diff mbox series

env: Fix warning when forcing environment without ENV_ACCESS_IGNORE_FORCE

Message ID 1610360847-21890-1-git-send-email-martin.fuzzey@flowbird.group
State Accepted
Commit 9636bf8b2e319c0f43453f71131ba70856571d05
Delegated to: Tom Rini
Headers show
Series env: Fix warning when forcing environment without ENV_ACCESS_IGNORE_FORCE | expand

Commit Message

Fuzzey, Martin Jan. 11, 2021, 10:27 a.m. UTC
Since commit 0f036bf4b87e ("env: Warn on force access if ENV_ACCESS_IGNORE_FORCE set")
a warning message is displayed when setenv -f is used WITHOUT
CONFIG_ENV_ACCESS_IGNORE_FORCE, but the variable is set anyway, resulting
in lots of log pollution.

env_flags_validate() returns 0 if the access is accepted, or non zero
if it is refused.

So the original code
	#ifndef CONFIG_ENV_ACCESS_IGNORE_FORCE
		if (flag & H_FORCE)
			return 0;
	#endif

was correct, it returns 0 (accepts the modification) if forced UNLESS
IGNORE_FORCE is set (in which case access checks in the following code
are applied). The broken patch just added a printf to the force accepted
case.

To obtain the intent of the patch we need this:
	if (flag & H_FORCE) {
	#ifdef CONFIG_ENV_ACCESS_IGNORE_FORCE
		printf("## Error: Can't force access to \"%s\"\n", name);
	#else
		return 0;
	#endif
	}

Fixes: 0f036bf4b87e ("env: Warn on force access if ENV_ACCESS_IGNORE_FORCE set")

Signed-off-by: Martin Fuzzey <martin.fuzzey@flowbird.group>
---
 env/flags.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

Comments

Tom Rini Jan. 15, 2021, 6:43 p.m. UTC | #1
On Mon, Jan 11, 2021 at 11:27:20AM +0100, Martin Fuzzey wrote:

> Since commit 0f036bf4b87e ("env: Warn on force access if ENV_ACCESS_IGNORE_FORCE set")
> a warning message is displayed when setenv -f is used WITHOUT
> CONFIG_ENV_ACCESS_IGNORE_FORCE, but the variable is set anyway, resulting
> in lots of log pollution.
> 
> env_flags_validate() returns 0 if the access is accepted, or non zero
> if it is refused.
> 
> So the original code
> 	#ifndef CONFIG_ENV_ACCESS_IGNORE_FORCE
> 		if (flag & H_FORCE)
> 			return 0;
> 	#endif
> 
> was correct, it returns 0 (accepts the modification) if forced UNLESS
> IGNORE_FORCE is set (in which case access checks in the following code
> are applied). The broken patch just added a printf to the force accepted
> case.
> 
> To obtain the intent of the patch we need this:
> 	if (flag & H_FORCE) {
> 	#ifdef CONFIG_ENV_ACCESS_IGNORE_FORCE
> 		printf("## Error: Can't force access to \"%s\"\n", name);
> 	#else
> 		return 0;
> 	#endif
> 	}
> 
> Fixes: 0f036bf4b87e ("env: Warn on force access if ENV_ACCESS_IGNORE_FORCE set")
> 
> Signed-off-by: Martin Fuzzey <martin.fuzzey@flowbird.group>
> ---
>  env/flags.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/env/flags.c b/env/flags.c
> index df4aed2..e3e833c 100644
> --- a/env/flags.c
> +++ b/env/flags.c
> @@ -563,12 +563,13 @@ int env_flags_validate(const struct env_entry *item, const char *newval,
>  		return 1;
>  #endif
>  
> -#ifndef CONFIG_ENV_ACCESS_IGNORE_FORCE
>  	if (flag & H_FORCE) {
> +#ifdef CONFIG_ENV_ACCESS_IGNORE_FORCE
>  		printf("## Error: Can't force access to \"%s\"\n", name);
> +#else
>  		return 0;
> -	}
>  #endif
> +	}
>  	switch (op) {
>  	case env_op_delete:
>  		if (item->flags & ENV_FLAGS_VARACCESS_PREVENT_DELETE) {

