[PATCH v2 0/3] sysfs: Refine is_visible API

[PATCH v2 0/3] sysfs: Refine is_visible API

[Vivien Didelot]

Up to now, is_visible can only be used to either remove visibility
of a file entirely or to add permissions, but not to reduce permissions.
This makes it impossible, for example, to use DEVICE_ATTR_RW to define
file attributes and reduce permissions to read-only.

This behavior is undesirable and unnecessarily complicates code which
needs to reduce permissions; instead of just returning the desired
permissions, it has to ensure that the permissions in the attribute
variable declaration only reflect the minimal permissions ever needed.

Change semantics of is_visible to only use the permissions returned
from it instead of oring the returned value with the hard-coded
permissions.

The code now dumps a warning to the console if an is_visible function
returns unexpected permissions.

Also document struct attribute_group.

Tested with v3.19-rc5.

v2: This patchset, originally from Guenter, includes the fixup for the
patch 2/3 discussed in the thread https://lkml.org/lkml/2015/1/20/877,
that is limiting the scope of attributes to SYSFS_PREALLOC | 0664, since
we want to avoid executable and world-writable sysfs files as well.

Rebased onto v4.0-rc3.

Guenter Roeck (2):
  sysfs: Use only return value from is_visible for the file mode
  sysfs: Document struct attribute_group

Vivien Didelot (1):
  sysfs: Only accept read/write permissions for file attributes

 fs/sysfs/group.c      | 11 ++++++++---
 include/linux/sysfs.h | 15 +++++++++++++++
 2 files changed, 23 insertions(+), 3 deletions(-)

-- 
2.3.2

[PATCH v2 1/3] sysfs: Use only return value from is_visible for the file mode

[Vivien Didelot]

From: Guenter Roeck <linux@roeck-us.net>

Up to now, is_visible can only be used to either remove visibility
of a file entirely or to add permissions, but not to reduce permissions.
This makes it impossible, for example, to use DEVICE_ATTR_RW to define
file attributes and reduce permissions to read-only.

This behavior is undesirable and unnecessarily complicates code which
needs to reduce permissions; instead of just returning the desired
permissions, it has to ensure that the permissions in the attribute
variable declaration only reflect the minimal permissions ever needed.

Change semantics of is_visible to only use the permissions returned
from it instead of oring the returned value with the hard-coded
permissions.

Cc: Vivien Didelot <vivien.didelot@savoirfairelinux.com>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
---
 fs/sysfs/group.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/fs/sysfs/group.c b/fs/sysfs/group.c
index 2554d88..3fdccd9 100644
--- a/fs/sysfs/group.c
+++ b/fs/sysfs/group.c
@@ -41,7 +41,7 @@ static int create_files(struct kernfs_node *parent, struct kobject *kobj,
 
 	if (grp->attrs) {
 		for (i = 0, attr = grp->attrs; *attr && !error; i++, attr++) {
-			umode_t mode = 0;
+			umode_t mode = (*attr)->mode;
 
 			/*
 			 * In update mode, we're changing the permissions or
@@ -56,8 +56,7 @@ static int create_files(struct kernfs_node *parent, struct kobject *kobj,
 					continue;
 			}
 			error = sysfs_add_file_mode_ns(parent, *attr, false,
-						       (*attr)->mode | mode,
-						       NULL);
+						       mode, NULL);
 			if (unlikely(error))
 				break;
 		}
-- 
2.3.2

Re: [PATCH v2 1/3] sysfs: Use only return value from is_visible for the file mode

[Greg Kroah-Hartman]

