Message-ID: <CAHC9VhSu4gJYWgHqvt7a_C_rr3yaubDdvxtHdw0=3wPdP+QbbA@mail.gmail.com>
Date: Mon, 16 Dec 2024 19:22:01 -0500
From: Paul Moore <paul@...l-moore.com>
To: Song Liu <song@...nel.org>
Cc: linux-fsdevel@...r.kernel.org, linux-doc@...r.kernel.org, 
	linux-kernel@...r.kernel.org, linux-btrfs@...r.kernel.org, 
	linux-xfs@...r.kernel.org, linux-security-module@...r.kernel.org, 
	willy@...radead.org, corbet@....net, clm@...com, josef@...icpanda.com, 
	dsterba@...e.com, brauner@...nel.org, jack@...e.cz, cem@...nel.org, 
	djwong@...nel.org, jmorris@...ei.org, serge@...lyn.com, fdmanana@...e.com, 
	johannes.thumshirn@....com
Subject: Re: [RFC] lsm: fs: Use i_callback to free i_security in RCU callback

On Mon, Dec 16, 2024 at 6:43 PM Song Liu <song@...nel.org> wrote:
>
> inode->i_security needs to be freed from an RCU callback. An rcu_head was
> added to i_security to call the RCU callback. However, since struct inode
> already has i_rcu, the extra rcu_head is wasteful. Specifically, when any
> LSM uses i_security, an rcu_head (two pointers) is allocated for each
> inode.
>
> Add security_inode_free_rcu() to i_callback to free i_security so that
> an rcu_head is saved for each inode. Special care is needed for file
> systems that provide a destroy_inode() callback, but not a free_inode()
> callback. Specifically, the following logic is added to handle such
> cases:
>
>  - XFS recycles inodes after destroy_inode. The inodes are freed from
>    recycle logic. Let xfs_inode_free_callback() and xfs_inode_alloc()
>    call security_inode_free_rcu() before freeing the inode.
>  - Let pipe free the inode from an RCU callback.
>  - Let btrfs-test free the inode from an RCU callback.

If I recall correctly, historically the vfs devs have pushed back on
filesystem specific changes such as this, requiring LSM hooks to
operate at the VFS layer unless there was absolutely no other choice.

From an LSM perspective I'm also a little concerned that this approach
is too reliant on individual filesystems doing the right thing with
respect to LSM hooks, which I worry will result in some ugly bugs in
the future.

> Signed-off-by: Song Liu <song@...nel.org>
> ---
>  Documentation/filesystems/vfs.rst |  8 ++++-
>  fs/btrfs/fs.h                     |  1 +
>  fs/btrfs/inode.c                  |  4 +++
>  fs/btrfs/tests/btrfs-tests.c      |  1 +
>  fs/inode.c                        |  2 ++
>  fs/pipe.c                         |  1 -
>  fs/xfs/xfs_icache.c               |  3 ++
>  include/linux/security.h          |  4 +++
>  security/security.c               | 49 +++++++++++++++++++------------
>  9 files changed, 53 insertions(+), 20 deletions(-)

-- 
paul-moore.com
