* [PATCH v10 2/9] landlock: Add API support and docs for the quiet flags
From: Tingmao Wang @ 2026-06-01 0:00 UTC (permalink / raw)
To: Mickaël Salaün
Cc: Tingmao Wang, Günther Noack, Justin Suess, Jan Kara,
Abhinav Saxena, linux-security-module
In-Reply-To: <cover.1780272022.git.m@maowtm.org>
Adds the UAPI for the quiet flags feature (but not the implementation
yet).
Even though currently LANDLOCK_ADD_RULE_QUIET only affects audit
logging, in the future this can also be used as part of a supervisor
mechanism, where it will also suppress denial notifications on a
per-object basis. Thus the name is deliberately generic, as opposed to
e.g. LANDLOCK_ADD_RULE_LOG_QUIET.
According to pahole, even after adding the struct access_masks quiet_masks
in struct landlock_hierarchy, the u32 log_* bitfield still only has a size
of 2 bytes, so there's minimal wasted space.
Signed-off-by: Tingmao Wang <m@maowtm.org>
---
Changes in v9:
- Move a mistakenly included hunk into patch 1
- Doc change for sys_landlock_create_ruleset to add missing
"quiet_scoped | scoped == scoped" requirement.
- Doc changes for struct landlock_ruleset_attr, and re-wrap added bits
wider to stay consistent with the existing block.
- Other style changes from suggestions
- Added mention of this flag in the audit section of
Documentation/admin-guide/LSM/landlock.rst
- Added a block for this new flag to the "Previous limitations" section
in Documentation/userspace-api/landlock.rst
Changes in v8:
- The new Landlock ABI version is now v10 as a result of rebase.
- Allocate a rule_flags in hook_unix_find() and pass to
is_access_to_paths_allowed().
Changes in v6:
- Fix typo in doc
Changes in v5:
- Doc fixes.
- Fix build failure without CONFIG_AUDIT / CONFIG_INET (reported by Justin
Suess)
Changes in v4:
- Minor update to this commit message.
- Fix minor formatting
Changes in v3:
- Updated docs from Mickaël's suggestions.
Changes in v2:
- Per suggestion, added support for quieting only certain access bits,
controlled by extra quiet_access_* fields in the ruleset_attr.
- Added docs for the extra fields and made updates to doc changes in v1.
In particular, call out that the effect of LANDLOCK_ADD_RULE_QUIET is
independent from the access bits passed in rule_attr
- landlock_add_rule will return -EINVAL when LANDLOCK_ADD_RULE_QUIET is
used but the ruleset does not have any quiet access bits set for the
given rule type.
- ABI version bump to v8
- Syntactic and comment changes per suggestion.
Documentation/admin-guide/LSM/landlock.rst | 9 ++-
Documentation/userspace-api/landlock.rst | 11 +++
include/uapi/linux/landlock.h | 61 +++++++++++++++++
security/landlock/domain.h | 5 ++
security/landlock/fs.c | 4 +-
security/landlock/fs.h | 2 +-
security/landlock/net.c | 5 +-
security/landlock/net.h | 5 +-
security/landlock/ruleset.c | 12 +++-
security/landlock/ruleset.h | 12 +++-
security/landlock/syscalls.c | 71 +++++++++++++++-----
tools/testing/selftests/landlock/base_test.c | 2 +-
12 files changed, 168 insertions(+), 31 deletions(-)
diff --git a/Documentation/admin-guide/LSM/landlock.rst b/Documentation/admin-guide/LSM/landlock.rst
index 9923874e2156..ccc32dad1d1c 100644
--- a/Documentation/admin-guide/LSM/landlock.rst
+++ b/Documentation/admin-guide/LSM/landlock.rst
@@ -19,8 +19,10 @@ Audit
Denied access requests are logged by default for a sandboxed program if `audit`
is enabled. This default behavior can be changed with the
sys_landlock_restrict_self() flags (cf.
-Documentation/userspace-api/landlock.rst). Landlock logs can also be masked
-thanks to audit rules. Landlock can generate 2 audit record types.
+Documentation/userspace-api/landlock.rst), or suppressed on a per-object
+basis by using ``LANDLOCK_ADD_RULE_QUIET`` (ABI 10+). Landlock logs can
+also be masked thanks to audit rules. Landlock can generate 2 audit
+record types.
Record types
------------
@@ -172,7 +174,8 @@ If you get spammed with audit logs related to Landlock, this is either an
attack attempt or a bug in the security policy. We can put in place some
filters to limit noise with two complementary ways:
-- with sys_landlock_restrict_self()'s flags if we can fix the sandboxed
+- with sys_landlock_restrict_self()'s flags, or
+ ``LANDLOCK_ADD_RULE_QUIET`` (ABI 10+) if we can fix the sandboxed
programs,
- or with audit rules (see :manpage:`auditctl(8)`).
diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst
index 45861fa75685..138d504cb498 100644
--- a/Documentation/userspace-api/landlock.rst
+++ b/Documentation/userspace-api/landlock.rst
@@ -722,6 +722,17 @@ Starting with the Landlock ABI version 9, it is possible to restrict
connections to pathname UNIX domain sockets (:manpage:`unix(7)`) using
the new ``LANDLOCK_ACCESS_FS_RESOLVE_UNIX`` right.
+Quiet rule flag (ABI < 10)
+-----------------------------------------
+
+Starting with the Landlock ABI version 10, it is possible to selectively
+suppress audit logs for specific denied accesses on a per-object basis with
+the ``LANDLOCK_ADD_RULE_QUIET`` flag of sys_landlock_add_rule(), in
+combination with the ``quiet_access_fs`` and ``quiet_access_net`` fields of
+struct landlock_ruleset_attr. It is also now possible to suppress audit logs
+for scope accesses via the ``quiet_scoped`` field of struct
+landlock_ruleset_attr.
+
.. _kernel_support:
Kernel support
diff --git a/include/uapi/linux/landlock.h b/include/uapi/linux/landlock.h
index b147223efc97..90a0752b61bf 100644
--- a/include/uapi/linux/landlock.h
+++ b/include/uapi/linux/landlock.h
@@ -32,6 +32,19 @@
* *handle* a wide range or all access rights that they know about at build time
* (and that they have tested with a kernel that supported them all).
*
+ * @quiet_access_fs and @quiet_access_net are bitmasks of actions for which a
+ * denial by this layer will not trigger an audit log if the corresponding
+ * object (or its children, for filesystem rules) is marked with the "quiet" bit
+ * via %LANDLOCK_ADD_RULE_QUIET, even if logging would normally take place per
+ * landlock_restrict_self() flags. @quiet_scoped is similar, except that it
+ * does not require marking any objects as quiet - if the ruleset is created
+ * with any bits set in @quiet_scoped, then denial of such scoped resources will
+ * not trigger any log. These 3 fields are available since Landlock ABI version
+ * 10.
+ *
+ * @quiet_access_fs, @quiet_access_net and @quiet_scoped must be a subset of
+ * @handled_access_fs, @handled_access_net and @scoped respectively.
+ *
* This structure can grow in future Landlock versions.
*/
struct landlock_ruleset_attr {
@@ -51,6 +64,21 @@ struct landlock_ruleset_attr {
* resources (e.g. IPCs).
*/
__u64 scoped;
+ /**
+ * @quiet_access_fs: Bitmask of filesystem actions which should not be
+ * logged if per-object quiet flag is set.
+ */
+ __u64 quiet_access_fs;
+ /**
+ * @quiet_access_net: Bitmask of network actions which should not be
+ * logged if per-object quiet flag is set.
+ */
+ __u64 quiet_access_net;
+ /**
+ * @quiet_scoped: Bitmask of scoped actions which should not be
+ * logged.
+ */
+ __u64 quiet_scoped;
};
/**
@@ -69,6 +97,39 @@ struct landlock_ruleset_attr {
#define LANDLOCK_CREATE_RULESET_ERRATA (1U << 1)
/* clang-format on */
+/**
+ * DOC: landlock_add_rule_flags
+ *
+ * **Flags**
+ *
+ * %LANDLOCK_ADD_RULE_QUIET
+ * Together with the quiet_* fields in struct landlock_ruleset_attr,
+ * this flag controls whether Landlock will log audit messages when
+ * access to the objects covered by this rule is denied by this layer.
+ *
+ * If audit logging is enabled, when Landlock denies an access, it will
+ * suppress the audit log if all of the following are true:
+ *
+ * - this layer is the innermost layer that denied the access;
+ * - all accesses denied by this layer are part of the quiet_* fields
+ * in the related struct landlock_ruleset_attr;
+ * - the object (or one of its parents, for filesystem rules) is
+ * marked as "quiet" via %LANDLOCK_ADD_RULE_QUIET.
+ *
+ * Because logging is only suppressed by a layer if the layer denies
+ * access, a sandboxed program cannot use this flag to "hide" access
+ * denials, without denying itself the access in the first place.
+ *
+ * The effect of this flag does not depend on the value of
+ * allowed_access in the passed in rule_attr. When this flag is
+ * present, the caller is also allowed to pass in an empty
+ * allowed_access.
+ */
+
+/* clang-format off */
+#define LANDLOCK_ADD_RULE_QUIET (1U << 0)
+/* clang-format on */
+
/**
* DOC: landlock_restrict_self_flags
*
diff --git a/security/landlock/domain.h b/security/landlock/domain.h
index af100a8cd939..9f560f3c3bd1 100644
--- a/security/landlock/domain.h
+++ b/security/landlock/domain.h
@@ -111,6 +111,11 @@ struct landlock_hierarchy {
* %LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON. Set to false by default.
*/
log_new_exec : 1;
+ /**
+ * @quiet_masks: Bitmasks of access that should be quieted (i.e. not
+ * logged) if the related object is marked as quiet.
+ */
+ struct access_masks quiet_masks;
#endif /* CONFIG_AUDIT */
};
diff --git a/security/landlock/fs.c b/security/landlock/fs.c
index f7c1bc64de20..cc0852f77311 100644
--- a/security/landlock/fs.c
+++ b/security/landlock/fs.c
@@ -325,7 +325,7 @@ static struct landlock_object *get_inode_object(struct inode *const inode)
*/
int landlock_append_fs_rule(struct landlock_ruleset *const ruleset,
const struct path *const path,
- access_mask_t access_rights)
+ access_mask_t access_rights, const int flags)
{
int err;
struct landlock_id id = {
@@ -346,7 +346,7 @@ int landlock_append_fs_rule(struct landlock_ruleset *const ruleset,
if (IS_ERR(id.key.object))
return PTR_ERR(id.key.object);
mutex_lock(&ruleset->lock);
- err = landlock_insert_rule(ruleset, id, access_rights);
+ err = landlock_insert_rule(ruleset, id, access_rights, flags);
mutex_unlock(&ruleset->lock);
/*
* No need to check for an error because landlock_insert_rule()
diff --git a/security/landlock/fs.h b/security/landlock/fs.h
index bf9948941f2f..cb7e654933ac 100644
--- a/security/landlock/fs.h
+++ b/security/landlock/fs.h
@@ -126,6 +126,6 @@ __init void landlock_add_fs_hooks(void);
int landlock_append_fs_rule(struct landlock_ruleset *const ruleset,
const struct path *const path,
- access_mask_t access_hierarchy);
+ access_mask_t access_hierarchy, const int flags);
#endif /* _SECURITY_LANDLOCK_FS_H */
diff --git a/security/landlock/net.c b/security/landlock/net.c
index 981a362c24db..71868289748a 100644
--- a/security/landlock/net.c
+++ b/security/landlock/net.c
@@ -20,7 +20,8 @@
#include "ruleset.h"
int landlock_append_net_rule(struct landlock_ruleset *const ruleset,
- const u16 port, access_mask_t access_rights)
+ const u16 port, access_mask_t access_rights,
+ const int flags)
{
int err;
const struct landlock_id id = {
@@ -35,7 +36,7 @@ int landlock_append_net_rule(struct landlock_ruleset *const ruleset,
~landlock_get_net_access_mask(ruleset, 0);
mutex_lock(&ruleset->lock);
- err = landlock_insert_rule(ruleset, id, access_rights);
+ err = landlock_insert_rule(ruleset, id, access_rights, flags);
mutex_unlock(&ruleset->lock);
return err;
diff --git a/security/landlock/net.h b/security/landlock/net.h
index 09960c237a13..72c47f4d6803 100644
--- a/security/landlock/net.h
+++ b/security/landlock/net.h
@@ -16,7 +16,8 @@
__init void landlock_add_net_hooks(void);
int landlock_append_net_rule(struct landlock_ruleset *const ruleset,
- const u16 port, access_mask_t access_rights);
+ const u16 port, access_mask_t access_rights,
+ const int flags);
#else /* IS_ENABLED(CONFIG_INET) */
static inline void landlock_add_net_hooks(void)
{
@@ -24,7 +25,7 @@ static inline void landlock_add_net_hooks(void)
static inline int
landlock_append_net_rule(struct landlock_ruleset *const ruleset, const u16 port,
- access_mask_t access_rights)
+ access_mask_t access_rights, const int flags)
{
return -EAFNOSUPPORT;
}
diff --git a/security/landlock/ruleset.c b/security/landlock/ruleset.c
index 91948e406e69..f01c3e14e55d 100644
--- a/security/landlock/ruleset.c
+++ b/security/landlock/ruleset.c
@@ -21,6 +21,7 @@
#include <linux/slab.h>
#include <linux/spinlock.h>
#include <linux/workqueue.h>
+#include <uapi/linux/landlock.h>
#include "access.h"
#include "domain.h"
@@ -255,6 +256,7 @@ static int insert_rule(struct landlock_ruleset *const ruleset,
if (WARN_ON_ONCE(this->layers[0].level != 0))
return -EINVAL;
this->layers[0].access |= (*layers)[0].access;
+ this->layers[0].flags.quiet |= (*layers)[0].flags.quiet;
return 0;
}
@@ -305,12 +307,15 @@ static void build_check_layer(void)
/* @ruleset must be locked by the caller. */
int landlock_insert_rule(struct landlock_ruleset *const ruleset,
const struct landlock_id id,
- const access_mask_t access)
+ const access_mask_t access, const int flags)
{
struct landlock_layer layers[] = { {
.access = access,
/* When @level is zero, insert_rule() extends @ruleset. */
.level = 0,
+ .flags = {
+ .quiet = !!(flags & LANDLOCK_ADD_RULE_QUIET),
+ },
} };
build_check_layer();
@@ -351,6 +356,7 @@ static int merge_tree(struct landlock_ruleset *const dst,
return -EINVAL;
layers[0].access = walker_rule->layers[0].access;
+ layers[0].flags = walker_rule->layers[0].flags;
err = insert_rule(dst, id, &layers, ARRAY_SIZE(layers));
if (err)
@@ -581,6 +587,10 @@ landlock_merge_ruleset(struct landlock_ruleset *const parent,
if (err)
return ERR_PTR(err);
+#ifdef CONFIG_AUDIT
+ new_dom->hierarchy->quiet_masks = ruleset->quiet_masks;
+#endif /* CONFIG_AUDIT */
+
return no_free_ptr(new_dom);
}
diff --git a/security/landlock/ruleset.h b/security/landlock/ruleset.h
index f80ca487d125..d54bdb925e96 100644
--- a/security/landlock/ruleset.h
+++ b/security/landlock/ruleset.h
@@ -156,8 +156,8 @@ struct landlock_ruleset {
* @work_free: Enables to free a ruleset within a lockless
* section. This is only used by
* landlock_put_ruleset_deferred() when @usage reaches zero.
- * The fields @lock, @usage, @num_rules, @num_layers and
- * @access_masks are then unused.
+ * The fields @lock, @usage, @num_rules, @num_layers, @quiet_masks
+ * and @access_masks are then unused.
*/
struct work_struct work_free;
struct {
@@ -183,6 +183,12 @@ struct landlock_ruleset {
* non-merged ruleset (i.e. not a domain).
*/
u32 num_layers;
+ /**
+ * @quiet_masks: Stores the quiet flags for an unmerged
+ * ruleset. For a merged domain, this is stored in each
+ * layer's struct landlock_hierarchy instead.
+ */
+ struct access_masks quiet_masks;
/**
* @access_masks: Contains the subset of filesystem and
* network actions that are restricted by a ruleset.
@@ -213,7 +219,7 @@ DEFINE_FREE(landlock_put_ruleset, struct landlock_ruleset *,
int landlock_insert_rule(struct landlock_ruleset *const ruleset,
const struct landlock_id id,
- const access_mask_t access);
+ const access_mask_t access, const int flags);
struct landlock_ruleset *
landlock_merge_ruleset(struct landlock_ruleset *const parent,
diff --git a/security/landlock/syscalls.c b/security/landlock/syscalls.c
index d45469d5d464..08b6045d6926 100644
--- a/security/landlock/syscalls.c
+++ b/security/landlock/syscalls.c
@@ -105,8 +105,11 @@ static void build_check_abi(void)
ruleset_size = sizeof(ruleset_attr.handled_access_fs);
ruleset_size += sizeof(ruleset_attr.handled_access_net);
ruleset_size += sizeof(ruleset_attr.scoped);
+ ruleset_size += sizeof(ruleset_attr.quiet_access_fs);
+ ruleset_size += sizeof(ruleset_attr.quiet_access_net);
+ ruleset_size += sizeof(ruleset_attr.quiet_scoped);
BUILD_BUG_ON(sizeof(ruleset_attr) != ruleset_size);
- BUILD_BUG_ON(sizeof(ruleset_attr) != 24);
+ BUILD_BUG_ON(sizeof(ruleset_attr) != 48);
path_beneath_size = sizeof(path_beneath_attr.allowed_access);
path_beneath_size += sizeof(path_beneath_attr.parent_fd);
@@ -193,6 +196,9 @@ const int landlock_abi_version = 10;
* - %EOPNOTSUPP: Landlock is supported by the kernel but disabled at boot time;
* - %EINVAL: unknown @flags, or unknown access, or unknown scope, or too small
* @size;
+ * - %EINVAL: quiet_access_fs, quiet_access_net, or quiet_scoped is not a
+ * subset of the corresponding handled_access_fs, handled_access_net, or
+ * scoped;
* - %E2BIG: @attr or @size inconsistencies;
* - %EFAULT: @attr or @size inconsistencies;
* - %ENOMSG: empty &landlock_ruleset_attr.handled_access_fs.
@@ -249,6 +255,21 @@ SYSCALL_DEFINE3(landlock_create_ruleset,
if ((ruleset_attr.scoped | LANDLOCK_MASK_SCOPE) != LANDLOCK_MASK_SCOPE)
return -EINVAL;
+ /*
+ * Check that quiet masks are subsets of the respective handled masks.
+ * Because of the checks above this is sufficient to also ensure that
+ * the quiet masks are valid access masks.
+ */
+ if ((ruleset_attr.quiet_access_fs | ruleset_attr.handled_access_fs) !=
+ ruleset_attr.handled_access_fs)
+ return -EINVAL;
+ if ((ruleset_attr.quiet_access_net | ruleset_attr.handled_access_net) !=
+ ruleset_attr.handled_access_net)
+ return -EINVAL;
+ if ((ruleset_attr.quiet_scoped | ruleset_attr.scoped) !=
+ ruleset_attr.scoped)
+ return -EINVAL;
+
/* Checks arguments and transforms to kernel struct. */
ruleset = landlock_create_ruleset(ruleset_attr.handled_access_fs,
ruleset_attr.handled_access_net,
@@ -256,6 +277,10 @@ SYSCALL_DEFINE3(landlock_create_ruleset,
if (IS_ERR(ruleset))
return PTR_ERR(ruleset);
+ ruleset->quiet_masks.fs = ruleset_attr.quiet_access_fs;
+ ruleset->quiet_masks.net = ruleset_attr.quiet_access_net;
+ ruleset->quiet_masks.scope = ruleset_attr.quiet_scoped;
+
/* Creates anonymous FD referring to the ruleset. */
ruleset_fd = anon_inode_getfd("[landlock-ruleset]", &ruleset_fops,
ruleset, O_RDWR | O_CLOEXEC);
@@ -320,7 +345,7 @@ static int get_path_from_fd(const s32 fd, struct path *const path)
}
static int add_rule_path_beneath(struct landlock_ruleset *const ruleset,
- const void __user *const rule_attr)
+ const void __user *const rule_attr, int flags)
{
struct landlock_path_beneath_attr path_beneath_attr;
struct path path;
@@ -335,9 +360,10 @@ static int add_rule_path_beneath(struct landlock_ruleset *const ruleset,
/*
* Informs about useless rule: empty allowed_access (i.e. deny rules)
- * are ignored in path walks.
+ * are ignored in path walks. However, the rule is not useless if it
+ * is there to hold a quiet flag.
*/
- if (!path_beneath_attr.allowed_access)
+ if (!flags && !path_beneath_attr.allowed_access)
return -ENOMSG;
/* Checks that allowed_access matches the @ruleset constraints. */
@@ -345,6 +371,10 @@ static int add_rule_path_beneath(struct landlock_ruleset *const ruleset,
if ((path_beneath_attr.allowed_access | mask) != mask)
return -EINVAL;
+ /* Checks for useless quiet flag. */
+ if (flags & LANDLOCK_ADD_RULE_QUIET && !ruleset->quiet_masks.fs)
+ return -EINVAL;
+
/* Gets and checks the new rule. */
err = get_path_from_fd(path_beneath_attr.parent_fd, &path);
if (err)
@@ -352,13 +382,13 @@ static int add_rule_path_beneath(struct landlock_ruleset *const ruleset,
/* Imports the new rule. */
err = landlock_append_fs_rule(ruleset, &path,
- path_beneath_attr.allowed_access);
+ path_beneath_attr.allowed_access, flags);
path_put(&path);
return err;
}
static int add_rule_net_port(struct landlock_ruleset *ruleset,
- const void __user *const rule_attr)
+ const void __user *const rule_attr, int flags)
{
struct landlock_net_port_attr net_port_attr;
int res;
@@ -371,9 +401,10 @@ static int add_rule_net_port(struct landlock_ruleset *ruleset,
/*
* Informs about useless rule: empty allowed_access (i.e. deny rules)
- * are ignored by network actions.
+ * are ignored by network actions. However, the rule is not useless
+ * if it is there to hold a quiet flag.
*/
- if (!net_port_attr.allowed_access)
+ if (!flags && !net_port_attr.allowed_access)
return -ENOMSG;
/* Checks that allowed_access matches the @ruleset constraints. */
@@ -381,13 +412,17 @@ static int add_rule_net_port(struct landlock_ruleset *ruleset,
if ((net_port_attr.allowed_access | mask) != mask)
return -EINVAL;
+ /* Checks for useless quiet flag. */
+ if (flags & LANDLOCK_ADD_RULE_QUIET && !ruleset->quiet_masks.net)
+ return -EINVAL;
+
/* Denies inserting a rule with port greater than 65535. */
if (net_port_attr.port > U16_MAX)
return -EINVAL;
/* Imports the new rule. */
return landlock_append_net_rule(ruleset, net_port_attr.port,
- net_port_attr.allowed_access);
+ net_port_attr.allowed_access, flags);
}
/**
@@ -398,7 +433,7 @@ static int add_rule_net_port(struct landlock_ruleset *ruleset,
* @rule_type: Identify the structure type pointed to by @rule_attr:
* %LANDLOCK_RULE_PATH_BENEATH or %LANDLOCK_RULE_NET_PORT.
* @rule_attr: Pointer to a rule (matching the @rule_type).
- * @flags: Must be 0.
+ * @flags: Must be 0 or %LANDLOCK_ADD_RULE_QUIET.
*
* This system call enables to define a new rule and add it to an existing
* ruleset.
@@ -408,20 +443,25 @@ static int add_rule_net_port(struct landlock_ruleset *ruleset,
* - %EOPNOTSUPP: Landlock is supported by the kernel but disabled at boot time;
* - %EAFNOSUPPORT: @rule_type is %LANDLOCK_RULE_NET_PORT but TCP/IP is not
* supported by the running kernel;
- * - %EINVAL: @flags is not 0;
+ * - %EINVAL: @flags is not valid;
* - %EINVAL: The rule accesses are inconsistent (i.e.
* &landlock_path_beneath_attr.allowed_access or
* &landlock_net_port_attr.allowed_access is not a subset of the ruleset
* handled accesses)
* - %EINVAL: &landlock_net_port_attr.port is greater than 65535;
+ * - %EINVAL: LANDLOCK_ADD_RULE_QUIET is passed but the ruleset has no
+ * quiet access bits set for the corresponding rule type.
* - %ENOMSG: Empty accesses (e.g. &landlock_path_beneath_attr.allowed_access is
- * 0);
+ * 0) and no flags;
* - %EBADF: @ruleset_fd is not a file descriptor for the current thread, or a
* member of @rule_attr is not a file descriptor as expected;
* - %EBADFD: @ruleset_fd is not a ruleset file descriptor, or a member of
* @rule_attr is not the expected file descriptor type;
* - %EPERM: @ruleset_fd has no write access to the underlying ruleset;
* - %EFAULT: @rule_attr was not a valid address.
+ *
+ * .. kernel-doc:: include/uapi/linux/landlock.h
+ * :identifiers: landlock_add_rule_flags
*/
SYSCALL_DEFINE4(landlock_add_rule, const int, ruleset_fd,
const enum landlock_rule_type, rule_type,
@@ -432,8 +472,7 @@ SYSCALL_DEFINE4(landlock_add_rule, const int, ruleset_fd,
if (!is_initialized())
return -EOPNOTSUPP;
- /* No flag for now. */
- if (flags)
+ if (flags && flags != LANDLOCK_ADD_RULE_QUIET)
return -EINVAL;
/* Gets and checks the ruleset. */
@@ -443,9 +482,9 @@ SYSCALL_DEFINE4(landlock_add_rule, const int, ruleset_fd,
switch (rule_type) {
case LANDLOCK_RULE_PATH_BENEATH:
- return add_rule_path_beneath(ruleset, rule_attr);
+ return add_rule_path_beneath(ruleset, rule_attr, flags);
case LANDLOCK_RULE_NET_PORT:
- return add_rule_net_port(ruleset, rule_attr);
+ return add_rule_net_port(ruleset, rule_attr, flags);
default:
return -EINVAL;
}
diff --git a/tools/testing/selftests/landlock/base_test.c b/tools/testing/selftests/landlock/base_test.c
index 6c8113c2ded1..84e91fcaa1b2 100644
--- a/tools/testing/selftests/landlock/base_test.c
+++ b/tools/testing/selftests/landlock/base_test.c
@@ -201,7 +201,7 @@ TEST(add_rule_checks_ordering)
ASSERT_LE(0, ruleset_fd);
/* Checks invalid flags. */
- ASSERT_EQ(-1, landlock_add_rule(-1, 0, NULL, 1));
+ ASSERT_EQ(-1, landlock_add_rule(-1, 0, NULL, 100));
ASSERT_EQ(EINVAL, errno);
/* Checks invalid ruleset FD. */
--
2.54.0
^ permalink raw reply related
* [PATCH v10 1/9] landlock: Add a place for flags to layer rules
From: Tingmao Wang @ 2026-06-01 0:00 UTC (permalink / raw)
To: Mickaël Salaün
Cc: Tingmao Wang, Günther Noack, Justin Suess, Jan Kara,
Abhinav Saxena, linux-security-module
In-Reply-To: <cover.1780272022.git.m@maowtm.org>
To avoid unnecessarily increasing the size of struct landlock_layer, we
make the layer level a u8 and use the space to store the flags struct.
struct layer_access_masks is renamed to struct layer_masks, and a new
field is added to track whether a quiet flag rule is seen for each
layer. Through use of bitfields, this does not increase the size of the
struct.
Cc: Justin Suess <utilityemal77@gmail.com>
Assisted-by: GitHub Copilot:claude-opus-4.7 copilot-review
Signed-off-by: Tingmao Wang <m@maowtm.org>
Co-developed-by: Justin Suess <utilityemal77@gmail.com>
Signed-off-by: Justin Suess <utilityemal77@gmail.com>
Tested-by: Justin Suess <utilityemal77@gmail.com>
---
Changes in v10:
- Doc for struct layer_mask members
- clang-format header file changes
- Add Tested-by for Justin Suess
Changes in v9:
- Move a hunk from patch 2 to here
- Fix comment and format
- Renamed struct layer_access_masks to struct layer_masks, and moved the
content of struct collected_rule_flags into this struct, getting rid
of the extra struct collected_rule_flags and function parameters.
This is following a discussion in [3]. The flag is now initialized in
landlock_init_layer_masks as false.
- Thus also removed now unnecessary layer_mask_t
Changes in v8:
- Rebase on top of mic/next
- Add Co-developed-by: Justin Suess for handling this rebase initially
- layer_mask_t was removed in [1] but we still need it for the
collected_rule_flags. Rather than using raw u16, I've chosen to
re-define it back in ruleset.h (it was in access.h).
Changes in v7:
- Take rule_flags separately from landlock_request in
is_access_to_paths_allowed to avoid writing to the landlock_request
variable if CONFIG_AUDIT is disabled (to enable compiler elision).
- Due to the above change, we don't need rule_flags in landlock_request in
this commit anymore (will be added later).
Changes in v6:
- Rebased to include the revised disconnected directory handling changes
(without the "reverting" behaviour)
Changes in v5:
- Move rule_flags into landlock_request. This lets us get rid of the
extra parameters to is_access_to_paths_allowed (and later on,
landlock_log_denial), and thus less code changes.
Changes in v3:
- Comment changes, move local variables, simplify if branch
Changes in v2:
- Comment changes
- Rebased to include disconnected directory handling changes on mic/next
and add backing up of collected_rule_flags.
[1]: https://lore.kernel.org/all/20260125195853.109967-1-gnoack3000@gmail.com/
[2]: https://lore.kernel.org/all/20251221194301.247484-1-utilityemal77@gmail.com/
[3]: https://lore.kernel.org/all/20260524.eFiz4hahrami@digikod.net/
security/landlock/access.h | 39 +++++++---
security/landlock/audit.c | 20 ++---
security/landlock/audit.h | 2 +-
security/landlock/domain.c | 19 ++---
security/landlock/domain.h | 2 +-
security/landlock/fs.c | 147 +++++++++++++++++++-----------------
security/landlock/limits.h | 3 +
security/landlock/net.c | 2 +-
security/landlock/ruleset.c | 33 +++++---
security/landlock/ruleset.h | 17 ++++-
10 files changed, 173 insertions(+), 111 deletions(-)
diff --git a/security/landlock/access.h b/security/landlock/access.h
index c19d5bc13944..42d8b5134358 100644
--- a/security/landlock/access.h
+++ b/security/landlock/access.h
@@ -62,18 +62,39 @@ static_assert(sizeof(typeof_member(union access_masks_all, masks)) ==
sizeof(typeof_member(union access_masks_all, all)));
/**
- * struct layer_access_masks - A boolean matrix of layers and access rights
- *
- * This has a bit for each combination of layer numbers and access rights.
- * During access checks, it is used to represent the access rights for each
- * layer which still need to be fulfilled. When all bits are 0, the access
- * request is considered to be fulfilled.
+ * struct layer_mask - The unfulfilled access rights and rule flags for
+ * a layer.
+ */
+struct layer_mask {
+ /**
+ * @access: During access checks, this is used to represent the access
+ * rights for each layer which still need to be fulfilled. When all
+ * bits are 0, the access request is allowed by this layer.
+ */
+ access_mask_t access : LANDLOCK_NUM_ACCESS_MAX;
+#ifdef CONFIG_AUDIT
+ /**
+ * @quiet: Whether we have encountered a rule with the quiet flag for
+ * this layer. Used to control audit logging.
+ */
+ bool quiet : 1;
+#endif /* CONFIG_AUDIT */
+};
+
+/*
+ * Make sure that we don't increase the size of struct layer_mask when
+ * storing rule flags.
+ */
+static_assert(sizeof(struct layer_mask) == sizeof(access_mask_t));
+
+/**
+ * struct layer_masks - An array of struct layer_mask, one per layer.
