[PATCH v1 0/2] Refactor return value of two lsm hooks
Xu Kuohai
xukuohai at huaweicloud.com
Wed Jul 24 02:06:57 UTC 2024
From: Xu Kuohai <xukuohai at huawei.com>
The BPF LSM program may cause a kernel panic if it returns an
unexpected value, such as a positive value on the hook
file_alloc_security.
To fix it, series [1] refactored the LSM hook return values and
added BPF return value checks.
[1] used two methods to refactor hook return values:
- converting positive return value to negative error code
- adding additional output parameter to store odd return values
Based on discussion in [1], only two hooks refactored with the
second method may be acceptable. Since the second method requires
extra work on BPF side to ensure that the output parameter is
set properly, the extra work does not seem worthwhile for just
two hooks. So this series includes only the two patches refactored
with the first method.
Changes to [1]:
- Drop unnecessary patches
- Rebase
- Remove redundant comments in the inode_copy_up_xattr patch
[1] https://lore.kernel.org/bpf/20240711111908.3817636-1-xukuohai@huaweicloud.com
https://lore.kernel.org/bpf/20240711113828.3818398-1-xukuohai@huaweicloud.com
Xu Kuohai (2):
lsm: Refactor return value of LSM hook vm_enough_memory
lsm: Refactor return value of LSM hook inode_copy_up_xattr
fs/overlayfs/copy_up.c | 6 +++---
include/linux/lsm_hook_defs.h | 2 +-
include/linux/security.h | 2 +-
security/commoncap.c | 11 +++--------
security/integrity/evm/evm_main.c | 2 +-
security/security.c | 22 ++++++++--------------
security/selinux/hooks.c | 19 ++++++-------------
security/smack/smack_lsm.c | 6 +++---
8 files changed, 26 insertions(+), 44 deletions(-)
--
2.39.2
More information about the Linux-security-module-archive
mailing list