2020-08-19 19:16:14

by Alexey Gladkov

Subject: [PATCH v2 2/2] Show /proc/self/net only for CAP_NET_ADMIN

Cache the mounter's credentials and make access to the net directories
contingent on the permissions of the mounter of proc.

When proc is mounted with the subset=pid option, show /proc/self/net
only if the mounter has CAP_NET_ADMIN.

Signed-off-by: Alexey Gladkov <[email protected]>
---
fs/proc/proc_net.c | 8 ++++++++
fs/proc/root.c | 7 +++++++
include/linux/proc_fs.h | 1 +
3 files changed, 16 insertions(+)

diff --git a/fs/proc/proc_net.c b/fs/proc/proc_net.c
index dba63b2429f0..c43fc5c907db 100644
--- a/fs/proc/proc_net.c
+++ b/fs/proc/proc_net.c
@@ -26,6 +26,7 @@
#include <linux/uidgid.h>
#include <net/net_namespace.h>
#include <linux/seq_file.h>
+#include <linux/security.h>

#include "internal.h"

@@ -275,6 +276,7 @@ static struct net *get_proc_task_net(struct inode *dir)
struct task_struct *task;
struct nsproxy *ns;
struct net *net = NULL;
+ struct proc_fs_info *fs_info = proc_sb_info(dir->i_sb);

rcu_read_lock();
task = pid_task(proc_pid(dir), PIDTYPE_PID);
@@ -287,6 +289,12 @@ static struct net *get_proc_task_net(struct inode *dir)
}
rcu_read_unlock();

+ if (net && (fs_info->pidonly == PROC_PIDONLY_ON) &&
+ security_capable(fs_info->mounter_cred, net->user_ns, CAP_NET_ADMIN, CAP_OPT_NONE) < 0) {
+ put_net(net);
+ net = NULL;
+ }
+
return net;
}
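Review bot: The new check reads `fs_info->mounter_cred` after `rcu_read_unlock()` and without a reference of its own, while `proc_reconfigure()` in fs/proc/root.c (same series) replaces that pointer and `put_cred()`s the old one; unless something outside this hunk serializes lookups against remount, a concurrent remount can release the cred while `security_capable()` is still using it. Since `put_cred()` defers the free through RCU, one option is to do this check inside the RCU read-side section (before the `rcu_read_unlock()` at the top of the hunk) and publish/read the field with `rcu_assign_pointer()`/`rcu_dereference()`; alternatively take a counted copy of the cred for the duration of the check. A one-line why-comment above the condition would also help readers who expect the caller's creds to be checked, e.g. `/* subset=pid: expose net info only if the mounter could administer this netns */`. `get_proc_task_net()` begins before this hunk.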

diff --git a/fs/proc/root.c b/fs/proc/root.c
index c6bf74de1906..eeeda375cf85 100644
--- a/fs/proc/root.c
+++ b/fs/proc/root.c
@@ -184,6 +184,8 @@ static int proc_fill_super(struct super_block *s, struct fs_context *fc)
s->s_fs_info = fs_info;

fs_info->pid_ns = get_pid_ns(ctx->pid_ns);
+ fs_info->mounter_cred = get_cred(fc->cred);
+
proc_apply_options(s, fc, current_user_ns());

/*
@@ -219,9 +221,13 @@ static int proc_fill_super(struct super_block *s, struct fs_context *fc)
static int proc_reconfigure(struct fs_context *fc)
{
struct super_block *sb = fc->root->d_sb;
+ struct proc_fs_info *fs_info = proc_sb_info(sb);

sync_filesystem(sb);

+ put_cred(fs_info->mounter_cred);
+ fs_info->mounter_cred = get_cred(fc->cred);
+
proc_apply_options(sb, fc, current_user_ns());
return 0;
}
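Review bot: The swap `put_cred(fs_info->mounter_cred); fs_info->mounter_cred = get_cred(fc->cred);` releases the old credential before the replacement is stored, so for that window the field points at a cred whose reference has already been dropped; storing first and releasing afterwards, `const struct cred *old = fs_info->mounter_cred; fs_info->mounter_cred = get_cred(fc->cred); put_cred(old);`, removes that window (readers still need their own protection, which is a separate matter). It is also unconditional, so any remount, even one that does not touch `subset=`, re-keys the CAP_NET_ADMIN policy for every user of the mount to whoever performs the remount; if that is intended it deserves a comment, e.g. `/* a remount transfers "mounter" identity to the remounting task */`, and if not, the update should be limited to remounts that actually change the option.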
@@ -276,6 +282,7 @@ static void proc_kill_sb(struct super_block *sb)

kill_anon_super(sb);
put_pid_ns(fs_info->pid_ns);
+ put_cred(fs_info->mounter_cred);
kfree(fs_info);
}

diff --git a/include/linux/proc_fs.h b/include/linux/proc_fs.h
index d1eed1b43651..671c6dafc4ee 100644
--- a/include/linux/proc_fs.h
+++ b/include/linux/proc_fs.h
@@ -63,6 +63,7 @@ struct proc_fs_info {
kgid_t pid_gid;
enum proc_hidepid hide_pid;
enum proc_pidonly pidonly;
+ struct cred *mounter_cred;
};

static inline struct proc_fs_info *proc_sb_info(struct super_block *sb)
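Review bot: The new `mounter_cred` member carries no note on what it holds or who owns the reference, and since it is consulted from fs/proc/proc_net.c the ownership rule is not local to one file. Suggest annotating it in place: `struct cred *mounter_cred; /* creds of the (re)mounting task; counted ref, dropped in proc_kill_sb() */`.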
--
2.25.4


2020-08-19 21:33:07

by kernel test robot

Subject: Re: [PATCH v2 2/2] Show /proc/self/net only for CAP_NET_ADMIN

Hi Alexey,

Thank you for the patch! Perhaps something to improve:

[auto build test WARNING on linux/master]
[also build test WARNING on kees/for-next/pstore linus/master v5.9-rc1 next-20200819]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url: https://github.com/0day-ci/linux/commits/Alexey-Gladkov/proc-Relax-check-of-mount-visibility/20200820-031542
base: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git bcf876870b95592b52519ed4aafcf9d95999bc9c
config: xtensa-allyesconfig (attached as .config)
compiler: xtensa-linux-gcc (GCC) 9.3.0
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# save the attached .config to linux build tree
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-9.3.0 make.cross ARCH=xtensa

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <[email protected]>

All warnings (new ones prefixed by >>):

fs/proc/root.c: In function 'proc_fill_super':
>> fs/proc/root.c:187:24: warning: assignment discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
187 | fs_info->mounter_cred = get_cred(fc->cred);
| ^
fs/proc/root.c: In function 'proc_reconfigure':
fs/proc/root.c:229:24: warning: assignment discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
229 | fs_info->mounter_cred = get_cred(fc->cred);
| ^

# https://github.com/0day-ci/linux/commit/9c2a0eea7f38b1a4e201b8f2da0c5fd7b423daf9
git remote add linux-review https://github.com/0day-ci/linux
git fetch --no-tags linux-review Alexey-Gladkov/proc-Relax-check-of-mount-visibility/20200820-031542
git checkout 9c2a0eea7f38b1a4e201b8f2da0c5fd7b423daf9
vim +/const +187 fs/proc/root.c

164
165 static int proc_fill_super(struct super_block *s, struct fs_context *fc)
166 {
167 struct proc_fs_context *ctx = fc->fs_private;
168 struct inode *root_inode;
169 struct proc_fs_info *fs_info;
170 int ret;
171
172 fs_info = kzalloc(sizeof(*fs_info), GFP_KERNEL);
173 if (!fs_info)
174 return -ENOMEM;
175
176 /* User space would break if executables or devices appear on proc */
177 s->s_iflags |= SB_I_USERNS_VISIBLE | SB_I_NOEXEC | SB_I_NODEV;
178 s->s_flags |= SB_NODIRATIME | SB_NOSUID | SB_NOEXEC;
179 s->s_blocksize = 1024;
180 s->s_blocksize_bits = 10;
181 s->s_magic = PROC_SUPER_MAGIC;
182 s->s_op = &proc_sops;
183 s->s_time_gran = 1;
184 s->s_fs_info = fs_info;
185
186 fs_info->pid_ns = get_pid_ns(ctx->pid_ns);
> 187 fs_info->mounter_cred = get_cred(fc->cred);
188
189 proc_apply_options(s, fc, current_user_ns());
190
191 /*
192 * procfs isn't actually a stacking filesystem; however, there is
193 * too much magic going on inside it to permit stacking things on
194 * top of it
195 */
196 s->s_stack_depth = FILESYSTEM_MAX_STACK_DEPTH;
197
198 /* procfs dentries and inodes don't require IO to create */
199 s->s_shrink.seeks = 0;
200
201 pde_get(&proc_root);
202 root_inode = proc_get_inode(s, &proc_root);
203 if (!root_inode) {
204 pr_err("proc_fill_super: get root inode failed\n");
205 return -ENOMEM;
206 }
207
208 s->s_root = d_make_root(root_inode);
209 if (!s->s_root) {
210 pr_err("proc_fill_super: allocate dentry failed\n");
211 return -ENOMEM;
212 }
213
214 ret = proc_setup_self(s);
215 if (ret) {
216 return ret;
217 }
218 return proc_setup_thread_self(s);
219 }
220

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/[email protected]


Attachments:
(No filename) (3.99 kB)
.config.gz (62.90 kB)

2020-08-19 22:22:34

by kernel test robot

Subject: Re: [PATCH v2 2/2] Show /proc/self/net only for CAP_NET_ADMIN

Hi Alexey,

Thank you for the patch! Perhaps something to improve:

[auto build test WARNING on linux/master]
[also build test WARNING on kees/for-next/pstore linus/master v5.9-rc1 next-20200819]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url: https://github.com/0day-ci/linux/commits/Alexey-Gladkov/proc-Relax-check-of-mount-visibility/20200820-031542
base: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git bcf876870b95592b52519ed4aafcf9d95999bc9c
config: m68k-randconfig-s032-20200819 (attached as .config)
compiler: m68k-linux-gcc (GCC) 9.3.0
reproduce:
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# apt-get install sparse
# sparse version: v0.6.2-183-gaa6ede3b-dirty
# save the attached .config to linux build tree
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-9.3.0 make.cross C=1 CF='-fdiagnostic-prefix -D__CHECK_ENDIAN__' ARCH=m68k

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <[email protected]>


sparse warnings: (new ones prefixed by >>)

>> fs/proc/root.c:187:31: sparse: sparse: incorrect type in assignment (different modifiers) @@ expected struct cred *mounter_cred @@ got struct cred const * @@
>> fs/proc/root.c:187:31: sparse: expected struct cred *mounter_cred
>> fs/proc/root.c:187:31: sparse: got struct cred const *
fs/proc/root.c:229:31: sparse: sparse: incorrect type in assignment (different modifiers) @@ expected struct cred *mounter_cred @@ got struct cred const * @@
fs/proc/root.c:229:31: sparse: expected struct cred *mounter_cred
fs/proc/root.c:229:31: sparse: got struct cred const *

# https://github.com/0day-ci/linux/commit/9c2a0eea7f38b1a4e201b8f2da0c5fd7b423daf9
git remote add linux-review https://github.com/0day-ci/linux
git fetch --no-tags linux-review Alexey-Gladkov/proc-Relax-check-of-mount-visibility/20200820-031542
git checkout 9c2a0eea7f38b1a4e201b8f2da0c5fd7b423daf9
vim +187 fs/proc/root.c

164
165 static int proc_fill_super(struct super_block *s, struct fs_context *fc)
166 {
167 struct proc_fs_context *ctx = fc->fs_private;
168 struct inode *root_inode;
169 struct proc_fs_info *fs_info;
170 int ret;
171
172 fs_info = kzalloc(sizeof(*fs_info), GFP_KERNEL);
173 if (!fs_info)
174 return -ENOMEM;
175
176 /* User space would break if executables or devices appear on proc */
177 s->s_iflags |= SB_I_USERNS_VISIBLE | SB_I_NOEXEC | SB_I_NODEV;
178 s->s_flags |= SB_NODIRATIME | SB_NOSUID | SB_NOEXEC;
179 s->s_blocksize = 1024;
180 s->s_blocksize_bits = 10;
181 s->s_magic = PROC_SUPER_MAGIC;
182 s->s_op = &proc_sops;
183 s->s_time_gran = 1;
184 s->s_fs_info = fs_info;
185
186 fs_info->pid_ns = get_pid_ns(ctx->pid_ns);
> 187 fs_info->mounter_cred = get_cred(fc->cred);
188
189 proc_apply_options(s, fc, current_user_ns());
190
191 /*
192 * procfs isn't actually a stacking filesystem; however, there is
193 * too much magic going on inside it to permit stacking things on
194 * top of it
195 */
196 s->s_stack_depth = FILESYSTEM_MAX_STACK_DEPTH;
197
198 /* procfs dentries and inodes don't require IO to create */
199 s->s_shrink.seeks = 0;
200
201 pde_get(&proc_root);
202 root_inode = proc_get_inode(s, &proc_root);
203 if (!root_inode) {
204 pr_err("proc_fill_super: get root inode failed\n");
205 return -ENOMEM;
206 }
207
208 s->s_root = d_make_root(root_inode);
209 if (!s->s_root) {
210 pr_err("proc_fill_super: allocate dentry failed\n");
211 return -ENOMEM;
212 }
213
214 ret = proc_setup_self(s);
215 if (ret) {
216 return ret;
217 }
218 return proc_setup_thread_self(s);
219 }
220

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/[email protected]


Attachments:
(No filename) (4.18 kB)
.config.gz (23.42 kB)

2020-08-19 23:29:48

by kernel test robot

Subject: Re: [PATCH v2 2/2] Show /proc/self/net only for CAP_NET_ADMIN

Hi Alexey,

Thank you for the patch! Yet something to improve:

[auto build test ERROR on linux/master]
[also build test ERROR on kees/for-next/pstore linus/master v5.9-rc1 next-20200819]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url: https://github.com/0day-ci/linux/commits/Alexey-Gladkov/proc-Relax-check-of-mount-visibility/20200820-031542
base: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git bcf876870b95592b52519ed4aafcf9d95999bc9c
config: s390-randconfig-r034-20200818 (attached as .config)
compiler: clang version 12.0.0 (https://github.com/llvm/llvm-project b34b1e38381fa4d1b1d9751a6b5233b68e734cfe)
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# install s390 cross compiling tool for clang build
# apt-get install binutils-s390x-linux-gnu
# save the attached .config to linux build tree
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross ARCH=s390

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <[email protected]>

All errors (new ones prefixed by >>):

>> fs/proc/root.c:187:24: error: assigning to 'struct cred *' from 'const struct cred *' discards qualifiers [-Werror,-Wincompatible-pointer-types-discards-qualifiers]
fs_info->mounter_cred = get_cred(fc->cred);
^ ~~~~~~~~~~~~~~~~~~
fs/proc/root.c:229:24: error: assigning to 'struct cred *' from 'const struct cred *' discards qualifiers [-Werror,-Wincompatible-pointer-types-discards-qualifiers]
fs_info->mounter_cred = get_cred(fc->cred);
^ ~~~~~~~~~~~~~~~~~~
2 errors generated.

# https://github.com/0day-ci/linux/commit/9c2a0eea7f38b1a4e201b8f2da0c5fd7b423daf9
git remote add linux-review https://github.com/0day-ci/linux
git fetch --no-tags linux-review Alexey-Gladkov/proc-Relax-check-of-mount-visibility/20200820-031542
git checkout 9c2a0eea7f38b1a4e201b8f2da0c5fd7b423daf9
vim +187 fs/proc/root.c

164
165 static int proc_fill_super(struct super_block *s, struct fs_context *fc)
166 {
167 struct proc_fs_context *ctx = fc->fs_private;
168 struct inode *root_inode;
169 struct proc_fs_info *fs_info;
170 int ret;
171
172 fs_info = kzalloc(sizeof(*fs_info), GFP_KERNEL);
173 if (!fs_info)
174 return -ENOMEM;
175
176 /* User space would break if executables or devices appear on proc */
177 s->s_iflags |= SB_I_USERNS_VISIBLE | SB_I_NOEXEC | SB_I_NODEV;
178 s->s_flags |= SB_NODIRATIME | SB_NOSUID | SB_NOEXEC;
179 s->s_blocksize = 1024;
180 s->s_blocksize_bits = 10;
181 s->s_magic = PROC_SUPER_MAGIC;
182 s->s_op = &proc_sops;
183 s->s_time_gran = 1;
184 s->s_fs_info = fs_info;
185
186 fs_info->pid_ns = get_pid_ns(ctx->pid_ns);
> 187 fs_info->mounter_cred = get_cred(fc->cred);
188
189 proc_apply_options(s, fc, current_user_ns());
190
191 /*
192 * procfs isn't actually a stacking filesystem; however, there is
193 * too much magic going on inside it to permit stacking things on
194 * top of it
195 */
196 s->s_stack_depth = FILESYSTEM_MAX_STACK_DEPTH;
197
198 /* procfs dentries and inodes don't require IO to create */
199 s->s_shrink.seeks = 0;
200
201 pde_get(&proc_root);
202 root_inode = proc_get_inode(s, &proc_root);
203 if (!root_inode) {
204 pr_err("proc_fill_super: get root inode failed\n");
205 return -ENOMEM;
206 }
207
208 s->s_root = d_make_root(root_inode);
209 if (!s->s_root) {
210 pr_err("proc_fill_super: allocate dentry failed\n");
211 return -ENOMEM;
212 }
213
214 ret = proc_setup_self(s);
215 if (ret) {
216 return ret;
217 }
218 return proc_setup_thread_self(s);
219 }
220

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/[email protected]


Attachments:
(No filename) (4.20 kB)
.config.gz (29.24 kB)