*/
-struct layer_access_masks {
+struct layer_masks {
/**
- * @access: The unfulfilled access rights for each layer.
+ * @layers: The unfulfilled access rights for each layer.
*/
- access_mask_t access[LANDLOCK_MAX_NUM_LAYERS];
+ struct layer_mask layers[LANDLOCK_MAX_NUM_LAYERS];
};
/*
diff --git a/security/landlock/audit.c b/security/landlock/audit.c
index 851647197a01..8c56f7f6467a 100644
--- a/security/landlock/audit.c
+++ b/security/landlock/audit.c
@@ -187,11 +187,11 @@ static void test_get_hierarchy(struct kunit *const test)
/* Get the youngest layer that denied the access_request. */
static size_t get_denied_layer(const struct landlock_ruleset *const domain,
access_mask_t *const access_request,
- const struct layer_access_masks *masks)
+ const struct layer_masks *masks)
{
- for (ssize_t i = ARRAY_SIZE(masks->access) - 1; i >= 0; i--) {
- if (masks->access[i] & *access_request) {
- *access_request &= masks->access[i];
+ for (ssize_t i = ARRAY_SIZE(masks->layers) - 1; i >= 0; i--) {
+ if (masks->layers[i].access & *access_request) {
+ *access_request &= masks->layers[i].access;
return i;
}
}
@@ -208,12 +208,12 @@ static void test_get_denied_layer(struct kunit *const test)
const struct landlock_ruleset dom = {
.num_layers = 5,
};
- const struct layer_access_masks masks = {
- .access[0] = LANDLOCK_ACCESS_FS_EXECUTE |
- LANDLOCK_ACCESS_FS_READ_DIR,
- .access[1] = LANDLOCK_ACCESS_FS_READ_FILE |
- LANDLOCK_ACCESS_FS_READ_DIR,
- .access[2] = LANDLOCK_ACCESS_FS_REMOVE_DIR,
+ const struct layer_masks masks = {
+ .layers[0].access = LANDLOCK_ACCESS_FS_EXECUTE |
+ LANDLOCK_ACCESS_FS_READ_DIR,
+ .layers[1].access = LANDLOCK_ACCESS_FS_READ_FILE |
+ LANDLOCK_ACCESS_FS_READ_DIR,
+ .layers[2].access = LANDLOCK_ACCESS_FS_REMOVE_DIR,
};
access_mask_t access;
diff --git a/security/landlock/audit.h b/security/landlock/audit.h
index 56778331b58c..b85d752273ac 100644
--- a/security/landlock/audit.h
+++ b/security/landlock/audit.h
@@ -43,7 +43,7 @@ struct landlock_request {
access_mask_t access;
/* Required fields for requests with layer masks. */
- const struct layer_access_masks *layer_masks;
+ const struct layer_masks *layer_masks;
/* Required fields for requests with deny masks. */
const access_mask_t all_existing_optional_access;
diff --git a/security/landlock/domain.c b/security/landlock/domain.c
index 5dd06f7c2312..d1a4d8b33ee1 100644
--- a/security/landlock/domain.c
+++ b/security/landlock/domain.c
@@ -184,7 +184,7 @@ static void test_get_layer_deny_mask(struct kunit *const test)
deny_masks_t
landlock_get_deny_masks(const access_mask_t all_existing_optional_access,
const access_mask_t optional_access,
- const struct layer_access_masks *const masks)
+ const struct layer_masks *const masks)
{
const unsigned long access_opt = optional_access;
unsigned long access_bit;
@@ -201,8 +201,9 @@ landlock_get_deny_masks(const access_mask_t all_existing_optional_access,
if (WARN_ON_ONCE(!access_opt))
return 0;
- for (ssize_t i = ARRAY_SIZE(masks->access) - 1; i >= 0; i--) {
- const access_mask_t denied = masks->access[i] & optional_access;
+ for (ssize_t i = ARRAY_SIZE(masks->layers) - 1; i >= 0; i--) {
+ const access_mask_t denied = masks->layers[i].access &
+ optional_access;
const unsigned long newly_denied = denied & ~all_denied;
if (!newly_denied)
@@ -222,12 +223,12 @@ landlock_get_deny_masks(const access_mask_t all_existing_optional_access,
static void test_landlock_get_deny_masks(struct kunit *const test)
{
- const struct layer_access_masks layers1 = {
- .access[0] = LANDLOCK_ACCESS_FS_EXECUTE |
- LANDLOCK_ACCESS_FS_IOCTL_DEV,
- .access[1] = LANDLOCK_ACCESS_FS_TRUNCATE,
- .access[2] = LANDLOCK_ACCESS_FS_IOCTL_DEV,
- .access[9] = LANDLOCK_ACCESS_FS_EXECUTE,
+ const struct layer_masks layers1 = {
+ .layers[0].access = LANDLOCK_ACCESS_FS_EXECUTE |
+ LANDLOCK_ACCESS_FS_IOCTL_DEV,
+ .layers[1].access = LANDLOCK_ACCESS_FS_TRUNCATE,
+ .layers[2].access = LANDLOCK_ACCESS_FS_IOCTL_DEV,
+ .layers[9].access = LANDLOCK_ACCESS_FS_EXECUTE,
};
KUNIT_EXPECT_EQ(test, 0x1,
diff --git a/security/landlock/domain.h b/security/landlock/domain.h
index 35cac8f6daee..af100a8cd939 100644
--- a/security/landlock/domain.h
+++ b/security/landlock/domain.h
@@ -119,7 +119,7 @@ struct landlock_hierarchy {
deny_masks_t
landlock_get_deny_masks(const access_mask_t all_existing_optional_access,
const access_mask_t optional_access,
- const struct layer_access_masks *const masks);
+ const struct layer_masks *const masks);
int landlock_init_hierarchy_log(struct landlock_hierarchy *const hierarchy);
diff --git a/security/landlock/fs.c b/security/landlock/fs.c
index edaa52572cbd..f7c1bc64de20 100644
--- a/security/landlock/fs.c
+++ b/security/landlock/fs.c
@@ -406,15 +406,15 @@ static const struct access_masks any_fs = {
* src_parent would result in having the same or fewer access rights if it were
* moved under new_parent.
*/
-static bool may_refer(const struct layer_access_masks *const src_parent,
- const struct layer_access_masks *const src_child,
- const struct layer_access_masks *const new_parent,
+static bool may_refer(const struct layer_masks *const src_parent,
+ const struct layer_masks *const src_child,
+ const struct layer_masks *const new_parent,
const bool child_is_dir)
{
- for (size_t i = 0; i < ARRAY_SIZE(new_parent->access); i++) {
- access_mask_t child_access = src_parent->access[i] &
- src_child->access[i];
- access_mask_t parent_access = new_parent->access[i];
+ for (size_t i = 0; i < ARRAY_SIZE(new_parent->layers); i++) {
+ access_mask_t child_access = src_parent->layers[i].access &
+ src_child->layers[i].access;
+ access_mask_t parent_access = new_parent->layers[i].access;
if (!child_is_dir) {
child_access &= ACCESS_FILE;
@@ -436,11 +436,11 @@ static bool may_refer(const struct layer_access_masks *const src_parent,
* that child2 may be used from parent2 to parent1 without increasing its access
* rights), false otherwise.
*/
-static bool no_more_access(const struct layer_access_masks *const parent1,
- const struct layer_access_masks *const child1,
+static bool no_more_access(const struct layer_masks *const parent1,
+ const struct layer_masks *const child1,
const bool child1_is_dir,
- const struct layer_access_masks *const parent2,
- const struct layer_access_masks *const child2,
+ const struct layer_masks *const parent2,
+ const struct layer_masks *const child2,
const bool child2_is_dir)
{
if (!may_refer(parent1, child1, parent2, child1_is_dir))
@@ -459,25 +459,25 @@ static bool no_more_access(const struct layer_access_masks *const parent1,
static void test_no_more_access(struct kunit *const test)
{
- const struct layer_access_masks rx0 = {
- .access[0] = LANDLOCK_ACCESS_FS_EXECUTE |
- LANDLOCK_ACCESS_FS_READ_FILE,
+ const struct layer_masks rx0 = {
+ .layers[0].access = LANDLOCK_ACCESS_FS_EXECUTE |
+ LANDLOCK_ACCESS_FS_READ_FILE,
};
- const struct layer_access_masks mx0 = {
- .access[0] = LANDLOCK_ACCESS_FS_EXECUTE |
- LANDLOCK_ACCESS_FS_MAKE_REG,
+ const struct layer_masks mx0 = {
+ .layers[0].access = LANDLOCK_ACCESS_FS_EXECUTE |
+ LANDLOCK_ACCESS_FS_MAKE_REG,
};
- const struct layer_access_masks x0 = {
- .access[0] = LANDLOCK_ACCESS_FS_EXECUTE,
+ const struct layer_masks x0 = {
+ .layers[0].access = LANDLOCK_ACCESS_FS_EXECUTE,
};
- const struct layer_access_masks x1 = {
- .access[1] = LANDLOCK_ACCESS_FS_EXECUTE,
+ const struct layer_masks x1 = {
+ .layers[1].access = LANDLOCK_ACCESS_FS_EXECUTE,
};
- const struct layer_access_masks x01 = {
- .access[0] = LANDLOCK_ACCESS_FS_EXECUTE,
- .access[1] = LANDLOCK_ACCESS_FS_EXECUTE,
+ const struct layer_masks x01 = {
+ .layers[0].access = LANDLOCK_ACCESS_FS_EXECUTE,
+ .layers[1].access = LANDLOCK_ACCESS_FS_EXECUTE,
};
- const struct layer_access_masks allows_all = {};
+ const struct layer_masks allows_all = {};
/* Checks without restriction. */
NMA_TRUE(&x0, &allows_all, false, &allows_all, NULL, false);
@@ -565,9 +565,13 @@ static void test_no_more_access(struct kunit *const test)
#undef NMA_TRUE
#undef NMA_FALSE
-static bool is_layer_masks_allowed(const struct layer_access_masks *masks)
+static bool is_layer_masks_allowed(const struct layer_masks *masks)
{
- return mem_is_zero(&masks->access, sizeof(masks->access));
+ for (size_t i = 0; i < ARRAY_SIZE(masks->layers); i++) {
+ if (masks->layers[i].access)
+ return false;
+ }
+ return true;
}
/*
@@ -576,16 +580,16 @@ static bool is_layer_masks_allowed(const struct layer_access_masks *masks)
* Returns true if the request is allowed, false otherwise.
*/
static bool scope_to_request(const access_mask_t access_request,
- struct layer_access_masks *masks)
+ struct layer_masks *masks)
{
bool saw_unfulfilled_access = false;
if (WARN_ON_ONCE(!masks))
return true;
- for (size_t i = 0; i < ARRAY_SIZE(masks->access); i++) {
- masks->access[i] &= access_request;
- if (masks->access[i])
+ for (size_t i = 0; i < ARRAY_SIZE(masks->layers); i++) {
+ masks->layers[i].access &= access_request;
+ if (masks->layers[i].access)
saw_unfulfilled_access = true;
}
return !saw_unfulfilled_access;
@@ -596,41 +600,46 @@ static bool scope_to_request(const access_mask_t access_request,
static void test_scope_to_request_with_exec_none(struct kunit *const test)
{
/* Allows everything. */
- struct layer_access_masks masks = {};
+ struct layer_masks masks = {};
/* Checks and scopes with execute. */
KUNIT_EXPECT_TRUE(test,
scope_to_request(LANDLOCK_ACCESS_FS_EXECUTE, &masks));
- KUNIT_EXPECT_EQ(test, 0, masks.access[0]);
+ KUNIT_EXPECT_EQ(test, 0, (access_mask_t)masks.layers[0].access);
}
static void test_scope_to_request_with_exec_some(struct kunit *const test)
{
/* Denies execute and write. */
- struct layer_access_masks masks = {
- .access[0] = LANDLOCK_ACCESS_FS_EXECUTE,
- .access[1] = LANDLOCK_ACCESS_FS_WRITE_FILE,
+ struct layer_masks masks = {
+ .layers[0].access = LANDLOCK_ACCESS_FS_EXECUTE,
+ .layers[1].access = LANDLOCK_ACCESS_FS_WRITE_FILE,
};
/* Checks and scopes with execute. */
KUNIT_EXPECT_FALSE(test, scope_to_request(LANDLOCK_ACCESS_FS_EXECUTE,
&masks));
- KUNIT_EXPECT_EQ(test, LANDLOCK_ACCESS_FS_EXECUTE, masks.access[0]);
- KUNIT_EXPECT_EQ(test, 0, masks.access[1]);
+ /*
+ * These casts to access_mask_t are needed because typeof(), used in
+ * KUNIT_EXPECT_EQ(), does not work on bitfields.
+ */
+ KUNIT_EXPECT_EQ(test, LANDLOCK_ACCESS_FS_EXECUTE,
+ (access_mask_t)masks.layers[0].access);
+ KUNIT_EXPECT_EQ(test, 0, (access_mask_t)masks.layers[1].access);
}
static void test_scope_to_request_without_access(struct kunit *const test)
{
/* Denies execute and write. */
- struct layer_access_masks masks = {
- .access[0] = LANDLOCK_ACCESS_FS_EXECUTE,
- .access[1] = LANDLOCK_ACCESS_FS_WRITE_FILE,
+ struct layer_masks masks = {
+ .layers[0].access = LANDLOCK_ACCESS_FS_EXECUTE,
+ .layers[1].access = LANDLOCK_ACCESS_FS_WRITE_FILE,
};
/* Checks and scopes without access request. */
KUNIT_EXPECT_TRUE(test, scope_to_request(0, &masks));
- KUNIT_EXPECT_EQ(test, 0, masks.access[0]);
- KUNIT_EXPECT_EQ(test, 0, masks.access[1]);
+ KUNIT_EXPECT_EQ(test, 0, (access_mask_t)masks.layers[0].access);
+ KUNIT_EXPECT_EQ(test, 0, (access_mask_t)masks.layers[1].access);
}
#endif /* CONFIG_SECURITY_LANDLOCK_KUNIT_TEST */
@@ -639,15 +648,15 @@ static void test_scope_to_request_without_access(struct kunit *const test)
* Returns true if there is at least one access right different than
* LANDLOCK_ACCESS_FS_REFER.
*/
-static bool is_eacces(const struct layer_access_masks *masks,
+static bool is_eacces(const struct layer_masks *masks,
const access_mask_t access_request)
{
if (!masks)
return false;
- for (size_t i = 0; i < ARRAY_SIZE(masks->access); i++) {
+ for (size_t i = 0; i < ARRAY_SIZE(masks->layers); i++) {
/* LANDLOCK_ACCESS_FS_REFER alone must return -EXDEV. */
- if (masks->access[i] & access_request &
+ if (masks->layers[i].access & access_request &
~LANDLOCK_ACCESS_FS_REFER)
return true;
}
@@ -661,7 +670,7 @@ static bool is_eacces(const struct layer_access_masks *masks,
static void test_is_eacces_with_none(struct kunit *const test)
{
- const struct layer_access_masks masks = {};
+ const struct layer_masks masks = {};
IE_FALSE(&masks, 0);
IE_FALSE(&masks, LANDLOCK_ACCESS_FS_REFER);
@@ -671,8 +680,8 @@ static void test_is_eacces_with_none(struct kunit *const test)
static void test_is_eacces_with_refer(struct kunit *const test)
{
- const struct layer_access_masks masks = {
- .access[0] = LANDLOCK_ACCESS_FS_REFER,
+ const struct layer_masks masks = {
+ .layers[0].access = LANDLOCK_ACCESS_FS_REFER,
};
IE_FALSE(&masks, 0);
@@ -683,8 +692,8 @@ static void test_is_eacces_with_refer(struct kunit *const test)
static void test_is_eacces_with_write(struct kunit *const test)
{
- const struct layer_access_masks masks = {
- .access[0] = LANDLOCK_ACCESS_FS_WRITE_FILE,
+ const struct layer_masks masks = {
+ .layers[0].access = LANDLOCK_ACCESS_FS_WRITE_FILE,
};
IE_FALSE(&masks, 0);
@@ -743,11 +752,11 @@ static bool
is_access_to_paths_allowed(const struct landlock_ruleset *const domain,
const struct path *const path,
const access_mask_t access_request_parent1,
- struct layer_access_masks *layer_masks_parent1,
+ struct layer_masks *layer_masks_parent1,
struct landlock_request *const log_request_parent1,
struct dentry *const dentry_child1,
const access_mask_t access_request_parent2,
- struct layer_access_masks *layer_masks_parent2,
+ struct layer_masks *layer_masks_parent2,
struct landlock_request *const log_request_parent2,
struct dentry *const dentry_child2)
{
@@ -755,9 +764,9 @@ is_access_to_paths_allowed(const struct landlock_ruleset *const domain,
child1_is_directory = true, child2_is_directory = true;
struct path walker_path;
access_mask_t access_masked_parent1, access_masked_parent2;
- struct layer_access_masks _layer_masks_child1, _layer_masks_child2;
- struct layer_access_masks *layer_masks_child1 = NULL,
- *layer_masks_child2 = NULL;
+ struct layer_masks _layer_masks_child1, _layer_masks_child2;
+ struct layer_masks *layer_masks_child1 = NULL,
+ *layer_masks_child2 = NULL;
if (!access_request_parent1 && !access_request_parent2)
return true;
@@ -797,6 +806,10 @@ is_access_to_paths_allowed(const struct landlock_ruleset *const domain,
}
if (unlikely(dentry_child1)) {
+ /*
+ * Get the layer masks for the child dentries for use by domain
+ * check later.
+ */
if (landlock_init_layer_masks(domain, LANDLOCK_MASK_ACCESS_FS,
&_layer_masks_child1,
LANDLOCK_KEY_INODE))
@@ -952,7 +965,7 @@ static int current_check_access_path(const struct path *const path,
};
const struct landlock_cred_security *const subject =
landlock_get_applicable_subject(current_cred(), masks, NULL);
- struct layer_access_masks layer_masks;
+ struct layer_masks layer_masks;
struct landlock_request request = {};
if (!subject)
@@ -1029,7 +1042,7 @@ static access_mask_t maybe_remove(const struct dentry *const dentry)
static bool collect_domain_accesses(const struct landlock_ruleset *const domain,
const struct dentry *const mnt_root,
struct dentry *dir,
- struct layer_access_masks *layer_masks_dom)
+ struct layer_masks *layer_masks_dom)
{
bool ret = false;
@@ -1135,8 +1148,7 @@ static int current_check_refer_path(struct dentry *const old_dentry,
access_mask_t access_request_parent1, access_request_parent2;
struct path mnt_dir;
struct dentry *old_parent;
- struct layer_access_masks layer_masks_parent1 = {},
- layer_masks_parent2 = {};
+ struct layer_masks layer_masks_parent1 = {}, layer_masks_parent2 = {};
struct landlock_request request1 = {}, request2 = {};
if (!subject)
@@ -1202,7 +1214,6 @@ static int current_check_refer_path(struct dentry *const old_dentry,
allow_parent2 = collect_domain_accesses(subject->domain, mnt_dir.dentry,
new_dir->dentry,
&layer_masks_parent2);
-
if (allow_parent1 && allow_parent2)
return 0;
@@ -1580,7 +1591,7 @@ static int hook_path_truncate(const struct path *const path)
*/
static void unmask_scoped_access(const struct landlock_ruleset *const client,
const struct landlock_ruleset *const server,
- struct layer_access_masks *const masks,
+ struct layer_masks *const masks,
const access_mask_t access)
{
int client_layer, server_layer;
@@ -1621,9 +1632,9 @@ static void unmask_scoped_access(const struct landlock_ruleset *const client,
server_walker = server_walker->parent;
for (; client_layer >= 0; client_layer--) {
- if (masks->access[client_layer] & access &&
+ if (masks->layers[client_layer].access & access &&
client_walker == server_walker)
- masks->access[client_layer] &= ~access;
+ masks->layers[client_layer].access &= ~access;
client_walker = client_walker->parent;
server_walker = server_walker->parent;
@@ -1635,7 +1646,7 @@ static int hook_unix_find(const struct path *const path, struct sock *other,
{
const struct landlock_ruleset *dom_other;
const struct landlock_cred_security *subject;
- struct layer_access_masks layer_masks;
+ struct layer_masks layer_masks;
struct landlock_request request = {};
static const struct access_masks fs_resolve_unix = {
.fs = LANDLOCK_ACCESS_FS_RESOLVE_UNIX,
@@ -1739,7 +1750,7 @@ static bool is_device(const struct file *const file)
static int hook_file_open(struct file *const file)
{
- struct layer_access_masks layer_masks = {};
+ struct layer_masks layer_masks = {};
access_mask_t open_access_request, full_access_request, allowed_access,
optional_access;
const struct landlock_cred_security *const subject =
@@ -1780,8 +1791,8 @@ static int hook_file_open(struct file *const file)
* are still unfulfilled in any of the layers.
*/
allowed_access = full_access_request;
- for (size_t i = 0; i < ARRAY_SIZE(layer_masks.access); i++)
- allowed_access &= ~layer_masks.access[i];
+ for (size_t i = 0; i < ARRAY_SIZE(layer_masks.layers); i++)
+ allowed_access &= ~layer_masks.layers[i].access;
}
/*
diff --git a/security/landlock/limits.h b/security/landlock/limits.h
index a4d908b240a2..08d5f2f6d321 100644
--- a/security/landlock/limits.h
+++ b/security/landlock/limits.h
@@ -31,6 +31,9 @@
#define LANDLOCK_MASK_SCOPE ((LANDLOCK_LAST_SCOPE << 1) - 1)
#define LANDLOCK_NUM_SCOPE __const_hweight64(LANDLOCK_MASK_SCOPE)
+#define LANDLOCK_NUM_ACCESS_MAX \
+ MAX(MAX(LANDLOCK_NUM_ACCESS_FS, LANDLOCK_NUM_ACCESS_NET), LANDLOCK_NUM_SCOPE)
+
#define LANDLOCK_LAST_RESTRICT_SELF LANDLOCK_RESTRICT_SELF_TSYNC
#define LANDLOCK_MASK_RESTRICT_SELF ((LANDLOCK_LAST_RESTRICT_SELF << 1) - 1)
diff --git a/security/landlock/net.c b/security/landlock/net.c
index db2046a89a9a..981a362c24db 100644
--- a/security/landlock/net.c
+++ b/security/landlock/net.c
@@ -48,7 +48,7 @@ static int current_check_access_socket(struct socket *const sock,
bool connecting)
{
__be16 port;
- struct layer_access_masks layer_masks = {};
+ struct layer_masks layer_masks = {};
const struct landlock_rule *rule;
struct landlock_id id = {
.type = LANDLOCK_KEY_NET_PORT,
diff --git a/security/landlock/ruleset.c b/security/landlock/ruleset.c
index 181df7736bb9..91948e406e69 100644
--- a/security/landlock/ruleset.c
+++ b/security/landlock/ruleset.c
@@ -628,7 +628,7 @@ landlock_find_rule(const struct landlock_ruleset *const ruleset,
* remaining unfulfilled access rights and masks has no leftover set bits).
*/
bool landlock_unmask_layers(const struct landlock_rule *const rule,
- struct layer_access_masks *masks)
+ struct layer_masks *masks)
{
if (!masks)
return true;
@@ -649,11 +649,17 @@ bool landlock_unmask_layers(const struct landlock_rule *const rule,
const struct landlock_layer *const layer = &rule->layers[i];
/* Clear the bits where the layer in the rule grants access. */
- masks->access[layer->level - 1] &= ~layer->access;
+ masks->layers[layer->level - 1].access &= ~layer->access;
+
+#ifdef CONFIG_AUDIT
+ /* Collect rule flags for each layer. */
+ if (layer->flags.quiet)
+ masks->layers[layer->level - 1].quiet = true;
+#endif /* CONFIG_AUDIT */
}
- for (size_t i = 0; i < ARRAY_SIZE(masks->access); i++) {
- if (masks->access[i])
+ for (size_t i = 0; i < ARRAY_SIZE(masks->layers); i++) {
+ if (masks->layers[i].access)
return false;
}
return true;
@@ -668,6 +674,7 @@ get_access_mask_t(const struct landlock_ruleset *const ruleset,
*
* Populates @masks such that for each access right in @access_request,
* the bits for all the layers are set where this access right is handled.
+ * Rule flags are also zeroed.
*
* @domain: The domain that defines the current restrictions.
* @access_request: The requested access rights to check.
@@ -680,7 +687,7 @@ get_access_mask_t(const struct landlock_ruleset *const ruleset,
access_mask_t
landlock_init_layer_masks(const struct landlock_ruleset *const domain,
const access_mask_t access_request,
- struct layer_access_masks *const masks,
+ struct layer_masks *const masks,
const enum landlock_key_type key_type)
{
access_mask_t handled_accesses = 0;
@@ -709,11 +716,19 @@ landlock_init_layer_masks(const struct landlock_ruleset *const domain,
for (size_t i = 0; i < domain->num_layers; i++) {
const access_mask_t handled = get_access_mask(domain, i);
- masks->access[i] = access_request & handled;
- handled_accesses |= masks->access[i];
+ masks->layers[i].access = access_request & handled;
+ handled_accesses |= masks->layers[i].access;
+#ifdef CONFIG_AUDIT
+ masks->layers[i].quiet = false;
+#endif /* CONFIG_AUDIT */
+ }
+ for (size_t i = domain->num_layers; i < ARRAY_SIZE(masks->layers);
+ i++) {
+ masks->layers[i].access = 0;
+#ifdef CONFIG_AUDIT
+ masks->layers[i].quiet = false;
+#endif /* CONFIG_AUDIT */
}
- for (size_t i = domain->num_layers; i < ARRAY_SIZE(masks->access); i++)
- masks->access[i] = 0;
return handled_accesses;
}
diff --git a/security/landlock/ruleset.h b/security/landlock/ruleset.h
index 889f4b30301a..f80ca487d125 100644
--- a/security/landlock/ruleset.h
+++ b/security/landlock/ruleset.h
@@ -29,7 +29,18 @@ struct landlock_layer {
/**
* @level: Position of this layer in the layer stack. Starts from 1.
*/
- u16 level;
+ u8 level;
+ /**
+ * @flags: Bitfield for special flags attached to this rule.
+ */
+ struct {
+ /**
+ * @quiet: Suppresses denial audit logs for the object covered by
+ * this rule in this domain. For filesystem rules, this inherits
+ * down the file hierarchy.
+ */
+ bool quiet : 1;
+ } flags;
/**
* @access: Bitfield of allowed actions on the kernel object. They are
* relative to the object type (e.g. %LANDLOCK_ACTION_FS_READ).
@@ -302,12 +313,12 @@ landlock_get_scope_mask(const struct landlock_ruleset *const ruleset,
}
bool landlock_unmask_layers(const struct landlock_rule *const rule,
- struct layer_access_masks *masks);
+ struct layer_masks *masks);
access_mask_t
landlock_init_layer_masks(const struct landlock_ruleset *const domain,
const access_mask_t access_request,
- struct layer_access_masks *masks,
+ struct layer_masks *masks,
const enum landlock_key_type key_type);
#endif /* _SECURITY_LANDLOCK_RULESET_H */
--
2.54.0
^ permalink raw reply related
* [PATCH v10 0/9] Implement LANDLOCK_ADD_RULE_QUIET
From: Tingmao Wang @ 2026-06-01 0:00 UTC (permalink / raw)
To: Mickaël Salaün
Cc: Tingmao Wang, Günther Noack, Justin Suess, Jan Kara,
Abhinav Saxena, linux-security-module
Hi,
This is the v10 of the "quiet flag" series, implementing the feature as
proposed in [1].
v9: https://lore.kernel.org/all/cover.1779843375.git.m@maowtm.org/
v8: https://lore.kernel.org/all/cover.1775490344.git.m@maowtm.org/
v7: https://lore.kernel.org/all/cover.1766330134.git.m@maowtm.org/
v6: https://lore.kernel.org/all/cover.1765040503.git.m@maowtm.org/
v5: https://lore.kernel.org/all/cover.1763931318.git.m@maowtm.org/
v4: https://lore.kernel.org/all/cover.1763330228.git.m@maowtm.org/
v3: https://lore.kernel.org/all/cover.1761511023.git.m@maowtm.org/
v2: https://lore.kernel.org/all/cover.1759686613.git.m@maowtm.org/
v1: https://lore.kernel.org/all/cover.1757376311.git.m@maowtm.org/
v9..v10:
- clang-format on .h files
- doc changes
- fix grammar in various comments
- remove stray __attribute__((fallthrough));
(Kept ABI version at 10)
All text following this line is unchanged
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
v8..v9:
- Refactor to store the collected rule flags in layer_masks instead
(renamed from layer_access_masks). Got rid of layer_mask_t again.
- Rebase sandboxer and net_tests on top of UDP support, resolving
conflicts
- Additional small changes, noted in each patch
v7..v8:
- Rebase to mic/next
- Re-introduced layer_mask_t due to need in first patch
- Plumb through rule flags in hook_unix_find()
- Some selftests patches were not properly clang-format'd, fixed now.
- Minor env var handling change in sandboxer
- Fix selftests use of audit_count_records() without EXPECT_EQ
v6..v7:
- Remove "landlock: Fix wrong type usage" (merged)
- Revert back to taking rule_flags separately from landlock_request until
we call landlock_log_denial (https://lore.kernel.org/all/20251219.ahn3aiJuKahb@digikod.net/)
- Rebase to mic/next
v5..v6 rebases on top of the new simpler disconnected directory handling,
change some bools into u32, and fix some typo and style.
v4..v5 addresses review feedbacks, most significantly:
- reduces code changes by pushing rule_flags into landlock_request.
- adding test cases for two layers handling different access bits.
v3..v4 is a one-character formatting change, plus more tests.
We now have 5 patches for the selftest - I'm happy to squash it into one
depending on preference (and happy for Mickaël to do the squash if no
other feedback):
- selftests/landlock: Replace hard-coded 16 with a constant
- selftests/landlock: add tests for quiet flag with fs rules
- selftests/landlock: add tests for quiet flag with net rules
- selftests/landlock: Add tests for quiet flag with scope
- selftests/landlock: Add tests for invalid use of quiet flag
v2..v3:
Not much has changed in the actual functionality except various comment,
typing, asserts and general style fixes based on feedback. The major new
thing here is tests (a bit of KUnit squashed into the optional access
commit, a lot of selftests especially in fs_tests.c).
The added fs_tests should exercise code path for optional and non-optional
access, renames, and mountpoint and disconnected directory handling. I
will add the above missing bits to v4.
Removed:
- "Implement quiet for optional accesses"
(squashed into "landlock: Suppress logging when quiet flag is present")
Old feature summary below:
The quiet flag allows a sandboxer to suppress audit logs for uninteresting
denials. The flag can be set on objects and inherits downward in the
filesystem hierarchy. On a denial, the youngest denying layer's quiet
flag setting decides whether to audit. The motivation for this feature is
to reduce audit noise, and also prepare for a future supervisor feature
which will use this bit to suppress supervisor notifications.
This patch introduces a new quiet access mask in the ruleset_attr, which
gets eventually stored in the hierarchy. This allows the user to specify
which access should be affected by quiet bits. One can then, for example,
make it such that read accesses to certain files are not audited (but
still denied), but all writes are still audited, regardless of location.
The sandboxer is extended to show example usage of this feature,
supporting quieting filesystem, network and scope accesses.