On Wed, Mar 11, 2015 at 02:22:09PM -0400, Vivien Didelot wrote:
> From: Guenter Roeck <linux@roeck-us.net>
> 
> Up to now, is_visible can only be used to either remove visibility
> of a file entirely or to add permissions, but not to reduce permissions.
> This makes it impossible, for example, to use DEVICE_ATTR_RW to define
> file attributes and reduce permissions to read-only.
> 
> This behavior is undesirable and unnecessarily complicates code which
> needs to reduce permissions; instead of just returning the desired
> permissions, it has to ensure that the permissions in the attribute
> variable declaration only reflect the minimal permissions ever needed.
> 
> Change semantics of is_visible to only use the permissions returned
> from it instead of oring the returned value with the hard-coded
> permissions.
> 
> Cc: Vivien Didelot <vivien.didelot@savoirfairelinux.com>
> Signed-off-by: Guenter Roeck <linux@roeck-us.net>
> ---
>  fs/sysfs/group.c | 5 ++---
>  1 file changed, 2 insertions(+), 3 deletions(-)

Why have you not signed off on this patch if you sent it to me?  Don't
you agree with it?

thanks,

greg k-h

[PATCH v2 2/3] sysfs: Only accept read/write permissions for file attributes

[Vivien Didelot]

For sysfs file attributes, only read and write permissions make sense.
Mask provided attribute permissions accordingly and send a warning
to the console if invalid permission bits are set.

This patch is originally from Guenter [1] and includes the fixup
explained in the thread, that is printing permissions in octal format
and limiting the scope of attributes to SYSFS_PREALLOC | 0664.

[1] https://lkml.org/lkml/2015/1/19/599

Cc: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Vivien Didelot <vivien.didelot@savoirfairelinux.com>
---
 fs/sysfs/group.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/fs/sysfs/group.c b/fs/sysfs/group.c
index 3fdccd9..b400c04 100644
--- a/fs/sysfs/group.c
+++ b/fs/sysfs/group.c
@@ -55,6 +55,12 @@ static int create_files(struct kernfs_node *parent, struct kobject *kobj,
 				if (!mode)
 					continue;
 			}
+
+			WARN(mode & ~(SYSFS_PREALLOC | 0664),
+			     "Attribute %s: Invalid permissions 0%o\n",
+			     (*attr)->name, mode);
+
+			mode &= SYSFS_PREALLOC | 0664;
 			error = sysfs_add_file_mode_ns(parent, *attr, false,
 						       mode, NULL);
 			if (unlikely(error))
-- 
2.3.2

Re: [PATCH v2 2/3] sysfs: Only accept read/write permissions for file attributes

[Guenter Roeck]

On 03/11/2015 11:22 AM, Vivien Didelot wrote:
> For sysfs file attributes, only read and write permissions make sense.
> Mask provided attribute permissions accordingly and send a warning
> to the console if invalid permission bits are set.
>
> This patch is originally from Guenter [1] and includes the fixup
> explained in the thread, that is printing permissions in octal format
> and limiting the scope of attributes to SYSFS_PREALLOC | 0664.
>
> [1] https://lkml.org/lkml/2015/1/19/599
>
> Cc: Guenter Roeck <linux@roeck-us.net>
> Signed-off-by: Vivien Didelot <vivien.didelot@savoirfairelinux.com>

Reviewed-by: Guenter Roeck <linux@roeck-us.net>

> ---
>   fs/sysfs/group.c | 6 ++++++
>   1 file changed, 6 insertions(+)
>
> diff --git a/fs/sysfs/group.c b/fs/sysfs/group.c
> index 3fdccd9..b400c04 100644
> --- a/fs/sysfs/group.c
> +++ b/fs/sysfs/group.c
> @@ -55,6 +55,12 @@ static int create_files(struct kernfs_node *parent, struct kobject *kobj,
>   				if (!mode)
>   					continue;
>   			}
> +
> +			WARN(mode & ~(SYSFS_PREALLOC | 0664),
> +			     "Attribute %s: Invalid permissions 0%o\n",
> +			     (*attr)->name, mode);
> +
> +			mode &= SYSFS_PREALLOC | 0664;
>   			error = sysfs_add_file_mode_ns(parent, *attr, false,
>   						       mode, NULL);
>   			if (unlikely(error))
>

Re: [PATCH v2 2/3] sysfs: Only accept read/write permissions for file attributes

[Greg Kroah-Hartman]