Marek, does this look right to you?  Heinrich, I think this means
there''s a follow-up commit that I made to one of the tests that can
probably be reverted as well?  Thanks for digging in to this Martin!
Heinrich Schuchardt Jan. 28, 2021, 9:11 a.m. UTC | #2
On 11.01.21 11:27, Martin Fuzzey wrote:
> Since commit 0f036bf4b87e ("env: Warn on force access if ENV_ACCESS_IGNORE_FORCE set")
> a warning message is displayed when setenv -f is used WITHOUT
> CONFIG_ENV_ACCESS_IGNORE_FORCE, but the variable is set anyway, resulting
> in lots of log pollution.
>
> env_flags_validate() returns 0 if the access is accepted, or non zero
> if it is refused.
>
> So the original code
> 	#ifndef CONFIG_ENV_ACCESS_IGNORE_FORCE
> 		if (flag & H_FORCE)
> 			return 0;
> 	#endif
>
> was correct, it returns 0 (accepts the modification) if forced UNLESS
> IGNORE_FORCE is set (in which case access checks in the following code
> are applied). The broken patch just added a printf to the force accepted
> case.
>
> To obtain the intent of the patch we need this:
> 	if (flag & H_FORCE) {
> 	#ifdef CONFIG_ENV_ACCESS_IGNORE_FORCE
> 		printf("## Error: Can't force access to \"%s\"\n", name);
> 	#else
> 		return 0;
> 	#endif
> 	}
>
> Fixes: 0f036bf4b87e ("env: Warn on force access if ENV_ACCESS_IGNORE_FORCE set")
>
> Signed-off-by: Martin Fuzzey <martin.fuzzey@flowbird.group>
> ---
>  env/flags.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/env/flags.c b/env/flags.c
> index df4aed2..e3e833c 100644
> --- a/env/flags.c
> +++ b/env/flags.c
> @@ -563,12 +563,13 @@ int env_flags_validate(const struct env_entry *item, const char *newval,

Please, add a Sphinx style function description in include/env_flags.h
explaining exactly what this function is meant to do.

Cf.
https://www.kernel.org/doc/html/latest/doc-guide/kernel-doc.html#function-documentation

>  		return 1;
>  #endif
>
> -#ifndef CONFIG_ENV_ACCESS_IGNORE_FORCE
>  	if (flag & H_FORCE) {
> +#ifdef CONFIG_ENV_ACCESS_IGNORE_FORCE
>  		printf("## Error: Can't force access to \"%s\"\n", name);

If this is an error, why don't you return 1 (failure)?
Please, use log_err() for error messages.

> +#else
>  		return 0;

Why shouldn't the other tests be executed?

Best regards

Heinrich

> -	}
>  #endif
> +	}
>  	switch (op) {
>  	case env_op_delete:
>  		if (item->flags & ENV_FLAGS_VARACCESS_PREVENT_DELETE) {
>
Tom Rini Jan. 28, 2021, 4:25 p.m. UTC | #3
On Fri, Jan 15, 2021 at 01:43:44PM -0500, Tom Rini wrote:
> On Mon, Jan 11, 2021 at 11:27:20AM +0100, Martin Fuzzey wrote:
> 
> > Since commit 0f036bf4b87e ("env: Warn on force access if ENV_ACCESS_IGNORE_FORCE set")
> > a warning message is displayed when setenv -f is used WITHOUT
> > CONFIG_ENV_ACCESS_IGNORE_FORCE, but the variable is set anyway, resulting
> > in lots of log pollution.
> > 
> > env_flags_validate() returns 0 if the access is accepted, or non zero
> > if it is refused.
> > 
> > So the original code
> > 	#ifndef CONFIG_ENV_ACCESS_IGNORE_FORCE
> > 		if (flag & H_FORCE)
> > 			return 0;
> > 	#endif
> > 
> > was correct, it returns 0 (accepts the modification) if forced UNLESS
> > IGNORE_FORCE is set (in which case access checks in the following code
> > are applied). The broken patch just added a printf to the force accepted
> > case.
> > 
> > To obtain the intent of the patch we need this:
> > 	if (flag & H_FORCE) {
> > 	#ifdef CONFIG_ENV_ACCESS_IGNORE_FORCE
> > 		printf("## Error: Can't force access to \"%s\"\n", name);
> > 	#else
> > 		return 0;
> > 	#endif
> > 	}
> > 
> > Fixes: 0f036bf4b87e ("env: Warn on force access if ENV_ACCESS_IGNORE_FORCE set")
> > 
> > Signed-off-by: Martin Fuzzey <martin.fuzzey@flowbird.group>
> > ---
> >  env/flags.c | 5 +++--
> >  1 file changed, 3 insertions(+), 2 deletions(-)
> > 
> > diff --git a/env/flags.c b/env/flags.c
> > index df4aed2..e3e833c 100644
> > --- a/env/flags.c
> > +++ b/env/flags.c
> > @@ -563,12 +563,13 @@ int env_flags_validate(const struct env_entry *item, const char *newval,
> >  		return 1;
> >  #endif
> >  
> > -#ifndef CONFIG_ENV_ACCESS_IGNORE_FORCE
> >  	if (flag & H_FORCE) {
> > +#ifdef CONFIG_ENV_ACCESS_IGNORE_FORCE
> >  		printf("## Error: Can't force access to \"%s\"\n", name);
> > +#else
> >  		return 0;
> > -	}
> >  #endif
> > +	}
> >  	switch (op) {
> >  	case env_op_delete:
> >  		if (item->flags & ENV_FLAGS_VARACCESS_PREVENT_DELETE) {
> 
> Marek, does this look right to you?  Heinrich, I think this means
> there''s a follow-up commit that I made to one of the tests that can
> probably be reverted as well?  Thanks for digging in to this Martin!