Demo:
/# LL_FS_RO=/usr LL_FS_RW= LL_FORCE_LOG=1 LL_FS_QUIET=/dev:/tmp:/etc LL_FS_QUIET_ACCESS=r ./sandboxer bash
...
audit: type=1423 audit(1759680175.562:195): domain=15bb25f6b blockers=fs.write_file,fs.read_file path="/dev/tty" dev="devtmpfs" ino=11
^^^^^^^^
# note: because write is not quieted, we see the above line. blockers
# contains read as well since that's the originally requested access.
audit: type=1424 audit(1759680175.562:195): domain=15bb25f6b status=allocated mode=enforcing pid=616 uid=0 exe="/sandboxer" comm="sandboxer"
audit: type=1300 audit(1759680175.562:195): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=5565c86113d1 a2=802 a3=0 items=0 ppid=605 pid=616 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="bash" exe="/usr/bin/bash" key=(null)
audit: type=1327 audit(1759680175.562:195): proctitle="bash"
bash: cannot set terminal process group (605): Inappropriate ioctl for device
bash: no job control in this shell
bash: /etc/bash.bashrc: Permission denied
audit: type=1423 audit(1759680175.570:196): domain=15bb25f6b blockers=fs.read_file path="/.bash_history" dev="virtiofs" ino=36963
^^^^^^^^
# read outside /dev:/tmp:/etc - not quieted
audit: type=1300 audit(1759680175.570:196): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=5565c868e400 a2=0 a3=0 items=0 ppid=605 pid=616 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="bash" exe="/usr/bin/bash" key=(null)
audit: type=1327 audit(1759680175.570:196): proctitle="bash"
audit: type=1423 audit(1759680175.570:197): domain=15bb25f6b blockers=fs.read_file path="/.bash_history" dev="virtiofs" ino=36963
audit: type=1300 audit(1759680175.570:197): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=5565c868e400 a2=0 a3=0 items=0 ppid=605 pid=616 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="bash" exe="/usr/bin/bash" key=(null)
audit: type=1327 audit(1759680175.570:197): proctitle="bash"
bash-5.2# head /etc/passwd
head: cannot open '/etc/passwd' for reading: Permission denied
^^^^^^^^
# reads to /etc are quieted
bash-5.2# echo evil >> /etc/passwd
bash: /etc/passwd: Permission denied
audit: type=1423 audit(1759680227.030:198): domain=15bb25f6b blockers=fs.write_file path="/etc/passwd" dev="virtiofs" ino=790
^^^^^^^^
# writes are not quieted
audit: type=1300 audit(1759680227.030:198): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=5565c86ab030 a2=441 a3=1b6 items=0 ppid=605 pid=616 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="bash" exe="/usr/bin/bash" key=(null)
audit: type=1327 audit(1759680227.030:198): proctitle="bash"
Design:
- The user can set the quiet flag for a layer on any part of the fs
hierarchy (whether it allows any access on it or not), and the flag
inherits down (no support for "cancelling" the inheritance of the flag
in specific subdirectories).
- The youngest layer that denies a request gets to decide whether the
denial is audited or not. This means that a compromised binary, for
example, cannot "turn off" Landlock auditing when it tries to access
files, unless it denies access to the files itself. There is some
debate to be had on whether, if a parent layer sets the quiet flag, but
the request is denied by a deeper layer, whether Landlock should still
audit anyway (since the rule author of the child layer likely did not
expect the denial, so it would be good diagnostic). The current
approach is to ignore the quiet on the parent layer and audit anyway.
[1]: https://github.com/landlock-lsm/linux/issues/44#issuecomment-2876500918
Kind regards,
Tingmao
Tingmao Wang (9):
landlock: Add a place for flags to layer rules
landlock: Add API support and docs for the quiet flags
landlock: Suppress logging when quiet flag is present
samples/landlock: Add quiet flag support to sandboxer
selftests/landlock: Replace hard-coded 16 with a constant
selftests/landlock: add tests for quiet flag with fs rules
selftests/landlock: add tests for quiet flag with net rules
selftests/landlock: Add tests for quiet flag with scope
selftests/landlock: Add tests for invalid use of quiet flag
Documentation/admin-guide/LSM/landlock.rst | 9 +-
Documentation/userspace-api/landlock.rst | 11 +
include/uapi/linux/landlock.h | 61 +
samples/landlock/sandboxer.c | 133 +-
security/landlock/access.h | 44 +-
security/landlock/audit.c | 281 +-
security/landlock/audit.h | 3 +-
security/landlock/domain.c | 52 +-
security/landlock/domain.h | 11 +-
security/landlock/fs.c | 180 +-
security/landlock/fs.h | 19 +-
security/landlock/limits.h | 3 +
security/landlock/net.c | 22 +-
security/landlock/net.h | 5 +-
security/landlock/ruleset.c | 45 +-
security/landlock/ruleset.h | 29 +-
security/landlock/syscalls.c | 71 +-
tools/testing/selftests/landlock/audit_test.c | 27 +-
tools/testing/selftests/landlock/base_test.c | 59 +-
tools/testing/selftests/landlock/common.h | 2 +
tools/testing/selftests/landlock/fs_test.c | 2449 ++++++++++++++++-
tools/testing/selftests/landlock/net_test.c | 138 +-
.../landlock/scoped_abstract_unix_test.c | 77 +-
23 files changed, 3512 insertions(+), 219 deletions(-)
base-commit: b7d9ce964102b004a90568726dcdf9051602ddd9
--
2.54.0
^ permalink raw reply
* Re: [PATCH] KEYS: fix overflow in keyctl_pkey_params_get_2()
From: Jarkko Sakkinen @ 2026-05-31 17:04 UTC (permalink / raw)
To: Alessandro G
Cc: keyringsy, stable, David Howells, Paul Moore, James Morris,
Serge E. Hallyn, Denis Kenzior, Marcel Holtmann, keyrings,
linux-security-module, linux-kernel
In-Reply-To: <CAJXJp6jMLQvYi6rpt31hO0O5WwLipSihT9PxFJu1bvtfUS2CBw@mail.gmail.com>
On Sun, May 31, 2026 at 09:23:11AM +0200, Alessandro G wrote:
> Hi Jarkko,
>
> The surname is “Groppo” instead of “Grupp”, don’t worry and thanks for asking!
>
> Thanks also for the fix!
>
> BR,
> Alessandro
Thank you! This was a super good bug report.
Since I cannot do it without permission, can I add your tested-by to the
patch?
BR, Jarkko
>
> Il giorno dom 31 mag 2026 alle 05:25 Jarkko Sakkinen <jarkko@kernel.org> ha
> scritto:
>
> On Sun, May 31, 2026 at 05:49:13AM +0300, Jarkko Sakkinen wrote:
> > The length for the internal output buffer is calculated incorrectly,
> which
> > can result overflow when a too small buffer is provided.
> >
> > Fix the bug by allocating internal output with the size of the maximum
> > length of the cryptographic primitive instead of caller provided size.
> >
> > Cc: stable@vger.kernel.org # v4.20+
> > Fixes: 00d60fd3b932 ("KEYS: Provide keyctls to drive the new key type ops
> for asymmetric keys [ver #2]")
> > Reported-by: Alessandro Grupp <ale.grpp@gmail.com>
> > Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
>
> Should be available in -next within a day or along the lines so please
> be quick with tags/feedback. I'll forward a PR as soon as all is good.
>
> BR, Jarkko
>
^ permalink raw reply
* Re: [PATCH v3 1/2] landlock: fix LANDLOCK_SCOPE_SIGNAL bypass via F_SETOWN to invoker's pgid
From: Mickaël Salaün @ 2026-05-31 10:41 UTC (permalink / raw)
To: hexlabsecurity
Cc: Justin Suess, gnoack@google.com,
linux-security-module@vger.kernel.org, stable@vger.kernel.org,
Christian Brauner
In-Reply-To: <7rvmLIHR1Zh8RDF1IY1-SYRHzErgw9gPHq0k98RLYVsmHqAejjxcuJi8V3QaSbW-SnNvY5tfM2Xn_S1dEajKV_f7iyitoPwJgOSTZQ0nytc=@proton.me>
On Fri, May 29, 2026 at 07:07:30PM +0000, hexlabsecurity@proton.me wrote:
> From b5fdc79ce1cb2881d59dfed01d3d9170306be9e8 Mon Sep 17 00:00:00 2001
> From: Bryam Vargas <hexlabsecurity@proton.me>
> Date: Fri, 29 May 2026 12:49:41 -0500
> Subject: [PATCH v3 1/2] landlock: fix LANDLOCK_SCOPE_SIGNAL bypass via
> F_SETOWN to invoker's pgid
Please send proper threaded emails. Sending two unrelated
emails/patches and with additional headers in the body makes it more
difficult to handle and ignored by reviewer bots.
>
> A Landlock-restricted process can bypass LANDLOCK_SCOPE_SIGNAL on the
> SIGIO delivery path and deliver arbitrary signals (including SIGKILL via
> F_SETSIG) to non-Landlocked targets that share its pgid, by exploiting a
> producer-side cache-vs-live evaluation gap.
What does mean: "producer-side cache-vs-live evaluation gap"?
It looks like the "cache" here is the fowner data, which is not a cache.
Could you please make it clear in the commit message what is the threat
(e.g. real-life scenario of a signal control bypass)?
>
> The SIGIO path in hook_file_send_sigiotask() consults a cached subject
> stored in landlock_file(file)->fown_subject at fcntl(F_SETOWN) time
> (via hook_file_set_fowner()), instead of evaluating the live Landlock
> domain of the invoking task at signal-send time. The capture is gated
> by control_current_fowner(), which returns false (skipping capture)
> when pid_task(fown->pid, fown->pid_type) is in current's thread group.
Commit messages should mostly explain the "why", and only the minimal
"what".
A simpler commit message would be useful.
>
> This is correct for PIDTYPE_TGID / PIDTYPE_PID, where the target is a
> single task sharing current's cred. It is unsafe for PIDTYPE_PGID and
By "task" do you mean "process"?
> PIDTYPE_SID: when current is at the head of its pgid hlist -- the
> default placement after fork(), hlist_add_head_rcu() in kernel/fork.c --
> pid_task(pgid, PIDTYPE_PGID) resolves to current itself,
> same_thread_group(current, current) is true, the capture is skipped, and
> fown_subject.domain stays NULL. hook_file_send_sigiotask() then
> short-circuits at "if (!subject->domain) return 0;", letting the kernel
> fan the signal out to every member of the group, including tasks outside
> current's Landlock domain that SCOPE_SIGNAL is supposed to protect.
>
> The direct kill() path (hook_task_kill) is unaffected: it evaluates
> current's live domain on every call. Only the cached SIGIO path is
> broken.
>
> Tighten control_current_fowner() to apply the thread-group exemption
> only when the target identifies a single task whose Landlock cred is
> necessarily shared with current (PIDTYPE_TGID, PIDTYPE_PID). For
> PIDTYPE_PGID and PIDTYPE_SID, always capture the current Landlock
> subject so the consumer's scope check runs against every member of the
> group at delivery time.
PIDTYPE_SID doesn't seem possible.
>
> Stable kernels before the fown_subject conversion store the domain in
> landlock_file(file)->fown_domain; control_current_fowner() is identical
> there, so the same exemption and the same fix apply.
>
> Fixes: 18eb75f3af40 ("landlock: Always allow signals between threads of the same process")
> Cc: stable@vger.kernel.org
> Reported-by: Bryam Vargas <hexlabsecurity@proton.me>
You should remove Reported-by because it is implicit when you also add a
Signed-off-by with the same value.
> Tested-by: Justin Suess <utilityemal77@gmail.com>
> Signed-off-by: Bryam Vargas <hexlabsecurity@proton.me>
> ---
> security/landlock/fs.c | 12 ++++++++++++
> 1 file changed, 12 insertions(+)
>
> diff --git a/security/landlock/fs.c b/security/landlock/fs.c
> index c1ecfe239032..edaa52572cbd 100644
> --- a/security/landlock/fs.c
> +++ b/security/landlock/fs.c
> @@ -1909,6 +1909,18 @@ static bool control_current_fowner(struct fown_struct *const fown)
> if (!p)
> return true;
>
> + /*
> + * For PIDTYPE_PGID and PIDTYPE_SID, signal delivery fans out to
> + * every member of the group at SIGIO time. Even when pid_task()
> + * resolves to current itself (e.g., current is the pgid hlist
> + * head post-fork), non-current members of the group are still
> + * valid targets that must be checked by hook_file_send_sigiotask().
> + * Always capture the current subject for those types so the
> + * consumer scope check runs against the live fown_subject.
This looks good but could be simplified.
> + */
> + if (fown->pid_type == PIDTYPE_PGID || fown->pid_type == PIDTYPE_SID)
PIDTYPE_SID is not possible for fowner, and I'd prefer a defensive
programming approach:
fown->pid_type != PIDTYPE_PID && fown->pid_type != PIDTYPE_TGID
> + return true;
> +
> return !same_thread_group(p, current);
> }
>
> --
> 2.43.0
>
>
^ permalink raw reply
* Re: [PATCH] KEYS: fix overflow in keyctl_pkey_params_get_2()
From: Jarkko Sakkinen @ 2026-05-31 3:25 UTC (permalink / raw)
To: keyringsy
Cc: stable, Alessandro Grupp, David Howells, Paul Moore, James Morris,
Serge E. Hallyn, Denis Kenzior, Marcel Holtmann, keyrings,
linux-security-module, linux-kernel
In-Reply-To: <20260531024914.3712130-1-jarkko@kernel.org>
On Sun, May 31, 2026 at 05:49:13AM +0300, Jarkko Sakkinen wrote:
> The length for the internal output buffer is calculated incorrectly, which
> can result overflow when a too small buffer is provided.
>
> Fix the bug by allocating internal output with the size of the maximum
> length of the cryptographic primitive instead of caller provided size.
>
> Cc: stable@vger.kernel.org # v4.20+
> Fixes: 00d60fd3b932 ("KEYS: Provide keyctls to drive the new key type ops for asymmetric keys [ver #2]")
> Reported-by: Alessandro Grupp <ale.grpp@gmail.com>
> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Should be available in -next within a day or along the lines so please
be quick with tags/feedback. I'll forward a PR as soon as all is good.
BR, Jarkko
^ permalink raw reply
* [PATCH] KEYS: fix overflow in keyctl_pkey_params_get_2()
From: Jarkko Sakkinen @ 2026-05-31 2:49 UTC (permalink / raw)
To: keyringsy
Cc: Jarkko Sakkinen, stable, Alessandro Grupp, David Howells,
Paul Moore, James Morris, Serge E. Hallyn, Denis Kenzior,
Marcel Holtmann, keyrings, linux-security-module, linux-kernel
The length for the internal output buffer is calculated incorrectly, which
can result overflow when a too small buffer is provided.
Fix the bug by allocating internal output with the size of the maximum
length of the cryptographic primitive instead of caller provided size.
Cc: stable@vger.kernel.org # v4.20+
Fixes: 00d60fd3b932 ("KEYS: Provide keyctls to drive the new key type ops for asymmetric keys [ver #2]")
Reported-by: Alessandro Grupp <ale.grpp@gmail.com>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
---
Alessandro, please correct if I put the last name correctly (and
sincere apologies if not).
security/keys/keyctl_pkey.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/security/keys/keyctl_pkey.c b/security/keys/keyctl_pkey.c
index 97bc27bbf079..ba150ee2d4a3 100644
--- a/security/keys/keyctl_pkey.c
+++ b/security/keys/keyctl_pkey.c
@@ -138,28 +138,35 @@ static int keyctl_pkey_params_get_2(const struct keyctl_pkey_params __user *_par
if (uparams.in_len > info.max_dec_size ||
uparams.out_len > info.max_enc_size)
return -EINVAL;
+
+ params->out_len = info.max_enc_size;
break;
case KEYCTL_PKEY_DECRYPT:
if (uparams.in_len > info.max_enc_size ||
uparams.out_len > info.max_dec_size)
return -EINVAL;
+
+ params->out_len = info.max_dec_size;
break;
case KEYCTL_PKEY_SIGN:
if (uparams.in_len > info.max_data_size ||
uparams.out_len > info.max_sig_size)
return -EINVAL;
+
+ params->out_len = info.max_sig_size;
break;
case KEYCTL_PKEY_VERIFY:
if (uparams.in_len > info.max_data_size ||
uparams.in2_len > info.max_sig_size)
return -EINVAL;
+
+ params->out_len = info.max_sig_size;
break;
default:
BUG();
}
params->in_len = uparams.in_len;
- params->out_len = uparams.out_len; /* Note: same as in2_len */
return 0;
}
--
2.47.3
^ permalink raw reply related
* Re: [PATCH] keys: Pin request_key_auth payload in instantiate paths
From: Jarkko Sakkinen @ 2026-05-30 16:49 UTC (permalink / raw)
To: eee sss
Cc: David Howells, keyrings, linux-security-module, linux-kernel,
Paul Moore, James Morris, Serge E. Hallyn
In-Reply-To: <ahsUxQryCvPggKBt@kernel.org>
On Sat, May 30, 2026 at 07:48:10PM +0300, Jarkko Sakkinen wrote:
> On Sat, May 30, 2026 at 09:19:33AM -0700, eee sss wrote:
> > Hi Jarkko,
> >
> > Yes, I have a reproducer available as a tar.gz file.
> >
> > I am not attaching it directly here because I am not sure what the preferred
> > way is to share a tar.gz reproducer in this mail context, especially with
> > mailing lists on Cc. Please let me know whether you would prefer a direct
> > attachment, a private upload location, encrypted transfer, or another channel.
> >
> > BR,
> > Shaomin
>
> Drop it to me as private! I actually have now queue of total three
> reproducers but I'll get to this sometime next week :-) Lots of stuff
> apparently happening in sec.
polite request: it is advicable to use plain text in. It's not just me
whining but also sometimes some ML servers simply drop HTML mail i.e.
only non-ML recipients will get it. Just something to be aware of that's
all.
BR, Jarkko
^ permalink raw reply
* Re: [PATCH] keys: Pin request_key_auth payload in instantiate paths
From: Jarkko Sakkinen @ 2026-05-30 16:48 UTC (permalink / raw)
To: eee sss
Cc: David Howells, keyrings, linux-security-module, linux-kernel,
Paul Moore, James Morris, Serge E. Hallyn
In-Reply-To: <CA+TOyfhe=0Ty-FQDZy-9_LWJ6dgakzyjog5rNfQ2NdCc5X+dFQ@mail.gmail.com>
On Sat, May 30, 2026 at 09:19:33AM -0700, eee sss wrote:
> Hi Jarkko,
>
> Yes, I have a reproducer available as a tar.gz file.
>
> I am not attaching it directly here because I am not sure what the preferred
> way is to share a tar.gz reproducer in this mail context, especially with
> mailing lists on Cc. Please let me know whether you would prefer a direct
> attachment, a private upload location, encrypted transfer, or another channel.
>
> BR,
> Shaomin
Drop it to me as private! I actually have now queue of total three
reproducers but I'll get to this sometime next week :-) Lots of stuff
apparently happening in sec.
BR, Jarkko
^ permalink raw reply
* Re: [PATCH 01/11] hornet: fix TOCTOU in signed program verification
From: Fan Wu @ 2026-05-30 1:11 UTC (permalink / raw)
To: Blaise Boscaccy
Cc: Jonathan Corbet, Shuah Khan, Paul Moore, James Morris,
Serge E. Hallyn, Eric Biggers, Fan Wu, James.Bottomley,
linux-security-module
In-Reply-To: <20260528030915.2654994-2-bboscaccy@linux.microsoft.com>
On Wed, May 27, 2026 at 8:09 PM Blaise Boscaccy
<bboscaccy@linux.microsoft.com> wrote:
>
> The signature verification path was vulnerable to a time-of-check vs
> time-of-use race at both the program load and program run hook sites:
> between the moment a map's contents were hashed for signature
> verification and the moment the program run hook re-verified them, an
> attacker with sufficient privileges could swap or mutate the map
> contents.
>
> Close the race by snapshotting the map hashes during program load,
> attaching them to the program, and re-verifying them from the
> security_bpf_prog hook against prog->aux->used_maps. Because used_maps
> is the same map set the verifier and runtime resolve against, there is
> no longer a window in which the verified set and the executed set can
> diverge.
>
> Since we are no longer targeting the fd_array passed in, drop the map
> index data entirely and check for whether or not the set of requested
> map hashes is a subset of prog->aux->used_maps.
>
> Reported-by: Eric Biggers <ebiggers@kernel.org>
> Signed-off-by: Blaise Boscaccy <bboscaccy@linux.microsoft.com>
> ---
> Documentation/admin-guide/LSM/Hornet.rst | 39 +++-----
> scripts/hornet/gen_sig.c | 17 +---
> security/hornet/hornet.asn1 | 1 -
> security/hornet/hornet_lsm.c | 121 +++--------------------
> tools/testing/selftests/hornet/Makefile | 2 +-
> 5 files changed, 35 insertions(+), 145 deletions(-)
>
> diff --git a/Documentation/admin-guide/LSM/Hornet.rst b/Documentation/admin-guide/LSM/Hornet.rst
> index 0ade4c17374c6..a369bc11408f4 100644
> --- a/Documentation/admin-guide/LSM/Hornet.rst
> +++ b/Documentation/admin-guide/LSM/Hornet.rst
> @@ -86,15 +86,14 @@ Hornet protects against the following threats:
>
> - **Tampering with map data**: When map hashes are included in the
> signature, Hornet verifies that frozen BPF maps match their expected
> - SHA-256 hashes at load time. Maps are also re-verified before program
> - execution via ``BPF_PROG_RUN``.
> + SHA-256 hashes at load time after the program is publically exposed.
>
> Hornet does **not** protect against:
>
> - Compromise of the signing key itself.
> - Attacks that occur after a program has been loaded and verified.
> - Programs loaded by the kernel itself (kernel-internal loads bypass
> - the ``BPF_PROG_RUN`` map check).
> + the map check).
>
> Known Limitations
> =================
> @@ -117,6 +116,10 @@ Known Limitations
> data. It does not guarantee positional binding of maps to specific
> fd_array slots.
>
> +- Map hash verification does not enforce any ordering. It simply asserts
> + that the set of map hashes requested to be verified exist in the used
> + array.
> +
> - BPF_MAP_TYPE_PROG_ARRAY maps must be frozen for Hornet to verify
> them. Unfrozen prog array maps are not covered by verification.
>
> @@ -159,24 +162,19 @@ The following describes what happens when a userspace program calls
> 5. Hornet extracts the authenticated attribute identified by
> ``OID_hornet_data`` (OID ``2.25.316487325684022475439036912669789383960``)
> from the PKCS#7 message. This attribute contains an ASN.1-encoded set
> - of map index/hash pairs.
> + of map hash hashes
>
> -6. For each map hash entry, Hornet retrieves the corresponding BPF map
> - via its file descriptor, confirms it is frozen, computes its SHA-256
> - hash, and compares it against the signed hash.
> +6. For each map hash entry, Hornet retrieves stores the target map hash in
> + the program's LSM blob.
>
> 7. The resulting integrity verdict is passed to the
> ``bpf_prog_load_post_integrity`` hook so that downstream LSMs can
> enforce policy.
>
> -Runtime Map Verification
> -------------------------
> -
> -When ``bpf(BPF_PROG_RUN, ...)`` is called from userspace, Hornet
> -re-verifies the hashes of all maps associated with the program. This
> -ensures that map contents have not been modified between program load
> -and execution. If any map hash no longer matches, the ``BPF_PROG_RUN``
> -command is denied.
> +8. After the verifier processes the program, once it's ready to be published,
> + Hornet intercepts the ``bpf_prog`` hook, and verifies that the set of
> + required hashes exist in the programs used maps. If the map hashes are
> + unable to be found, the command is denied.
>
> Userspace Interface
> -------------------
> @@ -199,14 +197,10 @@ the following ASN.1 schema::
> HornetData ::= SET OF Map
>
> Map ::= SEQUENCE {
> - index INTEGER,
> sha OCTET STRING
> }
>
> -Each ``Map`` entry contains the index of the map in the program's
> -``fd_array`` and its expected SHA-256 hash. A zero-length ``sha`` field
> -indicates that the map at that index should be skipped during
> -verification.
> +Each ``Map`` entry contains an expected SHA-256 hash.
>
> Tooling
> =======
> @@ -229,7 +223,7 @@ Usage::
> --key <signer.key> \
> [--pass <passphrase>] \
> --out <signature.p7b> \
> - [--add <mapfile.bin>:<index> ...]
> + [--add <mapfile.bin> ...]
>
> ``--data``
> Path to the binary file containing eBPF program instructions to sign.
> @@ -248,8 +242,7 @@ Usage::
>
> ``--add``
> Attach a map hash as a signed attribute. The argument is a path to a
> - binary map file followed by a colon and the map's index in the
> - ``fd_array``. This option may be specified multiple times.
> + binary map file. This option may be specified multiple times.
>
> extract-skel.sh
> ---------------
> diff --git a/scripts/hornet/gen_sig.c b/scripts/hornet/gen_sig.c
> index 8dd9ed66346a2..b4f983ab24bcd 100644
> --- a/scripts/hornet/gen_sig.c
> +++ b/scripts/hornet/gen_sig.c
> @@ -55,7 +55,6 @@
>
> struct hash_spec {
> char *file;
> - int index;
> };
>
> typedef struct {
> @@ -66,7 +65,6 @@ typedef struct {
>
> DECLARE_ASN1_FUNCTIONS(HORNET_MAP)
> ASN1_SEQUENCE(HORNET_MAP) = {
> - ASN1_SIMPLE(HORNET_MAP, index, ASN1_INTEGER),
> ASN1_SIMPLE(HORNET_MAP, hash, ASN1_OCTET_STRING)
> } ASN1_SEQUENCE_END(HORNET_MAP);
>
> @@ -253,12 +251,11 @@ static int sha256(const char *path, unsigned char out[SHA256_LEN], unsigned int
> return rc;
> }
>
> -static void add_hash(MAP_SET *set, unsigned char *buffer, int buffer_len, int index)
> +static void add_hash(MAP_SET *set, unsigned char *buffer, int buffer_len)
> {
> HORNET_MAP *map = NULL;
>
> map = HORNET_MAP_new();
> - ASN1_INTEGER_set(map->index, index);
> ASN1_OCTET_STRING_set(map->hash, buffer, buffer_len);
> sk_HORNET_MAP_push(set->maps, map);
> }
> @@ -320,14 +317,8 @@ int main(int argc, char **argv)
> data_path = optarg;
> break;
> case 'A':
> - if (strchr(optarg, ':')) {
> - hashes[hash_count].file = strsep(&optarg, ":");
> - hashes[hash_count].index = atoi(optarg);
> - if (++hash_count >= MAX_HASHES) {
> - usage(argv[0]);
> - return EXIT_FAILURE;
> - }
> - } else {
> + hashes[hash_count].file = optarg;
> + if (++hash_count >= MAX_HASHES) {
> usage(argv[0]);
> return EXIT_FAILURE;
> }
> @@ -371,7 +362,7 @@ int main(int argc, char **argv)
> if (sha256(hashes[i].file, hash_buffer, &hash_len) != 0) {
> DIE("failed to hash input");
> }
> - add_hash(set, hash_buffer, hash_len, hashes[i].index);
> + add_hash(set, hash_buffer, hash_len);
> }
>
> oid = OBJ_txt2obj("2.25.316487325684022475439036912669789383960", 1);
> diff --git a/security/hornet/hornet.asn1 b/security/hornet/hornet.asn1
> index e60abf451ae23..3cf50379f5e7c 100644
> --- a/security/hornet/hornet.asn1
> +++ b/security/hornet/hornet.asn1
> @@ -7,6 +7,5 @@
> HornetData ::= SET OF Map
>
> Map ::= SEQUENCE {
> - index INTEGER ({ hornet_map_index }),
> sha OCTET STRING ({ hornet_map_hash })
> } ({ hornet_next_map })
> diff --git a/security/hornet/hornet_lsm.c b/security/hornet/hornet_lsm.c
> index a4d11fa5b0889..516038413f321 100644
> --- a/security/hornet/hornet_lsm.c
> +++ b/security/hornet/hornet_lsm.c
> @@ -21,26 +21,18 @@
>
> #define MAX_USED_MAPS 64
>
> -struct hornet_maps {
> - bpfptr_t fd_array;
> -};
> -
> /* The only hashing algorithm available is SHA256 due to it be hardcoded
> * in the bpf subsystem.
> */
> -
> -struct hornet_parse_context {
> - int indexes[MAX_USED_MAPS];
> - bool skips[MAX_USED_MAPS];
> - unsigned char hashes[SHA256_DIGEST_SIZE * MAX_USED_MAPS];
> - int hash_count;
> -};
> -
> struct hornet_prog_security_struct {
> int signed_hash_count;
> unsigned char signed_hashes[SHA256_DIGEST_SIZE * MAX_USED_MAPS];
> };
>
> +struct hornet_parse_context {
> + struct hornet_prog_security_struct *security;
> +};
> +
> struct lsm_blob_sizes hornet_blob_sizes __ro_after_init = {
> .lbs_bpf_prog = sizeof(struct hornet_prog_security_struct),
> };
> @@ -51,79 +43,17 @@ hornet_bpf_prog_security(struct bpf_prog *prog)
> return prog->aux->security + hornet_blob_sizes.lbs_bpf_prog;
> }
>
> -static int hornet_verify_hashes(struct hornet_maps *maps,
> - struct hornet_parse_context *ctx,
> - struct bpf_prog *prog)
> -{
> - int map_fd;
> - u32 i;
> - struct bpf_map *map;
> - int err = 0;
> - unsigned char hash[SHA256_DIGEST_SIZE];
> - struct hornet_prog_security_struct *security = hornet_bpf_prog_security(prog);
> -
> - for (i = 0; i < ctx->hash_count; i++) {
> - if (ctx->skips[i])
> - continue;
> -
> - err = copy_from_bpfptr_offset(&map_fd, maps->fd_array,
> - ctx->indexes[i] * sizeof(map_fd),
> - sizeof(map_fd));
> - if (err != 0)
> - return LSM_INT_VERDICT_FAULT;
It seems this verdict is no longer used.
> -
> - CLASS(fd, f)(map_fd);
> - if (fd_empty(f))
> - return LSM_INT_VERDICT_FAULT;
> - if (unlikely(fd_file(f)->f_op != &bpf_map_fops))
> - return LSM_INT_VERDICT_FAULT;
> -
> - map = fd_file(f)->private_data;
> - if (!READ_ONCE(map->frozen))
> - return LSM_INT_VERDICT_FAULT;
> -
> - if (!map->ops->map_get_hash)
> - return LSM_INT_VERDICT_FAULT;
> -
> - if (map->ops->map_get_hash(map, SHA256_DIGEST_SIZE, hash))
> - return LSM_INT_VERDICT_FAULT;
> -
> - err = memcmp(hash, &ctx->hashes[i * SHA256_DIGEST_SIZE],
> - SHA256_DIGEST_SIZE);
> - if (err)
> - return LSM_INT_VERDICT_UNEXPECTED;
similar above, they should be removed for the header and for the ipe policy.