On Wed, Mar 11, 2015 at 02:22:10PM -0400, Vivien Didelot wrote:
> For sysfs file attributes, only read and write permissions make sense.
> Mask provided attribute permissions accordingly and send a warning
> to the console if invalid permission bits are set.
> 
> This patch is originally from Guenter [1] and includes the fixup
> explained in the thread, that is printing permissions in octal format
> and limiting the scope of attributes to SYSFS_PREALLOC | 0664.
> 
> [1] https://lkml.org/lkml/2015/1/19/599
> 
> Cc: Guenter Roeck <linux@roeck-us.net>
> Signed-off-by: Vivien Didelot <vivien.didelot@savoirfairelinux.com>
> ---
>  fs/sysfs/group.c | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/fs/sysfs/group.c b/fs/sysfs/group.c
> index 3fdccd9..b400c04 100644
> --- a/fs/sysfs/group.c
> +++ b/fs/sysfs/group.c
> @@ -55,6 +55,12 @@ static int create_files(struct kernfs_node *parent, struct kobject *kobj,
>  				if (!mode)
>  					continue;
>  			}
> +
> +			WARN(mode & ~(SYSFS_PREALLOC | 0664),
> +			     "Attribute %s: Invalid permissions 0%o\n",
> +			     (*attr)->name, mode);
> +
> +			mode &= SYSFS_PREALLOC | 0664;

How does a "normal" boot look with this warning in place?  There still
seem to be a number of files in sysfs that might trigger this.

Also, we have a build-time warning if a sysfs file is this type of
attribute, shouldn't we just rely on that instead of this run-time
warning?

thanks,

greg k-h

Re: [PATCH v2 2/3] sysfs: Only accept read/write permissions for file attributes

[Guenter Roeck]

On 03/12/2015 03:01 AM, Greg Kroah-Hartman wrote:
> On Wed, Mar 11, 2015 at 02:22:10PM -0400, Vivien Didelot wrote:
>> For sysfs file attributes, only read and write permissions make sense.
>> Mask provided attribute permissions accordingly and send a warning
>> to the console if invalid permission bits are set.
>>
>> This patch is originally from Guenter [1] and includes the fixup
>> explained in the thread, that is printing permissions in octal format
>> and limiting the scope of attributes to SYSFS_PREALLOC | 0664.
>>
>> [1] https://lkml.org/lkml/2015/1/19/599
>>
>> Cc: Guenter Roeck <linux@roeck-us.net>
>> Signed-off-by: Vivien Didelot <vivien.didelot@savoirfairelinux.com>
>> ---
>>   fs/sysfs/group.c | 6 ++++++
>>   1 file changed, 6 insertions(+)
>>
>> diff --git a/fs/sysfs/group.c b/fs/sysfs/group.c
>> index 3fdccd9..b400c04 100644
>> --- a/fs/sysfs/group.c
>> +++ b/fs/sysfs/group.c
>> @@ -55,6 +55,12 @@ static int create_files(struct kernfs_node *parent, struct kobject *kobj,
>>   				if (!mode)
>>   					continue;
>>   			}
>> +
>> +			WARN(mode & ~(SYSFS_PREALLOC | 0664),
>> +			     "Attribute %s: Invalid permissions 0%o\n",
>> +			     (*attr)->name, mode);
>> +
>> +			mode &= SYSFS_PREALLOC | 0664;
>
> How does a "normal" boot look with this warning in place?  There still
> seem to be a number of files in sysfs that might trigger this.
>
I was under the impression that they all were addressed, but I may have
missed some pattern(s). Can you point me to an example, by any chance ?

> Also, we have a build-time warning if a sysfs file is this type of
> attribute, shouldn't we just rely on that instead of this run-time
> warning?
>

The mode value can be returned from an is_visible function, and even if not
there is no guarantee that the build-time warning triggers (attribute lists
can be generated manually, for example).

