, Roberto Sassu, Dmitry Kasatkin,
Eric Snowberg, Paul Moore, James Morris, Serge E. Hallyn,
Nathan Chancellor, Nicolas Schier, Alexei Starovoitov,
Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau,
Eduard Zingerman, Song Liu, Yonghong Song, John Fastabend,
KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, Shuah Khan
Cc: keyrings, linux-kernel, linux-modules, linux-s390,
linux-integrity, linux-security-module, linux-kbuild, bpf,
linux-kselftest, Thomas Weißschuh
In-Reply-To: <20260305-module-signature-uapi-v2-0-dc4d81129dee@linutronix.de>
This structure definition is used outside the kernel proper.
For example in kmod and the kernel build environment.
To allow reuse, move it to a new UAPI header.
While it is not a true UAPI, it is a common practice to have
non-UAPI interface definitions in the kernel's UAPI headers.
Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
Reviewed-by: Petr Pavlu <petr.pavlu@suse.com>
---
include/linux/module_signature.h | 28 +-----------------------
include/uapi/linux/module_signature.h | 41 +++++++++++++++++++++++++++++++++++
2 files changed, 42 insertions(+), 27 deletions(-)
diff --git a/include/linux/module_signature.h b/include/linux/module_signature.h
index 915549c779dc..db335d46787f 100644
--- a/include/linux/module_signature.h
+++ b/include/linux/module_signature.h
@@ -10,33 +10,7 @@
#define _LINUX_MODULE_SIGNATURE_H
#include <linux/types.h>
-
-/* In stripped ARM and x86-64 modules, ~ is surprisingly rare. */
-#define MODULE_SIGNATURE_MARKER "~Module signature appended~\n"
-
-enum module_signature_type {
- MODULE_SIGNATURE_TYPE_PKCS7 = 2, /* Signature in PKCS#7 message */
-};
-
-/*
- * Module signature information block.
- *
- * The constituents of the signature section are, in order:
- *
- * - Signer's name
- * - Key identifier
- * - Signature data
- * - Information block
- */
-struct module_signature {
- u8 algo; /* Public-key crypto algorithm [0] */
- u8 hash; /* Digest algorithm [0] */
- u8 id_type; /* Key identifier type [enum module_signature_type] */
- u8 signer_len; /* Length of signer's name [0] */
- u8 key_id_len; /* Length of key identifier [0] */
- u8 __pad[3];
- __be32 sig_len; /* Length of signature data */
-};
+#include <uapi/linux/module_signature.h>
int mod_check_sig(const struct module_signature *ms, size_t file_len,
const char *name);
diff --git a/include/uapi/linux/module_signature.h b/include/uapi/linux/module_signature.h
new file mode 100644
index 000000000000..634c9f1c8fc2
--- /dev/null
+++ b/include/uapi/linux/module_signature.h
@@ -0,0 +1,41 @@
+/* SPDX-License-Identifier: GPL-2.0+ WITH Linux-syscall-note */
+/*
+ * Module signature handling.
+ *
+ * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowells@redhat.com)
+ */
+
+#ifndef _UAPI_LINUX_MODULE_SIGNATURE_H
+#define _UAPI_LINUX_MODULE_SIGNATURE_H
+
+#include <linux/types.h>
+
+/* In stripped ARM and x86-64 modules, ~ is surprisingly rare. */
+#define MODULE_SIGNATURE_MARKER "~Module signature appended~\n"
+
+enum module_signature_type {
+ MODULE_SIGNATURE_TYPE_PKCS7 = 2, /* Signature in PKCS#7 message */
+};
+
+/*
+ * Module signature information block.
+ *
+ * The constituents of the signature section are, in order:
+ *
+ * - Signer's name
+ * - Key identifier
+ * - Signature data
+ * - Information block
+ */
+struct module_signature {
+ __u8 algo; /* Public-key crypto algorithm [0] */
+ __u8 hash; /* Digest algorithm [0] */
+ __u8 id_type; /* Key identifier type [enum module_signature_type] */
+ __u8 signer_len; /* Length of signer's name [0] */
+ __u8 key_id_len; /* Length of key identifier [0] */
+ __u8 __pad[3];
+ __be32 sig_len; /* Length of signature data */
+};
+
+#endif /* _UAPI_LINUX_MODULE_SIGNATURE_H */
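Review bot: the comment above `struct module_signature` lists the constituents of the signature section as ending with the information block, but scripts/sign-file writes MODULE_SIGNATURE_MARKER after that block, and the readers touched by this series find the block by first matching the marker at the end of the file. Now that this header is the reference for users such as kmod, consider adding the marker as the last list item, or saying explicitly that it follows the information block.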
--
2.53.0
* [PATCH v2 7/8] sign-file: use 'struct module_signature' from the UAPI headers
From: Thomas Weißschuh @ 2026-03-05 7:11 UTC (permalink / raw)
To: David Howells, David Woodhouse, Luis Chamberlain, Petr Pavlu,
Daniel Gomez, Sami Tolvanen, Aaron Tomlin, Heiko Carstens,
Vasily Gorbik, Alexander Gordeev, Christian Borntraeger,
Sven Schnelle, Mimi Zohar, Roberto Sassu, Dmitry Kasatkin,
Eric Snowberg, Paul Moore, James Morris, Serge E. Hallyn,
Nathan Chancellor, Nicolas Schier, Alexei Starovoitov,
Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau,
Eduard Zingerman, Song Liu, Yonghong Song, John Fastabend,
KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, Shuah Khan
Cc: keyrings, linux-kernel, linux-modules, linux-s390,
linux-integrity, linux-security-module, linux-kbuild, bpf,
linux-kselftest, Thomas Weißschuh
In-Reply-To: <20260305-module-signature-uapi-v2-0-dc4d81129dee@linutronix.de>
Now that the UAPI headers provide the required definitions, use those.
Some symbols have been renamed, adapt to those.
Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
Reviewed-by: Petr Pavlu <petr.pavlu@suse.com>
---
scripts/Makefile | 1 +
scripts/sign-file.c | 19 ++++---------------
2 files changed, 5 insertions(+), 15 deletions(-)
diff --git a/scripts/Makefile b/scripts/Makefile
index 0941e5ce7b57..3434a82a119f 100644
--- a/scripts/Makefile
+++ b/scripts/Makefile
@@ -35,6 +35,7 @@ HOSTCFLAGS_sorttable.o = -I$(srctree)/tools/include
HOSTLDLIBS_sorttable = -lpthread
HOSTCFLAGS_asn1_compiler.o = -I$(srctree)/include
HOSTCFLAGS_sign-file.o = $(shell $(HOSTPKG_CONFIG) --cflags libcrypto 2> /dev/null)
+HOSTCFLAGS_sign-file.o += -I$(srctree)/tools/include/uapi/
HOSTLDLIBS_sign-file = $(shell $(HOSTPKG_CONFIG) --libs libcrypto 2> /dev/null || echo -lcrypto)
ifdef CONFIG_UNWINDER_ORC
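Review bot: only the scripts/ rule gains `-I$(srctree)/tools/include/uapi/` here, while the same patch removes the local struct and marker definitions from sign-file.c, so every other rule that compiles scripts/sign-file.c now needs the include path as well. The v3 changelog on this thread names the custom sign-file rule in the bpf selftests as one such case; please check for further out-of-directory builds of this file before relying on this single line.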
diff --git a/scripts/sign-file.c b/scripts/sign-file.c
index 73fbefd2e540..86b010ac1514 100644
--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
@@ -40,19 +40,7 @@
#endif
#include "ssl-common.h"
-struct module_signature {
- uint8_t algo; /* Public-key crypto algorithm [0] */
- uint8_t hash; /* Digest algorithm [0] */
- uint8_t id_type; /* Key identifier type [PKEY_ID_PKCS7] */
- uint8_t signer_len; /* Length of signer's name [0] */
- uint8_t key_id_len; /* Length of key identifier [0] */
- uint8_t __pad[3];
- uint32_t sig_len; /* Length of signature data */
-};
-
-#define PKEY_ID_PKCS7 2
-
-static char magic_number[] = "~Module signature appended~\n";
+#include <linux/module_signature.h>
static __attribute__((noreturn))
void format(void)
@@ -197,7 +185,7 @@ static X509 *read_x509(const char *x509_name)
int main(int argc, char **argv)
{
- struct module_signature sig_info = { .id_type = PKEY_ID_PKCS7 };
+ struct module_signature sig_info = { .id_type = MODULE_SIGNATURE_TYPE_PKCS7 };
char *hash_algo = NULL;
char *private_key_name = NULL, *raw_sig_name = NULL;
char *x509_name, *module_name, *dest_name;
@@ -357,7 +345,8 @@ int main(int argc, char **argv)
sig_size = BIO_number_written(bd) - module_size;
sig_info.sig_len = htonl(sig_size);
ERR(BIO_write(bd, &sig_info, sizeof(sig_info)) < 0, "%s", dest_name);
- ERR(BIO_write(bd, magic_number, sizeof(magic_number) - 1) < 0, "%s", dest_name);
+ ERR(BIO_write(bd, MODULE_SIGNATURE_MARKER, sizeof(MODULE_SIGNATURE_MARKER) - 1) < 0,
+ "%s", dest_name);
ERR(BIO_free(bd) != 1, "%s", dest_name);
--
2.53.0
* [PATCH v2 8/8] selftests/bpf: verify_pkcs7_sig: Use 'struct module_signature' from the UAPI headers
From: Thomas Weißschuh @ 2026-03-05 7:11 UTC (permalink / raw)
To: David Howells, David Woodhouse, Luis Chamberlain, Petr Pavlu,
Daniel Gomez, Sami Tolvanen, Aaron Tomlin, Heiko Carstens,
Vasily Gorbik, Alexander Gordeev, Christian Borntraeger,
Sven Schnelle, Mimi Zohar, Roberto Sassu, Dmitry Kasatkin,
Eric Snowberg, Paul Moore, James Morris, Serge E. Hallyn,
Nathan Chancellor, Nicolas Schier, Alexei Starovoitov,
Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau,
Eduard Zingerman, Song Liu, Yonghong Song, John Fastabend,
KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, Shuah Khan
Cc: keyrings, linux-kernel, linux-modules, linux-s390,
linux-integrity, linux-security-module, linux-kbuild, bpf,
linux-kselftest, Thomas Weißschuh
In-Reply-To: <20260305-module-signature-uapi-v2-0-dc4d81129dee@linutronix.de>
Now that the UAPI headers provide the required definitions, use those.
Some symbols have been renamed, adapt to those.
Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
Reviewed-by: Petr Pavlu <petr.pavlu@suse.com>
---
.../selftests/bpf/prog_tests/verify_pkcs7_sig.c | 28 +++-------------------
1 file changed, 3 insertions(+), 25 deletions(-)
diff --git a/tools/testing/selftests/bpf/prog_tests/verify_pkcs7_sig.c b/tools/testing/selftests/bpf/prog_tests/verify_pkcs7_sig.c
index 4d69d9d55e17..f327feb8e38c 100644
--- a/tools/testing/selftests/bpf/prog_tests/verify_pkcs7_sig.c
+++ b/tools/testing/selftests/bpf/prog_tests/verify_pkcs7_sig.c
@@ -18,6 +18,7 @@
#include <linux/keyctl.h>
#include <sys/xattr.h>
#include <linux/fsverity.h>
+#include <linux/module_signature.h>
#include <test_progs.h>
#include "test_verify_pkcs7_sig.skel.h"
@@ -33,29 +34,6 @@
#define SHA256_DIGEST_SIZE 32
#endif
-/* In stripped ARM and x86-64 modules, ~ is surprisingly rare. */
-#define MODULE_SIG_STRING "~Module signature appended~\n"
-
-/*
- * Module signature information block.
- *
- * The constituents of the signature section are, in order:
- *
- * - Signer's name
- * - Key identifier
- * - Signature data
- * - Information block
- */
-struct module_signature {
- __u8 algo; /* Public-key crypto algorithm [0] */
- __u8 hash; /* Digest algorithm [0] */
- __u8 id_type; /* Key identifier type [PKEY_ID_PKCS7] */
- __u8 signer_len; /* Length of signer's name [0] */
- __u8 key_id_len; /* Length of key identifier [0] */
- __u8 __pad[3];
- __be32 sig_len; /* Length of signature data */
-};
-
struct data {
__u8 data[MAX_DATA_SIZE];
__u32 data_len;
@@ -215,7 +193,7 @@ static int populate_data_item_mod(struct data *data_item)
return 0;
modlen = st.st_size;
- marker_len = sizeof(MODULE_SIG_STRING) - 1;
+ marker_len = sizeof(MODULE_SIGNATURE_MARKER) - 1;
fd = open(mod_path, O_RDONLY);
if (fd == -1)
@@ -228,7 +206,7 @@ static int populate_data_item_mod(struct data *data_item)
if (mod == MAP_FAILED)
return -errno;
- if (strncmp(mod + modlen - marker_len, MODULE_SIG_STRING, marker_len)) {
+ if (strncmp(mod + modlen - marker_len, MODULE_SIGNATURE_MARKER, marker_len)) {
ret = -EINVAL;
goto out;
}
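Review bot: `mod + modlen - marker_len` in this hunk is evaluated without any visible check that modlen is at least marker_len; the previous hunk only shows `modlen = st.st_size` before the mmap(). If there is no such check, a file shorter than the marker makes the comparison read before the start of the mapping. The in-kernel users touched by this series guard first (`if (marker_len > kernel_len)` in s390_verify_sig(), `info->len > markerlen` in module_sig_check()) and compare with memcmp(); since this line is being changed anyway, a matching length check and memcmp() would keep the selftest consistent with them.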
--
2.53.0
* [PATCH v3 0/8] module: Move 'struct module_signature' to UAPI
From: Thomas Weißschuh @ 2026-03-05 9:31 UTC (permalink / raw)
To: David Howells, David Woodhouse, Luis Chamberlain, Petr Pavlu,
Daniel Gomez, Sami Tolvanen, Aaron Tomlin, Heiko Carstens,
Vasily Gorbik, Alexander Gordeev, Christian Borntraeger,
Sven Schnelle, Mimi Zohar, Roberto Sassu, Dmitry Kasatkin,
Eric Snowberg, Paul Moore, James Morris, Serge E. Hallyn,
Nathan Chancellor, Nicolas Schier, Alexei Starovoitov,
Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau,
Eduard Zingerman, Song Liu, Yonghong Song, John Fastabend,
KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, Shuah Khan
Cc: keyrings, linux-kernel, linux-modules, linux-s390,
linux-integrity, linux-security-module, linux-kbuild, bpf,
linux-kselftest, Thomas Weißschuh
This structure definition is used outside the kernel proper.
For example in kmod and the kernel build environment.
To allow reuse, move it to a new UAPI header.
While it is not a true UAPI, it is a common practice to have
non-UAPI interface definitions in the kernel's UAPI headers.
This came up as part of my CONFIG_MODULE_HASHES series [0].
But it is useful on its own and so we get it out of the way.
[0] https://lore.kernel.org/lkml/aZ3OfJJSJgfOb0rJ@levanger/
Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
---
Changes in v3:
- Also adapt the include path for the custom sign-file rule in the bpf selftests.
(My manual run of BPF CI still fails, due to a BUG() on s390,
I don't see how this is due to this patch)
- Link to v2: https://lore.kernel.org/r/20260305-module-signature-uapi-v2-0-dc4d81129dee@linutronix.de
Changes in v2:
- Drop spurious definition of MODULE_SIGNATURE_TYPE_MERKLE.
- s/modules/module/ in two patch subjects.
- Pick up review tags.
- Link to v1: https://lore.kernel.org/r/20260302-module-signature-uapi-v1-0-207d955e0d69@linutronix.de
---
Thomas Weißschuh (8):
extract-cert: drop unused definition of PKEY_ID_PKCS7
module: Drop unused signature types
module: Give 'enum pkey_id_type' a more specific name
module: Give MODULE_SIG_STRING a more descriptive name
module: Move 'struct module_signature' to UAPI
tools uapi headers: add linux/module_signature.h
sign-file: use 'struct module_signature' from the UAPI headers
selftests/bpf: verify_pkcs7_sig: Use 'struct module_signature' from the UAPI headers
arch/s390/kernel/machine_kexec_file.c | 6 ++--
certs/extract-cert.c | 2 --
include/linux/module_signature.h | 30 +---------------
include/uapi/linux/module_signature.h | 41 ++++++++++++++++++++++
kernel/module/signing.c | 4 +--
kernel/module_signature.c | 2 +-
scripts/Makefile | 1 +
scripts/sign-file.c | 19 +++-------
security/integrity/ima/ima_modsig.c | 6 ++--
tools/include/uapi/linux/module_signature.h | 41 ++++++++++++++++++++++
tools/testing/selftests/bpf/Makefile | 1 +
.../selftests/bpf/prog_tests/verify_pkcs7_sig.c | 28 ++-------------
12 files changed, 101 insertions(+), 80 deletions(-)
---
base-commit: 6de23f81a5e08be8fbf5e8d7e9febc72a5b5f27f
change-id: 20260302-module-signature-uapi-61fa80b1e2bb
Best regards,
--
Thomas Weißschuh <thomas.weissschuh@linutronix.de>
* [PATCH v3 1/8] extract-cert: drop unused definition of PKEY_ID_PKCS7
From: Thomas Weißschuh @ 2026-03-05 9:31 UTC (permalink / raw)
To: David Howells, David Woodhouse, Luis Chamberlain, Petr Pavlu,
Daniel Gomez, Sami Tolvanen, Aaron Tomlin, Heiko Carstens,
Vasily Gorbik, Alexander Gordeev, Christian Borntraeger,
Sven Schnelle, Mimi Zohar, Roberto Sassu, Dmitry Kasatkin,
Eric Snowberg, Paul Moore, James Morris, Serge E. Hallyn,
Nathan Chancellor, Nicolas Schier, Alexei Starovoitov,
Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau,
Eduard Zingerman, Song Liu, Yonghong Song, John Fastabend,
KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, Shuah Khan
Cc: keyrings, linux-kernel, linux-modules, linux-s390,
linux-integrity, linux-security-module, linux-kbuild, bpf,
linux-kselftest, Thomas Weißschuh
In-Reply-To: <20260305-module-signature-uapi-v3-0-92f45ea6028c@linutronix.de>
This definition duplicates a definition from an internal kernel header
which is going to be renamed.
To get rid of an instance of the old name, drop the definition.
Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
Reviewed-by: Petr Pavlu <petr.pavlu@suse.com>
---
certs/extract-cert.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/certs/extract-cert.c b/certs/extract-cert.c
index 7d6d468ed612..8c762f908443 100644
--- a/certs/extract-cert.c
+++ b/certs/extract-cert.c
@@ -33,8 +33,6 @@
#endif
#include "ssl-common.h"
-#define PKEY_ID_PKCS7 2
-
static __attribute__((noreturn))
void format(void)
{
--
2.53.0
* [PATCH v3 2/8] module: Drop unused signature types
From: Thomas Weißschuh @ 2026-03-05 9:31 UTC (permalink / raw)
To: David Howells, David Woodhouse, Luis Chamberlain, Petr Pavlu,
Daniel Gomez, Sami Tolvanen, Aaron Tomlin, Heiko Carstens,
Vasily Gorbik, Alexander Gordeev, Christian Borntraeger,
Sven Schnelle, Mimi Zohar, Roberto Sassu, Dmitry Kasatkin,
Eric Snowberg, Paul Moore, James Morris, Serge E. Hallyn,
Nathan Chancellor, Nicolas Schier, Alexei Starovoitov,
Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau,
Eduard Zingerman, Song Liu, Yonghong Song, John Fastabend,
KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, Shuah Khan
Cc: keyrings, linux-kernel, linux-modules, linux-s390,
linux-integrity, linux-security-module, linux-kbuild, bpf,
linux-kselftest, Thomas Weißschuh
In-Reply-To: <20260305-module-signature-uapi-v3-0-92f45ea6028c@linutronix.de>
Only PKCS#7 signatures are used today.
Remove the unused enum values. As this enum is used in on-disk data,
preserve the numeric value.
Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
Reviewed-by: Petr Pavlu <petr.pavlu@suse.com>
---
include/linux/module_signature.h | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/include/linux/module_signature.h b/include/linux/module_signature.h
index 7eb4b00381ac..820cc1473383 100644
--- a/include/linux/module_signature.h
+++ b/include/linux/module_signature.h
@@ -15,9 +15,7 @@
#define MODULE_SIG_STRING "~Module signature appended~\n"
enum pkey_id_type {
- PKEY_ID_PGP, /* OpenPGP generated key ID */
- PKEY_ID_X509, /* X.509 arbitrary subjectKeyIdentifier */
- PKEY_ID_PKCS7, /* Signature in PKCS#7 message */
+ PKEY_ID_PKCS7 = 2, /* Signature in PKCS#7 message */
};
/*
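Review bot: `PKEY_ID_PKCS7 = 2` now looks arbitrary in the code, because the reason for the explicit value (the enum is stored in on-disk data, and 0 and 1 belonged to the removed PGP and X.509 entries) is given only in the commit message. A short comment next to the enumerator would stop a later cleanup from dropping the `= 2` or from reusing 0 or 1 for a new type.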
--
2.53.0
* [PATCH v3 3/8] module: Give 'enum pkey_id_type' a more specific name
From: Thomas Weißschuh @ 2026-03-05 9:31 UTC (permalink / raw)
To: David Howells, David Woodhouse, Luis Chamberlain, Petr Pavlu,
Daniel Gomez, Sami Tolvanen, Aaron Tomlin, Heiko Carstens,
Vasily Gorbik, Alexander Gordeev, Christian Borntraeger,
Sven Schnelle, Mimi Zohar, Roberto Sassu, Dmitry Kasatkin,
Eric Snowberg, Paul Moore, James Morris, Serge E. Hallyn,
Nathan Chancellor, Nicolas Schier, Alexei Starovoitov,
Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau,
Eduard Zingerman, Song Liu, Yonghong Song, John Fastabend,
KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, Shuah Khan
Cc: keyrings, linux-kernel, linux-modules, linux-s390,
linux-integrity, linux-security-module, linux-kbuild, bpf,
linux-kselftest, Thomas Weißschuh
In-Reply-To: <20260305-module-signature-uapi-v3-0-92f45ea6028c@linutronix.de>
This enum originates in generic cryptographic code and has a very
generic name. Nowadays it is only used for module signatures.
As this enum is going to be exposed in a UAPI header, give it a more
specific name for clarity and consistency.
Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
Reviewed-by: Petr Pavlu <petr.pavlu@suse.com>
---
arch/s390/kernel/machine_kexec_file.c | 2 +-
include/linux/module_signature.h | 6 +++---
kernel/module_signature.c | 2 +-
3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/arch/s390/kernel/machine_kexec_file.c b/arch/s390/kernel/machine_kexec_file.c
index 1bf59c3f0e2b..667ee9279e23 100644
--- a/arch/s390/kernel/machine_kexec_file.c
+++ b/arch/s390/kernel/machine_kexec_file.c
@@ -53,7 +53,7 @@ int s390_verify_sig(const char *kernel, unsigned long kernel_len)
return -EKEYREJECTED;
kernel_len -= sig_len;
- if (ms->id_type != PKEY_ID_PKCS7)
+ if (ms->id_type != MODULE_SIGNATURE_TYPE_PKCS7)
return -EKEYREJECTED;
if (ms->algo != 0 ||
diff --git a/include/linux/module_signature.h b/include/linux/module_signature.h
index 820cc1473383..c3a05d4cfe67 100644
--- a/include/linux/module_signature.h
+++ b/include/linux/module_signature.h
@@ -14,8 +14,8 @@
/* In stripped ARM and x86-64 modules, ~ is surprisingly rare. */
#define MODULE_SIG_STRING "~Module signature appended~\n"
-enum pkey_id_type {
- PKEY_ID_PKCS7 = 2, /* Signature in PKCS#7 message */
+enum module_signature_type {
+ MODULE_SIGNATURE_TYPE_PKCS7 = 2, /* Signature in PKCS#7 message */
};
/*
@@ -31,7 +31,7 @@ enum pkey_id_type {
struct module_signature {
u8 algo; /* Public-key crypto algorithm [0] */
u8 hash; /* Digest algorithm [0] */
- u8 id_type; /* Key identifier type [PKEY_ID_PKCS7] */
+ u8 id_type; /* Key identifier type [enum module_signature_type] */
u8 signer_len; /* Length of signer's name [0] */
u8 key_id_len; /* Length of key identifier [0] */
u8 __pad[3];
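Review bot: the updated comment on id_type reads "Key identifier type [enum module_signature_type]", which uses two names for one thing: the field is still described as a key identifier type while the enum it refers to is now a signature type. As the enum's only value is documented as "Signature in PKCS#7 message", consider rewording the field comment to match, so that the UAPI header added later in the series does not carry both terms.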
diff --git a/kernel/module_signature.c b/kernel/module_signature.c
index 00132d12487c..a0eee2fe4368 100644
--- a/kernel/module_signature.c
+++ b/kernel/module_signature.c
@@ -24,7 +24,7 @@ int mod_check_sig(const struct module_signature *ms, size_t file_len,
if (be32_to_cpu(ms->sig_len) >= file_len - sizeof(*ms))
return -EBADMSG;
- if (ms->id_type != PKEY_ID_PKCS7) {
+ if (ms->id_type != MODULE_SIGNATURE_TYPE_PKCS7) {
pr_err("%s: not signed with expected PKCS#7 message\n",
name);
return -ENOPKG;
--
2.53.0
* [PATCH v3 4/8] module: Give MODULE_SIG_STRING a more descriptive name
From: Thomas Weißschuh @ 2026-03-05 9:31 UTC (permalink / raw)
To: David Howells, David Woodhouse, Luis Chamberlain, Petr Pavlu,
Daniel Gomez, Sami Tolvanen, Aaron Tomlin, Heiko Carstens,
Vasily Gorbik, Alexander Gordeev, Christian Borntraeger,
Sven Schnelle, Mimi Zohar, Roberto Sassu, Dmitry Kasatkin,
Eric Snowberg, Paul Moore, James Morris, Serge E. Hallyn,
Nathan Chancellor, Nicolas Schier, Alexei Starovoitov,
Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau,
Eduard Zingerman, Song Liu, Yonghong Song, John Fastabend,
KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, Shuah Khan
Cc: keyrings, linux-kernel, linux-modules, linux-s390,
linux-integrity, linux-security-module, linux-kbuild, bpf,
linux-kselftest, Thomas Weißschuh
In-Reply-To: <20260305-module-signature-uapi-v3-0-92f45ea6028c@linutronix.de>
The purpose of the constant is not entirely clear from its name.
As this constant is going to be exposed in a UAPI header, give it a more
specific name for clarity. As all its users call it 'marker', use that
wording in the constant itself.
Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
Reviewed-by: Petr Pavlu <petr.pavlu@suse.com>
---
arch/s390/kernel/machine_kexec_file.c | 4 ++--
include/linux/module_signature.h | 2 +-
kernel/module/signing.c | 4 ++--
security/integrity/ima/ima_modsig.c | 6 +++---
4 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/arch/s390/kernel/machine_kexec_file.c b/arch/s390/kernel/machine_kexec_file.c
index 667ee9279e23..6f0852d5a3a9 100644
--- a/arch/s390/kernel/machine_kexec_file.c
+++ b/arch/s390/kernel/machine_kexec_file.c
@@ -28,7 +28,7 @@ const struct kexec_file_ops * const kexec_file_loaders[] = {
#ifdef CONFIG_KEXEC_SIG
int s390_verify_sig(const char *kernel, unsigned long kernel_len)
{
- const unsigned long marker_len = sizeof(MODULE_SIG_STRING) - 1;
+ const unsigned long marker_len = sizeof(MODULE_SIGNATURE_MARKER) - 1;
struct module_signature *ms;
unsigned long sig_len;
int ret;
@@ -40,7 +40,7 @@ int s390_verify_sig(const char *kernel, unsigned long kernel_len)
if (marker_len > kernel_len)
return -EKEYREJECTED;
- if (memcmp(kernel + kernel_len - marker_len, MODULE_SIG_STRING,
+ if (memcmp(kernel + kernel_len - marker_len, MODULE_SIGNATURE_MARKER,
marker_len))
return -EKEYREJECTED;
kernel_len -= marker_len;
diff --git a/include/linux/module_signature.h b/include/linux/module_signature.h
index c3a05d4cfe67..915549c779dc 100644
--- a/include/linux/module_signature.h
+++ b/include/linux/module_signature.h
@@ -12,7 +12,7 @@
#include <linux/types.h>
/* In stripped ARM and x86-64 modules, ~ is surprisingly rare. */
-#define MODULE_SIG_STRING "~Module signature appended~\n"
+#define MODULE_SIGNATURE_MARKER "~Module signature appended~\n"
enum module_signature_type {
MODULE_SIGNATURE_TYPE_PKCS7 = 2, /* Signature in PKCS#7 message */
diff --git a/kernel/module/signing.c b/kernel/module/signing.c
index a2ff4242e623..590ba29c85ab 100644
--- a/kernel/module/signing.c
+++ b/kernel/module/signing.c
@@ -70,7 +70,7 @@ int mod_verify_sig(const void *mod, struct load_info *info)
int module_sig_check(struct load_info *info, int flags)
{
int err = -ENODATA;
- const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1;
+ const unsigned long markerlen = sizeof(MODULE_SIGNATURE_MARKER) - 1;
const char *reason;
const void *mod = info->hdr;
bool mangled_module = flags & (MODULE_INIT_IGNORE_MODVERSIONS |
@@ -81,7 +81,7 @@ int module_sig_check(struct load_info *info, int flags)
*/
if (!mangled_module &&
info->len > markerlen &&
- memcmp(mod + info->len - markerlen, MODULE_SIG_STRING, markerlen) == 0) {
+ memcmp(mod + info->len - markerlen, MODULE_SIGNATURE_MARKER, markerlen) == 0) {
/* We truncate the module to discard the signature */
info->len -= markerlen;
err = mod_verify_sig(mod, info);
diff --git a/security/integrity/ima/ima_modsig.c b/security/integrity/ima/ima_modsig.c
index 9aa92fd35a03..632c746fd81e 100644
--- a/security/integrity/ima/ima_modsig.c
+++ b/security/integrity/ima/ima_modsig.c
@@ -40,7 +40,7 @@ struct modsig {
int ima_read_modsig(enum ima_hooks func, const void *buf, loff_t buf_len,
struct modsig **modsig)
{
- const size_t marker_len = strlen(MODULE_SIG_STRING);
+ const size_t marker_len = strlen(MODULE_SIGNATURE_MARKER);
const struct module_signature *sig;
struct modsig *hdr;
size_t sig_len;
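Review bot: this file keeps strlen(MODULE_SIGNATURE_MARKER) for the marker length, here and again in ima_collect_modsig(), while the s390 and kernel/module/signing.c hunks of the same patch use sizeof(MODULE_SIGNATURE_MARKER) - 1. As the constant is about to be shared with userspace, a single length definition next to the marker, or at least the same idiom in all users, would avoid each caller deriving the length on its own.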
@@ -51,7 +51,7 @@ int ima_read_modsig(enum ima_hooks func, const void *buf, loff_t buf_len,
return -ENOENT;
p = buf + buf_len - marker_len;
- if (memcmp(p, MODULE_SIG_STRING, marker_len))
+ if (memcmp(p, MODULE_SIGNATURE_MARKER, marker_len))
return -ENOENT;
buf_len -= marker_len;
@@ -105,7 +105,7 @@ void ima_collect_modsig(struct modsig *modsig, const void *buf, loff_t size)
* Provide the file contents (minus the appended sig) so that the PKCS7
* code can calculate the file hash.
*/
- size -= modsig->raw_pkcs7_len + strlen(MODULE_SIG_STRING) +
+ size -= modsig->raw_pkcs7_len + strlen(MODULE_SIGNATURE_MARKER) +
sizeof(struct module_signature);
rc = pkcs7_supply_detached_data(modsig->pkcs7_msg, buf, size);
if (rc)
--
2.53.0
* [PATCH v3 6/8] tools uapi headers: add linux/module_signature.h
From: Thomas Weißschuh @ 2026-03-05 9:31 UTC (permalink / raw)
To: David Howells, David Woodhouse, Luis Chamberlain, Petr Pavlu,
Daniel Gomez, Sami Tolvanen, Aaron Tomlin, Heiko Carstens,
Vasily Gorbik, Alexander Gordeev, Christian Borntraeger,
Sven Schnelle, Mimi Zohar, Roberto Sassu, Dmitry Kasatkin,
Eric Snowberg, Paul Moore, James Morris, Serge E. Hallyn,
Nathan Chancellor, Nicolas Schier, Alexei Starovoitov,
Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau,
Eduard Zingerman, Song Liu, Yonghong Song, John Fastabend,
KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, Shuah Khan
Cc: keyrings, linux-kernel, linux-modules, linux-s390,
linux-integrity, linux-security-module, linux-kbuild, bpf,
linux-kselftest, Thomas Weißschuh
In-Reply-To: <20260305-module-signature-uapi-v3-0-92f45ea6028c@linutronix.de>
This header is going to be used from scripts/sign-file.
Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
Reviewed-by: Petr Pavlu <petr.pavlu@suse.com>
---
tools/include/uapi/linux/module_signature.h | 41 +++++++++++++++++++++++++++++
1 file changed, 41 insertions(+)
diff --git a/tools/include/uapi/linux/module_signature.h b/tools/include/uapi/linux/module_signature.h
new file mode 100644
index 000000000000..634c9f1c8fc2
--- /dev/null
+++ b/tools/include/uapi/linux/module_signature.h
@@ -0,0 +1,41 @@
+/* SPDX-License-Identifier: GPL-2.0+ WITH Linux-syscall-note */
+/*
+ * Module signature handling.
+ *
+ * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowells@redhat.com)
+ */
+
+#ifndef _UAPI_LINUX_MODULE_SIGNATURE_H
+#define _UAPI_LINUX_MODULE_SIGNATURE_H
+
+#include <linux/types.h>
+
+/* In stripped ARM and x86-64 modules, ~ is surprisingly rare. */
+#define MODULE_SIGNATURE_MARKER "~Module signature appended~\n"
+
+enum module_signature_type {
+ MODULE_SIGNATURE_TYPE_PKCS7 = 2, /* Signature in PKCS#7 message */
+};
+
+/*
+ * Module signature information block.
+ *
+ * The constituents of the signature section are, in order:
+ *
+ * - Signer's name
+ * - Key identifier
+ * - Signature data
+ * - Information block
+ */
+struct module_signature {
+ __u8 algo; /* Public-key crypto algorithm [0] */
+ __u8 hash; /* Digest algorithm [0] */
+ __u8 id_type; /* Key identifier type [enum module_signature_type] */
+ __u8 signer_len; /* Length of signer's name [0] */
+ __u8 key_id_len; /* Length of key identifier [0] */
+ __u8 __pad[3];
+ __be32 sig_len; /* Length of signature data */
+};
+
+#endif /* _UAPI_LINUX_MODULE_SIGNATURE_H */
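Review bot: `__u8 __pad[3];` is the only member of struct module_signature without a comment, and this copy is what host tools build against when they write the block. Please document whether the padding has to be zero; the sign-file change in this series gets zeros only implicitly from its designated initializer `{ .id_type = MODULE_SIGNATURE_TYPE_PKCS7 }`.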
--
2.53.0
* [PATCH v3 5/8] module: Move 'struct module_signature' to UAPI
From: Thomas Weißschuh @ 2026-03-05 9:31 UTC (permalink / raw)
To: David Howells, David Woodhouse, Luis Chamberlain, Petr Pavlu,
Daniel Gomez, Sami Tolvanen, Aaron Tomlin, Heiko Carstens,
Vasily Gorbik, Alexander Gordeev, Christian Borntraeger,
Sven Schnelle, Mimi Zohar, Roberto Sassu, Dmitry Kasatkin,
Eric Snowberg, Paul Moore, James Morris, Serge E. Hallyn,
Nathan Chancellor, Nicolas Schier, Alexei Starovoitov,
Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau,
Eduard Zingerman, Song Liu, Yonghong Song, John Fastabend,
KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, Shuah Khan
Cc: keyrings, linux-kernel, linux-modules, linux-s390,
linux-integrity, linux-security-module, linux-kbuild, bpf,
linux-kselftest, Thomas Weißschuh
In-Reply-To: <20260305-module-signature-uapi-v3-0-92f45ea6028c@linutronix.de>
This structure definition is used outside the kernel proper.
For example in kmod and the kernel build environment.
To allow reuse, move it to a new UAPI header.
While it is not a true UAPI, it is a common practice to have
non-UAPI interface definitions in the kernel's UAPI headers.
Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
Reviewed-by: Petr Pavlu <petr.pavlu@suse.com>
---
include/linux/module_signature.h | 28 +-----------------------
include/uapi/linux/module_signature.h | 41 +++++++++++++++++++++++++++++++++++
2 files changed, 42 insertions(+), 27 deletions(-)
diff --git a/include/linux/module_signature.h b/include/linux/module_signature.h
index 915549c779dc..db335d46787f 100644
--- a/include/linux/module_signature.h
+++ b/include/linux/module_signature.h
@@ -10,33 +10,7 @@
#define _LINUX_MODULE_SIGNATURE_H
#include <linux/types.h>
-
-/* In stripped ARM and x86-64 modules, ~ is surprisingly rare. */
-#define MODULE_SIGNATURE_MARKER "~Module signature appended~\n"
-
-enum module_signature_type {
- MODULE_SIGNATURE_TYPE_PKCS7 = 2, /* Signature in PKCS#7 message */
-};
-
-/*
- * Module signature information block.
- *
- * The constituents of the signature section are, in order:
- *
- * - Signer's name
- * - Key identifier
- * - Signature data
- * - Information block
- */
-struct module_signature {
- u8 algo; /* Public-key crypto algorithm [0] */
- u8 hash; /* Digest algorithm [0] */
- u8 id_type; /* Key identifier type [enum module_signature_type] */
- u8 signer_len; /* Length of signer's name [0] */
- u8 key_id_len; /* Length of key identifier [0] */
- u8 __pad[3];
- __be32 sig_len; /* Length of signature data */
-};
+#include <uapi/linux/module_signature.h>
int mod_check_sig(const struct module_signature *ms, size_t file_len,
const char *name);
diff --git a/include/uapi/linux/module_signature.h b/include/uapi/linux/module_signature.h
new file mode 100644
index 000000000000..634c9f1c8fc2
--- /dev/null
+++ b/include/uapi/linux/module_signature.h
@@ -0,0 +1,41 @@
+/* SPDX-License-Identifier: GPL-2.0+ WITH Linux-syscall-note */
+/*
+ * Module signature handling.
+ *
+ * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowells@redhat.com)
+ */
+
+#ifndef _UAPI_LINUX_MODULE_SIGNATURE_H
+#define _UAPI_LINUX_MODULE_SIGNATURE_H
+
+#include <linux/types.h>
+
+/* In stripped ARM and x86-64 modules, ~ is surprisingly rare. */
+#define MODULE_SIGNATURE_MARKER "~Module signature appended~\n"
+
+enum module_signature_type {
+ MODULE_SIGNATURE_TYPE_PKCS7 = 2, /* Signature in PKCS#7 message */
+};
+
+/*
+ * Module signature information block.
+ *
+ * The constituents of the signature section are, in order:
+ *
+ * - Signer's name
+ * - Key identifier
+ * - Signature data
+ * - Information block
+ */
+struct module_signature {
+ __u8 algo; /* Public-key crypto algorithm [0] */
+ __u8 hash; /* Digest algorithm [0] */
+ __u8 id_type; /* Key identifier type [enum module_signature_type] */
+ __u8 signer_len; /* Length of signer's name [0] */
+ __u8 key_id_len; /* Length of key identifier [0] */
+ __u8 __pad[3];
+ __be32 sig_len; /* Length of signature data */
+};
+
+#endif /* _UAPI_LINUX_MODULE_SIGNATURE_H */
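Review bot: the "[0]" suffix in the comments on algo, hash, signer_len and key_id_len is not explained anywhere in the header, and the commit message's statement that this is not a true UAPI does not appear in the file either. For a header that kmod and other external users are meant to include, please spell out what "[0]" means for those fields and add a line on the stability expectations to the top comment.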
--
2.53.0