-Fan
> -
> - memcpy(&security->signed_hashes[security->signed_hash_count * SHA256_DIGEST_SIZE],
> - &ctx->hashes[i * SHA256_DIGEST_SIZE], SHA256_DIGEST_SIZE);
> - security->signed_hash_count++;
> - }
> - return LSM_INT_VERDICT_OK;
> -}
> -
> int hornet_next_map(void *context, size_t hdrlen,
> unsigned char tag,
> const void *value, size_t vlen)
> {
> struct hornet_parse_context *ctx = (struct hornet_parse_context *)context;
>
> - if (++ctx->hash_count >= MAX_USED_MAPS)
> + if (++ctx->security->signed_hash_count >= MAX_USED_MAPS)
> return -EINVAL;
> return 0;
> }
>
> -int hornet_map_index(void *context, size_t hdrlen,
> - unsigned char tag,
> - const void *value, size_t vlen)
> -{
> - struct hornet_parse_context *ctx = (struct hornet_parse_context *)context;
> -
> - if (vlen != 1)
> - return -EINVAL;
> -
> - ctx->indexes[ctx->hash_count] = *(u8 *)value;
> - return 0;
> -}
> -
> int hornet_map_hash(void *context, size_t hdrlen,
> unsigned char tag,
> const void *value, size_t vlen)
> @@ -134,11 +64,8 @@ int hornet_map_hash(void *context, size_t hdrlen,
> if (vlen != SHA256_DIGEST_SIZE && vlen != 0)
> return -EINVAL;
>
> - if (vlen) {
> - ctx->skips[ctx->hash_count] = false;
> - memcpy(&ctx->hashes[ctx->hash_count * SHA256_DIGEST_SIZE], value, vlen);
> - } else
> - ctx->skips[ctx->hash_count] = true;
> + memcpy(&ctx->security->signed_hashes[ctx->security->signed_hash_count * SHA256_DIGEST_SIZE],
> + value, vlen);
>
> return 0;
> }
> @@ -147,7 +74,6 @@ static int hornet_check_program(struct bpf_prog *prog, union bpf_attr *attr,
> struct bpf_token *token, bool is_kernel,
> enum lsm_integrity_verdict *verdict)
> {
> - struct hornet_maps maps = {0};
> bpfptr_t usig = make_bpfptr(attr->signature, is_kernel);
> struct pkcs7_message *msg;
> struct hornet_parse_context *ctx;
> @@ -172,7 +98,8 @@ static int hornet_check_program(struct bpf_prog *prog, union bpf_attr *attr,
> if (!ctx)
> return -ENOMEM;
>
> - maps.fd_array = make_bpfptr(attr->fd_array, is_kernel);
> + ctx->security = hornet_bpf_prog_security(prog);
> +
> sig = kzalloc(attr->signature_size, GFP_KERNEL);
> if (!sig) {
> err = -ENOMEM;
> @@ -225,7 +152,7 @@ static int hornet_check_program(struct bpf_prog *prog, union bpf_attr *attr,
> goto cleanup_msg;
> }
>
> - *verdict = hornet_verify_hashes(&maps, ctx, prog);
> + *verdict = LSM_INT_VERDICT_OK;
> err = 0;
>
> cleanup_msg:
> @@ -257,10 +184,8 @@ static int hornet_bpf_prog_load_integrity(struct bpf_prog *prog, union bpf_attr
> &hornet_lsmid, verdict);
> }
>
> -static int hornet_check_prog_maps(u32 ufd)
> +static int hornet_check_prog_maps(struct bpf_prog *prog)
> {
> - CLASS(fd, f)(ufd);
> - struct bpf_prog *prog;
> struct hornet_prog_security_struct *security;
> unsigned char hash[SHA256_DIGEST_SIZE];
> struct bpf_map *map;
> @@ -268,12 +193,6 @@ static int hornet_check_prog_maps(u32 ufd)
> bool found;
> int covered_count = 0;
>
> - if (fd_empty(f))
> - return -EBADF;
> - if (fd_file(f)->f_op != &bpf_prog_fops)
> - return -EINVAL;
> -
> - prog = fd_file(f)->private_data;
> security = hornet_bpf_prog_security(prog);
>
> if (!security->signed_hash_count)
> @@ -316,26 +235,14 @@ static int hornet_check_prog_maps(u32 ufd)
> return 0;
> }
>
> -static int hornet_bpf(int cmd, union bpf_attr *attr, unsigned int size, bool kernel)
> +static int hornet_bpf_prog(struct bpf_prog *prog)
> {
> - /* in horent_bpf(), anything that had originated from kernel space we assume
> - * has already been checked, in some form or another, so we don't bother
> - * checking the intergity of any maps. In hornet_bpf_prog_load_integrity(),
> - * hornet doesn't make any opinion on that and delegates that to the downstream
> - * policy enforcement.
> - */
> -
> - if (cmd != BPF_PROG_RUN)
> - return 0;
> - if (kernel)
> - return 0;
> -
> - return hornet_check_prog_maps(attr->test.prog_fd);
> + return hornet_check_prog_maps(prog);
> }
>
> static struct security_hook_list hornet_hooks[] __ro_after_init = {
> LSM_HOOK_INIT(bpf_prog_load_integrity, hornet_bpf_prog_load_integrity),
> - LSM_HOOK_INIT(bpf, hornet_bpf),
> + LSM_HOOK_INIT(bpf_prog, hornet_bpf_prog),
> };
>
> static int __init hornet_init(void)
> diff --git a/tools/testing/selftests/hornet/Makefile b/tools/testing/selftests/hornet/Makefile
> index 432bce59f54e7..316364f95f28c 100644
> --- a/tools/testing/selftests/hornet/Makefile
> +++ b/tools/testing/selftests/hornet/Makefile
> @@ -51,7 +51,7 @@ $(OUTPUT)/gen_sig: ../../../../scripts/hornet/gen_sig.c
>
> sig.bin: insn.bin map.bin $(OUTPUT)/gen_sig
> $(OUTPUT)/gen_sig --key $(CERTDIR)/signing_key.pem --cert $(CERTDIR)/signing_key.x509 \
> - --data insn.bin --add map.bin:0 --out sig.bin
> + --data insn.bin --add map.bin --out sig.bin
>
> signed_loader.h: sig.bin
> $(SCRIPTSDIR)/write-sig.sh loader.h sig.bin > $@
> --
> 2.53.0
>
^ permalink raw reply
* Re: [PATCH] KEYS: Use acquire when reading state in keyring search
From: Jarkko Sakkinen @ 2026-05-30 1:02 UTC (permalink / raw)
To: Gui-Dong Han, dhowells
Cc: keyrings, dhowells, ebiggers, linux-security-module, linux-kernel,
baijiaju1990
In-Reply-To: <20260529033406.20673-1-hanguidong02@gmail.com>
On Fri, May 29, 2026 at 11:34:06AM +0800, Gui-Dong Han wrote:
> The negative-key race fix added release/acquire ordering for key use.
>
> Publish payload before state; read state before payload.
>
> keyring_search_iterator() still uses READ_ONCE() before match callbacks.
> An asymmetric match callback calls asymmetric_key_ids(), which reads
> key->payload.data[asym_key_ids].
>
> Use key_read_state() there to complete that ordering.
OK, so... I'm having a bit trouble understanding the exact concurrency
scenario you're trying to describe despite I think I get the fix itself
i.e. it is not pairing with mark_key_instantiated?
I'm a bit puzzled too why this was not done already in the original
commit despite introducing all the primitives.
>
> Fixes: 363b02dab09b ("KEYS: Fix race between updating and finding a negative key")
> Signed-off-by: Gui-Dong Han <hanguidong02@gmail.com>
> ---
> Found by auditing READ_ONCE() used for synchronization.
> A similar fix can be found in 8df672bfe3ec.
> ---
> security/keys/keyring.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/security/keys/keyring.c b/security/keys/keyring.c
> index b39038f7dd31..243fb1636f10 100644
> --- a/security/keys/keyring.c
> +++ b/security/keys/keyring.c
> @@ -576,7 +576,7 @@ static int keyring_search_iterator(const void *object, void *iterator_data)
> struct keyring_search_context *ctx = iterator_data;
> const struct key *key = keyring_ptr_to_key(object);
> unsigned long kflags = READ_ONCE(key->flags);
> - short state = READ_ONCE(key->state);
> + short state = key_read_state(key);
>
> kenter("{%d}", key->serial);
>
> --
> 2.34.1
>
BR, Jarkko
^ permalink raw reply
* Re: [PATCH 02/11] hornet: invert map set check logic
From: Fan Wu @ 2026-05-30 0:57 UTC (permalink / raw)
To: Blaise Boscaccy
Cc: Jonathan Corbet, Shuah Khan, Paul Moore, James Morris,
Serge E. Hallyn, Eric Biggers, Fan Wu, James.Bottomley,
linux-security-module
In-Reply-To: <20260528030915.2654994-3-bboscaccy@linux.microsoft.com>
On Wed, May 27, 2026 at 8:09 PM Blaise Boscaccy
<bboscaccy@linux.microsoft.com> wrote:
>
> In a multi-map hash verification scenario, a logic bug may have
> allowed an attacker to provide duplicate maps to satisfy the hash
> check count. Instead, invert the logic to verify each map discretely
>
> Signed-off-by: Blaise Boscaccy <bboscaccy@linux.microsoft.com>
> ---
I just realized there is no audit event if hornet_check_prog_maps()
fails, probably should add one.
-Fan
^ permalink raw reply
* Re: security_task_prctl: why -ENOSYS
From: Serge E. Hallyn @ 2026-05-29 22:58 UTC (permalink / raw)
To: William Roberts; +Cc: Casey Schaufler, LSM, SElinux list
In-Reply-To: <CAFftDdqvvqrbm=+XsDdkJHdm12jxK9799_A=Txz6Q5goYC2ALQ@mail.gmail.com>
On Wed, May 27, 2026 at 11:05:56AM -0500, William Roberts wrote:
> On Tue, May 26, 2026 at 6:42 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
> >
> > On 5/26/2026 4:21 PM, William Roberts wrote:
> > > On Tue, May 26, 2026 at 5:39 PM William Roberts
> > > <bill.c.roberts@gmail.com> wrote:
> > >> Hello,
> > >>
> > >> I am trying to understand the motivation behind having
> > >> security_task_prctl only continue if the return value is -ENOSYS. This
> > >> seems to be very different from other LSM hooks I have investigated.
> > >> For example, in other hooks, the value from SE Linux avc_has_perms is
> > >> used directly. This essentially means that a 0 will cause the check to
> > >> pass, and anything < 0 usually an error.
> > >>
> > >> In commit:
> > >> ----
> > >> commit d84f4f992cbd76e8f39c488cf0c5d123843923b1 ("CRED: Inaugurate COW
> > >> credentials")
> > >>
> > >> (8) security_task_prctl() and cap_task_prctl().
> > >>
> > >> security_task_prctl() has been modified to return -ENOSYS if it doesn't
> > >> want to handle a function, or otherwise return the return
> > >> value directly
> > >> rather than through an argument.
> > >>
> > >> Additionally, cap_task_prctl() now prepares a new set of
> > >> credentials, even
> > >> if it doesn't end up using it.
> > >> ----
> > >>
> > >> The check in kernel/sys.c is currently:
> > >> error = security_task_prctl(option, arg2, arg3, arg4, arg5);
> > >> if (error != -ENOSYS)
> > >> return error;
> > >>
> > >> Should this be something like, "error && error != -ENOSYS"?
> > >>
> > >> I ask because I am looking to leverage this hook in SE Linux, and it's
> > >> annoying to have to coerce all 0 returns to -ENOSYS.
> > > Of course after hours of banging my head and one email sent, it's more clear to
> > > me now WHY. This hook isn't meant for making yes or no decisions on an operation
> > > but rather to also handle special prctl flags for an LSM in question.
> > >
> > > I guess with the said, do we want this interface to be used for both
> > > a, let the lsm handle
> > > this prctl flag directed to me, as well as a yes/no security decision
> > > or do we want to split
> > > this out into two hooks?
> >
> > The task_prctl hook is used in capability and yama. It is only used to
> > provide a place to process LSM specific prctl options. It is not used to
> > make security decisions outside of processing the LSM's options. If you
> > want to make security decisions on general prctl options you will need
> > a new hook.
>
> Yeah I finally saw that after I sent the email, as always :-p, but thanks
> Casey for confirming my understanding.
>
> So now for naming... We have security_task_prctl for handling random
> prctl interface calls into LSMs. So what should this hook be called?
> Perhaps security_task_prctl_check? Should we rename the old hook to
How about security_task_prctl_allowed()? (Mirroring security_uring_*)
Renaming the existing hook security_task_prctl_handle() also wouldn't
be too bad, but that's probably more churn than it's worth.
> something else?
>
> For now, I will just pick a name, but suggestions are welcome.
>
> As an aside, any lore as to why go through generic prctl vs an
> LSM specific filesystem or an lsm specific prctl (we already
> have arch_prctl why not lsm_prctl)?
>
>
>
>
>
> >
> > >
> > >> Thanks,
> > >> Bill
^ permalink raw reply
* Re: [PATCH] keys: Pin request_key_auth payload in instantiate paths
From: Jarkko Sakkinen @ 2026-05-29 22:53 UTC (permalink / raw)
To: Shaomin Chen, David Howells
Cc: keyrings, linux-security-module, linux-kernel, David Howells,
Paul Moore, James Morris, Serge E. Hallyn
In-Reply-To: <20260526024838.3368409-1-eeesssooo020@gmail.com>
On Tue, May 26, 2026 at 10:48:38AM +0800, Shaomin Chen wrote:
> keyctl_instantiate_key_common() reads request_key_auth from the assumed
> auth key before copying an instantiation payload from userspace. The copy
> can fault and sleep. If the request completes and revokes the auth key in
> that window, the auth payload can be detached and freed before the
> instantiate path uses it again.
>
> A request-key helper reproducer can trigger this race. One helper child
> blocks in KEYCTL_INSTANTIATE_IOV while the original helper instantiates the
> requested key and returns. KASAN then reports a use-after-free from the
> stale request_key_auth payload in keyctl_instantiate_key_common().
>
> Give request_key_auth payloads a refcount. Take a payload reference while
> authkey->sem stabilizes the payload and revocation state. Hold that
> reference across the instantiate and reject paths. Drop the auth key
> owning reference from revoke and destroy.
>
> Reported-by: Shaomin Chen <eeesssooo020@gmail.com>
> Closes: https://lore.kernel.org/r/20260519144403.436694-1-eeesssooo020@gmail.com
> Signed-off-by: Shaomin Chen <eeesssooo020@gmail.com>
> ---
> include/keys/request_key_auth-type.h | 2 ++
> security/keys/internal.h | 2 ++
> security/keys/keyctl.c | 24 +++++++++++++++-----
> security/keys/request_key_auth.c | 33 ++++++++++++++++++++++++++--
> 4 files changed, 53 insertions(+), 8 deletions(-)
>
> diff --git a/include/keys/request_key_auth-type.h b/include/keys/request_key_auth-type.h
> index 36b89a933310..01e42ee5f409 100644
> --- a/include/keys/request_key_auth-type.h
> +++ b/include/keys/request_key_auth-type.h
> @@ -9,12 +9,14 @@
> #define _KEYS_REQUEST_KEY_AUTH_TYPE_H
>
> #include <linux/key.h>
> +#include <linux/refcount.h>
>
> /*
> * Authorisation record for request_key().
> */
> struct request_key_auth {
> struct rcu_head rcu;
> + refcount_t usage;
> struct key *target_key;
> struct key *dest_keyring;
> const struct cred *cred;
> diff --git a/security/keys/internal.h b/security/keys/internal.h
> index 2cffa6dc8255..b7b622bc36a1 100644
> --- a/security/keys/internal.h
> +++ b/security/keys/internal.h
> @@ -208,6 +208,8 @@ extern struct key *request_key_auth_new(struct key *target,
> const void *callout_info,
> size_t callout_len,
> struct key *dest_keyring);
> +struct request_key_auth *request_key_auth_get(struct key *authkey);
> +void request_key_auth_put(struct request_key_auth *rka);
>
> extern struct key *key_get_instantiation_authkey(key_serial_t target_id);
>
> diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
> index ef855d69c97a..d14ace88e529 100644
> --- a/security/keys/keyctl.c
> +++ b/security/keys/keyctl.c
> @@ -1197,9 +1197,13 @@ static long keyctl_instantiate_key_common(key_serial_t id,
> if (!instkey)
> goto error;
>
> - rka = instkey->payload.data[0];
> - if (rka->target_key->serial != id)
> + rka = request_key_auth_get(instkey);
> + if (!rka) {
> + ret = -EKEYREVOKED;
> goto error;
> + }
> + if (rka->target_key->serial != id)
> + goto error_put_rka;
>
> /* pull the payload in if one was supplied */
> payload = NULL;
> @@ -1208,7 +1212,7 @@ static long keyctl_instantiate_key_common(key_serial_t id,
> ret = -ENOMEM;
> payload = kvmalloc(plen, GFP_KERNEL);
> if (!payload)
> - goto error;
> + goto error_put_rka;
>
> ret = -EFAULT;
> if (!copy_from_iter_full(payload, plen, from))
> @@ -1234,6 +1238,8 @@ static long keyctl_instantiate_key_common(key_serial_t id,
>
> error2:
> kvfree_sensitive(payload, plen);
> +error_put_rka:
> + request_key_auth_put(rka);
> error:
> return ret;
> }
> @@ -1358,15 +1364,19 @@ long keyctl_reject_key(key_serial_t id, unsigned timeout, unsigned error,
> if (!instkey)
> goto error;
>
> - rka = instkey->payload.data[0];
> - if (rka->target_key->serial != id)
> + rka = request_key_auth_get(instkey);
> + if (!rka) {
> + ret = -EKEYREVOKED;
> goto error;
> + }
> + if (rka->target_key->serial != id)
> + goto error_put_rka;
>
> /* find the destination keyring if present (which must also be
> * writable) */
> ret = get_instantiation_keyring(ringid, rka, &dest_keyring);
> if (ret < 0)
> - goto error;
> + goto error_put_rka;
>
> /* instantiate the key and link it into a keyring */
> ret = key_reject_and_link(rka->target_key, timeout, error,
> @@ -1379,6 +1389,8 @@ long keyctl_reject_key(key_serial_t id, unsigned timeout, unsigned error,
> if (ret == 0)
> keyctl_change_reqkey_auth(NULL);
>
> +error_put_rka:
> + request_key_auth_put(rka);
> error:
> return ret;
> }
> diff --git a/security/keys/request_key_auth.c b/security/keys/request_key_auth.c
> index a7d7538c1f70..282e09d8fa46 100644
> --- a/security/keys/request_key_auth.c
> +++ b/security/keys/request_key_auth.c
> @@ -23,6 +23,7 @@ static void request_key_auth_describe(const struct key *, struct seq_file *);
> static void request_key_auth_revoke(struct key *);
> static void request_key_auth_destroy(struct key *);
> static long request_key_auth_read(const struct key *, char *, size_t);
> +static void request_key_auth_rcu_disposal(struct rcu_head *);
>
> /*
> * The request-key authorisation key type definition.
> @@ -115,6 +116,31 @@ static void free_request_key_auth(struct request_key_auth *rka)
> kfree(rka);
> }
>
> +/*
> + * Take a reference to the request-key authorisation payload so callers can
> + * drop authkey->sem before doing operations that may sleep.
> + */
> +struct request_key_auth *request_key_auth_get(struct key *authkey)
> +{
> + struct request_key_auth *rka;
> +
> + down_read(&authkey->sem);
> + rka = dereference_key_locked(authkey);
> + if (rka && !test_bit(KEY_FLAG_REVOKED, &authkey->flags))
> + refcount_inc(&rka->usage);
> + else
> + rka = NULL;
> + up_read(&authkey->sem);
> +
> + return rka;
> +}
> +
> +void request_key_auth_put(struct request_key_auth *rka)
> +{
> + if (rka && refcount_dec_and_test(&rka->usage))
> + call_rcu(&rka->rcu, request_key_auth_rcu_disposal);
> +}
> +
> /*
> * Dispose of the request_key_auth record under RCU conditions
> */
> @@ -136,8 +162,10 @@ static void request_key_auth_revoke(struct key *key)
> struct request_key_auth *rka = dereference_key_locked(key);
>
> kenter("{%d}", key->serial);
> + if (!rka)
> + return;
> rcu_assign_keypointer(key, NULL);
> - call_rcu(&rka->rcu, request_key_auth_rcu_disposal);
> + request_key_auth_put(rka);
> }
>
> /*
> @@ -150,7 +178,7 @@ static void request_key_auth_destroy(struct key *key)
> kenter("{%d}", key->serial);
> if (rka) {
> rcu_assign_keypointer(key, NULL);
> - call_rcu(&rka->rcu, request_key_auth_rcu_disposal);
> + request_key_auth_put(rka);
> }
> }
>
> @@ -174,6 +202,7 @@ struct key *request_key_auth_new(struct key *target, const char *op,
> rka = kzalloc_obj(*rka);
> if (!rka)
> goto error;
> + refcount_set(&rka->usage, 1);
> rka->callout_info = kmemdup(callout_info, callout_len, GFP_KERNEL);
> if (!rka->callout_info)
> goto error_free_rka;
> --
> 2.47.3
I get the approach and for it makes sense but I'd really like to hear
David's feedback on this before moving forward.
In the meanwhile, were you able to do a script or similar as a
reproducer?
BR, Jarkko
^ permalink raw reply
* Re: [PATCH v4 3/3] tpm: tpm_crb_ffa: revert defered_probed when tpm_crb_ffa is built-in
From: Jarkko Sakkinen @ 2026-05-29 22:46 UTC (permalink / raw)
To: Yeoreum Yun
Cc: linux-security-module, linux-kernel, linux-integrity, paul, zohar,
roberto.sassu, noodles, sudeep.holla, jmorris, serge,
dmitry.kasatkin, eric.snowberg, jgg
In-Reply-To: <20260525075404.3480282-4-yeoreum.yun@arm.com>
On Mon, May 25, 2026 at 08:54:04AM +0100, Yeoreum Yun wrote:
> commit 746d9e9f62a6 ("tpm: tpm_crb_ffa: try to probe tpm_crb_ffa when it's build_in")
> probe tpm_crb_ffa forcefully when it's built-in to integrate with IMA.
>
> However, IMA now provides the IMA_INIT_LATE_SYNC build option, which
> initialises IMA at the late_initcall_sync level, so this change is no
> longer required.
>
> Signed-off-by: Yeoreum Yun <yeoreum.yun@arm.com>
> ---
> drivers/char/tpm/tpm_crb_ffa.c | 18 +++---------------
> 1 file changed, 3 insertions(+), 15 deletions(-)
>
> diff --git a/drivers/char/tpm/tpm_crb_ffa.c b/drivers/char/tpm/tpm_crb_ffa.c
> index 99f1c1e5644b..025c4d4b17ca 100644
> --- a/drivers/char/tpm/tpm_crb_ffa.c
> +++ b/drivers/char/tpm/tpm_crb_ffa.c
> @@ -177,23 +177,13 @@ static int tpm_crb_ffa_to_linux_errno(int errno)
> */
> int tpm_crb_ffa_init(void)
> {
> - int ret = 0;
> -
> - if (!IS_MODULE(CONFIG_TCG_ARM_CRB_FFA)) {
> - ret = ffa_register(&tpm_crb_ffa_driver);
> - if (ret) {
> - tpm_crb_ffa = ERR_PTR(-ENODEV);
> - return ret;
> - }
> - }
> -
> if (!tpm_crb_ffa)
> - ret = -ENOENT;
> + return -ENOENT;
>
> if (IS_ERR_VALUE(tpm_crb_ffa))
> - ret = -ENODEV;
> + return -ENODEV;
>
> - return ret;
> + return 0;
> }
> EXPORT_SYMBOL_GPL(tpm_crb_ffa_init);
>
> @@ -405,9 +395,7 @@ static struct ffa_driver tpm_crb_ffa_driver = {
> .id_table = tpm_crb_ffa_device_id,
> };
>
> -#ifdef MODULE
> module_ffa_driver(tpm_crb_ffa_driver);
> -#endif
>
> MODULE_AUTHOR("Arm");
> MODULE_DESCRIPTION("TPM CRB FFA driver");
> --
> LEVI:{C3F47F37-75D8-414A-A8BA-3980EC8A46D7}
>
How we would sync up this patch? Through which tree etc.
BR, Jarkko
^ permalink raw reply
* Re: [PATCH] tpm-buf: memory-safe allocations
From: Jarkko Sakkinen @ 2026-05-29 22:37 UTC (permalink / raw)
To: Srish Srinivasan
Cc: linux-integrity, Jarkko Sakkinen, Arun Menon, Daniel P. Smith,
Alec Brown, Ross Philipson, Stefan Berger, Peter Huewe,
Jason Gunthorpe, James Bottomley, Mimi Zohar, David Howells,
Paul Moore, James Morris, Serge E. Hallyn, linux-kernel, keyrings,
linux-security-module
In-Reply-To: <b4e26e4c-d62d-4551-bbdd-b4409316c4a9@linux.ibm.com>
On Mon, May 25, 2026 at 07:16:03PM +0530, Srish Srinivasan wrote:
> Tested on emulated TPM 1.2 and TPM 2.0 backends.
>
> Coverage:
> TPM 1.2: sysfs and trusted-key paths
> TPM 2.0: PCR, random, and trusted-key paths
>
> Tested-by: Srish Srinivasan <ssrish@linux.ibm.com>
>
> On 5/22/26 7:05 AM, Jarkko Sakkinen wrote:
> > From: Jarkko Sakkinen <jarkko.sakkinen@opinsys.com>
> >
> > Decouple kzalloc from buffer creation, so that a managed allocation can be
> > used:
> >
> > struct tpm_buf *buf __free(kfree) buf = kzalloc(TPM_BUFSIZE,
> > GFP_KERNEL);
> > if (!buf)
> > return -ENOMEM;
> >
> > tpm_buf_init(buf, TPM_BUFSIZE);
> >
> > Alternatively, stack allocations are also possible:
> >
> > u8 buf_data[512];
> > struct tpm_buf *buf = (struct tpm_buf *)buf_data;
> > tpm_buf_init(buf, sizeof(buf_data));
> >
> > This is achieved by embedding buffer's header inside the allocated blob,
> > instead of having an outer wrapper.
> >
> > Cc: Arun Menon <armenon@redhat.com>
> > Cc: Daniel P. Smith <dpsmith@apertussolutions.com>
> > Cc: Alec Brown <alec.r.brown@oracle.com>
> > Cc: Ross Philipson <ross.philipson@gmail.com>
> > Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
> > Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@opinsys.com>
> > ---
> > Rebased the managed allocations patch, which has been probably like a
> > year in circulation.
> > drivers/char/tpm/tpm-buf.c | 122 ++++++----
> > drivers/char/tpm/tpm-sysfs.c | 17 +-
> > drivers/char/tpm/tpm.h | 1 -
> > drivers/char/tpm/tpm1-cmd.c | 150 ++++++------
> > drivers/char/tpm/tpm2-cmd.c | 277 +++++++++++-----------
> > drivers/char/tpm/tpm2-sessions.c | 149 ++++++------
> > drivers/char/tpm/tpm2-space.c | 44 ++--
> > drivers/char/tpm/tpm_vtpm_proxy.c | 30 +--
> > include/linux/tpm.h | 18 +-
> > security/keys/trusted-keys/trusted_tpm1.c | 44 ++--
> > security/keys/trusted-keys/trusted_tpm2.c | 165 ++++++-------
> > 11 files changed, 505 insertions(+), 512 deletions(-)
> >
> > diff --git a/drivers/char/tpm/tpm-buf.c b/drivers/char/tpm/tpm-buf.c
> > index dc882fc9fa9e..b16d824ef0af 100644
> > --- a/drivers/char/tpm/tpm-buf.c
> > +++ b/drivers/char/tpm/tpm-buf.c
> > @@ -7,82 +7,110 @@
> > #include <linux/module.h>
> > #include <linux/tpm.h>
> >
> > -/**
> > - * tpm_buf_init() - Allocate and initialize a TPM command
> > - * @buf: A &tpm_buf
> > - * @tag: TPM_TAG_RQU_COMMAND, TPM2_ST_NO_SESSIONS or TPM2_ST_SESSIONS
> > - * @ordinal: A command ordinal
> > - *
> > - * Return: 0 or -ENOMEM
> > - */
> > -int tpm_buf_init(struct tpm_buf *buf, u16 tag, u32 ordinal)
> > +static void __tpm_buf_size_invariant(struct tpm_buf *buf, u16 buf_size)
> > {
> > - buf->data = (u8 *)__get_free_page(GFP_KERNEL);
> > - if (!buf->data)
> > - return -ENOMEM;
> > -
> > - tpm_buf_reset(buf, tag, ordinal);
> > - return 0;
> > + u32 buf_size_2 = (u32)buf->capacity + (u32)sizeof(*buf);
> > +
> > + if (!buf->capacity) {
> > + if (buf_size > TPM_BUFSIZE) {
> > + WARN(1, "%s: size overflow: %u\n", __func__, buf_size);
> > + buf->flags |= TPM_BUF_OVERFLOW;
> > + }
> > + } else {
> > + if (buf_size != buf_size_2) {
> > + WARN(1, "%s: size mismatch: %u != %u\n", __func__,
> > + buf_size, buf_size_2);
> > + buf->flags |= TPM_BUF_OVERFLOW;
> > + }
> > + }
> > }
> > -EXPORT_SYMBOL_GPL(tpm_buf_init);
> >
> > -/**
> > - * tpm_buf_reset() - Initialize a TPM command
> > - * @buf: A &tpm_buf
> > - * @tag: TPM_TAG_RQU_COMMAND, TPM2_ST_NO_SESSIONS or TPM2_ST_SESSIONS
> > - * @ordinal: A command ordinal
> > - */
> > -void tpm_buf_reset(struct tpm_buf *buf, u16 tag, u32 ordinal)
> > +static void __tpm_buf_reset(struct tpm_buf *buf, u16 buf_size, u16 tag,
> > + u32 ordinal)
> > {
> > struct tpm_header *head = (struct tpm_header *)buf->data;
> >
> > + __tpm_buf_size_invariant(buf, buf_size);
> > +
> > + if (buf->flags & TPM_BUF_OVERFLOW)
> > + return;
> > +
> > WARN_ON(tag != TPM_TAG_RQU_COMMAND && tag != TPM2_ST_NO_SESSIONS &&
> > tag != TPM2_ST_SESSIONS && tag != 0);
> >
> > buf->flags = 0;
> > buf->length = sizeof(*head);
> > + buf->capacity = buf_size - sizeof(*buf);
> > + buf->handles = 0;
> > head->tag = cpu_to_be16(tag);
> > head->length = cpu_to_be32(sizeof(*head));
> > head->ordinal = cpu_to_be32(ordinal);
> > +}
> > +
> > +static void __tpm_buf_reset_sized(struct tpm_buf *buf, u16 buf_size)
> > +{
> > + __tpm_buf_size_invariant(buf, buf_size);
> > +
> > + if (buf->flags & TPM_BUF_OVERFLOW)
> > + return;
> > +
> > + buf->flags = TPM_BUF_TPM2B;
> > + buf->length = 2;
> > + buf->capacity = buf_size - sizeof(*buf);
> > buf->handles = 0;
> > + buf->data[0] = 0;
> > + buf->data[1] = 0;
> > }
> > -EXPORT_SYMBOL_GPL(tpm_buf_reset);
> >
> > /**
> > - * tpm_buf_init_sized() - Allocate and initialize a sized (TPM2B) buffer
> > - * @buf: A @tpm_buf
> > - *
> > - * Return: 0 or -ENOMEM
> > + * tpm_buf_init() - Initialize a TPM command
> > + * @buf: A &tpm_buf
> > + * @buf_size: Size of the buffer.
> > */
> > -int tpm_buf_init_sized(struct tpm_buf *buf)
> > +void tpm_buf_init(struct tpm_buf *buf, u16 buf_size)
> > {
> > - buf->data = (u8 *)__get_free_page(GFP_KERNEL);
> > - if (!buf->data)
> > - return -ENOMEM;
> > + memset(buf, 0, buf_size);
> > + __tpm_buf_reset(buf, buf_size, TPM_TAG_RQU_COMMAND, 0);
> > +}
> > +EXPORT_SYMBOL_GPL(tpm_buf_init);
> >
> > - tpm_buf_reset_sized(buf);
> > - return 0;
> > +/**
> > + * tpm_buf_init_sized() - Initialize a sized buffer
> > + * @buf: A &tpm_buf
> > + * @buf_size: Size of the buffer.
> > + */
> > +void tpm_buf_init_sized(struct tpm_buf *buf, u16 buf_size)
> > +{
> > + memset(buf, 0, buf_size);
> > + __tpm_buf_reset_sized(buf, buf_size);
> > }
> > EXPORT_SYMBOL_GPL(tpm_buf_init_sized);
> >
> > /**
> > - * tpm_buf_reset_sized() - Initialize a sized buffer
> > + * tpm_buf_reset() - Re-initialize a TPM command
> > * @buf: A &tpm_buf
> > + * @tag: TPM_TAG_RQU_COMMAND, TPM2_ST_NO_SESSIONS or TPM2_ST_SESSIONS
> > + * @ordinal: A command ordinal
> > */
> > -void tpm_buf_reset_sized(struct tpm_buf *buf)
> > +void tpm_buf_reset(struct tpm_buf *buf, u16 tag, u32 ordinal)
> > {
> > - buf->flags = TPM_BUF_TPM2B;
> > - buf->length = 2;
> > - buf->data[0] = 0;
> > - buf->data[1] = 0;
> > + u16 buf_size = buf->capacity + sizeof(*buf);
> > +
> > + __tpm_buf_reset(buf, buf_size, tag, ordinal);
> > }
> > -EXPORT_SYMBOL_GPL(tpm_buf_reset_sized);
> > +EXPORT_SYMBOL_GPL(tpm_buf_reset);
> >
> > -void tpm_buf_destroy(struct tpm_buf *buf)
> > +/**
> > + * tpm_buf_reset_sized() - Re-initialize a sized buffer
> > + * @buf: A &tpm_buf
> > + */
> > +void tpm_buf_reset_sized(struct tpm_buf *buf)
> > {
> > - free_page((unsigned long)buf->data);
> > + u16 buf_size = buf->capacity + sizeof(*buf);
> > +
> > + __tpm_buf_reset_sized(buf, buf_size);
> > }
> > -EXPORT_SYMBOL_GPL(tpm_buf_destroy);
> > +EXPORT_SYMBOL_GPL(tpm_buf_reset_sized);
> >
> > /**
> > * tpm_buf_length() - Return the number of bytes consumed by the data
> > @@ -90,7 +118,7 @@ EXPORT_SYMBOL_GPL(tpm_buf_destroy);
> > *
> > * Return: The number of bytes consumed by the buffer
> > */
> > -u32 tpm_buf_length(struct tpm_buf *buf)
> > +u16 tpm_buf_length(struct tpm_buf *buf)
> > {
> > return buf->length;
> > }
> > @@ -104,11 +132,13 @@ EXPORT_SYMBOL_GPL(tpm_buf_length);
> > */
> > void tpm_buf_append(struct tpm_buf *buf, const u8 *new_data, u16 new_length)
> > {
> > + u32 total_length = (u32)buf->length + (u32)new_length;
> > +
> > /* Return silently if overflow has already happened. */
> > if (buf->flags & TPM_BUF_OVERFLOW)
> > return;
> >
> > - if ((buf->length + new_length) > PAGE_SIZE) {
> > + if (total_length > (u32)buf->capacity) {
> > WARN(1, "tpm_buf: write overflow\n");
> > buf->flags |= TPM_BUF_OVERFLOW;
> > return;
> > diff --git a/drivers/char/tpm/tpm-sysfs.c b/drivers/char/tpm/tpm-sysfs.c
> > index 94231f052ea7..1de03cf340b3 100644
> > --- a/drivers/char/tpm/tpm-sysfs.c
> > +++ b/drivers/char/tpm/tpm-sysfs.c
> > @@ -32,28 +32,31 @@ struct tpm_readpubek_out {
> > static ssize_t pubek_show(struct device *dev, struct device_attribute *attr,
> > char *buf)
> > {
> > - struct tpm_buf tpm_buf;
> > struct tpm_readpubek_out *out;
> > int i;
> > char *str = buf;
> > struct tpm_chip *chip = to_tpm_chip(dev);
> > char anti_replay[20];
> > + struct tpm_buf *tpm_buf __free(kfree) = NULL;
> >
> > memset(&anti_replay, 0, sizeof(anti_replay));
> >
> > if (tpm_try_get_ops(chip))
> > return 0;
> >
> > - if (tpm_buf_init(&tpm_buf, TPM_TAG_RQU_COMMAND, TPM_ORD_READPUBEK))
> > + tpm_buf = kzalloc(TPM_BUFSIZE, GFP_KERNEL);
> > + if (!tpm_buf)
> > goto out_ops;
> >
> > - tpm_buf_append(&tpm_buf, anti_replay, sizeof(anti_replay));
> > + tpm_buf_init(tpm_buf, TPM_BUFSIZE);
> > + tpm_buf_reset(tpm_buf, TPM_TAG_RQU_COMMAND, TPM_ORD_READPUBEK);
> > + tpm_buf_append(tpm_buf, anti_replay, sizeof(anti_replay));
> >
> > - if (tpm_transmit_cmd(chip, &tpm_buf, READ_PUBEK_RESULT_MIN_BODY_SIZE,
> > + if (tpm_transmit_cmd(chip, tpm_buf, READ_PUBEK_RESULT_MIN_BODY_SIZE,
> > "attempting to read the PUBEK"))
> > - goto out_buf;
> > + goto out_ops;
> >
> > - out = (struct tpm_readpubek_out *)&tpm_buf.data[10];
> > + out = (struct tpm_readpubek_out *)&tpm_buf->data[10];
> > str +=
> > sprintf(str,
> > "Algorithm: %4ph\n"
> > @@ -71,8 +74,6 @@ static ssize_t pubek_show(struct device *dev, struct device_attribute *attr,
> > for (i = 0; i < 256; i += 16)
> > str += sprintf(str, "%16ph\n", &out->modulus[i]);
> >
> > -out_buf:
> > - tpm_buf_destroy(&tpm_buf);
> > out_ops:
> > tpm_put_ops(chip);
> > return str - buf;
> > diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h
> > index 87d68ddf270a..03f5346343ab 100644
> > --- a/drivers/char/tpm/tpm.h
> > +++ b/drivers/char/tpm/tpm.h
> > @@ -33,7 +33,6 @@
> > #endif
> >
> > #define TPM_MINOR 224 /* officially assigned */
> > -#define TPM_BUFSIZE 4096
> > #define TPM_NUM_DEVICES 65536
> > #define TPM_RETRY 50
> >
> > diff --git a/drivers/char/tpm/tpm1-cmd.c b/drivers/char/tpm/tpm1-cmd.c
> > index b49a790f1bd5..6facc3de2c46 100644
> > --- a/drivers/char/tpm/tpm1-cmd.c
> > +++ b/drivers/char/tpm/tpm1-cmd.c
> > @@ -323,20 +323,18 @@ unsigned long tpm1_calc_ordinal_duration(struct tpm_chip *chip, u32 ordinal)
> > */
> > static int tpm1_startup(struct tpm_chip *chip)
> > {
> > - struct tpm_buf buf;
> > - int rc;
> > + struct tpm_buf *buf __free(kfree) = NULL;
> >
> > dev_info(&chip->dev, "starting up the TPM manually\n");
> >
> > - rc = tpm_buf_init(&buf, TPM_TAG_RQU_COMMAND, TPM_ORD_STARTUP);
> > - if (rc < 0)
> > - return rc;
> > -
> > - tpm_buf_append_u16(&buf, TPM_ST_CLEAR);
> > + buf = kzalloc(TPM_BUFSIZE, GFP_KERNEL);
> > + if (!buf)
> > + return -ENOMEM;
> >
> > - rc = tpm_transmit_cmd(chip, &buf, 0, "attempting to start the TPM");
> > - tpm_buf_destroy(&buf);
> > - return rc;
> > + tpm_buf_init(buf, TPM_BUFSIZE);
> > + tpm_buf_reset(buf, TPM_TAG_RQU_COMMAND, TPM_ORD_STARTUP);
> > + tpm_buf_append_u16(buf, TPM_ST_CLEAR);
> > + return tpm_transmit_cmd(chip, buf, 0, "attempting to start the TPM");
> > }
> >
> > int tpm1_get_timeouts(struct tpm_chip *chip)
> > @@ -463,50 +461,47 @@ int tpm1_get_timeouts(struct tpm_chip *chip)
> > int tpm1_pcr_extend(struct tpm_chip *chip, u32 pcr_idx, const u8 *hash,
> > const char *log_msg)
> > {
> > - struct tpm_buf buf;
> > - int rc;
> > -
> > - rc = tpm_buf_init(&buf, TPM_TAG_RQU_COMMAND, TPM_ORD_PCR_EXTEND);
> > - if (rc)
> > - return rc;
> > -
> > - tpm_buf_append_u32(&buf, pcr_idx);
> > - tpm_buf_append(&buf, hash, TPM_DIGEST_SIZE);
> > -
> > - rc = tpm_transmit_cmd(chip, &buf, TPM_DIGEST_SIZE, log_msg);
> > - tpm_buf_destroy(&buf);
> > - return rc;
> > + struct tpm_buf *buf __free(kfree) = kzalloc(TPM_BUFSIZE, GFP_KERNEL);
> > + if (!buf)
> > + return -ENOMEM;
> > +
> > + tpm_buf_init(buf, TPM_BUFSIZE);
> > + tpm_buf_reset(buf, TPM_TAG_RQU_COMMAND, TPM_ORD_PCR_EXTEND);
> > + tpm_buf_append_u32(buf, pcr_idx);
> > + tpm_buf_append(buf, hash, TPM_DIGEST_SIZE);
> > + return tpm_transmit_cmd(chip, buf, TPM_DIGEST_SIZE, log_msg);
> > }
> >
> > #define TPM_ORD_GET_CAP 101
> > ssize_t tpm1_getcap(struct tpm_chip *chip, u32 subcap_id, cap_t *cap,
> > const char *desc, size_t min_cap_length)
> > {
> > - struct tpm_buf buf;
> > int rc;
> >
> > - rc = tpm_buf_init(&buf, TPM_TAG_RQU_COMMAND, TPM_ORD_GET_CAP);
> > - if (rc)
> > - return rc;
> > + struct tpm_buf *buf __free(kfree) = kzalloc(TPM_BUFSIZE, GFP_KERNEL);
> > + if (!buf)
> > + return -ENOMEM;
> > +
> > + tpm_buf_init(buf, TPM_BUFSIZE);
> > + tpm_buf_reset(buf, TPM_TAG_RQU_COMMAND, TPM_ORD_GET_CAP);
> >
> > if (subcap_id == TPM_CAP_VERSION_1_1 ||
> > subcap_id == TPM_CAP_VERSION_1_2) {
> > - tpm_buf_append_u32(&buf, subcap_id);
> > - tpm_buf_append_u32(&buf, 0);
> > + tpm_buf_append_u32(buf, subcap_id);
> > + tpm_buf_append_u32(buf, 0);
> > } else {
> > if (subcap_id == TPM_CAP_FLAG_PERM ||
> > subcap_id == TPM_CAP_FLAG_VOL)
> > - tpm_buf_append_u32(&buf, TPM_CAP_FLAG);
> > + tpm_buf_append_u32(buf, TPM_CAP_FLAG);
> > else
> > - tpm_buf_append_u32(&buf, TPM_CAP_PROP);
> > + tpm_buf_append_u32(buf, TPM_CAP_PROP);
> >
> > - tpm_buf_append_u32(&buf, 4);
> > - tpm_buf_append_u32(&buf, subcap_id);
> > + tpm_buf_append_u32(buf, 4);
> > + tpm_buf_append_u32(buf, subcap_id);
> > }
> > - rc = tpm_transmit_cmd(chip, &buf, min_cap_length, desc);
> > + rc = tpm_transmit_cmd(chip, buf, min_cap_length, desc);
> > if (!rc)
> > - *cap = *(cap_t *)&buf.data[TPM_HEADER_SIZE + 4];
> > - tpm_buf_destroy(&buf);
> > + *cap = *(cap_t *)&buf->data[TPM_HEADER_SIZE + 4];
> > return rc;
> > }
> > EXPORT_SYMBOL_GPL(tpm1_getcap);
> > @@ -530,21 +525,24 @@ struct tpm1_get_random_out {
> > int tpm1_get_random(struct tpm_chip *chip, u8 *dest, size_t max)
> > {
> > struct tpm1_get_random_out *out;
> > + struct tpm_buf *buf __free(kfree) = NULL;
> > u32 num_bytes = min_t(u32, max, TPM_MAX_RNG_DATA);
> > - struct tpm_buf buf;
> > u32 total = 0;
> > int retries = 5;
> > u32 recd;
> > int rc;
> >
> > - rc = tpm_buf_init(&buf, TPM_TAG_RQU_COMMAND, TPM_ORD_GET_RANDOM);
> > - if (rc)
> > - return rc;
> > + buf = kzalloc(TPM_BUFSIZE, GFP_KERNEL);
> > + if (!buf)
> > + return -ENOMEM;
> > +
> > + tpm_buf_init(buf, TPM_BUFSIZE);
> > + tpm_buf_reset(buf, TPM_TAG_RQU_COMMAND, TPM_ORD_GET_RANDOM);
> >
> > do {
> > - tpm_buf_append_u32(&buf, num_bytes);
> > + tpm_buf_append_u32(buf, num_bytes);
> >
> > - rc = tpm_transmit_cmd(chip, &buf, sizeof(out->rng_data_len),
> > + rc = tpm_transmit_cmd(chip, buf, sizeof(out->rng_data_len),
> > "attempting get random");
> > if (rc) {
> > if (rc > 0)
> > @@ -552,7 +550,7 @@ int tpm1_get_random(struct tpm_chip *chip, u8 *dest, size_t max)
> > goto out;
> > }
> >
> > - out = (struct tpm1_get_random_out *)&buf.data[TPM_HEADER_SIZE];
> > + out = (struct tpm1_get_random_out *)&buf->data[TPM_HEADER_SIZE];
> >
> > recd = be32_to_cpu(out->rng_data_len);
> > if (recd > num_bytes) {
> > @@ -560,8 +558,8 @@ int tpm1_get_random(struct tpm_chip *chip, u8 *dest, size_t max)
> > goto out;
> > }
> >
> > - if (tpm_buf_length(&buf) < TPM_HEADER_SIZE +
> > - sizeof(out->rng_data_len) + recd) {
> > + if (tpm_buf_length(buf) < TPM_HEADER_SIZE +
> > + sizeof(out->rng_data_len) + recd) {
> > rc = -EFAULT;
> > goto out;
> > }
> > @@ -571,41 +569,36 @@ int tpm1_get_random(struct tpm_chip *chip, u8 *dest, size_t max)
> > total += recd;
> > num_bytes -= recd;
> >
> > - tpm_buf_reset(&buf, TPM_TAG_RQU_COMMAND, TPM_ORD_GET_RANDOM);
> > + tpm_buf_reset(buf, TPM_TAG_RQU_COMMAND, TPM_ORD_GET_RANDOM);
> > } while (retries-- && total < max);
> >
> > rc = total ? (int)total : -EIO;
> > out:
> > - tpm_buf_destroy(&buf);
> > return rc;
> > }
> >
> > #define TPM_ORD_PCRREAD 21
> > int tpm1_pcr_read(struct tpm_chip *chip, u32 pcr_idx, u8 *res_buf)
> > {
> > - struct tpm_buf buf;
> > int rc;
> >
> > - rc = tpm_buf_init(&buf, TPM_TAG_RQU_COMMAND, TPM_ORD_PCRREAD);
> > - if (rc)
> > - return rc;
> > + struct tpm_buf *buf __free(kfree) = kzalloc(TPM_BUFSIZE, GFP_KERNEL);
> > + if (!buf)
> > + return -ENOMEM;
> >
> > - tpm_buf_append_u32(&buf, pcr_idx);
> > + tpm_buf_init(buf, TPM_BUFSIZE);
> > + tpm_buf_reset(buf, TPM_TAG_RQU_COMMAND, TPM_ORD_PCRREAD);
> > + tpm_buf_append_u32(buf, pcr_idx);
> >
> > - rc = tpm_transmit_cmd(chip, &buf, TPM_DIGEST_SIZE,
> > + rc = tpm_transmit_cmd(chip, buf, TPM_DIGEST_SIZE,
> > "attempting to read a pcr value");
> > if (rc)
> > - goto out;
> > -
> > - if (tpm_buf_length(&buf) < TPM_DIGEST_SIZE) {
> > - rc = -EFAULT;
> > - goto out;
> > - }
> > + return rc;
> >
> > - memcpy(res_buf, &buf.data[TPM_HEADER_SIZE], TPM_DIGEST_SIZE);
> > + if (tpm_buf_length(buf) < TPM_DIGEST_SIZE)
> > + return -EFAULT;
> >
> > -out:
> > - tpm_buf_destroy(&buf);
> > + memcpy(res_buf, &buf->data[TPM_HEADER_SIZE], TPM_DIGEST_SIZE);
> > return rc;
> > }
> >
> > @@ -619,16 +612,13 @@ int tpm1_pcr_read(struct tpm_chip *chip, u32 pcr_idx, u8 *res_buf)
> > */
> > static int tpm1_continue_selftest(struct tpm_chip *chip)
> > {
> > - struct tpm_buf buf;
> > - int rc;
> > + struct tpm_buf *buf __free(kfree) = kzalloc(TPM_BUFSIZE, GFP_KERNEL);
> > + if (!buf)
> > + return -ENOMEM;
> >
> > - rc = tpm_buf_init(&buf, TPM_TAG_RQU_COMMAND, TPM_ORD_CONTINUE_SELFTEST);
> > - if (rc)
> > - return rc;
> > -
> > - rc = tpm_transmit_cmd(chip, &buf, 0, "continue selftest");
> > - tpm_buf_destroy(&buf);
> > - return rc;
> > + tpm_buf_init(buf, TPM_BUFSIZE);
> > + tpm_buf_reset(buf, TPM_TAG_RQU_COMMAND, TPM_ORD_CONTINUE_SELFTEST);
> > + return tpm_transmit_cmd(chip, buf, 0, "continue selftest");
> > }
> >
> > /**
> > @@ -742,22 +732,24 @@ int tpm1_auto_startup(struct tpm_chip *chip)
> > int tpm1_pm_suspend(struct tpm_chip *chip, u32 tpm_suspend_pcr)
> > {
> > u8 dummy_hash[TPM_DIGEST_SIZE] = { 0 };
> > - struct tpm_buf buf;
> > unsigned int try;
> > + struct tpm_buf *buf __free(kfree) = NULL;
> > int rc;
> >
> > -
> > /* for buggy tpm, flush pcrs with extend to selected dummy */
> > if (tpm_suspend_pcr)
> > rc = tpm1_pcr_extend(chip, tpm_suspend_pcr, dummy_hash,
> > "extending dummy pcr before suspend");
> > + buf = kzalloc(TPM_BUFSIZE, GFP_KERNEL);
> > + if (!buf)
> > + return -ENOMEM;
> > +
> > + tpm_buf_init(buf, TPM_BUFSIZE);
> > + tpm_buf_reset(buf, TPM_TAG_RQU_COMMAND, TPM_ORD_SAVESTATE);
> >
> > - rc = tpm_buf_init(&buf, TPM_TAG_RQU_COMMAND, TPM_ORD_SAVESTATE);
> > - if (rc)
> > - return rc;
> > /* now do the actual savestate */
> > for (try = 0; try < TPM_RETRY; try++) {
> > - rc = tpm_transmit_cmd(chip, &buf, 0, NULL);
> > + rc = tpm_transmit_cmd(chip, buf, 0, NULL);
> > /*
> > * If the TPM indicates that it is too busy to respond to
> > * this command then retry before giving up. It can take
> > @@ -772,7 +764,7 @@ int tpm1_pm_suspend(struct tpm_chip *chip, u32 tpm_suspend_pcr)
> > break;
> > tpm_msleep(TPM_TIMEOUT_RETRY);
> >
> > - tpm_buf_reset(&buf, TPM_TAG_RQU_COMMAND, TPM_ORD_SAVESTATE);
> > + tpm_buf_reset(buf, TPM_TAG_RQU_COMMAND, TPM_ORD_SAVESTATE);
> > }
> >
> > if (rc)
> > @@ -782,8 +774,6 @@ int tpm1_pm_suspend(struct tpm_chip *chip, u32 tpm_suspend_pcr)
> > dev_warn(&chip->dev, "TPM savestate took %dms\n",
> > try * TPM_TIMEOUT_RETRY);
> >
> > - tpm_buf_destroy(&buf);
> > -
> > return rc;
> > }
> >
> > diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
> > index 52ee350da867..f619ce390f6d 100644
> > --- a/drivers/char/tpm/tpm2-cmd.c
> > +++ b/drivers/char/tpm/tpm2-cmd.c
> > @@ -119,12 +119,13 @@ int tpm2_pcr_read(struct tpm_chip *chip, u32 pcr_idx,
> > {
> > int i;
> > int rc;
> > - struct tpm_buf buf;
> > struct tpm2_pcr_read_out *out;
> > u8 pcr_select[TPM2_PCR_SELECT_MIN] = {0};
> > u16 digest_size;
> > u16 expected_digest_size = 0;
> >
> > + struct tpm_buf *buf __free(kfree) = NULL;
> > +
> > if (pcr_idx >= TPM2_PLATFORM_PCR)
> > return -EINVAL;
> >
> > @@ -139,36 +140,35 @@ int tpm2_pcr_read(struct tpm_chip *chip, u32 pcr_idx,
> > expected_digest_size = chip->allocated_banks[i].digest_size;
> > }
> >
> > - rc = tpm_buf_init(&buf, TPM2_ST_NO_SESSIONS, TPM2_CC_PCR_READ);
> > - if (rc)
> > - return rc;
> > + buf = kzalloc(TPM_BUFSIZE, GFP_KERNEL);
> > + if (!buf)
> > + return -ENOMEM;
> > +
> > + tpm_buf_init(buf, TPM_BUFSIZE);
> > + tpm_buf_reset(buf, TPM2_ST_NO_SESSIONS, TPM2_CC_PCR_READ);
> >
> > pcr_select[pcr_idx >> 3] = 1 << (pcr_idx & 0x7);
> >
> > - tpm_buf_append_u32(&buf, 1);
> > - tpm_buf_append_u16(&buf, digest->alg_id);
> > - tpm_buf_append_u8(&buf, TPM2_PCR_SELECT_MIN);
> > - tpm_buf_append(&buf, (const unsigned char *)pcr_select,
> > + tpm_buf_append_u32(buf, 1);
> > + tpm_buf_append_u16(buf, digest->alg_id);
> > + tpm_buf_append_u8(buf, TPM2_PCR_SELECT_MIN);
> > + tpm_buf_append(buf, (const unsigned char *)pcr_select,
> > sizeof(pcr_select));
> >
> > - rc = tpm_transmit_cmd(chip, &buf, 0, "attempting to read a pcr value");
> > + rc = tpm_transmit_cmd(chip, buf, 0, "attempting to read a pcr value");
> > if (rc)
> > - goto out;
> > + return rc;
> >
> > - out = (struct tpm2_pcr_read_out *)&buf.data[TPM_HEADER_SIZE];
> > + out = (struct tpm2_pcr_read_out *)&buf->data[TPM_HEADER_SIZE];
> > digest_size = be16_to_cpu(out->digest_size);
> > if (digest_size > sizeof(digest->digest) ||
> > - (!digest_size_ptr && digest_size != expected_digest_size)) {
> > - rc = -EINVAL;
> > - goto out;
> > - }
> > + (!digest_size_ptr && digest_size != expected_digest_size))
> > + return -EINVAL;
> >
> > if (digest_size_ptr)
> > *digest_size_ptr = digest_size;
> >
> > memcpy(digest->digest, out->digest, digest_size);
> > -out:
> > - tpm_buf_destroy(&buf);
> > return rc;
> > }
> >
> > @@ -184,56 +184,54 @@ int tpm2_pcr_read(struct tpm_chip *chip, u32 pcr_idx,
> > int tpm2_pcr_extend(struct tpm_chip *chip, u32 pcr_idx,
> > struct tpm_digest *digests)
> > {
> > - struct tpm_buf buf;
> > int rc;
> > int i;
> >
> > + struct tpm_buf *buf __free(kfree) = NULL;
> > +
> > if (!disable_pcr_integrity) {
> > rc = tpm2_start_auth_session(chip);
> > if (rc)
> > return rc;
> > }
> >
> > - rc = tpm_buf_init(&buf, TPM2_ST_SESSIONS, TPM2_CC_PCR_EXTEND);
> > - if (rc) {
> > + buf = kzalloc(TPM_BUFSIZE, GFP_KERNEL);
> > + if (!buf) {
> > if (!disable_pcr_integrity)
> > tpm2_end_auth_session(chip);
> > - return rc;
> > + return -ENOMEM;
> > }
> >
> > + tpm_buf_init(buf, TPM_BUFSIZE);
> > + tpm_buf_reset(buf, TPM2_ST_SESSIONS, TPM2_CC_PCR_EXTEND);
> > +
> > if (!disable_pcr_integrity) {
> > - rc = tpm_buf_append_name(chip, &buf, pcr_idx, NULL);
> > - if (rc) {
> > - tpm_buf_destroy(&buf);
> > + rc = tpm_buf_append_name(chip, buf, pcr_idx, NULL);
> > + if (rc)
> > return rc;
> > - }
> > - tpm_buf_append_hmac_session(chip, &buf, 0, NULL, 0);
> > + tpm_buf_append_hmac_session(chip, buf, 0, NULL, 0);
> > } else {
> > - tpm_buf_append_handle(chip, &buf, pcr_idx);
> > - tpm_buf_append_auth(chip, &buf, NULL, 0);
> > + tpm_buf_append_handle(chip, buf, pcr_idx);
> > + tpm_buf_append_auth(chip, buf, NULL, 0);
> > }
> >
> > - tpm_buf_append_u32(&buf, chip->nr_allocated_banks);
> > + tpm_buf_append_u32(buf, chip->nr_allocated_banks);
> >
> > for (i = 0; i < chip->nr_allocated_banks; i++) {
> > - tpm_buf_append_u16(&buf, digests[i].alg_id);
> > - tpm_buf_append(&buf, (const unsigned char *)&digests[i].digest,
> > + tpm_buf_append_u16(buf, digests[i].alg_id);
> > + tpm_buf_append(buf, (const unsigned char *)&digests[i].digest,
> > chip->allocated_banks[i].digest_size);
> > }
> >
> > if (!disable_pcr_integrity) {
> > - rc = tpm_buf_fill_hmac_session(chip, &buf);
> > - if (rc) {
> > - tpm_buf_destroy(&buf);
> > + rc = tpm_buf_fill_hmac_session(chip, buf);
> > + if (rc)
> > return rc;
> > - }
> > }
> >
> > - rc = tpm_transmit_cmd(chip, &buf, 0, "attempting extend a PCR value");
> > + rc = tpm_transmit_cmd(chip, buf, 0, "attempting extend a PCR value");
> > if (!disable_pcr_integrity)
> > - rc = tpm_buf_check_hmac_response(chip, &buf, rc);
> > -
> > - tpm_buf_destroy(&buf);
> > + rc = tpm_buf_check_hmac_response(chip, buf, rc);
> >
> > return rc;
> > }
> > @@ -258,7 +256,6 @@ int tpm2_get_random(struct tpm_chip *chip, u8 *dest, size_t max)
> > {
> > struct tpm2_get_random_out *out;
> > struct tpm_header *head;
> > - struct tpm_buf buf;
> > u32 recd;
> > u32 num_bytes = max;
> > int err;
> > @@ -267,6 +264,8 @@ int tpm2_get_random(struct tpm_chip *chip, u8 *dest, size_t max)
> > u8 *dest_ptr = dest;
> > off_t offset;
> >
> > + struct tpm_buf *buf __free(kfree) = NULL;
> > +
> > if (!num_bytes || max > TPM_MAX_RNG_DATA)
> > return -EINVAL;
> >
> > @@ -274,50 +273,52 @@ int tpm2_get_random(struct tpm_chip *chip, u8 *dest, size_t max)
> > if (err)
> > return err;
> >
> > - err = tpm_buf_init(&buf, 0, 0);
> > - if (err) {
> > + buf = kzalloc(TPM_BUFSIZE, GFP_KERNEL);
> > + if (!buf) {
> > tpm2_end_auth_session(chip);
> > - return err;
> > + return -ENOMEM;
> > }
> >
> > + tpm_buf_init(buf, TPM_BUFSIZE);
> > +
> > do {
> > - tpm_buf_reset(&buf, TPM2_ST_SESSIONS, TPM2_CC_GET_RANDOM);
> > + tpm_buf_reset(buf, TPM2_ST_SESSIONS, TPM2_CC_GET_RANDOM);
> > if (tpm2_chip_auth(chip)) {
> > - tpm_buf_append_hmac_session(chip, &buf,
> > + tpm_buf_append_hmac_session(chip, buf,
> > TPM2_SA_ENCRYPT |
> > TPM2_SA_CONTINUE_SESSION,
> > NULL, 0);
> > } else {
> > - offset = buf.handles * 4 + TPM_HEADER_SIZE;
> > - head = (struct tpm_header *)buf.data;
> > - if (tpm_buf_length(&buf) == offset)
> > + offset = buf->handles * 4 + TPM_HEADER_SIZE;
> > + head = (struct tpm_header *)buf->data;
> > + if (tpm_buf_length(buf) == offset)
> > head->tag = cpu_to_be16(TPM2_ST_NO_SESSIONS);
> > }
> > - tpm_buf_append_u16(&buf, num_bytes);
> > - err = tpm_buf_fill_hmac_session(chip, &buf);
> > + tpm_buf_append_u16(buf, num_bytes);
> > + err = tpm_buf_fill_hmac_session(chip, buf);
> > if (err)
> > goto out;
> >
> > - err = tpm_transmit_cmd(chip, &buf,
> > + err = tpm_transmit_cmd(chip, buf,
> > offsetof(struct tpm2_get_random_out,
> > buffer),
> > "attempting get random");
> > - err = tpm_buf_check_hmac_response(chip, &buf, err);
> > + err = tpm_buf_check_hmac_response(chip, buf, err);
> > if (err) {
> > if (err > 0)
> > err = -EIO;
> > goto out;
> > }
> >
> > - head = (struct tpm_header *)buf.data;
> > + head = (struct tpm_header *)buf->data;
> > offset = TPM_HEADER_SIZE;
> > /* Skip the parameter size field: */
> > if (be16_to_cpu(head->tag) == TPM2_ST_SESSIONS)
> > offset += 4;
> >
> > - out = (struct tpm2_get_random_out *)&buf.data[offset];
> > + out = (struct tpm2_get_random_out *)&buf->data[offset];
> > recd = min_t(u32, be16_to_cpu(out->size), num_bytes);
> > - if (tpm_buf_length(&buf) <
> > + if (tpm_buf_length(buf) <
> > TPM_HEADER_SIZE +
> > offsetof(struct tpm2_get_random_out, buffer) +
> > recd) {
> > @@ -331,11 +332,8 @@ int tpm2_get_random(struct tpm_chip *chip, u8 *dest, size_t max)
> > num_bytes -= recd;
> > } while (retries-- && total < max);
> >
> > - tpm_buf_destroy(&buf);
> > -
> > return total ? total : -EIO;
> > out:
> > - tpm_buf_destroy(&buf);
> > tpm2_end_auth_session(chip);
> > return err;
> > }
> > @@ -347,20 +345,18 @@ int tpm2_get_random(struct tpm_chip *chip, u8 *dest, size_t max)
> > */
> > void tpm2_flush_context(struct tpm_chip *chip, u32 handle)
> > {
> > - struct tpm_buf buf;
> > - int rc;
> > -
> > - rc = tpm_buf_init(&buf, TPM2_ST_NO_SESSIONS, TPM2_CC_FLUSH_CONTEXT);
> > - if (rc) {
> > + struct tpm_buf *buf __free(kfree) = kzalloc(TPM_BUFSIZE, GFP_KERNEL);
> > + if (!buf) {
> > dev_warn(&chip->dev, "0x%08x was not flushed, out of memory\n",
> > handle);
> > return;
> > }
> >
> > - tpm_buf_append_u32(&buf, handle);
> > + tpm_buf_init(buf, TPM_BUFSIZE);
> > + tpm_buf_reset(buf, TPM2_ST_NO_SESSIONS, TPM2_CC_FLUSH_CONTEXT);
> > + tpm_buf_append_u32(buf, handle);
> >
> > - tpm_transmit_cmd(chip, &buf, 0, "flushing context");
> > - tpm_buf_destroy(&buf);
> > + tpm_transmit_cmd(chip, buf, 0, "flushing context");
> > }
> > EXPORT_SYMBOL_GPL(tpm2_flush_context);
> >
> > @@ -387,19 +383,21 @@ ssize_t tpm2_get_tpm_pt(struct tpm_chip *chip, u32 property_id, u32 *value,
> > const char *desc)
> > {
> > struct tpm2_get_cap_out *out;
> > - struct tpm_buf buf;
> > int rc;
> >
> > - rc = tpm_buf_init(&buf, TPM2_ST_NO_SESSIONS, TPM2_CC_GET_CAPABILITY);
> > - if (rc)
> > - return rc;
> > - tpm_buf_append_u32(&buf, TPM2_CAP_TPM_PROPERTIES);
> > - tpm_buf_append_u32(&buf, property_id);
> > - tpm_buf_append_u32(&buf, 1);
> > - rc = tpm_transmit_cmd(chip, &buf, 0, NULL);
> > + struct tpm_buf *buf __free(kfree) = kzalloc(TPM_BUFSIZE, GFP_KERNEL);
> > + if (!buf)
> > + return -ENOMEM;
> > +
> > + tpm_buf_init(buf, TPM_BUFSIZE);
> > + tpm_buf_reset(buf, TPM2_ST_NO_SESSIONS, TPM2_CC_GET_CAPABILITY);
> > + tpm_buf_append_u32(buf, TPM2_CAP_TPM_PROPERTIES);
> > + tpm_buf_append_u32(buf, property_id);
> > + tpm_buf_append_u32(buf, 1);
> > + rc = tpm_transmit_cmd(chip, buf, 0, NULL);
> > if (!rc) {
> > out = (struct tpm2_get_cap_out *)
> > - &buf.data[TPM_HEADER_SIZE];
> > + &buf->data[TPM_HEADER_SIZE];
> > /*
> > * To prevent failing boot up of some systems, Infineon TPM2.0
> > * returns SUCCESS on TPM2_Startup in field upgrade mode. Also