Marek? Heinrich?  I really want a little feedback on this patch since I
think it addresses a tricky problem.  Thanks.
Marek Vasut Jan. 28, 2021, 6:59 p.m. UTC | #4
On 1/28/21 10:11 AM, Heinrich Schuchardt wrote:
[...]
>> diff --git a/env/flags.c b/env/flags.c
>> index df4aed2..e3e833c 100644
>> --- a/env/flags.c
>> +++ b/env/flags.c
>> @@ -563,12 +563,13 @@ int env_flags_validate(const struct env_entry *item, const char *newval,
> 
> Please, add a Sphinx style function description in include/env_flags.h
> explaining exactly what this function is meant to do.
> 
> Cf.
> https://www.kernel.org/doc/html/latest/doc-guide/kernel-doc.html#function-documentation

This is irrelevant, it's a bugfix so docs/improvements are a separate patch.

>>   		return 1;
>>   #endif
>>
>> -#ifndef CONFIG_ENV_ACCESS_IGNORE_FORCE
>>   	if (flag & H_FORCE) {
>> +#ifdef CONFIG_ENV_ACCESS_IGNORE_FORCE
>>   		printf("## Error: Can't force access to \"%s\"\n", name);
> 
> If this is an error, why don't you return 1 (failure)?
> Please, use log_err() for error messages.
> 
>> +#else
>>   		return 0;
> 
> Why shouldn't the other tests be executed?

Because the code is a total mess and thus error prone.
Marek Vasut Jan. 28, 2021, 7:07 p.m. UTC | #5
On 1/11/21 11:27 AM, Martin Fuzzey wrote:
> Since commit 0f036bf4b87e ("env: Warn on force access if ENV_ACCESS_IGNORE_FORCE set")
> a warning message is displayed when setenv -f is used WITHOUT
> CONFIG_ENV_ACCESS_IGNORE_FORCE, but the variable is set anyway, resulting
> in lots of log pollution.
> 
> env_flags_validate() returns 0 if the access is accepted, or non zero
> if it is refused.
> 
> So the original code
> 	#ifndef CONFIG_ENV_ACCESS_IGNORE_FORCE
> 		if (flag & H_FORCE)
> 			return 0;
> 	#endif
> 
> was correct, it returns 0 (accepts the modification) if forced UNLESS
> IGNORE_FORCE is set (in which case access checks in the following code
> are applied). The broken patch just added a printf to the force accepted
> case.
> 
> To obtain the intent of the patch we need this:
> 	if (flag & H_FORCE) {
> 	#ifdef CONFIG_ENV_ACCESS_IGNORE_FORCE
> 		printf("## Error: Can't force access to \"%s\"\n", name);
> 	#else
> 		return 0;
> 	#endif
> 	}
> 
> Fixes: 0f036bf4b87e ("env: Warn on force access if ENV_ACCESS_IGNORE_FORCE set")
> 
> Signed-off-by: Martin Fuzzey <martin.fuzzey@flowbird.group>
> ---
>   env/flags.c | 5 +++--
>   1 file changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/env/flags.c b/env/flags.c
> index df4aed2..e3e833c 100644
> --- a/env/flags.c
> +++ b/env/flags.c
> @@ -563,12 +563,13 @@ int env_flags_validate(const struct env_entry *item, const char *newval,
>   		return 1;
>   #endif
>   
> -#ifndef CONFIG_ENV_ACCESS_IGNORE_FORCE
>   	if (flag & H_FORCE) {
> +#ifdef CONFIG_ENV_ACCESS_IGNORE_FORCE
>   		printf("## Error: Can't force access to \"%s\"\n", name);
> +#else
>   		return 0;
> -	}
>   #endif

Based on env/Kconfig  description of this option:

config ENV_ACCESS_IGNORE_FORCE
         bool "Block forced environment operations"
         default n
         help
           If defined, don't allow the -f switch to env set override 
variable
           access flags.

I would think the code should look like this:

