From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
To: Peter Maydell <peter.maydell@linaro.org>
Cc: slp@redhat.com, sebastian.hasler@stuvus.uni-stuttgart.de,
qemu-devel@nongnu.org, groug@kaod.org, virtio-fs@redhat.com,
stefanha@redhat.com, vgoyal@redhat.com
Subject: Re: [PULL 09/12] virtiofsd: Create new file with security context
Date: Thu, 7 Apr 2022 13:44:35 +0100 [thread overview]
Message-ID: <Yk7cs6xSImIyDqpZ@work-vm> (raw)
In-Reply-To: <CAFEAcA9m2U2fcUYXpRJwt09UgGqDA2K3BDt1xgXZL63jc1EWEQ@mail.gmail.com>
* Peter Maydell (peter.maydell@linaro.org) wrote:
> On Thu, 17 Feb 2022 at 17:40, Dr. David Alan Gilbert (git)
> <dgilbert@redhat.com> wrote:
> >
> > From: Vivek Goyal <vgoyal@redhat.com>
> >
> > This patch adds support for creating new file with security context
> > as sent by client. It basically takes three paths.
> >
> > - If no security context enabled, then it continues to create files without
> > security context.
> >
> > - If security context is enabled and but security.selinux has not been
> > remapped, then it uses /proc/thread-self/attr/fscreate knob to set
> > security context and then create the file. This will make sure that
> > newly created file gets the security context as set in "fscreate" and
> > this is atomic w.r.t file creation.
> >
> > This is useful and host and guest SELinux policies don't conflict and
> > can work with each other. In that case, guest security.selinux xattr
> > is not remapped and it is passthrough as "security.selinux" xattr
> > on host.
> >
> > - If security context is enabled but security.selinux xattr has been
> > remapped to something else, then it first creates the file and then
> > uses setxattr() to set the remapped xattr with the security context.
> > This is a non-atomic operation w.r.t file creation.
> >
> > This mode will be most versatile and allow host and guest to have their
> > own separate SELinux xattrs and have their own separate SELinux policies.
> >
> > Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
> > Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
> > Message-Id: <20220208204813.682906-9-vgoyal@redhat.com>
> > Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
>
> Hi; Coverity reports some issues (CID 1487142, 1487195), because
> it is not a fan of the error-handling pattern used in this code:
>
> > +static int do_mknod_symlink_secctx(fuse_req_t req, struct lo_inode *dir,
> > + const char *name, const char *secctx_name)
> > +{
> > + int path_fd, err;
> > + char procname[64];
> > + struct lo_data *lo = lo_data(req);
> > +
> > + if (!req->secctx.ctxlen) {
> > + return 0;
> > + }
> > +
> > + /* Open newly created element with O_PATH */
> > + path_fd = openat(dir->fd, name, O_PATH | O_NOFOLLOW);
> > + err = path_fd == -1 ? errno : 0;
> > + if (err) {
> > + return err;
> > + }
>
> We set err based on whether path_fd is -1 or not, but we decide
> whether to early-return based on the value of err. Coverity
> doesn't know that openat() will always set errno to something
> non-zero if it returns -1, so it complains because it thinks
> there's a code path where openat() returns -1, but errno is 0,
> and so we don't take the early-return and instead continue
> through all the code below to the "close(path_fd)", which
> should not be being passed a negative value for the filedescriptor.
>
> I could just mark these as false-positives, but it does seem a bit
> odd that we are using two different conditions here. Perhaps it would
> be better to rephrase? For instance, for the openat() we could write:
>
> path_fd = openat(dir->fd, name, O_PATH | O_NOFOLLOW);
> if (path_fd == -1) {
> return errno;
> }
That looks OK to me; please send a patch.
Some of the cases look like they need to just be a little careful that
'err' always gets set to 0 if there are later cases that might set err.
Dave
> and similarly for the openat() in open_set_proc_fscreate().
>
> > + sprintf(procname, "%i", path_fd);
> > + FCHDIR_NOFAIL(lo->proc_self_fd);
> > + /* Set security context. This is not atomic w.r.t file creation */
> > + err = setxattr(procname, secctx_name, req->secctx.ctx, req->secctx.ctxlen,
> > + 0);
> > + if (err) {
> > + err = errno;
> > + }
>
> > + FCHDIR_NOFAIL(lo->root.fd);
> > + close(path_fd);
> > + return err;
> > +}
>
> thanks
> -- PMM
>
--
Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK
next prev parent reply other threads:[~2022-04-07 12:46 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-02-17 17:24 [PULL 00/12] virtiofs queue Dr. David Alan Gilbert (git)
2022-02-17 17:24 ` [PULL 01/12] virtiofsd: Do not support blocking flock Dr. David Alan Gilbert (git)
2022-02-17 17:24 ` [PULL 02/12] virtiofsd: Fix breakage due to fuse_init_in size change Dr. David Alan Gilbert (git)
2022-02-17 17:24 ` [PULL 03/12] linux-headers: Update headers to v5.17-rc1 Dr. David Alan Gilbert (git)
2022-02-17 17:24 ` [PULL 04/12] virtiofsd: Parse extended "struct fuse_init_in" Dr. David Alan Gilbert (git)
2022-02-17 17:24 ` [PULL 05/12] virtiofsd: Extend size of fuse_conn_info->capable and ->want fields Dr. David Alan Gilbert (git)
2022-02-17 17:24 ` [PULL 06/12] virtiofsd, fuse_lowlevel.c: Add capability to parse security context Dr. David Alan Gilbert (git)
2022-02-17 17:24 ` [PULL 07/12] virtiofsd: Move core file creation code in separate function Dr. David Alan Gilbert (git)
2022-02-17 17:24 ` [PULL 08/12] virtiofsd: Add helpers to work with /proc/self/task/tid/attr/fscreate Dr. David Alan Gilbert (git)
2022-02-17 17:24 ` [PULL 09/12] virtiofsd: Create new file with security context Dr. David Alan Gilbert (git)
2022-04-07 10:20 ` Peter Maydell
2022-04-07 12:44 ` Dr. David Alan Gilbert [this message]
2022-04-07 13:09 ` Vivek Goyal
2022-02-17 17:24 ` [PULL 10/12] virtiofsd: Create new file using O_TMPFILE and set " Dr. David Alan Gilbert (git)
2022-02-17 17:24 ` [PULL 11/12] virtiofsd: Add an option to enable/disable security label Dr. David Alan Gilbert (git)
2022-02-17 17:25 ` [PULL 12/12] virtiofsd: Add basic support for FUSE_SYNCFS request Dr. David Alan Gilbert (git)
2022-02-20 15:05 ` [PULL 00/12] virtiofs queue Peter Maydell
-- strict thread matches above, loose matches on Subject: below --
2022-02-17 14:23 Dr. David Alan Gilbert (git)
2022-02-17 14:23 ` [PULL 09/12] virtiofsd: Create new file with security context Dr. David Alan Gilbert (git)
2022-02-16 17:36 [PULL 00/12] virtiofs queue Dr. David Alan Gilbert (git)
2022-02-16 17:36 ` [PULL 09/12] virtiofsd: Create new file with security context Dr. David Alan Gilbert (git)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Yk7cs6xSImIyDqpZ@work-vm \
--to=dgilbert@redhat.com \
--cc=groug@kaod.org \
--cc=peter.maydell@linaro.org \
--cc=qemu-devel@nongnu.org \
--cc=sebastian.hasler@stuvus.uni-stuttgart.de \
--cc=slp@redhat.com \
--cc=stefanha@redhat.com \
--cc=vgoyal@redhat.com \
--cc=virtio-fs@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).