> > @@ -411,7 +409,6 @@ ssize_t tpm2_get_tpm_pt(struct tpm_chip *chip, u32 property_id, u32 *value,
> > else
> > rc = -ENODATA;
> > }
> > - tpm_buf_destroy(&buf);
> > return rc;
> > }
> > EXPORT_SYMBOL_GPL(tpm2_get_tpm_pt);
> > @@ -428,15 +425,14 @@ EXPORT_SYMBOL_GPL(tpm2_get_tpm_pt);
> > */
> > void tpm2_shutdown(struct tpm_chip *chip, u16 shutdown_type)
> > {
> > - struct tpm_buf buf;
> > - int rc;
> > -
> > - rc = tpm_buf_init(&buf, TPM2_ST_NO_SESSIONS, TPM2_CC_SHUTDOWN);
> > - if (rc)
> > + struct tpm_buf *buf __free(kfree) = kzalloc(TPM_BUFSIZE, GFP_KERNEL);
> > + if (!buf)
> > return;
> > - tpm_buf_append_u16(&buf, shutdown_type);
> > - tpm_transmit_cmd(chip, &buf, 0, "stopping the TPM");
> > - tpm_buf_destroy(&buf);
> > +
> > + tpm_buf_init(buf, TPM_BUFSIZE);
> > + tpm_buf_reset(buf, TPM2_ST_NO_SESSIONS, TPM2_CC_SHUTDOWN);
> > + tpm_buf_append_u16(buf, shutdown_type);
> > + tpm_transmit_cmd(chip, buf, 0, "stopping the TPM");
> > }
> >
> > /**
> > @@ -454,20 +450,21 @@ void tpm2_shutdown(struct tpm_chip *chip, u16 shutdown_type)
> > */
> > static int tpm2_do_selftest(struct tpm_chip *chip)
> > {
> > - struct tpm_buf buf;
> > int full;
> > int rc;
> >
> > for (full = 0; full < 2; full++) {
> > - rc = tpm_buf_init(&buf, TPM2_ST_NO_SESSIONS, TPM2_CC_SELF_TEST);
> > - if (rc)
> > - return rc;
> > + struct tpm_buf *buf __free(kfree) = NULL;
> >
> > - tpm_buf_append_u8(&buf, full);
> > - rc = tpm_transmit_cmd(chip, &buf, 0,
> > - "attempting the self test");
> > - tpm_buf_destroy(&buf);
> > + buf = kzalloc(TPM_BUFSIZE, GFP_KERNEL);
> > + if (!buf)
> > + return -ENOMEM;
> >
> > + tpm_buf_init(buf, TPM_BUFSIZE);
> > + tpm_buf_reset(buf, TPM2_ST_NO_SESSIONS, TPM2_CC_SELF_TEST);
> > + tpm_buf_append_u8(buf, full);
> > + rc = tpm_transmit_cmd(chip, buf, 0,
> > + "attempting the self test");
> > if (rc == TPM2_RC_TESTING)
> > rc = TPM2_RC_SUCCESS;
> > if (rc == TPM2_RC_INITIALIZE || rc == TPM2_RC_SUCCESS)
> > @@ -492,23 +489,24 @@ static int tpm2_do_selftest(struct tpm_chip *chip)
> > int tpm2_probe(struct tpm_chip *chip)
> > {
> > struct tpm_header *out;
> > - struct tpm_buf buf;
> > int rc;
> >
> > - rc = tpm_buf_init(&buf, TPM2_ST_NO_SESSIONS, TPM2_CC_GET_CAPABILITY);
> > - if (rc)
> > - return rc;
> > - tpm_buf_append_u32(&buf, TPM2_CAP_TPM_PROPERTIES);
> > - tpm_buf_append_u32(&buf, TPM_PT_TOTAL_COMMANDS);
> > - tpm_buf_append_u32(&buf, 1);
> > - rc = tpm_transmit_cmd(chip, &buf, 0, NULL);
> > + struct tpm_buf *buf __free(kfree) = kzalloc(TPM_BUFSIZE, GFP_KERNEL);
> > + if (!buf)
> > + return -ENOMEM;
> > +
> > + tpm_buf_init(buf, TPM_BUFSIZE);
> > + tpm_buf_reset(buf, TPM2_ST_NO_SESSIONS, TPM2_CC_GET_CAPABILITY);
> > + tpm_buf_append_u32(buf, TPM2_CAP_TPM_PROPERTIES);
> > + tpm_buf_append_u32(buf, TPM_PT_TOTAL_COMMANDS);
> > + tpm_buf_append_u32(buf, 1);
> > + rc = tpm_transmit_cmd(chip, buf, 0, NULL);
> > /* We ignore TPM return codes on purpose. */
> > if (rc >= 0) {
> > - out = (struct tpm_header *)buf.data;
> > + out = (struct tpm_header *)buf->data;
> > if (be16_to_cpu(out->tag) == TPM2_ST_NO_SESSIONS)
> > chip->flags |= TPM_CHIP_FLAG_TPM2;
> > }
> > - tpm_buf_destroy(&buf);
> > return 0;
> > }
> > EXPORT_SYMBOL_GPL(tpm2_probe);
> > @@ -548,7 +546,6 @@ struct tpm2_pcr_selection {
> > ssize_t tpm2_get_pcr_allocation(struct tpm_chip *chip)
> > {
> > struct tpm2_pcr_selection pcr_selection;
> > - struct tpm_buf buf;
> > void *marker;
> > void *end;
> > void *pcr_select_offset;
> > @@ -560,20 +557,22 @@ ssize_t tpm2_get_pcr_allocation(struct tpm_chip *chip)
> > int rc;
> > int i = 0;
> >
> > - rc = tpm_buf_init(&buf, TPM2_ST_NO_SESSIONS, TPM2_CC_GET_CAPABILITY);
> > - if (rc)
> > - return rc;
> > + struct tpm_buf *buf __free(kfree) = kzalloc(TPM_BUFSIZE, GFP_KERNEL);
> > + if (!buf)
> > + return -ENOMEM;
> >
> > - tpm_buf_append_u32(&buf, TPM2_CAP_PCRS);
> > - tpm_buf_append_u32(&buf, 0);
> > - tpm_buf_append_u32(&buf, 1);
> > + tpm_buf_init(buf, TPM_BUFSIZE);
> > + tpm_buf_reset(buf, TPM2_ST_NO_SESSIONS, TPM2_CC_GET_CAPABILITY);
> > + tpm_buf_append_u32(buf, TPM2_CAP_PCRS);
> > + tpm_buf_append_u32(buf, 0);
> > + tpm_buf_append_u32(buf, 1);
> >
> > - rc = tpm_transmit_cmd(chip, &buf, 9, "get tpm pcr allocation");
> > + rc = tpm_transmit_cmd(chip, buf, 9, "get tpm pcr allocation");
> > if (rc)
> > goto out;
> >
> > nr_possible_banks = be32_to_cpup(
> > - (__be32 *)&buf.data[TPM_HEADER_SIZE + 5]);
> > + (__be32 *)&buf->data[TPM_HEADER_SIZE + 5]);
> > if (nr_possible_banks > TPM2_MAX_PCR_BANKS) {
> > pr_err("tpm: out of bank capacity: %u > %u\n",
> > nr_possible_banks, TPM2_MAX_PCR_BANKS);
> > @@ -581,10 +580,10 @@ ssize_t tpm2_get_pcr_allocation(struct tpm_chip *chip)
> > goto out;
> > }
> >
> > - marker = &buf.data[TPM_HEADER_SIZE + 9];
> > + marker = &buf->data[TPM_HEADER_SIZE + 9];
> >
> > - rsp_len = be32_to_cpup((__be32 *)&buf.data[2]);
> > - end = &buf.data[rsp_len];
> > + rsp_len = be32_to_cpup((__be32 *)&buf->data[2]);
> > + end = &buf->data[rsp_len];
> >
> > for (i = 0; i < nr_possible_banks; i++) {
> > pcr_select_offset = marker +
> > @@ -617,20 +616,19 @@ ssize_t tpm2_get_pcr_allocation(struct tpm_chip *chip)
> >
> > chip->nr_allocated_banks = nr_alloc_banks;
> > out:
> > - tpm_buf_destroy(&buf);
> > -
> > return rc;
> > }
> >
> > int tpm2_get_cc_attrs_tbl(struct tpm_chip *chip)
> > {
> > - struct tpm_buf buf;
> > u32 nr_commands;
> > __be32 *attrs;
> > u32 cc;
> > int i;
> > int rc;
> >
> > + struct tpm_buf *buf __free(kfree) = NULL;
> > +
> > rc = tpm2_get_tpm_pt(chip, TPM_PT_TOTAL_COMMANDS, &nr_commands, NULL);
> > if (rc)
> > goto out;
> > @@ -647,30 +645,31 @@ int tpm2_get_cc_attrs_tbl(struct tpm_chip *chip)
> > goto out;
> > }
> >
> > - rc = tpm_buf_init(&buf, TPM2_ST_NO_SESSIONS, TPM2_CC_GET_CAPABILITY);
> > - if (rc)
> > + buf = kzalloc(TPM_BUFSIZE, GFP_KERNEL);
> > + if (!buf) {
> > + rc = -ENOMEM;
> > goto out;
> > + }
> >
> > - tpm_buf_append_u32(&buf, TPM2_CAP_COMMANDS);
> > - tpm_buf_append_u32(&buf, TPM2_CC_FIRST);
> > - tpm_buf_append_u32(&buf, nr_commands);
> > + tpm_buf_init(buf, TPM_BUFSIZE);
> > + tpm_buf_reset(buf, TPM2_ST_NO_SESSIONS, TPM2_CC_GET_CAPABILITY);
> > + tpm_buf_append_u32(buf, TPM2_CAP_COMMANDS);
> > + tpm_buf_append_u32(buf, TPM2_CC_FIRST);
> > + tpm_buf_append_u32(buf, nr_commands);
> >
> > - rc = tpm_transmit_cmd(chip, &buf, 9 + 4 * nr_commands, NULL);
> > - if (rc) {
> > - tpm_buf_destroy(&buf);
> > + rc = tpm_transmit_cmd(chip, buf, 9 + 4 * nr_commands, NULL);
> > + if (rc)
> > goto out;
> > - }
> >
> > if (nr_commands !=
> > - be32_to_cpup((__be32 *)&buf.data[TPM_HEADER_SIZE + 5])) {
> > + be32_to_cpup((__be32 *)&buf->data[TPM_HEADER_SIZE + 5])) {
> > rc = -EFAULT;
> > - tpm_buf_destroy(&buf);
> > goto out;
> > }
> >
> > chip->nr_commands = nr_commands;
> >
> > - attrs = (__be32 *)&buf.data[TPM_HEADER_SIZE + 9];
> > + attrs = (__be32 *)&buf->data[TPM_HEADER_SIZE + 9];
> > for (i = 0; i < nr_commands; i++, attrs++) {
> > chip->cc_attrs_tbl[i] = be32_to_cpup(attrs);
> > cc = chip->cc_attrs_tbl[i] & 0xFFFF;
> > @@ -682,8 +681,6 @@ int tpm2_get_cc_attrs_tbl(struct tpm_chip *chip)
> > }
> > }
> >
> > - tpm_buf_destroy(&buf);
> > -
> > out:
> > if (rc > 0)
> > rc = -ENODEV;
> > @@ -704,20 +701,18 @@ EXPORT_SYMBOL_GPL(tpm2_get_cc_attrs_tbl);
> >
> > static int tpm2_startup(struct tpm_chip *chip)
> > {
> > - struct tpm_buf buf;
> > - int rc;
> > + struct tpm_buf *buf __free(kfree) = NULL;
> >
> > dev_info(&chip->dev, "starting up the TPM manually\n");
> >
> > - rc = tpm_buf_init(&buf, TPM2_ST_NO_SESSIONS, TPM2_CC_STARTUP);
> > - if (rc < 0)
> > - return rc;
> > -
> > - tpm_buf_append_u16(&buf, TPM2_SU_CLEAR);
> > - rc = tpm_transmit_cmd(chip, &buf, 0, "attempting to start the TPM");
> > - tpm_buf_destroy(&buf);
> > + buf = kzalloc(TPM_BUFSIZE, GFP_KERNEL);
> > + if (!buf)
> > + return -ENOMEM;
> >
> > - return rc;
> > + tpm_buf_init(buf, TPM_BUFSIZE);
> > + tpm_buf_reset(buf, TPM2_ST_NO_SESSIONS, TPM2_CC_STARTUP);
> > + tpm_buf_append_u16(buf, TPM2_SU_CLEAR);
> > + return tpm_transmit_cmd(chip, buf, 0, "attempting to start the TPM");
> > }
> >
> > /**
> > diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c
> > index 795cd99dc6fe..b6a93db5a5ee 100644
> > --- a/drivers/char/tpm/tpm2-sessions.c
> > +++ b/drivers/char/tpm/tpm2-sessions.c
> > @@ -167,8 +167,8 @@ static int tpm2_read_public(struct tpm_chip *chip, u32 handle, void *name)
> > {
> > u32 mso = tpm2_handle_mso(handle);
> > off_t offset = TPM_HEADER_SIZE;
> > + struct tpm_buf *buf __free(kfree) = NULL;
> > int rc, name_size_alg;
> > - struct tpm_buf buf;
> >
> > if (mso != TPM2_MSO_PERSISTENT && mso != TPM2_MSO_VOLATILE &&
> > mso != TPM2_MSO_NVRAM) {
> > @@ -176,50 +176,40 @@ static int tpm2_read_public(struct tpm_chip *chip, u32 handle, void *name)
> > return sizeof(u32);
> > }
> >
> > - rc = tpm_buf_init(&buf, TPM2_ST_NO_SESSIONS, TPM2_CC_READ_PUBLIC);
> > - if (rc)
> > - return rc;
> > + buf = kzalloc(TPM_BUFSIZE, GFP_KERNEL);
> > + if (!buf)
> > + return -ENOMEM;
> >
> > - tpm_buf_append_u32(&buf, handle);
> > + tpm_buf_init(buf, TPM_BUFSIZE);
> > + tpm_buf_reset(buf, TPM2_ST_NO_SESSIONS, TPM2_CC_READ_PUBLIC);
> > + tpm_buf_append_u32(buf, handle);
> >
> > - rc = tpm_transmit_cmd(chip, &buf, 0, "TPM2_ReadPublic");
> > - if (rc) {
> > - tpm_buf_destroy(&buf);
> > + rc = tpm_transmit_cmd(chip, buf, 0, "TPM2_ReadPublic");
> > + if (rc)
> > return tpm_ret_to_err(rc);
> > - }
> >
> > /* Skip TPMT_PUBLIC: */
> > - offset += tpm_buf_read_u16(&buf, &offset);
> > + offset += tpm_buf_read_u16(buf, &offset);
> >
> > /*
> > * Ensure space for the length field of TPM2B_NAME and hashAlg field of
> > * TPMT_HA (the extra four bytes).
> > */
> > - if (offset + 4 > tpm_buf_length(&buf)) {
> > - tpm_buf_destroy(&buf);
> > + if (offset + 4 > tpm_buf_length(buf))
> > return -EIO;
> > - }
> > -
> > - rc = tpm_buf_read_u16(&buf, &offset);
> > - name_size_alg = name_size(&buf.data[offset]);
> >
> > - if (name_size_alg < 0) {
> > - tpm_buf_destroy(&buf);
> > + rc = tpm_buf_read_u16(buf, &offset);
> > + name_size_alg = name_size(&buf->data[offset]);
> > + if (name_size_alg < 0)
> > return name_size_alg;
> > - }
> >
> > - if (rc != name_size_alg) {
> > - tpm_buf_destroy(&buf);
> > + if (rc != name_size_alg)
> > return -EIO;
> > - }
> >
> > - if (offset + rc > tpm_buf_length(&buf)) {
> > - tpm_buf_destroy(&buf);
> > + if (offset + rc > tpm_buf_length(buf))
> > return -EIO;
> > - }
> >
> > - memcpy(name, &buf.data[offset], rc);
> > - tpm_buf_destroy(&buf);
> > + memcpy(name, &buf->data[offset], rc);
> > return name_size_alg;
> > }
> > #endif /* CONFIG_TCG_TPM2_HMAC */
> > @@ -987,8 +977,8 @@ static int tpm2_load_null(struct tpm_chip *chip, u32 *null_key)
> > */
> > int tpm2_start_auth_session(struct tpm_chip *chip)
> > {
> > + struct tpm_buf *buf __free(kfree) = NULL;
> > struct tpm2_auth *auth;
> > - struct tpm_buf buf;
> > u32 null_key;
> > int rc;
> >
> > @@ -1007,41 +997,43 @@ int tpm2_start_auth_session(struct tpm_chip *chip)
> >
> > auth->session = TPM_HEADER_SIZE;
> >
> > - rc = tpm_buf_init(&buf, TPM2_ST_NO_SESSIONS, TPM2_CC_START_AUTH_SESS);
> > - if (rc)
> > + buf = kzalloc(TPM_BUFSIZE, GFP_KERNEL);
> > + if (!buf) {
> > + rc = -ENOMEM;
> > goto out;
> > + }
> >
> > + tpm_buf_init(buf, TPM_BUFSIZE);
> > + tpm_buf_reset(buf, TPM2_ST_NO_SESSIONS, TPM2_CC_START_AUTH_SESS);
> > /* salt key handle */
> > - tpm_buf_append_u32(&buf, null_key);
> > + tpm_buf_append_u32(buf, null_key);
> > /* bind key handle */
> > - tpm_buf_append_u32(&buf, TPM2_RH_NULL);
> > + tpm_buf_append_u32(buf, TPM2_RH_NULL);
> > /* nonce caller */
> > get_random_bytes(auth->our_nonce, sizeof(auth->our_nonce));
> > - tpm_buf_append_u16(&buf, sizeof(auth->our_nonce));
> > - tpm_buf_append(&buf, auth->our_nonce, sizeof(auth->our_nonce));
> > + tpm_buf_append_u16(buf, sizeof(auth->our_nonce));
> > + tpm_buf_append(buf, auth->our_nonce, sizeof(auth->our_nonce));
> >
> > /* append encrypted salt and squirrel away unencrypted in auth */
> > - tpm_buf_append_salt(&buf, chip, auth);
> > + tpm_buf_append_salt(buf, chip, auth);
> > /* session type (HMAC, audit or policy) */
> > - tpm_buf_append_u8(&buf, TPM2_SE_HMAC);
> > + tpm_buf_append_u8(buf, TPM2_SE_HMAC);
> >
> > /* symmetric encryption parameters */
> > /* symmetric algorithm */
> > - tpm_buf_append_u16(&buf, TPM_ALG_AES);
> > + tpm_buf_append_u16(buf, TPM_ALG_AES);
> > /* bits for symmetric algorithm */
> > - tpm_buf_append_u16(&buf, AES_KEY_BITS);
> > + tpm_buf_append_u16(buf, AES_KEY_BITS);
> > /* symmetric algorithm mode (must be CFB) */
> > - tpm_buf_append_u16(&buf, TPM_ALG_CFB);
> > + tpm_buf_append_u16(buf, TPM_ALG_CFB);
> > /* hash algorithm for session */
> > - tpm_buf_append_u16(&buf, TPM_ALG_SHA256);
> > + tpm_buf_append_u16(buf, TPM_ALG_SHA256);
> >
> > - rc = tpm_ret_to_err(tpm_transmit_cmd(chip, &buf, 0, "StartAuthSession"));
> > + rc = tpm_ret_to_err(tpm_transmit_cmd(chip, buf, 0, "StartAuthSession"));
> > tpm2_flush_context(chip, null_key);
> >
> > if (rc == TPM2_RC_SUCCESS)
> > - rc = tpm2_parse_start_auth_session(auth, &buf);
> > -
> > - tpm_buf_destroy(&buf);
> > + rc = tpm2_parse_start_auth_session(auth, buf);
> >
> > if (rc == TPM2_RC_SUCCESS) {
> > chip->auth = auth;
> > @@ -1262,19 +1254,21 @@ static int tpm2_parse_create_primary(struct tpm_chip *chip, struct tpm_buf *buf,
> > static int tpm2_create_primary(struct tpm_chip *chip, u32 hierarchy,
> > u32 *handle, u8 *name)
> > {
> > + struct tpm_buf *template __free(kfree) = NULL;
> > + struct tpm_buf *buf __free(kfree) = NULL;
> > int rc;
> > - struct tpm_buf buf;
> > - struct tpm_buf template;
> >
> > - rc = tpm_buf_init(&buf, TPM2_ST_SESSIONS, TPM2_CC_CREATE_PRIMARY);
> > - if (rc)
> > - return rc;
> > + buf = kzalloc(TPM_BUFSIZE, GFP_KERNEL);
> > + if (!buf)
> > + return -ENOMEM;
> >
> > - rc = tpm_buf_init_sized(&template);
> > - if (rc) {
> > - tpm_buf_destroy(&buf);
> > - return rc;
> > - }
> > + template = kzalloc(TPM_BUFSIZE, GFP_KERNEL);
> > + if (!template)
> > + return -ENOMEM;
> > +
> > + tpm_buf_init(buf, TPM_BUFSIZE);
> > + tpm_buf_reset(buf, TPM2_ST_SESSIONS, TPM2_CC_CREATE_PRIMARY);
> > + tpm_buf_init_sized(template, TPM_BUFSIZE);
> >
> > /*
> > * create the template. Note: in order for userspace to
> > @@ -1286,75 +1280,72 @@ static int tpm2_create_primary(struct tpm_chip *chip, u32 hierarchy,
> > */
> >
> > /* key type */
> > - tpm_buf_append_u16(&template, TPM_ALG_ECC);
> > + tpm_buf_append_u16(template, TPM_ALG_ECC);
> >
> > /* name algorithm */
> > - tpm_buf_append_u16(&template, TPM_ALG_SHA256);
> > + tpm_buf_append_u16(template, TPM_ALG_SHA256);
> >
> > /* object properties */
> > - tpm_buf_append_u32(&template, TPM2_OA_NULL_KEY);
> > + tpm_buf_append_u32(template, TPM2_OA_NULL_KEY);
> >
> > /* sauth policy (empty) */
> > - tpm_buf_append_u16(&template, 0);
> > + tpm_buf_append_u16(template, 0);
> >
> > /* BEGIN parameters: key specific; for ECC*/
> >
> > /* symmetric algorithm */
> > - tpm_buf_append_u16(&template, TPM_ALG_AES);
> > + tpm_buf_append_u16(template, TPM_ALG_AES);
> >
> > /* bits for symmetric algorithm */
> > - tpm_buf_append_u16(&template, AES_KEY_BITS);
> > + tpm_buf_append_u16(template, AES_KEY_BITS);
> >
> > /* algorithm mode (must be CFB) */
> > - tpm_buf_append_u16(&template, TPM_ALG_CFB);
> > + tpm_buf_append_u16(template, TPM_ALG_CFB);
> >
> > /* scheme (NULL means any scheme) */
> > - tpm_buf_append_u16(&template, TPM_ALG_NULL);
> > + tpm_buf_append_u16(template, TPM_ALG_NULL);
> >
> > /* ECC Curve ID */
> > - tpm_buf_append_u16(&template, TPM2_ECC_NIST_P256);
> > + tpm_buf_append_u16(template, TPM2_ECC_NIST_P256);
> >
> > /* KDF Scheme */
> > - tpm_buf_append_u16(&template, TPM_ALG_NULL);
> > + tpm_buf_append_u16(template, TPM_ALG_NULL);
> >
> > /* unique: key specific; for ECC it is two zero size points */
> > - tpm_buf_append_u16(&template, 0);
> > - tpm_buf_append_u16(&template, 0);
> > + tpm_buf_append_u16(template, 0);
> > + tpm_buf_append_u16(template, 0);
> >
> > /* END parameters */
> >
> > /* primary handle */
> > - tpm_buf_append_u32(&buf, hierarchy);
> > - tpm_buf_append_empty_auth(&buf, TPM2_RS_PW);
> > + tpm_buf_append_u32(buf, hierarchy);
> > + tpm_buf_append_empty_auth(buf, TPM2_RS_PW);
> >
> > /* sensitive create size is 4 for two empty buffers */
> > - tpm_buf_append_u16(&buf, 4);
> > + tpm_buf_append_u16(buf, 4);
> >
> > /* sensitive create auth data (empty) */
> > - tpm_buf_append_u16(&buf, 0);
> > + tpm_buf_append_u16(buf, 0);
> >
> > /* sensitive create sensitive data (empty) */
> > - tpm_buf_append_u16(&buf, 0);
> > + tpm_buf_append_u16(buf, 0);
> >
> > /* the public template */
> > - tpm_buf_append(&buf, template.data, template.length);
> > - tpm_buf_destroy(&template);
> > + tpm_buf_append(buf, template->data, template->length);
> >
> > /* outside info (empty) */
> > - tpm_buf_append_u16(&buf, 0);
> > + tpm_buf_append_u16(buf, 0);
> >
> > /* creation PCR (none) */
> > - tpm_buf_append_u32(&buf, 0);
> > + tpm_buf_append_u32(buf, 0);
> >
> > - rc = tpm_transmit_cmd(chip, &buf, 0,
> > + rc = tpm_transmit_cmd(chip, buf, 0,
> > "attempting to create NULL primary");
> >
> > if (rc == TPM2_RC_SUCCESS)
> > - rc = tpm2_parse_create_primary(chip, &buf, handle, hierarchy,
> > + rc = tpm2_parse_create_primary(chip, buf, handle, hierarchy,
> > name);
> >
> > - tpm_buf_destroy(&buf);
> > -
> > return rc;
> > }
> >
> > diff --git a/drivers/char/tpm/tpm2-space.c b/drivers/char/tpm/tpm2-space.c
> > index 60354cd53b5c..cbf86ff5931f 100644
> > --- a/drivers/char/tpm/tpm2-space.c
> > +++ b/drivers/char/tpm/tpm2-space.c
> > @@ -71,24 +71,25 @@ void tpm2_del_space(struct tpm_chip *chip, struct tpm_space *space)
> > int tpm2_load_context(struct tpm_chip *chip, u8 *buf,
> > unsigned int *offset, u32 *handle)
> > {
> > - struct tpm_buf tbuf;
> > struct tpm2_context *ctx;
> > unsigned int body_size;
> > int rc;
> >
> > - rc = tpm_buf_init(&tbuf, TPM2_ST_NO_SESSIONS, TPM2_CC_CONTEXT_LOAD);
> > - if (rc)
> > - return rc;
> > + struct tpm_buf *tbuf __free(kfree) = kzalloc(TPM_BUFSIZE, GFP_KERNEL);
> > + if (!tbuf)
> > + return -ENOMEM;
> > +
> > + tpm_buf_init(tbuf, TPM_BUFSIZE);
> > + tpm_buf_reset(tbuf, TPM2_ST_NO_SESSIONS, TPM2_CC_CONTEXT_LOAD);
> >
> > ctx = (struct tpm2_context *)&buf[*offset];
> > body_size = sizeof(*ctx) + be16_to_cpu(ctx->blob_size);
> > - tpm_buf_append(&tbuf, &buf[*offset], body_size);
> > + tpm_buf_append(tbuf, &buf[*offset], body_size);
> >
> > - rc = tpm_transmit_cmd(chip, &tbuf, 4, NULL);
> > + rc = tpm_transmit_cmd(chip, tbuf, 4, NULL);
> > if (rc < 0) {
> > dev_warn(&chip->dev, "%s: failed with a system error %d\n",
> > __func__, rc);
> > - tpm_buf_destroy(&tbuf);
> > return -EFAULT;
> > } else if (tpm2_rc_value(rc) == TPM2_RC_HANDLE ||
> > rc == TPM2_RC_REFERENCE_H0) {
> > @@ -103,64 +104,55 @@ int tpm2_load_context(struct tpm_chip *chip, u8 *buf,
> > * flushed outside the space
> > */
> > *handle = 0;
> > - tpm_buf_destroy(&tbuf);
> > return -ENOENT;
> > } else if (tpm2_rc_value(rc) == TPM2_RC_INTEGRITY) {
> > - tpm_buf_destroy(&tbuf);
> > return -EINVAL;
> > } else if (rc > 0) {
> > dev_warn(&chip->dev, "%s: failed with a TPM error 0x%04X\n",
> > __func__, rc);
> > - tpm_buf_destroy(&tbuf);
> > return -EFAULT;
> > }
> >
> > - *handle = be32_to_cpup((__be32 *)&tbuf.data[TPM_HEADER_SIZE]);
> > + *handle = be32_to_cpup((__be32 *)&tbuf->data[TPM_HEADER_SIZE]);
> > *offset += body_size;
> > -
> > - tpm_buf_destroy(&tbuf);
> > return 0;
> > }
> >
> > int tpm2_save_context(struct tpm_chip *chip, u32 handle, u8 *buf,
> > unsigned int buf_size, unsigned int *offset)
> > {
> > - struct tpm_buf tbuf;
> > unsigned int body_size;
> > int rc;
> >
> > - rc = tpm_buf_init(&tbuf, TPM2_ST_NO_SESSIONS, TPM2_CC_CONTEXT_SAVE);
> > - if (rc)
> > - return rc;
> > + struct tpm_buf *tbuf __free(kfree) = kzalloc(TPM_BUFSIZE, GFP_KERNEL);
> > + if (!tbuf)
> > + return -ENOMEM;
> >
> > - tpm_buf_append_u32(&tbuf, handle);
> > + tpm_buf_init(tbuf, TPM_BUFSIZE);
> > + tpm_buf_reset(tbuf, TPM2_ST_NO_SESSIONS, TPM2_CC_CONTEXT_SAVE);
> > + tpm_buf_append_u32(tbuf, handle);
> >
> > - rc = tpm_transmit_cmd(chip, &tbuf, 0, NULL);
> > + rc = tpm_transmit_cmd(chip, tbuf, 0, NULL);
> > if (rc < 0) {
> > dev_warn(&chip->dev, "%s: failed with a system error %d\n",
> > __func__, rc);
> > - tpm_buf_destroy(&tbuf);
> > return -EFAULT;
> > } else if (tpm2_rc_value(rc) == TPM2_RC_REFERENCE_H0) {
> > - tpm_buf_destroy(&tbuf);
> > return -ENOENT;
> > } else if (rc) {
> > dev_warn(&chip->dev, "%s: failed with a TPM error 0x%04X\n",
> > __func__, rc);
> > - tpm_buf_destroy(&tbuf);
> > return -EFAULT;
> > }
> >
> > - body_size = tpm_buf_length(&tbuf) - TPM_HEADER_SIZE;
> > + body_size = tpm_buf_length(tbuf) - TPM_HEADER_SIZE;
> > if ((*offset + body_size) > buf_size) {
> > dev_warn(&chip->dev, "%s: out of backing storage\n", __func__);
> > - tpm_buf_destroy(&tbuf);
> > return -ENOMEM;
> > }
> >
> > - memcpy(&buf[*offset], &tbuf.data[TPM_HEADER_SIZE], body_size);
> > + memcpy(&buf[*offset], &tbuf->data[TPM_HEADER_SIZE], body_size);
> > *offset += body_size;
> > - tpm_buf_destroy(&tbuf);
> > return 0;
> > }
> >
> > diff --git a/drivers/char/tpm/tpm_vtpm_proxy.c b/drivers/char/tpm/tpm_vtpm_proxy.c
> > index 7bb0f4d4a2ed..b81fd2a537df 100644
> > --- a/drivers/char/tpm/tpm_vtpm_proxy.c
> > +++ b/drivers/char/tpm/tpm_vtpm_proxy.c
> > @@ -395,40 +395,36 @@ static bool vtpm_proxy_tpm_req_canceled(struct tpm_chip *chip, u8 status)
> >
> > static int vtpm_proxy_request_locality(struct tpm_chip *chip, int locality)
> > {
> > - struct tpm_buf buf;
> > int rc;
> > const struct tpm_header *header;
> > struct proxy_dev *proxy_dev = dev_get_drvdata(&chip->dev);
> >
> > + struct tpm_buf *buf __free(kfree) = kzalloc(TPM_BUFSIZE, GFP_KERNEL);
> > + if (!buf)
> > + return -ENOMEM;
> > +
> > + tpm_buf_init(buf, TPM_BUFSIZE);
> > if (chip->flags & TPM_CHIP_FLAG_TPM2)
> > - rc = tpm_buf_init(&buf, TPM2_ST_SESSIONS,
> > - TPM2_CC_SET_LOCALITY);
> > + tpm_buf_reset(buf, TPM2_ST_SESSIONS, TPM2_CC_SET_LOCALITY);
> > else
> > - rc = tpm_buf_init(&buf, TPM_TAG_RQU_COMMAND,
> > - TPM_ORD_SET_LOCALITY);
> > - if (rc)
> > - return rc;
> > - tpm_buf_append_u8(&buf, locality);
> > + tpm_buf_reset(buf, TPM_TAG_RQU_COMMAND, TPM_ORD_SET_LOCALITY);
> > +
> > + tpm_buf_append_u8(buf, locality);
> >
> > proxy_dev->state |= STATE_DRIVER_COMMAND;
> >
> > - rc = tpm_transmit_cmd(chip, &buf, 0, "attempting to set locality");
> > + rc = tpm_transmit_cmd(chip, buf, 0, "attempting to set locality");
> >
> > proxy_dev->state &= ~STATE_DRIVER_COMMAND;
> >
> > - if (rc < 0) {
> > - locality = rc;
> > - goto out;
> > - }
> > + if (rc < 0)
> > + return rc;
> >
> > - header = (const struct tpm_header *)buf.data;
> > + header = (const struct tpm_header *)buf->data;
> > rc = be32_to_cpu(header->return_code);
> > if (rc)
> > locality = -1;
> >
> > -out:
> > - tpm_buf_destroy(&buf);
> > -
> > return locality;
> > }
> >
> > diff --git a/include/linux/tpm.h b/include/linux/tpm.h
> > index 202da079d500..14d75c1482d6 100644
> > --- a/include/linux/tpm.h
> > +++ b/include/linux/tpm.h
> > @@ -26,6 +26,7 @@
> > #include <crypto/aes.h>
> >
> > #define TPM_DIGEST_SIZE 20 /* Max TPM v1.2 PCR size */
> > +#define TPM_BUFSIZE 4096
> >
> > #define TPM2_MAX_DIGEST_SIZE SHA512_DIGEST_SIZE
> > #define TPM2_MAX_PCR_BANKS 8
> > @@ -378,13 +379,15 @@ enum tpm_buf_flags {
> > };
> >
> > /*
> > - * A string buffer type for constructing TPM commands.