#ifdef CONFIG_ENV_ACCESS_IGNORE_FORCE
         if (flag & H_FORCE) {
                 printf("## Error: Can't force access to \"%s\"\n", name);
                 return 1;
         }
#else
         if (flag & H_FORCE)
		return 0;
#endif
Tom Rini Jan. 28, 2021, 7:26 p.m. UTC | #6
On Thu, Jan 28, 2021 at 08:07:54PM +0100, Marek Vasut wrote:
> On 1/11/21 11:27 AM, Martin Fuzzey wrote:
> > Since commit 0f036bf4b87e ("env: Warn on force access if ENV_ACCESS_IGNORE_FORCE set")
> > a warning message is displayed when setenv -f is used WITHOUT
> > CONFIG_ENV_ACCESS_IGNORE_FORCE, but the variable is set anyway, resulting
> > in lots of log pollution.
> > 
> > env_flags_validate() returns 0 if the access is accepted, or non zero
> > if it is refused.
> > 
> > So the original code
> > 	#ifndef CONFIG_ENV_ACCESS_IGNORE_FORCE
> > 		if (flag & H_FORCE)
> > 			return 0;
> > 	#endif
> > 
> > was correct, it returns 0 (accepts the modification) if forced UNLESS
> > IGNORE_FORCE is set (in which case access checks in the following code
> > are applied). The broken patch just added a printf to the force accepted
> > case.
> > 
> > To obtain the intent of the patch we need this:
> > 	if (flag & H_FORCE) {
> > 	#ifdef CONFIG_ENV_ACCESS_IGNORE_FORCE
> > 		printf("## Error: Can't force access to \"%s\"\n", name);
> > 	#else
> > 		return 0;
> > 	#endif
> > 	}
> > 
> > Fixes: 0f036bf4b87e ("env: Warn on force access if ENV_ACCESS_IGNORE_FORCE set")
> > 
> > Signed-off-by: Martin Fuzzey <martin.fuzzey@flowbird.group>
> > ---
> >   env/flags.c | 5 +++--
> >   1 file changed, 3 insertions(+), 2 deletions(-)
> > 
> > diff --git a/env/flags.c b/env/flags.c
> > index df4aed2..e3e833c 100644
> > --- a/env/flags.c
> > +++ b/env/flags.c
> > @@ -563,12 +563,13 @@ int env_flags_validate(const struct env_entry *item, const char *newval,
> >   		return 1;
> >   #endif
> > -#ifndef CONFIG_ENV_ACCESS_IGNORE_FORCE
> >   	if (flag & H_FORCE) {
> > +#ifdef CONFIG_ENV_ACCESS_IGNORE_FORCE
> >   		printf("## Error: Can't force access to \"%s\"\n", name);
> > +#else
> >   		return 0;
> > -	}
> >   #endif
> 
> Based on env/Kconfig  description of this option:
> 
> config ENV_ACCESS_IGNORE_FORCE
>         bool "Block forced environment operations"
>         default n
>         help
>           If defined, don't allow the -f switch to env set override variable
>           access flags.
> 
> I would think the code should look like this:
> 
> #ifdef CONFIG_ENV_ACCESS_IGNORE_FORCE
>         if (flag & H_FORCE) {
>                 printf("## Error: Can't force access to \"%s\"\n", name);
>                 return 1;
>         }
> #else
>         if (flag & H_FORCE)
> 		return 0;
> #endif

So, prior to 0f036bf4b87e we had what you're suggesting, and that lead
to 8a5cdf601f8d (which is the commit I was trying to think of) which
Heinrich did not like, but was what was needed to get things to function
again.  Wouldn't what you're proposing break the use case you had in the
first place?
Fuzzey, Martin Jan. 28, 2021, 7:37 p.m. UTC | #7
Hi Marek,

On Thu, 28 Jan 2021 at 20:07, Marek Vasut <marex@denx.de> wrote:
>
> Based on env/Kconfig  description of this option:
>
> config ENV_ACCESS_IGNORE_FORCE
>          bool "Block forced environment operations"
>          default n
>          help
>            If defined, don't allow the -f switch to env set override
> variable
>            access flags.
>
> I would think the code should look like this:
>
> #ifdef CONFIG_ENV_ACCESS_IGNORE_FORCE
>          if (flag & H_FORCE) {
>                  printf("## Error: Can't force access to \"%s\"\n", name);
>                  return 1;
>          }
> #else
>          if (flag & H_FORCE)
>                 return 0;
> #endif

I don't think that is right.

If you do that force update will be refused when
CONFIG_ENV_ACCESS_IGNORE_FORCE, regardless if the access would be
valid without the force

The kconfig options says don't allow the -f switch to OVERRIDE
variable access flags, not "don't allow the -f switch to be used"

I think we want this truth table

-f used      ENV_ACCESS_IGNORE _FORCE     Access valid         ====>    result
N                 X
    N                                         refused
N                 X
    Y                                         accepted
Y                 N
    Y                                         accepted
Y                 N
    N                                         accepted (forced)
Y                 Y
    Y                                          accepted
Y                 Y
    N                                          refused with warning

