Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp9505093ybl; Fri, 17 Jan 2020 13:15:39 -0800 (PST) X-Google-Smtp-Source: APXvYqxYTfn5XGBqiNVLJOK5pO/NRwnrBDcYEudcT2w3xW1AN4mVhmTFktkO9d12C4mC3fJwQXpi X-Received: by 2002:a05:6830:15a:: with SMTP id j26mr7289517otp.137.1579295739099; Fri, 17 Jan 2020 13:15:39 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1579295739; cv=none; d=google.com; s=arc-20160816; b=Qzir0p/5g6DnTmwOZ1+Lh7zo2merfIbVvUBEAFc9ve1iJWxuoWDbIIeyFyd2F3xxrK xzgCjeyDn35hxiAx27ESQC8eLmW48iFhY9nokyx9lUwlwKCHmAMu/2ra4ILeP00bN1ah xBwvaWNUR/B62u9KulYLJLCiSx/N9qb4R2aW94+vrX6SgJ1vSxDH1DeTAKmV/t4QCK4Z Kay8eRzjavKNl2JCNGjPsKpjJ866GNROcPsoRqvww/wDxFrAeunhsPpk+EhrYccjmeV9 cN+H8J1TIi9RfhvZg2CbULq9ia/9eBDEG1hZ8CZ8Ysn12XfdRBn2biHz6DqDHxy/wdws fPMg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature; bh=owzMv+I/wvOMpS2DsF+a7FQ/+XSsKh4C+RbEiqbAz90=; b=n8f4peXZp8gR5Ou6D6dLlTjPvvw4ZYxzgbYy7TfXH6FRjLUDU7uBIYM8MNLb39NMPn 7JmEeJAJfmnCsYcc21wPJmrnseBrl8eyDyK+Xyup6TIjk+QRD6XU+XdehDpceR5ok6LL R9q+10B7W/j0yjFCuNHMsHTza3/jxDUUYtqrl1SNEaQcMuBgJFfbQR7kUrP/WVS8/sFn 1jN5rvF3SMdZSmUKO/9bB22d6d2H6WUPW5DYHtbbjXS8KIzTMvmrf3DcO/jRkY/YPuyK 5c2BxXlOfHC4olfN0q3IC8ZBcfay+/U/h+nWGZUMTQkpfxNlKYjGdyqD5MqAndarTxAv Nicw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=Y74wESVe; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id y205si14615596oig.137.2020.01.17.13.15.26; Fri, 17 Jan 2020 13:15:39 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=Y74wESVe; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726857AbgAQVOY (ORCPT + 99 others); Fri, 17 Jan 2020 16:14:24 -0500 Received: from mail.kernel.org ([198.145.29.99]:33226 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726587AbgAQVOX (ORCPT ); Fri, 17 Jan 2020 16:14:23 -0500 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 7190820748; Fri, 17 Jan 2020 21:14:22 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1579295662; bh=OS7yVO2N6BDDdHCe/tuw7AF3sNjZ1YfY9NXe0Sml+nc=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=Y74wESVeAfeNLVHeRVBf/+nfKeyMgbscXlK4eJ6NVy4KMvwkUF9e04+4DegV98Oje aiw2NOlFvwFSeT2VOWw/h53pmLOJY9Bjlcd6UBajXgFwSqxMlib/fQf/RqnFDkZNCs ZNjGlyPzHp4FqcL3o0hvZ/80ZByIBTYbrP3t0350= Date: Fri, 17 Jan 2020 22:14:19 +0100 From: Greg Kroah-Hartman To: Topi Miettinen Cc: Luis Chamberlain , "linux-kernel@vger.kernel.org" Subject: Re: [PATCH] firmware_loader: load files from the mount namespace of init Message-ID: <20200117211419.GA2042215@kroah.com> References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Jan 17, 2020 at 08:36:13PM +0200, Topi Miettinen wrote: > Hi, > > I have an experimental setup where almost every possible system service > (even early startup ones) runs in separate namespace, using a dedicated, > minimal file system. In process of minimizing the contents of the file > systems with regards to modules and firmware files, I noticed that in my > system, the firmware files are loaded from three different mount namespaces, > those of systemd-udevd, init and systemd-networkd. The logic of the source > namespace is not very clear, it seems to depend on the driver, but the > namespace of the current process is used. > > So, this patch tries to make things a bit clearer and changes the loading of > firmware files only from the mount namespace of init. This may also improve > security, though I think that using firmware files as attack vector could be > too impractical anyway. I like this, but: > Later, it might make sense to make the mount namespace configurable, for > example with a new file in > /proc/sys/kernel/firmware_config/. That would allow a dedicated file system > only for firmware files and those need not be present anywhere else. This > configurability would make more sense if made also for kernel modules and > /sbin/modprobe. Modules are already loaded from init namespace > (usermodehelper uses kthreadd namespace) except when directly loaded by > systemd-udevd. I think you answered your question of why firmware is loaded from the namespace of systemd-udevd at times, it happens due to a module being asked to be loaded which then called out and asked for firmware as part of its probe process. Now saying that the firmware load namespace is going to be tied always to the modprobe namespace is problematic, as we can't guarantee that will always happen for all bus and driver types. So resetting this all back to the init namespace seems to make sense to me, and odds are it will not break anything. But, as you are adding a new firmware feature, any chance you can write an additional test to the firmware self-tests so that we can verify that this really is working the way you are saying it does, so we can trust it and verify it doesn't break in the future? thanks, greg k-h