> > + * A buffer for constructing and parsing TPM commands, responses and sized
> > + * (TPM2B) buffers.
> > */
> > struct tpm_buf {
> > - u32 flags;
> > - u32 length;
> > - u8 *data;
> > + u8 flags;
> > + u16 length;
> > + u16 capacity;
> > u8 handles;
> > + u8 data[];
> > };
> >
> > enum tpm2_object_attributes {
> > @@ -415,12 +418,11 @@ struct tpm2_hash {
> > unsigned int tpm_id;
> > };
> >
> > -int tpm_buf_init(struct tpm_buf *buf, u16 tag, u32 ordinal);
> > +void tpm_buf_init(struct tpm_buf *buf, u16 buf_size);
> > +void tpm_buf_init_sized(struct tpm_buf *buf, u16 buf_size);
> > void tpm_buf_reset(struct tpm_buf *buf, u16 tag, u32 ordinal);
> > -int tpm_buf_init_sized(struct tpm_buf *buf);
> > void tpm_buf_reset_sized(struct tpm_buf *buf);
> > -void tpm_buf_destroy(struct tpm_buf *buf);
> > -u32 tpm_buf_length(struct tpm_buf *buf);
> > +u16 tpm_buf_length(struct tpm_buf *buf);
> > void tpm_buf_append(struct tpm_buf *buf, const u8 *new_data, u16 new_length);
> > void tpm_buf_append_u8(struct tpm_buf *buf, const u8 value);
> > void tpm_buf_append_u16(struct tpm_buf *buf, const u16 value);
> > diff --git a/security/keys/trusted-keys/trusted_tpm1.c b/security/keys/trusted-keys/trusted_tpm1.c
> > index 13513819991e..6e03fa7227e4 100644
> > --- a/security/keys/trusted-keys/trusted_tpm1.c
> > +++ b/security/keys/trusted-keys/trusted_tpm1.c
> > @@ -317,9 +317,8 @@ static int TSS_checkhmac2(unsigned char *buffer,
> > * For key specific tpm requests, we will generate and send our
> > * own TPM command packets using the drivers send function.
> > */
> > -static int trusted_tpm_send(unsigned char *cmd, size_t buflen)
> > +static int trusted_tpm_send(struct tpm_buf *buf)
> > {
> > - struct tpm_buf buf;
> > int rc;
> >
> > if (!chip)
> > @@ -329,12 +328,9 @@ static int trusted_tpm_send(unsigned char *cmd, size_t buflen)
> > if (rc)
> > return rc;
> >
> > - buf.flags = 0;
> > - buf.length = buflen;
> > - buf.data = cmd;
> > - dump_tpm_buf(cmd);
> > - rc = tpm_transmit_cmd(chip, &buf, 4, "sending data");
> > - dump_tpm_buf(cmd);
> > + dump_tpm_buf(buf->data);
> > + rc = tpm_transmit_cmd(chip, buf, 4, "sending data");
> > + dump_tpm_buf(buf->data);
> >
> > if (rc > 0)
> > /* TPM error */
> > @@ -380,7 +376,7 @@ static int osap(struct tpm_buf *tb, struct osapsess *s,
> > tpm_buf_append_u32(tb, handle);
> > tpm_buf_append(tb, ononce, TPM_NONCE_SIZE);
> >
> > - ret = trusted_tpm_send(tb->data, tb->length);
> > + ret = trusted_tpm_send(tb);
> > if (ret < 0)
> > return ret;
> >
> > @@ -404,7 +400,7 @@ static int oiap(struct tpm_buf *tb, uint32_t *handle, unsigned char *nonce)
> > return -ENODEV;
> >
> > tpm_buf_reset(tb, TPM_TAG_RQU_COMMAND, TPM_ORD_OIAP);
> > - ret = trusted_tpm_send(tb->data, tb->length);
> > + ret = trusted_tpm_send(tb);
> > if (ret < 0)
> > return ret;
> >
> > @@ -513,7 +509,7 @@ static int tpm_seal(struct tpm_buf *tb, uint16_t keytype,
> > tpm_buf_append_u8(tb, cont);
> > tpm_buf_append(tb, td->pubauth, SHA1_DIGEST_SIZE);
> >
> > - ret = trusted_tpm_send(tb->data, tb->length);
> > + ret = trusted_tpm_send(tb);
> > if (ret < 0)
> > goto out;
> >
> > @@ -604,7 +600,7 @@ static int tpm_unseal(struct tpm_buf *tb,
> > tpm_buf_append_u8(tb, cont);
> > tpm_buf_append(tb, authdata2, SHA1_DIGEST_SIZE);
> >
> > - ret = trusted_tpm_send(tb->data, tb->length);
> > + ret = trusted_tpm_send(tb);
> > if (ret < 0) {
> > pr_info("authhmac failed (%d)\n", ret);
> > return ret;
> > @@ -631,23 +627,23 @@ static int tpm_unseal(struct tpm_buf *tb,
> > static int key_seal(struct trusted_key_payload *p,
> > struct trusted_key_options *o)
> > {
> > - struct tpm_buf tb;
> > int ret;
> >
> > - ret = tpm_buf_init(&tb, 0, 0);
> > - if (ret)
> > - return ret;
> > + struct tpm_buf *tb __free(kfree) = kzalloc(TPM_BUFSIZE, GFP_KERNEL);
> > + if (!tb)
> > + return -ENOMEM;
> > +
> > + tpm_buf_init(tb, TPM_BUFSIZE);
> >
> > /* include migratable flag at end of sealed key */
> > p->key[p->key_len] = p->migratable;
> >
> > - ret = tpm_seal(&tb, o->keytype, o->keyhandle, o->keyauth,
> > + ret = tpm_seal(tb, o->keytype, o->keyhandle, o->keyauth,
> > p->key, p->key_len + 1, p->blob, &p->blob_len,
> > o->blobauth, o->pcrinfo, o->pcrinfo_len);
> > if (ret < 0)
> > pr_info("srkseal failed (%d)\n", ret);
> >
> > - tpm_buf_destroy(&tb);
> > return ret;
> > }
> >
> > @@ -657,14 +653,15 @@ static int key_seal(struct trusted_key_payload *p,
> > static int key_unseal(struct trusted_key_payload *p,
> > struct trusted_key_options *o)
> > {
> > - struct tpm_buf tb;
> > int ret;
> >
> > - ret = tpm_buf_init(&tb, 0, 0);
> > - if (ret)
> > - return ret;
> > + struct tpm_buf *tb __free(kfree) = kzalloc(TPM_BUFSIZE, GFP_KERNEL);
> > + if (!tb)
> > + return -ENOMEM;
> > +
> > + tpm_buf_init(tb, TPM_BUFSIZE);
> >
> > - ret = tpm_unseal(&tb, o->keyhandle, o->keyauth, p->blob, p->blob_len,
> > + ret = tpm_unseal(tb, o->keyhandle, o->keyauth, p->blob, p->blob_len,
> > o->blobauth, p->key, &p->key_len);
> > if (ret < 0)
> > pr_info("srkunseal failed (%d)\n", ret);
> > @@ -672,7 +669,6 @@ static int key_unseal(struct trusted_key_payload *p,
> > /* pull migratable flag out of sealed key */
> > p->migratable = p->key[--p->key_len];
> >
> > - tpm_buf_destroy(&tb);
> > return ret;
> > }
> >
> > diff --git a/security/keys/trusted-keys/trusted_tpm2.c b/security/keys/trusted-keys/trusted_tpm2.c
> > index 6340823f8b53..6f5c34b885fb 100644
> > --- a/security/keys/trusted-keys/trusted_tpm2.c
> > +++ b/security/keys/trusted-keys/trusted_tpm2.c
> > @@ -234,7 +234,8 @@ int tpm2_seal_trusted(struct tpm_chip *chip,
> > struct trusted_key_options *options)
> > {
> > off_t offset = TPM_HEADER_SIZE;
> > - struct tpm_buf buf, sized;
> > + struct tpm_buf *buf __free(kfree) = NULL;
> > + struct tpm_buf *sized __free(kfree) = NULL;
> > int blob_len = 0;
> > int hash;
> > u32 flags;
> > @@ -255,97 +256,100 @@ int tpm2_seal_trusted(struct tpm_chip *chip,
> > if (rc)
> > goto out_put;
> >
> > - rc = tpm_buf_init(&buf, TPM2_ST_SESSIONS, TPM2_CC_CREATE);
> > - if (rc) {
> > + buf = kzalloc(TPM_BUFSIZE, GFP_KERNEL);
> > + if (!buf) {
> > + rc = -ENOMEM;
> > tpm2_end_auth_session(chip);
> > goto out_put;
> > }
> >
> > - rc = tpm_buf_init_sized(&sized);
> > - if (rc) {
> > - tpm_buf_destroy(&buf);
> > + tpm_buf_init(buf, TPM_BUFSIZE);
> > + tpm_buf_reset(buf, TPM2_ST_SESSIONS, TPM2_CC_CREATE);
> > +
> > + sized = kzalloc(TPM_BUFSIZE, GFP_KERNEL);
> > + if (!sized) {
> > + rc = -ENOMEM;
> > tpm2_end_auth_session(chip);
> > goto out_put;
> > }
> >
> > - rc = tpm_buf_append_name(chip, &buf, options->keyhandle, NULL);
> > + tpm_buf_init_sized(sized, TPM_BUFSIZE);
> > +
> > + rc = tpm_buf_append_name(chip, buf, options->keyhandle, NULL);
> > if (rc)
> > goto out;
> >
> > - tpm_buf_append_hmac_session(chip, &buf, TPM2_SA_DECRYPT,
> > + tpm_buf_append_hmac_session(chip, buf, TPM2_SA_DECRYPT,
> > options->keyauth, TPM_DIGEST_SIZE);
> >
> > /* sensitive */
> > - tpm_buf_append_u16(&sized, options->blobauth_len);
> > + tpm_buf_append_u16(sized, options->blobauth_len);
> >
> > if (options->blobauth_len)
> > - tpm_buf_append(&sized, options->blobauth, options->blobauth_len);
> > + tpm_buf_append(sized, options->blobauth, options->blobauth_len);
> >
> > - tpm_buf_append_u16(&sized, payload->key_len);
> > - tpm_buf_append(&sized, payload->key, payload->key_len);
> > - tpm_buf_append(&buf, sized.data, sized.length);
> > + tpm_buf_append_u16(sized, payload->key_len);
> > + tpm_buf_append(sized, payload->key, payload->key_len);
> > + tpm_buf_append(buf, sized->data, sized->length);
> >
> > /* public */
> > - tpm_buf_reset_sized(&sized);
> > - tpm_buf_append_u16(&sized, TPM_ALG_KEYEDHASH);
> > - tpm_buf_append_u16(&sized, hash);
> > + tpm_buf_reset_sized(sized);
> > + tpm_buf_append_u16(sized, TPM_ALG_KEYEDHASH);
> > + tpm_buf_append_u16(sized, hash);
> >
> > /* key properties */
> > flags = 0;
> > flags |= options->policydigest_len ? 0 : TPM2_OA_USER_WITH_AUTH;
> > flags |= payload->migratable ? 0 : (TPM2_OA_FIXED_TPM | TPM2_OA_FIXED_PARENT);
> > - tpm_buf_append_u32(&sized, flags);
> > + tpm_buf_append_u32(sized, flags);
> >
> > /* policy */
> > - tpm_buf_append_u16(&sized, options->policydigest_len);
> > + tpm_buf_append_u16(sized, options->policydigest_len);
> > if (options->policydigest_len)
> > - tpm_buf_append(&sized, options->policydigest, options->policydigest_len);
> > + tpm_buf_append(sized, options->policydigest, options->policydigest_len);
> >
> > /* public parameters */
> > - tpm_buf_append_u16(&sized, TPM_ALG_NULL);
> > - tpm_buf_append_u16(&sized, 0);
> > + tpm_buf_append_u16(sized, TPM_ALG_NULL);
> > + tpm_buf_append_u16(sized, 0);
> >
> > - tpm_buf_append(&buf, sized.data, sized.length);
> > + tpm_buf_append(buf, sized->data, sized->length);
> >
> > /* outside info */
> > - tpm_buf_append_u16(&buf, 0);
> > + tpm_buf_append_u16(buf, 0);
> >
> > /* creation PCR */
> > - tpm_buf_append_u32(&buf, 0);
> > + tpm_buf_append_u32(buf, 0);
> >
> > - if (buf.flags & TPM_BUF_OVERFLOW) {
> > + if (buf->flags & TPM_BUF_OVERFLOW) {
> > rc = -E2BIG;
> > tpm2_end_auth_session(chip);
> > goto out;
> > }
> >
> > - rc = tpm_buf_fill_hmac_session(chip, &buf);
> > + rc = tpm_buf_fill_hmac_session(chip, buf);
> > if (rc)
> > goto out;
> >
> > - rc = tpm_transmit_cmd(chip, &buf, 4, "sealing data");
> > - rc = tpm_buf_check_hmac_response(chip, &buf, rc);
> > + rc = tpm_transmit_cmd(chip, buf, 4, "sealing data");
> > + rc = tpm_buf_check_hmac_response(chip, buf, rc);
> > if (rc)
> > goto out;
> >
> > - blob_len = tpm_buf_read_u32(&buf, &offset);
> > - if (blob_len > MAX_BLOB_SIZE || buf.flags & TPM_BUF_BOUNDARY_ERROR) {
> > + blob_len = tpm_buf_read_u32(buf, &offset);
> > + if (blob_len > MAX_BLOB_SIZE || buf->flags & TPM_BUF_BOUNDARY_ERROR) {
> > rc = -E2BIG;
> > goto out;
> > }
> > - if (buf.length - offset < blob_len) {
> > + if (buf->length - offset < blob_len) {
> > rc = -EFAULT;
> > goto out;
> > }
> >
> > - blob_len = tpm2_key_encode(payload, options, &buf.data[offset], blob_len);
> > + blob_len = tpm2_key_encode(payload, options, &buf->data[offset], blob_len);
> > if (blob_len < 0)
> > rc = blob_len;
> >
> > out:
> > - tpm_buf_destroy(&sized);
> > - tpm_buf_destroy(&buf);
> > -
> > if (!rc)
> > payload->blob_len = blob_len;
> >
> > @@ -373,7 +377,7 @@ static int tpm2_load_cmd(struct tpm_chip *chip,
> > u32 *blob_handle)
> > {
> > u8 *blob_ref __free(kfree) = NULL;
> > - struct tpm_buf buf;
> > + struct tpm_buf *buf __free(kfree) = NULL;
> > unsigned int private_len;
> > unsigned int public_len;
> > unsigned int blob_len;
> > @@ -427,39 +431,38 @@ static int tpm2_load_cmd(struct tpm_chip *chip,
> > if (rc)
> > return rc;
> >
> > - rc = tpm_buf_init(&buf, TPM2_ST_SESSIONS, TPM2_CC_LOAD);
> > - if (rc) {
> > + buf = kzalloc(TPM_BUFSIZE, GFP_KERNEL);
> > + if (!buf) {
> > tpm2_end_auth_session(chip);
> > - return rc;
> > + return -ENOMEM;
> > }
> >
> > - rc = tpm_buf_append_name(chip, &buf, options->keyhandle, NULL);
> > + tpm_buf_init(buf, TPM_BUFSIZE);
> > + tpm_buf_reset(buf, TPM2_ST_SESSIONS, TPM2_CC_LOAD);
> > +
> > + rc = tpm_buf_append_name(chip, buf, options->keyhandle, NULL);
> > if (rc)
> > - goto out;
> > + return rc;
> >
> > - tpm_buf_append_hmac_session(chip, &buf, 0, options->keyauth,
> > + tpm_buf_append_hmac_session(chip, buf, 0, options->keyauth,
> > TPM_DIGEST_SIZE);
> >
> > - tpm_buf_append(&buf, blob, blob_len);
> > + tpm_buf_append(buf, blob, blob_len);
> >
> > - if (buf.flags & TPM_BUF_OVERFLOW) {
> > - rc = -E2BIG;
> > + if (buf->flags & TPM_BUF_OVERFLOW) {
> > tpm2_end_auth_session(chip);
> > - goto out;
> > + return -E2BIG;
> > }
> >
> > - rc = tpm_buf_fill_hmac_session(chip, &buf);
> > + rc = tpm_buf_fill_hmac_session(chip, buf);
> > if (rc)
> > - goto out;
> > + return rc;
> >
> > - rc = tpm_transmit_cmd(chip, &buf, 4, "loading blob");
> > - rc = tpm_buf_check_hmac_response(chip, &buf, rc);
> > + rc = tpm_transmit_cmd(chip, buf, 4, "loading blob");
> > + rc = tpm_buf_check_hmac_response(chip, buf, rc);
> > if (!rc)
> > *blob_handle = be32_to_cpup(
> > - (__be32 *) &buf.data[TPM_HEADER_SIZE]);
> > -
> > -out:
> > - tpm_buf_destroy(&buf);
> > + (__be32 *)&buf->data[TPM_HEADER_SIZE]);
> >
> > return tpm_ret_to_err(rc);
> > }
> > @@ -482,7 +485,7 @@ static int tpm2_unseal_cmd(struct tpm_chip *chip,
> > u32 blob_handle)
> > {
> > struct tpm_header *head;
> > - struct tpm_buf buf;
> > + struct tpm_buf *buf __free(kfree) = NULL;
> > u16 data_len;
> > int offset;
> > u8 *data;
> > @@ -492,18 +495,21 @@ static int tpm2_unseal_cmd(struct tpm_chip *chip,
> > if (rc)
> > return rc;
> >
> > - rc = tpm_buf_init(&buf, TPM2_ST_SESSIONS, TPM2_CC_UNSEAL);
> > - if (rc) {
> > + buf = kzalloc(TPM_BUFSIZE, GFP_KERNEL);
> > + if (!buf) {
> > tpm2_end_auth_session(chip);
> > - return rc;
> > + return -ENOMEM;
> > }
> >
> > - rc = tpm_buf_append_name(chip, &buf, blob_handle, NULL);
> > + tpm_buf_init(buf, TPM_BUFSIZE);
> > + tpm_buf_reset(buf, TPM2_ST_SESSIONS, TPM2_CC_UNSEAL);
> > +
> > + rc = tpm_buf_append_name(chip, buf, blob_handle, NULL);
> > if (rc)
> > - goto out;
> > + return rc;
> >
> > if (!options->policyhandle) {
> > - tpm_buf_append_hmac_session(chip, &buf, TPM2_SA_ENCRYPT,
> > + tpm_buf_append_hmac_session(chip, buf, TPM2_SA_ENCRYPT,
> > options->blobauth,
> > options->blobauth_len);
> > } else {
> > @@ -518,39 +524,36 @@ static int tpm2_unseal_cmd(struct tpm_chip *chip,
> > * could repeat our actions with the exfiltrated
> > * password.
> > */
> > - tpm2_buf_append_auth(&buf, options->policyhandle,
> > + tpm2_buf_append_auth(buf, options->policyhandle,
> > NULL /* nonce */, 0, 0,
> > options->blobauth, options->blobauth_len);
> > if (tpm2_chip_auth(chip)) {
> > - tpm_buf_append_hmac_session(chip, &buf, TPM2_SA_ENCRYPT, NULL, 0);
> > + tpm_buf_append_hmac_session(chip, buf, TPM2_SA_ENCRYPT,
> > + NULL, 0);
> > } else {
> > - offset = buf.handles * 4 + TPM_HEADER_SIZE;
> > - head = (struct tpm_header *)buf.data;
> > - if (tpm_buf_length(&buf) == offset)
> > + offset = buf->handles * 4 + TPM_HEADER_SIZE;
> > + head = (struct tpm_header *)buf->data;
> > + if (tpm_buf_length(buf) == offset)
> > head->tag = cpu_to_be16(TPM2_ST_NO_SESSIONS);
> > }
> > }
> >
> > - rc = tpm_buf_fill_hmac_session(chip, &buf);
> > + rc = tpm_buf_fill_hmac_session(chip, buf);
> > if (rc)
> > - goto out;
> > + return rc;
> >
> > - rc = tpm_transmit_cmd(chip, &buf, 6, "unsealing");
> > - rc = tpm_buf_check_hmac_response(chip, &buf, rc);
> > + rc = tpm_transmit_cmd(chip, buf, 6, "unsealing");
> > + rc = tpm_buf_check_hmac_response(chip, buf, rc);
> >
> > if (!rc) {
> > data_len = be16_to_cpup(
> > - (__be16 *) &buf.data[TPM_HEADER_SIZE + 4]);
> > - if (data_len < MIN_KEY_SIZE || data_len > MAX_KEY_SIZE) {
> > - rc = -EFAULT;
> > - goto out;
> > - }
> > + (__be16 *)&buf->data[TPM_HEADER_SIZE + 4]);
> > + if (data_len < MIN_KEY_SIZE || data_len > MAX_KEY_SIZE)
> > + return -EFAULT;
> >
> > - if (tpm_buf_length(&buf) < TPM_HEADER_SIZE + 6 + data_len) {
> > - rc = -EFAULT;
> > - goto out;
> > - }
> > - data = &buf.data[TPM_HEADER_SIZE + 6];
> > + if (tpm_buf_length(buf) < TPM_HEADER_SIZE + 6 + data_len)
> > + return -EFAULT;
> > + data = &buf->data[TPM_HEADER_SIZE + 6];
> >
> > if (payload->old_format) {
> > /* migratable flag is at the end of the key */
> > @@ -567,8 +570,6 @@ static int tpm2_unseal_cmd(struct tpm_chip *chip,
> > }
> > }
> >
> > -out:
> > - tpm_buf_destroy(&buf);
> > return tpm_ret_to_err(rc);
> > }
> >
> > --
> > 2.47.3
> >
> >
Thank you.
BR, Jarkko
^ permalink raw reply
* Re: [PATCH] tpm-buf: memory-safe allocations
From: Jarkko Sakkinen @ 2026-05-29 22:33 UTC (permalink / raw)
To: James Bottomley
Cc: linux-integrity, Jarkko Sakkinen, Arun Menon, Daniel P. Smith,
Alec Brown, Ross Philipson, Stefan Berger, Peter Huewe,
Jason Gunthorpe, Mimi Zohar, David Howells, Paul Moore,
James Morris, Serge E. Hallyn, linux-kernel, keyrings,
linux-security-module
In-Reply-To: <27db53d88a44e057c2f0ed5a637f65e4e18c8c3d.camel@HansenPartnership.com>
On Fri, May 29, 2026 at 10:08:52AM -0400, James Bottomley wrote:
> On Tue, 2026-05-26 at 10:53 +0300, Jarkko Sakkinen wrote:
> > On Mon, May 25, 2026 at 01:50:51PM -0400, James Bottomley wrote:
> > > On Fri, 2026-05-22 at 04:35 +0300, Jarkko Sakkinen wrote:
> > > > Decouple kzalloc from buffer creation, so that a managed
> > > > allocation
> > > > can be
> > > > used:
> > > >
> > > > struct tpm_buf *buf __free(kfree) buf =
> > > > kzalloc(TPM_BUFSIZE,
> > > > GFP_KERNEL);
> > > > if (!buf)
> > > > return -ENOMEM;
> > > >
> > > > tpm_buf_init(buf, TPM_BUFSIZE);
> > > >
> > > > Alternatively, stack allocations are also possible:
> > > >
> > > > u8 buf_data[512];
> > > > struct tpm_buf *buf = (struct tpm_buf *)buf_data;
> > > > tpm_buf_init(buf, sizeof(buf_data));
> > >
> > > This isn't really a good idea from a security point of view.
> > > Remember the buffer has to be big enough for both the sent and the
> > > received data. Today we simply set TPM_BUFSIZE to the maximum
> > > amount a TPM requires and all the send and receives just work. If
> > > we let callers set this size, we're asking for them to get it wrong
> > > (or at least forget about the receive part) and for us to get a DMA
> > > overrun from the TPM ... which might be potentially exploitable
> > > depending on how it occurs (think of an unseal of user chosen data
> > > overrunning).
> >
> > It's one patch so you're free to remark the call sites where this
> > happens. This is not a majorn concern at all.
>
> Nearly twenty years ago, when the kernel was a lot smaller, a then
> kernel luminary called Rusty Russell realized we needed to pay much
> more attention to how we design APIs inside the kernel if we wanted it
> to grow successfully. He published his initial thoughts and gave talks
> at both the kernel summit and OLS on it:
>
> https://ozlabs.org/~rusty/index.cgi/tech/2008-03-18.html
>
> The key point that's always stuck with me is "hard to misuse beats easy
> to use". Later he came up with a rating scale (now known as the Rusty
> API classification):
>
> https://ozlabs.org/~rusty/index.cgi/tech/2008-03-30.html
>
> and for chuckles and grins on April fools day he came up with a
> negative rating ridiculing some of our dafter API choices:
>
> https://ozlabs.org/~rusty/index.cgi/tech/2008-04-01.html
>
> The point for this patch set is that the sizing of the original tpm_buf
> interface scores 10/10 on the Rusty scale (it's impossible to get
> wrong). Simply threading size through the whole API, as this patch
> does, may look like the right answer, but it causes a massive reduction
> in API score. In fact, since the buffer has to be sized not only
> according to what goes in, but also what gets returned and this is
> nowhere mentioned in the new documentation it scores -3 (read the
> documentation and you can still get it wrong). Now by mentioning the
> sizing problems in the doc, you can probably get it up to +3 (read the
> documentation and you'll get it right) but my question was not if you
> got it wrong somewhere in the patch but whether we couldn't do a whole
> lot better in terms of API score by designing a better API.
>
> A key point about the 185 version of the TPM spec is that it's really
> only a few commands that need larger buffers (the Post Quantum ML-KEM
> keys) which doesn't apply to most of the in-kernel TPM callsites.
> Since tpm_buf_init takes the ordinal, we can actually tell at runtime
> (or compile time if the ordinal is a constant) if the command would
> need a larger buffer. We can also tell from the TPM properties whether
> the TPM itself can take a larger buffer, so for every current TPM we
> could retain the original score 10/10 API and warn at runtime if there
> might be a problem. Then the larger keys seem to fit into 8k, so we
> could still retain most of the original API properties of being
> difficult to misuse simply by having an 8k size flag (which we could
> ignore if the TPM doesn't support it) and warn at runtime if
> tpm_buf_init sends an ordinal which might need a larger buffer. At
> worst we should be able to get to an API which scores 5/10 (do it right
> or it will break at runtime).
>
> Regards,
>
> James
This patch has pre-existed long before any of this post-quantum stuff,
and there are good reasons so to have buffers managed given e.g.,
complexity of tpm2-sessions code. It prevents any major risk for
memory leaks.
Trenchboot extends the use buffers to early boot and we want a robust
structure. I'm not going to spend my time reading about philosophical
aspects of API design. There are quantitative reasons to decrease
the risk of memory leaks.
BR, Jarkko
^ permalink raw reply
* Re: [PATCH 00/11] hornet: security, tooling and selftest fixes
From: Paul Moore @ 2026-05-29 20:56 UTC (permalink / raw)
To: Blaise Boscaccy
Cc: Jonathan Corbet, Shuah Khan, James Morris, Serge E. Hallyn,
Eric Biggers, Fan Wu, James.Bottomley, linux-security-module
In-Reply-To: <CAHC9VhSQzV0xZPFwkNdUJ5Lz8Mw6gppBhR6QyRdrY8xCTohHDw@mail.gmail.com>
On Thu, May 28, 2026 at 9:39 PM Paul Moore <paul@paul-moore.com> wrote:
> On Wed, May 27, 2026 at 11:09 PM Blaise Boscaccy
> <bboscaccy@linux.microsoft.com> wrote:
> >
> > Patch 1 closes a TOCTOU race in signature verification. Map
> > contents were hashed at the program-load hook and re-hashed at
> > the program-run hook, leaving a window in which a sufficiently
> > privileged attacker could mutate a map between the two checks
> > and run a program whose maps no longer matched what was signed.
