Hello,
I would like to request the backport of the commit below to address a kernel panic in ocfs2 that was identified by Valentin Vidić in this thread:
https://lore.kernel.org/linux-security-module/20230401214151.1243189-1-vvidi...
While Valentin provides his own patch in the original message, the preferred patch is one that went up to Linus during the last merge window; Valentin has tested the patch and confirmed that it resolved the reported problem.
commit de3004c874e740304cc4f4a83d6200acb511bbda Author: Roberto Sassu roberto.sassu@huawei.com Date: Tue Mar 14 09:17:16 2023 +0100
ocfs2: Switch to security_inode_init_security()
In preparation for removing security_old_inode_init_security(), switch to security_inode_init_security().
Extend the existing ocfs2_initxattrs() to take the ocfs2_security_xattr_info structure from fs_info, and populate the name/value/len triple with the first xattr provided by LSMs.
As fs_info was not used before, ocfs2_initxattrs() can now handle the case of replicating the behavior of security_old_inode_init_security(), i.e. just obtaining the xattr, in addition to setting all xattrs provided by LSMs.
Supporting multiple xattrs is not currently supported where security_old_inode_init_security() was called (mknod, symlink), as it requires non-trivial changes that can be done at a later time. Like for reiserfs, even if EVM is invoked, it will not provide an xattr (if it is not the first to set it, its xattr will be discarded; if it is the first, it does not have xattrs to calculate the HMAC on).
Finally, since security_inode_init_security(), unlike security_old_inode_init_security(), returns zero instead of -EOPNOTSUPP if no xattrs were provided by LSMs or if inodes are private, additionally check in ocfs2_init_security_get() if the xattr name is set.
If not, act as if security_old_inode_init_security() returned -EOPNOTSUPP, and set si->enable to zero to notify to the functions following ocfs2_init_security_get() that no xattrs are available.
Signed-off-by: Roberto Sassu roberto.sassu@huawei.com Reviewed-by: Casey Schaufler casey@schaufler-ca.com Acked-by: Joseph Qi joseph.qi@linux.alibaba.com Reviewed-by: Mimi Zohar zohar@linux.ibm.com Signed-off-by: Paul Moore paul@paul-moore.com