[GIT PULL] security changes for v6.9-rc3

Al Viro viro at zeniv.linux.org.uk
Tue Apr 2 22:42:30 UTC 2024


On Tue, Apr 02, 2024 at 05:36:30PM -0400, Paul Moore wrote:

> >         1) location of that hook is wrong.  It's really "how do we catch
> > file creation that does not come through open() - yes, you can use
> > mknod(2) for that".  It should've been after the call of vfs_create(),
> > not the entire switch.  LSM folks have a disturbing fondness of inserting
> > hooks in various places, but IMO this one has no business being where
> > they'd placed it.
> 
> I know it's everyone's favorite hobby to bash the LSM and LSM devs,
> but it's important to note that we don't add hooks without working
> with the associated subsystem devs to get approval.  In the cases
> where we don't get an explicit ACK, there is an on-list approval, or
> several ignored on-list attempts over weeks/months/years.  We want to
> be good neighbors.
> 
> Roberto's original patch which converted from the IMA/EVM hook to the
> LSM hook was ACK'd by the VFS folks.
> 
> Regardless, Roberto if it isn't obvious by now, just move the hook
> back to where it was prior to v6.9-rc1.

The root cause is in the too vague documentation - it's very easy to
misread as "->mknod() must call d_instantiate()", so the authors of
that patchset and reviewers of the same had missed the subtlety
involved.  No arguments about that.

Unkind comments about the LSM folks' tendency to shove hooks in
places where they make no sense had been brought by many things,
the most recent instance being this:
	However, I thought, since we were promoting it as an LSM hook,
	we should be as generic possible, and support more usages than
	what was needed for IMA.
(https://lore.kernel.org/all/3441a4a1140944f5b418b70f557bca72@huawei.com/)

I'm not blaming Roberto - that really seems to be the general attitude
around LSM;  I've seen a _lot_ of "it doesn't matter if it makes any sense,
somebody might figure out some use for the data we have at that point in
control flow, eventually if not now" kind of responses over the years.
IME asking what this or that hook is for and what it expects from the objects
passed to it gets treated as invalid question.  Which invites treating
hooks as black boxes...



More information about the Linux-security-module-archive mailing list