From: Al Viro <viro@ftp.linux.org.uk>
To: David Howells <dhowells@redhat.com>
Cc: hch@infradead.org, Trond.Myklebust@netapp.com, sds@tycho.nsa.gov,
casey@schaufler-ca.com, linux-kernel@vger.kernel.org,
selinux@tycho.nsa.gov, linux-security-module@vger.kernel.org
Subject: Re: [PATCH 01/24] CRED: Introduce a COW credentials record
Date: Wed, 26 Sep 2007 19:08:58 +0100 [thread overview]
Message-ID: <20070926180858.GP8181@ftp.linux.org.uk> (raw)
In-Reply-To: <20070926142104.2656.26389.stgit@warthog.procyon.org.uk>
On Wed, Sep 26, 2007 at 03:21:05PM +0100, David Howells wrote:
> To alter the credentials record, a copy must be made. This copy may then be
> altered and then the pointer in the task_struct redirected to it. From that
> point on the new record should be considered immutable.
Umm... Perhaps a better primitive would be "make sure that our cred is
not shared with anybody, creating a copy and redirecting reference to
it if needed".
> In addition, the default setting of i_uid and i_gid to fsuid and fsgid has been
> moved from the callers of new_inode() into new_inode() itself.
I don't think it's safe; better do something trivial like
own_inode(inode)
that would set these (and that's a goot splitup candidate, to go in front
of the series).
FWIW, the main weakness here is the need of update_current_cred()
splattered all over the entry points. Two problems:
a) it's a bug source (somebody adds a syscall and forgets to
add that call / somebody modifies syscall guts and doesn't notice that
it needs to be added).
b) it's almost always doing noting, so being lazier would be
better (event numbers checked in the inlined part, perhaps?)
The former would be more robust if it had been closer to the places where
we get to passing current->cred to functions. The latter... When do
we actually step into this kind of situation (somebody changing keys on
us) and what's the right semantics here? E.g. if it happens in the middle
of long read(), do we want to keep using the original keys?
Comments?
next prev parent reply other threads:[~2007-09-26 18:09 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-09-26 14:20 [PATCH 00/24] Introduce credential record David Howells
2007-09-26 14:21 ` [PATCH 01/24] CRED: Introduce a COW credentials record David Howells
2007-09-26 18:08 ` Al Viro [this message]
2007-09-26 21:08 ` David Howells
2007-09-26 14:21 ` [PATCH 02/24] CRED: Split the task security data and move part of it into struct cred David Howells
2007-09-26 14:21 ` [PATCH 03/24] CRED: Alter security_task_getsecid() and similar to return both task SIDs David Howells
2007-09-26 14:21 ` [PATCH 04/24] CRED: Move the effective capabilities into the cred struct David Howells
2007-09-26 14:21 ` [PATCH 05/24] CRED: Fix up the other credentials references David Howells
2007-09-26 14:21 ` [PATCH 06/24] CRED: Request a credential record for a kernel service David Howells
2007-09-26 14:21 ` [PATCH 07/24] FS-Cache: Release page->private after failed readahead David Howells
2007-09-26 14:21 ` [PATCH 08/24] FS-Cache: Recruit a couple of page flags for cache management David Howells
2007-09-26 14:21 ` [PATCH 09/24] FS-Cache: Provide an add_wait_queue_tail() function David Howells
2007-09-26 14:21 ` [PATCH 10/24] FS-Cache: Generic filesystem caching facility David Howells
2007-09-26 14:21 ` [PATCH 11/24] CacheFiles: Add missing copy_page export for ia64 David Howells
2007-09-26 14:22 ` [PATCH 12/24] CacheFiles: Add a hook to write a single page of data to an inode David Howells
2007-09-26 14:22 ` [PATCH 13/24] CacheFiles: Permit the page lock state to be monitored David Howells
2007-09-26 14:22 ` [PATCH 14/24] CacheFiles: Export things for CacheFiles David Howells
2007-09-26 14:22 ` [PATCH 15/24] CacheFiles: A cache that backs onto a mounted filesystem David Howells
2007-09-26 14:22 ` [PATCH 16/24] NFS: Use local caching David Howells
2007-09-26 14:22 ` [PATCH 17/24] NFS: Configuration and mount option changes to enable local caching on NFS David Howells
2007-09-26 14:22 ` [PATCH 18/24] NFS: Display local caching state David Howells
2007-09-26 14:22 ` [PATCH 19/24] AFS: Add TestSetPageError() David Howells
2007-09-26 14:22 ` [PATCH 20/24] AFS: Add a function to excise a rejected write from the pagecache David Howells
2007-09-26 14:22 ` [PATCH 21/24] AFS: Improve handling of a rejected writeback David Howells
2007-09-26 14:22 ` [PATCH 22/24] AFS: Implement shared-writable mmap David Howells
2007-09-26 14:22 ` [PATCH 23/24] AF_RXRPC: Save the operation ID for debugging David Howells
2007-09-26 14:23 ` [PATCH 24/24] FS-Cache: Make kAFS use FS-Cache David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20070926180858.GP8181@ftp.linux.org.uk \
--to=viro@ftp.linux.org.uk \
--cc=Trond.Myklebust@netapp.com \
--cc=casey@schaufler-ca.com \
--cc=dhowells@redhat.com \
--cc=hch@infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox