| Message ID | 20190410165434.206579-1-mortonm@chromium.org (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [01/10] LSM: SafeSetID: fix pr_warn() to include newline | expand |
On Wed, Apr 10, 2019 at 9:54 AM Micah Morton <mortonm@chromium.org> wrote: > > From: Jann Horn <jannh@google.com> > > Fix the pr_warn() calls in the SafeSetID LSM to have newlines at the end. > Without this, denial messages will be buffered as incomplete lines in > log_output(), and will then only show up once something else prints into > dmesg. > > Signed-off-by: Jann Horn <jannh@google.com> > Signed-off-by: Micah Morton <mortonm@chromium.org> Reviewed-by: Kees Cook <keescook@chromium.org> -Kees > --- > security/safesetid/lsm.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/security/safesetid/lsm.c b/security/safesetid/lsm.c > index cecd38e2ac80..2daecab3a4c0 100644 > --- a/security/safesetid/lsm.c > +++ b/security/safesetid/lsm.c > @@ -91,7 +91,7 @@ static int safesetid_security_capable(const struct cred *cred, > * to functionality other than calling set*uid() (e.g. > * allowing user to set up userns uid mappings). > */ > - pr_warn("Operation requires CAP_SETUID, which is not available to UID %u for operations besides approved set*uid transitions", > + pr_warn("Operation requires CAP_SETUID, which is not available to UID %u for operations besides approved set*uid transitions\n", > __kuid_val(cred->uid)); > return -1; > } > @@ -103,7 +103,7 @@ static int check_uid_transition(kuid_t parent, kuid_t child) > { > if (check_setuid_policy_hashtable_key_value(parent, child)) > return 0; > - pr_warn("UID transition (%d -> %d) blocked", > + pr_warn("UID transition (%d -> %d) blocked\n", > __kuid_val(parent), > __kuid_val(child)); > /* > -- > 2.21.0.392.gf8f6787159e-goog >
These 10 patches got buried, but Jann, Kees and myself are in agreement on how they look. Could they get merged? Patches 8/10 and 9/10 have a v2 that should get merged instead of the originals. I can respond on all the patches that should get merged if that is helpful? On Wed, Apr 10, 2019 at 10:09 AM Kees Cook <keescook@chromium.org> wrote: > > On Wed, Apr 10, 2019 at 9:54 AM Micah Morton <mortonm@chromium.org> wrote: > > > > From: Jann Horn <jannh@google.com> > > > > Fix the pr_warn() calls in the SafeSetID LSM to have newlines at the end. > > Without this, denial messages will be buffered as incomplete lines in > > log_output(), and will then only show up once something else prints into > > dmesg. > > > > Signed-off-by: Jann Horn <jannh@google.com> > > Signed-off-by: Micah Morton <mortonm@chromium.org> > > Reviewed-by: Kees Cook <keescook@chromium.org> > > -Kees > > > --- > > security/safesetid/lsm.c | 4 ++-- > > 1 file changed, 2 insertions(+), 2 deletions(-) > > > > diff --git a/security/safesetid/lsm.c b/security/safesetid/lsm.c > > index cecd38e2ac80..2daecab3a4c0 100644 > > --- a/security/safesetid/lsm.c > > +++ b/security/safesetid/lsm.c > > @@ -91,7 +91,7 @@ static int safesetid_security_capable(const struct cred *cred, > > * to functionality other than calling set*uid() (e.g. > > * allowing user to set up userns uid mappings). > > */ > > - pr_warn("Operation requires CAP_SETUID, which is not available to UID %u for operations besides approved set*uid transitions", > > + pr_warn("Operation requires CAP_SETUID, which is not available to UID %u for operations besides approved set*uid transitions\n", > > __kuid_val(cred->uid)); > > return -1; > > } > > @@ -103,7 +103,7 @@ static int check_uid_transition(kuid_t parent, kuid_t child) > > { > > if (check_setuid_policy_hashtable_key_value(parent, child)) > > return 0; > > - pr_warn("UID transition (%d -> %d) blocked", > > + pr_warn("UID transition (%d -> %d) blocked\n", > > __kuid_val(parent), > > __kuid_val(child)); > > /* > > -- > > 2.21.0.392.gf8f6787159e-goog > > > > > -- > Kees Cook
On Mon, 6 May 2019, Micah Morton wrote: > These 10 patches got buried, but Jann, Kees and myself are in > agreement on how they look. > > Could they get merged? Patches 8/10 and 9/10 have a v2 that should get > merged instead of the originals. I can respond on all the patches that > should get merged if that is helpful? Please do so. > > On Wed, Apr 10, 2019 at 10:09 AM Kees Cook <keescook@chromium.org> wrote: > > > > On Wed, Apr 10, 2019 at 9:54 AM Micah Morton <mortonm@chromium.org> wrote: > > > > > > From: Jann Horn <jannh@google.com> > > > > > > Fix the pr_warn() calls in the SafeSetID LSM to have newlines at the end. > > > Without this, denial messages will be buffered as incomplete lines in > > > log_output(), and will then only show up once something else prints into > > > dmesg. > > > > > > Signed-off-by: Jann Horn <jannh@google.com> > > > Signed-off-by: Micah Morton <mortonm@chromium.org> > > > > Reviewed-by: Kees Cook <keescook@chromium.org> > > > > -Kees > > > > > --- > > > security/safesetid/lsm.c | 4 ++-- > > > 1 file changed, 2 insertions(+), 2 deletions(-) > > > > > > diff --git a/security/safesetid/lsm.c b/security/safesetid/lsm.c > > > index cecd38e2ac80..2daecab3a4c0 100644 > > > --- a/security/safesetid/lsm.c > > > +++ b/security/safesetid/lsm.c > > > @@ -91,7 +91,7 @@ static int safesetid_security_capable(const struct cred *cred, > > > * to functionality other than calling set*uid() (e.g. > > > * allowing user to set up userns uid mappings). > > > */ > > > - pr_warn("Operation requires CAP_SETUID, which is not available to UID %u for operations besides approved set*uid transitions", > > > + pr_warn("Operation requires CAP_SETUID, which is not available to UID %u for operations besides approved set*uid transitions\n", > > > __kuid_val(cred->uid)); > > > return -1; > > > } > > > @@ -103,7 +103,7 @@ static int check_uid_transition(kuid_t parent, kuid_t child) > > > { > > > if (check_setuid_policy_hashtable_key_value(parent, child)) > > > return 0; > > > - pr_warn("UID transition (%d -> %d) blocked", > > > + pr_warn("UID transition (%d -> %d) blocked\n", > > > __kuid_val(parent), > > > __kuid_val(child)); > > > /* > > > -- > > > 2.21.0.392.gf8f6787159e-goog > > > > > > > > > -- > > Kees Cook >
Ok, this ones ready for merge. On Mon, May 6, 2019 at 4:39 PM James Morris <jmorris@namei.org> wrote: > > On Mon, 6 May 2019, Micah Morton wrote: > > > These 10 patches got buried, but Jann, Kees and myself are in > > agreement on how they look. > > > > Could they get merged? Patches 8/10 and 9/10 have a v2 that should get > > merged instead of the originals. I can respond on all the patches that > > should get merged if that is helpful? > > Please do so. > > > > > On Wed, Apr 10, 2019 at 10:09 AM Kees Cook <keescook@chromium.org> wrote: > > > > > > On Wed, Apr 10, 2019 at 9:54 AM Micah Morton <mortonm@chromium.org> wrote: > > > > > > > > From: Jann Horn <jannh@google.com> > > > > > > > > Fix the pr_warn() calls in the SafeSetID LSM to have newlines at the end. > > > > Without this, denial messages will be buffered as incomplete lines in > > > > log_output(), and will then only show up once something else prints into > > > > dmesg. > > > > > > > > Signed-off-by: Jann Horn <jannh@google.com> > > > > Signed-off-by: Micah Morton <mortonm@chromium.org> > > > > > > Reviewed-by: Kees Cook <keescook@chromium.org> > > > > > > -Kees > > > > > > > --- > > > > security/safesetid/lsm.c | 4 ++-- > > > > 1 file changed, 2 insertions(+), 2 deletions(-) > > > > > > > > diff --git a/security/safesetid/lsm.c b/security/safesetid/lsm.c > > > > index cecd38e2ac80..2daecab3a4c0 100644 > > > > --- a/security/safesetid/lsm.c > > > > +++ b/security/safesetid/lsm.c > > > > @@ -91,7 +91,7 @@ static int safesetid_security_capable(const struct cred *cred, > > > > * to functionality other than calling set*uid() (e.g. > > > > * allowing user to set up userns uid mappings). > > > > */ > > > > - pr_warn("Operation requires CAP_SETUID, which is not available to UID %u for operations besides approved set*uid transitions", > > > > + pr_warn("Operation requires CAP_SETUID, which is not available to UID %u for operations besides approved set*uid transitions\n", > > > > __kuid_val(cred->uid)); > > > > return -1; > > > > } > > > > @@ -103,7 +103,7 @@ static int check_uid_transition(kuid_t parent, kuid_t child) > > > > { > > > > if (check_setuid_policy_hashtable_key_value(parent, child)) > > > > return 0; > > > > - pr_warn("UID transition (%d -> %d) blocked", > > > > + pr_warn("UID transition (%d -> %d) blocked\n", > > > > __kuid_val(parent), > > > > __kuid_val(child)); > > > > /* > > > > -- > > > > 2.21.0.392.gf8f6787159e-goog > > > > > > > > > > > > > -- > > > Kees Cook > > > > -- > James Morris > <jmorris@namei.org> >
diff --git a/security/safesetid/lsm.c b/security/safesetid/lsm.c index cecd38e2ac80..2daecab3a4c0 100644 --- a/security/safesetid/lsm.c +++ b/security/safesetid/lsm.c @@ -91,7 +91,7 @@ static int safesetid_security_capable(const struct cred *cred, * to functionality other than calling set*uid() (e.g. * allowing user to set up userns uid mappings). */ - pr_warn("Operation requires CAP_SETUID, which is not available to UID %u for operations besides approved set*uid transitions", + pr_warn("Operation requires CAP_SETUID, which is not available to UID %u for operations besides approved set*uid transitions\n", __kuid_val(cred->uid)); return -1; } @@ -103,7 +103,7 @@ static int check_uid_transition(kuid_t parent, kuid_t child) { if (check_setuid_policy_hashtable_key_value(parent, child)) return 0; - pr_warn("UID transition (%d -> %d) blocked", + pr_warn("UID transition (%d -> %d) blocked\n", __kuid_val(parent), __kuid_val(child)); /*