From: Christian Brauner <[email protected]>
To: Stefan Roesch <[email protected]>
Cc: [email protected], [email protected], [email protected],
[email protected], [email protected],
[email protected], [email protected]
Subject: Re: [RFC PATCH v2 06/16] fs: split off need_remove_file_privs() do_remove_file_privs()
Date: Tue, 17 May 2022 15:18:41 +0200 [thread overview]
Message-ID: <20220517131841.wjuy7mmqo3w2rdsv@wittgenstein> (raw)
In-Reply-To: <[email protected]>
On Mon, May 16, 2022 at 09:47:08AM -0700, Stefan Roesch wrote:
> This splits off the function need_remove_file_privs() from the function
> do_remove_file_privs() from the function file_remove_privs().
>
> No intended functional changes in this patch.
>
> Signed-off-by: Stefan Roesch <[email protected]>
> ---
Just a few nits...
> fs/inode.c | 57 ++++++++++++++++++++++++++++++++++++------------------
> 1 file changed, 38 insertions(+), 19 deletions(-)
>
> diff --git a/fs/inode.c b/fs/inode.c
> index 9d9b422504d1..a6d70a1983f8 100644
> --- a/fs/inode.c
> +++ b/fs/inode.c
> @@ -2010,17 +2010,8 @@ static int __remove_privs(struct user_namespace *mnt_userns,
> return notify_change(mnt_userns, dentry, &newattrs, NULL);
> }
>
> -/*
> - * Remove special file priviledges (suid, capabilities) when file is written
> - * to or truncated.
> - */
> -int file_remove_privs(struct file *file)
> +static int need_file_remove_privs(struct inode *inode, struct dentry *dentry)
I'd rather call this file_needs_remove_privs()?
> {
> - struct dentry *dentry = file_dentry(file);
> - struct inode *inode = file_inode(file);
> - int kill;
> - int error = 0;
> -
> /*
> * Fast path for nothing security related.
> * As well for non-regular files, e.g. blkdev inodes.
> @@ -2030,16 +2021,37 @@ int file_remove_privs(struct file *file)
> if (IS_NOSEC(inode) || !S_ISREG(inode->i_mode))
> return 0;
>
> - kill = dentry_needs_remove_privs(dentry);
> - if (kill < 0)
> - return kill;
> - if (kill)
> - error = __remove_privs(file_mnt_user_ns(file), dentry, kill);
> + return dentry_needs_remove_privs(dentry);
> +}
> +
> +static int do_file_remove_privs(struct file *file, struct inode *inode,
> + struct dentry *dentry, int kill)
and that __file_remove_privs() which matches the rest of the file since
here we don't have a lot of do_* but rather __* convention afaict.
> +{
> + int error = 0;
> +
> + error = __remove_privs(file_mnt_user_ns(file), dentry, kill);
> if (!error)
> inode_has_no_xattr(inode);
>
> return error;
> }
> +
> +/*
> + * Remove special file privileges (suid, capabilities) when file is written
> + * to or truncated.
> + */
> +int file_remove_privs(struct file *file)
This is a generic comment, not aimed specifically at your change but we
really need to get better at kernel-doc...
Since you're already touching this code could you at least to the
exported function you're modifying add sm like:
/**
* file_remove_privs - remove special file privileges (suid, capabilities)
* @file: file to remove privileges from
*
* When file is modified by a write or truncation ensure that special
* file privileges are removed.
*
* Return: 0 on success, negative errno on failure.
*/
int file_remove_privs(struct file *file)
This will then render on kernel.org/doc see e.g. lookup_one():
https://www.kernel.org/doc/html/latest/filesystems/api-summary.html?highlight=lookup_one#c.lookup_one
> +{
> + struct dentry *dentry = file_dentry(file);
> + struct inode *inode = file_inode(file);
> + int kill;
> +
> + kill = need_file_remove_privs(inode, dentry);
> + if (kill <= 0)
> + return kill;
> +
> + return do_file_remove_privs(file, inode, dentry, kill);
> +}
> EXPORT_SYMBOL(file_remove_privs);
>
> /**
> @@ -2093,15 +2105,22 @@ EXPORT_SYMBOL(file_update_time);
> /* Caller must hold the file's inode lock */
> int file_modified(struct file *file)
Similar I'd add sm like:
/**
* file_modified - handle mandated vfs changes when modifying a file
* @file: file that was was modified
*
* When file has been modified ensure that special
* file privileges are removed and time settings are updated.
*
* Context: Caller must hold the file's inode lock.
*
* Return: 0 on success, negative errno on failure.
*/
int file_remove_privs(struct file *file)
> {
> - int err;
> + int ret;
> + struct dentry *dentry = file_dentry(file);
> + struct inode *inode = file_inode(file);
>
> /*
> * Clear the security bits if the process is not being run by root.
> * This keeps people from modifying setuid and setgid binaries.
> */
> - err = file_remove_privs(file);
> - if (err)
> - return err;
> + ret = need_file_remove_privs(inode, dentry);
> + if (ret < 0) {
> + return ret;
> + } else if (ret > 0) {
> + ret = do_file_remove_privs(file, inode, dentry, ret);
> + if (ret)
> + return ret;
> + }
The else-if branch looks a bit unorthodox to me. I'd probably rather
make this:
ret = need_file_remove_privs(inode, dentry);
if (ret < 0)
return ret;
if (ret > 0) {
ret = do_file_remove_privs(file, inode, dentry, ret);
if (ret)
return ret;
}
>
> if (unlikely(file->f_mode & FMODE_NOCMTIME))
> return 0;
> --
> 2.30.2
>
next prev parent reply other threads:[~2022-05-17 13:18 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-05-16 16:47 [RFC PATCH v2 00/16] io-uring/xfs: support async buffered writes Stefan Roesch
2022-05-16 16:47 ` [RFC PATCH v2 01/16] block: add check for async buffered writes to generic_write_checks Stefan Roesch
2022-05-16 23:43 ` Matthew Wilcox
2022-05-18 23:20 ` Stefan Roesch
2022-05-16 16:47 ` [RFC PATCH v2 02/16] iomap: add iomap_page_create_gfp to allocate iomap_pages Stefan Roesch
2022-05-16 16:47 ` [RFC PATCH v2 03/16] iomap: use iomap_page_create_gfp() in __iomap_write_begin Stefan Roesch
2022-05-16 23:58 ` Matthew Wilcox
2022-05-18 23:21 ` Stefan Roesch
2022-05-16 16:47 ` [RFC PATCH v2 04/16] iomap: add async buffered write support Stefan Roesch
2022-05-17 11:14 ` Jan Kara
2022-05-18 23:19 ` Stefan Roesch
2022-05-16 16:47 ` [RFC PATCH v2 05/16] xfs: add iomap " Stefan Roesch
2022-05-16 16:47 ` [RFC PATCH v2 06/16] fs: split off need_remove_file_privs() do_remove_file_privs() Stefan Roesch
2022-05-17 13:18 ` Christian Brauner [this message]
2022-05-18 23:25 ` Stefan Roesch
2022-05-16 16:47 ` [RFC PATCH v2 07/16] fs: split off need_file_update_time and do_file_update_time Stefan Roesch
2022-05-17 11:20 ` Jan Kara
2022-05-18 23:21 ` Stefan Roesch
2022-05-17 13:40 ` Christian Brauner
2022-05-18 23:28 ` Stefan Roesch
2022-05-16 16:47 ` [RFC PATCH v2 08/16] fs: add pending file update time flag Stefan Roesch
2022-05-17 11:28 ` Jan Kara
2022-05-17 13:48 ` Christian Brauner
2022-05-18 23:23 ` Stefan Roesch
2022-05-16 16:47 ` [RFC PATCH v2 09/16] xfs: enable async write file modification handling Stefan Roesch
2022-05-16 16:47 ` [RFC PATCH v2 10/16] xfs: add async buffered write support Stefan Roesch
2022-05-16 16:47 ` [RFC PATCH v2 11/16] io_uring: add support for async buffered writes Stefan Roesch
2022-05-16 16:47 ` [RFC PATCH v2 12/16] mm: factor out _balance_dirty_pages() from balance_dirty_pages() Stefan Roesch
2022-05-18 11:07 ` Jan Kara
2022-05-18 23:31 ` Stefan Roesch
2022-05-16 16:47 ` [RFC PATCH v2 13/16] mm: add balance_dirty_pages_ratelimited_flags() function Stefan Roesch
2022-05-17 20:12 ` Jan Kara
2022-05-18 23:29 ` Stefan Roesch
2022-05-16 16:47 ` [RFC PATCH v2 14/16] iomap: use balance_dirty_pages_ratelimited_flags in iomap_write_iter Stefan Roesch
2022-05-16 16:47 ` [RFC PATCH v2 15/16] io_uring: add tracepoint for short writes Stefan Roesch
2022-05-16 16:47 ` [RFC PATCH v2 16/16] xfs: enable async buffered write support Stefan Roesch
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220517131841.wjuy7mmqo3w2rdsv@wittgenstein \
[email protected] \
[email protected] \
[email protected] \
[email protected] \
[email protected] \
[email protected] \
[email protected] \
[email protected] \
[email protected] \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox