On 7/19/2024 10:08 AM, Paul Moore wrote:
On Jul 11, 2024 Xu Kuohai xukuohai@huaweicloud.com wrote:
To be consistent with most LSM hooks, convert the return value of hook inode_need_killpriv to 0 or a negative error code.
Before:
- Both hook inode_need_killpriv and func security_inode_need_killpriv return > 0 if security_inode_killpriv is required, 0 if not, and < 0 to abort the operation.
After:
- Both hook inode_need_killpriv and func security_inode_need_killpriv return 0 on success and a negative error code on failure. On success, hook inode_need_killpriv sets output param @need to true if security_inode_killpriv is required, and false if not. When @need is true, func security_inode_need_killpriv sets ATTR_KILL_PRIV flag in @attr; when false, it clears the flag. On failure, @need and @attr remains unchanged.
Signed-off-by: Xu Kuohai xukuohai@huawei.com
fs/attr.c | 5 ++--- fs/inode.c | 4 +--- include/linux/lsm_hook_defs.h | 2 +- include/linux/security.h | 20 ++++++++++++++++---- security/commoncap.c | 12 ++++++++---- security/security.c | 29 ++++++++++++++++++++++++----- 6 files changed, 52 insertions(+), 20 deletions(-)
In general I think a lot of these changes are a good improvement, thank you very much for the time and effort you've spent on this. However, I'm not in favor of passing the new hook parameter as a way of reducing the number of states represented by the security_inode_killpriv() return value. This particular hook may need to remain as one of the odd special cases.
I learned from previous discussions [1] to use a new output parameter to store odd return values. Actually, I am not in favor of this method either, especially since it requires extra work to enable BPF to access the output parameter. I think we could just keep it as-is.
[1] https://lore.kernel.org/bpf/CAHC9VhQ_sTmoXwQ_AVfjTYQe4KR-uTnksPVfsei5JZ+VDJB...