lsm: Use IS_ERR_OR_NULL() helper function

Use the IS_ERR_OR_NULL() helper instead of open-coding a
NULL and an error pointer checks to simplify the code and
improve readability.

Signed-off-by: Hong

lsm: Use IS_ERR_OR_NULL() helper function

Use the IS_ERR_OR_NULL() helper instead of open-coding a
NULL and an error pointer checks to simplify the code and
improve readability.

Signed-off-by: Hongbo Li <[email protected]>
Signed-off-by: Paul Moore <[email protected]>

show more ...

lsm: add new securityfs delete function

When deleting a directory in the security file system, the existing
securityfs_remove requires the directory to be empty, otherwise
it will do nothing. This l

lsm: add new securityfs delete function

When deleting a directory in the security file system, the existing
securityfs_remove requires the directory to be empty, otherwise
it will do nothing. This leads to a potential risk that the security
file system might be in an unclean state when the intended deletion
did not happen.

This commit introduces a new function securityfs_recursive_remove
to recursively delete a directory without leaving an unclean state.

Co-developed-by: Christian Brauner (Microsoft) <[email protected]>
Signed-off-by: Fan Wu <[email protected]>
[PM: subject line tweak]
Signed-off-by: Paul Moore <[email protected]>

show more ...

security: convert to new timestamp accessors

Convert to using the new inode timestamp accessor functions.

Acked-by: Paul Moore <[email protected]>
Signed-off-by: Jeff Layton <[email protected]>

security: convert to new timestamp accessors

Convert to using the new inode timestamp accessor functions.

Acked-by: Paul Moore <[email protected]>
Signed-off-by: Jeff Layton <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Christian Brauner <[email protected]>

show more ...

security: convert to ctime accessor functions

In later patches, we're going to change how the inode's ctime field is
used. Switch to using accessor functions instead of raw accesses of
inode->i_ctim

security: convert to ctime accessor functions

In later patches, we're going to change how the inode's ctime field is
used. Switch to using accessor functions instead of raw accesses of
inode->i_ctime.

Acked-by: Paul Moore <[email protected]>
Signed-off-by: Jeff Layton <[email protected]>
Reviewed-by: Jan Kara <[email protected]>
Message-Id: <[email protected]>
Signed-off-by: Christian Brauner <[email protected]>

show more ...

vfs: Convert securityfs to use the new mount API

Convert the securityfs filesystem to the new internal mount API as the old
one will be obsoleted and removed. This allows greater flexibility in
com

vfs: Convert securityfs to use the new mount API

Convert the securityfs filesystem to the new internal mount API as the old
one will be obsoleted and removed. This allows greater flexibility in
communication of mount parameters between userspace, the VFS and the
filesystem.

See Documentation/filesystems/mount_api.txt for more information.

Signed-off-by: David Howells <[email protected]>
cc: [email protected]
Signed-off-by: Al Viro <[email protected]>

show more ...

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500

Based on 2 normalized pattern(s):

this program is free software you can redistribute it and or modify
it under the terms of th

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500

Based on 2 normalized pattern(s):

this program is free software you can redistribute it and or modify
it under the terms of the gnu general public license version 2 as
published by the free software foundation

this program is free software you can redistribute it and or modify
it under the terms of the gnu general public license version 2 as
published by the free software foundation #

extracted by the scancode license scanner the SPDX license identifier

GPL-2.0-only

has been chosen to replace the boilerplate/reference in 4122 file(s).

Signed-off-by: Thomas Gleixner <[email protected]>
Reviewed-by: Enrico Weigelt <[email protected]>
Reviewed-by: Kate Stewart <[email protected]>
Reviewed-by: Allison Randal <[email protected]>
Cc: [email protected]
Link: https://lkml.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>

show more ...

securityfs: switch to ->free_inode()

Signed-off-by: Al Viro <[email protected]>

Revert "security: inode: fix a missing check for securityfs_create_file"

This reverts commit d1a0846006e4325cc951ca0b05c02ed1d0865006.

From Al Viro:

"Rather bad way to do it - generally, register_

Revert "security: inode: fix a missing check for securityfs_create_file"

This reverts commit d1a0846006e4325cc951ca0b05c02ed1d0865006.

From Al Viro:

"Rather bad way to do it - generally, register_filesystem() should be
the last thing done by initialization. Any modular code that
does unregister_filesystem() on failure exit is flat-out broken;
here it's not instantly FUBAR, but it's a bloody bad example.

What's more, why not let simple_fill_super() do it? Just
static int fill_super(struct super_block *sb, void *data, int silent)
{
static const struct tree_descr files[] = {
{"lsm", &lsm_ops, 0444},
{""}
};

and to hell with that call of securityfs_create_file() and all its
failure handling..."

Signed-off-by: James Morris <[email protected]>

show more ...

securityfs: fix use-after-free on symlink traversal

symlink body shouldn't be freed without an RCU delay. Switch securityfs
to ->destroy_inode() and use of call_rcu(); free both the inode and symli

securityfs: fix use-after-free on symlink traversal

symlink body shouldn't be freed without an RCU delay. Switch securityfs
to ->destroy_inode() and use of call_rcu(); free both the inode and symlink
body in the callback.

Signed-off-by: Al Viro <[email protected]>

show more ...

security: inode: fix a missing check for securityfs_create_file

securityfs_create_file may fail. The fix checks its status and
returns the error code upstream if it fails.

Signed-off-by: Kangjie L

security: inode: fix a missing check for securityfs_create_file

securityfs_create_file may fail. The fix checks its status and
returns the error code upstream if it fails.

Signed-off-by: Kangjie Lu <[email protected]>
Signed-off-by: James Morris <[email protected]>

show more ...

security: fs: make inode explicitly non-modular

The Makefile/Kconfig entry controlling compilation of this code is:

security/Makefile:obj-$(CONFIG_SECURITYFS) += inode.o

security/Kc

security: fs: make inode explicitly non-modular

The Makefile/Kconfig entry controlling compilation of this code is:

security/Makefile:obj-$(CONFIG_SECURITYFS) += inode.o

security/Kconfig:config SECURITYFS
security/Kconfig: bool "Enable the securityfs filesystem"

...meaning that it currently is not being built as a module by anyone.

Lets remove the couple traces of modular infrastructure use, so that
when reading the driver there is no doubt it is builtin-only.

We also delete the MODULE_LICENSE tag etc. since all that information
is already contained at the top of the file in the comments.

The removal of module.h uncovered a couple previously hidden implicit
header requirements which are now included explicitly.

Cc: James Morris <[email protected]>
Cc: "Serge E. Hallyn" <[email protected]>
Cc: [email protected]
Signed-off-by: Paul Gortmaker <[email protected]>
Signed-off-by: James Morris <[email protected]>

show more ...

securityfs: add the ability to support symlinks

Signed-off-by: John Johansen <[email protected]>
Reviewed-by: Seth Arnold <[email protected]>
Acked-by: Kees Cook <keescook@chromium

securityfs: add the ability to support symlinks

Signed-off-by: John Johansen <[email protected]>
Reviewed-by: Seth Arnold <[email protected]>
Acked-by: Kees Cook <[email protected]>

show more ...

fs: constify tree_descr arrays passed to simple_fill_super()

simple_fill_super() is passed an array of tree_descr structures which
describe the files to create in the filesystem's root directory. S

fs: constify tree_descr arrays passed to simple_fill_super()

simple_fill_super() is passed an array of tree_descr structures which
describe the files to create in the filesystem's root directory. Since
these arrays are never modified intentionally, they should be 'const' so
that they are placed in .rodata and benefit from memory protection.
This patch updates the function signature and all users, and also
constifies tree_descr.name.

Signed-off-by: Eric Biggers <[email protected]>
Signed-off-by: Al Viro <[email protected]>

show more ...

LSM: Add /sys/kernel/security/lsm

I am still tired of having to find indirect ways to determine
what security modules are active on a system. I have added
/sys/kernel/security/lsm, which contains a

LSM: Add /sys/kernel/security/lsm

I am still tired of having to find indirect ways to determine
what security modules are active on a system. I have added
/sys/kernel/security/lsm, which contains a comma separated
list of the active security modules. No more groping around
in /proc/filesystems or other clever hacks.

Unchanged from previous versions except for being updated
to the latest security next branch.

Signed-off-by: Casey Schaufler <[email protected]>
Acked-by: John Johansen <[email protected]>
Acked-by: Paul Moore <[email protected]>
Acked-by: Kees Cook <[email protected]>
Signed-off-by: James Morris <[email protected]>

show more ...

securityfs: fix securityfs_create_dir comment

If there is an error creating a directory with securityfs_create_dir,
the error is propagated via ERR_PTR but the function comment claims that
NULL is r

securityfs: fix securityfs_create_dir comment

If there is an error creating a directory with securityfs_create_dir,
the error is propagated via ERR_PTR but the function comment claims that
NULL is returned.

This is a similar commit to 88e6c94cda322ff2b32f72bb8d96f9675cdad8aa
("fix long-broken securityfs_create_file comment") that did not fix
securityfs_create_dir comment at the same time.

Signed-off-by: Laurent Georget <[email protected]>
Signed-off-by: Jiri Kosina <[email protected]>

show more ...

fs: Replace CURRENT_TIME with current_time() for inode timestamps

CURRENT_TIME macro is not appropriate for filesystems as it
doesn't use the right granularity for filesystem timestamps.
Use current

fs: Replace CURRENT_TIME with current_time() for inode timestamps

CURRENT_TIME macro is not appropriate for filesystems as it
doesn't use the right granularity for filesystem timestamps.
Use current_time() instead.

CURRENT_TIME is also not y2038 safe.

This is also in preparation for the patch that transitions
vfs timestamps to use 64 bit time and hence make them
y2038 safe. As part of the effort current_time() will be
extended to do range checks. Hence, it is necessary for all
file system timestamps to use current_time(). Also,
current_time() will be transitioned along with vfs to be
y2038 safe.

Note that whenever a single call to current_time() is used
to change timestamps in different inodes, it is because they
share the same time granularity.

Signed-off-by: Deepa Dinamani <[email protected]>
Reviewed-by: Arnd Bergmann <[email protected]>
Acked-by: Felipe Balbi <[email protected]>
Acked-by: Steven Whitehouse <[email protected]>
Acked-by: Ryusuke Konishi <[email protected]>
Acked-by: David Sterba <[email protected]>
Signed-off-by: Al Viro <[email protected]>

show more ...

securityfs: ->d_parent is never NULL or negative

Signed-off-by: Al Viro <[email protected]>

drbd: ->d_parent is never NULL or negative

Signed-off-by: Al Viro <[email protected]>

wrappers for ->i_mutex access

parallel to mutex_{lock,unlock,trylock,is_locked,lock_nested},
inode_foo(inode) being mutex_foo(&inode->i_mutex).

Please, use those for access to ->i_mutex; over the c

wrappers for ->i_mutex access

parallel to mutex_{lock,unlock,trylock,is_locked,lock_nested},
inode_foo(inode) being mutex_foo(&inode->i_mutex).

Please, use those for access to ->i_mutex; over the coming cycle
->i_mutex will become rwsem, with ->lookup() done with it held
only shared.

Signed-off-by: Al Viro <[email protected]>

show more ...

sysfs: Create mountpoints with sysfs_create_mount_point

This allows for better documentation in the code and
it allows for a simpler and fully correct version of
fs_fully_visible to be written.

The

sysfs: Create mountpoints with sysfs_create_mount_point

This allows for better documentation in the code and
it allows for a simpler and fully correct version of
fs_fully_visible to be written.

The mount points converted and their filesystems are:
/sys/hypervisor/s390/ s390_hypfs
/sys/kernel/config/ configfs
/sys/kernel/debug/ debugfs
/sys/firmware/efi/efivars/ efivarfs
/sys/fs/fuse/connections/ fusectl
/sys/fs/pstore/ pstore
/sys/kernel/tracing/ tracefs
/sys/fs/cgroup/ cgroup
/sys/kernel/security/ securityfs
/sys/fs/selinux/ selinuxfs
/sys/fs/smackfs/ smackfs

Cc: [email protected]
Acked-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: "Eric W. Biederman" <[email protected]>

show more ...

make simple_positive() public

Signed-off-by: Al Viro <[email protected]>

VFS: security/: d_inode() annotations

... except where that code acts as a filesystem driver, rather than
working with dentries given to it.

Signed-off-by: David Howells <[email protected]>
Signe

VFS: security/: d_inode() annotations

... except where that code acts as a filesystem driver, rather than
working with dentries given to it.

Signed-off-by: David Howells <[email protected]>
Signed-off-by: Al Viro <[email protected]>

show more ...

VFS: (Scripted) Convert S_ISLNK/DIR/REG(dentry->d_inode) to d_is_*(dentry)

Convert the following where appropriate:

(1) S_ISLNK(dentry->d_inode) to d_is_symlink(dentry).