Regards,

Martin
Marek Vasut Jan. 28, 2021, 11:03 p.m. UTC | #8
On 1/28/21 8:26 PM, Tom Rini wrote:
> On Thu, Jan 28, 2021 at 08:07:54PM +0100, Marek Vasut wrote:
>> On 1/11/21 11:27 AM, Martin Fuzzey wrote:
>>> Since commit 0f036bf4b87e ("env: Warn on force access if ENV_ACCESS_IGNORE_FORCE set")
>>> a warning message is displayed when setenv -f is used WITHOUT
>>> CONFIG_ENV_ACCESS_IGNORE_FORCE, but the variable is set anyway, resulting
>>> in lots of log pollution.
>>>
>>> env_flags_validate() returns 0 if the access is accepted, or non zero
>>> if it is refused.
>>>
>>> So the original code
>>> 	#ifndef CONFIG_ENV_ACCESS_IGNORE_FORCE
>>> 		if (flag & H_FORCE)
>>> 			return 0;
>>> 	#endif
>>>
>>> was correct, it returns 0 (accepts the modification) if forced UNLESS
>>> IGNORE_FORCE is set (in which case access checks in the following code
>>> are applied). The broken patch just added a printf to the force accepted
>>> case.
>>>
>>> To obtain the intent of the patch we need this:
>>> 	if (flag & H_FORCE) {
>>> 	#ifdef CONFIG_ENV_ACCESS_IGNORE_FORCE
>>> 		printf("## Error: Can't force access to \"%s\"\n", name);
>>> 	#else
>>> 		return 0;
>>> 	#endif
>>> 	}
>>>
>>> Fixes: 0f036bf4b87e ("env: Warn on force access if ENV_ACCESS_IGNORE_FORCE set")
>>>
>>> Signed-off-by: Martin Fuzzey <martin.fuzzey@flowbird.group>
>>> ---
>>>    env/flags.c | 5 +++--
>>>    1 file changed, 3 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/env/flags.c b/env/flags.c
>>> index df4aed2..e3e833c 100644
>>> --- a/env/flags.c
>>> +++ b/env/flags.c
>>> @@ -563,12 +563,13 @@ int env_flags_validate(const struct env_entry *item, const char *newval,
>>>    		return 1;
>>>    #endif
>>> -#ifndef CONFIG_ENV_ACCESS_IGNORE_FORCE
>>>    	if (flag & H_FORCE) {
>>> +#ifdef CONFIG_ENV_ACCESS_IGNORE_FORCE
>>>    		printf("## Error: Can't force access to \"%s\"\n", name);
>>> +#else
>>>    		return 0;
>>> -	}
>>>    #endif
>>
>> Based on env/Kconfig  description of this option:
>>
>> config ENV_ACCESS_IGNORE_FORCE
>>          bool "Block forced environment operations"
>>          default n
>>          help
>>            If defined, don't allow the -f switch to env set override variable
>>            access flags.
>>
>> I would think the code should look like this:
>>
>> #ifdef CONFIG_ENV_ACCESS_IGNORE_FORCE
>>          if (flag & H_FORCE) {
>>                  printf("## Error: Can't force access to \"%s\"\n", name);
>>                  return 1;
>>          }
>> #else
>>          if (flag & H_FORCE)
>> 		return 0;
>> #endif
> 
> So, prior to 0f036bf4b87e we had what you're suggesting, and that lead
> to 8a5cdf601f8d (which is the commit I was trying to think of) which
> Heinrich did not like, but was what was needed to get things to function
> again.  Wouldn't what you're proposing break the use case you had in the
> first place?

No, the idea is to completely block the -f flag if 
CONFIG_ENV_ACCESS_IGNORE_FORCE is set from setting anything in the 
environment. That's how I understand the Kconfig entry help text.
Marek Vasut Jan. 28, 2021, 11:05 p.m. UTC | #9
On 1/28/21 8:37 PM, Fuzzey, Martin wrote:
> Hi Marek,

Hi,

> On Thu, 28 Jan 2021 at 20:07, Marek Vasut <marex@denx.de> wrote:
>>
>> Based on env/Kconfig  description of this option:
>>
>> config ENV_ACCESS_IGNORE_FORCE
>>           bool "Block forced environment operations"
>>           default n
>>           help
>>             If defined, don't allow the -f switch to env set override
>> variable
>>             access flags.
>>
>> I would think the code should look like this:
>>
>> #ifdef CONFIG_ENV_ACCESS_IGNORE_FORCE
>>           if (flag & H_FORCE) {
>>                   printf("## Error: Can't force access to \"%s\"\n", name);
>>                   return 1;
>>           }
>> #else
>>           if (flag & H_FORCE)
>>                  return 0;
>> #endif
> 
> I don't think that is right.
> 
> If you do that force update will be refused when
> CONFIG_ENV_ACCESS_IGNORE_FORCE, regardless if the access would be
> valid without the force

That's how I understand the option was intended to work, based on the 
Kconfig help text.

> The kconfig options says don't allow the -f switch to OVERRIDE
> variable access flags, not "don't allow the -f switch to be used"