> > The fix records the verified hashes on the prog at load time
> > and, in security_bpf_prog, checks them against
> > prog->aux->used_maps — the same map set the verifier and
> > runtime resolve against — so the verified and executed sets
> > cannot diverge. The per-map index in the signature format is no
> > longer needed and is dropped; the check becomes a subset test.
> > Reported by Eric Biggers.
> >
> > Patches 2-3 fix two counting bugs in the same area: duplicate maps
> > could satisfy the required hash count, and an off-by-one capped
> > accepted maps at MAX_USED_MAPS.
> >
> > Patches 4-11 are in response to sashiko feedback found here:
> > https://sashiko.dev/#/patchset/20260507191416.2984054-1-bboscaccy%40linux.microsoft.com
> >
> > They provide some correctness fixes in the hornet tooling along with
> > making the selftest behave under cross-compilation and skip cleanly
> > when signing keys / bpftool / vmlinux BTF are unavailable, instead of
> > breaking the global selftest build.
> >
> > Blaise Boscaccy (11):
> > hornet: fix TOCTOU in signed program verification
> > hornet: invert map set check logic
> > hornet: fix off-by-one bug in max used maps check
> > selftests: hornet: handle cross compilation and test skipping
> > hornet: gen_sig: fix off-by-one check for used maps
> > hornet: gen_sig: fix error string allocations
> > hornet: gen_sig: check for bad allocations
> > hornet: gen_sig: fix missing command line switches
> > hornet: scripts: set a non-zero error code for usage
> > hornet: scripts: harden scripts to handle trailing whitespace
> > hornet: scripts: Improve argument handling and error messages
> >
> > Documentation/admin-guide/LSM/Hornet.rst | 39 +++---
> > scripts/hornet/extract-insn.sh | 24 ++--
> > scripts/hornet/extract-map.sh | 25 ++--
> > scripts/hornet/extract-skel.sh | 35 ++++--
> > scripts/hornet/gen_sig.c | 61 ++++++----
> > scripts/hornet/write-sig.sh | 10 +-
> > security/hornet/hornet.asn1 | 1 -
> > security/hornet/hornet_lsm.c | 148 ++++-------------------
> > tools/testing/selftests/hornet/Makefile | 114 +++++++++++++----
> > 9 files changed, 235 insertions(+), 222 deletions(-)
>
> Aside from a possible (?) typo in patch 5/11, this patchset looks okay
> to me so I'm going to merge it to lsm/dev-staging now with the idea of
> moving it to lsm/dev once Blaise provides some clarity on patch-5.
With the typo in 5/11 sorted out, I've gone ahead and moved these
fixes over to lsm/dev. I also took the liberty of adding the
associated 'Fixes:' tags, not critical in this case, but nice to have.
--
paul-moore.com
^ permalink raw reply
* [PATCH] selftests/landlock: explicitly disable audit
From: Maximilian Heyne @ 2026-05-29 20:03 UTC (permalink / raw)
To: stable
Cc: Maximilian Heyne, Mickaël Salaün, Günther Noack,
Shuah Khan, linux-security-module, linux-kselftest, linux-kernel
I'm seeing sporadic selftest failures, such as
# RUN scoped_audit.connect_to_child ...
# scoped_abstract_unix_test.c:314:connect_to_child:Expected 0 (0) == records.access (8)
# connect_to_child: Test failed
# FAIL scoped_audit.connect_to_child
not ok 19 scoped_audit.connect_to_child
This seems similar to what commit 3647a4977fb73d ("selftests/landlock:
Drain stale audit records on init") tried to fix. However, the added
drain loop is not effective. When setting the AUDIT_STATUS_PID, the
kauditd_thread is woken up starting to send messages from the hold queue
to the netlink. Depending on scheduling of this kthread not all messages
might be send via the netlink in the 1 us interval.
Therefore, instead of trying to drain the queue, let's just disable
audit when running non-audit tests or more precisely disable it after
audit-tests. This way we won't generate any new audit message that could
interfere with the other tests.
The comment saying that on process exit audit will be disabled is wrong.
The closed file descriptor just causes an auditd_reset(), not a
disablement. So future messages will be queued in the hold queue.
Cc: stable@vger.kernel.org
Fixes: 6a500b22971c ("selftests/landlock: Add tests for audit flags and domain IDs")
Signed-off-by: Maximilian Heyne <mheyne@amazon.de>
---
I've seen the failures on the 6.18 kernels but haven't tested on latest
upstream. However, I still think this is an issue.
---
tools/testing/selftests/landlock/audit.h | 13 +++++--------
1 file changed, 5 insertions(+), 8 deletions(-)
diff --git a/tools/testing/selftests/landlock/audit.h b/tools/testing/selftests/landlock/audit.h
index 834005b2b0f09..7842330875f53 100644
--- a/tools/testing/selftests/landlock/audit.h
+++ b/tools/testing/selftests/landlock/audit.h
@@ -494,10 +494,9 @@ static int audit_init_filter_exe(struct audit_filter *filter, const char *path)
static int audit_cleanup(int audit_fd, struct audit_filter *filter)
{
struct audit_filter new_filter;
+ int err;
if (audit_fd < 0 || !filter) {
- int err;
-
/*
* Simulates audit_init_with_exe_filter() when called from
* FIXTURE_TEARDOWN_PARENT().
@@ -518,12 +517,10 @@ static int audit_cleanup(int audit_fd, struct audit_filter *filter)
audit_filter_exe(audit_fd, filter, AUDIT_DEL_RULE);
audit_filter_drop(audit_fd, AUDIT_DEL_RULE);
- /*
- * Because audit_cleanup() might not be called by the test auditd
- * process, it might not be possible to explicitly set it. Anyway,
- * AUDIT_STATUS_ENABLED will implicitly be set to 0 when the auditd
- * process will exit.
- */
+ err = audit_set_status(audit_fd, AUDIT_STATUS_ENABLED, 0);
+ if (err)
+ return err;
+
return close(audit_fd);
}
--
2.50.1
Amazon Web Services Development Center Germany GmbH
Tamara-Danz-Str. 13
10243 Berlin
Geschaeftsfuehrung: Christof Hellmis, Andreas Stieger
Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B
Sitz: Berlin
Ust-ID: DE 365 538 597
^ permalink raw reply related
* [syzbot] [lsm?] KASAN: slab-use-after-free Read in security_inode_follow_link
From: syzbot @ 2026-05-29 20:01 UTC (permalink / raw)
To: jmorris, linux-kernel, linux-security-module, paul, serge,
syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: eb3f4b7426cf Merge tag 'nfsd-7.1-2' of git://git.kernel.or..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17dae52e580000
kernel config: https://syzkaller.appspot.com/x/.config?x=8118209836970b54
dashboard link: https://syzkaller.appspot.com/bug?extid=0962e3a1af6d5e26a52c
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14427ed2580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=109e452e580000
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-eb3f4b74.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/1406171f5cf6/vmlinux-eb3f4b74.xz
kernel image: https://storage.googleapis.com/syzbot-assets/19b8bb9b727a/bzImage-eb3f4b74.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+0962e3a1af6d5e26a52c@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-use-after-free in security_inode_follow_link+0x277/0x280 security/security.c:1819
Read of size 4 at addr ffff8880393e0004 by task syz.0.594/8610
CPU: 3 UID: 0 PID: 8610 Comm: syz.0.594 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0x13d/0x4b0 mm/kasan/report.c:482
kasan_report+0xdf/0x1d0 mm/kasan/report.c:595
security_inode_follow_link+0x277/0x280 security/security.c:1819
pick_link+0x433/0x13c0 fs/namei.c:2049
step_into_slowpath+0x9ba/0xf90 fs/namei.c:2123
step_into fs/namei.c:2148 [inline]
walk_component fs/namei.c:2284 [inline]
link_path_walk+0xf28/0x1cc0 fs/namei.c:2652
path_parentat fs/namei.c:2856 [inline]
__filename_parentat+0x213/0x740 fs/namei.c:2880
filename_parentat fs/namei.c:2898 [inline]
filename_unlinkat+0xf7/0x730 fs/namei.c:5537
__do_sys_unlinkat fs/namei.c:5597 [inline]
__se_sys_unlinkat fs/namei.c:5589 [inline]
__x64_sys_unlinkat+0xc0/0x130 fs/namei.c:5589
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f60b0f9ce59
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f60b1dc9028 EFLAGS: 00000246 ORIG_RAX: 0000000000000107
RAX: ffffffffffffffda RBX: 00007f60b1215fa0 RCX: 00007f60b0f9ce59
RDX: 0000000000000000 RSI: 00002000000001c0 RDI: 0000000000000006
RBP: 00007f60b1032d6f R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f60b1216038 R14: 00007f60b1215fa0 R15: 00007ffddfc81a28
</TASK>
Allocated by task 8610:
kasan_save_stack+0x30/0x50 mm/kasan/common.c:57
kasan_save_track+0x14/0x30 mm/kasan/common.c:78
unpoison_slab_object mm/kasan/common.c:340 [inline]
__kasan_slab_alloc+0x89/0x90 mm/kasan/common.c:366
kasan_slab_alloc include/linux/kasan.h:253 [inline]
slab_post_alloc_hook mm/slub.c:4570 [inline]
slab_alloc_node mm/slub.c:4899 [inline]
kmem_cache_alloc_lru_noprof+0x246/0x6e0 mm/slub.c:4918
alloc_inode+0x183/0x250 fs/inode.c:347
new_inode+0x22/0x1c0 fs/inode.c:1179
bpf_get_inode kernel/bpf/inode.c:117 [inline]
bpf_get_inode kernel/bpf/inode.c:102 [inline]
bpf_symlink+0x69/0x240 kernel/bpf/inode.c:391
vfs_symlink fs/namei.c:5643 [inline]
vfs_symlink+0x178/0x4d0 fs/namei.c:5622
filename_symlinkat+0x2a6/0x560 fs/namei.c:5668
__do_sys_symlinkat fs/namei.c:5688 [inline]
__se_sys_symlinkat fs/namei.c:5683 [inline]
__x64_sys_symlinkat+0x9c/0xe0 fs/namei.c:5683
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 8611:
kasan_save_stack+0x30/0x50 mm/kasan/common.c:57
kasan_save_track+0x14/0x30 mm/kasan/common.c:78
kasan_save_free_info+0x3b/0x70 mm/kasan/generic.c:584
poison_slab_object mm/kasan/common.c:253 [inline]
__kasan_slab_free+0x5f/0x80 mm/kasan/common.c:285
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:2689 [inline]
slab_free mm/slub.c:6251 [inline]
kmem_cache_free+0x127/0x6c0 mm/slub.c:6378
destroy_inode+0xcb/0x1c0 fs/inode.c:394
evict+0x599/0xad0 fs/inode.c:865
iput_final fs/inode.c:1960 [inline]
iput.part.0+0x605/0xf50 fs/inode.c:2009
iput+0x35/0x40 fs/inode.c:1975
filename_unlinkat+0x466/0x730 fs/namei.c:5572
__do_sys_unlinkat fs/namei.c:5597 [inline]
__se_sys_unlinkat fs/namei.c:5589 [inline]
__x64_sys_unlinkat+0xc0/0x130 fs/namei.c:5589
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff8880393e0000
which belongs to the cache inode_cache of size 1088
The buggy address is located 4 bytes inside of
freed 1088-byte region [ffff8880393e0000, ffff8880393e0440)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x393e0
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff88803ce9f201
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff888100090000 dead000000000100 dead000000000122
raw: 0000000000000000 00000008001a001a 00000000f5000000 ffff88803ce9f201
head: 00fff00000000040 ffff888100090000 dead000000000100 dead000000000122
head: 0000000000000000 00000008001a001a 00000000f5000000 ffff88803ce9f201
head: 00fff00000000003 fffffffffffffe01 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Reclaimable, gfp_mask 0xd20d0(__GFP_RECLAIMABLE|__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5753, tgid 5753 (syz-execprog), ts 103858448509, free_ts 0
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0xfd/0x120 mm/page_alloc.c:1853
prep_new_page mm/page_alloc.c:1861 [inline]
get_page_from_freelist+0x11a6/0x3410 mm/page_alloc.c:3941
__alloc_frozen_pages_noprof+0x27c/0x2bc0 mm/page_alloc.c:5221
alloc_slab_page mm/slub.c:3278 [inline]
allocate_slab mm/slub.c:3467 [inline]
new_slab+0xa6/0x6c0 mm/slub.c:3525
refill_objects+0x277/0x420 mm/slub.c:7272
refill_sheaf mm/slub.c:2816 [inline]
__pcs_replace_empty_main+0x375/0x650 mm/slub.c:4652
alloc_from_pcs mm/slub.c:4750 [inline]
slab_alloc_node mm/slub.c:4884 [inline]
kmem_cache_alloc_lru_noprof+0x485/0x6e0 mm/slub.c:4918
alloc_inode+0x183/0x250 fs/inode.c:347
iget_locked+0x1d9/0x6d0 fs/inode.c:1474
kernfs_get_inode+0x46/0x470 fs/kernfs/inode.c:252
kernfs_iop_lookup+0x1a7/0x2d0 fs/kernfs/dir.c:1274
lookup_open.isra.0+0x631/0x11b0 fs/namei.c:4484
open_last_lookups fs/namei.c:4611 [inline]
path_openat+0xa98/0x31a0 fs/namei.c:4855
do_file_open+0x20e/0x430 fs/namei.c:4887
do_sys_openat2+0x10d/0x1e0 fs/open.c:1364
do_sys_open fs/open.c:1370 [inline]
__do_sys_openat fs/open.c:1386 [inline]
__se_sys_openat fs/open.c:1381 [inline]
__x64_sys_openat+0x12d/0x210 fs/open.c:1381
page_owner free stack trace missing
Memory state around the buggy address:
ffff8880393dff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8880393dff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880393e0000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880393e0080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880393e0100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
^ permalink raw reply
* [PATCH v3 2/2] selftests/landlock: test SCOPE_SIGNAL on the SIGIO/fowner pgid path
From: hexlabsecurity @ 2026-05-29 19:08 UTC (permalink / raw)
To: Mickaël Salaün
Cc: Justin Suess, gnoack@google.com,
linux-security-module@vger.kernel.org, stable@vger.kernel.org
From 06174d6988915949342c86fe4d1ee210571a2321 Mon Sep 17 00:00:00 2001
From: Bryam Vargas <hexlabsecurity@proton.me>
Date: Fri, 29 May 2026 12:51:27 -0500
Subject: [PATCH v3 2/2] selftests/landlock: test SCOPE_SIGNAL on the
SIGIO/fowner pgid path
Add a regression test for the LANDLOCK_SCOPE_SIGNAL bypass on the
asynchronous SIGIO delivery path. A sandboxed task that owns a file via
fcntl(F_SETOWN, -pgrp) while sitting at the head of its process group's
PID hlist (the default position after fork()) used to have its Landlock
subject capture skipped, letting the SIGIO fan-out reach non-sandboxed
members of the process group.
The test creates a dedicated process group, sandboxes the (hlist-head)
child with LANDLOCK_SCOPE_SIGNAL, arms F_SETSIG(SIGURG) / F_SETOWN(-pgrp)
/ O_ASYNC on a pipe and triggers the fan-out. The in-domain child must
receive the signal (proving the trigger fired); the non-sandboxed parent,
which is outside the child's domain, must not. Without the fix the parent
is signaled and the test fails.
Signed-off-by: Bryam Vargas <hexlabsecurity@proton.me>
---
.../selftests/landlock/scoped_signal_test.c | 97 +++++++++++++++++++
1 file changed, 97 insertions(+)
diff --git a/tools/testing/selftests/landlock/scoped_signal_test.c b/tools/testing/selftests/landlock/scoped_signal_test.c
index d8bf33417619..05151929c263 100644
--- a/tools/testing/selftests/landlock/scoped_signal_test.c
+++ b/tools/testing/selftests/landlock/scoped_signal_test.c
@@ -559,4 +559,101 @@ TEST_F(fown, sigurg_socket)
_metadata->exit_code = KSFT_FAIL;
}
+/*
+ * Checks that LANDLOCK_SCOPE_SIGNAL is enforced on the asynchronous SIGIO
+ * delivery path (fcntl(F_SETOWN)) when the file owner is a process group.
+ *
+ * A sandboxed task sitting at the head of its process group's PID hlist (the
+ * default position right after fork()) used to escape the
+ * fcntl(F_SETOWN, -pgrp) subject capture: pid_task(pgrp, PIDTYPE_PGID)
+ * resolved to the task itself, so the same-thread-group exemption skipped
+ * recording its Landlock domain. At SIGIO time the cached subject was then
+ * empty and the signal fanned out to every group member, including
+ * non-sandboxed tasks outside the domain.
+ */
+TEST(sigio_to_pgid_members)
+{
+ int trigger[2], sync_child[2];
+ char buf;
+ pid_t child;
+ int status, i;
+
+ drop_caps(_metadata);
+
+ /*
+ * Isolates the test in its own process group so the SIGIO fan-out
+ * stays bounded to this parent and the child forked below.
+ */
+ ASSERT_EQ(0, setpgid(0, 0));
+
+ /* The non-sandboxed parent is the protected (out-of-domain) target. */
+ ASSERT_EQ(0, setup_signal_handler(SIGURG));
+ signal_received = 0;
+
+ ASSERT_EQ(0, pipe2(trigger, O_CLOEXEC));
+ ASSERT_EQ(0, pipe2(sync_child, O_CLOEXEC));
+
+ child = fork();
+ ASSERT_LE(0, child);
+ if (child == 0) {
+ /*
+ * The child inherits the parent's new process group and, just
+ * attached with hlist_add_head_rcu(), is now the head of the
+ * pgid hlist: this is the case that used to skip the capture.
+ */
+ EXPECT_EQ(0, close(sync_child[0]));
+
+ /* In-domain positive control: the child must be signaled. */
+ ASSERT_EQ(0, setup_signal_handler(SIGURG));
+ signal_received = 0;
+
+ create_scoped_domain(_metadata, LANDLOCK_SCOPE_SIGNAL);
+
+ /* Owns the SIGIO source for the whole process group. */
+ ASSERT_EQ(0, fcntl(trigger[0], F_SETSIG, SIGURG));
+ ASSERT_EQ(0, fcntl(trigger[0], F_SETOWN, -getpgrp()));
+ ASSERT_EQ(0, fcntl(trigger[0], F_SETFL, O_ASYNC));
+
+ /* Fans SIGURG out to every member of the process group. */
+ ASSERT_EQ(1, write(trigger[1], ".", 1));
+
+ /*
+ * The sandboxed child is in its own domain and must always be
+ * signaled: this proves the SIGIO actually fired.
+ */
+ for (i = 0; i < 1000 && !signal_received; i++)
+ usleep(1000);
+ EXPECT_EQ(1, signal_received);
+
+ ASSERT_EQ(1, write(sync_child[1], ".", 1));
+ EXPECT_EQ(0, close(sync_child[1]));
+
+ _exit(_metadata->exit_code);
+ return;
+ }
+ EXPECT_EQ(0, close(sync_child[1]));
+ EXPECT_EQ(0, close(trigger[0]));
+ EXPECT_EQ(0, close(trigger[1]));
+
+ /* Waits for the child to generate the SIGIO. */
+ ASSERT_EQ(1, read(sync_child[0], &buf, 1));
+ EXPECT_EQ(0, close(sync_child[0]));
+
+ /* Lets a delivered-but-pending signal run our handler, if any. */
+ for (i = 0; i < 100 && !signal_received; i++)
+ usleep(1000);
+
+ /*
+ * SCOPE_SIGNAL must block the fan-out to this non-sandboxed parent,
+ * which is outside the child's Landlock domain. Before the fix the
+ * parent was signaled here.
+ */
+ EXPECT_EQ(0, signal_received);
+
+ ASSERT_EQ(child, waitpid(child, &status, 0));
+ if (WIFSIGNALED(status) || !WIFEXITED(status) ||
+ WEXITSTATUS(status) != EXIT_SUCCESS)
+ _metadata->exit_code = KSFT_FAIL;
+}
+
TEST_HARNESS_MAIN
--
2.43.0
^ permalink raw reply related
* [PATCH v3 1/2] landlock: fix LANDLOCK_SCOPE_SIGNAL bypass via F_SETOWN to invoker's pgid
From: hexlabsecurity @ 2026-05-29 19:07 UTC (permalink / raw)
To: Mickaël Salaün
Cc: Justin Suess, gnoack@google.com,
linux-security-module@vger.kernel.org, stable@vger.kernel.org
From b5fdc79ce1cb2881d59dfed01d3d9170306be9e8 Mon Sep 17 00:00:00 2001
From: Bryam Vargas <hexlabsecurity@proton.me>
Date: Fri, 29 May 2026 12:49:41 -0500
Subject: [PATCH v3 1/2] landlock: fix LANDLOCK_SCOPE_SIGNAL bypass via
F_SETOWN to invoker's pgid
A Landlock-restricted process can bypass LANDLOCK_SCOPE_SIGNAL on the
SIGIO delivery path and deliver arbitrary signals (including SIGKILL via
F_SETSIG) to non-Landlocked targets that share its pgid, by exploiting a
producer-side cache-vs-live evaluation gap.
The SIGIO path in hook_file_send_sigiotask() consults a cached subject
stored in landlock_file(file)->fown_subject at fcntl(F_SETOWN) time
(via hook_file_set_fowner()), instead of evaluating the live Landlock
domain of the invoking task at signal-send time. The capture is gated
by control_current_fowner(), which returns false (skipping capture)
when pid_task(fown->pid, fown->pid_type) is in current's thread group.
This is correct for PIDTYPE_TGID / PIDTYPE_PID, where the target is a
single task sharing current's cred. It is unsafe for PIDTYPE_PGID and
PIDTYPE_SID: when current is at the head of its pgid hlist -- the
default placement after fork(), hlist_add_head_rcu() in kernel/fork.c --
pid_task(pgid, PIDTYPE_PGID) resolves to current itself,
same_thread_group(current, current) is true, the capture is skipped, and
fown_subject.domain stays NULL. hook_file_send_sigiotask() then
short-circuits at "if (!subject->domain) return 0;", letting the kernel
fan the signal out to every member of the group, including tasks outside
current's Landlock domain that SCOPE_SIGNAL is supposed to protect.
The direct kill() path (hook_task_kill) is unaffected: it evaluates
current's live domain on every call. Only the cached SIGIO path is
broken.
Tighten control_current_fowner() to apply the thread-group exemption
only when the target identifies a single task whose Landlock cred is
necessarily shared with current (PIDTYPE_TGID, PIDTYPE_PID). For
PIDTYPE_PGID and PIDTYPE_SID, always capture the current Landlock
subject so the consumer's scope check runs against every member of the
group at delivery time.
Stable kernels before the fown_subject conversion store the domain in
landlock_file(file)->fown_domain; control_current_fowner() is identical
there, so the same exemption and the same fix apply.
Fixes: 18eb75f3af40 ("landlock: Always allow signals between threads of the same process")
Cc: stable@vger.kernel.org
Reported-by: Bryam Vargas <hexlabsecurity@proton.me>
Tested-by: Justin Suess <utilityemal77@gmail.com>
Signed-off-by: Bryam Vargas <hexlabsecurity@proton.me>
---
security/landlock/fs.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/security/landlock/fs.c b/security/landlock/fs.c
index c1ecfe239032..edaa52572cbd 100644
--- a/security/landlock/fs.c
+++ b/security/landlock/fs.c
@@ -1909,6 +1909,18 @@ static bool control_current_fowner(struct fown_struct *const fown)
if (!p)
return true;
+ /*
+ * For PIDTYPE_PGID and PIDTYPE_SID, signal delivery fans out to
+ * every member of the group at SIGIO time. Even when pid_task()
+ * resolves to current itself (e.g., current is the pgid hlist
+ * head post-fork), non-current members of the group are still
+ * valid targets that must be checked by hook_file_send_sigiotask().
+ * Always capture the current subject for those types so the
+ * consumer scope check runs against the live fown_subject.
+ */
+ if (fown->pid_type == PIDTYPE_PGID || fown->pid_type == PIDTYPE_SID)
+ return true;
+
return !same_thread_group(p, current);
}
--
2.43.0
^ permalink raw reply related
* Re: [REPORT] landlock: SCOPE_SIGNAL bypass via F_SETOWN to invoker pgid -> SIGIO/SIGKILL to non-sandboxed targets
From: hexlabsecurity @ 2026-05-29 19:03 UTC (permalink / raw)
To: Mickaël Salaün
Cc: Justin Suess, gnoack@google.com,
linux-security-module@vger.kernel.org, stable@vger.kernel.org
In-Reply-To: <20260529.li6kaiDaim4B@digikod.net>
Hi Mickaël,
> Could you please replace the reproducer code with a proper kselftest?
> That would need to be a new email patch (v3) [...]
Done -- v3 is a two-patch series:
[PATCH v3 1/2] landlock: fix LANDLOCK_SCOPE_SIGNAL bypass via F_SETOWN to invoker's pgid
[PATCH v3 2/2] selftests/landlock: test SCOPE_SIGNAL on the SIGIO/fowner pgid path
Patch 2 replaces the informal reproducer with a regression test in
scoped_signal_test.c, reusing the existing fown/SIGURG idiom. It adds
TEST(sigio_to_pgid_members): a sandboxed child at the head of its pgid hlist
arms F_SETSIG(SIGURG) / F_SETOWN(-pgrp) / O_ASYNC and triggers the fan-out; the
in-domain child must be signaled (positive control) and the non-sandboxed
parent must not.
I also added the Fixes: tag and Cc: stable that v2 was missing:
Fixes: 18eb75f3af40 ("landlock: Always allow signals between threads of the same process")
That is where the same-thread-group exemption on the fowner path was
introduced (v6.15; backported to 6.12.y/6.13.y/6.14.y -- the original v6.12
signal scoping captured the subject unconditionally and was not affected).
The fix hunk itself is unchanged from v1/v2 and keeps Justin's Tested-by.
A/B on 6.12.90 + CONFIG_SECURITY_LANDLOCK (same .config, only the hunk
differs): without patch 1 the new test fails (the parent is signaled); with it
the test passes and the landlock signal-scoping suite is 20/20. checkpatch is
clean except one expected Reported-by/Closes warning -- the original report was
sent to security@kernel.org, so there is no public URL to point Closes: at.
Thanks,
Bryam Vargas
Independent security researcher. HEXLAB SAS (registration pending) -- Cali, Colombia.
This series fixes a LANDLOCK_SCOPE_SIGNAL bypass on the asynchronous SIGIO
(fcntl(F_SETOWN)) delivery path and adds the kselftest requested in review.
Patch 1 narrows the same-thread-group exemption in control_current_fowner()
so that F_SETOWN to a process group (or session) always captures the caller's
Landlock subject. Without it, a sandboxed task at the head of its pgid hlist
(the default position after fork()) skips the capture, and the SIGIO fan-out
reaches non-sandboxed members of the process group, defeating SCOPE_SIGNAL.
The direct kill() path (hook_task_kill) is unaffected.
Patch 2 adds a regression test to scoped_signal_test.c, replacing the informal
reproducer that previously accompanied the fix.
The defect was introduced by commit 18eb75f3af40 ("landlock: Always allow
signals between threads of the same process") in v6.15, and is present in the
stable branches that backported it (6.12.y, 6.13.y, 6.14.y).
control_current_fowner() is identical across those branches, so patch 1 applies
as-is (stable kernels before the fown_subject conversion store the domain in
landlock_file(file)->fown_domain; the exemption and the fix are the same).
A/B verified on 6.12.90 + CONFIG_SECURITY_LANDLOCK (same .config, only the fix
hunk differs):
- without patch 1: the new test fails -- the non-sandboxed parent receives
the signal (SCOPE_SIGNAL bypassed);
- with patch 1: the new test passes, and the whole landlock signal-scoping
suite passes 20/20 (no regression).
v2 -> v3:
- patch 1: add Fixes: tag and Cc: stable; the fix hunk is unchanged from v1/v2.
- patch 2 (new): replace the git-notes reproducer with a kselftest.
- v1/v2 were sent to security@kernel.org (embargoed; not in a public archive).
Bryam Vargas (2):
landlock: fix LANDLOCK_SCOPE_SIGNAL bypass via F_SETOWN to invoker's pgid
selftests/landlock: test SCOPE_SIGNAL on the SIGIO/fowner pgid path
security/landlock/fs.c | 12 +++
.../selftests/landlock/scoped_signal_test.c | 97 +++++++++++++++++++
2 files changed, 109 insertions(+)
base-commit: 27fa82620cbaa89a7fc11ac3057701d598813e87
^ permalink raw reply
* Re: [PATCH 05/11] hornet: gen_sig: fix off-by-one check for used maps
From: Paul Moore @ 2026-05-29 18:54 UTC (permalink / raw)
To: Blaise Boscaccy
Cc: Jonathan Corbet, Shuah Khan, James Morris, Serge E. Hallyn,
Eric Biggers, Fan Wu, James.Bottomley, linux-security-module
In-Reply-To: <87tsrqxfdc.fsf@microsoft.com>
On Fri, May 29, 2026 at 2:03 PM Blaise Boscaccy
<bboscaccy@linux.microsoft.com> wrote:
> Paul Moore <paul@paul-moore.com> writes:
>
> > On Wed, May 27, 2026 at 11:09 PM Blaise Boscaccy
> > <bboscaccy@linux.microsoft.com> wrote:
> >>
> >> A logic bug limited the maximum number of used maps to
> >> MAX_USED_MAPS-1.
> >
> > Should this be MAX_HASHES-1 and not MAX_USED_MAPS-1?
>
> Good eye. Yes that should be MAX_HASHES-1 in the commit message.
Okay, I'll fix that up when merging.
--
paul-moore.com
^ permalink raw reply
* Re: [PATCH 05/11] hornet: gen_sig: fix off-by-one check for used maps
From: Blaise Boscaccy @ 2026-05-29 18:03 UTC (permalink / raw)
To: Paul Moore
Cc: Jonathan Corbet, Shuah Khan, James Morris, Serge E. Hallyn,
Eric Biggers, Fan Wu, James.Bottomley, linux-security-module
In-Reply-To: <CAHC9VhR6G5qmd3kXPas_L_SiJx=6J=wUw80xxL9Eu4=tSjMAoQ@mail.gmail.com>
Paul Moore <paul@paul-moore.com> writes:
> On Wed, May 27, 2026 at 11:09 PM Blaise Boscaccy
> <bboscaccy@linux.microsoft.com> wrote:
>>
>> A logic bug limited the maximum number of used maps to
>> MAX_USED_MAPS-1.
>
> Should this be MAX_HASHES-1 and not MAX_USED_MAPS-1?
>
Good eye. Yes that should be MAX_HASHES-1 in the commit message.
>> Signed-off-by: Blaise Boscaccy <bboscaccy@linux.microsoft.com>
>> ---
>> scripts/hornet/gen_sig.c | 4 ++--
>> 1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/scripts/hornet/gen_sig.c b/scripts/hornet/gen_sig.c
>> index b4f983ab24bcd..4e8caad22f381 100644
>> --- a/scripts/hornet/gen_sig.c
>> +++ b/scripts/hornet/gen_sig.c
>> @@ -317,11 +317,11 @@ int main(int argc, char **argv)
>> data_path = optarg;
>> break;
>> case 'A':
>> - hashes[hash_count].file = optarg;
>> - if (++hash_count >= MAX_HASHES) {
>> + if (hash_count >= MAX_HASHES) {
>> usage(argv[0]);
>> return EXIT_FAILURE;
>> }
>> + hashes[hash_count++].file = optarg;
>> break;
>> default:
>> usage(argv[0]);
>> --
>> 2.53.0
>
> --
> paul-moore.com
^ permalink raw reply
page: next (older) | prev (newer) | latest
- recent:[subjects (threaded)|topics (new)|topics (active)]
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox