[PATCH V32 27/27] tracefs: Restrict tracefs when the kernel is locked down

Steven Rostedt rostedt at goodmis.org
Thu Apr 4 13:39:07 UTC 2019


On Wed,  3 Apr 2019 17:32:49 -0700
Matthew Garrett <matthewgarrett at google.com> wrote:


> +static void tracefs_destroy_inode(struct inode *inode)
> +{
> +	if S_ISREG(inode->i_mode)

Can we please put parenthesis around the condition. I know that the
macro has them, but no other place in the kernel plays such a trick.

	if (S_ISREG(inode->i_mode))

Other than that, the rest looks good.

Reviewed-by: Steven Rostedt (VMware) <rostedt at goodmis.org>

-- Steve

> +		kfree(inode->i_fop);
> +}
> +
>  static int tracefs_remount(struct super_block *sb, int *flags, char *data)
>  {
>  	int err;
> @@ -260,6 +288,7 @@ static int tracefs_show_options(struct seq_file *m, struct dentry *root)
>  
>  static const struct super_operations tracefs_super_operations = {
>  	.statfs		= simple_statfs,
> +	.destroy_inode  = tracefs_destroy_inode,
>  	.remount_fs	= tracefs_remount,
>  	.show_options	= tracefs_show_options,
>  };
> @@ -393,6 +422,7 @@ struct dentry *tracefs_create_file(const char *name, umode_t mode,
>  {
>  	struct dentry *dentry;
>  	struct inode *inode;
> +	struct file_operations *proxy_fops;
>  
>  	if (!(mode & S_IFMT))
>  		mode |= S_IFREG;
> @@ -406,8 +436,16 @@ struct dentry *tracefs_create_file(const char *name, umode_t mode,
>  	if (unlikely(!inode))
>  		return failed_creating(dentry);
>  
> +	proxy_fops = kzalloc(sizeof(struct file_operations), GFP_KERNEL);
> +	if (!proxy_fops)
> +		return failed_creating(dentry);
> +
> +	dentry->d_fsdata = fops ? (void *)fops :
> +		(void *)&tracefs_file_operations;
> +	memcpy(proxy_fops, dentry->d_fsdata, sizeof(struct file_operations));
> +	proxy_fops->open = default_open_file;
>  	inode->i_mode = mode;
> -	inode->i_fop = fops ? fops : &tracefs_file_operations;
> +	inode->i_fop = proxy_fops;
>  	inode->i_private = data;
>  	d_instantiate(dentry, inode);
>  	fsnotify_create(dentry->d_parent->d_inode, dentry);



More information about the Linux-security-module-archive mailing list