I suspect the help text needs clarification then.
Fuzzey, Martin Jan. 29, 2021, 7:42 a.m. UTC | #10
On Fri, 29 Jan 2021 at 00:05, Marek Vasut <marex@denx.de> wrote:
>
> On 1/28/21 8:37 PM, Fuzzey, Martin wrote:
> > Hi Marek,
>
> Hi,
>
> > On Thu, 28 Jan 2021 at 20:07, Marek Vasut <marex@denx.de> wrote:
> >>
> >> Based on env/Kconfig  description of this option:
> >>
> >> config ENV_ACCESS_IGNORE_FORCE
> >>           bool "Block forced environment operations"
> >>           default n
> >>           help
> >>             If defined, don't allow the -f switch to env set override
> >> variable
> >>             access flags.
> >>
> >> I would think the code should look like this:
> >>
> >> #ifdef CONFIG_ENV_ACCESS_IGNORE_FORCE
> >>           if (flag & H_FORCE) {
> >>                   printf("## Error: Can't force access to \"%s\"\n", name);
> >>                   return 1;
> >>           }
> >> #else
> >>           if (flag & H_FORCE)
> >>                  return 0;
> >> #endif
> >
> > I don't think that is right.
> >
> > If you do that force update will be refused when
> > CONFIG_ENV_ACCESS_IGNORE_FORCE, regardless if the access would be
> > valid without the force
>
> That's how I understand the option was intended to work, based on the
> Kconfig help text.
>

Ok we are understanding different things about what it's supposed to do then.

But if everyone agrees that the option should completely disable -f
then I'm fine with that, in which case the version of the patch you
propose is good (and easier to understand).

The problem I have is with the current 0f036bf4b87e which leads to log
spam on boards that *don't* have CONFIG_ENV_ACCESS_IGNORE_FORCE set
and do use -f.

> > The kconfig options says don't allow the -f switch to OVERRIDE
> > variable access flags, not "don't allow the -f switch to be used"
>
> I suspect the help text needs clarification then.

Agreed

Martin
Marek Vasut Jan. 29, 2021, 11:16 a.m. UTC | #11
On 1/29/21 8:42 AM, Fuzzey, Martin wrote:
> On Fri, 29 Jan 2021 at 00:05, Marek Vasut <marex@denx.de> wrote:
>>
>> On 1/28/21 8:37 PM, Fuzzey, Martin wrote:
>>> Hi Marek,
>>
>> Hi,
>>
>>> On Thu, 28 Jan 2021 at 20:07, Marek Vasut <marex@denx.de> wrote:
>>>>
>>>> Based on env/Kconfig  description of this option:
>>>>
>>>> config ENV_ACCESS_IGNORE_FORCE
>>>>            bool "Block forced environment operations"
>>>>            default n
>>>>            help
>>>>              If defined, don't allow the -f switch to env set override
>>>> variable
>>>>              access flags.
>>>>
>>>> I would think the code should look like this:
>>>>
>>>> #ifdef CONFIG_ENV_ACCESS_IGNORE_FORCE
>>>>            if (flag & H_FORCE) {
>>>>                    printf("## Error: Can't force access to \"%s\"\n", name);
>>>>                    return 1;
>>>>            }
>>>> #else
>>>>            if (flag & H_FORCE)
>>>>                   return 0;
>>>> #endif
>>>
>>> I don't think that is right.
>>>
>>> If you do that force update will be refused when
>>> CONFIG_ENV_ACCESS_IGNORE_FORCE, regardless if the access would be
>>> valid without the force
>>
>> That's how I understand the option was intended to work, based on the
>> Kconfig help text.
>>
> 
> Ok we are understanding different things about what it's supposed to do then.
> 
> But if everyone agrees that the option should completely disable -f
> then I'm fine with that, in which case the version of the patch you
> propose is good (and easier to understand).
> 
> The problem I have is with the current 0f036bf4b87e which leads to log
> spam on boards that *don't* have CONFIG_ENV_ACCESS_IGNORE_FORCE set
> and do use -f.

Yes, that should be fixed, one way or the other.
(in fact, can you also write a test for this case ?)
Tom Rini Feb. 1, 2021, 7:31 p.m. UTC | #12
On Fri, Jan 29, 2021 at 12:03:52AM +0100, Marek Vasut wrote:
> On 1/28/21 8:26 PM, Tom Rini wrote:
> > On Thu, Jan 28, 2021 at 08:07:54PM +0100, Marek Vasut wrote:
> > > On 1/11/21 11:27 AM, Martin Fuzzey wrote:
> > > > Since commit 0f036bf4b87e ("env: Warn on force access if ENV_ACCESS_IGNORE_FORCE set")
> > > > a warning message is displayed when setenv -f is used WITHOUT
> > > > CONFIG_ENV_ACCESS_IGNORE_FORCE, but the variable is set anyway, resulting
> > > > in lots of log pollution.
> > > > 
> > > > env_flags_validate() returns 0 if the access is accepted, or non zero
> > > > if it is refused.
> > > > 
> > > > So the original code
> > > > 	#ifndef CONFIG_ENV_ACCESS_IGNORE_FORCE
> > > > 		if (flag & H_FORCE)
> > > > 			return 0;
> > > > 	#endif
> > > > 
> > > > was correct, it returns 0 (accepts the modification) if forced UNLESS
> > > > IGNORE_FORCE is set (in which case access checks in the following code
> > > > are applied). The broken patch just added a printf to the force accepted
> > > > case.
> > > > 
> > > > To obtain the intent of the patch we need this:
> > > > 	if (flag & H_FORCE) {
> > > > 	#ifdef CONFIG_ENV_ACCESS_IGNORE_FORCE
> > > > 		printf("## Error: Can't force access to \"%s\"\n", name);
> > > > 	#else
> > > > 		return 0;
> > > > 	#endif
> > > > 	}
> > > > 
> > > > Fixes: 0f036bf4b87e ("env: Warn on force access if ENV_ACCESS_IGNORE_FORCE set")
> > > > 
> > > > Signed-off-by: Martin Fuzzey <martin.fuzzey@flowbird.group>
> > > > ---
> > > >    env/flags.c | 5 +++--
> > > >    1 file changed, 3 insertions(+), 2 deletions(-)
> > > > 
> > > > diff --git a/env/flags.c b/env/flags.c
> > > > index df4aed2..e3e833c 100644
> > > > --- a/env/flags.c
> > > > +++ b/env/flags.c
> > > > @@ -563,12 +563,13 @@ int env_flags_validate(const struct env_entry *item, const char *newval,
> > > >    		return 1;
> > > >    #endif
> > > > -#ifndef CONFIG_ENV_ACCESS_IGNORE_FORCE
> > > >    	if (flag & H_FORCE) {
> > > > +#ifdef CONFIG_ENV_ACCESS_IGNORE_FORCE
> > > >    		printf("## Error: Can't force access to \"%s\"\n", name);
> > > > +#else
> > > >    		return 0;
> > > > -	}
> > > >    #endif
> > > 
> > > Based on env/Kconfig  description of this option:
> > > 
> > > config ENV_ACCESS_IGNORE_FORCE
> > >          bool "Block forced environment operations"
> > >          default n
> > >          help
> > >            If defined, don't allow the -f switch to env set override variable
> > >            access flags.
> > > 
> > > I would think the code should look like this:
> > > 
> > > #ifdef CONFIG_ENV_ACCESS_IGNORE_FORCE
> > >          if (flag & H_FORCE) {
> > >                  printf("## Error: Can't force access to \"%s\"\n", name);
> > >                  return 1;
> > >          }
> > > #else
> > >          if (flag & H_FORCE)
> > > 		return 0;
> > > #endif
> > 
> > So, prior to 0f036bf4b87e we had what you're suggesting, and that lead
> > to 8a5cdf601f8d (which is the commit I was trying to think of) which
> > Heinrich did not like, but was what was needed to get things to function
> > again.  Wouldn't what you're proposing break the use case you had in the
> > first place?
> 
> No, the idea is to completely block the -f flag if
> CONFIG_ENV_ACCESS_IGNORE_FORCE is set from setting anything in the
> environment. That's how I understand the Kconfig entry help text.

