Re: [PATCH v2] kernel: add panic_on_taint

From: Luis Chamberlain
Date: Thu May 07 2020 - 14:23:01 EST


On Thu, May 07, 2020 at 02:06:31PM -0400, Rafael Aquini wrote:
> diff --git a/kernel/sysctl.c b/kernel/sysctl.c
> index 8a176d8727a3..b80ab660d727 100644
> --- a/kernel/sysctl.c
> +++ b/kernel/sysctl.c
> @@ -1217,6 +1217,13 @@ static struct ctl_table kern_table[] = {
> .extra1 = SYSCTL_ZERO,
> .extra2 = SYSCTL_ONE,
> },
> + {
> + .procname = "panic_on_taint",
> + .data = &panic_on_taint,
> + .maxlen = sizeof(unsigned long),
> + .mode = 0644,
> + .proc_handler = proc_doulongvec_minmax,
> + },

You sent this out before I could reply to the other thread on v1.
My thoughts on the min / max values, or lack here:

Valid range doesn't mean "currently allowed defined" masks.

For example, if you expect to panic due to a taint, but a new taint type
you want was not added on an older kernel you would be under a very
*false* sense of security that your kernel may not have hit such a
taint, but the reality of the situation was that the kernel didn't
support that taint flag only added in future kernels.

You may need to define a new flag (MAX_TAINT) which should be the last
value + 1, the allowed max values would be

(2^MAX_TAINT)-1

or

(1<<MAX_TAINT)-1

Since this is to *PANIC* I think we do want to test ranges and ensure
only valid ones are allowed.

Luis