(2) S_ISREG(dentry->d_in

VFS: (Scripted) Convert S_ISLNK/DIR/REG(dentry->d_inode) to d_is_*(dentry)

Convert the following where appropriate:

(1) S_ISLNK(dentry->d_inode) to d_is_symlink(dentry).

(2) S_ISREG(dentry->d_inode) to d_is_reg(dentry).

(3) S_ISDIR(dentry->d_inode) to d_is_dir(dentry). This is actually more
complicated than it appears as some calls should be converted to
d_can_lookup() instead. The difference is whether the directory in
question is a real dir with a ->lookup op or whether it's a fake dir with
a ->d_automount op.

In some circumstances, we can subsume checks for dentry->d_inode not being
NULL into this, provided we the code isn't in a filesystem that expects
d_inode to be NULL if the dirent really *is* negative (ie. if we're going to
use d_inode() rather than d_backing_inode() to get the inode pointer).

Note that the dentry type field may be set to something other than
DCACHE_MISS_TYPE when d_inode is NULL in the case of unionmount, where the VFS
manages the fall-through from a negative dentry to a lower layer. In such a
case, the dentry type of the negative union dentry is set to the same as the
type of the lower dentry.

However, if you know d_inode is not NULL at the call site, then you can use
the d_is_xxx() functions even in a filesystem.

There is one further complication: a 0,0 chardev dentry may be labelled
DCACHE_WHITEOUT_TYPE rather than DCACHE_SPECIAL_TYPE. Strictly, this was
intended for special directory entry types that don't have attached inodes.

The following perl+coccinelle script was used:

use strict;

my @callers;
open($fd, 'git grep -l \'S_IS[A-Z].*->d_inode\' |') ||
die "Can't grep for S_ISDIR and co. callers";
@callers = <$fd>;
close($fd);
unless (@callers) {
print "No matches\n";
exit(0);
}

my @cocci = (
'@@',
'expression E;',
'@@',
'',
'- S_ISLNK(E->d_inode->i_mode)',
'+ d_is_symlink(E)',
'',
'@@',
'expression E;',
'@@',
'',
'- S_ISDIR(E->d_inode->i_mode)',
'+ d_is_dir(E)',
'',
'@@',
'expression E;',
'@@',
'',
'- S_ISREG(E->d_inode->i_mode)',
'+ d_is_reg(E)' );

my $coccifile = "tmp.sp.cocci";
open($fd, ">$coccifile") || die $coccifile;
print($fd "$_\n") || die $coccifile foreach (@cocci);
close($fd);

foreach my $file (@callers) {
chomp $file;
print "Processing ", $file, "\n";
system("spatch", "--sp-file", $coccifile, $file, "--in-place", "--no-show-diff") == 0 ||
die "spatch failed";
}

[AV: overlayfs parts skipped]

Signed-off-by: David Howells <[email protected]>
Signed-off-by: Al Viro <[email protected]>

show more ...

Documentation: Docbook: Fix generated DocBook/kernel-api.xml

This patch fix spelling typo found in DocBook/kernel-api.xml.
It is because the file is generated from the source comments,
I have to fix

Documentation: Docbook: Fix generated DocBook/kernel-api.xml

This patch fix spelling typo found in DocBook/kernel-api.xml.
It is because the file is generated from the source comments,
I have to fix the comments in source codes.

Signed-off-by: Masanari Iida <[email protected]>
Acked-by: Randy Dunlap <[email protected]>
Signed-off-by: Jiri Kosina <[email protected]>

show more ...

securityfs: fix object creation races

inode needs to be fully set up before we feed it to d_instantiate().
securityfs_create_file() does *not* do so; it sets ->i_fop and
->i_private only after we'd

securityfs: fix object creation races

inode needs to be fully set up before we feed it to d_instantiate().
securityfs_create_file() does *not* do so; it sets ->i_fop and
->i_private only after we'd exposed the inode. Unfortunately,
that's done fairly deep in call chain, so the amount of churn
is considerable. Helper functions killed by substituting into
their solitary call sites, dead code removed. We finally can
bury default_file_ops, now that the final value of ->i_fop is
available (and assigned) at the point where inode is allocated.

Reviewed-by: James Morris <[email protected]>
Signed-off-by: Al Viro <[email protected]>

show more ...