So was this all a "by inspection" bug then and not something you ran in
to in use?  I'm a bit worried that "how it's implemented" is relied upon
more than "how it's documented in the help", esp since the former is
probably older than the latter.
Marek Vasut Feb. 3, 2021, 4:39 p.m. UTC | #13
On 2/1/21 8:31 PM, Tom Rini wrote:
> On Fri, Jan 29, 2021 at 12:03:52AM +0100, Marek Vasut wrote:
>> On 1/28/21 8:26 PM, Tom Rini wrote:
>>> On Thu, Jan 28, 2021 at 08:07:54PM +0100, Marek Vasut wrote:
>>>> On 1/11/21 11:27 AM, Martin Fuzzey wrote:
>>>>> Since commit 0f036bf4b87e ("env: Warn on force access if ENV_ACCESS_IGNORE_FORCE set")
>>>>> a warning message is displayed when setenv -f is used WITHOUT
>>>>> CONFIG_ENV_ACCESS_IGNORE_FORCE, but the variable is set anyway, resulting
>>>>> in lots of log pollution.
>>>>>
>>>>> env_flags_validate() returns 0 if the access is accepted, or non zero
>>>>> if it is refused.
>>>>>
>>>>> So the original code
>>>>> 	#ifndef CONFIG_ENV_ACCESS_IGNORE_FORCE
>>>>> 		if (flag & H_FORCE)
>>>>> 			return 0;
>>>>> 	#endif
>>>>>
>>>>> was correct, it returns 0 (accepts the modification) if forced UNLESS
>>>>> IGNORE_FORCE is set (in which case access checks in the following code
>>>>> are applied). The broken patch just added a printf to the force accepted
>>>>> case.
>>>>>
>>>>> To obtain the intent of the patch we need this:
>>>>> 	if (flag & H_FORCE) {
>>>>> 	#ifdef CONFIG_ENV_ACCESS_IGNORE_FORCE
>>>>> 		printf("## Error: Can't force access to \"%s\"\n", name);
>>>>> 	#else
>>>>> 		return 0;
>>>>> 	#endif
>>>>> 	}
>>>>>
>>>>> Fixes: 0f036bf4b87e ("env: Warn on force access if ENV_ACCESS_IGNORE_FORCE set")
>>>>>
>>>>> Signed-off-by: Martin Fuzzey <martin.fuzzey@flowbird.group>
>>>>> ---
>>>>>     env/flags.c | 5 +++--
>>>>>     1 file changed, 3 insertions(+), 2 deletions(-)
>>>>>
>>>>> diff --git a/env/flags.c b/env/flags.c
>>>>> index df4aed2..e3e833c 100644
>>>>> --- a/env/flags.c
>>>>> +++ b/env/flags.c
>>>>> @@ -563,12 +563,13 @@ int env_flags_validate(const struct env_entry *item, const char *newval,
>>>>>     		return 1;
>>>>>     #endif
>>>>> -#ifndef CONFIG_ENV_ACCESS_IGNORE_FORCE
>>>>>     	if (flag & H_FORCE) {
>>>>> +#ifdef CONFIG_ENV_ACCESS_IGNORE_FORCE
>>>>>     		printf("## Error: Can't force access to \"%s\"\n", name);
>>>>> +#else
>>>>>     		return 0;
>>>>> -	}
>>>>>     #endif
>>>>
>>>> Based on env/Kconfig  description of this option:
>>>>
>>>> config ENV_ACCESS_IGNORE_FORCE
>>>>           bool "Block forced environment operations"
>>>>           default n
>>>>           help
>>>>             If defined, don't allow the -f switch to env set override variable
>>>>             access flags.
>>>>
>>>> I would think the code should look like this:
>>>>
>>>> #ifdef CONFIG_ENV_ACCESS_IGNORE_FORCE
>>>>           if (flag & H_FORCE) {
>>>>                   printf("## Error: Can't force access to \"%s\"\n", name);
>>>>                   return 1;
>>>>           }
>>>> #else
>>>>           if (flag & H_FORCE)
>>>> 		return 0;
>>>> #endif
>>>
>>> So, prior to 0f036bf4b87e we had what you're suggesting, and that lead
>>> to 8a5cdf601f8d (which is the commit I was trying to think of) which
>>> Heinrich did not like, but was what was needed to get things to function
>>> again.  Wouldn't what you're proposing break the use case you had in the
>>> first place?
>>
>> No, the idea is to completely block the -f flag if
>> CONFIG_ENV_ACCESS_IGNORE_FORCE is set from setting anything in the
>> environment. That's how I understand the Kconfig entry help text.
> 
> So was this all a "by inspection" bug then and not something you ran in
> to in use?  I'm a bit worried that "how it's implemented" is relied upon
> more than "how it's documented in the help", esp since the former is
> probably older than the latter.

The usecase of the writeable list is to completely block the -f flag.
Maybe some further cleanup of the env config options is required, 
because it is poorly documented it seems.
Tom Rini April 18, 2021, 12:45 p.m. UTC | #14
On Mon, Jan 11, 2021 at 11:27:20AM +0100, Martin Fuzzey wrote:

> Since commit 0f036bf4b87e ("env: Warn on force access if ENV_ACCESS_IGNORE_FORCE set")
> a warning message is displayed when setenv -f is used WITHOUT
> CONFIG_ENV_ACCESS_IGNORE_FORCE, but the variable is set anyway, resulting
> in lots of log pollution.
> 
> env_flags_validate() returns 0 if the access is accepted, or non zero
> if it is refused.
> 
> So the original code
> 	#ifndef CONFIG_ENV_ACCESS_IGNORE_FORCE
> 		if (flag & H_FORCE)
> 			return 0;
> 	#endif
> 
> was correct, it returns 0 (accepts the modification) if forced UNLESS
> IGNORE_FORCE is set (in which case access checks in the following code
> are applied). The broken patch just added a printf to the force accepted
> case.
> 
> To obtain the intent of the patch we need this:
> 	if (flag & H_FORCE) {
> 	#ifdef CONFIG_ENV_ACCESS_IGNORE_FORCE
> 		printf("## Error: Can't force access to \"%s\"\n", name);
> 	#else
> 		return 0;
> 	#endif
> 	}
> 
> Fixes: 0f036bf4b87e ("env: Warn on force access if ENV_ACCESS_IGNORE_FORCE set")
> 
> Signed-off-by: Martin Fuzzey <martin.fuzzey@flowbird.group>

Applied to u-boot/master, thanks!
diff mbox series

Patch

diff --git a/env/flags.c b/env/flags.c
index df4aed2..e3e833c 100644
--- a/env/flags.c
+++ b/env/flags.c
@@ -563,12 +563,13 @@  int env_flags_validate(const struct env_entry *item, const char *newval,
 		return 1;
 #endif
 
-#ifndef CONFIG_ENV_ACCESS_IGNORE_FORCE
 	if (flag & H_FORCE) {
+#ifdef CONFIG_ENV_ACCESS_IGNORE_FORCE
 		printf("## Error: Can't force access to \"%s\"\n", name);
+#else
 		return 0;
-	}
 #endif
+	}
 	switch (op) {
 	case env_op_delete:
 		if (item->flags & ENV_FLAGS_VARACCESS_PREVENT_DELETE) {