Re: [syzbot] [lsm?] general protection fault in hook_inode_free_security

From: Tetsuo Handa
Date: Wed Jul 10 2024 - 20:33:15 EST


On 2024/06/28 3:28, Paul Moore wrote:
> It's also worth mentioning that while we always allocate i_security in
> security_inode_alloc() right now, I can see a world where we allocate
> the i_security field based on need using the lsm_blob_size info (maybe
> that works today? not sure how kmem_cache handled 0 length blobs?).
> The result is that there might be a legitimate case where i_security
> is NULL, yet we still want to call into the LSM using the
> inode_free_security() implementation hook.

As an LKM-based LSM user, I don't like the dependency on the lsm_blob_size info.

Since LKM-based LSM users cannot use lsm_blob_size due to __ro_after_init,
LKM-based LSM users depend on individual LSM hooks being called even if
i_security is NULL. How do we provide hooks for AV/EDR which cannot be
built into vmlinux (due to the distributor's support policy)? They cannot
benefit from infrastructure-managed security blobs.