On 7/19/2024 10:08 AM, Paul Moore wrote:

On Jul 11, 2024 Xu Kuohai [off-list ref] wrote:

quoted

To be consistent with most LSM hooks, convert the return value of
hook inode_need_killpriv to 0 or a negative error code.

Before:
- Both hook inode_need_killpriv and func security_inode_need_killpriv
   return > 0 if security_inode_killpriv is required, 0 if not, and < 0
   to abort the operation.

After:
- Both hook inode_need_killpriv and func security_inode_need_killpriv
   return 0 on success and a negative error code on failure.
   On success, hook inode_need_killpriv sets output param @need to true
   if security_inode_killpriv is required, and false if not. When @need
   is true, func security_inode_need_killpriv sets ATTR_KILL_PRIV flag
   in @attr; when false, it clears the flag.
   On failure, @need and @attr remains unchanged.

Signed-off-by: Xu Kuohai <redacted>
---
  fs/attr.c                     |  5 ++---
  fs/inode.c                    |  4 +---
  include/linux/lsm_hook_defs.h |  2 +-
  include/linux/security.h      | 20 ++++++++++++++++----
  security/commoncap.c          | 12 ++++++++----
  security/security.c           | 29 ++++++++++++++++++++++++-----
  6 files changed, 52 insertions(+), 20 deletions(-)

In general I think a lot of these changes are a good improvement, thank
you very much for the time and effort you've spent on this.  However,
I'm not in favor of passing the new hook parameter as a way of reducing
the number of states represented by the security_inode_killpriv() return
value.  This particular hook may need to remain as one of the odd special
cases.

I learned from previous discussions [1] to use a new output parameter to store
odd return values. Actually, I am not in favor of this method either, especially
since it requires extra work to enable BPF to access the output parameter. I
think we could just keep it as-is.

[1] https://lore.kernel.org/bpf/CAHC9VhQ_sTmoXwQ_AVfjTYQe4KR-uTnksPVfsei5JZ+VDJBQkA@mail.gmail.com/ (local)