Thanks,
Guenter

Re: [PATCH v2 2/3] sysfs: Only accept read/write permissions for file attributes

[Vivien Didelot]

Hi Greg, Guenter,

> On 03/12/2015 03:01 AM, Greg Kroah-Hartman wrote:
> > On Wed, Mar 11, 2015 at 02:22:10PM -0400, Vivien Didelot wrote:
> >> For sysfs file attributes, only read and write permissions make sense.
> >> Mask provided attribute permissions accordingly and send a warning
> >> to the console if invalid permission bits are set.
> >>
> >> This patch is originally from Guenter [1] and includes the fixup
> >> explained in the thread, that is printing permissions in octal format
> >> and limiting the scope of attributes to SYSFS_PREALLOC | 0664.
> >>
> >> [1] https://lkml.org/lkml/2015/1/19/599
> >>
> >> Cc: Guenter Roeck <linux@roeck-us.net>
> >> Signed-off-by: Vivien Didelot <vivien.didelot@savoirfairelinux.com>
> >> ---
> >>   fs/sysfs/group.c | 6 ++++++
> >>   1 file changed, 6 insertions(+)
> >>
> >> diff --git a/fs/sysfs/group.c b/fs/sysfs/group.c
> >> index 3fdccd9..b400c04 100644
> >> --- a/fs/sysfs/group.c
> >> +++ b/fs/sysfs/group.c
> >> @@ -55,6 +55,12 @@ static int create_files(struct kernfs_node *parent,
> >> struct kobject *kobj,
> >>   				if (!mode)
> >>   					continue;
> >>   			}
> >> +
> >> +			WARN(mode & ~(SYSFS_PREALLOC | 0664),
> >> +			     "Attribute %s: Invalid permissions 0%o\n",
> >> +			     (*attr)->name, mode);
> >> +
> >> +			mode &= SYSFS_PREALLOC | 0664;
> >
> > How does a "normal" boot look with this warning in place?  There still
> > seem to be a number of files in sysfs that might trigger this.
> >
> I was under the impression that they all were addressed, but I may have
> missed some pattern(s). Can you point me to an example, by any chance ?

Same here, given https://lkml.org/lkml/2015/1/20/584, it looked like only
hid-lg4ff had executable attributes (which has been fixed) and a few attributes
in pci-sysfs have write access to group, but this doesn't trigger the warning.

> > Also, we have a build-time warning if a sysfs file is this type of
> > attribute, shouldn't we just rely on that instead of this run-time
> > warning?
> >
> 
> The mode value can be returned from an is_visible function, and even if not
> there is no guarantee that the build-time warning triggers (attribute lists
> can be generated manually, for example).

Indeed, as mentioned in the previous thread https://lkml.org/lkml/2015/1/20/877
the build-time macro VERIFY_OCTAL_PERMISSIONS() is not enough since an
attribute mode can be changed at run-time (a run-time equivalent of this macro
can be added in a future patch, if necessary).

Thanks Greg for the Signed-off reminders for 1/3 and 3/3. A v3 with them
is ready to be sent, if you are ok with the patchset.

Thanks,
-v

Re: [PATCH v2 2/3] sysfs: Only accept read/write permissions for file attributes

[Greg Kroah-Hartman]

On Thu, Mar 12, 2015 at 03:39:04AM -0700, Guenter Roeck wrote:
> On 03/12/2015 03:01 AM, Greg Kroah-Hartman wrote:
> >On Wed, Mar 11, 2015 at 02:22:10PM -0400, Vivien Didelot wrote:
> >>For sysfs file attributes, only read and write permissions make sense.
> >>Mask provided attribute permissions accordingly and send a warning
> >>to the console if invalid permission bits are set.
> >>
> >>This patch is originally from Guenter [1] and includes the fixup
> >>explained in the thread, that is printing permissions in octal format
> >>and limiting the scope of attributes to SYSFS_PREALLOC | 0664.
> >>
> >>[1] https://lkml.org/lkml/2015/1/19/599
> >>
> >>Cc: Guenter Roeck <linux@roeck-us.net>
> >>Signed-off-by: Vivien Didelot <vivien.didelot@savoirfairelinux.com>
> >>---
> >>  fs/sysfs/group.c | 6 ++++++
> >>  1 file changed, 6 insertions(+)
> >>
> >>diff --git a/fs/sysfs/group.c b/fs/sysfs/group.c
> >>index 3fdccd9..b400c04 100644
> >>--- a/fs/sysfs/group.c
> >>+++ b/fs/sysfs/group.c
> >>@@ -55,6 +55,12 @@ static int create_files(struct kernfs_node *parent, struct kobject *kobj,
> >>  				if (!mode)
> >>  					continue;
> >>  			}
> >>+
> >>+			WARN(mode & ~(SYSFS_PREALLOC | 0664),
> >>+			     "Attribute %s: Invalid permissions 0%o\n",
> >>+			     (*attr)->name, mode);
> >>+
> >>+			mode &= SYSFS_PREALLOC | 0664;
> >
> >How does a "normal" boot look with this warning in place?  There still
> >seem to be a number of files in sysfs that might trigger this.
> >
> I was under the impression that they all were addressed, but I may have
> missed some pattern(s). Can you point me to an example, by any chance ?

Ah, nevermind, they seem to have all been fixed up.

> >Also, we have a build-time warning if a sysfs file is this type of
> >attribute, shouldn't we just rely on that instead of this run-time
> >warning?
> >
> 
> The mode value can be returned from an is_visible function, and even if not
> there is no guarantee that the build-time warning triggers (attribute lists
> can be generated manually, for example).

You are correct, sorry, I missed that, nevermind again.  Once Vivien
fixes up the signed-off-by stuff here, I'll be glad to queue them up.

thanks,

greg k-h

[PATCH v2 3/3] sysfs: Document struct attribute_group

[Vivien Didelot]

From: Guenter Roeck <linux@roeck-us.net>

Document variables defined in struct attribute_group to ensure
correct usage.

Signed-off-by: Guenter Roeck <linux@roeck-us.net>
---
 include/linux/sysfs.h | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/include/linux/sysfs.h b/include/linux/sysfs.h
index ddad161..99382c0 100644
--- a/include/linux/sysfs.h
+++ b/include/linux/sysfs.h
@@ -57,6 +57,21 @@ do {							\
 #define sysfs_attr_init(attr) do {} while (0)
 #endif
 
+/**
+ * struct attribute_group - data structure used to declare an attribute group.
+ * @name:	Optional: Attribute group name
+ *		If specified, the attribute group will be created in
+ *		a new subdirectory with this name.
+ * @is_visible:	Optional: Function to return permissions associated with an
+ *		attribute of the group. Will be called repeatedly for each
+ *		attribute in the group. Only read/write permissions as well as
+ *		SYSFS_PREALLOC are accepted. Must return 0 if an attribute is
+ *		not visible. The returned value will replace static permissions
+ *		defined in struct attribute or struct bin_attribute.
+ * @attrs:	Pointer to NULL terminated list of attributes.
+ * @bin_attrs:	Pointer to NULL terminated list of binary attributes.
+ *		Either attrs or bin_attrs or both must be provided.
+ */
 struct attribute_group {
 	const char		*name;
 	umode_t			(*is_visible)(struct kobject *,
-- 
2.3.2

Re: [PATCH v2 3/3] sysfs: Document struct attribute_group

[Greg Kroah-Hartman]

On Wed, Mar 11, 2015 at 02:22:11PM -0400, Vivien Didelot wrote:
> From: Guenter Roeck <linux@roeck-us.net>
> 
> Document variables defined in struct attribute_group to ensure
> correct usage.
> 
> Signed-off-by: Guenter Roeck <linux@roeck-us.net>
> ---
>  include/linux/sysfs.h | 15 +++++++++++++++
>  1 file changed, 15 insertions(+)

Same here, please add your signed-off-by if you think it is ok,
otherwise you shouldn't be sending it to me :)

thanks,

greg k-h