[PATCH v4 2/20] lsm: Refactor return value of LSM hook inode_need_killpriv

Xu Kuohai xukuohai at huaweicloud.com
Sat Jul 20 09:27:56 UTC 2024 

On 7/19/2024 10:08 AM, Paul Moore wrote:
> On Jul 11, 2024 Xu Kuohai <xukuohai at huaweicloud.com> wrote:
>>
>> To be consistent with most LSM hooks, convert the return value of
>> hook inode_need_killpriv to 0 or a negative error code.
>>
>> Before:
>> - Both hook inode_need_killpriv and func security_inode_need_killpriv
>>    return > 0 if security_inode_killpriv is required, 0 if not, and < 0
>>    to abort the operation.
>>
>> After:
>> - Both hook inode_need_killpriv and func security_inode_need_killpriv
>>    return 0 on success and a negative error code on failure.
>>    On success, hook inode_need_killpriv sets output param @need to true
>>    if security_inode_killpriv is required, and false if not. When @need
>>    is true, func security_inode_need_killpriv sets ATTR_KILL_PRIV flag
>>    in @attr; when false, it clears the flag.
>>    On failure, @need and @attr remains unchanged.
>>
>> Signed-off-by: Xu Kuohai <xukuohai at huawei.com>
>> ---
>>   fs/attr.c                     |  5 ++---
>>   fs/inode.c                    |  4 +---
>>   include/linux/lsm_hook_defs.h |  2 +-
>>   include/linux/security.h      | 20 ++++++++++++++++----
>>   security/commoncap.c          | 12 ++++++++----
>>   security/security.c           | 29 ++++++++++++++++++++++++-----
>>   6 files changed, 52 insertions(+), 20 deletions(-)
> 
> In general I think a lot of these changes are a good improvement, thank
> you very much for the time and effort you've spent on this.  However,
> I'm not in favor of passing the new hook parameter as a way of reducing
> the number of states represented by the security_inode_killpriv() return
> value.  This particular hook may need to remain as one of the odd special
> cases.
> 

I learned from previous discussions [1] to use a new output parameter to store
odd return values. Actually, I am not in favor of this method either, especially
since it requires extra work to enable BPF to access the output parameter. I
think we could just keep it as-is.

[1] https://lore.kernel.org/bpf/CAHC9VhQ_sTmoXwQ_AVfjTYQe4KR-uTnksPVfsei5JZ+VDJBQkA@mail.gmail.com/

More information about the Linux-security-module-archive mailing list